ML20134F038
| ML20134F038 | |
| Person / Time | |
|---|---|
| Site: | Crystal River  |
| Issue date: | 10/28/1996 |
| From: | NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION II) |
| To: | |
| Shared Package | |
| ML20134E989 | List: |
| References | |
| 50-302-96-13, NUDOCS 9611040233 | |
| Download: ML20134F038 (46) | |
See also: IR 05000302/1996013
Text
?.
e, -
.
U.S. NUCLEAR REGULATORY COMMISSION
REGION ll
l
Docket No.:
50-302
License No.:
Report No.:
50-302/96-13
Licensee:
Florida Power Corporation
Facility:
Crystal River 3 Plant
Location:
15760 West Power Line Street
Crystal River, FL 34428-6708
Date:
September 19 - October 9,1996
Inspectors:
B. Crowley, Lead Inspector
T. Cooper, Resident inspector
L. Stratton, Security inspector
Approved by:
A. F. Gibson, Director
Division of Reactor Safety
Enclosure
9611040233 961028
ADOCK 05000302
G
_,
_
_-
. _ .
--
_ - . _ - - - - . - - - . _ . - - - - . - _ - - -
.
4
i
j
EXECUTIVE SUMMARY
j
Crystal River Nuclear Plant
]
NRC Inspection Report 50-302/96-13
4
!
l
$
A chronological Sequence of Events for previous 1A Emergency Diesel General (EGDG)
j
cooling fan gear drive lube oil strainer problems and for the foreign material (penny) found in
,
the strainer on September 19,1996, was established by the inspectors. The Sequence of
{
!
Events is documented in Attachment A to this report.
l
l
Overall, the licensee's response to the potential tampering event discovered on
i
September 19,1996, was satisfactory.
Y
i
On September 19,1996, the licensee identified that the lube oil strainer for the 1A EGDG
l
cooling fan gear box had a coin (penny) under the strainer screen. The licensee's
[
documented evaluation concluded that the penny most probably entered the strainer
l
accidently when a mechanic, who carried the strainer screen in his pocket along with loose
i
change, re-installed the strainer screen into the strainer body without inspecting it for foreign
!
objects.
1
{
The practice of transporting small safety-related components, without any identification or
protection, as was done with the strainer screen, is considered a poor work practice.
The inspectors concluded that site managemt nt appropriately pursued identification of the
,
j
cause for the penny in the lube oil strainer.
!
!
Following extensive reviews by the licensee ani independent verifications by NRC, the
!
inspectors concluded no evidence of tampering had been identified.
l
l
The Corporate investigative staff adequately reviewed the event and other previo s problems
i
to ensure that any potential tampering events had been fully evaluated. They cori luded that
!
the penny most probably entered the strainer accidently and there was no evidence that
i
suggests a pattern of tampering at the facility.
l
The licensee was able to successfully restore the EGDGs to operable status on
i
September 20,1996.
s
The inspectors concluded that tampering with EGDG-1 A cooling fan gear box lube oil strainer
could not be conclusively ruled out based on the existing evaluation documentation.
)
i
However, as concluded by the licensee's investigation, the penny most likely entered the
strainer by accident during installation of the strainer screen after removal for measurements
i
on September 15,1996.
The inspectors concluded that the licensee adequately evaluated other systems for signs of
tampering and correctly concluded that no additional signs of tampering were evident.
i
l
I
.
_
_ _ . _ . - . _ _ - _ _ _ _ . _ _ _ . _ _ _
_ _ . _
'
'
.
.
l
l
~
2
The inspectors concluded that there was no evidence of additional potential tampering and
'
that the licensee had adequately evaluated the plant problem reports and other
documentation for additional examples of potential tampering.
The licensee appropriately identified actions to be taken to enhance detection of additional
'
i
tampering.
The licensee was in compliance with the Physical Security Plan (PSP) with respect to fitness
for duty, personnel access authorization, criminal history checks, and access control of vital
areas. The licensee appropriately recorded the suspected tampering event in the Safeguards
Event Log, as required by 10 CFR 73.71, " Reporting of Safeguards Events," Appendix G.
Attachment C contains information provided to Crvstal River site management by NRC to
assist in the licensee's response to the events. The attachment contains NRC Information Notice (IN) 83-27 conceming deliberate acts directed against plant equipment and intemal
NRC guidance for plant system check out following suspected sabotage.
l
l
Attachment D contains a graphical representation of the lube oil strainer and copies of
l
photographs of the strainer screen as found on September 19 and as photographed on
'
September 15 before re-installation into the strainer body.
!
l
j
1
L
l
>
i
I
l
l
!
1
.
,
_
- _ _ .
-
__-
-
.- __ _-
_ _ .
._
_
__
.
.-
i
'
i
e
Report Details
02
Operational Status of Facilities and Equipment
O2.1 PotentialTamoerina Event
On September 19,1996, the licensee found a coin (penny) under the strainer screen of the
lube oil strainer for EGDG-1 A cooling fan gear drive. The strainer had been removed from
the Lube oil System as a complete assembly for the purpose of replacing with a strainer
containing a larger mesh screen. The penny was under the inlet end of the screen covering
,
l
the inlet bore of the strainer and appeared to block all flow through the strainer (See
Attachment D, Figure 1 for a graphical representation of the strainer and the location of the
penny). There had been a history of the strainer clogging and the licensee was in the
'
process of replacing the complete strainer assembly since a larger mesh screen that would fit
the installed strainer body was not available.
The licensee identified the event as potential tampering, declared an Unusual Event (UE),
and initiated an immediate inspection for evidence of tampering of the entire 1A EGDG and
associated systems, as well as other plant equipment. At the same time an investigation was
initiated to try to determine if the penny in the tube oil strainer was in fact tampering.
02.1.1 Evaluation and Correction of Damaaed Comoonents
a.
Inspection Scope
4
Review licensee's evaluation of the damaged components to determine if the as-found
conditions represented potential tampering and determine if the damaged components
l
were replaced or the damage corrected and the operability of the EGDGs satisfactorily
'
demonstrated. -
b.
Observations and Findinas
,
e
Following detection of the potential tampering, the licensee developed a plan for
!
verifying that EGDG-1 A was fun:tional, that no further evidence of tampering existed,
.
and that the EGDG could be proven to be operable. Prior to the detection, EGDG-1A
!
had been declared inoperable, to allow maintenance on the component, due to
concems with degrading cooling fan gear drive lube oil pressures.
Operational History
During 1994, the licensee identified a decreasing trend in the 1A EGDG cooling fan
gear box pump lube oil discharge pressures, even though the pressures remained
above the administrative limits. The decision was made at that time to attempt to
<
clean the oilin the gear box asscmbly. The gear box does not have an access port to
allow cleaning. A small oil addition port at the top was opened and cleaning was
attempted using a small tool through the port. The existing oil was drained from the
gear box through the drain line, which is mounted on the side of the gear box. This
1
drain line does not allow for complete draining of the gear box. Following the refilling
3
of the gear box, the licensee noted that pressures were even lower and the strainer
screen was fouling more rapidly. The licensee surmised that their attempts at
-
. - _ _ -
__ _
.-
-
.-
. -
-
.
-.
L
'
.
2
I
cleaning had merely stirred up debria that was trapped below the drain line. They
drained and replaced the oilin the gear box a second time. Discharge pressure
values retumed to normal ranges. The licensee made the decision to replace the
entire gear box assembly during the 10R refueling outage.
Following the replacement of the gear drive assembly in February 1996, the licensee
had noted a trend of decreasing cil pressures during surveillance testing. During the
'
performance of the EGDG-1A surveillance on September 11,1996, the discharge
,
i
pressure started at approximately 13 psi and dropped to approximately 8 psi. The
administrative limits for the discharge pressure is between 14 and 29 psi. The
q
licensee had determined, in response to Request for Engineering Assistance (REA)
'
91-1466 written for an unrelated problem and based on information obtained from the
vendor, that 5 psi was the minimum discharge pressure for the system to remain
'
functional. In response to this low gear box lube oil pressure, the licensee cleaned
the screen and contacted the vendor. it was determined that the screen in place was
a sheathed 40 mesh screen. Engineering determined that the metal sheathing
.
reduced the flow area of the screen by about 1/2. While the vendor thought that this
j
size screen would function acceptably in a system with clean oil, a 20 mesh
unsheathed screen would be optimum for this application.
J
Conversations with the vendor revealed that each gear box assembly had a different
strainer unit, procured commercial grade and dedicated to the asfembly,
,
i
Consequently, the licensee could not order a replacement screen without a detailed
description of what was needed. On September 15,1996, technicians from
Mechanical Maintenance removed the screen from the strainer to allow the receipt
inspection personnel in the warehouse to obtain measurements to order a
l
replacement. The mechanic removed the screen, placed it in his pocket, and
j
proceeded to the warehouse.
At the warehouse, the receipt inspectors took close-up photographs and detailed
measurements of the screen, in an attempt to obtain the information to order
replacement 20 mesh screens.
,
Based on licensee interviews, the maintenance technician stated that he then placed
!
the screen in his pocket, which contained loose coins, and retumed it to the plant. He
proceeded, alone, to replace the screen in the strainer. On his first attempt, he
.
placed the screen upside down in the strainer, but the retaining plug would not fit with
the screen in this configuration. He reversed the screen and replaced the plug. The
inspectors pointed out to the licensee that the practice of transporting safety-related
components, without any identification or protection, is considered a poor work
practice.
)
!
The licensee was unable to obtain a replacement 20 mesh screen, so the decision
was made on September 18 to replace the entire strainer assembly, with a 20 mesh
screen installed. Following the replacement, the maintenance technicians noticed the
obstruction in the removed strainer.
4
I
j
.
-.-
-
!
'
'
I
'
a
!
i
'
3
Recoverv
!
The inspectors verified by examining the Work Request (WR) and examining the
system in the field that the strainer had been replaced prior to the licensee detecting
,
!
the suspected tampering. It was while the maintenance technicians were examining
j
the removed component that the potential tampering was identified.
i
l
The inspector accompanied plant personnel; two engineers, a Senior Reactor
l
Operator (SRO) certified operations support person, and a security officer; on a field
j
walkdown of EGDG-1A. The licensee personnel performed a detailed, intensive,
!
examination of the EGDG; examining all accessible valves, electrical connections,
linkages,' freedom of travel in moving components, and appearances of lubricating oil
and jacket cooling water.
,
One lubricating oil drain valve was found out-of-position, in the open position, but this
was on a line that was capped and no leakage was observed from the cap. The
-
licensee documented the discrepancy in a Problem Report (PR) and retumed the
valve to its conect position.
Following the completion of the walk-down, on September 19,1996, operations
performed Security Procedure (SP)-354A, Monthly Functional Test of the Emergency
Diesel Generator EGDG-1A. The inspectors witnessed the performance of the
surveillance test. The normal range of discharge pressures for the gear box pump is
14 to 29 psi. During the performance of the EGDG-1 A surveillance, the cooling fan
gear box lube oil pressure at the beginning of the four hour test was approximately
23.5 psi. After the oil had heated, the discharge pressure had decreased to
j
approximately 21 psi, where it remained for the duration of the four hour surveillance.
i
On September 20,1996, a walk-down on EGDG-1B was performed by Engineering
personnel, Training Instructors, Operations personnel, and Security personnel.- No
discrepancies were identified. The inspectors observed the performance of licensee
procedure, SP-3548, Monthly Functional Test of the Emergency Diesel Generator
EGDG-18. Acceptable gear box pump discharge pressures, consistent with the
values expected on EGDG-1B, were obtained.
After full load conditions were reached, during the run of the EGDG, a high jacket
coolant alarm was received on the diesel control panel. Localinvestigation revealed
the engine outlet temperature was 178'F, using infra-red instrumentation. The high
coolant temperature setpoint is supposed to be 195'F. Engineering monitored the
temperatures and determined that the perfomlance of the EGDG was acceptable.
The alarm setpoint was calibrated to proper levels following completion of the
surveillance. WR NU 0337921 was initiated to investigate the alarm set point.
Based on the EGDG walk-downs, the successful completion of the surveillance
testing, and the investigation conclusions that there did not appear to be any other
tampering on the EGDGs, the EGDGs were declared operable on September 20,
1996.
-.
-
-
-
7
. -.- -
. - . -
-
- - . . .
- . - - . . -
-
-
_ -
- . - -
.
_-
$~
&
.
!
!
l-
4
4
1
Examination of the Removed Strainer
l5
4
1
On September 20,1996, the licensee conducted a test in the site receipt inspection
j
facilities, where approximately 5 psi of oil pressure was applied to the strainer that
)
1
had been removed, to determine if, with the penny in place, the strainer would have
'
passed any oil flow. The licensee monitored the strainer for approximately 20
l
i
minutes. There was no observed leakage past the obstruction.
I
The licensee removed the screen element from the strainer and examined it,
comparing the results to the documented results of the September 15,1996
inspection. There were marked differences in the observed dimensions and the
!
uniformity of the measurements on September 20,1996. In addition, distortions at the
ends of the screen and damage to the screen mesh were present on September 20
that were not present on September 15, as shown in Figure 2. The licensee has
determined, based on these observations, that the penny was not present in the
strainer prior to the examination on September 15,1996. The inspectors observed
I
the licensee taking the measurements of the damaged screen and compared the
j
screen to photographs taken of the screen on September 15,1996. Licensee
j
interviews with additional mechanics revealed that one of the mechanics had noted
i
j
the deformation of the screen on September 17,1996, during maintenance, but had
i
concluded that this was normal.
i
The licensee has concluded that, based on the pictorial evidence and interviews, the
penny entered the strainer between September 15 and September 17,1996, and
most likely on September 15 when the mechanic re-installed the screen after carrying
4
j
it in his pocket with loose coins. When the screen was removed from the strainer
i
body on September 20, the licensee demonstrated that a penny would fit inside the
j
screen and sometimes would hang up in the screen when it was tumed upside down.
j
If the penny was in the screen at the time the mechanic tried to re-install it upside
j
down, it could have fallen out into the oil in the bottom of the strainer body and not
j
have been noticed by the mechanic.
c.
Conclusions
The licensee was able to successfully restore the EGDGs to operable status on
September 20,1996. Testing and examinations conducted by the licensee resulted in
a high probability that the penny had not been in the system during any previous
testing. As concluded in the licensee's investigation report, the penny most likely
entered the strainer by accident on September 15,1996, during re-installation of the
screen after removal for measurements and transporting in the mechanics pocket,
which contained loose change.
The oractice of transporting small safety-related components, without any identification
or protection, as was done with the strainer screen, is considered a poor work
practice.
.
-
-
l
.
5
O2.1.2 Evaluation of Plant Systems for Additional Tamoerina
a.
Inspection Secoe
Verify plant safety systems have been sufficiently evaluated for potential tampering to
assure they can perform their intended functions.
4
b.
Observations and Findinas
in response to the penny found in the EGDG gear drive ILbe oil strainer, the licensee
performed an inspection of additional systems, including ah safety related systems
and non-safety related systems that could have an impact on the safe operation of the
plant, to assure that the systems were intact, with no signs of potential tampering.
The Operations and Engineering departments conducted independent walk-downs of
the systems to provide a defense in depth approach. Acceptance criteria for these
system walk-downs were specified in licensee procedure Wi-100, Security Event
Recovery Guidelines, Enclosure 1, Comprehensive Walkdowr: Guidelines.
'
in the Auxiliary Building, one core flood nitrogen supply line valve, CFV-82, was found
to be partially open, but the valve is located on a capped line. The cap was verified
to be present. In the Reactor Building, several cables for pressurizer heaters were
found to be disconnected without being tagged. The licensee verified that these
cables were for failed heaters and had been disconnected under a Maintenance
Request. In the main control room, several fuse holders were found with the fuses
removed. The inspector observed the Engineering, Operations, and Management
personnel review and resolution of these holders. Each of the holders had been
jumpered, as part of permanent modifications, and the fuses removed. No additional
discrepant conditions were identified.
The inspectors performed an independent general tour of the Turbine, Auxiliary, and
Control Buildings. No obvious indications of tampering were identified.
Review of Previous Problem Reports (prs) for Evidence of Tamperina
The licensee reviewed the prs issued since January 1,1996, in an effort to
determine if any other suspected issues existed that had the potential to have been
caused by tampering. A total of 392 prs were reviewed, using the following criteria
developed to detect potential tampering:
Loose bolts or fasteners
-
Mispositioning - valves, breakers, etc.
-
Foreign material
-
Lost parts or equipment when work in progress
-
Mislabeled equipment
-
Unexplained spills
-
Radioactive material found outside control areas
-
Controlled doors left open
-
Damaged equipment (i.e. stepped on tubing, Mecatiss, Thermolag, etc.)
-
__
'
'
.
6
Broken bolts
-
PA speakers turned off or stuffed with rags
-
Changes to setpoints not explained by normal drift
-
Fires of undetermined origin
1
-
Unexplained contamination or overexposure
-
Based on the screening criteria, 82 prs were identified tha: sarranted further review.
A panel of three experienced licensee representatives, two permanent employees and
one contractor, reviewed the details of the events in the prs and reduced the number
of prs needing investigation to twelve, including the PR for the penny found in the
strainer.
'
A review of the remaining events was conducted, which consisted of reviews of
documentation, interviews with involvert personnel, and review of the licensee's root
cause determinations. A recent event involving a mispositioned CRD breaker was
investigated in depth. The licensee's investigation, based on interviews and review of
reports and logs, found no credible evidence of tampering and concluded that the
i
open breaker was most likely caused by human error. The licensee concluded that
none of the additionalidentified events were the result of deliberate tampering.
The inspectors performed an independent review of the prs since January 1,1996
and determined that the licensee list of prs for additional review was reasonable and
in good agreement with the inspector's list. The inspectors reviewed the licensee's
analysis of each of the twelve identified prs and examined, where applicable, the
areas where location in the plant (e.g. high radiation area) played a role in the
licensee determination. The inspectors found the basis for conclusions to be
i
reasonable.
c.
Conclusions
Based on independent review of the documentation of licensee's inspections and
walkdowns of the plant, the inspectors concluded that no additional examples of
tampering were identified. The more likely cause of the misadjusted valve was poor
performance by licensee personnel.
The inspectors concluded that the licensee adequately evaluated other systems for
signs of tampering and correctly concluded that no additional signs of tampering were
evident.
Based en independent review of documentation and observations of the involved
equipment, the inspectors concluded that for the mispositioned CRD breaker,
tampering, although it could not be conclusively ru!ed out, was not likely the cause of
the mispositioned breaker. The most probable cause of this event was personnel
error.
The inspectors concluded that there was no evidence of additional potential tampering
and that the licensee had adequately evaluated the plant problem reports for
additional examples of potential tampering.
,
_
_. _ _ _ _ _ _ _ _ _ . _ _ _
_ _ _ - _
-
. _ .
__ . . _ _
.
l
-
4
l
7
i
O2.1.3 Site Manaaement's Response to the Event
a.
Inspection Scope
!
Review the actions taken by site management in responding to the potential
'
tampering on the EGDG-1A cooling fan gear drive to determine if management's
response was appropriate for the circumstances.
.
b.
Observations and Findinas
1
The inspectors observed the licensee's actions throughout recovery from the event.
,
Prompt action was taken to declare an UE and a Recovery Action Plan initiated. The
Action Plan included the following four general steps:
>
!
l
Ensure integrity / operability of equipment required for core cooling
-
-
Initiate / conduct an independent investigation
Develop plan for recovery from the unusual event
-
-
Communications and event documentation
Management initiated the following immediate measures: (1) compensatory security
measures to guard against any continued acts of tampering, (2) detailed walkdown
d
inspections by Operations and Engineering to ensure there was no evidence of
tampering with plant equipment, and (3) an independent investigation to determine if
tampering had occurred and the extent of any tampering. Management met frequently
with plant personnel to discuss the status of the recovery plcn and direct the recovery
effod. Management kept NRC (site personnel, Regional NRC management, and NRR
i
management) informed of the actions being taken and the status of the recovery plan.
.
c.
Conclusions
+
The inspectors concluded that site management appropriately pursued identification of
i
l
the cause for the penny in the EGDG-1 A cooling fan gear box lube oil strainer and
identification of any additional potential tampering with plant equipment.
The inspectors concluded that tampering with EGDG-1 A cooling fan gear box lube oil
strainer could not be conclusively ruled out based on the existing evaluation
,
1
documentation. However, as concluded by the licensee's investigation, the penny
I
most likely entered the strainer by accident during installation of the strainer screen
.
after removal for measurements on September 15,1996.
'
?
1
~
4
_
]
1
1
. . . _ .
-.. -
. . _ - .
- - -
-
-_
_ -. - -
- --
. - - . .
.
.
c,
,
.
.
i
!
i
8
02.1.4 Imolementation of Interim Action to Detect New Tamperina
!
a.
Inspection Scope
l
Determine if adequate inte H actions to detect new tampering had been implemented.
!
b.
Observations and Findint
After the identification of 7
wted EGDG tampering, a Security Emergency was
declared. The licensee impe.
d immediate compensatory posts at the two
entrances to the diesel generator area. Doors D-201 and D-207 were posted
re=cectively with armed security officers to preclude access to the diesel generator
l
area. In addition, supplementary personnel were added to perform additional patrols.
'
The inspectors observed that the additional random patrol was being performed on
the evening of September 24,1996. Site security officers were briefed to heighten
their awareness of the potential for other tampering activities. The inspectors
questioned several security officers conceming their understanding of their duties and
considered their responses appropriate and in accordance with the licensee's PSP.
Upon exit of the UE, the Security Emergency was downgraded to a Security Alert. In
response to this downgrade, the licensee removed the two compensatory posts
previously established at Doors D-201 and D-207.
In accordance with Wi-100, Revision 3, " Security Event Recovery Guidelines," the
licensee initiated a walkdown of the security system mainframe and peripherals
located in the Nuclear Security Operations Center (NSOC), in addition to plant local
and remote computer cabinets and printers associated with those systems. No
evidence of tampering was identified,
c.
Conclusion
The licensee appropriately identified actions to be taken to enhance detection of
additional tampering.
'
S1
Conduct of Security and Safeguards Activities
1
S1.2.5 Security investiaation of the Event
a.
Inspection Scope
Determine if Security and Investigative staffs adequately reviewed the event.
b.
Observations and Findinas
i
The corporate investigators responded to the site on September 19,1996, to
independently determine when and how a penny became lodged in the 1A EGDG
'
cooling fan lube oil strainer. PR 0386, Revision 1, was initiated to track the results of
this investigation.
_. ..
_
-
-
-
..
l
..
.
9
Immediately after discovery of the event, the strainer, penny, and the oil taken from
the strainer were taken into custody by Security and locked in a security container.
Interviews, bench tests, and applicable logs, and other documentation were reviewed
by the investigators.
The Federal Dureau of Investigation (FBI) was notified of the potential tampering
event and currently has possession of tne strainer and penny in question. The FBI is
reviewing the issue. The NRC Office of Investigations and Region il Physical Security
Staff are maintaining liaison with the FBI.
,
The corporate investigators interviewed 33 individuals relative to the EGDG penny
issue and 20 other individuals associated with other prs reviewed by the investigators
for potential tampering. In addition, the investigators reviewed applicable
documentation and observed testing of the physical evidence. A separate Problem
Report Review Team (PRRT) convened to determine if other events identified could
support a pattem of tampering. The PRRT used a 14 point checklist to screen
problem reports that could indicate possible tampering (See Paragraph O2.1.2 for
additional details). This screening resulted in 82 problem reports which were
reviewed in detail; with 12 requiring an additional followup. Only one of the 12 events
identified required a separate investigation.
The inspectors noted that the Licensee's " Report of Independent investigation Team
Conceming Possible Instances of Tampering at Crystal River #3 - September 1996"
i
provided little detail relative to the rationale regarding which individuals were
interviewed as part of the investigation. Based on discussions with the investigation
team, the inspectors did not have concems with which individuals were interviewed
and the conclusions reached by the investigation team, just that bases for the
conclusions were not documented appropriately in the report. At the exit interview,
the licensee stated that the report would be supplemented to provide this information.
)
Subsequent to the inspection, the Report was revised to provide rationales for which
individuals were interviewed and why and was reviewed by the inspectors prior to
leaving the site.
c.
Conclusion
The corporate investigative staff adequately reviewed the event and concluded that
the penny most probably entered the strainer accidently and there is no evidence that
suggests a pattem of tampering at the facility.
S1.2.7 Evaluation of Comoliance with the Physical Security Plan (PSP)
a.
Inspection Scope
Determine if the licensee was in compliance with their PSP and applicable
procedures.
.
,
1
i
10
b.
Observations and Findinas
'
i
l
To preclude individuals from being authorized access to the facility who may engage
"
in tampering, the licensee established a screening program in accordance with
_
10 CFR 73.56 requirements. The PSP states that "the Fitness for Duty Program
'
(10 CFR 26), Personnel Access Program (10 CFR 73.56), and Criminal History
!
checks (10 CFR 73.57), contribute to the overali effectiveness of the physical security
program in combatting possible insider threats within the Plant."
The PSP further requires that, "all ingress and egress from the Protected Area and
.
Vital Areas is controlled by human, mechanical, or electronic means. Only a limited
1
j
number of portals are provided, and they are locked and alarmed..." In addition, the
l
PSP states, "Only those persons required to enter Vital Areas to perform work
functions necessary for the operation of the Plant are granted access. Each
!
individual's need to have access to Vital Areas is reviewed once every 31 days to
ensure that need still exists."
i
,
a
l
The EGDGs are accessible through Doors D-201 and D-207. Door D-201 leads from
j
the protected area through the EGDG area. Access is controlled by a cardreader
system. Door D-201 is located on the opposite side of the EGDG area. This door is
neither locked or alarmed because access is gained through the Auxiliary Building,
'
which is controlled by a cardreader system. This vital island is approved in the
i
i
licensee's PSP.
i
c.
Conclusion
4
P
l
The licensee was in compliance with the PSP with respect to fitness for duty,
i
personnel access authorization, criminal history checks, and access control of vital
j
areas. The licensee appropriately recorded the suspected tampering event in the
i
Safeguards Event Log, as required by 10 CFR 73.71, " Reporting of Safeguards
l
Events," Appendix G.
i
Personnel access to the EGDGs was controlled in accordance to the licensee's PSP
l
and applicable procedures.
!
.
l
INSPECTION PROCEDURES USED
!
l
IP 37551:
On Sight Engineering Review
{
IP 61726:
Surveillance Observations
'
!'
IP 62707:
Maintenance Observation
i
IP 71707:
Plant Operations
IP 71750:
Plant Support Activities
,
i
IP 81601:
Safeguards Contingency Plan Implementation Review
]
IP 81700:
Physica! Security Program for Power Reactors
IP 92901:
Followup - Plant Operations
j
IP 92902:
Followup Maintenance and Surveillance
!
l
., .
.,
.
.
.
- - .
-
.
. _ - - -
-
-
.-
- - . - .
_
. - -
.__-
. . - - . . - - _
_-
- - - . _ . ._- -_
._.
.
.
.
]
'
11
X1
Exit Meeting Summary
!
The inspection Scope and findings were summarized to licensee management at the
conclusion of the inspection on October 9,1996. The inspectors described the areas
inspected and discussed the inspection results. The inspectors discussed the limited
documentation in the licensee's report. The licensee acknowledged the inspectors'
comments and noted that the report would be supplemented appropriately. Proprietary
information is not contained in this report. Dissenting comments were not received from the
licensee. Subsequent to the inspection, the licensee modified the investigation report, which
,
$
was reviewed by the inspectors.
PARTIAL LIST OF PERSONS CONTACTED
.
Licensee
P. Beard, Senior Vice President Nuclear Operations
j
G. Boldt, Vice President, Nuclear Production
j
J. Campbell, Assistant Security Manager
J. Carter, Corporate Security
l1
R. Davis, Assistant Plant Director, Operations and Chemistry
j
A. Glenn, Corporate Counsel
.
B. Gutherman, Manager, Nuclear Licensing
!
G. Halnon, Assistant Director, Nuclear Operations Site Support
B. Hickle, Director, Nuclear Plant Operations
j
L. Kelly, Director, Nuclear Operations Site Support
D. Kurtz, Senior Nuclear Staff Specialist
P. McKee, Director, Quality Programs
R. McLaughlin, Nuclear Regulatory Specialist
J. Pelham, Corporate Security
J. Terry, Manager, Nuclear Plant Technical Support
D. Watson, Manager Nuclear Security
NRC
i
R. Butcher, Senior Resident inspector
l
l
Other licensee employees contacted included Operations, Engineering, Licensing, and
maintenance personnel.
]
I
.
4
,
4
,
._
~ " ~ '
,. .. . _ -
.
..
.
.
l
?
-
l
.
12
LIST OF ACRONYMS USED
CR
Condition Report
Control Rod Drive
EGDG
Federal Bureau of Investigation
IN
information Notice
l
NPWO
Nuclear Plant Work Order
I
NRC
Nuclear Regulatory Commission
Nuclear Reactor Regulation
l
NSOC
Nuclear Security Operations Center
i
'
PR
Problem Report
'
'
PRRT
Problem Report fw new Team
Physical Security Plan
REA
Request for Engineering Assistance
Security Procedure
Senior Reactor Operator
Unusual Event
WI
Work Instruction
Work Request
l
l
l
i
l
e
i
, . . . -
_ _ . _
-
,
l
i
l
CHRONOLOGICAL SEQUENCE OF EVENTS
'
1
l
DATE
TIME
EVENT
!
.
8/10/94
- WR NU 0321409 issued, EGDG 1A fan gear drive lube oil strainer cleaned and
!
re-installed August 16,1994, attempt to clean gear box delayed until
September outage
l
8/23/94
- WR NU 0321632 issued because of low oil pressure, flushed and attempted to
clean gear box, strainer cleaned and re-installed September 13,1994
i
9/14/94
- WR NU 032119 was issued because of low pressure after flushing and
attempted cleaning of the tube oil gear Box - strainer cleaned and re-installed
September 22,1994
1
l
4/28/95
- WR NU 0327782 issued documenting low pressure (still above administrative
l
limit) and dirt / foreign material in gear box - gear drive assembly replaced
j
April 2,1996, in 1996 Refueling Outage
!
2/29/96
- Because of problems with oil pressure, EGDG 1A fan right angle gear drive
assembly replaced, including gear box lube oil strainer assembly which was
part of gear drive assembly
3/18/96
- WR NU 0334062 issued because of low gear drive lube oil pressure - strainer
removed, cleaned, and re-installed March 18,1996
4/02/96
- Gear box assembly replaced in 1996 refueling outage
l
5/16/96
- WR NU 0335432 documented low gear drive lube oil pressure and strainer
j
screen completely clogged - cleaned and re-installed June 12,1996
,
9/11/96
- WR NU 0337661 issued documenting need to clean strainer because oflow
I
lube oil pressure during monthly surveillance, screen cleaned and re-installed
September 12,1996
'
9/14/96
- WR NU 0337742 issued to remove strainer, compare mesh size with proper
l
mesh size and install new strainer
9/15/96
- Determination had been made that 20-mesh screen was needed for lube oil
strainer screen, removed existing 40-mesh screen from strainer assembly,
cleaned, measured screen (for purpose of obtaining 20-mesh), photographed,
and re-installed
'
}
9/17/96
- Mechanic noted deformation of screen during performance of maintenance
.
1
Attachment A
.
_
_
- _ _ _ _ _ _
_
_ . _ . _ _ _ _
. - _ - . -
_ _ _ _ _ _ _ _ _ _
_ __
.
__
__
'
'
.
.
2
DATE
TIME
EVENT
9/18/96
-
Decided to replace strainer assembly with new assembly, which
contained 20-mesh screen since 20-mesh screen to fit existing filter
housing was not available
9/19/96
0215 Started hanging clearance on 1A EGDG for replacement of gear drive
lube oil strainer assembly
Nuclear Shift Manager reported that mechanics had found a penny
-
lodged in the removed strainer assembly at the inlet to the strainer
screen. An inspection was made by the NMS, Engineering and
Mechanical Supervisor.
0455 Security notified of event
0510 Security was notified and an Usual Event (UE) was declared
0514 Security Emergency declared
0525 Security Officer posted at D-201
0527 NRC notified of UE
0555 Security Officer posted at D-207
I
0615 PR 96-0386 issued to document potential tampering with 1A EGDG fan
{
gear drive lube oil strainer
0830 Detailed walkdown inspection 1 ADG by Operations, Engineering,
Security, and NRC Resident inspector
0915 Random patrol initiated.
0950 Completed detailed inspection of 1 A EGDG room, including inspection
of exhaust system for the Hot Machine Shop roof - also completed
inspection of core cooling systems for tampering
i
1555 Complete valve line up verified for all systems associated with 1 A
i
EGDG
1944 Operations completed comprehensive inspection for tampering of
,
essentially all site areas, including intake Structure
9/20/96
0221 Monthly Functional Test of 1 A P.sDG completed
4
Attachment A
,
i
I
i
_
_
. _ _ _ .. _ -
._.
_ . _ - -
_ _ _ . _ _
-
.
.
_ _ _ _
_.
._
_
'
.
3
DATE
TIME
EVENT
0900 1 A EGDG declared operable except for issue with dieselloading during
design basis accidents
1100 1B EGDG removed from service for inspection of gear drive tube oil
strainer
1818 Completed comprehensive inspection of 18 EGDG for potential
tampering
2131 Monthly functional test of 1B EGDG completed
9/21/96
0100 Engineering system inspections complete
0255 1B EGDG declared operable except for issue with dieselloading during
design basis accidents
0300 Wi-100 walkdown inspections of plant equipment completed, exited UE
after determining there was no ongoing security compromises
0305 Security steps down from a Security Emergency to a Security Alert
,
0323 Security Officers posted at D-201 and D-207 removed
10/3/96
0900 Independent investigation of possible tampering instances complete and
report issued
!
I
i
i
1
!
l
Attachment A
,
1
_ . _ .
.
__
.
_ _ .
.
.
l
l
LIST OF LICENSEE DOCUMENTS REVIEWED
PR 96-0386, Revision 1
EM-202, Emergency implementing Procedure, " Duties of the Emergency Coordinator,"
Revision 54, dated July 29,1996
.
)
l
Shift Supervisor's Log of September 19,1996,1100-2300
,
Security incident Report 10541, dated September 19,1996
Wl-100, Revision 3, " Security Event Recovery Guidelines," dated September 21,1996
,
l
Safeguards Coatingency Plan, Revision 4
Physical Security Plan, Revision 6-13
Security Procedure SS-206, " Security Safeguards Contingency Events," Revision 7, dated
June 12,1996
Report of Independent Investigation Team Conceming Possible Instances of Tampering
Work Requests NU 0321409, NU 0321632, NU 032119, NU 0327782, NU 0334062,
NU 335432, NU 0337661, and NU 0337742 for work related to the 1 A EGDG cooling fan
,
l
gear Box Lube Oil strainer
I
,
Operability Concem Resolution EG-96-EGDG-1A/1B, Revision 2, EGDG-1A/1B Gearbox
'
Pump Discharge Pressure
Request for Engineering Assistance (REA) 960902 dated September 20,1996
D. O. James Gear drive Service Manual
D. O. James Drawing H-72578, Change C, increaser Drive Size NO.-CH-1000VHB
i
Operations and Engineering Documentation of Plant Walkdown Inspections
l
All Problems Reports issued in 1996 were screened, selected reports reviewed in detail
l
Licensee Unusual Event initiation and Recovery Documentation
l
.
-
.
l
ATTACHMENT B
i
__
. _ . _ . _ _ . . _ . . _ .
- . .
_ -_
_
_
.
INFORMATION PROVIDED TO LICENSEE BY NRC ON SEPTEMBER 19,1996
!
(1)
NRC IN 83-27
i
(2)
NRC Intemal memo dated December 12,1985
1
(3;
NRC Intemal memo dated July 14,1982
'
(4)
Draft Document 89-XX, Guidelines For Assessing Indications of
Equipment Tempering / Sabotage
,
t
t
1
I
f
ATI'ACEMENT C
. - , . _ _ . _ _ _
_ -
. ~ _ , _ - - - .
_ _ -
_
. . . . - . . _ .
_ _ _ .
.- . . . . -
. - _ - .
rROM HRC 1;31
M.&e.& W
1 h 27
M2
,
'
1
S$1N5 No.is 68 E
e
l
IN 83 27 ;
.
~
-
UNITED STATES
i
ammme
NJCLEAR RERILATORY C(NGISSION
.-
!
0FFICT OF INSPECTION AND ENFORCEMENT
}
WASHI!ETON, D.C.
20655
'
f
May 4, 1983
IE INFORMATION NOTICE NO. 33-E7: OPERATIONAL RESPONSE TO EV
.
'
1ELIBERATE ACTS DIRECTED AGAINST PLANT
j
EUIPMENT
i
Addressees:
All nuclear reactor factlinies nolding an operating license (0L) or construction
3
j
permit (CP).
!
Durcose:
i
This information retica 's icr:vtene as a notificatten of events wnien may nave
- nvolvec celiberate acts cirectaa against clant sou1cment ano a lack of station
j
mrocecures concerning response cy cceratir.g personnel.
It is expected that
t
- ecipients will review the {inferrarion for applicapility to their station
i
procecures.
No specific action er response is reautred at tnis time.
I
Descriotien of Circumstances:
!
W
A review of recent operati g reactcr events indicates that some improper valve
positioning and %strument tion irregularities may nave involveo deliberate
-
j
acts directed against :' ant eauionant in vital areas.
The following is a brief
acccunt of these events.
l
a
l
At tne 'irst facility, during routine operation, the Control Room Operator
receivec a steam generator lfeenwasar ;umo (SGFP) hign vibration alarm.- Subse-
j
quently the SGFP tripped and the operator immediately reduced turbine load
l
to prevent the unit from t1'ipptng.
The instrument valves on the low vacuum
~
.
i
trip sensing line located outside vital areas were apparently caliberately
{
recesitioned resulting in the pump trip.
The licensee concluded that this
.
deliberate act eculd have biten a result of a labor dispute.
!
!
At the second facility du ng a routine operator tour at approximatel
1:00
!
a.m.
a manual valve wa,s f ne shut in the common suction piping to th high
!
head safety injection (HHSI) Temps.
The valve was insnediately reopen
.. This
valve. which is checked by operaturs each shift, had been verified open at
about 4:30 p.m. the previous day.
- he chain and oaaleck which secured this
!
valve in tne open cosition wm missing.
additionally, On the previous day the
j
manual suction isolation valves of tne three auxiliary feec-water pumps had been
j
found unenained ano unlecxen in violation of technical specifications require-
ments. These valves were f svne m tnetr normally open position.
The motive
'
1
tentne tne actions was not proven, :ut the actions resultea in the rHSI system
l
being inoperable.
-
av
1
-Ste3044030
I
i
- '
1
.
.
-.
.
..
l
_ _ _ . - _ _ _ _ _ .
______ _ .
,
e3.se.1990
erste
Pt 3
f
!,
.
e
A
I
T*
4,legt:
P
E of t
j
These events,' and events
at other plants, demonstrate that the potential f
I
'
.
j
deliberate acts directen kgsinst plant equipment must be recogn
.
two above events the licensees were not totally prepared for opera
or-
i
In the
followuo actions.
.
i
Other p fconsees may or may not be prepared to assess
onal
situation and take necessary stsas to assure operability of
to safety or make decisions concerning continued operation
,
i
deliberste and inaavertemt acts with respe
!
Gutdelines er-
.
available.
e
k
system (s)) mata power supply.The guidelin
j
!
ce
- n addition interrelated systems should be
inspected and selected safety-relatee electrical panels and cab
the plant and in the contkl roce, may require a detailed inspection
,
,
n
additional tampering is detectee, the licensee snould be orepare
If
t
cecisien on wnether er rett :entinueo ecerstion is justifiac and wn
.
}
'
systems necessary f:
a safe trut:cwn are operaole.
i
1
Coeratt:nal ano security crosecures to cope with raciologica
i
Appencix C ot Part 73. threats to ssfaty must be develooen in acc
j
Th6 potenttal impact of any deliberate act dilutedand
.
against plant equipment nsst be evaluated, ano actions taken to mitig
i
anticipated safety censequences.
1
'
W
I
!
No written response to thig notice is required.
!
appropriate NRC Regional Offite Or this cffice.regarding thi
)
'
l
\\
J
,
e:
wa
voraan, Of rector
.
Divisi
n of Emergency Preparenness
and Engineering Response
Office of Inspection and Enforcasent
Tecnnical Contact:
Paul R. Farren. IE
(301) . M2-4756
Attaenirent:
l
List cf Recently Issueo II Information Notices
,
,
/
I
,
,_
...tNDees
' ~~
. roon wac :.ot
so.te.tsss 17:32
Pr 2
,
,
.
r
.
.
December 12. 1985
<
l
MEX0RANDUM FOR:
D1861 Staff
TROH1
A. E; Chaffee. Chief
Rosesor Projects Branch
l
ENCLOSURE:
1
Menotandum from ED Jordan to Brian Grimes entitled
" Plait Systems checkout Following Suspected Sabotage
SUBJECT!
POTENTIAL SABOTAGE GUIDANCE TOR TOLLCW-UP
!
Enclosure 1providesguidanceforNRCandlicensesactionswhenpotaattal
sabotage has been identified. This guidance is provided for your revietr and
F1sase also review the licensea's program for dealing with potsatial
use.
sabotage from an operations standpoint.
Enclosure 1 is a good guide to use
in evaluating the licensee's program.
You will note that this sutdanse is
not included in any forssi document.
Pisase find a method to file this
document so it is availaWie when needed.
I
l
\\
$d
A. E. Cha fee, Chief
Reactor Projects Branch
1
h
!
!
!
I
i.
O
!
'
,
,
!
i
l
l
t
I
.* ROM MRC 1.01
.
-.
00.14 1990 17832
Pt 3
m
,
,
,
.
.
.
.n
ser e
asses
ec-spsfAeleNat
meer
est-
. /. g m. - .s
g
,
/
A
.
unatts stAtst
'
J*~
,
suct. Annsout.Aronycomms son
t
.
amsuu.evow, s.a.amas
. Mst. W 1
i
gg '
- , w.
,
,
-
,
l
JUL 14 W
e q,
w
I
-
!
-
.
MtHORANDUM FORr
tria m K. 4rtues. Director, Otvision of Emergency
Properednaus,IE.
FA0Nt
,
Edward L. Jessian. Dtrector. 01vis1on of Engineeri
,
,
.
and Quality Assurance. IE
.
tutJECT:
i
.
PLANT SYSTEMS CHECKOUT FOLLOWING SU
,
ne enclossa, procendre provtales guidance for actions
instancas of suspected astbtage.
i
.
We request that you enke this guidance
t
'
available to tE Hanage' ment on-call and the IE Operations C
l
We are issuing the precedure as a Tamecrary Instruction for u
,
enal
_0ffices.
i
,
.I
.
'
,
o
-
- .
p
2
M L.
FreTan, otrector
,
'
Divisto
f Engineering and
Quant
.
Ataurence, It
.Enclosuret
Precoeure forIAssessing
Ingicated Sabotage
.
,h0'
n
ec/w enclosures
1.11_ e
W {_,N >n 4 460.. :
-
W. J. Direks, E00
_
'
N. R. Denton, NAR
t
.g.
'
J. S. Davis, MNS$
W
- - - - -
T
l
' hQ
.
,
k. C. DeYoun
gi'
O,
J.L.81ths,gIE
.
2
R. C. Ha
At
J. P. O'ynesRet1Iy
i
.
J. G. Xeppler , A!!
.
i
J. T. Con tas,, AIII
l
,
-
A!V
.
'
R. H. Engelken. AV
i.
J. M. Taylor. IE
,
,
J. Partlow, IE
.
'
.
-
i
.e
.
/)
.
i
-
.
.
.
.
_._.._ _._..._ _ _-_-_.__ _ ____ _ _
.,,en n,c 13 3
so. s e. a no t D s*
US
,
,
. . '
.
engems
14:33
>no easta ss M et
He.eBL
seg.--
e
e
.
.
,
.
.
_
.
i
PROCEDURE FOR ASSESSINE $10NIFICANCE OF
t
INDICATION OF SABOTAGE PRIOR TO CONTINUED OPERATION
.
.
'
s
i
.
IKTR09VCH$
.
.
,
In view of recent events involving indkcation of potentia) sabotagg at the
Sales and Ironswick facilitt e, a procedum has been prepared for use in future
instances of this kind.
sabotaos has been committed purpose of the pacedure is to'deterutne if
as to check out the plant to ensure cent sped saft
condit' ens. The procedure 1
intended to provide guidance for' IE. both operations
centd> evty officer and mens amant-on-ce11, and regional personnel involved
,
with P6sponse to such events ,
'
t
QBJECTIVE
i
'
The primary objective in' des Hne with an event inetcative of potential pabotage
is to ensure continued safe facility conditions.
or intentionally.. initiated. J
When an event occurs :seettently
of the ennt ano the correct 9udgments must. be made regardine potential,tensecuenses
ve actions to be taken to eliminate the init$sttag
conditions and minimise the consequences.
~
M
.
After potential or actual sabotage has been identified, it is necessary te Gather
sufficient fsets to enable 'aiclear understanding of the significance of the
i
identified sabotsge. Gaining such understanding is the first action to be taken
1
in responding to the identif' ed sabotage.
Infomation that may assist in this
first action is mferred to ' n.iten A below. With an understanding of the
identified sabotage, it is ttlen appropriate to establish an initia'.pri6ritised
search of the associated or suspect systems. The resulting information is then
the basis for deteminin
plant is checked (i.e.. g sudseevent action. Clearly.the extent to which the
-
1,ndications of further sabotdge foune during the checkout. items 5 ans C er C be
.
A.
Sabotaos Event Evaluatiin
-
'
.
-
\\
-
The enclosure to the mes'erandum dated November 6
.
1981 to Coonissioner
l
Breeford from W. Direks consists of 1.precedure Yer this evaluation.
~A
l
copy is encloses.
It is to be used for general guidance on implementetien
I
of this precedure.
-
3. , Overell Inspection of Plant
.
.
As set forth on page 3 cf the enclosed Sabotage Event Evaluation." the
'
conduct 'of search and eevipment chaos should include a check of the
i
I
overall plant and'than a system by system inspection, as appropriate.
a
The overall plant and system by system listings reflects a "hanas-on"
approach that would enaule an inspector to verify the licensee's
.'
.
.
.
.
.
.
%e
.,,,, n e
- ,3
_ _ .
._
,
n. :.. a ns in 35
e.- :
..
i
.
,
senses
twee
gusinsTMsstas.
No.ent
ass -
,
.
-
.
,
,
.
.
.
.
,,
'
-
.
. . . . . ,
-t.
.
.
'
,
.
action in checking out a nuclear power plant in instances of suspected
'
.
sabotage. T4 repeat 1 t is the licenses
ismadethattheISARwouldbeavailableftnot tdLC, tha
plant. The assumptio,nI
overall guidance to pla
5pecifications would ba nt system requirements and that the plant "eehntest
operation or matart.
t satisfied before justificatten of continued
,
.
.
-
Prior to a. systems chet
broad brush inspection hout based on the listing in itsee C and 0 b
Niaspection should be largely by visunt neans and consist
Ms
.
chtegories. , These aref
1.
control room insp tion,
.
.
2.
plant structures inspection.
5.
piping.and valve usikdown,and
,
4.
electrical power i ntegrity confinnstion.
'
'
This broad inspection should be initially performed to spot any nm,ior
abnormality such as a damaged pipeline or a planted explosive.
It should
'
not be progreasses to detect all potentially faulted systems.
'
In the control room, v'1
,
and ins 16e cabinets wit"1ual inspection should be made of all panels. boards'
) an eye to spotting any obvious fault. One should
be alert to spotting julapers, and certainly to any strange " packages."
In the visual checkout af plant structures, the agne generet attitude
should be appropriate.
Look for abnormalities and foreign materiais. This
category should include the emin plant buildings, that is, containment,
reactor building. turbi ne building anc of course, the intake structure or
connection to ultimate
-
heat sink.
.
The piping ana valve wa kdown should use the sans merspective.
It sheeld
.
.
not seek to distinguish between system piping whics is safety-gradp and
that.which is net. Thin inspection should simply consist of a toutine
' patrol of all accesstb1$ piping runs being alert to the more obvious type
of f4uiting.
For example, one should be ennected to be ehle to "ftne" a
cut chain of a " Chain and padlocked" valve aandie. On the other
, one
should not expect to confirm yalve E*1gnment during this initial c
k'.
-
Fina11ya the initial che ek of the electrical system should be made with.the
,
.
sans general approach.
It should seek to verify that the vital power
supplies were not " altered" in a significant way. * The purpose of this
chect.should be to make sure it was safe to turn power on for further
systems checking.
,
-
.
.
'
When preliminary determi nation.cf sabotage has been made and further
.
.
investigation indicates that specific systems might be affected. It any
.
-
be necessary to perform a complete walkdown of ce,rtain systems, checkthe
'
seminar-
E"'5Eur" i
.
. _ _ .
_ . _ _ _ _ _ . _
. _ _ . . _
_ _ . . _ -
. . _ _ _ _ . _ _ _ _ _ _ _ _ _ .._.. _._. ..__.-___
-
l
. raon unc 1:01
,
,
es.ts.in8 th 37
N 8'
t
-
~
.
.
-
,
.
.
.
4
!
!
ese
to 31
M>SWT4EsT-Ws
MLM
W4 """"""'""'" '
,
..
l
'
'
'
9
i
i
.
.-
i
t
.
.
i
-
.
-
4
-
,
I
.'s .
.
.
j
411 actassible manual ed motor operated valve positions, circuit brecher
'
and electrical switch:i mattions,etc.
Attual system welkdowns sett
-
especially pertinent wth respect to standby systems whose operett
cannot be eempletely deonstrated during normal plant opentions. lity
in high radiation arsag any be required deoending on detailed
j
chisets
i
Al.AAA consideration. consideration of the evidence of sanosage In these
l
.
'
,
lihen evidence of sabotge is found and specific camponents and systems
-
.
,
8 & e identified, conside
ration of the consequences of corrective attiene
,
should be taken. A tho
corrective actions shedd be made and esntingency plans to add
,
responses should be determines prior to taking corrective actions.
beteiled examination of systems including those associated with the
identified sabotage may be necessary to establish the basis for centinued
operation.*
applicable. 'The systees to be examined are listed in item C or 0'as
-
Followine guen a checkout. It then would be appropriote.to
confim systems opera 6
Specification requiremehity throughout the plant using the Tecmital
nts as the measure of safe operability. This
conformance with Technisal Spectfication requirements represents the
overall criteria on which decisions may be made rega'reing changing the
ande of reactor operations.
'
C.
BWR'Tiant Systems
'
,
1..
Reactor Systea
' "
Vessel - chesk for obvious abnorinal conditten '
s .-
'
h.
Yessel teve)11nstrumentation - concensinq chamoers, piping, dp
racks wir g
.
~
1.
Reactor Recirculation System
'
.
.e .
Piping
b.
Yalves. disds e and suction
.
C.
Motor. pump. '
controls
.
'd.
Ptwer supply 15 Est. cables, modules, breakers
-
.
t.
Control cabiasts. wiring, boards, breakers
-
. . .
i
-
,
-
.
,
.
.
.
t
-
.
,
- .t *
- "
l
.
,
"If the plans is operating.3entinued operation should and must be permitted
untii sufficient chacr.s hem Dean mace to assure that the plant can be shut
down safely.
.*
'
l
.
- *
-
.
,
, , _- , ;--- - -
M:
.
_
. . _ _ _ _ . _ _ _ _ . - - .
- --
-
-
- -
Fegn zac 1.01
-
,
08 14.1996
17:39
Pr r
,
..
..
.
.
.
wramas
twiud
e.s a se M asui ad
tea,nast
M-
-
.
.
.
,
,
'.
'
-
.
,
...
- * *
.-
,
-4-
,
.
.
<
3.
Centrol Red Drive Hydraulic System
'
-
MCUs (Hydrashic Contrel (Nits), directional control valves.
s.
1 solation alves, asram valves
b.
Piping throu heut HCus, SDV (Stram Discharge
Centrol circo1try - embles. '!V Level switches, Volum
80V drain an vant valves
'
c.
d.
bea
e.
Air supply - pip 9ngaosvaI'ves,rdecontrols, pilot valves
w.:
'
,
'
4'. -
$$andby Liquid Control system
I
a.
ELC tank. level, piping
D.
Pumos ane meters, power supplies, controls
c.
Vaives. squit.1 solation
d.
Control etrevitry, penets, sabinets, cables
-
1
5.
ResiduO Heat Aemoval (AHI) System
- -
.
s.
) teat exchangers, primary side (shall); secondary side (tube)
b.
Primary side (LpC!) pumpsi-motors. piping valves, isolattan
,
valves
andvalvesi well spray piping and valves torus spray piping
dry
-
Other primary side pining and valves, i.e., shutdown' cooling.
c.
isolation gesting where a
Control circuitry, wirpi . pplicable
d.
panela, boards. Logic inte'reonnections.
Power suppl ies cost
power supplies
e.
RHR Service Cater System
.
Pumpsn motors, water supply structure
)
Piping sne valves, isolation and interconnections
iv))- Control circuitryIn iring, boards, panels
1
.
w
-
-
Power' supply, can
, breakers. cop,trols
-
g;
Core, spray system'-
.
.
a.
Pumps. motort
'
.
'
b.
piping and volves. 1 solation valves
cnock valves
-
Control ctrcottry, wiring.,panela, logic, control power
c.
d.
Power suppitos, cable 4 treakers, controis
7.'
High Pressure cool antInhectionsyntam
-
-
- ' Pump and turoine driver
m.
b.
Piping valvos
1solatism valves condensste traps
c.
Centrol circo1try, wiring. logic, control power
de
Turbine oli tystem. tartine control valvqs. speed governor
,
n.
-
.
,
.
.
.
.
.
.
l
T ~ Ne,i Ae noi
...i..i, .
i n ..
i, . .
l
-
..
.
,
'
!
,
esepus
tones
iac-enurAissr-va
HD.801
ens ,
j
'
-
i
.
,
i
.
!
'
.
.
!
..
j
5-
-
.
-
.
l
8.
Automatic Depressoritatten system
.
.
4
a.
Safety reliet valves operability
'
!
b.
Control circyttry. wiring. timer logic
!
c.
Air or pneumatic escuan1stors, air supply check valves, air
!
supply piping
.
,
=
.
,
'
9.
Retster Cors Isola tion Cooling Systeer'
'
l
,
l
A
a.
pues and turtiine driver
.
l
b.
piping valves. isointion valves. check moves, condensate tfsps
-
j
cirejitry. wiring logic
o.
Contro
l
10. Diese) Generator $ystem
i
I
j
a.
Day tanks and steente tants
Fuel oil puses. notorsIng. ping: logic
b.
pi
Centrol Ciregitry. wir
c.
-
.
Diesel air start and lube oil systems
i
./ d.
Generator protective devices and output interconnections kles
!
-
e.
electrical systmas)
.
..
,
!
11. Containment Systans
i
i
a.
prirriary containment isolation valves including M51Vs and controls
1
b.
primary cont 4tnmust inerting system pipings valves, controls.
!
tempting
,
'
!
c.
Suppression chapter water level
.
d.
Vacuum breakiers - OW to torus to reactor building
i
s.
$taneby gas tressment system operatiitty
l
f.
DW purge and vent valves contro)
!
'
j
12. Water $ystems
.
,
valves, pumps motors
!
a.
RNR service waterpipingUfapplicable), piping, valves, pumps.
!
b.
Kaargency senica water
.
$
N%N
.
.
I
c.
Intake strue bure integrity
j
d.
Reactor builiing closee cooling water. turbine building c10 sed
cooling we ter, feel pool' cooling
i
-
i
s.
Circulatsng water system
.
'
f.
Diesel generator 1:oo11eg water system
-
9. , Condensate a nd famawater system including storage tanks and
dominere11 ters
-
i
h.
Condensate.Fbeduster piping, pumps. valves
j
14
Feedvater hentets with associated pipin.g and valves
.
i
. . '
j
-
.
,
'
-
<
i
=ror eartter suas using an lisoletion condenser for this function. only the
above items (f.b.) and (9.t.) are applicebla.
.
,
I
~!
_i
s.
.--- m uur
-
.
!
!
-~
. _
- .
. . .
- - . - _ .
- _
_ . - . . - - . - . -
- _ - ~ ~ . . . -
,420M Mtc 1 01
es.14.1996
!?sen
Pi 9
.-
-
,
. . .
.
.
snakes
teses
ecarneTAseT=44
Nil. Set
egy
-
.
.
.
.
.
'
,
.
a
.
...
,
,
,
,
.
s.
-
.
.
,
.
13.
Instamentation and control Systems
4.
Renator orot6ction systes, boeres, racks
relays, complete
sentro) rami check
b.
Wutron mont<tering system including T!P piping and valves and
-
Proces. IRM,
ERM
.
s centFe interfaces *
.
-
c.
4.
intered saf ty feature controls, racks
I
for safe shutdown including control room habitabilit
e.
Other !&C - e.g., fuel poet cooling, offgas nenitoring, y system
- 4' *
f.
-
'
ete
.
,
i
14. 54ectrical systems
'
a.
DC system supply and monitoring on 125 volt and 250 volt
batteries knd chargers. switchgear and panels
b.
Vital AC seu paent including 4kv. 440 volt and 130 volt buses
and switch ear
c.
Ital motor entrol centers -
.
.
d.
no 11 hting syntes
e.
Remote s ut
control system
'
f.
Cable spreedNng room
.
1L. Compresses Air $ystem
-
s
ressors. secumulater tanks ane meters
'
Pip ng)and valves
b.-
'
Centro ci
g, wiring
,
c.
.
sc n.in tur.ine cener.cor
-
.
s.
Turbine contro) system including electrohydraulic oil system
,
,b.
pass valve l controls
c.
morator protective systems
.
.
.
D .,
PWR plant tvatams
.,1.
Reactor system
-
-
s.
Reetter pressure vessel
b.
Centrol red rive mechanism above reactor vessel
c.
Centrol and instrumentation for the reactor protection system
(RP5) and the overpressure protection system
-
'
Reactor Coolant ystem (RCS)
1.
a.
Prisery and tsecondary coolant loops pipine, valves (including
safety retief). instrumentation and contro)
b.
Reactor coolant pumps (RCPD and associated component cooling
-
including icemoonent esoltng of lube oil coolers and component
,
soolingvalvesandpipingouttocentjineentpenetration
.
- _-
.
..
-
-
.
... ... ..,
......,,,. ,,...
-.
.
s
!
-
-
.
.
.
f
- *8'
1* *
NRI>eneT4msf=4e
ND,331
ogg-
,.
.
,
,
.
.
'
j
. . .
i
.,
.y.
-
.
i
-
-
.
,
'
I
.
.
Steam generstar external dhange, including safety relief valves
e ..
d.
Pressuriner including PORV?s, associated centrol.etr (or
j
nitrogen) tupply, heater! control and hetter backup power
j
supply, and valves and piping to pressure relief tank
i
EmergencyCoreCoelingSystem(kCS)
3.
-
.
.
-
,
l
a.
Accumulatorsiand piping to. RCE vent and isolathn valves,
,
nitrogen pressure and sups)y
-
a
.
-
b.
Hign head thirging pumes, charging lines, boron injection
tanks. all;other safety injection pumps (1.a., intermediats
-
!
heta pumos:1f applicable) and relatta pittag)and valve
i
alignment (incluain manual 1se14 tion valves to ACS
Residual heat remove)g(RNR$ systems heat anchangers.
!
c.
'
pumps, valves including penval system itelation valve
.a)1gnment..and associated control circuitry wiring panels. .
interconnections, power supp)1es and control power supplies
i
d.
RNR servica water system inclucing pumps. motors, piping,
'
valves (especially system isolatten volves)
i
Refus11ng water storage tank, associated 1,sotation valvks and
s.
piping for;ECCS pump suction
i
f.
Instrument and contrei racks for the entire ECCS system
I
-
l
4
Component Cooling; System
,
!
'
'
Component cooling pumpsI heat exchangers
a.
heat exchangers, spent fuel poo) heat
exchangers water sea
.
.
b.
Special attention should go to component coo)1ng for' RCPs.
i
emergency diesel generators. ECCS pumps and associated
l
isolation valves and piping
.
.
..
j
l.
Instrumentation ene Contro)
,
,
Visual inspection and functional testing of Rps and engineering
t.
safeguardstsystems
i
.
!
b.
Visual chect'of instrument racks and wiring for RHR, auxillary
.
!
feedwater system and shutdown systems
i
c.
Prosperational testing of 5AMS, IRMS and all other power
j
level instrumenta
'
d.
Centrol room;and sust11ery room ventilation system
.
.
,
e.
Instrument control air (or nitrogen) pressure ve)ves and
piping fort safety systems
f..
Control, room: panels and cabiness
-
..
.
,
-
.
.
.
K
. . . , ,
....
'
...veo.e.
.
.
l
.'
'
-
,
.
{
,
-
-
.
..
.
,
~
. .
-
8-
'
,
i
.
6.
Waste Disposal and Radition Protection System
a.
Radiation monitors for service water discharge headers and plant
i
vents
b.
Reactor coolant drain tanks, CVCS holdup tanks. and the waste
holdup tanks, valves, piping and adiation alarms
c.
Waste gas monitor tanks, vaive line up to service water
-
,
l
system
!
d.
Gas decay tanks, analyzer tanks and niant vent valve lineup and
-
associated radiation monitors
?-
i
'
.
7.
06ntainment Systems
a.
Containment isolation valves. CVCS letdown lines, MSIVs
b.
Containment pressure relief valves, purge exhaust valves and
all other manually operated containment valves which are
i
'
. accessible
.
c.
Personnel and eouipment access hatene:
.
d.
Containment spray systems, piping, valves, instrumentation and
wiring, pumps, heat exchanger an:' recirculation system sump,
pump and controls
e.
Hydrogen reccmbiner units including the control panels and
l
power supply
.
f.
Fan coolers with safety cooling ' unctions and ice condensers
(ifapplicable)
8.'
Electrical Systems
a.
Auxiliary power system, including 4160/480 vital buses. 125 vo'it
DC control buses / battery and 120 VAC vital instrument bus
b..
Emergency diesel generator system controls, fuel oil, lube oil,
,
tanks and piping
-
c.
Cable spreading room
9.
Ha'in Steam System
.
,
a.
Associated relief valves
l
b.
Turbines include lube oil system, bypass valves and
,
l
generator protection systems
Steam generator feedpumos and val.e lineup through FW heaters-
c.
l
d.
Auxiliary feedwater system pumps 3nd r.anual isolat. ion valves
'
!
10.
Spent fuel pool and fuel handling systems (i.e.. if in refueling
outage), incluaing cooling system ano level indicatiens
11. Service water system including piping, r.ilves, pumps, and heat
.
exchangers
.
12.
Sampling system for appropriate systems including isolation valver,
-
.
. _ .
._ .__ ~
. _ _ _ ____ _ _.._ _ .__. _ _ _ _..__ _._ _ _ _ __ ___..
.- - ~ Q
f
, , _ , _ , , ,
..........
.....
.
ym
h.f
i
i
!
-
.-7.C. v.
'
"'
.
.
.:,
l
UNITED
TES'
"
Q
NUCLEAR RE
t0 MIS $10N
!
0FFICE OF N
RR[ACTORREGGLATION
WASNINGTON,D.C.
20555
'
,.
i
February Ex.198p
-
l
NRC INFORNATION NOTICE NO. 89-XX: GUIDELINES FOR ASSESSING INDICATIONS
l
OF EQUIPMENT TAMPERING /SAB0TAGE
1
j
Addressees
!
All holders of operating l icenses or can'struction permits for nuclear power
j
reactors.
)
Purposes
!
This information notice in being provided to assist addressess in planning
for events involving indication of possible sabotage.
If such an event
-_
"o~ccurs, whether accidentally or intentionally initiated, judgments must be
~
!
!
made regarding potential consequences of the event and the corrective actions
i
necessary to eliminate tha initiating conditions and minimize the consequences.
i
It is expected that reciplents will review the information for applictbility
to their facilities.
Howitver, suggestions contained in this information notice
j
do not constitute NRC requirements; therefore, no specific action or written
l
response is required.
l
'
Descriotion of_Cfrcumstan$es:
)
Nuclear ' power reactor Ife ensees personnel have identified several instances of
equipment tampering, for example, misaligned breakers or valves, cut wires or
cables,iquids in reservoiof foreign objects in a piece of machinery or contamin-
or the placement
ating l
rs or tanks.
!
i
Discussion
l
In determining what actions are appropriate following an indication of. sabotage
the governing principle is to avoid undue
or tampering at a nucleari power plant, In implementsng th
1
risk to the public health, and safety.
all per-
i
tinent factors must be carefully examinbd to determine whether the con
'
resulted from an accident l or from a deliberate act of vandalism, malicious mis-
udred to be an attem>ted act of radiological sabotage $e
chief, or sabotage.
If
and tis possibility of other acts by t
factors such as sophisti at'on, intent
samepersonmustbeconsdared,aswellastheeventhistoryoftheplant.
In formulating any respor se action, tho'Itcensee should consider notential
safety consequences of st ch actions and the condition of the plant.
Before
the licensee should
operating status of the facilityItigating or com-
making any change in the
a change and its potential for m
consider the basis for tt
pounding the situation.
As a general rule, the public health and safety are
probably best served by i nitially maintaining a stable mode of plant operation
as the trans4ents caused by changes in plant status could contribute to a
Q
reduction in plant safety.
In addition, contingency plans and other measures
need to be Initiated to torrect the cotidition and prevent further acts while
the facts of the matter tre being fullf, assessed.
.
F F'O M H2C 1103
ca.14.t934
1tser
r4
1
IN xx
Page E of 11.:
%d
Because each plant situation is unique, Jiard and fast rules for dealing with
attempted sabotage do not seem practical.
However, some general * guidelines
appear appropriate in inost circumstances.
-
I
A.
Evaluation of a Tamoering/ Sabotage Event
After potential or a tual sabota
tampering has been identified, it is
necessary to gather
ufficien
acts o permit a clear understanding of the
significance of the ' dentified s
age or tampering.
Some of the factors that should be cons.idered in gathering this information
are as followas
The event may prevent a safety system from performing its intended
function.
The event may prevent a system designed to preve'nt 6r mitigate the
.-
consequence of talfunction from performing its intended function,
resulting in a iossible release of radioactive material.
The event may cause a safety system failure only if multiple other
'
events occur.
The event may p revent a system designed to support a safety system,
"
from performing its intended function.
,
There are no ' apparent safety implications.
Three factors should,be censidered in determining the probability of a
malevolent act, as opposed to an accidental occurrence:
'
1
1.
OVERTNESS - Sometimes by the act itself, it is obvious that an act
of sabotage has been perpstratedt but more often than not the cause
of an event isjnot obvious.
The cause could be misaligned valves, for
1
example.
In such cases, the following criteria should be used in
determinine whether sabotage occurred.
Physical hvidence clearly related to the event, for example, the
a.
lock to aivalve is cut and the velve misaligned; or the actuator
to the mo or control valve is shorted.
b.
physical evidence tangentially related to the event, for example,
the door yo the vital areas (VA) is forced open and the valve is
misaligned.
%n
.
-..
.-
. ._
-
..
..
.
.-
.
..
-
- - - -
4--
- - . . . .
-......,,. .....
,
, , , ,
l-
! W.po
-
,
l
.
Ill-xx
'
'
!
Pege 3 of*1t
.
I h
c.
Circumstant ial evidence clearly related to the event for exemple,
j
the lock andchainaremi,ssingandthevalveismisaligned.
1
'
tal evidence t'angentially related to the event, fbe
d.
Circumstant
example, tte key to the VA door is missing and the valve is
'
misaligned,
.
i
.
e.
No evidence of deliberate manipulation of equipment.
l
l
2.
INTD T - Some iflferences conce'rning the intent of the adversary can
i
be drawn from asialyzing the safety significance and the overtness of
the act.
In addition, intent 'can be determined by other means, the
j
most obvious being a comunicated threat.
i
-
a.
A comuniented threat is received before the event.
l
.
.-
.
!
b.
A comunicated threat is received, and circumstantial evidence -
--
i
relating ts the event exists.
,
!
c.
A comunicated threat is received, but no other evidence
l
(physical or circumstantial) exists.
No event occurs.
l
d.
No comuni :sted threat it received.
f
3.
HISTDRY - The historical significance of an event should'be evaluated
l
using the following criteria:
l
a.
History ofl recent similar events escalating in safety
j
significance.
I
b.
History of random events with no escalation in safety significance.
'
c.
History of vandalism relating to labor / management problems.
,
d.
No previou s events.
!
An analysis of the above factors may lead to a conclusion about whether the act
I
was willful or accidental.
When overtness is judged to be low, and history is
i
found to bs low, the everit may be less .likely to involve sabotage.
If the
i
evidence is not conclusive or if the event is determined to be accidental, the
i
appropriate corrective as tion to preven't recurrence and to mitigate the con-
sequences should be takeri.
'
If the event is cetermined to be an act of sabotage or, after evaluation of
the previous factors sabotare cannot be ruled out, a judgment must be made
regarding the level of soph <stication of the event and the consequences intended
by the adversary.
Some 'nferences regarding the adversary's capability can be
drawn from the safety significance of the target.
If the adversary's capability
is evaluated as being hi6h, the potential to do significant damage is great
L
therefore, the leval of. sophistication of the event is a critica
element in
V
the decision.
Evaluation of the following factors may provide some insight
regarding the level of sophistication.
.
DRAl=T
.
-
..
...
_
.
. . . . . . - - ....
..........
.....
.
_
I
V CJ
-^
.Mk
m.xx
- me : -
.
Page 4 ofit: 3;
-
4.
LeveI_of_ Sophistication
-
.
'
a.
Target selection and timihg clearly deecnstrate en intention to-
cause conseq'uences to the public health and safety. A high degree-
of knowledge of the plant and the sabotage scholas desenstrate's
most advantageous locatio) of explosives or installation
highlevelhfprofessiona capabilities (expertemploymentand-
n
jumper that wouldnullifythesafetyfunctionofavitalcomponent).
b.
Evidence ir dicates an int'ention to cause consequences to'the public
health and safety and a sophisticated sabotage method s used but
target sole etion and timing demonstrate limited plant nowledge.
,
c.
Target seteetion and timing indicate poor knowledge of plants a
'
crude sabotage method is used.
'
--
After consideration of the above fa'ctors, a response liction should be taken
that is comensurate with the potential safety consequence of the act and
the sophistication Itvel of the adversary.
The following is a list of
possible response acitons; one or more of these measures may be needed:
Contact the FE _.to request their assistance in investigating the
incident and provide technical assistance to the FBI as requested.
Ensure that effective coordination and comunication exhts between
plant operationn and securfty personnel during the FBI investigation.
Identify which tampered / sabotaged equipment has had recent maintenance
performed and who performed it.
Identify by computer check (if feasible) the personnel who had recent
1
'
access to the a-eas in which tampering / sabotage occurred.
,
Increase security measures for areas of concern to include additional
access controls and increase vital area patrols for the rest of the
plant until the investigation is completed and the perpetrator removed.
Des 1gnate a senior manager as the point of 6 }to assist and coo
support and resnond to inquiries pertaining to the investigation.
Review recent p ersonnel problems or issues for indications of dis-
gruntlement.
Initiate accele rated functional testing.
Establish limited two-man rulb for area in which event occurred.
~ Establish tota two-man rule for all vital areas in the plant.
Consider contr lled shutdown.
I
'
[
..
.....
-
,
i
MYfT
l
IN-xx
,
!
Page 4 of it
-
t
i
technical speciflications and operating procedure
.
i
'
for example
oneoperatingafstemtothenext, ensure availability of requirsk
i
Withanunderstandin'oftheident1Itedsabotage,itisthenappro
.
i
establish an initial
!
resultin
earch of the associated or suspect systems.
action. g informatib
The
Clearly
then will be the basis for determining subse
i
andCorDbelow)dep'endsonjudgmehtregardingind
!
items 8
i
sabotage found during the checkout.
i
8.
Overall Inspection of Plant
'
<
.
As set forth in item
f search anceauipment check should include a cA, " Ev
i
.-
.cond
j
-- ['5vera11 p an , and thdn a system-by . system inspectf5
the
1
appropriate.
i
-
The overall plant anc
system-by-system itstings reflects a " hands-on"
approach in checking ]out a nuclear sower plant in instances of suspected
i
sabotage.
The assumption is made taat the plant technical specifications
l
would be satisfied be fore justification of continued operation or restart.
.
!
a broad inspection of theBefore a system's cht
ekout based on the listing in items C and D below
(
d
lent should be made by the licensee.
-
inspection should be
large y visual and consist of the following four
,
This
j
main categories:
1
1
1.
Control room inspection
{
2.
!
Plant structures inspection
3.
. Piping and valve welkdown inspection
l
4
i
Confirmation of electrical power integrity
.
,
This broad inspectico should be initially performed to spot any ae
,
i
abnormality such as 4 damaged pipeline er.a planted explosive.
!
not be progranmed to detect all potentially faulted systems.
It should
i
In the ebntrol room
ould be made of all panels, boards, and
visual inspection sh
to s et try obvious
,
'su lt.
j
shou d be spotted.
Unauthorized jumpers and any strange " package
I
,
In the visual checko
!
be appropriate. Abnat of plant structures, the same general attitude should
lude the main plant buildings, that is>rmelities
i
l
Plant structures inc
j
the reactor building , the auxiliary building, the turbine buildinthe containment
course the intake st ructure or connection to ultimate heat sink. g, and of ,
i
i,
V
4
1
.
.
I
'
-
1) MAW
..._
'.
~%. a . =. . . . . . . . .
.
___
M ,.
.
~
-.----
-..-- - .--
- . - . .
. - - - .
_ -
_ - - - -
raen an6 a19
j
.
0 .14.1996
18802
l
0$f
~
g , , p,
y
'
'
~
-
..
.
Ill.au
l
Pope.5 of it
j
bad
'
The piping and valve walkdown inspe(t seek to distinguish
,
tion should involve the same par.
j
spective. This inspection should no
i
grade and nonsafety gradesystempiping.
This inspection should simply
1
consist of a routine patrol of all 4ccessible piping rues in which tie
j
inspector is alert to the more obvidus type of faulting. For example
i
the inspector should be able to " find" a cut chain of a " chained and .
i
padlocked" valve hand le.
On the other hand the insoector should not
l
expect to confirm valvealignanntduringthIsinitialcheck.
'
j
Finally, the initial : heck of the e'ectrical system should be made with
thesamegeneralapgrosch.
It shou d seek to verify that the vital
wwer
!
l
suppliers were not a ltered" in a significant way.
The purpose of tiis
)
3
check shob1d be to ma ke sure it was safe to turn power on for further
j
checking Of systems.
i
i
.
If preliminary determination of sabotage has been made and further
'
-
--
investigation indicatbs that specific systems might ble affected, it may
-
be necessary to perform a complete walkdown inspection of certain systems,
i
checking all accessible manual and motor-operated valve positions, circuit
1
breaker and electrica l switch positions, etc.
Actual system walkdown
'
inspections are espec ally pertinent with respect to standby systems whose
o mrabilit/ cannot be completely demonstrated during normal plant operations.
C tecks in 11gh radiat on areas may a required depending on detailed con.
,
1
sideration of the evi ence of sabot ge in these areas and as low as is
reasonablyachievable'(ALARA)consitration.
Ifevidenceofsabotageisfoundanpspecificcomponentsandsystemsare
identified, consideration of the cohsequences of corrective actions should
be made.
A thorough heterinination of possible system response to corrective
actions should~ be made and contingency plans to address these responses
should be determined before corrective actions are taken.
.
Detailed examination of systems including those associated with the
identified sabotage, Imy be necessary to estabitsh the basis for continued
operation.* The systems to be examined are listed in item C or 0, as
'
applicable.
Followin
confirm system operab[h such a checkbut, it then would be appropriate t
11ty throughout the plant using the technical
specification requir
nts as the mbasure of safe operability.
This
i
conformance with tec nical specifiestion requirements represents the
overall criteria on
hich decisions may be made regarding changing the
mode of reactor opera'tions.
C.
Boiline-Water Reactor (BWR) Plant Systems
1.
Reactor System
a.
Yessel - check for obvious abnormal condition
b.
Yessel Level Instrumentation - condensing chan6ers, piping,
differentia'l pressure (DP) racks, and wiring
kaw'
n the plant is operating, operation sh'ould continue until sufficient checks
have been made to ensure the plant can be shut down.
D RA l=r
-
.
._ .-
- . -
.- .
--
_ _ - . - -
= - . _
-
.
- -
-
--
.
"-
-
p- -
.gg,_:
-
y
.;:mm
.
I
.
. . .
IN-xx
Z
'
]
2.
Reactor Recirculation System
.
a.
Pfplng
-
i
b.
Yalves-discharge and suction
'
.
c.
Motor, pump , and controls
'
d.
Power supply entor generator (MG) set, cables, mo'dules,
'
and broadern
e.
Control cab inets, wiring, . boards, and breakers
j
,
3.
Control Rod Drive liydraulic System
Hydraulic control units (HCUs)lvesdirectional control valves,
a.
,
Isolation volves, and scram va
.
b.
PipingthroughoutHCOsandscramdischargevolume(
)
SDY drain and vent valves and instrumented volume (
1evel
i
c.
switches
}
.
d.
Control circuitry - cables and boards
.
~
Air supply I piping and valves, controls, ahd pilot valves
--
e.
-
)
4
Standby Liquid Control (SLC) System
!
i
a.
SLC tank, lovel, and piping
i
b.
Pumps and motors, power supplies, and controls
!
c.
Yalves squLb, and isolation
d.
Controlcircuitry, panels, cabinets, and cables
,
5
Residual Heat Releval (RHR) System
Heat exchangers, primary . side (shell), secondary side (tube),
j
a.
and service water
j
b.
Primary sido low-pressure core injection (LPCI) pumps, motors,
p1 Ing valves, isolation valves, drywell spray piping and
,
i
va ves and torus spray piping and valves
Other p,rimary side pipin't,and valves,le
c.
that is, shutdown cooling
and isolati n coolin
Mere ap Ilcab
i
d.
Control cir uttry, w ing, pane s boards
I
power supplies, and control power, supplies, logic interconnection ,
I
e.
RHR Service Water System
((
j
Pumps, motors and
and valves, water supply structureisolation, and interconnec
Piping
i
(
Contro l circuitry w
boa
nupply, cable,iringkers,rds, and panels
}
(
Power
brea
and controls
{
6.
Core Spray Syst m
.i
a.
Pumps, and retors
b.
Piping and alves, isolation valves and check valves
Control cir uttry, wiring, panels, logic, and control power
l
c.
'
d.
Power supp11es, cable, breakers, and controls
4
Wes/
!
?/2AFl
4
!
epi vn na6 asps
98.84.1996
18805
,
p.
e
9/W1
-
.
-
-
4
lban
. . .I
Page 8 of 125 -"i
i
V
7.
High Pressure CoalantInjectionSystem
i
a.
Pusip and tu sine driver
- - .
-
'
b.
Piping val /es, isolation valves
- vitry, wiring, logic, and coedensate. traps
i
c.
Controlcir
, and control power
j
d.
Turbine oil system, turbine control valves, and speed governor
8.
Autosatic Depres turization System
i
a.
Safety reli ef valves operability
a
b.
Control cir :uitry, wiring tim
and logic
,
i
c.
Air or pneu;nstic accumulaIors,eralrsupplycheckvalves,and
i
l
air supply siping
i
9.
Reactor Core Isolation Cooling System *
.
!
.'
a.
Pump and tu rbine driver
l
b.
Piping, val ves, isolation valves, check valves"and condensate
--
-
traps
'
c.
Control cir:vitry, wiring, and logic
10. Diesel Generator System
,
i
a.
Day tanks a id storage tanks
?
b.
Fuel oil pumps, motors
an
Control circuitry, wiring,d pipingand logic
y
c.
'
,
d.
Diesel air start and lube oil systems
e.
Generator p rotective devices and output interconnections (see
j
electrical systems)
11.
Containment Systems
1
l
j
a.
Primary con,tainment isolation valves, including main steam
isolationvp1ves(MS!Ys)andcontrols
'
i
b.
Primary containment inerting system piping, valves, controls.
andsamplin)chamberwaterlevel
.
i
c.
Suppression
i
d.
Yacuum breaxers - drywell (DW) to torus to reactor building
!
e.
Standby gas' treatment system operability
j
f.
DW purge an'd vent valves control
f
.
12. Water Systems
l
4
!
a.
RHR service water piping, valves
pumps and motors
Emergency s'ervice water (if app 1Icable), piping, valves, pumps,
i
b.
4
and motors l
1
c.
Intake structure integrity
i
d.
Reactor building closed cooling water, and turbine building
j
closed cooling water, and fuel pool cooling
4
V
'For earlier BWRs using an isolation condenser for this function, only the
above items 9.b and 9.c are applicable.
i
4
-
-,
-
,
-
7...........-_
- - - _ . _ - - . . _ . - -
- . .
,3,. , , , gg
.-
--
-
.,.e ,fe18
,
~
i
0@fr
.y
.
.
W
!
INinx
4*
I
Page9of'it
,
j
e.
Circulating water system , ter system
f.
Diesel generator cooling wa
!
9,
Condensate and feedwater system, including storag6 tanks sad.
i
domineralisers
-
i
h.
Condensate-Feedwater )iping, pusps, and valves
.
i
1.
Feedwater heaters witt associated piping and valves
i
.
.
j
13.
lastrumentation and Control (14C) Systems
!
Reactor protection system, boards, racks, relays, and complete
a.
controlrochcheck
.
l
b.
Neutron monitoring system, including traveling incore probe (TIP)
piping and valves and source range monitor ($RM)Itor (ARA
intermediate
,
i
range monitor (!RM), and average power range mon
c.
Process control interfaces
~
i
d.
- Instrumenta! safety feature controlstion and control (!&
Engineered
and racks
i
e.
- _.
!
control rocia habitability system
"
~
,
f.
l
Other I&C J for example, fuel pool cooling, offgas' monitoring.
etc.
14. Eledtrical $yptens
!
1
a.
DC system supply and monitoring on 125 volt and 250-volt batteries
andchargeds,switchgear,andpanels
3
!
h
b.
Vital AC e utpment including 4ky, 480-volt and 230-volt buses
j
and switch ear
!
c.
Vital moto control centers
i
d.
Emergency lighting system
!
e.
Remote sautdown control system
j
f.
Cable spres ding room
.
l
15. Compressed Air lystem
-
l
a.
Compressort, accumulator tanks, and motors
i
b.
Piping and valves
l
c.
Control circuitry, and wiring
16. Main Turbine Generator
!
l
a.
Turbine control system
Bypass valte controls , including electrohydraulic oil system
j
b.
j
c.
Generator protective systems
i
.
!
D.
Pressurfted-Water Reactor (PWR) Plant Systems
.
-
j
1.
Reactor System
.
{
a.
Reactor prossure vessel
i
b.
Control rod drive mechanism above reactor vessel
i
y
Control and instrumentation for the reactor protection system
c.
(RPS) and the overpressure protection system
'
.
-
}
Ad d
.
.-
- . . = = = + +
=
..
..
.%
..
-
-
,_,-=-we-
._ __.____ -
--
, . . -
==
._
, , . , _ .
--
._
_ ._ __.___ _ _
-.
______
.
,
j
.'
vxyp i
.
-
-
l
IN.xx
page 10.of.'Ir.
2.
Reactor Coolant systems (Rcs)
!
a.
Primary and secondary coolant loopapiping, valver(including
safetyrelikf),instrumentationandcontrol
,
.
i
b.
Reactor coo;1 ant pumps (RCP) and associated component cooling,
i
including
onent cooling of lube oil coolers and component
!
cooling va ves and piping to containment penetration
!
c.
External s
am generator, including safety relief valves
i
d.
Pressurizar , including power-operated relief valves (PORVs),
associated control air Cor nitrogen) supply,iping to pressure
heater control and
-
i
heater backup power supply, and valves and p
l
relief tant
3.
Emergency Core C ooling System (ECCS)
i
a.
Accumulators and piping to RCS vent and isolation valves and
nitrogenp(essureandsupply
i
.-
l
b.
Hi[h head gharging pumps, charging lines, bbron injection tankst
--
if applicable) y injection pumps (i.e., intermediate head pum
al
other safet
!
manual isol ationvalves) TORCS
Residual heat removal (RHR) system-heat exchangers pumps)
c.
valves (includingmanualsystemisolationvalvealIgnment
I
I
associated control circuitry, wiring, panels, interconnections,
!
power supplies, and control power supplies
j
d.
RHR servico water system including
(especially system isolakion valves) pumps, motors, piping, valves
!
i
e.
Refueling water storage tank, associated isolation valves, and
!
piping for ECCS pump suction
f.
Instrument and control racks for the entire ECCS system
,
j
4
Component cooli1g System
.
a.
Component zooling pumps, heat exchangers, spent fuel pool heat
exchancers , and water seal heat exchangers
b.
Special attention should be given component cooling for RCPs,
emergency Wiesel generators. ECCS pumps, and assoc'ated isolation
l
valves and piping
.
6.
Instrumentation and Control
!
a.
Visual inspection and functional testing of RPS and engineering
safeguards'ck of instrument racks and wiring for RHR, auxiliary
i
systems
b.
Visual che
J
feedwaterlsystem,andshutdownsystems
!
c.
Preoperational testing of SRMS, IRMS, and all other power level
4
instrument's
j
d.
Control ro'om and auxiliary room ventilation system
Instrumenti control air (or nitrogen) pressure valves and piping
e.
j
for safetf systems
]
f.
Control rc om panels and cabinets
i
i
-.
..
_ _ .
.
-
-
- _ ,
..
- .-
-
_ _. - _-
_
- __ - - .
.-
_
1
.
IN-xx
-
1
j
Page 11 of it'
i
I
l
6.
Waste Disposal and Radiation Protection System
_
a.
Radiation sonitors for service water discharge headers and plant-
'
!
1
vents
]
b.
Reactor coq 1 ant drain tanks, chemical and volume' control system
(CYCS) holdup tanks, and the waste holdup tanks, valves, piping
i
j
and radiat on alams
4
c.
Waste gas , nitor tanks, and valve line to service water system
'd .
Gas decay tenks, analyzer tanks, plant vent valves lineup, and
.
I
associated radiation monitors
7.
Containment Systems
a.
Containment isolation valves, CYC5 letdown lines, and MSIVs
b.
Containment pressure relief valves, purge exhaust valves and all
Other manun11y operated containment valves that are accessible
c.
Personnel und equipment access hatches
"
.-
-
--
d.
Containment sprcy systems, piping, valves, instrumentation and
wiring, punps, heat exchanger and recirculation system sump
zusp and controls
e.
iydrogen rocombiner units, including the control panels and
power supply
f.
Fan cooler 1 with safety cooling functions and ice condensers
(ifapplicable)
8.
Electrical Syst ems
a.
Auxiliary power s stem, including 4160/480 vital buses, 125 volt
DC control buses / attery and 120-VAC V tal instrument bus
i
b.
Emergencyhieselgeneratorsystemcontrols,fueloil,lubeoil,
tanks, and piping
c.
Cable spre,ading room
!
.
9.
Main Steam System
a.
Associate reitef valves
b.
Turbines, including lube oil system, bypass valves and generator
protectic systems
Steam generator feedputnps and valve lineup through feedwater (FW)
c.
Auxiliary lfeedwater system pumps and manual isolation valves
heaters
d.
10. Spent fuel pool andfuelhandlingsystems(i.e.,ifinrefueling
outage),incluc ing cooling system and level indications
11. Service water system, including piping, valves, pumps, and heat
exchangers
I
f ampling systey for appropriate systems, including isolation valves
12.
'
.
I
i
l
-
i
'
,
.
.
. _ _ _ _ _ .
, _
_
_ _ . _ . _ .
. _ _ _
_
_
. _ . _
_ . . _ .
. _ _ _ . _ _ _ _ _ .
. _ _
!
~"IJ+
,
~
'
rn.xx
-
Page it of 1c._r ,
'
..$ ".
. + -
V
No specific action or writ l ten response is required by this information not
"
'
'
plasse contact one.cf the technical
If you have any questions about this matterheRegionalAdminIstratoroftheappropria
contacts listed below or
!.
office.
<
a
l
I
charles E. Rossi, Director
Division of Operational Events
i
Assessment
'
l
Office of Nuclear Reactor Regulation
Safeguards Technical Contact: Eucene W. McPeek, NRR
(301)492-3210
.
!
--
.Qperational Technical Contact:
Richard Lobel, NRR
-
-
j
(301) 492-1157
Attachment: List of Recehtly !ssued NRC Information Notices
!
'
t
1
,
.
I
l
i
,
.
i
l
j
JM FT~
--
-.
-
.
..
....
,
.
,
.
,
j
ATDOE'ItC D
j
l
!
i
'
/
OUTLET PORT
[
j
/
r:
r
-
!
%
t
,
'Y'
STRAINER BODY
p
a
-
,
.s e
/
l
1
- $
'c
'
PENNY
!
[
/ Y
1
!
l
i
,
I
i
L
!
- - .
IHLET PORT
j
i
l
i
FLOW
.
General Arrangement of "Y" Strainer
!
Components and Location of Penny
FIGURE 1
l
l
__
. _ _ _ _ _ . . .
. _ . . _ . _ _ _ _
_
,
!lll
'!lIl!Il! i ll
sjl
!;
. .
-
-
.
-
.
_
._
_
_
_
_
,
_
D.
_
O
._
o'
.
._
w.
t
o.
.w
l n
_
j'
aM %
'
ao
.,
r
<
e.
en
'
e-
ne6
5 5
n
ee9
_
_
2 8
"6
Gr9
_
M.
3
S
c1
8
dS
_
n
,
_
n 1 af0
7
o2
.
s
.
.
nnr
_
'
ooe
,
-
'
.
iib
st m
nie
-
N. R* [X
edt
.
mnp
i oe
-
s
'
N. R9t
-
_
-
.
%*
s! pb
-
-
2
-
E
R
.i
-
-
U
_
i i'
G
_
I
_
F
_-
-
-
-
_
-
NO&
1l
l n
ao
I
'
'
I
kI
r
-
en
d
ne6
2
ee9
Gr9
)
%
u0
c1
dS
7
n
,
af5
-
7
o1
-
_-
K
snnr
ooe
iib
-
[
stm
_-
nie
t
edt
-
1o
4h
, kO
mnp
ioe
_
_
_
_
_
_.
_
_.
_
._
-
-
-
.
,;!
',
- -
!
- !
- '
-
! I
.
.
.
i
!
- '
- '