ML031750860
| ML031750860 | |
| Person / Time | |
|---|---|
| Site: | Kewaunee  |
| Issue date: | 06/19/2003 |
| From: | Caldwell J NRC/RGN-III |
| To: | Coutu T Nuclear Management Co |
| References | |
| EA-03-109 IR-02-007 | |
| Download: ML031750860 (14) | |
See also: IR 05000305/2002007
Text
June 19, 2003
Mr. Thomas Coutu
Site Vice President
Kewaunee Nuclear Plant
Nuclear Management Company, LLC
N490 Hwy 42
Kewaunee, WI 54216-9511
SUBJECT: KEWAUNEE NUCLEAR POWER PLANT
NRC INSPECTION REPORT 50-305/02-07(DRS)
Dear Mr. Coutu:
This refers to your letter dated April 4, 2003, denying the Non-Cited Violation of 10 CFR Part 50, Appendix B, Criterion III, that pertained to improper application and use of a common
non-safety related power supply to feed two redundant safety-related service water control
valve circuits. After consideration of your response, we have concluded that the violation of
10 CFR Part 50, Appendix B, Criterion III remains valid. The bases for our conclusion are
stated in the enclosed evaluation. In accordance with the NRC Enforcement Policy,Section VI,
licensees must take steps to address corrective actions for Non-Cited Violations. Furthermore,
licensees are required to restore compliance within a reasonable time after a violation is
identified. Failure to implement such actions will result in consideration of issuing a Notice of
Violation requiring a formal written response.
In accordance with 10 CFR Part 2.790 of the NRC's Rules of Practice, a copy of this
letter and its enclosure will be available electronically for public inspection in the NRC
Public Document Room or from the Publicly Available Records (PARS) component of
NRC's document system (ADAMS). ADAMS is accessible from the NRC Web site at
http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).
Sincerely,
/RA/
James L. Caldwell
Deputy Regional Administrator
Docket No. 50-305
License No. DPR-43
Enclosure: As stated
cc w/encl: D. Graham, Director, Bureau of Field Operations
Chairman, Wisconsin Public Service Commission
State Liaison Officer
Mr. Thomas Coutu
Site Vice President
Kewaunee Nuclear Plant
Nuclear Management Company, LLC
N490 Hwy 42
Kewaunee, WI 54216-9511
SUBJECT: KEWAUNEE NUCLEAR POWER PLANT
NRC INSPECTION REPORT 50-305/02-07(DRS)
Dear Mr. Coutu:
This refers to your letter dated April 4, 2003, denying the Non-Cited Violation of 10 CFR Part 50, Appendix B, Criterion III, that pertained to improper application and use of a common
non-safety related power supply to feed two redundant safety-related service water control
valve circuits. After consideration of your response, we have concluded that the violation of
10 CFR Part 50, Appendix B, Criterion III remains valid. The bases for our conclusion are
stated in the enclosed evaluation. In accordance with the NRC Enforcement Policy,Section VI,
licensees must take steps to address corrective actions for Non-Cited Violations. Furthermore,
licensees are required to restore compliance within a reasonable time after a violation is
identified. Failure to implement such actions will result in consideration of issuing a Notice of
Violation requiring a formal written response.
In accordance with 10 CFR Part 2.790 of the NRC's Rules of Practice, a copy of this
letter and its enclosure will be available electronically for public inspection in the NRC
Public Document Room or from the Publicly Available Records (PARS) component of
NRC's document system (ADAMS). ADAMS is accessible from the NRC Web site at
http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).
Sincerely,
/RA/
James L. Caldwell
Deputy Regional Administrator
Docket No. 50-305
License No. DPR-43
Enclosure: As stated
cc w/encl: D. Graham, Director, Bureau of Field Operations
Chairman, Wisconsin Public Service Commission
State Liaison Officer
- See Attached Emails
DOCUMENT NAME: G:DRS\ML031750860.wpd
- See Previous Concurrence
To receive a copy of this document, indicate in the box: "C" = Copy without attachment/enclosure "E" = Copy with attachment/enclosure "N" = No copy
OFFICE RIII ** RIII ** NRR * OE * NRR *
NAME ZFalevits:aa JLara APal per email JDixon-Herrity NTreham
for FCongel per email
DATE 5/15/03 5/21/03 04/21/03 5/27/03 02/14/03
OFFICE RIII * RIII * RIII NRR * RIII
NAME CPederson KLambert for PLouden JLamb per JCaldwell
BClayton email
DATE 6/8/03 6/3/03 6/5/03 02/14/03 6/19/03
OFFICIAL RECORD COPY
T. Coutu -2-
ADAMS Distribution:
F. Congel, OE
J. Dixon-Herrity, OE
D. Dambly, OGC
L. Dudes, NRR
WDR
JGL1
RidsNrrDipmIipb
GEG
JFL
DRPIII
DRSIII
PLB1
JRK1
OEMAIL
ENCLOSURE
NRC RESPONSE TO NUCLEAR MANAGEMENT COMPANYS DENIAL OF NON-CITED
VIOLATION 50-305/02-07(DRS)
Restatement of Non-Cited Violation 50-305/02-07(DRS)
On February 21, 2003, Inspection Report 50-305/02-07(DRS) was issued. The inspection
report included the following Non-Cited Violation in the Summary of Findings:
- Green. A finding of very low safety significance associated with a Non-Cited Violation of
10 CFR Part 50, Appendix B, Criterion III, Design Control, was identified that pertained
to improper application and use of a common non-safety related power supply to feed
two redundant safety-related circuits. This was not in accordance with the plant
engineering specification procedure, the Updated Safety Analysis Report and the
applicable Electrical and Electronics Engineers Standards.
This finding was more than minor because this finding was associated with design
control attributes which affected the Mitigating Systems Cornerstone objective to ensure
the reliability and capability of the component cooling water (CCW) system to respond to
initiating events to prevent undesirable consequences. The use of a common balance
of plant (non-safety) power supply to feed redundant safeguard electrical circuits, the
lack of adequate electrical separation, and evaluation of seismic qualifications of some
of these redundant circuits and components have the potential to upset plant stability,
challenge critical safety functions during shutdown as well as power operations, and
could potentially affect the reliability and capability of the CCW system to respond to
This design deficiency finding is assessed as Green because it did not result in an
actual loss of the CCW systems safety function. A review of the system design
identified a number of electrical separation issues, but did not result in any immediate
operability concerns. This provides reasonable assurance that there has not been an
actual loss of system function due to this condition. Therefore, this issue was screened
out of the significance determination process as Green (Section 1R17).
Description of Design Change
Design Change Request (DCR) 3163 was initiated on January 30, 2000, to align the service
water (SW) system on a safety injection (SI) signal to maximize flow to the containment fan
coil units early in the event of an accident. Specifically, the design change modified the
control circuits for SW to component cooling water (CCW) heat exchangers temperature
control valves CV-31406/SW-1306A (Train A) and CV-31407/SW-1306B (Train B). The
design change modified the control logic and added new control switches, relays, and
solenoid valves, which would cause the SW-1306A/B valves to open on a SI signal and on
loss of the non-safety control power. The DCR documented that actuators for SW-1306A/B,
the SI relay contacts, the new switches, relays, and the cabling from the existing relays to
the new relays were all classified QA1 (safety-related) and were to be separated per plant
Kewaunee Engineering Specification ES-9010, Cable Installation and Separation Criteria,
and IEEE Standard 308-1971, Criteria for Class 1E Electric Systems for Nuclear Power
Generating Stations. Also, the safety evaluation for this DCR stated that the power supply
ENCLOSURE
for the control circuit remained the same and that the new valves were powered from separate
power supplies, separated as required by Engineering Specification ES-9010.
Use of Common Non-Safety Related Power Source to Feed Redundant Safety Circuits
The inspectors determined that the licensee failed to apply the needed Class 1E separation
requirements to the 120 Vac power supplies and fuses that feed the two redundant and safety-
related valve control circuits. The inspectors noted however, that the licensee did apply the
required Class 1E separation to the electrical components used in the same circuits such as
relays, switches, solenoids, the interconnecting wiring and the routing of cables. For some
reason, this separation requirement was not applied to the 120 Vac power supplies. The
licensee used the same common non-safety related power source to feed both of the safety-
related valve control circuits. The non-safety related power supply is not considered quality
power that is free from adverse voltage and current transients, which can disturb component
operation. The licensee failed to address the effect of non-safety related power supply on the
solenoids. The non-safety power supply may have a detrimental effect on the solenoids and
the solenoids could be degraded so that they may not perform their intended safety function.
Two independent reviewers from the Electrical and Instrumentation and Control Branch in the
Office of Nuclear Reactor Regulation also reviewed this electrical separation issue and
concurred with the non-cited violation and RIIIs assessment of this issue.
NRC Response to the Violation Contested by the Licensee
In their reply to Non-Cited Violation 02-07-01, the licensee stated that they did not agree that
the design of the power and control circuits for the CCW control valves is in violation of plant
procedures, design basis documents or industry electrical design standards. However, on
page 8 of the response, the licensee agreed that a violation of 10 CFR Part 50, Appendix B,
Criterion III, did occur, but not against procedures, design basis documents, or industry
electrical design standards.
Licensees basis for denying the non-cited violation included the following:
(1) The licensee stated that the valves safety-related function is to open when a post accident
SI signal is present. This function is accomplished by de-energizing the solenoids that align
control air to the control valve actuators. Therefore, the licensee stated that there is sufficient
separation to fulfill the requirements and meet the ES-9010 intent, even though both redundant
valves control circuits are fed by a common non-safety related power supply.
NRC Response: The NRC does not agree with the licensees philosophy used whereby the
power feeds to two separate and redundant safety-related circuits do not have to be supplied
from safety-related and redundant sources (if the safety function of the safety-related Train A
and Train B control valves is accomplished by de-energizing the solenoids). As stated in detail
in report 02-07, the electrical configuration used to feed the valve control circuits is contrary to
plant design procedures, design basis documents and industry electrical design standards.
2
ENCLOSURE
When asked during the inspection, the licensee could not provide a plant, industry or NRC
document that approves or supports this electrical design philosophy.
(2) The licensee stated that when DCR 3163 was initiated, it took the plants existing control
valve circuit design (which was non-safety related) and upgraded portions of it to safety-related.
The newly added solenoids, control switches, control contacts, and control cabling for the
control valves were designed and classified as safety-related components. The DCR never
changed the existing power source. The portion of the control circuit that was upgraded is
separated according to the requirements of the ES-9010.
NRC Response: The NRC concern regarding this design change is that the DCR failed to
also upgrade the existing power source to the now upgraded safety-related components in
the redundant control valves circuits. Upgrading the power source from non-safety to
safety-related and providing redundant and safety-related power supplies to the valve control
circuits would ensure components associated with these valves would have been safety-related
and in compliance with plant procedures, design basis documents and industry electrical design
standards.
(3) The licensee stated that there is no single failure in the circuit design that would prevent
the safety-related function of both valves to open. There are no shorts or other circuit fault
conditions upstream or down stream of the safety-related interrupting contacts for the power
source to the valves solenoids that could cause a loss of both of the valves safety-related
function to open the valves.
NRC Response: Since the redundant safety-related circuits are being fed by a common
non-safety power source one can not provide assurance that a single failure in the non-safety
common source would not adversely affect both circuits. When the inspector asked that the
licensee provide an analysis or documentation to support their statements relative to the single
failure conclusions noted above, such an analysis was not available for review.
(4) The licensee stated that it is recognized that the non-qualified, non-safety portion of the
control circuit and power source leads to inadvertent or undesired opening of the temperature
control valves and a transient on the CCW system and upon the plant (undesirable reactivity
change), it is not an impact on any engineered safety feature and does not form a basis for
applying the ES, USAR, or IEEE electrical standards. Consequently, the licensee stated that a
loss of control that causes the valves to fail open is not truly relevant and should not be
considered when relating the circuit design to be compliant or not.
NRC Response: Relative to this issue, the inspectors documented in the inspection report that
on at least nine (9) separate occasions, between May 2000 and February 2003, control valves
SW-1306A and/or SW-1306B inadvertently opened, potentially causing an undesirable positive
reactivity addition in the reactor. These events occurred during normal plant operation due to
random grid disturbances, lightning strikes, and/or surveillance testing activities. Inadvertent
opening of valves SW-1306A and/or SW-1306B causes the CCW temp to decrease, and
potentially have a positive reactivity affect on the reactor. The inspectors also noted that
operator workaround 01-22 and abnormal procedure A-CC-31A, Abnormal Conditions in the
3
ENCLOSURE
Component Cooling System, were implemented during these events to bypass the letdown
demineralizer and to regain control of the system and prevent positive reactivity addition. In
addition, on June 21, 2002, the licensee concluded that as a result of the numerous instances
where valves SW-1306A and B have failed open, System 38 Function 04 (supplies 120VAC
QA2 power) has had repetitive maintenance preventable functional failures (MPFF) and was
considered (a)(2) degraded.
The inspectors determined that the lack of design control regarding reliable power sources (use
of non-safety related power sources in lieu of safety-related sources) and lack of adequate
electrical separation contributed to the inadvertent and unexpected opening of the control
valves and resulted in potential reactivity related events and a undesirable challenge to the
operators and the safeguard components and systems.
(5) Relative to the reference to IEEE Standard 308-1971, the licensee does not see this as an
applicable standard for control circuit in question.
NRC Response: Kewaunee is committed to IEEE Standard 308-1971. This standard is
applicable, in part, to vital instrumentation and control power systems including power supplies
that provide electrical power to Class 1E, safety-related and redundant electrical systems in
nuclear power generating stations.
(6) In the design of the power source to the valves in question, independence of power is not
required to ensure that the valve will open. If power were required to open the valve to ensure
its safeguards function, NMC would agree that independence would be necessary.
NRC Response: Electrical separation requirements to maintain independence, redundancy and
reliable operation of safety-related Class 1E electrical components and systems applies to
normally energized as well as to normally de-energized electrical circuits and systems. When
asked if this separation philosophy regarding normally energized circuits has been formally
documented and approved, the licensee could not provide documented evidence to support this
position.
(7) In summation, the design of the system at Kewaunee is sufficiently independent so as to
fulfill their intended safety functions. There is also adequate separation so that no single failure
(IEEE-279) can result in loss of a safety function for the valves.
NRC Response: The NRC disagrees with the conclusions arrived in the summation that the
design of the system for the control valves is sufficiently independent so as to fulfill their
intended safety functions. Per ES-9010, USAR, and applicable industry standards and codes,
safeguard components in Class 1E electrical circuits must meet electrical separation
requirements to ensure redundant circuit independence and system reliability. Separation
requirements need to be applied for the power supplies similar to the rest of the electrical
components in the safeguard, Class 1E circuits.
4
ENCLOSURE
During the inspection, the licensee was asked to conduct an extent of condition review to
determine if similar electrical separation applications existed in other safety-related systems.
The licensee could not identify other similar applications in safety-related circuits at Kewaunee.
NRC Conclusion:
NRC review of the licensees denial of the Non-Cited Violation determined that the bases for the
denial is not valid. Specifically, the NRC considers the use of a common non-safety related
power supply to feed redundant normally energized safeguard Train A and Train B electrical
circuits to be contrary to the requirements of Kewaunees design procedure ES-9010, the
USAR and the applicable industry standards and codes. The use of un-reliable non-safety
related power quality, with undervoltage, overvoltage and frequency variations, in safety-related
applications may have a detrimental effect on the solenoids which could be degraded such that
they may not perform their intended function. To address all potential failure modes of
redundant circuits in safety-related applications, it is essential that redundancy and electrical
separation of redundant safety-related circuits be maintained, including the power supplies to
the safety-related control circuits.
5
ENCLOSURE
Applicable Section from Inspection Report 50-305/02-07(DRS)
(for information only)
1R17 Permanent Plant Modifications (71111.17B)
Review of Recent Permanent Plant Modifications
a. Inspection Scope
The inspectors reviewed 17 permanent plant modifications that were performed by the
licensees engineering staff during the last two years, 10 of which were commercial
grade dedications. Three of the modifications affected the component cooling water
system and therefore, review of these modifications counted for completion of activities
under both NRC Inspection Procedures 71111, Attachments 17 and 21. The
modifications were reviewed to verify that the completed design changes were in
accordance with specified design requirements and the licensing bases and to confirm
that the changes did not affect the modified system or other systems safety function.
Calculations which were performed or revised to support the modifications were also
reviewed. As applicable to the status of the modification, post-modification testing was
reviewed to verify that the system, and associated support systems, functioned properly
and that the modification accomplished its intended function. The inspectors also
verified that the completed modifications did not place the plant in an increased risk
configuration. The inspectors evaluated the modifications against the licensees design
basis documents and the Updated Safety Analysis Report (USAR). The inspectors also
used applicable industry standards, such as the American Society of Mechanical
Engineers (ASME) Code and the Institute of Electrical and Electronics Engineers (IEEE)
Standards, to evaluate acceptability of the modifications.
b. Findings
Introduction: Green. The inspectors identified a Non-Cited Violation (NCV) of 10 CFR
Part 50, Appendix B, Criterion III, Design Control, that pertained to improper
application and use of a common balance-of-plant (BOP) non-safety power supply to
feed two redundant safety related control valve circuits.
Discussion: Design Change Request (DCR) 3163 was initiated on January 30, 2000, to
align the service water (SW) system on a safety injection (SI) signal to maximize flow to
the containment fan coil units early in the event of an accident. Specifically, the design
change modified the control circuits for SW to component cooling water (CCW) heat
exchangers temperature control valves CV-31406/SW-1306A (Train A) and
CV-31407/SW-1306B (Train B). The design change modified the control logic and
added control switches, relays, and solenoid valves, which would cause the
SW-1306A/B valves to open on a SI signal and on loss of the non-safety control power.
The valves were designed to modulate and control SW flow to the CCW heat
exchangers, thereby controlling CCW temperature during normal plant operation. If the
6
ENCLOSURE
valves were fully open, the CCW temperature at the heat exchanger outlet would be
cooled to approximately the SW temperature. This would then result in a subsequent
cooldown of the letdown flow temperature. The valves were designed to fail open on a
SI signal, loss of air, or loss of electrical power.
The DCR documented that actuators for SW-1306A/B, the SI relay contacts, the new
switches, relays, and the cabling from the existing relays to the new relays were all
classified QA1 (safety related) and were to be separated per plant Engineering
Specification ES-9010, Cable Installation and Separation Criteria, and IEEE Standard
308-1971, Criteria for Class 1E Electric Systems for Nuclear Power Generating
Stations. The inspectors noted that separation criteria in ES-9010 included the
following:
- Section 4.1, Safeguard Separation stated, The objective of the following
criteria is to achieve independent electrical systems compatible with and for
redundant equipment. Cable separation shall provide sufficient isolation
between redundant systems so that no single failure or credible incident can
render both systems inoperable or remove them from service.
- Section 4.1.2 stated, There are two trains provided for the Redundant
Safeguard System and four channels provided for the Reactor Protection
System. Separation of these trains or channels must be maintained to preclude
the possibility of any single incident causing both trains or more than one
channel from becoming inoperative. The power, control, and instrumentation
cables and trays for the Safeguard System and Reactor Protection System shall
be separated as follows: Train A, Train B...
- Section 4.1.3 stated, The power cables for each Redundant Safeguard System
may be placed in the cable trays only of the same train.
- Section 4.1.14 stated, Where the wiring for redundant engineered safety
features is within a single panel or panel section, this wiring shall be separated,
one group from the other by six-inch (6") air space or fireproof barrier..., wiring
not associated with either train" may be grouped with one train but may not
cross from one train bundle to the other train.
The inspectors also noted that USAR Section 8.2-2, Separation Criteria, Revision 17,
contained similar separation requirements to the one specified in ES-9010. The
separation criteria in the USAR included the following:
- Cable separation provides sufficient isolation between redundant systems so that
no single failure or electrical incident can render both redundant systems
inoperable or remove them from service.
- Non-safety related power, control or instrumentation cable shall not be permitted
to cross over from one safeguard tray to another.
- Where the wiring for redundant engineering safety features is within a single
panel or panel section, the wiring is separated one group from another, by a
7
ENCLOSURE
6-inch air space or a fireproof barrier. The barriers are steel metal or flexible
metallic conduit. Wiring not associated with either train may be grouped with
one train but may not cross from one train bundle to the other train.
IEEE Standard 308-1971, Section 5.4, Vital Instrumentation and Control Power
Systems, stated in part,
Dependable power supplies are required for the vital instrumentation and control
systems of the unit(s) including the engineering safety feature instrumentation
and control systems.
Power must be supplied to these systems in such a manner as to preserve their
reliability, independence and redundancy. Typically one or more of the following
may be required: (3) two or more independent alternating current power
supplies having a degree of reliability and availability, compatible with systems
they serve.
The inspectors concluded that use of a common non-safety related power supply to feed
both trains of safety related circuits was not in accordance with the requirements stated
above. The non-safety related power supply was not considered quality power that was
free from adverse voltage and current transients, which can disturb component
operation.
IEEE Standard 279-1968, Proposed IEEE Criteria for Nuclear Power Plant Protection
Systems, required that protection systems that generate reactor trip or engineered
safeguards actuation meet the single failure criterion specified in the IEEE Standard.
Section 4.2 states under Single Failure Criterion, any single failure within the protection
system shall not prevent proper protection system action when required. Valves
SW-1306A and B were designed as redundant safeguard components/systems and
were therefore required to meet the single failure criterion of IEEE Standard 279.
Section 3, Design Basis, states in part, a specific protection system design basis shall
be provided for each nuclear power plant and shall document as a minimum the
following: (h) the malfunction, accidents, or other unusual events (e.g., fire, explosion,
missiles, lightening, flood, earth-quake, etc.) which could physically damage protection
system components or could cause environmental changes leading to functional
degradation of system performance and for which provisions must be incorporated to
retain necessary protection system action.
The inspectors reviewed the safety evaluation for this DCR. In response to question
No. 1, the safety evaluation for this DCR stated that the power supply for the control
circuit remained the same and that the new valves were powered from separate power
supplies, separated by Engineering Specification ES-9010. However, the inspectors
determined that the 120VAC power supply for valves SW-1306A and SW-1306B
redundant control circuit logic was not being provided from separate safeguards power
supplies (as it should have been for redundant circuits) and was not separated per the
separation requirements delineated in Engineering Specification ES-9010. The DCR
8
ENCLOSURE
design implemented in the field indicated that the redundant safeguards valves were
powered from the same BOP (non-safeguard) power feed supplied by fuse panel
RR172 (circuits ACNI-9 and ACNI-10), as shown on schematic diagram E-2492,
Revision G. The licensee, however, considered it separate power supplies based on the
use of a separate fuse from the same BOP source to feed each of the redundant valves
control circuits. As such, the licensee considered that the installed modification was in
agreement with the statements in the safety evaluation. On February 4, 2003, the
licensee initiated CAP014584 which documented the difference between the licensees
and inspectors positions with respect to the statements in the safety evaluation. The
CAP stated that this was not an operability issue and that there was no failure potential
that can impact the operability of the CCW system from fulfilling its safeguards function.
However, the inspectors noted that there was no detailed engineering analysis to
evaluate all potential failures that could result from feeding both redundant circuits from
the same BOP feed.
The inspectors also determined that while the DCR stated that the SW-1306A/B valve
actuators (CV-31406 and CV-31407) were QA 1 components, they were supplied and
installed as non-safety (QA-2) components (reference CAP013501, dated October 30,
2002). In addition, the inspectors noted that an evaluation was not performed for
DCR 3163 to ensure that SW-1306A/B control switches 19904 and 19905 were
seismically qualified. CAP014389 was initiated on January 20, 2003, to address this
issue. The inspectors also noted that temperature controllers TC-26309 and TC-26310
used for controlling CCW temperature by modulating opening positions of valves 1306A
and 1306B had been designated as non-safety components and were also fed from the
same common non-safety power supply.
The DCR stated that normal (non-safeguards) power will be used to power the new
solenoid valves consistent with the remainder of the SW 1306A/B valves and that the
valves will be powered from two existing separate circuits. However, the inspectors
noted that the remainder of the SW-1306A/B control circuits were designed and
installed as safeguard systems but were fed from a common BOP feed.
The inspectors reviewed the electrical schematic and wiring diagrams for SW-1306A/B
and noted that terminal box (TB)1371, shown on wiring diagram E-2112, Revision V,
contained field wiring for both SW-1306A and SW-1306B valve circuits. Electrical
conductors coded ACN1-9L1 and ACN1-9L2 (designated as Train A wires), electrical
conductors coded ACN1-10L1 and ACN1-10L2 (designated as Train B wires), and BOP
conductors ACN1-42L1 and ACN1-42L2 were all terminated to terminal blocks inside
TB1371. In addition, a conduit containing the cables feeding control circuits for
SW-1306A and SW-1306B valves was routed from Train A section to Train B section of
TB2771. This conduit contained wire codes ACN1-42L1(power supply to BOP lights
and controllers for both 1306A and 1306B valves), ACN1-9L1 and ACN1-9L2 (power
supply to SW-1306A control circuit), and ACN1-10L1 and ACN1-10L2 (power to
SW-1306B control circuit).
9
ENCLOSURE
The inspectors also conducted a field inspection of SW-1306A/B and its associated
components. Wiring diagram E-I531, Revision AJ, showed TB2771 wiring which
included the new relays and switches. TB2771 was divided into two sections, which
were separated horizontally by a fireproof metal barrier to separate SW-1306A (Train A)
electrical components from SW-1306B (Train B) electrical components. The BOP feeds
from common fuse panel RR172 were routed via the same conduit into TB2771. Train
A related (9L1) 120VAC BOP feed was routed to the Train A section of TB2771 and
Train B related (10L1) 120VAC BOP feed was routed via the same conduit to the Train
B portion of TB2771. A short conduit was routed from Train A section to Train B section
of TB2771. This conduit contained the BOP feed cables conductors. The inspectors
determined that the present installed configuration of the 120VAC BOP feeds to
SW-1306A/B resulted in electrically connecting Train A and Train B circuitry through the
120VAC BOP power supplies. Each of the SW-1306A/B control circuits was protected
by one fuse and one slug located in RR172. The inspectors determined that the
installed electrical configuration was contrary to the electrical separation requirements
delineated in ES-9010, USAR 8.2.2, and IEEE-308-1971.
During review of condition reports, the inspectors identified that since May 2000, the
SW-1306A and/or the SW-1306B valve(s) inadvertently opened on at least nine
separate occasions. These following events occurred during normal plant operation due
to random grid disturbances, lightning strikes, and/or surveillance testing activities.
- May 10, 2000, (Kewaunee Assessment Process (KAP) 00-001414) SW-1306A/B
failed open when grid perturbation caused short lived loss of voltage. The KAP
stated that this condition has been experienced in the past.
- September 2, 2000, (KAP 00-003120) an electrical disturbance caused by a
lightning induced spike resulted in reactivity problems when SW-1306A and B
had failed open.
- November 24, 2001, (KAP 01-018732) SW-1306B failed open during
performance of SP-33-110, Diesel Generator Automatic Test, as a result of
load shedding and restarting of large loads. The KAP stated that the apparent
cause for the identified problem appears to be that the system design is subject
to this type of event because a momentary loss of power which occurs when
switching 120VAC QA2 power will result in valves SW-1306A and B failing open.
- November 20, 2001, (KAP 01-18695) valves SW-1306A and B failed open during
performance of surveillance testing SOP-ELV-40-8, after losing power during a
power switching activity.
- June 24, 2002, (CAP012001) a transient where both SW-1306A and B valves
opened due to an electrical transient. This caused the CCW temp to decrease,
which could have had a positive reactivity affect on the reactor had the operators
not taken actions. The CAP documented that operator workaround 01-22 and
abnormal procedure A-CC-31A, Abnormal Conditions in the Component Cooling
System, were implemented to bypass the letdown demin and an auxiliary
operator was dispatched to regain control of the system. Reactivity effects were
monitored, although no changes were seen due to early recognition of the
problem. The inspectors determined that loss of the common non-safety power
10
ENCLOSURE
supply resulted in both valves opening unexpectedly, challenging the operators
by use of an operator workaround to expeditiously bypass letdown demin and
prevent a potential positive reactivity effect.
- July 9, 2002, (CAP012174) a misalignment of substation capacitor bank opening
and closing resulted in a voltage dip that caused SW-1306B to fail open.
Operator workaround 01-22 and abnormal procedure A-CC-31A were
implemented to bypass the letdown demin and an auxiliary operator was
dispatched to regain control of the system.
The first three items above were determined by the licensee to be maintenance rule
functional failures in maintenance rule evaluation MRE000082, dated November 21,
2001. The fourth item above was classified as a maintenance preventible functional
failure in KAP 01-18695. Condition Evaluation CE002373, dated February 12, 2002,
and apparent cause evaluation ACE001828, dated June 21, 2002, concluded that as a
result of the numerous instances where valves SW-1306A and B have failed open,
System 38 Function 04 (supplies 120VAC QA2 power) has had a repetitive MPFF and
was considered (a)(2) degraded. ACE001828 documented three more instances where
SW-1306A or B valves failed open on June 23, July 21, and July 22, 2002, during
substation breaker manipulation and lightening strikes. Licensees investigation
(ACE001828) revealed the following three distinct concerns related to the SW-1306A
and B valve events: (1) The effects of random grid disturbances while at full power
should not result in these valves fully opening at times when plant power is not lost or
interrupted and a SI signal in not present, (2) train separation (should the power supply
for these valves be separated instead of tied to the same source), and (3) the controllers
are obsolete.
To identify the correct cause of the SW-1306A/B valves inadvertent openings and to
determine if Design Change 3205 (initiated to modify the power supplies to the
electronic controllers) will address the concern of the undesired opening of these valves
under certain conditions, the licensee issued temporary change TC 02-01 on July 2,
2002, to install monitoring equipment on the SW-1306B train. This has not yet been
implemented in the field. Therefore, the inspectors noted that actual cause of
SW-1306A/B failing open during normal plant operations has yet to be determined.
In a related matter, the licensee documented in OTH002449, dated August 30, 2001,
that CC water temperature could reach 390F during an event where a SI signal was
generated (SW-1306A and B open). The licensee stated in the OTH that this
temperature was not considered in the piping analysis and that the issue needed to be
examined by Westinghouse.
Analysis: Evaluation of this issue concluded that it was a design control issue resulting
in a finding of very low safety significance (Green). The design control issue was due to
a licensee performance deficiency in that the licensee failed to adequately control the
design modification process for modification DCR 3163 as required by established plant
and industry design standards.
11
ENCLOSURE
In accordance with Manual Chapter 0612, the inspectors determined the issue was
more than minor because this finding was associated with design control attributes
which affected the Mitigating Systems Cornerstone objective to ensure the reliability and
capability of the CCW system to respond to initiating events to prevent undesirable
consequences. The use of a common BOP (non-safety) power supply to feed
redundant safeguard electrical circuits, the lack of adequate electrical separation, and
evaluation of seismic qualifications of some of these redundant circuits and components
have the potential to upset plant stability, challenge critical safety functions during
shutdown as well as power operations, and could potentially affect the reliability and
capability of the CCW system to respond to initiating events.
This design deficiency finding is assessed as Green because it did not result in an
actual loss of the CCW systems safety function. A review of the system design
identified a number of electrical separation issues, but did not result in any immediate
operability concerns. This provides reasonable assurance that there has not been an
actual loss of system function due to this condition. Therefore, this issue was screened
out of the significance determination process as Green.
Enforcement: 10 CFR Part 50, Appendix B, Criterion III, Design Control, states, in
part, that measures be established to assure that applicable regulatory requirements
and the design basis are correctly translated into specifications, drawings, procedures,
and instructions. It further states that design changes shall be subject to design control
measures commensurate with those applied to the original design. Section 4.1.2 of
ES-9010 states in part that cable separation shall provide sufficient isolation between
redundant systems and that the power and control cables for the safeguard system shall
be separated.
Contrary to the above, on June 30, 2000, the installed electrical configuration was not
in accordance with plant and industry established electrical separation design
requirements as specified in IEEE Standard 308-1971, and in ES-9010 for the control
circuits for temperature control valves SW-1306A/CV-31406 and SW-1306B/CV-31407.
The licensee used non-safety related 120VAC power supplies from a common fuse
cabinet to feed the redundant safeguard system control circuits for these valves in lieu
of separate safety related power supplies, which would provide sufficient isolation
between these safeguard redundant systems.
Because of the low safety significance of this issue and because it was entered in the
licensee's corrective action program (CAP013801), the issue is being treated as a
Non-Cited Violation, consistent with Section VI.A.1 of the NRC Enforcement Policy
(NCV 50-305/02-07-01).
12