ML20138L090
| ML20138L090 | |
| Person / Time | |
|---|---|
| Site: | Pilgrim |
| Issue date: | 02/10/1997 |
| From: | Boulette E BOSTON EDISON CO. |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| BECO-2.97-014, BECO-2.97-14, NUDOCS 9702210037 | |
| Download: ML20138L090 (43) | |
Text
,
i
- I
.W
.e.
h
~
a a--
l Pdgrirn Nuclear Power Station i
Rocky Hill Road I
. Plyrnouth, Massachusetts 02360 ^
l t
i 3
E. T. Boulette, PhD
' Senior Von President - Nuclear February 10, 1997 BECo Ltr. 2.97- 014 l
U.S. Nuclear Regulatory Commission J
' Attention: Document Control Desk Washington, DC 20555 p
Docket No. 50-293 i
License No. DPR-35
~
c i
ResDonse to NRC 50.54m Letter Reoardina Adeouacy and Availability of l
Desian Bases Information i
I Attached is Pilgrim Station's response to the October 9,1996, NRC 10 CFR 50.54 (f) request for information regarding the adequacy and availability of design bases information. This information is l
requested from all operating nuclear power plants to provide the NRC with added confidence that 1
plants are operated and maintained within the design bases and that any deviations are reconciled i
in a timely manner, e
We understand the variables that can affect the design of Pilgrim and have assessed the processes j
and controls associated with maintaining Pilgrim in conformance with the design. Our assessment j
confirms the integrity of these controls and provides us with reasonable assurance that Pilgrim j
Station is operated and maintained within its dasign bases and any deviations are reconciled in a i
j timely manner.
j OLL T
E
?oulette, PhD J
b.g Commonwealth of Massachusetts) c County of Plymouth
)
M0093 1
Then personally appeared before me, E. T. Boulette, who being duly swom, did state that he is Senior Vice President - Nuclear of. Boston Edison Company and that he is duly authorized to execute and file the submittal contained herein in the name and on beha dison n'
Company and that the statements in said submittal are true to the best of his no ledgdgnd,.t l
My commission expires:
L // f 7
/ M
/
DATE NOTARY PUBLIC i J T. ~ ' f* d
~
,A *q 4.y-8 f.
9702210037 970210 P
I Y
PDR ADOCK 05000293 P
PDR g
'=
-, y j s.
" J BEC O Ltr. 2.97-014
. Page 2 i
Attachment:
Response to NRC 50.54(f) Questions Regarding Adequacy and Availability of Design Bases Information.
i cc:
Mr. Alan B. Wang, Project Manager Project Directorate 1-1 Office Of Nuclear Reactor Regulation Mail Stop: 1482 1 White Flint North 11555 Rockville Pike '
Rockville, MD 20852 U.S. Nuclear Regulatory Commission
' Region i 475 Allendale Road King of Prussia, PA 19406
- Mr. S. J. Collins, Director Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission j
1 White Flint North j
11555 Rockville Pike Rockville, MD 20852 Senior Resident inspector Pilgrim Nuclear Power Station s
4 4
,I W
i i
U 1
P r-r w,.,
ww-
J Attachment to BECo Letter 2.97-014 4
Responses to NRC 50.54(f) Questions Reaardina Adeauacy and Availability of Desian Bases Information I
1 I
i t
i i
k 4
f a
i a
s a s.
I Executive Summary i
i The NRC letter of October 9,1996, requests information pursuant to 10 CFR 50.54(f) to L
provide the NRC with added confidence and assurance that Pilgrim Station is operated -
i j
' and maintained within its design bases.
i in responding to.the questions, we have provided a description of our programs and _
processes used to manage the safe operation of Pilgrim Station within its design bases parameters. This description includes the overall set of controls for maintaining the t
structures, systems, and component configuration in conformance with the as-built design, the design change mechanisms, levels of management oversight and '
l
- committee reviews, methods of assessing process effectiveness, and the integrated organizational responsibilities and interfaces associated with implementing the design control processes.
We conclude our controls are effective in maintaining Pilgrim in conformance with the design bases. As part of the methodology used to arrive at this conclusion, a historical review of past audits and assessments was conducted including a review of the Pilgrim i
Station UFSAR. The UFSAR review identified discrepancies, but no issues adversely affecting equipment operability were discovered. However, the overall results indicate that further evaluation of the UFSAR is warranted to fully address the extent of the discrepancies. As such, we will conduct a more detailed in-depth review of the UFSAR in accordance with the NRC revised Enforcement Policy associated with departures from the UFSAR. The scope of this review will be developed and submitted within 60 days following our refueling outage, scheduled to commence on February 15,1997.
Additional areas we intend to explore further include the drawing revision process, configuration information management, and the revitalization of different aspects of our previous design bases reconstitution effort. The scope of activities for these additional areas will be developed by the end of the third quarter 1997.
i i
i I
e vi
c
.s e
Table of Contents Pace A.
Response for Action (a)
A-1 Engineering Organization and Design Control Overview A-1 Design Change initiation A-2 Design Change Development and Interfaces A-2 Design Change Vendor Interface A-4 Calculations A-5 Design Change Drawing Control A-6 Design Verification A-6 Design Change Implementation A-6 Design Change Testing and Turnover A-7 Vendor Equipment Technical Information Program A-7 Safety Evaluation Process (10 CFR 50.59)
A-9 10CFR50.71(e) UFSAR Update Process A-12 B.
Response for Action (b)
B-1 Operations Manual B-1 Operating Procedures B-2 Alarm Response /Off-Normal Procedures B-2 Emergency Operating Procedure (EOPs)
B-3 Maintenance Procedures B-3 Surveillance Testing Procedures B-4 Procedure Change Process B-5 Temporary Procedures B-6 Conclusion B-7 C.
Response for Action (c)
C-1 System, Structure, and Component Configuration C-1 System, Structure, and Component Performance C-2 Conclusion C-4
.i
, 1:
?
Table of Contents (Cont.)
Paae D.
Response for Action (d)
D-1 Problem Identification Methods D-1 I
Self-Assessment D-1 Problem Report Program D-2 initiation D-2 i
e e
Assessment D-3 Cause and Corrective Action Determination D-3 i
Nuclear Safety Concern Program D-4 Quality Assurance Oversight D-5 Documentation of QA Problems D-6 Deficiency Reports (DRs)
D-6 Nonconformance Reports (NCRs)
D-6 E.
Response for Action (e)
E-1 F.
Response for Action (f)
F-1 Discussion of Past DBR Efforts F-2 System Design Specifications F-2
)
Engineering Design Standards Manuals F-3 Archival Document File F-3 e
j Results of Effort F-3 e
Current Status F-3 1
jt Action (a): Description of engineering design and con 6guration controlprocesses, l
. including those thatimplement 10 CFR 50.59,10 CFR 50.71(e), and Appendix B to 10 -
1
- CFR Part 50.-
Response
- This section describes the engineering design and configuration control processes Jused at Pilgrim Station in compliance with 10 CFR 50, Appendix B. An overview of the engineering organization and the design change process is provided followed by more j
detailed descriptions of the design change process. The 10 CFR 50.59 safety evaluation process and _10 CFR 50.71(e) UFSAR update processes are described separately.
l
' l. Enaineerina Oraanization and Desian Control Overview '
]
LAt Pilgrim Station, the engineering organization is organized into traditional technical L disciplines. The following departments comprise the engineering staff reporting to the 1
. Group Manager of Nuclear Engineering Services: the Mechanical & Civil Structural i
Engineering Department, the Electrical Engineering Department, the Instrumentation &
Controls Engineering Department, and the Systems & Safety Analysis Department.
1 t
i System engineers are integrated into most technical departments. The entire engineering organization _is physically located on-site and provides support and j
L technical assessment functions for plant operations and maintenance staffs. The l
engineering organization has responsibility'for design modification, configuration, and documentation. For modifications, engineering assigns a lead engineering discipline j
with involvement from other engineering disciplines as determined from the scope of the modification.
I
' Additionally, Pilgrim employs system engineers that are part of the engineering staff.
The system engineer is responsible for the physical condition of the assigned systems 4
and typically coordinates oc is present during the' performance of surveillances and routine maintenance. The system engineer maintains a high level of technical proficiency for his system, evaluates system performance, performs root cause l.
- analyses for system problems, maintains trends of important system parameters, j
conducts periodic system walkdowns, and ensures system physical condition is j
t
[
maintained in support of the Maintenance Rule requirements.
j l
The design control process at Pilgrim is modeled after the guidance given in ANSI
-.N45.2.11, " Quality Assurance Requirements for the Design of Nuclear Power Plants" -
l1974. Generally, the majority of modifications are performed in-house. Detailed l
. procedures are in offect that describe the technical and management control processes l
for initiation,' development, review, approval, implementation, test, turnover to l
operations, and close-out of permanent and temporary modifications. Responsibilities l
of involved design disciplines and the means of technical information interface (both internal and external) are clearly outlined. Changes to procedures governing the
_ design control process are reviewed and approved by the Nuclear Engineering Group
^ and the Quality Assurance Group to ensure necessary control elements are A-1
,v.-
p n aintaineds Management review of program adequacy, review of internal and extemal audits, and review of corrective actions provide continual verification of design control.
7
) ll'. Desian Chanae Initiation p
. Pilgrim uses administrative procedures to initiate and approve funding for.
modifications; For major modifications, preliminary design inputs are solicited from related design disciplines, as well as operations, maintenance, radiological protection, 4
[
and other interfacing organizations. These disciplines determine the most beneficial
-l solution considering such issues as the extent to which the initial problem is resolved,
^J E
the impact on plant operators, maintainability, ease of construction, testing, future dose 1
impacts, impact on functional requirements and safety analyses, and cost. The 1
j-
_ proposed modification request must then be approved by an oversight committee of i
group managers.
.l' e
}
Smaller scope modifications represent the bulk of the total number of modifications.
-l These changes may be initiated by the corrective action process; requests from operations, maintenance or other departments; or management initiatives. Conceptual f
i scope definitions are either informally discussed or are clear enough to not require further discussion on scope.
i l
lil. Desian Chanae Develooment and Interfaces h
After preliminary scope and conceptual approval, detailed design criteria inputs are assembled by the responsible cognizant engineer. For large scope, multi-discipline 2
modifications, a modification team typically assembles the inputs. Operations, l
- i maintenance, licensing, planning, the cognizant system engineer, and affected design disciplines are represented as well as other, less frequently impacted organizations as required (e.g., security, reactor engineering). Procedural checklists are used to prompt L
consideration of the full range of criteria such as equipment operational and safety i
functions, codes and standards, operating conditions and performance requirements, environmental loads (seismic, radiation, temperature, wind, etc.), system and support system interfaces, materials, separation, fire protection, UFSAR and licensing commitments, Technical Specifications, and quality requirements. These criteria are j
identified and assembled by review of system design basis documents, the UFSAR, l
applicable NRC safety evaluation reports and Pilgrim licensing commitments, affected specifications, drawings and calculations, Regulatory Guides, NUREGs, and other similar documents.
The final criteria are documented and approved in the modification package. Major
- modifications to the design or NSSS analyses are performed with direct interface and support as necessary by the. NSSS supplier (please refer to Section Ill.A for further
- discussion of specifying and accepting supplier design documentation).
j With the criteria determined, the necessary calculations and analyses are performed.
- In cases where the original _ design input is not available, it is the preparer's responsibility to either retrieve the relevant design basis information or sufficiently re-A-2
~
e
. a o
create it (please refer to Section 111.8 for further discussion of the design calculation process). Inputs, assumptions, and methods are tested for conservatism and consistency with design and licensing bases. The purpose and limits of the analyses are clearly stated to ensure the results are used correctly. Related analyses are reviewed for impact and revised as necessary. The final calculations and analyses are then reviewed and approved by the cognizant department manager or designee.
Detailed design output documents can then be prepared. Impacted documents are identified such as drawings, specifications and data sheets (please refer to Section Ill.C for further discussion of the drawing control process). Each design discipline develops an " interim design" revision to the affected documents which form a part of the modification package. Current as-built documents are annotated in the document control system to identify pending modifications.
When each design discipline has completed preparation and independent review of design documents and analysis of design adequacy, the information is assembled in a single modification document (please refer to Section Ill.D for further discussion of design verification). The modification package also provides a narrative on the reason for and description of the change, the safety and quality classification, system boundaries for the change, detailed analysis of the adequacy of the design relative to the input criteria, a bill of materials, a safety evaluation or review, preliminary assessment of impact on operating, surveillance, and maintenance procedures, detailed installation instructions, ALARA considerations, post-modification testing requirements, and final acceptance criteria.
Multi-discipline (or otherwise significant) modifications are reviewed, at the discretion of the engineering group manager, by a Design Review Board (DRB) consisting of department managers (or designees) from each design discipline. The purpose of this board is to provide an additional review of the modification and its safety evaluation to ensure final comments and revisions have been properly addressed. This is an integrated senior level review of the design change package and its impact on safety and the station. The DRB recommends approval to the Nuclear Engineering Services Group Manager. Upon approval by the Nuclear Engineering Services Group Manager or Deputy Manager, the design change is routed to various station departments for review of impact on procedures, training, and adequacy. Comments are forwarded to the cognizant engineer for resolution.
Finally, the modification package is reviewed by the Operations Review Committee (ORC) as required by Technical Specifications. The ORC consists of senior experienced plant staff, at the manager level or equivalent, representing each of the following disciplines: plant operations, plant maintenance, plant technical, reactor engineering, radiation protection, and chemistry. The cognizant engineer presents the modification package to the ORC and provides additional insight and responses to questions from the ORC members. ORC reviews the design change for impact on nuclear safety and provides a recommendation for approval to install the modification to the Vice Prssident-Nuclear Operations / Station Director. If approved, the package is issued as a controlled document for implementation.
A-3
3 i A temporary modification is defined as any short-term alteration made to plant systems, structures, or equipment that changes a controlled design document and is not intended to be made permanent. Temporary modifications undergo the same design process as permanent modifications to ensure a complete technical review is performed including a 50.59 safety evaluation if necessary. A Temporary Modification Documentation Package is prepared and a Temporary Modification Status Log is j
maintained by the administrative assistants in the control room annex. Once the temporary modification is removed, the log is updated, and the equipment is restored to the original configuration.
Ill. A.
Desian Chanae Vendor Interface The process for procuring items or services is specified in engineering procedures.
Safety-related items or services are procured from suppliers on the Quality Assurance Group's Approved Suppliers List. Alternatively, a safety-related item may be procured from a non-approved supplier if it is subsequently dedicated and meets the criteria for a commercial grade item. Typical information contained in the purchase order includes a description of the item or the scope of services, the quality assurance requirements, and the method of acceptance. If significant engineering or quality documentation is to be provided by the supplier, then it is specified in the purchase order. The documentation required is determined by the information needed by engineering to fulfill its responsibilities, the degree of control exercised over the supplier's work process, or the level of quality assurance required from the onset of fabrication. An engineering specification may also be used in the procurement process to establish technical and quality assurance requirements and acceptance criteria for a given activity, system, structure, component, or consumable. When the supplier agrees to the terms and conditions of the purchase order and the item or service is offered for acceptance, the method of acceptance as specified is followed. This method could be receipt inspection, certificate of conformance, technical verification, source inspection, or a combination of all of these. Typical requirements provided for revievdng vendor-supplied design documentation may include:
Review for consistency with the conceptual design Conformance to referenced codes, standards, and regulatory requirements Appropriateness of any assumptions Conformance with the procurement document Conformance with equipment interlocks, protective features, local instrumentation, and remote instrumentation interfaces to specified requirements Confirmation of the existence of specified design margins A-4
-)
.,., a; i
Test and inspection reports and material certifications for traceability and '
consistency of acceptance criteria with other design documents
{
Conformance with the specified' design life or the number of cycles
.j e
t During review of the design documents, discussions with the supplier usually arise. A summary of important findings are included on the review form. Comments requiring revisions to the supplier document are formally transmitted in writing. The revised document undergoes the same review process.
f lil.B Calculations Calculations are prepared, reviewed, approved, and controlled in accordance with an engineering procedure. This procedure incorporates the requirements of the Boston l
Edison Quality Assurance Manual and ANSI N45.2.11-1974 and provides detailed j
guidance for calculation preparers, reviewers, and approvers.
j i
i When preparing a design change calculation, it is the responsibility of the preparer to either retrieve the relevant original design analysis / calculation and revise it to reflect areas affected by the design change or create a new design analysis / calculation. The procedure requires a problem report to be issued if a calculation identifies a deficient i
condition (see response to Action (d) for information on problem reporting process).
l Calculations are reviewed to ensure the calculation does not change an assumption or other information contained in the UFSAR. Such a change would require a 50.59 1
safety evaluation. The calculation preparer also determines if the calculation affects
]
.the existing piping analysis for safety-related piping systems. If it is found that a piping analysis is affected, the preparer. is required to initiate a revision to the piping analysis to incorporate the current information. Safety-related computer calculations are performed using codes that are documented and qualified in accordance with an engineering procedure on computer code qualification.
Calculations involving safety-related components, structures, and systems are independently verified in accordance with the design verification process. Revisions to calculations are subject to the same checking, review, and approval requirerrents as those imposed upon original calculations. Revised calculations are reviewed in their j
entirety to determine areas affected. Only those portions of a calculation determined to be affected are required to be checked, verified, and reviewed in detail. Revised calculations are forwarded to all personnel noted on the distribution of the onginal issue of the calculation. In order to change the distribution, a memo from the cognizant department manager is issued documenting the change. Any individual being added to or deleted from the distribution list is included in the distribution of the memo. The
. originals of prior calculations are retained for historical purposes and are identified by marking " SUPERSEDED" on the cover sheet of the calculation and in the " Remarks" j
(
A-5 i
c :.
, n
.j
. column of the applicable calculation index. The index page on which the superseding revision is 9ntered is also indicated.
i lil.C Desian Chanae Drawino Control Design change drawings are prepared, revised, and controlled by an engineering procedure. The cognizant engineer for a design activity is responsible for revising
'affected drawings, if the drawing is safety-related, the change requires an independent verification by a qualified individual. Once approved by the respective department -
manager, the drawing can be released for field implementation. Once construction is l
complete and field rsvisions are reflected on the drawing, it is ready to be revised.
Priority A drawings (dniwings needed to efficiently operate and maintain the station) l are revised and issued for use prior to turning over the equipment to operations. If not, an update schedule is craated. Drawing revisions require the same level of review and approval as the original. A Drawing Change Notice is issued for drawing revisions that occur outside the design change process, such as, a change to a Piping and Instrumentation Drawing (P&lD).
i Ill.D Desian Verification An engineering procedure exists that establishes methods for design verification. This procedure satisfies the Boston Edison Quality Assurance Manual for independent design verification of all safety-related systems, structures, and components. When an engineer has completed a calculation, analysis, or other design activity, an independent design verification is requested. The department manager determines the method of independent design verification to be done. A qualified person other than 4
the originator or engineer involved in the design activity is assigned. Cursory l
supervisory reviews do not qualify as independent reviews. Acceptable verification methods include but are not limited to: design review, alternate calculation, or j
qualification testing. The results of design verification efforts are required to be clearly l
documented and auditable against the verification methods. The department manager ensures all comments are resolved to the satisfaction of the independent reviewer.
The cognizant engineer ensures all comroents of the independent reviewer are included in the design document.
i 5
l IV. Desian Chance implementation Modifications are implemented by the maintenance organization or their approved i
4 designee or contractor. The same work control process used to perform corrective and preventive maintenance is used to implement the modifications. A maintenance request is written,' and a team consisting of a maintenance supervisor, a work package j
planner, and the applicable system engineer is assembled to prepare the detailed
)
implementation plans.-
i Changes to the design can be initiated by field workers or the cognizant engineer.
Minor changes can be made by issuing another " interim design" revision to affected j
. design documents with an appropriate assessment that documents the design A-6 2.
,t adequacy meets the original modification package criteria. This field revision notice (FRN) is reviewed and approved by the lead design discipline with input and approval from other disciplines as appropriate. If the safety evaluation is not affected by the minor change, the Design Review Board and Operations Review Committee may be waived. If the safety evaluation is affected, or if the scope of the modification changes significantly, the minor change is considered a major change, and ORC review is required. A DRB review is discretionary.
Minor design changes involving a single enciaeering discipline also can be made through the " Standing Plant Design Change" (PDC) process. FRNs are used and recorded within each discipline's standing PDC. Administrative limits on the scope of design changes that can be installed using this process are documented in the standing PDC.
A Senior Reactor Operator approves the start of all field work. This assures that necessary LCOs, fire and security watches, tag outs, and system impacts are controlled and operators are aware of what work is being performed.
V.
Desian Chance Testina and Turnover When the implementor completes field construction, engineering and operations are notified so that post-modification testing may begin. Depending on the extent of the modification, a detailed test procedure is prepared by engineering, reviewed by ORC, and approved by the responsible manager. This procedure reflects the testing requirements and acceptance criteria outlined in the modification package. The test proceduiu verifies that the design functions satisfactorily.
In parallel with the testing effort, plant procedures, Priority A drawings, vendor manuals, and other affected documents are updated and issued in a final version to reflect the completed modification unless waived on the turnover form for update later.
l Training of operators and other personnel as needed is performed. When testing, documentation update, (unless waived on the turnover form) and training is complete, the modification is formally accepted by operations and placed into service. Non-priority A drawings such as piping isometrics, data sheets, and detailed wiring diagrams do not require updating for operations acceptance. Users of working copies of these drawings are notified via the controlled document database that outstanding modifications exist for these drawings until the update revisions are made. The changes to these drawings are available to the user.
VI. Vendor Eauipment Technical information Proaram This proceduralized program contains requirements for controlling vendor manuals and performing periodic interface with equipment vendors to verify adequacy of technical information contained in vendor manuals. Information potentially affecting vendor manuals is received from various sources including but not limited to: Part 21 notices, vendor information, operating experience, design change process, and operations and maintenance feedback. Whoever receives information potentially affecting vendor A-7
)
, e manuals is required to forward that information to the manual owner or to the engineering manager if they do not know the owner. The affected pages of the manual are marked up and attached to a vendor manual change request which is numbered and entered into a tracking database. The change is evaluated for applicability, i
conformance to specifications, accuracy, and adequacy.. Other controlled documents that may need to change are also identified, and appropriate revisions are submitted. If a change occurs to a vendor manual due to action by Pilgrim personnel, then the vendor is contacted and any issues are resolved.
Vendor interface is required for safety-related vendor manuals prior to use if more than two years has elapsed since the last vendor interface. If emergent priority work arises, vendor manuals may be used at risk as long as the vendor interface is performed as soon as practical. Vendor information obtained from the interface is documented and i
included in the manual.
I 1
4 1
0'
[
1 i
i 4
i l
9 e
4 A-8 e
w
-v
.r--
o.
.t Vll. 50.59 Safety Evaluation Process The Pilgrim Station design and the procedures or tests described in the UFSAR may be changed if the change does not involve an unreviewed safety question or a change to the Technical Specifications. Tests or experiments not described in the UFSAR may also be performed if the tests or experiments do not involve an unreviewed safety question or a change to the Technical Specifications.
A safety evaluation is performed to confirm whether or not the design change, procedure change, test or experiment can be safely installed, operated or performed as applicable. The safety evaluation also fulfills the 10 CFR 50.59 evaluation requirement by providing the basis for determining whether an unreviewed safety question exists.
The procedure governing safety evaluation preparation applies to tests, experiments, design changes or changes to procedures for safety-related systems and components, and other systems and equipment as required for the continued safe and dependable operation of the station.
The procedure is patterned after NSAC-125 and establishes a two-part safety review j
process that includes a preliminary evaluation to help identify those specific changes, procedures, tests and experiments that are subject to a safety evaluation in accordance with 10 CFR 50.59, and the instructions for completing the safety evaluation itself. The preliminary evaluation is documented in the preliminary evaluation checklist (PEC), and j
it is used for the following.
j Procedure revisions where the procedure being revised is identified as Safety Review Required (a term used to identify station procedures that contain procedural steps or requirements identified in the UFSAR, or is a test or experiment not described in the UFSAR) j Major revisions to an existing procedure (such as a change affecting a regulatory commitment)
Any new procedure Plant design changes and field revision notices Operability evaluations Calculations Temporary modifications Other documents such as problem reports or nonconforming or degraded conditions,if appropriate i
i A-9 l
.t The PEC questions if the item modifies plant characteristics or procedural steps described in the UFSAR, affects the design, affects the function (directly or indirectly),
or affects the method of performing the functions of systems, structures, or components described in the UFSAR, defeats an Engineered Safeguards Feature (ESF) or systems interlock, creates a new test not described in the UFSAR that could affect safety, changes assumptions in the station accident analysis, affects the safe shutdown ability of the station in the event of a fire, or affects radioactive waste systems.
If any of these questions is answered affirmatively, a 50.59 safety evaluation is required. Before an individual is allowed to perform a 50.59 evaluation, the individual must be trained by nuclear training personnel in the safety evaluation process. It is the responsibility of the department manager to assign safety evaluation preparation to qualified personnel and to ensure safety evaluations are properly performed and resulting determinations are technically complete and accurate.
When performing the evaluation, the preparer is directed by procedure to compare the proposed change with specific plant design bases, system design bases, transient and accident events, and system descriptions and safety analysis results described in the UFSAR, and/or Technical Specifications bases. Potential consequences of failures that might occur under unique conditions created by a test, experiment, or installation procedure should be consistent with those in the UFSAR or license requirements.
Additional specific criteria to be considered for modifications of the design or operation of radioactive waste systems or the fire protection program are delineated in the procedure.
The preparer is expected to use a standardized format for documenting the analysis.
The standard format is:
Description of Change j
Purpose of the Change i
Systems, Subsystems, Components Affected Functions of Affected Systems / Components Effect of Change on Functions Analysis of Effect of Change on Functions j
Summary explanation for why each of the questions in 10 CFR 50.59 is satisfied Extensive guidance is contained in the procedure on how to complete the applicable sections of the evaluation. The initiator is also directed to attach the preliminary marked-up pages of the UFSAR text, tables, or figures showing the proposed changes, or to prepare a new section if the change is an analysis of a new safety issue.
Once the evaluation has been prepared, it must undergo a review and approval process. The procedure directs reviewers and approvers not to sign a safety evaluation unless they have read all parts of the evaluation; carefully considered all the facts, conclusions and determinations; considered themselves qualified to make the A-10
'l
o..
Judgments; and concur that the consequences to nuclear safety are carefully considered.
The discipline department manager reviews, approves, and ensures the technical completeness and accuracy of the safety evaluation. If another discipline (s) has major input into the proposal, they also review and approv3 the evaluation. Nuclear engineering safety evaluations are also reviewed and approved by the Systems and Safety Analysis Department. This department is most cognizant of the safety design bases described in the UFSAR.
Once the required reviews and approvals are obtained, the safety evaluation is forwarded to the Operations Review Committee (ORC). The ORC is required to determine independently if an unreviewed safety questions exists. The criteria for determination of an unreviewed safety question are the same as those delineated in 10CFR50.59(a)(2). If an unreviewed safety question exists, then a request for authorirstion of the change must be submitted and approved by the NRC prior to implementation. The change is not approved for implementation until the ORC has reviewed the safety evaluation and concurred with its contents.
Safety evaluations reviewed by the ORC are forwarded to the Regulatory Affairs Department for inclusion in the annual 10 CFR 50 59 (b) report and forwarded to the Training Group to determine the appropriateness of training. Safety evaluations not associated with a PDC or FRN are given additional distribution to the plant managers so that procedures, training, and other relevant activities can be reviewed and updated as necessary to reflect the change.
l An additional review of safety evaluations is performed by the Nuclear Safety Review and Audit Committee (NSRAC). The NSRAC consists of senior level, experienced i
individuals, many of whom are not employed by Boston Edison Company, who review safety evaluations from a broad industry safety perspective.
A-11
e, 2 -
- Vlli. 10 CFR 50.71 (e) UFSAR Update Process -
The UFSAR update is a proceduralized process.
The UFSAR is updated annually to include the effects of changes in the facility or
_ procedures as described in the UFSAR. Safety evaluations performed either in support of requested license amendments or in support of conclusions that chenges did not involve'an unreviewed safety question and all analyses of new safety issues performed at NRC request are reflected in the update.
- A UFSAR Change Request Form is used to docurnent changes and corrections to the UFSAR. Use of this form ensures proposed changes and applicable analyses are properly reviewed, dispositioned, tracked, and documented against the UFSAR. A UFSAR Change Request Form is initiated for every 50.59 safety evaluation not associated with a Plant Design Change package that has been reviewed by the ORC.
For PDCs and associated major FRNs with 50.59 evaluations, preliminary UFSAR changes are attached to the 50.59 safety evaluations. Once the PDC is completed (all applicable design c'~:9ments updated), a UFSAR Change Request Form is processed to reflect the change. The form is also used to document other changes and corrections to the UFSAR.
The originator of the UFSAR change completes the UFSAR Change Request Form and attaches marked-up copies of the applicable UFSAR pages. If a PDC is involved, the originator attaches a copy of the design change narrative, all 50.59 safety evaluations associated with the PDC, and a copy of the form that documents the closure of the PDC.
The originator's department manager reviews the change for accuracy and content, obtains review by any supporting departments, and forwards the change request to the Systems and Safety Analysis (S&SA) Department Manager if a 50.59 safety evaluation i
is involved. The S&SA Manager reviews the change request for accuracy and content and forwards it to regulatory affairs. Foi technical corrections (changes not associated 4
with the 50.59 process), the change request can be transmitted directly to regulatory affairs.
The Regulatory Affairs Department is responsible for updating the UFSAR. This i
department receives UFSAR change requests, assigns each a unique identification number, and logs the number into a UFSAR Change Request Log. A regulatory review j
is conducted to ensure accuracy relative to the licensing basis. Any discrepancies are resolved with the originator. Approved UFSAR changes are incorporated into a final UFSAR update.
p 1
4 A-12
~
i y >. a 19 '
Action (b)L The rationale for concluding that the design bases requirements are
~
translated into operating, maintenance, and testing procedures l
l
Response
l i
This section describes the Pilgrim Station process for incorporating and maintaining design bases requirements in the station operating, maintenance, and testing
- procedures. An overview of the procedures that make up the Operations Manual is provided as well as the controls governing their use and revision.
t
- 1. Operations Manual l
The operating, maintenance, and testing procedures, as well as, the station
- administrative policies have been written to meet or exceed the requirements of
- sections 5.1 and 5.3 of ANSI N18.7 - 1972 and 1976, and Appendix A of Regulatory l Guide 1.33. These documents define, describe and delineate the responsibility,
+
methodology, and procedural actions necessary to accomplish various tasks at the plant. The Operations Manual is a comprehensive set of procedures covering all piant j
disciplines including administrative, operations (normal, off-normal, emergency),
radiological, chemistry, maintenance, surveillance testing, and reactor engineering.
f i
New or revised procedures are reviewed to determine whether a change to a controlled design document is required. Permanent changes to the station configuration must i
have their associated design document approved prior to issuance of the new or revised procedure. With the exception of station administrative procedures, new or i
p revised procedures receive technical reviews and validation to confirm operational
[
correctness, usability, and technical accuracy. A detailed set of proceduralized criteria is used to validate the procedure.
l i
In 1988, Pilgrim Station commenced a procedure upgrade project to bring the quality, technical accuracy, level of detail, and human factors of the procedures comprising the i.
Operations Manual up to the highest standards of the industry. The UFSAR, vendor manuals, Technical Specifications, and industry standards served as some of the source documents for this project. In addition to the goal of improving the procedures, j
the upgrade established clear procedure ownership.
i L
. Since the onset of the upgrade program, additional improvements have been enacted to continually refine and ensure the plant's procedures are accurate, usable, and reflect the design bases.,- For example, the individual assigned as a " Technical Reviewer" for a new or revised procedure receives formal training and must complete an exam prior
_to being qualified to perform the task. It is the person assigned as the " Technical
- Reviewer", working from a checklist'of attributes, who ensures the technical accuracy
' of the Pilgrim _ Station procedures. Another enhancement requires commitments to outside or internal organizations be explicitly annotated in the procedure to eliminate the possibility of inadvertent deletion or revision of the commitment.
i B-1
- +1 2.
u-.
-.J..
4 fo
- a l
Review of operational, maintenance, and surveillance procedures occurs on a regular -
i Sasis. A formal two year review of all procedures, which serve to meet the
_ requirements of Appendix A of Regulatory Guide 1.33, is conducted. Procedures are reviewed throughout initial and requalification training of licensed and non-licensed l
operators. The maintenance, chemistry, and health physics procedures receive similar reviews through training and on-the-job application. Any deficiencies that become l
apparent through classroom, simulator, or in-plant training and use are identified for resolution.
i l.A Ooerstina Procedures Pilgrim Station's operating procedures are written at the system level for all plant 7
systems. Each procedure contains, as a minimum, a general discussion of the system's i
purpose / function, design data, administrative / regulatory limitations, precautions, _
procedural steps, and component lineup checklists. These procedures are utilized by 4
. operators to lineup and operate the plant's numerous systems during normal plant l
}
evolutions.
l i
The procedure upgrade program closely scrutinized the format and technical accuracy.
l of the operating procedures. Piping and instrumentation drawings, along with electrical drawings, were reviewed to verify that the component lineups were in accordance with the design documents. The pertinent Technical Specification requirements for each i
system were delineated in the procedure's beginning sections. The system operational requirements were also examined to verify correctness and usability.
i 1.B. Alarm Response /Off-Normal Procedures l
l The Pilgrim Station Alarm Response Procedures (ARPs) were also upgraded in 1988.
This extensive effort resulted in a distinct procedure for each annunciator window.
L Alarm setpoints were reviewed against the design information or calibration reference L
available at the time. Design documents are included as references for every alarm i
window providing operators the necessary information to rapidly diagnose problems.
L Additionally, the station recently completed, in 1995, a complete replacement of the l
control room annunciators as determined from the control room design review. This l
massive effort required operations and engineering personnel to work closely so that j
the ARPs correctly reflected the new design.
' Off-normal procedures have been created to capture required operator actions in
' response to specified transients. Design parameters and limitations are integrated throughout the off-normal procedures. These procedures were reviewed and validated during the proceoare upgrade program and are regularly exercised during initial
[
operator training and requalification cycles. Because these are among the most l
scrutinized procedures during simulator training sessions, off-normal procedures are frequently. reviewed.
[
B-2 e
lp
'.t j
1.C. Emeroency Operatina Procedures (EOPs)
]
The EOPs were developed from Revision 4 of the BWR Owners' Group Emergency-Procedure Guidelines (EPGs). The EPGs were submitted to the NRC Staff and a i
i Safety Evaluation Report was issued. The EOPs specify symptomatic operator actions i
that maintain the reactor in a safe condition and optimize plant response irrespective of
]
the initiating event.
l 5
l The EOPs are designed to be effective for both design basis events and those that J
exceed the Pilgrim design basis. Limits are included within the EOPs that establish the boundaries within which continued safe operation of the plant can be assured for both types of events. The design basis information and calculated limits utilized to create l
[
the EOPs are controlled via the Plant Specific Technical Guidelines (PSTGs). The PSTGs serve as the " bridge" between the generic EPGs and the Pilgrim EOPs. This
- document includes a justification for any deviation from the EPGs as well as all j
calculations utilized to create the graphs and parameter limitations of the EOPs.
i Procedures exclusive to EOPs are used for verifying, validating, and revising new l
l EOPs, or changes to existing EOPs.
i-The Pilgrim EOPs were the subject of a special NRC inspection (50-293/88-11) in 1988..The inspection team issued no violations and noted no deviations as a result of l-the inspection. The team concluded that the EOPs were implemented in accordance j
with the plant's Procedure Generation Package and revision 4 of the generic EPGs.
j Operators have and will continue to receive extensive training on the use of the EOPs.
l.D. Maintenance Procedures The maintenance organization is subdivided into two distinct areas, Mechanical / Electrical and Instrumentation & Controls (l&C). The procedures used by I
the maintenance mechanics and IRC technicians govern disassembly, repeir, j
calibration, assembly, and testing of the various components and systems at the station. The procedures range from detailed instructions on calibration of various components to the checklists necessary to disassemble and reassemble the reactor for l
refueling operation. All maintenance activities are performed utilizing approved procedures, controlled drawings, and instructions that comply with applicable codes i
and standards.
L The maintenance program's primary focus is to maintain the plant's configuration in L
conformance with the design basis. This is done by ensuring that when repairs are j
made, the component / system is returned to the configuration required by the currently 3
approved design documents. If the maintenance activity involves implementing a modification, the system is returned to service reflecting the new configuration as specified by the Plant Design Change (PDC) package.
I in contrast to the way in which operational procedures are performed as " stand alone" documents, maintenance procedures are almost always part of a planned work j
package. As a result, maintenance procedures receive a review against various design B '
.[
^i f 1-documents prior to implementation.. In putting together a maintenance package, the planner must review design documents and vendor information against the procedure j
to ensure the activity is comprehensively planned. While it is not the function of the work planner to perform procedural reviews, the process results in this additional -
e benefit.
l.
Minor and major maintenance activities are procedurally differentiated. Minor
^
maintenance is defined as troubleshooting, investigative work, and repairs for. hardware deficiencies that are easily corrected and do not affect the ability of a system to perform l
l its safety-related function. For a repair to be considered minor, it must not involve a plant design change, and all replacement parts must be "in-kind" (i.e., identical).' Major l
- maintenance requires the creation of a work plan to sequence the work. Plant design changes are processed as major maintenance activities.
1 E. Surveillance-Procedures (Testina Procedures) i
- Surveillance procedures fall under the same controls as described above for the other
{
station procedures within the Operation Manual. In addition, surveillance procedures have undergone several upgrade efforts in response to various regulatory initiatives over the past ten years. Three significant efforts are summarized.
t I
The surveillance procedures for safety-related pumps and valves were rewritten in their entirety in response to Technical Specification Amendment No.149, which formally invoked ASME Section XI testing. The limitations for operability of these components,
' as required by their design basis, are more stringent than before. The design basis limitations to which these components are now tested originate from and are maintained by the Nuclear Engineering Services Group. Procedures which serve to implement in-service testing (IST) requirements are labeled as such and cannot be changed without receiving an engineering review.
in msponse to Generic Letter 89-10, motor operated valves (MOVs) are also tested to ensure they will function under all plant conditions for which they are required to operate. In many cases, motor operators have been replaced with ones that can 3
develop more thrust to overcome worst case differential pressure conditions. Using 4
design data developed by the Nuclear Engineering Services Group, test procedures and techniques for MOV testing were created and are implemented by the operations 2
' and maintenance personnel.
T in response to an NRC inquiry regarding the adequacy of the logic system functional tests (LSFT) in meeting the requirements of the Technical Specifications, Pilgrim committed to a review of safety-related systems to ensure the requirements for LSFT 3
. are met. Deficiencies were noted during the review and were corrected through the procedure change process. Procedures that implement the logic system functional testing requirements are labeled as such and cannot be changed without receiving a LSFT review.
i y
B-4 i
m
,m
,,.m_
,.r
, d
L o f *( 3 '
c For each of these activities, the procedures for testing plant equipment have been i
closely scrutinized to ensure that design basis requirements have been adequately captured.
II; Procedure Chanae Process l
1 The Operations Manual is a living document. Changes to the procedures contained in j
~
' the manual may only be made under strict administrative controls. In order to permit i
the ability to effectively modify the individual procedures contained in the manual, l
t j
various types of procedural modification processos have been established.
q Pilgrim's operating, maintenance, and testing procedures are created, changed, and :
l
_ maintained in accordance with the requirements of a governing procedure. This i
. administrative procedure, by virtue of its rigorous requirements for review, verification, 1
- and validation, ensures changes to the plant's _ design basis are appropriately translated j
into the station's operating, testing, and maintenance procedures. A brief description of s
the procedure change process, level of review, and organizational interfaces follows.
New procedures, or those which meet the requirements to be considered a " major i
revision", undergo a safety review, technical review, and validation prior to approval.
A major revision classification is typically one that requires a 50.59 safety evaluation; changes critical step-by-step instructions; adds, deletes, or revises Technical Specification requirements or regulatory commitments; requires system prerequisite j
conditions or acceptance value criteria; or, in the opinion of the procedure owner, the revision warrants classification as a major revision. The safety, technical, and validation reviews are performed by qualified individuals in the subject discipline, and they ensure the proposed new or revised procedure does not introduce an unreviewed safety question, is technically accurate in accordanco with the appropriate design limitations, is easily usable, and is compatible with field conditions. In addition, based L
on the nature and scope of the procedure change, the procedure owner ensures the
[
. new or revised procedure receives any or all of the following reviews as appropriate:
ALARA review e
[
in-service Testing review e
L Emergency Planning review Nuclear Engineering Services Group review Quality Assurance review F
e Master Surveillance Tracking Program review e
When satisfi$d the noted reviews are complete, the procedure owner approves the new/ revised procedure, and if the procedure falls within the requirements of Technical Specification section 6.8, " Procedures", requests the Pilgrim Operations Review L
Committee (ORC) review it during their next formal meeting. When reviewed and recommended for approval by the ORC, the procedure must be approved by the responsible organization's department manager prior to being implemented.
B-5
n.
The modification process stipulates that all plant design change packages undergo review by the Operations and Maintenance Departments for the purpose of identifying proceduralimpacts. Upon receipt of a proposed design change, individuals knowledgeable in operations / maintenance procedures will determine the extent and scope of the necessary procedure changes. If a proposed design change requires a revision to station procedures, the previously described revision process will be followed. The procedure changes will be made effective upon completion and acceptance of the design modification. In this manner, changes made to the station's equipment, and/or design basis are identified and translated into operating, maintenance, and testing procedures.
With regard to the various design / configuration control process procedures, in addition to oversight of implementation practices, the Quality Assurance Group (OAG) is part of the review / approval cycle for the procedures. Plant procedures identified as "QA Program Related " are distributed to QAG for review to determine that new procedures or revisions do not degrade the level of quality established by the Boston Edison Quality Assurance Manual and other commitment documents. QAG logs the procedures distributed for review and tracks the comments made to ensure satisfactory disposition. The list of "QA Program Related" procedures includes those engineering and plant procedures associated with modifications to the station.
Procedures may be altered through less rigorous methods as long as the scope of the revision meets certain stringent criteria. As permitted by Technical Specification 6.8, temporary revisions to procedures may be made by a member of the management staff and approved by the Senior Reactor Operator on watch. The ORC must review these i
procedure changes within 14 days to ensure an unreviewed safety question has not
]
been introduced. Editorial revisions may also be made without the complete procedure review process to correct obvious typographical errors. For these cases, the procedure editor provides the oversight necessary to ensure the changes are truly editorial. The i
process for implementing Night and Standing Orders specifically prohibit the author from creating, modifying, or deleting any procedural requirements.
Ill. Temporary Procedures Temporary procedures can be prepared to perform system and equipment testing, pre-operational testing of new systems and equipment, system equipment testing following modifications, and special tests. Temporary procedures receive the same review and approval process as the operating, maintenance, and testing procedures previously described. Each temporary procedure receives a specific expiration date, with none exceeding 6 months from the date of approval unless justified in accordance with special circumstances allowed by the procedure.
B-6
JV. Conclusion The administrative requirements controlling the creation, maintenance, usage, and revision of the Operations Manual, combined with the above described enhancements, provide reasonable assurance that the Pilgrim Station design bases requirements are effectively translated into the operating, maintenance, and testing procedures. As l
discussed previously, Pilgrim's 1988 pro '.edure upgrade effort included upgrading the set of procedures comprising the Operations Manual. Since the onset of the upgrade program, additional improvements have been enacted to continually refine the Operations Manual and ensure the plant's procedures are accurate, usable, and reflect the design bases.
i In order to assess the effectiveness of the procedural controls in maintaining station procedures in compliance with the design bases, Quality Assurance Group audit and 1
surveillance reports and NRC inspection reports issued over the course of the last eight years were reviewed. A matrix of findings, both positive and negative, was established fc, sulected attributes relating to design bases and interfacing processes. The a: qutes reviewed included:
)
i Design change information translated to station documents
]
e l
UFSAR parameters compared to procedures 1
Technical Specification parameters compared to procedures j.
(
Vendor manual design informrdion compared to procedures The review did not identify adverse trends or programmatic deficiencies associated with j
the processes. Of the discrepancies identified, most were due to inapprupriate actions j
on the part of personnel. Instances were identified where design information and
)
various procedures were in conflict. Other instances were identified where the process j
was bypassed and design information was not incorporated into procedure revisions.
i Therefore, on occasion, corrective actions have included some procedure program l
changes to enhance the program, to provide clarification, or to eliminate confittt While the above described occurrences show several instances resulting in the M.un i
~
procedures not reflecting the Pilgrim design bases, the circumstances were not i
indicative of a programmatic breakdown. Appropriate corrective actione were taken, and the controls were strengthened accordingly. Thus, Pilgrim has reasenable assurance the design bases requirements are translated into operation, maintenance, and testing procedures.
l 1
B-7 r
.m m
l
- h. e *. ;.
l l
5 Action (c): The rationale for concluding that system, structure, and component configuration and performance are consistent with the design basis.
' Response -
L j
This section describes how the physical plant configuration is maintained in.
.)
accordance with the procedural process controls described in the response to action (b). An overview of system surveillance and maintenance restoration controls is 1
provided, including system line-up and walkdown verification mechanisms.
j;
- l. Systemc Structure.' and Component Confiauration
- Controlling the system, structure, and component configuration ensures the plant is' operated and maintained in accordance with the design basis. By maintaining system,
)
structure, and component !ineups in accordance with the design documents, a properly
. maintained system will be available to perform its safety function. At Pilgrim, configuration control is maintained by diverse methods throughout the organization.
l Whereas operations is chiefly responsible for maintaining the system and component f
lineups for the plant's major systems, other departments such as Chemistry and l&C
[
have responsibilities for ensuring sampling systems and all of the plant's instrumentation are correctly lined up for plant operation. The plant configuration is P
regularly assessed by routine operator tours, system engineer walkdowns, and quality assurance oversight.
[
Pilgrim procedures require the plant be aligned in accordance with the design l-documents. In the case of fluid systems, the piping and instrumentation drawings (P&lD) serve as the source documents for the valve lineup. On a regular frequency or 3
following major work during an outage, safety system alignments are performed. Once aligned in this baseline condition, components may not be repositioned unless permitted by an approved procedure or administrative process.
i Operations personnel maintain various logs to document the current configuration of i
the facility. Tagouts, lifted leads, disabled annunciators, and temporary modifications are examples. The Operations Department also maintains a log of malfunctioning l
- equipment that has caused operators to perform activities to compensate for the faulty component (s). Items placed in the Operations Compensatory Measures Log are given an elevated priority and tracked on a monthly basis. This log prevents the increase of operator " work arounds" by making their existence known to the station's management.
The minimization of " work arounds" limits the time and effort spent by operators on
- equipment the plant's designers intended to be automatically controlled.
)
Operators perform building tours once-per-shift. These tours are designed to check the operation of the equipment and provide additional assurance that the plant
. configuraUon is correct. Parameter limits are provided in the tour sheets to alert i
operators to potential off-normal conditions. Component misalignments can be identified through the operator tour.- Additionally, control board walkdowns, performed i
L
, by the control room Reactor Operators and Senior Reactor Operators at shift turnover, c-1
~,
i 1..>.*
i verify valve and switch positions as well as controller settings. Any off-normal l
alignment is discussed by the watch crews prior to the new crew assuming the watch.
System internal component configuration is maintained through the station
[
j maintenance program. The processes for work planning, parts procurement, and j
installation in the field are specifically designed to ensure the correct parts are utilized.
J As previously described, only in-kind replacement parts are used to repair plant j
components unless substitute components have been authorized via an Engineering Equivalency Evaluation.
l
' Quality Assurance Group (QAG) inspections of maintenance and modification activities i
i provide another check point for monitoring of plant configuration and component performance. Via the work control process, QAG inspection team personnel are notified of planned maintenance / modification work on safety-related equipment and are afforded the opportunity to insert inspection hold points at selected steps in the work process. These hold points allow for verification of various as-built conditions in all i
maintenance disciplines, review of replacement material adequacy, and l'
monitoring / witnessing of selected post work tests to the specified design and work i
package requirements.
i QAG also conducts audits and surveillances on a periodic basis which evaluate the l
adequacy of station configuration to the applicable licensing, design, and/or plant
)
[
documents.
l
[
System audits are performed yearly as vertical slice audits of various safety-related systems. As directed by the audit team leader, these audits include walkdowns of selected system features such as piping arrangements and component locations; valve position, type and identification; pipe support configuration, location, identification and condition; electrical breaker position and internal wiring; control switch positions and identification; annunciator status and descriptions; and numerous other field verifications. The UFSAR, Technical Specifications, piping and instrument drawings, isometrics, functional control diagrams, elementary and wiring diagrams, pipe support drawings and vendor manual descriptions are examples of documents utili vd in station configuration verification activities. In addition to the system audits, other QAG audits such as Technical Specification and operations audits also include verification of various aspects of plant configuration.
I II. System. Structure. and Component Performance l
Following maintenance activities or at the frequency delineated in the Technical Specifications, surveillance tests are performed on safety-related plant equipment. The periodic testing and post-maintenance surveillance testing of systems and components
'are the central methods for determining and maintaining system and component operability.'
l The Technical Specification surveillance tests have been designed to demonstrate the l
- functional capability of a system and its components to perform as required by the
)
C-2
__ ~
-. ;I
.~
),,4,.
design bases. Surveillance tests range from once per shift instrument checks to integrated logic system functional testing, instrument calibrations, pump performance tests, and various types of valve stroke testing. Hydrostatic, integrated and local leak rate testing, as well as other miscellaneous tests are also included in the program.
i t
Although the ownership of these test procedures rests within the Plant Group, the procedures receive significant engineering input to ensure design basis requirements L
are fully embodied in the procedures. As noted in the response for action (b), the procedures for all safety-related station pumps and valves have been completely i
rewritten by engineering so as to fully implement ASME Section XI in-service testing i
requirements. Similarly, it was an engineering review of all logic system functional '
r testing which corrected noted deficiencies in the LSFT procedures in 1988.
j Engineering continues to provide design basis testing requirements for the motor l
operated valve program formulated in response to Generic Letter 89-10 and is the 4
owner of the procedures that implement the 10 CFR 50 Appendix J leak rate testing program.
The involvement of the engineering group throughout the surveillance test program extends beyond the maintenance of programmatic controls. Surveillance tests are routed to the appropriate system engineer following completion for trending of 1
i important parameters. The successful completion of a Technical Specification surveillance test, given the amount of engineering input into the program, provides
)
i operations the reasonable assurance the system / component is performing at the l
required level to meet its design basis function.
J Following maintenance activities on safety-related plant components, the appropriate surveillance procedure along with any separate post-work test must be successfully j.
completed prior to declaring the system operable. The work control process provides the administrative tracking mechanism for all maintenance activities. The work control
)
process tracks the activity and ensures the necessary tests and final engineering review (if the job has implemented a modification) are complete prior to the
+
component / system being considered operable.
I Operability as paraphrased from the Pilgrim Technical Specifications is the assurance that a system or component is capable of performing its specified function and that all attendant support features are available and lined-up for service. Post-work testing 4
following maintenance seeks to ensure the maintenance activity was successful in restoring the system component to its design condition. Technical Specification surveillance testing ensures the system's performance following maintenance will meet i
the design basis requirements (i.e., be considered operable). Once all required testing i
is successfully completed and, in the case of a station modification, any necessary engineering reviews are complete, the Senior Reactor Operator will declare the system p
j in the same manner as verification of overall plant configuration, system / component performance is also monitored through the audit process. Technical Specification
. surveillance testing, in-service testing and post-modification testing are areas which C-3
^
i i,,.
i i
j are audited to verify that testing was performed to approved procedures; test results i
j wers properly documented and met the acceptance criteria; acceptance criteria reflect UFSAR, Technical Specification and plant design change package requirements; test i.
anomalies were identified and reconciled; and completed procedures were i
reviewed / approved as required. Witnessing of test performance is also done periodically to monitor procedural adherence and personnel performance.
i l
The QAG Surveillance Program is also utilized to verify various aspects of plant coraiguration and componert performance issues. Surveillances augment the audit j
process,' particularly in the witnessing of testing activities, and typically are narrowly focused reviews intended to evaluate selected system, component, or process features.
l 3
j Surveillances are both scheduled and unscheduled to allow adapting to changing plant conditions.
4 i
in addition to general inspection activities described above, the In-service Inspection j
(ISI) Program administered by the QAG involves examinations of program components l
to verify both the as-built (pre-service) and in-situ (in-service) component
?
configurations reflect the applicable design documents. The ISl program cuts across all plant safety-related systems with inspections scheduled and performed both during i
outage and non-outage times. The inspection boundaries of the program have been established by engineering and documented on specific ISI P&lDs and isometric 4
drawings. QAG coordinates / performs the inspections of various welds, welded attachments, supports, and pipe wall thickness to verify that configuration reflects the i
design drawings and specifications.
i lll. Conclusion The surveillance test program and the requirement to perform these tests post-maintenance provide reasonable assurance system, structure, and component configuration and performance are consistent with the design basis. The integration of l
the Nuclear Engineering Services Group throughout the creation and review of the Technical Specification surveillance procedures gives confidence the tests j
demonstrate the required attributes necessary for operability.
I In order to assess the effectiveness of the procedural controls in maintaining system, structure, and component configuration and performance consistent with the design 4
i bases, Quality Assurance Group audit and surveillance reports, and NRC inspection reports performed over the course of the last eight years were reviewed. A matrix of l-findings, both positive and negative, was established for selected attributes relating to design bases and interfacing processes. The attributes reviewed included:
Plant configuration compared to design drawings e
Plant configuration compared to system and operating procedures e
l Plant configuration compared to UFSAR equipment descriptions e
C-4
<A....
i i
Plant configuration compared to Technical Specification descriptions
. The review did not identify a breakdown in the programmatic controls associated with the procedural processes used to maintain the station configuration consistent with the design bases. However, mis-matches between plant configuration and design documents were identified, which were attributed in some cases to the multiple number i
of drawings containing the same or similar information. For example, the emergency.
diesel generators had as many as five different drawings containing the same setpoint parameter. Thus, one setpoint change required five drawing changes. In another example involving valve wiring discrepancies, three different drawings contained conflicting wiring information. While the wiring problems did not result in an inoperable condition, the problem was reportable.
i Assessment of these and the other findings revealed no apparent trends in.the types of j
issues identified. There were no widespread indications that the station system, j
structure, and component configuration were not consistent with the design basis.
}
Additionally, in June 1996, an initiative was commenced to assess the UFSAR The intent of the assessment was to provide a level of assurance that Pilgrim Station conforms to the descriptions provided in the UFSAR. A guideline was created for personnel performing the review regarding the scope and depth of the assessment.
This assessment was in progress prior to the issuance of the 10 CFR 50.54(f) letter dated October 9,1996.
1
?
I The UFSAR sections reviewed were largely determined by the systems that were within the scope of the Maintenance Rule. The assessment was focused on those systems whose performance is most important for avoiding the potential for core damage i
following an accident. As a result, safety and non-safety-related systems were l
reviewed. For each UFSAR section within the assessment, the following subsections j
were reviewed:
Safety Objective (if applicable)
Safety Design Basis (if applicable)
Power Generation Objective (if applicable) j j
Power Generation Design Basis (if applicable)
. - Description
[
Safety Evaluation (if applicable)
Inspection and Testing (if applicable)
Tables and Figures (if applicable)
The UFSAR sections were reviewed for consistency with station as-built design and 4
operational configuration. A confirmation of the accuracy of the literal descriptions contained in the UFSAR was intended. However, the intent of the assessment was not j
. to perform a detailed, in-depth review as might be done for a safety system functional j
inspection, Rather, the reviewer was tasked with determining if the description was C-5 w
v.---
,.-r
r-
accurate to the best of his knowledge. As a result of the review, numerous discrepancies were discovered, but no issues adversely affecting equipment operability were discovered. The existence of these discrepancies has been entered into the station corrective action process for resolution.
However, the overall results indicate that further evaluation of the UFSAR is warranted to fully address the extent of the discrepancies. As such, a more detailed in-depth 4
review of the UFSAR will be conducted in accordance with the October 18,1996, revised NRC Enforcement Policy associated with departures from the UFSAR. The scope of this review will be developed and submitted to the NRC within 60 days following Refueling Outage #11, which is scheduled to commence February 15,1997.
b 4
4 4
4 C-6
E y8.:
i Action (d): Processes foridenti6 cation of problems and implementation of corrective v
. actions, including actions to determine the extent of problems, action to prevent -
e recurrence, and reporting to the NRC.
i
Response
- 1. Problem Identification Methods j
Pilgrim Station uses several established processes for the idantification of problems i
L and potential problems.1These processes embody the principle of event prevention through implementation of the Four Levels of Defense of Quality.' The individual / work group is the first level of defense providing 100% coverage for discrete, identifiable.
. activities, evolutions; or work functions. This effort is owned by each individual j
~
- contributor. The second level of defense consists of all levels of management and -
p l supervision. The third level of defense consists of internal' oversight such as the LQuality Assurance Group (QAG), the Operations Review Committee (ORC), and the '
Nuclear Safety Review and Audit Committee (NSRAC), which assess the effectiveness
[
of self-assessment efforts. The fourth level of defense consists of extemal oversight, such as INPO and the NRC, which provide assessments of the first three levels. Each i:
level gains increasing objectivity, independence, breadth of perspective, and
. integration capacity.
l
- The processes used at Pilgrim by the individual / work group at the first level of defense include:
i-The Self-Assessment Process i
i The Problem Report Program e
The Nuclear Safety Concern Program l
1.A Self-Assessment Worker level self-assessments are scheduled on a periodic basis commensurate with the frequency of the activity. Each area scheduled for a periodic self-assessment (e.g.,
weekly, monthly, quarterly, semi-annually) is planned such that the majority of critical activities within the area are subject to the self-assessment process.
Management level self-assessments are planned and conducted at the group and t
. department manager level with each group conducting a minimum of one management level self-assessment per quarter. The planning of management level self-assessments
- is such that the combination of all management level self-assessments within a group
. will cover the major process or program areas of the group that are critical to Pilgrim.
Station. The plan typically includes the oversight of the worker level self-assessment process as well as any unresolved concerns identified at the worker level. The plan
. also allows for the additional assessments of unique, infrequent, or unplanned p
activities, or events of critical importance to the group, and any critical interface requirements between teams and departments.
1 i
o-,
1 a.; w i
a e>\\
Management level self-assessments conducted quarterly by each group are presented to the Nuclear Managers Committee for review and feedback. The Nuclear Managers Committee is a meeting of all Pilgrim Group managers to manage collectively the day-to-day business of the station.
Group cross-functional self-assessments are to be conducted by each group at least once during each 18 month evaluation period. The Quality Assurance Group assigns a person to function as team leader and assist the group manager in the preparation, performance, and documentation of each group cross-functional self-assessment. The assessment team typically consists of cognizant personnel from other groups, as requested by the group manager, as well as internal group personnel.
Pilgrim cross-functional self-assessments are to be performed once within each 18 month evaluation period and after all group cross-functional self-assessments have been completed. These are planned and coordinated by the Quality Assurance Group at the nuclear department level. This assessment is conducted with the assistance of peer utility personnel from other nuclear plants and Pilgrim personnel. The areas or topics for assessment are selected from the programs and processes that are critical to the operation of Pilgrim. Concerns identified during previous self-assessments conducted within the group, major process or program revisions, and the implementation of corrective actions resulting from self-identified or external organization oversight are typically included in the assessment.
Conditions adverse to quality or other concerns, as applicable, identified during the self-assessments are documented and processed in accordance with the " Problem Report Program" described below. If specific problems or broader issues are found, the assessor then focuses on the causes or barriers that contribute to the issue. Any action items identified during a self-assessment are documented in the respective Self-Assessment Report.
l.B Problem Report Proaram The process for reporting problems has recently been revised to include a lower threshold for problem reporting. This revision dovetails with the self-assessment activities described above by accommodating the smallest of worker observations and encouraging the inclusion of near misses and the potential or perception for near misses.
The process has three major elements: Initiation, Assessment, Cause and Corrective Action Determination.
l.B (1) initiation Any employee or contractor may file a problem report (PR). Employees have been instructed that the data needed at PR initiation is the person writing the report, work organization, a description of the problem and how it was found, work in progress, date and time of the problem, and any procedure in use. Employees are encouraged to file D-2
a,
a PR even if they just feel or think something might not be quite right. After the PR is prepared there is a checklist of questions to determine if the Nuclear Watch Engineer (NWE and SRO are equivalent to Shift Supervisor) or the Radiological Protection Manager (RPM) have a need to review the problem. The default of this checklist is to have the NWE perform a review. The NWE review of the problem focuses on operability of equipment and reportability (10 CFR 50.72) to the NRC and station management. The RPM review focuses on 10 CFR 20 reports and exposure limits.
Any required notifications are made, and the NWE further screens the PR for Technical Specification LCO entry.
Following the NWE/ RPM review, the PR is forwarded to the Operations Support Team (OST) for item capture, assessment of significance, and disposition. If the PR was determined not to require a NWE review, it is forwarded directly to the OST. The OST checks problem reports to assure that a NWE or RPM review is not missed.
l.B.(2) Assessment The PR is classified according to significance in accordance with 10 CFR 50 Appendix B paragraph XVI. There are two levels of significance, a Significant Condition Adverse to Quality (SCAQ) and a Non-SCAQ. The criteria for designating a PR as SCAO are:
A failure to comply with the Pilgrim license, Technical Specifications, FSAR, or applicable NRC regulations A condition which is determined to be reportable to the NRC according to 10 CFR 50.72/ 73,10 CFR 20, or 10 CFR 21 A condition which indicates lack of, or reduction of, management's ability to control activities affecting quality A failure or malfunction of safety-related equipment hardware or a non-hardware deficiency that causes or has the direct potential to seriously affect nuclear safety. The potential effect may be detected as a result of a specific occurrence or may become apparent because of recurrence.
A condition that warrants heightened management attention The Operations Department Manager, the senior SRO on site, renders the determination whether a PR is a SCAQ. Problem reports that do not meet any of the above criteria are designated as Non-SCAQ. If a PR is designated as SCAQ, the plant manager is notified.
l.B (3) Cause and Corrective Action Determination A PR designated as SCAO requires a root cause analysis to determine the failure mode. Problem reports associated with human performance require that the root cause be performed by a team and that one member of the team must have received specific human error cause analysis training. Problem reports that deal with equipment issues and are SCAQ also require a root cause analysis, but use of a team is at the discretion of the manager (s) involved. The completed root cause analysis, as well as the D-3
. ~
I 4 e '1'.
e i
' corrective action to preclude recurrence is reviewed by_a panel of managers consisting of the Plant Group Manager, and the Engineering Group Manager with oversight by L the Quality Assurance Group Manager. This panel is called the Corrective Action.
t Review Board.-
A PR designated as Non-SCAQ may also require a cause analysis; however, these' analyses are apparent or direct causes, and corrective actions are to address the problem directly.
l I
All problem reports are coded by several criteria to allow for trending and performance of common cause analysis. Results of trending or common cause analysis are i
t reviewed by the management team. - Specific trends or causes may be classified as r
SCAQ and require root cause and corrective actions to preclude recurrence.
After disposition, cause analyses and or corrective actions are assigned to appropriate organization members for resolution. Action due dates are assigned to each task.
}
NRC reporting requirements are assessed at this time, j
During the final close-out review phase, the data is checked and the corrective actions l
are entered into a database for tracking.
j l.C Nuclear Safety Concern Proaram j
u The Nuclear Safety Concern Program is a confidential program designed to encourage personnel to voice concerns regarding nuclear safety. This program extends to any 4:'
condition, practice, or event for which an individual believes adequate resolution has i
I not been obtained within the line organization and which may adversely impact nuclear 1'
safety. Employee concerns may include, but are not limited to, the following:
Perception by an employee that an unidentified or unaddressed problem with e
equipment exists or has occurred Perception by an employee that an error in design, construction, analysis, or e
fabrication exists or has occurred Perception by an employee that a program is lacking or deficient and may result in a e
problem
_ Perception by an employee that a policy exists which may result in a problem Belief of an employee that the actions of another individual may have resulted or may result in a problem Perception by an employee that a deficiency related to radiation safety exists -
l D-4 w,
L- - -
.n,
(e
(,
o
- 11. Quality Assurance Oversicht The on-site Quality Assurance Group (QAG) routinely monitors station processes and performance regarding design and configuration control activities. QAG oversight of these activities is accomplished via audits, surveillances, and inspections and is coordinated to provide coverage over a range of design configuration control attributes.
QAG coverage of plant design / configuration activities is defined in the " Oversight Plan" for the area. The Oversight Plan establishes the attributes, from both a process and implementation standpoint, which QAG intends to evaluate over a specified period.
These plans were devised as a method of identifying desired review areas and tracking QAG monitoring efforts in these areas.
Audits are performed by qualified personnel in accordance with approved procedures and established schedules. QAG audit responsibilities pertaining to 10 CFR 50 Appendix B, Criterion 111" Design Control" and ANSI N45.2.11,1974, " Quality Assurance Requirements for the Design of Nuclear Power Plants," Section 11, " Audits",
are primarily satisfied via the performance of " System Audits" which are conducted yearly. The system audits provide a vertical and horizontal slice approach to evaluating the adequacy of QA Program application to various safety-related plant systems (e.g., core spray). These audits were patterned after and are a scaled down version of the NRC's safety system functional inspections (SSFI). Within an audit j
context, pertinent licensing and design information is reviewed, and selected system features are evaluated to determine if the as-built and as-operated condition reflects design basis information and is supported by appropriate documentation. System audit teams are typically augmented by technical specialists from other utilities or independent consultants to provide additional expertise. These audits have both a technical and QA Program focus to identify process issues regarding design and configuration control as well as to evaluate specific technical features.
QAG surveillance activities are performed to approved procedures by qualified personnel. Surveillances are typically narrowly-focused reviews conducted to enhance the overall coverage of a particular functional area and involve reviews of processes (e.g., control of calculations) as well as actual plant configuration (e.g., equipment line-ups). Surveillances are performed in the functional areas of design, modification, and configuration control for those attributes listed on the associated Oversight Plan previously described and include evaluation of design bases information, translation practices, and plant configuration / operational adequacy.
In-process inspections of plant maintenance and modification work are also performed by QAG to verify that such work conforms with the associated documentation and is conducted in accordance with accepted plant practices. As part of these inspections, QAG personnel compare existing plant configuration to engineering drawings in all disciplines (i.e., electrical, mechanical, l&C) as well as verify, on a selected basis, that plant equipment is modified and tested in accordance with appropriate design change documents. The inspection focus is to ensure changes to the plant configuration, whether during routine maintenance or as part of a Plant Design Change package, are implemented in accordance with appropriate and approved drawings and procedures.
D-5
i
- 6.>
ll.A Documentation of QA Problems Procedures for the performance of audits, surveillances, and inspections require identified unsatisfactory conditions be documented on the appropriate corrective action document. In addition to the Problem Reporting (PR) process previously discussed, QAG utilizes the following processes to document, evaluate, disposition, and close-out unsatisfactory conditions.
II. A (1) Deficiency Reports (DRs)
DRs are used by QAG personnel to document deficiencies identified during the performance of audits and surveillances. The DR process is solely controlled by the OAG and is not integrated with the plant problem report system. The deficiency is initially evaluated for significance and NRC reportability per applicable QAG procedures. Deficiencies are then classified as either a Level I (significant), Level II (non-significant but warrants investigation), or Level lli (non-significant and easily corrected). Depending on deficiency classification, QAG determines the appropriate elements to be addressed in the response (i.e., cause, extent, corrective and/or preventive actions) and forwards the DR to the applicable manager for formulation of the response. Response turn-around times are accelerated for Level I deficiencies.
QAG reviews all DR responses for adequacy and indicates accept / reject status on the DR form. Rejected responses are returned to the respondee, and the issue is escalated to higher levels of management in accordance with QAG procedures.
Completed corrective actions and, when required by the response, preventiv4 actions are verified by the OAG to ensure that implemented actions are consistent with those stated in the response. Acceptable verification results in closure of the DR. QAG routinely tracks the status of DRs to ensure schedules are met. DRs, once accepted for close-out are discussed with the Sr. Vice President-Nuclear prior to formal closure.
II. A (2) Nonconformance Reports (NCRs)
Nonconforming parts, materials, and components identified by QAG inspection 4
personnel during installation inspections of various maintenance or modification activities are documented on a NCR. Nonconforming conditions are initially evaluated for significance and NRC reportability criteria per QAG procedures. Also, provisions are made to identify the nonconforming item in the applicable work control document to prevent inadvertent use. NCRs that may affect component / system operability are taken directly to the Nuclear Watch Engineer for proper determination of operability.
Disposition of the nonconforming condition is determined by plant management.
Engineering is required to concur with any NCR which has been dispositioned "use-as-is" or " repair" and provide technical justification for the conclusion. This engineering review allows for proper evaluation of design impact and configuration control issues regarding the nonconformance. Once the disposition has been documented and approved on the NCR form and implemented. QAG verifies the actions taken were consistent with the documented disposition. The NCR is closed upon satisfactory verification by QAG.
D-6
h,.,mg s
~
Action (e) The overall effectiveness of your current processes and programs in l
concluding that the configuration of yourplant is consistent with the design bases.
j I
ResponseL We have confidence and reasonable assurance that the requisite controls are in place to adequately develop and translate design requirements into processes / procedures that enable Pilgrim to operate safely within the design bases.
These processes / procedures are described in the responses to actions (a), (b), (c), and (d);and are generally effective in managing the generation, translation, and maintenance of design bases information. This conclusion is based on a review of
. these processes and examination of the results of audits, inspections, and L
assessments performed by both internal and external organizations over an eight year period from 1989 to present. Observations from _these oversight organizations were -
categorized into attributes that relate to the various key aspects of design / configuration control at Pilgrim Stationf Collective evaluation of these results indicates, on a general scale, that actual plant configuration matches ' associated design bases information, and
. that the current processes are effective in managing design information.' However, discrepant conditions of varying nature were noted at each level in the defensive quality hierarchy described in action (d). There were some instances where a n
' particular element of design bases control was considered to be ineffective. Some of l
l.
these instances presented challenges to the organization in terms of operability and 3
i reportability determinations. In these cases, the appropriate corrective action process L
was utilized to evaluate the condition. Notwithstanding, it is not Pilgrim's intent to use operability determinations as the primary qualifier in assessing effectiveness of design I
bases information controls but rather to establish a proper threshold in the evaluation of design bases issues which cuincides with the enhanced corrective action processes l
described in the response to action (d).
Process issues such as procedure adequacy and adherence are being addressed as discussed in the BECo response to NRC Violation 96-06-02 issued on January 31,
.1997. The Pilgrim Station corrective. action program has also undergone a comprehensive revision to address trending and management oversight as part of th!s effort. The problem reporting threshold has already been significantly lowered, and
}
UFSAR and design bases issues identified can be trended for appropriate corrective f
action implementation at the programmatic level, if root and common cause analyses results show such actions are warranted.
' The.following will be assessed and prioritized based on the trending results soon to be available as a result of the enhancements to the corrective action trending process:
L L
i 3-E-1
.~
s, s* 6 4 0 UFSAR level of detail Drawing revision process Validation of parameters for selected UFSAR chapters Re-vitalize previous DBR effort Enbarced configuration control processes Determination of analyses of record for design use issues involving the UFSAR will be factored into the scope of the UFSAR review activities discussed in response to action (c). The other issues planned for assessment will have scope definition and schedules by the end of the third quarter 1997.
i i
E-2 2 -
c _
y.,. r = # o '
~
Action (f): In addition, indicate whetheryou have undertaken any design review l
. or reconstitution programs, and if not, a rationale for not implementing such a t
program.'
i
Response
Design review initiatives are routinely undertaken for the following reasons:
implement new requirements inio the current design basis -
e Evaluate plant design changes or modifications e
Prepare license amendment submittals i
Perform operability evaluations for degraded conditions e
Determine the scope of corrective actions for degraded conditions Comply with past and ongoing regulatory initiatives e
As discussed in response to action (a), ths station design change process drives the need to identify and evaluate the design basis of structures, systems, and l
components prior to conducting modifications. In addition to design bases i
reviews,-design bases reconstitution has been conducted as needed during Pilgrim's operating history for various regulatory issues or as station initiatives.
1 Examples of focused design reviews undertaken include the following areas:
Safety-related instrument set points Safety-related motor operated valves e
Spent fuel storage and cooling
- Service water system and safety-related heat exchanger performance Emergency core cooling system performance j
e Reactor vessel fatigue analysis i
e Environmental qualification of electric equipment to meet the e
requirements of 10 CFR 50.49.
The next large scope opportunity for a focused design review is our planned conversion to Standard Technical Specifications.
l During the design reviews, essential design attributes are identified to ensure systems, structures, and components are designed to perform their intended functions consistent with the design basis. Design information and requirements j
are most often documented in, and are retrievable from, licensing documents, calculations, design analysis reports, drawings, and specifications.
t Design documents are identified and; if required, revisions are prepared, reviewed, approved, stored, and controlled in a systematic manner. Design documents are' stored in hard copy or film, and their location in the record file is retrievable from a computer database accessed from terminals on the nuclear
. organization computer network.
l f
F-1 4
~
[
h v/ s o
- 1. Discussion of Past DBR Efforts a
A limited scope design basis reconstruction effort began in the 1990 time frame entitled " System Design Specification" (SDS) update project. The purpose of the SDS update project was to enhance.the retrievability of design basis information j-(DBI). Engineers in the design change process were retrieving dbl during specific tasks without a controlled means to retain the increased knowledge in a 4
readily retrievable manner. When similar tasks arose, other engineers had to search again, even for the same dbl. This project was therefore established to introduce a controlled means of retaining the dbl following its generation or discovery. The intent was to enhan_ce retrievability of essential design bases information found while working on tasks needed to support safe and economic operation. The focus was on features / systems which have the greatest potential contribution to safety or power generation risk. Those features / systems were identified by Probabilistic Risk Assessment (PRA).
.The project had three major objectives:
L e'
Update or establish System Design Specifications (SDS) for selected plant features / systems i
Assemble and index Archival Document Files (ADF) containing historical design basis information Update or establish Engineering Design Standards Manuals (EDSMS) and dbl for discipline-specific design activities and selected topics t.
II. System Desion Specifications Y
I This activity was established to provide a controlled repository for dbl which could facilitate preparing engineering evaluations for input to proposed design changes and operability determinations. Developing a database with certain system design specifications would provide a cost-effective, user friendly method for access to the dbl in a centrally controlled location. It was not the purpose of the SDS update project to supersede any existing specifications, FSAR sections, or any other documents containing requirements. This activity instead focused on assembling the data base as engineering evaluations were conducted and establish the data base as used and useful rather than requiring complete assembly of system information with the potential of limited eventual application.
F-2
@gP Ill. Enaineerina Desian Standards Manuals This activity was established for the purpose of updating or. establishing discipline-specific and topical EDSMs to facilitate consistent technical approaches to engineering work, and to control design activities to ensure continued conformance with design bases. Each EDSM would identify what was required and how the requirements were to be met. The intent was not to 3
replace existing engineering textbooks, industry standards, or regulatory documents; rather, it was intended to identify, assemble, or reference existing
' topical documents containing specific topical design requirements and guidance, explaining how they are met such that the impact on design bases of a proposed
- i modification or a degraded condition can be properly evaluated by the engineer.
r IV. Archival Document File (ADF)
The ADF activity was established to enhance the engineer's capacity for i
retrievability of selected archival supplier-generated documents containing dbl.
It provides a means to cost effectively provide the engineer with more com%9te delineation of design basis considerations, a definition of system boundaries, and a compilation of supplier-generated documents containing dbl that would l
then remain available for future tasks, functional audits, design change considerations, and engineering evaluations for input to operability 7
determinations. It was not the intent of the ADF to retrieve all documents containing dbl. Also, much of the documentation containing DBI was created j
1 before 10 CFR 50 Appendix B was implemer ted. In some cases, design input documents, files, or calculations containing 0 Bl for a feature or system would not be available.
l l
V. Results of Effort I
i The HPCI system was used as a trial system for issuing the publications of this 1
extensive data collection and retrieval effort. Several attempts at a living, hard l
copy publication of the specifications and manuals showed the " publications" effort would not be universally conducive to the various needs of the individual engineering discipline managers. Consequently, this information is used as a l
resource tool for engineering personnel to access and use on an as-needed basis.
i VI. Current Status Since 1995, Pilgrim Station has been actively involved in various cultural enhancements. Among them is an effort aimed at creating team player
- environments, developing employee commitment to continuously strive to enhance human and equipment performance, and focusing efforts on employee i
F-3 f.
t
,,*r y-..
,__m.,..,.
. -9 0 }.>
development, skill building, rewards, and incentives. Key Result Area (KRA) teams are oftentimes formed as part of the implementation for such efforts. The KRA team identifies the components where the organization needs to excel in order to achieve a vision.
One such team, a Design Bases KRA team, has recently been formed and will develop plans and schedules to reach a consensus organization goal for further design bases information management efforts. This team will look at establishing the controls and tools best utilized and appreciated at the user level. This effort is an integral part of the additional assessment activities discussed in response to action (e) and will be included in the scope definition and schedules planned for completion by the end of the third quarter 1997.
4 l
I F-4
_ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ - _ _