ML20149N007
| ML20149N007 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 02/17/1988 |
| From: | Mccabe E NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION I) |
| To: | |
| Shared Package | |
| ML20149N001 | List: |
| References | |
| 50-423-88-03, 50-423-88-3, NUDOCS 8802290378 | |
| Download: ML20149N007 (20) | |
See also: IR 05000423/1988003
Text
__.
V
.y
.
-
U.S. NUCLEAR REGULATORY COMMISSION
REGION I
Report No. 50-423/88-03
Docket No. 50-423
License No. NPF-49
Licensee: Northeast Nuclear Energy Company
P.O. Box 270
Hartford, CT 06101-0270
-Facility Name: Millstone Nuclear-Power Station, Unit 3
Inspection At: Waterford, Connecticut
Inspection Conducted: January 19, 1988 - January 29, 1988
Inspectors: W. J. Raymond, Senior Resident Inspector
G. S. Barber, Resident Inspector
Reporting Inspector: G. S. Barber
Approved by: $ 0 b M , )r '
2/Ml88
E. C. McCabe, Chief, Reactor Projects Section IB Date
Inspection Summary:
Areas Inspected: Special resident inspection (66 hours7.638889e-4 days <br />0.0183 hours <br />1.09127e-4 weeks <br />2.5113e-5 months <br />) of the January 19, 1988
inoperability of required Reactor Coolant System Overpressure Protection features.
Results: The lack of a required overpressure protection system violated Technical
Specifications (TSs). That TS violation was identified during review of an actual
overpressure transient. Prompt operator action effectively mitigated the transient.
Factors involved in this event included drawing inadequacies, lack of assurance
of operability of the PORV low pressure setpoint, lack of awareness of the effect
of an. inoperable solid state protection system (SSPS) power supply on the Cold
Overpressure Protection function of the power-operated relief valves (PORVs), and
the work controls over fuse pulling.
,
The event was reported to the NRC resident inspectors and licensee management.
'
However, a 4-hour Emergency Hotification System (ENS) report was not made.
Corrective actions are in progress. Inspector concerns about related organiza-
tional, policy and procedural matters were discussed with plant management,
i
8802290378 880222
PDR ADOCK 05000423
0 PDR
_
. - . __
- ,
_.
7
.f.-
. .
TABLE OF CONTENTS
PAGE
e 1.0' -
Overview............................................................. 1
2.0 Description of Systems and Requirements.............................. 1
2.1 Technical Specification Requirements - Cold Overpressure
Protection...................................................... 1
2.2 RHR System Suction Relief Valves................................ 2
2.3 ~ Pressurizer Power Operated Relief Valves (P0RVs) . . . . . . . . . . . . . . . . 2
3.0 Operational Sequence of Events....................................... 3
4.0 Engineering' Evaluation of-the Overpressure Event..................... 7
5.0 Control of Activities................................................ 8
5.1 Action to Place COPS in Service................................. 8
5.2 Control of TBV Calibration.............................. ....... 10
5.3 Drawing Control and Adequacy.................................... -12
5.4 Conclusions......................... ........................... 13
6.0 Reportability........................................................ 15
,
7.0 Analysis of Event.................................................... 16
8.0 Summary of Findings............ ..................................... 17
f
!
i
i
i
i
!
L
_- , __-_ ,_-.. .- -
_____
.
.
1.0 Overview
The licensee notified the inspector of a January 19 loss of residual heat
l removal (RHR) due to RHR isolation. The "B" RHR suction valves closed at
- 10:54 a.m., January 19, when an Instrument and Control (I&C) technician (tech)
! pulled fuses to test the turbine bypass system. Prior to the event, the plant
l was solid with letdown flow through the RHR system balancing charging flow.
l Loss of the RHR and letdown (LD) flowpath cauced an increasing pressure
transient from unbalanced charging flow. The operators observed a pressure
increase and took actions to mitigate it by opening the LD Pressure Control
Valve (PCV) further and closing the normal charging valve to stop the pressure
increase. Pressure peaked at 526 psia before it bled off through the three
open LO orifice isolation valves. The I&C tech who pulled the fuses noticed
the RHR isolation end reinstalled the pulled fuses. Operators opened the RHR
suction valves to reestablish LD flow and restarted the "B" RHR pump to re-
establish decay heat (DH) removal.
During the overpressure transient, operators noticed that the power-operated
relief valves (PORVs) did not open. Discussions held after the transient and
follow-up by I&C showed that at least one PORV should have opened. I&C tech-
nicians discovered that the Cold Overpressure Protection System (COPS) func-
tion of the PORVs was inoperable because it was powered from the Solid State
Protection System (SSPS), which had been tagged out of service on November
3, 1987.
The "A" RHR train had been removed from service at 9:10 p.m. , January 16 and
the "B" RHR train's suction valves closed during this event, isolating its
suction relief valve from the RCS. No overpressure protection system was
2.0 Description of Systems and Requirements
2.1 Technical Specification Requirements - Cold Overpressure Protection
Technical Specification 3.4.9.3 provides the Limiting Condition for
Operation (LCO) for low temperature overpressure protection. This
specification requires that one of the following overpressure protection
systems be operable when RCS temperature is less than or equal to 350
degrees F and the reactor vessel head is on:
--
two residual heat removal RHR suction relief valves, each with a
setpoint of 450 psig; or,
--
two power-operated relief valves (PORVs) with lif t settings that
do not exceed the pressure-temperature limits established by Figures
3.4-4a and 3.4-4b for 4 and 3 loop operation; or,
--
the reactor coolant system (RCS) depressurized with an RCS vent of
greater than or equal to 7.0 square inches.
. .
.
..
. _ _ -
...
. 2
The required ACTION with one required PORV or RHR suction relief valve
inoperable is to restore two PORVs or relief valves to an operable status
within 7 days, or depressurize and vent the RCS through a 7 square inch
or larger vent within the next 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. With both required PORVs in-
operable, the required ACTION is to restore both RHR suction relief
valves to operable status within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, or depressurize and vent the
RCS through a 7 square inch or larger vent within the next'8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. With
both required RHR suction valves. inoperable, the required ACTION is to
restore both PORVs to operable status within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />,.or depressurize
and vent the RCS through a 7 square inch or larger vent within the next
8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
2.2 RHR System Suction Relief Valves
Reactor shutdown cooling is provided when the low pressure safety injec-
tion pumps are operated in the RHR mode. The suction of each of the two
RHR punips is connected to the reactor coolant system by a 12-inch diame-
ter residual heat removal drop line from the RCS hot legs. Each RHR drop
line has three isolation valves between the RCS and the suction of the
RHR pumps; valves 2RHS*MV8701A,B&C and 3RHS*MV8702A,B&C for the "A" and
"B" RHR pumps, respectively. The "C" and "B" suction valves provide
double valve isolation between the high pressure RCS and the low pressure
RHR piping. The "A" and "B" valves are interlocked closed on high RCS
pressure (765 psia) as sensed by wide range pressure channels 3RCS*PT405
and 3RCS*PT403. Each RHR drop line has a low pressure relief valve,
3RHS*RV8708A&B, between the 8701A&B and the 8702A&B valves, with a lif t
set pressure of 440 psig. The relief valves are connected to the RHR
drop lines via a 4-inch diameter line.
2.3 Pressurizer Power Operated Relief Valves (PORVs)
Two power-operated relief valves, RCS*PCV 455A and RCS*PCV 456, are con-
nected to the top of the pressurizer through 3-inch diameter lines. Each
PORV has an upstream blocking valve, RCS*MV8000A&B, respectively. During
reactor operation at normal temperature and pressure, the PORVs will lift
if RCS pressure reaches 2335 psig. The valve operation is provided by
the automatic actuation circuit based on inputs from the Nuclear Steam
Supply System (NSSS) process control cabinets when sensed RCS pressure
, exceeds the established reference pressure setpoint. Although a PORV
l 2200 psia blocking interlock is processed through the solid state pro-
! tection system (SSPS), this high pressure actuation circuit also is
l enabled when the SSPS Mode Switch is in the "Test" position. Thus, even
though the COPS function of the PORVs was dependent on SSPS operability
as explained below, the PORV high pressure relief function was not.
(During this event, the SSPS tagout in effect placed the SSPS Mode Switch
in the test position.)
l
The PORVs are used in their cold overpressurization protection system
. (COPS) mode to protect the reactor against overpressure when the plant
j is cooled down. The COPS is safety grade with redundant power supplies,
l
,
.
- - . ..
-
- - - - - - -
.
.. .. . .. ..
l- .
p
. 3
t
actuation channels, and equipment trains. Train "A" of COPS actuates
PORV PCV-455A and Train "B" actuates PORV PCV-456. Each actuation cir-
cuit receives inputs from wide range temperature and pressure instruments.
The redundant Train "A" and "B" protection circuits are identical, except
that their temperature and pressure inputs differ. COPS Train "A" re-
ceives temperature inputs from four hot-leg resistance temperature de-
tectors (RTDs), TE 413A, 423A, 433A & 443A. COPS Train "B" receives
temperature inputs from cold-leg RTDs TE 4138, 423B, 433B, & 4438. The
four temperature inputs in each train are compared and the low signal
is auctioneered out for use in the programming circuits. Reactor coolant
system pressures measured from wide range pressure transmitters Pf 405
and PT 403 are used in Train "A" & "B", respectively. The temperature
and pressure inputs are compared in the programaer circuits, which de-
velop the PORV actuation pressure as a function of temperature. As RCS
temperature decreases, the pressure setpoint is automatically lowered
to provide brittle fracture protection. The actual relief valve set-
points are 475 psi and 515 psi at 135 degrees F.
The COPS system is placed in service when the operator places the Train
"A" and "B" "ARM / BLOCK" switches on Main Board 4 (MB4) in the "ARM"
position. The COPS actuation circuit is further dependent upon the SSPS
system because its actuation logic is processed through the SSPS logic.
A trip signal developed from the sensing circuits in either train passes
through the SSPS output cabinets and uses actuation relays K628 & K528
which rely on 118 VAC SSPS power. When the SSPS is made inoperable by
placing the Mode Selector Switch in the "Test" position, the SSPS output
actuation relays, including the COPS auto PORV K628s and K528s, are de-
activated because 15 VAC is substituted for the 118 VAC supply to the
slave relay coils. The 15 volt supply is applied to verify circuit con-
tinuity during testing and is insufficient to actuate the slave relay.
Thus, in addition to arming the COPS circuits on MB4, the control opera-
tor would have to verify the SSPS is operable to assure COPS is operable.
3.0 Operational Sequence of Events
Prior to the overpressure transient, the plant was aligned as follows: "B"
RHR was running and "A" RHR was isolated for local leak rate testing (LLRT);
Normal charging was provided via flow control valve (FCV) 121 and the "B"
charging pump was running at 60-80 gpm; seal injection was provided on three
lines at 10-11 gpm each; letdown flow was provided through the "B" RHR suction
line via the RHR to Chemical and Volume Control System (CVCS) cross-tie through
LD PCV 131 (set at 340 psig) in automatic mode. The licensee believed that
both PORVs were operable at their low pressure setpoint when he intentionally
armed COPS and isolated the "A" RHR suction relief path at 9:10 pm, January
16. In addition, the Shift Supervisor (SS) on duty during the event stated
that he believed that COPS was operable. Since the LD orifice isolation
valves were open, the letdown relief valve (set at 600 psig) was also avail-
able for overpressure protection. Reactor Coolant Pump RCP-3 was running to
determine if seal leakoff was excessive as a check for improper seal package
alignment.
.
.
. 4
Just prior to the event, staff I&C entered the control room to discuss turbine
bypass testing with the Senior Control Operator (SCO). An I&C technician told
the SCO he wished to deenergize the low-low Tave interlock to the turbine by-
pass circuitry to allow him to test the valves. This interlock (P-12) pre-
vents operation of the steam dumps below 553F. The tech reviewed a copy of
ESK-7HX with the SCO, showing him the 2 fuses he wanted to pull to deenergize
5 relays in each train of the turbine bypass system. The SCO questioned three
unterminated wires endings shcwn on the drawing (Pin locations 711-1, 711-6,
711-9). The technician left to research the wire endings in the cabinet.
He returned about one hour later and stated that he verified they were dead-
ended in the SSPS cabinet. The SCO questioned the tech to ensure that the
maintenance would not affect the running RHR train. The technician stated
that it should not affect RHR. The SCO then verified the tech's drawing was
the latest revision by a check against the control room's controlled print
set and then gave permission to proceed with the fuse pulling. The inspector
determined, by interviewing the SCO, that he did not question the tech on
whether an Automated Work Order (AWO) or tagout was needed prior to authoriz-
ing the work activity. He assumed that the tech was performing a test since
he had paperwork in his hand but the SCO did not review the paperwork. After
.
the work was authorized by the SCO, the tech proceeded to the SSPS cabinet
and pulled fuses to deenergize the turbine bypass low temperature interlocks.
After the fuse pulling, a control operator (CO) noticed a low RHR flow alarm
and announced it as he proceeded to the RHR section of the main control board
(MB). He noticed flow was about 1000 gpm and oscillating wildly. The other
C0 told him that the orange and purple "B" train suction valves were going
closed. He observed the valve closure, announced that he was stopping the
RHR pump, and then stopped it. Questioning the cause and .emembering that
high suction pressure (765 psia) closed the valves, he looked over at the MB3
low range RCS pressure indication. He noticed that pressure had increased
to 400 psia from 350 psia and was continuing to increase. Thereupon, he
closed FCV 121 to stop charging flow and opened PCV 131 further to maximize
LD through the LD orifices. The SS and SCO acknowledged the C0's actions,
as he performed them, while observing the pressure transient. The CO, SCO
and SS noted that pressure peaked at about 500 psia on the two low range in-
dicators on MB3 and 520 psia by the Wide Range (WR) pressure recorder on MB4.
Pressure increased for about one minute before it started to decrease. Opera-
tor action to limit charging flow while maximizing letdov:n limited the transi-
ent. The C0 and SS noted that neither PORV opened during the transient. The
C0 also indicated that, had the PORV opened, a MB4 overhead annunciator would
have illuminated. At the time, they felt that pressure had stayed below the
PORV setpoint, so they were not surprised when the PORVs did not open. The
SCO ordered the I&C tech to replace the pulled fuses and restore the SSPS
cabinets to their pre-test configuration. I&C performed the required re-
alignments and went to determine if the fuse pulling caused the RHR isolation.
As pressure decreased after the peak, the CO regulated letdown and charging
flow to maintain RCS pressure above 340 psia. He was concerned that pressure
would drop below the minimum running 340 psia net positive suction head (NPSH)
for the running RCP. The crew shifted their focus to regaining decay heat
. . _,_ _ . . . _ _ _ . _ _ , _
.
. 5
removal and dispatched an operator to the auxiliary (aux) shutdown (S/0) panel
to open the RHR suction valves. The purple train suction valve was success-
fully opened.from the Main Control board but the orange train suction valve
did not open. The purple train suction valve high pressure closure interlock
resets at 390 psia and the orange train suction resets at 311 ps'q. The SS
recalled that the aux S/D controls bypassed the high pressure clowre reset
for one RHR suction train but did not remember which, so he ordered the orange
train suction opened from the auxiliary S/D panel. The valve failed to open.
Thus, he was forced to secure the "C" RCP prior to reducing RCS pressure fur-
ther. The SS was concerned with meeting the minimum NPSH and No. I seal DP
requirements (=200 psid). After the RCP was tripped, pressure was lowered
to 311 psig, the orange train suction valve was opened, and the "B" RHR pump
was started. Decay heat removal was reestablished at 11:10 a.m., January 19.
Later on shift, the operators conducted an informal discussion to determine
if the PORVs should have opened at their COPS setpoint. They noted that the
maximum allowable COPS setpoint on TS Figure 3.4-4a was approximately 530 psig
at 135F. Additionally, OP 3208 (Cooldown procedure) specified a COPS satpoint
of about 500 psig. Unsure of the actual setpoint, the C0 contacted I&C to
determine the relief setpoints from the actual calibration data. I&C stated,
after their investigation, that PORVs were set at 475 psig and 515 psig.
Therefore, the operators requested that I&C investigate further to determine
why the PORVs did not open. The I&C review took place over shift turnover
and was reported to the swing shift (3:30 pm - 11:30 pm) SS. I&C determined
that, since the SSPS system was blue-tagged on November 3, the PORV COPS
function was inoperable during and prior to the event. The licensee also
stated that COPS was available during ESF testing since SSPS had to be re-
energized for the Train "A" and "B" tests.
The inspector questioned whether there were other times during the outage when
the required overpressure systems were unavailable. The inspector noted that
this overpressure transient occurred during the "A" train outage when the "A"
RHR system was isolated for maintenance and questioned whether the same con-
ditions existed during the "B" train outage. The licensee stated that the
RCS was open and vented through a greater than 7 sq. in. vent during the "B"
train outage. At least one pressurizer safety valve was removed to provide
the required vent path. All three safeties were removed on November 10 and
l
the last of the three safeties was reinstalled on January 14, fiva days before
identified.
Operators were interviewed by the inspector to determine their knowledge and
use of applicable procedures during and prior to the overpressure transient.
They all stated that no specific procedure existed that addressed a low tem-
perature overpressure transient. However, portions of the conduct of opera-
,
tions procedure (OP 3260), plant cooldown (C/D) procedure (OP 3208), pressuri-
l zer pressure control procedure (OP 3301G) and the charging and letdown proce-
dure (OP 3304A) were directly applicable. The inspector reviewed these pro-
cedures to determine their applicability and noted that: Step 2.5 of OP 3208
required operators to perform the required surveillances on the COPS subsystem;
l
t
!
!
i
.
. 6
Step 4.20 of OP 3208 required the RCS overpressure protection system to be
in service to prevent exceeding pressure-temperature (P-T): limitations when
less than 350 degrees F; Step 4.22 of OP-3208 notes that changes in RHR flow
rate such as stopping an RHR pump with the plant solid can result in a 140
to 150 psia pressure increase; Step 4.23 of OP 3208 cautions the operator to
have the RHR-CVCS X-tie valve full open and all 3 LD orifice isolation valves
full open; Step 4.26 of OP 3208 cautions that a RHR relief valve should not
be isolated unless a steam bubble exists at low pressure conditions; Step 5.20
requires COPS to be armed at 425 degrees and 700 psia decreasing af ter verify-
ing performance of the required surveillances; Section 8.1 and 8.2 of OP 3301G
requires COPS to be armed when wide range Th and Tc reach 350 degrees F; Sec-
tion 8.3 and 8.4 of OP 3301G requires the operator to check for a charging /
letdown mismatch when pressure is within 30 psi of the COPS setpoint; Section
7.2.7 of OP 3304A cautions operators not to stop charging or letdown during
solid plant conditions since it directly affects pressure control. Step 6.3.1
of OP 3260 directs operators to be aware of system precautions and the ef-
fects of system interrelations and to exercise good operating judgement at
all times. E0P 3505, Loss of Shutdown Cooling, while applicable to reestab-
lishing shutdown cooling, does not address the loss of RHR due to suction
valve closure. Operator actions to establish a suction flowpath and start
the "B" RHR pump were found timely and appropriate for the circumstances that
existed. The inspector noted the frequent reference to the availability of
COPS in the reviewed procedures but concluded that there was no independent
indication that could be used to verify that COPS was armed.
Operators were asked if a procedure specifically addresses LTOP overpressure
transients. They replied that none applied directly but there is indirect
guidance in many operating procedures, and identified the procedures noted
above. The SS and C0 identified at least two COPS-related annunciators in
the control room, but stated that these did not illuminate during the transi-
ent. The inspector questioned alarm response procedure relevance and utility
in post-transient analysis. Upon review, the SS and CD both concluded that
alarm procedure steps applied directly to the event and that, while this type
of review is not normally performed, it should be. The inspector concurred.
The inspector also questioned the operators to determine what actions they
would have taken if pressure continued to increase. They stated that they
would have manually opened the PORVs and doubled their efforts to establish
a letdown flowpath. The inspector noted that the availability of the normal
letdown flowpath during the event lessened the rate of pressure increase.
Had it not been available, the operators stated that they would have opened
the PORVs. Operators also stated that their simulator training emphasized
the need to take manual actions that mimic failed automatic functions.
The inspector concluded that the operator response to the transient was timely
and proper,
,
.
. 7
i
4.0 Engineering Evaluation of the Overpressure Event *
Technical Specification (TS) Figure 3.4-2 limits the allowable pressure-
temperature (P-T) combinations to a predefined set of points on a curve. The
curve bounds acceptable P-T conditions to prevent non-ductile failure of the
reactor vessel. If the curve is exceeded, the P-T combination shall be re-
stored within the curve and an engineering evaluation performed to determine
the effects of the out-of-limit condition on RCS structural integrity. The
inspector reviewed this TS and noted that the curve is very difficult to in-
terpret because the minimum pressure and temperature increments are 1000 psig
and 100 degrees F, respectively. Based on inspection of the curve, the limit
for pressure at 135 degrees F is approximately 500 psig.
After the overpressure transient, the licensee reviewed the curve to determine
if it had been exceeded. The licensee concluded, by strict interpretation
of plant conditions at the time of the event and by their best estimate of
- the limiting pressure, that an out of-limit condition did exist. However,
they concluded that no challenge to RCS integrity existed when the error
,
margins for temperature and pressure and the actual measurement errors as
determined by instrument calibrations performed during the current oatage were
factored into the evaluation. The licensee determined that, at 135 degrees
F, indicated RCS pressure should not exceed 500 psig or 515 psia based on TS
Figure 3.4-2. This value assumes a 60 psi maximum allowance for possible
pressure instrumentation errors and 10 degrees F maximum allowance for pos-
sible temperature instrumentation errors as specified on the figure. This
TS also assumes that the measurements are being made on the indications
located on the main control board. With the curve corrected for these error
allowances to obtain a zero error curve, the maximum allowable pressure at
135 degrees F is 580 psia. Based on Offiste Information System (0FIS) data,
corrected for the maximum possible errors, the maximum pressure reached was
526 psia. The minimum possible temperature recorded on 0FIS at the same time
was 134 degrees F after factoring in the actual calibration errors for the
temperature instrument recorded from the last surveillance. Therefore, the
licensee concluded that the structural integrity of the RCS was not challenged.
The licensee conciuded that the high pressure condition existed for a maximum
of 16 minutes based on the SS log. The inspector concluded that the high
pressure condition existed for less than one minute by analyzing a pressure
trace of the transient generated by 0FIS.
After discussion with the NRC, the licensee agreed to place a hold on plans
to enter Mode 4 until an independent review of their engineering evaluation
was performed. The licensee completed his engineering evaluation on January
25 and forwarded it to the NRC for review. The NRC Region I Materials and
'
Processes Section performed an independent calculation to determine the actual
maximum allowable pressure for an RCS temperature of 125 degrees F at the
vessel's existing neutron fluence. The fluence level considered in the lic-
ensee's TS curve was 10 equivalent full power years (EFPY). Actual plant
fluence is less than 1 EFPY. By using i EFPY, the NRC determined that the
.
,- y _. ._, ,_
_.-. _ __. _ _ _ _ _ -_ _ _ _ _ _ _ _ - _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ - _ - _ _ _
,
s
.p ~
. S
4
actual limiting pressure could be 1680 psig. Therefore, the NRC concluded
~t hat the reactor vessel had not been harmed, and that it was acceptable to
. proceed toward resumption of operation.
5.0 Control of Activities
5.1' Action to Place COPS in Service
Based on a review of shift logs and surveillances, the plant operators
took action to place the COPS in service in preparation for an outage
on the "A" RHR train by placing the control switches for both trains of
COPS into the ARM position at 7:03 p.m. on 1/16/88. The "B" train was
blocked for work on the channel by I&C at 7:27 p.m. After further dis-
cussions with I&C personnel to verify the prerequisites for declaring
COPS operable were satisfied, and after accepting the completed results
for SP 3443A21 and SP 3443821, the control room operator ARMED the "B"
train of COPS at 9:10 p.m. on 1/16/88.
Two issues relative to the above sequence arose during the inspector's
review. The first involved what actions I&C took on the COPS after the
operator removed the "B" Train from service at 7:27 p.m. A second issue
stemming from the shift supervisor's log entries is whether the operators
ARME0 both COPS trains at 7:03 p.m. or only the "B" train. The issue
could not be settled conclusively based on interviews with the operators.
The inspector noted that subsequent entries in the control room operators
log, OPS Form 3672.1-1, suggest that both trains were ARMED since credit
was taken for both trains being available. The licensee was requested
i to address these questions in his follow-up review of the event.
<
Based on the information available to the control room, the operators
believed they could assess COPS operability by (1) observing the control
switches on MB4 in the ARM position; (ii) verifying PORV block valves
,
energized and open; and (iii) observing that the PORVs were energized.
l There is no indication in the control room that the COPS actuation cir-
! cuit is operable. The COPS system was in fact not operable on January
- 16th because the SSPS was removed from service and the operators did not
, recognize that COPS operability depended on SSPS being operable.
[
l The SSPS was tagged out of service on November 3, 1987 per AW0s 87-14469
l
' (Train A) and 87-14470 (Train B) to allow maintenance and test of the
protection system. Tagging orders 3391-87 and 3392-87 were the clearance
tags used to remove the SSPS from service. The SSPS was removed from
service by placing the "Mode Selector Switch" in output cabinet 2 for
both trains from the "Operable" to the "Test" position. This action left
the SSPS inputs operable to provide annunciator function to the control
room but disabled the SSPS outputs to prevent trip signals generated
during testing from being sent to the actuation devices.
.
. 9
Surveillance procedures SP 3443A21 and 3443B21 are used to satisfy the
Technical Specification 4.4.9.3.1 requirements for the COPS operability
demonstration by completing an analog functional operational test on the
PORV actuation channel. However, the surveillance only tests the actu-
ation channel from the RTD and pressure channel inputs into the instru-
ment loops up to the bistable trip on the output of the setpoint com-
parator - e.g. from temperature channel test card NTC1 to the channel
test card NTC on the output of the dual comparator. The trip signal
process path downstream of the dual comparat?r into the SSPS is excluded
from the functional test. The technic:1 spo tfications require that the
channel functional test be performed within 1 days prior to entering
a condition in which the PORV is required to be operable, and once per
31 days thereafter. SP 3442A21 and 3443821 was completed satisfactorily
on 1/7/88. This fact was verified by the operators on 1/16/88. But,
completion of this test alone could not have detected the inoperable COPS
actuation circuit.
Prior to declaring COPS operable, the control room operators requested
verification from I&C that all prerequisites would be satisfied. This
question was addressed internally within the I&C group and when the
question was asked whether SSPS was needed to support COPS operability,
the incorrect conclusion was reached that the SSPS was not needed.
Operating Procedure OP3208, Plant Cooldown, Revision 2, provides the
following instructions to the operator for placing the COPS into service:
--
5.20.1. Verify completion of surveillance per master test schedule.
--
5.20.2. Depressurize RCS per OP 3301G to less than 700 psia.
--
5.20.3. ARM the Train "A" & "B" COPS (MB4).
There is no reference in the procedure to the SSPS, nor a requirement
that the SSPS be operable as a prerequisite to arming COPS.
The training material provided to the operators as part of the license
training program does not explicitly describe the COPS /SSPS interface,
as noted by inspector review of training manual sections on pressurizer
level and pressure control, temperature indicating systems, and the
reactor protection and safeguards actuation system. The training repre-
sentative stated that the training diagrams do show SSPS logic developed
in functional diagrams and the functional diagrams normally are associ-
ated with the SSPS. The training representative stated that COPS arming
switches were added to the simulator in the Spring of 1987, and that the
function was not taught prior to 1984.
Based on review of AW0s 87-16613, 16615, 16616, & 16617 involving the
temperature inputs to the COPS actuation circuits, the inspector noted
that all four cold leg RTOs (3RCS*TY-4138, 4238, 4338 & 4438) were re-
moved from the RCS on November 25, 1987 to protect the instruments from
inadvertent damage during outage activities. In addition to removing
the RTDs, the licensee also pulled the RTO amplifier (NRA) cards in the
-
- __
,
.
. 10
4
control circuit to prevent the amplifiers from saturating while the in-
puts are removed. Removing the NRA cards places a zero volts input to
the low select summing amplifier and has the effect of forcing a PORV
pressure lift setpoint to be as low as possible based on the low tempera-
ture snput. The AW0s showed that RTDs 423B & 433B, which were on the
operable RCS loops, were returned to service on 1/16/88. RTDs 413B &
443B were returned to service on 1/22/88.
Licensee personnel stated that the status of the COPS circuit was re-
viewed and COPS Train B was deemed operable with the disabled temperature
inputs since the system met the OPERABILITY definition of Technical
Specification 1.19: a component is operable when it is capable of per-
forming its specified function. The inspector noted that the net effect
of the disabled inputs produced a conservative PORV lift setpoint. How-
ever, the inspector questioned whether the COPS Train "B" met the intent
of the operability requirements for safety systems of being able to per-
form its intended function in its intended manner, with all necessary
attendant instrumentation and controls capable of performing the related
support function. The inspector noted further that, even if all RTDs _
are installed in the loops, the RTOs will not sense reactor vessel tem-
perature when an RCS loop is isolated since they are located between the
steam generators and the loop stop valves. The wide range pressure in-
struments are located between the loop stop valves and the vessel, and
will sense reactor pressure even if all RCS loops are isolated. Based
on the installed RTO locations, the inspector noted that COPS channels
would not sense actual vessel temperature in isolated loops. But, even
if all four loops are isolated, the COPS would provide conservative trip
setpoints on a vessel heatup transient.
The inspector could not identify a safety concern relative to the above.
However, this item is open pending further NRC review to assure the pro-
tection provided by the COPS is adequate with less than the required
number of inputs, or for operation involving isolated RCS loops (UNR
88-03-01).
The licensee was asked to provide information that showed how the Tech-
nicial Specification 3.4.9.3 requirements were intended to be met during
the outage. Attachment II provides a summary of the systems used to meet
the LCO.
5.2 Control of Turbine Bypass Valve Calibration
On January 19, 1988, when an 1&C Technician, working under automated work
order (AWO) 87-06410, pulled the two FU61 fuses (one for each train) in
the SSPS cabinets, he did so to deenergize relays in the turbine bypass
control system and to allow removal of a block on bypass valve operation.
The turbine bypass system was not required to be operable for the exist-
ing plant conditions. The block was in effect, per the control circuit
design, because RCS temperature was less that the low-low Tave setpoint
of 553 degrees F.
F-
.
. 11
The technician had been working under procedure IC 3490A21 for about a
week to caliorate the positioner circuits for 8 of the 9 turbine bypass
valves. On January 19, the technician was preparing to perform the
calibration on the 9th valve, and to use the loop calibration report,
3 MSS-047A, to calibrate the control circuits for all the valves. The
technician knew he had to remove the low-low Tave interlock to allow
valve motion to complete the loop calibration, but no instructions were
provided in either the AW0 or the applicable procedures on how to remove
the block. The technician had checked with his supervisor about the
planned activities for the day, but had neither requested nor received
guidance on how to accomplish the task of bypassing the inhibits. The
technician had participated in the turbine bypass loop calibration during
the initial plant startup phase, but was not familiar with the actions
taken then to remove the block.
The technician reviewed the turbine bypass control system auxiliary cir-
cuit on drawing ESK-7HX and noted that the block could be removed by de-
energizing relays K727, K725, K702 and K726, which were all powered from
a 120 VAC vital bus circuit through fuse FU61 in the SSPS cabinets. The
technician concluded it would be preferable to pull the circuit fuses,
rather than lift leads to de-energize the relays, and reviewed the in-
terfacing electrical drawings to verify what other circuits are energizcd
through the subject fuses. Pulling the circuit fuses was deemed accept-
able since the system was not required to be operable. The inspector
verified that present licensee administrative controls do not specifically
address the circumstances under which circuits can be de-energized by
pulling fuses.
The technician consulted with control room operators on what would be
required to pull the fuses and on how to identify what other loads may
be powered from the circuit. The technician noted that ESK-7HX refer-
enced one-line diagrams EE-1BF and EE-1BG as the 120 VAC power source
for the turbine control relays, energized via fuse FU61. The technician
reviewed electrical one-line drawings for distribution panels 3VBA*PNL-VB1
& VB2, respectively, and noted that circuit 12 in each panel fed the
turbine control circuits via SSPS Train "A" and Train "B" cabinets,
3RPS*RAK0TA2 and 3RPS*RAK0TB2, respectively. Neither the ESK-7HX or the
EE drawings suggested there were any other loads powered through fuse
FU61 in either circuit (see Attachments 2, 3 & 4). The technician re-
viewed the turbine control circuit wiring further to assure no other
loads were powered from apparent circuit termination end points as shown
on ESK-7HX. None were found.
The technician recognized that the circuit passed through the SSPS, but
he was not familiar with it since it was not one of his assigned systems.
He consulted with another I&C technician experienced with SSPS. This
informal consultation provided only confirmation that pulling the two
,
FU61 fuses would produce the desired effect on the turbine bypass control
system. There was no discussion or consideration of what additional
circuits might be affected via the SSPS. The technician experienced in
.
. 12
SSPS directed the first technician to find an SSPS drawing with FU61
depicted on it. The tech performing the work located Westinghouse (W)
drawing 1083H88 with FU61 on it and also a table that clearly identified
the relay numbers shown on ESK-7HX as providing power to the steam dumps.
The inspector noted that FU61 shown on the lower left hand corner of the
W drawing was shown attached to a short run of wire on both sides of the
fuse, which terminated at two numbered pin locations. The pin locations
were repeated on the upper right hand side of the drawing in contact with
relays which closed contacts that fed the RHR valves shown on another
section of the drawing. The I&C tech showed the drawing to the ex-
perienced SSPS tech and pointed out FU61 and the table containing the
appropriately numbered turbine bypass relays. The experienced SSPS tech
noted the tech's observations and did not question his research any
further. The tech proceeded to the control room to pull fuses. He
reviewed the fuse pulling with the SCO (See Section 3) and pulled the
fuses, causing RHR suction valve closure.
The immediate result of pulling fuse FU61 in SSPS cabinet RAK0TA2 (Train
"A") and fuse FU61 in SSPS cabinet RAK0TB2 (Train "B") was to de-energize
the turbine bypass control relays, as desired, and the K735 relays in
the control circuits for the residual heat removal suction isolation
valves, 3RHS*MV8702A and 8702B. The K735 relays provide the control
logic, developed within SSPS Trains "A" & "B", to close the RHR suction
isolation valves on high RCS pressure at 765 psia, and to open the valves
on low RCS pressure at 390 psia. In addition to de-energizing the K735
relays, pulling the FU61 fuses de-energized other relays powered off the
circuit in the SSPS system, including the following: turbine bypass, SSPS
general warning, SSPS loss of power, source range block, intermediate
range rod stop block, Nuclear Instrument (NI) 35 and 36 bypass, and the
RHR suction isolation valve open interlock.
Pulling the FU61 fuses caused the RHR isolation event and isolated the
only operable RHR relief valve actually providing RCS overpressure pro-
tection. Upon pulling the fuses, the technician went to the control room
to verify his actions had no adverse effects, saw that the operators were
responding to an isolation of the "B" RHR train, assumed his actions may
have caused the problem, and returned to the SSPS cabinets to re-install
the FU61 fuses. Subsequent detailed review of the FU61 turbine bypass
and associated SSPS circuits by the technician and the assistant I&C
foreman identified the additional equipment affected by fuse FU61.
5.a Omwing Control and Adequacy
The I&C tech who pulled the fuses that caused the RHR isolation used many
drawings to determine how to test the steam dumps. He needed to remove
the inhibit placed on the steam dumps from the low temperature condition
(P-12 (a 553 degrees F). The technician vised a loop calibration re-
port drawing for the steam dumps (NU No. 3212-: J324 Sh. 33A) and noted
that Low Tave signal circuitry was shown on ESK-74X (32001). In review-
ing ESK-7HX, the tech noted that he needed to deenergize 5 relays for
__- __ - ______ - ____ .__
.
. 13
each train ("A" & "B") of the steam dumps to allow the required testing.
Also on drawing ESK-7HX, a fuse (FU61) was shown that, if pulled, would
deenergize the 5 turbine bypass low Tave relays. There was one fuse for
the "A" train and one fuse for the "B" train, both labeled as Fuse 61
(FU61). The drawing also showed terminated wire endings at 3 pin loca-
tions(711-1,711-9,711-10). The tech determined, by review of the
actual equipment configuration inside the two SSPS output relay cabinets,
that wire endings were in fact terminated as shown on the drawing. The
tech also identified that the upstream one-line diagrams (EE-1BF and .
EE-1BG) showed one load on circuit 12 of the diagram. The load was
listed as an SSPS auxiliary circuit (ESK 7HX) which led the tech directly
back to the ESK.
The inspector reviewed the mentioned and other pertinent drawings and
conducted interviews with operations and I&C personnel to determine each ,
drawing's use and adequacy. The interface between the EE one-line
diagram and ESK 7HX clearly showed the ESK as the only load. The licen-
see stated that, although ESK 7HX is the only listed load, the location
of the circuit inside the SSPS is significant. He stated that whenever
a drawing from the architect-engineer (S&W ESKs) leads into a vendor
panel, the vendor drawings take priority. The tech partially recognized
this fact when he tried to research the circuit on his own. This I&C '
tech was unfamiliar with the vendor SSPS drawings, made his best attempt
to determine the effects of the fuse pulling, and consulted with a more
knowledgeable technician about the adequacy of his actions. However,
licensee use of a technician not sufficiently experienced and qualified
for the work in progress contributed to the event, as did the insuffi-
ciency of the input of the more experienced I&C technician consulted.
Line I&C supervision was not consulted by the I&C tech doing the work.
The interrelationship between the architect engineer (S&W) and vendor
drawings was not adequately understood by the tech involved. Training
on the limitations of S&W drawings does not clearly identify the need
to refer to vendor prints when they interface with S&W designed systems.
The actual ESK-7HX pin locations that supply the RHR suction valves are
shown between continuous lengths of wire and there is no reference to
the RHR system on the drawing. This type of unmarked referencing to
other drawings is not an isolated case. The licensee stated that, to
adequately understand system interrelationships, personnel involved must
often redraw numerous circuits showing and connecting each pin location
to truly understand the affected systems. This approach is not clearly
defined in the licensee's policies or procedures and, in many instances,
because of the press of daily business, is not performed. This indicates
that multiple drawing inadequacies may exist.
5.4 Conclusions
5.4.1 Operator Knowledge and Procedures
Based on the above, the following factors contributed to the
failure to arm the COPS as intended on 1/16/88:
. . _ _ _ _ _ _ - _ _ - . - _ _ _ _
. _ _ _ _ _ _
~
[IT},
. .14
The operating procedure _that-addressed actions to arm the ac-
tuating circuit was incomplete and did not reference the in-
terface with'the SSPS. There_is no specific procedure for the
cold overpressure protection system.that would address all
prerequisites needed for system operability.
The operators.were not immediately familiar with the interface
between SSPS and COPS. The operator training program and the
training material provided for_ operator reference do not ex-
plicitly show the SSPS/ COPS interface.
The technical expertise in the I&C. department did not identify
the COPS dependency on the SSPS.
There is a human factors deficiency in the COPS, in that the
design does not provide unambiguous indication to the control-
room operator that the actuating circuit is capable of opening _
the PORVs when the MB4 control switches are in the ARM position.
5.4.2 Drawings
The problem in the EE/ESK interface highlighted by the RHR
event is not an isolated case. While the Architect Engineers
ESK and EE drawings correctly cross referenced each other to
show details pertinent to the turbine bypass control system,
they did not adequately cross reference other drawings showing
additional circuit development within the NSSS vendor's scope
of supply. The I&C technician was not formally trained in the
multiple drawings systems and was thus not apprised of the
limitation.
5.4.3 Technician Qualification on the SSPS Equipment
The technician who performed the work on the turbine bypass
'
valves is a licensee contractor who has worked at the site for
about 3 years beginning with the startup program. He works
in the analog / digital group in the I&C Department and has on-
the-job work experience with the turbine bypass control system.
He has not had formal training on the SSPS system and has had
limited SSPS work experience. The SSPS system is assigned to
the digital group within the I&C Department and is maintained
by different individuals. Although the technician referred
to SSPS drawings in his investigation of circuits affected by
fuse FU61, he was not sufficiently familiar with the SSPS to
thoroughly research the circuit. The informal consultation
with another "SSPS experienced" technician did not provide an
adequate review of the planned activity.
_ . _ .
. . .
.
.
.
. _ . .. ..
_
..
, 15
5.4.4 Procedures
The written instructions provided to the technician in the loop-
calibration report to calibrate the turbine bypass valve and
control system were incomplete in that it did not fully de-
scribe all actions needed to establish plant conditions neces-
sary to perform the work. The licensee subsequently revised
the.3 MSS-047A loop calibration report to provide instructions
- on how to remove the Tave interlock, and the calibration was
! subsequently completed satisfactorily. Other loop calibration
l reports may contain similar limitations. The lack of specific
l instructions placed the technician in a position where he had
to research and implement the action needed to do the work.
6.0 Reportability
Shortly after the event, the licensee reviewed the transient to determine its
reportability. He concluded that the event was not reportable since one RHR
suction relief was available from 9:10 p.m., January 16, and the event occurred'
at 10:54 a.m. , January 19. TS 3.4.9.3 Action Statement "a" allows operation
for up to 7 days with either one PORV or one RHR suction relief out of service.
Therefore, the licensee concluded that he was within the bounds of the action
statement.
The inspector disagreed with the licensee's conclusion on reportability. TS 3.4.9.3 requires one of three overpressure systems to be operable et all times
when less than 350 degrees F. The systems are two RHR suction reliefs, two
PORVs capable of relieving at their COPS setpoint, or a 7 square inch or
larger vent. In order to enter the train "A" outage, the licensee needed to
isolate the "A" RHR train which was providing the required overpressure pro-
tection. Thus, the licensee decided to shift the required overpressure system
to the PORVs. at their COPS setpoint as evidenced by his log entry at 9:10
p.m., January 16. This log entry stated that Train "B" COPS was armed and
that the "A" RHR suction valves were closed. During interviews, shift per-
sonnel stated that COPS was the operable overpressure system. Unbeknownst
to the licensee personnel involved, the COPS function of the PORVs was in-
operable since its operation was blocked due to an SSPS tagout since November
3. Thus, the PORVs were the required overpressure system and neither of them
was operable. TS 3.4.9.3 action b. requires the restoration of either both
PORVs or both RHR suction reitefs within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> when both required PORVs are
inoperable. NRC review concluded that the Itcensee's controls should have
provided definitive determination of PORV COPS operability, and that the
inoperability should have been known to plant personnel. The time at which
the licensee's entry into the 8-hour action statement was measured is the time
at which the inoperability should have been detected, about 9:10 p.m. on
January 16. The PORVs were not restored to an operable status until 4:50 p.m.
January 19 according to the SS log. Therefore, this was a violation of a TS
Limiting Condition for Operation (LCO).
w_-__-___- - _ _ _ - _ _ _ _ _ _ _ - - _ _
.
0 16
The inspector expressed his reportability assessment to the unit superinten-
dent early in his review of the event. The licensee initially disagreed with
the inspector's reportability assessment because one RHR suction relief re-
mained operable. The inspector pointed out the log entry made at 9:10 p.m.,
January 16, and the understanding of the operating shifts regarding COPS.
Additionally, the inspector noted that there was no log entry made to state
that the 7 day time clock of Action Statement a. was entered. The licensee
is reevaluating nis initial reportability conclusion.
7.0 Analysis of Event
The inspector reviewed the event to determine its safety significance. Based
on a review of the events, the inspector noted that plant personnel took ac-
tion to ARM COPS on 1/16/88 and thought that they were then in compliance with
the TS 3.4.9.3 LCO. The COPS was in fact inoperable because of the reliance
on the out-of-service SSPS. There was an operable RCS relief path available
via the online "B" RHR train suction relief valve. This relief path was
available from January 16-19, until the RHR system was isolated during the
pressure transient event.
The bases for Technical Specification 3.4.9.3 states that the RCS will be
protected from pressure transients that could exceed 10 CFR 50 Appendix G
limits by having two operable PORVs or an open RCS vent of at least 7 square
inches. Since the PORV relief capability is less than that of the RHR relief
valves, two operable RHR relief valves also provide adequate pressure protec-
tion. The bases state that one PORV has adequate relieving capacity to pro-
tect the RCS from either of two design basis events: (i) the start of an idle
RCP with less than a 50 degree F delta-T between the RCS cold leg and the
secondary side of the steam generator; or, (ii) the start of a charging pump
and its injection into a water-solid RCS. Thus, adequate protection is
available even in the event of a single active failure of either one of the
two PORVs or two RHR relief valves, whichever is the operable system.
To assure that a mass and heat input transient more severe than those assumed
cannot occur, the technical specifications require lockout of all but one
charging pump and safety injection pump during Mode 5 operations, and prohibit
the start of an idle RCP loop with greater than 50 degrees F delta-T. Addi-
tionally, to further assure overpressure protection, plant operating proce-
dures also require that the normal letdown flow path remain available. During
the period from January 16 until the RHR system isolation on January 19, an
operable relief path existed that was capable of mitigating the design basis
event, albeit from a system different than that assumed to exist by the plant
operators. While there was a low temperature overpressure protection
mechanism for the plant from January 16 to 19, there is a safety concern
about fulfillment of the Technical Specification 3.4.9.3 LCO, in that actuai
plant conditions and the method of satisfying the LCO was different than that
intended by the licensee.
_ _ _
.
. 17
During the RHR isolation event on January 19, a potentially significant event
existed when the operating charging pump continued to run after the established
RHR letdown path was secured. Operator actions at the time were prompt and
appropriate. A relief valve on the letdown line downstream of the orifices
with a setpoint of 600 psig was capable of relieving RCS pressure during the
RHR isolation. The engineering evaluation discussed above demonstrates that
adequate margins remained to the reactor vessel limits. Although the RHR
isolation and RCS pressure increase event on January 19 is a significant event
that highlighted weaknesses in operating procedures, operator and technician
knowledge, drawings, and controls, the actual safety impact of the event was
minimal.
One item that warrants further licensee and NRC staff consideration because
of the potential significance of the isolation event is the question of "what
would the outcome of the transient have been if the operators had not acted
to mitigate the pressure increase." This question was presented to the lic- !
ensee for consideration in his evaluation of the event. '
i 8.0 Summary of Findings
Listed below are some issues to be discussed by the NRC and the licensee at
an enforcement conference.
--
Evaluation of what the January 19th pressure transient outcome would have
been assuming no operator action. 3
1
--
Adequacy of drawings and of training personnel in their use, especially
in interrelationships between drawings from different suppliers (e.g.,
architect-engineer and NSSS vendor drawings). i
--
Assuring that sork affecting SSPS and other safety-related equipment is
performed by personnel having appropriate training, qualifications, and
experience.
--
Adequacy of controls allowing work on turbine bypass control circuits
without tags for pulling fuses, and the duty senior control room operator
on January 19th approving work without reviewing the applicable AWO.
--
Adequacy and utility of Technical Specification curves prescribing
pressure-temperature limits.
,
--
Adequacy of procedures and training on the COPS design and interface with
the SSPS. :
--
Use of alarm response procedures in post-transient reviews.
'
--
Appropriateness of provisions that allow up to 31 days to elapse between
surveilling a system for operability and placing it in operation, and
i
assuring adequacy of supporting equipment configuration in the interim
and afterwards,
t
,
f
6
- . - - . , ,n -,-
.
0 18
--
Adequacy of the surveillance used to determine COPS operability.
--
Lack of positive indication of COPS arming.
--
Development of a specific low temperature overpressure protection proce-
dure, or providing additional guidance in existing procedures to assure
that operators are properly aware of low pressure overprotection fea-
tures' status and that they follow-up quickly, appropriately, and fully
to transients and to losses of overpressure protection.
--
Assumption by the operators that COPS was the available overpressure
system when, in fact, it was not operable. This resulted in the viola-
tion of TS 3.4.9.3 which requires at least one overpressure system to
be available at all times when less than 350 degress F (VIO 88-03-02).
--
The failure to notify the NRC about the overpressure transient via the
Emergency Notification System (ENS) within four hours (VIO 88-03-03).
J