IR 05000528/1993007
| ML20036A550 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde  |
| Issue date: | 04/09/1993 |
| From: | Ang W NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION V) |
| To: | |
| Shared Package | |
| ML20036A527 | List: |
| References | |
| 50-528-93-07, 50-528-93-7, 50-529-93-07, 50-529-93-7, 50-530-93-07, 50-530-93-7, NUDOCS 9305120064 | |
| Download: ML20036A550 (14) | |
Text
..
.
U.
S.
NUCLEAR REGULATORY COMMISSION
REGION V
.
Report Numbers:
50-528/93-07, 50-529/93-07, and 50-530/93-07 Docket Numbers:
50-528, 50-529, and 50-530
License Numbers:
,
Licensee:
Arizona Public Service Company P.
O.
Box 53999, Station 9012 Phoenix, AZ 85072-3999
'
Facility Name:
Palo Verde Nuclear Generating Station Units 1, 2,
and 3 t
Inspection Conducted:
March 1 - 5, 1993
,
Inspectors:
F. Gee, Reactor Inspector, Region V J. Mauck, Nuclear Reactor Regulation P. Loeser, Nuclear Reactor Regulation C.
Antonescu, Nuclear Regulatory Research l
Approved By:
d-T'T3
'
W.
Ang, Chief Date Signed
'
Engineering Section
.
-
.
Summary:
.
Inspection durino the neriod of March 3 throuch 5.
1993 (Report Numbers 50-528/93-07. 50-529/93-07, and 50-530/93-07
'
Area Inspected:
The inspectors conducted an announced inspection to verify the
.
implementation of the Anticipated Transients Without Scram (ATWS)
i systems and to assess their conformance with the ATWS-rule, 10 CFR
,
50.62.
The inspectors used " Safety Evaluation Report, Palo Verde Nuclear Generating Station, Units 1, 2,
and 3 Evaluation.of.
Compliance with ATWS Rule: 10 CFR 50.62 Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events-for Light-Water-Cooled Nuclear Power Plants, Docket Nos. 50-528 / 529 /
530,"
dated October 18, 1990 and Temporary Instruction 2500/020, Revision 2, " Inspection to Determine Compliance with ATWS Rule, 10
CFR 50.62," as guidance for this inspection.
,
9305120064 930409 PDR ADOCK 05000528
}
G PDR-l i
.
-
-
.. -
-
.
-
i
l
-
,
Results:
,
General Conclusions and Specific Findinas:
The licensee has installed the ATWS equipment adequately.
The l
installation complies with the requirements of the ATWS rule, 10 i
CFR 50.62.
In general, the physical arrangementEand installation
- !
appeared to be in accordance with the NRC staff safety evaluation-i report on the equipment.
The diverse auxiliary feedwater actuation system (DAFAS), which is
a part of the ATWS system, was installed as safety grade, exceeding
'
the quality requirements of Generic Letter 85-06, " Quality
Assurance Guidance for ATWS Equipment That is Not Safety-Related."
i However, the licensee did not provide to the inspectors sufficient.
t evidence to support the safety quality classification of the DAFAS
'!
software at the time of the inspection.
The documents, _ reviewed by j
the NRC inspectors, did not qualify the DAFAS software to be safety grade, j
No design basis and plant specific acceptance criteria for
,
electromagnetic and radio frequency interference (EMI/RFI) were
!
available on site.
No DAFAS system bypass annunciation was provided on the control f
room main control board.
The DAFAS annunciation on the control room main control board was not complete, j
Sienificant Safety Matters:
,
None
Safety Issues Manacement System:
l Issue Number A-9, Anticipated Transients Without Scram (ATWS),_was
,
closed during this inspection.
[
!
Summary of Apparent Violations and Deviations:
.
None Open Items Summary:
-
,
The inspectors opened one unresolved item regarding the safety grade qualification of DAFAS software,.EMI/RFI acceptance criteria,-
,
and DAFAS bypass annunciation.
i
-
!
r
,
t
..
.
.~.~
. ~. -
......
-
.
h
&
.
-
I Details s
\\
1.
Persons Contacted
- R.
Bernier, Supervisor, Nuclear Regulatory' Affairs
- R. Bouquot, Supervisor, Quality Assurance-& Monitoring l
- T. Bradish, Manager, Nuclear Regulatory Affairs j
- J. Draper, Site Representative, Southern California Edison
- R. Fountain, Supervisor, Quality Assurance & Monitoring l
- F.
Garrett, Manager, Fire Protection-Program i
- S.
Garrett, Supervisor, Nuclear Engineering
- F. Gowers, Site Representative, El' Paso Electric
- N. Henry, Project Manager, Operations Standards
>
- R.
Henry, Site Representative, Salt River Project l
- J.
Irwin, Senior Engineer, Nuclear Regulatory Affairs j
- C.
Lewis, Senior Engineer, Nuclear Engineering
.j
- W. Montefour, Coordinator, Owner Services (
- G. Overbeck, Director, Nuclear Engineering i
- J.
Thompson, Technical Assistant, Plant Support
NRC personnel in attendance at the exit interview j
!
- W.
Ang, Engineering Section Chief, Region V l
'
- J.
Sloan, Senior Resident Inspector, Palo Verde.
- Attended the exit meeting on March 5, 1993.
The inspectors also held discussions with other licensee
,
personnel during the inspection.
,
i
[,
2.
Introduction l
The purpose of this inspection was to evaluate the
!
implementation of the Palo Verde Anticipated Transients
{
Without Scram (ATWS) System design and installation.
The j
inspectors were to verify that the implementation was in
!
accordance with NRC safety evaluation report (SER), dated i
October 18, 1990, addressing the Palo Verde ATWS design.
The post-implementation inspection was conducted in accordance l
with the guidelines established in the NRC Inspection Manual
.
Temporary Instruction (TI) 2500/020, " Inspection to Determine
[
Compliance with ATWS Rule, 10 CFR 50.62,"
Revision 2, dated
'
May 4, 1990.
!
The licensee installed the diverse scram system (DSS) and the
. :
diverse auxiliary feedwater actuation system (DAFAS) as safety ~
j related systems'
The final trip device of the DSS (the motor,
j
.
generator output load contactors) and the undervoltage relays l
of the diverse turbine trip (DTT) were installed by the
licensee as quality augmented equipment ( " quality augmented" l
i
.
\\
'
>
l
I
.
-
-
,
.
-
_
t
ii
,
'is a Palo Verde equipment / system quality classification that
!'
is applied to equipment / systems that do not perform safety related function, but which, as a result of the regulatory
commitment or management directive, require the application of certain quality assurance program elements over and above
,
those required for non-safety related equipment / systems).
!
The quality classification of the DSS and the DAFAS. exceeded
the quality requirements of Generic Letter 85-06, " Quality i
Assurance Guidance for ATWS Equipment That is Not Safety-
,
Related."
A quality augmented classification for DSS and
DAFAS would meet Generic Letter 85-06 requirements.
Since the
!
licensee classified the DSS and the DAFAS as safety related systems, those systems were inspected as safety related
systems.
,
f 3.
Technical Evaluation
!
a.
General l
!
At the Palo Verde Nuclear Station, the licensee implemented an ATWS design that was based on a Supplementary Protection System (SPS) with a diverse and isolated logic output stage
that interrupts the power to the control element drive mechanisms (CEDMs).
The Palo Verde ATWS installation complied l
with the requirements of the ATWS Rule (10 CFR 50.62) for a DSS and a DTT.
t The SPS was installed as a safety grade system that utilizes p
four identical channels which were referred to as Supplemental Protection Logic Assemblies (SPLAs).
The SPS used the SPLAs in a two-out-of-four logic to interrupt the power supplied to
the CEDMs and thereby cause a reactor trip.
The SPS trip setpoint was set above the Reactor Protection System (RPS)
high pressurizer pressure trip setpoint which permitted the
_
RPS trip to be initiated first.
I The DTT design was a control grade system that sensed the CEDM power bus undervoltage.
When the DSS _ caused a reactor scram, i
power was interrupted to the CEDM coils upstream of the control rod power bus undervoltage relays.
The de-energizing of these undervoltage relays actuated the turbine trip circuitry.
The DAFAS consisted of isolators, signal conditioning, trip recognition, coincident logic, initiation logic, and other
,
circuitry and equipment necessary to monitor plant conditions.
The DAFAS initiated auxiliary feedwater (AFW) flow during conditions indicative of an ATWS.
The DAFAS was a safety i
i
I
.
related control system.
It interacted with process, cabinets,.
auxiliary relay cabinets and plant computers by the use of approved electrical isolation devices, fiber optic cables.
It-utilized'the existing safety related wide-range steam generator level sensors and the existing safety related auxiliary feedwater system equipment (pumps and valves) : to.
provide auxiliary feedwater to the steam generators to mitigate the consequences of an ATWS event.
The SER, dated October 18, 1990, stated that the' staff's acceptance of the Palo Verde ATWS design was subject'to the post-implementation verification of the following confirmatory items:
(1)
DAFAS software verification and validations (V&V)
[
t process, (2)
Human factors engineering review, (3)
DAFAS controls, alarms, and operating procedures,-
and
>
'
(4)
DAFAS test procedures.
'
b.
Verification of SER Confirmatory Items'
(1)
DAFAS Software The software used in the Palo Verde ATWS System was designated as safety _ grade by the licensee, despite
<
the fact that 10 CFR 50.62 does not require this_
l level of qualification.
The primary; problem with..
'
designating this software as safety grade was that
-
the operational software-was built with commercial, off-the-shelf tools.
There were no records
-
available onsite to certify that these. tools were designed or built using an acceptable V&V process.
,
For these reasons it was difficult, without:
significant insight into what those tools were:
doing,fto designate'the-resultant code _as safety-
grade.
The licensee did-not have a good understanding on how the software tools were used to support the operational software.. The licensee did not have any:
written functional-requirements.to provide; traceability between the DAFAS software requirements
~
and the ladder logic._ There was no software development plan or software design documentation
,
I f
k
s
-
,
b
.
)
(ANSI /IEEE-ANS-7.4.3.2 Section 4,
" Application Criteria for Programmable Digital Computer. Systems'
.
in Safety Systems of Nuclear Power Generating Stations").
There was no visibility on the step linkage between the ladder logic and the executable code.
There was also insufficient detail to perform
-!
a thread audit of the software.-(A thread audit is an audit in which the operational code of the.
software is verifiec with known inputs including-f exceptions).
The above noted conditions represented
'
some of the conditions that were needed,to support
,
the licensee's classification of the DAFAS software as safety related software.
,
The licensee's V&V process to produce the ladder
logic was also flawed. _The system test was written
'
by the design team, not by the V&V team as specified
by ANSI /IEEE-ANS-7.4.3.2.
No resumes were available for the V&V team.
The qualifications of the team were therefore unknown (ANSI /IEEE-ANS-7.4.3.2
.;
sec.7.1).
The V&V audit results, "DAFAS j
Verification and Validation Report," were not easily
understandable.
t There were other problems with the software design, test, and administration.
The ATWS software was not listed as controlled software in the " Nuclear
-
Administration and Technical Manual", Document 77DP-9ZZO4.
The watchdog timer was implemented in software, with each channel reading the other channel's watchdog.
(A watchdog timer is a method.
of continuously monitoring the system to verify
computer operation.)
This was valid only if the
!
possibility of a common. node or a common cause
'
failure (i.e. a failure of both channels) was
ignored.
Very little detail was available onLthe
'
hardware design.
No schematics or board drawings
were available.
The test equipment list contained in the October 25, 1991, test record was not sufficiently detailed to identify the test equipment used, and was therefore inadequate.
,
In general, the ATWS software was not written.to the standards required of safety grade software.
.While
an attempt was made to comply with some of the-
'
,
concepts of ANSI /IEEE-ANS-7.4.3.2, the unknowns associated with use of proprietary commercial software tools were of such a magnitude that the
attempt was insufficient.- In order to make'use of i
i
,
l l
.
t such tools, either the tools themselves must be
!
-
'
thoroughly examined, or the resultant code must be-simple enough to allow disassembly of the-j operational code to check for errors.
An alternate i
would be to test for all reasonable inputs and combinations of inputs, to insure that not only will
the software function as intended, but that no unintended functions will occur.
The feasibility of
'l this method is again highly dependent on the
complexity of the system.
,
i In conclusion, the ATWS software is acceptable for use with the ATWS System under 10 CFR 50.62.
The software was not shown to be adequate-to be called safety grade.
The DAFAS software lacked sufficient documentation to qualify it as safety related i
software.
This was discussed with the licensee. The licensee acknowledged that a reevaluation of the.
I safety grade classification of the DAFAS software would be performed.
This was identified as one of
.,
j the items for future inspection as summarized in
Section 4.
I
,
(2)
Human Factors Engineering Review l-l A walkdown of the ATWS equipment was performed on j
March 3, 1993.
The inspectors observed the i
!
arrangement and labelling of the controls'and
_
indications of the equipment.
Based on the walkdown of the equipment', the inspectors concluded that the
,
licensee appeared-to have performed'an adequate ~
'
human factors engineering review of the ATWS
'
equipment.
'
(3)
DAFAS Controls, Alarms, and Operating Procedures During the plant walkdown, the inspectors observed the controls, indicators, and alarms on the'DAFAS
.
local panel, which was located behind the control
!
room main control board.
The DAFAS-local control
!
panel had graphical display for steam generator-
t inputs, logic permissives, trip and bypass status, and test configurations.
The DAFAS local-control panel appeared to be adequate for controls and
!
indications.
With respect-to the alarm points, the licensee i
assigned two annunciation windows.to each DAFAS
>
channel on the main control board in the control
,
i i
e
'
.
t
-_
-_
-
- -
-
-
-
-
-
-
-
.
.
.
.
.
!
l
!
!
t i
.
room.
A combined total of four annunciation windows
.,
for channels A and B were installed.
They were i
!
DIVERSE AFAS A TRIP, DIVERSE AFAS B TRIP, DIVERSE.
AFAS A TEST /TRBL, and DIVERSE AFAS B TEST /TRBL.
'The.
DAFAS bypasses did not annunciate on the main
control board.
The DAFAS annunciation on the main i
control board did not include annunciation'of a
bypass status of the system.
!
l The licensee indicated that the key used to bypass
,'
DAFAS system was controlled.by a licensed control'
room operator.
The control room operator maintained
'
a log of the key check-out in the main control room.
'
The inspectors concluded that a key check-out log
-
was not an acceptable device in maintaining the
,
-i operator's awareness of the DAFAS bypass status.
The key check-out log did not assure that the bypass
'
status would continue to be recognized by the-operators after few shift turnovers.
.,
The licensee also indicated its commitment to IEEE'
Standard 279-1971, "IEEE Standard:. Criteria for Protection Systems for Nuclear Power. Generating'
Stations," in the Palo Verde final safety analysis i
report (FSAR).
The standard indicated in paragraph 4.13 that if the' protective action of some part of the system has been bypassed,.this fact shall be continuously indicated in the control room.
The
.,
licensee considered the location behind the main
!
control board, where the DAFAS. local control panel was located, as part of the control room.
On the
,
other hand, the duplication of the system' status'was made on the main annunciator on the control board.
The inspectors concluded that the duplication of-
"
DAFAS system status cn1 the' main control board was
'
not complete and did include the system bypass status.
The incomplete DAFAS annunciation on the control i
board in the control room was identified as one of
'
the items for future inspection as summarized in
Section 4.
l The inspectors reviewed Procedure Number 41AL-1RK5B,
!
" Panel B05B Alarm Responses," associated with the
!
DAFAS alarm responses.
The DAFAS alarm response procedure appeared to be adequate.
!
' I i
,!
,
t
.. -
.
-
The licensee indicated that Palo Verde did not take credit for the ATWS-equipment; therefore, the licensee did not revise the existing emergency operating procedures (EOP) for the ATHS modifications.
The inspectors reviewed pages four and nineteen of EOP 41EP-1EOO1, " Emergency Operations," Revision 00.06, and page 2 of Appendix FA of EOP 41EP-1ROO8, " Functional Recovery,"
Revision 00.07, and concluded that the licensee's assessment appeared to be adequate.
(4)
DAFAS Test Procedures The inspectors reviewed the following DAFAS test
.;
procedures for the at-power. testing capability, the
end-to-end system testing,'and the compliance with
!
10 CFR 50 Appendix B requirements:
{
!
(a)
Procedure Number.81490-ICE-3539, " Post Installation Acceptance Test Procedure
Guideline for the Diverse Auxiliary Feedwater
Actuation System for Palo Verde Nuclear
~
Generating Station, Units 1, 2,
& 3," Revision
04.
!
i (b)
Report Number 81490-ICE-3711, " Factory
'
Acceptance Test Summary Report for the Diverse-l Auxiliary Feedwater Actuation System for i
Arizona Public Service Palo Verde Nuclear Generating Station, Unit 2," Revision 00.
-
,
(c)
Procedure Number 36MT-9SA07, " Calibration of I
DAFAS Analog Input Modules,"' Revision 00.
'
t (d)
Procedure Number 36MT-9SA06, "DAFAS Functional
!
Test," Revision 00.01.
(e)
Procedure Number'36MT-9SA08, " Calibration of DAFAS Fiber Optic Modules," Revision 00.
The test procedures reviewed appeared to comply.with.
,
10 CFR 50 Appendix B requirements and also to satisfy the at-power and the end-to-end system testings, as required by the SER for the post-installation inspection.
i P
%
..
.
.
'
.
l
.
'C.
Other Considerations (1)
Diversity i
The licensee supplied an equipment list to the
inspectors, and this was verified by the inspectors j
through a plant walkdown.
The DAFAS design used_the i
existing safety related steam generator wide-range
!
level instrument for the input signal and sent an
actuation signal to the existing safety related AFW
,
system.
The DAFAS equipment was diverse from that used in the Reactor Protection System (RPS) in that the DAFAS logic system used a computer circuit board with solid state I/O modules (MODICON) while the RPS l
used a bistable electro-mechanical system.
The
'
DAFAS energized to actuate while the RPS de-energized to actuate.
The DAFAS interface with the
'
AFW system was through a relay which was not used in the RPS.
This relay was of a different manufacturer than that of the AFAS solid state relays.
(2)
Safety Related Interfaces
- f
>
Areas where the ATWS system interfaced with existing safety related and non-safety related systems were
'
inspected.
The physical interfaces were in
agreement with the plant's approved-procedures, and j
the electrical interfaces were protected'by approved
.
I isolators.
Installation diagram F402 OC-1371.was reviewed for the fiber optic cable installation
-,
along with the 3M Company keyed bayonet connection o
cable assemblies and field mount connection product bulletin (BUP #78069-1806-6).
In addition, the
'
inspectors reviewed the 6100 hot melt fiber optic connection field termination manual and optic connection product ~ bulletin.
The inspectors also reviewed the licensing document
,
change request for DAFAS.
For Palo Verde, Design Change Packages 1,2,3FS-SB-064 were issued to
{
install DAFAS in accordance with'the ATWS Rule.
The inspectors considered the licensee implementation of
.
'
the safety related interfaces to be acceptable.
(3)
Setpoints The inspectors reviewed the setpoint calculation
,
.
-..
.
.
-.
.
~
i
j
!
-
using " Calibration of Trip Setpoint Values Plant
'
Protection System", Document Number CEN-286 (v)
'
Revision 2, dated August 29, 1986.
No concerns were
'
identified.-
!
(4)
Separation
The inspectors walked down applicable ATWS system
!
wiring and inspected panel wiring for all of the
'!
systems.
No separation concerns were identified.
'l t
(5)
Environmental Qualification l
{
The inspectors reviewed the following topic areas to j
ensure that the DAFAS Class 1E~ system was_ capable of
_
performing its intended safety function under
{
environmental, seismic and electromagnetic and radio frequency noise conditions.
The equipment was
.,
installed in a mild environment at Palo VerdeJand
did not require environmental qualification.
Therefore, environmental qualification requirements
of 10 CFR 50.49 were not applicable.
The equipment inside the DAFAS cabinets and the DAFAS-' equipment housed inside the plant protective' cabinet (PPC),
[
auxiliary relay cabinet (ARC), and. electronic
isolation system (EIS)' cabinet were qualified for.
"
the environmental conditions inside the cabinets.
!
The DAFAS was tested in accordance with IEEE-STD-
'
323-1974, "IEEE Standard for Qualifying Class 1E-Equipment for Nuclear Power _ Generating Stations," to
,
confirm acceptable system behavior in more than
>
expected operating environmental conditions (i.e.
temperature and humidity etc.).
The licensee.
!
considered the effects of temperature, humidity,
I pressure, in-plant vibration, and radiation insignificant.
No concerns were identified.
[
t (6)
Seismic Qualification l
Although, the DAFAS system was not required to bei
!
Class 1E qualified, the DAFAS equipment.was mounted consistent with seismic requirements for Class 1E safety-related equipment.
The DAFAS equipment was tested _and qualified in accordance with IEEE 344-l 1975, "IEEE Recommended Practices for Seismic t
Qualification of Class 1E-Equipment for Nuclear
Power Generating Stations," to enhance the system l
performance'and reliability'by exceeding the seismic-l
f
.
.I k
t t
A
-
~. -
t
.
'
,
-
qualification acceptance criteria of existing i
'
t (7)
Electromagnetic and Radio Frequency Interference (EMI/RFI)' Qualification
.
.
Although there were no specific NRC endorsed standards for EMI/RFI qualification at this time,
'
the DAFAS was subjected to EMI susceptibility.
testing in accordance with MIL-STD-461 Revision C,
'
" Electromagnetic Emission and. Susceptibility Requirements for the Control of Electromagnetic Interference," and MIL-STD-462, " Measurement.of.
Electromagnetic Interference Characteristics."
The EMI test consisted of performing three conducted susceptibility (CS) tests-(CS01, CS02, CS03) and two radiated susceptibility (RS) tests'(RS02, RSO3).
The scope of the EMI test conducted by Wyle
..
Laboratories for Palo Verde was to. determine which frequencies and voltage levels (EMI characteristics)
the DAFAS equipment was susceptible to.
The test
-
setup was conservative from the point of view of
,
EMI, in that the test sample was-totally without enclosure shielding of any kind.
The inspector reviewed the EMI and.RFI qualification data to assure that the equipment was qualified for its operating environment.
. Based on this. review,
'
the inspector had the following concerns:
(a)
DAFAS susceptibility to EMI in the frequency range of 30 Hz to 9 kHz-was unknown.
Conducted
'
EMI intensity levels and corresponding levels could not be developed for CS01 test (30 Hz to 50 kHz).
(b)
The DAFAS test specimen was found susceptible
-
to selected frequencies attributable to power line conducted EMI and to selected frequencies of other electromagnetic fields.
'
(c)
The licensee did r.ot demonstrate that the installed DAFAS was compatiole with.the Palo Verde EMI/RFI envircnment.
The-licensee referenced the Arkansas nuclear one Unit 2
~
>
(ANO-2) Core Protection Computer System (CPCS)
Site Survey.(performed in 1987).
This survey, which reportedly identified potential EMI/RFI t
sources compatible to.Palo Verde, was not
,
h l
-
...
.
i L
/Ii
.
,
available at the time.of the inspection.
The
!
licensee did not demonstrate the correlation
!
between the ANO-2 Survey,and the Palo Verde j-environment.
]
The above concerns and the lack of design basis and h
plant specific acceptance criteria.for EMI/RFI were
the items summarized in Section 4 as one of the
,
items for. future inspection.
,
.1 (8)
Training.
Nuclear Administrative and Technical Manual Procedure 15DP-0TRS2, " Licensed Operator-Continuing-
Training - Training Program Description,": identified
{
the technical training requirements for licensed-operators.
Under the guidelines'of this procedure,
'
the licensee issued Lesson Number NUL85-00-RC-001-000, " Diverse AuxFeed Actuation System," dated February 8, 1993, for the training of the licensed
[
operators.
Similarly, the' licensee stated that the ATWS I
functions will be simulated in the new. simulator, l
vhich was scheduled to be operational by the end of j
I 1993.
The licensee also stated that the old simulator will be upgraded with ATWS features after l
the relocation in'1994 and that the local ATWS panel
!
functions will not be simulated.
.i The inspector reviewed the lesson plan.
The two-
_l hour training on DAFAS for. licensed operators appeared to be adequate.
Although the ATHS features
'
were not available on the simulator when theLATHS equipment was installed, theEsimulator modification
,
schedule appeared to be' adequate.
No violations or deviations were identified.
i-4.
Summarv
The licensee installed the ATWS equipment adequately to meet
the requirements of the ATWS rule, 10 CFR 50.62.- - In general, the physical arrangement and installation appeared to be in
,
accordance with the NRC staff safety evaluation report on the j
equipment.
t The diverse auxiliary feedwater actuation _ system (DAFAS),
!
portion of.the ATWS system, was: installed as safety grade,
!
!
l l
(
i
,
- -. *
-
.
_
.
..
.
!
'
t
,
t
,
' exceeding the quality requirements of Generic Letter 85-06,
\\
" Quality Assurance Guidance for ATWS Equipment That is Not
.
Safety-Related."
However, the licensee did not provide to the
.:J inspectors sufficient documentation to support the safety quality classification of the diverse auxiliary feedwater actuation system (DAFAS) software.
The documents reviewed did'
not qualify the DAFAS software to be safety grade.
,
f The licensee did not provide plant specific acceptance.
criteria and the design basis for such criteria in regard to electromagnetic and radio frequency interference.
The licensee did not demonstrate the correlation between the referenced survey and the Palo Verde' environment.
Until these'
items are resolved, the Palo Verde ATWS cannot be considered qualified with respect to EMI/RFI.
l
The licensee did not include an DAFAS system bypass
- '
annunciation on the main control board.
The duplication of DAFAS annunciation on the main control board was not complete.
The licensee initiated an engineering review of'the quality
_
classification of DAFAS and also contacted the vendor-for
'l additional documents in support of DAFAS equipment.
e
!
No violations or deviations were identified.
!
The follow-up of the above issues will be subject.of future inspections.
The documentation did not support the qualification of the diverse auxiliary feedwater actuation i
system (DAFAS) as a safety grade-system.
The' safety grade qualification of the DAFAS system was discussed-with' the_
'
Director of onsite Engineering and the licensee staff.
The
licensee acknowledged that a reevaluation of their
!
classification of DAFAS as a safety grade system needs to be performed.
(Unresolved Item (50-528/93-07-01).
l An unresolved item is a matter about which more information is required to ascertain whether it is an acceptable item, a
deviation, or a violation.
,
5.
Exit Meeting
The inspectors conducted an exit meeting on March.5, 1993, t
with members'of the licensee staff as indicated in Section~1.
During the exit meeting, the inspectors summarized the-scope
[
of the inspection activities'and reviewed the inspection findings--as described in this report.
The_ licensee acknowledged the. concerns identified in the report.
l
t
!
~
l