Text

Safety & Performance Improvement Control Room Mods Audit for Rancho Seco Nuclear Generating Station,Unit 1
	ML20211K473
Person / Time
Site:	Rancho Seco
Issue date:	11/06/1986
From:	; SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:	; NRC
Shared Package
ML20149C277	List: ML20211K473;
References
	CON-NRC-03-82-096, CON-NRC-3-82-96 SAIC-86-3087, NUDOCS 8611250242
	Download: ML20211K473 (69)
	v • d • e

'

Enclosure 1 SAIC-86/3087 i

SAFETY AND PERFORMANCE IMPROVEMENT CONTROL ROOM MODIFICATIONS AUDIT FOR SACRAMENTO MUNICIPAL UTILITY DISTRICT'S RANCHO SECO NUCLEAR GENERATING STATION, UNIT N0. I k

. November 6, 1986 Prepared by:

Science Applications International Corporation 1710 Goodridge Drive McLean, Virginia 22102 l

Prepared for:

U.S. Nuclear Regulatory Commission Washington, D.C. 20555 i

Contract NRC-03-82-096

~

BWM6_l'D (o?)p

1 4

Table of Contents Section Eagg INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 DISCUSSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 FINDINGS

1. Evaluate the process used to identify and make changes to the control room . . . . . . . . . . . . . . . . . . 2

2. Evaluate the role of the human factors discipline in the Action Plan Modifications . . . . . . . . . . . . . 7

. 3. Evaluate the method used to validate the modified control room. . . . . . . . . . . . . . . . . . . . . . 7

4. Evaluate control room modifications that originated from the Action Pl an. . . . . . . . . . . . . . . . . . 9

5. Human Factors Issues. . . . . . . . . . . . . . . . . . 11

6. Detailed Control Room Design Review Concerns and Findings. . . . . . . . . . . . . . . . . . . . . . . . 12 CONCLUSIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 DOCUMENTATION NEEDS. . . . . . . . . . . . . . . . . . . . . . . . . 17 REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 ATTACHMENTS:

1. Audit Plan Outline

2. List of Meeting Attendees

3. Preliminary Action Plan Commitments

4. DCRDR/ Action Plan Comparison

5. Freliminary DCRDR Commitments

6. Schedule for DCRDR Control Room Modifications l

- _ . . - . ~ . _ _ _ . _ . _ . _ . . _ . . _ _ . _ _ _ . _ , _ _ _ , . . , - - _ . _ _ _ . , _ _ , _ . __ . . _ _ _ _ _ _

SAFETY AND PERFORMANCE IMPROVEMENT CONTROL ROOM MODIFICATIONS AUDIT FOR SACRAMENTO MUNICIPAL UTILITY DISTRICT'S RANCHO SECO NUCLEAR GENERATING STATION, UNIT NO. 1 INTRODUCTION p This report documents the findings of the Nuclear Regulatory Commission (NRC) audit team during the :afety and performance improvement control room modifications audit of Sacramento Municipal Utility District's (SMUD's)

Rancho Seco Nuclear Generating Station, Unit No. 1. The audit was conducted September 29, 1986, through October 2, 1986. The NRC audit team consisted of a representative from the NRC Plant Electrical Instrumentation and

~

Control Systems Branch (EICSB); a consultant from Science Applications International Corporation (SAIC); and a representative from Comex Corpora-tion, a subcontractor to SAIC. The audit was conducted on-site at the Rancho Seco Nuclear Generating Station. This report was prepared by SAIC, but is intended to reflect the consolidated observations, conclusions, and recommendations of the NRC audit team members. An outline of the audit plan and a list of audit meeting attendees are included as Attachments I and 2 to this report.

DISCUSSION The purpose of the audit was to evaluate control room modifications resulting from the licensee's Action Plan for Performance Improvement (Reference 1) and the detailed control rocm design review (DCRDR). The Action Plan was developed in response to the December 26, 1985, loss of integrated control systems and overcooling transient at Rancho Seco. The licensee describes the Action Plan as a systematic investigation to look far beyond the specific problems associated with the incident, with the goal of identifying and implementing an array of corrective actions that will address the root cause of past performance problems (see Attachment 3).

l The DCRDR was performed at Rancho Seco in response to Supplement I to NUREG-0737 (Reference 2), which requires each applicant and licensee to -

identify and correct control room design discrepancies. The NRC conducted an in-progress audit of the Rancho Seco DCRDR in October 1985 (Reference 3).

l 1

1 I

The licensee submitted its DCRDR Summary Report to the NRC by letter dated December 27, 1985 (Reference 4). NRC staff review of the Summary Report resulted in the identification of open DCRDR concerns. The NRC staff's review results for Rancho Seco's Summary Report were forwarded to the licensee by letter dated June 10, 1986 (Reference 5).

This report documents the NRC audit team's findings and conclusions regarding the Action Plan and the DCRDR. The audit findings are listed below in order of Audit Plan agenda items.

FINDINGS

1. Evaluate the process used to identify and make changes to the control room. ,

The Audit Team reviewed the " Performance Improvement Program", and reviewed the licensee's comparison between that program and the elements of the DCRDR to assess the adequacy of the Program in making plant modifica-tions (see Attachment 4).

Assessment of the plant design, management, operations, and administra-tion was evaluated in the " Investigation" phase by utilizing the following sources for recommendations (equivalent DCRDR process was preparation of

" Human Engineering Observations"):

o Detarministic Failure Consequences Analysis o Babcock and Wilcox Owners' Group Stop-Trip Program o December 26, 1985 Event and NUREG-1195 Action List o Plant Staff Interviews o Selected Projects o Precursor Review

'Each of these elements are described in the Action Plan, however, the Audit Team noted the following additional details. Approximately 1200 recommendations were made during the deterministic failure consequences, which was a table-top failure analysis of electrical system components and components of the instrument air system. Interviews with the plant staff were conducted. The interviews resulted in 1632 recommendations. All 2

I 4'

recommendations (about 5000) for plant improvement were forwarded to the Recommendations Review and Resolution Board to determine validity and priority; cost / benefit was not at issue in this " Validation" phase.

The 9 member Recommendations Review and Resolution Board was found to be multidisciplinary in experience. In performing validation activities, the Board determined if a recommendation was:

o Valid or o Valid, but otherwise covered or o Invalid.

Prioritization of valid recommendations was also accomplished by the Recommendations Review and Resolution Board with Priority 1 (complete prior to Re-start) being the highest. The criteria for Priority 1 items consisted of:

o Assured plant remained in post-trip window (see Figure 1) o Assured plant complied with Technical Specifications, and o Minimized operator action outside Control Room in first 10 minutes following a transient.

The criteria for Near Term (Priority 2) and Long Term (Priority 3) g recommendations are provided in Figure 2. Recommendations were forwarded to the Performance Analysis Group, a six-person team of the Department Managers, for the Approval phase.

The Audit Team noted that all human engineering discrepancies (HEDs) identified during the DCRDR have been evaluated as Category B (using the DCRDR assessment criteria, there were no Category A, Safety Significant, HEDs), and thus HEQi, per se, are not scheduled for correction prior to Restart. However, the audit team did note that several previously identified HEDs will be corrected as a result of the modifications implemented within the Action Plan. The licensee provided the Audit Team with a listing of all DCRDR HEDs that will be completed during Cycle 8 or 9 refuelings, the first following Restart (see Attachment 5).

L 3

4 e

O N

E r

So . l -

w.%E e 2-a-" i o n z a e

ne: , c==. -

z=* 55 * = 5 a

2e

'. O a 3;E w- o. : a. e a g e_. , -

"A '_

r_' ge: m _W = g g u

-'_ *g: - sgg 3O.E =

g _ u.

o e

E ==.E Es :-

5 shh

-- a =EE = g N=g 5 w

= n

_ x 3 g == E o

!s =! E !s-, Ea Eg g

' E.

'1- _

_ o g ,

i I _ o g

2

_ . , - e ,o r m h

g un M.

- w x

-1 1 _,

r s.

g 1 1 o o

w '.. ..so.

E

= : . _.__

o m

lys 1 m W v 1 es 1 .: . .

m o s.

a .-

f_

z g

< .o 1-r 5 Z o

a. . .

5 *

--1 -

G ==_ ':=_ g x 1

=

u 8 t rE 's m c

__ c :=

E5 1_

- 1 y

o N

yw l

= a I,

- =

4

g -

_- :- vi 3

2

^G - y o

.w

.m_

o.

ws

. _ ._. -m e

w g , gh.

~ '

s ~

gg 85 e m

me -w Er Wm ve

ma

, w <x u

D Qu; wa : m a m .o, u.

L._ - e o

i 6 i - e e e i i i , i i 4

$~ $~ $~ k~ $ $

k b

~

DISd '380SS3Bd 137100 WV31S ONV INV7003 8013V38 4

i ACTION PLAN PRIORITIZATIDN PRDCESS PRIDRITY CRITERIA

RESTART A. ASSURE PLANT REMAINS IN POST-TRIP WINDOW j B. COMPLIANCE WITH TECHNICAL SPECIFICATIONS C.

g MINIMIZE OPERATOR ACTION DUTSIDE CONTROL RDDM IN FIRST 10 MINUTES 4

NEAR TERM A. ENHANCE REMAINING IN POST-TRIP WINDOW -

(AUTO ACTION vs. OPERATOR ACTION)

B. REDUCE REACTOR TRIPS &

j C. REDUCE SAFETY SYSTEMS CHALLENGES D. PRODUCE NEAR-TERM PROGRAMMATIC BENEFITS LONG TERM A. IMPROVE RELIABILITY B.

C.

IMPROVE AVAILABILITY +

IMPLEMENT M(4JOR PROGRAMMATIC ENHANCEMENTS I lf i

l l .

ACTION PLAN / QCI-12 PRDCESS Figure 2. Action Plan Prioritization Process 5

In the Approval phase, the Performance Analysis Group was noted to be assigned responsibility for dispositioning the recommendations of the Recom-mendations Review and Resolution Board. The Performance Analysis Group reviews the priority, the corrective action, and assigns the plant organiza-tion responsible for action. Differences of opinion between the Recommenda-tions Review and Resolution Board and Performance Analysis Group were resolved by iteration between the groups until consensus was established.

Upon completion of the Approval phase, the Performance Analysis Group output (approved recommendation) enters the Implementation and Closure phase. The audit team was provided Nuclear Engineering Procedure 4109,

" Rancho Seco Configuration Control Procedure", which provides for the initiation, review, issuing, and revision of design documents such as Engi-neering Change Notices. Nuclear Engineering Procedure 4109 was noted to provide the controls typical throughout the industry for installing plant modifications.

Following the NRC audit team departure, a request to designate the control room as a system under the Systems Review and Test Program was granted by the Performance Analysis Group. Under the system designation,

, the control room will be treated like any other major system in the plant. ,

Cognizant human factors and engineering personnel will be permanently assigned the responsibility of evaluating all modifications to the control room. This will assure that the control room as defined by the DCRDR is not invalidated by the modifications resulting from the Action Plan. It will also assure that modifications made after the Cycle 8 and 9 DCRDR changes.

will not introduce new human engineering discrepancies into' the control room. This represents a significant improvement in the overall management of control room modifications.

Based upon the information provided by the licensee, the Audit Team concluded that the Action Plan embodies the elements of the DCRDR, and that the

correlation between the Action Plan and DCRDR steps represents an adequate methodology for plant modification. In addition, the designation of the control room as a system will assure that the control room as defined

. by the DCRDR will not be invalidated.

6

2. Evaluate the role of the human factors discipline in the Action Plan i Modifications.

Human Factors involvement was found to be in three major areas within I the activities of the Action Plan: l o Post Transient Analysis o Plant staff interviews o Plant procedures requiring human factors input for modifications The first two listed areas represent a direct human factors engineering activity that provided a source of plant modification recommendations. The latter activity is the human factors engineering input to plant design modifications. Any modification that results in an Engineering Change

- Notice is evaluated for human factors implications in accordance with !

Nuclear Engineering Procedure 4123, still under development. If the Engi-neering Change Notice has such implications, the design shall include com-pliance with human factors criteria (Nuclear Engineering Procedure 5105.3),

, which includes the DCRDR Criteria Report. Nuclear Engineering Procedure 5105.3 was reported by the licensee as being revised to " ... include plant design standards and criteria for areas other than the control room."

i The licensee provided the Audit Team with a listing of Action Plan

modifications (Figure 3) that have (or will) affected the Control Room as of l

1 October 1986. These modifications have all been approved by the Procedure i Analysis Group for installation prior to Restart.

Based upon the information provided the Audit Team by the licensee, it

l. was concluded that the role of the human factors discipline in activities of the Action Plan was adequate.

3. , Evaluate the method used to validate the modified control room.

l The licensee has constructed two mock-ups. One unit is a full scale, photographic mock-up that reflects modifications to the control room prior to restart. A smaller unit, approximately one-eighth size, reflects the panel configuration following Cycle 8 and 9 DCRDR modifications.

7 l

ATTAC3 MENT 3.b-1 BFE Operator Control Room Change Identified By Status Desten Input Desten Input

1. AFW control Indep. DFC, EFR, 01, Open Early Early of (EFIC) ICS NUR, PRE, BW, Some Doc.

SE, AL

2. ADV Control Indep. DFC, SPR, 01, Open Early Early of ICS (EFIC) PRE, BW Sore Doc.

3. TSV Control Indep. DFC, IFR, 01, Open Early of ICS PRE, BW Some Doc.

4. Annuciation changes PRE, B&W,RCR Closed Early Ea rly AL Some Doc.

5. ICS/NNI Labels DFC, NUR, SE Open Early Early

6. 51/52 Labels EFR, TR, RCR Open Early Limited

7. ICS Power Dist. Label AL, NCR Closed Early Early *

~

8. Valve Pos. Indication DFC, SE Open Early Early (ADV, T5V, MFW, SUFW) ;

9. Trip MFP on ICS LOP DFC Open Limited Early

10. Trip ICS on NNI LOP DFC Open Limited Early

11. SC Labels AL Closed Early Early

12. SPDS parameters DFC, PRE Open Limited Early indep. of NNI

13. CSD Recorder DFC Open Limited Early Indep. of KNI

14. Replacement of CRCR Open Limited Early computer f4. e,l.,

15. Aux Steam Reducing AL, NRC, TR Open Limited Early Station

16. seatup/Cooldown Rate 01 Open Limited Early

17. SPDS Controls CRDR Open Early Early Source Doc

18. T8V Contreuers DFC, IFR, CI, Open Early Limited i PRE, SW l

! 19. MS Sus Loading Open Limited Limited I

l Light I *

20. TDI Diesels Open Limited Limited 1

SE System Engineer RFR 12/26/85 Transient suman Factor Review BW BWOG SP Progthm DFC Deterministic Failure Consequence Analysis PRE Precurser Review &L 12/26/85 Transient Action List NUR NUREC 1195 OE Operster Interviews TR 12/26/85 Transient Trip Report NRC NRC/SMUD Meeting 2/10/06 i RCR Root Cause Report i

Figure 3. Action Plan Modifications i

l 8

i r

i

~. .- --

. - . , ,n - -- - . . - - . . - ._ - --. - , . .- - __ - _ . - - -

h Utilizing'the guidelines developed in the DCRDR, the licensee intends

to validate the modified control room using the mock-ups and other devices with the analysis procedures of the DCRDR, including the system function and

~

task analysis, and verification and validation of the revised emergency j operating procedures (EOPs).

I'

{- The verification and validation will incorporate the DCRDR criteria ,

i report. This report was evaluated by the NRC team during the DCRDR in- i progress audit (Reference 3) and found to be acceptable for use in validat-ing the modified control room.

Based upon the information provided by the licensee, the audit team.

concluded that the licensee's program for validating the control room responses to abnormal and emergency conditions subsequent to modifications ;

j identified in the Action Plan is adequate.

l 4. Evaluate control room modifications that originated from the Action Plan.

l 1

i The licensee has constructed two mockups. One unit is a full scale, j photographic mockup that reflects modifications to the Control Room prior to l Restart. A smaller unit, approximately one-eighth size, reflects the panel

! configuration following the Cycle 8 and 9 DCRDR modifications.

4 The audit team evaluated the Action Plan modifications listed in Figure i 3. This review included detailed human factors engineering and operations l evaluations of the proposed modifications on the control room mock-up, and i the implemented modifications in the control room. It is the audit team's l judgment that the proposed and implemented modifications resulting from the

! Action Plan appropriately incorporate human factors engineering and opera-j tions principles.

The audit team evaluated the implemented and proposed modifications for l the nonnuclear instrumentation (NNI) and integrated control system (ICS)

power supply circuit breakers S1/S2. These modifications consisted of [

i switch position enhancements, power available indicator lights, schematics, l and labeling. It is the audit team's judgment that acceptable design J

- _ - - . _ _ , - - . - . . . . . . - - - _ ~ . - - , , w

modifications have been proposed and implemented on the ICS and NNI power supplies.

The audit team reviewed the licensee's plans and mocked up designs for l valve position indications for the turbine bypass valves (TBVs),' atmospheric

, dump valves (ADVs), and auxiliary feedwater (AFW) control valves. These modifications are being implemented by Engineering Change Notice ~R-0828.

Additionally, the ADVs and AFW control valves will be controlled from the

! emergency feedwater initiation control (EFIC) system panel. It is the audit j team's judgment that the proposed TBV, ADV, and AFW valve position indi-cators incorporate good HFE and operations principles.

I

The audit team evaluated the need to correct the noise problem asso-f ciated with the control room heating, ventilation, and air conditioning (HVAC). This review included an evaluation of the licensee's System Status Report for the HVAC and Test Specification for modifications made to reduce noise to an acceptable level. It is the audit team's judgment that the

, proposed HVAC modifications should result in a control room with an j acceptable HVAC noise level.

! The audit team also evaluated annunciator window H2PSB-64 "ICS SYSTEM l TROUBLE," which will alarm on the loss of + or -24 volts DC power buses i

only. This alarm gives the control room operators immediate indication that ICS is no longer functioning. A detailed description of this control room j modification is provided in item 6.4 on page 13 of Attachment 3. It is the audit team's judgment that the ICS system trouble annunciator modification is acceptable from human factors engineering and operations needs.

In the course of conducting this audit, the audit team noted a preponderance of modifications affecting the feedwater control system and its relationship to the control room. According to reactor operators and instrument and control technicians, feedwater system control problems have been experienced in varying degrees throughout the life of the plant.

Previous system modifications to resolve control problems, such as system oscillations, have not resolved the problems to the satisfaction of the reactor operators. At the time of the audit, the System Review and Test Program for the feedwater system had not been formulated, and thus the acceptability of system modifications and the interface between the 10

feedwater control system and the control room could not be fully evaluated.

To assist the staff in assuring that feedwater operational control and human factors concerns are addressed, the licensee was asked to provide NRC with supporting documentation. The feedwater control system documentation should include the fecdwater system restart test plan, acceptance criteria, and

results of the tests performed on the system.

In summary, the audit team evaluated all of the control room modifica-tions that originated from the Action Plan. The audit team found the Action Plan modifications acceptable. The audit team, however, identified a con-cern related to modifications and testing of the feedwater control system.

As a result, the NRC requested that the licensee provide the staff with the feedwater system restart test program, acceptance criteria, and test

~

results. -

5. Human Factors Issues The Audit Team inspected modifications already implemented in the control room and proposed restart modifications fabricated on the full scale mock-up. All control room related modifications listed on Figure 3 were evaluated. The purpose of this evaluation was to determine if the control room modifications correct the original human engineering disc' epancies r and will not introduce new human engineering discrepancies. Details of the evaluation of specific items of concern are provided below.

1 5.1 Address the need for better diagnostics for bretker position indica-tion

Modifications to address this item have been completed on the ICS panel, including power supply status indication, breaker position indica-tion, and power supply schematics. The NNI cabinets only had the power supply schematic installation at the time of the audit. Based on a visual survey of the modifications, it was concluded that corrective actions imple-mented or planned are adequate.

, 11

-*w e -w yt --m -N+-----+----=m--ytw +-w- -

f 5.2 Address the need for valve position indication for TBVs, ADVs, and AFW control valves.

Based on a survey of the modifications installed on the mock-up, the

, Audit Team concluded that the valve position indication concerns will be resolved by the planned Control Room modifications.

5.3 Address the need to correct the noise problem associated with the control room HVAC.

4

The licensee provided the Audit Team with the " Control Room Tech l Support Center Essential HVAC System Status Report", Revision 1, dated 08-07-86 for review. Based upon review of this report, the Audit Team j concluded that the licensee has established a program of identification,

- modification, and testing to resolve the noise concerns.

5.4 Address the desirability of having separate alarms for "ICS" and " Fan Power Failure."

This problem has been resolved by separating the ICS from the Fan Power f Failure annunciator tile. The ICS part of the alarm is now a single input

annunciator tile, which indicates ICS TROUBLE, and the Fan Power Failu're l part of the tile has been moved into the computer alarm system. Evaluation

, of the modified ICS TROUBLE tile in the control room revealed that- this I

human engineering discrepancy has been satisfactorily resolved.

l Based upon the findings of the Audit Team in the areas addressed above,

the Team concluded that the licensee is implementing an adequate program to l

resolve these human factors issues.

l 6. Detailed Control Room Design Review Concerns and Findings i

j The following findings are related to the Detailed Control Room Design Review (DCRDR). In the NRC staff's previous review of these activities, the

} NRC identified several concerns related to the in-progress audit findings I (Reference 3) and Summary Report evaluation (Reference 5) that needed to be '

addressed during the audit. The audit team's DCRDR findings are provided below.

12

--nen,-,,, vn.e., -----~.-,-r-r,----g--__,---v~._ www- ,--.w,,,wmma,,m,,,,m,-,,--.e-v----- e m _ ,,w w-,-y7

-,-,,,-rrw ,-

^

6.1 The Sumary Report did not indicate that Emergency Operating Procedure Cautions, Notes, and Status Tasks were analyzed following the NRC in-progress audit.

The licensee made a written commitment (Attachment 6) to analyze Emer-gency Operating Procedure Cautions, Notes, and Status Tasks in accordance I

with DCRDR procedures. 'In addition, the licensee made a verbal comitment to perform a task analysis of any new operator tasks resulting from an Emergency Operating Precedure rewriting project, which was in progress at the time of the audit. It is the audit team's judgment that the licensee's

comitments will satisfactorily resolve this DCRDR concern. However, -it will be necessary for the licensee to docket a confirmatory comitment with NRC.

u i -

6.2 The Sumary Report did not indicate that the licensee developed a formal procedure for performing a task analysis of new operator tasks 4

introduced into the control room by E0P revisions.

4 Rancho Seco utilizes four administrative procedures for. Emergency Operating Procedure preparation. Administrative Procedures 47 and 47A are the Emergency Operating Procedure Writer's Guide. Administrative Procedure j 48, " Verification of Emergency Operating Procedure", assures technical accu-

racy of the E0P when compared to plant technical data. Administrative Procedure 49, " Validation of Emergency Operating Procedures", assures com-patibility of the procedures with the plant and operator training.

The Audit Team reviewed these procedures, and noted the following examples of steps within Administrative Procedures 48 and 49 that address task analysis issues in intent:

l l

o Administrative Procedure 48, Enclosure 4.4, Verification Criteria

. Checklist for Technical Accuracy

) 2.4 Plant Hardware Information l 1. Is the following plant hardware specified in the j Emergency Operation Procedures available for operator use and accurately named:

i i

13 t i

I' 1. equipment

2. controls

3. indicators

) 4. instrumentation o Administrative Procedure 49, Enclosure 4.2, Walk-Through Valida-I tion

1. Are instruments and switches r. umbered and controls

!' properly identified and correct?

o Enclosure 4.3, Simulator Validation i

16. Are instrument scales accurately and appropriately

. . specified when needed and are they in the same unit as the instrument and readable by the operator?

It was also understood by the Audit Team that modifications to the

Control Room will be analyzed by a human factors expert in accordance with l

Nuclear Engineering Procedure 4123 for operational impact, and if such l

impact is noted, affected procedures reviewed. Since Nuclear Engineering j Procedure 4123 was in preparation, the total extent of human factors engi-l neering participation in procedural review could not be determined.

l i Based upon the information provided by the licensee and the review of procedures by the Audit Team, it was concluded that the licensee ha: an adequate program for performing task analysis of new operator tasks required by Emergency Operating Procedure revisions.

6.3 The Summary Report did not include an indication that procedure A.52

" Hydrogen Purge Procedure," was task analyzed as recommended in the in-

, progress audit.

The licensee stated in item 7.3 of Attachment 6 that it will perform a task analysis of A.52. Based on this commitment, and discussions with the licensee, it is the audit team's judgment that the licensee will satisfac-torily perform a task analysis of A.52 in accordance with DCRDR procedures.

14

-, . - - _ _ - - . . _ = - . - . . . . - -_ .. - - ..

. ~

However, it will be necessary for the licensee to docket this commitment with the NRC.

6.4 . Comparison of operator information and control requirements identified l during ' task analysis of Emergency Operating Procedure Cautt'ons, Notes, and Status Tasks; new Emergency Operating Procedure tasks and pro-cedure A-52 tasks to the control room inventory.

The licensee stated in item 7.3 of Attachment 6 that this comparison i will take place. It is the audit team's judgment that this commitment will satisfactorily resolve this concern. We recommend that the licensee docket this commitment with the NRC.

6.5 Assessment of any new human engineering observations identified during i -

additional task analyses needs to be completed. i

The licensee stated in item 7.5 of Attachment 6 that if any new human engineering observations are generated by additional task analyses, they j will be addressed in accordance with DCRDR procedures. It is the audit

! team's judgment that this commitment appropriately addresses the procedure l for assessment of new human engineering observations. It will be necessary for the licensee to docket this commitment with the NRC.

6.6 Review of proposed changes laid out on the control room mock-up and implemented in the control room.

I

! The audit team performed a detailed evaluation of the Action Plan j modifications along with a review of fuel Cycle 8 and 9 DCRDR modifications.

The DCRDR-related modifications (see Attachment 5) will be implemented

during fuel Cycles 8 and 9. The DCRDR modifications are being developed by l Babcock and Wilcox in their Lynchburg, Virginia, facility, but were laid out on the control room mock-ups at Rancho Seco. Thus, the audit team was able l

to evaluate proposed DCRDR control room modifications.

4 f It is the audit team's judgment that the proposed control room

[ modifications effectively incorporate human factors engineering and

! operations principles. Further, it is the audit team's judgment that the l DCRDR modifications, along with the Action Plan restart modifications, i 15 1

i

should result in a significantly improved control room. It is our judgment that the licensee meets the Supplement I to NUREG-0737 requirement for the selection of design improvements.

6.7 Verification that the proposed control room modifications ' correct the human engineering discrepancies and do not introduce new human. engi-neering discrepancies.

The licensee stated in item 7.7 of Attachment 6 that it will perform a verification that the control room modifications correct the human engineer-ing discrepancies discovered during additional task analyses and do not introduce new human engineering discrepancies. Discussions with the licen-see indicated that the verification process will be done in accordance with the DCRDR. Therefore, it is the audit team's judgment that the licensee meets the Supplement I to NUREG-0737 requirement for the verification 'that control room modifications correct the human engineering discrepancies and do not introduce new humari engineering discrepancies. However, we recommend that the licensee docket this commitment with the NRC.

CONCLUSIONS

The purpose of the Rancho Seco audit was to evaluate the control room

( modifications resulting from the Sacramento Municipal Utility District's Action Plan for Performance Improvement and the detailed control room design l

review. The Action Plan was developed in response to the December 16, 1985, loss of integrated control system power and overcooling transient at Rancho Seco. The detailed control room design review was performed in response to Supplement I to NUREG-0737 requirements. Both the Action Plan and the detailed control room design review resulted in a significant number of modifications to the control room.

With regard to the Action Plan, the NRC audit team concluded that the control room related modifications resulting from the restart Action Plan incorporate acceptable operational and human factors engineering considera-tions. The audit team did, however, identify a concern regarding the adequacy of the feedwater control system to meet operational requirements.

As a result, the NRC requested that the licensee provide the staff with the 16

feedwater control system restart plan, acceptance criteria, and a summary of test results. These should be provided to NRC prior to plant restart.

With regard to the detailed control room design review concerns, the audit team concluded that all processes and control room modifications proposed by the licensee are acceptable. Further, it is the audit team's judgment that Sacramento Municipal Utility District has satisfactorily met the Supplement I to NUREG-0737 requirement for a detailed control room design review. In order for the staff to complete its evaluation of the Rancho Seco detailed control room design review, it will be necessary for the licensee to docket the confirmatory documentation and commitments listed below.

DOCUMENTATION NEEDS .

1. Action Plan documentation needs.

1. A description of the startup test program (with acceptance cri-teria) for the main feedwater control system and a summary of the test results. The staff desires to review the scope and depth of the test program prior to the test execution.

2. DCRDR Confirmatory Documentation Needs

1. Commitment to perform a task analysis of Emergency Operating Procedures, Cautions, Notes, and Status tasks along with new operator tasks identified as a result of the Emergency Operation Procedures rewrite project.

i

2. Commitment to perform a task analysis of Hydrogen Purge Procedure A.52.

, '3 . Commitment to compare the information and control requirements identified in items 1 and 2 with the control room inventory to l

I verify control and display availability and suitability.

4. Commitment to perform an assessment of new Human Engineering Observations identified during additional task analyses.

17

5. Commitment to perform a verification that the proposed solutions resolve human engineering discrepancies and do not introduce new human engineering discrepancies. .

4 l.

1 i

l o

I 1

f l

j i

f l

t 18 I

N

_m..n_-,,,,,,,_.n.~,_-_.,.,-. _ , . , , . _ , , , , , _. , __ , _ _ ,

e -

v- ,v.,-~~n,~, _ _

. i REFERENCES

1. " Action Plan for Performance Improvement," Sacramento Municipal Utility District, Rancho Seco, July 1986.

2. Supplement I to NUREG-0737, " Requirements for Emergency Response Capability" (Generic Letter No. 82-33), U.S. Nuclear Regulatory Commission, December 1982.

3. Results of the October 28 - November 1, 1985, In-Progress Audit of the Rancho Seco Nuclear Generating Station Detailed Control Room Design Review, U.S. Nuclear Regulatory Commission, January 9,1986.

4. " Sacramento Municipal Utility District's Rancho Seco Nuclear Generating

. Station Unit No. I's Control Room Design Review Summary Report,"

attachment to letter from R.J. Rodriguez, SMUD, to Frank J. Miraglia, USNRC, dated December 27, 1985.

5. Memorandum from D.M. Crutchfield, NRC, to S. Miner, NRC,

Subject:

Review Results of Rancho Seco's Summary Report of the Detailed Control Room Design Review, dated June 10, 1986.

I 19

r' s

e ATTACHMENT I AUDIT PLAN OUTLINE O

a l

., Enclosure 2 AUDIT PLAN FOR THE SAFETY EVALUATION OF RANCHO SECO'S ACTION PLAN FOR PERFORMANCE IMPROVEMENT CONTROL ROOM MODIFICATIONS OBJECTIVE The objective of the plan is to identify and document the scope, depth, and tasks for the subject audit. This audit plan will be forwarded to the licensee

~ '

prior to the audit as an aid to prepare documents and schedule personnel to A support the audit. This audit plan will also be forwarded to the staff's contractors as an aid to schedule personnel and prepare for the audit. The staff's goal in the audit is to collect and evaluate data to allow us to prepare a Safety Evaluation Report (SER) on the Action Plan, the Detailed l Control Room Design Review, and the upgrade Safety Parameter Display System.

BACKGROUND By letter dated July 3,1986, Sacramento Municipal Utility District submitted for NRC staff review an Action Plan for Performance Improvement (Reference 1) at the Rancho Seco Nuclear Generating Station. The Action Plan was developed in response to the December 26, 1985 overcooling event at Rancho Seco. The

! licensee describes the Action Plan as a systematic investigation to look far beyond the specific problems associated with the incident, with the goal of l '

identifying and implementing an array of corrective actions, which will address the root cause of past performance problems.

The licensee describes the objectives of the Action Plan as follows:

1. Reduce reactor trips;

2. Reduce challenges to safety systems;

+

3. Assure the plant remains in the post-trip window (the allowed ranges of reactor coolant system pressures and temperatures immediately following a reactortrip);

4. Assure compliance with license requirement;

5. Minimize the need for operator actions outside the control room;

6. Improve the reliability and availability of the plant.

The Action Plan is structured to achieve these objectives through the implementation of a number of individual program elements. The program elements are structured to analyze and identify deficiencies in plant design, operations, operating procedures, management, etc; to evaluate and implement actions to correct these deficiencies; and to verify the actions taken.

In the staff's initial review of the Action Plan and in our discussion of the plan with the licensee's personnel (SMUD-NRC Meeting, August 14,1986),we noted that numerous modifications to the control room were identified by the licensee. Because of the functional scope of these modifications ar.d because of the need to review current products from the Action Plan, the staff concluded a site audit would be the most effective means of performing the safety evaluation.

AUDIT SCOPE

+.

Several program elements within the Action Plan have identified modifications to annunciator windows, control board labels, instrumentation and controls.

I The licensee is also conducting a Detailed Control Room Design Review (DCRDR) in conformance with the Commission approved requirements presented in NUREG-0737, Supplement 1. The staff's review comments on the licensee's DCRDR Summary Report are presented in Reference 2.

In terms of audit scope, the staff plans to audit the process used by the Action Plan to identify control room modifications and also to evaluate the products of the modifications for compliance to the DCRDR process and guidelines. Furthermore, we request that the licensee respond to the staff's comments on the DCRDR. Specific details on these issues are identified in the enclosed Audit Agenda.

Also during the audit, the staff will evaluate the licensee's proposed modifications in the Safety Parameter Display System (SPDS), which are to:

1. Human factor the alphanumeric display formats;

2. Upgrade of the SPDS to safety grade status.

. The staff will utilize the guidance within Regulatory Guide 1.97,

" Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess An Accident," to evaluate the upgrade of the SPDS to safety grade status. The staff's review will evaluate both hardware and software for the SPDS. In the review of the software, the staff plans to utilize the guidance within Regulatory Guide 1.152, " Criteria For Programmable Digital Computer System Software In Safety-Related Systems of Nuclear Power Plants," dated November 15, 1985 and in ANSI /IEEE-ANS-7.4.3.2-1982 (Reference 3). Specific details on these audit tasks are identified in the enclosed audit agenda.

AUDIT AGENDA Table I contains an agenda of activities for the audit. The agenda is subdivided into tasks for the NRC audit team and for the licensee. These tasks identify the type of documents the licensee should collect to support the audit.

AUDIT SCHEDULE Based on the scope of the agenda and our experience with previous DCRDR and SPDS audits, the staff estimates that the technical audit will require three days of effort. We anticipate that two days will be required to perform the Action Plan and DCRDR tasks. We plan to spend one day auditing the upgrade of the SPDS, but we anticipate this will require parallel review sessions, one for hardware and one for software.

I e e

4 i

6 1

4 I

l

6 Comment The audit team and the licensee agreed that the paper walk-through was a preview of a more detailed V&V audit to be conducted pending completion of the software effort by the licensee. The walk-thFo'u gh'was tentatively scheduled for January 1987, at the B&W offices in Lynchburg, Virginia. The staff requested that the licensee have the system hardware designer and the system software designer at the audit.

NRC Q 9.5 -

Describe the features of the design process and display system that serve as guards against common mode failures / errors.

Response ,

The B&W data handler (common mode failure) was removed from the SPDS. This removes two potential common mode failure points. The SPDS is a redundant system with independent battery-backed power.

Comment l The B&W data handler system contained a CCU and a data handler. This arrangement commoned Channel A and Channel B safety-grade signals at the input t to the CCU and also commoned SPDS I and SPDS 2 at the output of the data handler.

The audit team discussed their concerns with respect to the common mode failures of the software in addition to that of the hardware. The licensee -

}

will address the aspects of common mode failure in the software and submit their findings to the staff. This is an open issue.

l 4

TABLE I AUDIT AGENDA I.. ACTION PLAN The following tasks relate to the Action Plan, and are divided in tertns of the NRC Audit Team and the Licensee.

NRC AUDIT TEAM LICENSEE

, 1. Conduct Entry Briefing

Identify scope of audit

Establish daily schedule for audit.

I 2. Evaluate the process 2. Identify and list the ' functional used to identify and make steps within the Action Plan that changes to the control room. result in a modification to the control room, then compare these steps to the process used for the Detailed Control Room Design Review.

3. Evaluate the role of the 3. List all control room modifications human factors discipline in identified by the Action Plan and for

. the Action Plan modifications. each modification discuss the role of the human factors discipline in the Action Plan which led to the modific-action.

4. Evaluate the method used to 4. Identify and discuss how the control validate the modified control room will be validated for responses room. to emergencies and abnormal events subsequent to the design modifica-tions identified.by the Action Flan.

5. Select and evaluate several 5. Conduct a walk through of how control room modifications execution of the Action Plan that originated from the identified control room Action Plan. (e.g., modifications. Provide and discuss Non-nuclear Instrument System documentation of the system studies

. Status Report) that identified the control room modifications.

Evaluate documentation Provide and discuss documentation on design for control room modifications.

. 6. Evaluate licensees 6. Human Factors Issues:

response to human factors issues 6.1. Address the need for better diagnostics for breaker position indication, e.g.;

simplified electric

! schematics.

6.2. Address the need for valve position

indication for TBVs, l ADVs, and AFW control l valves. ,

. 6.3. Address the need to correct the noise i problem associated i

with the control room's HVAC.

6.4. Address the desirability I

of having separate alarms

, for "ICS" and " Fan Power i Failure."

t l II. DETAILED CONTROL ROOM DESIGN REVIEW The following audit tasks relate to the Detailed Control Room Design Review.

In the staff's previous review of these activities, we identified several concerns related to the in-progress audit findings and sumary report evaluation that should be addressed by the licensee during this audit. These concerns are:

NRC AUDIT TEAM STAFF'S CONCERNS

7. Evaluate licensee's response 7.I. The Sumary Report did not indicate that E0P Cautions, Notes, and

. Status Tasks were analyzed follow-ing the NRC in-progress audit.

7.2. The.Sumary Report did not indicate that the licensee developed a femal procedure for performing a task analysis of new operator tasks

introduced into the control room by l E0P revisions.

l

. - . - - - - - , , , , , , _ - - - - . . - , , , , . - , , ~ , _ . . . - - - , . . - . , _ - - _ - - , . _ -

3-7.3. The Summary Report did not include an indication that procedure A.52

" Hydrogen Purge System Procedure,"'

was task analyzed as recomended in the in-progress audit.

7.4. Comparison of infomation and control requirements identified in items 7.1 and 7.3 with control room inventory to verify control and display availability and suitability need to be completed.

7.5. Assessment of new HEOs identified during additional task analyses, i.e., E0P Cautions, Notes, and.

- Status Tasks, need to be completed.

7.6. Given the major extent of the a proposed control room changes, and the fact that some designs such as EFICs were not finalized at the time of the Sumary Report, we do not have the information to judge the adequacy of the proposed changes. We recommend that the ,

licensee implement the proposed changes on the DCRDR mockup for l~ evaluation by the NRC.

I i

7.7. Verification that the proposed solutions resolve the HEOs/HEDs and do not introduce new HEDs needs to be completed for HE0s/

HEDs identified during E0P Cautions, Notes and Status tasks.

- III. SAFETY PARAMETER DISPLAY SYSTEM (SPDS) AND RG 1.97 i

The staff's safety evaluation of the licensee's SPDS is presented in Refererrces 4 and 5. The safety evaluation is incomplete and the licensee's progress on the open issues that remain will be evaluated during the audit.

These issues are:

NRC AUDIT TEAM LICENSEE 8.1. Evaluate design method and 8.1. Describe the re-design of the design products for compli- alphanumeric display formats. If ance to human factor available, provide the re-designed principles. display fomats for evaluation by the NRC audit team.

l

. l l 8.2. Evaluate the design data for 8.2.. Provide SPDS design data for the

, compliance to human factor assessment of the radioactivity principles. control function.

8.3. Evaluate the adequacy of 8.3. As the SPDS will be upgraded to the isolation devices. safety grade status, provide data on the isolation devices used to suitably isolate the SPDS from i electrical interference with equipment and sensors that are used in.non-safety systems. The specific data required by the staff to evaluate the isolation device are identified in Reference 4.

RG 1.97 ,

For the staff's previous evaluation of the SPDS, the display system was 4

reviewed as a non-safety grade system. The licensee's Action Plan describes a j n' program that will upgrade the SPDS, which will then allow it to be used to 4

comply with RG 1.97 requirements to monitor plant process variables.. The staff must now re-evaluate the licensee's SPDS for compliance t) RG 1.97 requirements.

This review effort will require data on the design of the hardware and of the software. The staff's review tasks and data requests from the licensee are:

i NRC AUDIT TEAM LICENSEE 9.1. Evaluate schedule for 9.1. Provide a schedule for the restart date and completion upgrade of the SPDS to safety of SPDS upgrade. grade status. Discuss how compli-ance with RG 1.97 requirements will be achieved if the completion of the upgrade is after the plant's restart date.

9.2. Evaluate the boundary of the 9.2. Identify and discuss the scope of upgrade. the upgrade in terms of hardware involved and interfaces with other systems, including safety and non-safety systems.

9.3. Evaluate conformance of the 9.3. Address the conformance of the software to RG 1.152. software to Regulatory Guide 1.152, " Criteria for Programable Digital Computer Software for Safety-Related Systems of Nuclear Power Plants." This Regulatory Guide Endorses ANSI /IEEE-ANS-7-4.3.2-1982(Ref-erence3). Also, provide documen-tation, such as test reports,

" K -. - - -_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ - _ . . _ _ _ _ - _ _ _ - _ - _ _ _ _ _ , _ _ - _ _ _ _

~ '

I verification reports etc. that are

' the products of the verification and validation effort.

9.4. Select a minimum of two 9.4. Conduct a walk through of the process sensors whose hardware and the software for the signals are used by the SPDS. selected signals. Discuss and illustrate how the signals are processed. Identify points in the walk through where verification and validation activities occurred.

Evaluate walk through. -

9.5. Evaluate guards against 9.5. Describe the features of the design conmon mode failures / errors. process and of the display system that serve as guards against common mode failures / errors'. .

9.6. Evaluate the maintenance and 9.6. Describe the maintenance and con-a configuration <,ontrol figuration control program for the program. display system. Provide.the procedures that will be used to modify the software.

9.7. Evaluate reliability 9.7. Describe the results of a analysis, reliability analysis that compares the reliability of the upgraded computer based SPDS and a hypothetical implementation of the same display function using analog hardware.

9.8. Evaluate compliance of the 9.8. Provide the documents and data that systems's hardware to' illustrate the. upgraded SPDS complies industry and regulatory with industry and regulatory criteria and standards for criteria and standards for safety-safety related systems. related systems (ie. IEEE Std 323, 1974 Standard for Qualification of Class IE Equipment for Nuclear Power Generating Stations, IEEE Std 344-1975, Recommended Practices for Seismic Qualification of Class IE Equipment for Nuclear Power, etc per RG 1.97.

9.9. Evaluate the restart pro- 9.9. Describe the steps needed to cedure and the design.of restart an upgraded SPDS upon a the display system. total loss of power to the system.

1

?

e t ,

i n

1 9.10. Evaluate the technical 9.10. Provide and discuss the technical specification proposed for specification that is to be used the system. for the operational syttem.

Discuss the scope and depth of the tests used to evaluate operability of the system. Also discuss the technical basis used to select the test period.

10. Exit Briefing

Preliminary observations and results from audit.

b t

- . . - . - - _ ,_ . _ _ _ - . .m . _. _

t a

9 e

f i

l ATTACHMENT 2

)

LIST OF MEETING ATTENDEES e

1 i

s NRC ENTRANCE MEETING ATTENDEES September 29, 1986 8:30 A.M.

N_amg Title Phone D.H. Schultz Comex/NRC 206-786-8388 J.S. DeBor SAIC/NRC L. Beltracchi NRC 301-492-7648 L.T. Conklin SMUD/I&C Engr. 916-452-3211 M.K. Hentschel ,

Restart PE Elect /I&C 916-452-3211 J. Williams SMUD/I&C Des. Supv 916-452-3211 D. Whitney SMUD/ Licensing 916-452-3211 '

. Dan Poole SMUD, Plant Manager 916-452-3211 Don Gillispie SMUD, Mgr Nuc Engr 916-452-3211 x 4964 Dallas Scott B&W/SMUD I&C 916-452-3211 x 4981 Bill McDaniel SMUD Restart Proj. Eng. 916-452-3211 x 4950 George Coward SMUD Deputy Restart Mgr. 209-333-2935 Jerry Delazenski SMUD - Licensing 209-333-2935 x 4909 I. Ahmed NRC G. Kalman NRC 301-472-8044 A.E. Nolan EG&G Idaho, Inc. 301-492-4592 K.T. Perkins SMUD R.I.M.

Glen P. Perez USNRC, Resident 209-748-2791

( Steve Redeker Nuclear Operations Mgr/SMUD 916-452-3211 x 4353 Tony D'Angelo USNRC Resident 209-748-2791 D.M. Prorch SMUD/I&C 916-452-3211 Charles England Babcock & Wilcox/Lynchburg 804-847-3753 Ray Ashley SMUD/ Man. of Licensing i

e t

l

O

+

ATTACHMENT 3 PRELIMINARY ACTION PLAN COMMITMENTS e

e, l

G l

l

e t e

RANCHO SECO INPUT TO

- SAFETY EVALUATION OF ACTION PLAN FOR PERFORMANCE IMPROVEMENT COffrROL ROOM MODIFICATIONS

.i p

PREllMINARY I

e l

l 1 e l

I. A N ON M - , (

-l.0 The following are Distric responses to NRC questions and concerns relating to the Action Plan.

2.0 Identify and list the functional steps within the Action Plan that results in a modification to the control room. Compare these steps to the process used for the Detailed Control Room Det,ign Review.

2.0 Response The program elements identified by the Rancho Seco Action Plan for Performance Improvement (Action Plan) are:

9 Department Managers Hardware and Programmatic Recommendations, GP Management Process Review, 9 Systematic Assessment Process (QCI-12,)

Gk System Review and Test Program (SRTP).

Each of these program elements have been described in the Action Plan. Control room changes could result from any of these program elements. However, physical changes are not anticipated to result from the Management Process Review.

Both physical and procedural control room changes are

- anticipated from the remaining program elements.

Department Managers Hardware and Programmatic Recommendations The department managers hardware and programmatic recommendations are -

reported in sections 4B and 4C of the Ac, tion Plan. This element consisted of an assessment of the plant design, management, operations I and administrative system deficiencies that was conducted based on the l

functional organizations' knowle.dge and existing documents of previous evaluations by others. The following sources were used as input to this assessment:

9 LRS Management Audit 9 INPO Audit Reports 9 Commitment Lists O American Nuclear Insurers (ANI) Open Items e IAG Report 85-41 Systematic Assessment Process (OCI-12)

The systematic assessment processs is described in section 4A of the Action Plan. A brief review follows:

The systematic assessment process program clement is a result of quality procedure QCI-12 which consists of the following phases:

A. Investigation B. Validation C. Approval D. Implemenation E. Closure 1 1017G l

- . . ~ . - ~ . .~*

t PRE.lMINARY The Action Plan modification items are the result of'the first I three phases A. The investigation phase includes the following items:

( l. Selected projects are thgse that are identified by the l Performance Improvement Manager on the basis of known

! problems or sensitivities in the plant.

! 2. Precursor Review is the process for the systematic -

review of documents directly asssociated with the plant operating history and of other documents that had or could have had an impact on that history.

3. The process of plant staff interviews identifies any previously unidentified, but known, problems which may-'

impact the safe or reliable operation of systems or -

components.

4. Deterministic Failure Consequences (DFC) Analyses is an analysis to identify areas where failures of plant systems or procedural inadequacies could potentially result in unnecessary reactor trips, unsatisfactory post-trip response, undue challenges to the operators or '

challenges to the safety systems.

5. BWOG Safety and Performance Improvements (SPI) program is the interface between the BEW Owners Group and the Rancho Seco Performance Improvement program.

6. December 26, 1985 Event /NUREG 1195 Action List incorporates the items identified on the December 26, 1985 Event Action List into the Rancho Seco Plant's Performance and Management Improvement Program.

~

B. The validation phase is the process used by the Recommendations Review and Resolution Board (RRRB) to determine whether the recommendation is valid or invalid, redundant to another recommendation; and to determine the system which is affected by the recommendation.

C. The approval phase is the process used by the Performance Analysis Group (PAG) to disposition, assign priority, assign an organization for action and approve or disapprove the recommendation for the Rancho Seco Performance Improvement Program.

The Implementation and Closure phases of the Systematic Assessment Process are detailed in Nuclear Engineering Procedure (NEP) 4109, Rancho Seco Configuration Control Program. A copy of NEP 4109 is being provided.

System Review and Test Program The system review and test program element consists of two review programs. The first program is called the System Review and Test Program (SRTP). The SRTP is structured to provide a systems review of issues, recommendation and test results. The purpose of the SRTP is to assure that the systems have retained their FSAR 2 1017G

PRELIMINARY .

- functional basis and have been adequately tested. The SRTP is

! described in section 4D of the Action Plan. The second program is called the System Functional Review. The purpose of this program is to provide a more detailed review of reliablility and component design criteria for the five systems identified as dominant causes for severe and complex post-trip plant response.

Comparison of Action Plan to CRDR The Action Plan (like the CRDR) is a method of identifying a need to modify the plant. Some of the needs identified as the results of the Action Plan program elements have been or will be modifications in the control room. Because the Action Plan looks at the whole plant (not just the control room), its focus is broader scoped than the CRDR process. .

Many of the phases of the program elements of the Action Plan are similar to steps within the CRDR process. The Action Plan is analogous to the CRDR Program Plan. They both explain the steps necessary to identify the need to perform a modification to the -

plant. The Systematic Assessment Process contains the Precursor

~

Review process which is analogous to the Historical Document Review step of the CRDR Operating Experience Review. The Plant Staff Interviews were modeled after the operator interviews, the second step of the CRDR Operating Experience Review.

The System Review and Test Program is duplicating (on a plant wide basis) the System Functions identification step of CRDR System Function and Task Analysis. The Control Room Survey was an i evaluation of the hardware in the control room. This is the same task addressed by the Systematic Assessment Process in the Systems Reviews, Deterministic Failure Consequences (DFC) analysis and the BWOG SPI program. CRDR Task Analysis is a table-top discussion of the procedures. The DFC analysis conducted table-top discussions, postulating component failures and color coding drawings to determine system / operator response to these failures. The test program of SRTP ensures the usability of the systen. This is analogous to the validation of Control Room Function for CRDR.

The assessment of recommendations is performed by the Recommendation Review and Resolution Board (RRRB) and the Performance Analysis Group. This activity is similar to the Assessment Phase of the CRDR. Implementation of Action Plan recommendations is then performed in accordance to the priorities

established by the plan (same as CRDR Process). Ohanges to the plant are explained below in the Modification Process.

Modification Process Nuclear Engineering Procedure (NEP) 4109 is the detailed configuration control document governing the initiation, review, issuing and revision of design documents (ECNts, DBR's, DVR's, DCN's).

1017G 3

~

PREllMINARY This procedure also provides detailed information on closure of ECN's at completion of a modification. This procedure governs all changes-to the plant whether identified by the CRDR Process or the Action Plan activities.

3. Evaluate the role of the Human Factors (HF) discipline in the Action Plan modifications. List all Control Room modifications identified by the Action Plan (Amendment 1) and for each modification, discuss the role of the H.F. discipline in the action plan which led to the modification.

3.a Response For every modification that results in an ECN, the modifica' tion will be evaluated using Nuclear Engineering Procedures (NEP) 4123' for human factors implications. This NEP is under development.

For those modifications that have H.F. implications, the design should conform to the Centralized Plant Controls Criteria (Nep 5105.3). NEP 5105.3 will be revised to include the CRDR Criteria Report. NEP 5105.3 will also be expanded to include plant design

~

standards and criteria for areas other than the control room.

This' revision is in progress. To evaluate the design, a H.F. -

analysis will be performed on all modifications with H.F.

implications. This analysis will be performed using the techniques developed during the CRDR process and referenced in NEP 4123. These guidelines are in the CRDR files. These guidelines are being revised to focus on modifications rather than the entire control room and are being written as an Analysis Guide in the NEP's.

3.b Response Attachment 3.b-1 lists the current modifications to the control room, the method by which the change was identified, and the design input from operators and HP discipline. The H.F.

discipline within the Action Plan was involved in three areas, the H.F. post transient analysis, the QCI-12 based Plant Interviews, and through normal engineering procedures for plant modifications.

After the December 26, 1985 transient, a human factors analysis of the transient was performed. . This analysis included operator interviews, a review of documents generated by other groups analyzing the transient, a review of raw data generated from the transient and a comparison of the findings to the results of the

- CRDR Summary Report. This analysis generated several recommendations, as can be seen in the. Action Plan on pages 4B-28 thru 4B-30. The operator training associated with FV-20527 &

FV-20528 has been completed, local hand-jack position indication for FV-20527 & FV-20528 has been added, the Security / Control Room interface has been improved, a long cord will be added to the red phone and the ICS and NNI power supply breakers Sl/S2 are relabled.

1017G 4

~

?RRNEARY The Plant Interview program was designed using H.F principles and executed using H.F. techniques. Any valid recommendations generated from this process were analyzed using the same process as all other action items associated with the Action Plan.

All Control Room modifications generated by the various programs within the action plan will be analyzed using standard procedures. NEP 4123 will define the role of the H.F. discipline within the procedures for plant modifications.

O e

e W

l l

1 l

l 5 1017G

- ATTACEMENT 3.b-1

- HFE Optrator Control Room Change Identified By Status Design Input Design Input AFW Control Indep. DFC, HFR, OI, Open Early Early 1.

of (EFIC) ICS NUR, PRE, BW,- Some Doc.

k SE, AL ADV Control Indep. DFC, HFR, OI, Open Early Early 2.

of ICS (EFIC) PRE, BW Some Doc.

TBV Control Indep. DFC, HFR, OI, Open Early 3.

of ICS PRE, BW Some Doc.

Annuciation changes PRE, B&W,RCR Closed Early Early 4.

AL Some Doc.

5. DFC, NUR, SE Open Early Early ICS/NNI Labels

6. S1/S2 Labels HFR, TR, RCR Open Early Limited ICS Power Dist. Label AL, NUR Closed Early Early 7.

Valve Pos. Indicaticn DFC, SE Open Early Early .

8.

(ADV, TBV, MFW, SUFW)

9. Trip MFP on ICS LOP DFC Open Limited Early

10. Trip ICS on NNI LOP DFC Open Limited Early AL Closed Early Early

11. SG Labels

12. SPDS parameters DFC, PRE Open Limited Early Indep. of NNI

13. CSD Recorder DFC Open Limited Early Indep. of NNI

14. Replacement of CRDR Open Limited Early computer R2->sja,

15. Aux Steam Reducing AL, NRC, TR Open Limited Early Station

16. Heatup/Cooldown Rate 01 Open Limited Early f

Oper Early Early

17. SPDS dontrols CRDR l

Source Doc

18. TBV Contrduers DFC, HFR, OI, Open Early Limited

~

PRE, BW

19. NS Bus Loading Open Limited Limited

' Light

20. TDI Diesels Open Limited Limited

\

SE System Engineer HFR 12/26/85 Transient Human Factor Review BW BWOG SP Program DFC Deterministic Failure Consequence Analysis f PRE Precurset Review AL 12/26/85 Transient Action List NUR NUREG 1195 OI Operator Interviews

,! TR 12/26/85 Transient Trip Report NRC NRC/SMUD Meeting 2/10/86 RCR Root Cause Report

. PEllMINARY 4.0 Identify and discuss how the control room will be validated for response to emergencies and abnormal events subsequent to the design modifications identified by the Action Plan.

4.0 Response Based on the guidelines developed during the CRDR, the control Room will be validated by performing the Analysis including all of the SFTA, Validation and Verification for the revised EOP's. Any HEO's that are categorized as Category A (High safety importance-probably leads to a non-recoverable error) or Category' B (Safety consideration-probably leads to a recoverable error) ,

will be dispositioned prior to start-up. .

5.0 Conduct a walk through of how execution of the Action Plan identified Control Room modifications. Provide and discuss documentation of the system studies that identified the Control -

Room modifications. Provide and discuss documentation on design for control room modifications.

5.0 Response A. presentation will be made at the entrance briefing to explain bow Control Room changes were/will be identified by the Action Plan. Attachments 5.a - I through 4 are provided as examples of g documentation for control Room changes identified by the Action Plan. A listing of Control Room modifications is provided in ,

section 3.b.

l

\

1017G 7

~

PRELIMINARY I

ATTACHMENT 5.a - 1 DOCUMENTATION FOR TRIP OF ICS ON LOSS OF NNI

1. Identified by Deterministic Failure, Consequences (DFC) Analysis

2. Given a tracking number by RRRB (26.0036)

3. Tracked by System Engineer (S.E.) in System Status Report (SSR)

4. Identified in Action Plan 4c.la.1.c.3

5. Modification Documentation R-0826 GEngineering Change Notice (ECN) -

GDesign Basis Report (DBR) esafety Analysis (SA)

STest Specifications GDesign Verification Report (DVR)

$ Package Cover Sheets 00rawing Transmittal 9 Design Change Notices (DCNs) i O

1 8 1017G

PREllMINARY J ATTACHMENT 5.a - 2 DOCUMENTATION ON TRIP OF MFP ON LOSS OF ICS

1. Identified by DFC

2. Given a tracking number by RRRB (26.0037)

3. Tracked by S.E. in SSR

4. Listed in Action Plan (4c.l.a.l.c.4)

5. Modification Documentation (R-0823) 4 Engineering Change Notice (ECN)

GDesign Basis Report *(DBR) esafety Analysis (SA)

OTest Specifications 4 Design Verification Report (DVR)

A 4 Calculation

4 Package Cover Sheet 4 Drawing Transmittal GDrawing Change Notices (DCN)

(

l e

9 1017G

. ~

~

PiELIMINelRY t

ATTACHMENT 5.a - 3 DOCUMENTATION FOR LABELING OF ICS AND NNI INDICATORS AND RECORDERS

1. Identified by DFC

2. Given a tracking number by RRRB (22.0300)

3. Tracked by SE in SSR

4. Listed in Action Plan (4c.l.a.l.b.4)

5. Modification Documentation (R-0822) 9 Engineering Change Notice (ECN)

GDesign Basis Report (DBR) ,

9 Package Cover Sheets GDrawing Transmittal -

9 Drawing Change Notices (DCN) l i

l l

l 10 1017G

- - ^ - - - - - --- _. . __ ____ ___ _

O 9

PRELNINARY ATTACHMENT 5.a - 4 DOCUMENTATION FOR LABELS FOR S.G. Isolation

1. Identified by the item 1.f.5 December 26, 1985 Transient Action List

2. Not given a tracking number by RRRB*

3. Not tracked by S.E. is SSR*

4. Listed in Action Plan (4c.3.d.l.2) .

5. Modification Documentation (R-0471) 9 Engineering Change Notice (ECN) 9 Design Basis Report (DBR) 9 Package Cover Sheets 9 Drawing Transmittal 9 Design Change Notice (DCN) ,

6. Closure Report

(

This item was closed before the tracking system for open items and the SSR were developed.

11 1017G

5.b Response

(

As identified in section 2.0 Control Room changes could be identified by the Department Managers Hardware Programatic Recommendations, the Management Review Process, the Systematic Assessment Process (QCI-12) or the System Review and Test Program. All design changes to the plant configuration including Control Room modifications are governed by Rancho Seco's Nuclear Engineering Procedure (NEP) 4109. NEP 4109 requires the following: an Engineering Change Notice (ECN), Design Basis Report (DBR), Design Verification Report (DVR), Drawing Change Notice (DCN), Test Specifications, Purchase Requests for equipment, Master Equipment List entries, if applicable, to be written, reviewed and/or approved by Operations, Engineering, and Construction.

Examples of ECNs issued to generate plant modifications with Control Room changes initated by the Action Plan are attached in 5.a-1 through 5.a-4.

6.0 Human Factors Issues 6.1 Address the need for better diagnostics for breaker position indication (simplified _ electric schematic).

6.1 Response

..The NNI and ICs provide the majority df the secondary plant controls and indicators. In the event of loss of power to the ICS or NHI, the procedures will direct the operators to repower the system after the plant has achieved a known safe state. Because .

i of this, it is important for the operators to be familiar with, and recognize the breakers to repower these systems. To.

facilitate this, both,the NNI and ICS cebinets now have simplified schematics td illustraie'the poser supply system (See Attachment 6.1-1) To fuither aid the operatochp since the S1/S2 breakers for these systems are located high in the cabinst, improved labeling of these systems has been performed (See Attachment 6.1-2). Since l these power supplies _are located inside of locked cabinets, l _ indicator lights are located above the cabinet doors to display

( power supply status. In addition, operator training will

! familiarize each operator with the procedures for repowering these systmes after loss of power.

12 1017G i

l l

w

)

/

6.2 Address the need for valve position indication for TBV's, ADV's j and AFW Control Valves.

6.2 Response Previously the ADV's, TBV's and AFW valves were operated through the ICS using Bailey Controllers located on the HIRI Console in the Control Room.

During the loss of ICS Power transient on December 26, 1985, there was no indication in the Control Room of the ADV and TBV valve positions. Prior to the restart of the plant, indicating lights will be added on the BlRI Console, powered independently of ICS, to provide the operator with information on the position of these valves. This modification is being implemented by ECN R-0828.

( Additionally, the ADV's and AFW valves will be controlled by EPIC before plant startup.) ,

6.3 Address the need to correct the noise problem associated with the Control Room's EVAC.

~

6.3 Response During the CRDR, the District contracted with BBN Laboratories Inc. to perform a sound and light survey according to NUREG-0700.

Because the construction of the essential HVAC systems was incomplete, the CRDR team did not generate any HE0's. During the December 26, 1985 transient, SFAS initiated both trains of the essential EVAC. The resultant noise was too loud for the operators to effectively communicate. As part of the post-transient HFE Analysis, the BBN data was reanalyzed and it .

was determined that with both trains running, h normal speaking level would only travel 2 feet and a " loud" voice would only travel 4 feet. This is unacceptable. As can be seen in the System Status Report (SSR) for the HVAC and in the Test Specification many modifications are being made to reduce the

, noise level to an acceptable level. A copy of the SSR and Test Specification is being provided.

6.4 Address the desirability of having separate alarms for "ICS* and

' Fan Power Failure".

6.4 Response After the December 26, 1985 transient, ICS/NNI annunciation was reviewed and modified as follows:

ICS

1. Failure l

13 1017G

~

PREllMINARY Annunciator window H2PSB-64 "ICS SYSTEM FAILURE" will' alarm on the loss of the + or - 24 Vdc power buses only. This alarm gives the

! control room operators immediate indication that ICS iA no longer functioning.

2. Trouble The main control room annunciator window B2PSB-34, "ICS TROUBLE" will alarm any of the following conditions:

a. Any fuse blown in the ICS system

b. Any cabinet fan failure in the ICS system

c. Any de power supply failure within the ICS system Blown fuse, f an f ailure and loss of a single power supply are on the same window because the operator's response is the same for all three conditions. The operator has to go to the ICS or NNI cabinets to determine which fuse has blown, which fan has failed or which power supply has failed. If a blown fuse leads to a reactor trip, the operator will get other alarms prior to the trip and post trip on the specific condition. The operator will

. respond to reactor conditions, to the specific alarms, then proceed to clear the blown fuse.

It was determined that none of these three items is likely to' cause a reactor trip or present an unsafe condition during plant operations. All these items require investigation within the ICS cabinets to determine which fuse has blown (fuse holder indicates blown fuse), which fan has failed, or which power supply has I

failed (extinguished indicating light on ICS cabinet indicates failed power supply).

3. In addition ac faults within the ICS system are annunciated as follows:

a. For a fault downstream of a fuse, the "ICS TROUBLE" alarm j will actuate on the blown fuse.

b. For a fault between the ABT and the fuse, the normal supply

, breaker in SlGB-1 panel will trip, the ABT will transfer to I the alternate supply, and the associated breaker in S1J panel will also trip causing a total loss of power to the ICS system. The H2PSB-34 "ICS Trouble", H2PSB-64 "ICS SYSTEM FAILURE", H2PSB-23 "ICS OR NNI 120 VOLT POWER TRANSFER", will all alarm on this condition beside display on the IDADS CRT for SlGB-1 bus trouble and H2ES-83 "NON-VITAL POWER BUS lE/lF/lJ TROUBLE' will alarm.

c. For a fault upstream of the ABT on the normal supply, the breaker in SlGB-1 panel will trip and the ABT will transfer to the alternate supply. The H2PSB-34 "ICS TROUBLE",

H2PBS-23 "ICS or NNI 120 VOLT POWER TRANSFER" will all alarm on this condition. For a fault upstream of the ABT on the l* alternate supply, breaker INSlJ will trip. The H2PSB-34 "ICS TROUBLE" will altam on this condition and there will be an H2ES-83 "NON-VITAL POWER BUS lE/lF/lJ TROUBLE" alarm.

l 14 1017G

~

J PREl.lMINARY t* -

1. Failure e NNI is similar to ICS but with three (3) distinct de power Sin dis {tribution systems, three (3) annunciator windows will be used to alarm a loss of + or - 24 Vdc power bus:

a. H2PSA-52 "NNI Z FAILURE" alarms on a loss of -Z 24 Vdc power bus

b. H2PSA-63 "NNI X FAILURE

alarms on a loss of +X or -X 24 Vdc

. power buses

c. H2PSA-64 'NNI Y FAILURE

alarms on a loss of +Y or -Y 24 Vdc power buses

2. Trouble Annunciator window H2PSA-32 will be established as "NNI TROUBLE" and will alarm on any of the following conditions:

. 1. Any fuse blown in the NNI system

2. Any cabinet fan failure in the NNI system

3. Any power supply failure within the NNI system It was determined that Items 2 and 3 above are not likely to cause a reactor trip or present an unsafe conditon during plant operations. Item 1 above may lead to a reactor trip but,all other indications and controls not associated with the blown fuse remain operable and present no problems in staying within the post trip window. All these items require investigation within the NNI cabinets to determine which fuse has blown (fuse holder indicates . .

blown fuse), which fan has failed, or which power supply has f ailed (extinguished indicating light on NNI cabinet indicates failed power supply).

3. ac faults within the NNI system are annunciated as follows:

a. For a fault downst' ream of any fuse'within any of the NNI sub-systems (X, Y or Z), the H2PSA-32 'NNI TROUBLE" alarm will actuate on a blown fuse.

b. For a fault between the ABT and the fuses within the X power l distribution system the normal supply breaker in SlGB-1 panel

! will trip, the ABT will transfer to the alternate supply and l breaker in SlJ panel and this breaker will also trip causing a total loss of X power to the NNI system. The H2PSA-32 'NNI TROUBLE", H2PSA-63 "NNI X FAILURE', H2PSA-23 "ICS OR NNI 120 VOLT POWER TRANSFER", H2ES-83 'NON-VITAL POWER BUS lE/lF/lJ TROUBLE

will all alarm on this condition and there will be a display on the IDADS CRT indicating trouble in SlGB-1 bus.

15 1017G G

c. For a fault between the ABT and the fuses within the Y and Z

. power distribution systems, the normal supply breaker in SlGB-1 panel will trip, the ABT will transfer to the I alternate supply and breaker in SlJ panel and this breaker will also trip causing a total loss of Y and Z power to the NNI system. The H2PSA-32 "NNI TROUBLE", H2PSA-64 "NNI Y FAILURE", H2PSA-52 "NNI Z FAILURE", H2PSB-23 "ICS OR NNI 120 VOLT POWER TRANSFER" and H2ES-83 "NON-VITAL POWER BUS lE/lF/lJ TROUBLE", will all alarm on this condition and'there will be a display on the IDADS CRT indicating trouble on SlGB bus,

d. For a fault upstream of the ABT in the X power distribution on the normal supply, breaker in SlGB-1 panel will trip and the ABT will transfer to the alternate supply. The H2PSA-32 "NNI TROUBLE", H2PSA-23 "ICS OR NNI 120 VOLT POWER TRANSFER" will alarm on this condition and there will be a display on the IDADS CRT for bus SlGB-1 trouble. For a fault on the alternate supply, breaker in SlJ panel will trip. The H2PSA-32 "NNI TROUBLE" and H2ES-83 will alarm.

e. For a fault upstream of the ABT in the Y and Z power distribution on the normal supply, breaker in S1GB-1 panel will trip and the ABT will transfer to the alternate supply. .

The H2PSA-32 "NNI TROUBLE" will alarm on this condition and there will be a display on the IDADS CRT for trouble on SlGB-1 bus. For a fault on the alternate supply, the associated breaker in SlJ panel will trip. The H2PSA-32 "NNI TROUBLE" and H2ES-83 will alarm.

~

PRRglBRY i

l l 16 1017G l

l I

i e

4 e

e e

ATTACHMENT 4

- DCRDR/ ACTION PLAN COMPARISON e

4 k .

, , , , - - - , . . - - - - , --- ,- ,-w-----s ' ~ ~ ~ ~ ' ' ' ' ' ' ' ' ~ ~ ' ' ' ' ' ' ' ' ' '

3

.y 3 .. . . ..

., ; . n, n s.\ .

h .> ;

-}

a \\a ORID !

Q0GESyS A0iOb !

UNy '

! MODF0ATON h CONTR0_

gs !

j i NEP 4109 OBSEP K ONS D !

i l

l S'WES i l

l l

l

m.

~

PROGRAM PLAN

+

OtlTERIA REPORT i

l 1 V

OPERNTE EX "ME REVEW IEGEAL MTOR occuelt m ens v

CONTROL ROOM NVENTORY I

T CONTROL ROOM STATESURW(

V .

SYS"EM UC 0N "AS( ANALYS$

00m osm:

SM FUCDI M TOR TASFS v

V8tlRCA"10N Of TASK P1UMANCE CAPABLITES

. AVAURIY SlKANJTY f

V VALDAT10N OF CONTROL ROOM FUNCTION i inuTc at sPAtw.ar maws manws

. COMPLEALL E0's

.a ny$,I eg$$'; 2*

0@iitTRM !

assesse qgg . . _ . .

_m^sE .

'iPROCESSP.

s, ,

+-

hg i 4 1 1 F i i F i i P 1 I I P1 R 1 1 P i F

\ J ' s ;

db d db di db ,, di d , ,, , bi n , > db ,i

,i u,

, ,,L, y00rui nNiuS CRITERA REPORT ACil0N 'IAF 0:VlATING KE13SC? : LEV 3s L2 usa mm e (pesoR r e OEPATOR lhmEt PIANI SIAR IhuttS -

CONIl0L 3001 SU3V3Y !IIHl? EVAX ONS: :FCA, S?P, E00, S:):P -

CONTROL ROOM INVENT 0RY SRTP-SYSTEM REVIEliS-:ESCRIT0hT SYSTEk MSCTION "ASI ARAXS N E SYSE M M SRTP-SYS E E N11NE DEPdIOR IIIS Ig ANgysis

EECA":0N 0? "ASK ')ER?01N3 SD - SSR/S:R C1)A11:238 PRcu anntios raoRIS AVilllBIIEY SUlIABQlIY l

YAJAT:0N 0? C.3. MICE:0N SE) mm:IN MGMS E PROGPH SPATIE IN MGPRS ASS?SSEN" ')lAS3 ASS?SSIN OF 3EC01 EDA"0NS l

l 1

f ._

CRDR PRIORITIZATION PROCESS HED SELECTION t P

, a HED CRITERIA '

CATEGORY A HIGH SAFETY IMPORTANCE NON-RECOVERABLE ERROR """'

II HED*S B SAFETY CONSIDERATION RECOVERABLE ERROR CORRECTED db BY OPERATORS C ELECTRICAL GENERATION RELIABILTY RELIABILITY CONSIDERATIONS D MINOR NON-SIGNIFICANT CONSIDERATION t

, ANALYZE V

NO UNRECOGNIZED YES SAFETY 1

IMPORTANCE i

HED*S TO BE DOCUMENT ANALYZED FOR CORRECTION p

G e

- _ _ _ . - _ _ , , - - . . - _ , - - . - . - - - - - - - . - - - - . . - , . _ _ - - - - - _ <___-.____m

i l

f ',

r .

1 l

ACTION PLAN PRIORITIZATION PROCESS l

i .

PRIORITY CRITERIA RESTART A. ASSURE PLANT REMAINS IN POST-TRIP WINDOW B. COMPLIANCE WITH TECHNICAL SPECIFICATIONS y C. MINIMIZE OPERATOR ACTION OUTSIDE CONTROL ROOM IN FIRST 10 MINUTES NEAR TERM A. ENHANCE REMAINING IN POST-TRIP WINDOW.

(AUTO ACTION vs. OPERATOR ACTION)

3. REDUCE REACTOR TRIPS D C. REDUCE SAFETY SYSTEMS CHALLENGES D. PRODUCE NEAR-TERM PROGRAMMATIC BENEFITS LONG TERM A. IMPROVE RELIABILITY B.

C.

IMPROVE AVAILABILITY +

, IMPLEMENT MAJOR PROGRAMMATIC ENHANCEMENTS ,

ACTION PLAN / QCI-12 PROCESS

= -

E. E_l- - . A _ _z_

1 CRDR SELECTION OF DESIGN IMPROVEMENTS HUMAN ENGINEERING DISCREPANCIES TO BE ANALYZED FOR CORRECTION (FR0rt THE HED SELECTION PROCESS) _

k ANALYSIS FOR CORRECTION BY ENHANCEMENT CORRECT WITH YES ENHANCEMENT 7

~

NCL V

ANALYSIS TO IDENTIFY DESIGN IMPROVEMENT ALTERNATIVE AND SELECT RECOMMENDED SOLUTION

9_

FU.N_CTI ON__A_N_A_L_Y_S_I_S___. ------------- I DESIGN - -

ALLOCATION l AND MAN l VALIDATE MACHINE l

, Y :

VER I FY ALLOCATI ON------ ---- -------

Y

SELECT PREFERRED !

DESIGN ALTERNATIVE l t !

V AL I D ATE DES I GN ----------- - - ------*

1

JUSTIFIED ASSESS EXTENT OF CORRECTION CORREN

& AND I

C & D ONLY DOCUMENTED s PARTIALLY

{ FULLY CORRECTED g CORRECTED V N.

JUSTIFY AND

> DOCUMENT Z

V V d

$ NEP 4109 g IMPLEMENTATION b

I l-I i

ACTION PLAN / QCI-12 PROCESS SELECTION OF DESIGN IMPROVEMENTS (RECOMMENDATION w

RRRB REVIEW

1. TECHNICAL CONTENT SYSTEMS ' ENGINEERS

2. PROPOSED SOLUTION

3. PROPOSED PRIORITY

, ELECTED YES w

YSTEMS7 .

If NO .

I S STEM MDME YE R SYSTEM INVESTIGATION REPORT (SIR)

If NO '

l! 3p YES PREPARE UPGRADE A CRTS TO SSR7 (SSR)

NO I I TEST REVIEW GROUP II 1P lf PERFORMANCE ANALYSIS GROUP m NO TEST

1. APPRdVE RECOMMENDATIONS ,

OPERABILITY 7

2. DETERMINE IMPLEMENTING DEPARTMENT

3. MONITOR IMPLEMENTATION q YES I f PERFORM TEST If I MODIFICATIONS PER l NEP 4109

, . - . _ . , . , . _ _ _ . , ,.-.-,-._r_.- - - - , . , . . - - - - - - -

D e

e ATTACHMENT 5 SCHEDULE FOR DCRDR CONTROL ROOM MODIFICATIONS a

l-

t .

.- " Alii CNTROL CD C!*I*.F,T:CNS A - JS ~57! % "E M 14, ;S86 ,

3:!6 & . _

I L

!*2MS *AS4 *10 I.E:7 O ;!VIL ".*r3 *0TA. 0.T73I 4h

- - - - CY".'.E .. 8+e++++++

00-02 ADDIT!: MAL CIT's 2000 200 0 0 #0 3000 ~4 CC-04 1T41D8 XEYBOARD 500 100 0 0 200 600 1T 3N-3 JKL C.*GE 140 250 0 0 0 '710 Gk-13 LAEL ME-~~S u w!*H CDERATICNAL SET 30!N S !0 0 0 0 0 50 ET/C

~

3N-13 30!NTERS lM #TIRS 8 RECORDERS 100 0 0 0 0 100 L~

3 *4 !N:!CCTOR DC'.ER 4! LURE 750 !00 0 0 0 ;2!0 LT '~

iC-02 01010AD SFAS SJIT HES ' 40 0 0 0 0 +0 *S BCC3iTED SW!!ChES FCR BYDASS 100 200 0 0 0 300 CLT RC-03 1EDLACI Dcv SdITCM 200 100 0 0 0 300 ST

. RC-04 MARRAm&EPIReTRChTROLS 200 100 0 0 0 300 . IT XMARNATE ASSOC!ATD 3R0095 40 0 0 0 0 40 Cr

. PROV!DE IN0!CATOR FOR HTR BANK 4 ;00 200 0 0 0 300 OuT RC-05 RECAL!BRATE B. A. F.CW 1.003 300 0 0 0 0 300 CC LAIEL SWITCH ( D-06)

RC-06 SE98 RATE DUAL INDICATORS .' 40. 300 0 0 0 700 CJT

. ECALIBRATE LETD(hN Funi LOOD 400 0 0 0 0 40 T.,T RC-07 A00 H01/nu RECIRC FLOW 1500 1500 #0 150 0 3950 CUT

~I PARALLEL CMTR(LS FOR Nf! YLVB

, SFV-23M9,10,11,12 . 600 200 0 100 0 900 ST 3RRAl.EL CTil FOR SIST VLYS 9FV-25003, 4 600 200 0 100 0 900 OLT f !N0! CAT!ON OF W V LIE UA 60 0 0 0 0 60 C.

RC-08 JEL DZR SDRRY VLVS (EN-06)

AC-09 WAACE CHART WITH NORE ACCMATE ONE 80 0 0 0 0 M AT R!-02 T-AVE ETER REPROGRAnED 100 0 0 0 300 40 NCN 9!-!3 ICS !MIT . LISHTS ENHANC2EkT 400 0 0 0 0 40 LT DROVIK M!MIC LINES FCR !CS 500 0 0 0 0 500 "T ,

I 340 VIDE $1EC*ABLE M *,AL CCNTROL 1 ATE

1 Fd VLV CCMT.10LLERE ;000 200 0 ;00 0 ;300 L' 4!-04 C IFY SCALES CF INDICA'*,RS '000

. 0 0 0 0 ;000 LT/C AEMOVE MFC. TRADEMARi(

100 0 0 0 0 ;00 C 9: 05 OROVIDE LAIELS FOR INDI"JTORS ( D-06)

RI-06 ALTER CONTROL OF YLYS 200 200 0 100 0 500 C.T 11-07 REARRANGE Sm RCE RANGE NI 500 100 0 0 0 600 DT RI-08 PROV!K 0181TAL INDICATOR FOR 0786 LIV!:. No 100 0 100 0 1000 LT R!-09 A3 (:'M8 UTER D!IptAY SELEC*!h 40 300 0 100 600 ;600 007 4

RI-10 A00 S*Afus OF TSV's 300 :00 0 :00 0 !00 0*

11-11 SECCNDARY SYSTD TKhDING INFO 1100 M0 0 300 too 3000 1T

SS-04 REARRAN3E SWITC MS ON LOVEJOY SUBJAML 500 100 0 0 0 500 GT

$$-05 CD.:A CC M CONFORP.!*Y (GN-06) 55-06 3 AS*!C L 3U4405 TC 3REKNT 2CTUATICN 100 0 0 0 0 :00 C j 55-07 REDLA G $p08 $2 LECTOR SWITCM S 750 100 0 0 0 $!0 OUT 55-09 ADD ;;,33 pso a r.3 O!SCHARGE PRESSJES M0 200 0 100 0 1100 LT

!!-01 Aw! ! !LER LABELS MODIFICAT!0N (GN-06) .

400 Act Sin ;RESS 8 FL0d h0! CAT!3m 400 100 0 100 0 500 GT I

16430 6150 600 1350 2900 2 % 30 l

j h p 42 *

AGE 2 C 3TRCL 40~. t C ITICAT:Ons s'ANCRS EST:?rE -

AJ rtl 14, 1985 -

3:55 4

i

DS *A34 !4C ~.E;T ?iC., C!v . C;33 '!:7A. LTA35 4s4 m"YCLE 3+++++++ ++++

~

BS-01 *E II SCALE 5 :000 200 0 0 0. :200 27 35-02 REP. ACE :hD: CAT:NG LI6hi 200 00 0 0 0 300 007 .

15-0: 30! STIRS 34 "Hi!E INCH 3ETERS 300 0 0 0 0 300 C.T 55-0; 3:3:74. AEAET, SELECTABLE 400 200 0 0 200 M0 17 '~

IS-02 :: C :4 4 i m W3 .ABELS 60 0 0 0 0 50 0 5-02 REA4%%3EST FCR CDSISTBCY OF BLSE *;00 200 0 0 0 300 Cw?

15-03 OE.tAUC7:01 CF 3AEMIRS (GN-06)

!5-04 *!PIC C.4%6I3 200 200 0 0 0 .00 C.~

. G4: IMSACVG .5E*D FACES 300 0 0 0 0 300 0.7 ES-06 ACD D.G. 0 & B FaiGuiNCY INDICATION 300 300 0 100 0 700 LT GN-06 LABEL CHANGE 1540 250 0 0 0 ;7% %7/NON GN-08 448 0F MOTCT!VE GUIPMENT 40 0 0 0 0 40 C BN-10 CPERATOR bok STATION ,

2A0 200 0 100 0 2300 Oui ,

GN-11 i!SHT CONIAOL INSIDE CONTROL 400 200 500 0 200 0 900 17 Gh-12 C09R ERJ!P CN H2ES 8 M2PS PAhELS 300 300 0 100 0 700 OLT i GN-12 CHANGES 8 40VE G4 e2WC Gh-12 DISpATCHU bOE

^

3h-12 SOUhD 30 BEAD MONES GN-12 WIRELESS Comun! CATION SYSTEM SN-12 dQ6E SYS*EA 3N-!3 ?!L! N0!C270AS 500 200 0 0 0 700 N7 SN-13 LABEL PETERS W!ili 07DATIONAL SET JOINTS 50 0 0 0 0 50 LT/C 3h-:3 JOINTIRS ON 4TERS 1 tE:0RDERS too 0 0 0 0 :00 27 Gh-:4 :h0!:A702 GG FA!L'.;4E 750 500 0 0 0 ;2:0 0.7 GN-15 BAC(L*3 aid DUSrBTNS: 501" A7:0N .ENSIS (SN-M) b-15 JN!FCRM C1CR LBSES (GN-M) 3W5 SHA"E CCDE (SN-M)

' CO,.CR CONVENTIONS (Gh-M) 3h-15 34-16 CChTAOL/DISPL4Y INTEGRAi!CM (ALL MODS)

GN-17 AEPLACE1ENT CF M.!!C0!NT RECCADERS 2000 600 0 300 0 2500 0.7 25-0; 2%N . CLR CCW Cui Vt.V CONTRCLS 500 300 0 100 0 900 17 CS-(2 O!SD.AY FACE Od%GES 300 0 0 0 0 300 L7/c DI-03 12 1 A*:R FACE CHANGES 4 AAAAN6 DENT 200 200 0 0 0 400 Ca?

35-05 RE?0 VAL OF lmCOR! DOT S TIC TTIA 34NE. S 35-0$ AND 3GSCNNE. -M:'H STA?tJS L:3h!S 500 800 0 :!0 0 ;!!0 .7 PI-06 LABEJ *O 1AR!'Y Fl.;K71CNS 35-07 4CP s CIL i!1T 26.12S IND::A70AS 200 200 0 0 0 400 *?

SF-03 NE' . AEL Th! S* c!TCRS 31-03 C0.09 ::Di3ELi:~~.1SW:70, 3F-03 C:U:02 50 23F F CRVE BY VSm ORVE s:-04 ;E:J CI S ea :s0:CA;!:N 600 300 0 :00 0 M0 c.* ,,

F-05 4EARRANGE 4 DACA*E m2SF DANE. !!00 1000 0 0 0 2500 C.7 -

57-:4 AEAm%st C 7 !.c!:Af:RS 500 300 0 0 0 No h*

SF-07 CnASE C:hT20. LOGIC FCA SFV-23508 Page 43

AGE 3 00x!11 RCC1 PCDI I;AT 035 th-AM ESTim I Aor .14, ;9%

3:!6 *M

(

~~JS TAS( *i- I_I;- -I;- : V*. **?: :. :. :II 4k F-08 A:D -DI r. W !s0 . 0-;00 3 7 ;000 200 0 ;00 0 ;300 LT SF-08 ; ROV X . NEARND::A*:S 70.1 JI ~~. C. 300 ;00 0 ;00 0 ;000 :-

SF-08 RECAJ3RA*E Dn X-712 F.C. 400 0 0 0 0 +00 :.T SF-09 EA.:3AATE WR'. 300 0 0 0 0 300 ".!

SF-:0 SEPARA*E RBS :hDICA'CR 500 100 0 0 0 600 17 SF-11 BW6 JVEL IND 044ED TO SINE.E 200 0 0 0 0 200 C.T SF-12 DELETE NS BLS LOAD h6 IND 200 200 0 0 300 700 0.7 S~-13 ADD C 7.0W '4101 CD02.98 1500 150 0 150 0 ;S00 L'-

SF-13 E AL: BRA *E NSCW PJT4 "hRU *st C:3;.EAS 200 0 0 0 0 200 1T S -02 :1CR;ADIN6 4 JiiELS FOR 99 VEN S 900 :00 0 ;00 300 ;300 T 3P-33 f. D S3CS Oli

S;-04 :.ABF ;NG OF SPD3 "0NTRCLS 200 0 0 0 0 200 :.,7 i .

4 .0-02 iEMOV2. OF ASU AarETER 4 S !7H 100 ;00 0 0 0 200 ~.T 4 -03 OIRC a'ER DRD CONT E DE ARCATION 40 0 0 0 0 40 Cw!

(1-02 XSCA:JTICN OF : N!RCL *WhGI (1-03 .002 E ALIBR27!0N 1 IND SCALE CHAn6ES 800 0 0 0 0 600 LT

~

' 11-05 C1CR CODING & C3hTR1 SCHEMES DEA GU: DES YS-01 A00 0*SG 3.0@Cist F.DW. INDICATION 700 200 100 ;00 0 ;;00 ~.,7 YS-02 REVISED LAYCLT OF 5" EAR ISOLATIOk 400 200 0 0 0 600 CUT YS-03 9E7 LACE DEGGI S $~M VLV ConTA0i.S AnD IND 700 200 100 100 0 ;;00 Cat

~

YS-04 ADD C &TICL FOR OTSB DRA!N B6TR Dap 600 200 0 100 0 900 007 t

23980 8500 200 1900 800 35480 l3 l

i f

CYCLES 18430 6150 800 1350 2900 29630 j CYCLE 9 23980 4500 200 1900 800 35460 so-==

i * !A. 42410 1450 1000 3250 3700 M;;0 SI E 270.1 Sup3CRT 1986, 1987 2000 Page 44 i

h

E 5

9 0

ATTACHMENT 6 PRELIMINARY DCRDR COMMITMENTS 0

P

._. -_ . _ , _ . _ . . - . _ _ . _ _ - , - - - , - -- - - - - - - , - - - - - - ' - - - - - - - ' ' ' ' - - - ^ ' - ' ' - - ' ' ~ ' ' ' ' " ' ' ' - ' ' - - - ' ' ' ' - ~ ' ' - ' " ' ' ' - -

a

, II Detailed Control Room Design Review - ' -

k 7.0 The following questions relate to the Detailed Control Room Design Review.

7.1 The Summary Report did not indicate that EOP Cautions, Notes, and Status Tasks were analyzed following the RRC in-progess audit.

7.1 Response EOP Cautions, Notes and Status Tasks being analyzed in accordance hith the CRDR procedures.

7.2 The Summary Report did not indicate that the licensee developed a.

formal procedure for performing a task analysis of new operator tasks introduced into the control room by EOP revisions.

7.2 Response currently the District has four administrative procedures that control modifications to the E0P's. They are AP 47, 47A, 48, and .

~

49. Procedures AP 47 (Attachment 7.2-1) and AP 47A (Attachment 7.2-2) are the EOP writer's guide. AP 48 (Attachment 7.2-3) is the procedure for verification of EOPs. It verifies the written correctness of the EOPs, verifies the technical accuracy of the EOP compared to Plant Technical data, and ensures that procedure changes or ECNs are evaluated fog their potential influence upon the E0P's. AP 49 (Attachment 7.2-4) is the procedure to validate I

the EOPs to ensure that the procedures are compatible with the plant operator training and will successfully mitigate emergency

. conditions. An example of an EOP modification including verification and validation will be provided. This is an effective method for performing a task analysis of EOP's.

Modifications to the control Room will still need to be H.F.

Analyzed following NEP 4123 for operational impact.

7.3 The Summary Report did not include an indication that procedure A.52 " Hydrogen Purge System Procedure" was task analyzed as recommended in the in-progress audit.

7.3 Response The task analysis of A.52 is in progress. The summary report will

be updated af ter the completion of the task analysis. '

s 7s4 Comparison of information and control requirements identified in items 7.1 and 7.3 with Control Room Inventory to verify control and display availability and suitability need to be completed.

7.4 Response The comparison takes place during the task verification process after the task analysis is complete. Upon completion of the task analyses required by 7.1 and 7.3, verification will take place.

17 1017G

._ _ -, - -- ---.y-.___ - .

PRELIMINARY

( 7.5 Assessment of new HEO's identified during additonal task analyses i.e., EOP Cautious, Notes, and Status Tasks, need to be completed.

7.5 Response If any HEO's are generated by the additional task analyses they will be assessed in accordance with CRDR procedures.

7.6 Given the major extent of the proposed control room changes, and the fact that some designs such as EFIC were not finalized at the time of the Summary Report, we do not have the information to judge the adequacy of the proposed changes. We recommend,that the licensee implement the proposed changes on the DCRDR mockup for evaluation by the NRC.

7.6 Response The mock-up has been modified to include those modifications planned to be completed prior to start-up. ,

7.7 verification that the proposed solutions resolve the HEO's/HED's and do not introduce new HED's needs to be completed for

HEO's/HED's identified during EOP Cautious, Notes and Status Tasks.-

7.7 Response The verification that no new HEO's/HED's are introduced after the proposed solutions are resolved will be completed at the end of the process and an addendum to the Summary Report will be, issued -

with the findings of the process.

l 1

e 6

18 1017G

Enclosure 2

~

AUDIT REPORT, INSTRUMENTATION 4

RANCHO SEC0 NUCLEAR GENERATING STATION SAFETY PARAMETER DISPLAY SYSTEM /RG 1.97 An NRC audit team conducted an Instrumentation & Control Systems (I&CS) audit at the Rancho Seco Nuclear Generating Station from September 29 to October 2 '

1986. The audit reviewed the licensee's Action Plan for Perfomance Improvement, as well as the Detailed Control Room Design Review, the Safety Parameter Display System (SPDS), and the licensee's conformance to Regulatory Guide (RG) 1.97. This report describes the audit team's findings with respect to the SPDS computer system and the system's compliance to SPDS and RG 1.97 requirements.

The licensee's Action Plan for Performance Improvement was developed in response to the December 26, 1985, overcooling event at Rancho Seco. One of the actions called for in the Action Plan was upgrading the Safety Parameter Display System (SPDS) to safety grade status. This upgrade called for the installation of Class IE rated input / output peripherals, i.e., input multiplexers, output displays. The Action Plan also called for the

i. incorporation of the RG 1.97 Category 1 variables into the SPDS computer. The Rancho Seco SPDS had been non-safety grade and had no post-accident requirements; however, the incorporation of the RG 1.97 into the SPDS computer required post-accident availability from the SPDS.

The NRC forwarded an audit plan to the licensee that contained questions and concerns related to SPDS and RG 1.97 compliance. The following is a listing of the NRC questions, the licensee's response and the audit team's comments.

NRC Q 8.1 l

Describe the redesign of the alphanumeric display formats. If available, provide the redesigned display fomats for evaluation by the NRC audit team.

2

Response

The redesign of the alphanumeric display is in progress. The RG 1.97 Category 1 variables will be contained in the displayed data.

Comments The preliminary redesign of the alphanumeric display formats appears to be satisfactory and is acceptable. Each format grouped parameters into related sets, that could be easily accessed and used by the operators. The staff

, requested that a copy of the final design of the alphanumeric display formats be included in the revised SPDS SAR.

NRC Q 8.2 Provide SPDS design data for the assessment of the radioactivity control function.

Response ,

A radiation alert will be added to the displays to alert the operator to high radiation in nine channels. Of the nine channels, four are already installed, two will be installed by restart, and three will be installed at a later date.

Comment The ifcensee was requested to respond to the staff's radioactivity concern in the formal submittal of the revised SPDS Safety Analysis Report (SAR). In addition, if the radiation displays of the rad waste area stack monitor, the reactor building effluent monitors, the auxiliary building effluent monitor, and the A and 8 main steam line monitors are not contained in the revised alphanumeric displays, the licensee should justify why they were left out of the displays.

3 NRC Q 8.3 As the SPDS will be upgraded to safety grade status, provide data on the isolation devices used to suitably isolate the SPDS from electrical interference with equipment and sensors that are used in non-safety systems.

The specific data required by the staff to evaluate the isolation device are identified in Reference 4.

Response

The licensee has engaged an outside contractor to conduct the testing of the

. isolation devices.

Comment This is an open' item pending the staff's review and approval of the test report. The test report was due' to the staff by December 31, 1986.

NRC Q 9.1 Provide a schedule for the upgrade of the SPDS to safety grade status. Discuss how compliance with RG 1.97 requirements will be achieved if the completion of the upgrade is after the plant's restart date.

Response

The SPDS upgrade will be completed prior to the plant's restart. The delivery of the seismic qualified cathode-ray tubes (CRTs) may be late. However, they will be installed as soon as they are received by the station.

4 Comment The audit team reviewed the schedules and observed that the CRTs and the software modifications are critical path items and may impact the schedule.

-The current schedule appears to be acceptable. The staff requested the licensee to inform the NRC Project Manager of any significant changes to the schedule.

NRC Q 9.2 Identify and discuss the scope of the upgrade in terms of hardware involved and interfaces with other systems, including safety and non-safety systems.

Response

All RG 1.97' Category 1 variables except reactor vessel level and neutron flux will be upgraded. These two remaining parameters will be upgraded by fuel Cycle

8. If the cables are subjected to common fire zones, they will be separated '

. and protected. Al safety grade sensors are connected to Class 1 multiplexors, and non-safety grade sensors are connected to Class 2 multiplexors. The Central Control Unit (CCU) outputs and the Interim Data Acquisition and Display System (IDADS) inputs are isolated via isolation transformers with fused secondaries.

l Comment j The audit team reviewed the RG 1.97 parameters and found them to be acceptable.

The licensee was requested to docket their comitment to meet Appendix "R."

l The licensee was also required to provide for staff review test reports to demonstrate that the isolators between the CCU and the IDAD will meet the isolation functions and the single failure criteria.

i

! NRC Q 9.3 4 Address the conformance of the software to RG 1.152 " Criteria for Programmable Digital Computer Software for Safety Related Systems of Nuclear Power Plants."

This Regulatory Guide endorses ANSI /IEEE/ANS-7-4.3.2-1982 (Reference 3). Also, provide documentation, such as test reports, verification reports etc., that are the products of the verification and validation effort.

Response

The SPDS upgrade will not include RG 1.152 requirements. The licensee will comparetheRanchoSecoSPDSverificationandvalidation(V8V)processagainst the requirements of RG 1.152 and provide results of the comparison to the staff.

Comment 4

The response is acceptable and the staff requested that the comparison be submitted to the NRC along with the revised SPDS SAR.

NRC Q 9.4 Conduct a walk-through of the hardware and software for the selected signals.

Discuss and illustrate how the signals are processed. Identify points in the walk-through where verification and validation activities occurred.

Response

4 The licensee provided a paper walk-through of the narrow and wide range

! channels of the containment pressure variable.

The data presented consisted of a functional description, flow charts, signal lists, a piping and instrumentation diagram, the master equipment list, test procedures, alpha-numeric display values, and the V8V plan. This information was sufficient to determine the check points in the design, installation, and checkout of the data channels.

6 Comment The audit team and the licensee agreed that the paper walk-through was a preview of a more detailed V&V audit to be conducted pending completion of the software effort by the licensee. The walk-through was tentatively scheduled for January 1987, at the B&W offices in Lynchburg, Virginia. The staff requested that the licensee have the system hardware designer and the system software designer at the audit.

NRC 0 9.5 Describe the features of the design process and display system that serve as guards against common mode failures / errors.

Response

The B&W data handler (comon mode failure) was removed from the SPDS. This removes two potential comon mode failure points. The SPDS is a redundant system with independent battery-backed power.

Coment The B&W data handler system contained a CCU and a data handler. This arrangement commoned Channel A and Channel B safety-grade signals at the input to the CCU and also comoned SPDS I and SPDS 2 at the output of the data handler.

The audit team discussed their concerns with respect to the comon mode failures of the software in addition to that of the hardware. The licensee will address the aspects of comon mode failure in the software and submit

'their findings to the staff. This is an open issue.

7 -

NRC Q 9.6 Describe the maintenance and configuration control program for the display system. Provide the procedures that will be used to modify the software.

Response ,

The maintenance is accomplished on an as-needed basis and is a joint effort between the licensee and B&W.

Comment The audit team discussed their concerns with this procedure. The team's concerns centered around the technical specifications (TS) for the SPDS and how the TS would be handled in the event of modification and changes to the SPDS.

The licensee will redo the response to this question addressing the TS aspects of the SPDS in greater detail and will docket the response. In the revised response the licensee should also discuss how configuration control for both hardware and software will be achieved and how modifications will be qualified and tested.

NRC Q 9.7 Describe the results of a reliability analysis that compares the reliability of the upgraded computer-based SPDS and a hypothetical implementation of the same display function using analog hardware.

Response

The availability of the SPDS is 99.9% in accordance with NUREG-0696. The guidelines permit the licensee to install a digital system.

8 The licensee proposes to submit an updated reliability analysis to ? '

demonstrate the conformance of the upgraded SPDS to moet the operational unavailability goal of 0.01, as specified in NUREG-0696.

Comment s.

s The licensee will update the SPDS reliability analysis and submit the results '

for staff review. The licensee will perform a reliability comparison between. x a digital data / display channel versus an analog data / display channel. This comparison will be performed on a non-interference basis with the plant's restart schedule. The results of the comparison will be submitted for staff review.

The audit team stated that a SPDS availability of 99.9% (NUREG-0696) was a guideline only. Also, the staff stated that the availability of the SPDS '"

digital displays for compliance to RG 1.97 requirements for Category 1 )

variables should be the equivalent of or greater than the availability of ,,((

analog hard-wired displays used for compliance to the same RG 1.97 requirements.

NRC 0 9.8 Provide the documents and data that illustrate that the upgraded SPDS complies with industry and regulatory criteria and standards for safety-related systems (i.e.,IEEEStd. 323, 1974, Standard for Qualification of Class 1E Equipment for Nuclear Power Generating Stations, IEEE Std. 344-1975, Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power, etc.),perRG1.97, i

Response

i When the upgrade is completed the plant's compliance with the separation, isolation, redundancy, and environmental requirements will be demonstrated. .

+ /

s '

)j#l

<f i

,l f' .,

f'

>l 9 i s A -

p 1 , ,,

L-

~

c Environmental qualification will be required only for sensor inputs, since all portions of the system, except field sensors, are in a mild environment.

2. n

<j: +q['

Comment ,

. ,. s .

Thecaudit' team's corii:ern iii this area is with post-accident operation of the SPb5andthedisplayoftheRG1.97 ,

variables. The team requested that the licensee docket the commitment to IEEE Std. 323-1974 and IEEE Std. 344-1975.

NRC Q 9.9 Describe the steps needed to restart an upgraded SPDS upon total loss of power to the system. /

bY, .! .

l ,_,

Response

., i .,

, t[pon the restoratido of power, the SPDS is self-starting and requires no operator action to restore the system.

C'omment

.~ ,

3, , ,

/ ,

The audit team foun;ti this response to be acceptable and requested that it be

, ~

docketed so that '.the answer may serve as a basis for the staff's Safety Evalba' tion ' Report -(SER) .

n .

NRC 9.10 Provide and discuss ,,s the technical specification that is to be used for the operitional system. Discuss the scope and depth of the tests used to evaluate operability of the system. Also, discuss the technical basis used to select

?

c

, the test period,

/

n ,i 3

w, * .

l

,- 's '

4

tou-r.,

!{

s 10

Response

The licensee stated that appropriate consideration for the computer driven display system will be included in the development of the Technical Specification. The licensee will submit the draft Technical Specification for

, NRC review as soon as it becomes available .

$p.reent i

The draft TS will be submitted to the staff for review. The licensee was advised of a- 90-day approval cycle. This question ties back to NRC Q 9.6. ,

A General The licensee dis. closed that the Class IE inverters supplying power to the non-Class IE CCU and the SPDS computers were going to be used as isolators to protect the Class IE,120 VAC bus from faults being propagated by the non-Class 1E equipment. The audit team was not sure that the inverters could -

c be used as Class IE isolators. Pending receipt of a power supply schematic for i the SPDS, the audit team will investigate the use of the inverters as isolators and will advise the licensee of their findings.

The licensee agreed to submit a redesign and a revised SAR on the SPDS by

[

l December 31, 1986.

(

l Attachment "1" is a Request for Additional Information needed by the staff to complete its review of the SPDS.

I i

i I-

REFERENCES

1. " Action Plan for Performance Improvement," Sacramento Municipal Utility

^

District, Rancho Seco, July 1986.

_ i

2. Letter from John F. Stolz, NRC to J. E. Ward, Sacramento Municipal Utility District,

Subject:

Review Results for Rancho Seco's Sumnary Report on the Detailed Control Room Design Review, dated June 10, 1986.

3. ANSI /IEEE-ANS-7.4.3.2-1982, " Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations,", July 6, 1982.

4. Letter from G. Rivenbark, NRC, to R. J. Rodriquez, Sacramento Municipal Utility District,

Subject:

Safety Parameter Display System, dated July 27, 1984.

5. Letter from J. F. Stolz, NRC, to R. J. Rodriquez, Sacramento Municipal ,

Utility District,

Subject:

Safety Evaluation, Rancho Seco's Safety Parameter Display Syster, dated April 7, 1986.

6

ATTACHMENT 1 REQUEST FOR ADDITIONAL INFORMATION RANCHO SECO NUCLEAR GENERATING STATION SAFETY PARAMETER DISPLAY SYSTEM The staff has reviewed the data submitted by the licensee during the course of the Action Plan Audit conducted at the facility, September 29 to October 2, 1986. The staff has concluded that the following information is needed for the staff to complete its review:

1. Apply questions "a" through "g," as appropriate, to all devices that are to be used as either isolators or interfaces between Class 1E systems and non-Class IE systems. Examples of such devices are isolation devices, multiplexers, fiber-optic cable, circuit breakers, inverters, converters, and uninterruptable power supply systems.

Please provide the following:

a. A description of the specific testing performed to demonstrate that the device used to accomplish electrical isolation is acceptable for itsapplication(s). This description should include elementary i diagrams, when necessary, to indicate the test configuration and should discuss how the maximum credible faults were applied to the device.

I b. The data to verify that the maximum credible faults applied during 1

l the tests were the maximum voltage (AC and DC) at the maximum potential current to which the device could be exposed, and define how the maximum voltages / currents were detennined.

I

c. The data to verify that the maximum credible faults were applied to the output of the device in the transverse mode (between signal and return) and that other faults were considered (i.e., open and short l circuits).

l

T

d. The definition of the pass / fail acceptance criteria for each type of isolation device,

e. A commitment that the isolation device complies with the environmental qualifications (10 CFR 50.49) and with the seismic qualifications that were the basis for plant licensing.

f. A description of the measures taken to protect the safety systems from electrical interference (i.e., Electrostatic Coupling, EMI, Common Mode and Crosstalk) that may be generated by the SPDS/RG 1.97.

g. The information to verify that the Class IE isolation devices are powered from a Class IE power source (s).

2. Provide data that the SPDS/RG 1.97 Category 1 variables will be available following a design basis event occurrence.

3. Provide data showing that the equipment is dedicated to the SPDS/RG 1.97 and is not required for the safe shutdown of the plant.

4. Provide a block diagram of the SPDS/RG 1.97. The block diagram should be of sufficient detail to show both the signal and power Class IE to non-Class 1E interfaces and the type of device used at the interface.

_. . . ___ ._ _ ___

ML20211K473

Text

Subject:

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Subject:

Subject:

Subject:

Navigation menu

Search