ML20214J447

From kanterella
Jump to navigation Jump to search
Post-Implementation Audit Rept for Yankee Atomic Electric Co,Yankee Rowe Nuclear Power Plant,Spds, Technical Evaluation Rept
ML20214J447
Person / Time
Site: Yankee Rowe
Issue date: 06/25/1986
From:
SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
Shared Package
ML20214J423 List:
References
CON-NRC-03-82-096, CON-NRC-3-82-96 SAIC-86-3060, NUDOCS 8612010316
Download: ML20214J447 (31)
v  d  e


Text

ERCLOSURE 2

~ * -

SAIC-86/3060 POST-IMPLEMENTATION AUDIT REPORT FOR YANKEE ATOMIC ELECTRIC COMPANY'S o YANKEE R0WE NUCLEAR POWER PLANT SAFETY PARAMETER DISPLAY SYSTEM SAIG Sesence Applearsons brometsonalCorporstscs:

June 25, 1986 Prepared for U.S. Nuclear Regulatory Commission Washington, D.C. 20555 g Prepared by Science Applications International Corporation 1710 Goodridge Drive McLean, Virginia 22102 Contract NRC-05-82-096 8612010316 861118 PDR ADOCK 05000029 P PDR.

Post Office Bcx 13W.1.'10 Goodndge Dme, McLean. Virginia 221W, (703) 8714300

TABLE OF CONTENTS Section Pace I.0 INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . 1

2.0 BACKGROUND

. . . . . . . . . . . . . . . . . . . . . . . 1 3.0 REGULATORY BASIS FOR SPDS AUDITS . . . . . . . . . . . . 2 4.0 REVIEW 0F SPDS EVALUATION TOPICS . . . . . . . . . . . . 4 4.1 Critical Safety Functions / Parameter Selection . . . 4 4.2 System Design . . . . . . . . . . . . . . . . . . . 6 4.2.1 System Description . . . . . . . . . . . . . 6 4.2.2 Display Configuration. . . . . . . . . . . . 8 4.2.3 Data Validity. . . . . . . . . . . . . . . . 10 4.2.4 Maintenance and Configuration Control. . . . 13

,4.2.5 Security . . . . . . . . . . . . . . . . . . 14 4.2.6 Isolation Devices. . . . . . . . . . . . . . 14 4.3 System Verification and Validation. . . . . . . . . 14 4.4 Human Factors Engineering . . . . . . . . . . . . . 15 4.5 Use of SPDS in Operation. . . . . . . . . . . . . . 16 5.0 AUDIT FINDINGS AND CONCLUSIONS . . . . . . . . . . . . . 19 REFERENCES . . . . . . . . . . . . . . . . . . . . . . . 21

! ATTACHMENT 1: AUDIT AGENDA. . . . . . . . . . . . . . . 22 ATTACHMENT 2: MEETING ATTENDEES . . . . . . . . . . . . 26 l

i

we 6

LIST OF FIGURES 9

Fiaure ,

f3.21 1 Critical Safety Function /EOP/ Parameter Relationship. . . 7 2 Overview of SPDS Implementation. . . . . . . . . . . . . 9 3 Data Flow Diagram. . . . . . . . . . . . . . . . . . . . 11

~

4 SPDS Availability Calculations . . . . . . . . . . . . . 18 W

i it

POST-IMPLEMENTATION AUDIT REPORT FOR YANKEE ATOMIC ELECTRIC COMPANY'S YANKEE R0WE NUCLEAR POWER PLANT SAFETY PARAMETER DISPLAY SYSTEM

1.0 INTRODUCTION

a This report documents the findings of the Nuclear Regulatory Commission (NRC) post-implementation audit of Yankee Atomic Electric Company's Yankee Rowe Nuclear Power Plant Safety Parameter Display System (SPDS). The audit was conducted April 22-23, 1986. The purpose of the audit was to confirm the closure of several open issues from the Safety Evaluation Report dated December 17, 1984 (Reference 1). As described in NUREG-0800, Section 18.2 (Reference 2), was to ascertain that the SPDS has been installed in accord-ance with the licensee's plan and is functioning properly. The audit team consisted of an NRC team leader, two NRC contractor personnel from Science Applications International Corporation (SAIC) and a representative from SAIC's subcontractor, COMEX Corporation. The team was comprised of indi-viduals representing the disciplines of nuclear systems engineering, nuclear power plant operations, human engineering, and software systems engineering.

j All of the audit team members were familiar with NRC SPDS requirements and i the Yankee Rowe SPDS background documentation.

The findings of the evaluation of the SPDS follows a brief review of the background of the SPDS and regulatory requirements.

2.0 BACKGROUND

All holders of operating reactor licenses issued by the NRC and appli-cants for an operating license must provide a Safety Parameter Display System (SPDS) in the control room of their plant. The NRC-approved require-ments for the SPDS are defined in Supplement I to NUREG-0737 (Reference 3).

The purpose of the SPDS is to provide a concise display of critical plant variables to control room operators to aid them in rapidly and reliably determining the safety status of the plant. NUREG-0737, Supplement

! 1, requires licensees and applicants to prepare a written safety analysis I

l

report (SAR) describing the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents. Licensees and applicants must also prepare an Implementation Plan for the SPDS which contains schedules for design, development, installation, and full operation of the SPDS as well as a design Verification and Validation (V&V) Plan. The SAR and Implementation Plan are to be submitted to the NRC for staff review.

The results from the staff's review are to be published in a Safety Evalua-tion Report (SER).

By letter dated September 1,1983 (Reference 4), Yankee Atomic Electric

. Company submitted an SAR regarding the SPDS for the Yankee Rowe Nuclear Power Plant in response to NUREG-0737 Supplement 1. The NRC staff reviewed the SAR and responded to it'with an SER dated December 17, 1984. Yankee Atomic Electric Company then responded to the NRC's SER concerns by letter dated April 8, 1985 (Reference 5).

3.0 REGULATORY BASIS FOR SPDS AUDITS The purpose of the SPDS as stated in NUREG-0737 Supplement 1 establishes the basic functional requirement for the system: "The SPDS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core. This can be particularly important l during anticipated transients and the initial phase of an accident."

c

The SPDS requirements as defined by NUREG-0737 Supplement I are
l. To provide a concise display of critical plant variables to con-l trol room operators (NUREG-0737), Supplement 1 Paragraph 4.1.a) 1
2. To be located convenient to control room operators (NUREG-0737, Supplement 1 Paragraph 4.1.b) 2
3. To continuously display plant safety status information (NUREG-0737, Supplement 1 Paragraph 4.1.b)
4. To be reliable (NUREG-0737, Supplement 1 Paragraph 4.1.b)
5. To be suitably isolated from electrical or electronic interference with safety systems (NUREG-0737, Supplement 1 Paragraph 4.1.c)

~

6. To be designed incorporating accepted Human Factors Engineering principles (NUREG-0737, Supplement 1 Paragraph 4.1.e)
7. To display, as a minimum, information sufficient to determine plant safety status with respect to five safety functions (NUREG-0737, Supplement 1 Paragraph 4.1.f):
i. Reactivity control ii. Reactor core cooling and heat removal from the primary system iii. Reactor coolant system integrity iv. Radioactivity control
v. Conta.nment conditions.

The five functions listed above will be referred to as critical safety functfons. Each critical safety function is depicted by combinations of individual parameters such as steam generator level or cold leg temperature. For audit purposes, the term

" variable" will not be used.

8. To implement procedures and operator training addressing actions with and without SPDS (NUREG-0737, Supplement 1 Paragraph 4.1.c)

Guidance as to what constitutes acceptable implementation of the above requirements is provided by Appendix A to NUREG-0800 Section 18.2 and other documents cited therein, particularly NUREG-0700 (Reference 6).

The audit was designed to evaluate the operational performance of the SPDS as well as the prescriptive regulatory compliance of NUREG-0737 Supple-ment 1. Yankee Rowe operations and management staff were interviewed, and i the SF~ S in the control room was evaluated in order to measure the 1

3 l

operational performance of the system. This audit report reflects the consolidated findings of the audit team.

The audit agenda is provided as Attachment 1 to this report. The list of audit meeting attendees is provided as Attachment 2 to this report.

4.0 REVIEW OF SPDS EVALUATION TOPICS 4.1 Critical Safety Functions / Parameter Selection In the SPDS SER, the NRC stated that the licensee, in its 1983 SAR, had not provided an evaluation of the relationship of the parameters to the critical safety functions in NUREG-0737, Supplement 1. The licensee responded by letter dated April 8, 1985. The licensee stated that while the bases for the selected Yankee Rowe critical safety functions and the NUREG-0737 Critical Safety Functions differ, the parameters selected provide equivalent information. The list of NUREG-0737 Supplement 1 Critical Safety Functions vs. Yankee Rowe SPDS parameters is provided below:

Cateoory SPDS Parameter

i. Reactivity control Power range power level Intermediate range power level i Source range power level
11. Reactor core cooling and Main coolant pressure heat removal from the Main coolant temperature primary system Steam generator pressure Steam generator water level l

! Pressurizer level Vapor container pressure Vapor container flood level Emergency feedwater flow Steam flow Feedwater flow Core exit temperature Saturation pressure Hot leg temperature l

l 4

l

Cateaory SPDS Parameter Cold leg temperature Upper head temperature iii. Reactor coolant system Main coolant temperature integrity Main coolant pressure Air ejector radiation Steam line radiation Vapor container pressure Vapor container flood level Pressurizer level Vapor container air particulate Vapor container radiation Vapor container hydrogen concentration Saturation pressure i

iv. Radioactivity control Air ejector radiation Steam line radiation

. Vapor container air particulate Vapor container radiation Vapor container pressure

v. Containment conditions Vapor container flood level Vapor container pressure Vapor container air particulate Vapor container radiation Vapor container hydrogen concentration In the NRC's December 17, 1984, letter, the NRC requested that contain-ment isolation be added to the Yankee Rowe parameters. Containment isolation has not been added to the computerized SPDS. However, a fixed panel display of essential and nonessential isolation indicators is provided within full view of both control room SPDS screens. It was the audit team's judgment that the location of the containment isolation displays is accepta-ble and can be considered part of the SPDS.

5

Figure 1 illustrates the relationship of the five Yankee Rowe critical safety functions, upgraded emergency operating procedures, and SPDS parame-ters. The critical safety functions and the parameters selected to depict them will be thoroughly integrated into emergency operations when the new upgraded emergency operating procedures are implemented.

In summary, the audit team made three judgments regarding SPDS parame-ters and functions. First, the basis for parameter selection was correct and appropriately documented. Second, the parameters selected for SPDS, including containment isolation . provide a complete set of critical safety function information. Third, the five Yankee Rowe critical safety functions

- provide information equivalent to the NUREG-0737 critical safety functions.

Therefore, it is the audit team's judgment that the licensee meets the NUREG-0737 Supplement 1 SPDS requirement for parameter selection.

4.2 System Design 4.2.1 . System Description Since the Yankee Rowe system is capable of presenting the operators with information that is used for normal as well as emergency conditions, it was necessary for the audit team to establish what part of the system is defined as SPDS. The team and the licensee established an SPDS definition which is limited to the ten emergency operations displays and their asso-ciated pushbutton controls. The displays are called to the SPDS screens by the two leftmost and eight rightmost pushbutton keys on the top row of the SPDS Ramtek keyboard. These are from left to right:

TOP SGS (Top Steam Generator Systems display)

TOP PT (Top Pressure Temperature display)

REACT (Reactivity Control display)

MCI (Main Coolant Inventory Control display)

CHR (Core Heat Removal Control display)

SCI-l (Secondary Cooling / Inventory Control for #1 Steam Generator)

SCI-2 (Secondary Cooling / Inventory Control for #2 Steam Generator)

SCI-3 (Secondary Cooling / Inventory Control for #3 Steam Generator)

SCI-4 (Secondary Cooling / Inventory Control for #4 Steam Generator)

VCI (Vapor Container Integrity Control display) 6

ec***cacea****eonceoooec*eo '

E  :* FUEL CLADDING INTEGRITY ga

%*************************f

                                                                                                              • ean*****t4***************************************

I SECONI ARY I MAIN l CORE

  • VAPOR I REACTIVITY *
  • C001.lNU/
  • C001. ANT l llEAT
  • CONTAINER
  • CONTROL I A REMOVAL I INTEGRITY I SKS INVENTURY INVENTORY 3 CONTROL
  • CONTROL I
  • CONTR01. CONTROI.

1*******************4*************mestat****IA******AAAA*sta****lA*****************f*******************I BTASKS:

HPTOM ,

OCEDURE MBER **************4*************

o************************************************************mana************************************I

  • I I
  • I retivity* Secondary
  • Secondary
  • Secondary
  • Secondary f Secondary
  • Main Coolant
  • thin Coolant * *Main Coolant
  • VC High ;

Press liigh

  • Press liigh;
omaly
  • Press Iligh
  • Level liigh
  • Level Low
  • Press Low
  • Rad liigh
  • Press Low
  • Temp fligh
  • E0P #5  ; E0P #6
  • E0P #8
  • E0P #10 *

'P #1  ; E0P #4

s*******/'.***********/'************/'**********/'******An**dke**********$**************I*************4*************I************I
a. Steam Generator a. Vapor Container a. Pressurizer a. Vapor Container
a. Power range power level pressure level level flood level LSK b. Intermediate b. Steam Cenerator b. Pressurizer b. Main Coolant b. Vapor Container range power level pressure level pressure radiation LINTENANCE LR I ABI.ES
c. Ilot leg c. Vapor Container
c. Source range c. Steam flow c. Air Ejector radiation temperature  !! e ncentration power level 2 a
d. Feedwater flow d. Main Coolant d. Cold leg pressure temperature
e. Steamline e. Vapor Container e. Core exit radiation pressure temperature
f. Fmergency f. Vapor Container f. Saturation Feedwater flow air particulate Pressure
g. Upper llead Temperature figure 1. Critical safety function /EOP/ parameter relationship.

i l

l l

i t

The system description is detailed in the following documen'ts:

1. Functional Requirements (NSAC-55) (Reference 7)
2. Data Requirements (NSAC-55)
3. System / Subsystem Specifications - General System Design (NSAC-55)
4. Program Specifications - Detailed System Design - Code and Test, System Test Plan - General Acceptance Test Plan (NSAC 61)

(Reference 8)

5. Data Base Specifications.

In summary, the definition of SPDS was limited to ten displays and their associated controls. The system description is thoroughly detailed in NSAC-55 and NSAC 61. An overview of SPDS implementation is provided in Figure 2.

4.2.2 Disolav Confiouration The SPDS display configuration was evaluated in the control room by the

.- audit team. At the time of audit team evaluation, the plant was operating at 100% power.'

The audit team evaluated the static and dynamic technical content of each of the ten displays in order to determine if the parameter and critical

safety function information is dispersed as specified in the system descrip-tions. In the Yankee Rowe SPDS, technical content consists of critical safety function alert boxes and dynamic parameter information on each of the ten di spl ays. The audit team evaluated each parameter in terms of range, accuracy, engineering units, and alert setpoints. Each parameter range, accuracy, and engineering unit was compared with the fixed panel control room information to determine the adequacy of the technical content. The alert setpoint marks were also evaluated to confirm the appropriateness of the setpoint marks within the context of the critical safety function dis-plays. For example, the pressurizer level alerts on low level on the main coolant inventory display in order to make the operator aware of a loss of inventory. However, the pressurizer level alerts on high level for core heat removal in order to make the operator aware of an increase in reactor coolant system volume which has been caused by an increase in temperature, 8

Overview of SPDS Implementation 22 APR 86 I. Overview A. Hardware

1. Modcomp Classics II w/ 1 Megabyte of Memory
2. Tape Drive 3, 21 Megabyte Disk
4. Ramtek Controller and Displays
5. Keyboard
6. Modacs
7. Serial Ports B. Software
1. Data Collection
a. Signal Range Validation
b. Truth values
c. Calculated Values
d. Alarms
2. Database
3. Historian
4. Display Routines
5. Process Monitor C. Data, Flow II. SPDS Functions A. Alert Indicators
1. Alarm Acknowledgement B. Steam Generator Summary
C. P/T Plot D. Custom Trend 1., Point ID Swap
2. Scale Change
3. Digital value E. Secondary Level Plots
1. REACT
2. MCI
3. CHR
4. SCII
5. SCI 2
6. SCI 3
7. SCI 4
8. VCI
r. Point ID Reports
l. Scan Data
2. Point Review
3. Offscan Report
4. Incore Thermocouple Map
5. Hardcopy Option G. Data Archival
1. Starting
2. Stopping III. Procedures A. Startup B. Flush C. Coldstart Figure 2. Overview of SPDS Implementation.

9

and with its corresponding decrease in water density. The audit team deter-mined that in each case the setpoints were appropriate and useful.

The SPDS information is presented on two display screens in the control room. This allows the shift supervisor to evaluate individual or combined critical safety function alerts. For example, a simultaneous alert on the main coolant inventory and core heat removal critical safety function displays can be used to indicate a classic TMI-type problem with a combined loss of main coolant inventory and inadequate core cooling. The audit team determined that the capability of presenting SPDS information on two screens is an especially useful feature.

The only fixed panel display used as part of the SPDS is the essential containment isolation and nonessential containment isolation panel. The content and workspace location of the containment isolation display were evaluated by the audit team in the control room. It was determined that all essential and nonessential containment penetration information is appro-priately displayed.

In summary, the audit team evaluated the technical content of the SPDS, including the Containment Isolation display, and determined that the status of the safety functions and associated parameters are correctly configured.

The use of the two display screens provides flexibility when analyzing single or combined critical safety function problems.

4.2.3 Data Validity Data validity for all displayed safety parameters on the SPDS is provided by either the " truth" signal method for redundant inputs or by a signal range check for single inputs. In the case of single input parameters, a preset range is compared with the actual signal input. (See Figure 3 for data flow diagrams.)

The SPDS is fed by redundant signals for most parameters. The signals are received directly from the sensors. The algorithms used to support data validity were developed by a team of EPRI and plant personnel using probabi-listic risk assessment t'o develop a full range of operating conditions and events over which the data would be validated. After evaluation of a sample 10

F1M T IN'tT1 51CRALS 1 3Av DATA  !

3 . CVRADT TALID DATA l

.,-,=..r , .L . ,

3 . CLet 6 IEAlvf D BATA .

A CVRADT 6 DER.!VED DATA 3 . ALAp atOct ST M MACS !!!

6 . ABCulft h&TA f - aff0af MTA g . D1571.AT DATA 9 . FICTVRE DATA 10 . AACR!n DATA I **""

11 - RIPORT DATA

18. SPD5 D15FMT5 BATA IEPtrT AIED TAI.1DAT10s:

(GTTDAT)

~~~L CALCLu TED TAKE5 PROCISSCE

.EALT3K)

~

~--l A_

F10CE5501 (ALARMF) 3 4

t i t e

A DATA BASE MANA0ER (DDiT5K),

1 EU EISTORIAN l DATA RAIT .

(515T) 8 d d .

s DISFuY I /

DATA REPORT A ARCHIVIST S CEN!RATOR C FROC1550R pt ;g [

(REPGD) (DSPSIL. D5?WD) ygL1 (RSAV1) l i

A"E l narcaT5 CetescaAPul:

DISPLAYS l k f l

Figure 3. Data Flow Diagrait.

l 11 i

_ . - _ - _ ~ . - . - .

33. Apestvt a20W5T g4 3372T uQWST is - ntsrut umsf necus osn zwref reocassen (T10TSE) 3 C A

j 1

r i

I l

I Figure 3. Data Flow Diagram (continued).

l 12 1,

set of software data validity algorithms, the audit team concluded that they were appropriate.

Invalid data is indicated by a parameter value displayed in white, rather than a color. White indicates either invalid data or off-scale readings.

In order to confirm the data validity of the operating system, all SPDS parameter readings were checked against the fixed panel instrumentation with the reactor at 100% power. They were verified to be correct with the exception of source range power.

The source range power indicates valid information while operating in the power range. The reason for this anomaly was not known at the time of the audit. However, the licensee made a commitment to find the cause and correct.the problem. ,

In summary, redundant hardware and software algorithms used to ensure data validity are reasonable. A check of the data validity in the control room confirmed that the data validity process works correctly with the exception of source range indication while operating in the power range.

The licensee made a commitment to find the cause of the invalid source range indication and correct the problem.

i 4.2.4 Maintenance and Confiauration Control The audit team evaluated software maintenance, including configuration control procedures, maintenance of system documentation and system modifica-tion records, and provisions for evaluating the impact of system modifica-tions of system performance.

The licensee has developed procedures for modifying the SPDS hardware /

software. Those procedures entail departmental request from the plant, quality assurance standards, computer systems software and services, scope, functional specification, and sign-offs. Documentation includes updates to the display specifications and system design. Records, including sign-offs by users and management, are kept at the licensee's headquarters in Framing-ham, Massachusetts. Modification impact evaluations are conducted in formal 13

sessions held two or three times per year. All changes, no matter how trivial, must adhere to this formal process.

The audit team determined that the maintenance and configuration control process is appropriate. As long as the current procedures are followed, the SPDS could readily be maintained and modified at any point in the foreseeable future.

~

4.2.5 Security System access is provided by remote telephone communication (RS232).

. Security is provided by a system which requires shift technical advisor approval to open a port and by use of passwords. Remote ports are enabled and disabled every time the system is accessed. This provides an access which is controlled by the technical advisory staff. The audit tc&m deter-mined that software security is adequate.

4.2.6 Isolation Devices The audit team made a hands-on inspection of the Technology for Energy Corporation TEC-156 isolation devices. The 28 TEC isolators meet IEEE Standards 323-1974 and 344-1975. Qualified cable and seismic-rated conduit cable trays are used between the TEC isolators and the plant safety grade instrumentation. Thirty two qualified TEC isolators are available for future applications.

The 16 nonsafety grade signals are electrically isolated using commer-cial grade signal converters while the 12 pneumatic signals were isolated using commercial pneumatic-electrical transducers.

The audit team confirmed that the devices were properly installed in a mild environment (cabinets in the control room).

4.3 System Verification and Validation The audit team evaluated the process and results of the hardware and software verification and validation. The verification and validation plan is documented in NSAC-61. Review of NSAC 61 indicated that the licensee's 14 l

I

process for verifying and validating the SPDS hardware and software was appropriate. All necessary verification and validation procedures were strictly followed, including a comprehensive validation and testing program, by an independent review team.

Audit team review of the documented verification and validation results indicated that the process as described in NSAC-61 was comprehensively performed.

4.4 Human Factors Engineering

. By NRC letter dated December 17, 1984, the NRC identified two human factors-related information items needed for staff confirmatory review.

First, the NRC requested that the licensee provide a commitment to validate all displayed safety parameters. The audit team confirmed that data validation for all displayed safety parameters on the SPDS is provided by either the " truth" signal method for redundant inputs or by a signal range check for single inputs. This confirmatory item is addressed and

!- the process approved in Section 4.2.3, Data Validity, of this report.

Second, the NRC requested that the licensee provide a commitment to improve the display method for identifying questionable data. The audit team confirmed that when data is invalid or off scale, the data is displayed in white rather than in its normal color. The system worked for all parame-ters, except for source range power. The source range issue is covered in greater detail in Section 4.2.3, Data Validity. Except for source range indication questionable data is identified on the SpDS; the operator can look to the main control boards for the information required.

The audit team performed a human factors engineering review of the SPDS l

in the control room with the plant operating at 100% power. As a result of l this review, the audit team determined that, with only minor exceptions, the displayed information, enhancement techniques, and control interface con-formed to good human factors principles such as those provided in NUREG-0700.

15

There were several minor human engineering discrepancies identified by the audit team. First, the cya'n color used for parameter readings has a low contrast ratio with white, which indicates invalid or off-scaled readings.

Second, the red indicator lights located above each of the ten SPDS controls serve no apparent function, such as indicating which control has been ener-gized. Third, there is no audible alarm signal associated with the SPDS alerts. These are minor concerns in a well-human engineered SPDS.

The workspace location of the two SPDS screens and controls is appropriate for the needs of the shift supervisor, who is the intended user.

In addition, the containment isolation panel is readily visible and usable from the position of the SPDS user.

All of the SPDS human engineering discrepancies identified by the DCRDR team were evaluated by the audit team. The DCRDR human engineering discrepancies were written two years ago and for the most part did not reflect the finished system in the control room at the time of the audit.

The audit team concluded after discussions with the licensee that none of the earlier discrepancies presented a concern on the installed system.

However, the licensee made a commitment to respond in writing to each of the DCRDR items in order to provide the complete documentation.

In summary, the audit team determined that, with three minor excep-tions, the SPDS displays good human factors engineering. The licensee should respond to the three minor discrepancies and provide a documented response to the DCRDR human engineering discrepancies.

4.5 Use of SPDS in Operation The purpose of this audit activity was to judge whether the SPDS satisfies its intended purpose of aiding operators in " rapidly and reliably determining the safety status of the plant" and "in ... assessing whether abnormal conditions warrant corrective actions by operators to avoid a degraded core." The audit team assessment was based on (1) demonstrated operation of the SPDS in the control room with the plant in operation, (2) interviews of licensed operators and other operations personnel, and (3) discussions with training personnel.

16

The audit team evaluated the display call-up response times in the control room. The displays for the two control room screens and one techni-cal support center screen responded in 3 to 4 seconds. The call-up time includes the time it takes for the previous display to leave the screen and the static and dynamic portions of the new display to appear on the screen.

All ten SPDS displays were called up in order to verify the 3 to 4 second call-up time. Since the system responds to one request at a time, the call-up takes 6 to 8 seconds if another display has just been requested on another screen. In this case, a printed message appears in the lower left corner of the second requestor's' screen informing him that another request is in process and that his will be answered in turn. The audit team deter-mined that the display call-up times were appropriate to the operators' needs.

The licensee has a requirement, which was negotiated with the NRC regional office, to report SPDS downtime when it exceeds 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> while the

plant is in power operation. The availability of the SPDS has been moni-tored for three years by the shift technical advisors. Based on the down-time log, SPDS availability is calculated by shift technical advisors to be 97% (see Figure 4). The trend toward increased SPDS availability reflects the final resol'ution of hardware and software development problems.

The licensee has designed the SPDS to function as an integrated tool with the upgraded E0Ps, which are based on the critical safety functions.

At the time of the audit, the upgraded E0Ps were awaiting approval from NRC.

However, the licensee plans to begin training the operators on emergency i

operations using the upgraded E0Ps and the SPDS, as soon as the E0Ps are approved.

D The audit team conducted interviews with a shift supervisor, senior reactor operator, reactor operator, and a shift technical advisor in order to sample user acceptance of the SPDS. All of the SPDS users interviewed were knowledgeable in the system and accepted it as a useful tool for emergency and normal operations. The operators have much more experience with the SPDS during normal operations than with emergencies since the plant has been operated without major incidents over the past two years. The use of the SPDS during normal operations is an important feature of the SPDS 17

Yankee Atomic Electric Co.

Calculation: SPDS Availability (1984 - March 31, 1986)

SPDS availability is applicable only to MODES 1-4. During the following intervals, YNPS was in either operating MODE 5 or MODE 6:

Dalg Duration 4/1/84 - 6/3/84 64 days 7/13/84 - 8/13/84 31 days 42 days 10/20/85 - 12/2/85 137 days The total SPDS ' downtime' for the January 1, 1984 to March 31, 1986 interval was: -

19.74 days (MODES 1-4)

The maximum oossible time the system could have been active over this time span (for operating MODES 1-4) is 366 (1984) and 365 + 90 (January, February and March 1986) -137 days (MODES 5 and 6) - 684 days.

684-19.74 , ,97 684 97% AVAILABILITY Figure 4. SPDS Availability Calculations 18

design because it enhances operator confidence in the system and knowledge of its capabilities.

Training for the SPDS was reviewed by the audit team, and confirmed through operator and training department interviews and review of records.

Training for operations, with and without the SPDS available, is conducted.

Previous training and that planned, including continuing and retraining, were determined to be adequate.

An important feature of the Yankee Rowe SPDS is the data archival capability. All reactor trips experienced since SPDS installation were

~

recorded by the SPDS and are stored on tape in the control room. These tapes provide valuable diagnostic and historical data.

In summary, the control rohSPDSatYankeeRowe is reliable and available. The operators use it as k tool for emergency and normal opera-tions.

5.0 AUDIT FINDINGS AND CCNCLUSIONS The conciusions are presented in terms of the eight NUREG-0737 Supplement I requirements. Conclusions regarding each of the requirements are based on one or more audit activities. The consolidated audit team findings and conclusions are listed below:

1. The SPDS provides a concise display of the critical plant variables.
2. The SPDS is conveniently located.
3. The SPDS is continuously displayed in the control room.
4. The SPDS is reliable.
5. SPDS electrical and electronic isolation is in accordance with design requirements.

19

6. The SPDS adequately incorporates human factors engineering princi-ples, with the following minor exceptions, which the licensee has agreed to address:

o Source range power during power operations indicates a valid reading; o Cyan parameter color coding has low contrast to the white invalid coding; o Red indicator lights on SPDS control panels serve no function; o The licensee has not provided NRC with a written response to the DCRDR HEDs.

7. The SPDS provides the minimum information needed to determine plant safety status with respect to:

o , Reactivity control o Reactor core cooling and heat removal from the primary system o Reactor coolant system inventory o Radioactivity control o Containment conditions.

8. SPDS procedures and operator training addressing actions with and without the SPDS have been implemented.

In summary, the audit team determined that the SPDS will meet the NUREG-0737 SPDS requirement when the human factors engineering concerns identified in item 6 above are resolved.

20

[

REFERENCES

1. Letter from NRC to Yankee Atomic Electric Company, Subje:t: Revised SER for Yankee Rowe Safety Parameter Display System, NRC, December 17, 1984.

I 2. NUREG-0800, " Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 18.2, Rev. O, " Safety Parameter Display System (SPDS)," and Appendix A to SRP Section 18.2,

" Human Factors Review Guidelines for the Safet: Parameter Display

. System," November 1984.

3. NUREG-0737, Supplement 1, " Requirements for Emergency Response Capability," USNRC, Washington, D.C., December 1982, transmitted to reactor licensees via Generic Letter 82-33, December 17, 1982.
4. Yankee Atomic Electric Company Safety Parameter Display System (SPDS),

Yankee Atomic Electric Company, September, 1983.

5. Letter from: J.A. Kay, Senior Project Engineer - Licensing, Yankee Atomic Electric Company, to: John A. Zwolinski, Chief, Operating Reactors Branch No. 5, Division of Licensing, NRC,

Subject:

Safety Parameter Display System, Yankee Atomic Electric Company, April 8, 1985.

6. NUREG-0700, " Guidelines for Control Room Design Reviews," USNRC, Washington, D.C., September 1981.
7. NSAC-55, Safety Parameter Display System for Yankee Atomic Electric Company, prepared by Yankee Atomic Electric Company, Technology for Energy, Incorporated, and Nuclear Safety Analysis Center, August 1982.
8. NSAC-61, Verification and Validation of the Yankee Plant Safety Parameter Display System, Yankee Atomic Company, January 1984, i

1 21

0 0 e ATTACHMENT 1 AUDIT AGENDA

??

~

PROPOSED AUDIT AGENDA FOR POST-IMPLEMENTATION AUDIT OF YANKEE R0WE SAFETY PARAMETER DISPLAY SYSTEM (SPDS)

APRIL 22-24, 1986 TUESDAY. APRIL 22 8:30 a.m. Introduction and Briefing by NRC 8:45 a.m. Overview of SPDS Implementation Definition of SPDS Parameter Selection Process Human Factors Engineering Program Reliability Verification and Validation Program Implementation Program Project Milestones Implementation Status (Operational date) 10:15 a.m. Break 10:30 a.m. Tour of Control Room SPDS 12:00 Lunch 1:00 p.m. Desian Basis Evaluation Parameter Selection Critical Safety Functions (Yankee Rowe vs. NUREG-0737)

Critical Safety Functions / Parameter Relationships Range of Events / Conditions covered by parameters Safety Evaluation Report Concerns (Upper head temperature and Containment Isolation) 2:30 p.m. Break 2:45 p.m. System Desian System Requirements and Specifications Display Configuration Data Validity Security (Locus and Control dedicated to Control Room) 23

PROPOSED AUDIT AGENDA (continued)

System Verification and Validation Quality Assurance Verification Test Plan Validation Configuration Plan 4:30 p.m. Discussion / planning for day two 5:30 p.m. Adjourn WEDNESDAY. APRIL 23 8:30 a.m. Human Factors Enoineerino Review (Control Room)

Display Location Display Format Display Techniques DCRDR SPDS Findings Operations Review (Control Room)

Concise Display Parameters identified in SAR on SPDS Critical Safety Functions (0737 & Yankee Rowe)

Reliability (Hardware / Software)

Response Times (Display Call-up and Screen Update)

Integrated into Emergency Operations SPDS Parameter Values vs. Fixed Panel Values (Comparison)

Procedures and Training Control Room SPDS vs. Simulated SPDS Comparison Maintenance Software Hardware Electrical Isolation 12:00 Lunch 24

PROPOSED AUDIT AGENDA (continued) 1:00 p.m. Operator Interviews Training Program Evaluation NRC Caucus Exit Briefing a

l 1

I i

i r

i i 25

e 6 1

i l

l l

l l

, l f

ATTACHMENT 2 ,

MEETING ATTENDEES <

l t

f 26 i

_, __ ,,, , ,q1 .) , _ . . , , _ , _ , , _ _ _ _ _ _ _ ,

~

YANKEE R0WE SPDS AUDIT, APRIL 22, 1986 MEETING ATTENDEES Namg Position g R. Blond NRC/SAIC Contractor D. Candon Principal Engineer - YNSD F. Carlson NRC/Comex Contractor J. Clifford NRC Yankee Rowe Project Manager J. DeBor NRC/SAIC Contractor M. Desilets Shift Technical Advisor B. Drawbridge Asst. Plant Supt. YNPS H. Echenholz NRC/ Senior Resident Inspector R. Eckenrode NRC Team Leader J. Haseltine Project Manager, YNSD T. Henderson Technical Director /YR K. Jurentkuff Plant Asst. Operations Manager J. Kay Tech. Serv. Mgr.

T. LaFonta,ine YAEC/CSSD B. Loomis Maint. Support M. Motylszary Director, Computer Services Dept., YNSD R. Rossman Lead I&C Engr. - YNSD N. St. Laurent YAEC Plant Superintendent K.W.K. Wong YAEC/CSSD e

27

M . .

NOV 181986 Distribution Copies:

sDocket Files;50-029 NRC PDR Local PDR PAD #1 r/f PAD #1 p/f TNovak, Actg. DD NThompson, DHFT OGC-Bethesda Edordan BGrimes JPartlow Glear P5huttleworth EMcKenna ACRS (10)

LFMB l

4

Retrieved from "https://kanterella.com/w/index.php?title=ML20214J447&oldid=3243693"