ML20137X381
| ML20137X381 | |
| Person / Time | |
|---|---|
| Site: | Vogtle  |
| Issue date: | 04/14/1997 |
| From: | NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION II) |
| To: | |
| Shared Package | |
| ML20137X373 | List: |
| References | |
| 50-424-97-01, 50-424-97-1, 50-425-97-01, 50-425-97-1, NUDOCS 9704220016 | |
| Download: ML20137X381 (33) | |
See also: IR 05000424/1997001
Text
.
.
U. S. NUCLEAR REGULATORY COMMISSION (NRC)
REGION II
Docket Nos. 50-424 and 50-425
License Nos. NPF-68 and NPF-81
Report No: 50-424/97-01, 50-425/97-01
Licensee: Southern Nuclear Operating Company. Inc.
Facility: Vogtle Electric Generating Plant (VEGP) Units 1 and 2
Location: 7821 River Road
Waynesboro. GA 30830
Dates: February 2 through March 15, 1997 l
Inspectors: C. Ogle. Senior Resident Inspector ,
M. Widmann Resident Inspector i
K. O'Donohue. Resident Inspector (in training)
W. Miller, Reactor Inspector (Sections F1.1. F2.1 F2.2. F3.
F5. F7. F8.1 F8.2)
J. Ganiere. Electrical Engineer. NRR (Sections E7.1. E7.3.
E7.4) l
M. Waterman. Senior Electrical Engineer. NRR (Sections E7.1.
E7.2. E7.4)
D. Wheeler. Senior Project Manager Vogtle NRR
Approved by: P. Skinner. Chief
Reactor Projects Branch 2
Division of Reactor Projects
,
l
Enclosure 2
"'
9704220016 970414
G ADOCK 05000424
.. _ _ _ . _ _ _ _ _ _ . - _ . _ _ _ _ _ . _ . _ . . _ _ . . - . . _ _ _
. ,
l~
l
EXECUTIVE SUMMARY
l Vogtle Electric Generating Plant Units 1 and 2 :
NRC Inspection Report 50-424/97-01, 50-425/97-01
'
This integrated inspection included aspects of licensee operations,
l engineering, maintenance, and plant support. The report covers a six-week
period of- resident inspection. It includes the results of an announced
inspection by a regional fire protection inspector. In addition. it includes
the results of a saecial inspection conducted on January 29 and 30, 1997 by ,
NRR personnel of. t1e Instrumentation and Controls Branch, Division of Reactor ;
. Controls and Human Factors. !
,
Ooerations
e In general, the conduct of operations was professional and
! safety-conscious (Section 01.1). ,
e Plant Review Board (PRB) discussions observed by the inspectors were
thorough and appropriately focused on safety (Section 07.1). '
,
e The Independent Safety Engineering Group (ISEG) assessment of
'
configuration control deficiencies was a positive example of licensee
.
!
self-assessment (Section 07.2).
e The inspectors' review of a licensee-identified issue associated with
j the quality of rounds performed by an operator on January 6. 1997, found 1
l that the rounds were of questionable quality (Section 08.1).
t
Maintenance
o Maintenance activities were generally completed thoroughly and
professionally (Section M1.1),
e An example of poor work practices was identified for the inadvertent
defeating of an automatic start feature for the Unit 1 engineered safety 1
,
. feature (ESF) 1A chiller during corrective maintenance (Section M1.3). '
i
e A violation was identified as a result of the discovery by the
inspectors that the positions of six valves in the Unit 2 auxiliary
feedwater system were not being properly verified (Section M3.1).
j Enaineerina ,
e The engineering evaluation associated with maintenance on valve -
2-HV-3548, reactor coolant system hot leg sam)1e line valve, was- !
detailed, thorough, and appropriate (Section :1.1).
-e The commercial grade item dedication process at Cooper Energy Services
(CES) was not acceptable in that CES did not verify the adequacy of the
-
701 DSC design by the performance of an acceptable design review or by
the performance of a suitable testing program (Section E7.1).
?
Enclosure 2
, ,
.- - . . . . . . . - -. . - . - - - - - . - . - . . . - - . . - - . -
. ,
,
.
.
1
2
i
e The' lice ~nsee failed to maintain records of safety-related equipment
settings and calibration constants under configuration control for the
diesel generator governor modifications (Section E7.2),
e The licensee performed appropriate point of installation Electromagnetic !
Interference (EMI) emissions testing. The 701 DSC EMI qualification was -1
sufficient to ensure proper operation in the actual EMI environment in )
which it will be used (Section E7.3). j
-e -The licensee's 10 CFR 50.59 safety evaluation _and supporting
documentation did not provide an acceptable basis to conclude that the
701 governor modification does not create a possibility for a
malfunction of a different type than any previously evaluated-in the
UFSAR. The 10 CFR 50.59 safety evaluation did not provide adequate
justification to conclude that installing the 701 governor does not
involve an unreviewed safety question (Section E7.4).
Plant SuDDort
e Appropriate action has been taken to resolve the Thermo-Lag issue at
Vogtle (Section F1.1).
e The relatively low number of open maintenance work orders (MW0), minimal
number of degraded fire barrier assemblies, and good material condition
of the fire protection com)onents and fire brigade equipment, indicated
that appropriate emphasis lad been taken on the maintenance and
operability of the fire protection components (Section F2.1). l
1
e Fire brigade radio communication transmission problems and one pre- l
action sprinkler system not being maintained to the design requirements '
l were identified as program weaknesses (Section F2.1).
,
e Appropriate surveillance and test procedures were provided for the fire
'
protection features. However, a violation was identified due-to the ;
failure to meet the 12-month operability test frequency required for the :
fire detection devices (Section F2.2).
1
,
e
'
l The fire protection program implementing procedures were adequate and
- met licensee and NRC requirements. Implementation of arocedures was
- good. Control of ignition sources, transient combusti)les, and general
L housekeeping was very good (Section F3).
! e The fire brigade organization and training met procedure requirements.
L Performance by the brigade during a drill was good, except for radio
'
communications problems between the fire brigade leader and brigade
members. A well qualified state-certified fire brigade training
instructor and good fire brigade training facilities were provided on
L , site (Section F5).
l
.
Enclosure 2
.
- -- - . . - . . -. - -- . . .
. .
.
3
e Thorough audits and assessments were made of the facility's fire
protection program and appropriate corrective actions were taken to
resolve the identified issues (Section F7).
- A violation was identified for the failure to revise the Updated Final
Safety Analysis Report (UFSAR) to reflect as-built Appendix R fire
protection related plant configurations (Section F8.1).
Enclosure 2
l
l
l
.
. .
l
.
Report Details
Summary ~of Plant Status
{
Unit 1 operated at- full power throughout the entire inspection period. ;
Unit 2 operated at- full _ power throughout the entire inspection period.
I. Operations
01 Conduct of Operations
]
01.1 General Comments-(71707)
Using Inspection Procedure 71707, the inspectors conducted frequent ;
reviews of ongoing plant operations. In general, the reviews.irdicated
.that the conduct of operations was satisfactory. '
.
02 Operational Status of Facilities and Equipment- l
02.1 Safety-Related Walkdowns
a. Insoection Scooe (71707) l
The inspectors walked down the following engineered safety feature (ESF)
systems as part of the routine inspection effort to verify availability
and overall condition of the safety-related systems.
Unit 1 and 2 Residual Heat Removal (RHR) Systems
b. Observations and Findinas j
,The ins)ectors verified proper system configurations both electrically
and meclanically for the above ESF systems through walkdowns of selected
)ortions of the system in the plant, etalkdowns of main control room !
Joards. and reviews of system drawings. The inspectors also observed !
the overall material condition of system components during-the ,
walkdowns. Minor issues identified were provided to the licensee for
resolution.
c .- Conclusions
The inspectors concluded that the systems reviewed were available to
perform their intended function and that the systems were properly
aligned. No significant items or discrepancies were noted during these 1
inspections. The inspectors did note that the licensee has
substantially improved the general area conditions in the four RHR pump
rooms. These pump rooms have been decontaminated and are no longer !
posted as contaminated areas.
Enclosure 2
y .-' *m m - - - -t w m --1ri-- -
w P - cu- r -m - - *e-- "
-t-+* --#'
T
- - . - . . - - - - - - . . - -
.
. .
.
i
-
2
.
03 Operations Proce~dures and Documentation
[ 03.1 Walkdown of' Clearances (71707)
-
During the inspection period, the inspectors walked down the following
. clearances:
i~
19600324 RHR, 1oop 1. is01ation
- 29600289 RHR. pump A. downstream, suction from hot leg
i 19700085 Parts removed from spare breaker-
l 19700131 Emergency Hydraulic Control pump train B. repair oil leaks
"
b. Observations:and Findinas
,
The inspectors did not identify any problems during these walkdowns.
4
t 07 Quality Assurance in Operations
~
i 07.1 Plant Review Board (PRB) Meetinas (40500)
!
- The inspectors attended PRB meetings on February 4 and 5, 1997. The
meeting on February 4 was a normally scheduled PRB and the majority of
- the items discussed-were routine in nature. Included in'the PRB review.
i at this meeting was proposed temporary modification 96-V2T054. This
! temporary modification was develo)ed as a contingency in the event that
j. repairs were required to valve 2-iV-8812A, Refueling Water Storage Tank
'
(RWST) to RHR Isolation Valve. The temporary modification was developed
(- to install freeze seals on either side of the valve if repairs to the
j valve were necessary.
'
This temporary modification was-also discussed at length during the
- February 5..PRB meeting.
l
- The PRB discussions were thorough and appropriately focused on safety.
- In particular, the inspectors noted that questions raised Dy the PRB
'
.
'
j enhanced the quality of the safety evaluation performed for the
07.2 Confiauration Control Self-Assessment' (40500)
t
t
The inspectors reviewed an Independent Safety Engineering Group (ISEG)
i document titled " Configuration Control Deficiency Card (DC)
2
Assessment." It provided'ISEG's review of the licensee's performance in
- the area of configuration control as documented in DCs generated between
f August 1995 and January 1997. The inspectors-observed that the analysis
contained in this assessment was extremely detailed and thorough.
Further, specific recommendations for enhancements to. improve licensee
performance in'this area were also included. The inspectors concluded
that this was a positi_ve example of licensee self-assessment.
Enclosure 2
-h. Ad +erou ...aii ne r4 4=. o.J -
c A - - .a. -.h-+ . . -4+4- 4 a
.
. .
.
3
'
08 Miscellaneous Operations Issues
08.1 Review of Non-Technical Soecification (TS) Operator Rounds
a. Insoection Scooe (71707)
The inspectors reviewed an issue concerning rounds completed by a plant
equipment operator (PE0) in Unit 2 on January 6, 1997. The NRC was
informed of this issue by the licensee at the beginning of the report
period. The licensee indicated that the performance of these rounds did
not meet their expectations. An independent review of this issue was
conducted by the ins)ectors. As part of this review, the inspectors
also reviewed other 3E0 rounds documented during January 1997. The
inspectors also discussed with plant management the circumstances
surrounding the performance of the rounds on January 6. as well as,
management's expectations in this area.
b. Observations and Findinas
l
PE0 non-technical specification rounds are grouped by specific buildings
and areas. Auxiliary building rounds are performed in accordance with l
Procedure 11881-1/2. Auxiliary Building Round Sheets. l
This issue involved PE0 performance of the Unit 2 auxiliary building
rounds. This effort requires general inspection and numerous readings
(approximately 58) of gauges and other indicators regarding the status I
of various components within the building. A review of the completed
Unit 2 auxiliary building rounds for January 6.1997. indicated that
data was recorded where appropriate. The rounds were completed in
approximately 44 minutes. A review of three other documented PE0 rounds
examined by the inspectors indicated that the average length of time to
complete a round was approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> 20 minutes. Based on computer
records, the January 6 rounds were entered into the hand-held computer
used by building operators. when the PE0 was in the technical support
center and not in the auxiliary building.
The licensee documented this issue in deficiency card (DC) 2-97-033.
The inspector's review of the DC identified that the initial disposition
did not address the issue of the adequacy of the rounds performed by the
PEO. The insaectors' observations of the initial disposition was
discussed wit 1 plant management. As a result, the licensee revised the
dispcsition. Disciplinary action was taken against the involved PEO.
In addition, the licensee has and is currently counseling shift
.
'
operators en management's expectations for the proper performance of TS
and non-TS roends.
Enclosure 2
i
- - -- - ..
. .
4
c. Conclusion I
The inspectors concluded that the rounds completed by a PE0 in the
Unit 2 auxiliary building on January 6.1997 were of questionable
quality.
II. Maintenance
M1 Conduct of Maintenance
'
M1.1 Maintenance Work Order Observations
4
a. Insoection Scooe (62707)
The inspectors observed portions of maintenance activities involving the l'
following work orders:
19700757 Unit 1 alarm panel module change out {
29602495 Reactor coolant system hot leg sample isolation valve l
2-HV-3548 packing leak i
29700212 2B Diesel Generator (DG) bypass line fuel oil leaks '
29700474 2B DG left bank fuel oil leaks
29700476 28 DG fuel oil injection pump number 6. troubleshoot
b. Observations and Findinas I
The observed maintenance activities were performed satisfactorily.
M1.2 Surveillance Observation i
5
a. Insoection Scooe (61726) 1
The inspectors observed the performance or reviewed the following
surveillances and plant procedures:
i 14420-1 Solid state protection system and reactor trip breaker train
A operability test
14495-2 Motor driven auxiliary feedwater (MDAFW) pump train A flow
path verification
14545-2 MDAFW train A pump operability test
14802-1 Nuclear service water cooling (NSCW) system train B pump
(1-1202-P4-002) and check valve (1-1202-U4-027) inservice
test (IST)
14807-2 Quarterly MDAFW pump train A IST
14980-2 DG 2B operability test
b. Observations and Findinas
The observed surveillance activities were performed satisfactorily.
Enclosure 2
!
l
,
_ - -
.
5
M1.3 Uriit 1 Enaineered Safety Feature (ESF) Train A Chiller Failed To Start
a. Insoection Scooe (62707)
The inspectors reviewed an issue concerning a failure to start of the
ESF 1A chiller on February 3. 1997.
b. Observations and Findinas
On February 3. at 4:20 a.m. the ESF 1A chiller evaporator chill water
low flow loop.1-F1-22425, was removed from service to allow corrective
maintenance to be conducted on flow indicator switch 1-FISL-22425 in
accordance with maintenance work order (MWO) 19700319. At 4:39 a.m..
ESF Chiller Train B was placed in "Stop." in accordance with Procadare
14400-1. Control Room Emergency Filtration nctuation Logic Test.
Section 5.2. ESF Chiller Actuation Logic Test. At 4:46 a.m . during
performance of a subsequent step in the procedure, operations personnel
identified that the ESF 1A chiller failed to start. At 4:49 a.m. the
ESF Train B chiller was restored to auto. 0)erations verified the auto
start of ESF Train A chiller at 5:02 a.m.. 40 other adverse equipment
conditions resulted during performance of Procedure 14400-1 or MWO
19700319. Limiting condition for operation (LCO) action statements for
the ESF chillers were entered / exited as appropriate.
A review of the circumstances surrounding performance of MWO 19700319
indicated that there was a failure of the Unit Shift Supervisor (USS)
and the instrument and controls (I&C) technician to properly communicate
the scope of the work to be performed and the impact on plant eauipment.
A subsequent review of the single line electrical diagram reveal'ed that
u)on removing the flow indicator loop from service, that a low flow
cailler trip was generated, preventing the auto start. The electrical
drawing was not reviewed by the USS prior to authorizing this work. In
addition, other factors contributed to the failed chiller start. This
included: the performance of the ESF 1A chiller surveillance
simultaneously with the flow indicator MWO; the MWO being authorized on
an op)osite train week (i.e.. Train A com)onent being worked on a Train
B weeO indicating that the work may not lave been scheduled properly or
thoroughly pre->lanned; the USS not following the )lan-of-the-day
schedule; and t1e MWO being removed from a work scleduler's desk
prematurely rather than the package being issued to the field as is
typically done.
During the review of this event, the inspectors learned that, in
general. USSs were unaware of the impact of flow indicator loop on the
chiller system (i.e.. loss of the automatic start feature) when removed
from service. As a result, the licensee has proposed a revision to
Procedure 24362-1. ESF Chiller Chilled Water Flow Trains A and B
1F-22425/1F-22426 Channel Calibration, to include a precaution on the
impact of removing the flow indicator from service on the ESF chiller
system.
Enclosure 2
. _ . _ ._ . _ . _ _ _ _ . _ _ _ _ . .______ . . _ _ _ . _
'
. .
'
.
6
- c. Conclusi'ons ;
The inspectors concluded that the inadvertent inoperability of a safety-
related component due to a lack of understanding of the work authorized
and poor communications between departments was an example of poor work
practices.
.
H3~ Maintenance-Procedures and Documentation
M3.1 Technical Soecification (TS) Surveillance Not Conducted
a. Jnipection Scooe (62707)
The inspectors reviewed the circumstances associated with the discovery !
that the positions of six valves in the Unit 2 auxiliary feedwater (AFW) !
system were not being properly verified. This included reviews of ,
Procedure 11610-2. AFW System Alignment: Procedure 11867-2. Safety
' . Related Locked Valve Verification Checklist: Procedure 14495-2.~AFW
System Flow Path Verification: Vogtle Electric Generating Plant Design
Manual . Design Control Number DC-1302. AFW System: Technical
Specifications (TSs): and Design Change Package (DCP) 95-V2N0019-1-1
AFW Hiniflow Bypass Addition.
b. Qbservations and Findinas
,
'
On February 13. 1997, the ins)ectors observed and notified operations
personnel that valves 2-1302-J4-180 through -185, though properly
i positioned, were not locked. Following the licensee's confirmation of
the inspectors' observation, the valves were locked in the proper
position and a deficiency card (DC) was generated.
These six valves are in the recirculation piping for the Unit 2 AFW
pumps and are downstream of three normally locked open valves. These
valves were installed during the fifth refueling outage (2RS) by DCP
. 95-V2N0019-1-1. Two valves are installed in parallel in each of the
-
three' Unit 2 AFW recirculation lines. The valves were installed to
.
permit AFW pump recirculation flow to be directed to the Unit 2
condensate storage tank (CST) serving as the AFW suction source.
.TS SR 3.7.5.1 requires verification that each AFW manual valve in each
water- flow path that is not locked, sealed or otherwise secured. is in
l the correct position every 31 days. Likewise. prior to implementation
- of improved technical specification (ITS) on January 23. 1997. TS
l surveillance 4.7.1.2.1 required a similar verification once per 31' days
on a staggered test basis.
Procedure 14495-2. AFW System Flow Path Verification, is used to
, accomplish the current surveillance requirement. Prior to
[ implementation of ITS it was also used to satisfy TS surveillance
!
$
Enclosure 2
.
_ . . . _ _ _ _ _ . _ _ _ _.. . _ _ .
-
l
. .
1
. !
7
4.~7.1.2.1. The six AFW valves in question were not included in this !
surveillance.
The inspectors determined that the positions of the six valves were
verified following installation during a valve lineup conducted near the
end of Unit 2 Fifth Refueling Outage (2RS) on October 5,1996. The
positions of all six valves were verified again on February 13, 1997, in
the 3rocess of installing locks on the valves. (The positions of five
of t1e six valves were verified on February 6.1997, during an AFW
system lineup verification.)
.
)
l
c. Conclusion '
The inspectors concluded that the licensee failed to' update Procedure
14495-2 or install locks on the valves following installation of the
valves during 2R5. As a result, the licensee failed to conduct TS
required surveillance testing for approximately 4 months. This is .
identified as Violation (VIO) 50-425/97-01-01. AFW System Surveillance
Not Conducted As Required By TS.
III. Enaineerina
El Conduct of Engineering
El.1 Enaineerina Seismic Evaluation
a. Insoection Scooe (37551)
The inspectors reviewed an engineering evaluation performed to support
maintenance on the reactor coolant system (RCS) hot leg sample line
valve. 2-HV-3548.
1
b. Observations and Findinas '
Maintenance to correct a packing leak on 2-HV-3548 was conducted per
maintenance work order (MWO) 29602495. To support this activity,
engineering personnel performed an evaluation to seismically restrain
the valve actuator during the maintenance. The valve' stem packing work
required that the actuator be removed using a chain-fall connected to an
I-beam located in the overhead in the general vicinity of the valve.
The licensee was concerned that if a seismic event occurred during the ,
performance of the maintenance activity, with the valve actuator '
unrestrained, surrounding equipment could be susceptible to damage.
The valve maintenance was completed on February 7. 1997, without I
incident.
I
Enclosure 2
- - - - . - - - . - . - . .
. .
i
8
c. Conclusions
The inspectors reviewed and discussed the evaluation with onsite ;
engineering personnel arior to commencement of the work activity. The
inspectors concluded tlat engineering. personnel appropriately addressed
equipment concerns while developing this evaluation. The inspectors
-concluded that this engineering evaluation was detailed, thorough, and I
appropriate.
E7 Quality Assurance in Engineering Activities Woodward 701 Digital
Governor Modification
a. Scope
i
The inspectors _ reviewed the licensee's software quality assurance i
measures related .to the Woodward 701 governor modification to the !
emergency diesel generators.(DGs). Specifically, the inspectors l
reviewed.the commercial grade item dedication process' for the 701 i
governor startup test procedures and tuning results, electromagnetic
interference (EMI) qualification testing results, and the-10 CFR 50.59
safety evaluation. The licensee installed the Woodward 701 governor in
Units 1 and 2 in 1994 to replace analog. type Woodward governors. The
digital governor comprises a generator loading control (GLC) generator
load sensor (GLS), and a microprocessor-based digital speed control
(DSC) that.contains approximately 12.000 lines of-software code.
.
b. Observations and Findinas
The following paragraphs (E7.1_through E7.4) address the inspectors'
observations. findings, and conclusions.
E7.1 Commercial Grade Item Dedication of Woodward 701' Governor
a. Insoection Scooe (52002)
The inspectors reviewed the commercial grade item dedication activities
that were performed to qualify the Woodward-701 DSC software for a
safety-related application. Cooper Energy Services (CES) qualified the
Woodward 701 DSC under their 10 CFR 50 Appendix B program.
b. Observations and'Findinas
In May 1994. CES audited the Woodward Governor Company (WGC) software
development process for the 701 DSC. The NRC inspectors reviewed the
CES software audit checklist and found that.it provided a comprehensive
plan for evaluating the WGC software development process. -CES
identified several deficiencies during the audit, which were documented
in four vendor program deficiency notices dated September 13. 1993. The
deficiency notices described important software cuality assurance
functions that were not performed or documented curing the development
Enclosure 2
___ __ _ _ . _ . _ . _ _ _
,
.
.
-9-
of the 701 DSC software. Specifically, the audit report and deficiency
notices revealed that there was no formal software requirements
specification, no source code and unit module testing, no traceability
of the source code back to requirements, no regression testing, no
controls on supplier software, minimal verification and validation (V&V)
activities, and no notification of software modifications to external
users. CES also identified weaknesses in the WGC software configuration
management process.
In response to the audit findings, WGC placed the 701 DSC source code
l and the supporting software development tools under configuration
l
L
control prior to shipment of the deliverable software product to CES. l'
Additionally. WGC revised and developed several software development
'
procedures and indicated that future software development would be
performed according to the revised procedures. However, WGC did not ;
apply the revised software development processes to the existing 701 DSC !
I
software version. ~'
{
l
CES found that WGC did not perform source code validation testing or- !
L regression testing of the 701 DSC software. Instead, WGC relied on ;
j. early prototype testing and functional testing of the integrated
' l
hardware-software product to confirm coding accuracy. Vendor program l
deficiency notice 953829-02 recommended that WGC perform V&V of the ;
software by means of comprehensive testing of the source code and unit !
modules, including all decision points, loo)s, and range of conditions. !
WGC did not perform this structural (white )ox) source code testing, but ;
instead indicated that the current version of the 701 DSC software.has i'
eeen validated based on extensive non-nuclear field experience (over 800
un:ts in service). Subsequently at the request of CES WGC performed a
design review of the software. The inspectors reviewed the WGC software
design review documentation provided to CES but could not conclude from 1
the available documentation that the review was of acceptable detail, '
In CES Engineering Repo," GO-01-1994. " Software Verification and
Validation Plan for a Woodward 701 Governing System," dated April 15. -
1994, and Engineering Report GO-02-1994, " Software Validation Test
Report for a Woodward 701 Digital Speed Controller," dated May 23. 1994, )
,
CES described the V&V activities to be 3erformed as part of the 701 DSC l
! software qualification. Since the 701 )SC software lad been 3reviously
i , primarily to validate. rather than verify, the software product.
j Software validation was. accomplished through WGC factory testing and CES
i- bench (simulation) type testing. The SVVP also stated that site 1
!
installation testing would be performed and would serve as additional l
t validation. The inspectors found that the factory acceptance and bench l
i type tests did not a) pear to sufficiently test the entire design l
l envelope, including aounding conditions. of the Woodward 701 DSC. CES :
i- did not perform a detailed analysis'of the abnormal conditions and !
t" l,
<
Enclosure 2 ;
i
!
. _ -
.= .-. - .. -
'
. .
I
3
)
- 10 -
events that could potentially interfere with the software accomplishing 1
its safety function. Section E7.2 describes the inspectors' review of l
the site installation testing results. '
Lastly, CES credited the operating history of the 701 DSC in commercial
applications for providing a statistical basis for historical software i
validation. However, documentation supporting this statistical basis '
was not available for review. Therefore, the inspectors could not
conclude that there was sufficient data available to credit 701 DSC
field experience as part of the software validation,
c. Conclusion
Based on the review of the CES audit report and the software audit
checklist, the ins)ectors concluded that the software audit was well-
planned and very t1orough. However, WGC corrective actions for the
problems identified in the vendor program deficiency notices were not
applied to the existing 701 DSC software version. The inspectors
concluded that the WGC design review of the software was too cursory to
resolve the issues identified in the audit and that there was not ;
adequate analysis of historical commercial experience to credit i
validation based on successful operating history. In addition, the
inspectors concluded that the factory acceptance and bench simulation
type tests do not appear to satisfy the system validation requirements
since they do not address abnormal conditions that could potentially
interfere with the software accomplishing its safety function.
Consequently, the inspectors concluded that the lack of a structured i
software development process and lack of source code validation presents I
a vulnerability for introduction of a previously unanalyzed software '
failure mechanism for the 701 DSC.
Based on these findings, the inspectors concluded that the commercial
grade item dedication process at CES was not acceptable. Specifically,
the inspectors concluded that, contrary to 10 CFR 50. Ap
Quality Assurance Criteria.Section III. Design Control.pendix B.not
CES did
verify the adequacy of the 701 DSC design by the performance of an
acceptable design review or by the performance of a suitable testing
program. This is identified as an example of Violation (VIO)
50-424, 425/97-01-04 Inadequate Testing of 701 Governor - Two Examples.
E7.2 Vogtle Site AcceDtance Testina of Woodward 701 Governor
l
a. Insoection Scooe (52002) l
The inspectors reviewed the CES startup test procedures for the Woodward I
701 governor to determine whether all safety functions and appropriate
t
input / output combinations were tested. Additionally, the inspectors l
,
Enclosure 2
i
_ _ _ . . _ . _ _ _ _ . _ _ _ _ _ _ _ _ . _ _ _ .. . .. _ _ ,_._m
'
. .
.. !
!
e - 11 - l
!
compared the current system setpoints for the 701 DSC in the Train'1A DG !
,
I
to those contained.in the dynamic tuning procedure data sheets. '
- b. Observations and Findings '
The startup test procedures contained both static and dynamic test
'
. procedures for the 701 governor. system. The static test procedure was !
'
- .
intended to verify that the 701 governor components were correctly
! installed and operating. Specifically, this procedure contained '
instructions for presetting the GLC and GLS and for verifying the 701
,
l
DSC field device inputs and parameter settings. The dynamic test 3
procedure provided methods for tuning the 701 governor for optimal i
performance. The objective of the dynamic adjustments was to obtain the '
optimal, stable engine speed response from minimum load to full load. l
All setpoints are saved permanently in a nonvolatile memory, which does ;
not require batteries or other power sources to retain data. Entries .i
can be changed using a removable hand-held programmer. The inspectors l
l
i
found that the startup tests did not appear to sufficiently test the i
entire design envelope, including. bounding conditions, of the 701 i
governor.
j
' '
The licensee accompanied CES to witness 701 governor tuning procedures-
on a diesel generator operated by the City of Springville. Utah. The !
l licensee stated that this trip provided many insights into the 701- !
i~ governor tuning process. The licensee used this experience to develoa ;
i
better tuning practices on the Vogtle DGs. The licensee stated that WGC i
701 governor tuning does compensate for some DG performance :
characteristics: however, tuning alone did not resolve all DG i
idiosyncracies. For example, differences in compression pressures ;
'
l between the DG pistons and the location of the speed sensing magnetic j
pickup units also affected governor performance. l
- , Using the 701 DSC hand-held programmer, the licensee downloaded the !
701 DSC setpoints from the Train 1A DG. The inspectors compared these :
setpoints to the setpoints in the original startup test procedure data !
sheets dated September 30, 1994. The documented setpoints did not agree l
with the downloaded setpoints. The licensee indicated that the magnetic j
pickup unit for sensing engine speed was relocated from the front of the :
.
engine to the generator side of the engine shortly after the completion !
i
of the original startup test procedure and, as a result, the original
l data sheets had been updated. The licensee was unable to locate the
!' revised data sheets during the inspection period.
i
The licensee obtained a record of the 701 DSC calibration constants for
!
'
the Train 1A DG from CES dated March 24, 1996. The inspectors compared I
the CES data with the data downloaded from the Train 1A DG. Table 1
! ' lists 3arameter values which the inspectors found to be inconsistent
!.
>
with't1e CES recorded values. In a conference call with the inspectors
[ Enclosure 2
u . _ ._. _. , , ._ __
.
- 12 -
on February 11. 1997, the licensee could not explain the reason for the
data discrepancies; however, none of the data discrepancies affect
system performance within the design specifications of the Train 1A DG.
Table 1. Calibration Constant Variations
Variable As Found by NRC As Recorded by CES
Window Width 1* 13.0 15.0
Gain 2* 0.1064 0.07270
Reset 2** 1.00 0.90
Compensation 2** 0.10 0.050
20 mA Tach * 490 458
4 mA Tach * 440 442
Torque Limit Breakpoint + 447 450
'hI
Identified by licensee
- Identifed by inspectors
c. Conclusions
The inspectors found the licensee's actions to dynamically tune the 701
governor for optimal performance to be acceptable. However, the
inspectors concluded that the startu) test procedures did not test an
acceptable range of input / output com)inations including conditions that
bound the 701 governor design envelope. Therefore, the inspectors
concluded that the licensee tests do not appear to satisfy the software
, and integrated system validation requirements. Based on these findings,
the inspectors concluded that, centrary to 10 CFR 50. Ap
Qaality Assurance Criteria.Section III. Design Control,pendix B.
the licensee
did not verify the adequacy of the 701 governor design by the
performance of an acceptable design review or by the performance of a
suitable testing program. This is identified as an example of
VIO 50-424. 425/97-01-04. Inadequate Testing of 701 Governor - Two
Examples.
In addition contrary to 10 CFR 50. Appendix B. Quality Assurance
Criteria.Section XVII. Quality Assurance Records, the licensee failed
to maintain records of safety-related equipment settings and calibration
l constants under configuration control. Tests of the Train 1A DG have
!
shown that the settings in question have had no adverse affect on system
performance. The discrepancies between the current 701 DSC setpoints ,
for the Train 1A DG and the setpoints contained in the test data sheets
i
Enclosure 2
i
l
!
. .. - - -- . = . -
'
,
'
l
- 13 -
is identified as VIO 50-424, 425/97-01-05, Failure to Maintain Records
of 701 DSC Setpoints.
j
,E7.3 Electromaanetic Interference Qualification of Woodward 701 DSC
a. Insoection Scoce (52002) I
l
'
The inspectors reviewed EMI testing results to verify that the Woodward
701 DSC EMI qualification was sufficient to ensure proper operation in
the actual EMI environment in which it will be used.
b. Observations and Findinaq
WGC performed laboratory EMI testing of the Woodward 701 DSC using the 4
guidance in MIL-STD-461C, " Electromagnetic Emission and Susceptibility
Requirements for Control of EMI." Specifically. WGC performed radiated
susceptibility testing using MIL-STD-461C test methods RS01 and RS03 and i
conducted susceptibility testing using MIL-STD-461C test methods CS01,
CS02, and CS06.
As documented in Test Report 31319-94M, " Test Report for Point of
Installation EMI Mapping of Diesel Generator Room " National Technical
System (NTS) performed an EMI point of installation mapping of DG 4
room 2A at Vogtle. The EMI mapping presented the actual EMI levels
the 701 DSC would be exposed to when installed. Specifically NTS
3erformed emissions measurements using MIL-STD-462 test methods CE01 (30
iz to 15 kHz) CE03 (15 kHz to 50 MHz), and CE07 (switching transients,
time domain) and radiated electric and magnetic field emission
measurements using test methods REXX ('0C magnetic field) RE01 (30 Hz to
50 kHz) RE02 (14 kHz to 1 GHz), and RE02.1 (hand-held radio profile).
Tests CE01, CE03 CE07. RE01, and RE02 were performed with the diesel
generator shutdown and with the diesel generator operating at 0%, 50%.
and 100% generator power. Test RE02.1 was performed with hand-held
radios.
In Test Report 31319-94M-1. " Test Report for Analysis of Point-of-
Installation and Generic Emissions EMI Mapping Data " NTS compared the
measured EMI emission levels to the EMI susceptibility test results
obtained during the WGC laboratory EMI testing. As indicated in this
test report, NTS recommended at least a six-decibel (dB) safety margin
between the measured EMI emission level and the EMI susceptibility test i
results. The inspectors confirmed that the worst case signal spectra y
from the conducted susceptibility tests (CS01 CS02 and CS06) is at i
least 69 dBs greater than the conducted emissions levels found during I
the site survey. In addition, the worst case signal spectra from the
radiated electric field susceptibility tests (RS03) is at least 16 dBs
greater than the radiated electric field emission levels. However, the i
worst case signal spectra from the radiated magnetic field
. Enclosure 2
e
,
.
.
- 14 -
susceptibility tests (RS01) was only five dBs greater than the radiated
magnetic field emissions level in the frequency range of 30 to 60 Hz.
Including the plus or minus two-dB measurement amplitude accuracy error
of the test equipment resulted in only a three-dB margin. The safety
margin increases to the recommended six-dB safety margin at 85 Hz and
continues to increase from that point until a frequency of 50 kHz is
reached. Based on these test results. NTS proposed that the radiated
magnetic field susceptibility test be repeated at a level of 170 dBs to
verify that a six-dB safety margin exists above the measured emission
,
i
level.
WGC originally performed the radiated magnetic field susceptibility test
at a level of 166 dBs. The original susceptibility test was not
>erformed at the level prescribed in MIL-STD-461C (180 dB at 50 Hz)
3ecause the WGC test equipment did not.have the capability to test at
that level. WGC indicated that they were confident that the 701 DSC
would pass a 170-dB test between 30 and 85 Hz and that they would
perform the test at 170 dBs if requested. However, CES and the licensee
concluded that the existing three-dB safety margin provided sufficient
conservatism and that a revised susceptibility test was not necessary.
Subsequent to the inspection. CES and NTS confirmed the 3-dB margin was
associated with the level measured at the generator control ]anel, l
bay 1-2 rear. However, the licensee indicated that the 701 )SC was !
actually installed in bay 3. As supported by Test Report 31319-94M, the !
specific measurements at bay 3 show at least a 23-dB safety margin
between the radiated magnetic field susceptibility and emissions levels.
Based on this information, by letters dated February 18 and February 27,
1997, CES and NTS concluded that additional testing is not necessary
since the recommended six-dB safety margin is met at the specific point
of installation (bay 3).
c. Conclusions 1
i
The inspectors concluded that the licensee performed appropriate point ;
of installation EMI emissions testing. The recommended six-dB safety
margin between the radiated and conducted susceptibility and emissions
tests was satisfied for the specific point of installation of the
701 DSC. Therefore, the inspectors concluded that the 701 DSC EMI
qualification was sufficient to ensure proper operation in the actual
EMI environment in which it will be used.
Enclosure 2
_- .-. .- . .. .. .- -. -
'
. .
.
- 15 -
E7.4 10 CFR 50.59 Safety Evaluation
a. Insoection Scoce (52002)
The inspectors reviewed the licensee's 10 CFR 50.59 safety evaluation to ;
determine whether the licensee addressed digital equipment failures l
including software common mode failure considerations, and to determine
whether an unreviewed safety question was associated with the 701 DSC
modification,
b. Observations and Findinas
The licensee's 10 CFR 50.59 safety evaluation associated with Design
Change Package (DCP) 93-V1N0050-0-1. dated February 28. 1994 stated
that the system level failure modes for the Woodward 701 governing '
system were the same as for the analog guverning system: (1) fail in a
manner where the engine speed increases. (2) fail in a manner where the
engine speed decreases, and (3) fail as is. In the case of a failure
causing the engine speed to increase. a backup mechanical ball head
governor would automatically assume control of the engine speed. Should l
the mechanical governor fail, the engine overspeed trip would stop the l
engine. The licensee concluded that in the cases of a failure causing '
the engine speed to decrease or to fail as is. the opposite train DG
would be available.
.
In addition the licensee did not view software common mode faliure as ,
being credible, based on the qualification of the software and the i
results of EMI. seismic, and 300 start tests. The inspectors did not
concur with the licensee's conclusion that software common mode failure
is not credible. The inspectors noted that the identical software i
versions are loaded in each 701 DSC. J
c. Conclusions
In reviewing the licensee's 10 CFR 50.59 safety evaluation and
supporting documentation, the inspectors concluded that the licensee did
not consider software common-mode failure in their 10 CFR 50.59
evaluation as a possible different type of malfunction than any i
previously evaluated in the Updated Final Safety Analysis Report. The '
licensee's determination that software common mode failures are not
credible based on the software qualification performed by CES and the
results of EMI. seismic, and 300 start tests is not considered
acceptable. Therefore, the ins)ectors concluded that there is no basis
i for the licensee's conclusion tlat, for the DG failure modes where the
i
i engine speed decreases or fails as is, the opposite train DG would be
available.
Enclosure 2
i
!
.
i.
- 16 -
Based on this information. the inspectors concluded that the licensee's
10 CFR 50.59 safety evaluation and supporting documentation did not
provide an acceptable basis to conclude that the 701 governor
modification does not create a possibility for a malfunction of a
different type than any previously evaluated in the FSAR. As a result.
the inspectors concluded that the 10 CFR 50.59 safety evaluation did not
provide adequate justification to conclude that installing the 701 i
governor does not involve an unreviewed safety question. This is i
identified as VIO 50-424, 425/97-01-06. 10 CFR 50.59 Unreviewed Safety l
Question Determination for Woodward 701 Governor.
E8 Miscellaneous Engineering Issues
'
. E8.1 (Closed) Unresolved Item (URI) 96-02-05: Condensate storage tank (CST)
ininimum water volume required by Technical Specifications (TSs)
URI 50-424. 425/96-02-05 documents inspector concerns with a discrepancy
between the minimum CST volume required by TSs and that determined from
analysis of possible accident scenarios. The inspectors reviewed
revisions to TS 3.7.6 and 3.7.6.a and the following. Procedures 11610-1
and 11610-2. Auxiliary Feedwater System (AFW) Alignment: Procedures ;
17017-1 and 17017-2. Annunciator Response Procedures for ALB 17 on l
Panel 182 on Main Control Board: Procedures 14000-1 and 14000-2.
Operations Shift and Daily Surveillance Logs; and drawings 2X4DB161-1.
Condensate Storage and Degasifier System and 2X4DB161-2. AFW System.
The inspectors concluded that the changes made to these documents
resolve this discrepancy. This item is closed.
l IV. Plant Support
1
P1 Conduct of Emergency Preparedness (EP) Activities
Pl .'1 EP Exercise
a. Insoection Scoce (71750.).
! On March 10. 1997 the licensee conducted an EP drill. The inspectors
reviewed the EP procedures prior to commencement of the drill and
discussed the critique findings with plant management at the completion
of the scenario.
I b. Observations and Findinas
The inspectors observed and reviewed the manning of the emergency
facilities. All facilities were manned in a timely manner and as
appropriate. Emergency organization manager positions were filled by
qualified personnel and. except for some telephones supplied for Nuclear
Enclosure 2
-
,. _ _ . _ , _. - _ _ _ _ . . _ . _ . _ _ _ _ _ - . _ _ _ _ _ _ . _ _ _ _ . .
'
l
l .
L.
- 17 -
Regulatory Commission (NRC) use, the facilities were arranged in
l
accordance with the site plan.
At the conclusion' of the exercise, the licensee performed a critique
-that identified a number of exercise objectives which were not met.
liost notably, the classification of the event and accountability did not
meet.their stated objectives. As the. event progressed, the emergency
director declared a GENERAL emergency although the conditions did not
l
'
warrant the classification. Also, although the accountability was
completed in the required time there were 21 missing personnel 30
minutes after the SITE AREA EMERGENCY declaration.
! c. Conclusions
- The licensee did not meet all its stated drill objectives. However, the
inspectors concluded that performance of the drill to identify EP
l deficiencies accomplished it; purpose and was therefore useful. The.
L licensee informed the inspectors that as a result of the unsatisfactory
objectives, additional drills will be conducted in the near term.
l
i- F1: Control of Fire Protection (FP) Activities !
F1.1. Resolut1on of Thermo-Lao Fire Barrier Issbe (64704)
a. Insoection Scooq
!.
,
The ins)ectors reviewed the action taken to resolve the degraded-
l Thermo _ag fire barrier issues at Vogtle to determine if this action-was
consistent with licensee and NRC requirements.
b. ' Observations and Findinos !
-
In 1991, the NRC found that Thermo-Lag fire barrier material did not
perform to the manufacturer's specifications. The NRC issued NRC 1
Bulletin 92-01. " Failure of Thermo-Lag 330 Fire Barrier System to- '
Maintain Cabling in Wide Cable Trays and Small Conduits Free from Fire-
Damage." and requested licensees with Thermo-Lag fire barriers to take
( the a)propriate compensatory measures for the areas where the Thermo-Lag
'
fire )arriers were installed.
Based on the unfavorable results of Thermo-Lag fire barrier installation-
tests performed during 1993 and 1994 by the nuclear industry, the
licensee elected to remove the Thermo-Lag fire barriers installed at
.Vogtle. Design Change Package (DCP) 94-V1N0061 and DCP 94-V2N0062 were
i
prepared which provided a design to either re-route the electrical
.
raceways enclosed within Thermo-Lag fire barriers or to replace the
! Thermo-Lag fire barriers with fire barriers which had been reviewed.
, tested and approved by a nationally recognized testing laboratory. such
,
l Enclosure 2
i
l-
!-
5 _ _ -___ _ _ _ _ . . .
. .- .. - . .
'
. .
e
e
- 18 -
as Underwriters Laboratories. Inc. These DCPs provided separation
between safe shutdown components which met the separation requirements
,
of 10 CFR 50, Appendix R Section III.G.
Work on these DCPs had been completed except for. the replacement:of the
Thermo-Lag'on one electrical raceway in the Unit 1 reactor building.
This work was scheduled to be completed during the Fall 1997 refueling
outage.
L
The replacement fire barriers consisted of several different types of
3-hour fire rated designs, including: hollow concrete block, gypsum
board, Carboline Pyrolite. WR Grace Monokote, and 3M Interam.
'
The inspectors reviewed the DCP work packages, performed walkdown
inspections of the rerouted cables and new fire barriers, and verified ;
that the required changes had been completed. During these walkdown
inspections, the inspectors noted that the 3-hour Monokote fire barriers ,
installed around the required redundant circuits for the raceways in 3
Room B77 of the Unit 1 control building and around the redundant cables '
in the raceways above the mezzanine of Room B31 of the Unit 2 control-
L building contained a number of cracks. The licensee determined that
'
these barriers were degraded and implemented the required compensatory
.
actions. The compensatory measures included an hourly fire watch. The
l
inspectors verified that this required fire watch had been' implemented. )
)
,
c. Conclusions i
i
riate action had been taken to resolve the Thermo-Lag issue at
'
F2 Status of Fire Protection Facilities and Equipment
F2.1 ODerability of FP Facilities and Eauioment (64704)
a; Insoection Scooe
,
,
l
The inspectors reviewed open fire protection related maintenance work
orders (MW0s), the maintenance department's list of fire protection
- deficiencies, and operation's list of out-of-service fire protection !
'
equipment to assess the licensee's performance for returning degraded
L fire protection components to service. In addition, walkdown !
t
inspections were made to assess the material condition of the plant's i
fire protection systems, equipment and features. l
1
f
Enclosure 2 :
._ _
4-
.
- 19 -
b. Observations and Findinas
' Maintenance of FP Eauioment and Comoonents:
-
As of February 13, 1997, there were ap3roximately 29 fire protection
related open work requests. Most of t1ese work requests involved minor
corrective maintenance work items which did not affect the operability
of the components or involved systems in non-safety related areas. Two
items were related to degraded fire barriers that were identified during
-
this inspection. One item involved a pre-action sprinkler-system for.
the Unit 1A emergency diesel generator (DG) building which was not being
maintained in its design configuration', i.e.. valve was set wet and
water flow alarm had been disconnected. In this configuration.
inadvertent sprinkler actuation could go undetected and result in water
damage to the emergency DG. This condition had existed since October
1995 due to'an exhaust leak on the diesel engine. This leak activated
the fire detection system which tripped the sprinkler system each time
the diesel engine was operated. During the exit interview, the licensee
stated that this situation would be promptly resolved and the sprinkler
system restored to its design configuration.
The inspectors toured the plant and noted that, with the exception of
-the two degraded fire barriers and the one sprinkler system not being
maintained in conformance to the design requirements, the fire
protection systems were operational, material condition was _very good. ,
and' components were well maintained.
Fire Briaade Eauioment:
The fire brigade turnout gear was stored in the control building
-
adjacent to the control room. Sufficient sets of turnout gear,
consisting of coats, pants, boots, helmets, etc., were provided to equip i
the fire brigade members expected to respond in the event of a fire or '
other emergency. The equipment was properly stored and well maintained.
During recent fire brigade drills, the fire brigade experienced problems
with radio communication. On one drill, the brigade had to rely on
runners in order for the fire brigade leader to communicate with the '
fire brigade members. The licensee determined that this arrangement was
not satisfactory. To resolve this issue, the licensee appointed a task ,
force to identity the extent of the problem, and to im)lement
appropriate corrective actions. Pending correction, t1e poor radio
communication problem is identified as a program weakness. Otherwise, i
the fire brigade equipment was operable, properly stored, and well
maintained.
<
'
Enclosure 2
4
.
\ ,
- 20 -
!
c. Conclusions !
>
!
The relatively low number of open MW0s, minimal (two) degraded fire !
L
barrier assemblies, and good material condition'of the fire protection
j
com)onents and fire brigade equipment indicated that appropriate
emplasis had been placed on the maintenance and operability of the fire.
protection components. However, the problems associated with the poor
fire brigade radio communications and the one pre-action sprinkler
system not bein
as weaknesses. g maintained to the design configuration were identified
,
L F2.2 Surveillance of FP Features and Eauioment
i
a, Insoection Scooe (64704)
The inspectors reviewed the following completed surveillance and test.
procedures:
! -
14951-C Fire Suppression System Operability Test-(Fire Pumps).
Monthly, Completed February 4, 1997.
14952-C. Fire' Suppression System Operability Test.(Fire Pumps),
-
Annually. Completed June 26, 1996. l
-
14956-C, Fire Suppression - 3-Year Flow Verification. Performed i
!
under T-0PER 95-003, Revision 0, Fire Suppression System REA
l VG-2720 Flow Verification Completed October 10, 1995.
-
29227-1 and -2 Fire and Smoke Detector Operational Test (Panel-
l LZIP 2-1813-03-F27. Completed January 22, 1997.
l
-
29231-1 and -2 Fire and Smoke Detector Operational Test-(Panel
LZIP 1-1813-03-F31. Completed October ~'4, 1996.
Ib. Observations and Findinos
The completed fire protection surveillance tests reviewed by the
inspectors had been appropriately completed and met the acceptance
criteria. The test procedures were good. The data obtained and
recorded for each fire. pump included multiple points on the pump curve
~ to verify pump 3erformance. The completed test procedures included an
evaluation of tie test data by the site fire protection system engineer
which provided good technical oversight of the tests on the fire
protection systems.
!
l 'The inspectors noted that the surveillance tests for the two fire
- detector panels included two specific work tasks. These two tasks were
<
initially scheduled to be performed every two years on a staggered test
, basis. One task performed an operability test on the fire detectors
i
,
Enclosure 2
..
l
! . - . -_. _
-
_ _. . _. .- __ . . _ . -_- _ . - . - -
'
! .
,
.
.
i
- 21 -
l -
supplied by the fire alarm panel. The second test included preventive
maintenance and sensitivity adjustments for each fire detector followed
by an operability test. These tests had initially been scheduled on an ,
annual staggered test frequency to meet the 12-month test frequency
specified by Updated Final Safety Analysis Report (UFSAR) Table
9.5.1-10. FP Operability Requirements. Section-1.4.1. 'However, recently e
the staggered test frequency had been changed such that the required >
12-month test frequency was not being aerformed. For example, the time ,
between the current test for Panel LZ13 2-1813-03-F27. com)leted on e
January 22. 1997, and.the previous test com)leted on Novem]er.1. 1994,
was approximately 25 months and 22 days. T1e time between the last two -
tests for Panel LZIP. 1-1813-03-F31, completed on October 4. 1996, and >
the test completed on February 11. 1996, was 9 months but the time
between this test and the previous test completed on June 17, 1994, was
approximately 19 months 11 days.
, Paragraph 2.G of the operating license for Units 1 and 2 requires the l
L licensee to implement and maintain in effect all provisions of the
'
approved fire protection program as described in the UFSAR. The failure
to aerform an operability test at least once 3er 12 months, as required
by JFSAR Table 9.5.1-10. Section 1.4.1. for t1e fire detectors supplied
by these two panels is identified as Violation (VIO)
50-424, 425/97-01-02. Failure to Demonstrate Fire Detectors Were.
Operable at Least Once per 12 Months. ,
The licensee reviewed the current test completion data on the
approximately 60 fire alarm panels installed within the power block and
concluded that there were no current operability concerns. All of the
panels had been tested within the past'12 months. However, the two 24
month surveillances for at least 12 panels had been completed on the
same date or within 30 days of each other. Tnis resulted in the next
!
'
scheduled surveillance for 24 months. This would have exceeded the <
. required 12-month test frequency. The licensee was also reviewing
historical test data to determine if the 12-month test frequency had
been exceeded on additional fire detectors.
c. Conclusions
Appropriate surveillance and test procedures were provided for the fire
protection features. However, a violation was identified due to the
failure to meet the 12 month operability test frequency required for the
j fire detection devices
,
1
2
.
J
l
,
Enclosure 2
t
6.
4
.
- 22 -
l
F3 Fire Protection Procedures and Documentation
.
a. Insoection Scooe (64704)
The inspectors reviewed the following procedures for compliance with the
NRC requirements and guidelines: 1
-
92000-C. Fire Protection Program
-
92005-C. Fire Response Procedure
l
-
92010-C, Control of Ignition Sources I
-
92015-C, Use. Control and Storage of Flammable / Combustible j
Materials l
1
-
92035-C, Fire Protection Operability Requirements l
-
92040-C. Fire Protection Limiting Condition for Operation (LCO) l
Program
Plant tours were performed to determine procedure compliance. i
b. Observations and Findinas l
The above procedures were the principle procedures issued to implement
the fire protection program at Vogtle. These procedures contained the ,
requirements for program administration, controls over combustibles and )
ignition sources, fire brigade organization and training, and l
o)erability requirements for the fire protection systems and features. !
T1e 3rocedures were satisfactory and met the licensee's commitments to I
the VRC.
The inspectors performed plant tours and noted that implementation of I
the site's fire prevention program for the control of ignition sources,
transient combustibles, and general housekeeping was very good.
The coordination and oversight of the facility's fire protection program
s were good and met the licensee and NRC requirements.
c. Conclusions
The fire protection program implementing procedures were adequate and
met licensee and NRC requirements. Implementation of 3rocedures was
good. Control of ignition sources, transient combusti)les, and general
housekeeping was very good.
Enclosure 2
- - - - . - - - - . - - .- - - - - - - .- - -. .. - - ~. -
'
.
!'
.
'
- 23 -
[ .
.
4
] F5 Fire Protection Staff Training and Qualification
- a. Insoection Scoce (64704)
h The inspectors reviewed the fire brigade organization 'and training
program, and the site's fire fighting preplans to determine if these
- were in compliance with the facility's fire' protection program and the.
NRC guidelines and requirements.
~
b. Observations and Findinas
i'
The organization and training requirements for the plant fire brigade
were established by Procedures 92000-C, FP Program, and 92030-C. Fire
Drill Program. The fire brigade for each shift was composed of a fire
j'
'
brigade leader and at least four brigade members from operations. The
fire brigade leader was a shift supervisor or shift support supervisor.
The.other members from operations were plant equipment (non-licensed)
operators.
Each fire brigade member was required to receive initial, quarterly and: l
annual fire fighting related training and to satisfactorily complete an !
annual medical evaluation and certification for participation in fire l
brigade fire fighting activities. In. addition, each member was required
to participate in at least two drills per year. '
'
As of the date of this inspection. there was a total of 35 operations
trained fire brigade leaders and 41 operations personnel on the. plant's - 1
fire brigade .
The inspectors reviewed the training and medical records for the fire l
brigade members and-verified that the training and medical records were
up to date. A well qualified state-certified fire brigade training
instructor and good fire brigade training facilities were provided on
site. I
During this inspection, the inspectors witnessed a fire brigade drill !
involving a simulated fire in a charcoal filter unit on Level 3 of the :
control building. The response of the fire brigade to the simulated ;
fire was good, except for radio communication problems noted between the i
fire brigade leader and fire brigade members. At times the leader's
radio transmissions to the brigade were not received. A critique to
discuss the brigade performance and identified weaknesses was held
following the drills.
c. Conclusions
!
The fire brigade organization and training met the requirements of the
site procedures. Performance by the brigades during a drill was very
Enclosure 2-
.
,
.
- 24 -
good, except for minor radio communications problems between the fire
brigade leader and brigade members. A well qualified state-certified
fire brigade training instructor and good fire brigade training
facilities were provided on site.
F7 Quality Assurance (QA) in Fire Protection Activities
a. Insoection Scoce (64704)
The following audit and self assessment reports were reviewed:
-
0A Audit OP20-96/14 Annual / Biennial FP Audit of June 5, 1996
-
0A Audit OP20-95/15 Annual / Triennial FP Audit of May 1 - 12,
1995
-
NML Inspections Loss Prevention Reports for inspections
conducted June 1996 and November 1996
b. Observations and Findinas
The OA audits of the site's fire protection program were comprehensive
and identified a number of finoings, observations and issues to enhance
the facility's fire protection program. The inspectors reviewed the
audit findings from occh OA report and the corrective actions taken on
the identified discrepancies. These items had been resolved.
c. Conclusions
Thorough audits and assessments were made of the facility's fire
protection program and appropriate corrective actions were taken to
resolve the identified issues.
JF8 Miscellaneous Fire Protection Issues (64704) (92904)
F8.1 FP Related NRC Information Notices (ins)
The inspector reviewed the licensee's evaluation for the following NRC
ins:
-
IN 92-18 Potential Loss of Shutdown Capacity During a Control
Room Fire
-
IN 92-28. Inadequate Fire Suppression System Testing
,
-
IN 93-41, One Hour Fire Endurance Tests Results For Thermal
Ceramics, 3M Company FS 195 and 3M Company E-50 Interim Fire
Barrier Systems
Enclosure 2
- .- . . = - . - - - . ,-
'
,
.
- 25 -
-
IN 94-28 Potential Problems with Fire Barrier Penetration Seals
-
IN 94-31 Potential Failure of WILCO, LEXAN-Type HN-4-L. Fire Hose
Nozzles
-
IN 94-58 Reactor Coolant Pump Lube Oil Fire
-
The licensee's evaluations and corrective actions for these ins were
appropriate, except that the evalcation for IN 92-18 had not been
completed.
The licensee's review of this issue identified a number of UFSAR
discrepancies. Most of these discrepancies were related to 10 CFR 50
Apperiix R safe shutdown components and their performance following an
A3pendix R fire. A number of apoarent errors were identified related tc
t1e safe shutdown components listed in UFSAR Table 9.5.1-1. Following
the identification of these apparent errors in June 1994, the reviewing
organization initiated Licensing Document Change Request (LDCR)
No.94-029, to complete an evaluation and provide appropriate UFSAR
changes to correct these errors. These UFSAR changes to reflect actual
plant design conditions were not made.
Procedure 00402-C. Licensing Document Change Request (LDCR), requires ;
the person identifying plant or licensing discrepancies'to complete LDCR
Figure 1. The originating department manager is required to implement
appropriate action to provide a safety evaluation on the identified
issue. This procedure was issued to provide instructions for making
changes to licensing documents such as the UFSAR. 10 CFR 50.71(e)
requires the UFSAR to be maintained to properly describe actual plant ;
conditions. Revision 5 of the UFSAR was issued September 1995 but did
not address these items. In addition, since an LDCR had not been issued
to address these discre3ancies, the revision currently being made to the .
UFSAR did not include taese changes. The failure to implement the LDCR l
to maintain the UFSAR up to date for these Appendix R fire protection l
issues is identified as Violation 50-424, 425/97-01-03. Failure to l
Revise UFSAR to Conform to As-Built Appendix R Plant Configurations. !
The inspectors reviewed the LDCR Coordinator's logbook and noted nine
additional requests for LDCR change numbers in which appropriate action
had not been taken for resolution. All of these involved items l
identified prior to 1996, as follows: one in 1989, one in 1990, three !
in 1991, one in 1992, three in 1994, and one in 1995. The safety i
significance on these issues were not known since safety evaluations for
- these items had not been completed.
i
.
Enclosure 2
r
.
i
i
__ _ _ . . _ ._ ... __ _ _... _ _ _ . _ _ . _ . . _ _ _ . . _._..m_
. .
s
- 26 -
i
F8.2 (Closed) VIO 50-424. 425/96-09-05. Control of transient combustibles. ;
This violation identified-two examples of inadequate control over the
' storage of combustibles within the plant. The inspector verified that
the corrective ~ action initiated by the licensee on this issue was
complete, appropriate and adequate to prevent recurrence. i
V. Manaaement Meetinas and Other Areas
X Review of Updated Final Safety Analysis Report (UFSAR) :
A recent discovery of a licensee o)erating its facility in a manner
contrary to the UFSAR description lighlighted the need for a special
focused review that compares plant practices' procedures and/or
parameters to the UFSAR descriptions. While performing the inspections
discussed in this- re) ort, the inspectors reviewed the applicable :
portions of the UFSAR that related to the areas inspected. The
inspectors verified that the UFSAR wording was consistent with the >
observed plant, practices, procedures and/or parameters.
X1. Exit Meeting Summary
The inspectors ) resented the inspection results to members of licensee
-
management at tie conclusion of the inspection on March 19, 1997, The !
licensee acknowledged the findings presented.-
The inspectors asked the licensee whether any materials examined during
the inspection should be considered proprietary. No proprietary
information was identified.
' X2' Pre Decisional Enforcement Conference Summary )
.
On March 10, 1997, a pre-decisional enforcement conference was held at
the Nuclear Regulatory Commi:dion (NRC) Region II office to discuss
potential enforcement issues identified in Inspection Report (IR)
50-424, 425/96-14. Discussion focused on configuration control issues
identified in that report as well as others identified over the last
eightecn months.
,
PARTIAL LIST OF PERSONS CONTACTED
Licensee
, J. Beasley. Nuclear Plant General Manager
. B. Brown. Plant Training and Emergency Preparedness Manager
i W. Burmeister.' Manager Engineering Support
,.
{ Enclosure 2
<
~ - .- -. . . .. . . - .. .-
-
. .
.
- 27 -
J. Gasser. Plant Operations Assistant General Manager
P. Rushton, Plant Support Assistant General Manager
S. Chestnut. Manager Operations
K. Holmes. Manager Maintenance
M. Sheibani. Nuclear Safety and Compliance Supervisor
C. Tippins Jr., Nuclear Specialist I
REFERENCED PROCEDURES AND DRAWINGS I
-
Drawing 2X4DB161-1 Revision 24. Condensate Storage and Degasifier
System
-
Drawing 2X4DB161-2. Revision 21. AFW System _
i
-
T-0PER 95-003. Revision 0. Fire Suppression System REA VG-2720 i
Flow Verification
-
Procedure 00402-C. Revision 15. LDCR i
-
Procedure 11610-1. Revision 13. AFW System Alignment )
-
Procedure 11610-2. Revision 15. AFW System Alignment !
-
Procedure 11867-2. Revision 20. Safety Related Locked Valve
Procedure 11881-1/2. Auxiliary Building Round Sheets. !
-
Procedure 14000-1. Revision 57. Operations Shift and Daily '
Surveillance Logs
-
Procedure 14000-2. Revision 41. Operations Shift and Daily
Surveillance Logs !
-
Procedure 14495-2. Revision 3. AFW System Flow Path Verification
-
Procedure 14951-C. Revision 5. Fire Suppression System Operability
Test (Fire Pumps). Monthly
-
Procedure 14952-C. Revision 5. Fire Suppression System Operability
Test (Fire Pumps). Annually
-
Procedure 14956-C. Revision 2. Fire Suppression - 3-Year Flow
Verification
-
Procedure 17017-1. Revision 10. Annunciator Response Procedures
for ALB 17 on Panel 1B2 on Main Control Board
-
Procedure 17017-2. Revision 7. Annunciator Response Procedures for
ALB 17 on Panel 182 on Main Control Board
-
Procedure 24362-1. Revision 10. ESF Chiller Chilled Water Flow
Trains A and B 1F-22425/1F-22426 Channel Calibration
Verification Checklist ;
-
Procedure 29227-1 and -2. Revision 1. Fire and Smoke Detector
Operational Test (Panel LZIP 2-1813-03-F27
-
Procedure 29231-1 and -2. Revision 2. Fire and Smoke Detector
Operational Test (Panel LZIP 1-1813-03-F31
-
Procedure 92000-C. Revision 11. Fire Protection Program
-
Procedure 92005-C. Revision 8. Fire Response Procedure
l
"
-
Procedure 92010-C. Revision 10. Control of Ignition Sources
-
Procedure 92015-C. Revision 14. Use. Control and Storage of
Flammable / Combustible Materials ,
-
Procedure 92030-C. Revision 6. Fire Drill Program
Enclosure 2
L
. .
. .
l
t
- 28 -
-
Procedure 92035-C. Revision 9. Fire Protection Operability
Requirements
-
Procedure 92040-C. Revision 12. Fire Protection LC0 Program
INSPECTION PROCEDURES USED
IP 37551: Onsite Engineering
IP 40500: Effectiveness of Licensee Controls In Identifying. Resolving and
Preventing Problems
IP 52002: Digital Retrofits not Receiving Prior Approval
IP 61726: Surveillance Observations
IP 62707: Maintenance Observations
IP 64704: Fire Protection / Prevention Program
IP 71707: Plant Operations 1
IP 71750: Plant Support Activities l
IP 92904: Followup - Plant Support
ITEMS OPENED AND CLOSED
Ooened l
i
50-425/97-01-01 VIO AFW System Surveillance Not Conducted As
Required By TS (Section M3.1).
50-424, 425/97-01-02 VIO Failure To Demonstrate Fire Detectors Were
, Operable At least Once Per 12 Months
l
(Section F2.2).
50-424, 425/97-01-03 VIO Failure to Revise UFSAR To Conform to As-Built
Appendix R Plant Configurations (Section F8.1).
50-424, 425/97-01-04 VIO Inadequate Testing of 701 Governor - Two ,
Examples (Sections E7.1 and E7.2). !
I 50-424. 425/97-01-05 VIO Failure to Maintain Records of 701 DSC Setpoints
l (Section E7.2). ,
!
- 50-424, 425/97-01-06 VIO 10 CFR 50.59 Unreviewed Safety Question
l Determination for Woodward 701 Governor
(Section E7.4). :
Closed
50-424. 425/96-02-05 URI CST Minimum Water Volume Required By TSs
(section E8.1)
50-424. 425/96-09-05 VIO Control Of Transient Combustibles (section F8.2)
'
Enclosure 2
..,
- - , , . __. . . . . -
'
. . ,
.
- 29 -
LIST OF ACRDNYMS USED
AFW - Auxiliary Feedwater System
CES - Cooper Energy Services
CFR - Code of Federal Regulations
CST - Condensate Storage Tank
dB - decibel
DC - Deficiency Card
DCP - Design Change Package
DG - Diesel Generator
DSC - Digital Speed Control
EMI - Electromagnetic Interference !
'
ESF - Engineered Safety Feature
FP - Fire Protection
GLC - Generator Loading Control
GLS - Generator Load Sensor
I&C - Instrumentation and Controls
IN - Information Notice
ISEG - Independent Safety Engineering Group
IST - Inservice Test
ITS - Improved Technical Specifications
'
LCO - Limiting Condition for Operation
,
'
LDCR - Licensing Document Change Request
MDAFW - Motor Driven Auxiliary Feedwater
MWO - Maintenance Work Order
NPF - Nuclear Power Facility
NRC - Nuclear Regulatory Commission '
NSCW - Nuclear Service Cooling Water
NTS - National Technical System
NUREG - Nuclear Regulations
PE0 - Plant Equipment Operator
l . PDR - Public Document Room
l PRB - Plant Review Board
l OA - Quality Assurance
!
RHR - Residual Heat Removal System
RWST - Refueling Water Storage Tank
SR - Surveillance Requirement
SVVP - Software Verification and Validation Plan
TS - Technical Specifications
1 UFSAR - Updated Final Safety Analysis Report
l URI - Unresolved Item l
!
USS - Unit Shift Supervisor
V&V - Verification and Validation
VIO - Violation )
.
'
WGC - Woodward Governor Company ;
2R5 - Unit 2 Fifth Refueling Outage I
i
4
Enclosure 2 i
4.
-
l
!