ML20134F038
| ML20134F038 | |
| Person / Time | |
|---|---|
| Site: | Crystal River  |
| Issue date: | 10/28/1996 |
| From: | NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION II) |
| To: | |
| Shared Package | |
| ML20134E989 | List: |
| References | |
| 50-302-96-13, NUDOCS 9611040233 | |
| Download: ML20134F038 (46) | |
See also: IR 05000302/1996013
Text
?. e, -
.
U.S. NUCLEAR REGULATORY COMMISSION
REGION ll
l
Docket No.: 50-302
License No.: DPR-72
Report No.: 50-302/96-13
Licensee: Florida Power Corporation
Facility: Crystal River 3 Plant
Location: 15760 West Power Line Street
Crystal River, FL 34428-6708
Date: September 19 - October 9,1996
Inspectors: B. Crowley, Lead Inspector
T. Cooper, Resident inspector
L. Stratton, Security inspector
Approved by: A. F. Gibson, Director l
Division of Reactor Safety
{
Enclosure
9611040233 961028
PDR ADOCK 05000302
G PDR
_, . _ .
-- _ - . _ - - - - . - - - . _ . - - - - . - _ - - -
- .
4
i
j EXECUTIVE SUMMARY
j Crystal River Nuclear Plant
] NRC Inspection Report 50-302/96-13
4
!
l
$ A chronological Sequence of Events for previous 1A Emergency Diesel General (EGDG)
j cooling fan gear drive lube oil strainer problems and for the foreign material (penny) found in ,
- the strainer on September 19,1996, was established by the inspectors. The Sequence of {
! Events is documented in Attachment A to this report.
l
l Overall, the licensee's response to the potential tampering event discovered on
i September 19,1996, was satisfactory.
Y
i On September 19,1996, the licensee identified that the lube oil strainer for the 1A EGDG
l cooling fan gear box had a coin (penny) under the strainer screen. The licensee's
[ documented evaluation concluded that the penny most probably entered the strainer
l accidently when a mechanic, who carried the strainer screen in his pocket along with loose
i change, re-installed the strainer screen into the strainer body without inspecting it for foreign
! objects.
1
{ The practice of transporting small safety-related components, without any identification or
protection, as was done with the strainer screen, is considered a poor work practice.
, The inspectors concluded that site managemt nt appropriately pursued identification of the
j cause for the penny in the lube oil strainer.
!
! Following extensive reviews by the licensee ani independent verifications by NRC, the
! inspectors concluded no evidence of tampering had been identified. l
l
l The Corporate investigative staff adequately reviewed the event and other previo s problems
i to ensure that any potential tampering events had been fully evaluated. They cori luded that
! the penny most probably entered the strainer accidently and there was no evidence that
i suggests a pattern of tampering at the facility.
l The licensee was able to successfully restore the EGDGs to operable status on
i September 20,1996.
s
The inspectors concluded that tampering with EGDG-1 A cooling fan gear box lube oil strainer
- could not be conclusively ruled out based on the existing evaluation documentation.
i )
However, as concluded by the licensee's investigation, the penny most likely entered the !
strainer by accident during installation of the strainer screen after removal for measurements i
on September 15,1996.
The inspectors concluded that the licensee adequately evaluated other systems for signs of
tampering and correctly concluded that no additional signs of tampering were evident.
i
!
l
I
. _ _ _ . _ . - . _ _ - _ _ _ _ . _ _ _ . _ _ _ _ _ . _
'
'
.
.
l
~
l
2
'
The inspectors concluded that there was no evidence of additional potential tampering and
that the licensee had adequately evaluated the plant problem reports and other
documentation for additional examples of potential tampering.
'
The licensee appropriately identified actions to be taken to enhance detection of additional
i tampering.
The licensee was in compliance with the Physical Security Plan (PSP) with respect to fitness
for duty, personnel access authorization, criminal history checks, and access control of vital
areas. The licensee appropriately recorded the suspected tampering event in the Safeguards
Event Log, as required by 10 CFR 73.71, " Reporting of Safeguards Events," Appendix G.
Attachment C contains information provided to Crvstal River site management by NRC to
assist in the licensee's response to the events. The attachment contains NRC Information
Notice (IN) 83-27 conceming deliberate acts directed against plant equipment and intemal
NRC guidance for plant system check out following suspected sabotage.
l
l Attachment D contains a graphical representation of the lube oil strainer and copies of
l
'
photographs of the strainer screen as found on September 19 and as photographed on
September 15 before re-installation into the strainer body.
!
l 1
j
1
L
l >
i
I
l
l
!
1
.
,
_ - _ _ . - __- - .- __ _- _ _ . ._ _ __ . .-
'
i
i e
Report Details
02 Operational Status of Facilities and Equipment
O2.1 PotentialTamoerina Event
On September 19,1996, the licensee found a coin (penny) under the strainer screen of the
lube oil strainer for EGDG-1 A cooling fan gear drive. The strainer had been removed from
the Lube oil System as a complete assembly for the purpose of replacing with a strainer
,
containing a larger mesh screen. The penny was under the inlet end of the screen covering
l the inlet bore of the strainer and appeared to block all flow through the strainer (See
Attachment D, Figure 1 for a graphical representation of the strainer and the location of the
'
penny). There had been a history of the strainer clogging and the licensee was in the
process of replacing the complete strainer assembly since a larger mesh screen that would fit
the installed strainer body was not available.
The licensee identified the event as potential tampering, declared an Unusual Event (UE),
and initiated an immediate inspection for evidence of tampering of the entire 1A EGDG and
associated systems, as well as other plant equipment. At the same time an investigation was
initiated to try to determine if the penny in the tube oil strainer was in fact tampering.
02.1.1 Evaluation and Correction of Damaaed Comoonents
a. Inspection Scope
4
Review licensee's evaluation of the damaged components to determine if the as-found
conditions represented potential tampering and determine if the damaged components
l
'
were replaced or the damage corrected and the operability of the EGDGs satisfactorily
demonstrated. -
, b. Observations and Findinas
e
Following detection of the potential tampering, the licensee developed a plan for
!
verifying that EGDG-1 A was fun:tional, that no further evidence of tampering existed,
.
and that the EGDG could be proven to be operable. Prior to the detection, EGDG-1A
!
had been declared inoperable, to allow maintenance on the component, due to
concems with degrading cooling fan gear drive lube oil pressures.
Operational History
During 1994, the licensee identified a decreasing trend in the 1A EGDG cooling fan
gear box pump lube oil discharge pressures, even though the pressures remained
<
above the administrative limits. The decision was made at that time to attempt to
- clean the oilin the gear box asscmbly. The gear box does not have an access port to
allow cleaning. A small oil addition port at the top was opened and cleaning was
- attempted using a small tool through the port. The existing oil was drained from the
1
gear box through the drain line, which is mounted on the side of the gear box. This
3
drain line does not allow for complete draining of the gear box. Following the refilling
of the gear box, the licensee noted that pressures were even lower and the strainer
screen was fouling more rapidly. The licensee surmised that their attempts at
- . - _ _ - __ _ .- - .- . - - . -.
'
L
.
I
2
I
cleaning had merely stirred up debria that was trapped below the drain line. They
drained and replaced the oilin the gear box a second time. Discharge pressure
values retumed to normal ranges. The licensee made the decision to replace the
entire gear box assembly during the 10R refueling outage.
'
Following the replacement of the gear drive assembly in February 1996, the licensee
had noted a trend of decreasing cil pressures during surveillance testing. During the
,
performance of the EGDG-1A surveillance on September 11,1996, the discharge
i
pressure started at approximately 13 psi and dropped to approximately 8 psi. The
administrative limits for the discharge pressure is between 14 and 29 psi. The
q licensee had determined, in response to Request for Engineering Assistance (REA)
'
91-1466 written for an unrelated problem and based on information obtained from the
'
vendor, that 5 psi was the minimum discharge pressure for the system to remain
functional. In response to this low gear box lube oil pressure, the licensee cleaned
the screen and contacted the vendor. it was determined that the screen in place was
a sheathed 40 mesh screen. Engineering determined that the metal sheathing
.
reduced the flow area of the screen by about 1/2. While the vendor thought that this
j size screen would function acceptably in a system with clean oil, a 20 mesh
- unsheathed screen would be optimum for this application.
J
Conversations with the vendor revealed that each gear box assembly had a different
,
strainer unit, procured commercial grade and dedicated to the asfembly,
i
Consequently, the licensee could not order a replacement screen without a detailed
description of what was needed. On September 15,1996, technicians from
Mechanical Maintenance removed the screen from the strainer to allow the receipt
inspection personnel in the warehouse to obtain measurements to order a
l replacement. The mechanic removed the screen, placed it in his pocket, and
j proceeded to the warehouse.
At the warehouse, the receipt inspectors took close-up photographs and detailed
measurements of the screen, in an attempt to obtain the information to order
,
replacement 20 mesh screens.
!
Based on licensee interviews, the maintenance technician stated that he then placed
the screen in his pocket, which contained loose coins, and retumed it to the plant. He
.
proceeded, alone, to replace the screen in the strainer. On his first attempt, he
placed the screen upside down in the strainer, but the retaining plug would not fit with
the screen in this configuration. He reversed the screen and replaced the plug. The
inspectors pointed out to the licensee that the practice of transporting safety-related
components, without any identification or protection, is considered a poor work
practice.
)
! The licensee was unable to obtain a replacement 20 mesh screen, so the decision
was made on September 18 to replace the entire strainer assembly, with a 20 mesh
screen installed. Following the replacement, the maintenance technicians noticed the
4
obstruction in the removed strainer.
I
j
.
-.- -
' '
!
'
I
a
!
i
'
3 ;
- Recoverv
!
The inspectors verified by examining the Work Request (WR) and examining the
,
system in the field that the strainer had been replaced prior to the licensee detecting
!
the suspected tampering. It was while the maintenance technicians were examining
j the removed component that the potential tampering was identified.
i
l The inspector accompanied plant personnel; two engineers, a Senior Reactor
l Operator (SRO) certified operations support person, and a security officer; on a field
j
!
walkdown of EGDG-1A. The licensee personnel performed a detailed, intensive,
examination of the EGDG; examining all accessible valves, electrical connections,
linkages,' freedom of travel in moving components, and appearances of lubricating oil
and jacket cooling water.
,
One lubricating oil drain valve was found out-of-position, in the open position, but this
was on a line that was capped and no leakage was observed from the cap. The -
licensee documented the discrepancy in a Problem Report (PR) and retumed the
valve to its conect position.
Following the completion of the walk-down, on September 19,1996, operations
performed Security Procedure (SP)-354A, Monthly Functional Test of the Emergency
Diesel Generator EGDG-1A. The inspectors witnessed the performance of the
surveillance test. The normal range of discharge pressures for the gear box pump is
14 to 29 psi. During the performance of the EGDG-1 A surveillance, the cooling fan I
gear box lube oil pressure at the beginning of the four hour test was approximately I
23.5 psi. After the oil had heated, the discharge pressure had decreased to j
approximately 21 psi, where it remained for the duration of the four hour surveillance. i
On September 20,1996, a walk-down on EGDG-1B was performed by Engineering !
personnel, Training Instructors, Operations personnel, and Security personnel.- No !
discrepancies were identified. The inspectors observed the performance of licensee
procedure, SP-3548, Monthly Functional Test of the Emergency Diesel Generator
EGDG-18. Acceptable gear box pump discharge pressures, consistent with the
values expected on EGDG-1B, were obtained.
!
After full load conditions were reached, during the run of the EGDG, a high jacket
coolant alarm was received on the diesel control panel. Localinvestigation revealed
the engine outlet temperature was 178'F, using infra-red instrumentation. The high
coolant temperature setpoint is supposed to be 195'F. Engineering monitored the
temperatures and determined that the perfomlance of the EGDG was acceptable.
The alarm setpoint was calibrated to proper levels following completion of the
surveillance. WR NU 0337921 was initiated to investigate the alarm set point.
Based on the EGDG walk-downs, the successful completion of the surveillance
testing, and the investigation conclusions that there did not appear to be any other
tampering on the EGDGs, the EGDGs were declared operable on September 20,
1996.
-. - - -
. -.- - . - . - - - . . . - . - - . . - - _ - - . - - .
7
- -
_-
$~ &
.
!
!
l- 4
4
1
l5
Examination of the Removed Strainer ;
4
1
On September 20,1996, the licensee conducted a test in the site receipt inspection
j facilities, where approximately 5 psi of oil pressure was applied to the strainer that
1
had been removed, to determine if, with the penny in place, the strainer would have )'
passed any oil flow. The licensee monitored the strainer for approximately 20 l
i minutes. There was no observed leakage past the obstruction.
I
The licensee removed the screen element from the strainer and examined it,
comparing the results to the documented results of the September 15,1996
inspection. There were marked differences in the observed dimensions and the
! uniformity of the measurements on September 20,1996. In addition, distortions at the
- ends of the screen and damage to the screen mesh were present on September 20
- that were not present on September 15, as shown in Figure 2. The licensee has
- determined, based on these observations, that the penny was not present in the
strainer prior to the examination on September 15,1996. The inspectors observed
I
the licensee taking the measurements of the damaged screen and compared the
j screen to photographs taken of the screen on September 15,1996. Licensee
j interviews with additional mechanics revealed that one of the mechanics had noted i
j the deformation of the screen on September 17,1996, during maintenance, but had
i concluded that this was normal.
i
The licensee has concluded that, based on the pictorial evidence and interviews, the
penny entered the strainer between September 15 and September 17,1996, and
4
most likely on September 15 when the mechanic re-installed the screen after carrying
j it in his pocket with loose coins. When the screen was removed from the strainer
i
body on September 20, the licensee demonstrated that a penny would fit inside the
j screen and sometimes would hang up in the screen when it was tumed upside down.
j
If the penny was in the screen at the time the mechanic tried to re-install it upside
j down, it could have fallen out into the oil in the bottom of the strainer body and not
j have been noticed by the mechanic.
c. Conclusions
The licensee was able to successfully restore the EGDGs to operable status on
September 20,1996. Testing and examinations conducted by the licensee resulted in
a high probability that the penny had not been in the system during any previous
testing. As concluded in the licensee's investigation report, the penny most likely
entered the strainer by accident on September 15,1996, during re-installation of the
screen after removal for measurements and transporting in the mechanics pocket,
which contained loose change.
The oractice of transporting small safety-related components, without any identification
or protection, as was done with the strainer screen, is considered a poor work
practice.
. _ _ _ - _ -
l
.
5
O2.1.2 Evaluation of Plant Systems for Additional Tamoerina
a. Inspection Secoe
Verify plant safety systems have been sufficiently evaluated for potential tampering to
assure they can perform their intended functions.
4
b. Observations and Findinas
in response to the penny found in the EGDG gear drive ILbe oil strainer, the licensee
performed an inspection of additional systems, including ah safety related systems
and non-safety related systems that could have an impact on the safe operation of the
plant, to assure that the systems were intact, with no signs of potential tampering. l
The Operations and Engineering departments conducted independent walk-downs of
the systems to provide a defense in depth approach. Acceptance criteria for these l
system walk-downs were specified in licensee procedure Wi-100, Security Event l
Recovery Guidelines, Enclosure 1, Comprehensive Walkdowr: Guidelines. '
in the Auxiliary Building, one core flood nitrogen supply line valve, CFV-82, was found
to be partially open, but the valve is located on a capped line. The cap was verified
to be present. In the Reactor Building, several cables for pressurizer heaters were
found to be disconnected without being tagged. The licensee verified that these ;
cables were for failed heaters and had been disconnected under a Maintenance l
Request. In the main control room, several fuse holders were found with the fuses
removed. The inspector observed the Engineering, Operations, and Management
personnel review and resolution of these holders. Each of the holders had been
jumpered, as part of permanent modifications, and the fuses removed. No additional
discrepant conditions were identified.
The inspectors performed an independent general tour of the Turbine, Auxiliary, and
Control Buildings. No obvious indications of tampering were identified.
Review of Previous Problem Reports (prs) for Evidence of Tamperina
The licensee reviewed the prs issued since January 1,1996, in an effort to
determine if any other suspected issues existed that had the potential to have been
caused by tampering. A total of 392 prs were reviewed, using the following criteria
developed to detect potential tampering:
-
Loose bolts or fasteners
-
Mispositioning - valves, breakers, etc.
-
Foreign material
-
Lost parts or equipment when work in progress
-
Mislabeled equipment
-
Unexplained spills
-
Radioactive material found outside control areas
-
Controlled doors left open
-
Damaged equipment (i.e. stepped on tubing, Mecatiss, Thermolag, etc.)
__
'
'
.
6
-
Broken bolts
-
PA speakers turned off or stuffed with rags
-
Changes to setpoints not explained by normal drift
-
Fires of undetermined origin 1
-
Unexplained contamination or overexposure
Based on the screening criteria, 82 prs were identified tha: sarranted further review.
A panel of three experienced licensee representatives, two permanent employees and
one contractor, reviewed the details of the events in the prs and reduced the number
of prs needing investigation to twelve, including the PR for the penny found in the
strainer. '
A review of the remaining events was conducted, which consisted of reviews of
documentation, interviews with involvert personnel, and review of the licensee's root
cause determinations. A recent event involving a mispositioned CRD breaker was
investigated in depth. The licensee's investigation, based on interviews and review of ;
reports and logs, found no credible evidence of tampering and concluded that the i
open breaker was most likely caused by human error. The licensee concluded that
none of the additionalidentified events were the result of deliberate tampering.
The inspectors performed an independent review of the prs since January 1,1996
and determined that the licensee list of prs for additional review was reasonable and
in good agreement with the inspector's list. The inspectors reviewed the licensee's
analysis of each of the twelve identified prs and examined, where applicable, the
areas where location in the plant (e.g. high radiation area) played a role in the
licensee determination. The inspectors found the basis for conclusions to be i
reasonable. I
c. Conclusions
Based on independent review of the documentation of licensee's inspections and
walkdowns of the plant, the inspectors concluded that no additional examples of
tampering were identified. The more likely cause of the misadjusted valve was poor
performance by licensee personnel.
The inspectors concluded that the licensee adequately evaluated other systems for
signs of tampering and correctly concluded that no additional signs of tampering were
evident.
Based en independent review of documentation and observations of the involved
equipment, the inspectors concluded that for the mispositioned CRD breaker,
tampering, although it could not be conclusively ru!ed out, was not likely the cause of
the mispositioned breaker. The most probable cause of this event was personnel
error.
The inspectors concluded that there was no evidence of additional potential tampering
and that the licensee had adequately evaluated the plant problem reports for
additional examples of potential tampering.
__ . . _ _ . _ _. _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ - _ - . _ .
,
-
l
- *
4
l 7
i
O2.1.3 Site Manaaement's Response to the Event
a. Inspection Scope
!
' Review the actions taken by site management in responding to the potential
tampering on the EGDG-1A cooling fan gear drive to determine if management's
response was appropriate for the circumstances.
.
- b. Observations and Findinas
1
,
The inspectors observed the licensee's actions throughout recovery from the event.
- Prompt action was taken to declare an UE and a Recovery Action Plan initiated. The
Action Plan included the following four general steps:
>
!
-
l Ensure integrity / operability of equipment required for core cooling
-
Initiate / conduct an independent investigation
- -
Develop plan for recovery from the unusual event
- -
Communications and event documentation
Management initiated the following immediate measures: (1) compensatory security
d
measures to guard against any continued acts of tampering, (2) detailed walkdown
inspections by Operations and Engineering to ensure there was no evidence of
tampering with plant equipment, and (3) an independent investigation to determine if
tampering had occurred and the extent of any tampering. Management met frequently
with plant personnel to discuss the status of the recovery plcn and direct the recovery
effod. Management kept NRC (site personnel, Regional NRC management, and NRR
i
management) informed of the actions being taken and the status of the recovery plan.
.
c. Conclusions
+
i
The inspectors concluded that site management appropriately pursued identification of
l the cause for the penny in the EGDG-1 A cooling fan gear box lube oil strainer and
identification of any additional potential tampering with plant equipment.
The inspectors concluded that tampering with EGDG-1 A cooling fan gear box lube oil l
strainer could not be conclusively ruled out based on the existing evaluation ,
1
documentation. However, as concluded by the licensee's investigation, the penny I
most likely entered the strainer by accident during installation of the strainer screen .
- after removal for measurements on September 15,1996. !
'
? :
1
~
4
_
]
1
1
. . . _ . -.. - . . _ - . - - - - -_ _ -. - - - -- . - - . . .
. * ;
c, ,
. .
i
!
i
8
02.1.4 Imolementation of Interim Action to Detect New Tamperina
! a. Inspection Scope
l Determine if adequate inte H actions to detect new tampering had been implemented.
! b. Observations and Findint I
After the identification of 7 wted EGDG tampering, a Security Emergency was
declared. The licensee impe. d immediate compensatory posts at the two
entrances to the diesel generator area. Doors D-201 and D-207 were posted
re=cectively with armed security officers to preclude access to the diesel generator
l
'
area. In addition, supplementary personnel were added to perform additional patrols.
The inspectors observed that the additional random patrol was being performed on
the evening of September 24,1996. Site security officers were briefed to heighten
their awareness of the potential for other tampering activities. The inspectors
questioned several security officers conceming their understanding of their duties and
considered their responses appropriate and in accordance with the licensee's PSP.
Upon exit of the UE, the Security Emergency was downgraded to a Security Alert. In
response to this downgrade, the licensee removed the two compensatory posts
previously established at Doors D-201 and D-207.
In accordance with Wi-100, Revision 3, " Security Event Recovery Guidelines," the
licensee initiated a walkdown of the security system mainframe and peripherals
located in the Nuclear Security Operations Center (NSOC), in addition to plant local
and remote computer cabinets and printers associated with those systems. No
evidence of tampering was identified,
c. Conclusion
The licensee appropriately identified actions to be taken to enhance detection of
additional tampering. '
S1 Conduct of Security and Safeguards Activities 1
S1.2.5 Security investiaation of the Event
a. Inspection Scope
Determine if Security and Investigative staffs adequately reviewed the event.
b. Observations and Findinas
i
The corporate investigators responded to the site on September 19,1996, to ;
independently determine when and how a penny became lodged in the 1A EGDG '
cooling fan lube oil strainer. PR 0386, Revision 1, was initiated to track the results of
this investigation.
_ ..
..
l
.
9
Immediately after discovery of the event, the strainer, penny, and the oil taken from
the strainer were taken into custody by Security and locked in a security container.
!
Interviews, bench tests, and applicable logs, and other documentation were reviewed
by the investigators.
The Federal Dureau of Investigation (FBI) was notified of the potential tampering
event and currently has possession of tne strainer and penny in question. The FBI is
reviewing the issue. The NRC Office of Investigations and Region il Physical Security
,
Staff are maintaining liaison with the FBI.
The corporate investigators interviewed 33 individuals relative to the EGDG penny
issue and 20 other individuals associated with other prs reviewed by the investigators
for potential tampering. In addition, the investigators reviewed applicable
documentation and observed testing of the physical evidence. A separate Problem
Report Review Team (PRRT) convened to determine if other events identified could
support a pattem of tampering. The PRRT used a 14 point checklist to screen
problem reports that could indicate possible tampering (See Paragraph O2.1.2 for
additional details). This screening resulted in 82 problem reports which were
reviewed in detail; with 12 requiring an additional followup. Only one of the 12 events
identified required a separate investigation.
The inspectors noted that the Licensee's " Report of Independent investigation Team
Conceming Possible Instances of Tampering at Crystal River #3 - September 1996" i
provided little detail relative to the rationale regarding which individuals were
interviewed as part of the investigation. Based on discussions with the investigation
team, the inspectors did not have concems with which individuals were interviewed
and the conclusions reached by the investigation team, just that bases for the
conclusions were not documented appropriately in the report. At the exit interview, )
the licensee stated that the report would be supplemented to provide this information. )
Subsequent to the inspection, the Report was revised to provide rationales for which
individuals were interviewed and why and was reviewed by the inspectors prior to
leaving the site.
1
c. Conclusion
The corporate investigative staff adequately reviewed the event and concluded that
the penny most probably entered the strainer accidently and there is no evidence that
suggests a pattem of tampering at the facility.
S1.2.7 Evaluation of Comoliance with the Physical Security Plan (PSP)
a. Inspection Scope
Determine if the licensee was in compliance with their PSP and applicable
procedures.
.
,
1
i
- 10
- b. Observations and Findinas '
i
l" To preclude individuals from being authorized access to the facility who may engage
in tampering, the licensee established a screening program in accordance with !
_
' 10 CFR 73.56 requirements. The PSP states that "the Fitness for Duty Program I
(10 CFR 26), Personnel Access Program (10 CFR 73.56), and Criminal History
! checks (10 CFR 73.57), contribute to the overali effectiveness of the physical security
- program in combatting possible insider threats within the Plant."
. The PSP further requires that, "all ingress and egress from the Protected Area and
1
Vital Areas is controlled by human, mechanical, or electronic means. Only a limited
j number of portals are provided, and they are locked and alarmed..." In addition, the
l PSP states, "Only those persons required to enter Vital Areas to perform work
functions necessary for the operation of the Plant are granted access. Each
! individual's need to have access to Vital Areas is reviewed once every 31 days to l
, ensure that need still exists." i
a
l The EGDGs are accessible through Doors D-201 and D-207. Door D-201 leads from
j the protected area through the EGDG area. Access is controlled by a cardreader
'
system. Door D-201 is located on the opposite side of the EGDG area. This door is
neither locked or alarmed because access is gained through the Auxiliary Building,
i which is controlled by a cardreader system. This vital island is approved in the
i licensee's PSP.
i
4
c. Conclusion
P
l The licensee was in compliance with the PSP with respect to fitness for duty,
i personnel access authorization, criminal history checks, and access control of vital
j areas. The licensee appropriately recorded the suspected tampering event in the
i Safeguards Event Log, as required by 10 CFR 73.71, " Reporting of Safeguards
l Events," Appendix G.
i
Personnel access to the EGDGs was controlled in accordance to the licensee's PSP
l and applicable procedures.
!
.
l INSPECTION PROCEDURES USED
!
l IP 37551: On Sight Engineering Review
{ IP 61726: Surveillance Observations '
!' IP 62707: Maintenance Observation
i IP 71707: Plant Operations
, IP 71750: Plant Support Activities
i IP 81601: Safeguards Contingency Plan Implementation Review
] IP 81700: Physica! Security Program for Power Reactors
IP 92901: Followup - Plant Operations
j IP 92902: Followup Maintenance and Surveillance
!
l
., . ., . . - - . _ - . . _ - - - - - .-
- - . - . . _ . - - .__- . . - - . . - - _ _- - - - . _ . ._- -_ ._.
.
.
]
'
11
X1 Exit Meeting Summary
!
The inspection Scope and findings were summarized to licensee management at the
conclusion of the inspection on October 9,1996. The inspectors described the areas
inspected and discussed the inspection results. The inspectors discussed the limited
documentation in the licensee's report. The licensee acknowledged the inspectors'
comments and noted that the report would be supplemented appropriately. Proprietary
information is not contained in this report. Dissenting comments were not received from the
,
$
licensee. Subsequent to the inspection, the licensee modified the investigation report, which
was reviewed by the inspectors.
PARTIAL LIST OF PERSONS CONTACTED
.
Licensee
P. Beard, Senior Vice President Nuclear Operations
j G. Boldt, Vice President, Nuclear Production
j
J. Campbell, Assistant Security Manager
J. Carter, Corporate Security
l1 R. Davis, Assistant Plant Director, Operations and Chemistry
j A. Glenn, Corporate Counsel
.
B. Gutherman, Manager, Nuclear Licensing
! G. Halnon, Assistant Director, Nuclear Operations Site Support !
B. Hickle, Director, Nuclear Plant Operations !
j L. Kelly, Director, Nuclear Operations Site Support
D. Kurtz, Senior Nuclear Staff Specialist
P. McKee, Director, Quality Programs
R. McLaughlin, Nuclear Regulatory Specialist
- J. Pelham, Corporate Security
- J. Terry, Manager, Nuclear Plant Technical Support
D. Watson, Manager Nuclear Security
NRC
i R. Butcher, Senior Resident inspector
l
l Other licensee employees contacted included Operations, Engineering, Licensing, and
- maintenance personnel.
]
I
.
4
,
4
, ._
~ " ~ '
.
,. .. . _ - . .. .
-
l ?
. l
12
LIST OF ACRONYMS USED
CR Condition Report
CRD Control Rod Drive
EGDG Emergency Diesel Generator
FBI Federal Bureau of Investigation
IN information Notice
l NPWO Nuclear Plant Work Order I
NRC Nuclear Regulatory Commission
NRR Nuclear Reactor Regulation l
l
'
NSOC Nuclear Security Operations Center li
'
PR Problem Report '
PRRT Problem Report fw new Team
PSP Physical Security Plan
REA Request for Engineering Assistance
SP Security Procedure
SRO Senior Reactor Operator
UE Unusual Event
WI Work Instruction
WR Work Request
l
l
l
l
l
i
l
e
i
, . . . -
_ _ . _
- ;
- -
,
l
i
l
1
CHRONOLOGICAL SEQUENCE OF EVENTS '
l DATE TIME EVENT
!
. 8/10/94 - WR NU 0321409 issued, EGDG 1A fan gear drive lube oil strainer cleaned and
!
re-installed August 16,1994, attempt to clean gear box delayed until
September outage
l
- 8/23/94 - WR NU 0321632 issued because of low oil pressure, flushed and attempted to
clean gear box, strainer cleaned and re-installed September 13,1994
i 9/14/94 - WR NU 032119 was issued because of low pressure after flushing and
attempted cleaning of the tube oil gear Box - strainer cleaned and re-installed
September 22,1994
1
l
4/28/95 - WR NU 0327782 issued documenting low pressure (still above administrative
l
limit) and dirt / foreign material in gear box - gear drive assembly replaced
j April 2,1996, in 1996 Refueling Outage
!
2/29/96 - Because of problems with oil pressure, EGDG 1A fan right angle gear drive
assembly replaced, including gear box lube oil strainer assembly which was
part of gear drive assembly
3/18/96 - WR NU 0334062 issued because of low gear drive lube oil pressure - strainer
removed, cleaned, and re-installed March 18,1996
4/02/96 - Gear box assembly replaced in 1996 refueling outage
l 5/16/96 - WR NU 0335432 documented low gear drive lube oil pressure and strainer
j
screen completely clogged - cleaned and re-installed June 12,1996
,
9/11/96 - WR NU 0337661 issued documenting need to clean strainer because oflow
I
lube oil pressure during monthly surveillance, screen cleaned and re-installed i
September 12,1996 '
9/14/96 - WR NU 0337742 issued to remove strainer, compare mesh size with proper l
mesh size and install new strainer
9/15/96 - Determination had been made that 20-mesh screen was needed for lube oil
strainer screen, removed existing 40-mesh screen from strainer assembly,
cleaned, measured screen (for purpose of obtaining 20-mesh), photographed,
and re-installed
'
} 9/17/96 - Mechanic noted deformation of screen during performance of maintenance
.
1
.
Attachment A
_
- _ _ _ _ _ _ _ _ . _ . _ _ _ _ . - _ - . - _ _ _ _ _ _ _ _ _ _ _ __ . __ __
'
'
.
.
2
DATE TIME EVENT
9/18/96 -
Decided to replace strainer assembly with new assembly, which
contained 20-mesh screen since 20-mesh screen to fit existing filter
housing was not available
9/19/96 0215 Started hanging clearance on 1A EGDG for replacement of gear drive
lube oil strainer assembly
-
Nuclear Shift Manager reported that mechanics had found a penny
lodged in the removed strainer assembly at the inlet to the strainer
screen. An inspection was made by the NMS, Engineering and
Mechanical Supervisor.
0455 Security notified of event
0510 Security was notified and an Usual Event (UE) was declared
0514 Security Emergency declared
0525 Security Officer posted at D-201
0527 NRC notified of UE
0555 Security Officer posted at D-207
I
0615 PR 96-0386 issued to document potential tampering with 1A EGDG fan {
gear drive lube oil strainer
0830 Detailed walkdown inspection 1 ADG by Operations, Engineering,
Security, and NRC Resident inspector
0915 Random patrol initiated.
L
0950 Completed detailed inspection of 1 A EGDG room, including inspection {
of exhaust system for the Hot Machine Shop roof - also completed I
inspection of core cooling systems for tampering
i
1555 Complete valve line up verified for all systems associated with 1 A i
EGDG
,
1944 Operations completed comprehensive inspection for tampering of
- essentially all site areas, including intake Structure
- 9/20/96 0221 Monthly Functional Test of 1 A P.sDG completed !
4
,
Attachment A
i
I
i l
_ _ . _ _ _ .. _ - ._. _ . _ - - _ _ _ . _ _ -
. . _ _ _ _ _. ._ _
'
.
3
DATE TIME EVENT
0900 1 A EGDG declared operable except for issue with dieselloading during
design basis accidents
1100 1B EGDG removed from service for inspection of gear drive tube oil
strainer
1818 Completed comprehensive inspection of 18 EGDG for potential
tampering
2131 Monthly functional test of 1B EGDG completed
9/21/96 0100 Engineering system inspections complete
0255 1B EGDG declared operable except for issue with dieselloading during
design basis accidents
0300 Wi-100 walkdown inspections of plant equipment completed, exited UE
after determining there was no ongoing security compromises
,
0305 Security steps down from a Security Emergency to a Security Alert
0323 Security Officers posted at D-201 and D-207 removed
10/3/96 0900 Independent investigation of possible tampering instances complete and
report issued
!
I
i
i
1
!
l
,
Attachment A
1
_ . _ . . __ . _ _ .
.
.
l
l LIST OF LICENSEE DOCUMENTS REVIEWED
PR 96-0386, Revision 1
EM-202, Emergency implementing Procedure, " Duties of the Emergency Coordinator," l
Revision 54, dated July 29,1996
.
)
I
l Shift Supervisor's Log of September 19,1996,1100-2300
, ;
Security incident Report 10541, dated September 19,1996
l
,
Wl-100, Revision 3, " Security Event Recovery Guidelines," dated September 21,1996 I
l
Safeguards Coatingency Plan, Revision 4
Physical Security Plan, Revision 6-13
Security Procedure SS-206, " Security Safeguards Contingency Events," Revision 7, dated
June 12,1996
Report of Independent Investigation Team Conceming Possible Instances of Tampering
Work Requests NU 0321409, NU 0321632, NU 032119, NU 0327782, NU 0334062, ;
,
NU 335432, NU 0337661, and NU 0337742 for work related to the 1 A EGDG cooling fan i
l gear Box Lube Oil strainer
I
,
'
Operability Concem Resolution EG-96-EGDG-1A/1B, Revision 2, EGDG-1A/1B Gearbox
Pump Discharge Pressure
Request for Engineering Assistance (REA) 960902 dated September 20,1996
D. O. James Gear drive Service Manual
D. O. James Drawing H-72578, Change C, increaser Drive Size NO.-CH-1000VHB
i
Operations and Engineering Documentation of Plant Walkdown Inspections
l All Problems Reports issued in 1996 were screened, selected reports reviewed in detail
l
Licensee Unusual Event initiation and Recovery Documentation
l
.
-
.
l
ATTACHMENT B
i
__ . _ . _ . _ _ . . _ . . _ . - . . _ -_ _ _
.
INFORMATION PROVIDED TO LICENSEE BY NRC ON SEPTEMBER 19,1996 !
(1) NRC IN 83-27
i
(2) NRC Intemal memo dated December 12,1985
1
(3; NRC Intemal memo dated July 14,1982 '
(4) Draft Document 89-XX, Guidelines For Assessing Indications of
Equipment Tempering / Sabotage
,
t
t
1
I
f
ATI'ACEMENT C
. - , . _ _ . _ _ _ _ - . ~ _ , _ - - - . _ _ - _
. . . . - . . _ . _ _ _ . .- . . . . - . - _ - .
, rROM HRC 1;31 M.&e.& W 1 h 27 M2
'
1 *
- e S$1N5 No.is 68 E
IN 83 27 ;
l~
.
-
UNITED STATES
i ammme
!
NJCLEAR RERILATORY C(NGISSION .-
0FFICT OF INSPECTION AND ENFORCEMENT l
} WASHI!ETON, D.C. 20655 '
f
May 4, 1983
.
'
IE INFORMATION NOTICE NO. 33-E7: OPERATIONAL RESPONSE TO EV
1ELIBERATE ACTS DIRECTED AGAINST PLANT
j EUIPMENT
i
- Addressees
3
j
All nuclear reactor factlinies nolding an operating license (0L) or construction
permit (CP).
!
Durcose:
1
!
i
This information retica 's icr:vtene as a notificatten of events wnien may nave
j
- nvolvec celiberate acts cirectaa against clant sou1cment ano a lack of station
t
mrocecures concerning response cy cceratir.g personnel. It is expected that
i
- ecipients will review the {inferrarion for applicapility to their station
procecures. No specific action er response is reautred at tnis time.
I
Descriotien of Circumstances:
! W
-
A review of recent operati g reactcr events indicates that some improper valve
j
positioning and %strument tion irregularities may nave involveo deliberate
acts directed against :' ant eauionant in vital areas. The following is a brief
a
acccunt of these events. l
l
At tne 'irst facility, during routine operation, the Control Room Operator
j
receivec a steam generator lfeenwasar ;umo (SGFP) hign vibration alarm.- Subse-
quently the SGFP tripped and the operator immediately reduced turbine load
l to prevent the unit from t1'ipptng. The instrument valves on the low vacuum
.
~
i
trip sensing line located outside vital areas were apparently caliberately
{ recesitioned resulting in the pump trip. The licensee concluded that this
.
deliberate act eculd have biten a result of a labor dispute.
!
! At the second facility du ng a routine operator tour at approximatel 1:00
! a.m. a manual valve wa,s f ne shut in the common suction piping to th high
! head safety injection (HHSI) Temps. The valve was insnediately reopen .. This
- valve. which is checked by operaturs each shift, had been verified open at
about 4:30 p.m. the previous day. *he chain and oaaleck which secured this
! valve in tne open cosition wm missing. additionally, On the previous day the
j manual suction isolation valves of tne three auxiliary feec-water pumps had been
j
' found unenained ano unlecxen in violation of technical specifications require-
ments. These valves were f svne m tnetr normally open position. The motive
1
tentne tne actions was not proven, :ut the actions resultea in the rHSI system
l - being inoperable.
av
1
-Ste3044030
I
i
'
. .. . . -. *
1
l
_ _ _ . - _ _ _ _ _ . ______ _ .
,
e3.se.1990 erste Pt 3
f .
!,
e
A
I T*
4,legt:
P
j '
E of t
.
These events,' and events I
j .
at other plants, demonstrate that the potential for-
deliberate acts directen kgsinst plant equipment must be recogni
i
i
two above
followuo events the licensees were not totally prepared
actions.
.
In for
onal
the opera
Other p fconsees may or may not be prepared to assess
,
i situation
to and decisions
safety or make take necessary stsas tooperation
concerning continued assure operability of
.
! Gutdelines er-
deliberste and inaavertemt acts with erespec
available.
k
j
!
system (s)) mata power supply.The guidelin ce
- n addition interrelated systems should be
inspected and selected safety-relatee electrical panels and cab,
the plant and in the contkl roce, may require a detailed inspection ,
n I
t
additional tampering is detectee, the licensee snould be . If
orepare! '
}
i cecisien on wnether
systems necessary f:
a safeer rett :entinueo
trut:cwn are operaole.ecerstion is justifiac and wn
1
i
Coeratt:nal ano security crosecures to cope with raciological
j Appencix C ot Part 73. threats to ssfaty must be develooen in acc
Th6 potenttal impact of any deliberate act dilutedand
.
i
1
' W against plant
anticipated safety equipment
censequences.nsst be evaluated, ano actions taken to mitig
! I
! No written response to thig notice is required.
)
'
appropriate NRC Regional Offite Or this cffice.regarding thi
l
\,
wa
e:J
. voraan, Of rector
Divisi n of Emergency Preparenness
and Engineering Response
Office of Inspection and Enforcasent
Tecnnical Contact: Paul R. Farren. IE
(301) . M2-4756 I
Attaenirent:
l
List cf Recently Issueo II Information Notices ,
,
/
I i
,
1
l
,_
...tNDees
' ~~
, . roon wac :.ot so.te.tsss 17:32
, Pr 2
. r
.
.
December 12. 1985 <
1
l
!
MEX0RANDUM FOR: D1861 Staff
TROH1 A. E; Chaffee. Chief
Rosesor Projects Branch
ENCLOSURE: 1
l
Menotandum from ED Jordan to Brian Grimes entitled
" Plait Systems checkout Following Suspected Sabotage
SUBJECT!
POTENTIAL SABOTAGE GUIDANCE TOR TOLLCW-UP
!
Enclosure 1providesguidanceforNRCandlicensesactionswhenpotaattal
sabotage has been identified. This guidance is provided for your revietr and
use. F1sase also review the licensea's program for dealing with potsatial
sabotage from an operations standpoint. Enclosure 1 is a good guide to use
in evaluating the licensee's program. You will note that this sutdanse is
not included in any forssi document. Pisase find a method to file this
document so it is availaWie when needed.
I
l
\
$d
A. E. Cha fee, Chief
Reactor Projects Branch
1
h
!
!
!
I
i.
O
!
, '
,
!
i
l
l
t
I
. -.
- .* ROM MRC 1.01 00.14 1990 17832
m , ,
Pt 3 ,
. . .
.n
ser e asses ec-spsfAeleNat
. /. g m.g- .s
,
meer est-
/ A unatts stAtst ,
.
'
t suct. Annsout.Aronycomms son .
i
. Mst. W 1i
- , w. J*~
amsuu.evow, s.a.amas
, -
,
SM gg '
w
,
I
l JUL 14 W e q, -
! -
.
MtHORANDUM FORr tria
m K. 4rtues. Director,
Pr operednaus,IE. Otvision of Emergency
,
FA0Nt ,
,
Edward L. Assurance.
Jessian. IE Dtrector. 01vis1on of Engineeri
.
.
and Quality
i .
tutJECT:
PLANT SYSTEMS CHECKOUT FOLLOWING SU
,
.
ne enclossa, procendre provtales guidance for actions
i
instancas of suspected astbtage.
- '
t We request that you enke this guidance
,
available to tE Hanage' l
ment on-call and the IE Operations C
We are issuing the precedure as a Tamecrary Instruction enalfor u
_0ffices. i
,
.I
.
,
'
o ;.
-
p 2
,
'
M L. FreTan, otrector
.
Divisto f Engineering and
Quant Ataurence, It
.Enclosuret Precoeure forIAssessing
.
Ingicated Sabotage
n
ec/w enclosures 1.11_ e _ W,h0'
{_,N >n 4 460.. : -
W. J. Direks, E00 '
.
N. R. Denton, NAR ,
t .g. T ' hQ
'
J. S. Davis, MNS$ W - - - - - l
k. C. DeYoun
O,
.
IE *
J.L.81ths,gIE :
gi' 2
R. C. Ha At .
J. P. O'ynesRet1Iy i .
J. G. Xeppler , A!! i
- - ,
J. T. Con tas,, A!V AIII l .
'
R. H. Engelken. AV i.
J. M. Taylor. IE ,
,
J. Partlow, IE
'
.
- -
.
i
.e
.
/) .
i
- . .
_._.._ _._..._ _ _-_-_.__ _ ____ _ _
,
.,,en n,c 13 3
, so. s e. a no t D s* US
. ..'
engems 14:33 >no easta* ss M et
e e .
He.eBL seg.--
.
,
. *
_
.
.
i
. PROCEDURE FOR ASSESSINE $10NIFICANCE OF t
INDICATION OF
.
SABOTAGE PRIOR TO CONTINUED OPERATION
'
s . i
IKTR09VCH$ ,
.
.
In view of recent events involving indkcation of potentia) sabotagg at the
Sales andofIronswick
instances this kind. facilitt e, a procedum has been prepared for use in future
sabotaos has been committed purpose of the pacedure is to'deterutne if
condit' ens. The procedure 1 as to check out the plant to ensure cent sped saft
,
intended to provide guidance for' IE. both operations
centd> evty officer and mens
with P6sponse to such events ,
amant-on-ce11, and regional personnel involved '
t
QBJECTIVE i
'
The primary objective in' des
is to ensure continued safeHne facility withconditions. an event inetcative of potential pabotage
or intentionally.. initiated. J When an event occurs :seettently
of the ennt ano the correct 9udgments must. be made regardine potential,tensecuenses
ve actions to be taken to eliminate the init$sttag
conditions and minimise the consequences.
M
~
.
After potential or actual sabotage has been identified, it is necessary te Gather
sufficient fsets to enable 'aiclear understanding of the significance of the i
1
identified sabotsge.
in responding to the Gaining
identif' ed such understanding is the first action to be taken
sabotage.
first action is mferred to ' n.iten A below.Infomation that may assist in this
With an understanding of the
identified sabotage, it is ttlen appropriate to establish an initia'.pri6ritised
search of the associated or suspect systems. The resulting information is then
the basis for deteminin -
plant is checked (i.e.. g sudseevent action. Clearly.the extent to which the
1,ndications of further sabotdge foune during the checkout. items 5 ans C er C be
.
A. Sabotaos Event Evaluatiin . - - '
-
\
.
The enclosure to the mes'erandum dated November 6 1981 to Coonissioner *
l
Breeford from W. Direks consists of 1.precedure Yer this evaluation.
copy is encloses. It is to be used for general guidance on implementetien
~A l
of this precedure. -
I
3. , Overell Inspection of Plant
. .
As set forth on page 3 cf the enclosed Sabotage Event Evaluation." the '
i
conduct 'of search and eevipment chaos should include a check of the I
overall plant and'than a system by system inspection, as appropriate. I
a
The overall plant and system by system listings reflects a "hanas-on"
approach that would enaule an inspector to verify the licensee's . .'
. .
.
. .
%e
_ _ . ._
, .,,,, n e :,3
n. :.. a ns in 35 e.- :
. ..
,
i
senses twee gusinsTMsstas.
, .
,
-
.
No.ent ass - ,
.
. .
. *
,,
'
- . . . . . . ,
.
.
.
, -t. '
'
action in checking out .
sabotage. T4 repeat 1 ta is nuclear power plant in instances of suspected
the licenses
plant. The assumptio,nI
overall guidance to pla ismadethattheISARwouldbeavailableftnot tdLC, tha
5pecifications would ba nt system requirements and that the plant "eehntest
operation or matart. t satisfied before justificatten of continued
, .
. -
Prior to a. systems chet
broad brush inspection hout based on the listing in itsee C and 0 b
.
Niaspection should be largely by visunt neans and Msconsist * *
chtegories. , These aref
1. control room insp tion, .
.
2. plant structures inspection.
,
5. piping.and valve usikdown,and
4. electrical power i ntegrity confinnstion. '
'
This broad inspection should be initially performed to spot any nm,ior '
abnormality such as a damaged pipeline or a planted explosive. It should
'
not be progreasses to detect all potentially faulted systems.
,
In the control room, v'1
and ins 16e cabinets wit"1ual inspection should be made of all panels. boards'
) an eye to spotting any obvious fault. One should
be alert to spotting julapers, and certainly to any strange " packages."
In the visual
should checkout af plant structures, the agne generet attitude
be appropriate. *
category should include Look for abnormalities and foreign materiais. This
reactor building. turbi ne the emin plant buildings, that is, containment,
-
connection to ultimate heat sink. building anc of course, the intake structure or
.
. The piping ana valve wa .
not seek to distinguish kdown should use the sans merspective.
between system piping whics is safety-gradp and
It sheeld
that.which is net. Thin inspection should simply consist of a toutine
'of patrol of all accesstb1$ piping runs being alert to the more obvious type
f4uiting. For example, one should be ennected to be ehle to "ftne" a
cut chain of a " Chain and padlocked" valve aandie. On the other , one
should not expect to confirm yalve E*1gnment during this initial c k'. -
. Fina11ya the initial che ,
sans general approach. ek of the electrical system should be made with.the
It should seek to verify that the vital power
supplies were not " altered" in a significant way. * The purpose of this
chect.should be to make sure it was safe to turn power on for further
systems checking. ,
-
'
. .
.
When preliminary determi nation.cf sabotage has been made and further
.
investigation indicates . -
be necessary to perform that specific systems might be affected. It any
a complete walkdown of ce,rtain systems, checkthe
'
seminar- E"'5Eur" i .
. _ _ . _ . _ _ _ _ _ . _ -
. _ _ . . _ _ _ . . _ - . . _ _ _ _ . _ _ _ _ _ _ _ _ _ .._.. _._. ..__.-___
,
l ,
-
. raon unc 1:01 es.ts.in8 th 37 N 8'
t
. - ~ .
, .
. .
4
!
! ese to 31 M>SWT4EsT-Ws MLM
, ..
l
' ' ' W4 """"""'""'" '
9
i i .-
. 1
i .
.
t
i .
-
-
.'s .
4 - ,
.
I *
.
j 411 actassible manual
and electrical switch:i ed motor operated valve positions, circuit brecher
'
mattions,etc. Attual system welkdowns sett -
- especially pertinent wth respect to standby systems whose operett
j cannot be eempletely deonstrated during normal plant opentions. chisets lity
i in high radiation arsag any be required deoending on detailed .
' Al.AAA consideration. consideration of the evidence of sanosage In these
l
,
. -
,
, 8lihen evidenceconside
& e identified, of sabotge is found and specific camponents and systems
should be taken. A thoration of the consequences of corrective attiene
,
corrective actions shedd be made and esntingency plans to add
responses should be determines prior to taking corrective actions. l
beteiled examination of systems including those associated with the
identified sabotage may be necessary to establish the basis for centinued
operation.*
-
applicable. 'The systees to be examined are listed in item C or 0'as
Followine guen a checkout. It then would be appropriote.to
confim systems opera 6
Specification requiremehity throughout the plant using the Tecmital i
nts as the measure of safe operability. This
conformance with Techni sal Spectfication requirements represents the
overall criteria on whi l
ande of reactor operati ch ons.decisions may be made rega'reing changing the '
C. BWR'Tiant Systems '
,
'
"
1.. Reactor Systea
s .- '
h. Vessel - chesk for obvious abnorinal conditten '
Yessel teve)11nstrumentation - concensinq chamoers, piping, dp
racks wir g .
~
1. Reactor Recirculation System
'
.
.e . Piping
. b. Yalves. disds e and suction
. C. Motor. pump. ' controls
'd. Ptwer supply 15 Est. cables, modules, breakers
.
-
t. Control cabiasts. wiring, boards, breakers -
. . . i -
,
-
- .
,
.
.
- .
-
. t
,
- .t *
- " .
,
l
"If the plans is operating.3entinued operation should and must be permitted
untii
downsufficient
safely. chacr.s hem Dean mace to assure that the plant can be shut
' .*
l .
- *
-
.
,
, , _- , ;--- - - _ M: .
. . _ _ _ _ . _ _ _ _ . - - . - -- - - - -
,
-
Fegn zac 1.01
,
..
08 14.1996 17:39 Pr r
.. .
.
.
wramas twiud
. . -
e.s a se M asui ad
.
tea,nast
M- , ,
'
'. -
.
, ...
- * *
.-
,
.
,
-4- *
.
<
'
3. Centrol Red Drive Hydraulic System -
s.
MCUs (Hydrashic Contrel (Nits), directional control valves.
1 solation alves, asram valves
b. Piping throu heut HCus, SDV (Stram Discharge
'
c. 80V drain an vant valves
d. Centrol circo1try - embles.bea
'!V Level switches, Volum
e. Air supply - pip 9ngaosvaI'ves,rdecontrols, pilot valves
'
w.: , '
4'. - $$andby Liquid Control system
I
a. ELC tank. level, piping
D. Pumos ane meters, power supplies, controls
-
c. Vaives. squit.1 solation
d. Control etrevitry, penets, sabinets, cables 1
5. ResiduO Heat Aemoval (AHI) System - - .
s. ) teat exchangers, primary side (shall); secondary side (tube)
b. Primary side (LpC!) pumpsi-motors. piping valves, isolattan
valves drywell spray piping and valves torus spray piping -
andvalvesi *
c.
Other primary side pining and valves, i.e., shutdown' cooling.
isolation gesting where a
d.
Control
Power suppl circuitry, wirpi
ies cost
panela,
power supplies
. pplicable
boards. Logic inte'reonnections.
.
e. RHR Service Cater System
Pumpsn motors, water supply structure
) Piping sne valves, isolation and interconnections .
1 w
-
-
iv))- Control
Power' supply,circuitryIn
can ,iring, boards, panels -
breakers. cop,trols
.
g; Core, spray system'-
.
.
'
a. Pumps. motort '
b. piping and volves. 1 solation valves -
c. cnock valves
d.
Control ctrcottry, wiring.,panela, logic, control power
Power suppitos, cable 4 treakers, controis
7.' High Pressure cool antInhectionsyntam - -
m. * ' Pump and turoine driver *
b. Piping valvos 1solatism valves condensste traps
c. Centrol circo1try, wiring. logic, control power
de Turbine oli tystem. tartine control valvqs. speed governor ,
n. -
. .
,
.
.
.
.
.
l
T ~ Ne,i Ae noi ...i..i, . i n .. i, . .
-
l .. .
,
'
!
,
esepus tones iac-enurAissr-va HD.801 ens ,
j * * -
'
i , .
i .
'
! .
.
! ..
j -
.
5-
-
- .
l .
8. Automatic Depressoritatten system .
4
'
a. Safety reliet valves operability
! b. Control circyttry. wiring. timer logic
! c. Air or pneumatic escuan1stors, air supply check valves, air
! . supply piping = ,
. ,
'
9. Retster Cors Isola tion Cooling Systeer'
'
,
l
l .
A a. pues and turtiine driver *
i
l
-
b. piping valves. isointion valves. check moves, condensate tfsps
o. Contro
j cirejitry. wiring logic
l 10. Diese) Generator $ystem
i I
j a. Day tanks and steente tants
b. pi
c. Fuel oil Ciregitry.
Centrol puses. notorsIng.
wir ping: logic - .
i ./ d. Diesel air start and lube oil systems
!
- e. Generator protective devices and output interconnections kles
- electrical systmas)
..
.
,
! 11. Containment Systans
i
i a. prirriary containment isolation valves including M51Vs and controls
1
,
b. primary cont' 4tnmust inerting system pipings valves, controls.
! tempting
! c. Suppression chapter water level .
d. Vacuum breakiers - OW to torus to reactor building
i s. $taneby gas tressment system operatiitty
f. DW purge and vent valves contro)
l
!
'
j 12. Water $ystems .
,
! a. RNR service valves, pumps motors
! . b. Kaargency sewaterpipingUfapplicable),
nica water piping, valves, pumps.
$ . N%N .
I c. Intake strue bure integrity
j d. Reactor builiing closee cooling water. turbine building c10 sed
i cooling we ter, feel pool' cooling -
i '
s. Circulatsng water system .
f. Diesel generator 1:oo11eg water system -
9. , Condensate a nd famawater system including storage tanks and
- dominere11 ters -
i h. Condensate.Fbeduster piping, pumps. valves
j 14 Feedvater hentets with associated pipin.g and valves
.
i
j . ,
'
-
..' -
<
i
=ror eartter suas using an lisoletion condenser for this function. only the
above items (f.b.) and (9.t.) are applicebla. ,
.
I ~! _i s. .--- m uur -
.
!
!
-~ . _ - . . . . - - . - _ . - _ _ . - . . - - . - . - - _ - ~ ~ . . . -
-
,420M Mtc 1 01 es.14.1996 !?sen Pi 9
.-
,
... .
.
snakes teses -
ecarneTAseT=44 Nil. Set egy l
. . '
. . .
,
l
. a .
, , ...
, ,
. l
.
,
. s. -
l
.
13. Instamentation and control Systems
4. Renator orot6ction systes, boeres, racks relays, complete
sentro) rami check
-
b. Wutron mont<tering system including T!P piping and valves and
.
ERM APRM
- c. Proces. s IRM,
centFe interfaces *
.
4. intered saf ty feature controls, racks
e. I for safe shutdown including control room habitabilit
.
- 4' *
,
f. Other !&C - e.g., fuel poet cooling, offgas nenitoring, y ete system - '
i
14. 54ectrical systems
'
a. DC system supply and monitoring on 125 volt and 250 volt
batteries knd chargers. switchgear and panels
b. Vital AC seu paent including 4kv. 440 volt and 130 volt buses
- and switch ear
c. Ital motor entrol centers - . .
d. no 11 hting syntes
e. Remote s ut control system '
f. Cable spreedNng room .
1L. Compresses Air $ystem -
s ressors. secumulater tanks ane meters '
b.- '
c. Pip
Centro ng)and ci valves * ,
g, wiring .
sc n.in tur.ine cener.cor .
-
,
s. Turbine contro) system including electrohydraulic oil system
,b. pass valve l controls
.
c. morator protective systems .
.
D ., PWR plant tvatams
-
.,1. Reactor system -
s. Reetter pressure vessel
b. Centrol red rive mechanism above reactor vessel
c. Centrol and instrumentation for the reactor protection system
(RP5) and the overpressure protection system -
'
1.
Reactor Coolant ystem (RCS)
a. Prisery and tsecondary coolant loops pipine, valves (including *
safety retief). instrumentation and contro)
b. Reactor coolant pumps (RCPD and associated component cooling -
including icemoonent esoltng of lube oil coolers and component ,
soolingvalvesandpipingouttocentjineentpenetration
.
.
..
- _-
1
-
. -
. ... ... .., ......,,,. ,,... -.
- -
! .
. s 1
.
- *8' 1* * NRI>eneT4msf=4e ND,331
f ,. ogg-
. *
,
. , .
'
j . . .
i .
-
., .y.
- -
i .
,
'
I *
.
.
e ..
d.
Steam generstar external dhange, including safety relief valves
j
Pressuriner including PORV?s, associated centrol.etr (or
nitrogen) tupply, heater! control and hetter backup power
j supply, and valves and piping to pressure relief tank
i
-
3. EmergencyCoreCoelingSystem(kCS) *
- . . -
,
a.
,
l
Accumulatorsiand piping to. RCE vent and isolathn valves,
a .
-
- nitrogen pressure and sups)y -
b. Hign head thirging pumes, charging lines, boron injection
-
tanks. all;other safety injection pumps (1.a., intermediats
!
i heta pumos:1f
alignment applicable)
(incluain and relatta
manual 1se14 pittag)and
tion valves to ACS valve
! c. Residual heat remove)g(RNR$ systems heat anchangers. '
pumps, valves including penval system itelation valve
- * .a)1gnment..and associated control circuitry wiring panels. .
- interconnections, power supp)1es and control power supplies
i d. '
RNR servica water system inclucing pumps. motors, piping,
i
valves (especially system isolatten volves)
s. Refus11ng water storage tank, associated 1,sotation valvks and
piping for;ECCS pump suction
i
f. Instrument and contrei racks for the entire ECCS system
I -
4
l Component Cooling; System ,
! '
'
a. heat exchangers, spent fuel poo) heat
Component
exchangers water. cooling
seapumpsI heat exchangers .
- b. Special attention should go to component coo)1ng for' RCPs.
i
emergency diesel generators. ECCS pumps and associated
l .
isolation valves and piping
. ..
j l. Instrumentation ene Contro)
, ,
t.
Visual inspection and functional testing of Rps and engineering
i .
safeguardstsystems
! . b. Visual chect'of instrument racks and wiring for RHR, auxillary
!
feedwater system and shutdown systems
i c. Prosperational testing of 5AMS, IRMS and all other power
j level instrumenta '
,
d. Centrol room;and sust11ery room ventilation system . .
e. Instrument control air (or nitrogen) pressure ve)ves and
piping fort safety systems
f.. Control, room: panels and cabiness
.
-
, ..
- *
. .
.
. . . , ,
.... K
'
...veo.e.
. .
l
'
.' -
,
.
, {
-
- . ..
. ,
~
. .
-
'
,
8-
.
i
6. Waste Disposal and Radition Protection System
a. Radiation monitors for service water discharge headers and plant i
vents
b. Reactor coolant drain tanks, CVCS holdup tanks. and the waste
holdup tanks, valves, piping and adiation alarms
,
- c. Waste gas monitor tanks, vaive line up to service water
l system
! d. Gas decay tanks, analyzer tanks and niant vent valve lineup and -
i .
?-' associated radiation monitors
7. 06ntainment Systems
a. Containment isolation valves. CVCS letdown lines, MSIVs
b. Containment pressure relief valves, purge exhaust valves and
i
' all other manually operated containment valves which are
.
. accessible
c. Personnel and eouipment access hatene: .
d. Containment spray systems, piping, valves, instrumentation and
wiring, pumps, heat exchanger an:' recirculation system sump,
pump and controls
e. Hydrogen reccmbiner units including the control panels and
power supply .
l
f. Fan coolers with safety cooling ' unctions and ice condensers
(ifapplicable)
8.' Electrical Systems
a. Auxiliary power system, including 4160/480 vital buses. 125 vo'it
DC control buses / battery and 120 VAC vital instrument bus
, b.. Emergency diesel generator system controls, fuel oil, lube oil,
tanks and piping -
c. Cable spreading room
. 9. Ha'in Steam System
,
a. Associated relief valves
,
b. Turbines include lube oil system, bypass valves and
l
l
generator protection systems
c. Steam generator feedpumos and val.e lineup through FW heaters-
l Auxiliary feedwater system pumps 3nd r.anual isolat. ion valves
' d.
!
10. Spent fuel pool and fuel handling systems (i.e.. if in refueling
outage), incluaing cooling system ano level indicatiens
11. Service water system including piping, r.ilves, pumps, and heat .
exchangers .
12. Sampling system for appropriate systems including isolation valver,
-
. _ .
.
._ .__ ~ . _ _ _ ____ _ _.._ _ .__. _ _ _ _..__ _._ _ _ _ __ ___..
.
f .......... .....
, , _ , _ , , ,
.- - ~ Q h.f
i
ym
i !
- .-7.C. "'
'
v.
.
. .:,
"
l UNITED TES'
!'
Q NUCLEAR RE
0FFICE OF N
t0 MIS $10N
RR[ACTORREGGLATION
WASNINGTON,D.C. 20555 ,.
i
February Ex.198p -
l NRC INFORNATION NOTICE NO. 89-XX: GUIDELINES FOR ASSESSING INDICATIONS
l OF EQUIPMENT TAMPERING /SAB0TAGE
1
j Addressees
! All holders of operating l icenses or can'struction permits for nuclear power
j reactors.
Purposes
)
! This information notice in being provided to assist addressess in planning
- -_ for events involving indication of possible sabotage. If such an event ~
! "o~ccurs, whether accidentally or intentionally initiated, judgments must be
! made regarding potential consequences of the event and the corrective actions
i necessary to eliminate tha initiating conditions and minimize the consequences.
i It is expected that reciplents will review the information for applictbility
j to their facilities. Howitver, suggestions contained in this information notice
- do not constitute NRC requirements; therefore, no specific action or written
l response is required.
'
l Descriotion of_Cfrcumstan$es:
) Nuclear ' power reactor Ife ensees personnel have identified several instances of
- equipment tampering, for example, misaligned breakers or valves, cut wires or
or the placement of foreign objects in a piece of machinery or contamin-
!
cables,iquids
ating l in reservoirs or tanks.
i
- Discussion
l In determining what actions are appropriate following an indication of. sabotage
1 the governing principle is to avoid undue
i
'
risk
or to the public health, and
tampering at a nucleari power plant, In implementsng safety. all per- th
tinent factors must be carefully examinbd to determine whether the con
resulted from an accident l or from a deliberate act of vandalism, malicious mis-
chief, or sabotage. If
factors such as sophisti udred at'on,to be an attem>ted
intent act of radiological
and tis possibility of othersabotage
acts by t$e
samepersonmustbeconsdared,aswellastheeventhistoryoftheplant.
In formulating any respor se action, tho'Itcensee should consider notential
safety consequences of st ch actions and the condition of the plant. Before
making any change in the the licensee should
consider the basis for tt operating a change andstatus of the facilityItigating
its potential for m or com-
pounding the situation. As a general rule, the public health and safety are
probably best served by i nitially maintaining a stable mode of plant operation
as the trans4ents caused by changes in plant status could contribute to a
Q reduction in plant safety. In addition, contingency plans and other measures
need to be Initiated to torrect the cotidition and prevent further acts while
the facts of the matter tre being fullf, assessed.
.
F F'O M H2C 1103 ca.14.t934 1tser r4
1
IN xx
Page E of 11.:
%d
Because each plant situation is unique, Jiard and fast rules for dealing with
attempted sabotage do not seem practical. However, some general * guidelines
appear appropriate in inost circumstances. -
I
A. Evaluation of a Tamoering/ Sabotage Event
After potential or a tual sabota tampering has been identified, it is
necessary to gather ufficien acts o permit a clear understanding of the
significance of the ' dentified s age or tampering.
Some of the factors that should be cons.idered in gathering this information
are as followas
The event may prevent a safety system from performing its intended
function.
.- *
*
The event may prevent a system designed to preve'nt 6r mitigate the
consequence of talfunction from performing its intended function,
resulting in a iossible release of radioactive material.
'
The event may cause a safety system failure only if multiple other
events occur.
"
The event may p revent a system designed to support a safety system,
,
from performing its intended function.
There are no ' apparent safety implications.
Three factors should,be censidered in determining the probability of a
'
malevolent act, as opposed to an accidental occurrence:
1
1. OVERTNESS - Sometimes by the act itself, it is obvious that an act
of sabotage has been perpstratedt but more often than not the cause
1 of an event isjnot obvious. The cause could be misaligned valves, for
example. In such cases, the following criteria should be used in
determinine whether sabotage occurred.
a. Physical hvidence clearly related to the event, for example, the
lock to aivalve is cut and the velve misaligned; or the actuator
to the mo or control valve is shorted.
b. physical evidence tangentially related to the event, for example,
the door yo the vital areas (VA) is forced open and the valve is
misaligned.
.
%n
-.. .- . ._ - .. .. . .- . .. - - - - -
4-- - - . . . .
- , -......,,. .....
, , , ,
-
l- ! W.po ,
l .
Ill-xx
'
'
! . : Pege 3 of*1t
I
1
h c. Circumstant ial evidence clearly related to the event for exemple,
j the lock andchainaremi,ssingandthevalveismisaligned. '
d. Circumstant tal evidence t'angentially related to the event, fbe
'
example, tte key to the VA door is missing and the valve is
.
I
misaligned,
i
.
e. No evidence of deliberate manipulation of equipment.
l
l 2. INTD T - Some iflferences conce'rning the intent of the adversary can
i be drawn from asialyzing the safety significance and the overtness of
- the act. In addition, intent 'can be determined by other means, the
j most obvious being a comunicated threat. ;
-
i
l a. A comuniented threat is received before the event.
. .
.-
!
--
b. A comunicated threat is received, and circumstantial evidence -
i relating ts the event exists.
,
! c. A comunicated threat is received, but no other evidence I
l
(physical or circumstantial) exists. No event occurs. '
l d. No comuni :sted threat it received.
f 3. HISTDRY - The historical significance of an event should'be evaluated l
l using the following criteria:
l a. History ofl recent similar events escalating in safety
j significance.
I
- b. History of random events with no escalation in safety significance.
'
c. History of vandalism relating to labor / management problems.
,
- d. No previou s events.
! An analysis of the above factors may lead to a conclusion about whether the act
I was willful or accidental. When overtness is judged to be low, and history is
i found to bs low, the everit may be less .likely to involve sabotage. If the
i evidence is not conclusive or if the event is determined to be accidental, the
i appropriate corrective as tion to preven't recurrence and to mitigate the con-
'
sequences should be takeri.
If the event is cetermined to be an act of sabotage or, after evaluation of
the previous factors sabotare cannot be ruled out, a judgment must be made
regarding the level of soph <stication of the event and the consequences intended
by the adversary. Some 'nferences regarding the adversary's capability can be
drawn from the safety significance of the target. If the adversary's capability
is evaluated as being hi6h, the potential to do significant damage is great
L therefore, the leval of. sophistication of the event is a critica element in
V the decision. Evaluation of the following factors may provide some insight
regarding the level of sophistication.
.
.
DRAl=T
-
_
.. ...
.
. . . . . . - - .... .......... .....
.
_
- I
MT -^
V CJ
.Mk
.
m.xx - me : -
-
Page 4 ofit: 3;
4. LeveI_of_ Sophistication -
.
'
- a. Target selection and timihg clearly deecnstrate en intention to-
cause conseq'uences to the public health and safety. A high degree-
of knowledge of the plant and the sabotage scholas desenstrate's
highlevelhfprofessiona capabilities (expertemploymentand-
most advantageousn locatio) of explosives or installation
jumper that wouldnullifythesafetyfunctionofavitalcomponent).
b. Evidence ir dicates an int'ention to cause consequences to'the public
health and safety and a sophisticated sabotage method s used but
target sole etion and timing demonstrate limited plant nowledge.
,
'
c. Target seteetion and timing indicate poor knowledge of plants a
crude sabotage method is used.
' --
After consideration of the above fa'ctors, a response liction should be taken
that is comensurate with the potential safety consequence of the act and
the sophistication Itvel of the adversary. The following is a list of
possible response acitons; one or more of these measures may be needed:
Contact the FE _.to request their assistance in investigating the
incident and provide technical assistance to the FBI as requested.
Ensure that effective coordination and comunication exhts between
plant operationn and securfty personnel during the FBI investigation.
Identify which tampered / sabotaged equipment has had recent maintenance
performed and who performed it.
1 Identify by computer check (if feasible) the personnel who had recent
'
, access to the a-eas in which tampering / sabotage occurred.
Increase security measures for areas of concern to include additional
access controls and increase vital area patrols for the rest of the
plant until the investigation is completed and the perpetrator removed.
Des
support 1gnate a senior
and resnond to manager as the point
inquiries pertaining to theof 6 }to assist and coo
investigation.
Review recent p ersonnel problems or issues for indications of dis-
gruntlement.
Initiate accele rated functional testing.
Establish limited two-man rulb for area in which event occurred.
~
Establish tota two-man rule for all vital areas in the plant.
Consider contr lled shutdown.
I
'
[
.. .....
- ,
i MYfT
l
,
-
IN-xx
t Page 4 of it
i * .
i'
technical speciflications and operating procedure
for example
i
oneoperatingafstemtothenext, ensure availability of requirsk
.
i
! Withanunderstandin'oftheident1Itedsabotage,itisthenapprop
establish an initial
resultin earch of the associated or suspect systems.
i action. gClearly
informatib then will be the basis for determining subse The
!
i
i
andCorDbelow)dep'endsonjudgmehtregardingind
sabotage found during the checkout.
items 8
- 8.
'
Overall Inspection of Plant
<
.
i As set forth in item
.cond f search anc eauipment
j
.-
-- ['5vera11 p an , and
check should include a cA, " Ev
the
1
i
thdn a system-by . system inspectf5h
appropriate. -
The overall plant anc
i
approach in checking ]out system-by-system
a nuclear itstings reflects a " hands-on"
sabotage. The assump sower plant in instances of suspected
.
would be satisfied be tion is made taat the plant technical specifications
! fore justification of continued operation or restart.
d
-
j
( a broad inspection
inspection should be
of theBefore
ekout based on thealisting
system's
in itemscht
C and D below
lent should be made by the licensee. This ,
1
main categories: large y visual and consist of the following four
1
1. Control room inspection
{
2. Plant structures inspection
! 3. . Piping and valve welkdown inspection
l , .
4
Confirmation of electrical power integrity
i ,
i
This broad
abnormality suchinspectico
as should be initially performed to spot any ae
!
not be progranmed to 4 damaged pipeline er.a planted explosive. It should
detect all potentially faulted systems.
i In the ebntrol room
visual inspection sh
to s et try obvious ould be made of all panels, boards, and
,
j 'su lt.
shou d be spotted. Unauthorized jumpers and any strange " packages
I
,
! In the visual checko
i
be appropriate. Abn at of plant structures, the same general attitude should
l Plant structures inc lude the main plant buildings, that is>rmelities
j the reactor building
- course the intake st , the auxiliary building, the turbine buildinthe containment
ructure or connection to ultimate heat sink. g, and of ,
i
i, V
4
1 .
'
.
I
-
- ..._ 1) MAW
'.
.
~%. a . =. . . . . . . M. ,. . ~
.
-.---- -..-- - .-- - . - . . . - - - . _ - _ - - - -
j .
raen an6 a19 0 .14.1996 18802 g , , p, y
0$f
~
l
'
'
~
-
- ..
.
Ill.au
l Pope.5 of it j
bad '
,
tion should involve the same par.
j
i
The piping
spective. and valve
This inspection shouldwalkdown
no inspe(t seek to distinguish I
grade and nonsafety gradesystempiping. This inspection should simply
1
consist of a routine patrol of all 4ccessible piping rues in which tie
j inspector is alert to the more obvidus type of faulting. For example l
i
i
the inspector should be able to " find" a cut chain of a " chained and .
padlocked" valve hand le.
On the other hand the insoector should not
expect to confirm valvealignanntduringthIsinitialcheck.
l '
j Finally, the initial : heck of the e'ectrical system should be made with
!
thesamegeneralapgrosch. It shou d seek to verify that the vital wwer
l suppliers were not a ltered" in a significant way. The purpose of tiis )
1
3
check shob1d be to ma ke sure it was safe to turn power on for further
j checking Of systems.
- i
i
'
.
-
-- If preliminary determination of sabotage has been made and further !
investigation indicatbs that specific systems might ble affected, it may -
!
be necessary to perform a complete walkdown inspection of certain systems, !
i checking all accessible manual and motor-operated valve positions, circuit !
1
' breaker and electrica l switch positions, etc. Actual system walkdown
inspections are espec ally pertinent with respect to standby systems whose
o
,
mrabilit/ cannot be completely demonstrated during normal plant operations.
C tecks in 11gh radiat on areas may a required depending on detailed con.
!
1
sideration of the evi ence of sabot ge in these areas and as low as is
reasonablyachievable'(ALARA)consitration.
Ifevidenceofsabotageisfoundanpspecificcomponentsandsystemsare
identified, consideration of the cohsequences of corrective actions should
be made. A thorough heterinination of possible system response to corrective
actions should~ be made and contingency plans to address these responses !
should be determined before corrective actions are taken.
.
Detailed examination of systems including those associated with the
identified sabotage, Imy be necessary to estabitsh the basis for continued ;
operation.* The systems to be examined are listed in item C or 0, as '
applicable. Followin
confirm system operab[h such a checkbut,
11ty throughout the plant using it then
thewould
technical be appropriate t
specification requir nts as the mbasure of safe operability. This i
conformance with tec nical specifiestion requirements represents the
overall criteria on hich decisions may be made regarding changing the
mode of reactor opera'tions.
C. Boiline-Water Reactor (BWR) Plant Systems
1. Reactor System
a. Yessel - check for obvious abnormal condition
b. Yessel Level Instrumentation - condensing chan6ers, piping,
differentia'l pressure (DP) racks, and wiring
kaw'
n the plant is operating, operation sh'ould continue until sufficient checks
have been made to ensure the plant can be shut down.
D RA l=r
- . ._ .- - . - .- . -- _ _ - . - - = - . _ - .
- - - --
.gg,_
. "- -
p- - :
-
I
.
y .;:mm
. . . .
'
- IN-xx Z
] 2. Reactor Recirculation System
.
- a. Pfplng -
i
'
b. Yalves-discharge and suction .
c. Motor, pump , and controls '
- d. '
Power supply entor generator (MG) set, cables, mo'dules,
and broadern
j e. Control cab inets, wiring, . boards, and breakers
,
3. Control Rod Drive liydraulic System
,
a.
.
Hydraulic control
Isolation volves, units
and (HCUs)lvesdirectional
scram va control valves,
b. PipingthroughoutHCOsandscramdischargevolume(
i c. )
- SDY drain and vent valves and instrumented volume (
switches
1evel
.
} .
~
--
d. Control circuitry - cables and boards
e. Air supply I piping and valves, controls, ahd pilot valves -
) 4 Standby Liquid Control (SLC) System
!
i a. SLC tank, lovel, and piping
i b. Pumps and motors, power supplies, and controls
! c. Yalves squLb, and isolation
- d. Controlcircuitry, panels, cabinets, and cables ,
5 Residual Heat Releval (RHR) System
j a. Heat exchangers, primary . side (shell), secondary side (tube),
- and service water
j b. Primary sido low-pressure core injection (LPCI) pumps, motors,
,
p1 Ing valves, isolation valves, drywell spray piping and
i va ves and torus spray piping and valves
- c. that is, shutdown cooling
Other
and isolati p,rimary
n coolinside pipin't,and
Mere ap Ilcab valves,le
i d. Control cir uttry, w ing, pane s boards
I power supplies, and control power, supplies, logic interconnection ,
I e. RHR Service Water System
j Pumps, motors and
i ((
(
Piping and valves, water supply structureisolation, and interconnec
Contro l circuitry w boa
} ( Power nupply, cable,iringkers,rds,
brea and and panels
controls
{
6. Core Spray Syst m
.i
- a. Pumps, and retors
- b. Piping and alves, isolation valves and check valves
l
'
c. Control cir uttry, wiring, panels, logic, and control power
d. Power supp11es, cable, breakers, and controls
4
- Wes/
!
?/2AFl
4
!
epi vn na6 asps 98.84.1996
,
18805 p. e
- .
9/W1 -
-
-
lban
4
. . .I
Page 8 of 125 -"i
i V 7. High Pressure CoalantInjectionSystem
i a. Pusip and tu sine driver -
- - .
l
Piping val /es, isolation valves
'
b.
i c. Controlcir :vitry, wiring, logic, and coedensate.
, and traps
control power
j d. Turbine oil system, turbine control valves, and speed governor
- 8. Autosatic Depres turization System !
- ;
i a. Safety reli ef valves operability
a b. Control cir :uitry, wiring tim and logic
,
i
i c. Air or pneu;nstic accumulaIors,eralrsupplycheckvalves,and
l air supply siping
i
- 9. Reactor Core Isolation Cooling System *
.
l
!
.'
--
a. Pump and tu rbine driver I
l b. Piping, val ves, isolation valves, check valves"and condensate -
- traps
'
c. Control cir:vitry, wiring, and logic
- 10. Diesel Generator System
,
i a. Day tanks a id storage tanks
?
b. Fuel oil pumps, motors an
,
y c. Control circuitry, wiring,d pipingand logic '
I
- d. Diesel air start and lube oil systems
- e. Generator p rotective devices and output interconnections (see
j electrical systems)
11. Containment Systems l
1
l
j a. Primary con,tainment isolation valves, including main steam
isolationvp1ves(MS!Ys)andcontrols '
i b. Primary containment inerting system piping, valves, controls.
.
i c. andsamplin)chamberwaterlevel
Suppression
i d. Yacuum breaxers - drywell (DW) to torus to reactor building
! e. Standby gas' treatment system operability
j f. DW purge an'd vent valves control
f
.
l 12. Water Systems
4
! a. RHR service water piping, valves pumps and motors
i b. Emergency s'ervice water (if app 1Icable), piping, valves, pumps,
4
and motors l
1 c. Intake structure integrity
i d. Reactor building closed cooling water, and turbine building
j closed cooling water, and fuel pool cooling
4
V 'For earlier BWRs using an isolation condenser for this function, only the
above items 9.b and 9.c are applicable.
i
4
-
-, -
- - - - _ . _ - - . . _ . - - - . . .-
-
--
,
7...........-_ ,3,. , , , gg
.,.e ,fe18
i .
~
0@fr .y
.
W !
!
INinx
Page9of'it
4* I
I
,
j e.
- f. Circulating
Diesel generator water system
cooling wa , ter system
! 9,
Condensate and feedwater system, including storag6 tanks sad.
i domineralisers - .
i h. Condensate-Feedwater )iping, pusps, and valves
,
i
.
l
1. Feedwater heaters witt associated piping and valves i
.
j 13. lastrumentation and Control (14C) Systems I
! a. Reactor protection system, boards, racks, relays, and complete
.
b. controlrochcheck l
Neutron monitoring system, including traveling incore probe (TIP)
, piping and intermediate
i
range monitor valves andaverage
(!RM), and source power range monitor
range mon ($RM)Itor (ARA
c. Process control interfaces ~
i
d. Engineered and racks
i :_. "
e. * Instrumenta! safety feature controlstion and control (!&C
! control rocia habitability system ~
,
f. Other I&C J for example, fuel pool cooling, offgas' monitoring.
l etc.
14. Eledtrical $yptens
! l
1
a. DC system supply and monitoring on 125 volt and 250-volt batteries !
3 andchargeds,switchgear,andpanels
!
j
h b. Vital AC e utpment including 4ky, 480-volt and 230-volt buses
and switch ear
l
! c. Vital moto control centers
i d. Emergency lighting system
! e. Remote sautdown control system
j f. Cable spres ding room
.
l
-
15. Compressed Air lystem
l a. Compressort, accumulator tanks, and motors
i b. Piping and valves
l c. Control circuitry, and wiring
16. Main Turbine Generator
!
l a. Turbine control system
j b. Bypass valte controls , including electrohydraulic oil system
j c. Generator protective systems
i .
.
! D. Pressurfted-Water Reactor (PWR) Plant Systems -
.
j 1. Reactor System
{ a. Reactor prossure vessel
i b.
i
y c.
Control rod drive mechanism above reactor vessel
Control and instrumentation for the reactor protection system
(RPS) and the overpressure protection system
'
.
-
}
.-
.
Ad d
- . . = = = + + = .. .. .% .. - -
,_,-=-we-
== ._ __.____ - -- , . . -
._
,,.,_. -- ._ _ ._ __.___ _ _ -. ______ .
,
-
j .
.' vxyp i -
l
- IN.xx
- page 10.of.'Ir.
2. Reactor Coolant systems (Rcs)
! a. Primary and secondary coolant loopapiping, valver(including
, safetyrelikf),instrumentationandcontrol .
i b. Reactor coo;1 ant pumps (RCP) and associated component cooling,
i including onent cooling of lube oil coolers and component
! cooling va ves and piping to containment penetration
! c. External s am generator, including safety relief valves
i d. Pressurizar , including power-operated relief valves (PORVs),
-
associated heater control and
i heater backup controlpowerair Cor and
supply, nitrogen)
valves and supply,iping
p to pressure
relief tant
l
3. Emergency Core C ooling System (ECCS)
i a. Accumulators and piping to RCS vent and isolation valves and
i
.- --
nitrogenp(essureandsupply
l b. Hi[h head gharging pumps, charging lines, bbron injection tankst
- al other safet
! if applicable) y injection pumps (i.e., intermediate head pum
manual isol ationvalves) TORCS
c.
I Residual heat removal (RHR) system-heat exchangers pumps)
valves (includingmanualsystemisolationvalvealIgnment
I associated control circuitry, wiring, panels, interconnections,
! power supplies, and control power supplies
j d. RHR servico water system including
! (especially system isolakion valves) pumps, motors, piping, valves
i e. Refueling water storage tank, associated isolation valves, and
! piping for ECCS pump suction
- f. Instrument and control racks for the entire ECCS system
,
j 4 Component cooli1g System
.
a. Component zooling pumps, heat exchangers, spent fuel pool heat
exchancers , and water seal heat exchangers
b. Special attention should be given component cooling for RCPs,
emergency Wiesel generators. ECCS pumps, and assoc'ated isolation
l valves and piping
.
6. Instrumentation and Control
! a. Visual inspection and functional testing of RPS and engineering
i systems
- b. safeguards'ck
Visual che of instrument racks and wiring for RHR, auxiliary
J feedwaterlsystem,andshutdownsystems
! c. Preoperational testing of SRMS, IRMS, and all other power level
4
instrument's
j d. Control ro'om and auxiliary room ventilation system
- e. Instrumenti control air (or nitrogen) pressure valves and piping
j for safetf systems
f. Control rc om panels and cabinets
]
i
i
-. .. _ _ . . - -
- _ ,
.. - .- - _ _. - _- _
- __ - - . .-
_
1 .
1
-
IN-xx
j
Page 11 of it' i
I
l
l 6. Waste Disposal and Radiation Protection System _
'
! a. Radiation sonitors for service water discharge headers and plant-
1 vents
b. Reactor coq 1 ant drain tanks, chemical and volume' control system
]
i (CYCS) holdup tanks, and the waste holdup tanks, valves, piping
j and radiat on alams
4 c. Waste gas , nitor tanks, and valve line to service water system
. 'd . Gas decay tenks, analyzer tanks, plant vent valves lineup, and
I associated radiation monitors
7. Containment Systems
a. Containment isolation valves, CYC5 letdown lines, and MSIVs
b. Containment pressure relief valves, purge exhaust valves and all
Other manun11y operated containment valves that "
are accessible
.- --
c. Personnel und equipment access hatches -
d. Containment sprcy systems, piping, valves, instrumentation and
wiring, punps, heat exchanger and recirculation system sump
zusp and controls
e. iydrogen rocombiner units, including the control panels and
power supply
f. Fan cooler 1 with safety cooling functions and ice condensers
(ifapplicable)
8. Electrical Syst ems
a. Auxiliary power s stem, including 4160/480 vital buses, 125 volt
DC control buses / attery and 120-VAC V i tal instrument bus
b. Emergencyhieselgeneratorsystemcontrols,fueloil,lubeoil,
tanks, and piping
. c. Cable spre,ading room !
9. Main Steam System
a. Associate reitef valves
b. Turbines, including lube oil system, bypass valves and generator
protectic systems
c. Steam generator feedputnps and valve lineup through feedwater (FW)
heaters
d. Auxiliary lfeedwater system pumps and manual isolation valves
10. Spent fuel pool andfuelhandlingsystems(i.e.,ifinrefueling
outage),incluc ing cooling system and level indications
11. Service water system, including piping, valves, pumps, and heat
exchangers ;
I
12. f ampling systey for appropriate systems, including isolation valves
'
.
I
l
i
'
, . .
. _ _ _ _ _ . _ _ . _ . _ .
, _ ______ . _ _ _ _
_ . _ . _ _ . . _ . . _ _ _ . _ _ _ _ _ . . _ _
, ~
-
'
! rn.xx ~"IJ+
'
Page it of 1c._r ,
..$ ".
. + -
"
'
' V No specific action or writ l ten response is required by this information noti
If you have any questions plasse contact one.cf the technical
contacts listed below or about this matterheRegionalAdminIstratoroftheappropria
!.
<
office. *
a
l
I
charles E. Rossi, Director
- i Division of Operational Events '
l
Assessment
l Office of Nuclear Reactor Regulation
1
Safeguards Technical Contact: Eucene W. McPeek, NRR
(301)492-3210
.
! -- .Qperational Technical Contact: Richard Lobel, NRR -
-
l
j (301) 492-1157 i
Attachment: List of Recehtly !ssued NRC Information Notices
!
'
t
l
1
,
.
I
l
i
,
.
i
l
j JM FT~
-- -. - .
.. ....
, .
, . *
,
- j
j
ATDOE'ItC D
l
I
!
i
'
OUTLET PORT
/
[
r: r j -
/
! % , t
'Y' STRAINER BODY p
a ,
-
.s e
l 1 *#$
/
PENNY '
'c
!
!
/ Y l
1
,
i
[
I i
L ! - - . ;
j IHLET PORT
i
l
i FLOW
.
General Arrangement of "Y" Strainer
! Components and Location of Penny
FIGURE 1
l
l __ . _ _ _ _ _ . . . . _ . . _ . _ _ _ _ _
!lll '!lIl!Il! i ll sjl !;
,
. . -
-
.
-
.
_
._ _
_
_
_ ,
_ D.
.
_
O
._ o'
._ w
.
t o.
a w. j'
'
l n
ao
_
_
' M
5 5
%
.,
< e.
n
r
en
ne6
ee9
2 8
e-
_ Gr9
_ 3 S c1
_
M.8 "6 dS
n ,
_
. n 1 af0o2
7 s
. .
nnr
_ -
,
'
'
.
ooe
iib
st m
nie
edt
-
-
.
'
s N. R* [X mnp
i oe
N. R9t -
_
-
-
.
%* s! pb
-
2
- E
-
R .i
-
U
_
_
i i'
G
I
F
_
_-
-
-
-
_
-
1l
NO& l n
I ' ' ao
I
kI r
-
en
2
)
d ne6
ee9
Gr9
% u07 dS
n
af5
c1
,
-
-
7 s
o1
_- K nnr
ooe
iib
- [
stm
_- nie
edt
-
1o 4h , kO t mnp
ioe
_
_
_
_
_
_.
_
_.
_
._
-
-
-
.
.
,;! ', ;- ! #! ;' - ! I .