United States Nuclear Regulatory Commission - Protecting People and the Environment

Information Notice No. 86-10: Safety Parameter Display System Malfunctions

                                                            SSINS No: 6835 
                                                            IN 86-10       

                                UNITED STATES
                        NUCLEAR REGULATORY COMMISSION
                    OFFICE OF INSPECTION AND ENFORCEMENT
                           WASHINGTON, DC 20555

                              February 13, 1986

Information Notice No. NO 86-10:   SAFETY PARAMETER DISPLAY SYSTEM 
                                   MALFUNCTIONS 

Addressees: 

All nuclear power reactor facilities holding an operating license (OL) or a 
construction permit (CP) 

Purpose: 

This notice is to inform recipients of the results of a recent survey done 
to determine the status and quality of safety parameter display systems 
(SPDS) at operating reactors It is expected that recipients will review 
this information for applicability to their facilities and consider actions, 
if appropriate, to preclude a similar problem from occurring at their 
facilities However, suggestions contained in this notice do not constitute 
NRC requirements; therefore, no specific action or written response is 
required 

The information herein is being provided as an early notification of a 
significant matter that is still under review by the NRC staff The NRC is 
continuing to obtain and evaluate pertinent information If NRC evaluation 
so indicates, further licensee actions may be requested 

Background: 

Prompt implementation of the SPDS in operating reactors is a design goal of 
prime importance The NRC staff does not review operating reactor SPDS 
designs for compliance with the requirements of Supplement 1 of NUREG-0737 
prior to implementation unless a pre-implementation review has been 
specifically requested by the licensee The licensee's Safety Analysis and 
SPDS Implementation Plan are reviewed by the NRC staff only to determine if 
a serious safety question is posed or if the analysis is seriously 
inadequate 

If no serious safety question is identified and the licensee's analysis is 
reasonably adequate, the staff directs the licensee to continue 
implementation Final acceptability of the licensee's SPDS is conditional to
a satisfactory post-implementation audit 

To determine the appropriate level of technical effort needed for post-
implementation audits, the staff decided in mid-1985 to survey a sample of 
six operating plants to determine the state of SPDS implementation and to 
ascertain the scope and depth of review necessary for post-implementation 
audits 

8602100408 


                                                          IN 86-10 
                                                          February 13, 1986 
                                                          Page 2 of 2 

The sample selected for the survey was chosen to represent the major reactor
and SPDS types Five of the six plants in the sample had been issued 
Commission orders or license conditions that stipulated the SPDS was to be 
operational At the time of the survey all five of these plants had declared
their SPDSs operational in accordance with their orders or license 
conditions At two of these five plants the SPDS was, in fact, not 
operational 

Discussion: 

The survey included onsite evaluations of licensee documentation and 
hardware, as well as interviews with operations personnel Detailed survey 
findings are presented in Attachment 1 The major deficiencies identified 
from the survey results include: 

     o    Lack of SPDS availability because of gross system malfunctions, 
     o    Display of unreliable or invalid data and alarms, 
     o    Poor acceptance of SPDS by operators because of reliability 
          problems, 
     o    Failure of management to integrate SPDS into the operational 
          environment, 
     o    Changes and interruption of SPDS display from outside the control 
          room, 
     o    Inadequate documentation of SPDS and failure to control system 
          testing and modifications, and 
     o    Slow SPDS response to some operator commands 

Problems similar to those described above also have been identified by the 
staff during the evaluation of the emergency data acquisition systems as a 
part of the Emergency Response Facility appraisals These appraisals have 
been conducted at six different plant sites 

The following reference materials provide information on the individual 
guidance and requirements for SPDS and emergency data acquisition systems: 

     NUREG-0737, Supplement 1, January 1983 
     NUREG-0800, Chapter 182, November 1984 
     NUREG-0696, February 1981 

No specific action or written response is required by this information 
notice If you have questions about this matter, please contact the Regional
Administrator of the appropriate NRC regional office or this office 


                                   Edward L Jordan Director 
                                   Division of Emergency Preparedness 
                                     and Engineering Response 
                                   Office of Inspection and Enforcement 

Technical Contact:  Roger Woodruff, IE
                    (301) 492-7205

                    George Lapinsky, NRR
                    (301) 492-8166

Attachments:
1   Survey Results
2   List of Recently Issued IE Information Notices 


                                                          Attachment 1     
                                                          IN 86-10         
                                                          February 13, 1986 

                               SURVEY RESULTS

1   Reliability/Availability 

     Three of the six plants were identified as having serious problems 
     regarding SPDS availability Some systems were found to be unavailable 
     because of gross system malfunctions Others were providing invalid and
     unreliable data and were considered to be nonfunctional because 
     operators, justifiably, avoid using them Because no records or logs of
     SPDS performance are currently kept at these plants, the extent of the 
     problem could only be judged by the verbal descriptions of the users 
     and technical staff; eg, "The system has never run for twenty-four 
     hours straight without a failure" 

     Supplement 1 to NUREG-0737 calls for the SPDS to "continuously display 
     information from which the plant safety status can be readily and 
     reliably assessed  " Plants that have declared the SPDS to be 
     operational are expected to have reliable displays portraying accurate 
     values on a continuous basis This was not the case at half of the 
     plants in the sample 

2   Potentially Misleading Information 

     At half of the plants, the staff identified invalid data and alarms 
     that could mislead users This problem is most critical at those plants 
     that use the SPDS as a part of the emergency data acquisition system to 
     provide information to the technical support center (TSC) and emergency 
     operations facility (EOF) In most cases these erroneous indications 
     were caused by not maintaining SPDS software to reflect the most 
     current state of the plant; eg, new alarm setpoints were not entered 
     into SPDS software, and SPDS compensation and calibration were not 
     routinely checked and corrected In one case, the major problem was 
     that the system was simply not complete-revision and debugging of the 
     software was ongoing, while the SPDS was purportedly operational in the 
     control room, the TSC, and the EOF Normally any instrument that is not 
     functional is appropriately tagged-out and repaired, but this was not 
     done in this case In addition, using the control room as a test-bed 
     for SPDS creates the potential for misleading operators and of 
     destroying operator confidence in the SPDS 

3   Poor Operator Acceptance 

     Because of the problems stated above--unreliable, inaccurate, and 
     invalid data--some operations personnel stated that they did not trust 
     the SPDS and would not use it under any circumstances This problem 
     appeared to be further exacerbated at those plants where the operators 
     were not actively involved in SPDS design decisions 

4   Management Support At two plants the staff observed a lack of 
     management support for the SPDS concept At one plant this lack of 
     support was evidenced by a 


                                                          Attachment 1     
                                                          IN 86-10         
                                                          February 13, 1986 
                                                          Page 2 of 2      

     disinterested attitude toward an obviously useless system There was no
     delegation of responsibility to put somebody in the lead to correct the
     system and make it a useable tool for control room operators At a 
     second plant several high-ranking managers voiced their opinion that 
     the SPDS was only an aid and that its use was entirely optional 
     regardless of plant mode or condition As a result, the SPDS was not 
     well integrated into the operational environment of the control room at 
     this plant In fact, the operations personnel interviewed at this plant 
     did not know who, if anyone, was assigned to monitor plant status using 
     this SPDS 

5   Miscellaneous Findings 

     Display Security- At one plant where the SPDS had been operable for 2 
     years, control SPDS displays were routinely being changed and 
     interrupted from outside the control room This was being done without 
     the knowledge or consent of the control room crew and without "tagging 
     out" the SPDS for maintenance 

     System Documentation and Maintenance - Five of the six plants had one 
     or more of the following problems: incomplete or missing elements in 
     the system documentation, especially those that would be needed to 
     correctly maintain SPDS functions as originally designed; inadequate 
     testing, often without defined acceptance criteria; lack of software 
     change review process and appropriate reviewers; no plans for retesting 
     after software changes; and inability to produce current documentation 
     for the existing system 

     Response - At one plant the response of the SPDS to operator commands 
     varied from 3 seconds to several minutes depending on the type of 
     command and the number of other active terminals The staff has 
     observed that response times of over 10 seconds are generally perceived 
     by users as a system or communication failure Therefore, such long 
     response times may cause frustration and keying errors as the user 
     tries to "correct" the situation 

     Critical Safety Functions - At one plant the SPDS did not provide 
     sufficient information to monitor the radioactivity control safety 
     function (remote area radiation monitors) 

     Training - At three plants operators felt that their training regarding
     the use of SPDS was inadequate 

     Integration Into Emergency Operations - At three plants the role of the
     SPDS during emergency operations was undefined and no primary user 
     could be identified 

Page Last Reviewed/Updated Tuesday, November 12, 2013