ML20205Q540

From kanterella
Revision as of 05:25, 12 December 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Technical Evaluation of Dcrdr Summary Rept for Rancho Seco Nuclear Generating Station
ML20205Q540
Person / Time
Site: Rancho Seco
Issue date: 05/20/1986
From:
SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
Office of Nuclear Reactor Regulation
Shared Package
ML20205Q545 List:
References
CON-NRC-03-82-096, CON-NRC-3-82-96 SAIC-86-1706A, NUDOCS 8605300206
Download: ML20205Q540 (23)
v  d  e


Text

.

SAIC-86/I706A TECHNICAL EVALUATION OF THE DETAILED CONTROL ROOM DESIGN REVIEW

SUMMARY

REPORT FOR THE SACRAMENTO MUNICIPAL UTILITY DISTRICT'S RANCHO SEC0 NUCLEAR GENERATING STATION May 20, 1986 Prepared for:

U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Prepared by:

Science Applications International Corporation 1710 Goodridge Drive McLean, Virginia 22102 f

Y d

0 l.

r r ) ('

2 FOREWORD This Technical Evaluation Report (TER) documents the findings of a review of the Sacramento Municipal Utility District's (SMUD) Detailed Control Room Design Review (DCRDR) for its Rancho Seco Nuclear Generating

- Station. The evaluation of Science Applications International Corporation (SAIC) was performed in support of the Division of PWR Licensing - 8, Plant, Electrical, Instrumentation and Control Systems Branch under Contract NRC-03-82-096, Technical Assistance in Support of Licensing Actions, Program III. SAIC previously participated in the review of the Program Plan and in an in-progress audit of Rancho Seco.

I I

I l .

i i

~

TABli 0F CONTENTS Section Pace BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 DISCUSSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1. Establishment of a Qualified Multidisciplinary Review Team . 4
2. Function and Ta.tk Analysis To Identify Control Room Operator Tasks and Information and Control Requirements During Emergency Operations ................ 5
3. Comparison of Display and Control Requirements With a Control Room Inventory . . . . . . . . . . . . . . . . . . . 8
4. A Control Room Survey To Identify Deviations From Accepted Human Factors Principles . . . . . . . . . . . . . . . . . . 10
5. Assessment of HEDs To Determine Which Are Significant and Should Be Corrected .................... 12
6. Selection of Design Improvements . . . . . . . . . . . . . . 13
7. Verification That Selected Improvements Will Provide the Necessary Correction and Verification That Improvements Will Not Introduce New HEDs ................ 15
8. Coordination of Control Room Improvements With Changes From Other Programs Such as the Safety Parameter Display System (SPDS), Operator Training, Reg. Guide 1.97 Instrumentation, and Upgraded Emergency Operating Procedures (E0Ps) . . . . . 17 CONCLUSIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 ii

9 TECHNICAL EVALUATION OF THE DETAILED CONTROL ROOM DESIGN REVIEW FOR THE RANCHO SECO NUCLEAR GENERATING STATION UNIT NO. 1 This report documents the findings of an evaluation of Sacramento Municipal Utility District's (SMUD) Summary Report of the Detailed Control Room Design Review (DCRDR) of the Rancho Seco Nuclear Generating Station Unit No. 1 (Reference 1). The purpose of the evaluation was fourfold:

1. To determine whether the DCRDR conducted by SMUD as documented in the Summary Report is acceptable
2. To recommend to the NRC whether a pre-implementation audit or a meeting should be conducted
3. To provide an audit or meeting agenda where appropriate
4. To provide a basis for feedback to SMUD.

The requirements set forth in Supplement I to NUREG-0737, " Requirements for Emergency Response Capability" December 1982 (Reference 2), served as the basis of the Summary Report evaluation.

SMUD's DCRDR of Rancho Seco Nuclear Power Station Unit No. I began with the submittal of the Program Plan to the NRC on April 30, 1984 (Reference 3). The NRC staff comments on the Program Plan were forwarded to SMUD on September 12, 1984 (Reference 4).

Based on review of the Program Plan, the NRC staff planned a meeting with SMUD at Rancho Seco. That meeting was conducted on October 23-24, 1984. NRC staff comments resulting from that meeting were forwarded to the Division of Licensing for transmittal to SMUD on December 6,1984 (Reference 5). The NRC staff also planned an in-progress audit of the Rancho Seco DCRDR. The purpose of the audit was to compare the organization, process, and results of the Rancho Seco DCRDR with the DCRDR requirements of Supple-ment 1 to NUREG-0737. The in-progress audit was conducted at the Rancho Seco Nuclear Generating Station on October 28 through November 1, 1985, and 1

I .

the findings of the audit were forwarded to the PWR Project Directorate No.

6 on January 9, 1986 (Reference 6). The DCRDR Summary Report was submitted by SMUD to the NRC on December 27, 1985. The findings of the evaluation of the Summary Report follow a brief overview of the background of the DCRDR requirements.

BACKGROUND Licensees and applicants for operating licenses are required to conduct a Detailed Control Room Design Review (DCRDR). The objective is to

" improve the ability of nuclear power plant control room operators to pre-vent accidents or cope with accidents if they occur by improving the information provided to them" NUREG-0660, Item 1.D.1 (Reference 7). The need to conduct a DCRDR was confirmed in NUREG-0737 (Reference 8). DCRDR requirements in Supplement I to NUREG-0737 replaced those in earlier docu-ments. Supplement I to NUREG-0737 requires each applicant or licensee to conduct its DCRDR on a schedule negotiated with the NRC. Guidelines for conducting a DCRDR are provided in NUREG-0700 (Reference 9), while the assessment processes for the NRC are contained in NUREG-0800 (Reference 10).

A DCRDR is to be conducted according to the licensee's own Program Plan

, (which must be submitted to the NRC). According to NUREG-0700, it should include four phases: (1) planning, (2) review, (3) assessment and implemen-tation, and (4) reporting. The product of the last phase is a Summary Report, which according to Supplement I to NUREG-0737, must include an outline of proposed control room changes, their proposed schedules for implementation, and summary justification for human engineering discrepan-cies with safety significance to be left uncorrected or partially corrected.

Upon receipt of the licensee's Summary Report and prior to implementation of proposed changes, the NRC must prepare a Safety Evaluation Report (SER) indicating the acceptability of the DCRDR (not just the Summary Report).

The NRC's evaluation encompasses all documentation as well as briefings, discussions, and audits, if any were conducted.

The purpose of this Technical Evaluation Report is to assist the NRC by providing a technical evaluation of the Rancho Seco DCRDR process and results.

2

. 1 The DCRDR requirements as stated in Supplement I to NUREG-0737 can be summarized in terms of the nine specific elements listed below:

1. Establishment of a qualified multidisciplinary review team.
2. Use of function and task analysis to identify control room operator tasks and information and control requirements during emergency operations.
3. A comparison of display and control requirements with a control room inventory.
4. A control room survey to identify deviations from accepted human factors principles.
5. Assessment of human engineering discrepancies (HEDs) to determine which HEDs are significant and should be corrected.
6. Selection of design improvements that will correct those discrepan-cies.
7. Verification that selected design improvements will provide the necessary correction.
8. Verification that improvements can be introduced in the control room without creating any unacceptable human engineering discrepan-cies.
9. Coordination of control room improvements with changes resulting from other improvement programs such as SPDS, operator training, new instrumentation (Reg. Guide 1.97, Rev. 2), and upgraded emer-gency operating procedures.

3 I -

' 1k DISCUSSION ,

1. Establishment of a Oualified Multidisciolinary Review Team

' The organization for conduct of a successful DCRDR can vary widely, but

is ' expected to conform to some general criteria. Overall administrative leadership should be provided by a utility employee. The DCRDR team should be given sufficient authority to carry out its mission.

A core group of specialists in'the fields of human factors engineering and nuclear engineer-ing are expected to participate with assistance as required from other l disciplines.. Staffing for each technical task should bring appropriate j expertise to bear. Human factors expertise should be included in the staff-ing for most, if not all, ' technical tasks. Finally, the DCRDR team should receive an orientation, which contributes to the success of the DCRDR.

Section 18-1, Appendix A, of NUREG-0800, describes criteria for the multi-

, disciplinary review team in more detail.

The Summary Report. includes.a description of Rancho Seco's Unit 1 DCRDR 0

management and staffing. The' design review team consists of the following:

l. Principal investigator

,2. Reactor operator

, 3. Nuclear systems specialist t 4. I&C engineers

5. Human factors engineers
6. CRDR specialist The core group is supplemented by personnel from other disciplines as required. The noise and illumination surveys were conducted by BBN Labs, a subsidiary of Bolt, Beranek and Newman, Inc. Assistance in estimating the time-critical nature of operator tasks during emergency operations was pro-vided by a Babcock and Wilcox (B&W) consultant, who had been instrumental in

. ' preparing the upgraded Emergency Operating Procedures for Rancho Seco.

_ The NRC in-progress audit team evaluated the composition and qualifica-i tions of the DCRDR audit team in order to address the NRC concerns identi-fied during the meeting of October 23-24, 1984. The concerns were resolved, 4

- 4 j ,

l

. i I

and the in-progress audit team concluded that the DCRDR team satisfies Supplement I to NUREG-0737 requirements.

As noted, the Summary Report provides the resumes of the principal DCRDR team members, along with a description of team management and staffing. Evaluation of the Summary Report documentation and review of the in-progress audit evaluation of team structure were conducted in order to verify that all previous NRC concerns had been addressed. As a result, SAIC concludes that the structure and management of the DCRDR Team satisfies this Supplement 1 to NUREG-0737 requirement for a qualified multidisciplinary review team.

2. Function and Task Analysis To Identify Control Room Operator Tasks and Information and Control Reouirements Durina Emeraency Ooerations The purpose of the system function and task analysis (SFTA) is to identify the control room operator's tasks during emergency operations and to determine the information and control capabilities the operators need to perform those tasks. The Summary Report provided an overview description of the SFTA activity. This SFTA description is consistent with the processes and results evaluated by the NRC in-progress audit team findings.

During the in-progress audit, the NRC team made the following observations regarding the details of the Rancho Seco SFTA. In order to independently identify operator information and control requirements along with instrumentation and control characteristics, the DCRDR team performed a system function analysis using seven basic sources of information. The Station Manual provided the system descriptions.

s The Process Standards provided system characteristics, such as operating ranges and tank levels.

i The updated Safety Analysis Report provided system descriptions. The i Abnormal Transient Operating Guideline (AT0G) presented the analytical assumptions of how the systems fit together as a whole. The upgraded E0Ps ,

provided seven basic E0Ps, along with five cooldown procedures and seven rules which define operator tasks (see Figure 1). The Piping and Instrumen-tation Diagrams served as a primary source of instrumentation information. i Training manuals developed by General Physics Corporation provided operator  !

training information for each system. NRC in-progress audit team review of the above scurce documents and results concluded that the operator

, 5 l l

~ '

TABLE OF CONTENTS PLANT OPERATIONS - EMERGENCY PROCEDURE EMERGENCY ^ PROCEDURES -

E.01 IMMEDIATE ACTIONS Original 06-01-85 E.02 VITAL SYSTEM STATUS VERIFICATION Rev. 1 06-27-85 E.03 LOSS OF SUBC00 LING Original 06-03-85 E.04 LOSS OF HEAT TRANSFER Rev. 1 09-11-85 E.05 EXCESSIVE HEAT TRANSFER Rev. 4 10-24-85 E.06 SGTR Rev. 3 10-17-85 E.07 ICC Rev. 3 10-24-85 CP.101 A LARGE LOCA HAS OCCURRED AND THE CORE FLOOD TANK IS Rev. 1 05-31-85 EMPTYING CP.102 NORMAL C00LDOWN Original 06-04-85 CP.103 TRANSIENT TERMINATION FOLLOWING AN OCCURRENCE THAT Rev. 2 09-11-85 ~

LEAVES THE RCS SATURATED WITH OTSG(S) REMOVING HEAT CP.104 TRANSIENT TERMINATION'FOLLOWING AN OCCURRENCE THAT Original 06-05-85 LEAVES THE RCS BEING COOLED BY HPI COOLING CP.105 TRANSIENT TERMINATION FOLLOWING AN OCCURRENCE THAT Rev. 1 05-31-85 MAY REQUIRE PRESSURIZER RECOVERY SOLID PLANT C00LOOWN WITH OTSG REMOVING HEAT AND RCS SUBC00 LED RULE 1 INITIATION OF HPI Original 06-05-85 RULE 2 HPI FLOW CONTROL Original 05-31-85 RULE 3 FEEDWATER THROTTLING GUIDEl.INES Rev. 1 05-31-95 RtiLE 4 SG LEVEL SETPOINT Original 05-05-85 RULE 5 LPI CONTROL Original 06-05-85 RULE 6 REACTOR VESSEL THERMAL SHOCK CONSIDERATIONS Original 06-05-85 RUI.E 7 RM HYDROGEN MONITOR Original 06-05-85 Figure 1. Plant Emergency Procedures, Cooldown Procedures and Rules.

t 6

_ _ _ . _ __._____..___ .,__-_ . _ . _ _ _ _ ._ _ ______ _ L

. l

  • 1 information and control requirements along with instrumentation and control characteristics were defined independent of the existing control room.

The function and task analysis conducted by the licensee was based on the upgraded symptomatic E0Ps, emergency cooldown procedures, and their companion operating rules. These three categories are bound together for easy access by the operators in a " red book." These symptomatic procedures are an outgrowth of the B&W owners group work on generic procedures, which were then made plant-specific by each licensee.

During the DCRDR in-progress audit, the NRC audit team members deter-mined that the " Cautions," " Notes," and status tasks embodied in the proce-dures were not incorporated into the SFTA. Since these cautions and notes often require operator action, they should be analyzed as part of the SFTA.

The issue of analysis of the " Cautions," " Notes," and status tasks was not addressed in the Summary Report.

The E0Ps are organized such that at various points in the vocedures, the operator is referred to another procedure that is not in the red bcok.

During its SFTA, the licensee's design review team did not continue its analysis into the procedures located "outside the red book." The NRC in-progress audit team reviewed these procedures and determined that most referrals were to procedures that conducted routine operations and were entered when the plant was in a stable condition.

In addition to performing a task analysis of the emergency operating procedures, cooldown procedures, and rules, the SMUD design review team also performed a task analysis of tasks that have been added as a result of revisions to the upgraded emergency operating procedures. This is referred to as deviation task analysis. Data collected during deviation task analy-sis were entered on standard CRDR Task Analysis forms and CRDR verification forms.

The only concern regarding the deviation task analysis process is that SMUD does not have a formal procedure for performing this analysis on future emergency operating procedures. It was recommended by the NRC in-progress audit team that a procedure be implemented to perform deviation task j analyses on future emergency operating procedure changes.

l -

! 7 i

L

The in-progress audit team recommended that the licensee also perform a task analysis of the containment hydrogen purge procedure "A.52." This is a

' safety-significant abnormal operating procedure which requires the use of control room instrumentation and communications with auxiliary operators.

However, the licensee did not address the issue of procedure A.52 in the Summary Report.

. As a result of an evaluation of the SFTA description in the Summary Report and in-progress audit results, the SAIC reviewers concluded that this activity was thoroughly performed and documented in accordance with the Program Plan. There are, however, three DCROR in-progress audit concerns that should be addressed by the licensee. First, the SMUD team should indicate that they performed a task analysis of the Cautions, Notes, and Status instructions in the emergency operating procedures. Second, a writ-task analyzed

' ten procedure for ensuring that future E0P changes would be should be developed. Third, the licensee should perform a task analysis of be procedure A.52 cr provide a justification why this procedure should not analyzed.

3. Comoarison of Disolav and Control Reauirements With a Control Room

~

i Inventory I con-The purpose of comparing display and control requirements with a trol room inventory is to determine the availability and suitability of Success of this displays and controls required for performance of the E0Ps.

element depends heavily on the quality of the function and task analysis and j

the control room inventory. Display and control requirements should be

[

! derived from analyses that are sufficiently detailed to support development Characteristics appropriate to of complete and technically adequate E0Ps.

the task should be described for each display and control need identified by function and task analysis.

The control room inventory should be a complete representation of The inventory should displays and controls currently in the control room. in include appropriate characteristics of current displays and controls and order to allow meaningful comparison with the results of the function task analysis. Unavailable or unsuitable displays and controls should be Overview descriptions documented as Hurran Engineering Observations (HE0s).

8

of the inventory activities including verification of availability and validation of suitability were included in the Summary Report. In addition to the Summary Report descriptions, the NRC in-progress audit results were reviewed during the evaluation of the inventory requirement.

The SMUD design review team inventoried approximately 6,000 items in the control room. The inventoried items included all fixed panel instrumen-tation along with computer-generated information from the plant process computer, safety parameter display system, and digital radiation monitoring system. The data fields included computer points, panel, item number, description, control room display number, system, instrument number, scale / meter / computer display, scale division, miscellaneous comments, and last modification date.

In order to verify the availability of required control room instrumen-tation, the SMUD design review team compared the information and control requirements along with instrumentation and control characteristics identi-fied during the task analysis with the inventory. The suitability of existing control room instrumentation was verified by performing a desk-top comparison of the task analysis data, control room inventory data, and Criteria Report guidelines. The results of the Verification of Task Performance Capabilities activity are documented in the Verification Report.

NRC in-progress audit team review of the Verification Report indicated that the report described the availability and suitability of all instruments that meet the information and control requirements identified in the task analysis. For example, all sources of main feedwater flow identified on the fixed panels, in the process computer, and on the SPDS are documented in the Verification Report. HE0s identified in this activity are cross-referenced to other DCRDR activities, such as the control room survey.

The Verification Report data fields include record number, control or display, instrument number, description, control room display number, panel number, item number, task analysis specificat on met, human factors engi-neering suitability, Human Engineering Observation number, and comments.

The validation of control room functions was conducted on the mock-up.

During the validation activity, all seven emergency operating procedures and five cooldown procedures were evaluated. An experienced operations expert

- 9

. . - - - - - - . ---,m- -- ,. - - -,.-n -,y - - . - - - . , , , -

9 was used to walk through the postulated plant configurations that could arise in the emergency. Two human factors experts collected two complete sets of operator data for all operator tasks. Each set of operator data contained procedure step number, panel, item number, and comments. The two sets of operator data were compared and differences resolved. Approximately 50 HEOs evolved from the validation activity.

In addition to the validation walk-throughs, the SMUD design review team prepared Traffic Link Diagrams and Spatial Sequence Diagrams for all E0Ps. Analysis of these diagrams produced several HE0s, but the vast majority of HE0s come from operator discussions during the walk-throughs.

The desk-top verification analysis was then compared with the mock-up validation analysis in order to identify differences. Where differences were identified, they were documented. In some cases, additional operator needs were identified; in others, displays that were not needed were iden-tified.

The HE0s identified during the verification and validation process indicate that the SMUD design review team appropriately conducted a compari-son of results of the function and task analysis to the control room inventory.

It is our conclusion that the process and results of the inventory activity are in accordance with the requirements of Supplement I to NUREG-0737. However, this activity cannot be closed until the issue of additional task analysis requirements resulting from the analysis of E0P cautions, notes, and status tasks has been addressed and procedure A.52.

4. Control Room Survey To Identify Deviations From Accepted Human Factors Principles The key to a successful control room survey is a systematic comparison of the control room against accepted human engineering guidelines. One accepted set of human engineering guidelines is provided by Section 6 of NUREG-0700. Discrepancies between the control room and human engineering guidelines should be documented as HE0s.

10 i

The licensee's control room survey start point was the result of an Essex Corporation (NUREG/CR-1580) survey conducted shortly after the requirement for control room design reviews was determined after the TMI incident. The Essex items were listed as HE0s and were reviewed by the licensee's design review team. All control room modifications made since the original survey were also incorporated.

The licensee prepared a Criteria Report document upon which to base its determination of departures from accepted human factors principles. This document had several departures from the guidance contained in NUREG-0700.

The NRC audit team reviewed each such departure and found the licensee's position to be accurate, complete, and thoroughly documented.

At the time of the in-progress audit, the DCRDR team had completed all the surveys except the Auditory Environment Survey and the Illumination Survey. The Auditory Environment Survey was being delayed until restart after the current extended outage. This was being done in order to measure accurately ambient noise levels during actual operating conditions. The auditory and illumination surveys were completed by December 1985.

The licensee's Summary Report states that the survey review was done using the full-scale control room mock-up. Any questionable items were checked with control room operators in the actual control room. HE0s produced from this review were included in the assessment phase. The Summary Report further states that new surveys were done for:

l 1. Noise and Illumination

2. Environment
3. Emergency / Safety Equipment i 4. Computer (SPDS only).

HE0s identified during these surveys were included in the assessment phase.

l A comprehensive review was also done of the presentation of alarms in the control room. HE0s concerning alarms that were generated during the

. previous Essex review and during the current DCRDR were provided to the project team.

. 11 l

\

In summary, the licensee's Criteria Report represents an ac,ceptable set of control room survey guidelines. All control room survey activities based on Criteria Report guidelines are completed. Review of the HE0s resulting from the control room surveys indicates that the Rancho Seco Nuclear generating Station Unit No. I has met the requirement for a control room l survey as required by NUREG-0737, Supplement 1.

5. Assessment of HEDs To Determine Which Are Sionificant and Should Be Corrected Based on the guidance of NUREG-0700 and the requirements of Supplement 1 to NURFG-0/s, all HEDs should be assessed for significance. The poten-tial for operator error and the consequence of that error in terms of plant safety should be systematically considered in that assessment. Both the individual and aggregate effects of HEDs shculd be considered. The result of the assessment process is a determination of which HEDs should be corrected because of their potential impact on plant safety. Decisions on whether HEDs are safety-significant should not be compromised by considera-tion of such issues as the means and potential cost of correcting those HEDs.

SMUD's methodology for HE0 assessment was conducted as described in Section 5.0 of the Program Plan. The assessment of HE0s to determine which are significant was conducted by the review team, which contained the proper subject matter experts and human factors specialists. Each HE0 was assigned to a team member for research into its validity and safety significance.

That team member was then responsible for presenting it to the assembled l team for discussion and determination of recommended action. Each HE0 was categorized. This categorization is shown on page 5-7, Figure 5-3 of the licensee's CRD review plan. No category A (high safety-importance non-I resolvable error) HE0s were found. Table 3-1 of the Summary Report, shows the distribution of HE0s according to source and category. Table 3-2 of the Summary Report shows the distribution of HE0s by type (and category). Of the Category B (safety consideration-recoverable error, corrected by opera-tors) HE0s, 13 were originally categorized as C or D, but were re-catego-rized based on a second review relative to safety significance. Category B HE0s were further categorized as Human Engineering Discrepancies (HEDs).

. 12

The primary means for identifying cumulative effects of HE0s was the observations of DRT made during the walk-throughs of the Emergency Operating Procedures in the control room mockup. Each HE0 was evaluated with consideration of how it impacted emergency operations in the context of all other HE0s.

In conclusion, the licensee's HE0/HED assessment process and results indicate that the assessment activity met the requirements of Supplement I to NUREG-0737.

6. Selection of Desian Imorovements i

The purpose of selecting improvements is, as a minimum, to correct safety-significant HEDs. Selection ~of ~ design impro~vements sh~o~uld include a

~

systematic process for development and comparison of alternative means for resolving HEDs. Both enhancement -and design modifications may be considered. ._

The licensee's design review team's recommendations for design improve-ments made during the assessment process generally were made without considering cost. The process has developed a reasonable and integrated set of design solutions. At the time of the in-progress audit, there was a concern about the three levels of management concurrence required for imple-mentation. The licensee's management approval of the Summary Report repre-sents a legal commitment to implement the proposed changes, thereby addressing-the NRC in-prtgress audit concern of management concurrence. The Summary Report is signed by the DCRDR team members, the Control Room Design Review Group Leader, the Emergency Response Capabilities Steering Group Chairman, and the Executive Management Committee.

The Summary Report outlines 65 proposed control room changes that have resulted from the DCRDR. The description of proposed control room changes are at the appropriate level of detail for the Summary Report documentation requirements. The outlines of the 65 proposed control room changes also reflect the influence of human factors engineering on the modification process.

13

~.'

Our review of the individual HE0s provided in the Summary Report indicated that the licensee has committed to correct all category B HE0s.

Since Category B HE0s are also classified as HEDs, the licensee has committed to correct all safety-significant HEDs. The correction methods include: design changes, enhancement modifications, procedures changes, and training. All proposed control room changes are justified through the t detailed technical review description on all HE0/HEDs.

In addition to Category B HE0/HEDs, the licensee provided all Category C and D HE0 descriptions. All Category C and D HE0 descriptions include technical review details, and reccmmended modifications. In many cases, the licensee has proposed control room changes for Category C and D HE0s. In all cases the licensee has provided justifications for leaving the HE0 uncorrected or partially corrected.

We do, however, have concern regarding the integrated implementation of the tentative control room modifications proposed in the Summary Report.

For example, SS-01 Auxiliary Feedwater System Upgrading - EFIC Implementa-tion entails major system revisions which delete several existing controls, but add many controls, displays and sensors. In addition to this change, SP-03 Additional CRT Display for SPDS proposes adding a CRT on the EFICs console to monitor natural circulation cooldown. At the time of the Summary Report, the licensee was still considering design alternatives for these changes. Therefore, we do not have the information to judge what the final control room design will look like. The most effective way of determining what the final control room design will look like is to evaluate the proposed modifications on the DCRDR mockup.

The Summary Report states that the proposed control room modifications will be implemented according to the licensee's " Integrated Living Sche-dule." Since the Integrated Living Schedule is coordinated with the NRC Project Manager and the licensee, this is judged to be an appropriate method for scheduling control room modifications.

In summary, the proposed control room changes presented in the Summary Report are described in the appropriate level of detail and reflect the integration of human factors in the design process. The justifications for leaving Category C and D HE0s uncorrected or partially corrected are 14

appropriate. The proposed list of 65 control room changes has been approved by plant management. Our concern is that the licensee has proposed exten-sive control room modifications which were not finalized at the time of the Summary Report. Therefore, we cannot judge the acceptability of the modifi-cations without reviewing finalized design modifications. In this regard, it would be very useful to evaluate the integrated set of design modifica-tions on the DCRDR mockup.

7. Verification That Selected Imorovements Will Provide The Necessary Correction and Verification That Imorovements Will Not Introduce New HEDs A key criterion of DCRDR success is a consistent, coherent, and effec-tive interface between the operator and the control room. One good way to satisfy that criterion is through iteration of the process of selection of design improvements, verification that selected design improvements will provide the necessary correction, and verification that improvements will not introduce new HEDs. Techniques for the verification process might include partial resurveys on mocked-up panel s, applied experiments, engineering analyses, environmental surveys, and operator interviews. Each iteration of the selection and verification processes should reduce incon-sistencies in the operator-control room interface while increasing coherence and effectiveness of that interface. An operator-control room interface with consistency, coherence, and effectiveness is important to operator performance. Thus, evaluation of both the changed and unchanged portions of i the control room is necessary during the verification processes.

l The Rancho Seco DCRDR team indicated that the above verification requirements are accomplished as part of the selection of design improve-ments. As design improvements are selected, there is a reapplication of the control room review guidelines to ensure:

1. Other human factors engineering guidelines are not violated.
2. Other corrections are not invalidated.
3. Any resulting increase in significance of other findings is identi-  !

fled and accommodated.

t

. 15

l The entire control room interface will be analyzed by for consistency, coherence, and effectiveness by performing a walk-through of procedure E.06

" Steam Generator Tube Rupture" on the modified mock-up. This procedure contains a comprehensive set of operator tasks, which are intended to exer-cise the proposed control room modifications. Experienced Rancho Seco operators and human factors engineers walk through the procedure to deter-mine whether the proposed corrective actions have resolved the HEDs and have not introduced new HEDs. This process is designed to confirm that the consistent, coherent, and effective control room interfaces result from the proposed changes.

The NRC in-progress audit team observed a walk-through of this proce-dure on the mock-up and determined that it is an effective method of verifi-cation. The mock-up is both an effective design tool and a training aid.

The licensee's Summary Report states that following the HE0 assessment process, the mock-up was modified to reflect the proposed design solutions and portions of the control room review process were reapplied, as appro-priate, to ensure that:

e The identified HE0s were resolved e Additional HE0s were not generated by the design changes (or if generated, were resolved by modification to the design changes).

The licensee's design review team provided the NRC in-progress audit team with a visual presentation of a number of modifications using the mock-up. The evaluation of these HE0 solutions included confirmation of the adequacy of the design modification by the Operations Department and review by the CRDR group.

In summary, the verification processes used to evaluate component level modifications and control room-wide modifications are being consistently applied as part of the DCRDR. The improvement verification processes and results should satisfy the requirements of Supplement 1 to NUREG-0737.

16

8. Coordination of Control Room Imorovements With Chances From Other Pro-arams Such as the Safety Parameter Disolav System (SPDS). Operator Trainina. Rec. Guide 1.97 Instrumentation. and Uoaraded Emeroency Doeratino Procedures (EOPs)

Improvement of emergency response capability requires coordination of the DCRDR with other activities. Satisfaction of Reg. Guide 1.97 require-ments and addition of the SPDS requires modifications and additions to the control room. Those modifications and additions should be specifically addressed by the DCRDR. Exactly how they are addressed depends on a number

of factors including the relative timing of various emergency response I

capability upgrades. Regardless of the means for coordination, the result should be integration of Reg. Guide 1.97 instrumentation and SPDS equipment into a consistent, coherent, and effective control room interface with the operators.

The Summary Report describes how Supplement 1 to NUREG-0737 initiatives are integrated under the overall coordination of the Emergency Response Capabilities Steering Group. The Summary Report also describes the coordi-i nation of the DCRDR with the Safety Parameter Display System, Regulatory Guide 1.97, Upgraded Emergency Operating Procedures, Emergency Response

. Facilities, and Training. Based on the in-progress audit team evaluation of the coordination requirement, and the evaluation of the Summary Report description of the integration of the DCRDR with other imhrovement programs, j the licensee has met this requirement.

CONCLUSIONS It is our evaluation that the licensee has made a concerted effort to resolve NRC concerns identified during earlier meetings with the NRC and during an in-progress audit. We did, however, identify several concerns related to the in-progress audit findings and Summary Report evaluation that remain to be addressed. The concerns are listed below:

. 1. The Summary Report did not indicate that E0P Cautions, Notes, and I Status tasks were analyzed following the NRC in-progress audit.

17

___. _ .m. - - _.--_ _ _ .. , _ . . . . _ _ _ _ _ . . _ _

t

2. The Summary Report did not indicate that the licensee , developed a formal procedure for performing a task analysis of new operator tasks introduced into the control room by E0P revisions.
3. The Summary Report did not include an indication that procedure A.52 " Hydrogen Purge System Procedure was task analyzed as recommended in the in-progress audit.
4. Comparison of information and control requirements identified in items 1 and 3 with the control room inventory to verify control and display availability and suitability need to be completed.
5. Assessment of new HE0s identified during additional task analyses, i.e., E0P Cautions, Notes, and Status tasks, need to be completed.
6. Given the major extent of the proposed control room changes, and the fact that some designs such as EFICs were not finalized at the time of the Summary Report, we do not have the information to judge the adequacy of the proposed changes. We recommend that the ',

licensee implement the proposed changes on the DCRDR mockup for evaluation by NRC.

7. Verification that the proposed solutions resolve the HE0s/HEDs and do not introduce new HEDs needs to be completed for HE0s/HEDs identified during E0P Cautions, Notes and Status tasks.

Given the extent to which the licensee proposes to modify the control room, we recommend that an audit be conducted to evaluate the integrated modification package on the DCRDR mockup and in the control room. This would give the NRC a comprehensive first hand look at extensive changes being implemented in such systems as integrated control system and the feedwater system.

18

s REFERENCES

[

1. " Sacramento Municipal Utility District's Rancho Seco Nuclear Generating Station Unit No. I's Control Room Design Review Summary Report,"

attachment to letter from R.J. Rodriguez, SMUD, to Frank J. Miraglia, USNRC, dated December 27, 1985.

2. Supplement 1 to NUREG-0737 - Requirements for Emergency Response Capa-bility (Generic Letter No. 82-33), U.S. Nuclear Regulatory Commission, i December 17, 1982.
3. Rancho Seco Nuclear Generating Station - Unit No. 1 Detailed Control Room Design Review Program Plan, Sacramento Municipal Utility District, April 30, 1984.
4. Review of the Rancho Seco Nuclear Generating Station Detailed Control Room Design Review Program Plan Submittal, U.S. Nuclear Regulatory Commission, August 15, 1985.
5. Results of October 23-24, 1984, Meeting to Discuss the Detailed Control Room Design Review of Rancho Seco Nuclear Generating Station, U.S.

Nuclear Regulatory Commission, December 6,1984.

6. Results of the October 28 - November 1, 1985, In-Progress Audit of the Rancho Seco Nuclear Generating Station Detailed Control Room Design Review, U.S. Nuclear Regulatory Commission, January 9,1986.

l

7. NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident," May 1980; revision 1, August 1980.
8. NUREG-0737, " Clarifications of TMI Action Plan Requirements," November 1980.
9. NUREG-0700, " Guidelines for Control Room Design Review," September 1981.

+

19

e.

10. NUREG-0800, " Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 18-1, Rev. O, September 1984.

W e

. 20 1

Retrieved from "https://kanterella.com/w/index.php?title=ML20205Q540&oldid=3018620"