ML20213C795

Verification & Validation Program Summary Rept for Georgia Power Co,Vogtle Electric Generating Plant Emergency Response Facilities Computer Sys
ML20213C795
Person / Time
Site: Vogtle
Issue date: 10/31/1986
From:
ENERGY, INC.
To:
Shared Package
ML20213C787 List:
References
NUDOCS 8611100284


Text


VERIFICATION AND VALIDATION PROGRAM SUMMARY REPORT

FOR GEORGIA POWER COMPANY
VOGTLE ELECTRIC GENERATING PLANT
EMERGENCY RESPONSE FACILITIES COMPUTER SYSTEM

PREPARED BY ENERGY INCORPORATED
P.O. BOX 736, IDAHO FALLS, IDAHO 83402
CONTRACT NO. PAV-9846

October, 1986

8611100284 861031 PDR ADOCK 05000424 E PDR

TABLE OF CONTENTS

1.0 INTRODUCTION
    1.1 Background
    1.2 Purpose of This Report
2.0 PROGRAM SCOPE
3.0 DEVELOPMENT OF THE PROGRAM
    3.1 Project Staffing
    3.2 Initial Interface Meeting
    3.3 V&V Program Plan
4.0 PROGRAM ACTIVITIES
    4.1 Program Planning
    4.2 Meetings and Discussions
    4.3 Requirements Review
    4.4 Design Reviews
        4.4.1 Hardware Review
        4.4.2 Software Review
    4.5 Test Program Formulation
    4.6 Testing and Evaluation
    4.7 Safety Analysis Report
    4.8 Georgia Power Co. Internal V&V Activities
        4.8.1 ERF Interface Meetings
        4.8.2 Peer-Level Reviews
        4.8.3 Reviews By Plant Staff
        4.8.4 Simulator Training
        4.8.5 Emergency Drills
        4.8.6 Control Room Design Review
5.0 CLOSING OF VERIFICATION & VALIDATION REVIEWS
6.0 CONCLUSIONS
References
APPENDIX - Resolutions to Review Deficiencies

ACRONYMS

EI       Energy Incorporated
EOF      Emergency Operations Facility
EOP      Emergency Operating Procedures
ERF      Emergency Response Facilities
ERFCS    Emergency Response Facilities Computer System
IEEE     Institute of Electrical and Electronics Engineers
NRC      Nuclear Regulatory Commission
NUREG    Nuclear Regulation Document Series
NSAC     Nuclear Safety Analysis Center
R.G.     Regulatory Guide Document Series
RAM      Random Access Memory
SPDS     Safety Parameter Display System
TSC      Technical Support Center
V&V      Verification and Validation

1.0 INTRODUCTION

1.1 Background

As a result of the accident at the Three Mile Island Nuclear Power Plant in 1979, federal regulations governing operation of power reactors were amended to require the inclusion of additional capabilities for responding to emergency situations (10CFR50.47). From these requirements more specific guidance for the implementation of emergency response capabilities was developed for plant owners by the United States Nuclear Regulatory Commission (NRC), primarily in NUREG-0696, "Functional Criteria for Emergency Response Facilities", February, 1981, with additional clarification in NUREG-0737, Supplement 1.

Anticipating that the emergency response facilities would be dependent upon rather sophisticated computer technology, NUREG-0696, Sec. 9, mandated that the development of new systems to meet these requirements be subjected to a formal verification and validation program. A general approach to validating computer systems of this type is suggested in NSAC-39, "Verification and Validation for Safety Parameter Display Systems", December, 1981, a report commissioned by the Electric Power Research Institute's Nuclear Safety Analysis Center. This approach has been acknowledged by the NRC as acceptable.

In the summer of 1983, the Georgia Power Company issued a request for proposals from interested parties to provide an independent verification and validation service to their development of a comprehensive computer system to satisfy the emergency response facilities monitoring needs at the Alvin W. Vogtle nuclear power plant, using the approaches described in NSAC-39. Energy Incorporated was selected to provide these services to the Georgia Power Co.

1.2 Purpose of This Report

For the past three years, EI has conducted various V&V activities in fulfillment of its obligations under its contract with the Georgia Power Co. A number of formal V&V documents have been generated during this time. This report provides a summary of the verification and validation efforts that have been performed. Sufficient background and information are provided in this report to capture the essence of the V&V program. In addition, full references to various program documentation are given so that details on any specific aspect of the program can be readily retrieved.

The activities that were performed are described, and the report summarizes all of the formal documents produced during the program. Final closing of items found during the design reviews to be in need of resolution are also provided in this report.

Section 2.0 briefly describes the scope of work. Section 3.0 discusses how the program was developed. Major program activities conducted are described in Section 4.0, including brief synopses and summaries of the formal reports generated during this work. Resolutions of outstanding review issues follow in Section 5.0. Finally, conclusions on the overall validity of the system are cited in Section 6.0.

2.0 PROGRAM SCOPE

The verification and validation scope of work consisted of the following major tasks:

(1) generation of the verification and validation program plan; (2) review of the system requirements; (3) review of the hardware designs; (4) review of the software designs; (5) formulation of the system validation testing program; and (6) development of the safety analysis report.

Discussions of the activities associated with these tasks are given in the subsequent sections of this report. In addition to the tasks listed above, some discussion is provided on a number of legitimate verification and validation activities that Georgia Power Co. has conducted internally. These consisted of activities such as conferring with the plant operations staff on information presentation formats and man-machine interface, software module testing, evaluation of the system during development using the plant simulator, etc.

3.0 DEVELOPMENT OF THE PROGRAM

The development of the V&V program involved three major facets:

(1) staffing the project with the requisite technical and managerial skills; (2) collaboration with the system design team in terms of their design approaches, system concepts, and project interfaces; and (3) generation of a V&V program plan.

3.1 Project Staffing

A number of technical staff at Energy Incorporated (EI) contributed to the execution of this program. Staff members were generally selected on the basis of particular skills applicable to a specific task. Each individual who was involved is listed below with a brief indication of his involvement.

(a) Frank Felicione - overall project management; interface meetings and discussions; program plan; safety analysis report; test planning; test observation.

(b) Larry Hansel - interface meetings and discussions; hardware design review.

(c) Carol Mancuso - interface meetings and discussions; test planning; software design review; test observation.

(d) Robert Narum - software design review; test observation.

(e) Bruce Peterson - requirements review.

(f) Ron Stewart - requirements review; interface meetings and discussions.

(g) William Hurt - displays review.

(h) Dennis Hollenbeck - interface meetings and discussions; program plan.

(i) Robert Curran - interface meetings and discussions; program plan.

3.2 Initial Interface Meeting

EI met with the Georgia Power Co. in Atlanta in September, 1983, to kick off the V&V effort. This meeting established lines of communication between EI and Georgia Power Co.; provided a forum for discussing the methods by which the system design would be carried out; addressed the tasks with which EI would be concerned; and provided some general V&V guidance for the designers. Details are given in Reference 1.

On the basis of this initial meeting and subsequent communications, a plan for the execution of the entire V&V program was generated.

3.3 V&V Program Plan

A program plan was developed. This plan set forth the manner in which the V&V program would be conducted. The plan contained the following information:

(a) identification of the V&V program requirements; (b) major elements of the program; (c) organizational responsibilities; (d) descriptions of the V&V documents to be generated; and (e) a schedule for the V&V activities.

The program plan was submitted to and approved by the Georgia Power Co. It is documented in References 2, 3, and 4.

4.0 PROGRAM ACTIVITIES

V&V program activities in which EI participated consisted of (a) program planning, (b) meetings and discussions, (c) requirements review, (d) design reviews, (e) test program formulation, (f) test evaluation, and (g) safety analysis report.

This section discusses each of these activities and identifies pertinent references.

4.1 Program Planning

Program planning has been addressed in Section 3.0.

4.2 Meetings and Discussions

Discussions between the V&V team at EI and the system designers at Georgia Power Co. occurred throughout the program. These discussions were often supplemented with informal written communications via facsimile or mail, where appropriate.

Five project meetings took place as listed below:

(1) Atlanta, Georgia - September 20 & 21, 1983;

(2) Waynesboro, Georgia - May 9 & 10, 1985;

(3) Idaho Falls, Idaho - February 24 & 25, 1986;

(4) Atlanta, Georgia - September 29 & 30, 1986, in conjunction with validation testing; and

(5) Idaho Falls, Idaho - October 29, 1986.

These meetings were devoted to clarifying project activities, establishing schedules, reviewing partially completed work, and planning future activities.

4.3 Requirements Review

An extensive review of the requirements established for the ERFCS was conducted. Both regulatory and owner-designated design requirements were considered. This review established that the requirements set forth for the system, if faithfully implemented, would result in an acceptable ERFCS. The review is documented in References No. 5, 6, and 8.

The review addressed the specific topics described below.

(a) The pertinent governmental regulatory standards and Georgia Power Co. documents which collectively establish the system requirements were identified.

(b) Requirements were grouped in terms of their purpose, consisting of the following categories:

    (1) functional,
    (2) performance,
    (3) quality,
    (4) development and implementation,
    (5) audit trail,
    (6) user,
    (7) interface,
    (8) testing,
    (9) installation, operation, and maintenance, and
    (10) training.

(c) A traceability matrix was constructed that provided a cross-reference table relating the various system requirements to the original requirement references (such as an NRC document).

(d) An evaluation of the system requirements was made that examined

    (1) correctness,
    (2) completeness,
    (3) consistency,
    (4) feasibility,
    (5) testability,
    (6) traceability, and
    (7) clarity.

(e) Inadequacies found in the requirements were discussed. These were further categorized as being either

    (1) deficiencies, i.e., in need of resolution;
    (2) observations on the part of the reviewer, i.e., suggestions for further evaluation by Georgia Power Co.; or
    (3) incompleteness in the documentation that prevented completion of the review.

4.4 Design Reviews

Reviews were conducted on both the hardware and software aspects of the ERFCS. Because of the different technical skills required, these reviews were conducted separately, and they are documented in separate volumes of a design review report (References No. 14 and 15; see also References No. 7 and 12).

4.4.1 Hardware Review

The hardware review considered compliance of the design with hardware requirements that had earlier been established and reviewed. Since the Vogtle ERFCS hardware consists mostly of a standard product line from an established equipment vendor (Foxboro), there was no need to evaluate particular design features; the hardware review became largely a review for completeness and traceability.

This review mapped the design reference for each hardware feature to each requirement, i.e., established the traceability of each requirement to a specific design disclosure. This was done by appending to the requirements traceability matrix (see Section 4.3(c), this report) another column showing the documentation or design file reference for each hardware feature. A few deficiencies in the design were identified. These were provided to the design team for resolution.
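The two traceability checks described in Sections 4.3(c) and 4.4.1 can be written as a small gap check; this is an added example, not part of the original report or of the reviewers' tooling. The requirement IDs, design-file names and sample rows are constructed; the NUREG-0696 section numbers are those cited in the appendix of this report.

```python
"""Traceability-matrix gap check (added example; all sample data is constructed)."""
from dataclasses import dataclass, field

# The ten requirement categories listed in Section 4.3(b) of the report.
CATEGORIES = {
    "functional", "performance", "quality", "development and implementation",
    "audit trail", "user", "interface", "testing",
    "installation, operation, and maintenance", "training",
}


@dataclass
class Requirement:
    req_id: str                                      # hypothetical identifier
    category: str                                    # expected to be one of CATEGORIES
    sources: list = field(default_factory=list)      # original requirement references
    design_refs: list = field(default_factory=list)  # column appended in the design review


def review_matrix(matrix, mandated_clauses):
    """Return the gaps a reviewer would raise, keyed by kind of finding."""
    covered = {src for req in matrix for src in req.sources}
    return {
        # Regulatory clauses that no system requirement traces back to.
        "unaddressed_clauses": sorted(set(mandated_clauses) - covered),
        # Requirements that cannot be traced to any originating document.
        "no_source": sorted(r.req_id for r in matrix if not r.sources),
        # Requirements with no design disclosure recorded against them.
        "no_design_ref": sorted(r.req_id for r in matrix if not r.design_refs),
        # Rows filed under a category outside the agreed grouping.
        "unknown_category": sorted(
            r.req_id for r in matrix if r.category not in CATEGORIES
        ),
    }


# Clauses the matrix is expected to cover (section numbers as cited in the appendix).
MANDATED_CLAUSES = [
    "NUREG-0696 1.3.5", "NUREG-0696 2.9", "NUREG-0696 4.7",
    "NUREG-0696 5.1", "NUREG-0696 9.0",
]

# Constructed sample rows; IDs and design-file names are hypothetical.
SAMPLE_MATRIX = [
    Requirement("REQ-001", "functional", ["NUREG-0696 2.9"], ["DESIGN-FILE-A"]),
    Requirement("REQ-002", "performance", ["NUREG-0696 5.1"], []),
    Requirement("REQ-003", "interface", [], ["DESIGN-FILE-B"]),
    Requirement("REQ-004", "misc", ["OWNER-SPEC-1"], ["DESIGN-FILE-C"]),
]

if __name__ == "__main__":
    for kind, items in review_matrix(SAMPLE_MATRIX, MANDATED_CLAUSES).items():
        print(f"{kind}: {items}")
```

An unaddressed clause corresponds to the kind of finding listed in Appendix A.1, and a requirement with no design reference to the kind listed in Appendix A.2.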

4.4.2 Software Review

The software design review evaluated several aspects of the design:

(a) the compliance of the software features with those set forth in the system requirements; (b) adequacy of the software design documentation; (c) coding practices; and (d) SPDS display designs.

The code-related review was conducted by examining in detail a portion of the various software modules which had been either modified from existing code or were newly created for the ERFCS application. Approximately 10% of all such software was reviewed. This resulted in five deficiencies and three observations (i.e., recommendations for improvement).

The software features requirements (for all of the software) were evaluated by constructing the traceability matrix which mapped a software design file designation to each requirement, as discussed in the hardware review description, above.

It was concluded that the system software is adequately designed and implemented to meet system requirements.


The actual SPDS displays were reviewed against the following criteria:

(a) adequacy of the chosen variables to assess critical safety functions; (b) adequacy of the chosen variables to rapidly assess plant safety status; (c) data validation; and (d) consistency and comprehensibility of the presentation.

Seven observations and two deficiencies were noted in the SPDS display review. Generally, the displays were found to have been well thought out and should prove to be a useful aid to the plant staff during both abnormal and normal plant operation. The SPDS displays were determined to be directly integrated with the plant emergency operation procedures (EOPs) and should provide an important adjunct to overall plant safety.

4.5 Test Program Formulation

A test program was constructed for validation of the system. The test planning addressed validation in terms of achieving specific objectives to demonstrate the system performance vis-a-vis the design requirements. The test program plan

(a) specified individual tests to be performed;
(b) cited the objectives of each test;
(c) described the extent of testing required for the stated objectives;
(d) established the division of responsibilities between EI and Georgia Power Co.;
(e) addressed requirements for the generation of test procedures;
(f) provided direction for the execution of the test program and test documentation; and
(g) addressed the handling of test failures and abnormalities.

The test plan is documented in Reference No. 13. The test plan was developed over a considerable period of time and included significant collaboration between the design team and the V&V team.

On the basis of the direction provided by the test plan, the system designers developed a comprehensive set of test procedures. These procedures were reviewed for adequacy and completeness by the V&V team (References No. 10 and 11). The review found that the test procedures (a) enveloped the scope called for in the test plan; (b) were complete; (c) the documentation required would be adequate; and (d) would result in tests that were meaningful in terms of meeting the stated objectives.

4.6 Testing and Evaluation

Validation testing was conducted over a three-week-long period beginning in late September, 1986. The majority of the testing was done in the Georgia Power Company's Atlanta offices. These tests used the Vogtle Unit hardware which was procured at the same time and is identical to the Unit-1 hardware. Several tests were of a nature that office simulation could not provide meaningful results. In these instances, the tests were performed at the plant site on the actual Unit-1 hardware.

A portion of the tests conducted in the general offices was repeated on the Unit-1 hardware in the field. The successful completion of these repeated tests, together with those described above that were conducted in the field, provide a high assurance that there are neither subtle, unknown differences between the Unit-1 and Unit-2 hardware nor are there idiosyncrasies that would invalidate the office testing results. Descriptions of the field tests are given in Reference 17.

Energy Incorporated personnel witnessed approximately 90% of the tests performed in Atlanta, and were involved in a portion of these tests as test directors. Testing was determined to be successful, based on the following criteria:

(a) all testing was well planned; (b) testing execution was professionally handled; (c) when difficulties were encountered they were quickly recognized, conscientiously addressed, and competently resolved; and (d) test documentation was carefully maintained so as to permit independent confirmation of the results.


A full evaluation of the testing program is provided in Reference No. 16.

4.7 Safety Analysis Report

The safety analysis report that is required by NUREG-0737, Supplement 1 was developed. This report documented how the parameters selected for the Safety Parameter Display System (SPDS) portion of the ERFCS were sufficient to assess the safety status of each identified safety function for a wide range of events, which include symptoms of severe accidents.

The safety analysis report contained the following information:

(a) a description of the critical safety functions that would be monitored; (b) identification of the sources for selection of the parameter set; (c) a description of the Vogtle ERFCS data presentation; (d) a listing of the parameters selected and justification for each; (e) an explanation as to how radiation monitoring would be appended to the system; and (f) a conclusion as to the adequacy of the Vogtle SPDS.

The safety analysis report was transmitted in Reference 9.

4.8 Georgia Power Co. Internal V&V Activities

V&V activities performed internally by Georgia Power Co. constituted a vital segment of the overall verification and validation program imposed on this system (Reference 18). These included (a) interface meetings, (b) peer-level reviews, (c) reviews by plant personnel, (d) simulator training, (e) emergency drills, and (f) control room design reviews.

4.8.1 ERF Interface Meetings

ERF meetings were prevalent during the early stages of the ERF project and involved the following organizations: Bechtel Power Co., Westinghouse Electric Co., Foxboro, Southern Company Services, and Georgia Power Co. These interface meetings were held at various sites and consisted primarily of hardware design review, discussions of regulatory concerns, and interfaces to other computer systems in the plant.

4.8.2 Peer-Level Reviews

Peer-level reviews were conducted throughout the course of the ERFCS project by the design team staff. These reviews covered all aspects of the system, including hardware design and fabrication, display designs, operator interfaces, CPU timing, algorithms, and peer-level independent testing.

4.8.3 Reviews By Plant Staff

Reviews were conducted by the plant engineering and operations staff on display designs and man-machine interfaces, and provided nuclear engineering guidance to the system designers.

4.8.4 Simulator Training

Foxboro hardware identical to that in the ERFCS was installed in the plant simulator to provide operator training on the SPDS. With the exception of data acquisition, all software is also identical to that of the plant system. The simulator installation proved very useful in obtaining operations input during the design phase, and this resulted in many modifications and enhancements to the design. The use of the simulator also provided numerous opportunities for exercising the ERFCS algorithms in simulated normal and abnormal operating situations.

4.8.5 Emergency Drills

The ERFCS was used during several emergency drills as well as during the NRC-graded emergency exercise. ERFCS color consoles in the simulator control room, Emergency Operations Facility, and Technical Support Center were used during the drills, with all plant data provided by the simulator/ERFCS interface. User feedback during these drills was incorporated into the software and hardware designs.

4.8.6 Control Room Design Review

The SPDS was included in the control room design review. This review considered human factors and the proper integration of the SPDS into the emergency operating procedures. Discrepancies cited in the Human Engineering Discrepancy Status Report were factored into the ERFCS hardware and software designs.

5.0 CLOSING OF VERIFICATION & VALIDATION REVIEWS

Deficiencies noted in the various reviews conducted throughout the V&V program are reconciled in the appendix to this report. Each review that uncovered deficiencies is addressed. The references for the review report are cited, and the deficiencies found are listed, together with the Georgia Power Co. resolution.

For convenience, references given in the Appendix refer to the reference list at the end of the body of this report.

6.0 CONCLUSION

An extensive verification and validation program was developed and implemented to assure the correctness and usefulness of the Vogtle Electric Generating Plant emergency response facilities computer system. This program covered all phases of this system's development, climaxing in a very successful test program.

By virtue of the activities described in this and other V&V reports, it is concluded that the objectives of the V&V effort have been achieved. The Georgia Power Company can look forward to the important safety benefits of a fully validated system during the operation of this new electric generating facility.


REFERENCES

1. Letter, Felicione to Steinspring, Subject: IV&V Meeting Report, dated September 30, 1983.

2. Letter, Felicione to Steinspring, Subject: Transmittal of Program Plan, dated December 22, 1983.

3. Letter, Felicione to Steinspring, Subject: Transmittal of Program Plan, dated February 20, 1984.

4. Letter, Felicione to Steinspring, Subject: Revision of Program Plan, dated February 28, 1984.

5. Letter, Felicione to Steinspring, Subject: Preliminary Requirements Review Report, dated May 25, 1984.

6. Letter, Felicione to Steinspring, Subject: Transmittal of Requirements Review Report, dated February 27, 1985.

7. Letter, Hansel to Buttler, Subject: Hardware Design Documentation, dated May 16, 1985.

8. Letter, Felicione to Philips, Subject: Requirements Review Report, dated June 5, 1985.

9. Letter, Felicione to Philips, Subject: Safety Analysis Report, dated September 20, 1985.

10. Letter, Felicione to Butts, Subject: Forms for Validation Testing, dated September 22, 1986.

11. Letter, Felicione to Philips, Subject: Review of Validation Test Procedures, dated September 26, 1986.

12. Letter, Felicione to Philips, Subject: Software Design Review, dated September 26, 1986.

13. Letter, Felicione to Philips, Subject: Transmittal of Test Plan, dated October 13, 1986.

14. Letter, Felicione to Philips, Subject: Transmittal of Hardware Design Review Report, dated October 21, 1986.

15. Letter, Felicione to Philips, Subject: Transmittal of Software Design Review Report, dated October 30, 1986.

16. Letter, Felicione to Philips, Subject: Transmittal of Test Report, dated October 30, 1986.

17. Letter, Philips to Felicione, Subject: Validation Testing, dated October 20, 1986.

18. Letter, Philips to Felicione, Subject: Internal V&V Activities at Georgia Power Co., dated October 23, 1986.

19. Verbal communication. Letter, Philips to Felicione, Subject: Resolution of Requirements Review Deficiencies, to be issued.

20. Letter, Bockhold to Felicione, Subject: Resolution of Hardware Design Review Deficiencies, dated October 27, 1986.

21. Verbal communication. Letter, Philips to Felicione, Subject: Clarifications to Resolutions of Hardware Design Review Deficiencies, to be issued.

22. Verbal communication. Letter, Philips to Felicione, Subject: Resolution of Software Design Review Deficiencies, to be issued.

APPENDIX

Resolutions of Review Report Deficiencies

A.1 Requirements Review Deficiencies

The review of the system requirements is documented in References 5, 6, and 8.

(a) Nuclear Data Link
Requirements did not address the Nuclear Data Link that is required by NUREG-0696, Sections 1.3.5, 1.4, and 6.0.

Resolution - Inadvertently omitted in the requirements document. The ERFCS currently includes provisions for both asynchronous and bisynchronous communications which will handle the nuclear data link requirements (Reference 19).

(b) System Availability
Requirements did not address system availability as mandated by NUREG-0696, Section 5.1.

Resolution - Georgia Power Co. will include availability in its design per the guidelines given in NUREG-0696. A demonstration test of this capability will be performed (Reference 19).

(c) Protection From Non-Safety Systems
Failures of non-safety systems cannot be allowed to jeopardize the SPDS, per NUREG-0696, Section 5.1. The system requirements do not address this.

Resolution - The design of the ERFCS does not permit non-safety system failures to impact the SPDS (Reference 19).

(d) Operations Interference
Operation of the Emergency Operations Facility (EOF) must not interfere with control room functions (NUREG-0696, Section 4.7). Requirements do not address this.

Resolution - Only plant monitoring can be done on the ERFCS from the EOF (Reference 19).

(e) Information Availability
It is required by NUREG-0696, Section 2.9 that all sensor data and calculated variables that are available for the SPDS, EOF, and for off-site transfer be available in the Technical Support Center (TSC). Requirements do not address this.

Resolution - The ERFCS design permits all information to be accessed from all terminals (Reference 19).

(f) Human Factors
Requirements do not address the need for human factors evaluations in the design (NUREG-0696, Section 5.1).

Resolution - Human factor considerations have been made; the formal control room design review included the ERFCS (Reference 19).

(g) Verification and Validation
NUREG-0696, Section 9.0 requires that a formal V&V program be applied to the ERFCS design. Requirements do not address this need.

Resolution - This was inadvertently omitted from the requirements document. Georgia Power Co. conducts numerous V&V activities. Energy Incorporated has been contracted to provide an independent overview of the V&V process (Reference 19).

A.2 Hardware Design Deficiencies

Deficiencies found during reviews of the hardware design are given in Reference 14.

(a) Isolation Equipment
Isolation equipment was not shown in the design documentation.

Resolution - This equipment is outside the scope of the ERFCS as such. Isolation of input signals to the ERFCS is accomplished by the Remote Processing Units, Data Processing Units, PERMS, and the isolation device panels. The issue has been addressed by Westinghouse, Bechtel, and the Vogtle Project licensing organization with the NRC (Reference 20).

(b) Seismic Qualification
Apparent conflicts in the NRC requirements for seismic qualification of the ERFCS have not been resolved.

Resolution - The Vogtle ERFCS has been designed to the requirements of NUREG-0737, Supplement 1 which does not require the system to be seismically qualified (Reference 20). Note: NUREG-0696 does, in fact, require seismic qualification for the safety systems. However, the safety systems are not within the scope of this ERFCS project; those are provided by others and have been properly qualified.

(c) Environmental Specifications
The Bechtel Procurement Specification X5AB04 required all equipment except the multipliers and multiplexers to operate at 40°F to 120°F and 3% to 80% relative humidity. The multipliers and multiplexers were required to operate at 17°F to 120°F and 45% to 100% relative humidity.

Foxboro took exceptions to these requirements, offering instead 40°F to 110°F and 5% to 95% relative humidity. No reconciliation of these variances was found.

Resolution - Numerous meetings were held on the procurement issue to refine the true needs for this equipment. On the basis of a Foxboro letter to Bechtel dated February 24, 1983, Bechtel and Foxboro reached agreement as to environmental conditions (Reference 21).

(d) Fire Protection Requirements
The Bechtel procurement specification invokes R.G.-1.120, Rev. 1 and IEEE-472 as applicable to the ERFCS equipment.

Foxboro specifically took exception to these requirements. No reconciliation could be found in the design documentation.

Resolution - Numerous meetings were held on the procurement, and this discrepancy was addressed. Certain equipment modifications were made, and the resulting design was accepted by Bechtel in a telex to Foxboro dated July 9, 1981 (Reference 21).

(e) Drawings Inadequate
System configuration drawings are inadequate to maintain the system.

Resolution - Bechtel and Foxboro prepared a complete series of applicable drawings (series X5AB04). These drawings had inadvertently been omitted from the design review package (Reference 20).

(f) Hardware Features
Foxboro documentation does not confirm the inclusion of a real-time clock, power-fail monitor, priority interrupts, and addressable registers in the system hardware.

Resolution - Foxboro vendor manual 1X5AB04-146 addresses these equipment features. This documentation was inadvertently omitted from the design review package (Reference 20).

(g) Bisynchronous Interface
No design documentation was found for this interface.

Resolution - This information is to be obtained from Foxboro. This feature is present but is not currently being used (Reference 20).

(h) RAM Memory
Foxboro documentation shows only 64K RAM being provided instead of the 128K shown in Georgia Power Co. functional requirements.

Resolution - An additional 64K was later added, Purchase Order No. VGP7-0279 (Reference 20).

(i) QWERTY Keyboard
Foxboro documentation does not show the QWERTY keyboard in the EOF.

Resolution - This keyboard has been deleted from the EOF. It may be used elsewhere or saved as a spare (Reference 20).

(j) Foxboro documentation shows two consoles and two spares in the control room.

Resolution - During a control room redesign, one spare console was made active, the other moved elsewhere. The new arrangement is shown on Plant Drawing No. AX5D52A02 (Reference 20).

(k) Hardware Missing from Drawings
The multiplier, SOE, and AIM equipment was not found on any drawings.

Resolution - Documentation has been added. The new X5AB04 series of drawings includes this equipment (Reference 20).

(l) Hardware Descriptions Missing
No design descriptions for the RPUs, data concentrator, and PERMS protocol were found.

Resolution - Documentation has been added to the VEGP ERF System Manual to cover these items (Reference 20).

A.3 Software Design Review Deficiencies

Five software deficiencies were found as listed below. Georgia Power Co. has acknowledged these and has committed to rectify them (Reference 22).

(a) In the VOGERF-14 file, identify the final version of the CSF status trees approved by the plant for those diagrams that have multiple copies.

(b) Correction required in the flow chart in Section 5.5.1.9 of the System Description to show the appropriate direction for the arrow from the box labeled "DO A,B,C AGREE WITHIN DELTA".

(c) Add to the VOGERF-16 file the resolution of the requested review of a hardware problem with the asynchronous interface.

(d) Add the VAQS calls to Section 3.2 of the System Description.

(e) In VOGERF-16 reimplement the software modification dated 9-5-85 requesting that "If a failure timer expires on diagnostic output, release KSR EXEC and restore diagnostics to running status".

A.4 SPDS Displays

Two deficiencies were found in the review of the SPDS displays. The resolutions are given below.

(a) Heatup/Cooldown
The calculated heatup/cooldown rate is based on a wide-range T-ave difference of one minute. The RCS integrity decision is based on a T-cold difference in 60 minutes. The calculated value should be made consistent with the information requirements of the status tree which is consistent with plant technical specifications.

Resolution - There are additional aspects to this that make the given approach acceptable (Reference 22):

    (1) the T-ave difference in one minute is used to compute a T-ave difference in one hour;
    (2) the RCS Integrity determination is correctly calculated and is independent;
    (3) the Technical Specifications do not mandate a particular temperature measurement; and
    (4) the ERFCS also has a T-ave trend that shows cooldown/heatup rates compared to the limits.

(b) The saturation curve display has an area labeled "SATURATION REGION". This is incorrect and should be SATURATION LINE.

Resolution - This display has been corrected (Reference 22).