ML20207T424

SER Re SPDS Based on Documentation & 850513-15 Audit. SPDS Does Not Fully Meet Requirements of Suppl 1 to NUREG-0737. Five Listed Variables Should Be Added to SPDS. Interim Implementation Acceptable
Person / Time
Site: Catawba, 05000000
Issue date: 12/30/1985
From: NRC
To:
Shared Package: ML20205H658
References: FOIA-87-68, RTR-NUREG-0737, RTR-NUREG-737, NUDOCS 8703240001

ENCLOSURE 1

SAFETY EVALUATION REPORT FOR THE CATAWBA NUCLEAR STATION, UNITS 1 AND 2 SAFETY PARAMETER DISPLAY SYSTEM

I. INTRODUCTION

All holders of operating licenses issued by the Nuclear Regulatory Commission (licensees) and applicants for an operating license (OL) must provide a Safety Parameter Display System (SPDS) in the control room of their plant. The Commission approved requirements for the SPDS are defined in Supplement 1 to NUREG-0737.

The purpose of the SPDS is to provide a concise display of critical plant variables to control room operators to aid them in rapidly and reliably determining the safety status of the plant. NUREG-0737, Supplement 1, requires licensees and applicants to prepare a written safety analysis describing the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents.

Licensees and applicants shall also prepare an Implementation Plan for the SPDS which contains schedules for design, development, installation, and full operation of the SPDS as well as a design Verification and Validation (V&V) Plan. The Safety Analysis and the Implementation Plan are to be submitted to the NRC for staff review. The results from the staff's review are to be published in a Safety Evaluation Report (SER).

The staff review for licensees requesting a pre-implementation review and for applicants consists of a review of SPDS documentation (i.e., safety analysis report and implementation plan) and audit meetings/site visits.

After an initial review of the licensee/applicant's submittals, three separate audit meetings/site visits, as described below, may be arranged through the Division of Licensing Project Manager. As dictated by the comprehensiveness of the applicant/licensee's documentation and the schedule for design and implementation of the SPDS, the objectives of these audits may be met in fewer site visits.

Design Verification Audit: The purpose of this audit meeting is to obtain additional information required to resolve any outstanding questions about the V&V Program, to confirm that the V&V Program is being correctly implemented, and to audit the results of the V&V activities to date. At this meeting, the applicant should provide a thorough description of the SPDS design process. Emphasis should be placed on how the applicant is assuring that the implemented SPDS will: provide appropriate parameters, be isolated from safety systems, provide reliable and valid data, and incorporate good human engineering practice.

Design Validation Audit: After review of all documentation, an audit may be conducted to review the as-built prototype or installed SPDS. The purpose of this audit is to assure that the results of the applicant/licensee's testing demonstrate that the SPDS meets the functional requirements of the design and to assure that the SPDS exhibits good human engineering practice.

Installation Audit: As necessary, a final audit may be conducted at the site to ascertain that the SPDS has been installed in accordance with the applicant/licensee's plan and is functioning properly. A specific concern is that the data displayed reflect the sensor signal which measures the variable displayed. This audit will be coordinated with and may be conducted by the NRC Resident Inspector.

Unlike operating reactors, applicants will undergo, prior to implementation, a full review to determine whether the applicable provisions of Supplement 1 to NUREG-0737 have been satisfied. To the extent possible, the staff will temper its review to conform to the schedule for licensing and SPDS implementation.


Since the Catawba SPDS was in an advanced stage of development when the staff's review began, a combined design verification and design validation audit was conducted on May 13-15, 1985.

II. SUMMARY

Duke Power Company (DPC) submitted, for staff review, documentation regarding the SPDS for Catawba Nuclear Station (Ref. 1). Subsequently an on-site Design Verification/Validation Audit was scheduled. The audit was conducted on May 13-15, 1985. Specific findings were documented in an audit report (Ref. 2). The staff had requested information from the applicant on September 14, 1984 (Ref. 3). The applicant responded in a letter dated October 18, 1984 (Ref. 4). Another request for information was issued on October 31, 1985 (Ref. 5). The applicant responded to the audit findings and to the second request for information in its letter dated November 27, 1985 (Ref. 6). Clarification of DPC positions regarding parameter selection and the scope of SPDS was obtained in teleconferences on December 11 and 18, 1985 (Ref. 7 and 8).

Based on the above review, the staff concludes that the Catawba SPDS does not fully meet the applicable provisions of Supplement 1 to NUREG-0737. However, since the staff did not identify any serious safety concerns with the existing system, the Catawba SPDS may be operated as an interim implementation until the open issues identified herein are resolved.

III A. SPDS DESCRIPTION

The Catawba SPDS is essentially a software implementation on the existing plant process computer. The SPDS displays are presented on cathode-ray tubes (CRTs) that are an integrated part of the control room. Operator access to displays is through the existing keyboards that are also used for accessing other plant programs and displays. The capability for continuous monitoring of plant safety status is provided in the form of six critical safety function blocks displayed at the bottom of the "alarm video", a CRT centrally located on the main control board. In addition, the critical safety function blocks may be displayed on two other CRTs that are available in the control room.

B. PARAMETER SELECTION

Section 4.1.(f) of Supplement 1 to NUREG-0737 states that:

"The minimum information to be provided shall be sufficient to provide information to plant operators about:

(i) Reactivity Control
(ii) Reactor core cooling and heat removal from the primary system
(iii) Reactor coolant system integrity
(iv) Radioactivity control
(v) Containment conditions."

For review purposes, these five items have been designated as Critical Safety Functions.

In the evaluation of the SPDS, the staff has considered the Westinghouse Owners Group's "Westinghouse Emergency Response Guidelines (ERGS) Program," which was reviewed and approved by the staff (Reference 9), as a principal technical source of variables important to operational safety. The SPDS variables selected by the applicant and their coordination with the CSFs are summarized in Reference 1.

The staff has reviewed the applicant's Safety Analysis Report on the Catawba SPDS. Although the variables selected do comprise a generally comprehensive list, the following important variables are not proposed for the Catawba SPDS.

1. Hot Leg Temperature
2. RHR Flow Rate
3. Stack Monitor
4. Steam Generator (or steamline) Radiation
5. Containment Isolation

Hot leg temperature is a key indicator used in the ERGS (Revision 1 "ES-0.1, Attachment A," "Generic Instrumentation," page 3) to determine the viability of natural circulation as a mode of heat removal. Reference 1 indicates "NC System temperature" as a proposed variable, but does not specify hot leg temperature.

During RHR and ECCS modes of cooling when steam generators are not available, RHR flow is a key indicator to monitor the viability of the heat removal system.

Steamline (or steam generator) radiation, in conjunction with containment radiation and reactor stack radiation, gives a rapid assessment of radiation status for the most likely radioactive release paths to accomplish the "Radioactivity Control" safety function.

For a rapid assessment of Radioactivity Control, the applicant has not demonstrated how radiation in the secondary system (steam generators and steamlines) is monitored by SPDS when the steam generators and/or their steamlines are isolated.

Containment isolation is an important parameter for use in making a rapid assessment of "Containment Conditions." In particular, a determination that known process pathways through containment have been secured provides significant additional assurance of containment integrity.

The above variables do, for given scenarios, provide unique inputs to the determinations of status for their respective CSFs, which have not been discussed by the applicant as being satisfied by other variables in the proposed Catawba SPDS list. We recommend that the applicant address these variables and their functions by: (1) adding the variables to the Catawba SPDS, or (2) providing alternate added variables along with justifications that these alternates accomplish the same safety functions for all scenarios.

Based on this review of the applicant's supporting analysis, and the observation that the selected variables appear to be consistent with the Westinghouse Owners Group ERGS, the staff finds the proposed list of key variables to be generally acceptable, with exceptions noted above.

Finally, design flexibility should be provided for possible future expansion of the SPDS. For example, with consideration of the Westinghouse Owners Group ERGS and with possible amendments to the ERGS, other key variables may be identified to assess the safety status of the CSFs.

C. DISPLAY DATA VALIDATION

The staff reviewed the applicant's submittals to determine that means are provided in the design to assure that the data displayed are valid.

The method of data validation currently used in the Catawba SPDS is range/status checking supplemented by redundant sensor logic if more than one sensor is available.

Each computer analog input is continuously monitored for over and under range conditions, scan lockout, and out of service status. Digital input power fuses are also monitored. When an input involving a function becomes invalid (blown fuse, over/under range, out of service, etc.) but the CSF status can still be determined from the remaining inputs, an alarm indicating an invalid input for the particular function affected is displayed. If the invalid input affects the determination of the status, the affected CSF block changes to magenta indicating an indeterminate condition and remains in this state until the invalid input can be corrected or until the input is locked out to a known valid value or status.

The staff finds this method to be acceptable as an interim measure based on the fact that Duke Power is involved in an Electric Power Research Institute (EPRI) project investigating signal validation techniques and is committed to evaluating the results of that program (EPRI Project RP-2292-1, "Validation and Integration of PWR Signals") to improve the current data validation methodology, if feasible.
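The range/status validation described in this section can be sketched as follows. This is an added example, not code from the report or from the Catawba system. The sensor names, ranges, limits, the NORMAL/ALARM states, and the rule that the highest valid redundant channel governs are all assumptions made for illustration; only the magenta indeterminate state and the invalid-input alarm come from the text.

```python
from dataclasses import dataclass
from typing import Optional

MAGENTA = "MAGENTA"   # indeterminate block colour named in the report

@dataclass
class AnalogInput:
    name: str                      # hypothetical point name
    value: float
    lo: float                      # instrument range (constructed)
    hi: float
    scan_lockout: bool = False
    out_of_service: bool = False
    substitute: Optional[float] = None   # operator-entered known valid value

    def fault(self) -> Optional[str]:
        """Return the reason the input is invalid, or None if it is valid."""
        if self.out_of_service:
            return "out of service"
        if self.scan_lockout:
            return "scan lockout"
        if self.value > self.hi:
            return "over range"
        if self.value < self.lo:
            return "under range"
        return None

    def usable(self) -> Optional[float]:
        """Live value if valid, else the locked-in substitute (may be None)."""
        return self.value if self.fault() is None else self.substitute


def evaluate_csf(variables, high_limits):
    """variables: {variable: [redundant inputs]}; high_limits: {variable: limit}.
    Returns (block_status, invalid_input_alarms)."""
    alarms, status = [], "NORMAL"
    for var, sensors in variables.items():
        alarms += [f"{s.name}: {s.fault()}" for s in sensors if s.fault()]
        readings = [r for r in (s.usable() for s in sensors) if r is not None]
        if not readings:
            status = MAGENTA      # invalid input affects the status determination
        elif status != MAGENTA and max(readings) > high_limits[var]:
            status = "ALARM"      # assumption: highest valid channel governs
    return status, alarms


def demo():
    def csf(temp_a=550.0, **press_kw):   # constructed sample inputs
        return {
            "nc_temp": [AnalogInput("NC-T-A", temp_a, 0, 700),
                        AnalogInput("NC-T-B", 552.0, 0, 700)],
            "nc_press": [AnalogInput("NC-P-1", 2235.0, 0, 3000, **press_kw)],
        }
    limits = {"nc_temp": 620.0, "nc_press": 2385.0}
    return {
        "healthy": evaluate_csf(csf(), limits),
        "redundant_fault": evaluate_csf(csf(temp_a=999.0), limits),
        "sole_input_lost": evaluate_csf(csf(out_of_service=True), limits),
        "locked_to_value": evaluate_csf(
            csf(out_of_service=True, substitute=2235.0), limits),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The four cases show the distinction the staff reviewed: a failed channel with a valid redundant partner raises only the invalid-input alarm, while loss of a sole input drives the block to magenta until the input is restored or locked to a known value.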

Information Needed for Confirmatory Review

A description of the improvements to the current data validation methodology should be submitted to the staff when the applicant has finalized the data validation methodology, i.e. incorporated appropriate techniques from the EPRI study. This information should be submitted no later than August 1, 1987.

D. HUMAN FACTORS PROGRAM

The staff evaluated the applicant's submittals for a commitment to a Human Factors Program in the development of the SPDS.

The applicant has attempted to incorporate good human engineering principles into the Catawba SPDS design at several points in the design process. Initially, when the design was conceptualized in early 1982, the design basis was independently reviewed by an EPRI staff member with experience in SPDS design. Since the design logic is based on the status trees of the Westinghouse ERGS, it also benefitted from the Westinghouse human factors input, albeit indirectly.

However, the bulk of the human factors input was derived from coordination with the Duke Power Company (DPC) efforts on the Detailed Control Room Design Review (DCRDR). During the SPDS development the control room review team conducted a task analysis using a mockup and color slides of proposed SPDS displays. The analysis also examined the order and format of supporting (non-SPDS) displays, their usability, and ability to support operator tasks as defined in the Westinghouse ERGS. After implementation the control room review team surveyed the computer displays including SPDS using a check-list that was derived from NUREG-0700. Areas of review included color usage, glare, labels, keyboard arrangement, and other human factors issues. In addition, operator comments were solicited as part of the Operating Experience Review phase of the DCRDR.

Development of the Catawba SPDS was actually done on the McGuire plant - the Catawba and McGuire SPDSs are conceptually and programmatically identical.


The staff identified no significant deviations from good human engineering practice in the SPDS displays or interface devices.

However, the staff did identify a significant problem in the content of the SPDS displays. As presently defined by DPC the scope of the Catawba SPDS encompasses only the six color blocks that are intended to represent the status of the critical safety functions. DPC does not consider any of the supporting displays such as the Emergency Operating Procedure status tree displays and input display lists to be a part of SPDS. Given this limited scope, the staff concludes that the critical safety function (CSF) color blocks do not provide sufficient information from which an operator can assess the safety status of the plant.

First, the CSF color blocks do not include as inputs all of the variables judged by the staff to be necessary for assessment of the critical safety functions (see Section III.B of this report). The staff requires that the variables listed below be added to the Catawba SPDS:

1. Hot Leg Temperature
2. RHR Flow Rate
3. Stack Monitor
4. Steam Generator (or steamline) Radiation
5. Containment Isolation

Secondly, the color blocks do not provide the actual value of the input variables, so the operator cannot determine either the current state of a variable or its trend. It is also impossible to determine which variable is in alarm using the Catawba SPDS, i.e. the CSF color blocks.

Therefore, the staff requires that the Catawba SPDS be redesigned/defined to include the actual value of all of the SPDS input variables as well as the five additional variables discussed above. These actual values should be provided on easily accessible, logically grouped displays similar to those now defined as supporting displays, e.g. status tree displays, CSF input list displays.

E. ELECTRICAL AND ELECTRONIC ISOLATION

The SPDS at Catawba is software implemented on the operator aid computer (OAC) system. This system consists of a Honeywell model 4400 computer and bulk core memory. The system displays are driven by an Aydin 5205-C color graphic video display generator. Alarm typers, printers and floppy disk drives are also utilized. The OAC has both Class 1E and non-Class 1E sensor inputs. The Class 1E inputs are isolated from the OAC by qualified isolation amplifiers, Westinghouse series 7300, that were reviewed and accepted by the staff in the following documents:

(1) WCAP-8892-A "Westinghouse 7300 Series Process Control System Noise Tests," June 1977,
(2) NRC letter, R. Tedesco to C. Eicheldinger, Westinghouse Electric Company, April 20, 1977.

The only exception to this configuration is the interface between the high range containment radiation channels and the SPDS - these are isolated using E-MAX devices.


The E-MAX devices were subjected to dielectric and transverse mode tests. The dielectric test was performed using 2500V RMS applied to the input and output connections. The device passed this test satisfactorily with no breakdown of the dielectric. For the transverse mode test the maximum credible fault was determined to be 120 VAC limited to 20 amperes. This fault voltage was applied across the plus and minus outputs of the device. The device was energized in the normal fashion with separate sources and a storage type oscilloscope (scope) was connected to the input to detect any propagation of the fault to the input signal circuitry. The pass/fail criteria for the transverse mode test was that upon application of the fault to the output circuitry (non-Class 1E side) the input circuitry (Class 1E side) must sustain no damage and the fault should not propagate to the input.

Upon the application of the fault, the input circuitry scope recorded a 147 millivolt (mv) spike of a few milliseconds duration. This low voltage spike was attributed to noise being generated as the output circuit components were being destroyed. The noise spike was not detrimental to the input circuit.

Based on an audit of the above documentation on isolation amplifiers and the E-MAX isolators, the topical report, and the previous staff approval of this report, the staff concludes that these devices are acceptable for interfacing the OAC/SPDS with safety-related systems, and that this equipment meets the Commission's requirements as stated in NUREG-0737, Supplement No. 1.

V. CONCLUSIONS

Based on its documentation review and on-site audit, the staff concludes that the Catawba Safety Parameter Display System does not fully meet the applicable requirements of Supplement 1 to NUREG-0737. This conclusion is based on the following:

The variables included in the SPDS are not sufficient to provide the minimum information required to assess the critical safety functions. In addition, the SPDS variables are not displayed for operator viewing - only alarm boxes are displayed.

In order to resolve this deficiency, DPC should add five additional variables to the SPDS:

Hot Leg Temperature
RHR Flow Rate
Stack Monitor
Steam Generator (or Steamline) Radiation
Containment Isolation Status

In addition, all SPDS variables including the five listed above should be displayed for operator viewing. These displays should be logically grouped and easily accessible.

Because the staff did not identify any serious safety questions concerning the Catawba SPDS, the staff concludes that it is acceptable as an interim implementation and may be used until the open items identified above have been resolved.


REFERENCES

1. Letter from H. B. Tucker (DPC) to H. R. Denton (NRC) dated March 28, 1984, forwarding Revision 4 to DPC response to Supplement 1 to NUREG-0737 (SPDS Safety Analysis included as Section 4).
2. Letter from E. G. Adensam (NRC) to H. B. Tucker (DPC) dated September 10, 1985, forwarding results of the staff's audit of SPDS conducted May 13-15, 1985.
3. Letter from E. G. Adensam (NRC) to H. B. Tucker (DPC) dated September 14, 1984.
4. Letter from H. B. Tucker (DPC) to H. R. Denton (NRC) dated October 18, 1984.
5. Letter from E. G. Adensam (NRC) to H. B. Tucker (DPC) dated October 31, 1985, forwarding a request for information.
6. Letter from H. B. Tucker (DPC) to H. R. Denton (NRC) dated November 27, 1985, forwarding responses to NRC letters dated September 10, 1985 and October 31, 1965.
7. Teleconference between K. Jabbour, G. Lapinsky, F. Orr (NRC) and R. Sharp, et al (DPC), December 11, 1985.
8. Teleconference between K. Jabbour, G. Lapinsky, F. Orr (NRC) and R. Sharp, et al (DPC), December 18, 1985.
9. Safety Evaluation of "Emergency Response Guidelines," Generic Letter 83-22, June 8, 1983.

ENCLOSURE 2 PROPOSED LICENSE CONDITION REGARDING THE CATAWBA SPDS (TAP ITEM ID 2)

SPDS (Section 18.2)

Prior to restart following the first refueling outage, DPC shall add to the Safety Parameter Display System (SPDS) and have operational the following SPDS parameters:

(i) Residual Heat Removal (RHR) Flow
(ii) Containment Isolation Status
(iii) Stack Radiation Measurements
(iv) Primary Coolant System Hot Leg Temperature
(v) Steam Generator or Steamline Radiation

The actual value of these and all other SPDS variables should be displayed for operator viewing in easily and rapidly accessible display formats.