ML20214R211

Forwards Design Verification & Validation Audit of Upgraded SPDS, Addressing Conformance to Reg Guide 1.97. Audit Incomplete Since Upgraded SPDS Not Installed. Deficiencies Identified in Section 4. Post-implementation Audit Required

Site: Rancho Seco
Issue date: 03/25/1987
From: Roberts E, EG&G Idaho, Inc., Idaho National Engineering & Environmental Laboratory
To: Carrington M, Office of Nuclear Reactor Regulation
Shared Package: ML20214R213
References: CON-FIN-A-6483, RTR-REGGD-01.097, RTR-REGGD-1.097 EWR-69-87, NUDOCS 8706080021


Text


Idaho National Engineering Laboratory

March 25, 1987

Mr. M. Carrington, Program Manager
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

TRANSMITTAL OF "DESIGN VERIFICATION AND DESIGN VALIDATION AUDIT OF THE UPGRADED SAFETY PARAMETER DISPLAY SYSTEM (SPDS) FOR THE SACRAMENTO MUNICIPAL UTILITY DISTRICT, RANCHO SECO NUCLEAR GENERATING STATION" (FIN A6483) - EWR-69-87

Ref: NRC Form 189, "Program for Evaluating Licensee/Applicant Conformance to RG 1.97, Rev. 2, and SPDS Implementation" (FIN A6483), October 1986

Dear Mr. Carrington:

Transmitted herewith is the above subject audit report. The report documents the INEL's participation in the audit of the Rancho Seco upgraded SPDS/RG 1.97 display system. This review of the upgraded display system addressed conformance to guidelines set forth in RG 1.97.

The audit was incomplete because the upgraded SPDS has not been installed in the plant. The staff identified several deficiencies in the upgraded SPDS. The deficiencies are identified in Section 4, "Conclusions." Additionally, a post-implementation audit must be performed before final acceptance can be granted.

Very truly yours,

E. W. Roberts, Manager
NRC Headquarters Support

Enclosure: As Stated

cc: L. Beltracchi, NRR-PBPE
C. Miller, NRR-PBPE
J. A. Calvo, NRR-PBPE (w/o Encl.)
G. L. Jones, DOE-ID
J. O. Zane, EG&G Idaho, Inc. (w/o Encl.)


DESIGN VERIFICATION AND DESIGN VALIDATION AUDIT OF THE UPGRADED SAFETY PARAMETER DISPLAY SYSTEM FOR THE SACRAMENTO MUNICIPAL UTILITY DISTRICT RANCHO SECO NUCLEAR GENERATING STATION

1 INTRODUCTION

This report evaluates the upgraded Rancho Seco safety-grade, Regulatory Guide 1.97 [1] (RG 1.97) display system using the criteria provided in applicable Nuclear Regulatory Commission (NRC) documents. The Rancho Seco Nuclear Generating Station is a Babcock and Wilcox (B&W) nuclear power plant owned and operated by the Sacramento Municipal Utility District (SMUD). The plant is located near Sacramento, California.

Section 2 of this report provides background information regarding the Rancho Seco upgraded safety-grade display system. An evaluation of the RG 1.97 display system is presented in Section 3. The results of the audit are summarized in Section 4. Section 5 lists the references used in this report.

2 BACKGROUND

From September 29 to October 2, 1986, the Plant Electrical, Instrumentation and Control Systems Branch, Division of PWR Licensing B, Office of Nuclear Reactor Regulation, NRC conducted an audit at the Rancho Seco plant site. The scope of the audit was to collect and evaluate data in the SMUD Action Plan for Performance Improvement, the Detailed Control Room Design Review, and the upgrade of the Safety Parameter Display System (SPDS).

The Rancho Seco SPDS was upgraded to safety-grade status based on requirements developed in response to the December 1985 overcooling event at Rancho Seco. This upgrade of the SPDS required the NRC staff to reevaluate the system for conformance with RG 1.97 and RG 1.152 requirements. The licensee estimated that the upgrade of the SPDS would be complete in January 1987.


The staff conducted an audit of the Rancho Seco RG 1.97 display system from February 9 through February 12, 1987. The purpose of this audit was to collect and evaluate sufficient data to allow the NRC staff to prepare a Safety Evaluation Report (SER) for the upgraded system. The audit was based on the criteria specified in RG 1.97 and RG 1.152.

The scope of the audit required that the licensee provide the following documentation at the audit site:

1. Display system functional requirements
2. A listing of the software code
3. Test plans and procedures
4. All products from the verification and validation (V&V) activities
5. Post-installation test plans and test reports


The licensee provided the following information at the audit site:

1. Rancho Seco SPDS Functional Description
2. SMUD Draft SPDS Description [4]
3. Design specifications of the ANATEC Prrma Control System
4. Handwritten worksheets describing selected multiplexer isolation device leakage analyses performed by SMUD
5. A proprietary listing of the software code
6. Worksheets for the Decay Heat Removal System (DHRS) Flow Alert logic
7. Test results worksheets for T-Cold, Loop A and B, for the Post-Trip P-T display, the Normal P-T display, the Low Temperature P-T display, and the Alphanumeric Page display
8. Test results worksheet for T-Hot, Loop A, Post-Trip P-T display
9. Documentation for conducting on-paper walk-throughs from sensor to display of a containment pressure signal and a cold leg temperature signal
10. Capabilities Matrix
11. Itemized listing of various SMUD documents regarding SPDS V&V
12. Comparison of SMUD SPDS V&V to Regulatory Guide 1.152 [5]


3 EVALUATION OF THE RG 1.97 DISPLAY SYSTEM

The purpose of this section is to summarize the findings for each of the audit topics covered by the reviewer.

3.1 Equipment Qualification

A schematic of the SPDS/RG 1.97 system is shown in Attachment 1. Multiplexers 1 and 4 (H4CDAR1 and H4CDAR4, respectively) are indicated on this drawing with the letters "TE". The distinction between these multiplexers and the Class 1E multiplexers is the sensor input classifications. The multiplexer differentiation in the Attachment 1 schematic implies that the sensor channels listed in Table 1, below, do not meet the Category 1 or 2 qualification criteria.

The parameters in the SPDS/RG 1.97 signal list attached to the functional requirements document were compared to the parameters listed in RG 1.97. This comparison indicated that 8 Category 1 signals and 11 Category 2 signals are processed by multiplexers H4CDAR1 or H4CDAR4. These signals are listed in Table 1.

TABLE 1. CATEGORY 1 AND 2 PARAMETERS PROCESSED BY MULTIPLEXERS 1 AND 4

Parameter             SPDS List Point No(s)   Reqd Cat. (RG 1.97)   Mux
Neutron Flux          1-8                     1                     H4CDAR1
Makeup Flow - In      47,99                   2                     H4CDAR1
Letdown Flow - Out    48,98                   2                     H4CDAR1
Volume Ctrl Tnk Lvl   46,102                  2                     H4CDAR1 & 4
Cntnmnt Effluent      105,107                 2                     H4CDAR1
Aux Bldg Effluent     106                     2                     H4CDAR1
SG Valve Effluent     208,109                 2                     H4CDAR1


The licensee stated that the neutron flux instrumentation will be upgraded to Class 1E during the Cycle 8 outage.

The Category 2 parameters in Table 1 were evaluated with respect to RG 1.97 power supply and equipment qualification criteria. The power supplies for H4CDAR1 and H4CDAR4 have the recommended battery backups. The equipment qualification criteria are not required for these multiplexers because they are located in a mild environment. Therefore, the signals in Table 1 are acceptable for the RG 1.97 display system.

In addition to the neutron flux instrumentation upgrade, SMUD will add reactor vessel level instrumentation during the next plant outage. The NRC staff has accepted this schedule of implementation.

3.2 System Design

Comments regarding the SPDS/RG 1.97 system design are summarized in the following subsections.

3.2.1 System Description

The functional requirements document briefly describes the purpose of the SPDS/RG 1.97 display system and explains how the design addresses the design objectives. Other documents describing data requirements, system specifications, program specifications, and data base specifications were required to complete the system review.

In addition to the software, the system consists of the following hardware components:

2 ANATEC sensor input channels
2 ANATEC central control units (CCUs)
2 B&W SPDS display computers
2 IDF 2200 video generators
2 IDI seismically qualified color video monitors
2 B&W pushbutton control panels


SMUD will docket a schematic of the hardware configuration prior to the post-implementation audit. The schematic will replace the undocketed version shown in Attachment 1 to this report. The docketed system description will identify the isolators, power supplies, and system components.

The sensor input channels (Trains A and B) were connected to each of the CCUs to provide additional redundancy. The sensor trains are polled by a CCU switching unit (CSU) to allow both CCUs to access data in both channels. With this configuration, only one CCU can process data from a particular train during any given clock cycle. It appears that this redundancy is not required and that it has resulted in adding more isolation devices to the system. Nevertheless, this redundancy does provide increased data validation capabilities, which can benefit system performance. Isolation device qualification is addressed in Section 3.2.6.

If the CSU fails, the Train B CCU will be lost. This condition will result in a limiting condition of operation (LCO). The Technical Specifications (Tech Specs) will be updated to reflect this mode of operation prior to plant restart.

The NRC requested that SMUD provide a comparison of their digital system availability with that of an equivalent analog system. This request was in response to SMUD's use of the 0.01 unavailability guideline set forth in NUREG-0696 [6]. Since this system processes RG 1.97 signals, the staff believes that NUREG-0696 is not the appropriate reference for benchmarking the RG 1.97 display system availability. NUREG-0696 is applicable only to non-Class 1E systems. SMUD replied that the NUREG-0696 availability criteria were used because RG 1.97 does not provide specific limits on availability.

Detailed quantitative studies comparing analog and digital SPDS/RG 1.97 availabilities have not been performed. However, an investigation of the South Texas Project Quality Data Processing System [7] revealed that, qualitatively, the digital system availability was slightly better than an equivalent analog system. SMUD is encouraged to review this document and determine its applicability to Rancho Seco.


The reviewer believes that the conversion from an analog system to a digital system is justifiable. The use of digital systems in nuclear power plants is supported by EPRI, and by B&W and other reactor vendors. Precedents have been established for changing from analog to digital systems where high availability is a significant factor. For example, Boeing formally committed to the use of digital control systems in the Boeing 757/767 programs [8]. Nevertheless, without quantitative data, the availability of the RG 1.97 display system should be confirmed by frequent reports to the staff regarding system operation. The frequency of the reports may be decreased, depending on the availability of the display system through the first several reporting periods.

3.2.2 Display Configuration

The SPDS/RG 1.97 displays were shown on the same model CRT as will be used at the plant. The displays were well-conceived and easy to interpret. Minor deficiencies regarding the use of dark blue on a black background were noted by B&W and SMUD personnel. These deficiencies will be corrected prior to system installation. This audit did not include the human factors aspects of these displays.

The system was initialized as part of the system demonstration. The initialization process is self-driven and provides pertinent information with regard to hardware status. When no hardware errors are identified, the system displays the status messages for a brief period, then overwrites the status display with the Post-Trip P-T display. The final evaluation of display configurations will be determined following a human factors review of the display formats.

The parameters selected for the RG 1.97 portions of the SPDS were reviewed in February 1985 [9]. The results of that review were transmitted to SMUD in August 1985 [10].

3.2.3 Data Validity

Drawings and related documents were provided for an on-paper walk-through of two signals: containment pressure and cold leg temperature. The walk-throughs were conducted from the sensor to the display screen.


The drawings used for the hardware portion of the walk-throughs needed to be updated, and at one location, a discontinuity in the signal flow path for the cold leg temperature sensor channel was discovered. Nevertheless, the audit team was satisfied with the traceability of the two sensor leads. The audit team was assured that the drawings would be updated prior to restart.

The two signals were also traced through the software portion of the system. The software walk-through was aided by the modular design of the programs. The input signals were successfully traced from the input routines to the display screens. It was evident from the two signal walk-throughs that a sensor signal could be traced from end to end.

Data validity is also addressed in the system design by using two redundant sensor trains. The signals from the trains are compared in the software portion of the system. Most of the data validity involves comparing the signals between two or more similar signals and checking the hardware status flag for each signal.

Data validation is used for detecting instrument inaccuracies. Signals representing the same parameter are used to determine possible deviations from measurement accuracy. If the two signals deviate by more than five times the measurement accuracy, the signals are flagged as questionable. Instrument ranges in the software tables are also used to provide data validation for many of the signals.
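The validation rules in the two paragraphs above, carried through as an added Python example (not the licensee's, B&W's or ANATEC's SPDS software): each reading is first checked against its hardware status flag and the instrument range from the software table, then the surviving redundant readings are compared and the parameter is flagged questionable when they differ by more than five times the measurement accuracy. It generalizes to any number of similar signals rather than only two. The instrument names, ranges, accuracies, the sample readings, the use of the mean as the displayed value, the treatment of a lone surviving reading, and the "*" marker for questionable data are all assumptions made here; only the "?" for invalid data comes from the report (Section 3.4).

```python
# Added illustration of the redundant-sensor data validation described in
# Section 3.2.3.  This is not the licensee's, B&W's or ANATEC's SPDS software;
# the instrument table, the "*" marker and the sample readings are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple


class Validity(Enum):
    GOOD = "good"                  # redundant readings agree and are in range
    QUESTIONABLE = "questionable"  # readings disagree by more than 5x accuracy
    INVALID = "invalid"            # no reading survives the hardware/range checks


@dataclass(frozen=True)
class Reading:
    train: str     # sensor train the reading came from, e.g. "A" or "B"
    value: float   # reading in engineering units
    hw_ok: bool    # hardware status flag carried with the signal


@dataclass(frozen=True)
class Instrument:
    name: str
    lo: float        # low end of the instrument range (software table)
    hi: float        # high end of the instrument range
    accuracy: float  # measurement accuracy, same units as the reading


# Constructed instrument table; the ranges and accuracies are illustrative only.
INSTRUMENTS = {
    "T-Cold Loop A": Instrument("T-Cold Loop A", 50.0, 650.0, 2.0),                # degF
    "Containment Pressure": Instrument("Containment Pressure", -5.0, 100.0, 0.5),  # psig
}


def validate(inst: Instrument, readings: Sequence[Reading]) -> Tuple[Validity, Optional[float]]:
    """Cross-check redundant readings of one parameter.

    1. Drop any reading whose hardware flag is bad or whose value lies outside
       the instrument range held in the software table.
    2. Compare the survivors: a spread greater than five times the measurement
       accuracy marks the parameter questionable.
    The displayed value is the mean of the surviving readings; the report does
    not say which value the SPDS shows, so that choice is an assumption here.
    """
    usable = [r.value for r in readings if r.hw_ok and inst.lo <= r.value <= inst.hi]
    if not usable:
        return Validity.INVALID, None
    mean = sum(usable) / len(usable)
    if len(usable) < 2:
        # Nothing left to compare against, so the value cannot be confirmed
        # (treatment of a lone survivor is an assumption, not from the report).
        return Validity.QUESTIONABLE, mean
    if max(usable) - min(usable) > 5 * inst.accuracy:
        return Validity.QUESTIONABLE, mean
    return Validity.GOOD, mean


def display_text(inst: Instrument, readings: Sequence[Reading]) -> str:
    """Render a parameter the way the report says invalid data are shown:
    a question mark for invalid data.  The trailing "*" for questionable
    data is a constructed marker."""
    validity, value = validate(inst, readings)
    if validity is Validity.INVALID:
        return f"{inst.name}: ?"
    suffix = "*" if validity is Validity.QUESTIONABLE else ""
    return f"{inst.name}: {value:.1f}{suffix}"


if __name__ == "__main__":
    tcold = INSTRUMENTS["T-Cold Loop A"]
    # Constructed sample readings: trains agree, trains disagree, train A
    # hardware flag bad while train B is off-range.
    cases = {
        "agree": [Reading("A", 556.0, True), Reading("B", 558.0, True)],
        "disagree": [Reading("A", 556.0, True), Reading("B", 570.0, True)],
        "dead": [Reading("A", 556.0, False), Reading("B", 9999.0, True)],
    }
    for label, readings in cases.items():
        print(f"{label:8s} -> {display_text(tcold, readings)}")
```

The range check runs before the cross-comparison on purpose: a reading that is off-scale or whose hardware flag is bad would otherwise drag the spread past the five-times-accuracy limit and mark a healthy train questionable along with the failed one.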

3.2.4 Maintenance and Configuration Control

Maintenance is presently performed on an as-needed basis, but will be performed in the future on a scheduled preventive maintenance basis. The schedule will be developed after restart.

The ANATEC CCUs use Motorola 6800 chips for the central processor unit. ANATEC no longer manufactures this equipment, and spares are not available if this equipment fails. B&W and SMUD have indicated that this is not a concern because this equipment is very reliable. Neither B&W nor SMUD have made provisions for replacing the CCUs. This approach will satisfy the short-term requirements for the system, but may cause availability problems in the future.

The SMUD personnel did not have a contingency plan for replacing a failed backplane or other critical components. One response indicated that components might be repaired on-site. A limiting condition of operation (LCO) will be included in the Technical Specifications for failure of a CCU.

SMUD purchased a significant quantity of multiplexer spares. These spares will be kept on-site as emergency replacements. Other equipment will also be kept available.

3.2.5 Security

The computer hardware is located in the control room, which is a secured area.

Software security was addressed by electronically storing the validated software logic in read-only memory (ROM) computer chips, which are part of the computer hardware.

3.2.6 Isolation Devices

A schematic of the SPDS/RG 1.97 configuration is shown in Attachment 1. The isolation devices considered in this section are indicated on the schematic as isolator types 6, 8, and 9.

Since the upgraded safety parameter display system processes both RG 1.97 Category 1 (Class 1E) signals and Class 2 (non-Class 1E) signals, the Class 2 isolators must isolate the Class 1E components from the Class 2 components. Additionally, Train "A" components must be isolated from Train "B" components, and the redundant buses within the trains must be isolated from each other.

The Class 1E components are to be isolated from Class 2 component failures using the No. 6 and No. 8 type isolators. The No. 6 isolators were electrically tested, but failed during the tests. The test results indicated that the No. 6 isolator leakage was less than 500 mV. However, the test results did not demonstrate that 500 mV would be the maximum leakage.

SMUD performed an analysis to determine the effect of a 500 mV leakage on the Class 1E inputs to a multiplexer circuit board. Worksheets describing the analysis are shown in Attachment 2. The worksheets indicate that a 500 mV leakage will result in a 0.24 mV potential at the 1E input. The worksheets do not show the effect of this voltage on the 1E circuitry.

The Class 1E signals are to be isolated from Class 2 system failures using the No. 8 bus isolators. These isolators are also used to isolate the redundant Trains A and B from each other. The capability of these isolators to prevent signal leakage in either direction must be demonstrated. The licensee has verbally agreed to perform the required testing on these components. The results of these tests were not available at the audit.

The CCUs are to be isolated from the non-1E plant IIRDS computer (reference Attachment 1) by the No. 9 isolators. These isolators also failed during electrical testing. As with the No. 6 isolators, the tests did not demonstrate that 500 mV was the maximum leakage or that the Class 1E circuits would be properly protected from faults in the non-Class 1E circuits.

Given the tight schedule for plant restart, qualification of the isolation devices is considered a critical path item. These isolators must be approved for use in Class 1E circuits before the requirements of RG 1.97 can be satisfied. The tests should be performed and the results docketed as soon as possible.

3.3 System Verification and Validation

SoHaR, Inc. performed the system V&V. Their audit report is included in this report as Appendix A. SoHaR's recommendations are summarized in this section.

SoHaR, Inc. recommends that the verification be expanded to include structural testing of the software system.


A deficiency noted in the validation process was in the resolution of discrepancies resulting from erroneous acceptance criteria (expected results). It is recommended that greater effort be made to establish accurate acceptance criteria and to enforce the discrepancy resolution procedures.

It is recommended that the final V&V reports, including all discrepancies and their resolutions, be audited.

3.4 Use of RG 1.97 Display System in Plant Operation

The SPDS is designed to be used by the operators during normal plant operations to advise the operator of approaches to operating limits. Upon plant trip, the SPDS automatically switches to the RG 1.97 ATOG P-T display and provides the operator with RG 1.97 information. Alarms are indicated on all displays and may be acknowledged or investigated using a single pushbutton.

Alarm acknowledgement is addressed in the SPDS functional description document. The document indicates that alarms may be cleared from the screen by pushing a button. The document does not say what the effect will be if there are multiple alarms, and the operator wants to clear only one alarm. This should be clarified by either formal correspondence or a telephone conversation between the staff and cognizant SMUD personnel.

B&W demonstrated the RG 1.97 display system at the Lynchburg facility. It was not possible to determine the time delay from when a sensor signal is sampled to when it is displayed or to compare the display time response to the response of other instruments in the control room.

The RG 1.97 display screens were shown during the demonstration. Invalid data were displayed with a question mark (?). Other than these superficial checks, no other assessment of the RG 1.97 display system operability was performed. A demonstration of the system after it is installed at the plant will be required before the staff can complete the system evaluation.


4 CONCLUSIONS

The Rancho Seco SPDS was upgraded to incorporate RG 1.97 requirements. This required the staff to review the system with regard to guidelines set forth in RG 1.97. The audit was incomplete, because the RG 1.97 display system was not installed in the plant.

Except for the neutron power and the reactor vessel level parameters, the RG 1.97 display system sufficiently indicates the status of critical plant conditions. These two parameters are to be added to the display system in the next outage.

The availability of the RG 1.97 display system should be confirmed by frequent reports to the staff regarding system operation. The frequency of the reports may be decreased, depending on the availability of the display system through the first several reporting periods.

The Class 1E isolation devices have not been completely tested, and the restart date for Rancho Seco may be impacted by the test schedule for these devices. The isolation devices must be electrically tested and approved for use in Class 1E circuits before the Rancho Seco RG 1.97 display system can be approved by the staff.

SoHaR, Inc. recommends that the verification be expanded to include structural testing of the software system.

One deficiency noted in the validation process was in the resolution of discrepancies resulting from erroneous acceptance criteria (expected results). Additionally, it is recommended that greater effort be made to establish accurate acceptance criteria and to enforce the discrepancy resolution procedures.

It is also recommended that the final V&V reports, including all discrepancies and their resolutions, be audited.

Except for the isolation device testing and the discrepancies discovered by the V&V audit (Appendix A), the RG 1.97 display system appears to conform to RG 1.97 guidelines.


5 REFERENCES

1. U. S. Nuclear Regulatory Commission, Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," Revision 3, May 1983.
2. U. S. Nuclear Regulatory Commission, Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants," November 1985.
3. Babcock & Wilcox Power Generation Group, "Rancho Seco Safety Parameter Display System Functional Description," February 2, 1987.
4. Babcock & Wilcox Power Generation Group (assumed author), "SMUD Safety Parameter Display System (Draft)," May 21, 1982.
5. T. Daughtrey, Power Computing Company, "Comparison of SMUD SPDS V&V to Regulatory Guide 1.152," February 1987.
6. U. S. Nuclear Regulatory Commission, NUREG-0696, "Functional Criteria for Emergency Response Facilities," February 1981.
7. J. P. Poloski, Review of South Texas Project Quality Data Processing System Reliability Study (Draft Technical Evaluation Report), EGG-REQ-7542, February 1987.
8. R. A. Erickson, "Sensitivity of a Micro-Processor Based Control System to Variation in Fault Tolerant Parameters," Power Plant Digital Control and Fault Tolerant Microcomputers Seminar, Scottsdale, Arizona, April 9-12, 1985.
9. A. C. Udy, Conformance to Regulatory Guide 1.97, Rancho Seco Nuclear Generating Station, EG&G Idaho Interim Report, February 1985.


10. Letter from J. F. Stolz, Operating Reactors Branch #4, Division of Licensing, NRC, to R. J. Rodriguez, Assistant General Manager, Nuclear, Sacramento Municipal Utility District, "Conformance to Regulatory Guide 1.97 Request for Additional Information," August 19, 1985.


APPENDIX A

SOHAR AUDIT REPORT
RANCHO SECO SAFETY GRADE SPDS SOFTWARE VERIFICATION
