ML20215H772

| Field | Value |
|---|---|
| Site | Rancho Seco |
| Issue date | 05/01/1987 |
| From | Knighton G, Office of Nuclear Reactor Regulation |
| To | Julie Ward, SACRAMENTO MUNICIPAL UTILITY DISTRICT |
| References | RTR-REGGD-01.097, RTR-REGGD-1.097 NUDOCS 8705070038 |
| Download | ML20215H772 (18) |

Text
1 MAY 1987

Docket No. 50-312

DISTRIBUTION: NRC PDR, Local PDR, DMCrutchfield, GMHolahan, JLee, GKalman, OGC-Bethesda, EJordan, JPartlow, ACRS(10)

Mr. John E. Ward
Assistant General Manager, Nuclear
Sacramento Municipal Utility District
6201 S Street
Post Office Box 15830
Sacramento, California 95813
Dear Mr. Ward:
SUBJECT: AUDIT REPORT OF THE SAFETY PARAMETER DISPLAY SYSTEM
During February 9-12, 1987, the Nuclear Regulatory Commission staff conducted an audit at the Babcock and Wilcox facility in Lynchburg, Virginia of the Rancho Seco Safety Parameter Display System (SPDS). This audit was the most recent in a series of NRC/SMUD interfaces dealing with the SPDS as it pertains to Regulatory Guide (R.G.) 1.97 requirements. Enclosure 1 of this letter includes a report of the audit in Lynchburg and a status of the SPDS issue.
In response to this letter we request that you submit a schedule for resolution of the remaining outstanding items which are identified in the audit report.
Your schedule should include:
(1) projected date for testing the SPDS related isolation devices, and
(2) projected date for completing verification and validation (V&V) of the SPDS program.
We tentatively plan to observe both evolutions. The onsite observation will ensure a more thorough review and will expedite our evaluations of these areas.
Based on our analysis of the enclosed audit report we have the following recommendations to effect resolution of the outstanding items:
(1) The verification of the software should be expanded to include structural testing. One method of structural testing is by verifying access, during test, to each branch of the code.
(2) One deficiency noted in the validation process was in the resolution of discrepancies resulting from erroneous acceptance criteria (expected results). We recommend that greater effort be made to establish accurate acceptance criteria and to enforce the discrepancy resolution procedures.
(3) The licensee should provide additional information on alarm acknowledgement within the upgraded SPDS. The staff needs data on system response when there are multiple alarms and the operator wants to clear only one alarm.
(4) The final V&V Report should be reviewed and evaluated by the staff.
(5) Once operational, the availability of the upgraded SPDS should be confirmed by frequent reports to the staff. The frequency of the reports may be decreased depending on the availability of the display system through the first several reporting periods.
As previously discussed, an operable SPDS, qualified to R.G. 1.97 criteria, is a plant restart prerequisite. Your method of resolution of the remaining R.G. 1.97 requirements and the proposed schedule for completing these requirements is currently under review and will be addressed by separate correspondence. We will continue to work closely with your staff to resolve these issues expeditiously and in a technically sound manner.
George W. Knighton, Director
Project Directorate V
Division of Reactor Projects - III/IV/V & Special Projects

cc: See next page

Concurrence: DRSP/PD5 GKalman, GKnighton; RES (LBeltracchi); 5/ /87. OFFICIAL RECORD COPY
Mr. John E. Ward
Sacramento Municipal Utility District
Rancho Seco Nuclear Generating Station

cc:

Mr. David S. Kaplan, Secretary and General Counsel, Sacramento Municipal Utility District, 6201 S Street, P. O. Box 15830, Sacramento, California 95813

Thomas A. Baxter, Esq., Shaw, Pittman, Potts & Trowbridge, 2300 N Street, N.W., Washington, D.C. 20037

Mr. Ron Columbo, Sacramento Municipal Utility District, Rancho Seco Nuclear Generating Station, 4440 Twin Cities Road, Herald, California 95638-9799

Mr. Robert B. Borsum, Babcock & Wilcox, Nuclear Power Generation Division, Suite 220, 7910 Woodmont Avenue, Bethesda, Maryland 20814

Resident Inspector / Rancho Seco, c/o U. S. N. R. C., 14410 Twin Cities Road, Herald, California 95638

Regional Administrator, Region V, U. S. Nuclear Regulatory Commission, 1450 Maria Lane, Suite 210, Walnut Creek, California 94596

Mr. Joseph O. Ward, Chief, Radiological Health Branch, State Department of Health Services, 714 P Street, Office Building #8, Sacramento, California 95814

Sacramento County Board of Supervisors, 827 7th Street, Room 424, Sacramento, California 95814

Ms. Helen Hubbard, P. O. Box 63, Sunol, California 94586
ENCLOSURE 1

DESIGN VERIFICATION AND DESIGN VALIDATION AUDIT OF THE UPGRADED SAFETY PARAMETER DISPLAY SYSTEM FOR THE SACRAMENTO MUNICIPAL UTILITY DISTRICT RANCHO SECO NUCLEAR GENERATING STATION

1 INTRODUCTION

This report evaluates the upgraded Rancho Seco safety-grade, Regulatory Guide 1.97 (RG 1.97) [1] display system using the criteria presented in applicable Nuclear Regulatory Commission (NRC) documents. The Rancho Seco Nuclear Generating Station is a Babcock and Wilcox (B&W) nuclear power plant owned and operated by the Sacramento Municipal Utility District (SMUD). The plant is located near Sacramento, California.
Section 2 of this report provides background information regarding the Rancho Seco upgraded safety grade display system. An evaluation of the RG 1.97 display system is presented in Section 3.
The results of the audit are summarized in Section 4.
Section 5 lists the references used in this report.
2 BACKGROUND

From September 29 to October 2, 1986, the Plant Electrical, Instrumentation and Control Systems Branch, Division of PWR Licensing B, Office of Nuclear Reactor Regulation, NRC conducted an audit at the Rancho Seco plant site. The scope of the audit was to collect and evaluate data in the SMUD Action Plan for Performance Improvement, the Detailed Control Room Design Review, and the upgrade of the Safety Parameter Display System (SPDS).
The Rancho Seco SPDS was upgraded to safety-grade status based on requirements developed in response to the December, 1985 overcooling event at Rancho Seco.
This upgrade of the SPDS required the NRC staff to reevaluate the system for conformance with RG 1.97 and RG 1.152 [2] requirements.
The licensee estimated that the upgrade of the SPDS would be complete in January, 1987.
The staff conducted an audit of the Rancho Seco RG 1.97 display system from February 9 through February 12, 1987. The purpose of this audit was to collect and evaluate sufficient data to allow the NRC staff to prepare a Safety Evaluation Report (SER) for the upgraded system. The audit was based on the criteria specified in RG 1.97 and RG 1.152.
The scope of the audit required that the licensee provide the following documentation at the audit site:
1. Display system functional requirements
2. A listing of the software code
3. Test plans and procedures
4. All products from the verification and validation (V&V) activities
5. Post-installation test plans and test reports

The licensee provided the following information at the audit site:
1. Rancho Seco SPDS Functional Description [3]
2. SMUD Draft SPDS Description [4]
3. Design specifications of the ANATEC Process Control System
4. Handwritten worksheets describing selected multiplexer isolation device leakage analyses performed by SMUD
5. A proprietary listing of the software code
6. Worksheets for the Decay Heat Removal System (DHRS) Flow Alert logic
7. Test results worksheets for T-Cold, Loop A and B, for the Post-Trip P-T display, the Normal P-T display, the Low Temperature P-T display, and the Alphanumeric Page display
8. Test results worksheet for T-Hot, Loop A, Post-Trip P-T display
9. Documentation for conducting on-paper walk-throughs from sensor to display of a containment pressure signal and a cold leg temperature signal
10. Capabilities Matrix
11. Itemized listing of various SMUD documents regarding SPDS V&V
12. Comparison of SMUD SPDS V&V to Regulatory Guide 1.152 [5] [2]
3 EVALUATION OF THE RG 1.97 DISPLAY SYSTEM

The purpose of this section is to summarize the findings for each of the audit topics covered by the reviewer.

3.1 Equipment Qualification

A schematic of the SPDS/RG 1.97 system is shown in Attachment 1.
Multiplexers 1 and 4 (H4CDAR1 and H4CDAR4, respectively) are indicated on this drawing with the letters "TE".
The distinction between these multiplexers and the Class lE multiplexers is the sensor input classifications.
The multiplexer differentiation in the Attachment 1 schematic implies that the sensor channels listed in Table 1, below, do not meet the Category 1 or 2 qualification criteria.
The parameters in the SPDS/RG 1.97 signal list attached to the functional requirements document were compared to the parameters listed in RG 1.97.
This comparison indicated that 8 Category 1 signals and 11 Category 2 signals are processed by multiplexers H4CDAR1 or H4CDAR4. These signals are listed in Table 1.
TABLE 1. CATEGORY 1 AND 2 PARAMETERS PROCESSED BY MULTIPLEXERS 1 AND 4

| Mux | Parameter | SPDS List Point ID | Reqd Cat. (RG 1.97) |
|---|---|---|---|
| H4CDAR1 | Neutron Flux | 1-8 | 1 |
| H4CDAR1 | Makeup Flow - In | 47,99 | 2 |
| H4CDAR1 | Letdown Flow - Out | 48,98 | 2 |
| H4CDAR1 & 4 | Volume Ctrl Tnk Lvl | 46,102 | 2 |
| H4CDAR1 | Cntnmnt Effluent | 105,107 | 2 |
| H4CDAR1 | Aux Bldg Effluent | 106 | 2 |
| H4CDAR1 | SG Valve Effluent | 108,109 | 2 |
The licensee stated that the neutron flux instrumentation will be upgraded to Class 1E during the Cycle 8 outage.
The Category 2 parameters in Table 1 were evaluated with respect to RG 1.97 power supply and equipment qualification criteria. The power supplies for H4CDAR1 and H4CDAR4 have the recommended battery backups. The equipment qualification criteria are not required for these multiplexers because they are located in a mild environment. Therefore, the signals in Table 1 are acceptable for the RG 1.97 display system.
In addition to the neutron flux instrumentation upgrade, SMUD proposes to add reactor vessel level instrumentation during the next plant outage.
The NRC staff is evaluating the acceptability of the proposed delayed implementation of the RG 1.97 requirements.
3.2 System Design

Comments regarding the SPDS/RG 1.97 system design are summarized in the following subsections.

3.2.1 System Description
The functional requirements document briefly describes the purpose of the SPDS/RG 1.97 display system and explains how the design addresses the design objectives. Other documents describing data requirements, system specifications, program specifications, and data base specifications were required to complete the system review.
In addition to the software, the system consists of the following hardware components:
- 2 ANATEC sensor input channels
- 2 ANATEC central control units (CCUs)
- 2 B&W SPDS display computers
- 2 IDT 2200 video generators
- 2 IDT seismically qualified color video monitors
- 2 B&W pushbutton control panels
SMUD will submit a schematic of the hardware configuration prior to the post-implementation audit. This schematic will replace the preliminary version shown in Attachment I to this report. The final system description will identify the isolators, power supplies, and system components.
The sensor input channels (Trains A and B) were connected to each of the CCUs to provide additional redundancy. The sensor trains are polled by a CCU switching unit (CSU) to allow both CCUs to access data in both channels. With this configuration, only one CCU can process data from a particular train during any given clock cycle.
It appears that this redundancy is not required and that it has resulted in adding more isolation devices to the system. Nevertheless, this redundancy does provide increased data validation capabilities, which can benefit system performance.
Isolation device qualification is addressed in Section 3.2.6.
If the CSU fails, the Train B CCU will be lost. This condition will result in a limiting condition of operation (LCO). The licensee committed to submit the upgraded SPDS-related Technical Specifications to the NRC prior to plant restart.
The NRC requested that SMUD provide a comparison of their digital system availability with that of an equivalent analog system.
This request was in response to SMUD's use of the 0.01 unavailability guideline set forth in NUREG-0696 [6]. Since this system processes RG 1.97 signals, the staff believes that NUREG-0696 is not the appropriate reference for benchmarking the RG 1.97 display system availability. NUREG-0696 is applicable only to non-Class 1E systems. SMUD replied that the NUREG-0696 availability criteria were used because RG 1.97 does not provide specific limits on availability.
Detailed quantitative studies comparing analog and digital SPDS/RG 1.97 availabilities have not been performed.
However, an investigation of the South Texas Project Quality Data Processing System [7] revealed that, qualitatively, the digital system availability was slightly better than an equivalent analog system. SMUD is encouraged to review this document and determine its applicability to Rancho Seco.
The reviewer believes that the conversion from an analog system to a digital system is justifiable. The use of digital systems in nuclear power plants is supported by EPRI, and by B&W and other reactor vendors.
Precedents have been established for changing from analog to digital systems where high availability is a significant factor.
For example, Boeing formally committed to the use of digital control systems in the Boeing 757/767 programs [8]. Nevertheless, without quantitative data, the availability of the RG 1.97 display system should be confirmed by frequent reports to the staff regarding system operation. The frequency of the reports may be decreased, depending on the availability of the display system through the first several reporting periods.
3.2.2 Display Configuration

The SPDS/RG 1.97 displays were shown on the same model CRT as will be used at the plant.
The displays were well-conceived and easy to interpret.
Minor deficiencies regarding the use of dark blue on a black background were noted by B&W and SMUD personnel. These deficiencies will be corrected prior to system installation. This audit did not include the human factors aspects of these displays.
The system was initialized as part of the system demonstration. The initialization process is self-driven and provides pertinent information with regard to hardware status. When no hardware errors are identified, the system displays the status messages for a brief period, then overwrites the status display with the Post-Trip P-T display. The final evaluation of display configurations will be determined following a human factors review of the display formats.
The parameters selected for the RG 1.97 portions of the SPDS were reviewed in February 1985 [9]. The results of that review were transmitted to SMUD in August 1985 [10].

3.2.3 Data Validity

Drawings and related documents were provided for an on-paper walk-through of two signals: containment pressure and cold leg temperature.
The walk-throughs were conducted from the sensor to the display screen.
The drawings used for the hardware portion of the walk-throughs needed to be updated, and at one location, a discontinuity in the signal flow path for the cold leg temperature sensor channel was discovered. Nevertheless, the audit team was satisfied with the traceability of the two sensor leads. The audit team was assured that the drawings would be updated prior to restart.
The two signals were also traced through the software portion of the system.
The software walk-through was aided by the modular design of the programs. The input signals were successfully traced from the input routines to the display screens.
It was evident from the two signal walk-throughs that a sensor signal could be traced from end to end.
Data validity is also addressed in the system design by using two redundant sensor trains. The signals from the trains-are compared in the software portion of the system. Most of the data validity involves comparing the signals between two or more similar signals and checking the hardware status flag for each signal.
Data validation is used for detecting instrument inaccuracies. Signals representing the same parameter are used to determine possible deviations from measurement accuracy.
If the two signals deviate by more than five times the measurement accuracy, the signals are flagged as questionable.
Instrument ranges in the software tables are also used to provide data validation for many of the signals.
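The redundant-train comparison described above, as an added illustration (not SPDS code): each train's reading is checked against its hardware status flag and the software-table instrument range, and the pair is flagged questionable when the readings differ by more than five times the measurement accuracy. The data layout, the flag and status names, the choice of train A as the displayed value, and the sample cold leg channel are assumptions.

```python
"""Redundant-train data validation in the style described for the
Rancho Seco SPDS: compare the Train A and Train B readings of one
parameter, check each hardware status flag, check the software-table
instrument range, and flag the pair as questionable when the readings
differ by more than five times the measurement accuracy.

Added illustration, not SPDS code. The data layout, flag names, status
names and the displayed-value choice are assumptions; the five-times-
accuracy rule and the range check are the ones the audit report describes.
"""
from dataclasses import dataclass

DEVIATION_FACTOR = 5.0  # flag when |A - B| > 5 x measurement accuracy


@dataclass(frozen=True)
class Reading:
    value: float
    hw_ok: bool  # hardware status flag for this signal (assumed boolean)


@dataclass(frozen=True)
class Parameter:
    name: str
    lo: float        # software-table instrument range (assumed fields)
    hi: float
    accuracy: float  # measurement accuracy in engineering units


def in_range(p: Parameter, r: Reading) -> bool:
    return p.lo <= r.value <= p.hi


def validate(p: Parameter, a: Reading, b: Reading) -> dict:
    """Return per-train status, the value to display and a validity flag.

    Status values (assumed): "good", "bad" (hardware fault or out of range),
    "questionable" (both trains usable but they disagree). The display
    value is None when neither train is usable, which a display layer
    would render as the report's "?" marker.
    """
    status = {}
    for train, r in (("A", a), ("B", b)):
        status[train] = "good" if (r.hw_ok and in_range(p, r)) else "bad"
    usable = [t for t, s in status.items() if s == "good"]
    if len(usable) == 2:
        if abs(a.value - b.value) > DEVIATION_FACTOR * p.accuracy:
            status["A"] = status["B"] = "questionable"
            return {"status": status, "display": a.value, "valid": False}
        # Trains agree; train A is shown (assumption, either would do).
        return {"status": status, "display": a.value, "valid": True}
    if len(usable) == 1:
        r = a if usable[0] == "A" else b
        return {"status": status, "display": r.value, "valid": True}
    return {"status": status, "display": None, "valid": False}


# Constructed sample channel: cold leg temperature, 0-700 degF range,
# 2 degF measurement accuracy (values chosen for illustration only).
T_COLD = Parameter("T-Cold Loop A", lo=0.0, hi=700.0, accuracy=2.0)

if __name__ == "__main__":
    print(validate(T_COLD, Reading(554.0, True), Reading(556.0, True)))   # good
    print(validate(T_COLD, Reading(554.0, True), Reading(570.0, True)))   # questionable
    print(validate(T_COLD, Reading(554.0, True), Reading(800.0, True)))   # B out of range
    print(validate(T_COLD, Reading(554.0, False), Reading(556.0, False)))  # no usable train
```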
3.2.4 Maintenance and Configuration Control

Maintenance is presently performed on an as-needed basis, but will be performed in the future on a scheduled preventive maintenance basis.
The schedule will be developed after restart.
The ANATEC CCUs use Motorola 6800 chips for the central processor unit. ANATEC no longer manufactures this equipment, and spares are not available if this equipment fails.
B&W and SMUD have indicated that this is not a concern because this equipment is very reliable. Neither B&W nor SMUD have made provisions for replacing the CCUs. This approach will satisfy the short-term requirements for the system, but may cause availability problems in the future.
The SMUD personnel did not have a contingency plan for replacing a failed backplane or other critical components. One response indicated that components might be repaired on-site. A limiting condition of operation (LCO) will be included in the Technical Specifications for failure of a CCU.
SMUD purchased a significant quantity of multiplexer spares.
These spares will be kept on-site as emergency replacements. Other equipment will also be kept available.
3.2.5 Security

The computer hardware is located in the control room, which is a secured area.
Software security was addressed by electronically storing the validated software logic in read-only memory (ROM) computer chips, which are part of the computer hardware.
3.2.6 Isolation Devices

A schematic of the SPDS/RG 1.97 configuration is shown in Attachment 1.
The isolation devices considered in this section are indicated on the schematic as isolator types 6, 8, and 9.
Since the upgraded safety parameter display system processes both RG 1.97 Category 1 (Class 1E) signals and Class 2 (non-Class 1E) signals, the Class 2 isolators must isolate the Class 1E components from the Class 2 components.
Additionally, Train "A" components must be isolated from Train "B" components, and the redundant buses within the trains must be isolated from each other.
The Class 1E components are to be isolated from Class 2 component failures using the No. 6 and No. 8 type isolators.
The No. 6 isolators were electrically tested, but failed during the tests. The test results indicated that the No. 6 isolator leakage was less than 500 mV. However, the test results did not demonstrate that 500 mV would be the maximum leakage.
SMUD performed an analysis to determine the effect of a 500 mV leakage on the Class 1E inputs to a multiplexer circuit board. Worksheets describing the analysis are shown in Attachment 2.
The worksheets indicate that a 500 mV leakage will result in a 0.24 mV potential at the 1E input. The worksheets do not show the effect of this voltage on the 1E circuitry.
The Class 1E signals are to be isolated from Class 2 system failures using the No. 8 bus isolators. These isolators are also used to isolate the redundant Trains A and B from each other. The capability of these isolators to prevent signal leakage in either direction must be demonstrated. The licensee has verbally agreed to perform the required testing on these components. The results of these tests were not available at the audit.
The CCUs are to be isolated from the non-1E plant IDADS computer (reference ) by the No. 9 isolators. These isolators also failed during electrical testing. As with the No. 6 isolators, the tests did not demonstrate that 500 mV was the maximum leakage or that the Class 1E circuits would be properly protected from faults in the non-Class 1E circuits.
Given the tight schedule for plant restart, qualification of the isolation devices is considered a critical path item. These isolators must be approved for use in Class 1E circuits before the requirements of RG 1.97 can be satisfied.
The tests should be performed and the results docketed as soon as possible.
3.3 System Verification and Validation

Sohar, Inc. performed the system V&V. Their audit report is included in this report as Appendix A. Sohar's recommendations are summarized in this section.
Sohar, Inc. recommends that the verification be expanded to include structural testing of the software system.
A deficiency noted in the validation process was in the resolution of discrepancies resulting from erroneous acceptance criteria (expected results).
It is recommended that greater effort be made to establish accurate acceptance criteria and to enforce the discrepancy resolution procedures.
It is recommended that the final V&V reports, including all discrepancies and their resolutions, be audited.
3.4 Use of RG 1.97 Display System in Plant Operation

The SPDS is designed to be used by the operators during normal plant operations to advise the operator of approaches to operating limits.
Upon plant trip, the SPDS automatically switches to the RG 1.97 ATOG P-T display and provides the operator with RG 1.97 information. Alarms are indicated on all displays and may be acknowledged or investigated using a single pushbutton.
Alarm acknowledgement is discussed in the SPDS functional description document.
The document indicates that alarms may be cleared from the screen by pushing a button. The document does not say what the effect will be if there are multiple alarms, and the operator wants to clear only one alarm. This should be clarified by either formal correspondence or a telephone conversation between the staff and cognizant SMUD personnel.
B&W demonstrated the RG 1.97 display system at the Lynchburg facility.
It was not possible to determine the time delay from when a sensor signal is sampled to when it is displayed or to compare the display time response to the response of other instruments in the control room.
The RG 1.97 display screens were shown during the demonstration.
Invalid data were displayed with a question mark (?).
Other than these superficial checks, no other assessment of the RG 1.97 display system operability was performed. A demonstration of the system after it is installed at the plant will be required before the staff can complete the system evaluation.
4 CONCLUSIONS

The Rancho Seco SPDS was upgraded to incorporate RG 1.97 requirements. This required the staff to review the system with regard to guidelines set forth in RG 1.97.
The audit was incomplete, because the RG 1.97 display system was not installed in the plant.
Except for the neutron power and the reactor vessel level parameters, the RG 1.97 display system sufficiently indicates the status of critical plant conditions. The licensee proposes to add these two parameters to the display system during the next refueling outage.
The availability of the RG 1.97 display system should be confirmed by frequent reports to the staff regarding system operation. The frequency of the reports may be decreased, depending on the availability of the display system through the first several reporting periods.
The Class 1E isolation devices have not been completely tested, and the restart date for Rancho Seco may be impacted by the test schedule for these devices.
The isolation devices must be electrically tested and approved for use in Class 1E circuits before the Rancho Seco RG 1.97 display system can be approved by the staff.
Sohar, Inc. recommends that the verification be expanded to include structural testing of the software system.
One deficiency noted in the validation process was in the resolution of discrepancies resulting from erroneous acceptance criteria (expected results).
Additionally, it is recommended that greater effort be made to establish accurate acceptance criteria and to enforce the discrepancy resolution procedures.
It is also recommended that the final V&V reports, including all discrepancies and their resolutions, be audited.
Except for the isolation device testing and the discrepancies discovered by the V&V audit (Appendix A), the RG 1.97 display system appears to conform to RG 1.97 guidelines.
5 REFERENCES

1. U. S. Nuclear Regulatory Commission, Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," Revision 3, May 1983.
2. U. S. Nuclear Regulatory Commission, Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants," November 1985.
3. Babcock & Wilcox Power Generation Group, "Rancho Seco, Safety Parameter Display System Functional Description," February 2, 1987.
4. Babcock & Wilcox Power Generation Group (assumed author), "SMUD Safety Parameter Display System (Draft)," May 21, 1982.
5. T. Daughtrey, Power Computing Company, "Comparison of SMUD SPDS V&V to Regulatory Guide 1.152," February 1987.
6. U. S. Nuclear Regulatory Commission, NUREG-0696, "Functional Criteria for Emergency Response Facilities," February 1981.
7. J. P. Poloski, Review of South Texas Project Quality Data Processing System Reliability Study (Draft Technical Evaluation Report), EGG-REQ-7542, February 1987.
8. R. A. Erickson, "Sensitivity of a Micro-Processor Based Control System to Variation in Fault Tolerant Parameters," Power Plant Digital Control and Fault-Tolerant Microcomputers Seminar, Scottsdale, Arizona, April 9-12, 1985.
9. A. C. Udy, Conformance to Regulatory Guide 1.97, Rancho Seco Nuclear Generating Station, EG&G Idaho Interim Report, February 1985.
10. Letter from J. F. Stolz, Operating Reactors Branch #4, Division of Licensing, NRC, to R. J. Rodriguez, Assistant General Manager, Nuclear, Sacramento Municipal Utility District, "Conformance to Regulatory Guide 1.97 Request for Additional Information," August 19, 1985.
APPENDIX A

SOHAR AUDIT REPORT
RANCHO SECO SAFETY GRADE SPDS SOFTWARE VERIFICATION