IR 05000498/2016007
| ML16113A230 | |
| Person / Time | |
|---|---|
| Site: | South Texas |
| Issue date: | 04/22/2016 |
| From: | Thomas Farnholtz Region 4 Engineering Branch 1 |
| To: | Koehl D South Texas |
| Farnholtz T | |
| References | |
| IR 2016007 | |
April 22, 2016
SUBJECT: SOUTH TEXAS PROJECT, UNITS 1 and 2 - NRC DESIGN BASES INSPECTION (TEAM) REPORT 05000498/2016007 and 05000499/2016007
Dear Mr. Koehl:
On February 11, 2016, the U.S. Nuclear Regulatory Commission (NRC) completed the onsite inspection at your South Texas Project, Units 1 and 2. On March 9, 2016, the NRC inspectors discussed the results of this inspection with G.T. Powell, Site Vice President, and other members of your staff. Inspectors documented the results of this inspection in the enclosed inspection report.
The NRC inspectors documented nine findings of very low safety significance (Green) in this report. All of these findings involved violations of NRC requirements. Additionally, the NRC inspectors documented one Severity Level IV violation with no associated finding.
The NRC is treating these violations as non-cited violations (NCVs) consistent with Section 2.3.2.a of the Enforcement Policy.
If you contest the violations or significance of these NCVs, you should provide a written response within 30 days of the date of this inspection report, with the basis for your denial, to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001; with copies to the Regional Administrator, Region IV; the Director, Office of Enforcement, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; and the NRC Resident Inspector at the South Texas Project.
If you disagree with a cross-cutting aspect assignment or a finding not associated with a regulatory requirement in this report, you should provide a response within 30 days of the date of this inspection report, with the basis for your disagreement, to the Regional Administrator, Region IV; and the NRC Resident Inspector at the South Texas Project. In accordance with Title 10 of the Code of Federal Regulations 2.390, Public Inspections, Exemptions, Requests for Withholding, of the NRC's Rules of Practice and Procedure, a copy of this letter, its enclosure, and your response (if any) will be available electronically for public inspection in the NRC's Public Document Room or from the Publicly Available Records (PARS) component of the NRC's Agencywide Documents Access and Management System (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).
Sincerely,
/RA/
Thomas R. Farnholtz, Branch Chief Engineering Branch 1 Division of Reactor Safety
Docket Nos. 50-498 and 50-499 License Nos. NPF-76 and NPF-80
Enclosure:
Inspection Report 05000498/2016007 and 05000499/2016007 w/Attachment: Supplemental Information
Electronic Distribution for South Texas Project
Enclosure
U.S. NUCLEAR REGULATORY COMMISSION
REGION IV
Docket: 05000498, 05000499
License: NPF-76, NPF-80
Report: 05000498/2016007 and 05000499/2016007
Licensee: STP Nuclear Operating Company
Facility: South Texas Project, Units 1 and 2
Location: FM521 - 8 miles west of Wadsworth
Dates: January 25, 2016 - March 9, 2016
Team Leader: G. George, Senior Reactor Inspector, Engineering Branch 1, Region IV
Inspectors:
S. Hedger, Operation Examiner, Operations Branch, Region IV
T. Fanelli, Senior Reactor Inspector, Engineering Branch 1, Region II
C. Stott, Reactor Inspector, Engineering Branch 1, Region IV
M. Williams, Reactor Inspector, Engineering Branch 1, Region IV
Accompanying Personnel:
C. Baron, Contractor, Beckman and Associates
S. Gardner, Contractor, Beckman and Associates
J. Kirkland, Senior Operations Engineer, Operations Branch, Region IV
Approved By: Thomas R. Farnholtz, Branch Chief Engineering Branch 1 Division of Reactor Projects
SUMMARY
IR 05000498/05000499/2016007; 01/25/2016 - 03/09/2016; South Texas Project, Units 1 and 2; baseline inspection, NRC Inspection Procedure 71111.21M, Design Basis Inspection (TEAM).
The inspection activities described in this report were performed between January 25, 2016, and March 9, 2016, by four inspectors from the NRC's Region IV office, one inspector from the NRC's Region II office, and two contractors. Nine findings of very low safety significance (Green) are documented in this report. All of these findings involved violations of NRC requirements. Additionally, NRC inspectors documented in this report one Severity Level IV violation with no associated finding. The significance of inspection findings is indicated by their color (Green, White, Yellow, or Red), which is determined using Inspection Manual Chapter 0609, Significance Determination Process. Their cross-cutting aspects are determined using Inspection Manual Chapter 0310, Aspects Within the Cross-Cutting Areas.
Violations of NRC requirements are dispositioned in accordance with the NRC's Enforcement Policy. The NRC's program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, Reactor Oversight Process.
Cornerstone: Mitigating Systems
- Green. The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XI, Test Control, which states, in part, a test program shall assure that all testing required to demonstrate that structures, systems, and components will perform satisfactorily in service is identified and performed in accordance with written test procedures which incorporate the requirements and acceptance limits contained in applicable design documents. Specifically, since March 22, 1988, the licensee failed to assure that all testing required to demonstrate that the safety-related molded case circuit breakers would perform satisfactorily in service was performed in accordance with the acceptance limits contained in Institute of Electrical and Electronics Engineers (IEEE) 308-1974. In response to this issue, the licensee determined that the molded case circuit breakers will remain operable while implementing corrective actions to ensure the appropriate testing requirements of the molded case circuit breaker were included in the test programs. This violation was entered into the licensee's corrective action program as Condition Report CR 16-2166.
The team determined that the failure to detect deterioration and demonstrate operability of molded case circuit breakers through appropriate testing was a performance deficiency.
The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, inadequate periodic testing to detect deterioration and to demonstrate continued operability was a significant programmatic deficiency that would adversely affect the reliability of Class 1E molded case circuit breakers to perform satisfactorily in service. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the team determined the finding to be of very low safety significance (Green) because the finding was a deficiency affecting the design or qualification of a structure, system, or component, and the structure, system, or component maintained its operability or functionality. This finding had a cross-cutting aspect in the area of human performance associated with consistent practices because the licensee did not use a consistent, systematic approach to make decisions. Specifically, the licensee did not use a consistent approach to determine which molded case circuit breakers would or would not be tested [H.13]. (Section 1R21.2.1.b.1)
- Green. The team identified two examples of a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion III, Design Control, which states, in part, the design control measures shall provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program. Specifically, since March 22, 1988, the licensee failed to verify the adequacy of the molded case circuit breakers to perform their design basis function using appropriate time-current curves and tolerances or Class 1E 125 Vdc molded case circuit breakers to assure adequate trip response times, instantaneous trip accuracies, and rates of change of the sensed variable (the short circuit current). In response to this issue, the licensee determined that the 125 Vdc system would remain operable while implementing corrective actions to revise their design calculations to incorporate the appropriate time-current curves and current tolerances in design calculations. This violation was entered into the licensee's corrective action program as Condition Reports CR 16-2196 and CR 16-2117.
The team determined that the failure to verify the adequacy of the design of Class 1E 125 Vdc molded case circuit breakers was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the design control attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences.
Specifically, the failure to verify the adequacy of the molded case circuit breakers to perform their design basis function using appropriate time-current curves and tolerances adversely affected the capability of the 125 Vdc systems. Additionally, independent inspector calculations confirmed that the calculation errors resulted in a reasonable doubt on the operability of the 125 Vdc molded case circuit breakers. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the team determined the finding to be of very low safety significance (Green) because the finding was a deficiency affecting the design or qualification of a structure, system, or component, and the structure, system, or component maintained its operability or functionality. The team determined that this finding did not have a cross-cutting aspect because the most significant contributor did not reflect present licensee performance. (Section 1R21.2.1.b.2)
- Severity Level IV. The team identified a Severity Level IV, non-cited violation of 10 CFR 50.34(b)(2), Final Safety Analysis Report, which requires, in part, that the final safety analysis report shall include a description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations. Specifically, since March 22, 1988, the licensee failed to include, in the final safety analysis report, the safety system criteria specified by IEEE 603-1980 and IEEE 7.4-3-2 for the Eagle 21 control system, which described the facility, presented the design bases, and the limits on its operation. This violation does not represent an immediate safety concern. In response to this issue, the licensee created corrective actions to determine the appropriate information to include in the next update to the updated final safety analysis report. This violation was entered into the licensee's corrective action program as Condition Report CR 16-1281.
The team determined that the failure to revise the final safety analysis report with the supplemental information that presented the design bases of the qualified display processing system was a violation of 10 CFR 50.34(b)(2). The violation was more than minor because the design basis information affected certain safety system functions (i.e., the auxiliary feedwater system control valves), which had a material impact on safety.
Because the issue affected the NRC's ability to perform its regulatory function, the inspectors evaluated this violation using the traditional enforcement process. The inspectors used the NRC Enforcement Policy, Subsection 6.1, Reactor Operations, dated February 4, 2015, to evaluate the significance of this violation. This violation is similar to example 6.1.d.3 in the Enforcement Policy. Therefore, this was a Severity Level IV violation because the violation represented a failure to update the final safety analysis report as required by 10 CFR 50.34(b)(2), but the lack of up-to-date information has not resulted in any unacceptable change to the facility or procedures. The team determined there was no cross-cutting aspect because cross-cutting aspects are not assigned to traditional enforcement violations. (Section 1R21.2.2.b.1)
- Green. The team identified a Green, non-cited violation of 10 CFR 50.55a(h)(2) Protection Systems, which requires, in part, for nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements in IEEE Std. 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations. Specifically, since approximately 1993, the licensee failed to demonstrate qualification of the Eagle 21 system, on a continuing basis, by appropriate methods for equipment whose qualified life is less than the design life of the system. This violation was entered into the licensee's corrective action program as Condition Report CR 16-2214.
The team determined that the failure to perform on-going qualification testing of installed Eagle 21 components whose qualified life was less than the design life was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, inadequate on-going equipment qualification adversely affects the availability, reliability, and capability of Class 1E components to meet their safety functional requirements throughout their service lives. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the team determined the finding to be of very low safety significance (Green) because the finding was a deficiency affecting the design or qualification of a structure, system, or component, and the structure, system, or component maintained its operability or functionality. The team determined that this finding did not have a cross-cutting aspect because the most significant contributor did not reflect present licensee performance. (Section 1R21.2.2.b.2)
- Green. The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XII, Control of Measuring and Test Equipment, which states, Measures shall be established to assure that tools, gages, instruments, and other measuring and testing devices used in activities affecting quality are properly controlled, calibrated, and adjusted at specified periods to maintain accuracy within necessary limits. Specifically, since March 22, 1988, the licensee failed to establish measures to assure that the Class 1E Eagle 21 software tools and testing devices were properly controlled commensurate with their importance to the test and evaluation of the Class 1E integrated computer system, which ensures compliance with the functional, performance, and interface requirements of the system. In response to this issue, the licensee placed control of the tools and testing equipment under the nuclear quality assurance program. This violation was entered into the corrective action program as Condition Report CR 16-1985.
The team determined that the failure to control software tools and testing devices used in activities affecting quality of the Class 1E Eagle 21 system was a performance deficiency.
The performance deficiency was determined to be more than minor, and therefore a finding, because it would have the potential to lead to a more significant safety concern.
Specifically, the failure to control the software tools and testing devices would lead to potential errors being introduced to these tools and the safety-related Eagle 21 system. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the team determined the finding to be of very low safety significance (Green) because the finding was a deficiency affecting the design or qualification of a structure, system, or component, and the structure, system, or component maintained its operability or functionality. The team determined that this finding did not have a cross-cutting aspect because the most significant contributor did not reflect present licensee performance. (Section 1R21.2.2.b.3)
- Green. The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XVI, Corrective Action, which states, in part, Measures shall be established to assure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances are promptly identified and corrected. Specifically, since September 24, 2014, the licensee failed to establish measures to assure that deficiencies, deviations, defective material and equipment, and nonconformances that were responsible for malfunctions in the Class 1E Eagle 21 system were corrected. In response to this issue, the licensee performed an operability determination which determined the system was operable but in a degraded condition. This violation was entered into the licensee's corrective action program as Condition Report CR 16-2220.
The team determined that the failure to correct conditions adverse to quality in the Class 1E Eagle 21 system that were nonconformances with requirements was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to correct conditions adverse to quality in the Class 1E Eagle 21 system adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of the protective action implemented by the qualified display processing system. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the issue screened as having very low safety significance (Green) because it was a design or qualification deficiency that did not represent a loss of operability or functionality; did not represent an actual loss of safety function of the system or train; did not result in the loss of one or more trains of non-technical specification equipment; and did not screen as potentially risk significant due to seismic, flooding, or severe weather. This finding had a cross-cutting aspect in the area of human performance associated with conservative bias because the licensee individuals failed to use decision making practices that emphasize prudent choices over those that are simply allowable [H.14]. (Section 1R21.2.2.b.4)
- Green. The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XVI, Corrective Actions, which states, in part, Measures shall be established to assure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances are promptly identified and corrected. Specifically, since 1997, the licensee failed to correct a condition adverse to quality by imposing administrative controls in response to a nonconservative Technical Specification. In response to this issue, the licensee performed an operability determination regarding past performance on the auxiliary feedwater motor-driven pumps and concluded that they have always retained their safety function. This violation was entered into the licensee's corrective action program as Condition Report CR 16-2176.
The team determined that the failure to impose administrative limits in surveillance procedures to promptly correct a condition adverse to quality was a performance deficiency.
The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Additionally, if left uncorrected, the performance deficiency would have the potential to become a more significant safety concern. Specifically, operation of the motor driven auxiliary feedwater pumps with a diesel generator frequency acceptance criteria of up to +/-2 percent would allow operation in a regime where the pumps would not perform their safety function when called upon. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the issue screened as having very low safety significance (Green) because it was a design or qualification deficiency that did not represent a loss of operability or functionality. This finding had a cross-cutting aspect in the area of human performance associated with change management because the licensee failed to use a systematic process for evaluating and implementing change so that nuclear safety remains the overriding priority. Specifically, the licensee did not properly evaluate the need to take appropriate interim corrective actions before the appropriate guidance was endorsed [H.3].
(Section 1R21.2.6.b.1)
- Green. The team identified a Green, non-cited violation of 10 CFR 50.63(a)(2) which states, in part, The reactor core and associated coolant, control, and protection systems, including station batteries and any other necessary support systems, must provide sufficient capacity and capability to ensure that the core is cooled and appropriate containment integrity is maintained in the event of a station blackout for the specified duration. Specifically, since September 12, 2013, the battery sizing and load profile calculations of the channel I (A train) direct current battery bus failed to include proper design data for expected loads and possible worst case load currents. In response to these issues, the licensee determined the battery bus was operable and the licensee initiated actions to analyze the effects of the change in calculation methodology, as well as to account for the additional loads. This finding was entered into the licensee's corrective action program as Condition Reports CR 16-1794, CR 16-2197, and CR 16-2236.
The team determined that the failure to ensure the capacity and capability of protection systems to provide support for core cooling and containment integrity maintenance in the event of a station blackout was a performance deficiency. The performance deficiency was more than minor, and therefore a finding, because it was associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. In addition, if left uncorrected, the performance deficiency would have the potential to lead to a more significant safety concern. Specifically, if the channel I emergency safety features direct current bus were required to support loads for the four hour coping period, the licensee may subject components used to ensure core cooling and containment integrity to conditions that were not assumed in their station blackout analysis. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the issue screened as having very low safety significance (Green) because it was a design or qualification deficiency that did not represent a loss of operability or functionality; did not represent an actual loss of safety function of the system or train; did not result in the loss of one or more trains of non-technical specification equipment; and did not screen as potentially risk significant due to seismic, flooding, or severe weather. This finding had a cross-cutting aspect in the area of human performance associated with procedure adherence because the licensee failed to follow process, procedures, and work instructions.
Specifically, the licensee did not follow the calculation change process procedures to complete an impact review of pertinent licensing information associated with station blackout when the battery load assumptions were revised in the station blackout coping calculation [H.8]. (Section 1R21.4.b.1)
- Green. The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion III, Design Control, which states, in part, that Measures shall be established to assure that applicable regulatory requirements and the design basis for those structures, systems, and components to which this appendix applies are correctly translated into specifications, drawings, procedures and instructions. Specifically, since August 1, 2001, the licensee failed to translate into procedures that a loss of normal feedwater flow event would be mitigated consistent with the licensee's design basis assumptions. In response to this issue, the licensee initiated actions to establish interim emergency operating procedure directions for the licensed operators to ensure that credited safety-related equipment is used with priority in the event that this were to occur at the plant. The emergency operating procedure is being revised to ensure permanent corrective action is taken. This finding was entered into the licensee's corrective action program as Condition Report CR 16-1694.
The team determined that the failure to establish measures to assure that the design bases were correctly translated into procedures and instructions was a performance deficiency.
The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the Mitigating Systems cornerstone attribute of procedure quality, and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. In addition, if left uncorrected, the performance deficiency would have the potential to lead to a more significant safety concern. Specifically, if the licensee used the procedure to mitigate a loss of normal feedwater flow event, the licensee may place the plant in an unanalyzed condition. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the issue screened as having very low safety significance (Green) because it was a design or qualification deficiency that did not represent a loss of operability or functionality. The team determined that this finding did not have a cross-cutting aspect because the most significant contributor did not reflect present licensee performance. (Section 1R21.4.b.2)
Cornerstone: Initiating Events
- Green. The team identified a Green, non-cited violation of Technical Specification 6.8.1.a., Procedures, which requires that written procedures shall be established, implemented, and maintained for procedures in Appendix A of Regulatory Guide 1.33, Revision 2, February 1978. Procedures addressing combating emergencies involving loss of electric power are denoted in Appendix A, Section 6, Item c. Specifically, since July 2010, the licensee failed to maintain the loss of all alternating current power emergency procedure to ensure the procedure contained adequate direction to operators to mitigate a loss of reactor coolant pump seal cooling unique to the plant's design. In response to this issue, the licensee initiated actions to consult with the plant's design owners group to determine the best method of addressing this procedure vulnerability. Emergency operating procedure documentation and/or operator training will be revised based on owners group input. This issue was entered into the licensee's corrective action program as Condition Report CR 16-2126.
The team determined that the failure to maintain procedures in accordance with accepted industry standards was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the Initiating Events cornerstone attribute of procedure quality, and adversely affected the cornerstone objective to limit the likelihood of events that upset plant stability and challenge critical safety functions during shutdown as well as power operations. Specifically, operating procedures did not contain appropriate attributes to ensure timely action to prevent an increased likelihood of a reactor coolant pump seal loss of coolant accident following a station blackout. In addition, if left uncorrected, the performance deficiency would have the potential to lead to a more significant safety concern. Specifically, if the licensee used the procedure to mitigate a loss of all alternating current power event, the licensee may increase the risk of increased reactor coolant pump seal leakage, as well as potentially placing the safety-related component cooling water system in an unanalyzed condition. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 1, Initiating Events Screening Questions, the team determined a detailed risk evaluation was necessary because, after a reasonable assessment of degradation, the finding could result in exceeding the reactor coolant system leak rate for a small loss of coolant accident. Therefore, the senior reactor analyst performed a bounding detailed risk evaluation. The analyst determined that the change to the core damage frequency would be 1E-7 per year (Green). 
This finding had a cross-cutting aspect in the area of problem identification and resolution associated with evaluation because organizations failed to thoroughly evaluate issues to ensure that resolutions address causes and extent of condition commensurate with their safety significance. Specifically in 2014, the licensee received a non-cited violation associated with not having adequate procedures to address equipment malfunctions that caused a loss of reactor coolant pump seal cooling (Inspection Reports 05000498/2013007); however, the extent of condition review did not document any reviews of other procedures associated with reactor coolant pump seal cooling loss events to see if they allowed for seal cooling to be restored when seal temperatures were above 230 degrees F [P.2]. (Section 1R21.4.b.3)
REPORT DETAILS
REACTOR SAFETY
Cornerstones: Initiating Events, Mitigating Systems, and Barrier Integrity
This inspection of design bases verifies that plant components are maintained within their design bases. Additionally, this inspection provides monitoring of the capability of the selected components and operator actions to perform their design basis functions.
As plants age, modifications may alter or disable important design features making the design bases difficult to determine or obsolete. The plant risk assessment model assumes the capability of safety systems and components to perform their intended safety function successfully. This inspectable area verifies aspects of the Initiating Events, Mitigating Systems, and Barrier Integrity cornerstones for which there are no indicators to measure performance.
1R21 M Design Basis Inspection
.1 Overall Scope
To assess the ability of the South Texas Project, Units 1 and 2, equipment and operators to perform their required safety functions, the team inspected risk-significant components and the licensee's responses to industry operating experience. The team selected risk-significant components for review using information contained in South Texas Project, Units 1 and 2, probabilistic risk assessments and the NRC standardized plant analysis risk model. In general, the selection process focused on components that had a risk achievement worth factor greater than 1.3 or a risk reduction worth factor greater than 1.005. The items selected included components in both safety-related and non-safety-related systems including pumps, circuit breakers, heat exchangers, transformers, and valves. The team selected the risk-significant operating experience to be inspected based on its collective past experience.
To verify that the selected components would function as required, the team reviewed design basis assumptions, calculations, and procedures. In some instances, the team performed calculations to independently verify the licensee's conclusions. The team also verified that the condition of the components was consistent with the design bases and that the tested capabilities met the required criteria.
The team reviewed maintenance work records, corrective action documents, and industry operating experience records to verify that licensee personnel considered degraded conditions and their impact on the components. For selected components, the team observed operators during simulator scenarios, as well as during simulated actions in the plant.
The team performed a margin assessment and detailed review of the selected risk-significant components to verify that the design bases have been correctly implemented and maintained. This design margin assessment considered original design issues, margin reductions because of modifications, and margin reductions identified as a result of material condition issues. Equipment reliability issues were also considered in the selection of components for detailed review. These included items such as failed performance test results, significant corrective actions, repeated maintenance, 10 CFR 50.65(a)(1) status, operable but degraded conditions, NRC resident inspector input of problem equipment, system health reports, industry operating experience, and licensee problem equipment lists. Consideration was also given to the uniqueness and complexity of the design, operating experience, and the available defense-in-depth margins.
The inspection procedure requires a review of 10 to 17 total samples that include risk-significant and low design margin components, components that affect the large-early-release-frequency (LERF), and operating experience issues. The sample selection for this inspection was 12 components, 1 component that affects LERF, and 3 operating experience issues. The selected inspection and associated operating experience items supported risk significant functions including the following:
a. Electrical power to mitigation systems: The team selected several components in the electrical power distribution systems to verify operability to supply alternating current (ac) and direct current (dc) power to risk significant and safety-related loads in support of safety system operation in response to initiating events such as loss of offsite power, station blackout, and a loss-of-coolant accident with offsite power available. As such, the team selected:
- Unit 1, 125 Vdc Bus E1A11
- Unit 1 and 2, Eagle 21 of Qualified Display Processing System
- Unit 2, 4160 Vac Class 1E Switchgear E2C
- Unit 2, Emergency Diesel Generator 23 and Voltage Regulator
b. Components that affect LERF: The team reviewed components required to perform functions that mitigate or prevent an unmonitored release of radiation. The team selected the following components:
- Units 1 and 2, Equipment Hatch, Personnel Airlock, and Auxiliary Airlock Seals
c. Mitigating systems needed to attain safe shutdown: The team reviewed components required to perform the safe shutdown of the plant. As such, the team selected:
- Unit 1, Auxiliary Feedwater Pump 13
- Unit 2, Auxiliary Feedwater Pump 24
- Unit 2, Emergency Diesel Generator 23 Fuel Oil Storage and Transfer System
- Unit 2, Chill Water Expansion Tank A and Reactor Coolant Building Expansion Tank
- Unit 1, Component Cooling Water Surge Tank
- Unit 2, High Head Safety Injection Pump 2C
- Unit 2, Low Head Safety Injection Pump 2C
- Unit 2, Power Operated Relief Valve Block Valve Motor Operated Valve Actuator B2RCMOV0001B
.2 Results of Detailed Reviews for Components:
.2.1 Unit 1, 125 Vdc Bus E1A11
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance procedures, test procedures, and condition reports associated with the Unit 1 125 Vdc bus E1A11. The team also performed walkdowns and conducted interviews with engineering personnel to ensure capability of this component to perform its desired design basis function. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- Calculations for electrical distribution, system load flow/voltage drop, short-circuit, and electrical protection to verify that bus capacity and voltages remained within minimum acceptable limits
- The protective device settings and circuit breaker ratings to ensure adequate selective protection coordination of connected equipment during worst-case short circuit conditions
- Procedures for preventive maintenance, inspection, and testing to compare maintenance practices against industry and vendor guidance; including the cable aging management program
b. Findings
1. Failure to Perform Adequate Periodic Testing of Molded Case Circuit Breakers
Introduction.
The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XI, Test Control, for the licensee's failure to scope Class 1E molded case circuit breakers into the Class 1E molded case circuit breaker functional testing program.
Description.
The team identified a performance deficiency related to the licensee's functional test program for Class 1E molded case circuit breakers as described in test Procedure 0PMP05-NA-0004, Molded Case Breaker Test, Revision 36. The South Texas Project Updated Safety Analysis Report, Section 8.3.2.1.4, Testing, stated that "Periodic testing of Class 1E DC power system equipment is performed in accordance with Regulatory Guide 1.32 to verify its ability to perform its safety function."
The team noted that Regulatory Guide 1.32 refers to IEEE 308-1974, IEEE Standard Criteria for Class 1E Power Systems at Nuclear Power Generating Stations, as generally acceptable to the NRC staff with respect to the design, operation, and testing of electric power systems, subject to the regulatory positions in the regulatory guide.
The team determined that the Regulatory Guide 1.32 and IEEE 308-1974 specified that Class 1E molded case circuit breakers be periodically tested to determine the on-going acceptability as a protective device and verify their ability to perform their safety function.
To make this determination, the team noted that IEEE 308-1974, Section 5.3, Direct-Current Systems, Subsection 5.3.1, General, Paragraph (6), Protective Devices, stated, in part, that protective devices shall be provided to limit the degradation of the Class 1E power systems. Subsection 5.3.2, Distribution System, Paragraph (4), Surveillance, stated, the distribution system shall be monitored to the extent that it is shown to be ready to perform its intended function. Section 6, Surveillance Requirements, Subsection 6.3, Periodic Equipment Tests, stated, in part, tests shall be performed at scheduled intervals to:
- (1) Detect the deterioration of the system toward an unacceptable condition.
- (2) Demonstrate that standby power equipment and other components that are not exercised during normal operation of the station are operable.
The molded case circuit breakers in 125 V direct current distribution panels for the electrical auxiliary building (panels 039A, 039B, 039C, and 040A) and the diesel generator building (panels 139A, 139B, and 139C) were included in the scope of IEEE 308-1974. These circuit breakers were mechanically cycled periodically. However, the licensee failed to include overcurrent trip testing of these breakers in accordance with applicable test procedures to verify their ability to perform their safety function. This nonconformance affected approximately 60 molded case circuit breakers per plant.
This issue was entered into the licensee's corrective action program as Condition Report CR 16-2166. Subsequently, the licensee performed an operability determination which concluded that there is reasonable expectation that the molded case circuit breakers in the electrical auxiliary building and diesel generator building distribution panels will perform their design functions while the licensee determines the appropriate corrective actions for the condition. As a result, the distribution panels were considered operable but nonconforming.
The team inquired into the reason these Class 1E breakers were not overcurrent trip tested to verify their ability to perform their safety function and detect deterioration. The licensee discussed with the team that the breakers feeding these panels were overcurrent trip tested and this would ensure that faults downstream would be cleared.
Additionally, the licensee stated that, considering environmental conditions, the breakers' function (providing power to a single ungrounded load), their low current ratings, and the robust design of the circuit breaker, visual inspection and mechanical inspection that cycles the breaker were sufficient to meet IEEE 308-1974, Section 6.3. However, these criteria were neither established nor documented in Procedure 0PMP05-NA-0004, Molded Case Breaker Test, for determining appropriate test methodology for direct current molded case circuit breakers. These criteria did not meet the purpose or scope of the procedure, which included thermal and magnetic trip tests for molded case circuit breakers rated for 600 volts or less.
The team determined this was not sufficient justification to ensure overcurrent faults would be cleared at the lowest level of distribution. Therefore, without sufficient justification or well-defined criteria to determine the appropriate circuit breaker test method, the team determined that the licensee did not use a consistent approach to determine which Class 1E breakers would be overcurrent trip tested. Although the cause of the performance deficiency occurred more than three years ago, the team determined, through discussions with the licensee staff, that the lack of a well-defined consistent approach for the appropriate molded case circuit breaker test method was reflective of present licensee performance. It was evident that the criteria communicated to the team were based on judgement of the current engineering staff, not on current accepted industry practices or standards. Therefore, the lack of a consistent approach to testing is an on-going issue and would occur again, if not corrected or eliminated.
Analysis.
The team determined that the failure to detect deterioration and demonstrate operability of molded case circuit breakers through appropriate testing was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, inadequate periodic testing to detect deterioration and to demonstrate continued operability was a significant programmatic deficiency that would adversely affect the reliability of Class 1E molded case circuit breakers to perform satisfactorily in service. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the team determined the finding to be of very low safety significance (Green) because the finding was a deficiency affecting the design or qualification of a structure, system, or component, and the structure, system, or component maintained its operability or functionality. This finding had a cross-cutting aspect in the area of human performance associated with consistent practices because the licensee did not use a consistent, systematic approach to make decisions.
Specifically, the licensee did not use a consistent approach to determine which molded case circuit breakers would or would not be tested [H.13].
Enforcement.
The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XI, Test Control, which states, in part, a test program shall assure that all testing required to demonstrate that structures, systems, and components will perform satisfactorily in service is identified and performed in accordance with written test procedures which incorporate the requirements and acceptance limits contained in applicable design documents. Contrary to the above, since March 22, 1988, the licensee failed to assure that all testing required to demonstrate that structures, systems, and components will perform satisfactorily in service is identified and performed in accordance with written test procedures which incorporate the requirements and acceptance limits contained in applicable design documents. Specifically, the licensee failed to assure that all testing required to demonstrate that the safety-related molded case circuit breakers would perform satisfactorily in service was performed in accordance with the acceptance limits contained in IEEE 308-1974. In response to this issue, the licensee determined that the molded case circuit breakers will remain operable while implementing corrective actions to ensure the appropriate testing requirements of the molded case circuit breaker were included in the test programs.
This violation was entered into the licensee's corrective action program as Condition Report CR 16-2166. Because this violation was of very low safety significance and entered into the licensee's corrective action program, this violation is being treated as a non-cited violation consistent with Section 2.3.2.a of the NRC Enforcement Policy.
(NCVs 05000498/2016007-01, 05000499/2016007-01; Failure to Perform Adequate Periodic Testing of Molded Case Circuit Breakers)
2. Failure to Verify the Adequacy of Calculations Associated with Direct Current Circuit Breakers
Introduction.
The team identified two examples of a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion III, Design Control, for the licensee's failure to verify the adequacy of design calculations for Class 1E 125 Vdc molded case circuit breakers.
Description.
The team identified two examples of a performance deficiency for failure to implement design and verification requirements for Class 1E 125 Vdc molded case circuit breakers to assure adequate trip response times, instantaneous trip accuracies, and rates of change of the sensed variable (the short circuit current), as specified by IEEE 279-1971, Criteria for Protection Systems at Nuclear Power Generating Stations, Sections 3(7), 3(9), and 4.3. The South Texas Project Updated Final Safety Analysis Report, Section 8.3.1.2.4, Compliance with IEEE 279-1971, and Regulatory Guide 1.32, states, in part, Class 1E systems and equipment comply with the requirements of IEEE 279-1971 (as amended by RGs 1.47, 1.62 and RG 1.32) by virtue of the separation, redundancy, and independence provided in the various systems and the location of equipment in Seismic Category I buildings and structures. The licensee's commitment to Regulatory Guide 1.32 committed the licensee to using IEEE 308-1974, IEEE Standard Criteria for Class 1E Power Systems at Nuclear Power Generating Stations, in designing and maintaining the direct current distribution system.
Example 1: Calculation EC-5033, Protection Non 1E 48 VDC, 125 VDC & 250 VDC, and Class 1E 125 VDC Systems, Revision 6, and subsequent calculation design change notices inappropriately used time-current curves with alternating current root-mean-square response times and accuracies to evaluate the instantaneous trip function of molded case circuit breakers used in safety-related direct current applications. The calculation did not recalibrate or de-rate the molded case circuit breaker time-current curves for direct current application. When certain direct current circuits were modeled using the short circuit currents provided by the licensee and recalibrated time-current curves for direct current, the team calculated that some wires in the 125 Vdc bus panel E1A11 and downstream power distribution panel PL039A could reach temperatures that could cause secondary damage to other components along the wires' routes. This put the operability of 125 Vdc systems in reasonable doubt.
The molded case circuit breakers used by the licensee are thermal-magnetic circuit breakers. They are dual use for sensing either alternating or direct currents, but they must be recalibrated or de-rated for use in the 125 Vdc system. The default calibrations and ratings are expressed in alternating current root-mean-square characteristics as specified in the National Electrical Manufacturers Association (NEMA) Standard AB-1, Molded Case Circuit Breakers and Molded Case Switches, Section AB 1-2.16, Basis of Rated Interrupting Currents. Current on alternating current trip units is expressed in terms of root-mean-square trip values, while current on direct current trip units is expressed as instantaneous values. The electromagnetic trip is activated by induced magnetic forces from current flowing through the circuit breaker. The magnetic force is proportional to the square of the instantaneous value of current, instead of the root-mean-square value over some period of time. The difference in expressing current is an essential factor in adjusting alternating current curves to direct current systems.
Example 2: The inject current tolerance uncertainties in the licensee testing methodology for molded case circuit breakers were larger than specified on the manufacturer time-current curves. This tolerance uncertainty affected the sensed accuracies and response times of the molded case circuit breakers. The licensee's applicable standard, NEMA AB-2-1980, Procedures for Field Inspection and Performance Verification of Molded Case Circuit Breakers Used in Commercial and Industrial Applications, Table 5-1, specified that these tolerance uncertainties for inject current for instantaneous field trip testing were +40 percent on the high side of the time-current curve and -30 percent on the low side of the time-current curve. The manufacturing specifications for tolerance uncertainties were approximately +/-25 percent, as specified by the licensee's applicable standard NEMA AB-1. The licensee did not account for the additional uncertainties in evaluations of the design function. The uncertainties for the time-current curve instantaneous trip were not accounted for by licensee calculations. Recalculating to account for these uncertainties could extend the damaging effects previously evaluated in Example 1 above in 125 Vdc bus E1A11 and distribution panel PL039A to other components.
Following identification of both examples, the licensee performed an immediate operability determination. The immediate determination identified that there was sufficient margin within the Class 1E cabling to prevent degradation from an instantaneous fault; however, the design margin would be considerably less.
Analysis.
The team determined that the failure to verify the adequacy of the design of Class 1E 125 Vdc molded case circuit breakers was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the design control attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to verify the adequacy of the molded case circuit breakers to perform their design basis function using appropriate time-current curves and tolerances adversely affected the capability of the 125 Vdc systems.
Additionally, independent inspector calculations confirmed that the calculation errors resulted in a reasonable doubt on the operability of the 125 Vdc molded case circuit breakers. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the team determined the finding to be of very low safety significance (Green) because the finding was a deficiency affecting the design or qualification of a structure, system, or component, and the structure, system, or component maintained its operability or functionality. The team determined that this finding did not have a cross-cutting aspect because the most significant contributor did not reflect present licensee performance.
Enforcement.
The team identified two examples of a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion III, Design Control, which states, in part, the design control measures shall provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program. Contrary to the above, since March 22, 1988, the licensee failed to provide design control measures that verified or checked the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program. Specifically, the licensee failed to verify the adequacy of the molded case circuit breakers to perform their design basis function using appropriate time-current curves and tolerances for Class 1E 125 Vdc molded case circuit breakers to assure adequate trip response times, instantaneous trip accuracies, and rates of change of the sensed variable (the short circuit current). In response to this issue, the licensee determined that the 125 Vdc system would remain operable while implementing corrective actions to revise their design calculations to incorporate the appropriate time-current curves and current tolerances. This violation was entered into the licensee's corrective action program as Condition Reports CR 16-2196 and CR 16-2117. Because this violation was of very low safety significance and it was entered into the licensee's corrective action program, this violation is being treated as a non-cited violation consistent with Section 2.3.2.a of the NRC Enforcement Policy. (NCVs 05000498/2016007-02, 05000499/2016007-02; Failure to Verify the Adequacy of Calculations Associated with Direct Current Circuit Breakers)
.2.2 Units 1 and 2, Eagle 21 Qualified Display Processing System
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance procedures, test procedures, and condition reports associated with the Units 1 and 2 Eagle 21 qualified display processing system. The team also performed walkdowns and conducted interviews with engineering personnel to ensure capability of this component to perform its desired design basis function. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- Correspondences and submittals from the licensee to the NRC and vendor design criteria concerning the design basis of Eagle 21 system including design and verification and validation program to verify appropriate design basis was incorporated into the updated final safety analysis report
- Procedures for preventive maintenance, inspection, and testing to compare maintenance practices against established safety criteria and vendor guidance
- Class 1E qualification documents to verify the qualification met the requirements established in IEEE 279-1971 and IEEE 323-1974
b. Findings
1. Failure to Include Applicable Safety System Criteria in the Final Safety Analysis Report
Introduction.
The team identified a Severity Level IV, non-cited violation of 10 CFR 50.34(b)(2), Final Safety Analysis Report, for the licensee's failure to revise the final safety analysis report to reflect the design changes reported in supplemental information to the NRC.
Description.
The team identified a performance deficiency related to the licensee's exclusion, from the final safety analysis report, of the safety system criteria used for the licensing and design basis of the Eagle 21 computerized safety system used to implement the licensee's Qualified Display Processing System (QDPS). The South Texas Project Updated Final Safety Analysis Report, Chapter 1, states, "The Updated Final Safety Analysis Report (UFSAR) is submitted as a unique document in compliance with Regulatory Guide (RG) 1.70, Standard Format and Content of Safety Analysis Reports, Rev. 2 and 10 CFR 50.71(e)." The introduction of Regulatory Guide 1.70, Revisions paragraph, states, "Special care should be made to ensure that the main sections of the report are revised to reflect any design changes reported in supplemental information, i.e., responses to NRC staff requests for information or responses to regulatory positions."
The NRC initially completed the safety evaluation report that accepted the initial South Texas Project Final Safety Analysis Report in April 1986. The safety evaluation report stated, in part, Since the QDPS design is a microprocessor based technology; the staff requested the applicant to submit the verification and validation (V&V) program for the development of Class 1E software. The staff's evaluation of the system architecture and the V&V program for the QDPS will be addressed in a supplement to this report. The licensee provided the supplementary information in the following letters:
- ST-HL-AE-1214, Action Items Resulting from December 12, 1984, Meeting On QDPS V&V Plan, March 28, 1985
- ST-HL-AE-1344, QDPS Verification and Validation Plan, September 24, 1985
- ST-HL-AE-1859, Submittal of the QDPS Verification and Validation Program Final Report And Response to the QDPS V&V SER Open Item, December 23, 1986
- ST-HL-AE-2645, Revised QDPS Verification And Validation Plan, April 29, 1988
These letters identified the quality standards used to describe methods to the NRC they would find acceptable for complying with the Commission's regulations for promoting high functional reliability and design quality for the use of digital computers in safety systems of nuclear power plants. These standards included IEEE 7-4.3.2-1982, Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Station, and IEEE 603-1980, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.
Regulatory Guide 1.70, Section 7.1.2, Identification of Safety Criteria, states, list all design bases (including considerations of instrument errors), criteria, regulatory guides, standards, and other documents that will be implemented in the design of the systems listed in Section 7.1.1. The South Texas Project Updated Final Safety Analysis Report Section 7.1.1, Identification of Safety-Related Systems, Subsection 7.1.1.4, Safety-Related Display Instrumentation, states, in part, Identification of the equipment and systems providing safety-related display instrumentation is provided in Section 7.5.
Section 7.5.6, Qualified Display Processing System, lists the qualified display processing system as applicable to Section 7.1.1, as specified by Regulatory Guide 1.70.
The Updated Final Safety Analysis Report, Section 7.5.6, Qualified Display Processing System, identified that the functions of the qualified display processing system included the Safety Grade Control of Safety Related Valves (i.e., auxiliary feedwater system flow control valves). The team identified that IEEE 603-1980 established the minimum functional and design requirements for safety systems and that IEEE 7-4.3.2-1982 established the application criteria for programmable digital computer systems used in safety systems for nuclear power generating stations by expanding the quality and equipment qualification requirements of IEEE Std. 603-1980. The team determined that these safety criteria established the quality, design basis, and limits on operation of the qualified display processing system safety functions and, as such, are material to the safe operation of this system.
Analysis.
The team determined that the failure to revise the final safety analysis report with the supplemental information that presented the design bases of the qualified display processing system was a violation of 10 CFR 50.34(b)(2). The violation was more than minor because the design basis information affected certain safety system functions (i.e., the auxiliary feedwater system control valves), which had a material impact on safety. Because the issue affected the NRC's ability to perform its regulatory function, the inspectors evaluated this violation using the traditional enforcement process. The inspectors used the NRC Enforcement Policy, Subsection 6.1, Reactor Operations, dated February 4, 2015, to evaluate the significance of this violation. This violation is similar to example 6.1.d.3 in the Enforcement Policy. Therefore, this was a Severity Level IV violation because the violation represented a failure to update the final safety analysis report as required by 10 CFR 50.34(b)(2), but the lack of up-to-date information has not resulted in any unacceptable change to the facility or procedures.
The team determined there was no cross-cutting aspect because cross-cutting aspects are not assigned to traditional enforcement violations.
Enforcement.
The team identified a Severity Level IV, non-cited violation of 10 CFR 50.34(b)(2), "Final Safety Analysis Report," which requires, in part, that the final safety analysis report shall include a description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations. Contrary to the above, since March 22, 1988, the licensee failed to include, in the final safety analysis report, a description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. Specifically, the licensee failed to include, in the final safety analysis report, the safety system criteria specified by IEEE 603-1980 and IEEE 7-4.3.2 for the Eagle 21 control system, which described the facility, presented the design bases, and the limits on its operation. This violation does not represent an immediate safety concern. In response to this issue, the licensee created corrective actions to determine the appropriate information to include in the next update to the updated final safety analysis report. This violation was entered into the licensee's corrective action program as Condition Report CR 16-1281. Because this violation was of very low safety significance and it was entered into the licensee's corrective action program, this violation is being treated as a non-cited violation consistent with Section 2.3.2.a of the NRC Enforcement Policy.
(NCV 05000498/2016007-03, 05000499/2016007-03; Failure to Include Applicable Safety System Criteria in the Final Safety Analysis Report)
2. Failure to Perform Adequate On-going Qualification of the Class 1E Qualified Display Processing System
Introduction.
The team identified a Green, non-cited violation of 10 CFR 50.55a(h)(2), "Protection Systems," for the licensee's failure to comply with IEEE 279-1971, Section 4.4, "Equipment Qualification," which requires the verification by test data that Class 1E Eagle 21 components meet the required equipment qualification on a continuing basis. The licensee used the Eagle 21 system as the plant qualified display processing system (QDPS).
Description.
The team identified a performance deficiency related to the licensee's qualification of the qualified display processing system in accordance with IEEE 323-1974, Section 5, "Principles of Qualification." The South Texas Project Updated Final Safety Analysis Report, Subsection 7.5.6.2.4, "Equipment Qualification," stated, in part, "the QDPS is seismically and environmentally qualified to IEEE 344-1975 and IEEE 323-1974." The team noted that IEEE 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," indicated that its use was to provide guidance for demonstrating compliance with the qualification requirements of IEEE 279-1971. As reflected in the updated final safety analysis report, the licensee committed to meeting the standards of IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," to comply with 10 CFR 50.55a(h)(2).
IEEE 323-1974, Section 5, "Principles of Qualification," states, "The capability of all Class 1E equipment, including interfaces, of a nuclear power generating station for performing its required function shall be demonstrated." It further states that principles and procedures for demonstrating the qualification of Class 1E equipment include:
- (1) Assurance that the severity of the qualification methods equal or exceed the maximum anticipated service requirements and conditions
- (2) Assurance that any extrapolation or inference be justified by allowances for known potential failure modes and the mechanism leading to them
- (3) On-going qualification testing of installed equipment whose qualified life is less than the design life of the equipment
- (4) Documentation files which provide the basis for qualification
- (5) Qualification test data as required for on-going qualification testing
- (6) Qualification of any interfaces associated with Class 1E equipment
IEEE 323-1974, Section 8, "Documentation," states, "The qualification documentation shall verify that each type of electric equipment is qualified for its application and meets its specified performance requirements. The basis of qualification shall be explained to show the relationship of all facets of proof needed to support adequacy of the complete equipment. Data used to demonstrate the qualification of the equipment shall be pertinent to the application and organized in an auditable form."
The team reviewed the information in the original Eagle 21 Equipment Qualification Data Packages and Test Reports. The equipment qualification data packages and test reports specified the design life for the Eagle 21 system was 40 years, but the qualified life for internal components (i.e., circuit board assemblies and other digital components) was only five years. The NRC safety evaluation of the Westinghouse qualification methods indicated that the components internal to the solid state protection systems were equally qualified for only five years. The qualification tests did not consider non-Arrhenius, age-related operational stressors to determine the five-year qualified life. The qualified life was determined based on performance characteristics of the Eagle 21 being continuously powered without any preventative maintenance or other operational stressors such as cycling power or handling internal components. The team noted that many of the Eagle 21 components were still in use well outside the limits of their five-year qualified life.
The Eagle 21 system equipment qualification data packages and test reports clearly state, "No preventive maintenance is required to support the equipment qualified life." They further state, "This does not preclude development of a preventive maintenance program designed to enhance equipment performance and identify unanticipated equipment degradation as long as this program does not compromise the qualification status of the equipment." In early plant operation, the licensee determined that, since the system is located in a mild environment, the qualified life could be based on results of surveillance testing, maintenance, and trending of failures in spite of the documented qualification. Originally, the licensee maintained qualification by scheduled replacement and refurbishment of components before the end of their qualified life. The technical justification for the change was based on the system being redundant and the occurrence of a random failure being a tolerable, worst-case single failure. However, this technical justification does not meet the specifications of IEEE 323-1974 and failed to account for the operational stressors induced by testing and maintenance that compromised the five-year qualification status of the equipment.
Maintenance, troubleshooting, and other handling activities can cause operational stressors in the digital system. These stressors include power cycling, process cycling, calibration cycling, environmental cycling, and vibrations. These types of stressors produce stress gradients in microelectronics. These stress gradients produce shorter-acting failure mechanisms that include conductive filament formation, stress relaxation at contact interfaces, package-to-board interconnect fatigue, maintenance fatigue, and power cycling transient stresses. The licensee had exposed the Eagle 21 components to these operational stressors routinely and extensively for more than five years. In addition, the team noted that the licensee had attributed past failures to some of these shorter-acting failure mechanisms, like broken and missing solder. The licensee recognized, documented in condition reports, and accepted that cycling power for maintenance has exacerbated failures and caused unpredictable behavior in the Eagle 21 system.
The team determined that the circuit board assemblies included parts with limited service life (i.e., electrolytic capacitors). The operational stressors could produce various failure mechanisms that can cause unstable, differing, and difficult-to-identify symptoms in complex digital components. Since the original qualification tests did not include operational stressors, the extrapolation of shorter-acting microelectronic failure rates resulting from these operational stressors could be impracticable. Ultimately, the team determined that the licensee had not demonstrated on-going qualification by appropriate methods for equipment whose qualified life is less than the design life of the equipment in accordance with IEEE 323-1974, Section 5, "Principles of Qualification."
The licensee did not assure that the preventive maintenance program would preserve the five-year qualification of the Eagle 21 equipment. Additionally, the licensee did not complete similar qualification tests of the Eagle 21 system, or on identical equipment installed in service conditions that equal or exceed the qualified equipment, at an interval less than the qualified life to assure that the qualified life of the equipment exceeded the installed life of the equipment, as specified by IEEE 323-1974, Section 6.6, "On-going Qualification."
Analysis.
The team determined that the failure to perform on-going qualification testing of installed Eagle 21 components whose qualified life was less than the design life was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, inadequate on-going equipment qualification adversely affects the availability, reliability, and capability of Class 1E components to meet their safety functional requirements throughout their service lives. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the team determined the finding to be of very low safety significance (Green) because the finding was a deficiency affecting the design or qualification of a structure, system, or component, and the structure, system, or component maintained its operability or functionality. The team determined that this finding did not have a cross-cutting aspect because the most significant contributor did not reflect present licensee performance.
Enforcement.
The team identified a Green, non-cited violation of 10 CFR 50.55a(h)(2), "Protection Systems," which requires, in part, for nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements in IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations." Contrary to the above, since approximately 1993, the licensee failed to meet the requirements in IEEE Standard 279-1971. Specifically, the licensee failed to demonstrate qualification of the Eagle 21 system, on a continuing basis, by appropriate methods for equipment whose qualified life is less than the design life of the system. This violation was entered into the licensee's corrective action program as Condition Report CR 16-2214. Because this violation was of very low safety significance and it was entered into the licensee's corrective action program, this violation is being treated as a non-cited violation consistent with Section 2.3.2.a of the NRC Enforcement Policy. (NCV 05000498/2016007-04, 05000499/2016007-04; Failure to Perform Adequate On-going Class 1E Qualification for the Qualified Display Processing System)
3. Failure to Control Software Tools Commensurate with the Importance to Safety
Introduction.
The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XII, "Control of Measuring and Test Equipment," for the licensee's failure to control software tools that are used to modify and validate the software for the Class 1E Eagle 21 system.
Description.
The team identified a performance deficiency for the failure to control software tools to quality assurance measures commensurate with their importance to the test and evaluation of the Class 1E integrated computer system, which ensures compliance with the functional, performance, and interface requirements of the system.
The licensee uses a man-machine interface tool to routinely modify the parameters in the Class 1E Eagle 21 system and to perform maintenance and surveillance testing. This tool has the potential to introduce Class 1E software errors and possible common mode/cause failures into the Eagle 21 system. Common mode/cause failures are classified in licensee Standard IEEE 379-1972, "IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems."
The South Texas Project Updated Final Safety Analysis Report, Section 7.1.2.7, "Conformance to Regulatory Guide 1.53 and IEEE 379-1972," stated, in part, "the principles described in IEEE Standard 379-1972 are used in the design of the Westinghouse protection system...The systems comply with the intent of this standard and the additional guidance of RG 1.53." In addition, the licensee uses an automatic erasable programmable read-only memory (EPROM) checksum calculator to verify the quality of the Eagle 21 EPROMs received from Westinghouse. The complex software contained on these EPROMs is the operating system of the Eagle 21, on which the application software executes. Undetected software errors in the software would be unacceptable to the safe operation of the system.
The team determined the quality measures used by the licensee to control these tools were not commensurate with their importance because the licensee did not consider the vulnerability of the Eagle 21 to possible errors introduced by these tools.
Analysis.
The team determined that the failure to control software tools and testing devices used in activities affecting quality of the Class 1E Eagle 21 system was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it would have the potential to lead to a more significant safety concern. Specifically, the failure to control the software tools and testing devices would lead to potential errors being introduced to these tools and the safety-related Eagle 21 system. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the team determined the finding to be of very low safety significance (Green) because the finding was a deficiency affecting the design or qualification of a structure, system, or component, and the structure, system, or component maintained its operability or functionality. The team determined that this finding did not have a cross-cutting aspect because the most significant contributor did not reflect present licensee performance.
Enforcement.
The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XII, "Control of Measuring and Test Equipment," which states, "Measures shall be established to assure that tools, gages, instruments, and other measuring and testing devices used in activities affecting quality are properly controlled, calibrated, and adjusted at specified periods to maintain accuracy within necessary limits." Contrary to the above, since March 22, 1988, the licensee failed to establish measures to assure that tools, gages, instruments, and other measuring and testing devices used in activities affecting quality are properly controlled, calibrated, and adjusted at specified periods to maintain accuracy within necessary limits. Specifically, the licensee failed to establish measures to assure that the Class 1E Eagle 21 software tools and testing devices were properly controlled commensurate with their importance to the test and evaluation of the Class 1E integrated computer system, which ensures compliance with the functional, performance, and interface requirements of the system.
In response to this issue, the licensee placed control of the tools and testing equipment under the nuclear quality assurance program. This violation was entered into the corrective action program as Condition Report CR 16-1985. Because this violation was of very low safety significance and it was entered into the licensee's corrective action program, this violation is being treated as a non-cited violation consistent with Section 2.3.2.a of the NRC Enforcement Policy. (NCV 05000498/2016007-05, 05000499/2016007-05; Failure to Control Software Tools Commensurate with the Importance to Safety)
4. Failure to Correct Conditions Adverse to Quality Associated with the Eagle 21 System
Introduction.
The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Action," for two examples of a failure to correct conditions adverse to quality for multiple issues associated with the safety-related Class 1E Eagle 21 protection system.
Description.
The team identified a performance deficiency for the failure to correct conditions adverse to quality in the Class 1E Eagle 21 system. The Eagle 21 is a digital protection system used for the licensee's Class 1E qualified display processing system.
The qualified display processing system performs several safety functions including control of auxiliary feed water control valves. The qualified display processing system was in a degraded reliability status as characterized by the licensee. The team noted that several condition reports and apparent cause evaluations associated with failed components and other system failures described degraded conditions that were not subsequently identified as conditions needing correction or conditions adverse to quality.
In addition, the licensee documented notably degraded components received from their vendor, but failed to verify if degraded components were installed in the Eagle 21 system cabinets. The team determined that these were nonconformances with IEEE 279-1971, Section 4.3, "Quality of Components and Modules," which states, in part, "Quality levels shall be achieved through the specification of requirements known to promote high quality, such as requirements for design, for the derating of components, for manufacturing, quality control, inspection, calibration, and test." The following examples illustrate these nonconformances:
Example 1: Condition Reports CR 14-14966 and CR 14-15652 were classified as station level conditions adverse to quality and identified failed circuit boards, corrupted memory, and erratic behavior of qualified display processing system components and functions affecting reactivity. The condition reports stated that this was caused by power cycling the qualified display processing system cabinets. The apparent cause evaluations for the condition reports described, "multiple AC power cycles exacerbated the probability of random failures and anomalies." However, the failures were classified as random and the boards were replaced without correcting the qualified display processing system's vulnerability to failures caused by power cycling. The team determined that vulnerability to failures caused by power cycling of the qualified display processing system cabinets was a degraded condition, which is a condition adverse to quality in accordance with OPGP03-ZX-0002, Section 2.7, "Condition Adverse to Quality (CAQ)." No corrective action for this condition was established.
Example 2: Condition Report CR 15-5487 was classified as a station level condition adverse to quality and described failures of dataplane processor units, DPU-A and DPU-C. The apparent cause evaluation described troubleshooting efforts where multiple replacement components were deficient (e.g., central processing unit boards). The ICES report described, "This clock error is a known condition within the DPUs and randomly appears as a glitch." Further, the apparent cause evaluation identified historical deficiencies associated with multiple unused qualified display processing system components retrieved from stores. The apparent cause evaluation identified the current condition adverse to quality as the failure of an original backplane board due to inadequate vendor soldering. The apparent cause evaluation stated that "the current issue identified a backplane board as the possible cause and this vulnerability could exist within all QDPS cabinets. However, history and current system indications do not support a backplane vulnerability for other QDPS cabinets which bounds the issue to Unit 2 DPU-A." It further stated, "There are no corrective actions required for Extent of Condition due to other QDPS cabinets are indicating normal plant condition." The team determined that allowing a known clock error to exist in the DPUs of the Eagle 21 system was a nonconformance and a condition adverse to quality. No corrective action for this condition was established.
Analysis.
The team determined that the failure to correct conditions adverse to quality in the Class 1E Eagle 21 system that were nonconformances with requirements was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to correct conditions adverse to quality in the Class 1E Eagle 21 system adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of the protective action implemented by the qualified display processing system. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the issue screened as having very low safety significance (Green) because it was a design or qualification deficiency that did not represent a loss of operability or functionality; did not represent an actual loss of safety function of the system or train; did not result in the loss of one or more trains of non-technical specification equipment; and did not screen as potentially risk significant due to seismic, flooding, or severe weather. This finding had a cross-cutting aspect in the area of human performance associated with conservative bias because the licensee individuals failed to use decision making practices that emphasize prudent choices over those that are simply allowable [H.14].
Enforcement.
The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Action," which states, in part, "Measures shall be established to assure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances are promptly identified and corrected." Contrary to the above, since September 24, 2014, the licensee failed to establish measures to assure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances were promptly identified and corrected. Specifically, the licensee failed to establish measures to assure that deficiencies, deviations, defective material and equipment, and nonconformances that were responsible for malfunctions in the Class 1E Eagle 21 system were corrected. In response to this issue, the licensee performed an operability determination which determined the system was operable but in a degraded condition. This violation was entered into the licensee's corrective action program as Condition Report CR 16-2220. Because this violation was of very low safety significance and it was entered into the licensee's corrective action program, this violation is being treated as a non-cited violation consistent with Section 2.3.2.a of the NRC Enforcement Policy. (NCV 05000498/2016007-06, 05000499/2016007-06; Failure to Correct Conditions Adverse to Quality Associated with the Eagle 21 System)
.2.3 Unit 2, 4160 Vac Class 1E Switchgear E2C
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance procedures, test procedures, and condition reports associated with the Unit 2 4160 Vac Class 1E switchgear E2C. The team also performed walkdowns and conducted interviews with engineering personnel to ensure capability of this component to perform its desired design basis function.
Specifically, the team reviewed:
- Circuit one-line diagrams
- Calculated short-circuit current at loads for the bus
- Procedures for the 4160 Vac circuit breaker overhaul
- Breaker shop, for tooling, cleanliness, and organization
- Method for circuit breaker tracking of maintenance history by serial number
- Surveillance Frequency Control Program as it relates to switchgear
b. Findings
No findings were identified.
.2.4 Unit 2, Emergency Diesel Generator 23 and Voltage Regulator
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance procedures, test procedures, and condition reports associated with the Unit 2 emergency diesel generator 23 and voltage regulator. The team also performed walkdowns and conducted interviews with engineering personnel to ensure capability of these components to perform their desired design basis functions. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify monitoring for potential degradation by comparing the last two 5-year preventive maintenance results
- Validating acceptance criteria in preventive maintenance procedures by reviewing vendor manuals, specifically relay timing, contact brush placement, and pressure
- Reviewing vendor reports on the generator/regulator from emergency diesel generator 22, which was thoroughly overhauled by a third party following a failure of the diesel engine
- Surveillance Frequency Control Program as it relates to emergency diesel generator surveillances
b. Findings
No findings were identified.
.2.5 Units 1 and 2, Equipment Hatches, Personnel Airlocks, and Auxiliary Airlock Seals
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance and test procedures, and condition reports associated with Units 1 and 2 equipment hatches, personnel airlocks, and auxiliary airlock seals. The team also performed walkdowns and conducted interviews with system engineering personnel to ensure the capability of these components to perform their desired design basis functions. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- Engineering change notices to understand different seal designs used by the site in order to improve performance of containment access points and reduce failures
- Station videos created to ensure equipment function and operation
b. Findings
No findings were identified.
.2.6 Unit 1, Motor Driven Auxiliary Feedwater Pump 13
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance and test procedures, and condition reports associated with Unit 1 motor driven auxiliary feedwater pump 13. The team also performed walkdowns and conducted interviews with system engineering personnel to ensure the capability of this component to perform its desired design basis function. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- Calculations of pump flow and net positive suction head capacity to verify the capability of the pump to provide required flow to mitigate design basis accidents
- Surveillance and in-service test procedures and recent results to verify the actual capability of the pump
- Calculation of maximum pump discharge pressure associated with the motor driven auxiliary feedwater pump operating at maximum speed to verify the system piping and valves are not overpressurized
- Updated safety analysis report change to address the potential effect of tornado missiles on the auxiliary feedwater recirculation lines
- Calculations involving auxiliary feedwater instrument uncertainty and standby diesel generator output frequency uncertainty
b. Findings
1. Failure to Implement Administrative Controls for a Nonconservative Technical Specification of Standby Diesel Generator Frequency Variation
Introduction.
The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Actions," associated with the licensee's failure to promptly correct conditions adverse to quality. Specifically, the licensee failed to implement administrative limits on the standby diesel generator frequency variation surveillance requirement to correct adverse conditions.
Description.
In 1997, the licensee wrote Condition Report CR 97-13089 to document that the actual standby diesel generator steady state frequency variation was within the design specification of +/-0.25 percent, but that this information was not consistent with either Technical Specification Surveillance Requirement 4.8.1.1.2 or the surveillance test procedure acceptance criteria. The Technical Specification and surveillance test procedure acceptance criteria would allow the steady-state diesel generator frequency to vary by up to +/-2 percent. In response to this concern, the licensee performed Calculation E-5100, "Perform Evaluation of Electrical Frequency Variations on Mechanical Fluid Systems," Revision 2, in order to evaluate if the standby diesel generator frequency output uncertainty of +/-2 percent would interfere with the acceptance criteria margin of affected safety-related equipment. The calculation determined the motor driven auxiliary feedwater pumps were the most limiting affected equipment. The auxiliary feedwater pumps had sufficient margin to accommodate two percent frequency variation based on nominal pump performance. However, when considered in combination with other required motor driven auxiliary feedwater pump uncertainties, the licensee limited the diesel generator frequency variation to +/-0.5 percent to ensure that the auxiliary feedwater pumps would have sufficient margin to perform their safety functions. This resulted in the frequency variation limits of Technical Specification Surveillance Requirement 4.8.1.1.2 being nonconservative. The licensee made no change to the Technical Specification Surveillance Requirement or the surveillance test procedure steady-state frequency limits to ensure operability of the motor driven auxiliary feedwater pumps.
In 2013, the licensee initiated Condition Report CR 13-8263 to track the NRC endorsement of WCAP-17308-NP, "Treatment of Diesel Generator (DG) Technical Specification Frequency and Voltage Tolerances," which provided industry guidance for this issue. This condition report has been updated at least twice a year since 2013 to document that the licensee is aware of the status of the NRC's review of the document and approval of the associated Technical Specification Task Force change document.
WCAP-17308-NP provided technical guidance and recommended changes to Technical Specifications steady-state frequency limits. This recommendation is consistent with the NRC's expectations regarding correction of facility Technical Specifications when they are found to contain non-conservative values. Regarding nonconservative Technical Specifications values, NRC Administrative Letter 98-10 states, "imposing administrative controls in response to an improper or inadequate TS is considered an acceptable short-term corrective action." During this time (1997 to 2016), the licensee took no interim corrective actions to impose administrative controls in order to tighten the frequency range allowed by Technical Specification Surveillance Requirements for the standby diesel generator output steady-state frequency to ensure operability of the motor driven auxiliary feedwater pumps, until NRC endorsed the guidance in WCAP-17308-NP.
Analysis.
The team determined that the failure to impose administrative limits in surveillance procedures to promptly correct a condition adverse to quality was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Additionally, if left uncorrected, the performance deficiency would have the potential to become a more significant safety concern. Specifically, operation of the motor driven auxiliary feedwater pumps with a diesel generator frequency acceptance criteria of up to +/-2 percent would allow operation in a regime where the pumps would not perform their safety function when called upon. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the issue screened as having very low safety significance (Green) because it was a design or qualification deficiency that did not represent a loss of operability or functionality. This finding had a cross-cutting aspect in the area of human performance associated with change management because the licensee failed to use a systematic process for evaluating and implementing change so that nuclear safety remains the overriding priority. Specifically, the licensee did not properly evaluate the need to take appropriate interim corrective actions before the appropriate guidance was endorsed [H.3].
Enforcement.
The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion XVI, Corrective Actions, which states, in part, "Measures shall be established to assure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances are promptly identified and corrected." Contrary to the above, since 1997, the licensee failed to establish measures to assure that conditions adverse to quality are promptly corrected. Specifically, the licensee failed to correct a condition adverse to quality by imposing administrative controls in response to a nonconservative Technical Specification. In response to this issue, the licensee performed an operability determination regarding past performance on the auxiliary feedwater motor-driven pumps and concluded that they have always retained their safety function. This violation was entered into the licensee's corrective action program as Condition Report CR 16-2176. Because this violation was of very low safety significance and it was entered into the licensee's corrective action program, this violation is being treated as a non-cited violation consistent with Section 2.3.2.a of the NRC Enforcement Policy.
(NCV 5000498/2016007-07, 05000499/2016007-07; Failure to Implement Administrative Controls for a Nonconservative Technical Specification of Standby Diesel Generator Frequency Variation)
.2.7 Unit 2, Turbine Driven Auxiliary Feedwater Pump 24
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance and test procedures, and condition reports associated with Unit 2 turbine driven auxiliary feedwater pump 24. The team also performed walkdowns and conducted interviews with system engineering personnel to ensure the capability of this component to perform its desired design basis function. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- Calculations of pump flow and net positive suction head capacity to verify the capability of the pump to provide required flow to mitigate design basis accidents
- Surveillance and in-service test procedures with recent results to verify the actual capability of the pump
- Calculation of maximum pump discharge pressure associated with the turbine driven auxiliary feedwater pump operating at maximum speed to verify the system piping and valves are not over pressurized
- Updated safety analysis report change to address the potential effect of tornado missiles on the auxiliary feedwater recirculation lines and the turbine driven auxiliary feedwater pump steam exhaust stack
- Calculations involving auxiliary feedwater instrument uncertainty
b. Findings
No findings were identified.
.2.8 Unit 2, Emergency Diesel Generator 23 Fuel Oil Storage and Transfer System
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance and test procedures, and condition reports associated with the Unit 2 emergency diesel generator 23 fuel oil storage and transfer system. The team also performed walkdowns and conducted interviews with engineering personnel to ensure capability of this component to perform its desired design basis function. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- The seismic qualification of the safety-related portion of the fuel oil system and the non-safety-related portion of the fuel oil filtration system
- The fuel oil calculation to meet the 7-day requirement and verified the energy content of fuel oil supplied
- The chemical sampling procedure
- The seismic emergency procedure that protects against fuel inventory loss should a design basis seismic event occur during the 72-hour filtration process
- Emergency procedures and associated equipment staging to fill the fuel oil storage tank
b. Findings
No findings were identified.
.2.9 Unit 2, Chill Water Expansion Tank A and Reactor Coolant Building Expansion Tank
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance and test procedures, and condition reports associated with the Unit 2 chill water expansion tank A and reactor coolant building expansion tank. The team also performed walkdowns and conducted interviews with system engineering personnel to ensure the capability of this component to perform its desired design basis function. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- Chemistry reports to verify fluid treatments are preventing corrosion or degradation of components
- Calculations to support station actions are adequate to ensure safety functions of components are met
b. Findings
No findings were identified.
.2.10 Unit 1, Component Cooling Water Surge Tank
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance and test procedures, and condition reports associated with the Unit 1 component cooling water surge tank. The team also performed walkdowns and conducted interviews with system engineering personnel to ensure the capability of this component to perform its desired design basis function. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- Chemistry reports to verify fluid treatments are preventing corrosion or degradation of components
- Calculations to support station actions are adequate to ensure safety functions of components are met
- Maintenance procedures verify adequate performance of components
b. Findings
No findings were identified.
.2.11 Unit 2, High Head Safety Injection Pump 2C
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance and test procedures, and condition reports associated with Unit 2 high head safety injection pump 2C. The team also performed walkdowns and conducted interviews with system engineering personnel to ensure the capability of this component to perform its desired design basis function. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- Calculations of pump flow and net positive suction head capacity to verify the capability of the pump to provide required flow to mitigate design basis accidents
- Surveillance and in-service test procedures and recent results to verify the actual capability of the pump
- Calculations addressing the effects of emergency diesel generator output frequency uncertainty on the pump performance
- Safety classification of pump minimum flow piping to verify emergency core cooling system inventory will be maintained under post-accident conditions
- Leak tightness and testing of pump minimum flow isolation valves to verify impact on post-accident radiological releases
- Procedures associated with using pump to fill the safety injection accumulators to verify the operability of the pump is maintained
- Testing of control circuits and interlocks associated with transfer of the pump suction to the containment sump to verify impact on post-accident radiological releases
b. Findings
No findings were identified.
.2.12 Unit 2, Low Head Safety Injection Pump 2C
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance and test procedures, and condition reports associated with Unit 2 low head safety injection pump 2C. The team also performed walkdowns and conducted interviews with system engineering personnel to ensure the capability of this component to perform its desired design basis function. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- Calculations of pump flow and net positive suction head capacity to verify the capability of the pump to provide required flow to mitigate design basis accidents
- Surveillance and in-service test procedures with recent results to verify the actual capability of the pump
- Calculations addressing the effects of emergency diesel generator output frequency uncertainty on the pump performance
- Safety classification of pump minimum flow piping to verify emergency core cooling system inventory will be maintained under post-accident conditions
- Leak tightness and testing of pump minimum flow isolation valves to verify impact on post-accident radiological releases
- Testing of control circuits and interlocks associated with transfer of the pump suction to the containment sump to verify impact on post-accident radiological releases
- Procedure associated with use of pump to mitigate an accident under shutdown conditions to verify the capability of the pump to perform its design function
b. Findings
No findings were identified.
.2.13 Unit 2 Power Operated Relief Valve Motor Operated Block Valve B2RCMOV0001B
a. Inspection Scope
The team reviewed the updated safety analysis report, system description, the current system health report, selected drawings, maintenance and test procedures, and condition reports associated with the Unit 2 power operated relief valve motor operated block valve, B2RCMOV0001B. The team also conducted interviews with system engineering personnel to ensure the capability of this component to perform its desired design basis function. Specifically, the team reviewed:
- Component maintenance history and corrective action program reports to verify the monitoring of potential degradation
- Calculations of valve thrust requirements to verify the capability of the valve to open and close as required under accident conditions
- Valve test procedures and recent diagnostic test results to verify the actual capability of the valve
- Evaluation of potential pressure locking and thermal binding of valve to verify capability of the valve to open and close as required under accident conditions
- Calculations of valve operation under degraded voltage conditions to verify the capability of the valve to open and close as required under accident conditions
b. Findings
No findings were identified.
.3 Results of Reviews for Operating Experience
.3.1 Inspection of NRC Information Notice 1996-24, Preconditioning of Molded-Case Circuit Breakers before Surveillance Testing
a. Inspection Scope
The team reviewed the licensee's evaluation of Information Notice 1996-24, Preconditioning of Molded-Case Circuit Breakers before Surveillance Testing, to verify that a program was in place to address recording as-found overcurrent trip values of molded-case circuit breakers prior to manual manipulation of breakers.
b. Findings
No findings were identified.
.3.2 Inspection of NRC Information Notice 2007-36, Emergency Diesel Generator Voltage Regulator Problems
a. Inspection Scope
The team reviewed the licensee's evaluation of Information Notice 2007-36, Emergency Diesel Generator Voltage Regulator Problems, to verify that corrective actions were in place to address aging voltage regulator problems identified by the Information Notice.
The team verified that the licensee's review adequately addressed the issues in the information notice.
b. Findings
No findings were identified.
.3.3 Inspection of NRC Information Notice 2009-22, Recent Human Performance Issues at Nuclear Power Plants
a. Inspection Scope
The team reviewed the licensee's evaluation of Information Notice 2009-22, Recent Human Performance Issues at Nuclear Power Plants, to verify that a program was in place to address human performance issues during refueling outages and power operations that can affect radiation worker protection and reactivity events. The team verified that the licensee's review adequately addressed the issues in the information notice.
b. Findings
No findings were identified.
.4 Results of Reviews for Operator Actions
The team selected operator actions for review using information contained in the licensee's probabilistic risk assessment and design basis documentation.
a. Inspection Scope
The team observed operators during simulator scenarios associated with the selected components, as well as observing simulated actions in the plant.
The selected operator actions were:
- Scenario 1 and in-plant job performance measure: The scenario was designed to place the crew in a loss of all alternating current power (station blackout) event. In the emergency operating procedure for this event, the crew directs an operator to shed the A emergency safety features load sequencer load from the respective direct current bus. An in-plant job performance measure was used to evaluate the operator dispatched from the control room to complete this task. It is assumed that this task will be completed within 30 minutes of the onset of the event.
- Scenario 2: The scenario was designed to place the crew in a loss of normal feedwater event, as described in the South Texas Project Updated Final Safety Analysis Report. The supporting analysis assumes that operators will start a third auxiliary feedwater pump, feeding a third steam generator, within 15 minutes of the event's onset.
b. Findings
1. Failure to Ensure Sufficient Capacity and Capability of Mitigating Systems during a Station Blackout Event
Introduction.
The team identified a Green, non-cited violation of 10 CFR Part 50.63(a)(2) for failing to ensure sufficient capacity and capability of support systems during a station blackout event. Specifically, the licensee made changes in their direct current load calculation methodology that were inconsistent with their submitted correspondence for loss of all alternating current coping strategy.
Description.
During review of time critical operator action associated with a loss of all alternating current event (station blackout), the inspectors reviewed the licensee's applicable licensing basis documentation. The licensee's station blackout position and analysis were submitted in document ST-HL-AE-5010, Revised Position on 10 CFR50.63, Loss of All Alternating Current Power, dated March 1, 1995. During the NRC staff's review of this submittal, questions were provided to licensee staff to help inform their evaluation. These questions and their answers were documented in ST-AE-HL-AE-5103, Supplemental Information to Revised Position on 10CFR50.63, Loss of All Alternating Current Power, dated June 14, 1995. It was approved by the NRC in document ST-AE-HL-94257, Revised Station Blackout (SBO) Position, South Texas Project, Units 1 and 2 (STP) (TAC Nos. M90061 and M90062), dated July 24, 1995.
Part of the station blackout submittal addressed how the licensee would provide for direct current loads during the specified coping period. For this licensee, the coping period is four hours. Attachment 1, Section C.2 of ST-HL-AE-5010 states that "[t]his battery sizing calculation utilizes the actual inverter loads and DC panel loads operating in a LOOP condition." To clarify the meaning of this statement, NRC staff asked the licensee, as documented in the ST-HL-AE-5103 attachment, what was meant by the term actual load on direct current panels and inverters, as used in the battery capacity calculations (NRC Question 1). The licensee responded by stating that loads on the direct current panels and inverters were derived from manufacturers' published design documentation. The standard referenced for use in preparing the battery capacity calculations was IEEE Standard 485-1978 (NRC Question 7).
Based on the licensee's calculations, the four Class 1E direct current battery banks would remain in an operable condition for a minimum of four hours. With respect to the channel I (A train) battery bank, the battery terminal voltage would exceed the minimum value of 106 Vdc at the end of the duty cycle, provided that the train's emergency safety features load sequencer is shed commencing at 30 minutes from the onset of the event. In the ST-HL-AE-5103 attachment, NRC staff asked what design margins and minimum battery terminal voltages resulted from the calculations. For channel I (A train), the final voltage and design margin at the end of a 4-hour duty cycle were estimated to be 106.2 Vdc and 1.3 percent, respectively (NRC Question 8).
On September 12, 2013, the calculations were relocated into calculation 13-DJ-006, 125 VDC Battery Four Hour Coping Analysis, Revision 0. Prior to that, they had been located in calculation EC-5008, Class 1E Battery, Battery Charger, and Inverter Sizing, Revision 13. A table in Section 3.0 of calculation 13-DJ-006 states that the margin is 34.72 percent. Given that the design margin value had changed from the 1.3 percent communicated to the NRC in 1995, the inspectors asked the licensee to explain the reason for the difference. In response, the licensee indicated, as is documented in Section 2.0 of this calculation, that the loads for the associated inverters were modeled using measured loads. Based on what was communicated to the NRC previously, and how the capacity calculations were described in EC-5008, Revision 13, this represented a change in methodology on how inverter loads were estimated (manufacturers' published design loads versus measured loads).
The inspectors conducted a more in-depth review of calculation 13-DJ-006, and its source calculation EC-5008. Design calculation EC-5008 establishes the required capacity of station batteries to respond to a loss of alternating current power. Design basis calculation 13-DJ-006 relied on EC-5008 to establish loads to comply with the four-hour coping requirement for station blackout. The team noted two characteristics that were not evaluated in the battery capacity calculations.
- Emergency Operating Procedure 0POP05-EO-EC00, Step 6a, directs operators to attempt a control room emergency start, normal start, and a local start of an emergency diesel generator if needed to restore power to an emergency safety features bus. Calculation 13-DJ-006, Section 4.4, states that there are two emergency diesel generator start attempts, one with the auto start, and one start attempt at the end of the battery duty cycle. The additional attempts are not modeled in the battery profile.
- Loads on safety-related inverters were modeled in calculations using measured currents at a discrete time during unidentified conditions.
The team determined that the calculations failed to meet the applicable design standards. Specifically, IEEE 485-1978, Section 4.3.1, requires that loads whose inception and shutdown times are known be plotted. IEEE 279-1971, paragraph 4.4, allows use of test (measured) data provided consideration is given to the range of the transient and steady state conditions of both the energy supply and the environment during normal, abnormal and accident circumstances. Based on the information provided by the licensee, it cannot be said that the measured data is representative of all the environmental states in the standard. Therefore, the licensee did not meet this expectation.
Following the onsite inspection, the licensee completed an analysis of the battery coping using the conservative manufacturers' published design loads. The licensee determined that the channel I direct current bus would only be available to cope for 3 hours 57 minutes, not the full 4 hours as required. The team determined there was no immediate safety concern because the licensee's strategy to mitigate a station blackout event incorporated use of the three redundant battery trains that were not affected by the capacity issues and an alternate ac diesel generator.
The team inquired as to whether the licensee completed an impact review of the licensing basis information contained in letter ST-HL-AE-5010 when preparing calculation 13-DJ-006, as required by the licensee's calculation change procedure.
The licensee stated that they did not consider the impacts of the information in letter ST-HL-AE-5010. The licensee initiated Condition Report CR 16-2236 for the failure to follow the calculation change process.
Analysis.
The team determined that the failure to ensure the capacity and capability of protection systems to provide support for core cooling and containment integrity maintenance in the event of a station blackout was a performance deficiency. The performance deficiency was more than minor, and therefore a finding, because it was associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. In addition, if left uncorrected, the performance deficiency would have the potential to lead to a more significant safety concern. Specifically, if the channel I emergency safety features direct current bus were required to support loads for the four hour coping period, the licensee may subject components used to ensure core cooling and containment integrity to conditions that were not assumed in their station blackout analysis. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the issue screened as having very low safety significance (Green) because it was a design or qualification deficiency that did not represent a loss of operability or functionality; did not represent an actual loss of safety function of the system or train; did not result in the loss of one or more trains of non-technical specification equipment; and did not screen as potentially risk significant due to seismic, flooding, or severe weather. This finding had a cross-cutting aspect in the area of human performance associated with procedure adherence because the licensee failed to follow process, procedures, and work instructions. Specifically, the licensee did not follow the calculation change process procedures to complete an impact review of pertinent licensing information associated with station blackout when the battery load assumptions were revised in the station blackout coping calculation [H.8].
Enforcement.
The team identified a Green, non-cited violation of 10 CFR 50.63(a)(2), which states, in part, "The reactor core and associated coolant, control, and protection systems, including station batteries and any other necessary support systems, must provide sufficient capacity and capability to ensure that the core is cooled and appropriate containment integrity is maintained in the event of a station blackout for the specified duration." Contrary to the above, since September 12, 2013, the licensee failed to provide sufficient capacity and capability of station batteries to ensure core cooling and containment integrity is maintained in the event of a station blackout for the specified duration. Specifically, the battery sizing and load profile calculations of the channel I (A train) direct current battery bus failed to include proper design data for expected loads and possible worst case load currents. In response to these issues, the licensee determined the battery bus was operable and the licensee initiated actions to analyze the effects of the change in calculation methodology, as well as to account for the additional loads. This finding was entered into the licensee's corrective action program as Condition Reports CR 16-1794, CR 16-2197, and CR 16-2236. Because this finding was of very low safety significance and has been entered into the licensee's corrective action program, this violation is being treated as a non-cited violation, consistent with Section 2.3.2.a of the NRC Enforcement Policy.
(NCV 05000498/2016007-08, 05000499/2016007-08; Failure to Ensure Sufficient Capacity and Capability of Mitigating Systems during a Station Blackout Event)
2. Failure to Ensure Adequate Design Control Measures in Place to Mitigate a Loss of Normal Feedwater Flow Event
Introduction.
The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion III, Design Control, for failure to ensure design control measures assumed in the design basis were correctly translated into procedures. Specifically, the licensee failed to provide direction to licensed operators to ensure that a loss of normal feedwater flow event would be mitigated consistent with the licensee's design basis assumptions.
Description.
During a loss of normal feedwater flow event, analyzed in South Texas Project Updated Final Safety Analysis Report, Section 15.2.7, the licensee assumes that operator action is required 15 minutes after the initiation of the event to start a third auxiliary feedwater pump, delivering flow to a third steam generator. Emergency Operating Procedure 0POP05-EO-ES01, Reactor Trip Response, Revision 27, provides the actions taken to address restoring auxiliary feedwater flow to the three steam generators. Step 3 directs operators to restore feedwater to a third steam generator. However, Addendum 7, used in completing Step 3, allows operators to cross-connect flow from operating auxiliary feedwater pumps to the third steam generator, if desired. The procedure, which has been this way since August 1, 2001 (Revision 17), contains no direction to prioritize starting a third auxiliary feedwater pump in this situation. Review of licensed operator training documentation (initial and requalification programs) revealed that this assumption is not being taught to licensed operators. Because the cross-connect valves are not safety-related, they cannot be credited within the analysis of this event. Therefore, the combination of inadequate procedural direction and licensed operator training content failed to ensure that the assumptions of the licensee's accident analysis were met, potentially putting the plant in an unanalyzed condition.
In response to this issue, the licensee initiated actions to establish interim emergency operating procedure directions for the licensed operators to ensure that credited safety-related equipment is used with priority if this event were to occur at the plant. The emergency operating procedure document is being revised to ensure permanent corrective action is taken. The licensee analyzed the event scenario to determine if it could be successfully mitigated by cross-connecting auxiliary feedwater pumps with a third steam generator. The results show that adequate reactor coolant system decay heat removal can be provided and the pressurizer would not be overfilled with the use of two auxiliary feedwater pumps feeding three steam generators, assuming water inventory is available in the third steam generator at the beginning of the event. This finding was entered into the licensee's corrective action program as Condition Report CR 16-1694.
Analysis.
The team determined that the failure to establish measures to assure that the design basis was correctly translated into procedures and instructions was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the Mitigating Systems cornerstone attribute of procedure quality and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. In addition, if left uncorrected, the performance deficiency would have the potential to lead to a more significant safety concern. Specifically, if the licensee used the procedure to mitigate a loss of normal feedwater flow event, the licensee may place the plant in an unanalyzed condition. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 2, Mitigating Systems Screening Questions, the issue screened as having very low safety significance (Green) because it was a design or qualification deficiency that did not represent a loss of operability or functionality. The team determined that this finding did not have a cross-cutting aspect because the most significant contributor did not reflect present licensee performance.
Enforcement.
The team identified a Green, non-cited violation of 10 CFR Part 50, Appendix B, Criterion III, Design Control, which states, in part, that measures shall be established to assure that applicable regulatory requirements and the design basis for those structures, systems, and components to which this appendix applies are correctly translated into specifications, drawings, procedures and instructions. Contrary to the above, since August 1, 2001, the licensee failed to ensure that design control measures were established that assured the design basis was correctly translated into procedures and instructions. Specifically, the licensee failed to translate into procedures that a loss of normal feedwater flow event would be mitigated consistent with the licensee's design basis assumptions. In response to this issue, the licensee initiated actions to establish interim emergency operating procedure directions for the licensed operators to ensure that credited safety-related equipment is used with priority if this event were to occur at the plant. The emergency operating procedure is being revised to ensure permanent corrective action is taken. This finding was entered into the licensee's corrective action program as Condition Report CR 16-1694. Because this finding was of very low safety significance and has been entered into the licensee's corrective action program, this violation is being treated as a non-cited violation, consistent with Section 2.3.2.a of the NRC Enforcement Policy. (NCV 05000498/2016007-09, 05000499/2016007-09; Failure to Ensure Adequate Design Control Measures in Place to Mitigate a Loss of Normal Feedwater Flow Event)
3. Failure to Correct Procedure Deficiencies Allowing Cooling Restoration to RCP Seals
Introduction.
The team identified a Green, non-cited violation of Technical Specification 6.8.1.a, Procedures, which requires, in part, that written procedures will be established, implemented, and maintained for procedures in Appendix A of Regulatory Guide 1.33, Revision 2, February 1978. Specifically, the licensee failed to maintain the loss of all alternating current power emergency procedure to contain adequate direction to operators to mitigate a loss of reactor coolant pump seal cooling unique to the plant's design.
Description.
During a simulator scenario, the inspectors evaluated the performance of licensed operators performing a loss of all alternating current power event using Emergency Operating Procedure 0POP05-EO-EC00, Loss of All AC Power, Revision 23. With the event's onset, reactor coolant pump seal cooling is lost. In order to minimize the potential for further damage to the reactor coolant pump seal package or to prevent warping the reactor coolant pump shaft, seal cooling is not to be restored if the reactor coolant pump seal number 1 inlet temperature exceeds 230 degrees F (Step 3c). Seal cooling can be restored by forced seal injection or via component cooling water flow to the thermal barrier heat exchangers. In document DW-94-011, dated November 15, 1996, the plant design owners group determined that during an extended loss of alternating current power, no attempt will be made to restore seal cooling via the thermal barrier heat exchangers once reactor coolant pump seal temperatures exceed the vendor-recommended temperature of 230 degrees F. This is currently addressed in Step 8 of the procedure.
For this licensee, the susceptibility to the potential for reactor coolant pump seal damage and increased leak rates is different than for others with similar plant design. An evaluation of their reactor coolant pump seals documented in the STPEGS Probabilistic Risk Assessment Human Reliability Analysis Notebook, Revision 8.1, indicates that most Westinghouse plant seal packages are assumed to have increased risk of failure after loss of cooling for 13 minutes. Review of a Westinghouse technical bulletin specific to the licensee's seal design revealed that the time to restore cooling for their plant is approximately 6 minutes. This was determined in July 2010.
During the loss of all alternating current power event (station blackout), the NRC granted alternate alternating current power source credit for restoration of any one of their standby diesel generators within 10 minutes of the event's onset. The licensee proposed to receive this credit in their station blackout coping submittal, document ST-HL-AE-5010, Revised Position on 10CFR50.63, Loss of All Alternating Current Power, dated March 1, 1995. It was approved by the NRC in document ST-AE-HL-94257, Revised Station Blackout (SBO) Position, South Texas Project, Units 1 and 2 (STP) (TAC Nos. M90061 and M90062), dated July 24, 1995. In the procedure, the operators take actions to try to restore power to an emergency safety features bus (Steps 6 and 7). If an emergency safety features bus has power restored to it by the time Steps 6 or 7 of the procedure are reached, then the operators are directed to exit the procedure.
Observations of two crews showed the following:
- Reactor coolant pump seal number 1 inlet temperatures began exceeding 230 degrees F at 6 minutes, 41 seconds; and 6 minutes, 37 seconds. All reactor coolant pump seal No. 1 inlet temperatures were above 230 degrees by 7 minutes, 40 seconds.
- Crews implemented Step 7 at 11 minutes, 53 seconds, and 12 minutes, 5 seconds.
While the procedure contains operator actions to isolate or minimize forced seal injection flow when 230 degrees F is reached, there are no operator actions stated to isolate component cooling water flow to the thermal barrier heat exchangers prior to Steps 6 and 7. With the restoration of a single standby diesel generator credited within 10 minutes, this alternating current power source may be restored between 6 and 10 minutes after the event's onset. This will result in a period where the component cooling water thermal barrier heat exchanger cooling will be restored to the reactor coolant pump seals with temperatures greater than 230 degrees F, unless operator action is taken to restrict it from happening. The observations show that power restoration of an emergency safety features bus will occur prior to operators completing Step 7. This means that the crews will exit this procedure prior to implementing action to isolate component cooling water flow to the reactor coolant pump thermal barrier heat exchangers in Step 8. Therefore, the procedure as written does not provide adequate direction to ensure that reactor coolant pump seal cooling will not be inadvertently restored when the seal number 1 inlet temperature is above 230 degrees F.
In response to this issue, the licensee initiated actions to consult with the plant's design owners group to determine the best method of addressing this procedure vulnerability.
Given that the licensee has credit for restoring an alternate alternating current to an emergency safety features bus within 10 minutes, this makes the situation the licensee is responding to unique from the majority of Westinghouse pressurized water reactor plants. Emergency operating procedure documentation and/or operator training will be revised based on owners group input. This issue was entered into the licensee's corrective action program as Condition Report CR 16-2126.
In 2014, the licensee received a non-cited violation associated with not having adequate procedures to address equipment malfunctions that caused a loss of RCP seal cooling (05000498, 05000499/2013007-07). One of the issues the violation documented was a site procedure that did not contain prohibitions against restoring seal cooling to the RCP seals after their temperature exceeded 230°F. In the Tier 2 Apparent Cause Investigation, Revision 1 (Condition Report 14-1635), the extent of condition review did not document any reviews of other procedures associated with RCP seal cooling loss events to see if they allowed for seal cooling to be restored when seal temperatures were above 230°F.
Analysis.
The team determined that the failure to maintain procedures in accordance with accepted industry standards was a performance deficiency. The performance deficiency was determined to be more than minor, and therefore a finding, because it was associated with the Initiating Events cornerstone attribute of procedure quality, and adversely affected the cornerstone objective to limit the likelihood of events that upset plant stability and challenge critical safety functions during shutdown as well as power operations. Specifically, operating procedures did not contain appropriate attributes to ensure timely action to prevent an increased likelihood of a reactor coolant pump seal loss of coolant accident following a station blackout. In addition, if left uncorrected, the performance deficiency would have the potential to lead to a more significant safety concern. Specifically, if the licensee used the procedure to mitigate a loss of all alternating current power event, the licensee may increase the risk of increased reactor coolant pump seal leakage, as well as potentially placing the safety-related component cooling water system in an unanalyzed condition. In accordance with Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings At-Power, dated June 19, 2012, Exhibit 1, Initiating Events Screening Questions, the team determined a detailed risk evaluation was necessary because, after a reasonable assessment of degradation, the finding could result in exceeding the reactor coolant system leak rate for a small loss of coolant accident. Therefore, the senior reactor analyst performed a bounding detailed risk evaluation. The analyst determined that the change to the core damage frequency would be 1E-7 per year (Green). 
This finding had a cross-cutting aspect in the area of problem identification and resolution associated with evaluation because organizations failed to thoroughly evaluate issues to ensure that resolutions address causes and extent of condition commensurate with their safety significance. Specifically, in 2014, the licensee received a non-cited violation associated with not having adequate procedures to address equipment malfunctions that caused a loss of reactor coolant pump seal cooling (Inspection Reports 05000498/2013007); however, the extent of condition review did not document any reviews of other procedures associated with reactor coolant pump seal cooling loss events to see if they allowed for seal cooling to be restored when seal temperatures were above 230 degrees F [P.2].
Enforcement.
The team identified a Green, non-cited violation of Technical Specification 6.8.1.a., Procedures, which requires that written procedures shall be established, implemented, and maintained for procedures in Appendix A of Regulatory Guide 1.33, Revision 2, February 1978. Procedures addressing combating emergencies involving loss of electric power are denoted in Appendix A, Section 6, Item c. Contrary to the above, since July 2010, the licensee failed to establish, implement, and maintain for procedures in Appendix A of Regulatory Guide 1.33, Revision 2, February 1978.
Specifically, the licensee failed to maintain the loss of all alternating current power emergency procedure to ensure the procedure contained adequate direction to operators to mitigate a loss of reactor coolant pump seal cooling unique to the plant's design. In response to this issue, the licensee initiated actions to consult with the plant's design owners group to determine the best method of addressing this procedure vulnerability. Emergency operating procedure documentation and/or operator training will be revised based on owners group input. This issue was entered into the licensee's corrective action program as Condition Report CR 16-2126. Because this finding was of very low safety significance and has been entered into the licensee's corrective action program, this violation is being treated as a non-cited violation, consistent with Section 2.3.2.a of the NRC Enforcement Policy. (NCV 05000498/2016007-10, 05000499/2016007-10; Failure to Correct Procedure Deficiencies Allowing Cooling Restoration to RCP Seals)
OTHER ACTIVITIES
Cornerstones: Initiating Events, Mitigating Systems, Barrier Integrity
4OA6 Meetings, Including Exit
Exit Meeting Summary
On February 11, 2016, the inspectors presented the initial inspection results to G.T. Powell, Site Vice President, and other members of the licensee staff. The licensee acknowledged the issues presented. The licensee confirmed that any proprietary information reviewed by the inspectors had been returned or destroyed.
On March 9, 2016, the inspectors presented the final inspection results to G.T. Powell, Site Vice President, and other members of the licensee staff. The licensee acknowledged the issues presented. The licensee confirmed that any proprietary information reviewed by the inspectors had been returned or destroyed.
SUPPLEMENTAL INFORMATION
KEY POINTS OF CONTACT
Licensee Personnel
- M. Berg, Manager, Design Engineering/Test Programs
- R. Butler, Operations
- A. Capristo, Executive Vice President and Chief Administrative Officer
- D. Chamberlain, Supervisor, Design Engineering
- F. Comeaux, Engineer, Design Engineering
- J. Connolly, General Manager, Engineering
- J.B. Cook, Design Coordinator
- R. Dunn Jr., Manager, Nuclear Fuel and Analysis
- B. Eller, Manager, Corporate Communications
- R. Engen, Manager, Engineering Projects
- S. Flaherty, Manager, Staff Support
- M. Foster, Supervisor, Operations Support - Procedures
- K. Frazier, Supervisor, System Engineering
- R. Gonzales, Senior Engineer, Licensing
- G. Hildebrandt, Manager, Operations
- G. Janak, Manager, Operations Training
- B. Jenewein, Manager, Performance Improvement
- R. Kersey, Design Engineering
- D. Koehl, President and Chief Executive Officer
- R. Lacey, Engineer, Design Engineering
- H. Leon, Engineer, Design Engineering
- T. Maxey, Engineer, Design Engineering
- R. McNiel, Manager, Maintenance Engineering
- M. Murray, Manager, Regulatory Affairs/Licensing
- J.E. Pierce, Manager, Operations Division - Integrated Work Management & Outage
- G.T. Powell, Site Vice President
- K. Regis, Engineer, Design Engineering
- D. Rencurrel, Senior Vice President Operations
- M. Renteria, Engineer, Design Engineering
- J. Rocha, Supervisor, Design Engineering
- S. Rodgers, Risk Management
- T. Russell, Engineer, Design Engineering
- M. Ruvalcaba, Manager, Strategic Projects
- R.D. Savage, Engineer Specialist/Licensing Consultant, Licensing
- R. Scarborough, Manager, Quality Assurance
- M. Schaefer, Plant General Manager
- G.E. Schinzel, Supervisor, Design Engineering
- W. Schulz, Engineer, Design Engineering
- R. Stastny, Manager, Maintenance
- L. Sterling, Supervisor, Licensing
- C. Thomas, Design Engineering
- J. Von Suskil, Owner Representative, NRG South Texas LP
NRC Personnel
- A. Sanchez, Senior Resident Inspector
- N. Hernandez, Resident Inspector
LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED
Opened and Closed
- 05000498/05000499/2016007-01 NCV Failure to Perform Adequate Periodic Testing of Molded Case Circuit Breakers (Section 1R21.2.1.b.1)
- 05000498/05000499/2016007-02 NCV Failure to Verify the Adequacy Calculations Associated with Direct Current Circuit Breakers (Section 1R21.2.1.b.2)
- 05000498/05000499/2016007-03 NCV Failure to Include Applicable Safety System Criteria in the Final Safety Analysis Report (Section 1R21.2.2.b.1)
- 05000498/05000499/2016007-04 NCV Failure to Perform Adequate On-going Class 1E Qualification for the Qualified Display Processing System (Section 1R21.2.2.b.2)
- 05000498/05000499/2016007-05 NCV Failure to Control Software Tools Commensurate with the Importance to Safety (Section 1R21.2.2.b.3)
- 05000498/05000499/2016007-06 NCV Failure to Correct Conditions Adverse to Quality Associated with the Eagle 21 System (Section 1R21.2.2.b.4)
- 05000498/05000499/2016007-07 NCV Failure to Implement Administrative Controls for a Nonconservative Technical Specification of Standby Diesel Generator Frequency Variation (Section 1R21.2.6.b.1)
- 05000498/05000499/2016007-08 NCV Failure to Ensure Sufficient Capacity and Capability of Mitigating Systems during a Station Blackout Event (Section 1R21.4.b.1)
- 05000498/05000499/2016007-09 NCV Failure to Ensure Adequate Design Control Measures in Place to Mitigate a Loss of Normal Feedwater Flow Event (Section 1R21.4.b.2)
- 05000498/05000499/2016007-10 NCV Failure to Correct Procedure Deficiencies Allowing Cooling Restoration to RCP Seals (Section 1R21.4.b.3)