ML16341F046
| ML16341F046 | |
| Person / Time | |
|---|---|
| Site: | Diablo Canyon  |
| Issue date: | 03/13/1989 |
| From: | Jim Melfi, Richards S NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION V) |
| To: | |
| Shared Package | |
| ML16341F047 | List: |
| References | |
| 50-275-89-02, 50-275-89-2, 50-323-89-02, 50-323-89-2, GL-85-06, GL-85-6, NUDOCS 8903280248 | |
| Download: ML16341F046 (22) | |
See also: IR 05000275/1989002
Text
U.
S.
NUCLEAR REGULATORY COMMISSION
REGION V
Report
Nos.
Docket Nos.
License
Nos.
,Licensee:
Facility Name:
Inspection at:
50-275/89-02,
50-323/89-02
50-275,
50-323
Pacific Gas
and Electric Company
77 Beale Street,
Room 1451
San Francisco,
94106
Di ab1 o Canyon
Units
1 and
2
San Luis Obispo, California (Diablo Canyon Site)
Inspection
Conducted:
.January
30 - February
2,
1989
f
burma /. //+~
Inspectors
J
F. Melfi, Reactor
nsp ctor
Other Accompanying Personnel
J.
L. Mauck, Section Chief,
SICB,
R.
W. Stevens,
Inspector,
SICB,
Approved By:
S.
A. Richards,
Chief, Engineering Section
~Summau:
Ins ection
on Januar
30 - Februar
2
1989
Re ort 50-275/89-,02
50-323/89-02
/0
D te
igned
s is/S I
Date Signed
Areas
Ins ected:
A special,
announced
inspection of the Anticipated Transient
Without Scram
(ATWS) mitigating system to the requirements
of 10 CFR 50.62.
This inspection
assessed
the conformance of the licensee's
ATWS system with 10 CFR 50.62, in accordance
with Temporary Instruction (TI) 2500/20.
Inspection
procedures
30703
and
25020 were
used during this inspection.
Safet
Issue
Mana ement
S stem
SIMS
Items:
(Closed for Unit 2,
Open for Unit 1) Multiplant Action (MPA) A-020,
"10 CFR 50.62 Operating
Reactor
Reviews".
8903280248
890313
F'a i
ADOCK 05000275
9
-2-
Results:
General
Conclusions
and
S ecific Findin
s
The licensee
has installed the
ATHS Mitigation System Actuation Circuitry
(AMSAC) equipment
adequately
to meet the requirements
of the
ATWS rule,
In general,
the physical
arrangement
and installation
was
done in
accordance
with the
NRC staff Safety Evaluation Report
(SER)
on the system.
The inspectors
identified several
specific items of concern
as
noted below.
Si nificant Safet
Matters:
None
Summar
of Violations:
None
0 en Items
Summar
3 new items were opened.
Followup on the
Followup on the
AMSAC cabinet.
The items are
as follows:
I
licensee's
actions
on annunciator
windows.
licensee's
actions
on the separation
of wires in the
Verification of the fi'rst calibration of the
AMSAC circuitry.
DETAILS
Persons
Contacted
Diablo Can
on Nuclear
Power Plant
"J.
Townsend,
Plant Manager
"J. Gisclon, Assistant Plant Manager
- J. Taggart, guality Support Director
~D. Miklush, Maintenance
Manager
~W. Coley, General
Construction Supervisor
"B. Giffin, Tech.
Services
Manager
"M. Tresler,
Project Engineer
"C. 'Eldridge, equality Control
Manager
"R.
Webb, Senior Compliance
Engineer
"C. Dougherty,
gA Engineer
"R. Washington,
I8C Engineer
"W. Vip, Tech.
Services
Engineer
~D. Tatesan,
Senior Engineer
"T. Grebel,
Regulatory Compliance Supervisor
~W. Kelly, Compliance
Engineer
J. Blakeley,
Licensing Supervisor
B. Guilbeult, Material Services
Manager
J. Hefler,
I8C Engineer
T.
Lee, Senior Mechanical
Engineer
W.
Weems,
Operations
Training Instructor
The inspectors
also held discussions
with other licensee
.and contract
personnel
during the inspection.
This included plant staff engineers,
technicians,
and administrative
and clerical assistants.
Introduction
The purpose of this inspection
was to compare
the installed plant
instrumentation
and equipment with the commitments
contained in
correspondence
related to the Anticipated Transient Without Scram
(ATWS)
issue.
An ATWS event is defined
as
an operational
transient that would
be expected to trip (scram)
the reactor,
but a failure in the Reactor
Protection
System
(RPS) prevents
the reactor
from scramming.
On July 26,
1984,
an amendment to the
Code of Federal
Regulations
(CFR) was issued
(10 CFR 50.62) to address
the
ATWS issue at all commercial light water
cooled nuclear
power plants.
This inspection
assessed
whether the
equipment
and instrumentation installed at Diablo Canyon meets
the
criteria specified in the
ATWS Rule and is installed
as described
in the
NRC Safety Evaluation Report
(SER).
Some of the references
used to
assess
the licensee's
conformance to the
ATWS rule were:
Temporary Instruction 2500/20,
"Inspection
To Determine
Compliance
with ATWS Rule,
10 CFR 50.62," February 9, 1987.
Letter,
C.
E.
Rossi
(NRC) to
L.
D. Butterfield (WOG), "Acceptance of
Referencing of Licensing Topical Report," July 7,
1986.
Letter,
R.
A.
Newton
(WOG) to J.
Lyons (NRC), "Westinghouse
Owners
Group Transmittal of Topical Report,
Revision 1,
AMSAC Generic
Design Package,"
August 3, 1987.
Letter,
R.
A. Newton
(WOG) to J.
Lyons (NRC), "Westinghouse
Owners
Group Addendum
1 to WCAP-10858-P-A and WCAP-11293-A:
AMSAC Generic
Design Package,"
February 26,
1987,
Letter,
H.
Rood
(NRC) to J.
D. Shiffer (PGE), "Safety Evaluation of
the
AMSAC System, with Enclosure
1 'Safety Evaluation Report,
Diablo
Canyon
Power Plant, Units 1 and 2, Compliance With ATWS Rule 10 CFR 50.62'," August 15,
1988.
The Westinghouse
Owners
Group
(WOG) analyzed possible
ATWS scenarios,
and
provided three different
ATWS Mitigation System Actuation Circuitry
(AMSAC) designs
to mitigate the most limiting ATWS event at Westinghouse
designed
reactors.
As noted in the July 7,
1986 letter above,
the
staff stated that all three generic
AMSAC designs
would meet the
requirements
of the
ATWS Rule (10 CFR 50.62) at Westinghouse
designed
reactors.
This letter also stated that the staff would review the plant
specific design details to assure
compliance.
The licensee
supplied correspondence
related of their site specific
installation in letters
dated
October
30,
1987,
March 2,
1988 and April
28,
1988.
The licensee
submitted
a letter dated August 15,
1988,
requesting
to delay the installation of the
AMSAC until the third
refueling (1989) outage,
si.nce the
NRC
SER had not been
issued.
The
was issued
on the
same
day,
and the
NRC issued
a letter dated
September
13,
1988 informing the licensee
that the installation of the equipment
could not be delayed.
As a result of the generic reviews,
the
NRC staff agreed with
that the most severe
ATWS scenarios
requiring
AMSAC to
actuate
were
a Loss of Normal
(LONF) or a Loss of Load (LOL)
event,
concurrent with an
ATWS.
These
events
were analyzed for different
reactor powers,
and it was determined that
a reactor
power greater
than
70% with these
assumed
events
could lead to a reactor vessel
pressure
(3200 Psig)
exceeding
the
ASME Boiler and Pressure
Vessel
Code
C Service
Limit stress criteria.
To correct this situation,
the licensee
elected to install option 1 of
the generic
AMSAC designs.
To help maintain the water
mass in the steam
generator,
this equipment is designed
to isolate
blowdown
and sample valves,
actuate
a turbine trip, and start Auxiliary Feedwater
(AFW) flow when conditions indicative of an
ATWS are
sensed.
The
equipment
senses
conditions indicative of an
ATWS by monitoring the
narrow range
water levels,
and main turbine power.
The
water level setpoint for
AMSAC initiation is set below
the
RPS trip setpoints,
allowing the
RPS to normally actuate first, start
AFW and cause
a turbine trip.
The
AMSAC equipment is prevented
from
actuating for 25 seconds after these conditions are sensed,
to allow the
RPS to fulfillits function.
A turbine setpoint
(C-20) was installed for
the
AMSAC system,
which arms the
AMSAC system
when
a turbine power
greater
than
40% is achieved.
This setpoint
was
chosen to prevent
inadvertent
AMSAC actuations
during startup
and to limit the amount of
predicted voiding in the core at 70K power.
The
AMSAC equipment
remains
armed for several
minutes after the turbine
goes
below 40K power, to
assure that the
AMSAC will actuate if needed.
These actions will help
maintain water inventory in the steam generators
to maintain
a heat sink
for the reactor during an
ATMS event.
In order to provide this diverse feature,
the
NRC staff realized that the
AMSAC equipment
has to be separate
and independent
from the
RPS (the
is assumed
to be failed) to minimize common cause failures.
This
includes being seismically
and environmentally qualified to appropriate
standards,
the
use of different isolation devices
and power supplies
from
the
RPS,
and
AMSAC equipment
being designed
and installed with good
engineering practice.
The equipment also
has to be testable,
and capable
of being bypassed.
The staff concluded that the
AMSAC equipment
does
not
need to be class lE, but it did need to be procured in accordance
with
Ins ection Details
The inspectors
reviewed the licensee's
design in accordance
with the
NRC
Safety Evaluation Report
(SER).
The separate
items considered
in the
are addressed
below.
A.
Procurement
As noted in correspondence
with the licensee,
the
NRR staff
concluded that
AMSAC equipment
does
not need to be class
1E, with
the
gA requirements
imposed
on class
lE systems,
but did need to
have the
gA requirements
for procurement
noted in Generic Letter 85-06.
The staff asked questions
on the
gA requirements
that the
licensee
used for the
AMSAC system.
The licensee
responded
to the staff specific questions
on the
gA
requirements
on this system in their letter dated
March 2, 1988.
The gA measures
that the licensee
implemented
on the procurement
and
installation of the
AMSAC equipment
are discussed
below.
The inspector
reviewed purchase
order 756844,
dated
March 12,
1987
and verified that the purchase
order was consistent with the
technical
design
and the licensee's
plan for implementing the
rule.
Receipt inspection, identification and storage
controls
were
applied in accordance
with the licensee's
procedures.
The licensee
performed vendor inspections
to verify the quality of the
equipment.
The inspector verified that the
AMSAC equipment for. unit
1 (which is not yet installed)
was marked
and stored in a
partitioned area.
The utility was using the latest installation
specifications,
drawings,
and procedures.
The licensee
had put the
AMSAC equipment
on the 'g'ist,
and would purchase
spare parts for
the
AMSAC equipment to the committed standards.
During the installation of the equipment,
the licensee
used the
gA
controls appropriate for this installation.
~0iversit
Diversity is required
between the
AMSAC system
and the
RPS to
minimize common cause failures.
The .licensee
provided
a response
to
the issue of diversity in their plant specific submittal
dated
October 30,
1987.
The licensee's
response
confirmed that the
microprocessor-based
AMSAC logic circuits have analog
inputs
provided
by isolation amplifiers.
This logic is diverse
from the
discrete digital logic circuits of the
RPS in the areas of design,
equipment,
and manufacturing.
The final actuation
devices
which
initiate AMSAC are isolated
by Struthers
Dunn relays,
which are
different from the relays
used
by the
RPS.
The
NRC staff previously concluded that the equipment is diverse
from the
RPS,
as noted in the
SER.
Lo ic Power
Su
lies
As noted in the
SER, the logic power supplies
are not required to'e
class
1E, but must
be capable of performing the design function on
a
The use of
RPS batteries
and inverters
was
not considered
acceptable
by the
NRC staff, since it was not
independent
from the
RPS.
The inspectors verified that the licensee
powers the
AMSAC equipment
off of the chemistry lab and counting
room inverter.
This inverter
can
be powered
from non-RPS
power supplies.
The inverter has its
own set of batteries for continued operation in the event of a loss
of AC power.
The logic power supplies
were found to be in
accordance
with the
SER.
Safet -Related
Interface
The
SER reauired that existing
RPS continue to meet all applicable
safety criteria regarding its interface with the
The inspectors verified that the existing Class
Water Level instrumentation
and Turbine First Stage
Pressure
instrumentation
inputs into the
AHSAC were adequately
isolated.
The
output to start the
AFW pumps
were also verified to be adequately
isolated.
Maintenance
and
0 eratin
B
asses
In the
NRC SER, the
NRC staff stated that the maintenance
bypass
status
and operating
bypasses
should
be continuously indicated in
the control
room.
The staff also noted that the independence
of the
C-20 permissive
should
be addressed.
The licensee
provided information to the staff stating that the
maintenance
bypass
and operational
bypass
status
would be provided
in the control
room through the use of status lights and
annunciation.
During documentation
review and inspection of the control
room
status
indication,
a concern
surfaced related to the adequacy of the
annunciation
associated
with the
AMSAC system.
Two annunciator
windows [PK12-13
("ANSAC ARMED/BYPASSED") and
PK08-15
("ANSAC
TROUBLE/TRIP")] are currently provided
on the control
room
panels.
The
AMSAC status
signal output and light
coordination design is currently such that the illumination of both
lights represents
any one of two completely opposite operating
conditions, either tripped or bypassed.
Discussions
with plant
operating personnel
supported
the inspector's
concern that the
current
scheme
does not clearly or adequately
represent
the
system operational
status
and is potentially misleading to plant
operators.
The inspector verified that there is a single distinct
ANSAC status
output signal for the tripped/actuated
condition, which is currently
used
as
an input into the
same
window associated
with the trouble
signals.
Thus, it is the inspectors position that, in conjunction
with this signal,
a dedicated (third) annunciator
window should
be
incorporated into the plant design to aid in the distinction that
the
AMSAC has actually produced
a trip/actuation signal.
The
inspector considered that with the incorporation of a three
window combination,
the control
room operators will be
able to accurately
diagnose
in a timely (rapid) manner the
operational
status
of ANSAC at any given point in time without
reliance
on other means.
The licensee's
response
to this issue
on
annunciation will be followed up in a future inspection report
(50-323/89-02-01).
The independence
of the C-20 permi'ssive
signal
was noted in the
to be maintained for a time period consistent with revision
1 to
It was identified during the inspection that the
time delay associated
with the
AMSAC C-20 permissive
was set at 240
seconds
instead of the 360 seconds
recommended
by Revision
1 to
10858-P-A.
The licensee
subsequently
provided copies of information
dated
February
12,
1988 and February
2,
1989 to verify that
a study
was performed for Diablo Canyon by Westinghouse
to confirm the
adequacy
of setting the C-20 time delay at 240 seconds.
Based
on
this information, the setting is appropriate.
Manual Initiation
Manual initiation capability of the
ANSAC mitigation function was
required.
The licensee
discussed
in their October 30,
1987
submittal
how a manual turbine trip and
AFW actuation
are
accomplished
by the operator.
These
manual start procedures
are
outlined in the licensee's
Emergency
Procedure
FR-S. 1,
"Response
to
Nuclear
Power Generation/ATWS."
The inspectors
reviewed the
procedure
and concluded that the capability for manual initiation is
adequate.
6
Electrical
Inde endence
As noted in the
SER,
independence
is required
from the sensor
output
to the final actuation
device, at which point nonsafety-related
circuits must be isolated
from the safety-related
circuits by
qualified Class lE isolators.
The inspectors verified that the licensee
had provided the required
isolation devices
and that they were tested to Class lE electrical
equipment
requirements.
The inspectors
also reviewed the
qualification package for the isolators.
The
AMSAC equipment
appears
to be electrically independent.
Se aration from the Existin
Reactor Protection
S stem
The
NRC
SER noted that the implementation of the
AMSAC system
must
be such that the separation criteria applied to the existing
RPS are
not violated.
The
SER also stated
the the licensee
would continue
to meet the original plant separation criteria.
During a physical
inspection of the
AMSAC microprocessor
logic
cabinet,
the inspectors
identified that adequate
separation
apparently
was not maintained
between
the
AMSAC analog input signal
wiring (steam generator
low level and main turbine impulse pressure)
obtained
from the existing reactor protection
system
(RPS) Class
analog process
cabinets.
Within each channelized
Class
IE analog
protection process
rack, the
AMSAC signal wiring from the output
(downstream)
side of the qualified isolator becomes
associated
(physically bundled together) with the respective
Class
IE channel
wiring before being routed in separate
channelized
conduit to the
AMSAC cabinet.
The wiring exiting each conduit associated
with
(common to) each of the four independent
and redundant
Class
protection sets
was found to be physically bundled together in the
bottom of the subject
AMSAC cabinet.
The inspectors
considered
that
the cable routing observed
inside the
AMSAC logic cabinet
may
violate the
RPS separation criteria (fSAR Section 8.3. 1.4) approved
by the
NRC during original plant licensing.
The configuration is
not consistent with the separation
guidance of Regulatory
Guide 1.75
and
IEEE 384 pertaining to "Associated" circuits.
A failure inside
the
AMSAC non-Class
IE cabinet could potentially negate
required
protective actions
due to lack of physical separation
between the
inputs
and outputs of the isolators
and result in loss of the
protective function, although this possibility appears
small
considering
the low energy of the circuits involved.
During an
NRC review of the original plant design prior to initial
plant licensing,
a similar situation
was identified.
SER Section
7.2.3 (October 16, 1974) states
that
a separation violation to IEEE 279-1968
and
was discovered related to the wiring
routed
from the protection
system process
analog racks to the
non-safety related control racks.
The situation
was resolved
subsequent
to the
NRC staff's approval
of noise
and fault voltage
tests.
It is the
NRC staff's understanding
that such
a method
was
viable in that case
because
of space restrictions within the
protection
system
analog process
cabinets
and the control racks.
However,
such
an approach
for the
AMSAC situation
does
not appear to
be appropriate
as it appeared
from inspection that sufficient open
space exists within the subject
AMSAC logic cabinet to allow the
licensee
to implement
an approved
method of physical
separation
to
maintain
independence
between
the redundant circuits associated
with
the Class
IE analog process
rack wiring.
Thus, the licensee
should
provide
a minimum physical
separation
of six inches
where possible
and provide approved barriers/wrapping
where required
between the
associated
redundant wiring within the
AMSAC logic cabinet.
The
licensee's
actions regarding the separation
of wires within the
AMSAC cabinet,
and the applicability of noise
and fault voltage
testing to this situation, will be reviewed in a future inspection
(50-323/89-02-02).
Seismic
uglification
The
AMSAC equipment is not required to be seismically qualified by
the
NRC staff.
The occurrence
of an
ATWS with a seismic event
was
not deemed credible.
The licensee
did qualify AMSAC cabinets
to
resist the worst case
loads in the cable spreading
room where the
cabinet is located.
This was
done to prevent interaction with the
other cabinets
in the
room per the licensee's
Seismic Interaction
Program (SIP).
The licensee
installed the cabinets
to rigid supports
as noted in
Design
Change
Notice
(DCN) DC2-EC-40065.
The licensee
designed
the
supports
as noted in Calculation
Number SgE-31,
dated 3/28/88.
As
noted in the calculation,
the cabinets
and supports
were designed
to
tPe worst case floor acceleration
in the
room.
also
provided the qualification of the
AMCO cabinet
and Hoffman relay
enclosure
in WCAP 8687,
dated
May, l988.
The licensee verified that
the
AMSAC equipment
met the design spectra
in calculation
SgE-32,
dated 6/14/88.
The
DCN and calculation
appeared
complete, with appropriate
sign-offs.
The inspector verified that the supports
were installed
as designed
during a walkdown of the system.
The seismic
qualification seems
appropriate.
Environmental
uglification
The
AMSAC equipment is required to be environmentally qualified for
the environment where the equipment is located.
As noted in the
licensee's
October
30,
1987 submittal
on the site specific design,
all of the
AMSAC equipment is located in the cable spreading
room of
the auxiliary building.
This area is a mild environment.
The
equipment is designed
to operate
from 5 to 50
C and
0 to 95K
humidity (non-condensing).
The
AMSAC design is qualified for the
cable spreading
room, since the design conditions
are
more extreme
than the conditions expected
in the cable spreading
room.
0
0
The licensee
purchased
the equipment to an'ppropriate
environmental
specification.
Based
on the staff review, the environmental
qualification seems
adequate.
~Teatin
The
AMSAC equipment
was required
(as noted in the
SER) to be capable
of being tested periodically at power.
The testing could be
performed in the bypass
mode.
It was also noted that the licensee
would perform a post-installation startup test.
The inspectors
reviewed test documentation
to verify that the system
was capable of being tested at power and to confirm that
preoperational
testing
had been accomplished for AMSAC.
During the
preoperational
testing of the
AMSAC system,
it'was identified that
the main steam
blowdown and sample valves failed to close
upon
actuation.
The
AFW pump also inadvertently started.
It was found
by investigation
by they licensee that the circuit wiring was
incorrect for the subject valves.
The licensee
stated that the
situation
was corrected
by Field Change Notice 11948.
The
inspectors
reviewed the electrical
schematics
to verify the correct
situation.
The licensee
subsequently
wrote Licensee
Event Report
(LER)88-018 to document the above situation
and also to document
poor communication
between
the site
and corporate
engineering.
The
LER was closed out in the last resident inspectors'eport.
The inspectors
were informed that administrative
procedures
for
at-power testing
and refueling outage
end-to-end testing were not
complete/finalized.
The licensee
stated that the at-power test
procedure
(STPI-92A) would be completed
by March 2,
1989
and that
the
18 month test procedure
(STPI-92B) would be completed
by the
refueling outage following initial implementation of the
system.
Also, the staff was informed that the
AMSAC test procedures
will be incorporated
as part of the plant recurring task schedule
(RTS) with a priority one or two assigned
to it.
The completion
and
adequacy
of these
respective efforts will be'followed
up in a later
inspection
(50-323/89-02-03).
The staff did confirm through design
documentation
review and
inspection that "sufficient capability does exist to allow for
appropriate
AMSAC testing during both power operation
and while the
plant is shut
down.
~Trainin
The inspectors
discussed
training with the control
room operators
and training instructors,
to verify that the operators
had been
trained
on the
new
AMSAC installation.
The inspectors
also toured
the simulator to verify the implementation of the
AMSAC modification
on the simulator.
The training was verified by the inspectors
to be
completed
by 11/16/88 for all the operators.
Based
on the
discussions
held with the licensee's
staff and review of the lesson
plan,
the operators
were found to be trained
on the
new
modification.
M.
Com
1 eti on of Miti ati ve Action
The licensee
was required to verify that (1) the protective action,
once initiated,
goes to completion
and (2) the subsequent
return to
operation requires deliberate
operator action.
Based
on the review of the test results,
and system design,
the
AMSAC system
should complete its action once initiated.
The
subsequent
return to operation also requires deliberate
operator
action.-
.N.
Technical
S ecifications
The plant specific submittal
was to address
the technical
specification requirements
for AMSAC.
The licensee
stated that
no technical, specification action was
proposed with respect to the
AMSAC system at this time and that
normal administrative controls were sufficient to ensure
operability.
The
NRC staff is presently reviewing
ATWS requirements
to determine
whether
and to what extent technical specifications
are appropriate.
The
NRC staff will provide guidance to the licensee
for the
system at
a later date.
4.
Exit Interview
The inspectors
met with the licensee
representatives
identified in
paragraph
1 on February 2, 1989.
The scope of the inspection
and the
findings up to that date were discussed.