IR 05000387/1998004
| ML032300650 | |
| Person / Time | |
|---|---|
| Site: | Susquehanna  (NPF-014, NPF-022) |
| Issue date: | 07/16/2003 |
| From: | Wiggins J Division of Reactor Safety I |
| To: | Byram R Pennsylvania Power & Light Co |
| References | |
| IR-98-004, NUDOCS 9807220202 | |
| Download: ML032300650 (26) | |
Text
U.S. NUCLEAR REGULATORY COMMISSION
REGION I
Docket Nos.
License Nos.
Report Nos.
Licensee:
Facility:
Location:
Dates:
Inspectors:
50-387 and 50-388 NPF-14 and NPF-22 50-387/98-04 and 50-388/98-04 Pennsylvania Power and Light Company 2 North Ninth Street Allentown, PA 19101 Susquehanna Steam Electric Station P.O. Box 35 Berwick, PA 18603-0035 June 8-12, 1998 D.
A.
H.
J.
C.
H.
Ashley, Operations Engineer, NRR Fresco, NRC Consultant, BNL Gray, Senior Reactor Engineer Richmond, Resident Inspector Sisco, Operations Engineer Williams, Senior Operations Engineer Approved by:
Richard J. Conte, Chief Operator Licensing and Human Performance Branch Division of Reactor Safety 9807220202 980716 PDR ADOCK 05000387 Q
SUMMARY This inspection involved a review of Pennsylvania Power and Light Company's (PP&L)
implementation of the maintenance rule in accordance with the requirements of 10 CFR 50.65, at the Susquehanna Steam Electric Station (SSES). The report covers a one week onsite inspection by regional and headquarters inspectors during the week of June 8,1998.
PP&L adequately placed SSCs within the scope of the maintenance rule, with the exception of the Bypass Indication system. Failure to include the Bypass Indication system in the maintenance rule program was an apparent violation of 10 CFR 50.65(b).
The risk ranking process was based on PRA information and was acceptable. Appropriate actions had been taken by the expert panel to compensate for any weaknesses in the PRA.
The risk ranking process appropriately used the RAW, RRW and 90% of cutsets and included considerations for containment systems. Truncation levels and human recovery actions were considered appropriately when evaluating the PRA results.
The unavailability performance criteria resulted in an acceptable increase in CDF when factored into the PRA, and were based on the PRA unavailability data. The reliability criteria were linked to the PRA assumptions and were acceptable.
Several SSCs had exceeded their performance criteria in 1996 or 1997, but were not evaluated and placed in (a)(1) status until as late as June 1998. This was an apparent violation.
The system engineers had excellent knowledge of their systems, and good knowledge of the maintenance rule requirements. The system engineer's involvement and role was found to be a significant positive attribute of the maintenance rule program. In general, system engineers, work coordination managers, and licensed operators appeared able to fulfill their responsibilities under the maintenance rule. Their understanding of rule was acceptable.
Appropriate goal setting was in place for the (a)(1) systems which were reviewed.
However, the team observed the corrective actions for (a)(1) systems did not include review of preventive maintenance activities. Correction and preventive maintenance were considered appropriate and effective for the (a)(2) systems reviewed.
The licensee's new periodic maintenance effectiveness assessment procedure was adequate for implementing the requirements of the periodic assessments under 50.65(a)(3). The first periodic assessment did not meet the requirements of the rule by failing to adequately balance reliability and availability and assess the continued adequacy of goals for (a)(1) SSCs. This failure is an apparent violation.
The licensee's program for assessing the risk of taking equipment out of service when on-line was weak in that undesirable risk configurations could occur for scheduled work as well as for emergent work. While currently not a mandatory requirement, the team concluded that the licensee's process for assessment of plant risk during on-line i
maintenance does not appear to meet the intent of the maintenance rule. The plant procedure for risk assessment did not cover all risk significant systems and was not utilized for emergent work. However, when a formal risk assessment was required by the plant procedure, the assessment was adequately detailed, developed, and implemented.
Starting in December 1995, PP&L conducted a thorough set of evaluations of the maintenance rule program implementation. These evaluations identified a number of problem areas, however addressing of the issues was delayed. At the time of the team's inspection in June 1998, the corrective actions were in place and the maintenance rule program was appropriately established. Failure to have an adequate maintenance rule program that met the requirements of the rule on July 10, 1996 constituted apparent violations of 10 CFR 50.65.
ii
REPORT DETAILS Ml Conduct of Maintenance (62706)
M Structures, Systems and ComDonents (SSCs) In the Maintenance Rule Pro-ram Inspection Scope The team reviewed the scoping documentation to determine if the appropriate SSCs were included within the maintenance rule program in accordance with 10 CFR 50.65(b). The team used NRC Inspection Procedure (IP) 62706, NUMARC 93-01, Regulatory Guide 1.160, the Updated Final Safety Analysis Report (UFSAR) and PP&L procedures NDAP-QA-0413, Rev.2 'SSES Maintenance Rule Program" and NDAP-QA-1 163, Rev.1 "Structural Monitoring Program" to make the determination. Observations and Findings The team determined that, as of the time of the inspection, PP&L had adequately placed plant SSCs within the scope of the maintenance rule with one exception.
The team noted that the Bypass Indication system was removed from the scope of the maintenance rule by the expert panel because the system was not used in the emergency operating procedures (EOPs). UFSAR section 7.1.1 b.4 describes the system as a safety related display instrumentation system which provides the operator with information for normal plant operations and allows the operator to perform manual safety functions. Safety related SSCs are required to be included in the maintenance rule program. The failure of PP&L to place a safety related system within the maintenance rule program is an apparent violation of 10 CFR 50.65(b).
(EEI 50-387/388/98-04-01) Conclusions The team determined that PP&L had adequately placed SSCs within the scope of the maintenance rule, with the exception of the Bypass Indication system. Failure to include the Bypass Indication system in the maintenance rule program was an apparent violation of 10 CFR 50.65(b).
M1.2 Safety (Risk) Determinations, Performance Criteria, and Exoert Panel Inspection Scone Paragraph (a)(1) of the rule requires that goals be commensurate with safety.
Implementation of the rule using the guidance contained in NUMARC 93-01, required that safety be taken into account when setting performance criteria and monitoring under paragraph (a)(2) of the rule. This safety consideration was to be used to determine if the SSC should be monitored at the system, train, or plant level. The team reviewed the methods and calculations that the licensee used for making these risk determinations. The team also reviewed the performance criteria for selected SSCs. The team reviewed the licensee's expert panel process and information which documented the decisions made by the expert pane Observations and Findings Safety (Risk) Determinations Guidelines to determine the risk significance of SSCs within the scope of the Maintenance Rule were established in Procedure NDAP-QA-0413, "SSES Maintenance Rule Program," Revision 2, dated 4/20/98. The process for determining the risk significance was documented in Calculation EC-RISK-0528,
"Risk Significant System, Structures and Components for the Maintenance Rule and GL 89-10," Revision 4, dated 5/05/98.
The risk significance determination process was based on the probabilistic risk assessment (PRA) model developed for the individual plant examination (IPE) of severe accident vulnerabilities in response to NRC Generic Letter 88-20.
System functions were ranked by the risk achievement worth (RAW 2 2.0), the risk reduction worth (RRW > 1.005) and the top 90% of core damage frequency (CDF)
cutsets. As compared to a 1998 baseline CDF of 4.5 E-07/cycle, the cutsets appearing above a truncation point of 1 E-1 1 were used for the risk ranking process.
Calculations were performed with the human error probability set both to zero and to nominal values to identify components which might not otherwise be identified as risk significant due to human recovery actions. This assured that no important components affected by operator recovery actions had been lost by the truncation process. The PRA data for the residual heat removal (RHR), core spray (CS),
emergency service water (ESW), residual heat removal service water (RHRSW), and emergency diesel generators (EDG) were updated through 1997. Otherwise the data were current only through 1989.
If the SSC satisfied any one of the measures, it was considered to be risk significant. Some functions of the emergency service water, the four diesel generators, and the reactor protection system, had been upgraded to risk significant by the expert panel. Containment systems identified as risk significant either by the PRA or by the expert panel included primary containment instrument gas, containment and suppression pool including containment isolation function and vacuum breakers. Functions involving the fifth (swing) diesel generator and one of the diesel fire pumps had been downgraded by the expert panel, based on appropriate arguments.
Risk significance of SSCs used during shutdown had been determined qualitatively similar to the outage safety assessment guidelines of NUMARC 91-06, 'Guidelines for Industry Actions to Assess Shutdown Management,' December 1991. The critical shutdown functions such as emergency core cooling and decay heat removal, inventory control, reactivity control, and electrical distribution were identified in NDAP-00-0612, 'Outage Scope and Schedule Development and Control," Revision 4, dated 12/22/97, and NDAP-00-0613, "Outage Implementation and Assessment, Revision 4, dated 12/22/9 Performance Criteria The performance criteria for availability and reliability were established using the guidelines in NDAP-QA-0413. The system engineers were assigned the responsibility for monitoring the performance criteria for their systems in accordance with NSEI-AD-01 7, 'Maintenance Rule System Engineer's Handbook," Revision 0, dated 3/13/98.
The process for establishing the availability performance criteria of SSCs was documented in Calculation EC-RISK-1 054,"SSC Availability Performance Criteria for the Maintenance Rule,' Revision 2, dated 5/14/98. The unavailability performance criteria were monitored over a rolling 36 month period. As compared to a baseline core damage frequency of 4.5E-07/cycle, the unavailability criteria resulted in an increase in CDF of less than 15% to 5.OE-07/cycle. The team considered this to be a reasonable increase in CDF and that the performance criteria were appropriately established and were based on the PRA unavailability data.
Similarly, the process for establishing the reliability performance criteria of SSCs was documented in Calculation EC-RISK-1 060, "Acceptable Number of Failures for Risk Significant in the Scope of the Maintenance Rule," Revision 1, dated 5/13/98.
Functional failures under the maintenance rule were referred to as maintenance rule functional failures (MRFFs). Since the limits for the reliability performance criteria were calculated as much as possible using the data in the SSES PRA, the reliability criteria were directly and appropriately linked to the PRA assumptions and therefore were acceptable.
Expert Panel The charter of the expert panel was identified as Attachment A to Procedure NDAP-0413. The procedure specified that members should have expertise in one or more of the areas of probabilistic risk assessment, design basis requirements, maintenance effectiveness, performance monitoring, plant operation, and maintenance rule implementation. The panel was chaired by the maintenance rule coordinator (MRC). At least one panel member was to have Senior Reactor Operator (SRO) experience. A quorum consists of five members, one of whom must be the Maintenance Rule Coordinator or designated alternate. Depending upon the subject matter discussed, members with other expertise would be required to attend to constitute a quorum. The team considered the backgrounds and qualifications of the panel members to be appropriate.
The team noted that the expert panel was brought together on an 'as-needed" basis from 1994 to 1996 during the original implementation of the maintenance rule. In 1997, there was one meeting to discuss adding emergency lighting and communications to the scope of the program. The panel was reconstituted in 1998 and 21 meetings had been held since January 30, 1998. The meeting minutes for the reconstituted panel that had been issued in 1998 were sometimes sketchy and did not always adequately describe the reasons for the decisions mad The expert panel approved the risk ranking and performance criteria. The final decisions made by the expert panel were documented by means of the risk ranking and performance criteria appearing in the Maintenance Rule Basis Documents. The team considered the expert panel's decisions regarding the risk ranking and performance criteria to be appropriate to implement the requirements of the maintenance rule. Conclusions The team found the risk ranking process to be based on PRA information and was acceptable. Appropriate actions had been taken by the expert panel to compensate for any weaknesses in the PRA. The risk ranking process appropriately used the RAW, RRW and 90% of cutset measures and included considerations for containment systems. Truncation levels and human recovery actions were considered appropriately when evaluating the PRA results.
The unavailability performance criteria resulted in an acceptable increase in CDF when factored into the PRA, and were based on the PRA unavailability data. The reliability criteria were linked to the PRA assumptions and were acceptable.
The team considered the expert panel's qualifications and decisions regarding the risk ranking and performance criteria to be appropriate to implement the requirements of the maintenance rule.
M1.3 (a)(1) Goal Setting and Monitoring and (a)(2) Preventive Maintenance Insnection Scope The team reviewed program documents to evaluate the process established to set goals and monitor under (a)(1) and to verify that preventive maintenance had been demonstrated to be effective for SSCs under (a)(2) of the maintenance rule. The team also verified that appropriate performance criteria had been set for selected SSCs. The team performed detailed programmatic reviews of the maintenance rule implementation for the following systems:
Standby Liquid Control (a)(1)
Emergency Diesel Generators (a)(1)
Instrument Air (a)(1)
Main Steam (a)(1)
Feedwater Reactor Protection High Pressure Coolant Injection Reactor Manual Control (a)(1)
Fuel Handling Primary Containment Containment and Suppression Control Room Emergency Outside Air Supply (a)(1)
Each of the above systems was reviewed to verify that goals or performance criteria had been established commensurate with safety, that industry operating experience had been considered if appropriate, that monitoring and trending were being performed, and that corrective actions had been taken when an SSC failed to meet its goal or performance criteria or experienced a maintenance rule functional failure (MRFF). System engineers were interviewed to establish their involvement with the maintenance rule program.
The team performed walkdowns of systems in which vertical slice inspections were performed. Observations and Findings For the maintenance rule systems reviewed, the team noted that each system had a licensee review in early 1998 of the preceding three years of condition reports (CR)
and work authorizations (WAs) to identify maintenance rule functional failures. This licensee review identified a number of systems that were in category (a)(2) that should have been in (a)(1) for corrective actions and enhanced monitoring. The system engineers contacted during this inspection were monitoring current CRs and WAs to identify maintenance rule functional failures (MRFFs).
Instrument Air System (IA)
The instrument air system was appropriately scoped into the maintenance rule program. It was designated as risk significant. The instrument air system has reliability performance criteria established for the dryer trains of two maintenance rule functional failures (MRFF), zero MRFF's for the air header, five MRFF's for the compressors and 1 MRFF's for the instrument air - service air (SA) crosstie. The dryer trains and air header are linked to function 1 which insures that IA is supplied at > 65 psig. The compressors and IA-SA crosstie are linked to function 2 which insures that a supply of compressed air is available to the instrument air receivers.
During a review conducted as part of the maintenance rule improvement plan, the instrument air system was noted to have exceeded the reliability performance criteria. A condition report (CR) was issued in April 1998 to develop a goal setting and monitoring plan to restore the system to (a)(2). Both units exceed the allowable number of failures for function 2 in that the crosstie failed eight times on Unit 1 and six times on Unit 2 over a 36 month period. Design changes and modifications were made to the cross-tie equipment. Goals were developed and new values designated for the crosstie function of 1 MRFF and 5 MRFFs for the compressors. The system is expected to remain in (a)(1) for a period of six months while the modifications and performance criteria are being monitored. The crosstie failures for both units were caused by a valve failing to open. Licensee inspections of the valve found rust and water present in sufficient quantity to impede valve action. These repetitive failures occurred between 1995 and 1998 and the system was placed in (a)(1) in April 1998. 'Design Guide for Determining Levels of Monitoring Required for Structures, Systems, and Components within the Scope of 10 CFR 50.65," GDG-1 4, Rev. 1, states no repetitive MPFFs as performance
criteria. This system met the criteria to be placed in (a)(1) after the first repetitive failure or July 10, 1996, but was not placed in (a)(1) status until April 1998. This is an example of an apparent violation of 10 CFR 50.65(a)(1). (EEI 50-387/388/98-04-02)
Standby Liquid Control System (SLCS)
The maintenance rule basis document identified seven maintenance rule functions for the SLCS. CR 98-1653 describes 11 failures of the SLCS bubbler tube level indicator for Unit 1 and 20 failures for Unit 2. These failures were due to blockage of the bubbler tube. The 31 repetitive failures occurred between May 1995 and November 1997. GDG-14, Rev 1 states no repetitive MPFFs as performance criteria. This system met the criteria to be placed in (a)(1) on July 10, 1996, but was not placed in (a)(1) status until May 1998. This is another example of an apparent violation of 10 CFR 50.65(a)(1). (EEI 50-387/388/98-04-02).
Reactor Protection System (RPS)
The RPS had 18 defined maintenance rule functions, many with multiple subparts.
CR 98-1 1 55 identified that for Unit 2 the function of providing power to the RPS logic had an excess number of failures. This CR included discussion of the significance of the failures, the causes, corrective actions and a plan to return to the (a)(2) categor During walkdown of the RPS system, the upgrading of an electrical protection assembly card to prevent spurious half scrams was noted. This upgrade, along with supplemental cooling of electrical components, should provide for increased reliability of the RPS system.
Main Steam System (MS)
The maintenance rule basis document identifies 17 maintenance rule functions for the MS. Two of these, the Unit 1 automatic depressurization system (ADS) and Unit 2 safety relief valve (SRV) position indication were in the (a)(1) category.
These were discussed in CRs 1421 and 1420 respectively. The team found the goals developed and corrective action plans to be acceptable.
Control Room Emeraency Outside Air Supply System (CREOASS)
The CREOASS was properly scoped in the maintenance rule program, and was appropriately designated as a non-risk significant standby system. The system was in the (a)(1) status due to exceeding the performance criteria for MRFFs. One system function was to provide chilled water to control structure coolers. Trips of the 'B1 control structure chiller occurred in 1996 (2 trips) and 1997 (1 trip) due to low refrigerant temperature which was caused by an insufficient quantity of refrigerant. CDG-14, Rev. 1 states no repetitive MPFFs as performance criteria.
The system met the criteria to be placed in (a)(1) in 1996, but was not placed in (a)(1) status until May 1998. This is another example of an apparent violation of 10 CFR 50.65(a)(1). (EEI 50-387/388/98-04-02)
The team noted that the planned corrective actions in CR 98-1474 did not include a review of the preventive maintenance (PM) program for the system to assess the effectiveness of current PMs. This issue was discussed with the licensee, and they took the issue under consideration.
The FW system was properly scoped in the maintenance rule program, and was appropriately designated as a normally operating risk significant system. The system was in the (a)12) status, had six functions, and was monitored against plant level performance criteria, system unavailability, and reliability (MRFFs).
The plant level performance criteria had been exceeded and the team reviewed the licensee's evaluation which determined that the FW system status was not required to be changed to an (a)(1) status. The FW system functional failures contributed to exceeding the Unplanned Capacity Loss Factor (UCLF) allowable value of 5%, for Unit 1 (Unit 1 UCLF was 6.3%). CR 98-0870 evaluated the FW system contribution as 7.7% of the total UCLF. The FW system did not need to be placed in an (a)(1) status because the cause of the failure was known, the corrective action plan complete, and the corrective actions had been evaluated as proven effective.
The licensee evaluation appeared reasonable.
Some FW control system components have maintenance rule functions that are scoped in other systems. Specifically, the reactor level transmitters, trip units, and relays associated with the hi-hi reactor water level (Level-8) feedwater pump turbine trip are feedwater system components, but have maintenance rule functions scoped in the reactor feed pump turbine system, and reactor non-nuclear instrumentation system. The FW system engineers were unaware that FW components had defined maintenance rule functions which were scoped outside of the feedwater system.
The review for maintenance rule functional failures (MRFFs) was performed by system engineers system. Therefore, the system engineer, assigned to evaluate MRFFs for his system, may not be responsible or accountable for all of his system's component functions, as defined by the maintenance rule. This could result in a failure to identify a MRFF. The team found no examples of such failures.
High Pressure Coolant Iniection System (HPCI)
The HPCI system was properly scoped in the maintenance rule program, and was appropriately designated as a risk significant standby system. The system was in the (a)(2) status, had 11 functions, and was monitored against system unavailability and reliability (MRFFs).
Unavailability, monitored for the risk significant functions, had an allowable value of 2.5 % per 36 month period and appeared reasonabl Emergencv Diesel Generators (EDG)
The EDGs were appropriately scoped into the maintenance rule program The EDG's have performance criteria established of < 1.5% unavailability and > 97.5%
reliability for each of the four dedicated diesel generators, the one spare diesel, and a combined criteria for all the diesels.
The licensee tracks all functional failures and used this information to evaluate the SSC against the performance criteria. Since June 1995, there has been 2 start failures of the diesel generators and 1 load-run failure.
The standby emergency diesel generator "A' was placed in an (a)(1) status due to exceeding the reliability performance criteria. Placement of the EDG in the (a)(1)
category was determined by the system engineer on June 5, 1998. The performance criteria was actually exceeded in July 1997 and met the criteria to be placed in (a)(1) status. This is another example of an apparent violation of 10 CFR 50.65(a)(1). (EEI 50-387/388/98-04-02)
The licensee has conducted a causal analysis to identify the root cause of the Diesel Generator 'A' reliability failure and determined that the cause was a load limit knob out of position on the engine governor.
The team also verified that the EDG system was meeting the requirements for station blackout rule reliability for the last 20, 50, and 100 starts.
Reactor Manual Control System (RMCS)
The RMCS was properly scoped in the maintenance rule program and classified as risk significant. Based on discussions with the system engineer, the team determined the system engineer was knowledgeable of the system. The system was properly classified as an (a)(1) system for both units. CR 98-1 294 indicated that since April 1995 Unit 1 had 12 rod drive control system lockup failures and Unit 2 had 11 such failures. GDG-14; Rev.1 states no repetitive MPFFs as performance criteria. The systems met the criteria to be placed in (a)(1) on July 10, 1996, but was not placed in (a)(1) status until May 1998. This is another example of an apparent violation. (EEI 50-387/388/98-04-02) The team determined the plan to return the system to an (a)(2) status was adequate.
Fuel Handling System The fuel handling system was properly scoped in the maintenance rule program and was classified as nonrisk significant. Based on discussions with the system engineer, the team determined system monitoring was adequate and the system engineer was knowledgeable of the system boundaries as well as the maintenance rule requirements. The team determined that a maintenance rule function concerning an interface between the system and the RMCS was not well
established. As a result of the concern, PP&L established a maintenance rule function to capture a failure to correctly input to the RMCS as a functional failure of the fuel handling system. The fuel handling system was appropriately classified as an (a)(2) system.
Primary Containment System The primary containment system was properly scoped in the maintenance rule program and was classified as risk significant. Based on discussions with the system engineer, the team determined system engineer was knowledgeable of the system boundaries as well as the maintenance rule requirements. System monitoring was conducted in accordance with procedure NSEI-AD-412, Rev. 0,
"Primary Containment Structural Monitoring."
The system was properly classified as (a)(2).
Containment and Suppression System The containment and suppression system was a subsystem of the primary containment system and was properly scoped in the maintenance rule program.
The system was classified as a)(1a) because the main steam isolation valves (MSIVs) failed to meet the performance criteria of passing consecutive local leak rate tests (LLRT). The team reviewed the improvement plans concerning the MSIVs and found the plans to return the system to (a)(2) status to be reasonable. Conclusions The team noted that several SSCs had exceeded their performance criteria in 1996 or 1997, but were not evaluated and placed in (a)(1) status until as late as June of 1998. This was an apparent violation.
The team determined that the system engineers had excellent knowledge of their systems, and good knowledge of the maintenance rule requirements. The system engineer's involvement was found to be a significant positive attribute of the maintenance rule program.
Appropriate goal setting was in place for the (a)(1) systems which were reviewed.
However, the team observed the corrective actions for (a)(1) systems did not include review of preventive maintenance activities.
PP&L had completed a thorough scoping analysis for the SSCs reviewed. The team found some system components had functions scoped into other systems.
Consequently, those functions were not assigned to the system engineer for evaluation of MRFFs and could result in a failure to identify MRFFs.
Corrective and preventive maintenance were considered appropriate and effective for the (a)(2) systems reviewe \\<z MM1.4 Periodic Evaluations (a)(3) and Plant Safety Assessments Before Taking Equipment Out-of-service Inspection Scope Paragraph 10 CFR 50.65(a)(3) requires that periodic evaluations be performed and adjustments be made where necessary to assure that the objectives of preventing failures through the performance of preventive maintenance is appropriately balanced against the objectives of minimizing unavailability due to monitoring or preventive maintenance. The team reviewed NDAP-QA-0413, SSES Maintenance Rule Program, dated April 20, 1998, and NSEI-AD-022, Guidelines to Develop the Periodic Assessment of Maintenance Program Effectiveness, dated June 1 2, 1998, the maintenance rule periodic assessment for SSES for the period of April 1995 through September 1996, dated March 27, 1997, and the Maintenance Rule Improvement Plan.
The use of industry operating experience (IOE) was reviewed to determine how industry information was made available to the plant engineering staff and the extent to which IOE is factored into maintenance rule activities.
Paragraph (a)(3) of the maintenance rule states, in part, that in performing monitoring and preventive maintenance activities, an assessment of the total plant equipment that is taken out of service should be taken into account to determine the overall effect on performance of safety functions. The team reviewed the licensee's procedures and discussed the process with applicable personnel. Observations and Findings Periodic Assessment During the inspection, PP&L approved a new procedure for the conduct of the periodic assessment. The team found that the new procedure, NSEI-AD-022, contained criteria to implement an adequate periodic assessment program. The first periodic assessment contained a section on balancing availability and reliability.
However, because PP&L was using only plant level performance criteria, with no values for unavailability, balancing reliability and unavailability for risk significant SSCs was inadequate. In addition, the periodic assessment did not adequately address the results of the review of goals for their continued applicability. These failures were identified in PP&L audits and actions taken to correct the problems.
The team found that current performance criteria for risk significant SSCs were adequate for balancing reliability and unavailability. The new procedure provided adequate guidance on assessing goals. However, this failure to adequately evaluate the balance between availability and reliability and evaluate goals is an example of an apparent violation of 10 CFR 60.65(a)(3). (EEI 50-387/388198-04-03)
1 1 Industry Operating Experience Extensive IOE information is available for those who have knowledge of the computer system. However, system engineers demonstrated various degrees of familiarity with the computer programs providing IOE. The distribution list of
'NETDAY', the primary input of IOE includes only four of the 15 members of the expert panel and did not include the MRC. Only a few of the system engineers are on this distribution.
The first maintenance rule periodic assessment dated March 25,1997, stated there were problems with getting industry information to the system engineers and the area was not covered by any recent NAS audit.
Although the use of IOE could be improved, the system engineers demonstrated a knowledge of IOE applicable to their systems and had copies of relevant IOE information available. Some progress was evident in improving this area since the first periodic assessment.
Plant Safety Assessments Before Taking Equipment Out-of-Service The online maintenance program was described in NEPM-QA-0900, 'Assessment of On-Line Work Windows,' Revision 2, dated 5/15/98, and 'SSES Tactics for Excellence through Accountable Management," (TEAM MANUAL), approved at PORC Meeting No.95-166, dated 12/28/95.
Procedure NEPM-QA-0900 was intended to provide guidance to assess the risk from on-line work and identify mitigating measures which reduce the instantaneous risk during the on-line work window when the reactor was in Mode 1. The procedure also was intended to provide a format for preparing both specific and generic safety assessments of the on-line work windows for on-line work activities that were beyond the scope of the TEAM Manual. Scheduling of routine on-line work windows was covered in the TEAM Manual. Activities covered by the TEAM Manual were generally of short duration and were limited to one safety system.
Procedure NEPM-QA-0900 was targeted at on-line work activities that generally lasted more than one day, were more complex, and covered risk significant systems.
For a given week, a major system such as HPCI might be designated for maintenance. For HPCI and nine other risk significant systems, generic safety assessments had been prepared. The generic safety assessments provided very detailed risk insights which clearly identified the importance of maintaining available other systems which could be required in the event of an accident. The guidance in the generic safety assessments was well beyond that which would normally be provided by a two-dimensional risk matrix showing unacceptable combinations of systems being taken out of service. However, the generic safety assessments were primarily qualitative assessments because of the variation of the combinations of
systems which could be taken which during any given week. Each generic safety assessment included a table which identified systems on which work would not be allowed.
The TEAM Manual implements risk assessment of on-line maintenance activities by requiring adherence to a table of "scheduling rules." The TEAM Manual was reviewed by the PRA group, and updated in April 1998 to incorporate additional scheduling rules for risk significant systems. The manual requires a formal risk assessment only when planned work duration on risk significant SSCs will exceed the durations allowed by the TEAM Manual or by the Technical Specifications. The team reviewed several formal risk assessments and determined they were adequate.
Although, the TEAM Manual did not identify which systems were risk significant, the practice was to perform a formal risk assessment whenever any scheduling rule could not be satisfied.
The April, 1998, PRA review of the TEAM Manual did not perform a quantitative or qualitative evaluation of the risk associated with simultaneously removing various systems and equipment from service as allowed under the TEAM Manual rules.
Therefore, adherence to the scheduling rules may not satisfy the intent of the maintenance rule. Furthermore, not all plant systems are covered by the TEAM Manual, including a number of risk significant systems, such as emergency diesel generator building HVAC, reactor manual control system (RMCS), various reactor instrumentation channels, 1 25VDC distribution system, 4.1 6kV distribution system, 480VAC load centers, 480VAC motor control centers, and the reactor protection system.
The TEAM Manual, in part, requires that "All work activities that involve plant systems or equipment will be scheduled and will be reflected on a Nuclear Department Schedule." The manual also states 'Work Week Coordinators are responsible for planning, coordination and execution of all work activities."
However, emergent work, which may total 10 to 1 5% of weekly work orders, is directly handled by the on-shift licensed senior reactor operators, and does not get processed through the maintenance planning, scheduling, or work coordination groups. Although the interviewed licensed operators were familiar with the TEAM Manual, they did not formally use the manual, or verify compliance with the manual's scheduling rules, for the performance of emergent work. Therefore, emergent work, because it is not "scheduled work,' typically does not receive any risk assessment, beyond the consideration of the on-shift licensed operators.
Consequently, the risk assessment of emergent on-line maintenance activities may not meet the intent of the maintenance rule.
From interviews, the team determined that when the on-line work involved balance of plant equipment which could cause a plant transient or scram, such as the feedwater heater level control valves, the generic safety assessments that would prohibit taking other systems out of service would not necessarily be referred to.
The basic philosophy behind the generic safety assessments was the assumption that a major safety system would be worked on that week and the assessment provided guidance as to which other plant equipment should not be taken out of
service simultaneously. The opposite scenario, where emergent work on equipment occurred late in the schedule just prior to the implementation of the scheduled week's activities, would not necessarily trigger implementation of any of the generic safety assessments. Therefore, it was possible that even for scheduled work, undesirable risk configurations could be established.
The team noted that operations personnel did not routinely follow the requirements in the TEAM Manual, nor would they refer to a generic safety assessment because the assessments were not stored in the control room. The assessments were in the control room only as part of a work package for the current work window. When the work under the current work window was completed, the generic safety assessments would be sent back to the scheduling personnel. The supervisor recognized the possibility of two different types of emergent work scenarios. The first was when scheduled work was being presented to him for release and he had to consider what equipment had failed or been removed from service. The second scenario was when emergent work occurred during a night shift or weekend shift during the course of surveillance testing. In neither case would the TEAM Manual necessarily provide sufficient guidance nor would the generic safety assessments automatically be referenced or applicable. The PRA group was rarely consulted in either scenario for an evaluation of the emergent work risk status.
Although the team agreed that the generic safety assessments did provide a great deal of risk insights and information, the team considered the licensee's program for assessing the risk of taking equipment out of service during on-line operation to be a weakness in that undesirable risk configurations could occur for scheduled work as well as for emergent work.
To control risk during shutdown, NDAP-00-0612, "Outage Scope and Schedule Development and Control,' Revision 4, dated 12/22/97 and NDAP-00-0613,
"Outage Implementation and Assessment," Revision 4, dated 1 2/22/97 were used.
Critical shutdown functions such as emergency core cooling systems and decay heat removal, inventory control, reactivity control, and electrical distribution were identified similar to the outage safety assessment guidelines of NUMARC 91-06,
"Guidelines for Industry Actions to Assess Shutdown Management," December 1991. The licensee indicated that the EPRI-developed ORAM program was also used during outages to control risk. Conclusions The team found that the licensee's new periodic maintenance effectiveness assessment procedure was adequate for implementing the requirements of the periodic assessments under 50.65(a)(3). The first periodic assessment did not meet the requirements of the rule by failing to adequately balance reliability and availability and assess the continued adequacy of goals for (a)(1) SSCs. This failure is an apparent violatio The system engineers were aware of industry operating experience (IQE) for issues within their system boundaries. However, there are a number of opportunities to improve the flow of IOE information to better assure that relevant information reaches the appropriate individual.
The team concluded that emergent work was evaluated qualitatively by the control room staff based on operator knowledge and judgement and that there was no formal documentation of such evaluations.
The program for assessing the risk of taking equipment out of service was based on the TEAM Manual and guidance in generic safety assessments. The team noted that generic safety assessments had not been prepared for all risk significant systems. Also, the TEAM Manual did not cover all risk significant systems. It was possible that even for scheduled work, undesirable risk configurations could be established.
Although the team agreed that the generic safety assessments provided a great deal of risk insights and information, the team considered the licensee's program for assessing the risk of taking equipment out of service when on-line to be weak in that undesirable risk configurations could occur for scheduled work as well as for emergent work. While currently not a mandatory requirement, the team concluded that the licensee's process for assessment of plant risk during on-line maintenance does not appear to meet the intent of the maintenance rule The procedure for risk assessment did not cover all risk significant systems and was not utilized for emergent work. However, when a formal risk assessment was required by the plant procedure, the assessment was adequately detailed, developed, and implemented.
The licensee's shutdown risk program was based on critical shutdown functions such as emergency core cooling systems and decay heat removal, inventory control, reactivity control, and electrical distribution similar to the outage safety assessment guidelines of NUMARC 91-06.
M2 Material Condition of Facilities and Eauioment Inspection ScoDe The team performed walkdowns of those systems in which vertical slice inspections were performed. These system walkdowns were performed with the responsible system engineer, during which time the team observed the material condition of the plant. Observations, and Findings The specific SSCs examined by the team and the overall plant were noted to be in good conditio Conclusions The overall material condition of SSCs walked down by the team were maintained in good condition.
M3 Staff Knowledae and Performance Inspection Scope The team interviewed various plant staff, including; system engineers, work coordination managers, and licensed senior reactor operators to assess their understanding of the maintenance rule and their associated responsibilities. Observations and Findings The system engineers were knowledgeable of their systems, and expressed confidence in their ability to make maintenance rule functional failure (MRFF)
determinations. Their use of industry operating experience, to assist in performing root cause evaluations and subsequent corrective actions, varied from system engineer to system engineer.
A work coordination manager and a work week manager were interviewed. They displayed an adequate knowledge of the maintenance rule, in general, and a high level of knowledge on risk assessment for scheduled on-line maintenance activities.
They were aware of the need to perform risk assessment of emergent maintenance activities, but indicated operations personnel were responsible for management of emergent work.
A unit supervisor, a shift supervisor, and the operations supervisor were interviewed for their knowledge of the maintenance rule and its impact on plant operations. All displayed an adequate general level of knowledge of the maintenance rule. The licensed senior reactor operators were questioned about their responsibilities regarding risk assessment of emergent on-line maintenance activities; they were adequately versed on plant procedures and practices used for risk assessment of
"scheduled" on-line maintenance. However, the operators appeared unaware of the need to perform risk assessments of emergent maintenance activities.
M7 Quality Assurance (QA) in Maintenance Activities Insvection Scope The team reviewed the assessments and audits related to the maintenance rule in order to determine if the provisions of the rule were properly implemented. Observations and Findings Five major assessments or audits of maintenance rule program activities were completed by PP&L over the period of November 1995 to June 2, 1998. These
were the MRITE assessment dated December 1995, the SSES Nuclear Assessment Services (NAS) audit 96-066, the first periodic assessment dated March 25., 1 997 a contractor (ON-MARC) audit dated September 19,1997 and a NAS surveillance of the CR dated June 2,1998. The first four evaluations of the effectiveness of the maintenance rule activities each identified problem areas. The net result of these evaluations was a set of identified problems that were addressed by June 1998, resulting in many improvement The overall effectiveness of the recently initiated maintenance rule program changes will be clearer by the time of the second periodic assessment preparation. The series of evaluations of the maintenance rule process as implemented show a successful effort in identifying problems but a significant delay in completing corrective actions.
A Nuclear Assessment Services (NAS) assessment of the maintenance rule program conducted the week of September 15, 1997 using the ON-MARC audit, noted several potential violations of 10 CFR 50.65. CR 97-3098, dated September 18, 1997, described these areas of potential noncompliance. The CR and associated Maintenance Rule Program Improvement Plan, dated November 7, 1997, also described actions to correct these deficiencies. The planned actions had been completed during the week of the inspection. The team found the corrective actions to be adequate. The following potential violations were noted in the CR: Scoping-Several SSCs (or functions) were not in scope but should have been. For example, a) EDG safety related instrument functions, b) service air system, c) safety parameter display system and d) the post accident sampling system. These SSCs (or functions) were added to the maintenance rule program. Risk Significant Determinations-PP&L had originally considered only modes 1 and 2 in identifying risk significant SSCs. Risk significant determinations have subsequently been made for all modes of operation. Performance criteria-PP&L failed to establish effective performance criteria for risk significant SSCs. For example, plant level performance criteria were used for risk significant SSCs such as RPS, instrument air and CRD-HCUs.
The team's review of current performance criteria determined that the criteria was appropriate. Performance monitoring-There was a lack of timely review and failure to properly identify MPFFs. In some cases, system engineers were reviewing functional failures on a quarterly basis rather than as they were generated.
This caused delays in evaluations. Also, there was poor guidance on determining MPFFs. This resulted in many functional failures not to be properly classified as MPFFs. For example, the ESS pump house HVAC system had 17 functional failures with only two identified as MPFFs. The remaining 1 5 functional failures did not have a cause identified. Other examples of lack of timely review are described in section M1.3 for systems going from (a)(2) to (a)(1).
17 Periodic assessment-The periodic assessment did not meet maintenance rule requirements. This issue was discussed in section M1.4. Timeliness of corrective actions-Inadequate priority was placed on correction for maintenance rule deficiencies.
These self-identified problems were indicative of a programmatic weakness. The team found the actions to correct the problems were adequate, although they were not completed until just before the team's inspection. They are examples of apparent violations of 10 CFR 50.65 that existed from July 1996 until June 1998.
(EEI 50-387/388/98-04-04)
M8 Miscellaneous Condition ReDort (CR) 98-1177. Aooendix R Lightinq This CR documented a historical review of the lighting system for maintenance rule functional failures (MRFFs) and evaluated the MRFFs against a monitoring criteria of 98% reliability. The failure rate was calculated as 1.1 %, 0.8%, and 0.6%
respectively for Unit Common, 1, and 2. The CR documented a number of repetitive MRFFs, but evaluated them as "normal end of life" and concluded that those MRFFs did not represent a deterioration of the lighting system over the three year evaluation period. The maintenance rule basis document contained reasonably clear criteria as to what constituted a MRFF, and stated that certain components, such as bulbs, were considered run-to-failure components. The monitoring criteria and system status as (a)(2) appeared reasonable.
(CLOSED) Unresolved Item 50-387/388/97-03-04 The team reviewed Unresolved Item 50-387/388/97-03-04that concerned the back draft isolation dampers (BDIDs) that are located in various areas of the reactor building ventilation system. These BDIDS are actuated by pressure switches and provide isolation in the event of a high energy line break. The isolation function of these BDIDs was not tested and their isolation function was not included as a maintenance rule function of the reactor building ventilation system.
The team reviewed the maintenance rule basis document for the reactor building ventilation system and noted that PP&L had included function number 11 to provide duct isolation by closing the BDIDs after a high energy line break. Also, PP&L functionally tested the BDIDs using testing procedures TP-1 34-048 and TP-234-052. The results of the functional testing of the BDIDs was documented in plant condition report 97-3637. Based on the addition of function number 11 to the maintenance rule program and the completed functional testing of the BDIDs, the team concluded the Unresolved Item 50-387/388/97-03-04 is CLOSED. The team concluded that the enforcement aspects related to this issue would be adequately covered, consistent with staff resolution of EEI 98-04-0 Additional Findings During the inspection, the team noted that various plant procedures that contain operator actions required to be taken in the event of an emergency situation are not administratively controlled in the same manner as the Emergency Operating Procedures (EOPs). Administrative procedure NDAP-QA-0330 "Symptom-Oriented EOP Program and Writer's Guide' applies to the EOP flowcharts, but does not apply to the Emergency Support (ES) procedures or various system operating procedures.
After discussions with the team, PP&L prepared CR 98-2106 describing the lack of administrative controls of these procedures that captured the critical aspects of the issue. The licensee's resolution of this CR is an Inspector Follow Item 50-387/388/98-04-05. Management Meetings X Exit Meeting Summary The team discussed the progress of the inspection with PP&L representatives on a daily basis and presented the inspection results to members of management at the conclusion of the inspection on June 1 2, 199 PARTIAL LIST OF PERSONS CONTACTED Pennsylvania Power & Light Company Kevin Chambliss, Manager, Nuclear Operations Tom Fedorko, Operations Unit Supervisor Steve Geiger, Maintenance Rule Coordinator Cas Kukielka, PRA Engineer George Kuczynski, General Manager SSES Jerry Radishofski, Operations Supervisor Wilbur Slusser, Work Week Manager Jeff Sukal, Project Manager, Work Coordination Dave Walsh, Operations Shift Supervisor Bill Williams, Senior Licensing Engineer Robert Breslin, Manager, Nuclear Maintenance Dale Roth, Operations Engineering Supervisor G. Miller, General Manager, Nuclear Engineering Richard Pagodin, Manager, Nuclear Systems Engineering Mike Gorski, PP&L Inspection Team Lead Vince Kelly, Supervising Engineer Robert Prego, Supervisor, Surveillance Services LIST OF INSPECTION PROCEDURES IP 62706 Maintenance Rule
4W LIST OF ITEMS OPENED AND/OR CLOSED OPENED EEI 50-378/388/98-04-01 EEI 50-378/388/98-04-02 EEI 50-387/388/98-04-03 EEI 50-387/388/98-04-04 IFI 50-387/388/98-04-05 CLOSED URI 50-387/388/97-03-04 Failure to place a safety related system within the maintenance rule program.
Failure to place systems in (a)(1) status in a timely manner.
Failure to perform an adequate periodic assessment.
Failure to implement an effective maintenance rule program.
Administrative controls of EOP and support procedures.
Back draft isolation dampers tested and included in the maintenance rule progra LIST OF ACRONYMS USED ADS AOT ATWS BDID CDF CM CR CRD CREOASS CS EA EDG EOPs EPRI ESW FF FSAR FW GDG HCU HPCI HVAC IFI IOE IPE KV LCO LLRT MOV MPFF MRC MRFF MSIV NUMARC PM PORC PRA PSIG QA RAW RCIC RCS RHR RHRSW RMCS RPS RRW SBO Automatic Depressurization System Allowed Outage Time Anticipated Transient Without Scram Back Draft Isolation Damper Core Damage Frequency Corrective Maintenance Condition Report Control Rod Drive Control Room Emergency Outside Air Supply System Core Spray Enforcement Action Emergency Diesel Generator Emergency Operating Procedures Electric Power Research Institute Emergency Service Water Functional Failure Final Safety Analysis Report Feedwater General Design Guideline Hydraulic Control Unit High Pressure Coolant Injection Heating, Ventilation, and Air-Conditioning Inspector Follow Item Industry Operating Experience Individual Plant Examination Kilovolt Limiting Condition of Operation Local Leak Rate Test Motor Operated Valve Maintenance Performance Functional Failure Maintenance Rule Coordinator Maintenance Rule Functional Failure Main Steam Isolation Valve Nuclear Utility Management and Resource Council Preventative Maintenance Plant Operations Review Committee Probabilistic Risk Assessment Pounds Per Square Inch Gage Quality Assurance Risk Achievement Worth Reactor Core Isolation Cooling Reactor Coolant System Residual Heat Removal System Residual Heat Removal Service Water Reactor Manual Control System Reactor Protection System Risk Reduction Worth Station Blackout
SLCS Standby Liquid Control System SP Support Procedure SRV Safety Relief Valve SSCs Structures, Systems and Components SSES Susquehanna Steam Electric Station UCLF Unplanned Capacity Loss Factor UFSAR Updated Final Safety Analysis Report VAC Volts Alternating Current V DC Volts Direct Current WA Work Authorization