U.S. Nuclear Regulatory Commission Component Design Bases Inspection - Inspection Report 05000424/2016007 and 05000425/2016007, and Exercise of Enforcement Discretion

ML16358A672
Person / Time
Site:	Vogtle
Issue date:	12/23/2016
From:	Gody A Division of Reactor Safety II
To:	Taber B Southern Nuclear Operating Co
References
EA-16-271 IR 2016007
Download: ML16358A672 (42)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION ber 23, 2016

SUBJECT:

VOGTLE ELECTRIC GENERATING PLANT - U. S. NUCLEAR REGULATORY COMMISSION COMPONENT DESIGN BASES INSPECTION - INSPECTION REPORT 05000424/2016007 AND 05000425/2016007, AND EXERCISE OF ENFORCEMENT DISCRETION

Dear Mr. Taber:

On November 4, 2016, U. S. Nuclear Regulatory Commission (NRC) completed an inspection at your Vogtle Electric Generating Plant, Units 1 and 2, and discussed the results of this inspection with you and other members of your staff. The inspection team documented the results in the enclosed inspection report (IR).

NRC inspectors documented seven findings of very low safety significance (Green) in this report. Seven of these findings involved violations of NRC requirements; one of these violations was determined to be Severity Level IV (SLIV) under the traditional enforcement process. The NRC is treating these violations as non-cited violations (NCVs) consistent with Section 2.3.2.a of the Enforcement Policy.

A violation of 10 CFR 50, Appendix B, Criterion XVI was identified related to the failure to identify conditions adverse to quality for tornado-generated missile protection. As discussed in the enclosed IR, the NRC is exercising enforcement discretion to not cite this violation, in accordance with the NRC Enforcement Policy, Section 3.10, Reactor Violations with No Performance Deficiencies.

If you contest the violations or significance of these NCVs, you should provide a response within 30 days of the date of this inspection report, with the basis for your denial, to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001; with copies to the Regional Administrator, Region II; the Director, Office of Enforcement; and the NRC resident inspector at the Vogtle Electric Generating Plant. If you disagree with a cross-cutting aspect assignment or a finding not associated with a regulatory requirement in this report, you should provide a response within 30 days of the date of this inspection report, with the basis for your disagreement, to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001; with copies to the Regional Administrator, Region II; the Director, Office of Enforcement; and the NRC resident inspector at the Vogtle Electric Generating Plant.

This letter, its enclosure, and your response (if any) will be made available for public inspection and copying at http://www.nrc.gov/reading-rm/adams.html and at the NRC Public Document Room in accordance with 10 CFR 2.390, Public Inspections, Exemptions, Requests for Withholding.

Sincerely,

/RA/

Anthony T. Gody, Director Division of Reactor Safety Docket Nos.: 05000424 and 05000425 License Nos.: NPF-68 and NPF-81

Enclosure:

Inspection Report 05000424/2016007 and 05000425/2016007 w/Attachment:

Supplemental Information

REGION II==

Dockets: 05000424 05000425 License: NPF-68 and NPF-81 Report Nos.: 05000424/2016007 and 05000425/2016007 Licensee: Southern Nuclear Operating Company, Inc. (SNC)

Facility: Vogtle Electric Generating Plant, Units 1 and 2 Location: Waynesboro, GA 30830 Dates: October 3 - November 4, 2016 Team Leader: T. Fanelli, Senior Reactor Inspector, Engineering Branch 1 Inspectors: J. Eargle, Senior Reactor Inspector T. Su, Reactor Inspector A. Ruh, Resident Inspector, Browns Ferry Nuclear Plant Accompanying Personnel: W. Sherbin, Contractor Beckman and Associates A. Della Greca, Contractor, Beckman and Associates Approved By: Jonathan H. Bartley, Branch Chief Engineering Branch 1 Enclosure

SUMMARY

IRs 05000424/2016007 and 05000425/2016007; 10/03/2016 - 11/04/2016; Vogtle Electric

Generating Plant, Units 1 and 2; Component Design Bases Inspection.

The inspection activities described in this report were performed between October 3, 2016, and November 4, 2016, by four inspectors from the NRCs Region II office and two NRC contract personnel. Seven findings of very low safety significance (Green) are documented in this report. These findings involved violations of NRC requirements; one of these violations was determined to be Severity Level IV under the traditional enforcement process. The significance of inspection findings is indicated by their color (Green, White, Yellow, or Red), which is determined using Inspection Manual Chapter 0609, Significance Determination Process, dated 04/29/15. Their cross-cutting aspects are determined using Inspection Manual Chapter 0310,

Aspects Within the Cross-Cutting Areas, dated 12/04/14. Violations of NRC requirements are dispositioned in accordance with the NRCs Enforcement Policy. The NRC's program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, Reactor Oversight Process, Revision 6.

Cornerstone: Mitigating Systems

Green.

The NRC identified a Green non-cited violation of Title 10 Code of Federal Regulations Part 50, Appendix B, Criterion III, Design Control, for failure to correctly translate the appropriate permissible limits for frequency and voltage from technical specifications into the emergency diesel generators design loading calculations as required by the licensing and design bases. The violation and related issues were entered into the licensees corrective action program as condition reports 10288732 and 10293810. The licensee was evaluating corrective actions, which included determining acceptable loads at the more limiting power demands and developing procedural guidance.

The performance deficiency was determined to be more than minor because it was associated with the Design Control attribute of the Mitigating Systems Cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of the emergency diesel generators to respond to initiating events to prevent undesirable consequences.

Specifically, failing to evaluate the impact from the frequency and voltage limits allowed by technical specification could result in overloading the diesel generator if operators manually loaded additional plant protection systems during an event. The team determined the finding was of very low safety significance (Green) because it was a design deficiency that did not result in a loss of emergency diesel generators operability. The team did not assign a crosscutting aspect because the most significant contributor did not reflect current licensee performance. (Section 1R21.2.b.1)

Green.

The NRC identified a Green non-cited violation of Title 10 Code of Federal Regulations Part 50, Appendix B, Criterion V, Instructions, Procedures and Drawings, for the licensees failure to have adequate instructions and acceptance criteria to confirm the emergency diesel generators capability to reject the largest single load without exceeding predetermined frequency and voltage while maintaining a specified margin to the overspeed trip. The violation was entered into the licensees corrective action program as condition report 10294395. An immediate determination of operability was performed and concluded that the Emergency Diesel Generators were operable but degraded nonconforming. The licensee was evaluating corrective actions, which may include a final determination of the most severe single largest load and re-performing the surveillance tests.

The performance deficiency was determined to be more than minor because it was associated with the Procedure Quality attribute of the Mitigating Systems Cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems to respond to initiating events to prevent undesirable consequences. Specifically, without adequate acceptance criteria in surveillance procedure SR 3.8.1.8, the procedure could not ensure availability, reliability, and capability of the EDG under the most severe power demand characteristics for electric power used by components. The team determined the finding to be of very low safety significance (Green) because the finding was not a design deficiency, did not represent a loss of system and/or function, and did not represent the loss of any trains of technical specification or non-technical specification equipment. The team did not assign a crosscutting aspect because the most significant contributor did not reflect current licensee performance. (Section 1R21.2.b.2)

Green.

The NRC identified a Green non-cited violation of Title 10 Code of Federal Regulations Part 50, Appendix B, Criterion III Design Control, for installing non-safety related Individual Cell Equalizer devices into the Class 1E battery charging circuits without isolation as specified by Institute of Electrical and Electronics Engineers standard 384 as amended by RG 1.75. The violation was entered into the licensees corrective action program as condition report 10294321. The licensee was evaluating corrective actions, which included the removal of the non-Class 1E components.

The performance deficiency was determined to be more than minor because it affected the Design Control attribute of the Mitigating Systems Cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems to respond to initiating events to prevent undesirable consequences. Specifically, the failure to conform to Class 1E design requirements for independence affected the reliability of the Class 1E battery systems. The team determined the finding to be of very low safety significance (Green),

because it was a deficiency affecting the design or qualification of a SSC, and the SSC maintained its operability or functionality. The team did not assign a crosscutting aspect because the most significant contributor did not reflect current licensee performance. (Section 1R21.2.b.3)

Green.

The NRC identified a Green non-cited violation of Technical Specification 5.5.8,

Inservice Testing Program, for Vogtle Unit 2 failure to perform the required testing in accordance with the American Society of Mechanical Engineers Operation and Maintenance Code for nine valves that had active safety functions. Specifically, these valves were required to operate when aligning the AFW pumps from Condensate Storage Tank (CST) 1 to CST 2.

The violation was entered into the licensees corrective action program as condition report 10293900. The licensee performed an immediate determination of operability and determined that the CST valves were operable but degraded nonconforming. The licensee planned to register the CST valves into the IST program and exercise those valves that that have never been exercised at the first available opportunity.

The performance deficiency was determined to be more than minor because it was associated with the Mitigating Systems Cornerstone attribute of Equipment Performance, and affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, degraded valve performance could go undetected without periodic testing and trending. The team determined the finding to be of very low safety significance (Green) because the finding was not a design or qualification deficiency, did not represent a loss of system and/or function, and did not represent the loss of any trains of TS or Non-TS equipment. The team did not assign a crosscutting aspect because the most significant contributor did not reflect current licensee performance.

(Section 1R21.2.b.4)

Green.

The NRC identified a Green, non-cited violation of Title 10 Code of Federal Regulations Part 50.55a(h)(2) Protection Systems, because the licensee failed to perform periodic testing of safety-related valve interlocks to ensure an adequate single failure analysis by identifying detectable failures in accordance with Institute of Electrical and Electronics Engineers standard (IEEE) 379-1972, IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems. The violation was entered into the licensees corrective action program as condition report 10293749. The licensee performed an immediate determination of operability and determined that the affected systems were operable but degraded nonconforming. The licensee was in the process of determining and developing adequate corrective actions to conform with Institute of IEEE Standard 379-1972.

The performance deficiency was determined to be more than minor because it was associated with the Equipment Performance attribute of the Mitigating Systems Cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to periodically test safety-related valve interlocks affected the adequacy of the licensees single failure analysis. The team determined the finding to be of very low safety significance (Green) because the finding was not a design deficiency, did not represent a loss of system and/or function, and did not represent the loss of any trains of technical specification or non-technical specification equipment. The team did not assign a crosscutting aspect because the most significant contributor did not reflect current licensee performance. (Section 1R21.2.b.5)

Green.

The NRC identified a Green non-cited violation of Title 10 Code of Federal Regulations Part 50, Appendix B, Criterion III, Design Control for the licensee's failure to translate the Auxiliary Feedwater (AFW) pumps design bases into adequate acceptance criteria for technical specifications SR 3.5.7.2 and for the failure to verify the adequacy of the design of the same AFW pumps. The licensee entered the violation into the corrective action program as condition reports 10293456 and 10294168. As an immediate corrective action, the licensee evaluated the operability of the Unit 1 and 2 AFW pumps, modify the allowed diesel frequency acceptance criteria, and initiated corrective action to develop new acceptance criteria and monitor pump performance for degradation.

The performance deficiencies were more-than-minor because they were associated with the Design Control attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences (i.e., core damage). Specifically, when the quality of the established surveillance criteria was considered, there was a reasonable doubt on the operability of the Unit 1 and 2 turbine driven AFW and 2A and 1B motor driven AFW pumps. The team determined the finding to be of very low safety significance (Green) because it did not represent an actual loss of function of at least a single train for greater than its technical specification allowed outage time. The team determined that the finding had a cross-cutting aspect in the Human Performance area of Design Margins [H.6], because engineers did not demonstrate the characteristic of ensuring that design margins were guarded and changed only through a systematic and rigorous process. (Section 1R21.2.b.6)

Other Findings

and Violations SLIV. The NRC identified a severity level IV non-cited violation of Title 10 Code of Federal Regulations Part 50.71(e)(4) for the failure to reflect all changes made in the facility or procedures as described in the Updated Final Safety Analysis Report (UFSAR). The licensee failed to update UFSAR with the design basis of a new digital emergency diesel generator sequencers installed in 2007. This violation was entered into the licensees corrective action program as condition reports 10288350, 10293456, 10291633. The licensee planned to update the UFSAR with the applicable design basis.

The failure to update the UFSAR was a performance deficiency that was determined to be a minor reactor oversight program violation because it did not meet the more than minor screening criteria. Because the issue impacted the NRCs ability to perform its regulatory process, the inspectors evaluated the violation using the traditional enforcement process. The inspectors determined the issue was a severity level IV violation because it met violation example 6.1.d.3 of the NRC Enforcement Policy. The violation represented a failure to update the UFSAR as required by Title 10 Code of Federal Regulations Part 50.71(e), but the lack of up-to-date information has not resulted in any unacceptable change to the facility or procedures.

Cross-cutting aspects are not assigned to traditional enforcement violations. (Section 1R21.2.b.7)

REPORT DETAILS

REACTOR SAFETY

Cornerstones: Initiating Events, Mitigating Systems, and Barrier Integrity This inspection of component design bases verifies that plant components are maintained within their design basis. Additionally, this inspection provides monitoring of the capability of the selected components and operator actions to perform their design basis functions. As plants age, modifications may alter or disable important design features making the design bases difficult to determine or obsolete. The plant risk assessment model assumes the capability of safety systems and components to perform their intended safety function successfully. This inspectable area verifies aspects of the Initiating Events, Mitigating Systems and Barrier Integrity cornerstones for which there are no indicators to measure performance.

1R21 . Component Design Basis Inspection

1. Inspection Sample Selection Process

The team selected risk-significant components and related operator actions for review, using information contained in the licensees probabilistic risk assessment. In general, this included components and operator actions that had a risk achievement worth factor greater than 1.3, or Birnbaum value greater than 1 X10-6. The sample included 12 components; one component associated with large early release frequency (LERF)implications; and three components associated with issues identified through one of the operating experience (OE) feedback process.

The team performed a margin assessment and a detailed review of the selected risk-significant components and associated operator actions, to verify that the design bases had been correctly implemented and maintained. Where possible, this margin was determined by the review of the design basis, and Updated Final Safety Analysis Report (UFSAR). This margin assessment also considered original design issues, margin reductions due to modifications, or margin reductions identified because of material condition issues. Equipment reliability issues were also considered in the selection of components for a detailed review. These reliability issues included items related to failed performance test results, significant corrective action, repeated maintenance, maintenance rule status, Inspection Manual Chapter (IMC) 0326 conditions, NRC resident inspector input regarding problem equipment, system health reports, industry operating experience (OE), and licensee problem equipment lists. Consideration was also given to the uniqueness and complexity of the design, OE, and the available defense-in-depth margins. An overall summary of the reviews performed, and the specific inspection findings identified, are included in the following sections of the report.

2. Component Reviews

a. Inspection Scope

Structures, Systems, or Components (SSCs)

• Condensate Storage Tank

• RWST suction pipe ruptures

• MDAFW Pump Discharge Check Valves 002 and 058

• MDAFW Pump B Flow Distribution Line to SG3 MOV HV5134

• TDAFW Pump Steam Admission Valve HV-5106

• Diesel Generator 2B

• RHR Train B Mini-flow Valve

• 125V DC Bus 1AD1, Distribution Panel 1AD11

• Transformer 1AB15X

• 480V Switchgear 1AB05

• Battery 1BD1B

• 480V MCC Transformer 1BBB03X or 480V MCC Transformer 1ABB03X Components with LERF Implications

• RHR Pump B RWST Suction MOV HV8812B Operational Experience

• IN 97-45, Containment High Radiation Monitoring cable failures under post-accident conditions

• Bulletin 2012-01, and IN-2012-03, Design Vulnerability in Electric Power System

• IN 98-41, Spurious Shutdown Of Emergency Diesel Generators From Design Oversight For the components, LERF component, and operational experience items listed above, the team reviewed the plant technical specifications (TSs), UFSAR, design bases documents, and drawings to establish an overall understanding of the design bases of the components. Design calculations and procedures were reviewed to verify that the design and licensing bases had been appropriately translated into these documents.

Test procedures and recent test results were reviewed against design bases documents, to verify that acceptance criteria for tested parameters were supported by calculations or other engineering documents, and that individual tests and analyses served to validate component operation under accident conditions.

Maintenance procedures were reviewed to ensure components were appropriately included in the licensees preventive maintenance (PM) program. System modifications, vendor documentation, system health reports, preventive and corrective maintenance history, and corrective action program (CAP) documents were reviewed (as applicable),in order to verify that the performance capability of the component was not negatively impacted, and that potential degradation was monitored or prevented. Maintenance Rule information was reviewed to verify that the component was properly scoped, and that appropriate PM was being performed to justify current Maintenance Rule status.

Component walk-downs and interviews were conducted to verify that the installed configurations would support their design and licensing bases functions under accident conditions, and had been maintained to be consistent with design assumptions.

b. Findings

b.1 Failure to Verify Capability of Emergency Diesel Generators (EDGs) under Maximum Frequency and Voltage

Introduction:

The NRC identified a Green non-cited violation (NCV) of Title 10 Code of Federal Regulations (CFR) 50, Appendix B, Criterion III, Design Control, for failure to correctly translate the appropriate permissible limits for frequency and voltage from Technical Specifications (TS) into the EDGs design loading calculations as required by the licensing and design bases.

Description:

The TS specify that the EDGs are required to perform at steady state frequencies (Hz) 58.8 Hz and 61.2 Hz (+/-2% Hz), and voltages 4025volts (V) and 4330V (+3.93% V, -3.35% V).

The Vogtle licensing basis required the EDG loading calculations to assume the most severe steady state conditions, which is when the EDG Loads experience the most limiting of the permitted TS steady state conditions. In Vogtle UFSAR Chapters 7, Instrumentation and Controls and 8, Electric Power, the licensee committed to compliance with the Institute of Electrical and Electronics Engineers (IEEE) 279-1971 Criteria for Protection Systems for Nuclear Power Generating Stations in accordance with 10 CFR 50.55a(h)(2). Standard IEEE 279-1971 Section 3, Design Basis, bullet (7), required, in part, the consideration of the range of transient and steady-state conditions of both frequency and voltage during normal, abnormal, and accident circumstances throughout which the system must perform. The team determined that steady-state DG operation at the permitted variations of frequency and voltage could have a broad impact on the plant design bases for electrical SSCs, including EDG loading calculations. The team determined that the licensees EDG steady state loading and dynamic calculations did not comply with IEEE 279-1971.

The existing EDG loading calculation (X3CE01, EDG Steady-State Loading Study, Version 10) determined that, during a Loss of Offsite Power (LOOP) event, the 1B EDG would be loaded automatically without consideration of manual loads that could be added by the operator. The calculation indicated that when required, after the automatic sequencing, certain components that could total up to a nominal 6415kW could be designated to be loaded onto the diesel. However, at the most limiting TS permitted frequency and voltage, the maximum automatic load would have been greater than 6807kW. This reduced the margin available for additional manual loads to a negligible amount. The licensee indicated that due to the uncertain nature of what loads that could be added after 50.5 seconds a definite load profile could not be added to the EDG load profile. Additionally, the dynamic load calculation (X3CE07, EDG Dynamic Study, Version 2) failed to confirm that, during automatic loading, the response of the EDGs would have been within expected performance while operating at the higher frequency allowed by the TS.

Calculation X3CE01 identified the loads powered by each of the four EDGs under two events. One, a LOOP conditions and second, a LOOP in conjunction with a Safety Injection (SI). The various calculation tables listed loads at nominal 4160V and 60Hz, whereas TS permitted diesel operation at voltages varying from 4025V to 4330V and frequencies from 58.8Hz to 61.2Hz. Similarly, Calculation X3CE07, evaluated the adequacy of the emergency diesel generators to start and power the loads which are automatically actuated by the ESF Sequencer. However, the calculation failed to confirm that the conclusions reached at nominal frequency and voltage remained valid at the TS permitted frequency and voltage.

Analysis:

The team determined the failure to correctly translate the TS permissible limits for frequency and voltage into the EDG design loading calculations as required by the licensing and design bases was a performance deficiency (PD). The PD was determined to be more than minor because it was associated with the Design Control attribute of the Mitigating Systems Cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of the emergency diesels to respond to initiating events to prevent undesirable consequences. Specifically, failing to evaluate the impact from the frequency and voltage limits allowed by TS could result in overloading the diesel generator if operators manually loaded additional plant protection system equipment during an event. The team evaluated the finding with IMC 0609, Att. 4, Initial Characterization of Findings, issued June 19, 2012, for Mitigating Systems, and IMC 0609, App. A, The SDP for Findings At-Power, issued June 19, 2012. The team determined the finding was of very low safety significance (Green)because it was a design deficiency that did not result in a loss of EDG operability. This finding was not assigned a cross-cutting aspect because the issue did not reflect current licensee performance.

Enforcement:

10 CFR Part 50, Appendix B, Criterion III, Design Control, required, in part, that measures be established to ensure that applicable regulatory requirements and the design basis, as defined in § 50.2 are correctly translated into specifications, drawings, procedures, and instructions. Contrary to the above, Since February 4, 2009, the licensee failed to translate applicable regulatory requirements and the design basis, as defined in § 50.2 for the TS permissible limits for emergency diesel generator frequency and voltage into specifications, drawings, procedures, and instructions.

Specifically, the emergency diesel generator load calculations did not incorporate the allowable frequency and voltage bands allowed by TS. The licensees inadequate evaluation of the EDG steady state loading and dynamic performance under higher loads and loss of design margin could have resulted in operating the EDG in excess of its continuous rating during required manual load additions. Evaluation of specified loads by the licensee confirmed that automatic safety functions remained operable. The licensee was evaluating corrective actions, which included determining acceptable loads at the more limiting power demands and developing procedural guidance. Because this violation was of very low safety significance and was entered into the CAP as CR10288732 and CR10293810, the violation is being treated as a NCV consistent with Section 2.3.2 of the Enforcement Policy. This violation is identified as NCV 05000424, 425/2016007-01, Failure to Verify Capability of EDGs Under Maximum Frequency and Voltage.

b.2 Failure to Ensure Adequate EDG Surveillance Acceptance Criteria

Introduction:

The NRC identified a Green NCV of 10 CFR Part 50, Appendix B, Criterion V, Instructions, Procedures and Drawings, for the licensees failure to have adequate instructions and acceptance criteria in the EDG surveillance instructions to ensure that the largest load rejection test bounded the power demand of the largest load.

Description:

Surveillance Requirement (SR) 3.8.1.8 required verification that the EDG response was within specified frequency and voltage limits (+/-2% Hz and +3.93% V, -

3.35% V) following the rejection of a load greater than or equal to its associated single largest post-accident load.

Vogtle licensing and design bases required that the calculation and surveillance procedures consider the EDG largest single load rejection under the most severe power demands experienced by the components that are powered by the EDG. In the UFSAR the licensee committed to Regulatory Guide (RG) 1.9, Design, and Qualification of Diesel Generator Units Used as Standby (Onsite) Electric Power Systems at Nuclear Power Plants, and to IEEE 387-1977, IEEE Standard Criteria for Diesel Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations as amended by RG 1.9. Standard IEEE 387-1977 Section 3 Definitions, 3.4 defined, design load as that combination of electric loads, having the most severe power demand characteristic, which is provided with electric energy from a diesel-generator unit for the operation of engineered safety features and other systems required during and following shutdown of the reactor.

The licensees Unit 1 surveillance procedure 14666-1, Train A Diesel Generator and ESFAS Test, Version 39, step 5.3.35, stated the load was to meet not less than 671 kW (Channel 4). The 671kW load was the AFW pump motor nameplate nominal load rating of 900 HP, 4160V, and 60Hz, which did not meet the most severe power demand characteristic as specified by IEEE 387-1977. Equivalent procedures for other trains used the nominal load.

The EDG Steady State Loading Study (X3CE01), Version 10 was used to develop the surveillance procedure. The calculation determined that certain accident conditions caused the AFW pump to exceed a 113% service-factor power increasing the load to 758.7 kW. This power demand was not included in the surveillance procedure. The team determined that when the most severe power demand (the most limiting frequency and voltage demand) was included, the test load would increase to approximately 805.1 kW. None of the completed surveillances test met 805.1 kW. Because of the inadequate procedure, of the eight completed surveillances evaluated by the team, the largest was 774 kW in SNC335799, second was 764 kW in Work Order SNC394769.

These two surveillances were the only ones that met the 758.7kW specified in X3CE01.

Analysis:

The licensees failure to have adequate acceptance criteria in the EDG Surveillance Procedures that met the load requirements as specified by the Vogtle licensing and design bases was a PD. The PD was determined to be more than minor because it was associated with the Procedure Quality attribute of the Mitigating Systems Cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems to respond to initiating events to prevent undesirable consequences. Specifically, without adequate acceptance criteria in surveillance procedure SR 3.8.1.8, the procedure could not ensure availability, reliability, and capability of the EDG under the most severe power demand characteristics for electric power used by components. The team evaluated the finding with IMC 0609, Att.

4, Initial Characterization of Findings, issued June 19, 2012, for Mitigating Systems, and IMC 0609, App. A, The SDP for Findings At-Power, issued June 19, 2012. The team determined the finding to be of very low safety significance (Green) because the finding was not a design deficiency, did not represent a loss of system and/or function, and did not represent the loss of any trains of TS or Non-TS equipment. The finding was not assigned a cross-cutting aspect because the issue did not reflect current licensee performance.

Enforcement:

Title 10 of CFR Part 50, Appendix B, Criterion V, Instructions, Procedures, and Drawings, required, in part, that activities affecting quality shall be prescribed by documented instructions, procedures, or drawings, of a type appropriate to the circumstances and shall include appropriate quantitative or qualitative acceptance criteria for determining that important activities have been satisfactorily accomplished.

Contrary to the above, since February 4, 2009, the licensee failed to ensure that activities affecting quality were prescribed by documented procedures of a type suitable to the circumstances and failed to ensure that written test procedures incorporated appropriate quantitative acceptance criteria. Specifically, the licensees procedures that implement TS SR 3.8.1.8 failed to ensure that the rejected load bounded the largest load under the most severe power demands predicted for components under post-accident conditions. An immediate determination of operability was performed and concluded that the EDGs as operable but degraded nonconforming The licensee was evaluating corrective actions, which included determining the most severe single largest load and re-performing the surveillance tests. This nonconformance affected the EDGs ability to adequately respond to transients under accident conditions. Because the violation was of very low safety significance and it was entered into the CAP as CR10294395, the violation is being treated as an NCV consistent with section 2.3.2 of the Enforcement Policy. The violation is identified as NCV 05000424, 425/2016007-02, Failure To Ensure Adequate Unit 1 Emergency Diesel Generator Surveillance Acceptance Criteria.

b.3 Failure to Meet Isolation Requirements When Incorporating Non-Class 1E Components into Class 1E electrical Circuits

Introduction:

The NRC identified a Green NCV of 10 CFR Part 50, Appendix B, Criterion III Design Control, for installing non-Class 1E Individual Cell Equalizer (ICE) devices into the Class 1E battery charging circuits without isolation as specified by IEEE 384 as amended by RG 1.75. Without isolation from non-Class 1E devices, the Class 1E battery circuits cannot meet Class 1E independence requirements affecting the reliability and availability of the batteries.

Description:

To meet the requirements of IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, Subsection 4.6 Channel Independence, the UFSAR committed to RG 1.75 Physical Independence of Electric Systems revision 2 and committed to IEEE 384-1981, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits as amended by RG 1.75. The RG (1.75) and IEEE standard 384-1981, Section 5.1 Required Independence, specified, physical separation and electrical isolation shall be provided to maintain the independence of Class 1E circuits. According to the RG and IEEE standard, these specifications were to prevent degradation of the non-Class 1E components from affecting Class 1E functions. The Vogtle UFSAR section 8.3.1.4.3.E discussed that the non-Class 1E circuits are electrically isolated from Class 1E circuits, and Class 1E circuits from different separation groups are electrically isolated with the use of isolation devices... The section further stated that when isolation devices are used to isolate Class 1E equipment from non-Class 1E circuits, the circuits within or from the Class 1E equipment or devices to the isolation device are identified as Class 1E and are treated as such.

The team identified that non-Class 1E ICE devices were installed in Class 1E battery charging circuits without isolation as required by IEEE 384-1981 as amended. The team noted that when the ICE devices are working properly, they clamp the battery post voltages to an artificially low 2.28 VDC. A Condition Report (10012500) documented that when the ICE devices failed open, the battery voltage would increase to 2.31 VDC.

This demonstrated an electrical interlock where certain failure modes (i.e. short circuits)of the ICE devices could eventually have detrimental effects on the Class 1E batteries when they are needed. The team determined that the licensee had not fully evaluated failures such as short circuits and their possible effects on the charging circuits or batteries. Open circuits were the only failure mode evaluated by the licensee.

Analysis:

The failure to conform to Class 1E design requirements for isolation between Class 1E batteries and circuit from non-Class 1E circuits as specified by IEEE 384-1981 as amended, was a PD. The PD was determined to be more than minor because it affected the Design Control attribute of the Mitigating Systems Cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems to respond to initiating events to prevent undesirable consequences. Specifically, the failure to conform to Class 1E design requirements for independence affected the reliability of the Class 1E battery systems. The team evaluated the finding with IMC 0609, Att. 4, Initial Characterization of Findings, issued June 19, 2012, for Mitigating Systems, and IMC 0609, App. A, The SDP for Findings At-Power, issued June 19, 2012. The team determined the finding to be of very low safety significance (Green), because it was a deficiency affecting the design or qualification of a SSC, and the SSC maintained its operability or functionality. This finding was not assigned a cross-cutting aspect because the issue did not reflect current licensee performance.

Enforcement:

Title 10 CFR Part 50, Appendix B, Criterion III, Design Control, required, in part, that that measures be established to ensure that applicable regulatory requirements and the design basis, as defined in § 50.2 are correctly translated into specifications, drawings, procedures, and instructions. Contrary to the above, since 1994, applicable regulatory requirements and the design basis, as defined in § 50.2 for the Class 1E batteries were not correctly translated into specifications, drawings, procedures, and instructions. Specifically, the Vogtle design basis for physical separation and electrical isolation was not translated into the instructions used to install the ICE devices. The licensee was evaluating corrective actions, which included the removal of the non-Class 1E components. This nonconformance effected the reliability of the battery systems to respond to initiating events. Because this violation was of very low safety significance and was entered into the licensees CAP as CR10294321, this violation is being treated as an NCV, consistent with Section 2.3.2.a of the NRC Enforcement Policy. This violation is identified as NCV 05000424, 425/2016007-03, Failure to Meet Isolation Requirements When Incorporating Non-Class 1E Components into Class 1E electrical Circuits.

b.4 Failure to Perform Required In-Service Testing of Unit 2 CST Swap Over Valves

Introduction:

The NRC identified a Green NCV of TS 5.5.8, Inservice Testing (IST)

Program, for Vogtle Unit 2 failure to perform the required testing in accordance with the ASME Operation and Maintenance (OM) Code for nine valves that had active safety functions. Specifically, these valves were required to operate when aligning the AFW pumps from Condensate Storage Tank (CST) 1 to CST 2.

Description:

Procedure ES-EP-003 50.55a Evaluations Section 8 Inservice Testing of Valves Subsection 8.2 Scope specified, in part, ASME Class 1, 2, and 3 valves covered by the Regulatory Position of Regulatory Guide (RG) 1.26 (September 1974)are included within the scope of this program and are tested using the provisions of the OM Code. The RG 1.26 Quality Group Classifications and Standards for Water-,

Steam-, and Radioactive-Waste-Containing Components Of Nuclear Power Plants, Specified that the CST valves used for the Auxiliary Feedwater (AFW) system safety function must be classified in quality group C subject ASME Boiler and Pressure Vessel Code ,Section III, Nuclear Power Plant Components Class 3. This code classification required the valves to be scoped into the IST program. The team determined that the licensee failed to scope the safety-related AFW valves into the IST program as specified by procedure ES-EP-003.

The team reviewed procedure 13610-2, Auxiliary Feedwater System, Version 47.2, and Unit 2 TS LCO 3.7.6, Two CSTs shall be OPERABLE The team noted that when Unit 2 was required to align AFW pump suction from Unit 2s CST 1 to CST 2, at least nine valves were required to operate, and thus, the nine valves had a AFW safety function and were safety-related. These valves were required to operate in order to meet TS 3.7.6, and as such the valves were required by the ASME OM Code to be exercised. The licensee initiated CR 10293900 and verified the valves were operable based on past operation of seven of the nine valves, and their similarity to the other two valves.

Analysis:

The team determined the failure to scope the nine valves into the IST program in accordance with the IST program was a PD. The PD was determined to be more than minor because it was associated with the Mitigating Systems Cornerstone attribute of Equipment Performance, and affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, degraded valve performance could go undetected without periodic testing and trending. The team evaluated the finding with IMC 0609, Att. 4, Initial Characterization of Findings, issued June 19, 2012, for Mitigating Systems, and IMC 0609, App. A, The SDP for Findings At-Power, issued June 19, 2012. The team determined the finding to be of very low safety significance (Green) because the finding was not a design or qualification deficiency, did not represent a loss of system and/or function, and did not represent the loss of any trains of TS or Non-TS equipment. The finding had no cross-cutting aspect because it was not indicative of current performance.

Enforcement:

TS 5.5.8, Inservice Testing Program, required testing of Code Class components in accordance with the ASME Boiler and Pressure Vessel Code. The Vogtle testing basis document was developed to meet the requirements of ASME OM Code 2001 Edition with Addenda through OMb-2003, for all valve Inservice testing. Section ISTC-3540 required, in part, exercising manual valves. Contrary to the above, since 2006, the licensee failed to test nine Code Class components in accordance with the ASME Boiler and Pressure Vessel Code and exercise manual valves in accordance with ASME OM Code 2001 Edition with Addenda through OMb-2003, Section ISTC-3540.

Specifically, nine Unit 2 CST 2 swap-over valves required to reposition for AFW operability were not exercised in accordance with the OM Code testing requirements, which include full stroke exercise and observation of change in obturator position. The licensee performed an immediate determination of operability and determined that the CST valves were operable but degraded nonconforming. The licensee planned to register the CST valves into the IST program and at the first available opportunity, exercise those valves that that have never been exercised. This nonconformance affected the ability of the CSTs to provide cooling water to the AFW system under accident conditions. Because this violation was of very low safety significance and it was entered into the licensees CAP as CR10293900, this violation is being treated as an NCV, consistent with Section 2.3.2 of the NRC Enforcement Policy. This violation is identified as NCV 05000425/2016007-04, Failure to Perform Required In-Service Testing of Unit 2 CST Swap over Valves.

b.5 Failure to Perform Periodic Testing Of Safety-Related Valve Interlocks

Introduction:

The NRC identified a Green, NCV of 10 CFR 50.55a(h)(2)

Protection Systems, because the licensee failed to perform periodic testing of safety-related valve interlocks to ensure an adequate single failure analysis by identifying detectable failures in accordance with IEEE Std. 379-1972, IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems.

Description:

In 2002, the licensee issued LER 1-2002-001 identifying improperly wired interlocks in the Emergency Core Cooling Systems (ECCS) re-circulation MOVs 1HV8813 and 1HV8509B. These errors could have prevented the opening of 1HV8804B. After the discovery of the errors, the licensee developed procedures 14715-1, ECCS Valve Interlock Verification, Revision 1, and 14715-2, ECCS Valve Interlock Verification, Revision 3.1. As part of the corrective actions for LER 1-2001-001, the periodicity of these procedures was specified at 54 months. The interlock verifications ensured that the ECCS valve interlocks were functioning properly. The procedures were performed only once satisfactorily in March 28, 2005, for Unit 1, and April 9, 2007 for Unit 2. In 2009 when it was time to implement the Unit 1 procedure again, the procedures were deactivated based on an incorrect determination that there was no regulatory requirement, standard, or other plant commitment to verify safety-related interlocks.

The team noted that 10 CFR 50.55a(h)(2) Protection Systems, required, in part, for nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements in IEEE Std. 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations. The licensees UFSAR section 1.9.3 states, that The guidance in trial-use IEEE Std. 379-1972 for applying the single-failure criterion to the design and analysis of nuclear power plant protection systems is generally acceptable and provides an adequate interim basis for complying with Section 4.2 of IEEE Std. 279-1971, subject to the qualifications identified in the guide. IEEE Std. 379-1972 states, in part, that Detectable failures are those that can be identified through periodic testing or are revealed by alarm, anomalous indication, etc. The team noted that when the licensee made the determination to cancel the procedures, the licensee no longer met IEEE Std. 379-1972. This meant that they no longer ensured that unidentified failures would not affect the plants single failure analysis as described in the safety analysis.

Analysis:

The licensees failure to perform periodic testing of safety-related valve interlocks to identify detectable failures and ensure an adequate single failure analysis in accordance with IEEE Std. 379-1972 was a PD. The PD was determined to be more than minor because it was associated with the Equipment Performance attribute of the Mitigating Systems Cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to periodically test safety-related valve interlocks affected the adequacy of the licensees single failure analysis. The team evaluated the finding with IMC 0609, Att. 4, Initial Characterization of Findings, issued June 19, 2012, for Mitigating Systems, and IMC 0609, App. A, The SDP for Findings At-Power, issued June 19, 2012. The team determined the finding to be of very low safety significance (Green) because the finding was not a design deficiency, did not represent a loss of system and/or function, and did not represent the loss of any trains of TS or Non-TS equipment. The team did not assign a crosscutting aspect because the most significant contributor did not reflect current licensee performance.

Enforcement:

Title 10 of CFR 50 50.55a(h)(2) Protection Systems, requires, in part, for nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements in IEEE Std. 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations. Contrary to the above, since March 28, 2005, for Unit 1, and April 9, 2007, for Unit 2, the licensee failed to meet the requirements of IEEE Std. 279-1971 by not performing periodic testing of safety-related valve interlocks to identify detectable failures and ensure an adequate single failure analysis in accordance with IEEE Std. 379-1972. This nonconformance affected the reliability and availability of safety systems with interlocks to respond to initiating events. The licensee was in the process of determining and developing adequate corrective actions to conform with IEEE Std. 379-1972. Because this violation was of very low safety significance and it was entered into the licensees CAP as CR10293749, this violation is being treated as an NCV consistent with section 2.3.2.a of the Enforcement Policy. This violation is identified as NCV 05000424,425/2016007-05, Failure to Perform Periodic Testing Of Safety-Related Valve Interlocks.

b.6 Turbine Driven Auxiliary Feedwater (TDAFW) Pumps - 1/2-1302-P4-001 and Motor Driven Auxiliary Feedwater (MDAFW) Pumps - 1/2-1302-P4-002/003

Introduction:

The NRC identified a Green NCV of 10 CFR Part 50, Appendix B, Criterion III, Design Control for the licensee's failure to translate the AFW pumps design bases into adequate acceptance criteria for TS SR 3.5.7.2 and for the failure to verify the adequacy of the design of the same AFW pumps.

Description:

UFSAR chapter 10.4.9 Auxiliary Feedwater System established that the design basis for the AFW system was to provide a minimum total flow of 510 gallons per minute (GPM) of water, at 120°F maximum, from the CSTs. The total flow could be provided to at least two intact generators (SGs), but could be divided across three or more SGs. This would be at a pressure equivalent to the accumulation pressure of the lowest set safety valve. UFSAR table 10.4.9-3 demonstrated the design basis minimum flow requirement was met for various postulated operating scenarios such as: a feedwater line break with only the TDAFW pump available, and a loss of normal feedwater with only one MDAFW pump available. TS SR 3.7.5.2 periodically verified each trains capability to provide this design basis minimum flow.

The UFSAR table and TS surveillance requirements were developed and periodically modified using calculation X4C1302V04, Auxiliary Feedwater Pumps TS Verification.

This calculation was last modified 1/7/2016. The team determined that various deficiencies with the calculation called into question the AFW pump surveillance acceptance criteria and the completed surveillances that used the acceptance criteria.

Inspectors identified the following: 1) inconsistent density values were used when converting required discharge pressures to the equivalent pump discharge head; 2) the TDAFW pump acceptance criteria for the developed differential pressure was based on maintaining the pumps performance at the level of a turbine operating at 4200RPM plus instrument uncertainties; however, this level of performance was not consistent with the design bases; 3) instrument uncertainties were unaccounted for in the discharge pressure acceptance criteria for the AFW pumps and also for the differential pressure across the MDAFW pumps; 4) the acceptance criteria for the MDAFW pumps did not account for the effects of reduced motor speeds associated with TS allowed EDG frequency and voltage variances; 5) the acceptance criteria for the pump discharge pressure was based on a 66% CST level and did not account for the actual CST level at the time of the surveillance tests; and 6) the acceptance criteria for the MDAFW pumps were based on a flowrate of 175gpm or above, however, the quarterly surveillance flow tests non-conservatively accepted flow rates as low as 150gpm.

In addition, X4C1302V04 was used to determine the available pump margins by evaluating expected system performance under various accident conditions. This was used to verify that the AFW system satisfied the design bases. Additionally, the margins were credited by other calculations and the TS Bases for LCO 3.7.5 to allow the discovery of inoperable steam generator sample line isolation valves to not affect AFW pump operability. The team determined that the margins identified in X4C1302V04 were not accurately determined and maintained, which challenged AFW pump operability and statements in the TS Bases for LCO 3.7.5. Specifically, inspectors identified: 1)inconsistent TDAFW pump speeds were used (4250rpm vs 4230rpm actual); 2) the available margins were based on the normal pump performance curves, however, the TS surveillances permitted performance levels that were below the normal pump performance curve, e.g. EDG frequency and voltage; and 3) the calculation did not account for higher recirculation flows caused by replacing the Unit 1 TDAFW recirculation line flow orifice in October 2015.

As a result of the teams questions, the licensee performed operability determinations on the AFW pumps to verify that past and current surveillance test results remained acceptable. For the TDAFW pump, the licensee determined that the current performance did not satisfy the design basis in the UFSAR table 10.4.9-3 Case 1.3-3 for the postulated feed water line break. The team determined that the design basis for the surveillance tests included Case 1.3-3, which required the TDAFW pump to provide at least 510 GPM to at least two of three intact steam generators for a feed water line break on a fourth, but it could not meet this requirement. Although the TDAFW pumps could not meet the surveillance requirement, the licensee concluded the pump was still operable because Chapter 15.2.8 of the UFSAR, was based on two of the three pumps being available rather than just one pump required in the design basis. This added enough flow to meet a 510gpm total flow. For the MDAFW pumps, the licensees operability determination found that the current performance of the 1A and 2B MDAFW pumps were sufficient to assure operability, but with significantly reduced margin. The 1B and 2A MDAFW pumps could not satisfy the design basis when the current pump performance was adjusted for uncertainty and minimum diesel frequency and voltage allowances. However, based on historical and current diesel performance levels, the actual variation in diesel frequency was less than permitted by TS. As a result, based on actual diesel performance, all of the MDAFW pumps would be capable of performing their specified safety function and were therefore operable. As a compensatory measure, to ensure continued operability, the licensee implemented a standing order to reduce the acceptable frequency band permitted during surveillance tests and to assess quarterly pump test results for degradation.

Analysis:

The team determined that the failure to correctly translate the AFW pump design bases into acceptance criteria for TS SR 3.5.7.2 and the failure to verify the adequacy of the design as required by 10 CFR Part 50, Appendix B, Criterion III was a PD. The PD was more than minor because it affected the Design Control attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences (i.e., core damage). Specifically, when the quality of the established surveillance criteria was considered, there was a reasonable doubt on the operability of the Unit 1 and 2 TDAFW and 2A and 1B MDAFW pumps.

The team evaluated the finding with IMC 0609, Att. 4, Initial Characterization of Findings, issued June 19, 2012, for Mitigating Systems, and IMC 0609, App. A, The SDP for Findings At-Power, issued June 19, 2012. The team determined the finding to be of very low safety significance (Green) because did not represent an actual loss of function of at least a single train for greater than its TS allowed outage time. The team determined that the finding had a cross-cutting aspect in the Human Performance area of Design Margins [H.6], because engineers did not demonstrate the characteristic of ensuring that design margins were guarded and changed only through a systematic and rigorous process.

Enforcement:

10 CFR Part 50, Appendix B, Criterion III, Design Control, stated, in part, that measures shall be established to assure that applicable regulatory requirements and the design basis are correctly translated into procedures and that design control measures shall provide for verifying or checking the adequacy of design.

Contrary to the above, since December 12, 2008, the licensees design control measures failed to correctly translate the design basis into procedures that established the acceptance criteria for TS SR 3.5.7.2, and failed to verify the adequacy of the design since credited margins were incorrectly assessed and maintained. As an immediate corrective action, the licensee evaluated the operability of the Unit 1 and 2 pumps and initiated corrective action to develop new acceptance criteria, modify the allowed EDG frequency acceptance criteria, and monitor pump performance for degradation. This nonconformance affected the ability of the AFW pumps to provide cooling water the steam generators under accident conditions. Because the violation was of very low safety significance and it was entered into the CAP as CR10293456 and CR10294168, the violation is being treated as an NCV consistent with Section 2.3.2 of the Enforcement Policy. The violation is identified as NCV 05000424, 425/2016007-06, Failure to Assure Auxiliary Feedwater Design Basis Capability.

b.7 Failure to Update the UFSAR with the Complete and Accurate Information

Introduction:

The NRC identified a Severity Level (SL) IV NCV of 10 CFR 50.71(e)(4) for the failure to reflect all changes made in the facility or procedures as described in the UFSAR.

Description:

In the UFSAR, the licensee committed to RG 1.70 revision 3. The RG 1.70 Section 7.1.2, Identification of Criteria specified, that the licensee list, in this section of the FSAR, all design bases (including considerations of instrument errors), criteria, regulatory guides, standards, and other documents that will be implemented in the design of the systems listed in Section 7.1.1. The team noted that the licensee did not list any of the design basis for the digital EDG sequencer system, which was installed in 2007 in the UFSAR. These would include the digital EDG sequencer rooms total integrated dose values, IEEE 603-1991 IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, and IEEE 7-4.3.2 IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.

Analysis:

The failure to update the UFSAR was a performance deficiency that was determined to be a minor ROP violation because it did not meet the more than minor screening criteria. Because the issue impacted the NRCs ability to perform its regulatory function, the inspectors evaluated the violation using the traditional enforcement process. The inspectors determined the issue was a SL IV violation because it met violation example 6.1.d.3 and it was material to safe operation, maintenance, and modification of these components. The violation represented a failure to update the Updated Final Safety Analysis Report (UFSAR) as required by 10 CFR 50.71(e), but the lack of up-to-date information has not resulted in any unacceptable change to the facility or procedures. Cross-cutting aspects are not assigned to traditional enforcement violations. This finding and violation was entered into the licensees corrective action program as CR10288350 and CR10291633.

Enforcement:

10 CFR 50.71(e)(4) states, in part, that periodic revisions to the UFSAR submitted to the NRC must reflect all changes made in the facility or procedures as described in the UFSAR up to a maximum of six months prior to the date of filing.

Contrary to the above, Vogtle failed to update the FSAR associated with the Digital Sequencer design basis information as a result of a digital upgrade. The licensee planned to update the UFSAR with the applicable design basis. This nonconformance affected the design bases used for maintenance and modifications to safety systems.

This violation is SL IV violation and was entered into the licensees CAP as CR10288350 and CR10291633, this violation is being treated as an NCV, consistent with Section 2.3.2.(a) of the NRC Enforcement Policy. This violation is identified as NCV 05000424, 425/2016007-07, Failure to Reflect Changes to Facility and Procedures in Final Safety Analysis Report Periodic Revisions.

b.8 Failure to Promptly Identify Nonconformances with Tornado Missile Protection

Description:

Enforcement Guidance Memorandum (EGM) 15-002 dated 6/10/2015, (ADAMS Accession No. ML15111A269) provided guidance to exercise enforcement discretion when an operating power reactor licensee does not comply with the plants current site-specific licensing basis for tornado-generated missile protection. Specifically, discretion would apply to the TS limiting conditions for operation (LCO) which would require a reactor shutdown or mode change, if a licensee could not meet TS LCO required action(s) within the TS completion time.

The EGM background discussed Regulatory Issue Summary (RIS) 2015-06, Tornado Missile Protection, dated 6/10/2015, (ADAMS Accession No. ML15020A419) to remind licensees of the need to conform their facility to the current, site-specific licensing basis for tornado-generated missile protection. In addition the EGM stated, that upon reviewing the above-noted RIS, some licensees may discover that a TS-controlled SSC at their facility does not comply with the plants current licensing basis (CLB) and that an operability determination (or functional assessment) will be necessary. The EGM actions section specified that the NRC would exercise this enforcement discretion only when a licensee implements initial compensatory measures prior to the expiration of the time allowed by the LCO that provide additional protection such that the likelihood of tornado missile effects are lessened.

The licensee initiated CR10087558 on 06/23/2015, to evaluate the RIS and conducted at least two walk-downs to identify tornado missile nonconformances. The licensee discovered potential nonconformances during these walk-downs and itemized them in a list. However, the licensee failed to identify all of these items as conditions adverse to quality (CAQs), in accordance with Appendix B, Criterion XVI. The team determined that the CAP required the evaluation of these items, CRs to document the nonconformances, and operability determinations for items affecting TS.

Procedure NMP-GM-002, Corrective Action Program, Section 2, defined a condition adverse to quality in part, as an all-inclusive term used in reference to any of the following: , deficiencies, , and nonconformances potentially impacting Nuclear Safety. Nonconformances are deficiencies in characteristic, documentation, or procedure that renders the quality of an item or activity unacceptable or indeterminate.

The team determined that, at the time of discovery, the itemized tornado missile vulnerabilities rendered the quality of SSCs indeterminate and thus a nonconformance in accordance with the definition in the procedure.

Procedure NMP-GM-002-001, Corrective Action Program Instructions Section 4 specified that personnel should initiate a CR to identify an event, condition, problem, or process that needs correcting. [This included] nonconforming items. In addition, Section 4 specified to immediately contact the Shift Support Supervisor or Work Week Coordinator (Dispatcher) when a condition is discovered that has the potential to impact plant operation or reportability. [This included] equipment or process issues related to Technical Specifications (tech specs). The team noted that the licensee did not create any additional CRs for the itemized potential vulnerabilities as required by their corrective action instructions procedure.

On October 4, 2016, the inspectors conducted plant walk downs of the SSCs selected in the CDBI inspection plan and identified potential tornado missile issues. These issues were previously highlighted as potential nonconformances by the licensee, but not identified as CAQs. As a result of these observations, the licensee initiated CRs:

CR10291142, Unit 1 TDAFW Exhaust nonconformance CR10291143, Unit 2 TDAFW Exhaust nonconformance CR10291144, Unit 1 Condensate Storage Tanks nonconformance CR10291145, Unit 2 Condensate Storage Tanks nonconformance CR10291146, Unit 1 Main Steam Safety Valve Exhaust nonconformance CR10291148, Unit 2 Main Steam Safety Valves Exhaust nonconformance The licensee determined that the TDAFW Exhaust and Condensate Storage Tanks were not operable because of nonconformances with these components tornado missile protection design bases. Additionally, the licensee submitted a 10 CFR 50.72 notification report (52319) to the NRC in accordance with plant procedures and NRC requirements.

Enforcement:

10 CFR 50 Appendix B, Criterion XVI, Corrective Action , states, in part, measures shall be established to assure that conditions adverse to quality, such as nonconformances are promptly identified and corrected. Contrary to the above, since approximately January 2016, the licensee failed to establish measures to assure that conditions adverse to quality, such as nonconformances were promptly identified and corrected. The licensee failed to promptly identify tornado missile nonconformances after completing system walk downs. A generic risk analysis of potential tornado missile protection non-compliances (ADAMS Accession No. ML14114A556) was performed to support EGM 15-002. This generic bounding risk analysis concluded that tornado missile protection issues were of low safety significance. The NRC is exercising enforcement discretion (Enforcement Action (EA)-16-271) in accordance with the NRC Enforcement Policy, Section 3.10, Reactor Violations with No Performance Deficiencies.

In this case, the licensee implemented a process for identifying, evaluating, and correcting tornado missile protection nonconformances that was, in good faith, believed to be prompt and consistent with the guidance in EGM 15-002, based on their interpretation of verbal communications with the NRC. However, the licensee did not promptly identify these issues as CAQs as required to 10 CFR 50, Appendix B, Criterion XVI, such that the nonconformances would be promptly corrected. This issue does not represent a performance deficiency because the aforementioned verbal communications, along with a misinterpretation of the EGM guidance, hindered the licensees ability to reasonably foresee and correct the tornado missile nonconformances.

The licensee performed immediate determinations of operability and submitted a 10 CFR 50.72 notification report (52319) to the NRC. The license entered this into the CAP as CR10291142, CR10291143, CR10291144, CR10291145, CR10291146, and CR10291148.

3. Results of Reviews for Operating Experience

a. Inspection Scope

The team reviewed the licensees evaluation of operating experience identified in the scope section 1R21.2.a. The team verified that the licensees review adequately addressed the issues in the operating experience.

b. Findings

No findings were identified.

4OA6 Meetings, Including Exit

Exit Meeting Summary

On November 4, 2016, the team presented the inspection results to Mr. Keith Taber, and other members of the licensee staff. The licensee acknowledged the issues presented.

The licensee confirmed that any proprietary information reviewed by the team had been returned or destroyed.

SUPPLEMENTAL INFORMATION

KEY POINTS OF CONTACT

Licensee Personnel

G. Gunn, Licensing Manager

K. Shelton, Design Engineer

D. Tamplin, Design Engineer

S. Wright, IST Engineer

O. Mcloughlin, System Engineer

H. Williams, Operations Shift Manager

H. Jones, Electrical Design Engineer

S. Bailey, Electrical Design Supervisor

L. Smith, Electrical Engineer

P. Pawlak, Breaker Engineer

K. Taber, Site Vice-President

K. Walden, Licensing Engineer

LIST OF REPORT ITEMS

Opened and Closed

05000424, 425/ Failure to Verify Capability of EDGs under Maximum Voltage and NCV 2016007-01 Frequency (Section 1R21.2.b.1)

05000424, 425/ Failure To Ensure Adequate Unit 1 Emergency Diesel Generator NCV 2016007-02 Surveillance Acceptance Criteria (Section 1R21.2.b.2)

Failure to Meet Isolation Requirements When Incorporating Non-

05000424, 425/

NCV Class 1E Components into Class 1E electrical Circuits (Section 2016007-03, 1R21.2.b.3)

05000425/ Failure to Perform Required In-Service Testing of Unit 2 CST NCV 2016007-04, Swap over Valves (Section 1R21.2.b.4)

05000424, 425/ Failure to Perform Periodic Testing Of Safety-Related Valve NCV 2016007-05, Interlocks (Section 1R21.2.b.5)

Turbine Driven Auxiliary Feedwater (TDAFW) Pumps - 1/2-1302-

05000424, 425/

NCV P4-001 and Motor Driven Auxiliary Feedwater (MDAFW) Pumps -

2016007-06, 1/2-1302-P4-002/003 (Section 1R21.2.b.6)

05000424, 425/ Failure to Update the UFSAR with the Complete and Accurate SLIV 2016007-07 Information (Section 1R21.2.b.7)

LIST OF DOCUMENTS REVIEWED