Final Post-Implementation Audit Rept for Omaha Public Power District Fort Calhoun Station SPDS, Technical Evaluation Rept

ML20245D144
Person / Time
Site:	Fort Calhoun
Issue date:	01/06/1988
From:	SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:	NRC
Shared Package
ML20245D147	List: ML20245D144 ML20245D149
References
CON-NRC-03-82-096, CON-NRC-3-82-96, RTR-NUREG-0737, RTR-NUREG-0800, RTR-NUREG-737, RTR-NUREG-800 SAIC-87-3092, TAC-59713, NUDOCS 8801270042
Download: ML20245D144 (52)
v • d • e

Text

. . _ ._ _

SAIC-87/3092 POSTIMPLEMENTATION AUDIT REPORT FOR

r. OMAHA PUBLIC POWER DISTRICT'S 1 FORT CALHOUN STATION l SAFETY PARAMETER DISPLAY SYSTEM TAC NO. 59713 1

m .

January 6, 1988 EA12 Prepared for:

U.S. Nuclear Regulatory Comission Washington, D.C. 20555 Contract NRC-03-82-096 11 oilomst

& ng Post Omce Box 1303.1710 Goodridge Dnve, McLean, Vwginia 22102, (703) 8214300

. .. . e ,.

t TABLE OF CONTENTS Section- bgg

1.0 INTRODUCTION

. . . . . . . . . . . . . . . . . . . . . I

2.0 BACKGROUND

1 3.0 EVALUATION . . . . . . . . . . . . . . . .-. . . . . . 4 3.1 Concise display of critical plant variables to control room operators ............ -4 3.2 Located convenient to control room operators .. 5 3.3 Continuous display of plant' safety status information . . . . . . . . . . . . . . . . . . 6 3.4 Should have a high degree of reliability .... 7 3.4.1 Data Validity . . . . . . . . . . . . . .

7 3.4.2 System Verification and Validation .. 8 3.4.3 Maintenance and Configuration Control . 9 3.4.4 Security ............... 10 3.4.5 Rapid Display . . . . . . . . . . . . . 10 3.4.6 Operational Availability ....... 10 3.5 Suitably isolated from electrical and electronic interference with safety systems .;..... 11 3.6 Designed incorporating accepted human factors engineering principles ............ 11 3.6.1 Display Content . . . . . . . . . . . . 12 3.6.2 Display Format ............ 13 3.6.3 Control / Display Relationship ..... 14 3.7 Minimum information displayed should be sufficient to determine the plant status with respect to five functions . . . . . . . . . . . 15 3.7.1 Critical Safety Functions . . . . . . . 15 3.7.2 Parameter Selection . . . . . . . . . . 16 3.8 Procedures and operator training addressing actions with and without SPDS . . . . . . . . . 19 11 1

g ..-

I' o

TABLE OF CONTENTS (Continued)

Section Eggg

4.0 CONCLUSION

S ...................... 20 i.

E REFERENCES . . . . ... . . . . . . . . . . . . . . . . 23 Attachment 1 List of Heeting Attendees Attachment 2 Audit Agenda Attachment 3 .SPDS Display Formats Attachment 4 Licensee Presentation Materials M

iii l

POSTIMPLEMENTATION AUDIT REPORT FOR OMAHA PUBLIC POWER DISTRICT'S FORT CALHOUN STATION SAFETY PARAMETER DISPLAY SYSTEM >

l

1.0 INTRODUCTION

'This report documents the findings of the Nuclear Regulatory Commission (NRC) postimplementation audit of Omaha Public Power District's Fort Calhoun Nuclear Station (Fort Calhoun) Safety Parameter Display System (SPDS). The audit, conducted between September 14 and 17, 1987, was performed to-ascertain whether the SPDS met the minimum requirements of NUREG-0737, Supplement 1 (Reference 1), whether it had been installed in accordance with the licensee's' plan, and whether it was functioning properly.

The audit' team consisted of an NRC team leader, an additional NRC staff member, three contractor personnel from Science Applications International Corporation (SAIC), and a representative from SAIC's subcontractor, Comex Corporation. The team consisted of individuals representing the disciplines of nuclear systems engineering, human factors engineering, and software systems engineering. All members were familiar with the NRC SPDS requirements.and the NRC and licensee background documentation.

A list of audit meeting attendees is provided in Attachment 1. The audit' agenda is provided in Attachment 2. A copy of each SPDS display is provided in Attachment 3 and licensee presentation materials are provided in Attachment 4.

2.0 BACKGROUND

The principal purpose and function of the SPDS is to aid control room personnel during abnormal and emergency conaitions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid degradation of the core. The SPDS 1

can be particularly important during anticipated transients and the initial phase of an accident.

All holders of operating licenses must provide an SPDS in the control room of their plants. The NRC requirements for the SPDS are defined in NUREG-0737, Supplement 1. NUREG-0737, Supplement I requires licensees and applicants to prepare a written Safety Analysis Report sufficient to assess the safety status of each identified function for a wide range of events, including symptoms of severe accidents. Licensees and applicants must prepare an Implementation Plan for the SPDS that contains schedules for design, development, installation, and full operation of the SPDS as well as )

a design Verification and Validation Plan. The Safety Analysis Report and the Implementation Plan are submitted to the NRC for staff review. The results of the staff's review are published in a Safety Evaluation Report.

The SPDS requirements as defined by NUREG-0737, Supplement I are:

1. Should provide a concise display of critical plant variables to i control room operators (NUREG-0737, Supplement 1, Paragraph 4.1.a)  !

2. Should be located convenient to control room operators (NUREG-0737, Supplement 1, Paragraph 4.1.b)

3. Will continuously display plant safety status information (NUREG-0737, Supplement 1, Paragraph 4.1.b)

4. Should have a high degree of reliability (NUREG-0737, Supplement 1, Paragraph 4.1.b)

5. Shall be suitably isolated from electrical or electronic interference with safety systems (NUREG-0737, Supplement 1, Paragraph 4.1.b)

6. Shall be designed incorporating accepted human factors engineering principles (NUREG-0737, Supplement 1, Paragraph 4.1.e) 2 1

)

.n, L

7. Minimum information displayed shall be sufficient to determine plant safety status with respect to five safety functions (NUREG-0737, Supplement 1, Paragraph 4.1.f):

1. Reactivity control

11. Reactor core cooling and heat removal from the primary system iii. Reactor coolant system integrity iv. Radioactivity control

v. Containment conditions.

8. Procedures and operator training addressing actions with and without. SPDS should be implemented (NUREG-0737, Supplement 1, Paragraph 4.1.c)

Guidance as to what constitutes acceptable implementation of the above requirements is provided by Appendix A to Section 18.2 of NUREG-0800 (Reference 2) and other documents cited therein, particularly NUREG-0700 (Reference 3)..

In 1985, an NRC survey of six operating SPDSs was performed to sample the status and quality of SPDSs. The survey included onsite evaluations of licensee documentation and hardware, as well as interviews with operational personnel. The survey findings included the descriptions of major deficiencies that were identified in Inspection and Enforcement Information Notice No. 86-10, " Safety Parameter Display System Malfunctions," dated February 13, 1986 (Reference 4).

The NRC staff's safety evaluation of Fort Calhoun's SPDS was forwarded to Omaha Public Power District by letter dated June 7, 1985 (Reference 5).

An open issue in the safety evaluation was the human factors evaluation of the licensee's design. Omaha Public Power District submitted a letter dated August 15, 1985(Reference 6)concerningthehumanfactorsreview of the SPDS. The submittal included the licensee's contractor report of the human factors review and the licensee's conclusions and plans relative to the report. A schedule for resolution was provided with each human engineering discrepancy (HED).  ;

i 3

i l

On January- 28, 1986, Omaha Public Power District submitted a letter (Reference 7) stating that, with respect to the HEDs for the SPDS, .a determination of whether or not changes would be made was scheduled for December 1986. . The changes would then be implemented over the 1988 and 1990 refueling outages.

The NRC staff held a meeting with the' licensee at the plant site on February 26 and 27, 1986 to discuss the human factors review, the resolution of HEDs, and to evaluate the SPDS within the control room. By letter -dated.

September 5, 1986 (Reference 8), the licensee submitted a Hurran Factors Maintenance Plan for SPDS display. formats and techniques for staff review.

The NRC staff submitted the Supplemental Safety Evaluation Report for the fort. Calhoun SPDS on October 20,-1986 (Reference 9). The Staff concluded in the Supplemental Safety Evaluation Report that final confirmation of whether or not the SPDS meets the requirements of NUREG-0737, Supplement I could be made only after a postimplementation audit or when sufficient information.

would be available for the staff to make such a determination.

On September 29, 1986 (Reference 10), the licensee requested NRC approval for use of " Emergency Boration" in place of " Boron Concentration" to check for boration in progress and deletion of "RCS Average Temperature (T-AVG)" and " Containment Temperatures." By letter dated November 28, 1986 (Reference 11), the NRC concurred with the licensee's request.

3.0 EVALUATION The audit team evaluated the SPDS against the NUREG-0737, Supplement I requirements. The audit findings are presented below.

3.1- Concise disol3 v of critical olant variables to control room onerators NUREG-0800 states that a concise display of a critical plant variables will help the control room operator to compare data from related plant functions and assess the safety status of the plant. For example, critical plant variables for the SPDS are presented on a single primary display or on a group of displays in a single location. Also, display formats should contain patterns and enhancements that define the critical plant variables.

l 4  !

l 4

The Fort Calhoun SPDS consists of a cathode ray tube (CRT) terminal located on the operator's desk. The SPOS, which is intended for use by the shift technical ~ advisor (STA), is designed to consolidate critical plant variable information needed for completion of the Critical Safety function (CSF) Status Checklists. If the system is operating as designed, the STA 2

should be able to assess the . status of_ each of the seven critical safety 1

functions with SPDS alone.

1 With regard to display formats, there are several techniques used to define the critical plant variables. First, the most general technique used to define the critical plant variables is the use of critical safety function boxes on all SPDS screens. When variables proceed from normal to alert to alarm conditions, the critical safety function boxes go from.. green to yellow to magenta. Second, the critical plant variables are defined by bar charts that change color (green, yellow, and magenta) as the individual parameters that make up the critical plant variables go-from normal to alert to al arm. Third, the display presents digital status of each of the individual parameters for plant variables.

It-is the audit team's judgment that the licensee meets the NUREG-0737, Supplement I requirement for display of critical plant variables to control-room operators.

3.2 Located convenient to control room operators NUREG-0800 states that the display should be located so that it is convenient to the control room operating crew and where control room operators who are responsible for avoiding degraded and damaged core events can observe the SPDS display. The display system should not interfere with the crew's normal movement. Also, the display system should not interfere with full visual access to other control room operating systems and with  ;

displays important to safe operation.

Two terminals are provided in the control room for use in viewing the SPDS displays and the other displays of the Emergency Response Facility (ERF) computer system. The primary user of the Fort Calhoun SPDS during reactor transients is the on-shift STA. The STA would use the north terminsi, which is located at a convenient work station and which allows the 5

l

STA to be behind the operations staff and yet view actions in progress at  ;

the control board. The south terminal is primarily used by operators to view both SPDS displays and other ERF displays such as piping and instrumentation diagrams (often used for following instrument and safety '

system surveillance).  !

i With regard to not interfering with the crew's normal movements, the j SPDS controls and display are located outside the restricted operator area, (

which is designated by carpeting directly in front of the panel benchboards.

Thus, the STA can perform the critical safety function assessment tasks on the SPDS and monitor operator performance while not interfering with operator movements.

With regard to interfering with visual access to the important control room displays, the SPDS is located so that the STA has full visual access to the controls, displays, and annunciators, as well as to the operators. In addition, the SPDS does not block the visual access of the control room for the panel operators. ,

It is the audit team's judgment that the licensee meets the NUREG-0737, Supplement I requirement for an SPDS to be located convenient to control room operators.

3.3 Continuous display of olant safety status information NUREG-0800 states that a continuous single-format primary display is not necessary. The primary display may be a continuous indication of individual plant variables or may be composed of a number of measured or 4

derived variables. The main concern is that the SPDS users are made aware of important changes in critical safety-related variables when they occur  ;

and that the SPDS users can readily obtain information from the SPDS to help them determine the safety status of the plant. :l All of the top and mid-level SPDS displays have a continuous display of the seven CSFs and the thirteen [ Engineered] Safeguards Signals. There are, j however, several ERF computer system displays which share the control room terminals which do not contain these top level SPDS displays. Examples of j these displays include: Setup menu for X-Y Plots, Electrical Power Supply 6

i

. . .. a ,

'I Index,- Group Directory. for Trend Reports, and the Strip Chart Emulator. On the ERF displays, the CSF alarms are audibly alarmed on an auxiliary keypad box for each terminal. These audible alarms. can be defeated through the use of a key lock s. witch on the box. Since the key is left in:the box, it is possible for both' control room terminals to be selected to display one of the .creens lacking the mini top level display and to' have both audible

- alarms -~ defeated;. Correction of this' deficiency may be accomplished in-several ways, ranging from the complex solution of adding the. CSF alarm boxes to all ERF displays to the simple solution of administrative 1y or physically preventing the defeat of both audible alarms on the auxiliary keypad boxes.

It is the audit tehm's judgment that the licensee does not meet the NUREG-0737, Supplement 1. requirement for a continuous display of plant safety status information.

3.4 Should have a hiah decree of reliability NUREG-0800 . states that in order for the control room operator to rapidly and reliably determine the status of the plant, the displayed data should represent current and correct status of the plant ' variables. In order to keep the con. trol room operator current on the safety status of the plant, the display should be responsive to transient and accident sequences.

To prevent misleading the control room operator, displayed data should be validated on a "real time" basis where practical.

3.4.1 Data Validity Observations made and information obtained during the audit supported an overall positive judgment with respect to data validity. Three areas were considered in conducting the assessment: 1) presence and types of computer point validation schemes incorporated into the system to perform automated data checking, 2) validity of data input to the computer system, and 3) freedom from inadvertent degradation of data due to other system malfunction.

The ERF computer system includes automated data validation schemes which check range and acceptability. Questionable data is displayed j accompanied with a "?" to flag its status.

7

l ..

9 The licensee conducts perbdic surveillance checks on plant data (sensor-to-display) to establish accuracy of data being input into SPDS functions.

Since the SPDS resides in the ERF computer and is integrated with other ERF functions, SPDS data may be inadvertently affected by other non-SPDS functions. Total system evaluation or establishment of total SPDS functional isolation is needed to clearly establish freedom from l

degradation. The licensee has extensively tested the system, but has not i clearly demonstrated that data degradation will not occur. Further emphasis on this type of assessment'is recommended.

One other potential source .of confusion exists relative to data validity when certain portions of the input network are being tested. For example, when the Qualified Safety Parameter Display System (QSPDS) was undergoing test, some data being displayed by the SPDS was test data and was not so indicated on the screen. Recognition of the status of this test data is dependent on the administrative process of notifying the control room operators.

3.4.2 System Verifi,q1 tion and Validation Recognition that the SPDS performs reliably was heavily based on observation of system performance and on support of personnel to guide auditors through existing documentation and records. The licensee has recognized many of the limitations existing on current system documentation and is taking positive steps to more clearly document the computer software as it currently exists. In addition, a Verification and Validation plan would have been very helpful to convey the evaluation approach and scope.

Without a plan the auditors had to piece together their understanding of the extent and scope of the SPDS evaluation. Only because of the observed system performance and the willingness of personnel to spend the necessary effort to walk the auditors through both system development and evaluation records was a positive response possible.

The system Verification and Validation process did not include identification of system requirements together with review and test evaluation results to establish that the requirements were met. Their 8

evaluation results consisted of test procedures carefully implemented and recorded; they did not include indications of scope or convey a test l.

l strategy from which assessment of coverage could be obtained. Licensee personnel discussed test coverage and how testing was implemented. Based on the additional discussions, _ the auditors judged the assessment to be adequately complete to- support the' reliability requirement. It is recommended, however, that the licensee prepare a Verification and ,

Validation Plan 'for SPDS application as the system evolves to include plant (

i process computer functions. This plan should include test coverage needed to ensure future reliability of the SPDS.

Software control ,Jrocedures were revised to impose a more systematic control process' Currently, Software Configuration Management Plan, Revision 0 has been submitted to the NRC for approval to be implemented at-Fort Calhoun. 7 The' Software Change Reviews Committee process involves the following departments:

Quality Assurance Nuclear Production Generating Station Engineering Management System Services When approved,- the plan will be applicable to all ERF support software.

3.4.3 Maintenance and Configuration Control -

Control procedures were established to exercise formal control over the ERF computer system software as of April 30, 1986. This date coincided with declaration of Version 1.0 of the SPDS, which is correlated to Fort Calhoun's plant-specific E0Ps.

l l

1 i

9

t

- 3.4.4 Securii2 {

In addition to administrative security measures, the licensee provides two types of protection to facilitate adequate system security. These are password protection and physical location discrimination.

Set-point changes and software changes require a programming . level security. This is the most restrictive level of security exercised on the system. The security levels are somewhat confusing as currently designated and are a potential source of error unless well understood and carefully followed.

3.4.5 Rapid Disolav The data displayed on each of the seven SPDS pages can be called up in i

11/2 seconds with all eleven screens in use. The audit team callup of the displays in the control room confirmed that each of the displays could be l called up rapidly.

The display - log is updated at a rate of about once a second for all parameters, values, and calculations. The individual sensor update rates vary from less than a second to ten seconds. The scan rates for the individual parameters were determined by a variety of sources, such as the vendor of the original PRODAC computer system and the licensee's engineering department. It is the audit team's judgment that the licensee's SPDS displays critical safety function information rapidly.

3.4.6 Operational Availability Since declaring the SPDS operational on April 30, 1986, the licensee stated that the availability has been 99.63% through August 1, 1987. The calculation of availability is based on computer system hardware availability.

When individual sensors or computer points are not providing correct information, a *?" appears on the screen beside the affected parameter value. When maintenance is being performed on the SPDS or other systems, 10

such as the QSPDS, the control room operators are notified and record the activities affecting the availability of SPDS in their watch logs.

Fort -Calhcun routine instrument loop surveillance and calibration procedures include steps for checking the computer points on the SPDS and ERF displays. This check ensures, on a day-to-day basis-(in accordance with the normal instrumentation and control (I&C) testing schedule), that SPDS.

parameters are accurate. The only problems noted ir. reviewing SPDS computer points were on total Safety Injection F1m:, which read about 120 gallons per minute (GPM) in a no-flow conditior., and Auxiliary Feedwater Flow, which read about 13 GPM in a no-flow ccndition. Both of these suspect readings are well below the normally expected values for system operational flow and are not considered.to be a problem. This situation is often seen in . cases where the no-flow calibration of the system detectors has drifted.

Interviews- with six operators and STAS, conducted by the NRC audit team, substantiated licensee claims of SPDS availability of over 99%. The independent responses of six personnel were very consistent in stating that one of the two control room terminals is out of service for short ' periods only five times per year and that the entire system is unavailable for only brief periods once or twice per year.

It'is the audit team's judgment that the licensee meets the NUREG-0737,-

Supplement I requirement for a high degree of reliability.

3.5 Igitably isolated from electrical and electronic interference with safety systems Electrical isolation is being evaluated by a separate NRC organization and was not part of this audit.

3.6 Desianed incorooratino accepted human factors enoineerino orinciples NUREG-0737, Supplement I states that the SPDS display shall be designed to incorporate accepted human factors engineering principles so that the displayed information can be readily perceived and comprehended by the SPDS users. Review of the adequacy of the display to effectively communicate data and information to the operators includes an evaluation of the display 11 i

(

- - - - - ___-___-________ - D

1 content, display formats, and control display relationships. Guidance for i

evaluating the human factors aspects of the SPDS is provided in NUREG-0800 and NUREG-0700.

3.6.1 Disolav Content At Fort Calhoun, the primary user of the SPDS is the STA. During emergency operations, following a reactor trip, and during emergency exercises and drills, .the STA uses the SPDS to complete the Safety Function Status Checks for the six Emergency Operating Procedures and the Functional Restoration Guidelines. The six Emergency Operating Procedures are:

1. Reactor Trip

2. Electrical Emergency

3. Loss of Coolant Accident

4. Steam Generator Tube Rupture S. Uncontrolled Heat Extraction

6. Loss of All Feedwater The Safety Function Status Checklists, ' located at the end of each of the Emergency Operating Procedures are similar to each other, but not exactly the same. They are, however, all organized into the seven critical safety functions as are the procedures.

During emergency operations, the shift supervisor removes the Safety Function Checklist from the back of the Emergency Operating Precedure that is being implemented, and gives it to the STA for completion. The STA is assigned the task of assessing the status of the seven critical safety functions at ten minute intervals. The critical safety functions are:

1. Reactivity Control

2. Maintenance of Vital Auxiliaries

3. Reactor Coolant System Inventory Control

4. Reactor Coolant System Pressure Control S. Core Heat Removal

6. Reactor Coolant System Heat Removal

7. Containment Integrity 12

In order to evaluate the adequacy of the SPDS display content to apply the Safety Function Checklist, the audit team used the Safety Function Checklist for the Reactor Trip Procedure and SPDS displays. The checklists parallel the critical safety functiori of the format of the procedure. They are laid out in order of safety significance, from reactivity control to containment integrity. The audit team identified only one case where the information needed to complete the checklist was not on the SPDS displays.

This observation occurred on the Maintenance of Vital Auxiliary (VAX) display where the checklist called for status of 4160 voit bus IAl, IA2, IA3, and 1A4, but only 1A3 and 1A4 were displayed. This finding is inconsistent with NUREG-0700 guideline 6.5.1.1.b which states that displays should give the operators all the information needed to meet task requirements.

In summary, the audit determined that the content of the SPDS displays was consistently integrated with the Emergency Operating Procedures, Safety Function Checklists and the role of the STA. There is however, at least one case (4160 volt bus lAl and 1A2) where the content is incomplete.

3.6.2 Displav Format The purpose of this evaluation was to determine if the formats were consistent with the guidance provided in NUREG-0800 and NUREG-0700. This part of the review focuses on the guidelines associated with control room workspace, visual displays, labels and location aids, process computers, and panel layout.

The audit team evaluation included a review of the one top level display for Normal / Alert / Alarm status and the seven mid-level displays corresponding to each of the safety functions and engineered safeguards signal actuation (Safety Injection Actuation Signal, Containment Isolation Actuation Signal, etc.) status. With a few exceptions, the audit team I

l 13 i

l .

concluded that the displayed information can be readily perceived and l

comprehended by the STA. The exceptions are listed below.

1. Reactivity Control Display - The bar chart for start up rate extends to the left of the vertical axis to indicate a negative start up rate. This format is inconsistent with other positive / negative bar charts such as Reactor Power, which are y formatted to the right of the vertical axis. This format is also inconsistent with NUREG-0700 guideline 6.8.2.3 for layout consistency.

2. Reactivity Control Display - The control element assembly (CEA) bar chart will indicate a "not full in" condition if one or more rod bottom lights on the reactor control panel are burned out.

The stated cause of the problem is the fact that rod bottom light circuits are in series with the CEA signal. This finding is inconsistent with NUREG-0700 guideline 6.5.1.1.f for display failure indications.

3. Reactor Coolant System Heat Removal Display - Steam Generator Level is not labeled Wide Range as indicated by the Safety Function Status Checklist. This finding is inconsistent with NUREG-0700 guideline 6.6.6.1.a which states that labels should

- describe the function of equipment. There is a potential for confusion on this display because both wide range and narrow range steam generator level displays on the panels are 0 to 100% scales.

4. Containment Integrity Display - The Containment Spray digital display box is not labeled with the engineering units (GPM). This finding is inconsistent with NUREG-0700 guideline 6.6.3.1 for the kinds of information that should be on display labels.

3.6.3 Control /Displav Relationship Access to the one top-level display and seven lower-level displays is obtained through a dedicated keyboard located beside the SPDS. The keyboard is laid out in the same pattern as the miniature critical safety function boxes in the lower left corner of each display. Access to each display 14 l

____ _ - - - _ _ _ . _ _ _ _ _ . _ _ _ _ _ _ _ _ _ ]

g L *

4 requires. only a single stroke of the appropriate key, which is labeled the same as the boxes on the screen. Access to other diagnostic screens is available through a standard keyboard located in front of the SPDS displ ay.

It is the audit team's judgment that access to the licensee's SPDS displays is appropriate 1y' human engineered.

In summary, it is the audit team's judgment that the licensee's SPDS incorporates effective human factors principles in the areas of content, format and control-display relationships. However, it is the audit team's judgment that the licensee does not meet the NUREG-0737, Supplement 1 l requirement for a design incorporating accepted human factors principles because of the four concerns identified above.

3.7 Minimum information displayed should be sufficient to determine the olant status with respect to five functions NUREG-0800 states that the minimum information to be provided shall be sufficient to provide information to plant control room operators about the following critical safety functions:

1. Reactivity control

2. Reactor core cooling and heat removal from the primary system

3. Reactor coolant system (RCS) integrity

4. Radioactivity control

5. Containment conditions To monitor the plant process, the control room operator must be able to evaluate each of the above functions or their equivalents.

3.7.1 Critical Safety Functions The Fort Calhoun SPDS uses seven Critical Safety Functions. The seven CSFs used are:

1. Reactivity Control

2. Maintenance of Vital Auxiliaries

3. RCS Inventory Control

4. RCS Pressure Control 15

I

5. Core Heat Removal

6. RCS Heat Removal

7. Containment Integrity This CSF scheme combines the nine generic Combustion Engineering (C-E)

CSFs into seven CSFs.by combining the Containment Isolation, Temperature and l

Pressure Control, and Combustible Gas Control CSFs into one Containment Integrity Control CSF (see Figure 1). The important area of heat removal, from both the RCS and containment, are covered by the Maintenance of Vital Auxiliaries, Core Heat Removal, and RCS Heet Removal CSFs. The NUREG-0737, Supplement I requirement to provide indication of radiological releases has also been incorporated in the Containment Integrity CSF (see more on this subject under Parameter Selection). The seven CSFs are presented as alarm boxes on the top level display (page 100) and in the lower left hand corner of each of the mid level (page 200 series) displays. In addition to the seven CSFs, thirteen Safeguards Signals are displayed in the lower right hand corner of the top and mid level displays. Based upon the programmed algoritnms, the CSF and Safeguards Signals change status from a normal level The yellow green, to an alert level yellow, and to an alarm level magenta.

alert levels are keyed to administrative and normal operating limits, while the magenta alarms are keyed to E0P limits.

A comparison of the Fort Calhoun SPDS critical safety functions and NUREG-0737, Supplement I critical safety functions was made in order to determine if the two were equivalent (see Figure 2). As a result of this review, it is the audit team's judgment that the licensee's critical safety functions are the equivalent of the NUREG-0737, Supplement I critical safety functions.

3.7.2 Parameter Selection The parameters selected to depict each of the critical safety functions were evaluated by the audit team. In all cases except one, the parameters were judged to be comprehensive. The exception involves the NUREG-0737, The three Supplement 1 Radioactivity Control Critical Safety Function.

variables considered by NRC to be essential for monitoring of radioactivity stack monitors, steam line monitors, and containment control for SPDSs are:

16

Figure 1 EOP/SPDS Safety Functions vs CE 3PG Safety Functions CE EPC's E0P's/SPDS

1. Reactivity Control 1. Reactivity Control {

i

2. Maintenance of Vital I Auxiliaries 2. Maintenance of Vital l Auxiliaries  !

l

3. RCS Inventory Contro t

,3. RCS Inventory Control'

, 4. RCS Pressure Control

4. RCS Pressure Control

5. Core Heat Remova) l 4

6. RCS Heat Removal I

I Isolation

6. RCS Heat Removal j

8. Containment Temperature and <

Pressure Control e

9. Containment I '

Combustible Gas Control 17

e e

- Figure 2 EOP/SPDS Safety Functions vs NUREG 0737 Supplement 1 NUREG 0737 Supplement 1 E0P's/SPDS I i 1

1. Reactivity Control ; 1. Reactivity Control ',

2. Maintenance of Vital l

2. Core Cooling and RCS Heat Removal i i 1

3. RCS Inventory Control f 3. RCS Integrity 4. RCS Pressure Control l

5. Core Heat Removal f

4. Radioactivity ,

Control

6. RCS Heat Removal

5. Containment _  ;

7. Containment Integrity ,-

Conditions j 18

monitors. The Fort Calhoun SPDS Containment Integrity critical safety function does not include steam line radiation.

The steam line monitors in pressurized water reactors measure radiation ]

releases to atmosphere when main steam relief valves are open during - plant transients and during a turbine-trip. The steam line monitor is also important inI measuring the radioactivity on the seccndary side during a.

steam generator tube rupture.

The major effluent points at Fort Calhoun which could become the source of radiation releases to the environment are the main plant vent stack, the air ejector offgas line and the steam line reliefs (and breaks downstream of the main steam isolation valves). Vent stack, air-ejector offgas and other.

radiological monitors such as steam generator - blowdown monitors and containment atmosphere sampler results are input to the SPDS. The system is, however, deficient in not using the main steam line radiation monitor as an input to one of the algorithms in the Containment Integrity CSF. There is a single main steam line monitor at Fort Calhoun which cycles between main steam lines approximately every seven minutes. This monitor is input to the ERF computer system as a computer point, so adding it to a CSF should not represent a major SPDS modification.

In summary, it is the audit team's judgment that Fort Calhoun critical safety functions are equivalent to the NUREG-0737, Supplement I critical safety functions and the parameters selected, except for steamline radiation, are comprehensive, and appropriate. However, it is the audit team's judgment that the licensee does not meet Supplement I requirement for minimum information displayed, sufficient to determine safety status with respect to five safety functions, because of the lack of steamline radiation.

3.8 Procedures and operator trainina addressino actions with and without if.M NUREG-0737, Supplement I states that procedures and operator training addressir3 actions with and without SPDS should be implemented.

19

l

. i

\

l The licensee stated that all licensed operators and STAS at Fort Calhoun receive a short training course on SPDS during hot license reactor training and again during periodic requalification. The initial training 1 consisted of forty hours vendor training when the system was first installed, followed by three hour training sessions for the operators.

I 1

The training for the STAS, who are the primary users of the SPDS, is ]

done primarily through the operator training lesson plans. The STAS are j trained to perform their critical safety function assessment with and without the SPDS. The STAS, however, do not receive detailed training on the computer points (parameter sensor points) that drive the SPDS logic. As a result, the STAS may not be current on the safety function logic.

In summary, it is the audit team's judgment that the licensee does not meet the NUREG-0737, Supplement I requirement for procedures and training with and without SPDS, because of the lack of detailed, formal training for the STAS.

4.0 CONCLUSION

S A postimplementation audit of Omaha Public Power District's Fort Calhoun SPDS was conducted by an NRC audit team between September 14 and 17, 1987. The purpose of the audit was to ascertain that the SPDS fulfilled the requirements of NUREG-0737, Supplement I and had been installed in accordance with the licensee's plant and was functioning properly.

1. It is the audit team's judgment that the licensee meets the NUREG-0737, Supplement I requirement to provide a concise display of critical plant variables.

2. It is the audit team's judgment that the licensee meets the NUREG-0737, Supplement I requirement to be located convenient to control room operators.

3. It is the audit team's judgment that the licensee does not meet the NUREG 0737, Supplement I requirement for a continuous display of plant safety status information because the menu screen which 20

a ,

e does not have the critical safety function boxes can replace SPDS on the CRT, and.the audible alert can be inhibited.

4. It is the audit team's judgment that the licensee meets the NUREG-0737, Supplement I requirement for a high degree of reliability.

5. The audit team .made no evaluation of the suitability of the electrical or electronic isolation because this is being done by another organization within NRC.

6. It is the audit team's judgment that the licensee does not meet the NUREG-0737, Supplement I requirement for a- design incorporating human factors engineering principles because of the

'five concerns identified below.

a. The 4160 bus IAI 'and 1A2 on the Maintenance of Vital Auxiliaries (VAX) display is not included in the display, even though' it is called out in the Safety Function Checklist,

b. The start-up-rate bar chart on the Reactivity Control displays extends to the left of the vertical axis.

c. The- control element assembly bar chart on the reactivity control display gives misleading stuck rod indication when the rod bottom indicator lamps on the' Reactor Control Panel are burned out.

d. The steam generator level bar chart on the Reactor Coolant System Heat Removal Display is not labeled wide range.

e, The Containment Spray digital display on the Containment Integrity display is not labeled with engineering units (gallons per minute).

21

7. It is the audit team's judgment that the licensee does not meet.

the NUREG-0737, Supplement I requirement for minimum information displayed sufficient to determine plant safety status with respect to five safety functions because steamline radiation was not included in the SPDS.

8. It is the audit team's judgment that the licensee does not meet the NUREG-0737, Supplement 1 requirement- for procedures and operator training with and without SPDS because the Shift Technical Advisor does not receive formal training on the ' display system logic.

i i

22 l i

REFERENCES

1. NUREG-0737, Supplement 1 Requirements. for Emergency Response Capability (Generic Letter 82 33), USNRC, December 17, 1982.

2. .NUREG-0800. Standard Review Plan of Safety Analysis Reports for Nuclear Power Plants, Section 18.2, Rev. O, Safety Parameter Display System (SPDS), Appendix A to SRP Section 18.2, USNRC, November 1984.

3. NUREG-0700, Guidelines for Control Room Design Reviews, .USNRC, September 1981.

4. 1E Information Notice No. 86-10: Safety Parameter Display System Malfunctions, USNRC, February 13, 1986.

5. Letter from E.J. Butcher (NRC) to R.L. Andrews (OPPD), " Safety Parameter Display System," June 7,1985.

6. Letter from R.L. Andrews (OPPD) to E.J. Butcher (NRC), August 15, 1985 (LIC-85-673).

7. Letter from R.L. Andrews (OPPD) to A.C. Thadani (NRC), January 28, 1986 (LIC-86-025).

8. Letter from R.L. Andrews (OPPD) to A.C. Thadani (NRC), " Safety Parameter Display System, Human Factors Review," September 5,1986.

9. Letter from A.C. Thadani (NRC) to R.L. Andrews (OPPD), " Safety f Parameter Display System Supplemental Safety Evaluation Report," {

October 20, 1986.

10. Letter from R.L. Andrews (OPPD) to A.C. Thadani (NRC), " Request for Change of Safety Parameter Display System Variable List," September 29, )

1986.

I 23

a d' ~

11 REFERENCES (Continued) l

11. -Letter from A.C. Thadant (NRC),to R.L. Andrews (0 PPD), " Safety  !

Parameter Display System Variable List,"_ NRC, November 28, 1986, 1

- 1 l

24 l

r e I

l^

l' ATTACHMENT 1 LIST OF MEETING ATTENDEES 25

[

1. .-

EXIT MEETING 9/17/87 gag Affiliation Anthony Bournia NRC/PD Project Manager Richard'J. Eckenrode NRC/DLPQE/HFAB

!, Garmon West, Jr. NRR/DLPQE/HFAB Joseph.DeBor. SAIC Jim O'Connor OPPD Mike _Elzway OPPD

. Bill'Gartner OPPD Linda Gondrum OPPD Mark Gutierrez OPPD Tom Heng OPPD Larry Sealock OPPD Robert Johnston OPPD Gary Bethke NRC/COMEX Joe Moyer NRC/SAIC James J..Fisicaro OPPD (Supervisor - Nuclear Regulatory and Industry Affairs)

Deborah Munderloh OPPD (Senior Engineer - Nuclear Regulatory and Industry Affairs)

_ Larry Kusek OPPD (Acting Plant Manager)

Joe Gasper OPPD (Manager - Administrative & Training Services)

Nina Thomas NRC/SAIC Phil Harrell SRI /FCS/RIV/NRC l

26  ;

_ _ - - - _ _ - - _ - _ - _ _ _ . _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ J

l

's s 4

i ATTACHMENT 2 AUDIT AGENDA

Enclosure 2 Tentative Agenda for the Combined DCRDR/SPDS Audit at Oklahoma Public Power District's Fort Calhoun Station. Unit 1 September 14 through September 17, 1987 DAY 1 l

l DCRDR Audit Schedule 2 pm - IntroductionoftheNRCAuditTeam(NRC) 2:15 pm - Presentation on individual DERDR requirements (NRC) 3 pm - Erief presentation on the DERDR program by the licensee 4 pm - Tour of control Room

• DAY 2 .

8:30 am - Selection of Design Improvements

a. Discuss the selection of design improvement process (licensee).

b. Review the results of the selection of design improvements.

- Discuss the licensee's prepared responses to the HED concerns identified in Attachment 1.

- Discuss the schedules for implementing design improvements.

12 noon - BREAK FOR LUNCH 1 pm - Conduct Sample Survey of the Control Room Modifications in the Control Room (Consider use of mockup)

- NRC Audit team caucus

- Comparison of current NRC Audit Team's findings with licensee's DCRDR team

- Concurrently, it is reouested that the following SPDS-related documentation be available for review:

- Functional Requirements

- Data Requirements

- System / Subsystem Specifications

- Program Specifications

- Data Base Specifications

• Obtain authorization to use camera to take pictures of the control room.

DAY 3

~8:30 am - IntroductionandBriefino(NRC)

- Presentation on individual SPDS requirements (NRC) 9:15 am - OverviewofSPDSImplementation(Licensee)

- Definition-ofSPDS(scope) '

- Parameter Selection Process

- Human Factors Engineering Program

- Reliability

- Verification and Validation Program Implementation Program ,

- Project Milestones 12 noon - BREAK FOR LUNCH I pm - Critical Safety Function /Parametei Selection (Licensee)

- Parameter Selection

-- Critical Safety Functions (vs. NUREG-0737)

- Critical Safety Functions / Parameter Relationships

- Range of Events / Conditions covered by parameters

- Safety Evaluation Report Concerns 2:30 pm - Visit Control Room (CR)/ Technical Support Center (TSC)

- SPDS Demons'tration

- Human Factors Engineering Review

- DisplayLocation(CR)

- Display Format (TSC)

- Display Techniques (TSC)

- Open Concerns of SER of September 29, 1986: human factors review, report, and implementation schedule

- Operations Review

- Concise Display (TSC)

- Parameter identified Critical Safety Functions in and (0737 SAR on SPDS (TSC))

Plant (TSC)

- Reliability (Hardware / Software)(CR)

- ResponseTimes(DisplayCall-upandScreenUpdate)(CR)

- Integrated into Emergency Operations (CR)

- SPDS Parameter Values vs. Fixed Panel Values (Comparison) (CR)

- Procedures and Training

- Control Room SPDS vs. Simulator SPDS Comparison

DAY 4 8:30 am - SystemDesign(Licensee)

- System Description

- Display Configuration

- Data Validity

- Security SystemVerificationandValidation(Licensee)

- Verification Test Plan

- Validation

- Maintenance and Configuration Control .

Electrical Isolation

- Provide feedback on licensee's response on March 13, 1987 to request for additional information 10:30 am - Operator Interviews

- Shift Supervisor

- Reactor Operator

- Shift Technical Advisor 12 noon - BREAK FOR LUNCH 1 pm - Audit Team Caucus 4 pm - Exit Briefing (covering both DCRDR and SPDS) m

-n.__----------- - - - -- - . - -- - - - - _ _ - . - -

a ,

ATTACHMENT 3 SPDS DISPLAY FORMATS l

l 1

U-____-__-_-__-__-_-_____-_____-__

.____.__e_ . . - - , ,

p.,,.. #

i

[., b. '3,

{ r

' J.

.g.

{ g a Ek . s ',

n:  ! cw t . { {l, s*z '

E r

{  !

g],' _

t .. : .

I . .E . . :.

f +. ~4.9.l.' -

l T ,

-156%iH

wo.. win l l

I I

g. .

I i i l f-S. i S

I, E'.pl"

> t N . i

, w;_g , . ._ _ .

, O

• Wir t! ,

1 C [

Q. o 3:

rl's ,

. i i g te if .*

!. EE '

!,8l.lI -

r . ... N l -. .

s Y.

\ g \

I N g T .

f N'e N't N ?I ,

v s s =E I

N IE i g N 3.. s. .

.e s ,

i f

y- s

\

s

- ..1  ! ;,,

i

• s . ..

8 N NT

, N E le g 1-fE e% EnhE 3

!r!g!

- h[h n t

nr .

W it I.b I fld t.

W~E , I E

, t" Ta '

[

i ~

, -t -

i I':- EE

' J [,

3 O i  %

I W s E

=

Z

! I g a '

fg C

= f* U -[

. g 8 g

. ,, : is

• ii >-  ;

l _ n_s

!=s g

i i

EI ll IE EE > I i

i s  :* -

8 p I ,

' Q 4 i JI' R E R E C - - '

I w [_eJ Q.J i  % ,

I i f- - . . - . - ---- --.-- .------'

l j

l 1

._. -_ .l

g- i--

g- A e  :

t; un I t' ,

- n 54 x d 9 E* -I* a s

e w E I: sw -

t-

, m

[Il!

it,I;- !!ll!

5.:;il; 3-I(5.thilII

mt o l

i 5 1

i  :

l I i i

I. "I "I "I g 8 i w -l> -

3 .

~ . gs u .

l RS "E -

I '

I i __:5

/\

/

D,-

S w2  !

/s

/s O e tt f *

/

q! q l s'- I s l N-l /s*

/s

! Q.  ! l s s 3

• is - ,

eeg,g l Mg Qc

, lr .-

4e E6iil-f -

l t 2 N t

l- 13g A 't, . ~ t.,

I 2 k,  ;

J n

l g At s c .-

).c ,

g ,::

j / 1 N I s '"

p / \

\ [#k i vs - N > s -

i =

re sa ,

l SE'

• y s

i ,

i i D 1

l m

l yr w

~

! ...i. riia g .I 5

9 0 l g i:i:r tE._lte

... . a i

i Ell r, ase.ill r-s I f 15

e. Y b 5 '

i i

E.l~l!E[I o .E EE 3 q

I  :*

i g G

i %IiEEiEEEEE H t

1 s

[-

I f----.-...--------------.-----  !

l

4 Figure 4-2 b POSTACCIDENTPRESSURE-TEMPERATURELIMITS15EFP ij i i i , ,

2500 iiii i i i 6 i 6 e 2 i .

LOWEST EERVICE

/~~ TEMPER LTURE

/ l

/ ,

1 2000 j -

i

~

'2

~

100 DEG/HR / 1 l

G CCOLDOWN

/ ~

/

y $500 i

g -

e ~

i\ ~

/ 200 DEG f / ( SUSCDCLED -

c.- -

g - l

( .%

b y

1000 r

i RCP NPSH ll f

,/ -

2 ,

,i

,/ _SHUTCOWN / ( pg tgg ,

CCDLING

, , SUSCCCLED

' ~

/ O CEG -

' # SUSC00 LED

~

(SATURA TICN) - 1

~ '

t 1  ! 1 I t 1 I 4 t I f f f L _

1 O

200 300 400 500 600 i 100 RCS Temperature (Deg F) f NOTE: 200 DEG SUBC00 LED CURVE SUPERSEDES 100 DEG/HR C00LDOWN CURVE ANYTIHE RCS HAS EXPERIENCED AN UNCONTROLLED COOLDOWN CAUSING RCS TEMPERATURE TO GO BELOW 500 DEG F

( ISSUED E0P-01 i SEP 171986 FC/EOP/01 9' E R1 09 17 86

i :11 E i' y

5 i 't,,

e *g. I t, E EN s U" 9

e E*

e!. .

-l s -e u g. .-

. g -

!.=

1,'e l r.e g t y r ,! -,.,, -;;. ..~

( . .% .. -

s$ii!Iff,thI l

i ~l I

1 l

-l

'I i

3 i I

i  %

~. ig n t

i

.[ .;

.l. .. ...

s wI O t t-n A

.<r Q.

I aj:,y ,

E ,

, m /%8

)

. I P <

-l i

p ^

A ilif{;f E 4g j ,-

t 1

. 3 -! -

s <+ -

l 3

,  % I .

, av ges ge j...I i .

$ m I A gp-l m. W A.,  : .  : n t

, .. I. .s. h l kh I

1 e i h' If i:23 iPs.l I!u "rs a *IcJ l

i ti s i ss

-- te i -I g_l

, O gFs r

I 3

>- $p I f;El -

i  ! . =

e U

i i

,. >- 9 0 3

I I ti.t Ir

• y C

• e O

i i

!!EIINfEf pi rr r= a .;.g - 1 _

1 e

ep-ij I

z, u.

b 5 i >

I z y

t TZl.

LLI

. t l I! n 5 5 5 5 5 kg9 o g.

-g e i

1 _____________________________________________

g  ?!

E E  : .a

' vi u I t, s 6<, .a  ; .!

$ cv { 8 w

-4 i

• - 3: ',

.E g ._

~

C C

/l{,,!!ijIf-ri t;4 j!;.i

': i.

.~

(M5t$..I 5 i

Et lT":Il I i

I

,i i.

I I '

l S t j

i O ~

)

i Il N

• 1 1 :7) ~

I i

I w =I l o"

;s t

c Q-

[ -

rs E -

i  ? "I I 1 W i

s N' ! E f e fl5!I i

Q[ .t \ a\ \ \ ^

l

. I I

l 3! TF ~~

7-1 l l l 85 i

3 Ng ... s ..

s' I

g:

I \

i b8*

\

[

i . .- .e I e s .a f - se y r $,

Ei@n

. ga,E & E :j i

i Sf*i ]set-I 'r e h.'  ;

EE g i l g

aw~

s j I

• u k

1 O E'=E P t

{ W [

f

' , .r!.!."I$

u

. .E '

I i

:. I W e

I

!; t. n.!! *I E E .rh 3 -

h.

I pi II tr i 3 r es iis

- u

.!s g

m y

i E i a.

.E '

I ti

.i  !!: e -

I l J

1. ______________________________________________ \

l 1

i L__ _ ___.-_ _____ ___ _ - - - - - - _ _ - - . -

_____._._m. _ , _

g i-s* C

• l "y ' Is r..

t E 5%  ;

at:.,

E 'cw . [! st h

g[ 2) 5 t l

itikig h

-Y!fl i:3, M if$lkilll '

N m p ij i

,________________________________________r_____

i i

I , t i )

i i

.i .i _g

,G ~~T

... g .g knI-i N e & i 1

I .. ..p ..g W l 1

g.. .

.g g -p g g -g

, c f  ::

n. 8 1 L

. , . .g ..g g- .

g j '

i j f[ j s,}

~

wa ss i

^.

. - g g h.g '

D .1 5 '

l f l

-,. - -e s-

-r s. s o t N

-4 li s

x a

/'\I ['

I N'l 1

/N'h QA ES i s n .4g* E 1

, . ( .

N c A.+ p.. . ".'-

E -

t ft : q {.t. m E

t. e: peu.

, e sg. q p tr  :@d Eo ca r a; k-

, :e -

-~

se<< .

1 II **

II g666 Ew i

_SEE e:

,i [q ,

l i >

3 C '

I

>I O

i i 2.lb"*

m i

i y

E{

e E,

gel- C 8 6 $ E- 8 E"

l s E ln.

~  :

i i i i, [::v Egf ,a f..if$

m m i

l z @ E  :

I I e -

• m ,

• j

• g- t l

I uhh O l l______________________________________________

E d")

5 e t E

a O I*

5k al-E 9 EW l] s t E E 2l u

~

.E. p-

! ! !!! [D1, lltj !!li

!i,!;"$!j:Il

~

t[!(iMthl

. ~ .Wi 'iM l ,

I i

l i

l i

i i i O l I O ~{

of -l l'{';*r  ;

i 'g N

• i -

( !. i j  ! -t -

f $#

c I

!: le.

i i

l

., c. e 7

j;;b

/i%: e. mg .

p 3 el i i a o EecL '

E!.i I'8l'(t I

i m ..,-

i  :.t i .

i l

s dv"3d$

e' t

%) 4

1 l *n - .

! jd, n,3 m m g; ,

r, s

n u

a /vg 7'1 '-

, . .A_ . A. . /N I

I

{ 4_.Vd I AW, .I

.::: .r g;rer;:' 2, lI *_.1,~2-]:ta k$ e*H c:

e ~34M c

$ - 1[ ik i 4A??  ????  ??  ?? SERE E i

t trar rrrr rr rr .;;;

gtt . "'e c I

• k-I EE I

I l .

= . 8 s c

- ~ -

> n n g 3 } e O d u

! = 3 I E l I I *

! E * 'g5

.. LLI Ej E { l 'A.lj 1 i I m h::s;s

. g:: *I ::E [.

i t z t E,r I a a r -

i q i i y  ; v.

l I (

jlR E E E i E E -!: m h"0 gi l

l i e

~

i l

1.-____________--_____________--------__-----__

I 1

l I

L______-------_________ _ - - - - - - - -. - ..

g

.., g ;_

< .. O e

t I r. .

E 6f- a ;I

~

e a'

q i4

t. E u .

_ c E y u -

.: e e. i U  !

U

[l!'i'!

ili-i j; I, ':"

khil:t Di .ff 98l  !

i ,

1 I i l i I <

l @

i . CD -

%{lI i i /s N

• i $g's %1 b W ;;;l g Q' /s  ? l l s '

/N i i N /5 .

' ' ' ' 'I O f i!T -T g s /s C l8 3 :7 ,

1 No N 1 s' -.

s;l!! fl i .

3 l gj

s, s ,

I N ' a si f /v. q..

i '

/s s /4 s ...

!' s / Nl /N s e /N /N.

s g 5, l  %. " 'i ~ , - .

.E, .-

4 )

., 5 l I4..,l_E~Wj~E i_nn, j u.~

i g

1

_u_I 2 fg Q fetg gg g'1 w[3_

_ I; 2

!_ ~ '  !. _ Y.Iff 2m prg gt gal g5{b[

_i (i i

i [7!- lI gr ga gs E

l wi si vi 3E LL EL LL >-

g F- g";:f r

I

% RE I i

' O I

W I

g i 9 U L

l t

j  !>y i

i1 5th s Is, S I.:g l , . [rri z _g lj Ue fi:

_-  : : W l [ :[ iiii ~ ~ ~

!g I z l i

H e*

q  ?

l< j $. k k k k *

, ia.ti .rr II :bE*-C r o =m

.e a l

1 r

.J .E U i l 1 l______________________________________________

r f

(

i Figure 4-3

(

I SIS FLOW vs PZR PRESSURE 1700 ,i,, i , , i , , , , , , , ,

h SIAS _

1500 1400 1300

$ 1200

-\ _

e 1100

-\ -

a 5- 1C00

\ -

15 -

0 S00 k.

u

\

0-800 5,-

rw 700

\ -

g -

.J 600

{

g C m E 500 i

)

400 gg;gp7;g;g

~

300 200 'ABLE i

_ UNAC _

0 0 500 1000 1500 2000 Total Safety Injection Flow (GPM)

(sum of all injection point flows)

NOTE: EELOW SIAS PRESSURE. SAFETY INJECTION SYSTEM PUMPS WILL SE OPERATING, BUT THERE WILL SE NO INJECTION FLOW UNTIL SYSTEM PRESSURE FALLS EELOW PUMP SHUTOFF HEAD b ISSUED E0P-01 SEP 171cBS Page 23 e 28

-- ~~

FC/EOP/01 R1 09-17-S5

- _ _ _ _ _ _ _ . __ l

• O i

ATTACHMENT 4 LICENSEE PRESENTATION MATERIAL $

1

D EFINITION OF SPDS

1. - SPDS DESIGNED TO PROVIDE A CONCISE DISPLAY OF CRITICAL PLANT VARIABLES TO THE CONTROL ROOM OPERATORS /STA's TO AlD THEM IN RAPIDLY AND RELIABLY DETERMINING THE SAEETY STATUS OF THE PLANT.

e COMPUTERIZED MEANS OF PERFORMING THE SAFETY FUNCTION STATUS CHECKS OF THE EfW'2RGENCY OPERATING PROCEDURES.

ALL PARAMETERS REQUIRED BY THE SFSC's ARE CONTAINED WITHIN THE CORRESPONDING SAFETY FUNCTION OF THE SPDS.

e 1 TOP LEVEL DISPLAY FOR NORMAL / ALERT / ALARM STATUS 7 MID LEVEL DISPLAYS CORRESPONDING TO EACH OF THE L SAFETY FUNCTIONS:-

(1) REACTIVITY CONTROL (2) MAINTENANCE OF VITAL AUXILIARIES l (3) RCS INVENTORY CONTROL (4) RCS PRESSURE CONTROL (5) CORE HEAT REMOVAL (6) RCS HEAT REMOVAL (7) CONTAINMENT EACH MID LEVEL DISPLAY CONTA'NS THE TOP i EVEL AND SAFEGUARDS ACTUATION (e.g. SIAS, CIAS, ETC.) ST ATUS e SUBSET OF ERF COMPUTER SYSTEM

< c P AR A M ETER S ELECTION PROCESS l l

e SPDS.REV. 00 INSTALLED AUGUST 1983 BASED ON THE PARAMETERS REQUIRED BY REV. 01 OF THE CE EMERGENCY PROCEDURES GUIDELINES AND GROUPED UNDER THE

(: NUREG-0737 SUPPLEMENT 1 ITEM 4.1.f CRITICAL SAFETY FUNCTIONS.

e SPDS REV. 01 DECLARED OPERATIONAL APRIL 30,1986 UTILIZED THE SEVEN EOP SAFETY FUNCTIONS. PARAMETER LIST REMAINED THE SAME EXCEPT:

(1) T-avg DELETED (2) CONTAINMENT TEMPERATURE DELETED (3) ADDITIONAL PARAMETERS ADDED e ALL PARAMETERS REQUIRED TO COMPLETE ANY EOP SFSC ARE CONTAINED ON CORRESPONDING SPDS SAFETY FUNCTION.

HUMAN FACTORS R EVIE W 124 HEDs IDENTIFIED 42 SPDS RELATED; 82 ERFCS RELATED BUT NOT SPDS RELATED 44 EVALUATED HEDs (DECEMBER 1986):

NUMBER DESCRIPTION  !

7 NO CHANGES TO BE MADE 14 CHANGES COMPLETED 3 SCHEDULED FOR 1988 REFUELING OUTAGE 20- SCHEDULED FOR 1990 REFUELING OUTAGE i I

)

I 80 REMAINING HEDs '

NUMBER DESCRIPTION 1

36 IDENTIFIED IN " DESCRIPTION" OF HED i AS REQUIRING NO CHANGE 12 NO CHANGE 1 18 CHANGES COMPLETED 5 IN PROGRESS 1 SCHEDULED FOR 1988 REFUELING OUTAGE 6 SCHEDULED FOR 1990 REFUELING OUTAGE 2 OSPDS - NOT PART OF SPDS I l

C O M P O SIT E ST ATU S O F E R FC S H E D s-NUMBER STATUS 32 CHANGES COMPLETE 36 IDENTIFIED IN " DESCRIPTION" OF HED' AS REQUIRING NO CHANGE 19 NO CHANGES TO BE MADE 5 IN PROGRESS (SCE) 4 SCHEDULED FOR 1988 REFUELING OUTAGE 26 SCHEDULED FOR 1990 REFUELING OUTAGE 2 OSPDS - NOT PART SPDS 124

STATUS OF SPDS HEDS NUMBER STATUS 41 RESOLVED 1 IN PROGRESS STATUS BREAKDOWN SOFTWARE 6 CHANGES COMPLETE 15 IDENTIFIED IN " DESCRIPTION" OF HED AS REQUIRING NO CHANGE.

6 NO CHANGES TO BE MADE HARDWARE 12 CHANGES COMPLETE 2 IDENTIFIED IN " DESCRIPTION" OF HED AS REQUIRING NO CHANGE 41

P R O'J E C T M I L E S T O N E S DATES ACTIVITY AUGUST 1983 SPDS INSTALLED (E.1.)

JUNE 1,1984 (ORIGINAL RELEASE OF) SPDS COMPLETION TEST. SYSTEM ON ~ 2 YEARS PRIOR TO BEING DECLARED OPERATIONAL.

APRIL 30,1986 REV. 01 OF SPDS DECLARED OPERATIONAL CONSISTENT WITH EOP SAFETY FUNCTION STATUS CHECKS.

MAY 18,1987 REY. 02 OF SPDS COMPLETE - CONSISTENT WITH NOVEMBER 28,1987 SER.

9

. _ _ _ _ . _ = - , _ . . _ _ - . . - . _ . . . _ _ . _ _ _ _ _ _ _ . _ _ . - _ - _ _ _ -

. I R ELI ABILITY e - STANDING ORDER 0-32B FOR TRACKING EQUIPMENT AND SYSTEM MAINTENANCE AND AVAILABILITY.

O AVAILABILITY (APRIL 30,1986 TO PRESENT) = 99.626% I l

l

.V E RI FI C A TIO N AN D V ALID ATIO N PROGRAM e COMPREHENSIVE FUNCTIONAL TEST CONDUCTED MARCH -

APRIL 1986. COMPLETED APRIL 5,1986 (MR-FC-81-87) e FUNCTIONAL CALIBRATION AND POINT CHECKS COMPLETED PRIOR TO V+V TESTING, e ALERT / ALARM SETPOINTS, COLOR CODES, AND SOFTWARE FUNCTION ALLY VALIDATED.

a_--________ . _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _