ML18041A048
| ML18041A048 | |
| Person / Time | |
|---|---|
| Site: | Nine Mile Point  |
| Issue date: | 02/18/1997 |
| From: | Sylvia B NIAGARA MOHAWK POWER CORP. |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| NMP1L-1184, NUDOCS 9702250240 | |
| Download: ML18041A048 (319) | |
Text
1,',
II CATEGORY j.
4 REGULAT~ INFORMATION DISTRIBUTION STEM (RIDE)
ACCESSION NBR:9762250240 DOC.DATE: 97/02/18 NOTARIZED: YES DOCKET FACIL:50-220 Nine Mile Point Nuclear Station, Unit 1, Niagara Powe 05000220 50-410 Nine Mile Point Nuclear Station, Unit 2, Niagara Moha 05000410 AUTHOR AFFILIATION AUTH. NAME SYLVIA,B.R.
RECIP.NAME Niagara Mohawk Power Corp.
RECIPIENT AFFILIATION 5~
p~pp t4 Document Control Branch (Document Control Desk)
SUBJECT:
Forwards response to request for info per 10CFR50.54(f) re availability of design bases info.
adequeacy a DISTRIBUTION CODE: A074D COPIES RECEIVED:LTR i ENCL TITLE: Responses to 50.54(f) Req. for Design Basis Info I BISE: I NOTES:
RECIPIENT - COPIES RECIPIENT COPIES ID CODE/NAME LTTR ENCL ID CODE/NAME LTTR ENCL
~ PD 1 1 HOOD,D 1 1 INTERNAL: b 1 1 NRR/DRPM/PGEB 1 1 PDR-2/THOMAS,K 3 3 EXTERNAL: NRC PDR 1 1 D
U E
NOTE TO ALL "RIDS" RECIPIENTS:
PLEASE HELP US TO REDUCE WASTE! CONTACT THE DOCUMENT CONTROL DESK, ROOM OWFN 5D-5(EXT. 415-2083) TO ELIMINATE YOUR NAME FROM DISTRIBUTION LISTS FOR DOCUMENTS YOU DON'T NEED!
'OTAL NUMBER OF COPIES REQUIRED: LTTR 8 ENCL, ', 8
I. "a
( s I(
NIAGARA MOHAWK G E N E RAT I 0 N 300 ERIE BOULEVARDWEST, SYRACUSE, NEW YORK 13202/TELEPHONE (31 5) 4284983 BUSINESS GROUP B. RALPH SYLVIA February 18, 1997 Executive Vice President Generation Business Group NMP1L 1184 Chiet Nuclear Officer U. S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555 RE: Nine Mile Point Unit 1 Nine Mile Point Unit 2 Docket No. 50-220 Docket No. 50-410
Subject:
Request for Information Pursuant to IOCFR50.$ 4@ Regarding Adequacy and Availability of Design Bases Information Gentlemen; On October 18, 1996, Niagara Mohawk Power Corporation (NMPC) received a letter requesting; (a) a description of our engineering design and configuration control processes, including those that implement 10CFR50.59, 10CFR50.71(e) and Appendix B to 10CFR50; (b) a rationale for concluding that design bases requirements are translated into operating, maintenance, and testing procedures; (c) a rationale for concluding that system, structure, and component configuration and performance are consistent with the design bases; (d) a description of the processes for identification of problems and implementation of corrective actions, including actions to determine the extent of problems, action to prevent recurrence, and reporting to NRC; and (e) an assessment of the overall effectiveness of our current processes and programs in concluding that the configuration of our plants is consistent with the design bases. Attachment A and Attachment B to this letter provide the requested information for Nine Mile Point Unit 1 (NMP1) and Unit 2 (NMP2), respectively.
In response to Requested Action (a), we are providing a description of our current design and configuration control processes, Quality Assurance (QA) program, as well as our 10CFR50.71(e) and 10CFR50.59 processes. In providing our rationale for concluding that design bases requirements are translated into procedures, our response to Requested Action (b) focuses on the initial development, review, and approval of plant operating, maintenance, and testing procedures, the procedure revision process, and the assessments and initiatives conducted to assure consistency between our design bases and plant procedures. The assessments and initiatives discussed include NMP1's Surveillance Verification Program, Updated Final Safety Analysis Report (UFSAR) Verification Program, Restart Action Plan, and QA Audits and NMP2's Surveillance Verification Program, Updated Final Safety Analysis Report (UFSAR) Verification Program, and QA Audits. In our response to Requested Action (c), we discuss NMP1's Design Basis Reconstitution walkdowns, Restart Action Plan 9702250240 970218 PDR ADaCV. 05000220 P PDR
0 3
Page 2 activities, Restart Readiness Report, and NMP2's design, construction, and startup QA Program controls, initial test program, and Power Uprate effort as a means for providing reasonable assurance that structure, system and component configuration and performance are consistent with the design bases. Also delineated in our response to Requested Action (c) and common to both units are safety system functional inspections, routine surveillance testing and examinations, and responses to industry operations experience items. Concerning our processes for identification of problems, implementation of corrective actions, and reporting requirements, our response to Requested Action (d) includes a description of our Deviation/Event Reporting (DER) process. The DER process provides for the identification, documentation, notification, evaluation, correction, and reporting of conditions, events, activities, and concerns that have the potential for affecting the safe and reliable operation of the plants. In Requested Action (e), the Commission asked licensees to describe the overall effectiveness of their current processes and programs. In response, NMPC summarizes its programs and processes and the results of the assessments and initiatives previously described in our responses to Requested Actions (a) through (d). Although the responses to Requested Actions (a) and (d) are nearly the same for NMP1 and NMP2, the Attachments have been unitized because of the differences in response to Requested Actions (b) and (c). Specifically, differences exist between each units'rocedure development, plant testing activities, assessments and initiatives, and responses to industry operations experience items. Note that several of the attached responses are based on current versions of NMPC programs and processes which are subject to revisions and/or enhancements. Also, in order to eliminate any ambiguity with regard to commitments contained in this response, Attachment C delineates the specific commitments made by NMPC in our response to Requested Actions (a), (b), (c), (d),
and (e).
Based on the information provided in the enclosed Attachments, NMPC has reasonable assurance that: (1) design bases requirements are being translated into operating, maintenance, and testing procedures; and (2) system, structure, and component configuration and performance are consistent with the design bases. Also, NMPC has an effective administrative tool for the identification, documentation, notification, evaluation, correction, and reporting of conditions, events, activities, and concerns that have the potential for adversely affecting the safe and reliable operation of the Nine Mile Point Nuclear Station (i.e., the DER system) ~
Although deficiencies in the areas of design and configuration control have been identified, the significance of these deficiencies has been small. As problems are identified, DERs are initiated and dispositioned, and appropriate corrective and preventive actions are taken. These processes are a feedback loop to the design and configuration control process in that they either confirm that the processes are working effectively or identify problem areas with subsequent corrective actions to enhance the process.
Very truly yours, B. Ralph Sylvia Chief Nuclear Officer
Page 3 BRS/JMT/1mc Attachments xc: Mr. H. J. Miller, NRC Regional Administrator Mr. S. J. Collins, Director, Office of NRR Mr. S. S. Bajwa, Acting Director, Project Directorate I-l, NRR Mr. B. S. Norris, Senior Resident Inspector Mr. D. S. Hood, Senior Project Manager Records Management
UNITED STATES NUCLEAR REGULATORY COMMISSION In the Matter of )
)
Niagara Mohawk Power Corporation ) Docket No. 50-220
) Docket No. 50-410 Nine Mile Point Unit 1 and Unit 2 )
B. Ralph Sylvia, being duly sworn, states that he is Chief Nuclear Officer of Niagara Mohawk Power Corporation; that he is authorized on the part of said Corporation to sign and file with the Nuclear Regulatory Commission the document attached hereto; and that the document is true and correct to the best of his knowledge, information and belief.
B. Ralph lvia Chief Nuclear Officer Subscribed and sworn before me, in and for the State of New York and the County of this 18th day of February 1 7.
My Commission expires: 9'"~~> ~" I NOTARY UBLIC
&En
AC Alternating Current AE Architect-Engineer ALARA As Low As Reasonably Achievable ANSI American National Standards Institute ASME American Society of Mechanical Engineers ASSS Assistant Station Shift Supervisor BTP Branch Technical Position BWR Boiling Water Reactor CAD Computer Aided Drawing CDS Controlled Document System CFR Code of Federal Regulations CSL Low Pressure Core Spray System
.DBR Design Basis Reconstitution DC Direct Current DCD Design Criteria Document DCR Design Change Request DDC Design Document Changes DER Deviation/Event Report DSDS System Design Specification Data Sheets EDSFI Electrical Distribution System Functional Inspection EOP Emergency Operating Procedure EPI Engineering Program Integration Project EQ Equipment Qualification EWC Electronic Work Control FSAR Final Safety Analysis Report GAP Generation Administrative Procedure GDC General Design Criteria GE General Electric GI Generic Issue GIP Generic Implementation Procedure GL Generic Letter HPCI High Pressure Coolant Injection HPCS High Pressure Core Spray HPES Human Performance Evaluation System HVAC Heating Ventilating Air Conditioning IAS Instrument Air System IN Information Notice INPO Institute of Nuclear Power Operations IPE Individual Plant Examination ISEG Independent Safety Engineering Group ISI Inservice Inspection IST Inservice Testing ITS Improved Technical Speci6cations JTG Joint Test Group
LCO Limiting Condition for Operation LDCR Licensing Document Change Request LER Licensee Event Report LOCA Loss-of-Coolant Accident MC Modification Coordinator MEL Master Equipment List MOV Motor-Operated Valve MSIV Main Steam Isolation Valve NCTS Nuclear Commitment Tracking System NDD Nuclear Division Directive NEP Nuclear Engineering Procedure NFPA National Fire Protection Association NIP Nuclear Interface Procedure NMP1 Nine Mile Point Unit 1 NMP2 Nine Mile Point Unit 2 NMPC Niagara Mohawk Power Corporation NMPNS Nine Mile Point Nuclear Station NPRDS Nuclear Plant Reliability Data System NRC Nuclear Regulatory Commission NRR Nuclear Reactor Regulation NSSS Nuclear Steam Supply System NTSD Non-Technically Significant Discrepancy NUMARC Nuclear Management and Resource Council P &ID Piping and Instrument Diagram PM Preventive Maintenance PMST Preventive Maintenance/Surveillance Testing PTSD Potential Technically Significant Discrepancy PCR Plant Change Request Q1P Quality First Program QA Quality Assurance QARSE Qualified Applicability Reviewer Safety Evaluator QATR Quality Assurance Topical Report QVSA Quality Verification and Safety Assessment RAP Restart Action Plan RBCLC Reactor Building Closed Loop Cooling RFO6 Refueling Outage No. 6 RG Regulatory Guide RHS Residual Heat Removal System SALP Systematic Assessment of Licensee Performance SAP Startup Administrative Procedure SAR Safety Analysis Report SBO Station Blackout SDBD System Design Basis Document SER Significant Event Reports SERT Senior Engineering Review Team SEWS Screening Evaluation Worksheet SOER Significant Operating Experience Report
I SORC Station Operations Review Committee SQ Seismic Qualification SQUG Seismic Qualification Utility Group SRAB Safety Review and Audit Board SRV Safety Relief Valve SSC Structures, Systems, and Components SSEL Safe Shutdown Equipment List SSER Supplemental Safety Evaluation Report SSFI Safety System Functional Inspection SSS Station Shift Supervisor SVP Surveillance Verification Program TRR Training Review Request TSD Technically Significant Deficiency UFSAR Updated Final Safety Analysis Report (Unit 1)
Updated Safety'nalysis Report (Unit 2)
USI Unresolved Safety Issue USQ Unreviewed Safety Question V&V Verification and Validation VMC Vendor Manual Coordinator
0
~ . ~h
ine i e oint nit
...g702250240
, ATTACHMENTA NINE MILEPOINT UNIT 1 To ic Pa e REQUESTED ACTION (a) 1 RESPONSE 1 Executive Summary 1 Introduction 1 Engineering Design and Configuration Control Processes 2
- 1. Activities Affecting Changes to the Physical Plant 4 1A. Design Change 4 1B. Configuration Change 10 1C. Temporary Modification 11 1D. Setpoint Change 12 1E. Maintenance and Surveillance 12
- 2. Activities Affecting Changes to Configuration Documents/Data 13 2A. Procedure Changes 13 2B. Design Document Changes (DDCs) 14 2C. Program Changes 15 2D. Changes to Training 15 2E. Evaluations/Analyses 15 2F. Database Changes 16 2G. Vendor Manual Changes 16 2H. Supplier Document Acceptance 17 2I. Changes to Licensing Documents/New Regulatory Commitments 17 2J. External Sources of Change 18
- 3. Activities Associated with Specific 10CFR50 Requirements 18 3A. 10CFR50.59 Safety Evaluation Process 18 3B. 10CFR50.71(e) 19 3C. QA Program/10CFR50 Appendix B 19
- 4. Common Programs 20 4A. Problem Identification Processes 20 4B. Training 21 REQUESTED ACTION (b) 23 RESPONSE 23 Executive Summary 23 Introduction 24
ATTACHMIi2IITA NINE MILEPOINT UNIT 1 To IC Pa e Procedure Development, Review, Approval, and Revision 24 Assessments and Initiatives 26, Surveillance Verification Program (SVP) 26 Restart Action Plan (RAP) 27 Administrative Procedure Update Program 28 Vendor Manual and Vendor Interface Programs 32 Quality Assurance (QA) Audits 32 Station Blackout (SBO) Audit 32 Fire Protection Audit 33 Service Water System Audit 34 Operations Experience 35 GL 88-14, Instrument Air Supply System Problems Affecting Safety-Related Equipment 35 Unresolved Safety Issues (USIs) A-44, Station Blackout (SBO) 35 UFSAR Verification Program 36 Training 37 Summary 38 REQUESTED ACTION (c) 39 RESPONSE 39 Executive Summary 39 Introduction 40 Surveillance Testing and Examinations 40 Design Basis Reconstitution (DBR) Program 41 Design Basis Reconstitution (DBR) Walkdowns 45 Restart Action Plan (RAP) 46 Restart Readiness Report 47 NMP1 1990 Power Ascension Program 48 Safety System Functional Inspections (SSFIs) 49 Electrical Distribution System Functional Inspection 49 Core Spray System and High Pressure Coolant Injection (HPCI)/
Feedwater Functional Inspection 50
ATTACHMENTA NINE MILEPOINT UNIT j.
TO 1C Pa e Operations Experience 50 GL 89-10, Safety-Related Motor-Operated Valve (MOV) Testing and Surveillance 51 GL 89-13, Service Water Problems Affecting Safety-Related Equipment 51 GL 88-14, Instrument Air Supply System Problems Affecting Safety-Related Equipment 52 GL 91-06, Resolution of Generic Issue (Gl) A-30, Adequacy of Safety-Related DC Power Supplies 52 GL 87-02, Verification of Seismic Adequacy of Mechanical and Electrical Equipment in Operating Reactors, Unresolved Safety Issue (USI) A-46 53 NRC Bulletin 88-04, Potential Safety-Related Pump Loss 53 Unresolved Safety Issue (USI) A-44, Station Blackout 54 DER Trending Results 55 REQUESTED ACTION (d) 57 RESPONSE 57 Executive Summary 57 Deviation/Event Report (DER) 57 Trending 61 Lessons Learned 61 Problem Identification/Evaluation 61 Station Operations Review Committee (SORC) 61 Safety Review and Audit Board (SRAB) 61 QA Audits and Surveillances and Third Party Reviews 62 Self-Assessment 63 Surveillance Testing 63 Quality First Program (Q1P) (Employee Concerns) 64 NRC Interface Process 64 Training 65 REQUESTED ACTION (e) 66 RESPONSE 66 111
ATTACHMENTA NINE MILEPOINT UNIT 1 To ic Pa e ENCLOSURE 1 Design Configuration Documents List 69 ENCLOSURE 2 Design Input Considerations 70 ENCLOSURE 3 Design Change Operability Acceptance 71 ENCLOSURE 4 Design Change Closeout 72 ENCLOSURE 5 Field Variance Risk DDC Criteria 73
ATTACEIMENTB NINE MILEPOINT UNIT 2 To ic Pa e REQUESTED ACTION (a) 1 RESPONSE 1 Executive Summary 1 Introduction 1 Engineering Design and Configuration Control Processes 2 1 ~ Activities Affecting Changes to the Physical Plant 4 1A. Design Change 4 1B. Configuration Change 10 1C. Temporary Modification 11 1D. Setpoint Change 12 1E. Maintenance and Surveillance 12
- 2. Activities Affecting Changes to Configuration Documents/Data 13 2A. Procedure Changes 13 2B. Design Document Changes (DDCs) 14 2C. Program Changes 15 2D. Changes to Training 15 2E. Evaluations/Analyses 15 2F. Database Changes 16 2G. Vendor Manual Changes 16 2H. Supplier Document Acceptance 17 2I. Changes to Licensing Documents/New Regulatory Commitments 17 2J. External Sources of Change 18
- 3. Activities Associated with Specific 10CFR50 Requirements 18 3A. 10CFR50.59 Safety Evaluation Process 18 3B. 10CFR50.71(e) 19 3C. QA Program/10CFR50 Appendix B 19
- 4. Common Programs 20 4A. Problem Identification Processes 20 4B. Training 21 REQUESTED ACTION (b) 23 RESPONSE 23 Executive Summary 23 Introduction 24
0 ATTACHlVEÃTB NINE MLE POINT UNIT 2 To ic Pa e Procedure Development, Review, Approval and Revision 24 Assessments and Initiatives 27 Administrative Procedure Update Program 27 Surveillance Verification Program (SVP) 31 IST 31 ISI 31 Appendix J 31 Remainder of TS Surveillances 31 UFSAR Verification Program 33 NMP2 Power Uprate 34 Quality Assurance (QA) Audits 34 Fire Protection Audit 34 Service Water System Audit 35 Vendor Manual and Vendor Interface Program 36 Improved Technical Specification (ITS) Conversion 38 Independent Safety Engineering Group (ISEG) 38 Operations Experience 39 GL 88-14, Instrument Air Supply System Problems Affecting Safety-Related Equipment 39 Unresolved Safety Issues (USIs) A-44, Station Blackout (SBO) 39 Training 40 Summary 41 REQUESTED ACTION (c) 42 RESPONSE 42 Executive Summary 42 Introduction 43 FSAR Verification Effort 43 NMP2 Initial Test Program 43 Surveillance Testing and Examinations 44 Power Uprate 45 Safety System Functional Inspections (SSFIs) 46 Electrical Distribution System Functional Inspection (EDSFI) 46 Service Water System 46
ATTACHMENTB NINE MILEPOINT UNIT 2 To ic Pa e Operations Experience 46 GL 89-10, Safety-Related Motor-Operated (MOV) Testing and Surveillance 47 GL 89-13, Service Water Problems Affecting Safety-Related Equipment 48 GL 88-14, Instrument Air Supply System Problems Affecting Safety-Related Equipment 48 NRC Bulletin 88-04, Safety-Related Pump Loss 48 Unresolved Safety Issue (USI) A-44, Station Blackout (SBO) 49 DER Trending Results 49 REQUESTED ACTION (d) 51 RESPONSE 51 Executive Summary 51 Deviation/Event Report (DER) 51 Trending 55 Lessons Learned 55 Problem Identification/Evaluation 55 Independent Safety Engineering Group (ISEG) 55 Station Operations Review Committee (SORC) 55 Safety Review and Audit Board (SRAB) 56 QA Audits and Surveillances and Third Party Reviews 56 Self-Assessment 57 Surveillance Testing 58 Quality First Program (Q1P) (Employee Concerns) 58 NRC Interface Process 58 Training 59 REQUESTED ACTION (e) 60 RESPONSE 60 ENCLOSURE 1 Design Configuration Documents List 63 ENCLOSURE 2 Design Input Considerations 64 ENCLOSURE 3 Design Change Operability Acceptance 65 ENCLOSURE 4 Design Change Closeout 66 ENCLOSURE 5 Field Variance Risk DDC Criteria 67
ATTACHM1<PITC NINE MILEPOINT UNIT 1 AND U5KT 2 To icPa e NRC Commitments Made:
e Provide a description of engineering design and configuration control processes, including those that implement 10CFR50.59, 10CFR50.71(e), and Appendix B to 10CFR Part 50.
The text that follows in response to Requested Action (a) of the 50.54(fj letter provides a description of how the design and configuration control process is managed, controlled, and implemented at Nine Mile Point Nuclear Station (NMPNS). In addition, details are provided to show that procedures exist for ensuring that engineering design and configuration changes aQecting the Updated Final Safety Analysis Report (UFSAR) are evaluated in accordance with the criteria of 10CFR50.59 and incorporated into the UFSAR in accordance with the requirements of 10CFR50.71(e). Also detailed are the quality program elements that assure that any work involving safety-related structures, systems, or components meets the design and configuration control requirements of Appendix B of the MVPNS UFSAR in accordance with our commitment to Appendix B to 10CFR50.
NMPNS personnel perform work in accordance with procedures that have been developed and, in recent years, significantly improved, to meet the regulatory requirements established to operate and maintain the plant in accordance with our license. These procedures are periodically reviewed and undergo revision, as appropriate. The management and the stafF of NMPNS have significantly improved their awareness of the licensing and design basis documents in recent years.
Back-to-Basics training programs have been established which have emphasized the importance of license-based thinking. Our corrective action program focuses attention on the correction and prevention of mistakes resulting from a failure to fully understand or adhere to the requirements of our procedures.
The approach for assuring that procedures exist to control engineering work such that the plant design and configuration control conforms with the Nine Mile Point Unit 1 (NMP1) licensing basis follows.
The Niagara Mohawk Power Corporation (NMPC) Nuclear Division Policy and Directives Manual sets forth the overall program for controlling the operation, maintenance, and modification of the NMPNS to assure compliance with applicable regulatory requirements, license conditions, and NMPC commitments. The total program consists of the Nuclear Division Policy, the Nuclear Division Directives (NDDs), and lower tier documents (administrative and implementing procedures) developed to implement the applicable requirements. The hierarchy of Policy, Directives, and administrative and implementing procedures is shown on Figure 1 in our response to Requested Action (b).
The NDDs are the vehicle by which management communicates requirements for performing and controlling activities to those responsible for preparing Nuclear Division, departmental, and branch procedures. The NDDs identify applicable regulatory requirements and associated Quality Assurance (QA) program commitments that must be incorporated into implementing procedures. Each activity addressed in an NDD identifies the specific requirements and organizational responsibilities concerning that activity.
Nuclear Interface Procedures (NIPs) are prepared to implement NDDs. NIPs govern activities involving interfaces between organizational departments and for those activities performed by more than one Nuclear Division department where a common methodology is desired.
Department and branch level administrative procedures are prepared to define the organization, assign responsibilities within the organization, and prescribe methods for accomplishing those activities or portions of activities addressed in NDDs or NIPs. Engineering design and configuration control activities are primarily implemented in conformance with Nuclear Engineering Procedures (NEPs) and applicable Generation Administrative Procedures (GAPs).
Technical implementing procedures are step-by-step procedures prepared to prescribe methods for accomplishing those activities or portions of activities as outlined in the respective NDD, NIP, or department administrative procedure to be conducted within the individual branch.
The hierarchy described above is maintained for the engineering design and configuration control program. The NDD on Design Control establishes the requirements for the NMPNS design control program and assigns the responsibility for implementing those requirements.
The Design Control Directive applies to design activities associated with safety-related or quality-related structures, systems, and components (SSCs). The design control requirements included in this directive are specified in the NMPC QA Topical Report (NMPC-QATR-1),
the Technical Specifications administrative control section and the NDDs governing nuclear computer systems. Activities subject to design control are categorized as one or more of the following: engineering evaluation or analysis, design change, configuration change, temporary modification, or plant condition monitoring program.
A separate NDD establishes the requirements and responsibilities for configuration management, including requirements to identify and update selected controlled documents and databases to assure that the NMPNS is operated, modified, and maintained in conformance with the approved design and current licensing basis. This function is accomplished by controlling changes to essential plant SSCs and associated procedures, programs, and databases so that they are maintained consistent with approved design output documents. Information or data about plant configuration that is necessary for efficient and correct design, operation, and maintenance of essential plant systems is subjected to configuration controls.
The following discussion describes current methods for controlling engineering design and plant configuration, including design changes, configuration changes, design document
changes (DDC), procedure changes, temporary modifications, program changes, plant maintenance, and the evaluation of various sources of information for possible impact to the design basis.
Typical of nuclear plants throughout the industry, the NMPNS is committed to a system of design and configuration controls based on the requirements of Appendix B to 10CFR Part 50, as well as other regulations and industry standards, This system includes not only controls, but also feedback loops (testing, evaluation) that result in an ongoing comparison of actual configuration with the design basis. Successful implementation of the design and configuration control system assures that the NMPNS is operated, tested, and maintained within its design basis throughout its life.
The discussion that follows is organized into four broad areas of activities. The first area includes those activities affecting the physical plant. The second area includes those activities affecting configuration documents/data. The third area includes activities associated with specific 10CFR50 requirements. The fourth area includes common programs applicable to the other activities. Each of these areas is further organized into detailed activities as follows.
- 1. Activities Affecting Changes to the Physical Plant:
1A. Design Change 1B. Configuration Change 1C. Temporary Modification 1D. Setpoint Change 1E. Maintenance and Surveillance
- 2. Activities Affecting Changes to Configuration Documents/Data:
2A. Procedure Changes 2B. Design Document Changes (DDCs) 2C. Program Changes 2D. Changes to Training 2E. Evaluations/Analyses 2F. Database Changes 2G. Vendor Manual Changes
K 2H. Supplier Document Acceptance 2I. Changes to Licensing Documents/New Regulatory Commitments 2J. External Sources of Change
- 3. Activities Associated with Specific 10CFR50 Requirements:
3A. 10CFR50.59 Safety Evaluation Process 3B. 10CFR50.71(e) 3C. QA Program/10CFR50 Appendix B
- 4. Common Programs:
4A. Problem Identification Processes 4B. Training When physical plant changes are requested, they are evaluated in accordance with a NIP to determine whether design controls should be applied to the change. Increasing levels of control are applied to plant changes commensurate with the safety significance of the change as per Appendix B to 10CFR50.
Changes to the physical plant are accomplished using one of the following processes: design change, configuration change, or temporary modification. Each of these processes is described below. Setpoint changes, maintenance, and surveillance activities are also discussed because they represent processes that assure, or confirm continuing, reliable system operation and, as such, must be controlled to remain consistent with design basis parameters.
1A. Design Change The design change process is a controlled process that is applied when design configuration documents and/or databases (as listed in Enclosure 1 to this Attachment) are affected, and the proposed change affects the function of safety-related or quality-related SSCs or their reliability, expected life, local environment, or failure modes. Additionally, the design change process is applied to changes involving interfaces with safety-related or quality-related SSCs.
The process may also be used for other situations at the discretion of Engineering or plant management when stringent controls are desirable.
When a plant change has been evaluated and approved for implementation, it is entered into the Plant Change Request (PCR) database. Ifit is to be treated as a design change, it is given
V a design change number. In the initial stages of a design change, the responsible engineer or designer uses a design impact checklist to determine the potential impact of the change, possible issues to be considered, and the kinds of design input required. Based on the checklist review, input is requested from discipline experts, program administrators, and affected groups. The design input procedure requires that those providing input consider a comprehensive list of topics. These primarily emphasize the design basis requirements, functionality and performance requirements, and other requirements related to maintaining the integrity of the design (Enclosure 2 to this Attachment). Specifically, the design input procedure requires that design input such as design bases, performance requirements, regulatory requirements, and codes and standards, are identified, documented, and the selection reviewed and approved by the design organization. Also, references must be sufficiently specific to allow traceability. This provides the initial link between the proposed change, the design bases, and the licensing basis. The design change is subsequently developed on the basis of these inputs. As later described, these inputs are verified in accordance with procedures and the design is subjected to further comparison with the licensing basis at other stages of the design process.
Concurrently, the configuration management processes are also initiated. The Master Equipment List (MEL) and the Controlled Document System (CDS) are searched for potentially affected documents, for other pending work or work-in-progress that could affect the design, and for confirmation of equipmentldocument current status. The MEL may also be used as a confirmatory source of information for many of the items in the design impact checklist because it lists various equipment requirements and characteristics, including safety class. A variety of other information may also be available, including whether Equipment Qualification (EQ), Seismic Qualification (SQ), Inservice Inspection (ISI) and Nuclear Plant Reliability Data System (NPRDS) considerations apply to the components.
The next phase of the design change process is the developmental phase. Intermediate products, such as evaluations and analyses, stress reports, and calculations, are prepared.
These activities are performed using controlled procedures and result in controlled products that cannot be changed without re-invoking the original level of review and approval. New design output documents or changes to design outputs, such as revisions to drawings, vendor technical manuals, acceptance criteria, setpoint data sheets, design basis documents/design criteria, and specifications, are developed. Changes may either be in the form of DDCs that are posted against the affected document or by full revision of the document. Pending changes to configuration databases are also identified and processed. Changes to licensing documents, including the UFSAR and Technical Specifications, are developed in accordance with controlled procedures. System Engineers in the Technical Support Department are requested by the responsible engineer to notify procedure owners of required changes to procedures, and to coordinate required training. Finally, any guidance necessary to support installation and testing is developed in coordination with the installing organization.
Upon completion of these steps, the design package is sufficiently complete from a technical point of view to allow final review prior to issuance. Design outputs are approved, but not released for implementation until the reviews required in the final design phase are complete.
I I Ill Il I
During the final design phase, the responsible engineer/designer reviews the package to assure that the design objective is met, that no open technical issues exist, and that appropriate design impacts have been satisfactorily addressed. Any individual who provided design input may request final design review to confirm that'the design input was correctly implemented in the final design change package.
The next step is independent design verification by a qualified individual per the engineering design verification procedure. This activity provides an independent review to assure that appropriate design criteria, quality criteria, and design bases have been correctly identified, and to assure that the design output meets the specified design inputs and the overall design objective.
Ifnot done previously, an applicability review and safety evaluation are completed as described later under the 10CFR50.59 safety evaluation process.
After verification (and resolution of any concerns), the design change is ready for final review and approval. These reviews include:
~ Review and approval by a qualified engineering approver; I
Review by, a Qualified Technical Reviewer per, Technical Specification 6.5.2.3;
~ Cross-disciplinary reviews, ifrequired by the Qualified Technical Reviewer per Technical Specification 6.5.2.4; and
~ Review and approval by the Plant Manager or'Manager Technical Support per Technical Specification 6.5.2.3.
Completion of the design, review, and approval activities is documented on a Design Change Control form. This form serves as a flag to either prevent or allow issuance of design output documents to the field for installation, as described below.
Design output documents are issued and released per the document control interface procedure.
They are entered into the CDS as documents that are approved but not yet Operations Accepted (i.e., they do not yet represent installed configuration). They are then distributed to a standard distribution that includes the Modification Coordinator in the Technical Support department, The Modification Coordinator serves as the coordination point for plant design changes and it is through the Modification Coordinator that design output documents are transmitted to the field for installation. When the Modification Coordinator receives design output documents (e.g., revised drawings, DDCs, etc.), the document(s) is retained until a copy of the associated Design Change Control form is received. This prevents premature or inadvertent issuance of design output documents that have not been fully reviewed and approved for installation; i.e., approved at both the document level and at the design change level.
~
~
I
'4
Work Orders are written by the responsible engineer, Modification Coordinator, or maintenance planner using the electronic work control (EWC) system. These Work Orders and their associated design output documents are cross-referenced in the PCR database under the associated design change number, so that when the Work Orders associated with the design change are completed, the Modification Coordinator can notify involved parties that Operations Acceptance (turnover to Operations) is possible. Upon completion of the Work Orders associated with a design change, the Modification Coordinator confirms that the applicability review number and safety evaluation number (ifapplicable) are listed in the design package (as a check to verify completion of the applicability review and safety evaluation ifapplicable), and notifies the System Engineer to verify completion of any procedure changes, testing, and training required to place the system in service. Plant Support Engineering is notified to "redline" critical drawings so that plant operators will have current and accurate drawings in the Control Room when the new design change is Operations Accepted. The Modification Coordinator also verifies that all required risk-released documents have been resolved prior to Operations Acceptance (see below for an explanation of the risk-release process). Nonconformances identified during the process are documented on Deviation/Event Reports (DER), evaluated, and resolved.
When these actions are complete, they are documented on a Design Change Operability Acceptance form. The signature of the Manager/General Supervisor Operations (or designee) conveys Operations acceptance of the design change (Enclosure 3 to this Attachment).
Operations acceptance is required prior to relying on the SSC to perform its function. A Design Change Closeout Form (Enclosure 4 to this Attachment) is initiated to assure that activities associated with the design change are verified and documented as complete.
The Modification Coordinator then enters the Operations Acceptance date into the PCR database to indicate that the design change has been accepted and is now current plant configuration. This information is shared with the CDS database to status the associated design documents as Operations Accepted. The MEL database is automatically updated to move the pending MEL changes from the "pending" file to the "active" file with a status of "C" which designates that it reflects current configuration.
At closeout, the responsible engineer forwards the Design Change Control form, and any other required records that were not previously released through the CDS, to the permanent plant file. The documents used to track the design change through installation to Operations Acceptance; e.g., logs, Operations Acceptance form, Design Change Closeout form, and PCRs are forwarded to the permanent plant file by the Modification Coordinator. These actions ensure that permanent records of the design change, from initiation to closeout, are if available for the balance of plant life for further review or audit, needed.
There are two variants of the design change process; 1) risk-release of design changes; and 2) partial operations acceptance of design changes. Risk-release is defined in our engineering procedures as a process by which an organization formally recognizes and approves the financial risk of beginning an implementation or installation prior to full approval of the final design. Risk-release does not involve a risk to personnel safety or nuclear safety. Usually,
0 1 1
design output documents are issued only after appropriate aspects of the design development, review, and approval are complete. Under certain circumstances, it is necessary to release certain design outputs on a "risk basis" to allow pre-staging, pre-fabrication, pre-installation, partial installation, and to allow for field variances to work in'progress. However, because these circumstances involve financial risk, the risk-release process is used sparingly.
Activities such as pre-staging, pre-fabrication, and pre-installation/partial installation may be initiated and processed using the risk-release process. First, the responsible engineer must prepare a documented justification of why the design or partial design must be released prior to being fully approved. The activity must be reversible within a time frame consistent with the activity to support operating requirements. Ifthe responsible Engineering supervisor approves the risk-release, it is submitted to the Plant Manager for approval. In accordance with the safety evaluation procedure, which prohibits any change to the plant (temporary or permanent) without an appropriate review, any risk-released work must have been properly evaluated for plant safety impact and compared with the design and licensing bases prior to implementation.
After Plant Manager approval, the responsible engineer makes limited distribution of the required design documents, which are statused as "risk" in the configuration databases. Until this "risk" status is resolved, the design change cannot be'Operations Accepted, (i.e., turned over to Operations) or relied upon to provide its function. When the risk is resolved, the design change process continues normally through Operations Acceptance and closeout.
Risk-release of field variances may be authorized by a responsible engineer to allow minor changes to work in progress (e.g., correcting interferences). In these cases, the installer requests Engineering to review the situation and the requested field variance for initial feasibility. Ifthe field variance satisfies the procedural criteria (listed in Enclosure 5 to this Attachment), the engineer may initiate a risk-release DDC to allow the work to continue without interruption. The risk DDC is given limited distribution by the responsible engineer.
One copy goes to the installer to continue work; one copy to the Modification Coordinator to enter the risk DDC into the design change document log for subsequent tracking and resolution prior to Operations Acceptance; one copy to Document Control for entry into CDS with a "Risk" status; and the original to Engineering for completion of all reviews and approvals in accordance with the requirements of the normal design change process. Ifthe Engineering review and approval process uncovers problems with the risk DDC, the work is stopped and reversed, or otherwise corrected. When the risk DDC is fully approved per Engineering procedures, it is issued through Document Control to its standard distribution. The document status is changed from "risk" to "approved". Once the Modification Coordinator receives and distributes the fully approved DDC, the work is completed or confirmed complete in accordance with the fully approved DDC. The design change can then be Operations Accepted and closed out following the normal design change process.
The other variant to the normal design change process is the option of partial Operations Acceptance. This option may be used when the design change affects multiple components or trains that may be safely put back into service before every component or "train" has been modified. An example of how partial Operations Acceptance could be used is the process of implementing a change that affects many identical components across a variety of applications
,'l<. ', >> <)f$ ) l< 'r i V
5
or systems. In this case, the design documents and associated safety evaluation would be written to cover many specific applications of a single type of component (e.g., pipe snubbers). The Modification Coordinator would then be able to track and obtain Operations Acceptance of the design change at the component level rather than having to wait until all affected components in the design change were Operations Accepted. As in the normal design change process, the databases are updated at the time of partial Operations Acceptance to show that the design change has been completed for component X for example (but not Y and Z),
and the component is ready to go back into service. The requirements for partial Operations Acceptance are similar to full Operations Acceptance, that is, the safety review process must be complete; associated Work Orders, including those for testing, must be complete; applicable procedures must be revised; required training completed or in progress; risk-released documents must be fully approved and the risk resolved; and the Control Room critical drawings accurately updated to show the portion of the change that is being partially Operations Accepted.
Fuel replacement, because of its unique requirements, is controlled by a set of procedures that includes NEPs and Fuels Group Engineering Design Standards (OT-EDS) that meet 10CFR50 Appendix B requirements. Key design inputs are solicited, reviewed, and approved as part of the design process. The preliminary fuel bundle design is provided by an NMPC-qualified vendor. Design iterations occur between the fuel vendor and NMPC. Analyses and calculations supporting the core design are performed and verified by NMPC using controlled procedures. The final core design is verified independently by the vendor under their NMPC-qualified QA program. Calculations and analyses supporting licensing requirements for transients and loss-of-coolant accidents (LOCAs) are performed to determine fuel operating limits for the new core design. The vendor submits a final report to NMPC documenting the verification of the design, compliance to design requirements, analysis results, and new operational limits. NMPC accepts the design by technical review and performs a 10CFR50.59 safety evaluation as described later in this section. Licensing document changes are performed in accordance with controlled procedures. The final review and approval, issuance, installation, and acceptance follow a process similar to the design change process.
In summary, the design change process (including risk-release and partial Operations Acceptance, and fuel replacement) is a controlled process which requires review and comparison of the proposed change to the design basis of the plant. The primary barrier of defense against deviations from the licensing basis is the 10CFR50.59 process that is required for each plant change, The design impact assessment and design input process require the responsible engineer and, as necessary, other discipline experts, program administrators, and other affected groups to describe or reference appropriate design requirements and constraints to assure compliance with the plant design basis. Additionally, configuration databases provide confirmatory sources of design basis information. An independent verifier reviews the design for consistency with design inputs, including design basis requirements. Finally, a variety of configuration controls, including administrative procedures and databases, are in place to assure that information necessary to support the change is accurate and is put in place concurrent with the change (e.g., revisions to procedures, drawings, training, and databases).
This assures that design basis and licensing basis requirements cascade down through the NMP1
~ I
4 P
system and result in proper operation, maintenance, and testing of the plant as licensed by the.
Nuclear Regulatory Commission (NRC).
1B. Configuration Change The configuration change process is used for activities including plant changes that affect design documents or databases (Enclosure 1 to this Attachment), and: 1) do not affect the functions of safety-related or quality-related SSCs; 2) do not adversely affect the reliability, expected life, local environment, or failure modes of safety-related or quality-related SSCs; 3) do not involve interfaces with safety-related or quality-related SSCs and; 4) do not change the intent or effectiveness of programs required by regulation. This process is primarily intended for nonsafety-related changes having no safety impact and no interfaces with safety-related systems. However, it may also be used for safety-related equivalent, replacements such as like-for-like component replacements.
The first step in the configuration change process is to confirm that the proposed change either satisfies or does not affect the current design and licensing basis. This step is in addition to the 10CFR50.59 review that will eventually also be performed; however, it assures that the responsible engineer will compare the proposed change with the UFSAR, Technical Specifications, and other licensing documents and regulations as early in the process as possible. The procedure also requires that if the engineer determines that safety-related or quality-related functions described in the current design and licensing basis are affected, the design change process must be used instead of the configuration change process. Like the design change process, a configuration change requires assessment of potential impacts using the design impact checklist and the identification of potentially affected documents and databases.
At this point, output documents such as drawings, drawing revisions, DDCs, specifications, and vendor manual revisions are processed and pending changes to databases are developed.
Changes to license documents are processed per the interface procedure governing control of licenses, UFSARs, and NRC approved plans and programs.
Ifthe change involves safety-related or quality related SSCs, an equivalency evaluation is documented for the permanent plant file showing why the change has no effect on the design bases. Ifequivalencycannotbejustified, thechangeisprocessed asadesignchange. Like any other plant change, configuration changes are evaluated per 10CFR50.59.
At this point, the configuration change is ready for final review by the Engineering approver.
Unlike a design change, independent verification and Plant Manager approval are not necessary. However, similar to a design change, the completion and approval of a configuration change is documented on a Configuration Change Control form. Processing from this point forward is similar to the processing of a design change. Outputs are distributed through Document Control to the Modification Coordinator who, upon receipt of an approved Configuration Change Control form, issues the change to the field and, upon completion, presents it to Operations for review and acceptance, The same configuration controls that NMP1 10
h I
applied to the design change process are invoked by the configuration change process at Operations Acceptance, including automatic database updates, verification of procedures and training,,and "redlining" of critical drawings.
In summary, although the configuration change process is aimed primarily at changes that do not affect the design basis of the plant, there are numerous controls in place to prevent these changes from compromising the plant operating, maintenance, and test requirements, and the design documents upon which they are based.
1C. Temporary Modification Temporary modifications are controlled per a GAP. This GAP applies to temporary modifications to site installations, facilities, structures, and inservice systems and components therein, as described in the UFSAR. Like configuration and design changes, temporary modifications must be screened to determine whether design controls apply and if 10CFR50,59 applies. Because of the hierarchical structure of the procedures, the interfacing procedures governing design control and 10CFR50.59 reviews are always invoked for plant changes that could impact the licensing basis, including temporary modifications. As a result; temporary modifications receive the same review as permanent changes regarding conformance with design and licensing:basis requirements.
Temporary modifications are coordinated by the System Engineers in the Technical Support Branch. Design changes are processed per engineering procedures described previously. A temporary modification control form is used to control the installation and removal of the temporary modification. Associated 10CFR50.59 safety evaluations are developed and reviewed as described later in the response. Temporary modifications that affect nuclear safety are reviewed by a Qualified Technical Reviewer and approved by the Plant Manager or Manager Technical Support.
Prior to authorizing implementation of a temporary modification, the Station Shift Supervisor (SSS) reviews the associated applicability review/safety evaluation and Work Order to assure compliance with the Technical Specifications. At, this point in the process, the temporary modification may be installed per applicable work/design documents with the permission of the operating shift leadership (SSS and Chief Shift Operator). Temporary modifications are tagged and tested as required by procedure. They are, verified as having been installed in accordance with applicable work/design documents and Control Room critical drawings are redlined as part of implementation. The SSS reviews the completed temporary modification package to determine the operability status of the affected system(s).
J Clearance of temporary modifications is the reverse of the above except that 10CFR50.59 reviews are not necessary unless the equipment is being returned to a state other than the original design. In that case, the activity would go through the screening processes again and be re-evaluated per procedure. Clearance involves independent verification, confirmation of completion of procedure revisions, testing, and as necessary training and determination of simulator impact. If design documents or databases were affected, Engineering is notified so 11
V that the original configuration'an be restored. Control Room critical drawings are updated to the original configuration, ifpreviously affected. The SSS reviews cleared temporary modification packages to determine the operability of the affected system(s).
ll In summary, the temporary modification process is a controlled process that assures the integrity of the license and design bases by invoking the reviews of the license basis required by 10CFR50.59, and by applying configuration controls that assure that the plant, associated procedures, training, and testing conform to the design basis of the plant. These checks are applied both during installation and clearance of temporary modifications, assuring that the changes from, and the restoration to, the original condition are verified as complete and correct.
1D. Setpoint Change NMPNS maintains setpoint control through the hierarchy of design control and configuration management procedures. Changes to setpoints are performed and controlled in accordance with NEPs including those associated with "Design Change," "Configuration Change,"
"Design Document Change," "Design Input," and "Calculations." A design input statement is required for setpoint changes that are defined as a design change and provides the input and basis for the change. In addition, each setpoint change requires an applicability review to be performed in accordance with the NIP for Applicability Reviews and Safety Evaluations.
NMP1 Instrument and Control safety-related and nonsafety-related design setpoints are controlled in accordance with an Engineering Setpoint Specification. When setpoints are changed, design output documents in the form of DDCs are issued and posted against this document and later incorporated into subsequent revisions to the specification. The revision process is controlled in accordance with the Engineering procedure for engineering specifications.
Setpoint requirements for plant instruments, both safety-related and nonsafety-related, are defined in controlled documents and are maintained via the document control process.
Changes to setpoints are considered plant changes and are managed by the engineering change process via the appropriate NIPs and NEPs. A setpoint change may be a configuration change, a design change, or a temporary modification.
'E.
Maintenance and Surveillance Maintenance and surveillance activities, whether corrective maintenance, preventive maintenance or testing, are based on, or are consistent with; approved design documentation, Technical Specifications, or regulatory source documents. Recurring activities such as preventive maintenance or surveillance testing are addressed by controlled procedures.
Corrective maintenance, may be performed utilizing procedural guidance, or may be performed using design documents directly as part of a Work Order. Drawings, vendor manuals, specifications, setpoint data sheets, DDCs, and other approved Engineering 12
4 documents are often referenced in the Maintenance Work Orders so that they can be used to accurately return the SSC to its as-designed state.
2.
The preceding text covered how changes to the physical plant are made, including the processes used to compare the change to the design bases to assure continued compliance, and the revision of affected documents/databases to reflect the change. In this section, the discussion will cover situations where a change to documents or databases, rather than a change to the physical plant, is the initiator, and how that change is compared to the licensing basis and design bases for compliance and, if necessary, is incorporated into the plant configuration. These change processes include: 1) Procedure Changes; 2) DDCs; 3) Program Changes; 4) Changes to Training; 5) Evaluations/Analyses; 6) Database Changes; 7) Vendor Manual Changes; 8) Supplier Document Acceptance; 9) Changes to Licensing Documents/New Commitments; and 10) Other External Sources of Change. These processes may impact the way the NMPNS is operated, tested, maintained and modified; therefore, they are discussed in detail as follows.
2A. Procedure Changes The procedure change process used at NMPNS includes controlled requirements for development, required reviews, approvals, and configuration control. The process generally conforms with the requirements 'and recommendations of American National Standards Institute (ANSI)/ANS-3.2-1976 as endorsed by Regulatory Guide (RG) 1.33, Revision 2, and Section 5.3 of ANSI/ANS-3,2-1982, and has been expanded and refined beyond the basic requirements to incorporate operating experience and lessons learned. Key support programs and guidance documents have been established to enhance program efficiency and facilitate timely incorporation of changes. The process consists of four distinct elements: 1) development; 2) developmental reviews; 3) final review; and 4) approval. The details of the process differ slightly for administrative procedures and technical procedures (e.g., changes to administrative procedures do not require a technical verification unless the procedures are required by Technical Specification'6.8 or otherwise affect nuclear safety), however, the basic elements are employed for both types of procedures.
The development phase requires assignment of an individual knowledgeable in the area covered by the procedure. To assist in the development process, NMPC has developed a Procedure Writers Manual which provides extensive g'uidance on the structure, content, and human factors principles to be used in preparing procedures, The Procedures Writers Manual is used to ensure consistency throughout the roughly 3,500 procedures maintained at NMPNS.
For technical procedures, the revision process requires that procedure preparers research and use controlled reference documents including, but not limited to, engineering specifications, drawings, vendor manuals, and Technical Specifications. The use of controlled documents ensures that information used to prepare procedures reflects current design configuration.
13
'i Developmental reviews are conducted to the extent required by the procedure. Cross-disciplinary reviews may be conducted when a procedure involves areas of specific expertise that are outside the group that prepared the procedure, or when another group is required to perform activities within the procedure. For technical procedures, a validation review is normally performed'contingent upon complexity, potential consequences, and expected environment including reducing radiation to as low as reasonably achievable (ALARA))by the end users to ensure the procedure is workable and contains a sufficient level of detail for the intended users.
The final review phase is known as technical verification. As previously discussed, changes to administrative procedures do not require a technical verification unless the procedure is required by Technical Specification 6.8 or otherwise affects nuclear safety. Technical review, as required by Technical Specification 6.5.2.1, is performed by an individual other than the individual who prepared the procedure. The final review is permitted only after developmental reviews have been completed. The verification involves a review of the procedure and reference documents used to develop the procedure to independently verify the accuracy. This review may only be performed by qualified individuals previously designated by the Plant Manager. These qualified reviewers, as defined by Technical Specification 6.5.2.4, are members of the station supervisory staff and they are qualified in areas specific to their expertise (such as Operations, Maintenance, or Radiation Protection).
Following final review each technical procedure and Technical Specification related administrative procedure is reviewed for applicability under 10CFR50.59 as described later under the 10CFR50.59 safety evaluation process.
In the approval phase, the responsible procedure owner and the responsible approver (e.g.,
Branch Manager, etc.) provide approval and ensure that required reviews by qualified personnel have been accomplished. The approval process also includes requirements to assure that pending changes have been appropriately addressed, that the Technical Specification classification (a determination as to whether or not a procedure is required by Technical Specification 6.8 or otherwise affects nuclear safety) is appropriate, that any changes made during review have not invalidated previous reviews, and that any required implementation training has been arranged.
In summary, the procedure revision process provides controls to ensure that procedures are prepared to reflect current configuration, that adequate review is performed by appropriately qualified personnel to independently verify accuracy, and that appropriate approvals are obtained.
2B. Design Document Changes (DDCs)
DDCs, even when not associated with a physical change to the plant, are processed under either the design change or the configuration change process as previously discussed. There are two other means of document changes that involve engineering enhancements and editorial changes.
NMP1 14
I p The first means, engineering enhancement, is a term used 'for the correction of a verified error.
The engineering enhancement process has traditionally been used to correct drawing errors. In effect, it is a revision to a drawing perform'ed in accordance with the applicable procedure, but separate from the configuration change process..Per the Engineering procedure governing
'drawing control, an Applicability Review is performed to assure that the applicability of 10CFR50.59 is considered; i.e., whether the change could affect the licensing basis. The drawing revision is checked and approved just like any other revision, and then issued to its standard distribution so that all holders willbe provided with the "enhanced" drawing.
The second means, editorial changes, are minor changes that do not affect the technical content or intended purpose',of the document. Examples are spelling, typographical, and grammatical errors. Because they are inconsequential, they are usually not initiated independently. Most commonly, these errors are identified when the document is being revised for some other purpose such as a design change. They are usually processed and controlled as part of the associated design or configuration change. Ifan editorial change was made independently of any other process, it would be done as a revision in accordance with the controlled procedure for that type of design document. Ifthe change potentially affected the UFSAR, Technical Specifications, or NRC approved programs, such as nomenclature changes, it would be processed per the procedure for initiating hcensing document changes.
2C. Program Changes Program changes to NRC-approved programs must be processed per the procedures that govern Applicability Reviews, safety evaluations, licenses, UFSARs, and NRC-approved plans and programs. Additional administrative controls may also be applied. For example, there is an engineering procedure for plant condition monitoring programs which invokes program responsibilities, and requires reviews for continuing compliance and effectiveness. A description of how regulatory requirements are reflected in the NMPC procedure hierarchy is described in our response to Requested Action (b) under "Administrative Procedure Update Program." Changes to programs that are not NRC approved but are required by regulation, such as the Maintenance Rule Program required by 10CFR50;65, are also controlled by administrative procedures.
2D. Changes to Training Changes to training associated with design or configuration changes are addressed by requiring the Modification Coordinator to notify the Training Department. Requests for changes to training or training programs that are part of the license basis are processed as described later in response to Requested Action (a) under "Training."
2E. Evaluations/Analyses Specific recurring evaluations like safety evaluations, breach permit evaluations, evaluations of temporary shielding, and seismic evaluations are addressed by controlled administrative procedures. Other evaluations that potentially affect design functions are directed to the 1
15
A E
W Engineering Department and processed per a controlled Engineering procedure. This procedure requires that any evaluation or analysis performed to define the design basis for a design change or to establish a design basis be processed in a manner that assures that proper technical input, impact assessments, design reviews, and verifications are obtained.
Independent verification is required when the evaluation or analysis willresult in a change to the design or licensing basis. Examples of when verification may be required include:
Evaluations done in response to regulatory requirements; Analysis done in support of a design change or that is likely to result in a design change; Evaluations or analysis supporting changes to NRC approved programs; and
~ Analysis/Evaluation of safety-related or quality-related activities.
As previously discussed, the controlled Engineering procedure for independent verification requires that appropriate design criteria, quality criteria, and design bases be reviewed to assure that they have been correctly identified and incorporated.
2F. Database Changes t
Configuration database changes are accomplished per controlled procedures. Primarily, these changes result from design or configuration changes, however, some are initiated independently as Engineering enhancements or editorial changes. Regardless of the reason for initiation, each proposed change to configuration data is reviewed for completeness and accuracy before entry, as well as being checked for the accuracy of the data entry itself.
Changes to computer hardware and software are also controlled by administrative procedures.
Verification and validation (V & V) processes are applied to assure that software programs operate as intended and do not result in erroneous displays of information.
2G. Vendor Manual Changes NMPC maintains a vendor interface program that provides for annual contact with our Nuclear Steam Supply System (NSSS) supplier and bi-annual contacts with vendors for other selected key safety-related equipment. These vendors are contacted to request the latest technical manuals, service bulletins, notices, advisories, letters, and operation, maintenance, and repair procedures for the selected equipment.
Additionally, the vendor interface program provides for the maintenance of an index of applicable technical documents and a log of vendor contacts and correspondence. Periodically, the list of vendors to be contacted is updated based on responses received and Engineering reviews of the lists of key safety-related equipment. Follow-up contacts are made with non-NMP1 16
g II II
~
responsive vendors to ensure that a good faith effort was made to obtain the necessary
~
equipment information. ~
Vendor manual changes may then be initiated by receipt of new information from the vendor, or by NMPC to accommodate preferred practices, materials, or other considerations.
Revisions of both kinds are addressed in an engineering procedure governing vendor technical manuals.
Vendor initiated changes are forwarded to the Vendor Document Coordinator for logging and tracking. The change is then forwarded to an assigned responsible engineer who reviews it for applicability to the NMPNS. Ifappropriate, the responsible engineer obtains multi-disciplinary reviews. Ifthe manual is associated with equipment or activities that are safety-related, quality-related, EQ-related, or Technical Specification related, at least one other knowledgeable reviewer must review the change. Nonconformances between the NMPC-accepted vendor product and the proposed change are documented in a DER. When review comments and nonconformances have been resolved with the reviewers and the vendor, the revised manual is approved and distributed.
NMPC-initiated changes to vendor manuals are processed in the same way, except as follows:
~ A DDC may be posted against the manual instead of revising and redistributing the entire manual. Invoking the DDC process involves design impact assessment, checking, and approval.
~ To support the PM Optimization Program, vendor recommended PM methods and frequencies may be changed without revising the vendor manual based on Maintenance, Operations, Technical Support, and Engineeiing review and concurrence.
Additionally, the review must be documented and filed in the Maintenance Department and revised PM method or frequency identified on a component level in the Preventive Maintenance Surveillance Testing (PMST) database.
2H. Supplier Document Acceptance Supplier documents, other than Vendor Technical Manuals, are processed in accordance with the controlled procedure for the specific document type. The process of supplier document acceptance is similar to other types of design documents and includes: 1) preparation, checking, verification, review, and approval, controlled either by the vendor's (NMPC approved) QA program or by NMPC procedures and 2) formal acceptance by NMPC based on a detailed review of technical content, certificate of compliance, or surveillance of work in progress.
I 2I. Changes to Licensing Documents/New Regulatory Commitments Changes to licensing documents/new regulatory commitments are processed per the interface procedure governing control of licenses, UFSARs, and NRC-approved plans and programs.
17
New commitments are processed per the interface procedure that governs NRC interfaces and tracked via the Nuclear Commitment Tracking System (NCTS). In both cases, proposed changes must be reviewed for impact on the design configuration and processed appropriately as a design change, configuration change, a program change or a controlled evaluation/analysis. As previously discussed, any change to the design bases invokes the requirement for reviews in accordance with 10CFR50.59, including a review of potential impact on Technical Specification required procedures. The above controls assure that when new regulatory or license changes are implemented, they are properly reflected in the plant, the design basis, the affected programs, and procedures.
2J. External Sources of Change External sources of change derived from deficiencies, concerns, or issues identified by regulatory agencies, industry operating experience, vendor information notices (INs), or external publications are processed per the DER process. As discussed in our response to Requested Action (d), DERs often result in referral to other processes such as design change, procedure change, and evaluation/analysis for corrective and preventive action. Use of the DER process ensures that evaluation, disposition, resolution and trending of the issue will occur.
3.
3A. 10CFR50.59 Safety Evaluation Process An NDD regarding safety evaluations establishes the requirements for assessing proposed changes, tests, or experiments to determine ifadditional analysis, evaluation, or NRC approval is required before implementation. This directive applies to proposed changes to NMPNS facilities (permanent or temporary), proposed revisions or changes to procedures, and proposed tests or experiments. A qualified evaluator determines whether 10CFR50.59 applies to the proposed change, test or experiment by determining ifit involves a change to the facility or procedures as described in the UFSAR, a test or experiment not described in the UFSAR, and whether the activity affects nuclear safety in a way not previously evaluated in the UFSAR or requires a change to a Technical Specification.. This determination is documented as part of the Applicability Review. When the Applicability Review determination identifies that the requirements of 10CFR50.59 are applicable,'a 10CFR50.59 safety evaluation is then performed to determine if an unreviewed safety question (USQ) exists. The preparer must also obtain the review of his/her Branch Manager, signifying a sufficient cross-disciplinary review has been performed. The Manager Technical Support may specify additional technical review and may waive Station Operations Review Committee (SORC) review ifit is determined that a proposed change does not affect nuclear safety. Prior to implementation, safety evaluations for changes that affect nuclear safety are reviewed by the SORC. SORC renders a determination, in writing, as to whether or not the safety evaluation constitutes a USQ. Ifthe proposed change, test or experiment involves a USQ, it will not be implemented without prior NRC approval. The Safety Review and Audit Board (SRAB) reviews safety evaluations to verify that actions completed under the provisions of 10CFR50.59 did not constitute a USQ.
18
! t.
A NIP governing Applicability Reviews and safety evaluations provides administrative controls for the review of changes, testsand experiments. These reviews assess impact to Operating Licenses, UFSARs, NRC-approved plans and programs, and NRC commitments; determine whether the change involves a USQ; and determine whether NRC review and approval is required. Consistent with the governing NDD, the procedure applies to all proposed changes to NMPNS structures, systems, or components (permanent and temporary), proposed revisions or changes to procedures, and proposed tests or experiments. When an Applicability Review indicates a change to a licensing document is required, the proposed change is processed per a second nuclear interface procedure.
1 This second interface procedure, which controls licenses, UFSARs, and NRC-approved plans and programs, provides administrative controls for amendments and revisions to Operating Licenses, UFSARs, and NRC-approved plans and programs.: The effects of proposed facility changes, procedure changes, tests and experiments are identified on a Licensing Document Change Request (LDCR). Each LDCR is reviewed, approved, and incorporated into license documents in accordance with specific requirements identified within the procedure.
In September 1996, NMPC began using Adobe Acrobat software to search and view electronic versions of the NMPNS UFSAR and plant Technical Sp'ecifiications. The Adobe software provides full-text search commands that can find all the words on a page, no matter where or how they are used. Adobe Acrobat software is a new tool for Applicability Reviewers and Safety Evaluators to identify and assess the impact of proposed changes on information presented in the UFSAR and Technical Specifications.
3B. 10CFR50.71(e)
An NDD regarding changes to Operating Licenses, UFSARs, and NRC approved plans and programs reflects the requirements of 10CFR50.71(e). A NIP governing changes to Licenses, UFSARs, and NRC-approved plans and programs provides administrative controls for the initiation, review, and approval of proposed changes to the UFSAR. A NIP governing interface with the NRC provides administrative controls for filing the UFSAR revision. These procedures provide administrative controls for revising the UFSAR to include the effects of:
all changes made in the facility or procedures as described in the UFSAR; all safety evaluations performed by the licensee either in support of requested license amendments or in support of conclusions that changes did not involve an USQ; and all analyses of new safety issues performed by or on behalf of the licensee at the NRC's request. The updated information is appropriately located within the UFSAR.
3C. QA Program/10CFR50 Appendix B The NMPNS QATR (UFSAR Appendix B) addresses the requirements for a description of the QA Program for the operations phase of the NMPNS. The QATR applies to organizations performing work that affects the operation, maintenance, or modification of safety-related structures, systems or components and indicates that the accountability for the quality of NMP1 19
safety-related work rests with the performer, whereas accountability for verifying the quality of work rests with the verifying organizations.
The QATR provides for the operation, maintenance, and modification of NMPNS consistent with ANSUAmerican Society of Mechanical Engineers (ASME) NQA-l, ANSI/ANS-3.2 and Branch Technical Position (BTP) APCSB 9.5-1, Appendix A.
The QATR is organized to present the NMPC QA program in the order of the 18 criteria set forth in 10CFR50 Appendix B. The QATR states NMPC's policy for each. of these criteria and describes how the controls pertinent to each are camed out. A matrix showing the 18 criteria of 10CFR50 Appendix B and the policy and directives and organization procedures implementing these criteria is presented in the QATR. Changes made to the QATR that do not reduce commitments previously accepted by the NRC are submitted to the NRC in accordance with the requirements of 10CFR50.71(e). Changes made to the QATR that do not satisfy the criteria of Appendix B to 10CFR50, or reduce commitments previously accepted by the NRC, are submitted to the NRC and must receive NRC approval prior to implementation. The changes described above are submitted in accordance with the requirements of 10CFR50.54.
As previously stated, NMPNS is committed to a system of design and configuration controls that satisfy the requirements of Appendix B of 10CFR50. Concerning Appendix B, Criteria III, the NMPNS QATR states that station modifications are accomplished in accordance with approved designs and procedures. The controls apply to preparation, review, and revision of design documents, including the correct translation of applicable regulatory requirements and design bases into design, procurement, and procedural documents. The controls apply to design work performed by contractors as well as by NMPC engineering and technical organizations. Administrative procedures at NMPNS were developed to assure that license requirements, including Appendix B requirements, are accurately implemented and that responsibilities for implementation are properly assigned.
4.
4A. Problem Identification Processes A NIP prescribes the method for processing DERs. Guidance is provided regarding identification, documentation, notification, evaluation, correction, and reporting of conditions, events, activities, and concerns that have the potential for affecting the safe and reliable operation of the NMPNS. The DER process is described in detail in our response to Requested Action (d) under "Deviation/Event Report." DERs are initiated upon discovery of a deficiency, including deficiencies in our engineering design and configuration control process, or inconsistencies between our license documents, physical plant, and procedures. A number of other processes exist at NMPNS that have the potential to identify problems. These processes include self-identification, reviews performed by the SORC and the SRAB, required technical reviews, QA audits and surveillances, self assessments, surveillance and examination activities, Institute of Nuclear Power Operations (INPO) evaluations, NRC inspections, and the evaluation of. industry operational experiences.
20
N l~ lt
As problems are identified, DERs are initiated, dispositioned, and appropriate corrective and preventive actions taken. These processes are a feedback loop to the design and configuration control process in that they either confirm that the processes are working effectively or identify problem areas with subsequent corrective actions to enhance the process.. Results from some of these processes are presented in our responses to Requested Actions (b) and (c), providing part of our bases for concluding that design bases requirements are being translated into operating, maintenance, and testing procedures, and that SSC configuration and performance is consistent with the design bases.
4B. Training I
Training concerning engineering design and configur'ation control procedures is provided to station operating and technical/engineering personnel as part of their continuing training/position specific training programs as required. Operators are routinely trained on the processes used for temporary/permanent changes to plant design or procedures. Additionally, reviews of actual changes to procedures and significant plant design changes after major maintenance outages are covered, as appropriate, before startup. Simulators may be used to train operators and others on new systems/components before actual system startup and to develop new procedures for system operation before the system/component is turned over for testing. Plant system configuration changes, special tests and significant evolutions may be tested on the simulator before they are actually accom'plished in the plant. The PCR database is searched by the simulator support staff quarterly as a review of plant changes for simulator impact. Administrative controls are in place that ensure that any plant changes having potential impact on the simulator are evaluated and changes implemented as required.
Maintenance, chemistry, radiation protection, and engineering personnel receive training in plant design/procedure changes as part of the continued training program, either on an as needed basis or cyclically. Procedure changes and plant design changes can also reach the training program via the Training Review Request (TRR)/Training Change Order process.
This process requires that each change that potentially has training program impact be evaluated and revisions made as appropriate.'lant personnel can initiate a TRR on any issue which could have training program impact. TRRs/Training Change Orders are routinely used for issues that require training program modification.
Concerning training on the 10CFR50.59 process, operations shift management, designated engineering and maintenance support personnel, and others in'management and technical positions are trained and qualified as Applicability Reviewers/Safety Evaluators and have to complete a requalification every two years. Training includes an overview of license documents including Technical Specifications, UFSAR, and NRC-approved plans and programs together with an overview of the hierarchy of procedures. Currently, there are approximately 400 fully trained and qualified personnel onsite who have. the knowledge and ability to do Applicability Reviews and safety evaluations. This training/knowledge base contributes to the awareness and sensitivity that exists throughout the work force with regard to operating the plant within the licensing basis.
21
I~ 8 g 1 ~
~ Ar
I Branch Managers and Senior Managers also perform observations of simulator and other classroom training as part of their normal duties. Their feedback to the training organization is factored into the overall program to ensure the curriculum and conduct of training meets management's expectations.
NMP1 22
I" 'K y, S Provide the rationale for concluding that design bases requirements are translated into operating, maintenance and testing procedures.
As discussed below, Niagara Mohawk has reasonable assurance that design bases requirements are translated into operating, maintenance and testing procedures at NMP1. The rationale supporting this conclusion is based on numerous actions, programs and oversight activities.
As described in NDDs, administrative procedures establish requirements for the preparation, review, and approval of technical procedures, Technical procedures define requirements for the operation, maintenance, and testing described in the Operating License, Technical Specifications, and UFSAR. As discussed in the response to Requested Action (a), extensive programs and controls are utilized at NMPNS to ensure that design basis information is accurately maintained and updated as conditions warrant. Procedures are updated to reflect changes in design, corrective actions (identifiied by the corrective action program), industry operating experience, and changes to source'requirements.
During the development, review, and approval of operating, maintenance, and testing procedures, a review of design documents was conducted. This review included reviews of design drawings, Design Specifications, Technical Specifications, and the Final Safety Analysis Report (FSAR).
I Following the development of operating, maintenance, and testing procedures, the technical accuracy of the procedures has been maintained through programmatic controls for procedure revision and periodic review. These programs have been strengthened over the years to their current status.
NMPC has utilized knowledgeable and appropriately qualified individuals to develop, review, approve, and revise procedures. Program requirements have been in'place for many years and have been enhanced over time to improve the effectiveness of the development, review, and approval process. The training program and other administrative requirements assure that personnel assigned to perform these functions are competent to perform their assigned tasks.
This assures that NMPC can effectively implement program requirements associated with the development, review, approval, and revision of administrative and technical procedures.
Finally, NMPC has been involved in numerous assessments that demonstrate how effectively design requirements are translated into operating, maintenance, and testing procedures. These assessments include, in part, functional inspections, compliance verification projects, audits, and procedure (both administrative and technical) and related program upgrade projects.
23
I P
a
NMPC's response to Requested Action (a) provides a description of the engineering design and configuration control processes currently in place at NMP1, including those that implement 10CFR50.59, 10CFR50,71(e), and Appendix B to 10CFR Part 50. Our response to Requested Action (d) provides a detailed description of the processes'for the identification of problems and implementation of corrective actions to prevent recurrence (i.e., the DER). Our response to Requested Action (b) discusses the process which was used to develop, review, and approve the operations, maintenance, and testing procedures consistent with the design bases. An overview of the historic procedure revision process is presented, as well as the current revision process. The training program is discussed to show that individuals are capable of effectively implementing the procedure development, review, approval, and revision process. Finally, a review of assessments and initiatives conducted is provided to further demonstrate that the implementation of program requirements has been effective in assuring that design basis requirements are being translated into operating, maintenance and testing procedures.
NMPC is confident that adherence to our design and configuration control processes and DER process provide reasonable assurance that design bases requirements are properly translated into operating, maintenance, and testing procedures and that, when inconsistencies are found, they are evaluated and proper corrective actions are taken.
NMP1 s operating, maintenance, and testing procedures were initially developed in the late 1960s. Subsequent to the initial development of procedures, the administrative process for procedure development, review, approval, and revision has changed and improved. The technical content of operating, maintenance, and testing procedures has also continued to improve. We have chosen to describe the process since the completion of construction of Nine Mile Point Unit 2 (NMP2) in the mid-1980s. Although previous direction and control of procedures existed, they have been significantly enhanced since the construction of NMP2.
These program controls defined the requirements necessary in order to assure design basis requirements were adequately translated into operating, maintenance, and testing procedures.
Some of the program documents in place at the time included the following:
~ ANSIN18.7 provided the requirements for the preparation, review and approval process for procedures, as well as an appendix of activities which require procedures.
~ Administrative procedures prescribed the process for the generation, approval, publication, distribution, and control of procedures.
~ Administrative procedures prescribed the SORC requirements associated with the committee's responsibilities. Among those were requirements for formal procedure review and the documentation of those reviews.
24
/ N
NMPC has utilized knowledgeable and appropriately qualified individuals to develop, review, approve, and revise procedures. Program requirements for development of procedures have been in place for many years. Personnel involved in the writing of technical procedures were either NMPC employees or contractors cognizant in the area for which the procedure was being written. In either case, individuals assigned to those tasks were competent to perform their respective tasks. Individuals assigned to support the review, approval, and revision functions of procedure development and maintenance were also appropr'iately qualified.
Through the training program, and other administrative requirements, reasonable assurance is provided that personnel assigned to perform these functions are competent to perform their assigned tasks. This, in turn, reasonably assures that NMPC can effectively implement the program requirements associated with the development, review, approval, and revision of administrative and technical procedures.
Following procedure development, review and approval, procedures were maintained up-to-date utilizing administrative controls for the revision process. Procedure revision controls were in place to establish requirements necessary to ensure that procedures were maintained appropriately. These requirements, coupled with configuration and design control processes, ensured that design basis requirements were translated into operating, maintenance, and testing procedures in a timely manner.
Over time, the procedure development, review, approval, and control process has been strengthened. A brief summary of. major program enhancements follows:
~ 1984 An administrative. procedure change incorporated the NMP1 and NMP2 organizations under a common site administration program..
j 1985 Administrative procedures provided significantly more detail regarding the development, review, and revision process for procedures.
1989 A Site Procedure Writer's Guide was developed and approved in order to provide consistent guidance on format and human factors. This was completed in anticipation of a major procedure rewrite effort.
I 1990-1992-'-A new procedure hierarchy development was initiated. This was done to provide a more organized, tiered procedure structure and hierarchy. Administrative Procedures for procedure generation, approval, distribution, revision, and use would be transformed into the NDD and NIP-PRO series. A major technical procedure rewrite program was also underway, utilizing the Site Procedure Writer's Guide. The bulk of this effort was completed in 1992. Concurrent with the technical procedure upgrade, APs governing procedural controls were themselves enhanced to better describe certain requirements for procedure review and control activities. A key attribute to this change was better defining the expectations for procedure authors and reviewers, as well as improving the 10CFR50.59 screening process.
25
Training efforts were completed to ensure procedure writers, reviewers, approvers and those involved in the revision process could effectively implement the program requirements.
~ 1992-1997 The quality of procedures and related processes continue to improve due to enhancements in the areas of technical review, validation, verification and the 10CFR50.59 screening process and safety evaluation quality. Initial qualification and requalification programs in these areas have been strengthened considerably.
These program changes have led to our current program requirements described in our response to Requested Action (a).
NMPC has conducted several initiatives in order to improve the process by which design requirements are transferred into operating, maintenance, and testing procedures.
Additionally, several assessments have been conducted which reviewed plant procedures, demonstrated that NMPC's programs contain sufficient requirements, and that NMPC personnel are qualified to implement the program requirements. This reasonably assures that NMPC can conclude that design basis requirements are translated into operating, maintenance and testing procedures. A summary of the significant initiatives and assessments in this area is provided on the following pages.
NMPC initiated (1989) and completed (1990) the NMP1 SVP with the purpose of ensuring that Technical Specification logic systems were being adequately tested. As part of the SVP, surveillance tests were reviewed to ensure that whole logic channels and subchannels were tested in accordance with Technical Specifications. In addition, the review verified that contacts in logic circuits were being procedurally tested in a way that uniquely determines that each contact performed its safety function. For parallel paths, this meant assuring that each path was functionally tested separately.
The SVP was documented as a one-time review using a temporary procedure. The review documentation consisted of comparing system design bases drawings, surveillance procedures and the applicable Technical Specifications, Review forms were completed for each system verified. The review forms compared each Technical Specification line with required functions to be tested. Many surveillance procedures were updated, as appropriate, based on the results from the review.
As a result of IN 95-15, a guideline was issued to provide guidance to system engineers regarding test requirements. As a result of the notice, NMPC recently verified that modifications to safety-related circuits since 1990 were being tested properly to meet Technical Specifications, These modifications met the scope of review and the testing program was found to be satisfactory. Further, NMPC strengthened specific administrative controls for NMP1 26
g I I
establishing requirements for preparation and review of technical procedures, for determining and performing post-maintenance testing, and for testing design cha'nges to plant systems and equipment.
Based on recent industry events involving improper testing of logic circuits and information provided in Generic Letter (GL) 96-01, NMPC determined it would be prudent to reaffirm our SVP for completeness and scope. The systems to be reviewed will be the reactor protection system, emergency diesel generator load shedding and sequencing, and actuation logic for engineered safety features. Based on this reassessment, another review of surveillance test procedures and associated prints willbe implemented to verify Technical Specification logic system testing requirements are being met. This reassessment is being completed per our submittal for GL 96-01 and is scheduled for completion prior to startup from RFO15.
In summary, the SVP was an extensive effort to ensure operating, maintenance, and testing procedures comply with design bases testing requirements as reflected in the plant Technical Specifications, In December 1987, NMP1 was shut down due to equipment problems. During the outage, technical and programmatic deficiencies were identified by NMPC and the NRC. These deficiencies led to the issuance of a Confirmatory Action Letter by the NRC concerning NMPC line management's ineffectiveness in recognizing and remedying problems. NMPC was required to prepare and submit a RAP for NRC approval. Included among the corrective actions in the RAP were a number of actions which determined the adequacy of procedures and design. Actions related to procedures included:
- 1. The surveillance testing requirements contained in the plant Technical Specifications were reviewed'to ensure that they had been adequately translated into implementing procedures. This effort is described in more detail under "Surveillance Verification Program (SVP)."
- 2. A requirement for the development of a streamlined deficiency reporting system led to the establishment of the DER process, the details of which are described in our response to Requested Action (d) of this letter. This formal process is used, in part, to identify and resolve discrepancies between the as-built configuration of the plant, (including operating, maintenance, and testing procedures, and the UFSAR), and the plant design bases.
- 3. A review was completed to insure that Emergency Operating Procedures (EOP) input values were consistent with design basis information. In addition, controls were added to ensure the EOPs were modified, as necessary, to reflect changes to the "as-built" condition of the plant.
27
ll ]i 4
- a. Administrative controls were established to require adequate review and control of the Inservice Testing /ST) Program. The second interval IST program was finalized to include all required pumps and valves in accordance with the design bases requirements. The procedures were updated to reflect the program and hence design bases requirements.
Operating, maintenance, and testing procedures are developed and maintained in accordance with the requirements of various administrative procedures a'nd programs. The administrative controls applicable to operating, maintenance, and testing procedures are described in detail in our response to Requested Action (a). This section describes the Administrative Procedure Update Program which was completed in 1992 to restructure and validate administrative procedures and programs at NMPNS. The primary objectives of the program were to:
I
~ Review licensing documentation to identify licensing requirements and commitments applicable to NMPNS.
Verify that license requirements and commitments were completely and accurately implemented through administrative procedures and programs.
I Verify that responsibilities for implementing license requirements and commitments were appropriately assigned within the organization.
The Administrative Procedure Update Program was initiated by developing a Nuclear Division "Policy" document. The Policy provided a summary of the major organizational responsibilities, general program requirements, and other elements for ensuring the safe, reliable, and efficient operation of NMPNS. The Policy also defined a hierarchy of procedures to facilitate organized implementation of license requirements.
28
r ill 4
The current hierarchy is depicted in Figure 1:
EKKIRFD Nuclear
'ivision Policy Nuclear Division Directives Department Nuclear SpeciTic Interface Administrative Procedures Procedures Branch Level Administrative Procedures Technical Implementing Procedures Initial efforts also involved development of a comprehensive list of functional areas to encompass all aspects of operation, maintenance, modification, and testing of the NMPNS.
NMP1 29
0
)limni <" I
~ ~ ~
The list of functional areas is as follows:
ALARAProgram Occupational Safety and Health Audits and Surveillances Operations Budget/Expenditure Control Outage Management Chemistry Nuclear Division Policy and Configuration Management Directives Manual Control Design Control Procurement of Materials, Document Control Equipment, Parts, Supplies and Evaluation and Corrective Action Services Environmental Protection Procedures and Orders Emergency Preparedness Planning and Scheduling Fitness for Duty Project and Task Management Fire Protection Program Radiological Effluents Human Resource Management Station Reliability Housekeeping and System Cleanness ~ Records Management ISI and Testing Radioactive Material Processing, Inspections Transport and Disposal Interfacing with Regulatory and ~ Radiation Protection Program Industry Groups Regulatory Posting Requirements Inventory, Identification and Physical ~ Safeguards Information Control Control of Materials, Equipment, ~ Surveillance and Testing Parts and Supplies ~ Security Licenses, Plans and Programs Safety Evaluations Maintenance Special Nuclear Material Measuring and Test Equipment Accountability Nuclear Computer Systems Special Processes Control Nuclear Fuel Management Safety Reviews Training, Qualification and Simulators Following development of the Policy, NDDs were developed for each functional area identified above. NDDs are used to establish requirements that must be accomplished to comply with regulatory requirements and guidelines, industry standards and practices, and commitments to regulatory agencies outlined in the Operating License, UFSAR, and Technical Specifications. They serve as a vehicle by which management communicates requirements for performing and controlling activities to those responsible for preparing the associated administrative and implementing procedures.
I Subject matter experts were assigned to compile each NDD by performing a comprehensive assessment of licensing requirements and commitments to identify applicable requirements for each functional area. Each NDD was reviewed by responsible individuals in the functional area and then by the Seniorgfanagement Team. The NDDs were issued as a set in the-Nuclear Division Policy and Directives Manual. Administrative controls are applied to ensure the NDDs remain accurate.
NMP1 30
4
~ f~ I
Following issuance of the Nuclear Division Policy and Directives Manual, the Administrative Procedure Update Program was completed by incorporating requirements contained in the NDDs throughout various lower tier administrative procedures. It is important to note that, in parallel with implementation of the NDDs, NMPNS conducted a comprehensive "Back to Basics" program to educate station personnel on the structure and content of the licensing basis, including its relation to the Nuclear Division Policy and Directives Manual. This program is described later in our response to Requested Action (b) under "Training."
In contrast to the NDDs which establish "what" the requirements are for a particular functional area, the implementing procedures provide the details of methods to be used to implement the requirements contained in the NDDs. This was accomplished using the procedure hierarchy developed earlier in the program. Two tiers of administrative procedures are employed in the procedure hierarchy to ensure appropriate levels of review and approval are obtained:
Department level administrative procedures which include: 1) NIPs which implement common or universal programs for NMPNS departments (such as procedure review and control, corrective action, and security). NIPs are reviewed by responsible individuals from appropriate areas and approved by the Vice President and General Manager-Nuclear; and 2) Department-specific administrative procedures which implement common programs assigned to a specific department (such as Generation or Engineering). Department-specific administrative procedures are reviewed within the appropriate department and approved by the department head.
Lower tier (branch level) administrative procedures which are specific to functional areas within departments (such as Operations or Radiation Protection) and involve implementation of requirements by an individual group. Branch level administrative procedures are reviewed and approved within the functional area and allow flexibility in implementing detailed requirements provided compliance with the NDDs and higher tier procedures is maintained.
Adherence to the procedure hierarchy was maintained to ensur'e implementing procedures were developed to the extent necessary to execute the requirements contained in the NDDs. The effort was coordinated by a central group to ensure completen'ess and to minimize overlap and duplication. A procedure numbering scheme was employed that associated implementing procedures to their parent NDD. This phase of the program resulted in revision of nearly all of the more than 800 administrative procedures that were in place at that time.
In summary, this effort verified that license basis requirements were being implemented through administrative proc'edures including those applicable to developing and maintaining operations, maintenance, and testing procedures. The program also served to consolidate requirements for more effective implementation and to eliminate outdated or undesirable practices. Upon completion, the total number of administrative procedures was reduced from more than 800 to approximately 350. The described procedure program and hierarchy remains in place today as an integral part of the NMPNS procedure program.
31
,) lgV Ir The NMP1 Design Basis Reconstitution (DBR) Program included a Vendor Technical Manual Review and Upgrade Project. The integrated program included processing over 10,000 vendor documents which resulted in review and approval of over 7,000 vendor technical manuals.
Part of this effort was to develop the equipment to Vendor Technical Manual cross-reference as part of DBR.
In November of 1995, the process for vendor manual use and control was enhanced using INPO's Good Practice DE102, INPO 87-009, Control of Vendor Manuals, as a guide. The revised process ensures plant personnel are provided with current and technically accurate vendor manuals to support operation and maintenance and includes the following:
- 1. Identification of the primary responsibilities of various individuals responsible for control of vendor manuals including the Vendor Document Coordinator.
- 2. Expectations for turnaround time for the review and approval of vendor manuals.
- 3. Requirements for the receipt, review, approval, issue, and revision of vendor manuals, and notification to departments and responsible personnel for new and/or revised vendor manuals. This notification serves as the trigger to station personnel to review revise appropriate programs and procedures if they are affected by a particular
'nd vendor manual.
- 4. A process for plant personnel to take exception to requirements specified by a vendor.
Based on the above, NMPC is confident that plant personnel are provided with current and technically accurate vendor manuals to support plant operation and maintenance. The Vendor Interface Program and the internal review and approval process assures that vendor manual information is reviewed against the design basis. This process confirms the acceptability of technical information that has not changed, and identifies other information that requires revision.
Significant QA audits (vertical slices) have been performed in the areas of Station Blackout (SBO), Service Water and Fire Protection in which a review of procedures against design basis documents was included.
A QA audit was performed in 1993 to determine NMP1's ability to cope with a SBO event.
The audit team found that NMP1 had an established SBO Program with a four hour coping duration and that Operations had received adequate training and developed procedures that would enable them to cope with a SBO. The audit concluded that a diesel generator reliability 32
t j ~ h program had been established and met the requirements of RG 1. 155. Procedures and guidelines used to cope with a SBO were reviewed. This included a comparison of Nuclear Management and Resource Council (NUMARC) 87-00 to our special operating procedures for SBO, observing use of the procedures in the simulator, and performing a walkdown of portions of the procedures in the plant. The audit concluded that the SBO procedures included the operator actions necessary to cope with a SBO and that the procedures had been written to incorporate NVMARC 87-00 and RG 1.155 requirements. This audit did identify some inconsistencies. These items were documented through the DER process.
A QA audit was performed in 1995 under the cognizance" of SRAB to meet the requirements of the annual, biennial and triennial fire protection audits described in the Technical Specifications. The audit objectives were to evaluate the fire protection program and implementing procedures to assure the requirements for design, procurement, fabrication, installation, testing, maintenance and administrative controls for the respective programs are included in the QATR and me'et program requirements established by the license documents and BTP APCSB 9.5-1, Appendix A-1976, Section C.'dditional objectives were to assess the plant fire protection equipment and program implementation to verify compliance with the NRC requirements addressed in license documents and implementing procedures. The audit team concluded that the NMPNS Fire Protection Program was in compliance with applicable Code requirements and the National Fire Protection Association (NFPA) fire protection guidelines. The fire protection design and design change processes were considered a program strength. Opportunities for program improvements were identified which included attention to detail concerning the identification of related document changes needed when Fire Protection program changes were implemented. DERs were, written against the program which included inconsistencies with the FSAR, but none indicated any major program flaws or violations.
The audit evaluated the design control and procurement document control processes for fire protection by reviewing DDCs for plant change modifications, reviewing procurement documents for fire protection system replacement items, and conducting interviews with design engineering and procurement personnel. The audit team found the design change control process for fire protection to be a strength, particularly the thoroughness of engineering evaluations for Appendix R requirements. Quality standards, such as fire protection codes, were specified in design documents and deviations from these codes or standards were appropriately controlled. Also, new designs and plant modifications were reviewed by qualified personnel to ensure inclusion of applicable fire protection requirements. The audit team also reviewed procedures, instructions and drawings to ensure that fire protection program elements had been appropriately incorporated into the implementing documents. The team also observed personnel performance of fire protection procedures and interviewed personnel to assess the implementation of these procedures and program elements.
The team found that the training programs for fire fighting and fire prevention were being implemented in accordance'with documented procedures and that the training programs for fire brigade members met the'minimum requirements of 10CFR50 Appendix R. The team also NMP1 33
I4 found that, the instructions, procedures, and drawings for design, installation, inspection, test, maintenance, modification, and administration of fire protection activities and systems were being properly reviewed, and contained appropriate requirements for control of ignition sources, combustibles, precautions and compensatory actions when fire systems were placed out of service. The audit team reviewed the NMPNS UFSAR Appendix B (NMPC-QATR-l),
fire protection surveillance test procedures, NFPA standards, and fire protection related work documents to ensure that a program of independent inspection had been established. The audit team also reviewed test and surveillance procedures and related work documents, witnessed testing activities and interviewed personnel to verify that a test program had been established.
The team found that the test procedures incorporated the requirements and limits contained in applicable design documents and that the schedules and methods for periodic testing had been appropriately developed and implemented. The team also found that fire protection equipment and communications equipment were tested periodically to assure that the equipment would properly function and continue to meet design criteria.
An audit of the NMP1 Service Water System was conducted in 1993 to review system design and operation, including maintenance, testing and various regulatory commitments such as heat exchanger performance (GL 89-13) and check valve monitoring (INPO Significant Operating Experience Report (SOER) 86-03). The purpose of the audit was to determine if the NMP1 service water system was designed, operated, tested, and maintained to assure performance of design safety functions in response to postulated accident conditions, postulated natural phenomena, and hazardous system interactions. The audit team employed deep, vertical-slice techniques originally developed by the NRC Safety System Functional Inspection (SSFI) program. Specifically, the Service Water System was reviewed in technical depth in order to evaluate system design and modification processes, and to evaluate the implementation of the design in operations, maintenance, testing, training and administrative controls programs.
Written questions were issued where concerns or needs for additional information were identified. Upon evaluation of question responses from responsible organizations, items were closed, continued for further evaluation or corrective action, or where appropriate, a DER was issued.
The team found that the NMP1 Service Water System Design Basis Document (SDBD) was well organized, informative and comprehensive, and that stating the functional requirement and its basis was a sound practice and consistent with the design basis definition in 10CFR50.2. The audit also stated the SDBDs contained a good balance between functional requirements and design details making them useful for areas such as plant modifications, safety evaluations, maintenance, operations and training. The team also commented on the inherent design reliability of the Service Water System, the commitments to do frequent heat exchanger cleaning and the approach being taken to control microbiologically induced corrosion (i.e., our response to GL 89-13). The overall conclusion was that the NMP1 Service Water System was sufficiently designed, operated tested, and maintained to assure performance of design safety functions under postulated design basis accident conditions.
NMP1 34
0
"[II s
In conclusion, these audits were designed, in part, to verify that the design basis was properly reflected in the applicable operating, maintenan'ce, and testing procedures for those functional areas. The results indicate that while not perfect, there is a reasonable basis for concluding that goal has been accomplished. Continual verification through audit and surveillance activities is a management expectation.
Industry operations, experience items provide NMPNS opportunities to confirm that design bases requirements are translated into operating, maintenance, and testing procedures. As a minimum, NRC Bulletins, Notices, GLs, and INPO issuances such as SOERS and Significant Event Reports (SERs), as well as vendor issuances are reviewed to determine applicability to the NMPNS. Nuclear Division personnel are directed to initiate a DER upon discovery of a deviation/event or condition adverse to quality or when it is determined that an industry experience is applicable to the NMPNS. The DER process,'s described in our response to Requested Action (d), requires a disposition and corrective actions, as necessary. Some examples of operations experience items that have required NMPNS to 'confirm and/or take action to assure that design basis re'quirements are being translated into operating, maintenance, and testing procedures are as follows:
The purpose of GL 88-14 was to request that each licensee/applicant review NUREG-1275, Volume'2, and perform a design and operations verification of the instrument air system (IAS). As stated in the GL, the verification should include "verification that maintenance practices, emergency procedures, and training are adequate to ensure that safety-related equipment will function as intended on loss of instrument air." In response to the request, NMPC reviewed the specified procedures and found them to be adequate to ensure that the subject safety-related equipment would function as intended on loss of instrument air or during design basis accidents. Operational procedures were also revised to improve procedural control during the load shedding process. The reviews and enhancements conducted as part of this GL effort provide assurance that for the instrument air system, design basis has been properly translated into procedures.
NRC USI A-44, SBO was concerned with the ability of a nuclear power plant to cope with a total loss of both offsite and onsite alternating current (AC) electrical power.
The NRC resolved the issue by incorporating requirements for coping with a SBO in 10CFR50.63.
As part of NMPC's efforts to address ensuring compliance with these requirements, existing procedures were reviewed and, in conjunction with the creation of a new operating procedure detailing the specific actions for responding to an SBO, were found fl NMP1 35
a ~
to meet the requirements of 10CFR50.63 and guidelines in NUMARC 87-00. As part of this review, NMPC confirmed that existing procedures provided guidance which would permit the restoration of AC power either from offsite or from the emergency diesel generators. Additionally, corporate operating instructions were identified that address the restoration of offsite power to NMP1 and the Scriba Substation from various sources. Confirmation of these existing procedural and operating controls along with those added to meet NUMARC 87-00 provides a rationale that operating procedures adequately address the design basis for loss of AC power events.
Prompted by relevant industry events, NMPC initiated and has since completed a review of selected UFSAR chapters to determine their accuracy. The review covered ten high risk systems (based on PRA) including safety-related and nonsafety-related systems. This review identified attributes that should be implemented by plant procedures, approved processes or contained in an Engineering document. In this way, design basis and licensing information could be verified. Each attribute was then provided to the appropriate line department to provide technical justification as to whether or not the attribute was fully implemented. This review identified approximately 634 individual statements to be verified by plant and engineering personnel. As of the end of January 1997, approximately 600 statements (or 95%) have been dispositioned. Of the 600 statements, less than 9% resulted in discrepancies contained in the UFSAR that met the criteria for DER initiation.
These discrepancies ranged from typographical mistakes to minor inconsistencies in information contained in plant procedures and processes. Of the identified inconsistencies, the majority of these were due to failure to accurately update the applicable UFSAR section as described in existing safety evaluations. Based upon our review to date, no discrepancy has resulted in an operability concern, a plant performance problem, or a reportable condition outside the design bases of the plant.
A self-assessment of the UFSAR review was then initiated to determine the need for and scope of an UFSAR verification program. Additionally, this self-assessment also evaluated selected NRC inspection reports and NMPC Licensee Event Reports (LERs) for the purpose of determining the accuracy of the UFSAR information. The self-assessment concluded that the NMP1 UFSAR is generally accurate in describing the operation of the plant. Although deficiencies and minor inconsistencies have been identified, they have been determined not to impact plant operation or performance. However, the assessment indicates that NMPC should pursue improving the accuracy of the UFSAR. This process would also confirm the validity of the design basis for the remaining systems, and improve the ability to efficiently maintain the NMP1 UFSAR.
Accordingly, we are currently finalizing our plans for a UF SAR verification effort. We intend to perform a comprehensive review which will be completed by the end of 1998. This review will include provision for prompt evaluation of identified deviations for operability and reportability. It will also assess on an ongoing basis whether there are broad underlying NMP1 36
It concerns of design basis related inadequacies. The UFSAR Verification Program confirms NMPC's commitment to ensure the design basis is reflected in the day-to-day operation of the unit, and that plant personnel are knowledgeable and aware of the significance of operating within the licensing basis.
In 1992, NMPC developed a new training course entitled "Back-to-Basics." This course provided training on licensing basis documents and operation within our licensing envelope, and was designed to result in enhancements to our management and leadership skills. Also discussed was the expectation that ifwork could not be performed within the controls of a procedure, the work should stop and a resolution obtained before work continues. This training was provided to Branch Managers and selected Supervisors who were then responsible to teach the "Back-to-Basics" course to the individual work groups.
"Back-to-Basics H" training was conducted in 1995-1996 to assist organizations in understanding how Back-to-Basics relates to their specific jobs. This training included a diagram of our license basis and discussions of 10CFR50.59 and 50.92, commitments made to Operational Experience items, RGs, and industry standards and how we change these commitments, a definition of operability with an emphasis on post accident function, discretionary enforcement, reportability requirements of 10CFR50 Parts 72, 73 and 21, and how specific work activities interact with the design basis.
Concerning 50.59 training, the biennial requaliflication training for personnel authorized to prepare safety evaluations now includes a specific discussion of the consequences of failing to prepare a safety evaluation. Members of the Senior Management Team recently attended the requalification training to ensure their expectations are incorporated, and to heighten awareness of 10CFR50.59 requirements and issues. Members of the SORC and the SRAB are also required to attend requalification training.
Training for nuclear division personnel developed during the Restart Action Plan period emphasized increased Standards of Performance expectations. Topics included a heightened focus on design control, DBR, and a better understanding of the NMPl design and how plant personnel should use design documents when writing procedures and performing modifications. Lessons learned were presented in training which discussed configuration control and program management. Changes in training program processes included configuration control of individual training and qualification records for licensed operators. A new Training Records System, TRAIN, was put in place to help with the management of training records. Additionally, program procedures were revised to specify continuing coverage of topics annually.
Operational Experience, including industry events, are typically analyzed for training value in conjunction with DER dispositions and, ifappropriate, are included in the continuing training program for operations, maintenance, engineering, chemistry, radiation protection, and support organizations.
37
Routine and special training periodically results in enhancements to procedures. Operators can process procedure changes when training activities show that there is a better way to accomplish the specific task. Procedures are reviewed periodically with intent to prevent personnel errors, ensure better understanding, and train personnel on the design or licensing basis of. the plant. An example of where an engineering support continued training class identified a concern was the discussion of control rod drive flow and how it is used to calculate core thermal power. As a result of this discovery, configuration changes to the plant process computer were made to correct the deficiency. This has since been identified as an industry problem that initiated action at other plants.
Administrative procedures and controls have been in place since construction of NMPl, although substantially enhanced over time, to mandate requirements associated with the preparation, review, approval and revision of operating, maintenance, and testing procedures.
These procedures and processes contain appropriate requirements which reasonably ensure design basis requirements are incorporated into administrative and technical procedures.
Personnel qualification requirements assure that NMPC is capable of implementing the program requirements. Continuous improvement of program requirements and implementation has been a regular practice at NMPNS. Additionally, multiple assessments have been conducted which'demonstrate the overall effectiveness of various programs in the design/configuration control and procedure area. Coupled together, these activities and processes provide reasonable assurance that design basis requirements are translated into operating, maintenance, and testing procedures at NMPl.
38
0 t
Provide the rationale for concluding that system, structure and component configuration and performance are consistent with the design bases.
NMP1 was built prior to establishment of QA Criteria of 10CFR50 Appendix B and other more formal design and configuration controls applied to newer plants. However, actions have been taken since initial operation to ensure that system, structure, and components configuration and performance are consistent with design bases.
Surveillance testing programs have been in place throughout NMP1's operating life and are formalized by procedures. Such tests provide a primary basis to ensure that performance of systems meet design bases requirements. Additionally, post-maintenance and modification testing is routinely performed to ensure that design bases requirements continue to be met following maintenance and modification activities. Pressure retaining components are also routinely tested through ISI and testing programs., In addition to confirming that SSCs meet acceptance requirements, these testing programs provide a mecha'nism to identify deficiencies using the DER process and to trend equipment performance.
Several initiatives have been taken or are in place to confirm that the physical configuration of the plant is also consistent with design bases. As part of the DBR program, a number of system walkdowns were performed for selected safety significant systems. These included verification activities relating to major electrical and mechanical components and systems as well as piping/pipe support and penetration walkdowns.
NMP1 was in an extended outage from 1987-1990. As part of this extended regulatory outage, NMP1 prepared a RAP and Restart Readiness Report, which included a number of actions to confirm design adequacy prior to restart.
In 1990, a Power Ascension Program was completed for NMP1. Tests were conducted at various power levels to verify the performance of individual systems as well as inter-related system performance and overall station operation and control.'he testing also provided a basis for additional evaluation of station operating and surveillance test procedures.
Operations experience and SSFIs/Electrical Distribution System Functional Inspection (EDSFIs) have been applied to further and more specifically evaluate NMP1's conformance and performance against design bases. NMPC's Operations Experience Program routinely evaluates NRC Bulletins, Notices, GLs, as well as other industry inputs including INPO's SOERs, SERs, and vendor issuances. Evaluations such as EDSFI and Operations Experience include our assessment of motor-operated valves (MOVs) capability under GL 89-10, Service Water System capability under GL 89-13, Instrument Air System capability as part of GL 88-14, GL 91-06 which discussed the adequacy of safety-related direct current (DC) power supplies, GL 87-02 39
~
w~ y
regarding seismic adequacy, and SBO-USI A-44. These assessments, coupled with ongoing evaluations of plant performance, assure that configuration to performance parameters are updated as appropriate.
The above activities, coupled with our corrective action program, will ensure routine problem identification and evaluation of as-built conditions and test results and provide reasonable assurance that current performance and configuration are consistent with the design bases.
NMPC's response to Requested Action (a) provides a description of the engineering design and configuration control processes currently in place at NMP1, including those that implement 10CFR50.59, 10CFR50.71(e), and Appendix B to 10CFR Part 50. Our response to Requested Action (d) provides a detailed description of the processes for the identification of problems and implementation of corrective actions to prevent recurrence (i.e., the DER). NMPC is confident that adherence to these processes provide reasonable assurance that NMPNS SSC configuration and performance are consistent with the design bases. NMPC bases this confidence not only the quality of these processes, but on the multiple efforts, reviews, inspections, tests and audits that have taken place and that are currently being taken to assure SSC configuration and performance are consistent with our design bases. A discussion of some of these efforts, reviews, inspections, tests and audits is provided below.
Routine surveillance testing and examinations provide a primary method by which the performance and material condition of plant SSCs are confirmed to be consistent with design bases. An NDD establishes the requirements for development and execution of a program for surveillances and tests required by the Technical Specifications, regulatory commitments including the IST Program, industry experience, and special tests and experiments. A surveillance and test program has been established to demonstrate that SSCs perform satisfactorily in service. The regulatory requirements are identified in the operating license, Technical Specifications and UFSAR. The surveillance and test program is updated as a result of design changes, corrective actions identified as part of the DER process, evaluations of industry operating and maintenance experience and changes to source requirements. Also, test requirements for surveillance and tests meet the requirements of the ASME Boiler and Pressure Vessel Code and RGs as appropriate. Specific procedures are developed for each surveillance and test, and will simulate, as near as practical, the actual conditions under which the system must operate on demand, Post-maintenance and modification'ests verify the capability of SSCs to perform satisfactorily in service. The extent of the testing is commensurate with the work performed and the importance of the SSC to station safety and reliability. The test requirements and acceptance criteria for design changes are derived from design documents or sources for regulatory requirements. SSC deficiencies and test data trends are evaluated and a DER initiated as appropriate.
NMP1 40
A
'I>> ~
An NDD also establishes the requirements for the development of ISI and Testing programs.
This directive applies to the examination and testing of the pressure retaining components of the NMPNS reactor coolant pressure boundary and to components required to be tested in accordance with the ASME Boiler and Pressure Vessel Code,Section XI. Unacceptable examination or test results willresult in the initiation of a DER and appropriate actions. Such testing and examination activities assure that SSCs continue to perform as described in the design basis documents.
During the NMP1 extended outage from December 1987 to July 1990, 'a number of design basis related deficiencies were identified which supported the need for a design basis project.
The DBR Project, initially called the Engineering Program Integration Project (EPg, was implemented to review and provide the basis for integrating the various activities involved with engineering support and program management for NMP1 into the appropriate functional groups of the Nuclear Division. The programs included in the DBR Project were those which:
1
~ Defined and verified the current plant configuration, the corresponding design basis documents, 'and developed tools necessary for controlling the plant configuration after it was defined and verified.
~ Assessed the material condition of the plant systems and structures, assessed maintenance effectiveness, developed the long-term strategy for plant monitoring on a continuous basis, and coordinated this with plant life extension activities,
~ Established the approach for addressing plant upgrades, technical issues and system assessments.
Coordinated engineering resource development including organization, training, engineering computer/software support and advanced methodology development.
As the program evolved, the program focused on DBR and configuration management activities. The specific objectives of DBR and configuration management upgrade program were to: A Recover and document design basis information for plant system, components and structures of NMP1.
Develop SDBD and Design Criteria Documents (DCDs) which include the design basis information.
~ Determine and document the current as-built configuration of the plant.
~ Validate vendor documentation based on the as-built information.
41
~ Establish systems to provide access and control for plant design configuration information.
'l When the DBR Project was ended in June 1994, the following items had been completed:
~ 21 SDBDs.
~ 23 DCDs.
~ 71 program reviews.
1 Vax Equipment List (E-List) that includes components identified from the databases which were merged into the E-List and additional components identified through the development of SDBDs. The E-List was converted after DBR into the MEL-1 which is consistent with the format at NMP2 and is currently used.
26 walkdowns (system, piping, pipe supports, electrical panels, cables, etc.).
~ Integration of the Vendor Technical Manuals Program.
Improvements to the Configuration Management System, I
. Development of a process to improve plant condition assessment and demonstration of initial evaluations of one system and two components.
~ 3 areas of technical assessment improvement.
~ 8 engineering tools developed.
more detailed discussion of some of the above items is provided below:
The SDBDs were developed as a result of recovering/reconstituting the system design basis of certain systems at NMP1. The SDBDs are intended to summarize the technical and regulatory bases for the system design and operation and to provide a road map to the underlying design basis documents. The 21 SDBDs represent the majority of the safety-related systems at NMP1. Those systems chosen were based on input from Engineering and Operations and were judged to be highly risk significant (although the Individual Plant Examination (IPE) was not complete at the time).
The DCDs are topical design basis summary documents for use in engineering support of NMP1. The subject of these topical design basis documents include, but are not limited to, pipe supports, seismic classification, fire protection criteria, hydraulic design requirements, Instrument & Control setpoint criteria, and DC load and power distribution. The DCDs contain both the original design bases and optional upgrades (i.e., requirements from newer codes, etc., that are not currently part of the design bases).
42
5L+,~
Many configuration management improvements were implemented as a result of the DBR program including the upgrading of the older equipment lists into an integrated MEL-1 and development of software interfaces with the other configuration databases (PCR, CDS, and EWC). Specific examples include the following:
~ The controlled document database was linked with MEL-1 through the Equipment/
Component Identification and, Alternate Identification.
~ The PCR database was linked with MEL-1 through the Equipment/Component Identification and interfaces with MEL-1 for the Component Identification, Subsystem/System and Safety Class.
~ The interface with the EWC (WC Mosse) database was improved.
These software upgrades primarily improved the timeliness and coordination of equipment status and document status, so that plant staff can more easily recognize when pending changes have been completed, when they have been made operational, and the status of associated design documents. Technical assessment improvements resulting from DBR activities included the IPE Integration which coordinated the development schedule and content for the SDBDs and DCDs.
The DBR program also resulted in the development of the engineering tools described below:
~ A cable routing database was established through the use of software for tracking and evaluating cable routing. The database used was based on drawing reviews and walkdowns. Selected ampacity calculations were also performed.
~ A fusing index was established using a computer program for tracking fuse information.
Necessary information on certain fuses was obtained and a final database was integrated in the E-List.
~ Forty calculations for key EOPs and safety-related instrumentation were developed. These calculations were used to define NMPC's approach to Instrument & Control instrument loop accuracy calculations.
Personnel training materials were developed to instruct engineers in the use and care of design basis information. Classes were given to Nuclear Engineering and selected other groups,
~ A prototype Advanced Search and Image Retrieval Methods for Design Basis Information system, used for document retrieval, was developed for Core Spray System documents.
This system was based on a detailed review of available technology.
NMP1 43
0 I
~ Computer Aided Drawing (CAD) versions of the Piping and Instrument Diagrams (P&IDs) were developed including color overlays. Prototype CAD versions of other drawing types for each discipline were developed to demonstrate linking of drawing information.
~ NMPC procured a computer program, training and technical support for piping and hanger analysis code. Analysis code was tailored to specific NMPC document formats and compatibility requirements.
~ NMPC also procured a thermal-hydraulic analysis tool for'Mechanical Engineering and developed specific interfaces for the software to facilitate its use. Training and manuals for using the software were also developed. These tools aid designers and engineers in organizing and tracking design information which should, in turn, help them to recognize and satisfy design basis requirements. I The DBR Program included a Vendor Technical Manual Review and Upgrade Project. This integrated program included processing over 10,000 vendor documents which resulted in the review and approval of over 7,000 vendor technical manuals for both safety and nonsafety-related equipment. Part of this effort was to develop an Equipment to Vendor Technical Manual cross-reference.
Open Items were generated during the DBR Program as a result of walkdowns and the development of SDBDs and DCDs. During the conduct of DBR walkdowns, open items were generated when the installed equipment and/or configuration of the system was inconsistent with the controlled design documentation.
An Open Item was defined as:
~ An inconsistency between documents, databases, and drawings reviewed, or
~ Missing or incomplete design basis information, or
~ DBR commitments to be resolved during the preparation of the Design Basis Summary Document, or
~ Interfaces between Design Basis Summary Documents that cannot be confirmed due to the completion status of the interfacing documents.
Discrepancies between the as-installed configuration and the design documentation were classified as observations. Observations,,which are a subset of Open Items, were assessed for technical significance and assigned a classification of:
~ Routine Maintenance Item
~ Non-Technically Significant Discrepancy (NTSD) 44 .
~ Potential Technically Significant Discrepancy (PTSD)
Observations classified as PTSD were presented to the Senior Engineering Review Team (SERT) which consisted of Engineers from the various disciplines assigned responsibility for evaluation and disposition of observations (i.e., mechanical, electrical, structural). The SERT discipline engineer would provide guidance to the Evaluation Engineer to evaluate the impact of the discrepancy on equipment, system safety function, etc. As appropriate, the observations would be brought to the attention of the full SERT membership to obtain a broader perspective of the issue. In addition, discrepancies which were evaluated to be Technically Significant Deficiencies (TSDs) were reviewed by the entire SERT Team and representatives from DBR, licensing, and operations.
The Open Items classified as Observations were dispositioned in accordance with DBR guidelines, The Observations were assessed for technical significance. A DER was prepared for TSDs and they were reviewed for operability and reportability.
Open Items were closed/resolved by correcting equipment/components through routine maintenance, performing evaluations to accept as is, issuing Design Change Requests (DCRs) to rework installed components, or reconstitution of design bases, etc. As a result of the DBR program, a total of 6009 Open Items were originated as of June 1, 1994, and at the conclusion of DBR, 5083 Open Items were closed. Remaining Open Items were evaluated and determined not to require additional action, with the understanding that as a system requires a modification, enhancement, or for other reasons, the missing information, analysis, etc., will be investigated, collected or pursued. Those items that involve a discrepancy with the UFSAR are being resolved by the corrective action program.
As previously discussed, system walkdowns were performed as part of our DBR effort. These walkdowns, performed for 19 of the 21 systems for which SDBDs were developed, were conducted to verify that the as-built configuration of the systems was consistent with design drawings and documents, including the Safety Analysis Report (SAR) description. This included obtaining name plate information for major electrical and mechanical components in the system. In addition, piping, pipe supports and containment penetration configurations were walked down.
In addition, piping/pipe supports limited scope walkdowns (i.e., for large bore piping, penetrations, etc.) were performed for five systems for which SDBDs were not developed.
These five systems are condensate transfer, main steam, reactor recirculation, reactor water cleanup and spent fuel pool filtering and cooling systems. Electrical panel walkdowns were also performed separate from the system walkdowns as well as a walkdown of RG 1.97 instrument cables.
NMP1 45
0 0
4 t
During the conduct of DBR walkdowns, Open Items were gen crated when the installed II equipment and/or configuration of the system was inconsistent with'the controlled design documentation. The review processes assured that Open Items were evaluated promptly and a determination was made regarding operability, significance and additional actions Additional information concerning the processing of Open Items is provided in our previous description of the DBR program.
In summary, the DBR Project was the major engineering sponsored activity toward the improvement of the unit performance between 1989 and mid-1994. The project resulted in several significant accomplishments, including the documentation of design basis information of important safety systems (SDBDs) and topical design criteria (DCDs). In some cases, design basis documentation was reconstituted because it was important and/or foundational information such as service water heat loads and thermal-hydraulic analysis, or emergency diesel generator electric loads and transient analysis.
During the DBR Program, improvements were made to the configuration management process as well as to the methods for researching and reconstituting design basis information.
Any potential safety concerns were reviewed by a SERT and appropriate actions taken. There were no design basis issues which concluded that any system or component was inoperable.
Except for a few instances such as selected pipe supports being overstressed and sizing of fuses, plant configuration was found to be in accordance with the design basis of the plant. In those instances of fuses and piping supports, actions have been taken to bring the discrepancies into design basis compliance for safety-related systems.
As discussed in our response to Requested Action (b), the NMPC RAP contained a number of actions to determine the adequacy of procedures and design. Additionally, the RAP conducted actions relative to equipment configuration and performance including the following:
- 1. The plant fire barriers were walked down to reconcile the '"as-installed" configuration with design base documents. Specific accountability for ensuring that the design base be kept current was also assigned via the issuance of a NEP defining fire protection engineering responsibilities.
- 2. The design bases for the station battery chargers were'pecified in a design report as a result of concerns identified with their safety classification. These were later replaced with static safety-related battery chargers.
- 3. A SSFI of the Core Spray System by the NRC resulted in several findings that were incorporated into the RAP. Several corrective actions for these findings resulted in an updating and augmentation of the Core Spray design bases information. As a result of this situation, problem reports documenting specific deficiencies in design basis documentation were reviewed and evaluated. Any deficiencies that were considered to be of safety consequence were resolved prior to startup.
46
0 k t.
In addition, a longer term commitment was made to develop and implement a DBR and Configuration Management Upgrade Program. A detailed description and status of this program was provided earlier in this response.
- 4. The design basis of the 125V DC system was evaluated following concerns identified with the ability to demonstrate operability and functional capability. Subsequently, three new batteries were installed, two safety-related and one nonsafety-related. In addition, this system was included in the DBR program.
In September 1989, NMPC issued the "Restart Readiness Report". This report provided status and assessments for the corrective actions contained in the RAP. A portion of the restart report provided an assessment of the readiness of the physical plant for restart. One of the conditions to be met for restart was that "the as-built design of the plant is known to agree with the safety design basis'as described in the FSAR". An engineering evaluation entitled, "Design Basis Justification for Nine Mile Point Restart" was performed in May 1990 to document that this condition was satisfied. The evaluation was structured to justify the adequacy of the NMP1 safety systems in support of restart to ensure the safety of subsequent operation with the understanding that design basis and configuration inadequacies would be resolved by the longer term DBR and Configuration Management Upgrade Program discussed earlier.
An evaluation of the NMP1 safety systems was initiated based on reviewing the significant topics and issues affecting both the design and operation of the NMP1 safety systems. This topic-based evaluation approach made use of the safety system related conclusions, recommendations, and actions implemented by the NMPC engineering and station programs and activities completed prior to unit restart. This approach was similar to a system-based evaluation, such as is done with a SSFI since both approaches address virtually the same topics. The primary difference in the approaches was that topics were identified on an issue basis or on a system basis. An advantage of the program review approach was that the information reviewed covered a greater period of time.
The evaluation developed the specific technical basis for applying engineering judgement to the assessment of the adequacy of the as-built design and configuration of the 13 safety systems evaluated for NMP1. These systems were selected for evaluation based on their accident control and mitigation roles.
The evaluation supported conclusions on the adequacy of NMP1 as-built design for unit restart. The key factors considered in evaluating the safety system adequacy provided by each activity were:
~ Functional adequacy
~ Structural adequacy 47
I II 1IIP
~ Configuration agreement
~ Procedure/Document Control adequacy The execution, findings and implementation status of each activity provided the technical basis for an engineering judgment in each of these areas. An overall conclusion on the adequacy of NMP1 safety systems was provided'by evaluating the completeness of the individual program evidence.
The evaluation of program and issue resolution activity as described in this report concluded that the design basis and configuration concern raised for the NMP1 safety systems had been addressed. The evaluation concluded that there was a high degree of, confidence that the thirteen key safety systems evaluated would be consistent with and perform their safety design basis functions as described in the NMP1 UFSAR and that the NMP1 safety systems were adequately as-built for unit restart.
NMPC completed a Power Ascension Program for NMP1 in 1990 to demonstrate the plant will operate consistent with the design bases. Systems which could not be fully tested during the extended refueling outage (1988-1990) were tested during the Power Ascension Program.
The Power Ascension Program was divided into three phases: 0 to 25%, 25 to 75%, and 60 to 100% power. The tests were conducted to verify the performance of individual systems, verify inter-related system performance, and overall station operation and control.
Additionally, the testing provided additional evaluation of system, station operating and surveillance procedures. These procedures were used in their normal fashion wherever possible to support power ascension testing. The program consisted of 3 administrative procedures and 13 power ascension tests. The 13 tests were determined based on' review of the following documentation: 1) NMP1 initial startup test program; 2) NMP2 startup test program; (3) modifications and outage maintenance activities; 4) industry issues for which testing could support previous evaluations; 5) other recent Boiling Water Reactor (BWR) restart power ascension test programs; and 6) transient analysis assumptions. The program test controls included SORC review of each test procedure, test result, and test exception. SORC reviewed the results of each test phase and recommended approval to move to the next test phase. The procedure for test controls provided general guidance, instructions for test interpretations, data collection, review of acceptance criteria, shift logs, turnover, and shift briefings. The Power Ascension Self-Assessment procedure assessed management effectiveness including personnel performance, during the Power Ascension Program.
Evaluations and assessments were completed by the line management, Nuclear QA Operation, the Independent Assessment Group and SORC. Assessments were based on NMPNS standards of performance, departmental performance criterion, and INPO Performance Standards.
SORC determined if the self assessments were satisfactory prior to proceeding to the next test phase for completion of the Power Ascension Program. NMPC documented the results of our overall assessment of the Power Ascension Program in a report to the NRC as required by Confirmatory Action Letter 88-17. The report concluded that the operating and support personnel have prepared themselves and are capable of continued safe operation of NMP1.
NMP1 48
le)'
The report also concluded that self assessment and other problem identification and resolutions are in place to prevent, or detect, and correct future problems.
During the period between September 23 and October 25, 1991, an NRC inspection team conducted an EDSFI at NMP1. The inspection was performed to determine if the electrical distribution system was capable of performing its intended safety functions as designed, installed, and configured. The team also assessed the licensee's engineering and technical support of electrical distribution system activities. For these purposes, the team performed plant walkdowns and technical reviews of studies, calculations, and design drawings pertaining to the electrical distribution system, and conducted interviews, of corporate and plant personnel.
Based upon the sample of design drawings, studies and calculations reviewed and equipment inspected, the team concluded that the electrical distribution system at NMP1 is capable of performing its intended functions. In addition, the team concluded that the engineering and technical support staff provide adequate support for the safe operation of the electrical distribution system at the plant. The inspection also identified two violations (one was later withdrawn), one non-cited violation, twelve unresolved items, various strengths and observations as discussed in the paragraphs below.
The team found that root cause analyses were thorough, corrective actions were taken in a timely manner, and NMPC's plant modification and design change program was adequate.
The team also found that the licensee had an effective program for controlling temporary modifications in the plant, and the procedures to operate the electrical distribution system were sufficient and would assure electrical distribution system operability under normal, abnormal, and accident conditions. Operators were found to be knowledgeable of the electrical distribution system and associated procedures.
The NRC found that NMPNS had a commendable self-assessment program that allows plant personnel to identify the problem areas, evaluate the problems, and initiate corrective actions to improve plant performance. Senior management was directly involved in this program.
Three strengths that were identified in the engineering and technical support area consisted of:
- 1) an internal systematic assessment of licensee performance (SALP) program to evaluate and improve performance; 2) a self-initiated EDSFI to identify electrical distribution system deficiencies and take corrective actions; and 3) a DER program to identify problem areas and initiate corrective actions before they become a safety concern.
The team's review of the design attributes within the scope of this inspection concluded that, with the exception of the specific findings in the report, the electrical distribution system components were adequately sized and configured, design was generally adequate, and no operability problems exist. In the area of mechanical support'systems for the electrical 49
e distribution system, the team concluded that the technical staff was knowledgeable of the mechanical systems affecting the electrical distribution system., Sufficient information was available to review and assess the operability of these mechanical systems with the exception of the lack of good documentation for pump performance curves and adequate heating ventilating air conditioning (HVAC) calculations for the electrical distribution system.
However, bounding calculations were performed and administ'rative controls implemented to assure the operability of the system.
In general, the NRC concluded that adequate controls had been implemented to maintain the electrical system configuration for all safety-related electrical distribution system components.
Our letter dated February 18, 1992, provided our response to the EDSFI, including the corrective actions taken to address the identified deficiencies to prevent recurrence.
L A SSFI was conducted during the period of September 12, 1988, through October 7, 1988.
The effort involved an assessment of the operational readiness and functionality of the HPCI mode of the Feedwater (HPCI/Feedwater) system and the Core Spray System. Particular attention was directed to the details of modifications and design control, maintenance, operation, and testing of the applicable systems. Additionally, the programs for assuring operability in these areas were reviewed to determine their effectiveness.
The inspection team concluded that design information for both the Core Spray and HPCI/Feedwater Systems was not adequately controlled nor supported by sufficiently detailed analyses. As previously discussed, many of these findings were incorporated into the RAP.
Corrective actions included updating and augmenting the Core Spray design basis information.
Any deficiencies that were considered to be of safety consequence were resolved prior to startup.
Further, the DBR program previously described resulted in improvements to design basis information and reconciliation with operating, maintenance, and testing procedures for this system.
In summary, function'al inspections are conducted to determine ifplant systems are capable of performing their intended safety functions as designed, installed, and configured, and therefore, provide a rationale that SSCs configuration and performance are consistent with the design bases.
Industry operations experience items provide the NMPNS opportunities to confirm that SSC configuration and performance is consistent with the design bases., As a minimum, NRC Bulletins, Notices, GLs, and INPO issuances such as SOERs and SERs, as well as vendor issuances are reviewed to determine applicability to the NMPNS. Nuclear Division personnel are required by procedure and trained to initiate a DER upon discovery of a deviation/event or NMPl 50
~
i 0
I ll" .
condition adverse to quality or when it is determined that an industry experience is applicable to the NMPNS. The DER process, as described in our response to Requested Action (d),
requires a disposition and corrective actions, as necessary. Some examples of operations experience items that have required NMPNS to confirm and/o'r take action to assure that SSC configuration and performance is consistent with the design bases are provided below:
GL 89-10 requested that licensees develop and implement a program to ensure that MOV switch settings are selected, set and maintained so that MOVs would operate under design basis conditions for the life of the plant. The NMP1 MOV Program Plan was developed in response to GL 89-10 to identify the scope of the program and assure proper design basis review and confirmation that safety-related MOVs could perform their design function under all design conditions. The program examines design basis requirements of all MOVs under the program and documented the results of this review under NMPC's calculation procedure'to assure future access to this information. This review encompasses such design basis documentation as applicable UFSAR sectioris, Technical Specifications, system design criteria, system descriptions, operating, and maintenance procedures.
With these design requirements firmly established and verified, each MOV is evaluated in a sizing calculation to assure sufficient actuator capability to perform designated design functions. Appropriate MOV maintenance procedures are developed to statically and dynamically test MOVs. A selected number of MOVs are tested under dynamic conditions as close to design basis differential pressure as achievable in accordance with NMP1's MOV testing grouping study. Where in-situ plant testing information is determined insufficient to validate design assumptions used in MOV sizing calculations, applicable industry data is applied to supplement NMP1 information.
As a result of these reviews and testing results, additional 'safety margin was identified as desirable for selected MOVs and resulted in several modifications to the plant design.
Modifications performed include actuator replacement, gearing changes, and spring pack changes. In summary, the efforts of GL 89-10 have provided added assurance that MOVs will operate as needed for design bases conditions. GL 89-10 testing activities are scheduled to be completed by the end of REFOUT 97 scheduled for the Spring of 1997.
Program closure, including incorporation of test. results, is scheduled for 30 days after the end of the outage.
GL 89-13 states that nuclear power plants must ensure that the Service Water System is in compliance with the minimum requirements of 10CFR50,,'Appendix A, General Design Criteria (GDC) 44, 45, and 46, and Appendix B,Section XI. Actions have been taken in response to GL 89-13 to help ensure the performance and configuration of the Service Water System are consistent with the design bases. These actions include, but are not limited to, the following: I ~
51
I r
Erosion/Corrosion Program developed for the Service Water System to identify areas most susceptible to erosion/corrosion, provide resolution to specific erosion/corrosion problems, and establish a monitoring program to detect onset of erosion/corrosion.
As part of plant power ascension in 1990, thermal performance testing and/or supporting calculations were performed for Reactor Building Closed Loop Cooling (RBCLC) and Containment Spray heat exchangers. Testing and calculations demonstrated acceptable heat exchanger performance in accordance with design basis.
~ Raw water safety-related heat exchanger maintenance (inspections and cleanings) frequencies were reviewed and revised as required. Frequencies established to minimize degradation, maintaining baseline tested heat exchanger condition.
~ RBCLC heat exchanger thermal performance testing is performed semi-annually.
Testing performed to evaluate heat exchanger condition and ensure they meet minimum thermal performance requirement.
As previously discussed, an audit of the NMP1 Service Water System w'as conducted to review system design and operation including commitments to GL 89-13. This audit concluded that the NMP1 Service Water System was sufficiently designed, operated, tested, and 'maintained to assure performance of design safety functions under postulated design basis accidents.
The purpose of GL 88-14 was to request that each licensee/applicant review NUREG-1275, Volume 2, Operating Experience Feedback Report - Air Systems Problems, and perform a design and operations verification of the IAS. In response to GL 88-14, NMPC verified and evaluated the IAS design and operation. Specific equipment and design document enhan'cements were identified and modifications performed to enhance IAS reliability and performance. Enhancements included new instrument air dryers, development of a SDBD, verification of design basis requirements for system end user components, system walkdowns, upgrading of existing documents. These activities provide assurance that IAS configuration and performance is consistent with the design basis.
GI A-30, "Adequacy of Safety-Related DC Power Supplies," is concerned with multiple and common cause failures of DC power supplies; primarily as the result of inadequate maintenance, surveillance, and failure detection. GL 91-06 requested licensees to submit plant-specific information concerning their safety-related DC power supplies to enable the NRC to determine iflicensees had adequately resolved GI A-30. GL 91-06 also gave 52
't j
licensees the option of providing certain supporting information as part of their IPE submittal instead of supplying it in response to the GL.
Following the direction given in GL 91-06, NMP1 responded that it complied with most of the design, maintenance, and testing 'attributes described in the letter. In particular, the level of redundancy, control room indication, weekly testing, performance testing, and battery system capacity were in accordance with the provisions set forth in the letter.
Exceptions were later addressed in the NMP1 IPE submittal dated July 1993. Justification was provided for 1) alternative alarm indications, and 2) performing certain testing on a 24-month cycle versus the, recommended 18-month frequency.
In conclusion, NMP1's response to GL 91-06 demonstrated that maintenance, surveillance, and monitoring provisions are appropriate to preclude multiple and common cause failures of the safety-related DC system.
N In GL 87-02, dated February 19, 1987, the Commission set forth the process for resolution of USI A-46, SQ of Equipment in Operating Plants. In GL 87-02, the NRC concluded that the seismic adequacy of certain equipment must be reviewed against seismic criteria not in use when the plants were licensed. In Supplement 1 to GL 87-02, dated May 22, 1992, the Commission required that licensees submit a commitment to the Generic Implementation Procedure'(GIP) for Seismic Verification of Nuclear Plant Equipment, Revision 2, (GIP-2), prepared by the Seismic Qualification Utility Group (SQUG). By letter dated September 18, 1992, NMP1, responded to Supplement 1 of GL 87-02. Our response included a commitment to implement GIP-2, including the clarifications, interpretations, and exceptions in Supplemental Safety Evaluation Report (SSER-2), and to communicate to the Commission any significant or programmatic deviations from the GIP guldallce. I Based on the Screening Evaluation Worksheet (SEWS) evaluations performed, the NMP1 A-46 Safe Shutdown Equipment List (SSEL) equipment meets the intent of the GIP-2 with the exception of identified outliers. Outliers not meeting the criteria identified in the SEWS were identified on DERs and operability determinations performed in accordance with Nine Mile Point (NMP) Engineering guidelines and procedures. Although deficiencies have been noted, the equipment was determined to be operable and modifications for these outliers (to comply with GIP-2) scheduled to be completed at the conclusion of RFO15. The activities of GL 87-02 have provided added assurance that plant equipment willperform their intended functions.
For NMP1, nine systems with safety-related pumps were evaluated for potential minimum flow concerns. Of the nine systems, eight were found acceptable based on evaluation NMP1 53
I f' 1
alone. For the one remaining system, core spray, a test was conducted to verify operability. The test simulated small break LOCA conditions including pump initiation sequence and maximum operating time in the minimum flow mode. The test results verified that the core spray pumps and topping pumps would be able to operate in the minimum flow mode during a small break LOCA. Additionally, to address the possibility that degradation of the pumps could affect the initial test results, and therefore, require repeated testing, NMPC installed individual recirculation lines for the pumps. The efforts in response to Bulletin 88-04 provided additional assurance through analysis and specific testing that susceptible safety-related pumps were in fact designed with adequate minimum flow protection to meet design basis requirements.
NRC USI A-44, "Station Blackout" (SBO), was concerned with the ability of a nuclear power plant to cope with a total loss of both offsite and onsite AC electrical power. The NRC resolved the issue by incorporating requirements for coping with a SBO in the Code of Federal Regulations (CFR), specifically 10CFR50.63. Assessment and implementation of the SBO requirements resulted in the following:,
I
~ Analyses were performed to demonstrate that the reactor core, primary containment, control room, and other critical'areas in the plant would not be adversely affected by an SBO duration of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
~ An emergency diesel generator reliability requirement of at least .975 or greater was shown to be satisfied.
~ Analyses were performed to insure that critical DC power supplies and associated instrumentation required for the 4-hour coping duration were available.
~ System walkdowns were performed as necessary,to validate the existence of adequate lighting, that equipment was physically located as determined from configuration documents and that plant equipment could be physically controlled in the manner assumed by the procedures.
These efforts have provided assurance of NMP1's ability to cope with a SBO. Self-audits have confirmed that this design basis change has been adequately implemented thereby demonstrating the proper implementation of the design controls described in response to Requested Action (a), Additionally, as with any change made to the facility, activities such as walkdowns and reanalysis provide the opportunity to potentially identify existing discrepancies. For these reasons, the activities associated with SBO help provide assurance that system, structure and component configuration and performance are consistent with the design bases.
54
(
A historical analysis was completed of the DER data system. Specifically, a search was done to determine the number of design and configuration control issues which have been identified.
Since 1991, over 1400 DERs have been initiated which had a causal factor code "Design and Configuration Analysis." These included 519 DERs for NMP1, 922 DERs for NMP2, and 21 DERs which were common to both plants. The number of DERs relating to design and configuration control issues has increased in more recent years. The specific results are as follows:
DERs 1991 1992 1993 1994 1995 1996 Unit 1 15 50 84 204 155 Unit 2 9 12 79 205 341 276 Common 10 TOTAL 20 28 131 294 548 441 As a measure of significance of the over 1400 issues identified, we determined the number of LERs identified as a result of these issues. In the same time period, 8 of the DERs for NMP1 were reported on LERs and 10 for NMP2. The details by year are as follows:
LERs 1991 1992 1993 1994 1995 1996 Unit 1 Unit 2 TOTAL 0'f the over 1400 DERs initiated since 1991, 19 were initiated as a result ofNRC identified issues.
The details by year and unit are as follows:
DERs 1991 1992 1993 1994 1995 1996 Unit 1 0 Unit 2 TOTAL 0 In summary, the above data indicates that NMPC is routinely identifying issues associated with the Nine Mile Point Design and Configuration Control processes and programs. The fact that the number of issues has increased since 1991 does not mean that design and configuration control is more deficient, but that our ability to identify issues is improving. Also, because very few of these issues resulted in reportable events, the safety significance of most issues is small. These results 55
P 1
r (
support our belief that the overall design bases for both units are sound and are under constant scrutiny and increased questioning to ensure that discrepancies, regardless of signi6cance, are promptly identified~and resolved.
NMP1 56
4 c p
Describe the processes for identification of problems and implementation of corrective actions, including actions to determine the extent of problems, actions to prevent recurrence, and reporting to the NRC.
NMPC utilizes the DER as the administrative tool for documenting, evaluating (including reportability to the NRC), determining cause, and determining corrective and preventive actions for problems that are identified at the NMPNS. Problem identification results from a wide range of sources, which include in-house events, testing and inspection activities, observations, audit and surveillance activities, self-assessments, and outside and evaluation activities. The DER is also used as the tracking tool for Operations agencies'nspections Experience issues. The text that follows describes in detail the NMPNS's process for problem identification and ultimate resolution, the cornerstone of which is the DER, and associated administrative procedures that ensure effective implementation of the process.
An NDD establishes the requirements for the identification, documentation, notification, evaluation, correction, and reporting of deviations/events or conditions adverse to quality that may impact the safe and reliable operation of the NMPNS or personnel safety, with the exception of certain Safeguards information. This NDD directs each Nuclear Division employee, as part of his/her normal duties, to be alert for and to promptly identify events and nonconforming items, including hardware failures. A continuous assessment of operating and industry experience for impact on safe operation is performed and a formal program for reviewing industry experience established. As a minimum, NRC Bulletins, Notices, GLs, and INFO issuances such as SOERs and SERs, as well as vendor issuances are reviewed to determine applicability to the NMPNS. Nuclear Division personnel are directed to initiate a DER upon discovery of a deviation/event or condition adverse to quality or when it is determined that an industry issuance is applicable to the NMPNS. The determination of reportability and operability is then performed as necessary, the DER dispositioned, and appropriate corrective and preventive actions taken.
A NIP prescribes the method for processing DERs for the identification, documentation, notification, evaluation, correction, and reporting of conditions, events, activities, and concerns that have the potential for affecting the safe and reliable operation of the NMPNS.
This interfacing procedure applies to conditions having an adverse or potentially adverse effect on activities important to nuclear safety, industrial safety, plant reliability, or human performance, including but not limited to the following:
57
0 1
~ I
'4 f'$ <
0
~ hardware failures other than normal wear and tear;
~ hardware or component malfunctions resulting from design or manufacturing deviations or defects;
~ out-of-calibration measuring and test equipment known to have adversely or potentially adversely affected other plant equipment; I
~ non-compliances having nuclear safety significance;
~ adverse personnel performance such as failure to follow procedures or violations of personnel safety rules or practices;
~ radiation protection deviations;
~ preventive maintenance activities not completed before late date or deferral date;
~ recurring corrective maintenance/ hardware failures;
~ human performance problems/issues;
~ inadequate corrective actions or test failures;
~ deviations from design document requirements (other than normal wear and tear) including station configuration discrepancies;
~ conditions adverse to fire protection such as failures, malfunctions, deficiencies, deviations, defective components, uncontrolled combustible material, and nonconformances.
1 Also applicable are deficiencies, concerns, or issues resulting from regulatory agencies, industry and internal operating experience, inspections, observations or publications, reportable events to the NRC and other regulatory agencies, issues resulting from self-assessment, and issues that do not meet the above criteria but, in the opinion of management, warrant evaluation.
A DER requires a concise summary of the event or deviation, the component number, if applicable, the identifying organization and a description of any immediate actions taken to place the plant in a stable condition or to minimize personnel and equipment safety hazards.
The DER initiator then must hand-deliver the DER to his or her Supervisor. Ifthe deviation/event could have an impact on plant equipment, is potentially reportable, or is security related, the DER is hand delivered to the SSS/Assistant Station Shift Supervisor (ASSS) for reportability and operability determinations.
NMP1 58
0 I,
$ S
An operations administrative procedure establishes a method for determining the operability of SSCs. This operations administrative procedure was specifically developed to provide guidance to Operations personnel as necessary when making operability assessments of SSCs that have been identified on DERs or Work Orders as being in a degraded or nonconforming condition. Included in this procedure is an Equipment Operability Determination Checklist which documents the decision affirming the capability of a system/component to perform its specified function as required by the Technical Specifications or the FSAR. Guidance provided in the procedure indicates that a SSC is either operable or inoperable at all times.
Operability determinations are required to be performed promptly (in most cases within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />), with a timeliness that is commensurate with the potential safety significance of the issue. For SSCs in Technical Specifications, the SSS/ASSS uses the time limit contained in the specific Limiting Condition for Operation (LCO) action statement as guidance to determine safety significance. Engineering may be requested to support an operability determination.
An Engineering Supporting Analysis must be completed within 5 days of notification or as directed by the plant manager based on the significance of the deviation. In order to declare an SSC operable while the engineering review is being performed, operations personnel must have reasonable assurance, based on the best information available, that the SSC is capable of performing its design function if called upon. In the absence of reasonable assurance, or if mounting evidence suggests the final analysis will conclude the SSC cannot perform its specified function, the SSC is declared inoperable and the appropriate actions implemented.
When Engineering is preparing an Engineering Support Analysis, the individual must consider the following: calculations, test results and other documentation which define the SSC design basis; the potential adverse affects on safety and Technical Specification impact; the length of time the condition has been and willremain in effect; for each equipment function adversely impacted, the impact on related system functions; for each system function adversely impacted, the impact on any equipment or systems supported by the impacted system functions. The Engineering Support Analysis must be of sufficient depth to provide a logical and defensible basis for operability conclusions and to determine whether a 10CFR50.59 safety evaluation is required to support any operability decisions.
Guidance to determine if a deviation/event is reportable to the NRC is provided by a NIP.
The NIP provides a summary of the required NRC notifications and reports and the responsible organizations.
Following reportability/operability determination activities, the DER is delivered to the Plant Manager's office by the end of the operating shift. The plant manager, based on the significance of the deviation, assigns a category to the DER for dispositioning. The disposition to the DER requires that a Root Cause Evaluation be performed and documented in the DER ifthe threshold guidelines for performing a formal root cause are met. A formal root cause is performed for all Category 1 (highest significance category) DERs and in the event of any of the following:
NMPI 59
j II, ~
~
l'
~V%
~ a severe or unusual plant transient;
~ safety system malfunction or improper operation;
~ major equipment damage;
~ other events involving nuclear safety or plant reliability;
~ fuel handling or storage event;
~ excessive radiation exposure or severe personnel injury;
~ excessive discharge of radioactivity;
~ or a deficiency in design, analysis, operations, maintenance, testing, procedures or training that could cause a significant event as described above.
The DER procedure requires that personnel performing root'cause analysis be qualified in the techniques of root cause analysis. Apparent cause determinations are used when a formal root cause evaluation is not required. Apparent or root causes are validated for potentially significant DERs by ensuring a deviation/event would not have occurred had the cause not been present, that the deviation/event will not recur due to the same causal factor(s) if the cause is corrected or eliminated, and that correction or elimination of the cause willprevent recurrenc'e of similar conditions. The condition is assigned, a Deviation Event Trend Code for tracking purposes. A disposition to the DER is then generated which includes corrective actions and for potentially significant DERs, preventive actions to prevent recurrence.
References to current and approved design documents, procedures, instructions for repairs, retest/inspection requirements, acceptance criteria, supporting sketches and documentation are included as appropriate, If the DER is for an industry issuance, the potential impact on equipment documents such as vendor manuals and vendor design documents is identified. The procedure governing the DER process requires that ifa DER is a nonconformance and not corrected, the nonconformance willbe assessed for impact on the Updated Final Safety Analysis Report (UFSAR). Ifa nonconformance results in a deviation from the UFSAR, the plant manager is notified and the nonconformance must be reconciled within six months of the deviation (or earlier as determined by the plant manager). The disposition will implement the following as appropriate: 1) restore the nonconformance to compliance with the UFSAR, or 2) change the UFSAR per the NIP governing applicability reviews and safety evaluations, or 3) if it is not possible to correct the nonconformance within six months (such as ifa plant outage is required), provide an Engineering Support Analysis that supports operation with the nonconformance for the period of time required. A nonconformance is defined as a deficiency in characteristic, documentation, or procedure that renders the quality of an item unacceptable or indeterminate. DER dispositions must be approved by the appropriate Branch Manager, and ifrequired, by the SORC and the plant manager. DERs are not closed until required 60
1 ~
P
~ ~ ~ ~
disposition actions, have been completed and identified deficiencies have been corrected. Final
~
closure requires a Branch Manager signature; XxcQRlg Trend information is generated by the QA department using the Trend Codes portion of the DER database. Reports are submitted to the Branch Managers on a quarterly basis. Branch Managers are expected to investigate and evaluate trends identified, to assess their strengths and weaknesses, and to determine, what types of corrective actions have been effective and where they need to improve performance in their branch.
A NIP provides the administrative controls for communication of "lessons learned" information throughout the Nuclear Division. A Lessons Learned Transmittal is used when it is necessary to communicate appropriate actions that should be encouraged or inappropriate actions that must be prevented from recurring. Lessons Learned Transmittals contain a description of the event, cause of event, and lessons learned and typically result from dispositioning DERs.
An NDD governing safety reviews establishes the requirements for the development and execution of a program for the planned, systematic review of the operation of NMPNS and to assign responsibility for implementing those requirements. Safety Review Organizations include the SORC and the SRAB. The responsibilities for each of these groups is delineated in the plant Technical Specifications.
The SORC functions to advise the plant manager on all matters related to nuclear safety. The SORC is responsible for the investigation of violations of the Technical Specifications, including the preparation and forwarding of reports covering evaluation and recommendations to prevent recurrence, to the Vice-President and General Manager-Nuclear, and to the SRAB.
The SORC is also responsible for the review of all reportable events, review of unit operations to detect potential hazards to nuclear safety, performance of special reviews, investigations, or analyses and reports as requested by the Plant Manager or the SRAB.
A NIP provides the administrative controls and conduct of the SRAB to ensure that the Executive Vice President-Generation Business Group and Chief Nuclear Officer is advised on matters of nuclear safety. Currently, the SRAB is composed of a Chairman and 12 members including four non-NMPC members. The SRAB provides an'independent review and audit of designated activities in the areas of plant operations, nuclear engineering, chemistry and NMP1 61
na t '(>> ~ '
radiochemistry, metallurgy, instrumentation and control, radiological safety, mechanical and electrical engineering and QA. The SRAB reviews significant operating abnormalities or deviations from normal and expected performance of plant equipment that affect nuclear safety, all reportable events, recognized indications of an unanticipated deficiency in some aspect of design or operation of structures, systems or components that could affect nuclear safety, and reports and meeting minutes of the SORC. Audits of unit activities that occur under the cognizance of the SRAB encompass, but are not limited to, the conformance of unit operations to provisions contained within the Technical Specifications and applicable license conditions, the results of actions taken to correct deficiencies occurring in unit equipment, structures, systems or methods of operation that affect nuclear safety and the performance of activities required by the Operational QA Program to meet the criteria of 10CFR50 Appendix B.
The QA Department reviews NMPNS's adherence to engineering design and configuration control procedures and programs. The three groups which specifically do this are audits, inspection, and Quality Verification and Safety Assessment (QVSA). The Audit Group performs audits which meet the requirements of Technical Specifications, UFSAR/USAR Appendix B and Appendix B to 10CFR Part 50. Audits are scheduled and planned based on a matrix prepared to reflect the license basis and internal requirements. In some cases audits are performed for the SRAB. Audit planning considers results from previous audits, surveillances and inspections and takes into account DERs, trends, internal and external performance information, NRC and INPO performance criteria and reports, and applicable directives and procedures. Audits are performed in accordance with the approved plans. The DER process is used to document any deviations and nonconformances identified during audit or surveillance activities. QA reviews the disposition of audit initiated DERs and follows up on their closure in subsequent surveillances and audits. Audit results are communicated to appropriate management through exit meetings and audit reports. The Inspection Group performs examinations, in process, and final inspections in accordance with codes, standards, regulations or as specified by Nuclear Engineering acceptance criteria. This group independently confirms that critical characteristics identified by Engineering meet acceptance criteria. Other inspections and examinations may be performed on selected operations where it is deemed necessary to verify conformance to specified requirements. The DER process is used to document nonconformances.
The QA Surveillance Program is performed by the QVSA Group., Surveillance topics are scheduled based on input from other organizations, previous surveillance results, current activities, projects and program changes, DERs and regulatory commitments, upcoming audit topics and audit results. Surveillances review performance in several ways. These include process monitoring which evaluates a selection of'ongoing work activities to determine effectiveness and conformance to requirements, product review which reviews selected operations, maintenance, engineering and support group work outputs to evaluate quality and technical content, and component configuration review which evaluates the continuing design control of selected plant hardware by reviewing current configuration against the design basis NMP1 62
v r and subsequent design changes and replacements. The DER process is used to document any deviations and nonconformances. Also, the effectiveness of the Operations Experience program (screening and implementation) is periodically reviewed during QVSA surveillances and QA audits.
Several organizations, including INPO, ANI, and ANII, provide third party reviews for the NMPNS. NMPC personnel are responsible for interfacing with these organizations and documenting their. findings on DERs as discussed above. INPO evaluations currently review the NMPNS using INPO Criteria 90-015, "Performance Objectives and Criteria for Operation and Near-term Operating License Plants." ANIIevaluations review the plants'esign conformance and maintenance of ASME Section XI. An ANIIInspector is assigned full time to NMPNS. This inspector verifies that, as needed, the required ASME examinations, system hydrostatic testing, and repairs are performed and documented correctly. Findings are documented and resolved using the DER process. ANI evaluations are done to determine insurance premiums. The NMPNS adherence to codes and design criteria are specifically reviewed. The evaluations are broken into two parts, Fire Protection and Pressure System (Boiler and Machinery). Findings from the ANI evaluations are documented and resolved using the DER process. The ANI reviews the resolution of all of its findings and evaluates them to determine if they were acceptable for closure.
A NIP establishes the self-assessment program to, achieve higher standards of quality and performance. Each nuclear division branch manager ensures that at least two branch self-assessments are performed anhually. At least one self-assessment normally involves an assessment of the corrective action program to determine if adverse conditions and common causes receive appropriate management attention, and that causes from previous self-assessment findings were addressed and actions taken were effective. Areas to be considered when developing self-assessment schedules include activities that exhibit negative trends based on information from the DER database. The assessor ensures a DER is generated for self-assessment findings that meet the DER initiation criteria. Further, branch managers meet with the Senior Management Team to review the results of their findings. The results, methods, and planned corrective actions are discussed with the Senior Management Team to assure the adequacy of the assessments and resultant corrective actions.
Surveillance testing and plant examinations as required by the Technical Specifications and the ASME Code are an additional means of verifying equipment is capable of performing its intended function and identifying problems. Surveillance testing and examinations are discussed in our response to Requested Action (c).
NMP1 63
I f
jltl I 1
Senior management has stated that they support the workers'ight to raise safety issues and that those workers who raise safety concerns will not be subjected to harassment, intimidation, or discrimination. Senior management recognizes that the preferred vehicle for most employees for identification and resolution of concerns is through the normal line organization.
Senior management provides support to line supervision in addressing concerns raised through the normal line organization. Notwithstanding resolution of problems in the normal line organization, senior management also provides for and supports a confidential employee concerns program to address concerns raised by workers. A NIP governing the Q1P provides the administrative controls for the confidential reporting of concerns and subsequent evaluation and corrective action. This procedure applies to NMPC employees and contractors having safety, quality, and nonsafety-related concerns.
In addition to the reporting activities controlled through the DER process, NMPC maintains a positive and professional working relationship with NRC personnel through forthright communication of identified problems and the actions taken to thoroughly evaluate and correct such deficiencies.
NDDs and NIPs establish a primary interface with the NRC through the Licensing Branch with certain additions. Training, Emergency Preparedness and Security have direct NRC interfaces. Further, the Plant Managers are designated to have the primary interface with the NRC Resident Inspector(s). Each organization or position has defined responsibilities to manage their respective interfaces for various forms of communication. First, formal interfaces include on-site inspections or investigations, technical or management meetings, and telephone conferences in response to requests for information 'on any issue. Secondly, informal communications are initiated to provide pertinent information to the Resident Inspector or the Nuclear Reactor Regulation (NRR) Project Manager concerning situations that would not otherwise require reporting. In addition, as part of their overall management responsibilities, the Plant Managers routinely meet with the Resident Inspection Staff to keep them apprised on the status of plant operations and developments on specific issues, including the resolution of identified deficiencies. Other senior managers do the same periodically for issues in their respective functional areas.
The Licensing staff routinely assists and advises the Plant Managers with respect to their site NRC interface, and maintains a normal interface with the NRR Project Manager on licensing matters requiring Staff involvement. Typically,'his includes license amendment applications, GL and Bulletin response reviews, and resolution of a variety of technical issues. In addition, Licensing regularly advises each NMPC department, on license bases issues to assure that problem identification and corrective/preventive action specification are consistent with that bases, the regulations and NMPC commitments.
I Pl
)
The procedures also assure written communications, including incoming and outgoing correspondence, meeting minutes, and reports, are appropriately distributed, reviewed, and addressed. In addition, procedures provide for outgoing correspondence to receive a thorough management review prior to submittal to ensure its accuracy. NMPC maintains a process for tracking docketed commitments contained in such correspondence (both incoming and outgoing) to assure they are completed in a timely manner (i.e., NCTS). While the NCTS system focuses on docketed commitments, the DER system tracks the completion of other associated actions.
Station personnel have received training on the DER procedur'e and as procedure revisions are made, follow-up training is conducted within the individual departments. Station personnel also receive appropriate reportability training related to their specific job function (e.g.,
Operation receives 10CFR50.72, 50.73 training). Various station personnel have attended formal Human Performance Evaluation System (HPES) root cause training and similar training (e.g., barrier analysis, etc.) and are'capable of performing a root cause determination. The DER procedure currently requires that the appropriate Branch Manager ensure a Root Cause Evaluation is performed, when required, and that the individual assigned is knowledgeable in the techniques of Root Cause Analysis. SORC and SRAB members receive safety evaluator training and attend Qualified Applicability Reviewer Safety Evaluator (QARSE) requalification training. QARSE training is extensive with the initial training session lasting three days and continued training lasting four hours every two years. Approximately, 400 NMPNS employees are trained (as QARSE) including members of each operating shift.
NMP1 65,
N l4lw Describe the overall effectiveness of your current processes and programs in concluding that the configuration of your plant is consistent with the design bases.
Based upon the information presented in our responses to Requested Actions (a), (b), (c), and (d), NMPC has evidence that reasonable assurance exists that design bases requirements are being translated into the appropriate procedures; that SSCs configuration and performance are consistent with their design bases; and that an effective administrative tool for documenting, evaluating, determining cause and appropriate corrective and preventive actions exists at NMPNS (i.e., the DER system).
As discussed in our response to Requested Action (c), NMP1 was built prior to establishment of QA Criteria of 10CFR50 Appendix B and other more formal controls. However, appropriate and extensive actions have been taken since initial operation that assure that SSCs configuration and performance are consistent with design bases.
Surveillance testing programs have been in place throughout NMP1's operating life and are formalized by procedures. Such tests provide a primary basis to assure that performance of systems meet design bases requirements. Additionally, post-maintenance and modification testing is routinely performed to assure that design bases requirements continue to be met following maintenance and modification activities. Pressure retaining components are also routinely tested through ISI and testing programs as applicable. In addition to confirming that SSCs meet acceptance requirements, these testing programs provide a mechanism to identify deficiencies (using the DER process) and to trend equipment performance.
Several initiatives have been taken or are in place to confirm that the physical configuration of the plant is consistent with design bases. As part of the DBR program, a number of system walkdowns were performed for selected safety significant systems. These included verification activities relating to major electrical and mechanical components and sy'stems as well as piping/pipe support and penetration walkdowns.
NMP1 was in an extended outage from 1987 through 1990. As part of this extended regulatory outage, NMP1 prepared a RAP and Restart Readiness Report which included a number of actions to confirm design adequacy prior to restart. In 1990, a Power Ascension Program was completed for NMP1. Tests were conducted at various power levels to verify the performance of individual systems as well as inter-related system performance and overall station operation and control.
The testing also provided a basis for additional evaluation of station operating and surveillance test procedures. SSFIs have been conducted to determine ifselected plant systems are capable of performing their intended function. Industry operations experience is also routinely applied to further and more specifically evaluate NMP1's conformance and performance against design bases.
NMP1 66
4 I
These activities, coupled with our corrective action program, assure routine problem identification and evaluation of as-built conditions and test results. This provides additional assurance that current performance and configuration are consistent with the design bases.
As discussed in our response to Requested Action (b), administrative procedures establish requirements for the preparation, review, and approval of technical procedures. Technical procedures implement requirements for the operation, maintenance and testing described in the Operating License, Technical Specifications and UFSAR. During the development, review and approval of operating, maintenance, and testing procedures, a review of design documents was conducted. This review encompassed design drawings, Design Specifications, Technical Specifications, and the FSAR. Following the development of operating, maintenance and test procedures, technical accuracy of the procedures was maintained through program controls for procedure revision and periodic review. These programs have been continually strengthened over time, NMPC has utilized knowledgeable and appropriately qualified individuals to develop, review, approve, and revise procedures. Program requirements have been in place for years and have been enhanced, over time, to improve the effectiveness of the development, review and approval process. The training program and other administrative requirements assure that personnel assigned to perform these functions are competent to perform those tasks. This assures that NMPC can effectively implement program requirements associated with the development, review, approval and revision of administrative and technical procedures.
Also discussed in our response to Requested Action (b) were some of the assessments and initiatives used to provide assurance that design basis requirements are translated into procedures. This includes the SVP, UFSAR Verification Program, RAP, QA audits, and Operations Experience items.
As discussed in the response to Requested Action (a), extensive programs and controls are utilized at NMPNS to assure that design basis information is accurately maintained and updated as conditions warrant. Procedures are updated to reflect changes in design, corrective actions (identified by the corrective action program), industry. operating experience, and changes to source requirements.
In addition, NMPC has conducted "Back-to-Basics" training for NMPNS personnel. "Back-to-Basics I" provided training on licensing basis documents and operation within the licensing basis. Also discussed was the expectation that ifwork cannot be performed within the control of a procedure, the work should be stopped and a resolution obtained before work continues.
"Back-to-Basics II" was conducted to assist organizations in understanding how Back-to-Basics relates to their specific jobs. This training included a description of our licensing basis and discussions of 10CFR50.59 and 50.92, commitments made to;operational experience items, RGs, industry standards, and the process for changing commitments. Also, a definition of operability with an emphasis on post accident function, reportability, and how various activities interact with the design basis was included. The effectiveness of this training and the resulting increased awareness by plant personnel to design basis issues can be seen in the lower 67
I l5fs>
threshold at which configuration and design control issues are being reported via the DER system. A discussion of design basis deficiency trends is included in our response to Requested Action (c). Also, the majority of plant engineering, maintenance support, and others in management and technical positions are trained on 10CFR50.59 and qualified as Applicability Reviewers/Safety Evaluators and have to complete a requalification every two years.
The effectiveness of our current processes and programs which assure that the plant configuration is consistent with the design basis are assessed on an ongoing basis. These assessments, which include testing activities, functional inspections, compliance verification projects, audits and surveillances, and line management self-assessments, provide an overall indication that NMP1 is operated within its design bases and that our processes and programs are effective. NMP1 s UFSAR Verification effort, which is scheduled for completion by the end of 1998, willprovide an ongoing assessment of design basis related inadequacies. Also, NMPC has reinforced the importance of maintaining consistency with our design basis through "Back-to-Basics" training as well as 10CFR50.59 training. On the basis of our programs and processes and assessment activity, NMPC has reasonable assurance that the configuration of NMP1 is consistent with its design basis.
NMP1 68
ENCLOSURE I DESIGN CONFIGURATION DOCUMENTS LIST 1.0 DESIGN INPUT DOCUMENTS "Design Input Statements - Generated and/or approved by Nuclear Engineering 2.0 DESIGN OUTPUT DOCUMENTS DATABASES
~ ~
- 2. 1 Drawings - Generated and/or approved by Nuclear Engineering 2.2 " Specifications - Generated and/or approved by Nuclear Engineering. .The scope and .content of these specifications vary by topic as follows:
2.2. 1 Installation 2.2.2 Design 2.2.3 Fabrication 2.2.4 Procurement 2.2.5 . Inspection .and Testing 2.2.6 Configuration Control t I - ~ ~
2.3 Change Paper Engineering generated and/or approved changes to Engsn'eering documents or d'atabas'es
.2.4 Databases needed to maintain plant configuration, such as:
Master Equipment List (MEL) - Data fields maintained and/or approved by Nuclear Engineering
~ Cable Configuration and Tracking Systems
~ Validated Master Parts Lists 2.5 System Design Basis Documents (SDBDs) - Generated and/or approved by Nuclear Eng>neering 2.6 Setpoint Data Sheets Approved by Nuclear Engineering 2 .7 Programs and Plans - Approved by Nuclear Engineering and that specify lant configuration details, such as Erosion/Corrosion, Appendix J esting, etc.
3.0 DES G OC DOCUM NTS DATABASES Calculations - Approved or accepted by Nuclear Engineering Controlled Document System (CDS) 4.0 OTHER DESIGN-RE AT D DOCUMENTS Vendor Documents - Engineering accepted 69
ENCLOSURE 2 DESIGN INPUT CONSIDERATIONS Each discipline or program area shall consider the following as a minimum used in the development of design input. Discipline Design Input criteria may be in conjunction with the considerations and are the responsibility of the discipline/program to maintain and use.
Design bases, including available System Design Basis Documents (SDBDs)
.and Design Criteria Documents (DCDs)
Regulatory requirements Codes and Standards, including issue, rev.
Basic system, structure or component (SSC)
Functions Performance requirements Design Conditions Loads Operating Experience reviews and assessments, such as DER trending, NRC SOERs, INPO NPRDS and others Anticipated Environmental conditions (internal and external to the plant) during: ~
Normal Plant Operation
~ Anticipated Tran'sients
~ 'ccidents
~ Special Evolutions Functional and physical interfaces of SSCs Material Requirements, compatibility, coatings, etc.
Mechanical requirements Structural requirements, including seismic/dynamic qualification Hydraulic requirements Chemistry requirements I Electrical requirements, including process computer requirements Layout and arrangement requirements Instrumentation and Control requirements Access and Administration control requirements Redundancy, diversity, separation requirements Failure Modes and Effects Analysis (FMEA)
Test requirements; pre-operational and periodic Accessibility, maintenance, repair, inservice requirements Personnel qualification requirements for operation, maintenance, testing .
Transportation requirements Fire protection requirements
,Handling, storage, cleaning requirements Other requirements to prevent undue risk to public Materials, processes, parts, equipment suitability Personnel safety requirements, electrical, radiation, heat, confined space; etc.
Ouality and quality assurance requirements 70
ENCLOSURE 3 DESIGN'CHANGE 'OPERABILITY ACCEPTANCE Design Change Control Number 1.0 - Initiation 1.1 Title 0 Partially Accepted Review epproved.
1.2 The following final Sefety Eveluetions/Applicebility Review for this design chenge ere SORC/Technicel SE/AR Numbers: Revision:
1.3 The following WOs have been completed
- 1. WO
- 2. WO 4. WO 6. WO 6. WO 10. WO 12. WO 2.0 - System Engineer 2.1 0 The tests listed on the Design Change Test Record have been completed, reviewed, and approved. 0 Not Applicable 2.2 The following procedures were revised by this design change. 0 Not Applicable Number Title
.3 0 Required training is completed or in progress. 0 Not Applicable 2.4 Completed By Date 3.0 - Modification Coordinator 3.1 The following Technical Specification was revised by this design change. 0 Not Applicable Section Title 3.2 0 Risk Basis design change documents have received final Engineering approval. 0 Not Applicable 3.3 0 Control Room Critical Drawings have been updated to reflect installed condition. 0 Not Applicable 3.4 Comments 3.5 Completed By Date 4.0 - Acceptance for Operation Manager/General Supervisor Operations or designee Date 71
ENCLOSURE 4
' "-"DESIGN'CHANGE CLOSEOUT Design Change Control Number 1.0 - In'ation 1.1 Title 1.2 Major Order No. Account Code 1.3 Remarks 1.4 Operability Acceptance Date Required Completion Date 1.5 Modification Coordinator Date 2.0 Closeout Activit)es ISign when activity is complete and return to Modification Coordinator)
Action Completed By Date No. Department Closeout Activity N/A(I) 2.1 Modification Coordinator Site Document Log Closed 2.2 Plant Accounting Property-In-Service Rept. Completed & M.O. Closed 2.3 Stores Major Order Overstock Dispositioned 2.4 Technical Support NPRDS Coordinator Informed 2.5 ISI-Installer ISI Req Satisfied/INIS-2) 2.6 ISI/IST Nuc. Engineering ISI/IST Program Revised IST-Tech Support/Ops IST Req Satisfied/Procedures Revised 2.8 Operations All Operations Proc/STs Revised/Markup Database Revised/PM ST 2.9 Training Reviewed for incorporation into Training Program 2.10 Training Simulator Evaluated 2.11 QA QA Files Closed 2.12 Project Engineer Final Design/Safety Evaluation Reviewed 2.13 ALARA ALARA Review S-AIP-2, Job Reviews Complete 2.14 Mechanical Maintenance All Procedures Revised/PMs Required/PMST Revised 2.15 Electrical Maintenance All Procedures Revised/PMs Required/PMST Revised 2.16 Instrument & Control All Procedures Revised/PMs Required/PMST Revised 2.17 Fire Protection All Procedures Revised/PMs Required/PMST Revised 2.18 Modification Coordinator Other Required Procedure Changes Completed 2.19 System Engineering Post< perability Acceptance Testing Completed 2.20 Technical Support Changes evaluated against maintenance rule requirements 2.21 Mechanical Design P&ID's updated for significant changes (Unit 1 only) 2.22 Radwaste Operators All Radwaste Operations procedures revised and markup database revised/PMST 3.0 Closeo t Com 'letion 3.1 Closeout Activities Complete: Modification Coordinator Date
.2 Database Updated and Records sent to Permanent File Date 72
ENCLOSURE 5 0Y NAGARA MOHAWK NUCLEAR ENGINEERING D VARIANC RISK DDC C I A field variance, MHILE MORK IS IN PROGRESS, to approved design documents or change documents may be issued on a "risk basis" if the following criteria is satisfied.
The requested field variance shall NOT:
A. Extend the scope of a design or configuration change.
I B. Alter the intent (purpose as described in the applicability review or safety evaluation) of a design change or plant procedure.
C. Affect the Design Input/Impact Assessment.
D. Alter the acceptance criteria beyond the range defined in the controlling design or plant documentation.
E. Alter the function of equipment from that defined in the controlling design or plant documentation.
F. Be irreversible.
73
ine i e oint nit
Provide a description of engineering design and configuration control processes, including those that implement 10CFR50.59, 10CFR50.71(e), and Appendix B to 10CFR Part 50.
The text that follows in response to Requested Action (a) of the 50.54(fj letter provides a description of how the design and configuration control process is managed, controlled, and implemented at Nine Mile Point Nuclear Station (NhPNS). In addition, details are provided to show that procedures exist for ensuring that engineering design and configuration changes affecting the Updated Final Safety Analysis Report (UFSAR) are evaluated in accordance with the criteria of 10CFR50.59 and incorporated into the UFSAR in accordance with the requirements of 10CFR50.71(e). Also detailed are the quality program elements that assure that any work involving safety-related structures, systems, or components meets the design and configuration control requirements of Appendix B of the NMPNS UFSAR in accordance with our commitment to Appendix B to 10CFR50.
NMPNS personnel perform work in accordance with procedures that have been developed and, in recent years, significantly improved, to meet the regulatory requirements established to operate and maintain the plant in accordance with our license. These procedures are periodically reviewed and undergo revision, as appropriate. The management and the stafF of NMPNS have significantly improved their awareness of the licensing and design basis documents in recent years.
Back-to-Basics training programs have been established which have emphasized the importance of license-based thinking. Our corrective action program focuses attention on the correction and prevention of mistakes resulting from a failure to fully understand or adhere to the requirements of our procedures.
The approach for assuring that procedures exist to control engineering work such that the plant design and configuration control conforms with the Nine Mile Point Unit 2 (NMP2) licensing basis follows.
The Niagara Mohawk Power Corporation (NMPC) Nuclear Division Policy and Directives Manual sets forth the overall program for controlling the operation, maintenance, and modification of the NMPNS to assure compliance with applicable regulatory requirements, license conditions, and NMPC commitments. The total program consists of the Nuclear Division Policy, the Nuclear Division Directives (NDDs), and lower tier documents (administrative and implementing procedures) developed to implement the applicable requirements. The hierarchy of Policy, Directives, and administrative and implementing procedures is shown on Figure 1 in our response to Requested Action (b).
The NDDs are the vehicle by which management communicates requirements for performing and controlling activities to those responsible for preparing Nuclear Division, departmental, and branch procedures. The NDDs identify applicable regulatory requirements and associated Quality Assurance (QA) program commitments that must be incorporated into implementing procedures. Each activity addressed in an NDD identifies the specific requirements and organizational responsibilities concerning that activity.
Nuclear Interface Procedures (NIPs) are prepared to implement NDDs. NIPs govern activities involving interfaces between organizational departments and for those activities performed by more than one Nuclear Division department where a common methodology is desired.
Department and branch level administrative procedures are prepared to define the organization, assign responsibilities within the organization, and prescribe methods for accomplishing those activities or portions of activities addressed in NDDs or NIPs. Engineering design and configuration control activities're primarily implemented in conformance with Nuclear Engineering Procedures (NEPs) and applicable Generation Administrative Procedures (GAPs).
Technical implementing procedures are step-by-step procedures prepared to prescribe methods for accomplishing those activities or portions of activities as outlined in the respective NDD, NIP, or department administrative procedure to be conducted within the individual branch.
The hierarchy described above is maintained for the engineering design and configuration control program. The NDD on Design Control establishes the requirements for the NMPNS design control program and assigns the responsibility for implementing those requirements.
The Design Control Directive applies to design activities associated with safety-related or quality-related structures, systems, and components (SSCs). The design control requirements included in this directive are specified in the NMPC Quality Assurance Topical Report (NMPC-QATR-1), the Technical Specifications administrative control section and the NDDs governing nuclear computer systems. Activities subject to design control are categorized as one or more of the following: engineering evaluation or analysis, design change, configuration change, temporary modification, or plant condition monitoring program.
A separate NDD establishes the requirements and responsibilities for configuration management, including requirements to identify and update selected controlled documents and databases to assure that the NMPNS is operated, modified, and maintained in conformance with the approved design and current licensing basis. This function is accomplished by controlling changes to essential plant SSCs and associated procedures, programs, and databases so that they are maintained consistent with approved design output documents, Information or data about plant configuration that is necessary for efficient and correct design, operation, and maintenance of essential plant systems is subjected to configuration controls.
The following discussion describes current methods for controlling engineering design and plant configuration, including design changes, configuration changes, design document changes (DDCs), procedure changes, temporary modifications, program changes, plant
'r maintenance, and the evaluation of various sources of information for possible impact to the design basis.
Typical of nuclear plants throughout the industry, the NMPNS is committed to a system of design and configuration controls based on the requirements of Appendix B to 10CFR Part 50, as well as other regulations and industry standards. This system includes not only controls, but also feedback loops (testing, evaluation) that result in an ongoing comparison of actual configuration with the design basis. Successful implementation of the design and configuration control system assures that the NMPNS is operated, tested, and maintain'ed within its design basis throughout its life.
The discussion that follows is organized into four broad areas of activities. The first area includes those activities affecting the physical plant. The second area includes those activities affecting configuration documents/data. The third area includes activities associated with specific 10CFR50 requirements. The fourth area includes common programs applicable to the other activities. Each of these areas is further organized into detailed activities as follows.
- 1. Activities Affecting Changes to the Physical Plant:
1A. Design Change 1B. Configuration Change 1C. Temporary Modification 1D. Setpoint Change 1E. Maintenance and Surveillance
- 2. Activities Affecting Changes to Configuration Documents/Data:
2A. Procedure Changes 2B. Design Document Changes (DDCs) 2C. Program Changes 2D. Changes to Training 2E. Evaluations/Analyses 2F. Database Changes 2G. Vendor Manual Changes
I II ~
2H. Supplier Document Acceptance 2I. Changes to Licensing Documents/New Regulatory Commitments 2J. External Sources of Change
- 3. Activities Associated with Specific 10CFR50 Requirements:
3A. 10CFR50.59 Safety Evaluation Process 3B. 10CFR50.71(e) 3C. QA Program/10CFR50 Appendix B
- 4. Common Programs:
4A. Problem Identification Processes 4B. Training When physical plant changes are requested, they are evaluated in accordance with a NIP to determine whether design controls should be applied to the change. Increasing levels of control are applied to plant changes commensurate with the safety significance of the change as per Appendix B to 10CFR50.
Changes to the physical plant are accomplished using one of the following processes: design change, configuration change, or temporary modification. Each of these processes is described below. Setpoint changes, maintenance, and surveillance activities are also discussed because they represent processes that assure, or confirm continuing, reliable system operation and, as such, must be controlled to remain consistent with design basis parameters.
1A. Design Change The design change process is a controlled process that is applied when design configuration documents and/or databases (as listed in Enclosure 1 to this Attachment) are affected, and the proposed change affects the function of safety-related or quality-related SSCs or their reliability, expected life, local environment, or failure modes. Additionally, the design change process is applied to changes involving interfaces with safety-related or quality-related SSCs.
The process may also be used for other situations at the discretion of Engineering or plant management when stringent controls are desirable.
When a plant change has been evaluated and approved for implementation, it is entered into the Plant Change Request (PCR) database. Ifit is to be treated as a design change, it is given NMP2
J' a design change number. In the initial stages of a design change, the responsible engineer or designer uses a design impact checklist to determine the potential impact of the change, possible issues to be considered, and the kinds of design input required. Based on the checklist review, input is requested from discipline experts, program administrators, and affected groups. The design input procedure requires that those providing input consider a comprehensive list of topics. These primarily emphasize the design basis requirements, functionality and performance requirements, and other requirements related to maintaining the integrity of the design (Enclosure 2 to this Attachment). Specifically, the design input procedure requires that design input such as design bases, performance requirements, regulatory requirements, and codes and standards, are identified, documented, and the selection reviewed and approved by the design organization. Also, references must be sufficiently specific to allow traceability. This provides the initial link between the proposed change, thedesignbases, and thelicensingbasis. Thedesignchangeissubsequently developed on the basis of these inputs. As later described, these inputs are verified in accordance with procedures and the design is subjected to further comparison with the licensing basis at other stages of the design process.
Concurrently, the configuration management processes are also initiated. The Master Equipment List (MEL) and the Controlled Document System (CDS) are searched for potentially affected documents, for other pending work or work-in-progress that could affect the design, and for confirmation of equipment/document current status. The MEL may also be used as a confirmatory source of information for many of the items in the design impact checklist because it lists various equipment requirements and characteristics, including safety class. A variety of other information may also be available, including whether Equipment Qualification (EQ), Seismic Qualification (SQ), Inservice Inspection (ISI) and Nuclear Plant Reliability Data System (NPRDS) considerations apply to the components.
The next phase of the design change process is the developmental phase. Intermediate products, such as evaluations and analyses, stress reports, and calculations, are prepared.
These activities are performed using controlled procedures and result in controlled products that cannot be changed without re-invoking the original level of review and approval. New design output documents or changes to design outputs, such as revisions to drawings, vendor technical manuals, acceptance criteria, setpoint data sheets, design basis documents/design criteria, and specifications, are developed. Changes may either be in the form of DDCs that are posted against the affected document or by full revision of the document. Pending changes to configuration databases are also identified and processed. Changes to licensing documents, including the UFSAR and Technical Specifications, are developed in accordance with controlled procedures. System Engineers in the Technical Support Department are requested by the responsible engineer to notify procedure owners of required changes to procedures, and to coordinate required training. Finally, any guidance necessary to support installation and testing is developed in coordination with the installing organization.
Upon completion of these steps, the design package is sufficiently complete from a technical point of view to allow final review prior to issuance. Design outputs are approved, but not released for implementation until the reviews required in the final design phase are complete.
p During the final design phase, the responsible engineer/designer reviews the package to assure that the design objective is met, that no open technical issues exist, and that appropriate design impacts have been satisfactorily addressed. Any individual who provided design input may request final design review to confirm that the design input was correctly implemented in the final design change package.
The next step is independent design verification by a qualified individual per the engineering design verification procedure. This activity provides an independent review to assure that appropriate design criteria, quality criteria, and design bases have been correctly identified, and to assure that the design output meets the specified design inputs and the overall design objective.
Ifnot done previously, an applicability review and safety evaluation are completed as described later under the 10CFR50.59 safety evaluation process.
After verification (and resolution of any concerns), the design change is ready for final review and approval. These reviews include:
~ Review and approval by a qualified engineering approver; Review by a Qualified Technical Reviewer per Technical Specification 6.5.2.3;
~ Cross-disciplinary reviews, ifrequired by the Qualified Technical Reviewer per Technical Specification 6.5.2.4; and
~ Review and approval by the Plant Manager or Manager Technical Support per Technical Specification 6.5.2.3.
Completion of the design, review, and approval activities is documented on a Design Change Control form. This form serves as a flag to either prevent or allow issuance of design output documents to the field for installation, as described below.
Design output documents are issued and released per the document control interface procedure.
They are entered into the CDS as documents that are approved but not yet Operations Accepted (i.e., they do not yet represent installed configuration). They are then distributed to a standard distribution that includes the Modification Coordinator in the Technical Support department. The Modification Coordinator serves as the coordination point for plant design changes and it is through the Modification Coordinator that design output documents are transmitted to the field for installation. When the Modification Coordinator receives design output documents (e.g., revised drawings, DDCs, etc.), the document(s) is retained until a copy of the associated Design Change Control form is received. This prevents premature or inadvertent issuance of design output documents that have not been fully reviewed and approved for installation; i.e., approved at both the document level and at the design change level.
NMP2
Work Orders are written by the responsible engineer, Modification Coordinator, or maintenance planner using the electronic work control (EWC) system. These Work Orders and their associated design output documents are cross-referenced in the PCR database under the associated design change number, so that when the Work Orders associated with the design change are completed, the Modification Coordinator can notify involved parties that Operations Acceptance (turnover to Operations) is possible. Upon completion of the Work Orders associated with a design change, the Modification Coordinator confirms that the applicability review number and safety evaluation number (if applicable) are listed in the design package (as a check to verify completion of the applicability review and safety evaluation if applicable), and notifies the System Engineer to verify completion of any procedure changes, testing, and training required to place the system in service. Plant Support Engineering is notified to "redline" critical drawings so that plant operators will have current and accurate drawings in the Control Room when the new design change is Operations Accepted. The Modification Coordinator also verifies that all required risk-released documents have been resolved prior to Operations Acceptance (see below for an explanation of the risk-release process). Nonconformances identified during the process are documented on Deviation/Event Reports (DER), evaluated, and resolved.
When these actions are complete, they are documented on a Design Change Operability Acceptance form. The signature of the Manager/General Supervisor Operations (or designee) conveys Operations acceptance of the design change (Enclosure 3 to this Attachment).
Operations acceptance is required prior to relying on the SSC to perform its function. A Design Change Closeout Form (Enclosure 4 to this Attachment) is initiated to ensure that activities associated with the design change are verified and documented as complete.
The Modification Coordinator then enters the Operations Acceptance date into the PCR database to indicate that the design change has been accepted and is now current plant configuration. This information is shared with the CDS database to status the associated design documents as Operations Accepted. The MEL database is automatically updated to move the pending MEL changes from the "pending" file to the "active" file with a status of "C" which designates that it reflects current configuration.
At closeout, the responsible engineer forwards the Design Change Control form, and any other required records that were not previously released through the CDS, to the permanent plant file. The documents used to track the design change through installation to Operations Acceptance; e.g., logs, Operations Acceptance form, Design Change Closeout form, and PCRs are forwarded to the permanent plant file by the Modification Coordinator. These actions ensure that permanent records of the design change, from initiation to closeout, are if available for the balance of plant life for further review or audit, needed.
There are two variants of the design change process; 1) risk-release of design changes; and 2) partial operations acceptance of design changes. Risk-release is defined in our engineering procedures as a process by which an organization formally recognizes and approves the financial risk of beginning an implementation or installation prior to full approval of the final design. Risk-release does not involve a risk to personnel safety or nuclear safety. Usually,
design output documents are issued only after appropriate aspects of the design development, review, and approval are complete. Under certain circumstances, it is necessary to release certain design outputs on a "risk basis" to allow pre-staging, pre-fabrication, pre-installation, partial installation, and to allow for field variances to work in progress. However, because these circumstances involve financial risk, the risk-release process is used sparingly.
Activities such as pre-staging, pre-fabrication, and pre-installation/partial installation may be initiated and processed using the risk-release process. First, the responsible engineer must prepare a documented justification of why the design or partial design must be released prior to being fully approved. The activity must be reversible within a time frame consistent with the activity to support operating requirements. Ifthe responsible Engineering supervisor approves the risk-release, it is submitted to the Plant Manager for approval. In accordance with the safety evaluation procedure, which prohibits any change to the plant (temporary or permanent) without an appropriate review, any risk-released work must have been properly evaluated for plant safety impact and compared with the design and licensing bases prior to implementation.
After Plant Manager approval, the responsible engineer makes limited distribution of the required design documents, which are statused as "risk" in the configuration databases. Until this "risk" status is resolved, the design change cannot be Operations Accepted, (i.e., turned over to Operations) or relied upon to provide its function. When the risk is resolved, the design change process continues normally through Operations Acceptance and closeout.
Risk-release of field variances may be authorized by a responsible engineer to allow minor changes to work in progress (e,g., correcting interferences). In these cases, the installer requests Engineering to review the situation and the requested field variance for initial feasibility. If the field variance satisfies the procedural criteria (listed in Enclosure 5 to this Attachment), the engineer may initiate a risk-release DDC to allow the work to continue without interruption. The risk DDC is given limited distribution by the responsible engineer.
One copy goes to the installer to continue work; one copy to the Modification Coordinator to enter the risk DDC into the design change document log for subsequent tracking and resolution prior to Operations Acceptance; one copy to Document Control for entry into CDS with a "Risk" status; and the original to Engineering for completion of all reviews and approvals in accordance with the requirements of the normal design change process. If the Engineering review and approval process uncovers problems with the risk DDC, the work is stopped and reversed, or otherwise corrected. When the risk DDC is fully approved per Engineering procedures, it is issued through Document Control to its standard distribution. The document status is changed from "risk" to "approved". Once the Modification Coordinator receives and distributes the fully approved DDC, the work is completed or confirmed complete in accordance with the fully approved DDC. The design change can then be Operations Accepted and closed out following the normal design change process.
The other variant to the normal design change process is the option of partial Operations Acceptance. This option may be used when the design change affects multiple components or trains that may be safely put back into service before every component or "train" has been modified. An example of how p'artial Operations Acceptance could be used is the process of implementing a change that affects many identical components across a variety of applications NMP2
p "I p
or systems. In this case, the design documents and associated safety evaluation would be written to cover many specific applications of a single type of component (e.g., pipe snubbers). The Modification Coordinator would then be able to track and obtain Operations Acceptance of the design change at the component level rather than having to wait until all affected components in the design change were Operations Accepted. As in the normal design change process, the databases are updated at the time of partial Operations Acceptance to show that the design change has been completed for component X for example (but not Y and Z),
and the component is ready to go back into service. The requirements for partial Operations Acceptance are similar to full Operations Acceptance, that is, the safety review process must be complete; associated Work Orders, including those for testing, must be complete; applicable procedures must be revised; required training completed or in progress; risk-released documents must be fully approved and the risk resolved; and the Control Room critical drawings accurately updated to show the portion of the change that is being partially Operations Accepted.
Fuel replacement, because of its unique requirements, is controlled by a set of procedures that includes NEPs and Fuels Group Engineering Design Standards (OT-EDS) that meet 10CFR50 Appendix B requirements. Key design inputs are solicited, reviewed, and approved as part of the design process. The preliminary fuel bundle design is provided by an NMPC-qualified vendor. Design iterations occur between the fuel vendor and NMPC. Analyses and calculations supporting the core design are performed and verified by NMPC using controlled procedures. The final core design is verified independently by the vendor under their NMPC-qualified QA program. Calculations and analyses supporting licensing requirements for transients and loss-of-coolant accidents (LOCA) are performed to determine fuel operating limits for the new core design. The vendor submits a final report to NMPC documenting the verification of the design, compliance to design requirements, analysis results, and new operational limits. NMPC accepts the design by technical review and performs a 10CFR50.59 safety evaluation as described later in this section. Licensing document changes are performed in accordance with controlled procedures. The final review and approval, issuance, installation, and acceptance follow a process similar to the design change process.
In summary, the design change process (including risk-release and partial Operations Acceptance, and fuel replacement) is a controlled process which requires review and comparison of the proposed change to the design basis of the plant. The primary barrier of defense against deviations from the licensing basis is the 10CFR50.59 process that is required for each plant change. The design impact assessment and design input process require the responsible engineer and, as necessary, other discipline experts, program administrators, and other affected groups to describe or reference appropriate design requirements and constraints to assure compliance with the plant design basis. Additionally, configuration databases provide confirmatory sources of design basis information. An independent verifier reviews the design for consistency with design inputs, including design basis requirements. Finally, a variety of configuration controls, including administrative procedures and databases, are in place to assure that information necessary to support the change is accurate and is put in place concurrent with the change (e.g., revisions to procedures, drawings, training, and databases).
This assures that design basis and licensing basis requirements cascade down through the
4 system and result in proper operation, maintenance, and testing of the plant as licensed by the Nuclear Regulatory Commission (NRC).
1B. Configuration Change The configuration change process is used for activities including plant changes that affect design documents or databases (Enclosure 1 to this Attachment), and: 1) do not affect the functions of safety-related or quality-related SSCs; 2) do not adversely affect the reliability, expected life, local environment, or failure modes of safety-related or quality-related SSCs; 3) do not involve interfaces with safety-related or quality-related SSCs and; 4) do not change the intent or effectiveness of programs required by regulation. This process is primarily intended for nonsafety-related changes having no safety impact and no interfaces with safety-related systems. However, it may also be used for safety-related equivalerit replacements such as like-for-like component replacements.
1 The first step in the configuration change process is to confirm that the proposed change either satisfies or does not affect the current design and licensing basis. This step is in addition to the 10CFR50.59 review that will eventually also be performed; however, it assures that the responsible engineer will compare the proposed change with the UFSAR, Technical Specifications, and other licensing documents and regulations as early in the process as possible. The procedure also requires that if the engineer determines that safety-related or quality-related functions described in the current design and licensing basis are affected, the design change process must be used instead of the configuration change process. Like the design change process, a configuration change requires assessment of potential impacts using the design impact checklist and the identification of potentially affected documents and databases.
At this point, output documents such as drawings, drawing revisions, DDCs, specifications, and vendor manual revisions are processed and pending changes to databases are developed.
Changes to license documents are processed per the interface procedure governing control of licenses, UFSARs, and NRC approved plans and programs.
Ifthe change involves safety-related or quality related SSCs, an equivalency evaluation is documented for th'e permanent plant file showing why'the change has no effect on the design bases. If equivalency cannot be justified, the change is processed as a design change. Like any other plant change, configuration changes are evaluated per 10CFR50.59.
At this point, the configuration change is ready for final review by the Engineering approver.
Unlike a design change, independent verification and Plant Manager approval are not necessary. However, similar to a design change, the completion and approval of a configuration change is documented on a Configuration'Change Control form. Processing from this point forward is similar to the processing of a design change. Outputs are distributed through Document Control to the Modification Coordinator who, upon receipt of an approved Configuration Change Control form, issues the change to the field and, upon completion, presents it to Operations for review and acceptance. The same configuration controls that 10
applied to the design change process are invoked by the configuration change process at Operations Acceptance, including automatic database updates, verification of procedures and training, and "redlining" of critical drawings.
In summary, although the configuration change process is aimed primarily at changes that do not affect the design basis of the plant, there are numerous controls in place to prevent these changes from compromising the plant operating, maintenance, and test requirements, and the design documents upon which they are based.
1C. Temporary Modification Temporary modifications are controlled per a GAP. This GAP applies to temporary modifications to site installations, facilities, structures, and inservice systems and components therein, as described in the UFSAR. Like configuration and design changes, temporary modifications must be screened to determine whether design controls apply and if 10CFR50.59 applies. Because of the hierarchical structure of the procedures, the interfacing procedures governing design control and 10CFR50.59 reviews are always invoked for plant changes that could impact the licensing basis, including temporary modifications, As a result, temporary modifications receive the same review as permanent changes regarding conformance with design and licensing basis requirements.
Temporary modifications are coordinated by the System Engineers in the Technical Support Branch. Design changes are processed per engineering procedures described previously. A temporary modification control form is used to control the installation and removal of the temporary modification. Associated 10CFR50.59 safety evaluations are developed and reviewed as described later in the response. Temporary modifications that affect nuclear safety are reviewed by a Qualified Technical Reviewer and approved by the Plant Manager or Manager Technical Support.
Prior to authorizing implementation of a temporary modification, the Station Shift Supervisor (SSS) reviews the associated applicability review/safety evaluation and Work Order to ensure compliance with the Technical Specifications. At this point in the process, the temporary modification may be installed per applicable work/design documents with the permission of the operating shift leadership (SSS and Chief Shift Operator). Temporary modifications are tagged and tested as required by procedure. They are verified as having been installed in accordance with applicable work/design documents and Control Room critical drawings are redlined as part of implementation. The SSS reviews the completed temporary modification package to determine the operability status of the affected system(s).
Clearance of temporary modifications is the reverse of the above except that 10CFR50.59 reviews are not necessary unless the equipment is being returned to a state other than the original design. In that case, the activity would go through the screening processes again and be re-evaluated per procedure. Clearance involves independent verification, confirmation of completion of procedure revisions, testing, and as necessary training and determination of simulator impact. If design documents or databases were affected, Engineering is notified so 11
~~y J ~
that the original configuration can be restored. Control Room critical drawings are updated to the original configuration, ifpreviously affected. The SSS reviews cleared temporary modification packages to determine the operability of the affected system(s).
1 In summary, the temporary modification process is a controlled process that assures the integrity of the license and design bases by invoking the reviews of the license basis required by 10CFR50.59, and by applying configuration controls that assure that the plant, associated procedures, training, and testing conform to the design basis of the plant. These checks are applied both during installation and clearance of temporary modifications, assuring that the changes from, and the restoration to, the original condition are verified as complete and correct. I 1D. Setpoint Change NMPNS maintains setpoint control through the hierarchy of design control and configuration management procedures. Changes to setpoints are performed and controlled in accordance with NEPs including those associated with "Design Change," "Configuration Change,"
"Design Document Change," "Design Input," and "Calculations." A design input statement is required for setpoint changes that are defined as a design change and provides the input and basis for the change. In addition, each setpoint change requires an applicability review to be performed in accordance with the NIP for Applicability Reviews and Safety Evaluations.
NMP2 is committed to compliance with the Regulatory Position (Paragraph C) of Regulatory Guide (RG) 1. 105, Instrument Setpoints. The process is outlined in an Engineering Design Standard. This document also provides the criteria for establishing an instrument setpoint.
Setpoint requirements for plant instruments, both safety-related and nonsafety-related, are defined in controlled documents and are maintained via the document control process, Changes to setpoints are considered plant changes and are managed by the engineering change process via the appropriate NIPs and NEPs, A setpoint change may be a configuration change, a design change, or a temporary modification.
I 1E. Maintenance and Surveillance Maintenance and surveillance activities, whether corrective maintenance, preventive maintenance (PM) or testing, are based on, or are consistent with, approved design documentation, Technical Specifications, or regulatory source documents. Recurring activities such as PM or sur veillance testing are addressed by controlled procedures. Corrective maintenance may be performed utilizing procedural guidance, or may be performed using design documents directly as part of a Work Order. Drawings, vendor manuals, specifications, setpoint data sheets, DDCs, and other approved Engineering documents are often referenced in the Maintenance Work Orders so that they can be used to accurately return the SSC to its as-designed state.
NMP2 12
)h
~
4 I
2.
The preceding text covered how changes to the physical plant are made, including the processes used to compare the change to the design bases to assure continued compliance, and the revision of affected documents/databases to reflect the change. In this section, the discussion will cover situations where a change to documents or databases, rather than a change to the physical plant, is the initiator, and how that change is compared to the licensing basis and design bases for compliance and, if necessary, is incorporated into the plant configuration. These change processes include: 1) Procedure Ch'anges; 2) DDCs; 3) Program Changes; 4) Changes to Training; 5) Evaluations/Analyses; 6) Database Changes; 7) Vendor Manual Changes; 8) Supplier Document Acceptance; 9) Changes to Licensing Documents/New Commitments; and 10) Other External Sources of Change. These processes may impact the way the NMPNS is operated, tested, maintained and modified; therefore, they are discussed in detail as follows.
2A. Procedure Changes The procedure change process used at NMPNS includes controlled requirements for development, required reviews,'approvals, and configuration control. The process generally conforms with the requirements and recommendations of American National Standards Institute (ANSI)/ANS-3.2-1976 as endorsed by RG 1.33, Revision 2, and Section 5.3 of ANSI/ANS-3.2-1982, and has been expanded and refined beyond the basic requirements to incorporate operating experience and lessons learned. Key support programs and guidance documents have been established to enhance program efficiency and facilitate timely incorporation of changes. The process consists of four distinct elements: 1) development; 2) developmental reviews; 3) final review; and 4) approval. The details of the process differ slightly for administrative procedures and technical procedures (e.g., changes to administrative procedures do not require a technical verification unless the procedures are required by Technical Specification 6.8 or otherwise affect nuclear safety), however, the basic elements are employed for both types of procedures.
The development phase requires assignment of an individual knowledgeable in the area covered by the procedure. To assist in the development proces's, NMPC has developed a Procedure Writers Manual which provides extensive guidance on the structure, content, and human factors principles to be used in preparing procedures. The Procedures Writers Manual is used to ensure consistency throughout the roughly 3,500 procedures maintained at NMPNS.
For technical procedures, the revision process requires that procedure preparers research and use controlled reference documents including, but not limited to, engineering specifications, drawings, vendor manuals, and Technical Specifications. The use of controlled documents ensures that information used to prepare procedures reflects current design configuration.
Developmental reviews are conducted to the extent required by the procedure. Cross-disciplinary reviews may be conducted when a procedure involves areas of specific expertise that are outside the group that prep'ared,the procedure, or when another group is required to 13
s P f
II perform activities within the procedure. For technical procedures, a validation review is normally performed (contingent upon complexity, potential consequences, and expected environment including reducing radiation to as low as reasonably achievable (ALARA))by the end users to ensure the procedure is workable and contains a sufficient level of detail for the intended users.
The final review phase is known as technical verification. As previously discussed, changes to administrative procedures do not require a technical verification unless the procedure is required by Technical Specification 6.8 or otherwise affects nuclear safety. Technical review, as required by Technical Specification 6.5.2.1, is performed by an individual other than the individual who prepared the procedure. The final review is permitted only after developmental reviews have been completed. The verification involves a review of the procedure and reference documents used to develop the procedure to independently verify the accuracy. This review may only be performed by qualified individuals previously designated by the Plant Manager. These qualified reviewers, as defined by Technical Specification 6.5.2.4, are members of the station supervisory staff and they are qualified in areas specific to their expertise (such as Operations, Maintenance, or Radiation Protection).
Following final review each technical procedure and Technical Specification related administrative procedure is reviewed for applicability under 10CFR50.59 as described later under the 10CFR50.59 safety evaluation process.
In the approval phase, the responsible procedure owner and the responsible approver (e.g.,
Branch Manager, etc,) provide approval and ensure that required reviews by qualified personnel have been accomplished. The approval p'rocess also includes requirements to assure that pending changes have been appropriately addressed, that the Technical Specification classification (a determination as to whether or not a procedure is required by Technical Specification 6.8 or otherwise affects nuclear safety) is appropriate, that any changes made during review have not invalidated previous reviews, and that any required implementation training has been arranged.
In summary, the procedure revision process provides controls to ensure that procedures are prepared to reflect current configuration, that adequate review is performed by appropriately qualified personnel to independently verify accuracy, and that appropriate approvals are obtained.
2B. Design Document Changes (DDCs)
DDCs, even wheri not associated with a physical change to the plant, are processed under either the design change or the configuration change process as previously discussed. There are two other means of document changes that involve engineering enhancements and editorial changes.
The first means, engineering enhancement, is a term used for the correction of a verified error.
The engineering enhancement process has traditionally been used to correct drawing errors. In NMP2 14
$ I If gal)II' j
effect, it is a revision to a drawing performed in accordance with the applicable procedure, but separate from the configuration change process. Per the Engineering procedure governing drawing control, an applicability review is performed to assure that the applicability of 10CFR50.59 is considered; i.e., whether the change could affect the licensing basis. The drawing revision is checked and'approved just like any other revision, and then issued to its standard distribution so that all holders will be provided with the "enhanced" drawing.
The second means, editorial changes, are minor changes that do not affect the technical content or intended purpose of the document. Examples are spelling, typographical, and grammatical errors.'ecause they are inconsequential, they are usually not initiated independently. Most commonly, these errors are identified when the document is being revised for some other purpose such as a design change. They are usually processed and controlled as part of the associated design or configuration change. Ifan editorial change was'ade independently of any other process, it would be done as a revision in accordance with the controlled procedure for that type of design document. If the change potentially affected the UFSAR, Technical Specifications, or NRC approved programs, such as nomenclature changes, it would be processed per the procedure for initiating licensing document changes.
2C. Program Changes Program changes to NRC-approved programs must be processed per the procedures that govern applicability reviews, safety evaluations, licenses, UFSARs, and NRC-approved plans andprograms. Additionaladministrativecontrois mayalsobeapplied. Forexample, thereis an engineering procedure for plant condition monitoring p'rograms which invokes program responsibilities, and requires reviews for continuing compliance and effectiveness. A description of how regulatory requirements are reflected in the NMPC procedure hierarchy is described in our response to Requested Action (b) under "Administrative Procedure Update Program." Changes to programs that are not NRC approved but are required by regulation, such as the Maintenance Rule Program required by 10CFR50.65, are also controlled by administrative procedures.
2D. Changes to Training Changes to training associated with design or configuration changes are addressed by requiring the Modification Coordinator to notify the Training Department. Requests for changes to training or training programs that are part of the license basis are processed as described later in response to Requested Action (a) under "Training."
2E. Evaluations/Analyses Specific recurring evaluations like safety evaluations,'reach permit evaluations, evaluations of temporary shielding, and seismic evaluations are addressed by controlled administrative procedures. Other evaluations that potentially affect design functions are directed to the Engineering Department and processed per a controlled Engineering procedure. This procedure requires that any evaluation or analysis performed to define the design basis for a NMP2 15
I E
design change or to establish a design basis be processed in a manner that assures that proper technical input, impact assessments, design reviews, and verifications are obtained.
Independent verification is required when the evaluation or analysis willresult in a change to the design or licensing basis. Examples of when verification may be required include:
I Evaluations done in response to regulatory requirements; Analysis done in support of a design change or that is likely to result in a design change;
~ Evaluations or analysis supporting changes to NRC approved programs; and
~ Analysis/Evaluation of safety-related or quality-related activities.
As previously discussed, the controlled Engineering procedure for independent verification requires that appropriate design criteria, quality criteria, and design bases be reviewed to assure that they have been correctly identified and incorporated.
2F. Database Changes I
Configuration database changes are accomplished per controlled procedures. Primarily, these changes result from design or configuration changes; however, some are initiated independently as Engineering enhancements or editorial changes. Regardless of the reason for initiation, each proposed change to configuration data is reviewed for completeness and accuracy before entry, as well as being checked for the accuracy of the data entry itself.
Changes to computer hardware and software are also controlled by administrative procedures.
Verification and validation (V & V) processes are applied to assure that software programs operate as intended and do not result in erroneous displays of information.
2G. Vendor Manual Changes NMPC maintains a vendor interface program that provides for annual contact with our Nuclear Steam Supply System (NSSS) supplier and bi-annual contacts with vendors for other selected key safety-related equipment. These vendors are contacted to request the latest technical manuals, service bulletins, notices, advisories, letters, and operation, maintenance, and repair procedures for the selected equipment.
Additionally, the vendor interface program provides for the maintenance of an index of applicable technical documents and a log of vendor contacts and correspondence. Periodically, the list of vendors to be contacted is updated based on responses received and Engineering reviews of the lists of key safety-related equipment. Follow-up contacts are made with non-responsive vendors to ensure that a good faith effort was made to obtain the necessary equipment information.
NMP2 16
I Vendor manual changes may then be initiated by receipt of new information from the vendor, or by NMPC to accommodate preferred practices, materials, or other considerations.
Revisions of both kinds are addressed in an engineering procedure governing vendor technical manuals.
Vendor initiated changes are forwarded to the Vendor Document Coordinator for logging and tracking. The change is then forwarded to an assigned responsible engineer who reviews it for applicability to the NMPNS. Ifappropriate, the responsible engineer obtains multi-disciplinary reviews. Ifthe manual is associated with equipment or activities that are safety-related, quality-related, EQ related, or Technical Specification related, at least one other knowledgeable reviewer must review the change. Nonconformances between the NMPC-accepted vendor product and the proposed change are documented in a DER. When review comments and nonconformances have been resolved with the reviewers and the vendor, the revised manual is approved and distributed.
NMPC-initiated changes to vendor manuals are processed in the same way, except as follows:
A DDC may be posted-against the manual instead of revising and redistributing the entire manual. Invoking the DDC process involves design impact assessment, checking, and approval.
~ To support the PM Optimization Program, vendor recommended PM methods and frequencies may be changed without revising the vendor manual based on Maintenance, Operations, Technical Support, and Engineering review and concurrence.
Additionally, the review must be documented and filed in the Maintenance Department and revised PM method or frequency identified on a component level in the Preventive Maintenance Surveillance Testing (PMST) database.
'H.
Supplier Document Acceptance Supplier documents, other than Vendor Technical Manualsare processed in accordance with the controlled procedure for the specific document type. The process of supplier document acceptance is similar to other types of design documents and includes:,1) preparation, checking, verification, review, and approval, controlled either by the vendor's (NMPC approved) QA program or by NMPC procedures and 2) formal acceptance by NMPC based on a detailed review of technical content, certificate of compliance, or surveillance of work in progress.
I 2I. Changes to Licensing Documents/New Regulatory Commitments Changes to licensing documents/new regulatory commitments are processed per the interface procedure governing control of licenses, UFSARs, and NRC-approved plans and programs.
New commitments are processed per the interface procedure that governs NRC interfaces and tracked via the Nuclear Commitment Tracking System (NCTS). In both cases, proposed changes must be reviewed for impact on the design configuration and processed appropriately 17
~
I p
as a design change, configuration change, a program change or a controlled evaluation/analysis. As previously discussed, any change to the design bases invokes the requirement for reviews in accordance with 10CFR50.59, including a review of potential impact on Technical Specification required procedures. 'he above controls assure that when new regulatory or license changes are implemented, they are propeily reflected in the plant, the design basis, the affected programs, and procedures.,
2J. External Sources of Change External sources of change derived from deficiencies, concerns, or issues identified by regulatory agencies, industry operating experience, vendor information notices (INs), or external publications are processed per the DER process. As discussed in our response to Requested Action (d), DERs often result in referral to other processes such as design change, procedure change, and evaluation/analysis for corrective and preventive action. Use of the DER process ensures that evaluation, disp'osition, resolution and trending of the issue will occur.
3.
3A. 10CFR50.59 Safety Evaluation Process An NDD regarding safety evaluations establishes the requirements for assessing proposed changes, tests, or experiments to determine ifadditional analysis, evaluation, or NRC approval is required before implementation. This directive applies to proposed ch'anges to NMPNS facilities (permanent or temporary), proposed revisions or changes to procedures, and proposed tests or experiments. A qualified evaluator determines whether 10CFR50.59 applies to the proposed change, test or experiment by determining ifit involves a change to the facility or procedures as described in the UFSAR, a test or experiment not described in the UFSAR, and whether the activity affects nuclear safety in a way not'previously evaluated in the UFSAR or requires a change to a Technical Specification. This determination is documented as part of the applicability review.. When the applicability review determination identifies that the requirements of 10CFR50.59 are applicable, a 10CFR50.59 safety evaluation is then if performed to determine an unreviewed safety question (USQ) exists. The preparer must also obtain the review of his/her Branch Manager, signifying a sufficient cross-disciplinary review has been performed. The Manager Technical Support may specify additional technical review and may waive Station Operations Review Committee (SORC) review if it is determined that a proposed change does not affect nuclear safety. Prior to implementation, safety evaluations for changes that affect nuclear safety are reviewed by the SORC. SORC renders a determination, in writing, as to whether or not the safety evaluation constitutes a USQ. Ifthe proposed change, test or experiment involves a USQ, it will not be implemented without prior NRC approval. The Safety Review and Audit Board (SRAB) reviews safety evaluations to verify that actions completed under the provisions of 10CFR50.59 did not constitute a USQ.
A NIP governing applicability reviews and safety evaluations provides administrative controls for the review of changes, tests, and experiments. These reviews assess impact to Operating 18
0 t
I
~
1 pl
I Licenses, UFSARs, NRC approved plans and programs, and NRC commitments; determine whether the change involves a USQ; and determine whether NRC review and approval is required. Consistent with the governing NDD, the procedure applies to all proposed changes to NMPNS structures, systems, or components (permanent and temporary), proposed revisions or changes to procedures, and 'proposed tests or experiments. When an applicability review indicates a change to a licensing document is required," the proposed change is processed per a second NIP.
This second interface procedure, which controls licenses, UFSARs, and NRC-approved plans and programs, provides administrative controls for amendments and revisions to Operating Licenses, UFSARs, and NRC-approved plans and programs. The effects of proposed facility changes, procedure changes, tests and experiments are identified on a Licensing Document Change Request (LDCR). Each LDCR is reviewed, approved, and incorporated into license documents in accordance with specific requirements identified within the procedure.
In September 1996, NMPC began using Adobe Acrobat software to search and view electronic versions of the NMPNS UFSAR and plant Technical Specifications. The Adobe software provides full-text search commands that can find all the words on a page, no matter where or how they are used. Adobe Acrobat software is a new tool for Applicability Reviewers and Safety Evaluators to identify and assess the impact of proposed changes on information presented in the UFSAR and Technical Specifications.
3B. 10CFR50.71(e)
An NDD regarding changes to Operating Licenses, UFSARs, and NRC approved plans and programs reflects the requirements of 10CFR50.71(e). A NIP governing changes to Licenses, UFSARs, and NRC-approved plans and programs provides administrative controls for the initiation, review, and approval of proposed changes to the UFSAR. A NIP governing interface with the NRC provides administrative controls for filing the UFSAR revision. These procedures provide administrative controls for revising the UFSAR to include the effects of:
a11 changes made in the facility or procedures as described in the UFSAR; all safety evaluations performed by the licensee either in support of requested license amendments or in support of conclusions that changes did not involve an USQ; and all analyses of new safety issues'performed by or on behalf of the licensee at the NRC's request. The updated information is appropriately located within the UFSAR.
II 3C. QA Program/10CFR50 Appendix B The NMPNS QATR (UFSAR Appendix B) addresses the requirements for a description of the QA Program for the operations phase of the NMPNS. The QATR applies to organizations performing work that affects the operation, maintenance, or modification of safety-related structures, systems or components and indicates that the accountability for the quality of safety-related work rests with the performer, whereas accountability for verifying the quality of work rests with the verifying organizations.
19
V E The QATR provides for the operation, maintenance, and modification of NMPNS consistent with ANSUAmerican Society of Mechanical Engineers (ASME) NQA-1, ANSI/ANS-3.2 and Branch Technical Position (BTP) APCSB 9.5-1, Appendix A.
The QATR is organized to present the NMPC QA program in the order of the 18 criteria set forth in 10CFR50 Appendix B. The QATR states NMPC's policy for each of these criteria and describes how the controls pertinent to each are carried out. A matrix showing the 18 criteria of 10CFR50 Appendix B and the policy and directives and organization procedures implementing these criteria is presented in the QATR. Changes made to the QATR that do not reduce commitments previously accepted by the NRC are submitted to the NRC in accordance with the requirements of 10CFR50.71(e). Changes made to the QATR that do not satisfy the criteria of Appendix B to 10CFR50, or reduce commitments previously accepted by the NRC, are submitted to the NRC and must receive NRC approval prior to'implementation. The changes described above are submitted in accordance with the requirements of 10CFR50.54.
As previously stated, NMPNS is committed to a system of design and configuration controls that satisfy the requirements of Appendix B of 10CFR50. Concerning Appendix B, Criteria III, the NMPNS QATR states that station modifications are accomplished in accordance with approved designs and procedures. The controls apply to preparation, review, and revision of design documents, including the correct translation of applicable regulatory requirements and design bases into design, procurement, and procedural documents. The controls apply to design work performed by contractors as well as by NMPC engineering and technical organizations. Administrative procedures at NMPNS were developed to'ssure that license requirements, including Appendix B requirements, are accurately implemented and that responsibilities for implementation are properly assigned.
4.
4A. Problem Identification Processes A NIP prescribes the method for processing DERs. Guidance is provided regarding identification, documentation, notification, evaluation, correction, and reporting of conditions, events, activities, and concerns that have the potential for affecting the safe and reliable operation of the NMPNS. The DER process is described in detail in our response to Requested Action (d) under "Deviation/Event Report-(DER)." DERs are initiated upon discovery of a deficiency, including deficiencies in our engineering design and configuration control process, or inconsistencies between our license documents, physical plant, and procedures. A number of other processes exist at NMPNS that have the potential to identify problems. These processes include self-identification, reviews performed by the SORC and the SRAB, required technical reviews, QA audits and surveillances, self assessments, surveillance and examination activities, Independent Safety Engineering Group (ISEG) assessments, Institute of Nuclear Power Operations (INPO) evaluations, NRC inspections, and the evaluation of industry operational experiences.
20
/
f>'
I As problems are identified, DERs are initiated, dispositioned, and appropriate corrective and preventive actions taken. These processes are a feedback loop to the design and configuration control process in that they either confirm that the processes" are working effectively or identify problem areas with subsequent corrective actions to enhance the process. Results from some of these processes are presented in our responses to Requested Actions (b) and (c), providing part of our bases for concluding that design bases requirements are being translated into operating, maintenance, and testing procedures, and that SSC configuration and performance is consistent with the design bases.
4B. Training Training concerning engineering design and configuration control procedures is provided to station operating and technical/engineering personnel as part of their continuing training/position specific training programs as required. Operators are routinely trained on the processes used for temporary/permanent changes to plant design or procedures. Additionally, reviews of actual changes to procedures and significant plant design changes after major maintenance outages are covered, as appropriate, before startup. Simulators may be used to train operators and others on new systems/components before actual system startup and to develop new procedures for system operation before. the system/component is turned over for testing. Plant system configuration changes, special tests and significant evolutions may be tested on the simulator before they are actually accomplished in the plant. The PCR database is searched by the simulator support staff quarterly as a review of plant changes for simulator impact. Administrative controls are in place that ensure that any plant changes having potential impact on the simulator are evaluated and changes implemented as required.
Maintenance, chemistry, radiation protection, and engineering personnel receive training in plant design/procedure changes as part of the continued training program, either on an as needed basis or cyclically. Procedure changes and plant design changes can also reach the training program via the Training Review Request/Training Change Order process. This process requires that each change that potentially has training program impact be evaluated and revisions made as appropriate. Plant personnel can initiate a Training Review Request on any issue which could have training program impact. Training Review Requests/Training Change Orders are routinely used for issues that require training program modification.
Concerning training on the 10CFR50.59 process, operations shift management, designated engineering and maintenance support personnel, and others in management and technical positions are trained and qualified as Applicability Reviewers/Safety Evaluators and have to complete a requalification every two years. Training includes an overview of license documents including Technical Specifications, UFSAR, and NRC- approved plans and programs together with an overview of the hierarchy of procedures. Currently, there are approximately 400 fully trained and qualified personnel onsite who have the knowledge and ability to do applicability reviews and safety evaluations. This training/knowledge base contributes to the awareness and sensitivity that exists throughout the work force with regard to operating the plant within the licensing basis.
21
4 l,p<'g C
Branch Managers and Senior Managers also perform observations of simulator and other classroom training as part of their normal duties. Their feedback to the training organization is factored into the overall program to ensure the curriculum and conduct of training meets management's expectations.
II 22
Provide the rationale for concluding that design bases requirements are translated into operating, maintenance and testing procedures.
As discussed below, Niagara Mohawk has reasonable assurance that design bases requirements are translated into operating, maintenance and testing procedures at NMP2; The rationale supporting this conclusion is based on numerous actions, programs, and oversight activities.
As described in NDDs, administrative procedures establish requirements for the preparation, review, and approval of technical procedures. Technical procedures define requirements for the operation, maintenance, and testing described in the Operating License, Technical Specifications, and UFSAR. As discussed in the response to Requested Action (a), extensive programs and controls are utilized at NMPNS to ensure that design basis information is accurately maintained and updated as conditions warrant. Procedures are updated to reflect changes in design, corrective actions (identified by the corrective action program), industry operating experience, and changes to source requirements.
During the initial development, review, and approval of operating, maintenance and testing procedures, a review of design documents was conducted. This review included reviews of relevant system descriptions, design drawings, Design Specification Data Sheets, vendor manuals, Technical Specifications, and the Final Safety Analysis Report (FSAR). Additional procedure development activities iricluded selected design walkdown verifications, and in the case of preoperational test procedures, review of applicable engineering design calculations to ensure that the as-built system met design requirements. Preoperational test development also utilized system preoperational test standards for the NSSS.
Following the approval of initial ope'rating, maintenance, and testing procedures, the technical accuracy of the procedures has been maintained through programmatic controls for procedure revision and periodic review. These programs have been strengthened over the years to their current status.
NMPC has utilized knowledgeable and appropriately qualified individuals to develop, review, approve, and revise procedures. Program requirements have been in place starting with the initial development of procedures and have been enhanced over time to improve the effectiveness of the development, review, and approval process. The training program and other administrative requirements assure that personnel assigned to perform these functions are competent to perform their assigned tasks. This assures that NMPC can effectively implement program requirements associated with the development, review, approval, and revision of administrative and technical procedures.
23
11/ P Finally, NMPC has been involved in numerous assessments that demonstrate how effectively design requirements are translated into operating, maintenance, and testing procedures. These assessments include, in part, functional inspections, compliance verification projects, audits, and procedure (both administrative and technical) and related program upgrade projects.
NMPC's response to Requested 'Action (a) provides a description of the engineering design and configuration control processes currently in place at NMP2, including those that implement 10CFR50.59, 10CFR50.71(e), and Appendix B to 10CFR Part 50. Our response to Requested Action (d) provides a detailed description of the processes for the identification of problems and implementation of corrective actions to prevent recurrence (i.e., the DER). Our response to Requested Action (b) discusses the process which was used to develop, review, and approve the initial operations, maintenance, and testing procedures. An overview of the historic procedure revision process is presented, as well as the current revision process. The training program is discussed to show that individuals are capable of effectively implementing the procedure development, review, approval, and revision process. Finally, a review of assessments conducted is provided to further demonstrate that the implementation of program requirements has been effective in assuring that design basis requirements are being translated into operating, maintenance and testing procedures.
NMPC is confident that adherence to our design and configuration control processes and the DER process provides reasonable assurance that design bases requirements are properly translated into operating, maintenance, and testing procedures and that, when inconsistencies are found, proper corrective actions are taken.
NMP2's operating, maintenance, and testing procedures were initially developed in the mid-1980s. They were developed utilizing administrative procedures and controls contained in multiple documents. These program controls defined the requirements necessary in order to assure design basis requirements were adequately translated into operating, maintenance, and testing procedures. Some of the program documents in place at the time included the following:
~ ANSVANS-3.2 provided the requirements for the preparation, review and approval process for procedures, as well as an appendix of activities which require procedures.
~ A Startup Administrative Procedure (SAP) defined the requirements for the preparation of station procedures referring to RG 1.33 Revision 2, as the governing regulatory document and defined what procedures were required to be in place prior to licensing NMP2.
~ A SAP defined the qualification and certification of site and unit personnel.
24
C Administrative procedures prescribed the process for the generation, approval, publication, distribution, and control of procedures.
~ Administrative procedures prescribed the SORC requirements associated with the committee's responsibilities. Among those were requirements for formal procedure review and the documentation of those reviews.
As part of the procedure development, review, approval, and revision process for initial technical procedure development, the following actions took place in order to assure the technical adequacy of those procedures:
1
~ The following engineering controlled documents were reviewed during the initial preparation and review of procedures as applicable:
- l. FSKs, Mechanical one line drawings
- 2. ESKs, Electrical schematics
- 3. LSKs, Logic diagrams
- 4. Vendor manuals
- 5. EEs, wiring diagrams
- 6. System Design Specification Data Sheets (DSDS)
- 7. System descriptions
- 8. Others as required Cross-disciplinary reviews and consultation with vendors, the NSSS supplier (General Electric (GE)), and the Architect-Engineer (AE) were conducted as appropriate.
As part of the EOP development program, a specialized review process was utilized to ensure design basis requirements were appropriately captured in the procedures. An extensive verification of design inputs was utilized to support EOP calculations.
Each procedure was reviewed by the SORC.
~ Procedures were routinely validated utilizing the plant simulator, where possible, as part of the initial training programs. Since the simulator design and procedure development were based upon plant design requirements, utilizing procedures in the simulator provided a good measure of the technical accuracy of the procedures and simulator.
~ The Operations Department Superintendent was assigned as a member of the Joint Test Group (JTG). This group was required to review and approve preoperational test procedures to be run in the station as well as completed test results. This allowed direct feedback capability to the AE regarding discrepancies between design requirements and procedures. This group provided technical review and oversight functions.
25
V V t f
~ Operating experience from other plants developing initial operating, maintenance, and testing procedures was sought out and incorporated into NMPC's program.
NMPC has utilized knowledgeable and appropriately qualified individuals to develop, review, approve, and revise procedures. Program 'requirements were established before initial development of procedures. Personnel involved in the initial writing of technical procedures were either NMPC employees or contractors cognizant in the area for which the procedure was being written. In either case, individuals assigned to those tasks were competent to perform their respective tasks. Individuals assigned to support the review, approval and revision functions of procedure development and maintenance were also appropriately qualified.
Through the training program and other administrative requirements, reasonable assurance is provided that personnel assigned to perform these functions are competent to perform their assigned tasks. This in turn, reasonably assures that NMPC can effectively implement the program requirements associated with the development, review, approval, and revision of administrative and technical procedures.
Following initial procedure development, review, and approval, procedures were maintained up to date utilizing administrative controls for the revision process. At the time of receipt of the NMP2 low power license (10/31/86), required procedures had been developed, reviewed, and approved in accordance with existing programmatic requirements. Procedure revision controls were in place to establish requirements necessary to ensure that procedures were maintained appropriately. These requirements, coupled with configuration and design control processes, ensured that design basis requirements were translated into operating, maintenance, and testing procedures in a timely manner.
Over time, the procedure development, review, approval, and control process has been strengthened. A brief summary of major program enhancements follows:
~ 1984 An Administrative Procedure change incorporated the Nine Mile Point Unit 1 (NMP1) and NMP2 organizations under a common site administration program.
~ 1985 An Administrative Procedure provided significantly more detail regarding the development, review, and revision process for procedures.
A Site Procedure Writer's Guide '989 was developed and approved in order to provide consistent guidance on format and human factors. This was completed in anticipation of a major procedure rewrite effort, i
1990-1992 A new procedure hierarchy development was initiated. This was done to provide a more organized, tiered procedure structure and hierarchy. 'dministrative Procedures for procedure generation, approval, distribution, revision, and use would be transformed into the NDD and NIP-PRO series. A major technical procedure rewrite program was also underway, utilizing the Site Procedure Writer's Guide. The bulk of this effort was completed in 1992. Concurrent with the technical procedure upgrade, 26
, r
~"
APs governing procedural controls were themselves enhanced to better describe certain requirements for procedure review and control, activities. A key attribute to this change was better defining the expectations for procedure authors and reviewers, as well as improving the 10CFR50 59 screening process.
I Training efforts were completed to ensure procedure writers, reviewers, approvers and those involved in the revision process could effectively implement the program requirements.
~ 1992-1997 The quality of procedures and related processes continue to improve due to enhancements in the areas of technical review, validation, verification, and the 10CFR50.59 screening process and safety evaluation quality. Initial qualification and requalification programs in these areas hav'e been strengthened considerably.
These program changes have led to our current program requirements described in our response to Requested Action (a).
NMPC has conducted several initiatives in order to improve the process by which design requirements are transferred into operating, maintenance and testing procedures. Additionally, several assessments have been conducted which reviewed plant, procedures, demonstrated that NMPC's programs contain sufficient requirements, and that NMPC personnel are qualified to implement the program requirements. This reasonably assures that NMPC can conclude that design basis requirements are translated into operating, 'maintenance and testing procedures. A summary of the significant initiatives and assessments in this area is provided on the following pages.
Operating, maintenance, and testing procedures are developed and maintained in accordance with the requirements of various administrative procedures and programs. The administrative controls applicable to operating, maintenance, and testing procedures are described in detail in our response to Requested Action (a). This section describes the Administrative Procedure Update Program which was completed in 1992 to restructure and validate administrative procedures and programs at NMPNS. The primary objectives of the program were to:
~ Review licensing documentation to identify licensing requirements and commitments applicable to NMPNS.
~ Verify that license requirements and commitments were completely and accurately implemented through administrative procedures and programs.
~ Verify that responsibilities for implementing license requirements were appropriately assigned within the organization.
27
The Administrative Procedure Update Program was initiated by developing a Nuclear Division "Policy" document. The Policy provided a summary of the major organizational responsibilities, general program requirements, and other elements for ensuring the safe, reliable, and efficient operation of NMPNS. The Policy also defined a hierarchy of procedures to facilitate organized implementation of license requirements.
The current hierarchy is depicted in Figure 1:
ZIGIlKM Nuclear Division Policy Nuclear Division Directives
, Department Nuclear Specific Interface Administrative Procedures Procedures Branch Level Administrative Procedures Technical Implementing Procedures Initial efforts also involved development of a comprehensive list of functional areas to encompass all aspects of operation, maintenance, modification, and testing of the NMPNS.
28
The list of functional areas is as follows:
ALARAProgram Occupational Safety and Health Audits and Surveillances Operations Budget/Expenditure Control Outage Management Chemistry Nuclear Division Policy and Configuration Management Directives Manual Control Design Control Procurement of Materials,
'Document Control Equipment, Parts, Supplies and Evaluation and Corrective Action Services Environmental Protection Procedures and Orders Emergency Preparedness Planning and Scheduling Fitness for Duty Project and Task Management Fire Protection Program Radiological Effluents Human Resource Management Station Reliability Housekeeping and System Cleanness Records Management ISI and Testing Radioactive Material Processing, Inspections Transport and Disposal Interfacing with Regulatory and Radiation Protection Program Industry Groups Regulatory Posting Requirements Inventory, Identification and Physical Safeguards Information Control Control of Materials, Equipment, Surveillance and Testing Parts and Supplies Security Licenses, Plans and Programs Safety Evaluations Maintenance Special Nuclear Material Measuring and Test Equipment Accountability Nuclear Computer Systems, Special Processes Control Nuclear Fuel Management Safety Reviews Training, Qualification and Simulators Following development of the Policy, NDDs were developed for each functional area identified above. NDDs are used to establish requirements that must be accomplished to comply with regulatory requirements and guidelines, industry standards and practices, and commitments to regulatory agencies outlined in the Operating License, UFSAR, and Technical Specifications. They serve as a vehicle by which management communicates requirements for performing and controlling activities to those responsible for preparing the associated administrative and implementing procedures.
Subject matter experts were assigned to compile each NDD by performing a comprehensive assessment of licensing requirements and commitments to identify applicable requirements for each functional area. Each NDD was reviewed by responsible individuals in the functional area and then by the Senior Management Team. The NDDs were issued as a set in the Nuclear Division Policy and Directives Manual. Administrative controls are applied to ensure the NDDs remain accurate.
29
Following issuance of the Nuclear Division Policy and Directives Manual, the Administrative Procedure Update Program was completed by incorporating requirements contained in the NDDs throughout various lower tier administrative procedures. It is important to note that, in parallel with implementation of the NDDs, NMPNS conducted a comprehensive "Back-to-Basics" program to educate station personnel on the structure and content of the licensing basis, including its relation to the Nuclear Division Policy and Directives Manual. This program is described later in our response to Requested Action (b) under "Training."
In contrast to the NDDs which establish "what" the requirements are for a particular functional area, implementing procedures provide the details of methods to be used to implement the requirements contained in the NDDs. This was accomplished using the procedure hierarchy developed earlier in the program. Two tiers of administrative procedures are employed in the procedure hierarchy to ensure appropriate levels of review and approval are obtained:
Department level administrative procedures which include: 1) NIPs which implement common or universal programs for NMPNS departments (such as procedure review and control, corrective action, and security). NIPs are reviewed by responsible individuals from appropriate areas and approved by the Vice President and General Manager-Nuclear; and 2) Department-specific administrative procedures which implement common programs assigned to a specific department (such as Generation or Engineering). Department-specific administrative procedures are reviewed within the appropriate department and approved by the departm'ent head.
Lower tier (branch level) administrative procedures which are specific to functional areas within departments (such as Operations or Radiation Protection) and involve implementation of requirements by an individual group. Branch level administrative procedures are reviewed and approved within the functional area and allow flexibility in implementing detailed requirements provided compliance with the NDDs and higher tier procedures is maintained.
Adherence to the procedure hierarchy was maintained to ensure implementing procedures were developed to the extent necessary to execute the requirements contained in the NDDs. The effort was coordinated by a central group to ensure completeness and to minimize overlap and duplication. A procedure numbering scheme was employed that associated implementing procedures to their parent NDD. This phase of the program resulted in revision of nearly all of the more than 800 administrative procedures that were in place at that time.
In summary, this effort verified that license basis requirements were being implemented through administrative procedures including those applicable to developing and maintaining operations, maintenance, and testing procedures. The program also served to consolidate requirements for more effective implementation and to eliminate outdated or undesirable practices. Upon completion, the total number of administrative procedures was reduced from more than 800 to approximately 350. The described procedure program and hierarchy remains in place today as an integral part of the NMPNS procedure program.
30
NMPC has initiated several surveillance program reviews over the past six years. Several of these were conducted by independent consultants to ensure an unbiased review. Specifically, the Inservice Testing (IST) Program for pumps and valves was reviewed by Stone and Webster Engineering Corporation personnel, the 10CFR50 Appendix J Program was reviewed by General Physics Corporation, and the remainder of the Surveillance Program was reviewed by Vectra Technologies, Inc. In. addition, NMPC has performed internal reviews of the ISI Program.
In 1990, NMPC utilized the services of Stone and Webster Engineering Corporation to review the NMP2 IST Program for pumps and valves. This review consisted of evaluating all American Society of Mechanical Engineers (ASME) class and safety-related pumps and valves to assure that the NMP2 program plan scope contained applicable pumps and valves and associated code testing requirements. The results of that review verified that the program plan contained applicable components; if not, the program plan was revised. In addition, the review assured that testing procedures were adequate and that tests were performed at the proper periodicity.
During 1989-1990, NMPC performed a verification of the ASME Section XI ISI Program. A group of NMPC engineers and consultants performed this review. They verified that welds and supports required by the ASME code were in the program and that the plan included provisions to meet the 10 year inspection require'ments. Subsequently, some minor revisions to the program have been implemented.
In 1993, NMPC utilized the services of General Physics Corporation,to perform a review of the NMP2 10CFR50 Appendix J Testing Program. The review verified commitments to and compliance with the testing requirements of 10CFR50 Appendix J. This review included a penetration by penetration review of plant drawings, and a review of plant surveillance procedures used to conduct Type A, B, and C tests. In addition, the NMP2 Appendix J Testing Program was reviewed against the requirements of 10CFR50 Appendix J, ANS N45.4-1972, Leakage-Rate Testing of Containment Structures for Nuclear Reactors, ANSI/ANS 56.8-1981, Containment System Leakage Testing Requirements and NRC Appendix J Inspection Procedures.
A review of the remainder of the NMP2 Surveillance Program was performed utilizing the services of Vectra Technologies, Inc. This effort was completed in January 1995. This effort 31
II entailed a thorough review of NMP2 Technical Specifications and applicable procedures.
Where warranted, interviews were conducted with cognizant personnel responsible for the testing. Required surveillances were identified, including Channel Checks, Channel Functional Tests, Channel Calibration, Logic System Functional Tests, and other surveillance tests. Specifically excluded from this review were ASME Section XI weld and support (ISI)
I surveillance requirements and the Appendix Program since, they had been previously reviewed as discussed above. The review also included the documentation of the basis and the method for meeting each type of surveillance requirement.
During this task, the following types of information/sources were reviewed:
Design Basis Documents (e.g., FSAR, drawings)
System Descriptions and Design Criteria Documents (DCDs)
System Level Drawings - piping and instrument diagrams (P&IDs), electrical single line and schematics, logic drawings, etc.
Information relative to the development of the original Technical Specifications and subsequent amendments I Licensing correspondence Vendor information related to component operation and surveillance requirements Test procedures and results ASME XI Pump and Valve Program, including deviation requests Applicable safety analysis Instrument setpoint information and methodology System/Component Failure Modes and Effects Analysis Applicable Engineering Analyses Industry Codes and Standards NRC Regulations and RGs
'n addition, the basis for acceptance criteria and how those criteria relate to the surveillance requirement was defined. This effort included the identification of the limits that are protected by the specification, the basis for the acceptance criteria along with the references to the source documents from which the subject information was obtained, the acceptance criteria and surveillance test intervals, and a discussion of the reasons.and/or bases for any exceptions.
The results of the verification effort were compiled in a surveillance basis document. The resultant document provided the basis for the Technical Specification Surveillance Program and methods of compliance with the surveillance requirements, and their acceptability. In addition, a database was developed which created a matrix of surveillance requirements, implementing procedures, and components. This database file provides the end user the ability to search any field to compile unique reports of requirements, procedures, and/or components.
In the process of compiling this document, the basis for elimination of possible duplication and/or unnecessary surveillance requirements was explored. Consequently, redundant or unnecessary surveillance requirements were identified. Furthermore, during the performance of this task, areas where surveillance requirements could be combined were explored. The NMP2 32
~ Iv
~ V
evaluation also focused on the surveillance program "process" and identified weaknesses and/or omissions that may have existed. Along with the identification of weaknesses and/or potential omissions, recommended actions to address the areas of concern were proposed. As part of the Technical Specification review, the PMST database was reviewed to verify compliance with Technical Specification requirements, frequency requirements, and any special mode restraints.
In each verification effort described above, the overriding requirement (e.g., ASME code or Technical Specification) has been verified and the design program plans and procedures reviewed. The processes considered definition of the requirement, comparison of design to the requirement, comparison of the program plans to the requirement and review of the implementing procedures to ensure compliance. Based upon the results of ISI, IST, Appendix J and remaining Technical Specification surveillance requirement reviews, NMPC has a high degree of confidence that required surveillances are being performed, and that these programs are appropriately implementing the design requirements.
In addition to the above, on January 10, 1996, the Commission issued Generic Letter (GL) 96-01, "Testing of Safety-Related Logic Circuits," to notify addressees about problems with testing of safety-related logic circuits. By letter dated April 18,'1996, NMPC provided its initial response to GL 96-01. Our letter stated our intent to perform an assessment of NMP2 surveillance test procedures to verify that logic circuits of the reactor protection system, Emergency Diesel Generator (EDG) load shedding and sequencing, and actuation logic for engineered safety features are tested in accordance with Technical Specifications. Moreover, our response recognized that GL 96-01 requested that this assessment and, ifrequired, any procedure changes be completed prior to startup from NMP2 Refueling Outage No. 6 (RFO6) scheduled for Spring of 1998. After determining the scope of work and resource requirements, NMPC confirmed its commitment to complete'the GL 96-01 assessment and, if required, procedure changes prior to startup from RFO6, by letter dated August 14, 1996.
On March 28, 1996, NMPC personnel identified that full core offloads to the spent fuel pool performed during refueling outages were outside the design bases of the plant. This event was described in Licensee Event Report (LER) 96-03, Supplement 1, "Full Core Offload and Spent Fuel Pool Cooling System Operating Outside of Design Basis." Corrective action included a lessons learned transmittal describing this event'nd the need to perform an in-depth review and evaluation of design bases when writing and/or revising procedures. The Branch Managers reviewed this issue with personnel qualified to do applicability reviews and safety evaluations.
Also, in response to LER 96-03, Supplement 1, as well as industry issues concerning UFSAR discrepancies, a review team was formed to evaluate a sample of systems contained in the NMP2 UFSAR. The team was tasked with evaluating this sample of systems to determine whether any omissions or errors exist between plant procedures and the license basis documents. To date, these evaluations have indicated that the NMP2 UFSAR is generally 33
4 I II
accurate in describing the operation of the plant. Although deficiencies and minor inconsistencies have been identified, they have been determined not to impact plant operation, performance, or be a reportable condition outside the design basis of the plant. The assessment does, however, indicate that NMPC should continue to focus on improving the accuracy of the UFSAR. This process would also confirm the validity of the design basis for the remaining systems, and improve the ability to efficiently maintain the UFSAR.
~ I Accordingly, we are currently finalizing our plans for a'UFSAR verification effort. We intend to perform a comprehensive review which willbe completed by the end of 1998. This review willinclude provision for prompt evaluation of identified deviations for operability and reportability. It will also assess, on an ongoing basis, whether there are broad underlying concerns of design basis related inadequacies. The UFSAR Verification Program confirms NMPC's commitment to ensure the design basis is reflectedin the day-to-day operation of the unit, and that plant personnel are knowledgeable and aware of the significance of operating within the licensing basis.
As described in the response to Requested Action (c), NMP2 developed a program to implement a 4.3% power uprate. Engineering reviewed GE NSSS and turbine generator changes, NMP2 design calculations, 'and affected drawings, making, appropriate changes.
Selected Generation system engineers and Operations personnel then reviewed the EDCs.
Affected Maintenance and Operations procedures were reviewed and revised to reflect the uprated power condition based on the new design bases requirements. These reviews provided the opportunity to examine existing procedures and provides reasonable assurance that they accurately reflected the existing design basis. I II I
Significant QA audits (vertical slices) have been performed in the areas of Fire Protection and Service Water in which a review of procedures against design basis documents was included.
t A QA audit was performed in 1995, under the cognizance of the SRAB, to meet the requirements of the annual, bierinial, and triennial fire protection audits described in the Technical Specifications. The audit objectives were to evaluate the fire protection program and implementing procedures to assure the requirements for design, procurement, fabrication, installation, testing, maintenance and administrative controls for the respective programs are included in the QATR and meet program requirements established by the license documents and BTP APCSB 9.5-1, Appendix A-1976, Section C. Additional objectives were to assess
~
the plant fire protection equipment and program implementation to verify compliance with the NRC requirements addressed in license documents and implementing procedures. The audit team concluded that the NMPNS Fire Protection Program was in compliance with applicable Code requirements and the National Fire Protection Association (NFPA) fire protection 34
guidelines. The fire protection design and design change processes were considered a program strength. Opportunities for program improvements were identified which included attention to detail concerning the identification of related docu'ment changes needed when Fire Protection program changes were implemented. DERs were written against the program which included inconsistencies with the FSAR, but none indicated any major program flaws or violations.
The'audit evaluated the design control and procurement document control processes for fire protection by reviewing DDCs for recent plant changes/modifications, reviewing procurement documents for fire protection system replacement items and conducting interviews with design engineering and procurement personnel. The audit team found the design change control process for fire protection to be a strength, particularly in regards to the thoroughness of engineering evaluations for Appendix R requirements. Quality standards, such as fire protection codes, were specified in design documents and deviations from these codes or standards were appropriately controlled. Also, new designs and plant modifications were reviewed by qualified personnel to ensure inclusion of applicable fire protection requirements.
The audit team also reviewed procedures, instructions and drawings to ensure that fire protection program elements had been appropriately incorporated into the implementing documents. The team also observed personnel performance regarding fire protection procedures and interviewed personnel to assess the implementation of these procedures and program elements.
The team found that the training programs for fire fighting and fire prevention were being implemented in accordance with documented procedures and that the training programs for fire brigade members met the minimum requirements of 10CFR50 Appendix R. The team also found that the instructions, procedures, and drawings for design, installation, inspection, test, maintenance, modification, and administration of fire protection activities and systems were being properly reviewed, and contained appropriate requirements for control of ignition sources, combustibles, precautions and compensatory actions when fire systems were removed from service. The audit team reviewed the NMPNS UFSAR Appendix B (NMPC-QATR-l),
fire protection surveillance test procedures, NFPA standards and fire protection related work documents to ensure that a program of independent inspection had been established. The audit team also reviewed test and surveillance procedures and related work documents, witnessed testing activities and interviewed personnel to verify that a test program had been established.
The team found that the test procedures incorporated the requirements and limits contained in applicable design documents and that the schedules and methods for periodic testing had been appropriately developed and implemented. The team also found that fire protection equipment and communications equipment were tested periodically to assure that the equipment would properly function and continue to meet design criteria.
An audit of the NMP2 Service Water System was conducted in 1993 to review system design and operation, maintenance, testing and various regulatory commitments such as heat exchanger performance (GL 89-13), motor-operated valve (MOV) control program (GL 89-10) and check valve monitoring gNPO Significant Operating Experience Report (SOER) 86-03).
35
e 1 III
The purpose of the audit was to determine ifthe NMP2 Service Water System was designed, operated, tested, and maintained to assure performance of design safety functions in response to postulated accident conditions, p'ostulated natural phenomena, and hazardous system interactions. The audit team employed deep, vertical-slice techniques originally developed by the NRC Safety System Functional Inspection (SSFQ program. Specifically, the Service Water System was reviewed to evaluate system design and modification processes, and to evaluate the implementation of the design in operations, maintenance, testing, training and administrative controls program. The results of this audit, 93003-RG/IN "Unit 2 Service Water System (GL-13)," were presented to the Commission on June 9, 1993 in King of Prussia, PA.
The executive summary of 93003-RG/IN states the following: "The audit team concluded that the NMP2 Service Water System is sufficiently designed, operated, tested, and maintained to assure performance of its design safety function under postulated design basis accident conditions, including the most limiting single failures', postulated natural phenomena, or hazardous system interactions. Continuing flow degradation and related trends, similar to those observed at other power plants, indicate that continuing actions and vigilance are essential to assure long-term availability."
Concurrent with the time the audit plan was being prepared the Commission issued Temporary Instruction 2515/118, Revision 1, Service Water System Operational Performance Inspection (SWOP/." NMPC was requested to review their audit plan versus the NRC requirements and prepare a matrix to ensure that all items of the NRC Inspection Manual were addressed. This was completed and presented to the Commission. The NMPC effort at self-assessment preceded the issuance by the NRC of Inspection Procedure 40501, "Licensee Self-Assessments Related to Area-of-Emphasis Inspections.", The overall'conclusion was that the NMP2 Service Water System was sufficiently designed, operated, tested, and maintained to assure performance of design safety functions under postulated design basis accident conditions.
Thus, it can be further concluded that the SWP system design bases requirements have been translated into operating, maintenance, and testing procedures, In conclusion, these audits were designed, in part, to verify that the design basis was properly reflected in the applicable operating, maintenance, and testing procedures for those functional areas. The results indicate that while not perfect, there is a reasonable basis for concluding that goal has been accomplished. Continual verification through audit and surveillance activities is a management expectation.
NMP2 safety-related and nonsafety-related vendor manuals were originally reviewed for technical content,and general application to NMP2 and issued for use by our A/E. After the issuance of GL 83-28, vendor manuals were identified to a component level and a plant-specific applicability review was performed for each manual, identifying those portions of the manual applicable to the identified components. This applicability review was performed by a NMP2 36
N I
contractor and was generally accomplished by reviewing plant-specific drawings. This activity was completed in the late 1980's.
In September 1990, NMP2 initiated a Vendor Manual Upgrade Program. This program
. involved the updating (baselining) of NSSS System Level Manuals and updating 225 component level vendor manuals for selected safety-related pieces of equipment. The updating of NSSS system manuals was completed by our NSSS supplier with the objective to provide a baseline update of NMP2's NSSS system manuals to reflect new configuration information (i.e., changes made to the plant since the manuals were supplied or last updated), new technology, Boiling Water Reactor (BWR) field experience information and a review of Service Information Letters to retrieve any operating or maintenance information. This project was completed in 1996.
NMPC updated selected component level manuals. The update process focused on two key elements: equipment supplier component configuration changes and a review of new technologies. The review of new technologies included an investigation of operating experiences from the suppliers which could provide improved or simplified operating and maintenance procedures for the equipment (i.e., new lubricants, simplified assembly, or calibrating procedures, etc.). When applicable new or revised vendor manuals were provided to NMPC, they were reviewed and approved by NMPC Engineering and then issued, superseding our current revision. This project was completed in September 1993.
In November 1991, actions were completed to implement a method to track and trend the review and approval of vendor manuals. This involved the appointment of a Vendor Manual Coordinator (VMC), and the cleanup and enhancement of the Planning and Scheduling Database in the CDS. Monthly reports are now issued by the VMC to department supervisors and management to identify manuals that are" in the review cycle and the overall status of manuals issued, added, and backlogged.
In November of 1995, the process for vendor manual use and.control was enhanced using INPO's Good Practice DE-102, INPO 87-009, Control of Vendor Manuals, as a guide. The review process ensures plant personnel are provided with current and technically accurate vendor manuals to support the operation and maintenance and includes the following:
I
- 1. Identification of the primary responsibilities of various individuals responsible for control of vendor manuals including the Vendor Document Coordinator.
- 2. Expectations for turnaround time for the review and approval of vendor manuals.
- 3. Requirements for the receipt, review, approval, issue,,and revision of vendor manuals, and notifications to departm'ents and responsible personnel for new and/or revised vendor manuals. This notification serves as the trigger to station personnel to review and revise appropriate programs and procedures if they are affected by a particular vendor manual.
NMP2 37
V i, il
- 4. A process for plant personnel to take exception to requirements specified by a vendor.
II Based on the above, NMPC is confident that plant personnel are provided with current and technically accurate vendor manuals to support plant operation and maintenance. The Vendor Interface Program and the internal review and approval process assures that vendor manual information is reviewed against the design basis. This process confirms the acceptability of technical information that has not changed, and identifies other information that requires
- revision, NMP2 is in the process of converting its current Technical Specifications to the ITS. NMP2 is also converting from an 18-month to a 24-month operating cycle. This conversion process is described below.
II The ITS contains a generic Bases which is substantially greater in detail than the Bases of the current Technical Specifications. During the conversion process (i.e., drafting of the proposed license amendment) the generic Bases of the ITS is reviewed and compared with the UFSAR of NMP2. In certain instances, calculations and analyses are also reviewed during the conversion process. In addition, during the conversion process and on an as-needed basis, the NRC's "Safety Evaluation Report Related to the Operation of Nine Mile Point Nuclear Station Unit 2" (NUREG-1047), including its six supplements, is also reviewed by NMPC. Based on these reviews, the generic Bases of the ITS is appropriately modified to reflect the Licensing and Design Basis of NMP2. t The conversion of NMP2 to the ITS also includes increasing the length of the operating cycle from 18 to 24 months. Each 18-month Surveillance Requirement is evaluated to determine the feasibility of increasing its surveillance interval. This evaluation includes a review of historical maintenance and surveillance data, the UFSAR and appropriate calculations, analyses, and vendor manuals. Based on these reviews and evaluations, the operating cycle of NMP2 is expected to be increased from 18 to 24 months.
As a result of the above reviews and evaluations for ITS and 24-month conversion, required changes willbe made to the facility, and its calculations, analyses, procedures, UFSAR, and vendor documents. In those instances where the conversion will result in new or more stringent requirements, plant procedures will be appropriately revised and thereby made consistent with the design basis of the unit. The above process provides assurance that the design and licensing basis of the plant, its procedures, and the performance of plant equipment (i.e., SSCs) will support conversion to the ITS and to a 24-month cycle.
The function of ISEG is to examine plant operating characteristics, various NRC issuances, industry advisories,'ERs and other sources of unit design and operating experience information, including units of similar design'which may indicate areas of improving unit 38
safety. This has included independent reviews of plant activities/programs, including maintenance, modifications, operational concerns and analysis. The ISEG makes detailed recommendations for procedure changes, equipment modifications, maintenance activities, operations activities or other means of improving unit safety to the Vice President - Nuclear Safety Assessment and Support. Many of the reviews/assessments performed to date have been related to design bases and configuration control issues.
Industry operations experience items provide NMPNS opportunities to confirm that design bases requirements are translated into operating, maintenance, and testing procedures. As a minimum, NRC Bulletins, Notices, GLs, and INPO issuances such as SOERs and Significant Event Reports (SERs), as well as vendor issuances are reviewed to determine applicability to the NMPNS. Nuclear Division personnel are directed to initiate a DER upon discovery of a deviation/event or condition adverse to quality or when it is determined that an industry experience is applicable to the NMPNS. The DER process, as described in our response to Requested Action (d), requires a disposition and corrective actions, as necessary. Some examples of operations experience items that have required NMPNS to confirm and/or take action to conclude that design bases requirements are being translated into operating, maintenance, and testing procedures are discussed below.
The purpose of GL 88-14,was to request that each licensee/applicant review NUREG-1275, Volume 2, and perform a design and operations verification of the instrument air system (IAS). As stated in the GL, the verification should include "verification that maintenance practices, emergency procedures, and training are adequate to ensure that safety-related equipment will function as intended on loss of instrument air." In response to the request, NMPC reviewed the specified procedures and found them to be adequate to ensure that the subject safety-related equipment would function as intended on loss of instrument air or during design basis accidents. In addition to further enhance maintenance of the system, a new sampling procedure was developed to test for quality criteria, and existing procedures were revised to address filter changeout practices and check valve testing. The reviews and enhancements conducted as part of this GL effort provide assurance that for the IAS, design basis has been properly translated into procedures.
NRC URI A-44, SBO was concerned with the ability of a nuclear power plant to cope with a total loss of both offsite and onsite alternating current (AC) electrical power.
The NRC resolved the issue by incorporating requirements for coping with a SBO in 10CFR50.63.
39
4 I
0
As part of NMPC's efforts to address ensuring compliance with these requirements, existing procedures were reviewed and modified to meet 10CFR50.63 requirements and the guidelines in Nuclear Management and Resource Council (NUMARC) 87-00. As part of this review, NMPC confirmed that existing procedures provided guidance which would permit the restoration of AC power either from offsite or from the emergency diesel generators. Additionally, corporate operating instructions were identified that address the restoration of offsite power to NMP2 and the Scriba, Substation from various sources. Confirmation of these existing procedural and operating controls along with those added to meet NUMARC 87-00 provides a rationale that operating procedures adequately address the design basis for loss of AC power events.
II In 1992, NMPC developed a new,,training course entitled "Back-to-Basics." This course provided training on licensing basis documents and operation within our licensing envelope, and was designed to result in enhancements to our management and leadership skills. Also discussed was the expectation that if work could not be performed within the controls of a procedure, the work should stop and a resolution obtained before work continues. This training was provided to Branch Managers and selected Supervisors who were then responsible to teach the "Back-to-Basics" course to the individual work groups.'
"Back-to-Basics'II" training was conducted in 1995-1996 to assist organizations in understanding how Back-to-Basics relates to their specific jobs. This training included a diagram of our license basis and discussions of 10CFR50,59 and 50.92, commitments made to Operational Experience items, RGs, and industry standards and how we change these commitments, a definition of operability with an emphasis on post accident function, discretionary enforcement, reportability requirements of 10CFR50 Parts 72, 73 and 21, and how specific. work activities interact with the design basis.
Concerning 50.59 training, the biennial requalifiication training for personnel authorized to prepare safety evaluations now includes a specific discussion of the consequences of failing to prepare a specific evaluation. Members of the Senior Management Team recently attended the requalification training to ensure their expectations are incorporated, and to heighten awareness of 10CFR50.59 requirements and issues. Members of the SORC and the SRAB are also required to attend requalification training.
Operation Experience, including industry events, are typically analyzed for training value in conjunction with DER dispositions and, if appropriate, are included in the continuing training program for operations, maintenance, engineering, chemistry, radiation protection, and support organizations.
Routine and special training periodically results in enhancements to procedures. Operators can process procedure changes when training activities show that there is a better way to accomplish the specific task. Procedures are reviewed periodically with intent to prevent personnel errors, ensure better understandin'g, and train personnel on the design or licensing 40,
4 II basis of the plant. An example of where an engineering support continued training class identified a concern was the discussion of control rod drive flow and how it is used to calculate core thermal power. As a result of this discovery, configuration changes to the plant process computer were made to correct the deficiency. This has since been identified as an industry problem that initiated action at other plants.
Administrative procedures and controls have been in place prior to NMP2 receiving a low power license to mandate requirements associated with the preparation, review, approval, and revision of operating, maintenance, and testing procedures. These procedures and processes contain appropriate requirements which reasonably ensure design basis requirements are incorporated into administrative and technical procedures. Personnel qualification requirements assure that NMPC is capable of implementing the program requirements.
Continuous improvement of program requirements and implementation has been a regular practice at NMPNS. Additionally, multiple assessments have been conducted which demonstrate the overall effectiveness of various programs in the design/configuration control and procedure area. Coupled together, these activities and processes provide reasonable assurance that design basis requirements are translated into operating, maintenance and testing procedures at NMP2. P 41
Provide the rationale for concluding that system, structure and component configuration and performance are consistent with the design bases.
During the design, construction and startup ofNMP2, a rigorous QA Program was applied. This program included procedures and processes consistent with 10CFR50, Appendix B requiring proceduralized design controls to ensure design adequacy and checking processes throughout construction and testing to confirm that Engineering requirements were implemented.
The NMP2 initial test program began as systems, components, and structures were nearing construction completion. The objectives of the program were to demonstrate that plant SSCs operate in accordance with the design performance requirements while utilizing to the extent possible plant procedures and demonstrating, where practical, that the plant is capable of withstanding anticipated transients and postulat'ed accidents. The procedures for the NMP2 Startup Test Program required test engineers to perform walkdowns of the systems/equipment.
Markups of master drawings were maintained and as-built changes were documented as part of the process. This program included preliminary, preoperational'and startup testing.
Surveillance testing and examination programs have been used since startup. These tests and examinations are formalized by procedures and ensure that surveillances and tests required by Technical Specifications and other regulatory commitments are established. 'These tests and examinations provide a primary basis to ensure that the performance of systems meet design bases requirements. Additionally, post-maintenance and modification testing is routinely performed to ensure that design bases requirements continue to be met following maintenance and modification activities. Pressure retaining components are also routinely tested in accordance with in-service inspection and testing programs. In addition to confirming that SSCs meet acceptance requirements, these testing programs provide a mechanism to identify deficiencies using the DER process.
Additional design verification and power ascension testing was performed as part of the 4.3%
power uprate effort implemented in 1995.
Operations Experience and SSFIs/Electrical Distribution System Functional Inspections (EDSFIs) have been applied to further and more specifically evaluate NMP2's conformance and performance against design bases. NMPC's Operations Experience Program evaluates NRC Bulletins, Notices, GLs as well as other industry inputs including INPO's SOERs, SERs, and vendor issuances. Evaluations such as EDSFI and Operations Experience include our assessment ofMOV capability under GL 89-10, Service Water System capability under GL 89-13, Instrument Air System capability as part of GL 88-14, pump dead-heading issues as described in Bulletin 88-04, and URI A-44, SBO. These assessments, coupled with ongoing evaluations of plant performance, assure that configuration and performance parameters are updated as appropriate.
42
I
~ ~
The above activities, coupled with our corrective action progr'am ensure routine problem
~
identification and evaluation of as-built conditions and test results and provide reasonable
~ ~ ~ ~
~ ~ ~ ~
assurance that current performance and configuration are consistent with the design bases.
NMPC's response to Requested Action (a) provides a description of the engineering design and configuration control processes currently in place at NMPNS, including those that implement 10CFR50.59, 10CFR50.71(e), and Appendix B to 10CFR Part 50. Our response to Requested Action (d) provides a detailed description of the processes for the identification of problems and implementation of corrective actions to prevent recurrence (i.e., the DER). NMPC is confident that adherence to these processes provide reasonable assurance that NMPNS configuration and performance are consistent with the design bases. NMPC bases this confidence not only on the quality of these processes, but on the multiple efforts, reviews, inspections, tests, and audits that have taken place and that are currently being taken to assure consistency between our plants and the design bases. A discussion of these various efforts is provided below.
During the NMP2 licensing process, NMPC established a program for the verification of the final draft Technical Specifications and the FSAR. The verification effort consisted of annotating both licensing documents to controlling plant documents such as drawings, specifications, and calculations. This effort included provisions for updating the
'rocedures, licensing documents, as necessary, to reflect the as-built configuration of the plant. The verification program provided assurance that the plant was constructed in accordance with the FSAR and the Technical Specifications to be issued with the low power license.
The NMP2 startup and test program consisted of three phases which began as systems and components and structures were nearing construction completion. The objectives of the startup and test program included the following:
Demonstrate, to the extent practical, that the plant SSCs operate in accordance with their design and performance requirements.
~ Utilize and evaluate, to the extent possible, the plant procedures.
Demonstrate, where practical, that the plant is capable of withstanding anticipated transients and postulated accidents.
The three major phases of the test program provided a systematic and controlled approach to plant startup. The three phases, preliminary-testing, preoperational testing, and startup testing, are described in the following paragraphs.
43
l '"
~ I
Preliminary testing - tests performed subsequent to release of the equipment, system, or structure from construction. This test phase verified proper installation and operation of equipment, systems and, where applicable, structures.
Preoperational testing - performed after system turnover and usually prior to fuel load to verify that the performance of plant systems and components met applicable performance design and regulatory requirements. Two types of tests were included during preoperational testing:
\
l ao Preoperational tests - performed to provide verification that SSCs met performance requirements and satisfied the design criteria.to the extent possible.
These tests were performed on safety-related systems as specified in RG 1.68, systems designated under the augmented QA program, and other systems important to reactor safety or the safe shutdown of the reactor.
- b. Acceptance tests - similar to preoperational tests except they were performed on non-safety systems and were not specified in RG 1.68.
1 Startup testing - consisted of fuel loading, precritical, low power, and power ascension tests that ensure fuel loading in a safe manner, confirm the design bases, demonstrated where practical that the plant is capable of withstanding the anticipated transients and postulated accidents, and ensured that the plant is safely brought to rated capacity and sustained power operation.
The NMP2 Startup Program was governed by SAPs which required test engineers to perform walkdowns of the systems/equipment. Component verification and system preparation were the two phases of the preliminary test activities for the Startup Program. Component verification included initial energizing, calibration, logic testing, and equipment operation, while system preparation included initial system operation. Yellow line markups of applicable master drawings were maintained and as-built changes were documented as part of the process.
In summary, the NMP2 initial test program 'was implemented,to demonstrate, to the extent practical, that the plant SSCs operated in accordance with their design and performance requirements prior to commercial plant operation. It also demonstrated that the existing plant configuration was in conformance with the FSAR description, with as-built changes documented. Following completion of the initial test program, routine surveillance testing and examinations have provided the primary method by which performance and material condition of plant SSCs are confirmed to be consistent with the design basis.
Routine surveillance testing and examinations provides a primary method by which the performance and material condition of plant systems, structures and components are confirmed to be consistent with design bases. An NDD establishes the requirements for development and execution of a program for surveillances and tests required by the Technical Specifications, NMP2 44
0 C
regulatory commitments including the IST program, industry experience, and special tests and experiments. A surveillance and test program has been established to demonstrate that SSCs perform satisfactorily in service. The regulatory requirements are identified in the operating license, Technical Specifications and UFSAR. The surveillance and test program is updated, in part, as a result of design changes, corrective actions identified as part of the DER process, evaluations of industry, operating and maintenance experience, and changes to source requirements. Also, requirements for surveillances and tests meet the requirements of the ASME Boiler and Pressure Vessel Code and RGs as appropriate. Specific procedures are developed for each surveillance test and simulate, to the extent practical, the actual conditions under which the system must operate on demand. Post-maintenance and modification tests verify the capability of SSCs to perform satisfactorily in service. The extent of the testing is commensurate with the work performed and the importance of the SSC to station safety and reliability. The test requirements and acceptance criteria for design changes are derived from design documents and sources for regulatory requirements. SSC deficiencies and test data adverse trends are evaluated and a DER initiated as appropriate.
An NDD also establishes the requirements for the development of ISI and Testing programs.
This directive applies to the examination and testing of the pressure retaining components of the NMPNS reactor coolant pressure boundary and to components required to be tested in accordance with the ASME Boiler & Pressure Vessel Code,Section XI. Unacceptable examination or test results willresult in the initiation of a DER and appropriate corrective actions. Such testing and examination activities assure that SSCs continue to perform as described in the design basis documents.
A Power Uprate - Power Ascension Startup Program was developed and performed to implement a 4.3% power uprate in 1995. The requirements for testing were derived from the NMP2 power uprate licensing submittals, the NRC Staff's Safety Evaluation Report for power uprate, Chapter 14 of the UFSAR, the GE power uprate power ascension test specification and the Technical Specifications for pow'er uprate. The results of this test program were reported to the NRC in the NMP2 "Power Uprate Power Ascension Test Program Interim Startup Report," Rev. 1 dated November 1995, and revised periodically. The Power Ascension Program followed the normal NMP2 administrative procedures, and one administrative procedure specifically written for the program, which delineated the power uprate power ascension test requirements. The program test controls included SORC review of each special test procedure, special test results, and test exceptions. The Manager Technical Support reviewed the results of each test phase and approved moving to the next phase.
As part of the power uprate effort, Engineering reviewed the GE power uprate evaluations and analyses transmitted to NMPC and the appropriate NMP2 design calculations and drawings.
The appropriate changes were made. The assigned Generation personnel reviewed subsequent Engineering changes. Applicable procedures were revised and updated to reflect the uprated power condition and any new design bases requirements. The power ascension program NMP2 45
r'4 r "pl
~.
provided a testing evaluation to confirm the performance and configuration of individual systems and overall station operation and control 'at various power levels.
I An EDSFI (Inspection Report No. 50-410/93-81) was conducted at NMP2 from November 29, 1993 through January 28, 1994. This inspection was directed toward areas important to public health and safety. The purpose of this inspection was to determine whether the electrical distribution system as designed, installed, and configured at NMP2 was capable of performing its intended safety functions. In addition, this inspection also included a review of our self-assessment of the electrical distribution system and a review of our response to the deficient condition that the High Pressure Core Spray (HPCS) System injection valve failed to open during testing as reported in LER 93-10.
Based on the team's independent review of selected electrical and mechanical design areas, and maintenance and test areas, the team determined that our electrical distribution system was capable of performing its intended function. The team also determined that our self-assessment was comprehensive and of high quality, and that our actions in response to the deficient condition involving the HPCS system injection valve'ere appropriate.
In addition, as discussed in our response to Requested Action (b) under QA Audits, a SSFI type audit was performed on the NMP2 Service Water System. The purpose of this audit was to determine ifthe SWP system was designed, operated, tested and maintained to assure performance of design safety functions. Details of this audit can be found in our response to Requested Action (b).
In summary, functional inspections are conducted to determine ifplant systems are capable of performing their intended safety functions as designed, installed and configured and, therefore, provide a rationale that SSCs configuration and performance are consistent with the design bases.
Industry operations experience items provide the NMPNS opportunities to confirm that SSC configuration and performance is consistent with the design bases. As a minimum, NRC Bulletins, Notices, GLs, and INPO issuances such as SOERs and SERs, as well as vendor issuances are reviewed to determine applicability to the NMPNS. Nuclear Division personnel are required by procedure and trained to initiate a DER upon discovery of a deviation/event or condition adverse to quality or when it is determined that an industry experience is applicable to the NMPNS. The DER process, as described in our response to Requested Action (d),
requires a disposition and corrective actions, as necessary. Some examples of operations E
I 46
~
'a I
N
experience items that have required NMPNS to confirm and/or take action to assure that SSC configuration and performance is consistent with the design bases are provided below:
GL 89-10 requested that licensees develop and implement a program to ensure that MOV switch settings (i.e., torque, torque bypass, position limit, overload) are selected, set and maintained so that MOVs would operate under design basis conditions for the life of the plant. The NMP2 MOV Program'Plan was developed in response to GL 89-10 to identify the scope of the program and assure proper design basis review and confirmation, that safety-related MOVs could perform their design function. The program examined design basis requirements of MOVs under the program and documented the results of this review under NMPC's calculation procedure to assure future access to this information. This review encompassed such design basis documentation as applicable UFSAR sections, technical specifications, system design criteria, system descriptions, operating, and maintenance procedures.
With these design requirements firmly established and verified, each MOV was evaluated in a sizing calculation to assure sufficient actuator capability to perform designated design functions. Appropriate MOV maintenance procedures were developed to periodically statically test, perform preventative maintenance, and dynamically test MOVs. 'A selected number of MOVs were tested under dynamic conditions as close to design basis differential pressure as achievable in accordance with NMP2's MOV testing grouping study. Where in-situ plant testing information was determined insufficient to validate design assumptions used in MOV sizing calculations, applicable industry data was applied to supplement NMP2 information.
As a result of these reviews and testing results, additional safety margin was identified as desirable for selected MOVs and resulted in several modifications to the plant design. Modifications performed include actuator replacement, gearing changes, and spring pack changes.
NMP2 is presently in the closure process of the GL 89-10 program. As a result of inspector concerns identified during the GL 89-10 closure audit in October-November 1996, additional margin is being added to the design basis for several MOVs. This will result in several additional modifications such as motor replacement, additional gearing changes, and potential actuator replacement, to assure reasonable future setup capability of MOVs during periodic verification. The inspector identified that the actual field setup of NMP2's MOVs provide sufficient operating safety margin for continued plant operation but that additional design specified and controlled margin may be warranted to address presently unknown valve degradation between periodic verifications.
In summary, the efforts of GL 89-'10 have provided added assurance that MOVs will operate as needed under design basis conditions.
NMP2 47
I I yp
I GL 89-13 states that nuclear power'lants must ensure that the service water system is in compliance with the minimum requirements of 10CFR50, Appendix A, General Design Criteria (GDC) 44, 45, and 46, and Appendix B,Section XI; Actions were taken in response to GL 89-,13 to ensure compliance with these requirements. As previously discussed, an audit of the NMP2'Service Water System was conducted to review system design and operation, including commitments to GL 89-13. This audit concluded that the NMP2 Service Water System was sufficiently designed, operated, tested, and maintained to assure performance of design safety functions under postulated design bases accidents.
lt The purpose of GL 88-14 was to request that each licensee/applicant review NUEEG-1275, Volume 2, Operating Experience Feedback Report-Air Systems Problems, and perform a design and operations verification of. the IAS. In response to GL 88-14, NMPC verified and evaluated the IAS design and operation. Specific equipment and design document enhancements were identified and modifications performed to enhance IAS reliability and performance. Modifications/enhancements included replacement of the IAS compressors and a P&ID upgrade to provide a summary of the end users downstream 'of each root valve. A system walkdown was performed to verify the P&ID valve data. Also, Automatic Depressurization System (ADS), Main Steam Isolation Valve (MSIV), and Safety Relief Valve (SRV) accumulator sizing, test methods and calculations were reviewed to verify design and licensing requirements were being met and IAS modes of operation were within the operational design basis.
NRC Bulletin 88-04, requested licensees to investigate'and correct, as appropriate, the potential for pump dead-heading due to pump-to-pump interactions and the adequacy of installed minimum flow capacity for safety-related systems.
For NMP2 there are only two safety-related systems that could have two pumps running in parallel with a common minimum flow line, These systems are the Low Pressure Core Spray System (CSL) and the Residual Heat Removal System (RHS).
The original design was found adequate to preclude dead-heading of one or more pumps during minimum flow operation, and therefore, and no corrective actions were required.
The review identified three systems; HPCS, CSL, and RHS, pumps with potential for operation for extended periods on minimum flow after a system start on a LOCA signal. The recommendation was to minimize the amount of time the pump is in the 48
I I t
minimum flow'ode. Accordingly, the operating procedures include cautions against extended operation in the minimum flow mode.
I, In summary, the concerns of Bulletin 88-04 have been addressed providing reasonable assurance that NMP2 ECCS Systems willperform consistent with design bases.
NRC URI A-44, SBO, was concerned with the ability of a nuclear power plant to cope with a total loss of both offsite and onsite AC electrical power. The NRC resolved the issue by incorporating requirements for coping with a SBO in 10CFR50.63.
Assessment and implementation of-the SBO requirements resulted in the following:
~ Analyses were performed to insure that critical direct current (DC) power supplies and associated instrumentation required for the 4-hour coping duration were available.
~ An emergency diesel generator target reliability of 0.975 was shown to be satisfied.
~ Analyses were performed to demonstrate that condensate inventory for decay heat removal was sufficient, that reasonable assurance of the operability of SBO response equipment was determined for the effects of loss'of ventilation, and that reactor coolant inventory was adequate under SBO conditions.
~ System walkdowns were performed as necessary to validate the existence of adequate lighting, that equipment was physically located as determined from configuration documents, including breaker positions, and that plant equipment could be physically controlled in the manner assumed by the procedures.
These efforts have provided assurance of NMP2's ability to cope with a SBO.
Inspection reports and self-audits have confirmed the proper implementation of the design controls described in response to Requested Action (a). For these reasons, the activities associated with SBO help provide assurance that system, structure and component configuration and performance are consistent with the design bases.
A historical analysis was completed of the DER Data System. Specifically, a search was done to determine the number of design and configuration control issues which have been identified.
Since 1991, over 1400 DERs have been initiated which had a causal factor code "Design and Configuration Analysis." These included 519 DERs for NMP1, 922 DERs for NMP2, and 21 DERs which were common to both plants. The number of DERs relating to design and configuration control issues has increased in more recent years. The specific results are as follows:
49
DERs 1991 1992 1993 1994 1995 1996 Unit 1 15 50 84 204 155 Unit 2 12 79 "
205 341 276 Common 10 TOTAL 20 28 131 ,294 548 441 As a measure of significance of the over 1400 issues identified, we determined the number of LERs identified as a result of these issues. In the same time period, 8 of the DERs for NMP1 were reported on LERs and 10 for NMP2. The details by year are as follows:
1991 1992 1993 1994 1995 1996 Unit 1 Unit 2 0 TOTAL Of the over 1400 DERs initiated since 1991, 19 were initiated as a result ofNRC identified issues.
The details by year and unit are as follows:
DERs 1991 1992 1993 1994 1995 1996 Unit 1 0 Unit 2 TOTAL 0 In summary, the above data indicates that,NMPC is routinely identifying issues associated with Nine Mile Point Design and Configuration Control processes and programs. The fact that the
'he number of issues has increased since 1991 does not mean that design and configuration control is more deficient, but that our ability to identify issues is improving. Also, because very few of these issues resulted in reportable events, the safety significance of most issues is small. These results support our belief that the overall design bases for both units are sound and are under constant scrutiny and increased questioning to ensure that discrepancies, regardless of significance, are promptly identified and resolved.
50
Describe the processes for identification of problems and implementation of corrective actions, including actions to determine the extent of problems, actions to prevent recurrence, and reporting to the NRC.
NMPC utilizes the DER as the administrative tool for documenting, evaluating (including reportability to the NRC), determining cause, and determining corrective and preventive actions for problems that are identified at the NMPNS. Problem identification results from a wide range of sources, which include in-house events, testing and inspection activities, observations, audit and surveillance activities, self-assessments, and outside agencies inspections and evaluation activities. The DER is also used as the tracking tool for Operations Experience issues. The text that follows describes in detail the NMPNS's process for problem identification and ultimate resolution, the cornerstone of which is the DER, and associated administrative procedures that ensure effective implementation of the process.
An NDD establishes the requirements for the identification, documentation, notification, evaluation, correction, and reporting of deviations/events 'or conditions adverse to quality that may impact the safe and reliable operation of the NMPNS or personnel safety, with the exception of certain Safeguards information. This NDD directs each Nuclear Division employee, as part of his/her normal duties, to be alert for and to promptly identify events and nonconforming items, including hardware failures. A continuous assessment of operating and industry experience for impact on safe operation is performed and a formal program for reviewing industry experience established. As a minimum, NRC Bulletins, Notices, GLs, and INPO issuances such as SOERs and SERs, as well as vendor issuances are reviewed to determine applicability to the NMPNS. Nuclear Division personnel are directed to initiate a DER upon discovery of a deviation/event or condition adverse to quality or when it is determined that an industry issuance is applicable to the NMPNS. The determination of reportability and operability is then performed as necessary, the DER dispositioned, and appropriate corrective and preventive actions taken.
A NIP prescribes the method for processing DERs for the identification, documentation, notification, evaluation, correction, and reporting of conditions, events, activities, and concerns that have the potential for affecting the safe and reliable operation of the NMPNS.
This interfacing procedure applies to conditions having an adverse or potentially adverse effect on activities important to nuclear safety, industrial safety, plant reliability, or human performance, including but not limited to the following:
NMP2 51
li I ~
I
il
~ hardware failures other than normal wear and tear;
~ hardware or component malfunctions resulting from design or manufacturing deviations or defects; out-of-calibration measuring and test equipment known to have adversely or potentially adversely affected other plant equipment; non-compliances having nuclear safety significance; adverse personnel performance such as failure to follow procedures or violations of personnel safety rules or practices; radiation protection deviations;
~ PM activities not completed before late date or deferral date;
~ recurring corrective maintenance/ hardware failures;
~ human performance problems/issues; inadequate corrective actions or test failures; deviations from design document requirements (other than normal wear and tear) including station configuration discrepancies; conditions adverse to fire protection such as failures, malfunctions, deficiencies, deviations, defective components, uncontrolled combustible material, and nonconformances.
Also applicable are deficiencies, concerns, or issues resulting from regulatory agencies, industry and internal operating experience, inspections, observations or publications, reportable events to the NRC and other regulatory agencies, issues resulting from self-assessment, and issues that do not meet the above criteria but, in the opinion of management, warrant evaluation.
A DER requires a concise summary of the event or deviation, the component number, if applicable, the identifying organization and a description of any immediate actions taken to place the plant in a stable condition or to minimize personnel and equipment safety hazards.
The DER initiator then must hand-deliver the DER to his or her Supervisor. If the deviation/event could have an impact on plant equipment, is potentially reportable, or is security related, the DER is hand delivered to the SSS/Assistant Station Shift Supervisor (ASSS) for reportability and operability determinations.
52
U An operations administrative procedure establishes a method for determining the operability of SSCs. This operations administrative procedure was specifically developed to provide guidance to Operations personnel as necessary when making operability assessments of SSCs that have been identified on DERs or Work Orders as being in a degraded or nonconforming condition. Included in this procedure is an Operability Checklist which documents the decision affirming the capability of a system/component to perform its specified function as required by the Technical Specifications or the FSAR. Guidance provided in the procedure indicates that a SSC is either operable or inoperable at all times. Operability determinations are required to be performed promptly (in most cases within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />), with a timeliness that is commensurate with the potential safety significance of the issue. For SSCs in Technical Specifications, the SSS/ASSS uses the time limit contained in the specific Limiting Condition for Operation (LCO) action statement as guidance to determine safety significance.
Engineering may be requested to support an operability determination. An Engineering Supporting Analysis must be completed within 5 days of notification or as directed by the Plant Manager based on the significance of the deviation. In order to declare an SSC operable while the engineering review is being performed, operations personnel must have reasonable assurance, based on the best information available, that the SSC is capable of performing its if if design function called upon. In the absence of reasonable assurance, or mounting evidence suggests the final analysis will conclude the SSC cannot perform its specified function, the SSC is declared inoperable and the appropriate actions implemented.
When Engineering is preparing an Engineering Support Analysis, the individual must consider the following; calculations, test results and other documentation which define the SSC design basis; the potential adverse affects on safety and Technical Specification; the length of time the condition has been and will remain in effect; for each equipment function adversely impacted, the impact on related system functions; for each system function adversely impacted, the impact on any equipment or systems supported by the impacted system functions. The Engineering Support Analysis must be of sufficient depth to provide a logical and defensible basis for operability conclusions and to determine whether a 10CFR50.59 safety evaluation is required to support any operability decisions.
Guidance to determine if a deviation/event is reportable to the NRC is provided by a NIP.
The NIP provides a summary of the required NRC notifications and reports and the responsible organizations.
Following reportability/operability determination activities, the DER is delivered to the Plant Manager's office by the end of the operating shift. The plant manager, based on the significance of the deviation, assigns a category to the DER for dispositioning. The disposition to the DER requires that a Root Cause Evaluation be performed and documented in the DER ifthe threshold guidelines for performing a formal root cause are met. A formal root cause is performed for all Category 1 (highest significance category) DERs and in the event of any of the following:
NMP2 53
I ~
1 )P
~ a severe or unusual plant transient;
~ safety system malfunction or improper operation;
~ major equipment damage;
~ other events involving nuclear safety or plant reliability;
~ fuel handling or storage event;
~ excessive radiation exposure or severe personnel injury;
~ excessive discharge of, radioactivity;
'r a deficiency'in design, analysis, operations, maintenance,'testing, procedures or training that could cause a significant event as described above.
The DER procedure requires that personnel performing root cause analysis be qualified in the techniques of root cause analysis. Apparent cause determinations are used when a formal root cause evaluation is not required. Apparent or root causes are validated for potentially significant DERs by ensuring a deviation/event would not have occurred had the cause not been present, that the deviation/event will not recur due to the same causal factor(s) if the cause is corrected or eliminated, and that correction or elimination of the cause willprevent recurrence of similar conditions. The condition is assigned a Deviation Event Trend Code for tracking purposes. A disposition to the DER is then generated which includes corrective actions and for potentially significant DERs, preventive actions to prevent recurrence.
References to current and approved design documents, procedures, instructions for repairs, retest/inspection requirements, acceptance criteria, supporting sketches and documentation are included as appropriate. Ifthe DER is for an industry issuance, the potential impact on equipment documents such as vendor manuals and vendor design documents is identified. The procedure governing the DER process requires that ifa DER is a nonconformance and not corrected, the nonconformance will be assessed for impact on the UFSAR. Ifa nonconformance results in a deviation from the UFSAR, the plant manager is notified and the nonconformance must be reconciled within six months of the deviation (or earlier as determined by the plant manager). The disposition will implement the following as appropriate: 1) restore the nonconformance to compliance with the UFSAR; or 2) change the UFSAR per the NIP governing applicability reviews and safety evaluations; or 3) ifit is not possible to correct the nonconformance within six months (such as ifa plant outage is required), provide an Engineering Support Analysis that supports operation with the nonconformance for the period of time required. A nonconformance is defined as a deficiency in characteristic, documentation, or procedure that renders the quality of an item unacceptable or indeterminate. DER dispositions must be approved by the appropriate Branch Manager, and ifrequired, by the SORC and the plant manager. DERs are not closed until required disposition actions have been completed and identified deficiencies have been corrected. Final closure requires a Branch Manager signature.
NMP2 54
0 I
<we
Trend information is generated by the QA department using the Trend Codes portion of the DER database. Reports are submitted to the Branch Managers on a quarterly basis. Branch Managers are expected to investigate and evaluate trends identified, to assess their strengths and weaknesses, and to determine what types of corrective actions have been effective and where they need to improve p'erformance in their branch.
A NIP provides the administrative controls for communication of "lessons learned" information throughout the Nuclear Division. A Lessons Learned Transmittal is used when it is necessary to communicate appropriate actions that should be encouraged or inappropriate actions that must be prevented from recurring. Lessons Learned Transmittals contain a description of the event, cause of event, and lessons learned and typically result from dispositioning DERs.
An NDD governing safety reviews establishes the requirements for the'development and execution of a program for the planned, systematic review of the operation of NMPNS and to assign responsibility for implementing those requirements. Safety review organizations include the ISEG, the SORC, and the SRAB. The responsibilities for each of these groups is delineated in the plant Technical Specifications.
The ISEG group functions to examine unit operating characteristics, NRC issuances, industry advisories, LERs, and other sources of unit design and operating experience information, including units of similar design, which may indicate areas for improving unit safety. The ISEG makes detailed recommendations for procedure changes, equipment modifications, maintenance activities, operations activities, or other means of improving unit safety to the Vice President-Nuclear Safety Assessment and Support. This includes assessments of plant maintenance, modification, and operations activities as well as assessments of design bases and configuration control issues. The ISEG is composed of five, dedicated, full-time engineers located on site.
The SORC functions to advise the plant manager on all matters related to nuclear safety. The SORC is responsible for the investigation of all violations of the Technical Specifications, including the preparation and forwarding of reports covering evaluation and recommendations to prevent recurrence, to the Vice-President and General Manager-Nuclear, and to the SRAB.
The SORC is also responsible for the review of all reportable events, review of unit operations to detect potential hazards to nuclear safety, performance of special reviews, NMP2 55
4 P
investigations, or analyses and reports as requested by, the Plant Manager or the SRAB and review of safety evaluations and analyses resulting from Technical Review and Control Activities described in Sections 6.5.2.1, 6.5.2.2, 6.5.2.3, and 6.5.2.5 of the Technical Specifications.
A NIP provides the administrative controls and conduct of the SRAB to ensure that the Executive Vice President-Generation Business Group and Chief Nuclear Officer is advised on matters of nuclear safety. The SRAB is composed of a Chairman and 12 members including four non-NMPC members. The SRAB provides an independent review and audit of designated activities in the areas of plant operations, nuclear engineering, chemistry and radiochemistry, metallurgy, instrumentation and control,'radiological safety, mechanical and electrical engineering and QA. The SRAB reviews significant operating abnormalities or deviations from normal and expected performance of plant equipment that affect nuclear safety, all reportable events, all recognized indications of an unanticipated deficiency in some aspect of design or operation of structures, systems or components that could affect nuclear safety, and reports and meeting minutes of the SORC. Audits of unit activities that occur under the cognizance of the SRAB encompass, but are not limited to, the conformance of unit operations to provisions contained within the Technical Specifications and applicable license conditions, the results of actions taken to correct deficiencies occurring in unit equipment, structures, systems or methods of operation that affect nuclear safety and the performance of activities 'required by the Operational QA Program to meet the criteria of 10CFR50 Appendix B.
The QA Department reviews NMPNS's adherence to engineering design and configuration control procedures and programs. The three groups 'which specifically do this are audits,,
inspection, and Quality Verification and Safety Assessment (QVSA). The Audit Group performs audits which meet the requirements of Technical Specifications, UFSAR/USAR Appendix B and Appendix B to 10CFR Part 50. Audits are scheduled and planned based on a matrix prepared to reflect the license basis and internal requirements. In some cases audits are performed for the SRAB. Audit planning considers results from previous audits, surveillances and inspections and takes into account DERs, trends, internal and external performance information, NRC and INPO performance criteria and reports, and applicable directives and procedures. Audits are performed in accordance with the approved plans, The DER process is used to document any deviations and nonconformances identified during audit or surveillance activities. QA reviews the disposition of audit initiated DERs and follows up on their closure in subsequent surveillances and audits. Audit results are communicated to appropriate management through exit meetings and audit reports. The Inspection Group performs examinations, in process, and final inspections in accordance with codes, standards, regulations or as specified by Nuclear Engineering acceptance criteria. This group independently confirms that critical characteristics identified by Engineering meet acceptance criteria. Other inspections and examinations may be performed on selected operations where it 56
I 4
4
is deemed necessary to verify conformance to specified requirements. The DER process is used to document nonconformances.
The QA Surveillance Program is performed by the QVSA Group. Surveillance topics are scheduled based on input from other organizations, previous surveillance results, current activities, projects and program changes, DERs and regulatory commitments, upcoming audit topics and audit results. Surveillances review performance in several ways. These include process monitoring which evaluates a selection of ongoing work activities to determine effectiveness and conformance to requirements, product review which reviews selected operations, maintenance, engineering and support group work outputs to evaluate quality and technical content, and component configuration review which evaluates the continuing design control of selected plant hardware by reviewing current configuration against the design basis and subsequent design changes and replacements. The DER process is used to document any deviations and nonconformances. Also, the effectiveness of the operations experience program (screening and implementation) is periodically reviewed during QVSA surveillances and QA audits.
Several organizations, including INFO, ANI, and ANII, provide third party reviews for the NMPNS. NMPC personnel are responsible for interfacing with these organizations and documenting their findings on DERs as discussed above. INPO evaluations currently review the NMPNS using INPO Criteria 90-015, "Performance Objectives and Criteria for Operation and Near-term Operating License Plants." ANIIevaluations review the plants'esign conformance and maintenance of ASME Section XI. An ANIIInspector is assigned full time to NMPNS. This inspector verifies that, as needed, the required ASME examinations, system hydrostatic testing, and repairs are performed and documented correctly. Findings are documented and resolved using the DER process. ANI evaluations are done to determine insurance premiums. The NMPNS adherence to codes and design criteria are specifically reviewed. The evaluations are broken into two parts,'ire Protection and Pressure System (Boiler and Machinery). Findings from the ANI evaluations are documented and resolved using the DER process. The ANI reviews the resolution of each of its findings and evaluates them to determine if they were acceptable for closure.
A NIP establishes the self-assessment program to achieve higher standards of quality and performance. Each nuclear division branch manager ensures that at least two branch self-assessments are performed annually. At least one self-,assessment normally involves an assessment of the corrective action program to determine if adverse conditions and common causes receive appropriate management attention, and that causes from previous self-assessment findings were addressed and actions taken were effective'. Areas to be considered when developing self-assessment schedules include activities that exhibit negative trends based on information'rom the DER database. The assessor ensures a DER is generated for self-assessment findings that meet the DER initiation criteria. Further, branch managers meet with the Senior Management Team to review the results of their findings. The results, methods, 57
and planned corrective actions are discussed with'the Senior Management Team to assure the adequacy of the assessments and resultant corrective actions.
Surveillance testing and plant examinations as required by the Technical Specifications and the ASME Code are an additional means of verifying equipment is capable of performing its intended function and identifying problems. Surveillance testing and examinations are discussed in our response to Requested Action (c).
Senior management has stated that they support the workers'ight to raise safety issues and that those workers who raise safety concerns "willnot be subjected to harassment, intimidation, or discrimination. Senior management recognizes that the preferred vehicle for most employees for identification and resolution of concerns is through the normal line organization.
Senior management provides support to line supervision in addressing concerns raised through the normal line organization. Notwithstanding resolution of problems in the normal line organization, senior management also provides for and supports a confidential employee concerns program to address concerns raised by workers. A NIP governing the Q1P provides the administrative controls for the confidential reporting of concerns and subsequent evaluation and corrective action. This procedure applies to NMPC employees and contractors having safety, quality, and nonsafety-related concerns.
In addition to the reporting activities controlled through the DER process, NMPC maintains a positive and professional working relationship with NRC personnel through forthright communication of identified problems and the actions taken to thoroughly evaluate and correct such deficiencies.
NDDs and NIPs establish a primary interface with the NRC through the Licensing Branch with certain exceptions, Training, emergency preparedness and security, have direct NRC interfaces. The Plant Managers are designated to have the primary interface with the NRC Resident Inspector(s). Each organization or position has defined responsibilities to manage their respective interfaces for various forms of communication. First, formal interfaces include on-site inspections or investigations, technical or management meetings, and telephone conferences in response to requests for information on any issue. Secondly, informal communications are initiated to provide pertinent information "to the Resident Inspector or the Nuclear Reactor Regulation (NRR) Project Manager concerning situations that would not otherwise require reporting. In addition, as part of their overall management responsibilities, the Plant Managers routinely meet with the Resident Inspection Staff to keep them apprised on the status of plant operations and developments on specific issues, including the resolution of identified deficiencies. Other senior managers do the same periodically for issues in their respective functional areas.
58
II The Licensing staff routinely assists and advises the Plant Managers with respect to their site NRC interface, and maintains a normal interface with the NRR Project Manager on licensing matters requiring Staff involvement. Typically, this includes license amendment applications, GL and Bulletin response reviews, and resolution of a variety of technical issues. In addition, Licensing regularly advises each NMPC department on license bases issues to assure that problem identification and corrective/preventive action specification are consistent with that bases, the regulations and NMPC commitments.
The procedures also assure written communications, including incoming and outgoing correspondence, meeting minutes, and reports, are appropriately distributed, reviewed, and addressed. In addition, procedures provide for outgoing correspondence to receive a thorough management review prior to submittal to ensure its accuracy. NMPC maintains a process for tracking docketed commitments contained in such correspondence (both incoming and outgoing) to assure they are completed in a timely manner (i,e., NCTS)." While the NCTS system focuses on docketed commitments, the DER system tracks the completion of other associated actions.
Station personnel have received training on the DER procedure and as procedure revisions are made, follow-up training is conducted within the individual departments. Station personnel also receive appropriate reportability training related to their specific job function (e.g.,
Operations receive 10CFR 50.72, 50.73 training). Various station personnel have attended formal Human Performance Evaluation System (HPES) root cause training and similar training (e.g., barrier analysis, etc.) and are capable of performing a root cause determination. The DER procedure currently requires that the appropriate Branch Manager ensure a Root Cause Evaluation is performed, when required, and that the individual assigned is knowledgeable in the techniques of Root Cause Analysis. SORC and SRAB members receive Safety Evaluator training and Qualified Applicability Reviewer Safety Evaluator (QARSE) requalification training. QARSE training is extensive with the initial training session lasting three days and continued training lasting four hours every two years. Approximately 400 NMPNS employees are trained (as QARSE) including members of each operating shift.
59
Describe the overall effectiveness of your current processes and programs in concluding that the configuration of your plant is consistent with the design bases.
Based upon the information presented in our responses to Requested Actions (a), (b), (c), and (d), NMPC has evidence that reasonable assurance exists that design bases requirements are being translated into the appropriate. procedures; that SSCs configuration and performance are consistent with their design bases; and that an effective administrative, tool for documenting, evaluating, determining cause and appropriate corrective and preventive actions exists at NMPNS (i.e., the DER system).
As discussed in our response to Requested Action (c), during the design, construction and startup ofNMP2, a rigorous QA Program was applied. This program included procedures and processes consistent with 10CFR50, Appendix B requiring proceduralized design controls. These design controls were to assure design adequacy and checking processes used throughout construction and testing confirmed that Engineering requirements were implemented. The NMP2 initial test program and Power Uprate demonstrated that plant SSCs operate in accordance with the design performance requirements. This was demonstrated while utilizing, to the extent possible, plant procedures and demonstrating where practical that the plant is capable of withstanding anticipated transients and postulated accidents.
Surveillance testing and examination programs have been implemented since initial startup. These tests and examinations are formalized by procedures to assure that surveillances and tests required by the Technical Specifications and other regulatory commitments are established. These tests and examinations provide a primary basis to assure that performance of systems meet design bases requirements. Additionally, post-maintenance and modification testing is routinely performed to assure that design bases requirements continue to be met following maintenance and modification activities. Pressure retaining components are also routinely tested using in-service inspection and testing programs. In addition to confirming that SSCs meet acceptance requirements, these testing programs provide a mechanism to identify deficiencies using the DER process.
4 Power ascension testing was performed at NMP2 as part of the 4.3% power uprate effort implemented in 1995. SSFIs have been conducted to determine ifselected plant systems are capable of performing intended functions. Industry Operations Experience is also routinely applied to further and more specifically evaluate NMP2's performance and the plant's conformance with design bases.
These types of activities, coupled with our corrective action, program, assure routine problem identification and evaluation of as-built conditions and test results. This provides reasonable assurance that the current plant performance and configuration are adequately consistent with the design bases.
'0
As discussed in our response to Requested Action (b), administrative procedures establish requirements for the preparation, review, and approval of technical procedures. Technical procedures implement requirements for the operation, maintenance and testing described in the Operating License, Technical Specifications and UFSAR.
During the initial development, review and approval of operating, maintenance, and testing procedures, a review of design documents was conducted. This review encompassed design drawings, Design Specification Data Sheets, vendor manuals, Test Loop Diagrams, Technical Specifications, and the FSAR. Additional technical reviews included design walkdown verifications, and in the case of preoperational test procedures, review of applicable engineering design calculations to assure that the as-built system met design requirements.
Design values for various parameters were included throughout the initial technical procedures.
Following the approval of initial operating, maintenance, and test procedures, technical accuracy of the procedures was maintained through program controls for procedure revision and periodic review. These programs have been continually strengthened over time.
NMPC has utilized knowledgeable and appropriately qualified individuals to develop, review, approve, and revise procedures. Program requirements have been in place since initial development of procedures. These programs have been enhanced, over time, to improve the effectiveness of the development, review and approval process. The training program and other administrative requirements assure that personnel assigned to perform these functions are competent to perform those tasks. This assures that NMPC can effectively implement program requirements associated with the development, review, approval and r'evision of administrative and technical procedures.
Also discussed in our response to Requested Action (b) were some of the assessments and initiatives used to provide assurance that design basis requirements are translated into procedures. This includes the SVP, UFSAR Verification Program, QA audits, and Operations Experience items.
As discussed in the response to Requested Action (a),'xtensive programs and controls are utilized at NMPNS to assure that design basis information'is accurately maintained and updated as conditions warrant. Procedures are updated to reflect changes in design, corrective actions (identified by the corrective action program), industry operating experience, and changes to source requirements.
In addition, NMPC has conducted "Back-to-Basics" training for NMPNS personnel. "Back-to-Basics I" provided training on licensing basis documents and operation within the licensing basis. Also discussed was the expectation that ifwork cannot be performed within the control of a procedure, the work should be stopped and a resolution obtained before work continues.
"Back-to-Basics II" was conducted to assist organizations in understanding how Back-to-Basics relates to their specific jobs. This training included a description of our licensing basis and discussions of 10CFR50.59 and 50.92, commitments made to operational experience items, RGs, industry standards, and the process for changing commitments. Also, a definition of operability with an emphasis on post-accident function, reportability, and how various NMP2 61
activities interact with the design basis was included. The effectiveness of this training and the resulting increased awareness by plant personnel to design basis issues can be seen in the low'er threshold at which configuration and design control issues are being reported via the DER system. A discussion of design basis deficiencies trends is included in our response to Requested Action (c). Also, the majority of plant engineering, plant technical staff, and others in management and technical positions are trained on 10CFR50.59 and qualified as Applicability Reviewers/Safety Evaluators and are required to complete a requalification every two years.
The effectiveness of our current processes and programs which assure that the plant configuration is consistent with the design basis are assessed o'n an ongoing basis. These assessments, which include testing activities, functional inspections, compliance verification projects, audits and surveillances, and line management self-assessments, provide an overall indication that NMP2 is operated within its design bases and that our processes and programs are effective. NMP2 UFSAR verification effort, which is scheduled for completion by the end of 1998, willprovide an ongoing assessment of design basis related inadequacies. Also, NMPC has reinforced the importance of maintaining consistency with our design basis through "Back-to-Basics" training as well as 10CFR50.59 training. On the basis of our programs, processes and assessment activities, NMPC has reasonable assurance that the configuration of NMP2 is consistent with its design basis.
62
ENCLOSURE 1 DESIGN CONFIGURATION DOCUMENTS LIST 1.O DESIGN INPUT DOCUMENTS Design Input Statements - Generated and/or approved by Nuclear Engineering 2.0. DESIGN OUTPUT DOCUMENTS DATABASES 2.1 Drawings - Generated and/or approved by Nuclear Engineering 2.2 Specifications - Generated and/or approved by Nuclear Engineering. The scope and content of these specifications vary by topic as follows:
2.2. I .
Installation 2.2.2 Design 2.2.3 Fabrication 2.2.4 Procurement 2.2.5 Inspection and Testing 2.2.6 . Configuration Control I
2.3 Change Paper - Engineering generated and/or approved changes to Eng>neering documents or databases 2.4 Databases needed to maintain plant configuration, such as:
~ Master Equipment List (MEL) - Data fields maintained and/or approved by Nuclear Engineering
~ Cable Configuration and Tracking Systems
~ Validated Master Parts Lists 2.5 System Design Basis Documents (SDBDs) - Generated and/or approved by Nuclear Eng>neering 2.6 Setpoint Data Sheets Approved by Nuclear Engineering 2.7 Programs and Plans - Approved by Nuclear Engineering and that specify lant configuration details, such as Erosion/Corrosion, Appendix J esting, etc.
3.0 DES G OC DOCUM NTS DATABASES Calculations - Approved or accepted by Nuclear Engineering Controlled Document System (CDS) 4.0 OTHER DESIGN-RE ATED DOCUMENTS Vendor DOcuments - Engineering accepted
ENCLOSURE 2 DESIGN INPUT CONSIDERA IONS Each discipline or program area shall consider the following as a minimum in the development of design input. Discipline Design Input criteria may be used in conjunction with the considerations and are the responsibility of the discipline/program to maintain and use.
Design bases, including available System Design Basis Documents (SDBDs) and Design Criteria Documents (DCDs)
Regulatory requirements Codes and Standards, including issue, rev.
Basic system, structure or component (SSC)
Functions Performance requirements Design Conditions Loads Operating Experience reviews and assessments, such as DER trending, NRC SOERs, INPO NPRDS and others Anticipated Environmental conditions (internal and external to the plant) during:
~ Normal Plant Operation
~ Anticipated Transients
~ Accidents
~ Special Evolutions Functional and physical interfaces of SSCs Material Requirements, compatibility, coatings, etc.
Mechanical requirements Structural requirements,.including seismic/dynamic qualification Hydraulic requirements Chemistry requirements Electrical requirements, including process computer requirements Layout and arrangement requirements Instrumentation and Control requirements Access and Administration control requirements Redundancy, diversity, separation requirements Failure Modes and Effects Analysis (FMEA)
Test requirements; pre-operational and periodic Accessibility, maintenance, repair, inservice requirements Personnel qualification requirements for operation, maintenance, testing .
Transportation requirements Fire protection requirements Handling, storage, cleaning requirements Other requirements to prevent undue risk to public Materials, processes, parts, equipment suitability Personnel safety requirements, electrical, radiation, heat, confined space, etc.
guality and quality assurance requirements 64
ENCLOSURE 3
= '"":DESIGNCHANGE 'OPERABILITY ACCEPTANCE Design Change Control Number 1.0 - Initiation 1.1 Title 0 Partially Accepted Review approved.
1.2 The following final Safety Evaluations/Applicability Review for this design change ere SORC/Technical SE/AR Numbers: Revision:
1.3 The following WOs have been completed 1.WO '.WO 5.WO 7.WO B.WO 11. WO
- 2. WO 2.0 - System Engineer 2.1 0 The tests listed on the Design Change Test Record have been completed, reviewed, and approved. 0 Not Applicable 2.2 The following procedures were revised by this design change. 0 Not Applicable Number Title
.3 0 Required training is completed or in progress. 0 Not Applicable 2.4 Completed By Date 3.0 - Modification Coordinator 3.1 The following Technical Specification was revised by this design change. 0 Not Applicable Section Title 3.2 0 Risk Basis design change documents have received final Engineering approval. 0 Not Applicable 3.3 0 Control Room Critical Drawings have been updated to reflect installed condition. 0 Not Applicable 3.4 Comments 3.5 Completed By Date 4.0 - Acceptance for Operation Manager/General Supervisor Operations or designee Date 65
ENCLOSURE 4
'"'-: '""DESIGN CHANGE 'CLOSEOUT Design Change Control Number 1.0 - In'ation
~ ~
1.1 Title 1.2 Major Order No. Account Code 1.3 Remarks 1.4 Operability Acceptance Date Required Completion Date 1.5 Modification Coordinator Date 2.0 Closeout Activities {Sign when activity is complete and return to Modification Coordinator)
Action Completed By Date No. Department Closeout Activity N/AVI 2.1 Modification Coordinator Site Document Log Closed 2.2 Plant Accounting Property-In-Service Rept. Completed & M.O. Closed 2.3 Stores Major Order Overstock Dispositioned 2.4 Technical Support NPRDS Coordinator Informed 2.5 ISI-Installer ISI Req Satisfied/(NIS-2) 2.6 ISI/IST Nuc. Engineering ISI/IST Program Revised
.7 IST-Tech Support/Ops IST Req Satisfied/Procedures Revised All Operations Proc/STs Revised/Markup Database
.8 Operations Revised/PM ST 2.9 Training Reviewed for incorporation into Training Program 2.10 Training Simulator Evaluated 2.11 QA QA Files Closed 2.12 Project Engineer Final Design/Safety Evaluation Reviewed 2.13 ALARA ALARA Review S-AIP-2, Job Reviews Complete 2.14 Mechanical Maintenance All Procedures Revised/PMs Required/PMST Revised 2.15 Electrical Maintenance All Procedures Revised/PMs Required/PMST Revised 2.16 Instrument & Control All Procedures Revised/PMs Required/PMST Revised 2.17 Fire Protection All Procedures Revised/PMs Required/PMST Revised 2.18 Modification Coordinator Other Required Procedure Changes Completed 2.19 System Engineering Post-Operability Acceptance Testing Completed 2.20 Technical Support Changes evaluated against maintenance rule requirements 2.21 Mechanical Design P&ID's updated for significant changes (Unit 1 only) 2.22 Radwaste Operators All Radwaste Operations procedures revised and markup database revised/PMST 3.0 Closeo t Com letion 3.1 Closeout Activities Complete: Modification Coordinator Date
.2 Database Updated and Records sent to Permanent File Date 66
ENCLOSURE 5 hl Y NAGARA II0 MOHAWK NUCLEAR ENGINEERING D A ANC ISK DDC C A field variance, l6iILE ifORK IS IN PROGRESS, to approved design documents or change documents may be issued on a "risk basis" if the following criteria is satisfied.
The requested field variance shall NOT:
A. Extend the scope of a design or configuration change..'
B. Alter the intent (purpose as described in the applicability review or safety evaluation) of a design change or plant procedure.
C. Affect the Design Input/Impact Assessment.
D. Alter the acceptance criteria beyond the range defined in the controlling design or plant documentation.
E. Alter the function of equipment from that defined in the controlling
.design or plant documentation.
F. Be irreversible.
67
ine i e oint nit an nit
~ ~
Specific commitments made in response to NRC Request for Information Pursuant to 10CFR50.54(f) Regarding Adequacy and Availability of Design Bases Information.
~
Complete a UFSAR Verification Program by the end of 1998, as described in our response to Requested Action (b).
Complete a UFSAR Verification Program by the end of 1998, as described in our response to Requested Action (b).