REFERENCE:

1)

NRC Safety Evaluation Report from Mr. G. W. Knighton (NRC) to Mr. E. E. Vtley (CPRL), Dated October 25, 1985

Dear Mr. Denton:

Carolina Power k Light Company submits responses to'your staff's request for additional information identified in the NRC's Safety Evaluation Report (SER) for the Shearon Harris Nuclear Power Plant Safety Parameter Display System (Reference 1). Please review these attached responses and issue a supplemental SER.

If you have any questions, please contact Mr. Gregg A. Sinders at (919) 836-8168.

Y s ver

uly, SRZ/GAS/pgp (3050GAS)

Attachments cc:

Mr. B. C. Buckley (NRC)

Mr. G. F. Maxwell (NRC-SHNPP)

Dr. J. Nelson Grace (NRC-RII)

Mr. Travis Payne (KUDZU)

Mr. Daniel F. Read (CHANGE/ELP)

Mr. L. Beltracci (NRC)

Mr. R. J. Eckenrode (NRC)

Mr. T. S. Moore (ASLAB)

Wake County Public Library 8bObOb0050 ElbOb02 PDR ADOCI~, 0S00OO00

[

PDR S. R. Zimmerman Manager Nuclear Licensing Section Mr. Wells Eddleman Mr. John D. Runkle Dr. Richard D. Wilson Mr. G. O. Bright (ASLB)

Dr. J. H. Carpenter (ASLB)

Mr. J. L. Kelley (ASLB)

Mr. S. H. Weiss (NRC)

Dr. R. L. Gotchy (ASLAB)

Mr. H. A. Wilber (ASLAB) 411 Fayettevilte Street o P. O. Box 1551 o Raleigh, N. C. 27602

t-p1 fl

Question I Modify the display's design such that the Class lE multiplexer cards be powered from Class IE power within their division. This modification shall be completed prior to declaring the safety systems operational for the plant. Documentation to support this modification should be submitted to the NRC for confirmatory review,

~Res nse The display's design has been modified such that the Class lE multiplexer cards are powered from Class lE power within their division. Documentation to support this modification is attached.

The modification willbe completed prior to fuel load.

(3450GAS )

~ABET</ PIV. A

~FETy'IV. ej 8Am7ZRy ct/A+C6g. /A SA

/8OV GHEE arlcc. /A2/ SA 8>l 7ERy Ct/ARCER

/6 SA AgOVE&6/ti HCC IA3/ I ghA~BRQ ceARCE'lC.

IA S6 ASOV E'mER

~

<CIOV E~~.

ACC /I32/-SQ

/ /CC. /8$ /-S t3A 'PV O'Ry C /PARCE/2 /t3 S8 I2 V 8LIS DP-IA-SA l25V 8US DP-z5-sS

/25 V ATTY'R)

/A SA 480V Gm6R

&C.C. /A2/-SA 48OV 6 htcC /ASI

/25'

/3Afv&T

/0 ~5b QBov EMC'R mcC l/82/-SB 480 v 8wer.

Ncc. //3'3l S

)

)

7OOJ /2CIV patt/QR P4'a ZII-SA

+

cttAauP/ 7 vAJ/~I///I PO4%X 5IIFA~

cktAHt/EL~

u~/~BXCAK/P7, FewdIL su/A.

IA I/ SA Ctt~C g Vt/INKRIIVP/

POND/I; SVPPL C.H+pJ%6L W volw76RavP/

PO~

2OS//2OV mw6R. PHC-I >/I SQ l2OV AC

)g 0

MP-sX V

to 0

/2OVAC TDPS//1

/20 V AC.

DPQ'

)'

Ia 0

CO ut0 4

e

)~

)

/2ovAC TDP-Sii7 Vt 0<

o~

I 30

~v g tu u '9 0 0

~<n

~

H q to u 00 0 gL "o

Po oh

~ <

~

IO 0

0 gL zd g t/t v 0 oo L

I0

>u

. IO g N f 0 0

~L It ~

I It

$ u u g 0 g H

I g

~0Hu hlOIU Au/&AT'/C

%BC/tAM/CAI /~RLOCK gp Fgg DJV' SAFE+ DIV-5

A report on'the Safety Parameter Display System's (SPDS) design availability analysis for confirmatory staff review.

~Res nse The availability analysis is completed and the calculated availability of the SPDS is 99.87 percent.

The availability (A;) is calculated by the following equation:

MTBF MTBF + MTTR MTBF = Mean Time Between Failure MTTR = Mean Time to Repair V

The MTBF is calculated by the following equation:

MTBF=~

V/here X.

= Failure Rate of Any Component s

Availabilityis the probability that a system or equipment, when used under specified operational conditions and support environment, willoperate satisfactorily at any time.

The inherent availability, as quantified in this analysis, assumes an ideal support environment (i.e., available tools, spares, trained personnel, etc.) and excludes preventive maintenance actions, logistics supply time, and administrative downtime.

The MTTR is defined as the average time to perform corrective maintenance action.

This time period begins with equipment failure and ends when the equipment is returned to operational status. It includes time for fault detection, fault isolation, access/secure, maintenance operations (repair and/or replace), and function testing. It is also assumed that adequate spares are available at the site. A MTTR of 0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> was used throughout as specified by most of the vendors.

For the purpose of this analysis, system success means that the status information (analog value or digital status) of each of the specified SPDS points is available to the operator in the Control Room.

An apparent single point of failure is the peripheral switch controller system.

However, there are two features that provide additional reliability for the system.

One is that should the CPU control circuitry fail, the switches may be switched manually.

The other feature is that since the switch modules are mechanical, magnetically-latched relays they remain in the last commanded position and permit signal continuity even without power.

The calculated availability of 99.87 percent exceeds the high availability goal of 99 percent requested by the NRC. Carolina Power R Light Company (CPRL) considers this matter closed.

estion 2.b A commitment that procedures which describe the timely and correct safety status assessment when the SPDS is and is not available willbe developed and that operators be training to respond to accident conditions both with and without the SPDS available.

~Res nse The Critical Safety Function Status Trees (CSFST) developed as part of the Westinghouse Owners'roup Emergency Response guidelines form the basis of the SPDS displays.

The Shearon Harris Nuclear Power Plant (SHNPP) Emergency Operating Procedures (EOPs) and EOPs network currently specify when the CSFST are to be monitored and when the Functional Restoration Procedures required by the respective states of the CSFST are to be implemented.

The value of the input parameters for the CSFST and the resulting states of the CSFST are available directly from the SPDS.

The current information is available through the CRTs in the Control Room.

The SPDS has a calculated availability of 99.87 percent, however, if the SPDS is not available, a hard copy of the CSFST willbe available for manual assessment of the CSFST.

The EOPs do not distinguish between the manual or the computerized acquisition of the CSFST information since they produce identical results.

The training of the Shift Technical Advisors (STAs) (the primary individual responsible for evaluating the CSFST) and the licensed operators has covered the use of the EOPs, the purpose and use of the CSFST, and the'implementation of the manual method.

The STAs and licensed operators willbe trained on how the SPDS displays are accessed from the Control Room CRTs.

CPRL considers this matter closed.

(3450GAS )

Information on how new displays created by users from the keyboard willnot be confused with the standard set of displays within the SPDS.

Rese~nse Users cannot create new displays from consoles located in the Control Room, Technical Support Center, or Emergency Operations Facility. The console in the plant computer room is the only console from which new displays can be created.

This console is a locked console and the key is controlled by Control Room personnel in accordance with administrative procedures.

These administrative procedures, along with other plant access security controls to the computer room, comprise the security measures in place for the SPDS.

Additionally, top level, second level, and third level displays are called by labeled, dedicated function keys, or operator functions from top or second level displays.

PRIDs or one-lines cannot be inadvertently called by SPDS function keys or from a second level SPDS.

The display structures are completely separate and distinctively labeled.

CPRL considers this matter closed.

(3450GAS )

A list which coordinates the SPDS variables with the critical safety functions specified in NUREG-0737, Supplement l. In addition, the list could contain information which identifies the display format (or page) where the variable is presented to the user.

~Res nse For a response to this question, please refer to our December 2, 1983 letter (from M. A.

McDuffie to H. R. Denton) which transmitted the safety analysis of the SPDS.

CPRL considers this matter closed.

(3450GAS )

Data which demonstrates that the SPDS adequately monitors the Radioactivity Control Function under plant conditions with isolated steam generators.

~Res nse See response to Item 0 below.

(3450GAS )

A description of how the design validation of the SPDS variables willbe achieved as part of the Validation Test Plan.

~Res nse The Critical Safety Function Status Trees originating from the Westinghouse Owners'roup (WOG) Emergency Response Guidelines (ERGs) form the basis of the SHNPP SPDS top two levels of display.

These status trees provide an explicit, systematic mechanism for evaluating the plant safety status.

For multiple event/multiple failure scenarios that go beyond the design basis of the Engineered Safeguards System and the scope of the Emergency Operating Procedures (EOPs), the operator is provided with the means of directly monitoring the Critical Safety Functions and taking the prescribed action based on the Critical Safety Function display.

The WOG selected the "appropriate set of plant parameters" for the Critical Safety Functions.

For each parameter selected to be read, evaluated, and displayed on the SPDS, the WOG has provided a basis/background document.

Based on Regulatory Guide 1.97 instruments and plant instrumentation for the values requiring plant specific input, explicit evaluation guidelines have been provided.

For SHNPP, a complete setpoint study has been completed and included in the Procedures Generation Package (PGP) transmitted to the NRC in 1980.

The draft Technical Specification values have also been evaluated with the EOP values for consistency.

The status trees require no operator action other than monitoring a limited set of plant parameters.

The SPDS status trees are a part of the integrated plant computer system and display a subset of the plant parameters the operators use for routine operations terminating an event or in mitigating the consequences of an event.

Once a change of status is acknowledged and the EOP network has. been entered, the operator should begin monitoring the appropriate branch of the tree.

The top level SPDS is defined as the six-critical safety function boxes which are displayed constantly.

When the operator is not displaying a second level status tree, an overview of key plant parameters willbe displayed in the general display area.

The third level displays consist of sets of pre-defined variables for trending.

In addition to the WOG analysis for the type of variable for the "standard plant," CPRL has performed scenarios on two different simulators, licensed a class of operators, walked through the procedures in table top emergency planning reviews, and utilized the experiences of the H. B. Robinson Plant whose procedures were written in parallel by the same author.

With the large amount of operator input, review, and the setpoint study combined with the results from simulator exercises, CPRL feels that the variables in the SPDS as well as the EOPs have been proven to be acceptable.

The variables have been verified, tested, validated, and analyzed and the results show that the actual result matches the expected results.

Finally, CPRL must also note that both plants, H. B. Robinson and SHNPP, have been using the SPDS function for well over a year in the hard copy mode (w/o the computer).

CPRL has found that not only does the concept function better than expected, but that the operators use SPDS functions during EOP situations.

The operators also trust the SPDS function and the EOP function especially after the extensive amount of EOP/SPDS background information and analysis that support these functions and the simulator exercises.

(3450GAS )

As the WOG/Westinghouse utilized human factors principles in the evaluation of the transition from procedure to procedure in the layout/format of the EOPs (which include the CPRL EOPs and the Critical Function Status Trees) and in the area of simulator V R V, CPRL believes that these procedures have a sound engineering, analytical, and human factors basis.

CPRL has also provided sound engineering in the transition from generic to plant specific, sound analysis in the development of the setpoint study and the other evaluations required in the transition from generic to plant specific.

Sound human factors have also been utilized in the many hours of evaluation on simulators, procedures walkthroughs during the Control Room Design Review (CRDR) effort, operator interviews, and the total CRDR effort. This includes receiving operator comments, evaluating the comments, and making modifications where necessary.

(3450GAS )

estion 2.

A Validation Test Plan which includes human factors acceptance criteria for evaluating the use of the SPDS.

~Res once See Response to Question 5 (3450GAS )

A Validation Test Report which describes test results and plans for resolution of problems identified during the test program.

~Res nse CPRL has a high degree of confidence that the Final Validation Test Report will demonstrate that the SHNPP SPDS is an extremely well designed computer system.

The SPDS has been developed from the top down as shown in the attached figure.

Additionally, hardcopy outputs of the as-designed SPDS have been used on the Harris simulator with great success and acknowledged by the NRC staff in a Trip Report dated May 22, l980. The Final Validation Test Report willbe available prior to startup following the first refueling outage.

(3450GAS )

t.,%X'IGURE 1-1 ERFIS/SPOS EFFORT DETAllH)

FUNCTIONAL SPEC.

NUREG-0696 R.G. 1.97 NUREG-0654 PLANT PARAMETERS S

DEVELOPED EOPS HUMAN FACTORS e CONSOLE DESIGN e SAIC REVIEW

~

• SPDS

'ISPLAY DEVELOPMENT EOPS ERF LOCATIONS MONITORS INFORMATION SAI'ETY ANALYSIS

, EMERGENCY ACTION LEVELS (EAL )

FINAUZE STATUS TREES FAGER STATIC CHECK OF ERRS SPDS HNAN FhCtORS EFFaRT o OtSPLAY RBt9f o Th8K RP SYb~ TEST PLAN RNAL ERFIS DS IN CONTROL ROOM 1-22

~estion 3 Conduct a review of all SPDS display formats for human engineering discrepancies (HEDs). Allidentified HEDs from the review should be assessed and resolved within the DCRDR effort and the results of the assessment reported in the DCRDR Summary Report which is submitted for staff review.

~Res nse A preliminary review of SPDS display formats for HEDs has been completed.

HEDs identified from this review have been assessed within the DCRDR effort, The disposition of the HEDs were reported to the staff in the DCRDR Final Summary Report submitted to the NRC on September 13, l985 (A. B. Cutter to H. R. Denton, NLS-85-235).

Additional HEDs identified on the SPDS willbe resolved prior to startup following the first refueling outage.

(3450GAS )

~estion ts Address the following variables which are not included in the SPDS by:

l) adding these variables to the SHNPP SPDS, 2) providing alternate added variables along with justifications that these alternates accomplish the same safety function for all scenarios, 3) providing justification that variables currently on the SHNPP SPDS do in fact accomplish the same safety functions for all scenarios, or 0) identifying that these variables are in fact available from the SPDS console:

a.

source range neutron flux, b.

intermediate range neutron flux, c.

RHR flow, d.

steam generator (or steam line) radiation, e.

stack radiation, f.

containment isolation status, g.

containment hydrogen concentration.

~Res nse Variables a-c are in fact available from the SPDS consoles.

Based on discussions with the NRC staff, CPRL willadd variables d-g to the SPDS top level display to resolve this item. CP6rL considers this matter closed.

(3450GAS )

Question 5 Submit the Verification and Validation Program Plan for docketing.

~Res nse A Summary of Verification and Validation Plan is attached.

(3450GAS )

SUMMARY

OF THE VERIFICATIONAND VALIDATIONPLAN 1.

INTRODUCTION i.i

~ob ective The objective of the Verification and Validation (V@V) Program for the Carolina Power R Light Company (CPkL) Shearon Harris Nuclear Power Plant (SHNPP) Unit 1 Safety Parameter Display System (SPDS) Emergency Response Facility Information System (ERFIS) is to provide a quality system through independent technical review and evaluation.

The V@V effort described meets the basic objective that an adequate independent technical evaluation has been made on the SPDS functions provided by the ERFIS computer.

The ERFIS willbe evaluated to determine that SPDS functions provide continuous and reliable display of SPDS plant parameters to control room operators.

The SPDS function is required in order to keep the control room operator informed of the status of critical safety functions and alert to abnormal operating conditions.

The SPDS computer functions have been incorporated with other plant computer functions such as the NSSS functions.

These other plant computer functions provided by ERFIS willalso be subject to limited V@V. An evaluation of the interactions and interfaces between these functions and the SPDS functions willbe performed by the V@V Team.

To ensure that a separate technical evaluation of the SPDS willbe performed without programmatic bias, the V@V Team staff is independent of the Development Team and Quality Assurance Program.

(3450GAS )

2.

ERFIS V@V SCOPE Rhh The V@V Program activities described in this V@V Plan are based on the NSAC-39 Report.

Our approach is a practical balance with the size and complexity of the SPDS/ERFIS.

The five VXVactivities described in NSAC-39 and being applied for SPDS/ERFIS include Systems Requirements Verification (System Requirements Review),

Design Verification (Design Review), System Validation (Validation Test and Report),

Field Installation Verification (Field Verification Test), and preparation of the Final V@V Report.~

The Final V@V Report willsummarized the results of the four VXVactivities listed above and willsummarize all discrepancies found during the VRV evaluation.

The balanced approach provides assurance that the system has been constructed in accordance with system requirement specifications.

Figure 2-1 shows the V@V activities in relation to generic system development activities.

2.2 VRV Activit Overview Figure 2-2 shows an overview of the V@V activities to be applied in evaluating the ERFIS and the following paragraphs describe each of these activities.

2.2.1 S stem Re uirements Verification System Requirements Verification is a technical evaluation of the SPDS/ERFIS requirements documentation against NRC standards and regulations relating to the upgrade of Emergency Response Facilities. It also involves an evaluation to ensure the SPDS/ERFIS design specification is a proper translation of the SPDS/ERFIS requirements documentation.

Evaluation of the design specification documentation is normally a System Design Verification step.

Exception to this normal V@V procedure is being taken to consider the design specification documentation as the requirements baseline document once the System Requirement Verification is complete.

2.2.2 S stem Desi n Verification System Design Verification is an evaluation of SPDS/ERFIS detailed hardware and software design documentation against the verified SPDS/ERFIS requirements documentation.

Design Verification provides assurance that the system complies with the system requirements.

Hardware design utilizing off-the-shelf items willnot undergo independent design verification.

..3 S~i System Validation provides assurance that the final system complies with the system requirements.

Demonstration of acceptable operation of implemented functions is accomplished through a planned testing and evaluation process.

The activity names shown in parentheses are the names used in NSAC-39.

(3450GAS )

The objective of validation testing and evaluation is to provide an.end-to-end check to determine that the system implements the required functions in compliance with the specified system criteria. System Validation comprises two primary phases:

1) preparation of the Validation Test Plan, and 2) validation testing and evaluation.

2.2.0 Field Installation Verification Field Installation Verification is an evaluation of the validated system after it has been installed. It is a verification that the installed system is the one validated during validation testing.

Verification that the information displayed is directly correlated with the sensor data input is an objective of Field Verification Installation.

..5

~il I R

The purpose of the Final V@V Report is to summarize the V@V activities performed throughout the project and to summarize the results of those evaluation activities. The report provides a summary of results of the VdcV effort; it willbe organized to aid in reviewing the adequacy of the validation effort and providing confidence in the validated system.

Traceability of the V@V activities throughout the project, identification and resolution of discrepancies, and reference to more detailed documentation willbe provided in the Final V@V Report.

2.3 V@V Documentation The contents of the documentation willbe consistent with the typical report contents which are described in NSAC-39.

2.0 Confi uration Mana ement of V@V Documentation An important activity in the VIVProgram is the management and control of project documentation and correspondence received by and V@V reports issued by the V@V Team.

An individual within the V@V organization is assigned the responsibility of controlling the project documentation.

This individual willbe referred to as the V@V Configuration Manager.

The V@V Configuration Manager is responsible for logging and filingall project documentation, controlling changes to V@V deliverable documentation, and maintaining the status of the documentation changes.

Project documentation and correspondence received by the V@V Team must be acknowledged and made available to each team member.

When documentation items are received, the VXVConfiguration Manager records the item received on a project log which is available to all V@V Team members.

The documentation item is then filed in a central file location designated specifically for this project.

Formal V@V reports are subject to change control by the V@V Team.

A change control system has been designed to provide identification and traceability of documentation changes throughout the V@V activities.

Once a document has been released as a final document (is no longer a draft) changes are controlled under this procedure.

Each formal document released by the VXVTeam is assigned a unique identification number and a revision level.

Each document contains a revision page in the front which indicates the date on which the document was revised, the document section, and page numbers of the text affected by the change.

(3450GAS )

04/16/84 5AI-84/ 1 526526 4 Fioure 2-1 Relationship of V5V to Generic Sys em Development Activities 7 2 7 FOR SPDS NSLC 39 SYS i e'vf RKQUIREAENTS (HARDVIARE 8c SOr BEWARE)

REQU I RBIEifTS VERIFICATION HARDY/ARE SPECIFICATION P RELIMINARY DESIGN FiNAL DESIGN DESIGN VERIFiCATION MANUFACTURE TEST TEST BED REQUIREvt EVIS DESIGN CONSTRUCTION INTEGRATe.

8c TTEST YALfDATION TES I SOFiiYARE SP ECfF1CATION PREL'MINARY DESIGN FINAL DESIGN DESIGN

'vt,RIFICATION CODE//'EBUG TEST RESULTS FIEW INST>LtlTION 8c ~tS INSi~TIQN V&IFICATlONWe=~S VALIDATlON R~ORT 2-9

VdY PLhtt AND'ROCEDURES NRC S'IANDAROS Sf~gggg~REHEtt PERfORH SVSTEH REQUIREHEHIS ERFIS fUNCTIOtthl VERlflCAIIOtl SPECIFICATIOH RE ttIRENENTS VER F CATIOtl REPOR VdV PLAN ANO PROCEDURES

~0)IotLIta~ttH tjfA PERFORN OESIOtt VERIFICATIOtl s>c~caIaeuatLareaa YdY PLhtt At8 PROCEDURES DEVELOPER'S TEST DOCUHEHTATION IHSTALLATIOtlDOCUHENTATION PERFORH STSTEH VALIDATIOtl ERFIS VALIDATIONTEST PI.AN DhTIMJESLREE YdV PLAtl Atto I'ROCEOURES PERFORH FIELD INSTALI.ATIOtl VER IF ICAIION ERFIS Ifl0J II518ll!IINIL VERIFICATIOtl REPORT Vdv PLhtt d

PROCEDURES Os OEVEI.OP Ydv F INAL REPORT VdV FINAL REPORf OVERVIEW OF V/V ACTIVITY PERFORMANCE FIOURE 2-2

estion 6 Provide revised Implementation Plan to reflect currently planned activities and schedules for the design completion, control room installation, and operation of the SPDS.

~Res nse The design of the SPDS is complete.

The SPDS willbe operational and the other related activities discussed in this letter willbe completed prior to fuel load, except as discussed in response to Questions 2.h and 3.

CPRL believes that these responses willallow the NRC to issue a supplemental SER and that a post-implementation audit willnot be necessary.

(3450GAS )