05000482/LER-2009-006

1pPLANT CONDITIONS PRIOR TO EVENT

MODE - 1 Power - 100

EVENT DESCRIPTION:

At 1115 CDT on June 30, 2009, a through wall leak on Essential Service Water (ESW) System [EIIS Code: BI] piping just upstream of valve EF HV-038 was identified by shift crew personnel during building watch rounds. The "B" ESW train was declared inoperable based on Technical Requirement TR 3.4.17, "Structural Integrity," and Condition A of LCO 3.7.8, "Essential Service Water (ESW) System," was entered. Required Action Al of LCO 3.7.8 has a Note to enter the applicable Conditions and Required Actions of LCO 3.8.1, "AC Sources — Operating," for a diesel generator (DG) made inoperable by the ESW System. This resulted in the "B" DG [EllS Code: EK] being declared inoperable and entering Condition B of LCO 3.8.1.

Required Action B.3,1 for TS 3.8.1 is to determine if the operable DG is inoperable due to a common cause failure.

Control room personnel utilized procedure SYS KJ-200, "Inoperable Emergency Diesel," when the DG was declared inoperable and determined that a common cause failure did not exist. Step 6.1.5 of SYS KJ-200 specifies to document the evaluation of common cause on the procedure cover sheet. The documented evaluation indicated that "B" DG inoperability was not common cause due to the "B" train ESW being inoperable. At 1202 CDT Required Action B.3.1 was exited. Subsequent discussions with control room staff indicated that a dedicated walkdown after identification of the leak on the "B" train was not performed. This decision was due to the affected location on the "A" train being in the same room and a leak on the "A" train would have been easily observed by the building watch as part of building watch rounds (the leak on "B" ESW train was discovered during building watch rounds).

At 2140 CDT, a structural integrity evaluation utilizing Code Case N-513-2 demonstrated that adequate structural integrity of the "B" ESW train existed. The "B" ESW train and "B" DG were declared operable.

Condition Report (CR) 00018217 was initiated on June 30, 2009 for the identified leak on EF138HBC-30. The structural integrity evaluation was documented in Work Order (WO) 09-318203-002. Five augmented examinations at locations similar in configuration to the identified leak were required based on. Code Case N-513­ 2. The code case requires the augmented examinations to be performed within 30 days. The below table provides information on the five augmented examinations.

Work Order Description Completed Train Results 09-318269 EF081HBC-30 D/S EFHVO37 7/8/09 A acceptable 09-318272 EF081HBC-30 U/S EFHVO37 7/8/09 A acceptable 09-318268 EF223HBC-30 D/S EFV108 7/8/09 A acceptable 09-318271 EF138HBC-30 D/S EFHVO38 7/21/09 B acceptable 09-318270 EF139HBC-30 D/S EFHVO40 7/21/09 B acceptable Subsequent to the restoration of the "B" ESW train and "B" DG on June 30, 2009, the NRC Resident Inspector challenged the adequacy of the common cause failure determination. On November 10, 2009, NRC Inspection Report 2009004 identified a Green noncited violation of Technical Specification 3.8.1 for failure to perform an adequate common cause evaluation within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to demonstrate no common cause failure mechanism existed between the operable and inoperable emergency diesel generators. This event is being reported pursuant to 10 CFR 50.73(a)(2)(i)(B) as a condition prohibited by the plant's TSs based on the NRC Inspection Report 2009004 characterization of the issue as a violation of TSs. WCNOC's denial of the violation has been submitted and based on the NRC's further review and final position, a resolution will be provided in a supplement to this LER.

As identified above, Condition B of LCO 3.8.1 was entered at 1115 CDT due to "B" DG being declared inoperable due to an ESW leak (there was no failure of the DG itself). At 1202 CDT Required Action B.3.1 (24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time) was exited when the common cause failure determination identified there was no common cause failure. The "B" DG was declared operable at 2140 CDT when an evaluation determined that structural integrity of "B" ESW was maintained. If the common cause failure determination was inadequate, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time clock for Required Action B.3.1 would have continued until 1115 CDT on July 1, 2009 or until Condition B was exited. In this case Condition B was exited prior to expiration of the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time of Required Action B.3.1 based on a structural integrity assessment in accordance with Code Case N-513-2. The TS 3.8.1, Required Action B.3.1 and B.3.2 Bases state, in part: "In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> constraint imposed while in Condition B.

LCO 3.0.2 states, in part, "If the LCO is met or is no longer applicable prior to expiration of the specified Completion Time(s), completion of the Required Action(s) is not required unless otherwise stated." There is no Note in Condition B of LCO 3.8.1 that requires Required Action B.3.1 or B.3.2 to be completed whenever Condition B is entered. As such, if the common cause evaluation was inadequate such that the Completion Time clock of Required Actions B.3.1 and B.3.2 continued, the LCO was met prior to the expiration of the specified Completion Times, and completion of Required Actions B.3.1 or B.3.2 is not required. Because the TS requirement to complete a common cause failure determination ceased to exist when operability of the "B",DG was restored within the specified Completion Time of Required Action B.3.1, WCGS remained in compliance with LCO 3.8.1.

WCNOC's review of this event determined that the event did not meet the criteria for reporting under 10 CFR 50.73(a)(2)(v) as an event or condition that could have prevented the fulfillment of a safety function. The "A" DG was operable during the time frame that the "B" DG was inoperable and the "B" DG was restored to operable status prior to the expiration of the Required Action B.3.1 Completion Time. There were no indications that the "A" DG was inoperable and a common cause determination would not have been required by TSs. Therefore, onsite emergency power was available to the plant and would not be reportable under 10 CFR 50.73(a)(2)(v).

CAUSE:

Specific information that was incorporated into the current technical specifications (CTS) (pre-improved TSs (ITS) via Amendment No. 123) and CTS Bases as a result of Amendment No. 101 was not incorporated into the expanded ITS and ITS Bases developed during the conversion to the ITS so as to more closely adhere to standardization. As a result, no changes were made to procedure SYS KJ-200, "Inoperable Emergency Diesel," as the basis for considering there is no common cause failure due to an inoperable support system was maintained.

The bases for this cause is discussed below.

On September 15, 1995, WCNOC submitted a license amendment request proposing to revise TS 3/4.8.1, "Electrical Power Systems — A.C. Sources," in part, based on the guidance in Generic Letter 93-05, "Line-Item Technical Specifications Improvements to Reduce Surveillance Requirements for Testing During Power Operation (Generic Letter 93-05)," and Generic Letter 94-01, "Removal of Accelerated Testing and Special Reporting Requirements for Emergency Diesel Generators (Generic Letter 94-01).

Specifically, Action b. of TS 3.8.1.1 was proposed to be revised as follows:

b.� With one diesel generator of the above required A.C. electrical power sources inoperable, demonstrate the OPERABILITY of the offsite A.C. sources by performing Specification 4.8.1.1.1 within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and at least once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter. Demonstrate the OPERABILITY of the remaining OPERABLE diesel generator by performing Specification 4.8.1.1.2a.4 within 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />s**, unless the absence of any potential common mode failure for the remaining diesel generator is demonstrated, or if the diesel generator became inoperable due to any cause other than an inoperable support system, an independently testable component, preplanned preventative maintenance or testing, or maintenance to correct a condition which, if left uncorrected, would not affect the OPERABILITY of the diesel generator; restore the inoperable diesel generator to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

• - � � - .. -� .. . :

diesel generator.

The amendment request included proposed changes to the CTS Bases to reflect the changes to the CTSs. The changes were proposed based on the guidance in Generic Letter 93-05. Generic Letter 93-05 provided guidance for TS improvements to reduce surveillance requirements for testing based on the results reported in NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements." Specifically item 10.1 in Enclosure 1 of the generic letter recommended changes to the emergency diesel generator surveillance requirements.

Recommendation (1) stated: "When a EDG itself is inoperable (not including a support system or independently testable component), the other EDG(s) should be tested only once (not every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />) and within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> unless the absence of any potential common mode failure can be demonstrated.

This specific change was approved in Amendment No. 101 on August 9, 1996. The Safety Evaluation associated with Amendment No. 101, stated, in part:

The proposed changes are consistent with the recommendations contained in GL 93-05. Also, these changes are in conformance with Action B of TS 3.8.1 of the STS. The GL suggests that when an EDG is inoperable (not including a support system or independently testable component), the other EDG should be tested only once, unless the absence of any potential common mode failure can be demonstrated. Information provided in the STS indicates that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is a reasonable time frame to confirm that the operable EDG is not affected by the same problem as the inoperable EDG. The licensee reports that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is compatible with plant operating experience. Thus, the proposed changes are acceptable.

Note that Section 1.0 of the Safety Evaluation for Amendment No. 101 indicates that the proposed changes would incorporate recommendations and suggestions from GL 93-05; the improved Standard Technical Specifications, NUREG-1431, "Standard Technical Specification — Westinghouse Plants" (STS); and other NRC guidance documents. The wording in the Safety Evaluation indicates that the wording of the STS (NUREG-1431) are such that the common cause failure determination or performing SR 3.8.1.2 for the operable DG are not necessary if the inoperable DG were inoperable due to an inoperable support system, an independently testable component, preplanned preventative maintenance or testing, or maintenance to correct a condition which, if left uncorrected, would not affect the operability of the DG.

WCNOC letter ET 97-0050, dated May 15, 1997, provided the WCGS Technical Specification Conversion Application. The conversion application included a markup of current TS 3.8.1.1 Action b. and removed the associated wording associated with the DG being inoperable due to any cause other than an inoperable support system. The associated discussion of change (DOC 1-05-LS-6) indicates that the change was considered a less restrictive change and the DOC further indicates that the change was based on the guidance in Generic.Letter 84-15 and Generic Letter 93-05. While the expanded wording that was in the CTSs was not incorporated into the ITS or ITS Bases, the justification indicates that the intent of the ITS wording is based on the guidance in Generic Letter 84­ 15 and Generic Letter 93-05 (an inoperable support system that results in the inoperability of the DG is not considered a common cause failure or would not require the performance of SR 3.8.1.2).

ACTIONS TAKEN:

As a result of an additional leak on "B" ESW train on July 27, 2009 and additional discussions with NRC staff on July 28, 2009, direction was provided to control room personnel that when a DG is declared inoperable, for the purposes of meeting LCO 3.8.1, Required Actions B.3.1 or B.3.2, perform SR 3.8.1.2 for the operable DG unless the DG were declared inoperable for preplanned maintenance or testing. Procedure SYS KJ-200 was revised to reflect the guidance provided to control room personnel.

WCNOC submitted a license amendment request (letter WO 09-0039, dated November 20, 2009) that proposed to revise Technical Specification (TS) 3.8.1, "AC Sources — Operating," consistent with the changes previously approved in Amendment No. 101 and with the guidance provided in. Generic Letter 93-05, "Line-Item. Technical Specifications Improvements to Reduce Surveillance Requirements for Testing During Power Operation (Generic Letter 93-05).

SAFETY SIGNIFICANCE:

With one DG inoperable (due to one ESW train inoperable), the remaining operable DG and offsite circuits are adequate to supply electrical power to the onsite class lE AC power distribution system. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the capacity and capability of the remaining ac sources, a reasonable time for repairs, and the low probability of a Design Basis Accident (DBA) occurring during this period. A structural integrity evaluation utilizing Code Case N-513-2 demonstrated that adequate structural integrity of the "B" ESW train existed.

The event did not result in any challenges to the fission product barriers or result in the release of radioactive materials. Therefore, there were no adverse safety consequences or implications as a result of this event and the event did not adversely affect the safe operation of the plant or health and safety of the public.

NRC Inspection Report 2007005 identified a green noncited violation of TS 3.8.1 for failure to perform an adequate common cause failure evaluation within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> when the "A" DG tripped on reverse power on November 1, 2007, and resulted in replacement of the digital reference unit. This noncited violation identified that an evaluation of the "A" DG did not use correct information to explain the observed failure mechanism, and both DGs were susceptible to a 10 CFR Part 21 notification that WCNOC did not evaluate until November 6, 2007.

This event was not the result of an inoperable support system.