CNL-16-004, Observations on the Basis for a Non-Cited Violation Involving a Design Change to Remove a Kirk Key Mechanical Interlock

From kanterella
(Redirected from ML16012A480)
Jump to navigation Jump to search
Observations on the Basis for a Non-Cited Violation Involving a Design Change to Remove a Kirk Key Mechanical Interlock
ML16012A480
Person / Time
Site: Sequoyah  Tennessee Valley Authority icon.png
Issue date: 01/08/2016
From: James Shea
Tennessee Valley Authority
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
CNL-16-004, IR 2015007
Download: ML16012A480 (22)
v  d  e


Text

Tennessee Valley Authority, 1101 Market Street, Chattanooga, Tennessee 37402 January 8, 2016 10 CFR 50.4 CNL-16-004 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, D.C. 20555-0001 Sequoyah Nuclear Plant, Units 1 and 2 Renewed Facility Operating License Nos. DPR-77 and DPR-79 NRC Docket Nos. 50-327 and 50-328

Subject:

Observations on the Basis for a Non-Cited Violation Involving a Design Change to Remove a Kirk Key Mechanical Interlock

Reference:

Letter from NRC to TVA, "Sequoyah Nuclear Plant - NRC Evaluation of Changes, Tests , and Experiments and Permanent Plant Modifications Inspection Report 05000327 /2015007 and 05000328/2015007," dated September 14, 2015 On July 31 , 2015, the Nuclear Regulatory Commission (NRC) completed an inspection at Sequoyah (SQN) for Evaluation of Changes, Tests , and Experiments and Permanent Plant Modifications as documented in the above reference . NRC inspectors documented four non-cited violations (NCVs) of very low safety significance (green) and one Severity Level IV NCV.

Tennessee Valley Authority (TVA) is not contesting the violations.

The purpose of this letter is to provide TVA's observations on the basis for the NCVs involving ;

1) the failure to ensure that plant licensing design basis for shared Class 1E electrical systems were controlled and maintained, and 2) the failure to obtain a license amendment prior to implementing a change to the onsite emergency and shutdown alternating current electrical systems supplying the shared essential raw cooling water systems. The enclosure to this letter provides TVA's observations on the basis of the NCVs.

There are no regulatory commitments contained in this submittal. If you have any questions, please call Mike McBrearty, Site Licensing Manager at (423) 843-7088.

ely, L~

ice President, Nuclear Licensing Enclosure cc: See Page 2

U.S. Nuclear Regulatory Commission CNL-16-004 Page2 January 8, 2016

Enclosure:

Observations on the Basis for Violation Documented in NRG Inspection Report 05000327, 328/2015007 cc: (Enclosure)

NRG Regional Administrator - Region II NRG Branch Chief - Region II NRG Senior Resident Inspector - Sequoyah Nuclear Plant NRG Project Manager - Sequoyah Nuclear Plant

U.S. Nuclear Regulatory Commission CNL-16-004 Page3 January 8, 2016 JTJ:

bee (Enclosure):

M. A Balduzzi G. A Boerschig C.R. Church D. M. Czufin S. M. Douglas M. J. Durr M. A. Giacini M. Gillman J.P. Grimes E. K. Henderson T. A Hess J. T.Johnson T. B. Marshall M. W. McBrearty W. J. Pierce P. P. Pratt W.C. Reneau E. D. Schrull C. J. Schwarz J.W.Shea S. A Vance B. A Wetzel P.R. Wilson EDMS

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327,328/2015007 CNL-16-004 E-1

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 TABLE OF CONTENTS Executive Summary I. NRC NON-CITED VIOLATION 05000327, 328/2015007-02: FAILURE TO MEET DESIGN BASIS REQUIREMENTS TO PROVIDE INTERLOCKS BETWEEN SHARED ONSITE EMERGENCY AND SHUTDOWN AC ELECTRIC SYSTEMS II. TENNESSEE VALLEY AUTHORITY (TVA) OBSERVATIONS

1. Introduction
2. Sequoyah (SQN) Licensing and Design Basis 2.1 SQN Updated Final Safety Analysis Report (UFSAR) 2.2 Regulatory Requirements and Applicable Guidance
3. TVA Observation - Establishing Performance Characteristics 3.1 NRC Statement 3.2 TVA Observation
4. Summary 111. SEVERITY LEVEL IV VIOLATION 05000327, 328/2015007-03: FAILURE TO REQUEST A LICENSE AMENTMENT PRIOR TO REMOVING INTERLOCKS FROM SHARED ONSITE EMERGENCY AND SHUTDOWN AC ELECTRIC SYSTEMS IV. TENNESSEE VALLEY AUTHORITY (TVA) OBSERVATIONS
1. Introduction
2. SQN Licensing and Design Basis 2.1 SQN UFSAR 2.2 Regulatory Requirements and Applicable Guidance
3. TVA Observation - Prior NRC Approval 3.1 NRC Statement 3.2 TVA Observation
4. Summary
5. Additional Information
6. References Attachment 1 Simplified One-Line Diagram of 480V ERCW MCCs Power Sources and Load Groups CNL-16-004 E-2

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 Executive Summary:

The Tennessee Valley Authority (TVA) has reviewed Non-Cited Violation (NCV) 05000327, 328/2015007-02 and -03 issued by the NRC in Inspection Report 05000327, 05000328/2015007 on September 14, 2015, for the Sequoyah Nuclear Plant (SQN). TVA has identified several observations on specific elements of the NCVs and the supporting information in the Inspection Report. TVA has reviewed the broad base of regulatory requirements and guidance and related industry standards as well as the SQN plant specific licensing basis. The observations address elements of the inspection report and NCV where the relationship to regulatory requirements, guidance, and standards were unclear. Based on this review, TVA's observation is that SQN programs and processes for design control for the Unit 1A and Unit 2A Essential Raw Cooling Water (ERCW) Motor Control Centers (MCC) still appear appropriate and consistent with SQN licensing basis, and regulatory requirements and guidance. Similarly, TVA's observation is that prior NRC approval does not appear to be warranted or required for the design change involving the Kirk Key mechanical interlock.

I. NRC NON-CITED VIOLATION 05000327, 32812015007-02: FAILURE TO MEET DESIGN BASIS REQUIREMENTS TO PROVIDE INTERLOCKS BETWEEN SHARED ONSITE EMERGENCY AND SHUTDOWN AC ELECTRIC SYSTEMS NRC Inspection Report 05000327, 328/2015007, dated September 14, 2015, states non-cited violation (NCV) 05000327, 328/2015007-02 as follows (emphasis added):

10 CFR Part 50, Appendix B, Criterion Ill, "Design Control," stated, in part, that "measures shall include provisions to assure that appropriate quality standards are specified and included in design documents and that deviations from such standards are controlled." Contrary to the above since 2014, the licensee failed to include provisions to assure that appropriate quality standards were specified and included. in design documents and that deviations from such standards were controlled. Specifically, design changes to the Unit 1A and Unit 2A ERCW power sources failed to include IEEE 308-1971, Regulatory Guides 1.81 and 1.6 and that deviations from them were controlled subject to design control measures commensurate with those applied to the original design. The issue was entered into the licensee's corrective action program as CR 1064736. The licensee has administrative controls in place to limit the risk of this configuration pending determination of corrective actions. Because the finding was of very low safety significance (Green) and was entered into the licensee's corrective action program this violation will be treated as an NCV consistent with section 2.3.2 of the NRC enforcement policy. This violation is identified as NCV 05000327, 328/2015007-02, Failure to meet Design Basis Requirements to have Interlocks between Shared systems.

CNL-16-004 E-3

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 II. TENNESSEE VALLEY AUTHORITY (TVA) OBSERVATIONS

1. Introduction The 480V Essential Raw Cooling Water (ERCW) Motor Control Centers (MCCs) support various ERCW loads such as: ERCW strainers, ERCW screen wash pumps, and travelling screens.

There are four (4) 480V ERCW MCC boards, 1A-A, 1B-B, 2A-A, and 2B-B, all located in the ERCW building. Each board is fed from its dedicated Unit and train 6.9kV shutdown board (SDBD) (1A-A, 1B-B, 2A-A, and 2B-B). Each 6.9kV SDBD has dedicated preferred (offsite) sources and a standby (diesel generator) power source. The design of the 6.9kV SDBDs meets the requirements of GDC-17, GDC-5, RG 1.6, RG 1.81, and IEEE 308-1971 for redundancy, independence, and multi-unit sharing.

Alternate power may be manually transferred to the 480V ERCW MCC boards. The alternate power source for the A-trains is from the opposite Unit's A-train 6.9kV SDBD, and the alternate power source for the B-trains is from the opposite Unit's B-train 6.9kV SDBD. Each train of the four (4) 480V ERCW MCC boards.and its associated loads is considered one load group.

Load groups of the opposite train designation and same Unit are redundant to each other (1A-A, 1B-B). Load groups of the same train designation and opposite Unit are not redundant to each other (1A-A, 2A-A).

The 480V ERCW MCCs do not have breaker alignment capability for manually connecting redundant load groups. The ability to parallel normal and alternate power sources is contained within a single load group. Should both the A-train normal and alternate power supplies to the 1A-A and 2A-A 480V ERCW MCCs be lost, the B-train normal and alternate power supplies to the 1B-B and 2B-B 480V ERCW MCCs are available such that sufficient power is maintained to operate the ESF features for a DBE on one unit and those systems required for concurrent safe shutdown on the remaining Unit.

See Attachment 1 for a simplified one-line diagram of 480V ERCW MCCs power sources and load groups.

The original design of the 480V ERCW MCCs included a mechanical interlock (Kirk Key) which prevented paralleling of the normal and alternate power supply on each MCC. The mechanical interlock was provided with the original MCC procurement in the original purchase specification.

The normal and alternate power supplies to each 480V ERCW MCC support the functions of one (1) train of 480V ERCW MCC loads. The standby power sources (fed through the Unit and train 6.9kV SDBDs to the same Unit and train 480V ERCW MCCs) have no connection to any other redundant load group. As permitted in RG 1.6 and described in the SQN UFSAR, the standby power source for one 480V ERCW MCC load group has a manual connection to a load group of a different Unit (same train designation). The Kirk Key provides a mechanical interlock between these same-train normal and alternate power sources. The Kirk Key does not provide a design or interlock function described in the Updated Final Safety Analysis Report (UFSAR) or required by GDC-17, GDC-5, RG 1.6, RG 1.81, or IEEE 308-1971.

CNL-16-004 E-4

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007

2. SQN Licensing and Design Basis 2.1 SQN Updated Final Safety Analysis Report (UFSAR)

Chapter 8 of the Sequoyah (SQN) UFSAR describes the current licensing basis of the offsite and onsite electric power systems.

Regarding the offsite preferred power system, Section 8.2 of the SQN UFSAR states:

The intent of GDC 17 has been implemented in the design of the Preferred Power System by providing two physically and functionally independent circuits for energizing safety related load groups. This section identifies these two circuits and describes the general provisions made to achieve functional independence between them.

And Regulatory Guide 1.6, Rev. O has been implemented by providing each redundant load group with a connection to each of the preferred source circuits. Figure 8.1.2-1 indicates that when supplied by preferred power circuits, the redundant load groups in each Unit are normally fed from different preferred power source circuits. Figure 8.1.2-1 also indicates that alternate feeder alignments at the start buses may result in feeding redundant load groups in each Unit from a common preferred power source circuit. The two preferred power source circuits are shared between the two nuclear units.

Regarding the onsite standby AC power system, Section 8.3 of the SQN UFSAR states:

The boards, motor control centers, and transformers comprising the system are arranged to provide physical independence and electrical separations between power trains necessary for eliminating credible common mode failures.

And Figure 8.1.2-1 is the single line representation of the plant AC auxiliary power distribution system. The standby portion of the system is identified as the diesel generators, the 6.9-kV shutdown boards, the 480V shutdown boards, and all motor control centers supplied by the 480V shutdown boards for both units.

The Standby Power System serving each unit is divided into two redundant load groups (power trains). These power trains (train A and train B for each unit) supply power to safety-related equipment.

The above statements establish that redundant load groups (power trains) are provided, consistent with RG 1.6.

Section 8.3.1.2 describes SQN's compliance with the redundancy and independence requirements of RG 1.6, RG 1.81, and IEEE 308-1971 for standby power systems described above:

CNL-16-004 E-5

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 Redundancy General Design Criteria 17 The onsite AC electrical power sources (diesels) and the onsite electrical distribution system have sufficient independence, redundancy, and testability to perform their safety function assuming a single failure.

Regulatory Guide 1.6, Rev. 0 The electrically powered AC safety loads are separated into redundant load groups such that loss of any one group will not prevent the minimum safety functions from being performed.

IEEE Standard 308-1971 Sufficient physical separation, electrical isolation, and redundance is provided to prevent the occurrence of common failure mode in Class 1E systems. The Class 1E system design includes:

(1) Electric loads separated into two redundant load groups.

(2) The safety actions performed by each group of loads are redundant and independent of the safety actions provided by its redundant counterpart.

(3) Each of the redundant load groups has access to both a preferred and a standby power supply. Each power supply consists of one or more sources.

Independence Regulatory Guide 1.6, Rev. 0 The design of the standby ac power system conforms with the independence requirements placed on redundant systems by Regulatory Guide 1.6, Rev. 0.

These include:

(a) The standby source of one load group cannot be automatically paralleled with the standby source of another load group or with the offsite system.

(b) No provisions exist for automatically connecting one load group to another load group.

(c) No provisions exist for automatically transferring loads between redundant power sources.

(d) Where means exist for manually connecting redundant load groups together, at least one interlock is provided to prevent an operator error that would parallel their standby power sources.

CNL-16-004 E-6

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 IEEE Standard 308-1971 Class 1E electric equipment is physically separated from its redundant counterpart or mechanically protected as required to prevent the occurrence of common failure mode.

Each type of Class 1E electric equipment is qualified either by analysis, successful use under conditions, or by actual test to demonstrate its ability to perform its function under normal and design basis events.

Distribution circuits to redundant equipment are physically and electrically independent of each other.

Auxiliary devices that are required to operate dependent equipment are supplied from a related bus section to prevent the loss of electric power in one load group from causing the loss of equipment in another load group.

Protective devices are provided to isolate failed equipment automatically. Sufficient indication is provided to identify the equipment that is made unavailable.

By means of breakers located in Class 1 structures it is possible to disconnect completely Class 1E systems from those portions located in other than Class 1 structures.

2.2 Regulatorv Requirements and Applicable Guidance The General Design Criteria (GDC) contained in Appendix A of 10 CFR 50 establish minimum requirements for the principal design criteria for water-cooled nuclear power plants. The following GDC, regulatory documents, and industry standards establish specific design requirements applicable to independence between redundant power sources and shared systems for multi-unit sites for SQN: GDC-17, GDC-5, RG 1.6, RG 1.81 and IEEE 308-1971 GDC-17 requires, in part, that the onsite electric power supplies, including the onsite electric distribution system, shall have sufficient independence and redundancy to perform their safety functions assuming a single failure.

GDC-5 requires that structures, systems, and components important to safety, including the onsite electric power supplies and distribution systems, shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cool down of the remaining units.

Relative to non-cited violation (NCV) 05000327, 328/2015007-02, Regulatory Guide (RG) 1.6 requires the following:

  • Safety loads should be separated into redundant load groups such that the loss of any one group will not prevent the minimum safety functions from being performed.
  • Each alternating current (AC) load group should have a connection to the preferred (offsite) and standby (onsite) power source:

CNL-16-004 E-7

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007

a. The standby power source should have no automatic connection to any other redundant load group;
b. At multi-unit sites, the standby power source for one load group may have an automatic connection to a load group of a different unit;
c. A preferred power source bus may serve redundant load groups.
  • When operating from the standby power sources, redundant load groups and the redundant standby sources should be independent of each other at least to the following extent:
a. The standby source of one load group should not be automatically paralleled with the standby source of another load group under accident conditions;
b. No provisions should exist for automatically connecting one load group to another load group;
c. No provisions should exist for automatically transferring loads between redundant load groups;
d. If means exist for manually connecting redundant load groups together, at least one interlock should be provided to prevent an operator error that would parallel their standby power sources.

RG 1.6 provides the following definitions:

Preferred Power System: The offsite external commercial power system.

Standby Power System: Those onsite power sources and their distribution equipment provided to energize devices essential to safety and capable of operation independently of the preferred power system.

Standby Power Source: An electrical generating unit and all necessary auxiliaries, usually a diesel generator set, which is part of the standby power system.

Load Group: An arrangement of buses, transformers, switching equipment, loads, etc.,

fed from the same power source.

RG 1.81 describes the potential undesirable effects of sharing onsite power systems at a multi-unit site:

Sharing of onsite power systems at multi-unit power plant sites generally results in a reduction in the number and capacity of the onsite power sources to levels below those required for the same number of units located at separate sites. The reduced capacity could cause undesirable interactions. Examples of such interactions are (1) the interconnection of engineered safety feature (ESF) control circuits of each unit such that failures and maintenance or testing operations in one unit affect the availability of ESF in other units, (2) coordination required between unit operators in order to cope with an accident in one unit and safe shutdown of the remaining unit(s), and (3) system overload conditions as a consequence of real accident in a unit coincident with a false or spurious accident signal in another unit.

CNL-16-004 E-8

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 RG 1.81 further states that a device is considered to be shared among units if it is designed to perform the same function in all units as required.

Relative to non-cited violation (NCV) 05000327, 328/2015007-02, Regulatory Guide (RG) 1.81 requires the following: *

  • A single failure should not preclude the capability to automatically supply minimum ESF loads in any one unit and safely shut down the remaining unit, assuming a loss of offsite power
  • The interaction between each unit's ESF electric circuits should be limited such that any allowable combination of maintenance and test operations in the units will not preclude the capability to automatically supply power to minimum ESF loads in any unit, assuming a loss of offsite power IEEE Standard 308-1971 reiterates the RG 1.6 and RG 1.81 positions described above.

Specifically:

  • Sufficient physical separation, electrical isolation, and redundancy shall be provided to prevent the occurrence of common failure mode in the Class 1E systems;
  • Multi-unit stations may share preferred and standby power supply capacity between units, given that the total preferred capacity is sufficient to operate the ESF features for a design basis event (DBE) on one unit and those systems required for concurrent safe shutdown on the remaining unit(s);
  • It is permissible to provide inter-unit ties between the Class 1E buses of the units in a multi-unit station, provided any single component failure does not degrade the Class 1E electrical systems of any unit below an acceptable level and provided that the independence of the redundant systems is maintained;
  • Shared Class 1E electric systems shall be designed such that the sharing does not increase the probability of a DBE occurring in more than one unit at the same time.

The requirements and definitions above establish the redundancy and independence requirements for preferred and standby power sources, as well as the preferred and standby power requirements for multi-unit sites. Further, the requirements for these power systems as they relate to redundant load groups, and the ESF functions provided by those redundant load groups, are established. *

3. TVA Observation - Establishing Performance Characteristics 3.1 NRC Statement The NRC Inspection Report stated:

10 CFR Part 50, Appendix B, Criterion Ill, "Design Control," stated, in part, that "measures shall include provisions to assure that appropriate quality standards are specified and included in design documents and that deviations from such standards are controlled. "Contrary to the CNL-16-004 E-9

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 above since 2014, the licensee failed to include provisions to assure that appropriate quality standards were specified and included in design documents and that deviations from such standards were controlled. Specifically, design changes to the Unit 1A and Unit 2A ERCW power sources failed to include IEEE 308-1971, Regulatory Guides 1.81 and 1.6 and that deviations from them were controlled subject to design control measures commensurate with those applied to the original design.

3.2 TVA Observation The design of the 480V ERCW MCCs (with or without the mechanical interlock) is consistent with GDC-17, GDC-5, RG 1.6, RG 1.81, and IEEE 308-1971. Redundant load groups are powered by offsite (preferred) and onsite (standby) power sources that are dedicated to each power division's Unit and train designation. In providing sufficient power to operate the ESF functions for a DBE on one unit and those systems required for concurrent safe shutdown on the remaining unit, load groups of the opposite train designation and same Unit (e.g., 1A and 1B) are redundant to each other. Load groups of the same train designation and opposite Unit (e.g., 1A and 2A) are not redundant to each other. Standby power sources from the same train designation and opposite Unit (e.g., 1A and 2A) are considered alternate power sources to a load group.

The 480V ERCW MCCs do not have breaker alignment capability for manually connecting redundant load groups. The ability to parallel normal and alternate power sources is contained within a single load group. The purpose of the mechanical interlock was not to prevent the connection of redundant load groups, rather the purpose of the mechanical interlock was to preclude the paralleling of normal and alternate sources within a same train. Should both the A-train normal and alternate power supplies to the 1A-A and 2A-A 480V ERCW MCCs be lost, the B:..train normal and alternate power supplies to the 1B-B and 2B-B 480V ERCW MCCs are available such that sufficient power is maintained to operate the ESF features for a DBE on one unit and those systems required for concurrent safe shutdown on the remaining unit.

Replacing the Kirk Key mechanical interlocks with administrative controls does introduce the possibility of aligning two ERCW transformers to a single MCC in the event that the administrative controls are not effective. However, this would not impact the design functions of the ERCW system. As described in DCN 23085, "Replace breaker handle, breaker operating mechanism and remove Kirk Key interlock," paralleling of the two ERCW transformers onto a single MCC increases the available short circuit current and causes circulating currents that can heat and damage equipment. The possible heating effects of the circulating currents are minimized due to the similarity in impedance values of the transformers which are powered from the 161 kV system. Similar to transformer impedance, this limits the voltage variation that causes the circulating currents to the differences in impedance from the source to each of the ERCW MCCs. Additionally, each of the ERCW main feeder breakers is equipped with a thermal trip unit that provides an additional level of protection against the possible heating effects.

Regarding fault current, the MCC buses, MCC breakers, and cross-tie breakers are rated to clear the maximum fault current supplied by two paralleled ERCW transformers without impacting the electrical supply. Although, the available fault current could potentially double, the capacity of the MCC buses, MCC breakers, and cross-tie breakers are sufficiently sized to withstand and clear the available fault current. There are two breakers that feed from the two 6.9 kV sources, one above and one below the step down transformers. It would take a failure of more than one breaker to impact either 6.9 kV source, and more than a single failure to impact both 6.9 kV sources.

CNL-16-004 E-10

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 The ERCW system is a shared two-train system, each train having the capability to provide the maximum required cooling water requirement for both units under any credible plant conditions.

These equipment trains are sufficiently independent to guarantee the availability of at least one train at any time. The operation of two pumps on one train is sufficient to supply all cooling water requirements for the 2-Unit plant for unit cool down, refueling, or post-accident operation.

Such an arrangement assures adequate cooling water under both normal and emergency conditions. The removal of the Kirk Key interlock from the 480V ERCW MCC design did not create the possibility of undesirable interactions, as described in RG 1.81. On page 2 of RG 1.81, the following examples of undesirable interactions are given:

  • The interconnection of engineered safety feature (ESF) control circuits of each unit such that failures and maintenance or testing operations in one unit affect the availability of ESF in other units;
  • Coordination required between unit operators in order to cope with an accident in one unit and safe shutdown of the remaining unit(s); and
  • System overload conditions as a consequence of real accident in a unit coincident with a false or spurious accident signal in another unit.

Alternate power supplies to each 480V ERCW MCC from the opposite Unit, same train designation do not interconnect ESF control circuits between Units, and cannot cause system overload conditions as a consequence of a real accident in a Unit coincident with a false or spurious accident in another Unit. Also, the administrative controls to prevent power source paralleling are not performed as a part of accident mitigation actions.

The Kirk Key interlocks do not provide a design or licensing basis function described in the UFSAR. SQN is required to provide redundant, independent load groups of Class 1E power systems to prevent common failure modes. Each load group must have a preferred and standby power source. The load group independence requirements of RG 1.6 are met in the SQN design, as described in Chapter 8 of the UFSAR. Protective devices are provided to isolate failed equipment automatically such that the loss of one load group does not cause the loss of equipment in the redundant load group. A failure caused by inadvertently paralleling the normal and alternate power supplies to a 480V ERCW MCC cannot result in the loss of equipment in a redundant load group.

CNL-16-004 E-11

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 4.: Summary The 480V ERCW MCCs design, and their associated power sources, comply with GDC-17, GDC-5, RG 1.6, RG 1.81, and IEEE 308-1971. The removal of the Kirk Key from the design did not alter the possibility of undesirable effects described in RG 1.81, as discussed in Section 7.1 of this Enclosure.

Removal of the Kirk Key mechanical interlocks and failure to follow administrative controls potentially aligns two ERCW transformers (same train, opposite unit) to a single MCC. The 10 CFR 50.59 evaluation for this design change concluded that this will not result in a more than minimal increase in the likelihood of occurrence of a malfunction of systems, structures and components (SSC) important to safety previously evaluated in the UFSAR. The worst case result of alignment of two ERCW transformers to a single MCC is the loss of one shared train of ERCW. This potential loss of a single train of ERCW previously existed when ERCW MCCs were cross tied from a single transformer. Because each train is capable of providing the maximum required cooling water for both units under any credible plant condition, the design and licensing basis of the ERCW system continues to be met.

DCN 23085 10 CFR 50.59 evaluation response to 10 CFR 50.59 Criterion (c)(2)(ii),"Does the proposed activity result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the UFSAR," has been enhanced to evaluate the 480V ERCW MCC mechanical interlock replacement with administrative controls as a modified manual action. NEI 96-07, Revision 1, Section 4.3.2, Example 4 provides guidance for the human performance aspects of manual operator actions for DCN 23085. This guidance includes verification that the revised manual action.is reflected in plant procedures and operator training, action completion time, ability to recover from credible errol'S, and the effect of the change on plant systems. The revised 10 CFR 50.59 evaluation concludes based upon the response to the NEI 96-07, Revision 1, Section 4.3.2, Example 4 guidance, there is not a more than minimal increase in the likelihood of malfunction of the ERCW MCCs as a result of replacing the mechanical interlock with administrative controls. The 10 CFR 50.59 evaluation revision has been reviewed and approved by the Plant Operation Review Committee (PORC) on October 28, 2015.

CNL-16-004 E-12

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 Ill. SEVERITY LEVEL IV VIOLATION 05000327, 328/2015007-03: FAILURE TO REQUEST A LICENSE AMENTMENT PRIOR TO REMOVING INTERLOCKS FROM SHARED ONSITE EMERGENCY AND SHUTDOWN AC ELECTRIC SYSTEMS In Nuclear Regulatory Commission (NRC) Inspection Report 05000327, 328/2015007, dated September 14, 2015, Severity Level IV violation (SUV) 05000327, 328/2015007-03 is described as follows (emphasis added):

10CFR 50.59.c.(2).ii stated, "A licensee shall obtain a license amendment pursuant to Sec. 50.90 prior to implementing a proposed change, test, or experiment if the change, test, or experiment would result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the final safety analysis report (as updated)." Contrary to the above since 2014, the licensee did not obtain a license amendment pursuant to Sec 50.90 prior to implementing the change to kirk-key interlocks, which created a more than minimal increase in the likelihood of occurrence of a malfunction of a SSC important to safety previously evaluated in the UFSAR. The issue was entered into the licensee's corrective action program as CR 1076179. The licensee has administrative controls in place to limit the risk of this configuration pending determination of corrective actions. Because the finding was of very low safety significance (SUV) and was entered into the licensee's corrective action program this violation will be treated as an NCV consistent with section 2.3.2.a of the NRC enforcement policy. This violation is identified as NCV 05000327, 328/2015007-03, Failure to request a licensee amendment prior to removing interlocks from shared onsite emergency and shutdown AC electric systems.

In addition, the following descriptions of the issue were provided:

Further, departures from the design and performance standards as outlined in the General Design Criteria (Appendix A to Part 50) are not compatible with a "no more than minimal increase" standard."

And A modification to the MCCs removed these kirk key interlocks and the licensee failed to identify that the design departed from the acceptance criteria outlined in the design and performance standards mentioned above. Further, the removal of the kirk key interlock made credible the possibility of a single act or event paralleling the two MCCs power sources, which could now cause undesirable interactions. The inspectors determined that this modification more than minimally increased the likelihood of occurrence of a malfunction of the shared ERCW A train, which would have required NRC approval prior to implementation.

And The licensee's change to the facility resulted in a departure from acceptance criteria in design and performance standards, which resulted in a more than a minimal increase in the likelihood of occurrence of a malfunction as specified by NEI 96-07 Chapter 4, was a CNL-16-004 E-13

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 performance deficiency. The performance deficiency was determined to be more than minor because there was a reasonable likelihood that the change required Commission review and approval prior to implementation and the failure to request approval impacted the regulatory process. Specifically, the departure from acceptance criteria identified in IEEE 308, RG 1.81, and RG 1.6 reasonably required commission review and approval prior to implementation.

IV. TENNESSEE VALLEY AUTHORITY OBSERVATIONS

1. Introduction In the design change that removed the Kirk Key from the 480V ERCW MCC design, SQN instituted administrative controls to preclude paralleling the normal and alternate power sources to one (1) load group (train). Since the Kirk Key did not provide a design function described in the UFSAR, the change could not have resulted in a more than minimal increase in the likelihood of occurrence of a malfunction. In the 10 CFR 50.59 evaluation, SON assessed operator error as a mode of failure for one train of 480V ERCW MCC for either unit, and whether the change deviated from the UFSAR-described ERCW and/or power distribution designs. SQN concluded that the change would not result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety based on the following:
  • The existing fault clearing equipment is rated for the expected fault current, should the power sources to one (1) train of a Unit's 480V ERCW MCCs be paralleled, such that the fault will not propagate to the power sources
  • A malfunction of one (1) train of a Unit's 480V ERCW MCCs due to normal and alternate power source paralleling caused by an operator error would not prevent the ERCW system from performing its design function as described in the UFSAR, or increase the likelihood of ERCW system malfunction
  • The instituted administrative controls are not part of accident mitigation actions, and do not support a design function described in the UFSAR.

CNL-16-004 E-14

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007

2. SQN Licensing and Design Basis 2.1 SQN Updated Final Safety Analysis Report CUFSARl See Section 2.1, Sequoyah Licensing and Design Basis, under the first violation of this Enclosure for a detailed description of the licensing basis and design of the SQN offsite (preferred) and onsite (standby) power supplies, as well as the licensing basis and design of the 480V ERCW MCCs and the Kirk Key.

The SQN electrical power scheme associated with the 480V ERCW MCCs, as described in the UFSAR, conforms to RG 1.6, RG 1.81, and IEEE 308. In conforming to the above standards, SQN meets GDC-17 for electrical power system design, and GDC-5 for multi-unit sharing of electric power systems.

  • In addition, the removal of the Kirk Key interlock from the 480V ERCW MCC design did not create the possibility of undesirable interactions, as described in RG 1.81. On page 2 of RG 1.81, the following examples of undesirable interactions are given:
  • The interconnection of engineered safety feature (ESF) control circuits of each unit such that failures and maintenance or testing operations in one unit affect the availability of ESF in other units,
  • Coordination required between unit operators in order to cope with an accident in one unit and safe shutdown of the remaining unit(s), and
  • System overload conditions as a consequence of real accident in a unit coincident with a false or spurious accident signal in another unit.

2.2 Regulatory Requirements and Applicable Guidance 10 CFR 50.59, Changes, Tests, and Experiments, provides the criteria to be utilized in assessing whether a change to the licensing basis of the facility, as described in the updated final safety analysis report (UFSAR), requires prior NRC approval pursuant to 10 CFR 50.90.

Regulatory Guide (RG) 1.187, Guidance for Implementing of 10 CFR 50.59, Changes, Tests, and Experiments, provides additional clarification to licensees regarding acceptable guidance for use when implementing 10 CFR 50.59. RG 1.187 endorses Nuclear Energy Institute (NEI) 96-07, Guidelines for 10 CFR 50.59 Evaluations, Revision 1.

NEI 96-07 provides criteria for assessing whether specific types of changes require prior NRC approval. Additional guidance is provided to assess the activity against the criteria of 10 CFR 50.59(c)(2). Relative to severity level IV violation 05000327, 328/2015007-03, the following criterion is discussed:

Does the activity result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety?

NEI 96-07 discusses this criterion in Section 4.3.2:

CNL-16-004 E-15

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 Although this criterion allows minimal increases, licensees must still meet applicable regulatory requirements and other acceptance criteria to which they are committed (such as contained in regulatory guides and nationally recognized industry consensus standards, e.g., the ASME B&PV Code and IEEE standards). Further, departures from the design, fabrication, construction, testing and performance standards as outlined in the General Design Criteria (Appendix A to Part 50) are not compatible with a "no more than minimal increase" standard.

In addition, the following example is given to illustrate a case where an activity would not constitute more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety:

The change involves a new or modified operator action that supports a design function credited in safety analyses provided:

  • The action (including required completion time) is reflected in plant procedures and operator training programs
  • The licensee has demonstrated that the action can be completed in the time required considering the aggregate affects, such as workload or environmental conditions, expected to exist when the action is required
  • The evaluation of the change considers the ability to recover from credible errors in performance of manual actions and the expected time required to make such a recovery
  • The evaluation considers the effect of the change on plant systems.

Finally, the following example is given to illustrate a case where an activity would require prior NRC approval because it would result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety:

The change would (permanently) substitute manual action for automatic action for performing UFSAR-described design functions. (Guidance for temporary substitution of manual action for automatic action to compensate for a degraded/nonconforming condition is provided in NRC Generic Letter 91-18, Revision 1.)

See Section 2.2, Regulatory Requirements and Applicable Guidance, under the first violation of this Enclosure for additional discussion of the regulatory requirements and guidance documents pertinent to SUV violation 05000327, 328/2015007-03.

CNL-16-004 E-16

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007

3. TVA Observation~ Prior NRC Approval 3.1 NRC Statement The NRC Inspection Report stated:

10 CFR 50.59.c.(2).ii stated, "A licensee shall obtain a license amendment pursuant to Sec. 50.90 prior to implementing a proposed change, test, or experiment if the change, test, or experiment would result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the final safety analysis report (as updated)." Contrary to the above since 2014, the licensee did not obtain a license amendment pursuant to Sec 50. 90 prior to implementing the change to kirk-key interlocks, which created a more than minimal increase in the likelihood of occurrence of a malfunction of a SSC important to safety previously evaluated in the UFSAR.

3.2 TVA Observation See discussions above regarding SQN's compliance with GDC-17, GDC-5, RG 1.6, RG 1.81, and IEEE 308-1971. The term, "undesirable interactions," originates from RG 1.81 and is in reference to multi-unit sharing of onsite emergency and shutdown AC electrical systems. As established above, the SQN design is not capable of causing undesirable effects, as defined in RG 1.81, even if the 1A and 2A 480V ERCW MCCs are paralleled and the boards lost (i.e., the B-train is fully capable of providing and supporting DBE ESF functions).

In addition, the "more than minimal" criteria in NEI 96-07 are generally related to malfunctions that could cause, or inhibit the mitigation of, DBEs. The action to change power from normal to alternate on a 480V ERCW MCC is not related to accident mitigation, and should an error occur, could not cause a malfunction of a redundant train. It would be inappropriate to apply the "more than minimal," criteria generically to equipment that does not support or perform functions described in the UFSAR.

4. Summary The 480V ERCW MCCs design, and their associated power sources, comply with GDC-17, GDC-5, RG 1.6, RG 1.81, and IEEE 308. The removal of the Kirk Key from the design did not create the possibility of undesirable effects described in RG 1.81, as discussed in Section 7.1 of this Enclosure.

In addition, this change did not result in a more than minimal increase in the likelihood of occurrence of a malfunction of the Unit 1 and/or Unit 2 A-train ERCW systems: the instituted administrative controls do not meet the criteria established in Section 4.3.2 of NEI 96-07, Revision 1, for changes that would require prior NRC approval because they would result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety.

CNL-16-004 E-17

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007

5. Additional Information Although the violation is characterized as a findings of very low safety significance, the regulatory precedent and licensing basis ramifications could be significant to SQN and the rest of the TVA nuclear fleet. The NRC position documented in the NRC Inspection Report appears to constitute a change in NRC regulatory position. Specifically, the NRC Inspection Report definition of inter-unit sharing as redundant load groups may apply to similar configurations in other systems at SQN and within the TVA fleet (e.g., component cooling water system, emergency gas treatment system).
6. References GDC-5, Sharing of Structures, Systems, and Components GDC-17, Electric Power Systems Regulatory Guide 1.6 (AEC Safety Guide 1.6), Independence Between Redundant (Onsite)

Power Sources and Between Their Distribution Systems, Revision 0 Regulatory Guide (RG) 1.81, Shared Emergency and Shutdown Electric Systems for Multi-Unit Nuclear Power Plants, Revision 1 IEEE 308-1971, Criteria for Class 1E Electric Systems for Nuclear Power Generating Sta.tion CNL-16-004 E-18

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 Attachment 1 Simplified One-Line Diagram of 480V ERCW MCCs Power Sources and Load Groups

)( 'l From 6 .9kV SDBD lA-A From 6 .9kV SDBD 2A-A JL x 1-BCTA-202-CM/22-A ) 2-BCTA-202-C0/22-A )

Transforme r lA-A Transformer 2A-A 6.9kV-480V 6.9kV-480V 300KVA

~

1-BCTD-201- FKN/lA-A )

I 1A-A 480V ERCW MCC I lA-A Load Group 1-BCTD-201- FKA/lB- A 2A-A Load Group Note: The 480V Main Feeder Breakers 1-BCTD-201-FKN/lA-A and 2-BCTD-201-FLN/

lA-A and the Tie Breakers 1-BCTD-201-FKA/lB-A and 2-BCTD-201-FLA/lB-A are administratively interlocked to prevent the transformers from being paralleled .

'{ 't From 6.9kV SDBD lB-B From 6.9kV SDBD 2B-B 1-BCTA-202- C N / 2 2 - i) B 2-BCTA-202-CP/22x-B )

Transformer lB-B Transformer 2B-B i) 6.9kV-480V 6.9kV- 480V 300KVA 300KVA

~)

~

l) 2-BCTD-201-FNA/lB- B 1-BCTD-201-FMN/lA-B 0 HCTDW>>NN/>Ae I 1B-B 480V ERCW MCC I <( ) I ,,_, "ov mw Mee I lB- B Load Group 2B- B Load Group Note: The 480V Main Feeder Breakers 1- BCTD- 201-FMN/lA-B and 2-BCTD-201-FNN/lA-B and the Tie Breakers 1-BCTD-201- FMA/lB-B and 2-BCTD-201-FNA/lB-B are mechanically interlocked to prevent the transformers from being paralleled .

CNL-16-004 E-19

Tennessee Valley Authority, 1101 Market Street, Chattanooga, Tennessee 37402 January 8, 2016 10 CFR 50.4 CNL-16-004 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, D.C. 20555-0001 Sequoyah Nuclear Plant, Units 1 and 2 Renewed Facility Operating License Nos. DPR-77 and DPR-79 NRC Docket Nos. 50-327 and 50-328

Subject:

Observations on the Basis for a Non-Cited Violation Involving a Design Change to Remove a Kirk Key Mechanical Interlock

Reference:

Letter from NRC to TVA, "Sequoyah Nuclear Plant - NRC Evaluation of Changes, Tests , and Experiments and Permanent Plant Modifications Inspection Report 05000327 /2015007 and 05000328/2015007," dated September 14, 2015 On July 31 , 2015, the Nuclear Regulatory Commission (NRC) completed an inspection at Sequoyah (SQN) for Evaluation of Changes, Tests , and Experiments and Permanent Plant Modifications as documented in the above reference . NRC inspectors documented four non-cited violations (NCVs) of very low safety significance (green) and one Severity Level IV NCV.

Tennessee Valley Authority (TVA) is not contesting the violations.

The purpose of this letter is to provide TVA's observations on the basis for the NCVs involving ;

1) the failure to ensure that plant licensing design basis for shared Class 1E electrical systems were controlled and maintained, and 2) the failure to obtain a license amendment prior to implementing a change to the onsite emergency and shutdown alternating current electrical systems supplying the shared essential raw cooling water systems. The enclosure to this letter provides TVA's observations on the basis of the NCVs.

There are no regulatory commitments contained in this submittal. If you have any questions, please call Mike McBrearty, Site Licensing Manager at (423) 843-7088.

ely, L~

ice President, Nuclear Licensing Enclosure cc: See Page 2

U.S. Nuclear Regulatory Commission CNL-16-004 Page2 January 8, 2016

Enclosure:

Observations on the Basis for Violation Documented in NRG Inspection Report 05000327, 328/2015007 cc: (Enclosure)

NRG Regional Administrator - Region II NRG Branch Chief - Region II NRG Senior Resident Inspector - Sequoyah Nuclear Plant NRG Project Manager - Sequoyah Nuclear Plant

U.S. Nuclear Regulatory Commission CNL-16-004 Page3 January 8, 2016 JTJ:

bee (Enclosure):

M. A Balduzzi G. A Boerschig C.R. Church D. M. Czufin S. M. Douglas M. J. Durr M. A. Giacini M. Gillman J.P. Grimes E. K. Henderson T. A Hess J. T.Johnson T. B. Marshall M. W. McBrearty W. J. Pierce P. P. Pratt W.C. Reneau E. D. Schrull C. J. Schwarz J.W.Shea S. A Vance B. A Wetzel P.R. Wilson EDMS

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327,328/2015007 CNL-16-004 E-1

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 TABLE OF CONTENTS Executive Summary I. NRC NON-CITED VIOLATION 05000327, 328/2015007-02: FAILURE TO MEET DESIGN BASIS REQUIREMENTS TO PROVIDE INTERLOCKS BETWEEN SHARED ONSITE EMERGENCY AND SHUTDOWN AC ELECTRIC SYSTEMS II. TENNESSEE VALLEY AUTHORITY (TVA) OBSERVATIONS

1. Introduction
2. Sequoyah (SQN) Licensing and Design Basis 2.1 SQN Updated Final Safety Analysis Report (UFSAR) 2.2 Regulatory Requirements and Applicable Guidance
3. TVA Observation - Establishing Performance Characteristics 3.1 NRC Statement 3.2 TVA Observation
4. Summary 111. SEVERITY LEVEL IV VIOLATION 05000327, 328/2015007-03: FAILURE TO REQUEST A LICENSE AMENTMENT PRIOR TO REMOVING INTERLOCKS FROM SHARED ONSITE EMERGENCY AND SHUTDOWN AC ELECTRIC SYSTEMS IV. TENNESSEE VALLEY AUTHORITY (TVA) OBSERVATIONS
1. Introduction
2. SQN Licensing and Design Basis 2.1 SQN UFSAR 2.2 Regulatory Requirements and Applicable Guidance
3. TVA Observation - Prior NRC Approval 3.1 NRC Statement 3.2 TVA Observation
4. Summary
5. Additional Information
6. References Attachment 1 Simplified One-Line Diagram of 480V ERCW MCCs Power Sources and Load Groups CNL-16-004 E-2

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 Executive Summary:

The Tennessee Valley Authority (TVA) has reviewed Non-Cited Violation (NCV) 05000327, 328/2015007-02 and -03 issued by the NRC in Inspection Report 05000327, 05000328/2015007 on September 14, 2015, for the Sequoyah Nuclear Plant (SQN). TVA has identified several observations on specific elements of the NCVs and the supporting information in the Inspection Report. TVA has reviewed the broad base of regulatory requirements and guidance and related industry standards as well as the SQN plant specific licensing basis. The observations address elements of the inspection report and NCV where the relationship to regulatory requirements, guidance, and standards were unclear. Based on this review, TVA's observation is that SQN programs and processes for design control for the Unit 1A and Unit 2A Essential Raw Cooling Water (ERCW) Motor Control Centers (MCC) still appear appropriate and consistent with SQN licensing basis, and regulatory requirements and guidance. Similarly, TVA's observation is that prior NRC approval does not appear to be warranted or required for the design change involving the Kirk Key mechanical interlock.

I. NRC NON-CITED VIOLATION 05000327, 32812015007-02: FAILURE TO MEET DESIGN BASIS REQUIREMENTS TO PROVIDE INTERLOCKS BETWEEN SHARED ONSITE EMERGENCY AND SHUTDOWN AC ELECTRIC SYSTEMS NRC Inspection Report 05000327, 328/2015007, dated September 14, 2015, states non-cited violation (NCV) 05000327, 328/2015007-02 as follows (emphasis added):

10 CFR Part 50, Appendix B, Criterion Ill, "Design Control," stated, in part, that "measures shall include provisions to assure that appropriate quality standards are specified and included in design documents and that deviations from such standards are controlled." Contrary to the above since 2014, the licensee failed to include provisions to assure that appropriate quality standards were specified and included. in design documents and that deviations from such standards were controlled. Specifically, design changes to the Unit 1A and Unit 2A ERCW power sources failed to include IEEE 308-1971, Regulatory Guides 1.81 and 1.6 and that deviations from them were controlled subject to design control measures commensurate with those applied to the original design. The issue was entered into the licensee's corrective action program as CR 1064736. The licensee has administrative controls in place to limit the risk of this configuration pending determination of corrective actions. Because the finding was of very low safety significance (Green) and was entered into the licensee's corrective action program this violation will be treated as an NCV consistent with section 2.3.2 of the NRC enforcement policy. This violation is identified as NCV 05000327, 328/2015007-02, Failure to meet Design Basis Requirements to have Interlocks between Shared systems.

CNL-16-004 E-3

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 II. TENNESSEE VALLEY AUTHORITY (TVA) OBSERVATIONS

1. Introduction The 480V Essential Raw Cooling Water (ERCW) Motor Control Centers (MCCs) support various ERCW loads such as: ERCW strainers, ERCW screen wash pumps, and travelling screens.

There are four (4) 480V ERCW MCC boards, 1A-A, 1B-B, 2A-A, and 2B-B, all located in the ERCW building. Each board is fed from its dedicated Unit and train 6.9kV shutdown board (SDBD) (1A-A, 1B-B, 2A-A, and 2B-B). Each 6.9kV SDBD has dedicated preferred (offsite) sources and a standby (diesel generator) power source. The design of the 6.9kV SDBDs meets the requirements of GDC-17, GDC-5, RG 1.6, RG 1.81, and IEEE 308-1971 for redundancy, independence, and multi-unit sharing.

Alternate power may be manually transferred to the 480V ERCW MCC boards. The alternate power source for the A-trains is from the opposite Unit's A-train 6.9kV SDBD, and the alternate power source for the B-trains is from the opposite Unit's B-train 6.9kV SDBD. Each train of the four (4) 480V ERCW MCC boards.and its associated loads is considered one load group.

Load groups of the opposite train designation and same Unit are redundant to each other (1A-A, 1B-B). Load groups of the same train designation and opposite Unit are not redundant to each other (1A-A, 2A-A).

The 480V ERCW MCCs do not have breaker alignment capability for manually connecting redundant load groups. The ability to parallel normal and alternate power sources is contained within a single load group. Should both the A-train normal and alternate power supplies to the 1A-A and 2A-A 480V ERCW MCCs be lost, the B-train normal and alternate power supplies to the 1B-B and 2B-B 480V ERCW MCCs are available such that sufficient power is maintained to operate the ESF features for a DBE on one unit and those systems required for concurrent safe shutdown on the remaining Unit.

See Attachment 1 for a simplified one-line diagram of 480V ERCW MCCs power sources and load groups.

The original design of the 480V ERCW MCCs included a mechanical interlock (Kirk Key) which prevented paralleling of the normal and alternate power supply on each MCC. The mechanical interlock was provided with the original MCC procurement in the original purchase specification.

The normal and alternate power supplies to each 480V ERCW MCC support the functions of one (1) train of 480V ERCW MCC loads. The standby power sources (fed through the Unit and train 6.9kV SDBDs to the same Unit and train 480V ERCW MCCs) have no connection to any other redundant load group. As permitted in RG 1.6 and described in the SQN UFSAR, the standby power source for one 480V ERCW MCC load group has a manual connection to a load group of a different Unit (same train designation). The Kirk Key provides a mechanical interlock between these same-train normal and alternate power sources. The Kirk Key does not provide a design or interlock function described in the Updated Final Safety Analysis Report (UFSAR) or required by GDC-17, GDC-5, RG 1.6, RG 1.81, or IEEE 308-1971.

CNL-16-004 E-4

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007

2. SQN Licensing and Design Basis 2.1 SQN Updated Final Safety Analysis Report (UFSAR)

Chapter 8 of the Sequoyah (SQN) UFSAR describes the current licensing basis of the offsite and onsite electric power systems.

Regarding the offsite preferred power system, Section 8.2 of the SQN UFSAR states:

The intent of GDC 17 has been implemented in the design of the Preferred Power System by providing two physically and functionally independent circuits for energizing safety related load groups. This section identifies these two circuits and describes the general provisions made to achieve functional independence between them.

And Regulatory Guide 1.6, Rev. O has been implemented by providing each redundant load group with a connection to each of the preferred source circuits. Figure 8.1.2-1 indicates that when supplied by preferred power circuits, the redundant load groups in each Unit are normally fed from different preferred power source circuits. Figure 8.1.2-1 also indicates that alternate feeder alignments at the start buses may result in feeding redundant load groups in each Unit from a common preferred power source circuit. The two preferred power source circuits are shared between the two nuclear units.

Regarding the onsite standby AC power system, Section 8.3 of the SQN UFSAR states:

The boards, motor control centers, and transformers comprising the system are arranged to provide physical independence and electrical separations between power trains necessary for eliminating credible common mode failures.

And Figure 8.1.2-1 is the single line representation of the plant AC auxiliary power distribution system. The standby portion of the system is identified as the diesel generators, the 6.9-kV shutdown boards, the 480V shutdown boards, and all motor control centers supplied by the 480V shutdown boards for both units.

The Standby Power System serving each unit is divided into two redundant load groups (power trains). These power trains (train A and train B for each unit) supply power to safety-related equipment.

The above statements establish that redundant load groups (power trains) are provided, consistent with RG 1.6.

Section 8.3.1.2 describes SQN's compliance with the redundancy and independence requirements of RG 1.6, RG 1.81, and IEEE 308-1971 for standby power systems described above:

CNL-16-004 E-5

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 Redundancy General Design Criteria 17 The onsite AC electrical power sources (diesels) and the onsite electrical distribution system have sufficient independence, redundancy, and testability to perform their safety function assuming a single failure.

Regulatory Guide 1.6, Rev. 0 The electrically powered AC safety loads are separated into redundant load groups such that loss of any one group will not prevent the minimum safety functions from being performed.

IEEE Standard 308-1971 Sufficient physical separation, electrical isolation, and redundance is provided to prevent the occurrence of common failure mode in Class 1E systems. The Class 1E system design includes:

(1) Electric loads separated into two redundant load groups.

(2) The safety actions performed by each group of loads are redundant and independent of the safety actions provided by its redundant counterpart.

(3) Each of the redundant load groups has access to both a preferred and a standby power supply. Each power supply consists of one or more sources.

Independence Regulatory Guide 1.6, Rev. 0 The design of the standby ac power system conforms with the independence requirements placed on redundant systems by Regulatory Guide 1.6, Rev. 0.

These include:

(a) The standby source of one load group cannot be automatically paralleled with the standby source of another load group or with the offsite system.

(b) No provisions exist for automatically connecting one load group to another load group.

(c) No provisions exist for automatically transferring loads between redundant power sources.

(d) Where means exist for manually connecting redundant load groups together, at least one interlock is provided to prevent an operator error that would parallel their standby power sources.

CNL-16-004 E-6

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 IEEE Standard 308-1971 Class 1E electric equipment is physically separated from its redundant counterpart or mechanically protected as required to prevent the occurrence of common failure mode.

Each type of Class 1E electric equipment is qualified either by analysis, successful use under conditions, or by actual test to demonstrate its ability to perform its function under normal and design basis events.

Distribution circuits to redundant equipment are physically and electrically independent of each other.

Auxiliary devices that are required to operate dependent equipment are supplied from a related bus section to prevent the loss of electric power in one load group from causing the loss of equipment in another load group.

Protective devices are provided to isolate failed equipment automatically. Sufficient indication is provided to identify the equipment that is made unavailable.

By means of breakers located in Class 1 structures it is possible to disconnect completely Class 1E systems from those portions located in other than Class 1 structures.

2.2 Regulatorv Requirements and Applicable Guidance The General Design Criteria (GDC) contained in Appendix A of 10 CFR 50 establish minimum requirements for the principal design criteria for water-cooled nuclear power plants. The following GDC, regulatory documents, and industry standards establish specific design requirements applicable to independence between redundant power sources and shared systems for multi-unit sites for SQN: GDC-17, GDC-5, RG 1.6, RG 1.81 and IEEE 308-1971 GDC-17 requires, in part, that the onsite electric power supplies, including the onsite electric distribution system, shall have sufficient independence and redundancy to perform their safety functions assuming a single failure.

GDC-5 requires that structures, systems, and components important to safety, including the onsite electric power supplies and distribution systems, shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cool down of the remaining units.

Relative to non-cited violation (NCV) 05000327, 328/2015007-02, Regulatory Guide (RG) 1.6 requires the following:

  • Safety loads should be separated into redundant load groups such that the loss of any one group will not prevent the minimum safety functions from being performed.
  • Each alternating current (AC) load group should have a connection to the preferred (offsite) and standby (onsite) power source:

CNL-16-004 E-7

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007

a. The standby power source should have no automatic connection to any other redundant load group;
b. At multi-unit sites, the standby power source for one load group may have an automatic connection to a load group of a different unit;
c. A preferred power source bus may serve redundant load groups.
  • When operating from the standby power sources, redundant load groups and the redundant standby sources should be independent of each other at least to the following extent:
a. The standby source of one load group should not be automatically paralleled with the standby source of another load group under accident conditions;
b. No provisions should exist for automatically connecting one load group to another load group;
c. No provisions should exist for automatically transferring loads between redundant load groups;
d. If means exist for manually connecting redundant load groups together, at least one interlock should be provided to prevent an operator error that would parallel their standby power sources.

RG 1.6 provides the following definitions:

Preferred Power System: The offsite external commercial power system.

Standby Power System: Those onsite power sources and their distribution equipment provided to energize devices essential to safety and capable of operation independently of the preferred power system.

Standby Power Source: An electrical generating unit and all necessary auxiliaries, usually a diesel generator set, which is part of the standby power system.

Load Group: An arrangement of buses, transformers, switching equipment, loads, etc.,

fed from the same power source.

RG 1.81 describes the potential undesirable effects of sharing onsite power systems at a multi-unit site:

Sharing of onsite power systems at multi-unit power plant sites generally results in a reduction in the number and capacity of the onsite power sources to levels below those required for the same number of units located at separate sites. The reduced capacity could cause undesirable interactions. Examples of such interactions are (1) the interconnection of engineered safety feature (ESF) control circuits of each unit such that failures and maintenance or testing operations in one unit affect the availability of ESF in other units, (2) coordination required between unit operators in order to cope with an accident in one unit and safe shutdown of the remaining unit(s), and (3) system overload conditions as a consequence of real accident in a unit coincident with a false or spurious accident signal in another unit.

CNL-16-004 E-8

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 RG 1.81 further states that a device is considered to be shared among units if it is designed to perform the same function in all units as required.

Relative to non-cited violation (NCV) 05000327, 328/2015007-02, Regulatory Guide (RG) 1.81 requires the following: *

  • A single failure should not preclude the capability to automatically supply minimum ESF loads in any one unit and safely shut down the remaining unit, assuming a loss of offsite power
  • The interaction between each unit's ESF electric circuits should be limited such that any allowable combination of maintenance and test operations in the units will not preclude the capability to automatically supply power to minimum ESF loads in any unit, assuming a loss of offsite power IEEE Standard 308-1971 reiterates the RG 1.6 and RG 1.81 positions described above.

Specifically:

  • Sufficient physical separation, electrical isolation, and redundancy shall be provided to prevent the occurrence of common failure mode in the Class 1E systems;
  • Multi-unit stations may share preferred and standby power supply capacity between units, given that the total preferred capacity is sufficient to operate the ESF features for a design basis event (DBE) on one unit and those systems required for concurrent safe shutdown on the remaining unit(s);
  • It is permissible to provide inter-unit ties between the Class 1E buses of the units in a multi-unit station, provided any single component failure does not degrade the Class 1E electrical systems of any unit below an acceptable level and provided that the independence of the redundant systems is maintained;
  • Shared Class 1E electric systems shall be designed such that the sharing does not increase the probability of a DBE occurring in more than one unit at the same time.

The requirements and definitions above establish the redundancy and independence requirements for preferred and standby power sources, as well as the preferred and standby power requirements for multi-unit sites. Further, the requirements for these power systems as they relate to redundant load groups, and the ESF functions provided by those redundant load groups, are established. *

3. TVA Observation - Establishing Performance Characteristics 3.1 NRC Statement The NRC Inspection Report stated:

10 CFR Part 50, Appendix B, Criterion Ill, "Design Control," stated, in part, that "measures shall include provisions to assure that appropriate quality standards are specified and included in design documents and that deviations from such standards are controlled. "Contrary to the CNL-16-004 E-9

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 above since 2014, the licensee failed to include provisions to assure that appropriate quality standards were specified and included in design documents and that deviations from such standards were controlled. Specifically, design changes to the Unit 1A and Unit 2A ERCW power sources failed to include IEEE 308-1971, Regulatory Guides 1.81 and 1.6 and that deviations from them were controlled subject to design control measures commensurate with those applied to the original design.

3.2 TVA Observation The design of the 480V ERCW MCCs (with or without the mechanical interlock) is consistent with GDC-17, GDC-5, RG 1.6, RG 1.81, and IEEE 308-1971. Redundant load groups are powered by offsite (preferred) and onsite (standby) power sources that are dedicated to each power division's Unit and train designation. In providing sufficient power to operate the ESF functions for a DBE on one unit and those systems required for concurrent safe shutdown on the remaining unit, load groups of the opposite train designation and same Unit (e.g., 1A and 1B) are redundant to each other. Load groups of the same train designation and opposite Unit (e.g., 1A and 2A) are not redundant to each other. Standby power sources from the same train designation and opposite Unit (e.g., 1A and 2A) are considered alternate power sources to a load group.

The 480V ERCW MCCs do not have breaker alignment capability for manually connecting redundant load groups. The ability to parallel normal and alternate power sources is contained within a single load group. The purpose of the mechanical interlock was not to prevent the connection of redundant load groups, rather the purpose of the mechanical interlock was to preclude the paralleling of normal and alternate sources within a same train. Should both the A-train normal and alternate power supplies to the 1A-A and 2A-A 480V ERCW MCCs be lost, the B:..train normal and alternate power supplies to the 1B-B and 2B-B 480V ERCW MCCs are available such that sufficient power is maintained to operate the ESF features for a DBE on one unit and those systems required for concurrent safe shutdown on the remaining unit.

Replacing the Kirk Key mechanical interlocks with administrative controls does introduce the possibility of aligning two ERCW transformers to a single MCC in the event that the administrative controls are not effective. However, this would not impact the design functions of the ERCW system. As described in DCN 23085, "Replace breaker handle, breaker operating mechanism and remove Kirk Key interlock," paralleling of the two ERCW transformers onto a single MCC increases the available short circuit current and causes circulating currents that can heat and damage equipment. The possible heating effects of the circulating currents are minimized due to the similarity in impedance values of the transformers which are powered from the 161 kV system. Similar to transformer impedance, this limits the voltage variation that causes the circulating currents to the differences in impedance from the source to each of the ERCW MCCs. Additionally, each of the ERCW main feeder breakers is equipped with a thermal trip unit that provides an additional level of protection against the possible heating effects.

Regarding fault current, the MCC buses, MCC breakers, and cross-tie breakers are rated to clear the maximum fault current supplied by two paralleled ERCW transformers without impacting the electrical supply. Although, the available fault current could potentially double, the capacity of the MCC buses, MCC breakers, and cross-tie breakers are sufficiently sized to withstand and clear the available fault current. There are two breakers that feed from the two 6.9 kV sources, one above and one below the step down transformers. It would take a failure of more than one breaker to impact either 6.9 kV source, and more than a single failure to impact both 6.9 kV sources.

CNL-16-004 E-10

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 The ERCW system is a shared two-train system, each train having the capability to provide the maximum required cooling water requirement for both units under any credible plant conditions.

These equipment trains are sufficiently independent to guarantee the availability of at least one train at any time. The operation of two pumps on one train is sufficient to supply all cooling water requirements for the 2-Unit plant for unit cool down, refueling, or post-accident operation.

Such an arrangement assures adequate cooling water under both normal and emergency conditions. The removal of the Kirk Key interlock from the 480V ERCW MCC design did not create the possibility of undesirable interactions, as described in RG 1.81. On page 2 of RG 1.81, the following examples of undesirable interactions are given:

  • The interconnection of engineered safety feature (ESF) control circuits of each unit such that failures and maintenance or testing operations in one unit affect the availability of ESF in other units;
  • Coordination required between unit operators in order to cope with an accident in one unit and safe shutdown of the remaining unit(s); and
  • System overload conditions as a consequence of real accident in a unit coincident with a false or spurious accident signal in another unit.

Alternate power supplies to each 480V ERCW MCC from the opposite Unit, same train designation do not interconnect ESF control circuits between Units, and cannot cause system overload conditions as a consequence of a real accident in a Unit coincident with a false or spurious accident in another Unit. Also, the administrative controls to prevent power source paralleling are not performed as a part of accident mitigation actions.

The Kirk Key interlocks do not provide a design or licensing basis function described in the UFSAR. SQN is required to provide redundant, independent load groups of Class 1E power systems to prevent common failure modes. Each load group must have a preferred and standby power source. The load group independence requirements of RG 1.6 are met in the SQN design, as described in Chapter 8 of the UFSAR. Protective devices are provided to isolate failed equipment automatically such that the loss of one load group does not cause the loss of equipment in the redundant load group. A failure caused by inadvertently paralleling the normal and alternate power supplies to a 480V ERCW MCC cannot result in the loss of equipment in a redundant load group.

CNL-16-004 E-11

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 4.: Summary The 480V ERCW MCCs design, and their associated power sources, comply with GDC-17, GDC-5, RG 1.6, RG 1.81, and IEEE 308-1971. The removal of the Kirk Key from the design did not alter the possibility of undesirable effects described in RG 1.81, as discussed in Section 7.1 of this Enclosure.

Removal of the Kirk Key mechanical interlocks and failure to follow administrative controls potentially aligns two ERCW transformers (same train, opposite unit) to a single MCC. The 10 CFR 50.59 evaluation for this design change concluded that this will not result in a more than minimal increase in the likelihood of occurrence of a malfunction of systems, structures and components (SSC) important to safety previously evaluated in the UFSAR. The worst case result of alignment of two ERCW transformers to a single MCC is the loss of one shared train of ERCW. This potential loss of a single train of ERCW previously existed when ERCW MCCs were cross tied from a single transformer. Because each train is capable of providing the maximum required cooling water for both units under any credible plant condition, the design and licensing basis of the ERCW system continues to be met.

DCN 23085 10 CFR 50.59 evaluation response to 10 CFR 50.59 Criterion (c)(2)(ii),"Does the proposed activity result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the UFSAR," has been enhanced to evaluate the 480V ERCW MCC mechanical interlock replacement with administrative controls as a modified manual action. NEI 96-07, Revision 1, Section 4.3.2, Example 4 provides guidance for the human performance aspects of manual operator actions for DCN 23085. This guidance includes verification that the revised manual action.is reflected in plant procedures and operator training, action completion time, ability to recover from credible errol'S, and the effect of the change on plant systems. The revised 10 CFR 50.59 evaluation concludes based upon the response to the NEI 96-07, Revision 1, Section 4.3.2, Example 4 guidance, there is not a more than minimal increase in the likelihood of malfunction of the ERCW MCCs as a result of replacing the mechanical interlock with administrative controls. The 10 CFR 50.59 evaluation revision has been reviewed and approved by the Plant Operation Review Committee (PORC) on October 28, 2015.

CNL-16-004 E-12

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 Ill. SEVERITY LEVEL IV VIOLATION 05000327, 328/2015007-03: FAILURE TO REQUEST A LICENSE AMENTMENT PRIOR TO REMOVING INTERLOCKS FROM SHARED ONSITE EMERGENCY AND SHUTDOWN AC ELECTRIC SYSTEMS In Nuclear Regulatory Commission (NRC) Inspection Report 05000327, 328/2015007, dated September 14, 2015, Severity Level IV violation (SUV) 05000327, 328/2015007-03 is described as follows (emphasis added):

10CFR 50.59.c.(2).ii stated, "A licensee shall obtain a license amendment pursuant to Sec. 50.90 prior to implementing a proposed change, test, or experiment if the change, test, or experiment would result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the final safety analysis report (as updated)." Contrary to the above since 2014, the licensee did not obtain a license amendment pursuant to Sec 50.90 prior to implementing the change to kirk-key interlocks, which created a more than minimal increase in the likelihood of occurrence of a malfunction of a SSC important to safety previously evaluated in the UFSAR. The issue was entered into the licensee's corrective action program as CR 1076179. The licensee has administrative controls in place to limit the risk of this configuration pending determination of corrective actions. Because the finding was of very low safety significance (SUV) and was entered into the licensee's corrective action program this violation will be treated as an NCV consistent with section 2.3.2.a of the NRC enforcement policy. This violation is identified as NCV 05000327, 328/2015007-03, Failure to request a licensee amendment prior to removing interlocks from shared onsite emergency and shutdown AC electric systems.

In addition, the following descriptions of the issue were provided:

Further, departures from the design and performance standards as outlined in the General Design Criteria (Appendix A to Part 50) are not compatible with a "no more than minimal increase" standard."

And A modification to the MCCs removed these kirk key interlocks and the licensee failed to identify that the design departed from the acceptance criteria outlined in the design and performance standards mentioned above. Further, the removal of the kirk key interlock made credible the possibility of a single act or event paralleling the two MCCs power sources, which could now cause undesirable interactions. The inspectors determined that this modification more than minimally increased the likelihood of occurrence of a malfunction of the shared ERCW A train, which would have required NRC approval prior to implementation.

And The licensee's change to the facility resulted in a departure from acceptance criteria in design and performance standards, which resulted in a more than a minimal increase in the likelihood of occurrence of a malfunction as specified by NEI 96-07 Chapter 4, was a CNL-16-004 E-13

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 performance deficiency. The performance deficiency was determined to be more than minor because there was a reasonable likelihood that the change required Commission review and approval prior to implementation and the failure to request approval impacted the regulatory process. Specifically, the departure from acceptance criteria identified in IEEE 308, RG 1.81, and RG 1.6 reasonably required commission review and approval prior to implementation.

IV. TENNESSEE VALLEY AUTHORITY OBSERVATIONS

1. Introduction In the design change that removed the Kirk Key from the 480V ERCW MCC design, SQN instituted administrative controls to preclude paralleling the normal and alternate power sources to one (1) load group (train). Since the Kirk Key did not provide a design function described in the UFSAR, the change could not have resulted in a more than minimal increase in the likelihood of occurrence of a malfunction. In the 10 CFR 50.59 evaluation, SON assessed operator error as a mode of failure for one train of 480V ERCW MCC for either unit, and whether the change deviated from the UFSAR-described ERCW and/or power distribution designs. SQN concluded that the change would not result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety based on the following:
  • The existing fault clearing equipment is rated for the expected fault current, should the power sources to one (1) train of a Unit's 480V ERCW MCCs be paralleled, such that the fault will not propagate to the power sources
  • A malfunction of one (1) train of a Unit's 480V ERCW MCCs due to normal and alternate power source paralleling caused by an operator error would not prevent the ERCW system from performing its design function as described in the UFSAR, or increase the likelihood of ERCW system malfunction
  • The instituted administrative controls are not part of accident mitigation actions, and do not support a design function described in the UFSAR.

CNL-16-004 E-14

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007

2. SQN Licensing and Design Basis 2.1 SQN Updated Final Safety Analysis Report CUFSARl See Section 2.1, Sequoyah Licensing and Design Basis, under the first violation of this Enclosure for a detailed description of the licensing basis and design of the SQN offsite (preferred) and onsite (standby) power supplies, as well as the licensing basis and design of the 480V ERCW MCCs and the Kirk Key.

The SQN electrical power scheme associated with the 480V ERCW MCCs, as described in the UFSAR, conforms to RG 1.6, RG 1.81, and IEEE 308. In conforming to the above standards, SQN meets GDC-17 for electrical power system design, and GDC-5 for multi-unit sharing of electric power systems.

  • In addition, the removal of the Kirk Key interlock from the 480V ERCW MCC design did not create the possibility of undesirable interactions, as described in RG 1.81. On page 2 of RG 1.81, the following examples of undesirable interactions are given:
  • The interconnection of engineered safety feature (ESF) control circuits of each unit such that failures and maintenance or testing operations in one unit affect the availability of ESF in other units,
  • Coordination required between unit operators in order to cope with an accident in one unit and safe shutdown of the remaining unit(s), and
  • System overload conditions as a consequence of real accident in a unit coincident with a false or spurious accident signal in another unit.

2.2 Regulatory Requirements and Applicable Guidance 10 CFR 50.59, Changes, Tests, and Experiments, provides the criteria to be utilized in assessing whether a change to the licensing basis of the facility, as described in the updated final safety analysis report (UFSAR), requires prior NRC approval pursuant to 10 CFR 50.90.

Regulatory Guide (RG) 1.187, Guidance for Implementing of 10 CFR 50.59, Changes, Tests, and Experiments, provides additional clarification to licensees regarding acceptable guidance for use when implementing 10 CFR 50.59. RG 1.187 endorses Nuclear Energy Institute (NEI) 96-07, Guidelines for 10 CFR 50.59 Evaluations, Revision 1.

NEI 96-07 provides criteria for assessing whether specific types of changes require prior NRC approval. Additional guidance is provided to assess the activity against the criteria of 10 CFR 50.59(c)(2). Relative to severity level IV violation 05000327, 328/2015007-03, the following criterion is discussed:

Does the activity result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety?

NEI 96-07 discusses this criterion in Section 4.3.2:

CNL-16-004 E-15

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 Although this criterion allows minimal increases, licensees must still meet applicable regulatory requirements and other acceptance criteria to which they are committed (such as contained in regulatory guides and nationally recognized industry consensus standards, e.g., the ASME B&PV Code and IEEE standards). Further, departures from the design, fabrication, construction, testing and performance standards as outlined in the General Design Criteria (Appendix A to Part 50) are not compatible with a "no more than minimal increase" standard.

In addition, the following example is given to illustrate a case where an activity would not constitute more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety:

The change involves a new or modified operator action that supports a design function credited in safety analyses provided:

  • The action (including required completion time) is reflected in plant procedures and operator training programs
  • The licensee has demonstrated that the action can be completed in the time required considering the aggregate affects, such as workload or environmental conditions, expected to exist when the action is required
  • The evaluation of the change considers the ability to recover from credible errors in performance of manual actions and the expected time required to make such a recovery
  • The evaluation considers the effect of the change on plant systems.

Finally, the following example is given to illustrate a case where an activity would require prior NRC approval because it would result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety:

The change would (permanently) substitute manual action for automatic action for performing UFSAR-described design functions. (Guidance for temporary substitution of manual action for automatic action to compensate for a degraded/nonconforming condition is provided in NRC Generic Letter 91-18, Revision 1.)

See Section 2.2, Regulatory Requirements and Applicable Guidance, under the first violation of this Enclosure for additional discussion of the regulatory requirements and guidance documents pertinent to SUV violation 05000327, 328/2015007-03.

CNL-16-004 E-16

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007

3. TVA Observation~ Prior NRC Approval 3.1 NRC Statement The NRC Inspection Report stated:

10 CFR 50.59.c.(2).ii stated, "A licensee shall obtain a license amendment pursuant to Sec. 50.90 prior to implementing a proposed change, test, or experiment if the change, test, or experiment would result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the final safety analysis report (as updated)." Contrary to the above since 2014, the licensee did not obtain a license amendment pursuant to Sec 50. 90 prior to implementing the change to kirk-key interlocks, which created a more than minimal increase in the likelihood of occurrence of a malfunction of a SSC important to safety previously evaluated in the UFSAR.

3.2 TVA Observation See discussions above regarding SQN's compliance with GDC-17, GDC-5, RG 1.6, RG 1.81, and IEEE 308-1971. The term, "undesirable interactions," originates from RG 1.81 and is in reference to multi-unit sharing of onsite emergency and shutdown AC electrical systems. As established above, the SQN design is not capable of causing undesirable effects, as defined in RG 1.81, even if the 1A and 2A 480V ERCW MCCs are paralleled and the boards lost (i.e., the B-train is fully capable of providing and supporting DBE ESF functions).

In addition, the "more than minimal" criteria in NEI 96-07 are generally related to malfunctions that could cause, or inhibit the mitigation of, DBEs. The action to change power from normal to alternate on a 480V ERCW MCC is not related to accident mitigation, and should an error occur, could not cause a malfunction of a redundant train. It would be inappropriate to apply the "more than minimal," criteria generically to equipment that does not support or perform functions described in the UFSAR.

4. Summary The 480V ERCW MCCs design, and their associated power sources, comply with GDC-17, GDC-5, RG 1.6, RG 1.81, and IEEE 308. The removal of the Kirk Key from the design did not create the possibility of undesirable effects described in RG 1.81, as discussed in Section 7.1 of this Enclosure.

In addition, this change did not result in a more than minimal increase in the likelihood of occurrence of a malfunction of the Unit 1 and/or Unit 2 A-train ERCW systems: the instituted administrative controls do not meet the criteria established in Section 4.3.2 of NEI 96-07, Revision 1, for changes that would require prior NRC approval because they would result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety.

CNL-16-004 E-17

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007

5. Additional Information Although the violation is characterized as a findings of very low safety significance, the regulatory precedent and licensing basis ramifications could be significant to SQN and the rest of the TVA nuclear fleet. The NRC position documented in the NRC Inspection Report appears to constitute a change in NRC regulatory position. Specifically, the NRC Inspection Report definition of inter-unit sharing as redundant load groups may apply to similar configurations in other systems at SQN and within the TVA fleet (e.g., component cooling water system, emergency gas treatment system).
6. References GDC-5, Sharing of Structures, Systems, and Components GDC-17, Electric Power Systems Regulatory Guide 1.6 (AEC Safety Guide 1.6), Independence Between Redundant (Onsite)

Power Sources and Between Their Distribution Systems, Revision 0 Regulatory Guide (RG) 1.81, Shared Emergency and Shutdown Electric Systems for Multi-Unit Nuclear Power Plants, Revision 1 IEEE 308-1971, Criteria for Class 1E Electric Systems for Nuclear Power Generating Sta.tion CNL-16-004 E-18

ENCLOSURE OBSERVATIONS ON THE BASIS FOR VIOLATION DOCUMENTED IN NRC INSPECTION REPORT 05000327, 328/2015007 Attachment 1 Simplified One-Line Diagram of 480V ERCW MCCs Power Sources and Load Groups

)( 'l From 6 .9kV SDBD lA-A From 6 .9kV SDBD 2A-A JL x 1-BCTA-202-CM/22-A ) 2-BCTA-202-C0/22-A )

Transforme r lA-A Transformer 2A-A 6.9kV-480V 6.9kV-480V 300KVA

~

1-BCTD-201- FKN/lA-A )

I 1A-A 480V ERCW MCC I lA-A Load Group 1-BCTD-201- FKA/lB- A 2A-A Load Group Note: The 480V Main Feeder Breakers 1-BCTD-201-FKN/lA-A and 2-BCTD-201-FLN/

lA-A and the Tie Breakers 1-BCTD-201-FKA/lB-A and 2-BCTD-201-FLA/lB-A are administratively interlocked to prevent the transformers from being paralleled .

'{ 't From 6.9kV SDBD lB-B From 6.9kV SDBD 2B-B 1-BCTA-202- C N / 2 2 - i) B 2-BCTA-202-CP/22x-B )

Transformer lB-B Transformer 2B-B i) 6.9kV-480V 6.9kV- 480V 300KVA 300KVA

~)

~

l) 2-BCTD-201-FNA/lB- B 1-BCTD-201-FMN/lA-B 0 HCTDW>>NN/>Ae I 1B-B 480V ERCW MCC I <( ) I ,,_, "ov mw Mee I lB- B Load Group 2B- B Load Group Note: The 480V Main Feeder Breakers 1- BCTD- 201-FMN/lA-B and 2-BCTD-201-FNN/lA-B and the Tie Breakers 1-BCTD-201- FMA/lB-B and 2-BCTD-201-FNA/lB-B are mechanically interlocked to prevent the transformers from being paralleled .

CNL-16-004 E-19

Retrieved from "https://kanterella.com/w/index.php?title=CNL-16-004,_Observations_on_the_Basis_for_a_Non-Cited_Violation_Involving_a_Design_Change_to_Remove_a_Kirk_Key_Mechanical_Interlock&oldid=2025073"