Text

Forwards Response to 871208 Ltr Re Violations Noted in Insp Rept 50-397/87-19.Corrective Actions:Ped S218-E-C640 Issued to Rescind Previous Design Change & Document Acceptance of Existing Conductor motor-operated Valve Circuits
	ML17279A794
Person / Time
Site:	Columbia
Issue date:	01/29/1988
From:	Mazur D; WASHINGTON PUBLIC POWER SUPPLY SYSTEM
To:	; NRC OFFICE OF ADMINISTRATION & RESOURCES MANAGEMENT (ARM)
References
	GO2-88-025, GO2-88-25, NUDOCS 8802050174
	Download: ML17279A794 (82)
	v • d • e

REGULATORY INFORMATION DISTRIBUTION SYSTEM (RIDS)

ACCESSION NBR: 8802050174 DOC. DATE: 88/01/29 NOTARIZED:, NO DOCKET FACIL: 50-397 WPPSS Nuclear Progecti Unit 2T Washington Public Poee 050003'P7 AUTH. NAME AUTHOR AFFILIATION AZURI D. W. Washington Pub l.i c Poeer Supply System RECIP. NAME RECIPIENT AFFILIATION Document Control Branch (Document Control Desk)

SUBJECT:

Foreards response to 871208 ltr re violations noted in Insp Rept 50-397/87-19. Corrective actions: PED S218-E-C640 issued to rescind previous design change directions 8c to document acceptance of existing conductor motor-operated valve.

DIBTRIBUTION CODE:

TITLE: General IEOID COP IEB RECEIVED: LTR (50 Dkt)-Insp Rept/Notice of J ENCL Violation f SIZE:

Response

NOTES:

RECIPIENT COPIES REC IP IENT COPIES ID CODE/NAME LTTR ENCL ID CODE/NAME LTTR ENCL PD5 PD 1 1 SAMWORTH, R 2 2 INTERNAL: ACR S AEOD. 1 1 OE'IENEE DEDRO 1 1 NRR MORISSEAU> D 1 1 NRR/DLPG/PEB 1 1 NRR/DOEA DIR 1 1 NRR/DREP/EPB 1 NRR/DREP/RPB 2 2 NRR/DR IS DIR 1' NRR/PMAS/ ILRB 1 1 R

E('

FILE Nr J 01 1

1 1

1 OQC/HDS2 RES/DRPS DIR 1, 1 1 1

X TERNAL: LPDR 1 1 NRC PDR 1 1 NSIC 1 1 TOTAL NUMBER OF COPIES REQUIRED: LTTR 23 ENCL 23

0 Washington Public Power Supply System 3000 George Washington Way P.O. Box 968 Richland, Washington 99352-0968 (509)372-5000 January 29, 1988 G02-88-025 Docket No. 50-397 U. S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, D.C. 20555 Gentlemen:

Subject:

'UCLEAR PLANT NO. 2 LICENSE NO. NPF-21 NRC INSPECTION REPORT 87-19

Reference:

Letter, GC Sorensen to JB Martin, dated 12/22/87 The Washington Public Power Supply System hereby replies to the Notice of Violation contained in your letter dated December 8, 1987. Our reply, pursuant to the pr ovisions of Section 2.201, Title 10, Code of Federal Regulations, consists of this letter and Appendices A, B and C.

Appendix A addresses each Notice of Violation with an explanation of our position regarding the validity, corrective action(s) and date of full com-pliance. Appendix B provides an assessment of the unresolved items identified in the inspection report and includes any corrective actions taken or planned. Appendix C describes our action plan for strengthening the design modification process. The action plan addresses the broader programmatic issues which either were identified by the NRC Safety System Functional, Inspection (SSFI) team, or which resulted from Supply System consideration of underlying causes which may have contributed to the deficienci,es noted by the NRC.

8802050174 880l29 PDR 9

ADOCK 05000397 PDR i/

Page Two NRC INSPECTION REPORT 87-19 The" Supply System reaffirms its commitment to continue improvements in our Configuration Management Programs. The NRC SSFI provided a beneficial focus to enable the Supply System to make further program improvements.-

Accordingly, the action plan includes both near and long-term initiatives to address the programmatic improvement needs as a result of the SSFI. In addition, we will continue to monitor our performance in this area and make improvements where necessary.

As stated in the referenced letter, it was agreed with members of your staff that our response to the inspection report would be due by February 5, 1988.

Should you have any questions, please contact Mr. P. L. Powell, Manager, WNP-2 Licensing.

ry truly yours, D, W. Mazur Managing Director JDA/bk Attachments cc: JB Martin NRC RV NS Reynolds - BCP8R RB Samworth - NRC DL Williams - BPA/399 NRC Site Inspector - 901A

Appendix A .

Page 1 of 21 APPENDIX A During an NRC inspection conducted on August 3 through 28, 1987, violations of NRC requirements were identified. In accordance with the "General Statement of Policy and Procedure for NRC Enforcement Actions," 10 CFR part 2, Appendix C ( 1987), the violations are listed below:

A. 10 CFR 50, Appendix 8, Criterion V, and the licensee's Operational Quality Assurance Program Description, Section 5, require, in part, that activities affecting quality shall be prescribed by documented instructions, procedures, or drawings, of a type appropriate to the circumstances; Contrary to the above, at the time of the inspection, the following.

procedures for testing of safety related equipment were found to be inappropriate to the circumstances.

1. PED-S218-E-C640 documented testing completed in December, 1983, of DC motor operated valve circuits to demonstrate that installed 5 conductor wiring was acceptable as a replacement for the 9 conductor wiring specified in plant design documents. The test-ing was not appropriate in that it did not include all applicable circuit loads nor did it consider the worst case motor starting currents for the loads that were tested.

2. Surveillance procedures for motor operated valve thermal overload devices (procedure No. 7.4.8.4.3.2 through 7.4.8.4.3.4, "MOV Thermal Overload Group 2, 3, and 4") were not appropriate in that:

a') For Group 2, 3 and 4 thermal overload devices,, tested in 1985, the test current prescribed by the procedure was incorrect for the time to trip criteria specified.

b) For Group 2 thermal overload devices, tested in 1987, proce-dure revisions changed 5 thermal overload heater sizes but failed to properly change the corresponding test current specified by the procedure.

This is a Severity Level IV violation (Supplement I).

Response to A.l Validit of Violation The Supply System acknowledges the validity of this violation in that test data documented in startup problem report SPR-E-3890 was inappro-priately used to determine cable voltage drop values for several safety related motor operated valves (MOVs). PED S218-E-C640 was issued to rescind previous design change directions and to document acceptance of the existing 5 conductor MOV circuits based on the data supplied by SPR-E-3890 without performing additional calculations.

Appendix A Page 2 of 21 Corrective Ste s Taken/Results Achieved The voltage drop calculations have been repeated. The calculations utilized the motor calculated peak in-rush current and actual bus and process load parameters to conclude that the installed configuration (5 conductors per circuit) does not result, in voltage drops in excess of design parameters.

Corrective Action to be Taken No further corrective action is planned.

Date of Full Com liance The Supply System is currently in full compliance.-

Appendix A Page 3 of 21 Response to A.2 Validit of Violation The Supply System acknowledges the validity of this violation. In-correct values were used for the time to trip given the currents used for testing groups 2,3, and 4 MOV thermal overload relays per Plant Procedures (PPMs) 7.4.8.4.3.2 through 7.4.8.4.3.4. In addition, pro-cedure 7.4.8.4.3.2, Revision 1, was deviated to change overload sizes did not change the corresponding test current. 'ut Corrective Action Taken/Results Achieved Previous surveillance data for overload relay testing for groups 2,3, and 4 has been reviewed to ensure that the installed overload relays would not have prematurely tripped during an emergency. The surveil-lance data was reviewed to verify whether the 1) actual test currents met or exceeded the required test currents while still meeting the required trip time or 2) the actual test current was compared to the manufacturer's relay curve to ensure that minimum operating time requirement at that current was met. Two valve overload relays were identified where existing surveillance data did not meet this criteria. These overload relays were retested and found to be accep-table. The surveillance data for those overload relay heaters that were incorrectly deviated in PPM 7.4.8.4.3.2 without changing the associated test currents were included in this review and were found acceptable. The Group 1 surveillance test (PPM 7.7.8.4.3.1) has not yet been performed since only 25% of the safety related valves are tested each year. This surveillance is scheduled for its first per-formance this year.

Corrective Action to be Taken Procedures (PPMs) 7.7.8.4.3.1 through 7.7.8.4.3.4 will be revised to include the correct test current and associated minimum trip times.

The overload maintenance procedure -(PPM) 10.25.3, for verifying correct motor overload relay operation, will be revised to include sibilityyselection tables, overload relay time-current curves, and heater instr uctions for determining test current and acceptable operating times for all relay types at WNP-2. This will make this information readily available to all craft and engineers.

The Plant Manager will issue a memorandum reemphasizing the respon-of each Department Manager to ensure that procedure devia-tions initiated by his department are reviewed for technical adequacy prior to being submitted for POC review.

Date of Full Com liance All corrective action will be complete by March 31, 1988.

Appendix A Page 4 of 21 Plant technical specifications 3.8.1.1 and 3.8.1.2, "AC Sources Operating and Shutdown" require a minimum fuel oil supply of 53,000 gallons for division 1 and 2 diesel generators.

Contrary to the above, in response to. an NRC identified concern invol-ving the measurement of diesel fuel oil tank capacities, the li'censee determined that licensee procedures for determining diesel generator fuel. oil levels were in error. These errors resulted in four instances, since July 1986, in which the actual amount of usable fuel oil in a Division 1 or 2 fuel oil tank was below the minimum technical specification limit of 53,000 gallons. The worst case involved a 11 day period in October 1986, during which the actual Division 1 storage tank level was only 50,230 gallons.

This is a Severity Level IV violation (Supplement I).

Validit of Violation The Supply System acknowledges the validity of this violation. The original Diesel Fuel Oil Storage Tank calculations included an error margin which did not accurately account for the dead storage oil (oil below the transfer pump suction), volume of submerged structural steel internal'o the tank and the proper head shape of the tank. There-fore, the actual usable fuel stored in a tank was less than the value shown in the tank capacity tables used to verify technical specifica-tion compliance.

A review of Plant historical storage tank level data determined that there were four instances when the a'ctual amount of fuel in a tank was below the minimum allowable technical specification amount. LER 87-026 was issued to report the error.

Corr ective Ste s Taken/Results Achieved Generation Engineering recalculated the tank capacity versus oil level data and revised the tables used to verify fuel quantity. The tank capacity is verified daily, relies upon dipstick readings and uses the new data. All D/G test procedures also verify oil quantity prior to and following D/G operation.

To obtain the necessary capacity measurement accuracy, the Master Data Sheet calibration span for each fuel oil storage tank level instrument has been revised. The new span criteria also requires calibration data to be collected. The low-level alarm setpoints have been calculated.

Corrective Action to be Taken Each fuel oil storage tank level instrument will be recalibrated and its low-level alarm setpoint set per the revised Master Data Sheets.

This activity requires significant fuel transfer for calibration data collection to support the calibration procedure preparation. This effort is planned for early Summer 1988.

Appendix A Page 5 of 21 Date of Full Com liance The Supply System is currently in full compliance. Each Diesel Fuel Oil Storage Tank is verified daily and during Diesel Generator testing to verify the stored fuel exceeds minimum technical specification requirements..

Calibration of the tank level instrumentation will. be accomplished by July 20, 1988.

Appendix A Page 6 of 21 C. 10 CFR 50 Appendix B, Criterion Y states, in part, that: "Activities affecting quality shall be prescribed by documented instructions, procedures or drawings...and shall be accomplished in accordance with these instructions, procedures or drawings".

Section 5.2.1 of the WNP-2 Operational Quality Assurance Program Description Manual, states "Activities that affect safety related functions of plant items shall be described by and accomplished through implementation of documented procedures, instructions or drawings as appropriate."

1. Plant Procedures Manual (PPN) No. 1.4. 1, Revision 2, dated September 6, 1984, entitled "Plant Modifications," Attachment 1, Plant Modification Record (PMR) and Instructions Block 18 states, in part, that the "Plant Systems Engineer..." will sign and date the PNR "indicating that the installation of the modification is complete."

Contrary to the above, at the time of the inspection:

a ~ PMR 02-84-1096-1, written to implement DCP 84-1096-0B, was signed and dated by a Plant System Engineer on June 6, 1985, indicating that installation of structural shielding for two auxiliary steam isolation valves was completed, when in fact the shielding was never installed.

b. Maintenance Work Request (NWR-AT-0444), initiated to change position indicator light labels to indicate that valves SW-PCV-38A and B were deactivated, was identified as having been completed on the PNR, as specified by a Plant System Engineer's signature on May 28, 1987, although the work had not been done.

This is a Severity Level IY violation (Supplement I).

Validit of Violation The Supply System acknowledges the validity of the violation. In the case of the failure to install shielding for the auxiliary steam isolation valves, closeout of this plant modification was assigned to a Plant System Engineer different from the Plant System Engineer who prepared and implemented the work package.

The implementing engineer inadvertently did not include an NWR for the shield installation .in the original work package. The Plant Technical Super visor approved the incomplete work package.

The newly assigned engineer performed an inadequate review of the PMR/MWR work package and closed the PMR without all PMR work being completed.

Appendix A Page 7 of 21 In the second instance cited, the Plant System Engineer prepared and scheduled the MHR to change labels on the Standby Service Water valves with the Maintenance Department. The engineer was assured that the work would be completed on a priority basis.

Operability of the Service Water system was required for Plant startup. The System Engineer correctly determined that all modifications required for system operability were complete and all top tier drawings had been changed to show the correct system logic. The operational condition of the indicating lights was, communicated to the operations staff by revision to the operating procedures. The labeling change MWR was subsequently superseded by higher priority work without the System Engineer's knowledge.

The Plant Modification Request procedure requires the engineer responsible for the modification to veri,fy all work is complete prior to signing the PNR complete block. The two instances cited are contrary to the PNR procedure.

Corrective Ste s Taken/Results Achieved The individuals involved in the two instances cited have been counseled on their responsibility to ensure all work is complete prior to signing the modification complete block on the Plant Modification Request document and the risks associated with sharing Project Engineer responsibilities.

During the SSFI, preparations were initiated to install the missile shield on the auxiliary steam isolation valves. The Plant System Engineer determined that the shield as designed did not provide adequate access to the valves for maintenance.

Engineering was requested to redesign the shield. During this redesign effort, the need for the shield was reevaluated and it was determined that the shielding of these valves is not re-quired.

The labeling of the deactivated Standby Service Hater valves was completed on August 25, 1987 during the SSFI.

Corrective Action to be Taken The PNR procedure, PPM 1.4. 1, Plant Modifications, will be re-vised to require the Plant System Engineer to perform a post modification review and/or walkdown with support from Design Engineering, Maintenance, Operations and QA/QC as appropriate to assure completion of all required work prior to system return to service.

Date of Full Com liance March 30, 1988

Appendix A Page 8 of 21

2. Automatic Depressurization System design drawing FSK-346, Revi-sion 3, dated'une 18, 1983, requires that "shims be placed under (nitrogen) bottles as required, depending on the individual bottle height, to achieve a snug fit between the top of the bottle and the collar of the rack."

Contrary to the above, as of August 3, 1987, shims had not been installed for any of the ADS nitrogen bottles, with the result that the bottles were free to move in the collars during a seismic event.

This is a Severity Level V violation (Supplement I).

Validit of Violation The Supply System acknowledges the validity of this violation in that shims were not placed under the nitrogen bottles as required to achieve a snug fit.

Corrective Ste s Taken/Results Achieved New NIL Specification (MIL-C-17376A) bottles have been purchased and are currently installed in the Plant in place of the standard bottles. Calculation CE-02-87-34 shows that these new bottles will withstand the reactions induced by seismic events from the existing bottle racks and concluded the existing racks are adequate. In addition, the new configur ation does not require the use of shims.

The manner in which the racks were assembled has been addressed in the Operations Department Night Orders instructing the Equip-.

ment Operators on correct rack assembly. Nitrogen bottle change-out instructions have been written and attached to each bottle rack.

Corrective Action to be Taken No further corrective action is planned.

Date of Full Com liance The Supply System is currently in full compliance.

Appendix A Page 9 of 21

3. Procedure No. 10.25.46, "PGCC Modification, and Cable Installa-tion", provides installation requirements for permanent electri-cal terminations. The procedure provides specific requirements for installation of terminal lugs and heat shrink tubing, such that terminals are properly crimped and bare conductor wire is not exposed.

Contrary to the above, as of August 3, 1987, automatic depressur-ization system instrument rack termination crimping, terminal lugs and heat shrinking were not installed in accordance with procedure 10.25.46 in Instrumentation Racks No. IR-67, IR-68, IR-69 and also in the Control Room Cabinet H13-P631 ADS Div. 2.

In particular, terminations were improperly crimped and heat shrink tubing was improperly installed such that bare wire was exposed.

This is a Severity Level V violation (Supplement I).

Validit of Violation The Supply System does not acknowl edge the val i di ty of thi s vi ol ati on. In April, 1984 a Pl ant Nonconformance Report was issued which documented electrical construction related deficiencies in instrument panels, power panels, termination boxes, and switchgear. Forty-one . electrical enclosures were inspected, including instrument .rack IR-69. All problems which did not meet Plant Electrical Specification or Plant Procedure requirements were accepted-as-is or corrected. The questionable crimp in IR-69 cited in the violation was included in the inspection and judged by a Plant engineer to be acceptable. As a result of this violation, the electrical wir ing in instrument racks IR-67 and IR-68 was inspected and the deficiencies identified were accepted as-is.

The criteria used to determine if a crimp is acceptable was a pull test, verification that the wire is secure in the crimp,'nd a determination that the exposed wire is not susceptible to shor ting.

Appendix A Page 10 of 21 Regarding terminal lugs, the procedure referenced in the Notice of Violation, PPM 10.25.46, is only applicable to the control room cabinets and, ther efore, only applies to the H13-P631 cabinet cited in the violation. Plant Procedure (PPM) 10.25.19 "Termination and Splicing Instruction" is the applicable proce-dure for instrument rack IR-69. The terminations cited in instrument rack IR-69 are installed in accordance with PPM 10.25.19. Two sizes of ring lugs (22-16 ga. lug or 14-16 ga.

lug) are acceptable by procedure, for use with 16 ga wire.

The terminations in cabinet H13-P631 are acceptable. Installing terminal lugs back to back is a good electrical practice, but is not a requirement in PPMs 10.25.46 or 10.25.19.

it The two wires cited for improperly installed heat shrinking were installed in 1979 and 1982 in accordance with the existing con-struction procedure. The two wires are drain wires and the present installation is acceptable for drain wires.

Corrective Ste s Taken/Results Achieved The electrical wiring in instrument racks IR-67 . and IR-68 was inspected. The crimps cited in the Notice of Violation were determined to be acceptable as-is.

Corrective Action to be Taken No further corrective action is planned.

Date of Full Com liance The Supply System is currently in full compliance.

Appendix A Page ll of 21

4. Licensee procedure 1.3.7, "Maintenance Work Request", provides requirements for performing work on safety related equipment.

The procedure requires that all work be performed in accordance with a written work request and that any modifications to safety related equipment be properly reviewed in accordance with appli-cable requirements of 10 CFR 50.59 Contr ary to the above, as of August 3, 1987, the licensee was observed to have installed temporary foam insulation filters on the ventilation louvers for the 4KY breakers on safety related SN7 switchgear without the use of a written work request and without proper review of the modification.

This is a Severity level V violation (Supplement I).

Validit of Violation The Supply System acknowledges the validity of this violation.

The filters were installed prior to commercial operation to protect the switchgear from construction dust and debris.

Corrective Ste s Taken/Results Achieved

1. The filters were immediately removed and an inspection was performed which confirmed that these filters were not installed on other switchgear.

2. It has been determined that the installation of the foam filters did not cause degradation of the associated switch-gear.

3. Since the time frame when the filters were installed, plant procedur es have been developed which clearly define the responsibilities and programmatic controls associated with maintenance activities and plant design modifications.

Specifically, the Maintenance Work Request (NWR) is used to control all corrective maintenance activities and the imple-mentation of permanent plant modifications or additions which result from Plant Modification Requests (PNRs).

Included in the scope of the PNR process is the requirement to perform a 10 CFR 50.59 Safety Evaluation. In addition, temporary modifications are controlled by the Lifted Lead and Jumper pr ogram.

Appendix A Page 12 of 21 As a result, it is expected that the processes which are currently in place, to control plant maintenance activ'ities and design modifications, would prevent such situations from occurring.

However, it has been determined that additional controls can be applied, in the area of housekeeping, which could increase the probability of identifying and correcting any other problems of this type.

Corrective Action to Be Taken PPM 1.3. 19, "Housekeeping", will be revised to better define the responsibilities and expectations of the Floor/Area Coordinators in the areas of material deficiencies, industrial safety hazards, cleanliness and housekeeping deficiencies and radiological pro-tection deficiencies. The coordinators will be expected to be aware of the degradation and abnormalities of equipment and structures within the areas for which they are responsible.

In addition, training will be developed and pr ovided to the coordinators on these responsibilities and expectations.

Date of Full Com liance 1

While the Supply System is currently in full compliance with regard to the item identified in this violation, further correc-tive action will be completed by June 30, 1988.

Appendix A Page 13 of 21

5. Licensee procedures 10.2.53, "Seismic Control for Scaffolding, Ladders, Tool Gang Boxes and Metal Storage Cabinets" and 1.3.19 "Housekeeping", provide specific requirements for ensuring the proper seismic restraint of equipment in safety related areas and for proper cleanup of work areas fol.lowing maintenance activi-ties.

Contrary to the above, at the time of the inspection:

a. An unsecured tool box, breaker handling truck, ladder and several sets of disassembled metal brackets and mounting hardware were observed adjacent to safety related switchgear in ESF switchgear room SM7..

b. An inspection of containment electrical penetration enclo-sure X-105A (TB-R312) for Division 1 electrical circuits identified several loose terminal block screws, bare wire remnants, scrap tape and other debris inside of the enclo-sure.

This is Severity Level Y violation (Supplement I).

Validit of Violation The Supply System acknowledges the validity of the violation. An unsecured tool box, breaker handling truck, ladder and several sets of disassembled metal brackets and mounting hardware were adjacent to safety related switchgear SM7, contrary to the Plant procedures.

The Supply System acknowledges the validity of the violation concerning debris inside electrical penetration enclosure X-105A.

This problem is believed to be an isolated'nstance. In the Spring of 1985, Plant Nonconformance Report (NCR) 285-308 was initiated which caused all electrical penetrations to be inspected. The associated Maintenance Work Request (MWR) gave instructions to note all deficiencies. During the R-3 outage (Spring 1987) approximately ten electrical penetration enclosures were examined by an Equipment qualification Engineer and no cleanliness problems were noted. During a recent Plant outage the X-105A enclosur e was cleaned. Three additional penetrations were inspected for similar problems and no debris or foreign material was found.

Appendix A Page 14 of 21 Corrective Ste s -Taken/Results Achieved All identified unsecured items were properly secured and/or removed from the SM7 switchgear room immediately upon identifi-cation of the problem to Plant Maintenance personnel by the SSFI team. This was accomplishe'd prior .to the SSFI team departing the P 1 ant.

Additionally, PPM 10.2.53 was routed for required reading by Plant Electrical Maintenance personnel as a reminder of Plant requirements regarding seismic control.

Electrical penetration enclosure X-105A was cleaned and re-closed. In addition to this, three other penetration enclosures were inspected to determine if the problem might exist elsewhere.

The penetrations inspected were X-100A, X-100B and X-107A. No debris or foreign material was encountered in these penetrations, only a very light coating of dust. The enclosures were cleaned and reclosed.

The Supply System has in place a preventive maintenance program

. to periodically inspect electrical enclosures, those which are most readily accessible, for cleanliness. The electrical pene-tration enclosures are not included in this program because they are bolted closed and only opened for maintenance.

Corrective Action to be Taken PPM 10.2.53 "Seismic Requirements for Scaffolding, Ladders, Tool Gang Boxes and Metal Storage Cabinets", will be revised to better define the responsibilities and expectations of Plant Maintenance personnel.

Date of Full Com liance April 15, 1988

Appendix A Page 15 of 21 Plant Problem Procedure 1.3.12 "Plant Problems", Revision 10, Sections 1.2.12.5 and 1.3.12.5, provide specific r equirements for the preparation and issuance of non-conformance reports (NCRs) when plant equipment deficiencies are observed. Specifically, the procedure e requires the issue of an NCR in the event of failure of plant equipment and requires that the NCR properly indicate whether the equipment is "safety related" and whether the problem is "safety significant".

Contrary to the above: in June 1987, NCR 287-219 was issued without proper indication of the safety significance of a failure of safety related valves CIA-V-39A and CIA-V-398; and in July 1987, when the same valves again failed, no NCR was issued.

This is a Severity Level V violation (Supplement I).

Validit of Violation The Supply System acknowledges the validity of this violation.

The originator of an NCR is procedurally required to check either the safety related or non-safety related block at the top of the Nonconformance Report (NCR) form. The purpose of this block is to help the Shift Manager determine whether the problem is a Nonconformance Report (safety related) or a Plant Deficiency Report (non-safety related). The failure to check this block was an oversight of the originator; however, the Shift Manager did correctly determine that the problem was safety related and evaluated it as such.

The issue of safety significance is not as clear cut. Plant procedure 1.3.12, section 1.3. 12.2.c, requires that problems be identified as safety significant if one or more of four cr iteria are met. This evaluation is somewhat subjective and involves a value judgment as to the "significance" of an individual problem.

When the original safety significance determination was made for the June 19, 1987 NCR (287-219), it was thought that the failure was due to a failure of the position indication system and did not represent an actual failure of the valves to close. Thus, this failure was not deemed safety significant. In retrospect, however, the failure turned out to be repetitive and more likely a failure of the valves to fully close and, therefore, "signi-ficance" was justified by section 1.3.12.2.c of PPM 1.3.12.

Appendix A Page 16 of 21 It is impor tant to note that this valve design util i zes a posi-tion indication design that is difficult to adjust and'sensitive to environmental changes. Also, since there is no stem motion visible nor means of verifying flow, the previous conclusions that position indication failure was the basic problem can be understood. Based on the experience gained through the failures of these valves, it was concluded that the valve design is a misapplication for those service conditions, as was documented in NCR 287-219, and the only long term solution is replacement.

Although a formally documented root cause evaluation was not written during the July event, a root cause determination was made by those involved to determine the actual failure mode and was the basis for the subsequent design change.

The failure to document the July, 1987 failure by an NCR does not meet the requirements of Plant Procedure 1.3. 12. This omission is an oversight on the part of plant personnel.

Corrective Ste s Taken/Results Achieved As a result of the June 1987, failure, it was determined that more reliable valves were required for this application. This decision was documented in the Corrective Action section of NCR 287-219 on June 22, 1987 and the Plant Engineering staff was directed to begin preparation for valve replacement during the Spring 1988 refueling outage. In addition, personnel involved in the failur e to write an NCR to document the failur e of a technical specification surveillance have been counseled.

Prior to the July failure of the 39A and B valves, it was thought that the previous failures were mainly failure of the val ve position indication which relies on magnetic switching integral to the valve. Based on additional troubleshooting during the Jul y fai ure, i t was conc 1 uded that the pl ug i tsel f was not 1

reliably closing and that this condition was correctable by incr easing the closing force of the valve. This closing force was subsequently increased by a design change and the valves have performed without failure since that time. The design change was discussed with the valve manufacturer prior to implementation.

At the present, replacement valves of a more simple and reliable design are on order and intended for delivery and installation during the Spring 1988 refueling outage. This valve replacement is a part of an overall design upgrade of the CIA system.

Appendix A Page 17 of 21 This problem has been reviewed for reportability per 10CFR 50.73 and determined to be not reportable. The basis for this determi-nation lies in the evaluation of availability of CIA-V-41A/B to check leakage flow back through CIA V-39A/B. These two check valves are periodically tested in the Plant surveillance program factorilyy (PPN 7.4.0.5.23) to verify their functionality and each satis-passed this test in June, 1987. Although valve leakage is not measured in this procedure, the capability of the valves to perform their function following failure of CIA-V-39A/B is verified and, therefore, the CIA system integrity is verified.

Although the long term (30 day) capacity of the nitrogen supply may be somewhat decreased by the expected increased leakage in this condition, additional nitrogen supply capability is designed into the plant. Consequently, the failure of CIA-V-39A/B is not.

considered a "serious degradation" of the system or one that "seriously compromises" plant safety.

Corrective Action to be Taken The Plant Problems Procedure (PPN) 1.3. 12 will be revised to require a documented root cause analysis for all NCRs which docu-ment scrams, significant plant transients or other problems deemed appropriate by management. The requirement to assess problems for generic implications will be strengthened.

The CIA-V-39A/B valves are scheduled for replacement in the upcoming Spring 1988 refueling outage.

A plant procedure defining the method of root cause analysis will be written and issued.

Date of Full Com liance July 1, 1988.

'S Appendix A Page 18 of 21 Plant technical specification 6.8.3 states that "Temporary changes to procedures of specification 6.8.1 may be made provided...the change is approved by two members of the unit management staff, at least one of whom holds a Senior Reactor Operator license; (and) the change is documented, reviewed by the POC and approved by the Plant Manager within 14 days of implementation."

Station procedure 1.2.3, "Use of Plant Procedures" implements the above requirements for making procedure changes.

Contrary to the above, on May 15, 1985 and Nay 7, 1987, maintenance personnel performing procedure 7.4.8.4.3.4 and 7.4.8.4.3.2, "MOV Thermal Overload Group 4" did not make a temporary procedure change in accordance with Procedure 1.2.3 when they noted that installed thermal overload devices did not match the size specified in the procedure.

Instead, the maintenance personnel noted the different thermal over-load devices and revised test currents in the comments section of the procedure. In two cases, RCC-V-6 and RHR-V-3A, the revised test currents were incorrect and did not correspond to the required device trip time criteria.

This is a Severity Level IY violation (Supplement I).

Validit of Violation The Supply System acknowledges the validity of the violation in that Procedure 7.4.8.4.3.4 was deviated in violation of the require-ments of safety related procedure PPN 1.2.3.

Corrective Ste s Taken/Results Achieved As explained in our response to violation A2, the Group 2,3, and 4 surveillance test data has been reviewed to ensure that the overload relays would not prematurely trip. The surveillance test data for both RCC-V-6 and RHR-V-3A were included in this review. In the case of RCC-V-6 the surveillance test current should have been 27. 18 amperes for the associated surveillance trip time of 22 seconds. The actual surveillance test current used was 26 amperes which means the minimum allowable trip time must be increased to 26 seconds based on

Appendix A Page 19 of 21 manufacturer supplied test curves. The actual trip times measured for the RCC-Y-6 overloads were 51.5 seconds and 74.1 seconds which met the minimum allowable trip time criteria of 26 seconds. In a similar manner the surveillance test data for RHR-V-3A was analyzed. In this case the required test current was 30.7 amperes and the actual test current was 23.6 amperes which corresponds to minimum allowable trip times of 22 seconds, and 45 seconds. The actual trip times were 56, 53 and 60 seconds which again met the minimum allowable trip time of 45 seconds. Therefore, eVen though the tests were not run at the normal three times pickup current the surveillance results do verify that the overloads do not prematurely trip.

This incident has been discussed by the Maintenance Electrical Supervisor with all electrical shop personnel at either a shop meeting or individually.

Correc'tive Action to be Taken As a part of the corrective action of violation A2, procedures 7.4.8.4.3. 1 through 7.4.8.4.3.4 will be revised to include the correct overload heater size, test current, and minimum trip time. Refer to violation A2 for associated corrective actions.

Date- of Full Com liance March 31, 1988.

Appendix A Page 20 of 21 E.

procedures recommended in Appendix 'A'f Section 6.8.1.a of the Technical Specifications requires applicable Regulatory Guide 1.33, Section 8.a of Appendix 'A'f February, 1978, be established and implemented.

Regulatory Guide 1.33 requires that, "Procedures of a type appropriate to the circumstances should be provided to ensure that tools, gauges, instruments, controls, and other measuring and testing devices are properly controlled, calibrated, and adjusted at specified periods to maintain accuracy. Specific examples of such equipment to be calibrated and tested are readout instruments, inter-lock permissive 'and prohibit circuits, alarm devices, sensors, signal conditioners, controls, protective circuits, and laboratory equip-ment."

Contrary to the above requirements, as of August 3, 1987,'rocedures had not been established for -the periodic calibration of time delay relays associated with permissive and protective functions of the following safety r elated time delay relays:

(1) SE-RLY-V/2A3 and 2A4, that provide 12 second and 62 second time delay values to control the slow opening of the service water pump discharge valve to minimize water hammer effects.

(2) SGT-RLY-TK/2Al and 2A2, that provide a 30 second time delay for automatic start of the redundant standby gas treatment system.

(3) RHR-RLY-K54A, that provides a 10 second time delay for minimum flow bypass for the RHR pump.

(4) RHR-RLY-K70A, that provides a 5 second time delay for starting of the RHR pump.

(5) RHR-RLY-K93A, that provides a 10 minute time delay before the operator can manipulate RHR heat exchanger valves after the start of an accident.

This is a Severity Level IV violation (Supplement I).

Validit of Violation The Supply System acknowledges the validity of this violation in that not all safety related time delay relays (TDRs) were included in the periodic calibration program. However, it should be noted that this condition had been previously addressed by the Supply System. Prior to the SSFI, 26 TDRs had been placed on a periodic calibration program through the use of the Scheduled Maintenance System (SMS) program and in conjunction with existing procedures covering TDR calibration and technical specification required surveillance tests.

Appendix A Pa'ge 21 of 21 It should also be noted that equipment and TDR performance has tradi-tionally been verified (indirectly) through various sur veillances and logic system functional tests (e.g., loss of power tests, response time tests, etc.). To date, none of the testing has disclosed any.

major TDR setpoint drift problems.

Corrective Ste s Taken/Results Achieved Safety related time delay relays will be calibrated on an initial two or three year frequency utilizing the SNS program. To date, 119 of the 159 safety related TDRs have been processed for inclusion into the SNS program, and the remaining safety related TDRs are currently in the process of being entered into the program.

Corrective Action to be Taken The remaining 40 safety related TDRs will be added to the SMS program for periodic (two to three year frequency) calibration; with all TDRs scheduled for calibration by 1991, Date of Full Com liance All safety related TDRs will have been added to the SMS program by March 30,. 1988.

Appendix B Page 1 of 24 APPENDIX B The following is an assessment of the unr esolved items identified 'in NRC Inspection Report 50-397/87-19. As requested, any corrective actions taken or planned are included.

A. PLANT ENGINEERING AND DESIGN MODIFICATION

1. Class IE Batter Sizin (87-19-01)

(a) Issue: Failure to assure that the design basis for the safety-related batteries was correctly translated into plant documents appears to be a violation of 10 CFR 50 Appendix B, Criterion III.

(b) Discussion: Calculation No. 2.05.01, Battery and Battery Charger Calculation 250VDC, 125VDC, and 24VDC Systems (Rev.

6), was revised on September 21, 1987, for the 250VDC and 125VDC Divisions 1 and 2 direct current systems. This revision (Rev. 7) utilized the calculation methodology described in IEEE Standard 485-1983 and the Exide mance data for the installed cells. The load pr ofile cell'erfor for each battery was redefined eliminating the inconsisten-cies between the DC one line drawing (E505), inverter loads and efficiencies, and starting currents for valve and pump motors. Factors for temperature correction, aging and design margin were included in the sizing calculation. This recalculation concluded that the installed battery systems are capable of withstanding the in-rush values without exceeding the batteries'ne minute ratings and are capable of meeting their respective duty cycles.

The updating/revision of calculation E/I-02-85-02, for the High Pressure Core Spray DC System, is currently in pr o-gress. The inconsistencies/concerns identified by the SSFI team are addressed. Results indicate that the HPCS battery is capable of meeting its required duty cycle.

Appendix 8 Page 2 of 24 In July 1984, Supply System Engineering adopted a design control program that requires that any calculation needed in support of a design change be completed, verified, and approved prior to release of the design change for field implementation. A copy of the calculation cover sheet must be included, in the design change package. The design con-trol program in force prior to that time also required completion of affected calculations on a timely basis, but did not require inclusion of the completed calculation cover sheet.

During the development of design basis documents, as dis-cussed in Appendix C, omissions or errors in baseline material such as calculations, where identified, will be resolved.

Appendix B Page 3 of 24

2. Motor 0 crated Valve Overload Selection (87-19-04)

(a) Issue: Failure to confirm the 'assumption that thermal overload relays selected at 140K of motor full load current would provide adequate protection for short time duty motor operated valves appears to'e a violation of 10 CFR 50 Appendix B, Criterion III.

(b) Discussion: The ,WNP-2 thermal overload relay setting of

'40K ,full load current is governed by our commitment to Regulatory -Guide (RG) 1.106 and discussions with the NRC (the NRC initially requested a 300K setting or a complete bypass).

We agree with the conclusions of the review team that a 140%

overload setting does not provide adequate protection for a short time duty motor operated valve. However, these over-loads are not sized to protect valves from duty cycle type failures; they are sized to assure that safety related valves attain their safe position, assuming degraded voltage conditions, with maximum available torque applied. This criteria generally requires overload relay settings greater than the manufacturer's 1255 recommended settings.

WNP-2 sizes overloads by selecting two sizes greater than that required by calculation, resulting in settings of approximately 150K. The adequacy of existing overload relay settings is being verified by the WNP-2 MOVATS testing program currently in progress. RCIC and HPCS valves have been tested to date. Indications are that some overloads could be set at a value less than 140K and some could not.

The SSFI teams'tatement that "most of the valves in the RHR system and some in other systems" have the 8 phase overload heater wired for alarm is incorrect. At WNP-2, no safety related valve overload heaters are used for alarm functions. In some MOVs, the heaters of "A" and "C" phases are wired for a tripping function. For this arrangement, the "B" phase heater element is not used. Generally, all three phases are wired to trip.

Appendix B Page 4 of 24

3. Fire Protection S stems for Diesel Generator (87-19-07)

(a) Issue: As a result of a single credible failure, all three sources of onsite AC electrical power could potentially be lost.

(b) Discussion: The Supply System agrees that a potential common mode failure exists if steps to mitigate the flooding are not taken in accordance with Appendix R requirements.

This condition was recognized and addressed in FSAR Appendix F, Item C on Page F.3-47, Amendment 24, Nay 1982.

The potential common mode failure identified could have disabled all three emergency electrical power diesel generator s. This failure could result if a fire occurs in the HPCS diesel generator room, the fire protection sprinklers in the room actuate, and steps are not taken to mitigate flooding which could extend into the diesel fuel oil transfer pump rooms located adjacent to the HPCS diesel generator room. Flooding in the transfer pump rooms would fill the pump pits, submerging the pump motors and disabling the Division 1 and Division 2 diesel generators after the day tank storage is exhausted.

The FSAR section indicates that actions such as opening doors to mitigate flooding from fire protection system actuation must be taken to prevent adverse affects on safety related equipment by flooding. On an annual basis, the fire brigade is trained to take such actions. This area is discussed in the fire brigade training lesson plans.

Since the SSFI, the Supply System has revised the Abnormal Condition Procedure (4FCP.2-9.3) to specifically require that, upon confirmation of fire suppression system actuation in the HPCS diesel generator rooms, a security officer will be dispatched to open the outside (south wall 441') door of the building. It has been demonstrated that the security officer or fire brigade personnel will respond to conduct this action within ten minutes of notification. Calcula-tions have been completed which show that the flood level in the room will not exceed 7 inches in 10 minutes. Therefore, the potential for the common mode failure postulated is satisfactorily mitigated by the above actions which are in accordance with Appendix R requirements. In addition, procedures 4.FCP.2-8.3 and 4.FCP.2-8.6 for the Division 1 and Division 2 diesel generator rooms have also been revised to mitigate flooding events. These mitigating actions will also be incorporated into the WNP-2 Pre-Fire Plans.

P Appendix B Page 5 of 24 4 ~ Fire Protection S stem for Diesel Generators (87-19-08)

(a) Issues: I) Flooding o'f the diesel generator rooms (specifi-cally Division 2) could compromise the ability of the plant to achieve safe shutdown, and 2) Flooding of the diesel fuel transfer pump rooms degrades the condition of the plant.

(b) Discussion: Both of these issues involve the potential for a fire to spread from one fire zone to another. At WNP-2 each fire zone boundary is protected from a fire spr eading from one zone to the next in accordance with standard NFPA and Appendix R requirements.

The first event is postulated as follows:

During a LOCA and loss of off-site power, a diesel fuel line failure occurs in the Division 2 diesel generator room (fire zone DG-III) and causes a fire. Subsequent fire suppression system actuation could cause a small amount of oil mixed with water to enter the common corridor between the diesel generator and reactor building (fire zone TG-I) where Divi-sion I and Division 2 conduits are installed. A fire in the corridor could damage unprotected Division 1 cable necessary to mitigate the consequences of a LOCA. A similar event could be postulated if the fire were to occur in the Divi-sion 1 (fire zone DG-II) or Division 3 (fire zone DG-I) areas. These areas are protected as 3-hour fire areas.

Consideration of a postulated LOCA and fire occurring simul-taneously is not within the licensing design basis for WNP-2. Therefore, we do not concur with the postulated event above, or any event that simultaneously imposes a fire and LOCA on the design of the plant. In accordance with the philosophy of Appendix R, it is not credible to assume that a fire will pass from one fire zone to another (e.g., DG-II to TG-I), and the postulated event is not required to be analyzed in plant design.

The Supply System agrees that, a mixture of fuel oil and water may enter the TG-I corridor, via the very small gap at the bottom of the fire doors, during the event. However, the quantity of fuel oil in the mixture would be very small considering that the diesel generator floor drain system will prevent large quantities from collecting in the room.

In addition, the fire brigade will rapidly respond (within ten minutes) to the event and take action to control the spread of the potentially combustible mixture. However, to mitigate the potential for such an event, the height of the curbs at the diesel generator room to TG-I corridor will be increased to a curb height that prevents any flood water flow out of the diesel generator rooms.

Appendix B Page 6 of 24 The Supply System concludes that the Plant design (floor drains) and fire brigade actions discussed above satis-factorilyy mitigate this postulated event. Raising the curb height is an additional action which will prevent this event from occurring.

The second event is postulated as follows:

A fire resulting from diesel fuel oil leakage in the fuel oil transfer pump room occurs, and because these rooms do not have a floor drain system, a mixture of diesel fuel and water would enter the HPCS room as the transfer pump room is flooded. In order for this event to become an Appendix R Safe Shutdown concern, it would require an initial fire in one of the pump rooms to pass from one diesel generator fire area to another diesel generator fire area (i.e., DG-YI, V or VI to DG-I area). The areas are protected as 3-hour fire areas, The Supply System does not believe the event described is credible and in accordance with the philosophy of Appendix R, this event is not required to be analyzed.

The equipment in the transfer pump rooms is designed to prevent the occurrence of a fire. The transfer pump con-trols and electrical box in the room are designed to be explosion proof, including the pump motor (Westinghouse total enclosed fan cooled, explosion proof). The piping in the rooms is designed and installed to ASME III, Class III requirements.

Each time the diesel engines are started, if an operator is not present . in the area, the Shift Manager iranediately dispatches one to the diesel generator rooms to perform routine observations and inspection. Minor leaks in such items or pump seals would be quickly discovered and actions taken to mitigate and correct the problems. If in the unlikely event a fire did occur, the fire brigade would rapidly respond (within 10 minutes) to the area and be able to control the spread of any oil and water mixture that may enter the HPCS diesel room. The drains in the room would also help prevent significant spread of any such mixture.

The Supply System concludes that the actions described above would satisfactorily mitigate this postulated event.

Appendix B Page 7 of 24 1

5. Air Filtration for Emer enc Diesel Generator Units (87-19-09)

(a) Issue: ,Lack of coordination in Engineering, Operations, Maintenance and ()uality Assurance activities associated with the design basis ash fall event.

(b) Discussion: Analysis proved the adequacy of the dust storm protective filtration system. The entire ash fall program is being reviewed: Plant procedures are being reviewed and revised, filter inventories are being revised and selective testing is being performed to demonstrate the workability of the ash fall program. This review is a coordinated activity involving 'Engineering, Operations, Maintenance and (}uality Assurance staff.

Item (1) No An'al sis of Oil Bath Combustion Air Filters for Dust Storm The analysis for a design basis dust storm has been com-pleted and documented in calculation ME 02-87-95. The analysis indicated that the existing system is adequate and the oil bath combustion filters would provide sufficient protective filtration for 110 hours0.00127 days 0.0306 hours 1.818783e-4 weeks 4.1855e-5 months . This provides adequate margin when considering the required 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months duration for a design bases dust storm.

Item (2) No Anal sis of Tem orar Filters for Ash Fall The analysis for a design basis volcanic ash fall has been completed and documented in calculation ME 02-87-95. The results of the analysis indicate that the existing system and procedure were inadequate in that the prefilter s would load to capacity in 34 minutes. Changes to the Abnormal Condition Procedure are needed to assure recirculation of the HYAC air (except for 2,000 cfm outside air to maintain a positive pressure) which will increase the filter change out time to 5.4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . All temperature requirements and room pressurization requirements for the diesel areas will be maintained. As indicated in Item 6, actual time require-ments for complete filter change outs are being determined to ensure that the 5.4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months limit will not be exceeded.

Item (3) No Anal sis of Oil Bath Combustion Air Filters for Ash Fall The analysis to determine the adequacy of the. oil bath combustion filters when used in conjunction with the pr e-filters during a design basis volcanic ash fall has been completed and documented in calculation ME 02-87-95 and ME 02-88-03. The analysis indicated that with the prefilter s in place the oil bath combustion filters will provide pro-tective filtration for 19.7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months without exceeding combus-tion air pressure drop requirements. The design basis volcanic ash fall event of 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months duration can be com-pleted by the alternate running of Division 1 and Division 2 diesels if required.

4 Appendix B Page 8 of 24 Item (4) Inade uate Abnormal 0 eratin Procedure Review of the Abnormal Operating Procedure for volcanic ash fall, PPN 4. 12.4.5, has indicated that more detailed direc-tion is needed to assure'roper alignment of HYAC dampers during an ash fall event'. During the ash fall. event dampers must be aligned to give 2,000 cfm or 350 cfm outside air flow, depending on outside temperatures. Testing will be performed to determine the damper positions associated with these flow rates. PPN 4. 12.4.5 will be revised to include specific instructions for setting of dampers to achieve the required flow rates. The procedure revision will also include the addition of steps to start preparatory activities when first notified of a potential ash fall.

Item (5) No Documentation of Filter Structural Ade uac The filters were installed such that air flows tend to unseat them. This was done because of a lack of access for filter change out on the upstream side. During the design process the frame and filter manufacturer was contacted and agreed that this method would be adequate for the Supply System's application. The supplier was requested to perform tests on filters mounted in this way and their tests con-cluded that no damage would be done to the filters when operating at a higher differential pressure than the Supply System uses for filter chan'ge out. The tests did indicate that air bypasses of from 10 to 205 could occur, and this information has been included in the calculations discussed in Item 3.

Item (6) No Testin of Tem orar Fi1 ter Arran ement The ash filter frames are of modular construction with each individual frame being identical and mechanically locked into the adjacent frames. Persons involved in the original installation were contacted and indicated that a trial fitup of filter to frame module was performed but not documented.

Because all filters and filter frame modules are identical there is no need to verify proper fitup. The manhours required to install the ash fall filters at typical locations, including one diesel intake and one service water pumphouse intake, will be determined and incorporated into PPN 4.12.4.5.

Appendix b Page 9 of 24 Item (7) Other Ash Fall Filters Reviews and analyses are in process to determine the load-ing characteristics of all ash filter locations. Based on the results of the reviews and analyses, the number of filters stored in the Pl'ant warehouse will be adjusted to ensure enough filters for an ash fall event. PPN 4. 12.4.5 will be revised to show the filter loading times and to pro-vide operational guidance to reduce the number of filter change outs required (i.e. serving the machine shop HVAC, reducing the number of Turbine Building supply fans from 4 to 2 or .less depending on heat load, securing Reactor Build-ing HVAC and using the standby gas trains for pressure control).

Appendix B Page 10 of 24

6. Instrument Set oint Calculations and Hethodolo (87-19-14)

(a) Issue: Safety-related instrument setpoint methodology considered only normal plant conditions and not environ-mental and seismic considerations.

(b) Discussion: The discussion provided by the review team contains several inaccuracies. It is incorrect to say that the General Electric setpoint methodology, as presented in Design Specification 22A5261 and Topical Report NEDC-31336, do not consider the effects of harsh environments (tempera-ture, humidity, radiation) on instrument accuracy.

General Electric Specification 22A5261 (provided to the NRC in Docket Letter G02-85-238, dated Nay 6, 1985) provides a methodology containing considerable conservatism. For example, the methodology utilizes two standard deviations in drift and accuracy calculations instead of one (refer to page 7 of 22A5261). Additionally, a significant unassigned margin exists between the "analytical limit" and the "design safety limit" (refer to page 4 of 22A5261). This margin was provided to account for analytical model uncertainties, primary element inaccuracies, response time effects, transient overshoot, and harsh environment effects. Thus, even though not specifically assigned to harsh envi-ronment effects", we believe that sufficient margin exists in the General Electric calculations to account for any inaccuracies which may occur.

A review indicates that instrument setpoint calculations performed for BOP instruments do not specifically identify inaccuracies that may occur from harsh environments. The Supply System's Equipment (}ualification Program has identi-fied equipment inaccuracies caused by harsh environment testing. These were either found acceptable, or the equipment was replaced, or sufficient margin was available in the design.

The Supply System is in the process of evaluating the calcu-lation margins available which might specifically accommo-'ate the addition of the harsh environment inaccuracies in both the General Electric and the BOP setpoint calculations.

Preliminary analysis indicates that the majority of the

Appendix B Page 11 of 24 instruments will perform their safety function prior to being impacted by the harsh environment. Therefore, the, abili ty to complete the safety functions remains unaffected by the harsh environment. In these cases, the addition of the accuracies resulting from the equipment qualification test program to the manufacturer's stated accuracy as suggested in the audit report would be an overly conserva-tive approach. The manufacturer's stated accuracy often includes environment effects as the quoted accuracy must be obtainable over a fairly large range of environmental condi-tions.

Relative to the concern for seismic effect on instrument inaccuracy, Supply System safety related actuation instru-mentation is primarily of a mechanical switch type rather than antransmitter/trip unit (only used for SCRAM discharge volume level) type. Research indicates that environmental parameters impact instrument accuracy performance much more than the seismic event (see NUREG/CR-3630 Equipment (}ualifi-cation Methodology Research: Tests of Pr essure Switches).

For mechanical switch type instrumentation, industry testin has emphasized contact chatter (rather than accuracy as a more sensitive indicator of instrument sensitivity to vibra-tion. The Supply System Seismic (}ualification Program has accepted this premise and has deemed a device of this type acceptable if the equipment testing demonstrates that con-tact chatter or change of state does not inadvertently occur as a result of vibration of the level expected for the device at WNP-2. Accuracy is measured during (if required) and after ,seismic testing. (}ualification tests documented in the WNP-2 (}ID files confirm the research results that seismic affects accuracy less than the harsh environment for both switch and transmitter/trip unit instruments.

The Supply System will undertake a Margin Reevaluation Program that will address the documentation concerns. The program will address the timing of the environmental impact and the safety function actuation. The most limiting (seismic or environmental) event will be confirmed, existing margin will be documented and instrument response'hen subjected to the impacting event will be verified.

To summarize, the Supply System believes that the existing WNP-2 methodology has conservatively assigned instrument setpoints, i.e., we do not expect revision to the setpoints will be necessary following completion of the Margin Reevaluation Program.

Appendix B Page 12 of 24

7. 'Incorrect Desi n Documents (87-19-15)

(a) Issue: Lack of design control and attention to detail in failing to correct or keep current diesel generator flow diagram M512.

(b) Discussion: With the exception of the first example regard-ing the floor drain in the HPCS Diesel Fuel Oil Day Tank Room, it was correctly stated in the inspection report that several examples were discovered where the actual physical configuration of plant str uctures, systems or components were not in accordance with design documents. It must be noted that the subject Drawing M512 is a compilation of vendor supplied skid mounted equipment.

With regard to the floor drain issue, drawing M582 shows the roof drain which comes from drawing N788 and passes through the HPCS Day Tank Room and ties into the underground storm drain. As a result, there is no floor drain in the day tank room and the subject drawings are correct.

The following is a discussion of the other examples noted by the inspection team:

o Diesel Oil Stora e Tank No. 2 Pi in The classification boundary indicated on N512 as

(}uality Class 1, Seismic Category 1, to ()uality Class 2, Seismic Category 2, was shown reversed. A check of the construction records verified the as-built configuration to be correct. Accordingly, the drawing will be revised to reflect the as-built condition.

o DO-RV-4Al and 4B1 On Drawing N512, at one time, there were a number of spring-loaded check valves shown as relief valves.

This effort occurred in the translation of the skid mounted equipment vendor drawings to the flow diagram.

On a subsequent drawing revision, when the relief valve symbols were being corrected to check valves, two of the valves were missed. This was identified and the drawing was in the process of being revised at the time of the inspection. The symbol inconsistency was traced to vendor drawings of skid mounted equipment.

Appendix 8 Page 13 of 24 o Check Valves DSA-V-37A2, 3781 and 3782 The check valves DSA-V-37A1, 37A2, 3781 and 3782 were shown on Drawing N512 in opposition to the required direction of flow. This occurred in the translation of the skid mounted equipment vendor drawings to the flow diagram by the A/E. However, a field check completed immediately after the question was raised indicated the valves are correctly installed.. Preoperational testing and surveillance testing also confirmed appropriate installation. The flow diagram (M512) is in the process of being corrected.

o Check Valves DO-V-53A1 and A2 The inspection made note of the subject check valves missing on the "A" unit. The check valves are installed on the "8" unit, so a skid mounted equipment inconsistency was again the source of the document problem. This error was in the process of being corrected by PNR 86-0073-1 at the time of SSFI. It had been discovered, sometime before this and contact was made with the skid supplier (Stewart Stevenson) and END of. General Motors. Those discussions combined with r evi ew of the preoper ati onal test data led to the conclusion that the valves were not necessary. It had, therefore, been decided that the DO-V-53A1 and 53A2 valves would be deleted from the drawing. The valves are not installed, and are not required.

o Restrictin Orifices Several restricting orifices shown on M512 (R0-3A1, 4A1, 4A2, 381, 481, 382, 482) are not installed. These orifices were shown on the skid mounted vendor drawing in a way that indicated a separate orifice. Contacts with the vendor (Stewart Stevenson) and EMD of General Motors had identified that the symolism was for the bleed of fuel from the injector supply manifold. This flow cools the injector. The diagram was being corrected to remove the EPNs and show the orifice in the injector. Vendor diagram symbology led to this problem.

Appendix B Page 14 of 24 o Pressure Switches DLO-PS-4A1, 4A2, 4B1 and 4B2 The apparent labeling inconsistencies and activation status questions raised in the inspection have- been reviewed. The subject pressure switches were origi-nally intended to start the standby lube oil circu-lating pump when the engine shutdown; however, when the standby lube oil system was modified to maintain the lube oil in a better readiness state, this switch was electrically bypassed so the pump runs all the time.

The change was made on the electrical diagrams, but N512 was not changed to show the switch had been elec-trically deactivated. The flow diagram had not been

.clarified to show this. This incomplete change occurred prior to the time when design control was transferred from the A/E to the Supply System, and did not affect the function of the system, or its ability to meet its functional objectives (

Reference:

PED 218-E-B132, dated March 17, 1983). The flow diagram (N512) is in the process of being revised to clarify switch status.

All drawing problems noted above have been corrected and the drawings are in the process of being issued. It should be noted, that the scope of our drawing review was expanded in that a complete functional review of the diagram was per-formed and a field walkdown of each diesel generator was performed. Any differences found between the installation and the diagram were resolved and the vendor drawings corrected as necessary. Special - attention to detail was required with respect to the skid mounted equipment because errors were tr aced primarily to the 'skid mounted equipment vendor drawings that had been used as the basis for the flow diagrams.

The Supply System does not believe that the problems asso-ciated with the diesel generator skid mounted equipment shown on M512 are prevalent on other flow diagrams. The root of the problems on N512 was a combination of vendor drawing error and A/E inclusion of a high level of skid mounted detail on the flow diagrams without field verifica-tion.

Appendix 8 Page 15 of 24 We have not experienced this type of problems on other flow diagrams. The SSFI review involved several other flow diagrams, and there were no significant errors identified.

Other flow diagrams do include some skid mounted equipment, such as the: nitrogen inerting skid and the recombiners, but these systems are much less complex and generally are shown in less detail on the flow diagrams. To assure that ther e are no errors associated with other safety related skid mounted equipment shown on flow diagrams the hydrogen recom-biners configuration will be verified by a field walkdown to assure the correctness of design documentation. A review of skid mounted equipment was performed and the hydrogen recom-biners are the only safety related skid mounted components shown on a top tier flow diagram which shows piping on the skid.

Functional adequacy of all systems is assured by the star t-up. operability, and surveillance testing that has been performed already.

Appendix B Page 16 of 24

8. Procedural Control Over use of ADS Inhibit Switch (87-19-16)

(a) Issue: Potential use of the ADS inhibit switch, in lieu of the timer pushbutton switch, reduces the availability and reliability of the ADS toward performing its ECCS safety functions.

(b) Discussion: NUREG-0737, Item II.K.3.18, Modification of ADS Logic was evaluated by the BHROG, with review and approval received from the NRC by memo dated April 1, 1983. The HNP-2 operating license contained a condition (2.C.18),

which documented the commitment to modify the ADS logic as specific'd by Option 2 of the BWROG Report, prior to restart following the first refueling outage. This was further endorsed by the NRC in NUREG-0892, SSER ¹4, section 6.3.6.

The license condition and SER also required that the Plant Emergency Procedures be revised to include the usage of the inhibit switch. No specified guidance or restrictions were provided on the use of the inhibit switch in either the April 1, 1983 SER, the WNP-2 license condition or NUREG-0892. In fact the April 1, 1983 memo states "Addition of the manual inhibit switch (options 2,4,8) enables the opera-tor to override the ADS should this be necessary (as for some ATWS events)". This statement does not limit switch usage and implies usage is permissible during transients other than an ATWS.

In addition, the BHROG was performing a Human Engineering Review of the Emergency Procedure Guidelines and identified a deficiency (NRC No. E-5.11, SS ¹24.45) related to the reliance on repeated pressing of the timer reset buttons.

The Supply System responded in three letter s to the issue (G02-83-343, G02-83-929 and G02-85-758) which received concurrence from the Staff in the Detailed Control Room Design Review SER dated October 13, 1987. The Supply System believed that the position established in the G02 929 letter was acceptable. Our response relied upon the inhibit switches to pr event ADS in both LOCA and ATHS rela-ted EOP's.

The inhibit switches were installed during our N-3 outage in the spring of 1985. At that time, the EOP's were revised to

"...inhibit automatic initiation of ADS" for both LOCA and ATWS events.

Appendix B Page 17 of 24 Revision 3A (March 1984) of the EPG Bases did not address use of the inhibit switch but it did endorse other methods which were not specified. Usage of the switch was subse-quently considered by the BWROG and is included in Revision 4 of the EPG's. A letter was issued by the BWROG recommend-ing use of the inhibit switch for LOCA events in August 1987.

In summary, the Supply System is unaware of any previous NRC directive limiting use of the inhibit switch prior to the SSFI conducted at HNP-2. It seems that this has only re-cently become an issue since the SSFI and challenges posi-tions previously endorsed by both the Staff and BWROG. He further consider this a generic issue that should not be resolved by our staff. The NRC's review and approval of Revision 4 of the EPG is yet another form of endorsement pending.

As a result of the SSFI, the Supply System has revised the Emergency Procedures to direct usage of the timer reset for LOCA related procedures and the inhibit switch for an ATWS.

The procedur es will remain in that condition until the issue is resolved.

Appendix B Page 18 of 24

9. ADS Backu Nitro en Su 1 Discre ancies (87-19-17)

(a) Issue: 1) The wording in the FSAR pertaining to the number of ADS valve cycles (individual or group) available in a 30-day period is unclear, and 2) the design basis for the 48 cycle requirement could not be produced by the licensee.

(b) Discussion: 1) The FSAR is in the process of being revised to clearly state that the number of available ADS valve cycles is on a group basis, i.e., one cycle is defined to be the .simultaneous actuation of all ADS valves. Included in the FSAR revision will be a clarification of the design and capacity of the backup nitrogen supply system.

2) The discussion provided in the FSAR on the ability of the backup nitrogen supply to provide 48 ADS cycles during a 30 day period is a reflection of the stored capacity of system and not a system function requirement. This stored capacity was'onservatively designed to provide the plant operator with the capability to actuate the 7 ADS relief valvees i n dividually or as a group mutiple times in response to an accident or transient event.

As an engineered safety feature system, the ADS relief valves must provide two distinct functions which are not required to be postulated in the same event. The first as discussed in FSAR Section 6.3.2.2.2. is a backup to the HPCS to ensure adequate core cooling during the initial recovery phase of an accident or transient. The second as discussed in FSAR Section 15.A.6.3.3 is a backup to the RHR system for long term decay heat removal from the reactor. As designed, the backup nitrogen system provides the operator with the capability to meet both of the above system design requirements.

The short term or ADS function would be accomplished within the first 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months of a postulated event. The ADS blowdown of the vessel will occur with one actuation of the system (e.g. one cycle). The stored capacity of the backup nitrogen system provides the operator with the ability to actuate the 7 ADS valves over 100 times (all valves) within a five day period after the initiating event. The 100 cycles of capacity conservatively acc'omplishes this function.

Appendix B Page 19 of 24 The long term (after 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months ) decay heat removal function of ADS can be accomplished with a single relief valve. The system provides adequate capacity for the operator to open two relief valves (PPN 5.3.5 Alternate Shutdown Cooling Contingency) and maintain them open for a minimum of 30 days. The operator can replenish the nitrogen supply from the main bottle storage area in the reactor building railway bay or in cases where this area is inaccessible an alternate location is provided in the cor ridor between the diesel generator and reactor buildings. Control room indication and alarms are provided to alert the operator to a low pressure condition in either division of the backup nitrogen supply and the need to replenish the nitrogen supply.

The discrepancy between the FSAR and Calculation 5.46.05, Revision I, pertaining to the number of ADS cycles available (48 group cycles and 18 group cycles respectively) was due to an oversight on the part of the Supply System. In 1984, an evaluation of the CIA system was conducted in preparation for developing a design change for the system. During this evaluation it was noted that the system capacity calculation was based on a nitrogen bottle pressure or 2490 psig and the technical specification setpoint for the system was 2200 psig criteria as well as additional calculation conserva-tisms. Based on this revised calculation, the available ADS group cycles were reduced from 48 to 18 during a 30-day period.

The noted oversight has been evaluated as a singular event.

Formal design calculations are normally performed in conjunction with a design change package which requires a FSAR review. As stated, the subject calculation was performed on a confirmatory basis and was not a part of the formal preparation of a design change. The existing calculation verification checklist will be revised to include a review of the FSAR for impact with subsequent issuance of an FSAR change notice if required.

Appendix B Page 20 of 24

10. ADS Backu Nitro en Su 1 Discre ancies (87-19-18)

(a) Issue: The current, annunciator response procedures for the low pressure alarms provide no indication to the operator of the time available to put the remote nitrogen backup bottles in service after the alarm is received.

(b) Discussion: The design for the CIA system provides for automatic initiation of the backup nitrogen bottles upon a sustained loss 'of pressure in the nitrogen header. Conse-quently, no operator action is required in the near term to initiate the backup supply. This supply is sized to provide sufficient nitrogen to the CIA system for SRV actuation for many days following the Design Basis Event and can ultimately be supplemented by an additional header connec-tion located outside the reactor building (diesel generator building corridor) which is accessible for indefinte nitro-gen replenishment. In addition, each SRV contains its own accumulator located in containment which will provide one additional valve cycle capability in addition to the bottled nitrogen supply.

The issue of response time for valving in the long term nitrogen supply in the diesel generator building corridor is not quantifiable. It should be recognized that the design requirement of this alternate alignment is not to provide backup for any postulated failure of the existing safety related nitrogen supply but it does provide a capability to supply the CIA system long term (beyond approximately 30 days) for SRV operation if required. The annunciator procedure was also reviewed and no changes are required.

Appendix B Page 21 of 24 B. MAINTENANCE AND SURVEILLANNE

1. Batter Surveillance Testin (87-19-20)

(a) Issue: As a result of battery surveillance test deficien-cies, the 18 month service tests performed in 1986 failed to demonstrate the capability of the batteries to meet design requirements.

(b) Discussion:

1) The SSFI teams'bservation was correct in that disc're-pancies existed in the, battery load pr ofiles shown in the FSAR surveillance procedures and the latest design calculations. "

The calculations have since been corrected and verify adequate battery sizing. FSAR and Technical Specification Change Notices will be ini-tiated and submitted to the NRC for approval. It is our expectation that the Technical Specification amend-ment request be sent to the NRC by February 29, 1988.

The FSAR change will be part of Amendment 39.. The 18 month testing required during the HNP-2 annual outage will utilize combination load profiles. Application of these profiles is considered acceptable as they are more conservative than the existing Technical Specifi-cation, FSAR, or newly developed profile. The combina-tion load profile will be developed by utilizing the most . conservative (severe) requirement from the existing load profiles for each section of the load pr ofile.

2) The Technical Specifications list the basis for battery surveillance testing as Regulatory Guide 1.29 "Main-tenance Testing and Replacement of -Large Lead Storage Batteries for Nuclear Power Plants", February 1978, and IEEE Standard 450-1980, "IEEE Recommended Practice for Maintenance, Testing and Replacement of Large Lead Storage Batteries for Generating Stations and Sub-stations." Regulatory Guide 1.29 endorses conformance with the requirements of IEEE 450 as being an adequate basis for compliance with NRC requir ements.

Appendix B Page 22 of 24 IEEE Standard 450-1980 historically has not specified a requirement to temperature compensate the amperage values used during the service (profile) test. Dis-cussions with the current and past chairman of the IEEE 450 Standards Committee, and the battery manufacturer's Stationary 'attery Engineering Department Manager have confirmed this position. The service test is provided as a functional demonstration vf the battery in its as-found condition. It is considered that adequate design capacity margins and performance (capacity) test requirements ensur e the capability of the battery to design load requirements. From a practical standpoint, WNP-2 controls the battery environment such that the battery and service test have historically been per-formed very close to 77 F (records show one m~ximum deviation of +8 F and all other testing within +3 F).

Contrary to previous statements made by the NRC reviewer, the current IEEE 450 Committee Chairman has stated that this issue is not on the agenda for consi-deration. if It is suggested that the Staff wishes to expand current interpretations of the existing standard, or to add new requirements, that such a proposal be made to the Standards Committee. Both the IEEE 450 Committee Chairman and manufacturer ques-tion the validity of using performance test derating factors for conditions seen during the service test.

Use of the chart recorder by itself, without additional measurements, would indeed prevent accurate determina-tion of voltage levels. However, test conclusion voltage is observed using portable meters (typically a Fluke Yoltmeter) and are recorded by a chart recorder.

The meter response is sufficient to determine that transient voltage changes during the profile tests rema'n above the test conclusion voltage. Also, proce-durally, WNP-2 requires use of an automatic low voltage cutout during the service test. Therefore, the chart recorder span is not believed to be an issue and its use is justified during this test.

Appendix 8 Page 23 of 24

2. Standb Service Water S stem Pool Tem erature Elements (87-19-26)

(a) Issue: Pond temperature at the temperature probe may not be representative of the overall pond temperature. Possible violation of Technical Specification surveillance require-ment 4.7.1.3 (verification every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months that the ultimate heat sink water temperature is within its limit).

(b) Discussion: The WNP-2 Technical Specifications require t$ at bulk (average) spray pond temperature remains below 77 F.

This limit arises out of the safety analysis presented in Section 9.(.5 of the FSAR, in which an initial pond tempera-ture of 77 F was used. Technical Specification Surveillance 4.7.1.3 requires verificatiog every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months that the spray pond temperature is below 77 F.

The temperature probes that have been, used to monitor spray pond temper ature are near the bottom of the pond. In 1984 a Plant Modification Record (PNR) was written (PNR 02-84-1039, dated May 25, 1984) to install a more comprehensive tempera-ture monitoring system that would better reflect average pond temperature.

As an interim measure, with the more comprehensive system not yet installed, a .limit of 72 F has been used for measurements taken with the presently installed equipment margin (5 F) to account for seasonal differences between water temperature near the bottom of the 14 foot deep pond and the average temperature. Even if an elevated tempera-ture layer conservatively assumed to be four feet thick were stratified on thy surface of the pond, and the balance of the water was 72 F, the surface lager could be 90 F before the average temperature reached 77 F. Surface temperatures above 90 F are highly unlikely at this latitude and eleva-tion (Source 1 "Effect of Geographical Location on Cooling Pond Requirements and Performance, EPA 16130FD(}03/71").

Experience has shown that in shallow lakes water tempera-tures at 10 to 15 feet averacp within 3 F of the surface temperatures (Source 2 "Cooling Ponds, A Survey of the Art, Hanford Engineering Development Laboratory, HEDL-TNE-72-101, Page 25").

Appendix 8 Page 24 of 24 C. CONTROL ROOM OBSERVATIONS

1. Service Water S stem (87-19-34)

(a) Issue: The CRT display for -the Safety Parameter to read from the Reactor Oper a-Display'ystem (SPDS) are impossible tor's Desk and are difficult to read when standing at the Main Control Panel. This situation does not appear to be consistent with the FSAR description. It is stated in the FSAR (Section 7.5.1.23) that the CRT supplies additional information 'ia high performance human factored display useful for emergency response.

(b) Discussion: We are unable to find any documentation to indicate that this issue was discussed during the inspec-tion and believe it to be a new issue. As such our full appreciation of this issue may not be realized. The issue appear s to be directed towards the ability to use the infor-mation displayed on the GDS display screens from the Control Room Operators desk. To alert the operator to a potential unsafe condition using the CRTs, from anywhere in line of sight, a color change in the safety parameter group boxes is relied upon. If any of these 5 boxes is other than green, there is a potentially unsafe condition in the plant that will require operator attention. This is similar in principle to the normal control room annunciators. The logic that changes the color of these 5 boxes to yellow or red also causes a touch-pad to blirik at a particular spot.

This directs attention towards the appropriate display and upon touching this spot on the touch pad, the is appropriate'isplay accessed.

A brightness adjustment is available to the operator on each CRT. The CRT located on H13-P602 is used more frequently during normal operation and currently has no additional brightness adjustment available. We are currently evalua-ting the CRT performance. In addition, glare reducing visors are used to reduce the glare from the control room overhead lighting. Contrast enhancement screens designed to reduce glare are being evaluated as a part of a Detailed Control Room Design Review issue.

In conclusion, we believe the GDS displays and hardware meet the design requirements presented in the FSAR and that the FSAR is accurate.

APPENDIX C SUPPLY SYSTEM ACTION PLAN FOR IMPROVEMENTS IN CONFIGURATION MANAGEMENT

Appendix C Page 1 of 12 APPENDIX C INDEX INTRODUCTION OVERVIEW OF NEAR AND LONG RANGE PLAN A. RECENT PLANT MODIFICATION RELATED PROCESS IMPROVEMENTS B. FURTHER NEAR TERM IMPROVEMENTS PLANNED C. LONG TERM IMPROVEMENTS LONG TERM IMPROVEMENTS DESCRIPTION A. CONFIGURATION MANAGEMENT PROGRAM IMPROVEMENT (CMP ) I I. WNP-2 DESIGN BASES DOCUMENTATION

2. CMP CHANGE CONTROL PROCESSES

a. PLANT MODIFICATION

b. MAINTENANCE ACTIVITY

c. PLANT OPERATIONS ACTIVITY

d. POST MODIFICATION 8 MAINTENANCE ACTIVITY B. EQUALITY ASSURANCE PROGRAM C. SELF-INITIATED SAFETY SYSTEM FUNCTIONAL INSPECTION (SSFI)

Appendix C Page 2 of 12 SUPPLY SYSTEM ACTION PLAN FOR IMPROVEMENTS IN CONFIGURATION MANAGEMENT I. INTRODUCTION The NRC conducted a Safety System Functional Inspection at >NP-2 during the period August 3 through August 28, 1987. For this inspection, the AC and DC electrical distribution systems, the standby service water system, and the automatic depressurization system were reviewed.

Specific responses have been provided to the Notice of Yiolations and unresolved issues. This action plan addresses the broader programmatic issues which either were identified by the NRC Safety System Functional Inspection (SSFI) team, or which resul,ted from Supply System consideration of underlying causes which may have contributed to the deficiencies noted by the NRC.

The Supply System has determined that further improvements are appropriate to address the SSFI issues. They focus on the following areas:

a) errors and ommissions in the design basis documents b) lack of ready access to design basis information c) less than full compliance with established procedures d) lack of thorough and effective integration of related administrative procedures to assure that design bases information is communicated across organizations e) insufficient involvement of the gA Organization in the verification of design activities The Supply System reaffirms its commitment to continue improvements in our Configuration Management Program. The NRC SSFI provided a beneficial focus to enable the Supply System to make further program improvements. This action plan includes both near term and long term initiatives to address the programmatic improvement need."- as a result of the NRC SSFI. The objectives of these programs are to:

Identify and organize design basis information associated with systems important to safety into a more readily accessible, controlled basis document format.

2. Perform Supply System initiated SSFI's on selected systems following preparation of design basis documents.

3. Further refine and integrate change processes and controls in all organizations implementing design basis requirements.

Further improve guality Assurance overview of the technical aspects of design and modification activities.

5. Provide measurement and feedback on personnel performance through in-line verification and quality organization overview.

Appendix C Page 3 of 12 The proposed actions described herein are far reaching from both organizational and financial viewpoints, and will be implemented over an achievable period of time which is presently estimated and scoped to complete in 1994. These improvements, when implemented, will provide further assurance that the original design basis for the plant will be maintained during the operation, maintenance and modification of the facility. Development of design basis documents will identify and organize design basis information into a controlled format providing easy access by all employees and wi 11 also ensure that critical design knowledge is captured and not lost through attrition. Improved administrative controls and additional (}uality Assurance involvement in the technical aspects of design and the modification process will provide added assurance 'that the design intent is maintained.

The Supply System has programs which address personnel performance where they are a contributing factor in the Configuration Management process. These include the INPO initiated Human Performance Evaluation System (HPES) and the NCR process which communicates personnel errors to Management for review.

Further we are developing a formal, more extensive Root Cause Analyses process which includes the human performance aspect. Finally, near and long term actions, described elsewhere in this plan, provide additional focus on human performance aspects, i.e., supplemental quality reviews of design changes and work packages, independent design reviews, post modification reviews/walkdowns.

II. OVERVIEl( OF NEAR AND LONG RANGE PLAN Response to NRC concerns includes both near-term and long-term improvements.

These improvements are a continuation of the refinements and recent program upgrades and include further upgrading of certain plant modification implementation processes and procedures. These are summarized herein, and were individually discussed in our responses to individual Notices of Violation where pertinent.

Appendix C Page 4 of 12 A. RECENT PLANT MODIFICATION RELATED PROCESS IMPROVEMENTS o Implemented Project Management Process for Plant August '86 Nodificatons To Provide Better Focus, guality 8 Management o Upgraded Conceptual Design Approval Processes August '86 To Provide Discrete Review of What Is Required for Plant Modification Before Detail Design o Upgraded Design Changes Package August '86 To Improve ()uality, Integration 8 Implementability o Implemented Project Review Committee August '86 To Provide Better Focus 8 Management of Technical and Financial Aspects o Implemented Technical Evaluation Request (TER) Process - August '86 To Provide Formal Method for any Person to Request Evaluation of a Design Related Technical Problem o Implemented Request For Technical Services (RFTS) Process- August '86 To Provide Simplified, Formal Method to Obtain Non-Design Change Technical Services i.e., Drawing Changes, Analyses, Studies o Implemented Post Modification Test (PNT) Program Sept '86 To Provide Improved 8 Uniform Test Requirements and Criteria o Refined Maintenance Work Request (NWR) Process, March '86 Upgraded Operability Check Sheet (OCS)

To Improve Focus and guality of Work Packages o Established dedicated Parts/Spare Parts Group July '86 To Improve Assurance of Technical guality in in Procurements and Refine Configuration Control at the Component/Piece Part Level o Upgraded 50.59 Review Process Sept. '87 To Assure Rigorous Review of Safety/Licensing Aspects of Changes o Implemented Motor Operated Valve (NOV) Testing Program - Sept. '87 (NOVATS)

To Assure Design Bases and Performance of MOY's is Maintained

Appendix C Page 5 of 12 B. FURTHER NEAR-TERM IMPROVEMENTS PLANNED o Revise procedures and instructions to focus on the specific steps required to return a modified system to service, including partial Plant Modifications.

o, MWR Procedure - Complete 01/20/88 o PNR Procedure - Est. Complete 03/30/88 o Engr. Instruction - Est. Complete 03/30/88 o Revise procedures and instructions to clearly specify organizational responsibilities for specific test requirements, the degree of detail they are to be specified, and where they are to be specified.

o NWR Procedure - Complete 01/20/88 o PNR Procedure - Est. Complete 03/30/88 o PMT Procedure - Est. Complete 03/30/88 o Engr. Instruction - Est. Complete 03/30/88 o Revise procedures to improve testing direction and requirements and provide additional training of Plant System Engineers and Maintenance Engineers to improve application and review of these test requirements on NWR's.

o PMT Procedure - Est. Complete 03/30/88 o Training - Est. Complete 04/15/88 o Perform supplemental quality review of NWR work packages for selected safety-related, 1988 Refueling Outage Modification work.

o Complete prior to start of Refueling Outage o Revise PNR Procedure to require Post Modification reviews and/or walkdowns, as appropriate, to assure completion of all required work prior to system return to service.

o PMR Procedure - Est. Complete 03/30/88 o Initiate a longer term plan to develop a Design Basis Document Program for selected safety systems and perform a pilot program for two system Design Basis Documents.

o Plan - Complete ll/25/87 o Pilot Program (LPCS) - Est. Complete 07/01/88 o Pilot Program (Elect Dist) - Est. Complete 07/01/89 o Initiate longer term plan for Configuration Management Program Improvements.

o Preliminary Plan - Complete ll/04/87 o Final Plan - Est. Complete 06/30/89

Appendi x C Page 6 of 12 B. FURTHER NEAR-TERM IMPROVEMENTS PLANNED (Continued) o Develop flow chart of the Plant Modification Process, as well as other related processes, and evaluate to assure that appropriate and timely quality verifications are performed by both in line organizations and by guality Assurance. These evaluations will compare actual practice against proceduralized process and identify overly complex steps, shortcuts, and interface disconnects. Management will use these results to perform a meaningful assessment and streamline the processes. This review of the Plant Modification process has been essentially completed and is now being finalized.

o Increase gA/(jC technical capabilities are being increased to assure an effective overview of design and modification implementation activities.

o Perform planned formal independent design review of seven design changes prior to implementation at R-3 utilizing personnel from Engineering and other organizations.

o Perform selected independent, formal design reviews prior to implementation during R-4 using personnel from Engineering, and other organizations.

o Establish in January 1988 an Engineering Administrative Verification Program to review Design Engineering output for completeness.

C. LONG TERM IMPROVEMENTS o Develop and implement Configuration Management Program Improvements (CMPI) to further integrate procedures and processes. This program will:

Assure incorporation of design basis information into all pertinent plant documentation as part of a Plant Modification.

Improve the configuration management aspects of the design change process, as well as maintenance and operations acti vi ties.

o Identify and organize design basis information on a system and topical basis.

o Strengthen the Supply System gA/gC Program.

o Perform internal SSFIs on selected safety systems.

S Cr

Appendix C Page 7 of 12 I II. LONG TERM IMPROVEMENTS DESCRIPTION A. CONFIGURATION MANAGEMENT PROGRAM IMPROVEMENT (CMPI)

The Supply System will continue to improve and integrate our Configuration Management Program to enhance the accessibility of design basis information and improve the integration of processes that may affect plant configuration.

The purpose of these improvements is to ensure that the physical and functional characteristics of the plant are subject to effective change control processes and are accurately and adequately described in controlled documents and computerized records.,

Effective configuration management requires both readily accessible documented design bases information and effective change control processes applied to both hardware and software. These two elements are discussed below.

1. WNP-2 Design Bases Documentation One of the contributing causes for many of the SSFI unresolved issues, open items, and violations is that the WNP-2 design bases is not currently documented in a readily accessible form. As is the case for many nuclear plants, HNP-2 design bases information is distributed through a great multiplicity of documents which were developed during the HNP-2 design and construction phases. The basic information is generally available but is in some cases, retrievable with significant difficulty.

The Supply System will develop a series of documents relating system, component, and special topical design basis information. This information, when available, will guide the CMP process to maintain the physical and operational configuration of the plant. Design changes, surveillance procedures, operating procedures, and maintenance procedures will be reviewed to verify the conformance with the design basis information following creation of a System Design Bases Document.

A plan has been formulated for development of these Design Bases Documents (DBD). To summarize, the Supply System will undertake a program to develop, and organize design bases documents for 17 safety systems, 40 non-safety systems, and 20 safety-significant'topical subjects. This documentation will be used under the CMP to assure that: (1) The design bases for important plant systems, st< uctures, and components are not inadvertently altered during maintenance or operational activities, or as a result of design changes; and, (2) The plant systems, structures, and components are operated, tested, and maintained in conformance with the design bases.

Appendix C Page 8 of 12

1. MNP-2 Design Bases Documentation (Continued)

Errors or omissions discovered in the baseline material during the DBD preparation phase, will be evaluated and appropriate action will be taken to resolve such deficiencies. It is planned that deficiencies found in preparation of these documents, will be identified as open items within the document.

Currently, the Supply System is assembling a DBD for the Low Pressure Core Spray System (LPCS). This DBD is being developed as a pilot program, and will be complete in early summer, 1988. It will, in turn, be tested by a Supply System SSFI to be conducted on the LPCS in the late summer of 1988. One additional DBD (for the on-site electrical system) will be developed in the fall/winter of 1988 as a final pilot program.

2. CMP CHANGE CONTROL PROCESSES The Supply System will continue the process of establishing a more unified and integrated change control process to govern all activities which may affect either the physical or operational configuration of the plant. This integrated process will further strengthen the current change control process and will be responsive to the NRC concer n about lack of coordination between Supply System organizational units. The improved, integrated process will cover pertinent activities of all interfacing organizations and will, in effect, integrate and strengthen several administrative processes which interface with each other. These improved change control processes will be applied as outlined below.

a. PLANT MODIFICATIONS:

Improvements to more fully integrate procedures governing the activities of all groups and personnel involved in the Plant Modification process from the "idea" stage to the "declaration of operability" stage will further assure that these activities are coordinated in an uniform manner. The general thrust will be as indi'cated below.

Appendix C Page 9 of 12

2. CMP CHANGE CONTROL PROCESSES - PLANT MODIFICATIONS (Continued) o Provide added assurance of complete and integrated implementation of the design change requirements by implementing a broader base organizational review of technical and procedural documentation necessary for, or affected by, design changes that would result in a physical plant configuration change.

o Provide added assurance that design change implementation activity is completed before returning the affected system/component/structure to operability status by performance of a modification review, consistency of a walkdown, or inspection of the physical change, review of the affected plant procedures, review of post-modification testing results, and confirmation that the "as-constructed" change conforms to all technical, operational, and safety requirements. This review will include interorganizational participation as appropriate.

The goal for implementation of the CNPI as it applies to the design change process is to have it in place to support the spring '88 refueling outage.

b. MAINTENANCE ACTIVITY:

Maintenance activity not associated with a Plant Modification will also be included within the scope of the CNPI for those particular activities that have potential of changing either physical configuration or equipment setpoint/adjustments.

Current administrative maintenance processes will be blended into the CMPI to strengthen requirements for preparation of maintenance work instructions (MWR's) and documenting the details of work actually accomplished. This will facilitate more accurate and timely updating of master equipment lists, bill-of-materials lists, equipment history files, instrument data sheets, equipment manuals, etc., which document the "as-maintained" configuration of systems, structures, and components. These improvements will enhance on-going maintenance, troubleshooting activities, and performance trending. The results of surveillance testing and pertinent post maintenance testing are-reviewed and trended to assure inclusion of design bases requirements.

,Appendix C Page 10 of 12 2.'MP CHANGE CONTROL PROCESSES (Continued)

The goal for enhancing the implementation process as part of the CMPI as it applies to maintenance processes is to begin the review to identify necessary improvements by late 1988.

c. PLANT OPERATIONS ACTIVITY:

N The Plant Modification Program has always required that operating procedures be reviewed/revised as a result of plant modifications. As Design Basis Documents are completed, self initiated SSFI will be performed to include review of operating procedures to assure that they conform to the plant design bases. Near term actions in this matter are discussed in our Notice of Violation and Unresolved Issues in response to particular current issues.

d. POST MODIFICATION 8 MAINTENANCE TESTING:

Post Modification and Maintenance testing is common to both design changes and maintenance activity. It is discussed here to summarize both the response to individual Notice of Violation issues and the short term improvements described earlier in this plan.

The essence of these improvements is to clarify responsibilities for test requirements, improve the PMT procedure, and to more rigorously implement the testing requirements. All testing required by a Plant Modification or Maintenance activity will now be focused and specified on the body of the MHR or on the MWR Operability Check Sheet, including procedures for approval upon completion. For Plant Modification and Maintenance related testing, the CMPI will review existing processes to assure thorough and complete incorporation of all testing requirements to assure that the design bases requirements are fulfilled. The goal for initiation of this review to identify needed testing program improvements is July 1988 with, completion of the review by July 1989.

4 Appendix C Page 11 of 12 B. OVAL'ITY ASSURANCE PROGRAM This section provides additional detail with regard to improvements in the quality of design and related implementation activities as well as improvements in the quality verification functions which overview these activities.

The Supply 'System has implemented its (}uality Assurance Program under the basic premise that the individual performing an activity is primarily responsible for the quality and adequacy of the activity, and that programs must contain sufficient checks and balances to verify that quality. As a result of the issues raised during the SSFI, several improvements are being implemented to assure that individual performance results ir, a quality product, and that adequate in-line checks, and overview activities by the gA organization, are in place to verify the quality of the design process. The elements of these improvements involve:

1. Refining procedures governing the development and control of design activities which focus on the communication of design information.

2. Additional in-line review of plant modification activities by cognizant organizations.

3. Selected design reviews by an Engineering Design Review Committee with gA Organization involvement.

4. Increased staffing of the Plant gA organization by personnel knowledgeable in engineering concepts and design analysis. These personnel will monitor and assess Plant Modification activities on a routine basis through our surveillance/review functions.

5. Increased emphasis, by the guality Assurance Organization on overview of the technical adequacy of activities. Review of design change implementation will include a larger sampling of:

o Work Package Preparation o Verification of Proper Work Practices o Post Modification Walkdowns o Observation of Post Modification Testing

rC y

4

Appendix C Page 12 of 12 C. SELF"INITIATED SAFETY SYSTEM FUNCTIONAL INSPECTION (SSFI)

The Supply System will perform a self initiated review similar to an NRC SSFI.

Our SSFI will be managed by the guality Assurance Organization and conducted using technical personnel that have been reasonably free from involvement in the WNP-2 design/modification/testing or mai ntenance efforts. This degree of separation from the plant will provide additional assurance that all issues will be pursued regardless of previous perceptions.

The ,first SSFI will be conducted following the pilot Engineering effort to identify and organize the design bases for the LPCS system. The timing of our review is impor tant because it will provide early pilot program feedback on the completeness and ease of use of the consolidated design bases. Further, we will compare our SSFI process with the NRC SSFI process and make appropriate improvements if required.

VC

ML17279A794

Contents

Text

SUBJECT:

Response

Subject:

Reference:

Reference:

Navigation menu

ML17279A794

Text

SUBJECT:

Response

Subject:

Reference:

Reference:

Navigation menu

Search