Y2K, Audit Report on the Seabrook Nuclear Power Plant, Unit 1, New Hampshire, USA

This document (see appendix), apparently the first of its kind, shows the complexity of the interdependent systems that all have to be considered and, where necessary, adapted before a nuclear power plant can be claimed to be "fit" for the year 2000 date. A German translation of the entire document would be too time-consuming because of its length. A synopsis with explanatory comments therefore follows:

BACKGROUND

In the USA all reactors are controlled by the Nuclear Regulatory Commission (NRC), which is answerable to the Department of Commerce and ultimately to the President. It sets the safety criteria, issues operating licences and reviews operating procedures. Importantly, the Commission can impose heavy fines for non-compliance with operating rules, and does so quite often.

The Office of Nuclear Reactor Regulation (NRR) is made up of civil servants who are selected not by party affiliation but by examination following open competition. They are employed by the NRC.

To solve the "Year 2000" problem, the NRC issued a special document (NEI/NUSMG 97-07, "Nuclear Utility Year 2000 Readiness"). The NRR then issued specific requirements (GL 98-01, "Year 2000 Readiness of Computer Systems at Nuclear Power Plants").

These require a specific review for every nuclear plant, the appointment of a project team, publication of the project plan, a detailed inventory of the affected hardware and software together with plans for tests and their proven validity, a precise remediation schedule, and evidence that the necessary changes have been carried out. If this is not achieved before the year 2000, the plant concerned must be shut down.

SEABROOK PROJECT

The project team consists of the NRR office, manufacturers of important hardware and software, and the plant operators. All team members are accountable for the audit report, which is open to public inspection.

The attached document (dated 6 Nov. 1998) is an interim report showing how far the required work has progressed. The project team identified 1304 items to be examined, 745 concerning software and 559 concerning embedded equipment (the "internal control structure" of the hardware). Each item was examined from the point of view of what would happen if it malfunctioned:

-- Safety Implication - (safety risks to the public) (12 items)

-- Plant Trip - (the plant stops operating) (13 items)

-- Generation Reduction - (reduced power production) (5 items)

-- Regulatory Requirement - (the plant would still operate, but not in accordance with regulations) (72 items)

-- Business Critical - (service to customers and staff would be affected) (322 items)

-- Minimum Impact - (minor business disruption, service not affected) (169 items)

-- No Impact - (not important) (202 items)

Table 4 of the report describes all items affecting the safety of the plant. Some of these were regarded as Y2K compliant. Those requiring rework or replacement and testing are marked. Tables 5 (Generation Reduction), 6 (Plant Trip) and 7 (Regulatory Requirement) provide further information.

CONCLUSION

The audit team is made up of experts appointed by the government and by plant operators. All team members are listed by name as accountable for the publication; the inspection follows a systematic plan. Replacement work and repairs also follow a precise schedule. All interim and final reports are publicly available for review.

But what is happening in Germany?

The original text follows.


November 6, 1998

Mr. Ted C. Feigenbaum
Executive Vice President and
Chief Nuclear Officer
North Atlantic Energy Service Corporation
c/o Mr. Terry L. Harpster
P.O. Box 300
Seabrook, NH 03874

SUBJECT: AUDIT REPORT ON IMPLEMENTATION OF GENERIC LETTER 98-01, "YEAR 2000 READINESS OF COMPUTER SYSTEMS AT NUCLEAR POWER PLANTS" FOR SEABROOK STATION, UNIT NO. 1 (TAC NO. MA1887)

Dear Mr. Feigenbaum:

The enclosed report includes the results of the subject audit conducted by NRC staff at the Seabrook Station from September 29, 1998, through October 1, 1998. The purpose of the audit was to assess the effectiveness of the Year 2000 (Y2K) program at Seabrook, to evaluate the implementation schedule in accordance with Generic Letter (GL) 98-01, and to assess the contingency plans that address potential Y2K problems.

The audit team found the Seabrook Millennium Project Plan, which addresses the Y2K readiness program, to be well-structured and readily useable. In addition, the test procedure developed by Seabrook for identifying and correcting potential Y2K problems appeared thorough. During the audit, the team identified an inconsistency in the application of certain classifications. However, your staff was already aware of the inconsistency and had already started to resolve the issue. The results of this audit and subsequent audits at other selected nuclear power plants will be used by the staff to determine the need for additional action, if any, on Y2K readiness for nuclear power plants.

In accordance with 10 CFR 2.790 of the NRC's "Rules of Practice," a copy of this letter and its enclosure will be placed in the NRC Public Document Room. If you have any questions regarding the attached report, please contact me at (301) 415-3199.

Sincerely,

John Harrison, Project Manager
Project Directorate I-3
Division of Reactor Projects - I/II
Office of Nuclear Reactor Regulation

Docket No.: 50-443

Enclosure: Y2K Audit Report

Attachment: As stated

U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION (NRR)
AUDIT REPORT
ON
IMPLEMENTATION OF GENERIC LETTER (GL) 98-01
"YEAR 2000 READINESS OF COMPUTER SYSTEMS AT NUCLEAR POWER PLANTS"

Docket Nos: 50-443
License No: NPF-86
Licensee: North Atlantic Energy Services Corporation
Facility: Seabrook Unit 1
Location: Seabrook, NH
13 Miles South of Portsmouth, NH
Dates: September 27 - October 1, 1998
Audit Team Members: Matthew Chiramal, NRR
William Ruland, Region I
Deirdre Spaulding, NRR
Approved by: Jared Wermiel, Chief
Instrumentation and Controls Branch
Office of Nuclear Reactor Regulation

Executive Summary

From September 29 through October 1, 1998, the NRC staff conducted an audit of the Year 2000 (Y2K) program at the Seabrook Nuclear Generating Station in accordance with the audit plan for this activity. The purpose of the audit was to (1) assess the effectiveness of the North Atlantic Energy Services Corporation (the licensee) programs for achieving Y2K readiness, including continued safe operation of the plant as well as compliance with applicable NRC regulations and license conditions with respect to the potential Y2K problems, (2) evaluate Y2K program implementation to assure that the licensee's schedule is in accordance with NRC Generic Letter (GL) 98-01 guidelines for achieving Y2K readiness by July 1999, and (3) assess the licensee's contingency plans for addressing risks associated with potential events resulting from Y2K problems. The audit team reviewed selected licensee documentation regarding Seabrook's Millennium Project Plan (Seabrook Y2K readiness program) and conducted interviews with the cognizant licensee personnel. The results of this audit and subsequent audits at other selected plants will be used by the staff to determine the need for additional action, if any, on Y2K readiness for nuclear power plants.

Based on the audit team's assessment and evaluation of the Seabrook Y2K readiness program, the following observations were made:

  1. The Seabrook Millennium Project Plan, Revision 3.0, incorporates several items that reflect an increased understanding of Y2K issues that were identified through project self assessments, oversight, and audits since Revision 2 was issued in August 1998.
  2. The Seabrook Millennium Project Plan is based on the guidance of NEI/NUSMG 97-07 and NRC Generic Letter 98-01 and is well-structured and readily useable.
  3. The evaluation performed by the station project staff in completing the analysis of items is considered to be consistent with the Seabrook Millennium Project Plan. The Seabrook Millennium Project is planned to be completed by July 1999, with the primary exception of the modified Radiation Data Monitor System which is scheduled for installation in the 4th quarter of 1999. The licensee and audit team identified an inconsistency in classification of items in the plan which is being corrected.
  4. The Seabrook project is in the remediation phase. The test procedure developed by Seabrook for identifying the Y2K problem and for verifying remediated software and embedded systems is a thorough, detailed procedure that would adequately identify Y2K problems and aid in identifying and correcting the root cause of the problem.
  5. The Seabrook Millennium Project Plan Revision 3.0 includes the Contingency Plan based on the guidance in NEI/NUSMG 98-07. The implementation of the plan is scheduled to start in November 1998.
  6. The Seabrook Y2K plan is being coordinated with Independent System Operators New England in order to address electric power supply system availability concerns.

1.0 Introduction

The objectives of the Seabrook Nuclear Generating Station (Seabrook) Y2K Program Audit were to:

  1. Assess the effectiveness of the North Atlantic Energy Services Corporation (the licensee) program for achieving Y2K readiness including continued safe operation of the plant as well as compliance with applicable NRC regulations and license conditions with respect to potential Y2K problems.
  2. Evaluate Y2K program implementation to assure that the licensee's schedule is in accordance with NRC Generic Letter (GL) 98-01 guidelines for achieving Y2K readiness by July 1, 1999.
  3. Assess the licensee's contingency plans for addressing risks associated with potential events resulting from Y2K problems.

The audit was conducted in accordance with the established audit plan which was based in part on the guidance and requirements contained in the following documents:

- GL 98-01, "Year 2000 Readiness of Computer Systems at Nuclear Power Plants"
- Licensee Response(s) to GL-98-01
- Plant technical specifications and license terms and conditions
- Applicable NRC regulations
- NEI/NUSMG 97-07, "Nuclear Utility Year 2000 Readiness"

Prior to the audit at the plant site, the audit team reviewed the Seabrook Millennium Project Plan, Revision 2.0. Upon commencement of the audit, a copy of the Seabrook Millennium Project Plan Revision 3.0 was made available by the licensee for review during the audit. Attachment 1 is a list of documents reviewed by the audit team.

The audit process started with an entrance meeting attended by the Seabrook Y2K Sponsor and Y2K Project Manager, other plant personnel, and members of the audit team. Attachment 2 is a list of the attendees. Members of the Seabrook Y2K organization described the project organization, the project plan, implementation, and the current status.

Subsequent to the entrance meeting, the audit team reviewed the Seabrook Millennium Project Plan, associated project documentation, and communicated with the Seabrook Millennium personnel on an on-going basis to resolve questions as they arose.

2.0 Seabrook Project Description

2.1 Project Organization

The Seabrook Millennium Project Plan organization consists of the following roles:

  1. an Executive Sponsor, who is responsible for strategic project guidance, approval and executive support;
  2. a Y2K Sponsor, who is responsible for providing overall guidance and approval on the budget, resources, progress and results;
  3. a Y2K Project Manager, who is responsible for the overall success of the project, including development of the implementation plan, supervising the project team and providing leadership on millennium issues to all station departments;
  4. a Y2K project team consisting of the Seabrook Station personnel performing activities related to the millennium effort;
  5. the software, hardware, and embedded system sponsors, who have primary responsibility for the operation of the item, are typically its principal user, and are held accountable for its performance;
  6. the software, hardware, and embedded system maintainers, who have primary responsibility for the maintenance of the item and the completion of millennium-related tasks, including any remediation, testing and validation, and implementation;
  7. the millennium project steering committee;
  8. the joint owner audit committee;
  9. a contingency plan coordinator, who is assigned to facilitate and coordinate the millennium contingency planning effort;
  10. the contingency planning team; and
  11. a contingency plan technical lead.

The Seabrook licensee participates in group activities related to the Y2K effort with other organizations as follows: NUSMG and NEI, Northeast Energy Alliance (NEA), EPRI, Independent System Operators (ISO) New England, Sorrento Owners Group, and Westinghouse Owners Group (WOG). The Seabrook licensee will use documentation and test plans from the WOG as they are made available to evaluate Y2K readiness or compliance of identified items within the WOG scope. Additionally, the licensee is engaged in bench-marking and peer review activities with other plants as the opportunity is available. The Seabrook licensee and Florida Power and Light (FP&L) engaged in a bench-marking and peer review activity in June 1998 and established an information exchange to explore the manner in which the Y2K problem was and is being addressed at their plant sites. This type of bench-marking and peer review interface will be scheduled with other utilities as the opportunity occurs.

2.2 Project Plan

The Seabrook Millennium Project Plan, Revision 3.0, dated September 25, 1998 is the plant specific Y2K readiness plan developed by the licensee. The goal of the Seabrook Millennium Project is to ensure that the station is Y2K ready by July 1999. The Seabrook Millennium Project began in October 1996. Revision 0 of the Project Plan was issued in the spring of 1997. The Seabrook plan is similar to the NEI/NUSMG 97-07 Nuclear Utility Year 2000 Readiness guidance which was published in the Fall of 1997. The audit team's review found that the Seabrook Millennium Project Plan encompasses the guidance in the NEI/NUSMG 97-07, although some differences in activity names/terms exist.

The Implementation Plan of the Seabrook Millennium Project Plan includes the process for awareness, inventory, assessment, remediation, testing, validation, documentation and signoff of items. The plan includes a change management process that allows new items to be added to the inventory, while existing items, plans, strategies and impacts can be re-evaluated and modified if necessary.

2.2.1 Awareness

The awareness activities are included in the section entitled "Communication Plan," in the Seabrook Millennium Project Plan. The formal Y2K awareness phase of the Y2K program at Seabrook began in 1997. The Y2K problem was brought to the attention of the entire plant via "Seabrook Today," a newsletter published by North Atlantic Communications, and distributed October 23, 1997. Communication and awareness is maintained at all levels throughout the plant. The communication mode and information is tailored to the specific site audience. Seabrook's Millennium Communication Plan is intended to ensure that appropriate plant personnel are aware of the Y2K problem and take suitable action. The Seabrook licensee uses "communication deliverables" to foster participation and awareness. The following communication deliverables are tailored for their specific audience: project plan revisions, project status reports, millennium item owners and maintainers communication, internal millennium articles, millennium posters and banners, awareness sessions/presentations, and one-on-one meetings. The audit team reviewed the Seabrook Millennium Communication Matrix which identifies the various audiences and the corresponding awareness communication(s).

The Seabrook Y2K Readiness schedule is provided in Table 1.

2.2.2 Initial Assessment

What the NEI/NUSMG 97-07 guidance calls the initial assessment (the inventory, categorization, classification, prioritization, and analysis of the initial assessment) is described in Section 4.1, Inventory, of Seabrook's readiness plan. In Seabrook's readiness plan, the inventory activities include inventory scope, categorization, classification, and inventory signoff.

The inventory identifies all software items and embedded systems potentially affected by the Y2K problem. Additionally, because embedded systems are particularly difficult to inventory, the Seabrook project team took added care to ensure that all potentially affected embedded systems and firmware items were included in the inventory. The embedded system inventory was handled by the Seabrook Station Technical Support Department Engineers. Since most of the staff had been at Seabrook since the plant's design phase, there was a great deal of historical knowledge on station systems, procedures, programs, manuals and other documentation pertaining to embedded systems to draw upon. Identification of the embedded systems encompassed system reviews, EPRI database searches and vendor contacts, internal and external comparisons of inventory data, and knowledge-based decisions.

The inventory phase at Seabrook was completed in August 1998.

2.2.3 Detailed Assessment

Detailed assessment results are used to make decisions regarding the activities required to ensure the continued operation of the software. Section 4.2, Assessment, of Seabrook's readiness plan includes the analysis activity, which encompasses failure impact, Y2K status and strategy, and the activities of planning and assessment phase signoff.

Y2K classification at Seabrook is based upon "failure impact" analysis. Failure impact classification is defined as follows:

  • Safety Implication - Important to safety of personnel and the public, safety-related controls, performs design basis calculation on nuclear safety- related structures, systems and components, process monitoring used as the basis for operational actions which prevent the release of radioactive material to the environment, and safety-related direct impact.
  • Plant Trip - Affects the plant's ability to stay on-line.
  • Generation Reduction - Impacts level of power generation.
  • Regulatory Requirement - Required by regulators, pertains to a license commitment.
  • Business Critical - Important to continuity of business, major impact on service to customers, could result in lost productivity to the majority of employees.
  • Minimum Impact - Minimal impact to business, services not affected, loss of productivity to some employees.
  • No impact - Non-essential, no impact to business operations, no lost productivity.

The Y2K status of systems is identified as: non-compliant, compliant, in-process, validated, eliminated, or unknown. The plan notes that for vendor responses that indicate an application or device is Y2K ready or compliant, a decision on whether to perform validation testing is required. This decision may be based on failure impact, extent of documentation provided, confidence in the vendor, and Seabrook's knowledge and experience with the product.

Once the Y2K status is determined, the strategies to achieve compliance or readiness are determined. Strategies identified in the Seabrook Millennium Project Plan are: eliminate, fix, replace, or accept as is. Table 2 provides the inventory of items. Of the 1304 items identified, the Seabrook licensee identified 12 that were found to have safety implications, 13 to have implications with respect to plant trip, 160 that were found to be required by regulations or license, and 800 that were found to be significant to business. Table 3 provides the inventory assessment.

One item of the 12 classified as Safety Implication, the Reactor Vessel Level Indication System (RVLIS), is required by technical specifications (post accident monitoring) and performs high energy line break (HELB) isolation of auxiliary steam, steam blowdown and letdown upon detection of a high temperature condition in the auxiliary building. RVLIS has been identified as not Y2K compliant and is being remediated as part of the WOG Y2K effort. In addition to the testing done by Westinghouse, the licensee plans to do additional testing of the remediated RVLIS at the site.

The folders of items reviewed by the Audit Team are listed in Tables 4, 5, 6, and 7. The team reviewed 10 items that had safety implications, 5 that impact generation reduction, 9 that impact plant trip, and 10 that have regulatory impact. (Note: The classification in these tables is defined in Seabrook's North Atlantic Information Manual (NAIM). The NAIM, Revision 4 is effective October 1, 1998. In this revision, the classification values (grading) change. All items added to the millennium inventory on or after 10/1/98 will use the new software classification values. All items in the millennium database prior to 10/1/98 do not need to be reclassified in the millennium database. Valid values prior to 10/1/98 are: safety critical, mission critical, and non-rated. Valid values 10/1/98 or later are: Level A1, Level A2, Level B, Level C, Level D).

2.2.4 Y2K Testing and Validation

Testing and validation are performed by the maintainer to ensure that the item is either Y2K ready or compliant. Existing station programs are used for testing. For embedded systems, work requests are written to track and document all testing performed. If there are multiple occurrences of an item that is being tested, for example in spare parts, then these items are to be flagged and tracked for testing prior to anticipated failure dates. Depending on the item, Y2K testing may be performed at multiple levels: unit testing, which focuses on functionality and compliance testing of a single item; interface testing, to determine the ability to pass Y2K data from one item to another; and integration testing of the platforms on which the item operates. Documentation requirements for testing/validation include an indication of whether testing was performed and, if not, why. If testing is performed, the test plan checklist is used to ensure appropriate testing is performed. The test plan checklist includes a review of the following tests: rollovers, high risk dates, leap year, sorting and comparisons, calculations, and interfaces. Testing should ensure that an item is Y2K ready and that no new problems are introduced. Testing is performed in accordance with a Technical Support Group Instruction (TSGI). The audit team reviewed TSGI-13 for general software testing and a draft version of TSGI-14 on embedded systems testing (documents 2 and 3 of Attachment 1) and witnessed two bench tests of components that utilized TSGI-14 guidance.
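The six test categories named in the checklist above (rollovers, high risk dates, leap year, sorting and comparisons, calculations, interfaces), applied to a constructed two-digit-year date routine before and after a "fix"-strategy remediation. This is an added example, not code from the NRC report or from Seabrook's TSGI procedures; the YYMMDD record format, the century-window pivot of 50 and the sample dates are assumptions.

```python
"""Added example: a Y2K test-plan checklist run against a constructed date
routine in its legacy form (two-digit year always means 19yy) and in its
remediated form (century windowing).  Record format, pivot and sample dates
are assumptions for the illustration, not values from the audit report."""
from datetime import date, timedelta

PIVOT = 50  # assumed century window: 00-49 -> 20xx, 50-99 -> 19xx


def legacy_expand_year(yy: int) -> int:
    """Typical pre-remediation behaviour: '00' becomes 1900, not 2000."""
    return 1900 + yy


def windowed_expand_year(yy: int, pivot: int = PIVOT) -> int:
    """'Fix' strategy: interpret the two-digit year through a century window."""
    return 2000 + yy if yy < pivot else 1900 + yy


def parse_yymmdd(record: str, expand) -> date:
    """Parse a constructed 6-digit YYMMDD field; ValueError on an invalid date."""
    if len(record) != 6 or not record.isdigit():
        raise ValueError(f"bad YYMMDD field: {record!r}")
    yy, mm, dd = int(record[0:2]), int(record[2:4]), int(record[4:6])
    return date(expand(yy), mm, dd)


def is_leap_year(year: int) -> bool:
    """Gregorian rule: 2000 is a leap year (divisible by 400), 1900 is not."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def export_yyyymmdd(record: str, expand) -> str:
    """Interface format assumed for a downstream system wanting a 4-digit year."""
    return parse_yymmdd(record, expand).strftime("%Y%m%d")


def run_checklist(expand) -> dict:
    """Run the six checklist categories against one year-expansion routine.
    Returns {category: passed}; an exception raised on a valid date counts
    as a failure, since that is how a real item would fail in service."""
    results = {}

    def check(name, fn):
        try:
            results[name] = bool(fn())
        except ValueError:
            results[name] = False

    # 1. Rollover: the day after 31 Dec 1999 must be 1 Jan 2000.
    check("rollover", lambda:
          parse_yymmdd("000101", expand) - parse_yymmdd("991231", expand)
          == timedelta(days=1))
    # 2. High-risk dates: 9/9/99 (once used as a sentinel) and 1 Jan 2000
    #    must both parse as real dates in the right century.
    check("high_risk_dates", lambda:
          parse_yymmdd("990909", expand) == date(1999, 9, 9)
          and parse_yymmdd("000101", expand) == date(2000, 1, 1))
    # 3. Leap year: 29 Feb 2000 must be accepted as a valid date.
    check("leap_year", lambda:
          is_leap_year(expand(0))
          and parse_yymmdd("000229", expand) == date(2000, 2, 29))
    # 4. Sorting and comparisons: records must order chronologically,
    #    not by the raw digits ("00" sorting before "99").
    check("sorting_comparisons", lambda:
          sorted(["000101", "991231", "000229"],
                 key=lambda r: parse_yymmdd(r, expand))
          == ["991231", "000101", "000229"])
    # 5. Calculations: elapsed days across the rollover (1 Dec 1999 to
    #    1 Mar 2000 = 31 + 31 + 29) must be positive and correct.
    check("calculations", lambda:
          (parse_yymmdd("000301", expand) - parse_yymmdd("991201", expand)).days
          == 91)
    # 6. Interfaces: the exported 4-digit-year field must carry the century.
    check("interfaces", lambda: export_yyyymmdd("000101", expand) == "20000101")
    return results


if __name__ == "__main__":
    for label, expand in (("legacy", legacy_expand_year),
                          ("windowed", windowed_expand_year)):
        print(label, run_checklist(expand))
```

The legacy routine fails every category (the 29 Feb 2000 record even raises, because 1900-02-29 does not exist), while the windowed routine passes all six; a real checklist would additionally record why any category was not tested, as the report requires.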

2.2.5 Remediation

The purpose of remediation is to replace, fix, or eliminate items identified in the assessment as non Y2K compliant. Remediation includes activities that make the item Y2K compliant or ready. Software-based system changes are made in accordance with the NAIM which defines the Software Quality Assurance Program. In the documentation of the remediation of an item, if the item interfaces with other systems, the maintainer identifies the system interfaces so that arrangements can be made for interface testing and scheduling.

2.2.6 Regulatory Considerations

In implementing the Seabrook Millennium Project Plan the licensee makes use of existing programs and policies to ensure that appropriate reviews and evaluations are performed and documented for regulatory compliance. These reviews and evaluations encompass 10 CFR 50.59 reviews, reportability evaluations per 10 CFR 50.72, 50.73 and 10 CFR Part 21, and operability determinations as required by technical specifications.

2.2.7 Contingency Planning

The Seabrook licensee's contingency plan addresses Y2K contingency planning management, contingency planning remediation risks, contingency planning internal facility risks, contingency planning external risks, and an integrated millennium contingency plan. The steps that Seabrook will take in contingency planning include risk identification, event analysis, risk management, and verification.

Individual contingency plans are prepared for items, systems, or events as identified in the Seabrook guidance. Contingency planning remediation risks include risk identification (identified by the maintainer during the remediation and testing and validation phases of the project), event analysis (performed at the initial remediation phase to understand the nature of the challenges to the selected remediation strategy), risk analysis, and verification. The purpose of the internal risk contingency is to anticipate and prepare for events that could occur due to system failures and reduce their impact on safe operations. Contingency planning external risks covers the means for mitigation of external millennium events that could compromise safety or continued operation of Seabrook station. One of the external risks to be considered is transmission/distribution system events. Concerns addressed include loss of off-site power, grid instability and voltage fluctuation, load fluctuations and loss of grid control systems. This contingency planning effort included information exchanges with the appropriate Independent System Operators (ISO) New England subcommittees with grid control responsibilities.

The contingency plan project organization at Seabrook includes a Contingency Plan Coordinator, and a cross-matrix Contingency Planning Team led by a Contingency Plan Technical Lead. The implementation of the plan is scheduled to start in the later part of 1998. The audit team met with the Technical Lead and members of the Contingency Planning Team and was given an outline of the contingency planning implementation process. The process would start with the systems, components and procedures for safe shutdown of the plant and expand to consider systems and procedures for safe continued operation, and, finally include systems and interfaces beyond the station boundary.

2.2.8 Y2K Program Management

The Seabrook Y2K program management plan establishes, organizes, manages, and integrates the diversity of activities required to address Y2K readiness. The Y2K readiness activities are covered in the three management areas of risk management, contingency planning, and project internal controls.

Project milestones completed include: development of the communications and awareness plan, the inventory (complete identification and analysis), schedule defined for implementation of corrective actions, and Seabrook Millennium Project Plan Revision 3. Key performance indicators (metrics that measure performance against established goals for each phase of the implementation plan) are used to measure project performance and serve as the basis for monthly reports and appropriate actions to be taken to ensure project schedules are met. To date the established schedules have been met.

The Y2K readiness project is planned to be completed by July 1999, with the primary exception of the Radiation Data Monitor System testing (for either the replacement Y2K compliant system or the remediated system), and its interface testing with system components and the Main Plant Computer. This is scheduled for the fall of 1999.

Methods of oversight of the project include management reviews, self assessments and surveillances, and internal and external audits.

2.2.9 Electrical Grid Issues

ISO New England has a Year 2000 subcommittee and several subcommittees established to exchange Y2K information, create procedures for testing and remediation, and prepare compliance assurance statements. The ISO New England Coordinator in the Seabrook Millennium Project organization is the person responsible for monitoring the status of the ISO efforts through the Generation Subcommittee.

The audit team met with the ISO New England Coordinator assigned to the project. He described the activities that have been initiated and planned in the ISO New England organization regarding the Y2K problem as it affects the electric power supply system. The interchange of information between the Seabrook licensee and ISO New England has just begun.

Electrical grid issues are also being addressed in Seabrook's contingency planning for external risks. As indicated in the discussion above, issues pertaining to electric grid availability will be evaluated and planned for in the Seabrook Y2K contingency plan.

3.0 Audit Team Observations

The audit team developed the following observations:

1. The Seabrook Millennium Project Plan, Revision 3.0, incorporates several items that were being used by the project team members but were not included in Revision 2.0 of the plan, such as the project test plan checklist and project vendor readiness questionnaire. The changes were the result of items identified through project self assessments, oversight and internal audits performed since Revision 2.0 was issued in August 1998. Revision 3.0 also contains the Contingency Plan.
Revision 3.0 includes a list of documents related to existing station programs and policies for performing the activities and QA measures related to the Y2K problem. The audit team pointed out to the project sponsor and project manager that the guidance on the use of existing station programs and policies appears to be very general and the appropriate use of the documents for specific activities (e.g., activities related to design changes to software, hardware, or embedded firmware) are left to the individual. The project sponsor stated that additional training has been provided to all station staff working on Y2K related activities on the use of existing procedures. Additionally, the majority of the staff at the Seabrook Station has been working in the same technical area since the startup of the station and are well-versed in applying existing procedures and policies to change processes and adverse condition report activities in their area of responsibility.
2. The Seabrook Millennium Project Plan is based on the guidance in NEI/NUSMG 97-07 and NRC Generic Letter 98-01. The method for classifying an item was simplified and failure impact is used to classify items in the inventory or analysis phase.
Based on the review and evaluation by the audit team of the plan and its implementation up to the analysis phase, the Seabrook Millennium Project Plan is considered to be well-structured and readily usable. The revisions to the plan are based on the lessons learned and feedback obtained in the use of the plan by the project team members and audit teams.
3. Based on the audit team's review and evaluation of the results of the Y2K readiness project to date, the audit team considers the evaluation done by the station project staff in completing the analysis of items in the inventory to be consistent with the Seabrook Millennium Project Plan. The Seabrook Millennium Project is planned to be completed by July 1999, with the primary exception of the Radiation Data Monitor System discussed in item 7 below.
The audit team identified an inconsistency in how the application of classification as defined in the plan was applied to certain items that were not susceptible to the Y2K problem. The use of failure impact in classifying an item is not dependent on whether an item is affected by the Y2K problem or not. The project manager and team were already aware of this inconsistency since it was identified by an earlier audit and the entire inventory was being re-classified to correct the errors in classification. Additionally, the project staff had been given additional training in this area.
4. The detailed assessment phase includes both analysis and planning. Analysis includes classification based on failure impact, millennium status and strategies to achieve Y2K readiness or compliance. The millennium strategies are: eliminate, fix, replace or accept as is.
The Seabrook project is in the remediation phase. For items in the "Fix" category, remediation includes testing to identify the failure mode due to a Y2K problem, followed by corrective changes to make the item Y2K ready or compliant. The audit team witnessed bench tests of two components with firmware. These bench tests were based on the test procedure developed for embedded systems. Based on the witnessing of the tests, the audit team considers that the test procedure is a thorough, detailed procedure that would adequately identify Y2K problems and aid in identifying and correcting the root cause of the problem.
5. The Seabrook Millennium Project Plan includes an outline of the Contingency Plan based on NEI/NUSMG 98-07 guidance. The Project Organization includes a Contingency Plan Coordinator, and a cross-matrix Contingency Planning Team led by a Contingency Plan Technical Lead. The implementation of the plan is scheduled to start in the latter part of 1998. The audit team met with the Technical Lead and members of the Contingency Planning Team and was provided with an outline of the contingency planning process.
6. The audit team met with the ISO New England Coordinator assigned to the project, and was briefed on the activities that have been initiated and planned regarding the Y2K problem as it affects the electric power supply system availability. ISO New England has established sub-committees to exchange Y2K information, create procedures for testing and remediation, and prepare compliance assurance statements.
7. The Seabrook licensee has identified a Y2K problem with the Radiation Data Monitor System (RDMS). The RDMS is a vendor package provided by Sorrento Electric which has been determined to be not Y2K compliant. The vendor has indicated that they have no plans to make this system Y2K compliant. The vendor has identified a work around to provide for RDMS operation if the licensee plans to keep the system. The licensee's strategy for attaining RDMS Y2K compliance/readiness was to investigate alternatives. Several of the plants that use this device, including Seabrook, have formed a Sorrento Owners Group to address and solve the Y2K problem with this device. The options to date are to either obtain a Y2K compliant replacement system (three vendors have been identified) or to implement the vendor identified work around as discussed below.
The vendor has indicated to their customers that the RDMS cannot properly function with a year identification that ends in 00 (every decade), but that when the year 2000 comes to an end, the system will be able to operate properly in the year 2001. An approach identified by the Seabrook licensee is to change the system date to some date in the past when Seabrook was not tracking data; that is, the date will be set back 28 years. (Initial testing at the Seabrook test bed indicated the RDMS operated with the date of 1972 inserted, but did not function correctly with "00.") Procedurally, the licensee could insert a "dummy" date of say 1978 for the year 2000, and then reset the date correctly to 2001 when that year arrives.
The present schedule calls for having either the RDMS replacement or work around option implemented by the fourth quarter of 1999. (The necessary Main Plant Computer System software change to "dummy" a date for the RDMS input is scheduled for November 1998 and planned for testing and actual use in the last quarter of 1999.)
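The 28-year date setback described above, as an added example that is not part of the original report or the vendor's software: a small Python model of a legacy system that rejects a two-digit year of "00", with a check that a substitute year keeps leap day and weekdays aligned with the real year so that dates recorded during the workaround can be mapped back. The two-digit stamp format "YY-MM-DD" with a 1900 century base is an assumption for illustration.

```python
"""Model of the RDMS 28-year date-setback workaround (illustrative, not
the vendor's or the licensee's code)."""
import calendar
from datetime import date

SETBACK_YEARS = 28  # 2000 -> 1972, the offset the report describes


def legacy_accepts_year(year: int) -> bool:
    """Model of the described failure: a year ending in '00' is not handled."""
    return year % 100 != 0


def calendar_aligned(real_year: int, substitute_year: int) -> bool:
    """True when every month/day of real_year exists in substitute_year and
    falls on the same weekday, i.e. the two years are interchangeable."""
    if calendar.isleap(real_year) != calendar.isleap(substitute_year):
        return False  # Feb 29 would be missing or spurious
    return date(real_year, 1, 1).weekday() == date(substitute_year, 1, 1).weekday()


def aligned_setbacks(real_year: int, max_years: int = 50) -> list[int]:
    """Offsets (in years) that the legacy system accepts and that keep the
    calendar aligned; generalises the report's single 2000 -> 1972 case."""
    return [
        k for k in range(1, max_years + 1)
        if legacy_accepts_year(real_year - k)
        and calendar_aligned(real_year, real_year - k)
    ]


def to_substitute(real: date, setback: int = SETBACK_YEARS) -> date:
    """Date to feed the legacy system in place of the real date."""
    if not calendar_aligned(real.year, real.year - setback):
        raise ValueError(f"setback of {setback} years misaligns {real.year}")
    return real.replace(year=real.year - setback)


def to_real(recorded: date, setback: int = SETBACK_YEARS) -> date:
    """Map a date the legacy system recorded back to the real date."""
    return recorded.replace(year=recorded.year + setback)


def decode_legacy_stamp(stamp: str, setback: int = SETBACK_YEARS) -> date:
    """Decode a constructed two-digit stamp such as '72-03-15' (YY-MM-DD,
    century assumed to be 1900) recorded while the setback was in effect."""
    yy, mm, dd = (int(p) for p in stamp.split("-"))
    return to_real(date(1900 + yy, mm, dd), setback)


if __name__ == "__main__":
    print(aligned_setbacks(2000))             # [28]
    print(to_substitute(date(2000, 2, 29)))   # 1972-02-29
    print(decode_legacy_stamp("72-03-15"))    # 2000-03-15
```

Only offsets that are multiples of 28 line up within the 1901-2099 range, which is why a 22-year setback (2000 to 1978) is rejected by to_substitute: 1978 has no February 29.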

 


Table 1 - Seabrook Millennium Project Plan Schedule

Activity                     | Starting date | Finishing date
Awareness                    | 1997          | On-going
Initial Assessment           |               | May 1, 1998
Detailed Assessment/analysis |               | June 15, 1998
Remediation                  | November 1998 | June 1999*
Contingency Planning         | November 1998 |
* Except for RDMS, which is scheduled for the 4th quarter of 1999



Table 2 - Inventory

Category                                      | Total | Safety Implication | Plant Trip / Generation Reduction | Reg. Reqmnts | Business Critical | Min. Impact / No Impact
Software items                                | 745   | 7                  | 3/1                               | 101          | 319               | 159/155
Embedded items (Equipment, firmware, e-prom)  | 559   | 5                  | 10/4                              | 58           | 298               | 89/95



Table 3 - Inventory Assessment

IMPACT                 | Accept As Is | Fix | Replace | Eliminate | Total
Safety Implication     | 7            | 4   | 1       |           | 12
Plant Trip             |              | 13  |         |           | 13
Generation Reduction   |              | 5   |         |           | 5
Regulatory Requirement | 72           | 72  | 11      | 4         | 159
Business Critical      | 322          | 142 | 111     | 42        | 617
Minimum Impact         | 169          | 44  | 23      | 12        | 248
No Impact              | 202          | 16  | 10      | 22        | 250
Total                  | 772          | 296 | 156     | 80        | 1304

The following systems that have safety implications were reviewed by the audit team.



Table 4 - Safety Implications

Millennium Item                                  | Classification   | Millennium Status | Strategy                           | Impact
PDS - PDSTRUDL                                   | Safety Critical  | Compliant         | Accept As Is                       | Safety Implication
CBS - Containment Building Spray                 | Safety Critical  | Compliant         | Accept As Is                       | Safety Implication
DAPPER - Distribution Analysis For Power Planning | Safety Critical | Compliant         | Accept As Is                       | Safety Implication
SFHX - Spent Fuel Pool Cooling Heat Exchanger    | Safety Critical  | Compliant         | Accepted As Is                     | Safety Implication
ADL-SK - ADLPipe Seabrook                        | Safety Critical  | Compliant         | Accepted As Is                     | Safety Critical
RC - Ultrasonic Level Monitoring System          | Safety Critical  | Not Compliant     | Fix (requiring Y2K testing)        | Safety Implication
FH - Fuel Handling System                        | Safety Critical  | Not Compliant     | Fix (requiring Y2K testing)        | Safety Implication
FH1 - Fuel Handling Machine-MMI                  | Safety Critical  | Not Compliant     | Fix (requiring Y2K testing)        | Safety Implication
RVLIS - Reactor Vessel Level Indication System   | Safety Critical  | Not Compliant     | Fix (Y2K testing required)         | Safety Implication
FIREDET - Fire Detection System                  | Non Rated        | Unknown           | Replace                            | Safety Implication
PROTOFLO - Proto Power's Proto-Flo Software      | Non Rated        |                   |                                    | Safety Implication
GTS - GTSTRUDL                                   | Safety Critical  | Compliant         | Accept As Is                       | Safety Implication
SI - Safety Injection                            | Mission Critical | Not Compliant     | Fix (Y2K testing required)         | Minimum Impact
SSPS                                             | Non Rated        | Compliant         | Accept As Is                       | No Impact
  • PDSTRUDL is a digital computer program used for analysis and design of complex structures. The vendor is Phi-Delta, Inc. The vendor certified that dates were not used in the processing of calculations but were used only as a display function on reports. Four digit dates are used.
  • CBS - Containment Building Spray system has no date aware equipment.
  • DAPPER is an electrical engineering/software tool manufactured by SKM Systems Analysis. The vendor stated that there are no date related calculations and that there are no known problems. www.skm.com/year2000.html
  • SFHX is an in-house software program that was developed to account for the available safety margin with respect to the spent fuel pool heat exchangers (performs thermal performance calculations to determine heat removal rate capability.) There is no date in this program. The program language is C.
  • ADL-SK ADLPipe is a pc-based digital computer program used for analysis and design of complex piping systems. According to the vendor, the software is not dependent on calculation of date and/or time in any manner.
  • RC-Ultrasonic level measuring system is for indication of reactor coolant level during reactor coolant mid-loop (reduced inventory refueling) operation only. Initial Y2K testing is being performed by Westinghouse and will be verified by testing by the licensee. A system modification is in progress for installation of a new EPROM. Y2K testing will be integrated with the re-test of the modification.
  • FH-Fuel Handling System has the GE Fanuc Programmable Logic Controller (PLC). The GE automation system consists of a series 90-30/90-20 PLC microcontroller. The system is date & time aware and will be fully tested. Testing will need to be performed during a refueling outage when there is no impact to the refueling schedule.
  • FH1-Fuel Handling Machine - Wonderware MMI Software package. The man/machine interface (MMI) to the GE Fanuc PLC is a Wonderware Product which is date and time aware. It will be tested on the refueling machine prior to a refueling outage. The vendor is PAR Systems.
  • RVLIS-Reactor Vessel Level Indication System - The RVLIS package will be tested by Westinghouse and retested by the Seabrook licensee. RVLIS is required by post-accident monitoring technical specifications and initiates isolation functions upon indication of a high temperature condition in various locations in the auxiliary building.
  • FIREDET-Fire Detection Systems - The licensee is determining whether the system is Y2K compliant.
  • PROTOFLO-Proto Power's Proto-Flo Software is written in Visual Basic. According to the vendor, the software is Y2K compliant because dates were not used in processing of calculations but were used as a display only function in reports.
  • GTS-GTSTRUDL is a digital computer program used for analysis and design of complex structures. The vendor is Phi-Delta, Inc. The programming language used is Fortran. According to the vendor, the software is Y2K compliant.
  • SI-Safety Injection - The SI system flow transmitter is a non-safety related device that is used in the performance of certain inservice testing to quantify or detect leakage through various valves. The transmitter is essentially a stand alone device that performs an indication only function. Should the device fail, for any reason, alternative flow indication on the same test line is available.
  • SSPS - Solid State Protection System has no date aware equipment.

The following table contains the systems that impact power generation reduction which were reviewed by the audit team.



Table 5 - Generation Reduction

Millennium Item                                                   | Classification   | Millennium Status | Strategy                   | Impact
FW - Rosemount Smart Transmitter Field Programmable Device        | Mission Critical | Not Compliant     | Fix (Y2K testing required) | Generation Reduction
SY - Sequence of events recorder                                  | Mission Critical | Not Compliant     | Fix (Y2K testing required) | Generation Reduction
SY1 - Switchyard Digital Fault Recorder                           | Mission Critical | Not Compliant     | Fix (Y2K testing required) | Generation Reduction
AS - Controller for maintaining auxiliary boiler steam pressure   | Non Rated        | Not Compliant     | Fix (Y2K testing required) | Generation Reduction
TGS - Tagout System                                               | Mission Critical | In Process        | Fix                        | Generation Production
  • FW - The Rosemount Smart Transmitter field programmable device output feeds the calorimetric. Failure could cause a reduction or increase in power generation and thus potentially violate technical specifications.
  • SY Sequence of event recorder - records relay and breaker actuation in the switchyard. These recordings are used in post trip reviews. Without these recordings, a restart following a trip would be extended several days due to the additional trip analysis required. The recorder is date and time aware.
  • SY1 Switchyard digital fault recorder-records voltage and current readings in the switchyard. The data recorded is used for many purposes including post trip analysis. Without these readings, the post trip review could be extended for several days. This recorder also uses the Geographic Position System (GPS) satellite clock.
  • AS - This is a digital controller for maintaining auxiliary boiler steam pressure by modulating steam flow to one of the feedwater heaters during feedwater prewarming for plant startup. The vendor is Fischer & Porter. The Fischer & Porter controllers will be tested via a blackbox approach. An identical spare will be used from the warehouse and tested in the technical support facility. When performing this testing, the tester will confirm that the controllers have the same chip # and the same version #.
  • TGS - The Tagout System stores, manipulates and modifies data associated with the installation and removal of danger, caution, ground and extension control tags in the plant. The current Software Sense Tagout System does not properly recognize the year 2000. This software is a package that is written in DBASE and Clipper. Tests were performed to determine if minor changes to the Tagout System written in DBASE could permit it to function in the year 2000. The tests were successful, therefore, the strategy for Tagout System compliance is to have the vendor make minor changes to the existing system software such that it recognizes and operates in the year 2000.

The following table lists the systems reviewed by the audit team that impact plant trip.



Table 6 - Plant Trip

Millennium Item                                   | Classification   | Millennium Status | Strategy                   | Impact
SUPVSR - Fischer & Porter Supervisor              | Mission Critical | Not Compliant     | Fix (Y2K testing required) | Plant trip
DCS - DCS Operating System                        | Mission Critical | Not Compliant     | Fix (Y2K testing required) | Plant trip
HD - HDTC Heater Drain Tank Level Control         | Mission Critical | Not Compliant     | Fix (Y2K testing required) | Plant trip
SA - SA Intellisys                                | Mission Critical | Not Compliant     | Fix (Y2K testing required) | Plant trip
GSC-COND - GSC Rosemount Conductivity Analyzer    | Mission Critical | Unknown           | Fix                        | Plant trip
MSD - Main Steam Drain                            | Mission Critical | Not Compliant     | Fix (Y2K testing required) | Plant trip
AR - AR-DP Transmitter Pressure Indicators        | Mission Critical | Not Compliant     | Fix (Y2K testing required) | Plant trip
MS - MSRC Moisture Separator Reheater Control     | Mission Control  | Not Compliant     | Fix (Y2K testing required) | Plant trip
CO HOTWELL - Hotwell Level Control                | Mission Control  | Not Compliant     | Fix (Y2K testing)          | Plant trip

SUPVSR - The Fischer & Porter Supervisor uses 53SU5000 Supervisor PC equipment and controls each of the Fischer & Porter digital controllers in the plant. Y2K compliance must be verified.

DCS - DCS Operating System - The field installation and testing of the Y2K compliant software will be completed in the next refueling outage by Foxboro. The simulator software should be installed and tested in the last quarter of 1998.

HD HDTC Heater Drain Tank Level Control equipment is a Fischer & Porter 53MC5000 controller and will be tested by the licensee.

SA Intellisys - The Ingersoll-Rand rotary air compressor is a microprocessor control package which will be tested by the licensee.

GSC-COND - GSC Rosemount conductivity analyzer model 1054BLC-01 is under review by the licensee.

MSD - Main Steam Drain - The moisture separator reheater (MSR) drain tank level is controlled via Fischer & Porter 53MC5000 digital controllers. If the controller fails either the unit will trip on a high MSR shell side water level or a pipe break could occur in the MSR drain tank lines to the condenser. These controllers will be bench tested with identical spares and then field tested during a refueling outage.

AR - AR-DP Transmitter - These Rosemount 1151 DP5 pressure transmitters auto-start the condenser by initiating valve opening. Failure could prevent the auto-start feature from operating. This pressure transmitter will be bench tested.

MS MSRC Moisture Separator Reheater Control - These Fischer & Porter 53MC5000 controllers will be bench tested for Y2K compliance followed by a field test during a refueling outage.

CO HOTWELL Hotwell level control - The Foxboro 1/A Series hotwell level program/function equipment will be included in the DCS operating system installation and testing.

The following table lists the items reviewed by the audit team that have a regulatory requirement impact.



Table 7 - Regulatory Requirement

Millennium Item                                      | Classification    | Millennium Status | Strategy                   | Impact
PAC - Public Address System                          | Mission Critical  | Not Compliant     | Fix (Y2K testing required) | Regulatory Requirement
SM - Seismic Monitoring Software                     | Mission Critical  | Not Compliant     | Fix (Y2K testing required) |
SFD - HG Hand Geometry                               | Business Critical | Not Compliant     | Fix (Y2K testing required) |
NI - Boron Dilution Monitor                          | Mission Critical  | Not Compliant     | Fix (Y2K testing required) |
FP COSENTRY - Carbon Monoxide Gas Monitoring System  | Mission Critical  | Not Compliant     | Fix (Y2K testing required) |
FP - Fire Protection                                 | Mission Critical  | Not Compliant     | Fix (Y2K testing required) |
LPMS - Loose parts - Vibration Monitor               | Mission Critical  | Not Compliant     | Fix (Y2K test required)    |
RAW - RAW-AIX Reactor Analysis Workstation           | Safety Critical   | Compliant         | Accept as is               |
RDMS - RDMS DEC PDP/11 Software                      | Mission Critical  | Not Compliant     | Fix                        |
S3FINC - Fixed Incore Analysis                       | Mission Critical  | Not Compliant     | Fix (Y2K testing required) |

PAC - Public Address System - The PAC system is date/time aware and will be remediated in the 3rd quarter of 1998.

SM Seismic Monitoring Software - The seismic monitor is a new hardware and software package, and will be fully tested. The software performs time/history updating. The vendor (Kinemetrics, Inc.) will be contacted in the last quarter of 1998.

SFD HG Hand Geometry - The hand geometry software package will be changed out. However, the present SFD system, including the hand geometry is being made Y2K compliant as a fallback position against unforeseen delays in delivery of the new system. The testing will be scheduled for the first half of 1999, when the new system is installed. Should the hand geometry software fail, all access to the unit would be via manual means.

NI Boron Dilution Monitor - The Gammametrics Shutdown Monitor RCS-30 does not appear to be date aware. However, several clock functions are used and due to its importance to the plant will be evaluated further.

FP COSENTRY - Carbon Monoxide Gas Monitoring System - The Sierra Monitor Corporation gas monitoring system, SPL5000-8R is date aware in that failure occurs with bad date input. The system will be tested and remediated accordingly.

FP Fire Protection - The Simplex 41000 Fire Protection System has been determined by the vendor to be Y2K compliant. The licensee will verify this determination by testing.

LPMS Loose Parts Vibration Monitoring - The licensee will replace the entire loose parts monitoring system with a pc-based Y2K compliant system. This is a technical specification required system and its inoperability impacts plant operation.

RAW Reactor Analysis Workstation RAW-AIX - The strategy for this item is to accept the statement from IBM that the software is compliant and provide further verification testing using the S3/FINC software to validate this assumption. The product name is AIX, version #4.2, operating system for RS/6000 workstations. (http://www.rs6000.ibm.com/resource/results/year.htm)

RDMS RDMS DEC PDP/11 Software - The RDMS system runs on a Sorrento Electronics DEC/PDP11 platform. The operating system is RSX-11 and the application is written in FORTRAN. This system is not Y2K compliant. The vendor has indicated that they have no plans to make this system Y2K compliant but has identified a work around if the licensee plans to keep the system. The vendor recommended work around is to insert a "dummy" date when data was not being tracked for the year 2000.

S3FINC Fixed Incore Analysis - A contractor has been obtained to perform Y2K testing and verify that the code is Y2K compliant.

Attachment 1

Documents Reviewed

  1. Seabrook Millennium Project Plan Revision 3.0, prepared 9/24/98, submitted 9/24/98, approved 9/24/98, effective 9/25/98
  2. Technical Support Group Instructions, System Engineering Y2K Implementation Plan, TSGI-13 Rev. 00, prepared 9/23/98, approved 9/23/98
  3. Technical Support Group Instructions, Y2K Generic Test Instruction For Embedded Equipment, TSGI-14 Rev. 00 Preliminary Draft, prepared 9/28/98
  4. North Atlantic Information Manual (NAIM)

Attachment 2

Entrance Meeting - September 29, 1998

P. Prugnarola Y2K Sponsor - Information Resources Manager
N. Durand Y2K Project Manager - Information Services Manager
D. Spaulding Electronics Engineer - NRC/NRR/HICB
M. Chiramal Senior Level Advisor - NRC/NRR/HICB
W. A. DiProfio Station Director
J. M. Brand NRC - Region I
M. DeBay Assistant Operations Manager
J. Linville Acting Chem/HP Manager
P. Casey Senior Emergency Planning Coordinator
B. Seymour Security & Safety Manager
J. Sobotka Reg. Compliance Supervisor
G. McDonald Nuclear Oversight Consultant
T. Feigenbaum North Atlantic - CNO
M. Ossing Senior Project Engineer - NAESCO
G. Gram Director Support Services
R. White Mechanical Engineering Manager
J. Watts Sr. Auditor - Audit & Evaluations
B. Drawbridge Director of Services
S. West Tech. Support, Systems Engineering - RM
C. Howard Comp. Eng. Dept. Manager
M. Mills Y2K Embedded Systems Coor.

Exit Meeting - October 1, 1998

M. Ossing North Atlantic
W. A. DiProfio North Atlantic
S. Wooley North Atlantic
J. Sobotka North Atlantic
R. Larson NRC
J. Watts North Atlantic
C. Howard NAESCO
M. Mills NAESCO
D. Spaulding NRC
G. Gram North Atlantic
N. Durand North Atlantic
J. Grillo NAESCO
M. Chiramal NRC

Edited on: 10.12.1998/ad

