ML20215A004
| ML20215A004 | |
| Person / Time | |
|---|---|
| Site: | Seabrook |
| Issue date: | 10/03/1986 |
| From: | Cooper J, Johnson G LAWRENCE LIVERMORE NATIONAL LABORATORY |
| To: | NRC |
| References | |
| OL-1-I-SAPL-004, OL-1-I-SAPL-4, NUDOCS 8612110119 | |
| Download: ML20215A004 (22) | |
Text
OCT 03 '86 05:14 P01 OCT.02 '86 15:18 NRC MESSAGE CENTER BETHESDA MD P.001
DESIGN VERIFICATION AND DESIGN VALIDATION AUDIT
OF THE
SAFETY PARAMETER DISPLAY SYSTEM
FOR PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE
SEABROOK STATION
June 9, 1986
James Cooper
Gary L. Johnson
Lawrence Livermore National Laboratory
for the United States Nuclear Regulatory Commission
8612110119 861003 PDR ADOCK 05000443 0 PDR
DESIGN VERIFICATION AND DESIGN VALIDATION AUDIT OF THE SAFETY PARAMETER DISPLAY SYSTEM FOR PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE SEABROOK STATION
- 1. INTRODUCTION
On June 19 and 21, 1986, an audit of the Seabrook Station Safety Parameter Display System was conducted by the NRC. This NRC audit examined the Seabrook Verification and Validation program and reviewed the operation of the SPDS. Thus, the audit specifically addressed the points of both a Design Verification Audit and a Design Validation Audit as described by Sec. 18.2 of NUREG-0800.
The audit team was composed of one individual from the Nuclear Regulatory Commission Human Factors Engineering Branch, an individual from the Lawrence Livermore National Laboratory, and an individual from EG&G acting as consultants to the NRC.
The audit was based upon the recommended criteria of NUREG-0800 Sec. 18.2. In accordance with that guidance, up to three separate audit meetings/site visits, as described below, may be arranged.
Design Verification Audit. The purpose of this audit meeting is to obtain additional information required to resolve any outstanding questions about the V&V program, to confirm that the V&V program is being correctly implemented, and to audit the results of the V&V activities to date. At this meeting, the applicant should provide a thorough description of the SPDS design process. Emphasis should be placed on how the applicant is assuring that the implemented SPDS will: provide appropriate parameters, be isolated from safety systems, provide reliable and valid data, and incorporate good human engineering practice. To the extent dictated by the completeness of the V&V program plan, the HFEB reviewer will arrange for participation of PSRB and ICSB reviewers at this meeting.
Design Validation Audit. After review of all documentation, an audit may be conducted to review the as-built prototype or installed SPDS. The purpose of this audit is to assure that the results of the applicant/licensee's testing demonstrate that the SPDS meets the functional requirements of the design and to assure that the SPDS exhibits good human engineering practice.
Installation Audit. As necessary, a final audit may be conducted at the site to ascertain that the SPDS has been installed in accordance with the applicant/licensee's plan and is functioning properly. A specific concern is that the data displayed reflect the sensor signal which measures the variable displayed. This audit will be coordinated with and may be conducted by the NRC Resident Inspector.
Based on the advanced state of the Seabrook SPDS design, the NRC staff carried out a combined Design Verification and Design Validation audit at the plant site.
JYB:860603:6/18/86 _
During the course of this audit, the NRC audit team discussed aspects of the SPDS program with Public Service Company of New Hampshire (PSNH). Additionally, the Seabrook control room was visited to ascertain t at the unit simulator to observe how the SPDS is used by the plant operating st
- 2. SAFETY PARAMETER DISPLAY SYSTEM DESIGN OVERVIEW
The Seabrook Station SPDS is a feature of the station % the status of the six critical safety features defined by the Seabrook Emergency Operating procedures. These eight displays consist of:
o An overview display showing the status of all CSFs.
o Six logic tree displays, one for each of the CSFs defined by the EOPs. Each display shows the current value of the parameters used to assess the CSF and the logic used to determine the status of the CSF.
o A hardwired display of containment isolation status.
PSNH has committed to add a radiological control CSF display that shows the current value of the radiation monitoring parameters used to determine the status of the radiological control CSF.
l SPDS displays can be called up on any of seven MPC CRT f
displaying historical trends of any parameter input to the MPC or of any calculated room.
l derived by the MPC.
The MPC receives inputs from plant instrumentation via nine intelligent remote terminal units (IRTU) that convert the input signals to digital format and transmit the data to two host computer units (IRTU). Each IRTU contains redundant central processing units (CPUs). PSNH has organized MPC inputs such that redu different IRTUs.
The host computer consists of redundant CPUs. The hosts check each input value to verify it is within the range of the measuring instrument and is within reasonableness limits established by PSNH. The host computer also performs SPDS calculations, logic, and develops SPDS displays in addition to other MPC and visual alarm system functions.
The MPC also receives input of SPDS parameters from the Inadequate Core Cooling Monitor (ICCM) and the Radiological Data Monitoring System (RDAS). Unlike parameters input via IRTUs, parameters received from ICCM and RDAS have had range and reasonableness checks by these systems; therefore, additional checking is not performed by the host computer.
One of the Safety Parameter Display System (SPDS) critical variables that was not originally planned to be included in the Seabrook SPDS system is radioactivity. In response to NRC's identification of the need for a radiological control CSF the Radiological Data Monitoring System (RDMS) will be modified to input to the SPDS. This system uses redundant central processor units and a loop data bus data acquisition system to continuously monitor area and effluent radiation levels around the station. The system periodically collects data from approximately 170 sensors, all with different addresses on the loop data busses. This information is presently displayed on a console in the control room. Linking this RDMS system by data bus to the main plant computer system (MPCS) will enable the display of current radiological data at any main plant computer system (MPCS) work station, at the emergency response facility (ERF), the meteorological workstation (MET) and on the SPDS. Seabrook plans to link the MPCS to the RDMS by use of a vendor recommended interface.
- 3. ASSESSMENT OF THE VERIFICATION AND VALIDATION PROGRAM
A Verification and Validation (V&V) Program is concerned with the process of specification, design, fabrication, testing, and installation associated with an overall system's software, hardware, and operation. For the SPDS, verification is the review of the requirements to see that the right problem is being solved and a review of the design to see that it meets the requirements. Validation is the performance of tests of the integrated system to see that it meets all requirements.
Verification and Validation activities are not a regulatory requirement for the SPDS. Nevertheless, a V&V program performed by the applicant/licensee during design, installation, and implementation of an SPDS will facilitate the NRC staff review of the system. The staff would then evaluate the program for the results of the design V&V program. On the basis of an effective V&V program, the staff would reduce the scope and detail of the technical audit of the design.
The purpose of the NRC Design Verification Audit was to obtain additional information required to resolve any outstanding questions about the PSNH V&V Program, to confirm that the V&V Program is being correctly implemented, and to audit the results of the V&V activities to date. The criteria suggested in NUREG-0800, Sec. 18.2, Appendix A were used as a basis for this audit. The recommendation of NSAC/39 provided additional guidance to the audit team.
The remainder of this section presents the audit team's observations and assessments of the PSNH V&V Program for the following four items: System Requirements Review, Design Verification Review, Validation Tests, and Field Verification Tests. The observations and assessments were obtained through an examination of the available documentation.
3.1 SYSTEM REQUIREMENTS REVIEW
Section 18.2 of NUREG-0800 recommends that the SPDS development process include a review of desired system capabilities to determine that the functional needs will be satisfied. The principal goal of this activity is to independently determine if the requirements will result in a possible and usable solution to the entire problem. The requirements are reviewed for correctness, completeness, consistency, understandability, feasibility, testability, and traceability. The requirements review also provides the basis for developing the system validation test plan.
3.1.1 Audit Team Observations
Since the Main Plant Computer design was completed before the development of requirements for a Safety Parameter Display System, PSNH could not conduct a formal review of planned MPC/SPDS capabilities against functional needs.
An informal requirements review of the SPDS display contents and format was conducted during the development of SPDS software. This review, however, did not include other attributes such as the requirements for data validation, continuous display or user interface. Section 4 of this report discusses a number of deficiencies noted by the audit team that indicate that the SPDS development would have benefited from a thorough system requirements review to insure the system completely fulfilled the requirements of NUREG-0737, Supplement 1.
PSNH has implemented procedures to require a requirements vs. planned capability design review for future modifications to the Main Plant Computer including the SPDS software.
3.1.2 Audit Team Assessment
Public Service of New Hampshire did not implement the recommendation of Sec. 18.2 to NUREG-0800 to perform a verification that planned system capabilities will accomplish the functional needs for an SPDS. Given the advanced state of the system design the audit team believes there would be little benefit in conducting a review of this type at this time. The existence of formal design review requirements for future software modifications should help PSNH avoid similar problems as a result of future modifications.
3.2 DESIGN VERIFICATION REVIEW
Section 18.2 of NUREG-0800 recommends that the SPDS development process include a design verification review performed after the system is initially designed to verify that the design will satisfy functional needs. This activity is intended to verify the hardware and software design against the systems requirements. This review covers both the hardware and software specifications as well as the design. The specifications and the designs are reviewed to ensure that the system requirements decomposition into hardware and software is complete and that there are no ambiguities or deficiencies.
3.2.1 Audit Team Observations
As with the system requirements review, NRC recommendations regarding review of system design against functional needs were not available to support the development of the Main Plant Computer system and radiological data monitoring system. Therefore, the review process suggested by Sec. 18.2 of NUREG-0800 was not fully implemented by PSNH.
The SPDS software development process did, however, incorporate a review of software routines against a set of functional requirements for each SPDS display. These display functional requirements were developed by the system engineer in conjunction with plant operations. A p.eif a mpt t.n, findings of these reviews were not documented except for ultimate approval of the routines by the reviewer.
Testing of the SPDS software routines has also been conducted to verify that test combinations of data input to the MPC data base produce the expected parameter value, and proper validity flag. At the time of the audit plant SPDS software development had not yet proceeded to the point where validation testing of the CSF status determination logic could be conducted.
3.2.2 Audit Team Assessment
PSNH did not fully implement the recommendations of Sec. 18.2 of NUREG-0800 regarding review of the system design versus system functional requirements. Although Verification and Validation reviews are not a requirement of Supplement 1 to NUREG-0737, the design problems identified by the NRC audit combined with the lack of a formal PSNH V&V process lead to the concern that additional design deficiencies may exist in the Seabrook SPDS that were not detected by the audit process. It is recommended that PSNH resolve this concern by conducting a formal, independent review of SPDS capabilities against the SPDS requirements of Supplement 1 to NUREG-0737, including verification that the RDMS and ICCM will provide the necessary variables and performance to satisfy the SPDS requirements.
3.3 VALIDATION TESTS
Section 18.2 of NUREG-0800 recommends the SPDS development process include validation tests performed after the system is assembled to confirm that the integrated system satisfies the functional needs when combined with the plant control room and plant operators who have received the normal plant specific training in the use of the SPDS. The foundation for this activity lies in the information derived from the requirements review, the design review and the hardware, software, and system tests performed by the system supplier. The system validation tests follow the system integration tests performed by the supplier to demonstrate that the hardware and software function acceptably.
3.3.1 Audit Team Observations
The Seabrook SPDS was operable in the Seabrook control room simulator when the simulator was used to conduct validation testing of the Westinghouse Owners Group Emergency Response Guidelines and Functional Response Guidelines. This testing included response to plant upsets both with and without the use of the SPDS. PSNH stated that the SPDS reduced the time required to respond to upset conditions. At the time of the audit, however, no documentation or other information was available to provide the details of how this conclusion was reached. Furthermore, there was no indication that any other measures of SPDS effectiveness were considered or observed.
3.3.2 Audit Team Assessment
Sufficient information was not available at the audit to allow a conclusion that the overall system validation testing conducted as part of the WOG ERG validation program satisfies the intent of Sec. 18.2 of NUREG-0800 in this regard. The fact that operators did not choose to access lower level SPDS screens during the drill witnessed by the audit team would seem to support the conclusion that there are problems with the system as a whole that were not identified by the system validation testing. PSNH should reevaluate the adequacy of the previous validation testing to insure that the usefulness of the Seabrook SPDS was thoroughly established. If PSNH concludes that the previous efforts represented an adequate test, the basis for this information should be described to NRC. This basis should include:
o Identification of the specific simulated plant upsets for which the SPDS effectiveness was evaluated.
o Discussion of the applicability of the testing to the Seabrook plant SPDS given the differences between the simulator system and the plant system (e.g., the simulator does not provide redundant inputs to the SPDS; therefore, input of combinations of invalid data could not be simulated).
o Description of any differences between the philosophy and training for using the SPDS during the procedure validation process and the Seabrook specific training and philosophy.
o Identification of the specific data gathered to evaluate SPDS effectiveness and the data collection techniques.
o Description of the method and criteria used to evaluate the data.
o Discussion of the results of the validation testing.
3.4 FIELD VERIFICATION TESTS
Section 18.2 of NUREG-0800 recommends the SPDS development process include field verification tests performed after the system is installed to verify that the validated system was installed properly. As a minimum field verification will consist of verifying that each input signal is properly connected and that the signal range is consistent with the design. Stated differently, it must be verified that the information displayed is directly correlated with the sensor data being input. It is expected that an independent review of the installation tests may fulfill a portion of the field verification test plan.
3.4.1 Audit Team Observations
As part of Main Plant Computer system acceptance testing PSNH confirmed that each MPC input point was properly connected by verifying that the current value of each instrument input was accurately stored by the MPC. This process will be repeated as part of each instrument loop calibration by verifying that each calibration input is accurately displayed by the MPC. The final SPDS software has not yet been installed in the plant so verification testing of this SPDS is not complete.
3.4.2 Audit Team Assessment
Since PSNH has not yet completed all verification testing and since PSNH presented no overall test plan that identified the verification testing yet to be done, a firm conclusion regarding the degree to which PSNH's verification testing will comply with the recommendations of Sec. 18.2 of NUREG-0800 cannot be reached. However, during the audit PSNH did exhibit a good understanding of the purpose of field verification testing; therefore, if PSNH follows through on the validation testing process in a manner that is consistent with the testing to date, they are expected to satisfy the intent of Sec. 18.2 to NUREG-0800 in this regard. The audit team suggests that this verification testing include an end to end system test of all portions of the MPC that perform SPDS functions.
Once SPDS field verification testing is complete PSNH should provide NRC with a description of the system attributes tested, the test methodology, and test results so that a final conclusion regarding the acceptability of the testing can be reached.
- 4. ASSESSMENT OF SPDS DESIGN
The NRC audit team assessed the SPDS system with respect to the requirements of Supplement 1 to NUREG-0737 using the specific review criteria suggested by NUREG-0800, Sec. 18.2, Appendix A. This portion of the audit addressed the points of a Design Validation Audit. The following provides a discussion of the Seabrook Station SPDS design features relative to the provisions of Supplement 1 to NUREG-0737, and the corresponding audit team assessment in each area.
4.1 "THE SPDS SHOULD PROVIDE A CONCISE DISPLAY..."
4.1.1 Audit Team Observations
The Seabrook SPDS provides an overview of the status of all seven Critical Safety Functions (CSF). This overview display consists of a seven section horizontal bar. Each section corresponds to a CSF and is displayed in one of four colors that indicates the current degree of challenge to the safety function. The color coding scheme is:
Red - CSF under extreme challenge.
Orange - CSF under severe challenge.
Yellow - CSF off normal.
Green - CSF satisfied.
The overview can be displayed separately and a reduced version is incorporated into each of the other SPDS displays.
Lower level displays provide the specific information used by the SPDS in determining the status of each critical safety function.
With the exception of the Radiological Control CSF, this information is displayed in logic tree format. The current parameter value used at each decision point is displayed near the decision block that describes the logical decision made by the SPDS. Each logic path is color coded to show the degree of CSF challenge represented by that path. The terminus point flashes on the logic path that corresponds to the current status of the Critical Safety Function.
Not all of the information needed to assess the Containment CSF is included on the CRT displays. The status of Containment Isolation is provided on a hardwired display across the control room from the primary SPDS display. Most, but not all, status lights are illuminated by containment isolation and the lights are not arranged or labeled such that an operator at the primary SPDS CRT can readily determine whether an unlit status light corresponds to a failed containment isolation valve or to an unused light.
The radioactivity control CSF display consists of ten horizontal intensity bars and four of the bars are for steam generator radiation levels and one for radiation level at the containment vent. Each bar is titled on the display under the bar. The readout also shows the range of the detector channel that it displays. As the level of the channel goes up, the bar fills in progressing from left to right. When the channel is in alarm, as determined by the RDMS setting, the bar color turns red. It is cyan for low values. This alarm condition will be carried through to the overview display.
4.1.2 Audit Team Assessment
With the exception of the difficult to interpret containment isolation status display, the Seabrook SPDS meets the requirements of Supplement 1 to NUREG-0737 regarding concise display of critical safety function status. The Seabrook SPDS will totally satisfy this requirement if the containment isolation status display is modified such that an operator at the primary SPDS console can readily determine if all required containment isolation valves have closed. Two possible modifications that would accomplish this purpose would be to light the spare indicators on a containment isolation signal or to rearrange the indicators such that the ones that should be lit on containment isolation form an easily recognized pattern. PSNH should describe to NRC how the containment isolation status display will be corrected.
4.2 "THE SPDS SHOULD... DISPLAY... CRITICAL PLANT VARIABLES"
4.2.1 Audit Team Observations
The following plant parameters are inputs to the Seabrook SPDS:
Reactivity Control CSF
o Intermediate range reactor power source range, through 200 percent.
o Start-up rate.
Core Cooling Critical Safety Function
o Core exit temperatures
o Reactor coolant pump status
o Reactor vessel level indication
o Wide range reactor cooling system (RCS) pressure (used with core exit temperature to calculate the displayed value of subcooling).
Heat Sink Critical Safety Function
o Steam generator wide and narrow range water level.
o Emergency feed water flow.
o Steam generator pressure.
o Containment pressure (used in determining decision criteria for steam generator water level).
Reactor Cooling System Integrity Critical Safety Function
o RCS cold leg wide range temperatures.
o RCS wide range pressure.
Containment Critical Safety Function
o Containment pressure.
o Containment recirculation sump level.
o Containment radiation level.
o Containment isolation valve status.
Reactor Coolant System Inventory Critical Safety Function
o Pressurizer level.
PSNH has also committed to establishing a radiological control CSF screen on the SPDS. It will provide steam generator radiation level and stack monitor radiation level.
The parameters selected for display and the groupings of parameters into CSFs are based upon the Critical Safety Functions monitored by the Westinghouse upgraded Emergency Operating Procedures. Two exceptions are Containment Isolation Valve status indication and the Radiological Control CSF which are being added to the SPDS to resolve minor differences in philosophy behind the safety functions evaluated by EOPs and the CSF parameter selection for the SPDS.
The CSFs displayed by the Seabrook SPDS roughly correspond in the following manner to the five safety functions identified by Supplement 1 to NUREG-0737.
| NUREG-0737, S1 CSF | Seabrook SPDS CSF |
|---|---|
| Reactivity | Subcriticality |
| Reactor core cooling and heat removal from the primary system. | Core cooling, Heat sink (Except that the Seabrook SPDS has no parameter inputs which can be used to monitor the status of heat removal when post accident cool down has progressed to the point where cool down via steam generators is no longer desirable.) |
| RCS integrity | Integrity, Inventory |
| Radiation control | Radiation control |
| Containment | Containment (Except that the challenge to the containment safety function posed by high hydrogen concentration is not monitored by the SPDS.) |
4.2.2 Audit Team Assessment
With two exceptions, the parameters displayed by the Seabrook SPDS are sufficient to provide operators with information regarding the status of the five safety functions identified by Supplement 1 to NUREG-0737. The two exceptions are:
o The Seabrook SPDS has no inputs that allow the evaluation of the status of heat removal from the primary system after the post accident cool down has progressed to the point where the Residual Heat Removal (RHR) system provides the primary heat removal path. RHR flow is one parameter that would provide the needed information.
o The Seabrook SPDS does not account for high hydrogen concentration in containment as a challenge to containment integrity.
PSNH should submit a discussion to NRC of how these two items will be addressed by the SPDS. This discussion should also confirm PSNH's commitment to include containment isolation status and radiological control CSF in the SPDS and should document the content, format, data validation methodology, and CSF evaluation logic used in the radiological control CSF display.
4.3 "THE SPDS SHOULD... AID THEM (OPERATORS) IN RAPIDLY AND RELIABLY DETERMINING THE SAFETY STATUS OF THE PLANT"
4.3.1 Audit Team Observations
Most parameter values displayed by the SPDS and SPDS logic trees are updated every five seconds. The update rate is controlled by the MPC program scheduler in which SPDS programs are assigned a higher priority than most other MPC routines; therefore, the update interval should remain relatively independent of MPC workload. Two exceptions to the five-second update rate are the calculation of core heat up and cool down rate for the RCS integrity status tree and the information on the radioactivity control CSF display. The heat-up rate calculation is updated every thirty seconds. More frequent recalculation of this value is unnecessary because the status tree decision criterion is based upon change in temperature over the last sixty minutes rather than upon the instantaneous value of the heat up or cool down rate. The RDMS remote processors acquire data continuously and are polled every 30 seconds on the bus by the RM-11 host. One line connects each of the RM-11 hosts to the plant computer. Every 30 seconds the plant computer can request the current radiological data. In this manner, the screen data can be updated every 30 seconds for the current radiological conditions.
The SPDS parameters input via the Intelligent Remote Terminal Units receive a gross validity check as part of the process for inserting instrument readings into the MPC data base. This gross check includes:
o Verification that the IRTU is scanning the instrument loop in question.
o Operability verification of the communications link between the input processor and the host computer.
o IRTU operability verification.
o Verification that the input parameter value is within the capability of the associated instrument loop.
o Verification that the parameter value is within a reasonable range as defined by PSNH engineering and operations.
These checks form the basis of an instrument validity status word that is associated with the reading in the MPC data base.
For radioactivity control CSF information, the RDMS performs data and operability checks at remote processors located with the radiation detector. The remote processor monitors data quality and operability status and encodes this information, along with the current radiation data, on the data bus to the RDMS host computers in their central acquisition and display console. The data are flagged questionable if:
c The e sre inconr.e.i values more tnen M peren: c' n :
t :: 2; o.;; n 1 n'd.
o There is any operate failure.
o Integrated calculations are not accurate enough (95 percent confidence of value within 6 percent of mean).
o There is less than 85 percent response to the automatic check source.
o An operate failure is reported for a loss of counts.
o Sample flow is lost.
o A channel is out of service.
o A check source test failed.
o A filter is torn or clogged.
The data quality and operability status is passed up the bus to the RDMS display where the data display is color coded to indicate data validity. This data will be transferred, along with current radiation data, to the main plant computer and subsequently to the SPDS display system.
In cases where redundant measurements of plant parameters are input to the MPC, the SPDS synthesizes a single value of the parameter by either averaging all valid inputs or by selecting the highest or lowest reading from among the valid inputs. The use of high, low, or average was selected in each case to insure a conservative interpretation of the CSF status trees. If no valid inputs are available for a given parameter, the parameter value will be displayed with a question mark. If a lack of valid information prevents the evaluation of a tree under current plant conditions, the affected status tree will not be evaluated, the status tree will not display an active evaluation path, and the overview display will display the status of the affected tree as black for unable to evaluate.
The audit team noted that two status trees appear to provide incorrect status information during power operation.
The reactivity status is indicated red (under extreme challenge) whenever reactor power exceeds 5 percent. Since no plant mode information is used by this SPDS logic tree, the CSF is continuously indicated to be under extreme challenge during normal power operation. A similar problem exists with the indication of core cooling CSF status because the RCS subcooling criteria used by the status tree may not always be met during power operation. This causes the status of core cooling to be erroneously indicated as orange--under severe challenge.
The Seabrook SPDS does not carrently make use of interchannel comps. son of redundant instrumentation in the data validation scheme.
Indication of SPDS and 51PC operability is provided by a real time clock located in the upper left-hand corner of the display. When the SPDS and $1PC are ope.ating the clock updates every second; if the computer goes down the clock reading will no longer increment.
PSNH has conducted a reliability analysis of the Main Plant Computer, which includes most SPDS functions. This analysis estimated system availability will exceed .99. This analysis assumed component mean-time-to-repair would be on the order of 1/2 to 2 hours. During the audit PSNH stated that this assumption is supported by their plans to maintain a complete set of MPC spare parts on site and to have qualified maintenance staff available on all shifts. PSNH has also been keeping system availability data since December of 1985. The availability records show that MPC availability has significantly exceeded .99 over this period. Neither the availability analysis nor the availability records address the effect upon SPDS availability of data processing systems, other than the MPC, that provide input data to the SPDS (i.e., Inadequate Core Cooling Monitor and Radiological Data Monitoring System).
Data on the availability of the radiation data measurement system (RDMS) was not available at the time of the audit. The similarity of design to the main plant computer system, with dual processors and dual or ring data busses, would lead one to expect high availability of the RDMS. It is not known how the numeric reliability of the data components of the RDMS compares with the comparable components of the MPC. The components of both systems are proven products of established manufacturers. The RDMS was originally designed to be a stand-alone plant radiation monitoring system required to supply data on critical plant levels during demanding plant conditions.
4.3.2 Audit Team Assessment
The Seabrook SPDS does not completely satisfy the provisions of Supplement 1 to NUREG-0737 regarding rapid and reliable display because the data validation techniques used are insufficient to provide a highly reliable synthesized value of SPDS parameters and because the SPDS displays incorrectly indicate that the reactivity control and core cooling CSFs are under challenge during normal power operation. The use of high or low values provided by redundant instrumentation may result in a conservative estimation of the status of critical safety functions but it also ensures that the operator will be misled about safety function status in the event of large instrument errors or on-scale instrument failures. Use of average values without additional validation checks does not guarantee the operator will be consistently misled in the conservative direction. PSNH must implement data validation methodology that makes more effective use of redundant information available via the MPC.
PSNH could also improve the usefulness of the existing validity screening of input data by tightening the reasonableness band applied to some parameters. For example, at the time of the audit, PSNH was using 0°F as the lower limit for the reasonableness check of temperature inputs and 200% as the upper limit for the reasonableness check of reactor power. The audit team believes more meaningful bounds could be established in both cases.
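The following is an added illustration, not part of the audit report and not PSNH or Main Plant Computer code. It implements the range-check-then-select scheme described above and shows how an on-scale failed channel passes a wide reasonableness band and drives the selected value; the function names, the upper limit, the tolerance and the median-based interchannel comparison are assumptions made for the example.

```python
# Added illustration; not PSNH or Main Plant Computer code.
from statistics import mean, median

SELECT = {"high": max, "low": min, "average": mean}


def range_valid(readings, lo, hi):
    """Reasonableness check: keep channels that report a value inside [lo, hi]."""
    return [r for r in readings if r is not None and lo <= r <= hi]


def synthesize(readings, lo, hi, mode):
    """Scheme the audit describes: range check, then high, low or average select.

    Returns None when no input is valid (the display shows a question mark).
    """
    valid = range_valid(readings, lo, hi)
    return SELECT[mode](valid) if valid else None


def synthesize_compared(readings, lo, hi, mode, tolerance):
    """Same selection, preceded by an interchannel comparison (assumed method):
    a channel further than `tolerance` from the median of the range-valid
    channels is rejected. Returns (value, rejected_channels).
    """
    valid = range_valid(readings, lo, hi)
    if not valid:
        return None, []
    mid = median(valid)
    agreeing = [r for r in valid if abs(r - mid) <= tolerance]
    rejected = [r for r in valid if abs(r - mid) > tolerance]
    # Two channels that disagree leave no majority: report "unable to evaluate".
    value = SELECT[mode](agreeing) if agreeing else None
    return value, rejected


def display(value):
    """Render a synthesized value the way the audit describes the display."""
    return "?" if value is None else f"{value:.1f}"


# Constructed sample: three redundant temperature channels (deg F); the third
# has failed on scale. LO is the 0 deg F limit the audit cites; HI and
# TOLERANCE are constructed values.
LO, HI, TOLERANCE = 0.0, 700.0, 10.0
CHANNELS = [557.0, 559.0, 120.0]

if __name__ == "__main__":
    for mode in SELECT:
        plain = synthesize(CHANNELS, LO, HI, mode)
        checked, rejected = synthesize_compared(CHANNELS, LO, HI, mode, TOLERANCE)
        print(f"{mode:8s} range-only={display(plain)} "
              f"compared={display(checked)} rejected={rejected}")
    print("no valid input:", display(synthesize([None, -40.0], LO, HI, "high")))
```

With only two channels that disagree, the comparison cannot tell which one is wrong and returns no value, which corresponds to the "unable to evaluate" state rather than a silently misleading reading.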
The precision to which plant variables are indicated on the SPDS displays and the update rates for the SPDS data base and displays are acceptable. PSNH system verification testing should confirm that the SPDS update rate is not seriously affected when a large number of nearly simultaneous processing demands are made on the MPC as may occur during the response to a severe accident.
The MPC system availability has been demonstrated to be sufficient to support the high SPDS availability goal set by Supplement 1 to NUREG-0737. PSNH has not, however, demonstrated high availability for the SPDS as a whole since neither the availability analysis nor the availability history address the effect of the RDMS or the ICM reliability upon overall SPDS availability. PSNH should include these items in the procedures for monitoring of SPDS availability.
PSNH should provide a discussion for NRC review of the actions planned to improve the data validation methodology and an assessment, based either on calculation or operating experience data, of the overall availability of the SPDS including the Inadequate Core Cooling Monitor and the Radiological Data Monitoring System inputs.
4.4 "THE PRINCIPAL PURPOSE AND FUNCTION OF THE SPDS IS TO AID THE CONTROL ROOM PERSONNEL DURING ABNORMAL AND EMERGENCY CONDITIONS IN DETERMINING THE SAFETY STATUS OF THE PLANT AND IN ASSESSING WHETHER ABNORMAL CONDITIONS WARRANT CORRECTIVE ACTIONS BY CONTROL ROOM OPERATORS TO AVOID A DEGRADED CORE."
4.4.1 Audit Team Observations
The Seabrook SPDS displays the current value of input SPDS variables and provides the operator with a visual indication of the status of each Critical Safety Function. This status takes the form of an overview display that shows the status of all CSFs and a detail display for each CSF that shows the CSF status, the value of each variable used to determine CSF status, the logic to determine CSF status, and references the procedure to be used to return the CSF to a normal condition.
The variables displayed, logic, logic setpoints, and logic display formats are based upon the critical safety function evaluation process contained in the Seabrook Emergency Response Procedures which were based upon the Emergency and Functional Response Guidelines developed for the Westinghouse Owners Group. Therefore, the basis for the existing CSF displays is directly traceable to the System Function and Task Analysis conducted during the development of the WOG guidelines.
The Seabrook Main Plant Computer is capable of displaying historical trends for any variable input to the MPC including all SPDS variables. However, since PSNH does not consider the trending capability to be a SPDS feature, no prearranged trend displays have been established to simplify access to historical trend information. Since the trending capability was not considered as part of the SPDS function, the audit team did not review the capabilities of the trending function.
The audit team observed a simulator drill conducted by PSNH to demonstrate the use of the SPDS under plant upset conditions. The audit team noted that during the entire course of the drill, critical safety function status was monitored by the Shift Technical Advisor using hardwired instrumentation and hard copies of the CSF status trees. At no time during the drill did any operator select for display a SPDS CSF status tree.
4.4.2 Audit Team Assessment
Although the Seabrook SPDS appears to display the information required to evaluate CSF status in an easily understood manner that should aid the operators in the determination of plant safety status, the fact that no use was made of the logic tree displays during the drill indicates that the operators do not find the system to be a satisfactory aid.
Therefore, the audit team cannot conclude that the Seabrook SPDS provides the required operator aid in the determination of safety status. PSNH should ... of the operator's reluctance to use the lower level SPDS displays ... system changes made to make it useful from the operator's point of view.
4.5 "(THE) SPDS (SHALL BE) LOCATED CONVENIENT TO THE CONTROL ROOM OPERATORS"
4.5.1 Audit Team Observations
The SPDS displays can be accessed at any one of four locations in the control room.
o On any of four CRTs located near the center of the main control board, between primary system and secondary system controls and displays.
o On a CRT located amongst Service Water and Emergency Safety Feature controls and displays on the left side of the main control board.
o On a CRT located amongst the Component Cooling Water controls and displays on the right side of the main control board.
o On a CRT located at the Shift Technical Advisor's desk.
The shift technical advisor has been designated as the primary user of the SPDS under upset conditions.
4.5.2 Audit Team Assessment
PSNH has clearly satisfied the requirement of Supplement 1 to NUREG-0737 that the SPDS be located convenient to operators.
4.6 "THE SPDS SHALL CONTINUOUSLY DISPLAY INFORMATION FROM WHICH THE SAFETY STATUS OF THE PLANT... CAN BE ASSESSED..."
4.6.1 Audit Team Observations
The Seabrook SPDS provides a summary overview display of the status of each Critical Safety Function. This overview display consists of a full screen display of a seven segment bar, each segment of which corresponds to one CSF. Each bar segment is color coded to represent the current status of the corresponding safety function. When an individual CSF status tree is selected for display a reduced version of the overview is displayed in the lower left portion of the status tree display. Safety function status information is not incorporated into any of the MPC displays that are not designated as SPDS displays. Additionally, PSNH has not committed to continuously display the SPDS in the Seabrook control room.
4.6.2 Audit Team Assessment
Under the current Seabrook procedures, all control room displays could be selected such that no SPDS display is provided in the control room. Therefore, PSNH has not satisfied the requirement of Supplement 1 to NUREG-0737 to continuously display safety status information. Two possible ways to resolve this deficiency would be to include the CSF status bar on all MPC displays, or to implement administrative procedures to require an SPDS display to be on at least one control room CRT whenever the plant ... mode 5. PSNH should report to NRC on the ultimate resolution to this item.
4.7 "THE SPDS SHALL BE SUITABLY ISOLATED FROM ELECTRICAL OR ELECTRONIC INTERFERENCE WITH EQUIPMENT AND SENSORS THAT ARE IN USE FOR SAFETY SYSTEMS"
4.7.1 Audit Team Observations
PSNH uses three different models of isolators to electrically isolate the SPDS from safety related inputs. Type test data for two of these models has already been submitted to and reviewed by NRC. Type testing of the remaining model and the results will be submitted in the near future.
4.7.2 Audit Team Assessment
The adequacy of electrical isolation devices used by the SPDS is being separately reviewed by NRC.
4.8 "PROCEDURES WHICH DESCRIBE THE TIMELY AND CORRECT SAFETY STATUS ASSESSMENT WHEN THE SPDS IS AND IS NOT AVAILABLE WILL BE DEVELOPED BY THE LICENSEE IN PARALLEL WITH THE SPDS. FURTHERMORE, OPERATORS SHOULD BE TRAINED TO RESPOND TO ACCIDENT CONDITIONS BOTH WITH AND WITHOUT THE SPDS AVAILABLE."
4.8.1 Audit Team Observations
Operator training in the use of the SPDS is incorporated into training on the use of plant Functional Response Guidelines. This training is required for operator licensing and requalification.
The Seabrook SPDS basically provides an automated means to continuously evaluate the Critical Safety Function Status Trees contained in the plant Emergency Operating Procedures. If the SPDS is unavailable, the operators will perform the same status tree evaluation manually using paper copies of the status trees and hardwired plant instrumentation located on the main control board.
4.8.2 Audit Team Assessment
PSNH has satisfied the requirements of Supplement 1 to NUREG-0737 in this regard.
4.9 "THE SPDS DISPLAY SHALL BE DESIGNED TO INCORPORATE ACCEPTED HUMAN FACTORS PRINCIPLES SO THAT THE DISPLAYED INFORMATION CAN BE READILY PERCEIVED AND COMPREHENDED BY SPDS USERS."
4.9.1 Audit Team Observations
The basic format of the Critical Safety Function Status Trees was developed by Westinghouse using their human factors design criteria and input from utility representatives participating in the Westinghouse Owners Group. Except for use of control room color coding and nomenclature conventions, PSNH did not establish formal human factors criteria for use in the development of the Main Plant Computer implementation of the SPDS on the MPC. However, a complete human factors review of the SPDS displays and operator interfaces was incorporated into the ... Control Room Design Review and no human engineering discrepancies were noted.
During the audit the audit team operated the SPDS to access and observe all displays. The following human engineering discrepancies were noted:
o The Containment Isolation Status indication is not arranged such that an operator at the primary SPDS user's (STA) station can readily determine if all automatic containment isolation valves have closed.
o Access from the overview display to the first two CSF status trees selected by the operator requires considerable cursor movement and simultaneous operation of two keyboard keys. Selection of subsequent status trees is easier.
o On one tree a parameter value is displayed in a location that is inconsistent with the standard format.
o Although the CSF status trees provide both a color and pattern coding of the CSF status, the overview display only provides color coding.
4.9.2 Audit Team Assessment
Seabrook's SPDS will satisfy the NUREG-0737, Supplement 1 requirement to incorporate human factors principles provided the above noted problem with the layout of the Containment Isolation Status display is corrected. The remaining human engineering deficiencies noted during the audit are not severe problems. Nevertheless, PSNH is encouraged to correct these discrepancies. PSNH should describe to NRC the corrective action taken in this area.
The noted difficulty in accessing the lower level SPDS displays should be evaluated as a potential source of the operators' reluctance to use the status tree displays.
5. SUMMARY
The Seabrook Station Safety Parameter Display System only partially fulfills the SPDS requirements of Supplement 1 to NUREG-0737. The system deficiencies that lead to this conclusion are:
o The status of containment isolation valves is not displayed concisely so that an operator at the primary SPDS terminal can readily determine if containment isolation has been satisfactorily completed.
o The SPDS does not allow assessment of heat sink status during post accident cool down after the steam generators are no longer the desired heat sink for the primary system.
o The SPDS does not provide indication if hydrogen concentration in containment poses a challenge to the Containment Critical Safety Function.
o Indication of the status of the Radiological Control Critical Safety Function has not yet been implemented.
o The data validation algorithms used do not take advantage of redundant information to provide the operator and SPDS logic with highly reliable values of SPDS parameters.
o During normal power operation, the SPDS provides an erroneous status indication for the reactivity control and core cooling CSFs.
o PSNH has not demonstrated that SPDS update and response times will not be unacceptably affected by the high Main Plant Computer loading conditions expected to occur during response to a severe plant upset.
o The simulated response to a plant accident witnessed by the audit team indicated that the Seabrook operators do not find the Critical Safety Function Status Trees to be a significant aid.
o Information from which the safety status of the plant can be assessed is not continuously displayed by the SPDS.
In addition to the above problems the audit team noted a few items which would not by themselves inhibit acceptance of the SPDS. Nevertheless, PSNH should consider these items for correction.
o The limits selected for use in checking data reasonableness are in some cases well outside of the reasonable range of the variable.
o The first two Critical Safety Function Status Trees called up after display of the CSF overview are somewhat awkward to address.
o On one status tree one parameter is displayed in a location that is inconsistent with the convention used for all other parameter values.
o The Critical Safety Function overview display does not incorporate pattern coding of safety function status as a backup to color coding.
PSNH should report to NRC on the actions taken to correct the problems listed above.
Although Verification and Validation of the SPDS design and implementation is not a regulatory requirement, the SPDS development process at Seabrook would have benefited significantly from a formal, rigorous V & V program. In the absence of a documented review by PSNH to verify that the Seabrook system meets the SPDS requirements of Supplement 1 to NUREG-0737, additional NRC review would be needed to determine if the problems listed above represent a complete list of the shortcomings of the system. It is recommended that PSNH conduct a thorough review of the Seabrook SPDS against the requirements of Supplement 1 to NUREG-0737 and report the methodology and results to NRC.
Although SPDS validation testing was incorporated into the verification and validation process for the Westinghouse Owners Group Emergency Response and Functional Response Guidelines, insufficient information is available ... assessment of the suitability of this testing. The fact that the Seabrook operators did not choose to access any Critical Safety Function Status Trees during the simulator drill witnessed by the audit team implies the existence of difficulties with the use of the system that were not detected by the original validation testing. It is recommended that PSNH review the adequacy of the original validation testing. PSNH should provide the details of this testing or any additional validation testing for NRC review. Specific information that should be included is discussed in Sec. 3.3.2 of this report.
Subsystem and field installation verification testing of the Seabrook SPDS has not been completed and PSNH has not documented the plans for the completion of this testing. Therefore, a final conclusion regarding the suitability of this testing could not be reached. Testing conducted to date, however, indicates that PSNH understands the need for and purpose of verification testing. Consequently, if subsystem and field installation verification testing proceeds in a manner that is consistent with the testing to date, PSNH will comply with the intent of Sec. 18.2 of NUREG-0800 and NSAC/39 in this regard.
The audit team recommends that a sensor-to-display test of the SPDS be included in the field verification test program. PSNH should provide NRC with a discussion of the remaining system and field installation verification activities.
6. REFERENCES
1. U.S. Nuclear Regulatory Commission, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980, Supplement 1, December 1982.
2. U.S. Nuclear Regulatory Commission, NUREG-0800, "Standard Review Plan for Review of Safety Analysis Reports for Nuclear Power Plants," Sec. 18.1, Control Room, Rev. 0, September 1984 and Sec. 18.2, Human Factors Review Guidelines for the Safety Parameter Display System (SPDS), Rev. 0, November 1984.
3. Verification and Validation for Safety Parameter Display Systems, NSAC/39, Science Applications, Inc., December 1981.
4. U.S. Nuclear Regulatory Commission, NUREG-0700, "Guidelines for Control Room Design Review," September 1981.
5. U.S. Nuclear Regulatory Commission, NUREG-0835, "Human Factors Acceptance Criteria for the Safety Parameter Display System."
6. U.S. Nuclear Regulatory Commission, NUREG-0696, "Functional Criteria for Emergency Response Facilities," February 1981.
7. Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs During and Following an Accident, Regulatory Guide 1.97, Rev. 2, Nuclear Regulatory Commission, Office of Standards Development, December 1980.
8. PX09-7, Rev. 1, "Main Plant Computer System Hardware Configuration Manual," January 24, 1986.
9. PX09-1, Rev. 0, "Main Plant Computer System Functional Description," April 12, 1984.
10. DWG M-510004, Rev. 48, "Computer Input-Output Parts List," May 9, 1986.
11. GT-t-42, Rev. 11, "General Test Procedure, Station Computer," October 31, 1984.
12. GT-I-07, Rev. II, "General Test Procedure Indicating/Control Loops," December 19, 1984.
13. GT-1-101, Rev. 0, "Main Plant Computer System," May 12, 1983.
14. "Computer Program Test, Inventory Critical Safety Function Status Tree," Rev. 0, May 19, 1986.
15. "SPDS Inventory Critical Safety Function Status Tree Subroutine," Rev. 0, May 20, 1986.
16. "... Inventory Critical Safety Function Status Tree ... Description," Rev. 0, May 19, 1986.
17. "SPDS Functional Requirements for Seabrook Unit 1 Main Plant Computer Software Development," (for Inventory Status) no revision or date.
18. "Background Information for Westinghouse Owners Group Emergency Response Guidelines; Critical Safety Function Status Tree FPO.6; Inventory," HP/LP-Rev. 1, September 1, 1983.
19. "Main Plant Computer Program Subroutine," for engineering units conversion.
20. "Main Plant Computer Program Subroutine," for checking data against reasonableness limits.
21. "New Hampshire Yankee Nuclear Production Computer Control Program Manual," Rev. 0, December 24, 1985.
22. Test procedure, "SPDS Graphics Test."
23. Seabrook Station General Test Procedure, TPI-62-F01, Rev. 2, "Radiation Monitoring System and Adjacent-to-Line Radiation Monitors."
24. "Gulf General Atomic Model RM-80, E-Il5-870 Microprocessor Software Design Document."
26. "Seabrook Station Emergency Response Facility Functional Description."