ML13324A885

From kanterella
Jump to navigation Jump to search
Technical Evaluation of Issues from NRC Staff Action Plan in Response to 851121 Event at San Onofre Unit 1
ML13324A885
Person / Time
Site: San Onofre Southern California Edison icon.png
Issue date: 06/05/1986
From:
Office of Nuclear Reactor Regulation
To:
Shared Package
ML13324A884 List:
References
NUDOCS 8606130005
Download: ML13324A885 (74)
v  d  e


Text

OFFICE OF NUCLEAR REACTOR REGULATION DIVISION OF PWR LICENSING-A TECHNICAL EVALUATION OF ISSUES FROM THE NRC STAFF ACTION PLAN IN RESPONSE TO THE NOVEMBER 21, 1985 EVENT AT SAN ONOFRE, UNIT 1 8606130005 860605 PDR ADOCK 05000206 S

PDR

TABLE OF CONTENTS TITLE PAGE I. INTRODUCTION 1

TABLE 1:

PWR-A REVIEW ISSUES 3

II. EVALUATION OF TECHNICAL ISSUES 5

Item 3.a.1 -

Lack of automatic loading of the diesel 5

generators following a loss of power event.

Item 3.a.2 -

Lack of remote control of steamline isolation 15 valves and resultant impact on assurance of steam generator availability to remove decay heat (in event of steamline or feedline break).

Item 3.a.3 -

Lack of steam generator blowdown status in 18 control room or auto termination capability.

Item 3.a.4 -

Adequacy of the licensee's design changes 21 to eliminate spurious SI indication on loss of power (SI annunciator and SIS sequencer surveillance panel.

Item 3.a.5 -

Non-safety related auto sequencer (reliability 23 and impact on station blackout).

Item 3.a.6 -

Impact of interlock between reactor bypass 26 breaker and diesel generator output breaker on electrical power reliability.

Item 3.a.7 -

Adequacy of labeling for selected control room 29 indicators.

Item 3.a.8 -

Reliability of power to vital buses, e.g.,

30 power to important control room indications and controls.

Item 3.a.9 -

Increased reliability of 4KV power supplies 32 (includes evaluation of cause of failure of C transformer power cable).

a) Cable reliability.

b) Alternate immediate source of offsite power (e.g., additional reserve transformer).

Item 3.b.1 -

Water hammer design considerations/engineering.

41

00 TITLE PAGE Item 3.b.2 -

Water hammer design considerations/systems 42 aspects.

Item 3.b.3 -

Possible instrumentation to indicate impending 46 water hammer conditions.

Item 3.b.4 -

Adequacy of feedwater repair/system integrity 47 and material considerations.

Item 4.c.-

Evaluate adequacy and reliability of post-trip 50 data retrieval equipment.

Item 6.b. -

Assess appropriateness of paralleling buses 52 with indicated ground fault.

Item 7.b. -

Evaluate implementation of technical specifi-59 cation action statements when warranted, e.g., reluctance to fully isolate failed transformer and removal from service of one feedwater pump.

Item 12. -

Evaluate the licensee's effort to assure 63 that the steam generators low-levels did not damage or leave damaging chemical materials in the steam generators.

Item 16. -

Loose parts in the steam generator feedrings.

65 III.

Actions Summary 67 -:

EG&G Technical Evaluation Report (TER),

EGG-NTA-7176 :

EG&G Technical Evaluation Report (TER),

EGG-NTA-7204

1. INTRODUCTION On November 21, 1985, Southern California Edison's San Onofre Nuclear Generating Station, Unit 1 (SONGS-1), located south of San Clemente, California, experienced a partial loss of inplant AC electrical power while the plant was operating at 60 percent power. Following a manual reactor trip, the plant lost all inplant AC power for 4 minutes and experienced a severe incidence of water hammer in the feedwater system which caused a leak, damaged plant equipment, and challenged the integrity of the plant's heat sink.

Subsequent to the water hammer, plant conditions were quickly stabilized and the plant was brought to cold shutdown conditions.

An NRC Incident Investigation Team (IIT) was established by the Executive Director for Operations (EDO) and after a two-month investigation, its findings were published in NUREG-1190. On February 4, 1986 the EDO issued a memorandum to NRC Office Directors which identified and assigned responsibility for generic and plant-specific actions resulting form the IIT's investigation. The EDO assigned to Region V the lead responsibility for staff actions relating to facility restart. In accordance with the EDO's directions, an NRC staff action plan was established and transmitted to the EDO on March 6, 1986.

The March 6, 1986 staff action plan and subsequent revisions assigned to NRR/PWR-A the review of twenty technical issues prior to facility restart.

Most of these issues, which are listed in Table 1, relate to the adequacy of the licensing design basis of San Onofre, Unit 1; and include consideration of TABLE 1: PWR-A REVIEW ISSUES Action Plan Item No.

Title 1.d.1(a)

NRR review of IST program at SONGS-1 docketed prior to the event.

1.d.1(b)

NRR review of SCE's 3-3-86 revision of the IST program.

1.d.4 NRR review of SONGS-1 IST program requirements in light of November 21, 1985 event.

3.a.1 Lack of automatic loading of the diesel generators following a loss of power event.

3.a.2 Lack of remote control of steam line isolation valves and resultant impact on assurance of steam generator availability to remove decay heat (in event of steamline or feedline break).

3.1.3 Lack of steam generator blowdown status in control room or auto termination capability.

3.a.4 Adequacy of the licensee's design change to eliminate spurious SI indication on loss of power (SI annunciator and SIS sequencer surveillance panel).

3.a.5 Non-safety related auto sequencer (reliability and impact on station blackout).

3.a.6 Impact of interlock between reactor bypass breaker and diesel generator output breaker on electrical power reliability.

3.a.7 Adequacy of labeling for selected control room indicators.

3.a.8' Reliability of power to vital buses, e.g., power to important control room indications and controls.

3.a.9 Increased reliability of 4KV power supplies (Includes evaluation of cause of failure of C transformer power cable).

a) Cable reliability.

b) Alternate immediate source of offsite power (e.g.,

additional reserve transformer).

3.b.1 Water hammer design considerations/engineering.

3.b.2 Water hammer design considerations/systems aspects.

TABLE 1: PWR-A REVIEW ISSUES (Continued)

Action Plan Item No.

Title 3.b.3 Possible instrumentation to indicate impending water hammer conditions.

3.b.4 Adequacy of feedwater repair/system integrity and material considerations.

4.c.

Evaluate adequacy and reliability of post-trip data retrieval equipment.

6.b.

Assess appropriateness of paralleling buses with indicated ground fault.

7.b.

Evaluate implementation of technical specification action statements when warranted, e.g., reluctance to fully isolate failed transformer and removal from service of one feedwater pump.

12.

Evaluate the licensee's effort to assure that the steam generators low-levels did not damage or leave damaging chemical materials in the steam generators.

numerous design modifications proposed by the licensee in response to the November 21, 1985 event. This report addresses the resolution of seventeen of those issues. The three remaining issues involve review of the licensee's Inservice Testing (IST) program, which is ongoing. Items 1.d.1(a) and 1.d.1(b) will be resolved by providing information to IE/Vendor Program Branch which will summarize our technical conclusions reached regarding the licensee's Inservice Testing (IST) Program dated March 3, 1986 and previously submitted requests for relief from Section XI of the ASME Code.

Item 1.d.4 will be resolved by PWR-A review and concurrence on the IE/Vendor Program Branch evaluation of safety related check valves at SONGS-1.

II. EVALUATION OF TECHNICAL ISSUES ITEM 3.a.1 -

LACK OF AUTOMATIC LOADING OF THE DIESEL GENERATORS FOLLOWING A LOSS OF POWER EVENT.

The staff's evaluation of this issue considered three areas. First, the staff reviewed the SONGS-1 design to ensure that regulatory requirements for design of electrical power systems were satisfied. Second, to support the results of the electrical review, the staff next performed a systems review to ensure that all manual actions to load the diesel generators during certain transients and accidents can be accomplished within the required time period.

During the systems review, the staff evaluated the acceptability of other manual actions required to initiate auxiliary feedwater for a feedline break accident during which the diesel generators would be automatically loaded. This effort was undertaken because the staff determined that this accident was the limiting case for manual actions involving the auxiliary feedwater system. In the third area, the staff evaluated the possible effects on the November: 21, 1985 SONGS-1 event had the diesel generators been designed to automatically load. These evaluations are described in detail below.

A. Evaluation of Electrical Design Criteria 1.0 Introduction The design of the onsite electrical power system at San Onofre, Unit 1 has been reviewed in accordance with the requirements and guidance contained in General Design Criterion 17 (GDC 17), GDC 20, NUREG-0800 Chapters 8.2 and 8.3, Regulatory Guide 1.32, IEEE-Std-308, and NUREG-0737 Item II.E.1.2.

A detailed evaluation of the licensee's submittals was performed by EG&G Idaho, Inc., under contract to the NRC, with general supervision by the NRC staff.

This work was reported by EG&G in their Technical Evaluation Report (TER),

EGG-NTA-7176, "Assessment of the Manual Loading of the Diesel Generators for the Loss of Offsite Power, San Onofre Nuclear Generating Station, Unit No. 1,"

dated March 1986 (Enclosure #1).

2.0 Discussion The SONGS-1 diesel generators are designed to automatically start and sequentially load whbn offsite power is lost concurrent with a safety injection signal.

When offsite power is lost concurrent with accidents which do not generate safety injection signals, the emergency diesel generators are automatically started but must be manually connected to the Class 1E buses. The previous and revised analyses for the TMI modifications (NUREG-0737 Items II.E.1.1 and II.E.1.2) related to the automation of the auxillary feedwater system and assumed manual action to provide power to the motor driven AFW pump. Although the motor driven AFW pump controls and associated circuitry are automatically initiated given a low steam generator level signal, the AFW pump will not have motive electrical power and cannot deliver flow until the diesel generator is manually con nected to the Class 1E bus. These analyses assumed that sufficient time was available to manually restore AC power to the Class 1E bus.

3.0 Evaluation The staff has discussed in detail with the licensee the operator actions required for manual restoration of AC power to Class 1E buses. The licensee has assured the staff that for complete loss of offsite power (LOP), only one operator action is required to manually restore on-site AC power to the Class 1E bus in order to supply power to the motor driven auxiliary feedwater pump.

This action may be accomplished within a time period of several seconds up to a minute after the operator has verified that the offsite grid is not available. No further operator actions are required for loading the motor driven AFW pump.

4.0 Conclusion In order to ensure that the SONGS-1 onsite electrical power system complies with the evaluation criteria described above, the staff reevaluated the adequacy of manual action to supply power to the motor-driven AFW pump. This evaluation is described in-the following section.

B. Systems Review 1.0 Introduction From a systems standpoint, the lack of automatic loading of the diesel generators following a loss of offsite power event involves consideration of its impact on automatic initiation of auxiliary feedwater. Automatic operation of the SONGS-1 motor driven AFW pump does not occur for a loss of offsite power unless a coincident safety injection signal exists.

For a loss of offsite power, the main feedwater and condensate pumps are tripped. Thus, certain events involving a loss of offsite power without the generation of an accompanying safety injection signal will create conditions where manual operations are required to supply feedwater to the steam generators, assuming single failure of the steam driven AFW pump. Approximately 3 minutes after reaching the low steam generator water level (AFW automatic actuation signal) the steam driven AFW pump will automatically deliver flow. The motor driven pump will not deliver flow until the operator manually energizes the 4160 Volt emergency bus which powers the AFW pump.

2.0 Discussion SCE evaluated the adequacy of the automatic and manual provisions for initi ating AFW flow as part of its response to TMI Action Plan Item II.E.1.2.

The SCE evaluation, performed in 1981, considered a variety of postulated transients and accidents including loss of main feedwater, loss of offsite power, main feed Water line break, main steam line break and a small break LOCA.

Based on these analyses, SCE concluded that the provisions for AFW actuation were adequate, and ensured that applicable SRP criteria were satisfied; i.e.,

(1) reactor coolant system and main steam system pressure remained below 110%

of design, and (2) fuel cladding integrity was maintained.

Most relevant to the issue of manual actions were the analysis assumptions for manual actions, in two cases. In the case of a loss of offsite power and assumed failure of the turbine driven AFW pump, manual action was assumed to result in AFW flow at 8 minutes. In the case of a main feedwater line break, AFW was-assumed to be automatically actuated. However, since the feedwater pipe break results in depressurization of the steam generators, the motor driven AFW pump was assumed to trip on low discharge pressure. The turbine driven pump was assumed to be inoperable since the steam supply is lost for secondary system pipe breaks. Trip of the motor-driven pump on low discharge pressure is part of the design; its intent is to provide pump runout protection.

Operator action was assumed at 10 minutes to restart the AFW flow and correctly align flow to the intact steam generators. No single failure was assumed in the analysis of a main feedwater line pipe break; the single failure of the motor driven AFW pump would have resulted in a total loss of AFW flow.

The staff evaluated the SCE response to TMI Action Item II.E.1.2 (Letter to R. Dietch from D. Crutchfield, November 18, 1982), and concluded that the San Onofre Unit 1 AFWS automatic initiation and flow indication designs were acceptable.

3.0 Evaluation As parf of the review of the loss of power and water hammer event, the staff has reevaluated the adequacy of provisions for actuation of AFW at San Onofre Unit 1. In earlier meetings with SCE, the staff questioned the licensee on these matters and SCE stated that the earlier analyses demonstrated the adequacy of manual action for certain accidents in meeting the appropriate SRP criteria (e.g. maintenance of reactor coolant system pressure below 110% of design).

Furthermore, SCE stated that the analyses described above were overly conservative and that more realistic but still acceptably conservative analyses would demonstrate that more time is available for the operator to perform manual actions.

By letter dated May 1, 1986, the licensee submitted the results of revised analyses to demonstrate the limiting conditions for establishment of auxiliary feedwater flow. These revised analyses considered two cases: case 1 was a loss of normal feedwater and case 2 was a feedwater line break. In the reanalysis of these cases the same methodology, i.e., the LOFTRAN code, was used but the revised analyses incorporated different assumptions intended to account for plant specific design features not originally modeled. Also, a less conservative but acceptable decay heat model was utilized for the calculations.

With regard to case 1, loss of normal feedwater, the revised analysis indicates that auxiliary feedwater flow at a rate of 165 gpm is needed within 30 minutes after reactor trip in order to provide sufficient heat removal capacity. Operator action to manually energize the emergency bus which powers the AFW pimp (assum ing single failure of the steam turbine pump) is required within 29 minutes; allowing 1 minute for valve opening, control circuit, and pump start delays.

By comparison, the analysis of a loss of normal feedwater performed by SCE in 1981 indicated that an AFW flowrate of 165 gpm would be needed within 3 minutes after reactor trip. The major reasons for the pronounced increase in the time available for establishing AFW flow are the changes in analytical assumptions regarding operation of the reactor coolant pumps. The revised analysis assumed the loss of the reactor coolant pumps, with plant specific pump coastdown characteristics, since in the SONGS-1 design the reactor coolant pumps are powered from the generator and would be lost on a turbine trip.

With regard to case 2, a feedwater line pipe break, the revised analysis indicates that an AFW flow rate of 250 gpm (total) to two intact steam gener ators within 20 minutes after reactor trip is adequate to remove core decay heat. An earlier analysis demonstrated a need for 250 gpm to the steam generators within 15 minutes after reactor trip. Unlike case 1 above, in case 2 the diesel generators would automatically load since a safety injection signal would be generated about 2 minutes after the break. As noted previously, in an earlier analysis of a feedwater line pipe break, operator action was assumed to restart the motor-driven auxiliary feedwater pump and correctly align the AFWS Yalves to permit AFW flow delivery to the two intact steam generators and to isolate the broken line. In the revised analysis a total period of 20 minutes is available to establish adequate flow, however, refilling of the main feedwater piping requires approximately 5 minutes.

An additional delay of approximately 1 minute occurs due to valve opening, control circuit, and pump start delays. Therefore, operator action to diagnose the situation, restart the motor driven AFW pump, and throttle flow to deliver 125 gpm to each of the three steam generators is required within approximately 14 minutes.

Operator action is not now assumed for isolation of the broken feedwater line as in previous licensee evaluations, although the operator is instructed by the emergency operating instructions to isolate the ruptured line after establishing flow to all three feedwater lines, at which time more AFW flow will be available to remove decay heat. The revised analysis indicates, however, that establishment of adequate AFW flow does not depend on operator actions to identify and isolate the broken feedwater line.

Since the revised analysis of a main feedwater line break assumes the operator takes action to deliver 125 gpm to each steam generator, (with 125 gpm spilling out the broken line) it also assumes capable of providing 375 gpm. The rated design flow (which is the flow rate normally used in safety analyses) of the motor driven AFW pump is 208 gpm. However, at lower secondary side pressures the pump is capable of providing more flow. The staff has questioned the licensee about the basis for the determination that the AFW pump would provide the necessary flow under these conditions. The licensee responded that tests being conducted by the manufacturer as part of the ongoing refurbishment of the pump will demonstrate the ability of the pump to meet the criteria established by the safety analyses. The staff requires confirmation of these test results prior to restart.

3.0 Conclusion The staff has reviewed the revised analyses performed by the licensee and concludes that the methodology, models and assumptions are acceptable and that the appropriate acceptance criteria have been satisfied. Furthermore, the staff concludes that time is available for operator action to:

1) manually energize the emergency bus which powers the motor driven AFW pump in the event of a loss of feedwater without safety injection and/or 2) manually restart and adjust AFW flow in the event of a main feedwater line pipe break.

In order to ensure that the existing motor-driven AFW pump is capable of providing the flow rates assumed in the feedline break analysis, the staff requires that the licensee provide test results verifying 375 gpm flow at 700 psig discharge pressure.

As noted previously, an evaluation of a feedwater line pipe break with the assumed failure of the motor driven AFW pump would have resulted in a loss of all AFW flow since the turbine driven AFW pump is ineffective due to depressu rization of the secondary system. However, the licensee has installed and will make available for manual operation a third AFW pump (motor driven) before restart from the current outage. This matter is discussed further under item 3.a.2.

C. Possible Effects of Automatic Loading of the Diesel Generators on the November 21, 1985 Event 1.0 Introduction SCE has studied and reported the effect of auto-loading diesel generators on the water-hammer event. This section provides the staff's resolution of the issue.

2.0 Evaluation The licensee concluded that automatic loading of the diesel generators would not have prevented the development of conditions leading to water hammer.

This determination is based on the following considerations:

1) Following the rupture of the flash evaporator with ensuring loss of FW, the leakage area in the feedwater system was estimated to be 3 square inches.

This break size would result in a mass release rate sufficient to void the feedwater line in approximately 1 minute if the check valves fail, which they did.

2) If the motor driven AFW pump were automatically powered, approximately 1 minute would elapse before effective flow delivery, allowing time for diesel start up, pump start, opening of the pump discharge control valve and line filling.
3) Initially at least, flow from the AFW pump would be carried toward the pipe break and would not be available to fill the leg of feedwater piping down stream from the junction with the AFW line.

In summary, the licensee believes that even with automatic diesel loading the auxiliary the feedwater flow would not be sufficient to compensate for the multiple check valve failures and that the likelihood of water hammer events can best be reduced by addressing the reliability of check valve performance.

3.0 Conclusion The rapid voiding of the feedwater line was a phenomenon which occurred more quickly than could be mitigated by additional modifications to the loading scheme for the diesel generators. This fact and the other arguments presented by SCE support the conclusion that the lack of automatic diesel generator loading had little probable impact on the water hammer event of November 21, 1985.

ITEM 3.a.2 -

LACK OF REMOTE CONTROL OF STEAMLINE ISOLATION VALVES AND RESULTANT IMPACT OF STEAM GENERATOR AVAILABILITY TO REMOVE DECAY HEAT (IN EVENT OF STEAMLINE OR FEEDLINE BREAK) 1.0 Introduction As part of the SONGS-1 event review, the staff reevaluated the adequacy of the San Onofre 1 design insofar as the lack of remote control of steamline isolation valves may affect steam generator availability to remove decay heat in the event of a steamline or feedline break.

2.0 Evaluation The primary purpose of the main steam isolation valves is to ensure that no more than one steam generator will blowdown, in the event of a pipe break, to

1) reduce the primary system cooldown rate and prevent a return to criticality and 2) limit the blowdown and concomitant pressure rise within containment if the pipe break occurs inside containment. Main steamline isolation valves can serve other purposes, e.g., reduction of offsite radioactivity releases for a steamline break.outside containment if there is primary to secondary side leakage. Main steamline isolation does not generally have a direct significant influence on the ability to remove decay heat in the event of secondary system pipe ruptures. The ability to remove decay heat is more directly influenced by the ability to provide auxiliary feedwater to the steam generators. However, since the turbine driven AFW pump receives its motive power from the steam supplied by the steam generators which are not isolable, secondary system pipe breaks will result in a loss of the turbine driven AFW pump. Analyses to determine the limiting conditions for supplying AFW flow during a variety of accidents and transients have demonstrated the acceptability of the SONGS-1 design. Moreover, it should be recognized that main steam isolation for SONGS-1 would not significantly affect the consequences of pipe breaks inside containment. It is common practice to locate MSIVs outside containment; the SONGS-1 steamline valves, without remote capability, are also located outside containment. The SONGS-1 main steam system design, however, is different from current designs in that the main steamlines from the individual steam generators are connected together by a common header inside containment.

Therefore, closure of the MSIVs outside containment would have little or no effect on the outcome of pipe break accidents inside containment. On this basis.alone it appears that there is only marginal benefit from modification of the main steam isolation capability without additional major redesign of the piping layout.

The licensee has evaluated the impact of no main steamline isolation as part of their April 8, 1986 submittal.

The licensee concluded that reactor coolant system cooldown, containment response and decay heat removal aspects associated with secondary system pipe ruptures are all satisfactorily considered and that the consequences-of those pipe breaks are acceptable. The staff reviewed these analyses, most of which were submitted in 1981 and 1982, as part of the Systematic Evaluation Program (SEP), and concluded that the lack of main steamline isolation capability poses no undue risk. The results of the SEP Integrated Plant Safety Assessment were published in NUREG-0829, April 1985 (Draft).

The SEP evaluation noted that in the event of a main steamline break, decay heat removal depends on the availability of the motor driven auxiliary feedwater pump since the turbine driven pump will be lost due to depressurization of the steam generators. The same situation arises for a feedwater line break. Therefore, if a single failure of the motor driven AFW pump is assumed in conjunction with the pipe break there would be no means to remove decay heat through the steam generators, although primary system feed and bleed operations could be used to remove decay heat. In order to resolve this issue, the licensee has committed to provide a third AFW train (motor driven). This additional AFW capability is now installed and will be available (by manual operation only) for accidents involving a single failure of the original motor driven AFW pump. During the upcoming fuel cycle this additional motor driven AFW pump can be operated only by an operator leaving the control room, starting the dedicated shutdown diesel (which powers the AFW pump),

aligning valves, and loading the AFW pump to its power supply. During the next refueling outage, the licensee has committed to provide safety-grade automatic initiation capability for this third AFW train.

Currently, the emergency operating instructions (EOI's) do not instruct the operator to activate the third train of AFW flow unless other actions prove to be ineffective. -The staff concludes that prior to restart the EOIs should be modified to direct the operators to take action to initiate the third AFW train and place it in a standby mode immediately upon indication of abnormal conditions requiring AFW flow.

2.0 Conclusion Based upon the above discussion, the staff concludes that lack of remote control operation of the SONGS-1 steamline isolation valves is acceptable, on the condition that the licensee modifies the EOI's to include use of the third AFW pump prior to restart from the current refueling outage.

ITEM 3.a.3 -

LACK OF STEAM GENERATOR BLOWDOWN STATUS IN CONTROL ROOM OR AUTO TERMINATION CAPABILITY 1.0 Introduction The lack of status indication for steam generator blowdown and the inability to assure closure of the isolation valves were found to be conditions adversely affecting the outcome of the November 21, 1985 event.

Resolution of these issues are needed before restart.

2.0 Evaluation The function of the steam generator blowdown system is to control the total dissolved solids concentration in the steam generator secondary side (shell).

The San Onofre Unit 1 design provided for isolation of the blowdown system upon sensing high radiation or upon a loss of power to the radiation monitor.

The design of the isolation capability was intended to reduce radioactivity releases in the event of primary to secondary leakage in the steam generators.

The design of the steam generator blowdown isolation provisions, however, was somewhat unique in two regards.

First, there were no provisions for indication of the status of the blowdown system in the main control room, i.e., there was no valve position indication. Secondly, upon reset of the isolation signal, (high radiation), the blowdown isolation valves automatically reopened. During the event of November 21, 1985, the steam generator blowdown isolation provisions functioned in accordance with their design; the isolation valves closed upon a loss of power to the radiation monitors and automatically reopened upon reset after power was restored.

The staff has reevaluated the adequacy of the blowdown isolation provisions and concludes that the design was inadequate. In the staff's view, the valves which isolate the steam generator blowdown system serve as containment isolation valves since their primary intent was to reduce the offsite radioactive release.

In that regard the valves are subject to certain specific requirements applicable to containment isolation valves; namely, that the valves be provided with valve position indication status in the main control room, that the valves not automatically reopen after reset of an isolation signal and that the valves have remote manual closure capability from the main control room. These provisions are outlined in SRP Section 6.2.4. The lack of valve position indication and automatic reopening of the valves in the steam generator blowdown system are significant design deficiencies in view of the unique design of the San Onofre Unit 1 secondary system. Since ruptures in the feedwater or main steam systems can result in the simultaneous blowdown of all steam generators and since operator action is required to provide AFW flow during a feedwater line -break, it becomes even more important to avoid steam generator blowdown while attempting to restore water level in the steam generators.

As part of the evaluation of the November 21, 1985 event, the licensee has committed by a submittal dated April 8, 1986, to modify the isolation provisions for the steam generator blowdown system prior to restart. In order to minimize the loss of inventory from the steam generators during accidents when AFW flow is required, the licensee will provide for automatic isolation of the valves upon generation of an AFW initiation signal (low steam generator water level in 2 of 3 steam generators) in addition to the high radiation signal or loss of power to the radiation monitor. Modifications will also be made to preclude the automatic reopening of valves upon reset of the isolation signals.

Furthermore the licensee has committed to provide valve position indication and remote manual operation for selected blowdown system valves.

The licensee has not included one of the blowdown system valves as part of the modifications dealing with position indication and remote manual operation since it is in series with another valve which is being modified.

3.0 Conclusion The staff has reviewed the modifications proposed by the licensee and concludes that these changes represent an improvement to the plant design and that the isolation provisions for the steam generator blowdown systems, as modified, are acceptable.

ITEM 3.a.4 -

ADEQUACY OF THE LICENSEE'S DESIGN CHANGE TO ELIMINATE SPURIOUS SI INDICATION ON LOSS OF POWER (SI ANNUNCIATOR AND SIS SEQUENCER SURVEILLANCE PANEL) 1.0 Introduction A detailed review and technical evaluation of the licensee's submittals (referenced in Enclosure 2) was performed by EG&G Idaho, Inc., under contract to the NRC, with general supervision by the NRC staff. This work was reported by EG&G in their Technical Evaluation Report (TER), EGG-NTA-7204, "Assessment of the Corrective Actions Taken to Resolve the Electrical Technical Issues Related to the November 21, 1985 Event, San Onofre Nuclear Generating Station, Unit No. 1," dated May, 1986 (Enclosure #2).

2.0 Evaluation The safety injection annunciator is required to provide a visible and audible alarm when either or both Safeguard Load Sequencing System (SLSS) Sequencers operate. Annunication is achieved by removing power from the annunciator auxiliary relay through the opening of contacts from either or both sequencers.

When auxiliary transformer C was isolated by the differential relays from class 1E bus 2C, the window 2 (Safety Injection) of the reactor plant first-out annunciator alarmed. This alarm was determined to be spurious by the operators since they observed that plant parameters had not reached Safety Injection (SI) initiation setpoints. The licensee's post-event investigations have determined the cause of this spurious SI indication to be a consequence of transformer C isolation from class 1E bus 2C, which supplies power to Motor Control Center (MCC) MCC-3A. The power to the auxiliary relay comes from MCC-3A (primary) or MCC-C (alternate) through a manual transfer switch. During the loss of power event, MCC-3A was the in-service source of power to the auxiliary relay.

Although the SLSS continued to received power from the 125V DC batteries, the loss of power to the auxiliary relay produced an alarm the same as if a Safety Injection signal were present.

To correct this deficiency, the licensee has stated that prior to startup from the current refueling outage the SI annuciator relay auxiliary contact chain will be powered by the SONGS Units 2 and 3 non-Class 1E Uninterruptible Power Supply (UPS) via the security distribution system. The Units 2 and 3 non-Class 1E UPS is backed up by the 125V DC from a non-1E battery system as well as from the diesel-backed class 1E AC source via the battery charger. In the event of loss of the inverter, a static switch automatically transfers the UPS loads to a non 1E MCC via a regulating transformer. Eventually, the SI annunciator relay auxiliary contact chain will be powered from the Unit 1 vital bus 4 UPS. The licensee states that installation of the UPS is planned for the next refueling outage (Cycle 10).

3.0 Conclusion The staff concludes that the proposed change to supply the SI annunciator relay auxiliary contact chain from Unit 2/3 UPS until the Cycle 10 outage, and sub sequently from the Unit 1 vital bus 4 UPS is acceptable for eliminating the spurious indication of a SI upon loss of offsite power. These changes are in conformance with the applicable regulations and regulatory guides.

ITEM 3.a.5 -

SPURIOUS REMOTE INDICATION FOR SAFEGUARD LOAD SEQUENCERS 1.0 Introduction A detailed review and technical evaluation of the submittals was performed by EG&G Idaho, Inc., under contract to the NRC, with general supervision by the NRC staff. This work was reported by EG&G in their Technical Evaluation Report (TER), EGG-NTA-7204, "Assessment of the Corrective Actions Taken to Resolve the Electrical Technical Issues Related to the November 21, 1985 Event, San Onofre Nuclear Generating Station, Unit No. 1," dated May, 1986 (Enclosure #2).

2.0 Evaluation The Safeguard Load Sequencing System (SLSS) is an integral part of the safety injection actuation system which monitors the reactor process parameters and the availability of offsite power and initiates operation of the Safety Injection System. There is one remote surveillance panel located in the main control room for-each of the two SLSS (#1 and #2).

The lights (neon lamps) for each of the load groups A through F (loads groups E and F are spares) on the remote surveillance panel for each sequencer are designed to be lit when the individual sequencers are in the normal (non-tripped) condition. Each sequencer is independent and will operate equipment in the associated train if actuated regardless of the condition of the other.

The remote surveillance panel neon lamps receive power from a 125V DC bus.

A loss of power event signal will extinguish the load group A lamps only.. A Safety Injection signal will extinguish load group A through F lamps. A safety injection and loss of offsite power signal will sequence off lamps for load groups A through F. Once extinguished, a reset should occur before the lamps will light again.

During the November 21, 1985 loss of power event, the load groups A through D lamps extinguished while lamps from load groups E and F remained lit. The proper response for the event should have extinguished only load group A lamps.

Also, the load groups B through D lamps relit without being reset. However, during the event the sequencers themselves operated as designed.

The licensee has performed post-event testing to determine how the observed conditions occurred in the remote surveillance panels. The licensee used Operating Instruction SOI-1203-7, "Monthly Sequencer Test," for testing sequencers Nos. 1 and 2 and found no cause for the abnormal indications on the remote surveillance-panel. The licensee has ruled out loss of voltage as the cause since lamps E and F remained lit throughout the event. Testing on the applicable wiring and the spare sequencer logic board revealed no cause for the abnormal indication.

The licensee has concluded that the abnormal condition was caused directly by the loss of power event. The licensee could not simulate the observed conditions during the testing or find the mechanism for this failure. Thus the licensee has not identified any further corrective action. The operation of the lamps did not affect the sequencer operation and the sequencers did function as designed. Therefore, no further correction is indicated by the licensee.

3.0 Conclusion With regard to the spurious remote indication for safeguard load sequencers, the licensee has concluded that this abnormal condition was caused directly by the loss of power event. The licensee could not identify a corrective action although extensive testing was performed to simulate the observed conditions.

Since the sequencers themselves did function as designed and only faulty indication at the remote surveillance panels occurred, the staff concludes that the resolution of this matter is not warranted for restart. However, the staff recommends that the licensee further review the design of the remote surveillance panel to possibly identify the deficiency which may have caused the faulty indication.

ITEM 3.a.6 -

IMPACT OF THE INTERLOCK BETWEEN THE REACTANCE BYPASS BREAKER AND THE DIESEL GENERATOR OUTPUT BREAKER ON ELECTRICAL POWER RELIABILITY 1.0 Introduction A detailed review and technical evaluation of the submittals was performed by EG&G Idaho, Inc., under contract to the NRC, with general supervision by the NRC staff. This work was reported by EG&G in their Technical Evaluation Report (TER), EGG-NTA-7204, "Assessment of the Corrective Actions Taken to Resolve the Electrical Technical Issues Related to the November 21, 1985 Event, San Onofre Nuclear Generating Station, Unit No. 1," dated May, 1986 (Enclosure #2).

2.0 Evaluation Current limiting reactors are used in.series with the auxiliary transformer C 4160V secondary X and Y windings during the monthly testing of the diesel generators. Theicurrent limiting reactors are used to limit the available short circuit current to within the rating of the 4160 class 1E switchgear during parallel operation of auxiliary transformer C and the diesel generators.

The current limiting reactors are bypassed during normal operation by closing the reactance bypass breakers. The reactance bypass breakers are interlocked with the diesel generator output breakers such that the reactance bypass breaker has to be opened (i.e., inserting reactance in the circuit) before the diesel generator output breaker can be closed on to its respective 4160 Volt bus. In order to manually connect the diesel generator to its associated Class 1E bus during a loss of power event, it would require the operator to first open the reactance bypass breaker before closing the diesel generator circuit breaker.

The licensee has evaluated the impact of this interlock on 4160 volt electrical power reliability and is removing it to enhance the reliability of manual closing of the diesel generator circuit breaker following a loss of offsite power event. This feature will allow the diesel generator circuit breaker to be closed independent of the positions of the reactance bypass breaker. In addition, the licensee is also installing an alarm which will sound in the control room after 10 seconds when any two power sources (auxiliary transformer C, A, or B and the diesel generators) are paralleled onto a 4160 volt bus.

This alarm will alert the operators that more than one power source is supplying the 4160 volt Class 1E bus. The licensee's procedures will be modified to provide operator instructions for response to this alarm prior to return to service from the current outage.

This interlock between the reactance bypass breaker and the diesel generator output breaker was also discussed in NUREG-1190, Section 5.2, (Page 5-5) as a design deficiency. This assessment was based on the fact that when the reactance bypass breaker is rolled out of its cell position, the circuit connecting the normally closed contact would become open and prevent the closing of the diesel generator breaker from the control room. This concern now has been adequately resolved since the licensee has proposed deleting this interlock to allow manual closing from the control room of the diesel generator breaker independent of the position of the reactance bypass breaker.

The staff finds that this modification to delete the interlock will enhance the restoration of onsite power for.the loss of offsite power event. However, the possibility exists that available fault current from two parallel sources supplying the 4160 class 1E buses could exceed the equipment rating and may jeopardize the class 1E equipment under a maximum fault condition. For such a postulated faulted condition, the licensee has stated in discussions with the staff that the second power train is available to mitigate the consequences of a design bases accident.

3.0 Conclusions The staff has concluded that removal of the interlock between the auxiliary transformer C reactance bypass breaker and the diesel generator output breaker will enhance the reliability of restoration of the onsite power sources for the loss of offsite power event. Although the licensee has proposed a 10 second alarm to replace the diesel test mode reactance breaker interlock function, the Class 1E 4160 volt switchgear remains vulnerable to failure due to excessive short-circuit currents when either the offsite circuit and the diesel or two offsite sources are connected to the switchgear. Therefore, the staff recommends that SCE operating and emergency procedures adequately address this concern.

The staff also recommends that the procedures be put in place to ensure that the auxiliary transformer C reactance bypass breaker is opened before the diesel generator output breaker is closed for the diesel generator test mode operation.

The licensee's proposed modifications and the proposed mode of paralleling capability meet the applicable regulations and regulatory guides.

ITEM 3.a.7 -

ADEQUACY OF LABELING FOR SELECTED CONTROL ROOM INDICATORS 1.0 Introduction The licensee's submittal of April 8, 1986, states that SCE will assure that an evaluation of the vital bus indication is included in the scope of the Control Room Design Review (CRDR) currently ongoing. The licensee acknowledges that the labels on the vital bus availability lights are not large enough to read from all areas of the control room, but states that this deficiency is not considered to be an immediate safety concern.

2.0 Evaluation Although the licensee's proposed evaluation of this item is acceptable in the longer term, the licensee must comit to provide larger labels for the vital bus availability lights prior to restart from the present outage. This interim enhancement should then be further evaluated as a permanent modification as proposed by the licensee. Even though the operators involved in the November 21, 1985 event responded within 20 seconds, they may have responded even sooner had they been alerted by larger labels. Larger labels would also reduce the potential for operator error, particularly for new operators. The impact of this enhancement on licensee resources is negligible and can be accomplished quickly.

3.0 Conclusion The licensee must install larger labels for the vital bus availability lights.

This modification must be completed prior to facility restart.

ITEM 3.a.8 -

RELIABILITY OF POWER TO VITAL BUSES 1.0 Introduction A detailed review and technical evaluation of the submittals was performed by EG&G Idaho, Inc., under contract to the NRC, with general supervision by the NRC staff. This work was reported by EG&G in their Technical Evaluation Report (TER), EGG-NTA-7204, "Assessment of the Corrective Actions Taken to Resolve the Electrical Technical Issues Related to the November 21, 1985 Event, San Onofre Nuclear Generating Station, Unit No. 1," dated May, 1986 (Enclosure #2).

2.0 Evaluation There are seven vital buses at San Onofre Unit 1 and all except vital bus 4 are powered by an uninterruptible power supply (UPS). Vital bus 4 is normally powered by a 7.5 KVA regulating transformer with an alternate supply from a 37.5 KVA transformer via an automatic transfer switch. However, at San Onofre Unit 1, both transformers (i.e., 7.5 KVA and 37.5 KVA) are supplied from the same 480 Motor Control Center MCC-2. MCC-2 in turn is supplied from Class 1E bus 2C via Station Service Transformer #2. Thus, when bus 2C was deenergized as a result of auxiliary transformer C relaying, the power to vital bus 4 was lost. Vital bus 4 is the power supply to a significant number of safety related alarms, indications and controls. As a result of loss of this bus, the unit was tripped manually as required by procedures.

Based upon his post-event assessment, the license has committed to install an UPS as one of the power sources for vital bus 4. This modification will provide a 7.5 KVA UPS that will be the normal power source for this bus.

The UPS will be connected to the Unit 1 DC bus 1. An automatic transfer switch will connect the vital bus 4 to the existing 130 V AC source which will serve as the alternate supply for this bus.

The existing divisional independence of vital bus 4 and the 130V AC source will maintained. The licensee has indicated that this modification will be implemented in the next refueling outage (Cycle 10 outage).

3.0 Conclusion Based on the licensee's commitment, the staff finds that this modification will improve the reliability of power to the 120V vital bus 4. Since the modification is a complex and significant upgrade, the staff concludes that the licensee's proposed implementation during the next refueling outage is acceptable.

ITEM 3.a.9 -

INCREASED RELIABILITY OF 4 KV POWER SUPPLIES 1.0 Introduction The Electrical System at SONGS-1 consists of a 220KV switchyard system, a 4160V system, a 480V system, a 120V AC system, a 125V DC System and a diesel generator system to provide an onsite 4160V power source. The 4160 volt system consists of the four buses 1A, 1B, 1C and 2C. Buses 1C and 2C are safety related and are normally fed from the 220 KV switchyard via auxiliary transformer C. Bus 1C can also be supplied via auxiliary transformer A through Bus 1A and a tie breaker. Similarly Bus 2C can also be supplied via auxiliary transformer B through bus 1B and a tie breaker. Buses 1C and 2C can also be supplied automatically from their respective diesel generators when offsite power is lost concurrent with a safety injection signal, which would be generated by either a LOCA or main steamline break (MSLB) accident. However, when offsite power is lost without a safety injection signal, the diesel generators are started automatically, but must be manually connected to their respective safety bus. Buses 1C and 2C also provide power for the 480V system via Station Service Transformers 1, 2 and 3. Buses 1A and 1B are non-safety related and are normally supplied from the 18kV output of the unit generator via auxiliary transformers A and B. Buses 1A and 1B do not normally power components that are required for the safe shutdown of the plant.

Auxiliary transformer C is a three-phase, 60HZ, 30MVA, Class OA transformer with a delta connected, 230KV primary winding and two delta connected 4360V secondary windings denoted as the "X" and "Y" windings. The "X" winding is rated at 15MVA and supplies power to the IC bus. Similarly, the "Y" winding is rated at 15MVA and supplies power to the 2C bus. Four sets of cables, each consisting of 3/c-750KC mil copper, Simplex Anhydrex "XX", 5KV insulated, neoprene jacketed, unshielded, aluminum armored, are used to carry power from transformer C secondary windings (i.e., X and Y windings) to buses 1C and 2C.

The cable connecting the auxiliary transformer C and bus 1C developed a ground fault which eventually degraded to a phase-to-phase fault and caused the loss of power event on November 21, 1985.

2.0 Evaluation 2.1 Criteria The design of 4160V power supplies of Unit 1 of the San Onofre Nuclear Generating Station was evaluated against the requirements and recommendations of the documents normally used by the staff for review of licensing actions.

Specifically, the requirements of GDC 17, GDC 20, NUREG 800 Chapters 8.2 and 8.3, Regulatory Guides 1.32 and 1.75 and IEEE-Std-308 were compared to the SONGS-1 electrical design. General Design Criteria (GDC) 17 requires two physically independent circuits to supply power to the onsite electric power distribution system. The requirement regarding transfer between the two offsite power sources is that "each of these circuits shall be designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded."

2.2 Electrical Power System The design of the SONGS-i Electrical Power System is such that an immediate access circuit through auxiliary transformer,C is provided to be available immediately following a LOCA; a delayed access circuit through auxiliary transformers A and B is provided to be available in sufficient time following a loss of all on-site electric power sources and the immediate access circuit.

For a loss of AC power without a concurrent safety injection signal, the diesels (onsite electric power) are automatically started and run in standby; the Loss of Voltage Auto Transfer Sequence (LOVATS) system realigns the 4160V circuit breakers so that power can be restored from the alternate offsite source by manually closing one of the 220kV circuit breakers. Manual action is required to connect the diesels onto their respective safety buses. The diesels are automatically loaded only when there is a loss of power coincident with a safety injection signal.

The licensee's transient and accident analyses have shown that a loss of electric power to the 4160V buses is acceptable for up to 29 minutes-The licensee further states that for station blackout events in which single failures are not postulated, 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> are available to restore AC power with no detrimental effect on the safe shutdown capability of the unit.

Accordingly, the staff concludes that the licensee has adequate time to perform the manual actions needed to transfer to the delayed-access offsite power source or to the onsite source to supply power to the 4160 volt safety buses for ac cidents and non-accident conditions.

Although the design of the SONGS-1 Electrical Power System conforms to the regulatory criteria as delineated above, several concerns remain unanswered with regard to 4160 volt power supply reliability as a result of the November 21, 1985 loss of power event. These concerns deal with providing increased reliability of the 4kV power supplies; specifically, 4kV cable reliability and an alternate immediate source of offsite power.

2.3 4kV Cable Reliability The power supply cables between auxiliary transformers C, A and B and 4kV buses IC, 2C, 1A and lB are copper conductor Simplex Anhydrex "XX", 5KV insulated, neoprene jacketed, unshielded, and aluminum armoured and were manufactured in 1965. These cables have been inservice since their installation. No periodic monitoring of these cables (or other 4kV cables) has been performed to assess degradation over time due to aging or other conditions. A fault occurred in the cable connecting auxiliary transformer C and bus IC which initiated the protective relays associated with the auxiliary transformer C and, as a result, isolated the auxiliary transformer C from the 4160 volt bus 1C and 2C.

Following the loss of auxiliary transformer "C", the unit was manually tripped which resulted in loss of station power at SONGS-1.

Licensee investigations into the cable failure which caused auxiliary trans former C to relay have revealed the root cause to be subjecting the faulted section of the cable to localized overheating conditions over a long period of time. Visual inspection of the cable indicated localized jacket and insula tion degradation caused by long-term exposure to high temperatures (4000F).

This localized high ambient temperature was due to an uninsulated feedwater line and pipe flange in the immediate vicinity of the failed cable. The thermal insulation had been removed from the feedwater pipe during a previous repair of a gasket leak. SCE has engaged an independent material testing laboratory to analyze the failed cable and to confirm the failure mode. The results of this investigation will be available at a later date.

As indicated in the licensee's April 8, 1986 submittal, the cable degradation occurred over a long period of time and went undetected due to lack of a system atic program for inspection and testing of selected representative electrical cables at SONGS-1. As part of the post-event review, SCE has taken several steps to assess and evaluate the conditions of the 4160 volt cables before restart. These steps include the following:

a. All 4160 volt cables will be tested with a controlled DC overvoltage test in accordance with SCE test procedures. Any cables failing the test will be replaced and an evaluation will be conducted to determine the cause of the failure.
b. Regardless of the test results, the cables for auxiliary transformers A, B and C will be replaced before restart as a precautionary measure.
c. Walkdown inspections will be performed and documented to identify any potential heat sources in the immediate vicinity of cables. Any heat sources identified that could adversely affect the cables will be addressed and corrected.
d. SCE has established a special Cable Evaluation Task Force to investigate and analyze the cable failures to assess the material condition of the 4160V cables not being replaced before restart.

This task force will also determine the generic implication, if any, of the failed cables on the balance of the 4KV electrical cables.

e. SCE is acquiring a set of baseline plots using the EG&G Electrical Circuit Characterization and Diagnostic (ECCAD) system for selected 4160V cables during the current outage. This is being performed as a research and development effort to assess whether or not the ECCAD system would give an indication of long term circuit conditions. If SCE finds the ECCAD system credible, the usefulness of a long-term surveillance program will be assessed and implemented as appropriate.

The steps being implemented by SCE to assess the integrity of the 4160 volt cables for restart are adequate and in conformance with general industry practice.

However, SCE's surveillance program for monitoring cable circuits degradation over time for inservice conditions appears to be inadequate for the following reasons. The EG&G ECCAD system is being tried as a research and development effort and may or may not be implemented for 4160V cable circuits. SCE Company's conventional program for monitoring integrity of electrical cables consists of overvoltage testing every 15-20 years and it is not evident if this testing program will be implemented at SONGS-1. In order to realize meaningful benefits from such a program, representative samples of 4KV cables should be tested more frequently, such as every refueling outage.

2.4 Sources of offsite power The immediate source of offsite power to the 4160V safety buses 1C and 2C is provided by auxiliary transformer C which is fed from the 220kV switchyard. The delayed access source is provided via auxiliary transformers A, B and the main unit step-up transformer which is connected to the 220kV switchyard. The delayed access source availability involves a semi-automatic operation. In case of loss of the immediate source which results in loss of the safety buses 1C and 2C, the loss of voltage auto transfer sequence (LOVATS) system automatically realigns the 4160 volt system so that power can be restored by manual action from the delayed access source. During the loss of power event of November 21, 1985, this semi-automatic operation took approximately four minutes before power was restored. During the event, several equipment abnormalities and operator lack of familiarization with switching of 220KV circuit breakers contributed to the total time that it took to restore power.

The SONGS-1 electrical design is somewhat unique as compared to many other nuclear power plants where the immediate access source is via a fast transfer scheme from the unit generator auxiliary transformer to the start-up transformer. Although the SONGS-1 offsite power system design is unique, it complies with the regulations.

SCE has stated on page 6-103 of their April 8, 1986 investigation report, that "response to emergencies which involve the loss of bus 1C and 2C would be improved if the access to the second source of offsite power were immediate and automatic." The staff agrees with the SCE assessment and believes that an automatic fast transfer access to the alternate source would indeed improve the reliability of the safety-related 4kV buses.

SCE has also indicated in their April 8, 1986 report that as a plant improvement to increase reliability of the electrical system, a modification will be implemented to enhance the availability of the second source of offsite power. The different options being considered to enhance the availability of the alternate offsite source are being studied by SCE and results of this study will be provided to NRC by June 30, 1986. The staff will review and evaluate the information on the proposed modifications and provide a Safety Evaluation Report accordingly. Such modifications to the offsite power system sources are not required prior to start-up since the current SONGS-1 design meets the requirements of GDC 17.

The licensee has identified the abnormalities which delayed the recovery of the delayed offsite source during the November 21, 1985 event, and is implementing the following corrective actions:

a. An automatic reset of the generator backup overspeed trip will be applied to the 220 kV generator output circuit breakers 4012 and 6012 and the Bus 1A and 1B source circuit breakers (11A04 and 11B04). Thus, the operator will not have to reset the trip prior to manually closing these circuit breakers and the Bus 1A and lB source circuit breakers can be automatically closed by the LOVATS.
b. The transformer C loss of voltage trip will be automatically reset when the generator Motorized Operator Disconnect (MOD) opens. With this lockup eliminated, the operator will not have to reset this trip in restoring offsite power.

The staff agrees that these modifications (2.4.a and 2.4.b above) will enhance the restoration of the delayed source of offsite power.

4.0 Conclusion Based upon the above evaluation, the staff finds that the design of SONGS-1 offsite electrical power system conforms with the criteria delineated above.

However, the access to the delayed offsite source could be improved. To enhance the availability of the second source of the offsite power, the licensee has committed to implement a modification as referenced in the SCE April 8, 1986 Investigation Report. The information on this modification will be submitted to the NRC on June 30, 1986. The staff will review the licensee information and provide a Safety Evaluation accordingly.

In the interim, the licensee is making modifications to correct the abnormalities discussed above which delayed the recovery of the offsite power. These modifications are in accordance with the General Design Criterion and applicable regulatory guides. The staff concludes that these corrective actions are acceptable.

The root cause for cable failure was determined and the program for assessing cable integrity prior to restart is acceptable.

But long term integrity assessment requires further improvement and licensee submittal of new information to enhance its effectiveness as delineated above.

ITEM 3.b.1 -

WATER HAMMER DESIGN CONSIDERATIONS/ENGINEERING 1.0 Evaluation and Conclusion The staff is in agreement with the licensee that water hammer in piping systems should be prevented by system design and operation. Since water hammer loads are thus not to be added to system design requirements, additional calculation of water hamer forces or loadings was not undertaken.

ITEM 3.b.2 -

WATER HAMMER DESIGN CONSIDERATIONS/SYSTEMS ASPECTS 1.0 Introduction The staff has reviewed the adequacy of the modifications made by the licensee to reduce the potential for feedwater line water hammer. The staff has also reviewed these modifications with regard to possible impacts on the feedwater system.

2.0 Evaluation The corrective actions taken by the licensee to reduce the potential for water hammer and to provide additional protection redundant to that afforded by the normal feedwater line check valves include:

a. Replacement of the B feedwater line (inside containment) with piping continuously sloped away from the steam generator. The slope will reduce the susceptibility of the B feedwater line to water hammer (giventa voided pipe and other appropriate conditions) to a level consistent with the A and C feedwater lines.
b. Provisions for automatic closure of the three main feedwater regulating valves upon simultaneous loss of main feedwater, turbine trip and auxiliary feedwater initiation.
c. Installation of one additional 10 inch check valve in the feedwater line downstream of the existing 10 inch check valves (inside containment) in each of the three feedwater lines. This will provide a redundant valve to preclude the failure of any two check valves from resulting in a voided feedwater line.

In addition to the above modifications, other feedwater system check valves are being replaced with new valves of a different design. The adequacy of these check valves is being reviewed separately by the IE/Vendor Program Branch.

The staff agrees that sloping the feedwater line away from the "B" steam generator will reduce the potential for occurrence of a water hammer if the line becomes voided and is subsequently refilled with feedwater. This effect is due to the reduced surface area of the steam/water interface and the different geometry of the sloping line which would make it less likely to trap a pocket of steam as the line refills.

The licensee's modifications to provide auto-closure of the main feedwater regulating valves and the installation of an additional set of feedwater line check valves inside containment will result in two additional barriers to prevent voiding of the feedlines. In addition, replacing the feedwater system check valves with valves which are less susceptible to failure will also help prevent feedline voiding. The staff concludes that the licensee's proposed modifications provide adequate protection against feedline water hammer.

Regarding other possible impacts of these modifications on the feedwater system, the staff has found that sloping the feedwater line has no discernible effect on the normal operability of the feedwater system.

The staff also concludes that automatic regulating valve closure will ensure more rapid steam generator level recovery and stabilization of plant conditions.

Also, adding a new check valve in each feedwater line inside containment is judged to have no significant effect on the reliability of feedwater delivery to the steam generators. However, the addition of this valve does reduce the likelihood of simultaneous blowdown of all three steam generators in the event of a feedwater line rupture upstream of the valves. Thus, for feedwater line ruptures, now only those pipe ruptures in the feedwater line inside containment between the check valve and the steam generator can result in the loss of all steam generator inventory.

To evaluate the performance of the new check valves inside containment, the licensee has conducted flow tests as described in their May 5, 1986 submittal. These tests, conducted at the Utah Water Research Laboratory, Utah State University, confirmed the performance of the new valve over a range of operating conditions simulating both main feedwater and auxiliary feedwater flow rates. The tests performed to date were largely qualitative in nature, i.e., engineering judgment was used to determine whether tapping or any other noises generated by the valve were indicative of severe wear conditions.

Pressure transducer measurements were also available to indicate pressure fluctuations downstream of the valve.

It was the conclusion of the licensee's contractor that the new check valve performed well with fluctuation and light tapping of the valve over the flow range of 2700-3050 gpm. This behavior is anticipated to result in slow wear of the valve hinge pin. At lower flow rates of 40 and 150 gpm, intended to simulate auxiliary feedwater flow rates, the valve was stable as evidenced by the lack of tapping or disc movement detectable by ear or by an accelerometer.

Furthermore, the downstream pressure transducer indicated no valve induced pressure fluctuations. Thus it was concluded that the valve could operate indefinitely at the low flow rates.

The staff finds that the tests performed to date by the licensee offer assurance that the modifications to the feedwater system are acceptable.

Additional testing is planned to provide accelerated check valve wear information.

3.0 Conclusion The staff concludes that the corrective actions taken by the licensee to reduce the likelihood and consequences of water hammer are adequate and do not materially affect operability of the feedwater system in a detrimental sense. The add ition of new feedwater line check valves inside containment is an improvement to the feedwater system design. Thus, the modifications are acceptable.

ITEM 3.b.3 -

POSSIBLE INSTRUMENTATION TO INDICATE IMPENDING WATER HAMMER CONDITIONS 1.0 Evaluation and Conclusion The licensee did not propose the addition of instrumentation to detect impending water hammer. Since the staff and licensee are committed to a FW design which effectively minimizes occurrence of a water hammer, there is no compelling reason to require such instrumentation. Hence, the staff concludes that no further review of this issue is required.

ITEM 3.b.4 -

ADEQUACY OF FEEDWATER REPAIR/SYSTEM INTEGRITY AND MATERIAL CONSIDERATIONS 1.0 Introduction The feedwater piping in train "B" at San Onofre-1 experienced a water hammer event on November 21, 1985. The damage to the piping in the "B" feedwater loop is described in Section 6.2 of NUREG-1190. The force of the water hammer damaged the piping and pipe supports within containment. Section 6.2.1 of NUREG-1190 indicates that the piping experienced plastic yielding of the northeast elbow and a visible crack on the outside of a pipe, extending approximately 80 inches axially.

2.0 Evaluation In Section 6.2 of SCE's April 8, 1986 submittal, the licensee describes its program to ensure feedwater pipe integrity. The licensee's program includes: an analytic stress evaluation; repair and replacement of damaged and defective pipe; non-destructive examination (NDE) of pipe welds; pipe material testing and metallurgical evaluation of damaged and defective pipe.

The stresses resulting from the pressure transient at the pipe to nozzle interface were calculated using hydraulic forcing functions and pipe deflection data. The calculated loads, moments and stresses were less than the design allowables.

The licensee replaced the piping inside containment from approximately 8 inches below the second 45 degree elbow upstream of the steam generator nozzle to within 12 inches of the first weld downstream of the penetration sleeve. The piping replaced included al piping inside containment that had been observed to be damaged by the transient. According to the licensee's May 1, 1986 submittal, each weld inside containment that was not replaced was ultrasonically inspected. Each weld in train "B" inside containment was ultrasonically inspected to the requirements of ASME Code Section XI, 1974 Edition with addenda through Summer 1975. The acceptance standard was to Article IWB-3514 of ASME Code Section XI, 1977 Edition with addenda through Summer 1978. One indication was reported in feedwater nozzle weld 392-13 and four indications were observed in penetration C-3C. One indication in penetration C-3C was removed by grinding and the remaining indications in penetration C-3C and feedwater nozzle weld 392-13 met ASME Code Section XI acceptance criteria. Piping welds outside containment were magnetically and ultrasonically inspected to the same codes and standards as the welds inside containment. As a result, seven indications were reported. All indications were removed, weld repaired and subsequently examined to meet the acceptance standards of Article IWB-3514 of the ASME Code Section XI, 1977 Edition with addenda through Sumer 1978.

According to 10 CFR 50, Section 50.55a(g), the licensee's inservice inspection must be performed in accordance with ASME Code Section XI, 1974 Edition with addenda through Summer 1975. However, this Code does not include acceptance criteria for piping. Hence, the licensee utilized the acceptance standard in ASME Code Section XI, 1977 Edition with addenda through Summer 1978.

The licensee's May 1, 1986 submittal provides information that clarifies the conditions noted in Section 6.2.1 of NUREG-1190. In this report, the licensee provided mechanical, dimensional, and chemical test results and fractographic evaluation of pipe removed from service. These tests and evaluations were performed on samples that were removed from seven pipe locations inside containment. The pipe locations included elbows that had been displaced and dented from impacting hangers or the containment wall, and pipe segments that contained flaws or had been displaced from the supporting hanger. The dimensional analysis indicates that the elbows had not been distorted or bent by the loads resulting from the water hammer. The chemical and mechanical tests indicate that the pipe materials met the original material specifications. The fractographic analysis of the flaws, including the 80 inch crack reported in NUREG-1190, indicates that the observed flaws were from original fabrication, did not extend during the event and had no cracks emanating from their surfaces. These test results indicate that the pipe inside containment maintained its integrity throughout the water hammer event and was only damaged as a result of impacting the containment wall or the pipe hangers.

3.0 Conclusion Based on the analyses and the NDE examination of welds in non-replaced piping performed.by the licensee, the repair and subsequent NDE examination to ASME Code requirements of the replacement material, the staff concludes that the feedwater pipe in train "B" is acceptable for service.

ITEM 4.c -

EVALUATE ADEQUACY AND RELIABILITY OF POST-TRIP DATA RETRIEVAL EQUIPMENT 1.0 Evaluation The licensee's submittals of April 8 and May 1, 1986 state that to enhance the plant post-trip review capability the following changes are planned:

1. The TSC Fox III Computer will be programmed to automatically reset after a power interruption. If the interruption is too long (beyond several seconds), then an audible alarm will sound in the Technical Support Center (TSC) printer console. This alarm will alert operators of a pending loss to trending information. They will then inform a computer operator to reset the computer. A further software change to the post-trip review program will enhance data recording capacity.

The change will add the flow rate of each of the three auxiliary feed water lines to the number of parameters that are recorded following sensing of a plant trip. These changes will be implemented prior to return to service from the present outage.

2. The licensee will attempt to provide an uninterruptible power supply for the TSC Fox III Computer prior to return to service from the present outage. If not achieved prior to return to service, it will be installed not later than July 15, 1986.
3. Vital bus No. 4 will also be provided with an uninterruptible power supply to enhance the control room data recording capability during a loss of power since several recorders are powered from this power supply. This will be accomplished prior to restart after the next scheduled refueling outage (Cycle 10).

2.0 Conclusion The staff had reviewed the licensee's commitments described above and concludes that the proposed modifications are acceptable since they will significantly enhance the post-trip data recording capability at SONGS-1. The staff also concludes that the licensee's proposed implementation schedule for these plant upgrades is acceptable.

ITEM 6.b -

ASSESS APPROPRIATENESS OF PARALLELING BUSES WITH AN INDICATED GROUND FAULT 1.0 Introduction The SONGS Unit 1 electrical distribution system consists of the main transformer, auxiliary transformers A, B and C which interface with the 220 KV switchyard and the inplant electrical system. The inplant electrical system is composed of the 4160V Class 1E and non-Class 1E buses, 480V Class 1E and non-Class 1E buses, 120V yital buses, 125 VDC safety buses and the emergency diesel generators. The non-safety 4160V buses 1A and IB are normally supplied by auxiliary transformer A and B respectively. The safety buses 1C and 2C are normally supplied by auxiliary transformer C. Buses 1A and IC can be connected together through a tie breaker 11COl and buses 1B and 2C can be connected together through a tie breaker 12C01. Both tie breakers (11CO1 and 12C01) can be opened and closed from the control room, as well as closed automatically on station loss of voltage auto transfer sequence.

The safety-related Bus 1C is normally supplied by the X winding of the auxiliary transformer C via circuit breaker 11C02. This bus can also be supplied by auxiliary transformer A through Bus 1A and tie breaker 11CO1.

Emergency diesel generator 1 can also supply Bus 1C through its associated breaker 11C14. Similarly, safety-related Bus 2C is normally supplied by the Y winding of the auxiliary transformer C via circuit breaker 12C02. The Bus 2C can also be supplied by auxiliary transformer B through Bus lB and tie breaker 12C01. Emergency diesel generator 2 can also supply Bus 2C through its own associated breaker 12C14. Source breakers for the individual Buses 1A, 1B, 1C and 2C and emergency diesel generators output breakers can be opened and closed from the control room.

Auxiliary Transformer C is a three winding transformer rated.at 230KV to 4360V/4360V. The primary winding is rated at 30 MVA and the 4360 volt windings are rated at 15 MVA each. The winding connections of the auxiliary transformer C are Delta-Delta/Delta and the impedance from primary to secondary is 11% on 15 MVA. The auxiliary transformers A and B are two winding transformers rated at 18KV to 4360 volts with dual MVA rating of 10/12.5 respectively. The winding connections of these transformers are Delta for 18KV side and wye for the 4.36KV side. The wye winding neutral is grounded through a potential transformer effectively providing a high resistance ground return. The impedance of auxiliary transformer A and B is 6.5% +/- 7.5% on 10 MVA Base. The phase relationships of auxiliary transformer A, B and C 4.36KV (secondary) windings are the same.

Under normal operating conditions, auxiliary transformer C supplies power to 4.36KV Class 1E buses IC and 2C, and auxiliary transformers A and B supply power to non-Class 1E bus 1A and 1B.

Although there are tie breakers between bus 1A and IC, and bus lB and 2C respectively, they are normally open during plant operation. However, during plant startup, auxiliary transformer C supplies the power-to non-class 1E buses 1A and 1B.

Once the unit is up to power, auxiliary transformers A and B are paralleled momentarily with auxiliary transformer C for transferring bus 1A and 1B to auxiliary transformer A and B.

2.0 Evaluation The normal 4160 volt bus configuration for on-line operation is that buses 1A and 1B are supplied from auxiliary transformer "A" and "B" respectively and buses 1C and 2C from auxiliary transformer "C".

However, during plant start-up and shutdown the auxiliary transformers "A", "B" and "C" are paralleled momentarily, i.e., after auxiliary transformer "A" and "B" 4160 volt circuit breakers are closed and 4160V Bus-Tie breakers (11CO1 and 12C01) are manually tripped. This manual action assumes no intentional time delay by the operator other than time taken to execute the manual actions.

During the loss of offsite power event of November 21, 1985, the auxiliary transformers "A" and "C" were paralleled for time periods beyond the time-limits stated for startup conditions for trouble shooting of a ground fault on the 4360 volt system. In this case, auxiliary transformers "A" and "C" were paralleled three times for periods ranging from 5 seconds to 5 minutes. In order to assess the appropriateness of paralleling the two transformers ("A" and "C") during a ground fault condition, the following electrical design aspects need to be evaluated for such an operating line-up.

a. The possibility of providing a fault current path for a single ground on ungrounded Delta connected auxiliary transformer "C" by paralleling it with the high resistance grounded neutral of transformer "A".
b. The ability of the 4360 volt switchgear to withstand and/or interrupt short-circuit currents in case of fault during the time periods when auxiliary transformer "A" and "C" are paralleled.
c. The possibility of sufficiently large circulating currents between the two transformers (i.e., transformer "A" and "C") when they are paralleled causing excessive heat rise.
d. The possibility of tripping both transformers, i.e., both sources, for a given fault in the 4360 volt switchgear.

The delta-connected auxiliary transformer "C" is ungrounded, i.e., there is no intentional connection between the transformer "C" and ground except for the capacitive coupling between the system conductors and ground. Therefore, the November 21, 1985 ground fault that occurred on the cables supplying bus 1C from the X winding of transformer "C" caused a very small ground fault current to flow through the distributed system capacitance. This current was so small that it did not affect the normal operation of the system or the operation of the protective relaying associated with the system. However, when auxiliary transformer "A" was paralleled with auxiliary transformer "C", a second ground connection point was established through the grounded neutral of the transformer "A". The transformer "A" neutral is grounded through a potential transformer providing a high resistance path between the faulted cable ground and transformer "A" neutral ground. Although a definite ground path is provided between the cable ground fault and the transformer "A" grounded neutral, the current flow through this path is limited by the impedance of this path.

While-this current is limited to a low value, it was larger than the ground fault current before this path existed. The staff believes that this ground fault current value became sufficiently large due to the addition of the second ground path so that the existing cable fault was worsened. With one ground on the system, as was the case on transformer "C", it is not advisable to parallel another grounded source (such as transformer "A" and "B") with transformer C.

The 4360V switchgear associated with safety buses 1C and 2C and non-safety buses lA and 18 is rated at 250 MVA or for a fault current value of 34,737 amperes. For a bolted three-phase fault condition, transformer "C" can supply a fault current of 18,948 amperes and transformer "A" can supply a current of 21,377 amperes. The combined fault currents of transformer "A" and "C" when they are operating in parallel are equal to 40,325 amperes, which is in excess of the 4360V switchgear capability. It would be inappropriate to parallel transformers "A" and "B" with transformer "C" for supplying power to 4360V safety related switchgear because serious damage could result to the safety switchgear in case of a fault.

The impedance of auxiliary transformer "C" is 11% on 15 MVA whereas the impedance of transformer "A" is 6.5% on 10 MVA. When converted to a common base of 10 MVA, the impedance of transformer "C" is equal to 7.34%. The impedance mismatch between transformer "A" and transformer "C" is equal to 13%. In order to parallel transformers, one of the criteria required is that the impedance of the two transformers be equal to prevent circulating currents. In this case, it appears there will be circulating current flow between the two transformers because-of a 13% impedance mismatch. However, the acceptability of paralleling transformers is dependent on the magnitude of the circulating currents permitted to flow on the system. In this case, it appears that circulating current may not be a serious problem over a short period, but will certainly contribute to heat rise of the one transformer during prolonged parallel operating conditions.

The possibility of tripping both sources (i.e., transformers "A" and "C")

exists when they are operated in parallel, as was done during the ground fault troubleshooting procedures at SONGS-1 on November 21, 1985. The bus-tie breaker between safety bus 1C and non-safety bus 1A is equipped with phase overcurrent relays. The 4360 volt breakers of transformers "C" and "A" are also equipped with phase overcurrent relays, which normally back-up the bus-tie breaker phase overcurrent relays for a 4360 volt bus fault. In certain situations, when the bus tie phase overcurrent relays fail to open the bus tie breaker, the transformer "C" and "A" relays will pickup and clear both the transformer "A" and "C" 4360 volt breakers. This situation would result in both the offsite sources being lost for a common fault in the 4360V switchgear, when operating transformer "C" in parallel with transformers "A" or "B".

3.0 Conclusion Based on the above evaluation of the SONGS-1 4360 volt electrical system, the staff concludes that it is inappropriate to parallel auxiliary transformer "C" with transformer-"A" or "B", except momentarily during startup or shutdown conditions. Operating the transformers "C" and "A" (or "B") in parallel is inappropriate for the following reasons:

1. The high resistance grounded neutral of transformer "A" (or transformer "B") would provide a fault current path for a ground fault in the safety grade ungrounded 4360V electrical system supplied by transformer "C".

Although the current flow in this ground path is limited, it will worsen the situation and may result in a major fault (phase to phase to ground or three phase to ground) causing the loss of the offsite source to Class 1E buses.

2. The Class 1E 4360 volt switchgear is not rated to handle the maximum fault current (40,325A) which would result when the 4360V buses are energized from the offsite power through auxiliary transformers "A" (or "B")

and "C".

3. Although circulating currents between auxiliary transformers "A" (or "B") and "C" do not appear to pose a serious problem, it is not good operating practice to operate these transformers in parallel. The circulating currents would add to the normal (or fault) current, thus affecting the transformer temperature rise.
4. The two offsite sources supplying power through the two transformers

("A" and "C" or "B" and "C") to a common 4360V bus could be lost for a given single fault in the 4360V switchgear. To minimize such an occurrence, it is inappropriate to parallel the two sources with a fault present on the 4360V switchgear.

ITEM 7.b -

EVALUATE IM MENTATION OF TECHNICAL SPECIFTION ACTION STATEMENTS WHEN WARRANTED, E.G., RELUCTANCE TO FULLY ISOLATE FAILED TRANSFORMER AND REMOVAL FROM SERVICE OF ONE FEEDWATER PUMP 1.0 Introduction Section 3.2 of NUREG-1190 describes the actions of the SONGS-1 operators in their attempts to locate the ground on bus 1C and their apparent reluctance to de-energize the bus. As noted in Section 3.2, had they de-energized bus IC, they would have placed the plant under a Technical Specification Action Statement requiring plant shutdown within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> if the bus were not re-energized within that time period. They even went so far as to improvise a scheme for checking the transformer for bus IC without de-energizing the bus.

While the improvised procedure was successful, and while it had management approval, it was a deviation from approved procedures. Further, after determining that the ground was located at the transformer, the operating crew left the transformer in-service by realigning the buses and transformers, thereby avoiding having to de-energize bus 1C and losing one of the required ties to the offsite power source. Concern has been expressed that the operating crew actions were indicative of attempts to avoid invoking the Technical Specification Action Statement.

2.0 Evaluation The licensee's April 8, 1986 report on its investigation of the event at SONGS-1 and the corrective actions being taken as a result of the investigation contains a section on the licensee's evaluation of operator performance (Section 6.4). The licensee concluded that auxiliary transformer C was not isolated as soon as it could have been. This, in turn, contributed to the development of the ground into a fault. The reason for the untimely response in isolating transformer C was that the operators were unaware of the urgency of the situation. There also appeared to be some reluctance to act because of the need to enter a Technical Specifications action statement. But this apparent reluctance was evidenced only because the situation appeared to allow latitude in both the timing and sequence of troubleshooting the ground, i.e., the operating procedure for locating grounds provides general guidance and allows for Shift Superintendent determination of: (1) which components should be stopped and in what order (2) what components should be restarted, (3) changes in unit load when required and (4) need for management and technical guidance.

There was no sense of urgency. Several factors contributed to this lack of urgency with regards to isolation of the ground. First, the operating instruction used during the troubleshooting (SOI-9-7) was a normal operating instruction and therefore, does not invoke a sense of urgency; second, the Shift.Technical Advisor (STA) did not invoke a sense of urgency and may have become too much a part of the operating crew, concentrating on the identification and isolation of the 4160V ground rather than identifying plant conditions that require action to be taken promptly, based on fundamental safety considerations. Finally, the ground alarm on the 4160V bus extinguished when the transformer low side breaker was opened, possibly misleading the operators into thinking that the ground was no longer being fed.

This explanation of the transformer C isolation scenario was confirmed as reasonable and probable on May 7, 1986 by discussions with the SONGS-1 resident inspector.

Regarding the apparent reluctance to remove a feedwater pump from service, the staff in its investigation (NUREG-1190) found that the Shift Superintendent proceeded through a logical progression in order to narrow in on the location of the ground in the 1C circuit until the possibilities were limited to the auxiliary transformer and the feedwater pump. At that point, preparations were made to stop the feedwater pump by reducing the unit load from 250 to 150 MWe.

Before the reduction was initiated, however, the Shift Superintendent, on the suggestion of two electrical test technicians and with his management's concurrence, improvised a method of troubleshooting the iC transformer instead of reducing power to troubleshoot the west feedwater pump.

Since the Shift Superintendent was obviously preparing to reduce power before the idea of an improvised troubleshooting procedure was suggested, the staff does not see this as a problem of reluctance to implement Technical Specification action statements, but rather as a lack of recognition of the safety implications involved in the improvised troubleshooting procedure.

The licensee has'proposed to implement the following corrective actions:

(1) increase operator experience in troubleshooting and manipulation of plant electrical systems, (2) increase the effectiveness of the STA in responding to abnormal, non-emergency plant conditions, (3) improve the ground alarm system to provide indication of auxiliary transformer C ground conditions and (4) upgrade the status of 4160V ground isolation procedure to an abnormal operating instruction.

3.0 Conclusion The staff concludes that the apparent reluctance of SONGS-1 operations staff to isolate auxiliary transformer C and to remove a feedwater pump from service was caused by an inadequate recognition of the urgency of the situation by the operating staff and the STA. The staff also concludes that the licensee has proposed adequate corrective actions which provide reasonable assurance that such a situation will not recur.

ITEM 12 - EVALUATE THE LICENSEE'S EFFORT TO ASSURE THAT THE STEAM GENERATOR LOW-LEVELS DID NOT DAMAGE OR LEAVE DAMAGING CHEMICAL MATERIALS IN THE STEAM GENERATORS 1.0 Introduction The licensee's April 8, 1986 report briefly addressed mechanical and chemistry effects and referenced a fracture mechanics analysis previously submitted on June 3, 1982.

2.0 Evaluation The licensee's evaluation of the potential mechanical effects of drying out the steam generators was that the pressure and temperature conditions in the steam generators during the loss of water level and subsequent refilling remained within steam generator design conditions and that the auxiliary feedwater flow rates were within the envelope of conditions considered by the June 3, 1982 submittal.

Further, an inspection of the A and B steam generators in the vicinity of the secondary side of the tubesheet revealed no adverse effects of the loss of water level and subsequent refilling on the integrity of the steam generators.

Finally, the mechanical effects on the sludge pile were also considered. It was concluded that the hard sludge pile may have been cracked and that more surface for chemical dissolution (return from hideout) would be available but there would be no deleterious effects.

The licensee's evaluation of the potential chemical (corrosion) effects of drying out of steam generators was that the temperature and pressure conditions in the steam generator during the loss of water level and subsequent refilling remained within steam generator design conditions and that there were no foreign substances introduced during the event. It was concluded by the licensee that only the effects of drying out with the normal range of water chemistry should be considered. Further, although the steam generator is normally not allowed to dry out at the top of the tubesheet at temperatures greater than 200'F, the effects in that region should be no different than in other regions which are routinely wetted and dried during operation.

The staff's experience is that conversion of sludge to deleterious materials under these conditions is not expected. Also, increase in the concentration of dissolved chemicals as the result of evaporative boiling would not be expected to degrade the steam generators.

2.0 Conclusion The staff has reviewed and concurs with the conclusions of the mechanical and chemical evaluations provided by the licensee which indicate that there were no deleterious effects of the dryout (low level) condition on the steam generators at San Onofre 1.

ITEM 16 - LOOSE PARTS IN THE STEAM GENERATOR FEED RINGS 1.0 Evaluation In the licensee's submittal of April 8, 1986, damage to check valves is described in which parts were not recovered. The licensee took an inventory of all parts that were missing and all the parts from the "A" and "B" feedwater check valves have been located in the "A" and "B" steam generator feedrings. The "C" steam generator was not inspected for a missing washer and a missing lock pin because these parts were not considered a credible threat to the steam generator tubes.

At the time the location of these parts was being investigated several unsuc cessful attempts were made to remove a washer in the "B" feedring.

It was determined that the "A" steam generator feedring contains a li" diameter hex nut with a piece of fractured stud inside. The "B" feedring contains two 1" diameter hex nuts, one of which contains a piece of fractured stud, and a 21" to 3" flat washer. The nuts and washer are made of stainless steel.

The hex *nut with the fractured stud was identified during an inspection in 1982 and tack welded to the feedring at that time. The nut showed no sign of peening or wear when it was discovered in 1982, but it is not known how long it had been in the feedring prior to its discovery. The tack weld is still intact.

The steam generator feedrings are made of ferritic steel with 1" diameter flow holes.

Ferritic steel feedrings have no known susceptibility to cracking.

Although the loose parts and the feedring are of dissimilar metals, the effect of this on the feedring or the loose parts will be very minimal.

The feed rings were visually examined as part of the investigation to locate the loose parts. There was no evidence of damage to the inside of the feedrings.

Therefore, the presence of the nuts and washers would not be expected to affect the integrity of the feedrings. The parts have migrated to low flow regions of the feedrings and the effect of movement of the loose parts on reducing the size of the parts by wear is also expected to be minimal.

Because of their shape the lock pin and washer from the "C" feedwater check valve would not be a concern even if they are in the steam generator secondary side. For the above reasons and since the parts in the feedrings are significantly larger than the flow holes the staff believes that this situation does not present a safety problem with respect to plant startup and operation of the steam generators.

2.0 Conclusion The staff concluded that for long term operation it would be prudent for the.

licensee to perform a visual inspection of these parts through the flow holes in the feedrings coincident with future maintenance or scheduled surveillance being performed on the secondary side of the steam generators. At least one feedring should be inspected at the next refueling outage. At the conclusion of the inspection an assessment should be made of the condition of the parts and the feedring and of the need for any additional action. The licensee has indicated that plans are being made to perform this examination and assessment in conjunction with a scheduled inspection of the "B" feedring thermal sleeve.

III. ACTIONS

SUMMARY

The technical evaluations contain recommendations for study, test, and modifications of the SONGS-1 facility. Following is a summary of these actions with a reference to the text of the report. Items marked with an asterisk are to be completed prior to restart.

  • 1. Item 3.a.1 (page 12); NRC Requirement:

Perform a motor-driven AFW pump test verifying the pump capacity (375 gpm @ 700 psig discharge) assumed in the feedline break analysis.

  • 2. Item 3.a.2 (page 17):

NRC Requirement: Modify E0Is to include use of third AFW pump.

  • 3. Item 3.a.3 (page 19):

(a) Licensee Commitment: Provide automatic isolation of steam generator blowdown upon AFW initiation signal, high radiation signal, or loss of power to radiation monitor.

(b) Licensee Commitment: Provide a modification to preclude automatic reopening of the valves upon reset of the isolation signal.

(c) Licensee Commitment:

Provide valve position indication and remote manual operation from the control room for selected blowdown system valves.

4. Item 3.a.4 (page 22):
  • (a) Licensee Commitment:

Supply the SI annunciator relay auxiliary contact chain from Unit 2/3 UPS until Cycle 10 outage.

(b) Licensee Commitment:

After the Cycle 10 outage supply this contact chain from the Unit 1 vital bus 4 UPS.

5. Item 3.a.5 (Page 25):

NRC Recommendation:

Review further the design of the SLSS remote surveillance panels to possibly identify the deficiency which may have caused the faulty indication.

  • 6. Item 3.a.6 (page 28):

(a) Licensee Commitment: Remove interlock between auxiliary transformer C reactance bypass breaker and the diesel generator output breaker.

(b) Licensee Commitment:

Install 10 second alarm in the control room to activate when any two power sources (auxiliary transformers C, A or B and the diesel generators) are paralleled onto a 4160 volt bus.

(c) Licensee Commitment: Modify procedures to provide operator instructions for response to this alarm.

(d) NRC Recommendations: Modify procedures to ensure that the auxiliary transformer C reactance bypass breaker is opened for the diesel generator test mode operation.

(e) NRC Recommendation: Modify operating and emergency procedures to add caution statement regarding parallel bus operation.

  • 7. Item 3.a.7 (page 29):

NRC Requirement:

Install larger labels for the vital bus availability lights.

8. Item 3.a.8 (page 31):

Licensee Commitment:

Install an uninterruptible power supply as one of the power sources of vital bus 4 during the Cycle 10 outage.

9. Item 3.a.9 (pages 36-40):
  • (a) Licensee Committment: Test all 4160V cables with DC overvoltage test (p. 36).
  • (b) Licensee Commitment:

Replace cables for auxiliary transformers A, B, and C. (p. 36).

  • (c) Licensee Commitment:

Identify and correct any heat sources that may adversely affect 4160V cables (p. 36).

  • (d) Licensee Commitment: Assess material condition of all 4160V cables not replaced. (p. 36).
  • (e) Licensee Commitment: Develop baseline cable data using ECCAD system (p. 37).

(f) NRC Requirement: Submit a description of the program for monitoring cable integrity over time. (p. 40).

  • (g) Licensee Commitment: Provide automatic reset of generator backup overspeed trip for 220KV generator output circuit breakers (4012 and 6012) and bus 1A and lB source circuit breakers (11A04 and 11B04).

(p.39)

  • (h) Licensee Commitment:

Provide automatic reset for transformer C loss of voltage trip when generator Motorized Operator Disconnect opens.

(p.39)

(i) Licensee Commitment: Submit for staff review by June 30, 1986 a description of a modification to enhance the availability of the second source of offsite power. (p. 40)

10. Item 3.b.2 (p. 42):
  • (a) Licensee Commitment:

Replace "B" feedwater line with new piping continuously sloping away from the steam generator.

  • (b) Licensee Commitment:

Provide for automatic closure of main feedwater regulating valves upon simultaneous loss of main feedwater, turbine trip, and AFW initiation.

  • (c) Licensee Commitment:

Install additional 10" check valves in feedwater lines inside containment.

11.

Item 4.c (pp. 50-51):

  • (a) Licensee Commitment: Reprogram Fox III computer to reset after power interruption.
  • (b) Licensee Commitment:

Install audible alarm in TSC if Fox III power interruption (beyond several seconds) occurs.

(c) Licensee Commitment:

Provide Fox III with uninterruptible power supply by July 15, 1986.

12.

Item 7.b (p. 60):

(a) Licensee Commitment:

Increase operator experience in troubleshooting and manipulation of plant electrical systems.

(b) Licensee Commitment:

Increase effectiveness of STA in responding to abnormal, non-emergency conditions.

(c) Licensee Commitment:

Improve the ground alarm system to provide indication of auxiliary transformer C ground conditions.

(d) Licensee Commitment:

Upgrade 4160V ground isolation procedure to abnormal operating instruction.

13.

Item 16 (p. 65):

NRC Requirement:

Inspect at least one steam generator feedring (A or B) at the next refueling outage and provide an assessment of the condition of the parts in the feedring and of the need for any additional action.

Retrieved from "https://kanterella.com/w/index.php?title=ML13324A885&oldid=5222599"