ML18094B204
| ML18094B204 | |
| Person / Time | |
|---|---|
| Site: | Salem  |
| Issue date: | 12/05/1989 |
| From: | Swetland P NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION I) |
| To: | |
| Shared Package | |
| ML18094B203 | List: |
| References | |
| 50-272-89-25, 50-311-89-23, NUDOCS 8912210149 | |
| Download: ML18094B204 (9) | |
See also: IR 05000272/1989025
Text
Report No.
License
Licensee:
Facility:
Dates:
Inspectors:
Approved:
U. S. NUCLEAR REGULATORY COMMISSION
REGION I
50-272/89-25
50-311/89-23
Public Service Electric and Gas Comp~ny
P. 0. Box 236
Hancocks Bridge, New Jersey 08038
Salem Nuclear Generating Station - Units 1 and 2
November 17 - 29, 1989
K~thy Halvey Gibson, Senior Resident Inspector
Stephen M. Pindale, Resfdent Inspector
df3?p~*
P. 0. Swetland, Chief, Reactor Projects
Section 2A
Inspection Summary:
Inspection 50-272/89-25; 50-311/89-23 on November 17-29, 1989
Areas Inspected:
Special inspection to review the circumstances and licensee
response to the identification of an Emergency Core Cooling System single
failure vulnerability.
Results:
Installation of modifications in .late 1987 for Units 1 and 2 which
introduced a single failure vulnerability is an apparent violation of 10 CFR
50.59.
The subsequent failure of the onsite review committee to identify that
the proposed procedure changes to mitigate the concern contained a similar
unreviewed safety question is also an apparent violation of 10 CFR 50.59.
Further, the licensee did not properly follow their policy for implementing
Technical Specification 3.0.3 requirements.
An enforcement conference was
scheduled to review this occurrence and the conditions under which the Emergency
Core Cooling System may have not been able to perform its safety function during
previous plant operation.
8912210149 891205
ADOCK 05000272
Q
2
Details
1.
Overview
2.
On November 17, a licensee engineer completed a*review of a safety-related
valve tontrol circuit and identified that the residual heat removal (RHR)
system cold leg injection isolation valves (SJ49) were vulnerable to a
single failure which could result in a signific~nt reduction in core
cooling flow due to a premature inadvertent valve closure.
Such a failure
would reduce the low pressure/high volume core cooling flow to less than
that assumed in the plant design bases.
Each unit has two such valv~s (11
and 12SJ49 for Unit 1 and 21 and 22SJ49 for Unit 2).
The engineer
determined that a design change, implemented in late 1987 modified the*
valve control circuitry and introduced the single failure vulnerability.
At the time of discovery, both Units 1 and 2 were operating at full reactor
power.
Accordingly, the appropriate Technical Specifications (3.0.3) were
entered.
The Station Operations Review Committee (SORC) subsequently
approved a resolution plan, and. Technical Specification 3.0.3 was exited
wnen the actions were implemented.
On November 20, a fo 11 owup review by the NRC i dent i fi ed that the 1icensee
1 s
corrective actions were inappropriate and the RHR system was still vulner-
able to the same single failure.
A coriference call was held between PSE&G
. and NRC personnel on November 20, and PSE&G agreed to revise the corrective
actions t~ address this concern. On November 21, the licensee 1s SORC
approved the alternate plan, which was then fully implemented.
System Description
The low.pressure portion of the emergency core cooling system (ECCS) is
the RHR system.
During the injection phase of a loss of coolant accident
(LOCA), the two RHR pumps are designed to inject borated water from the
refueling water storage tank (RWST) into the four reactor coolant system
(RCS) cold legs.
During the recirculation phase, the RHR pumps are re-
aligned to take a suction from the containment sump, and provide water to
the charging pump (high pressure system) and safety injection pump
(intermediate pressure system) suctions, the containment spray system, and
the RCS via the four cold legs or two hot legs.
Each of the two RHR system trains have a motor-operated SJ49 valve in its
RCS cold leg injection flowpath.
Each SJ49 in turn*provides ECCS flow to
two RCS cold legs.
Injection to three RCS cold legs is required by the
Salem design bases.
The SJ49 valves are normally open and are not redun-
dant during the injection phase since an inadvertent closure of either one
3
would isolate ECCS flow to two RCS cold -1egs.
In 'the post LOCA recir-
culation phase with containment spray required, one of the two SJ49 valves
is closed by plant operators to provide the containment spray flowpath.
Therefore, since only one of the two SJ49s i~ required to be closed in the
recirculation phase, the valves are redundant for this safety function.
To preclude inadvertent actuation, the SJ49s are provided with a control
power lockout.
The lockout switch which isolates the valve motor closing
coil from the control logic was required by the NRC during initial plant
licensing. Two distinct operator actions are therefore required to close
the valve; removal of the control power lockout and then pushing the close
button from the control room console.
A control room alarm annunciates
when an SJ49 valve moves from its full open po~ition.
3.
SJ49 Circuitry Modification
The SJ49 control circuitry was modified in approximately December, 1987
due to degraded bus voltage concerns.
The modification (OCR Nos. lEC-2295
for Unit 1 and 2EC-2295 for Unit 2) added an interposing relay for each
control circuit to provide a contact to energize the open and close
cbntactors.
Under the previously existing arra~gement, the long cable
runs in the permissive contact wiring fed directly to the contactors.
The
high in-rush current required to operate the closing coil resulted in a
significant voltage drop.
During postulated degraded bus voltage *
conditions, the available voltage may have been insufficient to energize
the closing coil.
Therefore, an interposing relay, requiring a smaller
.in-rush current, was added to significantly reduce the voltage drop.
The
new circuit leg containing the contact associated with the interposing
relay was the location that was vulnerable to a single failure, which could
- inadvertently close the valve.
See Attachment 1 to this report for a
simplified drawing of the existing and modified control circuits.
4.
Regulatory Regui rements
Part 50.59 of Title 10 of the "Code of Federal Regulations" allows a
licensee to make changes in the facility as described in the safety
analysis report without prior NRC approval, unless the proposed change
involves an unreviewed safety question.
Criterion 35 of Appendix A to Part 50 of Title 10 of the "Code of Federal
Regulations
11 requires that sui~able ~edundancy in components and features,
and suitable interconnections shall b~ ~rovided in the Emergency Core
Cooling System to assure that the system safety function can be accom-
plished, assuming a single failure.
Technical Specification 3.0.3 requires thai when a L miting Condition for
Operation is not met except as provided in the assoc ated Action statements,
4
within one hour action sh~ll be in1tiated to place the unit in a Mode in
which the specification does not ~pply.
5.
Sequence of Events
On November 14, a potential single failure vulnerability in the SJ49
,
control circuit was identified by a .licensee engineer.
During a licensee
component classification effort for the_computerized equipment data system,
the Managed Maintenance Information System (MMIS), several components were
character*ized as "safety significant-zero," which is defined as a non-
redundant component.
Such components as the reactor vessel and the
containment building, as well as the SJ49 valves were classified as safety
significant zero (SSZ).
The licensee's Engineering Department was in the
process of evaluating all SSZ components to verify their acceptability.
Station personnel were contacted on November 14 to discuss the potential
problem~ However, several questions were identified and the engineering
personnel agreed to reevaluate the concern.
In the interim, Operations
Department personnel proposed corrective actions should the concern be -
valid. *Following the reevaluation, the engineers concluded that a
postulated single failure of a contact in the SJ49 control circuit was a
valid failure which must be resolved.
The post~lated failure (short-
circuit) of the new circuit leg in question would cause the SJ49 valve to
close irrespective of the position of the valve control power lockout
switch or the console pushbutton in the control room.
At 3:50 p.m. on November 17, the licensee entered Technical Specification (TS) 3.0.3 due to a postulated single failure that could terminate emer-
gency core cooling system (ECCS) injection flow to two reactor coolant
system (RCS) cold legs.
The design basis of Salem 1 and 2 assumes a
minimum of three cold leg injection flow paths from the residual heat
removal (RHR) system to mitigate the consequence of a design basis actident.
The licensee's proposed correcti~e actions included 1) tagging the SJ49
breakers in the open position, 2) revising the Emergency Operating
Procedures- ( EOPs) to dispatch an oper'ator to remove the tags and restore
power to the appropriate SJ49 motor breakers (EOP-TRIP-1), and 3) conduct
briefings with all onshift and oncoming shift operations personnel de-
scribing the concern and associated required corrective actions.
The
Station Operations Review Committee (SORC) reviewed and approved the
proposed actions on November 17.
As the one hour time limit allowed by TS 3,0.3 was approached, pl_ant-
operators questioned whether a shutdown should be commenced per TS 3.0.3
requirements.
Licensee management directed the operators not to exit TS 3.0.3 until the revised EOPs have b~en fully implemented, but not to reduce
6.
5
load sinae the EOPs would soon be forthcoming.
The revised EOPs were sub-
sequently implemented and Unit*l exited TS 3.0.3 at 5:31 p.m. and Unit 2
at 5:35 p.m.
All other.actions, including tagging open the required
breakers, SORC approving the EOP revisions and conduct of the shift
briefings were completed before one hour had passed while in TS 3~0.3.
On November 20, a conference call was held between NRC. and PSE&G personnel.
The NRC questioned the licensee as to whether their corrective actions had
properly resolved the single failure vulnerability. Specifically, if the
postulated single failure were to occur between the time of opening and
tagging the SJ49 breaker and when an operator would close the breaker as
directed by the revised EOP-TRIP-1, tne SJ49 valve would immediately close
upon breaker closure and ECCS injection flow would be lost to two RCS cold
legs.
Further, the same failure could potentially occur during the time
following the breaker closure, but before a control room operator would
intentionally attempt to remotely close the SJ49 as.directed by EOP-LOCA-3
(during transfer to recirculation mode of cooling).
The licensee later
determined that this time period could have been in excess of 30 minutes
based upon a simulator walkthrough.
The_ licensee agreed to reevaluate the
existing corrective actions.
Following the conference call, the licensee's newly proposed actions were
to revise EOP-LOCA-1 to direct Operations to station a field operator at
the appropriate SJ49 cubicle to be ready to close the breaker when requir-ed
by EOP-LOCA-3.
EOP-LOCA-3 was also revised to direct control room operators
to direct the field operator to close the breaker just prior to attempting
to remotely close the valve.
This action would preclude an existing short
circuit from prematurely (during the injection phase) closing the SJ49
when the breaker is closed.
The above actions were reviewed and approved
by SORC and implemented by Operations personnel.
Station operators were
info~med of the revised actions, and EOPs were revised, ap~roved and
implemented.
Licensee C~rrective Actions
Licensee immediate. coriective actions of this licensee identified concern
included:
1)
2)
3)
4)
5)
6)
Clear and tag the SJ49 motor breakers
Revise EOPs
Revise operator log sheets to require shiftly surveillance of the
SJ49 motor breakers.
Conduct briefings with onshift and oncoming shift personnel
SORC apprQve EOP changes
Implement EOP changes_
6
Following the November 20 conference call, revised corrective actions were
proposed and implemented on November 21.
On -November 22, a Justification
for Continued Operation (JCO) was reviewed and approved by the SORC.
The
JCO proposed three recommendati.ons to permanently resolve the postulated
single failure.
Those included 1) develop a modification which satisfies
both the single failure criterion and the degraded bus voltage concerns,
2) review the degraded bus voltage evaluations to determine whether
assumptions were overly conservative such that the original design could
be restored, or 3) develop an evaluation to justify the existing con-
figuration by demonstrating the postulated single failure is not a credible
failure.
This action will be completed no later than start-up from the
next refueling outage.
In addition, the licensee verified that the other valves with power lock-
outs were not similarly affected .
. 7.
Inspection Activities and Results
The inspector reviewed design change packages, TS requirements, the Safety
Analysis Report, and held discussions with licensee personnel.
The in-
-spector determined that the event was reported in accordance with
10 CFR 50.72 reporting requirements, and concluded that the revised interim
corrective actions implemented on November 21 were adequate to resolve the
single failure concern in the short term.
The inspector noted the licensee's continuing efforts to identify safety
concerns resulted in the self-identification and appropriate escalation
of this issue.
The NRC strongly supports such licensee efforts, which
- reflect the organization's questioning attitude and safety-conscious
perspective.
The inspector concluded that the following apparent violations of
10 CFR 50.59 existed.
Failure to identify that DCRs lEC-2295 for Unit 1 and 2EC-2295 for
. Unit 2 contained an unreviewed safety question in that the DCRs
introduced a potential single failure which could have jeqpardized
the ability of the ECCS systems to perform their safety function in
the event of a LOCA.
Failure of the SORC to identify that proposed changes to
EOPs on November 17 contained an unreviewed safety question
in that_the changes did not completely resolve the single
failure vulnerability.
The above two concerns will collectively be tracked as NRC Open Item
No. 50-272/89-25; 50-311/89-23.
7
Station operators are provided guidelines in the form of Operations
Directives (ODs) which document station management's position and *
interpretation of selected TSs.
OD-12, Revision 10 (2/10/86) provides
such a position on TS 3.0.3, which states that
11 to show intent of
compliance with this requirement, load should be reduced immediately at a
rate determined by the senior shift supervisor, however, if it is l~keJy
that compliance with the Action Statement can be achie~ed within one hour,
load does not have to be reduced.
11
On November 21, the station operators, as directed by plant management,
did not appear to properly implement the guidance provided in OD-12, in
that actions were not taken to initiate~ plant shutdown within one hour
of entering TS 3.0.3 or during the subsequent 40-45 minutes that the units
remained in TS 3.0.3. A similar incident relative to entry into TS 3.0.3
due to inoperable nuclear instrumentation occurred on November 9, 1989.
That event is detailed in NRC Inspection Report 50-272/89-27.
Resolutio~
of this NRC concern will be documented in the follow up to that inspection.
8.
Exit Meeting
On November 30, the inspectors met with the licensee ~o discuss the
inspection findings.
In particular, the two potential violations were
discussed as well as the fact that the licensee's initial corrective
actions had not properly resolved the single failure vulnerability.
The
inspectors indicated that an enforcement conference would be convened at a
future date to discuss the issues.
"\\\\-
...L.N /,*/'J£ 8REf1kER
.J
- - --- --. T-- ---- -, ,
/}1o To I?
J \\\\
I
'
\\
(no/o R
CoJoJTA c_ TC .R
\\
\\
I
I
I
- 1
I
I
I
/ICt/Ae:.
c [) N TA d I
11J ~ .. I E i{
'-* '
~
Tl
'--t---.. ..,, ~ f G"C/t(.; l' ft I
l-ock. o l< r
-::> , r:--,,'-01_,., o ?! ~Q 7
T ,
I J.1'a.1w_;J37 3
x
,___...____.,
'
-'-
Av ...1 .' n-:J ~.1 ~ 'J
Io ~,.l. -;..i a')
'r:f:J(Y)~cf
IO't//NO";)
~v /\\ s11 I
I
f
I
' ' ' '
' '
'
\\.
\\ ..
' I
,
.
J_ . I
' - -- - - -~ - - - - -+
TTT
07 ()