IR 05000269/2018090
| ML18352A630 | |
| Person / Time | |
|---|---|
| Site: | Oconee  |
| Issue date: | 12/18/2018 |
| From: | Omar Lopez-Santiago NRC/RGN-II/DRS/EB1 |
| To: | Burchfield J Duke Energy Carolinas |
| References | |
| EA-18-036 IR 2018090 | |
| Download: ML18352A630 (22) | |
Text
UNITED STATES December 18, 2018
SUBJECT:
REISSUE - OCONEE NUCLEAR STATION - NRC INSPECTION REPORT 05000269/2018090, 05000270/2018090, AND 05000287/2018090
Dear Mr. Burchfield:
On December 6, 2018, the U.S. Nuclear regulatory Commission (NRC) issued the NRC Inspection Report for the Oconee Nuclear Station, which was memorialized as Agencywide Documents Access and Management System Accession Number: ML18340A172. In reviewing this report, an administrative error was identified regarding the assigned violation numbers.
Specifically, the referenced Green NCV number in the report was incorrectly identified as 05000269, 270, and 287/2018090-01, should have been Green NCV number 05000269, 270, 287/2018013-01. In addition, the Severity Level IV NCV Number in the report was incorrectly identified as 05000269, 270, 287/2018090-02, and should have been Severity Level IV NCV Number 05000269, 270, 287/2018013-02. Therefore, for the sake of clarity, we are re-issuing the entire report. We request that you disregard the previous information and replace the previous cover letter and report with this report in its entirety.
For administrative purposes, this letter is issued as NRC Inspection Report 05000269/2018090, 05000270/2018090 and 287/2018090. Accordingly the apparent violations (AVs) documented in NRC Inspection Report 05000269/2018013, 05000270/2018013 and 05000287/2018013 (ML18117A477) are designated as Non-cited Violations (NCVs).
This letter, its enclosure, and your response (if any) will be made available for public inspection and copying at http://www.nrc.gov/reading-rm/adams.html and at the NRC Public Document Room in accordance with 10 CFR 2.390, Public Inspections, Exemptions, Requests for Withholding.
Sincerely,
/RA/
Omar López-Santiago, Chief Engineering Branch 1 Division of Reactor Safety Docket Nos. 50-269, 50-270, 50-287 License Nos. DPR-38, DPR-47, DPR-55
Enclosures:
1. Reissued Cover Letter 2. Reissued Inspection Report 05000269/2018090, 05000270/2018090, and 05000287/2018090 w/Attachment: Supplementary Information, TIA 2014-05 ADAMS (ADAMS A
Inspection Report
Docket Nos: 50-269, 50-270, and 50-287 License Nos: DPR-38, DPR-47, DPR-55 Report Nos: 05000269/2018090, 05000270/2018090, and 05000287/2018090 Enterprise Identifier: I-2018-090-0003 Licensee: Duke Energy Carolinas, LLC Facility: Oconee Nuclear Station, Units 1, 2, and 3 Location: Seneca, SC 29672 Inspection Dates: March 7 - 12, 2018 Inspector: T. Fanelli, Senior Reactor Inspector Approved By: Omar López- Santiago, Chief Engineering Branch 1 Division of Reactor Safety Enclosure 2
SUMMARY
The U.S. Nuclear Regulatory Commission (NRC) continued monitoring licensees performance by conducting a follow up inspection of an unresolved item identified in inspection report 05000269, 270, 287/2014007 at Oconee Nuclear Station Units 1, 2, and 3, in accordance with the Reactor Oversight Process. The Reactor Oversight Process is the NRCs program for overseeing the safe operation of commercial nuclear power reactors. Refer to https://www.nrc.gov/reactors/operating/oversight.html for more information. NRC-identified findings and violations are summarized in the tables below.
List of Findings and Violations Failure to Translate Design and Licensing Basis Requirements and Verify Adequate Design Cornerstone Significance Cross-cutting Report Aspect Section Initiating Events Green None 71111.21 NCV 05000269, 270, 287/2018013-01 Component Closed Design Basis Inspection The NRC identified two examples of a Green finding and associated NCV of 10 CFR 50,
Appendix B, Criterion III, for the licensees failure to translate the site design requirements specified in the site specific design and licensing basis into specifications used to design and install modifications associated with the site protection systems1 and for the licensees failure to verify that the same modifications met the design basis in the UFSAR2. Specifically, the licensee exposed common Class 1E direct current (DC) system trains (power and control) for the three Oconee units to potentially damaging high voltages by re-locating the common trains adjacent to and parallel with the onsite alternating current (AC) power distribution system cables. The configuration was not consistent with Oconees design requirements described in IEEE 279-19683 and the single failure design requirements described in IEEE 279-19714.
For purposes of the IEEE 279 criteria, the nuclear power generating station protection system encompasses all electric and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating those signals associated with the protective function. These signals include those that actuate reactor trip and that, in the event of a serious reactor accident, actuate engineered safeguards such as containment isolation, core spray, safety injection, pressure reduction, and air cleaning. This IEEE 279 scope is considered to cover sensors and transducers, the devices that control actuators (control rods, valves, pumps, etc.), and everything in between. In accordance with the Atomic Energy Commission (AEC) position in the 1968 publication from the Oak Ridge National Lab (ORNL) Nuclear Safety Information Center (NSIC), ORNL-NSIC-51, Design Principles of Reactor Protection Instrument Systems. Section 2.1.
Updated Final Analysis Report (UFSAR) Oconee, Units 1, 2, and 3 Final Safety Analysis Report for Facility, dated 12/29/1970,
Volume 2. (ADAMS Accession No. ML12268A123)
IEEE 279-1968, Proposed IEEE Criteria for Nuclear Power Plant Protection Systems
IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations
Failure to Submit for License Review and Obtain a License Amendment for Modifications Approval Cornerstone Severity Cross-cutting Report Aspect Section Not Applicable Severity Level IV Not Applicable 71111.21 NCV 05000269, 270, 287/2018013-02 Component Closed Design Basis Inspection The NRC identified an NCV of Title 10 of the Code of Federal Regulations part 50.59(c)(2),
Changes, tests and experiments, for the failure to submit a plant modification for license review and obtain a license amendment for a change that resulted in more than a minimal increase in the likelihood of occurrence of DC protection system malfunctions and a departure from methods for protection system single failure analysis as described in the FSAR.
Specifically, the violation was associated with engineering changes (ECs), EC91880, Keowee Emergency-start Cable, Revision 24, and EC91875, Keowee AC Power Supply Tie-Ins,
Revision 15, and EC91874, 13.8 KV Feed To PSW System from 100 KV APS, Rev. 7.
INSPECTION SCOPE
Inspections were conducted using the appropriate portions of the inspection procedure (IP) in effect at the beginning of the inspection unless otherwise noted. Currently approved IPs with their attached revision histories are located on the public website at http://www.nrc.gov/reading-rm/doc-collections/insp-manual/inspection-procedure/index.html. The team reviewed selected procedures and records, observed activities, performed walk downs, and interviewed personnel to assess licensee performance and compliance with Commission rules and regulations, license conditions, site procedures, and standards.
REACTOR SAFETY
==71111.21 - Component Design Bases Inspection (Team)
The team evaluated the following components, permanent modifications during the weeks of February 10, 2014 to May 9, 2014 and March 9, 2018 to July 18, 2018.
Component==
- (1) Keowee Emergency-start Logic
(2) 125 volt direct current (Vdc) Vital I&C Batteries (Units 1, 2, and 3) Permanent Modification
- (1) Emergency Power Cable Replacement (Trench 3)
- (2) Protected Service Water (PSW) Modifications
- (3) Tornado / High Energy Line Break (HELB) Modification
INSPECTION RESULTS
Failure to Translate Design and Licensing Basis Requirements and Verify Adequate Design Cornerstone Significance Cross-cutting Report Aspect Section Initiating Events Green None 71111.21 NCV 05000269, 270, 287/2018013-01 Component Closed Design Basis Inspection The NRC identified two examples of a Green finding and associated NCV of 10 CFR 50, Appendix B, Criterion III, for the licensees failure to translate the site design requirements specified in the site specific design and licensing basis into specifications used to design and install modifications associated with the site protection systems1 and for the licensees failure to verify that the same modifications met the design basis in the UFSAR2. Specifically, the licensee exposed common Class 1E direct current (DC) system trains (power and control) for the three Oconee units to potentially damaging high voltages by re-locating the common trains adjacent to and parallel with the onsite alternating current (AC) power distribution system cables. The configuration was not consistent with Oconees design requirements described in IEEE 279-19683 and the single failure design requirements described in IEEE 279-19714.
Description:
This NCV was previously described as an Apparent Violation (AV) 05000269, 270, 287/2018013-01, Failure to Translate Design and Licensing Basis Requirements and Verify Adequate Design, (EA-18-036) in inspection report 05000269/2018013, 05000270/2018013, and 05000287/2018013, and is further described below. Site modifications installed the Protected Service Water (PSW) System which was implemented to meet 10 CFR 50.48(c)5, and additional design changes were implemented that relocated protection system cabling to mitigate vulnerabilities associated with tornados and high-energy line breaks (HELBs). The team reviewed multiple design change packages for these modifications to determine if the new designs maintained the original design and licensing basis requirements. The team observed that the design changes interconnected new and old cable raceway systems around the site together, that in effect, created one very long common raceway with many branches to various parts of the Oconee power station. Design change package NSM ON-530656,7 installed a raceway that connected the Oconee CT4 blockhouse to the Keowee Hydro Station (Trench 3, 4000 feet), which is the onsite emergency underground power source to the three Oconee units. The design change packages that installed the PSW systems and tornado/HELB modifications (EC 91870, EC 91873, EC 91880, and EC 91881)8 For purposes of the IEEE 279 criteria, the nuclear power generating station protection system encompasses all electric and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating those signals associated with the protective function. These signals include those that actuate reactor trip and that, in the event of a serious reactor accident, actuate engineered safeguards such as containment isolation, core spray, safety injection, pressure reduction, and air cleaning. This IEEE 279 scope is considered to cover sensors and transducers, the devices that control actuators (control rods, valves, pumps, etc.), and everything in between. In accordance with the Atomic Energy Commission (AEC) position in the 1968 publication from the Oak Ridge National Lab (ORNL) Nuclear Safety Information Center (NSIC), ORNL-NSIC-51, Design Principles of Reactor Protection Instrument Systems. Section 2.1.
Updated Final Analysis Report (UFSAR) Oconee, Units 1, 2, and 3 Final Safety Analysis Report for Facility, dated 12/29/1970, Volume 2. (ADAMS Accession No. ML12268A123)
IEEE 279-1968, Proposed IEEE Criteria for Nuclear Power Plant Protection Systems IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations NRC issued Amendment Nos. 371, 373, and 372 to Renewed Facility Operating Licenses DPR-38, DPR-47, and DPR-55, for the Oconee Nuclear Station, Units 1, 2, and 3, respectively (ML103630612). The amendments consisted of changes to the licenses and Technical Specifications (TSs) to allow you to maintain a fire protection program (FPP) in accordance with 10 CFR 50.48(c).
NSM ON-53065, Replace Underground Power, Aux. Power & Control Cables from Keowee to Oconee Nuclear Station, Rev. 1 K-0904-A Sections and Details Pre-Fab Concrete Trench #3, Rev. 0 Engineering Change (EC) 91870 PSW Building - This package installs the new PSW building which has been designed. This building will house all the PSW equipment required for the PSW project. The PSW equipment will provide the electrical power for installed a new raceway (PSW duct bank, 1800 feet) to connect to Trench 3 in order to establish a raceway from the PSW system to the Keowee Hydro Station. In between the PSW building and trench 3, the PSW duct bank intersected two original raceways that connected the CT4 blockhouse to the switchyard (SY) relay house (SY trenches, 700 feet). Ultimately, the design changes installed the cabling systems for the protection systems over the length of the various raceways adjacent to high-voltage AC power that is capable of high power short circuit currents. The cabling of concern included protection systems, Class 1E9 AC power and DC, and non-Class 1E AC power and DC.
The Oconee UFSAR, since 1970, established in Chapter 7, that the protection systems shall be designed to meet the intent of Standard IEEE-279. Additionally, prior to the issuance of the provisional construction permit, the Oconee construction application10 specified that the site protection systems would be designed and built in accordance with IEEE 279-1968. In addition, in 1976 as part of the emergency core cooling system analysis to meet an NRC Order associated with 10 CFR 50.4611, Oconee committed to the single failure requirements in IEEE 279-197112. The team noted that these requirements were stated in Sections 4.2, Single Failure Criterion, 4.7, Control and Protection System Interaction, 4.11, Channel Bypass or Removal from Operation, and 4.17, Manual Initiation. From these requirements, it was noted that the licensee failed to perform various analyses to verify the safety-related functional performance and reliability of protection systems over the full range of electrical transients and malfunctions expected due to the electrical design changes in modifications NSM ON-53065, EC 91870, EC 91873, EC 91880, and EC 91881. As a result, the design changes introduced multiple hazards from unanalyzed single failures.
The team reviewed the design specifications used for the design changes to determine if the protection system design requirements were consistent with Oconees licensing bases as required by 10 CFR 50.55a(h). The teams review determined that the licensee did not implement the requirements of 10 CFR 50, Appendix B, Criterion III, as described in the following examples.
the alternate feeds to the manual transfer switches.
EC 91873 PSW Power Feed Installation - This package installs the 600 VAC MCC in the Aux Building that provides the alternate feed to the automatic transfer switches.
EC91880 Keowee Emergency-start Cable -this package used cables installed by NSM 53065 which originate in Keowee (KHU-1 &
KHU-2) and are terminated in the [CT4] Blockhouse termination cabinets (KHU-1A & KHU-2A). EC91880 installs new cables from Blockhouse termination cabinets KHU-1A & KHU-2A to Aux Building via new PSW building and Keowee terminal cabinets KHU-1B & KHU-2B located in the Unit 3 Aux Building 783 Elevation.
EC 91881 Ductbank - This package installs all the ductbank required for the PSW project cables.
Class 1E - The safety classification of the electric equipment and systems that are essential to emergency reactor shutdown, containment isolation, reactor core cooling, and containment and reactor heat removal, or are otherwise essential in preventing significant release of radioactive material to the environment. Note: For the purposes of this report, the terms Class 1E and safety-related for electrical systems are interchangeable.
In Duke Power Company Amendment No. 1 to Application for Licenses Docket No s. 50-269 50-270 to the Oconee construction application dated April 1, 1967 prior to the issuance of construction permits November 6, 1967, Oconee stated conformance to the Proposed IEEE Criteria for Nuclear Power Plant Protection Systems, (ADAMS Accession No. ML15215A125).
10 CFR 50.46, Acceptance criteria for emergency core cooling systems for light-water nuclearpower reactors Order for Modification of License for the Oconee Nuclear Power Station Units 1, 2, and 3 pertaining to your proposed Technical Specifications which were submitted pursuant to Section 50.46 and Appendix K of 10 CFR Part 50. Dated 12/27/1974 (ADAMS Accession No. ML15216A221)
Response to Mr. R. A. Purple's request for additional information regarding the ECCS analysis for the Oconee Nuclear Station Units 1, 2, and 3 dated 5/13/1976 (ADAMS Accession No. ML16014A501)
Example 1:
The team determined that specification OSS-0254.00-00-4013, Design Basis Specification for the Oconee Single Failure Criterion, failed to include design and licensing basis requirements located in IEEE 279-1968 and IEEE 279-1971, and did not conform to statements in sections 7 and 8.2.3.3 of the Oconee UFSAR. Specifically, the team noted that design and analysis requirements from IEEE 279, sections 3(g), 3(h), 4.2, and 4.7 were not translated into the specification. The team also noted that design changes NSM ON-53065, EC 91870, EC 91873, EC 91880, and EC 91881 utilized the specification to perform design and analysis related to the modifications.
The team noted the following sections in specification OSS-0254.00-00-4013 did not reflect the original design requirements. The team noted that some of these sections were incorporated by an internal memo to file13 written by Oconee dated 1993, which was not part of the site licensing basis and was not reviewed by or approved by the NRC.
- Section 3.1.1, Single Failure, specified that single failures would only be considered on demand of a component to operate;
- Section 3.2.1.3, Single Failure Licensing Basis for Electrical Systems, stated that the Oconee design allows distinctions between active and passive electrical failures;
- Section 3.2.1.4.2, Single Failures in a System Shared by Two or More Units, excluded the consideration of single failures from occurring during normal plant operations;
- Section 3.2.1.4.3, Effects of a Non-Qualified Component Failure, stated that Oconee would not make any distinction between the protection systems and non-Class 1E systems. Failures in the non-Class 1E systems were credited for the single failure criterion, which does not meet the original design requirements for control system and protection system interactions, and
- Section 3.3.6, Exemptions for Electrical Cabling and Internal Electrical Enclosure Wiring, stated that Oconee would not consider single failures in armored electrical cables, which did not meet the inclusion requirement in IEEE 279, Section 4.2 to evaluate short-circuits in interconnected power cables.
The team further noted that Oconee design change package NSM ON-53065 updated the UFSAR to include the bronze electrical shielding on power cables as armor, but the team determined that the use of bronze shielding is not equivalent to armor and must be analyzed.
In response to the teams questions about including the effects of three phase short circuits on the cable configurations in Oconee single failure analysis, the licensee specified14 that armor makes this unnecessary. In addition, the licensee indicated that for high impedance grounded systems such as the emergency power system, multiphase short circuits were not credible because they required more than one single failure to make it possible. The team noted that the Oconee electrical system is not high impedance grounded under all operating conditions.
In any event, three phase short circuits were credible in all of the Oconee electrical systems and should have been considered in single failure analyses. The specification and the Memo to File, ME Patrick (PJ North), dated 1/12/92, Single Failure Timing Licensing Basis, no file number given (Note: Memo was actually written 1/12/93).
O-14-03190, corrective action document for Questions raised concerning single failure criteria associated with Keowee underground cable (Trench 3), dated 03/27/2014.
licensees position on multiphase short circuits did not meet the original design requirements to include in single failure analyses credible malfunctions or events that cause a number of consequential component failures.
Example 2:
The team determined that specification OSS-218.00-00-0019, (ELECT) Installation Spec Cable and Wiring Separation Criteria, failed to include design and licensing basis requirements located in IEEE 279-1968 and IEEE 279-1971. Specifically, design and analysis requirements from IEEE 279, sections 3(g), 3(h), 4.5, and 4.6 were not translated into the specification, and design changes NSM ON-53065, EC 91870, EC 91873, EC 91880, and EC 91881 utilized the specification to perform design and analysis related to the modifications.
The team noted the following sections in specification OSS-218.00-00-0019 which did not reflect the original design requirements and led to deficiencies in the modifications designs.
- Section 4.1 defined that cable armor although providing substantial protection is not considered a barrier to provide isolation, moreover the specification did not provide any criteria to verify barrier material for proper isolation. Barriers would need to be matched to the power levels they are exposed to so they would not be defeated directly or indirectly. Due to the use of this specification during development of their modification packages, the licensee failed to perform analyses to determine if the interlinked armor cable and bronze shielding materials they credited for independence and separation were qualified as barriers for the high power levels; and
- Section 6.4 specified that trenches may simultaneously contain power, control and instrumentation cables. Mutually redundant safety cables shall be located on opposite sides of the trench. The specification did not have any provisions for separation distance in trenches other than one quarter the diameter of the larger power cable. This distance cannot provide proper isolation for high power transients. The team observed that the design changes exposed the protection systems and Class 1E DC power systems to potential interactions between Class 1E and Non-Class 1E AC Power systems, which could adversely affect the reliability of the protection systems.
Specifically, the licensee did not analyze that the design could maintain necessary functional capability under extremes conditions from voltage impressment and induction events that could disable the functional capability of the protection systems.
The team determined that the licensees failure to verify through analyses that the design changes met the site protection system design requirements introduced unanalyzed single-failure hazards that could degrade the integrity of the protection systems.
Corrective Actions: The licensee implemented a number of modifications to address the protection system single failure vulnerability concerns associated with the subject plant modifications. On February 28, 2018, (ML180051B257) the NRC granted relief from the applicable Code and concluded that the proposed alternatives provided an acceptable level of quality and safety for the specified cable configurations and locations. The NRC plans to conduct inspections of the corrective actions for the aforementioned violation, as appropriate.
Corrective Action Reference: AR 02203327 and NCRs 1864405, 1905999, and 1906088.
Performance Assessment:
Performance Deficiency: The licensee exposed common Class 1E DC system trains (power and control) for the three Oconee units to potentially damaging high voltages due to postulated failures by re-locating the common trains adjacent to and parallel with the onsite AC power distribution system cables. The configuration did not comply with the Oconee design and licensing basis identified in IEEE 279-1968 and IEEE 279-1971 and thus was a performance deficiency and violation of 10 CFR 50, Appendix B, Criterion III (NCV 05000269, 270, &
287/2018013-01).
Screening: The performance deficiency was determined to be more than minor because it was associated with the Design Control attribute of the Initiating Events Cornerstone and adversely affected the cornerstone objective of limiting the likelihood of events that upset plant stability and challenge critical safety functions. Specifically, the failure to translate the design requirements of IEEE 279-1968 and IEEE 279-1971 into specifications resulted in cable alignments that could let high-current electrical failures cause induced high-voltages and impressed voltages on the protection systems. This created the possibility for a new accident sequence.
Significance: The team evaluated the finding with Inspection Manual Chapter (IMC) 0609, Att.
4, Initial Characterization of Findings, issued October 7, 2016, for Initiating Events, and IMC 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, issued June 19, 2012, and determined the finding met the Support System Initiators screening criteria for requiring a detailed risk evaluation. The team determined that this issue increased the likelihood of the support system initiator site wide loss of offsite power (LOOP) in addition to the site wide loss of DC protection systems. A regional Senior Reactor Analyst (SRA)performed the detailed risk evaluation using input from SAPHIRE Version 8.1.7 and Versions 8.50 and 8.55 of the SPAR Model for Oconee. The SRA developed a new event tree to model the various cable segments and damage states for the finding. The result was an increase in core damage frequency of less than 1E-6/year for each Oconee unit, which would be a finding of very low significance (Green). The dominant sequence was related to a fault in the normally energized 4.16 kVac cable in the new Trench 3 from Keowee to Oconee that resulted in a total loss of AC & DC power. This was mitigated by the standby shutdown facility and the low likelihood of a fault severe enough to cause damage or the low probability of such a severe damage state. No cross cutting aspect was assigned to this finding because the inspectors determined the finding did not reflect present licensee performance.
Enforcement:
10 CFR Part 50, Appendix B, Criterion III, Design Control, stated, in part, that measures shall be established to assure that applicable regulatory requirements and the design basis, as defined in § 50.2 and as specified in the license application, for those structures, systems, and components to which this appendix applies are correctly translated into specifications, drawings, procedures, and instructions, that design control measures shall provide for verifying or checking the adequacy of design, and that design changes, including field changes, shall be subject to design control measures commensurate with those applied to the original design The Oconee regulatory requirements and the design basis for the design of protection systems are, in part, IEEE 279-1968, Section 1, Scope, Section 2, Definitions, Section 3, Design Basis, and Section 4, Requirements, and IEEE 279-1971 Sections 4.2, Single Failure Criterion, Section 4.7, Control and Protection System Interaction, Section 4.11, Channel Bypass or Removal from Operation, and Section 4.17, Manual Initiation.
Contrary to the above, the NRC identified examples of the licensee failing to meet the aforementioned requirements from May 17, 2001 to May 9, 2014, when the licensee approved multiple modification packages associated primarily with protected service water system modifications. The licensee failed to ensure the regulatory requirements and design basis requirements were translated into specifications, drawings, procedures, and instructions and failed to apply design control measures commensurate with the original design. The modification packages involved the installation of Class 1E and non-Class 1E AC power and DC cabling systems adjacent to one another over long distances in the PSW duct bank, SY trenches, and Trench 3.
The licensee failed to translate the original design requirements from IEEE 279-1968 and IEEE 279-1971 into specifications OSS-0254.00-00-4013, Design Basis Specification for the Oconee Single Failure Criterion, and OSS-218.00-00-0019, Installation Spec Cable and Wiring Separation Criteria,; failed to translate those requirements into the modification packages instructions and procedures; and failed to verify the adequacy of the design as compared to those requirements in their modification design packages.
Specifically:
The licensees use of specification OSS-0254.00-00-4013, Design Basis Specification for the Oconee Single Failure Criterion, Revision 4, failed to ensure that the protection system single failure analyses for the subject modifications was properly conducted. Specific design bases not in the specification included: IEEE 279-1968, Section 3, which required analysis throughout the full range of normal conditions, transient conditions, and malfunctions specified in the electrical systems design basis; IEEE 279-1971, Section 4.2 , which required an analysis of passive and active single failures occurring within the protection system at any time; and IEEE 279-1971, Section 4.7 , which required an analysis of failures that could occur within the protection system in addition to any non-Class 1E equipment failures that could degrade the protection system.
The licensees use of specification OSS-218.00-00-0019, Installation Specification for Cable and Wiring Separation Criteria, Revision 17, failed to ensure the protection system electrical channel integrity and channel independence for the subject modifications. Specific design bases not included in the specification included: IEEE 279-1968, Section 3, which required an analyses of the protection system throughout the full range of normal conditions, transient conditions, and malfunctions; IEEE 279-1968, Section 4.5, which required the protection system channels to maintain necessary functional capability under extremes of conditions; and IEEE 279-1968, Section 4.6, which required the protection system to be independent and physically separated from the coupling effects (e.g. voltage induction and impressment)resulting from unsafe electrical faults (transients). Of note was that while OSS-218.00-00-0019, Section 4.1, did state that cable armor although providing substantial protection is not considered a barrier to provide isolation, it did not result in the required analyses.
The failure to verify the adequacy of the multiple modification packages combined with the failure to translate the design requirements of IEEE 279-1968 and IEEE 279-1971 into plant specifications resulted in the introduction of multiple unanalyzed conditions where an electrical fault in a power system cable could potentially result in damage to the protection systems which could prevent proper protective actions at the system level.
Enforcement Action: This violation is being treated as a non-cited violation, consistent with Section 2.3.2.a of the Enforcement Policy, because it was very low safety significance (GREEN) and was entered into the licensees corrective action program as AR 02203327.
Failure to Submit Changes for License Review and NRC Approval.
Cornerstone Severity Cross-cutting Report Aspect Section Not Applicable Severity Level IV Not Applicable 71111.21 NCV 05000269, 270, 287/2018013-02 Component Closed Design Basis Inspection The team identified an NCV of 10 CFR 50.59(c)(2), Changes, tests and experiments, for the failure to submit a plant modification for license review and obtain a license amendment for a change that resulted in more than a minimal increase in the likelihood of occurrence of DC protection system malfunctions and a departure from methods for protection system single failure analysis as described in the FSAR. Specifically, the violation was associated with engineering changes (ECs), EC91880, Keowee Emergency-start Cable, Revision 24 and EC91875, Keowee AC Power Supply Tie-Ins, Revision 15, and EC91874, 13.8 KV Feed To PSW System from 100 KV APS, Rev. 7.
Description:
This NCV was previously described as an Apparent Violation (AV) 05000269, 270, 287/2018013-02, Failure to Submit for License Review and Obtain a License Amendment for a Modification, (EA-18-036) in inspection report 05000269/2018013, 05000270/2018013, and 05000287/2018013, and is further described below. The licensees procedure for evaluating changes under 10 CFR 50.59, NSD 2091 utilized the guidance in NEI 96-072. Section 4.3.2, of NEI 96-07 specified that if a change in likelihood of occurrence of a malfunction increases by more than a factor of two the modification would need NRC approval, because certain changes that satisfy the factor of two limit exceed the minimal increase standard for accident/transient frequency under criterion 10 CFR 50.59(c)(2)(i). The team evaluated the change in likelihood of malfunctions in the DC protection systems3. The changes in question installed protection system cables adjacent to medium voltage high power AC cables in multiple areas, which did not meet the site licensing basis for 10 CFR 50.55a(h)and the specific requirements of the IEEE 279 standards.
The following is a description of the modifications in question:
Nuclear System Directive (NSD): 209 10 CFR 50.59 Process, Nuclear Energy Institute (NEI) 96-07, Guidelines for 10 CFR 50.59 Implementation, Revision 1 For purposes of the IEEE 279 criteria, the nuclear power generating station protection system encompasses all electric and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating those signals associated with the protective function. These signals include those that actuate reactor trip and that, in the event of a serious reactor accident, actuate engineered safeguards such as containment isolation, core spray, safety injection, pressure reduction, and air cleaning. This IEEE 279 scope is considered to cover sensors and transducers, the devices that control actuators (control rods, valves, pumps, etc.), and everything in between. In accordance with the Atomic Energy Commission (AEC) position in the 1968 publication from the Oak Ridge National Lab (ORNL) Nuclear Safety Information Center (NSIC), ORNL-NSIC-51, Design Principles of Reactor Protection Instrument Systems. Section 2.1.
The first modification was implemented from 2000 to 2002. Oconee replaced the Keowee power cabling system to address aging degradation. Change package NSM ON-530654,5 replaced two independent, previously separately direct buried, cabling systems with new cabling systems routed in a new underground concrete raceway designated as Trench 3.
The raceway was a 2.4 foot by 2.75 foot concrete tunnel 4000 feet long between the Oconee CT4 (transformer) blockhouse and the Keowee Hydro Station. Following the modification installation, a barrier between the two cabling systems no longer existed, as there was when they were separately buried. The two new cabling systems included twelve 13.8 kilo-volt (kV)and six 4.16 kV AC power cables and 24 multi-conductor DC protection system cables. The DC protection system cables were installed parallel to the AC power cables along the length of Trench 3 within five inches. This modification placed into service six of the 13.8 kV cables and three 4.16 kV cables. The portion of the unused AC power cables that were longer than the Trench 3 raceway were left uncut on reels in the switchyard (spared) for future use. The DC cables were connected to terminal cabinets at Oconee (CT4 blockhouse) and at the Keowee Hydro Station and left unconnected to the protection systems for use in future modifications.
This modification did not present hazards until the modifications were completed in 2014.
The second series of modifications were implemented from approximately 2007 to 2014.
Engineering change packages implemented design changes to address the fire, tornado, and HELB vulnerabilities in the turbine building (EC 91870, EC 91873, EC 91880, and EC 918816).
The modifications added approximately 1800 feet of cabling systems outside in an underground duct bank raceway to bypass the turbine building. The raceway interconnected with two outside switchyard (SY) trenches leading to the CT4 blockhouse. The raceway then went on to provide an outside route to Keowee through Trench 3. Approximately 24 safety-related DC cables and three PSW non-safety-related DC cables were routed in the raceways within inches in parallel with the non-safety-related PSW high power AC cabling systems and with the Keowee Class 1E high power emergency power AC cabling systems. For the PSW to Keowee route, six of the spare 13.8kV cables from the previous modification were used. The cables provided two trains of non-Class 1E power from the Keowee Hydro Station to the PSW building (approximately 5800 feet). Six additional new 13.8kV cables provided two normal trains of non-Class 1E power from an offsite commercial power source (approximately 400 feet from the duct bank manhole six to the PSW building). The SY trenches contained non-safety-related 4.16kV AC power cables to provide AC power to the switchyard. The cables for the switchyard isolation protection system, which are part of the safety-related DC cables, returned to the switchyard relay house through the SY trenches (approximately 700 feet).
The alignment of cabling in raceway systems introduced multiple postulated hazards from unanalyzed single failures. The hazards created the possibility for a new accident sequence.
The accident sequence could result from high voltages developed between the AC power systems and the DC (protection and power) systems. The voltages could result from faulted conditions in the interconnected AC power components. These single failure vulnerabilities could credibly disable the AC systems, and may prevent proper protection system actuation when the systems are required to operate. The design is contrary to the requirements of IEEE Std. 279 and the Oconee licensing basis.
The team used the SPAR model and IEEE 493-20077 to estimate whether the increase in likelihood of failure of DC system components exceeded the factor of two threshold established in NEI 96-072. The IEEE standard met the requirements of 10 CFR 50.54(jj) for consideration in protection system design. The standards failure frequency database included the necessary components (e.g. cables, switchgear, switchgear, terminations, circuit breakers, and transformers). The standard deconstructed the component failures to the damaged part and failure type, the failure repair method, and repair urgency (i.e. how catastrophic the failure was). These characteristics were used to estimate the number of faults that could induce damaging voltages in the DC protection systems. The SPAR model provided a nominal random failure rate for each of the DC protection system buses of 1.9 E-3 per year. The buses in this configuration have the potential to fail from the same event. The standards database gave a random nominal failure rate for the power cable in the raceways. The cable was metallically shielded thermoset AC medium voltage cable. The failure rate was approximately 8.89 E-3 failures per thousand feet per year. Given a total length of cable in Trench 3 of 10260 feet, and the proximity and parallel length of cables, the estimated increase in likelihood of a DC system malfunction exceeded the factor of two threshold established in NEI 96-072.
Additionally, the guidance in NEI 96-07, Section 4.3.8, specified that the use of new or different methods of evaluation that are not approved by NRC for the intended application required NRC approval. The methods used were not consistent with the methods described in the Oconee licensing basis. The UFSAR, Chapter 7, described the single failure analysis methodology:
No single component failure will prevent a protective system from fulfilling its protective functions when action is required, and No single component failure will initiate unnecessary protective system action where implementation does not conflict with the criterion above.
The licensee developed new single failure timing criteria around 1993 in a memo to file8. The timing excluded credible single failures that occurred at any other time than on demand. The licensee incorporated the new timing criteria in a design basis specification (DBD) for single failures9 created in 1995. Using the guidance from the single failure DBD, the licensee excluded single failure vulnerabilities that could have prevented the protection system from fulfilling its protective functions when action was required.
The UFSAR, Section 8.3.1.2, Analysis, for onsite AC Power Systems stated that the basic design criterion for the electrical portion of the emergency electric power system of a nuclear unit, including the generating sources, distribution system, and controls is that a single failure of any component, passive or active, will not preclude the system from supplying emergency power when required. The single failure DBD, Section 3.2.1.3 specified, In 10 CFR 50 Appendix A, there is no distinction between active and passive failures in electrical systems.
However, the criteria in 10 CFR 50 Appendix A are not part of Oconees licensing basis, and a NSM ON-53065, Replace Underground Power, Aux. Power & Control Cables from Keowee to Oconee Nuclear Station, Rev. 1 K-0904-A Sections and Details Pre-Fab Concrete Trench #3, Rev. 0
- Engineering Change (EC) 91870 PSW Building - This package installs the new PSW building, which has been designed. This building will house all the PSW equipment required for the PSW project. The PSW equipment will provide the electrical power for the alternate feeds to the manual transfer switches.
EC 91873 PSW Power Feed Installation - This package installs the 600 VAC MCC in the Aux Building that provides the alternate feed to the automatic transfer switches.
EC91880 Keowee Emergency-start Cable -this package used cables installed by NSM 53065 which originate in Keowee (KHU-1
& KHU-2) and are terminated in the [CT4] Blockhouse termination cabinets (KHU-1A & KHU-2A). EC91880 installs new cables from Blockhouse termination cabinets KHU-1A & KHU-2A to Aux Building via new PSW building and Keowee terminal cabinets KHU-1B & KHU-2B located in the Unit 3 Aux Building 783 Elevation.
EC 91881 Ductbank - This package installs all the ductbank required for the PSW project cables.
IEEE 493-2007, IEEE Recommended Practice for the Design of Reliable Industrial and Commercial Power Systems, Memo to File, ME Patrick (PJ North), dated 1/12/92, Single Failure Timing Licensing Basis, no file number given (Note: Memo was actually written 1/12/93).
OSS-0254.00-00-4013, Design Basis Specification for the Oconee Single Failure Criterion, Rev. 4 distinction between active and passive failures is made for Oconee electrical systems (see Reference 4.3.1.1). Reference 4.3.1.1 is the memo from 19938. Using the guidance in the single failure DBD, the licensee excluded passive single failures that could have prevented the protection system from fulfilling its protective functions when action is required.
The team determined that these changes were a change to methods of evaluation described in the UFSAR and would need NRC approval, because it was considered a departure from a method of evaluation described in the UFSAR.
From the time this issue was first identified, the licensee performed several modifications designed to remove the DC protection system cables from the parallel configurations in question. In addition, the site was granted relief (ADAMS Accession No. ML18060A028) for certain areas where the licensee found corrective action too problematic in accordance with 10 CFR 50.55a(z). However, the SY trenches were not included in the relief request, and the two SY trenches each contained one channel of the DC protection system cables in parallel with medium voltage cables. As such, the corrective action in this area would need to be addressed.
Corrective Actions: The licensee implemented a number of modifications to address the protection system single failure vulnerability concerns associated with the subject plant modifications. On February 28, 2018, (ML180051B257) the NRC granted relief from the applicable Code and concluded that the proposed alternatives provided an acceptable level of quality and safety for the specified cable configurations and locations. The NRC plans to conduct inspections of the corrective actions for the aforementioned violation, as appropriate.
Corrective Action References: AR 02203327 and NCRs 1864405, 1905999, and 1906088
Performance Assessment:
Traditional Enforcement Assessment: This violation was associated with a previously documented finding assessed using the significance determination process, which was documented under NCV 05000269, 270, 287/2018013-01.
Enforcement:
Severity: The ROP significance determination process does not specifically consider the regulatory process impact in its assessment of licensee performance. Therefore, it is necessary to address this violation, which impedes the NRCs ability to regulate using traditional enforcement to adequately characterize the non-compliance. The finding was determined to be a Severity Level IV violation consistent with Section 6.1.d.2 of the NRC Enforcement Policy.
Violation: 10 CFR 50.59(c)(2), Changes, tests and experiments, required, in part, a licensee shall obtain a license amendment pursuant to Sec. 50.90 prior to implementing a change, test, or experiment if the change, test, or experiment would
- (ii) result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety or (viii) result in a departure from a method of evaluation described in the FSAR (as updated) used in establishing the design bases, or in the safety analyses.
Contrary to the above, from June 2013 until discovery, the licensee failed to obtain a license amendment pursuant to Sec. 50.90 prior to implementing a change that resulted in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the FSAR and departed from a method of evaluation described in the FSAR (as updated) used in establishing the design bases or in the safety analyses.
Specifically, the licensee implemented modifications to the plant that resulted in a more than minimal increase in the likelihood of occurrence of a malfunction of the DC protection systems that had the potential to adversely affect the three Oconee units and the Keowee emergency power hydro station, and departed from the single failure analysis methods decribed in the FSAR.
Enforcement Action: This violation is being treated as a non-cited violation, consistent with Section 2.3.2.a of the Enforcement Policy, because it was very low safety significance (SLIV)and was entered into the licensees corrective action program as AR
EXIT MEETINGS AND DEBRIEFS
On July 26, 2018, the NRC presented the results of the detailed risk evaluation to you and other members of your staff.
LIST OF
DOCUMENTS REVIEWED
CALCULATIONS
KC-2190-004 Failure Mode and Effects Analysis (FMEA) for the Keowee 13.8 KV Switchgear
(KPF) Power Feeds To Protected Service Water System (PSW) Switchgear (B6T B7T)
KC-2195-000, Keowee 13.8 KV Breaker Equipment Mounting and Cable Tray Supports
Qualification
KC-2197-001, Keowee Hydro KPF-1 and KPF-2 13.8KV Switchgear Arc-Flash Analysis 6
2011
OSC-7729-003, Oconee-Keowee Underground Power Cable Replacement Calculations (for
NSM ON-53065), Rev. 3
OSC-9370, Units 123 PSW AC Power System Voltage and Short Circuit Analysis
KC-2217, Protective Relay Settings for Keowee 13.8 kV KPF Switchgear Rev. 2
OSC-9831, Protective Relay Settings Associated with PSW Switchgear Rev. 3
KC-2131, Electrical Design Input Calculation for NSM ON-53065 (Keowee Underground Cable
Replacement)
OSC-7729, Oconee-Keowee Underground Power Cables Replacement Calculations Rev. 3
OSC-5096, Keowee Single Failure Analysis, Rev. 13
OSC-3716 Station Blackout Coping Study Rev. 001
OSC-2059, U1 AC Power System Voltage and Fault Duty Analyses, Rev. 25
DRAWINGS
O-711-C, Unit 1 Connection Diagram Unit Control Board 1UB1, Rev. 68
O-1711-C, Unit 2 Connection Diagram Unit Control Board 2UB1, Rev. 64
O-2711-D, Unit 2 Connection Diagram Unit Control Board 3UB1, Rev. 56
O-705, Unit 1 One Line Diagram 120 VAC & 125 VDC Station Aux. Circuits Instrumentation
Vital Buses, Rev. 98
O-1705, Unit 2 One Line Diagram 120 VAC & 125 VDC Station Aux. Circuits Instrumentation
Vital Buses, Rev. 82
O-2705, Unit 3 One Line Diagram 120 VAC & 125 VDC Station Aux. Circuits Instrumentation
Vital Buses, Rev. 80
O-753-L, Connection Diagram Keowee Emergency-start Panel - Rev. 17G
O-1753-N - Connection Diagram Keowee Emergency-start Panel - Rev. 9B
O-2753-N - Connection Diagram Keowee Emergency-start Panel - Rev. 12B
K-904-B Sections and Details Trench #3 Power Cable Switchover, Rev. 0
KEE 117, Elementary Diagram Remote Controls, Rev. 6
KEE 217 Elementary Diagram Remote Controls KHU2, Rev. 8
KEE-213 KHU2 Master control Start, Rev. 25
OEE 120, Elementary Diagram Channel A Keowee Emergency-start, Rev. 17
OEE 120-A, Elementary Diagram Channel A Keowee Emergency-start Contact Development,
Rev. 10
OEE 120-I, Elementary Diagram Channel B Keowee Emergency-start, Rev. 17
OEE 120-A-I, Elementary Diagram Channel B Keowee Emergency-start Contact Development,
Rev. 10
O-799-A Interconnection Diagram Keowee-Oconee Interface Cabinet KOIC-A, Rev. 28
O-799-B Interconnection Diagram Keowee-Oconee Interface Cabinet KOIC-B
O-799-C - Outline and Connection Diagram Terminal Cabinet KHU-1A, Rev. 1
O-799-C-1- Outline and Connection Diagram Terminal Cabinet KHU-1B - Rev. 0
O-799-D - Outline and Connection Diagram Terminal Cabinet KHU-2A - Rev. J
O-799-D-1 - Outline and Connection Diagram Terminal Cabinet KHU-2B - Rev. 0
O-2792-D, Connection Diagram Unit Control Terminal Cabinet UCTC 7, Rev. 2
OEE-163-37, Elementary Diagram SSF RC Loop Hot Leg Temp, Rev. 1
PROCEDURES
AP/0/A/2000/002, Keowee Hydro Station - Emergency-start, Rev. 15
AP/0/A/2000/003, Keowee Hydro Station - Auxiliary Power Recovery, Rev. 0
DESIGN BASIS DOCUMENTS
OSS-0254.00-00-2006, Design Basis Specification for the 125 VDC Vital Instrumentation and
Control Power System, Rev. 9
OSS-0254.00-00-2000, Design Basis Specification for the 4KV Essential Auxiliary Power
System, Rev. 20
OSS-0254.00-00-2005, Design Basis Specification for the Keowee Emergency Power, Rev. 22
OSS-0254.00-00-4013, Design Basis Specification for the Oconee Single Failure Criterion,
Rev. 4
PLANT MODIFICATIONS
NSM ON-53065, Replace Underground Power, Aux Power, & Control Cables from Keowee
Hydro-Station to Oconee Nuclear Station, Rev. 1
EC91826-OD100924, Backup Power-U1 Pressurizer Heater and Battery Chargers 1CA & 1CB
from PSW, Rev. 0
EC91830-OD100941, Unit 1 Main Control Room Board Additions for PSW, Rev. 16
EC91849-OD200925, Backup Power-U2 Pressurizer Heater and Battery Chargers 2CA & 2CB
from PSW, Rev. 7
EC91850-OD200934, Protected Service Water Test Line/Minimum Flow, Rev. 9
EC91852-OD200945, Unit 2 Outage Main Control Board Additions, Rev. 8
EC91853-OD200942, Unit 2 Pre-outage Main Control Room Board Adds for PSW, Rev. 5
EC91856-OD500921, PSW Support Equipment Installation and Testing, Rev. 37
EC91859-OD300926, Backup Power-U3 Pressurizer Heater and Battery Chargers 3CA & 3CB
from PSW, Rev. 2
EC91860-OD300935, (OMP) Protected Service Water, Rev. 15
EC91863-OD300943, Unit 3 Pre-Outage Main Control Room Board Adds for PSW, Rev. 1
EC91866-OD300955, Unit 3 Outage Main Control Room Board Adds For PSW, Rev. 4
EC91873-OD500922, PSW Power Feed Installation, Rev. 8
EC91874-OD500923, 3.8 KV Feed to PSW System from 100 KV APS, Rev. 7
EC91875-OD500927, Keowee AC Power Supply Tie-Ins, Rev. 15
EC91876-OD500928, SSF 4.16KV Alternate Power Feed from PSW, Rev. 37
EC91877-OD500932, Protected Service Water, Main Header, Rev. 18
EC91880-OD500940, Keowee Emergency-start Cable, Rev 24 (HELB Involved SY Trenches)
PLANT MODIFICATIONS
NSM ON-53065, Replace Underground Power, Aux Power, & Control Cables from Keowee
Hydro-Station to Oconee Nuclear Station, Rev. 1
EC91826-OD100924, Backup Power-U1 Pressurizer Heater and Battery Chargers 1CA & 1CB
from PSW, Rev. 0
EC91830-OD100941, Unit 1 Main Control Room Board Additions for PSW, Rev. 16
EC91849-OD200925, Backup Power-U2 Pressurizer Heater and Battery Chargers 2CA & 2CB
from PSW, Rev. 7
EC91850-OD200934, Protected Service Water Test Line/Minimum Flow, Rev. 9
EC91852-OD200945, Unit 2 Outage Main Control Board Additions, Rev. 8
EC91853-OD200942, Unit 2 Pre-outage Main Control Room Board Adds for PSW, Rev. 5
EC91856-OD500921, PSW Support Equipment Installation and Testing, Rev. 37
EC91859-OD300926, Backup Power-U3 Pressurizer Heater and Battery Chargers 3CA & 3CB
from PSW, Rev. 2
EC91860-OD300935, (OMP) Protected Service Water, Rev. 15
EC91863-OD300943, Unit 3 Pre-Outage Main Control Room Board Adds for PSW, Rev. 1
EC91866-OD300955, Unit 3 Outage Main Control Room Board Adds For PSW, Rev. 4
EC91873-OD500922, PSW Power Feed Installation, Rev. 8
EC91874-OD500923, 3.8 KV Feed to PSW System from 100 KV APS, Rev. 7
EC91875-OD500927, Keowee AC Power Supply Tie-Ins, Rev. 15
EC91876-OD500928, SSF 4.16KV Alternate Power Feed from PSW, Rev. 37
EC91877-OD500932, Protected Service Water, Main Header, Rev. 18
EC91880-OD500940, Keowee Emergency-start Cable, Rev 24 (HELB Involved SY Trenches)
MISCELLANEOUS DOCUMENTS
Condition Reports Written Due to this Inspection
PIP O-14-02965 (PDO) Evaluation of Dynamic Loads from Cable Faults (Cable Whip)
PIP O-14-03190 (PDO) Single failure criteria associated with Keowee underground cable
PIP O-14-5125 Cable faults on the PSW 13.8 kV Fant power path needs to be evaluated,
PDO updated 5-19-2014