ML20212D238
| ML20212D238 | |
| Person / Time | |
|---|---|
| Site: | Sequoyah  |
| Issue date: | 02/17/1987 |
| From: | Gridley R TENNESSEE VALLEY AUTHORITY |
| To: | Youngblood B NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM), Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML20212D245 | List: |
| References | |
| NUDOCS 8703040088 | |
| Download: ML20212D238 (29) | |
Text
e e
TENNESSEE VALLEY AUTHORITY CH ATTANOOGA. TENNESSEE 374of SN 157B Lookout Placo FEB 171987 U.S. Nuclear Regulatory Commission Attn Document Control Desk Office of Nuclear Reactor Regulation Washington, D.C. 20555 Attention Mr. B. J. Youngblood In the Matter of
)
Docket Nos. 50-327 Tennessee Valley Authority
)
50-328 SEQUOYAH NUCLEAR PLANT (SQN) - REQUEST FOR ADDITIONAL INFORMATION ON THE BYPASS IN0pERABLE STATUS INDICATION (BISI) SYSTEM The purpose of this letter is to provide the information requested in your letter dated January 28, 1987, (reference 3) on the subject above. contains an evaluation which concludoo that use of administrativo procedures to determine the status of safety systems does not involvo an unreviewed safety question.
It is important to note that SQN procedures are comparable and consistent in scope with those implemented at Watts Bar Nuclear (WBN) Plant. The Safety Evaluation Report (SER) for WBN (NUHEG-0847, June 1982), section 7.7.2, states that, "The staff finds that these interim measures, which are comparable to the provisions in presently operating planto, provide adequate treatment of the concerns of Regulatory Guido 1.47.
The SER allows WBN to operato until the first refueling outage until installation of BISI. The proposal contained horoin allows for one full cycle for each SQN unit to allow for design, procurement, installation, testing, and training to complete BISI implementation. contains the Functional Requirements Document for the proposed BISI system. This was previously submitted an enclosure 2 in reference 2.
This Functional Requirements Document describoo in detail how TVA's proposed DISI system for SQN will be designed to conform to the guidelineo for Regulatory Guido 1.47. includou detailed answers to the questions included in the enclosure to your request for additional information (RAI) (reference 3).
0703040000 ET70217 0(
PDH ADOCK 05000327 j0 p
PDR l\\
An L4uJI Opportunity EmployOf
.D
. U.S. Nuclear Regulatory Commission
((_Q{hh} It is evident from these questions that there was a miscommunication or misunderstanding between the NRC and TVA participants in our previous telephone conference call mentioned in your RAI (reference 3). The status board referenced by TVA in the telephone conferenco call was not an integral part of administrativo procedures for configuration control. The status board was designed as a visual aid to operators to provide technical specification limiting condition for operation (LCO) status. This board was not intended and was inappropriate to display safety system status. The board was located in the only availablo location for its placement in the control room which was inconvenient and not visible to control room operators. The information displayed by the board is now maintained on a logshoot, controlled by an administrative proceduro, which is readily accessible to operators. Safety system status, though inappropriate for inclusion on the board duo to the space required to provido necessary detail, is maintained officiently and appropriately in system files and configuration logs which are controlled by administrativo procedures. Therefore, for the reasons given above, usage of the status board has been discontinued. The questions included in your RAI (reference 3) portaining to status board usage are answorod (enclosuro 3) by describing the appropriato files, logs, procedures, etc. The responses address how information necessary to maintain operator cognizance of safety system status is provided to the responsible operators. The procedures discussed in enclosures 1 and 3 represent TVA's approach to configuration control as it rotates to operator cognizance of safety system status at SQN. Thoso proceduros are TVA's implementation of NUHEG-0737. Item 1.C.6, " Guidance on procedures for Verifying Correct performance of Operating Activities." As such, these proceduros represent a firm commitment for maintaining oporator cognizance of safety system status. The dates presented in this letter of cycle 4 outages for both units 1 and 2 reprosont TVA's firm commitment for HISI implementation. If further information or clarification on any of the enclosed material is ( noconsary, ploano call M. R. Ilarding, Soquoyah Site Licensing Managor, at (615) 810-6422. Very truly yours, TENNESSEE VALLEY AUTil0H1TY 1 i R. Crldley, Dit octor Nuclour Safety and Licensing Enclosures cc Soo puso 3
o . U.S. Nuclear Regulatory Conmission cc (Enclosures): U.S. Nuclear Regulatory Commission Region II Attn Dr. J. delson Crace, Regional Administrator 101 Marietta Street, NW, Suite 2900 Atlanta, Georgia 30323 Mr. J. J. Holonich Sequoyah Project Manager U.S. Nuclear Regulatory Commission 7920 Norfolk Avenue Bethesda, Maryland 20814 Mr. James Taylor, Director Office of Inspection and Enforcement U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Mr. G. G. Zech, Director TVA Projects U.S. Nuclear Regulatory Commission Region II 101 Marietta Street, NW, Suite 2900 Atlanta, Georgia 30323 Sequoyah Resident Inspector Sequoyah Nuclear Plant 2600 Igou Ferry Road Soddy Daisy, Tennessee 37319
~ ..? ./* L _r LIST-OF ENCLOSURES + ~ Enclosure No. Title Safety Evaluation of Using' 1 . Administrative Procedures in Lieu of a BISI System. 2 Discussion of How the Proposed BISI System Conforms to Regulatory Guide 1.47 3 Responses to NRC Specific Questions l 4 SQN Operations Section Letter OSLA-58, " Maintaining Cognizance of Operational Status" (9/16/86) 5 SQN Admin'Astrative Instruction AI-5, " Shift and Relief Turnover " Rev. 36 (8/11/86) 6 - SQN Administrative Instrue. tion AI-3, " Clearance Procedure," Rev. 33 (11/28/86) 7 SQN Administrative Instructica AI-6, " Log Entrica_and Review." Rev. 10 (11/12/86) 1_ 1 .)
LIST OF REFERENCES 1. U.S. Atomic Energy Commission Regulatory Guide 1.A7, " Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety System," May 1973 2. Letter from R. Gridley to B. Youngblood dated October 31, 1986, "Sequoyah Wuclear Plant Units 1 and 2 - Bypassed and Inoperable Status Indications System (BISI)" 3. Letter from B. J. Youngblood to S. A. White dated January 28, 1987, " Request for Additional Information on the Bypass Inoperable Status Indication System" e I J
i c: ENCLOSURE 1 ') SAFETY EVALUATION OF USING ADMINISTRATIVE PROCEDURES IN LIEU OF A BISI SYSTEM L f 1
oA kGC0ry TVA 10697 (DNE 6461 DNE CALCULATIONS TITLE PLANT / UNIT BYPASSED AND INOPERABLE STATUS INDICATION SYSTEM (BISI) SQN 1 & 2 PREPARING ORGANIZATION KEY NOUNS (Consult RIMS DESCRIPTORS LIST) DNE/ NEB /SQS2 BYPASS, SAR, BISI BRANCH / PROJECT IDENTIFIERS Each time these calculations are issueo, preparers must ensure that the original (RO) RIMS accession SQN-SQS2-0031 Rev (for RIMS
- use)
RIMS accession number B25 870211 807 APPLICABLE DESIGN DOCUMENT (S) R_ RG 1.47 g_ SAR SECTION(S) UNID SYSTEMtS) 7.4 N/A R Revision 0 R1 R2 R3 Safety 4 elated? Yes O No @ ECN No. (or indscate Not Applicable) N/A Statement of Problem a [, fggynaq g-S_ince the Bypassed and Inop-k 7,wd gg erable Status Indication System (BISI) is not expected to be instaJled at SQNP until the [ Q cycleT/ refueling outage, a lR justification of previously Appr ved g established administrative Date r controls is required for the { p g 7 g p interim. The purpose of this List all pages added eva a n s M de m d ne <== by this revision, j whether the use of administrative List all pages deleted jg; by this revision. O ed Safety Question. jyl List all pages changed by this revision. [ Abstract Yhese calculations contain an unverified assumption (s) that must be verified later. Yes O No 0 Based on the attached Safety Evaluation, the utilization of administrative controls in lieu of an automatic BISI system does not constitute an Unreviewed Safety Question per 10CFR50.59. l O u croi.im and sto,e caicuiai,ons.n RiuS Service Cenier. u.croeiim and eesirov. O M'crofilm and return calculations to: S. C. Newman Address: DSC-A7 SQNP cc: RIMS.SL 26 C K /
_=_=_== _ - _=--------------------------------------
Brcnch/ProJCct idcntifier==> SON-SOS 2-OO51 Page 1 of JPY RI , Subjcct==> Safety Evaluation of using Administrative Procedures in lieu of a BISI system Computed /date==> j zgo/g7 =- --_-__S___ N -_------_-----_ _-__________ _ Regulatory Guide 1.47 requires that status inf ormation on a system basis be available to the operator to ensure that safety systems are ready,t o operate in the event they are called upon. It is the intent of SONP to employ a satisfactory set of administrative procedures which, in effect, will adequately serve as a means of compliance with the contents of RG 1.47. Consideration of this substitution will be for the interim period from reactor start-up to implementatico of the planned BISI system. At SONP, TVA has implemented a set of administrative procedures to comply with the requirements of NUREG 0737, item 1.C.6. Specifically, the administrative procedures requiret. 1. 7-(1) the alignment of all systems and components'important to safety be . verified prior to unit, start-up (Equi pme,nt important to safety is defined 'as the RCS (pressure boundary components) and associated pressurizer and pressure relief systems; the residual heat removal systems ESF systems; ESFs electric power systems; and cooling water systems necessary to operate the above systems). Additional aids are in place which provide direct feedback to the operator regarding equipment availability such as posting orange stickers on inoperable instrument channels and tagging MCR switches to indicate equipment out of service. As an added precaution, operators are trained to evaluate equipment operability relative to support system availability, and to follow strict authorization and documentation processes price to removing any safety related equipment from service. (2) Changes in the alignment of any system important to safety be recorded on the applicable status sheet of the configuration control system. Presently at SONP, the operational status of critical systems structures and components (CSSC), a record of the status of valves, power supplies, instrumentation, penetrations and structural components is required and maintained on the Configuration Log which is the prominently displayed, three ring notebook type binder kept in the MCR. The shift supervisor or an authorized senior reactor operator "must" approve removal from and return to normal alignment entry items. (3) Shift personnel being relieved communicate information on any l abnormal plant condition including temporary conditions. At SONP, shift personnel are required by administrative instructions to convey pertinent items or activities'in progress; off normal or unusual conditions and any limiting conditions for operations (LCOs). Pre-shift briefings are also required before a change of control room personnel which involves the exchange of information such as special tests in progress, significant equipment deficiencies or out of service and significant maintenance in progress. o G
-. =_ _-----====. Ercnch/Projcct idcntifier==> SON-SOS 2-OO;l Page 2 of fr3F Al ,Subjcet==> Safety Evaluation of using Administrative Procedures in lieu of a BISI system Computed /date==>,g 2/gg7 4 --- k ?- __==___---------------------------- - ~ l (4) System operability be demonstrated before a system is returned to service. Provisions have been implemented which verify proper system' alignment through the use of status checklists for all modes of plant operation. As a final check, once every 24-hour shift, a physical walkdown of those CSSC systems, as required by AI-5 appendi:: C, is conducted to ensure system availability and operability. -(5) Approval by the shift supervisor or his/her representative must be received prior to the performance of any activity on any systems important to safety or any activity that may; affect systems important to s~afety. The shif t supervisor or his/her representative is notified when an ~ activity authorized to be performed on a system important to safety,is completed or a change occurs in the scope of the activity. Plant operating instructions require completion of a start-up checklist before unit start-up This checklist is used to verify correct alignment of all systems important to safety. In addition, alignment of systems important to safety are reviewed each shift. Any time a critical component is changed from its normal position or condition, and entry is made on the applicable status sheet of the configuration control system. Panel checklists are reviewed each shift to verify that proper panel alignment exists for all systems important to safety. Independent verification of the alignment of systems important to safety is being performed as required by administrative procedure. The 4.. ; requirements of the administrative procedure apply to the control of l valves, breakers, or any component that would, if mi sp os i t i on'ed, significantly degrade a safety function or present a safety concern. Independent verification is applied to placing and removing clearances and . the return to service of equipment aff ected by plant instructions f or following systems: Auxiliary building gas treatment system l Auxiliary feedwater system Boron injection system Component cooling water system Containment isolation system Containment spray l Emergency core cooling system 9 i -)
_------------=__
- _ _ _ = - - - - - - - - - - = =-- =_ Brcnch/ProJcet id:nti f icr==> SON-SOS 2-0031 Page 3 of A(5 NI .SubJcct==> Safety Evaluation of using Administrative Proced res in lieu of a BISI system Computed /date==>, hng 2[Oh7 Checked /date===> (% eg g 7 L------------- = _. Emergency gas treatment system Engineered safety features actuation system Essential raw cooling water system High pressure fire protection in safety-related areas Post accident sampling system .. = Radiation monitoring systems--Those parts of the systems that provide
- isolation functions to effluent pathways or monitor direct release
, athways to_the environment p Radwaste systems--Thosb parts that isolate releases to the environment. This includes condensate deminerali=er release tanks. This does not include the entire system, but only the valves that isolate the system from the environment. Reactor coolant system Reactor protection system Residual or decay heat removal systems Standby Diesel Generators HVAC DG support system Upper head injection system Class 1E electrical distribution system for the above listed systems. 125V vital de distribution system--That part of the system that supplies control power essential for the shutdown boards to function properly. In addition to the administrative procedures just described, the safety channel bypasses are annunciated in the MCR and safety system valve alignment monitor lights are provided in the MCR. These as well as other indications and alarms in the MCR provide information to assist the operators in determining if any safety system is bypassed or inoperative. To summarize, it should be noted that the usage of administrative procedures in lieu of BISI would not, in any way, introduce or increase the probability of accidents (or any malfunction of a different type) as outlined previously in the Safety Analysis Report. It can also be said that the margin of safety, as outlined in the bases section of any technical specification, is not reduced. w
_-----_--===-
==---- Ercnch/ProJsct idsntifier==> SON-SOS 2-0031 -=----------_------_-= Page 4 of ffjf R1 Subject==> Safety Evaluation of using Administrative Procedu es in lieu of a BISI system Computed /date==>.( 2/M/S7
- "*"2*"'**l' """' '-.'-- h- >422Z-------------------- - -_
References 1. NUREG 0847 " Safety Evaluation Report related to the operation of Watts Bar Nuclear Plant, Units 1 and C"; 2. Administrative Instructions (AI)-5, appendices A1,A3,B1,B1A,B2,B2A,C; AI-6; AI-30; 3. Discussions with J. R. Walker, SONP Operations. ~ 4. Discussions with Ted Widner, EES KNoxW E. ~ O e i s. l l 1 g - -, - .w w n' - ~ - ~ ~ ~ ~ w
Page 5 of 5 REVISION LOG BYPASSED AND INOPERABLE STATUS INDICATION SYSTEM (BISI) SQN-SQS2-0031 "'[ " DESCRIPTION OF REVISION _ App d o, 1 This revision changes the implementation schedule of the BISI system from the cycle 5 refueling outage to the cycle 4 refueling outage. All other information contained in I this calculation remains unchanged. 2[l3 7 6 nr 9 f TVA 10534 (EN DES-4 78)
ENCLOSURE 2 DISCUSSION OF IICW THE PROPOSED BISI SYSTEM CONFORMS TO REGULATORY GUIDE 1.47 d 1 r l l 5 i
Rev. 3 10-10-86 FUNCTIONAL REQUIREMENTS DOCUMENT FOR THE BYPASSED AND INOPERABLE STATUS INDICATION (BISI) SYSTEM 1.0 Egoge This document defines the required functional and operational characteristics for the BISI to meet the requirements of NRC Regulatory Guide 1.47, revision 0. Each reactor unit will have a separate BISI. This system does not include the requirements for operating and trip bypasses of the RPS and E3FAS. Those' requirements are addressed in the FSAR. 2.0 Purpose ~ This document describes an approach for the implementation of the NRC Regulatory Guide 1.47, revision 0. Described is the functional requirements for satisfying this guide so as to provide the unit operator high level status information about systems which are actuated by the plant protection system when a safety function has been purposely rendered bypassed or inoperable. The function of the BISI system is to provide automatic MCR indication of bypassed and deliberately induced abnormal conditions for plant safety systems and the auxiliary or support system (s) that must be operable for the safety systems to perform 4 their safety-related functions. The BISI will supplement plant administrative procedures in keeping the MCR personnel abreast of plant system status. The prinary intent of BISI is to provide a indication that a functional path for each train of a safety system has been purposely rendered in a state which could cause inoperability. l The functional path is defined as the process flow path for each train of equipment. In this system, it is assumed that the use of alternate equipment to make up a functional path requires manual operator intervention and is not considered in the functional path definition. The final decision of system operability or inoperability is left to the unit operator to determine per Technical Specifications, since the operator may configure the system to meet Technical Specifications but may not meet the functional path logic. 3.0 BISI Desian and Operation 3.1 The BISI shall be designed to operate during all normal plant modes of operations including startup, shutdown, standby, refueling, and power operation. The logic to implement the BISI shall be developed for power operations. Process flow path alignment may be different for other modes of operation l (e.g. refueling), thus creating abnormal alarms that do not l directly relate to the system level alarm (e.g. Tr A AFW). l The operating crew will determine the impact of each alarm on the process flow path indication during these modes of l operation.
- 3.1.1 The BISI is not required to operate during or after an accident. 3.1.2 The BISI.wil1 not be designed to safety system criteria and therefore is not to be used to perform functions essential to the health and safety of the public, nor is operator action based solely on BISI indications. 3.1.3 All plant systems monitored by BISI will be monitored and alarmed regardless of plant operating mode. 3.2 The components monitored to make up the functional path alarm for each plant mode for each system must meet the following conditions: 3.2.1 Could render inoperable a redundant portion of the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the systems it actuates to perform their safety-related functions; - and 3.2.2 Is expected to be rendered in operable more frequently than once a year; and 3.2.3 Is expected to occur when the affected system is normally required to be operable per Technical Specifications. 3.3 Not all equipment and components making up a functional path will require monitoring by BISI to satisfy 3.2 above. Only those components determined to meet all of the above requirements will be monitored. 3.4 No component is required to have power available mo'nitored if it fails safe on loss of power or power disconnect. 3.5 Component handswitch position (e.g., Pull to Lock) will be monitored on components where the handswitch can block or bypass the actuation system from placing the' component in the actuated state. 3.6 Combination logic will be used to create the system level " ABNORMAL" such that if any component in a functional path is " ABNORMAL" for plant modes for which it is required, then the path.is abnormal. Also, if any supporting function such as cooling water, ventilation, control air, or electric power is lost, then all systems affected by that loss shall be so indicated. See section 5.0 for implementation criteria.
3.7 The BISI shall have an audible alarm which shall operate in conjunction with the BISI upper level indication to alert MCR personnel of a new BISI system going into alarm. 3.8 The BISI shall provide on demand alarm message displays or printouts of all BISI alarms. 3.9 The BISI shall be capable of providing printouts of all BISI alarms for shift turnover or historical logging. 3.10 Appropriate electrical and physical isolation from safety-related equipment to the non-safety system shall be provided to meet the requirements identified in the FSAR. 4.0 Systems Monitored by BISI The BISI shall monitor and provide system level alarms of the safety-related portions of the following plant system. Portions of these systems which serve no safety function and can be separated from the safety functions performed by these systems will not be monitored. MAIN AND AUXILIARY FEEDWATER (INCLUDE SG ISOLATION) SAFETY INJECTION RESIDUAL HEAT REMOVAL i i CONTAINMENT SPARY EMERGENCY GAS TREATMENT ESSENTIAL RAW COOLING WATER i CHEMICAL AND VOLUME CONTROL VENTILATING COMPONENT COOLING CONTROL AIR (INCLUDING AUXILIARY CONTROL AIR) STANDBY DIESEL GENERATOR If there are components identified which are not within the above systems but are actuated by the ESFAS to support the operation of the above systems, then these components shall be monitored and alarmed l with the system they support. t l
. 5.0 Component Level Implementation criteria Those components which are selected per the guidelines given in section 3.0 will be monitored for the following conditions: 5.1 Status contacts shall continuously monitor the availability of control power and the position of circuit breakers (rack-in or out) of all automatically actuated ESF devices identified in the systems referred to in section 4.0. 5.2 Status contacts shall continuously monitor the availability of control power of motor starters of all automatically actuated ESF devices identified in the systems referred to in section 4.0. 5.3 Status contacts shall continuously monitor the availability of control power of solenoid valve actuated components if the device requires control power to be available for movement to its safe condition. This applies to all automatically actuated ESF devices identified in the systems referred to in section 4.0. 5.4 Status contacts shall continuously monitor the position of handswitches (e.g., Pull To Lock) that can be placed in a state which would yield the systems or components identified in section 4.0 inoperable. 5.5 System level logic shall be developed on each train functional path (e.g., AFW TR A) to actuate a system level alarm. An example is as follows: FCV-3-116A AFW TR A m FCV-3-116B C h Abnormal m AFW pump 1A-( HS-3-118A FCV-3-126 A FCV-3-126B [ / \\ AFW TR B m AFW pump 18-[ O Abnormal HS-3-128A j g ERCW TR A Abnormal s ERCW TR B ' AFW Support Abnornal System Abnormal LCV-3-172 D/G TR A ' O s s LCV-3-173 (Q Abnormal m LCV-3-174 D/G TR B ' s LCV-3-175 C Abnormal s FCV-1-51 C See Note ( r Note 1: This diagram is an-example of concept. Other plant systems may impact the operation of the AFW system (e.g. control air), t
-5 ~ 6.0 Display Criteria i 6.1 A system level display via the BISI display or indicating lights shall be provided to indicate the status of the systems identified in section 4.0 This system level display or indicating lights shall indiciate the status of each systems train functional path as well as the status of any support system that may place the indicated system in an inoperable or bypassed condition. An example is as follows: Functional Path Plant System Tr. A Tr B Support System Auxiliary Feedwater System Normal Nornal Normal If an alarm condition exists for the functional path or support system, additional detailed information shall be provided to the operating crew so as to allow determination of the abnormal condition. The information provided shall identify to the operating crew the exact nature of the initiating condition for the abnormal alarm. An example is as follows: Loss of control power - AFW pump 1A-A 6.2 Alarm function Whenever a system abnormal condition exist, an audible alarm shall be generated so as to direct the operators attention to the BISI system display or indicating lights. The BISI system shall have alarm silence, alarm acknowledge, alarm reset and reflash capability. 6.3 Manual Control Manual entry capability of each system status shall be provided. This allows the operating crew to provide bypass indication for an event that renders a safety system abnormal but does not automatically operate the system level indicators. There shall not be any capability to defeat an automatic operation of a system level indicator but the capability shall be provided to inhibit the audible alarm when the plant is in an operating mode (e.g. refueling) where many system and component alarms may be generated. The capability shall be provided to inhibit the audible alarm at the process flow path level (e.g. Tr A AFW). 6.4 Human Factor Requirements All BISI displays and alarms shall be designed per human factor principles. 0128W
ENCLOSURE 3 RESPONSES TO NRC SPECIFIC QUESTIONS Ouestion 1 Describe in detail the status boards used in keeping the operator aware of safety system status including the location and main responsible user.
Response
Technical specification LCO status is monitored by operators in accordance with SQN Administrative Instruction (AI)-6, " Log Entries and Review," (enclosure 7). This procedure delineates the information required to be entered and maintained in operator's logs. Operations within technical specification LCO action times are a required log entry. In addition, as an appendix to this procedure, maintenance of a LCO action log is required. This log records the LCO nunber, the affected system or component, the date and time entered and exited, and surveillance instructions required to be performed as a result of technical specification action requirements. The LCO Action Log is maintained by operators of both units for each respective unit and any LCOs entered because of equipment or conditions common to both units. The log is maintained in the proximity of the unit " horseshoe" area and is transferred to a new log sheet each day, in accordance with procedure, by the first shift (11 p.m. to 7 a.m.) operator. In addition to technical specification LCO information, AI-6 requires entry of information such as significant equipment malfunctions, abnormal or unusual conditions, maintenance activities, and any equipment removed from service for maintenance. SQN AI-5, " Shift and Relief'$urnover," (enclosure 5 to this submittal) requires review of logs for operators before assuming shift. This review must be back to the last shift worked by that operator or five calendar days. This review is documented by signature of the oncoming operator on AI-5, Appendix Al, " Transfer of Authority and Responsibility."
ENCLOSURE 3 Ouestion 2 What aids are available to the operator for determination which safety systems are rendered inoperable when a supporting system is deliberately bypassed?
Response
Several aids are provided to the operator to indicate inoperability due to equipment unavailability. SQN AI-13 " Control of Inoperable and Unavailable CSSC Equipment," requires the affixation of a sticker to indicate components identified as unavailable because of inoperability of another component in the associated loop. This sticker identifies to the operator the potential unreliability of that particular indicator or annunciator. The sticker will also contain information to the operator such as the Maintenance Request (MR) sequential number and the date affixed. Using this information, the operator may access a database by way of a terminal located in the control room to obtain information as to the origin of the problem and the status of the work. SQN AI-3, " Clearance Procedure," (enclosure 6) describes the method used by SQN to establish clearance boundaries for protection of workers and equipment. Clearances are established for maintenance and testing. When systems are aligned abnormally or disassembled for these purposes, clearances are established by the use of tags placed appropriately to indicate the main point of control and the boundaries of the clearance. These tags at the point of control provide direct feedback to operators to indicate bypassed or inoperable equipment. When supporting systems are deliberately bypassed for any reason, operations personnel are trained to evaluate the effects upon operability of technical specification system or components. When operability is compromised, the technical specification system / component is declared inoperable and is recorded in accordance with AI-6 in the appropriate journals and logs. SQN AI-30 " Nuclear Plant Method of Operation," describes the responsibilities of plant personnel initiating maintenance, test, or modification activities. These persons are instructed to receive permission from the shif t engineer or his representative before any such activity on, or that may affect, plant equipment. Such notification will allow cognizant, responsible operations personnel to make an evaluation on the potential for technical specification impact and the need to alert the appropriate operations personnel of the unavailability of associated equipment. _ - _
ENCLOSURE 3 Question 3 Before removal or manipulation of a component that results in the unavailability of a safety system, do the procedures ensure that the status board has been changed to show the affected system as unavailable? Are there provisions included to prevent work from proceeding until the status board has been updated?
Response
As described in the response to question 3, AI-30 requires plant personnel to notify the shift engineer of intended maintenance, modification, or test activities before their commencement. This procedure describes, generally, the steps to be taken by the Operations Section Instruction Letter OSLA-58. This is the controlling procedure for maintaining SQN's operators' cognizance of safety system configuration. This procedure is included as enclosure 4 of this submittal. SQN operators use a configuration log and status file described by OSLA-58 to maintain cognizance of safety system alignment. It is important to note that SQN AI-5 requires review of Configuration Log and Status File during each shift. ENCLOSURE 3 Ouestion 4 Is the status board updating included in a systematic documented system similar to a document control system, so that updating is timely and'the restoration to service is not complete until the status board has been updated?
Response
The Status File and Configuration Log as described in the answer to question 3 of this enclosure and OSLA-58 (enclosure 4 to this submittal) are updated in a systematic documented system. This system is timely and is an integral step in the operator's return of a system or component to operability and/or availability. 6 ENCLOSIIRE 3 Ouestion 5 (a) Are simple alphanumeric characters used and readable from the intended viewing distance? (b) Are words, symbols, and abbreviations on the status boards consistent with terms used in the rest of the plant? (c) Is color coding, where used, consistent with color coding used elsewhere in the plant?
Response
As this question is specific to the use of the LCO status board, which is being discontinued, this question is considered no longer applicable. t 4 I ~ I I -S-
ENCLOSURE 3 Question 6 In what way is the status board updated? Do the devices used for this purpose 2 conform to human factors guidelines for controls, where applicable? Who is responsible for the updating?
Response
The method for update of operator's logs, the Status File, and the Configuration Log has been previously discussed (questions 1 and 3). Operations personnel responsible for timely updating of these documents are described in the answers to these questions, SQN AI-6 and OSLA-58. e I 1
ENCLOSURE 3 Question-7 Does the placement of the status board optimize ease of access for personnel updating displays and ease of viewing for personnel reading the displayst
Response
The Status Files and Configuration Logs are located, by procedure, in areas where the unit operators may easily access them and are easily recognizable to cognizant operations personnel. l 4 e F 1. e m-. u
ENCLOSURE 3 Ouestion 8 Are the status board checks a part of the shift turnover?
Response
SQN AI-5 (enclosure 5) describes the Shif t Turnover process for operations personnel. This procedure requires that the oncoming operator complete several detailed forms documenting review and briefing of various aspects of plant configuration and status. Among these aspects are: o LCO status and action times o Off normal or unusual conditions j o Major activities in progress o Abnonmal system alignments In addition, each operator (lead unit operator and Balance-of-Plant Operator) has a detailed checklist which checks such details as: 4 o Annunciator panels o Control room switch position and indication o Values of significant parameters o Status monitor panels operability (ESF protection channels, ECCS system alignment) o Configuration Log review SQN AI-5 also requires completion, once per shif t, of a critical valve Summary Checklist (Appendix C). This checklist is intended to verify proper valve alignment on each safety-related system applicable to the unit's mode of operation. This verification is required to be a physical, hands-on or visual inspection on the first shift (11 p.m. to 7 a.m.). The second and third shift verification may be accomplished by review of the status file, configuration log, and/or visual inspection. l l f m ,-..,-----.--,--,e
ENCLOSURE 3 Ouestion No. 9 Provide full justification for your proposed scheduel (in 1990) for implen.enting the new Bypassed and Inoperable Status Indication (BISI) system.
Response
TVA gave the cycle 5 units 1 and 2 BISI implementation schedule in our October 31, 1986 submittal letter from R. Gridley to NRC's B. Youngblood on SQN's units 1 and 2 BISI System. The basis for this schedule was that, at that time, the SQN Technical Support Center Data System (TSCDS) computer system was not considered capable of including the additional BISI function and inputs while maintaining an acceptable real-time response, and thus, alternate methods were being evaluated. Since this time, it has been determined that ongoing improvements to the TSCDS computer system will allow the BISI function to be successfully integrated with the TSCDS computer and installed during the cycle 4 units 1 and 2 outages. Besides representing an improvement to the previously proposed schedule, this approach will provide the features of an integrated software / hardware design and man-machine interface which should benefit operations and maintenance personnel. _g_ t l l
ENCLOSURE 3 The current schedule for BISI implementation methodology determination and implementation for SQN unit I and 2 is as follows: BISI System Logic Diagrams complete Functional Requirements Doc (Rev. 3) complete \\ U - Software (S/W) Specification Generation / Integration - Software Design Implementation - S/W Acceptance Test Procedure (ATP) Generation and Execution Start of unit I and 2 Cycle 4 Outage Respectively for both units - Site Install Software - Pre-Op Test U - Final Operations / Human Factors /V&V Signoff L/ Unit Start Operator Training End of unit I and 2 Cycle 4 Outage Respectively for both units The cycle 4 outage end dates are presently scheduled for January 1989 (unit 1) and July 1989 (unit 2)... -.
I 1 i ENCLOSURE 4 SQN OPERATIONS SECTION INSTRUCTION LETTER GSLA - 58 O l}}