ML20214R265
ML20214R265 | |
Person / Time | |
---|---|
Site: | Seabrook |
Issue date: | 09/23/1986 |
From: | Eckenrode R Office of Nuclear Reactor Regulation |
To: | |
Shared Package | |
ML20214R231 | List: |
References | |
OL-1, NUDOCS 8609290125 | |
Text
DOCKETED USNRC '86 SEP 23 P3:10
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
BEFORE THE ATOMIC SAFETY AND LICENSING BOARD
In the Matter of PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE, et al. (Seabrook Station, Units 1 and 2)
Docket Nos. 50-443 OL-1, 50-444 OL-1
On-site Emergency Planning and Safety Issues
NRC STAFF TESTIMONY OF RICHARD J. ECKENRODE ON THE SPDS PORTION OF CONTENTION SAPL SUPP. 6
Q.1 Please state your name and position with the NRC Staff.
A.1 My name is Richard J. Eckenrode. I am a Human Factors Engineer in the Electrical, Instrumentation and Control Systems Branch of the Division of PWR Licensing-A, Office of Nuclear Reactor Regulation, Nuclear Regulatory Commission. I have the lead responsibility for the NRC review of the Seabrook Station's compliance with NUREG-0737 Item I.D.2. I was the principal author of the Section 18 input for Supplement 6 to the Seabrook Safety Evaluation Report (SER). A copy of my professional qualifications is attached.
Q.2 What is the purpose of your testimony?
A.2 The purpose of my testimony is to address the safety parameter display system (SPDS) for the Seabrook facility, and particularly to address the question of whether the complete SPDS need be in place before the completion of the first refueling outage.
Q.3 What is the safety parameter display system (SPDS)?
A.3 The SPDS is designed to provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. The SPDS itself is not considered a safety system; no operator actions are to be taken at the SPDS or based exclusively on information displayed on the SPDS.
The SPDS is instead used to refer operators to various other displays and controls in the control room where corrective actions are to be taken if needed. In the absence of the SPDS operators can still acquire the necessary information from these other displays.
The specific requirements for SPDS are set out in Item I.D.2 of Supplement 1 to NUREG-0737. According to that Item, SPDS must contain the following elements:
c) SPDS should aid operators in rapidly and reliably determining the safety status of the plant
d) SPDS shall be located convenient to control room operators
e) SPDS shall be a continuous display
f) SPDS shall be suitably isolated from safety-related systems
g) SPDS shall be designed to incorporate accepted human factors principles
h) Procedures and training shall address plant safety status and accident conditions with and without SPDS
Q.4 Is there a required time for implementation of the SPDS?
A.4 According to Supplement 1 of NUREG-0737, implementation of the SPDS is determined by a schedule that is negotiated with the Staff.
Guidance provided to the Staff by the Director of the Division of Licensing stated that, for those plants that had not yet received an operating license, the SPDS Safety Analysis and Implementation Plan should be submitted by a license applicant six months prior to the fuel load date. This was meant to provide the Staff sufficient time to complete its licensing review. The Director's guidance further stated that, in those instances where proposed implementation dates were after the date for fuel load, license conditions were to be imposed for all those commitments that were not yet implemented at the time of issuance of an operating license.
Q.5 Did the Seabrook Applicants submit the required SPDS documentation to the Staff for review?
A.5 Yes. The Applicants submitted their SPDS report to the NRC by letter dated January 6, 1986 (SBN-920).
Q.6 Please describe the nature of the Staff's review of the Applicants' submittal.
A.6 The Staff and its consultants from Lawrence Livermore National Laboratories reviewed the report against the requirements of Supplement 1 to NUREG-0737 and the guidance contained in Section 18.2 of the Standard Review Plan (NUREG-0800). As has been the case in the majority of Staff SPDS reviews, additional information was requested by the Staff and was submitted by the Applicants on April 2, 1986 (SBN-987). The Staff and its consultants reviewed this information and conducted an on-site design verification and validation audit on May 20-22, 1986.
Q.7 What were the Staff's conclusions with respect to the Seabrook SPDS?
A.7 The Staff's conclusions on the Seabrook SPDS are set out in detail in Section 18 of Supplement 6 to the Seabrook SER (a copy of the Section 18 input to Supplement 6 is attached hereto). The Staff found that the Seabrook SPDS is not at this time in complete compliance with Item I.D.2 of NUREG-0737, Supplement 1. The Staff also found, however, that this noncompliance does not present a serious safety question at Seabrook.
The SPDS in its current design should not provide erroneous or misleading information to plant operators and therefore will not increase the potential for operator error in the event of an abnormal occurrence at Seabrook (see Answer 9.c below); the current Seabrook SPDS does provide useful information to the plant operators (albeit not all the information called for in NUREG-0737, Supplement 1); and the information not presently available on the SPDS is available elsewhere in the control room. All this, combined with the fact that NUREG-0737, Supplement 1 does not require that SPDS be implemented before full power operation, led the Staff to conclude that implementation of the additional SPDS requirements at Seabrook can await the completion of the first refueling outage.
Q.8 In what respects did the Staff find the Seabrook SPDS to be in noncompliance with Supplement 1 to NUREG-0737?
A.8 The items of noncompliance are discussed in Supplement 6 to the SER. Briefly, those items are:
1) The SPDS display is not continuous
2) Residual heat removal (RHR) flow and hydrogen concentration variables are considered by the Staff to be part of the minimum information required to assess the critical safety functions (CSFs) and are not displayed on the SPDS
3) The containment isolation display is not satisfactorily readable from the prime SPDS location to be considered part of the SPDS
4) The SPDS does not display sufficient radiation variables
5) Several human engineering discrepancies have been identified
6) Two CSF status trees are not mode dependent and have the potential for misleading the operator
7) Isolation devices between the Reactor Vessel Level Instrumentation System (RVLIS) and the SPDS were not yet approved
8) Data validation algorithms may not be sophisticated enough to ensure valid data are displayed to the operator
9) The usefulness of the lower-level SPDS display formats to the operator is in question
10) RVLIS and the Radiation Data Management System (RDMS) availability has not yet been factored into overall SPDS availability calculations
11) System response time appears to be satisfactory, but a system load test is needed to verify the worst condition
Q.9 Please describe the Staff's findings as they relate to the 8 review criteria in NUREG-0737, Supplement 1. Please include in your answer references to the 11 items of noncompliance identified in your last answer.
A.9.a Concise Display: With the exception of the containment isolation panel (Item 3), which is a separate display and needs to be more readable from the SPDS location, the SPDS cathode ray tube (CRT) formats provide a concise display of plant conditions as required by NUREG-0737, Supplement 1.
A.9.b Critical Plant Variables: The Staff has identified a minimum set of approximately 20 plant parameters it believes to be sufficient to provide plant operators with information about the critical safety functions specified in NUREG-0737, Supplement 1.
The Seabrook SPDS currently contains all but five of these parameters. Two of these five, steam line and stack radiation (Item 4), are currently displayed on the RDMS display, and will be added to the SPDS with the implementation of a radiation monitoring screen.
Another parameter, containment isolation status (Item 3), is currently provided on a separate display that will be improved for better readability from the primary SPDS location. The final two parameters, RHR flow and containment hydrogen concentration (Item 2), are currently under study by the Applicants to determine how the information concerning these parameters can best be obtained and displayed on the SPDS. Both parameters are currently available elsewhere in the control room, and procedures and training address their proper use. They have not yet, however, been integrated into the Seabrook SPDS.
A.9.c Aid Operators in Rapidly and Reliably Determining Safety Status: Rapid and reliable safety status indication is made up of many factors. The Staff audit identified five potential deficiencies that could affect the speed and/or the reliability of the SPDS: (1) Although the system response time appeared to be satisfactory (most factors are updated every five seconds), the Staff observations were made during a lightly loaded sequence (Item 11); (2) The Staff audit indicated that the data validation methodology includes only range checking, averaging and auctioneering. A more sophisticated data validation algorithm may be required to ensure valid information (Item 8); (3) System availability data indicated an acceptable (over 99%) availability for the SPDS, but these calculations did not include the availability of RVLIS or RDMS data input (Item 10); (4) The subcriticality and core cooling status trees are not mode dependent and the SPDS displays will indicate that these functions are being challenged during normal power operations (Item 6) (plant operators have been made aware of this through their training); and (5) Observation of an accident simulation indicated that the top-level CSF summary display appears to aid operators in rapidly determining plant status, but lower-level display formats do not seem to be as useful (Item 9).
A.9.d Convenient Location: The location of the primary SPDS CRT at the Shift Technical Advisor (STA) station near the center of the control room and the ability to call up the SPDS at other operator locations satisfies the requirement to place the SPDS in a convenient location. Although its current location in the control room is appropriate for its intended usage, the containment isolation display as it is currently configured (Item 3) cannot be easily read from the location of the primary SPDS CRT and hence that display does not meet the convenient location requirement.
A.9.e Continuous Display: Although SPDS is continuously accessible to the STA, the capability to call up display formats other than the SPDS on the STA's designated SPDS CRT violates the requirement that the SPDS be a continuous display (Item 1). Either the CSF summary display must be added to all CRT formats accessible on the STA's CRT, or a dedicated CSF summary display needs to be added to the STA station.
A.9.f Electrical and Electronic Isolation: Three types of isolation devices are used at Seabrook: Westinghouse 7300 Series instrumentation; General Atomics RM 80 isolators; and additional Westinghouse isolators used in the RVLIS. The 7300 Series isolators were approved by the Staff by means of Westinghouse Topical Report WCAP-8892A. The RM 80 isolators have been approved for use through the first refueling outage; at that time, the isolators are to be replaced by isolators that do not have fuses in their output circuit. The Westinghouse RVLIS isolators, which were previously identified as unapproved (Item 7), have recently been approved by the Staff based on a test conducted by Westinghouse in August of 1986. Thus the Seabrook SPDS now meets the requirement of electrical and electronic isolation from safety equipment.
A.9.g Incorporate Accepted Human Factors Principles: The SPDS generally incorporates accepted human factors principles, with the following exceptions: (1) The heat sink format displays the flow data value above the decision block instead of below the block as do all the other formats (Item 5); (2) The display callup method is acceptable, but awkward. The Staff recommends a single operator action for callup of each of the second-level displays (Item 9); (3) The containment isolation display is located a significant distance from the primary SPDS location so that it is difficult to read the legends from the SPDS location (Item 3).
A.9.h Procedures and Training: An audit of the SPDS procedures and operator training program indicated that both satisfy the requirements of NUREG-0737.
Q.10 In Supplement 6 to the SER, the Staff identified a problem with the isolators between the RVLIS and the SPDS. Has that problem been resolved?
A.10 At the time of the writing of the SER input, the RVLIS isolators (used to protect the RVLIS from the SPDS) had not been tested to the maximum credible fault (MCF) voltage and current. This test was conducted by Westinghouse in August of 1986. The RVLIS isolators successfully passed the MCF test, and are therefore acceptable to the Staff. An Appendix to Section 18 of Supplement 6 documents the acceptability of the RVLIS isolators; a copy of that Appendix is attached.
Q.11 In your input to Supplement 6 of the SER, you established a license condition that would allow the Applicants to operate until the first refueling outage before making various modifications to the SPDS to resolve the open items identified earlier in your testimony. Do you believe that deferral of these modifications poses a threat to the public health and safety?
A.11 No, I do not believe that deferral of the remaining modifications to the Seabrook SPDS poses a threat to the public health and safety. It should be pointed out that the situation with the Seabrook SPDS is by no means uncommon. In its review of SPDS at other plants, the Staff has found that most utilities have experienced more than anticipated difficulties in the design, development and installation of a system that fully meets the SPDS requirements of NUREG-0737, Supplement 1. The Staff has extended the SPDS implementation dates for a number of plants in order to assure the development of a quality SPDS.
As to the safety implications of the Seabrook interim SPDS, the Staff review found that Seabrook currently has a functional, usable SPDS; the plant just does not yet fully meet the requirements of NUREG-0737, Supplement 1. All the information that will be added to the SPDS is currently available to the operators elsewhere in the control room. While the modifications will improve the quality of the SPDS, these modifications are not critical from a health and safety standpoint. The Staff therefore believes these modifications can safely await the end of the first refueling outage.
RICHARD J. ECKENRODE PROFESSIONAL QUALIFICATIONS
ELECTRICAL, INSTRUMENTATION AND CONTROL SYSTEMS BRANCH
DIVISION OF PWR LICENSING-A
From December 1980 when I was hired by the U.S. NRC, to November 1985, I was assigned to the Human Factors Engineering Branch, Division of Human Factors Safety, Office of Nuclear Reactor Regulation. My initial responsibilities included: (1) participation in the development of NUREG-0700, "Guidelines for Control Room Design Reviews," and (2) participation in the onsite control room design reviews required for operating licenses. Subsequently, I have participated in over 25 control room design reviews, 15 of which I directed. I was a member of the NRC Task Forces which reviewed the steam generator tube rupture event at R. E. Ginna Nuclear Power Plant and the ATWS event at Salem Generating Station.
I am a qualified member of the NRC Incident Investigation Team. Since December, 1985, I have been assigned to the Electrical, Instrumentation, and Control Systems Branch, Division of PWR Licensing-A and have been assigned as Multi-Plant Action Manager for the Safety Parameter Display System (SPDS). I have conducted or participated in four SPDS reviews, including Seabrook Station.
Since 1960, I have been active in the application of the human factors discipline to manned systems and have directed or participated in more than 30 major human factors projects before joining the NRC. I am a member of the Human Factors Society.
I hold a Bachelor of Science degree in Aeronautical Engineering from St. Louis University and have completed several NRC sponsored courses including Nuclear Reactor Concepts, Radiation/Contamination Protection, Pressurized Water Reactor Fundamentals, BWR Technology, PWR Simulation, and Incident Investigation.
From 1963 until joining the U.S. NRC in 1980, I was a Principal Associate with Dunlap and Associates, Inc., of Norwalk, Connecticut. Dunlap and Associates, Inc. is a research and consulting firm in the areas of systems and operations analyses and the behavioral sciences including human factors.
Some of my major projects included:
- Development of human factors guidelines for designing CRT color display formats for a large electrical power distribution control room. Subsequently designed a major portion of the displays.
- Development of a task analysis methodology for determining training requirements and training device requirements and characteristics, as applied to military systems.
- Conducted human factors and systems analyses resulting in man/machine interface design recommendations, procedures development and training requirements recommendations for the following systems and programs:
  - Optical lens manufacturing facility
  - Hematology laboratory
  - Navy AEGIS combat system program
  - Trident submarine missile system
  - Remotely piloted aircraft
  - UTTAS and research helicopters
  - Antisubmarine Warfare attack team trainer
  - Landing helicopter assault ship
  - Chemical/biological warfare protective clothing
  - Manned orbital laboratory
  - Apollo/Saturn prelaunch checkout system
From 1960 to 1963 I was with the Life Sciences Department of McDonnell Aircraft Corporation. During that time I participated in the human factors analysis and design work on projects Mercury and Gemini and on mechanical ground support equipment for the F4 Tactical Fighter aircraft. I also participated in the Mercury astronaut acceleration training program and gathered human performance data to assist in verifying mission reliability estimates.
18 HUMAN FACTORS ENGINEERING
18.2 Safety Parameter Display System (TMI Action Plan Item I.D.2)
In Supplement No. 4, the staff described the safety parameter display system (SPDS) purpose and requirements and presented an initial status review of the Seabrook SPDS.
By letter dated January 6, 1986, the applicant submitted the SPDS design report for staff review. The applicant submitted additional information on the design by letter dated April 2, 1986. In addition to the staff review, the staff, assisted by consultants from Lawrence Livermore National Laboratory, conducted an onsite design verification and validation audit of the Seabrook SPDS on May 20-22, 1986. Attached is the consultant's Technical Evaluation Report (TER) of that audit. The staff agrees with the technical positions and conclusions contained in the TER. The following evaluation was prepared, based on the findings of the TER, to establish a basis for a license condition to ensure completion of items pertaining to the Seabrook SPDS.
SPDS Description
The Seabrook SPDS is incorporated as a function within the main plant computer.
The displays are presented on cathode ray tubes (CRTs) that are an integral part of the control room. The designated primary SPDS CRT is located near the center of the control room at the shift technical advisor (STA) station. The SPDS displays may be selected and presented at any of six other CRTs in the main control board. Operator access is through the existing keyboards used for accessing all plant programs and displays.
The top-level SPDS display format consists of six color- and position-coded bars representing the summary status of the six critical safety functions (CSFs).
Each CSF status tree is displayed on the second-level format, which includes parameter values and a color- and shape-coded status circle for each tree branch.
The color-coded summary bar for the six functions appears in the lower left corner of each CSF status tree.
Variable Selection
Section 4.1(f) of Supplement No. 1 to NUREG-0737 states:
The minimum information to be provided shall be sufficient to provide information to plant operators about:
(i) Reactivity control
(ii) Reactor core cooling and heat removal from the primary system
(iii) Reactor coolant system integrity
(iv) Radioactivity control
(v) Containment conditions.
For review purposes, these five items have been designated as CSFs.
The applicant has defined the CSFs for Seabrook from a different perspective.
They are based on the maintenance of the following three physical barriers to radiation release:
(1) Fuel matrix and fuel cladding
(2) Reactor coolant system (RCS) pressure boundary
(3) Containment
The applicant has defined the following six CSFs to maintain these barriers:
(1) Subcriticality
(2) Core Cooling
(3) Heat Sink
(4) RCS Integrity
(5) Containment Integrity
(6) Reactor Coolant Inventory
Staff review of the parameters selected by the applicant to support these functions indicates that the six CSFs defined by the applicant do not fully cover the five CSFs specified in Supplement 1 to NUREG-0737. Specific findings of the staff review are:
(1) Residual heat removal (RHR) flow and hydrogen concentration are not included in the Seabrook CSF status trees and are not displayed on the SPDS.
(2) Radiation parameters are to be displayed but are not yet implemented.
(3) Containment isolation is not displayed on the SPDS but is accessible, to a limited extent, from the prime SPDS position (see section entitled "Human Factors Program" below).
The staff finds all other variables selected acceptable in satisfying the above requirement of NUREG-0737, Supplement No. 1.
Display Data Validation
The audit indicated that the data validation methodology includes only range checking, averaging, and auctioneering. Concern was raised that a parameter value could be within an acceptable range but significantly different from other measures of the same parameter, causing the average value to be incorrect and possibly misleading. A more sophisticated data validation algorithm, to ensure display of more valid data, is being pursued by the applicant.
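The concern described above, worked through as an added example (not code from the applicant, the staff or the TER): one drifted channel that is still in range passes the range check and skews both the average and the auctioneered value. The median-based consistency check, the quality flag, the tolerance, the channel names and the readings are all assumptions constructed for illustration; the page does not describe the improved algorithm the applicant is pursuing.

```python
from statistics import mean, median

# Constructed sample: four redundant channels measuring one parameter.
# Channel C has drifted high but is still inside the instrument span.
SPAN = (0.0, 100.0)   # assumed instrument range
TOLERANCE = 2.0       # assumed allowed deviation from the median
MIN_CHANNELS = 3      # assumed minimum needed to outvote one bad channel
READINGS = {"A": 50.2, "B": 49.8, "C": 88.0, "D": 50.0}


def range_check(readings, span):
    """Keep only channels whose value lies inside the instrument span."""
    low, high = span
    return {ch: v for ch, v in readings.items() if low <= v <= high}


def baseline_display(readings, span):
    """Methodology the audit describes: range check, then averaging and
    auctioneering (here a high-select over the surviving channels)."""
    ok = range_check(readings, span)
    if not ok:
        return {"used": [], "average": None, "auctioneered_high": None}
    return {
        "used": sorted(ok),
        "average": mean(ok.values()),
        "auctioneered_high": max(ok.values()),
    }


def validated_display(readings, span, tolerance=TOLERANCE):
    """Assumed improvement: after the range check, reject channels that
    disagree with the median of their peers and attach a quality flag."""
    ok = range_check(readings, span)
    if len(ok) < MIN_CHANNELS:
        # Too few channels to tell which one is wrong: show no value.
        rejected = sorted(set(readings) - set(ok))
        return {"value": None, "quality": "invalid", "rejected": rejected}
    centre = median(ok.values())
    agreeing = {ch: v for ch, v in ok.items() if abs(v - centre) <= tolerance}
    rejected = sorted(set(readings) - set(agreeing))
    if len(agreeing) < 2:
        return {"value": None, "quality": "invalid", "rejected": rejected}
    quality = "degraded" if rejected else "valid"
    return {"value": mean(agreeing.values()), "quality": quality,
            "rejected": rejected}


if __name__ == "__main__":
    print("baseline :", baseline_display(READINGS, SPAN))
    print("validated:", validated_display(READINGS, SPAN))
```

With the constructed readings, the baseline uses all four channels and reports an average near 59.5, while the consistency check rejects channel C and reports a value near 50.0 flagged as degraded.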
Human Factors Program
The applicant's human factors program for the SPDS was not well described in the Seabrook SPDS description report. Information provided in the letter of April 2, 1986, described three basic ways in which human factors was involved in the SPDS development. First, the individual status trees (second-level formats) were developed as part of the Westinghouse Owners Group guidelines and had both human factors input into the display design and human factors review of the final format. Second, Seabrook operators exposed to human factors engineering, through participation in the detailed control room design review (DCRDR), developed the top-level display used in the SPDS. Finally, the SPDS display system was evaluated as part of the DCRDR program and no human engineering discrepancies were identified.
During the onsite audit, the staff conducted a human factors review of the Seabrook SPDS against the requirements of Supplement No. 1 to NUREG-0737. The writeup below addresses the degree of acceptability of the Seabrook SPDS with respect to these requirements.
Concise Display: With the exception of the containment isolation panel, which is a separate display and is to be improved, the SPDS CRT formats provide a concise display of plant conditions as required by NUREG-0737, Supplement No. 1.
Convenient Location: The location of the prime SPDS CRT at the STA station near the center of the control room and the ability to call up the SPDS at other operator locations satisfy the NUREG-0737, Supplement No. 1 requirement for placing the SPDS in a convenient location. The containment isolation display as it is currently configured and located does not meet this requirement of NUREG-0737, Supplement No. 1.
Continuous Display: The capability to call up display formats, other than the SPDS, on the STA's designated SPDS CRT does not satisfy the NUREG-0737, Supplement No. 1 requirement for the SPDS to be a continuous display. Either the CSF summary display must be added to all CRT formats accessible on the STA's CRT, or a dedicated CSF summary display needs to be added to the STA station.
Aid Operator in Rapidly and Reliably Determining Plant Status: Observation of an accident simulation indicated that the top-level CSF summary display appears to aid operators in rapidly determining plant status, but lower-level display formats do not seem to be as useful. The staff suggests a strong man-in-the-loop test program to identify drawbacks to the usefulness of the lower-level formats.
The system response time appears to be satisfactory, but the staff observations were made during a lightly loaded sequence.
System availability data indicate over 0.99 availability for the SPDS. The applicant needs to determine how the availability of the Reactor Vessel Level Instrumentation System (RVLIS) and the Radiation Data Management System (RDMS) will be factored into the system availability calculation.
The Subcriticality and Core Cooling status tree displays are not mode dependent.
The displays will indicate that these CSFs are being challenged during normal power operations.
This condition has the potential for misleading operators and needs improvement.
Incorporate Accepted Human Factors Principles: The SPDS generally incorporates accepted human factors principles with the following exceptions:
(1) The heat sink format displays the flow data value in an unconventional location.
(2) The display callup method is acceptable but awkward. The staff recommends a single operator action for callup of each of the second-level displays.
(3) The containment isolation display is located a significant distance from the primary SPDS location so that it is difficult to read the legends.
Unused cells appear to be randomly located so that pattern recognition is not a viable method of determining containment isolation. Furthermore, the display cells were designed to use two light bulbs each, but heat produced by two bulbs has caused the applicant to remove one bulb per cell.
This one-bulb condition reduces brightness and readability and eliminates the redundancy in indication provided by two bulbs.
Procedures and Training: Audit of the SPDS procedures and operator training program indicates that both satisfy the requirements of Supplement No. 1 to NUREG-0737.
Electrical and Electronic Isolation
The SPDS description report did not address isolation devices. Further information was provided by the letter of April 2, 1986. The following types of isolation devices are used at Seabrook:
(1) Westinghouse 7300 Series instrumentation
(2) General Atomics (GA) RM 80 isolators
(3) Westinghouse isolators used in the RVLIS
The Westinghouse 7300 Series isolators have been approved by the staff by means of Westinghouse Topical Report WCAP-8892A.
The GA RM 80 isolators, with the temporary fix of their fused output circuit, have been approved by the staff for use before the first refueling outage.
At that time, the isolators are to be replaced with isolators that do not have any fuses in their output circuit.
The Westinghouse RVLIS isolators, used to protect RVLIS from SPDS, have not yet been approved by the staff. In the meantime, the staff approves the use of SPDS on an interim basis at reactor power levels less than 5%. The likelihood of core damage at this low reactor power level is remote because the new fuel has not had a chance to build up significant radioactive decay products and therefore the amount of decay heat and the radiological source terms would both be low. In addition the Reactor Protection System instrumentation, including pressurizer level and pressure, would be available to provide an indication that the system is filled or is voiding.
The Westinghouse test report covering qualification of the RVLIS isolators is due in September 1986. Since the circuitry in these isolator boards is identical to that used in an earlier approved Westinghouse product, Westinghouse believes the isolation capabilities to be sufficient. The staff concurs in the above and will confirm that the isolator capability is established prior to exceeding 5% power.
Conclusions
On the basis of its documentation review and information gathered at the onsite audit, the staff concludes that the Seabrook SPDS does not fully meet the applicable requirements of Supplement No. 1 to NUREG-0737. The conclusion is based on the following:
(1) The SPDS display is not continuous.
(2) RHR flow and hydrogen concentration variables are considered by the staff to be part of the minimum information required to assess the CSFs and are not displayed on the SPDS.
(3) The containment isolation display is not satisfactorily readable from the prime SPDS location to be considered part of the SPDS.
(4) The SPDS does not display sufficient radiation variables.
(5) Several human engineering discrepancies have been identified.
(6) Two CSF status trees are not mode dependent and have the potential for misleading the operator.
(7) Isolation devices between the RVLIS and the SPDS have not yet been approved.
(8) Data validation algorithms may not be sophisticated enough to ensure valid data are displayed to the operator.
(9) The usefulness of the lower-level SPDS display formats to the operator is in question.
(10) RVLIS and RDMS availability has not yet been factored into overall SPDS availability calculations.
(11) System response time appears to be satisfactory, but a system load test is needed to verify the worst condition.
Implerectation of the SPDS is not required under NUREG-0737 before full power and is determined by a schedule that is negotiated with the staff. The appli-cant had proposed a .1une 30, 1986, implementation date for the Seabrook SPDS, and the staff found this acceptable. However, as noted in Supplement No. 4, a schedule for resolution of open itens identified in the staff's review and on-site audit would be established as a license condition to be implemented by the applicant before restart following the first refueling outage.
The staff did not identify any serious safety questions concerning the Seabrook SPDS.
However, the staff did determine that the isolators between RVLIS and SPDS have not yet been approved. Accordingly the staff concludes that SPDS will be acceptable as an interim installation up to 5% reactor power. Following approval of the isolators, the interim SPDS may be used until the other open items identified above have been resolved, or up to the end of the first refueling outage. At a minimum, resolution of the open items shall include:
(1) continuous display of the top-level critical safety function summary at the assigned SPDS control room location
(2) addition of, or satisfactory justification for not adding, RHR flow and hydrogen concentration parameters to appropriate SPDS screens
(3) addition of a containment isolation status screen on the SPDS, or improvement of the current containment isolation display to be satisfactorily recognizable from the assigned SPDS location in the control room. The second option must also include a commitment by the applicant that the relative position and orientation of the containment isolation display with respect to the SPDS station be maintained or improved.
(4) addition of a radiation monitoring screen to display at least steam generator (or steamline) and stack radiation
(5) improvement of the Heat Sink screen for consistency in labeling and the Subcriticality and Core Cooling screens for mode dependency so as not to mislead operators
(6) addition of approved isolation devices between the RVLIS and the SPDS, prior to exceeding 5% reactor power.
In addition, the applicant shall satisfactorily resolve the other open items identified above or demonstrate to the staff's satisfaction that the open items will not degrade the performance of the SPDS.
The staff proposes that the following license conditions be imposed to ensure satisfactory resolution of the open issues:
- Prior to exceeding 5% reactor power, the applicant shall have installed qualified isolation devices, approved by the staff, between RVLIS and SPDS.
- Before restart following the first refueling outage, the applicant shall have operational a safety parameter display system (SPDS) (as described in its submittals dated January 6, 1986, and April 2, 1986, and as modified as a result of the staff's audit findings) that is acceptable to the NRC.
DESIGN VERIFICATION AND DESIGN VALIDATION AUDIT OF THE SAFETY PARAMETER DISPLAY SYSTEM
FOR
PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE SEABROOK STATION
August 1, 1986
James Cooper
Gary L. Johnson
Lawrence Livermore National Laboratory
for the United States Nuclear Regulatory Commission
TABLE OF CONTENTS
1. Introduction
2. Safety Parameter Display System Design Overview
3. Assessment of the Verification and Validation Program
  3.1 System Requirements Review
    3.1.1 Audit Team Observations
    3.1.2 Audit Team Assessment
  3.2 Design Verification Review
    3.2.1 Audit Team Observations
    3.2.2 Audit Team Assessment
  3.3 Validation Tests
    3.3.1 Audit Team Observations
    3.3.2 Audit Team Assessment
  3.4 Field Verification Tests
    3.4.1 Audit Team Observations
    3.4.2 Audit Team Assessment
4. Assessment of SPDS Design
  4.1 "The SPDS Should Provide a Concise Display ..."
    4.1.1 Audit Team Observations
    4.1.2 Audit Team Assessment
  4.2 "The SPDS Should ... Display ... Critical Plant Variables"
    4.2.1 Audit Team Observations
    4.2.2 Audit Team Assessment
  4.3 "The SPDS Should ... Aid Them (Operators) In Rapidly and Reliably Determining the Safety Status of the Plant"
    4.3.1 Audit Team Observations
    4.3.2 Audit Team Assessment
  4.4 "The Principle Purpose and Function of the SPDS is to Aid ..."
    4.4.1 Audit Team Observations
    4.4.2 Audit Team Assessment
  4.5 "(The) SPDS (Shall Be) Located Convenient to the Control Room Operators"
    4.5.1 Audit Team Observations
    4.5.2 Audit Team Assessment
  4.6 "The SPDS Shall Continuously Display Information ..."
    4.6.1 Audit Team Observations
    4.6.2 Audit Team Assessment
  4.7 "The SPDS Shall be Suitably Isolated ..."
    4.7.1 Audit Team Observations
    4.7.2 Audit Team Assessment
  4.8 "Procedures Which Describe the Timely and Correct Safety Status Assessment ..."
    4.8.1 Audit Team Observations
    4.8.2 Audit Team Assessment
  4.9 "The SPDS Display Shall be Designed to Incorporate Accepted Human Factors ..."
    4.9.1 Audit Team Observations
    4.9.2 Audit Team Assessment
5. Summary
6. References
  6.1 General References
  6.2 Documentation Examined During the Audit
DESIGN VERIFICATION AND DESIGN VALIDATION AUDIT OF THE SAFETY PARAMETER DISPLAY SYSTEM FOR PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE SEABROOK STATION
1. INTRODUCTION
On May 20 and 21, 1986, an on-site audit of the Seabrook Station Safety Parameter Display System (SPDS) was conducted by the NRC. This NRC audit examined the Seabrook Verification and Validation program and reviewed the operation of the SPDS. Thus, the audit specifically addressed the points of both a Design Verification Audit and a Design Validation Audit as described by Sec. 18.2 of NUREG-0800.² The audit team was composed of one individual from the Nuclear Regulatory Commission Electrical Instrumentation and Control Systems Branch, an individual from the Lawrence Livermore National Laboratory, and an individual from EG&G acting as consultants to the NRC.
The audit was based upon the recommended criteria of NUREG-0800 Sec. 18.2. In accordance with that guidance, up to three separate audit meetings/site visits, as described below, may be arranged.
Design Verification Audit. The purpose of this audit meeting is to obtain additional information required to resolve any outstanding questions about the V&V program, to confirm that the V&V program is being correctly implemented, and to audit the results of the V&V activities to date. At this meeting, the applicant should provide a thorough description of the SPDS design process. Emphasis should be placed on how the applicant is assuring that the implemented SPDS will: provide appropriate parameters, be isolated from safety systems, provide reliable and valid data, and incorporate good human engineering practice.
Design Validation Audit. After review of all documentation, an audit may be conducted to review the as-built prototype or installed SPDS. The purpose of this audit is to assure that the results of the applicant/licensee's testing demonstrate that the SPDS meets the functional requirements of the design and to assure that the SPDS exhibits good human engineering practice.
Installation Audit. As necessary, a final audit may be conducted at the site to ascertain that the SPDS has been installed in accordance with the applicant/licensee's plan and is functioning properly. A specific concern is that the data displayed reflect the sensor signal which measures the variable displayed. This audit will be coordinated with and may be conducted by the NRC Resident inspector.
Based on the advanced state of the Seabrook SPDS design, the NRC staff carried out a combined Design Verification and Design Validation audit at the plant site.
During the course of this audit, the NRC audit team discussed aspects of the Seabrook SPDS program with Public Service Company of New Hampshire (PSNH). Additionally, the Seabrook control room was visited to ascertain the location of SPDS displays in relation to plant control boards and a response to a simulated plant upset was witnessed at the unit simulator to observe how the SPDS is used by the plant operating staff.
JYB:860603:8/1/86
2. SAFETY PARAMETER DISPLAY SYSTEM DESIGN OVERVIEW
The Seabrook Station SPDS is a feature of the station's Main Plant Computer system (MPC). The SPDS consists of seven MPC displays and one hardwired display that reflect the status of the six Critical Safety Functions (CSF) defined by the Seabrook Emergency Operating procedures. These eight displays consist of:
o An overview display showing the status of all CSFs.
o Six logic tree displays, one for each of the CSFs defined by the EOPs. Each display shows the current value of the parameters used to assess the CSF and the logic used to determine the status of the CSF.
o A hardwired display of containment isolation status.
PSNH has committed to add a Radiological Control CSF display that shows the current value of the radiation monitoring parameters used to determine the status of the Radiological Control CSF.
SPDS displays can be called up on any of seven MPC CRTs located around the control room. In addition, the MPC is used to generate alarm displays and is capable of displaying historical trends of any parameter input to the MPC or of any calculated value derived by the MPC.
The MPC receives inputs from plant instrumentation via nine Intelligent Remote Terminal Units (IRTU) that convert the input signals to digital format and transmit the data to two host computer units. Each IRTU contains redundant central processing units (CPUs). PSNH has organized MPC inputs such that redundant inputs are processed by different IRTUs.
The host computer consists of redundant CPUs. The hosts check each input value to verify it is within the range of the measuring instrument and is within reasonableness limits established by PSNH. The host computer also performs SPDS calculations, logic, and develops SPDS displays in addition to other MPC and visual alarm system functions.
The MPC also receives input of SPDS parameters from the Inadequate Core Cooling Monitor (ICCM) and the Radiation Data Management System (RDMS). Unlike parameters input via IRTUs, parameters received from ICCM and RDMS have had range and reasonableness checks by these systems; therefore, additional checking is not performed by the host computer.
One Safety Parameter Display System Critical Safety Function Display that was not originally planned to be included in the Seabrook SPDS system is radiological control. In response to NRC's identification of the need for a Radiological Control CSF, the RDMS will be modified to input to the SPDS. This system uses redundant central processor units and a loop data bus data acquisition system to continuously monitor area and effluent radiation levels around the station. The system periodically collects data from approximately 170 sensors, all with different addresses on the loop data busses. This information is presently displayed on a console in the control room. Linking this RDMS system by data bus to the Main Plant Computer will enable the display of current radiological data at any MPC work station, at the emergency response facility (ERF), the meteorological workstation (MET), and on the SPDS. Seabrook plans to link the MPCS to the RDMS by use of a vendor recommended interface.
3. ASSESSMENT OF THE VERIFICATION AND VALIDATION PROGRAM
A Verification and Validation (V&V) Program is concerned with the process of specification, design, fabrication, testing, and installation associated with an overall system's software, hardware, and operation. For the SPDS, verification is the review of the requirements to see that the right problem is being solved and a review of the design to see that it meets the requirements. Validation is the performance of tests of the integrated system to see that it meets all requirements.
Verification and Validation activities are not a regulatory requirement for the SPDS.
Nevertheless, a V&V program performed by the applicant/licensee during design, installation, and implementation of an SPDS will facilitate the NRC staff review of the system. The staff would then evaluate the program for the results of the design V&V program. On the basis of an effective V&V program, the staff would reduce the scope and detail of the technical audit of the design.
The purpose of the NRC Design Verification Audit was to obtain additional information required to resolve the outstanding questions about the PSNH V&V Program, to confirm that the V&V Program is being correctly implemented, and to audit the results of the V&V activities to date. The criteria suggested in NUREG-0800, Sec. 18.2, Appendix A were used as a basis for this audit. The recommendation of NSAC/39 b provided additional guidance to the audit team.
The remainder of this section presents the audit team's observations and assessments of the PSNH V&V Program for the following four items: System Requirements Review, Design Verification Review, Validation Tests, and Field Verification Tests. The observations and assessments were obtained through an examination of the available documentation.
3.1 SYSTEM REQUIREMENTS REVIEW
Section 18.2 of NUREG-0800 recommends that the SPDS development process include a review of desired system capabilities to determine that the functional needs will be satisfied. The principal goal of this activity is to independently determine if the requirements will result in a possible and usable solution to the entire problem. The requirements are reviewed for correctness, completeness, consistency, understandability, feasibility, testability, and traceability. The requirements review also provides the basis for developing the system validation test plan.
3.1.1 Audit Team Observations
Since the Main Plant Computer design was completed before the development of requirements for a Safety Parameter Display System, PSNH could not conduct a formal review of planned MPC/SPDS capabilities against functional needs.
An informal requirements review of the SPDS display contents and format was conducted during the development of SPDS software. This review, however, did not include other attributes such as the requirements for data validation, continuous display, or user interface. Section 4 of this report discusses a number of deficiencies noted by the audit team. These deficiencies indicate that the SPDS development would have benefited from a thorough system requirements review to insure the system completely fulfilled the requirements of NUREG-0737, Supplement 1.
PSNH has implemented procedures to require a requirements versus planned capability design review for future modifications to the Main Plant Computer including the SPDS software.
3.1.2 Audit Team Assessment
Public Service of New Hampshire did not implement the recommendation of Sec. 18.2 to NUREG-0800 to perform a verification that planned system capabilities will accomplish the functional needs for an SPDS. Given the advanced state of the system design, the audit team believes there would be little benefit in conducting a review of this type at this time.
The existence of formal design review requirements for future software modifications should help PSNH avoid similar problems as a result of future modifications.
3.2 DESIGN VERIFICATION REVIEW
Section 18.2 of NUREG-0800 recommends that the SPDS development process include a design verification review performed after the system is initially designed to verify that the design will satisfy functional needs. This activity is intended to verify the hardware and software design against the system requirements. This review covers both the hardware and software specifications as well as the design. The specifications and the designs are reviewed to ensure that the system requirements decomposition into hardware and software is complete and that there are no ambiguities or deficiencies.
3.2.1 Audit Team Observations
As with the system requirements review, NRC recommendations regarding review of system design against functional needs were not available to support the development of the Main Plant Computer system and Radiation Data Management System. Therefore, the review process suggested by Sec. 18.2 of NUREG-0800 was not fully implemented by PSNH. The SPDS software development process did, however, incorporate a review of software routines against a set of functional requirements for each SPDS display. These display functional requirements were developed by the system engineer in conjunction with plant operations. The specific scope and findings of these reviews were not documented except for ultimate approval of the routines by the reviewer.
Testing of the SPDS software routines has also been conducted to verify that test combinations of data input to the MPC data base produce the expected parameter value and proper validity flag. At the time of the audit, plant SPDS software development had not yet proceeded to the point where validation testing of the CSF status determination logic could be conducted.
3.2.2 Audit Team Assessment
PSNH did not fully implement the recommendations of Sec. 18.2 of NUREG-0800 regarding review of the system design versus system functional requirements. Although Verification and Validation reviews are not a requirement of Supplement 1 to NUREG-0737, the design problems identified by the NRC audit indicate that the Seabrook SPDS design would benefit from a thorough design verification review. The audit team, therefore, recommends that the process for correcting the identified system design problems should include a formal, complete, independent, and documented system design verification review to ensure that any systems shortcomings will be acceptably resolved.
3.3 VALIDATION TESTS
Section 18.2 of NUREG-0800 recommends the SPDS development process include validation tests performed after the system is assembled to confirm that the integrated system satisfies the functional needs when combined with the plant control room and plant operators who have received the normal plant specific training in the use of the SPDS. The foundation for this activity lies in the information derived from the requirements review, the design review, and the hardware, software, and system tests performed by the system supplier. The system validation tests follow the system integration tests performed by the supplier to demonstrate that the hardware and software function acceptably.
3.3.1 Audit Team Observations
The Seabrook SPDS was operable in the Seabrook control room simulator when the simulator was used to conduct validation testing of the Westinghouse Owners Group (WOG) Emergency Response Guidelines (ERG) and Functional Response Guidelines (FRG). This testing included response to plant upsets both with and without the use of the SPDS. PSNH stated that the SPDS reduced the time required to respond to upset conditions. At the time of the audit, however, no documentation or other information was available to provide the details of how this conclusion was reached. Furthermore, there was no indication that any other measures of SPDS effectiveness were considered or observed.
3.3.2 Audit Team Assessment
Sufficient information was not available at the audit to allow a conclusion that the overall system validation testing conducted as part of the WOG ERG validation program satisfies the intent of Sec. 18.2 of NUREG-0800 in this regard. The fact that operators did not choose to access lower level SPDS screens during the drill witnessed by the audit team would seem to indicate a need for further system validation testing. PSNH should reevaluate the adequacy of the previous validation testing to insure that the usefulness of the Seabrook SPDS was thoroughly established. If PSNH concludes that the previous efforts represented an adequate test, the basis for this conclusion should be described to NRC. This basis should include:
o Identification of the specific simulated plant upsets for which the SPDS effectiveness was evaluated.
o Discussion of the applicability of the testing to the Seabrook plant SPDS given the differences between the simulator system and the plant system (e.g., the simulator does not provide redundant inputs to the SPDS; therefore, input of combinations of invalid data could not be simulated.)
o Description of any differences between the philosophy and training for using the SPDS during the procedure validation process and the Seabrook specific training and philosophy.
o Identification of the specific data gathered to evaluate SPDS effectiveness and the data collection techniques.
o Description of the method and criteria used to evaluate the data.
o Discussion of the results of the validation testing.
3.4 FIELD VERIFICATION TESTS
Section 18.2 of NUREG-0800 recommends the SPDS development process include field verification tests performed after the system is installed to verify that the validated system was installed properly. As a minimum, field verification will consist of verifying that each input signal is properly connected and that the signal range is consistent with the design. Stated differently, it must be verified that the information displayed is directly correlated with the sensor data being input. It is expected that an independent review of the installation tests may fulfill a portion of the field verification test plan.
3.4.1 Audit Team Observations
As part of Main Plant Computer system acceptance testing PSNH confirmed that each MPC input point was properly connected by verifying that the current value of each instrument input was accurately stored by the MPC. This process will be repeated as part of each instrument loop calibration by verifying that each calibration input is accurately displayed by the MPC. The final SPDS software has not yet been installed in the plant so verification testing of this SPDS is not complete.
3.4.2 Audit Team Assessment
PSNH has not yet completed all verification testing and has not developed an overall test plan that identifies the verification testing yet to be done. However, during the audit PSNH did exhibit an understanding of the purpose of field verification testing; therefore, if PSNH follows through on the validation testing process in a manner that is consistent with the testing to date, they are expected to satisfy the intent of Sec. 18.2 to NUREG-0800 in this regard. The audit team suggests that this verification testing include an end-to-end system test of all portions of the MPC, RDMS, and ICCM that perform SPDS functions.
Once SPDS field verification testing is complete, PSNH should provide NRC with a description of the system attributes tested, the test methodology, and test results so that a final conclusion regarding the acceptability of the testing can be reached.
4. ASSESSMENT OF SPDS DESIGN
The NRC audit team assessed the SPDS system with respect to the requirements of Supplement 1 to NUREG-0737 using the specific review criteria suggested by NUREG-0800, Sec. 18.2, Appendix A. This portion of the audit addressed the points of a Design Validation Audit. The following provides a discussion of the Seabrook Station SPDS design features relative to the provisions of Supplement 1 to NUREG-0737, and the corresponding audit team assessment in each area.
4.1 "THE SPDS SHOULD PROVIDE A CONCISE DISPLAY ..."
4.1.1 Audit Team Observations
The Seabrook SPDS provides an overview of the status of all seven Critical Safety Functions. This overview display consists of a seven section horizontal bar. Each section corresponds to a CSF and is displayed in one of four colors that indicates the current degree of challenge to the safety function. The color coding scheme is:
Red - CSF under extreme challenge.
Orange - CSF under severe challenge.
Yellow - CSF off normal.
Green - CSF satisfied.
Each color is displayed in a different section of the CSF bar so that position coding of CSF status is available in addition to color coding. A condensed version of the overview display is incorporated into each of the other SPDS displays. This version presents only the color code to indicate CSF status.
Lower level displays provide the specific information used by the SPDS in determining the status of each Critical Safety Function. With the exception of the Radiological Control CSF, this information is displayed in logic tree format. The current parameter value used at each decision point is displayed near the decision block that describes the logical decision made by the SPDS. Each logic path is color coded to show the degree of CSF challenge represented by that path. The terminus point flashes on the logic path that corresponds to the current status of the Critical Safety Function.
Not all of the information needed to assess the Containment CSF is included on the CRT displays. The status of Containment Isolation is provided on a hardwired status light display across the control room from the primary SPDS display. Most, but not all, status lights are illuminated by containment isolation and the lights are not arranged or labeled such that an operator at the primary SPDS CRT can readily determine whether an unlit status light corresponds to a failed containment isolation valve or to an unused light.
The Radioactivity Control CSF display consists of five horizontal intensity bars. Four of the bars are for steam generator radiation levels and one for radiation level at the containment vent. Each bar is titled on the display under the bar. The readout also shows the range of the detector channel that it displays. As the level of the channel goes up, the bar fills in, progressing from left to right. When the channel is in alarm, as determined by the RDMS setting, the bar color turns red. It is cyan for normal values. The alarm condition will be carried through to the overview display.
4.1.2 Audit Team Assessment
With the exception of the difficult to interpret containment isolation status display, the Seabrook SPDS meets the requirements of Supplement 1 to NUREG-0737 regarding concise display of critical safety function status. The Seabrook SPDS will totally satisfy this requirement if the containment isolation status display is modified such that an operator at the primary SPDS console can readily determine if all required containment isolation valves have closed. Two possible modifications that would accomplish this purpose would be to light the spare indicators on a containment isolation signal or to rearrange the indicators such that the ones that should be lit on containment isolation form an easily recognized pattern. PSNH should describe to NRC how the containment isolation status display will be corrected.
4.2 "THE SPDS SHOULD ... DISPLAY ... CRITICAL PLANT VARIABLES"
4.2.1 Audit Team Observations
The following plant parameters are inputs to the Seabrook SPDS:
Reactivity Control Critical Safety Function
o Intermediate range reactor power; source range through 200 percent.
o Start-up rate.
Core Cooling Critical Safety Function
o Core exit temperatures.
o Reactor coolant pump status.
o Reactor vessel level indication.
o Wide range reactor cooling system (RCS) pressure (used with core exit temperature to calculate the displayed variable subcooling).
Heat Sink Critical Safety Function
o Steam generator wide and narrow range water level.
o Emergency feed water flow.
o Steam generator pressure.
o Containment pressure (used in determining decision criteria for steam generator water level).
Reactor Cooling System Integrity Critical Safety Function
o RCS cold leg wide-range temperatures.
o RCS wide-range pressure.
Containment Critical Safety Function
o Containment pressure.
o Containment recirculation sump level.
o Containment radiation level.
o Containment isolation valve status.
Reactor Coolant System Inventory Critical Safety Function
o Pressurizer level.
PSNH has also committed to establish a Radiological Control CSF screen on the SPDS. It will provide steam generator radiation level and stack monitor radiation level.
The parameters selected for display and the groupings of parameters into CSFs are based upon the Critical Safety Functions monitored by the Westinghouse upgraded Emergency Operating Procedures. Two exceptions are containment isolation valve status indication and the Radiological Control CSF which are being added to the SPDS to resolve minor differences in philosophy behind the safety functions evaluated by EOPs and the CSF parameter selection for the SPDS.
The CSFs displayed by the Seabrook SPDS correspond in the following manner to the five safety functions identified by Supplement 1 to NUREG-0737.
NUREG-0737, S1 CSF | Seabrook SPDS CSF |
---|---|
Reactivity | Subcriticality |
Reactor core cooling and heat removal from the primary system. | Core cooling; Heat sink (Except that the Seabrook SPDS has no parameter inputs which can be used to monitor the status of heat removal when post accident cool down has progressed to the point where cool down via steam generators is no longer desirable.) |
RCS integrity | Integrity; Inventory |
Radiation control | Radiation control |
Containment | Containment (Except that the challenge to the containment safety function posed by high hydrogen concentration is not monitored by the SPDS.) |
4.2.2 Audit Team Assessment
With two exceptions, the parameters displayed by the Seabrook SPDS are sufficient to provide operators with information regarding the status of the five safety functions identified by Supplement 1 to NUREG-0737. The two exceptions are:
o The Seabrook SPDS has no inputs that allow the evaluation of the status of heat removal from the primary system after the post accident cool down has progressed to the point where the Residual Heat Removal (RHR) system provides the primary heat removal path. RHR flow is one parameter that would provide the needed information.
- o The Seabrook SPDS does not account for high hydrogen concentration in containment as a challenge to containment integrity.
PSNH should submit a discussion to NRC of how these two items will be addressed by the SPDS. This discussion should also confirm PSNH's commitment to include containment isolation status and Radiological Control CSF in the SPDS and should document the content, format, data validation methodology, and CSF evaluation logic used in the Radiological Control CSF display.
4.3 "THE SPDS SHOULD ... AID THEM (OPERATORS) IN RAPIDLY AND RELIABLY DETERMINING THE SAFETY STATUS OF THE PLANT"
4.3.1 Audit Team Observations
Most parameter values displayed by the SPDS and SPDS logic trees are updated every five seconds. The update rate is controlled by the MPC program scheduler in which SPDS programs are assigned a higher priority than most other MPC routines; therefore, the update interval should remain relatively independent of MPC workload. Two exceptions to the five-second update rate are the calculation of core heat-up and cool-down rate for the RCS integrity status tree and the information on the Radioactivity Control CSF display. The heat-up rate calculation is updated every thirty seconds. More frequent recalculation of this value is unnecessary because the status tree decision criterion is based upon change in temperature over the last sixty minutes rather than upon the instantaneous value of the heat-up or cool-down rate. The RDMS remote processors acquire data continuously and are polled every 30 seconds on the bus by the RM-11 host. One line connects each of the RM-11 hosts to the plant computer. Every 30 seconds, the plant computer can request the current radiological data. In this manner, the screen data can be updated every 30 seconds for the current radiological conditions.
The SPDS parameters input via the Intelligent Remote Terminal Units receive a gross validity check as part of the process for inserting instrument readings into the MPC data base. This gross check includes:
o Verification that the IRTU is scanning the instrument loop in question.
o Operability verification of the communications link between the input processor and the host computer.
o IRTU operability verification.
o Verification that the input parameter value is within the capability of the associated instrument loop.
o Verification that the parameter value is within a reasonable range as defined by PSNH engineering and operations.
These checks form the basis of an instrument validity status word that is associated with the reading in the MPC data base.
For Radioactivity Control CSF information, the RDMS performs data and operability checks at remote processors located with the radiation detector. The remote processor monitors data quality and operability status and encodes this information, along with the current radiation data, on the data bus to the RDMS host computers. The data are flagged questionable if:
o There are inconsistent values more than 50 percent of the time (drop out in link).
o There is any operate failure.
o The integrated calculations are not accurate enough (95 percent confidence of value within 6 percent of mean).
o There is less than 85 percent response to the automatic check source.
o An operate failure is reported for a loss of counts.
o Sample flow is lost.
o A channel is out of service.
o A check source test failed.
o A filter is torn or clogged.
The data quality and operability status is passed up the bus to the RDMS display where the data display is color coded to indicate data validity. This validity data will be transferred, along with current radiation data, to the main plant computer and subsequently to the SPDS display system.
In cases where redundant measurements of plant parameters are input to the MPC, the SPDS synthesizes a single value of the parameter by either averaging all valid inputs or by selecting the highest or lowest reading from among the valid inputs. The use of high, low, or average was selected in each case to insure a conservative interpretation of the CSF status trees. If no valid inputs are available for a given parameter, the parameter value will be displayed with a question mark. If a lack of valid information prevents the evaluation of a tree under current plant conditions the affected status tree will not be evaluated, the status tree will not display an active evaluation path, and the overview display will display the status of the affected tree as black for unable to evaluate.
The Seabrook SPDS does not currently make use of interchannel comparison of redundant instrumentation in the data validation scheme.
The audit team noted that two status trees appear to provide incorrect status information during power operation. The subcriticality status is indicated red (under extreme challenge) whenever reactor power exceeds 5 percent. Since no plant mode information is used by this SPDS logic tree, the CSF will be continuously indicated to be under extreme challenge during normal power operation. A similar problem exists with the indication of core cooling CSF status because the RCS subcooling criteria used by the status tree may not always be met during power operation. This will cause the status of core cooling to be erroneously indicated as orange, under severe challenge.
Indication of SPDS and MPC operability is provided by a real-time clock located in the upper left-hand corner of the display. When the SPDS and MPC are operating, the clock updates every second; if the computer goes down, the clock reading will no longer increment.
PSNH has conducted a reliability analysis of the Main Plant Computer system which includes most SPDS functions. This analysis estimated system availability will exceed 0.99. This analysis assumed component mean-time-to-repair would be on the order of 1/2 to 2 hours. During the audit, PSNH stated that this assumption is supported by their plans to maintain a complete set of MPC spare parts on site and to have qualified maintenance staff available on all shifts. PSNH has also been keeping system availability data since December 1985. The availability records show that MPC availability has significantly exceeded 0.99 over this period. Neither the availability analysis, nor the availability records address the effect upon SPDS availability of data processing systems, other than the MPC, that provide input data to the SPDS (i.e., Inadequate Core Cooling Monitor and Radiological Data Monitoring System).
Data on the availability of the Radiation Data Management System was not available at the time of the audit. The similarity of design to the Main Plant Computer system, with dual processors and dual or ring data busses, would lead one to expect high availability of the RDMS. It is not known how the numeric reliability of the data components of the RDMS compare with the comparable components of the MPC. The components of both systems are proven products of established manufacturers. The RDMS was originally designed to be a stand-alone plant radiation monitoring system required to supply data on critical plant levels during demanding plant conditions.
4.3.2 Audit Team Assessment
The Seabrook SPDS does not completely satisfy the provisions of Supplement 1 to NUREG-0737 regarding rapid and reliable display because the data validation techniques used are insufficient to provide a highly reliable synthesized value of SPDS parameters and because the SPDS displays incorrectly indicate that the reactivity control and core cooling CSFs are under challenge during normal power operation. The use of high or low values provided by redundant instrumentation may result in a conservative estimation of the status of Critical Safety Functions but it also ensures that the operator will be misled about safety function status in the event of large instrument errors or on-scale instrument failures. Use of average values without additional validation checks does not guarantee the operator will be consistently misled in the conservative direction. PSNH must implement data validation methodology that makes more effective use of redundant information available via the MPC. PSNH could also improve the usefulness of the existing validity screening of input data by tightening the reasonableness band applied to some parameters. For example, at the time of the audit, PSNH was using 0°F as the lower limit for reasonableness check of temperature inputs and 200 percent as the upper limit for the reasonableness check of reactor power. The audit team believes more meaningful bounds could be established in both cases.
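
The following Python sketch is an added example, not PSNH's or the NRC's code. It models the gross range check and high/low/average synthesis described above and contrasts it with an interchannel comparison; the median-deviation rule, the channel tags, the readings, the tolerance and the 700°F and 100°F limits are assumptions made for illustration (only the 0°F lower limit comes from the report).

```python
from dataclasses import dataclass
from statistics import mean, median
from typing import List, Sequence


@dataclass(frozen=True)
class Reading:
    channel: str           # hypothetical channel tag
    value: float           # engineering units (deg F in the sample data)
    scanned: bool = True   # input unit is scanning this instrument loop
    link_ok: bool = True   # input unit and its link to the host are operable


def gross_valid(r: Reading, lo: float, hi: float) -> bool:
    """Gross check in the style the report describes: loop scanned, link
    operable, and value inside the reasonableness band [lo, hi]."""
    return r.scanned and r.link_ok and lo <= r.value <= hi


def interchannel_filter(valid: Sequence[Reading], tol: float) -> List[Reading]:
    """Assumed interchannel comparison: keep channels within tol of the
    median of the gross-valid set. With fewer than three channels there is
    no majority to outvote a bad reading, so nothing is dropped."""
    if len(valid) < 3:
        return list(valid)
    mid = median(r.value for r in valid)
    return [r for r in valid if abs(r.value - mid) <= tol]


def synthesize(readings, lo, hi, select, tol=None):
    """Return (synthesized value or None, channels rejected by comparison).

    select is max, min or mean, matching the high/low/average choice.
    tol=None reproduces gross-check-only validation."""
    valid = [r for r in readings if gross_valid(r, lo, hi)]
    rejected: List[str] = []
    if tol is not None:
        kept = interchannel_filter(valid, tol)
        kept_names = {r.channel for r in kept}
        rejected = [r.channel for r in valid if r.channel not in kept_names]
        valid = kept
    if not valid:
        return None, rejected
    return select([r.value for r in valid]), rejected


def display(value) -> str:
    """No valid input is shown as a question mark, as on the SPDS."""
    return "?" if value is None else f"{value:.1f}"


# Constructed sample data: four redundant temperature channels.
# TE-D has failed on-scale, so it still sits inside a 0-700 deg F band.
HIGH_FAIL = [Reading("TE-A", 548.0), Reading("TE-B", 551.0),
             Reading("TE-C", 549.5), Reading("TE-D", 690.0)]
LOW_FAIL = [Reading("TE-A", 548.0), Reading("TE-B", 551.0),
            Reading("TE-C", 549.5), Reading("TE-D", 5.0)]
ALL_DOWN = [Reading("TE-A", 548.0, link_ok=False),
            Reading("TE-B", 551.0, scanned=False)]

if __name__ == "__main__":
    cases = [
        ("highest, gross check only", HIGH_FAIL, 0.0, 700.0, max, None),
        ("highest, with comparison", HIGH_FAIL, 0.0, 700.0, max, 15.0),
        ("average, gross check only", HIGH_FAIL, 0.0, 700.0, mean, None),
        ("average, with comparison", HIGH_FAIL, 0.0, 700.0, mean, 15.0),
        ("lowest, 0 deg F lower limit", LOW_FAIL, 0.0, 700.0, min, None),
        ("lowest, 100 deg F lower limit", LOW_FAIL, 100.0, 700.0, min, None),
        ("no valid inputs", ALL_DOWN, 0.0, 700.0, mean, None),
    ]
    for label, data, lo, hi, select, tol in cases:
        value, rejected = synthesize(data, lo, hi, select, tol)
        print(f"{label:32s} -> {display(value):>6s}  rejected={rejected}")
```

With the gross check alone, the failed channel sets the displayed value under highest or lowest selection and skews the average; the comparison step or a tighter band removes it.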
The precision to which plant variables are indicated on the SPDS displays and the update rates for the SPDS data base and displays are acceptable. PSNH system verification testing should confirm that the SPDS update rate is not seriously affected when a large number of nearly simultaneous processing demands are made on the MPC as may occur during the response to a severe accident.
The MPC system availability has been demonstrated to be sufficient to support the high SPDS availability goal set by Supplement 1 to NUREG-0737. PSNH has not, however, demonstrated high availability for the SPDS as a whole, since neither the availability analysis nor the availability history address the effect of the RDMS or the ICCM reliability upon overall SPDS availability. PSNH should include these items in their procedures for monitoring of SPDS availability.
PSNH should provide a discussion for NRC review of the actions planned to improve the data validation methodology and an assessment, based either on calculation or operating experience data, of the overall availability of the SPDS including the Inadequate Core Cooling Monitor and the Radiological Data Monitoring System inputs.
4.4 "THE PRINCIPAL PURPOSE AND FUNCTION OF THE SPDS IS TO AID THE CONTROL ROOM PERSONNEL DURING ABNORMAL AND EMERGENCY CONDITIONS IN DETERMINING THE SAFETY STATUS OF THE PLANT AND IN ASSESSING WHETHER ABNORMAL CONDITIONS WARRANT CORRECTIVE ACTIONS BY CONTROL ROOM OPERATORS TO AVOID A DEGRADED CORE."
4.4.1 Audit Team Observations
The Seabrook SPDS displays the current value of input SPDS variables and provides the operator with a visual indication of the status of each Critical Safety Function. This status takes the form of an overview display that shows the status of all CSFs. A detailed display for each CSF is also available. The detailed display shows the CSF status, the value of each variable used to determine CSF status, the logic to determine CSF status, and references the procedure to be used to return the CSF to a normal condition.
The variables displayed, logic, logic set points, and logic display formats are based upon the Critical Safety Function evaluation process contained in the Seabrook Emergency Operating Procedures which were based upon the Emergency and Functional Response Guidelines developed for the Westinghouse Owners Group. Therefore, the basis for the existing CSF displays is directly traceable to the System Function and Task Analysis conducted during the development of the WOG guidelines.
The Seabrook Main Plant Computer is capable of displaying historical trends for any variable input to the MPC including all SPDS variables. However, since PSNH does not consider the trending capability to be an SPDS feature, no prearranged trend displays have been established to simplify access to historical trend information. Since the trending capability was not considered as part of the SPDS function, the audit team did not review the capabilities of the trending function.
The audit team observed a simulator drill conducted by PSNH to demonstrate the use of the SPDS under plant upset conditions. The audit team noted that during the entire course of the drill, Critical Safety Function status was monitored by the Shift Technical Advisor using hardwired instrumentation and hard copies of the CSF status trees. At no time during the drill did any operator select for display an SPDS CSF status tree.
4.4.2 Audit Team Assessment
Although the Seabrook SPDS appears to display the information required to evaluate CSF status in an easily understood manner that should aid the operators in the determination of plant safety status, the fact that no use was made of the logic tree displays during the drill indicates that the operators do not find the system to be a satisfactory aid. Therefore, the audit team cannot conclude that the Seabrook SPDS provides the required operator aid in the determination of safety status. PSNH should investigate the basis of the operator's reluctance to use the lower level SPDS displays and report to NRC the system changes made to make it useful from the operator's point of view.
4.5 "(THE) SPDS (SHALL BE) LOCATED CONVENIENT TO THE CONTROL ROOM OPERATORS"
4.5.1 Audit Team Observations
The SPDS displays can be accessed at any one of four locations in the control room.
o On any of four CRTs located near the center of the main control board, between primary system and secondary system controls and displays.
o On a CRT located among Service Water and Emergency Safety Feature controls and displays on the left side of the main control board.
o On a CRT located among the Component Cooling Water controls and displays on the right side of the main control board.
o On a CRT located at the Shift Technical Advisor's desk.
The shift technical advisor has been designated as the primary user of the SPDS under upset conditions.
4.5.2 Audit Team Assessment
PSNH has clearly satisfied the requirement of Supplement 1 to NUREG-0737 that the SPDS be located convenient to operators.
4.6 "THE SPDS SHALL CONTINUOUSLY DISPLAY INFORMATION FROM WHICH THE SAFETY STATUS OF THE PLANT ... CAN BE ASSESSED ..."
4.6.1 Audit Team Observations
The Seabrook SPDS provides a summary overview display of the status of each Critical Safety Function. This overview display consists of a full screen display of a seven segment bar, each segment of which corresponds to one CSF. Each bar segment contains a color and position code to represent the current status of the corresponding safety function. When an individual CSF status tree is selected for display, a reduced version of the overview is displayed in the lower left portion of the status tree display. Safety function status information is not incorporated into any of the MPC displays that are not designated as SPDS displays. Furthermore, PSNH has not implemented procedures to insure the SPDS is always displayed on at least one control room CRT.
4.6.2 Audit Team Assessment
Under the current Seabrook procedures, all control room displays could be selected such that no SPDS display is provided in the control room. Therefore, PSNH has not satisfied the requirement of Supplement 1 to NUREG-0737 to continuously display safety status information. Two possible ways to resolve this deficiency would be to include the CSF status bar on all MPC displays, or to implement administrative procedures that require an SPDS display to be on at least one control room CRT whenever the plant is above mode 5. PSNH should report to NRC on the ultimate resolution to this item.
4.7 "THE SPDS SHALL BE SUITABLY ISOLATED FROM ELECTRICAL OR ELECTRONIC INTERFERENCE WITH EQUIPMENT AND SENSORS THAT ARE IN USE FOR SAFETY SYSTEMS"
4.7.1 Audit Team Observations
PSNH uses three different models of isolators to electrically isolate the SPDS from safety related inputs. Type test data for two of these models has already been submitted to and reviewed by NRC. Type testing of the remaining model and the results will be submitted in the near future.
4.7.2 Audit Team Assessment
The adequacy of electrical isolation devices used by the SPDS is being separately reviewed by NRC.
4.8 "PROCEDURES WHICH DESCRIBE THE TIMELY AND CORRECT SAFETY STATUS ASSESSMENT WHEN THE SPDS IS AND IS NOT AVAILABLE WILL BE DEVELOPED BY THE LICENSEE IN PARALLEL WITH THE SPDS. FURTHERMORE, OPERATORS SHOULD BE TRAINED TO RESPOND TO ACCIDENT CONDITIONS BOTH WITH AND WITHOUT THE SPDS AVAILABLE."
4.8.1 Audit Team Observations
Operator training in the use of the SPDS is incorporated into training on the use of plant Emergency Operating Procedures. This training is required for operator licensing and requalification. The Seabrook SPDS basically provides an automated means to continuously evaluate the Critical Safety Function Status Trees contained in the plant Emergency Operating Procedures. If the SPDS is unavailable, the operators will perform the same status tree evaluation manually using paper copies of the status trees and hardwired plant instrumentation located on the main control boards.
4.8.2 Audit Team Assessment
PSNH has satisfied the requirements of Supplement 1 to NUREG-0737 in this regard.
4.9 "THE SPDS DISPLAY SHALL BE DESIGNED TO INCORPORATE ACCEPTED HUMAN FACTORS PRINCIPLES SO THAT THE DISPLAYED INFORMATION CAN BE READILY PERCEIVED AND COMPREHENDED BY SPDS USERS."
4.9.1 Audit Team Observations
The basic format of the Critical Safety Function Status Trees was developed by Westinghouse using their human factors design criteria and input from utility representatives participating in the Westinghouse Owners Group. Except for use of control room color coding and nomenclature conventions, PSNH did not establish formal human factors criteria for use in the development of the Main Plant Computer or implementation of the SPDS on the MPC. However, a complete human factors review of the SPDS displays and operator interfaces was incorporated into Seabrook's Detailed Control Room Design Review and no human engineering discrepancies were noted.
During the audit the audit team operated the SPDS to access and observe all displays. The following human engineering discrepancies were noted:
o The Containment Isolation Status indication is not arranged such that an operator at the primary SPDS user's (STA) station can readily determine if all automatic containment isolation valves have closed.
o Access from the overview display to the first two CSF status trees is relatively awkward. The operator must traverse the cursor across a large portion of the CRT screen to address the desired tree then simultaneously push two keyboard buttons to display the tree. Access to subsequent displays is easier because after the second status tree is selected, the cursor remains in the area of the screen used to address status trees.
o On one tree, a parameter value is displayed in a location that is inconsistent with the standard format.
o Although the CSF status trees provide both a color and pattern coding of the CSF status, the overview display on the status trees only provides color coding.
4.9.2 Audit Team Assessment
Seabrook's SPDS will satisfy the NUREG-0737, Supplement 1 requirement to incorporate human factors principles provided the above noted problem with the layout of the Containment Isolation Status display is corrected. The remaining human engineering deficiencies noted during the audit are not severe problems. Nevertheless, PSNH is encouraged to correct these discrepancies. PSNH should describe to NRC the corrective action taken in this area.
The noted difficulty in accessing the lower level SPDS displays should be evaluated as a potential source of the operators' reluctance to use the status tree displays.
5. SUMMARY
The Seabrook Station Safety Parameter Display System only partially fulfills the SPDS requirements of Supplement 1 to NUREG-0737. The system deficiencies that lead to this conclusion are:
o The status of containment isolation valves is not displayed concisely so that an operator at the primary SPDS terminal can readily determine if containment isolation has been satisfactorily completed.
o The SPDS does not allow assessment of heat sink status during post accident cool down after the steam generators are no longer the desired heat sink for the primary system.
o The SPDS does not provide indication if hydrogen concentration in containment poses a challenge to the Containment Critical Safety Function.
o Indication of the status of the Radiological Control Critical Safety Function has not yet been implemented.
o The data validation algorithms used do not take advantage of redundant information to provide the operator and SPDS logic with highly reliable values of SPDS parameters.
o During normal power operation, the SPDS provides an erroneous status indication for the subcriticality and core cooling CSFs.
o PSNH has not demonstrated that SPDS update and response times will not be unacceptably affected by the high Main Plant Computer loading conditions expected to occur during response to a severe plant upset.
o The simulated response to a plant accident witnessed by the audit team indicated that the Seabrook operators do not find the Critical Safety Function Status Trees to be a significant aid.
o Information from which the safety status of the plant can be assessed is not continuously displayed by the SPDS.
In addition to the above problems, the audit team noted a few items which would not by themselves inhibit acceptance of the SPDS. Nevertheless, PSNH should consider these items for correction.
o The limits selected for use in checking data reasonableness are in some cases well outside of the reasonable range of the variable.
o The first two Critical Safety Function Status Trees called up after display of the CSF overview are somewhat awkward to address.
o On one status tree, one parameter is displayed in a location that is inconsistent with the convention used for all other parameter values.
o The Critical Safety Function overview provided on status tree displays does not incorporate redundant coding of safety function status as a backup to color coding.
PSNH should report to NRC on the actions taken to correct the problems listed above.
Although Verification and Validation of the SPDS design and implementation is not a regulatory requirement, the SPDS development process at Seabrook would have benefited significantly from a formal, rigorous V&V program. It is recommended that PSNH's process for correcting the NRC audit team's findings include a formal, complete, independent, and documented verification of SPDS capabilities against the requirements of Supplement 1 to NUREG-0737. This will ensure that adequate corrective actions are implemented. The methodology and results of this review should be made available for NRC review.
Although SPDS validation testing was incorporated into the verification and validation process for the Westinghouse Owners Group Emergency Response and Functional Response Guidelines, insufficient information was available during the audit to allow assessment of the suitability of this testing. The fact that the Seabrook operators did not choose to access any Critical Safety Function Status Trees during the simulator drill witnessed by the audit team implies the existence of difficulties with the use of the system that were not detected by the original validation testing. It is recommended that PSNH review the adequacy of the original validation testing. PSNH should provide the details of this testing or any additional validation testing for NRC review. Specific information that should be included is discussed in Sec. 3.3.2 of this report.
Subsystem and field installation verification testing of the Seabrook SPDS has not been completed and PSNH has not documented the plans for the completion of this testing. Therefore, a final conclusion regarding the suitability of this testing could not be reached. Testing conducted to date, however, indicates that PSNH understands the need for, and purpose of, verification testing. Consequently, if subsystem and field installation verification testing proceeds in a manner that is consistent with the testing to date, PSNH will comply with the intent of Sec. 18.2 of NUREG-0800 and NSAC/39 in this regard. The audit team recommends that a sensor-to-display test of all SPDS inputs be included in the field verification test program. PSNH should provide NRC with a discussion of the remaining system and field installation verification activities.
6. REFERENCES
6.1 GENERAL REFERENCES
1. U.S. Nuclear Regulatory Commission, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980, Supplement 1, December 1982.
2. U.S. Nuclear Regulatory Commission, NUREG-0800, "Standard Review Plan for Review of Safety Analysis Reports for Nuclear Power Plants," Sec. 18.1, Control Room, Rev. 0, September 1984 and Sec. 18.2, Human Factors Review Guidelines for the Safety Parameter Display System (SPDS), Rev. 0, November 1984.
3. Verification and Validation for Safety Parameter Display Systems. NSAC/39, Science Applications, Inc., December 1981.
4. U.S. Nuclear Regulatory Commission, NUREG-0700, "Guidelines for Control Room Design Reviews," September 1981.
5. U.S. Nuclear Regulatory Commission, Draft NUREG-0835, "Human Factors Acceptance Criteria for the Safety Parameter Display System."
6. U.S. Nuclear Regulatory Commission, NUREG-0696, "Functional Criteria for Emergency Response Facilities," February 1981.
7. Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs During and Following an Accident. Regulatory Guide 1.97, Rev. 2, Nuclear Regulatory Commission, Office of Standards Development, December 1980.
6.2 DOCUMENTATION EXAMINED DURING THE AUDIT
8. PX09-7, Rev. 1, "Main Plant Computer System Hardware Configuration Manual," January 24, 1986.
9. PX 09-1, Rev. 0, "Main Plant Computer System Functional Description," April 12, 1984.
10. DWG M-510004, Rev. 48, "Computer Input-Output Parts List," May 9, 1986.
11. GT-1-42, Rev. II, "General Test Procedure, Station Computer," October 31, 1984.
12. GT-1-07, Rev. 11, "General Test Procedure Indicating/Control Loops," December 19, 1984.
13. GT-1-101, Rev. 0, "Main Plant Computer System," May 12, 1983.
14. "Computer Program Test, Inventory Critical Safety Function Status Tree," Rev. 0, May 19, 1986.
15. "SPDS Inventory Critical Safety Function Status Tree Subroutine," Rev. 0, May 20, 1986.
16. "Inventory Critical Safety Function Status Tree Program Description," Rev. 0, May 19, 1986.
17. "SPDS Functional Requirements for Seabrook Unit 1 Main Plant Computer Software Development, Inventory Status," no revision or date.
18. "Background Information for Westinghouse Owners Group Emergency Response Guidelines; Critical Safety Function Status Tree FPO.6; inventory," HP/LP-Rev.1, September 1, 1983.
19. Main Plant Computer Program Subroutine, (Engineering Units Conversion).
20. Main Plant Computer Program Subroutine, (data checks against reasonableness limits).
21. "New Hampshire Yankee Nuclear Production Computer Control Program Manual," Rev. 0, December 24, 1985.
22. Test procedure, "SPDS Graphics Test."
23. Seabrook Station General Test Procedure, TPI-62-F01, Rev. 2, "Radiation Monitoring System and Adjacent-to-Line Radiation Monitors."
24. "Gulf General Atomic Model RM-80, E-Il5-870 Microprocessor Software Design Document."
25. PSNH SS#20110, IMS D05.05.01, Sec. 5, "Radiation Data Management System Link (RDMS)."
26. "Seabrook Station Emergency Response Facility Functional Description."
APPENDIX 18A
ELECTRICAL AND ELECTRONIC ISOLATION OF SAFETY PARAMETER DISPLAY SYSTEM
At the time Section 18 was written for this sixth supplement the information provided in the material that follows was not yet available. Therefore, it is being added to the Seabrook SER at this time in this appendix.
Background
In order to satisfy the NRC requirements concerning the safety parameter display system (SPDS), Public Service Company of New Hampshire (PSNH) submitted a Safety Analysis Report by letter dated January 6, 1986 (J. DeVincentis, PSNH, to V. S. Noonan, NRC). This report provided a description and a safety analysis of the SPDS at the Seabrook Station. However, the report did not address the requirement that the SPDS must be isolated from equipment and sensors that are used in safety systems to prevent electrical and electronic interference. On March 11, 1986, a request for additional information, which included specific questions on these isolators, was sent to the applicant (V. Nerses, NRC, to R. J. Harrison, PSNH). The staff held several telephone conferences with the applicant, which resulted in submittals from the applicant (J. DeVincentis to V. S. Noonan) dated February 14, 1986, April 2, 1986, and August 28, 1986. These submittals documented the various agreements and commitments reached in the telephone conferences.
The staff's evaluation addresses the qualification and documentation of the isolators as acceptable interface devices between Class 1E safety-related instrumentation systems and the SPDS.
SEABROOK SSER 6 APP 18A 18A-1 09/16/86
Discussion and Evaluation
The SPDS developed at the Seabrook Station is an integral part of Seabrook's Emergency Response Procedures (ERPs) and Radiological Emergency Plan. The ERPs are based on the Westinghouse Owners Group Emergency Response Guidelines. The SPDS utilizes the main plant computer to accept information from plant instrumentation and to display critical functions to the plant operator. All inputs to the plant computer that are used by the SPDS and which come from Class 1E instrumentation are isolated by Class 1E electrical isolation devices.
These isolation devices are:
(1) Westinghouse Series 7300 equipment supplied by Westinghouse
(2) RM-80 microcomputer, supplied by GA Technologies, Inc.
(3) RVLIS isolator Model No. 2343063G02 supplied by Westinghouse
The Westinghouse Series 7300 isolators have been reviewed and approved by the staff via Westinghouse report WCAP-8892A. The GA RM-80 isolators have been conditionally approved by the staff as reported in a staff memorandum dated June 14, 1986 (C. E. Rossi, NRC, to V. Nerses). The GA RM-80 isolators will be replaced with non-fuse-dependent isolators before startup after the first refueling outage.
The RVLIS isolation device uses an opto-coupler as the isolation barrier. Analysis shows that the maximum credible fault (MCF) voltage and current that the isolator could be subjected to are 240 V ac and 140 V dc, respectively, at a 20-ampere source. The pass/fail criteria established by PSNH state that the system must be in a normal operation mode and must provide normal information within the execution cycle time of the microprocessor. The isolation devices are located in a mild environment; therefore, they are not covered by 10 CFR 50.49 conditions.
The reactor vessel level instrumentation system (RVLIS) isolators have been seismically qualified for the plant and have been subjected to several different types of noise testing without affecting the system output.
The MCF voltage and current were applied to the non-Class 1E output of the isolator in the transverse mode. In accordance with the pass/fail criteria, there was no adverse effect on the Class 1E input side of the isolator.
Conclusion
On the basis of the staff's review and evaluation of the information supplied by the applicant with respect to the electrical isolation devices to be used with the SPDS, the staff has concluded that:
(1) The Westinghouse 7300 Series isolators are acceptable as previously approved by the staff.
(2) The interim fix for the RM-80 system for isolating safety-related data channels from the SPDS is approved.
(3) Replacing the RM-80 devices with approved non-fused devices shall remain a confirmatory issue to be resolved during the first refueling outage.
(4) The RVLIS isolation devices are acceptable for isolating Class 1E equipment from the SPDS.
The staff further concludes that this equipment meets the Commission's requirements in NUREG-0737, Supplement No. 1, and that the following proposed license condition (Memorandum dated June 14, 1986, from Rossi to Nerses) has been satisfied:
Prior to exceeding 5% reactor power, the applicant shall have installed qualified isolation devices, approved by the staff, between RVLIS and SPDS.