IR 05000244/1988026
| ML17261A829 | |
| Person / Time | |
|---|---|
| Site: | Ginna  |
| Issue date: | 01/23/1989 |
| From: | Cowgill C NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION I) |
| To: | |
| Shared Package | |
| ML17261A828 | List: |
| References | |
| 50-244-88-26, NUDOCS 8902010323 | |
| Download: ML17261A829 (22) | |
Text
Licensee Licensee:
U.S.
NUCLEAR REGULATORY COMMISSION
REGION I
50-244/88-26 No.
DPR-18 Pri ority Rochester Gas and Electric Corporation 49 East Avenue Rochester, New York Category C
Facility:
R.
E. Ginna Nuclear Power Plant Location:
Ontario, New York Inspection Conducted:
December 11-21, 1988 Inspectors:
C.
S. Marschall, Senior Resident Inspector, Ginna N. S. Perry, Resident Inspector, Ginna Approved by:
C. J.
Co gill ef, Reactor Projects Section 1A Date
~Summar A~Id:
111
1
rator pressure sensing lines, and actions taken to prevent a Safety Injection Signal (SIS).
Results:
In the areas inspected, three apparent violations were identified: While conducting a plant shutdown, in an attempt to prevent an unnecessary SIS and plant trip, an Unreviewed Safety Question existed during the use of the simulated signal.
Failure of engineering, Plant Operations Review Committee (PORC)
and Ginna Station personnel to insure adequate corrective action for the sensing line freezing in December 1980 constitutes an apparent violation of requirements for corrective action to prevent recurrence of an equipment failure.
Restoring the bi stables for PT-479 is prohibited by procedure P-l, Reactor Control and Protection S stem.
The plant was operated in a questionable status for approximately seven-and-a-half minutes; the safety significance of operating the plant in this status was small in this instance; however, blocking protective functions when not in an emergency is a practice which lacks procedural or regulatory basis.
Procedure A-54.4. 1, Cold Weather Walkdown and ventilation conditions in several areas of plant were inadequate to insure equipment operability in this instance; the integrity of PT-479 and PT-483 sensing lines remains unresolved.
Inspection revealed a notable strength in the safety perspective exhibited by shift personnel; shift personnel initially complied with Technical Specification (TS)
requirements until it became apparent an unnecessary SIS was imminent.
However, no authority existed to deviate from the TS.
Further, a procedural weakness was identified in procedure A-52. 1.
89020'3 ggo 3 890gpg
~N 0S000~q I'Nu
i
DETAILS Persons Contacted During this inspection period, inspectors held discussions with and inter-viewed operators, technicians, engineers and supervisory level personnel.
The following people were among those contacted:
S.
Adams, Technical Manager R. Elias, Senior Nuclear Engineer D. Gomez, Reactor Operator R. Mecredy, General Manager, Nuclear President D. Peterson, Shift Foreman T. Schuler, Operations Manager M. Sexton, Shift Supervisor L. Smith, Operations Supervisor R. Smith, Vice President, Production and Engineering S. Spector, Plant Manager, Ginna Station J. Widay, Superintendent, Ginna Production P. Wilkens, Director, Nuclear Engineering Services G. Wrobel, Manager of Nuclear Safety and Licensing Conditions Prior to Event Prior to the event on December ll, 1988, the plant was operating at full power.
All required plant equipment was operable, except the turbine driven auxiliary feedwater pump, out of service for work on the check valves to each feedwater li'ne; one flowpath from the pump was lined up, and the other had one manual isolation valve shut.
Se uence of Events Pressure in the B Steam Generator is monitored by three instruments, PT-478, PT-479 and PT-483.
The instruments provide an alarm only function on high pressure (1050 psig setpoint)
and protective function on low pressure (514 psig setpoint).
A Safety Injection Signal (SIS), designed to provide protec-tion on a Main Steam Line Break (MSLB) occurs with any two-out-of-three in-struments at the 514 psig setpoint.
The A S/G is similarly instrumented.
On December 11, 1988 at ll:24 A'.M., with the plant at full power, the B main steam line pressure channel PT-479 drifted and remained high.
Operators tripped the associated bistables as required by Technical Specification (TS) 3.5.2 per procedure ER-INST-1 five minutes later.
At ll:44 A.M. the B main steam line pressure channel PT-483 pegged high.
Operators suspected common mode freezing and dispatched personnel to the intermediate building to inves-tigate.
The area near the pressure transmitters was very cold; actions were
,taken to close outside air dampers tightly and supply heat to the area.
Ad-ditionally, Instrumentation and Control (18C) technicians were called in.
Indication for PT-479 started decreasing, and at 12:30 P.M., operators started decreasing load at 20 percent per hour to comply with TS 3.5:2 which requires
the plant to be in Hot Shutdown within six hours of the second channel failure.
Indication for PT-479 continued decreasing and was below actual steam line pressure.
PT-483 indication started trending down (see Figure),
and fearing an eventual unwanted SIS and reactor trip, at 12:55 P.M.,
I&C technicians were instructed by the Shift Supervisor (SS) to inject a simulated, normal operating signal for PT-479.
Injecting a signal into PT-483 would have satisfied the logic for an SIS if its bistables tripped while inserting the signal; therefore PT-,
479, with its bistables already tripped was chosen for the simulated signal.
It was apparent to all in the control room that an SIS was not required nor desired at the time.
The SS, in conjunction with the Shift Technical Advisor (STA) decided to wait until indication for PT-483 decreased below 600 psig before restoring the bistables for PT-479 (SIS setpoint is 514 psig).
The PT-479 bistables were restored at 1: 17 P.M.
and operators tripped the PT-483 bistables at 1:25 P.M.
I&C technicians thawed the frozen sensing lines, cali-
.
brated PT-483 and operators declared PT-483 operable at 2:28 P.N.
Load re-duction was halted at 2:28 P.M. with power at approximately 63 percent, and operators started increasing load at 3:00 P..M.
PT-479 was declared operable at 3:22 P.M. after ILC technicians verified its calibration.
Protective Instrumentation Limitin Conditions for 0 eration After the first B steam generator pressure channel (PT-479) failed, 'the opera-tors declared, the channel inoperable and placed it in the tripped position within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> as required by TS 3'.2.
Technical Specifications allow opera-tion to proceed with one channel inoperable until the next Channel Functional Test with the inoperable channel in the tripped position.
Operators called in I&C technicians to troubleshoot PT-479.
When the second B steam generator pressure channel (PT-483) failed, the number of o'perable channels was less than the Minimum Operable Channels required by TS table 3.5-2.
Operators commenced a plant shutdown at 20 percent per hour to be in Hot Shutdown within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> of the second failure as directed by TS 3.5.2 '
When both channels were.observed trending downward, operators became concerned an SIS would re-sult.'fter verifying an SIS was not needed by checking other indications in the control room, the SS decided to take actions to prevent an undesired SIS from occurring.
A signal was injected.by ILC technicians into channel 479 simulating a normal pressure condition; actual output from PT-479 had already decreased below the SIS trip setpoint (514 psig).
If the output of PT-483 had decreased below the SIS trip setpoint with PT-479 bistables
'in the trip condition, an actual SIS'ould occur followed immediately by a plant trip.
When output from PT-483 decreased to a value slightly above the SIS trip setpoint, operators restored PT-479 by placing its associated bistables to the normal mode position; this action occurred approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 53 minutes after PT-479 failed.
Technical Specification 3.5.2 requires-operability of the Engineered Safety Feature Actuation System Instrumentation during plant operation.
By design, sufficient redundancy is provided to preserve the system's effectiveness when
any one or two of the channels is inoperable.
Placing a channel's bistables in the tripped mode when any one or two of the channels is inoperable, causes a two-out-of-three circuit logic to become a one-out-of-two or a one-out-of-one circuit logic, respectively; system operability is maintained.
Mhen operators restored the PT-479 bistables with the simulated signal in place, they rendered the system inoperable:
an actual low pressure condition would not have resulted in protective action from this system, since only one set'PT-478)
of bistables would have been tripped.
This action is not explicitly permitted nor prohibited by Technical Specification 3.5.2.
In addition, pro-cedure P-l, Reactor Control and Protection S stems, revision 44, effective December 1,
1988, step 2. 11.2 requires, in part, when reactor trip and safe-guards actuation channels are out of service for any reason, the channels shall be placed in the trip mode.
This is an apparent violation (VIO 50-244/
88"26-01).
Actions b Shift Personnel As a result of the unique situation, some actions were taken by shift person-
.-nel without procedural guidance.;
insufficient 'time was available,to convene the Plant Operations Review Committee (PORC) to insure adequate safety review of the events and actions planned by shift personnel.
Nevertheless, assess-ment of PT-479 and PT-483 failures was accurate.
Operator action to block the protective function of PT-479 was taken to prevent an unnecessary plant transient (SIS), not to maintain the plant at power; the plant was being shut down at a rate of 20 percent an hour after the failure of PT-483.
The plant was at about 90:,'ower when the signal was simulated.
All.shift personnel were aware of a vulnerability to a
MSLB on the B Steam Generator during the period between restoration of PT-479 and tripping the bistables associated with PT-483; during the period all shift personnel closely monitored other parameters which would be indicative oF a
MSLB including PT-478, stea
~ flow,
.feed flow and level for the B Steam Generator and containment pressure.
Al-though at least one Senior Reactor Operator (SRO)
and one Reactor Operator (RO) believed restoring the PT-479 bistables constituted a violation of the TS requirement to trip the bistables within one hour, the SS, STA, and Plant Superintendent did not consider restoring the bistables a violation of Tech-nical Specification (discussed in more detail in section 4 above);
the SRO and RO considered action to prevent an unnecessary transient appropriate.
Actions taken to comply with Limiting Conditions for Operations and the pri-mary concern for plant safety as opposed to remaining at power is an indica-tion of a positive safety perspective of shift personnel, and is a licensee strength.
However, important considerations missed by shift personnel are discussed in section 4, above, and sections 6 through 9 below.
Authorit to Deviate From Technical S ecifications Shift personnel had no procedural guidance providing use of simulated signals to block a protective function.
During an interview, the SS referenced Ad-ministrative procedure A-52. 1, Shift Or anization and Res onsibi lities, r e-vision 25, section 3.5.2, which states:
Any active licensed RO or SRO on-shift has the authority and responsibility to perform whatever proper actions
are requirecL to lim'it operation of the plant, shutdown the plant and minimize releases to the environment, in the event of abnormal'r emergency conditions" and section 3.5.3, which states:
"In the event that an active component of a safeguard system must be overridden during a plant transient condition which is not directed by an approved procedure, two active licensed ROs and/or SROs shall agree on the action prior to action initiation."
Although these sec-tions bear close similarity to
CFR 50.54 (x) and (y), important differences exist: (1)
CFR 50.54 (x) permits departure from a license condition or technical specification only in an emergency when this action is immediately needed to protect the public health and safety and no action consistent with license conditions and technical specifications that can provide adequate or equivalent protection is immediately apparent; (2)
CFR 50.54 (y) requires action under
CFR 50.54 (x) be approved, as a minimum, by a licensed senior operator prior to taking action.
Procedure A-52. 1 provides inadequate guidance to operators on the authority to depart from Technical Specifications or license requirements.
Licensee actions-'o correct the procedural weakness will be reviewed in a future in-spection report.
Plant 0 eration With a Simulated Si nal A simulated signal was not.inserted for PT-483 because the Shift Supervisor, after discussion with the Station 18C Foreman, concluded-there was a risk 'of tripping the bistables and generating the SIS while inserting the signal, al-though a signal. probably could have been inserted for PT-483 without causing the bistables to trip.
Inserting the signal for PT-483 would have allowed the PT-479 bistables to remain tripped; in this configuration, an actual steam line break associated with the B Steam Generator would have caused PT-478, still operable, to trip on low pressure, completing the two-out-of-three logic required for an SIS.
In the configuration actually used, shift personnel for a period of time blocked an SIS by insertirig the signal for PT-479, restoring its bistables and failing to trip the PT-483 bistables for a period of ap-proximately seven-and-a-half minutes.
During this time a
steam line break associated with the B Steam Generator would have caused PT-478 to trip; how-ever, as a result of the.simulated signal for PT-479 and frozen sensing line on PT-483, an SIS would not have been generated by low steam generator pres-sure as assumed in Chapter 9 of the Updated Final Safety Analysis Report (UFSAR).
In blocking SIS on low steam generator pressure, shift personnel took action causing plant operation in a condition different from that an-alyzed in the UFSAR.
This action was taken while the plant was in an orderly power decrease.
At the request of the inspectors, corporate engineers determined an SIS would be generated by pressurizer low pressure on a
MSLB 0. 1 seconds after the SIS normally generated by steam generator low pressure, for the worst case.
Since no significant change in, the effects of a MSLB is anticipated as a result of rendering steam generator pressure instrumentation inoperable, the safety sig-nificance of the use of a simulated signal is small for this particular in-stanc However, the practice of using simulated signals to block protective functions raises significant safety concerns, and must be considered more fully and carefully.
Acceptance of this practice places inordinate responsibility on operators to choose, without guidance for each and every situation, whether it is appropriate to block protective functions to avoid apparently unneces-sary transients.
Barring the conditions of 10 CFR 50.54 (x), preventing a
transient which the plant has been designed to withstand, based on time-short information which may be incomplete or inaccurate, should not be a decision made by operators alone.
This is discussed in the section which follows.
Modification of the Plant as described in the UFSAR Protective instrumentation at Ginna, including the pressure instruments on the steam generators, was designed to function without the use of a simulated signal to block protective functions.
Injection of a signal constitutes a
change to the facility as described in the UFSAR, and therefore requires a
review as described in
CFR 50.59 to determine whether an unreviewed safety question exists, prior to installation of the modification.
The basis for Technical Specification 3.5.2 states, in part: Reactor safety is provided by the Reactor Protection System, which automatically initiates appropriate action to prevent exceeding established limits.
Safety is not compromised, however, by continuing operation with certain instrumentation channels inoperable since provisions were made for this in the plant design and TS.
The removal of one trip channel is accomplished by placing that channel bistable in a tripped mode; e.g.,
a two-out-of-three circuit becomes a one-out-of-two circuit.
Use of a simulated signal to block the function of protective instrumentation is action beyond the assumptions of TS and the UFSAR, constitutes a reduction, however small, in the margin of safety as defined in the basis for TS 3.5.2 and therefore constitutes an unreviewed safety question.
CFR 50.59 re-quires, in part, prior Commission approval for a change to the facility which involves an unreviewed safety question.
On December 11, 1988, licensee per-sonnel installed a modification to the facility involving an unreviewed safety question without prior Commission approval.
This is an apparent violation (VIO 50-244/88-26-02).
At the conclusion of the inspection period, the licensee had not yet performed a review as required by 10 CFR 50.59.
Licensee evaluation of the use of a simulated signal will be reviewed in a future inspection report.
Instrument Line Freezin The immediate cause of the events on December 11, 1988, was depressed tempera-ture in the intermediate building, the location of PT-479 and PT-483.
On the day of the failure, eleven tours of mean length 8.38 minutes were made of'in-termediate building prior to the lines freezing.
One of the seven tours by operations personnel was to perform Administrative procedure A-54.4. 1, Cold Meather Malkdown Procedure, revision 4, effective February 20, 1988.
The
procedure requires the area of the intermediate building where the frozen instrument lines were located to be checked to insure all unit heaters in auto and operabTe, and exhaust fans, vents and louvers are closed, as required.
The auxiliary operator performing A-54.4. 1 closed an open outside ventilation access door near the instrument lines more than nine hours prior to the first instrument line failure; area heaters were functioning normally.
To understand prior history, the inspector examined two documented situations, an NRC Bulletin and a Ginna plant event.
This led to a realization that pre-vious corrective actions had not been effective in preventing the event of December 11, 1988.
In 1979 the NRC issued IE Bulletin 79-24, Frozen Lines, which required, in part, all licensees review their plants to determine if adequate protective measures had been taken to assure safety-related process, instrument and sampling lines do not freeze during extremely cold weather.
Licensee re-sponse
.to IEB 79-24 stated all instrument lines were within heated buildings and were therefore adequately protected.
At 7:34 A.M. on December 5,
1980, the sensing lines for PT-479 froze; I&C technicians thawed the frozen line.
PT-479 froze again at 8:20 A.M., causing sensing line failure as a result of freezing; maintenance personnel replaced the failed line and added insulation.
At 8:00 P.M.
a sensing line in the Main Feedwater (MFW) pump room froze causing a condensate
.bypass valve to open, initiating a transient in the condensate system; maintenance closed an open window in the MFW pump room to allow the Net Positive Suction Head (NPSH)
cabinet to warm up and the lines to thaw..
In a subsequent review of the eVents, PORC determined there were no TS violations or potential safety haz-ards, and no further action was required.
CFR 50, Appendix B requires correction of conditions adverse to quality.
The Ginna guality Assurance Manual, section 16, Corrective Action, paragraph "'
2.0 requires, in part, engineering identify, report, and correct conditions adverse to quality, Ginna Station correct conditions adverse to quality, and PORC recommend interim corrective actions.
Contrary to the requirements of the guality Assurance Manual, corrective actions for the problem of frozen lines identified by the NRC Bulletin and the frozen sensing lines on December 5,
1980 were inadequate to prevent sensing line failure on December 11, 1988.
This is an apparent violation (VIO 50-244/88-26-03).
Licensee corrective actions for the December ll, 1988 event to prevent future line freezing include revising A-54.4. 1 to include more guidance, placing plywood over openings in the intermediate building which were not tightly sealed, and submitting a trouble card for permanent resolution of the problem.
At the end of the inspection period, the licensee had plans to take measure-ments of the PT-479 and PT-483 sensing lines to determine if damage had been suffered as a result of freezing; however, the instruments were considered operable despite the questionable quality of the lines, and no measurements have been taken by the licensee since the December 11, 1988 freezin i
As discussed above, licensee corrective action in response to frozen lines in December 1980, was inadequate to prevent recurrence of freezing instrument lines; it appears the root cause of the frozen lines in December 1980 was not addressed by members of PORC, licensee engineers, or Ginna Station personnel.
Procedure A-S4.4. 1 was inadequate to insure plant protection during cold weather operation.
Additionally, ventilation in several areas of the plant is inadequate to insure heating and cooling as required for proper equipment operation.
Inspectors will follow licensee action to improve procedure A-54.4. 1 and to insure integrity of PT-479 and PT-483 sensing lines.
The licensee action regarding integrity of the sensing lines is an unresolved issue (UNR 50-244/88-26-04).
10.
~Summar The Special Inspection into the events of December 11, 1988, revealed a not-able strength in the safety perspective exhibited by shift personnel; shift personnel initially complied with TS requirements until it became apparent an unnecessary SIS was imminent.
While conducting a plant shutdown, in an attempt to prevent an unneces'sary SIS and'plant trip, actions not explicitly permitted nor prohibited by TS 3.5.2 but contrary to procedure P-1 were taken when the PT-479 bistables were restored with a simulated signal inserted:
The plant was operated in a questionable manner.
The safety significance is small in this instance, however, the practice of using simulated signals to block protective functions raises significant safety concerns, and must be considered more fully and carefully.
Acceptance of this practice would place inordinate responsibility on operators to choose, without guidance for each and every situation, when it. is appropriate to block protective functions to avoid apparently unnecessary transients.
Barring the conditions of 10 CFR 50.54 (x), preventing a transient which the plant has been designed to with-stand, based on time-short information which may be incomplete or inaccurate, should not be a decision made by operators alone.
An Unreviewed Safety ques-tion existed during the use of the simulated signal; the licensee had not done a review as required by
CFR 50.59.
Failure of engineering, Plant Opera-tions Review Committee and Ginna Station personnel to insure adequate correc-tive action for the sensing line freezing in December 1980 constitutes an apparent violation of regulatory requirements and the Ginna guality Assurance manual requirements for. corrective action to prevent recurrence of an equip-ment failure.
Procedure A-54.4. 1, Cold Weather Walkdown and several areas of plant ventilation were inadequate to insure equipment operability; the integrity of PT-479 and PT-483 sensing lines remains questionabl TABLE 1 SE UENCE OF EVENTS R.
E.
GINNA DECEMBER
1988 SOURCE EVENT 11:24:00 11:24:06 11:29:50 11:44:45 11:46:42 12:30:00 12:46:48 12:55:04 13:17:33 13:25:15 13:41:08 Main Control Room Log Alarm Report*
Alarm Report*
Alarm Report*
Alarm Report Main Control Room Log Alarm Report" Alarm Report*
Alarm Report*
Alarm Report*
Alarm Report*
Plant power was 100 percent; turbine driven auxiliary feedwater pump was out of service.
'8'team line pressure channel (PT-479)
failed highs Operators tripped the bistables for PT-479'er procedure ER-INST. 1
'B'ain steam line pressure channel (PT-483) failed high.
PT-479 started trending down.
Operators started decreasing load at about 20 percent per hour per Technical Specifi-cation.
PT-483 started trending down.
Instrumentation and Control (IAC) techni-cians inserted a simulated, normal full power signal for PT-479
'perators restored bistables for PT-479.
Operators tripped the bistables for PT-483 per ER-INST. l.
IKC technicians thawed frozen instr'ument line for PT-483 and indication returned to normal.
14:27:35 14:28:00 Alarm Report Main Control Room Log I&C technicians completed calibration pro-cedure (CP-483)
and restored bistables for PT-483.
Operators declared PT-483 operable and stopped the plant load reduction; plant power was 63 percen TIME 14:42:02 15:00:00 15:10:20 SOURCE Alarm Report*
Main Control Room Log Alarm Report" EVENT I&C technicians tripped the bistables for PT-479 per calibration procedure (CP-479).
Operators started increasing load.
18C technicians completed calibration pro-cedure (CP-479)
and restored bistables for PT-479.
15:22:00 Main Control Room Log Operators declared PT-479 operable.
- Main Plant Computer Data
200 GlNNA EVENT OF DECEMBER 1 1, 1 988 FROZEN PRESUURE SENSING LINES LEGEND 168 SIMULATED SIONAL Q4SERTED F OWER I
PT-4!8 I
1S2 136 120I 104
40 1 2:30 1 2:55 13:1 7 1 3:25 1 4:28 1 4:42 1 5:OO 1 5:22 nME NON-UNEAR SCALE