IR 05000275/1999015
| ML16342B995 | |
| Person / Time | |
|---|---|
| Site: | Diablo Canyon  |
| Issue date: | 10/14/1999 |
| From: | NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION IV) |
| To: | |
| Shared Package | |
| ML16341D130 | List: |
| References | |
| 50-275-99-15, 50-323-99-15, NUDOCS 9910210241 | |
| Download: ML16342B995 (100) | |
Text
July 1, 1999
SUBJECT:
NRC INSPECTION REPORT NO. 50-275/99-14; 50-323/99-14
Dear Mr. Rueger:
This refers to the inspection conducted on August 22 through October 9, 1999, at the Diablo Canyon Nuclear Power Plant, Units 1 and 2, facility. The enclosed report presents the results of this inspection.
During the 7-week period covered by this inspection period, your conduct of activities at the Diablo Canyon Nuclear Power Plant facilitywas generally characterized by safety-conscious operations, sound engineering and maintenance practices, and good radiation protection support.
Based on the results of this inspection, the NRC has determined that five Severity Level IV violations of NRC requirements occurred.
These violations are being treated as noncited violations (NCVs), consistent with Appendix C of the Enforcement Policy. These NCVs are described in the subject inspection report.
If you contest the violation or severity level of these NCVs, you should provide a response within 30 days of the date of this inspection report, with the basis for your denial, to the Nuclear Regulatory Commission, ATIN: Document Control Desk, Washington, DC 20555-0001, with copies to the Regional Administrator, U.S. Nuclear Regulatory Commission, Region IV, 611 Ryan Plaza Drive, Suite 400, Arlington, Texas 76011, the Director, Office of Enforcement, United States Nuclear Regulatory Commission, Washington, DC 20555-0001, and the NRC Resident Inspector at the Diablo Canyon Nuclear Power'lant, Units 1 and 2, facility.
In accordance with 10 CFR 2.790 of the NRC's "Rules of Practice," a copy of this letter, its enclosure, and your response, if requested, willbe placed in the NRC Public Document Room (PDR).
Pacific Gas and Electric Company-2-Should you have any questions concerning this inspection, we willbe pleased to discuss them with you.
Sincerely, Li da Joy Smit, C ief Project Branch E Division of Reactor Projects Docket Nos.:
50-275 50-323 License Nos.: DPR-80 DPR-82
Enclosure:
NRC Inspection Report No.
50-275/99-14; 50-323/99-14
REGION IV==
Docket Nos.:
License Nos.:
Report No.:
Licensee:
Facility:
Location:
Dates:
Inspectors:
Approved By:.
50-275 50-323 DPR-80 DPR-82 50-275/99-14 50-323/99-14 Pacific Gas and Electric Company Diablo Canyon Nuclear Power Plant, Units 1 and 2 7 ~/2 miles NW of Avila Beach Avila Beach, California August 22 through October 9, 1999 David L. Proulx, Senior Resident Inspector Dyle G. Acker, Resident Inspector Gregory A. Pick, Senior Project Engineer CliffordA. Clark, Reactor Inspector Linda Joy Smith, Chief, Project Branch E ATTACHMENT:
Supplemental Information
. 0
EXECUTIVESUMMARY Diablo Canyon Nuclear Power Plant, Units 1 and 2 NRC Inspection Report No. 50-275/99-14; 50-323/99-14 This inspection included aspects of licensee operations, maintenance, engineering, and plant support.
The report documents inspections performed during a 7-week period by the resident inspectors.
~Oerations
~
Operators responded well to a reactor trip that resulted from a lightning strike near the facility. The shift foreman followed emergency procedures appropriately, exhibited conservative decision making, performed frequent and informative crew briefings, and effectively used extra off-shift operators to ensure equipment problems were resolved in a timely manner.
The posttrip review appropriately described the sequence of events and identified the root cause (Section 01.2).
Operators responded well to a significant leak from the suction flange of Main Feedwater Pump 1-1 by immediately ramping down Unit 1, then tripping and isolating the pump. The shift supervisor performed frequent crew briefings, used extra personnel appropriately, and exhibited conservative decision making in that a precautionary evacuation of the turbine building was ordered upon discovery of'the magnitude of the leak (Section 01.3).
A violation of 10 CFR 50.72 was identified for failure to report an engineered safety features actuation within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to the NRC operations center.
Turbine-driven Auxiliary Feedwater Pump 1-1 automatically started on low voltage following a loss of 500 kV startup power. Operators reported this actuation approximately 5~/~ hours later because of competing operational priorities. This Severity Level IV violation is being treated as a noncited violation in accordance with Appendix C of the Enforcement Policy. -This item is in the licensee's corrective action system as Action Request A0491952 (Section 01.4).
The training, preparations, and contingencies for early midloop operations were conservative and properly implemented.
Operable equipment exceeded that required by the Technical Specifications.
The pre-evolution briefings were thorough and informative. The training for midloop operations included draindown, maintenance and refill for midloop operations, as well as several casualties.
Operators drained down to the midloop condition, maintained level, and refilled the reactor coolant system in a careful, deliberate manner.
The addition of new methods of level indication was an excellent initiative, which provided a diverse method of vessel level indication. These diverse methods included two new wide-and narrow-range level systems using pressure transmitters and ultrasonic indication on the loop piping (Section 01.5).
Operators started to drain Steam Generator 2-2 based on a misunderstanding of a prerequisite.
The midloop procedure required at least two steam generators to be filled to 15 percent on the narrow-range with the reactor coolant system at reduced inventory.
However, operators incorrectly believed that the prerequisite referred to 15 percent on
-2-the wide range.
After the inspectors identified this issue to the operators, operators stopped the steam generator drain prior to lowering level below 15-percent on the narrow range.
Although the midloop procedure was not violated, and subsequent review of the outage safety plan revealed that maintaining water in the steam generators was only required when the reactor coolant system intact, operators demonstrated poor attention to detail (Section 01.5).
Even though the outage risk plan required that the single source of offsite power be protected from production work, the licensee parked a truck within several feet of the single source of offsite power. The licensee had to remove the vehicle barriers to place the truck in this location (Section 01.5).
Maintenance
.
Maintenance personnel failed to properly tighten a fitting used to inject liquid sealant, as part of a temporary leak repair of the suction flange to nonsafety-related Main Feedwater Pump 1-1. The repair had occurred during a forced outage, resulted in a significant flange leak after Unit 1 returned to 100 percent power, and caused an unplanned down power to 50 percent.
The licensee subsequently correctly installed the temporary leak repair rig. The licensee appropriately characterized this issue as a maintenance preventable functional failure (Section 01.3).
System maintenance personnel at the switchyard inappropriately placed nonsafety-related Overvoltage Relay 559-1 in service with a trip signal in place,'resulting in a loss of 500 kV offsite power and an automatic start of Turbine-driven AuxiliaryFeedwater Pump 1-1, while Unit 1 was in Mode 3. This transient indicated that controls over switchyard work required improvement.
Allother loads successfully transferred to the startup transformer (Section 01.4).
The inspectors concluded that testing of main annunciator alarms was well coordinated by technical maintenance, system engineering, and control room personnel (Section M1.2).
During main annunciator system testing after multiple card replacements, the inspectors observed that licensee personnel did not document a nonsafety-related main annunciator test failure until questioned by the inspectors 4 days later. The inspectors considered that the failure to document alarm problems whe'n they were observed was a poor work practice (Section M1.2).
The replacement of Centrifugal Charging Pump 2-2 was performed well and included
.
good radiation protection work practices.
The inspectors identified a poor work practice in that personnel stood on small bore pipe, not designed for this type of loading.
Licensee management responded appropriately by issuing a notice to all employees to refrain from standing on piping less than 2 inches in diameter.
Engineering personnel inspected the line in question and determined by engineering judgement that no damage had occurred (Section M1.3).
-3-The licensee exhibited excellent initiative and a good focus on safety by inspectirig all control room light sockets after operators noted an increasing trend in socket failures when changing out control board light bulbs. When additional failures were found during a sample inspection, the licensee commenced a 100 percent inspection (Section M1.5).
The licensee initiallyprioritized the control room socket inspections incorrectly. The inspectors identified that the inspection priority did not focus on ensuring a train of safe shutdown for a seismic event (probable socket failure mechanism) but focused on the risk achievement worth of internal events.
Subsequently, the licensee adjusted the inspection priority based on the external event or seismic risk assessment (Section M1.5).
The licensee identified 48 control board light socket failures, many of which affected the control power for safety related systems, out of 1300 sockets inspected.
In order to review the potential safety consequence of the simultaneous failure of all of these items, this issue willbe treated as an unresolved item (Section M1.5).
Licensee personnel improperly installed the dc control power fuses for local operation of the output breaker for Diesel Engine Generator 1-2. This condition existed for 6 months, but only affected the availability of Diesel Engine Generator 1-2 for fire or safe shutdown scenarios.
This issue is being tracked as an unresolved item until the licensee completes the root cause and safety consequence evaluations (Section M1.6).
Plant materiel condition was good and improved over the previous 6 months as evidenced by lower maintenance backlogs and availability of all essential equipment in preparation for the storm season (Section M2.1).
A violation of Technical Specifications 3.8.1.1 was identified for two examples of operators failing to perform conditional surveillance requirements.
The conditional surveillance required that the remaining sources of electrical power be verified after one or more sources were taken out of service.
One example was from July 1999 and one from July 1997.
In both cases, after electrical equipment was taken out of service, operators determined that the conditional surveillance was required but failed to complete the surveillance in the time allowed. This Severity Level IV violation is being treated as a noncited violation, consistent with Appendix C of the Enforcement Policy.
The licensee placed these items in the corrective action system as Nonconformance Reports N0002099 and N0002035, respectively (Sections M8.1 and M8.2).
A violation of Technical Specification 3.1.1.1 was identified for operators failing to complete conditional surveillance 4.1.1.1a.
On July 13, 1999, operators declared the rod control system inoperable.
Operators entered Technical Specification 3.1.3.1, Action c for inoperable rods but failed to enter Technical Specification 3.1.1.1.
Technical Specification 3.1.1.1 required that an adequate shutdown margin be verified within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This action was not completed until July 15. This Severity Level IV violation is being treated as a noncited violation, consistent with Appendix C of the Enforcement Policy. The licensee included this item in the corrective action system as Nonconformance Report N0002100 (Section M8.3).
II
~En ineerin A violation of 10 CFR Part 50, Appendix B, Criterion III, "Design Control," occurred because Design Change DC2-SE-50149 did not,provide adequate isolation between non-Class 1E loads and Class 1E inverters.
The design failed to ensure that malfunctions on the non-Class 1E circuits would not cause failure of Class 1E equipment.
The failure to recognize and include inverter current limiting characteristics in design criteria documents contributed to this deficiency.
However, this Severity Level IVviolation is being treated as a noncited violation, consistent with Appendix C of the Enforcement Policy. The licensee modified the design and placed this item in the corrective action system as Action Requests A049073, A0491436, and A0494173 (Section E1.1).
~
The inspectors considered that the main annunciator system met the Year 2000 compliance guidelines of Temporary Instruction 2515/141, Revision 1. This review completed the inspectors'ollowup of Year 2000 readiness (Section E8.1).
Plant Su ort
~
A violation of Technical Specification 6.12.1.b with two examples was identified for failures to meet the requirements for high radiation area entries.
In the first example, an experienced engineer entered a high radiation area without obtaining the required radiation protection briefing of the area dose rates because of unfamiliarity with the high radiation area controls.
In the second example, two contractors entered a high radiation area without being familiar with the area dose rates.
These individuals incorrectly believed that a high radiation area radiation work permit authorized entry into any'igh radiation area.
Similar violations of high radiation controls had occurred during Refueling Outage 1R9; however, licensee response to these issues was appropriate to the circumstances.
This Severity Level IVviolation is being treated as a noncited violation in accordance with Appendix C of the Enforcement Policy. These items are in the licensee's corrective action system as Action Requests A0492245 and A0492922 (Section R1.1).
Re ort Details Summa of Plant Status Unit 1 began this inspection period at 100 percent power. On September 22, 1999, Unit 1 experienced a reactor trip because of a lightning strike on a 500 kV line. Following minor repairs and testing that occurred in Mode 3 (Hot Standby), operators entered Mode 2 (Startup)
on September 24. Later that day, the main generator was synchronized to the grid: Unit 1 achieved 100 percent power on September 26. On September 30, operators reduced Unit 1 to 50 percent power because the suction flange of Main Feedwater Pump 1-1 leaked excessively.
Operators returned Unit 1 to 100 percent power on October 1. Unit 1 operated at essentially 100 p'ercent power until the end of this inspection period.
Unit 2 began this inspection period at 100 percent power. On September 19, Unit 2 began reactor power coastdown prior to Refueling Outage 2R9. On September 26, with reactor power at 93 percent, operators commenced shutdown of Unit 2. On September 27, Unit 2 entered Mode 3. Operators cooled down Unit 2 and entered Mode 5 (Cold Shutdown) on September 28. The core offload commenced on October 4 and was completed on October 7.
Unit 2 remained defueled at the end of this inspection period.
I. ~Oeratinns
Conduct of Operations 01.1 General Comments 71707 The inspectors visited the control room and toured the plant on a frequent basis when on site, including periodic backshift inspections.
In general, plant operator performance reflected a focus on safety.
Operators performed self-and peer-checking.
The utilization of three-way communications continued to improve, and operators responded promptly and appropriately to alarms.
01.2 Reactor Tri Because of Li htnin Strike Unit 1 a.
Ins ection Sco e 71707 93702 The inspectors observed operator response in the control room, interviewed operators, and reviewed the posttrip evaluation.
In addition, the inspectors evaluated licensee actions associated with Action Request (AR) A0491798.
b.
Observations and Findin s On September 22, 1999, at 9:32 a.m. (PDT) lightning struck a Unit 1 500 kV transmission tower, resulting in a reactor trip from 100 percent power. The Unit 1 main generator output Breakers PCB-532 and -632 opened on overvoltage.
This load rejection caused the secondary steam dumps to open and control rods to automatically step in. Heat dissipated through the steam dumps at a rate less than the heat added to the reactor coolant system heated up, which increased primary pressure liftingtwo of the pressurizer power operated relief valves.
The sudden subsequent decrease in
-2-pressure, coupled with the reactor coolant system temperature decrease, caused the Overtemperature Delta T reactor trip setpoint to be exceeded.
Thus, the solid state protection system initiated a reactor trip.
Allcontrol rods fullyinserted, and the auxiliary feedwater system actuated as expected.
The main steam isolation valves remained open, so'decay heat was removed by dumping steam to the main condenser.
Offsite power automatically transferred to the 230 kV startup source as expected.
No diesel generator starts or other engineered safety features actuated.
Operators entered the emergency operating procedures and implemented the applicable steps.
Operators quickly throttled back auxiliary feedwater flowand controlled the initial cooldown such that the minimum reactor coolant system pressure reached 1975 psig, significantly above the safety injection setpoint of 1850 psig. Operators stabilized Unit 1 at normal operating temperature and pressure in Mode 3.
Because the 500 kV system had been subject to a lightning strike, operators conservatively declared the 500 kV backfeed capability for offsite power inoperable.
Operators performed the conditional Technical Specifications surveillances within the required time. Following inspections of the main bank transformers, the 500 kV lines, and the switchyard, the licensee declared the 500 kV offsite power operable and transferred power back to the 500 kV offsite power source.
Minor equipment problems occurred following the reactor trip. A significant leak developed at the suction flange of Main Feedwater Pump 1-1. Operators isolated the pump in a timely manner to mitigate the leak. Containment Hydrogen Analyzers CEL-82 and -83 tripped during the transfer to 230 kV startup power. Subsequently, operators reset the breakers, returning the hydrogen analyzers to service.
The inspectors concluded that the operators responded well to the reactor trip. The shift foreman followed emergency procedures appropriately, exhibited conservative decision making, performed frequent and informative crew briefings, and effectively used extra off-shiftoperators to ensure timely resolution of equipment problems.
The inspectors evaluated the posttrip review, including the annunciator printouts and plant computer
- traces, and determined that the licensee satisfactorily described the sequence of events and identified the root cause.
The root cause investigation revealed that the lightning strike induced voltage into Overvoltage Relay 559-1, which caused the main generator output breakers to open.
The licensee removed this relay and performed checks to ensure that the relay was not damaged.
The effect of reinstallation of Overvoltage Relay 559-1 is discussed in Section 01.4.
Conclusions Operators responded well to a reactor trip that resulted from a lightning strike near the facility. The shift foreman followed emergency procedures appropriately, exhibited conservative decision making, performed frequent and informative crew briefings, and
-3-effectively used extra off-shift operators to ensure equipment problems were re'solved in a timely manner.
The posttrip review appropriately described the sequence of events and identified the root cause.
01.3 Plant Transient Because of Flan e Leak Unit 1 Ins ection Sco e 71707 93702 The inspectors responded to the control room and evaluated the licensee response to an unplanned downpower to 50. percent power. The inspectors observed operator response in the control room and reviewed AR A0492722.
b.
Observations and Findin s On September 22, 1999, the suction flange of nonsafety-related Main Feedwater Pump 1-1 developed a significant steam leak. The leak was isolated by closing the manual suction and discharge valves.
During the forced outage, contract maintenance personnel performed a temporary leak repair using liquid sealant to stop the steam leak.
After the repair, operators opened the suction and discharge valves and observed no leakage.
On September 30, a significant steam leak was again noted at the suction flange of Main Feedwater Pump 1-1. A contract maintenance mechanic attempted to inject more liquid sealant into the flange; however, a fitting in the leak repair rig blew off, which resulted in a steam leak. Upon notification, operators ramped Unit 1 from 100 to 50 percent power so operators could trip and manually isolate Main Feedwater Pump 1-1. In addition, the shift supervisor initiated a precautionary evacuation of the turbine building in the event that the leak should worsen.
The inspectors noted that the shift supervisor performed frequent crew briefings, used extra personnel appropriately, and exhibited conservative decision making in mitigating the leak.
While the pump was isolated, the mechanics reinstalled the leak repair fitting, checked
~ the tightness of the other leak repair rig fittings, and reinjected the liquid sealant.
Operators unisolated Main Feedwater Pump 1-1, and the licensee verified that the steam leak was stopped.
Licensee investigation revealed that contract mechanics failed to properly tighten the leak repair rig fittings during the Unit 1 forced outage.
The licensee wrote AR A0492722 to place this item into the corrective action system.
The licensee appropriately characterized this issue as a maintenance preventable functional failure.
Conclusions Operators responded well to a significant leak from the suction flange of Main Feedwater Pump 1-1 by immediately ramping down Unit 1, then tripping and isolating the pump. The shift supervisor performed frequent crew briefings, used extra personnel
-4-appropriately, and exhibited conservative decision making in that a precautionary evacuation of the turbine building was ordered upon discovery of the magnitude of the leak.
Maintenance personnel failed to properly tighten a fitting used to inject liquid sealant, as part of a temporary leak repair of the suction flange to nonsafety-related Main Feedwater Pump 1-1. The repair occurred during a forced outage, resulted in a significant flange leak after Unit 1 had returned to 100 percent power, and caused an un'planned downpower to 50 percent.
The licensee subsequently correctly installed the temporary leak repair rig. The licensee appropriately characterized this issue as a maintenance preventable functional failure.
Loss of 500 kV Offsite Power Because of Im ro er Rela Controls Unit 1 Ins ection Sco e 71707 The inspectors evaluated the licensee response to a loss of 500 kV offsite power that had resulted from improper relay controls. The inspectors reviewed ARs A0491947 and A0491953 as part of this inspection.
Observations and Findin s J
On September 23, 1999, with Unit 1 back feeding from the 500 kV offsite power source, Unit 1 lost 500 kV offsite power. System maintenance personnel at the switchyard placed Overvoltage Relay 559-1 in service with a trip signal in place, which opened 500 kV Breakers 532 and 632. As a result, Unit 1 loads automatically transferred to the 230 kV startup transformer.
Because of the slow transfer of the safety-related busses, Turbine-driven AuxiliaryFeedwater Pump (TDAFW) 1-1 automatically started and fed all four Unit 1 steam generators.
TDAFW Pump 1-1 injected for 5 minutes following the loss of power before operators secured the pump. Reactor coolant system temperature decreased 7'F, from 547 F to 540 F. This reactor coolant system cool down decreased pressurizer level such that the letdown system automatically isolated at the,low level setpoint of 17 percent.
Following tripping of TDAFW Pump 1-1, operators restored pressurizer level to the normal band and reinitiated letdown flow.
The licensee determined that the trip of the 500 kV offsite power source occurred when switchyard personnel inappropriately placed nonsafety-related Overvoltage Relay 559-1 in service with the relay in the tripped condition. No instructions or policy statements existed to ensure that the relay was not placed in service with a trip signal present.
Switchyard personnel did not notify control room operators of returning the relay to service.
Following this investigation, offsite personnel reset the relay and restored 500 kV offsite power. The licensee initiated AR A0491947 to enter this item into the corrective action program.
The licensee evaluated the automatic start of TDAFW Pump 1-1 to determine if the start was in accordance with the design basis.
The design for transfer of offsite power from
-5-the 500 to 230 kV source was a dead bus transfer of the onsite safety-related busses, which resulted in a momentary undervoltage condition that started TDAFW Pump 1-1.
Subsequently, the licensee determined that the automatic start of TDAFW Pump 1-1 was an engineered safety features actuation and was reportable within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, as specified in 10 CFR 50.72.
However, because of competing operational priorities, the operating crew reported the event approximately 5~/~ hours following the pump start, despite the plant being stabilized within 20 minutes.
10 CFR 50.72 (b)(2)(ii) states, in part, that the licensee shall report any engineered
'afety features actuations within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to the NRC Operations Center via the Emergency Notification System.
The automatic start of TDAFW Pump 1-1 was an engineered safety features actuation as defined in the Final Safety Analysis Report Update. The failure to report the automatic start of TDAFW Pump 1-1 to the NRC Operations Center within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is a violation of 10 CFR 50.72 (b)(2)(ii). However, this Severity Level IVviolation is being treated as a noncited violation in accordance with Appendix C of the Enforcement Policy. This item is in the licensee's corrective action system as AR A0492245 (275/99014-01).
Conclusions A violation of 10 CFR 50.72 was identified for failure to report an engineered safety features actuation within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to the NRC operations center.
TDAFW Pump 1-1 automatically started on low voltage following a loss of 500 kV startup power. Oper'ators reported this actuation approximately 5~/~ hours later because of competing operational priorities. This Severity Level IVviolation is being treated as a noncited violation in accordance with Appendix C of the Enforcement Policy. This item is in the licensee's corrective action system as AR A0491952.
01.5
'
System maintenance personnel at the switchyard inappropriately placed nonsafety-related Overvoltage Relay 559-1 in service with a trip signal in place, resulting in a loss of 500 kV offsite power and an automatic start of TDAFW Pump 1-1. This transient indicated that controls over switchyard work required improvement.
Allother loads successfully transferred to the startup transformer.
Reduced lnvento Midloo 0 erations Unit 2 Ins ection Sco e 71707 The inspectors provided continuous coverage of the reduced inventory operations during Refueling Outage 2R9. The inspectors used Procedures OP A-2:II"Reactor Vessel - Draining the Reactor Coolant System to the Vessel Flange.,- With Fuel in the Vessel," Revision 22, and OP A-2:III,"Reactor Vessel - Draining to Half Loop/Half Loop Operations with Fuel in the Vessel," Revision 16, as guidance for the inspection.
Additionally, the inspectors evaluated the training and contingencies for the evolution to ensure that the licensee took action to mitigate the potential risk. On occasion during reduced inventory conditions, the inspectors toured the plant to ascertain if equipment was still being maintained as directed by procedures for maintaining outage safety.
-6-Observations and Findin s b.1 Back<around During Refueling Outage 2R9, the licensee scheduled the re'actor coolant system to be drained to reduced inventory (midloop) to install steam generator nozzle dams.
The early reactor coolant system draindown to midloop had a high decay heat load, with a time to boil less than 20 minutes upon a loss of shutdown cooling.
The planned electrical configuration of Unit 2 during reduced inventory included all three diesel engine generators available and only one source of offsite power. The licensee maintained:
(1) the startup transformer available and protected, while replacing the main bank transformer, (2) both residual heat removal pumps operable, and (3) only one auxiliary saltwater pump available since the crosstie to the Unit 1 auxiliary saltwater system was available. This equipment configuration for midloop operations exceeded that required by the Technical Specifications.
b.2 Pre arations The inspectors walked down the level indication systems, verified that midloop coordinators were in place, verified that venting rigs were staged for the residual heat removal pumps, and ensured that the offsite power sources were protected.
In addition, the inspectors reviewed the lesson plans and training records.
The inspectors noted that the training included draindown, maintenance and refillfor midloop operations, as well as several casualties.
The inspectors concluded that the training, preparations, and contingencies for early midloop operations were conservative and properly implemented.
b.3 Level Indication During the initial reduction in reactor inventory, the inspectors observed that the licensee had three official level indications:
(1) wide-range level from a differential pressure detector, (2) narrow-range level from a separate differential pressure detector, and (3) a sight glass.
The licensee also connected trial level indication which consisted of wide-range level using two separate pressure detectors, narrow range level using two more pressure detectors, and hot-leg level indication using an ultrasonic detector.
The inspectors observed that when the reactor water level was lowered toward midloop, both normal and trial wide-and narrow-range detectors within 2 inches of each other.
When level was lowered below the top of the hot-leg, the ultrasonic detector consistently, read approximately 2 inches lower than the other indications. When the licensee stopped draining, all the normal and trial instrumentation read within the 4-inch target level band.
The inspectors noted that the ultrasonic level detector provided an indication completely separate from the other level systems and therefore greatly increased the confidence of the indication.
-7-b.4 Drain and Refill of the Reactor Coolant S stem Durin Mid-loo On October 2, 1999, operators drained the reactor coolant system to reduced inventory (107 feet, 10 inches).
Operators implemented a conservative draining rate to carefully implement the procedure.
Draindown to midloop occurred with no problems.
After approximately 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> at midloop, the licensee commenced refillof the reactor coolant system.
Shortly after commencing refillof the reactor coolant system, operators announced that they were draining Steam Generator 2-2. Procedure OP A-2:III,Section 4.2.2 required at least two steam generators to be filled to at least 15 percent on the narrow-range with the reactor coolant system at reduced Inventory, as a backup method of decay heat removal. At this time', Steam Generators 2-1 and 2-2 were at approximately 25 percent on the narrow range, and Steam Generators 2-3 and 2-4 were at 50 percent wide range.
The inspectors questioned the shift supervisor as to whether Procedure OP A-2:III, Section 4.2.2 allowed draining of an additional steam generator while in reduced inventory. The shift supervisor stopped the draindown of Steam Generator 2-2 before the level was decreased.
The licensee initiated an event trending record to track this inattention to detail.
Subsequent licensee review revealed that steam generator reflux cooling was designed to"occur when the reactor coolant system was intact. Therefore, draining Steam Generator 2-2 after the primary system nozzle dams were installed would have no potential safety consequence.
The licensee stated that Procedure OP A-2:IIIwould be revised to allow steam generator draining when the reactor coolant system was no longer intact. The inspectors noted that, although the midloop procedure was not violated and subsequent review of the outage safety plan revealed that cooling with the steam generators was only possible with the reactor coolant system intact, operators demonstrated poor attention to detail.
b.5 Offsite Power Because the licensee replaced the main transformers, the licensee provided a risk analysis that demonstrated that the reliability of the startup power source.
Further, the diesel engine generators provided a very low probability for loss of electrical power during this risk-sigriificant operation.
The inspectors observed that Startup Transformer 2-2 was physically separated from the main transformers, had vehicle barriers installed, and had no major work ongoing.
After completion of midloop operations, reactor water level was increased to approximately 4 feet above the hot-leg (1 foot above the defined conditions for reduced inventory). The outage safety plan defined this condition as a higher risk condition because of the short time to boil. The inspectors observed that a full sized semi and trailer set within a few feet'of Startup Transformer 2-2. In order to get the truck into this location, the licensee had:
(1) removed the vehicle barriers, (2) backed the truck and trailer directly in front and near the transformer, and (3) continued to back the trailer
-8-while making a 90 degree turn into a narrow space between the transformer and a light pole. The trailer contained a personnel liftingdevice for work on the connection to the turbine building of the lightning wires above the 500 kV lines.
The licensee stated that they had controlled the truck movement with an independent observer and that, because the reactor head was de-tensioned, the risk from loss of electrical power was reduced because of the ability to gravity feed. The licensee indicated that all three diesel engine generators were available.
The inspectors observed that one of the diesel engine generators was paralleled to the startup power for a 24-hour full load run and could have been damaged along with the startup power.
The inspectors also noted that the licensee flooded the refueling cavity later in the day, which would have reduced the impact of loss of offsite power.
The inspectors observed that the outage risk plan indicated the startup power source would be protected from production work that could compromise the startup power source when the second source of offsite power was not available.
The inspectors considered use of observers to control the truck movement did not provide the same protection as the vehicle barriers.
Conclusions The training, preparations, and contingencies for early midloop operations were conservative and properly implemented.
Operable equipment exceeded that required by the Technical Specifications.
The pre-evolution briefings were thorough and informative. The training for midloop operations included draindown, maintenance and refillfor midloop operations, as well as several casualties.
Operators drained down to the midloop condition, maintained level, and refilled the reactor coolant system in a careful, deliberate manner.
The addition of new methods of level indication was an excellent initiative, which provided a diverse method of vessel level indication. These diverse methods included two new wide-and narrow-range level systems using pressure transmitters and ultrasonic indication on the loop piping.
Operators started to drain Steam Generator 2-2 based on a misunderstanding of a prerequisite.
The midloop procedure required at least two steam generators to be filled'o 15 percent on the narrow-range with the reactor coolant system at reduced inventory.
However, operators incorrectly believed that the prerequisite referred to 15 percent on the wide-range.
After the inspectors identified this issue to the operators, operators
- stopped the steam generator drain prior to lowering level below 15 percent on the narrow-range.
Although the midloop procedure was not violated, and subsequent review of the outage safety plan revealed that maintaining water in the steam generators was only required when the reactor coolant system intact, operators demonstrated poor attention to detail.
Even though the outage risk plan required that the single source of offsite power be protected from production work, the licensee parked a truck within several feet of the single source of offsite power. The licensee had to remove the vehicle barriers to place the truck in this location.
-9-II. Maintenance M1 Conduct of Maintenance M1.1 Maintenance Observations Ins ection Sco e 62707 The inspectors observed all or portions of the following work activities:
Work Order
~Desert ttcn C0158026 Replace Centrifugal Charging Pump 2-2 pump and speed increaser C0164120 ModifyCentrifugal Charging Pump 2-2 discharge piping (Line 2-S6-46-4).
C0164140
=
Remove section of Centrifugal Charging Pump 2-1 Suction Line-42 piping.
C0164141 Repair Centrifugal Charging Pump 2-1 Suction Line-42, broken weld on CVCS-2-56.
'M001 9841 Main Feedwater Pump 1-1, temporary leak repair inlet flange leak (Wirewrap)."
R018323903 Steam Generator 2-1, installation of steam generator nozzle dams to support steam generator tube eddy current examinations.
R018323803 Steam Generator 2-2, installation of steam generator nozzle dams to support steam generator tube eddy current examinations.
R018323603 Steam Generator 2-3, installation of steam generator nozzle dams to support steam generator tube eddy current examinations.
R018323703 Steam Generator 2-4, installation of steam generator nozzle dams to support steam generator tube eddy current examinations.
C0162878 Freeze Seal for valve maintenance C0156893 CS-2-8992, disassemble, inspect valve M0019675 Troubleshoot and repair main annunciator b.
Observations and Findin s The inspectors concluded that each of these work activities was performed satisfactorily, except as noted below.
)
i-10-M1.2 'roubleshootin Main Annunciator Failures Unit 1 a.
Ins ection Sco e 62707 On August 27, 1999, the inspectors observed troubleshooting activities in accordance with Work Order M0019675 in response to alarm problems documented in AR A0490354. This AR reported that a number of main annunciator alarms had occurred after installation of new software designed to prevent failure upon turnover to the Year 2000 (Y2K).
b.
Observations and Findin s Operators responded to multiple unexpected alarms after software designed to prevent Y2K-problem failures was installed in Unit 1. Operators followed the specific alarm response procedures and determined that the main annunciator system generated the
, spurious alarms.
Alarms for main annunciator trouble and main annunciator maintenance terminal trouble were valid.
Technical maintenance personnel used the maintenance terminal to identify potential defective cards and replaced defective cards in the main annunciator system.
No attempt was made to determine if any of the spurious alarms received by the operators indicated that the associated alarms were inoperable.
Technical maintenance personnel stated that all the failures occurred in Channel A of the main annunciator system and that Channel B would have still annunciated valid alarms.
Technical maintenance personnel installed 25 new cards and then initiated a complete internal test of the main annunciator system.
In general, the test internally energized all the energized-to-alarm annunciators and removed power to all the deenergized-to-alarm annunciators.
The test was also divided by channel and multiplexing unit.
The inspectors discussed the failures with the system engineer.
The system engineer stated that the failures were associated with enabling an internal self-testing circuit during the Y2Ksoftware upgrades, which was totally independent of Y2K changes.
The inspectors reviewed the upgrades the licensee made and agreed with the system engineer that the failures were not Y2K software related.
During the test, the inspectors observed excellent coordination among technical maintenance personnel, the system engineer, and the control room staff. Technical maintenance personnel obtained permission and informed the control room staff for each test, as all the alarms illuminated in the control room. A specifically assigned licensed operator supported the testing and immediately verified that the alarms occurred in the train being tested and did not mask a concurrent valid alarm from the other train.
During one test, the inspectors observed that one channel of diesel engine generator
.
relay protection did not alarm as required. The inspectors observed that neither the technical maintenance personnel nor system engineer recorded this information in Work Order M0019675 when it was observed or after completion of the specific test. The licensee completed the work on August 27 and signed the work order as complete;
-11-however, on August 31, the inspectors reviewed the associated work order and the daily ARs and could not identify where the licensee had documented and corrected the emergency diesel generator aiarm input failure.
The inspectors asked the system engineer about the failed diesel engine generator alarm input. The system engineer stated that three inputs had failed to produce alarms; however, all,three inputs had been verified by applying an alarm signal external to the test circuit. The system engineer also stated that he had requested a technical maintenance employee to initiate an AR to document the test circuit failure.
Subsequently, after the inspectors asked, the system engineer determined that the AR had not been written and initiated AR A0490604 on September 1. The system engineer stated that he would have noted that the problem had not been documented independent of the inspectors'equest.
The inspectors noted that the specific test of the three failed alarms was also not documented in the work order.
On September 17, the system engineer informed the inspectors that he had completed bench testing of 14 of the 25 failed circuit cards and had determined that all of the cards responded properly to valid input signals.
The system engineer stated that the remaining cards had been sent to the vendor to determine whether the cards were really defective or the internal self-testing circuit was not functioning properly.
'onclusions The inspectors concluded that testing'of main annunciator alarms was well coordinated by technical maintenance, system engineering, and.control room personnel.
During main annunciator system testing after multiple card replacements, the inspectors observed that licensee personnel did not document a nonsafety-related main annunciator test failure until questioned by the inspectors 4 days later. The inspectors considered that the failure to document alarm problems when they were observed was a poor work practice.
M1.3 Centrifu al Char in Pum 2-2 Re lacement Unit 2 Ins ection Sco e
The inspectors observed maintenance activities associated with replacement of Centrifugal Charging Pump 2-2.
b.
Observations and Findin s The inspectors observed good craft work when maintenance personnel replaced Centrifugal,Charging Pump 2-2.
In addition, the inspectors observed good radiation protection support and good radiation practices in maintaining control of radiological contamination present on surfaces exposed by the work.
While observing the pump replacement, the inspectors noted that inservice inspection personnel were using a 1-inch stainless steel drain line as a step and stand while cleaning a weld. The inspectors observed that the line had an unsupported span of
-12-approximately 38 inches, that the line sagged when stood upon, but returned to its original position when unloaded.
The inspectors questioned the person standing on the
'ipe.
This person stated that it was acceptable to stand on piping that was 1 inch in diameter or greater and continued to do so. The inspectors requested conformation from management personnel that it was acceptable to stand on 1-inch lines.
Management personnel stated that it was not acceptable but no written guidance existed.
Engineering personnel inspected the, line in question and concluded that no damage had occurred.
The licensee issued a notice to workers that personnel should not stand on piping less than 2 inches in diameter.
Conclusions The replacement of Centrifugal Charging Pump 2-2 was performed well and included good radiation protection work practices.
The inspectors identified a poor work practice in that personnel stood on small bore pipe, not designed for this type of loading.
Licensee management responded appropriately by issuing a notice to all employees refrain from standing on piping less than 2 inches in dianieter.
Engineering personnel inspected the line in question and determined by engineering judgement that no damage had occurred.
Surveillance Observations Ins ection Sco e 61726 The inspectors observed performance of the following surveillance test procedure:
STP M-9A
"Diesel Engine Generator Routine Surveillance Test," Revision 54 Observations and Findin s The inspectors observed that during a 1-hour loaded test of Diesel Engine Generator 2-2 in accordance with Procedure STP M-9Athat the governor actuator oil level was below the minimum level specified by the manufacturer for an operating engine.
The vendor required oil level was incorporated into Procedure STP M-9A. The inspectors notified the shift foreman, and the licensee added oil to the governor actuator.
Control Room L'i ht Socket Failures Ins ection Sco e 62707 The inspectors evaluated the licensee response to an observed increasing trend in control room light socket failures.
In addition, the inspectors witnessed several inspections and'replacements of the light sockets. The inspectors reviewed ARs A0488656, A0490737, A0490663, and Nonconformance Report N00021 02 to support this inspection.
-13-Observations and Findin s On July 27, 1999, a shift supervisor requested an operability evaluation of a system when an operator broke a control board light socket during bulb replacement.
In 1998, 23 of theselight sockets failed, and 19 had failed up to this point'in 1999. The operability evaluation determined that, if the indicating light socket broke, the light socket would no longer be seismically qualified. This could result in a short circuit that would fail the control power fuse for the component.
Because of the increasing trend in socket failures, the licensee performed a sample inspection of Westinghouse EZC Minalite bulb sockets (model prone to failure). The licensee selected the eight oldest sockets installed in the plant for internal visual inspection on August 27. Following the visual inspection, the socket was subjected to a 3 pound downward force with an instrumented rod to simulate operators replacing a burnt out bulb. If technicians found that the socket broke or cracked, the component was declared inoperable and the socket replaced.
Technicians identified two control room light socket failures. Based on these failures, the licensee increased the size of the sample and found additional failures. On September 2, the licensee determined that a potential generic common mode failure existed with respect to control room light sockets and initiated a 100 percent inspection of the sockets for both units.
The licensee developed a procedure and an inspection plan for the socket inspections.
Engineering personnel categorized the scope of the work documents based the effect of a failed socket on the plant (i.e., from no effect on the plants with a limiting condition for operation greater than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to the potential to cause a plant trip).
Within these categories, the licensee prioritized the sequence of components to be inspected based on the risk achievement worth associated with the internal event probabilistic risk assessment.
The inspectors questioned this risk approach for two reasons.
First, the potential failure mode of a component with a failed light socket was a loss of control power by a short circuit during a seismic event. The Final Safety Analysis Report committed the licensee to achieve and maintain safe shutdown in a seismic event.
Based on the inspectors'uestioning, the licensee altered their sequence such that a train of safe shutdown would be inspected and assured operable as the first priority. Second, the inspectors also noted that the risk ranking of the systems was not based on susceptibility to a seismic event; consequently, the licensee reperformed the risk ranking based upon a seismic event at the plant. The final plan ensured one train of safe shutdown components was operable; however, but within that train, inspecting the most seismic risk significant items first.
The licensee aggressively inspected and repaired the control board light sockets at a rate of approximately 100 per day. The licensee completed the Unit 1 inspections during the forced outage from September 22 through 24. The licensee completed the Unit 2 inspections during Refueling Outage 2R9, such that all of the inspections were complete as of the end of this inspection period. The licensee performed approximately 1300 socket inspections and identified 48 failures, which included a number of safety and risk-significant components.
AuxiliarySaltwater Pump 2-2, Component Cooling Water Pump 2-2, TDAFW Pump 1-1, and the residual heat removal to safety injection
0
"-14-crossover valve were examples.
The licensee initiated Nonconformance Report N0002102 to review the potential safety significance of the failed components, with respect to the ability to achieve and maintain safe shutdown in a seismic event.
The inspectors will evaluate the potential safety consequence when the licensee review is complete.
Therefore, the failure of control room light sockets is an unresolved item (275; 323/99014-02).
Conclusions The licensee exhibited excellent initiative and a good focus on safety by inspecting all control room light sockets after operators noted an increasing trend in socket failures when changing out control board light bulbs. When additional failures were found during a sample inspection, the licensee commenced a 100 percent inspection.
The licensee initiallyprioritized the control room socket inspections incorrectly. The inspectors identified that the inspection priority did not focus on ensuring a train of safe shutdown for a seismic event (probable socket failure mechanism) but focused on the risk achievement worth of internal events.
Subsequently, the licensee adjusted the inspection priority based on the external event or seismic risk assessment.
The licensee identified 48 control board light socket failures, many of which affected the control power for safety related systems, out of 1300 sockets inspected.
In order to review the potential safety consequence of the simultaneous failure of all of these items, this issue willbe treated as an unresolved item.
Im ro er Installation of Control Power Fuses Unit 1 Ins ection Sco e 62707 The inspectors evaluated the licensee's response to AR AO491213, which discussed an event that the dc control power fuses for local operation of Diesel Engine Generator 1-2 were found installed improperly.
Observations and Findin s On September 11, 1999, the licensee performed a clearance to support control room light socket testing (refer to Section M1.5) associated with Diesel Engine Gene'rator 1-2.
The clearance required operators to place the Local/Remote switch for Diesel Engine Generator 1-2 in the "Local" position. When control of Diesel Engine Generator 1-2 was transferred to local operation, operators unexpectedly received the annunciator "Loss of DC Control Power," for Diesel Engine Generator 1-2. The licensee initiated an AR to enter this item into the corrective action system.
The licensee found that the control power fuse holder for local operation of the output breaker was installed upside down. After operators installed the fuse holder properly, the annunciator cleared.
Maintenance personnel had not worked in this panel since Refueling Outage 1R9 in March of 1999, indicating that this condition had existed for 6 months. The licensee believed that the fuse holder had been repositioned to upside
-15-down to support preventative maintenance in the Diesel Engine Generator 1-2 local control panel.
However, the licensee had not identified the root cause of the mispositioned fuse holder by the end of this inspection period. The inspectors will further review this item for enforcement when the licensee completes the evaluation.
The failure to properly install the local control power fuse holder for Diesel Engine Generator 1-2 is an Unresolved Item (275/99014-03).
The licensee performed a preliminary evaluation of the potential safety consequences of the mispositioned fuse holder. The licensee noted that, for the design basis loss-of-coolant accident, Diesel Engine Generator 1-2 was required to start automatically using the normal control power circuit. However, the fire protection and safe shutdown analysis credited the ability to start and load each of the diesel engine generators locally. Thus, Diesel Engine Generator 1-2 was unavailable for these functions. The licensee stated that the mispositioned fus'es were likelyto be easily identified if a diesel engine generator failed to start or load locally, mitigating the potential safety consequence.
The inspectors will review the licensee evaluation upon closure of the unresolved item.
Conclusions Licensee personnel improperly installed the dc control power fuses for local operation of the output breaker for Diesel Engine Generator 1-2. This condition existed for 6 months, but only affected the availability of Diesel Engine Generator 1-2 for fire or safe shutdown scenarios.
This issue is being tracked as an unresolved item until the licensee completes the root cause and safety consequence evaluations.
Maintenance and Materiel Condition of Facilities and Equipment Plant Materiel Condition Units 1 and 2 General Comments 62707 The inspectors reviewed the overall plant materiel condition as it related to the overall plant readiness to prevent transient initiators and mitigate accidents.
The inspectors noted that plant materiel condition was good and improved over the past 6 months.
The licensee had decreased the number of control room deficiencies, which allowed both units to sustain essentially a "blackboard" condition while the units were operating.
In addition, the maintenance backlogs of both units had substantially decreased over the last 6 months.
In preparation for storm season, the licensee ensured that the important support equipment in the intake structure was operational.
The kelp grinders, screen wash pumps, and traveling screens were all available to aid in combating a potential kelp intrusion.
-16-MS M8.1 Miscellaneous Maintenance Issues (92700)
Closed Licensee Event Re ort LER 275/1997-014-00:
Technical Specification 3.8.1.1 not met because of personnel error.
On July 17, 1997, operators failed to complete the monitoring requirements of Technical Specification 3.8.1.1, Action b, when a diesel engine generator was inoperable.
Specifically, the operators performed the initial surveillance within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to verify availability of offsite power but failed to again perform the surveillance within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, as required. After identification of the missed surveillance, operators immediately verified the offsite power alignment.
The licensee attributed the root cause to personnel errors by the shift technical advisor and shift foreman, in that they failed to ensure proper performance of the conditional surveillance.
The licensee counseled the operators regarding the need for attention to detail when tracking a surveillance and provided additional timing devices for conditional surveillance tracking in the control room.
The inspectors noted that LERs 323/1997-004-00, 275/1998-005-00, and 275/1999-004-00, documented additional examples of personnel errors that resulted in failure to comply with Technical Specification 3.8.1.1.
However, the inspectors determined that each of the occurrences had different root causes and concluded that this was not a repetitive violation. The inspectors determined that the failure to perform the required Technical Specification surveillance was a violation of Technical Specification 3.8.1.1, Action b. However, this Severity Level IVviolation is being treated as an example of a noncited violation, consistent with Appendix C of the Enforcement Policy. This item was placed in the corrective action system as Nonconformance Report N0002035 (275/99014-04, Example 1).
M8.2 Closed LER 275/1 999-004-00:
Technical Specification 3.8.1.1 not met because of personnel error.
On July 6, 1999, operators failed to complete the conditional surveillance requirements of Technical Specification 3.8.1.1, Action c, when the offsite 230 kV startup power source was inoperable.
Specifically, the operators failed to perform the conditional surveillance within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to verify availability of other power sources.
Operators were performing a procedure that required de-energizing of one source of offsite power and one diesel engine generator on several occasions; therefore, the operators were required to perform Technical Specification 3.8.1.1, Action c several times.
On one occasion, control room personnel noted the need to perform the action but failed to do so within the required 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. After identification of the missed surveillance, operators immediately verified the remaining power sources.
The licensee determined that the shift foreman failed to ensure proper performance of the surveillance.
The licensee counseled the operator regarding the need for attention
-17-to detail when tracking conditional surveillances and stated that the associated procedure would be enhanced to provide specific requirements for ensuring completion
. of conditional surveillances.
The inspectors noted that LERs 323/1 997-004-00, 275/1 997-014-00, and 275/1998-005-00 documented additional examples of personnel errors that resulted in failure to comply with Technical Specification 3.8.1.1.
However, the inspectors determined that each of the occurrences had different root. causes and concluded that this was not a repetitive violation. The inspectors determined that the failure to perform the requir'ed Technical Specification surveillance was a violation of Technical Specification 3.8.1.1, Action c. However, this Severity Level IVviolation is being treated as a noncited violation consistent with Appendix C of the Enforcement Policy. This item was placed in the corrective action system as Nonconformance Report N0002099 (275/99014-04, Example 2).
M8.3 Closed LER 275/1 999-005-00:
Technical Specification 4.1.1.1a not met because of personnel error.
On July 13, 1999, operators failed to complete the monitoring requirements of Technical Specification 3.1.1.1,,after declaring the rod control system inoperable.
Specifically, operators failed to perform Technical Specification Surveillance Requirement 4.1.1.1a within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to verify the required shutdown margin. Operators declared the rod control system inoperable but trippable after observing unwarranted inward rod motion.
Operators entered Technical Specification 3.1.3.1, Action c for inoperable rods; however, operators failed to enter Technical Specification 3.1.1.1 to verify shutdown margin. On July 15, system engineers informed the operators that planned troubleshooting could affect the rod insertion limitmonitor alarm. At this time, operators completed Technical Specification Surveillance Requirement 4.1.1.1a.
Operators subsequently realized that they had failed to perform this conditional surveillance when initiallyrequired.
The licensee attributed the root cause to personnel error by the operating crew and lack of Technical Specifications guidance concerning the relationship between Technical Specifications 3.1.1.1 and 3.1.3.1, Action c. The licensee observed that the Improved Technical Specifications provided adequate guidance.
The licensee planned to provide additional guidance for existing Technical Specifications until the Improved Technical Specifications are implemented.
The inspectors noted that LERs 323/97-004-00, 275/97-014-00, 275/98-005-00, and 275/99-004-00 documented additional examples of personnel errors that resulted in failure of operators to comply with Technical Specifications conditional surveillance requirements.
However, the inspectors determined that these other occurrences involved failure to complete known conditional surveillances'and not a failure to note that a conditional surveillance was required.
In addition, LER 275/99-002-00 reported a Technical Specification error because an operator misunderstood howe calibration procedure affected the reactor protection system.
Therefore, the inspectors considered that this LER had different root causes and concluded that this was not a repetitive violation. The inspectors determined that the failure to perform the conditional
-18-surveillance was a violation of Technical Specification 3.1.1.1.
However, this Severity Level IVv'iolation is being treated as a noncited violation consistent with Appendix C of the Enforcement Policy. This item was placed in the corrective action program as Nonconformance Report N00021 00 (275/99014-05).
The inspectors observed that, although the root causes were not always the same, the LERs discussed in this section and the LERs discussed in Sections M8.1 and M8.2 all related to operator compliance with Technical Specifications.
The Director of Operations briefed the inspectors on planned actions to address the causes of these LERs. These planned actions also addressed implementation of the Improved Technical Specifications the following year and included changes in control room staffing, additional technical support, and improved training.
Conduct of Engineering Modification of Main Feedwater S eed Control S stem Unit 2 Ins ection Sco e 37551 The inspectors reviewed Design Change DC2-SE-50419, "Main Feedwater.Speed Control System," for any interfaces with safety-related systems.
Observations and Findin s The inspectors observed that power for the new main feedwater speed control system power supplies was to be supplied from safety-related (Class 1E) inverters. The inspectors reviewed the system design and determined that this nonsafety-related (non-Class 1E) system was isolated from the Class 1E inverters by a single pole, 20-amp circuit breaker.
Desi n Basis The Final Safety Analysis Report Update, Section 8.3.1.4.1, stated that Diablo Canyon was not built to the electrical separation requirements of Regulatory Guide (RG) 1.75,
"Physical Independence of Electric Systems."
However, Section 8.3.1.4.1 also stated that the licensee would incorporate RG 1.75 in new installations when feasible.
Licensee design installation documents repeated this requirement but did not further define feasible.
RG 1.75, Revision 2, specified that non-Class 1E circuits supplied from Class 1E power sources shall be isolated from,the Class 1E power system by a method other than circuit breakers that only interrupt fault current.
RG 1.75 also recommended specific methods for separation of cables and stated that faults on non-Class 1E loads that are supplied by Class 1E power sources shall not impact Class 1E loads supplied from the same power sources.
-19-Design Criteria Memorandum T-19, "Electrical Separation and Isolation," Section 4.4, defined an electrical isolation device as preventing a malfunction on a non-Class 1E circuit from having an unacceptable influence on a Class 1E circuit.
Design Criteria Memorandum T-18, "Electrical Protection Systems," Section'4.3, stated that when fuses or circuit breakers were used as isolation devices the isolation devices willbe coordinated with supply circuit breakers.
Procedure CF3.ID9, "Design Change Package Development," Revision 11, required personnel preparing design changes to ensure that new designs conform to RG 1.75 and, where such conformance was not feasible, required that an explicit statement for the basis for.this determination be included in the design change.
b.2 Review of Desi n Chan e DC2-SE-50419 The inspectors reviewed Design Change DC2-SE-50419 and observed that the design change used a 20-amp circuit breaker'to isolate this non-Class 1E load from its Class 1E power source.
The inspectors observed that this circuit breaker did not comply with the requirements of RG 1.75 for use of an isolation device other than one that only interrupts faults.
In addition, the inspectors determined that Design Change DC2-SC-50419 did not contain a discussion as to why conformance to RG 1.75 was not feasible, as required by Procedure CF3.ID9.
The inspectors evaluated whether the 20-amp circuit breaker could prevent malfunctions on the non-Class 1E main feedwater pump speed control circuits from unacceptably influencing the Class 1E circuits. The inspectors observed that Design Change DC2-SE-50419 did not include the isolation circuit breaker trip characteristics or circuit worst case calculated fault current.
Upon request, the licensee provided the 20-amp circuit breaker trip curves and the projected worst case fault current for the largest load on the inverter. The licensee stated that, since the worst case load current was adequately coordinated with the 20-amp circuit breaker, this design bounded the new feedwater speed control system and that no specific calculation had been performed.
The inspectors observed that the licensee had established proper coordination between the inverter and the 20-amp circuit breaker; however, the calculated fault current for the worst case load was higher than th'e current limitof the inverter. The inspectors observed that the inverter would limitany fault to 125 percent of inverter rating. When the inverter reached this 125 percent current rating (-200 amps), the inverter would switch to a backup transformer supply, which was not connected to a safety-related battery. This swapover removed the safety-related battery from supplying other Class 1E loads and would place the unit in Technical Specification 3.8.2.1, with a 24-hour allowed outage time. If for some reason the backup transformer source was not available, the inverter would continue to carry the fault load within the inverter current limit.
Next, the inspectors evaluated the fault capability limits of the inverter and backup transformer.
Vendor test data for the inverter and backup transformer indicated that this equipment could supply approximately 375 amps before the output voltage degraded by
-20-greater than 10 percent.
At higher currents both the inverter and backup transformer limited the current output by sharply reducing the voltage output (voltage collapse) within one cycle of a fault. The inspectors noted that licensee design criteria, memorandums did not include directions to consider inverter voltage collapse when evaluating the effect of malfunctions on non-Class 1E loads on the inverters and Class 1E loads.
The inspectors compared the fault capability of the inverter and backup transformer with the worst case fault data provided by the licensee.
The inspectors found that the data indicated that a maximum fault on the control room radiation monitoring system resulted in voltage collapse and loss of power to all the Class 1E loads supplied by the inverter.
The inspectors discussed this conclusion with the licensee.
The licensee stated that the control room radiation monitoring system was a Class 1E system (worst case load) and did not require an isolation device.
Following inspector questions, the licensee performed a fault calculation for the actual planned feedwater control system installation and compared this calculation with the 20-amp circuit breaker trip characteristics.
The licensee concluded that faults at the load would be isolated from the Class 1E supply by the 20-amp supply circuit breaker before the inverter voltage collapsed or inverter supply circuit breakers tripped. The inspectors reviewed the calculation and observed that faults on the non-Class 1E supply cables to the feedwater speed control system could exceed the inverter and backup transformer current limit rating. Therefore, non-Class 1E cable faults would cause inverter voltage collapse before the 20-amp supply circuit breaker could isolate the fault, which would cause a loss of voltage to all the Class 1E loads on the inverter.
The inspectors noted that, since Design Change DC2-SE-50419 did not discuss exceptions to RG 1.75, compliance to RG 1.75 was required by Procedure CF3.ID9.
The inspectors concluded that the design failed to comply with RG 1.75 separation criteria, both because the design used only an isolation device to interrupt current and because the current interrupt characteristics of the device used would not preclude an unacceptable influence on Class 1E systems.
The inspectors provided this conclusion to the licensee.
b.3 The inspectors considered that these design deficiencies constituted a violation of 10 CFR Part 50, Appendix B, Criterion III, Design Control, which requires, in part, that the design basis shall be correctly translated into procedures and instructions.
However, this Severity Level IVviolation is being treated as a noncited violation, consistent with Appendix C of the Enforcement Policy (323/99014-06).
Corrective Actions The licensee issued a field change notice to add fuses in series with the 20-amp supply circuit breaker to the feedwater speed control system and to address why other requirements of RG 1.75 were not feasible.
The licensee initiated ARs A049073, A0491436, and A0494173 to address:
(1) the addition of inverter current limiting characteristics to design criteria; (2) the root cause for failure of the design to address RG 1.75 as required, (3) the adequacy of the isolation of other non-Class 1E circuits powered from Class 1E inverters, and (4) the
-21-isolation of other non-Class 1E circuits powered from Class 1E inverters, and (4) the addition of guidance on determining what parts of RG 1.75 are feasible at Diablo Canyon.
The inspectors considered that the licensee's corrective actions were adequate.
Conclusions A violation of 10 CFR Part 50, Appendix B, Criterion III, "Design Control,", occurred because Design Change DC2-SE-50149 did not provide adequate isolation between non-Class 1E loads and Class 1E inverters. The design failed to ensure that malfunctions on the non-Class 1E circuits would not cause failure of Class 1E equipment.
The failure to recognize and include inverter current limiting characteristics in design criteria documents contributed to this deficiency.
However, this Severity Level IVviolation is being treated as a noncited violation, consistent with Appendix C of the Enforcement Policy. The licensee modified the design and placed this item in the corrective action system as ARs A049073, A0491436, and A0494173.
ES Miscellaneous Engineering Issues E8.1 Y2K Readiness Ins ection Sco e Tl 2515/141 Revision
Temporary Instruction 2515/141, Revision 1, "Review of Year 2000 (Y2K) Readiness of Computer Systems at Nuclear Power Plants," required that inspections be performed for systems which were not Y2K compliant by July 1999.
For Diablo Canyon, the only system not ready in July 1999 was the main annunciator system in both Units 1 and 2.
The licensee stated that the main annunciator system was completed on September 21.
The inspectors reviewed completion of the main annunciator system in accordance with Temporary Instruction 2515/1 41; Revision 1.
b.
Observations and Findin s
The inspectors reviewed the main annunciator system Y2K assessment documents, testing and validation records, certification documents, and contingency plans and observed system testing. The inspectors used the detailed system guidance from Temporary Instruction 2515/141 to assist in determining acceptable Y2K compliance.
The inspectors determined that records demonstrated acceptable Y2K compliance.
The inspectors observed that actual Y2K testing met the required performance criteria. The licensee did not have specific contingency plans for failure of the main annunciator system.
The licensee included this system in overall site contingency planning. The inspectors determined that this method was acceptable using the guidance of Temporary Instruction 2515/1 41.
-22-c.
Conclusions The inspectors considered that the main annunciator system met the Y2K compliance guidelines of Temporary Instruction 2515/141, Revision 1. This review completed the inspectors'ollowup of Y2K readiness.
IV.
R1 Radiological Protection and Chemistry Controls R1.1 Im ro er Hi h Radiation Area Ent Units1 and 2 a.
Ins ection Sco e 71750 The inspectors evaluated the licensee response to ARs A0492245 and A0492992, which discussed two examples of improper entry into a high radiation areas.
b.
Observations and Findin s b.1 Im ro er Hi h Radiation Area Ent in Unit 1 Auxilia Buildin On September 27, 1999, a radiation protection technician identified that an individual in the auxiliary building 100-foot level penetration area was not displaying a high radiation area briefing tag, which was required to indicate that the individual was adequately briefed on the dose rates.
This area was posted as a high radiation area because of the elevated dose rates following residual heat removal initiation. The radiation protection technician escorted the individual from the area and wrote AR A0492245.
Investigation revealed that the individual was an experienced engineer that infrequently entered the radiologically controlled area.
This individual was not sufficiently familiar with the requirements for high radiation area entries.
The individual wore the required monitoring device but did not obtain a radiation protection department briefing prior to entry into the high radiation area.
Licensee management took the applicable administrative action for the individual, briefed engineering services personnel on the occurrence, and provided an electronic description of the occurrence to all employees.
The licensee was evaluating enhancements to training requirements with respect to radiation protection at the end of this inspection'eriod.
Technical Specification 6.12.1.b states, in part, that individuals permitted to enter high radiation areas may enter such areas if they have in their possession a radiation monitoring device that continuously integrates the radiation dose rate and alarms when a preset dose is received.
Entry into such areas with this monitoring device may be made after the dose rates have been established and the applicable personnel have been made knowledgeable of them. Therefore, the failure to obtain a radiation protection briefing of the dose rates prior to entry into a high radiation'area is a violation
-23-of Technical Specification 6.12.1.b.
However, this Severity Level IVviolation is being treated as a noncited violation in accordance with Appendix C of the Enforcement Policy. This item is in the licensee's corrective action system as AR A0492245 (275; 323/99014-07, Example 1).
b.2 Im ro er Hi h Radiation Area Ent in Unit 2 Containment On October 3, 1999, while movement of the Unit 2 reactor head was in progress, radiation protection technicians identified that two contractors in a high radiation area did not have the required high radiation area identification card. The radiation protection technicians challenged the contractors as to their knowledge of the dose rates.
When the contractors replied. incorrectly, the radiation protection technicians escorted the contractors from the area.
The licensee initiated AR A0492992 to enter this item into the corrective action system.
Licensee investigation revealed that the contractors believed that, since the radiation work permit allowed entry into a high radiation for their specific task, the radiation work permit allowed entry into any high radiation area.
The contractors also believed that they were knowledgeable of the area dose rates because they knew the generic definition of a high radiation area.
The licensee pulled the contractors'adiologically controlled area access authorization.
In addition, the licensee conducted a standdown with contract personnel to emphasize the requirements for entry into high radiation areas and radiation worker practices overall. The inspectors determined that the licensee actions were appropriate to the circumstances.
Technical Specification 6.12.1.b states, in part, that individuals permitted to enter high radiation areas may enter such areas if they have in their possession a radiation monitoring device that continuously integrates the radiation dose rate and alarms when a preset dose is received.
Entry into such areas with this monitoring device may be made after the dose rates have been established and the applicable personnel have been made knowledgeable of them. Therefore, the failure of the contractors to obtain radiation protection briefings of the dose rates prior to entry into a high radiation area is a violation of Technical Specification 6.12.1.b.
However, this Severity Level IVviolation is being treated as a noncited violation in accordance with Appendix C of the Enforcement Policy. This item is in the licensee's corrective action system as-AR A0492245 (275; 323/99014-07, Example 2).
The inspectors found the licensee response to these issues appropriate to the circumstances.
In addition to the licensee investigation, the inspectors noted that the high radiation area postings contained a listing of the requirements for a high radiation area entry and concluded that the individuals demonstrated a lack of a questioning attitude when encountering the posting. The inspectors noted that similar violations occurred during Refueling Outage 1R9 and that licensee corrective action efforts had minimized these occurrences.
The licensee acknowledged the inspectors'onclusions.
I
-24-Conclusions A violation of Technical Specification 6.12.1.b with two examples was identified for failures to meet the requirements for high radiation area entries.
In the first example, an experienced engineer entered a high radiation area without obtaining the required radiation protection briefing of the area dose rates because of unfamiliarity with the high radiation area controls.
In the second example, two contractors entered a high radiation area without being familiar with the area dose rates.
These individuals incorrectly" believed that a high,radiation area radiation w'ork permit authorized entry into any high radiation area.
Similar violations of high radiation controls had occurred during Refueling Outage 1R9; however, licensee response to these issues was appropriate to the circumstances.
This Severity Level IVviolation is being treated as a noncited violation in accordance with Appendix C of the Enforcement Policy. These items are in the licensee's corrective action system as ARs A0492245 and A0492922.
Conduct of Security and Safeguards Activities S1.1 General Comments 71750 During routine tours, the inspectors noted that the security officers were alert at. their posts, security boundaries were being maintained properly, and screening processes at the Primary Access Point were performed well. During backshift inspections, the inspectors noted that the protected area was properly illuminated, especially in areas where temporary equipment.was brought in.
F1 Control of Fire Protection Activities F1.1 General Comments 71750 The inspectors toured the facilityon a frequent basis to ensur'e that adequate fire protection controls were in place.
The inspectors verified the operability of detection and suppression systems, correct control of fire, and, generally minimal presence of transient combustibles.
F8 Miscellaneous Fire Protection Issues (90712)
F8.1 Closed Licensee Event Re ort 275 323/1994-001-02:
inadequate fire barrier penetration. seals because of a programmatic deficiency.
On January 28, 1994, the licensee identified that certain fire barrier penetration seals did not meet the required fire rating because damming boards were not installed in accordance with the designed and tested configuration. The licensee considered all fire penetration seals inoperable because they did not understand the extent of the problem.
The licensee verified that already established hourly roving fire watches were in place for the affected areas, as specified in Equipment Control Guideline 18.7, "Fire Rated
-25; Assemblies."
NRC Inspection Report 50-275; 323/96-13, Section E8.1, closed out Revision 1 of this LER and determined that the licensee had a program established that would identify and correct fire barrier penetration seal deficiencies.
This revision of the LER provided an update to the types of seal problems uncovered during program implementation, which included four distinct types of errors.
In addition, the licensee determined that. deficient gaps existed in fire rated walls. The licensee concluded that their design process failed to consider proper sealing requirements for gaps; consequently, design documents did not exist to ensure appropriate installation, acceptance criteria, and maintenance of fire barrier sealing material. The licensee determined that gaps in fire rated walls were not readily visible because construction practices such as plastering covered the gaps.
Gap deficiencies included:
(1) poor physical condition (improper materials or not completely filled) and (2) drawings failing to show gaps or, ifshown, specified an incorrect material.
The inspectors had over the past year reviewed proper installation of penetration seals and had verified that 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> roving fire watches had continued.
The inspectors concluded that the licensee took appropriate, comprehensive corrective actions once the problem became known, as specified in this licensee event report. Because an already established a roving fire watch had been touring the affected areas, the inspectors concluded that no violation of regulatory requirements occurred.
V. Mana ement Meetin s
'1 Exit Meeting Summary The inspectors presented the inspection results to members of licensee management at the conclusion of the inspection on October 13, 1999. The licensee acknowledged the findings presented.
The inspectors asked the licensee whether any materials examined during the inspection should be considered proprietary.
No proprietary information was identified.
I ~
ATTACHMENT SUPPLEMENTAL INFORMATION PARTIALLIST OF PERSONS CONTACTED Licensee J. R. Becker,'anager, Operations Services W. G. Crockett, Manager, Nuclear Quality Services R. D. Gray, Director, Radiation Protection T. L. Grebel, Director, Regulatory Services D. B. Miklush, Manager, Engineering Services D. H. Oatley, Vice President and Plant Manager R. A. Waltos, Manager, Maintenance Services L. F. Womack, Vice President, Nuclear Technical Services INSPECTION PROCEDURES (IP) USED IP 37551 IP 61726 IP 62707 IP 71707 IP 71750 IP 90712 IP 92700 IP 93702 Onsite Engineering Surveillance Observations Maintenance Observation Plant Operations Plant Support Activities In Office Review of Written Reports of Nonroutine Events at Power Reactor Facilities Onsite Followup of Written Reports of Nonroutine Events at Power Reactor Facilities Prompt Onsite Response to Events at Operating Power Reactors
-2-ITEMS OPENED AND CLOSED
~Oened 275; 323/99014-02 URI 275/99014-03 URI Closed
Failure of control board light sockets (Section M1.5)
Improper installation of Diesel Engine Generator 1-2 fuses (Section M1.6)
275/1997-014-00 275/1 999-004-00 275/1 999-005-00 275; 323/
1994-001-02 0 ened and Closed LER Technical Specification 3.8.1.1 not met because'of personnel error (Section M8.1)
LER
.Technical Specification 3.8.1.1 not met because of personnel error (Section M8.2)
LER Technical Specification 4.1.1.1a not met because of personnel error (Section M8.3)
LER Inadequate fire barrier penetration seals because of a programmatic deficiency (Section F8.1)
275/99014-01 275/99014-04 275/99014-05 NCV Late report of engineered safety features actuation (Section 01.4)
NCV Two examples of failure to meet Technical Specification 3.8.1.1because of personnel error (Sections M8.1and M8.2)
NCV Technical Specification 4.1.1.1a not.met because of personnel error (Section M8.3)
323/99014-06 NCV 275; 323/99014-07 NCV Failure to implement design controls for Class IE/non-Class IE interface (Section E1.1)
Two examples of high radiation area entry violations (Section R1.1)
-3-LIST OF ACRONYMS USED AR IP LER NCV NRC PDR RG TDAFW URI Y2K action request inspection procedure licensee event report noncited violation U. S. Nuclear Regulatory Commission Public Document Room regulatory guide turbine-driven auxiliary feedwater unresolved item Year 2000
'