ML20214R393

Forwards Section 18 Input to SSER 6, discussing SPDS Issue in Response to Applicant Motion for Summary Disposition of Seacoast Anti-Pollution League Contention. Input Will Be Incorporated Into SSER 6 W/O Rev
ML20214R393
Person / Time
Site: Seabrook
Issue date: 09/08/1986
From: Perlis R
NRC OFFICE OF THE GENERAL COUNSEL (OGC)
To: Harbour J, Luebke E, Wolfe S
Atomic Safety and Licensing Board Panel
Shared Package
ML20214R157 List:
References
OL-1, NUDOCS 8609290163


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

SEP 8 1986

Sheldon J. Wolfe, Esq., Chairman
Administrative Judge
Atomic Safety and Licensing Board Panel
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Dr. Jerry Harbour
Administrative Judge
Atomic Safety and Licensing Board Panel
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Dr. Emmeth A. Luebke
Administrative Judge
Atomic Safety and Licensing Board Panel
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

In the Matter of
PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE, et al.
(Seabrook Station, Units 1 and 2)
Docket Nos. 50-443 OL-01 and 50-444 OL-01
On-Site Emergency Planning and Safety Issues

Dear Administrative Judges:

In the NRC Staff Response to Applicants' Motion for Summary Disposition of Contention SAPL Supp. 6, the Staff indicated that the SPDS issue would be discussed in Section 18 of Supplement 6 to the Seabrook SER.

The Section 18 input to Supplement 6 has now been completed; a copy of the input is enclosed.

This input will appear unchanged in Supplement 6 when that Supplement is published.

Sincerely,

Robert G. Perlis
Counsel for NRC Staff

Enc: As stated
cc (w/enc): Service List

8609290163 860908 PDR ADOCK 05000443 G PDR

18 HUMAN FACTORS ENGINEERING

18.7 Safety Parameter Display System (TMI Action Plan Item I.D.2)

In Supplement No. 4, the staff described the safety parameter display system (SPDS) purpose and requirements and presented an initial status review of the Seabrook SPDS.

By letter dated January 6, 1986, the applicant submitted the SPDS design report for staff review. The applicant submitted additional information on the design by letter dated April 2, 1986.

In addition to the staff review, the staff, assisted by consultants from Lawrence Livermore National Laboratory, conducted an onsite design verification and validation audit of the Seabrook SPDS on May 20-22, 1986. Attached is the consultant's Technical Evaluation Report (TER) of that audit. The staff agrees with the technical positions and conclusions contained in the TER. The following evaluation was prepared, based on the findings of the TER, to establish a basis for a license condition to ensure completion of items pertaining to the Seabrook SPDS.

SPDS Description

The Seabrook SPDS is incorporated as a function within the main plant computer. The displays are presented on cathode ray tubes (CRTs) that are an integral part of the control room. The designated primary SPDS CRT is located near the center of the control room at the shift technical advisor (STA) station. The SPDS displays may be selected and presented at any of six other CRTs in the main control board. Operator access is through the existing keyboards used for accessing all plant programs and displays.

The top-level SPDS display format consists of six color- and position-coded bars representing the summary status of the six critical safety functions (CSFs). Each CSF status tree is displayed on the second-level format, which includes parameter values and a color- and shape-coded status circle for each tree branch. The color-coded summary bar for the six functions appears in the lower left corner of each CSF status tree.

Variable Selection

Section 4.1(f) of Supplement No. 1 to NUREG-0737 states:

The minimum information to be provided shall be sufficient to provide information to plant operators about:

(i) Reactivity control
(ii) Reactor core cooling and heat removal from the primary system
(iii) Reactor coolant system integrity
(iv) Radioactivity control
(v) Containment conditions.

For review purposes, these five items have been designated as CSFs.

The applicant has defined the CSFs for Seabrook from a different perspective. They are based on the maintenance of the following three physical barriers to radiation release:

(1) Fuel matrix and fuel cladding
(2) Reactor coolant system (RCS) pressure boundary
(3) Containment

The applicant has defined the following six CSFs to maintain these barriers:

(1) Subcriticality
(2) Core Cooling
(3) Heat Sink
(4) RCS Integrity
(5) Containment Integrity
(6) Reactor Coolant Inventory

Staff review of the parameters selected by the applicant to support these functions indicates that the six CSFs defined by the applicant do not fully cover the five CSFs specified in Supplement 1 to NUREG-0737. Specific findings of the staff review are:

(1) Residual heat removal (RHR) flow and hydrogen concentration are not included in the Seabrook CSF status trees and are not displayed on the SPDS.

(2) Radiation parameters are to be displayed but are not yet implemented.

(3) Containment isolation is not displayed on the SPDS but is accessible, to a limited extent, from the prime SPDS position (see section entitled "Human Factors Program" below).

The staff finds all other variables selected acceptable in satisfying the above requirement of NUREG-0737, Supplement No. 1.

Display Data Validation

The audit indicated that the data validation methodology includes only range checking, averaging, and auctioneering. Concern was raised that a parameter value could be within an acceptable range but significantly different from other measures of the same parameter, causing the average value to be incorrect and possibly misleading. A more sophisticated data validation algorithm, to ensure display of more valid data, is being pursued by the applicant.

Human Factors Program

The applicant's human factors program for the SPDS was not well described in the Seabrook SPDS description report. Information provided in the letter of April 2, 1986, described three basic ways in which human factors was involved in the SPDS development. First, the individual status trees (second-level formats) were developed as part of the Westinghouse Owners Group guidelines and had both human factors input into the display design and human factors review of the final format. Second, Seabrook operators exposed to human factors engineering, through participation in the detailed control room design review (DCRDR), developed the top-level display used in the SPDS. Finally, the SPDS display system was evaluated as part of the DCRDR program and no human engineering discrepancies were identified.

During the onsite audit, the staff conducted a human factors review of the Seabrook SPDS against the requirements of Supplement No. 1 to NUREG-0737. The writeup below addresses the degree of acceptability of the Seabrook SPDS with respect to these requirements.

Concise Display: With the exception of the containment isolation panel, which is a separate display and is to be improved, the SPDS CRT formats provide a concise display of plant conditions as required by NUREG-0737, Supplement No. 1.

Convenient Location: The location of the prime SPDS CRT at the STA station near the center of the control room and the ability to call up the SPDS at other operator locations satisfy the NUREG-0737, Supplement No. 1 requirement for placing the SPDS in a convenient location. The containment isolation display as it is currently configured and located does not meet this requirement of NUREG-0737, Supplement No. 1.

Continuous Display: The capability to call up display formats, other than the SPDS, on the STA's designated SPDS CRT does not satisfy the NUREG-0737, Supplement No. 1 requirement for the SPDS to be a continuous display. Either the CSF summary display must be added to all CRT formats accessible on the STA's CRT, or a dedicated CSF summary display needs to be added to the STA station.

Aid Operator in Rapidly and Reliably Determining Plant Status: Observation of an accident simulation indicated that the top-level CSF summary display appears to aid operators in rapidly determining plant status, but lower-level display formats do not seem to be as useful. The staff suggests a strong man-in-the-loop test program to identify drawbacks to the usefulness of the lower-level formats.

The system response time appears to be satisfactory, but the staff observations were made during a lightly loaded sequence.

System availability data indicate over 0.99 availability for the SPDS. The applicant needs to determine how the availability of the Reactor Vessel Level Instrumentation System (RVLIS) and the Radiation Data Management System (RDMS) will be factored into the system availability calculation.

The Subcriticality and Core Cooling status tree displays are not mode dependent. The displays will indicate that these CSFs are being challenged during normal power operations. This condition has the potential for misleading operators and needs improvement.

Incorporate Accepted Human Factors Principles: The SPDS generally incorporates accepted human factors principles with the following exceptions:

(1) The heat sink format displays the flow data value in an unconventional location.

(2) The display callup method is acceptable but awkward. The staff recommends a single operator action for callup of each of the second-level displays.

(3) The containment isolation display is located a significant distance from the primary SPDS location so that it is difficult to read the legends. Unused cells appear to be randomly located so that pattern recognition is not a viable method of determining containment isolation. Furthermore, the display cells were designed to use two light bulbs each, but heat produced by two bulbs has caused the applicant to remove one bulb per cell. This one-bulb condition reduces brightness and readability and eliminates the redundancy in indication provided by two bulbs.

Procedures and Training: Audit of the SPDS procedures and operator training program indicates that both satisfy the requirements of Supplement No. 1 to NUREG-0737.

Electrical and Electronic Isolation

The SPDS description report did not address isolation devices. Further information was provided by the letter of April 2, 1986. The following types of isolation devices are used at Seabrook:

(1) Westinghouse 7300 Series instrumentation
(2) General Atomics (GA) RM 80 isolators
(3) Westinghouse isolators used in the RVLIS

The Westinghouse 7300 Series isolators have been approved by the staff by means of Westinghouse Topical Report WCAP-889?A.

The GA RM 80 isolators, with the temporary fix of their fused output circuit, have been approved by the staff for use before the first refueling outage. At that time, the isolators are to be replaced with isolators that do not have any fuses in their output circuit.

The Westinghouse RVLIS isolators, used to protect RVLIS from SPDS, have not yet been approved by the staff. In the meantime, the staff approves the use of SPDS on an interim basis at reactor power levels less than 5%. The likelihood of core damage at this low reactor power level is remote because the new fuel has not had a chance to build up significant radioactive decay products and therefore the amount of decay heat and the radiological source terms would both be low. In addition, the Reactor Protection System instrumentation, including pressurizer level and pressure, would be available to provide an indication that the system is filled or is voiding.

The Westinghouse test report covering qualification of the RVLIS isolators is due in September 1986. Since the circuitry in these isolator boards is identical to that used in an earlier approved Westinghouse product, Westinghouse believes the isolation capabilities to be sufficient. The staff concurs in the above and will confirm that the isolator capability is established prior to exceeding 5% power.

Conclusions

On the basis of its documentation review and information gathered at the onsite audit, the staff concludes that the Seabrook SPDS does not fully meet the applicable requirements of Supplement No. 1 to NUREG-0737. The conclusion is based on the following:

(1) The SPDS display is not continuous.

(2) RHR flow and hydrogen concentration variables are considered by the staff to be part of the minimum information required to assess the CSFs and are not displayed on the SPDS.

(3) The containment isolation display is not satisfactorily readable from the prime SPDS location to be considered part of the SPDS.

(4) The SPDS does not display sufficient radiation variables.

(5) Several human engineering discrepancies have been identified.

(6) Two CSF status trees are not mode dependent and have the potential for misleading the operator.

(7) Isolation devices between the RVLIS and the SPDS have not yet been approved.

(8) Data validation algorithms may not be sophisticated enough to ensure valid data are displayed to the operator.

(9) The usefulness of the lower-level SPDS display formats to the operator is in question.

(10) RVLIS and RDMS availability has not yet been factored into overall SPDS availability calculations.

(11) System response time appears to be satisfactory, but a system load test is needed to verify the worst condition.

Implementation of the SPDS is not required under NUREG-0737 before full power and is determined by a schedule that is negotiated with the staff. The applicant had proposed a June 30, 1986, implementation date for the Seabrook SPDS, and the staff found this acceptable. However, as noted in Supplement No. 4, a schedule for resolution of open items identified in the staff's review and on-site audit would be established as a license condition to be implemented by the applicant before restart following the first refueling outage.

The staff did not identify any serious safety questions concerning the Seabrook SPDS. However, the staff did determine that the isolators between RVLIS and SPDS have not yet been approved. Accordingly the staff concludes that SPDS will be acceptable as an interim installation up to 5% reactor power.

Following approval of the isolators, the interim SPDS may be used until the other open items identified above have been resolved, or up to the end of the first refueling outage. At a minimum, resolution of the open items shall include:

(1) continuous display of the top-level critical safety function summary at the assigned SPDS control room location

(2) addition of, or satisfactory justification for not adding, RHR flow and hydrogen concentration parameters to appropriate SPDS screens

(3) addition of a containment isolation status screen on the SPDS, or improvement of the current containment isolation display to be satisfactorily recognizable from the assigned SPDS location in the control room. The second option must also include a commitment by the applicant that the relative position and orientation of the containment isolation display with respect to the SPDS station be maintained or improved.

(4) addition of a radiation monitoring screen to display at least steam generator (or steamline) and stack radiation

(5) improvement of the Heat Sink screen for consistency in labeling and the Subcriticality and Core Cooling screens for mode dependency so as not to mislead operators

(6) addition of approved isolation devices between the RVLIS and the SPDS, prior to exceeding 5% reactor power.

In addition, the applicant shall satisfactorily resolve the other open items identified above or demonstrate to the staff's satisfaction that the open items will not degrade the performance of the SPDS.

The staff proposes that the following license conditions be imposed to ensure satisfactory resolution of the open issues:

Prior to exceeding 5% reactor power, the applicant shall have installed qualified isolation devices, approved by the staff, between RVLIS and SPDS.

Before restart following the first refueling outage, the applicant shall have operational a safety parameter display system (SPDS) (as described in its submittals dated January 6, 1986, and April 2, 1986, and as modified as a result of the staff's audit findings) that is acceptable to the NRC.


DESIGN VERIFICATION AND DESIGN VALIDATION AUDIT OF THE SAFETY PARAMETER DISPLAY SYSTEM FOR PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE SEABROOK STATION

August 1, 1986

James Cooper
Gary L. Johnson
Lawrence Livermore National Laboratory

for the United States Nuclear Regulatory Commission

TABLE OF CONTENTS

1. Introduction
2. Safety Parameter Display System Design Overview
3. Assessment of the Verification and Validation Program
   3.1 System Requirements Review
       3.1.1 Audit Team Observations
       3.1.2 Audit Team Assessment
   3.2 Design Verification Review
       3.2.1 Audit Team Observations
       3.2.2 Audit Team Assessment
   3.3 Validation Tests
       3.3.1 Audit Team Observations
       3.3.2 Audit Team Assessment
   3.4 Field Verification Tests
       3.4.1 Audit Team Observations
       3.4.2 Audit Team Assessment
4. Assessment of SPDS Design
   4.1 "The SPDS Should Provide a Concise Display..."
       4.1.1 Audit Team Observations
       4.1.2 Audit Team Assessment
   4.2 "The SPDS Should... Display... Critical Plant Variables"
       4.2.1 Audit Team Observations
       4.2.2 Audit Team Assessment
   4.3 "The SPDS Should... Aid Them (Operators) In Rapidly and Reliably Determining the Safety Status of the Plant"
       4.3.1 Audit Team Observations
       4.3.2 Audit Team Assessment
   4.4 "The Principal Purpose and Function of the SPDS is to Aid..."
       4.4.1 Audit Team Observations
       4.4.2 Audit Team Assessment
   4.5 "(The) SPDS (Shall Be) Located Convenient to the Control Room Operators"
       4.5.1 Audit Team Observations
       4.5.2 Audit Team Assessment
   4.6 "The SPDS Shall Continuously Display Information..."
       4.6.1 Audit Team Observations
       4.6.2 Audit Team Assessment
   4.7 "The SPDS Shall be Suitably Isolated..."
       4.7.1 Audit Team Observations
       4.7.2 Audit Team Assessment
   4.8 "Procedures Which Describe the Timely and Correct Safety Status Assessment..."
       4.8.1 Audit Team Observations
       4.8.2 Audit Team Assessment
   4.9 "The SPDS Display Shall be Designed to Incorporate Accepted Human Factors..."
       4.9.1 Audit Team Observations
       4.9.2 Audit Team Assessment
5. Summary
6. References
   6.1 General References
   6.2 Documentation Examined During the Audit

1. INTRODUCTION

On May 20 and 21, 1986, an on-site audit of the Seabrook Station Safety Parameter Display System (SPDS) was conducted by the NRC. This NRC audit examined the Seabrook Verification and Validation program and reviewed the operation of the SPDS. Thus, the audit specifically addressed the points of both a Design Verification Audit and a Design Validation Audit as described by Sec. 18.2 of NUREG-0800.² The audit team was composed of one individual from the Nuclear Regulatory Commission Electrical Instrumentation and Control Systems Branch, an individual from the Lawrence Livermore National Laboratory, and an individual from EG&G acting as consultants to the NRC.

The audit was based upon the recommended criteria of NUREG-0800 Sec. 18.2. In accordance with that guidance, up to three separate audit meetings/site visits, as described below, may be arranged.

Design Verification Audit. The purpose of this audit meeting is to obtain additional information required to resolve any outstanding questions about the V&V program, to confirm that the V&V program is being correctly implemented, and to audit the results of the V&V activities to date. At this meeting, the applicant should provide a thorough description of the SPDS design process. Emphasis should be placed on how the applicant is assuring that the implemented SPDS will: provide appropriate parameters, be isolated from safety systems, provide reliable and valid data, and incorporate good human engineering practice.

Design Validation Audit. After review of all documentation, an audit may be conducted to review the as-built prototype or installed SPDS. The purpose of this audit is to assure that the results of the applicant/licensee's testing demonstrate that the SPDS meets the functional requirements of the design and to assure that the SPDS exhibits good human engineering practice.

Installation Audit. As necessary, a final audit may be conducted at the site to ascertain that the SPDS has been installed in accordance with the applicant/licensee's plan and is functioning properly. A specific concern is that the data displayed reflect the sensor signal which measures the variable displayed. This audit will be coordinated with and may be conducted by the NRC Resident Inspector.

Based on the advanced state of the Seabrook SPDS design, the NRC staff carried out a combined Design Verification and Design Validation audit at the plant site.

During the course of this audit, the NRC audit team discussed aspects of the Seabrook SPDS program with Public Service Company of New Hampshire (PSNH). Additionally, the Seabrook control room was visited to ascertain the location of SPDS displays in relation to plant control boards and a response to a simulated plant upset was witnessed at the unit simulator to observe how the SPDS is used by the plant operating staff.

JYB:860603:8/1/86

2. SAFETY PARAMETER DISPLAY SYSTEM DESIGN OVERVIEW

The Seabrook Station SPDS is a feature of the station's Main Plant Computer system (MPC). The SPDS consists of seven MPC displays and one hardwired display that reflect the status of the six Critical Safety Functions (CSF) defined by the Seabrook Emergency Operating procedures. These eight displays consist of:

o An overview display showing the status of all CSFs.

o Six logic tree displays, one for each of the CSFs defined by the EOPs. Each display shows the current value of the parameters used to assess the CSF and the logic used to determine the status of the CSF.

o A hardwired display of containment isolation status.

PSNH has committed to add a Radiological Control CSF display that shows the current value of the radiation monitoring parameters used to determine the status of the Radiological Control CSF.

SPDS displays can be called up on any of seven MPC CRTs located around the control room.

In addition, the MPC is used to generate alarm displays and is capable of displaying historical trends of any parameter input to the MPC or of any calculated value derived by the MPC.

The MPC receives inputs from plant instrumentation via nine Intelligent Remote Terminal Units (IRTU) that convert the input signals to digital format and transmit the data to two host computer units. Each IRTU contains redundant central processing units (CPUs). PSNH has organized MPC inputs such that redundant inputs are processed by different IRTUs.

The host computer consists of redundant CPUs. The hosts check each input value to verify it is within the range of the measuring instrument and is within reasonableness limits established by PSNH. The host computer also performs SPDS calculations, logic, and develops SPDS displays in addition to other MPC and visual alarm system functions.

The MPC also receives input of SPDS parameters from the Inadequate Core Cooling Monitor (ICCM) and the Radiation Data Management System (RDMS). Unlike parameters input via IRTUs, parameters received from ICCM and RDMS have had range and reasonableness checks by these systems; therefore, additional checking is not performed by the host computer.
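The range and reasonableness checks described above, and the staff's concern under "Display Data Validation" that an in-range value can still disagree with the other measures of the same parameter, can be seen in a short sketch. This is an added example, not software from the report, the applicant, or any vendor; the function names, limits, channel readings, and the median-based cross-channel check are assumptions chosen for illustration, and the report does not say which algorithm the applicant pursued.

```python
# Added illustration; every name, limit and reading here is constructed.
from statistics import mean, median

# Constructed sample: four redundant channels of one parameter.
# The fourth channel has drifted but is still inside the instrument span.
LO, HI = 0.0, 3000.0          # assumed instrument range
MAX_DEV = 50.0                # assumed allowed deviation between channels
CHANNELS = [2235.0, 2238.0, 2232.0, 1200.0]


def in_range(readings, lo, hi):
    """Range check: keep only readings inside the instrument span."""
    return [r for r in readings if lo <= r <= hi]


def averaged_value(readings, lo, hi):
    """Range checking plus averaging, with no cross-channel comparison."""
    good = in_range(readings, lo, hi)
    return mean(good) if good else None


def auctioneered_value(readings, lo, hi, select=max):
    """Range checking plus auctioneering: take the highest (or, with
    select=min, the lowest) in-range channel."""
    good = in_range(readings, lo, hi)
    return select(good) if good else None


def cross_checked_value(readings, lo, hi, max_dev):
    """Range check, then compare each channel with the median of the
    in-range channels. Channels further than max_dev from the median are
    reported as suspect and excluded from the average. If no majority of
    the original channels agree, the value is declared invalid (None)
    instead of being displayed.

    Returns (display_value_or_None, suspect_readings).
    """
    good = in_range(readings, lo, hi)
    if not good:
        return None, []
    center = median(good)
    agree = [r for r in good if abs(r - center) <= max_dev]
    suspect = [r for r in good if abs(r - center) > max_dev]
    if 2 * len(agree) <= len(readings):
        return None, suspect
    return mean(agree), suspect


if __name__ == "__main__":
    # Every channel passes the range check, so the plain average is pulled
    # far below what three of the four channels report.
    print("average only      :", averaged_value(CHANNELS, LO, HI))
    print("auctioneer high   :", auctioneered_value(CHANNELS, LO, HI))
    print("auctioneer low    :", auctioneered_value(CHANNELS, LO, HI, select=min))
    value, suspect = cross_checked_value(CHANNELS, LO, HI, MAX_DEV)
    print("cross-checked     :", value, "suspect:", suspect)
    # One channel out of range and the remaining two in disagreement:
    # no majority, so the value is flagged invalid.
    print("no majority       :",
          cross_checked_value([2235.0, 3500.0, 1200.0], LO, HI, MAX_DEV))
```

With the constructed readings, the averaged value is skewed by the drifted channel and low-select auctioneering returns the drifted channel itself, while the cross-check excludes it and reports it as suspect.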

One Safety Parameter Display System Critical Safety Function Display that was not originally planned to be included in the Seabrook SPDS system is radiological control. In response to NRC's identification of the need for a Radiological Control CSF, the RDMS will be modified to input to the SPDS. This system uses redundant central processor units and a loop data bus data acquisition system to continuously monitor area and effluent radiation levels around the station. The system periodically collects data from approximately 170 sensors, all with different addresses on the loop data busses. This information is presently displayed on a console in the control room. Linking this RDMS system by data bus to the Main Plant Computer will enable the display of current radiological data at any MPC work station, at the emergency response facility (ERF), the meteorological workstation (MET), and on the SPDS. Seabrook plans to link the MPCS to the RDMS by use of a vendor recommended interface.

3. ASSESSMENT OF THE VERIFICATION AND VALIDATION PROGRAM

A Verification and Validation (V&V) Program is concerned with the process of specification, design, fabrication, testing, and installation associated with an overall system's software, hardware, and operation. For the SPDS, verification is the review of the requirements to see that the right problem is being solved and a review of the design to see that it meets the requirements. Validation is the performance of tests of the integrated system to see that it meets all requirements.

Verification and Validation activities are not a regulatory requirement for the SPDS. Nevertheless, a V&V program performed by the applicant/licensee during design, installation, and implementation of an SPDS will facilitate the NRC staff review of the system. The staff would then evaluate the program for the results of the design V&V program. On the basis of an effective V&V program, the staff would reduce the scope and detail of the technical audit of the design.

The purpose of the NRC Design Verification Audit was to obtain additional information required to resolve the outstanding questions about the PSNH V&V Program, to confirm that the V&V Program is being correctly implemented, and to audit the results of the V&V activities to date. The criteria suggested in NUREG-0800, Sec. 18.2, Appendix A were used as a basis for this audit.

The recommendation of NSAC/39 b provided additional guidance to the audit team.

The remainder of this section presents the audit team's observations and assessments of the PSNH V&V Program for the following four items: System Requirements Review, Design Verification Review, Validation Tests, and Field Verification Tests.

The observations and assessments were obtained through an examination of the available documentation.

3.1 SYSTEM REQUIREMENTS REVIEW

Section 18.2 of NUREG-0800 recommends that the SPDS development process include a review of desired system capabilities to determine that the functional needs will be satisfied.

The principal goal of this activity is to independently determine if the requirements will result in a possible and usable solution to the entire problem. The requirements are reviewed for correctness, completeness, consistency, understandability, feasibility, testability, and traceability. The requirements review also provides the basis for developing the system validation test plan.

3.1.1 Audit Team Observations

Since the Main Plant Computer design was completed before the development of requirements for a Safety Parameter Display System, PSNH could not conduct a formal review of planned MPC/SPDS capabilities against functional needs.

An informal requirements review of the SPDS display contents and format was conducted during the development of SPDS software. This review, however, did not include other attributes such as the requirements for data validation, continuous display, or user interface. Section 4 of this report discusses a number of deficiencies noted by the audit team. These deficiencies indicate that the SPDS development would have benefited from a thorough system requirements review to ensure the system completely fulfilled the requirements of NUREG-0737, Supplement 1.

PSNH has implemented procedures to require a requirements versus planned capability design review for future modifications to the Main Plant Computer including the SPDS software.

3.1.2 Audit Team Assessment

Public Service of New Hampshire did not implement the recommendation of Sec. 18.2 to NUREG-0800 to perform a verification that planned system capabilities will accomplish the functional needs for an SPDS. Given the advanced state of the system design, the audit team believes there would be little benefit in conducting a review of this type at this time.

The existence of formal design review requirements for future software modifications should help PSNH avoid similar problems as a result of future modifications.

3.2 DESIGN VERIFICATION REVIEW

Section 18.2 of NUREG-0800 recommends that the SPDS development process include a design verification review performed after the system is initially designed to verify that the design will satisfy functional needs. This activity is intended to verify the hardware and software design against the system requirements.

This review covers both the hardware and software specifications as well as the design. The specifications and the designs are reviewed to ensure that the system requirements decomposition into hardware and software is complete and that there are no ambiguities or deficiencies.

3.2.1 Audit Team Observations As with the system requirements review, NRC recommendations regarding review of system design against functional needs were not available to support the development of the Main Plant Computer system and Radiation Data Management System. D erefore, the review process suggested by Sec.18.2 of NUREG-0800 was not fully implemented by 4

PSNH. The SPDS software development process did, however, incorporate a review of l

software routines against a set of functional requirements for each SPDS display. These display functional requirements were developed by the system engineer in conjunction 4

with plant operations.. He specific scope and findings of these reviews were not documented except for ultimate approval of the routines by the reviewer.

Testing of the SPDS software routines has also been conducted to verify that test combinations of data input to the MPC data base produce the expected parameter value, and proper validity flag. At the time of the audit, plant SPDS software development had not yet proceeded to the point where validation testing of the CSF status determination logic could be conducted.


3.2.2 Audit Team Assessment

PSNH did not fully implement the recommendations of Sec.18.2 of NUREG-0800 regarding review of the system design versus system functional requirements. Although Verification and Validation reviews are not a requirement of Supplement 1 to NUREG-0737, the design problems identified by the NRC audit indicate that the Seabrook SPDS design would benefit from a thorough design verification review. The audit team, therefore, recommends that the process for correcting the identified system design problems should include a formal, complete, independent, and documented system design verification review to ensure that any systems shortcomings will be acceptably resolved.

3.3 VALIDATION TESTS

Section 18.2 of NUREG-0800 recommends the SPDS development process include validation tests performed after the system is assembled to confirm that the integrated system satisfies the functional needs when combined with the plant control room and plant operators who have received the normal plant specific training in the use of the SPDS.

The foundation for this activity lies in the information derived from the requirements review, the design review, and the hardware, software, and system tests performed by the system supplier.

The system validation tests follow the system integration tests performed by the supplier to demonstrate that the hardware and software function acceptably.

3.3.1 Audit Team Observations

The Seabrook SPDS was operable in the Seabrook control room simulator when the simulator was used to conduct validation testing of the Westinghouse Owners Group (WOG) Emergency Response Guidelines (ERG) and Functional Response Guidelines (FRG). This testing included response to plant upsets both with and without the use of the SPDS. PSNH stated that the SPDS reduced the time required to respond to upset conditions. At the time of the audit, however, no documentation or other information was available to provide the details of how this conclusion was reached. Furthermore, there was no indication that any other measures of SPDS effectiveness were considered or observed.

3.3.2 Audit Team Assessment

Sufficient information was not available at the audit to allow a conclusion that the overall system validation testing conducted as part of the WOG ERG validation program satisfies the intent of Sec.18.2 of NUREG-0800 in this regard. The fact that operators did not choose to access lower level SPDS screens during the drill witnessed by the audit team would seem to indicate a need for further system validation testing. PSNH should reevaluate the adequacy of the previous validation testing to insure that the usefulness of the Seabrook SPDS was thoroughly established. If PSNH concludes that the previous efforts represented an adequate test, the basis for this conclusion should be described to NRC. This basis should include:

o Identification of the specific simulated plant upsets for which the SPDS effectiveness was evaluated.

o Discussion of the applicability of the testing to the Seabrook plant SPDS given the differences between the simulator system and the plant system (e.g., the simulator does not provide redundant inputs to the SPDS; therefore, input of combinations of invalid data could not be simulated.)

o Description of any differences between the philosophy and training for using the SPDS during the procedure validation process and the Seabrook specific training and philosophy.

o Identification of the specific data gathered to evaluate SPDS effectiveness and the data collection techniques.

o Description of the method and criteria used to evaluate the data.

o Discussion of the results of the validation testing.

3.4 FIELD VERIFICATION TESTS

Section 18.2 of NUREG-0800 recommends the SPDS development process include field verification tests performed after the system is installed to verify that the validated system was installed properly. As a minimum, field verification will consist of verifying that each input signal is properly connected and that the signal range is consistent with the design. Stated differently, it must be verified that the information displayed is directly correlated with the sensor data being input. It is expected that an independent review of the installation tests may fulfill a portion of the field verification test plan.

3.4.1 Audit Team Observations

As part of Main Plant Computer system acceptance testing PSNH confirmed that each MPC input point was properly connected by verifying that the current value of each instrument input was accurately stored by the MPC. This process will be repeated as part of each instrument loop calibration by verifying that each calibration input is accurately displayed by the MPC. The final SPDS software has not yet been installed in the plant so verification testing of this SPDS is not complete.

3.4.2 Audit Team Assessment

PSNH has not yet completed all verification testing and has not developed an overall test plan that identifies the verification testing yet to be done. However, during the audit PSNH did exhibit an understanding of the purpose of field verification testing; therefore, if PSNH follows through on the validation testing process in a manner that is consistent with the testing to date, they are expected to satisfy the intent of Sec.18.2 to NUREG-0800 in this regard.

The audit team suggests that this verification testing include an end-to-end system test of all portions of the MPC, RDMS, and ICCM that perform SPDS functions.

Once SPDS field verification testing is complete, PSNH should provide NRC with a description of the system attributes tested, the test methodology, and test results so that a final conclusion regarding the acceptability of the testing can be reached.


4. ASSESSMENT OF SPDS DESIGN

The NRC audit team assessed the SPDS system with respect to the requirements of Supplement 1 to NUREG-0737 using the specific review criteria suggested by NUREG-0800, Sec.18.2, Appendix A. This portion of the audit addressed the points of a Design Validation Audit. The following provides a discussion of the Seabrook Station SPDS design features relative to the provisions of Supplement 1 to NUREG-0737, and the corresponding audit team assessment in each area.

4.1 "THE SPDS SHOULD PROVIDE A CONCISE DISPLAY..."

4.1.1 Audit Team Observations

The Seabrook SPDS provides an overview of the status of all seven Critical Safety Functions. This overview display consists of a seven section horizontal bar. Each section corresponds to a CSF and is displayed in one of four colors that indicates the current degree of challenge to the safety function. The color coding scheme is:

Red - CSF under extreme challenge.

Orange - CSF under severe challenge.

Yellow - CSF off normal.

Green - CSF satisfied.

Each color is displayed in a different section of the CSF bar so that position coding of CSF status is available in addition to color coding. A condensed version of the overview display is incorporated into each of the other SPDS displays. This version presents only the color code to indicate CSF status.

Lower level displays provide the specific information used by the SPDS in determining the status of each Critical Safety Function. With the exception of the Radiological Control CSF, this information is displayed in logic tree format. The current parameter value used at each decision point is displayed near the decision block that describes the logical decision made by the SPDS. Each logic path is color coded to show the degree of CSF challenge represented by that path. The terminus point flashes on the logic path that corresponds to the current status of the Critical Safety Function.

Not all of the information needed to assess the Containment CSF is included on the CRT displays. The status of Containment Isolation is provided on a hardwired status light display across the control room from the primary SPDS display. Most, but not all, status lights are illuminated by containment isolation and the lights are not arranged or labeled such that an operator at the primary SPDS CRT can readily determine whether an unlit status light corresponds to a failed containment isolation valve or to an unused light.

The Radioactivity Control CSF display consists of five horizontal intensity bars. Four of the bars are for steam generator radiation levels and one for radiation level at the containment vent. Each bar is titled on the display under the bar. The readout also shows the range of the detector channel that it displays. As the level of the channel goes up, the bar fills in, progressing from left to right. When the channel is in alarm, as determined by the RDMS setting, the bar color turns red. It is cyan for normal values. The alarm condition will be carried through to the overview display.

4.1.2 Audit Team Assessment

With the exception of the difficult to interpret containment isolation status display, the Seabrook SPDS meets the requirements of Supplement 1 to NUREG-0737 regarding concise display of critical safety function status. The Seabrook SPDS will totally satisfy this requirement if the containment isolation status display is modified such that an operator at the primary SPDS console can readily determine if all required containment isolation valves have closed. Two possible modifications that would accomplish this purpose would be to light the spare indicators on a containment isolation signal or to rearrange the indicators such that the ones that should be lit on containment isolation form an easily recognized pattern. PSNH should describe to NRC how the containment isolation status display will be corrected.

4.2 "THE SPDS SHOULD... DISPLAY... CRITICAL PLANT VARIABLES"

4.2.1 Audit Team Observations

The following plant parameters are inputs to the Seabrook SPDS:

Reactivity Control Critical Safety Function

o Intermediate range reactor power; source range through 200 percent.

o Start-up rate.

Core Cooling Critical Safety Function

o Core exit temperatures.

o Reactor coolant pump status.

o Reactor vessel level indication.

o Wide range reactor cooling system (RCS) pressure (used with core exit temperature to calculate the displayed variable subcooling).

Heat Sink Critical Safety Function

o Steam generator wide and narrow range water level.

o Emergency feed water flow.

o Steam generator pressure.

o Containment pressure (used in determining decision criteria for steam generator water level).

Reactor Cooling System Integrity Critical Safety Function

o RCS cold leg wide-range temperatures.

o RCS wide-range pressure.

Containment Critical Safety Function

o Containment pressure.

o Containment recirculation sump level.

o Containment radiation level.

o Containment isolation valve status.

Reactor Coolant System Inventory Critical Safety Function

o Pressurizer level.

o Reactor vessel water level.

PSNH has also committed to establish a Radiological Control CSF screen on the SPDS. It will provide steam generator radiation level and stack monitor radiation level.

The parameters selected for display and the groupings of parameters into CSFs are based upon the Critical Safety Functions monitored by the Westinghouse upgraded Emergency Operating Procedures. Two exceptions are containment isolation valve status indication and the Radiological Control CSF which are being added to the SPDS to resolve minor differences in philosophy behind the safety functions evaluated by EOPs and the CSF parameter selection for the SPDS.

The CSFs displayed by the Seabrook SPDS correspond in the following manner to the five safety functions identified by Supplement 1 to NUREG-0737.


NUREG-0737, S1 CSF               Seabrook SPDS CSF

Reactivity                       Subcriticality

Reactor core cooling and         Core cooling
heat removal from the            Heat sink
primary system                   (Except that the Seabrook SPDS has no parameter inputs
                                 which can be used to monitor the status of heat removal
                                 when post accident cool down has progressed to the point
                                 where cool down via steam generators is no longer
                                 desirable.)

RCS integrity                    Integrity
                                 Inventory

Radiation control                Radiation control

Containment                      Containment
                                 (Except that the challenge to the containment safety
                                 function posed by high hydrogen concentration is not
                                 monitored by the SPDS.)

4.2.2 Audit Team Assessment

With two exceptions, the parameters displayed by the Seabrook SPDS are sufficient to provide operators with information regarding the status of the five safety functions identified by Supplement 1 to NUREG-0737. The two exceptions are:

o The Seabrook SPDS has no inputs that allow the evaluation of the status of heat removal from the primary system after the post accident cool down has progressed to the point where the Residual Heat Removal (RHR) system provides the primary heat removal path. RHR flow is one parameter that would provide the needed information.

o The Seabrook SPDS does not account for high hydrogen concentration in containment as a challenge to containment integrity.

PSNH should submit a discussion to NRC of how these two items will be addressed by the SPDS. This discussion should also confirm PSNH's commitment to include containment isolation status and Radiological Control CSF in the SPDS and should document the content, format, data validation methodology, and CSF evaluation logic used in the Radiological Control CSF display.


4.3 "THE SPDS SHOULD... AID THEM (OPERATORS) IN RAPIDLY AND RELIABLY DETERMINING THE SAFETY STATUS OF THE PLANT"

4.3.1 Audit Team Observations

Most parameter values displayed by the SPDS and SPDS logic trees are updated every five seconds. The update rate is controlled by the MPC program scheduler in which SPDS programs are assigned a higher priority than most other MPC routines; therefore, the update interval should remain relatively independent of MPC workload. Two exceptions to the five-second update rate are the calculation of core heat-up and cool-down rate for the RCS integrity status tree and the information on the Radioactivity Control CSF display. The heat-up rate calculation is updated every thirty seconds. More frequent recalculation of this value is unnecessary because the status tree decision criterion is based upon change in temperature over the last sixty minutes rather than upon the instantaneous value of the heat-up or cool-down rate. The RDMS remote processors acquire data continuously and are polled every 30 seconds on the bus by the RM-11 host.

One line connects each of the RM-11 hosts to the plant computer. Every 30 seconds, the plant computer can request the current radiological data. In this manner, the screen data can be updated every 30 seconds for the current radiological conditions.

The SPDS parameters input via the Intelligent Remote Terminal Units receive a gross validity check as part of the process for inserting instrument readings into the MPC data base. This gross check includes:

o Verification that the IRTU is scanning the instrument loop in question.

o Operability verification of the communications link between the input processor and the host computer.

o IRTU operability verification.

o Verification that the input parameter value is within the capability of the associated instrument loop.

o Verification that the parameter value is within a reasonable range as defined by PSNH engineering and operations.

These checks form the basis of an instrument validity status word that is associated with the reading in the MPC data base.

For Radioactivity Control CSF information, the RDMS performs data and operability checks at remote processors located with the radiation detector. The remote processor monitors data quality and operability status and encodes this information, along with the current radiation data, on the data bus to the RDMS host computers. The data are flagged questionable if:

o There are inconsistent values more than 50 percent of the time (drop out in link).

o There is any operate failure.

o The integrated calculations are not accurate enough (95 percent confidence of value within 6 percent of mean).

o There is less than 85 percent response to the automatic check source.

o An operate failure is reported for a loss of counts.

o Sample flow is lost.

o A channel is out of service.

o A check source test failed.

o A filter is torn or clogged.

The data quality and operability status is passed up the bus to the RDMS display where the data display is color coded to indicate data validity. This validity data will be transferred, along with current radiation data, to the main plant computer and subsequently to the SPDS display system.

In cases where redundant measurements of plant parameters are input to the MPC, the SPDS synthesizes a single value of the parameter by either averaging all valid inputs or by selecting the highest or lowest reading from among the valid inputs. The use of high, low, or average was selected in each case to insure a conservative interpretation of the CSF status trees. If no valid inputs are available for a given parameter, the parameter value will be displayed with a question mark. If a lack of valid information prevents the evaluation of a tree under current plant conditions the affected status tree will not be evaluated, the status tree will not display an active evaluation path, and the overview display will display the status of the affected tree as black for unable to evaluate.

The Seabrook SPDS does not currently make use of interchannel comparison of redundant instrumentation in the data validation scheme.

The audit team noted that two status trees appear to provide incorrect status information during power operation. The subcriticality status is indicated red (under extreme challenge) whenever reactor power exceeds 5 percent. Since no plant mode information is used by this SPDS logic tree, the CSF will be continuously indicated to be under extreme challenge during normal power operation. A similar problem exists with the indication of core cooling CSF status because the RCS subcooling criteria used by the status tree may not always be met during power operation. This will cause the status of core cooling to be erroneously indicated as orange, under severe challenge.

Indication of SPDS and MPC operability is provided by a real-time clock located in the upper left-hand corner of the display. When the SPDS and MPC are operating, the clock updates every second; if the computer goes down, the clock reading will no longer increment.

PSNH has conducted a reliability analysis of the Main Plant Computer system which includes most SPDS functions. This analysis estimated system availability will exceed 0.99. This analysis assumed component mean-time-to-repair would be on the order of 1/2 to 2 hours. During the audit, PSNH stated that this assumption is supported by their plans to maintain a complete set of MPC spare parts on site and to have qualified maintenance staff available on all shifts. PSNH has also been keeping system availability data since December 1985. The availability records show that MPC availability has significantly exceeded 0.99 over this period. Neither the availability analysis, nor the availability records address the effect upon SPDS availability of data processing systems, other than the MPC, that provide input data to the SPDS (i.e., Inadequate Core Cooling Monitor and Radiological Data Monitoring System).

Data on the availability of the Radiation Data Management System was not available at the time of the audit. The similarity of design to the Main Plant Computer system, with dual processors and dual or ring data busses, would lead one to expect high availability of the RDMS. It is not known how the numeric reliability of the data components of the RDMS compare with the comparable components of the MPC. The components of both systems are proven products of established manufacturers. The RDMS was originally designed to be a stand-alone plant radiation monitoring system required to supply data on critical plant levels during demanding plant conditions.

4.3.2 Audit Team Assessment

The Seabrook SPDS does not completely satisfy the provisions of Supplement 1 to NUREG-0737 regarding rapid and reliable display because the data validation techniques used are insufficient to provide a highly reliable synthesized value of SPDS parameters and because the SPDS displays incorrectly indicate that the reactivity control and core cooling CSFs are under challenge during normal power operation. The use of high or low values provided by redundant instrumentation may result in a conservative estimation of the status of Critical Safety Functions but it also ensures that the operator will be misled about safety function status in the event of large instrument errors or on-scale instrument failures. Use of average values without additional validation checks does not guarantee the operator will be consistently misled in the conservative direction. PSNH must implement data validation methodology that makes more effective use of redundant information available via the MPC.

PSNH could also improve the usefulness of the existing validity screening of input data by tightening the reasonableness band applied to some parameters. For example, at the time of the audit, PSNH was using 0°F as the lower limit for reasonableness check of temperature inputs and 200 percent as the upper limit for the reasonableness check of reactor power. The audit team believes more meaningful bounds could be established in both cases.
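The following Python sketch is an added illustration, not PSNH or NRC code. It contrasts the range-only synthesis described in 4.3.1 and assessed in 4.3.2 with one possible interchannel comparison (rejecting channels that deviate from the median of the in-range channels); the function names, the 2300°F upper bound, the 25°F tolerance and the sample readings are assumptions constructed for the example.

```python
from statistics import median

# Reasonableness band for a temperature input. The 0 degF lower limit is the
# one quoted in the audit; the upper limit is a constructed value.
BAND = (0.0, 2300.0)
# Constructed interchannel agreement tolerance, in degF.
TOLERANCE = 25.0

# Constructed core exit temperature readings from four redundant channels.
LOW_FAILED = [612.0, 608.5, 611.0, 35.0]     # channel 3 failed on-scale low
HIGH_FAILED = [612.0, 608.5, 611.0, 1250.0]  # channel 3 failed on-scale high


def in_band(value, lo, hi):
    """Gross reasonableness check: the reading lies inside the band."""
    return lo <= value <= hi


def combine(values, mode):
    """Reduce the accepted readings by the rule chosen for the parameter."""
    if not values:
        return None  # no valid input: the display would show '?'
    if mode == "high":
        return max(values)
    if mode == "low":
        return min(values)
    if mode == "average":
        return sum(values) / len(values)
    raise ValueError(f"unknown mode: {mode}")


def synthesize_range_only(readings, lo, hi, mode):
    """Scheme described in 4.3.1: range check, then high/low/average."""
    return combine([r for r in readings if in_band(r, lo, hi)], mode)


def synthesize_with_comparison(readings, lo, hi, mode, tolerance):
    """Range check plus interchannel comparison against the median.

    Returns (value, rejected_channel_indices). When the in-range channels
    disagree and none can be preferred, every channel is rejected and the
    value is None, so the parameter is shown as unknown rather than guessed.
    """
    in_range = {i: r for i, r in enumerate(readings) if in_band(r, lo, hi)}
    if not in_range:
        return None, list(range(len(readings)))
    centre = median(in_range.values())
    agreed = {i: r for i, r in in_range.items() if abs(r - centre) <= tolerance}
    rejected = sorted(set(range(len(readings))) - set(agreed))
    return combine(list(agreed.values()), mode), rejected


if __name__ == "__main__":
    lo, hi = BAND
    # An on-scale low failure passes the 0 degF check and drags the average
    # down, which is the non-conservative direction for core exit temperature.
    print(synthesize_range_only(LOW_FAILED, lo, hi, "average"))
    print(synthesize_with_comparison(LOW_FAILED, lo, hi, "average", TOLERANCE))
    # An on-scale high failure is selected outright by the 'high' rule.
    print(synthesize_range_only(HIGH_FAILED, lo, hi, "high"))
    print(synthesize_with_comparison(HIGH_FAILED, lo, hi, "high", TOLERANCE))
    # Two channels that disagree: neither is trusted.
    print(synthesize_with_comparison([610.0, 35.0], lo, hi, "average", TOLERANCE))
```

With only two in-range channels that disagree, the comparison rejects both, which corresponds to the "unable to evaluate" condition the SPDS already displays when no valid input exists.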

The precision to which plant variables are indicated on the SPDS displays and the update rates for the SPDS data base and displays are acceptable. PSNH system verification testing should confirm that the SPDS update rate is not seriously affected when a large number of nearly simultaneous processing demands are made on the MPC as may occur during the response to a severe accident.

The MPC system availability has been demonstrated to be sufficient to support the high SPDS availability goal set by Supplement 1 to NUREG-0737. PSNH has not, however, demonstrated high availability for the SPDS as a whole, since neither the availability analysis nor the availability history address the effect of the RDMS or the ICCM reliability upon overall SPDS availability.

PSNH should include these items in their procedures for monitoring of SPDS availability.


PSNH should provide a discussion for NRC review of the actions planned to improve the data validation methodology and an assessment, based either on calculation or operating experience data, of the overall availability of the SPDS including the Inadequate Core Cooling Monitor and the Radiological Data Monitoring System inputs.

4.4 "THE PRINCIPLE PURPOSE AND FUNCTION OF THE SPDS IS TO AID THE CONTROL ROOM PERSONNEL DURING ABNORMAL AND EMERGENCY CONDITIONS IN DETERMINING THE SAFETY STATUS OF THE PLANT AND IN ASSESSING WHETHER ABNORMAL CONDITIONS WARRANT CORRECTIVE ACTIONS BY CONTROL ROOM OPERATORS TO AVOID A DEGRADED CORE."

4.4.1 Audit Team Observations

The Seabrook SPDS displays the current value of input SPDS variables and provides the operator with a visual indication of the status of each Critical Safety Function. This status takes the form of an overview display that shows the status of all CSFs. A detailed display for each CSF is also available. The detailed display shows the CSF status, the value of each variable used to determine CSF status, the logic to determine CSF status, and references the procedure to be used to return the CSF to a normal condition.

The variables displayed, logic, logic set points, and logic display formats are based upon the Critical Safety Function evaluation process contained in the Seabrook Emergency Operating Procedures which were based upon the Emergency and Functional Response Guidelines developed for the Westinghouse Owners Group. Therefore, the basis for the existing CSF displays is directly traceable to the System Function and Task Analysis conducted during the development of the WOG guidelines.

The Seabrook Main Plant Computer is capable of displaying historical trends for any variable input to the MPC including all SPDS variables. However, since PSNH does not consider the trending capability to be an SPDS feature, no prearranged trend displays have been established to simplify access to historical trend information.

Since the trending capability was not considered as part of the SPDS function, the audit team did not review the capabilities of the trending function.

The audit team observed a simulator drill conducted by PSNH to demonstrate the use of the SPDS under plant upset conditions. The audit team noted that during the entire course of the drill, Critical Safety Function status was monitored by the Shift Technical Advisor using hardwired instrumentation and hard copies of the CSF status trees. At no time during the drill did any operator select for display an SPDS CSF status tree.

4.4.2 Audit Team Assessment

Although the Seabrook SPDS appears to display the information required to evaluate CSF status in an easily understood manner that should aid the operators in the determination of plant safety status, the fact that no use was made of the logic tree displays during the drill indicates that the operators do not find the system to be a satisfactory aid.

Therefore, the audit team cannot conclude that the Seabrook SPDS provides the required operator aid in the determination of safety status. PSNH should investigate the basis of the operator's reluctance to use the lower level SPDS displays and report to NRC the system changes made to make it useful from the operator's point of view.

4.5 "(THE) SPDS (SHALL BE) LOCATED CONVENIENT TO THE CONTROL ROOM OPERATORS"

4.5.1 Audit Team Observations

The SPDS displays can be accessed at any one of four locations in the control room:

o On any of four CRTs located near the center of the main control board, between primary system and secondary system controls and displays.

o On a CRT located among Service Water and Emergency Safety Feature controls and displays on the left side of the main control board.

o On a CRT located among the Component Cooling Water controls and displays on the right side of the main control board.

o On a CRT located at the Shift Technical Advisor's desk.

The shift technical advisor has been designated as the primary user of the SPDS under upset conditions.

4.5.2 Audit Team Assessment

PSNH has clearly satisfied the requirement of Supplement 1 to NUREG-0737 that the SPDS be located convenient to operators.

4.6 "THE SPDS SHALL CONTINUOUSLY DISPLAY INFORMATION FROM WHICH THE SAFETY STATUS OF THE PLANT... CAN BE ASSESSED..."

4.6.1 Audit Team Observations

The Seabrook SPDS provides a summary overview display of the status of each Critical Safety Function. This overview display consists of a full screen display of a seven segment bar, each segment of which corresponds to one CSF. Each bar segment contains a color and position code to represent the current status of the corresponding safety function. When an individual CSF status tree is selected for display, a reduced version of the overview is displayed in the lower left portion of the status tree display. Safety function status information is not incorporated into any of the MPC displays that are not designated as SPDS displays. Furthermore, PSNH has not implemented procedures to insure the SPDS is always displayed on at least one control room CRT.

4.6.2 Audit Team Assessment

Under the current Seabrook procedures, all control room displays could be selected such that no SPDS display is provided in the control room. Therefore, PSNH has not satisfied the requirement of Supplement 1 to NUREG-0737 to continuously display safety status information. Two possible ways to resolve this deficiency would be to include the CSF status bar on all MPC displays, or to implement administrative procedures that require an SPDS display to be on at least one control room CRT whenever the plant is above mode 5. PSNH should report to NRC on the ultimate resolution to this item.


4.7 "THE SPDS SHALL BE SUITABLY ISOLATED FROM ELECTRICAL OR ELECTRONIC INTERFERENCE WITH EQUIPMENT AND SENSORS THAT ARE IN USE FOR SAFETY SYSTEMS"

4.7.1 Audit Team Observations

PSNH uses three different models of isolators to electrically isolate the SPDS from safety related inputs. Type test data for two of these models has already been submitted to and reviewed by NRC. Type testing of the remaining model and the results will be submitted in the near future.

4.7.2 Audit Team Assessment

The adequacy of electrical isolation devices used by the SPDS is being separately reviewed by NRC.

4.8 "PROCEDURES WHICH DESCRIBE THE TIMELY AND CORRECT SAFETY STATUS ASSESSMENT WHEN THE SPDS IS AND IS NOT AVAILABLE WILL BE DEVELOPED BY THE LICENSEE IN PARALLEL WITH THE SPDS. FURTHERMORE, OPERATORS SHOULD BE TRAINED TO RESPOND TO ACCIDENT CONDITIONS BOTH WITH AND WITHOUT THE SPDS AVAILABLE."

4.8.1 Audit Team Observations

Operator training in the use of the SPDS is incorporated into training on the use of plant Emergency Operating Procedures. This training is required for operator licensing and requalification.

The Seabrook SPDS basically provides an automated means to continuously evaluate the Critical Safety Function Status Trees contained in the plant Emergency Operating Procedures. If the SPDS is unavailable, the operators will perform the same status tree evaluation manually using paper copies of the status trees and hardwired plant instrumentation located on the main control boards.

4.8.2 Audit Team Assessment

PSNH has satisfied the requirements of Supplement 1 to NUREG-0737 in this regard.

4.9 "THE SPDS DISPLAY SHALL BE DESIGNED TO INCORPORATE ACCEPTED HUMAN FACTORS PRINCIPLES SO THAT THE DISPLAYED INFORMATION CAN BE READILY PERCEIVED AND COMPREHENDED BY SPDS USERS."

4.9.1 Audit Team Observations

The basic format of the Critical Safety Function Status Trees was developed by Westinghouse using their human factors design criteria and input from utility representatives participating in the Westinghouse Owners Group.

Except for use of control room color coding and nomenclature conventions, PSNH did not establish formal human factors criteria for use in the development of the Main Plant Computer or implementation of the SPDS on the MPC. However, a complete human factors review of the SPDS displays and operator interfaces was incorporated into Seabrook's Detailed Control Room Design Review and no human engineering discrepancies were noted.


During the audit the audit team operated the SPDS to access and observe all displays.

The following human engineering discrepancies were noted:

o The Containment Isolation Status indication is not arranged such that an operator at the primary SPDS user's (STA) station can readily determine if all automatic containment isolation valves have closed.

o Access from the overview display to the first two CSF status trees is relatively awkward. The operator must traverse the cursor across a large portion of the CRT screen to address the desired tree then simultaneously push two keyboard buttons to display the tree. Access to subsequent displays is easier because after the second status tree is selected, the cursor remains in the area of the screen used to address status trees.

o On one tree, a parameter value is displayed in a location that is inconsistent with the standard format.

o Although the CSF status trees provide both a color and pattern coding of the CSF status, the overview display on the status trees only provides color coding.

4.9.2 Audit Team Assessment

Seabrook's SPDS will satisfy the NUREG-0737, Supplement 1 requirement to incorporate human factors principles provided the above noted problem with the layout of the Containment Isolation Status display is corrected. The remaining human engineering deficiencies noted during the audit are not severe problems. Nevertheless, PSNH is encouraged to correct these discrepancies. PSNH should describe to NRC the corrective action taken in this area.

The noted difficulty in accessing the lower level SPDS displays should be evaluated as a potential source of the operators' reluctance to use the status tree displays.

5. SUMMARY

The Seabrook Station Safety Parameter Display System only partially fulfills the SPDS requirements of Supplement 1 to NUREG-0737. The system deficiencies that lead to this conclusion are:

o The status of containment isolation valves is not displayed concisely so that an operator at the primary SPDS terminal can readily determine if containment isolation has been satisfactorily completed.

o The SPDS does not allow assessment of heat sink status during post accident cool down after the steam generators are no longer the desired heat sink for the primary system.

o The SPDS does not provide indication if hydrogen concentration in containment poses a challenge to the Containment Critical Safety Function.


o Indication of the status of the Radiological Control Critical Safety Function has not yet been implemented.

o The data validation algorithms used do not take advantage of redundant information to provide the operator and SPDS logic with highly reliable values of SPDS parameters.

o During normal power operation, the SPDS provides an erroneous status indication for the subcriticality and core cooling CSFs.

o PSNH has not demonstrated that SPDS update and response times will not be unacceptably affected by the high Main Plant Computer loading conditions expected to occur during response to a severe plant upset.

o The simulated response to a plant accident witnessed by the audit team indicated that the Seabrook operators do not find the Critical Safety Function Status Trees to be a significant aid.

o Information from which the safety status of the plant can be assessed is not continuously displayed by the SPDS.

In addition to the above problems, the audit team noted a few items which would not by themselves inhibit acceptance of the SPDS. Nevertheless, PSNH should consider these items for correction.

o The limits selected for use in checking data reasonableness are in some cases well outside of the reasonable range of the variable.

o The first two Critical Safety Function Status Trees called up after display of the CSF overview are somewhat awkward to address.

o On one status tree, one parameter is displayed in a location that is inconsistent with the convention used for all other parameter values.

o The Critical Safety Function overview provided on status tree displays does not incorporate redundant coding of safety function status as a backup to color coding.

PSNH should report to NRC on the actions taken to correct the problems listed above.

Although Verification and Validation of the SPDS design and implementation is not a regulatory requirement, the SPDS development process at Seabrook would have benefited significantly from a formal, rigorous V&V program. It is recommended that PSNH's process for correcting the NRC audit team's findings include a formal, complete, independent, and documented verification of SPDS capabilities against the requirements of Supplement 1 to NUREG-0737. This will ensure that adequate corrective actions are implemented. The methodology and results of this review should be made available for NRC review.


Although SPDS validation testing was incorporated into the verification and validation process for the Westinghouse Owners Group Emergency Response and Functional Response Guidelines, insufficient information was available during the audit to allow assessment of the suitability of this testing. The fact that the Seabrook operators did not choose to access any Critical Safety Function Status Trees during the simulator drill witnessed by the audit team implies the existence of difficulties with the use of the system that were not detected by the original validation testing. It is recommended that PSNH review the adequacy of the original validation testing. PSNH should provide the details of this testing or any additional validation testing for NRC review. Specific information that should be included is discussed in Sec. 3.3.2 of this report.

Subsystem and field installation verification testing of the Seabrook SPDS has not been completed and PSNH has not documented the plans for the completion of this testing.

Therefore, a final conclusion regarding the suitability of this testing could not be reached. Testing conducted to date, however, indicates that PSNH understands the need for, and purpose of, verification testing.

Consequently, if subsystem and field installation verification testing proceeds in a manner that is consistent with the testing to date, PSNH will comply with the intent of Sec. 18.2 of NUREG-0800 and NSAC/39 in this regard. The audit team recommends that a sensor-to-display test of all SPDS inputs be included in the field verification test program. PSNH should provide NRC with a discussion of the remaining system and field installation verification activities.


6. REFERENCES

6.1 GENERAL REFERENCES

1. U.S. Nuclear Regulatory Commission, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980, Supplement 1, December 1982.

2. U.S. Nuclear Regulatory Commission, NUREG-0800, "Standard Review Plan for Review of Safety Analysis Reports for Nuclear Power Plants," Sec. 18.1, Control Room, Rev. 0, September 1984 and Sec. 18.2, Human Factors Review Guidelines for the Safety Parameter Display System (SPDS), Rev. 0, November 1984.

3. Verification and Validation for Safety Parameter Display Systems, NSAC/39, Science Applications, Inc., December 1981.

4. U.S. Nuclear Regulatory Commission, NUREG-0700, "Guidelines for Control Room Design Reviews," September 1981.

5. U.S. Nuclear Regulatory Commission, Draft NUREG-0835, "Human Factors Acceptance Criteria for the Safety Parameter Display System."

6. U.S. Nuclear Regulatory Commission, NUREG-0696, "Functional Criteria for Emergency Response Facilities," February 1981.

7. Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs During and Following an Accident, Regulatory Guide 1.97, Rev. 2, Nuclear Regulatory Commission, Office of Standards Development, December 1980.

6.2 DOCUMENTATION EXAMINED DURING THE AUDIT

8. PX09-7, Rev. 1, "Main Plant Computer System Hardware Configuration Manual," January 24, 1986.

9. PX09-1, Rev. 0, "Main Plant Computer System Functional Description," April 12, 1984.

10. DWG M-510004, Rev. 48, "Computer Input-Output Parts List," May 9, 1986.

11. GT-1-42, Rev. 11, "General Test Procedure, Station Computer," October 31, 1984.

12. GT-I-07, Rev. 11, "General Procedure Indicating/Control Loops," December 19, 1984.

13. GT-I-101, Rev. 0, "Main Plant Computer System," May 12, 1983.


14. "Computer Program Test, Inventory Critical Safety Function Status Tree," Rev. 0, May 19, 1986.


15. "SPDS Inventory Critical Safety Function Status Tree Subroutine," Rev. 0, May 20, 1986.

16. "Inventory Critical Safety Function Status Tree Program Description," Rev. 0, May 19, 1986.

17. "SPDS Functional Requirements for Seabrook Unit 1 Main Plant Computer Software Development, Inventory Status," no revision or date.

18. "Background Information for Westinghouse Owners Group Emergency Response Guidelines; Critical Safety Function Status Tree FP0.6; Inventory," HP/LP-Rev.1, September 1, 1983.

19. Main Plant Computer Program Subroutine (Engineering Units Conversion).

20. Main Plant Computer Program Subroutine (data checks against reasonableness limits).

21. "New Hampshire Yankee Nuclear Production Computer Control Program Manual," Rev. 0, December 24, 1985.

22. Test procedure, "SPDS Graphics Test."

23. Seabrook Station General Test Procedure, TPI-62-F01, Rev. 2, "Radiation Monitoring System and Adjacent-to-Line Radiation Monitors."

24. "Gulf General Atomic Model RM-80, E-115-870 Microprocessor Software Design Document."

25. PSNH SS#20110, IMS D05.05.01, Sec. 5, "Radiation Data Management System Link (RDMS)."

26. "Seabrook Station Emergency Response Facility Functional Description."
