ML20195C495

NRR Audit Rept on Implementation of GL 98-01, Year 2000 Readiness of Computer Sys at Npps, 980927-1001
Person / Time
Site: Seabrook (NextEra Energy)
Issue date: 11/06/1998
From: NRC (Affiliation Not Assigned)
To:
Shared Package: ML20195C478
References: GL-98-01, GL-98-1, NUDOCS 9811170131


Text


U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION (NRR)

AUDIT REPORT ON IMPLEMENTATION OF GENERIC LETTER (GL) 98-01
"YEAR 2000 READINESS OF COMPUTER SYSTEMS AT NUCLEAR POWER PLANTS"

Docket Nos: 50-443
License No: NPF-86
Licensee: North Atlantic Energy Services Corporation
Facility: Seabrook Unit 1
Location: Seabrook, NH, 13 Miles South of Portsmouth, NH
Dates: September 27-October 1, 1998
Audit Team Members: Matthew Chiramal, NRR; William Ruland, Region I; Deirdre Spaulding, NRR

Approved by: Jared Wermiel, Chief, Instrumentation and Controls Branch, Office of Nuclear Reactor Regulation


EXECUTIVE SUMMARY

From September 29 through October 1, 1998, the NRC staff conducted an audit of the Year 2000 (Y2K) program at the Seabrook Nuclear Generating Station in accordance with the audit plan for this activity.

The purpose of the audit was to (1) assess the effectiveness of the North Atlantic Energy Services Corporation (the licensee) programs for achieving Y2K readiness, including continued safe operation of the plant as well as compliance with applicable NRC regulations and license conditions with respect to the potential Y2K problems, (2) evaluate Y2K program implementation to assure that the licensee's schedule is in accordance with NRC Generic Letter (GL) 98-01 guidelines for achieving Y2K readiness by July 1999, and (3) assess the licensee's contingency plans for addressing risks associated with potential events resulting from Y2K problems. The audit team reviewed selected licensee documentation regarding Seabrook's Millennium Project Plan (Seabrook Y2K readiness program) and conducted interviews with the cognizant licensee personnel. The results of this audit and subsequent audits at other selected plants will be used by the staff to determine the need for additional action, if any, on Y2K readiness for nuclear power plants.

Based on the audit team's assessment and evaluation of the Seabrook Y2K readiness program, the following observations were made:

1. The Seabrook Millennium Project Plan, Revision 3.0, incorporates several items that reflect an increased understanding of Y2K issues that were identified through project self assessments, oversight, and audits since Revision 2 was issued in August 1998.
2. The Seabrook Millennium Project Plan is based on the guidance of NEI/NUSMG 97-07 and NRC Generic Letter 98-01 and is well-structured and readily useable.
3. The evaluation performed by the station project staff in completing the analysis of items is considered to be consistent with the Seabrook Millennium Project Plan. The Seabrook Millennium Project is planned to be completed by July 1999, with the primary exception of the modified Radiation Data Monitor System, which is scheduled for installation in the 4th quarter of 1999. The licensee and audit team identified an inconsistency in classification of items in the plan which is being corrected.
4. The Seabrook project is in the remediation phase. The test procedure developed by Seabrook for identifying the Y2K problem and for verifying remediated software and embedded systems is a thorough, detailed procedure that would adequately identify Y2K problems and aid in identifying and correcting the root cause of the problem.
5. The Seabrook Millennium Project Plan Revision 3.0 includes the Contingency Plan based on the guidance in NEI/NUSMG 98-07. The implementation of the plan is scheduled to start in November 1998.
6. The Seabrook Y2K plan is being coordinated with Independent System Operators New England in order to address electric power supply system availability concerns.

1.0 INTRODUCTION

The objectives of the Seabrook Nuclear Generating Station (Seabrook) Y2K Program Audit were to:

1. Assess the effectiveness of the North Atlantic Energy Services Corporation (the licensee) program for achieving Y2K readiness including continued safe operation of the plant as well as compliance with applicable NRC regulations and license conditions with respect to potential Y2K problems.
2. Evaluate Y2K program implementation to assure that the licensee's schedule is in accordance with NRC Generic Letter (GL) 98-01 guidelines for achieving Y2K readiness by July 1, 1999.
3. Assess the licensee's contingency plans for addressing risks associated with potential events resulting from Y2K problems.

The audit was conducted in accordance with the established audit plan which was based in part on the guidance and requirements contained in the following documents:

- GL 98-01, "Year 2000 Readiness of Computer Systems at Nuclear Power Plants"
- Licensee Response(s) to GL-98-01
- Plant technical specifications and license terms and conditions
- Applicable NRC regulations
- NEI/NUSMG 97-07, "Nuclear Utility Year 2000 Readiness"

Prior to the audit at the plant site, the audit team reviewed the Seabrook Millennium Project Plan, Revision 2.0. Upon commencement of the audit, a copy of the Seabrook Millennium Project Plan Revision 3.0 was made available by the licensee for review during the audit. Attachment 1 is a list of documents reviewed by the audit team.

The audit process started with an entrance meeting attended by the Seabrook Y2K Sponsor and Y2K Project Manager, other plant personnel, and members of the audit team. Attachment 2 is a list of the attendees. Members of the Seabrook Y2K organization described the project organization, the project plan, implementation, and the current status.

Subsequent to the entrance meeting, the audit team reviewed the Seabrook Millennium Project Plan, associated project documentation, and communicated with the Seabrook Millennium personnel on an on-going basis to resolve questions as they arose.

2.0 SEABROOK PROJECT DESCRIPTION

2.1 Project Organization

The Seabrook Millennium Project Plan organization consists of the following roles: (1) an Executive Sponsor, who is responsible for strategic project guidance, approval and executive support, (2) a Y2K Sponsor, who is responsible for providing overall guidance and approval on the budget, resources, progress and results, (3) a Y2K Project Manager, who is responsible for the overall success of the project, including development of the implementation plan, supervising the project team and providing leadership on millennium issues to all station departments, (4) a Y2K project team consisting of the Seabrook Station personnel performing activities related to the millennium effort, (5) the software, hardware, and embedded system sponsors, who have primary responsibility for the operation of the item (typically the principal user of the item) and are held accountable for the performance of the item, (6) the software, hardware, and embedded system maintainers, who have primary responsibility for the maintenance of the item and the completion of millennium-related tasks, including any remediation, testing and validation, and implementation, (7) the millennium project steering committee, (8) the joint owner audit committee, (9) a contingency plan coordinator who is assigned to facilitate and coordinate the millennium contingency planning effort, (10) the contingency planning team, and (11) a contingency plan technical lead.

The Seabrook licensee participates in group activities related to the Y2K effort with other organizations as follows: NUSMG and NEI, Northeast Energy Alliance (NEA), EPRI, Independent System Operators (ISO) New England, Sorrento Owners Group, and Westinghouse Owners Group (WOG). The Seabrook licensee will use documentation and test plans from the WOG as they are made available to evaluate Y2K readiness or compliance of identified items within the WOG scope. Additionally, the licensee is engaged in bench-marking and peer review activities with other plants as the opportunity is available.

The Seabrook licensee and Florida Power and Light (FP&L) engaged in a bench-marking and peer review activity in June 1998 and established an information exchange to explore the manner in which the Y2K problem was and is being addressed at their plant sites. This type of bench-marking and peer review interface will be scheduled with other utilities as the opportunity occurs.

2.2 Project Plan

The Seabrook Millennium Project Plan, Revision 3.0, dated September 25, 1998, is the plant specific Y2K readiness plan developed by the licensee. The goal of the Seabrook Millennium Project is to ensure that the station is Y2K ready by July 1999. The Seabrook Millennium Project began in October 1996. Revision 0 of the Project Plan was issued in the spring of 1997. The Seabrook plan is similar to the NEI/NUSMG 97-07 Nuclear Utility Year 2000 Readiness guidance which was published in the Fall of 1997. The audit team's review found that the Seabrook Millennium Project Plan encompasses the guidance in the NEI/NUSMG 97-07, although some differences in activity names/terms exist.

The Implementation Plan of the Seabrook Millennium Project Plan includes the process for awareness, inventory, assessment, remediation, testing, validation, documentation and signoff of items. The plan includes a change management process that allows new items to be added to the inventory, while existing items, plans, strategies and impacts can be re-evaluated and modified if necessary.

2.2.1 Awareness

The awareness activities are included in the section entitled "Communication Plan," in the Seabrook Millennium Project Plan. The formal Y2K awareness phase of the Y2K program at Seabrook began in 1997. The Y2K problem was brought to the attention of the entire plant via "Seabrook Today," a newsletter published by North Atlantic Communications, and distributed October 23, 1997.

Communication and awareness is maintained at all levels throughout the plant. The communication mode and information is tailored to the specific site audience. Seabrook's Millennium Communication Plan is intended to ensure that appropriate plant personnel are aware of the Y2K problem and take suitable action. The Seabrook licensee uses "communication deliverables" to foster participation and awareness. The following communication deliverables are tailored for their specific audience: project plan revisions, project status reports, millennium item owners and maintainers communication, internal millennium articles, millennium posters and banners, awareness sessions/presentations, and one-on-one meetings. The audit team reviewed the Seabrook Millennium Communication Matrix, which identifies the various audiences and the corresponding awareness communication(s).

The Seabrook Y2K Readiness schedule is provided in Table 1.

2.2.2 Initial Assessment

What the NEI/NUSMG 97-07 guidance calls initial assessment (the inventory, categorization, classification, prioritization, and analysis of the initial assessment) is described in Seabrook's readiness plan in Section 4.1, Inventory. In Seabrook's readiness plan, the inventory activities include inventory scope, categorization, classification, and inventory signoff.

The inventory identifies all software items and embedded systems potentially affected by the Y2K problem. Additionally, because embedded systems are particularly difficult to inventory, the Seabrook project team took added care to ensure that all potentially affected embedded systems and firmware items were included in the inventory. The embedded system inventory was handled by the Seabrook Station Technical Support Department Engineers. Since most of the staff had been at Seabrook since the plant's design phase, there was a great deal of historical knowledge on station systems, procedures, programs, manuals and other documentation pertaining to embedded systems to draw upon.

Identification of the embedded systems encompassed system reviews, EPRI database searches and vendor contacts, internal and external comparisons of inventory data, and knowledge-based decisions.

The inventory phase at Seabrook was completed in August 1998.

2.2.3 Detailed Assessment

Detailed assessment results are used to make decisions regarding activities required to ensure the continued operation of the software. Seabrook's readiness plan Section 4.2, Assessment, includes the analysis activity which encompasses failure impact, Y2K status and strategy, and the activities of planning and assessment phase signoff.

Y2K classification at Seabrook is based upon "failure impact" analysis. Failure impact classification is defined as follows:

Safety Implication - Important to safety of personnel and the public, safety-related controls, performs design basis calculation on nuclear safety-related structures, systems and components, process monitoring used as the basis for operational actions which prevent the release of radioactive material to the environment, and safety-related direct impact.

Plant Trip - Affects the plant's ability to stay on-line.

Generation Reduction - Impacts level of power generation.

Regulatory Requirement - Required by regulators, pertains to a license commitment.

Business Critical - Important to continuity of business, major impact on service to customers, could result in lost productivity to the majority of employees.

Minimum Impact - Minimal impact to business, services not affected, loss of productivity to some employees.

No Impact - Non-essential, no impact to business operations, no lost productivity.

The Y2K status of systems is identified as: non-compliant, compliant, in-process, validated, eliminated, or unknown. The plan notes that for vendor responses that indicate an application or device is Y2K ready or compliant, a decision on whether to perform validation testing is required. This decision may be based on failure impact, extent of documentation provided, confidence in the vendor, and Seabrook's knowledge and experience with the product.

Once Y2K status is determined, the strategies to achieve compliance or readiness are determined. Strategies identified in the Seabrook Millennium Project Plan are: eliminate, fix, replace, or accept as is.

Table 2 provides the inventory of items. Of the 1304 items identified, the Seabrook licensee identified 12 that were found to have safety implications, 13 to have implications with respect to plant trip, 160 were found to be required by regulations or license, and 800 were found to be significant to business. Table 3 provides the inventory assessment.

One item of the 12 classified as Safety Implication, the Reactor Vessel Level Indication System (RVLIS), is required by technical specifications (post accident monitoring) and performs high energy line break (HELB) isolation of auxiliary steam, steam blowdown and letdown upon detection of a high temperature condition in the auxiliary building. RVLIS has been identified as not Y2K compliant and is being remediated as part of the WOG Y2K effort. In addition to the testing done by Westinghouse, the licensee plans to do additional testing of the remediated RVLIS at the site.

The folders of items reviewed by the Audit Team are listed in Tables 4, 5, 6, and 7. The team reviewed 10 items that had safety implications, 5 that impact generation reduction, 9 that impact plant trip, and 10 that have regulatory impact. (Note: The classification in these tables is defined in Seabrook's North Atlantic Information Manual (NAIM). The NAIM, Revision 4, is effective October 1, 1998; in this revision, the classification values (grading) change. All items added to the millennium inventory on or after 10/1/98 will use the new software classification values. All items in the millennium database prior to 10/1/98 do not need to be reclassified in the millennium database. Valid values prior to 10/1/98 are: safety critical, mission critical, and non-rated. Valid values 10/1/98 or later are: Level A1, Level A2, Level B, Level C, Level D).

2.2.4 Y2K Testing and Validation

Testing and validation is performed by the maintainer to ensure that the item is either Y2K ready or compliant. Existing station programs are used for testing. For embedded systems, work requests are written to track and document all testing performed. If there are multiple occurrences of an item that is being tested, for example in spare parts, then these items are to be flagged and tracked for testing prior to anticipated failure dates. Depending on the item, Y2K testing may be performed at multiple levels: unit testing, which focuses on functionality and compliance testing of a single item; interface testing, to determine the ability to process Y2K data from one item to another; and integration testing of the platforms on which the item operates. Documentation requirements for testing/validation include indication if testing was performed and if not, why. If testing is performed, the test plan checklist is used to ensure appropriate testing is performed. The test plan checklist includes a review of the following tests: rollovers, high risk dates, leap year, sorting and comparisons, calculations, and interfaces. Testing should ensure that an item is Y2K ready and that no new problems are introduced. Testing is performed in accordance with a Technical Support Group Instruction (TSGI). The audit team reviewed TSGI-13 for general software testing and a draft version of TSGI-14 on embedded systems testing (documents 2 and 3 of Attachment 1) and witnessed two bench tests of components that utilized TSGI-14 guidance.

2.2.5 Remediation

The purpose of remediation is to replace, fix, or eliminate items identified in the assessment as non Y2K compliant. Remediation includes activities that make the item Y2K compliant or ready. Software-based system changes are made in accordance with the NAIM, which defines the Software Quality Assurance Program. In the documentation of the remediation of an item, if the item interfaces with other systems, the maintainer identifies the system interfaces so that arrangements can be made for interface testing and scheduling.

2.2.6 Regulatory Considerations

In implementing the Seabrook Millennium Project Plan the licensee makes use of existing programs and policies to ensure that appropriate reviews and evaluations are performed and documented for regulatory compliance. These reviews and evaluations encompass 10 CFR 50.59 reviews, reportability evaluations per 10 CFR 50.72, 50.73 and 10 CFR Part 21, and operability determinations as required by technical specifications.

2.2.7 Contingency Planning

The Seabrook licensee's contingency plan addresses Y2K contingency planning management, contingency planning remediation risks, contingency planning internal facility risks, contingency planning external risks, and an integrated millennium contingency plan. The steps that Seabrook will take in contingency planning include risk identification, event analysis, risk management, and verification.

Individual contingency plans are prepared for items, systems, or events as identified in the Seabrook guidance. Contingency planning remediation risks include risk identification (identified by the maintainer during the remediation and testing and validation phases of the project), event analysis (performed at the initial remediation phase to understand the nature of the challenges to the selected remediation strategy), risk analysis, and verification. The purpose of the internal risk contingency is to anticipate and prepare for events that could occur due to system failures and reduce their impact on safe operations. Contingency planning external risks covers the means for mitigation of external millennium events that could compromise safety or continued operation of Seabrook station. One of the external risks to be considered is transmission/distribution system events. Concerns addressed include loss of off-site power, grid instability and voltage fluctuation, load fluctuations and loss of grid control systems. This contingency planning effort included information exchanges with the appropriate Independent System Operators (ISO) New England subcommittees with grid control responsibilities.

The contingency plan project organization at Seabrook includes a Contingency Plan Coordinator, and a cross-matrix Contingency Planning Team led by a Contingency Plan Technical Lead. The implementation of the plan is scheduled to start in the later part of 1998. The audit team met with the Technical Lead and members of the Contingency Planning Team and was given an outline of the contingency planning implementation process. The process would start with the systems, components and procedures for safe shutdown of the plant and expand to consider systems and procedures for safe continued operation, and, finally, include systems and interfaces beyond the station boundary.

2.2.8 Y2K Program Management

The Seabrook Y2K program management plan establishes, organizes, manages, and integrates the diversity of activities required to address Y2K readiness. The Y2K readiness activities are covered in the three management areas of risk management, contingency planning, and project internal controls.

Project milestones completed include: development of the communications and awareness plan, the inventory (complete identification and analysis), schedule defined for implementation of corrective actions, and Seabrook Millennium Project Plan Revision 3. Key performance indicators (metrics that measure performance against established goals for each phase of the implementation plan) are used to measure project performance and serve as the basis for monthly reports and appropriate actions to be taken to ensure project schedules are met. To date the established schedules have been met.

The Y2K readiness project is planned to be completed by July 1999, with the primary exception of the Radiation Data Monitor System testing (for either the replacement Y2K compliant system or the remediated system), and its interface testing with system components and the Main Plant Computer. This is scheduled for the fall of 1999.

Methods of oversight of the project include management reviews, self assessments and surveillances, and internal and external audits.

2.2.9 Electrical Grid Issues

ISO New England has a Year 2000 subcommittee and several subcommittees established to exchange Y2K information, create procedures for testing and remediation, and prepare compliance assurance statements. The ISO New England Coordinator in the Seabrook Millennium Project organization is the person responsible for monitoring the status of the ISO efforts through the Generation Subcommittee.

The audit team met with the ISO New England Coordinator assigned to the project. He described the activities that have been initiated and planned in the ISO New England organization regarding the Y2K problem as it affects the electric power supply system. The interchange of information between the Seabrook licensee and ISO New England has just begun.

Electrical grid issues are also being addressed in Seabrook's contingency planning for external risks. As indicated in the discussion above, issues pertaining to electric grid availability will be evaluated and planned for in the Seabrook Y2K contingency plan.

3.0 AUDIT TEAM OBSERVATIONS

The audit team developed the following observations:

1. The Seabrook Millennium Project Plan, Revision 3.0, incorporates several items that were being used by the project team members but were not included in Revision 2.0 of the plan, such as the project test plan checklist and project vendor readiness questionnaire. The changes were the result of items identified through project self assessments, oversight and internal audits performed since Revision 2.0 was issued in August 1998. Revision 3.0 also contains the Contingency Plan.

Revision 3.0 includes a list of documents related to existing station programs and policies for performing the activities and QA measures related to the Y2K problem. The audit team pointed out to the project sponsor and project manager that the guidance on the use of existing station programs and policies appears to be very general and the appropriate use of the documents for specific activities (e.g., activities related to design changes to software, hardware, or embedded firmware) is left to the individual. The project sponsor stated that additional training has been provided to all station staff working on Y2K related activities on the use of existing procedures. Additionally, the majority of the staff at the Seabrook Station has been working in the same technical area since the startup of the station and are well-versed in applying existing procedures and policies to change processes and adverse condition report activities in their area of responsibility.

2. The Seabrook Millennium Project Plan is based on the guidance in NEI/NUSMG 97-07 and NRC Generic Letter 98-01. The method for classifying an item was simplified and failure impact is used to classify items in the inventory or analysis phase.

Based on the review and evaluation by the audit team of the plan and its implementation up to the analysis phase, the Seabrook Millennium Project Plan is considered to be well-structured and readily usable. The revisions to the plan are based on the lessons learned and feedback obtained in the use of the plan by the project team members and audit teams.

3. Based on the audit team's review and evaluation of the results of the Y2K readiness project to date, the audit team considers the evaluation done by the station project staff in completing the analysis of items in the inventory to be consistent with the Seabrook Millennium Project Plan. The Seabrook Millennium Project is planned to be completed by July 1999, with the primary exception of the Radiation Data Monitor System discussed in item 7 below.

The audit team identified an inconsistency in how classification, as defined in the plan, was applied to certain items that were not susceptible to the Y2K problem. The use of failure impact in classifying an item is not dependent on whether an item is affected by the Y2K problem or not. The project manager and team were already aware of this inconsistency since it was identified by an earlier audit and the entire inventory was being re-classified to correct the errors in classification. Additionally, the project staff had been given additional training in this area.

4. The detailed assessment phase includes both analysis and planning. Analysis includes classification based on failure impact, millennium status and strategies to achieve Y2K readiness or compliance. The millennium strategies are: eliminate, fix, replace or accept as is.

The Seabrook project is in the remediation phase, which, for those items that are in the "Fix" category, includes testing to identify the failure mode due to a Y2K problem, followed by corrective changes to make the item Y2K ready or compliant. The audit team witnessed bench tests of two components with firmware. These bench tests were based on the test procedure developed for embedded systems. Based on the witnessing of the tests, the audit team considers that the test procedure is a thorough, detailed procedure that would adequately identify Y2K problems and aid in identifying and correcting the root cause of the problem.

5. The Seabrook Millennium Project Plan includes an outline of the Contingency Plan based on NEI/NUSMG 98-07 guidance. The Project Organization includes a Contingency Plan Coordinator, and a cross-matrix Contingency Planning Team led by a Contingency Plan Technical Lead. The implementation of the plan is scheduled to start in the later part of 1998. The audit team met with the Technical Lead and members of the Contingency Planning Team and was provided with an outline of the contingency planning process.
6. The audit team met with the ISO New England Coordinator assigned to the project, and was briefed on the activities that have been initiated and planned regarding the Y2K problem as it affects the electric power supply system availability. ISO New England has established sub-committees to exchange Y2K information, create procedures for testing and remediation, and prepare compliance assurance statements.
7. The Seabrook licensee has identified a Y2K problem with the Radiation Data Monitor System (RDMS). The RDMS is a vendor package provided by Sorrento Electric which has been determined to be not Y2K compliant. The vendor has indicated that they have no plans to make this system Y2K compliant. The vendor has identified a work around to provide for RDMS operation if the licensee plans to keep the system. The licensee's strategy for attaining RDMS Y2K compliance/readiness was to investigate alternatives. Several of the plants that use this device, including Seabrook, have formed a Sorrento Owners Group to address and solve the Y2K problem with this device. The options to date are to either obtain a Y2K compliant replacement system (three vendors have been identified) or to implement the vendor identified work around as discussed below.

The vendor has indicated to their customers that the RDMS cannot properly function with a year identification that ends in 00 (every decade), but that when the year 2000 comes to an end, the system will be able to operate properly in the year 2001. An approach identified by the Seabrook licensee is to change the system date to some date in the past when Seabrook was not tracking data; that is, the date will be set back 28 years. (Initial testing at the Seabrook test bed indicated the RDMS operated with the date of 1972 inserted, but did not function correctly with "00.")

Procedurally, the licensee could insert a "dummy" date of, say, 1978 for the year 2000, and then reset the date correctly to 2001 when that year arrives.

The present schedule calls for having either the RDMS replacement or work around option implemented by the fourth quarter of 1999. (The necessary Main Plant Computer System software change to "dummy" a date for the RDMS input is scheduled for November 1998 and planned for testing and actual use in the last quarter of 1999.)
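The date-setback work around described above, sketched as an added example; it is not code from the licensee, the vendor, or the audit report. The function names, the policy of shifting the date only during the year 2000, and the assumption that the device depends on weekday and leap-day alignment are illustrative assumptions.

```python
import calendar
from datetime import date, timedelta

SETBACK_YEARS = 28    # setback stated in the report (2000 -> 1972)
AFFECTED_YEAR = 2000  # year the device cannot handle as "00"


def calendars_match(real_year: int, dummy_year: int) -> bool:
    """Two years have identical calendars when they share leap-year status
    and 1 January falls on the same weekday."""
    return (calendar.isleap(real_year) == calendar.isleap(dummy_year)
            and date(real_year, 1, 1).weekday() == date(dummy_year, 1, 1).weekday())


def to_device_date(real: date, setback: int = SETBACK_YEARS) -> date:
    """Date handed to the device. Only the affected year is shifted
    (assumed policy, following the 'reset to 2001' step in the text)."""
    if real.year != AFFECTED_YEAR:
        return real
    dummy_year = real.year - setback
    if not calendars_match(real.year, dummy_year):
        # A mismatched dummy year would lose 29 February or shift weekdays.
        raise ValueError(f"{dummy_year} does not share a calendar with {real.year}")
    return real.replace(year=dummy_year)


def to_real_date(device: date, setback: int = SETBACK_YEARS) -> date:
    """Undo the shift when reading device records back. Valid only if the
    device holds no genuine records from the dummy year."""
    if device.year == AFFECTED_YEAR - setback:
        return device.replace(year=AFFECTED_YEAR)
    return device


def discontinuities(real_days):
    """Consecutive real dates whose device-side spacing differs from the
    real spacing: the points where sorting or elapsed-time logic breaks."""
    breaks = []
    for prev, cur in zip(real_days, real_days[1:]):
        if to_device_date(cur) - to_device_date(prev) != cur - prev:
            breaks.append((prev, cur))
    return breaks


def day_range(start: date, count: int):
    """Constructed sample input: `count` consecutive days from `start`."""
    return [start + timedelta(days=i) for i in range(count)]


if __name__ == "__main__":
    leap_day = date(2000, 2, 29)
    shown = to_device_date(leap_day)
    print("device sees", shown, "weekday preserved:",
          shown.weekday() == leap_day.weekday())
    print("1972 matches 2000:", calendars_match(2000, 1972))
    print("1978 matches 2000:", calendars_match(2000, 1978))
    for a, b in discontinuities(day_range(date(1999, 12, 30), 4)
                                + day_range(date(2000, 12, 30), 4)):
        print("clock discontinuity between", a, "and", b)
```

A 28-year setback keeps weekdays and 29 February aligned, but the device clock is still discontinuous at each switch-over, which is where the checklist's rollover and sorting-and-comparison tests apply.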

Table 1 - Seabrook Millennium Project Plan Schedule
(Columns: Activity; Starting Date; Finishing Date)

Awareness: 1997; On-going
Initial Assessment: May 1, 1998
Detailed Assessment/analysis: June 15, 1998; -
Remediation: November 1998; June 1999*
Contingency Planning: November 1998

(* Except for RDMS which is scheduled for 4th quarter of 1999)

Table 2 - Inventory

Item | Total | Safety Implication | Plant Trip / Generation Reduction | Reg. Reqmnts | Business Critical | Min. Impact / No Impact
Software items | 745 | 7 | 3/1 | 101 | 319 | 159/155
Embedded items (Equipment, firmware, e-prom) | 559 | 5 | 10/4 | 58 | 298 | 89/95

Table 3 - Inventory Assessment

| IMPACT | Accept As Is | Fix | Replace | Eliminate | Total |
|---|---|---|---|---|---|
| Safety Implication | 7 | 4 | 1 | | 12 |
| Plant Trip | | 13 | | | 13 |
| Generation Reduction | | 5 | | | 5 |
| Regulatory Requirement | 72 | 72 | 11 | 4 | 159 |
| Business Critical | 322 | 142 | 111 | 42 | 617 |
| Minimum Impact | 169 | 44 | 23 | 12 | 248 |
| No impact | 202 | 16 | 10 | 22 | 250 |
| Total | 772 | 296 | 156 | 80 | 1304 |


Table 4 - Safety Implications

The following systems that have safety implications were reviewed by the audit team.

| Millennium Item | Classification | Millennium Status | Strategy | Impact |
|---|---|---|---|---|
| PDS PDSTRUDL | Safety Critical | Compliant | Accept As Is | Safety implication |
| CBS Containment Building Spray | Safety Critical | Compliant | Accept As Is | Safety implication |
| DAPPER Distribution Analysis For Power Planning | Safety Critical | Compliant | Accept As Is | Safety implication |
| SFHX Spent Fuel Pool Cooling Heat Exchanger | Safety Critical | Compliant | Accepted As Is | Safety implication |
| ADL-SK ADLPipe Seabrook | Safety Critical | Compliant | Accepted As Is | Safety Critical |
| RC Ultrasonic Level Monitoring System | Safety Critical | Not Compliant Requiring Y2K Testing | Fix | Safety implication |
| FH Fuel Handling System | Safety Critical | Not Compliant Requiring Y2K Testing | Fix | Safety implication |
| FH1 Fuel Handling Machine-MMI | Safety Critical | Not Compliant Requiring Y2K Testing | Fix | Safety implication |
| RVLIS Reactor Vessel Level Indication System | Safety Critical | Not Compliant Y2K testing required | Fix | Safety implication |
| FIREDET Fire Detection System | Non Rated | Unknown | Replace | Safety implication |
| PROTOFLO Proto Power's Proto-Flo Software | Non Rated | | | Safety implication |
| GTS-GTSTRUDL | Safety Critical | Compliant | Accept As Is | Safety implication |
| SI Safety Injection | Mission Critical | Not Compliant Y2K testing required | Fix | Minimum impact |
| SSPS | Non Rated | Compliant | Accept As Is | No impact |

PDSTRUDL is a digital computer program used for analysis and design of complex structures. The vendor is Phi-Delta, Inc. The vendor certified that dates were not used in the processing of calculations but were used only as a display function on reports. Four digit dates are used.

CBS - Containment Building Spray system has no date aware equipment.

DAPPER is an electrical engineering/software tool manufactured by SKM Systems Analysis. The vendor stated that there are no date related calculations and that there are no known problems. www.skm.com/year2000.html

SFHX is an in-house software program that was developed to account for the available safety margin with respect to the spent fuel pool heat exchangers (performs thermal performance calculations to determine heat removal rate capability). There is no date in this program. The program language is C.

ADL-SK ADLPipe is a pc-based digital computer program used for analysis and design of complex piping systems. According to the vendor, the software is not dependent on calculation of date and/or time in any manner.

RC - Ultrasonic level measuring system is for indication of reactor coolant level during reactor coolant mid-loop (reduced inventory refueling) operation only. Initial Y2K testing is being performed by Westinghouse and will be verified by testing by the licensee. A system modification is in progress for installation of a new EPROM. Y2K testing will be integrated with the re-test of the modification.

FH - Fuel Handling System has the GE Fanuc Programmable Logic Controller (PLC). The GE automation system consists of a series 90-30/90-20 PLC microcontroller. The system is date & time aware and will be fully tested. Testing will need to be performed during a refueling outage when there is no impact to the refueling schedule.

FH1 - Fuel Handling Machine - Wonderware MMI Software package. The man/machine interface (MMI) to the GE Fanuc PLC is a Wonderware Product which is date and time aware. It will be tested on the refueling machine prior to a refueling outage. The vendor is PAR Systems.

RVLIS - Reactor Vessel Level Indication System - The RVLIS package will be tested by Westinghouse and retested by the Seabrook licensee. RVLIS is required by post-accident monitoring technical specifications and initiates isolation functions upon indication of a high temperature condition in various locations in the auxiliary building.

FIREDET-Fire Detection Systems - The licensee is determining whether the system is Y2K compliant.

PROTOFLO-Proto Power's Proto-Flo Software is written in Visual Basic. According to the vendor, the software is Y2K compliant because dates were not used in processing of calculations but were used as a display only function in reports.

GTS-GTSTRUDL is a digital computer program used for analysis and design of complex structures. The vendor is Phi-Delta, Inc. The programming language used is Fortran. According to the vendor, the software is Y2K compliant.

SI - Safety Injection - The SI system flow transmitter is a non-safety related device that is used in the performance of certain inservice testing to quantify or detect leakage through various valves. The transmitter is essentially a stand alone device that performs an indication only function. Should the device fail, for any reason, alternative flow indication on the same test line is available.

SSPS - Solid State Protection System has no date aware equipment.


Table 5 - Generation Reduction

The following table contains the systems that impact power generation reduction which were reviewed by the audit team.

| Millennium Item | Classification | Millennium Status | Strategy | Impact |
|---|---|---|---|---|
| FW Rosemount Smart Transmitter Field Programmable Device | Mission Critical | Not Compliant Y2K testing required | Fix | Generation Reduction |
| SY Sequence of events recorder | Mission Critical | Not Compliant Y2K testing required | Fix | Generation Reduction |
| SY1 Switchyard Digital Fault Recorder | Mission Critical | Not Compliant Y2K testing required | Fix | Generation Reduction |
| AS Controller for maintaining auxiliary boiler steam pressure | Non Rated | Not Compliant Y2K testing required | Fix | Generation Reduction |
| TGS Tagout System | Mission Critical | In Process | Fix | Generation Production |

FW - The Rosemount Smart Transmitter field programmable device output feeds the calorimetric. Failure could cause a reduction or increase in power generation and thus potentially violate technical specifications.

SY Sequence of event recorder - records relay and breaker actuation in the switchyard. These recordings are used in post trip reviews. Without these recordings, a restart following a trip would be extended several days due to the additional trip analysis required. The recorder is date and time aware.

SY1 Switchyard digital fault recorder - records voltage and current readings in the switchyard. The data recorded is used for many purposes including post trip analysis. Without these readings, the post trip review could be extended for several days. This recorder also uses the Geographic Position System (GPS) satellite clock.

AS - This is a digital controller for maintaining auxiliary boiler steam pressure by modulating steam flow to one of the feedwater heaters during feedwater prewarming for plant startup. The vendor is Fischer & Porter. The Fischer & Porter controllers will be tested via a blackbox approach. An identical spare will be used from the warehouse and tested in the technical support facility. When performing this testing, the tester will confirm that the controllers have the same chip # and the same version #.

TGS - The Tagout System stores, manipulates and modifies data associated with the installation and removal of danger, caution, ground and extension control tags in the plant. The current Software Sense Tagout System does not properly recognize the year 2000. This software is a package that is written in DBASE and Clipper. Tests were performed to determine if minor changes to the Tagout System written in DBASE could permit it to function in the year 2000. The tests were successful; therefore, the strategy for Tagout System compliance is to have the vendor make minor changes to the existing system software such that it recognizes and operates in the year 2000.


Table 6 - Plant Trip

The following table lists the systems reviewed by the audit team that impact plant trip.

| Millennium Item | Classification | Millennium Status | Strategy | Impact |
|---|---|---|---|---|
| SUPVSR Fischer & Porter Supervisor | Mission Critical | Not Compliant Y2K testing required | Fix | Plant trip |
| DCS DCS Operating System | Mission Critical | Not Compliant Y2K testing required | Fix | Plant trip |
| HD HDTC Heater Drain Tank Level Control | Mission Critical | Not Compliant Y2K testing required | Fix | Plant trip |
| SA SA Intellisys | Mission Critical | Not Compliant Y2K testing required | Fix | Plant trip |
| GSC-COND GSC Rosemount Conductivity Analyzer | Mission Critical | Unknown | Fix | Plant trip |
| MSD Main Steam Drain | Mission Critical | Not Compliant Y2K testing required | Fix | Plant trip |
| AR AR-DP Transmitter Pressure Indicators | Mission Critical | Not Compliant Y2K testing required | Fix | Plant trip |
| MS MSRC Moisture Separator Reheater Control | Mission Control | Not Compliant Y2K testing required | Fix | Plant trip |
| CO HOTWELL Hotwell Level Control | Mission Control | Not Compliant Y2K testing | Fix | Plant trip |

SUPVSR - The Fischer & Porter Supervisor uses 53SU5000 Supervisor PC equipment and controls each of the Fischer & Porter digital controllers in the plant. Y2K compliance must be verified.

DCS - DCS Operating System - The field installation and testing of the Y2K compliant software will be completed in the next refueling outage by Foxboro. The simulator software should be installed and tested in the last quarter of 1998.

HD HDTC Heater Drain Tank Level Control equipment is a Fischer & Porter 53MC5000 controller and will be tested by the licensee.

SA Intellisys - The Ingersoll-Rand rotary air compressor is a microprocessor control package which will be tested by the licensee.

GSC-COND - GSC Rosemount conductivity analyzer model 1054BLC-01 is under review by the licensee.

MSD - Main Steam Drain - The moisture separator reheater (MSR) drain tank level is controlled via Fischer & Porter 53MC5000 digital controllers. If the controller fails either the unit will trip on a high MSR shell side water level or a pipe break could occur in the MSR drain tank lines to the condenser. These controllers will be bench tested with identical spares and then field tested during a refueling outage.

AR - AR-DP Transmitter - These Rosemount 1151 DP5 pressure transmitters auto-start the condenser by initiating valve opening. Failure could prevent the auto-start feature from operating. This pressure transmitter will be bench tested.

MS MSRC Moisture Separator Reheater Control - These Fischer & Porter 53MC5000 controllers will be bench tested for Y2K compliance followed by a field test during a refueling outage.

CO HOTWELL Hotwell level control - The Foxboro I/A Series hotwell level program/function equipment will be included in the DCS operating system installation and testing.


Table 7 - Regulatory Requirement

The following table is a list of items which have a regulatory requirement impact which were reviewed by the audit team.

| Millennium Item | Classification | Millennium Status | Strategy | Impact |
|---|---|---|---|---|
| PAC Public Address System | Mission Critical | Not Compliant Y2K testing required | Fix | Regulatory Requirement |
| SM Seismic Monitoring Software | Mission Critical | Not Compliant Y2K testing required | Fix | |
| SFD HG Hand Geometry | Business Critical | Not Compliant Y2K testing required | Fix | |
| NI Boron Dilution Monitor | Mission Critical | Not Compliant Y2K testing required | Fix | |
| FP COSENTRY Carbon Monoxide Gas Monitoring System | Mission Critical | Not Compliant Y2K testing required | Fix | |
| FP Fire Protection | Mission Critical | Not Compliant Y2K testing required | Fix | |
| LPMS Loose parts - Vibration Monitor | Mission Critical | Not Compliant Y2K test required | Fix | |
| RAW - RAW-AIX Reactor Analysis Workstation | Safety Critical | Compliant | Accept as is | |
| RDMS RDMS DEC PDP/11 Software | Mission Critical | Not Compliant | Fix | |
| S3FINC Fixed Incore Analysis | Mission Critical | Not Compliant Y2K testing required | Fix | |

PAC - Public Address System - The PAC system is date/time aware and will be remediated in the 3rd quarter of 1998.

SM Seismic Monitoring Software - The seismic monitor is a new hardware and software package, and will be fully tested. The software performs time/history updating. The vendor (Kinemetrics, Inc.) will be contacted in the last quarter of 1998.

SFD HG Hand Geometry - The hand geometry software package will be changed out. However, the present SFD system, including the hand geometry is being made Y2K compliant as a fallback position against unforeseen delays in delivery of the new system. The testing will be scheduled for the first half of 1999, when the new system is installed. Should the hand geometry software fail, all access to the unit would be via manual means.

NI Boron Dilution Monitor - The Gammametrics Shutdown Monitor RCS-30 does not appear to be date aware. However, several clock functions are used and due to its importance to the plant will be evaluated further.

FP COSENTRY - Carbon Monoxide Gas Monitoring System - The Sierra Monitor Corporation gas monitoring system, SPL5000-8R, is date aware in that failure occurs with bad date input. The system will be tested and remediated accordingly.

FP Fire Protection - The Simplex 41000 Fire Protection System has been determined by the vendor to be Y2K compliant. The licensee will verify this determination by testing.

LPMS Loose Parts Vibration Monitoring - The licensee will replace the entire loose parts monitoring system with a pc-based Y2K compliant system. This is a technical specification required system and its inoperability impacts plant operation.

RAW Reactor Analysis Workstation RAW-AIX - The strategy for this item is to accept the statement from IBM that the software is compliant and provide further verification testing using the S3/FINC software to validate this assumption. The product name is AIX, version #4.2, operating system for RS/6000 workstations. (http://www.rs6000.ibm.com/resource/results/year.htm)

RDMS RDMS DEC PDP/11 Software - The RDMS system runs on a Sorrento Electronics DEC/PDP11 platform. The operating system is RSX-11 and the application is written in FORTRAN. This system is not Y2K compliant. The vendor has indicated that they have no plans to make this system Y2K compliant but has identified a work around if the licensee plans to keep the system. The vendor recommended work around is to insert a "dummy" date when data was not being tracked for the year 2000.

S3FINC Fixed Incore Analysis - A contractor has been obtained to perform Y2K testing and verify that the code is Y2K compliant.

DOCUMENTS REVIEWED

1. Seabrook Millennium Project Plan Revision 3.0, prepared 9/24/98, submitted 9/24/98, approved 9/24/98, effective 9/25/98
2. Technical Support Group Instructions, System Engineering Y2K Implementation Plan, TSGI-13 Rev. 00, prepared 9/23/98, approved 9/23/98
3. Technical Support Group Instructions, Y2K Generic Test Instruction For Embedded Equipment, TSGI-14 Rev. 00 Preliminary Draft, prepared 9/28/98
4. North Atlantic Information Manual (NAIM)

ATTACHMENT 1

ENTRANCE MEETING - SEPTEMBER 29, 1998

P. Prugnarola - Y2K Sponsor - Information Resources Manager
N. Durand - Y2K Project Manager - Information Services Manager
D. Spaulding - Electronics Engineer - NRC/NRR/HICB
M. Chiramal - Senior Level Advisor - NRC/NRR/HICB
W. A. DiProfio - Station Director
J. M. Brand - NRC - Region I
M. DeBay - Assistant Operations Manager
J. Linville - Acting Chem/HP Manager
P. Casey - Senior Emergency Planning Coordinator
B. Seymour - Security & Safety Manager
J. Sobotka - Reg. Compliance Supervisor
G. Mcdonald - Nuclear Oversight Consultant
T. Feigenbaum - North Atlantic - CNO
M. Ossing - Senior Project Engineer - NAESCO
G. Gram - Director Support Services
R. White - Mechanical Engineering Manager
J. Watts - Sr. Auditor - Audit & Evaluations
B. Drawbridge - Director of Services
S. West - Tech. Support, Systems Engineering - RM
C. Howard - Comp. Eng. Dept. Manager
M. Mills - Y2K Embedded Systems Coor.

EXIT MEETING - OCTOBER 1, 1998

M. Ossing - North Atlantic
W. A. DiProfio - North Atlantic
S. Wooley - North Atlantic
J. Sobotka - North Atlantic
R. Larson - NRC
J. Watts - North Atlantic
C. Howard - NAESCO
M. Mills - NAESCO
D. Spaulding - NRC
G. Gram - North Atlantic
N. Durand - North Atlantic
J. Grillo - NAESCO
M. Chiramal - NRC

ATTACHMENT 2