Text

_ - _ - - - - - - -

jd  ?

y. i

- NUREG-1057 Supplement No.-;6: -l Safety Evaluation Report related?to;the operstion of "

LBeaver Valley Power Statiori, Unit 2 Docket No. 50-412 Duquesne Light Company; et al.

]

U.S. Nuclear Regulatory Commission

' Office of Nuclear ' Reactor Regulation-August 1987 J

[enan'A kh.kIkbj. . . .

i

f. - ' '

il

________a_ __ ----ms-*_ - - - - - _ - - - - - - - - - - - - - -

u . . , , .,

Q ._ p

' - ,o }; g, ,. .t .

r,

. y; 9

. NOTICE L Availability of Reference Materials Cited in NRC Publications - r Most documents cited in NRC publications will be amiable from one of the following sources:

1.L The NRC Public Document Room,1717 H Street /N.W.t '

. Washington, DC 20555.

2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082;- >

Washington, DC 20013-7082 3.' The National Technical Information Service, Springfield, VA 22161' Although the listing that fo:!ows represents the majority of documents cited in NRC publications, .

- it is not intended to be exhaustive.

- Referenced documents available for inspection and. copying for a fee from the.NRC Public Docu.

ment Room !nclude NRC correspondence and internal NRC memoranda; NRC Office of Inspection L and Enforcem ot bulletins, circulars, information notices, inspection and investigation notices;:

' Licensee Event deports; vendor reports and correspondence; Commission papers; and applicant and -

licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO' Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents:available from the National Technical information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nucl ear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations,and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

S!ngle copies of N RC draft reports are available free, to the extent of supply, upon written request to the Division of Information Support Services, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NiiC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue,.Bethesda, Maryland, and are available there'for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the  !

American National Standards Institute,1430 Broadway, New York, NY 10018. j i

L- _ _ . _ _ _ _ _ _ _ _ _ _ .

1

.1 i

NUREG-1057 I Supplement No. 6

)

Safety Evaluation Report related to the operation of Beaver Valley Power Station, Unit 2 Docket No. 50-412 Duquesne Light Company, et al.

U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation

. August 1987

( %,,

.s.....

h> a' l

I l

ABSTRACT This report, Supplement No. 6 to the Safety Evaluation Report for the applica-

' tion filed by the Duquesne Light Company et al. (the licensee) for a license to operate the Beaver Valley Power Station, Unit 2 (Docket No. 50-412), has been prepared by the Office of Nuclear Reactor. Regulation of the U.S. Nuclear Regulatory Commission. This supplement reports the status of certain items that had not been resolved when the Safety Evaluation Report and its Supple-ments 1, 2, 3, 4, and 5 were published.

l l

4 i

l Beaver Valley 2 SSER 6 iii )

i TABLE OF CONTENTS l Page Abstract .............................................................. iii 1 INTRODUCTION AND GENERAL DISCUSSION ............................. 1-1 1.1 Introduction ....................... ....................... 1-1 3 DESIGN CRITERIA FOR STRUCTURES, SYSTEMS, AND COMPONENTS ......... 3-1 3.10 Seismic and Dynamic Qualification of Service Category I Mechanical and Electrical Equipment ........................ 3-1 3.10.1 Seismic and Dynamic Qualification of Electrical and Mechanical Equipment ............................ 3-1 3.10.2 Pump and Valve Operability Assurance ............... 3-4 4 REACTOR.................. ................ ...................... 4-1 4.3 Nuclear Design ............................................. 4-1 4.3.2 F uel Sys tem De s i gn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

7 INSTRUMENTATION AND CONTROLS .................................... 7-1 4 7.3 Engineered Safety Features Systems .... .................... 7-1 7.3.3 Specific Findings ................................... 7-1 7.5 Information Systems Important to Safety ................... 7-1 7.5.2 Specific Findings ................................... 7-1 9 AUXILIARY SYSTEMS ............................................... 9-1 1 9.5 Other Auxiliary Systems ............. ....................... 9-1 9.5.1 Fire Protection Program ............................ 9-1

> 1 l-11 RADI0 ACTIVE WASTE MANAGEMENT .......... ... ..... ....... .... . 11-1 !

1 11.4 Solid Waste Management System ........ .............. .. .. 11-1 1

)

I 11.4.2 Evaluation Findings ........................... . ... 11-1 13 CONDUC's 0F OPERATIONS ... ............... ................ .. ... 13-1 13.3 Emergency Planning . .......... .. ... ..... ............ 13-1 3 Beaver Valley 2 SSER 6 v

l 1

TABLE OF CONTENTS (Continued)

Page 13.3.1 Introduction ........... ............................ 13-1 13.3.5 Review of Offsite Emergency Preparedness ............ 13-1 15 ACCIDENT ANALYSIS ............................................... 15-1 15.8 Anticipated Transients Without Scram ....................... 15-1 18 HUMAN FACTORS ENGINEERING ....................................... 18-1 18.1 Detailed Control Room Design Review ............ ........... 18-1 18.1.1 Background .......................................... 18-1 18.1.2 Evaluation .......................................... 18-1 18.1.3 Conclusion .......................................... 18-3 18.2 Safety Parameter Display System ............................ 18-4 18.2.1 Background and Introduction ......................... 18-4 18.2.2 Evaluation .......... ............................... 18-5 18.2.3 Conclusion ................................. ........ 18-10 APPENDICES APPENDIX A CONTINUATION OF CHRONOLOGY OF NRC RADIOLOGICAL REVIEW OF BEAVER VALLEY POWER STATION, UNIT 2 APPENDIX E NRC STAFF CONTRIBUTORS AND CONSULTANTS APPENDIX P ERRATA APPENDIX S HUMAN FACTORS ENGINEERING DETAILED CONTROL P.00M DESIGN REVIEW SUPPLEMENTAL TECHNICAL EVALUATION REPORT FOR DUQUESNE LIGHT COMPANY, BEAVER VALLEY POWER STATION, UNIT 2 APPENDIX T TECHNICAL EVALUATION REPORT OF THE SAFETY PARAMETER DISPLAY SYSTEM FOR DUQUESNE LIGHT COMPANY, BEAVER VALLEY POWER STATION, UNIT 2 Beaver Valley 2 SSER 6 vi

_ ,_m_-. - - _ .-

3, , .. , .,

y  ;

o j g,' ,

j

{

(

3

,a ACRONYMS 4 '

ATWS ' anticipated transients without scram a i BVPS-1 Beaver Valley Power Station Unit 1 BVPS-2' Beaver Valley Power Station Unit 2 CSF critical safety functions

' DCRDR detailed control room design review DRMS digital radiation monitoring system

- DRPI digital. rod position indicating LERFCS emergency response facility computer system ESFAS. . engineered safety. feature actuation system y.. . FAT factory acceptance testing

- FEMA Federal Emergency Management Agency GL Generic Letter HEDL human engineering discrepancies' IEEE Institute of Electrical and Electronics Engineers MCF ~ . maximum credible fault MSIV main steam isolation valves OBE operating basis earthquake PCP process control program PSMS plant safety monitoring system SAT site acceptance testing S-D .Struthers-Dunn, Inc.

SER Safety Evaluation Report SPDS safety parameter display system SSE- safe chutdown earthquake SSER Supplemental Safety Evaluation Report SSR Supple:nental Summary Report TER Technical Evaluation Report TMI-2 Three Mile Island Unit 2 I V&V verification and validation l

o . Beaver Valley 2 SSER 6 vii l- ,

l'  !

W '

, , i fip ,

y. >

I e I 1 INTRODUCTION AND' GENERAL DISCUSSION a 7

'1.1 -

Introduction ,

- The' Nticlear Regulatory Commission (NRC), Safety Evaluation Report (NUREG-1057)

.(SER) on the' application of the Duquesne Light Company et al. (DLC or the ilicensee, for holder of low power license NPF-64) for a~ license to operate the Beaver Velley Power' Station Unit 2 (BVPS-2) was issued in October 1985. Supple-

.ments 1, 2, 3, 4, and 5 were issued in May, Augu=.t; and November 1986 and March and May 1987., respectively. . This is the sixth ind last supplement to the SER.

The purpose of this sixth Supplemental Safety Evaluation Report (SSER 6) is to revise the SER by providing the results of the staff's review of new informa-tion subsequently submitted by the applicant. Thi information provided in letters referenced in this SSER have been acceptably documented in amendments, up to No.18,~ to the Beaver Valley Unit 2 Final Safety Analysis Report (FSAR)

.  ; by-.the. licensee.

Each section or appendix of this SSER is designated and titled so that it cor-

-responds to the section or-appendix of the SER that has been affected by the i staff's additional evaluation. Except where specifically noted, the_SSER does not: replace the corresponding SER section or appendix. Appendic,r, 5 and T have been added. Appendix A is a continuation of the chronology of events, Lincluding correspondence, leading to the publication of this SSER. Appendix E tis a: list of the principal contributors to this SSER. Appendix P, " Errata,"

corrects errors'in the SER and in SSERs 1 through 5. No changes were made to the other appendices.

Tables 1.2, 1.3, 1.4, and 1.5, all corresponding to tables of the same numbers .

in the SER and previous supplements, provide summaries of che status of cpen, backfit, confirmatory, and license condition issues, respectively. If the

' s ts as of an issue has changed since issuance of the last supplement, details of tne change are documented in this supplement.

. Action items that resulted from the Three Mi'le Island Unit 2 (TMI-2) accident

.have'been addressed in the SER; Table 1.1 of the SER provided cross-references

. of various items to sections in the SER. THI-2 action items that were not

. fully closed out in the SER have been identified as open or confirmatory issues

'in the SER or its supplements. Closeout status of open or confirmatory TMI-2 issues may be obtained by reviewing Tables 1.2 and 1.4 of this supplement.

l

Action items.that resulted from the Salem anticipated-transients-without-scram j (ATWS) (NUREG-1000) avert have been addressed in various SER supplements.

i Closeout status of these items is presented in Section 15.8 of this supplement.

Those actions that have not been completed by the time of operating license issuance will be carried as operating reactor actions, and will be tracked by a' TAC number.

l Beaver Valley 2 SSER 6 1-1

)

h

l 1

Copies of this SSER are available for public inspection in the 11RC Public Docu-ment Rnom at 1717 H Street N.W., Washington, D.C., and at the B. F. Jones ,

Memorial Library, 663 Franklin Ave. , Aliquippa, Pa. Copies of this SSER are I also available for purchase from the sources indicated on the e,ide front J cover of this report.

The NRC Project Manager is Peter S. Tam. He was assisted by Messers. Roger Pedersen and Frank Orr, Project Engineers. Mr. Tam may be contacted by calling (301) 492-4837 or by writing to the following address:

Division of Reactor Projects I/II U.S. Nuclear Regulatory Commission Washington, D.C. 20555 This supplement is published concurrently with but separately from issuance of the full power license of Beaver Valley Unit 2.

Beaver Valley 2 SSER 6 1-2

1 Table 1.2 Open issues

. Issue Status SER section (1) Pre $ervice/inservicetestingprogram (a) PST Closed in SSER 3 3.9.6 (b) IST Closed in SSER 5 3.9.6 (2) Pump and valve leak testing Closed ir SSER 3 3.9.6 (3) Inadequate core cooling instruments- Closed in SSER 2 4.4.7 tion (Item II.F.0 of NUREG-0737)

(4) Preservice/ inservice inspection program (a) PSI Closed in SSER 5 5.2.4.3, 6.6.3 (b) ISI Closed in SSER S 5.2.4.3 6.6.3 (5) Safe and alternate shutdown Closed in SSER 5 9.5.1  !

(6) Management and organization Closed in SSER 5 3.1, 13.4, 13,5.1 (7) Cross-training program Closed in SSER 1 13.2.1.2 l l

(8) Emergency preparedness plan Closed in SSER 5 13.3.3 (9) Initial test program Closed in SSER 3 14 (10) Control room design review Closed in SSER 5 18.1 (11) Safety parameter display system Closed in SSER 5 18.2 l

l i

Beaver Valley 2 SSER 6 1-3

Table 1.3 Backfit issues Issue Status SER section (1) Snow and ice load C 2.3.1 (2) Underestimation of atmospheric dispersion C 2.3.4, 15.4.8 conditions (x/Q) at exclusion area boundary and consequences of radioactive release l (3) Potential for flooding from probable maximum C 2.4.2, 2.4.10 precipitation and Peggs Run (4) Steam generator level control and protection C2 7.3.3.12 (5) Motor-operated accumulator isolation valve C 8.3.1.12 (6) Spent fuel pool maximum heat load C 9.1. 3 j i

(7) Fire suppression in the cable spreading room C5 9. 5.1. 6  ;

(8) Class-1E power for lighting and communication C 9.5.2.1 systems (9) Application of GDC 5 to communication systems C 9.5.2.1 (10) Application of GDC 2 and 4 to communication C 9.5.2 systems 1

l (11) Application of GDC 4 to lighting systems C 9.5.3 (12) Illumination levels in excess of SRP criteria C 9.5.3 (13) Application of RG 1.26 to areas excluded by C 9.5.4-9.5.8 RG 1.26 (14) Air dryers for emergency diesel generator C 9.5.6 (15) Alarm for rocker arm lube oil reserve C 9.5.7 (16) Diesel lube oil fill procedure C 9.5.7 C - C1 ed in SER (October 1985).

C2 - Closed in SSER 2 (August 1986).

C5 - Closed in SSER 5 (May 1987).

i

l Table 1.4.. Confirmatory issues l

' Issue Status SER section (1) Operating procedures for continuv. Closed in SSER 3 2.2.2 communication links (2) Differential settlements of buried pipes Closed in SSER 5 2.5.4.3.3, 2.5.4.5 (3) Internally generated missiles (outside Closed in SSER 5 3.5.1.1 containment)

(4) Internally generated missiles (inside Closed in SSER 5 3.5.1.2 containment)

(5) Turbine missiles Closed in SSER 5 3.5.1.3 (6) Analysis of pipe-break protection Closed in SSER 5 3.6.1 outside containment (7) FSAR drawings of break locations Closed in SSER 5 3.6.2 (8) Results of jet impingement effects Closed in SSER 5 3.6.2 (9) Soil-structure interaction analysis Closed in SSER 1 3.7.3 (10) Design documentation of ASME Code Closed in SSER 2 3.9.3.1 components (11) Item II.D.1 of NUREG-0737, safety / Closed in SSER 5 3.9.3.2 relief valves (12) Seismic and dynamic qualification of Closed in SSER 5 3.10.1 mechanical and electrical equipment and 6 (SQRT)

(13) Pump and valve operability assurance Closed in SSER 5 3.10.2 (PVORT) and 6 (14) Environmental qualification of Closed in SSER 5 3.11 mechanical and electrical equipment (EQRT)

(15) Peak pellet design basis Closed in SSER 1 4.2.1 (16) Discrepancies in the FSAR Closed in SSER 1 4.2.2 (17) Rod bowing analysis Closed in SSER 1 4.2.3.1(6)

(18) Fuel rod internal pressure Closed in SSER 1 4.2.3.1(8)

(19) Predicted cladding collapse time Closed in SSER 1 4.2.3.2(2)

Beaver Valley 2 SSER 6 1- 5

Table 1.4 (Continued) i i

Issue Status SER section 1

(20) Use of the square-root-of-the-sum-of- Closed in SSER 1 4.2.3.3(4) j L

the-squares method for seismic and l

loss-of-coolant-accident load calculation (21) Analysis of combined loss of-coolant- Closed in SSER 5 4.2.3.3(4) accident and seiFinic loads (MULTIFLEX)

(22) Natural circulation test Closed in SSER 5 5.4.7.5 l

(23) Reactor coolant system high point vents Closed in SSER 3 5.4.12 '

(24) Blowdown mass and energy release Closed in SSER 5 6.2.1.3 analysis methodology (25) Containment sump 50% blockage assumption Closed in SSER 5 6.2.2 i

(26) Design modification of automatic reactor Closed in SSER.5 7.2.2.3 )'

trip using shunt coil trip attachment (27) Automatic opening of service water Closed in SSER 1 7.3.3.10 system valves M0V1130 and 113D (28) IE Bulletin 80-06 concerns Closed in SSER 6 7.3.3.13 l

(29) NUREG-0737, Item II.F.1, accident Closed in SSER 1 7.5.2.2 monitoring instrumentation positions (30) Bypass and inoperative status panel Closed in SSER 5 7.5.2.4.

(31) Revision of the FSAR--cold leg accumu- Closed in SSER 3 7.6.2.4 lator motor-operated valve position indication (32) Control system failure caused by Closed in SSER 5 7.7.2.3 malfunctions of common power source or instrument line (33) Confirmatory site visit (a) Independence of offsite power Closed in SSER 1 8.2.2.3 between the switchyard and Class 1E system (b) Confirmation of the protect ve Closad in SSER 1 8.3.1.2 bypass l

Beaver Valley 2 SSER 6 1-6

Table 1.4 ,(Continued)

Issue Status SER section (33) Confirmatory site visit (Continued)

(c) Verification of DG start and load Closed in SSER 1 8.3.1.8 bypass (d) DG load capability qualification Closed in SSER 1 8.3.1.9 test l (e) Margin qualification test Closed in SSER 1 8.3.1.10  !

(f) Electrical interconnection between Closed in SSER 1 8.3.1.13 ,

redundant Class IE buses (g) Verification of electiital Closed in SSER 1 8.3.3.5 independence between power supplies to controls in control room and remote locations (34) Voltage analysis--verification of test Closed in SSER 5 8.3.1.1 results (35) Documentation of description and analysis Closed in SSER 5 8.3.3.7.1 of compliance with GDC 50 (36) Completion of plant-specific core damage Closed in SSER 5 9.3.2.2 estimate procedure before fuel load (37) Training program for the operation and Closed in SSER 5 9.5.4.1 maintenance of the diesel generators (38) Vibration of instruments and controls on Closed in SSER 5 9.5.4.1 j diesel generator l (39) Surveillance of lube oil level in the Closed in SSER 2 9.5.7 diesel generator rocker arm lube oil reservoir (40) Solid waste process control program Closed in SSER 6 11.4.2 (41) TMI Action Plan items (a) III.D.1.1, postaccident reactor Closed in SSER 5 13.5.2 l coolant leakage outside containment (b) II.K.1.5 and II.K.1.10, IE Closed in SSER 5 15.9.2 Bulletins on measures to 15.9.3 mitigate small-break LOCAs and loss of feedwater

{

Beaver Valley 2 SSER 6 1-7

9 Table 1.4 (Continued)

Issue Status' SER section (41) TMI Action Plan items (continued)

(c) II.K 3.5, automatic reactor Closed in SSER 5 15.9.9 coolant pump trip during LOCA (d) II.K.3.17, report on ECCS outage Closed in SSER 5 15.9.11  ;

(e) II.K.3.31, compliance with Closed in SSER 3 15.9.14 10 CFR 50.46 (42) Plant-specific dropped rod analysis Closed in SSER 2 15.4.2 (43) Steam generator tube rupture Closed in SSER 5 15.6.3 (44) Quality assurance program Closed in SSER 1 17.4 (45) Cross-training of Unit 1 & 2 operators Closed in SSER 4 13.2.1.1 (46) Control room isolation on high radiation Closed in SSER 5 7.3.3.9 signal (47) Review of procedures generation package Closed in SSER 5 13.5.2 (48) Fire protection: Amendment 12 review and site visit (a) Amendment 12 review Closed in SSER 3 9.5.1 (b) Site visit Completed on 1/30/87 9.5.1 (c) Safety-related system Closed in SSER 5 9.5.1 fire-barrier deviations (49) Steam generator high-level trip as non- Closed in SSER S 7.3 protection system (50) Implementation letter of ICCI system Closed in SSER 5 4.4.7 (51) Superheated steam in valve house Closed in SSER 5 3.6.1 due to steamline break (52) Initial testing (a) Accumulator isolation valves Closed in SSER 5 14 (b) 50V, P0, IST tests Closed in SSER 5 14 +

Beaver Valley 2 SSER 6 1-8

l

)

l Table 1.4 (Continued) i l

Issue Status SER section (52) Initial' testing (continued)

(c) Plant performance after MSIV Closed in SSER 5 14 closure (d) Steam extraction system and Closed in SSER 5 14 process computer Table 1.5 Plant-specific license condition issues i License condition Status SER section (1) Emergency response capability, Deleted in SSER 5 7.5.2.1 1 RG 1.97, Rev. 2 (2) Fire protection Introduced in SSER 6; 9.5.1 full power license (3) Control room design review Introduced in SSER 6; 18.1 full power license (4) Safety parameter display system Introduced in SSER 6; 18.2 full power license (5) Inservice Inspection Introduced in SSER 5; 5.2.4.3 ]

full power license (6) Verification and validation Introduced in SSER 6; 7.5.2 of plant safety monitoring full power license system i

Beaver Valley 2 SSER 6 1-9

- -,.,---r---,,---.--,,,--,.,, - , , - - - - - , . - - - - - - - --- ,r--- - , - - - _ . - . - - - - - - - - - - . . - - -, -, .- , . - - -

.t I -

^

I I

I I

I

-l l

h

)

.a I

m .a,---._ _. - - - _ _ _ _ - . - - - - - ,- - - - - - -- - - - -- -

i l

l 3 DESIGN CRITERIA FOR STRUCTURES, SYSTEMS, AND COMPONENTS 3.10 Seismic and Dynamic Qualification of Service Category I Mechanical and Elec.trical Equipment 3.10.1 Seismic and Dynamic Qualification of Electrical and Mechanical Equipment 3.10.1.1 Discussion g As stated in SSER 4, the staff and its consultants from the Idaho National Engineering Laboratory (comprising the Seismic Qualification Review Team (SQRT))

conducted an onsite audit evaluation of the licensee's program for, seismic and dynamic qualification of safety-related electrical and mechanical equipment at Beaver Valley Unit 2 from September 30 through October 3, 1986. The onsite audit is performed by comparing as-built configuration to test and/or analysis ccafiguration to assure the validity of the modeling assumptions to qualify the equipment. The audit identified both generic and equipment-specific concerns relating to the qualification program. These concerns were discussed in SSER 4.

Subsequent to the audit, the licensee did further investigation through test and analysis. On the basis of the results of the investigation, responses to the issues of concern were pr.svided in letters dated February 23, April 16, May 11, and June 5, 1987. Resolution summary and status of the issues identi-fied in SSER 4 are presentej in the following sections.

3.10.1.3 Generic Items Issue of Model and/or Serial Number for Traceability In its letter dated April 16, 1987, the licensee stated that the marking system employed at Beaver Valley Power Station (BVPS), Unit 2, was similar to a system i successfully implemented on other plants, e.g., BVPS-1, Millstone, and Shoreham. I The licensee is convinced, based on its experience with BVPS-1, that the system works and does provide complete traceability to control, monitor, and assess status of the equipment. Based upon the successful implementation of this system in other plants and especially BVPS-1, the staff is convinced of the suitability of the licensee's marking system. The response is satisf actory, and this issue is closed.

Issue of Inadequate Clearance Between Cabinets and/or Panels The licensee indicated that a walkdown program of all safety-related components /

systems located in Category I safety areas was completed in November 1986.

This was intended to identify all cases where a 2-inch minimum clearance requirement was not met. Thirteen problem cases were identified at that time.

Based on subsequent analysis (calculation 12241 - NM(B)704), 8 out of the 13 were accepted as they were. The remaining five needed field modifi-cations. The modifications are now complete. However, panels mounted as close as physically possible to each other were not included in the above sur-vey. They were included in a subsequent survey which identified deficiencies associat.ed with 46 cabinets. These are being bolted on the sides to assure Beaver Valley 2 SSER 6 3-1 i

i sufficient rigidity to preclude serious impact loading. After a review of the program as summarized above, the staff concludes that the program, if carried.

out to its completion, would insure that the equipment not be subjected to disabling impact loadings. This is satisfactory, and the issue is closed.

Issue of Verification of As-Built Loads The licensee stated in its April 16, 1987 response that BVPS-2 successfully implemented and completed the as-built loads reconciliation program. This program included a review of all interface loads on mechanical equipment, e.g. ,

pumps, valves, heat exchangers, and strainers. The reconciliation ensured that the actual loads imposed were below the specified design-allowable loads. This is satisfactory, and the issue is closed.

Overall Completion of Qualification Program The latest response from the licensee indicated that the seismic and dynamic qualification program for the safety-related equipment is complete except for the equipment and system testing for the three main steam isolation valves (MSIVs). According to the licensee, however, criticality will not occur until the required testing is complete. Therefore, the staff concludes that the program is essentially complete and the issue is closed.

3.10.1.4 Equipment-Specific Issues (1) Issue on Analysis of Residual Heat Removal System Heat Exchanger (a) The calculated stresses, using Bijlaard technique, for the 24-inch nozzle-shell juncture were near the allowable limit. This analysis used an unrepresentative condition in that the nozzle was assumed I isolated from discontinuities on the vessel. In the latest response, however, the licensee has provided additional information including (1) a recalculation using appropriate loads and stress concentration factors, and (2) rationale indicating the conservatism of the Bijlaard technique for this particular case. The staff review of a summary of the recalculations confirmed the licensee's conclusion.

The stresses are within allowable limits and the use of the Bijlaard ,

technique is appropriate. This is satisfactory, and the issue is '

closed.

(b) The sizing basis and the supporting details have now been addressed. l The staff has reviewed a summary and found it acceptable. The ade-quacy of the weld is documented. The issue is closed.  !

(c) The licensee, in its latest response, indicated that a finite-element model (stick) was used to evaluate the stresses in the shell at the gusset connection in addition to the Bijlaard technique. However, the reconciliation program at BVPS-2 identified a concern with the stresses in the lower support lug. Westinghouse, in turn, modified the support gussets arrangement by adding two more gussets between the existing gussets which were 30 inches apart. This new design has inner gussets 16 inches apart, and the calculated stresses are well below the allowables. The changes have been implemented in the field. Based upon a review of a summary, the staff concludes that l

Beaver Valley 2 SSER 6 3-2

the new design is adequate. This is acceptable, and the issue is closed.

(2) Issues on Qualification of Alternate Shutdown Panel (a) The licensee indicated that the finite-element model was, subse-quently, authenticated by in-situ testing. The measured overall fundamental frequency was within reasonable range. The details are in the licensee's report 12241-65-AV3, dated December 1986. The report was not reviewed by the staff but the summary statement that the model predicted and the results from the in-situ tests were within tolerances were deemed adequate. This is sat i sfactory, and the issue is closed.

(b) According to the licensee, the internals are not required to be seis-mically qualified. The panel needs to operate only in a fire situa-tion as an alternate shutdown panel. As such, the internals are not categorized as seismic Category I items, and the staff concurs. Thus, the issue becomes irreleva.it.

(c) The issue regarding auditable link between the field item and docu-mencation is resolved as a result of resolution of the generic item (see Section 3.10.1.3).

(3) Issues of Anomalies and Change in Acceptance Criteria for Motor-0perated Damper The licensee's response indicates that, subsequent to the audit, the licensee and Stone & Webster Engineering Corporation reviewed the anomalies and their resolutions. Based on the review, it was concluded that the results met the plant-specific requirements. Some of the anomalies were resolved on the basis z of differe-L attributes (modified since testing had occurred). The staff re- l viewed a summary of the resolutions and discussed them with the licensee in a  !

conference call. The staff concludes that the licenee's response is acceptabie; the issue is closed.

(4) Issue of Low-Cycle Fatigue Effects on Electrical and Instrumentation Equipment The licensee's response dated April 16 and May 11, 1987, with respect to the fatigue issue was divided into two parts. The first part was related to items that were tested. The argument of test duration being adequate for the items in this category was reviewed and judged to be justified. The second part  ;

addressed the issue for the items that were analyzed for qualification. In  !

this case the argument based on stress allowables being 70% of the minimum yield for the operating basis earthquake (0BE) and lesser of 100% of minimum yield or 70% of the ultimate strength was not satisf actory. This argument l

dealt with generalities. No specific evaluation cf fatigue parameters for any l item in this category had been made. This was discussed with the licensee. I 1

According to the latest response dated June 5, 1987, the licensee has now estimated the significant number of stress cycles to be 900 for five OBEs and i

one safe shutdown earthquake (SSE). Using the ASME fatigue curves as an I accepted basis for low carbon steel, the licensee concludes that the design Beaver Valley 2 SSER 6 3-3 L_____-_--_______-________-________

basis for the analyzed support structures contain inherent margin for 900 sig-nificant cycles, which precludes any significant fatigue damage for the life of the plant. This is satisfactory, and the issue is closed.

3.10.1.5 Conclusion On the basis of the site audit and the review of subsequent submittals, the staff concludes that an appropriate seismic and dynamic qualification program has been defined and implemented. The seismic and dynamic qualification of the safety-related equipment at Beaver Valley Unit 2 meets the applicable portions of GDC 1, 2, 4, 14, and 30 of Appendix A to 10 CFR Part 50; Appendix B to 10 CFR Part 50; and Appendix A to 10 CFR Part 100.

l 3.10.2 Pump and Valve Operability Assurance '

3.10.2.3 Operability Issues In SSER 5 the staff reported the licensee's replacement of the Crosby main steam isolation valves (MSIVs) with valves manufactured by Atwood/Morrill. The staff stated that it would review the supporting documentation in order to verify the operability qualification of the MSIVs.

The staff has completed its review of the documentation which demonstrates .

qualification of the Atwood/Morrill MSIVs installed at Beaver Valley Unit 2. l Qualification is based on a combination of tests and analyses. The results meet the requirements of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code, 1979 Edition, and Institute of Electrical and Elec-tronics Engineers (IEEE) Standards 323-1974, 344-1975, and 382-1972.

Based on this review, the staff con:ludes that the licensee has adequately demon-strated qualification of these valves for operation at Beaver Valley Unit 2.

This issue is closed.

Beaver Valley 2 SSER 6 3-4

m a

4 REACTOR 4.3 Nuclear' Design 4.3.2 Fuel System Design 4.3.2.1' Power Distribution Supplement 5 (SSER 5) to the staff safety evaluation report for Beaver Valley l Unit 2 stated that an axial flux difference (AFD) of i 7% in Technical Specifi-cation 3.2.1, an Fqof 2.32 in Technical Specification 3.2.1, and an F 3 multi-p' lier of 0.3'in Technical Specification 3.2.3 were acceptable. The acceptabil-  !

ity was based in part on a May 22, 1987 telephone conference during which the licensee indicated to the staff that (a) safety analyses have been performed and i will be documented with all the above parameters as stated, and (b) the results are within regulatory limits. SSER 5 also stated that a final evaluation would be provided by the staff prior to issuance of a full power license. In a letter dated June 8, the licensee provided the needed information.

The licensee stated that the values of i 7% AFD (or AI) band 2.32 for F ,qand 0.3 for F AH were used in the safety analyses for Deaver Valley Unit 2. The li-censee's submittal also referenced a Westinghouse letter dated May 27, 1987 -l from J. N. Steinmetz to J. A. Kline in which Westinghouse confirmed that the i following parameters were used in the safety analysis for Cycle 1: +/- 7% AI band without axial power distribution monitoring system (APDMS) requirements, the 2.32 F loss-of-coolant-accident (LOCA) limit, and the 0.3 F multiplier. j q AH These analyses are provided in the FSAR. Since the analyses have been reviewed j '

and approved by the staff and the licensee has confirmed the use of the above values in the analyses, the Technical Specifications are acceptable. This com-pletes the staff's review of the issue. j l

l i

j i

l 1

l

( Beaver Valley 2 SSER 6 4-1 l

1 i

7 INSTRUMENTATION AND CONTROLS 7.3 Engineered Safety Features Systems 7.3.3 Specific Findings

)

7.3.3.13 IE Bulletin 80-06 Concerns IE Culletin 80-06 requested a review of all systems serving safety related func-tions to ensure that no device will change position solely because of the reset ,

of an engineered safety feature actuation system (ESFAS). In the SER the staff considered the subject issue resolved subject to confirmation of successful completion of the verification test required by the Bulletin. By letter dated

• July 10, 1987, the licensee stated that the verification tests have been com-pleted as part of the startup tests. This fully addresses the staff's concern, and confirmatory issue 28 is considered closed.

7.5 Information Systems Important to Safety i 7.5.2 Specific Findings The licensee is using a Class 1E computer-based digital display system (plant safety monitoring system (PSMS)) to display many of the RG 1.97 variables.

This information is provided to the operator via a plasma display in the control room. The staff has been requiring that a verification and validation (V&V) ,

program be performed on the development of all software used in Class 1E systems. i By letter dated Apr'l 30, 1987, the licensee stated that the PSMS is a Class IE design and was given the required degree of design review, factory testing, and site testing to ensure that it meets design function. No specific information was provided regarding a V&V plan for the PSMS Class 1E software components.

The BVPS-2 station control philosophy is that the operators will use the main ,

control board indication as the primary source of control infor'mation. The j licensee then identified the Category 1 and Category 2 Regulatory Guide (RG) 1.97 variables that are displayed on the PSMS.

Of the nine Category 1 variables displayed on the PSMS, all but two of the Cate- I gory 1 variables have diverse instrumentation that is either independent or i redundant from the PSMS and is available on the control room boards. One vari-able (neutron flux monitoring) has diverse indication that is available at a local cabinet. The second variable (core exit thermocouple) can be determined by an alternate method of measuring the voltage output of the thermocouple at the terminal screw inputs to the PSMS cabinet.

The staff finds that the design review, the redundant main control board indica-tors, and the procedures for alternate indication discussed by the licensee provide adequate assurance that sufficient accident mor.itoring instrumentation will be available to the operator over an interim period (approximately 6 months) of operation.

Beaver Valley 2 SSER 6 7-1  !

l I

i The licensee shall submit within 6 months after the date of the low power license a V&V plan which will be able to demonstrate the reliability of the PSMS software. The approved V&V plan t..ust be implemented before startup following j the first refueling outage. A license condition will be imposed, and this issue j will be tracked by licensing action TAC 64577. 1 I

i l

l Beaver Valley 2 SSER 6 7-2

r f1 l-l 9 AUXILIARY SYSTEMS i l

9.5 Other Auxiliary Systems  !

l 9.5.1 Fire Protection Program In SSER 5, the staff expressed concern regarding the adequacy of the fire alarm j system. A license condition was imposed in the low power license that directed 1 the licensee to develop and implement a test procedure to confirm the operabil- l ity of the' system on a periodic basis. By letters dated May 18, June 24, and j July 6, 1987, the licensee provided additional information on this issue.

Section 9.5.1.5 of this supplement includes an evaluation of this information.

By letters dated May 20 and 21, 1987, the licensee provided information regarding the anticipated schedule for completing all work associated with .

implementing.the approved fire protection program. The following four  !

features of the program were identified as being incomplete:

(1) The installation of fire-rated cable wraps for certain safe shutdown systems (2) Completion of fire damper acceptance tests (3) The installation of back draft dampers to relisve room overpressurization associated with CO2 fire suppression system discharge (4) The installation of an additional C0 2 system storage tank Pending completion of the above work, the licensee has committed to maintain j the existing fire protection features, which include fire detection systems and '

manual fire-fighting equipment, as well as implementing fire watch patrols in the affected areas. The licensee plans to complete work on the first two items l listed above before exceeding 5% power. A license condition will be imposed to i require the licensee to complete installation of the back draft dampers by {

September 30, 1987. i l

The additional carbon dioxide storage tank will fulfill a previous licensee commitment. The additional quantity of CO2 exceeds the staff guidelines delineated in BTP CMEB 9.5-1, which have been satisfied. The staff has deter- j mined that the proposed delay in implementation of additional tank capacity until December 31, 1987, is acceptable. Therefore, based on the existing fire protection features and the interim fire watch patrol, the staff concludes that the licensee's schedule for completing the fire protection program, as described ,

above, is acceptable.

I l

Beaver Valley 2 SSER 6 9-1 l I

9.5.1.5 Fire Detection and Suppression Fire Detection, In SSER 5, the staff expressed concern that a single break or ground fault condition'could render portions of the fire' alarm system inoperable. As a result, the low power license was conditioned to require the' licensee to iden-stify all electrically unsupervised fire alarm system circuits and to develop and implement a test procedure to confirm the operability of such circuits.

By letters dated May 18,. June 24, and July 6,1987, the' licensee provided addi-tional information on this issue. Circuits that are part of the fire alarm system consist of both' supervised and unsupervised types, as described in these

_ _l etters. Class A supervised circuits, such as those associated.with the early-warning smoke detection systems, will. function under a single break.or ground

-fault condition. These circuits conform with National Fire Protection Associa-tion ~(NFPA) Standard No.'72D and BTP CMEB 9.5-1 and are,.therefore, acceptable.

Class.B supervised circuits, such as those associated with the heat' detectors-for the water suppression systems, will annunciate a trouble alarm.if,a single break or ground! f ault condition ' occurs. The licensee will then declare the system inoperable and will implement a fire watch in accordance with the plant fire' protection procedures. 'This conforms ~with the above referenced guidelines and is, therefore, acceptable. The remaining fire alarm system circuits are unsupervised, However, where these circuits have separate and redundant counterparts, such as those from the information handling system annunciation (IHA) to the control room, or if the circuits are not required for system -

operation,Lsuch as a trouble signal circuit, a single break or' ground fault l will have no safety significance. Therefore, these types of unsupervised cir-cuits are acceptable. The remaining unsupervised circuits, including the fire ..

and discharge circuits for the water suppression systems from the local control  !

' panel to the'IHA cabinet, will be tested monthly to assure operability or will _1 be modified to include supervision. 1 On the basis of the above, the staff concludes that the licensee's response to this issue is acceptable.

9.5.1.7 Summary of Approved Deviations From BTP CMEB 9.5-1 The SER through Supplement 3 provides details on eight deviations from BTP CMEB 9.5-1. Based on the evaluations in the previous supplement (SSER 5), the staff concluded that additional deviations are acceptable as follows (numbered as a continuation of listing in the SER and SSER 3):

9. ' Structural steel fireproofing

10. Sealing of conduits and penetrations 11.- Ventilation penetration openings  :

12. Modified fire doors l

13. Transformer locations

14. Safe shutdown components

15. Safe shutdown circuitry

16. Continuous line-type heat detectors

17. Emergency lighting Hydrant spacing 18.

Beaver Valley 2 SSER 6 9-2

_--,-,,-_:.--.-----,--,-----,--,-,-----_--.----------------_----_-_-,-----,----_---_----------------,,---_-_.----_-.-----.--.------------------.---..-.------..-- -- .----.-----,-----.-J

19. Containment - separation of equipment

20. Cable spreading room - use of C02

21. Safety-related pumps

22. New fuel' area / spent fuel pool area

23. Radwaste and decontamination area See SSER 5 for details on deviations numbered 9 through 23.

l Beaver Valley 2 SSER 6 9-3

i 11 RADI0 ACTIVE WASTE MANAGEMENT 11.4 Solid Waste Management System 11.4.2 Evaluation Findings In the SER, the staff found the solid waste system acceptable but stated that the licensee should submit a solid waste process control program to the staff for review before initial reactor heatup.

By' letter dated June 9, 1987, the licensee submitted the BVPS-2 solid waste i process control program (PCP) and stated that the PCP will be contained as Chapter 18 of the Beaver Valley Unit 2 Operations Manual. The submittal ful- j tills the purpose of confirmatory issue 40 as reiterated above. Therefore, confirmatory issue 40 is considered closed.

l l

l l

1 l-i l

i Beaver Valley 2 SSER 6 11-1 1

i 13 CONDUCT OF OPERATIONS 13.3 Emergency Planning.

13.3.1 Introduction After reviewing the latest revisions of the emergency plan and procedures and the results of the exercise-on November 19, 1986, in SSER 5 the staff concluded that BVPS-2 onsite emergency preparedness meets the requirements of 10 CFR 50 i and Appendix E thereto for issuance of a license authorizing fuel loading and low power operation up to 5% of rated power.

Not addressed in SSER 5 was the Federal Emergency Mcnagement Agency (FEMA)'

evaluation of offsite emergency preparedness. FEMA's findings and the staff's overall finding are presented below. i 13.3.5 Review of Offsite Emergency Preparedness 13.3.5.1 FEMA Report on Offsite Preparedness FEMA Region III reviewed the offsite radiological emergency planning of the i Commonwealth of Pennsylvania and Beaver County, and the State of-West Virginia

~

and Hancock County, and'the exercises conducted to date. On May 29, 1987, FEMA issued an interim finding stating that there is reasonable assurance that off-site radiological emergency planning and preparedness in the Commonwealth of Pennsylvania and the State of West Virginia are adequate to protect the health and safety of the public in the event of a radiological emergency at BVPS-2.

On March 16, 1987, FEMA Region V provided an evaluation of the State of Ohio and Columbiana County plans for radiological emergencies related to the BVPS-2 .

and the results of the full participation exercise conducted on November 19, 1986. On the basis of this evaluation, FEMA, on June 5, 1987, issued a finding i that the Ohio State and local plans and preparedness for BVPS-2 are adequate to protect the health and safety of the public in that there is reasonable f assurance that the appropriate protective measures can be taken off site in the i event of a radiological emergency.

By letter dated June 11, 1987, the licensee provided a status report on  !

arrangements with offsite medical services in accordance with FEMA Guidance l Memorandum MS-1. The staff found the arrangements acceptable. J The staff has reviewed the FEMA findings un the state and local plans for Penn-sylvania, West Virginia, Ohio, and the three counties, and the results of the full participation exercise, and concurs with the FEMA findings on offsite  ;

emergency planning and preparedness for BVPS-2.

13.3.5.3 Conclusion On the basis of its review of the onsite emergency plan and procedures and the FEMA findings on offsite emergency planning and preparedness, the staff concludes Beaver Valley 2 SSER 6 13-1

that onsite and offsite emergency plans and preparedness provide reasonable assurance that adequate protective measures can and will be taken in the event of a radiological emergency at BVPS-2.

4 I

l 1

1 l

1 I

I I

l 1

1 l

l i

(

)

Beaver Valley 2 SSER 6 13-2 1

l l

l f

1 l

i 1

15. ACCIDENT ANALYSIS 15.8- Anticipated Transients Without Scram Status of Salem ATWS Event Issues On July 8, 1983, the NRC issued Generic Letter (GL) 83-28 as a result of the anticipated-transients-without-scram (ATWS) events at Salem Nuclear Generating Station. This letter addressed actions to be taken by licensees and applicants to ensure that a comprehensive program of preventive maintenance and surveil-lance testing is implemented for the reactor trip breakers in pressurized-water reactors.

The staff has completed its review of the bulk of the licensee's response to GL 83-28 and has documented its results in appendices to the SER. The follow-ing list serves to record completed staff reviews and to show where individual .

safety evaluations may be found: .I Item 1.1, Post-Trip Review (Appendix K, SSER 1) 1 Item 2.1, Equipment Classification and Vendor Interface (Reactor Trip System Components (Appendix L, SSER 2 and SSER 4)

Item 2.2.1, Equipment Classification Programs for All Safety-Related Components (Letter, August 10,1987)

Items 3.l.1 and 3.1.2, Post-Maintenance Testing Reactor Trip System

-Components (Appendix 0, SSER 4)

Items 3.1.3 and 3.2.3, Post-Maintenance Testing in Technical Specification That Could Degrade Safety (Appendix M, SSER 2) l 1

Items 3.2.1 and 3.2.2, Post-Maintenance Testing--All Other Safety-Related 1 Components (Appendix 0, SSER 4) 4 Items 4.1, Trip System Reliability (Appendix J, SSER 1)

Items 4.2.1 and 4.2.2, Preventive Maintenance Program for Reactor Trip Breakers--Maintenance and Trending (Appendix J, SSER 1)

Items 4.3, Shunt Trip Technical Specifications (incorporated in the Tech-nical Specifications)

Item 4.5.1, Reactor Trip System Reliability--System Functional Testing (Appendix 0. SSER 4)

Item 4.5.2, Reactor Trip System Reliability--On-line Testing (Appendix N, SSER 4) i The remaining issues of GL 83-28 are under review but their resolution is not a requirement for issuance of an operating license. These will continue to be tracked by licensing actions TAC 62950, 62951, 62952, 62955, and 62958.

I Beaver Valley 2 SSER 6 15-1 I

18 HUMAN FACTORS ENGINEERING 18.1 Detailed Control Room Design Review 18.1.1 Background In SSER 1, the staff stated that a site audit was performed on February 11 and >

12, 1986. The staff further stated that the licensee was conducting a detailed control room design review (DCRDR) that would generally meet the requirements of Supplement 1 to NUREG-0737, but that a supplemental summary report would be required from the licensee to close open issue 10.

As a result of the audit, the staff issued an interim evaluation of the DCRDR on July 28, 1986. The organization, process, and results of the BVPS-2 DCRDR l were compared with the requirements of Supplement 1 to NOREG-0737 and the guide- i lines in Section 18.1 of the Standard Review Plan (SRP). The staff concluded that the licensee had conducted a comprehensive DCRDR and had generally satisfied .

the requirements of Supplement 1 to NUREG-0737. The licensee had to complete certain items and to report their cc,mpletion in a supplemental summary report.

In respon;e to the staff's evaluation, the licensee submitted the DCRDR Supple- ,

mental Summary Report (SSR) on January 8, 1987. A Technical Evaluation Report (TER) on the SSR is enclosed as Appendix.S.

By letter dated April 30, 1987, the licensee submitted an amendment to the implementation schedule for several control room improvements, revised the ,

resolutions on several human engineering discrepancies (HEDs), and revised the schedule fcr completion of several incomplete surveys. ]

1 18 1.2 Evaluation i The staff evaluation of the BVPS-2 DCRDR is provided below. This evaluation is ,

based on all information available to date and is organized according to DCRDR  !

elements specified in Supplement 1 to NUREG-0737, i i

Establishment of a qualified multidisciplinary review team  !

1 The staff concludes that the licensee has established and used a qualified multidisciplinary review team that satisfies the requirement of Supplement 1 to NUREG-0737.

Function and task analysis to identify control room operator tasks and

_i_nformation and control requirements Review of the BVPS-2 Summary Report indicates that the licensee has successfully accomplished the system function and task analysis as required by Supplement 1 to NUREG-0737.

Beaver Valley 2 SSER 6 18-1 1

Comparison of display and control requirements with a control room inventory The staf f concludes that the licensee has successfully implemented the inventory process and has acceptably accomplished the comparison of control and display requirements with the inventory.

Control room survey to identify deviations from accepted human factors principles The licensee has generally accomplished the control room survey, based on Section 6 of NUREG-0700, in an adequate and systematic manner. However, several parts of the survey are in progress or are scheduled to be completed at a later date. These schedules are as follows:

Workspace to be initiated after installation of the control room partition Emergency Equipment to be initiated after installation of the control room partition Communications to be initiated after April 30, 1987 Heating, Ventilation, to be conducted when the HVAC system is in Air Conditioning (HVAC) normal operational mode Illumination (Lighting) to be conducted during or before the first refueling outage Ambient Noise to be conducted after beginning of commercial operation Implementation of resolutions to all HEDs resulting from these surveys will be accomplished before startup following the first refueling outage.

In addition, review of certain human factors criteria related to lighting and communications, but part of otherwise completed surveys, will be completed before startup following the first refueling outage (see Section 2.1.2 of Appendix S).

Section 4.0 of the SSR addresses specific HEDs identified during the NRC audit.

Section 2.1.2 of Appendix S discusses each HED and evaluates the licensee's resolution. The staff finds these resolutions acceptable except for item C, "No Lamp Test or Check Procedure."

The discussion on this item in Appendix S indicates that periodic surveillance l and maintenance procedures on single-filament, single-bulb, normally off indi-  ;

cator lights will be modified to require verification of bulb operability. It is the staff's position that periodic testing, even on a shift basis, is not adequate to ensure that bulbs will light when energized. The operator has no indication when a single-filament, single-bulb, normally off indicator light is burned out and, therefore, has no assurance that it is providing a proper indication.

Beaver Valley 2 SSER 6 18-2

i A survey of the BVPS-2 control room identified 19 of these single-filament, single-bulb indicator lights associated with safety-related equipment. Examina-tion of the use and conditions of operation for each light indicates that no serious safety condition results from the failure of any bulb. Therefore, the licensee's proposed testing methods and intervals, as described in its submittal on January 8,1987, are acceptable as an interim measure. However, the staff does consider the condition to be such that an acceptable corrective action or satisfactory justification for non-correction is required to resolve the issue.

The discussion on item D in Section 2.1.2 of Appendix 5 states that the licensee's justification for not clearly differentiating between lighted pushbuttons and light indicators does not adequately address the problem of selective identifi-cation. Therefore, this item will remain open until corrective action is proposed or a satisfactory justification based on behavioral / operational con-siderations is submitted.

Assessment of human engineering discrepancies The staff finds that, in general, the licensee's HED assessment process is satisfactory and, based on the onsite audit, agrees with most of the assessment results. Two exceptions, described in the interim report of July 28, 1986, are (1) lack of annunciator prioritization and (2) lack of targets on control switches at the alternate and emergency shutdown panels. Both items were addressed satisfactorily in the SSR, and the staff concludes that the licensee has satisfied this requirement of Supplement I to NUREG-0737.

Selection of design improvements At the time of the onsite audit, design improvements for the correction of a number of HEDs had not been sufficiently developed. The licensee's SSR pro-vided satisfactory resolutions to most of the HEDs, but information is still needed to resolve a few. The information required is described in Appendix S.

Verification that selected imarovemen+s will provide the necessary correction and Will not introduce new HEls The methodology used by the licensee to ensure that improvements correct HEDs

, without introducing new HEDs is acceptable to the staff. A description of the J involvement of Stone and Webster in 378 control room changes was provided in the SSR as requested. The staf f concluder that this requirement of Supplement 1 to NUREG-0737 has been satisfied.  ;

Coordination of DCRDR activities with other eme_rgency response capability programs l

l The licensee's DCRDR coordination effort with other emergency response capability programs appears to be well planned and implemented. The staff concludes that the licensee has satisfied this requirement of Supplement I to NUREG-0737.

18.1.3 Conclusion On the basis of its review of the BVPS-2 DCRDR Summary Report, a pre-implementation onsite audit in February 1986, and review of the licensee's SSR, the staff finds that the licensee has generally satisfied the requirements ,

Beaver Valley 2 SSER 6 18-3 3

l-of Supplement I to NUREG-0737. Several items, listed below and described in .

Appendix S, remain to be completed:

Surveys Workspace Emergency Equipment Communications HVAC Illumination (lighting)

Ambient Noise Partial Surveys Annunciators j Controls '

Displays  ;

Labels Computer Systems Re evaluate the resolution to the HED regarding single-filament, single-bulb indicator lights associated with safety equipment and propose an acceptable corrective action.

Provide additional justification; which addresses the reasons for not  ;

differentiating between lighted pushbuttons and indicators on the turbine '

control panel.

Address the HED-related issues and concerns summarized in Appendix S.

The above items must be completed and reported to the NRC prior to startup followi.ng the first refueling outage. A license condition will be imposed to ensure completion and reporting of these activities necessary to fully satisfy the DCRDR requirements of Supplement 1 to NUREG-0737. All remaining actions will be tracked by licensing action TAC 62879. i 18.2 Safety Parameter Display System  !

18.2.1 Background and Introduction All holders of-and applicants for operating licenses must provide a safety param-eter display system (SPDS) in the control rooms of their plants. The Commission's requirements for the SPDS are defined in Supplement 1 to NUREG-0737.

The stafi s original evaluation on the SPDS of BVPS-2 was transmitted to the licensee in December 1984. The evaluation was based on a review of the licensee's August 1, 1984 submittal. The evaluation concluded that the licenset had not provided sufficient information to allow the staff to complete its review. The licensee submitted information on December 20, 1985, along with a schedule that called for the SPDS to be operating 3 months before fuei load.

Further information was provided by submittals dated April 9 and June 16, 1986.

The staff conducted an onsite audit of the installed SPDS February 18 and 19, 1987. The purpose of the audit was to confirm that a verification and valida-tion (V&V) program was being correctly implemented, that the results of the licensee's testing demonstrated that the SPDS meets functional requirements, and that the SPDS exhibits good human engineering practice. However, Eeave. Valley 2 SSER 6 18-4

I determination if the SPDS is installed in accordance with the licensee's plan and if it functions properly can be made only after it is declared operational.

l The staff's preliminary eraluation of the SPDS to accommodate the low power J licensing schedule was published in SSER 5. ]

18.2.2 Evaluation The results of the detailed evaluation of the BVPS-2 SPDS are summarized below, and a TER on the SPDS is included as Appendix T.

18.2.2.1 Verification and Validation Program Although Supplement 1 to NUREG-0737 does not specifically require V&V of the SPDS, a V&V program performed during design, installation, and implementation facilitates tt.e staff review of the system. Knowledge that an effective V&V program is being conducted can reduce the scope and detail of the technical audit required by the staff to assess the design. SRP Section 18.2 contains criteria and recommendations for an effective VLV program.

(1) System Requirements Review The BVPS-2 SPDS implements certain major features of the generic Westing-house iconic design. As part of the review of the generic design, the staff found that the Westinghouse design verification process included a satisfactory system requirements review. Thus, the BVPS-2 SPDS design process follows the recommendation to conduct a system requirements review.

(2) T'esign Verification Review The BVPS-2 SPDS is one function of the emergency response facility computer system (ERFCS). The SPDS receives data from the plant safety monitoring system (PSMS), the digital rod position indicating (DRPI) system, and the digital radiation monitoring system (DRMS).

The ERFCS hardware was assembled from proven components. Therefore, formal design verification was not conducted on each component. The vendor did review the hardware system design to verify that it supports the SPDS requirements. The licensee intends to perform site acceptance tests on all components not yet installed. The SPDS software was reviewed on a modular basis by vendor programmers independent of the development process.

Acceptance of each nodule was documented, and the documentation was audited l during the onsite rev!ew.

Verification and validation of the PSMS is being conducted by Westinghouse on a generic basis. Once the V&V is complete, the licensee will apply the program to the BVPS-2 plant-specific PSMS. The licensee has indicated that verification testing of the DRMS had been conducted by the system vendor.

With r espect to the SPDS functions of ERFCS, the BVPS-2 V&V process satisfies the intent of the recommendation to conduct an effective V&V program. The V&V activities for the PSMS are addressed separately in Beaver Valley 2 SSER 6 18-5

(

Section.7.5.2 of this report.' The process and.results of the DRMS V&V' program should be. reported for staff review.

(3) Validation Testing Factory acceptance testing'(FAT) of the integrated hardware / software ERFCS was conducted by Westinghouse based on'a validation procedure.used to test-the Westinghouse generic SPDS. PSMS and DRMS inputs were simulated. After installation, site acceptance testing (SAT).was conducted by the licensee.

Significant discrepancies were corrected and retesting was conducted.

Man-in-the-loop testing.of the generic SPDS design was conducted by- ,

i Westinghouse. The licensee does not plan plant-specific testing.to validate the BVPS-2 SPDS in the context of the control room and. operator

~

training.

l With respect.to integrated hardware and software s'ystem' testing, the l licensee's validation efforts satisfy the intent of the recommendations of l SRP Section 18.2. Integration of the SPDS functions of the PSMS, DRMS, and l- DPRI still need to be validated.

The man-in-the-loop testing conducted by Wcstingnouse demonstrated the effectiveness of the generic design as.an operator aid. However, because the licensee has not yet included SPDS in its operations philosophy, the applicability of the Westinghouse testing is in question. The licensee must conduct man-in-the-loop testing to validate the usefulness of SPDS once an acceptable philosophy for SPDS use has been established and operators are trained in this philosophy.

(4) Field Verification Tests The verification test program for BVPS-2 SPDS is in progress. Value I accuracy of inputs and proper display location on SPDS have been verified.

This field verification program will satisfy the intent of the recommenda-

, tions of SRP Section 18.2.

18.2.2.2 Assessment of SPDS Design The following paragraphs address the SPDS design requirements, as given in SRP Section 18.2 (1)' "The SPDS Should Provide A Concise Display...."

The top-level displays (narrow- and wide-range iconics) present plant parameters needed to assess the critical safety functions in a concise manner.- The narrow-range iconic contains parameters important during nor- j mal operations. The wide-range iconic, which appears automatically on reactor trip, contains those parameters important after reactor trip.

Distortion of the octagonal pattern on the iconic, as well as color coding and reverse video display of parameter values, provides a concise display of critical / abnormal plant conditions.

i o I Beaver Valley 2 SSER 6 18-6

(2) "The SPDS (shall be) located Convenient To The Control Room Operators" The BVPS-2 SPDS terminal, located on.the reactor operator's console, is convenient'to the control room operators. However, operators. interviewed during the onsite audit indicated-that the SPDS terminal mounted in the control room vertical. panels (as in BVPS-1) would significantly improve SPDS.usefulness because they prefer to analyze instrument readings and-detailed SPDS data together. As discussed previously,- the licensee has not yet established. its operations philosophy.for SPDS. Location of the terminal in the control room is directly related to this philosophy and should be reconsidered once an acceptable philosophy is established, This issue remains open.

(3) "The SPDS Shall Continuously Display'I. wrmation From Which The Safety Status of the Plant...Can be Assessed...."

The BVPS-2 top-level display formats that provide an overview of plant safety status-are continuously available but are not necessarily con-tinuously displayed. Because more than 40 lower-level formats can.be accessed, the requirement for a continuous display of plant safety is not-satisfied. In addition, the designated SPDS terminal at the reactor operator's desk is also designated as a backup for ERFCS, resulting in another potential breech of the continuous display requirement of plant safety status.

(4) "The SPDS Should... Aid Them (operators) in Rapidly and Reliably Deter-mining the Safety Status of the Plant" The staff considers the components of the " rapidly" requirement to include data update rate, display refresh rate, and system response time to operator interaction. Except for radiation monitoring,-parameter values displayed by SPDS are updated every two seconds. Radiation monitoring data updates occur once a minute. Response time to operator requests has been specified by the licensee as less than 5 seconds. At the onsite audit, actual response time appeared to be consistently less than 3 seconds, under con- ,

ditions of low system load. The licensee plans to conduct response time l I testing under extreme system loading to confirm that requirements are met.

L The components of " reliably" are considered to include data validity and system security and availability.. With regard to data validity, the BVPS-2 )

process includes range checking of data inputs and interchannel comparison of good inputs based upon expected. instrument accuracy. The staff finds-these to be acceptable methods of data validity checking. However, during the onsite audit, the staff found that when one of a number of sensor inputs is labeled bad (indicated by magenta "X"s), the remaining inputs of that group are labeled poor (magenta data value with a "P" flag). Data other than bad may be the best indicator of the parameter status available to the SPDS user. However, during the audit, operators indicated that they ignore any data displayeo in magents. Thus, the color convention may not be helping operators to determine plant safety status.

The licensee verified that all instrument inputs were correctly converted  !

into engineering data, that instrument calibration procedures were verified, j and that data outputs were displayed correctly on SPDS. The staff finds l Beaver Valley 2 SSER 6 18-7

, these acceptable and recommends that verification of SPDS readings be included'in periodic instrument calibration procedures.

Data base changes are keylocked functions with keys under shift supervisor control. Programming changes can be made without access keys but require approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to accomplish since the source code tape must be loaded and changes' compiled. Currently, programming changes can be made from.the emergency operations facility, technical support center, computer The staff recommends that; programming change access room, or control room.

be-limited to the r.omputer room ana control room.

SPDS availability estimates are not yet complete. The SPDF functions accomplished by DRPI, PSMS, and DRMS must be included in these estimates.

(5) "The SPDS Shall Be Suitably Isolated from Electrical'or Electronic Inter-ference with Equipment and Sensors That Are In Use for Safety Systems" In order to satisfy the NRC requirements concerning the SPDS, the licensee.

provided a description and a safety analysis of the SPDS by letter-dated August 1, 1984. This report did not address the requirement that the SPDS must be isolated from equipment and sensors that are used in safety systems a to prevent electrical and electronic interference. 3 By letter dated December 20, 1985, the licensee provided additional infor- l mation. The staff hela i n phone conferences with the licensee on  ;

January 16 and April 29, 1986, which resulted in April 9 and June 16, 1986 i submittals, respectively. i l

The staff evaluation addresses the qualification and documentation of the l isolators used at BVPS-2 as acceptable interface devices between the l Class 1E safety related instrumentation systems and the SPDS. j The SPDS at BVPS-2 is implemented in the plant computer and is reported )

in the Westinghouse report WCAP-10170, Appendix C-51, Revision 1, which is  :

a plant-specific version of the generic Westinghouse SPDS key safety  ;

parameters. j The hardware design of the SPDS employs both analog and. digital electric j isolators. These isolators are located in a mild environment; therefore, l the environmental requirements of 10 CFR 50.49 do not apply. The seismic l qualification of the isolators are consistent with the seismic criteria that were the basis for plant licensing. The analog isolators are Westing-  !'

house 7300 Series isolation devices. The digital isolators, which are supplied by Struthers-Dunn, Inc. (S-D), are Series CX 3916 NE and CX 3918 NE isolators.  !

The Westinghouse 7300 isolators are addressed in WCAP-8892A, June 1977.

This report was reviewed and accepted by the staff in letters dated January 19 and April 20, 1977.

The S-D isolators are reed switch relays. Of the two isolators in use at the plant, only the CX 3916 NE was tested with the maximum credible fault (MCF).

Beaver Valley 2 SSER 6 18-8

An analysis of the'CX 3916 NE and CX 3918 NE reed relays shows that the only difference between them is that the.CX 3918 NE has two. reed switches wired in series. The materials used in both units and the environmental characteristics of both switches are the same. The method of construction for both units (the installation of two switches instead of one switch) is also essentially the same.

The units are rated at 120 V ac and 125 V dc. The MCF ac voltage was determined by assuming a fault of a 480-V system with a 10 percent margin.

This set the ac fault voltage at 528 V ac.' The ac fault current was selected at 2000 amperes. The MCF de-voltage and current were selected at 132 V:de and 500 amperes.

The pass / fail criteria state that there shall be no. damage to the unfaulted side of the unit under test and that the excitation current shall not increate more than 5 percent of maximum normal. The criteria also state that the unit must not break down during a subsequent Hi-Pot test.

Upon the application of the MCF voltage / current to three representative units, the reed switches in two units burned out. The inputs or coils were not damaged in any of the units. The three units also passed the subsequent Hi-Pot test.

Based on.the staff's review of the submittals on the S-D CX 3916 NE isola-tion devices and on the prior review and acceptance of WCAP-8892A, the staff concludes that the isolation devices used at BVPS-2 qualify as isola-tors and are acceptable for interfacing the SPDS with Class IE safety systems. The staff also concludes that this equipment meets the Commis-sion's requirements, as stated in Supplement I to NUREG-0737.

(6) "The SPOS Display Shall Be Designed to Incorporate Accepted Human Factors PrinciplesSoThatTheDisplayedInformationCanBeReadilyPerceivedAnd Comprehended By SPDS Users' In general, the BVPS-2 SPDS displays incorporate accepted human factors principles. However, the onsite audit did identify several human engi-neering discrepancies that must be addressed by the licensee. These are as follows:

a. The use of yellow to represent normal data or conditions is contrary to widely accepted human factors color-coding conventions and may be inconsistent with the control room color conventions,

b. Allowable limits of parameters are not indicated on trend and history plots. Thus, operators cannot perform margin monitoring (i.e. , deter-mine how far parameters are from alarm limits).

c. Trend and history plots appear to be too small to be readable.

d. One trend plot screen, 2TR2, displays two parameters on the same plot.

Lines representing values of each parameter are color-coded identically making discrimination difficult.

Beaver Valley 2 SSER 6 18-9

t. .

e. Function pushbuttons are 1ocated.in two groups, one on the keyboard J

and one in a vertical configuration on the display terminal. ' I nte r-action sequences'often require excessive operator hand and arm move-ment between both groups of.pushbuttons.-

f. Confusing and/or irrelevant prompts are frequently presented. For l example, prompt messages may list three response options. 'To.the L .right of these options,:a prompt.to PRESS EXECUTE is displayed. lThis last prompt indicates a response which produces no actions by the system.

g. Cursor movement via keyboard arrow keys is slow. The option of cursor.

movement.via joystick such as is provided on the BVPS-1 SPDS is generally faster and more efficient.

(7) "The SPDS Should... Display... Critical Plant Variables" With the exception of containment isolation valve status, which is not included on the BVPS-2 SPDS, the parameters displayed.are sufficient to provide operators with information.regarding the status of the five crit-ical' safety functions (CSF) identified in Supplement 1 to NUREG-0737.

The staff considers the presence or absence of containment isolation to be one important indicator of containment conditions. Th: licensee should add this parameter to its containment integrity CSF or provide satisfactory justification for not including containment isolation status on SPDS.

(8) " Procedures Which Describe The Timely and Correct Safety Status Assessment 'j When the SPDS'Is and Is Not Available Will Be Developed By The Licensee In 1 Parallel With The SPDS. Furthermore, Operators Should Be Trained To Respond To Accident Conditions Both With and Without The SPDS Available" i

The licensee considers the SPDS to be a useful tool to aid operators in assessing the plant safety 3tatus.. However, SPDS is not required to be used during emergency conditions nor is it even referemed in the Emergency j l Operating Procedures. The staff has identified three issues related to '

the training program:  !

i

a. The licensee has neither developed nor implemented a philosophy for '

utilization of SPDS. Currently, plant operators do not appear to  ;

understand the value of SPDS as a system.

b. The licensee has not identified a specific user of the SPDS. Con-sequently, the relationship between SPDS training and utilization of SPDS during abnormal plant conditions is unclear. ]

c. Operators should be trained to respond with and without the SPDS; however, the BVPS-2 training program does not address this requirement.

18.2.3 Conclusion The staff concludes that, with several exceptions, the BVPS-2 SPDS fulfills the requirements of Supplement 1 to NUREG-0737. The exceptions are listed in Section 18.2.2 and are described in further detail in Appendix T. Because no Beaver Valley 2 SSER 6 18-10 I

l l

l serious safety concerns were identified with the existing system, the staff finds the BVPS-2 SPDS acceptable for operation as an interim implementation.

A license condition will be imposed to ensure that the licensee completes the following activities necessary to fully satisfy the requirements of Supple-ment 1 to NUREG-0737:

(1) Perform the r,ecessary field verification tests, integrated system tests, l and man-in-the-loop tests to confirm that the system is correctly imple- l mented and is eseable.

(2) Develop and impleibent an acceptable operational philosophy for the use of SPDS and provide procedures and training to accomplish this implementation.

(3) Provide for a continuous display of plant safety status.

(4) Add containment isolation status to the containment integrity critical safety function.

(5) Based on the new operational philosophy and intended use of the SPDS by operators, reassess the human factors aspects of: (a) the location of SPDS in the control room, (b) display coding conventions for poor data and the use of color, (c) trend and history plots, (d) SPDS control types and location, and (e) the use of prompts.

(6) Provide estimates of SPDS availability when assessment is completed.

These remaining issues will be tracked by licensing action TAC 62880.

l 1

Beaver Valley 2 SSER 6 18-11

~  ;

APPENDIX A CONTINUATION OF CHRONOLOGY OF NRC RADIOLOGICAL REVIEW 0F BEAVER VALLEY POWER STATION, UNIT 2 May 28,.1987 Letter to licensee-transmitting. Supplement No. 5 of the SER.

May 28, 1987 Letter to licensee transmitting the low power (5%) operating license, NPF-64.

May 29, 1987' Letter-to licensee requesting additional information on off-site medical services for emergency preparedness.

June 4, 1987 Letter to licensee requesting additional information on-plant safety monitoring system (PSMS).

June 4,.1987 Letter to licensee informing of minor. discrepancies between the FSAR and the Technical Specifications.

June 5, 1987 Letter from licensee providing additional . information on questions raised by the Seismic Qualification Review Team.

June 8, 1987 Letter from licensee providing information on several parameters related to the peaking factor.

June 9, 1987 Letter from licensee submitting the BVPS-E Solid Waste Process Control Program (PCP).

June 9, 1987 Letter from licensee submitting the BVPS-2 Offsite Dose Calculation Manual.

June 10, 1987 Letter to licensee transmitting corrected pages to the Technical Specifications.  ;

June 11, 1987 Letter to licensee transmitting bound copies of SSER 5.

June 11, 1987 Letter from licensee responding to the staff's letter of May 29, 1987, on medical services for offsite emergency preparedness.

June 22, 1987 Letter from licensee transmitting FSAR Amendment 18.

June 23, 1987 Letter from licensee providing additional comments on the l

SER.

i' June 23, 1987 Letter from licensee confirming completion of accumulator isolation valve test.

June 24, 1987 Letter from licensee providing comments on the low power license.

Beaver Valley 2 SSER 6 1 Appendix A  ;

1

June 24, 1987 Letter from licensee transmitting drawings for preservice inspection (PSI) review.

June 29,.1987 Letter from: licensee transmitting information on Power Ascension Operational Self Assessment Program.

June 30, 1987 Letter from licensee informing of completion of all Regulatory Guide 1.75 modifications.

July 2, 1987  !.etter from licersee informing of completion of diesel generator instruments vibration test. (Confirmatory issue 38).

July 2,.1987 Letter to licensee granting relief from certain requirements

~

of 10 CFR 50.55a, inservice testing and preservice inspection.

July 6, 1987 Letter from licensee withdrawing request for schedular exemp-tion for steam generator high level median selector.

. July 6, 1987- Letter from licensee addressing fire protection supervisory circuits and other issues.

l July 6, 1987 Letter from licensee addressing technical specifications on l control room habitability.

July 8, 1987 Commission meeting on full power license.

. July 8, 1987 Letter to licensee requesting input to NRC Safety Issues Management System.

l- July 8, 1987 Letter from licensee addressing technical specification on control room habitability.

July 10, 1987 Letter from licensee stating that all tests required by I&E Bulletin 80-06 have been completed.

July 14, 1987 Letter from licensee informing of changes to FSAR Chapter 14, Initial Tests.

July 14, 1987 Letter to licensee informing of acceptability of Offsite Dose Calculations Manual (0DCM).

July 27, 1987 Letter from licensee transmitting signed Indemnity Agreement No. B-73, Amendment 10.

July 27, 1987 Letters from licensee requesting relief from certain preser-July 28, 1987' vice inspection requirements.

July 31, 1987 July 28, 1987 Letter from licensee informing of completion of containment instrument air design verification.

July 31 to August 7, 1987 Staff inspection of licensee's low power operation.

Beaver Valley 2 SSER 6 2 Appendix A

August 6, 1987 Letter from licensee requesting full power license be issued s-oon after August 7, 1987.

August 10, 1987 Letter to licensee transmitting safety evaluation on item 2.2.1 of NUREG-1000 (Salem ATWS events).

August 13, 1987 Commission meeting to vote on approval to issue full power license.

l Beaver Valley 2 SSER 6 3 Appendix A

APPENDIX E NRC STAFF CONTRIBUTORS AND CONSULTANTS Staff Reviewer Title

' Frederick Burrows Electrical Engineer Timothy Collins Section Leader Richard Eckenrode Human Factors Engineer Shou-Nien Hou Senior Mechanical Engineer Dennis Kubicki _ Fire Protection Engineer Armando Masciantonio Mechanical Engineer Jerry Mauck . Section Leader Gerald Simonds Emergency Preparedness Analyst Administration Shirley Norris Licensing Assistant Consultants Gary L. Johnson, Lawrence Livermore National Laboratory Jack W. Savage, Lawrence Livermore National Laboratory E. Eugene Schultz, Jr., Lawrence Livermore National Laboratory Technical Editor Jant Corley Beaver Valley 2 SSER 6 1 Appendix E

i l

APPENDIX P ERRATA Errors in the SER Page Location Comment 7-4 Section 7.3.2.2, Should read "...approximately first sentence of 628 seconds..."

second paragraph 11-8 Section 11.4.1, Should read "...and paper will third sentence of be compacted in the waste first paragraph compaction area."

Errors in SSER 5 Page Location Comment 1-5 Table 1.4 Confirmatory issue 11 should read " Item II.D.1 of NUREG-0737, safety / relief valves".

1-9 Table 1.5 Items (3), (4) and (6) should not be there at all.

14-1 First paragraph Should read ". . .the applicant addressing Section committed to the testing of safety 14.2.12.12.6 injection accumulator...."

14-2 Paragraph addressing Should read "the applicant Section 14.2.12.66.2 ....

i i

i l

Beaver Valley 2 SSER 6 1 Appendix P l

l 1

1 HUMAN FACTORS' ENGINEERING DETAILED CONTROL ROOM DESIGN REVIEW SUPPLEMENTAL ~ TECHNICAL EVALUATION REPORT FOR DUQUESNE LIGHT COMPANY BEAVER VALLEY POWER STATION UNIT 2 Jack W. Savage Lawrence Livermore National Laboratory April 8, 1987 Beaver Valley 2 SSER 6 Appendix S

_j

L <

i HUMAN FACTORS ENGINEERING DETAILED CONTROL ROOM DESIGN REVIEW f' SUPPLEMENTAL TECHNICAL EVALUATION REPORT l FOR DUQUE5NE LIGHT COMPANY BEAVER VALLEY POWER STATION UNIT 2 ,

i

1. BACKGROUND Licenstes and applicants for operating licenses shall conduct a Detailed Control Room Design Review (DCRDR). The objective is to " improve the ability -l of nuclear power plant control room operators to prevent accidents or cope with accidents if they occur by improving the information provided to them" (NUREG-0660, Item I.D.1.).2 The need to cpnduct a DCRDR was confirmed in NUREG-0737 and Supplement I to NUREG-0737.1 DCRDR requirements in Supplement  !

I to NUREG-0737 replaced those in earlier documents. Supplement 1 to ,

NUREG-0737 requires each applicant or licensee to conduct a DCRDR on a- t schedule negotiated with the Nuclear Regulatory Commission (NRC).

NUREG-07003 describes four phases of the DCRDR and provides applicants and licensees with guidelines for its conduct. The phases are:

1. Planning

2. Review

3. Assessment and Implementation

4. Reporting NUREG-0800 Section 18.15 provides additional guidance to be used in developing and evaluating DCRDR programs.

Supplement 1 to NUREG-0737 requires that the DCRDR include the following elements:

1. Establishment of a qualified multidisciplinary review team.

2. Function and task snalyses to identify control room operator tasks and information and control requirements during emergency operations. .'

3. A ccuparison of display and control requirements with a control room inventory.

4. A control room survey to identify deviations from accepted human 1 factors principles.

S. Assessment of human engineering discrepancies (HEDs) to determine which are significant and should be corrected.

6. Selection of design improvements.

7. Verification that selected design improvements will provide the necessary correction and do not introduce new HEDs.

8. Coordination of control-room improvements with changes from other programs such as the safegy parameter display system (SPDS), operator training, Reg. Guide 1.97 instrumentation, and upgraded emergency  ;

operating procedures (EOPs).

Licensees are expected to complete Element I during the DCRDR's planning '

phase, Elements 2 through 4 during the DCRDR's review phase, and Elements 5 i

DCRDRBVPS2:4/8/87 i Beaver Valley 2 SSER 6 1 Appendix 5 1

through 7 during the' DCRDR's assessment and implementation phase. Completion of Element 8 is expected to cut ecross the planning, review, and assessment and implementation pheses.

A sunnary report is to be submitted at the end of the DCRDR. As a minimum it shall:

1. Outline proposed control room changes.

2. Outline proposed schedules for implementation.

3. Provide summary justification for HEDs with safety significance to be left uncorrected or partially corrected.

The NRC staff evaluates the organization, process, and results of the DCRDR.

Results of the evaluation are documented in a Safety Evaluation Report (SER) published within two months after receipt of the Summary Report.

2. ASSESSMENT OF DCRDR ACTIVITIES Duquesne Light Company's (DLC) DCRDR Sunnary Report for the Beaver Valley Power Station Unit 2 was submitted on December I, 1985. The NRC staff, with assistance from Lawrence Livermore National Laboratory (LLNL) reviewed the Summary Report and conducted a preimplementation audit of the Beaver Valley Power Station DCRDR on February 11 and 12, 1986. Based upon this review, NRC  ;

concluded that DLC had satisfied most DCRDR requirements of Supplement 1 to l NUREG-0737. However, a few open items need to be addressed in a' Supplemental Summary Report. NRC has identified these open items in a Safety Evaluation Report (SER)8, The evaluation of the Beaver Valley Power Station Unit 2 DCRDR provided in this Supplemental Technical Evaluation Report (TER) is based on rgview of the NRC SER of July 7,1986 and the Supplemental Summary Report (SSR)V submitted by DLC on January 8, 1987. DLC has resolved most of the open items identified by NRC and thus has satisfied most of the requirements of Supplement 1 to NUREG-0737. The following is a list of the topic areas discussed in this Supplemental IER:

o Control Room Survey o Assessment of HEDs o Selection of Design Improvements o Verification Process for Determining that Design Improvements Provide the Necessary Correction and Do Not Introduce New HEDs These topics encompass all open items remaining from the Summary Report revi ew. The DLC responses to a number of open items, incomplete items and possible problem areas identified in the SSR are also discussed in this report. However, DLC will need to supply additional responses to some items which are identified in this report.

DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 2 Appendix S

l l

2.1 CONTROL ROOM SURVEY 2.1.1 Requirement Supplement I to NUREG-0737 requires that a control room survey be conducted to identify deviations from accepted human factors principles. NUREG-0700 ,

provides guidelines and criteria for conducting a control room survey. l 2.1.2 Discussion NRC's SER indicated that DLC has generally accomplished the control room L survey in an adequate and systematic manner. DLC, however, needed to resolve two open items for the control room survey to be completely acceptable.

o Complete survey items that had been deferred pending further progress of control room construction, o Address several specific human engineering deficiencies (HEDs) noted by the NRC Audit Team, but which did not appear to have been identified by the BVPS-2 DCRDR.

DLC's SSR indicated that most of the remaining control room survey tasks were compl eted. However, the following surveys are not complete due to Control Room (CR) construction status and operation status of the plant:

o Work space -

will be initiated prior to April 30, 1987 o Emergency Equipment - will be initiated prior to April 30, 1987 o Communications - will be initiated after April 30, 1987 o Heating, Ventilating, Air Conditioning (HVAC) - will be conducted when the HVAC system is in normal operational mode c Illumination (Lighting) - will be conducted prior to or during the first refueling outage o Ambient Noise - will be conducted post-commercial operation Furthermore, review of certain criteria in otherwise complete surveys has been deferred. These deferred surveys are:

DCRDRBVPS2:4/8/37 Beaver Valley 2 SSER 6 3 Appendix 5

i lL

Number of Open/

Unfinished

'SSR Section' Criteria- Connent 3.3' Annunciators 2 Will. complete .4/30/87 1

3.5 Displays ' 1 Completion deferred until prior to j or during the first refueling i outage - (lighting 's urvey)-

3.6 Labels 1 Comp 1etion deferred until -prior to. 4 or during the first refueling.  !

outage (lighting survey) 3.7. Computer System PCS 8 Completion deferred until prior.to or during the first refueling outage (lighting survey)

Computer System ERFCS/SPDS 6 Completion deferred until prior to ]

or durir.g the first refueling outage (lighting survey)

Computer System PSMS 6 Completion deferred until prior to or during the first refueling outage (lighting survey)

Computer System DRMS 17 Completion deferred until' prior to or during the first refueling outage (lighting survey) 3.9 Maintainability 1 Completion deferred until after 4/30/87 (communications survey)  !

PCS - Plant Computer System ERFCS/SPDS - Emergency Response Facility Computer System / Safety Parameter Display System PSMS - Plant Safety Monitoring System DRMS - Digital Radiation Monitoring System In some cases the deferrals were due to inability to access equipment due to the construction / operational status of the plant. In other cases, the deferral was dependent on the availability of special equipment.

In all cases, the emergency shutdown panel and the alternate shutdown panel are stated to be included in the surveys.

Section 4.0 of the SSR addresses the following specific HEDs identified in the NRC SER review:

DCRDRBVPS2:4/8/87 - Beaver Valley 2 SSER 6 4 Appendix 5

A. Meter Character Size A walkdown review using NUREG-0700 guidelines identified small letter scale plates for replacement. Larger letter scaleplates .(approximately 3/16" height) were determined to be acceptably legible if the scaleplate type and meter pointer were compatible. The review determined the correctness of each meter scaleplate. Replacements will be completed by 04/30/87. This is acceptable.

B. Control Display Integration The status lights and switches on the control board, Section C, will be rearranged by 04/30/87 to provide a logical progression of status lights.

This is acceptable.

C. No Lamp Test or Check Procedure All single filament, single bulb indicator lights were identified. Existing periodic surveillance and maintenance procedures will be modified to require verification of bulb operability for indicators associated with safety equipment. The longest planned test interval is 18 months. This is acceptable.

D. Lighted Push Buttons (PB) Cannot be Distinguished From Light Indicators (LI)

The stated justification for not clearly differentiating between PB and LI does not clearly address the problem of selective identification. It is recommended that this item be kept open until such justification is provided to the NRC for evaluation.

E. Lack of a System to Ensure Removed Annunciator Tiles will be Correctly Replaced i

Unique tile location identification labels will be installed by 04/30/87.

This is acceptable.

F. Lack of Coding Between Trips and Reset Switches for Safety Injection (SI),

Containment Isolation System (CIS), and Reactor Trip All switches have been enclosed with unique color coded demarcation. This is acceptable.

G. Inconsistent Nomenclature Between Meter Faces, Labels, and Steam Generator Instrumentation / Procedures Work requests were initiated to alleviate the incons stencies. This will be acceptable when the work is completed and suitably described to the NRC for evaluation.

OCRDRBVPS2:4/8/87 l Beaver Valley 2 SSER 6 5 Appendix 5 l

2.1.3 Conclusion -

'Once DLC completes the_ remaining control room surveys and survey items in the -

manner described in the Sunnery Report and Supplemental Sunnary Report, this requirement of Supplement I to NUREG-0737 will be acceptably addressed. The

.following remains _to be done:

o Completion of the control surveys and the specific survey criteria deferred to a later stage of plant construction, o Resolution of the nomenclature inconsistencies o . Submittal of satisfactory justification ~ for not providing. clear differentiation between pushbuttons and lighted indicators._

DLC should couplete these items and document completion for NRC review in a Supplemental Summary Report.

2.2 ASSESSMENT OF HEDS 2.2.1' Requirement j Supplement 1 to NUREG-0737 requires that HEDs be assessed to determine which ,

HEDs are significant and should be corrected.

2.2.2 Discussion NRC's DCRDR SER found DLC's assessment process acceptable. However, NRC ,

requested that DLC reassess two HEDs concerning annunciator prioritization and remote shutdown panel control switch targets. ,

The reassessment of annunciator prioritization suggested in the SER was executed and DLC decided that no change was needed because operators are trained to respond to all alarms on a 2-level-by-position code basis as follows: ,

o Panel A-5 reactor / turbine trips first-out panel - contains the highest priority alarms, o All other alarms on other panels are considered to be secondary priority.

The reassessment of lack of targets on the Emergency Shutdown Panel (ESP) and Alternate Shutdown Panel (ASP) control switches resulted in procedures being revised to remove reference to non-existent control switch targets on the ASP and ESP control switches.

2.2.3 Conclusion This requirement of Supplement 1 to NUREG-0737 has been met.

DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 6 Appendix S

1 2.3 SELECTION OF DESIGN IMPROVEMENTS 2.3.1 Requirement Supplement I to NUREG-0737 requires the selection of control room improvements that will correct significant HEDs. It also states that improvements that can !

be accomplished with an enhancement program should be done promptly.

'2.3.2 Discussion NRC previously found that DLC's process for selecting design improvements is acceptable.. There were, however, a few improvements for which DLC needed to provide more details about the planned corrective action.

The DLC Supplemental Summary Report (SSR) includes the following infonnation on corrective actions for complex problems:

A. . Hierarchical Labeling Attachment 4.1 to the SSR contains a short description of nameplate instructions and attachment 4.2 to the SSR is a colored bench board photo showing some hierarchical labels. However, the single example of a proposed device label to be applied "where possible" to vertical board sections does not constitute a complete and comprehensive statement of where labels will be applied or a description of a hierarchical labeling system. It is reconrnended that the NRC request an additional description in order that a valid evaluation can be made.

B. Functional Demarcation Attachment 4.1 to the SSR (Plant Identification Guidelines) indicates DLC plans to demarcate functionally related displays and controls using color coded demarcation lines. The color code meaning will be identified by a similarly color coded legend table. The single photo (attachment 4.2) supplied in the report illustrates an acceptable example of demarcation. The described functional demarcation scheme is acceptable.

C. Meter Banding i DLC plans to indicate normal 100 percent power operating ranges, alarm set )

points, automatic action set points, reactor trip limits, design limits and ]

technical specification limits on plant instrumentation. The planned meter l banding scheme is acceptable. I D. Tagout Process DLC has developed a tagout process that makes use of stickers in lieu of tags ,

in the control room. The use of stickers avoids concerns with tags obscuring important information. This process is acceptable.

DCRDRBVPS2:4/8/87 . Beaver Valley 2 SSER 6 7 Appendix 5

i E. Tracking of HEDs and Resolutions DLC addressed.the NRC review team finding of confusing, conflicting and inconsistent considerations and resolutions of HEDs between DLC management and j the DCRDR team by implementing a tracking system illustrated by Table 4.4 of l the SSR. HEDs previously categorized as "no change" were also reviewed, I

clarified, and resolutions summarized in Table 4.4 of the SSR. The table shows that the HED corrective actions summarized will all be implemented no later than 04/15/87.

A review of SSR Table 4.4 identified the following concerns:

HED Comment 2VA6-2010 Implemented, but verification should be completed.

2***-1105 2***-1107 Implemented, but verification date and schedule not entered, and l 2***-1108 description of corrective action should be made more specific. j 2***-1116 l 2BA4-2502 HED states "make same as Unit-1". Description states "no change

- same as BV-1". Conflict must be clarified, j 2***-2213 Shown in two places; Pg. 4-19 and Pg. 4-21. Page 4-19 2***-2220 reads, " Mark normal zones and set points on scales".

Verification states "CRISM SSR SEC4". Page 4-21 reads, " Revise set points to next most conservative readable value."

Verification states "No change." Conflict must be cicrified.

A review of HEDs included in the SSR identified the following concern: .

SSR HED Comment 2CIC-5225 Yellow is used for a different meaning on the SPDS than on the other CR displays and plant computers. DCL does not plan to correct this discrepancy, LLR'. recannends that DLC make modifications as needed to implement uniform use of color coding i or provide NRC with additional justifi, cation for not consistently applying color code conventions. ,

2.3.3 Conclusion DLC has acceptably addressed concerns B, C and D above. Attachment 4.1 of the SSR (Plant Identification Guidelines) cites NUREG-0700 and "BV-2 Control Room Design Review" as references. More information is needed to support a conclusion of this nature for items A and E above.

DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 8 Appendix S i __ . _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _

1. For Item A, DLC should provide a more complete description than is l contained in Attachment 4.1 of the SSR of the philosophy and human .

factors criteria to be used in implementing hierarchical labeling.

Specific items that should be included are:

o Replace the indefinite phrase "where possible" with definitive statements describing the extent and process of selection and installation of hierarchical labels on the control room panels.

o A description of how the DLC will use the guidelines of NUREG-0700 Chapter 6.6 (Labels and Location Aids) in regard to Ranking of major, minor, and component labels

- Letter size gradations

- Label placement and mounting  !

- Label orier tation and visibility

2. For Item E, DLC mus t document the completion of the HED correction, verification revitw, and resolve conflicts in the indicated corrective action as described above.

The additional description of the hierarchical labeling scheme end of the resolution of concerns with Item E above should be provided for NRC review in a Supplemental Sunrnary Report.

DLC should advise the NRC that it will use color coding in a uniform and consistent manner, or justify why it will not do so.

2.4 VERIFICATION THAT DESIGN IMPROVEMENTS PROVIDE NECESSARY CORRECTION AND DO NOT INTRODUCE NEW HEDs 2.4.1 Requirement ,

Supplement 1 to NUREG-0737 requires verification that selected design improvements will provide the necessary correction and will not introduce new HEDs into the control room.

2.4.2 Discussion The NRC SER found DLC's process for verifying design improvements is acceptable except that the process for verifying the human factors suitability of changes made since completion of DCRDR but before implementation of procedures that require human factors review of any control room changes had not been described.

I

! In response to the NRC pre-implementation audit concerns about the design I

change process, Section 2 of the SSR (Post CRDR change evaluation) describes the DLC/ Stone and Webster review between September 1984 and April 1986 of 378 i changes tc the CR main control board, emergency shutdown panel and alternate  !

shutdown panel. Ten HEDs were identified and sunrnarized in Table 2.1 of the 4 SSR. The assessment and description of the HEDs was conducted as described in l Section 5.0 of the SSR. l l

DCRDRBVPS2:4/8/87 )

I Beaver Valley 2 SSER 6 9 Appendix 5

)

2.4.3 Conclusion DLC has satisfactorily addressed this requirement of NUREG-0737, Supplement 1.

3.0

SUMMARY

Based upon our review of the Beaver Valley Power Station Supplementary Sumary i Report, we find DLC has generally satisfied the requirements of Supplement 1 1 to NUREG-0737. The following items remain to be completed, corrective actions  !

selected and implementations scheduled and addressed in a supple.nental sumary I report to be submitted on a schedule acceptable to the NRC.

3.1 Complete the following survey sections:

i o' Workspace o Emergency Equipment  :

o Communications o

o HVAC Illumination (Lighting) f o Ambient Noise 3.2 Complete the partially completed surveys summarized in Section 2.1.2 of this report:

o Annunciators ,

o Controls o Displays o labels o Computer Systems 3.3 Address the following items described in Section 2.1.2 of this report:

o Provide additional justification which addresses the reasons for not i differentiating between lighted push buttons and indicators on the Turbine Control Panel.

o Provide additional descriptions of what is being done to make the nomenclature consistent among meter faces, labels, and steam generator instrumentation / procedures.

3.4 Provide additional information as requested in Section 2.3.2 of this l report:

o Provide information that will allow the NRC to evaluate the acceptability of the proposed Hierarchical Labeling System.

o Address the HED related issues and concerns sumarized on page 8 of this report.

DCRDRBVPS2:4/8/37 Beaver Valley 2 SSER 6 10 Appendix S

l

)

l

4. REFERENCES

1. U.S. Nuclear Regulatory Comission, NUREG-0737, " Clarification of TMI Action Plan Requirements," November 1980 Supplement 1 December 1982.

2. U.S. Nuclear Regulatory Comission, NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident," October 1981. ,

3. U.S. Nuclear Regulatory Commission, NUREG-0700, " Guidelines fov Control Room Design Review," September 1981.

4. - U.S. Nuclear Regulatory Corrnission, Regulatory Guide 1.97, i

" Instrumentation for Light-Water Cocled Nuclear Power Plants to Assess

~ Plant and Environs During and Following an Accident," December 1980.

5. U.S. Nuclear Regulatory Comission, NUREG-0800, " Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants,"  !

Section 18.1, Control Room, Rev. O, September 1984. j i

6. DLC Beaver Valley Power Station Unit 2 Sumary Report, submitted December 2, 1985. ,

l

7. U.S. Nuclear Regulatory Commission, In-Progress Audit Report, dated August 23, 1984. )

l

8. U.S. Nuclear Regulatory Comission, " Safety Evaluation Report of Beaver

~

Valley- Station, Unit 2, Detailed Control Room Design Review,"

July 7, 1986.

9. Duquesne Light Company, " Detailed Control Roem Design Review - 1 Supplemental Sumary Report," January 8,1987.

I l

i i

DCRDRBVPS2:4/8/87 Beaver Valley 2 SSER 6 11 Appendix S

'4 r

/

TECHNICAL EVALUATION REPORT OF'THE

. SAFETY- PARAMETER DISPLAY SYSTEM FOR

'DUQUESNE LIGHT COMPANY-BEAVER VALLEY POWER STATION UNIT 2 APRIL 22, 1987

)

E. Eugene Schultz, Jr.

Gary L. Johnson-Lawrence Livermore National Laboratory For The United States Nuclear Regulatory Comission Beaver-Valley 2 SSER 6 Appendix T

L-i TECHNICAL EVALUATION REPORT l SAFETY PARAMETER DISPLAY SYSTEM  ;

DUQUESNE~ LIGHT COMPANY ";

BEAVER VALLEY POWER STATION, UNIT 2 i

,i

1. BACKGROUND'

~ NUREG-0660 [1] identified the need for power reactor licensees and applicants

-for operating licenses to provide a Safety Parameter Display System (SPDS) that will display to operating personnel a minimum set of ' parameters which

-define the safety status of the plant. This need was confirmed by NRC in NUREG-0737 [2] and Supplement I to NUREG-0737 [3]. SPDS requirements in Supplement 1 to NUREG-0737 replaced those in earlier documents. q Included in Supplement 1~ to NUREG-0737 is the requirement that the licensee or l applicant ^ prepare a written safety analysis' for the SPDS and provide this

.j analysis along with the plant-specific SPDS implementation plan for NRC j review. Criteria for evaluating Safety Parameter Display Systems are 1 contained in Section 18.2 of NUREG-0800 [4), the Standard Review Plan. These criteria address both the review of a specific SPDS design, and review of the {

app 11 cent's or licensee's verification and validation (V&V) program, including the program for SPDS design, development, and testing. Results of the NRC evaluation of a SPDS will be documented in a Safety Evaluation Report (SER) or SER Supplement.

This Technical-Evaluation Report provides Lawrence Livermore National Laboratory's (LLNLs) evaluation of the Beaver Valley Power Station, Unit 2 '.

(BVPS-2) SPDS with respect to the requirements of' Supplement 1 to NUREG-0737, for NRC's use in preparing a SER. This evaluation was based upon review of Duquesne Light Company's (DLC's) BVPS-2 SPDS Safety Analysis Report [6] and the results~ of an on-site audit conducted February 18 and 19,1987. The ,

onsite audit reviewed the BVPS-2 SPDS V&V program and operation of the SPDS. 1 Thus, the' audit specifically addressed the points of both a Design l Verification Audit and a Design Validation Audit, as described by Sec. 18.2 of NUREG-0800 -(4). The Audit Team was composed of one individual from the NRC and two individuals from LLNL, acting as consultants to the NRC.

2. SAFETY PARAMETER DISPLAY SYSTEM DESIGN OVERVIEW l The SPDS is a function of the BVPS-2 Emergency Response Facility Computer System (ERFCS).The SPDS receives data input from the Plant Safety Monitoring System (PSMS), the Digital Rod Position Indicating (DRPI) System, and Digital Radiation Monitoring System (DRMS), all of which must be operable for SPDS to be completely functional. The SPDS function is provided by a set of displays based on six critical safety functions (CSFs). These CSFs include reactivity control, reactor core cooling, heat removal in primary system, RCS integrity, radioactivity control, and containment integrity.

i l

BVPS2-SPD:4/22/87jak 1 Beaver Valley 2 SSER 6 1 Appendix T j i

1

SPDS users access functions primarily through use of pushbuttons. A few user interactions require' a combination of pushbutton press and keyboard entry.

There are four levels of hierarchically-arranged displays:

1. Top-level . displays, which show the status of key plant operating parameters in an octagonal pattern. DLC calls these top-level displays iconic displays.. This pattern is formed by diagonals emanating from a common origin. Each diagonal represents a key parameter. - The length of.

each diagonal represents the value.of that parameter normalized to the expected parameter values .under normal operating conditions. As.

parameter values change, the length of the. diagonal representing that parameter changes, so that the octagon becomes asynenetrical when one or more parameters deviate from the expected value. - Actual and reference values of each parameter are displayed next to each diagonal. There are two top-level displays: 1) a wide range or. " mitigate mode" . display, associated with parameters that are important after reactor trip, and 2) a narrow range or " terminate mode" display, associated with parameters  ;

important during normal operation. . l 1

2. Second-level. displays, which show overall plant status. Onefof the t'wo I' displays at this level is a graph of reactor cooling system pressure vs.

maximum core-exit thermocouple reading. The other shows important plant param;ters on a primary and secondary system piping and instrumentation ,

diagram.  !

l

3. Third-level displays, consisting of individual plant system displays. j Except for radiation monitoring, these displays show important '

parameters for each of several critical plant systems. Parameters are displayed on system piping and instrument diagrams. Radiation monitoring data are presented in alphanumeric format. l

4. Fourth-level displays, which depict individual analog sensor data within  !

each system in tabular format. l A menu-map display is also available. This map shows the relationship between l displays in the display hierarchy. Operators can use this display to determine i how to reach a desired display from any other display. Users may also directly access displays from this map by placing the cursor over the map  ;

location corresponding to the desired display, j i

In addition to the displays in the display hierarchy, several other types of displays are available: 3

1. " Point detail" displays, which contain detailed information about sensor j input for a selected parameter. These displays can be accessed through moving the cursor over displayed parameter values, then pressing the EXECUTE key on the keyboard. j

2. Trend displays for the key parameters depicted in top-level displays.

Each trend display depicts four plant parameter values over periods of BVPS2-SPD:4/22/87jak 2 l

Beaver Valley 2 SSER 6 2 Appendix i

l.

1 l 5- and 30-minutes from the present. Trend displays can be called  !

directly via pushbuttons, i l 3. Hiuory displays in the form of pre-trip and post-trip trend plots for j each parameter chosen for top-level displays, available to SPDS users  !

via pushbutton access.

4. Iconic replay displays, which show time history of iconic displays during 5- or 30-minute intervals before either pre-or post-trip periods, or both.

Parameter values are updated every two seconds, except for radiation data, which are updated every minute. Values which exceed upper- or lower-limits ,

are displayed in red, or in reverse-video red. Normal values are displayed in yellow. The option for users to enter and/or modify data base infonnation is provided.

3.0 ASSESSMENT OF THE VERIFICATION AND VALIDATION PROGRAM A Verification and Validation (V8V) Program is concerned with the process of specification, design, fabrication, testing, and installation associated with an overall system's software, hardware, and operation. For the SPDS, verification is the review of the requirements to see that the right problem is being solved, review of the design to see that it meets the requirements, and testing of system modules to verify that they function properly.

Validation includes perfonnance testing of the integrated system to see that it meets all requirements. Validation testing should not only include integrated testing of the hardware and software, but testing of the SPDS as part of the larger system for plant operations which includes the control room, plant procedures, plant operators, and operator training.

Supplement 1 to NUREG-0737 does not require Verification and Validation of the '

SPDS. However, a V&V program performed by the applicant / licensee during design; installation, and implementation of an SPDS will facilitate the NRC review of the system. On the basis of an effective V&V program, the NRC staff will reduce the scope and detail of the technical audit of the design.

s The remainder of this section presents LLNL's assessment of the V&V program.

The criteria for c effectiv'e V&V progran recommended by Section 18.2 of NUREG-

0800 and by NSAC/39 (5] were used as the basis of this assessment. j 3.1 SYSTEM REQUIR04ENTS REVIEW The system requirements are the four.detion on which the completed system must be designed, bui't, ind accepted. Section 18.2 of NUREG-0800 reconrnends that

,3 review of system requirements be co66ucted to determine that the SPDS functional needs will be !.atisfied. NSAC/39 states that a system requirements review should independently determine if the requirements will result in a possible and usable ~ solutior, to the entire problem, and should verify that the requiren?ents are correct, complete, consistent, understandable, feisible, testable, and traceable. {

l BVP!c4PD:4/22/67fak 3 4

1eaverValley A SSEL'6 3 Appendin T e s .

3.1.1 Discussion The BVPS-2 SPDS is a implementation of. the. generic Westinghouse iconic SPDS design. This implementation included only certain features of the' generic design, and did not include features that were primarily intended to support functions of the Technical Support Center (TSC). For BVPS-2, the result of the Westinghouse design process was a specification that detailed the SPDS displays, human factors conventions, and SPDS algorithms [a).

Westinghouse's SPDS design process included a systems requirement review of )

the planned capabilities of the generic design. This effort was reviewed as ]

part of the NRC's review of the generic design. The NRC review [7] found that i the Westinghouse verification process had satisfied the intent of the V8V l recommendations of Section 18.2 of NUREG-0800.  !

3.1.2 Evaluation The BVPS-2 SPDS design process has fulfilled the intent of Section 18.2 to 1 NUREG-0800 with respect to the recommendation to conduct a system requirements  :

review.

1 3.2 DESIGN VERIFICATION REVIEW Section 18.2 of NUREG-0800 recommends that a design verification review be perforr.ed af ter the system is initially designed to verify that the design will satisfy functional needs. NSAC/39 reconrnends that the design redew ensure that the system requirements decomposition into hardware and software is complete, and that there are no ambiguities or deficiencies.

l 3.2.1 Discussion The ERFCS was constructed from a design specification prepared for DLC by j Stone and Webster [e]. This SPDS portion of this specification incorporated the Westinghouse SPDS specification by reference. The ERFCS was constructed by Bailey Controls Corporation.

ERFCS hardware was assembled from off-the-shelf equipment. Considerable l exp?rience with this equipment was available to demonstrate its ability to perform in accordance with the ERFCS specification. Therefore, formal design verification was not conducted for each component of the ERFCS hardware.

Bailey did, however, review the hardware system design to verify that the system supports the SPDS and ERFCS requirements. In addition, DLC intends to perform site acceptance tests in which every hardware component is loaded to ,

its limits. I l SPDS sof tware was developed by Bailey to conform with the requirements of the Westinghouse specification. Software was developed on a modular basis to l correspond to the software modules defined by Westinghouse. The coding of each i' I software module was reviewed by Bailey to confirm that the code coirectly 8VPS2-SPD:4/22/87jak 4 i

Beaver Valley 2 ESER 6 4 Appendix T

. m _ _ _ _ _ _ _ _ _ _ ___m.___ _ _ _ _ _ __ _ _ _ _ _ . _ _ _ _ _ _ . _ _

implemented the algorithm and/or display layout set forth in the Westinghouse specification. This review, performed by Bailey programers who were independent of the ERFCS development process, was conducted in accordance with  ;

predefined V&V procedures [h,1). Any discrepancies noted were documented and l corrected. Once the the independent reviewer concluded that the code  !

correctly implemented the specification requirements, the reviewer prepared a memo documenting the acceptance of the module under review.

The NRC Audit Team examined sample documentation of the verification review I

[c]. This review confirmed the implementation of the process described above. j Since the Plant Safety Monitoring System (PSMS) and the Digital Radiation Monitoring System (DRMS) provide data and quality information to the ERFCS, j appropriate Verification and Validation of the SPDS functions of these systems 1 is an important part of the V&V of the SPDS function. Verification and Validation of the PSMS is being conducted on a generic basis by Westinghouse. Once the generic V&Y program is complete, the program will be reviewed and actions will be taken to make the program applicable to the plant specific BVPS-2 PSMS. Detailed information regarding verification of the DRMS function was not available for NRC Audit Team review. DLC indicated, however, that DRMS verification testing had been conducted by the system vendor.

3.2.2 Evaluation The BVPS-2 V&V process satisfied the intent of this recommendation of Section 18.2 of NUREG-0800 with respect to the SPDS functions performed by the ERFCS. The adequacy of the verification activities applied to PSMS will be separately reviewed and approved by NRC. DLC should confirm to NRC that this process is applied to the SPDS functions of the PSMS. Verification of the '

SPDS functions of DRMS still needs to be demonstrated. DLC should review the process for verifying that the SPDS functions of the system were correctly implemented. The process for this review, any deficiencies noted, and the i proposed corrective action for the noted deficiencies should be described for I NRC review. i 3.3 VALIDATION TESTING NUREG-0800, Section 18.2 recommends that validation testing be performed after the system is assembled to confirm that the operating system satisfies functional needs.

3.3.1 Discussion Informal integrated hardware / software system testing was conducted by Westinghout.e as part of the ERFCS Factory Acceptance Test (FAT) [b). The FAT procedure was derived from a Westinghouse-developed validation procedure that was used for validation testing of the Westinghouse generic SPDS. Test results were checked against system specifications, and discrepancies were l doc umented. Af ter system installation at BVPS-2, DLC performed detailed, formal Site Acceptance Testing (SAT), in which test results were cqapared to BVPS2-SPD:4/22/87jak 5 Beaver Valley 2 SSER 6 5 Appendix T  !

I the design ba;is. Significant discrepancies were corrected, and retesting was conducted to verify the correction. A decision not to correct a test discrepancy required concurrence by both DLC and Stone and Webster representatives.

The PSMS' and the DRMS wcre not available at the factory site to support the FAT. Therefore, this phase of validation testing was conducted using simulated inputs from these systems. More complete validation of the integration of the PSMS, DRMS, and ERFCS is planned as part of SAT.

The NRC Audit Team examined sample documentation for FAT and SAT [1],

including test discrepancies that ere not to be corrected. For the samples examined, the conduct of the FAT and SAT documentation was found to be in accordance with the V&V and test procedures.

To validate the useability of the SPDS design as an aid in determining plant safety status, man-in-the-loop testing on the generic SPDS design was conducted by Westinghouse. This testing has previously been reviewed by NRC, and was found to have seceptably validated the generic system design [7]. DLC  !

does not plan testing to validate the effectiveness of the BVPS-2 SPDS within j the context of the unit's control room and the plant-specific operator - '

training.

l 3.3.2 Evaluation l

. i DLC's system validation efforts satisfactorily address the recommendations of  ;

Section 18.2 of NUREG-0800 with respect to integrated hardware and software l system testing. DLC must still complete the portions of the SAT necessary to i validate the integration of the SPDS functions of the PSMS, DRMS, DPRI, and ERFCS. 1 4

The man-in-the-loop testing conducted by Westinghouse demonstrated the  !

effectiveness of the BVPS-2 SPDS design as an operator aid. DLC needs to I conduct further man-in-the-loop testing to validate the usefulness of this aid i in the context of the BVPS-2 control room, operations philosophy, and operator training. This testing should be conducted after DLC has developed an acceptable philosophy for SPDS use under transient conditions, and should be conducted with plant operators trained in this philosophy. DLC should also i take advantage of this man-in-the-loop testing to solicit operator feedback on the human factors aspects of this design. Specific feedback on NRC Audit Team human factors concerns noted in Section 4.9.1 of this TER should be included.

DLC should report to NRC on both the completion of system integration I validation and man-in-the-loop testing. The test processes should be j described along with a discussion of test results, discrepancies identified by l testing, and planned corrective actions.

l BVPS2-SPD 4/22/87jak 6

> Beaver Valley 2 SSER 6 6 Appendix T

,i 3.4 FIELD VERIFICATION TESTS NUREC-0800, Section 18.2 recommends performance of field verification tests, once the system is installed, to verify that the validated system was installed properly. NSAC/39 recrwnends that, as a minimum, field verification testing should confirm that the information displayed is directly correlated with the sensor data being input.

3.4.1 Discussion Verification testing of the SPDS installation is in progress. As part of plant acceptance testing, inputs to system data input nodes and to the plant computer _have already been verified. This effort includes verification that an accurate value of each input is displayed, and that the value is displayed in the proper area of the SPDS display terminal. Any discrepancies were noted, and were then given to Stone and Webster for correction.

Voltage measurements made at plant computer system analog point inputs during this testing are being used to simulate the. plant process instrumentation inputs to verify proper SPDS response. Acceptance test results for.the PSMS, DRMS, and DRPI System are being audited to verify that this. testing demonstrated that the SPDS functions of these installed systems function as designed.

3.4.2 Evaluation The BVPS-2 SPDS field verification program will satisfy the intent of the recommendation of NUREG-0800, Section 18.2 in this area once the testing has been completed and any identified discrepancies have been appropriately resol ved. DLC should submit, for' NRC review, a discussion of the test results, including description of the deficiencies identified, planned corrective actions, and corrective action schedules.

4. ASSESSMENT OF SPDS DESIGN The NRC Audit Team assessed the SPDS system with respect to supplement 1 to NUREG-0737 and the specific review criteria suggested by NUREG-0800, Section 18.2, Appendix A. This portion of the audit addressed the points of a design validation audit. The following provides a discussion of the BVPS-2 SPDS design features relative to the provisions of Supplement I to NUREG-0737, and the corresponding LLNL assessment in each area.

4.1 "THE SPDS SHOULD PROVIDE A CONCISE DISPLAY ..."

4.1.1 Discussion The two top-level displays present plant parameters needed to assess critical safety functions in a compact format. Distortion of the octagonal pattern as well as color coding and reverse video display of parameter values denote critical / abnormal plant conditions. Additional displays can be accessed to BVPS2-SPD:4/22/87jak 7 Deaver Valley 2 SSER 6 7 Appendix T

allow users to obtain more detailed information, including tabular data and information about trends. Although these additional displays are not as concise as are top-level displays, the organization of the display hierarchy and low system response time (usually less than three seconds) facilitate users' ability to access any particular desired information. Furthermore, status information for key plant parameters is available at one location, a single SPDS workstation.

4.1.2 Assessment The BVPS-2 SPDS meets the requirements of Supplement I to 90 REG-0737 regas ding concise display.

4.2 "THE SPDS SHOULD ... DISPLAY ... CRITICAL PLANT VARIABLES" 4.2.1 Discussion Selection of parameters for display on the BVPS-2 SPDS was based upon a Westinghouse analysis to identify the parameters needed to detect departures from safe plant conditions. This analysis identified the parameters needed to detect a challenge to'any of the five critical plant safety functions listed in Supplement 1 to NUREG-0737. These functions are 1) reactivity control, 2) reactor core cooling and heat removal from the primary system, 3) RCS integrity, 4) radioactivity control, and 5) containment integrity.

Consideration was given to the information needed to detect challenges under pre- and post-trip conditions. Additionally, parameters were included to allow operators to determine system states relevant to the restoration or maintenance of these safety functions. Table 1 provides a listing of the parameters displayed by the BVPS-2 SPDS.

The NRC Audit Team noted that containment isolation valve status is not provided by SPDS. Therefore, the status of the containment integrity CSF cannot be completely assessed by use of the SPDS.

The two top-level SPDS displays are moce-dependent. The narrow-range and wide-range iconic displays are associated with the terminate and mitigate ,

modes, respectively. Alarm setpoints applicable to all displays also change as appropriate to reflect changes in plant operating status.

4.2.2 Assessment With one exception, the parameters displayed by the BVPS-2 SPDS are sufficient to provide users with information regarding the status of the five safety functions identified by Supplement 1 to NUREG-0737. DLC should modify the i SPDS to include this information or should provide additional justification for not including containment i:olation valve status in SPDS displays.

4.3 "THE SPDS SHOULD . .. AID THEM (OPERATORS) IN RAPIDLY AND RELI ABLY DETERMINING THE SAFETY STATUS OF THE PLANT" BVPS2-SPD:4/22/87jak 8 Beaver Valley 2 SSER 6 8 Appendix T

I 4.3.1 Discussion l Except for radiation monitoring, parameter values displayed by SPDS are i updated every two seconds. Radiation monitoring data updates occur once every minute. DLC has specified that response time for user interaction be less than 5 seconds. Under conditions of low system load, the NRC Audit Team ocud shat response time for user interaction is consistently less than ? sectt.S ,

DLC plans to perform response time testing which will establish the bopW of data update rates and system response. This testing will confirm that sp zem response time requirements are met under extremes of system loading.

The ERFCS transforms direct analog inputs into engineering units, using a linear, square root, or exponential conversion, as appropriate. ERFCS also receives inputs from PSMS and DRMS. In these cases, the engineering units conversion is performed before the data are passed to the ERFCS. Inputs are checked to ensure that they fall within the range (based on instrument capabilities of the sensors from which they originate.) Inputs are labeled either GOOD or BAD.

After individual data inputs are checked, an interchannel comparison of good inputs is performed. An algorithm developed by Westinghouse determines whether differences between good inputs fall within predefined acceptance criteria. These acceptance criteria are based upon expected instrument accuracy during post-accident and normal operating conditions. If one or more inputs do not pass the interchannel comparison test, these inputs are flagged as BAD, and all other inputs are flagged as P00R. All individual instrument readings which are "not bad" are used to synthesize a single " group value" for each parameter. The group value is quality tagged as follows:

Group Data Quality code Description BAD 3 No good quality sensor -

inputs.

POOR 2 Group quality is not bad, but one or more of the individual group sensors has a quality other th6n good.

MANUAL 1 Not applicable data---

a manually-entered group value will not l be utilized.

GOOD 0 A group value which is neither bad nor poor.

BVPS2-SPD:4/22/87jak 9 l

Beaver Valley 2 SSER 6 9 Appendix T

Finally, individual channel data quality labels are revised'. Because inputs have already been labeled as GOOD or BAD as a result of range checking, relabeling of individual channel inputs may occur. The following algorithm is used:

Data Quality Code Description BAD 3 Signal missing, or removed from scan with no value entered, or originating from an I/O point which was detected as failed ,by system diagnostic routines.

POOR 2 Signal has failed consistency check.

MANUAL 1 Signal has been removed from scan, and a value has been manually entered.

GOOD 0 A sensor value other than bad, poor, or manual.

In accordance with the data validation algorithms, non-alarm data values are colored yellow if good, and magenta if any quality other than good. Bad data are not displayed, but are indicated by magenta "X"s, and flagged with the letter "B." The values of poor and manually entered data are displayed in magenta to indicate these values were obtaired while one or more channels yields GOOD inputs. These displays are flagged with "P" to indicate poor data or "M" to indicate manually-entered data. A process alarm condition is indicated by displaying data values in reverse video red, and red color coding indicates that the design limits of the core have been exceeded. Cyan is used ,

to indicate reference values or static mat ~ j The NRC Audit Team pointed out that the labeling of data as P00R merely because one of a number of sensor inputs is labeled BAD is a cause of concern. Dats other than BAD input data may be the best indication of plant variable. status available to the SPDS user. During the SPDS Audit, however,  ;

several operators indicated that they ignore any data displayed in magenta.

These labeling and color coding conventions may therefore not help operators i in determination of plant safety status.

As part of the field verification testing process, DLC reviewed the scale and range of every instrument. The ERFCS was not available during fie,ld verification testing, so DLC routed inputs through the ERFCS communications BVPS2-SPD:4/22/87jak 10 Beaver Valley 2 SSER 6 10 Appendix T

1 l

i l

1 loop to the plant computer. DLC verified that every instrument input is correctly converted into engineering data by data transformation algorithms.

DLC required that this transformation not introduce errors greater than .0025 I percent. In a tabletop walkthrough, DLC demonstrated that the algorithm which transforms pressurizer pressure yields appropriate output values.

According to DLC, instrumentation calibration procedures were performed as part of maintenance surveillance activity, and were verified by-the BVPS-2 On-Site Safety Committee. In addition, DLC verified the screen display location and color of each data output. Plans to include verification of SPDS readings during periodic instrument calibration were not evident.

System operability is indicated by several cues. A clock continuously displays current time every two seconds. Thus, if the system were to become inoperable, the indicated time would not change. The blinking of the cursor also indicates system operability. In the case of an extreme malfunction, a computer alarm message is displayed.

Accuracy of numerical displays is generally to the nearest integer, or to the nearest one-tenth of a unit. The resolution of trend and history plots is five to ten percent of full scale. Trend and history plots are based upon a ten-second sample of parameter values. Trend and history plot scaling, time duration, and sample rates are not user-modifiable.

Security for SPDS is accomplished primarily through procedures specified by a data base change checklist. Access to keys required to perform keylocked functions is necessary for data base changes, such as the setting of parameter values, scaling, etc., to be made. The shift supervisor controls these keys.

Programming changes can be made from the Emergency Operations Facility (EOF),

Technical Support Center (TSC), Computer Room, or Control Room. Programming changes can be entered from SPDS consoles without access to keys. However, to make such changes, one must first load the source code tape, then compile changes. At BVPS-1, this process requires four hours. Progranrning changes are currently controlled by the V&V process applicable to system development.

Procedures that ensure proper review of software changes after. system turnover to DLC have not yet been developed.

The BVPS-2 SPDS is controlled by redundant LPUs with shared memory. These two CPUs are both diesel- and battery-backed, and are fed by redundant interface nodes. Two SPDS consoles are located in the control room. DLC considers the SPDS terminal at the reactor operator's console to be the primary SPDS console. The TSC terminal near the shift supervisor's office is primarily an ERFCS console and se:ondarily an SPDS console. The terminal at the reactor operator's console serves as a back-up to the terminal near the shift supervisor's office; if the latter becomes inoperable, the former may function as an ERFCS terminal. Two additional SPDS terminals are located in the Alternate TSC above the control room.

BVPS2-SPD:4/22/87jak 11 Beaver Valley 2 SSER 6 11 Appendix T

l Estimates of system availability were not complete at the time of the audit.

DLC is conducting an overall availability study for the BVPS-1 SPDS. This study will be used to estimate BVPS-2 availability.

4.3.2 Assessment The BVPS-2 SPDS, for the most part, satisfies the provisions of Supplement I to NUREG-0737 regarding rapid and reliable display of SPDS information. To 1 completely satisfy this requirement, DLC should address the following issues: j j

1. Reevaluate the perceptual cues used to flag POOR data. Input from.

operators should be solicited in the resolution of this issue.

2. Incorporate verification that SPDS is displaying correct values into 1 procedures for periodic instrument loop verification.  !

3. . Complete assessment and predictior: of SPDS availability. The fmetion of ,

the entire SPDS system, including SPDS functions performed by DRPI, j PSMS, and DRMS, must be considered in SPDS availability estimates. l DLC should describe to the NRC the results of activities undertaken to address  ;

these issues. This information should be submitted no latcr than start-up '

following the first refueling.

It is also recommended that DLC develop a procedure for tracking SPDS availability. Actual hardware and software availability should conform to i predictions.

4.4 "THE PRINCIPLE PDRPOSE AND FUNCTION OF THE SPDS IS TO AID THE CONTROL ROOM PERSONNEL DURING ABNORMAL AND EMERGENCY CONDITIONS IN DETERMINING THE SAFETY STATUS OF THE PLANT AND IN ASSESSING WHETHER ABNORMAL CONDITIONS WARRANT CORRECTIVE ACTIONS BY CONTROL ROOM OPERATORS TO AVOID A DEGRADED CORE."

4.4.1 Discussion The BVPS-2 SPDS displays the current value of input yhriables, and provides perceptual cues to abnormal values through use of pattern recognition (i.e.,

distortion of the octagon which represents key plant parameters), reverse video, and status color coding. The magnitude of critical values is indicated by display of digital parameter values, and, in the case of top-level ,

displays, the length of diagonals in the octagonal figures. As stated l previously, 5- and 30-minute trend and history data, and iconic replay data are also available. Iconic repiays are labeled as such in the upper-left portion of the display. l 4.4.2 Assessment The BVPS-2 SPDS fulfills the requirement of Supplement I to NUREG-0757 with respect to providing the operator aid in the determination of safety status.

BVPS2-SPD:4/22/87jak 12 Beaver Valley 2 SSER 6 12 Appendix T

J l j 4.5_ "THE-SPDS_(SHALL BE) LOCATED CONVENIENT TO THE CONTROL ROOM OPERATORS" 4.5.1 Discussion As discussed in Section 4.3.1, two SPDS terminals (reactor operator's console and TSC terminal) are located in the control room. Because there is a wide aisleway behind each SPDS terminal, neither terminal is likely tc '

interfere with operator movement. However, two operators who were interviewed by the'NRC Audit Team stated that a'SPDS display mounted on the control room.

vertical. panels (as in BVPS-1) would significantly improve SPDS usefulness.

These operators related that they prefer to analyze instrument readings and detailed SPDS data together.

4.5.2 Assessment DLC has fulfilled the requirement of Supplement 1 to NUREG-0737 that the SPDS be convenient to operators.

Although.0LC has met this requirement, the NRC Audit Team recommends that DLC obtain additional operator input concerning optimal location of SPDS terminals in the control room. If additional input indicates.that operators prefer the placement of an SPDS terminal on the front board d the control room, DLC should consider placing this terminal ~accordingly.

4.6 "THE SPDS SHALL CONTINU0USLY DISPLAY INFORMATION FROM WHICH THE SAFETY STATUS'0F THE PLANT ... CAN BE ASSESSED ..."

4.6.1 Discussion I The BVPS-2 SPDS top-level displays provide an overview of the status of key plant parameters. Perceptual cues also facilitate operators' ability to I determine the plant safety status. Only some of the 49 SPDS displays, however, provide information suHicient to assess plant safety status.

Furthermore, the SPDS terminals in the control room may be used for ERFCS ,

displays which likewise do not contain information to assess plant safety I status. During the BVPS-2 SPDS Audit, DLC stated that they would implement I administrative controls to require one of the control room consoles to be verified in the SPDS mode at least once per shift.

4.6.2 Assessment DLC has not satisfied the requirement of Suppleinent I to NUREG-0737 that the SPDS shall continuously display information from which the safety status of the plant can be determined. Selecting the SPDS mode once per shift does not constitute continuous display of information from which plant safety status can be assessed. Furthermore, a conrnitment to ensure continuous display of the SPDS mode on one control room terminal would not satisfy this requirement since many SPDS displays do not contain all of the information needed to i

assess CSF status. Continuously displaying the full-screen top-legel iconic 4

i BVPS2-SPD:4/22/87jak 13 l

Beaver Valley 2 SSER 6 13 Appendix 1 )

"i:

a on one of the two control room consoles would significantly. degrade the system's usefulness as a operator aid. 1 L DLC must modify the BVPS-2 SPDS to continuously display information from which' the' safety status of the plant can be assessed, and describe to NRC the j actions undertaken to fulfill this requirement. Information about these i actions'should be submitted no later than start-up following the first f refueling.

4.7. "THE SPDS SHALL BE SUITABLY. ISOLATED FROM ELECTRICAL OR ELECTRONIC .l INTERFERENCE WITH EQUIPMENT AND SENSORS THAT ARE IN USE FOR SAFETY SYSTEMS" j I

4.7.1 Discussion DLC indicated that Class IE isolation devices are used at each interface between Class 1E systems and the SPDS. Test type data for the specific isolation devices has been separately provided to the NRC. NRC's conclusions regarding the suitability of isolation devices and SPDS isolation provisions will be provided in a Safety Evalu6 tion Report. 1 4.7.2 Assessment Review of the isolation provisions is not within the scope of this Technical Evaluation Report.

4.8 " PROCEDURES WHICH DESCRIBE TNE TIMELY AND CORRECT SAFETY STATUS ASSESSMENT WHEN lHE SPDS IS AND IS NOT AVAILABLE WILL BE DEVELOPED BY THE LICENSEE IN PARALLEL WITH THE SPDS. FURTHERMORE, OPERATORS SHOULD BE TRAINED TO RESPOND TO ACCIDENT CONDITIONS BOTH WITH AND WITHOUT THE SPDS AVAILABLE."

4.8.1 Discussion DLC has written the following statement of the rela'tionship between SPDS and BVPS-2 Emergency Operating Procedures:

"BV-2 Opera 6cnc n aiders the SPDS to be a useful tool which can be used by the operate r te aN nd augment the required control room indication. The i SPDS may be asec es e operator aid to assest, the plant safety status. l However, the 19D.- u act referenced in the E0Ps and is not required to be used during emerget.c . A.Jitie n ,"

SPDS training is designed to teach SPDS users how to: 1) recogni:e differences in plant cesign between Unit 1 and Unit 2, 2) interpret top-level displays, and 3) access relevant detaileo information. Training content is tailored to operators and shift technical advisors.

The NRC Audit Team examined three lesson plans which DLC uses in its training program. The lesson plans revaal that a sufficient amount of information is covered during training to enable novice users to operate SPDS. However, three related issues are not covered by the training program:

BVPS2-SPD:4/22/87jak 14 Beaver Valley 2 SSER 6 14 Appendix T

i i

1. DLC has not identified a specific user of SPDS. Consequently, the relationship between SPDS training and utilization of SPDS during i abnormal plant conditions is unclear.

2. DLC has neither developed nor implemented a philosophy for utilization y of SPDS. Currently, plant operators do not appear to understand the value of'SPDS as a system. When describing the merits of SPDS, these operators instead focus upon the ability to access one or two types of information.

3. Regairements state that operators should be trained to respond with and without SPDS. Due to a lack of philosophy for SPDS utilization, the BVPS-2 training program does not address this requirement. ,

During the SPDS Audit, three plant operators were interviewed to determine how effective an aid SPDS is. Operators generally reported that SPDS is rapid and easy to use, and that it provides the desired functions. However, operators i did not report that the top-level (iconic) displays were helpful in determining plant safety status. There appeared to be a preference in obtaining information about key variables from ERFCS and from the panels.

Operators generally agreed that more effective SPDS training would enhance the usefulness of SPDS.

4.8.2 Assessment The BVPS-2 SPDS does not meet this requirement of Supplement I to NUREG-0737.

DLC should by start-up from the first refueling correct the deficiencies noted above. Evidence of corrective actions should be submitted to the NRC no later J than start-up from the first refueling.

4.9 "THE SPDS DISPLAY SHALL BE DESIGNED TO INCORPORATE ACCEPTED HUMAN FACTORS I PRINCIPLES S0 THAT THE DISPLAYED INFORMATION CAN BE READILY PERCEIVED AND COMPREHENDED BY SPDS USERS."

l 4.9.1 Discussion i

The SPDS is based on the generic Westinghouse SPDS design. Thus, the SPDS human factors design was, for the most part,~ developed by Westinghouse. The display hierarchy is based on a cognitive model describing thinking stages of an operator responding to abnormal plant conditions. Westinghouse also utilized human f actors principles and man-in-the-loop tests in developing the generic SPDS human factors design.

The BVPS-2 SPDS was evaluated with respect to NUREG-0700 guidelines during the BVPS-2 Control Room Design Review. Thirty Human Engineering Discrepancies (HEDs) were generated. The NRC Audit Team concluded that, with one exception, appropriate action has been scheduled to resolve the identified HEDs. NRC's ',

review of the DCRDR process has determined that DLC's process of identifying and resolving HEDs is acceptable [S),

BVPS2-SPD:4/22/87jak 15 Beaver Valley 2 SSER 6 15 Appendix T

{

4 The NRC Audit Team informally performed " hands-on" useability testing of the SPDS. The human factors display conventions and screen formats of the BVPS-2 SPDS are generally acceptable. However, several specific aspects of coding, readability, and the control interface are deficient: l

1. The use of yrllow to represent normal data / conditions is contrary to widely accepted human factors color coding conventions. .

2. Allowable limits of parameters are not indicated on trend and history plots. Thus, operators cannot perform margin monitoring, i.e.,

determine how far parameters are from alarm limits.

3. Trend and history plots are too small to be conducive to readability.

i

4. One trend plot screen, 2TR2, displays two parameters on the same plot. l Lines representing values of each parameter are color-coded j

identically. It is difficult to determine which line represents which i parameter.

5. Pushbuttons are located in two groupings, one on the keyboard, and one in a vertical configuration on the display terminal. Interaction l sequer,ces often require excessive operator hand and arm movement between I both groupings of pushbuttons.

l 6. Confusing and/or irrelevant prompts are frequently presented. For ,

i example, prompt messages may list three response options. To the right j l of these options, a prompt to PRESS EXECUTE is displayed. This last z prompt indicates a response which produces no actions by the system. I l

7. Cursor movement via keyboard arrow keys is slow. The option of cursor {

movement via joystick in BVPS-1 SPDS is, in many interaction sequences,  ;

much faster and more efficient.

4.9.2 Assessment The BVPS-2 SPDS has, for the most part, satisfied the provisions of Supplement 1 to NUREG-0737 regarding human factors principles. To completely satisfy this requirement, DLC should address the human factors problems described in 4.9.1 by comparing a task analysis of normal operator response sequences and i information requirements to the SPDS coding, information display, and I interaction technique conventions. HEDs should be generated and resolved on j the basis of this evaluation. DLC should by start-up following the first I refueling submit to NRC the results of this activity.

l I

I i

BVPS2-SPD:4/22/87jak 16 Beaver Valley 2 SSER 6 16 Appendix T

5.0

SUMMARY

With several exceptions, the Beaver Valley Unit 2 Safety Parameter Display System fulfills the SPDS requirements of Supplement I to NUREG-0737. To allow an unqualified conclusion regarding SPDS acceptability, DLC should, by start-up following the first refueling, complete the following activities, and submit to NRC documentation that these activities have been completed:

1. Verification that SPDS functions of PSMS and DRMS are correctly implemented, and that acceptable procedures for verification of SPDS functions of PSMS were conducted. Documentation should include a description of noted deficiencies and corrective actions to resolve these deficiencies.

2. System validation testing, including system integration and man-in-the-loop testing.

3. Field verification testing. Documentation should include noted deficiencies, planned corrective actions, and schedules for corrective '

actions.

4. Inclusion of containment isolation valve status in SPDS displays, or submission of a rationale for omitting this infomation from SPDS displ ays .

5. Reanalysis of display coding conventions for POOR data.

6. Revision of periodic instrument loop calibration to include verification that SPDS is displaying accurate data values.

7. Completion of assessment and prediction of SPDS availability.

8. Conformance with Supplement I to NUREG-0737 requirements regarding continuous display of information needed to determine plant safety status.

9. Modification of training to comply with requirements in Supplement 1 to NUREG-0737.

q Comparison of results of a task analysis to SPDS coding, display, and  !

11.

interaction technique conventions. Documentation should include a description of HEDs generated as a result of this activity, and the resolution of these HEDs.

I BVPS2-SPD:4/22/87jak 17 I I

J Beaver Valley 2 SSER 6 17 Appendix T j

In addition, the NRC Audit Team recommends that DLC reexamine the following issues that do not directly affect the acceptability of the system with respect to the requirements of NUREG-0737, Supplement 1:

1. Development of a procedure for tracking SPDS availability.

2. Location of the SPDS display in the control room. Mounting a SPDS display on the control room vertical panels may enhance SPDS useability.

6.0 REFERENCES

6.1 GENERAL REFERENCES i

1. NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 3 Accident," Rev. O, May 1980, Rev. 1. August 1980.

2. NUREG-0737, " Clarification of TMI Action Plan Requirements," November 1980.

3. NUREG-0737, Supplement 1, " Clarification of THI Action Plan Requirements," December 1982.

4. NUREG-0800, " Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 18.2, " Safety Parameter  ;

Display System (SPDS)," Rev. O, November 1984.

5. NSAC/39, " Verification and Validation for Safety Parameter Display Systems," prepared by Science Applications, Inc. for the Nuclear Safety l Analysis Center, December 1981.

6. Letter, 2NRC-4-115 E. J. Woolaver (DLC) to D. G. Eisenhut (NRC),

" Safety Parameter Display System Safety Analysis Report and .

Implementation Plan Report," August 1,1984. l

7. Letter, LS05-84-02-009, D. M. Crutchfield (NRC) to E. P. Rahe (Westinghouse), " Review of Westinghouse Generic Safety Parameter Display System," February 2,1984.

8. Memo, F. Rosa (NRC) to P. Tam (NRC), " Safety Evaluation Report for Beaver Valley Power Station, Unit 2, Detailed Control Room Design 4 Review," July 7, 1986.

6.2 DOCUMENTS EXAMINED DURING AUDIT

a. Westinghouse Design Specification 955809, " Safety Parameter Display System Software and Onsite Technical Support Center Displays,'" Rev. 3, December 15,1986,(proprietary).

b. Test Procedure IT-63S-ERF-4, " Beaver Valley 2 ERFCS Site Acceptance Test," Rev. O, October 7, 1986.

BVPS2-SPD:4/22/87jak 18 Beaver Valley 2 SSER 6 18 Appendix T

I

c. "SPDS Verification Acceptance Forms," Module VECTA, January 16, 1985 and February 6, 1985.

d. Nuclear Group Directive No. 34, " Configuration Management Program,"

Draft.

e. " Specification for Emergency Response Facility Computer System, Beaver Valley Power Station, Unit 2," Rev.1, April 26,1985.

f. ESD-CR&CD-105, " Design Basis Document, Plant Safety Status Display,"

Revision 1, Westinghouse Corporation, July 10,1985, (proprietary).

g. WCAP-10170, Westinghouse Corporation, April 29,1982,(proprietary).

h. Bailey Controls Procedure, "SPDS Verification and Validation Process,"

Rev. C, January 16, 1965.

i. Bailey Controls Procedure, "BVPS-2 ERFCS Verification and Validation Process," Rev. A, August 14, 1986.

j. DLC letter, 2NRC-3-017 E. J. Woolever (DLC) to D. G. Eisenhut (NRC),

" Requirements for Emergency Response Capability," April 15, 1983.

k. Westinghouse Report, "SPDS Development Process Appendices," no date, (proprietary).

1. Site Acceptance Test Discrepancy Reports, "BV 2 ERFCS Computer Faults,"

October 7, 1986.

m. Westinghouse Test Procedures, Beaver Valley Unit 2 Safety Parameter Display System Software, Rev. 3, November 22, 1985 (proprietary)

n. Key Safety Parameter Selection for the Beaver Valley Unit 2 Safety Parameter Display System, Westinghouse Water Reactors Division, WCAP-10170, Rev. 2, September 30, 1986 (proprietary)

, o. Beaver Valley Power Station-Unit 2 Emergency Response Facilities l Computer System, 08700-DES-0149, October 27, 1986 1

p. Beaver Valley Power Station-Unit 1 Test Procedures, IT-635-ERF-6, October 25, 1986 l l q. Beaver Valley Power Station-Unit 2 ERFCS Software Verification Test, IT-635-ERF-7, January 27, 1987

r. ERFCS Digital input Verification Procedure, 1T-635-ERF-8, February 11, 1987

s. MSP Supplement, 2MSP-6.43-1, no date BVPS2-SPD:4/22/87jak 19 Beaver Valley 2 SSER 6 19 Appendix T l

t. DLC Safety' Parameter Display System Lesson Plan', LP-DCP-70, June 7,1985 -

u. DLC Emergency Response Facility Computer System / Safety. Parameter Display.

' System , Lesson . Plan 2LP-SQS-5C, February 17, 1987

v. DLC Unit I/II STA Cross-Training Lesson Plan, 2LP-STA-71, February 12, 1987.

1 i

l l

l

'l j

I 20 I BVPS2-SPD:4/22/87jak Beaver Valley 2 SSER 6 20 Appendix T

i TABLE 1 PARAMETERS INPUT TO BVPS-2 SPDS Reactor Power, Power. Intermediate, end Source Range.

Volume Control Tank Level Boric-Acid Tank Level Emergency Boration Flow Reactor Cooling System (RCS) Makeup Flow Chemical and Volume Contro'l System (CVCS) Valve Positions CVCS Flow CVCS Pump Breaker Status Turbine Power RCS Average Temperature Control Rod Position Main Steam Line Isolation Demand Signal Main Steam Line Pressures Steam Generator Water Levels (Wide and Narrow Ranges) Steam Flow Steam Relief Valve Positions Main Steam Line Isolation Valve Positions Main Feedwater Flow Feedwater Isolation Valve Positions

' Steam Dump Valve Positions Condenser Status Demineralized Water Storage Tank Level Auxiliary Feedwater ( AFW) Flow AFW Valve Positions AFW Pump Status Containment Water. Level RCS Temperatures (T-hot and T-cold) Core Exit Temperatures RCS Wide Range Pressure RCS Flow Reactor Coolant Pump (RCP) Breaker Position RCS Stop Valve Positions Pressurizer Level Pressurizer Vapor Space Temperature Pressurizer Liquid Temperature i Pressurizer Heater Breaker Positions l Pressurizer Spray Valve Positions Pressurizer Relief Tank (PRT) Valve Positions Pressurizer Power Operated Relief Yalve (PORV) Positions PORY Tail Pipe Temperatures Pressurizer Safety Valve Positions  !

Reactor Vessel Water Level Subcooling Margin Reactor Trip Breaker Status Reactor Heat Removal (RHR) Flow RHR Valve Positions RHR Pump Breaker Positions RHR Heat Exchanger Inlet and Outlet Temperatures Engineered Safety Feature (ESF) Valve Positions Emergency Core Cooling System ,(ECCS) Flows BVPS2-SPD:4/22/87jak 21 Beaver Valley 2 SSER 6 21 Appendix T l

ECCS' Pump Discharge Pressures ECCS Pump Breaker Status-Refueling Water Storage Tank.(RWST) Level.

Accumulator Level Accumulator. Pressure

~RCS Letdown Flow. . .

RCP . Seal Water Flow (supply and return)

Plant Elevated Release Point Radiation Plant Vent Radiation Containment Radiation Containment Exhaust Radiation Steam Generator Blowdown Radiation Auxiliary Steam Radiation l Condenser' Air Ejector.'Off_ Gas Radiation Auxiliary Building-Area Radiation Decontamination Area Radiation Condensate-Polishing Area Radiation Safeguards Building Area Radiation' Waste Handling Building. Area Radiation Waste Gas. Storage Tank Radiation Liquid Waste Effluent Radiation  ;

Fuel Building Ventilation Radiation Fuel Building Area Radiation Control Room Area Radiation Component Cooling . Water Radiation Main Steam Line Radiation Service Water Radiation Containment Spray Valve Positions Containment Spray Pump Breaker Positions Containment Hydrogen Concentration 5

Containment Air Temperatures Containment Sump Level >

Containment Pressure-(wide and narrow range)

Containment Spray Actuation Signal Containment Fan Cooler' Breaker Status Containment Fan Cooler Inlet and Outlet Water Temperatures Containment Isolation Signals DVPS2-SPD:4/22/87jak 22 Beaver Valley 2 SSER 6 22 Appendix T j l

SP&C POAJ0 335 U.5, NUCLEAR ILEGULATOstY COMMISSION 1 REPOMT NUMBE M fAmynea sy rf0C, sad Vo# Af o , /t anrs

~

NUREG-1057

, ,o

!',$,.,220:,'

32o BIBLIOGRAPHIC DATA SHEET Supplement No. 6 Sit INSTRUC?lONS ON THE fitVE j 7 TITLE AND 8US flT LE 3 (f AVE 8 LANK

- Safety Evaluatio eport Related to the Operation of Beaver Valley P r Station, Unit 2 4 DATi pRT COMPLETED

, EAR MON T ,. p l

. AUT nO.,,, August / 1987 p DAf f REPORT ISSUED e- v.AR l

Ayj(ist 1987 7 PtRFORMsNQ OHGANi2 ATION NAME AND Mall E 6 PROST/T ASKtWORK UNIT NUMBEf4 Division of Reactor Pro ADDHESSfiveIpCeset cts I/I - =,jr Office of Nuclear Reacto Regulation U.S. Nuclear Regulatory C mission $

INOnoANTNUM. ,

Washington, D.C. 20555.

10. 5PON50HINQ QRGANt2 Af TON NAME AND MAILING ADD S itec/w#r t@ Cosef { lie T YPE OF HEPOHT ,

l Same as 7 above b PE8 trod COvf RED (fepve defest P

12 SUPPLtMENT AR v NOTES I Docket No. 50-412 13 ASSTM ACT (200 opords or lessl

• Supplement No. 6 to the Safety Eval on Report for the application filed by Duquesne Light Company, et al . , for . cense to operate the Beaver Valley Power Station. Unit 2 (Docket No. 50-41 , ' cated in Beaver County, Pennsylvania, has been prepared by the Office Nuc ar Reactor Regulation of the Nuclear..

Regulatory Commission. 'The pur se of- is supplement is to update the Safety Evaluation of (1) additional i ormation ubmitted by the licensees since Supplement No. 5 was issued, d (2) matt s that the staff had under review '

when Supplement No. 5 was i iled .

g

\

k t,

L I

14 DOCUMENT AN ALYSIS - s ~f VWORD5tDE5CRtPTDMS 16 A V AILA8iLI T v

$TATEMENT Un1imited 16 SECURITY CL ASSif lCP TION f rass paces

. De ~T,, ,e R , ~ .ND D Ti Ms Unclassified (Thos rgport)

Unc1assified 17 NUvet R OF P AGi$

18 PR'Cf w.

_ _ _ . _ _ _ _ _ _ _ _ . _____ _____m._.________ _ _ _ _ _ _ _ _ _ _ _ _ . . . _ _ _ _ . _ _ - _ _ . _ _ _ _ _ . _ _ _ - - - _ . - _ _ - - - - - - - .

um Ww%21BERBsG w g W,

A yan4 R MMWUNITED.STATESWMM$%M nNaWuMNnMMSM$e.@hWjd@G& CLEAR ddMM REGULATORYCOMMIS860NW$$@

B d

M MSffd%M M h$$M a mn ems wu poems m swek "M.7"NQ

$ph%

gOff@%

$hf65WW2,u, %+dh 4

AMyWaummwmusomw%u% esn w d n mas, wew+gowWadw$emm wnemuk

~

So w w .

u%nw4'Nhfb h aae$hfkhb .kb mm'm h Y -

hh h.YwwW Au hh w

kk a A m -

ww.

4 ppMd g h f M M M(MW dr g e e m m : m[ h N N.Mhk 3 NN 52J ' .'

~~' mmANwkt$w!@hd$$Wi 5MM % M -

$$h N  %

Mn@gh $ wm$q$m$Nk.f $sn m?m m y4  %%wYk,% ?d@h@w?b. -

nu W D$$an% bs @M $

gg www g$m h hkWhhhhhhDW n m, o. .

. . , ~. y. >,w $khh amm y o -a we#,w fgh e?h?wAhel j hhh0%$ e a&fG Wh V m ' ',

mm,s l %a +, h. mk$ nf a a

f b , &jhhhh w w a m sa%w %O 20

. w. u bh m e hNf w. p qIyh W wm

_- ~

_h Wehr M h%8 % ,W SkD 4 s@r o _m w~

.jQ%

_M Ww_T ww nl:QMMml%

%md m QQ .+W A M _o$v$ w M_ % %& ,! M _MM%d _NMM@mMy WQpffQpg%$qQS%% QW w;w;y :;b,1.e&l$%$ fyg %w.4l DR mgMgwW h 4o w .- p _m v, _v y - n b a b:?hY{'k.h.

n: >c- ., & o a qF Wp Wp mg , ,

u w @o ep a,7 kNhehgf h khhN wmm.x N h 5 w~N5khi g

$qycs u cm 0 kN,hY bY "h* ll Qhh?\hk$N

' ;moy-inw w w:: ;m

~ e% iw~ n&u:b.: m%  % f ma d, awk hy#w{w h> %s,v . . na 4wO" M % nn$yql$&&ny' wk

~ vm.. n Qhu?ql p% &05%NWsm* $ 2 QV~$W> = I * &lyww Q W&iflbW %%f, mP- Q nDiNNWNfhf W?,Q% &:{

f k

1 tQ s i ' #

anMW m~ MWh , %kM & k M g%yhp Wh%ap% %Q%v%

1 &&#,k % b :w% ' u.yx  % vg& a ? &o.g,y l 4@?MW ' ,

a-

.M , n kw%m e W

r

1. n

$n u& y MyW.5%m$%w.W

%hGW W W WO;N Ng& @wm o &

$gMp3.#,'

&w~.mym@y%:,pw@m$es m;. 4g w& g ; gks w@ym:: w.a. g s_m n.a

,b

% @kb upa,MW r:MW r

39%

p b; hum s a QGT W &

e W' M D,ySw f W vW W  %;F.4,s%e@M ww g jw gW'+t &g% eh W hm@m maep M

n g.mo

% M rh &N Wp, >

2. m g g" c-ui r r ,as . "n r- u.

a ,'+u._

7 4m7^ W, w%"

. "M w e: a n

J o e.., n-

% 3 wpw.<&' y.N.e9 9{p. , i ppa ei r e-:cn m':0, '1camma i c ,4 4g) P. . N 3 -

m ., g: Vy h c.! :8 L H y x y he r n,

% f ,.ypn f. ~. ~'nte,c . . ib i pwa 7x? o w. m, > .w ,g.cp .._w: , wa ~

xp :fv.k + +C "n'4' &

. a c r Y Yt YY Yn .O Nh ~ aw w 0. <s t";~&.l . x , as n . ~xw;s yhm .. . e.Y-

~

t ,

wn.

c

w. b , n .

%g%ny wwwp p p , w; w ~n ie r < m , nm p p .m 4 t+;hy:q IEh w,pMdSih w

, #,< f%k,V,a? ?w' . n" *>,'vcN s , 36 w- ,"r o.

my@n%

• o ww@#

f " # d.c %w &n g

,l N 9 w W W

<w " $p  ; ang?}

d;g n gh ;e a pj, pt:w,m,sxg:rs.

~

xy m?.m

. n A A: o su% - A 4-

< u p -m w .m';a - qQp; ef 'l gf ;M o

< 2 r >w$ . 4 w % .vg m- L.::

c WW hc

?

t

?:S M. ' WM

., i s m .r mA ' t:

&w:YQ, k jog.A r 3' i..@tsun &hg.

a' .

V  : + V:% ? (&:! s' J i N al7s p-i> %e:n@y;A

$myddk:? WL $ (,v o '

w.3

a; ;,',. . '< &-,i i

@?.p ,.

, b 5+m pc R

+94W

.#m gN o a .? ,

e91 ' +

b.y3 *r. lp MhWW; i%m /'n 4 . , , .

c<cpg@+; W  : %m - ' ^s N i'N M '

ss W m> '

1 v6 e 91 g.s v$.'1y  % ..q., :Q b,::q+t r m  ;,c ' V:  !

.Y:D %. s ma-n s h 't f l.3:L -, to , ;Q ' . Mr. s  % ypf9,:s&.9

-J _'y,,7-m.

m-.gn,1:W.a -no ,, p 4,t ;<< ,1 $

v,g .. < ; 3 ,.- - -

,o.

.n% ' f w m~w&- A a, y s .v w. ,- .,

p a p ,.m

-. -  ; s 4 , _ <  :

. ^' '

t? ,.-- N'1,n!rf (fl\. /s {',91 1 g , . .- t1 l&, ,,9 #

1 a h

' Mtf: .p ;,A}b; a. ,,' ' i.t,yd?g, a n.elp g -

s.

&?.y

.s*8 ..e Ji n , s::n 9% ~m- .t z

g. , p

wk e y'4 s, p c,

. .. r i f

,c 1>

e J-s

,o

,.x.,

- y 3' 5

R:  % E :.. 7 vl .

If m,,-.n 3

9-v A ;y I .[*

z

% .i ).

&, $Q, i

g L' ,i, j , r i

Y QQy

./u.G .M' B. {. < it m a' ;> , "[.

o

! 3%  :

Q m v r . sm n! .*a aq c, .

.[' I .t > 7 (' )

Q' H  ?,, Q r

% 'Q p '

< jfl .if

h x o '

r J ;i

@Nf spmw g is 20

~ ,<

4

',7

- m '

A, .gre x .

,a

" m 4 p m,e t

g 9.' .'[-

w

% i

.-l 5 w ~.

(j%g 3 1 4 Sg ,6 n

pm-a 1

.. my

% - ' .:pl,. + **

',y9

'j;b;pf h&&q_

NM g' ,

' rn '

?x!O ,

'mg -

hh&0]&. w l$ 9.}

g%.)y:

&,1 i d: 4q; :mbe s yu m ;4,, .:o , :'

r < -- ,

m.&

n 4

?, L .. N, ' h:y jf t fT.lk%  ?]klff kD:fl:{:fs Nfkj,3.'U,5 f,<> '

+

f' M

. r.)

n .~ ,- ,

cc-. m. 3' 4 4 m , o

,aa. n m Q,,@y',... ,v J;qb,

}$r.$c 5

s i 1

si wn f f j i-Mu 3

p?

4

, u.mg

%@4j, p V4 b yM ":

g'oc p+ :>.g

' c p; '

9 p.tcg M6 < > y ?:( , %, e v 9a t phy < Fe, ww, x y > <

o&p@mllt:,'

f yd%; > We

- :yk W)Q c(;, o.

bi j

g.Qh ; .jyd '

'.. t 1 '

Kk n ' . . :2 i e d<Luqa vn 4 &, u s ,

m f

'. v ry "WL

!4E;,nn,T i n. ? ','. n!t 1

6 .d,,

. ; }-

h. [,g' s f h, m. W.

4; 'f QMV -b '

o h, 4 m }~: g, -

h h; mm ' . >[

.- I, r.

, )

my .,

U

, -k ff&&fEQ' ew nc Wi :g&l?Y$, w:n,um,wa_memw, n$$&w,h;Q$m 'x n,

_a _ _wa h.

-lg a