• ~

M AINT MODE h "kI i I ~ TR S l o-100 U

Bhg

~ N,Oi.C 4 ) g , i ~ SHUTDOWN e_t GROUP II " c i .028 c "[3 ahU \\ ^ 8 A ACTIVATE O c 'c S e a 3 C A e 5 4 21 3 : /r-f g 2 (* 7 Pg / I C C T ^ i s p VIBRATION SWITCH e a I \\ C r f ( ( U LOCKOUT c A NOT ~C l b r 1 m__ _y __ _ _ _ _ _ _____ _ _;l ) 2* 7______________________.g__________SHgOww ke ~C (] ' ~ A NOT g 20 ~( l ~>y} L"-- I l *- A_c_ s/a __^ utu.c___^ l, + a ~ b b h"-{' (' I c 3N 7 C B STOP (A l0 p ] C c c g (- r c-a>-<t

• :,c "

SHUTDOWN ry DEACTIVATE V

i ,1 l l I)l' if1 c a @i - o e N ) ) wL oA DN 1G H VI S T C s A i t N T S_ l C_ N y IW T S UO N K N O C ] _gC eI C I T O C 'F, 6 A L l A _1gC R B IV [ mb 3 g p" ._ [! D b R A 5 C os - e - ,C g C Ic 8 s o [ t 8 2 g N 0 w h/ o A A g o T -r u H s C mX S A A e ' (( ? B } ,I!!4 8 ^_ 2 A C._ u 8 5 t l ] I f u 1 C_ ^_ Os E 8_. T Ni-R [^ I C 2 / A. T s 1 t c __ A C S ~ y 8 [3 B y ^- _y_ g]( f A R C, C~ r ~ E* - o t A T T ( rI O u O 02 N N L C A A g C C ,S C ( 4 g-s p I 0" - s d c pv N / ->n E E NT D P WA O O OV M T DI S TT T T UC A N C H E I A S A D M

EMERGENCY MODE lA I I IC IN CTL 3 T wur SHUTDOVvN LOGIC BOARO M AINT MODE "s 3 l I c TR S 0-100 ~ Jg s, ' .A_ not c 18 A/ 1 C A ACi b_-Q-u,Eu hc h S A B A C A B 3 s ] ph 21.006 1 A r g g VIBRATION SWITCH g 6 I ) LOCKOUT -- E l 3 lAccl 2 __A., Not c l 3 24 l5 ~IT SHUTDOWN g s s SIGN AL - l' ^ OT f-+ v 2o y g l l' l_ 4 i ce s/a B A uEu c ahe Pp.. A B A A A e s 12 is ( 6 .v. e 6 'C 3'.006 7 C J g STOP O C ^ f grt( t 1g e m r L__ ______ r in-G ^ lA " I ,gug g g____.L ___________________________________________ ? I i l t

[ ,p" -l l T R A S T N S TS W RN Y 'E O AW C D T O N T S D E U T H L G S A U R H E H NS h M S E E A R T A E L I A A V MT E F A T I T T LV O D R C AI L A A CT W E T E OC E I S D LA R F 1." 0 L' s e I 1 D c 2 I" u g i .i u p 2 5 QO 5 e 1 c 5 sa 5 5 3 8 eo 3 e e3 1 1 B ct 1m 1 2 L 3 2# R e2 3 O v J_ Y v 5 i i8 S v v v o M eW O' o ro S. S. s. S. 4 G S' c e C 2 S S AC E cC E E E i t 1 1 g5 e 3 D R '2 3. N ri 'l i 8 L U 8 207 O m F 1 2 3 c ST3 v 03 P. Sc SP E S 1 A i lU l CR I C E 2 C 1c 6 SN 5SIT 2A o i I R 1L Mk CA T G I 2 S D a 8: W 4 O F R L N8 Q'm ~ 0 B % _* ER _* S T.* 9 2 T A-1 4 0 E I o h 3," Y 8 Y e 2 3 c 8, 3 7 S 1 L-n P. s ES R S a 8 6' S cP S 2 S n G c c P O 1 E E 1 [ I +ll' M; 0 2 1 1 2Y xM S 8 P 5 g A t S G P E l 3

3 08 1

0 Y 0 S 4 P. m~ 3,f v g t S S c P / + g BO* " n i 1 l 2 3 4 5 6 7 8 9 0 2 3 4 5 6 7 8 9 0 0 i 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 2 t 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 llI l l lIl ll1 lll ll1

LOGIC AFTER PART 21 l ESK-11ECA04 0-AS E 101 rwo. sTARTiuc crecuti C93 C84 o DA CB 10AC9Og 103 52 l 104 51 105 1ECA.Sovvits 1EG5.PSY379 g START AIR 107 - Y--O ~ b 1ECS*SOVY238 108

['

DEACTIVATE SHUTDOWNS kCA-PSY218 (" ' ' ' ' } tEGS cSY198 R48-1 1EGS PSY180 S so C 55 5 W' 53 ! Qg E t 110 Ps-40s Ps-ro Ps-se-1 Secs.esYaze R48-2 .iss-1 g,, gg ^ ^ c 1ECS.50VY228 Ps-12e g R48,- 3 113 g 999, D TD2s es so 33 114 \\tej s ze n 8 11 5 i EwCRc. O i START r--- ---1 l @.l_ i,, e '-*-$0 116 - -(D-t -o o-- -- l 2' ' Rm s RESET 4 . tos REuoTE EMERGENCY START 117 $i U 3 t_ _ _ __a 118 2 e m 35-5 FIELD FLASH g L J 1EGS*SOvv318 7019

19 DISCOVERY Engineer determined a trip would occur at 40 psig pressure decreasing EDG vendor maintained ciesel designed not to trip on loss of air j Fuel shutdown cylinder manufacturer confirmed cylinder would actuate below approx. 40 psig Reviewed this discovery with EDG vendor EDG vendor concurred with our fmding i ...,.-,.-..~...,--.,..-e,-,,..mm.,n.---,,.a...,-,,.,-, .n

20 CONDITION DOCUMENTED i Procedures revised in 1990 to require air bottles Original perception (later determined to be i incorrect) was the changes were made to provide makeup air for long term diesel operstion l IST program did not reflect requirements to maintain control air The potential to un-bypass non-emergency trips at l 120# falling was not adequately evaluated

21 INITIAL OPERABILITY i Procedures already in place to connect make-up air Evaluated capability to perform this function - Drop test in IST program used as basis - Two hour time in Ops procedures used - Seismic qualification of compressor skid used I i er

5 22 IXITIAL ACTIONS Informed operations of the importance of performing the actions Ensure actions specified in procedures could be performed - Confirmed 49 air bottles on site - Walk-down ability to connect air bottles - Connection took longer than expected - CR generated

23 PRIORITIES

1. 1 - Operability of diesels
2. 2 - Determine long term fix
3. 3 - Review history of actions

.i

24 LEAKAGE TESTING As found leakage test performed to improve confidence Both diesels tested for as found leakage - No preconditioning - Existing audible leakage - Diesels tested in operation (non-emergency) i As found leakage significantly less than initial IST assumption CAR issued to diesel vendor 9 i

Diesel Air Receiver Decay Times 240 One Air Bank 3solated 200 i i g 160 7 S t 5 y 120 -= = = = = =

== -

=- === = - - n. As-found leakage { (with trip) T = a: 80 IST Acceptance Criteria As-found leakage (w/o trip) k 40 r i h i 0 f 0 8 16 24 32 40 48 56 64 72 Hours after Diesel Start I .l

Diesel Air Receiver Decay Times 240 One Air Bank Isolated 200 i g 160 7 S As-found leakage w/o trip l (220 psig post-start) E [ 120 *-- As-fou'nd leakage - -= = = = = = ~

= = =- === === ===

===

= -- =

=

t (with trip) e a: 80 IST Acceptance Criteria As-found leakage (w/o trip) 40 0 0 8 16 24 32 40 48 56 64 72 Hours after Diesel Start i I

"A 27 LONG TERM FIX A design team was assembled to evaluate the alternatives Design approach also fixes system maintenance issues Contract was developed and released to upgrade system Scope and schedule preceded

1 28 i LONG TERM FIX(cont) I Extenc ed schedule for air system modification 120 psig bypass modification separated from the j base modification and expedited (Part 21 fix) 1E power added to one compressor system on each diesel l Base modification expedited i j i

29 l l TEAM REVIEW Team formed to review history of condition Original licensing basis is silent on function of control air Station personnel were trained that the diesel would not trip on loss of air Procedure changes made in 1990 were to ensure indication and the ability to trip the diesel - not to prevent a trip No direct trip on loss of air exists after Part 21 issue is corrected .~.

30 DESIGN CONCLUSIONS Diesels were designed to run, and provide all safety functions, without control air Diesels do not trip without control air ~ Diesel trip on degrading air is due to diesel original design error discovered at RBS Modification to repair 120# un-bypass restores diesel to original design intent t Pneumatic logic design (air loss) should be further validated t

31 i

SUMMARY

i Questioning attitude by system engineer l discovered generic problem y Acutely aware of the significance of both diesels failing to perform Initial operability was reasonable and timely Part 21 was filec by the vendor on this design l error Work with TDI Owners Group to review design l (FMEA) - River Bend plans to host

32 Historical Perspective Root Cause Mike Krupa Manager, Corporate Assessments

1 33 DISCUSSION POINTS Scope of the Investigation j i i Root Cause Conclusions 1 Perspective on Historical Events l i l l

l 34 ROOT CAUSE ANALYSIS Root cause : Original design error Deficiencies found: - Re-instatement of bypassed trip logic (Part 21) with subsequent inadvertent trip from the 'P4' device - Loss of trip energy in a LOOP (non-safety function) - Loss of annunciators in a LOOP (non-safety function) m

I 35 ? CONTROL AIR FCKCTION The control air system has three functions: - Provides for annunciation of the EDG trip parameters - Shutdown the machine from any mode of operation - Provides for the bypass of the non-emergency trips j Engine design / experience- - Start & Run w/o control air j - Trips are bypassed with control air j - Trips are not functional w/o control air l l I

36 Training & Experience Paradigm Training, operating & testing history j reinforced the design intent RBS staff knew make up air not available in aLOOP l RBS staff knew low control air pressure resulted in: - Illogical annunciator response - Inability to normally shutdown the EDG i i

d 37 HISTORICAL PERSPECTIVE E Original design interface - Trip energy not available with loss of air - Annunciators not available on loss of air - Proceduralized make-up air (1990) Design validation / verification - Pre-operational & surveillance testing ) - Failure modes and effects j i l .j

38 i HISTORICAL PERSPECTIVE Special Report (1989) - Non-valid EDG trip from bearing temperature NRC Telephone call discussed (1990): - long term make-up air supply - moisture discovered in air system - procedures required to provide an alternate j source for air Procedures revised as discussed (1990) i Modification to air dryer completed ~

39 HISTORICAL PERSPECTIVE Change to the lockout set point (EDSFI) - 150 to 120 psig Secondary function bypassed the non-emergency trips - On emergency start this is not a problem since the EDG failed to start - The question on falling pressure during operation was reviewed after the bottles were aroceduralized .i --..-..s.

c i t 40 HISTORICAL PERSPECTIVE (Inspection Report Issues) Guidance for crediting operator action - Generic Letter 91-18 j - Operations Policy 19 - Information Notice 97-78 EDG was shutdown due to a lifted relief i valve (CR 98-0044) l

41 SCMMARY Extensive Review Effort Root Cause: Original Design Error Deficiency was not the lack of air, but the inadvertent trip generated as air pressure decays The documentation, training, and events supported the fact that control air was not required to perform the design function Significance of the interaction of design deficiency was not recognized until June 1998 i i ?

I 42 1 t CORRECTIVE ACTIONS i Dwight Mims General Manager, Plant Operations i \\ I i j

43 CORRECTIVE ACTIONS IMMEDIATE Staged pressurized air bottles / regulators for connection to air system -Improvements to bottle staging / segregation - Air regulators enhanced L s

b 44 l l CORRECTIVE ACTIONS IMMEDIATE ccet) Measured EDG air system leakage - Starting air pressure decay testing performed to obtain "as found" leakage - June 1998 i - Second starting air pressure decay test i performed - October 1998 h

45 CORRECTIVE ACTIONS IMMEDIATE cc 1) Informed operators of effects on control air system when air pressure is degraded . a

t 46 CORRECTIVE ACTIONS Short Term - Corrective action request issued to EDG vendor (vendor issued Part 21) - Initiated special investigation (SERT) team i l I

47 CORRECTIVE ACTIONS

• Short Term

- Modification to the non-emergency trip bypass logic - Class 1E power provided to one compressor on each diesel i

48 CORRECTIVE ACTIONS Long Term - Provide reliable air supply system l - Complete review of control system logic for all modes of operation j l i

49 CORRECTIVE ACTIONS Long Term (cont.) - Update design and licensing basis documentation - Update the vendor manual - Issue system design criteria 1 l

t 50 CORRECTIVE ACTIONS i

• Long Term (cont.)

- Revise training material - Revise operating procedures h t

51 CORRECTIVE ACTIONS Long Term (cont.) - Operating procedures reviewed for generic imalications - Engineering evaluated results of procedure reviews - Revise IST program for air system components , -. ~. - - - - -... - -, _ -

52 i CORRECTIVE ACTIONS u conclusions - Actions were taken to achieve: i Confidence in DG operability and performance of i safety function Improved reliability, availability and reduced operator burden (did not stop at root cause ofissue) ) - Significant effort and resources were applied to: l Assure that cause determination was thorough i Ensure complete understanding of system operation e Ensure related issues were identified ) l

53 CORRECTIVE ACTIONS

• Conclusions (cont.)

- RBS identified the issue to the industry - RBS taking leadership role in Owners Group to Share experience i Improve reliability l Assure common resolution - Lessons learned to be applied toward future problem solving on issues at RBS ---.-..-.,--c

54 SAFETY SIGNIFICANCE EVALUATION Paul Sicard Manager - Safety & Engineering Analysis

55 SAFETY SIGNIFICANCE Div I / II DG's credited for many Ch.15 events, including LOCA l Based on test data: l > 6 hrs before any non-emergency trips could occur Operator actions (use of air bottles) proceduralized Division III unaffected )

Diesel Air Receiver Decay Times 240 One Air Bank isolated 200 i g 160-7S f120< --- -= = -

=

= = = = = = = = = = = = = = = = = = = = = = = = =

= =

o. As-found leakage j (with trip) 1 E E 80 IST Acceptance Criteria As-found leakage (w/o trip) i 40 i 4 0 0 8 16 24 32 40 48 56 64 72 Hours after Diesel Start

57 SAFETY SIGXIFICANCE (cont.) Historic Industry Data: Median LOOP Duration of 1 hour (EPRI TR-110398) Reactor Qdecay: 7.0% at 1 mm.; l 0.78% at 6 hrs; j 0.58% at 14 hrs DG's most critical very early Div I/II DG's fully capable of performing safety ftmetion after LOOP for extendec time without opera 1:or action l 4

u 58 RISK SIGNIFICANCE PRA Analysis Assumptions - No credit for air bottles as backup l - No credit for diesel generator recovery - Plant specific failure rates & maintenance unavailabilities for Div I/II and Div III DG's - Probabilistically credits offsite power j availability and recovery t - No further LOOP recovery after diesels trip ? l 4 i

59 RISK SIGNIFICANCE Core Damage Frequencies: Baseline 1.95E-6/yr. Div I/II DG's run only 6 hrs 2.29E-6/yr. (18% increase) Non-risk significant, per EPRI/NEI PSA Applications Guide 6 hours very conservative bounding basis I I ,4 ,- e w -=r--- e- + m-

60 RISK SIGNIFICANCE: DIV.III DG LNAVAILABLE I Core Damage Frequency: Baseline 1.95E-6/yr. with Div. III DG unavailable 7.24E-6/yr. with Div. III DG unavailable and Div.I/II DG's work only 6 hours 8.72E-6/yr. (+20%)

6I CDF Sensitivities to DG Assumptions 2.38605 2.40E45 - A Baseline 2.20E-05 _ U Div I/II DG's Run only 6 hrs i ';p C Div I or 11 DG Unavailable

• c ' M 2.00E45 _

D Div til DG Unavailable E Div Ill DG Unavailable & W l.80E-05, Div 1/11 Run only 6 hrs ~[ F Div i and 11 DG totally unavailable HF" 1.60E-05 _ 5 ~ 1.40E-05 _ IR.. 1.20E-05 _ -.v Non-Risk Significant U 100E Permanent Change 8.72E46 .. ?s.. k[e 8.00E-06 _ 3.35E-06 7.24 sos my L w...- 6.00E s.o760s 4Gdi 'I!;k$ i=J[

4y#t kyyM f

4.00E 26 @M SW TP $35ses 2.29s 06 N ag Mi$s ed

• W*

2.00E-06 _ %m-g_ g gg gp q 7 0.00E+00 A ' '~ I I I I I l A B C D E F

{ 62 CONCLUSIONS f Greatest safety significance of diesels involves ability to perform safety function i early in event Limited impact on safety significance since I i Div I/II DGs would run for an extended j i period time l CDF increase due to the diesel air issue is non-risk significant per NEI/EPRI PSA Guideline

63 PRE-OPERATIONAL AND SLRVEILLANCE TESTS Rick King Director - Nuclear Safety & Regulatory Affairs

i 64 TESTING

SUMMARY

l l Vendor qualification or pre-operational testing did 4 not adequately verify that the design intent of the control logic was met Surveillance test 3.8.1.13 (24 hour run) was performed per Technical Specification requirements i f

65 DESIGN SAFETY FLNCTION Safety function of control logic: - Maintain non-emergency trips aypassed with diesel running in the emergency mode Allow continued diesel operation in emergency mode on degrading air pressure Allow continued diesel operation in emergency mode without air pressure I

66 1 VENDOR QUALIFICATION AXD PRE-OPERATIONAL TESTING Reviewed design and licensing basis requirements for testing of the subject design feature Vendor testing performed per RG 1.9, IEEE l 387-1977 - Require testing of diesel control and protective systems to ensure they perform their intended application l

67-VESDOR QUALIFICATION AND PRE-OPERATIONAL TESTING Pre-operational testing ) - RG 1.68 guidance specifies testing of the diesel i control system including protective devices whose malfunction or premature actuation may shutdown or defeat the operation of the systems ] l l

68 VENDOR QUALIFICATION AXD PRE-OPERATIONAL TESTIhD

Conclusion:

- While the control logic system was tested, no test of the bypass features involving degrading air pressure was identified - Vendor qualification or pre-operational testing was inadequate to identify the design error - This testing did not verify all design requirements of the control system (that it perform its safety function with loss of control air )

69 SURVEILLANCE 3.8.1.13 Tech Spec Requirements: - Verify diesel load carrying capabilities for a period of > 24 hours - Must be performed consistent with RG 1.108, paragraph C.2.a.3, " Testing" Verify full-load carrying capability for 24 hours Verify voltage and frequency requirements Verify cooling system functions

70 SLRVEILLANCE 3.8.1.13 Additional RG 1.108 Requirements: - Paragraph B, " Discussion" "The testing of the diesel generator unit should simulate, where practicable, the parameters of operation...and environments...that would be expected if actual demand were placed on the system." [ t

71 l SURVEILLANCE 3.8.1.13 Additional RG 1.108 Requirements (cont.) - Paragraph C.1. B " Regulatory Position" / " General" i "The design should include provisions so that the testing of the units will simulate the parameters of operation (outlined in C.2) that would be expected i if actual demand were to be placed on the system." Paragraph C.1.b Sub-paragraph (6) i All diesel generator protective trips should be in force during diesel generator unit testing." cs ~

.? 72 l SURVEILLANCE 3.8.1.13 I

== Conclusion:== ) - Surveillance 3.8.1.13 was intended to test the design load carrying capability - RG 1.108 specifies protective trips should be in force during this test l - Protective trips require air pressure to function - It is acceptable to perform Surveillance 3.8.1.13 with air pressure provided to the control system logic j - RBS is in compliance with SR 3.8.1.13 i l

73 ENFORCEMENT PERSPECTIVE I Rick King Director - Nuclear Safety & Regulatory Affairs l

74 APPARENT VIOLATION Failure of design control measures to adequately verify or l check that the safety-related diesel generator control air l instrument and controls systems remained functional during a LOOP Recognize the manufacturer's design was in error RBS identified the manufacturer's design error Old design error, generic to the industry Disagree with the wording - Manufacturer's design measures did not verify that the diesel would perform its safety function with loss of control air -1

75 APPARENT VIOLATION Failure to maintain diesel generator operability Agree that Part 21 impacted diesel operability A second violation is not warranted given the generic nature of the manufacturer design error l Operator procedure guidance - Operator attends diesel during emergency operation - Procedures recognize need for bottled air As found leakage rate supports time needed to connect air bottles I e

c 76 APPAREST VIOLATION Failure to document, report and promptly correct a significant condition adverse to quality i Disagree with the violation as worded Opportunity in early 1990 was viewed as an enhancement i to provide air for engine shutdown and control system indications. The design error was not identified at that time. Documentation, reporting and corrective action could not be expected without discovery and recognition of the condition i t

77 APPARENT VIOLATION Failure to document, report and promptly correct a significant condition adverse to quality (cont.) Later in 1990 we recognized that non-emergency trips were reinstated below the lockout set point (150 psig, later changed to 120 psig) The significance of this condition was not recognized It was not recognized that this condition would cause a diesel trip Corrective action did not completely address the issue ,-..-r ,+,,-.,n...,...,

78 APPARENT VIOLATION i Failure of pre-operational and operational testing to assure that-the EDG's would perform satisfactorily in service Vendor Qualification or Pre-Operational Testing did not fully assure that the control logic would perform as intended with degrading control air pressure Disagree with the violation of SR 3.8.1.13 (24 hour run) - This surveillance test should be run with diesel trips in force. This l requires control air pressure (RG 1.108) i

79 SAFETY SIGNIFICANCE l Recognize importance of EDGs to safety EDGs would have started and run for a significant period without operator action EDGs would have performed intended safety function with operator action Low actual / potential safety consequences - Non-risk significant m_ = -...

80 1 REGULATORY SIGMFICANCE l i Comprehensive corrective action to address j root cause Condition not programmatic Conditi.on was a generic design error Condition not repetitive or willful i J

81 l CIVIL PENALTY MITIGATION / DIS-CRETION FACTORS l Civil Penalty Mitigation l l 1 l - Identification Credit l - Age of the Issue l Original design issue / pre-operation j o l Prior opportunity to identify /1990 - Corrective Actions Comprehensive Discretion - Issue applicable to other plants / Part 21 issued - Age ofissue / original design error - - ' - - - - - - - ^ ^ - - - - - - - - - - - - - ^

82 SEVERITY LEVEL Condition does not meet criteria for Severity Level I violation-No actual event Condition does not meet criteria for Severity Level II violation - EDGs would have perfonned intended safety function for a period l oftime - Time available for actions by operators to maintain diesel ftmetion l As found leakage tests demonstrated adequate time to perform actions - Operators dispatched to the EDGs routinely - Procedures in place to attend diesel operation and to connect air bottles

83 SEVERITY LEVEL (cont.) If NRC decides a violation is warranted, only one severity level III violation should be considered for the manufacturer's design which was in error Three examples: - Inadequate design - Failure to recognize significance of un-bypassing non-emergency trips - Inadequate vendor qualification testing 1

84 i

SUMMARY

i No civil penalty is warranted - Identification - Corrective action credit Discretion is warranted due to special circumstances - Generic design issue / Part 21 - Age ofissue Conclusion - No violation should be cited - If violation cited, Level III - no civil penalty 6 .e

85 i i i i e t Closing Remarks 1 1 Randy Edington i Vice President, Operations i I I w + -.:}}