Y2K, Audit Report on the Seabrook Nuclear Power Plant, Unit 1,
New Hampshire, USA
This document (see appendix), apparently the first of its kind, shows the complexity of the interdependent systems that all have to be considered
and, where necessary, adapted before a nuclear power plant can be claimed to be "fit" for the year 2000 date. A German translation of the
entire document would be too time-consuming because of its length. Therefore a synopsis with explanatory comments follows:
The original text follows
Mr. Ted C. Feigenbaum
SUBJECT: AUDIT REPORT ON IMPLEMENTATION OF GENERIC LETTER 98-01, "YEAR 2000 READINESS OF COMPUTER SYSTEMS AT NUCLEAR POWER PLANTS" FOR SEABROOK STATION, UNIT NO. 1 (TAC NO. MA1887)
Dear Mr. Feigenbaum:
The enclosed report includes the results of the subject audit conducted by NRC staff at the Seabrook Station from September 29, 1998, through October 1, 1998. The purpose of the audit was to assess the effectiveness of the Year 2000 (Y2K) program at Seabrook, to evaluate the implementation schedule in accordance with Generic Letter (GL) 98-01, and to assess the contingency plans that address potential Y2K problems.
The audit team found the Seabrook Millennium Project Plan, which addresses the Y2K readiness program, to be well-structured and readily usable. In addition, the test procedure developed by Seabrook for identifying and correcting potential Y2K problems appeared thorough. During the audit, the team identified an inconsistency in the application of certain classifications. However, your staff was already aware of the inconsistency and had already started to resolve the issue. The results of this audit and subsequent audits at other selected nuclear power plants will be used by the staff to determine the need for additional action, if any, on Y2K readiness for nuclear power plants.
In accordance with 10 CFR 2.790 of the NRC's "Rules of Practice," a copy of this letter and its enclosure will be placed in the NRC Public Document Room. If you have any questions regarding the attached report, please contact me at (301) 415-3199.
Docket No.: 50-443
Enclosure: Y2K Audit Report
U.S. NUCLEAR REGULATORY COMMISSION
From September 29 through October 1, 1998, the NRC staff conducted an audit of the Year 2000 (Y2K) program at the Seabrook Nuclear Generating Station in accordance with the audit plan for this activity. The purpose of the audit was to (1) assess the effectiveness of the North Atlantic Energy Services Corporation (the licensee) programs for achieving Y2K readiness, including continued safe operation of the plant as well as compliance with applicable NRC regulations and license conditions with respect to the potential Y2K problems, (2) evaluate Y2K program implementation to assure that the licensee's schedule is in accordance with NRC Generic Letter (GL) 98-01 guidelines for achieving Y2K readiness by July 1999, and (3) assess the licensee's contingency plans for addressing risks associated with potential events resulting from Y2K problems. The audit team reviewed selected licensee documentation regarding Seabrook's Millennium Project Plan (Seabrook Y2K readiness program) and conducted interviews with the cognizant licensee personnel. The results of this audit and subsequent audits at other selected plants will be used by the staff to determine the need for additional action, if any, on Y2K readiness for nuclear power plants.
Based on the audit team's assessment and evaluation of the Seabrook Y2K readiness program, the following observations were made:
The objectives of the Seabrook Nuclear Generating Station (Seabrook) Y2K Program Audit were to:
The audit was conducted in accordance with the established audit plan which was based in part on the guidance and requirements contained in the following documents:
- GL 98-01, "Year 2000 Readiness of Computer Systems at Nuclear Power Plants"
Prior to the audit at the plant site, the audit team reviewed the Seabrook Millennium Project Plan, Revision 2.0. Upon commencement of the audit, a copy of the Seabrook Millennium Project Plan Revision 3.0 was made available by the licensee for review during the audit. Attachment 1 is a list of documents reviewed by the audit team.
The audit process started with an entrance meeting attended by the Seabrook Y2K Sponsor and Y2K Project Manager, other plant personnel, and members of the audit team. Attachment 2 is a list of the attendees. Members of the Seabrook Y2K organization described the project organization, the project plan, implementation, and the current status.
Subsequent to the entrance meeting, the audit team reviewed the Seabrook Millennium Project Plan, associated project documentation, and communicated with the Seabrook Millennium personnel on an on-going basis to resolve questions as they arose.
2.0 Seabrook Project Description
The Seabrook Millennium Project Plan organization consists of the following roles: (1) an Executive Sponsor, who is responsible for strategic project guidance, approval and executive support, (2) a Y2K Sponsor, who is responsible for providing overall guidance and approval on the budget, resources, progress and results, (3) a Y2K Project Manager, who is responsible for the overall success of the project, including development of the implementation plan, supervising the project team and providing leadership on millennium issues to all station departments, (4) a Y2K project team consisting of the Seabrook Station personnel performing activities related to the millennium effort, (5) the software, hardware, and embedded system sponsors, who have primary responsibility for the operation of the item, are typically the principal user of the item, and are held accountable for the performance of the item, (6) the software, hardware, and embedded system maintainers, who have primary responsibility for the maintenance of the item and the completion of millennium-related tasks, including any remediation, testing and validation, and implementation, (7) the millennium project steering committee, (8) the joint owner audit committee, (9) a contingency plan coordinator who is assigned to facilitate and coordinate the millennium contingency planning effort, (10) the contingency planning team, and (11) a contingency plan technical lead.
The Seabrook licensee participates in group activities related to the Y2K effort with other organizations as follows: NUSMG and NEI, Northeast Energy Alliance (NEA), EPRI, Independent System Operators (ISO) New England, Sorrento Owners Group, and Westinghouse Owners Group (WOG). The Seabrook licensee will use documentation and test plans from the WOG as they are made available to evaluate Y2K readiness or compliance of identified items within the WOG scope. Additionally, the licensee is engaged in benchmarking and peer review activities with other plants as the opportunity is available. The Seabrook licensee and Florida Power and Light (FP&L) engaged in a benchmarking and peer review activity in June 1998 and established an information exchange to explore the manner in which the Y2K problem was and is being addressed at their plant sites. This type of benchmarking and peer review interface will be scheduled with other utilities as the opportunity occurs.
2.2 Project Plan
The Seabrook Millennium Project Plan, Revision 3.0, dated September 25, 1998, is the plant-specific Y2K readiness plan developed by the licensee. The goal of the Seabrook Millennium Project is to ensure that the station is Y2K ready by July 1999. The Seabrook Millennium Project began in October 1996. Revision 0 of the Project Plan was issued in the spring of 1997. The Seabrook plan is similar to the NEI/NUSMG 97-07 Nuclear Utility Year 2000 Readiness guidance, which was published in the fall of 1997. The audit team's review found that the Seabrook Millennium Project Plan encompasses the guidance in NEI/NUSMG 97-07, although some differences in activity names/terms exist.
The Implementation Plan of the Seabrook Millennium Project Plan includes the process for awareness, inventory, assessment, remediation, testing, validation, documentation and signoff of items. The plan includes a change management process that allows new items to be added to the inventory, while existing items, plans, strategies and impacts can be re-evaluated and modified if necessary.
The awareness activities are included in the section entitled "Communication Plan" in the Seabrook Millennium Project Plan. The formal Y2K awareness phase of the Y2K program at Seabrook began in 1997. The Y2K problem was brought to the attention of the entire plant via "Seabrook Today," a newsletter published by North Atlantic Communications and distributed October 23, 1997. Communication and awareness are maintained at all levels throughout the plant. The communication mode and information are tailored to the specific site audience. Seabrook's Millennium Communication Plan is intended to ensure that appropriate plant personnel are aware of the Y2K problem and take suitable action. The Seabrook licensee uses "communication deliverables" to foster participation and awareness. The following communication deliverables are tailored for their specific audience: project plan revisions, project status reports, millennium item owners and maintainers communication, internal millennium articles, millennium posters and banners, awareness sessions/presentations, and one-on-one meetings. The audit team reviewed the Seabrook Millennium Communication Matrix, which identifies the various audiences and the corresponding awareness communication(s).
The Seabrook Y2K Readiness schedule is provided in Table 1.
What the NEI/NUSMG 97-07 guidance calls initial assessment, which includes the inventory, categorization, classification, prioritization, and analysis of the initial assessment, is described in Seabrook's readiness plan in Section 4.1, Inventory. In Seabrook's readiness plan, the inventory activities include inventory scope, categorization, classification, and inventory signoff.
The inventory identifies all software items and embedded systems potentially affected by the Y2K problem. Additionally, because embedded systems are particularly difficult to inventory, the Seabrook project team took added care to ensure that all potentially affected embedded systems and firmware items were included in the inventory. The embedded system inventory was handled by the Seabrook Station Technical Support Department Engineers. Since most of the staff had been at Seabrook since the plant's design phase, there was a great deal of historical knowledge on station systems, procedures, programs, manuals and other documentation pertaining to embedded systems to draw upon. Identification of the embedded systems encompassed system reviews, EPRI database searches and vendor contacts, internal and external comparisons of inventory data, and knowledge-based decisions.
The inventory phase at Seabrook was completed in August 1998.
Detailed assessment results are used to make decisions regarding activities required to ensure the continued operation of the software. Seabrook's readiness plan Section 4.2, Assessment, includes the analysis activity, which encompasses failure impact, Y2K status and strategy, and the activities of planning and assessment phase signoff.
Y2K classification at Seabrook is based upon "failure impact" analysis. Failure impact classification is defined as follows:
The Y2K status of systems is identified as: non-compliant, compliant, in-process, validated, eliminated, or unknown. The plan notes that for vendor responses that indicate an application or device is Y2K ready or compliant, a decision on whether to perform validation testing is required. This decision may be based on failure impact, extent of documentation provided, confidence in the vendor, and Seabrook's knowledge and experience with the product.
Once Y2K status is determined, the strategies to achieve compliance or readiness are determined. Strategies identified in the Seabrook Millennium Project Plan are: eliminate, fix, replace, or accept as is. Table 2 provides the inventory of items. Of the 1304 items identified, the Seabrook licensee identified 12 that were found to have safety implications, 13 to have implications with respect to plant trip, 160 that were found to be required by regulations or license, and 800 that were found to be significant to business. Table 3 provides the inventory assessment.
One item of the 12 classified as Safety Implication, the Reactor Vessel Level Indication System (RVLIS), is required by technical specifications (post accident monitoring) and performs high energy line break (HELB) isolation of auxiliary steam, steam blowdown and letdown upon detection of a high temperature condition in the auxiliary building. RVLIS has been identified as not Y2K compliant and is being remediated as part of the WOG Y2K effort. In addition to the testing done by Westinghouse, the licensee plans to do additional testing of the remediated RVLIS at the site.
The folders of items reviewed by the Audit Team are listed in Tables 4, 5, 6, and 7. The team reviewed 10 items that had safety implications, 5 that impact generation reduction, 9 that impact plant trip, and 10 that have regulatory impact. (Note: The classification in these tables is defined in Seabrook's North Atlantic Information Manual (NAIM). NAIM Revision 4 is effective October 1, 1998. In this revision, the classification values (grading) change. All items added to the millennium inventory on or after 10/1/98 will use the new software classification values. All items in the millennium database prior to 10/1/98 do not need to be reclassified in the millennium database. Valid values prior to 10/1/98 are: safety critical, mission critical, and non-rated. Valid values 10/1/98 or later are: Level A1, Level A2, Level B, Level C, Level D.)
Testing and validation are performed by the maintainer to ensure that the item is either Y2K ready or compliant. Existing station programs are used for testing. For embedded systems, work requests are written to track and document all testing performed. If there are multiple occurrences of an item that is being tested, for example in spare parts, then these items are to be flagged and tracked for testing prior to anticipated failure dates. Depending on the item, Y2K testing may be performed at multiple levels: unit testing, which focuses on functionality and compliance testing of a single item; interface testing, to determine the ability to process Y2K data from one item to another; and integration testing of the platforms on which the item operates. Documentation requirements for testing/validation include an indication of whether testing was performed and, if not, why. If testing is performed, the test plan checklist is used to ensure appropriate testing is performed. The test plan checklist includes a review of the following tests: rollovers, high risk dates, leap year, sorting and comparisons, calculations, and interfaces. Testing should ensure that an item is Y2K ready and that no new problems are introduced. Testing is performed in accordance with a Technical Support Group Instruction (TSGI). The audit team reviewed TSGI-13 for general software testing and a draft version of TSGI-14 on embedded systems testing (documents 2 and 3 of Attachment 1) and witnessed two bench tests of components that utilized TSGI-14 guidance.
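The six test-plan checklist categories named above (rollovers, high risk dates, leap year, sorting and comparisons, calculations, interfaces) expressed as executable checks, as an added illustration that is not part of the NRC report or Seabrook's TSGI procedures. It assumes a constructed, hypothetical two-digit-year date routine `legacy_parse` standing in for a non-compliant item, and a remediated `fixed_parse` that applies a century window; the high-risk date list is constructed from commonly tested values.

```python
from datetime import date, timedelta

# Constructed legacy routine (hypothetical): two-digit year, century fixed at 1900.
# This is the behaviour a non-compliant item would show, not any Seabrook code.
def legacy_parse(s):
    mm, dd, yy = (int(x) for x in s.split("/"))
    return date(1900 + yy, mm, dd)

# Remediated routine (hypothetical): century window, 00-49 -> 20xx, 50-99 -> 19xx.
def fixed_parse(s, pivot=50):
    mm, dd, yy = (int(x) for x in s.split("/"))
    return date((1900 if yy >= pivot else 2000) + yy, mm, dd)

def fmt(d):
    # Assumed interface format for handing a date to another item: ISO 8601.
    return d.isoformat()

def run_checklist(parse):
    """Run the six checklist categories against a parse routine; return {name: passed}."""
    results = {}

    def check(name, fn):
        try:
            results[name] = bool(fn())
        except Exception:  # a crash on a valid date is a failure, not a pass
            results[name] = False

    # Rollover: the day after 12/31/99 must equal what "01/01/00" parses to.
    check("rollover", lambda: parse("12/31/99") + timedelta(days=1) == parse("01/01/00"))

    # High-risk dates (constructed list): each must parse to the intended calendar date.
    risky = {
        "09/09/99": date(1999, 9, 9),
        "01/01/00": date(2000, 1, 1),
        "02/29/00": date(2000, 2, 29),
        "12/31/00": date(2000, 12, 31),
    }
    check("high_risk_dates", lambda: all(parse(k) == v for k, v in risky.items()))

    # Leap year: 2000 is a leap year (divisible by 400); 1900 was not.
    # 02/29/00 must exist and be followed by 03/01/00.
    check("leap_year", lambda: parse("02/29/00") + timedelta(days=1) == parse("03/01/00"))

    # Sorting and comparisons: chronological order must survive the century boundary.
    unsorted = ["01/01/00", "12/31/99", "06/15/98", "03/01/00"]
    expected = ["1998-06-15", "1999-12-31", "2000-01-01", "2000-03-01"]
    check("sorting", lambda: [fmt(parse(s)) for s in sorted(unsorted, key=parse)] == expected)

    # Calculations: elapsed-day arithmetic across the boundary must give 1 day, not -36523.
    check("calculations", lambda: (parse("01/01/00") - parse("12/31/99")).days == 1)

    # Interfaces: a date handed to another item must round-trip unambiguously.
    check("interfaces", lambda: date.fromisoformat(fmt(parse("01/01/00"))) == date(2000, 1, 1))
    return results

def failed_checks(parse):
    """Names of checklist categories the routine fails, for the test documentation."""
    return sorted(name for name, ok in run_checklist(parse).items() if not ok)

if __name__ == "__main__":
    for name, parse in (("legacy", legacy_parse), ("fixed", fixed_parse)):
        print(name, "fails:", failed_checks(parse) or "none")
```

The legacy routine fails every category (the leap-year check fails by raising, since 29 February 1900 does not exist), while the windowed routine passes all six.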
The purpose of remediation is to replace, fix, or eliminate items identified in the assessment as non Y2K compliant. Remediation includes activities that make the item Y2K compliant or ready. Software-based system changes are made in accordance with the NAIM which defines the Software Quality Assurance Program. In the documentation of the remediation of an item, if the item interfaces with other systems, the maintainer identifies the system interfaces so that arrangements can be made for interface testing and scheduling.
In implementing the Seabrook Millennium Project Plan the licensee makes use of existing programs and policies to ensure that appropriate reviews and evaluations are performed and documented for regulatory compliance. These reviews and evaluations encompass 10 CFR 50.59 reviews, reportability evaluations per 10 CFR 50.72, 50.73 and 10 CFR Part 21, and operability determinations as required by technical specifications.
The Seabrook licensee's contingency plan addresses Y2K contingency planning management, contingency planning remediation risks, contingency planning internal facility risks, contingency planning external risks, and an integrated millennium contingency plan. The steps that Seabrook will take in contingency planning include risk identification, event analysis, risk management, and verification.
Individual contingency plans are prepared for items, systems, or events as identified in the Seabrook guidance. Contingency planning remediation risks include risk identification (identified by the maintainer during the remediation and testing and validation phases of the project), event analysis (performed at the initial remediation phase to understand the nature of the challenges to the selected remediation strategy), risk analysis, and verification. The purpose of the internal risk contingency is to anticipate and prepare for events that could occur due to system failures and reduce their impact on safe operations. Contingency planning for external risks covers the means for mitigation of external millennium events that could compromise safety or continued operation of Seabrook station. One of the external risks to be considered is transmission/distribution system events. Concerns addressed include loss of off-site power, grid instability and voltage fluctuation, load fluctuations, and loss of grid control systems. This contingency planning effort included information exchanges with the appropriate Independent System Operators (ISO) New England subcommittees with grid control responsibilities.
The contingency plan project organization at Seabrook includes a Contingency Plan Coordinator and a cross-matrix Contingency Planning Team led by a Contingency Plan Technical Lead. The implementation of the plan is scheduled to start in the latter part of 1998. The audit team met with the Technical Lead and members of the Contingency Planning Team and was given an outline of the contingency planning implementation process. The process would start with the systems, components and procedures for safe shutdown of the plant, expand to consider systems and procedures for safe continued operation, and finally include systems and interfaces beyond the station boundary.
The Seabrook Y2K program management plan establishes, organizes, manages, and integrates the diversity of activities required to address Y2K readiness. The Y2K readiness activities are covered in the three management areas of risk management, contingency planning, and project internal controls.
Project milestones completed include: development of the communications and awareness plan, the inventory (complete identification and analysis), schedule defined for implementation of corrective actions, and Seabrook Millennium Project Plan Revision 3. Key performance indicators (metrics that measure performance against established goals for each phase of the implementation plan) are used to measure project performance and serve as the basis for monthly reports and appropriate actions to be taken to ensure project schedules are met. To date the established schedules have been met.
The Y2K readiness project is planned to be completed by July 1999, with the primary exception of the Radiation Data Monitor System testing (for either the replacement Y2K compliant system or the remediated system), and its interface testing with system components and the Main Plant Computer. This is scheduled for the fall of 1999.
Methods of oversight of the project include management reviews, self assessments and surveillances, and internal and external audits.
ISO New England has a Year 2000 subcommittee and several subcommittees established to exchange Y2K information, create procedures for testing and remediation, and prepare compliance assurance statements. The ISO New England Coordinator in the Seabrook Millennium Project organization is the person responsible for monitoring the status of the ISO efforts through the Generation Subcommittee.
The audit team met with the ISO New England Coordinator assigned to the project. He described the activities that have been initiated and planned in the ISO New England organization regarding the Y2K problem as it affects the electric power supply system. The interchange of information between the Seabrook licensee and ISO New England has just begun.
Electrical grid issues are also being addressed in Seabrook's contingency planning for external risks. As indicated in the discussion above, issues pertaining to electric grid availability will be evaluated and planned for in the Seabrook Y2K contingency plan.
3.0 Audit Team Observations
The audit team developed the following observations:
The following systems that have safety implications were reviewed by the audit team.
The following table contains the systems that impact power generation reduction which were reviewed by the audit team.
The following table lists the systems reviewed by the audit team that impact plant trip.
SUPVSR - The Fischer & Porter Supervisor uses 53SU5000 Supervisor PC equipment and controls each of the Fischer & Porter digital controllers in the plant. Y2K compliance must be verified.
DCS - DCS Operating System - The field installation and testing of the Y2K compliant software will be completed in the next refueling outage by Foxboro. The simulator software should be installed and tested in the last quarter of 1998.
HD HDTC Heater Drain Tank Level Control equipment is a Fischer & Porter 53MC5000 controller and will be tested by the licensee.
SA Intellisys - The Ingersoll-Rand rotary air compressor is a microprocessor control package which will be tested by the licensee.
GSC-COND - GSC Rosemount conductivity analyzer model 1054BLC-01 is under review by the licensee.
MSD - Main Steam Drain - The moisture separator reheater (MSR) drain tank level is controlled via Fischer & Porter 53MC5000 digital controllers. If the controller fails either the unit will trip on a high MSR shell side water level or a pipe break could occur in the MSR drain tank lines to the condenser. These controllers will be bench tested with identical spares and then field tested during a refueling outage.
AR - AR-DP Transmitter - These Rosemount 1151 DP5 pressure transmitters auto-start the condenser by initiating valve opening. Failure could prevent the auto-start feature from operating. This pressure transmitter will be bench tested.
MS MSRC Moisture Separator Reheater Control - These Fischer & Porter 53MC5000 controllers will be bench tested for Y2K compliance followed by a field test during a refueling outage.
CO HOTWELL Hotwell level control - The Foxboro I/A Series hotwell level program/function equipment will be included in the DCS operating system installation and testing.
The following table is a list of items which have a regulatory requirement impact which were reviewed by the audit team.
PAC - Public Address System - The PAC system is date/time aware and will be remediated in the 3rd quarter of 1998.
SM Seismic Monitoring Software - The seismic monitor is a new hardware and software package, and will be fully tested. The software performs time/history updating. The vendor (Kinemetrics, Inc.) will be contacted in the last quarter of 1998.
SFD HG Hand Geometry - The hand geometry software package will be changed out. However, the present SFD system, including the hand geometry is being made Y2K compliant as a fallback position against unforeseen delays in delivery of the new system. The testing will be scheduled for the first half of 1999, when the new system is installed. Should the hand geometry software fail, all access to the unit would be via manual means.
NI Boron Dilution Monitor - The Gammametrics Shutdown Monitor RCS-30 does not appear to be date aware. However, several clock functions are used and, due to its importance to the plant, it will be evaluated further.
FP COSENTRY - Carbon Monoxide Gas Monitoring System - The Sierra Monitor Corporation gas monitoring system, SPL5000-8R is date aware in that failure occurs with bad date input. The system will be tested and remediated accordingly.
FP Fire Protection - The Simplex 41000 Fire Protection System has been determined by the vendor to be Y2K compliant. The licensee will verify this determination by testing.
LPMS Loose Parts Vibration Monitoring - The licensee will replace the entire loose parts monitoring system with a PC-based Y2K compliant system. This is a technical specification required system and its inoperability impacts plant operation.
RAW Reactor Analysis Workstation RAW-AIX - The strategy for this item is to accept the statement from IBM that the software is compliant and provide further verification testing using the S3/FINC software to validate this assumption. The product name is AIX, version #4.2, operating system for RS/6000 workstations. (http://www.rs6000.ibm.com/resource/results/year.htm)
RDMS RDMS DEC PDP/11 Software - The RDMS system runs on a Sorrento Electronics DEC/PDP11 platform. The operating system is RSX-11 and the application is written in FORTRAN. This system is not Y2K compliant. The vendor has indicated that they have no plans to make this system Y2K compliant but has identified a workaround if the licensee plans to keep the system. The vendor-recommended workaround is to insert a "dummy" date when data was not being tracked for the year 2000.
S3FINC Fixed Incore Analysis - A contractor has been obtained to perform Y2K testing and verify that the code is Y2K compliant.
Entrance Meeting - September 29, 1998
Exit Meeting - October 1, 1998
Edited on: 10.12.1998/ad