ML20237H242
| ML20237H242 | |
| Person / Time | |
|---|---|
| Site: | Beaver Valley |
| Issue date: | 08/13/1987 |
| From: | Stolz J Office of Nuclear Reactor Regulation |
| To: | Carey J DUQUESNE LIGHT CO. |
| References | |
| NUDOCS 8708170115 | |
| Download: ML20237H242 (80) | |
Text
- _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __
i l
August 13, 1987 l b
Docket No. 50-412 g/h l
Mr. J. J. Carey, Senior Vice President Duquesne Light Company Nuclear Grour Post Office Box 4 Shippingport, PA 15077 )
l
Dear Mr. Carey:
SUBJECT:
BEAVER VALLEY UNIT 2 - ISSUANCE OF SUPPLEMENT 6 TO THE SER (SSER 6)
We have issued SSER 6. Enclosed is an advance copy of the subject document. )
l Bound copies will be available in a few days and will be distributed according )
to our service list.
! Sincerely, 1
b John F. Stolz, Director Project Directorate I-4 Division of Reactor Projects I/II
Enclosure:
As stated '
cc w/o enclosure:
See next page Distribution:
Docket File NRC & LPDRs PDI-4 Files SVarga BBoger PTam SNorris OGC-Beth EJordan JPartlow ACRS 10
/
~/
I-SNhhsPDI 4 j PDI-4gS-7i PTam() J tolz
@ / /.1/87 F/f3/87 {/p/87 8708170115 870813 PDR ADOCK 05000412 O PDR
Mr. J. J. Carey Duquesne Light Company Beaver Valley 2 Power Station I CC:
Gerald Charnoff, Esq. Mr. R. E. Martin, Manager Jay E. Silberg, Esq.
Regulatory Affairs Shaw, Pittman, Potts & Trowbridge Duquesne Light Company 2300 N Street, N.W. Beaver Valley Two Project Washington, DC 20037 P. O. Box 328 Shippingport, Pennsylvania 15077 Mr. C. W. Ewing, Quality Assurance Pennsylvania Office of Consumer Manager Advocate.
l Quality Assurance Department ATTN: Michael Bardee !
l Duquesne Light Company 1425 Strawberry Square P. O. Box 186 Harrisburg, Pennsylvania 17120 Shippingport, Pennsylvania 15077 l
John.D. Burrows, P.E.
Director, Pennsylvania Emergency Dimetor of Utilities Management Agency State of Ohio Room B-151 .
Public Utilities Comission Transportation & Safety Building 180 East Broad Street Harrisburg, Pennsylvania 17120 Columbus, Ohio 43266-0573 Mr. T. J. Lex Bureau of Radiation -Protection Westinghouse Electric Corporation PA Department of Environmental Power Systems Resources P. O. Box 355 ATTN: R. Janati
- Pittsburgh, Pennsylvania 15230 P.O. Box 2063 Harrisburg, Pennsylvania 17120 l Mr. P. RaySircar Stone & Webster Engineering Corporation BVPS-2 Records Management Supervisor P. O. Box 2325 Duquesne Light Company Boston, Massachusetts 02107 Post Office Box 4 Shippingport, Pennsylvania 15077 Mr. J. Beall U. S. NRC John A. Lee, Esq.
P. O. 181 Duquesne Light Company
, Shippingport, Pennsylvania 15077 1 0xford Centre i
301 Grant Street Regional Administrator, Region I Pittsburgh, Pennsylvania 15279 U.S. Nuclear Regulatory Commission 631 Park Avenue King of Prussia, Pennsylvania 19406 1
i i
~
ABSTRACT This report,. Supplement No. 6 to the Safety Evaluation Report for the applica-tion filed.by the Duquesne Light Company et al. (the licensee) for a license
-to operate the Beaver Valley Power Station, Unit 2 (Docket No. 50-412), has been prepared by the Office of Nuclear Reactor Regulation of the U.S. Nuclear Regulatory Commission. 'This supplement reports the. status.of certain. items that had not been resolved when the Safety Evaluation Report and its Supple-ments 1, 2, 3, 4, and 5 were published.
l 1 -
i i l l
1 s
i I
i l
Beaver Valley 2 SSER 6 iii
l
?
TABLE OF CONTENTS Page Abstract ............................................................. iii 1 INTRODUCTION AND GENERAL DISCUSSION ............................. 1-1 1.1 Introduction ............................................... 1-1 i 3 DESIGN CRITERIA FOR STRUCTURES, SYSTEMS, AND COMPONENTS ....... . 3 3.10 Seismic and Dynamic Qualification of Service Category I Mechanical and Electrical Equipment ........................ 3-1 l t
3.10.1 Seismic and Dynamic Qualification of Electrical and Mechanical Equipment ........................... 3-1 3.10.2 Pump and Valve Operability Assurance ............... 3-4 i
. 4 REACTOR ........................... ............................. 4-1 )
4.3 Nuclear Design ............................................. 4-1
! 4.3.2 Fuel System Design ................................. 4-1 i
7 INSTRUMENTATION AND CONTROLS .................................... 7-1 l
7.3 Engineered Safety Features Systems ......................... 7-1 t
l 7.3.3 Specific Findings ................................... 7-1 7.5 Information Systems Important to Safety .................... 7-1 7.5.2 Specific Findings ................................... 7-1 9 AUXILIARY SYSTEMS ............................................... 9 9.5 Other Auxiliary Systems .................................... 9-1 9.5.1 Fire Protection Program ............................. 9-1 11 RADI0 ACTIVE WASTE MANAGEMENT .................................... 11-1 11.4 Solid Waste Management System .............................. 11-1 11.4.2 Evaluation F,i_ndings ................................. 11-1 13 CONDUCT OF OPERATIONS ........................................... 13-1 13.3 Emergency Planning ......................................... 13-1 Beaver Valley 2 SSER 6 v
1 L
TABLE OF CONTENTS (Continued)
Page 1 13.3.1 Introduction ........................................ 13-1 13.3.5 Review of Offsite Emergency Preparedness ............ 13-1 15 ACCIDENT ANALYSIS ............................................... 15-1 15.8 Anticipated Transients Without Scram ....................... 15-1 18 HUMAN FACTORS ENGINEERING ....................................... 18-1 18.1 Detailed Control Room Design Review ........................ 18-1 18.1.1 Background .......................................... 18-1 18.1.2 Evaluation .......................................... 18-1 18.1.3 Conclusion .......................................... 18-3 j 18.2 Safety Parameter Display System ............................ 18-4 18.2.1 Background and Introduction ......................... 18-4 1
l 18.2.2 Evaluation .......................................... 18-5 l 18.2.3 Conclusion ..........................................
18-10 APPENDICES APPENDIX A CONTINUATI6d 0F CHRON0 LOGY OF NRC RADIOLOGICAL REVIEW .
OF BEAVER VALLEY POWER STATION, UNIT 2 )
APPENDIX E NRC STAFF CONTRIBUTORS AND CONSULTANTS '
APPENDIX P ERRATA APPENDIX S HUMAN FACTORS ENGINEERING DETAILED CONTROL ROOM DESIGN !
REVIEW SUPPLEMENTAL TECHNICAL EVALUATION REPORT FOR DUQUESNE LIGHT COMPANY, BEAVER VALLEY POWER STATION, l
i UNIT 2 APPENDIX T TECHNICAL EVALUATION REPORT OF THE SAFETY PARAMETER l
DISPLAY SYSTEM FOR DUQUESNE LIGHT COMPANY, BEAVER VALLEY POWER STATION, UNIT 2 l
l l
Beaver Valley 2 SSER 6 vi
i i
I ACRONYMS ATWS anticipated transients without scram BVPS-1 Beaver Valley Power Station Unit 1 BVPS-2 Beaver Valley Power Station Unit 2 CSF critical safety functions DCRDR detailed control room design review DRMS digital radiation monitoring system DRPI digital rod position indicating l
ERFCS emergency response facility computer system )
ESFAS engineered safety feature actuation' system FAT factory acceptance testing FEMA Federal Emergency Management Agency GL Generic Letter HED human engineering discrepancies IEEE Institute of Electrical and Electronics Engineers MCF maximum credible fault ,
MSIV main steam isolation valves 1 OBE operating basis earthquake PCP process control program PSMS plant safety monitoring system SAT site acceptance testing ;
S-D Struthers-Dunn, Inc. ;
SER Safety Evaluation Report i SPDS safety parameter display system SSE safe shutdown earthquake i SSER Supplemental Safety Evaluation Report SSR Supplemental Summary Report TER Technical Evaluation Report '
TMI-2 Three Mile Island Unit 2 V&V verification and validation Beaver Valley 2 SSER 6 vii
. l 1 INTRODUCTION AND GENERAL DISCUSSION 1.1 Introduction The Nuclear Regulatory Commission (NRC) Safety Evaluation Report (NUREG-1057)-
(SER) on the application of the Duquesne Light Company et al. (DLC or the licensee, for holder of low power license NPF-64) for a license to operate the Beaver Valley Power Station Unit 2 (BVPS-2) was issued in October 1985. Supple-ments 1, 2, 3, 4, and 5 were issued in May, August, and November 1986 and March and May 1987, respectively. This is the sixth and last supplement to the SER.
The purpose of this sixth Supplemental Safety Evaluation Report (SSER 6) is to revise the SER by providing the results of the staff's review of new informa .
tion subsequently submitted by the applicant. The information provided in
- letters referenced in this SSER have been acceptably documented in amendments, up to No. 18, to the Beaver Valley Unit 2 Final Safety Analysis Report (FSAR)
~by the licensee.
. Each section or appendix of this SSER is designated and titled so that it cor-responds to the section or appendix of the SER that has been affected by the ,
staff's additional evaluation. Except where specifically noted, the SSER does j not replace the corresponding SER section or appendix. Appendices S and T !
have been added. Appendix A is a continuation of the chronology of events, including correspondence, leading to the publication of this SSER. Appendix E is a list of the principal contributors to this SSER. Appendix P, " Errata,"
corrects errors in the SER and in SSERs 1 through 5. No changes were made to I the other appendices. I TablesI.2,1.3,1.4,and1.5,allcorrespondingtotablesofthesamenumbers in the SER and previous supplements, provide summaries of the status of open, backfit, confirmatory, and license condition issues, respectively. If the status of an issue has changed since issuance of the last supplement, details of the change are documented in this supplement.
Action items that resulted from the Three Mile Island Unit 2 (TMI-2) accident have been addressed in the SER; Table 1.1 of the SER provided cross-references of various items to sections in the SER. TMI-2 action items that were not fully closed out in the SER have been identified as open or confirmatory issues in the SER or its supplements. Closecut status of open or confirmatory TMI-2 issues may be obtained by reviewing Tables 1.2 and 1.4 of this supplement.
Action items that resulted from the Salem anticipated-transients-without-scram (ATWS) (NUREG-1000) event have been addressed ~in various SER supplements.
Closecut status of these items is presented in Section 15.8 of this supplement.
Those actions that have not been completed by the time of operating license issuance will be carried as o~perating reactor actions, and will be tracked by a TAC number.
Beaver Valley 2 SSER 6 1-1
I i
l Copies of this SSER are available for public inspection in the NRC Public Docu-ment Room'at 1717 H Street N.W., Washington, D.C., and at the B. F. Jones l Memorial Library, 663 Franklin Ave. , Aliquippa, Pa. Copies of this SSER are j also available for purchase from the sources indicated on the inside front 1
. cover of this report. 1 The NRC Project Manager is. Peter S. Tam. He was assisted by Messers. Roger _j Pedersen and Frank Orr, Project Engineers. 'Mr. Tam may be contacted by calling l
-(301) 492-4837 or by writing to the following address:
Division of Reactor Projects I/II U.S. Nuclear Regulatory Commission ;
Washington, D.C. 20555 This supplement is published concurrently with but separately from issuance of-the full power license of Beaver Valley Unit 2. j l
l 1
i l
l 1
l 4
Beaver Valley 2 SSER 6 1-2
q I
Table 1.2 Open issues i Issue Status ~~SER section (1) Preservice/ inservice testing program 1
(a) PST Closed in SSER 3 3.9.6 (b) IST Closed in SSE,R 5 3.9.6 ;
(2) Pump and valve leak testing Closed in SSER 3 3.9.6 (3) Inadequate core cooling instruments- Closed in SSER 2 4.4.7 tion (Item II.F.2 of NUREG-0737)
(4) Preservice/ inservice inspection program (a) PSI Closed in SSER 5 5.2.4.3, i 6.6.3 (b) ISI Closed in SSER 5 5.2.4.3 6.6.3 l
l (5) Safe and alternate shutdown Closed in SSER 5 9.5.1 I
(6) Management and organization Closed in SSER 5 3.1, 13.4, 13.5.1 (7) Cross-training program Closed in SSER 1 13.2.1.2 (8) Emergency preparedness plan Closed in SSER 5 13.3.3 1
(9) Initial test program Closed in SSER 3 14 i (10) Control room design review Closed in SSER 5 18.1 (11) Safety parameter display system Closed in SSER 5 18.2 i
1 Beaver Valley 2.SSER 6 1-3
l Table 1.3 Backfit issues Issue Status SER section (1) Snow and ice load C 2.3.1 (2) Underestimation of atmospheric dispersion C 2.3.4, 15.4.8 conditions (x/Q) at exclusion area boundary and consequences of radioactive release (3) Potential for flooding from probable maximum C 2.4.2, 2.4.10 precipitation and Peggs Run (4) Steam generator level control and protection C2 7.3.3.12 (5) Motor-operated accumulator isolation valve C 8.3.1.12 (6) Spent fuel pool maximum heat load C 9.1.3 (7) Fire suppression in the cable spreading room C5 9.5.1.6 j (8) Class IE power for lighting and communication C 9.5.2.1 l systems
! (9) Application of GDC 5 to communication systems C 9.5.2.1 (10) Application of GDC 2 and 4 to communication C 9.5.2 systems (11) Application of GDC 4 to lighting systems C 9.5.3 (12) Illumination levels in excess of SRP criteria C 9.5.3 (13) Application of RG 1.26 to areas excluded by C 9.5.4-9.5.8 RG 1.26 (14) Air dryers for emergency diesel generator C 9.5.6 (15) Alarm for rocker arm lube oil reserve C 9.5.7 (16) Diesel lube oil fill procedure C 9.5.7 C - Closed in SER (October 1985).
C2 - Closed in SSER 2 (August 1986).
C5 - Closed in SSER 5 (May 1987).
Beaver Valley 2 SSER 6 1-4
l I
Table 1.4 Confirmatory issues l
Issue Status SER section (1) Operating procedures for continuous Closed in SSER 3 2.2.2 l communication links l l
(2) Differential settlements of buried pipes Closed in SSER 5 2.5.4.3.3, l
. 2.5.4.5 (3) Internally generated missiles (outside Closed in SSER 5 3.5.1.1 containment) 1 l (4) Internally generated missiles (inside Closed in SSER 5 3.5.1.2 containment)
(5) Turbine missiles Closed in SSER 5 3.5.1.3 l
(6) Analysis of pipe-break protection 3.6.1 Closed in SSER 5 i outside containment (7) FSAR drawings of break locations Closed in SSER 5 3.6.2
. (8) Results of jet impingement effects Closed in SSER 5 3.6.2 l l
I (9) Soil-structure interaction analysis Closed in SSER 1 3.7.3 (10) Design documentation of ASME Code Closed in SSER 2 3.9.3.1 components (11) Item II.D.1 of NUREG-0737, safety / Closed in SSER 5 3.9.3.2 relief valves (12)Seismicanddynamicqualificationof Closed in SSER 5 3.10.1 mechanical and electrical equipment and 6 (SQRT)
(13) Pump and valve operability assurance Closed in SSER 5 3.10.2 (PV0RT) and 6 (14) Environmental qualification of Closed in SSER 5 3.11 mechanical and electrical equipment (EQRT)
(15) Peak pellet design basis Closed in SSER 1 4.2.1 (16) Discrepancies in the FSAR Closed in SSER 1 4.2.2 (17) Rod bowing analysis Closed in SSER 1 4.2.3.1(6)
(18) Fuel rod internal pressu'r'e Closed in SSER 1 4.2.3.1(8)
(19) Predicted cladding collapse time Closed in SSER 1 4.2.3.2(2)
Beaver Valley 2 SSER 6 1-5
Table 1.4 (Continued)
Issue Status 1ER section (20) Use of the square-root-of-the-sum-of- Closed in SSER 1 4.2.3.3(4) the-squares method for seismic and loss-of-coolant-accident ~1 cad calculation (21) Analysis of combined ioss-of-coolant- Closed in SSER 5 4.7.3.3(4) accident and seismic loads (MULTIFLEX)
(22) Natural circulation test Closed in SSER 5 5.4.7.5 (23) Reactor coolant system high point vents Closed in SSER 3 5.4.12 (24) Blowdown mass and energy release closed in SSER S 6.2.1.3 analysis methodology '
(25) Containment sump 50% blockage assumption Closed in 5SER 5 6.2.2 (26) Design modification of automatic reactor Closed in SSER 5 7.2.2.3 trip using shunt coil trip attachment (27) Automatic opening of service water Closed in SSER 1 7.3.3.10 Y system valves M0V113C and 113D l
(28) IE Bulletin 80-06 concerns Closed in SSER 6 7.3.3.13 l (29) r4UREG-0737, Item II.F.1, accident Closed in SSER 1 7.5.2.2 monitoring instrumentation positions (30) Bw ass and inoperative status panel Closed in SSER 5 7.5.2.4.
(31) Revision of the FSAR--cold leg accumu- Closed in SSER 3 7.6.2.4 lator motor-operated valve position indication (32) Control system failure caused by Closed in SSEF. 5 7.7.2.3 malfunctions of common power source or instrument line (33) Confirmatory site visit (a) Independence of offsite power Closed in SSER .1 8.2.2.3 between the switchyard and Class 1E system (b) Confirmation of the protective Closed in SSER 1 8.3.1.2 bypass -
Beaver Valley 2 SSER 6 1-6 '
Table 1.4 (Continued)
Issue Status ~~SER section (33) Confirmatory site visit (Continued)
(c) Verification of DG start and load Closed in SSER 1 8.3.1.8 bypass (d) DG load capability qualification Closed in'SSER 1 6.3.1.9 test (e) Margin qualification test Closed in SSER 1 8.3.1.10 )
1 (f) Electrical interconnection between Closed in SSER 1 8.3.1.13 l redundant Class 1E buses !
l (g) Verification of electrical Closed in SSER 1 8. 3. 3. 5' l independence between power surplies j controls in control room and remote locations i (34) Voltage analysis--verification of test Closed in SSER 5 8.3.1.1
~
results 1 (35) Documentation of description and analysis Closed ii. SSER 5 8.3.3.7.1 of compliance with GDC 50 (36) Completion of plant-specific core damage Closed in SSER 5 9.3.2.2 estimate procedure before fuel load (37) Training program for the operation and Closed in SSER 5 9.5.4.1 maintenance of the diesel generators j
(38) Vibration of instruments and controls on Closed in SSER 5 9.5.4.1 I diesel generator (39) Surveillance of lube oil level in the Closed in SSER 2 9.5.7 l diesel generator rocker arm lube oil I reservoir (40) Solid waste process control program Closed in SSER 6 11.4.2 (41) TMI Action Plan items (a) III.D.1.1, postaccident reactor Closed in SSER 5 13.5.2 coolant leakap outside containment (b) II.K.1.5 and II.K.1.10, IE Closed in SSER S 15.9.2 Bulletins on measures to 15.9.3 mitigate small-break LOCAs and loss of feedwater Beaver Valley 2 SSER 6 1-7 l
r
-M
l Table 1.4 (Continued) 1 l
Issue Status 1ER section I (41) TMI Action Plan items (continued) ,
(c) II.K.3.5, automatic reactor Closed in SSER 5 15.9.4 coolant pump trip during LOCA i (d) II.K.3.17, report on ECCS outage Closed in SSER 5 15.9.11 (e) II.K.3.31, compliance with Closed in SSER 3 15.9.14 j 10 CFR 50.46 i (42) Plant-specific dropped rod analysis Closed in SSER 2 15.4.2 (43) Steam generator tube rupture Closed in SSER 5 15.6.3 l
(44) Quality assurance program Closed in SSER 1 17.4 (45) Cross-training of Unit 1 & 2 operators Closed in SSER 4 13.2.1.1 (46) Control room isolation on high radiation Closed in SSER 5 7.3.3.9 signal (47) Review of procedures generatien package Closed in SSER 5 13.5.2 '
(48) Fire protection: Amendment 12 review and site visit (a) Amendment 12 review Closed in SSER.3 9.5.1 (W Site visit Completed on 1/30/87 9.5.1 (c) Safety-related system Closed in SSER 5 9.5.1 fire-barrier deviations (49) Steam generator high-level trip as non- Closed in SSER 5 7.3 protection system (50) Implementation letter of ICCI system Closed in SSER 5 4.4.7 (51) Superheated steam in valve house Closed in SSER 5 3.6.1 due to steamline break (52) Initial testing (a) Accumulator isolation valves Closed in SSER 5 14 (b) SOV, P0, IST tests. Closed in SSER 5 14 Beaver Valley 2 SSER 6 1-8
t
}
Table 1.4 (Continued)
Issue Status SER section (52) Initial-testing (continued)
(c) Plant performance after MSIV Closed in SSER 5. 14 closure (d) Steam extraction system and Closed in SSER 5 14 process computer Table 1.5 Plant-specific license condition issues License condition Status SER section (1) Emergency response capability, Deleted in SSER.5 7. 5'. 2.'1 '
RG 1.97, Rev. 2 (2) Fire protection Introduced in SSER 6; 9.5.1 .!
, full power license (3) Control room design review Introduced in SSER 6; 18.1 full power license (4) Safety parameter display system Introduced in SSER 6; ' 18.' 2 full power license (5) Inservice Inspection Introduced-in SSER 5;. 5.2.4.3 full power license (6) Verification and validation Introduced in SSER 6; 7.5.2 of plant safety monitoring full power license l cystem i
L Beaver Valley 2 SSER 6 1-9 l
3 DESIGN CRITERIA FOR STRUCTURES, SYSTEMS, AND COMPONENTS 3.10 Seismic and Dynamic Qualification of Service Category I Mechanical and ;
Electrical Equipment ;
l 3.10.1 Seismic and Dynamic Qualification of Electrical and Mechanical Equipment i 1
3.10.1.1 Discussion i l
l As stated in SSER 4, the staff and its consultants from the Idaho National I Engineering Laboratory (comprising the Seismic Qualification Review Team (SQRT)) !
conducted an onsite audit evaluation of the licensee's program for seismic ]
and dynamic qualification of safety related electrical and mechanical equipment at Beaver Valley Unit 2 from September 30 through October 3, 1986. The onsite audit is performed by comparing as-built configuration to test and/or analysis g configuration to assure the validity of the modeling assumptions to qualify the ]
equipment. The audit identified both generic and equipment-specific concerns i l
relating to the qualification program. These concerns were discussed in SSER 4. j l
Subsequent to the audit, the licensee did further investigation through test a.id analysis. On the basis of the results of the investigation, responses to the issues of concern were provided in letters dated February 23, April 16, 1 May 11, and June 5, 1987. Resolution summary und status of the issues identi- I fied in SSER 4 are presented in the following sections. ]
3.10.1.3 Generic Items Issue of Model and/or Serial Number for Traceability i
In its letter dated April 16, 1987, the licensee stated that the marking system )
employed at Beaver Valley Power Station (BVPS), Unit 2, was similar to a system I successfully implemented on other plants, e.g., BVPS-1, Millstone, and Shoreham. :
The licensee is convinced, based on its experience with BVPS-1, that the system I works and does provide complete traceability to control, monitor, and assess status of the equipment. Based upon the successful implementation of this system in other plants and especially BVPS-1, the staff is convinced of the suitability of the licensee's marking system. The response is* satisfactory, and this issue is closed.
_I_ssue of Inadequate Clearance Between Cabinets and/or Panels The licensee indicated that a walkdown program of all safety-related components /
systems located in Category I safety areas was completed in November 1986.
This was intended to identify all cases where a 2-inch minimum clearanen requirement was not met. Thirteen problem cases were identified at that tinie.
Based en subsequent analysis ,(calculation 12241 - NM(B)704), 8 out of the 13 were accepted as they were. The remaining five needed field modifi-cations. The modifications are now complete. However, panels mounted as close as physically possible to each other were not included in the above sur-vey. They were included in a subsequent survey which identified deficiencies associated with 46 cabinets. These are being bolted on the sides to assure Betver Valley 2 SSER 6 3-1
I
{l I
l sufficient rigidity to preclude serious impact loading. After a review of the l program as summarized above, the staff concludes that the program, if carried j out to its completion, would insure that the equipment not be subjected to )
disabling impact loadings. This is satisfactory, and the issue is closed. ]
l Issue of Verification of As-Built Loads
- The licensee stated in its April 16, 1987 response that BVPS-2 success fully implemented and completed the as-built loads reconciliation program. This program included a review of all interface loads on mechanical equipment, e.g. , .
pumps, valves, heat exchangers, and strainers. The reconciliation ensured that l the actual loads imposed were below the specified design-allowable loads. This !
is satisfactory, and the issue is closed. ,
]
Overall Cempletion of Qualification Program l
The latest response from the licensee indicated that the seismic and dynamic qualification program for the safety-related equipment is complete except for l the equipment and system testing for the three main steam isolation valves '
(MSIVs). Accordin the required testig ng to the licensee, is complete. however, Therefore, thecriticality will not that staff concludes occur theuntil l program is essentially complete and the issue is closed.
3.10.1.4 Equipment-Specific Issues *
(1) Issue on Analysis of Residual Heat Removal System Heat Exchanger (a) The calculated stresses, using Bijlaard technique, for the 24-inch nozzle-shell juncture were near the allowable limit. This analysis i used an unrepresentative condition in that the nozzle was assumed isolated from discontinuities on the vessel. In the latest response, however, the licensee has provided additional information including (1) a recalculation using appropriate loads and stress concentration factors, and (2) rationale indicating the conservatism of the Bijlaard technique for this particular case. The staff review of a summary of tb recalculations confirmed the licensee's conclusion.
The stresses are within allowable limits and the use of the Bijlaard technique is appropriate. This is satisfactory, and the issue is closed.
(b) T'e sizing basis and the supporting details have now been addressed.
The staff has reviewed a summary and found it acceptable. The ade-quacy of the weld is documented. The issue is closeo.
(c) The licensee, in its latest response, indicated that a finite-element .
model (stick) was used to evaluate the stresses in the shell at the gusset conn'ection in addition to the Bijlaard technique. However, the reconciliation program at BVPS-2 identified a concern with the stresses in the lower support lug. Westinghouse, in turn, modified the support gussets ~ arrangement by adding two more gussets between the existing gussets which were 30 inches apart. This new design has inner gussets 16 inches apart, and the calculated stresses are well below the allowables. The changes have been implemented in the field. Based upon a review of a summary, the staff concludes that Beaver Valley 2 SSER 6 3-2
l ,
I the new design is adequate. This is acceptable, and the issue is '
closed.
(2) Isr.ues on Qualification of Alternate Shutdown Panel i (a) The licensee indicated that the finite-element model was, subse-quently, authenticated by in-situ testing. The measured overall fundamental frequency was within reasonable range. The details are l in the licensee's report 12241-65-AV3, dated December 1986. The j report was not reviewed by the staff but the summary statement that 1 the model predicted and the results from the in-situ tests were j within tolerances were deemed adequate. This is satisfactory, and l l the issue is closed. I 1
t (b) According to the licansee, the internals are not required to be seis- I mically qualified. The panel needs to operate only in a fire situa-tion as an alternate shutdown panel. As such, the internals are not i categorized as seismic Category I items, and the staff concurs. Thus, I l the issue becomes irrelevant.
l (c) The issue regarding auditable link between the field item and docu- l' l mentation is resolved as a result of resolution of the generic item (see Section 3.10.1.3).
1 (3) Irsues of Anomalies and Change in Acceptance Criteria for Motor-0perated j Damper j
The licensee's response indicates that, subsequent to the audit, the licensee j and Stone & Webster Engineering Corporation reviewed the anomalies and their i resolutions. Based on the m yiew, it was concluded that the results met the plant-specific requirements. Some of the anomalies were rasolved on the basis i
- of different attributes (modified since testing had occurred). The staff re- l viewed a summary of the resolutions and discussed them with the licensee in a ;
conference call. The staff concludes that the licenee's response is acceptable; !
the issue is closed.
(4) Issue of Low-Cycle Fatigue Effects cn Electrical and Instrumentation !
Equipment l
The licensee's response dated April 16 and May 11, 1987, with respect. to the l fatigue issue was divided into two parts. The first part was related to items j that were tested. The argument of test duration being adequate for the items i in this category was reviewed and judged to be justified. The second part l addressed the issue for the items that were analyzed for qualification. In I this case the argument based on stress allowables being 70% of the minimum yield for the operating basis earthquake (OBE) and lesser of 100% of minimum yield or 70% of the ultimate strength was not satisfactory. This argument i dealt with generalities. No specific evaluation of fatigue parameters for any 1 item in this category had been made. This was discussed with the licensee. ]
I According to the latest response dated June 5, 1987, the licensee has now l estimated the significant number of stress cycles to be 900 for five OBEs and l I one safe shutdown earthquake (SSE). Using the ASME fatigue curves as an I accepted basis for low carbon steel, the licensee concludes that the design i Beaver Valley 2 SSER 6 3-3 j j i l l
basis for the analyzed support structures contain inherent margin for 900 sig-nificant cycles, whicn precludes any significant fatigue damage for the. life of the plant. This is satisfactory, and the issue is clostd.
- 3.10.1.5 Conclusion l
On the basis of the site audit and the review of subsequent submittals, the staff concludes that an appropriate seismic and dynamic qualification program has been defined and implemented. The seismic and dynamic qualification of the
- safety related equipment at Beaver Valley Unit 2 meets the applicable portions of GDC 1, 2, 4, 14, and 30 of Appendix A to 10 CFR Part 50; Appendix B to 10 CFR Part 50; and Appendix A to 10 CFR Part 100.
3.10.2 Pomp and Valve Operability Assurance 3.10.2.3 Operability Issues In SSER 5 the staff reported the licensee's replacement of the Crosby main steam isolation valves (MSIVs) with valvos manuf actured by Atwood/Morrill. The staff stated that it would review the supporting documentation 'n order to verify the l operability qualification of the MSIVs.
The staff has completed its review of the documentation which demonstrates !
qualification of the Atwood/Morrill MSIVs instelled at Beaver Valley Unit 2. i Qualification is based on a combination of tests and analyses. The results meet the requirements of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code, 1979 Edition, and Institute of Electrical and Elec-tronics Engineers (IEEE) Standards 323-1974, 344-1975, and 382-1972. i Based on this review, the staff concludes that the licensee has adequately demon-strated qualification of these valves for operation at Beaver Valley Unit 2.
This issue is closed. j l
Beaver Valley 2 SSER 6 3-4 ,
i
l
\
l l
I l ;
1 4 REACTOR
{
! - 4.3 Nuclear Design i 4.3.2 Fuel System Design 4.3.2.1 Power Distribution Supplement 5 (SSER 5) to the staff safety evaluation report for Beaver Valley Unit 2 stated that a;i axial flux difference (AFD) of i 7% in Technical Specifi- l cation 3.2.1, an Fq of 2.32 in Technical Specification 3.2.1, and an F multi-plier of 0.3 in Technical Specification 3.2.3 were acceptable. The acceptabil-ity was based in part on a May 22, 1987 telephone conference during which the licensee indicated to the staff that (a) safety analyses have been performed and will be documented with all the above parameters as stated, and (b) the results are within regulatory limits. SSER 5 also stated that a final evaluation would be provided by the staff prior to issuance of a full power license. In a letter
, dated June 8, the licensee provided the needed information.
The licensee stated that the values of i 7% AFD (or AI) band 2.32 for F , and 0.3 for F3g were used in the safety analyses for Beaver Valley Unit 2. q The li- '
censee's submittal also referenced a Westinghouse letter dated May 27, 1987 from J. N. Steinmetz to J. A. Kline in which Westinghouse confirmed that the following parameters were used in the safety analysis for Cycle 1: +/- 7% Al band without axial power distribution monitoring system (APDMS) requirements, the 2.32 F q loss-of-coolant-accident (LOCA) limit, and the 0.3 F 3g multiplier.
These analyses are provided in the FSAR. Since the analyses have been reviewed and approved by the staff and the licensee has confirmed the use of the above values in the analyses, the Technical Specifications are acceptable. This com-pletes the staff's review of the issue, e
Beaver Valley 2 SSER 6 4-1
i 7 INSTRUMENTATION AND CONTROLS _
7.3 Engineered Safety Features Systems
.1 7.3.3 Specific Findings 7.3.3.13 IE Bulletin 80-06 Concerns j l
IE Bulletin 80-06 requested a review of all systems serving safety-related func-tions to ensure that no device will change position solely because of the reset of an engineered safety feature actuation' system (ESFAS). In the SER the staff i considered the subject issue resolved subject to confirmation of successful completion of the verification test required by the Bulletin. By letter dated July 10,1987, the licensee stated that the verification tests have been com-pleted as part of the startup tests. This fully addresses the staff's concern, and confirmatory issue'28 is considered closed.
7.5 Information Systems Important to Safety j 1
7.5.2 Specific Findings !
The licensee is using a Class 1E computer-based digital display system (plant safety monitoring system (PSMS)) to display many of the RG 1.97 variables. !
This information is provided to the operator via a plasma display.in the control l room. The staff has been requiring that a verification and validation (V&V) program be performed on the development of all software used in Class IE systems.
By letter dated April 30, 1987, the licensee stc.ted that the PSMS is a Class 1E design and was given the required degree of design review, factory testing, and site testing to ensure that it meets design function. No specific information was provided regarding a V&V plan for the PSMS Class 1E software components.
The BVPS-2 station control philosophy is that the operators will use the main control board indication as the primary source cf control information. The licensee then identified the Category 1 and Category 2 Regulatory Guide (RG) 1.97 variables that are displayed on the PSMS.
Of the nine Category 1 variables displayed on the PSMS, all'but two of the Cate-gory 1 variables have diverse instrumentation that is either independent or redundant from'the PSMS and is available on the control room boards. _0ne vari-able (neutron flux monitoring) has diverse indication that is available at a local cabinet. The second variable (core exit thermocouple) can be determined by an alterncte method of measuring the voltage output of the thermocouple at the terminal screw inputs to the PSMS cabinet.
1 The staff finds that the design review, the redundant main control board indica- ;
tors, and the procedures for alternate indication discussed by the licensee !
provide adequate assurance that sufficient accident monitoring instrumentation will be available.to the operator over an interim period (approximately 6 months) '
of operation.
Beaver Valley 2 SSER 6 7-1 i
i, The licensee shall submit within 6 months after the date of the low power .
i license a V&V plan which will be able to demonstrate the reliability of the'PSMS E software. The approved V&V plan must be implemented before startup following the first refueling outage. A license condition will be imposed, and this issue .;
will be tracked by_ licensing-action TAC 64577. '
,1 i
l
.I J
l
)
! l 1
l i
. 1 1
. j 1
y i
1 d
l l .i l
... i Beaver Valley'2 SSER 6 7-2
______=_ _______ _ _ _ -
I 1
l l
- l 9 AUXILIARY SYSTEMS j 9.5 Other Auxiliary Systems i
9.5.1 Fire Protection Program In SSER 5, the staff expressed concern regarding the adequicy of the fire alarm system. A license condition was~ imposed in the low power license that directed l the licensee to develop and implement a test procedure to confirm the operabil-ity of the system on a periodic basis. By letters dated May 18, June 24, and July 6, 1987, the licensee provided additional information on this issue. !
Section 9.5.1.5 of this supplement includes an evaluation of this information. i By letters dated May 20 and 21, 1987, the licensee provided information regarding the anticipated schedule for completing all work associated with l implementing the approved fire protection program. The following four '
features of the program were identified as being incomplete:
(1) The installation of fire-rated cable wraps'for certain safe shutdown systems (2) Completion of fire damper acceptance tests *
(3) Tne installation of back draft dampers to rel' evei room overpressurization associated with C0 2 fire suppression system discharge (4) The installation of an additional CO 2 system storage tank Pending completion of the above work, the licensee has committed to maintain l the existing fire protection features, which include fire detection systems and manual fire-fighting equipment, as well as implementing fire watch patrols in the affected areas. The licensee plans to complete work on the first two items listed above before exceeding 5% power. A license condition will be imposed to require the licensee to complete installation of the back draft dampers by September 30, 1987.
The additional carbon dioxide storage tank will fulfill a previous licensee commitment. The additional quantity of CO2 exceeds the staff guidelines-delineated in BTP CMEB 9.5-1, which have been satisfied. The staff has deter-mined that the proposed delay in implementation of additional tank capacity until December 31, 1987, is acceptable. Therefore, based on the existing fire protection features and the interim fire watch patrol, the staff concludes that
- i. the licensee's schedule for completing the fire prntection program, as described above, is acceptable.
i Beaver Valley 2 SSER 6 9-1 i
l 9.5.1.5 Fire Detection and Suppression Fire Detection In SSER 5, the staff expressed concern that a single break or ground fault' condition could render portions of the fire alarm system inoperable. As a result, the low power license was conditioned to require the licensee to iden-tify all electrically ur. supervised fire alarm system circuits and to develop and implement a test procedure to confirm the operability of such circuits.
By letters dated May 18, June 24, and July 6,1987, the licensee provided addi-tional information on this issue. Circuits that are part of the fire alarm system consist of both supervised and unsupervised types, as described in these letters. Class A supervised circuits, such as those associated with the early l
warning smoka detection systems, will function under a single break or ground !
fault condition. These circuits conform with National Fire Protection Associa-tion (NFPA) Standard No. 720 and BTP CMEB 9.5-1 and are, therefore, acceptable.
- Class B supervised circuits, such as those associated with the heat detectors -
l for the water suppression systems, will annunciate a trouble alarm if a single break or ground fault condition occurs. The licensee will then declare the system inoperable and will implement a fire watch in accordance with the plant fire protection procedures. This conforms with the above-referenced guidelines.
and is, therefore, acceptable. The remaining fire alarm system circuits are ,
- l. unsupervised. However, where these circuits have separate and redundant counterparts, such as those from the information handling system annunciation l
(IHA) to the control room, or if the circuits are not required for system operation, such as a trouble signal circuit, a single break or ground fault j l will have no safety significance. Therefore, these types of unsupervised cir- !
l cuits are acceptable. The remaining unsupervised circuits, including the fire 1 and discharge circuits for the water suppression systems from the local control I panel to the IHA cabinet, will be tested monthly to assure operability or will l be modified to include supervision.
Onthebasisoftheabove,thestaffconcludesthatthelicensee'sresponseto this issue is acceptable.
9.5.1.7 Summary of Approved Deviations From BTP CMEB 9.5-1 The SER through Supplement 3 provides details on eight deviations from BTP
! CMEB 9.5-1. Based on the evaluations in the previous supplement (SSER 5), the staff concluded that additional deviations are acceptable as follows (numbered as a continuation of listing in the SER and SSER 3):
1
- 9. Structural steel fireproofing
- 10. Sealing of conduits and penetrations
- 11. Ventilation ; penetration openings
- 12. Modified fire doors :
- 13. Transformer locations
- 14. Safe shutdown components
- 15. Saf e shutdown circuitry
- 16. Co;rtinuous line-type heat detectors
- 18. Hydrant spacing Beaver Valley 2 SSER 6 9-2
j I
- 19. . Containment - separation of equipment -
- 20. Cable spreading rsom a tire of CO 2 i
- 21. Safety-related pumps
~
- 22. New fuel area / spent fuel pool area' 4
- 23. Radwaste and decontamination area l See SSER 5-for details on deviations numbered 9 through 23. (
l J
t
- ) 1
-)
'l I
g ,
i 4
v-
' Beaver VL' ley 2 SSER 6 9-3
1
~
l 11 RADI0 ACTIVE WASTE MANAGEMENT ]
11.4 Solid Waste Management Systehi 11.4.2 Evaluation Findings ,
In the SER, the staff found the solid waste system acceptable but stated that the licensee should submit a solid waste process control program to the staff for review before initial reactor heatup.
By letter' dated June 9, 1987, the licensee submitted the BVPS-2 solid waste process control program (PCP) and stated that the PCP will be contained as Chapter 18~of the Beaver Valley Unit 2 Operations Manual. . The' submittal ful-fills the purpose of confirmatory issue 40 as reiterated above. Therefore, confirmatory issue 40 is considered closed.
1 l
l i
i l
1 4
a l ;
I Beaver Valley 2 SSER 6- 11-1
l
'~
13 CONDUCT OF OPERATIONS -
13.3 Emergency Planning i 13.3.1 Introduction After reviewing the latest revisions of the emergency plan.and procedures and the results of the exercise on November 19, 1986, in SSER 5 the staff corcluded that BVPS-2 onsite emergency preparedness meets the requirements of 10 CFR 50 and Appendix E thereto for issuance of a license authorizing fuel loading and low power operation up to 5% of rated power.
Not addressed in SSER 5 was the Federal Emergency Management Agency (FEMA) evaluation of offsite emergency preparedness. FEMA's findings and the staff's overall finding are presented below.
13.3.5 Review of Offsite Emergeacy Preparedness i
13.3.5.1 FEMA Report on Offsite Preparedness l I
FEMA Region III reviewed the of fsite radiological emergency planning of the l Commonwealth of Pennsylvania and Beaver County, and the State of West Virginia '
and Hancock County, and the exercises conducted to date. On May 29, 1987, FEMA issued an interim finding stating that there is reasonable assurance that off-site radiological emergency planning and preparedness in the Commonwealth of Pennsylvania and the State of West Virginia are adequate to protect the health and safety of the public in the event of a radiological emergency at BVPS-2.
On March 16, 1987, FEMA Region V provided an evaluation of the State of Ohio and Columbiana County plans for radiological emergencies related to the BVPS-2 1 and the*results of the full participation exercise conducted on November 19, l 1986. On the basis of this evaluation, FEMA, on June 5, 1987, issued a finding !
that the Ohio State and local pla:a and preparedness for BVPS-2 are adequate
- to protect the health and safety of the public in that there is reasonable l l assurance that the appropriate protective measures can be taken off site in the event of a radiological emergency.
l i By letter dated June 11, 1987, the licensee provided a status report on arrangements with offsite medical services in accordance with FEMA Guidance Memorandum MS-1. The staff found the arrangements acceptable. i The staff has reviewed the FEMA findings on the state and local plans for Penn-sylvania, West Virginia, Ohio, and the three counties, and the results of the full participation exercise, and concurs with the FEMA findings on offsite emergency planning and preparedness for BVPS-2.
13.3.5.3 Conclusion On the basis of its review of the onsite emergency plan and procedures and the FEMA findings on offsite emergency planning and preparedness, the staff concludes Beaver Valley 2 SSER 6 13-1
- thationsite and offsite emergency plans and preparedness. provide reasonable. .;
assurance'that adequate protective measures can and will be taken in the. event' of a radiological emergency at BVPS-2. .
i i
f 1
1
'l l
I
- i 1
i 1
.v-I i l-
- i Beaver Valley 2 SSER 6 13-2 q
i
. t
l I
15 ACCIDENT ANALYSIS 15.8 Anticipated Transients Without Scram i
Status of Salem ATWS Event Issues 1 On July 8,1983, the NRC issued Generic Letter (GL) 83-28 as a result of the j anticipated-transients-without-scram (ATWS) events at Salem Nuclear Generating i Station. This letter addressed actions to be taken by licensees and applicants to ensure that a comprehensive program of preventive maintenance and surveil- l l lance testing is implemented for the reactor trip breakers in pressurized-water j reactors.
The staff has completed its review of the bulk of the licensee's response to GL 83-28 and has documented its results in appendices to the SER. The follow-ing list serves to record completed staff reviews and to show where individual safety evaluations may be found:
Item 1.1, Post-Trip Review (Appendix K, SSER 1)
Item 2.1, Equipment Classification and Vendor Interface (Reactor Trip System Components (Appendix L, SSER 2 and SSER 4) 4
- hw 1LI, F eat cJ.n:t:ca;,n Pryte w t>< A tl Satdy -Kddeg Cog. sun l
- JtenNY151' ahm; 8 T.1IY,Toh-Maintenance Testing Reactor Trip System {
Components (Appendix 0, SS.ER 4)
)
Items 3.1.3 and 3.2.3, Post-Maintenance Testing in Technical Specification That Could Degrade Safety (Appendix M, SSER 2)
Items 3.2.1 and 3.2.2, Post-Maintenance Testing--All Other Safety-Related Components (Appendix 0, SSER 4)
Itens 4.1, Trip System Reliability (Appendix J, SSER 1)
Items 4.2.1 and 4.2.2, Preventive Maintenance Program for Reactor Trip Breakers--Maintenance and Trending (Appendix J, SSER 1)
Items 4.3, Shunt Trip Technical Specifications (incorporated in the Tech-l nical Specifications)
Item 4.5.1, Reactor Trip System Reliability--System Functional Testing (Appendix 0, SSER 4)
Item 4.5.2, Reactor Trip System Reliability--On-line Testing l (Appendix N, SSER 4) l l The remaining issues of GL 83-28 are under review but their resolution is not a requirement for issuance of an operating license. These will continue to be tracked by licensing actions TAC 62950, 62951, 62952, 62955, and 62958.
Beaver Valley 2 SSER 6 15-1 i
18 HUMAN FACTORS ENGINEERING 18.1 Detailed Control Room Design Review 18.1.1 Background -
l In SSER 1, the staff stated that a site audit was performed on February 11 and .
j 12, 1986. The staff further stated that the licensee was conducting a detailed control room design. review (DCRDR) that_would generally meet the requirements '
of Supplement 1 to NUREG-0737, but that L supplemental summary report would be required from the licensee to close open issue 10.
As a result of the audit, the staff issued an interim evaluation of the DCRDR.
on July 28, 1986. The organization, process, and results of the BVPS-2 DCRDR were compared with the requirements of Supplement 1 to NUREG-0737 and the guide-lines in Section 18.1 of the Standard Review Plan (SRP). The staff concluded
! that the licensee had conducted a comprehensive DCRDR and had generally satisfied l the requirements of Supplement 1 to NUREG-0737. The licensee had to complete I certain items and to report their completion in a supplemental summary report. 1 In response to the staff's evaluation, the licensee submitted the DCRDR Supple-mental Summary Report (SSR) on January 8, 1987. A Technical Evaluation Report '
(TER) on the SSR is enclosed as Appendix S.
By letter dated April 30, 1987, the licensee submitted an amendment to the implementation schedule for several control room improvements, revised the resolutions on several human engineering discrepancies (HEDs), and revised the schedule for completion of several incomplete surveys.
18.1.2 Evaluation The staff evaluation of the BVPS-2 DCRDR is provided below. This evaluation is based on all information available to date and is organized according to DCRDR elements specified in Supplement 1 to NUREG-0737.
Establishment of a qualified multidisciplinary review team The staff concludes that the licensee has established and used a qualified multidisciplinary review team that satisfies the requirement of Supplement 1 to NUREG-0737.
Function and task analysis to identify control room operator tasks and information and control requirements Review of the BVPS-2 Summary Report indicates that the licensee has successfully accomplished the system function and task analysis as required by Supplement 1 to NUREG-0737.
Beaver Valley 2 SSER 6 18-1
I Comparison of display and control requirements with a control room inventory
~
The staff concludes that the licensee has successfully implemented th'e inventory process and has acceptably accomplished the comparison of control and' display requirements with the inventory.
Control room survey to identify deviations from accepted human factors principles The licensee has generally accomplished the control room survey, based on Section 6 of NUREG-0700, in an adequate and systematic manner. However, several parts of the survey are in progress or are scheduled to be completed at a later date. These schedules are as follows:
Workspace to be initiated after installation of the control room partition Emergency Equipment to be initiated after installation of the control room partition Communications to be initiated after April 30, 1987 Heating, Ventilation, to be conducted when the HVAC system is in Air Conditioning (HVAC) normal operational mode Illumination (Lighting) to be conducted during or before the first refueling outage Ambient Noise to be conducted after beginning of commercial operation Implementation of resolutions to all HEDs resulting from these surveys will be accomplished before startup following the first refueling outage. '
In addition, review of certain human factors criteria related to lighting and communications, but part of otherwise completed surveys, will be completed before startup following the first refueling outage (see Section 2.1.2 of Appendix S).
Section 4.0 of the SSR addresses specific HEDs identified during the NRC audit.
Section 2.1.2 of Appendix S discusses each HED and evaluates the licensee's resolution. The staff finds these resolutions acceptable except for item C, "No Lamp Test or Check Procedure."
The discussion on this item in Appendix 5 indicates that periodic surveillance and maintenance procedures on single-filament, single-bulb, normally off indi-cator lights will be modified to require verification of bulb operability. It is the staff's position that periodic testing, even on a shift basis, is not adequate to ensure that bulbs will light when energized. The operator has no indication when a single-filament, single-bulb, normally off indicator light is burned out and, therefore, has no assurance that it is providing a proper indication.
Beaver Valley 2 SSER 6 18-2
I A survey of the BVPS-2 control room identified 19 of these single-filenent, single-bulb indicator lights associated with safety-related equipment. _Examina-tion of the use and conditions of operation for each light indicates that no l serious safety condition results from the failure of any bulb. Therefore, the l licensee's proposed testing methods and intervals, as described in its submittal on January 8,1987, are acceptable as an interim measure. However, the staff does consider the condition to be such that an acceptable corrective action or l satisfactory justification for non-correction is required to resolve the ' issue.
The discussion on item D in Section 2.1.2 of Appendix S states that the licensee's j justification for not clearly differentiating between lighted pushbuttons and i light indicators does not adequately address the problem of selective identifi-cation. Therefore, this item will remain open until corrective action is proposed or a satisfactory justification based on behavioral / operational con-siderations is submitted.
Assessment of human engineering discrepancies The staff finds that, in general, the licensee's HED assessment process is satisfactory and, based on the onsite audit, agrees with most of the assessment results. Two exceptions, described in the interim report of July 28, 1986, are (1) lack of annunciator prioritization and (2) lack of targets on control i switches at the alternate and emergency thutdown panels. Both items were l addressed satisfactorily in the SSR, and the staff concludes that the licensee l has satisfied this requirement of Supplement 1 to NUREG-0737.
Selection of design improvements At the time of the onsite audit, design improvements for the correction of a number of HEDs had not been sufficiently developed. The licensee's SSR pro-vided satisfactory resolutions to most of the HEDs, but information is still i needed to resolve a few. The information required is described in Appendix S. l t
Verification that selected im3rovements will provide the necessary correction and will not introduce new HE)s The methodology used by the licensee to ensure that improvements correct HEDs without introducing new HEDs is acceptable to the staff. A description of the involvement of Stone and Webster in 378 control room changes was provided in the SSR as requested. The staff concludes that this requirement of Supplement 1 to NUREG-0737 has been satisfied.
Coordination of DCRDR activities with other emergency response capability programs The licensee's DCRDR coordination effort with other emergency response capability programs appears to be well planned and implemented. The staff concludes that the licensee has satisfied this requirement of Supplement I to NUREG-0737.
18.1.3 Conclusion -
On the basis of its review of the BVPS-2 DCRDR Summary Report, a pre-implementation onsite audit in February 1986, and review of the licensee's SSR, the staff finds that the licensee has generally satisfied the requirements Beaver Valley 2 SSER 6 18-3
l I
of Supplement 1 to NUREG-0737. Several items, listed below and described in Appendix S, remain to be completed: .
l -
Surveys Workspace
- Emergency Equipment l Communications HVAC Illumination (lighting)
Ambient Noise .
Partial Surveys Annunciators I l Controls Displays Labels Computer Systems l -
Re-evaluate the resolution to the HED regarding single-filament, single-bulb indicator lights associated with safety equipment and propose an acceptable corrective action.
Provide additional justification which addresses the reasons for not differentiating between lighted pushbuttons and indicators on the turbine control panel.
Address the HED-related issues, and concerns summarized in Appendix S.*
The above items must be completed and reported to the NRC prior to startup l following the first refueling outage. A license condition will be imposed to.
ensure completion and reporting of these activities necessary to fully satisfy the DCRDR requirements of Supplement 1 to NUREG-0737. All remaining actions will be tracked by licensing action TAC 62879.
18.2 Sdfety Parameter Display System 18.2.1 Background and Introduction All holders of and applicants for operating licenses must provide a safety param-eter display system (SPDS) in the control rooms of their plants. The Commission's requirements for the SPDS are defined in Supplement 1 to NUREG-0737.
The staff's original evaluation on the SPDS of BVPS-2 was transmitted to the licensee in December 1984. The evaluation was based on a review of the l licensee's August 1, 1984 submittal. The evaluation concluded that the licensee l had not provided sufficient information to allow the staff to complete its l review. The licensee submitted information on December 20, 1985, along with a l schedule that called for the SPDS to be operating 3 months before fuel load.
Further information was provided by submittals dated April 9 and June 16, 1986.
The staff conducted an onsite audit of the installed SPDS February 18 and 19, 1987. The purpose of the audit was to confirm that a verification and valida-tion (V&V) program was being correctly implemented, that the results of the-f licensee's testing demonstrated that the SPDS meets functional requirements,
[ and that the SPDS exhibits good human engineering practice. However, j.
Beaver Valley 2 SSER 6 18-4
r i
i ;
I determination if the SPDS is installed in accordance with the licensee's plan and if it functions properly can be made only after it is declared operational.
The staff's preliminary evaluation of the SPDS to accommodate the low power
( licensing schedule was published in SSER 5.
18.2.2 Evaluation The results of the detailed evaluation of the BVPS-2 SPDS ar.e summarized below, and a TER on the SPDS is included as Appendix T.
18.2.2.1 Verification and Validation Program Although Supplement 1 to NUREG-0737 does not specifically require V&V of the SPDS, a V&V program performed during design, installation, and implementation facilitates the staff review of the system. Knowledge that an effective V&V l program is being conducted can reduce the scope and detail of the technical l audit required by the staff to assess the design. SRP Section 18.2 contains ;
criteria and recommendations for an effective V&V program. l (1) System Requirements Review
. The BVPS-2 SPDS implements certain major features of the generic Westing-house iconic design. As part of the review of the generic design, the.
staff found that the Westinghouse design verification process included a satisfactory system requirements review. Thus, the BVPS-2 SPDS design process follows the recommendation to conduct a system requirements review.
1 (2) Design Verification Review The BVPS-2 SPDS is one function of the emergency response facility computer system (ERFCS). The SPDS receives data from the plant safety monitoring syst%m (PSMS), the digital rod position indicating (DRPI) system, and the digital radiation monitoring system (DRMS).
The ERFCS hardware was assembled from proven components. Therefore, formal design verification was not conducted on each component. The vendor did I
review the hardware system design to verify that it supports the SPDS ,
requirements. The licensee intends to perform site acceptance tests on all components not yet installed. The SPDS software was reviewed on a modular basis by vendor programmers independent of the development process. '
Acceptance of each module was documented, and the documentation was audited during the onsite review.
Verification and validation of the PSMS is being conducted by Westinghouse on a generic basis. Once the V&V is complete, the licensee will apply the program to the BVPS-2 plant-specific PSMS. The licensee has indicated that verification testing of the DRMS had been conducted by the system vendor. ,,
With respect to the SPDS functions of ERFCS, the BVPS-2 V&V process satisfies the intent of the recommendation to conduct an effective V&V program. The V&V activities for the PSMS are addressed separately in >
Beaver Valley 2 SSER 6 18-5
I J
l t
i Section 7.5.2 of this report. The process and results of the DRMS V&V program should be reported for staff review. .
)
l (3) Validation Testing j Factory acceptance testing (FAT) of the integrated hardware / software ERFCS l was conducted by Westinghouse based on a validation procedure used to test {
the Westinghouse generic SPDS. PSMS and DRMS inputs were simulated. After j installation, site acceptance testing (SAT) was conducted by the licensee. J Significant discrepancies were corrected and retesting was conducted. j Man-in-the-loop testing of the generic SPDS design was conducted by l Westinghouse. The licensee does not plan plant-specific testing to ;
validate the BVPS-2 SPDS in the context of the control room and operator j training. j i
With respect to integrated hardware and software system testing, the licensee's validation efforts satisfy the intent of the recommendations of, SRP Section 18.2. Integration of the SPDS functions of the PSMS, DRMS, and DPRI still need to be validated. !
1 The man-in-the-loop testing conducted by Westinghouse demonstrated the l effectiveness of the generic design as an operator aid. However, because the licensee has not yet included SPDS in its operations philosophy, the ]
j applicability of the Westinghouse testing is in question. The license.e must conduct man-in-the-loop testing to validate the usefulness of SPDS l once an acceptable philosophy for SPDS use has been established and !
operators are trained in this philosophy. j i
(4) Field Verification Tests i The verification test program for BVPS-2 SPDS is in progress. Value l accuracy of inputs and proper display location on SPDS have been verified. ,
This' field verification program will satisfy the intent of the recommenda- l tions of SRP Section 18.2. -
18.2.2.2 Assessment of SPDS Design j The following paragraphs address the SPDS design requirements, as given in SRP I Section 18.2 1 (1) "The SPDS Should Provide A Concise Display...."
i The top-level displays (narrow- and wide-range iconics) present plant ;
parameters needed to assess the critical safety functions in a concise i
.nanner. The narrow-range iconic contains parameters important during nor- )
mal operations. The wide-range iconic, which appears automatically on j reactor trip, contains those parameters important after reactor trip. !
Distortion of the octagonal pattern on the iconic, as well as color coding j and reverse video display of parameter values, provides a concise display i of critical / abnormal plant-conditions. )
1 i
i Beaver Valley 2 SSER 6 18-6 i l
l r - -- -
4
(2) "The SPDS (shall be) Located Convenient To The Control Room Operators" l The BVPS-2 SPDS terminal, located on the reactor operator's console, is l convenient to the control room operators. However, operators interviewed during the onsite audit indicated that the SPDS terminal mounted in the control room vertical panels (as in BVPS-1) would significantly improve SPDS usefulness because they prefer to analyze instrument readings.and )
l detailed SPDS data together. As discussed previously, the licensee has i not yet established its operations philosophy for SPDS. Location of the 1 1
l terminal in the control room is directly related to this philosophy and l should be reconsidered once an acceptable philosophy is established. This issue remains open.
l (3) "The SPDS Shall Continuously Display Information From Which The Safety Status of the Plant...Can be Assessed...." l The BVPS-2 top-level display formats that provide an overview of plant safety status are continuously available but are not necessarily con-tinuously displayed. Because more than 40 lower-level formats can be accessed, the requirement for a continuous display of plant safety is not satisfied. In addition, the designated SPDS terminal at the reactor ,
operator's desk is also designated as a backup for ERFCS, resulting in I
- another potential breech of the continuous display requirement of plant safety status. .
a (4) "The SPDS Should... Aid Them (operators) in Rapidly and Reliably Deter-mining the Safety Status of the Plant"
]
The staff considers the components of the " rapidly" requirement to include data update rate, display refresh rate, and system response time to operator interaction. Except for radiation monitoring, parameter values displayed byg SPDS are updated every two seconds. Radiation monitoring data updates occur once a minute. Response time to operator requests has been specified by the licensee as less than 5 seconds. At the onsite audit, actual response time appeared to be consistently less than 3 seconds, under con-ditions of low system load. The licensee plans to conduct response time testing under extreme system loading to confirm that requirements are met.
The components of " reliably" are considered to include data validity and system security and availability. With regard to data validity, the BVPS-2 process includes range checking of data inputs and interchannel comparison of good inputs based upon expected instrument accuracy. The staff finds these to be acceptable methods of data validity checking. However, during the onsite audit, the staff found that when one of a number of sensor inputs is labeled bad (indicated by magenta "X"s), the remaining inputs of that group are labeled poor (magenta data value with a "P" fing). Data other than bad may be the best indicator of the parameter status available to the SPDS user. However, during the audit, operators indicated that they ignore any data displayed in magenta. Thus, the color convention may not be helping operators to determine plant safety status.
The licensee verified that all instrument inputs were correctly converted into engineering data, that instrument calibration procedures were verified, and that data outputs were displayed correctly on SPDS. The staff finds Beaver Valley 2 SSER 6 18-7
these acceptable and recommends that verification of SPDS readings be included in periodic instrument calibration procedures. ., j Data base changes are keylocked functions with keys under shift siupervisor control. Programming changes can be made without access keys but require approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to accomplish since the source code tape must be ;
loaded and changes compiled. Currently, programming changes can be made .l from the emergency operations facility, technical support center, computer '
room, or control room. The staff recommends that programming change access 4 be limited to the computer room and control room. I SPDS availability estimates are not yet complete. The SPDS functions !
l accomplished by DRPI, PSMS, and DRMS must be included in these estimates. j i
(5) "The SPDS Shall Be Suitably Isolated from Electrical'or Electronic Inter- j ference with Equipment and Sensors That Are In Use for Safety Systems" h r l In order to satisfy.the NRC requirements concerning the SPDS, the-licensee l
provided a description and a safety analysis of the SPDS by letter dated August 1, 1984. This report did not address the requirement that the SPDS must be isolated from equipment and sensors that are Used in safety systems to prevent electrical and electronic interference.
By letter dated December 20, 1985, the licensee provided additional infor-l mation. The staff held telephone conferences with the licensee on January 16 and April 29, 1986, which resulted ir April 9 and June 16, 1986 1 t
submittals, respectively.
1 The staff evaluation addresses the qualification and documentation of the I isolators used at BVPS-2 as acceptable interface devices between the 1 Class 1E safety-related instrumentation systems and the SPDS.
]
The SPDS at BVPS-2 is implemented in the plant computer and is reported in the Westinghouse report WCAP-10170, Appendix C-51, Revision 1, which'is a plant-specific version of the generic Westinghouse SPDS key safety parameters.
The hardware design of the SPDS employs'both analog and digital electric i isolators. These isolators are located in a mild environment; therefore, the environmental requirements of 10 CFR 50.49 do not apply. The seismic qualification of the isolators are consistent with the seismic criteria that were the basis for plant licensing, The analog isolators are Westing-house 7300 Series isolation devices. The digital isolators, which are supplied by Struthers-Dunn, Inc. (S-D), are Series CX 3916 NE and CX 3918' NE isolators.
The Westinghouse 7300 isolators are addressed in WCAP-8892A, June 1977.
This report was reviewed and accepted by the staff in letters dated January 19 and April 20 t.1977.
The S-D isolators are reed switch relays. Of the two isolators in use at the plant, only the CX 3916 NE was tested with the maximum credible fault -i (MCF). ;
i Beaver Valley 2 SSER 6 18-8
l~
l l
An analysis of the CX 3916 NE and CX 3918 NE reed relays shows that the only difference between them is that the CX 3918 NE has two reed switches wired in-series. The materials used in both units and the environmental characteristics of both switches are the same. The method of construction for both units (the installation of two switches instead of one switch) is also essentially the same.
1 The units are rated at 120 V ac and 125 V dc. The MCF ac voltage was determined by assuming a fault of a 480-V system with a 10 percent margin. ;
l This set the ac fault voltage at 528 V ac. The ac fault current was ;
l selected at 2000 amperes. The MCF de voltage and current were selected at 132 V de and 500 amperes.
1 The pass / fail criteria state that there shall be no damage to the unfaulted i
' side of the unit under test and that the excitation current shall not increase more than 5 percent of maximum normal. The criteria also state that the unit must not break down during a subsequent Hi-Pot test.
Upon the application of the MCF voltage / current to three representative
, units, the reed switches in two units burned out. The inputs or coils l were not damaged in any of the units. The three uriits also passed the j subsequent Hi-Pot test.
l Based on the staff's review of the submittals on the S-D CX 3916 NE isola- i tion devices and on the prier review and acceptance of WCAP-8892A, the' l statf concludes that the isolation devices used at BVPS-2 qualify as isola-tors and are acceptable for interfacing the SPDS with Class 1E safety systems. The staff also concludes that this equipment meets the Commis-sion's requirements, as stated in Supplement 1 to NUREG-0737.
(6) "The SPDS Display Shall Be Designed to Incorporate Accepted Human Factors PrinciplesSoThatTheDisglayedInformationCanBeReadilyPerceivedAnd Comprehended By SPDS Users In general, the BVPS-2 SPDS displays incorporate accepted human factors principles. However, the onsite audit did identify several human engi-neering discrepancies that must be addressed by the licensee. These are as follows: j
- a. The use of yellow to represent normal data or conditions is contrary to widely accepted human factors color-coding conventions and may be inconsistent with the control room color conventions.
- b. Allowable limits of parameters are not indicated on trend and history plots. Thus, operators cannot perform margin monitoring (i.e., deter-mine how far parameters are from alarm limits),
- c. Trend and history plots appear to be too small to be readable.
- d. One trend plot screen, 2TR2, displays two parameters on the same plot.
Lines representing values of each parameter are color-coded identically making discrimination difficult.
Beaver Valley 2 SSER 6 18-9
- e. Function pushbuttons are located in two groups, one on the keyboard and one in a vertical configuration on the display terminal. Inter-l action' sequences often require excessive operator hand and ar'm move-ment between both groups of pushbuttons.
l
- f. Confusing and/or irrelevant prompts are frequently presented. For example, prompt messages may list three response options. To the right of these options, a prompt to PRESS EXECUTE is displayed. This last prompt indicates a response which produces no actions by the system. 1
- g. Cursor movement via keyboard arrow keys is slow. The option of cursor movement via joystick such as is provided on the BVPS-1 SPDS is generally faster and more efficient.
(7) "The SPDS Should... Display... Critical Plant Variables" With the exception of containment isolation valve status, which is not included on the BVPS-2 SPDS, the parameters displayed are sufficient to provide operators with information regarding the rtatus of the five crit-ical safety functions (CSF) identified in Supplement 1 to NUREG-0737. !
The staff considers the presence or absence of containment isolation to be l i one important indicator of containment conditions. The licensee should i l
add this parameter to its containment integrity CSF or provide satisfactory '
justification for not including containment isolation status on SPDS.
(8) " Procedures Which Describe The Timely and Correct Safety Status Assessment When the SPDS Is and Is Not Available Will Be Developed By The Licensee In Parallel With The SPDS. Furthermore, Operators Should Be Trained To Respond To Accident Conditions Both With and Without The SPDS Available" The licensee considers the SPDS to be a useful tool to aid operators in assessing the plant safety status. However, SPDS is not required to be used during emergency conditions nor is it even referenced in the Emergency Operating Procedures. The staff has identified three issues related to the training program:
- a. The licensee has neither developed nor implemented a philosophy for utilization of SPDS. Cu'rrently, plant operators do not appear to understand the value of SPDS as a system.
- b. The licensee has not identified a specific user of the SPDS. Con-sequently, the relationship between SPDS training and utilization of
- SPDS during abnormal plant conditions is unclear.
- c. Operators should be trained to respond with and without the SPDS; however, the BVPS-2 training program does not address this l requirement.
18.2.3 Conclusion The staff concludes that, with several exceptions, the BVPS-2 SPDS fulfills the requirements of Supplement 1 to NUREG-0737. The exceptions are listed in l Section 18.2.2 and are described in further detail in Appendix T. Because no ,
! Beaver Valley 2 SSER 6 18-10
serious safety concerns were identified with the existing system, the staff finds the BVPS-2 SPDS acceptable for operation as an interim implementation.
A license condition will be imposed to ensure that the licensee completes the following activities necessary to fully satisfy the requirements of Supple-ment 1 to NUREG-0737:
(1) Perform the necessary field verification tests, integrated system tests, and man-in-the-loop tests to confirm that the system is correctly imple-mented and is useable. .
(2) Develop and implement an accepcable operational philosophy for the use of SPDS and provide procedures and training to accomplish this implementation.
(3) Provide for a continuous display of plant safety status.
(4) Add containment isolation status to the containment integrity critical safety function.
(5) Based on the new operational philosophy and intended use of the SPDS by operators, reassess the human factors aspects of: (a) the location of .
SPDS in the control room, (b) display coding conventions for poor data and j the use of color, (c) trend and history plots, (d) SPDS control types and location, and (e) the use of prompts.
(6) Provide estimates of SPDS availability when assessment is completed.
These remaining issues will be tracked by licensing action TAC 62880.
i d
1 1
I I
i l
l l
3 I
l 1
l I l
l l
Beaver Valley 2 SSER 6 18-11 !
l
I I
J 1
l APPENDIX A CONTINUATION OF CHRONOLOGY OF NRC RADIOLOGICAL REVIEW 0F BEAVER VALLEY POWER STATION, UNIT 2 May 28, 1987 Letter to licensee transmitting Supplement No. 5 of the SER. ,
1 May 28, 1987 Letter to licensee transmitting the low power (5%) operating license, NPF-64.
May 29, 1987 Letter to licensee requesting edditional information on off-site medical services for emergency preparedness.
June 4, 1987 Letter to licensee requesting additional information on plant safety monitoring system (PSMS).
June 4, 1987 Letter to licensee informing of minor discrepancies between the FSAR and the Technical Specifications.
June 5, 1987 Letter from licensee providing additional information on questions raised by the Seismic Qualification Review Team. l June 8, 1987 Letter from licensee providing information on several parameters related to the peaking factor. j June 9, 1987 Letter from licenses submitting the BVPS-2 Solid Waste Process Control Program (PCP). j l
June 9, 1987 Letter from licensee submitting the BVPS-2 Offsite Dose !
d Calculation Manual. '
June 10, 1987 Letter to licensee transmitting corrected pages to the Technical Specifications.
June 11, 1987 Letter to licensee transmitting bound copies of SSER 5.
June 11, 1987 Letter from licensee responding to the staff's letter of May 29, 1987, on medical services for offsite emergency preparedness.
June 22, 1987 Letter from licensee transmitting FSAR Amendment 18.
June 23, 1987 Letter from licensee providing additional comments on the SER.
June 23, 1987 Letter from licensee confirming completion of accumulator isolation val've test.
June 24, 1987 Letter from licensee providing comments on the low power license.
l Beaver Valley 2 SSER 6 1 Appendix A l
l
J June 24, 1987 Letter from licensee transmitting drawings for preservice ;
inspection (PSI) review. ;
June 29, 1987 Letter from licensee transmitting information on Power Ascension Operational Self Assessment Program.
June 30, 1987 Letter from licensee informing of completion of all Regulatory j Guide 1.75 modifications. !
July 2, 1987 Letter from licensee informing of completion of diesel generator instruments vibration test. (Confirmatory issue 38).
July 2, 1987 Letter to licensee granting relief from certain requirements of 10 CFR 50.55a, inservice testing and preservice inspection.
July 6, 1987 Letter from licensee withdrawing request for schedular exemp-tion for steam generator high level median selector. #
July 6, 1987 Letter from licensee addressing fire protection supervisory circuits and other issues.
July 6, 1987 Letter from licensee addressing technical specifications on control room habitability.
July 8, 1987 Commission meeting on full power license.
July 8, 1987 Letter to licensee requesting input to NRC Safety Issues Management System.
July 8, 1987 Letter from licensee addressing technical specification on control room habitability.
July 10,1987 Letter from licensee stating that all tests required by I&E Bulletin 80-06 have been completed.
July 14, 1987 Letter from licensee informing of changes to FSAR Chapter 14, Initial Tests.
July 14, 1987 Letter to licensee informing of acceptability of Offsite Dose Calculations Manual (0DCM).
July 27,1987 Letter from licansee transmitting signed Indemnity Agreement No. B-73, Amenon.ent 10.
July 27, 1987 Letters from licensee requesting relief from certain preser-July 28, 1987 vice inspection requirements.
July 31, 1987 July 28, 1987 Letter from licensee informing of completion of containment instrument a.ir design verification.
July 31 to August 7, 1987 Staff inspection of licensee's low power operation.
Beaver Valley 2 SSER 6 2 Appendix A
August 6, 1987 Letter from licensee requesting ful1 power license be issued soon after August 7, 1987.
i .,
I August 10, 1987 Letter to licensee transmitting safety evaluation on j item 2.2.1 of NUREG-1000 (Salem ATWS events).
{
l August 13, 1987 Commission meeting to vote on approval to issue full power license. Full power license issued.
I 1
l l
l l.
l Beaver Valley 2 SSER 6 3 Appendix A
I I
APPENDIX E I NRC STAFF CONTRIBUTORS AND CONSULTANTS Staff Reviewer Title l Frederick Burrows Electrical Engineer l Timothy Collins Section Leader Richard Eckenrode Human Factors Engineer Shou-Nien Hou Senior Mechanical Engineer Dennis Kubicki Fire Protection Engineer l Armando Masciantonio Mechanical Engineer Jerry Mauck Section Leader I Gerald Simonds Emergency Preparedness Analyst i
Administration '
Shirley Norris Licensing Assistant 1
Consultants Gary L. Johnson, Lawrence Livermore National Laboratory Jack W. Savage, Lawrence Livermore National Laboratory E. Eugene Schultz, Jr., Lawrence Livermore National Laboratory Technical Editor Jane Corley Beaver Valley 2 SSER 6 1 Appendix E
l l
\
i l
1 i
APPENDIX P l i ERRATA l
Errors in the SER ,
Page Location Comment 7-4 Section 7.3.2.2, Should read "...approximately I first sentence of 628 seconds..."
l second paragraph I 11-8 Section 11.4.1, Should read "...and paper will third sentence of be compacted in the waste first paragraph compaction area."
Errors in SSER 5 Page Location Comment 1-5 Table 1.4 Confirmatory issue 11 should' read " Item II.D.1 of NUREG-0737, safety / relief valves".
1-9 Table 1.5 Items (3), (4) and (6) should not be there at all, l
l l 14-1 First paragraph Should read "...the applicant i # addressing Section committed to the testing of safety 14.2.12.12.6 injection accumulator...."
l l
14-2 Paragraph addressing Should read "the applicant Section 14.2.12.66.2 .... .
l l
l Beaver Valley 2 SSER 6 1 Appendix P
1 i
- HUMAN FACTORS ENGINEERING DETAILED CONTROL ROOM DESIGN REVIEW l
SUPPLEMENTAL TECHNICAL EVALUATION REPORT FOR DUQUESNE LIGHT COMPANY BEAVER VALLEY POWER STATION UNIT 2 I
1
- 1
.l Jack W. Savage Lawrence Livermore National Laboratory I April 8, 1987 l
Beaver Valley 2 5SER 6 Appendix S
HUMAN FACTORS ENGINEERING DETAILED CONTROL ROOM DESIGN REVIEW I SUPPLEMENTAL TECHNICAL EVALUATION REPORT l FOR DUQUE5NE LIGHT COMPANY l l
BEAVER VALLEY POWER STATION UNIT 2 ..
- 1. BACKGROUND j l
l Licensees and applicants for operating licenses shall conduct a Detailed Control Room Design Review (DCRDR). The objective is to " improve the ability of nuclear power plant control room operators to prevent accidents or cope with accidents if they occur by improving the information provided to them" l (NUREG-0660, Item I.D.1.).2 The need to cgnduct a DCRDR was confirmed in NUREG-0737 and Supplement I to NUREG-0737.2 DCRDR requirements in Supplement I to NUREG-0737 replaced those in earlier documents. Supplement 1 to NUREG-0737 requires each applicant or licensee to conduct a DCRDR on a schedule negotiated with the Nuclear Regulatory Commission (NRC). l NUREG-07003 describes four phases of the DCRDR and provides applicants and licensees with guidelines for its conduct. The phases are.
- 1. Planning i
- 2. Review
- 3. Assessment and Implementation l
- 4. Reporting NUREG-0800 Section 18.15 provides additional guidance to be used in developing and evaluating DCRDR programs.
Supplement 1 to NUREG-0737 requires that the DCRDR include the following elements:
- 1. Establishment of a qualified multidisciplinary review team.
- 2. Function and task analyses to identify control room operator tasks s and information and control requirements during emergency operations.
- 3. A comparison of display and control requirements with a control room inventory.
- 4. A control room survey to identify deviations from accepted human factors principles.
- 5. Assessment of human engineering discrepancies (HEDs) to determine which are significant and should be corrected.
- 6. Selection of design improvements.
- 7. Verification that selected design improvements will provide the necessary correction and do not introduce new HEOs.
- 8. Coordination of control room improvements with changes from other programs such as the safegy parameter display system (SPDS), operator training, Reg. Guide 1.97 instrumentation, and upgraded emergency operating procedures (EOPs).
Licensees are expected to complete Element I during the DCRDR's planning phase, Elements 2 through 4 during the DCRDR's review phase, and Elements 5 DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 1 Appendix 5
through 7 during the DCRDR's assessment and implementation phase. Completion of Element 8 is expected to cut across the planning, review, and assessment and implementation phases. ._
A sumary report is to be submitted at the end of the DCRDR. As a minimum it 1 shall: l
- 1. Outline proposed control room changes.
- 2. Outline proposed schedules for implementation.
- 3. Provide sumary justification for HEDs with safety significance to be left uncorrected or partially corrected.
The NRC staff evaluates the organization, process, and results of the DCRDR.
Results of the evaluation are documented in a Safety Evaluation Report (SER) published within two months after receipt of the Sumary Report.
- 2. ASSESSMENT OF DCRDR ACTIVITIES l Duquesne Light Company's (DLC) DCRDR Sumary Report for the Beaver Valley l Power Station Unit 2 was submitted on December 2, 1985. The NRC staff, with l assistance from Lawrence Livermore National Laboratory (LLNL) reviewed the ;
Sumary Report and conducted a preimplementation audit of the Beaver Valley l Power Station DCRDR on February 11 and 12, 1986. Based upon this review, NRC ;
concluded that DLC had satisfied most DCRDR requirements of Supplement I to l NUREG-0737. However, a few open items need to be addressed in a Supplemental Summary Report. NRC has identified these open items in a Safety Evaluation Report (SER)B.
The evaluation of the Beaver Valley Power Station Unit 2 DCRDR provided in !
this Supplemental Technical Evaluation Report (TER) is based on rpiew of the i NRC SER of July 7,1986 and the Supplemental Sumary Report (SSR)Y submitted ;
by DLC on January 8, 1987. DLC has resolved most of the open items identified l by NRC apd thus has satisfied most of the requirements of Supplement I to I NUREG-0737. The following is a list of the topic areas discussed in this Supplemental TER:
o Control Room Survey o Assessment of HEDs o Selection of Design Improvements o Verification Process for Determining that Design Improvements Provide the Necessary Correction and Do Not Introduce New HEDs These topics encompass all open items remaining from the Sumary Report review. The DLC responses to a number of open items, incomplete items and possible problem areas identified in the SER are also discussed in this report. However, DLC will need to supply additional responses to some items which are identified in this report.
l DCRDRBVPS2:4/8/87 ~2-Beaver Valley 2 SSER 6 2 Appendix 5
t 2.1 CONTROL ROOM SURVEY 2.1.1 Requirement ,
Supplement I to NUREG-0737 requires that a control room survey be conducted to identify deviations from accepted human factces principles. NUREG-0700 provides guioviines and criteria for conducti.g a control room survey.
-2.1.2 Discussion NRC's SER indicated that DLC has generally accomplished the control room survey in an adequate and systematic manner. DLC, however, needed to resolve two open items for the control room survey to be completely acceptable, o Complete survey items that had been deferred pending further progress I of control room construction, o Address several specific human engineering deficiencies (NEDs) noted by the NRC Audit Team, but which did not appear to have been ,
, identified by the BVPS-2 DCRDR.
DLC's SSR indicated that most of the remaining control room survey tasks were l completed. However, the following surveys are not complete due to Control Room (CR) construction status and operation stal.us of the plant:
o Work space -
will be initiated prior to April 30, 1987 l 0 Emergency Equipment -
will be initiated prior to April 30, 1987 o Communications -
will be initiated after April 30, 1987 ,
o Heating, Ventilating, Air Conditioning (HVAC) - will be conducted when the HVAC system is in nonnal operational mode o Illumination (Lighting) -
will be conducted prior to or during the first refueling outage o f Ambient Noise will be conducted post-comercial operation Furthermore, review of certain criteria in otherwise complete surveys has been deferred. These deferred surveys are:
I DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 3 Appendix 5
Number of Open/
Unfinished SSR Section Criteria Coment ._
3.3 Annunciators 2 Will complete 4/30/87 3.5 Displays 1 Completion deferred until prior to or during the first refueling outage (lighting survey) 3.6 Labels 1 Completion deferred until prior to or during the first refueling outage (lighting survey) 3,7 Computer System PCS 8 Completion deferred until prior to or during the first refueling outage (lighting survey)
Computer System ERFCS/SPDS 6 Completion deferred until prior to or.during the first refueling outage (lighting survey)
Computer System PSMS 6 Completion deferred until prior to or during the first refueling outage (lighting survey) -
Computer System DRMS 17 Completion deferred until prior to or during the first refueling outage (lighting survey) 3.9 Maintainability 1 Completion deferred until after 4/30/87 (communications survey) a PCS - Plant Computer System ERFCS/SPDS - Emergency Response Facility Computer System / Safety Parameter Display System PSMS - Plant Safety Monitoring System DRMS = Digital Radiation Monitoring System In some cases the deferrals were due to inability to access equipment due to the construction / operational status of the plant. In other cases, the ,
deferral was dependent on the availability of special equipment. I In all cases, the emergency shutdown panel and the alternate shutdown panel are stated to be included in the surveys. ,
Section 4.0 of the SSR addresses the following specific HEDs identified in the NRC SER review:
DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 4 Appendix S
A. Meter Character Size A walkdown review using NUREG-0700 guidelines identified small letter scale plates for replacement. Larger letter scaleplates (approximately 3/16" height) were determined to be acceptably legible if the scaleplate type and l meter pointer were compatible. The review determined the correctness of each '
I meter scaleplate. Replacements will be completed by 04/30/87. This is acceptable.
B. Control Display Integration .
The status lights and switches on the control board, Section C, will be rearranged by 04/30/87 to provide a logical progression of status lights.
This is acceptable. l l
C. No Lamp Test or Check Procedure All single filament, single bulb indicator lights were identified. Existing l periodic surveillance and maintenance procedures will be modified to require l verification of bulb operability for indicators associated with safety i equipment. The longest planned test interval is 18 months. This is l acceptable.
D. Lighted Push Buttons (PB) Cannot be Distinguished From Light Indicators (LI) .
The stated justification for not clearly differentiating between PB and LI does not clearly address the problem of selective identification. It,is recommended that this item be kept open until such justification is provided to the NRC for evaluation.
E. Ltck of a System to Ensure Removed Annunciator Tiles will be Correctly Replaced Unique tile location identification labels will be installed by 04/30/87.
This is acceptable.
F. Lack of Coding Between Tri as and Reset Switches for Safety Injection (SI),
Containment Isolation System (CIS), and Reactor Trip All switches have been enclosed with unique color coded demarcation. This is acceptable.
G. Inconsistent Nomenclature Between Meter Faces, Labels, and Steam Generator Instrumentation /Procajures Work requests were initiated to alleviate the inconsistencies. This will be acceptable when % work is completed and suitably described to the' NRC for evalu6 tion.
DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 5 Appendix 5
i 2.1.3 Conclusion i 5
Once DLC completes the remaining control room surveys and survey items _in the manner described in the Sumary Report and Supplemental Sumary Report,-this requirement of Supplement I to NUREG-0737 will be acceptably addressed ~. The following remains to be done: I o Completion of the control surveys and the specific survey criteria i deferred to a later stage of plant construction. i o Resolution of the nomenclature inco~nsistencies .
o Submittal of satisfactory justification for not providing clear differentiation between pushbuttons and lighted indicators.
DLC should complete these items and document completiun for NRC review in a ;
Supplemental Sumary Report.
2.2 ASSESSMENT OF HEDS 2.2.1 Requirement Supplement I to NUREG-0737 requires that HEDs be assessed to determine which HEDs are significant and should be corrected.
. 2.2.2 Discussion NRC's DCRDR SER found DLC's assessment process acceptable. However, NRC 4 requested that DLC reassess two HEDs concerning annunciator prioritization and !
remote shutdown panel control switch targets. l The reassessment of annunciator prioritization suggested in the SER was l executed and DLC decided that no change was needed because operators are trained to respond to all alarms on a 2-level-by-position code basis as follows:,
j o Panel A-5 reactor / turbine trips first-out panel - contains the highest priority alarms.
o All other alarms on other panels are considered to be secondary priority.
l The reassessment of lack of targets on the Emergency Shutdown Panel-(ESP) and Alternate Shutdown Panel (ASP) control switches resulted in procedures being i revised to remove reference to non-existent control switch targets on the ASP and ESP control cwitches.
2.2.3 Conclusion This requirement of Supplement 1 to NUREG-0737 has been met.
DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 6 Appendix S
2.3 SELECTION OF DESIGN IMPROVEMENTS 2.3.1 Requirement ,
. Supplement I to NUREG-0737 requires the selection of control room improvements that will correct significant HEDs. It also states that improvements that can be accomplished with an enhancement program should be done promptly.
2.3.2 Discussion NRC previously found thatDLC'sprocessforselectingdesignimprovementsis l acceptable. There were, however, a few improvements for which DLC needed to provide more details about the planned corrective action.
The DLC Supplemental Summary Report (SSR) includes the following information on corrective actions for complex problems:
A. Hierarchical Labeling Attachment 4.1 to the SSR contains a short description of nameplate instructions and attachment 4.2 to the SSR is a colored bench board photo showing some hierarchical labels. However, the single enmple of a proposed device label to be applied "where possible" to vertical board sections does
. not constitute a complete and comprehensive statement of where labels will be applied or a description of a hierarchical labeling system. It is reconrnended that the NRC request an additional description in order that a valid evaluation can be made, j
B. Functional Demarcation Attachment 4.1 to the SSR (Plant Identification Guidelines) indicates DLC plans to demarcate functionally related displays and controls using color coded demarcation lines. The color code meaning will be identified by a similar y color coded legend table. The single photo (attachment 4.2) supplied in the report illustrates an acceptable example of demarcation. The described functional demarcation scheme is acceptable.
i C. Meter Banding DLC plans to indicate normal 100 percent power operating ranges, alarm set i points, automatic action set points, reactor trip limits, design limits and technical specification limits on plant instrumentation. The planned meter banding scheme is acceptable.
D. Tagout process DLC has developed a tagout process that makes use of stickers in lieu of tags in the control room. The use of stickers avoids concerns with tags obscuring important information. This process is acceptable.
i DCRDRBVPS2:4/8/87 l Beaver Valley 2 SSER 6 7 Appendix 5
E. Tracking of HEDs and Resolutions DLC addressed the NRC review team finding of confusing, conflicting an_d inconsistent considerations and resolutions of HEDs between DLC management and the DCRDR team by implementing a tracking system illustrated by Table'4.4 of the SSR. HEDs previously categorized as "no change" were also reviewed, clarified, and resolutions sumarized in Table 4.4 of the SSR. The table shows that the HED corrective actions sumarized will all be implemented no later than 04/15/87.
A review of SSR Table 4.4 identified the following concerns:
HED Coment 2VA6-2010 Implemented, but verification should be completed.
2***-1105 2***-1107 Implemented, but verification date and schedule not entered, and 1 2***-1108 description of corrective action should be made more specific.
2***-1116 2BA4-2502 HED states "make same as Unit-1". Description states "no change
- same as BV-1". Conflict must be clarified.
2***-2213 Shown in two places; Pg. 4-19 and Pg. 4-21. Page 4-19 -
2***-2220 reads, " Mark normal zones and set points on scales".
Verification states "CRISM SSR SEC4". Page 4-21 reads, " Revise set points to next most conservative readable value."
l Verification states "No char.ge." Conflict must be clarified.
j A review of HEDs included in the SSR identified the following concern:
SSR HED. Coment 201C-5225 Yellow is used for a different meaning on the SPDS than on the other CR displays and plant computers. DCL does not plan to correct this discrepancy, LLWL recomends that DLC make modifications as needed to implement uniform use of color coding or provide NRC with additional justification for not consistently applying color code conventions.
2.3.3 Conclusion )
i DLC has acceptably addressed concerns B, C and D above. Attachment 4.1 of the j SSR (Plant Identification Guidelines) cites NUREG-0700 and "BV-2 Control Room l Design Review" as references. More information is needed to support a conc?usion of this nature for items A and E above.
~
l l
DCRDRBVPS2:4/8/87 1 I
Beaver Valley 2 SSER 6 8 Appendix S
- 1. For Item A DLC should provide a more complete description than is contained in Attachment 4.1 of the SSR of the philosophy and human factors criteria to be used in implementing hierarchical labeling.
Specific items that should be included are: -
o Replace the indefinite phrase "where possible" with definitive statements describing the extent and process of selection and installation of hierarchical labels on the control room panels.
o A description of how the DLC will use the guidelines of NUREG-0700 Chapter 6.6 (Labels and Location Aids) in regard ,to Ranking of major, minor, and component labels Letter size gradations Label placement and mounting Label orientation and visibility
- 2. For Item E, DLC must document the completion of the HED correction, verification review, and resolve conflicts in the indicated corrective action as described above.
The additional description of the hierarchical labeling scheme and of the resolution of concerns with Item E above should be provided for NRC review in a Supplemental Sumary Report.
DLC should advise the NRC that it will use color coding in a uniform end consistent manner, or justify why it will not do so.
2.4 VERIFICATION THAT DESIGN IMPROVEMENTS PROVIDE NECESSARY CORRECTION AND DO NOT INTRODUCE NEW HEDs 2.4.1 Requirement Supplement I to NUREG-0737 requires verification that selected design improvements will provide the necessary correction and will not introduce new HEDs intb the control room.
2.4.2 Discussion The NRC SER found DLC's process for verifying design improvements is acceptable except that the process for verifying the human factors suitability of changes made since completion of DCRDR but before implementation of procedures that require human factors review of any control room changes had not been described.
In response to the NRC pre-implementation audit concerns about the design change process, Section 2 of the SSR (Post CRDR change evaluation) describes the DLC/ Stone and Webster review between September 1984 and April 1986 of 378 changes to the CR main control board, emergency shutdown panel and alternate shutdown panel. Ten HEDs were identified and sumarized in Table 2.1 of the SSR. The assessment and description of the HEDs was conducted as described in l Section 5.0 of the SSR. .
DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 9 Appendix S
2.4.3 Conclusion DLC has satisf actorily addressed this requirement of NUREG-0737, Supplernent 1.
3.0
SUMMARY
Based upon our review of the Beaver Valley Power Station Supplementary Sumary Report, we find DLC has cenerally satisfied the requirements of Supplement I to NUREG-0737. The following items remain to be completed, corrective actions selected and implementations scheduled and addressed in a supplemental sumary report to be submitted on a schedule acceptable to the NRC.
3.1 Complete the following survey sections:
o Workspace o Emergency Equipmtat o Communications o HVAC o Illumination (Lighting) o Ambient Noise 3.2 Complete the partially completed surveys summarized in Section 2.1.2 of this report:
o Annunciators .
o Controls o Displays o Labels j o Computer Systems -
3.3 Address the following items described in Section 2.1.2 of this report:
o , Provide additional justification which addresses the reasons for not differentiating between lighted push buttons and indicators on the Turbine Control Panel, o Provide additional descriptions of what is being done to make the nomenclature consistent among meter faces, labels, and steam cenerator instrumentation / procedures.
3.4 Provide additional information as requested in Section 2.3.2 of this report: ,
o Provide information that will allow the NRC to evaluate the acceptability of the proposed Hierarchical Labeling System. '
l o Address the HED related issues and concerns summarized on page 8 of this report.
I i
s' DCRDRBVPS2:4/8/87 -F-Beaver Valley 2 SSER 6 10 Appendix S
1 l
- 4. REFERENCES l
- 1. U.S. Nuclear Regulatory Counist. ion, NUREG-0737, " Clarification of THI l Action Plan Requirements," November 1980, Supplement 1 December.1982.
i1
- 2. U.S._ Nuclear Regulatory Commission, NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident," ~0ctober 1981. J
- 3. U.S. Nuclear Regulatory Commission, NUREG-0700, " Guidelines for Control $
i Room Design Review," September 1981. I 4 U.S. Nuclear Regulatory Connission, Regulatory Guide 1.97,
" Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs During and Following an Accident," December 1980.
- 5. U.S. Nuclear Regulatory Commission, NUREG-0800, " Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," l Section 18.1, Control Room, Rev. O, September 1984. ;
- 6. DLC Beaver Valley Power Station Unit 2 Sumary Report, submitted December 2, 1985.
- 7. U.S. Nuclear Regulatory Comission, In-Progress Audit Report, dated August 23, 1984. '
- 8. U.S. Nuclear Regulatory Comission, " Safety Evaluation Report of Beaver Valley Station, Unit 2, Detailed Control Room Design Review,"
July 7, 1986.
- 9. Duquesne Light Company, " Detailed Control Room Design Review -
Supplemental Sumary Report," January 8,1987.
l l
i i
l l
l l
DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 11 Appendix 5 1
l i
l 1
TECHNICAL EVALUATION REPORT , q OF THE SAFETY PARAMETER DISPLAY SYSTEM j FOR DUQUESNE LIGHT COMPANY BEAVER VALLEY POWER STATION UNIT 2 l
1 APRIL 22, 1987 l
E. Eugene Schultz, Jr.
Gary L. Johnson l <
Lawrence Livermore National Laboratory 6
For The United States Nuclear Regulatory Commission l
i l
l l
I Beaver Valley 2 SSER 6 Appendix T l
l
i TECHNICAL EVALUATION REPORT SAFETY PARAMETER DISPLAY SYSTEM DUQUESNE LIGHT COMPANY BEAVER VALLEY POWER STATION, UNIT 2 -
I
- 1. BACKGROUND NUREG-0660 [1] identified the need for power reactor licensees and applicants l
for operating licenses to provide a Safety Parameter Display System (SPDS) that will display to operating personnel a minimum set of parameters which define the safety status of the plant. This need was confirmed by NRC in l NUREG-0737 [2] and Supplement I to NUREG-0737 [3]. SPDS requirements in '
Supplement 1 to NUREG-0737 replaced those in earlier documents.
included in Supplement I to NUREG-0737 is the requirement that the licensee or dpplicant prepare a written safety analysis for the SPDS and provide this '
analysis along with the plant-specific SPDS implementation plan for NRC review. Criteria for evaluating Safety Parameter Display Systems are i contained in Section 18.2 of NUREG-0800 [4], the Standard Review Plan. These criteria address both the review of a specific SPDS design, and review of the applicant's or licensee's verification and validation (V8V) program, including the program for SPDS design, development, and testing. Results of the NRC evhluation of a SPDS will be documented in a Sefety Evaluation Report (SER) or
- SER Supplement.
This Technicol Evaluation Report provides Lawrence Livermore National Laboratory's (LLNLs) evaluation of the Beaver Valley Power Station, Unit 2 (BVPS-2) SPDS with respect to the requirements of Supplement 1 to NUREG-0737, for NRC's use in preparing a SER. This evaluation was based upon review of Duquesne Light Company's (DLC's) BVPS-2 SPDS Safety Analysis Report [6] and the results of an on-site audit conducted February 18 and 19,1987. The onsite audit reviewed the BVPS-2 SPDS V&V program and operation of the SPDS.
Thus, the audit specifically addressed the points of both a Design Verification Audit and a Design Validation Audit, as described by Sec. 18.2 of NUREG-0800 (4). The Audit Team was composed of one individual from the NRC and two' individuals from LLNL, acting as consultants to the NRC.
- 2. SAFETY PARAMETER DISPLAY SYSTEM DESIGN OVERVIEW The SPDS is a function of the BVPS-2 Emergency Response Facility Computer System (ERFCS).The SPDS receives data input from the Plant Safety Monitoring System (PSMS), the Digital Rod Position Indicating (DRPI) System, and Digital Radiation Monitoring System (DRMS), all of which must be operable for SPDS to be completely functional. The SPDS function is provided by a set of displays 5ased on six critical safety functions (CSFs). These CSFs include reactivity o ntrol, reactor core cooling, heat removal in primary system, RCS integrity, radioactivity control, and containment integrity.
l BVPS2-SPD:4/22/87jak 1 Beaver Valley 2 SSER 6 1 Appendix T l
i
l i
SPDS users access functions primarily through use of pushbuttons. A few user interactions require a combination of pushbutton press and keyboard entry.
j There are four levels of hierarchically-arranged displays: i
- 1. Top-level displays, which show the status of key plant operating-parameters in an octagonal pattern. DLC calls these top-1crel displays iconic displays. This pattern is fonned by diag nals emanating from a comon origin. Each diagonal represents a key parameter. The length of 1
i each diagonal represents the value of that parameter normalized to the expected parameter values under normal operating conditions. As ;
parameter values change, the length of the diagonal r' representing that :
parameter changes, so that the octagon becomes asymmetrical when one or l more parameters deviate from the expected value. Actual and reference '
values of each parameter are displayed next to each diagonal. There are two top-level displays: 1) a wide range or " mitigate mode" display, associated with parameters that are important after reactor trip, and 2) i a narrow range or " terminate mode" display, associated with parameters i important during normal operation.
- 2. Second-level displays, which show overall plant status. One of the two 1
j displays at this level is a graph of reactor cooling system pressure vs. I maximum core-exit thermocouple reading. The other shows important plant ,
parameters on a primary and secondary system piping and instrumentation !
diagram.
- 3. Third-level displays, consisting of individual plant system displays' .
Except for radiation monitoring, these displays show important parameters for each of several critical plant systems. Parameters are 1 displayed on system piping and instrument diagrams. Radiation monitoring '
data are presented in alphanumeric format.
i
- 4. Fourth-level displays, which depict individual analog sensor data within each system in tabular format.
I A menu-map display is also available. This map shows the relationship between !
displays in the display hierarchy. Operators can use this display to determine how to reach a desired display from any other display. Users may also directly access displays from this map by piacing the cursor over the map i location corresponding to the desired display.
In addition to the displays in the display hierarchy, several other types of displays are available:
- 1. " Point detail" displays, which contain detailed information about sensor input for a selected parameter. These displays can be accessed through i moving the cursor over displayed parameter values, then pressing the EXECUTE key on the keyboard. 4
- 2. Trend displays for the key parameters depicted in top-level displays.
Each trend display depicts four plant parameter values over periods of BVPS2-SPD:4/22/87jak 2 Beaver Valley 2 SSER 6 2 Appendix T
1 b
5- and 30-minutes from the present. Trend displays can be called directly via pushbuttons.
- 3. History displays in the form of pre-trip and post-trip trend plots for !
each parameter chosen for top-level displays, available to SPDS insers via pushbutton access.
- 4. Iconic replay displays, which show time history of iconic displays during 5- or 30-minute intervals before either pre-or post-trip periods, ;
or both. I l Parameter values are updated every two seconds, except for radiation data, -
l which are updated every minute. Values which exceed upper- or lower-limits l l
are displayed in red, or in reverse-video red. Normal values are displayed in l yellow. The option for users to enter and/or modify data base information is !
provided.
l 3.0 ASSESSMENT OF THE VERIFICATION AND VALIDATION PROGRAM l A Verification and Validation (V&V) Program is concerned with the process of ;
j specification, design, fabrication, testing, and installation associated with !
an overall system's software, hardware, and operation. For the SPDS, verification is the review of the requirements to see that the right problem is being solved, review of the design to see that it meets the requirements, i and testing of system modules to verify that they function properly. !
Validation includes performance testing of the integrated system to see that j it meets all requirements. Validation testing should not only include l l
integrated testing of the hardware and software, but testing of the SPDS as j l part of the larger system for plant operations which includes the control !
room, plant procedures, plant operators, and operator training.
! Supplement 1 to NUREG-0737 does not require Verification and Validation of the SPDS. However, a V&V program performed by the applicant / licensee during l design, installation, and implementation of an SPDS will facilitate the NRC review of the system. On the basis of an effective V&V program, the NRC staff will reduce the scope and detail of the technical audit of the design.
The remainder of this section presents LLNL's assessment of the V&V program.
The criteria for a effective V8V program recomended by Section 18.2 of NUREG-0800 and by NSAC/39 [5] were used as the basis of this assessment.
3.1 SYSTEM REQUIREMENTS REVIEW The system requirements are the foundation on which the completed system must be designed, built, and accepted. Section 18.2 of NUREG-0800 recommends that a review of system requirements be conducted to determine that the SPDS functiont.1 needs will be satisfied. NSAC/39 states that a system requirements review should independently determine if the requirements will result in a possiole and usable solution to the entire problem, and should verify that the requirements are correct, complete, consistent, understandable, felsible, testable, and traceable. ,.
BVPSt-SPD:4/22/87jak 3 Beaver Valley 2 SSER 6 3 Appendix T
i 3.1.1 Discussion
~
The BVPS-2 SPDS is a implementation of the generic Westinghouse iconic SPDS design. This implementation included only certain features of the generic design, and did not include features that were prirnarily intended to support functions of the Technical Support Center (TSC). For BVPS-2, the result of the Westinghouse design process was a specification that detailed the SPDS displays, human factors conventions, and SPDS algorithms [a].
Westinghouse's SPDS design process included a systems requirement review of the planned capabilities of the generic design. This effort was reviewed as part of the NRC's review of the generic design. The NRC review [7] found that the Westinghouse verification process had satisfied the intent of the V8V recommendations of Section 18.2 of NUREG-0800.
3.1.2 Evaluation The BVPS-2 SPDS design process has fulfilled the intent of Section 18.2 to NUREG-0800 with respect to the recommendation to conduct a system requirements review.
3.2 DESIGN VERIFICATION REVIEW Section 18.2 of NUREG-0800 recommends that a design verification review be performed after the system is initially designed to verify that the design will satisfy functional needs. NSAC/39 recorrrnends that the design review ensure that the system requirements decomposition into hardware and software is complete, and that there are no ambiguities or deficiencies.
3.2.1 Discussion The ERFCS was constructed from a design specification prepared for DLC by Stone ahd Webster [e]. This SPDS portion of this specification incorporated the Westinghouse SPDS specification by reference. The ERFCS was constructed by Bailey Controls Corporation.
ERFCS hardware was assembled from off-the-shelf equipment. Considerable experience with this equipment was available to demonstrate its ability to perform in accordance with the ERFCS specification. Therefore, formal design verification was not conducted for each component of the ERFCS hardware.
Bailey did, however, review the hardware system design to verify that the system supports the SPDS and ERFCS requirements. In addition, DLC intends to perform site acceptance tests in which every hardware component is loaded to its limits.
SPDS software was developed by Bailey to conform with the requirements of the Westinghouse specification. Software was developed on a modular basis to correspond to the software modules defined by Westinghouse. The coding of each software module was reviewed by Bailey to confirm that the code coirectly BVPS2-SPD:4/22/87jak 4 l
Beaver Valley 2 SSER 6 4 Appendix T
implemented the algorithm and/or display layout set forth in the Westinghouse specification. This review, performed by' Bailey programmers who were independent of the ERFCS development process, was conducted in accordance with predefined V8V procedures [h.1]. Any discrepancies noted were documented and corrected. Once the the independent reviewer concluded that the code correctly implemented the specification requirements, the reviewer prepared a memo documenting the acceptance of the module under review.
The NRC Audit Team examined sample documentation of the verification review i
[c]. This review confirmed the implementation of the process described above.
Since the Plant Safety Monitoring System (PSMS) and the' Digital Radiation Monitoring System (DRMS) provide data and quality information to the ERFCS, appropriate Verification and Validation of the SPDS functions of these systems i is an important part of the Y&V of the SPDS function. Verification and !
Validation of the PSMS is being conducted on a generic basis by l Westinghouse. Once the generic V8V program is complete, the program will be !
reviewed and actions will be taken to make the progra:n applicable to the plant specific BVPS-2 PSMS. Detailed infonnation regarding verification of the DRMS '
function was not available for NRC Audit Team review. DLC indicated, however, that DRMS verification testing had bten conducted by the system vendor. j 3.2.2 Evaluation The BVPS-2 V&V process satisfied the intent of this reconrnendation of Section 18.2 of NUREG-0800 with respect to the SPDS functions performed by the ERFCS. The adequacy of the verification activities applied to PSMS will be separately reviewed and approved by NRC. DLC should confirm to NRC that this process is applied to the SPDS functions of the PSMS. Verification of the .
SPDS functions of DRMS still needs to be demonstrated. DLC should review the process for verifying that the SPDS functions of the system were correctly implemented. The process for this review, any deficiencies noted, and the i proposed corrective action for the noted deficiencies should be described for '
NRC review. ,
3.3 VALIDATION TESTING NUREG-0800, Section 18.2 recommends that validation testing be performed after the system is assembled to confirm that the operating system satisfies functional needs. <
3.3.1 Discussion Informal integrated hardware / software system testing was conducted by Westinghouse as part of the ERFCS Factory Acceptance Test (FAT) [b]. The FAT procedure was derived from a Westinghouse-developed validation procedure that was used for validation testing of the Westinghouse generic SPDS. Test results were checked against system specifications, and discrepancies were documented. After system installation at BVPS-2, DLC perfonned detailed, formal Site Acceptance Testing (SAT), in which test results were cgmpared to BVPS2-SPD:4/22/87jak 5 Beaver Valley 2 SSER 6 5 Appendix T 1
f I
the design basis. Significant discrepancies were corrected, and retesting was conducted to verify the correction. A decision not to correct a test i discrepancy required concurrence by both DLC and Stone and Webster L
representatives. " .
l The PSMS and the DRMS were not available at the factory site to support the 1 FAT. Therefore, this phase of validation testing was conducted using simulated inputs from these systems. More complete validation of the integration of the PSMS, DRMS, and ERFCS is planned as part of SAT.
The NRC Audit Team examined sample documentation for FAT and SAT [1], )
including test discrepancies that are not to be corrected. For the samples i examined, the conduct of the FAT and SAT documentation was found to be in accordance with the V&V and test procedures.
To validate the useability of the SPDS design as an aid in determining plant safety status, man-in-the-loop testing on the generic SPDS design was '
conducted by Westinghouse. This testing has previously been reviewed by NRC, and was found to have acceptably validated the generic system design [7). DLC l does not plan testing to validate the effectiveness of the BVPS-2 SPDS within the context of the unit's control room and the plant-specific operator training.
3.3.2 Evaluation DLC's system validation efforts satisfactorily address the recommendations of Section 18.2 of NUREG-0800 with respect to integrated hardware and software system testing. DLC must still complete the portions of the SAT necessary to validate the integration of the SPDS functions of the PSMS, DRMS, DPRI, and ;
i ERFCS. !
i l
The man-in-the-loop testing conducted by Westinghouse demonstrated the effectiveness of the BVPS-2 SPDS design as an operator aid. DLC needs to ,
conduct. further man-in-the-loop testing to validate the usefulness of this aid 1 in the context of the BVPS-2 control room, operations philosophy, and operator j training. This testing should be conducted after DLC has developed an acceptable philosophy for SPDS use under transient conditions, and should be i conducted with plant operators trained in this philosophy. DLC should also l take advantage of this man-in-the-loop testing to solicit operator feedback on the human factors aspects of this design. Specific feedback on NRC Audit Team human factors concerns noted in Section 4.9.1 of this TER should be included.
DLC should report to NRC on both the completion of system integration validation and man-in-the-loop testing. The test processes should be described along with a discussion of test results, discrepancies identified by testing, and planned corrective actions.
i i
BVPS2-SPD:4/22/87jak 6 Beaver Valley 2 SSER 6 6 Appendix T
i i
3.4 FIELD VERIFICATION TESTS l J
NUREG-0800, Section 18.2 recommends performance of field verification tests, '
once the system is installed, to verify that the validated system was installed properly. NSAC/39 recommends that, as a minimum, field verification-testing should confirm that the information displayed .is directly correlated with the sensor data being input.
3.4.1 Discussion l i
Verification testing of the SPDS installation is.in progress. As part of '
plant acceptance testing, inputs to system data input nodes and to the plant
- computer have already been verified. This effort includes verification that an -l accurate value of each input is displayed, and that the value is displayed in i the proper area of the SPDS display terminal. Any discrepancies were noted, "
i and were then given to Stone and Webster for correction.
! Yoltage measurements made at plant computer system analog point inputs during-this testing are being used to simulate the plant process instrumentation inputs to verify proper SPDS response. Acceptance test results for the PSMS, DRMS, and DRPI System are being audited to verify that this testing ;
j demonstrated that the SPDS functions of these installed systems function as j l designed. j i 1 3.4.2 Evaluation i The BVPS-2 SPDS field verification program will satisfy the intent of the recommendation of NUREG-0800, Section 18.2 in this area once the testing has ;
been completed and any identified discrepancies have been appropriately !
resol ved. DLC should submit, for NRC review, a discussion of the test .
results, including description of the deficiencies identified, planned )
corrective actions, and corrective action schedules.
l 4. AbESSMENTOFSPDSDESIGN ]
l The NRC Audit Team assessed the SPDS system with respect to Supplanent I to NUREG-0737 and the specific review criteria suggested by NUREG-0800, Section 18.2, Appendix A. This portion of the audit addressed the points of a design validation audit. The following provides a discussion of the BVPS-2 SPDS design features relative to the provisions of Supplement I to NUREG-0737, and ,
the corresponding LLNL assessment in each area. !
4.1 "THE SPDS SHOULD PROVIDE A CONCISE DISPLAY ..."
4.1.1 Discussion The two top-level displays present plant parameters needed to assess critical safety functions in a compact format. Distortion of the octagonal pattern as well as color coding and reverse video display of parameter values denote -
critical / abnormal plant conQitions. Additional displays can be accessed to BVPS2-SPD:4/22/87jak 7 Beaver Valley 2 SSER 6 7 Appendix T
1 i
4 allow users to obtain more detailed information, including tabular data and information about trends. Although these additional displays are not as concise as are top-level displays, the organization of the display hie ~rarchy l and low system response time (usually less than three seconds) facilitate users' ability to access any particular desired information. Furthermore, status information for key plant parameters is available at one location, a l single SPDS workstation. {
i 4.1.2 Assessment .
j The BVPS-2 SPDS meets tne requirements of Supplement I to NUREG-D737 regarding l l concise display. j
! 4.2 "THE SPDS SHOULD .. . DISPLAY .. . CRITICAL PLANT VARI ABLES" 4.2.1 Discussion ,
i Selection of parameters for display on the BVPS-2 SPDS was based upon a Westinghouse analysis to identify the parameters needed to detect depa-'.ures from safe plant conditions. This analysis identified the parameters needed to !
detect a challenge to any of the five critical plant safety functions listed in Supplement I to NUREG-0737. These functions are 1) reactivity control, 2) j reactor core cooling and heat removal from the primary system, 3) RCS '
integrity, 4) radioactivity control, and 5) containment integrity. i
, Consideration was given to the information needed to detect challenges under l pre- and post-trip conditions. Additionally, parameters were included to allow operators to determine system states relevant to the restoration or maintenance of these safety functions. Table 1 provides a listing of the
, parameters displayed by the BVPS-2 SPDS.
The NRC Audit Team noted that containment isolation valve status is not provided by SPDS. Therefore, the status of the containment integrity CSF cannot ee completely assessed by use of the SPDS. )
l The too top-level SPDS displays are mode-dependent. The narrow-range and wide-range iconic displays are associated with the terminate and mitigate modes, respectively. Alarm setpoints applicable to all displays also change l as appropriate to reflect changes in plant operating status. ;
4.2.2 Assessment l i
With one exception, the parameters displayed by the BVPS-2 SPDS are sufficient to provide users with information regarding the status of the five safety functions identified by Supplement I to NUREG-0737. DLC should modify the l SPDS to include this information or should provide additional justification for not including containment isolation valve status in SPDS displays. !
4.3 "THE SPDS SHOULD ... AID THEM (OPERATORS) IN RAPIDLY AND RELIABLY !
DETERMINING THE SAFETY STATUS OF THE PLANT" l
\
i l
BVPS2-SPD:4/22/87jak 8 Beaver Valley 2 SSER 6 8 Appendix T
I-4.3.1 Discussion Except for radiation monitoring, parameter values displayed by SPDS are - i updated every two seconds. Radiation monitoring data updates occur once every minute. DLC has specified that response time for user interaction be less than 5 seconds. Under conditions of low system load, the NRC Audit Team noted shat response time for user interaction is consistently less than 3 seconds.
DLC plans to perform response time testing which will establish the bounds of data update rates and system response. This testing v:111 confirm that system response time requirements are met under extremes of system loading.
The ERFCS transforms direct analog inputs into engineering units, using a linear, square root, or exponential conversion, as appropriate. ERFCS also receives inputs from PSMS and DRMS. In these cases, the engineering units conversion is performed before the data are passed to the ERFCS. Inputs are checked to ensure that they fall within the range (based on instrument capabilities of the sensors from which they originate.) Inputs are labeled either GOOD or BAD.
After individual data inputs are checked, an interchannel comparison of good inputs is performed. An algorithm developed by Westinghouse determines whether differences between good inputs fall within predefined acceptance criteria. These acceptance criteria are bawd upon expected instrument accuracy during post-accident and normal m ating conditions. If one or more inputs do not pass the interchannel comparison test, these inputs are flag'ged as BAD, and all other inputs are flagged as POOR. All individual instrument readings which are "not bad" are used to synthesize a single " group value" for each parameter. The group value is quality tagged as follows:
Group Data Quality Code Description BAD 3 No good quality sensor e inputs.
POOR 2 Group qualitj is not bad, but one or more of the individual group sensors has a quality other than good.
MANUAL 1 Not applicable date---
a manually-entered group value will not be utilized. ,
GOOD 0 A group value which is neither bad nor poor.
BVPS2-SPD:4/22/87jak 9 Beaver Valley 2 SSER 6 9 Appendix T
{
-Finally, individual channel data quality labels are revised. Because inputs 1 have already been labeled as GOOD or BAD as a result of range checking, 1 relabeling of individsal channel inputs may occur. The following algori_thm is used: ~
Data Quality Code Description :
i BAD 3 Signal missing, or removed from scan with no value entered,' or ,
originating from an i I/O point which was - i detected as failed by '
system diagnostic j routines, j POOR 2 Signal has failed consistency check.
MANUAL 1 Signal has been j removed from scan, and, a value has been manually entered..
l~ GOOD 0 A sensor value other i i
than bad, poor, or l manual.
]
I In accordance with the data validation algorithms, non-alarm data values are l colored yellow if good, and magenta if any quality other than good. Bad data !
are not displayed, but are indicated by magenta "X"s, and flagged with the letter "B." The values of poor and manually entered data are displayed in tagenta to indicate these values were obtained while one or more channels i yields 606D inputs. These displays are flagged with "P" to indicate poor data '
or "M" to indicate manually-entered data.- A process alarm condition is indicated by displaying data values in reverse video red, and red color coding indicates that-the design' limits of the core have been exceeded. Cyan is used to indicate reference values or static materials, i
The NRC Audit Team pointed out that the labeling of data as POOR merely because one of a number of sensor inputs is labeled BAD is a cause of ;
concern. Data other than BAD input data may be the best indication of plant ,
variable status available to the SPDS user. During the SPDS Audit, however, '
several operators indicated that they ignore any data displayed in' magenta. .
These labeling and color coding conventions may therefore not help operators !
- in determination of plant safety status.
As part of the' field verification testing process, DLC reviewed the scale and
- range of every instrument. The ERFCS was not available during field verification testing, so DLC routed inputs through the ERFCS communications BVPS2-SPD:4/22/87jak 10 Beaver Valley 2 SSER 6 10 Appendix T
-),
m____.__m-______________.______._m______.____.___-m._
loop to the plant computer. DLC verified that every instrument input is correctly converted into engineering data by data transformation algorithms.
DLC required that this transformation not introduce errors greater thart .0025 percent. In a tabletop walkthrough, DLC demonstrated that the algorithm which transforms pressurizer pressure yields appropriate output values.
1 According to DLC, instrumentation calibration procedures were performed as i part of maintenance surveillance activity, and were verified by the BVPS-2 On- l Site Safety Comittee. In addition, DLC verified the screen display location and color of each data output. Plans to include verificat. ion of SPDS readings during periodic instrument calibration were not evident. j l System operability is indicated by several cues. A clock continuously i displays current time every two seconds. Thus, if the system were to become !
inoperable, the indicated time would not change. The blinking of the cursor l l also indicates system operability. In the case of an extreme malfunction, a l computer alarm message is displayed.
I Accuracy of numerical displays is generally to the naarest integer, or to the nearest one-tenth of a unit. The resolution of trend and history plots is five to ten percent of full scale. Trend and history plots are based upon a ;
ten-second sample of parameter values. Trend and history plot scaling, time duration, and sample rates are not user-modifiable.
Security for SPDS is accomplished primarily through procedures specified by a data base change checklist. Access to keys required to perform keylocked l functions is necessary for data base changes, such as the setting of parameter ;
I values, scaling, etc., to be made. The shift supervisor controls these keys.
Programming changes can be made from the Emergency Operations Facility (EOF),
l Technical Support Center (TSC), Computer Room, or Contrr1 Room. Programming
! changes can be entered from SPDS consoles without access to keys. However, to make such changes, one must first load the source code tape, then compile l changes". At BVPS-1, this process requires four hours. Programing changes are currently controlled by the V&V process applicable to system development.
Procedures that ensure proper review of software' changes after system turnover l to DLC have not yet been developed.
The BVPS-2 SPDS is controlled by redundant CPUs with shared memory. These two l CPUs are both diesel- and battery-backed, and are fed by redundant interface nodes. Two SPDS consoles are located in the control room. DLC considers the SPDS terminal at the reactor operator's console to be the primary SPDS console. The TSC tenninal near the shift supervisor's office is primarily an l ERFCS console and secondarily an SPDS console. The terminal at the reactor i operator's console serves as a back-up to the terminal near the shift l supervisor's office; if the latter becomes inoperable, the former may function as an ERFCS terminal. Two additional SPDS tenninals are located in the Alternate TSC above the control room.
l <
BVPS2-SPD:4/22/87jak 11 Beaver Valley 2 SSER 6 11 Appendix T L
Estimates of system availability were not complete at the time of the audit.
DLC is conducting an overall availability study for the BVPS-1 SPDS. This study will be used to estimate BVPS-2 availability.
~
4.3.2 Assessment-The BVPS-2 SPDS, for the most part, satisfies.the provisions of Supplement 1 to NUREG-0737 regarding rapid and reliable display of SPDS information. To completely satisfy this requirement, DLC should address the following issues:
- 1. Reevaluate the perceptual cues used to flag POOR dat'a. Input from operators should be solicited in the resolution of this issue.
- 2. Incorporate verification that SPDS is displaying correct values into procedures for periodic instrument loop verification.
- 3. Complete assessment and prediction of SPDS availability. The function of the entire SPDS system, including SPDS functions performed by DRPI,
'PSMS, and DRMS, must be considered in SPDS availability estimates.
DLC should describe to the NRC the results of activities undertaken to address these issues. This information should be submitted no later than start-up following the first refueling.
It is also recomended that DLC develop a procedure for_ tracking SPDS availability. Actual hardware and software availability should conform t6 predictions.
l 4.4 "THE PRINCIPLE PURPOSE AND FUNCTION OF THE SPDS IS TO AID THE CONTROL l- ROOM PERSONNEL DURING ABNORMAL AND EMERGENCY CONDITIES IN DETERMINING THE l SAFETY STATUS OF THE PLANT AND IN ASSESSING WHETHER ABNORMAL CONDITIONS WARRANT CORRECTIVE ACTIONS BY CONTROL ROOM OPERATORS TO AVOID A DEGRADED CORE."
8 4.4.1 Discussion The BVPS-2 SPDS displays the current value of input variables, and provides perceptual cues to abnormal values through use of pattern recognition (i.e.,
distortion of the octagon which represents key plant parameters), reverse video, and status color coding. The magnitude of critical values is indicated by display of digital parameter values, and, in the case of top-level displays, the length of diagonals in the octagonal figures. As stated l previously, 5- and 30-minute trend and history data, and iconic replay data
- are also available. Iconic replays are labeled as such in the upper-left l
portion of the display.
l l 4.4.2 Assessment l
The BVPS-2 SPDS fulfills the requirement of Supplement I to NURErrsa7 with respect to providing the operator aid in the determination of safety status.
BVPS2-SPD:4/22/87jak 12 Beaver Valley 2 SSER 6 12 Appendix T
1 4.5 "THE SPDS (SHALL BE) LOCATED CONVENIENT TO THE CONTROL ROOM OPERATORS" l 4.5.1 Discussion .
As discussed in Section 4.3.1, two SPDS terminals (reactor operator's console and.TSC terminal) are located in the control room. Because there is a wide aisleway behind each SPDS terminal, neither terminal is likely to interfere with operatos m vement. .However, two operators who were interviewed by the NRC Audit Team stated that a SPDS display mounted on the control room vertical panels (as in DVPS-1) would significantly improve $PDS usefulness.
These operators related ttat they prefer to analyze instrument readings and detailed SPDS data together.
4.5.2 Assessment DLC has fulfilled the requirement of Supplement 1 to NUREG-0737 that the SPDS be convenient to operators.
l Although DLC has met this requirement, the NRC Audit Team recommends that PLC obtsin additional operator input concerning optimal location of SPDS terminals in the control room. If additional input indicates tnat operators prefer the placement of an SPDS terminal on the front board of the control room, DLC should consider placing this terminal accordingly.
4.6 "THE SPDS SHALL CONTINUOUSLY DISPLAY INFORMATION FROM WHICH THE SAFETY STATUS OF THE PLANT ... CAN BE ASSESSED ..."
l 4.6.1 Discussion The BVPS-2 SPDS top-level displays provide an overview of the status of key plant parameters. Perceptual cues also facilitate operators' ability to determine the plant safety status. Only some of the 49 SPDS displays, however, provide information sufficient to assess plant safety status.
Furthermore, the SPDS terminals in the control room may be used for ERFCS displays which likewise do not contain information to assess plant safety status. During the BVPS-2 SPDS Audit. DLC stated that they would implement
. administrative controls to require one of the control room consoles to be l verified in the SPDS mode at least once per shift.
4.6.2 Assessment DLC has not satisfied the requirement of Supplement 1 to NUREG-0737 that the SPDS shall continuously display information from which the safety status of the plant can be determined. Selecting the SPDS mode once per shift does not constitute continuous display of infonnation from which plant safety status can be assessed. Furthermore, a consnitment to ensure continuous display of the l SPDS mode on one control room terminal would not satisfy this requirement i since many SPDS displays do not contain all of the information needed to assess CSF status. Continuously displaying the full-screen top-letel iconic q BVPS2-SPD:4/22/87jak 13 Beaver Valley 2 SSER 6 13 Appendix T
on one of.the two control room consoles would significantly degrade the system's usefulness as a operator aid.
DLC must modify the BVPS-2 SPDS to continuously display infomation from which the safety status of the plant can be assessed, and describe to NRC the actions undertaken to fulfill this requirement. Inform /. tion about these actions should be submitted no later than start-up following the first refueling..
4.7 "THE SPDS SHALL BE SUITABLY ISOLATED FROM ELECTRICAL OR ELECTRONIC INTERFERENCE WITH EQUIPMENT AND SENSORS THAT ARE IN USE FOR' SAFETY SYSTEMS" 4.7.1 Discussion DLC indicated that Class IE isolation devices are'used at each interface between Class 1E systems and the SPDS. Test type data for the specific isolation devices has been separately provided to the NRC. NRC's conclusions regarding the suitability of isolation devices and SPDS isolation provisions will be provided in a Safety Evaluation Report. -
4.7.2 Assessment Review of the isolation provisions is not within the scope of this Technical Evaluation Report.
4.8 " PROCEDURES WHICH UESCRIBE THE TIMELY AND CORRECT SAFETY STATUS -
ASSESSMENT WHEN THE SPDS IS AND IS NOT AVAILABLE WILL BE DEVELOPED BY THE LICENSEE IN PARALLEL WITH THE SPDS. FURTHERMORE, OPERATORS SHOULD BE TRAINED TO RESPOND TO ACCIDENT CONDITIONS BOTH WITH AND WITHOUT THE SPDS AVAILABLE."
4.8.1 Discussion DLC has written the f.A'3 wing statement of the relationship between SPDS and BVPS-2 faergency Op iting Procedures:
"BV-2 Operations considers the SPDS to be a useful tool which can be used by the operators to aid and augment the required control room indication.- The SPDS may be used as an operator aid to assess the plant safety status.
However, the SPDS is not referenced in the E0Ps and is not required to be used during emergency conditions."
SPDS training is designed to teach SPDS users how to: 1) recognize differences in plant design between Unit 1 and Unit 2, 2) interpret top-level displays, and 3) access relevant detailed information. Training content is tailored to operators and shift technical advisors.
The NRC Audit Team examined three lesson plans which DLC uses in its training program. The lesson plans reveal that a sufficient amount of infomation is
- covered during training to enable novice users to operate SPDS. However, three related issues are not covered by ti e training program
BVPS2-SPD:%/22/87jax l I4 B9 aver Valley 2 SSER 6 14 Appendix T-r
- 1. DLC has not identified a specific user of SPDS. Consequently, the relationship between SPDS training and utilization of SPDS during abnormal plant conditions is unclear. .
~
- 2. DLC has neither developed nor implemented a philosophy for utilization of SPDS. Currently, plant operators do not appear to understand the value of SPDS as a system. When describing the merits of SPDS, these operators instead focus upon the ability to access one or two types of infonnation.
- 3. Requirements state that operators should be trained to respond with and without SPDS. Due to a lack of philosophy for SPDS utilization, the BVPS-2 training program does not address this requirement. j i
During the SPDS Audit, three plant operators were interviewed to determine how !
effective an aid SPDS is. Operators generally reported that .SPDS 'is rapid and easy to use, and that it provides the desired functions. However, operators did not report that the top-level (iconic) displays were helpful in determining plant safety status. There appeared to be a preference in !
obtaining information about key variables from ERFCS and from the panels.
Operators generally agreed that more effective SPDS training would enhance the l usefulness of SPDS.
4.8.2 Assessment The BVPS-2 SPDS does not meet this requirement of Supplement I to NUREG-073f.
l DLC should by start-up from the first refueling correct the deficiencies noted above. Evidence of corrective actions should be submitted to the NRC no later l than start-up from the first refueling. )
4.9 "THE SPDS DISPLAY SHALL BE DESIGNED TO INCORPORATE ACCEPTED HUMAN FACTORS PRINCIPLES SO THAT THE DISPLAYED INFORMATION CAN BE READILY PERCEIVED AND l COMPREHENDED BY SPDS USERS." 1 4.9.1 Discussion The SPDS is based on the generic Westinghouse SPDS design. Thus, the SPDS human factors design was, for the most part, developed by Westinghouse. The display hierarchy is based on a cognitive model describing thinking stages of ;
an operator responding to abnormal plant conditions. Westinghouse also '
utilized human factors principles and man-in-the-loop tests in developing the generic SPDS human factors design.
l The BVPS-2 SPDS was evaluated with respect to NUREG-0700 guidelines during the BVPS-2 Control Room Design Review. Thirty Human Engineering Discrepancies (NEDs) were generated. The NRC Audit Team concluded that, with one exception, appropriate action has been scheduled to resolve the identified HEDs. NRC's review of the DCRDR process has determined that DLC's process of 14entifying and resolving HEDs is acceptably [8].
BVPS2-SPD:4/22/87jak 15 Beaver Valley 2 SSER 6 15 Appendix T
m i
The NRC, Audit Team informe 'y performed " hands-on" useability testing of the SPDS.- The human factors dhplay conventions and screen formats of the BVPS-2 .
SPDS are generally acceptable. However, several specific aspects of coding,- !
readability, and the control interface are' deficient: -
- 1. The use of yellow to represent normal data / conditions'is contrary to ;
widely accepted human factors color coding conventions.
- 2. Allowable limits of parameters are not indicated on trend and history plots. Thus, operators cannot perform margin monitoring, i.e.,
determine how far parameters are from alarm limits.
- 3. Trend and history plots are too small to be conducive to readability.
- 4. One trend plot screen, 2TR2, displays two parameters on the same plot.
Lines representing values of each parameter are color-coded 1 identically. It is difficult to determine which line represents which -
parameter.
- 5. Pushbuttons are located in two groupings, one on the keyboard, and one -
in a vertical configuration on the display terminal.
Interaction sequences often require excessive operator hand and arm movement be' tween both groupings of pushbuttons.
- 6. Confusing and/or irrelevant prompts are frequently presented. For .
example, prompt messages may list three response options. To the right ,
of these options, a prompt to PRESS EXECUTE is displayed. This last prompt indicates a response which produces no actions by the system.
- 7. Cursor movement via keyboard arrow keys is slow. The option of cursor movement via joystick in BVPS-1 SPDS is, in many interaction sequences, !
much faster and more efficient.
4.9.2 #ssessment ,
1 The BVPS-2 SPDS has, for the most part, satisfied the provisions of Supplement 1 to NUREG-0737 regarding human factors principles. To completely satisfy this requirement, DLC should address the human factors problems described in 4.9.1 by comparing a task analysis of normal operator response sequences and information requirements to the SPDS coding, information display, and '
interaction technique conventions. HEDs should be generated and resolved on the basis of this evaluation. DLC should by start-up following the first ;
refueling submit to NRC the resuits of this activity.
BVPS2-SPD:4/22/87jak 16 i
Beaver Valley 2 SSER 6 16 Appendix T
__ _ __ _ i
5.0 Sum ARY
- With several' exceptions, the Beaver Valley Unit 2 Safety Parameter Display System fulfills the SPDS requirements of Supplement 1 to NUREG-0737. .To allow an unqualified conclusion regarding SPDS acceptability, DLC should, by start-up following the first refueling, complete the following activities, and submit to NRC documentation that these activities have been completed:
- 1. Verification that SPDS functions of PSMS and DRMS are correctly implemented, and that acceptable procedures for verification of SPDS functions of PSMS were conducted. Documentation should include a description of noted deficiencies and' corrective actions to resolve these deficiencies.
- 2. System validation testing, including system integration and man-in-the-loop testing.
- 3. Field verification testing. Documentation'should include noted deficiencies, planned corrective actions, and schedules for corrective l actions.
- 4. Inclusion of containment isolation valve status in SPDS displays, or submission of a rationale for omitting this infomation from SPDS l - displays.
- 5. Reanalysis of display coding conventions for P00R data.
- 6. Revision of periodic instrument loop calibration to include verification that SPDS is displaying accurate data values.
]
- 7. Completion of assessment and prediction of SPDS availability.
- 8. Conformance with Supplement I to NUREG-0737 requirements regarding i c6ntinuous display of infomation needed to determine plant safety j status.
- 9. Modification of training to comply with requirements in Supplement I to NUREG-0737,
- 11. Comparison of results of a task analysis to SPDS coding, display, and interaction technique conventions. Documentation should include a description of HEDs generated as a result of this activity, and the; resolution of these HEDs.
.BVPS2-SPD:4/22/87jak 17 Beaver Valley 2 SSER 6 17 Appendix T t
In addition, the NRC Audit; Team reconenends that DLC reexamine the following issues that do not directly affect the acceptability of the system with respect to the requirements of NUREG-0737, Supplement 1: ..
- 1. Development of a procedure for tracking SPDS availability.
- isplay on the control room vertical panels may enhance SPDS useability.
6.0 REFERENCES
6.1 GENERAL REFERENCES
- 1. NUREG-0660, "NRC Action Plan Developed as a Result of the THI-2 Accident," Rev. O. May 1980, Rev.1, August 1980.
- 2. NUREG-0737, " Clarification of TMI Action Plan Requirements," November 1980.
- 3. NUREG-0737, Supplement 1, " Clarification of TMI Action Plan Requirements,' December 1982.
~
- 4. NUREG-0800, " Standard review Plan for the Review of Safety Analysis l Reports for Nuclear F swer Plants," Section 18.2, " Safety Parameter i
Display System (SPDS)," Rev. O, November 1984.
l
- 5. NSAC/39, " Verification and Validation for Safety Parameter Display Systems," prepared by Science Applications, Inc. for the Nuclear Safety Analysis Center, December 1981.
- 6. Letter, 2NRC-4-115 E. J. Woolever (DLC) to D. G. Eisenhut (NRC),
" Safety Parameter Display System Safety Analysis Report and Implementation Plan Report," August 1, 1984.
- 7. Letter, LS05-84-02-009, D. M. Crutchfield (NRC) to k. P. Rahe (Westinghouse), " Review of Westinghouse Generic Safety Parameter Display System," February 2,1984.
- 8. Memo, F. Rosa (NRC) to P. Tam (NRC), " Safety Evaluation Report for Beaver Valley Power Station, Unit 2. Detailed Control Room Design Review," July 7, 1986. ,
6.2 DOCUMENTS EXAMINED DURING AUDIT
- a. Westinghouse Design Specification 955809, " Safety Parameter Display System Software and Onsite Technical Support Center Displays," Rev. 3, December 15,1986,(proprietary).
- b. Test Procedure IT-635-ERF-4, "3eaver Valley 2 ERFCS Site Acepptance Test," Rev. O, October J,1986. -
BVPS2-SPD:4/22/87jak 18 Beaver Valley 2 SSER 6 18 Appendix T
l
- c. "SPDS Verification Acceptance Forms," Module VECTA, January 16, 1985 and.
February 6, 1985. . _ . ,
- d. Nuclear Group Directive No. 34, " Configuration Management Program,'"
Draft.
- e. " Specification for Emergency Response Facility Computer System, Beaver Valley Power Station, Unit 2," Rev.1. April 26,1985.
- f. ESD-CR&CD-105, " Design Basis Document, Plant Safety Status Display,"
Revision 1, Westinghouse Corporation, July 10,1985, (proprietary).
- g. WCAP-10170, Westinghouse Corporation, April 29,1982,(proprietary).
- h. Bailey Controls Procedure, "SPDS Verification and Validation Process,"
Rev. C January 16, 1985.
- 1. Bailey Controls Procedure, "BVPS-2 ERFCS Verification and Validation-Process," Rev. A, August 14, 1986.
- j. DLC letter, 2NRC-3-017 E. J. Woolever (DLC) to D. G. Eisenhut (NRC),
" Requirements for Emergency Response Capability," April 15, 1983.
- k. Westinghouse Report, "SPDS Development Process Appendices," no date, ,
l (proprietary).
- 1. Site Acceptance Test Discrepancy Reports, "BV 2 ERFCS Computer Faults,"
October 7, 1986.
- m. Westinghouse Test Procedures, Beaver Valley Unit 2 Safety Parameter Display System Software, Rev. 3, November 22, 1985 (proprietary)
- n. Key S# afety Parameter Selection for the Beaver Valley Unit 2 Safety Parameter Display System, Westinghouse Water Reactors Division, WCAP- .
10170, Rev. 2, September 30, 1986 (proprietary)
- o. Beaver Valley Power Station-Unit 2 Emergency' Response Facilities Computer System, 08700-DES-0149, October 27, 1986
- p. Beaver Valley Power Station-Unit 1 Test Procedures,1T-635-ERF-6, l October 25, 1986
- q. Beaver Valley Power Station-Unit 2 ERFCS Software Verification Test, IT-035-ERF-7, January 27, 1987
- r. ERFCS Digital Input Verification Procedure,1T-635-ERF-8, February 11, 1987
- s. MSP Supplement, 2MSP-6.4)-1, no date BVPS2-SPD:4/22/87jak 19 Beaver Valley 2 SSER 6 19 Appendix T
_____-______ _ _ __-_ _ a
- t. DLC Safety Parameter Display System Lesson Plan, LP-DCP-70, June 7,1985
- u. DLC Emergency Response Facility Computer System / Safety Parameter Display System Lesson Plan, 2LP-SQS-5C, February 17, 1987
- v. DLC Unit I/II STA Cross-Treining Lesson Plan, 2LP-STA-71, February 12, 1987. l l
Al 1
BVPS2-SPD:4/22/87jak 20 Beaver Valley 2 SSER 6 20 Appendix T
. _ _ _ _ _ _ - . l
i TABLE 1 2 PARAMETERS INPUT TO BVPS-2 SPDS -
Reactor Power, Power,. Intermediate, and Source Range.
Volume Control Tank Level Boric Acid Tank Level ,
Emergency Boration Flow Reactor Cooling System (RCS) Makeup Flow Chemical' and Volume Control System (CVCS) Valve Positions -
'CVCS Flow CVCS Pump Breaker Status Turbine Power RCS Average Temperature Control Rod Position Main Steam Line Isolation Demand Signal Main Steam Line Pressures .
Steam Generator Water Levels (Wide and Narrow Ranges) Steam Flow Steam Relief Valve Positions Main Steam Line Isolation Valve Positions l Main Feedwater Flow Feedwater Isolation Valve Positions Steam Dump Valve Positions
~
Condenser Status Demineralized Water Storage Tank Level Auxiliary Feedwater (AFW) Flow AFW Valve Positions ,
AFW Pump Status Containment Water Level RCS Temperatures (T-hot and T-cold) Core Exit Temperatures RCS Wide Range Pressure RCS Flow Reactor Coolant Pump (RCP) Breaker Position RCS Stop Valve Positions Pressurizer Level Pressurizer Vapor Space Temperature Pressurizer Liquid Temperature Pressurizer Heater Breaker Positions Pressurizer Spray Valve Positions Pressurizer Relief Tank (PRT) Valve Positions Pressurizer Power Operated Relief Valve (PORV) Positions 1 PORY Tail Pipe Temperatures Pressurizer Safety Valve Positions ;
Reactor Vessel Water Level Subcooling Margin Reactor Trip Breaker Status Reactor Heat Removal (RHR) Flow RHR Valve Positions RHR Pump Breaker Positions RHR Heat Exchanger Inlet and Outlet Temperatures ,
Engineered Safety Feature (ESF) Valve Positions Emergency Core Cooling System'(ECCS) Flows ,
BVPS2-SPD:4/22/87jak 21 Beaver Valley 2 SSER 6 21 Appendix T 4
ECCS Pump Discharge Pressures ECCS Pump Breaker Status.-
Refueling Water Storage Tank (RWST) Level -
Accumulator Level Accumulator Pressure RCS Letdown Flow RCP Seal Water Flow (supply and return)
Plant Elevated Release Point Radiation Plant Vent Radiation Containment Radiation '
Containment Exhaust Radiation Steam Generator Blowdown Radiation Auxiliary Steam Radiction Condenser Air Ejector Off Gas Radiation Auxiliary Building Area Radiation Decontamination Area Radiation Condensate Polishing Area Radiation Safeguards Building Area Radiation i Waste Handling Building Area Radiation Waste Gas Storage Tank Radiation Liquid Waste Effluent Radiation Fuel Building Ventilation Radiation Fuel Building Area Radiation Control Room Area Radiation Component Cooling Water Radiation Main Steam Line Radiation Service Water Radiation Containment Spray Valve Positions Containment Spray Pump Breaker Positions Containment Hydrogen Concentration Containment Air Temperatures Containment Sump Level Containment Pressure (wide and narrow range)
Containment Spray Actuation Signal Containment Fan Cooler Breaker Status Containment Fan Cooler Inlet and Outlet Water Temperatures Containment Isolation Signals BVPS2-SPD:4/22/87jak 22 Beaver Valley 2 SSER 6 22 Appendix T
_