IR 05000341/1989033
| ML20011E425 | |
| Person / Time | |
|---|---|
| Site: | Fermi |
| Issue date: | 02/01/1990 |
| From: | Axelson W NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION III) |
| To: | |
| Shared Package | |
| ML20011E424 | List: |
| References | |
| 50-341-89-33, NUDOCS 9002130386 | |
Text
U.S. NUCLEAR REGULATORY COMMISSION
REGION III
Report No. 50-341/89033(DRP)
Docket No. 50-341
Operating License No. NPF-43
Licensee: The Detroit Edison Company
2000 Second Avenue
Detroit, MI 48226
Facility Name: Fermi 2
Inspection At: Fermi Site, Newport, MI
Inspection Conducted: December 28, 1989 through January 8, 1990
Inspector: W. Rogers
Approved By: W. [signature illegible], Reactor Projects Branch 2    Date: [illegible]
Inspection Summary
Inspection on December 28, 1989, through January 8, 1990 (Report No. 50-341/89033(DRP))
Areas Inspected: Special safety inspection into the circumstances described in LER 89-31, "Inadequate Surveillance Procedure Renders Emergency Equipment Cooling Water (EECW) and Emergency Equipment Service Water (EESW) Inoperable."
Results: Two potential violations were identified (Paragraph 7.a and 7.b). Through inadequate technical preparation/review of two electrical bus load shed testing surveillance procedures, the procedures failed to direct plant operators to reset certain relays which rendered two safety systems inoperable. These inadequate procedures were generated as the result of the licensee identifying deficiencies in load shed testing during corrective actions to a previous surveillance violation in August of 1988. During the licensee's review of this situation, the licensee incorrectly concluded that a 10 CFR 50.72 report was not warranted and only a 10 CFR 50.73 report was made.
DETAILS
1. Persons Contacted
a. Detroit Edison Company
*P. Anthony, Licensing
T. Bradish, Supervisor, PQA
*S. Catola, Vice President, Nuclear Engineering and Services
*P. Fessler, Supervisor, Plant Safety
*D. Gipson, Plant Manager
*L. Goodman, Director of Licensing
*K. Howard, Principal Engineer, Plant Systems
*A. Kowalczuk, Superintendent, Maintenance
*R. McKeon, Superintendent, Operations
*W. Orser, Vice President, Nuclear Operations
J. Plona, Operations Engineer
*G. Preston, Director, Nuclear Training
T. Riley, Licensing
*B. R. Sylvia, Senior Vice President, Nuclear Operations
*G. Trahey, Director, Projects
*R. Stafford, Director, Quality Assurance
b. U. S. Nuclear Regulatory Commission
*W. Rogers, Senior Resident Inspector
*S. Stasek, Resident Inspector
*Denotes those attending the exit meeting on January 10, 1990.
The inspectors also interviewed others of the licensee's staff during this inspection.
2. Normal and Emergency Equipment Cooling Water and Service Water Descriptions
a. Reactor Building Closed Cooling Water System
During normal operation, the reactor building closed cooling water system (RBCCW) provides cooling for safety and non-safety related equipment housed within primary and secondary containments. The system is composed of three 50 percent capacity pumps (one normally in standby) discharging to a common header.
The common header splits into three pathways. One pathway is through all the non-safety related cooled equipment except the drywell coolers and the reactor recirculation pumps. The second pathway is through all the Division I safety related equipment, one half of the drywell coolers, and one reactor recirculation pump. The third pathway is through all the Division II safety related equipment, one half of the drywell coolers, and one reactor recirculation pump. The three pathways join into common piping and then split to pass through two heat exchangers. The two discharge lines from the heat exchangers join into one line before splitting into the three suction lines for the pumps. A head tank is tied into the single line of pump suction piping to assure adequate net positive suction head is maintained.
The power and control circuits for the three RBCCW pumps are non-Class 1E. Three non-safety related actuation signals trip the RBCCW pumps. These signals are low head tank level, low suction pressure, and high pump motor current. The only seismically supported portions of the RBCCWS are the two safety related pathways.
b. General Service Water System
The shell side of the RBCCW heat exchangers are cooled by the general service water system. This is another non-safety related system which takes suction from Lake Erie and discharges the water via five pumps to cool RBCCW and the turbine building cooling water system before returning the water back to Lake Erie.
c. Emergency Equipment Cooling Water System
Section 7.3.d of the Updated Safety Analysis Report (USAR) classifies the EECW system as an engineered safety feature system.
Section 7.3.3.2.2 of the USAR states "In the event that the RBCCW system shuts down, the EECW system is started by low differential pressure between the supply and return headers. Logic is "one-out-of-two." A loss of offsite power (LOOP) directly initiates the EECW system to anticipate the loss of power to the RBCCW system. The EECW system is also auto-initiated on high drywell pressure."
Section 9.2.2.2 of the USAR states in part "The EECW section of the RBCCWS consists of two redundant full-capacity loops, each with a heat exchanger, pump, and makeup tank, as shown in Figures 9.2-3 and 9.2-4. The twin systems designated as Division I and Division II are cooled by the EESWS.... During normal plant operation, both EECW divisions are isolated from the RBCCWS by motor-operated isolation valves. Upon loss of offsite power, high drywell pressure, or failure of the RBCCWS, both divisions of the EECWS are automatically activated; that is, pumps start, makeup tanks isolation valves open, and valves isolate the nonessential portion of the RBCCWS.... Upon loss of RBCCWS differential pressure between the supply and return headers, either Division I and/or Division II EECW loops will start automatically, depending on the portion of the RBCCWS affected. The EECWS may also be manually initiated."
Section 9.2.2.2 of the USAR further states "The following equipment, considered essential to reactor shutdown, can be cooled either by the RBCCWS or, in an emergency, by at least one division of the EECWS:
(1) RHR pumps (two out of four)
(2) Core spray pumps (two out of four)
(3) Reactor auxiliary space coolers (three in Division I or four in Division II)
(4) Standby control air compressor, aftercooler, and space cooler (one out of two sets)
(5) Post-LOCA thermal recombiner system coolers (one out of two)
(6) Switchgear room space coolers (two out of four)
(7) Standby gas treatment room space cooler (one out of two)
(8) Control center air conditioning equipment (one out of two)
(9) Auxiliary building battery charger area space coolers (one out of two)
Section 9.2.2.3 of the USAR states in part "The EECW Division I and Division II portions of the RBCCWS are designed to provide cooling to equipment required for reactor shutdown in spite of a single active or passive failure. Division I and Division II loops are completely isolable from each other. Each loop of the EECWS is operable from a separate emergency bus.... Upon activation of the EECWS, all nonessential loads of the RBCCWS will be isolated except for the seven drywell coolers and the reactor recirculation pumps. These loads can be manually isolated from the control room or will be automatically isolated if a high drywell pressure occurs."
Section 9.2.2.3 of the USAR further states "Both EECW loops are automatically started on high drywell pressure or upon loss of normal offsite power. Upon failure of the RBCCWS, such as pipe rupture, redundant differential pressure switches automatically start the EECW pump(s), depending on the location and severity of the break, and initiate appropriate loop isolation consistent with the operating EECW pump(s)."
Section 7.3.4.3.1.a of the USAR discusses how Paragraph 4.1, Automatic Initiation, of IEEE 279-1971 is met for the EECW system. This section states "This requirement is met by incorporating capability in the design for automatic startup of the EECW system on loss of offsite power, on high drywell pressure, or on occurrence of low pressure across the supply and return headers of either cooling loop."
d. Emergency Equipment Service Water System
The shell side of the two EECW heat exchangers is cooled by emergency equipment service water (EESW). EESW is a standby safety related, seismically supported, Class 1E powered system composed of two independent loops. Each loop is composed of suction piping from the ultimate heat sink, a pump housed in the residual heat removal complex, piping to an EECW heat exchanger, and piping returning from the heat exchanger to the ultimate heat sink. The same actuation signals that initiate EECW initiate EESW.
3. Applicable Technical Specification Requirements
a. Technical Specification Surveillance Requirement 4.8.1.1.2.e.6.a. states that an 18 month test simulating a loss-of-offsite power in conjunction with an ECCS actuation test signal verifying deenergization of the emergency busses and load shedding from the emergency busses shall be accomplished.
b. Technical Specification 3.7.1.2 requires two independent emergency equipment cooling water (EECW) system subsystems to be operable in modes 1, 2, 3, 4 and 5. Inclusive in the definition of an operable EECW subsystem is the ability of the EECW pump associated with that subsystem to automatically start on an automatic actuation signal as discussed in Technical Specification Surveillance Requirement 4.7.1.2.b.
c. Technical Specification 3.7.1.3 requires two independent emergency equipment service water (EESW) system subsystems to be operable in modes 1, 2, 3, 4 and 5. Inclusive in the definition of an operable EESW subsystem is the ability of the EESW pump associated with that subsystem to automatically start on an automatic actuation signal as discussed in Technical Specification Surveillance Requirement 4.7.1.3.b.
d. The action statement associated with Technical Specification 3.7.1.2 and 3.7.1.3 requires in part that the action statement associated with Technical Specification 3.5.2 be taken as applicable.
e. Technical Specification 3.5.2. requires two subsystems of emergency core cooling be operable in cold shutdown (mode 4) and, under action statement b. secondary containment integrity must be established within 12 hours of loss of both subsystems.
f. Technical Specification 6.8.1.d states "Written procedures shall be established, implemented, and maintained covering surveillance and test activities of safety-related equipment."
g. 10 CFR 50.72(b)(2)(iii) states in part "the licensee shall notify the NRC as soon as practical and in all cases, within four hours of the occurrence of any event or condition that alone could have prevented the fulfillment of the safety function of structures or systems that are needed to shutdown the reactor and maintain it in a safe shutdown condition... or mitigate the consequences of an accident."
4. Event Description
On December 20, 1989, the licensee issued LER 89-031. The LER discussed the rendering inoperable of two safety systems through inadequate surveillance test procedures. The LER reported that both subsystems of EECW and EESW were rendered inoperable following 480 VAC engineered safety features bus load shed testing in accordance with surveillance procedures 24.305.01 and 24.305.02.
Procedure 24.305.01 provided instructions for partial testing of Division I 480 VAC buses 72B, 720, 72EA, and 72EB. Procedure 24.305.02 provided instructions for partial testing of Division II 480 VAC buses 72E, 72F, 72EC, and 72ED. Both surveillance test instructions were identical except for divisional nomenclature. In the body of the surveillances, the EECW and EESW pump's undervoltage (UV) relays were actuated. Actuation of the UV relay deenergized another relay, the anti-pump relay (52XX), which opened a relay contact in the pump breaker closing circuit. With the UV relay actuated and this relay contact open, the pumps were incapable of accepting some automatic start signals and a control room manual start signal until such time as the UV and anti-pump relays were reset. However, the surveillance procedures never directed the anti-pump relays be reset. Therefore, upon completion of each surveillance test, that respective subsystem of EECW and EESW remained inoperable.
The test procedures were performed on November 19 and 20 during the licensee's recent refueling outage with the facility in cold shutdown (mode 4) and the integrated leak rate test in progress. Approximately 12 hours after completing the second surveillance test, plant operators attempted to conduct a quarterly Division I EECW/EESW pump and valve test. When the EECW/EESW initiation switches were pressed, an automatic trip of the pumps occurred due to the improper relay configuration. In less than an hour plant operators determined the improper relay configuration and reset all the anti-pump relays (Division I and Division II). Reset of the anti-pump relay is a relatively simple action accomplished from within the control room by taking the pump control switch to the "OFF-RESET" position and back to the "AUTO" position.
Operations personnel deduced that the anti-pump relay had not been reset upon the conclusion of load shed surveillance testing. Other load shed surveillance test procedures were reviewed for a similar problem. Subsequently, operations personnel wrote Deviation Event Report (DER) 89-1371. The DER triggered a review of the situation by technical engineering personnel which provided the information on which the LER was based. Also, as a result of the review, the two surveillance procedures, 24.305.01 and 24.305.02, were revised on December 6 to reset the 52XX relay at the conclusion of load shed testing.
5. Inspector Review
On December 28, 1989, the inspector reviewed LER 89-031 and noted that the event warranted additional followup. On January 2, 1990, the inspector reviewed the contents of DER 89-1371. The information present confirmed the event description provided in Paragraph 4 above. Also, during the DER review, the inspector noted that the 50.72 reportability section of the DER had been checked "No" by the shift supervisor, but a note by the 50.73 stated "TO BE DETERMINED." The DER further stated in the plant manager assignment section "Tech staff determine reportability and operability in 24 hours."
The inspector interviewed the DER evaluator and reviewed the applicable elementary electrical logic drawings along with the surveillance procedure. At the conclusion of this interview/review, the inspector agreed with the licensee's conclusion that the two surveillance procedures were technically inadequate.
During the interview, the inspector ascertained that these surveillance procedures had been generated due to previously identified inadequacies in 480 VAC load shed testing. During the Technical Specification Improvement Program (TSIP), a comprehensive corrective action to a Notice of Violation, the licensee determined that some breakers had not been verified to load shed in an undervoltage condition. Subsequently, appropriate testing was successfully performed in August 1988 under a sequence of events (SOE) test. Procedures 24.305.01 and 24.305.02 were written along with some other surveillance procedures to accomplish the same testing as performed under the SOE test. This was the first time these new surveillance procedures had ever been utilized. Also, the personnel involved in preparing/reviewing these new surveillance procedures were involved in the TSIP effort and qualified as procedure preparers/reviewers under the licensee's program.
The inspector reviewed the surveillance records/operational logs and determined that the Division II surveillance, 24.305.02, was performed between 1130 and 1800 on November 19, 1989. The Division I surveillance, 24.305.01, was performed between 1745 on November 19, 1989, and 0614 on November 20, 1989. The quarterly pump and valve surveillance was begun at 1755 on November 20, 1989. Tripping of the pumps occurred at 1805 and following an initial review by the STA, the automatic anti-pump relays were reset at 1850.
Subsequently, on January 2 and 3, 1990, the inspector met with the operating authority and reviewed the sequence of events. During this activity, the inspector had two questions to be answered. The first dealt with what rationale was utilized to not report this event to the NRC via the emergency notification system network. Second, the inspector requested confirmation that testing of Division I was authorized by the operations personnel 15 minutes before completion of the testing on Division II.
The operating authority informed the inspector that the rationale of why a 50.72 report was not made would be immediately pursued. At the exit on January 10, 1990, the nuclear licensing director provided the review actions and rationale associated with the DER. The review/rationale was that even though the 50.72 section had been checked "No," technical engineering and licensing had reviewed the situation for 50.72 and 50.73 reportability. The licensee review concluded that EECW/EESW was inoperable under the Technical Specifications, but the systems would have been able to perform their safety function. The safety function determination was based upon the low heat rejection demand in cold shutdown, that the loss of offsite power EECW/EESW initiation signal would have worked, that the high probability signal for EECW/EESW actuation was the loss of offsite power, control room annunciators were available to inform the operators of loss of EECW/EESW, and restoration of the manual EECW/EESW actuation capability would not constitute a heroic action.
The operating authority response to the second question was that the same personnel were involved in testing both divisions and that upon completion of the Division II testing, preparatory actions for Division I testing were begun even though the paperwork had not been completed on Division II.
6. Inspector Review of EECW Actuation Signals
During the inspection period a number of questions arose regarding the actuation signals associated with EECW/EESW initiation. As a result the four actuation signals for EECW/EESW were evaluated.
a. High Drywell Pressure
During the inspection, the inspector noted that prior to and during the load shed testing all high drywell pressure signals had been jumpered out to allow integrated leak rate testing to be performed. The inspector asked the engineering authority whether the high drywell pressure signal was taken credit for in any accident scenario in cold shutdown. The preliminary response from the licensee, as the inspector expected, was no. Therefore, the rendering of the high drywell pressure EECW/EESW initiation signal in cold shutdown was of no safety consequence. However, had the licensee entered into startup, mode 2, or power operation, mode 1, prior to identifying this situation, there would have been safety significance.
It should be noted that the Technical Specifications associated with the EECW/EESW systems do not explicitly state what the automatic actuation signals are, or for what modes each signal is required. This same situation exists in the standby gas treatment system (SGTS) Technical Specification 3.6.5.3. In the Control Center Heating, Ventilation, and Air Conditioning system (CCHVAC) Technical Specification, 3.7.2, the high drywell pressure actuation signal is explicitly identified in the surveillance requirements as needing testing at least every 18 months. The CCHVAC system is required in all modes. However, no delineation has ever been made as to what modes each CCHVAC actuation signal is required for CCHVAC to be operable. As with the EECW/EESW condition, it is questionable as to whether the high drywell pressure signal is needed in cold shutdown for standby gas treatment and CCHVAC.
b. Loss of Offsite Power (LOOP)
During one of the initial meetings on this event, licensee personnel stated that the LOOP signal would still have auto-initiated EECW/EESW. The inspector reviewed the basic electrical drawings again and reached that same conclusion. There are two ways to reset the 52XX relay. One way is through operation of the control switch and the other is through activation of an emergency diesel generator (EDG) load sequencer relay contact. In a LOOP the UV relay would actuate as it did in the load shed test. Once the applicable EDG was running, the UV relay would reset and automatic bus loading would begin. To accomplish this loading for the EECW/EESW pumps, the 52XX relay would be energized by the closing of the EDG load sequencer contact in the 52XX relay circuit. Subsequent energization of the 52XX relay would close its respective contact in the pump breaker closing circuit. The breaker would close and the respective pump would start.
c. RBCCW Low Differential Pressure
The inspector determined, as did the licensee, that had an RBCCW failure occurred without a LOOP, the auto-initiation signal was defeated by the open 52XX relay contact.
d. Manual
The inspector determined that the manual initiation features from the control room for EECW/EESW were defeated by the open 52XX relay contact as was seen when the EECW pump and valve test was performed that led to the discovery of this situation. The ability to restore this feature was an easy action from within the control room by manipulation of the control switch provided the operator had the presence of mind to perform such an action.
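
The signal-by-signal evaluation in Paragraph 6 can be written as a small state model that a post-test check runs before a subsystem is declared operable. This is an added example, not code from the report or the licensee: the class, function and signal names are hypothetical, the relay behavior is simplified to what Paragraphs 4 and 6 describe, and it assumes the original procedures reset the UV relay but not the 52XX relay.

```python
from dataclasses import dataclass, replace

# The four EECW/EESW actuation signals evaluated in Paragraph 6.
SIGNALS = ("LOOP", "RBCCW_LOW_DP", "HIGH_DRYWELL_PRESSURE", "MANUAL")


@dataclass
class PumpStartCircuit:
    """Simplified model of one EECW/EESW pump breaker closing circuit."""
    uv_actuated: bool = False              # undervoltage (UV) relay state
    relay_52xx_energized: bool = True      # anti-pump relay; contact closed when energized
    drywell_signal_jumpered: bool = False  # jumpered out for integrated leak rate testing

    def actuate_uv(self):
        # Per the report: UV actuation deenergizes 52XX, opening its contact.
        self.uv_actuated = True
        self.relay_52xx_energized = False

    def reset_uv(self):
        # Resetting the UV relay alone does not re-energize 52XX.
        self.uv_actuated = False

    def control_switch_reset(self):
        # First 52XX reset path: control switch to "OFF-RESET" and back to "AUTO".
        # Assumption: the reset only takes effect once the UV relay has reset.
        if not self.uv_actuated:
            self.relay_52xx_energized = True

    def edg_sequencer_close(self):
        # Second 52XX reset path: EDG load sequencer relay contact closes.
        if not self.uv_actuated:
            self.relay_52xx_energized = True

    def breaker_can_close(self):
        return self.relay_52xx_energized and not self.uv_actuated

    def would_start(self, signal):
        """Evaluate one start signal on a copy, leaving the live state untouched."""
        c = replace(self)
        if signal == "LOOP":
            # UV actuates, the EDG comes up, UV resets, the sequencer contact closes.
            c.actuate_uv()
            c.reset_uv()
            c.edg_sequencer_close()
            return c.breaker_can_close()
        if signal == "HIGH_DRYWELL_PRESSURE" and c.drywell_signal_jumpered:
            return False
        # RBCCW low differential pressure, manual and (unjumpered) high drywell
        # pressure all depend on the 52XX contact already being closed.
        return c.breaker_can_close()


# Constructed step lists standing in for the procedures before and after revision.
ORIGINAL_STEPS = ("actuate_uv", "reset_uv")
REVISED_STEPS = ORIGINAL_STEPS + ("control_switch_reset",)


def run_surveillance(steps, jumpered=True):
    circuit = PumpStartCircuit(drywell_signal_jumpered=jumpered)
    for step in steps:
        getattr(circuit, step)()
    return circuit


def defeated_signals(circuit):
    """Post-test check: which actuation signals would fail to start the pump?"""
    return [s for s in SIGNALS if not circuit.would_start(s)]


if __name__ == "__main__":
    for name, steps in (("original", ORIGINAL_STEPS), ("revised", REVISED_STEPS)):
        print(name, defeated_signals(run_surveillance(steps)))
```

Run against the end state of each step list, the check flags the latent condition that the original procedures left behind and that went unnoticed until the quarterly pump and valve test.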
7. Results
a. Technical Specifications 3.7.1.2 for EECW and 3.7.1.3 for EESW direct plant operators to Technical Specification 3.5.2 for ECCS upon inoperability of EECW or EESW to the applicable ECCS pumps. In cold shutdown, Technical Specification 3.5.2 directs plant operators to establish secondary containment integrity within 12 hours when all of the required ECCS pumps are inoperable which occurred at 1745 on November 19. Secondary containment integrity was not established/verified 12 hours after the applicable ECCS subsystems became inoperable. Therefore, Technical Specification action statement 3.5.2.b. apparently was violated (341/89033-01(DRP)). The root cause of the violation was inadequate preparation and review of the content in surveillance procedures 24.305.01 and 24.305.02. On-shift plant operators were in no way accountable for exceeding this Technical Specification action statement.
b. 10 CFR 50.72(b) was apparently violated (341/89033-02(DRP)) when the licensee failed to inform the NRC via the ENS of the rendering of two safety systems incapable of performing their safety function. The root cause of the violation was not necessarily the on-shift review of the event but the subsequent comprehensive licensing/technical staff reportability review. During that reportability review, the wrong conclusion was derived.
c. On-shift operations personnel exercised poor judgement in authorizing Division I load shed testing prior to completing the test of Division II. Licensee management agreed that this was not a practice condoned by management.
d. Given that the original concept planned for the refueling outage was to divisionalize maintenance/surveillance activities, it is questionable what in the planning/scheduling process forced back-to-back divisional load shed testing.
e. An enhancement to the Technical Specifications is warranted to annotate when the high drywell pressure signal is needed for EECW, EESW, CCHVAC, and SGTS.
No other violations or deviations were identified in this area.
8. Exit Interview (30703)
The inspectors met with licensee representatives (denoted in Paragraph 1) on January 10, 1990, and informally throughout the inspection period and summarized the scope and findings of the inspection activities. Inclusive in the presentation to the licensee was a request to explore enhancing the Technical Specifications, either in the body or the bases, with annotations as to when the high drywell pressure signal is needed for EECW, EESW, SGTS, and CCHVAC. The inspectors also discussed the likely informational content of the inspection report with regard to documents or processes reviewed by the inspectors during the inspection. The licensee did not identify any such documents/processes as proprietary. The licensee acknowledged the findings of the inspection.