ML20150B551
| ML20150B551 | |
| Person / Time | |
|---|---|
| Site: | Beaver Valley |
| Issue date: | 03/09/1988 |
| From: | Lester Tripp NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION I) |
| To: | |
| Shared Package | |
| ML20150B549 | List: |
| References | |
| 50-334-88-12, NUDOCS 8803170047 | |
| Download: ML20150B551 (9) | |
See also: IR 05000334/1988012
Text
.
.
V. S. NUCLEAR REGULATORY COMMISSION
REGION I
Report ilo. :
50-334/88-12
License No.:
Licensee:
Duquesne Light Company
One Oxford Center
301 Grant Street
Pittsburgh, PA 15279
Facility Name: Beaver Valley Power Station, Unit 1
Location:
Shippingport, Pennsylvania
Dates:
March 3-8, 1988
Inspectors:
J. E. Beall, Senior Resident Inspe-tor
S.
. Pir ale, esident Inspector
Approved By:
h
b
-
L ' ell E. Tripp(IChief
' Date
Reactor Projects Section No. 3A
Inspection Su: mary:
Inspection Report No. 50-334/88 12 on March 3-8, 1988
Areas Inspected:
Special resident inspection (48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />) of the event dis-
covered on March 3,1988 which involved the inoperability of two of the four
high-high containment pressure channels due to the placement of the associated
bistables in the bypassed condition.
Results:
Operation with fewer than three operable high-high containment
pressure channels available to automatically start the safety systems designed
to suppress the pressure rise inside containment that would result from a high
j
energy line break was an apparent violation cf Technical Specifications. Addi-
tionally, the lack of control room bypass indication associated with the high-
high containment pressure bistables is an apparent deviation from licensee
commitments in the FSAR.
Licensee investigations and corrective actions were still in progress at the
end of the inspection.
Inspector concerns about related administrative con-
trois were discussed with licensee senior management.
8803170047 890310
ADOCK 05000334
g
.
.
. -
.
TABLE OF CONTENTS
Page
1.
Overview (I.P. No. 93702) . .
1
................
2.
System Description and Requirements
1
)
.............
2.1 Containment Depressurization System.
1
...........
2.2 Requirements . . . . . . . . . . . . .
2
.........
2.2.1
Technical Specifications . . . . . . . . . . . .
2
2.2.2
Final Safety Analysis Report .
2
.........
3.
Sequence of Events. . . . . . . . . . . . . . . . . . . . . . .
3
4.
Control of Outage Activities. . . . . . . . . . . .
4
.....
4.1 Outage Recovery.
4
. . . ..........
.......
4.2 Design Control . . . . . . . . . . . . . . . . . . . . . .
5
5.
Corrective Actions. . . . . . . . . . . . . .
6
.........
5.1
Immediate Corrective Actions . . . . . . . . . . . . . . .
6
5.2
Long-term Corrective Actions . . . . . . . . . . . . . . .
6
6.
Summary of Findings . . . . . . . . . . . . . . . . . . . . . .
7
'
7.
Exit Interview (I.P. No. 30703) . . . . . . . . . . . . .
7
..
)
l
!
i
l
'
e
.
OETAILS
1.0 Overview
On March 3, while operating at 30% power, the licensee identified a condi-
tion that was outside the design basis of the plant. While performing a
Technical Specification (TS) required surveillance test,
two out of the
four high-high containment pressure (HHCP) bistables (1 per channel) were
found to be bypassed. After a brief investigation was unable to identify
any reason for the bistables to be bypassed, the bistables were restored
to operability.
Actuation of two out of four HHCP channels automatically generates a con-
tainment isolation phase B (CIB) sigral.
A CIB signal, in turn, auto-
matically
initiates the containment depressurization system.
By TS 3.3.3.1, Engineered Safety Features Actuation System Instrumentation, the
licensee is required to maintain a minimum of three HHCP channels operable
while in Modes 1 through 3; the above condition had existed since
February 22, 1988. Mode 3 was entered following the sixth refueling out-
age on February 23, 1988.
Single failure of either of the two remaining
operable channels would have rendered the automatic CIB actuation system
The above condition was determined to be outside the design
basis of the plant, which requires that no single failure result in the
loss of a protection function, since February 24,1988 (approximately 8
days). A review of this event was conducted by the resident inspectors to
determine the details of the event with respect to root causes and its
safety
significance.
This special
inspection was conducted between
March 3 and March 8, 1938.
2.0 System Description and Requirements
2.1 Containment Depressurization System
The ESF system initiates the containment depressurization system
(COS) throuch the actuation of a containment Phase B (CIB) signal.
The CIB sigr al 4; generated upon the coincidence of two out of four
high-high containment pressure signals or two out of two manual push-
button signals. The CDS acts to reduce containment building pressure
in the event of a loss of coolant or steam line break accident inside
containment. The CDS cools the containment directly via spray mani-
folds inside containment and limits the release of fission products
1
by absorbing iodine, should it be released into containment. The CIB
signal also isolates and pressurizes the main control room, isolates
reactor plant
iver water from non-safeguards systems and trips non-
essential loads from the emergency powered buses.
.
'
.
.
2
The bistables associated with the HHCP channels are designed to
energize to trip, to avoid spurious actuations of the CDS upon loss
of supply power.
The positions associated with the system final
bistable switches are normal and bypass.
In the normal position,
when the associated setpoint is reached, the bistable will trip and
perform its intended protective function.
In the bypass position,
the actual HHCP condition on that channel does not affect channel
output or system actuation.
This particular design is documented as
being acceptable in the Unit 1 FSAR (Section 7.3.2.1.1) because the
protection channels meet the criteria of IEEE Standard 279-1971,
Criteria for Protection Systems for Nuclear Power Generating Stations.
2.2 Requirements
2.2.1
Technical Specifications
Technical Specification 3.3.2.1,
ESF Actuation
System
Instrumentation, requires that the channels and interlocks
specified in Table 3.3-3 be operable.
The required action
for
actuation
system
instrumentation
channels
specifies
that when the
number of operable
channels is one less than the total number of channels (4),
demonstrate that the minimum channels operable requirement
is met within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
Operation may continue with the
<
inoperable channel bypassed and one channel may be bypassed
for up to two hours for testing per Specification 4.3.2.1.
2.2.2
Final Safety Analysis Report
Section 7.3.2.1 of the Unit 1 FSAR, Instrumentation and
Controls for the ESF System (evaluation of compliance with
IEEE Standard 279-1971) addresses the licensee's commit-
ments with respect to indication of bypassed components.
The FSAR states that, in general, if any analog channel in
the ESF actuation system is taken out of service for any
,
reason, the channel is placed in the tripped mode and the
l
channel trip status light is lit on the control board.
The
channel bistable output relays associated with the contain-
ment spray function are not tripped to ro_;ce the possibil-
ity of inadvertent actuation, but are negated (bypassed)
for test and maintenance purposes.
The FSAR states that a
status light indicating a negated condition is provided for
i
each channel.
)
)
I
i
l
.-
.
.
,
.
3
The FSAR documents the licensee's commitment to IEEE Stand-
ard 279-1971, Criteria For Protection Systems For Nuclear
Generating Station, with respect to ESF System instrumen-
,
tation and controls.
Included in the Standard's require-
ments are single failure and bypass indication criteria.
The single failure criterion states that any single failure
within the system shall nt't prevent proper protection
action at the system level .
The bypass indication criter-
- on states that if the protective action of some part of
the system has been bypassed or deliberately rendered
inoperative for any purpose, this fact shall be continu-
ously indicated in the control room.
3.0 Sequence of Events
On March 3,1988, technicians were in the process of performing periodic
maintenance surveillance procedure, MSP 12.01, P-LM 100A Containment
Pressure Protection Channel I Monthly Test, when they noted that the HHCP
bistable associated with Channel I was in the bypass position.
Checks of
the remaining three channels identified that the bistable associated with
one additional channel (II) was also bypassed.
The bistable switches for
the two remaining channels (III and IV) were in the normal position. The
technicians immediately notified plant operations personnel at 6:05 am on
March 3.
A brief investigation by control room operators could not iden-
tify any apparent reason for the bistables being in the bypass position
!
(e.g., maintenance activities or surveil'ance testing), and both bistables
'
were restored to normal at 6:31 am.
Subsequent discussions determined
that the condition was outside the design basis of the plant, since a
single failure of either operable HHCP channel would render the CIB auto-
matic actuation safety function inoperative.
The licensee subsequently
performed the MSPs for HHCP Channels III and IV and confirmed that both
channels were operable.
The inspector observed the performance of both
MSPs.
1
Licensee investigation into the reason for the bistables being in the
bypass position identified the following. On February 21, 1988, Unit I was
in Mode 5 and performing outage recovery activities. Operations personnel
were performing component restoration steps as outlined in Startup Check-
list A (Cold Shutdown Conditions).
At the same time, technicians were
performing maintenance surveillance procedures.
Startup Checklist A
instructed plant operators to restore the bistable switches associated
with exh of the four HHCP protection channels to the normal position.
Per the associated MSPs (1 per channel), the technicians were instructed
to place the bistable associated with the HHCP channels in the defeat
(bypass) position following completion of the containment pressure pre-
tection channel monthly tests if the plant was in Mode 5 or 6, and in the
normal position if the plant was in Modes 1 through 4.
The MSPs for
Channels I and II were performed while still in Mode 5, hence, the bis-
tables were left in the bypass position. The following sequence of events
.
has been verified by the licensee and has been determined to be the appar-
i
ent reason for having the two bistables in the bypass position:
.
.
.
.
.
4
.
4:05 pm, 2/21/88;
Technicians completed MSP 12.04 on Channel IV
5:30 pm, 2/21/88;
Technicians completed MSP 12.03 on Channel III
NOTE:
At this point, all bistable switches were in the bypass
position.
6:44 pm, 2/21/88;
Operations personnel restored all four bistables
to normal position per Startup Checklist A
1:09 am, 2/22/88;
Technicians completed MSP 12.02 on Channel II
1:27 am, 2/22/88;
Technicians completed MSP 12.01 on Channel
I
NOTE:
At this point, bistable switches for Channels I and II were
in the bypass position.
Channels III and IV were in the
normal position.
2:00 am, 2/23/88;
Unit 1 entered Mode 4 (Hot Shutdown)
7:36 am, 2/24/88;
Unit 1 entered Mode 3 (Hot Standby)
6:05 am, 3/3/88;
Condition of bistable switches for Channels I and
II discovered
6:31 am, 3/3/88;
Bistable switches restored by Operations follow-
'
ing brief investigation.
The inspector asked whether there were provisions and requirements
for channel checks that should have indicated the bypassed condi-
tions. The inspector determined that no such capability or require-
,
ments existed; therefore, it appears that the bypassed channels were
f
identified at the first available opportunity.
4
4.0 Control of Activities
4.1 Outage Recovery
The licensee determined that the cause of the event was the perform-
ance of the two MSPs following the performance of Startup Checklist A
(Cold Shutdown conditions), for additional details, see Section 3.
MSP procedure revisions have been completed to preve it a future
similar occurrence.
During the review of this event, the inspector
determined that Startup Checklist 8 (to be completed when leaving
Mode 5) contains a sig off (Step 22) which states: The containment
oepressurization system is in service ready to function when required,
j
by an automatic spray signal or by manual actuation (all high-high
!
containment pressure comparators in NORMAL).
The step was initialed
as completed on February 22, 1988, during the day shif t (8:00 a.m. -
i
4:00 p.m.).
The licensee stated that Step 22 was included in Startup
i
,
Checklist B only to confirm that the corresponding portion of Startup
Checklist A had been completed.
l
,
.
-
.
.
5
.
The inspector identified several fact,rs which contributed to th'
event.
The MSPs were very general in nature and, as the licenn
identified, did not address imminent Mcde changes.
The control - oi
outage recovery activities displayed weakness in that different
station groups were allowed to perform mutually opposing activities
concurrently.
In particular, Startup Checklist A was not performed
subsequent to all planned maintenance activities, nor were the con-
trols in place to prevent the subsequent switch repositioning per-
formed during the MSPs.
Startup Checklist B was found not to be an
independent check of system status, but placed reliance on the com-
'
pletion of Startup Checklist A sections without either providing
guidance on allowable elapsed time or controls on subsequent activ-
ities.
The cumulative result of these contributory factors was a
period of plant vulnerability to unidentified configuration changes
which, in this case, led to operation cutside the design bases.
It
should be noted that a minor char.ge in the timing of the sequence of
events (e.g.,
technicians complete Channel II testing two hours
later) would have resulted in a complete loss of safety function (CIB
automatic initiation) until discovery 8 days later.
4.2 Design Control
The Beaver Valley Unit 1 Control Room design, as documented in the
FSAR and as originally licensed in 1976, included status lights on
the control board which lit when each bistable asscciated with Con-
tainment Spray, high-high containment pressure (HHCP), was placed in
the negated condition. These status lights were part cf the design
to implement the licensee's commitment to IEEE Standard 279-1971,
"Criteria for Protection Systems for Nuclear Power Generating Sta-
tions." That Standard requires that if the protective action of some
part of the system has been defeated or bypassed, then that fact must
be continuously indicated in the Control Room (see Section 2.2.2).
During the first refueling outage in 1980, the licensee implemented
a station modification (DCP-94) to ef fect automatic ECCS switchover
from the injection phase following a LOCA to the recirculation phase
(RWST empty,
recirculation frun Contair, ment sump).
This design
change was required by the Operating License.
One portion of this
major modification was to provitS the Control Room operators with
visual indication of the trip statis of the Refueling Water Storage
Tank (RWST) low-low level bistable .
The control board lights used
by DCP-94 were those originally used by the HHCP circuits to indicate
that the bistables had been placed in the negated condition; no
replacement HHCP bypassed indication was provided.
i
.
.
.
,
-
.
.
6
The inspector was unable to find any evidence that the safety signif-
icance of deleting HHCP bypassed indication had been evaluated. The
FSAR, as updated in 1982 and amended annually thereafter, still con-
tains text, table and figure references to the HHCP bypassed lights
in Chapter 7.
Licensee investigation concerning the history and
design rationale of DCP-94 was still in progress at the close of the
inspection.
The licensee announced at the exit meeting plans to
reinstall HHCP bypassed indication in the Control Room to correct
this apparent Deviation from FSAR design commitments.
5.0 Corrective Actions
5.1
Immediate Corrective Actions
The licensee initiated several immediate corrective actions following
identification of this event on March 3,1988. Approximately twenty-
six (26) minutes after the identification of the two bypassed HHCP
channels, the licensee restored the channels to the normal position.
- A walkdown of all reactor protection bistables was subsequently con-
ducted, using Operating Manual Table 1-6, Reactor Protection Bistable
Function and Location List. All bistables were found in the normal
alignment.
Additionally, plant operators walked down and verified
,
the normal system alignment positions of specified ESF valves,
switches, breakers and power supplies as per Special Operating Order
,
No. 85-9, Unexplained or Malicious Degradation of S6feguards Oper-
ability.
The licensee elected to implement this Special Operating
Order since the reason for the two bistables being in the bypass
position had not been explained.
The ESF verification identified no
components out of normal system alignment.
The licensee also com-
pleted a review of all maintenance surveillance procedures to deter-
mine if additional procedural deficiencies existed with respect to
protection bistables directed to be placed in off-normal positions
that are dependent upon plant mode. No similar discrepancies of this
l
type were identified.
5.2 Leng-term Corrective Actions
The licensee is currently reviewing licensing documentation, drawings
and applicable codes and standards to determine if additional defici-
encies exist with respect to bypass indications on other system com-
,
ponents.
At the close of this inspection, one additional similar
'
problem had been identified.
Specifically,
the automatic ECCS
switchover feature installed in 1980 is also an energize-to-trip
1
circuit, which uses a normal-bypass switch for testing / maintenance
purposes. It appears that the required remote bypass indication (per
IEEE Standard 279-1971) does not exist for tnis circuit,
j
i
h
-.
,
.-
,
.
7
.
6.0 Summary of Findings
Listed below are some issues to be discussed by the NRC and the licensee
at an enforcement conference.
Adequacy of controls allowing work on safety related equipment during
--
the approach to changes in plant Operating Mode.
Adequacy of safety evaluations for past station modifications invol-
--
ving safety related equipment.
Licensee plans to restore the CIB circuitry to meet original design
--
commitments (i.e., HHCP bypassed indication).
Adequacy of other ESF circuits to meet IEEE Standard 279-1971
--
commitments.
7.
Exit Interview
A summary of findings was presented to the licensee at the exit meeting
on March 8, 1988. In addition to the issues listed in Detail 6 above, the
following conclusions were discussed:
a.
There was an apparent violation of Technical Specification 3.3.2.
which specifies the minimum number of operable ESF actuation syste,
instrumentation channels and which existed from February 24 to
March 3, 1988.
(50-334/88-12-01)
b.
There was an apparent devia ion f rom the FSAR com.mitment to IEEE
Standard 279-1971 which reqtirts indicattor of bypassed protective
action functions in the Control 'lo'Jm.
(50-334/88-12-02)
-