IR 05000382/1990200

Interfacing Sys LOCA Insp Rept 50-382/90-200 on 900730-0810. Major Areas Inspected: Plant Design Features, Sys, Equipment, Procedures, Operations Activities & Human Actions That Could Affect Initiation or Progress of Interfacing Sys LOCA
ML20059K870
Site: Waterford
Issue date: 09/10/1990
From: Ball J, Konklin J, Lanning W, Office of Nuclear Reactor Regulation
Shared Package: ML20059K868
References: 50-382-90-200, NUDOCS 9009240296


Text

U.S. NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR REACTOR REGULATION

Division of Reactor Inspection and Safeguards

NRC Inspection Report: 50-382/90-200
License No.: NPF-38
Docket No.: 50-382
Licensee: Entergy Operations, Inc., Post Office Box B, Killona, Louisiana 70060
Facility Name: Waterford 3
Inspection Conducted: July 30 through August 10, 1990

Inspection Team:
Jay R. Ball, Team Leader, NRR
Sanny S. Diab, System/Risk Analyst, NRR
Philip C. Wagner, Inspector, Region IV

NRC Consultants:
J. L. Auflick, Idaho National Engineering Laboratory
C. C. Baker, Carlow Associates, Inc.
P. W. Eshleman, Engineering & Science Associates, Inc.
S. A. Fleger, Carlow Associates, Inc.
D. C. Ford, Resource Technical Services
D. L. Jew, EAS Energy Services
D. L. Kelly, Idaho National Engineering Laboratory
O. R. [name illegible], Idaho National Engineering Laboratory

Approved by: Jay R. Ball, Operations Engineer, Team Inspection Development Section A, Special Inspection Branch, Division of Reactor Inspection and Safeguards, Office of Nuclear Reactor Regulation. Date: [illegible]

Approved by: James [initial illegible] Konklin, Chief, Team Inspection Development Section A, Special Inspection Branch, Division of Reactor Inspection and Safeguards, Office of Nuclear Reactor Regulation. Date: 9/10/90

Approved by: Wayne D. Lanning, Chief, Special Inspection Branch, Division of Reactor Inspection and Safeguards, Office of Nuclear Reactor Regulation. Date: [illegible]

TABLE OF CONTENTS

EXECUTIVE SUMMARY
1.0 BACKGROUND
2.0 INSPECTION APPROACH
2.1 Objective and Scope
2.2 System Descriptions
2.2.1 High-Pressure Safety Injection
2.2.2 Safety Injection Tank
2.2.3 Shutdown Cooling and Low-Pressure Safety Injection Systems
2.2.4 Chemical and Volume Control System
2.3 ISLOCA Scenarios
3.0 PLANT DESIGN FEATURES
3.1 Design Capability of Isolation Valves
3.2 Shutdown Cooling Suction Valve Interlocks
3.3 ISLOCA Annunciator Availability
4.0 MAINTENANCE, SURVEILLANCE, AND TESTING
4.1 Surveillance and Testing
4.1.1 Pressure Isolation Valve (PIV) Identification and Classification
4.1.2 PIV Surveillance Testing
4.1.3 Relief Valve Testing
4.2 Maintenance
4.2.1 Corrective Maintenance
4.2.2 Preventive Maintenance
4.2.3 Plant Material Condition
4.2.4 Failure Trending and Root-Cause Analysis
5.0 HUMAN FACTORS AND HUMAN RELIABILITY
5.1 Human Factors
5.1.1 Man-Machine Interface
5.1.2 Procedures and Documents
5.1.3 Training
5.2 Human Reliability
6.0 CONCLUSION
APPENDIX A - Personnel in Attendance at Exit Meeting
APPENDIX B - Diagrams of the HPSI and SDC/LPSI Systems
APPENDIX C - Pressure Isolation Valves
APPENDIX D - Documents Reviewed

EXECUTIVE SUMMARY

The NRC team conducted an interfacing system loss-of-coolant accident (ISLOCA) inspection at the Waterford 3 nuclear power plant from July 30 through August 10, 1990. This inspection supported the ongoing NRC program for assessing the probability for ISLOCAs at operating nuclear power plants. The objective of the inspection was to collect data and information about plant conditions, including design features, systems, equipment, procedures, and operations that could affect operator detection, diagnosis, and response to an ISLOCA. In addition, the team collected information related to human reliability analysis (HRA) for a study being conducted by NRC's Office of Nuclear Regulatory Research.

ISLOCA refers to a type of postulated event in which the pressure boundary between the reactor coolant system (RCS) and a low-pressure system is breached, resulting in a loss of primary coolant outside containment. The team focused on the shutdown cooling and safety injection systems because of the possible consequences of component failures or operator errors in those systems. The team limited its review of the chemical and volume control system because of the low probability of an ISLOCA in that system.

The team found that the pressure isolation valves (PIVs) within systems interfacing with the RCS pressure boundary at Waterford 3 were adequately maintained and tested to minimize failures that could initiate an ISLOCA.

The team did not identify any significant deficiencies in the man-machine interface that might significantly increase the probability of an operator error initiating an ISLOCA. However, the team identified weaknesses in the man-machine interface that could adversely affect the ability of the operators to mitigate an ISLOCA because of poor equipment labeling and the inaccessibility of some equipment.

The team identified one scenario involving a normal cooldown evolution that appeared to have a higher than expected probability for occurrence. A simulator exercise demonstrated that the operators, although not specifically trained and lacking specific procedural guidance, were able to adequately cope with the event.

The team considered that the lack of existing design calculations to verify the ability of PIVs to close against postulated differential pressures was a weakness. In addition, no calculation existed that showed check valves located within the suction line from the reactor water storage pool (RWSP) to the low-pressure safety injection (LPSI) pumps were correctly positioned with respect to upstream pipe fittings to ensure that they would not become damaged as a result of flow turbulence. The licensee performed a preliminary calculation during the inspection that showed acceptable positioning of the valves.

The team found the licensee's maintenance program for the PIVs generally effective and considered the failure trending and analysis to be a strength. Although the licensee had developed an adequate check valve maintenance program, the team noted a weakness in the maintenance of two LPSI pump suction header check valves. These valves had recently been included in the program but had not received any form of internal maintenance or inspection during the life of the plant.

The team concluded that the surveillance performed on PIVs was appropriate. Although minor weaknesses were found in the surveillance procedures, these had already been identified by the licensee and the procedures were in the process of revision.

The team found emergency operating procedures to be well written although they lacked some human factors considerations. In addition, annunciator response procedures were found to contain some inconsistencies in format and wording. Although training specific to ISLOCAs was not a part of the licensee's training program, operators indicated, during walkthroughs and simulator exercises conducted by the inspection team, that they were generally well prepared to cope with losses of RCS inventory.

1.0 BACKGROUND

The interfacing system loss-of-coolant accident (ISLOCA) is a postulated loss-of-coolant accident in which an interface between the high-pressure boundary of the reactor coolant system (RCS) and connecting low-pressure piping is breached. This type of accident is of special concern because overpressurization of the low-pressure systems could result in a rupture outside containment and thereby a discharge of reactor coolant to the environment. Furthermore, mitigation systems for all types of LOCAs could be adversely affected by an ISLOCA.

The ISLOCA was first identified as a significant contributor to risk in the Reactor Safety Study WASH-1400. The ISLOCA was then referred to as Event-V, and was limited to the failure of two check valves (the pressure isolation valves) which lead to overpressuring and rupture of the low pressure system. The ISLOCA has now been expanded to include failure or inadvertent opening of motor-operated valves. The consequences of an ISLOCA are greatly dependent on plant features, break locations, and mitigating actions, and are associated with many uncertainties. Thus, the Nuclear Regulatory Commission (NRC) initiated a series of inspections by the Office of Nuclear Reactor Regulation (NRR) and related efforts by the NRC Office of Nuclear Regulatory Research (RES) to collect information on plant features that could affect the frequency and severity of an ISLOCA. ISLOCA inspections have been performed at several other nuclear power plants. The team used the results of these inspections to prepare for the Waterford 3 ISLOCA inspection.

2.0 INSPECTION APPROACH

2.1 Objective and Scope

The primary objective of this inspection was to evaluate specific plant design features, systems, equipment, procedures, operations activities, and human actions that could affect the initiation or progress of an ISLOCA. This included identification of generic events or system features associated with postulated ISLOCAs, possible initiating or precursor events, and possible related human errors.

The team assessed licensee programs relevant to the ISLOCA and reviewed various licensee records to determine the effectiveness of preventive, corrective, and mitigative measures. The team considered pressure isolation valves (PIVs) to be those that isolated the higher pressure RCS from the lower pressure interfacing systems. The team focused its review on the shutdown cooling (SDC), low-pressure safety injection (LPSI), and high-pressure safety injection (HPSI) systems because of their importance to the ISLOCA scenarios and potential consequences. The team developed ISLOCA scenarios for each of these systems. Multiple failures of equipment, inadequate procedures, and human error were considered in this development process. To a limited extent, the team also reviewed the chemical and volume control system (CVCS) and scenarios related to failures in that system.

The systems considered for the ISLOCA inspection are discussed below, followed by a discussion of the scenarios developed to identify conditions that could affect initiation or progress of an ISLOCA. Sections 3, 4, and 5 address the detailed inspection results, and Section 6 provides the overall conclusion of the inspection team. Appendix A lists the persons attending the exit meeting held with the licensee's representatives on August 10, 1990. Appendices B, C, and D provide supplemental information to this inspection report.

2.2 System Descriptions

The systems considered for this inspection generally met the following criteria:

- piping that was connected to the RCS and penetrates the containment (lines that were connected to the RCS but do not penetrate the containment were not considered because ruptures in these lines would result in a LOCA inside the containment, which was a design-basis accident)
- interfacing piping with design pressure ratings substantially below the RCS pressures
- associated piping with the capacity for a sufficiently large leak rate so that the normal makeup system would not have the capability to replace the inventory lost

The interfacing systems satisfying these criteria at the Waterford 3 plant were the HPSI, the safety injection tank (SIT), the SDC in conjunction with the LPSI, and the CVCS.

Low-pressure systems were postulated to be overpressurized by valve manipulation or failures such as valves left open after scheduled surveillance or maintenance, inadvertent valve opening by operators, spurious valve opening, or a combination of these mechanisms.

2.2.1 High-Pressure Safety Injection System

The function of the HPSI system was to inject cooling water into the RCS during small- and medium-size LOCAs through cold- or hot-leg injection flow paths. The cold-leg injection mode is started automatically upon receipt of a safety injection signal. Hot-leg injection is activated by the operator a few hours into the event to avoid boron precipitation.

Two HPSI pumps, A and B, are aligned to inject water into the four cold-leg flow paths. An additional swing pump A/B can be manually aligned to provide for injection. In each of the HPSI flow paths, there were two check valves inside the containment and a normally closed motor-operated valve (MOV) in the reactor auxiliary building (RAB). Injection into the hot-leg flow paths can be aligned manually through two injection lines. Each of the injection lines had two check valves inside the containment and two closed MOVs in the RAB. The MOVs in the hot-leg injection flow path were procedurally controlled and locked closed with key-operated control switches in the control room. Appendix B, Figure 1, shows a diagram of the HPSI system and the relative location of the HPSI components within the RAB and the containment building.

The closed MOVs were the high-to-low pressure interfaces. The containment penetration piping downstream from the closed MOVs, including the two check valves, had a design pressure of 2485 psig. The piping in the RAB, upstream of the MOVs up to the pump discharge, had a design pressure of 1950 psig. All the normally closed MOVs on the HPSI injection lines that were in the RAB were easily accessible for local operation. However, operation of these valves could be restricted by a break or by the inability of the valve to close against high flows or pressure differentials if they had been opened.

If an ISLOCA break occurred at the suction portion of an HPSI pump and the refueling water storage pool (RWSP) outlet isolation valves (SI-106 A or B) could not be closed, the RWSP water would be lost. This would affect long-term recovery and core cooling, and valves SI-106 A and B were not readily accessible for local operation.

2.2.2 Safety Injection Tank System

The SIT system was a passive system that provided a large volume of water to make up for lost coolant in the reactor core if a large break LOCA occurred. The system was actuated when the RCS pressure dropped below the pressure of the cover gas in the tanks, which was maintained at about 650 psi.

The SIT system consisted of four pressure vessels filled with borated water and pressurized with nitrogen gas. A 12-inch-diameter outlet line for each SIT was connected to one of the cold legs through a safety injection line. Since the SITs were passive components, only check valves and a locked-open MOV isolated them from the cold-leg flow paths.

The SIT system piping that penetrated the containment consisted of the drain line and the fill lines that also were common to the HPSI and LPSI systems. The drain line was a 2-inch line with two normally closed air-operated globe valves, and a manual valve outside the containment which acted as a 1950/550 psig high-to-low pressure interface. The 550 psig was the design pressure on the outside of the outermost valve. There were numerous valves that could be used to isolate a break in either the drain line or fill lines. However, operation of any of these valves could be restricted by a break or by the inability of the valve to close against high flows or pressure differentials.

High pressure alarms and instrumentation were available to alert the operator to an ISLOCA within the SIT system. SIT pressure and level indications were also provided in the control room so that any in-leakage or out-leakage from the tanks could be detected.

2.2.3 Shutdown Cooling and Low-Pressure Safety Injection Systems

The function of the Shutdown Cooling (SDC) system was to remove decay heat during normal plant shutdowns. The SDC system used the LPSI system lines and LPSI pumps to perform this function. A line from the RCS directed inventory to the LPSI pumps suction header. To remove decay heat, the flow was directed through line connections to the SDC heat exchangers and back to the RCS. The function of the LPSI system was to inject cooling water into the RCS during medium and large break LOCAs. Appendix B, Figure 2, shows a diagram of the SDC flow path from the RCS through the LPSI system and back to the RCS and the relative location of the SDC/LPSI components within the auxiliary and containment buildings. The SDC system was placed in operation when the RCS pressure and temperature were less than 392 psig and 350°F. The LPSI system was normally in standby during power operations and operated automatically upon receipt of a safety injection signal. It could also be actuated manually.

Hydraulically operated valves (HOV) SI-405 A and B in the SDC 14-inch-diameter suction lines provided high-to-low pressure interfaces with the RCS. The design pressure was 2485 psig on the high-pressure side (RCS side) and 440 psig on the low-pressure side for components and penetration piping. In addition, MOVs SI-401 A and B with a 2485-psig pressure rating and MOVs SI-407 A and B with 440-psig pressure rating were located in the flow path from the RCS to the LPSI pump suction and were normally in the locked-closed position. These valves served as additional isolation valves for the SDC suction lines. Valves SI-401 A and B and SI-405 A and B located inside the containment were equipped with position indications that alarmed in the control room to alert an operator if the valves were off their closed-seat and the RCS pressure was greater than 392 psi.

The above valves were equipped with RCS pressure automatic closure interlocks (ACI). If any of these valves was inadvertently left open during startup operations, the ACI would cause them to automatically close when the reactor pressure increased above 700 psia. However, the licensee planned to remove the ACI because of other considerations. Additionally, during the shutdown evolution, an open permissive interlock (OPI) allowed the valves to be opened from the control room only when the RCS pressure was within the SDC system design pressure.

Pressure relief valves SI-406 A and B were located on 6-inch-diameter low-pressure piping downstream of HOVs SI-405 A and B. SI-406 A and B, which discharged to the containment sump, had a rated capacity of about 3100 gallons per minute and a setpoint of 415 psi.

Each SDC/LPSI injection line to the cold legs had two check valves inside the containment and a normally closed, fail as-is MOV in the auxiliary building. Between the two check valves on each of the four injection lines, there was a pressure transducer that indicated the pressure between the two valves in the control room and caused an alarm to sound if the pressure increased to 1000 psi. Between the closed MOV and the outboard check valve there was a test connection that was used for leak testing. As the RCS is pressurized during startup, the pressure indication/alarm in the control room should alert the operator if the first check valve was leaking or had failed open. To isolate an ISLOCA in the SDC/LPSI lines, there were a number of valves that could be operated from the control room or at the valve locations. However, the ability to close these valves could be restricted by high flow rates or pressure differentials.

The SDC/LPSI MOVs and manual valves located outside the containment were readily accessible for local operation, with the exception of SI-407 A and B. MOVs SI-407 A and B were located about 20 feet above the floor and had small handwheels that could be difficult to manipulate. Locked-open manual valves SI-410 A and B were in line, respectively, with SI-407 A and B and could possibly be used to isolate an ISLOCA after being unlocked. If an ISLOCA break occurred at the suction portion of an LPSI pump and valves SI-106 A or B could not be readily closed, the RWSP water would be lost, which would affect long-term recovery and core cooling.

2.2.4 Chemical and Volume Control System

The functions of the CVCS included automatic control of the RCS inventory and control of the boron concentration and reactor water purification.

The two CVCS lines that penetrated the containment were the letdown and charging lines. The letdown line was a 2-inch line with a number of air-operated valves that fail closed on loss of air or power. The second valve outside the containment (the letdown flow control valve) acted as the high-to-low pressure interface. The penetration piping up to and including the letdown flow control valve had a design pressure of 2485 psig, and the piping downstream of that had a design pressure of 650 psi.

The discharge lines from three positive displacement pumps combine into one injection line which penetrated the containment at the location of a locked-open valve, entered the regenerative heat exchanger, then led into four branch lines. Two of the branch lines, which each has a normally closed solenoid-operated valve and a check valve, combined into one header and fed the pressurizer auxiliary spray. The other two branches, which each has a normally open solenoid-operated valve and a check valve, fed two of the cold legs. The piping downstream of the charging pumps had a design pressure of 3125 psi.

2.3 ISLOCA Scenarios

The team reviewed seven ISLOCA scenarios to identify conditions that could affect initiation or progress of an ISLOCA. These scenarios involved a failure of two pressure isolation valves in series, resulting in a loss of pressure boundary and subsequent overpressurization of a low-pressure (i.e., less than RCS pressure) system. Various other failures were then postulated, such as relief valve failures, loss of pump seals, or rupture of various piping or flange connections. The circumstances and assumptions underlying the postulated ISLOCA scenarios involved multiple failures and exceedance of the plant's design bases. The seven scenarios are listed below.

1. Failure of SDC suction isolation valves
2. Failure of LPSI cold-leg discharge check valves
3. Failure of HPSI cold-leg discharge check valves
4. Failure of HPSI hot-leg discharge check valves
5. Failure of charging system cold-leg discharge valves
6. Failure of the letdown flow control valve
7. Failure of check valves in the suction line from the RWSP to the LPSI pumps

The team considered the seventh scenario to have the greatest chance for occurrence. The seventh scenario involved a normal plant cooldown evolution that would result in challenging two normally unseated check valves located in the line between the RWSP and the suction portion of one of the LPSI pumps. These check valves (SI-108 A or B and SI-1071 A or B) separated piping rated at 160 psig from piping rated at 440 psig. During a plant cooldown, when transitioning from Mode 4 to 5, the operators place one of the two trains of shutdown cooling into service by opening the three isolation valves (SI-401 A or B, SI-405 A or B, and SI-407 A or B) between the RCS hot legs and the suction portion of a LPSI pump. This occurred by procedure when the RCS pressure was no greater than 392 psig. When the last of these valves was opened, the check valves in the suction line from the RWSP must seat to prevent overpressurization of the upstream piping. If the valves failed to seat, the low-pressure piping could fail as a result of overpressurization. RCS inventory would be lost unless operator action was taken to reclose at least one of the three isolation valves in the SDC suction line. In addition, the scenario indicated that, if the operators were unable to close the RWSP outlet isolation valve (SI-106 A or B), which was a normally open, fail-as-is, air-operated butterfly valve, the contents of the RWSP could drain to the basement of the reactor auxiliary building. This could affect long-term recovery and core cooling.

3.0 PLANT DESIGN FEATURES

3.1 Design Capability of Isolation Valves

The team evaluated the electrical and mechanical design characteristics of various pressure isolation valves (PIVs) to determine their ability to prevent or terminate an ISLOCA. The team's review of the electrical schematic and the control wiring diagrams showed that the control and interlock functions associated with the operation of the valves were satisfactory. The team also found the equipment qualification data records for selected PIVs to be satisfactory.

The team reviewed in detail SDC suction header isolation valves (SI-401 A and B and SI-405 A and B). The motor-operated SI-401 A and B valves isolated their SDC loop from the RCS near the penetration to the respective RCS hot leg. The pneumatic, hydraulically operated valves SI-405 A and B performed a fast-acting isolation function and were located immediately downstream of the respective SI-401 valve.

The team evaluated the capabilities of the SDC valve actuators to close the valves against their design pressure and flow rate conditions. The valve data sheet for the SI-401 A and B valves indicated that the stem thrust necessary to close the valves at their design pressure of 2485 psig had been calculated to be 64,016 pounds. The team performed an independent calculation using more current industry data and determined that the required stem thrust could be as high as 115,000 pounds. The team discussed these calculations with licensee personnel and were told that the SI-401 A and B valves were included in the motor-operated valve testing program and that they would be reevaluated as part of that program. In addition, licensee personnel stated that these valves would not be open when the RCS was pressurized above 700 psig. The team verified that open permissive interlocks and automatic closure features were incorporated into the control circuitry for the valves. The team also reviewed the administrative controls that limited the open condition of the valves. These reviews are discussed in more detail in Section 3.2.

The SI-405 A and B valves were opened by hydraulic oil pressure acting below the actuating piston and were closed by gas pressure acting above the piston. The team questioned the ability of the pneumatic-hydraulic actuators to close the valves if the volume of nitrogen gas in the accumulators was at the low-pressure alarm setpoint. The licensee was unable to produce any existing calculations that proved the ability of the valves to close. Therefore, licensee personnel performed calculations of the stem thrust required to close the SI-405 A and B valves at various RCS pressures. The licensee's calculations indicated that a stem thrust of 21,478 pounds would be required to close the valves with an RCS pressure of 700 psig. The licensee then calculated the gas pressure needed to produce the necessary stem thrust. On the basis of those calculations, the licensee determined that a significant margin existed even if valve closing was initiated at the low-pressure alarm setpoint.

Independently, the team performed a calculation and determined that a stem thrust of approximately 40,000 pounds would be required to close the valves if the RCS pressure were 700 psig. This calculation was based on the latest NRC guidance, which may not have been used in the licensee's calculation. However, the team verified that adequate pressure would be available to close the valves in question.

The team concluded that the SDC isolation valves would function properly under all of the postulated operating conditions. However, the lack of existing design calculations to verify the ability of PIVs to close against postulated differential pressures was considered a weakness. An additional case of missing calculations is discussed in Section 4.

3.2 Shutdown Cooling Suction Valve Interlocks

The team evaluated the technical adequacy of the shutdown cooling (SDC) system safety-related interlock circuits by reviewing a limited number of loop calculations, design changes, elementary wiring diagrams, schematics, modification packages, and equipment specifications. The team conducted specific reviews of the power and control circuit interconnecting wiring diagrams to verify the independence of sensors, interlock circuits, and power supplies. The team also reviewed the operation, testing, and calibration procedures associated with the SDC system interlocks and the PIVs interconnected to the RCS.

The high-to-low pressure interconnection of the RCS to SDC system was accomplished by redundant trains of two isolation valves. Each valve was controlled by an interlock circuit with an independent pressure sensor from an independent tap on the pressurizer. Vital instrumentation and dc power provided independent control of and power to each of the valves. MOVs SI-401 A and B at the interface to the RCS were normally closed with power disconnected to avert inadvertent operation. A permissive setpoint control existed that allowed valve opening only when RCS pressure was below 392 psig and operator action was required to open the valves. The second valve in each flow path (HOV SI-405 A or B) maintained in an open position only when a low setpoint in pressurizer pressure was present. The valve closed by the interlock circuit action when pressurizer pressure exceeded 700 psig. The interlock operation for these isolation valves was provided from diverse power sources and valve operation was provided from independent power sources, with power failure causing the HOV to close. During normal power operation, all of the isolation valves had either their power disabled or their control switch in a locked-close position.


The interlock circuitry provided protection from the inadvertent opening of the SDC system suction valves when RCS pressure was higher than the SDC system design pressure. In addition, the interlocks provided for the automatic closure of the MOVs and HOVs when the system pressure increased above a high setpoint. The interlocks performed their function whether the plant control was from the control room or the remote shutdown panel. The interlock circuitry was overridden during long periods of SDC operation by disabling the MOVs' automatic closure circuitry and mechanically blocking the HOVs in the open position. Administrative controls which documented performance and verification steps were used to ensure the return of the valves to their automatic control status.

During review of SDC system interlocks and related components, the team noted that the P&IDs contained three different component identifiers. Other plant documentation such as operating procedures had component identifiers that differed from those of the Final Safety Analysis Report (FSAR) and the elementary wiring diagrams. The team considered this a weakness because it provided awkward and confusing operational information.

3.3 ISLOCA Annunciator Availability

The team reviewed Operating Instruction 01-002-000, Revision 8, to determine plant annunciator status control. This procedure allowed the shift superintendent to remove alarm windows from service if they were in a continued alarm status. Plant engineering provided a status log weekly to track the addition of disabled alarm windows and the return of alarm windows to active service. Three windows associated with the selected ISLOCA scenarios were in a disabled condition. Two of these were nuisance alarms that indicated the correct removal of power from isolation valves SI-401 A and B. The third alarm, H0607, "Hot Leg Injection Line Check Valve Leakage," was disabled, preventing operator knowledge regarding possible valve SI-301 leakage, which could be a precursor to an ISLOCA event. No compensatory actions had been taken for this window. However, pressure indication, which could alert the operators to excessive check valve leakage, was available in the control room.

The team considered the procedures used to obtain a "blackboard" condition to be a strength in that they reduce the number of alarms that do not provide the operator with meaningful information. However, the team considered the removal of an alarm indicator without establishing a compensating alarm or special watch condition for the disabled alarm to be a procedural weakness.

4.0 MAINTENANCE, SURVEILLANCE, AND TESTING

4.1 Surveillance and Testing

The team identified pressure isolation valves (PIVs) that could affect the initiation or progress of an ISLOCA and reviewed surveillance testing procedures and test results. In addition, the team reviewed the licensee's Technical Specifications, response to Generic Letter (GL) 87-06, and flow diagrams for the RCS, the HPSI system, the SDC/LPSI systems, and CVCS to ensure that the licensee had identified two valves in each system as PIVs at all appropriate high- to low-pressure interfaces.


4.1.1 Pressure Isolation Valve Identification and Classification

Technical Specification Table 3.4-1, "Reactor Coolant System Pressure Isolation Valves," the licensee's response to GL 87-06 dated June 11, 1987, and Appendix C to this inspection report provide a list of PIVs along with additional information on testing.

Small 1-inch globe valves that served as isolation valves for bypass lines around the PIVs for the HPSI discharge header, hot-leg injection flow path, and LPSI header E discharge were not considered to be PIVs by the licensee. The bypass lines permitted individual leak rate determination for each PIV. Because of the small size of the isolation valves, the team did not consider the licensee's failure to leak test these valves as PIVs to be a concern.

Six additional drain valves for the SITs were located in the system such that they also could be construed to be PIVs. Again, four of these six valves were small 1-inch globe valves; therefore, the team did not consider these to be a concern with regard to excessive leakage. The remaining two valves, SI-301 and SI-302, were 2-inch globe valves. Although leakage through these valves could be in excess of normal RCS makeup capability should gross failure occur, these two valves were located inside containment with the downstream piping that would become overpressurized should valve failure occur also inside containment. Therefore, the team did not consider the failure of these valves and associated piping to be a concern because such failure would result in a LOCA inside containment, which is a design-basis accident.

The team concluded that the licensee's identification and classification of PIVs was satisfactory.

4.1.2 PIV Surveillance Testing

The leak testing of all licensee-identified PIVs was performed using Surveillance Procedure OP-903-008, Revision 2, "Reactor Coolant System Isolation Leakage Test." This procedure was well written, concise, and technically adequate to determine accurate leakage rates for most of the PIVs. It provided proper valve lineup for the tests, use of appropriate equipment and instrumentation to determine leakage, and the establishment of proper test conditions and acceptance values. The team, however, identified the following weaknesses within the procedure:

* Leakage for SIT discharge valves SI-329A, -329B, -330A, and -330B was determined by the change in level of the appropriate SIT over a specific time frame. SIT level indication was provided by computer display in the control room. However, inaccuracies of loop instrumentation could result in a variance of the final leakage results by as much as 0.25 gpm or 25 percent of the acceptance criteria of 1 gpm. The team reviewed the surveillance test results for these four valves and found that no leakage approached 0.75 gpm.

* Leakage past the four cold-leg injection PIVs (SI-335A, 335B, 336A, and 336B) and two hot-leg injection PIVs (SI-512A and 512B) was determined by measuring the change in pressure upstream of the valves (i.e., on the low-pressure side) over a specified time frame and converting this change in pressure into gpm leakage. This method appeared not totally adequate because it was predicated on the assumption that PIVs and smaller drain valves outside the injection lines were leaktight. Should any leakage exist for these other valves, the leakage test results for the PIVs would be nonconservative.

The team discussed these weaknesses with the licensee and was told that the licensee had previously identified similar concerns and had initiated a revision to the applicable surveillance procedure to correct these weaknesses and incorporate other minor changes.

The team concluded surveillance tests had been performed adequately at the required time intervals. Furthermore, any valves that had undergone significant maintenance had had an acceptable post-maintenance leak test performed.

4.1.3 Relief Valve Testing

SDC relief valves SI-406 A and B, which were associated with the ISLOCA scenarios, undergo testing in accordance with ASME Code Section XI, Article IWV-3510. Other HPSI, LPSI, and CVCS safety relief valves associated with ISLOCA scenarios also were bench tested to verify set pressure and seat tightness per Maintenance Procedure PM-007-001, "Safety and Relief Valve Bench Testing."

4.2 Maintenance

To determine the effectiveness of the licensee's implementation of maintenance activities associated with PIVs that could affect the initiation or progress of an ISLOCA, the team reviewed maintenance histories, associated maintenance procedures, completed work packages, industry standards, and vendor manuals.

4.2.1 Corrective Maintenance

Maintenance histories indicated that several pressure isolation and check valves had experienced problems such as leakage at valve packing glands or at flanges. Additionally, concerns had been identified by the licensee with regard to remote operation of leakage drain valves and other minor component deficiencies. Selected plant work authorization (WA) packages and associated data sheets indicated that corrective maintenance activities had been conducted in accordance with requirements and had been generally effective in resolving valve leakage and associated component deficiencies.

However, valve maintenance histories indicated that LPSI pump suction header check valves SI-108 A and B had not received any form of internal maintenance or inspection during the life of the plant. Discussions with maintenance personnel disclosed that these valves had not been included in the licensee's program for check valve maintenance until 1989. Interviews with operations personnel further revealed that the licensee had experienced external leakage problems at these valves for over 2 years. Plant operators also expressed concern with regard to the reliability of these check valves. During the walkdown of system components, the team noted that the area immediately surrounding these valves had been designated a high-radiation area and access to the valves was controlled accordingly. Additionally, repeated attempts to eliminate valve flange leakage had been unsuccessful. The team was concerned that the lack of preventive and corrective maintenance and the material condition of these valves could affect the initiation or mitigation of an ISLOCA in the LPSI pump suction line. These conditions were considered to be a weakness.

The SI-108 A and B valves were dual-plate wafer check valves manufactured by TRW Mission Inc. The vendor technical manual indicated that spacing of this valve type from upstream pipe fittings was critical to prevent damage as a result of turbulence under certain flow conditions. Plant isometric drawing E-2RD3-IC-62 and team walkdowns of the associated lines indicated that the required spacing may not have been obtained for these valves. In response to the team's concern, the licensee performed an informal calculation that indicated the valves would experience a flow velocity less than the value determined by the vendor to adversely affect the integrity of the valves. The team considered the absence of an existing calculation showing this to be the case to be a weakness in the area of design engineering.

Valves SI-1071 A and B were also components that possibly could affect one of the ISLOCA scenarios investigated. However, the plant engineering personnel could not readily locate documentation for the reason these valves were added to the design or for their design limitations and qualification status, including recent test results. The team considered this to also be indicative of a potential weakness in the area of engineering and technical support.

4.2.2 Preventive Maintenance

The team's review of the plant lubrication, MOV diagnostic signature analysis, check valve maintenance, and post-maintenance testing programs indicated that maintenance planning and work activities had been appropriately implemented. Procedures detailing valve maintenance sufficiently incorporated the requirements of vendor technical manuals, industry standards and regulatory guidance. Administrative procedure MD-001-029, Revision 1, "Check Valve Monitoring, Maintenance and Trending Program," provided a mechanism for monitoring and detecting degradation of check valves before possible failure. Check valves were monitored on a frequency not to exceed once every three fuel cycles. Additionally, the procedure required an accelerated frequency of valve inspection should signs of degradation appear. While this procedure was only recently implemented, it appeared to provide an adequate basis for evaluation of vital system check valves.

The team determined that preventive and corrective maintenance procedures provided sufficient technical detail and clarity to perform maintenance activities on PIVs. The format and content of procedures were consistent and generally conformed to the requirements of the maintenance procedure writers guide. The team did not identify any significant deficiencies in the licensee's preventive maintenance program. Furthermore, the team observed that the licensee had significantly decreased the backlog of maintenance activities during the past 2 years.


4.2.3 Plant Material Condition

The team conducted several tours of the plant during the inspection to observe and assess the material condition of the plant. The team's plant walkdowns focused on portions of the HPSI and SDC/LPSI systems. The material condition of the plant generally was adequate, although there were a large number of valves with catch basins throughout the plant. Good housekeeping was in evidence and the areas examined were free of obstructions. Several of the selected motor-operated and check valves examined exhibited minor leaking and boric acid buildup at packing gland, stems, or valve flanges. Procedure OP-100-002, Revision 4, "Leakage Reduction," required that radioactive leaks be identified on a condition identification (CI) report and a CI tag be attached to the affected equipment. In all but three instances, the required CI tags had been attached to the valve and appropriate catch basins had been mounted to restrict and direct the flow of radioactive materials. However, valves SI-503B, SI-506B, SI-226B and HPSI pump A exhibited leakage but did not contain the required CI tags. In response to this observation, the licensee issued CI reports and associated tags to track component leakage.

4.2.4 Failure Trending and Root-Cause Analysis

Administrative procedures UNT-006-003, Revision 0, "Equipment Failure Trending," and UNT-007-025, Revision 2, "Plant Trending Program," provided guidance for tracking and following up adverse trends in personnel, plant, and component performance. The licensee had taken an aggressive, formalized approach to trending component and activity failures. The licensee trended the performance of the various plant systems and equipment, as well as the performance of plant operators and technicians. Equipment performance trending was done by the department responsible for the system, equipment, or component in question. Each department prepared adverse trend reports and the appropriate followup actions. The licensee collected all the trend reports for each quarter in one quarterly report. These reports indicated that problems with several of the valves included in ISLOCA scenarios had been identified by the licensee.

The licensee had implemented a long-term reliability program (outlined in Plant Directive 40) that provided for trending of significant recurring problems and established a committee chaired by the Assistant Plant Manager for Operations to prioritize significant issues and recommend followup action to the Plant Manager. This program appeared to be an effective tool to keep management aware of significant recurring problems that could affect safety, reliability, and performance of plant components and systems.

The licensee had a formalized methodology for collecting and addressing operational experience. An "Events Analysis, Reporting and Response" group was charged with carrying out events analyses and reporting, root cause identification, failure trending, and reliability and availability engineering. All significant operating occurrences in the plant were screened to identify appropriate root causes. Identification of deficiencies was the responsibility of all nuclear operations personnel. Deficiency identification was documented through a number of mechanisms, including significant occurrence reports, nonconformance condition identification (e.g., defective equipment), potentially reportable events (possible licensee event reports) and quality notices (e.g., procedural noncompliance or deficiency).


The characteristics of the root-cause identification process included a root cause determination, root-cause investigation, and corrective action confirmatory review and oversight. If a root cause was determined to have occurred previously (i.e., recurring problem), the issue was reviewed by the management and a significant quality notice was prepared.

The licensee implemented a human performance trending program, which was intended as a management tool to identify a decline in the performance of any department, in accordance with procedure UNT-006-018, Revision 0, "Human Performance Trending." The procedure provided a caution not to directly compare the performance of one group with that of other groups, but to compare a group's current performance with its own previous performance.

The team concluded that the licensee's use of a formalized approach to problem identification, trending, and root-cause analysis was conducive to reliable plant operation. This effort by the licensee was considered a strength and should heighten plant personnel awareness of system reliability and human performance.

5.0 HUMAN FACTORS AND HUMAN RELIABILITY

5.1 Human Factors

The team reviewed man-machine interface, procedures and documents, and operator training to identify instances in which a human error could affect initiation, detection, or mitigation of an ISLOCA event.

5.1.1 Man-Machine Interface

The man-machine interface (MMI) appeared adequate with regard to minimizing the probability of an operator error initiating an ISLOCA. The control room was quiet and exhibited well-controlled access. The overall impression of the control room was one of professionalism and stability. The MMI for remote shutdown panels appeared adequate.

The design and layout of engineered safeguards panels, which would be used extensively for mitigation of an ISLOCA, would make it difficult for plant personnel to perform the operational tasks required to mitigate an ISLOCA. In particular, meter and valve position indicator lights had glare and vertical boards exhibited some mirror imaging and inconsistent display layout.

Glare on safeguards panel components made it difficult to read vertically oriented meters and panel-mounted handswitches (e.g., hand controllers for SDC valves SI-401 A and B, SI-405 A and B, and SI-407 A and B, LPSI flow meters SI-IFI-0390-A and B, and HPSI flow meter SI-IFI-0311 1A). High readings on meters (pointers at top of scale) and switch labels (valve, motor, fan, etc.) were difficult to read.

Mirror imaging on the safeguards panel increased the probability of display substitution errors and visual search time. Groups of displays on the vertical board were mirror imaged although the displays are similarly arranged within these groups. The controls on the off-vertical portion of the control boards were not mirror imaged.

In addition, there was no dedicated recorder provided to monitor the volume control tank (VCT) level, which could be used to detect a loss of RCS inventory. However, the operators did indicate that VCT level was usually trended using the plant computer.

During walkdowns of portions of the reactor auxiliary building (RAB), the team noted that isolation valves SI-106 A and B, located in the safeguards room on elevation -35, were inaccessible from the floor. An operator would require a ladder or scaffold to manually close the valves and there were no ladders available on the -35 level of the RAB. Additionally, the 20-foot ladders stored on the -4 elevation could not be used because their large size precluded access to the -35 elevation. In addition, an operator would have to climb a ladder to verify the identification of valves SI-106 A and B because the labeling could not be read from the floor.

Isolation valves SI-407 A and B on the SDC suction line also are mounted about 20 feet above the floor and component identification could not be verified from the floor. If manual closure of the valve was required, an operator would have great difficulty getting to the valves, and operating the valve handwheel and clutch, which would require two hands.

The inaccessibility of these valves, paired with the lack of ladders and component label readability problems, presented substantial obstacles to local operation of the valves. Other plant labeling and identification weaknesses included temporary labeling of vital equipment with marking pen, inconsistent labeling of components and associated references in plant procedures, and control board instrumentation that required the operator to open a spring-loaded label plate to access component identification numbers.

The team concluded that several human engineering designs existed that could adversely affect the ability of the operators to mitigate an ISLOCA. The most notable of these is the inaccessibility and poor labeling of valves in the RAB.

5.1.2 Procedures and Documents

Emergency operating procedures appeared to be well written and in compliance with CEN-152, the Combustion Engineering (CE) Owners Group generic guidance for CE plants. Although the procedures appeared to adhere to the writers guides (i.e., OP-100-013, "Writers Guide for Operating Procedures," and WG-001, "Writers Guide for EOPs"), they were found to be lacking in several human factors areas (e.g., lack of multiple column format, no numbered table of contents, and failure to comply with a standardized plant nomenclature).

The format and wording of the annunciator response procedures (ARPs) for the annunciators in cabinet H differed from the format and wording used for all the other annunciator procedures. For example, "Possible Cause" in one ARP read "SI-401A or SI-405A open before pressure falls below 386 PSIA" while the other ARP (for the annunciator in the other train) read "Isolation valve open and RCS pressure is 386 PSIA." In addition, the ARP section for train A was entitled "Possible effects and Control Room Indicators" while the other ARP for train B had sections entitled "Plant effects/operator actions" and "Indication/Verification." The ARPs referred to control room instruments by citing the indicator number rather than the indicator label. This practice could increase the time it took for an operator to respond to annunciators because the indicator numbers were hidden behind spring-loaded label plates on the main control boards.

In addition, the table of contents for the procedures did not provide page numbers to access sections, requiring readers to access information by paragraph numbers only.

SDC PIVs SI-401 A and B were closed during plant transition from Mode 5 to By procedure, these valves were required to be closed and breakers SI-EBKR-311A and B in cabinets BD and 8H were required to be opened and locked into position. A control room operator directed an auxiliary operator to accomplish this activity. The auxiliary operator then confirmed completion of this task through communication with the control room. Locked valve/breaker sign-off sheets were not used when operators repositioned these breakers, and no independent verification occurred which would ensure that the breakers were locked open. This was considered a weakness in the control of locked valves and breakers.

The team concluded that no procedural problems existed that could directly affect the initiation of an ISLOCA under normal operating conditions, although weaknesses existed in ARPs and procedures as stated above.

5.1.3 Training

Operators stated that, while they did not recall any training exercises that specifically addressed ISLOCAs, they felt they had been well-prepared to detect and identify breaches of the RCS pressure boundary. Interviews with operators confirmed their ability to describe the symptoms of an ISLOCA and how those symptoms would be indicated in the control room. The licensee had initiated an ISLOCA screening study to identify potential flow paths through which the RCS pressure boundary interfacing with a supporting system of lower design pressure could be breached. Subsequent to this study, a training module was assembled that was designed to increase operator awareness of symptoms of an ISLOCA. Discussions with the licensee indicated that all licensed operators would receive training using this module at least once.

In addition, a simulation scenario capability existed for small LPSI pump leaks in the LPSI pump room. However, according to the simulator supervisor, this scenario had not been implemented as part of operator training. The licensee was able to use the existing simulation scenario to simulate a scenario that very closely paralleled the seventh ISLOCA scenario, which involved failure of the check valves located in the line between the RWSP and the suction portion of one of the LPSI pumps. The team observed an operating crew respond to the scenario on the simulator. Although the crew had presumably never seen this type of event and had little or no procedural guidance on how to handle the specifics of the event, the crew took appropriate actions available to them to mitigate the consequences of the event. However, the lack of more specific procedural guidance or training with regard to this particular scenario did appear to affect the operators' timely coping with the event. It appeared that use of this simulation could enhance training in the area of ISLOCAs.

5.2 Human Reliability

The team collected plant-specific data to be used in the NRC's ISLOCA research project. The plant-specific data from Waterford 3 also will be used in the formal ISLOCA probabilistic risk assessment (PRA) and human reliability analysis (HRA) for the plant. HRA models the types of human actions that can either initiate, detect, diagnose, or mitigate potential ISLOCA scenarios. The team's human reliability evaluation focused on collecting detailed information on operator performance as well as plant-specific factors that could increase or decrease the likelihood of operator error (usually called performance shaping factors, PSFs). Typically, these human error probabilities are placed on event trees, which are then used in conjunction with hardware component failure rates from the PRA to determine plant-specific and sequence-specific core melt probabilities. Ultimately, the human reliability analysis becomes an integrated component of the probabilistic risk assessment.

The team reviewed a series of generic ISLOCA-related events as well as plant systems (RCS, LPSI, HPSI, SDCS, CVCS) that could be involved in an ISLOCA. On the basis of this information, the HRA team members collected detailed, plant-specific information using the following methods:

* table-top task analyses of ISLOCA scenarios that were based on structured interviews with operations personnel,

* simulations of several ISLOCA scenarios with detailed observations of crew activities,

* simulator walkthroughs of systems and their corresponding alarms, annunciators, etc. that may be involved in ISLOCA events,

* plant walkdowns of systems in conjunction with licensed reactor operators (shift supervisors, control room supervisors, and nuclear plant operators) and non-licensed nuclear auxiliary operators, and

* detailed review of emergency and abnormal procedures, training lessons, station directives, operating procedures, and performance and surveillance test procedures.

As part of the research project to employ PRA and HRA methods to assess ISLOCA risk, the HRA team members collected plant-specific information relating to PSFs, such as stress, the nature of the task, procedures, training, experience of the operators, and the quality of the man-machine interface. These PSFs can be positive or negative and are used during the detailed quantification of human actions to modify the nominal human error probability assigned to any given human action in a scenario. PSFs also include any recovery factors, such as communications, teamwork, independent verification, and/or system feedback, that would alert operators to critical errors, thereby returning their actions to a "success" (safe) path. Plant data also was acquired to permit assessment of the influence of maintenance and repair on the probabilistic risk of an ISLOCA. These data included procedures for configuration control, equipment out of service, and mode change checklists. Team observations relating to the quality of work control will also be included.

The ISLOCA PRA, performed by Idaho National Engineering Laboratory (INEL) in conjunction with this inspection, will use the data collected from this inspection to perform an independent analysis of ISLOCA scenarios. Specifically, the analysis will use the RELAP computer code to model system thermal-hydraulic response to overpressurization and will calculate failure distributions for various system piping and components on the basis of the applied stresses induced by the thermal and hydraulic forces. Offsite consequences will be calculated with the MACCS computer code. Plant-specific data include the system piping and instrumentation drawings, piping isometrics, and vendor data on valves, pumps, orifices, heat exchangers, etc. All of the information gathered by the team will be reviewed by INEL during the PRA process to help ensure that realistic plant-specific assessments are achieved.

6.0 CONCLUSION

The team concluded that the pressure isolation valves within systems interfacing with the RCS pressure boundary at Waterford 3 were adequately maintained and tested to prevent failures that could initiate an ISLOCA. Although there were weaknesses in the man-machine interface, the team did not identify any significant deficiencies that might significantly increase the probability of an operator error initiating an ISLOCA. No unresolved items were identified.

APPENDIX A

Personnel in Attendance at Exit Meeting

Personnel              Organization
Jack Auflick           NRC Consultant, INEL
R.G. Azzarello         Entergy Operations, Director, Engineering & Construction
Dwight E. Bak          Entergy Operations, Director, Operations Support
Jay R. Ball            NRC Team Leader, Special Inspection Branch, NRR
Ronald G. Bennett      Entergy Operations, QA Inspections Supervisor
Timothy P. Brennan     Entergy Operations, Manager, Design Engineering
Steven D. Butler       NRC Resident Inspector-Waterford 3
K.M. Campe             NRC Acting Branch Chief, Risk Appl. Branch, NRR
Albert C111uffa        Entergy Operations, Maintenance Engineer
Sangy Diab             NRC Team Member, PRAB, NRR
Huu D. Dinh            Entergy Operations, Event Analysis & Reporting
fleil Dubr>            Entergy Operations, Senior Engineer
Paul W. Eshleman       NRC Consultant, Engineering & Science Assoc., Inc.
Steven E. Farkas       Entergy Operations, Licensing Engineer
Stephen A. Fleger      NRC Consultant, Carlow Associates, Inc.
Daniel C. Ford         NRC Consultant, Research Technical Services
James G. Hoffpauir     Entergy Operations, Planning & Scheduling Manager
Terry Holu.;i          Entergy Operations, Supervisor, Safety & Eng Analysis
J.P. Jaudon            NRC Deputy Director, DRS, Region IV
Dennis L. Jew          NRC Consultant, EAS Energy Services
Dana Kelly             NRC Consultant, INEL
J.E. Konklin           NRC Section Chief, Special Inspection Branch, NRR
W.D. Lanning           NRC Branch Chief, Special Inspection Branch, NRR
Larry W. Laughlin      Entergy Operations, Site Licensing Supervisor
Theodore Leonard       Entergy Operations, Acting Manager of Operations & Maintenance
Orville Meyer          NRC Consultant, INEL
P.V. Prasankumar       Entergy Operations, Manager, Technical Services
William T. Russell     NRC Associate Director, NRR
Douglas Schultz        Entergy Operations, Asst. Operations Superintendent
Ward F. Smith          NRC Senior Resident Inspector-Waterford 3
Wayne L. Smith         Entergy Operations, Simulator Supervisor
Philip C. Wagner       NRC Team Member, Region IV


APPENDIX B

Diagrams of the HPSI and SDC/LPSI Systems


APPENDIX C

Pressure Isolation Valves

Valve No.  Description         Type   IST CAT  Required Testing  Alternate Testing  Notes

SECTION A
SI-329A    SIT Discharge       Check  A/C      CV/PIV            DRR                1
SI-329B    SIT Discharge       Check  A/C      CV/PIV            DRR                1
SI-330     SIT Discharge       Check  A/C      CV/PIV            DRR                1
SI-330B    SIT Discharge       Check  A/C      CV/PIV            DRR                1
SI-336     Cold-Leg Inj.       Check  A/C      CV/PIV            DRR                2,3
SI-336B    Cold-Leg Inj.       Check  A/C      CV/PIV            DRR                2,3
SI-335A    Cold-Leg Inj.       Check  A/C      CV/PIV            DRR                2,3
SI-335B    Cold-Leg Inj.       Check  A/C      CV/PIV            DRR                2,3
SI-510A    Hot-Leg Inj.        Check  A/C      CV/PIV            RR                 4
SI-512A    Hot-Leg Inj.        Check  A/C      CV/PIV            RR                 5
SI-510B    Hot-Leg Inj.        Check  A/C      CV/PIV            RR                 4
SI-512B    Hot-Leg Inj.        Check  A/C      CV/PIV            RR                 5
SI-241     HPSI Header Disch.  Check  A/C      CV/PIV            RR                 4
SI-242     HPSI Header Disch.  Check  A/C      CV/PIV            RR                 4
SI-243     HPSI Header Disch.  Check  A/C      CV/PIV            RR                 4
SI-244     HPSI Header Disch.  Check  A/C      CV/PIV            RR                 4

SECTION B
SI-142A    LPSI Header Disch.  Check  A/C      CV/PIV            CSR                3,6
SI-142B    LPSI Header Disch.  Check  A/C      CV/PIV            CSR                3,6
SI-143A    LPSI Header Disch.  Check  A/C      CV/PIV            CSR                3,6
SI-143B    LPSI Header Disch.  Check  A/C      CV/PIV            CSR                3,6

SECTION C - POWER-OPERATED VALVES
SI-401A    SDC Suct. Isol.     Gate   A        Q/MT/PIV          CS                 3,7,8
SI-401B    SDC Suct. Isol.     Gate   A        Q/MT/PIV          CS                 3,7,8
SI-405A    SDC Suct. Isol.     Gate   A        Q/MT/PIV          CS                 3,7,8
SI-405B    SDC Suct. Isol.     Gate   A        Q/MT/PIV          CS                 3,7,8

Testing Parameters:

CV    Exercise check valve to the position required to fulfill its function at least once every 3 months.

PIV   RCS PIVs are leak tested per plant Technical Specification


Q     Exercise valves (full stroke) for operability at least once every [illegible] months except when one train of a redundant system is inoperable. Valves in the remaining train should not be cycled because their failure would cause a loss of total system function.

MT    Stroke time measurements are taken and compared to the stroke time limiting value per ASME Code Section XI, Article IWV-3410. Trending of valve stroke time is performed per IWV-3417 for valves with stroke time limits greater than 2 seconds.

DRR   Valves are disassembled and stroked during reactor refueling outages on a sampling basis.

RR    Exercise valve for operability at each reactor refueling outage.

CSR   Exercise check valve (partial stroke) at each cold shutdown and full stroke at each reactor refueling outage.

CS    Exercise valve (full stroke) for operability during cold shutdown and at each refueling outage.

Notes:

1. One of three valves (SI-329A, -329B, and -330) and valve SI-330A will be disassembled and manually exercised every refueling outage per Relief Request 3.1.1

2. One of four valves (SI-335A, -335B, -336A, and -336B) will be disassembled and manually exercised every refueling outage per Relief Request 3.1.18.

3. When corrective action is required, a retest will be satisfactorily performed before the valve is required for plant operability as defined in the plant Technical Specifications per Relief Request 3.1.3.

4. These valves will be full-stroke tested during each refueling outage per Relief Request 3.1.1

5. These valves will be full-stroke tested during each refueling outage per Relief Request 3.1.20.

6. These valves will be partial-stroke tested during each cold shutdown and full-stroked using LPSI design flow during each refueling outage per Relief Request 3.1.1

7. If increased stroke time exceeds the criteria of IWV-3417(a), the test frequency shall be increased to once each cold shutdown, not to exceed once each month per Relief Request 3.1.4.

8. These valves shall be full-stroke tested for operability at each cold shutdown per Relief Request 3.1.1


APPENDIX D

Documents Reviewed

1. Administrative Procedures

Procedure No.  Title                                               Rev.  Date
UNT-005-002    Condition Identification                            9     9/7/89
UNT-005-004    Temporary Alteration Control                        7     12/12/89
UNT-005-007    Plant Lubrication Program                                 /10/90
UNT-005-010    Independent Verification Program                    1     N/A
UNT-005-011    Calibration and Control of Measuring and            2     3/27/89
               Test Equipment
UNT-005-015    Work Authorization Preparation and                  1     9/5/89
               Implementation
UNT-006-003    Equipment Failure Trending                          0     1/16/90
UNT-007-025    Plant Trending Program                              2     2/19/90

2. Operating/Surveillance Procedures

Procedure No.  Title                                               Rev.  Date
01-002-000     Annunciator and Alarm Status Control                8     9/8/89
01-006-000     Operator Aids, Use & Control                        3     12/8/78
OP-001-001     RCS Fill and Vent                                   9     6/1/90
OP-001-00      RCS Drain Down                                      10    7/30/90
OP-002-005     Chemical & Volume Control                           9     4/16/90
OP-005-015     Work Authorization Preparation & Implementation     1     2/7/90
OP-009-005     Shutdown Cooling System                             10    3/19/9
P-009-008      Safety Injection System                             8     12/27/89
OP-010-001     General Plant Operations                            12    6/1/90
OP-100-001     Duties & Responsibilities of Operators on Duty      6     4/20/90
OP-100-002     Leak Reduction                                      4     10/7/88
OP-100-003     Caution Tag Control                                 3     3/9/88
OP-100-009     Control of Valves and Breakers                      10    3/31/90
OP-100-007     Shift Turnover                                      6     6/5/89
OP-100-008     Key Control                                         3     9/30/89
OP-100-010     Equipment Out of Service                            5     2/2/90
OP-500-012     Annunciator Response for Control Room Cabinet h     4     4/20/90
OP-901-004     Evacuation of Control Room & Plant Shutdown         4     6/1/90


OP-901-046     Shutdown Cooling Malfunction                        6     3/19/90
OP-902-000     Emergency Entry Procedure                           3     8/26/89
OP-902-002     Loss of Coolant Accident Recovery                   3     8/28/89
OP-903-008     Reactor Coolant System Isolation Leakage Test       2     5/20/88
OP-903-024     Reactor Coolant System Water Inventory Balance      7     3/31/90
OP-903-026     Emergency Core Cooling System Valve Lineup          4     3/17/89
               Verification
OP-903-031     Containment Integrity Check                         5     6/7/90
OP-903-032     Quarterly IST Valve Test                            7     2/28/90
OP-903-033     Cold Shutdown IST Valve Test                        8     2/2/90
OP-903-034     Containment Spray Valve Lineup Verification         3     3/16/89

3. Maintenance Procedures

Procedure No.  Title                                               Rev.  Date
MD-001-011     Maintenance Departmental Procedure Initiation,      5     6/25/90
               Review, and Approval of Procedures, Changes,
               Revision and Deletions; Control and Distribution
MD-001-014     Conduct of Maintenance                              3     6/30/89
MD-001-016     Failure and Trend Analysis                          1     12/16/87
MD-001-028     Writers Guide for Maintenance Department                  /28/89
               Procedures
MD-001-029     Check Valve Monitoring, Maintenance and             1     4/1/90
               Trending Program
ME-007-008     Motor Operated Valve                                8     6/29/90
ME-007-028     MOV Setting, Signature Trend Analysis and           0     9/12/69
               Evaluation
MI-005-201     Instrument Loop Check                               5     7/11/89
MI-005-202     Calibration of Pressure Instruments                 3     10/30/85
MI-005-207     Calibration - Indicators                            4     10/22/84
MI-005-251     Westinghouse 7300 Card Calibration                  4     7/25/89
MI-005-587     Calibration - Pressurizer Pressure                  0     7/13/84
MM-006-001     Valve Maintenance                                   6     1/9/90
41-006-002     Valve Operator Maintenance                          3     3/28/88
MM-006-105     Limitorque Motor Operator Maintenance               2     10/31/86
MM-007-021     Check Valve Monitoring By MOVATS Checkmate          1     4/1/90
               System and Inspection


4. Miscellaneous

Procedure No.  Title                                               Rev.  Date
PMD-40         Plant Management Directive Long Term Reliability    0     5/10/90
               Program
WA-0102859     Valve SI-301 Trouble Shoot                                10/25/88
WA-1000663     Valve SI-108B Flange Leaking                              8/19/87
WA-1025307     Valve SI-108A Torque Value Monitoring on Valve            11/21/88
               Flanges
WA-1029002     Valve SI-108B Torque Value Monitoring on Valve            12/16/88
               Flanges
WA-1013187     Install Isolation Valve Leakoff Line in valve             4/20/88
               SI-401A
WA-1001923     Cap Packing Gland Leakoff Lines for valves                6/19/88
               SI-139A, SI-304A, SI-401A&B
WA-1048591     Valve Flange Leakage Calculation for SI-108A              12/7/89
457001173      Lukenhimer Gate Valve Technical Manual              4     10/4/88
               Waterford 3 Pump and Valve Inservice Test Plan      5
               Waterford 3 Response to Generic Letter 87-06              6/11/87

Drawings

Drawing No.    Title                                               Rev.
B-424-269S     Pressurizer Pressure Ins                            E
B-424-515      RCS Hot Leg Injection                               13
B-424-53       LPSI Pump A Controls                                02
B-424-550      SI Tank 1A Instrumentation
B-424-5885     Pressurizer Pressure Ins
B-424-595      SDC Isolation Valves                                03
B-424-595S     SDC Isolation Valve
B-424-596      SDC Isolation Valves                                01
B-424-596S     SDC Isolation Valves                                16
B-424-5995     Hydraulic Pump Control                              09
B-424-2932     Annunciator Display                                 08
B-425-319      SI Check Valve Leak Detector                        01
B-425-390A     SI HP Pump Controls                                 01
B-425-390B     SI HP Pump Controls                                 01
502-13         CP-25 Wiring Diagram                                06
503-14         CP-26 Wiring Diagram                                06
504-14         CP-27 Wiring Diagram                                04
505-14         CP-28 Wiring Diagram                                04
506-29         CP-31 Wiring Diagram                                05
8821027        CP-50 Wiring Diagram                                09
8821038        CP-50 Wiring Diagram                                09


Piping and Instrumentation Diagrams

Drawing No.     Title                                              Rev.
LOU-1564 G-167  Safety Injection System (SI), Sheet 1 of 2         28
LOU-1564 G-167  Safety Injection System (SI), Sheet 2 of 2         25
LOU-1564 G-168  Chemical & Volume Control System (CVC),            25
                Sheet 1 of 2
LOU-1564 G-168  Chemical & Volume Control System (CVC),            29
                Sheet 2 of 2
LOU-1564 G-172  Reactor Coolant System (RCS)                       21
251-700-00      Safety Injection & Shutdown Cooling                T01.03
2CYC-000-00     CVCS & Boric Acid Makeup Systems                   T01.03
