IR 05000275/2002007

From kanterella
Jump to navigation Jump to search
IR 05000275/2002-007, IR 05000323/2002-007, on 2/22/02 - 3/1/02; Pacific Gas and Electric Co.; Diablo Canyon Nuclear Power Plant Units 1 and 2. Special Team Insp Rpt. Problem Identification & Resolution, Event Response, Operability Eval, Mo
ML020980587
Person / Time
Site: Diablo Canyon  Pacific Gas & Electric icon.png
Issue date: 04/08/2002
From: William Jones
NRC/RGN-IV/DRP/RPB-E
To: Rueger G
Pacific Gas & Electric Co
References
IR-02-007
Download: ML020980587 (26)
v  d  e


Text

ril 8, 2002

SUBJECT:

DIABLO CANYON - NRC SPECIAL TEAM INSPECTION REPORT 50-275/02-07; 50-323/02-07

Dear Mr. Rueger:

On March 1, 2002, the NRC completed the onsite special team inspection at your Diablo Canyon Nuclear Power Plant, Units 1 and 2, facility. The enclosed report documents the inspection findings which were discussed with Mr. D. Oatley and other members of your staff on March 1, and a follow up discussion on April 5.

This inspection examined the events surrounding the Unit 2 reactor trip on February 9, 2002, as they relate to safety and compliance with the Commissions rules and regulations and with the conditions of your licenses. The inspection consisted of examination of procedures and records, and interviews with station personnel and staff members from one of your design contractors.

Based on the results of this inspection, the NRC has identified an issue that was evaluated under the risk significance determination process as having very low safety significance (Green). The NRC has determined that two violations are associated with this issue. These violations are being treated as a single noncited violation, consistent with Section VI.A of the Enforcement Policy. The noncited violation is described in the subject inspection report. If you contest the violation or significance of the noncited violation, you should provide a response within 30 days of the date of this inspection report, with the basis for your denial, to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001, with copies to the Regional Administrator, U.S. Nuclear Regulatory Commission, Region IV, 611 Ryan Plaza Drive, Suite 400, Arlington, Texas 76011; the Director, Office of Enforcement, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; and the NRC Resident Inspector at the Diablo Canyon Nuclear Power Plant, Units 1 and 2 facility.

In accordance with 10 CFR 2.790 of the NRC's "Rules of Practice," a copy of this letter, its enclosure, and your response will be made available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records (PARS) component of NRCs document system (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).

-2-Should you have any questions concerning this inspection, we will be pleased to discuss them with you.

Sincerely,

/RA/

William B. Jones, Chief Project Branch E Division of Reactor Projects Dockets: 50-275 50-323 Licenses: DPR-80 DPR-82

Enclosure:

NRC Inspection Report 50-275/02-07; 50-323/02-07

REGION IV==

Dockets: 50-275 50-323 Licenses: DPR-80 DPR-82 Report No: 50-275/02-07 50-323/02-07 Licensee: Pacific Gas and Electric Company Facility: Diablo Canyon Nuclear Power Plant, Units 1 and 2 Location: 7 1/2 miles NW of Avila Beach Avila Beach, California Dates: February 22 through March 1, 2002 Inspector(s): N. OKeefe, Senior Resident Inspector, South Texas Project G. Johnston, Senior Operations Engineer T. Jackson, Resident Inspector Approved By: W. B. Jones, Chief, Project Branch E Division of Reactor Projects

SUMMARY OF FINDINGS Diablo Canyon Nuclear Power Plant, Units 1 and 2 NRC Special Inspection Report 50-275/02-07; 50-323/02-07 IR 05000-275-02-07, IR 05000-323-02-07, on 2/22/02 - 3/1/02; Pacific Gas and Electric Co.;

Diablo Canyon Nuclear Power Plant Units 1 and 2. Special Team Inspection Report. Problem identification and resolution, event response, operability evaluations, modifications.

The report covers a special inspection that assessed the licensee response to: (1) a Unit 2 reactor trip on February 9, 2002, and (2) the resulting discovery of nonconservative setpoints for steam generator water-low low level trips. This inspection team was composed of a senior resident inspector, a resident inspector and one region-based senior operations engineer. The inspection identified a Green issue with two associated violations. The significance of this issue for Diablo Canyon is indicated by its color (Green, White, Yellow, or Red) and was determined by the Significance Determination Process in Inspection Manual Chapter 0609. The NRCs program for overseeing the safe operation of commercial nuclear power reactors is described at its Reactor Oversight Process website at http://www.nrc.gov/NRR/OVERSIGHT/ASSESS/index.html.

A. Inspection Findings Identification and Resolution of Problems The team determined that a critical opportunity was missed to promptly identify and correct a risk-significant condition adverse to quality involving a nonconservative limiting safety setting and an engineered safety features setpoint. The licensees posttrip event review process did not recognize that the Unit 2 protection system response to a loss of feedwater flow to Steam Generator 2-4 was inappropriate in that the steam generator water level-low low actuations did not occur when required.

Cornerstone: Mitigating Systems Green. The failure to promptly identify and correct the steam generator narrow range water level-low low reactor trip system and engineered safety system instrumentation nonconservative setpoint bias following the Unit 2 manual reactor trip on February 9, 2002, is a violation of 10 CFR Part 50, Criterion XVI. The licensees event review failed to recognize that an engineered safety feature, including a reactor trip, failed to actuate when required during a loss of feedwater event to Steam Generator 2-4. This failure resulted in the licensee restarting Unit 2 with the reactor trip and engineered safety system instrumentation inoperable, and in the operation of both units with the same instrumentation inoperable, in violation of Technical Specification 3.3.1. This issue is being treated as a noncited violation, consistent with Section VI.A of the Enforcement Policy (50-275; 323/2002-07-01). The licensee documented this deficiency in Action Request A0549031.

The failure to promptly recognize inoperable trip and actuation functions and comply with Technical Specification requirements had a credible impact on safety. The resulting delays in an automatic reactor trip and engineered safety features actuations would have delayed the plants response to a loss of feedwater event and reduced the

-2-water mass available for the heat sink function in the affected steam generator(s).

Further, this deficiency had the potential to affect the integrity of the reactor coolant system boundary. A Phase 3 Significance Determination Process evaluation concluded that the issue had very low safety significance (Green). The finding represents a condition that existed for 5-days. The significance of the steam generator narrow range water level-low low setpoint offset (bias) is reduced if feedwater flow is lost to two or more steam generators. Based on the short duration from the time a single steam generator would dryout (the limiting initiator is a loss of feedwater to a single generator)

and actuation of auxiliary feedwater, the condition does not result in an appreciable increase in the probability of a steam generator tube rupture occurring. The licensees analysis using the plant specific simulator showed that the engineered safety feature actuation and reactor trip on steam generator water level-low low would have initiated at or before steam generator dryout would occur. The reactor coolant system physical over pressure protective features (safety relief and power operated relief valves) should not be challenged and there were other protective trips in place (over temperature-delta temperature and over pressure delta-temperature) in place that would have protected the reactor coolant system and fuel integrity in the event a manual reactor trip is not initiated on a loss of feedwater flow to a steam generator [Sections 4OA2.a.(2) and 5].

Report Details 1 SPECIAL INSPECTION ACTIVITIES The NRC conducted this special inspection to better understand the circumstances surrounding the unexpected water level indications in Steam Generator 2-4 during a loss of feedwater flow and the subsequent manual plant trip. The team evaluated the potential generic safety implications related to the cause of the indication anomaly. The inspectors used NRC Inspection Procedure 93812, Special Inspection Procedure, to conduct the inspection. The team reviewed procedures, logs, instrumentation printouts, corrective action documents, and design and maintenance records for the equipment of concern. The team interviewed key station personnel regarding the event and subsequent posttrip review investigation. The team observed computer simulations of plant responses under numerous conditions and held discussions with Westinghouse personnel in order to assess the generic implications, as well as the data and methods used to assess: (1) the magnitude of the instrument bias, (2) the value of the revised setpoints, and (3) the power level reduction required to restore operability with the original setpoints.

2 EVENT DESCRIPTION AND INITIAL CONDITION EVALUATION 2.1 General Event Discussion On February 9, 2002, with Unit 2 at full power, Main Feedwater Regulating Valve FW-2-FCV-540 failed in the closed position, resulting in a rapid decrease in Steam Generator 2-4 water level. Indicated narrow range water level decreased to 7.5 percent and leveled out. Operators tripped the Unit 2 reactor within approximately 1 minute of the main feedwater regulating valve closing. On February 14, 2002, after the Unit 2 restart but while still investigating into the event, a potentially unanalyzed condition was identified involving the narrow range steam generator water level instrumentation. The licensee determined that during the plant transient, actual water level in Steam Generator 2-4 fell below the 7.2 percent narrow range trip setpoint for engineered safety-feature and reactor trip actuations before operators manually tripped the reactor. The steam generator vendor attributed this water level discrepancy to a previously unaccounted for differential pressure created by steam flow past the middeck plate in the moisture separator section of the steam generator. This differential pressure phenomena caused the steam generator narrow range instruments to indicate a higher water level than actual water level at high steam flows (greater than 60 percent power). Thus, the steam generator narrow range water level-low low setpoint was nonconservative during certain transients.

2.2 Risk Significance of Event Following the February 9, 2002, failure of feedwater flow control valve to Steam Generator 2-4 the NRC performed an evaluation of the preliminary risk significance in terms of conditional core damage probability (CCDP). The NRCs initial risk analysis determined that the CCDP was on the order of 1 E-6. The CCDP is the probability of core damage given that the event (loss of feedwater to Steam Generator 2-4) has occurred. The licensee performed a separate calculation which arrived at a CCDP of

-2-4.87 E-7 and a conditional large early release probability (CLERP) of 1.18 E-7. These assessments were specific to Diablo Canyon and may not reflect risk insights for other facilities which were also subject to the nonconservative water level-low low setpoint.

The NRC considered the nonconservative engineered safety feature actuation setpoint at Diablon Canyon for steam generator water level-low low, the potential generic applicability to Westinghouse steam generators, and the risk insights in the decision to initiate a Special Inspection Team. This decision incorporated the guidance in NRC Management Directive 8.3, NRC Incident Investigation Program.

Both the NRCs independent assessment and the licensees calculation for CCDP considered the loss of feedwater to Steam Generator 2-4 as well as an increase in the steam generator tube rupture probability given that the water inventory in the steam generator was appreciably less than had the steam generator narrow range instruments actuated as expected. An NRC risk analyst consulted with subject matter experts in the NRC and ascertained that a probability of a steam generator tube rupture occurring was approximately 0.01. The licensee also assigned the same probability based on their Individual Plant Examination review.

The initial follow up of the event by the resident inspectors confirmed that the risk important systems used to mitigate a loss of feedwater event as well as a postulated steam generator tube rupture were available. In addition, the over temperature-delta temperature and over pressure-delta temperature reactor trip circuits were functional and would have provided for reactor coolant system and fuel barrier integrity in the event a manual reactor trip had not been initiated by the reactor operators. The anticipated transient without scram circuitry was available for reactor coolant system high pressure.

Plant specific simulator runs provided confidence that reactor trip and engineered safety feature actuations would have initiated off the Steam Generator 2-4 water level-low low narrow range instrumentation at about the time of steam generator dry out. The simulations showed that the actuations should occur prior to dry out of a steam generator if more than one steam generator had lost feedwater flow.

The NRC performed a conservative calculation that accounted for the probability of a steam generator tube rupture from the decreased water inventory in the steam generator. The core damage contribution from a loss of all feedwater initiators was considered along with the increased probability of steam generator tube rupture occurring from the initiator (loss of feedwater to one steam generator). The CCDP was determined to be on the order of 1E-6.

3 SPECIAL INSPECTION AREAS 3 .1 Overview and Sequence of Events The team developed a detailed sequence of events and organizational response timeline. The timeline included applicable events and actions before, during, and following the failure of the steam generator feedwater regulating Valve Number 4. The

-3-timeline was generated from control room computer printouts, operator logs, written records, and interviews with members of the licensees staff. The teams review satisfied the activities associated with Special Inspection Team Charter Element 1, Develop a complete sequence of events related to the February 9, 2002, Unit 2 reactor trip and the nonconservative steam generator water level-low low trip setpoint. The Special Inspection Team Charter is provided as an attachment.

February 9, 2002:

(All times are in Pacific Standard Time)

3:36:07 a.m. Main Feed Regulating Valve FCV-540 failed closed, stopping feedwater flow to Steam Generator 2-4.

3:37:01 a.m. After a failed attempt to reopen Valve FCV-540, operators initiated a manual reactor trip. Operators observed that auxiliary feedwater automatically actuated after the trip.

8:00 a.m. During discussions with the resident inspectors, the operations manager and shift supervision expressed skepticism that steam generator level got as low as observed by the steam generator wide range instrument during the trip. The shift technical advisor confirmed wide range level indication reached 10 percent.

1:00 p.m. Engineering Services reported that steam generator structural integrity was not affected by low wide range level. Engineering Services preliminarily concluded that dynamic processes contributed to inaccurate wide range level indication.

8:00 p.m. During a conference call with the NRC to discuss the licensees plans for restart of Unit 2, the licensee reviewed their corrective actions for the feedwater regulating valve and other failed components. The NRC expressed concern that wide range indicated level was abnormally low for this transient. The licensee explained their theory that actual level was higher because of the difference between the transient conditions (hot, dynamic) and the calibration conditions (cold, static). The licensee believed steam generator narrow range level response to be normal, and the wide range level indication was overly conservative but did not impact operator response to such indication. The NRC decided to conduct followup activities on level anomalies.

9:30 p.m. The Plant Staff Review Committee reviewed the results of the trip event response team investigation and readiness for restart. The steam generator wide range water level anomaly issue was discussed and determined not to be a restart issue. The issue was classified as an issue needing validation to determine impact on operability (INVDIO).

The Station Director granted permission to restart the plant.

-4-February 10, 2002:

10:56 a.m. Unit 2 entered Mode 2 as operators commenced reactor startup.

3:00 p.m. Unit 2 entered Mode 1 as operators continued the reactor startup.

February 12, 2002:

The licensee continued its investigation of the Unit 2 steam generator response during the transient. Licensee personnel sent plant trip data to Westinghouse for review.

February 13, 2002:

The licensee began to focus on steam generator narrow range indication as a potential concern.

February 14, 2002 11:00 a.m. During a conference call between the licensee and Westinghouse, Westinghouse informed the licensee about a new process measurement error term related to mid-deck plate differential pressure that had not been included in the existing setpoint analysis.

4:00 p.m. Operators in both units declared all channels of narrow range level instrumentation inoperable and entered Technical Specification 3.0.3.

Operations issued a shift order to manually trip the reactor on loss of feedwater flow.

5:00 p.m. Operators in both units began reducing power to less than 60 percent thermal power to restore the narrow range instruments to operable and exit Technical Specification 3.0.3.

7:19 p.m. Based on information received from Westinghouse, the licensee completed a prompt operability assessment that concluded the existing trip setpoint at 7.2 percent narrow range level remained operable at or below 60 percent reactor power. Operators stopped power reductions at 60 percent power.

February 15, 2002 The licensee implemented setpoint changes by Design Change Packages J-049609 (in Unit 1) and J-050609 (in Unit 2) to raise the steam generator low-low setpoint to 15 percent. After implementation, operators increased power to 100 percent in both units.

-5-Westinghouse issued Nuclear Safety Advisory Letter (NSAL) 02-3, Steam Generator Mid-deck Plate Pressure Loss Issue. This letter provided a basic description of the physical phenomenon and quantified the unit-specific potential impact for all plants with Westinghouse steam generators.

February 19, 2002 Westinghouse issued Nuclear Safety Advisory Letters 02-4, Maximum Reliable Indicated Steam Generator Water Level, and 02-5, Steam Generator Water Level Control System Uncertainty Issue. These letters covered other effects of the same physical phenomenon as Nuclear Safety Advisory Letter 02-3.

3.2 Physical Phenomenon and System Description Steam generators designed by Westinghouse incorporated two-stage moisture separation. The first stage used centrifugal separators and the second stage used chevron-type separators. A divider (mid-deck) plate separates the two stages. The steam generator water level instrumentation used differential pressure instruments with two ranges, a wide range instrument (nonsafety related) and three narrow range instruments (safety related). The wide range instrument spanned essentially the entire length of the downcomer region, while the three narrow range instruments spanned only the upper 25 percent of the wide range to cover the normal operating band. The upper taps for all four instruments were located above the mid-deck plate, while the lower taps were all located below this plate.

Westinghouse recognized a new phenomenon while evaluating the design of new (replacement) steam generators using computer modeling tools not available during design reviews for the original steam generators. The holes in the mid-deck, which were designed to allow moisture removed from the second stage separators to flow back into the downcomers, acted as orifices which restricted steam flow and allowed pressure differences when water levels decreased below the mid-deck region. At higher steam flow rates and decreasing steam generator water level, steam exiting the first stage separators along with the moisture being separated was enough to build up pressure below the plate that was not acting above the plate. Since the upper steam generator water level instrument taps were connected above the plate, a pressure difference acted on the four instruments that provided a bias that caused the instruments to indicate higher than actual during periods of high steam flow. For the limiting safety setting of low-low steam generator water level setpoint, this bias acted in the nonconservative direction. The magnitude of the bias dropped as steam flow decreased.

Westinghouse began accounting for this bias in the setpoint calculation in about 1998 during design work for replacement steam generators. However, the potential impact for original model steam generators was apparently not recognized until 2001. As a bias, when actual water level dropped below the narrow range lower taps on a steam

-6-generator, it was possible for the three instruments to indicate that level was still in the indicating range, and in some cases, above the low-low steam generator water level setpoint.

During the February 9, 2002, event, the wide range level instrument, which was calibrated for cold plant conditions, had behaved basically as expected. However, the three safety-related narrow range indications did not show that steam generator water level had decreased below 7.5 percent (just above the automatic trip setpoint of 7.2 percent) until after the manual reactor trip. At the time of the Diablo Canyon event, Westinghouse was in final preparation for issuing several Nuclear Safety Advisory Letters on this topic.

The steam generator water level low-low trip was the limiting safety setting designed to be the primary trip protection for a loss of heat sink event, such as a normal loss of feedwater. If water level in the steam generator lowers to 7.2 percent, the circuitry was designed to trip the reactor and actuate auxiliary feedwater. However, this trip function did not respond as designed.

3.3 Human Performance and Procedure Adequacy During the Event The team interviewed control room operators and the resident inspectors, and reviewed logs, recorder trends, and plant operating procedures related to the event. The team assessed main control board controls, indications and annunciators for human factors considerations that may have impacted the operators ability to diagnose and respond to the event. No findings of significance were identified.

4 OTHER ACTIVITIES (OA)

4OA2 Identification and Resolution of Problems (71152)

.1 Effectiveness of Problem Identification a. Inspection Scope:

The team conducted a broad review of the licensees event review, trip analysis, restart readiness review, operability determinations, simulator modeling efforts, corrective actions, and investigations into the steam generator water level anomaly. Interviews were conducted with mid- and senior-level management, engineering and operations personnel, and Plant Staff Review Committee members.

b. Observations and Findings The team determined that a critical opportunity was missed to promptly identify and correct a risk-significant condition adverse to quality involving a nonconservative limiting safety and engineered safety features setpoint. The licensees posttrip event review process did not recognize that the Unit 2 plant response as expected to a loss of feedwater flow to Steam Generator 2-4. Specifically, the licensee did not review

-7-available data that would have indicated that the steam generator water level-low low engineered safety features and automatic reactor trip actuations did not occur when required. This failure to promptly identify and correct this significant condition adverse to quality was identified as a violation of 10 CFR 50, Appendix B, Criterion XVI. As a result of this failure, Unit 2 was restarted on February 10 and both Units 1 and 2 were operated for approximately 5-days with steam generator water level-low low trip and engineered safety features actuations inoperable in violation of Technical Specification 3.3.1. This was determined to be a finding of very low safety significance (Green).

The event review process did not effectively evaluate the observed plant response to the expected response. Procedure OP1.DC1, Administrative Program to Control the Return to Power After a Reactor Trip, Revision 3A, stated the purpose of an event review was to provide a systematic review and assessment of a plant transient in order to determine the cause of an unscheduled reactor shutdown, and ascertain proper operation of safety-related equipment. The team reviewed the completed procedure and concluded that it focused personnel on the cause of the trip rather than ascertaining the proper operation of safety-related equipment during the event. The NRC noted that the procedural sections that related to ascertaining proper operation of safety-related equipment were not completed. Specifically, Attachment 6.4, Transient Detail Data, which listed three pages of important plant parameters (pre- and post-transient, minimum and maximum values) had not been completed. The licensees implementation of the procedure did not adequately evaluate actual versus expected actuations. This likely contributed to not recognizing unexpected indications and lack of an expected trip and engineered safety features actuation.

When the question of actual water level in the steam generator was considered on February 9, 2002, licensee personnel presumed that the narrow range instruments correctly indicated that level did not go significantly below the narrow range and the plant responded normally with the exception that wide range indication read lower than actual. This was explained through comparison of the wide range instrument being cold-calibrated and the indication and referencing the instrument during the transient condition. The licensee accepted these tentative explanations without thoroughly reviewing all available data to confirm its suspicions.

The team noted that this theory did not adequately explain the observed plant behavior.

The licensee calculated that approximately 75 percent of the initial water mass boiled off during the transient. The wide range indication reached a minimum value of approximately 10 percent, but the licensee calculated actual wide range level to be 20 percent. The team noted that the bottom of the narrow range indication corresponded to approximately 75 percent actual wide range level. The team also noted that following the initiation of auxiliary feedwater, narrow range level did not increase quickly, indicating that considerable water injection was required to reach the narrow range. Therefore, the wide range instrument indicated the trend (if not exact water level) correctly and demonstrated that level was actually below the narrow range indications. The inspectors concluded that the licensee did not adequately check to see that its calculated level matched other available information. By not adequately assessing the transient, the licensee failed to promptly recognize the actual problem.

-8-The failure to promptly identify and correct the steam generator narrow range level nonconservative setpoint bias following the Unit 2 manual reactor trip on February 9, 2002, is a violation of 10 CFR Part 50, Appendix B, Criterion XVI. The failure to correct this condition subsequently resulted in Unit 2 changing Modes (Mode 3 to 2 to 1) with the reactor trip system and engineered safety system steam generator water level-low low instrumentation inoperable and subsequent operation of Units 1 and 2 (Mode 1) in a condition prohibited by Technical Specification 3.3.1. This Technical Specification requires that the reactor trip system instrumentation for steam generator level-low low be operable for Modes 1 and 2 and the engineered safety feature actuation instrumentation steam generator water level-low low be operable in Modes 1, 2 and 3. These two violations are being treated as a single issue and as a single noncited violation; consistent with Section VI.A of the Enforcement Policy (50-275; 323/2002-07-01). The licensee documented this deficiency in Action Request A0549031. The significance of this issue was determined to be very low (Green), as discussed in detail in Section 5 below.

The team also found that the licensees investigation did not consider other possible causes of unusual instrument behavior. For example, a single maintenance crew calibrated all three narrow range channels on the Steam Generator 2-4 on the same day, which could introduce a common error in all three channels. The licensee did not investigate the narrow range indication until after plant restart. Further, the licensee did not investigate other potential sources of error (calibration issues, material conditions, unique equipment arrangement, design, setpoint control, uncorrected problem identification and resolution issues, etc.). Section 4OA2.3 discusses the inspection teams investigation into other possible causes.

.2 Operability Determination Process (71111.15)

a. Inspection Scope The team interviewed operators, engineers, and managers involved in the event review process to assess what efforts were made to determine the operability of the steam generator water level instruments and specifically the water level-low low setpoint. Log entries, corrective action documents, Plant Staff Review Committee meeting minutes, and design-basis documents were reviewed. The inspectors used guidance from Inspection Procedure 71111.15, Operability Evaluations. The team reviewed the following documents:

  • Action Request A0549031
  • Procedure OM7.ID5, Issues Needing Validation to Determine Impact on Operability, Revision 8
  • Procedure OM7.ID8, Operability Evaluation, Revision 8

-9-

  • Operability Evaluation 02-01, Operability With Nonconservative Assumptions in Calculations Used for Steam Generator Water Level Low -low Set Points, Revision 0
  • Event Response Plan 02-01, February 9, 2002 The team also conducted two teleconferences on February 28, 2002, with the licensee and Westinghouse personnel at the Energy Center and Waltz Mill offices. The team discussed: (1) the test and computer code data used to determine the magnitude of the instrument bias, and (2) the methodology used to determine the new setpoints and determine the power level that would assure the existing setpoints would fulfill the safety function.

b. Observations and Findings The team reviewed the opportunities to identify problems and assess the operability of safety-related equipment. Once Westinghouse provided the background on the nonconservative setpoint bias that could occur to the licensee, Diablo Canyon personnel made a proper determination of operability and took appropriate action to compensate for and then correct the condition and restore operability in a prompt manner.

In addressing the wide range instrument question, it was clear that the licensee was not fully satisfied that the issue was well understood. However, rather than clarify the issue immediately, the licensee used a station administrative process to further study the issue for 30-days, and declared the problem to be an issue needing validation to determine the impact on operability (INVDIO). The team concluded that this process was not integrated with the stations operability determination process, and effectively permitted an issue that was thought to relate to an operability question to be studied for 30-days before addressing the operability question. This approach was considered to be contrary to guidance provided in Generic Letter 91-18, which provided guidance on the need to perform prompt operability assessments. While this process did not cause the licensee to miss the opportunity to assess the operability of the narrow range instrumentation, it did provide a station process that appeared to lend legitamacy to the decision to restart the plant without first thoroughly understanding the discrepancy between the narrow range and wide range instrument indications.

The team concluded that the licensee had indications from the February 9, 2002, event which provided evidence that steam generator narrow range level indications functioned in an unexpected and inconsistent manner. The team concluded that the operability of these instruments, and thus the limiting safety setting for low-low steam generator water level, should have been evaluated as a result of the questions about steam generator water level indication. Because, in part, of the licensees decision to restart the plant and study the issue further using the INVDIO process, the licensee operated Unit 2 above 60 percent power between February 10 and 14 with inoperable steam generator water level low-low trip functions. The NRC staff will review the licensees INVDIO process during the scheduled April 2002 problem identification and resolution inspection. The licensees use of the INVDIO process will be an unresolved item (URI 50-275; 323/2002-07-02).

-10-The potential generic safety concerns for other plants were discussed adequately in Nuclear Safety Advisory Letters 02-3, 02-4, and 02-5. Basically, all plants with Westinghouse designed steam generators were susceptible to this instrument bias, although some plants that have replaced steam generators may have accounted for this phenomenon in their setpoint calculations. The Nuclear Safety Advisory Letters indicate the magnitude of the bias at each plant, and indicates that secondary trips will ensure reactor safety. However, as was the case at Diablo Canyon, Technical Specifications may require prompt action based on operability.

.3 NRC Review of Other Potential Causes of Instrument Inaccuracies a. Inspection Scope The team reviewed the licensees probable cause determination for the steam generator narrow range level indication anomaly during the February 9, 2002 reactor trip. The inspectors reviewed a wide spectrum of issues which could potentially affect the performance of steam generator water level instrument channels to determine if a design, installation, maintenance, or existing material condition problems could have caused the level indication anomaly observed during the event. The inspectors reviewed documentation related to the design bases, setpoint calculations, instrumentation piping, calibration procedures/data, and corrective action documents associated with steam generator level instrumentation.

The team reviewed the following design-bases documents:

  • Design Criteria Memorandum S-4, Turbine Steam Supply System, Revision 19
  • Design Criteria Memorandum S-38A, Plant Protection System, Revision 11
  • Design Criteria Memorandum S-38B, ATWS Mitigation System Actuation Circuitry (AMSAC), Revision 2 In order to assess possible common cause problems with all three channels on narrow range level instruments, the inspectors reviewed the physical layout drawing for instruments and piping, the logic associated with the steam generator water level low-low reactor trip function, the auxiliary feedwater actuation signal, and the AMSAC system. A sample of the documents reviewed include:
  • Drawing 495877, Functional Logic Diagram: Steam Generator Trip Signals, Revision 3
  • Drawing 495887, Functional Logic Diagram: AMSAC Signals, Revision 1

-11-

  • Physical layout drawings contained in DCP-J-48184, S/G Narrow Range Transmitters Ref. Legs Heatup, December 20, 1993 The inspectors reviewed the results from the last two calibrations for each steam generator water level instrument on all steam generators, compared the calibration procedures to vendor manual procedures, and reviewed training material related to preforming that type of calibration. The following specific documents were reviewed:
  • Procedure STP I-4-L547, Steam Generator 4 Narrow Range Level Channel LT-547 Calibration, Revision 2
  • Procedure STP I-4-L548, Steam Generator 4 Narrow Range Level Channel LT-548 Calibration, Revision 2
  • Procedure STP I-4-L549, Steam Generator 4 Narrow Range Level Channel LT-549 Calibration, Revision 2
  • Vendor manual, Rosemont Model 1154 Alphaline Pressure Transmitter for Nuclear Service, January 1992
  • Lesson IAFC150-FE-010, Rosemont 1151 Pressure/Differential Pressure Transmitter Maintenance, Revision 1
  • Job Performance Measure IJP0713A, Calibrate a Rosemont 1151 Pressure/Differential Pressure Transmitter, Revision 2B The inspectors analyzed the setpoint calculations related to the steam generator water level low-low trip function. Additionally, the inspectors discussed the setpoint methodology and calibration process with licensee engineers. The setpoint calculations are described in WCAP-11082, Westinghouse Set point Methodology for Protection Systems: Diablo Canyon Units 1 & 2, 24 Month Fuel Cycle Evaluation, Revision 5 and Procedure SC-I-4-L517, Instrument Scaling Calculation Steam Generator Narrow Range Level Channels, Revision 3.

The team also reviewed corrective action program documents related to steam generator level instruments to determine if there was a pattern of instrument problems or any uncorrected material condition problems prior to the February 9, 2002 event. The inspectors also looked to see if there was any indication of the level phenomenon observed prior to the event. The inspectors reviewed past licensee event reports and found no similar events.

b. Observations and Findings The team found that the licensee had historically identified and corrected problems related to the steam generator narrow range and wide range level instruments. Also, the team found no evidence that the level phenomenon had been observed prior to February 9, 2002, and identified that this was the first event to challenge the steam

-12-generator water level-low low trip since the current transmitters had been installed in 1991.

5 Risk Significance of the Event a. Inspection Scope The team reviewed design and licensing basis documents related to the steam generators, water level indications and the associated trip and engineered safety features actuation signals. The team reviewed accident evaluations and methods of protection for initiating events which could challenge these trips and actuations. To assess the event, the team discussed chart recorder data with the control room operators that were on shift during the event and with the thermal-hydraulic engineers.

The team also worked with licensee computer plant specific simulation personnel to assess event data, existing simulator response, and simulation modeling which was revised to account for the mid-deck plate pressure difference. The licensee performed multiple simulation runs to assess the severity of different scenarios, the timeliness and availability of secondary trips, and the fidelity of the revised modeling.

b. Findings NRC Significance Determination Process Phase 1 and 2 Assessment The licensees failure to promptly recognize inoperable trip and actuation functions and comply with Technical Specification requirements had a credible impact on safety, because the required limiting safety setting trips would have delayed responses and reduced the water mass available for the heat sink function in the affected steam generator(s). This issue had a credible impact on the operability of the steam generator water level-low low trip and engineered safety features actuation, as well as having the potential for affecting the integrity of the reactor coolant system boundary. A Phase 2 Significance Determination Process review resulted in an indeterminate assessment because of the need to include the probability of a steam generator tube rupture occurring in the transient worksheet when auxiliary feedwater initiated in a dry steam generator.

NRC Phase 3 Risk Assessment The team reviewed the accident and transient sequences that could challenge the steam generator narrow range water level-low low setpoint under conditions which could also cause the observed mid-deck plate instrument bias. The applicable condition involved the loss of feedwater flow to one or more steam generators at high power without causing any other trip signals. These constraints eliminated most ways to lose feedwater flow, except for the type of valve failures experienced during the Diablo Canyon event. Plant specific simulation data showed that loss of feedwater flow to a single steam generator resulted in the most severe plant response. This was because the unaffected steam generators would not generate trip signals, and the affected steam

-13-generator would not generate a trip signal until a significant portion of the water mass in the steam generator boiled off, allowing steam flow and pressure to drop.

The steam generator water level-low low trip was the limiting safety setting designed to be the primary trip protection for a loss of heat sink, such as a normal loss of feedwater event (NLOF). It was intended to actuate auxiliary feedwater and trip the reactor if water level reached the narrow range water level-low low setpoint (7.2 percent) in a single steam generator.

Plant design documents showed that the reactor was also protected by secondary trips from over temperature-delta temperature (OT- T), over power-delta temperature (OP- T) or an engineered safety features actuation signal. These secondary trips provided protection during the events of concern through computer simulation (adjusting steam generator hydraulic modeling to account for the mid-deck plate differential pressure effect). The plant specific simulator also demonstrated that an automatic steam generator water level-low low trip and auxiliary feedwater actuation would have occurred with some delay (30 to 40 seconds), after the water inventory loss caused by steaming the water mass in the steam generator and causing steam flow to drop. The inspectors concluded that this time delay did not significantly impact core cooling.

However, two aspects could increase the plant consequences of a loss of feedwater.

Dry out of the affected steam generator(s) would be somewhat more likely due to increased loss of water mass before an automatic reactor trip occurred. Reaching dry out offers two challenges to steam generator tube integrity - hot dry failure (maximum pressure differential across tubes), and thermal shock from delayed introduction of cool auxiliary feedwater water.

The following additional considerations were included in the Phase 3 analysis:

  • Steam flow less than 60 percent the steam generator narrow range instrumentation tracks actual level
  • Feedwater pump trip results in turbine trip/reactor trip and narrow range instrumentation not effected
  • Failure of all feed regulating valves would pick up OT- T
  • Over temperature-delta temperature (OT- T) or over power-delta temperature (OP- T) are next trips to come in if narrow range water level-low low setpoint not picked up for the failure of 1 feedwater regulating valve
  • Auxiliary feedwater would automatically actuate (if not manually initiated) when steam flow decreases below 60 percent

-14-

  • Operator actions remained the same The above assumptions were utilized in assessing the change in core damage frequency and large early release frequency based on the finding of the nonconservative steam generator narrow range water level-low low bias existing for 5-days (based on the period between approval to restart Unit 2 and identification of steam generator narrow range instrument nonconservative bias). An initiating event consisting of loss of feedwater was considered with an additional top event concerning an increased probability of steam generator tube rupture (0.01) with a transfer to the steam generator tube rupture event tree. The top event probabilities associated with no power operated relief valves open and power operated relief closed were not modified based on the actual and plant specific simulator responses for the reactor system response (pressure and temperature).

An upper bounding analysis was performed to ascertain whether a more stringent risk analysis should be performed to include immediate operator actions and better define the initiating event frequency. The large early release frequency was assumed to be the same as the core damage frequency given a steam generator rupture event occurs.

The risk analyst determined that given the initiaitor would occur once per year (conservative) and the induced steam generator tube rupture probability of 1E-2 that the core damage frequency and large early release frequencies would be on the order of 1E-8.

These values were compared to the licensees results using their plant specific probabilistic risk assessment model and the assumption that no automatic trip occurs before reaching dryout conditions. This analysis showed there was a very minor increase in risk of CDF= 4.37E-8 per year, and LERF=6.54E-9 per year.

Based on the NRC risk analyst independent assessment and review of the licensees assessment, the team concluded that the overall safety significance of the steam generator narrow range water level-low low nonconservative setpoint bias for the 5-day period was of very low safety significance (Green).

Consideration of External Events and Flooding The NRC reactor analyst considered the effects of external events, in particular seismic and flooding. It was found that these initiators did not result in a change to the CDF or the LERF based on reactor trip actuations would occur on a seismic event and the effects of flooding would initiate other trips or loss of feedwater and a subsequent reactor trip. As previously discussed, the initiator that resulted in the greatest steam generator narrow range instrument nonconservative bias was loss of feedwater to one steam generator. Conditions that generated a reactor trip would result in reduced steam flow such that the engineered safety feature actuations (initiate auxiliary feedwater)

would occur at the established narrow range water level-low low setpoint.

-15-06 Meetings

.1 Exit Meeting Summary The team presented the inspection results to Mr. D. Oatley, Vice President, Operations, and other members of licensee management during a telephonic exit meeting on March 1 and on April 5, 2002. The licensee acknowledged the findings presented.

The team asked the licensee whether or not any materials discussed during the exit should be considered proprietary. No proprietary information was identified.

ATTACHMENT SUPPLEMENTAL INFORMATION KEY POINTS OF CONTACT Licensee A. Afzali, Supervisor PRA Group J. Becker, Station Director K. Bych, Manager, Engineering Services R. Lee, Westinghouse M. Mayer, Engineering Supervisor D. Miklush, Director, Engineering Services D. Oatley, Vice President B. Rice, Westinghouse J. Shoulders, Manager, Engineering D. Taggart, Manager, Nuclear Quality J. Tomkins, Director, Nuclear Quality and Licensing R. Tuley, Westinghouse R. Washington, I&C Supervisor, Engineering Services L. Womack, Vice President, Nuclear Services NRC D. Proulx, Senior Resident Inspector, Diablo Canyon ITEMS OPENED, CLOSED, AND DISCUSSED Opened 50-275; 323/200207-01 NCV Reactor operation with the steam generator water level-low low trips and engineered safety actuation instrumentation inoperable for both units (Section 4OA2.1.b).

50-275; 323/200207-02 URI Licensee use of INVDIO process for operability evaluations (Section 4OA2.2.b).

Closed 50-275; 323/200207-01 NCV Reactor Operation with the steam generator water level-low low trips inoperable in both units ((Section 4OA2.1.b).

Discussed None.

-2-LIST OF ACRONYMS USED AMSAC ATWS Mitigating System Actuation Circuitry ATWS anticipated transient without scram CCDP conditional core damage probability CLERP conditional large early release probability INVDIO issue needing validation to determine impact on operability LONF loss of normal feedwater NCV noncited violation DOCUMENTS REVIEWED The following documents were selected and reviewed by the inspectors to accomplish the objectives and scope of the inspection and to support any findings:

Action Requests A0549024 A0549031 A0549032 N0002137 Design Criteria Memorandum S-4, Turbine Steam Supply System, Revision 19 S-38A, Plant Protection System, Revision 11 S-38B, ATWS Mitigation System Actuation Circuitry, Revision 2 Design Change Package Design Change Packages (DCPs) J-049609 and J-050609, Adjust the Steam Generator Narrow Range Water level-low low Level Set point in E21 to Correspond to a Nominal 15 Percent, Revision 0 DCP-J-48184, S/G Narrow Range Transmitters Ref. Legs Heatup, December 20, 1993 Drawings 108036, Steam Generator 2-4 Narrow Range Level, Revision 72 495877, Functional Logic Diagram: Steam Generator Trip Signals, Revision 3 495885, Functional Logic Diagram: Auxiliary Feedwater Pumps Startup, Revision 3 495887, Functional Logic Diagram: AMSAC Signals, Revision 1 Procedures XI1.ID3, Event Investigation Team, Event Response Team, and Event Investigation Report

-3-OM7.ID12, Operability Determination, Revision 4C SC-I-4-L517, Instrument Scaling Calculation Steam Generator Narrow Range Level Channels, Revision 3 STP I-4-L547, Steam Generator 4 Narrow Range Level Channel LT-547 Calibration, Revision 2 STP I-4-L548, Steam Generator 4 Narrow Range Level Channel LT-548 Calibration, Revision 2 STP I-4-L549, Steam Generator 4 Narrow Range Level Channel LT-549 Calibration, Revision 2 Vendor Manuals Rosemont Model 1154 Alphaline Pressure Transmitter for Nuclear Service, January 1992 Training Documents Lesson IAFC150-FE-010, Rosemont 1151 Pressure/DP Transmitter Maintenance, Revision 1 Job Performance Measure IJP0713A, Calibrate a Rosemont 1151 Pressure/DP Transmitter, Revision 2B Other Documents LER 91-002-00, Reactor Trip on Steam Generator Low Level With Steam Flow/Feedwater Flow Mismatch Due to Personnel Error Operability Evaluation 02-01, Operability With Nonconservative Assumptions in Calculations Used for Steam Generator Water Level Low -low Set Points, Revision 0 WCAP-11082, Westinghouse Set point Methodology for Protection Systems: Diablo Canyon Units 1 & 2, 24 Month Fuel Cycle Evaluation, Revision 5 Westinghouse Nuclear Safety Advisory Letter 02-03, Steam Generator Mid-deck Plant Pressure Loss Issue Probabilistic Risk Assessment PRA02-01, Revision 0, February 19, 2002

Retrieved from "https://kanterella.com/w/index.php?title=IR_05000275/2002007&oldid=2707117"