L-MT-05-107, Reply to Revised Notice of Violation Dated September 22, 2005

Reply to Revised Notice of Violation Dated September 22, 2005
ML053050182
Person / Time
Site: Monticello
Issue date: 10/24/2005
From: Conway J
Nuclear Management Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
IR-05-003, L-MT-05-107


Text

Committed to Nuclear Excellence

Monticello Nuclear Generating Plant
Operated by Nuclear Management Company, LLC

October 24, 2005
L-MT-05-107
10 CFR 2.201

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555-0001

Monticello Nuclear Generating Plant
Docket 50-263
License No. DPR-22

Reply to Revised Notice of Violation Dated September 22, 2005

References:

1) NRC to NMC, "Monticello Nuclear Generating Plant, NRC Integrated Inspection Report 05000263/2005003 and Notice of Violation," dated July 27, 2005
2) NMC to NRC, "Reply to Notice of Violation", L-MT-05-090, dated August 26, 2005
3) NRC to NMC, "Revised Notice of Violation (Inspection Report 05000263/2005003)," dated September 22, 2005

In Reference 1, the U.S. Nuclear Regulatory Commission (NRC) issued a Severity Level IV Notice of Violation (NOV) for a failure of Nuclear Management Company, LLC (NMC) to notify the NRC Operations Center within eight hours of the actuation of certain systems on April 2, 2005, at the Monticello Nuclear Generating Plant in accordance with 10 CFR 50.72(b)(3)(iv)(A).

In Reference 2, the NMC denied the violation because 1) the NOV cited the activation of systems such as Standby Gas Treatment and the Control Room Emergency Filtration Systems that are not listed under 10 CFR 50.72(b)(3)(iv)(B) as reporting requirements and 2) the partial Primary Containment Isolation System (PCIS) Group II isolation was not a valid actuation and therefore was not reportable.

In Reference 3, the NRC issued a revised NOV that limited the scope of the violation to the partial PCIS Group II isolation and provided the basis for the staff's belief that the actuation was valid.

2807 West County Road 75 • Monticello, Minnesota 55362-9637 • Telephone: 763.295.5151

This letter provides an evaluation which concludes that the partial PCIS Group II isolation was not required to mitigate the consequences of an event, therefore the actuation was invalid. Consequently, the NMC respectfully denies the revised violation.

The enclosure, "Reply to the Revised Notice of Violation," explains the basis for this denial.

This letter contains no new commitments and makes no revisions to existing commitments.

J. T. Conway
Site Vice President, Monticello Nuclear Generating Plant
Nuclear Management Company, LLC

Enclosure

cc: Administrator, Region III, USNRC
Project Manager, Monticello, USNRC
Resident Inspector, Monticello, USNRC
Director, Office of Enforcement, USNRC

REPLY TO THE REVISED NOTICE OF VIOLATION

On September 22, 2005, the NRC issued a revised Notice of Violation (Inspection Report 05000263/2005003) which states:

During an NRC inspection conducted from April 1, 2005, through June 30, 2005, a violation of NRC requirements was identified. In accordance with NRC Enforcement Policy the violation is listed below:

Section (b)(3)(iv)(A) of 10 CFR 50.72 requires the licensee to notify the NRC Operations Center as soon as practical and in all cases within eight hours of the occurrence of any event or condition that results in a valid actuation of any of the systems listed in paragraph (b)(3)(iv)(B) except when the actuation results from and is part of a pre-planned sequence during testing or operation.

Contrary to the above, on April 2, 2005, the licensee failed to make a required notification to the NRC when it experienced a valid partial Primary Containment Isolation System, Group II actuation, a system specified under 10 CFR 50.72 as being reportable upon a valid actuation. As of June 30, 2005, the licensee failed to notify the NRC Operations Center, a period in excess of eight hours.

This is a Severity Level IV violation (Supplement I).

RESPONSE

The Nuclear Management Company, LLC (NMC) has reviewed this event against the criteria in 10 CFR 50.72(b)(3)(iv)(A) and (B) and has determined that a valid actuation did not occur for the system in question at the Monticello Nuclear Generating Plant (MNGP) on April 2, 2005.

I. BASIS FOR DISPUTING THE VIOLATION

10 CFR 50.72(b)(3)(iv)(A) requires a licensee to notify the U.S. Nuclear Regulatory Commission (NRC) Operations Center within eight hours of the occurrence of:

Any event or condition that results in valid actuation of any of the systems listed in paragraph (b)(3)(iv)(B) of this section except when the actuation results from and is part of a pre-planned sequence during testing or reactor operation.


The event was reviewed against the criteria of 10 CFR 50.72(b)(3)(iv)(A) and (B), and Revision 2 of NUREG-1022.[1] The review indicated that the event was not reportable because:

  • The actuation of the radiation monitors did not result from the measurement of actual physical system parameters, i.e. radiation levels, which were at their setpoint.
  • The radiation monitors did not actuate to mitigate the consequences of an event.

A. DETERMINATION OF VARIABLES INITIATING SAFETY FUNCTIONS

Standard Review Plan Section 7.3, Engineered Safety Features Systems,[2] states "The accident analysis described in Chapter 15 of the [safety analysis report] establishes the bases for monitored variables and the values of monitored variables ... used to initiate protective system actions." NMC is committed to IEEE-279,[3] for the MNGP, which was applied to the design of the Reactor Protection System, and also to other Engineered Safety Feature (ESF) systems, such as those for containment isolation. IEEE-279 states in Section 4.1, General Functional Requirements:

The nuclear power plant protection system shall ...automatically initiate appropriate protective action whenever a plant condition monitored by the system reaches a preset level.

Section 3 of IEEE-279 states the design basis should document:

The plant conditions which require protective action [and] the plant variables (e.g., neutron flux, coolant flow, pressure, etc.) that are required to be monitored in order to provide protective actions.

Section 4.8 of IEEE-279 states "protection system inputs shall be derived from signals which are direct measures of the desired variables." These variables which are utilized in the safety analyses are generally ESF signals and are included in the plant Technical Specifications.

[1] NUREG-1022, Revision 2, "Event Reporting Guidelines 10 CFR 50.72 and 50.73," dated October 2000.

[2] NUREG-0800, Standard Review Plan, Revision 2, Section 7.3, "Engineered Safety Features Systems," Item I., Areas of Review, third paragraph, dated July 1981.

[3] ANSI/IEEE-279, "Proposed Criteria for Protection Systems for Nuclear Power Generating Stations," dated August 1968.


MNGP Technical Specification (TS) Table 3.2.4[4] lists the following plant variables assumed in the safety analyses to isolate reactor building ventilation, initiate the Standby Gas Treatment (SBGT) System and close select Group II Primary Containment Isolation System (PCIS) isolation valves.

(1) reactor vessel water level, (2) drywell pressure, (3) reactor building exhaust high radiation, and (4) refueling floor exhaust high radiation.

These are the plant variables monitored to initiate protective actions in response to a change in the actual plant conditions or parameters, i.e., a change exceeding TS setpoints, to initiate the safety functions of the above systems. The refueling floor and reactor building exhaust high radiation signals are listed above as two of the initiating plant variables; a loss of power to the radiation monitors is not an initiating plant variable, is not credited in the safety analyses, and is not included within the TS.

B. SAFETY FUNCTIONS VERSUS DESIGN REQUIREMENTS

In the September 22, 2005 NOV, the staff stated they 'considered the licensee's definition of the design and safety functions of the radiation monitors to be incomplete with regard to the "valid" signals intended to cause an actuation of the PCIS, Group II isolation.' The staff referred to GDC-23[5] and an equivalent commitment made for MNGP to draft GDC-26[6] as the basis for their determination that NMC's definition of the design and safety function of the radiation monitors was incomplete. Draft GDC-26 states:

The protection systems shall be designed to fail into a safe state or into a state established as tolerable on a defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or adverse environments (e.g., extreme heat or cold, fire, steam, or water) are experienced.

A typical safety related system/component has several functions, some of which are safety functions. Safety functions are a subset of design functions.

As described in the Updated Safety Analysis Report (USAR), the refueling accident offers the greatest potential for radioactive release via the reactor building ventilation exhaust. To mitigate the consequences of this accident, the safety functions of the reactor building plenum and fuel pool high radiation monitors are to isolate reactor building ventilation, start the SBGT System and isolate secondary containment, and close select Group II primary containment isolation valves upon detection of abnormal radiation levels.

[4] MNGP TS Table 3.2.4, "Instrumentation That Initiates Reactor Building Ventilation Isolation And Standby Gas Treatment System Initiation."

[5] 10 CFR 50 Appendix A, General Design Criteria (GDC), Criterion 23, "Protection System Failure Modes."

[6] MNGP is committed to Draft General Design Criterion 26, "Protection Systems Fail-Safe Design," in Appendix E, Section 2.4 of the Updated Safety Analysis Report.

NMC agrees with the staff that the refueling floor and reactor building exhaust plenum radiation monitors are designed to fail into a safe state on a loss of power by registering an upscale tripped condition, which is a design function of the radiation monitors. Variables that initiate the safety function were discussed previously in Section A.

Requiring systems to fail to a safe state upon a loss of power is a design requirement not a safety function. The design of the radiation monitor circuitry is such that on a loss of power, relays open and auxiliary relays in-turn actuate resulting in the system/component actuations previously described.

The safety function of the radiation monitors is to sense and measure radiation levels at specific plant locations and initiate the systems/components previously discussed when the measured values exceed the TS setpoint. Example 1 in NUREG-1022[7] supports the position that safety function setpoints originate at the sensor.

The automatic signals were valid because they were generated from the sensor by measurement of an actual physical system parameter that was at its setpoint.

In the MNGP case the actual physical system parameter is the radiation level measured at the detector (sensor). The definition of an instrument channel[8] in the MNGP TS states "An instrument channel means an arrangement of a sensor and auxiliary equipment required to generate and transmit to a trip system, a single trip signal related to the plant parameter monitored by that instrument channel." No parameter is measured or monitored for a loss of power to the radiation monitors. A loss of power signal for the radiation monitors is not credited in safety analyses or prescribed in the TS. No degraded or loss of voltage settings are specified for the radiation monitors, as is the case with the degraded voltage safety function and loss of voltage safety function credited for the EDGs in the safety analyses.

Contrast this against the degraded and loss of voltage safety functions specified for the EDG in the safety analyses (and controlled during operation by the TS). The safety function of the EDGs is to provide power to the essential loads to shut down the reactor and maintain it in a safe shutdown condition, remove residual heat, control the release of radioactive material, or mitigate the consequences[9] of anticipated operational occurrences or design basis accidents. The degraded and loss of voltage trip settings for the EDG are safety functions required for the EDG to perform its safety function.

[7] NUREG-1022, Revision 2, page 50, Example 1, "RPS Actuation."

[8] MNGP TS Section 1, "Definitions," Item Q.1, "Protective Instrumentation Logic Definitions, Instrument Channel."

For the radiation monitors, only when an actual high radiation signal is measured, as opposed to a loss of power, is a condition created where one of the four safety functions specified in 10 CFR 50.72 and 50.73, i.e., control of the release of radioactive material, is applicable. A loss of power signal to the radiation monitors is not indicative of the occurrence of an actual plant condition requiring system/component operation to meet any of the four safety functions[10] "that are required during any plant mode or accident situation as described or relied on in the plant safety analysis report."

Fulfillment of the design requirement to fail to a safe state upon a loss of power does not equate to measurement of an actual physical system parameter that is at its TS trip setpoint. Revision 2 of NUREG-1022 states:

Valid signals are those signals that are initiated in response to actual plant conditions or parameters satisfying the requirements for initiation of the safety function of the system. They do not include those which are the result of other signals.

Valid signals are signals initiated due to the actual monitored process variables, i.e., the actual plant conditions or parameters assumed in the safety analyses, where the trip setpoints for the conditions/parameters are exceeded, requiring actuation of the safety function of the associated systems. Conversely, signals from sources not representing actual plant conditions or parameters assumed in the safety analyses are invalid, since they are initiated in response to conditions not requiring initiation of the safety function of the system.

A loss of power to the radiation monitors is not identified in the MNGP safety analyses as a monitored process variable and hence a loss of power to the monitors was not included in the MNGP TS. A loss of power to the radiation monitors is not indicative of an actual plant condition requiring containment isolation and release filtration, i.e., the safety function of the systems and components initiated by the radiation monitors. Therefore, a loss of power to the radiation monitors as occurred at MNGP, because this process variable is not assumed in the safety analyses and not representative of an actual high radiation condition, is an example of an "other signal" as defined in Revision 2 of NUREG-1022 and is therefore an invalid signal.

[9] These are the four general safety functions specified in 10 CFR 50.72(b)(3)(v) and 10 CFR 50.73(a)(2)(v).

[10] NUREG-1022, Revision 2, page 54, fourth paragraph.


Further, no event is, or could be, mitigated upon a loss of power to the radiation monitors. No plant transient or accident is triggered based upon a loss of power to the radiation monitors. Actuation of the radiation monitors due to a loss of power (the design function) fits the definition of a non-reportable condition, where NUREG-1022 states:

Actuations that need not be reported are those initiated for reasons other than to mitigate the consequences of an event.

C. VALID SIGNALS RELATIONSHIP TO ESF SIGNALS

Safety systems and initiating signals are discussed in the safety analysis report.

The refueling floor and reactor building plenum radiation monitor signals, in response to high radiation conditions, are credited in the safety analyses and specified in the plant TS as performing protective safety functions. A loss of power signal to the radiation monitors is not credited in the safety analyses or specified in the plant TS.

It is instructive to review Revision 1 of NUREG-1022[11] to consider how valid signals are determined. Revision 1 stated that the valid signals required to be reported were ESF signals.

Valid ESF signals are those signals that are initiated in response to actual plant conditions or parameters satisfying the requirements for ESF initiation. Note this definition of "valid" requires that the initiation signal must be an ESF signal. This distinction eliminates actuations which are the result of non-ESF signals from the class of valid actuations.

[emphasis added]

With Revision 2 of NUREG-1022 the sentences underlined above were eliminated and valid signals[12] described as:

Valid signals are those signals that are initiated in response to actual plant conditions or parameters satisfying the requirements for initiation of the safety function of the system. They do not include those which are the result of other signals.

[11] Revision 1 of NUREG-1022 was not applied in determining the reportability of the April 2, 2005, loss of power event. Revision 2 was the source of reportability guidance.

[12] "Other signals" were identified in Revision 1 as non-ESF signals and classified as invalid.


Removal of the term ESF[13] and the replacement with a list of those highly risk-significant systems for which valid actuations are to be reported does not change reporting requirements beyond re-scoping the applicable systems. The ESF system signals[14] initiated in response to actual plant conditions or parameters satisfying the safety function initiation requirements are still the same. The few, new, formerly non-ESF systems that were added, have signals that are initiated in response to actual plant conditions or parameters that satisfy the initiation of the safety function of the associated systems.

The NMC does not believe that the revision of NUREG-1022 was designed to change the intent of what was to be reported as valid actuations with the transition from Revision 1 to 2. Rather, only the scope of systems for which actuations were to be reported under this criterion was to be changed.

Therefore, signals which formerly clearly did not perform a safety function, since they were not provided in response to actual plant conditions or parameters assumed in the safety analyses, and hence, were not reportable under Revision 1, continue to be not reportable under Revision 2 of NUREG-1022.

D. DISCUSSION OF NUREG-1022 EXAMPLES

The NRC staff states in the revised NOV that Example 7[15] referred to as analogous by NMC in the reply to the NOV dated August 26, 2005 was not analogous to the MNGP event. Example 7 describes an event where an actuation signal during a maintenance activity "resulted from a loss of continuity of a jumper used to prevent an actuation signal during maintenance, a situation that did not involve actual plant conditions or parameters being present that would normally cause a system actuation." The NRC concluded in NUREG-1022 that for Example 7 the event was not reportable under 10 CFR 50.72(b)(2)(iv) or (b)(3)(iv) because the actuations were not valid. The NRC stated in the NOV, "In the Monticello case, the PCIS actuation signal was generated as a direct result of the radiation monitors sensing an actual plant condition or parameter that existed and was a part of the safety function of the system."

[13] Previously, reporting the actuation of any ESF was required. Now reporting of those highly risk-significant systems listed in the regulation is required. These highly risk-significant systems include mostly ESF and a few non-ESF systems. Reporting actuations of certain low risk significant, mainly ventilation, ESF systems is no longer required. However, the vast majority of systems required to be reported are those systems formerly identified in the regulation as ESF systems.

[14] A high radiation condition sensed by the refueling floor or reactor building exhaust plenum radiation monitors would constitute an ESF signal.

[15] NUREG-1022, Revision 2, page 53, Example 7, "Actuation During Maintenance Activity."


The NMC does not agree with this position because the PCIS Group II actuation signal at the MNGP was not generated as a result of the radiation monitors sensing an actual plant condition or parameter corresponding to the safety function of the system. The radiation level was not above the trip setpoint (2 100 mr/hour), the initiation level for the safety function of the monitors. Measured radiation level was less than 2 mr/hour. The trip on a loss of power was generated by the radiation monitors as a design feature to fail safe on a loss of power. It did not represent a sensed response to a process variable assumed in the safety analyses, i.e., in this case the ambient radiation level at certain locations. An actual plant condition pertaining to the safety function of the radiation monitors did not exist.

Also, the NRC staff stated in the revised NOV that Example 3 was a more appropriate example to illustrate the reportability guidance for the Monticello event. Example 3 as stated in the NOV, describes an event where an emergency diesel generator automatically started[16] when "a technician inadvertently caused a short circuit that de-energized an essential bus during a calibration. The actuation was valid because the actuation signal was the result of the system sensing an actual plant condition or parameter for which the system was designed to respond, i.e., the essential bus was de-energized."

The NMC agrees that Example 3 is reportable, but it is not relevant to the loss of power event for the radiation monitors at the MNGP. In Example 3 the EDG actuated to mitigate the consequences of a loss of essential bus voltage. This is an ESF function for the EDGs assumed in the safety analyses. Trip settings for degraded and undervoltage conditions are included in the TS as the process parameters that initiate the safety function of the EDGs. Therefore, in this example's case the actual physical system parameter (bus undervoltage or loss of voltage) was at its set point. The actuation of the EDG was valid because loss or degraded voltage on a safeguards bus is one of the signals assumed in the safety analyses as a safety function to initiate operation of the EDGs.

The MNGP partial PCIS, Group II isolation is not analogous to this example because the radiation monitors did not respond to an actual plant condition, high radiation. A loss of power to the radiation monitors is not a safety function signal for the radiation monitors. Only a high radiation signal is included in the plant TS.

[16] NUREG-1022, Revision 2, page 51, Example 3, "Emergency Diesel Generator (EDG) Starts."


E. SUMMARY

1. NUREG-1022 distinguishes between a valid signal initiated in response to actual plant conditions or parameters satisfying the requirements for initiation of the "safety function of the system" and invalid signals that are "other" signals that do not meet the criteria for being valid. NUREG-1022 states, consistent with design standards that a valid signal originates at a sensor by measurement of an actual physical system parameter that is at its set point.
2. The actuation of the radiation monitors did not result from the measurement of actual physical system parameters, i.e. radiation levels, which were at their setpoint.
3. The radiation monitors did not actuate to mitigate the consequences of an event.

When the event is a loss of power to the radiation monitors, the monitors do not perform a safety function to mitigate the consequences of an event. Valid actuations in accordance with NUREG-1022 are concerned only with the initiation of the safety functions of a system. A loss of power to a radiation monitor therefore is an invalid signal.

As the partial Primary Containment Isolation System, Group II actuation was initiated for reasons other than to mitigate the consequences of an actual event and was not in response to an actual plant parameter that had reached its setpoint, in accordance with the guidance of NUREG-1022 this was an invalid actuation and the event is not reportable under 10 CFR 50.72(b)(3)(iv)(A).

II. CORRECTIVE STEPS THAT HAVE BEEN TAKEN AND THE RESULTS ACHIEVED

Not Applicable

III. CORRECTIVE STEPS THAT WILL BE TAKEN TO AVOID FURTHER VIOLATIONS

Not Applicable

IV. DATE WHEN FULL COMPLIANCE WILL BE ACHIEVED

Full compliance has been, and continues to be maintained, since the date of the event on April 2, 2005.
