IR 05000344/1989013
| ML20248B245 | |
| Person / Time | |
|---|---|
| Site: | Trojan File:Portland General Electric icon.png |
| Issue date: | 05/19/1989 |
| From: | Mendonca M NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION V) |
| To: | |
| Shared Package | |
| ML20248B238 | List: |
| References | |
| 50-344-89-13, NUDOCS 8906080297 | |
| Download: ML20248B245 (7) | |
Text
{{#Wiki_filter:.. _ _ _ _ _ _ -. _ - - _ _. - - _. - - _ _, .~- c ' . . , > s , /0 ' n
, U. Si NUCLEAR. REGULATORY COMMISSION
, REGION.V: ' ,, , - . ,
Report No.
50-344/89-13 ,- ~ ' ' _ _
4 , Docket No.
50-344 .c License;No.
NPF-1 ' , Licensee: Portland General Electric Company 121 S.W.. Salmon Street Portland, OR 97204
Facility Name: Trojan Inspection at: Rainier, Oregon Inspection conducted: April.9-29, 1989 Inspectors: R. C. Barr Senior Reside'nt Inspector G. Y. Suh' Resident Inspector % b C c^-
7 ~ Approved By: M. M. Mendonca, Chief Date Signed Reactor Projectn Section I Summary: Inspection on April 9-29, 1989-(Report 50-344/89-13) Areas Inspected: Special inspection at the Trojan Nuclear Power Plant. The inspection focused on licensee activities related to the failure of the permissive and interlock features for Residual Heat Removal System (RHRS) shutdown cooling suction isolation valve, M0-8702.
Inspection procedures 30702, 30703, 92700,'and 93702 were used as guidance during the conduct of the inspection.
Results: One violation was identified and no deviations.
Paragraph 2 discusses the inoperability of the permissive and interlock features of shutdown cooling suction isolation valve M0-8702.
The inoperability of MO-8702 was not discovered following a design modification due to inadequate testing.
Additionally,_the licensee Quality Assurance Organization performed no technical reviews of'the post modification test procedure, and the engineering and Plant Review Board reviews did not identify the problem.
, - I . O[[ R ADO O G ' ! . . _ _ _. _ _ _ _ _ _ - _ - _ _ _ _ - - _ _ _ - _ _ - _ _ -
7.. - ;- 7 - - a , ja L ' ' ' ,. ~ p:y ., ' (, ". -
t' ' L d[3,} ' ' . n , , , ,, ' p.
, l
DETAILS ..., , ~ ( - , , w 1.
Persons Contacted ' '[ D. W. 'Cockfidld, Vice president, Nuclear
- C. P.,'Yundt,: Plant General Manager i
, ' *D. L. Nordstrom, Actine Manager, Nuclear Quality Assurance
- R. P. Schmitt, Manager, Operations and Maintenance
'
- D. W. Swan, Manager, Technical Services
- J. D. Reid, Manager, Plant Services
' ~ *J. W. Lentsch, Manager, Personnel Protection !
- J. M. Anderson, Manager, Material Services R. A. Reinart, Instrument and Control Supervisor A. N. Roller, Manager, Nuclear Plant Engineering M. A. Perry, Electrical Engineer E. A. Schmieman, Electrical Engineer'
.
- Attended Exit Meeting on April 28, 1989 The inspectors also interviewed and talked with other licensee employees
! during the course of the inspection.
These included shift supervisors, j reactor and auxiliary operators, maintenance personnel, plant technicians and engineers, and quality assurance personnel.
' 2.
Failure of M0-8702 Residual Heat Removal (RHR) Shutdow1 "coling Suction . Isolation Valve to Close on a Simulated High Pressure Sig:'al (92700, 93702), A.
Summary
On April 9, 1989, the licensee performed Periodic Operating Test ' (P0T) 2-5, " Safety Injection System-ECCS Valve and System Performance" with the reactor shutdown in Mode 5, a bubble in the pressurizer and Reactor Coolant System (RCS) pressure and
temperature of 365 psig and 163 degrees F, respectively.
The test l , revealed that Residual Heat Removal System (RHRS) shutdown cooling l suction motor operated isolation valve (M0-8702) would not operate in accordance with an interlock and a permissive, i.e., an interlock 'I to close the valve when a 600 psig and increasing simulated electrical signal was introduced, and a permissive which allows i manually opening the valve at pressures less than 425 psig.
j .I As immediate corrective action, the licensee locked opened M0-8702, l declared the valve inoperable and initiated an event report.
, ; s Additionally, as a courtesy, the licensee notified the NRC ' g Operations Duty Officer and the Resident Inspector of the failure of e, - 'N( ...the valve.to. function as designed.
_, ' . .s -< ' ' , j '3 n , I
j.
' .. [ i c
+% , ' y , _ _ _-- m 9
pi 'R' ~. ' ~ ' ' ' , we .- , & ?:4 _ }= "* p
( cb .' p . ..,. , ' L'/'r
- As
- immediate. follow-up, licensee Instrument and Control.(I&C).
- L technicians. performed polarity. checks.on the logic and control: ' I G.
wiring for M0-8702.~.The' technicians determined the connector'that
~ s transfersLthe-input of_ signal comparator module'(PB-405A-8) to its ' J associated' interface l terminal connection board had. incorrect . polarity on two pins'of.the multi pin (multiconductor) connector.- .Upon identifying the wiring error, the licensee concluded that with~ gL ~ ', 'the. existing plant conditions'immediate repair was not required.- -Correction of,the wiring error has_been planned prior,to entering- '
Mode 4.
-[ Subsequently, the licensee. determined that the: reverse polarity had < ~ occurred as'a result of< modifications to the Remote Shutdown.
. Station.
The licensee completed a comprehensive review of the post: . modification testing for the Remote Shutdown Station' modification,= ' , $ ' < -
- Temporary Plant? Test (TPT)'-235.
' _ TheTinspectors. reviewed the problem and conc 1'uded thai: ' ' q ' L 1.
TPT-235 should have teste'd the subject RH'R valve' interlock / , permissive circt.itry as these; protective functions were > , interrupted.by.the modification.
y 2.
The independent review of the TPT'by a test. engineer.was not ' adequate to find the problem.
.I - g '3.
- The review and obse'rvations by.the Quality Assurance Department' (as part of the Plant Review Board.and during. test conduct) were not technically oriented and did not identify!the problem.
, 4.
The review by the Plant' Review Board was not adequate to-identify the problem.
os b - , .. 5.
. Therek,asnotechnicalfreviewof[thiiTPTbydesign. engineers a for'the modification.il. % / ? _..; - + , , 6.
The 'c'omplete' information for the design charige was provided to the cognizant. test engineer. shortly before the test was to~ be conduct 6d, which may have' contributed to the failure.to perform < an adequate post modification, test.
- 7.
The problemLofLresersed polarity.most likely occurred during origina1' construction and was notl documented or known at the time.
, .c , . 8: The inspectors concurred with the licensee's assessment that other functions affected by the modification had been verified
by separate tests subsequent to the modification.
B.
helectedResidual'HeatRemovalSystem(RHRS)DesignFeatures A function of the RHRS, at low temperature and low pressure, is to remcVe heat from the reactor core and reactor coolant system during plant cooldown and refueling operation.
This function is , _ - - _ _. _ _. _. _. _ _ _ _ _ _. _ _ _ _ _. _ _ _. _. _ _ _ _ _., _ _ _ _ _ _
- _ u ,
. .
- , . i . .
l accomplished by pumping reactor coolant from the reactor coolant system (RCS). loop 4 hot leg through RHR heat exchangers,.which f - remove he'at from the reactor coolant using component cooling water, ' and returning the reactor coolant to the' cold legs of the reactor-coolant system.
Since the RHR system is a low pressure system and connected to the high pressure: reactor coolant system, the system must be protected from overpressurization.
If the Residual Heat Removal System were to rupture as a result.of overpressurization the potential of a primary coolant system leak outside the reactor containment (EVENT V) to the auxiliary building would exist.
Design features and administrative controls are used to protect the RHR . system from overpressurization.
The design features used are interlocks, permissives and pressure relief valves.
An RHRS interlock, associated with the shutdown cooling function of the RHR system, is designed to automatically shut the loop 4 hot leg motor operated,-14", suction, isolation, gate valves, M0-8701 and M0-8702 prior to RHR system pressure exceeding 600 psig. The permissive, associated with the shutdown cooling function of the RHR system, permits manual opening of the suction valves MO-8701 and MO-8702 only when reactor coolant system , pressure is less than 425 psig.
Thus, the interlock and permissive ' prevent exceeding system design pressure (600 psig) by preventing . system operation at greater than 600 psig.
Additionally, four pr. essure relief valves are installed on the shutdown cooling. portion of the RHR system.
Pressure relief valve PSV 8708, whose capacity is' based on relieving the capacity of two centrifugal charging pumps and the positive displacement charging pump (approximately 778 gpm) is.a 3" valve with a capacity of 900 gpm at 600 psig and is located on the shutdown. cooling suction.
Pressure relief valves PSV 8856A , 'and PSV 8856B,-whose capacity is based on gross pressure isolation - chec( valve back-leakage, are located on the RCS loops 1/2 and RCS - loops 3/4 cold leg discharge, respectively, and are 2"' valves with each'having'a capacity of 400 gpm at'600 psig.
Pressure relief valve PSV-8709 whose capacity is based on pressure isolation check 1 valve leakage,'is located on the RCS loop 2/4 hot leg discharge and-is a 3/4" valve with a capacity of 20 gpm.
' C.
Miswiring of M0-8702/ Remote Shutdown Station (RSS) Design Change , f During the 1988' Refueling Outage, Request for Design Change (RDC) 85-052, Remote Shutdown Station (RSS), was implemented.
The RDC relocated the RSS and improved its operational features.
Since new equipment (Bailey Network 90) and improved operating features were added by the modification, it was also necessary to modify portions of the installed plant control and logic (HAGAN) instrumentation.
Temporary Plant Test (TPT)-235 " Remote Shutdown Station Input / Output Verification" dated (approved) April 27, 1988, was to establish the methodology and testing to verify proper operation of equipment affected by the modification.
The inspectors recognized that the System Engineer tasked with organizing, developing and coordinating the test program for the RSS modification had been involved with the design change during it's =_-_________-_- - ____ D
._ - - - - _ _ _ _ _ _ _ , , .. p ..
a, I development Additionally, the inspectors noted that all drawings and data required for. development of.the TPT'for the testing associated with MO-8702 were. pros Med to the cognizant test engineer on approximately May 6, 1988. The inspectors concluded that only having two weeks for the development of a complex test procedure may have contributed to the failure to establish a comprehensive test for the modification.
Section 1.2 of the test proce' dure states the purpose of the test procedure is "to verify that circuits interrupted by thejRSS installation will perform their control, i_ndication, permissive and/or protective functions after. restoration".
Additionally, section 1.14 states " Protection. functions that have been interrupted are verified operable after. restoration by causing or. simulating a trip signal and. observing protective action.", In discussions with' the inspectors,;theLcognizaht Test.Engin'eer that drafted and supervised TPT-235, stated'that test methodology should have tested the M0-8702, however, by oversight.the testing was not~ proceduralized.
The inspectors noted:that each test was independently verified'to be correct.and adequate by one of the other test engineers assigned to work on this modification.
The. inspectors also assessed the Quality Assurance Organization's participation in the' review and approval of,TPT-235.
Temporary Plant Tests (TPT's) controlled per Administrative Order, A0-3-15, " Temporary Procedures", are reviewed by the. originator, the originator's supervisor, the Plant Review Board (PRB) and approved by the Plant Manager.
The only Quality Assurance review of TPT's is performed by the Quality Assurance representative of PRB.
The PRB review is a general review for acceptable methodology and testing philosophy.
No Quality Assurance Organization reviews are performed on TPT's for technical adequacy.
During the conduct of TFT's, the Quality Assurance Organization may, if deemed appropriate, conduct observations to ensure procedural compliance and verifications to ensure proper data values, lead termination etc.
For TPT-235, observations and verifications were performed; however, technical adequacy of the tests performed was not randomly sampled by the Quality Assurance Organization.
The inspectors reviewed in detail with the design engineer, supervising testing engineer and the I&C group supervisor various portions of the RSS modification.
The inspectors concluded the.RSS modification associated with MO-8702 was designed and installed correctly.
The failure of the interlock and permissive associated with MO-8702 appears'to have resulted from a wiring error made prior to 1977 and most probably during original construction.
Acceptance testing records from original construction were reviewed with no documentation of failure of M0-8702 interlocks and permissives to function properly.
Additionally, surveillance records from 1977 to the present were reviewed to verify that the permissive and interlock features of M0-8702 were operable.
Also, in the RSS modification there were approximately sixteen instances where the independent verification failed to identify an inadequate test, but ! - __-__
_ (L.4 l( '
n .. i'
, l the licensee has subsequently verified these operable by previous ,'
i test results.
- 1
- The drawings used to develop the RSS modification did not indicate incorrect polarity.
Therefore, the design po:kage engineers could not'have' identified the reverse polarity problem; however, post . ' modification testing should have identified the problem.
The t i , w inspectors independently noted that "as-built" drawings of these
, , . / circuits had never been established.
Additionally, the licensee and
3
,,y,b '
- the inspectors independently concluded'that review of the test by i
i , ~Y> ,: design engineering may have identified the problem.
The licensee /. + ,t.
plans;to institute such test verification by design engineers in the
' ,. s, , - future.
-
3 _ In' summary, 'a wiring error probably occurred during original ' ' construction, and was corrected by reversing leads which was not
e l'
documented.
The reversal resulted in the Remote Shutdown Station.
> + , Er 3 modification design being in error for the wiring of MD-8702.
" ' 'p' Because the; control system had never been as-built, the error was , not recognized.
Because the' post modification testing was inadequate and there was no technical reviews by,QA of the post- - _ , J, ' modification test, the error was not_ identified until a subsequent surveillance was performed approximately one year after the modification had been implemented.
This is an' apparent violation of Appendix'B requirements (50-344/89-13-01).
D.
Safety Significance of the Failure of MO-8702 to Operate as Designed The ultimate safety concern is exceeding the offsite dose limits of 10 CFR 100 via an uncontrolled reactor coolant system leak through a failed residual heat removal system.
The RHRS is des.igned such that a single failure would not prevent the system from performing its intended safety function.
To fully understand the safety significance of the failure of M0-8702 to operate, the single failure of M0-8701 was assumed.
The,following paragraphs analyze RHR system response with both RHR suction. isolation valves MO-8701 and MO-8702 failing to operate as designed.
With the facility operating in Modes 1, 2 and 3, reactor power from 100% to shutdown and RCS temperature greater than 350 degrees F, administrative controls require M0-8701 and M0-8702 to be closed with power removed from the valves motor operators.
Additionally, plant procedures require the RHRS not be placed in service until pressure and temperatures are less than 425 psig and 350 degrees F, respectively.
Therefore, the potential of overpressurizing the RHRS in Modes 1, 2 and 3 due to M0-8702 interlock and permissive failing and a single failure is extremely low.
With the facility operating in Mode 4 the shutdown cooling portion of the RHR system may be placed in service by procedure when RCS temperature and pressure is less that 350 degrees F and 425 psig, respectively. With these conditions, events that could result in RCS and RHR pressurization greater than 600 psig must be evaluated.
The most limiting event appears to be a safety injection initiation .
- - - -. _ - - _ - -
f,'4 ' [,. ].} M, [ly [' N A . R ' > , A . 3s .t v . , , ,y FS ~ y ,. T % %< .,?- 'pih, , ' w d u.
y,~*[ y' ;P 16; _., ' ' > , l
- , u y ., g, , , 3t' _ , , ' < ' . < ,- m , &# ^ l ... ^ '
, that could;resul,tjin the njectiAntofmapproximately 1366 gpm.(a . ' ., (combination of. safety /inj]ection, pumps,iS88'gpm; and the centrifugal.
' f,. , ' [ >, -# ~ ~ ' ~ L4 charging;and;_ positive' displacement pumps,'778 gpm).. The injection M of 1366 gpm of' water would slightly exceed the. relief capacity of ' the ' system 1320'gpm in a. wor' t case situation. This would then
s - result in-an} increasing system pressur'e that would be expected to; stabilize at" a pressurefs1ightly above'the RHRS design pressure.
, l17 However, the;1icensee noted that-the probability of this' worst case " configuration.was highly unlikely.
That.is, the' positive: ' displacement charging pump has not generally been used and does not- '
have=an automatic start' signal. : Consequently,'the relief capacity-s, of the system would be adequate for..the capacities.of all.pumpsi(two? safety injection and two centrifugal charging pumps) th'at'could pump- , into the RCS with:the.RHR in service.. Additionally, during the time.
when the interlock and permissive were inoperable,-the positive . displacement pump had;been caution tagged in the pull.to-lock.
.. position asLa compensatory measure for. electric separation (Appendix " . R) concerns,; therefore, the RHR relief capacity would not' have been - J exceeded.
, When the facility is in. Mode 4 with the RCSLless than 290 degrees'F, , _ only one.~ safety. injection pump'is' operable and the overpressure mitigation system _is in, service. ;With these. features enabled, the overpressurizationof, the ' RHRS "is unlikely. Additionally with the facility in Modes'5 and 6,-overpressurization'of the-RHR system'is , unlikely due to having-adequate relief paths' established.
Y ~3.
Exit Interview (30703) .An' inspector met with the licensee representatives denoted in paragraph 1 ~ onl April 28, 1989, and with licensee management throughout the inspection period.
In these meetings'the inspector summarized the scope and findings of the inspection activities.
, t 'h 'q g- %
. - v ?l .. 4N . lg ~$- + , - , ,
. g .;.
V " , % }}