ML20245G779
| ML20245G779 | |
| Person / Time | |
|---|---|
| Site: | Pilgrim |
| Issue date: | 04/12/1989 |
| From: | SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY |
| To: | NRC |
| Shared Package | |
| ML20245G740 | List: |
| References | |
| CON-NRC-03-87-029, CON-NRC-3-87-29 SAIC-89-1119, TAC-M59329, NUDOCS 8905030230 | |
| Download: ML20245G779 (12) | |
Text
-,_-- _-_ _
s-j 4
\\
1 1
SAIC-89/1119 l
IN-PROGRESS AUDIT REPORT FOR l
BOSTON EDISON COMPANY'S PILGRIM NUCLEAR POWER STATION SAFETY PARAMETER DISPLAY SYSTEM TAC NO. M59329 l
4 i
April 12, 1989 1
1 l
Prepared for:
U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Contract NRC-03-87-029 Task Order No. 36
s if TABLE OF CONTENTS Section EASA
1.0 INTRODUCTION
I
2.0 BACKGROUND
I 3.0 EVALUATION....................................................
4 3.1 Concise Display of Critical Plant Variables to Control Room 4
Operators..................................................
3.2 Located Convenient to Control Room Operators...............
4 3.3 Continuous Display of Plant Safety Status Information......
5 3.4 Should Have a High Degree of Reliability...................
5 3.5 Suitably Isolated From Electrical and Electronic Interferences 6
With Safety Systems........................................
3.6 Designed Incorporating Accepted Human Engineering 6
P r i n c i pl e s.................................................
3.7 Minimum Information Displayed Should be Sufficient to Determine Safety Status With Respect to Five Functions.....
7 3.8 Procedures and Operator Training Addressing Actions With and Without SPDS...........................................
7 7
4.0 C ON C LU S I O N S.....................................................
8 REFERENCES...........................................................
i 1
l
r j
1 i
,f IN-PROGRESS AUDIT REPORT FOR BOSTON EDISON COMPANY'S PILGRIM NUCLEAR POWER STATION SAFETY PARAMETER DISPLAY SYSTEM i
1.0 INTRODUCTION
1 This report documents the findings of an In-Progress Audit performed by the Nuclear Regulatory Commission (NRC) of Boston Edison Company's Pilgrim Nuclear Power Station Safety Parameter Display System (SPDS).
The audit, conducted March 22 to March 23, 1989, was performed to determine the status of the SPDS with regard to the minimum requirements of NUREG-0737, Supplement 1 (Reference 1).
In addition, the NRC audit team reviewed the licensee's plan to make the SPDS fully operational by December,1989.
The audit team consisted of an NRC team leader, two additional NRC staff members, and a member of the Spanish Nuclear Regulatory Agency.
In addition, the NRC team leader was supported by two contractors from Science Applications International Corporation (SAIC) and a representative from SAIC's subcontractor, Comex Corporation. The team consisted of specialists in human factors engineering, instrumentation and control
- systems, and nucle'ar operations.
A list of audit meeting attendees is provided in the Attachment.
2.0 BACKGROUND
The principal purpose and function of the SPDS is to aid control room personnel, during abnormal and emergency conditions, in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid degradation of the core.
The SPDS can be particularly important during anticipated transients and the initial phase of an accident.
I
n 4
All holders of operating licenses must provide an SPDS in the control room of their plants. The NRC requirements for the SPDS are defined in
{
I NUREG-0737, Supplement 1.
NUREG-0737, Supplement I requires licensees and applicants to prepare a written Safety Analysis Report sufficient to assess the safety status of each identified function for a wide range of events, including symptoms of severe accidents.
Licensees and applicants must implementation plan for the SPDS that contains schedules for i
prepare an design, development, installation, and full operation of the SPDS as well as design verification and validation plan. The Safety Analysis Report and a
i the implementation plan are submitted to the NRC for staff review.
The results of the staff's review are published in a Safety Evaluation Report.
The SPDS requirements, as defined by NUREG-0737, Supplement 1, are:
1.
Should provide a concise display of critical plant variables to control room operators (NUREG-0737, Supplement 1, Paragraph 4.1.a) 2.
Should be located convenient to control room operators (NUREG-0737, Supplement 1, Paragraph 4.1.b) 3.
Should continuously display plant safety status information (NUREG-0737, Supplement 1, Paragraph 4.1.b) 4.
Should have a high degree of reliability (NUREG-0737, Supplement 1, Paragraph 4.1.b)
I 5.
Shall be suitably isolated from electrical or electronic interference with safety systems (NUREG-0737, Supplement 1,
Paragraph 4.1.b) 6.
Shall be designed incorporating accepted human factors engineering j
principles (NUREG-0737, Supplement 1 Paragraph 4.1.e) l 7.
Minimum information displayed shall be sufficient to determine j
plant safety status with respect to five safety functions (NUREG-0737, Supplement 1, Paragraph 4.1.f):
1.
Reactivity control I
ii.
Reactor core cooling and heat removal from the primary system 2
- ~
t 111. Reactor coolant system integrity iv. Radioactivity control
{
v.
Containment conditions l
f 8.
. Procedures and operator training addressing actions with and
^
without SPDS should be implemented (NUREG-0737, Supplement 1,
Paragraph 4.1.c)
Guidance for the acceptable implementation of the above requirements is provided by Appendix A to Section 18.2 of NUREG-0800 (Reference 2) and other documents cited therein, particularly NUREG-0700 (Reference 3).
In 1985, an NRC survey of six operating SPDSs was performed to sample the status and quality of SPDSs. The survey included onsite evaluations of licensee documentation and hardware, as well as interviews with operations personnel.
The survey findings including the descriptions of major deficiencies were identified in Inspection and Enforcement Information Notice No. 86-10, " Safety Parameter Display System Malfunctions," dated February 13, 1986 (Reference 4).
Boston Edison company submitted a Safety Analysis Report for the Pilgrim Nuclear Power Station SPDS on August 10, 1984. The NRC reviewed the licensee's Safety Analysis Report and identified several open issues in a Safety Evaluation Report issued on March 21, 1985.
Based on additional information from the licensee, the staff issued a Safety Evaluation Report on March 24, 1986 concluding that the conceptuhl design of the SPDS was acceptable.
The SPDS was purchased from the General Electric Corporation and was installed in the Pilgrim Nuclear Power Station in 1987.
The construction phase was complete at the time of the audit, and the licensee was in the process of conducting the operational turnover phase. The licensee's schedule for data validation completion and fully operational SPDS was December, 1989.
3
3.0 EVALUATION The NRC audit team evaluated the SPDS against the eight NUREG 0737, Supplement I requirements. The audit findings are presented below.
3.1 foncise disolav of critical clant variables to control room operators The ' evaluation of the concise display criterion included a review of physical location of displayed information and technical information organization within the display screens. Both physical display grouping and technical information organization were needed to judge the display concise.
The Pilgrim SPDS did have the necessary information about the five critical safety functions identified in NUREG-0737, Supplement 1.
- However, the SPDS had two basic problems.
First, the licensee did not identify who within the control room staff will be the primary user of the SPDS. This presents a problem because there are four cathode ray tubes (CRTs) in the control room that may be used for
Second, the licensee did not identify how the SPDS will be used in conjunction with the Emergency and Plant Information Computer (EPIC) system.
The. problem is that the SPDS, which is a subset of EPIC, may not be l
disp 1'ayed continuously and therefore would not be concise.
The licensee should identify the display CRTs that will be used for the SPDS and determine how the SPDS will be used in conjunction with EPIC.
3.2 Located convenient to control room operators There are four CRTs in the Pilgrim Nuclear Power Station control room.
Two CRTs are located on the nuclear operations supervisor desk and two are swivel mounted on the reactor operator desk near the control panels.
The audit team could not determine if the SPDS locations were convenient because the licensee had not identified who within the control room operating staff would use the SPDS.
4 i
L__
4 d
l l
.In order to address the issue of convenient SPDS location, the licensee should:
identify who the user (s) will be 1.
Nuclear operations supervisor 2.
Watch engineer ensure that the SPO.c CRTs are convenient to the user (s) during abnormal and emerger.cy operations by identifying how the user (s) will implement the SPDS.
3.3 Continuous disclav of clant safety status information The Pilgrim SPDS consists of thirty five display pages including the menu display.
The five critical safety functions are displayed on a top level page. When the lower level detailed screens were displayed, it was l
not clear if the overview of the top level critical safety functions was maintained. The licensee had no process for continuously displaying top level information about the five critical safety functions identified in i
)
NUREG-0737, Supplement 1.
In order to address the issue of continuous display of SPDS information, the licensee should:
identify the CRTs that will be dedicated to SPDS identify procedures for continuous display of top level SPDS information l
identify the method (s) used by the SPDS that will alert the user j
to adverse changes to top level safety functions while using the lower level displays.
3.4 Should have a hiah decree of reliability
)
In order for the SPDS to be judged reliable, it should have greater than 99% hardware and software availability. Since the Pilgrim SPDS was 5
L ;-[*
y still in the operational turnover phase, the system had not achieved 99%
reliability.
d In order to demonstrate that the SPDS has achieved greater than 99%
hardware and software reliability, the licensee should:
complete data validity testing complete system verification and validation testing complete software security processes l
complete operational availability testing.
j 3.5 Suitably isolated from electrical and electronic interference with safety systems The licensee's SPDS electrical and electronic fiber optic isolation system was evaluated previously by NRC and found to be acceptable.
3.6 Desianed incorooratina accented human enaineerina orincioles The Pilgrim SPDS was purchased from General Electric with very few plant specific modifications to the display content. The General Electric generic SPDS design, based on revision 2 of the Emergency Procedures Guidelines, was evaluated by NRC in 1984, and found to be acceptable.
Therefore, the basic SPDS should meet the' NUREG-0737, Supplement I
requirement for a system that incorporates human engineering principles.
However, the licensee plans to make a number of changes to the SPDS in order to make it consistent with new emergency procedures that are based on revision 4 of the General Electric Emergency Procedures Guidelines.
For example, the licensee plans to change the reactor vessel w;ter level indication ranges to a connon zero reference level, versus a variabl.e zero reference level.
Plant specific modifications such as this are not part of i
the generic system approved by hRC and should be subjected to a human engineering analysis by the licensee.
)
6
3.7 Minimum information disolaved should be sufficient to determine safety status with resoect to five functions The parameters selected by the licensee to monitor the five functions identifit; in NUREG-0737, Supplement I were previously reviewed by NRC and found to be acceptable in the March 21, 1985 Safety Evaluation Report.
- However, since 1985 the licensee eliminated the Source Range Monitor Scram function that had been used as a substitute for Source Range Monitor information by providirig a scram event status indication for SPDS.
The licensee should evaluate the need to add Source Range Monitor information to SPDS in order to cover the entire range of reactor power.
3.8 Procedures and operator trainina addressina actions with and without SPDS.
The audit team found that no formal SPDS training program had been developed.
Prior to declaring the SPDS operational, the licensee should:
develop and implement procedures for using the SPDS develop and implement specific training modules for SPDS users to operate the plant with and without SPDS.
4.0 CONCLUSION
S The NRC audit team conducted an in-progress audit of Boston Electric Company's Pilgrim Nuclear Power Station Safety Parameter Display System on March 22 and 23, 1989. The purpose of the audit was to determine the status of the SPDS with regard to the minimum requirements of NUREG-0737, Supplement 1.
In addition, the NRC audit team evaluatsd the licensee's plan to make the SPDS operational by December 1989.
It was the audit team's judgment that the licensee currently meets one of the eight NUREG-0737, Supplement 1 SPDS requirements.
This conclusion is due largely to the fact that the licensee was just beginning SPDS verification, validation, and testing. Once the testing is comp.ete, and corrections made, the system should meet the minimum requirements of NUREG-0737, Supplement 1.
7
p REFERENCES 1.
NUREG-0737, Supplement 1,
Requirements for Emergency
Response
Capability, Generic Letter 82-33, USNRC, December 17, 1982.
2.
NUREG-0800, Standard Review Plan of Safety Analysis Reports for Nuclear Power Plants, Section 18.2, Rev. O, Safety Parameter Display System (SPDS), Appendix A to SRP Section 18.2, USNRC, November 1984.
3.
NUREG-0700, Guidelines for Control Room Design Reviews,
- USNRC, September 1981.
4.
IE Information Notice No. 86-10:
Safety Parameter Display System Malfunctions, USNRC, February 13, 1986.
I 8
i
l' ATTACHMENT LIST OF SPDS MEETING ATTENDEES I
4 9
I l
(
1 l
i l
I
(
p
.g,-
i i
Robert McMahon Acting SPDS project manager Brian McLaughlin Electrical Engineer l
Siben dasgupta Control Systems Division Manager Charles Minott Former SPDS project manager John Fiumara Computer Division Manager Gene Bellefeuille Manager of Reactor Safety and Performance (lead technical. input for SPDS project) l James Bongarra NRC Richard Eckenrode NRC Richard Correia NRC i
Rafael Cid CSN Joseph DeBor-(SAIC) i Barbara Paramore (SAIC)
Gordon Bryan (Comex) l l
.