ML20153B052
| ML20153B052 | |
| Person / Time | |
|---|---|
| Site: | Sequoyah  |
| Issue date: | 03/11/1988 |
| From: | NRC OFFICE OF SPECIAL PROJECTS |
| To: | |
| Shared Package | |
| ML20127A683 | List:
|
| References | |
| NUDOCS 8803210353 | |
| Download: ML20153B052 (8) | |
Text
["%
i UNITED STATES 3
h NUCLEAR REGULATORY COMMISSION h-ij WASHINGTON, D. C. 20555 e
\\...../
SE0VOYAH NUCLEAR POWER PLANT, UNITS 1 AND 2 SAFETY EVALUATION REPORT FOR EMPLOYEE CONCERN ELEMENT REPORT 205.4(B), "VERIF' CATION / DOCUMENTATION OF OVALITY-RELATED DESIGN COMPUTER CODES" I.
SUBJECT Category:
Engineering (20000)
Subcategory:
Control of Design Calculations (20500)
Element:
Verification / Documentation of Quality-Related Design Computer Codes (20504)
The basis for Element Report 205.4(B) Revision 1, dated February 2, 1987 is Employee Concern HI-85-077-N15 which states:
"NRC identified the following concern from review of the QTC file:
inadequate verification / documentation of quality-related design computer Codes."
This concern was originally raised at Watts Bar Nuclear Plant and it was evaluated by TVA as potentially nuclear safety-related and potentially applicable to Sequoyah (generic) because the design organization and their procedures were the same.
II.
SUMMARY
OF ISSUE The issue defined by TVA is inadequate documentation and verification of quality-related design computer programs.
The specific issue was lack of quality assurance program centrols for computer programs usad for the cable routing system.
III.
EVALUATION The governing standards and regulations are 10 CFR 50 Appendix B Criterion III and ANSI N45.2 and ANSI N45.2.11. and are supplemented by internal procedures and practices.
The licensee investigated the implementation of these standards and procedures and their evaluation resulted in numerous findings and commitments for future action.
Existing procedures were upgraded in 1986 to provide more explicit control for computer-generated calculations and design output.
Specific requirements and responsibilities were added relating to the use of computers in the design process.
The Engineering Computer Methods Branch (ECB) prepares or coordir.ates all Division of Nuclear Engineering (DNE) computer program documentation.
ECB-EP 28.01, "0E Computer Activities Requiring Quality Assurance Cor.puter Usage, Computer Program Documentation and Computer Resident Data," controls DNE ccmputer activities and the verification and documentation requirements.
8803210353 880311 DR ADOCK 0500 8
f PROGRAM VERIFICATION ECB-EP 28.01 contains specific requirements for the program user and provides methods for verifying the programs.
For example, the program user must ensure that the program applies to the application and that it is used correctly.
The licensee performed an evaluation and found that the files contained verification documentation for each program sampled with the exception of the cable routing programs and the one program that had illegible documentation.
The licensee reported in NCR SONECB 8501 that there was neither verification documentation nor controlled user documentation available for the computer programs used in the cable routing system.
The programs had been classified as "business" category programs, not subject to quality assurance program requirements. The NRC staff reviewed the corrective actions with the licensee's Engineering Computer Methods Branch and found a comprehensive sequence of actions that assured that the program is designed, verified and validated in a manner similar to industry (IEEE) practice, and includes written operations and user manuals.
The files are now secured in the Resource Access Control Facility and only authorized users may have access to update their jobs and related files.
The files are protected against unauthorized modification or deletion and engineers at Secuoyah are limited to a "use only" capability.
Examples of calculations that included computer program verification documenta-tion were reviewed by the licensee to evaluate verification docurentation of the type prepared and maintained by the library.
The examples demonstrated compliance with ECB-EP 28.01..
Earlier deficiencies had been documented in NCR GENNEB8501 which identified a lack of verification for three computer programs concerned with radiation doses and isotopes.
Verification of these programs was documented in 1987.
The licensee has committed to identifying the calculations required to support safety systems used for safe shutdown.
The essential calculations are to be reviewed and then generated, upcated, or superseded as necessary to support the design.
Further details are discussed in Sequoyah element report 205.1.
ECB instructions for accomplishing this calculation program were reviewed by the licensee and where there were not specific measures for coafirming the existence of computer software verification to support an essential calculation, the licensee confirmed verification by performing calculations.
ECB-EP 28.01 requires a licensee-approved OA program to verify non-licensee ccmputer programs used by vendors.
Through an audit of its impleirentation, the licensee evaluation confirmed that a vendor's QA policies and procedures manual had been correctly evaluated and approved.
PROGRAM DOCUMENTATION Mandatory elements of program documentation are contained in ECB-EP 28.01.
Samples of the documentation in the computer library were reviewed and found to be adequate by the licensee. The error reporting system of ECB-EP 28.01 provides the necessary steps for controlling, administering and documenting this activity.
j,
Implementation of the system to control user manuals showed an informal procedure which, according to the licensee, appeared to be well-organized with master copies maintained in a controlled fashion.
The licensee commited to verifying the distribution lists and keeping them current.
The licensee concluded that their current practices and procedures for verification and documentation of computer programs used in safety-related design at Sequoyah provide a system that addresses the essential elements of the applicable standards and regulations.
The licensee committed to establishing a complete list of computer programs used for the generation of design output at Sequoyah.
Each program will be evaluated to determine the j
level of usage, documentation, and verification.
Corrective actions will be taken, where necessary.
Based on a sampling evaluation, the licensee concluded that the documentation of verifications was in general conformance to procedural requirements.
However, there was a lack of verification for several isotope and cable routing system programs.
The ?icensee has completed the corrective actions.
Existing procedures for control of the verification and documentation of computer programs used in design activities do not provide sufficient i
description of the requirements and the program elements necessary for proper implementation.
The licensee committed to preparing a procedure to cover elements such as error reporting and library functions for documentation and production library controls and training will be provided.
The documentation for the RESPONSE program was illegible and considered inadeouate.
The licensee committed to making a legible microfilm copy of the l
computer program verification documentation.
Procedures will recuire the library to verify the legibility of microfilm copies of documentation.
The licensee admits that the concern regarding inadeouate verification and documentation of quality-related design ccmputer programs is valid, however the licensee has instituted new control procedures and extensive reviews of existing programs have been perforn.ed.
IV.
CONCLUSIONS The NRC staff believes that the licensee's investigation and resolution of the concerns as descrited in Element Report 205.4(B), Ravision 1, dated February 2, 1987 are adequate. Monitoring the documentation and verification of the computer programs for the design of safety-related components and systems is a function of high importance and needs to be performed on a continuous basis.
SEQUOYAH NUCLEAR POWER PLANT, UNITS 1 AND 2_
SAFETY EVALUATION REPORT FOR EMPLOYEE CONCERN ELEMENT REPORT 206.1(B), "AS-BUILT INACCURACIES" I.
SUBJECT Category:
Engineering (20000)
Subcategory:
As-Built Reconciliation (20600)
Element:
As-Built inaccuracies (20601)
The basis for Element Report 206.1(8), revision 1, dated February 23, 1987 is employee concerns Hi-85-094-N02,1-85-128-NPS, IN-85-152-001, Wi-85-100-045, XX-85-062-003, XX-85-070-001, XX-85-070-003 and XX-85-077-002 which state:
Hi-85-094-N02:
"The as-built condition of the plant does not match the design drawings.
The emergency raw cooling water (ERCW) system is having its carbon steel piping changed to stainless steel.
The work has been divided into many workplans which are being installed piece meal at various outages.
There is a good change that SeQuoyah I.:s been operating the plant in an unanalyzed condition since it is doubtful that the stress analyst has analyzed all piping configurations that have been installed during operation."
l-85-128-NPS:
"An individual from Bellefonte Nuclear Plant wrote the nuclear safety review staff expressing his concern that the control and quality of the Office of Engineering's design effort is inadequate. The concerned individual (CI) sent several roughly written pages detailing and suinfarizing his evaluation and conclusion of three major areas: (1) design calculations, (2) non-conformance reports and (3) management policies."
"interviewee expressed concern that certain drawings (perhaps as-built drawings) might not be up-to-date because they had not been ' checked'.
Interviewee had mentioned this to another person (but not to his supervisor) and was told that drawings do not require ' checking' until they are approved (' signed off').
Many drawings are not ' approved' although the hardwre is already installed."
i WI-85-100-045:
"As-built drawings and documents are nonexistent or in poor condition in many cases.
Cl has no further information. Anonymous concern via letter."
XX-85-062-003:
"Sequoyah, Browns Ferry: CI unofficially informed that the drawings, in many instances, are not a true representation of the installation.
Nuclear Power concern.
CI has no further information."
XX-85-070-001:
"%cuoyah Uniu 1 & 2: Numerous documents contain a high percent of errors and drawings do not reflect the installations in many instances (Names / Dept./ details to the specific case are known to QTC and withheld to maintain confidentiality). Cl has no furhter information. Nuclear Power Dept. concern."
XX-85-070-003:
"Sequoyah work plans contain inaccurate data. Majority of the design change requests taken care [ofl, but not documented right and drawings do not reflect the as-built conditions.
Details withheld to maintain confidentiality. Nuc Power concern.
CI has no further infonnation."
XX-85-077-002:
Seouoyah Units 1 & 2:
Numerous design drawings are inaccurate and do not reflect as-built condition. Several field change reouests were written, but not reflected on design drawings.
CI has no further inforn tion.
Construction Department concern."
These concerns were evaluated by the licensee as potentially nuclear safety-related and potentially applicable to Sequoyah (generic).
II.
SUMMARY
0,F, ISSUES Five issues were identified by the licensee In many instances, the as-built decurrents and drawings are non-existent, are in poor condition, contain many errors, and are not a true representation of installation.
There is inadeouate management of configuration control procedures covering plant change documentation, field change requests (FCR), design change reouests (DCR), etc., and inconsistent control over plant change practices resulting in unapproved plant changes and improper documentation.
Changes are made to the plant configuration often by FCRs and drawings are not charged in a timely manner.
The essential raw cooling water (ERCW) piping is being changed from carbon steel to stainless steel in a piecemeal fashion, and all installed piping changes may not have been stress analyzed.
Certain drawings (perhaps as-built drawings) might not be up-to-date because they had not been checked.
These concerns also generated issues which are addressed in other Sequoyah Element Reports:
204.6 Work plans contain inaccurate data.
204.11 Scope of engineering recuired for modifications is not identified. No attempt is made to identify design activities for modifications.
205.1 Basic calculations are not prepared.
Basic calculations are not documented.
Design documents are not supported by calcula tier.s.
205.2 There are no procedures to control and maintain calculations current.
III. EVALUATION AS-BUILT ORAWINGS/ PLANT CONFIGURATION CONTROL The employee concerns about as-built documents, configuration control, and management control of modifications and documentation are valid. The evaluation team found that the problems were mostly due to (a) lack of management involvement and lack of emphasis on adherir.g to in-place procedures, (b) the use of a two drawing system of independent as-designed and as-constructed drawings, (c) partial implementation of engineering change notices (ECN) without updating drawings, and (d) improper handling of the design change request (DCR) process and documents.
The licensee comitted to corrective actions in the Seoucyah Nuclear Perfonnance Plan, Volume 2, Chapter ? in the sections about engineering responsibility (1.2.5) and plant modifications and design control (3.0), and Chapter 3 in the sections about design and configuration control (2.0) and the design baseline and verification program (DBVP) (2.2).
The licensee established a Change Control Board to manage the design control process.
A new design control system as described in SQEP-13. "Procedure for Transitional Design Change Control" is in use.
"As-configured" drawings are being verified for accuracy.
ECNs are being reviewed for necessity and cancelled, when possible.
ECNs are now limited in scope and more clearly defined.
Additional engineering approvals are needed to resolve unreviewed safety cuestion determinations (US00). The DBVP was established to assess the adequacy of past modification work and correct deficiencies and its progress is being closely audited by the NRC staff.
Examples of DBVP auditing are inspection reports 50-328/86-38,45,55 and 87-06,14,27 The evaluation team was very concerned with the requirements of Supplement I to NUREG-0737, "Requirements for Emergency Respor.se Capability," which states
E that emergency response facilities will be provided with accurate, complete and current plant records essential for evaluation of the plant under accident conditions. However, the FSAR requirements in paragraph 13.3 only require the Technical Support Center (TSC) to contain plant drawings which are defined in the implementing procedure SON IP-6, Revision 17 dated September 14, 1987, "Activation and Operation of the TSC" as "plant functional drawings".
This topic may be the subject of future NRC staff discussions and audits.
UPDATING ORAWINGS IN A TIMELY MANNER The concern that the present procedures do not establish a specific time period between the completion of a physical change to the plant and the completion of as-built drawings was substantiated. However, the NRC staff does not agree with establishing an arbitrary time limit independent of modification testing, quality control review and workplan completion. The NRC staff did find a comitment to publish a revised primary control room drawing within 21 working days after the marked drewing was approved. Updating drawings in a timely manner will be audited by the NRC staff.
The licensee has committed to updating the primary as-built drawings in the control room by red-line marking prior to restart. These drawings consist of f
flow diagrams, dontrol diagrams and electrical single line drawings.
The licensee also has comitted to develop configuration control de3 wings for control room as-constructed drawings by December 31, 1989.
AS-8UILT CALCULATION CONTROL 1
The NRC staff perfortned an independent design inspection (IDI) of the essential raw cooling water system (ERCW) after this element report was issued and confirmed tnat the ERCW was being modified in sections without a design analysis of each configuration of the piping system.
The licensee is performing qualifying analyses as part of the DBVP. This issue has become a separate item and implementation of the corrective action is not included in this review.
CHECXING ENGINEERING DRAWINGS This issue is not substantiated because numerous engineering procedures in existence since at least 1983 require several signatures before the drawing is issued. For example', EN DES-EP 4.01, "Signatures / Initials for Preparation, Review, and Approval of EN DES Drawings," Revision 10 dated April 25, 1985 required seven signatures, including that of the checker, before the drawing could be issued.
In addition, the Seouoyah site organization did not have the capability for producing or revising engineering drawings.
IV.
CONCLUSTONS The NRC staff believes that the licensee's investigation of the concerns was adequate, and their resolution of the concerns as described in TVA Employee Concerns Special Program Report Number 206.1(B) Revision 1 dated February 23, 1987, "As-Built Inaccuracies" is acceptable, except for the essential raw water cooling system which has become a separate issue.
The NRC staff will be monitoring the adecuacy of the improvements through inspections and audits.
J SERS FOR EN 20702 Atl0 EN 20/04 ARE ATTACHED TO THE EN 20104 SER PACKAGE f