IR 05000315/2003007

IR 05000315-03-007(DRS), IR 05000316-03-007 (Drs); on 06/23/2003 - 07/11/2003; Indiana Michigan Power Company; D.C. Cook Nuclear Power Plant, Units 1 and 2; Safety System Design and Performance Capability Inspection
ML032260201
Person / Time
Site: Cook
Issue date: 08/12/2003
From: Dave Hills
Division of Reactor Safety III
To: Bakken A
American Electric Power Co
References
IR-03-007


Text

August 12, 2003

SUBJECT:

DONALD C. COOK NUCLEAR POWER PLANT, UNITS 1 AND 2 NRC INSPECTION REPORT 50-315/03-07(DRS); 50-316/03-07(DRS)

Dear Mr. Bakken:

On July 11, 2003, the U.S. Nuclear Regulatory Commission (NRC) completed an inspection at your Donald C. Cook Nuclear Power Plant. The enclosed report documents the inspection findings, which were discussed on July 11, 2003, with yourself and other members of your staff.

The inspection examined activities conducted under your license as they relate to safety and compliance with the Commission's rules and regulations and with the conditions of your license.

The inspectors reviewed selected procedures and records, observed activities, and interviewed personnel. Specifically, this inspection focused on the design and performance capability of the emergency diesel generator system to ensure that it was capable of performing its required safety-related functions.

Based on the results of this inspection, there was one NRC-identified finding of very low safety significance, which involved a violation of NRC requirements. However, because this violation was non-willful and non-repetitive and because it was entered into your corrective action program, the NRC is treating the issue as a Non-Cited Violation (NCV) in accordance with Section VI.A.1 of the NRC's Enforcement Policy.

If you contest the subject or severity of a Non-Cited Violation, you should provide a response within 30 days of the date of this inspection report, to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001, with copies to the Regional Administrator, U.S. Nuclear Regulatory Commission, Region III, 801 Warrenville Road, Lisle, IL 60532-4351; the Director, Office of Enforcement, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; and the NRC Resident Inspector at the D.C. Cook Nuclear Power Plant. In accordance with 10 CFR 2.790 of the NRC's Rules of Practice, a copy of this letter and its enclosure will be available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records (PARS) component of NRC's document system (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).

Sincerely,

/RA by Andrew Dunlop Acting For/

David E. Hills, Chief
Mechanical Engineering Branch
Division of Reactor Safety

Docket Nos. 50-315; 50-316
License Nos. DPR-58; DPR-74

Enclosure: Inspection Report 50-315/03-07(DRS); 50-316/03-07(DRS) w/Attachment: Supplemental Information

cc w/encl:
Site Vice President
M. Finissi, Plant Manager
R. Whale, Michigan Public Service Commission
Michigan Department of Environmental Quality
Emergency Management Division MI Department of State Police
D. Lochbaum, Union of Concerned Scientists

SUMMARY OF FINDINGS

IR 05000315/2003-007(DRS), IR 05000316/2003-007(DRS); Indiana Michigan Power Company; 06/23/2003 - 07/11/2003; D.C. Cook Nuclear Power Plant, Units 1 and 2; Safety System Design and Performance Capability Inspection.

This report covers a 3-week announced baseline inspection of the design and performance capability of the emergency diesel generator system. The inspection was conducted by regional engineering specialists with electrical and mechanical consultants' assistance. One Green finding associated with a Non-Cited Violation was identified. The significance of most findings is indicated by their color (Green, White, Yellow, Red) using Inspection Manual Chapter (IMC) 0609, Significance Determination Process (SDP). Findings for which the SDP does not apply may be Green, or be assigned a severity level after NRC management review. The NRC's program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, Reactor Oversight Process, Revision 3, dated July 2000.

A. Inspector-Identified and Self-Revealed Findings

Cornerstone: Mitigating Systems

Green.

A finding of very low safety significance was identified involving a Non-Cited Violation of 10 CFR 50, Appendix B, Criterion XVI, Corrective Actions, for the failure to timely resolve Technical Specification interpretation inconsistencies associated with the total required volume in the emergency diesel generator fuel oil day tanks. These inconsistencies were identified by the licensee in August 2000; however, as of July 11, 2003, this issue remained unresolved.

This finding is greater than minor because the lack of timeliness associated with resolution of this issue impacted the mitigating systems cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. This finding is of very low safety significance because there was not a loss of function: each fuel oil system contained redundant, safety-related fuel oil transfer pumps that would start prior to reaching the unusable volume in the day tank, and these pumps have shown good reliability.

(Section 1R21.2.1)

Licensee-Identified Violations

No findings of significance were identified.

REPORT DETAILS

REACTOR SAFETY

Cornerstone: Initiating Events, Mitigating Systems, and Barrier Integrity

1R21 Safety System Design and Performance Capability

Introduction

Inspection of safety system design and performance verifies the initial design and subsequent modifications and provides monitoring of the capability of the selected systems to perform design bases functions. As plants age, the design basis may be lost and important design features may be altered or disabled. The plant risk assessment model is based on the capability of the as-built safety system to perform the intended safety functions successfully. This inspectable area verifies aspects of the mitigating systems cornerstone for which there are no indicators to measure performance.

The objective of the safety system design and performance capability inspection is to assess the adequacy of calculations, analyses, other engineering documents, and operational and testing practices that were used to support the performance of the selected systems during normal, abnormal, and accident conditions. The inspection was performed by a team of inspectors that consisted of a team leader, two Region III inspectors, one electrical consultant, and one mechanical consultant.

The emergency diesel generator system was selected for review during this inspection based upon:

  • having a high probabilistic risk analysis ranking;
  • being a high safety significant maintenance rule system; and
  • having an interrelated function (for station blackout).

The criteria used to determine the system's performance included:

  • applicable Technical Specifications;
  • the system's design documents.

The following system and component attributes were reviewed in detail:

System Requirements

  • Process Medium - water, fuel oil, electricity
  • Energy Source - electrical power, fuel oil, air
  • Control Systems - initiation, control, and shutdown actions
  • Heat Removal - cooling water and ventilation

System Condition and Capability

  • Installed Configuration - elevation and flow path operation
  • Operation - system alignments and operator actions
  • Design - calculations and procedures
  • Testing - flow rate, pressure, temperature, voltage, and level

Components

The emergency diesel generator heat exchangers, fuel oil transfer pumps, fuel oil day tanks, and air start subsystem were selected for detailed review during the inspection. These components were specifically reviewed for component degradation due to the impact that their failure would have on the plant.

.1 System Requirements

a. Inspection Scope

The inspectors reviewed the UFSAR, Technical Specifications, drawings and available design basis information to determine the performance requirements of the emergency diesel generator system. The system attributes reviewed included process medium, energy sources, control systems, and heat removal. The rationale for reviewing each of the attributes was:

Process Medium: This attribute needed to be reviewed to ensure that the emergency diesel generators would supply the required electrical loading under the design basis events of loss of offsite power and loss of offsite power concurrent with a loss of coolant accident.

Energy Sources: This attribute needed to be reviewed to ensure that the emergency diesel generators would start when called upon. In order to ensure that the diesels start, the following subsystems are necessary: direct-current control power, starting air, combustion air, and diesel fuel.

Controls: This attribute required review to ensure that the trips of the emergency diesel generator functioned as specified. This included review of trips bypassed during design basis events to ensure that the trips would not erroneously actuate and impact diesel operation.

Heat Removal: This attribute required review to ensure that the heat generated while the emergency diesel generators are running can be effectively removed. Three subsystems were included in this review: ventilation air, jacket water cooling, and lubrication oil cooling.

b. Findings

No findings of significance were identified.

.2 System Condition and Capability

a. Inspection Scope

The inspectors reviewed design basis documents and plant drawings, abnormal and emergency operating procedures, requirements, and commitments identified in the UFSAR and Technical Specifications. The inspectors compared the information in these documents to applicable electrical, instrumentation and control, and mechanical calculations, setpoint changes, and plant modifications. The inspectors also reviewed operational procedures to verify that instructions to operators were consistent with design assumptions. The inspectors also used applicable industry standards, such as the American Society of Mechanical Engineers (ASME) Code and the Institute of Electrical and Electronics Engineers (IEEE) Standards, to evaluate plant design.

The inspectors reviewed information to verify that the actual system condition and tested capability were consistent with the identified design bases. Specifically, the inspectors reviewed the installed configuration, the system operation, the detailed design, and the system testing, as described below.

Installed Configuration: The inspectors confirmed that the installed configuration of the emergency diesel generator system met the design basis by performing detailed system walkdowns. The walkdowns focused on the installation and configuration of piping, components, and instruments; the placement of protective barriers and systems; the susceptibility to flooding, fire, or other environmental concerns; physical separation; provisions for seismic and other pressure transient concerns; and the conformance of the currently installed configuration of the systems with the design and licensing bases.

Design: The inspectors reviewed the mechanical, electrical, and instrumentation design of the emergency diesel generator system to verify that the systems and subsystems would function as required under accident conditions. This included a review of the design bases, design changes, design assumptions, calculations, boundary conditions, and models as well as a review of selected modification packages. Instrumentation was reviewed to verify appropriateness of applications and setpoints based on the required equipment function. Additionally, the inspectors performed limited analyses in several areas to verify the appropriateness of the design values.

Testing: The inspectors reviewed records of selected periodic testing and calibration procedures and results to verify that the design requirements of calculations, drawings, and procedures were incorporated in the system and were adequately demonstrated by test results. Test results were also reviewed to ensure automatic initiations occurred within required times and that testing was consistent with design basis information.

b. Findings

Introduction:

The inspectors identified a Green Non-Cited Violation (NCV) involving 10 CFR 50, Appendix B, Criterion XVI, Corrective Actions, for the failure to promptly correct a condition adverse to quality. Specifically, the licensee was untimely in resolving Technical Specification requirement interpretation inconsistencies concerning the volume of fuel oil required in the emergency diesel generator (EDG) day tanks.

Description:

A licensee review of the calculation for the EDG fuel oil day tank level identified several examples of inconsistencies regarding the licensee's interpretation of a Technical Specification requiring 70 gallons of fuel oil in the day tank. On different occasions, the requirement had been interpreted as either total contained volume or total usable volume. There were also inconsistencies regarding the calculation of the total unusable volume in the day tank, and which variables must be included in the calculation. Depending on these assumptions and interpretations, the licensee's implemented administrative limit (minimum of 140 gallons in fuel oil day tank) may not be adequate to ensure that the Technical Specification minimum of 70 gallons was maintained at all times.

Calculation MD-12-DG-004-N determined the total unusable volume in the day tank as a combination of geometrical and vortexing factors. In this calculation, the geometrical aspect considered that the top of the horizontal tank outlet was located approximately 4 inches above the bottom of the tank, such that the unusable tank volume due to the tank/piping geometry was approximately 29 gallons. The vortexing aspect took into account that a pipe outlet below the surface of a fluid may induce a surface vortex, which would allow air to pass into the outlet pipe. This calculation determined that maintaining a minimum tank volume of approximately 33 gallons above the outlet pipe would eliminate any possible vortexing issues. Thus, the total unusable volume due to tank/pipe geometry and vortexing considerations was determined to be approximately 62 gallons. This calculation non-conservatively interpreted the Technical Specification requirement as 70 gallons total contained volume in the tank, which inferred that 8 gallons usable volume existed at the Technical Specification limit. This 8 gallons usable volume corresponds to a 111-second EDG run time at full load.

Other examples illustrated the licensee's interpretation of the Technical Specification limit as the total usable volume. Calculation 1-2-LI-06, Section II, Calculation #1, verified the appropriate placement of set points and switches on the fuel oil day tank corresponding to the low-low level alarms (currently set at 104 total gallons) and fuel oil transfer pump start (currently set at total tank volume of 123 gallons decreasing). This calculation interpreted the requirement as the total usable volume in the day tank, and appropriately verified placement of the switches to maintain this level. However, this calculation, in a non-conservative fashion, did not consider possible vortexing effects in the calculation of the total unusable volume.

The licensee identified the inconsistencies regarding the interpretation of the Technical Specification minimum volume requirement, and initiated condition report (CR) P-00-11222 in August 2000 to resolve the issue. As of July 11, 2003, this issue remained unresolved. Using calculation MD-12-DG-004-N as a basis, and interpreting the Technical Specification limit as usable volume as well as incorporating geometry, vortexing, and instrument uncertainty considerations, the fuel oil day tank minimum required volume could have been 170 gallons, which exceeded the administrative limit of 140 gallons. The final resolution of the administrative limit, as well as the functional placement of the switches corresponding to the low-level alarms and the fuel oil transfer pumps' start, both rely on a consistent interpretation of the Technical Specification required volume (i.e., contained versus usable).

Analysis:

This issue was a corrective action deficiency resulting in a finding of very low safety significance (Green). The deficiency was due to the licensee's failure to timely resolve the interpretation of the Technical Specification requirement of 70 gallons of fuel oil in the day tank.

This finding is greater than minor because the lack of timeliness associated with resolution of this issue impacted the mitigating systems cornerstone objective of ensuring the availability, reliability and capability of systems that respond to initiating events to prevent undesirable consequences, through a loss of safety margin in the EDG fuel oil day tanks.

This finding was evaluated with the Significance Determination Process (SDP) Phase I, and found to be of very low safety significance (Green). No EDG system functionality was lost because redundant, safety-related fuel oil transfer pumps would start prior to reaching the unusable volume in the day tank, and these pumps have shown good reliability. Thus this issue was not considered an operability concern, but a loss of safety margin, especially due to the relatively small size of the day tank.

Enforcement:

10 CFR 50, Appendix B, Criterion XVI states, in part, that "measures shall be established to assure that conditions adverse to quality ... are promptly identified and corrected."

Contrary to the above, as of July 11, 2003, the licensee did not promptly correct the identified inconsistencies in the Technical Specification interpretation for the required volume in the EDG fuel oil day tank.

Because this issue was of low safety significance, was considered non-willful and non-repetitive, and was in the licensee's corrective action program (CR 03190012), it is being treated as a Non-Cited Violation, consistent with Section VI.A.1 of the NRC Enforcement Policy (NCV 50-315, 316/2003007-01).

.2 Degraded Voltage Protection Bypassed

Introduction:

The degraded voltage protection scheme was bypassed whenever the 4160V buses were not being supplied through the reserve auxiliary transformers (RATs). This resulted in a lack of automatic degraded voltage protection during normal operation, and for the first 30 seconds of an accident when engineered safety feature (ESF) loads were being sequenced onto the safety buses. This is considered an unresolved item pending further review to determine the plant's licensing basis with respect to this issue.

Description:

In order for the trip function of the degraded voltage scheme to be active, the supply breaker to the 4160V bus from the RATs must be closed. During normal operation the 4160V buses were supplied through the unit auxiliary transformers (UATs), so the supply breakers from the RATs were open and the trip function of the degraded voltage protection scheme was disabled. This condition also existed for the first 30 seconds of an accident when the majority of ESF loads would be sequenced onto the safety buses. This was due to a deliberate 30-second time delay between the time a turbine trip signal was initiated by the reactor protection system, and the time the 4160V buses would be transferred from the UATs to the RATs. The relaying relied upon to transfer the 4160V buses to the RATs was non-safety related.

This was contrary to the design criteria for degraded voltage protection stated in the Generic Letter dated June 3, 1977, and later incorporated into Branch Technical Position PSB #1 [Power Systems Branch], which stated, "The voltage sensors shall automatically initiate the disconnection of offsite power sources whenever the voltage set point and time delay limits have been exceeded." Technical Specifications 3.3.2.1, Table 3.3.3, item 8.b, required degraded voltage protection whenever the units were in modes 1, 2, 3 and 4. Neither the Technical Specifications nor its bases provided for bypassing the protection scheme when the units were connected to the UATs.

The licensee position was that degraded voltage protection was only required when the unit was connected to the offsite source. The licensee interpreted the term "offsite" to include only the RAT source and not to include the UAT source.

The inspectors reviewed the available record of correspondence and other communications between the licensee and the NRC and noted considerable ambiguity regarding the acceptability of this design. The original design for degraded voltage protection proposed by the licensee (July 22, 1977 letter) featured a design where the safety buses would not be protected while being supplied by the UATs. The proposed design used undervoltage relays on the high side of the 34.5kV/4.16kV RATs in order to monitor the offsite power supply directly. The NRC rejected this proposal and required the degraded voltage relays to monitor the 4160V safety busses citing the 1997 NRC Generic Letter, which required the design of the voltage monitors to comply with IEEE-279-1971. The letter stated that the intent of the position was that the monitors of the undervoltage protection system for ESF loads were a part of the Class 1E distribution system.

The current design had the voltage monitors on the 4160V safety buses, but they only provided a trip function when the buses were supplied by the RATs. The licensee has described the UAT connection as the normal power supply and the RAT connection as the preferred offsite power supply. In general, the licensee has been consistent in stating that degraded voltage protection was available only when the 4160V buses were connected through the RATs, and not when connected to the UATs. However, it appeared that the significance of this distinction had not been noted by the NRC until it was stated explicitly in Technical Specifications change request AEP:NRC 1063, dated November 28, 1988, as follows: "Please note that the function of the Degraded Voltage relays is to disconnect the plant from the grid for a sustained degraded voltage condition. These relays are armed only when the plant is fed from offsite power and not normally active during unit operation." This statement did not note that the degraded voltage function was also not active for the critical first 30 seconds of an accident.

The NRC took note of the licensee's 1988 statement in the cover letter to Amendment Nos. 137 and 124 to License Nos. DPR-58 and DPR-74, dated May 25, 1990.

The NRC stated that the design was not in conformance with Standard Review Plan (SRP), Chapter 8, Appendix 8A, Branch Technical Position PSB #1 and recommended that the degraded voltage relays remain in force regardless of the power sources connected to the safety busses; i.e., whether powered by the unit auxiliary transformer or the off-site power system.

The licensee stated in an internal memo from M. J. Finissi to G. P. Argent, dated April 22, 1993, that, "It is agreed that there is non-compliance with Branch Technical Position PSB #1." The memo justified the non-compliance based on two reasons:

(1) there was a potential for tripping the degraded voltage scheme during operation under light load conditions on the grid with reduced generator voltage; and
(2) AEP was not committed to Branch Technical Position PSB #1.

The inspectors questioned the technical adequacy of this evaluation because an accident could occur when generator voltage was low and automatic protection of ESF loads was bypassed. It did not appear that either this memo or any other formal response to the May 25, 1990, NRC recommendation was provided to the NRC. Task Interface Agreement (TIA) dated June 10, 1994, for D.C. Cook stated, After the Millstone and ANO-1 events, the staff developed generic requirements for degraded grid protection. Under MPA B-23, all licensees were required to address degraded voltage conditions. These generic requirements were subsequently documented in Branch Technical Position BTP-1 in the SRP. Therefore, Office of Nuclear Reactor Regulation (NRR) considers the requirements for degraded voltage protection to be part of the plant's current licensing basis. Therefore, although specific commitments to PSB #1 may not have been made, it appeared that conformance to PSB #1 may have been assumed in previous licensing actions.

There was no record that the NRC formally reviewed and accepted the existing scheme, particularly with respect to the bypassing of degraded voltage protection during the first 30 seconds of an accident.

Analysis:

Although the inspectors concluded that bypassing the degraded voltage protection during normal operations when offsite power is supplied through the UATs is not in accordance with the 1977 Generic Letter and Branch Technical Position PSB #1, the licensee stated that they are not committed to the Branch Technical Position and this issue had been resolved during the extended shutdown of the Cook units. The licensee was unable to provide any documentation or details of this resolution during the inspection. In addition, this position does not appear to conform to the 1994 TIA in which NRR implied that Branch Technical Position PSB #1 was part of the plant's current licensing basis. Based on this conflicting information, this will be considered an unresolved item (URI 50-315, 316/2003007-02) pending further NRC review to determine the current licensing basis for the Cook facility with respect to degraded voltage protection and whether the licensee is in conformance with Technical Specifications 3.3.2.1.

Enforcement:

The enforcement aspects of this issue will be determined after further NRC evaluation of the unresolved item.

.3 Components

a. Inspection Scope

The inspectors examined the emergency diesel generators to ensure that component level attributes were satisfied. The attributes selected for review were: equipment and environmental qualification, equipment protection, and operating experience.

Equipment and Environmental Qualification: To confirm this attribute, the inspectors reviewed calculations and equipment qualification documents to ensure that components located in the emergency diesel generator rooms would perform their function under the temperatures that would be expected.

Equipment Protection: The inspectors reviewed calculations and other documents, performed walkdowns and interviewed personnel to ensure that components located in the emergency diesel generator rooms would perform their function following seismic, tornado, and high energy line break events.

Operating Experience: The inspectors reviewed condition reports, problem identification forms, and other documents to confirm that the licensee adequately evaluated industry information regarding emergency diesel generator problems.

b. Findings

No findings of significance were identified.

OTHER ACTIVITIES (OA)

4OA2 Identification and Resolution of Problems

a. Inspection Scope

The inspectors reviewed a sample of auxiliary feedwater and emergency diesel generator systems problems that were identified by the licensee and entered into the corrective action program. The inspectors reviewed these issues to verify an appropriate threshold for identifying issues and to evaluate the effectiveness of corrective actions related to design issues. In addition, condition reports initiated on issues identified during the inspection were reviewed to verify adequate problem identification and incorporation of the problem into the corrective action system. The specific corrective action documents that were sampled and reviewed by the inspectors are listed in the attachment to this report.

b. Findings

One Green Finding was identified concerning untimely corrective actions as discussed in section 1R21.2.1 of this report.

4OA6 Meetings

.1 Exit Meeting

The inspectors presented the inspection results to Mr. A. Bakken, and other members of licensee management at the conclusion of the inspection on July 11, 2003. The inspectors asked the licensee whether any materials examined during the inspection should be considered proprietary. No proprietary information was identified.

ATTACHMENT:

SUPPLEMENTAL INFORMATION

KEY POINTS OF CONTACT

Licensee

D. Baker, Manager, Engineering, Nuclear Technical Services
C. Bakken, Senior Vice President, Nuclear Generation
A. Feliciano, Design Engineering
M. Finissi, Plant Manager
J. Giessner, Director, Design Engineering and Regulatory Affairs
H. Heidarisafa, Electrical Design/EQ
G. Hines, AFW System Engineer
R. Jervey, Regulatory Affairs
J. Kovarik, I&C Design Engineering
B. McIntyre, Manager, Regulatory Affairs
B. Mutz, Operations
J. Pollock, Site Vice President
M. San, Design Engineering
M. Scarpello, Compliance Supervisor
G. Truini, EDG System Engineer
B. Wah, Design Engineering

Nuclear Regulatory Commission

D. Hills, Chief, Mechanical Engineering Branch, RIII
I. Netzel, Resident Inspector
C. Pederson, Director, Division of Reactor Safety, RIII

LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED

Opened and Closed

50-315, 316/03-07-01 NCV Untimely Corrective Action for Diesel Fuel Oil Day Tank Level Issue (Section 1R21.2.1)

Opened

50-315, 316/03-07-02 URI Bypassing Degraded Voltage Protection When Power Supplied by Unit Auxiliary Transformers (Section 1R21.2.2)

Discussed

None.


LIST OF DOCUMENTS REVIEWED