ML20237J062


Technical Evaluation Rept on Duke Power Co McGuire & Catawba Nuclear Stations Spds
ML20237J062
Person / Time
Site: Mcguire, Catawba, McGuire, 05000000
Issue date: 08/19/1987
From:
SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
NRC
Shared Package
ML20237J064 List:
References
CON-NRC-03-82-096, CON-NRC-3-82-96 SAIC-87-3058, TAC-50413, TAC-50414, TAC-51254, TAC-51255, NUDOCS 8708250290


Text


SAIC-87/3058

TECHNICAL EVALUATION REPORT ON DUKE POWER COMPANY'S MCGUIRE AND CATAWBA NUCLEAR STATIONS SAFETY PARAMETER DISPLAY SYSTEMS

TAC NUMBERS 51254, 51255, 50413, AND 50414

August 19, 1987

Prepared for U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

Contract NRC-03-82-096


TABLE OF CONTENTS

1.0 INTRODUCTION
2.0 BACKGROUND
3.0 REGULATORY BASIS FOR SPDS AUDITS
4.0 REVIEW OF SPDS EVALUATION TOPICS
    4.1 Critical Safety Functions (CSF)/Parameter Selection
    4.2 System Design
        4.2.1 System Description
        4.2.2 Display Configuration
        4.2.3 Data Validity
        4.2.4 Maintenance and Configuration Control
        4.2.5 Security
        4.2.6 Electrical Isolation
    4.3 System Verification and Validation
    4.4 Human Factors Engineering
    4.5 Use of SPDS in Operation
5.0 AUDIT FINDINGS AND CONCLUSIONS
REFERENCES
Attachment 1 - Audit Agenda
Attachment 2 - List of Attendees
Attachment 3 - Alarm Video Layout With Safety Parameter Display
Attachment 4 - Example Status Tree Display
Attachment 5 - Example Parameter Alarm Display

TECHNICAL EVALUATION REPORT FOR DUKE POWER COMPANY'S MCGUIRE AND CATAWBA NUCLEAR STATIONS SAFETY PARAMETER DISPLAY SYSTEMS

1.0 INTRODUCTION

This report documents the findings of the Nuclear Regulatory Commission (NRC) post-implementation audit of the Duke Power Company's McGuire Nuclear Station Safety Parameter Display System (SPDS). The Catawba Nuclear Station SPDS is nearly identical to the McGuire SPDS and was evolved from original design work performed on the McGuire SPDS. Consequently, this review may be considered to apply to the SPDSs at both McGuire and Catawba.

The audit was conducted June 29 to July 1, 1987 by representatives from the NRC and its consultants, Science Applications International Corporation (SAIC), and COMEX Corporation. The audit team was comprised of individuals representing the disciplines of nuclear systems engineering, nuclear power plant operations, human factors engineering, and software systems engineering. An earlier audit had been conducted in May 1985, at which time several technical issues were left unresolved. The purpose of the latest audit was to determine what information is available to control room operators to rapidly and reliably determine the safety status of the plant and how this information is presented, the ultimate objective being to resolve the remaining open issues. The agenda that was followed during the latest audit is provided in Attachment 1. The list of meeting attendees is provided in Attachment 2.

The open issues concerned: (1) the boundary of the SPDS in relation to the Operator Aid Computer (OAC) on which it is implemented; (2) the use of status lights in lieu of explicit displays of parameters; and (3) the selection of parameters to represent the five critical safety functions (CSFs) defined by NUREG-0737 Supplement 1 (Reference 1).

2.0 BACKGROUND

The principal purpose and function of the SPDS is to aid the control room personnel in rapidly and reliably determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core by providing a continuous, concise display of critical plant variables. This can be particularly important during anticipated transients in the initial phase of an accident. However, the SPDS should be operational during normal and abnormal conditions as well as emergency conditions.

All holders of operating licenses must provide an SPDS in the control room of their plant. The NRC-approved requirements for the SPDS are defined in NUREG-0737 Supplement 1.

NUREG-0737, Supplement 1 requires licensees and applicants to prepare a written safety analysis report (SAR) describing the basis on which the selected parameters are sufficient to assess the safety status of each function for a wide range of events, which include symptoms of severe accidents. Licensees and applicants must prepare an Implementation Plan for the SPDS that contains schedules for design, development, installation, and full operation of the SPDS as well as a design Verification and Validation (V&V) Plan. The SAR and Implementation Plan are to be submitted to the NRC for staff review. The results of the staff's review are to be published in a Safety Evaluation Report (SER).

Duke Power Company submitted for staff review documentation describing the SPDSs for the Catawba and McGuire Nuclear Stations (Reference 2). The NRC staff requested additional information from the licensee on September 14, 1984 (Reference 3). The licensee responded in a letter dated October 18, 1984 (Reference 4). Subsequently, an on-site Design Verification/Validation Audit was conducted on May 14 and 15, 1985. NRC staff findings were documented in an audit report dated September 10, 1985 (Reference 5). Another request for additional information was issued by the NRC on October 31, 1985 (Reference 6). The licensee responded to the audit report and the second request for information in a letter dated November 27, 1985 (Reference 7). Clarification of Duke's positions regarding parameter selection and the scope of the SPDS was obtained in teleconferences on December 11 and 18, 1985 (References 8 and 9).

In February of 1986, the NRC issued an SER for both Catawba and McGuire (References 10 and 11). The SER identified the open issues discussed earlier in this report and indicated that five specific parameters had to be added to the Duke SPDSs in order to satisfy the requirements of NUREG-0737 Supplement 1. In a letter dated March 25, 1986, Duke requested that the staff positions be processed as a plant-specific backfit in accordance with 10 CFR 50.109 and NRC Manual Chapter 0514 (Reference 12). The NRC staff denied Duke's backfit claim in a letter dated June 13, 1986 (Reference 13). The staff's denial was subsequently appealed by Duke on March 27, 1987 (Reference 14).

3.0 REGULATORY BASIS FOR SPDS AUDITS

The SPDS requirements as defined by NUREG-0737 Supplement 1 are:

1. To provide a concise display of critical plant variables to control room operators. (para 4.1.a)
2. To be located convenient to control room operators. (para 4.1.b)
3. To continuously display plant safety status information. (para 4.1.b)
4. To be reliable. (para 4.1.b)
5. To be suitably isolated from electrical or electronic interference with safety systems. (para 4.1.c)
6. To be designed incorporating accepted Human Factors Engineering principles. (para 4.1.e)
7. To display, as a minimum, information sufficient to determine plant safety status with respect to five safety functions. (para 4.1.f)
   i. Reactivity control
   ii. Reactor core cooling and heat removal from the primary system
   iii. Reactor coolant system integrity
   iv. Radioactivity control
   v. Containment conditions
8. To implement procedures and operator training addressing actions with and without SPDS. (para 4.1.c)

Guidance as to what constitutes acceptable implementation of the above requirements is provided by Appendix A to NUREG-0800, Section 18.2 (Reference 15) and other documents cited therein, particularly NUREG-0700 (Reference 16).

As indicated above, an earlier audit had been conducted in May 1985, at which time several technical issues were left unresolved. In response to these open issues and the events previously outlined in Section 2.0, an audit was scheduled and conducted at McGuire June 29 to July 1, 1987. The objectives of this audit were to determine what information is available to control room operators for rapidly and reliably determining the safety status of the plant and how this information is presented. Documents reviewed during the course of this audit included:

1. McGuire/Catawba SPDS Critical Safety Function Trees and Logic Development
2. McGuire/Catawba SPDS Detailed Logic Diagrams for all CSFs
3. McGuire Emergency Procedures (EPs): EP/2/5000/02 (High Energy Line Break Inside Containment), EP/2/5000/10 (CSF Trees), EP/2/5000/01 (Safety Injection), and the EP on Station Blackout (Loss of All AC Power)
4. Description of SPDS (Integrated Approach, WOG ERGs, CSF Status Trees, CSF Blocks, Status Trees, and Parameters in Alarm)
5. Duke Power presentation on SPDS Current Licensing Status
6. Summary Description of SPDS and Other Systems
7. Duke Power Internal Study on Operator Acceptance of SPDS
8. Human Factors Engineering of the Catawba/McGuire SPDS

The audit findings are presented below.

4.0 REVIEW OF SPDS EVALUATION TOPICS

4.1 Critical Safety Functions (CSF)/Parameter Selection

One of the main purposes of the second onsite review of the McGuire/Catawba SPDS was to further evaluate the topic of parameter selection. The parameter selection issue revolves around an NRC position that five additional parameters must be added to the top level of the McGuire/Catawba SPDS: stack and main steamline radiation monitors, containment isolation, hot leg temperature, and RHR flow. The parameter selection open issues are discussed in detail in the following paragraphs.

Radioactivity Control Parameters: Radioactivity control is explicitly identified by NUREG-0737 Supplement 1 as one of the five CSFs that must be displayed on the SPDS. The Duke systems are designed around the Westinghouse Emergency Response Guidelines (ERGs), which do not include radioactivity control as one of their CSFs. The McGuire/Catawba SPDS is clearly deficient in this respect and should be required to monitor this function on the top level SPDS display.

The stack monitor at McGuire/Catawba is the gaseous channel of the unit vent monitor. The iodine and particulate channels are also available in the Operator Aid Computer (OAC). Both the unit vent gaseous monitor and all four steam line radiation monitors are inputs to the OAC and may be viewed in tabular form by calling up Display Group 35 on the system. If an alarm were to occur on any of these channels, it would be displayed in red on the top level Alarm Video display, except in the case where the display page was full of unacknowledged alarms on other computer inputs. Neither of these parameters (unit vent and steam line radiation) are currently used in a CSF algorithm.

Since McGuire/Catawba are single release point plants for all building ventilation and exhaust (e.g., Air Ejector Offgas) systems, the alarm would be satisfactory if it included only unit vent and steam line radiation monitors as inputs. Duke should evaluate the desirability of adding additional computer inputs to a Radioactivity Control alarm.

A radioactivity control alarm should be distinctly different from the existing CSF alarms. The radiation monitors need not become inputs to the existing CSF logic unless Duke decides to modify the EOPs to incorporate radiation monitors in the CSFs.

Containment Isolation: The approximately 150 Technical Specification containment isolation valves all provide computer point inputs to the OAC, the same computer system that hosts the SPDS software. Upon a containment isolation signal, the OAC software checks all of the containment isolation valves for full closure. If complete isolation is achieved, a light on the "monitor light panel" behind the Shift Technical Advisor's (STA) SPDS console is illuminated. This light is checked by Emergency Procedure to verify a satisfactory containment isolation. If the light is not illuminated when an isolation is required, the EOPs direct the operator to check a non-SPDS screen on the OAC entitled the "Tech Spec 13 Display." This display lists in tabular form the valves that have failed to isolate. The Westinghouse guidelines, and consequently the McGuire/Catawba EOP and SPDS CSFs, monitor challenges to containment integrity and do not specifically look at isolation valve position. Other sections of the EOPs, outside of the CSF procedure (EP2), do require the operator to check containment isolation valve status. Although isolation status is available on a separate monitor panel directly behind the primary SPDS user, the top level SPDS displays do not provide a concise and continuous display of containment isolation status. The importance of the valve status in determining containment conditions, combined with the minor nature of the software change in the OAC that would be required to provide the containment isolation status on the top level SPDS display (in addition to providing it on the monitor light panel), reinforces our opinion that such a status indicator or alarm would be a desirable addition to the SPDS.

The two new alarms or status indicators recommended above (Radioactive Release and Containment Isolation Valve Status) could be implemented with software modifications. Neither would have to interfere with the existing CSF alarm blocks. Two suggestions for adding these indicators to the top level display of the SPDS were discussed with the Duke staff and are indicated below:

1. The simplest approach is to give priority to alarms associated with the individual computer points or previously computed status (e.g., Containment Isolation Sat/Not Sat) on the Alarm Video CRT.
2. A second possibility would involve creating a new alarm logic algorithm with an accompanying omnipresent "alarm box" that would change color in an alarmed condition.

Hot Leg Temperature: Hot leg temperature (Thot) from all four loops is indirectly input to the "Core Cooling" CSF. One of the inputs to the "Core Cooling" logic is "Subcooling Margin." Per the licensee's description (not verified by detailed review of wiring and logic diagrams), the worst case subcooling margin (Core or Loop) is sent to the "Core Cooling" CSF logic. Core subcooling is computed by comparing Tsat in the reactor coolant system to the hottest Core Exit Thermocouple (CET) temperature; subcooling in the loops is computed by comparing Tsat to Thot for each loop. If a loss of subcooling in a loop preceded a loss of subcooling in the vessel, the condition would result in an alarm on the SPDS. Voiding in a loop caused by loss of subcooling should result in the operators specifically checking individual loop Thot values on lower level OAC displays or on the control boards. All loop narrow and wide range Thot values are available as tabular data points in the OAC. If any concern remains that a loss of the secondary heat sink CSF alarm would not prompt the operators to look at individual loop Thots, and more importantly loop delta Ts, a more detailed review of the McGuire/Catawba EOPs would be necessary. No further action with respect to the use of Thot in the SPDS is recommended at this time.

RHR Flow Rate: The Duke plants rely on two major paths for heat removal, one through the steam generators and one through the RHR (ECCS) heat exchangers. The "Heat Sink" function monitored by the SPDS pertains only to the steam generator path. The SPDS does not monitor heat removal status when the steam generators are unavailable (although the information is available on the OAC).

The NRC position requiring RHR flow to be displayed was based on a strict distinction between core cooling and heat removal, wherein core temperature and vessel and pressurizer level are considered only indirect indicators of heat removal, or of the viability of heat removal, in shutdown cooling or containment sump recirculation modes of operation. A direct indication of loss of flow would be desirable in a situation such as a sump blockage, so that the SPDS could alert the operators to take action to protect the pumps from damage by overheating and to anticipate a subsequent challenge to the core cooling function.

Based on information obtained during operator interviews at the audit, it appeared that of the five parameters listed as missing in the SER for McGuire, RHR flow was the only one that is not an input to the OAC computer system. However, during a teleconference among NRC, Duke, SAIC, and Comex on July 14, 1987 (Reference 17), Duke indicated that RHR flow is an input to the OAC, along with several other RHR system parameters (numerous temperatures, levels, and valve positions) and that all are available as tabular and graphic displays. It was not clear why the operators were unaware that the RHR flow rate was available on the OAC; Duke promised to confirm the correctness of their statement and committed to add RHR flow rate to the system if it was not already there and if NRC required it.

It appears now that the information available on the OAC is sufficient to monitor heat removal through the RHR system. (RHR flow rate alone is not a sufficient indicator of heat removal, although loss of RHR flow would indicate loss of heat removal from containment.) Heat removal via RHR is not, however, an input to one of the CSFs on the top-level SPDS display; the issue is whether it must be there to monitor heat removal as an anticipatory indication of potential core cooling problems.

The Westinghouse ERGs, designed to support development of symptom-oriented procedures, were based upon monitoring the consequences of a lack of injection flow rather than the actual flow. None of the CSFs use RHR flow, Safety Injection flow (approximately 1550 psig shutoff head) or high head flow (charging system, shutoff head above normal operating pressure) as inputs or decision points. Rather, they use CETs, Reactor Vessel level, Pressurizer level, and loop Tcold to monitor the heat removal and inventory functions. A loss of RHR flow (or the other injection flows) would be detected by the logic for the "Core Cooling," "Integrity," and "Inventory" CSFs. For the specific case of a loss of RHR during shutdown cooling, the loss of RHR would be detected by a gradual increase in temperature. In case of a loss of RHR in the containment sump recirculation mode, the loss would be detected by a decreasing reactor vessel or pressurizer level. These parameters are all monitored at the top level by the McGuire/Catawba SPDS. However, none would provide an immediate indication of a loss of heat removal from containment (which may be considered an extension of the primary system under LOCA conditions) as would RHR flow.

The rationale for requiring a top level display of RHR flow raises questions about why other parameters (e.g., delta T across ECCS heat exchangers, flow in other cooling systems) are not required and where the line should be drawn between what is required on the SPDS and what suffices to be available only on secondary displays of the OAC or on the regular control boards. A more definitive exposition of the SPDS requirements than is provided in NUREG-0737 Supplement 1 would be helpful in this area.

It should also be noted that Duke designed the top level SPDS displays and the logic supporting them as an accurate electronic version of their EOP critical safety function event trees. This in itself does not ensure that the SPDS meets all requirements for providing an overview of the safety status of the plant and the CSFs defined by NUREG-0737 Supplement 1. For example, radioactivity control and containment isolation need to be added to the Duke systems, even though they are not essential to representing the EOPs. However, with respect to monitoring thermal-hydraulic critical safety functions (core cooling, heat removal, primary inventory), a deficiency in parameter selection suggests questions as to the comprehensiveness of Duke's EOPs. The linkage between SPDS and EOPs is less definite at most other Westinghouse plants, where the SPDS is only an approximation (rather than an exact replica) of the EOP CSF philosophy.

4.2 System Design

The McGuire/Catawba SPDS is essentially a software application implemented on the existing OAC system, a Honeywell 4400 computer system. The SPDS displays are presented on cathode ray tubes (CRTs) integrated into the existing control room. The following sections describe various aspects of the SPDS system in greater detail.

4.2.1 System Description

The SPDS is a software application implemented on the existing OAC, which serves as the plant process computer. That part of the OAC referred to explicitly as the SPDS consists of six CSF blocks that use color coding to convey the status of the plant with respect to the functions. The six functions displayed are: subcriticality, core cooling, heat sink, primary system integrity, containment conditions, and primary system water inventory. Secondary displays provide further information in the form of status trees and parameter values. The plant-specific status tree displays, which are based on the Westinghouse Owners Group (WOG) ERGs, indicate the plant function(s) from which the SPDS alarm may have originated, the major alarm logic path nodes, and the emergency procedure number that must be entered. The system displays all alarmed inputs associated with the logic path of an alarm, as well as backup pages containing tabular listings of alarmed, invalid, or out-of-service inputs.

At the previous audit, conducted at Catawba on May 14-15, 1985, Duke did not take credit for these secondary displays as being part of the SPDS. However, at the most recent audit, Duke acknowledged that the secondary displays are in fact part of the SPDS and are used as such by the operators. The operators interviewed specifically identified the secondary displays as part of the SPDS, as did the training program.

The SPDS is such an integral feature of the OAC that any attempt to draw a boundary between them is artificial and unnecessary. Any information that is available to the operator on the OAC and that supports an SPDS function, provided it meets the requirements for an SPDS, should be considered part of the SPDS.

Based upon three days' observation of the McGuire SPDS and interviews with operators, this system appears to be one of the most reliable in the industry. The McGuire SPDS demonstrated no significant deviations between data displayed on the CRTs and data obtainable from the IE control boards and other control room instrumentation. Operator/STA interviews produced no complaints or memories of misleading deviations between data displayed on the SPDS (OAC) and that available elsewhere in the control room. A spot check of SPDS computer points against the control board indications revealed no differences in engineering values. The average of operator/STA responses to the question "How many times per year have you seen the system out of service (for other than planned maintenance)?" was two or three times per year for periods of a few minutes. This is a remarkably low incidence of operator-noted system problems (compared to the industry norm). These observations support plant records indicating OAC availability of greater than 99 percent.

4.2.2 Display Configuration

The McGuire/Catawba SPDS is organized into a three level hierarchy: a top level overview display and two supporting displays. At the top level of the SPDS, the six Westinghouse CSFs are continuously displayed in blocks at the bottom of the OAC Alarm Video (see Attachment 3). The supporting displays provide the operator with further information regarding the alarmed CSF blocks through selectable displays. The status tree displays (see Attachment 4) indicate the plant function(s) from which the SPDS alarm may have originated, the alarm logic path, and the emergency procedure number to be followed in order to correct the alarm condition. The backup pages to the status trees display all inputs associated with the plant function(s) in the flow path of an alarm as well as inputs that are invalid or out of service (see Attachment 5). The CSF blocks are duplicated at the bottom of the supporting displays and cannot be removed by operator keyboard manipulations.

One of the open issues noted earlier in the report concerns the use of status lights in lieu of explicit displays of parameters. Status lights on top level displays indicating challenges to CSFs have been deemed acceptable provided that actual values of parameters are readily available within the SPDS and that the operator's attention is directed to the appropriate information when a challenge occurs. This open issue is essentially resolved by redefining the SPDS to include the secondary displays and other supporting information on the OAC as discussed above in Section 4.2.1, subject to determination that the SPDS as redefined satisfies all other SPDS requirements, such as rapid accessibility of the underlying information.

The SPDS uses color coding to highlight information for the operator. Different types of lines and graphic symbols add redundancy to the color coding. The CSF blocks change color to indicate the status of each CSF as defined below:

GREEN: CSF satisfied
YELLOW: Degraded CSF; operator action may eventually be needed
ORANGE: CSF under severe challenge; prompt operator action necessary
RED: CSF in jeopardy; immediate operator action required
MAGENTA: CSF is indeterminate due to invalid input

When the status changes from normal (GREEN), the appropriate CSF block changes color and begins to blink. The CSF block continues blinking until the condition is acknowledged by the operator (or returns to normal). When the condition returns to normal, the CSF block returns to GREEN. The CSF blocks are also prioritized from left to right in order of importance corresponding to the hierarchy of the CSFs in the plant specific EOPs. In this SPDS the reactivity control block is located on the far left to indicate that it is the most important function of the six for the operator to control.

The status tree flow paths in the supporting displays are highlighted in GREEN when conditions are normal. When an alarm is present, the appropriate path changes to RED and the status tree block changes color corresponding to the alarmed CSF block. Additionally, one CSF block at the bottom of the page is outlined in white to indicate the CSF block for which the current supporting display is being displayed. On the backup pages, symbols are used to provide the operator with information about the points associated with the alarm. A "i" sign indicates a locked out point; a "X" sign indicates a point out of service; a "*" sign indicates input over/under range; and a "$" sign indicates a blown fuse (for digital points only).

Although the CSF blocks at the top level and on the bottom of the supporting displays are updated every 5 seconds, the status tree display reflects the alarm conditions present at the time of the operator request. The operator must manually update the status tree (by depressing ENTER and TAB) or reenter his request.

Movement through the SPDS is provided through a combination of function keys and page number keys. To get to the top level SPDS display from within the OAC, the operator must depress GENERAL followed by 3, 7, SELECT, ENTER, and O. Similarly, to go to the status tree displays, the operator must depress ABORT, ENTER, TECH SPEC, the appropriate TECH SPEC function number, DISPLAY, and ENTER. Single function keys such as arrow keys are not provided to enable the operator to move quickly from one level of the SPDS to the next and back.

4.2.3 Data Validity

The computer point validation schemes used in the OAC are some of the most sophisticated in use for licensee SPDS systems. All computer points undergo at least a range check, with derived or composed points undergoing more sophisticated redundancy checks (e.g., input rejection based on pre-determined deviation from the average of similar inputs).
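
The range check and the deviation-from-average redundancy check described above, sketched as an added example; it is not Duke's OAC code and nothing in it comes from the report. The point names, the 0 to 700 deg F range, the 15 deg F deviation limit, the two-input minimum and the "DEV" flag are assumptions. It drops the worst deviator one at a time, because a single pass against an average that still contains the failed input rejects good inputs too.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Flags the report lists for points on the SPDS backup pages.
OUT_OF_SERVICE = "X"   # point out of service
OUT_OF_RANGE = "*"     # input over/under range
# Hypothetical flag: the report names no symbol for a deviation rejection.
DEVIATION = "DEV"


@dataclass
class Composite:
    """Result of validating one group of redundant inputs."""
    value: Optional[float]                      # None: no trustworthy value
    used: Dict[str, float] = field(default_factory=dict)
    rejected: Dict[str, str] = field(default_factory=dict)

    @property
    def indeterminate(self) -> bool:
        # The report shows a CSF with invalid input in MAGENTA.
        return self.value is None


def validate(readings, lo, hi, max_dev, min_valid=2):
    """Range-check each input, then drop inputs that deviate from the
    average of their peers by more than max_dev, worst deviator first."""
    good, rejected = {}, {}
    for name, v in readings.items():
        if v is None:
            rejected[name] = OUT_OF_SERVICE
        elif not (lo <= v <= hi):               # also catches NaN
            rejected[name] = OUT_OF_RANGE
        else:
            good[name] = v

    while good:
        mean = sum(good.values()) / len(good)
        worst = max(good, key=lambda n: abs(good[n] - mean))
        if abs(good[worst] - mean) <= max_dev:
            break                               # remaining inputs agree
        if len(good) <= min_valid:
            # Too few inputs left to tell which one is wrong: trust none.
            rejected.update({n: DEVIATION for n in good})
            good = {}
            break
        rejected[worst] = DEVIATION
        del good[worst]

    if len(good) < min_valid:
        return Composite(None, good, rejected)
    return Composite(sum(good.values()) / len(good), good, rejected)


def single_pass_rejects(readings, max_dev):
    """Naive variant for comparison: one pass against an average that still
    contains the failed input. Returns the names it would reject."""
    mean = sum(readings.values()) / len(readings)
    return {n for n, v in readings.items() if abs(v - mean) > max_dev}


# Constructed sample: four loop hot-leg temperatures in deg F, one failed low.
SAMPLE = {"loop_A": 612.0, "loop_B": 611.5, "loop_C": 613.1, "loop_D": 540.0}

if __name__ == "__main__":
    result = validate(SAMPLE, lo=0.0, hi=700.0, max_dev=15.0)
    print("composite:", result.value, "rejected:", result.rejected)
    print("single pass would reject:", sorted(single_pass_rejects(SAMPLE, 15.0)))
```

With the constructed sample, the iterative check rejects only the failed loop, while the single-pass variant rejects all four inputs because the failed reading drags the average down.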

Two additional areas were identified during the audit in assessing validity of data supporting SPDS functions: 1) validity of parameters input to the OAC, then obtained and processed by the SPDS function to provide operator access; 2) freedom from inadvertent degradation of data due to other OAC system functions.

Over the past two years, Duke Power Company has extended their operational maintenance procedures to address both areas. Monthly surveillance checks on plant data parameters from the sensor, through the computer system data base, and to the OAC CRT provide ongoing assurance that valid data is being obtained, utilized and displayed as required by SPDS functions.

Additionally, a review of the SPDS is performed after each plant trip to establish that the SPDS reacted accurately and predictably to the plant trip conditions and displayed the safety status of the plant for operator information. These trip reviews conducted over the past 2-year period increase the level of confidence that data validity is not being inadvertently affected by other OAC system functions.

4.2.4 Maintenance and Configuration Control

Maintenance and configuration control over the SPDS and the entire OAC are performed for both McGuire and Catawba by Duke Power Company's Computer Engineering Department. A spot check of several recently completed instrument loop surveillance check procedures and results confirmed that OAC and SPDS displays of computer points are checked simultaneously with the analog or digital devices on the normal control boards. This ensures instrument loop continuity from sensor (or drawer) to CRT and accuracy for OAC and SPDS data.

Formal written procedures are in place for exercising formal configuration control over the OAC computer systems. An overview audit of the documentation indicated that the formal procedures are closely followed. Based on observations made regarding the organization and the current status of the document records, the audit team concluded that the configuration control procedures are adequate.

Maintenance of the computer system exercises Duke's change control procedures, which include ongoing verification and validation as deemed appropriate as part of the process. Forms are in place indicating that required approvals are obtained throughout the process. Duke's application of rigorous maintenance and configuration control procedures to the total OAC system has increased the level of confidence that the system is meeting its design objectives.

4.2.5 Security

There is no remote access to the SPDS terminals in the control room. Changes to SPDS and other OAC software are made through inputs from floppy disks. Limited changes, such as taking specific input points out of service to reduce spurious signals, are made directly from the keyboards in the control room. All changes are made by personnel from the Nuclear Production Department who are responsible for implementation and maintenance of the computer systems. Access to the system is controlled by passwords available only to these personnel; according to supervisory personnel, passwords are changed daily. These procedures, combined with limited access to the control room itself, appear to provide adequate protection against unauthorized modifications to the system software.

4.2.6 Electrical Isolation

Isolation has been evaluated by the NRC and found acceptable prior to this audit.

4.3 System Verification and Validation

Discussions with the Duke staff indicated that, at the time of the May 1985 audit, the SPDS had been narrowly defined because they did not have documentation to support a claim that the total OAC had undergone a formal system verification and validation (V&V) process. This continues to be the case. However, Duke has conducted a V&V process on the SPDS software and has implemented a V&V program for the OAC that is part of their regular computer system maintenance process. OAC (including SPDS) working documentation is well organized and contains approval sheets and design documentation stored on a subsystem basis. Other activities and procedures seem to be in place which reduce the level of concern over the lack of formal V&V documentation. Instrumentation surveillance checks routinely include tests of instrument loops from sensor inputs to computer outputs. Also, post-trip reviews include SPDS performance reviews. The system has been in regular use over the past two years. It has a record of high reliability and is well accepted by the operators. A major reason for this acceptance is the very short time (approximately 5-10 minutes, compared to over a year at some plants) necessary to take invalid inputs out of service and thereby reduce spurious alarms.

A recent LER (Reference 18) concerning a Technical Specification violation (containment leak rate calculation) resulting from a software error introduced in the process of modifying a program was discussed. Duke has taken action to correct the problem and modified their procedures to minimize the chances of this type of error recurring. The audit team checked documentation to verify that the procedure is being followed.

In summary, expansion of change control and evaluation procedures to the total OAC system and the operating history of the past several years should remove the perceived need to consider the SPDS in isolation from the secondary displays which support it. No restrictions should be placed on further use of the more broadly defined SPDS pending additional V&V activities. Nevertheless, in order to alleviate any concern over the lack of documentary evidence demonstrating the extent of OAC evaluation, it is suggested that Duke prepare a total evaluation overview (system V&V) definition; the V&V plan should be updated and expanded to include all system evaluation activities. It is also noted that the software V&V program could be improved with an indexing scheme for documentation storage and retrieval. In addition, an evaluation checklist and procedure are needed to establish how evaluations are performed and what objectives are met.

4.4 Human Factors Engineering

A formal human factors review of the McGuire/Catawba SPDS was undertaken to verify that the SPDS provides direct, readily useable information and is organized in an effective format to support operator tasks. The human factors program for the SPDS consisted of three activities: 1) review and comment, 2) task analysis, and 3) human factors survey. During concept development and design of the SPDS, human factors review and comment was solicited. After concept development and design was completed, a task analysis was performed as part of the Detailed Control Room Design Review (DCRDR). The task analysis defined and described operator tasks and information requirements for those tasks in which the SPDS supports operator needs. Walk-throughs of event scenarios were performed using slide projection of the SPDS on the control board mockup. Members of the DCRDR team, a senior reactor operator, system engineers, and observers participated in the walk-through. The task analysis addressed issues such as the logical ordering of displays, terminology and abbreviations, labeling and coding, usability of displayed information, and operator task support.

After implementation, the Duke Power Design Department performed a human factors survey of the actual displays as part of the DCRDR. The SPDS was surveyed using a checklist based on Section 6 of NUREG-0700. The checklist covered color usage, character heights, room lighting and glare, presentation of data, labels and coding, operator message presentation, and use of keyboard interface. Human factors consultants prepared the checklist and presented workshops and seminars for the operations and engineering personnel performing the survey. The human factors consultants also provided an overview or human factors quality assurance function. A number of human engineering discrepancies (HEDs) resulted from this review and were included by the licensee in the DCRDR Summary Reports. Several changes resulted from the human factors review, including the addition of an audible alarm on CSF status change, the addition of the CSF blocks at the bottom of the supporting displays, and the use of color coding to indicate CSF path status (GREEN, RED).

While the licensee identified and corrected several HEDs, the audit team identified a number of HEDs that remain on the SPDS. These are listed below.

1. Moving from one display level to another requires as many as seven or eight key strokes by the user. Although none of the operators or STAs interviewed had difficulty carrying out this series of key strokes, under stressful situations, especially with inexperienced operators, the process for accessing displays could result in a delay in receiving critical plant safety status information.
2. Some of the colors used in the SPDS are not readily distinguishable. In particular, yellow and green are difficult to distinguish.

3. The color coding used to highlight the status tree paths is not consistent with that used by the CSF blocks. The CSF blocks change from GREEN to YELLOW, ORANGE, or RED depending on the severity of the alarm. However, the status tree paths turn from GREEN to RED regardless of the severity of the alarm.
4. The status tree display is not automatically updated every 5 seconds as are the CSF blocks. The status tree display reflects the alarm conditions present at the time of the operator request rather than the current alarm conditions. The operator must manually update the status tree display by depressing ENTER and TAB, or reenter his request.

5. At the third level of the SPDS, the points that are the source of an alarm are not readily discernible from all the points associated with the flow path of an alarm. These points could be easier to identify if they were highlighted in some manner.

6. The OAC Alarm Video list that is displayed above the CSF blocks on the top level display is not considered part of the "formal" SPDS. However, if the licensee proposes to use any of this information to meet SPDS requirements, the following HEDs are applicable:

a. The Alarm Video display does not provide any indication of existing alarms that cannot fit on the display page. The operator may not be aware of or may not remember existing alarms.
b. The Alarm Video display provides no means for bringing up and viewing alarms that do not fit on the display page. These alarms cannot be viewed until alarms already on the page have cleared.
c. Letter designations for the systems in alarm are provided below the CSF blocks at the bottom of the Alarm Video display. However, the audit team found inconsistencies between the system letter designations displayed on the OAC and a hard copy list of system letter designations.

Concerning the location of the SPDS, the audit team found that the displays are located conveniently to the intended users. Three displays are located at eye level on the vertical section of the primary control boards for use by the reactor operators and the shift supervisor. A fourth SPDS display is located at the desk in the back of the control room. This display is primarily for use by the STA, the primary user during transient situations.

In summary, the licensee performed a formal human factors engineering review of the SPDS during the DCRDR. The licensee's review resulted in the identification and assessment of a number of HEDs as well as the implementation of enhancements to the SPDS. However, the operational SPDS still has additional HEDs that were identified by the audit team. These HEDs should be evaluated and assessed by the licensee.

4.5 Use of SPDS in Operation

From an operations viewpoint, the McGuire/Catawba SPDS displays are excellent in that they match the hard copy EOP CSF status trees precisely. The terminus points of the status tree screens of the SPDS are annotated with the Functional Recovery Procedure numbers for each situation. The color and shape coding of the CSF trees on the SPDS matches those in the hard copy EOPs. Another impressive aspect of the McGuire/Catawba SPDS design is the extensive work that has been performed on the computer logic to ensure that the CSF blocks do not alarm under nonaccident conditions, such as Reactor Startup, Reactor Shutdown, and nonaccident condition trips such as Turbine Load Reject.

The six operator and STA interviews conducted during this review provided the following results concerning the use of SPDS in plant operations:

1. The STA is the primary user of SPDS in the transient environment. Operators use the SPDS during transients as a backup to their written procedures and where its use is specifically directed by the EPs.

2. The primary use of SPDS during steady state operating conditions is to monitor the progress of instrument loop surveillance in progress. The operators consistently knew what CSF alarms to expect during specific surveillance (e.g., they expect an Orange CSF path on Containment Integrity during testing of the containment Hydrogen Analyzer).

3. Use of the SPDS during transients is identical to use of the hard copy EPs, with the STA concentrating more on the top level SPDS status displays while the operators perform the detailed steps in the EPs.

With respect to parameter selection and CSF design issues, the interviews provided the following observations:

1. All of the operators/STAs interviewed stressed their desire to keep the SPDS "simple" and in harmony with the EOPs. They do not desire to see the system grossly modified with extra features at the top level displays.
2. The operators/STAs demonstrated a better-than-average knowledge of the basis for the CSF logic and the data displayed by SPDS. This is typically evidence of a thorough training program and a high level of acceptance by the users.

3. The only change that any of the six interviewees consistently stated as a desirable modification to the SPDS was the addition of a tabular display on the backup pages of the CSF trees that provides continuous display of all of the computer points that are input to the CSF logic. The as-built system only displays the inputs that are in alarm or that have failed validation. Five of six personnel interviewed independently arrived at this recommendation.

Because the McGuire/Catawba SPDS is designed as an automated version of the EOPs, EOP and SPDS procedures are synonymous. Procedures for manipulating SPDS displays are also synonymous with procedures for using the OAC system. The SPDS design minimized the necessity for special procedures or training of operators on the system.

Operation without the SPDS requires only that the operators rely on installed analog devices. The procedures for monitoring and recovering from emergency conditions do not change with a failure of SPDS. Failure of SPDS would imply a failure of the Plant Process Computer, since the SPDS logic and displays are a subset of the Process Computer's functions. One of the malfunctions programmed on the McGuire simulator, and that operators are frequently tested on, is the Loss of the Process Computer. Operation with and without the SPDS requires no major change in basic operating philosophy since the SPDS logic and displays are precisely an automated representation of the approved EOPs.

Of the six operators and STAs interviewed, most had received specific SPDS hands-on training in the McGuire simulator within the past 2 months. They stated that the simulator instructors do include a critique of their use of SPDS as part of the overall critique of their performance during a drill. Training records show that all of the operators and STAs interviewed have received classroom training on the SPDS within the past 18 months and are scheduled to receive SPDS training again before the end of CY 1987.

5.0 AUDIT FINDINGS AND CONCLUSIONS

The conclusions are presented in terms of the eight NUREG-0737 Supplement 1 SPDS requirements.

1. The SPDS presents a physically concise display of the six Westinghouse CSFs and of supporting information from the OAC.
2. The control room SPDS is conveniently located to the intended user of the SPDS and to control room operators.
3. The SPDS continuously displays the six Westinghouse CSF blocks. It does not, however, display sufficient information to satisfy the requirements of NUREG-0737 Supplement 1, as delineated in item 7 below. Moreover, actual values of many parameters are available only from manual recall of secondary displays, and then only when in an alarmed or invalid state.
4. The SPDS has a high degree of reliability.
5. The SPDS, according to prior NRC review, is suitably isolated to prevent electrical or electronic interference with safety systems.
6. The SPDS has incorporated accepted human factors principles. However, the audit team identified a set of specific human engineering discrepancies (see Section 4.4 of this report) which should be evaluated and assessed by the licensee and corrected if necessary.
7. The SPDS does not provide the minimum information needed to determine plant safety status with respect to the five critical safety functions specified in NUREG-0737 Supplement 1. Specifically, radioactivity control and containment isolation should be added to the top level SPDS display. In addition, parameters representing heat removal from the primary system (as distinct from core cooling), under conditions where RHR provides the means of heat removal, should be added to the SPDS (see Section 4.1 of this report for discussion).
8. SPDS procedures are synonymous with the EOPs and with procedures for using the OAC system. Operator training adequately addresses operation with the SPDS. Operation with and without the SPDS requires no major change in basic operating philosophy since the SPDS logic and displays are a precise automated representation of the approved EOPs.

The SPDSs at the McGuire and Catawba Nuclear Stations represent a concise and continuous display of the six Westinghouse CSFs to the control room operators to aid them in determining the safety status of the plants. It is also the audit team's judgment that the close correspondence between the SPDS and the Emergency Operating Procedures and the integration of the SPDS into the existing control room contributed to its success and acceptance by the operators. However, the system still has the above-mentioned problems that need to be resolved.

Any modifications to the existing SPDS logic and displays should be the result of careful consideration by a team of personnel with representation from operations, computer systems, human factors engineering and licensing.

Modifications to the McGuire/Catawba SPDS systems represent a task wherein an otherwise satisfactory and highly accepted system must be modified to comply with NUREG-0737 Supplement 1. The required modifications can be accomplished in a manner that does not detract from the existing system. In summary, the Radioactivity Control, Heat Removal, and Containment Isolation Status alarms can be added to the top level display as priority tabular alarms or new Status Blocks. Addition of the nonalarmed CSF logic inputs to the supporting tabular displays should be done in a manner that does not clutter these displays and that preserves the priority of the alarmed and invalid data display.

REFERENCES

1. NUREG-0737, Supplement 1, "Requirements for Emergency Response Capability," USNRC, Washington, DC, December 1982.
2. Letter to H.R. Denton, NRC, from H.B. Tucker, Duke Power Company, forwarding Revision 4 to Duke Power Company response to NUREG-0737 Supplement 1 (SPDS Safety Analysis included as Section 4), March 28, 1984.
3. Letter to H.B. Tucker, Duke Power Company, from E.G. Adensam, NRC, September 14, 1984.
4. Letter to H.R. Denton, NRC, from H.B. Tucker, Duke Power Company, October 18, 1984.
5. Letter to H.B. Tucker, Duke Power Company, from E.G. Adensam, NRC, subject: Results of Audit of Catawba 2 Safety Parameter Display System, Docket No. 50-414, September 10, 1985.
6. Letter to H.B. Tucker, Duke Power Company, from E.G. Adensam, NRC, forwarding request for additional information, October 31, 1985.
7. Letter to H.R. Denton, NRC, from H.B. Tucker, Duke Power Company, forwarding responses to audit findings and request for additional information, November 27, 1985.
8. Teleconference between K. Jabbour, G. Lapinsky, F. Orr, NRC, and R. Sharpe, et al., Duke Power Company, December 11, 1985.
9. Teleconference between K. Jabbour, G. Lapinsky, F. Orr, NRC, and R. Sharpe, et al., Duke Power Company, December 18, 1985.
10. Letter to H.B. Tucker, Duke Power Company, from B.J. Youngblood, NRC, subject: Safety Evaluation Report for the McGuire Nuclear Station Units 1 and 2 Safety Parameter Display System, Docket Nos. 50-369 and 50-370, February 28, 1986.
11. Letter to H.B. Tucker, Duke Power Company, from B.J. Youngblood, NRC, subject: Safety Evaluation Report for the Catawba Nuclear Station Units 1 and 2 Safety Parameter Display System, Docket Nos. 50-413 and 50-414, February 1986.
12. Letter to H.R. Denton, NRC, from H.B. Tucker, Duke Power Company, forwarding a plant-specific backfit claim, March 25, 1986.
13. Letter to H.B. Tucker, Duke Power Company, from H.R. Denton, NRC, subject: Backfit Determination Regarding the Safety Parameter Display System - McGuire and Catawba Nuclear Stations Units 1 and 2, June 13, 1986.
14. Letter to H.R. Denton, NRC, from H.B. Tucker, Duke Power Company, forwarding appeal of backfit determination, March 27, 1987.
15. NUREG-0800, Standard Review Plan for Review of Safety Analysis Reports for Nuclear Power Plants, Section 18.2, Rev. 0, Safety Parameter Display System (SPDS), Appendix A to SRP Section 18.2, NRC, November 1984.
16. NUREG-0700, Guidelines for Control Room Design Reviews, NRC, September 1981.
17. Teleconference between J. Kramer, et al., NRC, Robert Liner, SAIC, Gary Bethke, COMEX, R. Sharpe, et al., Duke Power Company, July 14, 1987.
18. Letter to Document Control Desk, NRC, from H.B. Tucker, Duke Power Company, forwarding Licensee Event Report 414/87-08-01, May 6, 1987.

ATTACHMENT 1

Audit Agenda

NRC VISIT TO EVALUATE CONTROL ROOM INFORMATION AND DISPLAYS
June 29 - July 1, 1987
McGuire Nuclear Station

06/29/87

1:30 p.m.   Introduction and Briefing (Training Trailer) (TT)
1:45 p.m.   Summary Description of SPDS and Other Systems (TT)
- Introduction (R. G. Morgan)
- Background and Pending Issues (R. O. Sharpe)
- Description of SPDS (R. G. Morgan)
- SPDS Status Tree Development (G. B. Swindlehurst)
- SPDS Logic (G. B. Swindlehurst)
- Scenario Discussion to show interfaces between Emergency Procedures, SPDS, and other Control Room Indications (L. F. Firebaugh)
3:00 p.m.   Observe operation of SPDS (Control Room, TSC, OAC Room)
- Tour Control Room (Small Groups)
- SPDS Operation in OAC Room
- TSC

06/30/87

8:30 a.m.   Human Factors Engineering (TT)
- Control Room Review Team, Human Factors Consultant, and HF Training (R. E. White)
- Task Analysis of SPDS (R. E. White)
- Human Factors Review (R. E. White)
- Operator Acceptance of SPDS (R. G. Morgan)
9:30 a.m.   SPDS Related Training (S. Griffin) (TT)
10:00 a.m.  SPDS Operation and Human Factors Review (OAC Room)
NOON        LUNCH
1:30 p.m.   System verification and validation (TT)
- In-house capabilities and Duke Organization (R. G. Morgan)
- Generation and Verification of SPDS Logic (G. B. Swindlehurst)
- Generation of SPDS Software (C. R. Miller)
- V&V of Implemented Software (L. R. Frick)
- Human Factors Review of SPDS Displays (R. E. White)
- Maintenance and Configuration Control (R. G. Morgan)
3:00 p.m.   Operator Interviews and Documentation Review (TSC)

07/01/87

8:30 a.m.   Continue Operator Interviews (as Necessary)
            Continue Documentation Review (Including Software)
            Audit Team Caucus (Small Conference Room)
NOON        LUNCH
1:30 p.m.   Exit Briefing (Large Conference Room)

NOTE: Small Conference Room available for NRC and Contractors all three days.

ATTACHMENT 2

List of Attendees

JUNE 29, 1987

Name                      Title/Location
H.G. Atherton             P.S. III/McGuire
R.F. Banner               NPE/McGuire
R.G. Morgan               Prod. Engr./NPD GO
R.O. Sharpe               Nuclear Engineer/GO
L.F. Firebaugh            AOE/MNS
G.B. Swindlehurst         Sup. Design Eng./GO
Bethany H. Drum           HF Reviewer/NRC/SAIC
Nina C. Thomas            V&V Reviewer/NRC/SAIC
Robert Liner              SAIC (NRC Contractor)
Gary Bethke               COMEX (NRC Contractor)
Darl Hood                 NRC/NRR
Jim Clifford              NRC/NRR
George Lapinsky           NRC/NRR/DLPQE/HFAB
Wm. H. Regan              NRC/NRR/HFAB
Seymour H. Weiss          NRC/NRR/HFAB
Joel J. Kramer            NRC/NRR/HFAB
Robert Gill               Duke/NPD/Licensing
G.D. Gilbert              DPC/NPD/MNS/OPS
W.T. Orders               USNRC/SRI/McGuire
C.R. Miller               PSD/PCU-TTC/TS
S. Guenther               USNRC/RI/McGuire
L.R. Frick                Design Engr./Electrical

JUNE 30, 1987

Name                      Title/Location
Joel Kramer               NRC/NRR/DLPQE/HFAB
Seymour H. Weiss          NRR/HFAB
Jim Clifford              NRC/NRR
George Lapinsky           NRC/NRR/HFAB
Gary Bethke               NRC (COMEX)
Nina Thomas               NRC (SAIC)
Bob Liner                 NRC/SAIC
Bethany H. Drum           NRC/SAIC
Roland White              Duke/Design Engng.
Len Firebaugh             AOE/MNS
R.G. Morgan               Production Engr./NPD/NOPS
R.F. Banner               NPE/McGuire
R.O. Sharpe               Duke/NPD-Licensing
R.L. Gill                 Duke/NPD Licensing
H.G. Atherton             PSIII/NPD/McGuire
C.R. Miller               PSD/Prog. Supv. - TTC/TS
Terry Tessnear            Sim. Instructor/MNS/TTC
Steven Helms              Sim. Instructor/MNS/TTC
Bill Griffin              Sr. Instructor/MNS
David Arndt               Classroom Instructor/MNS/P.T.P.
Gregg B. Swindlehurst     Design Eng./Nuclear Eng. - S.A.
Douglas E. Fairweather    Design Eng./Electrical

JULY 1, 1987

Name                      Group/Title/Location
Jim Clifford              NRC/NRR Washington
George Lapinsky           NRC/NRR/HFAB Washington
William Regan             NRC/NRR/HFAB Washington
Seymour H. Weiss          NRC/NRR/HFAB Washington
Gus Lainas                NRC/NRR/AD-PR07
Joel Kramer               NRC/NRR/HFAB
Darl Hood                 NRC/NRR/PD2-3
Joe Youngblood            NRC/NRR/DRP/PD2-3
T. A. Peebles             Set. Branch Chief Region II
W.T. Orders               SRI
S.F. Guenther             RI
Morris Sample             Duke/McGuire Supt. of I.S.
Neal Rutherford           Duke/NPD Licensing
Hal B. Tucker             Duke/VPNPD
Bruce Travis              Duke/Supt Ops/MNS
Tony L. McConnell         Duke/Station Manager/MNS
Robert O. Sharpe          Duke/NPD Licensing
Gary Bethke               NRC/COMEX/Dialla, WA
Bethany H. Drum           NRC/SAIC
Nina C. Thomas            NRC/SAIC
Robert Liner              NRC/SAIC
Neal McCraw               Duke/McGuire/Compliance Engineer
Robert Gill               Duke/NPD/Licensing
Gregg B. Swindlehurst     Duke/Design Engineering
Randy Banner              Duke/MNS/Compliance
Len Firebaugh             DPL/AOE/MNS
Ronnie Miller             Duke/Prog. Supv-TTC/TS
C.L. Hartrell             Duke/CNS/Compliance
D.J. Rains                Duke/MNS/Supt. of Maint.
H.G. Atherton             Duke/MNS/NPD III
Robert G. Morgan          Duke/NPD/Nuclear Ops

ATTACHMENT 3

Alarm Video Layout With Safety Parameter Display

[Figure: Alarm Video Layout With Safety Parameter Display]

ATTACHMENT 4

Example Status Tree Display

[Figure: Example Status Tree Display]

ATTACHMENT 5

Example Parameter Alarm Display

[Figure: Example Parameter Alarm Display]

DISTRIBUTION

Docket File
NRC PDR
Local PDR
OGC-Bethesda
PDII-3 Reading
ACRS (10)
KJabbour
DHood
DLPQ RF
HFAB RF
MMI Section Members

HFAB:DLPQ     HFAB:DLPQ   HFAB:DLPQ   D:DLPQ   Tech. Ed.
JKramer:abh   SWeiss      WRegan      JRoe
8/ /87        8/ /87      8/ /87      8/ /87   8//7/87

PDII-3/DRP-I/II   PDII-3/DRP-I/II   AD[   PDII-3/DRP-I/II-3
KJabbour   DHood   RStarostecki   BJYoungblood
8/ /87     8/ /87  8/ /87         8/ /87

NRR/ADR2   NRR/DRP   NRR/ADP     D0/NRR
GLainas    SVarga    FMiraglia   JSniezek
8/ /87     8/ /87    8/ /87      8/ /87