ML20196H444
| ML20196H444 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde, San Onofre  |
| Issue date: | 06/19/1997 |
| From: | Reinhard R AFFILIATION NOT ASSIGNED |
| To: | Racquel Powell NRC OFFICE OF ADMINISTRATION (ADM) |
| Shared Package | |
| ML20196H431 | List: |
| References | |
| FOIA-97-232 NUDOCS 9707250194 | |
| Download: ML20196H444 (35) | |
Text
.
l..
l?l" MORRISON & FOERSTER ur SAN FRANCBCO A170RNEYS AT LAW NEW YOKK LDSANGE12S WASHINGTON,D.C.
SACRAMENTO 425 MARKET STREET IDNDON ORANGE COUNTY SAN FRANCECo.CAIDORNIA 94105 2482 BRUSSELS PAID ALTO TELEPHONE (415)2684000 HONGKONG WAINtJT CREEK TELEFACSTMILE (415)2684522 SINGAPORE DENVER TOKYO June 19,1997 l
Writer's Direct Dial Number (415) 268-7469 l
Mr. Russell Powell FOIA/PA RE(AJEST l
U.S. Nuclear Regulatory Commission (NRC)
CaseNm 9'/- a B A FOIA Officer Dans Flodd.
l,- M - 97 Washington, D.C. 20555-0001 AcdonOR:
Pu/
i RalstedCaso:
Re: Freedom ofInformation Act Request
Dear Mr. Powell:
Pursuant to the Freedom ofInformation Act,5 U.S.C. Q552, we hereby request any documents or materials submitted by the Southem California Edison Company concerning i+s San Onofre nuclear facility in response to the NRC's 1996 (and any later) solicitation.)f admission of problems from licensees. Attached to this letter is a copy of a Wall Street Journal article dated June 18,1997 which describes the specific NRC solicitation effort we have in mind when submitting this request. In addition, we also request any such information submitted by the licensee for the Palos Verde facility in l
Please be advised of our willingness to pay fees for processing this request as described in NRC regulations. The material may be sent to me at the above address.
l Thank you.
l l
Very truly yours, l
Robert J. Reinhard Environmental Analyst 3
l l
kfbbo194'970723 7
i 1
L 3,
- S MQ.*
" NdDhi!$dA, JUNE 18,1997 B1
.4.
l THE WALL STREET J0URNAL.
f I
l
- HARKETPLACE
- h&8 u
L.
.i'
- f XucLear Plants Face Huge Coststo Fit 6. 61 ems i
,. -.,",5 7 4 [..
?fh,
,doinhs.
ve already been By Ross Kusa D(yem T-the lwo rtac-af}
e Staff Reporter of Tuz wau. sTmasT Jovanat
,, tdfit.thl!
~' plant, owned by Unicom Pressure sensors at the Zion nudear-power plant near Chicago won't survive CM., anith(
' ecticut Yankee reac-hot acddents. Until a recent fix, emer-9. tor ed'by Northeast Utill-e er of the Maine gency-coolant monitors were significantly 2007 Closed permanently in December.1996 t*y owners led by Cdh h Power Co.,
inaalrate at the Diablo Canyon plant in i
Northeast Utilities-jdid Mrly shutdown islikelyif
..d tan' Tbdad. A factorin allthese
,.N.
k,iWAi'UliIAMMi' 2013 ] Off-line pending safety reviews. Owner Unicom Co p. says -
jf6]det'ed cost of fixingtechni-I gi neither plant is worth upgrading and both likely wi!I closeC California. Vermont Yankee is studying a g permanentlyaround 2005.
.s.
permanent solution for a ventilation sys-QM,. e. @ eeraMe reae N
i tem that wouldn't supply enough air for 2008 Off-line pending safety reviews. Owners led by Cei*ral 7:
I*
4+
1 control-room operators in a crisis. Suppos-Maine Power say safe or closure likely.
5 cend S Howa& hour. nat edly fall-safe emergency cooling pumps 2009 On-line. Ovmer GPU inc. mufling sale or closura.
w6ufd_
tide plants like Illinova Corp.'s are flawed at the Salem nuclear facility in
,ClintadWitam Centerior's Perry.
O!!fo, pfant; arid GPU Inc.'s Oyster Creek i
l These disdosures are part of an un-cense expires.) More conservative. NRC 1 acility14 ew Jersey, all of which ran f
j usual confessional exercise in which utill-Agency officials say the volunteered infor-
.with varjab e costs around 2.5 cents or commissioner Nils Diaz estimates only one j
ties have told the U.S. Nudear Regulatory mation raises overall safety concerns for Commission of hundreds of cases in which many nudear plants - and analysts and dozen early shutdowns. He won't name, 'rdort according to a Utility Data 4
they have failed to meet the technical power-company executives expect some plants - but the deanup b!I! for decommis. arialysis of 1995 filings, the m 4
termsof theirlicensestooperate.TheNRC older plants may have to spend as much as sioning that many facilities would be in the available. Oyster Creek is slated sure or sale; Illinova and Centerior say began soliciting admissions of problems $100 mi!!!on each to.M to snuff.
vicinity of $7 b!Ilion.
3 l
from the nation's 109 nuclear-power plants Coupled with state t s to deregulate "There's never been a bloodletting like they have since made improvements.
last October partly in response to whistle-power markets, this additional spending this," says Stephen Maloney, a ut111tles Unidom and the other utilities say their blowers' complatnts about its own lax over-may be enough to prompt the early shut-consultant in Boston. Centerior Energy deci$1ons stem from economics, not safety sight at several fadlities.
down of two dozen nudear plants over the Corp.'s president for power generation, concerns. But in the nuclear industry, the The plants were promised freedom next five years, says Bear Stearns analyst Gary Leidich, says: "A lot of utilities are two are inextricably IInked. When regula-from most sanctions, but the exercise is Dan Scotto. (An early shutdown is one looMng really seriously at shutting down if -tors demand more safety precautions and 1
nonetheless proving costly for some: occurring before a plant's operating 11-the; have a big regulatory problem."
Pfcase na7: fb Pbge B4, Cblenn 5
< ~
l
.....e,.-..
v-r--
---w
.w-wrv=---
.y-
".- m y : yw==~ y iT B
- a. v. a. ;.
_,,uh..u
. a.f a _. -..........
m[.
?.'
o INDUSTRY FOCUS Nuc ear Plants Face Huge Costs Cbntinued From Page Bf benefits they bring. Executives cheered oversight, operating costs rise - often to when the NRC's Mr. Diaz, who is consid-levels that aren't competitive with other ered more lenient than Dr. Jackson, said at forms of power pmduction.
a recent regulatory conference that few of Maine Yankee's owners have shelled the findings raise pressing saiety issues.
out $13 million a month for replacement But even Mr. Dias says companies power since December, when the plant was weren't living up to a promise made about taken off-line'so engineers ~couhl fireproof six years ago to make sure they had in control wires as described by licensing place all the safeguards their planning dccuments. Zion told regulators in April documents describe. He notes a recent that some stress monitors on steam tubes spotcheck of the remaining Three Mile would likely fallin the accidents they were Island reactor in Pennsylvania that ques-supposed to help detect, while other de-tioned whether pumps could switch be-Vices were never tested to see if they cobld tween two supplies of coolant quickly withstand high temperatures. Both condi-enough to prevent the reactor's. fuel core tions could make it difficult to prevent a from heating up dangerously during some i
radioactive leak, and the latter problem. accident scenarios.
i "has existed since original installation in Despite the amnesty, the agency may 1973," the plant's report states..
fine owner GPU because the problems To'n Malman, Unicom's chief nuclear weren't found by the company. Govern-officer, cays the devices will be tested and ment inspectors found a similar issue at replaced if necessary before Zion runs the Salem 1;lant in New Jersey, which again:lle says the issues weren't spotted owner Public Service Electric & Gas Co.
before because "we've never had the pledges to fix before restarting the reactor question raised before,"
this summer, la other cases, Diablo Canyon man-Ralph Beedle, senior vice president of agers say that they have since recalibrated the industry-funded Nuclear Energy Insti-the faulty measuring instruments and that tute, acknowledges the findings but says pubile safety wasn't endangered because utilities never made the promise described operators had other ways to measure cool-by Mr. Diaz, who didn't become a commis-ant levels. At the Vermont Yankee nuclear sion member until last year. Rather, says plant, pperators have since set aside more Mr. Beedle, the NRC cut back on its own portable ventilation fans to keep air in the inspections around 1991 because of budget control room breathable in accidents.
tightening.
Collectively, such problems weaken the
'"When you have a vast array of regula-plants' multiple defenses against acci-tions, some things don't get done the way dents, says NRC Chairman Shirley J'ack.
the managers say they should," says Mr.
son. "When we didn't look as hard or as Beedle, who adds that the industry has directly for these issues, the industry made safety progress during the same didn't look either," she says.
period by reducing radiation exposure to Supporung that, the U.S. General Ac-workers. "Are those things that don't get countin'g Office yesterday released an au-done putting the plants at risk? I'd argue' dit criticizing the NRC for tax enforcement no, but in the meantime you take the of its Own rules at the Millstone facility in heat."
Waterford, Conn.; Nebraska's Cooper Early closures will force the ques-plant; and Salem. To improve its effective-tion of whether electriccompany rate-ness, the auditors wrote, the agency must payers or utility shareholders should pay start " holding the licensees accountable for billions of dollars of cleanup expenses, for fixing their plants' problems reore which were supposed to be collected over promptly and addressing management is-the plants' expected life spans. Few plants sues more directly." The reviewers did have yet collected even half of their total praise some recent changes, such as the decammienlaning costs, averaging $582 NRC's insistence that plants meet the million apiece. Unicom estimates it will terms of their licensing documents.
cost $600 million to dispose of the Zion plant Privately, company managers say that after it caes, of which only $250 million
, effort and others begun by Dr. Jackson has been collected. The utility says it may i r.ren't hntified hv the theremental safety seek rate increases to meet the costs.
\\-
ce,anutswer. hasrets t,wrp Palo Verde Nuclear James M. Levine TEL (602)393 5300 Mad Station 7602 a
Generating Station Senior Vice President FAX (602)393-6077 P o. Box 52034 Nuclear Phoenix, AZ 85072-2034 102-03862-JMlJAKKlRJR February 6,1997 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk ffe ! O Mail Station P1-37 Washington, DC 20555-0001
Dear Sirs:
Subject:
Palo Verde Nuclear Generating Station (PVNGS)
Units 1,2, and 3 Docket Nos. STN 50-5281529/530 Voluntary Initiative to Review Final Safety Analysis Report (FSAR)
On October 18,1996, the NRC published revisions to its " General Statement of Policy and Procedure for Enforcement Actions" to address issues associated with departures from the FSAR, 61 Fed. Reg. 54,461 (October, 18, 1996). The purpose of this letter is to inform the NRC that Arizona Public Service (APS) will be conducting a voluntary initiative to review the PVNGS FSAR. Additionally, on January 9,1997 the NRC issued minutes of a November 12,1996 meeting with APS in which this voluntary initiative was discussed. This letter also provides clarification of the intended scope of this initiative as described in those meeting minutes.
The review will verify plant design, operating, testing, and configuration information and descriptions contained in the PVNGS FSAR against the "as-built", "as-operated", and "as-tested" plant as well as the reconstituted design basis. The review will use the PVNGS Condition Reporting process to document and correct any identified discrepancies. The Condition Reporting process includes the attributes of root cause, operability determination, and reportability.
This voluntary initiative will commence in February 1997, and be completed by October 1998. Any changes to the FSAR as a result of this effort will be incorporated in the normal 10 CFR 50.71(e) update of the FSAR.
l l
9 T - 6 (a T T
}
}
.. -... = - -. -.,.. -. -
t-l 'h U.S. Nuclear Regulatory Commission
. ATTN: Document Control Desk l
Voluntary. initiative to Review Final Safety Analysis Report Page 2 Should you have any questions, please contact Scott A. Bauer at (602) 393-5978.
Sincerely, l
.hw<.lO~.m
/
-JMllAKK/RJR/rlh h
cc:
K. E. Perkins L. J. Callan J. W. Clifford -
K. E. Johnston i
J
'l i
i i
l I
l
corrnstrment. hamer,m,. to,rgy.
Palo Verde Nuclear James M. Levine TEL (602)393 5300 Mail Staton 7602 i
Generating Station Senior Vice President FN' t602)393 6077 P O Box 52034 Nuclear Phoenix, AZ 85072 2034 102-03859-JMUAKK/ GAM February 11,1997 I
/
Y Wb U. S. Nuclear Repdatory Commission ATTN: Document Control Desk QV
~
Mail Station P1-37 i
Washington, DC 20555-0001
Reference:
Letter cated October 9,1996, from James A. Taylor, Executive Director for Operations, USNRC, to O. Mark DeMichele, President and Chief Executive Officer, APS," Request for Information Pursuant to 10 CFR 50.54(f) Regarding Adequacy and Availability of Design Bases Information" I
Dear Sirs:
Subject:
Palo Verde Nuclear Generating Station (PVNGS)
Units 1,2, and 3 Docket Nos. STN 50-528/529/530 Response to NRC Request for Information Pursuant to l
10 CFR 50.54(f) Regarding Adequacy and Availability of Design Bases information 4
in the referenced letter, the Nuclear Regulatory Commission (NRC) requested Arizona Public Service Company (APS) to submit information that will provide the NRC added confidence and assurance that PVNGS Units 1,2 and 3 are operated and maintained within the design bases and that any deviations are reconciled in a timely manner. In response, the requested information is provided in the Enclosure to this letter.
APS has performed a number of activities and implemented programs to establish confidence that the PVNGS Units are maintained and operated in accordance with the current design documents and that any deviations will be reconciled in a timely manner.
The facility operating licenses were issued for PVNGS Units 1,2, and 3 in 1985,1986, and 1987, respectively. APS conducted a major design bases project at PVNGS from 1991 through 1995. This project developed design basis manuals (DBMS) for 57 select systems and 9 topical issues, performed validations of the DBMS, and reverified and/or reconstituted design calculations and instrumentation and control system setpoints.
This project was conducted consistent with the guidance in NUMARC 90-12, " Design 8>
mm N-
L l
Response to NRC Request for information Pursuant to 10 CFR 50.54(f) Regarding
- Adequacy and Availability of Design Bases Information l
Page 2 Basis Program Guidelines," dated Octcber 1990. NUMARC 90-12 was endorsed by 3
the NRC as providing a useful framework and worthwhile insights to utilities l
undertaking design basis programs'. APS has also developed the Safety Analysis Basis Document (SADB). This document is a compilation of the detailed information that forms the bases of the PVNGS safety analyses. PVNGS procedures require the DBMS and SABD be kept updated. The documents are accessible to plant personnel.
Appendices A and B in the Enclosure contain descriptions of the development and scope of the design bases and SABD projects.
1 4
l Other projects have been conducted by APS that verified or validated various aspects of the PVNGS design bases. These projects, described in Sections 2.0 and 3.0 of the i
Enclosure, included: 1) the emergency operating procedures rewrite; 2) fire protection l
design reconstitution; 3) equipment qualification enhancement; 4) vendor technical manual project; 5) reload process improvement; 6) reactor power uprate; and 7) i l
improved technical specification conversion. In addition, APS performed a review of i.
corrective action items, audits and assessments, as described in Sections 2.0 and 3.0 l
of the Enclosure, which supports the conclusion that there is adequate confidence that i
PVNGS operating, maintenance and testing procedures; system, structure, and l
component configuration; and performance are consistent with the design bases.
j APS has had design and configuration control and corrective action processes and procedures in place at PVNGS since issuance of the operating liconses. The current i
processes and procedures, described in Sections 1.0 and 4.0 of the Enclosure, have evolved as a result of contituing improvement opportunities and are expected to continue to change when additional improvements are identified. PVNGS personnel are made aware of procedure changes, as procedure compliance is a foundation for PVNGS performance.
The information in the Enclosurt is applicable to all three PVNGS units. The three PVNGS units each utilize the Combustion Engineering System 80 reactor design and were licensed under a common Final Safety Analysis Report. The design / configuration control processes, design reconstitution programs, and corrective action processes are common to the three PVNGS units.
The rationale for concluding that plant procedures, configuration, and performance are i
consistent with the design bases is based, in part, on a reasonable assurance standard
{
consistent with the intent of 10 CFR 50, Appendix A, Criterion 1, and 10 CFR 50, Appendix B. Based on the design-related projects, results of audits, and the evaluations and self-assessments discussed in the Enclosure, APS concludes that i
' NRC Policy Statement, " Availability and Adequacy of Design Bases Information at Nuclear Power Plants," noticed in the Federal Register (57 FR 35455, August 10, 1992).
l l
I l
Response to NRC Request for information Pursuant to 10 CFR 50.54(f) Regarding Adequacy and Availability of Design Bases Information l
Page 3 there is adequate confidence that the configuration and performance of the as-built PVNGS units are consistent with the design bases, and that the current processes and programs provide reasonable assurance that the plant configuration will be maintained consistent with the design bases.
Should you have any questions, please contact Angela K Krainik at (602) 393-5421.
Sincerely, I
/ e/ (
h i
JMUAKK/ GAM /
Enclosure:
Response to NRC Request for Information Pursuant to 10 CFR 50.54(f)
Regarding Adequacy and Availability of Design Bases Information l
cc:
L. J. Callan J. E. Dyer K E. Perkins J. W. Clifford i
K E. Johnston i
i i
l l
l l
Response to NRC Request for information Pursurnt to 10 CFR 50.54(f) R:g rding 1
Adequacy and Availability of Design Bases information Page 4 STATE OF ARIZONA -
)
) ss.
COUNTY OF MARICOPA )
1, J. M. Levine, being first duly swom, do hereby state and affirm that I am Senior Vice President - Nuclear, Anzona Public Service Company (APS), that I am authorized to submit the attached letter and Enclosure on behalf of the company, and that the statements l
in the letter and Enclosure are true and correct to the best of my information, knowledge and belief.
l IA
~
Y J. M. Levine l!
j SwornTo Before Me This //
Day Of /E4nwiu
.1997.
0
/~'
' Notary Public My Commission Expires I
" OFFICIAL SEAL" A. K. Kraink Notmy Public Mzona Egees I
1 i
l t
(
f ENCLOSURE
. Response to NRC Request for Information Pursuant to 10 CFR 50.54(f) Regarding Adequacy and Availability of Design Bases Information i
i l
I i
l i
t
1 i
Response to NRC Request for Information Pursuant to 10 CFR 50.54(f) Regarding Adequacy and Availability of Design Bases Information Table of Contents Paae l
)
l Executive S u m ma ry........................................................................................
1.0 -
Description of engineering design and configuration control processes, i
d including those that implement 10 CFR 50.59,10 CFR 50.71(e), and i
' Appendix B to 10 CFR Part 50. (NRC Request (a])...................................1-1 1.1 I n t rod uct ion...................................................................................
.1.2 General Administrative Controls................................................................. 1 -2 1.2.1 10 C F R 50. 59 P roce s s.................................................
....................1-2 1.2.2 10 CFR 50.71(e) UFSAR Update Process............................................1-3 1.2.3 P roced u re C on tro l............................................................................
1.2.3.1 Procedure Development, Revision and Cancellation...................1-4 1.2.3.2 Temporary Procedure Changes................................................... 1 -4 1.2.4 Verification of Plant Activities...........................................................1 -5 i
1.2.4.1 Worker Verification,........................................................ 1 -5 1.2.4.2 S econd Pa rty Verification..................................................... 1 -5 1.2.4.3 independ ent Verifica tion......................................................... 1 -5 4
1.2.4.4
' Independe nt In s pectio n............................................................ 1 -5 1.2.5 Te s t i ng C on tro l........................................................................... 1 -6 1.2.5.1 S urveillance Te sting................................................................ 1 -6 i
1.2.5.2 Fire P rotection Te sting.......................................................... 1 -6 1.2.5.3 I n-S e rvice Te sti ng...................................................................... 1 i 1.2.5.4 In-Service in spection................................................................... 1 -6 1.2.5.5 -10 CFR Part 50, Appendix J Testing...........................................1-6 1
1.2.5.6-P o st-Maintenar % Te sting....................................................... 1 -7 1.2.5.7 Post-Modification Te sting............................................................. 1 -7 l
1.3 Operational Configuration Controls..........................................................1-7 1.3.1 O pe ra tio n al C ontrol...........................................................................
1.3.1.1 Operational Control of Work....
.............................................1-7 1.3.1.2 Tagging and Clearance Procedures..........................................1-7 1.3.1.3 System Alignment C ontrol.......................................................... 1 -8 l
1.3.1.4 10 CFR Part 50, Appendix R Fire Protection..............................1-9 1.3.1.5 S pe ci al Va ri a nce s......................................................................
1.3.1.6 Operability Determinations..................................................... 1 -10 1.3.2 Maintenance Control.................................................................... J 1.3.2.1 Work C ontrol Proce s s.................................................... 1 -10 1.3.2.2 Deficiency Work Documents.........................,.................... 1-11 1.3.2.3 Repetitive Maintenance.................................................. 1 -1 1 i
1 4
1 Response to NRC Request for information Pursuant to 10 CFR 50.54(f) Regarding Adequacy and Availability of Desigri Bases information g
I
- Table of Contents
^
i Paae I
1.3.2.4 Equipment Qualification (EQ) Work Documents..........................1-12 1.4
' Design Controls...............................................................................
l 1.4.1 De sign Record C ontrol......................................................................... 1 -12 1.4.1.1 Design and Technical Document Control.................................1-12 i
1.4.1.2 Record Administration................................................................
4 i
1.4.2 Configuration Document Update Control............................................1-14 1.4.2.1 Change Identification................................................................. 1 -14 1.4.2.2 C hange N otification................................................................... 1 -14 1.4.2.3 Review Docu me ntation..............................................................
1.4.2.4 R e v i s ion.......................................................................
e l
1.4.3 De sign C hange Control....................................................................... 1 1.4.3.1 Plant Modification Proce ss......................................................... 1 -15
~
1.4.3.2 M a te rial C ontro!....................................................................
1.4.3.3 Nuclear Fuel Reload Process.....................................................1-21 2.0 Rationale for concluding that design bases requirements are translated into operating, maintenance, and testing procedures. (NRC Request (b])... 2 2.1 I n t rod u cti o n...........................................................................
2.2 P roced u ra l C ontrol s.....................................................................
2.3 Ve rificatio n Activiti e s.....................................................................
2.3.1 D e sig n B a se s P roject......................................................................... 2 2.3.2 Safety Analysis Basis Document Project............................................. 2-1 2.3.3 Emergency Operating Procedure (EOP) Rewrite................................ 2-2 2.4 Corrective Actions, Audits and Assessments................................................ 2-2 2.4.1 Main Steam and Feecwater Isolation Valves........................................ 2-2 2.4.2 Control of Main Steam Support Structure Envelope............................. 2-3 2.4.3 PVNGS Nuclear Assurance Audit 95-007, Procurement &
Material Control (April 1995)..................................................................2-3 2.4.4 PVNGS Nuclear Assurance Audit 95-015 Technical Specification /
License Conditions (August 1 99 5 )......................................................... 2-3 2.4.5 PVNGS Nuclear Assurance Audit 96-004, Fuel Integrity / Reactor Safety (March 1996)..............................................................................2-4 2.4.6 PVNGS Nuclear Assurance Audit 96-015, Technical Specification /
License Conditions Operation (August 1 996)...................................... 2-4 2.4.7
. NRC Generic Letter 96 Testing Of Safety-Related Logic Circuits Validation Assessment (Ongoing)....................................................... 2-4 2.4.7.1 Scope...........................................................................................2-4 11
s Response to NRC. Request for information Pursuant to 10 CFR 50.54(f) Regarding Adequacy and Avaliability of Design' Bases information t
Table of Contents
.Page 1
o 2.4.7.2 initial Results.....................................................................
2.4.8. U F SAR Asse ssment..............................................................
i 2.5 C oncl u sion........................................................................... -
4 i b 3.0 -
Rationale for concluding that system,' structure, and component configuration and performance are consistent with the design bases.
- ( N RC Request [c))..................................................................................
L j3.1.
Introd ucti on.................................................................................
I 3.2 Procedural Control s...........................................................................
3.3 Verification Activitie s...................................................................................
e, 3.3.1 -
De sign & se s Project............................................................................ 3 3.3.2
. Fire Protection Design Program and 10 CFR 50, Appendix R 1
R econ stit ution...........................................................................
3.3.2.1 Fire Barrier Design Basis Reconstitution..................................... 3-2 i
3.3.2.2 TH E R M O-LAG i s s u e s.............................................................
I 3.3.2.3.
Safe Shutdown Validation............................................................ 3-2 l
.3.3.3.
Civil Design Basis Walkdown s........................................................... 3-2 3.3.4 Equipment Qualification Enhancement Project..................................... 3-3 i'
3.3.4.1 Scope............................................................................................3-3 3.3.4.2 EQ Enhancement Project............................................................. 3-3 j
3.3.4.3 Results.......................................................................................3-3 i'
3.3.5 Vendor Technical Manual Program And Consolidation Project............. 3-4 4
3.3.6 Core Reload Process improvement Program....................................... 3-4 3.3.7 NRC Generic Letter 89 Motor Operated Valve Program................ 3-4 3.3.7.1 Scope...........................................................................................3-4 0
3.3.7.2 Results.........................................................................................3-5 3.3.8 P ower U prate Project.........................................................................
3.3.9 Improved Technical Specifications Project (ongoing)............................ 3-5 3
3.3.9.1
-Scope......................................................................................3-5 3.3.9.2 Results....................................................................................3-6 3.3.10 ' Unit Specific Lighting Drawing Verifications.......................................... 3 6 3.3.11 Control Wiring Diagram, instrument Loop Wiring Diagram and -
i Document Cross Reference List Verifications...................................... 3-7 3.3.12 - Independent inspection......................................................................
j 3.3.13 System Engineering Plant Walkdowns................................................. 3-8 3.3.14 Evaluation of Reactor Trip Events................................................... 3-8 3.4 Corrective Actions, Audits and Assessments.............................................. 3-8 f
iii
t Response to NRC Request for information Pursuant to 10 CFR 50.54(f) Regarding -
j Adequacy and Availability of Design Bases Information Table of Contents Paae j
.3.4.1 Redundant Overcurrent Protection................................................ 3-8 i
3.4.2 Emergency Diesel Generator Jacket Water Cooler............................... 3-9 F
3.4.3
- Equipment Qualification Condensate Drainage / Accumulation C onfi gurati on........................................................................................ 3; 3.4.4 Steam Line Break Analysis................................................................... 3-9 4
eo
~3.4.5 Fire in U nit 2......................................................................................
3.4.6 Degraded Grid Voltage impact............................................................ 3-10 l
3.4.7 Potential For Auxiliary Feedwater Pump Overspeed.......................... 3-10 L
3.4.8 Potential Air Operated Valve Design Deficiency................................. 3-11 3.4.9 D oo r C ontrol.....................................................................................
3.4.10 E s se n tial C hille rs............................................................................... 3 3.4.11 Tagg ing and C le arance................................................................ 3-12 3.4.12 10 C F R 50. 59 Reviews.................................................................... 3-13 3.4.13 PVNGS Audit 94-016, Equipment Qualification Program (December i
).
1994)................................................................................................3-13 3.4.14 PVNGS Audit 95-004, Design Control (March 1995) and PVNGS Audit 95-021, Safety Systems Outage Modification c
inspection (SSOMI), (December 199 5)............................................. 3-14 4
i 3.4.15 PVNGS Audit 96-002, Engineering & Corrective Action
?-
Effectiveness (March 1 996 )...........................................................
[
3.4.16 PVNGS Audit 96-20, integrated Self-Assessment of PVNGS Maintenance Rule (April 1 996 )........................................................... 3-1 4 3.4.17 PVNGS Audit 96-015, Technical Specifications / License Conditions (August 1996)....................................................................................3-15 s
3.5 C oncl u s io n...................................................................................
i 4.0 Describe the processes for identification of problems and implementation j
of corrective actions, including actions to determine the extent of
,~
problems, actions to prevent recurrence, and reporting to the NRC. (NRC Reque st [d]).....................................................................................
2-4.1
. I ntrod ucti on..........................................................................
4.2 Condition Reporting Process..................................................................... 4-2 4.3 Work C ontrol P roce s s....................................................................
4,4 Warehouse Discrepancy Proce ss............................................................ 4-4 4.5 '
Industry Operating Experience Process............................................... 4-4 4.6 C orrective Action Tra cking..................................................................... 4 -5 i:
1 iv 3
4 4
litesponse to NRC Request for Information Pursuant to 10 CFR 50.54(f) Regarding Adequacy and Availability of Design Bases information 4
. Table of Contents t.
a Paae 4 -
.The overall effectiveness of the current processes and programs in 5.0 concluding that the configuration of the plants is consistent with the design bases. ( N R C Request (e))........................................................................... 5-1 l-5.1 I nt rod uction...........................................................................................
. 5.2 Basis for Overall Effectiveness...................................................................... 5-1 5.2.1, Design Bases and Configuration Validation Projects............................. 5-1 i
5.2.2 Internal Audits and Self Assessments................................................... 5-2 5.2.3 Availability of Design Basis information................................................ 5-2 i
5.2.4 Corrective Action Program Effectiveness............................................. 5-2 l
5.2.5 External Assessments......................................................................... 5-4 i
5.3 C oncl u s io n................................................................................................. 5 k-4 APPENDIX A - DESIGN BASES PROJECT Description of the design bases project (design review program), including
[
- A.0 1
identification of the systems, structures, and components (SSCs), and plant-level design attributes. The description includes how the program
' ensures correctness and accessibility of the design basis information and that the design bases remain current......................................................... A-1 A.1 ~
I n t rod ucti o n..............................................................................................
i A.2 De sign B a sis Manuals (D B M s)................................................................. A-1 A.2.1 P re p a ra t i on..................................................................................... A-1 4
[
A.2.1.1 S y st e m D B M s........................................................................... A-1 A.2.1.2 To pi ca l D B M s................................................................................. A-2 p
A.2.2 - D B M Verifi cation.................................................................................. A A.2.3 D BM Va lidation.....................................................................................
l A.2.3.1 Comprehen sive Validations........................................................ A-2 A.2.3.2 S a m ple Vali dation s........................................................................ A-3 A.2.3.3 Results.....................................................................................A-4
.A.2.3.4 Testing Requirements identified in Design Basis Manual............. A-4 4
A.3 Calculation Reverification and Reconstitution............................................. A-5 A.3.1
- I ntrod uct ion...................................................................................
1 A.3.2 Reverificati on..................................................................................
4
.A.3.3 Recon stitut ion.............................................................................. A A.3.3.'1 Mechanical........................................................................ A-5 i
A.3.3.2 E lectri ca l........................................................................ A-6 I
A.3.3.3 S e tpoi n t s............................................................................ A-6 3
o 9
V w
or..
-.+-z--
y 1.r
+ = - + -
l I.
Response to NRC Request for information Pursu, ant tc 10 CFR 50.54(f) Regarding l-Adequacy and Availability of Design Bases Information
~*
Table of Contents Paae L
A.3.3.4 Civil.............................................................................................A-7 A.3.3.5 Radiation Monitoring..................................................................... A-7 l
A.4 Design Basis Control................................................................................ ;
[
Accessibility.......................................................................................
A.4.1 i
A.4.2 Administrative Controls for Maintaining DBMS...................................... A-7 t'
A.4.3 Training for U sers of DBM s.................................................................... A-7 Table 'A-1, Design Basis Project: Systems............................................................... A-8 L
Table A-2, Design Basis Project: Topicals.............................................................. A-9 APPENDIX B - SAFETY ANALYSIS BASIS DOCUMENT i
B.0 Description of the Safety Analysis Basis Document. The description includes how the program ensures correctness and accessibility of the L
safety analysis basis information and that the safety analysis bases remain current..........................................................................................................B-1 B.1 I n trod u ctio n..................................................................................
B.2 Safety Analysis Basis Document (SABD)...................................................... B-1 8.2.1 Basis...............................................................................................B-1 B.2.2 Purpose.................................................................................................B-2 B.2.3 S ummary of SAB D Contents............................................................... B-3 B.2.3.1 C o m mo n D a t a.....................................................................
B.2.3.2 Events...........................................................................................B-3 B.2.3.3 Systems....................................................................................B-3 B.2.3.4-Reload...........................................................................................B-3 B.2.3.5 M i scell a neou s...................................................................
B.2.3.6 Physics........................................................................................B-4 B.2.4 SAB D Section Application..................................................................... B 4
~
B.2.4.1.
Nuclear Fuel Management (NFM) Application............................... B-4
'B.2.4.2 Engineering Use and Application................................................ B-4 B.3 SABD Maintenance and Administrative Controls.......................................... B-4 B.3.1 Calculation Basis and Change Process................................................ B-4 B.3.2 Implementation..........................................................................
B.4 D ocument at ion.....................................................................
B.4.1 Initial Implementation of SABD.......................................................... B-5 B.4.2 - SAB D U pgrade P roject.....................................................................
B.4.3 Technical Specifications Review......................................................... B-6 B.4.4 Development of SAB D Sections........................................................... B-7 vi
I l-
[
Response to NRC Request for information Pursuant to 10 CFR 50.54(f) Regarding Adequacy and Availability of Design Bases Information l
l Table of Contents l
Paae
(
l B.4.5 Reload Process improvement Program............................................... B-7 1
B.4.5.1 Checklist Development.............................................................. B-7 1
B.4.5.2 C heckli st Application.................................................................... B -7 B.4.6 P e rsonnel Trainin g........................................................................... B-8 j
B.4.7 Acce s s i bili ty....................................................................................
l l
l i
l 1
l l
1 VII
1 J
EXECUTIVE
SUMMARY
i The NRC issued a letter on October 9,1996, requiring each nuclear power plant licensee to submit information that will provide the NRC added confidence and assurance that their nuclear plants are operated and maintained within the desi;;n L
bases and any deviations are reconciled in a timely manner.. Specifically, the NRC i
l required the following information for each licensed unit-1 i
i
- L
.(a)
Description of engineering design and configuration control processes, including L
- those that implement 10 CFR 50.59,10 CFR 50.71(e), and Appendix B to g
10 CFR 50; i
'(b)
Rationale for concluding that design bases requirements are translated into i
operating, maintenance, and testing procedures; (c)
Rationale for concluding that system, structure, and component configuration i
and performance are consistent with the design bases; i.
(d)
Processes for identification of problems and implementation of corrective l
actions, including actions to determine the extent of problems, actions to prevent j
recurrence, and reporting to NRC; and (e)
The.overall effectiveness of current processes and programs in concluding that i
the configuration of the plants is consistent with the design bases.
't in addition, the NRC request states that in responding'to items (a) through (e), indicate whether any design review or reconstitution programs have been undertaken, and if so, provide a description of the review programs, including identification of the systems, structures, and components and plant-level design attributes.
Responses to each of the items requested by the NRC are provided in this Enclosure and are briefly described below.
Section 1.0, the response to NRC request (a), describes the current PVNGS engineering design and configuration control processes, including the specific elements that implement the requirements of 10 CFR 50.59,10 CFR 50.71(e) and
. Appendix B to 10 CFR Part 50. The processes described include those for general
' administrative controls, operational configuration controls, and design controls. The general administrative controls include those for 10 CFR 50.59 screeninglevaluation, 10 CFR 50.71(e) UFSAR update, procedure control, verification of plant activities, and
. testing control. The operational configuration controls include operational control and maintenance control. The design controls include desigr' record control, configuration document update control, and design change control.
viii
k i
l Section 2.0, the response to NRC request (b), provides a three-fold basis for l
concluding that design bases requirements are translated into operating, maintenance, and testing procedures. The first basis is that procedural controls have been l
implemented to ensure design bases information is kept current in plant procedures.
l l
Secondly, verification activities have reviewed the content of selected plant procedures against the design bases. The third basis is that the results of a review of corrective action items, audits, and assessments support the conclusion that there is adequate j
confidence the operating, maintenance, and testing procedures are consistent with the i-design bases.
Section 3.0, the response to NRC request (c), provides a three-fold basis for concluding that system, structure, and component configuration and performance are
= consistent with the design bases. The first basis is that procedural controls have been implemented to ensure operations, maintenance, modifications, and testing are conducted in a manner which maintains configuration and performance consistent with the design bases. Secondly, verification activities, including periodic testing, have i
.been conducted validating the actual plant configuration and performance against the design bases. The third basis is that the results of a review of corrective action items, j-audits, and assessments support the conclusion that there is adequate confidence that system, structure, and component configuration and performance are consistent with 1
i the design bases.
Design review or reconstitution programs undertaken at PVNGS include the design bases project and Safety Analysis Basis Document project. These projects are referenced in Sections 2.0 and 3.0 in the Enclosure, and are described in detail in j
Appendices A and B.
Section 4.0, the response to NRC request (d), provides a description of the PVNGS corrective action program. The PVNGS corrective action program consists of..
i processes that are used when adverse conditions are identified. The processes provide for determining the atent of the condition, developing corrective actions to prevent recurrence of significant adverse conditions, and identifying the potential need c
to report the. condition to regulatory agencies. The three processes that make up the PVNGS corrective action program are: 1) the condition reporting process; 2) the work
. control process; and 3) the warehouse deficiency process.
r Section 5.0, the response to NRC request (e), describes the overall effectiveness of the current processes and programs in place at PVNGS and concludes that there is adequate confidence that the configuration and performance of the as-built PVNGS units are consistent with the design bases, and that the current PVNGS processes and programs provide reasonable assurance that plant configuration will be maintained a
consistent with the design bases. This conclusion is based on: 1) design bases project i
and other verification activities that provide a baseline of conformance to the design i
-bases; 2) results from internal audits and self-assessments indicate that, overall, the processes important to maintaining plant configuration are effective; 3) design bases
}
lx
-. - ~.
. +
1 information is readily available to the plant staff for comparison against plant configuration and identification of configuration issues; 4) an effective corrective action
)
]
program assures issues which could effect design basis or plant configuration are resolved in a timely manner; and 5) positive feedback from extemal assessments that -
provide an additional cbjective viewpoint of the PVNGS processes and programs.
Appendix A contains a description of the PVNGS design bases project that was performed during the period of 1991-1995, The design bases project, which utilized the j
guidance of NUMARC 90-12, included the preparation, reverification, and validation of design basis manuals, and the reverification and/or reconstitution of design calculations and setpoints.
. Appendix B contains a description of the Safety Analysis Basis Document project. The Safety Analysis Basis Document is a compilation of the detailed information that forms 4
the bases of the PVNGS safety analysis. This project, completed in 1996 by APS and 4
Asea Brown Boveri-Combustion Engineering personnel, included a design review of
- the documents that were used to produce the PVNGS UFSAR and subsequent core l
reload analyses.
l.
Based upon the above, APS concludes that there is adequate confidence that the configuration and performance of the as-built PVNGS units are consistent with the design basis and that the current processes and programs provide reasonable assurance that plant configuration will be maintained consistent with the design basis.
e 5
i i
i l
j X
i
?
1.0 Description of engineering design and configuration control processes, including those that implement 10 CFR 50.59,10 CFR 50.71(e), and Appendix B to 10 CFR Part 50. - (NRC Request [a])
1-
-1.1
. Introduction The following provides a description of the engineering design and configuration control processes in place at PVNGS including those that implement 10 CFR 50.59, 10 CFR 50.71(e) and Appendix B to 10 CFR Part 50.
The PVNGS administrative and configuration control processes contained within the administrative control program are used to operate, maintain, test and change PVNGS i
systems, structures and components within the specifications, limitations and requirements
- of the design bases and licensing requirements. Administrative and configuration control 1
i processes, defined in approved and controlled procedures, comply with 10 CFR Part 50, i
. Appendix B and implement the requirements of 10 CFR 50.59 and 10 CFR 50.71(e). These
.i processes have been in place since initial licensing and are subject to continuous improvements.
Administrative control program' procedures contain the required processes to technically review and approve procedure and configuration changes prior to implementation and to L
maintain the design bases documentation as current and accessible.
This section provides summary descriptions of the current processes for general -
administrative control, operational configuration control and design control, including those which implement 10 CFR 50.59,10 CFR 50.71(e) and 10 CFR 50, Appendix B. The following processes are described:
General administrative controls, including:
10 CFR 50.59 process; 10 CFR 50.71(e) UFSAR update process; e
_ procedure control; e
verification of plant activities; and e
testing control.
e Operational configuration controls, including:
operational control; and e
maintenance control.
e Design controls, including:
design record control; e
configuration document update control; e
design change _ control, including; plant modification process; e
1-1
.__.7_..
J e
material control process; and f
. nuclear fuel reload process.
[
1.2 General Administrative Controls 1.2.1 10 CFR 50.59 Process I
Proce' ural controls are in place at PVNGS that implement the requirements of d
j 10 CFR 50.59. These controls ensure that prior NRC approval is obtained for clianges in
' the facility or procedures described in the Updated Final Safety Analysis Report
~(UFSAR), or tests or experiments not described in the UFSAR, that involve an unreviewed safety question or a Technical Specification change. The controls include:
- A 10 CFR 50.59 procedure that provides a single source reference for site i,
compliance with 10 CFR 50.59; and i
- specific requirements in the engineering design and configuration control
}
processes to assure compliance with 10 CFR 50.
The 10 CFR 50.59 procedure incorporates NRC guidance and the guidance of the nuclear industry document, NSAC-125, " Guidelines for 10 CFR 50.59 Safety Evaluations." The 10 CFR 50.59 procedure:
l ll provides an initial four-question screening to determine if a proposed change requires a Technical Specification change or a 10 CFR 50.59 evaluation;
[
provides a seven question evaluation, if needed as identified by the initial i
screening, to determine if the change involves an unreviewed safety question; e defines specific responsibilities of personnel performing or independently l
reviewing a 10 CFR 50.59 screening / evaluation; h
- requires specific training and qualification for personnel performing a 10 CFR 50.59 screening / evaluation, including initial and biennial training, and requires specific training and qualification for personnel' performing an e
[
independent review of a 10 CFR 50.59 screening / evaluation, including initial and biennial training.
i
[
The 10 CFR 50.59 procedure and required training include references to documents used when performing 10 CFR 50.59 screenings and evaluations. Many of these U
documents, including the text of the operating licenses, Technical Specifications, UFSAR, l
NRC safety evaluation reports, design documents and the safety analysis basis
[
- document, are available to station personnel electronically on the computer network to be used as aids for finding information in the controlled documents.
4 i
1 i
l 12 i~
l
l 10 CFR 50.59 semenings/ evaluations are performed in conjunction with other processes when applicable. The following engineering design and configuration control processes, described in section 1.0, contain requirements to assess changes and perform 10 CFR 50.59 screenings / evaluations when needed to ensure compliance with 10 CFR 50.59:
procedure development, revision and cancellation; e
deficiency work documents; modification development and preparation; e
modification implementation; e
temporary modification process; e-material evaluations; e
i material discrepancy notice; and nuclear fuel reload analysis.
e 1.2.2 10 CFR 50.71(e) UFSAR Update Process The requirement of 10 CFR 50.71(e) to update the Updated Final Safety Analysis Report (UFSAR) is implemented at PVNGS by administrative control procedures. -The licensing document maintenance procedure establishes the process to capture the identified UFSAR changes for submittal to NRC in periodic updates. The specific steps in the engineering design and configuration control processes that require changes be assessed to ensure compliance with 10 CFR 50.71(e) are identified in the process descriptions in this enclosure. Changes in the UFSAR originating from other than plant j
changes or procedure changes can also be made to ensure the UFSAR is maintained as current. The following process elements include requirements to identify and document required UFSAR changes for compliance with 10 CFR 50.71(e):
1 1
procedure development, revision and cancellation; modification development and preparation; and nuclear fuel reload analysis.
e The UFSAR text is available to plant personnel electronically for full-text computer searches as an aid to identifying the effects of plant changes on the controlled UFSAR and performing 10 CFR 50.59 screenings / evaluations.
l I
l l
1-3 i
+
l
~
1.2.3 Procedure Control The following processes comply with the requirements of 10 CFR Part 50, Appendix B, to.
provide assurance that applicable design bases, as defined in 10 CFR 50.2, are correctly
. translated into procedures used to operate, maintain and test systems, structures and.
components.
1.2.3.1 - Procedure Development, Revision and Cancellation PVNGS procedures require that prior to developing, revising or canceling a procedure, a determination be made if the procedure action is within the design bases and licensing requirernents; if not, a 10 CFR 50.59 screening / evaluation is required.
l The UFSAR is updated as necessary, Procedure controls:
j e. define qualification requirements for personnel performing procedure technical reviews; l
require the responsible procedure owner to assign personnel that are familiar with procedure control requirements for procedure development, revision and cancellation; require identification and performance of appropriate cross-organization reviews; require procedure changes to be coordinated with changes to other documents; require a technical review; and require verification and validation of the emergency operating procedures.
1.2.3.2 Temporary Procedure Changes
. Procedures control and do ument temporary chenges to implementing procedures.
Emergency operating procedures are excluded from the temporary change process.
Temporary procedure char,ges:
are reviewed to assure the change does not alter the objective of the procedure or affect the design bases or licensing requirements; are approved by two members of the supervisory staff, one of which is a shift j
supervisor or control room supervisor with an SRO license on the affected j
j unit; and l~
are reviewed and approved through the normal procedure revision process within fourteen days and incorporated by revision or canceled.
I p
1-4
_ _ _ ~ -.
~. _ _ _ _. _ _ _. _ _ _ _ _.. _ _, _ _ _. _... _ _. _ _ _ _
2 I
i 1.2.4 Verification of Plant Activities 1
. Verification of plant activities is provided in applicable procedures to implement Quality l
Assurance requirements in accordance with UFSAR section 17.2.4.2. Verification j
activities consist of 1
e worker verifications, a
second party verifications; e
l independent verifications; and j
i e
i e
independent inspections.
Verifications are performed for the purpose of establishinC acceptance of activities and structures, systems and components within the Quality Assurance scope. Instructions are included for:
identification of activities requiring a verification; e
identification of structures,- systems and components requiring verification; e
identification of the organization responsible for the verification; and e
e documentation of the verification.
1.2.4.1 Worker Verification j
Worker verification provides a confirmation of the activity quality provided by the j
worker who performed the tasks (i.e., the worker checks the quality of his/her own j
task [s]).~
l l
1.2.4.2-Second Party Verification
'l Second party verification is performed during activities where a second check of the work is desired to provide an additional measure of the quality of the work performed.
L 1.2.4.3 Independent Verification i
Independent verification is performed on activities where an independent review of I
correct performance is desired or when required by code, standard, or regulatory
- commitment.
1 1
1.2.4.4 Independent inspection j
L Independent inspection is performed on activities in which a high degree of independence is desired to assure correct performance was accomplished or when i
j required by code,' standard, or regulatory commitment.
15
. _ _. _. _. - ~
i L
I p
1.2.5 Testing Control Test controls provide assurance that adequate testing is performed to demonstrate l:
systems, structures and components ability to perform satisfactorily while in service.
These controls include:
e. performing tests in accordance with reviewed, approved and controlled test instructions which incorporate, reference, or are bounded by the requirements
)
and acceptance criteria from applicable design documents; l
i i
determining the extent of testing based on the complexity of the modification or maintenance ;
requirements for control of jumpers and lifted leads ; and providing for the returning of systems to operational configuration after test i
completion including verifications as required.
Types of tests performed include:
l 1
1.2.5.1 Surveillance Testing Testing used to implement surveillance requirements identified in PVNGS Technical Specifications.
1.2.5.2 Fire Protection Testing Performed to verify features properly function and continue to meet design
)
requirements of the fire protection system.
1 1.2.5.3 in-Service Testing _
Periodic testing of certain ASME Code Class 1,2, and 3 safety-related pumps and valves performed to assess operational readiness in accordance with the coda.
r.
ASME pump and valve testing results are reviewed in accordance with the requirements of ASME Section XI, and corrective actions are taken for results which fall in alert and/or required action ranges, as defined in the ASME code.
1 i
1.2.5.4 in-Service inspection Performed periodically to examine ASME Code Class 1,2, and 3 components and their supports to assess their structural and leak-tight integrity.
1.2.5.5 10 CFR Part 50, Appendix J Testing
{
Performed periodically to verify the leakage integrity of the containment building.
1-6
l l
I l
f 1.2.5.6 Post-Maintenance Testing Performed to determine satisfactory completion of a maintenance activity, that plant equipment configuration was not altered, and that the identified problem has been l
corrected.
1.2.5.7 Post-Modification Testing l
Performed to validate satisfactory configuration change completion by performance of pre-approved test (s) that verify systems, structures and components are capable of performing in accordance with the design requirements.
1.3 Operational Configuration Controis l
The following operational administrative controls are used to maintain configuration control within design bases and license requirements during plant operation.
1.3.1 Operational Control 1.3.1.1 Operational Control of Work Requirements for operations review and approval of work are defined in procedures, which iticlude:
review of the work document for effect on the plant, reportability and equipment operability; review and approval of retest requirements and changes as specified in the work document; review and approval of scheduled and emergent work prior to performance; review and tracking of equipment operability status for Technical Specification and fire protection compliance; verification of completion of operations retest requirements; an.
declaration of operability and restoration to service.
1.3.1.2 Tagging and Clearance Procedures f
Tagging and clearance procedures are used by the operations staff to control plant configuration consistent with design requirements and provide safe equipment conditions for maintenance, modifications or testing. Tagging and clearance procedures:
define responsibility in determining whether equipment may be removed from e
l service; specify authority to release equipment for work; e
17
f t
l
- require reviews for overall effect on plant; require identification by tags when in a controlled condition;
' require independent tag placement and equipment alignment verification;
- require review and approval prior to modifying clearance;.
require restoration prior to returning equipment to service; and u'
- provide for independent verification, as required.
1.3.1.3 System Alignment Control Controlling system alignment consistent with design requirements is provided in procedures that include:
methods of verification, including:
- - self checking;-
concurrent verification; and j
l independent verification; e
identification of activities requiring verification; e
system lineups provided as appendices; e
i reviews of system alignment changes by the Shift Supervisor, Control Room e
Supervisor, or Work Control Senior Reactor Operator prior to performance; methods for verifying the desired position of the component; e
requirements for d.cumentation of component position changes; e
requirements for the locking of valves, breakers, and components which L
include:
major valves in the flowpath of safety-related systerns; f
valves that affect major plant equipment or evolutions; e
locking required to meet licensing requirements; e
periodic verification of locking and correct position; and e
1 independent verification for restoration.
e d
i L
18 l
l
requirements in Modes 1 - 4 that components are aligned to their normal position on restoration of the last clearance. If the component is not retumed to normal position then a clearance remains in place or a special variance is approved to track the deviation from the normal alignment;
- - requirements in Modes 5 and 6 that components are aligned to their normal l
position on functional systems; documentation of independent verification of restoration of designated systems; and requirements for functional testing following manual operation of motor-operated valves.
1.3.1.4 10 CFR Part 50, Appendix R Fire Protection Controls are provided in procedures to assure safe shutdown equipment is identified and maintained in a configuration that supports safe shutdown capability in
- compliance with Generic Letter 81-12 and 10 CFR Part 50, Appendix R as identified in the UFSAR. These controls include:
identification, in an electronic equipment database, of safe shutdown equipment required during fire events; identification of safe shutdown and fire protection equipment in work documents by electronic link to the equipment database; i
identification and tracking of degraded or impaired safe shutdown equipment e
required during fire events, and the implementation of appropriate I
compensatory measures-i identification, in an electronic cable and raceway database, of 10 CFR 50, Appendix R cables; and identification, in the electronic cable and raceway database, of 10 CFR 50, e
Appendix R cable raceways requiring separation.
1.3.1.5 Special Variances Special variances are used by the Operations Department to document, review and approve temporary changes to operating, abnormal operating and alarm response procedures when current equipment configuration requires a change to the l
procedure. This process requires:
i evaluation to confirm the change does not alter the objective of the procedure l
or affect design or license requirements; i
1-9
?
I L
i technical review and approval of the change by two members of the -
i e
l operations supervisory staff, one of which is the Shift Supervisor or the -
1 Control Room Supervisor.with an SRO license;
- the Unit Operations Department Leader to review and approve / disapprove the special variance within fourteen days of the initial approval; and cancellation of the special variance when no longer required.
e 1.3.1.6 Operability Determinations -
Operability determinations are conducted to evaluate and document the ability of a system, structure or component to perform its specified function when a1 indication of j
a potential deficiency, loss of quality, degradation or non-conformance is
- encountered. - This determination is performed by approved procedures which j
Implement NRC Generic Letter 91-18. Engineering evaluation is provided iden
. required.
(
1.3.2 Maintenance Control l
Administrative control of work processes is used to maintain operational configuration
)
l consistent with the design bases during maintenance using computer based documents that are linked to controlled equipment and material databases.
1.3.2.1 Work Control Process 1.3.2.1.1 Identification Maintenance work documents identify systems, structures or components requiring maintenance and are reviewed and evaluated by operations personnel for the effect on operable status. Refer to section 4.0 for additional details on the i
corrective action program.
i 1.3.2.1.2 Work Instructions.
Maintenance is performed using a computer based work document that includes the necessary information and controls to rework the system, structure or component to design configuration. Development, approval and use of the work document include:
specification of clearance and tagging requirements; p
development of instructions using controlled equipment databases including e
bills of materials, vendor manuals and design documents; i
[
- - identification of prerequisite activities if required; I
1 10
l l
preparation or incorporation of testing instructions if required for post e
maintenance, operability, and parts provided through the commercial grade
!s.
l dedication process; identification and completion of verification requirements; e
e -identification and verification of correct equipment / system / component; identification of special material storage and handling requirements if e
required; development of requirements for validation of component performance; e
e technical review and approval; a process for review / approval of work document changes; a id
'e i
. operation's operability screening of the work document.
1.3.2.2 Deficiency Work Documents Non-conforming conditions dispositioned as " repair" or "use-as-is" are evaluated by
- engineering using a work document. Documentation includes:
engineering disposition; o
10 CFR 50.59 screening / evaluation; design input review / checklist; e
e' engineering document changes; testing; e
e turnover activitieF configuration document updates; and e-independent technical review / checklist.
e 1.3.2.3 Repetitive Maintenance The repetitive maintenance process consists of activities performed to prevent or predict failu: : of selected plant structures, systems and components. Repetitive maintenance is used to maintain specific structures, systems and components within L
design operating criteria and maximize component life.
l f-1 11
~.. - - - -. ~ - ~ -.
\\
l' l
l l-I 1.3.2.4 Equipment Qualification (EQ) Work Documents l
The maintenance process includes periodic replacement of EQ subcomponents/
l components to maintain the identified equipment qualification. This is implemented L
by EQ work documents. EQ work documents for EQ equipment with an identified qualified life are controlled and tracked using repetitive maintenance tasks with a specific EQ designation.
o i
1.4L. Design Controls The following design control processes utilize approved and controlled documentation that l
includes' procedures, drawings, specifications, calculations, design basis manuals, vendor-technical manuals and non-process software applications / databases to maintain and change 1
L design configuration consistent with the design bases.
l 1.4.1 Design Record Control
~1.4.1.1 Design and Technical Document Control l
'i Procedures provide the requirements, methods, and responsibilities for the control of-design documents that include:
l evaluation of change; implementation and documentation of design input review including review of l
design basis input documents using a checklist; implementation and documentation of independent technical review using a.
b checklist; qualification requirements for performance of design document activities; e
review and approval requirements for design documents and design document e
changes; and engineering design manual control including design basis manuals.
l 1.4.1.2 Record Administration 1.4.1.2.1 Record identification of Unit Affiliation l
' Design documentation numbering identifies documents as:
L unit specific - document supports a single plant unit; common unit - document supports a common system utilized by multiple.
i e
plant units; and multiple unit - document supports multiple plant units.
1 12
. =.
1.4.1.2.2 Records Database Status, distribution and revision of design records are administered utilizing an electronic database. The records database provides status of design documents, as well as identifying and statusing engineering document changes prepared for design changes. Engineering document changes are referenced to the respective plant modification and the engineering documents for which the changes have been prepared.
1.4.1.2.3 Record Updates and Revisions Prior to a structure, system or component being retumed to operability, engineering document changes are attached to control room drawings used for plant operation and safe shutdown. The drawings used include:
piping & instrumentation diagrams; e
single line diagrams; e
elementary diagrams; e
loop diagrams; and e
logic diagrams.
e Upon completion of implementation of a plant modification in a unit, the following activities are initiated, as applicable:
updating the status of the engineering document change (s) in the records e
database to reflect the as-built configuration; incorporation of the unit specific and common unit engineering change e
documents into the design documents to reflect as-built configuration ;
posting of the multiple unit engineering document changes with the design e
documents to reflect as-built configuration; and if the modification is complate for all affected units, incorporation of the e
multiple unit engineering document changes to revise the multiple unit design documents to reflect as-built configuration.
1.4.1.2.4 Record Database Accessibility The records database is computer accessible. This database reflects the current status of design documents and engineering document changes and can be used to determine design change and as-built configurations. Engineering document change incorporation and posting are required within procedurally allotted time durations to maintain design document configuration consistent with as-built configuration.
1 13
d i
4 5
i 1.4.2 Configuration Document Update Control Design control activities for a plant modification include reviews to identify resulting changes to operations and maintenance plant configuration documents including procedures, and other changes such as simulators and training. These reviews are
. based on changes to design output information and result in notificat on of the i
responsible owner for the affected configuration documents. Responsibilities and -
activities include:
i 1.4.2.1 Change identification i
The responsible individual (s) for the plant modification performs the review evaluation during. plant modification development. The evaluation identifies existing plant configuration documents requiring revision due to the plant modification design output document changes. The evaluation is completed by interfacing with the responsible owners for the potentially affected configuration documents.
I 1.4.2.2 Change Notification Once the affected configuration documents are identified, the responsible individual notifies the respective responsible owners of required changes.
1.4.2.3 Review Documentation e
Configuration document reviews are documented, included in and maintained as a j
part of the plant modification document. The documented information includes:
the affected configuration document numbers; j
e the respective responsible. departments; j
e the implementation cycle; i
e scheduled milestone for completion; e
scheduled completion date; e
i actual completion date; and e
verification signature /date.
This information is tracked and statused in a computer database. Summary of the actions performed and/or the justification is also documented.
o
)
4 1 14
4 1.4.2.4 : Revision o
Responsible owners update th affected plant configuration documents in accordance
~
e l
with the scheduled milestones.- The responsible individual verifies and documents that the 'affected plant configuration documents are updated within the identified milestones. Configuration documents used by Operations for plant operations and safe shutdown are completed prior to the affected equipment being retumed to 4
operable status. Other configuration document revisions are initiated as tumover 3
activities following return of affected equipment to operable status and are typically j:
completed prior to plant modification closure completion. Items not completed are -
tracked to completion using the computer database.
i-1.4.3 Design Change Control Changes to structures, systems or components and the design and configuration documents are performed through the plant modifications, material control and nuclear
[
(fuel reload processes.
y
{.
1.4.3.1 Plant Modification Process Plant modification process procedures control changes to plant configuration and -
l define the requirements for initiation / approval, deve.lopment, preparation, implementation and close out. The processes include design modifications, I
temporary modifications and process software changes.
e j-1.4.3.1.1 Modification initiation / Approval l
If a need for a plant modification is identified, engineering:
i interfaces with operations and maintenance; j
e i
investigates technical options; i'
e evaluates pote'tially affected design bases; e
evaluates related regulatory and/or industry concems; e
[
e ' develops a proposed modification; and 4
obtains approval of management.
e 1.4.3.1.2 Modification Development and Preparation A design change document is prepared by engineering that includes and
]
documents, as applicable,:
10 CFR 50.59 screening / evaluation; UFSAR changes if applicable, for compliance with 10 CFR 50.71(e);
I e
1 1-15 y
3 ye-
.,g.
r.ife
.c._w.,
design input review / checklist ;
e design analysis; e
engineering document changes, including design basis manuals, drawings, e
vendor manuals and equipment databases; l
installation specifications and requirements; e
material specifications, requirements and procurement; post modification testing requirements; e
verification testing of changed process software; reviews to identify maintenance and operations configuration document changes including procedures; completion of required discipline and cross-organizational reviews; completion of independent technical review / checklist; required management approvals; and required operations approvals.
a 1.4.3.1.3 Implementation Werk Document Development The work control process controls modification work document development, review and approval. Engineering reviews the document prior to approval. In addition to the work control requirements, the plant modification design requirements specified by engineering are included as required for:
post modification testing; e
verifications of design characteristics; e
installation configuration as-built verification; e
installation specifications and instructions; and e
- - engineering reviews, validations and inspections.
1.4.3.1.4 Modification implementation implementation activities are accomplished by unit specific work documents controlled by a computer database. Implementation includes installation, testing, and turnover, with the affected equipment maintained in a controlled status until released for operation. Documentation changes identified during implementation are resolved by engineering evaluation and disposition that includes:
1-16
- -.... - - - - -. ~. -
~ _...
m review of the existing 10 CFR 50.59 screening / evaluation; l
review of the design analysis and design reviews;
(
i amendment of the design change documentation; and l
e
- independent technical review.
1 1.4.3.1.4.1 Installation Installation activities are performed, coordinated, documented, verified and approved in accordance with a work document. Installation activities are coordinated through operations by approval of the work document and release of the affected equipment for work after prerequisites have been completed and i
the equipment clearances / tagging established. Following completion of.
installation activities, configuration related verification activities include:
required verifications of affected equipment or work; and
- engineering review to verify the installed as-built configuration to design -
documentation that may include walkdowns, if specified by engineering.
1.4.3.1.4.2 Testing Required testing is performed in accordance with instructions included in the approved work document. Testing is coordinated with operations for j
equipment control and plant conditions required to perform the specified testing. If required, the following activities are completed prior to testing:
changes to the clearances / tagging; and functional release of the equipment to operations from maintenance for
=
operation of the equipment during testing.
1.4.3.1.4.3 Turnover to Operations The following unit-specific turnover activities are completed prior to the modified system being returned to operable status:
engineering evaluation and acceptance of the testing results; i
update of the unit specific control room drawings used for plant operation and safe shutdown by attaching the engineering document l
changes; i
update of the configuration documents used for plant operation and safe l
shutdown including procedures;
~
1 17
.-- -... ~
J 3
operations training notification, if required; and e.
closure of the implementation work document..
Operations reviews the activities to accept the modified system for return to i
operable status,
'1.4.3.1.5 Turnover of Records Following turnover of the system to operations, the applicable design change documentation is transmitted for record retention. This action provides as-built i
configuration control by initiating:
status / administration of engineering document changes; l
revision of unit specific and common unit documentation; and i
i e
- - electronic equipment database update.
1.4.3.1.6 Modification Close Out Following modification completion in all affected units, close out activities are 1
completed as applicable including:
multiple unit engineering document change revisions are initiated, including l
i design basis manuals and design databases; 4
configuration document updates not required for plant operation or safe 4
shutdown;
\\
if applicable, the UFSAR change is initiated; and closure of the design change document in the work control database.
l 1.4.3.1.7 Temporary Modification Process I
Temporary modifications (T-Mods) are approved, temporary minor design changes
. to plant components or systems. T-Mod design analysis,10 CFR 50.59 screening / evaluation, design reviews, independent technical reviews and J
approvals are equivalent to those performed for a permanent plant modification.
- The T-Mod procedure provides the requirements for initiation, development, approval, implementation / restoration, close out and conversion to permanent
. design. Additional controls include:
design document annotations for T-Mod specific configuration changes; e
review to identify, document and coordinate affected procedure / document changes such as surveillance tests and operations procedures; specific tagging of each T-Mod in the plant; e
1-18
l e ' semi-annual engineering walk-down of active T-Mods in each unit; and T-Mod copies are maintained the control room area for operations use.
e A T-Mod may be converted to a permanent design change through the plant modification process described in section 1.4.3.1.
1.4.3.1.8 Process Software Control Computer software is controlled as installed plant equipment using the plant modification and maintenance processes. Process software control provided in I
procedure includes:
identification of software configuration for each plant process using its i
e constituent software configuration items; definition and documentation of the design requirements for the process e
computer software in the process computer system's software baseline; and identification, documentation, control, evaluation, and approval or ~
e disapproval of changes to software design requirements or configuration using an approved change control process.
1.4.3.2 Material Control Material control procedures require that materiais procured and issued for use in the plant comply with the design and maintain plant configuration. Design document control and plant configuration control of materials are summarized in the following sections.
1.4.3.2.1 Material Design Documentation Electronic material databases are used to maintain configuration control of materials. Features c ' these databases include:
bill of material data identifying engineering approved material;
~ procurement specification data identifying the technical and administrative e
requirements for procurement; receipt inspection requirements; e
material storage requirements; and e
equipment database records linked to the model specific bill of material.
j e
i 1-19
1.4.3.2.1.1 Material Documentation Changes Material documentation changes are evaluated, documented, and independently reviewed. The development and revision of design data conforms to the following design change control process elements:
modification development and preparation; and
- material evaluations.
1.4.3.2.1.2 Material Evaluations Replacement parts substitution is evaluated to verify the abilities of a replacement component or part to perform the design basis function required of the original component or part. Material evaluations require independent technical review and a 10 CFR 50.59 screening / evaluation.
1.4.3.25 Material Procurement Purchate orders convey material technical and administrative requirements to the manufr,cturer/ vendor. Changes to the purchase order technical requirements are independently verified by engineering. Material which does not pass the required receipt inspection is dispositioned in accordance with the corrective action progtam as described in other sections of this response to NRC Request (d).
4 1.4.3.2.3 Material Storage Material storage requirements are identified in the materials database.
1.4.3.2.4 Material Discrepancy Notice The warehouse discrepancy process is used to document adverse issues associated with the receipt or maintenance of material, parts, and components.
Material discrepancies are dispositioned in accordance with the corrective action program as described in section 4.4.
1.4.3.2.5 Materialissue to the Field Material requests are electronically generated and control release of approved material for installation in the plant, if the requested material is quality related and is not on the controlled bill of material for the equipment identified, an electronic bill of material exception is generated and is evaluated and dispositioned by j
j engineering.
1-20
s i
.1.4.3.3
. Nuclear Fuel Reload Process The nuclear fuel reload process is accomplished in accordance with procedures. The
- process results in the procurement of new fuel assemblies and reload analyses i
validating that each fuel reload conforms to the design bases and licensing i
requirements.
1.4.3.3.1' ~ Fuel Management The fuel management phase includes:
development, review and managemen' t approval of design input ;
e
- use of computer codes to' generate an optimized fuel pattern within fuel design specifications; and documentation and approval of the optimized fuel pattern used to begin fuel e
e assembly procurement and reload analysis.-
1.4.3.3.2' Fuel Assembly Procurement The fuel assembly procurement process is contractually controlled and includes:
uranium conversion and enrichment services; fuel assembly fabrication performed under the vendor's APS approved e
quality assurance program; t
fabrication inspections; and e
assembly receipt inspection.
1.4.3.3.3
. Reload Analysis The reload analysis process implements the applicable requirements of 10 CFR
+
Part 50, Appendix B and UFSAR 17.2. Relcad analyses validate that the fuel reload conforms to the design bases and licensing requirements. The reload analyses include:
l 10 CFR 50.59 screeninglevaluation of reload ;
- identification of the UFSAR and other licensing document changes, as applicable, to comply with 10 CFR 50.71(e);
design input review; e
1 e design basis accident analyses; 1-21
i methodology approved by the NRC and documented in the safety analysis basis document (see Appendix B for a description of the safety analysis basis document);
development of design output products, including:
)
e I
full core load map; plant computer constants; e
core data book; e
I core operating characteristics repott; and start-up test predictions; and e
independent technical review.
1.4.3.3.4 Installation, Verification and Testing The fuel assemblies and reload computer constants are installed in the plant and verified in accordance with procedures. The testing processes, outlined in the procedures, further verify acceptable reactor core fuel loading, design output installation, and core performance using design output products. These processes include:
PVNGS Reactor Start-up and Power Ascension Testing;
.l Reactor Engineering Surveillance Testing; and Core performance monitoring.
l 1 22
l:
i L
2.0 Rationale for concluding that design bases requirements are translated into l
operating, maintenance, and testing procedures. (NRC Request (b])
2.1 Introduction The rationale for concluding that design bases requirements have been translated into operating,' maintenance, and testing procedures has a three-fold basis:
j procedural controls have been implemented to ensure design bases information is
[
e kept current in plant procedures; verification activities have reviewed the content of selected plant procedures against l
L i
the design bases; and
.the results of a review of corrective action items, audits, and assessments support l
the conclusion that there is adequate confidence the operating, maintenance, and -
testing procedures are consistent with the design bases.
The following sections describe this rationale in more detail.
l 2.2 Procedural Controls The foundation for ensuring design bases information is accurately' maintained and translated into operating, maintenance and testing procedures is the procedure control i
program. The specific program requirements and controls are summarized in section 1.0.
2.3 Verification Activities i
Verification activities have been performed to assure design bases are accessible and have been translated into operating, maintenance, and testing procedures. These activities are summarized below; 2.3.1 Design Bases Prc*ect i
As part of the design bases project, selected validation of design basis manuals and setpoint calculation reverification assured that operations, maintenance and testing procedures are consistent with plant design and technical specifications. The design l
bases project and setpoint calculation reverification is described in Appendix A.
l 2.3.2 ' Safety Analysis Basis Document Project This project validated UFSAR Chapter 15 safety analyses and captured the details of the design bases for these analyses. This project verified that the applicable design bases were appropriately captured in the UFSAR. This project also verified that the design bases for the Technical Specifications limiting conditions for operations parameters were properly documented. Where questions were raised about the Technical Specifications, applicable procedures were reviewed to validate proper implementation. The safety a
I analysis basis document project is described in Appendix B.
21
. ~
i
')
1
+>
4 E
1 l
2.3.3 Emergency Operating Procedure (EOP) Rewrite i.
This activity used extensive verification and validation to ensure that design bases requirements are correctly translated into the EOPs and included:
a review of EOPs against the PVNGS UFSAR and Safety Evaluation Reports, and "e
l other licensing documents; development of a technical guideline which provides the basis for each major task within the EOPs; identification and verification of plant specific EOP setpoints through the setpoint calculation reverification project described in Appendix A; evaluation of licensing and design bases documents including cross-discipline review; validation of the procedures in the plant simulator; and e
a plant walk-through to verify labeling, accessibility to perform the action and e
availability of emergency lighting.
2.4 Corrective Actions, Audits and Assessments The design bases project described in Appendix A was completed in 1995 and established a baseline of conformance to the design bases.. A review of corrective action items, audits, and assessments has been completed to verify that there were no significant programmatic problems since 1994 that would affect the implementation of design bases information into procedures. Examples of relevant significant issues and audit conclusions are provided below. These self-identified issues demonstrate a continuing self-critical culture. Although some of the issues discussed below can be characterized as weaknesses, they do not undermine the overall effectiveness of the procedure control processes.
2.4.1 Main Steam and Feedwater Isolation Valves LER 1-95-011-00 (self-identified)
APS identified that the inservice testing for the main steam and feedwater isolation
. valves' operating air subsystems did not account for worst case design basis conditions.
As a result, with the subsystems operating at a lower than normal pressure, the tests did J
not provide assurance that the valves were operable. The plant procedures that implement the testing were revised to account for the worst case design basis conditions.
This condition was identified as a result of the validation of the main steam design basis manual and demonstrates the effectiveness of the validation effort in identifying design basis implementation weaknesses.
l 22
' i I
i 2.4.2 Control of Main Steam Support Structure Envelope
{L
' LER 2-96-005-00 (self-identified)
Design basis, equipment qualification calculations were performed based upon the 4
{.
' assumption that a personnel hatch in the main steam support structure would be closed preventing high temperatures and flooding in adjacent spaces. Plant procedures did not t
provide control of the personnel hatch to ensure that it remained closed consistent with j
the design basis assumption. Plant procedures were revised and signs were installed to control hatch access consistent with the design basis. Corrective actions that have been completed included a validation of doors, hatches and floor plugs to ensure correct p
controlled barrier identification has been incorporated into plant procedures. Additional information on door and hatch control is provided in Section 3.4.9.
'2.4.3 PVNGS Nuclear Assurance Audit 95-007 Procurement & Material Controi (April 1995) f Audited areas included material storage / shelf life / housekeeping, control of procurement i
activities, trending of vendor performance, and corrective action effectiveness. The audit.
concluded, in part, that procedures for procurement and control of materials are a
l developed and their implementation ensures compliance with applicable requirements.
New or revised vendor design and performance data is evaluated for its effect on plant materials, equipment, and procedures.
f 2.4.4 PVNGS Nuclear Assurance Audit 95-015 Technical Specification / License Conditions (August 1995):
The audit assessed the effectiveness and performance of programs and processes that
[
ensure conformance of plant operations to surveillance requirements. Audited activities l
~ included the primary coolant sources outside containment program, surveillance test j
program and its implementation, surveillance test scheduling and frequency, operability determinations, Technical Specifications and amendments, limiting conditions for operation, and corrective action effectiveness. The audit concluded that surveillance procedures are established and implemented to ensure PVNGS operates in'accordance with Technical Specifications and applicable license. conditions with the exception of a weakness identified in the primary coolant sources outside containment program.
Testing for this program was not being performed within the required periodicity. The root cause was attributed to unclear wording, which was isolated to the surveillance test package review sheet. LER 2-95-006-00 was submitted to the NRC and applicable j
procedures / instructions were revised.
I i J J
2-3 4
2
,, + -
,,e
~
f i-
).
2.4.5 PVNGS Nuclear Assurance Audit 96-004, Fuel Integrity / Reactor Safety (March 1996)
L The audit evaluated PVNGS preparation for fuel handling. The audit scope included' l
programs and procedures utilized during refueling, maintenance and control of equipment, observations of fuel handling-related activities, and training. The audit concluded that PVNGS procedures and training implement correct fuel handling l
practices. The audit noted the frequency for performing a spent fuel pool annual inventory.was not in accordance with the UFSAR..While the periodicity satisfied the requirements of 10 CFR 70.51(d), it was not in agreement with the UFSAR. The UFSAR states the spent fuel pool and new fuel storage racks are inventoried bi-annually.L A change was initiated to revise the UFSAR to be consistent with the requirements of 10 L
CFR 70.51(d).
2.4.6 PVNGS Nuclear Assurance Audit 96-015 Technical Specification / License Conditions Operation (August 1996)
This audit evaluated various elements of the surveillance testing, Technical Specification, and operability determination programs. The audit reviewed eight surveillance tests with emphasis on validating implementation of the requirements of upper tier documents such as the UFSAR and design bases. The audit concluded that surveillance testing and license document maintenance programs were effectively implemented. Design basis-manual reviews revealed some component parameter conflicts with other engineering output documents. For example, the safety injection design basis manual text had differing data than the calculation for safety injection tank volume and pressure. These items were not considered significant and resolved through the corrective action program.
o 2.4.7 NRC Generic Letter 96 Testing Of Safety-Related Logic Circuits Validation Assessment (Ongoing) 2.4.7.1 Scope The NRC Generic Letter (GL) 96-01 validation assessment started in May 1996 and is currently in progress. The assessment is an additional verification of consistency between the plant design bases, configuration, and performance., GL 96-01 requested that nuclear plant licensees compare electrical schematic drawings and logic diagrams for the reactor protection system, emergency diesel generator load
- shedding and sequencing, and actuation logic for the engineered safety features systems, to plant surveillance test procedures, to verify that portions of the logic -
circuitry, including the parallel logic, interlocks, bypasses and inhibit circuits, are o
adequately covered in the surveillance procedures to fulfill Technical Specification surveillance requirements. The project is more than 75% complete. Scheduled completion is discussed in letter 102-03672, dated April 15,1996 from APS to NRC.
2-4
~.
~, _
i-l
'i 2.4.7.2~
Initial Resuits The GL 96-01 validation assessment has, to this date, evaluated over 600 logic
' circuits per unit and identified discrepancies in testing associated with the following
- items:
inadequate testing of lockout (seal-in) relays associated with the auxiliary feedwater actuation signal; inadequate testing of the shunt and undervoltage trip circuits for the reactor -
trip switchgear breakers; inadequate testing of emergency diesel generator loss of power / override I
l' circuit;
- -inadequate testing of essential chiller start bypass logic circuit;
.i
)
evaluation of core protection channel overlap testing; l
4 inadequate testing of logic circuitry for the containment purge isolation i
actuation signal; and j
inadequate testing of override circuits for auxiliary feedwater regulation and e
isolation valves actuated on auxiliary feedwater actuation signal.
The first two items, listed above, resulted in Technical Specification 3.0.3 / 4.0.3 H
entries, and Licensee Event Report 1-96-007-00 was submitted to report the discrepancies. In all cases, where new testing was required due to the items listed above, no failures were encountered and there were no consequences to plant safety.
Therefore, it is concluded that these testing deficiencies did not adversely affect conformance of plant performance with the design bases. Deficiencies identified i
during the GL 96-01 review are documented and evaluated for resolution through the corrective action prograr", as appropriate.
2.4.8 UFSAR Assessment An' assessment was performed which reviewed eleven system descriptions in the UFSAR and examined the plant administrative controls for maintaining the UFSAR. This assessment used the guidance from Nuclear Energy institute (NEI) Guideline 96-05 and
- was completed in December 1996. ' The systems reviewed were selected based on 10 CFR 50.65, Maintenance Rule, risk significance. The systems' UFSAR descriptions of operating, testing, and maintenance practices were ' eviewed against current plant r
practices. Processes used to update the UFSAR system descriptions for modifications and procedure changes were also reviewed. Additionally, programs and activities such as work-around lists, standing ' orders and night orders, and Technical Specification clarifications were reviewed.
p 25
-. ~
. ~
~
The assessment identified that UFSAR system descriptions were generally consistent with plant configuration and procedures. The assessment did find some differences between UFSAR descriptions and actual plant procedures and system configuration.
Some of these differences are attributed to modifications developed under an old
. procedure that did not require verification of changes to the UFSAR upon modification completion and an emergency operating procedure rewrite effort that did not initiate the -
required UFSAR changes.' in these cases it was determined that the changes'had been appropriately evaluated in accordance with the 10 CFR 50.59 program. As a result of the modification finding, the assessment was expanded to review other modifications that 2 were developed prior to program improvements. These discrepancies have been
- captured in the PVNGS corrective action program for review and resolution.
The results of this assessment led to the decision to perform a more extensive UFSAR review initiative. The scope and duration of this voluntary initiative are discussed in letter 102-03862, dated February 6,1997 from APS to the NRC.
.)
2.5 Conclusion APS has established procedural controls'to assure that design basis information is
)
translated into plant operating, maintenance and test procedures. The effectiveness of these procedural controls has been assessed through verification activities, as well as through. a review of corrective actions, audits and assessments. Based upon this information, APS concludes that there is adequate confidence that the operating, maintenance and testing procedures are consistent with the design basis.
1 i
s 2-6
l 3.0
' Rationale for concluding that system, structure, and component configuration and performance are consistent with the design bases. (NRC Request [c)).
~
' 3.1 Introduction L
The rationale for concluding that system, structure, and component configuration and
- performance are consistent with the design bases has a threefold basis
procedural controls have been implemented to ensure operations, maintenance, e:
modifications, and testing are conducted in a manner which maintains configuration
. and performance consistent with the design bases l
verification _ activities, including periodic testing, have been conducted validating the '
l actual plant configuration and performance against the design bases; and the results of a review of corrective action items, audits, and assessments support the conclusion that there is adequate confidence that system, structure,~and i
component configuration and performance are consistent with the design bases, I
The following sections describe the rationale in more detail.
3.2 Procedural Controls j
- The foundation for ensuring system, structure, and component configuration and performance are consistent with the design bases is the procedure controls for operations, maintenance, modifications, and testing. The specific program requirements and controls were summarized in Section 1.0.
3.3 Verification Activities Verification activities have been performed to assure that actual plant configuration and performance are consittent with the design bases. These activities are summarized below:
3.3.1 Design Bases Project
- As part of the design bases project, selected validations of design basis manuals included plant walkdowns of the physical configuration of the respective systems. Overall, there were no significant procedural or programmatic deficiencies identified which compromised nuclear safety. Based on validation results, the validated systems were found to be functional and there were no findings that indicated the system would fail to perform it's intended function. The design bases project is described in Appendix A.
3.3.2 ~ Fire Protection Design Program and 10 CFR 50, Appendix R Reconstitution A 10 CFR 50, Appendix R reconstitution effort was completed in December 1992. The reconstitution effort entailed a major re-analysis for compliance with 10 CFR 50,.
l l
Appendix R, as described in NRC Generic Letter 81-12, " Fire Protection Rule," and PVNGS Technical Specifications. Output documentation included a set of engineering calculations and studies and revisions to:
3-1
n.. - -.
i L
3.3.4'
. Equipment Qualification Enhancement Project 3.3.4.1 Scope The equipment qualification (EQ) program provides assurance that certain safety-4 related and post-accident monitoring equipment, as defined by 10 CFR 50.49, sections b(1), b(2) and b(3), will function during the design conditions postulated for ~
I plant normal and abnormal operation, design bases accidents, and the post-accident duration.' The PVNGS EQ program processes establish that identified equipment is qualified in accordance with IEEE Standards 323-1974, and 344-1975, and that the Lqualification is established, maintained and verified throughout the qualified life of the component.
. 3.3.4.2
. EQ Enhancement Project The EQ program enhancement project was conducted from 1992 through.1994 to examine design bases and perform design verifications. The major activities included:
and EQ procedures; e'
revalidation of the 10 CFR 50.49 EQ master list; development of EQ data files, development of EQ configuration detail drawings; and e
performance of EQ as-built field verifications of installed EQ equipment.-
e 3.3.4.3-Results As-built verification walkdowns of approximately 4000 components were performed, issues identified during the walkdowns have been corrected.. Examples which required parts replacement included unapproved / unidentified wires in limitorque actuators; J
e insufficient condensate drainage paths from electrical terminal boxes, motors and MOV actuators (see LER 1-95-010-01 in section 3.4.3 of this response);
and deficient electrical splices utilizing Raychem@ heat' shrink or tape.
e l
3-3
i 3.3.5 Vendor Technical Manual Program And Consolidation Project The vendor technical manual program revision, initiated in 1991, converted most specification-based technical manuals to individual vendor technical documents, which were then contained in system or component based vendor technical manuals. The consolidation project was completed in December 1993. Activities included:
linking equipment with the new vendor technical manuals in the controlled e
equipment database; and contacting vendors to assure vendor manuals were current.
e 3.3.6 Core Reload Process improvement Program
)
APS, in partnership with Asea Brown Boveri Combustion Engineering Nuclear Operations, completed the reload process improvement program in October 1996. This 4
program provides assurance that the design bases are maintained during each core reload through evaluation of check lists which compare the core design characteristics to those corresponding to design bases lirrais. The current des'gn bases of PVNGS were utilized in the development of both the check lists and the bounding transient analyses.
In order to gain the fuel management flexibility while meeting the design bases limits, two i
changes to the Technical Specification were completed. Also, changes to the core operating limits report were made, generally restricting operation under certain conditions but also increasing the allowable most negative moderator temperature coefficient.
UFSAR changes were initiated to reflect the new bounding analysis.
3.3.7 NRC Generic Letter 89 Motor Operated Valve Program j
3.3.7.1 Scope The motor operated valve (MOV) program commenced in June 1989. The program:
established the d ' sign bases conditions under which the MOVs must functior:
e performed testing or analyses to demonstrate that MOVs would function under e
design bases conditions; performed an initial static baseline diagnostic test for MOVs in the program e
and established periodic testing; and performed dynamic testing of selected valves which involved stroking the e
valve at, or as close to as practicable, the design bases conditions. This test is performed to qualify the valve, and similar valves, and thus qualify static set-up methods using an in-situ dynamic test.
3-4
l l
l 3.3.7.2 Results There are 336 MOVs within the scope of the NRC Generic Letter 89-10 program at PVNGS. Static diagnostic testing has been performed on all 336 MOVs. A total of 256 valves have been dynamically tested. NRC closed PVNGS Generic Letter 89-10 motor operated valve program in NRC Inspection Report 96-15, dated September 27, 1996.
The following design modifications have been completed or are in progress in the three PVNGS units:
upgraded the actuator size of 18 MOVs; upgraded the actuator gear ratio of 60 MOVs; and e
' upgraded the actuator and valve of 30 MOVs.
3.3.
"ower Uprate Project
\\
The power uprate project involved comprehensive licensing and design bases reviews and evaluations to provide assurance that operation at 2% higher thermal pawer would be acceptable. Amendments to PVNGS operating licenses and technical specifications were approved by the NRC and implemented in the three PVNGS units in 1996.
3.3.9' improved Technical Specifications Project (ongoing) 3.3.9.1 Scope The improved technical specifications project commenced in August 1995. The first phase of the project was completed in October 1996 when the improved technical specifications submittal was sent to the NRC. During the first phase of the improved technical specifications project, the PVNGS current technical specifications were evaluated and compared to the standard technical specifications contained in
- NUREG-1432, Revision 1, " Standard Technical Specifications for Combustion Engineering Plants." The specifications contained in NUREG-1432 are generic and do not have plant specific information contained within them. Therefore, it was necessary to obtain PVNGS plant specific information to complete the improved technical specifications project. In cases where the current technical specification's parameters were directly carried over to the improved technical specifications, a detailed review of the system design bases was not necessary. In cases where the current technical specifications did not contain a design parameter used in the improved technical specifications, it was necessary to perform a review of the design bases of the system to extract the necessary information to complete the improved technical specifications.
3-5
-4 3.3.9.2 Results During the course of the improved technical specifications project, the following two l
notable discrepancies were identified:
An assumption in the design calculation for the maximum containment building accident pressure was not conservative. The' assumption was that the internal containment building pressure initial condition would be atmospheric pressure l-(0 psig). However, the current Technical Specifications allow the internal containment pressure to be as high as 2.5 psig. The resulting containment building accident pressure is within containment design pressure. A Technical Specification amendment request was submitted to the NRC to correct this discrepancy in letter number 102-03831, dated December 27,1996.
Anhydrous trisodium phosphate (TSP) was contained in baskets located in.the l
containment of all three units as opposed to dodecahydrate TSP as delineated i
[
in the Technical Specifications. The original design basis specification was l
based on anhydrous TSP, therefore, plant operations were not affected. The -
Technical Specifications and UFSAR were revised to accurately reflect the design basis. Applicable procedures have been updated to ensure anhydrous L
TSP remains in the baskets. The Technical Specifications were corrected with j
l
.an amendment issued under emergency circumstances by the NRC on May 15, l
1996, and License Event Report 1-96-002-00 was submitted to the NRC.
j 3.3.10 Unit Specific Lighting Drawing Verifications in 1991 and 1992, a project was undertaken to unitize lighting drawings for the control, auxiliary,' main steam support structure, diesel generator, corridor, and turbine buildings.
This effort resulted from an analysis of a reactor trip event in March 1989 and subsequent evaluation of the essential and emergency lighting systems. Activities included:
field walk-downs and development of new unit specific drawings; L
verification of the adeque of lighting levels for the normal, essential and 1
emergency lighting systems and walkdowns of 10 CFR 50, Appendix R safe shutdown lights and circuits; identification of corrective actions, including design changes, for areas not i
e meeting the design requirements or design bases.
l l
l'
{
L i
3-6
.~2
_ _. ~. _ _ _
5 I
l 3.3.11. Control Wiring Diagram, instrument Loop Wiring Diagram and Document Cross Reference List Verifications in 1988 a project was undertaken to create control wiring diagrams, instrument loop
- wiring diagrams, and a corresponding document cross-reference list. Discrepancies between drawings or between drawings and the as-built plant were identified and reported on discrepancy reports. The discrepancy reports resulted in field walkdowns and validations and various resolutions, depending on the type of discrepancy.;The
~ document cross-reference list was created as a tool to be used during the project to provide a ca oss reference to pertinent documents which correspond to each control wiring diagram or instrument loop wiring diagram, such as the piping and instrument drawing, the single line diagram, physical location drawings, and UFSAR sections. By project l-completion in December 1991, control wiring diagrams included 95 systems and l
approximately 13,tX)0 drawings and instrument loop wiring diagrams included 53 systems and approximately 2900 drawings.
i 3.3.12 ' independent inspection l
Independent inspections are performed as necessary to assure systems, structures and components are maintained consistent with design requirements. The extent to which
- independent inspection is applied to maintenance activities is based on the fellowing:
- - effect of a malfunction or failure of the item on plant safety or reliability; effect of improper performance of the activity on plant safety or reliability; complexity or uniqueness of the item or activity; e
the quality history of the item or activity (significant quality deficiencies previously identified); and special proce'ss cr activity where it is not possible to verify quality by subsequent -
L inspection and/or testing.
Configuration deficiencies have been identified in the welding program and in Raychem splices. - With the exception of deficient weldments, identified deficiencies were minor in nature. Appropriate corrective actions were taken to correct the hardware conditions or revise the design drawings and to address the human performance issues that contr;ibuted to these deficiencies.
- Not withstanding these issues, the overall results of the independent inspection program l
support the conclusion that there is adequate confidence that systems, structures, and j
comporients are consistent with the design basis.
l l
1 3-7
T i~
3.3.13 : System Engineering Plant Walkdowns
' A process for monitoring the performance of structures, systems, and components is included in the system engineering program requirement to perform regular system walk-downs Monitoring items are specified relating to design bases verifications and includes verification that system temporary modifications are properly identified and are still valid.'
4 i-3.3.14 Evaluation of ReactorTrip Events
' Reactor trips are evaluated to ensure the plant performed as required by design. These i
evaluations include:
safety limit reviews to ensure safety limits were not exceeded; i
e an overall plant performance evaluation to assess integrated system and F
component performance; an evaluation of plant protection system performance to verify all required e
L actuation's occurred at the correct setpoint; and a control system response evaluation to validate performance in accordance with i
e design.
3.4 Corrective Actions, Audits and Assessments 1
The design basis project and validations described in Appt.ndix A of this enclosure were 3
completed in 1995 establishing a baseline of conformance te the design bases. A review of i-corrective action items, audits, and assessments has been corapleted to verify that there l
were no significant programmatic problems since 1994 that would affect the consistency of i
plant configuration and performance with the design basis. Examples of relevant significant i
corrective actions and audit conclusions are provided below. These self-identified issues I
demonstrate a continuing self critical culture. Although some of the issues discussed below can be characterized as weakresses, they do not undermine the overall effectiveness of the L
configuration control processes, t
3.4.1 Redundant Overcurrent Protection LER 1-95-004-01 (self-identified)
During a calculation reverification project, APS determined that contrary to design basis requirements, redundant overcurrent protection was not provided on 34 electrical
' containment penetration circuits in each of the units. During the initial design of PVNGS the penetration protection calculations performed used non-conservative assumptions.
)
The affected circuits were modified to comply with the design requirements.
In addition, APS identified six circuits designed with redundant overcurrent protection that were not included in the surveillance procedure. Therefore, surveillance testing was not performed as required. The procedure was reconciled with the updated design calculation and testing completed satisfactorily on the 6 identified circuits.
3-8
l d
(
t 3.4.2 Emergency Diesel Generator Jacket Water Cooler LER 1-95-005-00 (self-identified)
During a transportability evaluation of a previously identified problem in Unit 2, APS
' determined that tubesheet blockage (primarily corrosion nodules) found in the Unit 1 j
i emergency diesel generator - B jacket water cooler would have reduced the minimum required heat rejection through the cooler. This condition potentially could have affected L
the diesel generator's performance under design basis accident conditions. A preliminary evaluation determined that the formation of the corrosion nodules was due to o
. the failure of the epoxy coating that lines the carbon steel spray pond supply piping. The j
heat exchangers were inspected and cleaned. Interim corrective actions include reassessment of the cooler inspection / cleaning frequency as discussed in the subject LER.
i j
3.4.3 '
Equipment Qualification Condensate Drainage / Accumulation Configuration 1
k
. LER 1-95-010-01 (self-identified) f During the equipment qualificat!on enhancement project, approximately 60 installations in
[
the three units were identified as having questionable condensate drainage / accumulation i
configuration following a high energy line break. Analysis and subsequent walkdowns l'
identified that these installations required modifications to ensure proper drainage or prevent moisture accumulation and ensure equipment performance would be consistent with the design bases. Modificaticns to install weep holes and to seal conduits were completed.
4 3.4.4 Steam Line Break Analysis f-LER 1-95-002-01 (self-identified)
During a review of the steam line break analysis it was discovered that Technical Specification limiting conditior ; for operation were inconsistent with steam line break
. analysis assumptions for validation of the temperature dependent shutdown margin while in mode 3 above 500 degrees F. More restrictive limits were administratively controlled j.
by procedure updates while appropriate Technical Specification changes were approved by the NRC. The calculational errors in the design bases were corrected and the associated Technical Specifications and plant procedures were revised to reflect the corrected design basis. This deficiency was identified as part of an action to review the safety analysis assumptions and groundrules document in order to prevent recurrence from a deficiency previously reported in LER 1-94-002-02.
a 4
3-9
l l
l 3.4.5 Fire in Unit 2 LER 1-96-001-01 (self-revealing)
An electrical fire in a Unit 2 lighting transformer was attributed to a condition outside the -
design basis of the plant. The condition app,x d to all three units where a fault in either regulating transformer in the train A or B direct current equipment room could cause a fire f
in the equipment room and the control room.~ The investigation conducted subsequent to the fire revealed that an electrical design was not in accordance with design requirements resulting in an improperly grounded circuit and inadequate circuit protection. An investigation for inappropriate grounding of low voltage power distribution
' systems was initiated and has identified fourteen components in each unit requiring modifications. Compensatory measures were implemented as appropriate, until the modifications are completed.
3.4.6 Degraded Grid Voltage' impact LER 1-93-011-01 (self-identified)
During the design basis calculation reverification it was identified that, under certain accident scenarios at lower switchyard voltages within the designed range specified by the UFSAR, substandard voltages may exist within the onsite Class 1E electrical -
distribution system. Interim corrective actions included controlling switchyard voltage in the upper portion of normal switchyard voltage. Two new Technical Specification action statements were approved by the NRC to respond to degraded voltage situations and ensure plant operations is within the design bases. The NRC was briefed by APS in September 1996 on the status of the Voltage Regulation Improvement Project.
3.4.7 Potential For Auxiliary Feedwater Pump Overspeed LER 1-95-013-00 (self-identified)
A very low probability event was identified during which the auxiliary feedwater system was found to be unable to perform a component-level design basis function to automatically provide water to the steam generator upon an auxiliary feedwater actuation signal.- During the design bases review for an auxiliary feedwater modification, a condition was identified where the possibility existed of incurring an overspeed trip of the steam driven auxiliary feedwater pump. ' This event was valid only for a limited range of main steam line breaks with a loss of power and single failure on the motor driven j
auxiliary feedwater pump. Emergency operating procedures and operator actions are capable of mitigating the event with the reset of the turbine overspeed and/or start of the non-seismic motor driven auxiliary feedwater pump from the control room. A design change has been installed in one PVNGS unit to correct the design deficiency and will be installed in the other two units as described in the LER.
4 l
3-10
L i
1 L
3.4.8 Potential Air Operated Valve Design Deficiency LER 1-95-007-01 (self-revealing) j APS determined that the bench settings of the air-operated letdown containment isolation valves adversely affected the ability of the valves to perform their 10 CFR 50, Appendix R safety function to isolate letdown. Seat leakage of an air operated letdown isolation valve, questioned by an NRC resident inspector, led to an engineering evaluation which
~ identified that air operated valve bench settings could adversely affect the ability of the valves to perform their function to isolate letdown. The evaluation determined that during postulated fires in fire zones outside of the control room, a condition could exist in which the letdown line would not be effectively isolated in accordance with the existing Pre-Fire Strategies and as required by 10 CFR 50, Appendix R.
An evaluation of the event revealed the valves had undersized air actuators and bench sets which were too low to provide adequate valve seating force. Modifications were completed to restore the affected letdown isolation valve configuration to be consistent with design bases. The modifications included the installation of stiffer actuator springs, new limit switches, adjustment of the' valve stroke length, and revised bench set pressures.
3.4.9 Door Control Doors are part of the plant design to ensure ventilation envelopes are maintained consistent with the Technical Specifications and the design bases. LER 1-96-003 identified that in August 1996 maintenance workers improperly propped open a door creating a flow path which could not be compensated for by the essential filtration units.
l Calculations demonstrated the offsite dose consequences would have remained within L
10 CFR 100 limits under postulated loss of coolant accident conditions while the door was open.- The NRC issued Notice of Violation (NOV) 528/96-13-01 identifying three j
l occasions, including the one in LER 1-96-003-00 discussed above, where doors were
~ blocked open or removed without notifying Operations or without compensatory measures in place, contrary to approved procedures. Each of these events was identified by APS, and an evaluation identified that previous corrective actions had not been adequate to prevent recurrence of improper door control.
As discussed in the APS response to the NOV, an evaluation of the barrier control events determined that they occurred as a result of inconsistent door labeling schemes, weak procedure requirements, and lack of worker knowledge and awareness of controlled door i
requirements. Corrective actions have been implemented that include walkdowns to document current field labeling on doors, installation of temporary labels, a review to verify the field installed doors adequately reflect the design requirements, procedure changes to improve communications, and site wide communication of the door issues.
j L
i r
[:
3-11 I
-~..--. - - - - -...... -.. - - - -.-
d I
L 1
3.4.10 Essential Chillers j
NOV 50-528/529/530/95-25-01, 02, 03 (regulator identified)
Three NOV's were issued by the NRC conceming the operations of the PVNGS' essential chillers.
In December 1995 maintenance personnel corrected chiller refrigerant level without documentation which resulted in refrigerant level above the maximum operability level.
In November 1995 an Operability Determination was not performed when credit for manual actions were taken to compensate for degraded essential chiller-condition due to excessive oil addition.
In January 1996 it was identified that no testing had been performed to measure essential chill water leakage to demonstrate the leakage requirements of the design bases manual were met.
None of these events presented a significant impact to essential chiller operation.
Weaknesses in communications and adherence to the corrective action program were recognized and are being addressed to prevent recurrence. Corrective actions that were identified included the enhancement of preventive maintenance tasks, a revision to the essential chill water design bases manual, and the preparation of an essential chill water testing requirement document. These corrective actions will ensure continued essential chiller compliance with the design bases.
j i
3.4.11. Tagging and Clearance The PVNGS' tagging and clearance program is used to control plant configuration j
consistent with design requirements and provide safe equipment conditions for
)
maintenance, modifications, and testing as described in Section 1.3.1.2. In 1994 PVNGS identified an increase in taqing and clearance deficiencies primarily related to industrial -
i safety. In response, corrective actions were taken including the establishment of a multi-discipline team to evaluate PVNGS clearance and tagging practices compared to INPO best practices plants. Based upon the team's recommendations, the tagging and clearance procedures were revised and training was conducted to re qualify personnel.
Tagging and clearance performance has improved but has not consistently met expectations for the preparation of tagouts. Monitoring and evaluation with emphasis on tagout preparation are continuing. A review of tagging and clearance deficiencies in 1995 and 1996 identified a very small portion that involved mispositioned components.
3-12
4 i.
3.4.12 - 10 CFR 50.59 Reviews Support for the conclusion that system,' structure, and component configuration and performance are consistent with the design basis is also provided by an ongoing process -
l of evaluating the performance of 10 CFR 50.59 evaluations. Based upon prior identified program weakness, a 10 CFR 50.59 review team was established. The review team performs an independent monthly review of a sample of the _10 CFR 50.59 screenings
,~
and evaluations. The conclusion from these reviews is that the 10 CFR 50.59 program is
- generally effective in ensuring changes to the licens ng and design bases are evaluated i
to determine if prior NRC approval is required.
l Based on continuing evaluations of the 10 CFR 50.59 program, two significant adverse l
Condition Report / Disposition Requests were evaluated, performance issues identified, and root causes determined. In addition, APS identified an off-site condition where a new i
transmission line was installed over two existing transmission lines that involved an unreviewed safety question not identified prior to the installation. APS evaluated this j
[
condition and determined that offsite power grid stability remains within design requirements and submitted a request for NRC review in letter number 102-03832, dated
- December 27, _1996.
' In response to the identified programmatic weaknesses, corrective actions have been implemented to strengthen 10 CFR 50.59 program implementation.' The corrective i
l
' actions include continued scrutiny of completed evaluations, aggressive monthly j
assessments, and improved electronic access to licensing basis documents to further j
. strengthen program implementation. An enhanced training program was developed to 4
j.
address identified performance issues, and qualified evaluators were required to attend j
l retraining to retain their qualifications. Additionally, a quarterly newsletter is issued to j
keep evaluators informed of current issues and/or identified deficiencies.. These ongoing sctions are pursued to continuously improve program' effectiveness.
}
3.4.13 PVNGS Audit 94-016, Equipment Qualification Program (December 1994)
A 1991 self-assessment concluded that the existing equipment qualification program would not effectively ensure continued qualification of equipment.' In response, a j
comprehensive equipment qualification enhancement program plan was developed and 1
implemented. The scope of Audit 94-016 was to review and assess the effectiveness of the resulting equipment qualification program. The audit concluded that the enhanced equipment qualification program effectively ensured continued qualification of equipment.
4 4
L it 3-13
L j
3.4.14 ' PVNGS ' Audit 95-004, Design Control (March 1995) and i
, PVNGS Audit 95-021, Safety Systems Outage Modification inspection (SSOMI), (December 1995) l
~ Audits95-004, design control processes, and 95-021, safety systems outage modification-i inspection, evaluated the effectiveness of processes and programs for the control of 4-j design modifications. Audit 95-004, conducted in February and March 1995, concluded
.that the PVNGS design modification process would ensure compliance with 10 CFR 50,-
Appendix B requirements as well as ANSI N45.2.11-1974, "American National Standard Quality Assurance Requirements for the Design of Nuclear Power Plants." Audit 95-021, conducted between September and December 1995, utilized vertical-slice audit r
[
techniques to assess design, procurement, installation, testing, safety analysis and turnover of modifications during a refueling outage, including one modification that was
- partially installed and required an "as left' evaluation for any effect on the facility. - Both i
audits utilized field inspections to verify consistency between "as built' installations and -
r f
design bases. Minor deviations were identified and resolved under the corrective action j
program, and did not require hardware changes to resolve the deficiencies. The most j
significant finding from these audits concluded that independent design reviews did not i
always ensure design documents were correct and complete prior to issuance. This was l
identified as a significant adverse condition and comprehensive' corrective actions were implemented to improve human performance. The Nuclear Assurance Division continued I
to monitor design review performance throughout 1996 and concluded that corrective actions were effective.
4,.
[
3.4.15 PVNGS Audit 96-002, Engineering & Corrective Action Effectiveness l
(March 1996) i Self-Assessment / Audit A-002 was conducted in February and March 1996, using vertical-slice inspection techniques to evaluate engineering activities as they relate to i
maintaining the design bases and improving system performance. The scope of this
. assessment included, in part, the status and configuration of temporary modifications installed in the plant. The self-assessment team observed that PVNGS had reduced the number of temporary modifications by approximately 80% between April 1995 and March 1996. The team verified that installed temporary modifications had received appropriate i[
. design and safety reviews and been adequately tested. Ten temporary modifications i
were inspected in the field and each one was found to be installed correctly.
3.4.16 PVNGS Audit 96-20, integrated Self-Assessment of PVNGS Maintenance
[
' Rule (April 1996) h-The 10 CFR 50.65 maintenance rule program monitors the effectiveness of maintenance
.to_ ensure structures, systems, and components are performing within prescribed j
operating design parameters. The assessment concluded in part that performance i
monitoring was well established and comprehensive.
p d
)
3-14
1 I
l 3.4.17 PVNGS Audit 96-015, Technical Specifications / License Conditions (August 1996) l The audit concluded in part that surveillance testing was being effectively implemented.
Performance of surveillance tests by control room personnel was considered to be a strength. The operators displayed strong use of self-verification techniques and exhibited good command and control.
3.5 Conclusion The results of corrective actions, audits and assessments, completion of verification activities, and procedure controls in place to govern operations, maintenance, modifications and testing that have been performed at PVNGS allow APS to conclude that there is adequate confidence that the configuration and performance of the as-built plant is consistent with the design bases and that the current processes and programs provide reasonable assurance that plant configuration will be maintained consistent with the design bases.
l 3-15 i
i L
t
..c i.
4.0 -
Describe the processes for identification of problems and implementation of L
corrective actions, including actions to determine the extent of problems,
{
actions to prevent recurrence, and reporting to the NRC. (NRC Request [d]):
4.1:. Introduction 4
The PVNGS corrective action program consists of processes that are used when adverse conditions are identified. The processes provide for determining the extent of the condition, l
developing corrective actions to prevent recurrence of significant adverse conditions, and identifying the potential need to report the condition to regulatory agencies. The three processes that make up the PVNGS corrective action program are: 1) the condition reporting process; 2) the work control process; and 3) the warehouse deficiency process. The following terms are used in the corrective action program:
4 Adverse condition is defined as any item or activity that does not conform to i-requirements. Adverse condition includes failures, malfunctions, deficiencies, deviations, defective material and equipment, and non-conformances; j
Sianificant Adverse Condition is defined as an adverse condition, that if left e
uncorrected, significantly affects the safe, reliable, and economic production of electricity. The condition reporting process is the exclusive process on-site for evaluating significant conditions. Criteria for significant adverse conditions include:
.- severe or unusual plant transients; safety system malfunctions or improper operation; e
major equipment damage; e
fuel handling or storage events; j
e excessive radiation exposure or severe personnel injury; e
e ~ excessive discharge of radioactivity; conditions which result in non-routine reporting to the NRC; j
e NRC Notice of Violanon, Severity Leveis I - IV; i
deficiencies in design, analysis, operations, maintenance, testing, procedures, or e
training that are likely to result in any of the previous eight criteria; other events involving nuclear safety or plant reliability that are judged to be e
significant due to their causes or consequences; significant quality issues; e
maintenance rule functional failure; and e
situations in which human intervention prevented a nuclear safety event.
e.
APS has maintained a corrective action program at PVNGS, as required by 10 CFR 50, Appendix B and the PVNGS quality assurance program, since the issuance of the initial operating licenses. Over the years, APS has simplified the corrective action program to three processes. Additional detail on each of the three processes is provided below.
4-1
j 4.2 Condition Reporting Process Condition Report / Disposition Requests are used to identify, document and resolve non-l hardware adverse conditions. The Condition Reporting process includes the following elements.
Adverse conditions, other than hardware or warehouse discrepancies, and all significant adverse conditions are identified on Condition Report / Disposition Re-quests which can be initiated by anyone working at PVNGS, including APS or contractor employees.
Conditions which could adversely affect operational equipment are routed to the affected control room for Shift Supervisor review, including review for immediate reportability.
New Condition Report / Disposition Requcsts are reviewed, normally each work day, by a cross-discipline committee for classification (significant, potentially-significant, adverse, or review) and for assignment.
Conditions which are potentially reportable are assigned to the PVNGS Nuclear Regulatory Affairs Department for a reportability determination.
Potential!y-significant adverse and significant adverse conditions are reported at routine plant management meetings.
Significant adverse conditions require identification of root cause, implementation of interim corrective actions when appropriate, and development of corrective actions intended to prevent recurrence.
Significant hardware conditions identified through the Work Control process require evaluation through the Condition Reporting process, while the correction of the hardware deficiency itself utilizes the Work Control process.
Reactor trips are evaluatea to ensure the plant performed as required by design.
These evaluations include:
Safety limit reviews to ensure safety limits were not exceeded; An overall plant performance evaluation to assess integrated system and e
component performance; An evaluation of plant protection system performance to verify all required actuation's occurred at the correct setpoint; and A control system response evaluation to validate performance is consistent with l
design.
Human performance evaluations may be conducted when plant management l
determines that such an evaluation would be appropriate.
1 i
i 4-2
l Conditions may be classified as potentially-significant when additional information is required to finalize the condition classification.
Conditions classified as Adverse require evaluation for the likelihood the condition, or like condition, exists in other locations, and development of corrective actions to resolvo the condition.
Condition Report / Disposition Requests that document recommendations or identify enhancements which are not adverse conditions are classified as Review.
l The Licensee Event Reports and Audit / Assessment findings' discussed throughout this Enclosure are examples of issues identified and resolved through the Condition Reporting Process. The Condition Reporting Process also includes the Differing Professional Opinion i
(DPO) process which provides individuals a mechanism to appeal condition reporting document resolutirins or other technical decisions.
PVNGS' Quality Assurance Program requires Nuclear Assurance Division concurrence for dispositions to significant adverse conditions. In addition, the Nuclear Assurance Division concurs with the evaluation of conditions identified through their oversight activities and l
performs assessments of the effectiveness of selected adverse and significant adverse l
conditions. Significant adverse condition evaluation results are also forwarded to the Off-
. Site Safety Review committee.
4.3 Work Control Process -
Work control process documents are used to identify, track and resolve hardware deficiencies:
hardware deficiencies can be' identified by anyone working at PVNGS, including APS or contractor employees, on a work request document; hardware deficiencies are reviewed by operations for the following, and a condition-reporting document is initiated when required:
. effect on operability; effect on 10 CFR 50, Appendix R; and e
immediate NRC reportability.
e
- - hardware deficiencies are reviewed by maintenance for:
scope of the deficiency; and e
extent of the condition.
a Condition Report / Disposition Request is required for.
Maintenance Rule functional failure evaluation; maintenance program non-compliance; and e
i i
consideration for equipment root cause analysis.
e 43 1
_ _ _ _ ___ _ _._.______._ _._.__.__=~ _ _ _.._.
F hardware deficiencies are dispositioned for rework or scrap using corrective l
maintenance work documents, or repair or use-as-is using deficiency work documents; e ~ deficiency work documents for repair or use-as-is dispositions, as described in l
Section 1.0, receive:
4 an engineering evaluation; 10 CFR 50.59 review; design input review;'and review for document changes.
e 4.4 Warehouse Discrepancy Process A warehouse discrepancy notice is used to document adverse issues associated with material, parts, or components in the PVNGS warehouse. Warehouse discrepancy notice requirements include:
-e
~ personnel that identify discrepancies during receipt, handling, storage or issuing material to initiate a warehouse discrepancy notice and to ensure the material is segregated and identified with a hold tag; a designated - responsible individual who will evaluate and disposition the material;
]
e for repair or use-as-is dispositions, technical justification is provided as well as a 10 CFR 50.59 review; and deficient material is screened for 10 CFR Part 21 reportability.
e 4.5 Industry Operating Experience Process The industry operating experience process is used to screen industry information to facilitate incorporation of lessons learned from the industry into plant design, programs, and vperating practices. Documents which are determined to be relevant to PVNGS are entered into the condition reporting process, described in section'4.2, for evaluation and, if appropriate, corrective action identification. Industry operating experience documents include:
NRC Information Notices; INPO Significant Operating Experience Reports; e
o INPO Significant Event Reports; and e
Other information received from industry sources.
Industry operating experience information is also provided to significant adverse condition I
investigation teams to assist with root cause determination and development of corrective actions to prevent recurrence.
l 4-4
l l
l l
4.6 Corrective Action Tracking Corrective actions identified in the condition reporting process are prioritized and tracked to
. completion in the commitment action tracking system. Corrective actions identified for plant l
hardware are prioritized and tracked to completion in the station information management system. The commitment action tracking system and station information management system are computerized systems that provide tracking capability and historical information that is available for station operating experience reviews. APS maintains an ongoing trending analysis process for PVNGS.
l 4-5
l
)
t j'
5.0.
The overall effectiveness of the current processes and programs in concluding that the configuration of the plants is consistent with the design bases.
(NRC Request [e])
5.1
' Introduction APS concludes that the PVNGS processes and programs provide reasonable assurance that the configuration of the as-built plant is consistent with the design bases. This conclusion is based on:
design bases project and other verification activities that provide a baseline of l
conformance to the design bases; results frorn internal audits and self-assessments indicate that, overall, the processes important to maintaining plant configuration are effective; design bases information is readily available to the plant staff for comparison against e
plant configuration and identification of configuration issues; an effective corrective action program assures issues which could effect design basis or plant configuration are resolved in a timely manner; and positive feedback from external assessments that provide an additional objective j
viewpoint of the PVNGS processes and programs.
APS recognizes that some design bases issues have been identified as a result of continuing efforts to improve design bases documentation, through internal and external oversight activities, and, occasionally, through self-revealing events. These_ issues have been included in evaluating the overall effectiveness of the PVNGS processes and programs.
5.2 Basis for Overall Effectiveness 5.2.1 Design Bases and Configuration Validation Projects Design bases project and other verification activities provide another check on the overall effectiveness of PVNGS' processes and programs. The design bases project was conducted consistent with the guidance in NUMARC 90-12, " Design Basis Program Guidelines," which.was endorsed by the NRC as providing a useful framework and worthwhile insights to utilities undertaking design basis programs. APS has also developed the safety analysis basis document, which is an organized compilation of the l
detailed information in one document that forms the basis of the PVNGS safety analyses.
The design basis manuals and safety analysis basis document are required to be kept updated, and are accessible to plant personnel. Appendices A and B of this response contain more complete descriptions of the development and scope of the design basis project and safety analysis basis document project.
5-1
-. - - _. - - - -. - ~. -. - - - - - -
Other projects have been conducted by APS that verified or validated various aspects of the PVNGS design basis. These. projects, described in more detail in section 3.0, t
included emergency operating procedures rewrite project, fire protection design
. reconstitution project, equipment qualification enhancement project, vendor technical manual project, reload process' improvement project, and reactor power uprate project. In -
. addition, APS has conducted, and will continue to conduct, audits and self assessments that verify or validate the plant design bases, and identify any deficiencies for correction.
l 5.2.2 Internal Audits and Self Assessments The PVNGS audit process incorporates the regulatory requirements and license commitments contained in 10 CFR 50 Appendix B, administrative Technical Specifications, the PVNGS Quality Assurance Program (UFSAR Section 17.2) and applicable ANSI standards. Self-assessments supplement the formal audit process and l
may identify additional opportunities for correcting or improving wcrk processes and personnel performance.
The goal of internal audits and self-assessments is to provide feedback to management l
necessary to determine, with adequate confidence and assurance, that the processes utilized to maintain systems, structures, and components consistent with design are effective. Weaknesses have periodically been identified by the audits and self-
}
assessments, however, they have not been significant enough to conclude that the i
cverall processes were ineffective. When weaknesses are identified they are evaluated under the corrective action program, as described in section 4, for significance, potential effect on operational equipment, potential NRC reportability, transportability or extent of.
the condition, and to determine corrective actions to resolve the weakness. Examples of audit and self-assersment findings and conclusions were provided in the previous sections of this response.
5.2.3 Availability of Design Basis Information
' Design basis information has been made available for day-to-day operation and maintenance through hard copy records. In addition, the UFSAR and most design basis manuals are available and searchable electronically.
5.2.4 Corrective Action Program Effectiveness Training received by personnel involved in configuration management, coupled with their experience, enhances their ability to identify configuration problems. The corrective action program has been effective when problems are identified in determining the extent:
of conditions, completing root cause evaluations for significant conditions, and developing corrective actions which are intended to prevent recurrence of significant adverse conditions. Completion of corrective actions are monitored by management to assure that regulatory requirements for timeliness are being met.
l l
l t
5-2
~
__.______.m._
4 1
l
- PVNGS audits routinely evaluate the effectiveness of corrective actions within the scope of each audit and resolve specific weaknesses identified. Overall implementation of the l'
corrective action program is also assessed semi-annually through corrective action audits
. in accordance with administrative Technical Specifications. In addition, a Nuclear i
' Assurance sponsored self-assessment was conducted of the condition reporting process L
in late 1996. The following examples provide audit, self-assessment, and performance l
i monitoring results of the corrective action program-
- . The last three semi-annual audits of corrective action program effectiveness were conducted in September 1996, March 1996 and October 1995. These audits concluded that the program and associated processes were generally effective in identifying conditions adverse to quality; in assessing the significance of identified conditions; in determining the root cause(s) for significant adverse conditions; and
)
l in tracking the resolution of conditions adverse to quality. Continued management oversight and improvements to the program during this period have i
contributed to the consistency of root cause analysis methods, as'well as improved performance as measured by the time to closure for condition reports.
The most recent audit of the corrective action program, conducted in September 1996, concluded that corrective actions were sufficient to prevent recurrence of significant conditions adverse to quality in eleven (11) out of twelve (12) l conditions reviewed. The one condition for which corrective actions were deemed l
ineffective pertained to an industrial safety; tagging and clearance, issue outside L
the PVNGS power block, and did not adversely affect the design basis configuration.
Audit findings and conclusions have been supplemented by a November 1996 self-assessment of the PVNGS condition reporting process, that utilized a consultant external to the APS organization. The self-assessment concluded the program was well organized, defined and implemented. The program was determined to be effective in identifying, evaluating, resolving and preventing recurrence of problems. The self-assessment also identified prioritizaticd and classification of condition reporting documents as an area of good performance.
Individuals working at PVNGS maintain a self-critical environment as demonstrated by the number of condition reporting documents written. (In 1994, 1995, s,d 1996 approximately 2600, 2800, and 3100 were written respectively.)
The PVNGS monthly trend report tracks site goals. In 1994 PVNGS established j
performance goals for condition reporting document evaluation and goals for j
completion of corrective actions to ensure timely corrective action. The number of
~
condition reporting document evaluations completed in greater than the goal of 30 q
days has been reduced from 157 in December 1994 to 13 in December 1996.
i The number of condition reporting documents open for greater than the goal of L
180 days has been reduced from 504 in December 1994 to 47 in December 1996.
l 5-3 "7-
&T---4 y'
31 y
-t Tgr-r Mu-r-=
?
- -+9 T
- frv &
-i-T' r':
Monthly goals have been established for the number of open corrective maintenance deficiencies that are established on a work group discipline basis.
The number of open non-outage corrective maintenance work orders have been reduced from approximately 2300 in December 1995 to approximately 1600 in December 1996.
5.2.5 External Assessments PVNGS' latest SALP Report, 50-528/96-99; 50-529/96-99; 50-530/96-99, dated 7/5/96, concluded that PVNGS has established the programs and processes required to achieve and maintain superior performance, it also concluded that appropriate management attention is evident at all levels. The SALP report recognized that self-assessments and self-identification of deficiencies have become a fully accepted practice. The self-critical attitude was noted throughout the facility.
NRC Inspection Report 50-528/96-01; 50-529/96-01; 50-530/96-01 was conducted utilizing NRC Inspection Procedure 40501 to determine the effectiveness of PVNGS'self-assessment of engineering and corrective action programs, Audit 96-02. It concluded that a qualified self-assessment team had conducted an independent and objective assessment of engineering and corrective action activities. The inspection confirmed PVNGS' conclusion that engineering and corrective action programs were effective and improving.
5.3 Conclusion Based upon the above, APS concludes that there is adequate confidence that the configuration and performance of the as-built plant is consistent with the design bases and that the current processes and programs provide reasonable assurance that plant configuration will be maintained consistent with the design bases.
4 j
- - _ - ~. - -. - _ _ -
l I
l APPENDIX A - DESIGN BASES PROJECT
- A.0 Description of the design bases project (design review program), including identification of the systems, structures, and components (SSCs), and plant-level design attributes. The description includes how the program ensures correctness and accessibility of the design basis information and that the l
design bases remain current.
A.1 '
Introduction During the period of 1991-1995, PVNGS performed a large design basis project. -The project contained two major components:
- design basis manuals, including preparation, verification, and validation; and
]
e.
calculation reverification / reconstitution.
J A.2 Design Basis Manuals (DBMS)
)
A.2.1 Preparation l
A total of 57 System and 9 Topical DBMS were prepared during the design bases project.
Tables A-1 and A-2 list the system and topical DBMS, respectively. The format and 1
content of the DBMS are in accordance with the guidance provided in NUMARC 90-12,
" Design Basis Program Guidelines" and NUREG-1397, "An Assessment of Design Control Practices and Design Reconstitution Programs in the Nuclear Industry".
Following the technical review and issuance of each DBM, a verification was performed -
and, for the majority of DBMS, an additional validation effort was performed. These verification and validation efforts are described in Sections A.2.2 and A.2.3, respectively.
A.2.1.1 System DBMS The selection of systems to be evaluated was primarily based upon a critical systems approach which ranked the system according to its effect on probabilistic risk assessment, safety analyses, reactor trip hazard, and power generation. The purpose of the system DBMS is to provide an accurate, accessible, and clearly defined understanding of the system's design bases to ensure consistency is maintained between the physical plant configuration and the plant design bases. The system DBMS provide a reference to information and are not intended to replace existing
- design documents. Instead, the DBMS contain the significant information related to the systems' functions, and, in conjunction with the design documents that are referenced, provide enough information to permit users to evaluate the safety or functional effects of both conceptual and physical plant changes and activities. For ease of use, the majority of system DBMS were written in a tabular format. This format was developed as a result of a user needs assessment that was performed prior to preparation of the DBMS.
A-1
. _.. _. _. _ _ _. _. _ _. _. _ ~ _.. _ _ _ _ _ _ _ _ _. _ _ _ _ -. _
l i
i i
l
' A.2.1.2 Topical DBMS '
Topical DBMS provide the design basis requirements and other similar information that is common to a number of systems (e.g.,' seismic, high energy line break, moderate energy line break) or the design basis requirements for a non-system related plant area such as structures. Not every topical subject had a DBM prepared.
The selection of which topical areas warranted a separate DBM was made based L
upon the application to multiple systems and the design basis significance of the topical. Applicable topical requirements were addressed in each system DBM. A topical design requirements table was utilized in each system DBM in order to i
consistently apply the topical design requirements.' In the topical design requirements
. table a brief description of the topical area is given and, if applicable,' a reference is made to the topical DBM. A detailed, system specific, description of how the topical j
area applies to the particular system is also provided.
D A.2.2 DBM Verification
)
l The verification effort assured the technical accuracy of the DBM by performing a cross g
. check of the DBM and the respective source / input documents. The DBMS were also compared to the design bases descriptions in the UFSAR to identify any inconsistencies.
A typical verification consisted of a one to three-person team and required an average of 1
about 120 man-hours.
A.2.3 DBM Validation The DBM validations performed were either comprehensive (13 systems) or sampling level (41 systems and 2 topicals) validations. Tables A-1 and A-2 are annotated to
. indicate the type of validation performed on each DBM. - A typical maprehensive validation, on the average, required about eight man-months. Since the comprehensive validations were not in the original scope of the design basis project, a number of system
)
DBMS received both sampling level and comprehensive validations. A typical sampling j
level validation required on the average about 500 man-hours. Both types of validations included a plant walkdown of the accessible portions of the respective system. The L
scope of each walkdown was to review environmental conditions, configuration and interfacing / supporting systems for consistency with the DBM.
4 A.2.3.1 Comprehensive Validations The comprehensive validations included the following objectives:
review operating, emergency operating, maintenance, testing, and administrative procedures associated with the validated system to verify design bases requirements and Technical Specification limiting conditions for operation and surveillance requirements were satisfied; i
A2 l
~ _ _.
t i
i F
4 verify the values used 'as acceptance criteria, setpoints, and operator decision j
points in the implementing documents are consistent with the values in the i
- DBM, with the only adjustment needed being an allowance for instrument i
uncertainty; f
e. review the DBM for design requirements that are not tested in existing or pre-
]
operational procedures;.
review design calculations to verify assumptions and results regarding system i
operating configurations and operating limitations are consistent with the DBM and implementing procedures; e'
verify the results of corrective action' documents are included in implementing -
documents; e
as necessary, prepare draft revisions of surveillance tests and operating e
l procedures and initiate changes for other documents,- such as the UFSAR, system training manual, and system / performance engineering test manual associated with the validated system to ensure the procedure and design requirements are satisfied; review results of new instrumentation and controls setpoint and ' uncertainty j
calculations including setpoints, acceptance criteria, assumptions, and requirements that must be implemented or validated by plant procedures; prepare draft revisions to associated DBM tables as required; and
- I verify design basis information on the validated system is accurately reflected in the UFSAR.
=A.2.3.2 Sample Validations The sample validations included the following oMactives:
~
validate selected parameters of the applicable system DBM to ensure that the design basis information is consistently reflected in the physical plant, operating procedures, design documents, test procedures, maintenance procedures and documents, and Technical Specifications; utilize selective sampling vertical slice inspections, similar to safety system functional inspection level review of the validated system to identify missing information in the design bases, operating or design output documents; confirm that the system DBM accurately reflects the design basis of the system by selecting a representative sample of parameters from the DBM for review; and conduct a comprehensive review of the UFSAR and Technical Specification sections related to the selected parameters of the validated system.
A-3
~
e t
LA.2.3.3 Results During the design basis project, upon identifying a potential design bases deficiency or information discrepancy, the responsible engineer would evaluate the significance of the deficiency. Deficiencies which were determined to have potential design / safety significance, potential operability or NRC reportability concems were evaluated and dispositioned through the corrective action program. Deficiencies which were determined not to have potential significance'were dispositioned in accordance with design bases project procedures. During the design bases project,832 items were
. identified, evaluated, and dispositioned.
i-The results of comprehensive and sample validations were documented in reports which summarized identified discrepancies between the DBM and UFSAR, i.
calculations, PVNGS procedures, analyses and Technical Specifications. Overall, i
there were no significant procedural or programmatic deficiencies identified which compromised nuclear safety. Based on validation results, the validated systems were found to be functional and there were no findings that indicated the system would fail i
to perform it's intended function.
Currently, DBM deficiencies and new work items are reviewed for significance and resolved through the corrective action process, if applicable, or completed through normal work processes. DBM corrective actions and work items are tracked and routinely reviewed against goals established to' ensure accuracy and reliability of the 4
l DBM's. As of January 30,1997,78 items are being tracked to completion.
1 h
A.2.3.4 Testing Requirements identified in Design Basis Manual i
In 1994, NRC Inspection Report 50-528/94-12; 50-529/94-12; 50-530/94-12 noted a weakness in the connection between design bases calculations and the acceptance criteria provided in ASME Section XI insewice testing surveillance tests for components without performance limits specified in Technical Specification surveillance requirement <. In March 1996, PVNGS revised the " System Performance Testing Requirements" table of selected DBMS of safety related and maintenance rule high risk significant systems to specify the periodic system level performance testing requirements which would validate system functional design requirements. During development of the table, design limits and performance testing requirements were identified.
A-4
~. _._ _._. _ _. _ - _ _ _ _ _. _ _. _. _. _ _. _ _ _ _ _ _. _.. _.
F i
4 A.3 - Calculation Reverification and Reconstitution i
l A.3.1 Introduction A major obstacle encountered during the pilot DBM effort was the identification of the l
- source documents that defined the required design bases. There were many calculations, engineering evaluations, and design changes that included aspects of the
~
1 design bases. Some of the calculations conflicted with each other or were partially l
redundant. Much of the required design bases information was missing. As a result, determining the current design _ bases, the adequacy of the analysis, and the correct analysis for any given parameter and configuration were time consuming and aifficult. In order to address these challenges, APS management made the decision to 4
- reverify / reconstitute the PVNGS design basis calculations. The reverification and 7
reconstitution efforts are described below.
A.3.2 Reverification.
l The existing calculations for the DBM systems were reviewed. For the systems designed by ABB Combustion Engineering, the nuclear steam system supplier, this included a review of a large volume of proprietary design basis documents recently turned over to i
APS. During the reverification:
design basis calculations were identified and the redundant and unnecessary e
]
calculations were canceled; and i
i design basis calculations were verified to be consistent with the established
-+
design basis as defined in the DBM.
A.3.3 Reconstitution The Mechanical, Electrical, Civil, Radiation Monitoring, and I & C disciplines performed
- extensive calculation reconstitution. The reconstitution effort created new design basis calculations which became the design basis calculations for the respective DBMS.
Reference to the design basis calculations is given in various tables of the DBMS. A complete list of the design basis calculations is provided in a calculation summary table of each DBM.' The following descriptions are provided for the calculation reconstitution effort performed in each discipline area.
1 A.3.3.1 Mechanical Over 100 overlapping, redundant, and sometimes conflicting mechanical calculations were consolidated into approximately 10 design calculations.
A-5
)
A.3.3.2. Electrical As part of the electrical calculation reconstitution effort, over 200 existing calculations were screened and it was determined that approximately 50 of these were in need of -
revision as they did not reflect the as-built condition of the plant. In addition, many of
. the existing calculations were' based on mainframe computer programs which were l'
inaccessible to PVNGS personnel,- difficult to maintain, and sometimes,
i incomprehensible. The design basis project prepared approximately 20 new L
streamlined calculations which reflect the existing plant configuration. As part of this effort, software programs were developed and qualified in-house to perform. loading,
~
voltage regulation, and short-circuit calculations for AC and DC distribution and p
control circuits. The new programs allow personnel to determine the effects of the various design basis scenarios and attain a greater depth of understanding of the electrical system response.
A.3.3.3 Setpoints l
l The setpoint project was initiated in August 1991 to evaluate, and reconstitute where-necessary, the design bases for instrumentation and control system setpoints and to verify that a consistent and industry accepted method of documenting, performing, and implementing setpoint design criteria and verifying instrumentation and control setpoints was established and implemented at PVNGS.
The methodology for performing instrument setpoints and loop uncertainty calculations is detailed in a departmental design guide which is based on NRC Regulatory Guide 1.105 " Instrument Spans and Setpoints," and ISA Standard 67.04, 1988, along with the draft version of ISA 67.04,1994, as guidance. This project was completed in February 1996 and included:
- evaluations of instrument uncertainties;
- : establishment of administrative control methods to evaluate safety-related.
and/or Technical Specification setpoints to verify that design bases setpoint calculations are consistently generated and properly controlled; adjustment of maintenance and operations procedures and methods so that e
margins and assumptions in the calculations were not violated; and preparation of new setpoint calculations for setpoints, with the e.xception of the
^
core protection calculators (CPC) and centrol element assemblies calculators (CEAC) digital systems values, contained in:
PVNGS Technical Specifications;
. NRC Regulatory Guide 1.97, as committed in UFSAR Section 1.8; and I
emergency operating procedures.
A-6
b
- A.3.3.4 Civil i
7 l
The design basis for seismic category I supports located within seismic category 1 '
i
' structures was reconstituted. In this reconstitution:
~
4
. more than'1000 control building hanger analyses were performed; I
design basis calculations for seismic category I steel framing structures were e
i pe Tormed. Structural steel load monitoring systems have been generated for i
- open steel framing platforms which comprise the sh :tural suppor6 system in seismic category I structures;.
review / evaluation of the effects of high density elastomer penetration seals on
[
pipe stress analyses for hot fluid systems and the moderate energy line break j
crack evaluation was performed. Thermal movements were found to be within i
the acceptable range and there were no adverse effects due to piping stress
[
analyses; and GTSTRUDL (structural analysis) software enhancements were performed e
i I
which provides automated capabilities to analyze and code-check cold-form steel shapes commonly used for raceway and HVAC supports.
A.3.3.5 Radiation Monitoring Over 50 overlapping, redundant, and sometimes conflicting, radiation monitoring
.l calculations were consolidated into about 15 design calculations.
l i
' A.4 ' Design Basis Control A.4.1. Accessibility '
I To provide access to the design basis information, electronic documents were created for i
most DBMS and reconstituted calculations. Access to these electronic documents is available through the PVNGS computer network. Paper copies of the DBMS are available in technical libraries at several locations at PVNGS, and calculations are available from document retention.
'A.4.2 Administrative Controls for Maintaining DBMS During the initial preparation of the DBMS, the control of the manuals was performed in accordance with DBM procedures. After completion of the project in 1995, these procedures were subsequently canceled and control of the DBMS was incorporated into the existing design and configuration control procedures.
A.4.3 Training for Users of DBMS Upon completion of the design basis project, training was given to potential users of the DBMS. The training provided instruction on how to use the DBMS and on the process
. utilized to update DBMS when required by design and configuration changes.
A-7
Table A-1 Desig n Basis Project: Systems l
- 1. 13.8 KV AC Non-Class 1E Power (NA)
- 30. Extraction Drain (ED)
- 2. Auxiliary Building HVAC (HA)(a)
- 31. Feedwater Control System (SF-FWCS) (a)
- 3. Auxiliary Feedwater(AF)(a,b)
- 4. Control Element Drive Mechanism
- 33. Fuel Building HVAC (HF)(a)
Control System (SF-CEDMCS)(a)
- 34. Fuel Handling (FH)
- 5. Chemical Volume Control System
- 35. Fuel Pool Cooling and Cleanup (PC) l (CH)(b)
- 36. Incore Instrumentation (RI)
- 6. Class 1E 125v DC Power (PK)(a)
- 37. Instrument Air (IA)(a)(see note 3)
- 7. Class 1E 4.16 Kv AC Power (PB)(a)
- 38. Scrvice Gas (GA)(a)(see note 3)
- 8. Class 1E 480V AC Power (Motor Control
- 39. Loose Parts & Vibration Monitoring (a) (SV)
)
Center)(PH)(a)
- 40. Main Generation (MA)
- 9. Class 1E 480V AC Power (Switchgear)
- 41. Main Steam (SG)(a,b)
(PG)(a)
- 42. Nuclear Cooling Water (NC)(a)
- 10. Class 1E Instrument AC Power (PN) (a)
- 43. Offsite Power (NO)(a) l.
- 11. Core Operating Limit Supervisory
- 44. Post Accident Sampling System (SS)(a)
System (RJ-COLSS)(a)(see note 1)
- 12. Core Protection Calculator (SB-CPCs)
(QSPDS)(SH)(a)
(a)(see note 1)
- 46. Radiation Monitoring (SQ)(a)
- 13. Condensate (CD) (a)
- 47. Reactor Coolant (RC)(b)
- 14. Containment Building HVAC (HC)
- 48. Reactor Power Cutback System (SF-RPCS) l
(a)
- 16. Containment Purge (CP)(a)
- 49. Safety Equipment Status Sys. (ES) (see
- 17. Control Guilding HVAC (HJ)(a) note 4)
- 18. Diesel Generator Building HVAC (HD)(b)
- 50. Plant Annunciator System (RK%see note 4)
- 19. Diesel Generator Building (ZG)
- 51. Reactor Protection System (SB) (a)
- 20. Diesel Generator (DG) (a,b)(see note 2)
- 52. Reactor Regulating System (SF-RRS) (a)
- 21. Class 1E Ltandby Power (PE) (a,b)(see
- 53. Safety injection (SI)(a,b) j l
note 2)
- 54. Security System (SK)
- 22. Diesel Fuel (DF) (a,b)(see ne' ' 2)
- 55. Seismic Monitoring (SM)(a)
- 23. Emergency Lighting (QD)(a)
- 56. Station Blackout Gas Turbine (NE)
- 24. Emergency Response Facility at
- 57. Steam Bypass Control System (SF-SBCS)
Acquisitions and Display System (a)
(ERFDADS)(SD)
- 26. Essential Chilled Wate:-(EC) (a,b) i
- 27. Essential Cooling Water (EW) (a,b) i
- 28. Essential Spray Pond (SP)(a,b) i
- 29. Execre Neutron Monitor (SE)(a)
Note 1 - The RJ-COLSS and the SB-CPCs systems are combined into one DBM with the designator CA.
Note 2-The DG, [T. r.d PE systems are combined into a single DBM.
Note 3-The lA v.d GA systems are combined into a single DBM.
Note 4-The ES and RK systems are combined into a single DBM.
a-Sample validation performed.
l b-Comprehensive validation performed.
l A-8
Table A-2 Design Basis Project: Topicals
- 1. Containment isolation Topical (CL) (a) 2.
Electrical Topical (E2) 3.
Equipment Qualification Topical (E1) 4.
Hazards Topical (C2) 5.
Human Factors Topical (J1)(a) 6.
Regulatory Guide 1.97/ Post Accident Monitoring Topical (P1)
- 7. Seismic Topical (CS) 8.
Category l Buildings Topical (C6) 9.
Fire Protection Topical (FP) 1 A-9
APPENDIX B - SAFETY ANALYSIS BASIS DOCUMENT B.0. Description of the Safety Analysis Basis Document. The description includes how the program ensures correctness and accessibility of the safety analysis basis information and that the safety analysis bases remain current.
B.1 Introduction The PVNGS Safety Analysis Basis Document (SABD) is a compilation of the detailed information that forms the bases of the PVNGS Safety Analysis. A design review of the documents that were used to produce the PVNGS Updated Final Safety Analysis Report (UFSAR) and subsequent core reload analyses was completed in 1996 by PVNGS and Asea Brown Boveri-Combustion Engineering (ABB-CE) personnel. The original documents were supplied primarily by the nuclear steam supply system vendor, ABB-CE, and the architect-engineer (AE), Bechtel Engineering Corporation, spanning a 20-25 year period.
l B.2 Safety Analysis Basis Document (SABD)
B.2.1 Basis The safety analysis design bases of PVNGS is derived from:
vendor and utility calculations; e
Internal and extemal correspondence between various organizations; j
the Code of Federal Regulations (10 CFR Part 50);
e NRC Regulatory Guides and NUREGs; ASME codes; and industry guidance such as EPRI recommendations.
e Input parameters have changed during core reloads due to fuel-dependent phenomena and plant-dependent or regulatory requirements. The SABD compiles the design bases information into one location, and provides quick access to this information. The SABD enhances the Nuclear Fuel Management (NFM) Department's ability to understand and perform the safety and reload analyses and to accommodate future plant and reload changes. The SABD, along with other design bases documents, aids PVNGS personnel
. in conducting 10 CFR 50.59 evaluations and reviews.
B1
I s
.B.2.2 Purpose The SABD was developed to accomplish the following:
' Capture the details of the design bases and document the methodology of the
).
safety analyses for PVNGS that have evolved over a 20-25 year period This-includes the applicable computer codes and basic assumptions used in the analyses.-
Document the plant initial conditions, initiating event assumptions, operator action requirements, and single failures assumed in the analyses.
i Document the NRC acceptance criteria based on Standard Review Plan ;SRP) l' and other industry practice. Any deviations from the SRP acceptance criteria
~
were documented. The Safety Evaluation Reports (SER) form the basis for such an evaluation.
Organize key system dependent parameters and assumptions in cross-reference l
tables by plant system, associated event, and the corresponding Technical Specifications.
Compare the results obtained over the years in various vendor and AE analyses with those reported in the UFSAR and verify that the applicable design basis was appropriately captured.
Verify that the design bases for the Technical Specifications LCO parameters l
were properly documented.
i i
Document the relationships of the LCOs to the safety analyses, especially those LCOs that affect:
1 peak primary system pressure; peak secondary system pressure; e
Departure from Nucleate Boiling Ratio (DNBR);
fuel failure;.
radiological dose consequences; and peak linear heat rate.
Provide a means to assess the effect of a pisnt, system, or component change on the safety analysis bases of PVNGS.
i l'
l L
B-2
B.2.3 Summary of SABD' Contents l-L The development of the SABD required data collection, validation, and evaluation.
Previous reload analyses and associated references were reviewed, and a summary was included in each SABD Events section. This effort also documented details of the UFSAR. When errors were found, they were identified and resolved through the
(
corrective - action process. This resolution process did not result in any new changes to trip or actuation setpoints, but documented what already existed. A review was performed for each section in accordance with an APS procedure to determine any adverse effect on the plant and plant procedures.
The SABD is organized into the six primary sections which are briefly described.below.
L B.2.3.1 Common Data j
The Common Data section is used in safety analyses, including core reloads, and is characterized as fuel cycle or_ event independent. This section may also include data l
which is chosen conservatively to be bounding for future fuel cycles. A key feature of l
this section is a cross reference matrix that identifies the relationship (e.g., input, L
output, and dependencies) between the LCOs and the reload analyses.
B.2.3.2 Events l
h The Events sections present data which is chosen specific to a single UFSAR Chapter 15 event or event category and include a brief description of the event, specific.
l required analyses acceptance criteria, and the results of the licensed analysis of record. Initial conditions, important modeling assumptions, analysis techniques, operator actions, or system performance / availability requirements are identified for each event presented. The Events sections also describe the relationship between the event and specific LCOs in more detail than that provided in the cross-reference matrix.
B.2.3.3 Systems The Systems sections contain safety analyses data specific to an individual system.
They identify specific events for which safety analyses credits the operation of a specific system for mitigating the event and performance requirements of the system for each of those events.
o B.2.3.4 Reload The Reload section describes the non-UFSAR Chapter 15 analyses examined and performed for each core reload. These analyses include the margin setting analyses.
initial conditions, inputs and analysis methodology, and system performance /
j availability requirements are also defined.
i B-3
l B.2.3.5' Miscellaneous l
' Non-UFSAR Chapter 15, non-reload analyses are described in this section of the
.SABD.- Currently, the anticipated transient without scram is the only non-UFSAR ~.
L Chapter 15, non-reload analysis described in this section.. Expanding this section to -
include analyses performed to address past and future emergent issues is an on-l
. going evaluation process.
B.2.3.6 Physics The core physics inputs and analysis methodology to support various transients are i
documented in this section. Physics it. puts to both UFSAR Chapter 15 and non-1 l-Chapter 15 transients are addressed.
B.2.4 SABD Section Application B.2.4.1 Nuclear Fuel Management (NFM) Application i
- The Common Data, Events, Reload and Physics sections were developed primarily for NFM personnel, who have the responsibility for UFSAR Chapter 15, and Fuel 1
Engineering personnel at ABB-CE.
B.2.4.2 Engineering Use and Application The Systems section was developed primarily for system engineers,' Shift Technical l
Advisors and design engineers. The systems sections summarize the analyzed.
values, modeling characteristics, and associated Technical Specifications for a given system parameter (such as alarm or trip setpoints) and associated event. The cross reference matrix between LCOs and SABD Event and Reload sections provides a quick reference to personnel considering changes to LCOs or plant systems or components that may affect plant safety analyses. Detailed relationships between LCOs and the safety analyses are described in the SABD Event and Reload sections.
B.3 - SABD Maintenance and Auministrative Controls B.3.1 Calculation 3 asis and Change Process l
To ensure correctness, the SABD sections were written and reviewed in accordance with
' APS procedures for design and analysis controls. APS procedures control evaluation of potential revisions to the SABD and define a change process to identify and track the revisions against SABD sections. The change process may be initiated as a result of:
plant modifications; e
changes to analysis inputs or outputs; e
changes to analysis methodology; and e
B-4
.s
o any other change that has been identified as affecting the SABD sections, such as changes in plant parameters used in the reload analyses.
The plant modifications procedure includes a requirement to determine and document modification effects and to notify the single point of contact in the NFM Transient Analysis (NFM-TA) group for required actions. The 10 CFR 50.59 evaluation also requires contacting the NFM-TA single point of contact for potential adverse effects on the safety analyses. The NFM-TA designated engineer may check the SABD, UFSAR, Technical Specifications, and other documents, and consult with other engineers as part of the j
evaluation. The reload analysis teams are made aware of changes that could effect the reload analyses.
i NFM design outputs that may effect PVNGS engineering design and configuration are
{
processed in accordance with the plant modifications procedure. Revisions to SABD
)
sections undergo reviews to determine effects on plant operating procedures and on analyses supporting other transient events.
B.3.2 Implementation j
Each SABD section was developed, reviewed, and implemented in accordance with APS
)
procedures. Subsequent revisions are controlled by the same process. Analysis parameters important to the Technical Specifications have been included in each SABD event section as part of the SABD Upgrade Project. Errors or changes in the event analyses are identified, tracked, and resolved in accordance with the PVNGS corrective action process when found.
B.4 Documentation B.4.1 Initialimplementation of SABD The initial implementation of the SABD in May 1994 primarily addressed:
documenting the sources of the descriptions in the PVNGS UFSAR Chapter 15 Accident Analyses (Sections 15.1 through 15.6);
providing details to supplement the information presented in the UFSAR; and e
including detailed information about the primary computer code for modeling transient events, Combustion Engineering System Excursion Code, and the interfaces of the plant safety systems to the safety analyses as described in UFSAR Chapter 15.
B-5
o B.4.2 SABD Upgrade Project The Safety Analysis Basis Document upgrade project was undertaken to expand the SABD to provide:
a PVNGS method for comprehensive design control of core reloads; e
emphasis on the control of safety analysis assumptions; and e
input and methodology which support the licensing bases.
Based on the time in plant life during which this project was scheduled, the upgrades to the SABD event sections were bounded by cycle 6 reload analyses for the three PVNGS units. Analyses beyond cycle 6 were considered outside the scope of the project and will be handled in accordance with the NFM design controls process.
B.4.3 Technical Specifications Review As part of the SABD upgrade project, Technical Specifications which are either input to, or supported by, specific accident or reload analyses, were reviewed to verify that the analyses and Technical Specifications are mutually consistent. This effort was also credited as a response to a commitment to the NRC to complete a long-term project to review safety analysis assumptions and ground rule documents.
This upgrade project was completed for the SABD event and pertinent reload sections by the end of June 1996. This review revised the UFSAR Chapter 15 (Sections 15.1 through 15.6) event sections except as noted in the following descriptions:
The loss of flow and large main steam line breaks analyses were reviewed for consistency with the Technical Specifications. Revisions to these SABD sections were completed by the end of October 1996.
The control element assembly ejection analysis was reviewed for consistency with the Technical Specifications, The review verified that the original analysis.I record remained current through cycle 6.
The double ended break of a letdown line outside containment and the steam generator tube rupture analyses were reviewed for consistency with the Technical Specifications. The review verified the original analysis of record remained current through cycle 6.
B-6
.. -. ~ - - --
h B.4.6 ' Personnel Training As a design bases document for the fuel safety analysis, the SABD is available for consultation during the preparation of 10 CFR 50.59 evaluations for plant modifications.
The 10 CFR 50.59 requalification training presented in the last two quarters of 1996 included instructions on the use of the SABD.
B.4.7 Accessibility The non-proprietary SABD sections are available electronically and in the PVNGS technical libraries. This arrangement makes the SABD available to PVNGS personnel, including system, design, and maintenance engineers. The non-proprietary sections are primarily the sections that would be needed by engineering for evaluation of plant modifications. Selected sections, which are designated proprietary, such as physics and reload analysis, have restricted access because they contain detailed information on.
analysis methodology and code configuration. This information is applicable only to the NFM engineering function. However, these sections are available to 10 CFR 50.59 evaluators and reviewers.
i l
l i
i 1
1 I
i B-8
l ls_-o-u,,io,. m,,
J EDISON execetive v>ce r<estee"'
\\n (D/3ON IWlNs 4(10\\ d ComPse Fe'oruary 12,1997 i
{
U. S. Nuclear Regulatory Commission Attention: Document Control Desk Washington, DC 20555-0001 Gentlemen:
Sut jet-Docket Nos. 50-361 and 50-362 Requent for Information Pursuant to 10 CFR 50.54(f) Regarding Adequacy and Availability of Design Bases information San Onofre Nuclear Generating Station (SONGS) Units 2 and 3 This letter provides Southern California Edison's response to a letter from James M.
Taylor (NRC) to John E. Bryson (Edison),
Subject:
" Request for Information Pursuant to 10 CFR 50.54(f) Regarding Adequacy and Availability of Design Bases Information,"
dated October 9,1996 and received by Edison on October 15,1996. The letter expresses the NRC's concern that the design bases may not be sufficiently understood and documented by some licensees to conclude their current facility configuration is consistent with the design bases or to support operability determinations and 10 CFR 50.59 evaluations in a timely manner.
Enclosures A through F contain Edison's responses to NRC request items (a) through (e) and its inquiry regarding design bases review and reconstitution programs. These enclosures contain descriptive information about various historical and current programs and processes. These programs and processes are changed from time to time to incorporate improvements and/or changes to work organization / processes. All such changes are made in accordance with applicable regulations and Licensing requirements. Therefore, these program and process descriptions should not be considered as commitments, but rather as " descriptions" of the current programs and processes.
Edison has completed and planned a number of rigorous engineering and assessment efforts which assure the adequacy and availability of design bases information.
In 1994 Edison completed its Design Bases Dacumentation (DBD) Program begun in 1989. This program generated twenty-eight System and Topical DBDs. The program was intensive, involving in excess of 400,000 man-hours of effort and a rigor exceeding the requirements specified in NUMARC 90-12, " Design Basis Program Guidelines."
When NUREG-1397, "An Assessment of Design Control Practices and Design Reconstitution Programs in the Nuclear Industry," was issued in 1991, Edison assessed i' o ikn m 2244 Ninut Gime \\tc.
wm,m mo
-07l4 818502 leM
\\
gy x
e Document Control Desk 4 Other efforts provide Edison confidence that systems not specifically covered by the l
DBDs are consistent with their design bases. Edison's responses to Generic Letters l
89-10 (Motor Operated Valves) and 89-04 (Inservice Testing) provide assurance that
. the configuration and performance of safety related pumps and valves are consistent with their design bases requirements.
l Edison initiated a Setpoint Caiculation Program in 1990. Edison completed the first phase of this program in 1993. This phase assured that safety related instrument
]
setpoints and associated surveillance test requirements (with the exception of those i
related to a not yet installed upgrade of the radiation monitor system) are consistent with their design bases. Edison completed the second phase of this program in 1994.
This phase assured that values in Emergency Operating Instructions used to support substantive operator decisions reflect their design bases. Post Accident Monitoring instrumentation and Remote Shutdown Monitoring instrumentation covered by the L
Technical Specifications were included in this phase of the program.
The third phase of the program began in 1993. This phase focuses on Technical Specification instruments which support accident mitigation or assure operation within initial conditions assumed in accident analyses. To date, approximately 40% of the required calculations have been completed.
The fourth and final phase of the program will address instrument uncertainties where the Technical Specifications do not provide specific surveillance test acceptance criteria. This phase will begin 1997. The third and fourth phases of the program will be completed by October 1998 and will provide further assurance of consistency between i
design bases and Technical Specification requirements. A detailed program description will be submitted via separate correspondence.
Edison declared no instruments inoperable as a result of calculations performed in the first three phases of the Setpoint Calculation Program which, to date, has evaluated the majority of safety.significant instrumentation covered by the Technical Specifications.
Edison expects similar results in the balance of the program.
Edison's current Updated Final Safety Analysis Rersort (UFSAR) Review Project will verify accuracy of UFSAR requirements with respect to design bases calculation results, implementing procedures, and the as-operated as-tested plant. To date Edison has reviewed roughly two-thirds of the UFSAR sections and has identified no safety significant issue. Edison expects similar results in the balance of this project.
To assure consistency is maintained between the plant and its design bases, Edison classified its DBDs as Design Disclosure Documents to assure they are controlled and maintained current. Edison scanned the DBDs and the UFSAR into the site computer f
- network thereby making them available for their widespread use in the performance of work activities.
l f
l
f State of California j
County of San Diego By:
Harold B. Ray Executive Vice Preside l
i dbfRAej 97.
.19 Subscribed and sworn before me this day of o
)
Comt # 1033763 h"
Notary Pubic - Colfornlo j
M i s.w k%1-tA W '
4 we - rd M.,m j nogg y
.-,,n l
l l
i i
ENCLOSURE A Page 1 This enclosure responds to information request (a) which solicits a
" Description of engineering design and configuration control processes, including those that implement 10 CFR 50.59,10 CFR 50.71(e), and Appendix B to 10 CFR Part 50. "
1.
OVERVIEW Edison has established programs and processes for control of the plant and configuration which are responsive to the requirements of these Nuclear Regulatory Commission (NRC) regulations. Implementation of these programs and processes has been routinely audited by Edison and inspected by the NRC. These audits and inspections have demonstrated that the programs and processes are effective in controlling activities to assure that the design bases of the plant are maintained.
1ssues raised by these audits and inspections have been acted upon by Edison in a timely manner, including appropriate enhancements to process controls to further strengthen the design and configuration control programs.
11.
BACKGROUND The design bases of San Onofre Nuclear Generating Station, hereafter referred to as San Onofre, Units 2 end 3 are defined in the Updated Final Safety Analysis Report (UFSAR), specific Design Bases Documentation (DBD), and selected design analyses, calculations and other design documentation. The original plant design was controlled in the 1970s by the Engineer-Constructor (Bechtel) and the NSSS Supplier (Combustion Engineering, hereafter referred to as ABB-CE) using design control procedures deve;oped to respond to 10CFR50 Appendix B (Reference 20) Criteria Ill and VI and Regulatory Guide 1.64 (Reference 21). Design documents (i.e.,
calculations, specifications, drawings, etc.) were developed, reviewed and approved in accordance with these procedures by the originating design organization. Interfaces were controlled by multi-discipline reviews within the originating design organization and externalinterface reviews between Edison, Bechtel and ABB-CE design groups.
The resulting design documents formed the basis for the plant configuration and the design bases descriptions included in the UFSAR (Reference 5).
Prior to full power operation of San Onofre Units 2 and 3, a Topical Quality Assurance Manual (TQAM) (Reference 2) was developed and issued by Edison to define the quality assurance program for the subsequent operations phase of San Onofre Units 2 and 3. The TQAM was based on the requirements of Topical Report SCE-1-A (Reference 1), which is invoked by reference in the San Onofre Units 2 and 3 UFSAR Chapter 17 and was approved by the NRC. Procedures were developed within Edison to implement TQAM design control and configuration provisions. Similar procedures were developed by Bechtel and ABB-CE for control of design activities within their l
organizations. Design changes were prepared by Edison's engineering organizations, Bechtel and ABB-CE in accordance with these design control procedures to support
ENCLOSURE A Page 3 Exhibit A provides an overview of the design control and configuration control processes employed at San Onofre Units 2 and 3. Exhibit B provides an overview of j
the Edison corrective action process as described in Enclosure D to this submittal.
A.
Design Control The desico control processes implemented at San Onofre Units 2 and 3 are defined in approved and controlled procedures which reflect the guidance of Regulatory Guide 1.64 (Reference 21) and ANSI N45.2.11 (Reference 30).
Process enhancements and procedure revisions have been made since the operating licenses were issued in February 1982 (Unit 2) and November 1982 (Unit 3). The revisions made in 1989 and 1990 formed the fundamental foundation of the processes used today. The procedure for " Design Process Flow and Controls"(Reference 101) provides an overview of the design process controls.
Major plant modifications are processed using Design Change Packages (DCPs) as described in the procedure for " Development, Review, Approval and Release of Conceptual Engineering Packages and Design Change Packages"(Reference 102).
DCPs incluce a description of the design change (i.e., reason for the change, functionni objective of the change, impact of the change on site programs and procedures and a design criteria discussion), a 50.59 safety evaluation, a review of licensing and design document impact, applicable drawing changes documented in Interim Design Change Notices (IDCNs) or new drawings, DBD changes, identification of computer software changes, calculation changes / impacts, construction safety assessment, material list, test guidelines and vendor documents / references. Changes to licensing documentation (e.g., Technical Specifications, Licensee Controlled Specifications, UFSAR, etc.) are also included in the DCP. DCPs are prepared by design teams and undergo design reviews (1) within the originating design disciplines; (2) outside the discipline; and (3) outside of the engineering organization by impacted groups as described in the procedure for " Document Review and Approval Control" (Reference 107). Field changes to DCPs are formally processed and controlled using Field Interim Design Change Notices (FIDCNs) in accordance with References (102) and (107) and the procedure for " Field Change Notice and Field interim Design Change Notice"(Reference 103). at completion of DCP installation and associated verification testing, the modification is formally turned over to the Operations
)
organization. Following DCP turnover and acceptance, drawing changes included in the DCP are converted to Design Change Notices (DCNs) to reflect the as-built plant configuration. New and existing station procedures (e.g., operations, maintenance, testing, etc.) affected by the design change, are identified and scheduled for updating to support the turnover or to support future plant needs.
NRC approval of licensing document changes, where required, is normally obtained l
prior to DCP issuance. If NRC approval is outstanding at the time the DCP is issued, l
conditions are included in the DCP to obtain this approval before design change use in l
an operational mode governed by the licensing document change. Following turnover
ENCLOSURE A Page 5
(
physical plant configuration change impact but, which may impact plant procedures, l
are submitted to affected station organizations for impact review and initiation of l
associated plant procedure changes.
Engineering specifications and changes are prepared, reviewed and approved in l
accordance with the procedures for " Specifications / Mini-Specifications" (Reference 108) and " Document Review and Approval Control"(Reference 107). Three types of specifications are typically used: equipment procurement specifications; field construction specifications; and ASME Code design specifications. These specifications are prepared by a responsible engineer, reviewed by an independent reviewer and other reviewers impacted by the specification to assure the requirements j
are technically adequate and conform with applicable codes, standards or other requirements.
Design documents submitted by vendors in support of-equipment procurement are 1
l reviewed and approved by Edison engineers in accordance with the procedures for
" Processing of Supplier Documents"(Reference 109) and " Document Review and Approval Control"(Reference 107) to assure conformance with the requirements of the procurement documents and compatibility with Edison design requirements for the related DCP or FCN. Changes to design documents submitted by vendors to support equipment fabrication / installation are reviewed and approved by Edison in a similar manner. After equipment installation, the vendor design documents are used in conjunction with the design drawings to define the plant configuration and are updated and maintained in a manner similar to design drawings as described above.
Nuclear fuel design changes, reload analyses and other core analyses are documented by generating or modifying calculations and/or by preparing a Reload Analysis Report (RAR) and reload Facility Change Evaluation (FCE). Assumptions and inputs for each reload are documented in the Reload Ground Rules which are based on plant design bases and configuration details. The Reload Ground Rules are reviewed and approved by the affected engineering groups within NEDO, Station Technical and NFM as well as other affected groups such as Operations and Licensing. A 50.59 safety evaluation and review of design basis information are required in support of the RAR and FCE. For San Onofre Units 2 and '3, Cycles 1 through 8, fuel design changes and reload analyses were prepared and approved by ABB-CE in accordance with the ABB-CE Quality Assurance manual and procedures as apprcved by Edison. For the Unit 2 Cycle 9 reload and the Unit 3 Cycle 9 reload, the RAR and FCE will be prepared by Edison's NFM organization. Supporting calculations have been prepared by NFM using ABB-CE methodology and procedures as part of the reload technology transfer process. These calculations either have been or will be independently reviewed and approved by ABB-CE. For subsequent reloads, Edison's procedures will be adapted to the process and utilized. UFSAR and design basis update revisions will reflect the Cycle 9 reload design. The above processes are controlled in accordance with the procedures for " Documentation of Safety Analysis" (Reference 113), " Reload Ground Rules Control Methodology"(Reference 114),
f
" Installation of CECOR Geometry and Coefficient Libraries"(Reference 115),
ENCLOSURE A Page 7 121) describes the process in detail. The SEE may also provide the design or configuration change documents necessary to authorize installation in specific applications when, and if, the substitute item is to be installed. SEE's may authorize installation of piece parts if primary or secondary design documents are not affected.
FCNs in combination with SEES are used for component level changes or changes impacting primary or secondary design documents. FCNs are required to have a specific 50.59 safety evaluation unless they pcos a screening (see Section IV discussion below).
C.
DCP Installation l
~
Plant configuration can be impacted during DCP installation and therefore activities affecting installation are controlled in accordance with the following procedures:
" Preparation, Review and Approval of Nuclear Construction Administrative e
Procedures"(Reference 122)
" Preparation, Review and Approval of Component Test Procedures"(Reference e
123)
" Preparation, Review and Approval of Preoperational Test Procedures e
(Reference 124)
" Review, Evaluation and Approval of Test Results"(Reference 125) e
" Design Change Process"(Reference 126) e
" Construction Work Orders" (Reference 127) e
" Construction Problem Report"(Reference 128) e
" Component Testing" (Reference 129) e "DCP Turnovers"(Reference 130) e
" Conduct of Work"(Reference 131) e
" Field Change Notices" (Reference 132).
e When the DCP is issued to the field, installation is controlled under Construction Work Orders (CWOs) by the Construction organization. Certain aspects of the DCP installation may be performed by the Maintenance organization under Maintenance Orders (MOs). The DCP turnover package identifies the CWOs/MOs that implement the design change. Each CWO/MO contains a detailed work plan describing the work instructions necessary to install that portion of the design change. The CWO/MO references the design documents being implemented. Work instructions may be stand alone or invoke the requirements of detailed construction specifications and procedures that delineate site specific or industry quality standards. Construction specifications and procedures (and changes) are reviewed, approved and controlled.
CWOs/MOs are reviewed by Operations Equipment Control (EC) to determine if Operations procedures and instructions require revision prior to placing the system in service. Testing to verify proper installation of the work is also performed using CWOs/MOs and standard or unique test procedures. Test guidelines and acceptance criteria (including appropriate vendor equipment requirements) that are unique to the design change are specified in the DCP. Work completion is verified by the work l
organization and in selected cases by Quality Control (QC) inspection or test
ENCLOSURE A Page 9 installation is also performed using CWOs/MOs and standard or unique test procedures. Test guidelines and acceptance criteria are specified in the FCN package where applicable. Work completion is verified by the implementing organization and in selected cases by QC inspection or test witnessing. Construction or Station Technical verifies plant as-built conditions associated with FCN installation when the work has been completed. Following work completion, the system is placed into service by Operations including any in-service testing. The balance of activities is as described for DCP installation.
E.
Temporary Modifications The procedure for " Temporary Modification Control" (Reference 133) describes how Edison classifies Temporary Modifications and defines the process and configuration control requirements applicable to each classification. The Temporary Facility Modification (TFM) as described in the procedure " Temporary Facility Modifications" (Reference 155) is the preferred method of controlling temporary modifications however other methods such as Nonconformance Reports (see Enclosure D),
Operations procedures, Maintenance procedures, Design Change Documents (FCNs),
etc., may be employed as described in Reference (133) if they are more appropriate for the situation. Temporary Modifications have a specific 50.59 safety evaluation unless they pass a screening (see Section IV below) either as part of the procedure controlling the work activity or as part of the Engineering document (e.g., TFM, NCR, FCN, etc.) associated with the Temporary Modification.
Barrier impairments are controlled by the procedure for " Control of San Onofre 2 and 3 Barriers" (Reference 164). This procedure provides controls over plant barriers (i.e.,
doors, hatches, etc.) that are required to be placed in a temporary configuration for maintenance, modification or other activities and subsequently restored to the design basis configuration. A 50.59 safety evaluation is performed for each barrier impairment.
F.
Software Configuration Quality affecting plant software and engineering analysis software are developed, reviewed, approved, revised and controlled in accordance with the procedures for
" Engineering, Construction and Fuel Services Software Quality Assurance"(Reference 119), " Software Development and Maintenance" (Reference 134) and " Control of Computer Based Systems"(Reference 156) These procedures include provisions for documenting the software requirements, design, safety evaluation, test plans, test results, procedure impact, user notification and training. Centrol of Core Protection 4
Calculator (CPC) and Core Operating Limits Supervisory System (COLSS)
Addressable Constants Changes are provided in accordance with the procedures for
" Control of Core Protection Calculator Addressable Constants"(Reference 188) and
" Control of Plant Physics Data Books, COLSS Addressable Constants and Reactor Engineering Data Transmittals"(Reference 189).
ENCLOSURE A Page 11 i
to issue. WAs include clearance boundary definition and tagging instructions, the MO or CWO used to perform the work and system alignment / component position and restoration requirements. Independent verification is required to assure proper alignment / position and restoration as described in the procedure for " Control of System Alignments"(Reference 147). EC employs a detailed reference guide for WA evaluation. The reference guide also addresses evaluating special precautions such as fire protection, structural integrity, flooding and potential high energy impingement.
Within Reference (145) are special provisions that may be implemented by Operations shift management under certain specific conditions when plant work must proceed in an expedited manner and time does not permit a formal WA to be processed.
1.
Vendor Manuals Vendor manuals containing installation, operation, and maintenance instructions for equipment are initially received as part of the procurement of the equipment.
Equipment vendors are periodically contacted by San Onofre personnel to assure that the current vendor requirements applicable to the San Onofre supplied equipment are available. Vendor information received as a result of the initial equipment procurement and subsequent contacts are evaluated for incorporation into Operations and Maintenance procedures in accordance with the guidance of NRC Generic Letter 83-28 " Vendor Interface For Safety Related Components" (Reference 22) and NRC Generic Letter 90-03 " Relaxation of Staff Position on GL 83-28 Item 2.2 Part 2" (Reference 23) and the process controls included in the procedures for " Vendor information Review Program Manual Compilation, Review, and Approval"(Reference 152),"Ulaintenance Engineering and Services Document Assessment and Tracking System" (Reference 153), and, " Configuration Document Change Control for Vendor Information" (Reference 154).
IV.
IMPLEMENTATION OF 10CFR50.59 REQUIREMENTS The requirements of 10CFR50.59 are implemented in accordance with approved and I
controlled procedures. Edison utilizes the guidelines contained in NSAC-125
" Guidelines for 10CFR50.59 Safety Evaluations"(Reference 31). Safety evaluations are performed by personnel with pertinent technical expertise in the UFSAR, Technical Specifications, Licensee Controlled Specifications, etc. Personnel performing safety evaluations and screenings have access to design bases information contained in the UFSAR, DBDs and design documentation using site wide computer systems such as TOPIC, Nuclear Document Management System (NDMS), Nuclear Consolidated Data Base (NCDB), and Nuclear Document Information System (NDIS) and hard copy and microfiche records maintained in CDMC controlled files which are retrievable using j
NDIS and NDMS computer systems. The following methods are used to determine the need for a safety evaluation and the corresponding preparation and review of the safety evaluations:
Specific requirements for 50.59 safety evaluations applicable to proposed permanent facility changes covered by the DCP process are defined in the i
i i
-- - ~
- releaso paths or capabilities of radiological instrumentation,' and operational characteristics of replacement items to perform equivalent design functions. The U
- results of the screening or the safety evaluation are included in the NCR safety evaluation section, which is reviewed and approved as part of the engineering i
disposition approvals i
I Specific requirements for 50.59 safety evaluations applicable to Temporary e
Facility Modifications (TFMs) and Barrier impairments are defined in the.
procedure for " Temporary Facility Modifications" (Reference 155) and the i
procedure for " Control of San Onofre 2 and 3 Barriers"(Reference 164) respectively. A safety evaluation is completed and reviewed and approved as part of the TFM or Barrier Impairment.
[
=
Changes to San Onofre procedures and instructions described in the UFSAR or
' tests and experiments not described in the UFSAR are required to pass a screening or have a written 50.59 safety evaluation per the procedure for
_l "Unreviewed Safety Question Screening Criteria and Environmental Evaluations for Orders, Procedures and Instructions" (Reference 149) and the form "Unreviewed Safety Question Screening Criteria"(Reference 150). The i
' screening is performed by plant personnel using the'following criteria:
"Does the new procedure / procedure change:
1.
Alter system / component performance or the design configuration of a system important to safety?
2.
Alter the setpoint data or acceptance criteria of a system important to safety?
3.
Alter the required actions as a result of not meeting the acceptance criteria?
4.
Alter Technical Specification (TS)/ Licensee Controlled Specification l
(LCS) numerical data or violate TS/LCS provisions?
4.
5.
Reduce the required level of approval for a plant activity?
6.
Alter processes for handling, processing, monitoring or releasing licensed radioactive material not contained in plant systems?
7.
Reduce operations margins or the conservatism of system operation for a l
system important to safety?"
A positive response to any of the questions requires the procedure change to be reviewed by personnel knowledgeable in the plant licensing and design requirements. If this review' determines a safety evaluation is not required, a
~
technical justification is included in the procedure change package. If a formal 50.59 safety evaluation is required, it is prepared, reviewed and approved in support of the procedure change by these personnel The 50.59 safety evaluation performed as part of the design change process by Engineering is typically used as the safety evaluation for procedure changes that are used to implement the design change scope, provided that the procedure changes are
l ENCLOSURE A-Page 15 l.-
l controlled by the provisions of the procedure for " Control of Licensing Document l
Changes"(Reference 112). The revision process addresses two categories.
l Revisions that are initiated through the design change process and revisions initiated by other processes.
Revisions resulting from a design change are captured as part of the design change since e review of the UFSAR impact is required. UFSAR changes are forwarded to NRA at the issuance of the design change. The change is logged into NRA and a hard copy file maintained in a central location. Once the design has been implemented and turned over, the final change package is transmitted to NRA by the Configuration l
Control organization. This is included with the hard copy file.
Revisions to the UFSAR may also result from changes to procedures, changes to design calculations or analyses, correspondence, operating license changes, changes to administrative information, and as-found conditions. Under these situations a UFSAR change package, including a safety evaluation where applicable, is prepared.The package is logged and a hard copy file is maintained! Review and approval is required from various Edison organizations for these packages.
Between updates, changes for the UFSAR are accessible to plant personnel by site based computer systems and files maintained within NRA. On a refueling interval cycle, the approved change packages are assembled into an amendment to the UFSAR. The following information is also reviewed for changes to be included in the amendment: the Quality Classification List (0-List); the Environmental Qualification (EQ) Master List; the Piping and Instrumentation Diagrams; the Electrical One-Line Diagrams; and the Updated Fire Hazards Analysis drawings. The UFSAR amendment is submitted to the NRC after internal review by impacted organizations within Edison.
VI.
IMPLEMENTATION OF 10CFR50 APPENDIX B REQUIREMENTS A quality assurance program to implement the requirements of 10CFR50 Appendix B was established by Edison at the initial design phase of San Onofre Units 2 and 3 and has been continuously implemented by Edison, its contractors and suppliers through the construction, startup and operation phases. The quality assurance program is described in Topical Report SCE-1-A (Reference 1) and is referenced in UFSAR Chapter 17. It has been approved by the NRC. The Topical Report addresses the eighteen criteria of 10CFR50 Appendix B. Revisions are made when there are changes in organizational responsibilities and methods of program implementation.
These are provided to the NRC. Reductions in commitments require prior NRC review and approval.
The Topical Report requirements are implemented through the provisions of the San Onofre Topical Quality Assurance Manual (TQAM, Reference 2), and through a series of approved procedures and instructions many of which are referenced in this enclosure.
l.
ENCLOSURE A.
~
~~
Page 17 o
NRC inspection Report 95-26 (January 1996) (Reference 65) documents an inspection of engineering and technical support and 10 CFR 50.59 safety evaluations. The following was concluded for this inspection:
Edison was effectively implementing the requirements for control of nonconforming items.
Edison design documentation was thorough and reflected good engineering practices.
Edison system engineers were very knowledgeable of their systems, both from a configuration standpoint and in reference to current developments affecting the systems.
Minor discrepancies were identified in the UFSAR. Edison corrected the specific deficiencies noted by the NRC and performed reviews to determine the extent of the problem. These reviews determined that a systematic review and update of the UFSAR was required.
It was noted that' a 50.59 screening evaluation is performed to determine the need for a formal safety evaluation but.the screening does not require 1
that a basis be provided in the event a 50.59 safety evaluation is not required. An example was noted related to an FCN for the replacement of a flow-limiting orifice with a gate valve in the Reactor Coolant Gas Vent System (RCGVS). The UFSAR description of this system had not been updated to reflect the FCN design change. A formal 50.59 safety evaluation was subsequently performed by Edison, which concluded that no unreviewed safety question was identified. A UFSAR change request was initiated to update the UFSAR.
A Notice of Violation was issued for procedural noncompliance related to the UFSAR update process and the safety evaluation process, NRC SALP Report 95-99 (February 1996) (Reference 59) for the period of July 1,1994 through December 30,1995 noted strengths in engineering programs and procedures, design engineering role in assuring plant safety, the high level of engineering presence in the plant to support maintenance activities and engineering self-assessments and resultant corrective action.
NRC Inspection Repo. 96-02 (April 1996) (Reference 60) documents a routine resident inspection related to an IPAP observation related to TCNs where actual procedure changes were being implemented prior to management approval. In addition there were a number of TCNs against some procedures. Separately, the inspector determined that the abnormal alignments procedure was being used for special tests, including nonstandard operation of high pressure safety injection pumps, multiple valve manipulations, and testing of associated check valves. The abnormal alignments were not approved by senior site management prior to implementation. The impact of these deviations from administrative procedures were determined to have no safety significance. Edison revised the procedure program for handling of TCNs to establish more effective controls. In i
l
ENCLOSURE A Page 19 j
change in plant function and/or design bases has occurred. The results of these reviews are documented with the FCN description of change with appropriate reference to the UFSAR sections.
The specific issues raised during the above NRC inspections do not represent areas of safety significance that would compromise the design bases of San Onofre Units 2 and
- 3. Edisor has acted upon these specific issues in a timely manner and has initiated appropriate enhancements to the process controls in the affected areas.
B.
Licensee Event Reports (LERS)
~
LER 2-95-007 (May 1995) (Reference 80) - Incorrect Core Protection Calculator e
(CPC) addressable constants were provided by ABB-CE and Edison personnel erroneously entered the Unit 2 values into the Unit 3 CPCs. An engineering evaluation concluded that both San Onofre Units 2 and 3 remained within design bases limits during the period the incorrect addressable constants were installed. The correct addressable constants were subsequently installed.
LER 2-95-009 (June 1995) (Reference 81) - UFSAR commitments to Regulatory Guide 1.9 required Emergency Diesel Generator (EDG) electrical load sequencing be arranged such that the minimum output voltage of the EDGs would not drop below 75 percent of nominal. A review of potential EDG loading scenarios concluded that the minimum generator voltage would momentarily dip to about 60 percent in certain cases, but the EDG would satisfactorily perform its intended design function.
LER 2-95-014 (September 1995) (Reference 82) - The electricci system logic was modified to address degraded grid voltage conditions. The modification did not include an audible or visual flashing alarm for a change in breaker control status to alert the operators of the need to enter a Technical Specification Action Statement when two sources of offsite power were lost.
LER 2-95-016 (December 1995) (Reference 83) - An engineering review of j
potential interactions between Emergency Core Cooling System (ECCS) components and steam that could be released from hypothesized High Energy Line Breaks (HELBs) concluded that steam released from a rupture of one of these systems could have traveled through ventilation systems to ECCS and other safe shutdown system components, potentially creating a harsh environment in which some components were not designed to operate. Edison installed design changes to mitigate the consequences of these postulated accidents.
LER 2-95-017 (January 1996) (Reference 84) - A single analyzer monitors Toxic Gas isolation System (TGIS) butane and propane but uses different carbon counts to establish the ppm reading for each gas. This allowed the propane l
channel to be calibrated at a higher setpoint level than allowed by the Technical l
t-NGLUbuKt: A regez 2 examinations. These VT-2 examinations were not performed in conjunction with system leakage tests on five occasions, prior to or immediately upon the return to service, on systems and/or components that require the tests as designated by the ASME Codes Engineer on ASME Repair Specifications. The lack of VT-2 exams was determined to have no safety significance. Corrective actions were taken to revise procedures to clarFy responsibilities for performing VT-2 examinations.
SCES-508-95 " Plant Systems" (Reference 307) - This audit verified that several e
key plant systems (Main Steam Safety Valves, Main Steam isolation Valves, Atmospheric Dump Valves, Auxiliary Feedwater System Pumps, and Emergency Chilled Water) were being tested in accordance with the Technical Specifications. No deficiencies were identified.
SCES-519-95 " Procurement Document Development" (Reference 308) - This audit examined the actions of the Procurement Engineering group with regards to procurement document development. The results showed that good judgement and engineering knowledge were employed during the development of these types of documents. Minor deficiencies were identified and corrected as a result of this audit.
SCES-524-95 " Design Control Processes Implemented by NEDO" (Reference 309)- This audit concluded that NEDO generally implements the design control process in a satisfactory manner. The audit found a number of minor errors and inconsistencies, which were caused by a lack of attention to detail by the engineering staff. These problems were corrected and procedure improvements were also provided related to change controls for drawings, calculations, and the UFSAR.
SOS-032-95 "MMP 2060 Operations and Maintenance Procedure Changes" e
(Reference 310)- This surveillance reviewed Operations procedures changes that implement the degraded grid voltage design change (MMP 2060). The audit concluded that the procedure changes satisfactorily addressed the MMP requirements except for requirements related to minimum voltage for diesel generator testing. Procedure changes were subsequently provided by Operations to address this area.
Note: The MMP was a design change process previously used for minor design changes. The DCP or FCN processes are presently used for design changes previously documented using MMPs.
SEA 95-002 " Vertical Assessment of DCP 2&3-6984.00SJ (Excore Safety Channel Neutron Flux Detector Replacement)" (Reference 311) - This assessment concluded that the replacement excore detector design, procurement, manufacturing, installation and testing was satisfactory. Minor
ENCLOSURE A Page 23 SOS-013-96 " Spent Fuel Pool Cooling" (Reference 320) - This surveillance o
reviewed licensing documents and station procedures related to spent fuel pool cooling to assure consistency of requirements. The station procedures reviewed were, for the most part, consistent with the licensing documents reviewed.
Three Operations procedures were identified and revised to assure consistency of requirements among other Operations procedures, the UFSAR and the design calculations.
SEA-96-004 " Configuration Control Assessment" (Reference 322) - This assessment was to determine the acequacy of controls of engineering and licensing documentation requirements that impact station activities, communication of these requirements to station organizations and incorporation of these requirements into station procedures and documentation. The assessment concluded that the engineering and licensing information had been correctly incorporated into most of the affected station procedures and documentation. The assessment reviews resulted in additional action items to revise station documents to reflect enginee, ring requirements. As a result of this assessment and previously issued CAR-004-96, improvements were instituted in the communication, documentation and tracking of engineering recommendations for station procedure changes.
SEA 96-007,"Self Assessment of Engineering and Fire Protection"(Reference 323)- An assess, ment was conducted by a team of Edison and other utility peer reviewers using NRC inspection procedures. The assessment reviews were conducted in the following areas: (1) Vertical Slice Review of Chilled Water System; (2) General Engineering Capabilities; (3) Design Change Review for Selected DCPs and FCNs; (4) Temporary Modifications (TFMs); (5) Engineering Problem Resolution; (6) Operations / Maintenance Support; (7) Independent Review and Operational Experience; (8) System Engineering; (9) Station Management; and (10) Fire Protection Program.
The overall conclusions related to the engineering programs were as follows:
Enginee.ing is meeting program requirements.
For the areas reviewed, it was noted the material condition of the plant is well maintak sd and plant equipment receives adequate engineering attention.
Strengths were noted in the following areas:
(1) Strong engineering organizations exist and the engineering staff is knowledgeable, experienced, and exhibits strong analytical capabilities; (2) Engineering is responsive to plant safety / operability issues; (3) NEDO generates fundamentally sound designs that work well:
(4) Engineering computer tools and trending are comprehensive.
Areas for improvement included attention to detail in preparation and review of design documentation and scheduling of lower priority engineering tasks
~ $NCLOSllR A
~
Page 25 generic weaknesses in the process controls or represent areas of safety significance that would compromise the design bases of San Onofre Units 2 and 3.
Vill. CONCLUSION Edison has established programs and processes for control of the plant and configuration which are responsive to the requirements of 10 CFR 50.59,10 CFR 50.71(e), and Appendix B to 10 CFR Part 50. Implementation of these programs and processes have been routinely audited by Edison and inspected by the NRC. These audits and processes have demonstrated that the programs and processes are effective in controlling activities to assure that the design bases of the plant are maintained. Issues raised by these audits and inspections have been acted upon by Edison in a timely manner, including appropriate enhancements to process controls to further strengthen the design and configuration control programs.
l l
l l
EXHIBIT B I
CORRECTIVE ACTION PROCESS (Refer to Enclosure D for Process Description)
Problem V
AR Q
Note (2) v i
Y l
V Plant Equipment Non-Eq ipment Impact Performance Problem Problem V
AR Committee V
E Review (Note 3)
Problem Resolution Note (1)
-Engineering Evaluation v
-Design Document & Change v
-Plant Procedure Change investigation Problem Resolution
-Other
-MO/CWO (Work Document)
-NCR (repair, accept-as-is) v
-TFM (temporary change in config)
Corrective Actions
-50.59 (to support interim &
- Process Changes y
final config changes)
- Training
-Design Change Documentation h
- Other i
l V
V Notes: '
(1) The Diweson trwestigation Report (DIR) was previousy used b a similar manner to the present Event Report (ER).
(2) Corrective Acdon Requests (CARS), Protim.) review Reports (PRRs), Regulatory Commtmert Tracking System (RCTS) actions, Non-Regulatory Action Tracking System (NATS) actions, Ste Problem Reports (SPRs) and other problem documentation were also previousy used in a similar manner to the Action ReW (AR) to identry problems, The AR system is intended to replace al of these prothm reporting systems when it is fupy implemented.
(3) Preaminary operatWity assessments are provided by ttw AR Committee in a timely manner to satisfy the requirements of Generic Letter 91 18 (Reference 24).
I
\\
ENCLOSUREB Page 1 l
l This enclosure responds to information request (b) which solicits the:
" Rationale for concluding that design bases requirements are translatedinto operating, maintenance, and testing procedures;"
1.
OVERVIEW Edison has confidence that it has adequately translated design bases requirements into operating, maintenance and testing procedures because the required processes are performed in accordance with formal process controls; are subject to independent reviews; and have been in many cases re-performed in accordanca with more recent and more rigorous standards.
II.
ORIGINAL PROCEDURE DEVELOPMENT Edison originally developed its operating, maintenance, and testing procedures using preoperational system testing procedures, prerequisite component testing procedures, and the reactor startup testing procedures as a guide. The design bases requirements and assumptions of the Bechtel and Combustion Engineering (ABB-CE) design documents were incorporated in preoperational, prerequisite, and startup test procedures which were formally reviewed and approved by Bechtel and ABB-CE.
Edison later revised the Emergency Operating Instructions (EOls) in response to the requirements of the Nuclear Regulatory Commission's (NRC's) Three Mile Island (TMI)
Action Plans. For this revision ABB-CE developed generic guidelines for reviewing EOls which were approved by the NRC. ABB-CE developed plant specific guidelines by incorporating the design bases information for San Onofre Units 2 and 3 into the generic guidelines. With the original EOls and the plant specific guidelines, a project team of Edison personnel from Operations, Engineering, and Analysis and ABB-CE personnel developed the upgraded EOls. The upgraded EOls received tabletop reviews and were verified on the simulator. Walkdowns were performed to verify information in the EOls was correct and that the steps could be performed as written.
Once completed, the project team turned over the EOls to Operations for training, simulator use, and implementation in the control room.
111.
PROCEDURE DESIGN BASES VERIFICATION This section demonstrates Edison has recently verified the translation of the design bases requiremerits in many of the operating, maintenance, and testing procedures.
As the result of the efforts described below, Edison has performed detailed reviews of design bases requirements in the subject areas. Thus, Edison has reasonable assurance that design bases requirements are translated into operating, maintenance, j
and testing procedures.
ENCLOSURE B Page 3 Specification Review Methodology," " Electrical interlock Functional Testing Review Methodology,"" Post-Modification Testing Review Methodology," and " Inservice Testing (IST) Review Methodology" (References 177,178,179,180, and 199). The plant procedure review provided reasonable assurance that the procedures were consistent with the design bases and that the design bases requirements cited in the procedures were accurate and current and, where possible, based on revision controlled documents.
The DBD Program was intended to compile the plant design bases and to confirm that the physical plant configuration and plant operations are consistent with the plant design bases. Edison documented, evaluated, and subsequently dispositioned by the Open item Report process, as specified in the procedure, " Design Bases Documentation Open item Report" (Reference 181) discrepancies and inconsistencies found during the procedure review. Edison's Corporate Document Management Center (CDMC) system contains results of the procedure review and associated engineering evaluation.
Furthermore, the reviews of the Ols and AOls related to cystems for which DBDs were performed, as well as reviews of the EOls, identified no discrepancy that would have resulted in a unit shutdown nor was any discrepancy determined to be repo1able.
Thus, Edison expects that any design bases discrepancy in those portions of Ols and AOls not reviewed as part of a DBD effort will similarly be of relatively low significance.
B.
Emergency Operating Instruction Review Edison developed and used Bases and Deviation Documents (BDDs) for the Operator Action Topical DBD (also known as the EOl Topical DBD). The objective of the BDD effort was to document the ABB-CE Emergency Procedure Guideline (EPG)(CEN-152, Revision 3) (Reference 34) accident mitigation strategy and deviations therefrom as related to San Onofre Units 2 and 3. The effort resulted in nine EOl BDDs, including screening technical deviations between the EPGs and the San Oriofre Units 2 and 3 EOls.
The BDDs identify technical deviations between the EPGs, and the EOls, as well as the bases for the accident mitigation strategies encompassed in the EOls. Technical deviations are departures from ABB-CE's technical requirements based on application to site specific functions that reflect a change in intent of a step or in strategy of the EPG. Where a technical deviation existed, an engineering analysis was identified that justified the deviation. Edison evaluated deviations between the ABB-CE EPGs and the San Onofre Units 2 and 3 EOls during development of the BDDs.
The Bases Document of the BDD includes an overview of the emergency and the mitigation strategy. It provides the intent and functional objective of each EOl step.
The Deviations Document of the BDD provides a technical description of all deviations, assesses their safety significance, including whether a 50.59 safety evaluation is l
required, and provides a technical justification for any deviations, including references.
t
ENCLOSURE B Page 5 Instrumentation and Remote Shutdown Instrumentation covered by the Technical Specifications were included in this phase of the program. No instrument inoperability was identified as a result of these calculations.
l Edison initiated the third phase of the program in 1993. This phase focused on Technical Specification instruments whose values represent settings that function to l
mitigate accicents, and values for parameters which represent limiting initial conditions assumed for postulated accident or abnormal operational occurrences. To date, Edison has corrpleted approximately 40% of these calculations, and no instr iment has been determined to be inoperable.
The fourth and final phase of the program will address instrument uncertainties where the Technical Specifications do not provide specific surveillance test acceptance criteria. This phase will begin in 1997.
The Setpoint Calculation Program, to date, has generated approximately 185 calculations and has evaluated the majority of safety significant instrumentation covered by the Technical Specifications. There have been no cases where an ir,strument was determined to be inoperable as a result of a calculation. Edison's completion of the third and fourth phases of the program will provide further assurance that there is consistency between design basis calculation results and Technical Specification surveillance requirements.
E.
Generic Letter 89-10 (Motor Operated Valve) Prograrn The San Onofre Units 2 and 3 Generic Letter 89-10 Program demonstrates the capability of safety related motor operated valves (MOVs) to operate when subjected to worst case design bases conditions. The objective is: (1) to demonstrate the va!ves in the program will satisfy their design basis functions under worst case differential pressure and flow conditions, and (2) to assure the valves' continued capability to satisfy these requirements.
Edison's Nuclear Engineering Design Organization (NEDO) developed an MOV design standard and computer code to efficiently control the preparation and documentation of the MOV setpoint calculations. For each of the 89 valves per Unit, NEDO identified critical valve parameters (e.g., actuator type and size, setpoints, system parameters,etc.). They prepared operational bases calculations to determine the bounding design basis conditions, (e.g., differential pressures, maximum expected line pressures, and flow rates) under which each valve may need to function. NEDO also prepared valve weak link calculations to determine the valve component's structural capacity. The operational bases calculations, weak link calculations, and degraded voltage calculations were combined to produce valve setpoint calculations.
Maintenance revised its procedures to be consistent with the vendor recommendations and to encompass program requirements. Station Technical developed and executed test procedures whereby valves were tested at conditions as close to design bases
ENCLOSURE B Page 7 G.
Tcchnical Sp:cification Surveillanco Test Procsduro Verification In January 1997, Edison undertook an initiative to verify surveillance procedure compliance with the newly implemented Technical Specification Improvement Program (TSIP) Technical Specifications. This initiative is the result of Edison identifying inconsistencies in the procedural surveillance requirements and the TSIP Technical Specifications for diesel generator testing. This verification program involves a comprehensive review of Technical Specifications and Licensee Controlled Specifications (LCS) surveillance requirements and verifying accurate incorporation in the associated surveillance procedures. Furthermore, the program includes a 4
comprehensive review of the surveillance tests of record to assure compliance with the Technical Specification and LCS requirements.
Surveillance test results or information which may not meet Technical Specification acceptance criteria are identified under the Action Request Program guidelines. This assures that each discrepancy is evaluated to determine if the discrepancy is nonconforming to design requirements, if there is an impact to operability, or if the discrepancy is potentially reportable to the NRC.
ARs generated as a result of this review have been evaluated for operability and reportability. On February 4,1997 a Licensee Event Report (LER) was submitted which noted several instances where Edison should have requested delayed implementation of the TSIP Technical Specifications surveillance requirements. Other instances were noted where either the Technical Specification wording or the Technical Specification Bases wording could have been improved to provide additional clarity of meaning. In addition, in two instances, Edison requested and was granted a i
Notice of Enforcement Discretion (NOED) for continued operation of San Onofre Unit 3 until the next refueling outage; in each case Edison determined that the systems were i
IV.
PROCEDURE CHANGE PROCESS The procedure change process at San Onofre Units 2 and 3 is designed to assure that design bases requirements are translated into the operating, maintenance, and testing procedures. This section discusses the administrative controls and the practices within
~
the Operati;ns, Maintenance, Station Technical and NEDO organizations for the procedure change process.
As discussed in Enclosure A, changes to operating, maintenance, and testing procedures can originate either in NEDO as a result of a design changs or design development activities that do not result in changes to the plant, or in the responsible organizations to. address corrections, clarifications, lessons learned, or enhancements.
Edison defines the processes for changing or generating operating procedures to accommodate design modifications in approved and controlled procedures, including the " Author's Guide for Preparation of Orders, Procedures and Instructions,"
ENCLOSURE B Page 9 H
that the procedures and activities meet equipment and system requirements. This l
review is important because improvements in the technical content, testing or
]
l monitoring frequency, maintenance frequency, and format can improve system l
performance. System engineers use their experience and knowledge of system requirements, operating maintenance history, vendor requirements, and industry operating experience to assure that operating and maintenance procedures address l
the potential causes of component and system problems and degradation. Generally, Operations and Maintenance will request system engineer review prior to any change in technical content to operating and maintenance procedures.
As described in Enclosure A and briefly reiterated here, this procedure change process is under established administrative controls. Each procedure change must have a 50.59 safety evaluation or a 50.59 screening which indicates the safety evaluation is not required. The safety evaluation is performed by individuals cognizant of the design bases requirements. In addition to the procedure control, as discussed above, both Operations and Maintenance maintain in-house writer'; guides for their procedure writers. Also, technical changes to procedures are generally reviewed oy system engineers. These aspects provide reasonable assurance that the design bases requirements are accurately translated into th9 operating, maintenance, and testing procedures.
V.
CONCLUSION Development of the existing uperating, maintenance, and testing procedures and the efforts Edison has undertaken, which included design bases verification, provides Edison confidence that the design bases requirements have been translated into operating, maintenance, and testing procedures. Many of the existing procedures were based on the preoperational, prerequisite, and startup testing procedures from startup of the units. These procedures contained the design bases requirements of the plant to assure system and component operability. Following the original procedure development, the DBD Program verified the design bases requirements in many of the operating and testing procedures. Other efforts performed by Edison, in particular the Setpoint Calculation Program and the Technical Specification Surveillance Verification, verified the design bases requirements in many operating, maintenance, sad testing procedures. The combination of the DBD Program and other efforts has resulted in verification of design bases requirements for a large number of procedures.
The procedure change process gives Edison confidence that design bases requirements will continue to be translated into operating, maintenance, and testing procedures. The process is administratively controlled and organizational proctices provide additional assurance that design bases requirements will be adequately translated.
Theref,re, Edison has reasenable assurance that design bases requirements are trans ad and will continue to be translated into operating, maintenance, and testing proceoures.
l
r This enclosure responds to information request (c) which solicits the; r
" Rationale for concluding that system, structure, and component configuration and performance are consistent with the design bases;"
1.
OVERVIEW Edison's current processes and programs are effective in maintaining system, structure, and component configuration and performance consistent with the design bases. These processes and programs have been performed in accordance with formal process controls,' subjected to independent reviews, and, in many cases,'re-performed to.be consistent with more recent and more rigorous standards.
This response is divided into the following elements:
Configuration Consistency o
Independent Design Verification Prerequisite, Preoperational, and Reactor Startup Tests Systems and Components Structures Performance Consistency e
Prerequisite, Preoperational, and Reactor Startup Tests Post-modification / post-maintenance testing Technical Specification / Licensee Controlled Specification surveillance testing Other periodic surveillance programs Each of these activities is described below, and.a summary conclusion provided regarding the consistency of the plant configuration and performance with the design bases.
II.'
CONFIGURATION CONSISTENCY The original San Onofre Units 2 and 3 configuration was established during the initial design phase and later translated to the field for construction via design drawings.
During the construction phase, walkdowns, quality assurance inspections, and
' independent contractor evaluations confirmed the original configuration of structures, systems, and components was consistent with the design drawings. After construction activities, system preoperational and reactor startup testing further substantiated the consistency of the configuration with the design basis. Edison's design and
- configuration control process managed the configuration after commercial operation.
Edison conducted a Design Basis Document (DBD) Program from 1989 to 1994 to validate and/or reconstitute design basis information. Walkdowns were performed as part of the DBD Program to verify as-built plant systems were consistent with the
ENCi.OSUR5 C ~
~
^
~ ^ ~ ~
Pag d '
~
l letters from Edison to the NRC dated December 3, and December 29,1981, and April 5,1-982 (References 6, 9, and 10).
These independent design verifications corroborated that the original San Onofre Units 2 and 3 configuration was consistent with the design bases.
B.
Prerequisite, Preoperational, and Reactor Startup Tests Prerequisite, preoperational, and reactor startup tests provided a solid ir.itial baseline l
for structures, systems, and components configuration and performance consistency
' with the design basis.
Edison developed prerequisite, preoperational, and reactor startup tests to encompass all testing activities commencing at the completion of construction and ending at the completion of power ascension testing. These tests demonstrated that the components and. ystems were configured and operated in accordance with the design s
bases. The program and organization utilized for original startup testing is described in Section 14.2 of the Updated Final Safety Analysis Report (UFSAR) (Reference 5).
Testing established baseline performance data for equipment and systems. Edison used normal operethg and emergency procedures to perform the initial test program, thereby verifying the correctness of the procedures to the extent practicable.
Edison performed prerequisite component tests on systems or portions of systems to verify that individual components were properly installed and adjusted. Preoperational tests were system level tests-conducted prior to fuel loading to demonstrate that structures, systems, and components met performance requirements. During these tests, initial system performance requirements were demonstrated and measured against acceptance criteria specified in the test procedures. Results were documented, and where acceptance criteria could not be met, Edison implemented appropriate corrective actions to bring the system into specification. This testing provided baseline system and component performance characteristics, and established benchmark values of acceptance criteria for subsequent system and component testing. This testing also confirmed the configuration of plant systems was consistent I
with the design bases requirements.
The reactor startup tests consisted of precritical tests, initial-criticality low power tests, and power ascension tests. This testing demonstrated that the plant would operate as designed and was capable of responding to anticipated transients and postulated accidents as described in the FSAR. In summary, as reflected in the SER (Reference 50), the prerequisite, preoperational, and reactor startup test results showed that the plant can be safely operated and that performance levels can be maintained in accordance with the safety requirements established in the FSAR.
At the NRC's request, Edison performed additional plant testing after initial startup to demonstrate compliance with Branch Technical Position RSB 5-1, " Design Requirements of the Residual Heat Removal System" (Reference 69). Edison
+
Inspection for evidence of adverse degradation due to age, environment, l
l or physical interactions, which could have impacted essential functions.
Verification that major equipment (using nameplate data) was consistent with the system design bases parameters and values.
- The DBD engineers documented the walkdowns, including the description of any significant observations. When open issues were identified, Open item Reports (or other appropriate plant reports) were generated to capture the concern, and categorized as to the significance of the issue (Reference 181). The combination of l
these walkdowns, and, when required, any corrective actions, provided further confirmation the as-built plant configuration is consistent with the DBDs.
Edison completed twenty-eight System and Topical DBDs. These DBDs covered the majority of systems included in the current Technical Specifications and the majority of risk significant items. The DBD effort included detailed reviews of design bases information and the reconstitution of missing or deficient analyses and calculations.
Edison did not complete DBDs for all Technical Specification systems. The details and Edison's rationale for this were provided to the NRC in a letter dated October 6,1993.
(Reference 12). Edison has confidence that the configuration of Technical Specification systems that did not have a DBD performed is consistent with design bases requirements. _ Specific elements of systems that did not have a DBD performed were reviewed for configuration consistency as parts of other Edison efforts. Examples of these design bases reviews include:
(1)
Evaluation of motor operated valves in response to Generic Letter 89-10, (2)
Review of inservice testing of pumps and valves in response to Generic Letter 89-04, (3)
Edison's Setpoint Calculation Program, and (4)
Edison's UFSAR Review Project.
2.
Generic Letter 89-10 (Motor Operated Valve) Program The San Onofre Units 2 and 3 Generic Letter 89-10 Program was established to l
demonstrate the capability of safety related motor operated valves (MOVs) to operate when subjected to design basis conditions. The objective of the program is: (1) to demonstrate the valves in the program will satisfy their design basis functions under i
worst case differential pressure and flow conditions, and (2) to assure the valves' continued capability to satisfy these requirements.
l=
Edison's Nuclear Engineering Design Organization (NEDO) developed an MOV design standard and computer code to efficiently control the preparation and documentation of
ENCLOSUREC Page 7 which met the IST screening criteria to identify and document the applicable tests and
)
acceptance criteria as required by the corresponding design basis accident analysis.
Seven hundred forty (740) valves were originally in the IST Program. As a result of the review of approximately 3660 valves (total for both Units) not originally in the IST program, about 275 safety related valves were added to the IST program. From the review of approximately 740 valves originally in the IST program, Edison found about 180 valves required additional seat leakage or stroke time testing. In certain cases, Edison made plant modifications to support new valve testing.
Edison updated over 80 Operations and Engineering test procedures to reflect the additional population of valves and the revised tests and acceptance criteria. The final set of valve baseline tests was performed during the Cycle 8 refueling outages in 1995.
Edison added the entire IST program population of valves to the Nuclear Consolidated Data Base (NCDB) for more efficient identification, tracking, and trending of the IST Program valve testing.
As a result of this effort, the corresponding safety related pump and valve configurations and performance test acceptance criteria were verified to be consistent with design basis requirements.
4.
Setpoint Calculation Program In response to NRC inspections conducted in 1989 and 1991, Edison initiated a I
Setpoint Calculation Program. This program covers four major areas: safety related instrument setpoints, values in EOls, Technical Specification instrument setpoints, and Technical Specification surveillance test acceptance criteria.
In 1993, Edison completed the first phase of this program which evaluated safety related instrument setpoints and associated surveillance test requirements (with the exception of those related to a not yet installed upgrade of the radiation monitor system). As pait 6 this phase, a number of areas were addressed. Edison generated total loop uncertainty calculations. Setpoint values were reviewed to establish consistency with the. design basis. Instrument loop calibration techniques and tolerances were reviewed against associated surveillance test requirements. No instrument inoperability was identified as a result of these calculations.
In 1994, Edison completed the second phase of the program which evaluated instrument uncertainties for those values in EOls and Remote Shutdown Procedures used to support substantive operator decisions. Edisen generated instrument uncertainty calculations for these parameters. Post Accident Monitoring instrumentation and Remote Shutdown Monitoring Instrumentation covered by the Technical Specifications were included in this phase of the program. No instrument inoperability was identified as a result of these calculations.
i l
Edison initiated the third phase of the program in 1993. This phase focused on Technical Specification instruments whose values represent settings that function to
~
6.
Routine Operations Activities i
Operations personnel monitor key plant parameters to assess changes outside expected limits, and to take appropriate corrective actions in accordance with their procedures. They also perform routine plant system walkdowns to verify' proper operational configuration, alignment, and material condition. Performing these routine i
activities provides additional assurance that the plant configuration is and will be maintained consistent with the design bases, to the extent reflected in plant operations procedures.
7.
Routine Station Technical System Engineer Activities Station Technical System Engineers supplement the Operations group by having responsibility for monitoring and trending plant equipment performance in assigned system (s). The Station Technical System Engineer provides technical support and guidance to Operations and Maintenance, reviews and approves Design Change Packages (DCPs) against assigned system (s), and accepts system DCPs when post-I modification testing is complete. The system engineer is responsible for temporary modifications to the system, This assures that temporary modifications receive the proper review, that the aggregate of such changes are evaluated, and any impacts to the design bases of the system are understood by the Station Technical System 1
Engineer.
The Station Technical System Engineer conducts periodic plant walkdowns to identify
)
deficiencies and to assure previous corrective actions have been implemented. The frequency varies, but it is expected that the Station Technical System Engineer will perform a partial system walkdown at least weekly. The Station Technical System Engineer is also expected to perform a walkdown in a specific area as soon as possible following any system operational status change, maintenance activity, plant i
transient or design change. Where possible, the Station Technical System Engineer maximizes the benefit of the walkdown by including Maintenance and/or Operations personnel involved with the system. By virtue of these walkdowns, actual plant i
configuration and conditions are regularly observed and, where warranted, promptly -
corrected.
The Station Technical System Engineers' routine activities provide further assurance that the plant configuration is and will be maintained consistent with the design bases.
D.
Structure Configuration 1
Bechtel developed the original design of San Onofre structures utilizing design control procedures to assure that design disclosure documents accurately reflected inputs, assumptions, and results of design bases calculations and analyses. Edison and the NRC each performed a unique and independent evaluation that further corroborated Bechtel's original design related to seismic design bas as, discussed previously in this l
l l
ENCLOSUREC
} age l i Since that time, Edison has utilized and continues to utilize a wide variety of programs to assure that the performance of the plant is consistent with the design basis requirements. Continued performance consistent with the design bases is assured through: Technical Specification and Licensee Controlled Specification surveillance testing, post-modification and post-maintenance testing prior to Operations turnover, and other periodic surveillance activities that monitor plant performance and material plant conditions. These programs are described below, and, when combined, provide reasonable assurance that the performance of plant structures, systems, and components is consistent with the design bases.
A.
Prerequisite, Preoperational, and Reactor Startup Tests As discussed previously in this Enclosure, prerequisite, preoperational and startup testing programs provided a solid initial baseline for structures, systems, and components performance consistent with the design base.c This testing demonstrated that the components and systems would perform in accordance with the design bases and FSAR. Testing established baseline performance data for equipment and systems. Edison performed prerequisite tests, preoperational tests, and reactor startup tests. Prerequisite component tests on systems or portions of systems verified that individual components were properly installed and adjusted. Preoperational tests were system level tests conducted prior to fuel loading to demonstrate that structures, systems, and components met performance requirements. During these tests, initial system performance requirements were demonstrated and measured against acceptance criteria specified in the test procedures. This testing provided baseline system and component performance characteristics, which established benchmark values of acceptance criteria for subsequent system and component testing.
The reactor startup tests, which consisted of precritical tests, initial-criticality low power tests, and power ascension tests, demonstrated that the plant would operate in accordance with design and was capable of responding to anticipated transients and postulated accidents as described in the FSAR. As summarized in the SER (Reference 50), the initial performance and startup test results showed that the plant can be safely operated and t:.at performance levels can be maintained in accordance with the safety requirements established in the FSAR.
At the NRC's request, Edison performed additional plant testing after initial startup to demonstrate compliance with Branch Technical Position RSB 5-1, " Design Requirements of the Residual Heat Removal System." Edison conducted natural circulation cooldown testing on each Unit. The test results demonstrated acceptable plant and system performance as documented in the NRC's SER (Reference 69).
4 i
L ENCLOSURE C Page 13 l
preoperational,and startup testing procedures and verified during startup). Changes l
to these surveillance test procedures, including acceptance criteria, are controlled in accordance with the processes outlined in Enclosure A.
Tests are performed and reviewed by qualified personnel in accordance with written procedures and instructions. The data collected during surveillance activities, and the acceptability of tnat data, is documented before declaring continued operability or returning a system or component to operable status. When required, the cognizant supervisor reviews, evaluates, and approves the collected data and acceptability determination prior to restoring the equipment / system to operable status. Surveillance data that do not meet the acceptance criteria are identified under the site problem identification and tracking program (Action Request Program). A prompt determination of operability is made, and required actions are proposed to correct the deficiency, consistent with the Action Request system gu;delines.
1.
Technical Specification Surveillance Test Procedure Verification in January 1997 Edison undertook an initietive to verify surveillance procedure compliance with the newly implemented Technical Specification improvement Program (TSIP) Technical Specifications. This initiative is the result of Edison identifying inconsistencies in the procedural surveSlance requirements and the TSIP Technical Specifications for diesel generator testing. This verification program involves a comprehensive review of Technical Specifications and Licensee Controlled Specifications (LCS) surveillance requirements and verifying accurate incorporation in the associated surveillance procedures. The program also includes a comprehensive review of the surveillance Tests of Record to assure compliance with the Technical Specification and LCS requirements.
Surveillance test results or information that may not meet Technical Specification acceptance criteria are identified under the Action Request Program guidelines. This assures that each discrepancy is evaluated to determine if it is nonconforming to design requirements, if there is an impact to operability, or if the discrepancy is potentially reportable to the NRC.
ARs generated as a result of this review have been evaluated for operability and reportability. On February 4,1997 a Licensee Event Report (LER) was submitted which noted several instances where Edison should have requested delayed implementation of the TSIP Technical Specifications surveillance requirements. Other instances were noted where either the Technical Specification wording or the Technical Specification Bases wording could have been improved to provide additional clarity of meaning. In addition, in two instances, Edison requested and was granted a Notice of Enforcement Discretion (NOED) for continued operation of San Onofre Unit 3 until the next refueling outage; in each case Edison determined that the systems were operable.
D.
Oth:r Periodic Survsillance Programs Other periodic surveillance programs provide additional assurance that the configuration, operational readiness, and performance cJ systems and components is 4
maintained. Examples of these programs are: Reliability Centered Maintenance, Flow Accelerated Corrosion, Generic Letter 89-13 performance testing, Operator rounds and shiftly walkthroughs, and. Station Technical System Engineer State-Of-the-System i
Reports.
1.
Reliability Centered Maintenance A Reliability Centered Maintenance (RCM) approach forms the basis for the RCM -
l Preventive Maintenance Program at San Onofre Units 2 and 3. RCM utilizes decision logic to identify the preventive maintenance requirements of equipment according to 4
the operational consequences of each failure and the degradation mechanism responsible for these failures.
i i
The RCM method focuses on identifying plant systems, their respective subsystems, the functional failures of the subsystems and the component failure modes contributing to the functional failures. Applicable and effective preventive maintenance tasks are j
specified to minimize the exposure to those component failure modes which affect i
plant safety or operability.
2.
Flow Accelerated Corrosion Program The Flow Accelerated Corrosion (FAC) Program identifies piping components in the turbine process cycle that have experienced high wear or have the potential for significant pipe wall thinning. Affected lines are mainly in the feedwater, steam extraction, and heater drain systems. The program relies, in part, on EPRI's CHECWORKS computer program and algorithms contained therein to envelope and select compor1ents showing wear. These components are then examined by ultrasonic testing of wall thickness. When the results of the examination analysis warrant, piping and components are replaced with upgraded erosion-resistant materials (where possible), to reduce further FAC pipe wall thinning and resulting iron transport to the steam generators. The program complies with EPRI-NSAC 202L," Recommendations for an Effective Flow Accelerated Corrosion Program," the EPRI-sponsored computer program CHECWORKS, and site procedures. The FAC Program is under constant review and improvement through training within Edison and through participation in EPRI-sponsored training and utility user groups.
1 3.
Generic Letter 89-13 Performance Testing i
Consistent with the guidance contained in Generic Letter 89-13., " Service Water System Problems Affecting Safety Related Equipment," Edison ' performs periodic visual inspection and testing of safety related heat exchangers in cooling water systems.
4 i
Y m
e
Maintenance, reviews and approves DCPs against assigned system (s), and accepts J
system DCPs when performance testing is complete. The System Engineer is also responsible for temporary modifications to the system. This assures that temporary modifications receive the proper review, that the sggregate of such changes are evaluated, and that any impacts to the performance of the system are understood.
On a nominal quarterly basis, the Station Technical System Engineer generates a State-of-the-System report for most important-to-safety systems. This report provides a broader, " project manager" perspective on system performance, identifies performance trends, and develops action plans for improvement. An assessment of the material condition, overall performance of the system, and precursor parameters that are used to monitor and detect declining performance trends are also included.
The system level parameters reflect measures of system availability and reliability and, where applicable, recommendations for improvements are provided. These regular activities by the Station Technical System Engineer provide additional assurance that the plant performance remains consistent with design bases requirements.
IV.
CONCLUSION in summary, the original San Onofre Units 2 and 3 configuration was established during the initial design phase and translated to the field for construction via design drawings. Walkdowns, quality assurance inspections, and independent contractor evaluations confirmed the original configuration of structures, systems, and components was consistent with the design drawings during the construction phase.
Component prerequisite, system preoperational and reactor startup testing established a baseline for configuration and performance consistent with the design bases.
Post-modification and post-maintenance testing assure consistency of the configuration and performance with the design bases. Technical Specification and other periodic surveillances assure that the capabilities and performance levels of important systems and components have not degraded unacceptably from the design bases.
Edison conducted an extensive Design Basis Document (DBD) Program from 1989 to 1994 to validate and/or reconstitute design bases information. DBD engineers performed walkdowns to verify as-built plant systems were consistent with the DBDs.
The Design Basis Document Program reconfirmed the design basis requirements and the consistency of the plant configuration. Other Edison programs are not system-specific, and consider multiple design bases requirements reaching horizontally across many safety related systems and components.
Edison's improved design and configuration control processes, along with post-modification and post-maintenance testing, preserve consistency with the design bases. Plant personnel monitor the operational state of the plant, including configuration and performance acceptability. System walkdowns are routinely performed by Operations and Station Technical Systems Engineers.
i l
L e
i i
i 1
ENCLOSURE D i
l 1
l i
ENCLdSUREd
~
~~~
~
~
eage4 which uses a multi-disciplined screening committee to determine the significance of the data and direct the AR to the appropriate organization for resolution. This concept brings together the results of self-assessments of San Onofre activities identified by line organizations, the Nuclear Oversight Division (NOD) and outside auditing groups.
The AR Program allows the integration of information from a variety of sources and strengthens the overall processes of self-assessment and corrective action.
Ill.
CORRECTIVE ACTION AND SELF-ASSESSMENT A.
Action Request Program The AR Program was designed to capture problems or concerns into a single system.
This allows any worker to identify a problem or concern without worrying about who should address and disposition it. An AR is used to track and resolve corrective actions identified from self-assessments. in conjunction with the AR Program implementation, San Onofre management established a " lower threshold of event reporting" This lower threshold captures equipment and human performance trends that could not be captured with the preceding problem reporting programs.
The procedure. " Action Request / Maintenance Order initiation and Processing,"
(Reference 157) documents the methodology for using the AR Program. A flow chart of the problem reporting and resolution process at San Onofre is provided in Exhibit B of Enclosure A. The AR program provides two primary flow path options as follows:
1.
Equipment Related issues issues that have the potential to impact plant equipment functions, introduce equipment or system operability or reportability considerations, or require corrective field work, are directed to the AR Committee for review. The AR Committee includes senior management representation from several site divisions including ' Operations, Maintenance and Station Technical. Each member of the AR Committee is familiar with and has ready access to documents (Technical Specifications, Design Basis Documentation, Updated Final Safety Analysis Report, etc) necessary to discharge the Committee responsibilities. The AR Comraittee reviews new equipment-related ARs and characterizes each issue in terms of operability, reportability and priority.
Assignments generated by the AR Committee may include NCRs, formal root cause evaluations, operability assessments, engineering evaluations for cause or procedure / program changes. Preliminary operability assessment by the AR Committee satisfies the Generic Letter 91-18 (Reference 24) requirement for timely (within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) operability assessment of conditions adverse to quality on important-to-safety systems and equipmert. The AR Committee also serves to improve consistency in the application of management standards to problem evaluation through their management status and experience. Site staff training on the AR system emphasizes the AR Committee path as the most conservative
" Licensee Event Report System"(Reference 174). The LER evaluation most often elitninates the need to report the event separately under 10CFR21 criteria.
B.
Event Report Program l-The Event Report Program (Reference 171) is the single program used by the Nuclear l
l Divisions to evaluate and trend human performance and program related events at San
~
l Onofre. Event Reports (ERs) are assigned within the AR System to assure the event is
(
accurately characterized and when appropriate, a root cause evaluation is initiated and j
corrective action taken. An ER is classified into one of four levels based on the degree of event significance as determined by actual consequence and complexity. Event
' trending information (such as failed barrier and cause) identified during the investigation is entered into the AR trending system by the individual ER Division Coordinators (a specialist assigned from within the Division). Event Trend Reports (ETRs) are generated based on the frequency of similar barrier and cause failures.
These reports are used to anticipate possible problems in other, apparently unrelated, areas or divisions so that appropriate corrective actions can be implemented prior to a possible event. Corrective actions are entered into and tracked to completion via the AR tracking system.
ERs are generated to assure that events caused by human performance, programmatic or organizational deficiencies are evaluated such that appropriate action is taken to prevent recurrence. The ER Program encourages workers to report events regardless of the event consequence. The result has been to develop a broad database that allows trend identification and analysis for emerging or potential issues.
NOD is currently performing a quarterly evaluation to identify trend patterns across the Nuclear Divisions. The trending analysis is incorporated into the NOD quarterly report which is distributed to Vice Presidents and Nuclear Division Managers.
C.
Root Cause Program Criterion XVI of 10CFR50, Appendix B, requires that the cause of significant conditions adverse to quality be determined and corrective action taken to preclude repetition.
10CFR2 and 10CFR50.73 contain similar requirements for response to Notices of.
Violation and submittal of Licensee Event Reports. The Edison Topical Report Quality Assurance Program (Chapter 17 of the UFSAR) also requires NOD to make detailed recommendations for improving plant safety (Section 17.2.20.1, Reference 3). These requirements involve determining the root cause of s.ignificant events occurring at San Onofre.
' Edison established the Root Cause Program via Directive D-005, (Reference 165) to provide the formal management framework within which events contrary to quality and safety are promptly and properly evaluated for root cause. The Root Cause Program encompasses human performance issues and provides the basis for (a) required reporting or regulatory response and (b) corrective action to prevent recurrence. NOD
-m.-
e-
~ - - -
D.
Industry Event Program The Edison Topical Report Quality Assurance Program (Chapter 17 of the UFSAR,.
. SCE-1-A) requires that the ISEG examine plant operating characteristics, NRC design and operating experience information that may indicate areas to improve plant, issuances, industry advisories, Licensee Event Reports and other sources of plant safety. The industry Event Program for evaluating those types of information is the subject of Reference 167. The program was developed to verify that information pertinent to plant safety originating from the nuclear industry is evaluated and provided l
to appropriate organizations within San Onofre and Edison. The program operates in conjunction with the LER System discussed later under Section IV. NOD ir directly l
responsible for evaluating industry operating experience reports (OERs) and identifying appropriate corrective actions to the responsible organizations. The ISEG Supervisor screens incoming OERs and periodically convenes an ISEG Screening Committee to consider applicable OERs for a detailed and documented evaluation.
The sources of operating experience information (OERs) include but are not limited to:
1)
NRC Information Notices (ins),
2)
INPO Significant Operating Experience Reports (SOERs),
3)
INPO Significant Event Reports (SERs),
4) 10CFR21 reports originating outside Edison, l
5)
Combustion Engineering Technical Bulletins (CETBs) and 6)
Other applicable vendor notifica.tions.
ISEG evaluations are at a level of detail commensurate with the significance of the I
event to the safety of San Onofre operation. When deemed appropriate as part of the evaluation, detailed corrective actions are formulated and directed to the Cognizant Functional Division Manager (CFDM) for implementation. Corrective actions j
commonly consist of making detailed recommendations for revising procedures, I
conducting training, modifying equipment or activities connected with maintenance and
.I operations or other means of improving plant safety or reliability. Formal tracking is accomplished through the AR tracking system if the corrective action is a San Onofre commitment or Regulatory Commitment Tracking System (Reference 159) (RCTS) if it is an NRC commitmer't.
H E.
Nuclear Oversight Reporting _ Program NOD identifies problems during routine performance of assessments, surveillances, l
audits, quality inspections and performance based observations. A comprehensive audit schedule covering the criteria of 10CFR50 Appendix B assures proper oversight by NOD in required areas to verify that San Onofre complies with the regulatory requirements.
" Planning and Scheduling of Audits"(Re_ference 169) defines the scope of NOD audit activities. The Audit Criterion Table of the procedure establishes the minimum l
program areas to be audited (as defined in the regulatory and license commitments),
l
ENCLOSURE D Page 8 l
- Reporting events in accordance with 10CFR50.72 and 73 is provided in procedures
" Notification and Reporting of Significant Eventi"(Reference 160) and "Ocensee Event Report (LER) System" (Reference 174).- The first procedure (Reference 160) delineates the immediate reporting requirements of 10CFR50.72 for the Operations staff and directs Operations to contact Compliance for additional reporting guidance.
The report is the. responsibility of the Nuclear Regulatory Affairs (NRA) Compliance section. The LER Procedure (Reference.174) addresses event reportability determination as the first step. The Compliance Engineer is advised to review applicable information in the effort to determine if an event is potentially reportable.
l
. This review includes operator logs, Shift Technical Advisor reports, CARS, NCRs, ARs, L
ERs, and any other applicable document. Once a determination is made, the Compliance Reportability Supe'rvisor is notified and, if appropriate, a timely notification
-.of the event is made to the NRC.
The. Compliance Engineer proceeds through the LER investigation. preparation, review t
and approval process. The procedure provides detailed informaton for each of these phases. If necessary, a management briefing meeting is held te discuss the event, i
reportability,. issues, actions to be taken, preliminary cause ar. corrective actions.
The LER is reviewed and approved by cognizant organizations. Commitments made in
- the LER are incorporated into the Regulatory Commitment Tracking System (Reference 159) with the approval of the appropriate manager. The final LER is reviewed and approved by the Vice President, Engineering and Technical Services and the Vice President, Nuclear Generation.
V.
EDISON AUDITS AND ASSESSMENTS i
NOD performs periodic audits and surveillances of the reporting programs. The most
- recent audits covering the programs are described below:
1)
SEA 96-003," Assessment of Action Request Process"(Reference 319) co'ncluded that the AR process was generally implemented in accordance with procedural requirements and that the engineering evaluations.were technically adequate. However, tL.re were instances where Station Technical personnel had not established consistent work practices for assignment and closure of followup activities associated with ARs. Station Technical completed corrective actions in October 1996 and closed AR 960301568.
2)
' SCES-615-96, " Biannual Corrective Action Audit" (Reference 326) evaluated the adequacy of the root causes identified in DIRs. It was found that the root cause analysis techniques did not consistently identify the underlying cause of incidents involving human performance. Corrective action was completed with the development and implementation of the AR Program in December 1995 and l
the associated ER Program '.
1 4
m e.,e wa e
classification of deficiencies and corrective actions tracking. Edison took action to implement a new and easier AR Program in December 1995.
NRC SALP Repcrt 95-99 (Reference 59), continued to identify strengths in the area of the corrective action systems and characterized them as effective in resolving equipment design and engineering procedural deficiencies. Root Cause analysis for L
equipment ceficiencies and performance issues was also cited as a strength in this latest report.' The report also identified a need for NCR process improvement, which has been accomplished.
Vll.
CONCLUSION I
Edison has established _ extensive and effective programs at San Onofre to identify i
problems, determine their extent and provide appropriate resolution. For significant
)
conditions adverse to quality, the programs require the cause to be determined and appropriate corrective actions implemented to prevent recurrence. Processes are in
- place to identify conditions that are reportable to the NRC in accordance with license -
conditions. Edison audits and NRC inspections have demonstrated the effectiveness of these programs and processes.'
1 w-n v
e.-
n.
ENCLOSURE E Page 1 l
L This enclosure responds to information request (e) which solicits:
l l
"The overall effectiveness of your current processes and programs in concluding that the configuration of your plant (s) is consistent with the design bases."
1.
OVERVIEW L
Edison has completed and planned a number of rigorous engineering and assessment i
efforts which assure the adequacy and availability of design bases information.
II.
. DISCUSSION In 1994 Edison completed the Design Bases Documentation (DBD) Program begun in
)
1989. The program generated twenty-eight System and Topical DBDs. This program was intensive, involving in excess of 400,000 man-hours of effort and a rigor exceeding the requirements specified in NUMARC 90-12, " Design Basis Program Guidelines." ~
When NUREG-1397, "An Assessment of Design Control Practices and Design Reconstitution Programs in the Nuclear Industry," was issued in 1991, Edison assessed its program plan and associated procedures to assure they did not contain the common weaknesses cited by the NRC. Similarly when NRC policy statement,
" Availability and Adequacy of Design Bases information'at Nuclear Power Plants "
(57FR35455) was issued, Edison's DBD project team reviewed it and incorporated it into its DBD Manual and the DBD Program Plan.
Edison's DBD Program included review of design bases calculations, generation of new drawings such as instrument loop diagrams and Appendix R safe shutdown logic diagrams, and acquisition or reconstitution of missing or inadequate calculations. It also involved documented plant verification walkdowns and reviews of operating
)
instructions and surveillance test procedures. For the areas covered, the DBD Program assured Edison that the configuration of the plant is consistent with the design bases.
The areas covered by the DBD Program account for the majority of the systems contained in the current Technical Specifications. Systems covered by the Technical i
Monitoring instrumentation, Remote Shutdown System, Containment Systems, Control Specifications for which formal DBDs were not developed are: Post Accident Room Emergency Air Cleanup System, Fuel Handling and Storage Systems, Class 1E 120V AC System, and Emergency Diesel Generators. Although these systems were included within the original program scope, Edison decided not to develop DBDs for them based on safety classification, risk significance., the extent of available design bases information, coverage by a Topical DBD, and the influence of other ongoing programsc Edison advised the NRC of this action.
l-Edison believes that its decision in 1994 to reduce the original scope of the DBD l
Program was appropriate. However, Edison is raising its standards in light of the rising y
w
~
c
h ENCLOSURE E Page 3 l
The Setpoint Calculation Program, to date, has evaluated the majority of safety l
sigriificant instrumentation covered by the Technical Specifications. Edison declared no instruments inoperable as a result of calculations performed in the first three phases. Therefore, there is a low likelihood that the balance of this effort will reveal an l
operability issue.
t l
Edison's current Updated Final Safety Analysis Report (UFSAR) Review Project will verify accuracy of UFSAR requirements with respect to design bases calculation results, implementing procedures, and the as-operated as-tested plant. To date Edison has reviewed roughly two-thirds of the UFSAR sections and has identified no safety significant issues. Edison expects similar results in the balance of this project.
To assure consistency is maintained between the plant and its design bases, Edison classified its DBDs as Design Disclosure Documents to assure they are controlled and maintained current. Edison scanned the DBDs and the UFSAR into the site computer network thereby making them available for their widespread use in the performance of work activities.
Edison employs formal controls on its design, configuration control, and procedure processes, the overall effectiveness of which have been corroborated by internal and regulatory audits and inspections. NRC Inspection Report 95-201 (December 1995) documented the Integrated Performance Assessment Process (IPAP) at San Onofre covering the period from September 1993 to October 1995. This detailed assessment by the NRC found that processes to control the design bases at San Onofre Units 2 and 3 were adequate. In the area of engineering, the IPAP report indicated Edison's overall performance was superior. The IPAP report found engineering self-assessments to be thorough and concluded that trained engineers thoroughly performed safety evaluations for plant modifications. Design changes and work requests contained proper safety evaluations, post-work testing and acceptance criteria, and assessments of the impact of the change on licensee programs. The IPAP report characterized the Motor Operated Valve (MOV) and Inservice Testing (IST) programs as good. The review of the system engineering program noted that the system engineers knew their systems and completed the required training. System engineers were involved in problem analysis, the IST program, and trending of pump and valve performance, and performed adequate coordination with maintenance, design engineering, and operations.
- 111, CONCLUSION in light of completed programs, planned efforts to perform intensive design bases information verifications, the expected low likelihood of future safety significant issues related to the adequacy or availability of design bases information, and effective processes to control changes to plant configuration, Edison has reasonable assurance that it is effectively assuring that the configuration of San Onofre Units 2 and 3 is consistent with its design bases
-~.
.(
1 l
This enclosure responds to the request for information regarding design bases l
reconstitution which reads;
-y U
If design review or reconstitution programs have been completed or are being
.\\
conducted, provide a description of the review programs, including identification of the systems, structures, and components (SSCs), and plant-level design attributes (e.g., seismic, high-energy line break, moderate-energy line break).
-\\
The description should include how the program assures the correctness and i
accessibility of the design bases information foryourplant and that the design bases remain current. If the program is being conducted but has'not been completed, provide an implementation' schedule for SSCs and plant-level design attributes review, the expected completion date, and method of SSC
'l prioritization used for the review.
1.
OVERVIEW This Enclosure demonstrates the thoroughness of San Onofre's design review and' reconstitution programs and identifies those systems, associated components, and plant-level attributes (called Topicals) which have been, or will be, addressed as part of the program. Additionally, it outlines the measures implemented to assure correctness and accessibility of design bases information and to assure the design bases remain current. A program status is provided for those items not yet complete.
II.
BACKGROUND Operating licenses were received for San Onofre Units 2 and 3 in February 1982 and November.1982, respectively. As a recent vintage plant, numerous design bases issues were addressed during the licensing process (Reference 50).
4 A prime example is the seismic design adequacy reviews conducted by the Nuclear Regulatory Commission (NRC) as well as independent evaluations commissioned by Edison and performed by Torrey Pines Technology, a subsidiary of General Atomic
.(References 6,9,10, and 50). These efforts consisted of a comprehensive review of-
)
. the seismic design to verify that the seismic design bases specified in the Final Safety i
Analysis Report (FSAR) had "een correctly translated into design documents used by j
- the Engineer-Constructor (Bechtel) and equipment fabricators. - The NRC concluded j
that ";.. the design verification p'rogram was acceptably designed and implemented to
.j
- uncover systematic design deficiencies that may exist in the design of San Onofre Units 2 and 3."
lThe need to develop DBDs for Units 2 and 3 became evident after a variety of challenges to operation, maintenance, and design of these. facilities during the initial stages of transition from a constructi'on based organization to an operating plant j
environment. The culmination of these events was : Safety System Functional Inspection (SSFI) of the Units 2 and 3 Component Cooling Water (CCW) and Saltwater
- Cooling (SWC) Systems which resulted in several Notices of Violation and Deviation.
.i
ENGLOSUREF Page 3 Nonetheless, the NRC acknowledged Edison's efforts to improve the setpoint methodology program and observed that setpoint calculations performed under the new program appeared to be adequate and absent the types of errors noted in older calculations. In response to the SMTI, Edison identified the causes of the engineering quality concerns and implemented corrective action. Further, Edison broadened the 1
scope of its setpoint program and, in July 1992, issued the Setpoint Calculation Program.
Over the next several years, as the DBD Program matured and additional design 4
bases issues surfaced, the DBD effort was used as the vehicle to facilitate resulution.
Since 1990, the emphasis that Edison has placed on effectively implementing the IAETS Task Force recommendations and other efforts to improve plant performance can be measured, in part, by NRC observations and SALP Category ratings of Edison engineering. Engineering performance has steadily improved. For the most recent period, July 1994 through December 1995, which included an NRC Integrated Performance Assessment Program audit (Reference 58), Engineering was rated superior, SALP 1.
Edison continues to evaluate plant specific and industry concerns as well as conduct i
self assessments to assure the design bases is current and consistent, and takes necessary actions where appropriate.
Ill.
DBD PROGRAM DESCRIPTION As mentioned above, Edison's design review and reconstitution activities began with a DBD Pilot Program in 1989. The Pilot Program was conducted in accordance with
)
written procedures contained in a controlled Pilot Program Manual. For Units 2 and 3, the Instrument Air System (IAS) was selected as the pilot system.
)
Throughout 1989, and as an integral part of developing the Pilot Program, Edison i
participated in the industry initiatives focused on establishing design bases program guidance. In particular, Edison was a primary contributor to the Region V Engineering Manager's Forum document entitled, " Guidelines for the Establishment of Design Bases Documentation Programs" This document, issued in May 1989, provided much of the framework and information cor"ained in NUMARC 90-12, " Design Bases Program Guidelines."
The Pilot Program concluded with an in-depth self-assessment of the IAS DBD and, thereby, the effectiveness of the program. Assessment perscnnel received SSFI training and employed vertical slice methodology. The assessment identified significant shortcomings in Pilot Program assumptions, research process techniques, and DBD content and format. The lessons learned from the Pilot Program, together with Region V and NUMARC guidance, were incorporated into the full DBD Program that commenced in January 1990.
ENCLOSURE F Page 5.
/
- classification, risk significance based'on the Units 2 and 3 probabilisitic risk '
s - assessment. and the extent of available design bases information. Other ongoing l
engineering programs were also reviewed from a redundancy / duplication of effort perspective.' Edison concluded that of the nineteen candidates evaluated, sufficient.
t justificat. ion existed for reducing the program scope by thirteen System and four Topical DBDs. Details of this program change were provided to the NRC (Reference
' 12).:
The work performed under the auspices of the DBD Program and by the dedicated DBD Project Team was completed during 1994. Incomplete tasks were assigned to the applicable line organization for completion as part of a documented turnover process (Table F.1). Through the end of 1994, the total DBD Program man-hours exceeded 400.000 As list'ed in Table F-2, DBD Program efforts resulted in twenty-eight (28)
Units 2 and 3 System and Topical DBDs and several essential design reconstitution projects.
IV.'
DBD RESEARCH AND DEVELOPMENT Based on the nature of the issues that led Edison to the commitment of initiating a DBD Program, the San Onofre Design Basis Reconstitution and Documentation Program evolved to become one of the more ambitious programs undertaken in the industry.
The San Onofre DBD program used a two-step process to assure that the design bases documents accurately reflected the source design documentation, the design y
output documents accurately reflected the design bases, the plant configuration was maintained in accordance with the design output documents, and the operating instructions and licensing documents accurately reflected the design bases. Since
'SSFis had identified weaknesses at San Onofre, the philosophical approach was to l
challenge the adequacy and integrity of the facility against its design bases rather than to presume the existence of a condition of functionality and operability.
The first phase o'f the process was an extensive review and verification of the design bases, design, operations, configuration, maintenance, testing, and licensing commitments of a system or topical (Plant level design issue) and normally took over i
one. year to complete. The second phase of the process was a series of mhlti
.l disciplinary reviews of the completed Design Bases Document by DBD supervision, an independent Review Engineer, and cognizant personnel from the Nuclear Engineering Design. Organization (NEDO), Nuclear Fuel Management (NFM), Station Technical, Operations, and Licensing as well as a separate validation by an outside entity when deemed appropriate.
The program used the 10CFR50.2 definition of Design Bases to establish its primary focus and, thus, undertook to define the functions of the system or topical as well as the controlling parameters and their value or range of values necessary to assure those functions. The primary functional requirements and controlling parameters were l-determined based on a review of upper tier documents such as the Code of Federal p
ENCLOSURE F Page 7 preparation checklist for each DBD was annotated in accordance with quality procedure req'uirements to indicate where reductions were taken.
Research was performed by a DBD engineer and reviewed by an independent reviewer.
In addition, some elements also required the review of the DBD supervisor. When open issues were identified, Open item Reports (OIRs) or other appropriate plant reports were generated to capture the concern and categorized as to the significance of the issue (Reference 181). The DBD Engineer assessed operability and reportability of OIRs.
Operability and reportability were evaluated at initiation and resolution of the OIRs, and where appropriate, as additional information became available. The processes for conducting these reviews were consistent with NUREG-1397, Section 4.3 (Reference 29).
Items deemed inoperable were processed into the NCR system for validation whereas items deemed potentially reportable were coordinated with NEDO and Licensing for validation and reporting to the NRC, as required.
The second phase of this process to develop complete and accurate DBDs ::onsisted of multidisciplinary, multi-departmental reviews of the document at various stages of completion (Reference 175). For systems, these reviews were designed to assure that the DBDs adequately addressed the functions; system operability requirements; component parameters for system functionality; system interfaces; codes, standards, and regulatory documents; and programmatic issues and additional design considerations as well as significant design modifications and summaries of design bases affecting calculations.
These reviews had the added benefit of familiarizing the various San Onofre organizations
- with the DBDs.
The San Onofre DBD Program was evaluated against NRC and industry initiatives and plant considerations throughout the course of the program to assure that the program would meet or exceed the various requirements imposed upon it.
V.
DBD VALIDATION As outlined in section 3.7.1 of NUREG 1397, "DBD Verification" is the process of checking that the information contained in the DBDs has been correctly and consistently translated from source documents, whereas " Validation" is the process of assuring that the physical plant and the DBDs are consistent (also called field validation), that system configuration and functionality is accurately represented by design documents as well as that information contained in other plant documents is consistent with the information in the DBDs. While this was not the precise use of terms adopted during DBD development, they will be used in this description to distinguish between different aspects of the process used to confirm the accuracy of the DBDs and related plant documents and configuration.
The research phase of the DBD development, discussed above, performed by the DBD Engineer and the DBD Independent Reviewer within the individual research procedures included the full spectrum of verification and validation elements, as defined above. The l
review phase of DBD development was designed to assure that the DBDs adequately described system (or topical) design, configuration, functionality, operational, and I
ENCLOSURE F_
Page 9 o ' Using nameplate data, verification that major equipment are consistent with the system design bases parameters and values.
The walkdowns were well documented, including descriptions of any significant observations and supplementary photographic documentation.
Assessment and oversight involvement was also of paramount importance throughout program implementation. in the case of seven (7) Units 2 and 3 DBDs, an independent contractor, United Energy Services Corporation, was retained to perform an assessment of DBD quality.1 This included assessments of the pilot DBD in 1989, and later four (4) l System DBDs and two (2) Topical DBDs. Beginning in 1990, Edison's Nuclear Oversight Division conducted annual audits and reviews of the DBD Program (References 301-305.
- 318); During the development of DBDs for San Onofre Unit 1, problems were identified with the correctness and consistency of the DBDs. Appropriate actions were taken to improve procedures and provide additional training to DBD engineers to improve attention
- to detail. Throughout the production of DBDs for San Onofre Units 2 and 3, the audits determined that the DBDs were generally prepared in accordance with procedures and that given the size and complexity of the DBDs that the preparation was competent and thorough. Nonetheless, areas of improvement were generally identified and appropriate actions taken on recommendations.
These reviews also assessed the OIR process and control. The reviews found that the OIRs were processed consistent with procedures and were effective in identifying probing questions concerning the plant design bases. Nonetheless, significant improvements i
were made to the OIR process throughout the program. Procedural upgrades were made to document assessment of reportability and operability issues at the time of OIR initiation and again at OIR resolution.
Throughout the program, methods of categorizing OIRs were continually updated and improved to assure that plant personnel and DBD management could _readily assess significance of the concern and establish work priorities. The OIR process and closure rates were trended, and reports were transmitted to those organizations with significant numbers _of open OIRs. In addition, the procedural requirement in the preparation procedures'and style guide (Table F-1) that OIR issues be identified at the relevant location of the DBD text usin, a bold type as well as a requirement to summarize OIRs open at the time of issuance in Appendix A of the DBD existed throughout the program and assured the integrity of the DBD despite the existence of open OIRs.
i
~ In addition to the above mentioned audits, the NRC examined the DBD Program. NRC
]
Inspection Report 92-20 dated August 13,1992, (Reference 70) stated, "A Region V i
inspector performed an informal review of the licensee's design bases documentation (DBD) program during the weeks of May 18 to 21 and June 8 to 11,1992. This review primarily focused on inspection of plant systems to assure that these systems actually -
exhibited selected safety significant design characteristics documented by the DBD Program. The inspector reviewed each system's DBD, identified several verifiable safety significant characteristics for each system, and then inspected each system to verify the e-
-n n
v
ENCLOSURE F Page 11 o
DBD-SO23-TR-AA. Accident Analysis DBD-SO23-TR-AA, Accident Analysis, contains a summary and historical record of the safety analyses of each San Onofre Unit based upon the Analyses of Record (AORs) for each event. Part I has been issued and covers 29 events. Part II, addressing the remaining 29 events, has been written but not issued. Both Part I and Part ll will be updated to reflect the Units 2 and 3 Cycle 9 AORs and issued by the end of 1997.
The safety analysis design bases of the San Onofre Units are contained in the Reload Ground Rules (RGR) and AORs. The AORs are reviewed every cycle and the results are documented in the Reload Analysis Report (RAR). The review is performed by affected San Onofre engineering groups. Based upon these results, the AORs may be revised to reflect the reload design and other plant changes as reflected in the RGR. The RGR, RAR, and up to date AORs are complete and available to San Onofre engineers to resolve issues related to the plant safety analyses.
Completion of this DBD is an existing commitment made to the NRC in 1988 (Reference 7).
e Setpoint Calculation Proaram In response to NRC inspections conducted in 1989 and 1991, Edison initiated a Setpoint Calculation Program. This program is providing rigorous engineering bases for safety related instrument setpoints, values in Emergency Operating Instructions, Technical Specification instru' ment setpoints, and Technical Specification surveillance test acceptance criteria.
In 1993, Edison completed the first phase of this program which evaluated safety related instrument setpoints and associated surveillance test requirements (with the exception of those related to a not yet installed upgrade of the radiation monitor system). As part of this phase, a number of areas were addressed. Edison-reviewed setpoint values to establish consistency with the design bases. It reviewed instrument loop calioration techniques and tolerances against associated surveillance test requirements and generated total loop uncertainty calculations.
In 1994, Edison completed the second phase of the program which evaluated instrument uncertainties for those values in Emergency Operating Instructions used to support substantive operator decisions. Edison generated instrument uncertainty calculations for these parameters. Post Accident Monitoring. Instrumentation and Remote Shutdown Monitoring instrumentation covered by the Technical Specifications were included in this phase of the program.
Edison initiated the third phase of the program in 1993. This phase focuses on Technical Specification instruments whose values represent settings that function
ENCLOSURE F Page 13 consistent with that design bases. The enhancements made to design control processes ov'er the last several years will assure that the design bases remains current and that its integrity is not compromised.
Vill.
CONCLUSION
- Edison committed to the development of Design Bases Documents based on the positive impacts to understanding and control of the design bases and the ancillary improvements to consistency of operations, efficiency and adequacy of modifications, and improved performance of technical staff. The twenty-eight DBDs were developed in a complete, thorough, and well-documented process designed to assure correctness an9 adequacy of the design basis information and to validate the plant and plant documentaaon against this design bases. The DBD Program provided added assurance that the design bases remains current and accessible.
e e
ENCLOSURE F Page 15 l
TABLE F-2 l
f UNITS 2 AND 3 SYSTEMS. TOPICALS AND RECONSTITUTION PROJECTS SYSTEM DBDs DBD-SO23-120 6.9kV,4.16kV, and 480V Electrical Systems DBD-SO23-140 1E 125V DC and 250V DC Systems l
DBD-SO23-145 Non-1E 125V DC and 250V DC Systems DBD-SO23-360 Reactor Coolant System
. DBD-SO23-365 S_ team Generators and Secondary Side DBD-SO23-390 Chemical and Volume Control System L
DBD-SO23-400 Component Cooling Water System DBD-SO23-410 Saltwater Cooling System j
DBD-SO23-470 Excore Nuclear Instrumentation System DBD-SO23-540 Instrument Air and Backup Nitrogen Systems DBD-SO23-590 Fire Protection and Detection Systems DBD-SO23-690 Radiation Monitoring System DBD-SO23-710 Plant Protection System DBD-SO23-740 Safety injection, Containment Spray, and Shutdown Cooling Systems DBD-SO23-780 Auxiliary Feedwater System DBD-SO23-800 Emergency Chilled Water System TOPICAL DBD_s DBD-SO23-TR-AA Accident Analysis DBD-SO23-TR-AR Appendix R Safe Shutdown CDD-SO23-TR-CS Codes and Standards DBD-SO23-TR-EQ Environmental Qualifications DBD-SO23-TR-FP Fire Protection DBD-SO23-TR-HF Human Factors Engineering DBD-SO23-TR-HZ Hazards Analysis DBD-SO23-TR-IS In-Service Testing,1st Ten Year interval DBD-SO23-TR-IS2 in-Service Testing,2nd Ten Year Interval DBD-SO23-TR-OA Operator Actions DBD-SO23-TR-PL Plant Level Topical DBD-SO23-TR-SF Single Failure MAJOR ANALYSES. CALCULATION AND DRAWING RECONSTITUTION PROJECTS o Instrument Setpoint Design Bases Calculation Program o Instrument Loop Drawing Development Project o Electrical System Design Bases Calculation Development Program GL 89-10, Motor Operated Valve Program (Design Bases Calculation Development) l o
9
ENCLOSURE G -
Page 1 The following is a list of acrorry + used throughout this document.
l ABB-CE - ASEA Brown Boveri - Combustion Engineering i
AC. Alternating Current AFW - Auxiliary Feedwater J
ANSI-American National Standards Institute l
AOR - Analysis of Record AR - Action Request ASME - American Society of Mechanical Engineers BDD - Bases and Deviations Documents BOM Bi.Il of Material i
CAP - Corrective Action Program CAR - Corrective Action Request CC - Configuration Control CCN - Calculation Change Notice CCW - Component Cooling Water CDMC - Corporate Document Management Center CE - Combustion Engineering CETB - Combustion Engineering Technical Bulletin CFDM - Cognizant Functional Division Manager CFR - Code of Federal Regulations CGI - Commercial Grade item I
COLSS - Core Operating Limits Supervisory System CPC - Core Protection Calculator CWO - Construction Work Order DBD - Design Bases Document / Documentation DC - Direct Current DCN - Design Change Notice DCP - Design Change Package DIR - Division investigation Report DPTF - Design Process Task Force EC - Equipment Control ECCS - Emergency Core Cooling System l
EDG - Emergency Diesel Ger ;rator EDSFl - Electrical Distribution System Functional Inspection EEC - Engineering Evaluation for Cause EOl - Emergency Operating Instruction EPG - Emergency Procedure Guidelines EPRI - Electric Power Research Institute l
EQ - Environmental Qualification ER - Event Report ESFAS - Engineered Safety Features Actuation System ETEC - Energy Technology Engineering Center FAC - Flow Accelerated Corrosion FCE - Facility Change Evaluation FCN - Field Change Notice l
y NUMARC - Nuclear Management and Resources Council:
i
, x.NUREG -' Nuclear Regulation ODERi Operations Division Experience Report C
l'
. OER - Operating Experience Report OIR - Open item Report '
. OPG - Operations Procedures Group (P&lD - Piping and Instrumentation Diagram
.PBO - Performance Based Observation i
PE - Procurement Engineering PEP - Procurement Engineering Package PM - Preventive Maintenance.
POG Plant Operations Group PPS - Plant Protection System PRA -' Probabilistic Risk Assessment PRR.- Problem Review Report QA - Quality Assurance QC. Quality Control RAR - Reload Analysis Report RCE - Root Cause Evaluation' RCGVS - Reactor Coolant Gas Vent System
{
-RCM - Reliability Centered Maintenance RCTS - Regulatory Commitment Tracking System RGR - Reload Ground Rules.
RMO - Repetitive Maintenance Order RPS - Reactor Protection System SALP - Systematic Assessment of Licensee Performance SCC - Structures, Systems and/or Components SCE - Southern California Edison
.SDE - System Design Engineer SEE'- Substitution Equivalency Evaluation j
SER Significant Experience Report /(NRC) Safety Evaluation Report
{
SFP - Spent Fuel Pool
- SIAS - Safety injection Actuation Signal-
- SMTl - Setpoint Methodologies Team inspection SONGS - San Onofre Nuclear Generating Station SOER - Significant Operating Experience Report SRP - Standard Review Plan
. SSFA - Safety System Functional Assessment r
.SSFl.- Safety System Functional Inspection STEC - Station Technical-SWC - Salt Water Cooling TCN - Temporary Change Notice -
TDIR - Technical Division investigation Report TE - Technical Evaluation TER - Test Exception Report TFM - Temporary Facility Modification L
.,,-_~_.....,n.
.-.n--.n,-
- -.~_
-.nn..
.nn.-
.. -. ~. - -..-...... _.- -. -..... _,
j
=
1 l
l l
1 l
l 1
I i
f 1
1 ENCLOSURE H l
1 I
f r
n----,-
e r
n.-
p
ENCLOSURE H Page 2
. Industry G:nsric Guidance 30 ANSI N45.2.11-1974 " Quality Assurance Requirements for the Design of Nuclear Power Plants" 31 NSAC-125 (Jur e 1989)" Guidelines for 10CFR50.59 Safety Evaluations" 32 CE NPSD-925," Guideline for Addressing instrument Uncertainties in Emergency Operating Procedures and Technical Specifications", January 1994 34 CEN-152, Revision 3, " Emergency Procedure Guidelines" NRC Transmittals to Edison 50 NUREG-0712, Safety Evaluation Report related to the operation of San Onofre Nuclear Generating Station, Units 2 and 3 dated February 1981; Supplement 1 dated February 1981; Supplement 2 dated May 1081; Supplement 3 dated September 1981; Supplement 4 dated January 1982; Supplement 5 dated February 1982; and Supplement 6, dated June 1982.
51 Letter, J. B. Martin (NRC) to D. J. Fogarty (Edison), NRC Inspection of San Onofre Nuclear Generating Station Units 2 and 3 (CCW/SWC), dated August 3,1988 52 Letter, J. B. Martin (NRC) to K. P. Baskin (Edison), Systematic Assessment of Licensee Performance, dated November 25,1988 53 Letter G. M, Holahan (NRC) to H. B. Ray (Edison), NRC Inspection Report No. 50-361 and 362/89-200 (EDSFI), dated January 12,1990 54 Letter, J. E. Tatum (NRC) to H.B. Ray (SCE) et al, Generic Letter 89-13, Service Water System Problems Affecting Safety Related Equipment, SONGS 1,2 and 3, dated February 23,1990 55 Letter, R.P. Zimmerman (NRC) to H.B. Ray (Edison), NRC. Inspection of SONGS Units 2 and 3, dated April 12,1991 56 Letter, J. B. Martin (NRC) to H. B. Ray (Edison) Systematic Assessment of Licensee Performance, dated October 3,1991 57 Letter C. A. Van Denburgh (NRC) to H. B. Ray (Edison), NRC Inspection Report Nos. 50.206, 361, 362/93-26, dated September 27,1993.
58 NRC Inspection Report No. 50-361/95-201 and 50-362/95-201 (Final IPAP) dated December 21,1995 59 Systematic Assessment of Licensee Performance (SALP) Report 95-99, dated February 7,1996 60 NRC Inspection Report 96-02, dated April 11,1996 61 NRC Inspection Report 96-05, dated July 8,1996 64 Letter, T.P. Gwynn (NRC) to H. B. Ray (Edison) dated December 16,1996, NRC Inspection Report 50-361/96-17; 50-362/96-17 and Notice of Violation 65 NRC Inspection Report 95-26, dated January 19,1996 66 NRC Inspection Report 96-08, dated August 12,1996 67 NRC Inspection Report 96-10, dated December 13,1996
(
68 NRC Inspection Report 96-15, dated December 17,1996 69 Letter, D. E. Hickman (NRC) to K. P. Baskin (Edison), Safety Evaluation of Natural Circulation Cooldown Test, dated February 24,1988 70 NRC Inspection Report 92-20, dated August 13,1992 l
ENCLOSURE H Page 4 0
118 Procedure SO123-XXXVI-2.7 Rev 0 " Control of Nuclear Fuel Management Reduced instruction Set Computer 600 Computer Network" 119 Procedure SO123-XXIV-5.1 TCN 1-1 " Engineering, Construction and Fuel Services Software Quality Assurance" 120 Procedure SO123-XXXil-2.1 Rev 4 " Quality Affecting Technical Evaluation / Procurement Classification and Acceptance Process" 121 Procedure SO123-XXXil-2.18 Rev 2 " Substitution Equivalency Evaluations (SEES)"
122 Procedure SO123-XXIX-2.1 Rev 2 " Preparation, Review and Approval of Nuclear Construction Administrative Procedures" 123 Procedure SO123-XXVI-2.4 KNs 1-3 and 1-4 " Preparation, Review and Approval of Component Test Procedures" 124 Procedure SO123-XXVI-2.5 TCN 1-4 " Preparation, Review and Approval of
)
Preoperational Test Procedures 125 Prccedure SO123-XXVI-2.6 TCN 1-5 " Review, Evaluation and Approval of Test Results" 126 Procedure SO123-XXIX-2.10 TCN 1-2 " Design Change Process" 127 Procedure SO123-XXIX-2.14 Rev 2 " Construction Work Orders" 128 Procedure SO123-XXIX-2.16 Rev 2 " Construction' Problem Report" 129 Procedure SO123-XXIX-2.31 Rev 1 " Component Testing" 130 Procedure SO123-XXVI-2.32 TCNs 1-5,1-7 and 1-9 "DCP Turnovers" 131 Procedure SO123-XXIX-2.33 TCNs 0-5,0-6 and 0-7 " Conduct of Work" 132 Procedure SO123-XXIX-2.35 Rev 3 " Field Change Notices" 133 Procedure SO123-XV-5.1 Rev 2 " Temporary Modification Control" 134 Procedure SO123-V-4.71 Rev 2 " Software Development and Maintenance" J
135 Procedure SO123-1-1.3, Rev 5 " Work Activity Guidelines" i
136 Procedure SO123-I-1.7, TCN 5-3 " Maintenance Order Preparation and Processing" I
I 137 Procedure S0123-11-15.3 Rev 5 " Temporary System Alteration and Restoration" 138 Operating Procedures Group Writer's Guide.
139 Procedure SO123-VI-0.9 Rev 5 " Author's Guide for Preparation of Orders, Procedures and Instructions" 140 Procedure SO123-VI-1 TCN 16-1 " Review / Approval Process for Orders, Procedures and Instructions" 141 Procedure SO123-0-20 Rev 3 "Use of Procedures" 142 Procedure SO123-0-22 Rev 1 " Temporary Facility Modification Control" 143 Procedure SO123-VI d 0.1 Rev 11 " Temporary Change Notices" l
144 Procedure SO23-6-29 Rev 5 " Operation of Annunciators and Indicators" 145 Procedure SO123-XX-5 Rev 4 " Work Authorizations" 146 Procedure SO123-XX-5.1 Rev 1 " Work Authcrizations !ssue, Release and Modifications" 147 Procedure SO123-0-23 Rev 3 " Control of System Alignments" 148 Procedure SO123-XV-5 Rev 6 " Nonconforming Material, Parts or Components" 149 Procedure SO123-VI-1.3 Rev 4 "Unreviewed Safety Question Screening Criteria and Environmental Evaluations for Orders, Procedures and Instructions" 150 Form PF(123)109-1 Rev 5,"Unreviewed Safety Question Screening Criteria" 151 Procedure SO123-XXI-1.11 Series " Training Program Descriptions" 152 SO23-XV-2.2 TCN 0-2, " Vendor information Review Program Manual Compilation, j
Review, and Approval"
~ ENCLOSURE H Page 6 l,.
185 Procedure SO123-Xil-20.1 Rev 2 " Material Test and Receipt Lab Program j
implementation" l
m-a l
186 Procedure SO123-Xll-20.2 Rev 2 " Material Test and Receipt Personnel Quahfications Standards" 187 Procedure SO123-Xil-20.4 Rev 2 " Receiving Inspection" 188 Procedure SO23-V-4.7 Rev 10 " Control of Core Protection Calculator Addressable Constants" 189 Procedure SO23-V-13 Rev 2 " Control of Plant Physics Data Books, COLSS Addressable Constants and Reactor Engineering Data Transmittals" 190 Procedure SO123-Ill-5.20 Rev 9 " Assignment, Maintenance, Control and Distribution of Offsite Dose Calculation Manuals" 191 Procedure SO123-XXXV-1.5 TCN 1-1 " System Functional and Boundary Definition Methodology" 192 "UFSAR Review Plans and Guidelines," Revision 1, August 1996 193 Procedure SO123-XXXV-1.2 TCN 0-1 " Calculation Review Methodology" 194 Procedure SO123-XXXV-1.3 Rev 0 "Setpoint Review Methodology" 195 Procedure SO123-XXXV-1.7 Rev 0 " Motor Operated Valve Review Methodology" 196 Procedure SO123-XXXV-1.12 Rev 1 " Evaluating the Environmental Qualification Master List" 197 Procedure SO123-XXXV-1.15 Rev 0 " Spurious Circuit Actuation Evaluation" 198 Procedure SO123-XXXV-1.9 Rev 1 " Licensing Bases and Commitments Review
' Methodology" 199 Procedure SO123-XXXV-1.13 Rev 2 "In-service Testing Review Methodology" 200 Procedure SO123-XV-51 Rev 0, " Identifying and Assessing Impact to Site Programs and Procedures" Edison Audits, Assessments, Surveillances, Task Force Results 300 Independent Assessment of Engineering and Technical Support Task Force Report, August 1988, CDM C881005G0004 301 Surveillance Report SOS-075-95, " Radiation Monitoring System DBD Open item Reports", dated November 29,1995 302 Audit Report SCES-024-90 " Design Control" 303 Assessment Report SEA-92-001, "DBD Open item Report Process", dated March 20,1992 304 Audit Report SCES-346-93," Design Bases Documentation, _ November 5,1993 305 Assessment Report SEA-94-002, " Design Bases Documentation Packages", March 2,1994 306 Audit Report SCES-507-95 " Station Welding and ASME Code Section XI Repair / Replacement Program" l
307 Audit Report SCES-508-95 " Plant Systems (MSSV, MSIV, ADV, AFW Pumps, System, Emergency Chilled Water)"
308 Audit Report SCES-519-95 " Procurement Document Development" 309 Audit Report SCES-524-95 " Design Control Processes implemented by NEDO" 310 Surveillance Reports SOS-032-95 (6-6-95) and SOS-061-95 (8-2-95), "MMP 2060 Operations and Maintenance Procedure Changes" 4
l
- ,g - (d.E soomtRN CAUFORMA - _
, f MEDISON c'2-"
' An EDISON IxitRNATIONAL Company N
s.S,d 1.._. i.i 1 May 1, 1997
'[fd. & - 51997 g
{
t
',7
-~-..-..,~.,,,w REGION IV 1 U. ' S. Nuclear Regulatory Comission Attention: Document Control Desk Washington, DC 20555-0001 Gentlemen:
Subjecti Docket Nos. 50-361 and 50-362 i
Request for Information Pursuant to 10 CFR 50.54(f) Regarding Adequacy'and Availability of De' sign Bases Information San Onofre Nuclear Ge'nerating Station (SONGS) Units 2 and 3
Reference:
Letter dated February 12, 1997 from Harold B. Ray (Edison) to the Document Control Desk (NRC);
Same subject This letter is to clarify certain information in the above referenced letter.
Specifically, page 2 of the cover letter, page.1 of Enclosure E, and page 4 of Enclosure F state that Edison's Design Basis Documentation (DBD) program t
included the generation of new Appendix R safe shutdown logic diagrams.
The DBD program initiated a major effort to generate a new set of Appendix R safe shutdown logic diagrams to replace its existing ones.
Although the generation of new diagrams was initiated, they were never completed or issued.
i In the course of the effort an assessment indicated that it would be more cost-effective to revise the original logic diagrams than to complete the new ones. Therefore, work on the new diagrams was terminated.
i The Appendix k safe shutdown logic diagram effort produced a report
- identifying issues requiring resolution including deficiencies in the existing logic diagrams. These logic diagram. issues were_ formally documented and tracked. The last issue was closed in December of 1996. Despite the change in ' direction, the overall effort achieved its original objective which was to generate a set of reliable Appendix R' safe shutdown logic diagrams.
I I
P. O. Box 128 San Clemente. CA 92674 0128 M- ( 03 3 i
L 714 368 1480 l'
Fax 714 368-1490 2 lIYi U G tw
~
l
_. ~-.
,a d
a a
Document Control Desk 2
Should you have any questions or require additional information regarding this, please contact me.
Sincerely, g-cc:
E. W. Herschoff, Regional Administrator, NRC Region IV' K. E. Perkins, Jr., Director, Walnut Creek' Field Office, NRC Region IV i
J. A. Sloan, NRC Senior Resident Inspector, San Onofre Units'2 & 3 M..B. Fields, NRC Project Manager, San Onofre Units 2 and 3 i
l e
I
e q
p uru k
UNITED STATES 8*
f j
NUCLEAR REGULATORY COMMISSION e
t WASHINGTON, D.C. 20666 4001
%,.....,/
October 21, 1996 EGM 96-005
' MEMORANDUM T0:
Hubert J. Miller, Regional Administrator Region I Stewart D. Ebneter, Regional Administrator Region II
.A. Bill Beach, Regional Administrator Region III L. Joe Callan, Regional Administrator Region IV Roy Zimmerman, Associate Director for Projects. NRR Ashok C. Thadani, Associate Director for Inspection and Technical Assessment NRR Robert Burnett, Director, Division of Safeguards and Transportation. NMSS Carl J. Paperiello, Director. Division of Industrial and Medical Nuclear Safety, NMSS John T. Greeves Director Division of Waste Management, NMSS FROM:
James Lieberman, Director Office of Enforcement
SUBJECT:
ENFORCEMENT GUIDANCE MEMORANDUM - ENFORCEMENT ISSUES ASSOCIATED WITH FSARS. SECTION 8.1.3 ENFORCEMENT OF FSAR COMP'TMENTS The Commission has recently approved the attached modifications to the Enforcement Policy to address departures from the FSAR. It addresses:
4 1
Enforceability of the FSAR 2.
Severity Levels for 50.59 and 50.71(e) violations 3.
Severity Level for reporting l
4.
Minor violations 5.
Application of the corrective actions factor for civil penalty assessments 6.
Enforcement discretion including a two year incentive period followed by use of discretion to escalate civil penalties to provide incentives to
~
encourage voluntary initiatives to identify FSAR discrepancies.
}
gnnm m y
l Multiple Addressees These are significant changes and the staff involved with reactor inspections.
licensing, and enforcement activities should be familiar with them.
In addition, to maintain consistency in the enforcement process, the use of a Notice of Deviation to address a FSAR discrepancy requires prior approval from the Director. Office of Enforcement.
This is because most discrepancias with the FSAR should be considered violations under 10 CFR 50.59.
Notices of Deviations may only be used for failure to meet an FSAR commitment if the failure does not cause the licensee to be in violation of any specific requirement includlng 10 CFR 50.59.
Also OE should concur on use of minor violations for FSAR discrepancies in cases where minor violations are written up in an inspection report.
OE intends to coordinate with NRR before concurring on the use of Notices of Deviations or minor violations associated with the FSAR.
This process will be revised after experience is gained using the modified policy.
Pending a revision to section 8.1.3 of the Enforcement Manual. " Enforceability of FSAR Commitments." the guidance in the enclosed Statement of Considerations to the changes in the Enforcement Policy should be used in developing enforcement sanctions.
Where there is a conflict between section 8.1.3 and the Statement of Considerations, use the Statement of Considerations.
Appropriate changes will be made to the Enforcement Manual to reflect these Policy modifications.
Enclosure:
As stated cc:
J. Milhoan. DEDR H. Thompson. DEDS J. Goldberg. 0GC F. Gillespie. NRR
14
. Multiple Addressees Deviations may only be used for failure to meet an FSAR commitment if the failure does not cause the licensee to be in violation of any specific requirement including 10 CFR 50.59. Also OE should concur on use of minor violations for FSAR discrepancies in cases where minor violations are written up in an inspection report.
OE intends to coordinate with NRR before concurring on the use of Notices of Deviations or minor violations associated with the FSAR.
This process will be revised after experience is gained using the modified policy.
i Pending a revision to section 8.1.3 of the Enforcement Manual, " Enforceability of FSAR Commitments," the guidance in the enclosed Statement of Considerations to the changes in the Enforcement Policy should be used in developing enforcement sanctions.
Where there is a conflict between section 8.1.3 and the Statement of Considerations, use the Statement of Considerations.
I Appropriate changes will be made to the Enforcement Manual to reflect these Policy modifications.
Enclosure:
As stated cc:
J. Milhoan, DEDR H. Thompson. DEDS J. Goldberg, DGC F. Gillespie, NRR DISTRIBUTION:
.JLieberman, OE DE Staff Enforcement Coordinators RI, RII. RIII. RIV EGM File Day File PDR NUDOCS D:0E YES YES JLieberman NO NO Doc Name:
G:\\EGMFSAR.JL
Multiple Addressees
[7590-01-P]
NUCLEAR REGULATORY COMMISSION
[NUREG - 1600]
Policy and Procedure for Enforcement Actions:
Departures from FSAR AGENCY:
Nuclear Regulatory Commission.
ACTION:
Policy statement:
Revision.
SUMMARY
The Nuclear Regulatory Commission (NRC) is amending its General Statement of Policy and Procedure for Enforcement Actions (Enforcement Policy) to address issues associated with departures from the Final Safety Analysis Report.
DATES:
This revision is effective on [Date of Publication in the Federal Register].
Comments are due on or before (30 days after publication in the Federal Register).
)
ADDRESSEES: Send written comments to:
The Secretary of the Commission, " S.
Nuclear Regulatory Commission, Washington, DC 20555. ATTN:
Docketing and Pfla##
l Multiple Addressees Service Branch.
Deiiscr comments-to:
11555 Rockville Pike, Rockville.
Maryland 20852, between 7:45 am and 4:15 pm, on Federal workdays.
Copies of comments may be examined at the NRC Public-Document Room. 2120 L Street, NW.
(Lower Level), Washington, DC, FOR FURTHER INFORMATION CONTACT: James Lieberman, Director, Office of Enforcement, U.S. Nuclear Regulatory Commission, Washington, DC 20555 (301)-415-2741.
SUPPLEMENTARY INFORMATION:
As a result of increased regulatory attention to Part 50 licensees' adherence to the Final Safety Analysis Report and the Updated Final Safety Analysis Report (FSAR), both licensees and NRC have identified numerous failures to conform to these documents.
Given these findings, the Commission has reviewed the current Enforcement Policy to determine if additional guidance is needed to treat compliance issues associated with departures from the FSAR.
The Commission has concluded that the guidance in the current Enforcement Policy. NUREG-1600, published in the Federal Register (60 FR
.34381; June 30, 1995) should be revised.
Many operating licenses contain a finding which states that the licensed facility is as described in the FSAR. as amended and revised.
In accordance with 10 CFR 50.59, the Commission allows licensees to make changes to the i l l
l
' Multiple Addressees.
facility or procedures described in the FSAR and to perform certain tests or experiments not described in the FSAR without prior NRC approval provided i
evaluations are performed to demonstrate that the change does not involve an j
unreviewed safety question and the change does not conflict with a technical specification.
Specifically,10 CFR 50.59(a) provides:
i 1
The holder of a license authorizing operation of a production or utilization facility may (1) make changes in the facility as described in the safety analysis report. (ii) make changes in the procedures as described in the safety analysis report, and (iii) conduct tests or experiments not described in the safety analysis report, without prior Commission approval, unless the proposed change, test, or experiment involves a change in the technical specifications incorporated in the license or an unreviewed safety question.
If an unreviewed safety question or a change to a technical specifications is involved.10 CFR 50.59(c) requires that the licensee submit l
l an application for a license amendment pursuant to 10 CFR 50.90. before making l
the change or departing from the FSAR.
l-Section 50.59(b) requires that the evaluation be documented in writing and maintained and reports of the changes be submitted to the Commission.
Periodic updates to the FSAR are required by 10 CFR 50.71(e) to reflect l 1
l.
Multiple Addressees changes made under 10 CFR 50.59.
The regulatory process is predicated on the assumption that when the license is issued, the facility, procedures, tests, and experiments will be as-described in the FSAR.
Thus,10 CFR 50.59 is primarily a prospective requirement.
Section 50.59 requires a process to be followed in' evaluating proposed changes from the description of the facility and its procedures described in the FSAR.
However, 10 CFR 50.59 is also used to form the basis for citations when the facility or procedures never met the description in the FSAR.
These cases represent de facto changes from the FSAR.
A failure of the facility to conform to the FSAR may also mean that the FSAR may contain inaccurate or incomplete information, subjecting the licensee to enforcement action for a violation of 10 CFR 50.9.
In addition, failure to meet a specific commitment in the FSAR which describes how the licensee was to meet a regulatory requirement, may be a violation of that regulatory requirement.
In some cases, the departure from
-the FSAR, if it does not involve a change to the facility, procedures, or tests or experiments described in the FSAR, may not cause the licensee to be in violation of any legal requirement.
In such cases, the departure from the i
FSAR would not be a violation, and only a Notice of Deviation may be warranted.
l _.
1 i
l
/ Multiple Addressees V
l
. Thus, there are a variety.of requirements that can'be used to form the l
basis for enforcement action to address departures from the FSAR.-- Each l
potential-' enforcement case ~is reviewed on-its merits to determine which-requirement. orLset of requirements.,is appropriate to base ~the' enforcement-
. action on. Given a violation of NRC requirements, the next step in the j
f
. process is to determine the severity level of the violation based on the j
- safety. and regulatory significance of, the violation.
The Enforcement Policy l.
- provides. definitions of severity levels (Section IV. Severity of Violations) i
' and examples (Supplements I - VIII) which are used in categorizing the..
i severity levels of violations.
j i
Revisions to the NRC Enforcement Policy
'Given the variety of discrepancies from.the FSARs that have been
- recently found, additional guidance has been developed to address severity
. levels to categorize violations of 10 CFR 50.59 and 50.71(e) and reporti m i
requirements, application of the corrective action factor in Section VI.B.2.c.
of the Enforcement Policy.. use of Section VII.B.3 of the Enforcement Policy, Enforcement Discretion for. Violations Involving Old Design Issues, and applying enforcement discretion to increase sanctions in'this area under Section VII.A.2 of the Enforcement Policy.
L l
l,
,+r r vwt w.,
c---p r=
y y.-a g
- a r,
s----,--
- -7 girvy---
- Y-'"v+=.-P-vtr' 9
' Multiple Addressees In developing this guidance, the Commission considered the following two
-principles: (1) the importance of licensees performing appropriate evaluations to ensure that _there are not unreviewed safety questions or conflicts with technical specifications, and (2) the importance of maintaining and controlling changes to the FSAR so that both the licensee and the NRC understand the regulatory envelope that has been established for the facility.
The changes to the Enforcement Policy described below should make it clear to licensees that the Commission believes that failures in either area can be significant and can justify substantial regulatory action.
The Commission recognizes that not every unreviewed safety question is a
'significant safety issue.
However, until the question is reviewed and understood, there is an uncertainty in the basis for the Commission's safety decision in licensing the plant.
Therefore, the failure to follow the regulatory process established by 10 CFR 50.59 regardless of the actual safety significance of the change, when there is an unreviewed safety question 1
or a conflict with a technical specification, is a significant regulatory l
concern.
Licensees must ensure that they are in conformance with the FSAR as it was a key element for the basis for the Commission's decision in licensing the plant and continues to be an important consideration in current licensing I
actions.
The enforcement process is a tool that the Commission intends to use j i L
1
l l
' Multiple Addressees to emphasi.ze the importance of achieving this conformance and deter violations from continuing in this area.
1.
Severity Levels The definitions and examples of severity levels in the current Enforcement Policy provide sufficient guidance to cover most potential violations. Additional guidance is needed to address violations of 10 CFR l
50.59 and 50.71(e) which are the requirements that likely will most often be 1
used to address departures from the FSAR.
Currently, two specific examples 1
are provided to categorize violations of 10 CFR 50.59 in Supplement I. Reactor Operations and no examples specifically address violations of 10 CFR 50.71(e).
The first example. I.C.S. provides that a Severity Level III violation would involve:
A significant failure to meet the requirements of 10 CFR 50.59, including a failure such that a required license amendment was not sought.
This example includes changes involving unreviewed safety questions and conflicts with technical specifications.
It also includes situations not involving an unreviewed safety question where the licensee would need to perform a detailed evaluation before it would have had a reasonable expectation that an unreviewed safety question was not involved without the L
Multi'le Addressees p
performance of a detailed evaluation.
This is significant because of the importance of licensees using the required process for maintaining and operating the' facilities in accordance with the design and procedures described in the FSAR when there is uncertainty as to whether an unreviewed safety question is present. An after-the-fact evaluation that demonstrates that an unreviewed safety question was not involved would, in general, not mitigate the regulatory significance of failing to perform an appropriate evaluation prior to implementation of the change.
The second example, I.D.2. provides that a Severity Level IV violation would be a failure to meet the requirements of 10 CFR 50.59 that does not result in a Severity Level I, 11. or III violation.
Revised Examples of Severity Levels Consistent with the above two principles, tie changes to the Enforcement Policy provide additional examples to categorira severity levels for violations associated with failures to meet the FSAR. The current two examples described above are deleted and the following ten examples are being added to the policy:
1
' Multiple Addressees Severity Level II One example-of 'a Severity Level II problem (the term " problem" is used
)
here-since more than one violation is involved) is proposed.
Example I.B.42 addresses inspection findings involving a number of failures to meet 10 CFR 50.59 including several unreviewed safety questions, and/or conflicts with a technical specification. involving a broad spectrum of problems affecting i
multiple areas, some of which impact the operability of required equipment.
This situation is a very significant concern, the definition of a Severity Level II problem, because of the breadth of the process failures and the impact on equipment. operability as well as the licensing envelope.
As to Severity Level II violations or problems, the Enforcement Policy provides that the base civil penalty for a Severity Level II violation or problem is $88.000.
However,Section VII.A.1.a of the Policy provides that discretion should be considered for Severity Level II cases.
In assessing civil penalties for cases meeting the above example. discretion will be
. considered, consistent with the Policy, based on the number and nature of the violations and the breadth of the problem that warranted the Severity Level II categorization in determining whether civil penalties substantially in excess 1
The examples are numbered in accordance with the numbering used in the changes to the Enforcement Policy. '
l
' Multiple Addressees i
of the base amount are warranted. This will include consideration of assessing separate civil penalties for each violation-that is aggregated into l
the Severity Level II problem.
Severity Level III Four examples of Severity Level III violations are added that demonstrate a significant regulatory concern, the definition of a Severity Level III violation:
Example I.C.10 involves an unreviewed safety question, and/or conflict with a technical specification.
Example I.C.11. addresses the failure to perform the required evaluation under section 50.59 prior to implementation of the change in those situations in which an extensive evaluation would be needed before a licensee would have had a reasonable expectation that an unreviewed safety question did not exist.
The fact that a post-implementation 1
evaluation demonstrated that no unreviewed safety question existed would not mitigate the regulatory significance of the failure to perform the required evaluation prior to implementation of the change. These two examples encompass the prior example I.C.S.
Example I.C.11 is set out as a separate example to give clearer notice.
Example I.C.12 addresses programmatic failures (i.e., multiple or recurring failures) to meet the requirements of 10 CFR 50.59 and/or 50.71(e) l l
i _.
~.
1 l
~
Multiple Addressee's l
which show a significant lack of attention to detail resulting in a current safety or regulatory concern about the accuracy of the FSAR or a concern that 10 CFR 50.59 requirements are not being met.
This example addresses a current programmatic failure or past programmatic failure of current concern to meet.
10 CFR 50.59 or 50.71(e). Application of this example requires weighing factors such as: a) the. time period over which the violations occurred and existed. b) the number of failures, c) whether one or more systems, functions, or pieces of equipment were involved and the importance of such equipment, functions, or systems, and d) the potential significance of the failures Example I.C.13. addresses the failure to update the FSAR as required by 10 CFR 50.71(e) where the failure to update the FSAR resulted in an inadequate decision that demonstrates a significant regulatory concern.
This example addresses a significant failure associated with 10 CFR 50.71(e) where the l
violation adversely impacted other decisions such as whether or not a license amendment is needed or whether or not an NRC licensing action should be taken.
An example of such a violation would be the failure to update the FSAR to delete a reference to equipment that had been properly. removed from the l
facility. As a result an inadequate decision was made that an unreviewed safety question was not present for a subsequent change to the facility based on the presumed presence of equipment that the FSAR erroneously indicated was
- i 4
1
?
Multiple Addressees
)
i still present in the plant.
' Severity ' Level IV l
,Four examples of Severity Level IV violations are added that demonstrate q
~
violations of more than minor concern which left uncorrected, could become a more significant concern, the. definition of a Severity Level IV violation.
2 Example I.D.5 addresses relatively isolated violations of 10 CFR 50.59 not involving severity 'evel II or III violations.that do not suggest a programmatic failure to meet 10 CFR 50.59.
Example I.D.6 addresses a relatively isolated failure to document an evaluation where there is evidence that an adequate evaluation was performed prior to the change in the facility or procedures, or the conduct of an experiment or test.
Example I.D.7 addresses a failure to update the FSAR as required by 10 CFR 50.71(e) where an l
adequate evaluation under 10 CFR 50.59 had been performed and documented.
l These three examples are, by their nature, less significant than a Severity l
Level III violation.
l l
l
(.
Relatively isolated violations or failures would include a number of 2
.recently discovered violations that occurred over a period of years and are not indicative of a programmatic safety concern with meeting the requirements of 10 CFR 50.59 or 50.71(e).
JMultiple Addressees l
Example I.D.8 addresses a past programmatic failure to meet 10 CFR 50.59 and/or 10 CFR 50.71(e) requirements not involving Severity Level II or III violations that does not reflect a current safety or regulatory concern about the accuracy of the FSAR or a current concern that 10 CFR 50.59 requirements a're not being met. This example is similar to example I.C.12.
However, it is less significant because it does not involve a current performance issue nor does it have a current impact. This would address past programmatic issues wher-e both the cause-and the impacts have been corrected.
The determination of whether a violation or grouping of violations should be considered a severity level III or IV matter will require exercise of. judgement to determine if the failures are sufficiently broad and programmatic to warrant a finding of significant regulatory concern.
To maintain consistency and fairness, the regions will coordinate with the Office of Enforcement on severity level IV cases where there is a potential to categorize the violations at a severity level III.
i i
l
' Multiple Addressees Minor Violations l
An' example is added to address minor violations which are not subject to formal enforcement action under the Enforcement Policy and are not normally addressed in inspection reports.
Example I.E addresses a failure to meet 10 CFR 50.59 requirements that involves a change to the FSAR description or procedure, or involves a test or experiment not described in the FSAR, where i
there was not a reasonable likelihood that the change to the facility or procedure or the conduct of the test or experiment would ever be an unreviewed safety question. The example also addresses a failure to meet a 10 CFR 50.71(e) violation, where a failure to update the FSAR would not have a 4
material impact on safety or licensed activities.
This example is provided because 10 CFR 50.59 covers the complete FSAR.
However, there are some descriptions in the FSAR of the facility or procedures that have very little or no relevance to safety and are of little or no regulatory concern.
Nevertheless, by the specific terms of the regulation, changes to the facility as described in the FSAR must be evaluated.
Violations in these areas are by definition minor and if included in an inspection report would be non-cited pursuant to section IV of the Enforcement Policy such as a change to the location of sanitary sewer lines (in contrast to natural gas pipelines) in owner controlled areas.
The focus of this l
i i
I L
Multiple Addressees
~
example is on plant equipment, procedures, tests, or experiments described in l
.l l'
the FSAR that would not reasonably have any impact on safety regardless of the change.
If the change involves equipment, procedures and tests that have some safety purpose the violation should normally be considered to be of more than a minor concern.
2.
Corrective Action j
ror
'ive action is a key element in considering the appropriate sanction.
w discussion of corrective action in Section VI.B.2.c. of the Enforcement Policy has been expanded to provide that in response-to violations-of 10 CFR 50.59', corrective action should normally be considered prompt and comprehensive only if the licensee (1) makes a prompt decision on operability, and either (2) makes a prompt evaluation under 10 CFR 50.59 t' the licensee intends to maintain the facility or procedure in the as found condition, or (3) promptly initiates corrective action consistent with Criterion XVI of 10 CFR 50, Appendix B if it intends to restore the facility or procedure to the FSAR description.
It is important for licensees to recognize the need'for l
these actions because until such actions are taken the violation continues unabated.
3.
Reporting l
l
~
' Multiple Addressees I
Section IV.D. of the Enforcement Policy provides that unless otherwise categorized in the Supplements the severity level of a violation involving the failure to make a required report to the NRC will be based upon the significance of and the circumstances surrounding the matter that should be reported.
The Policy has been clarified to make it clear that failure to make a required report under 10 CFR 50.72 cnd 50.73, if the matter not reported involves (1) an unreviewed safety question (ii) a conflict with a technical specification or (iii) any Severity Level III violation. is -a significant regulatory concern..The NRC needs such information concerning significant issues to carry out its regulatory responsibilities.
4.
Old Design Issues
]
Section VII.B.3, Violations 1 wolving Old Design Issues of the Enforcement Policy addresses enforcement discretion for old design issues and may be applicable to some 10 CFR 50.59 violations to the extent that voluntary
. action by a licensee identifies a cast problem. such as in engineering, design, or installation.
This discretion addresses violations that would not i
.likely be identified by routine licensee efforts such as normal surveillance or quality assurance activities.
Identification of past violations through 4
required efforts would be treated using the normal policy.
j~
This provision was originally adopted to encourage voluntary initiatives I
j L
' Multiple Addressees I
l to establish design reconstitution programs such as licensee initiated safety systems functional inspections to identify and correct past design' errors.
This section places a premium on licensees identifying issues before degraded equipment is called upon to work.
Similarly, application of this provision in the policy to past FSAR issues could encourage licensees to establish 1
programs with goals to ensure full compliance with the FSAR licensing basis
]
l and determine if there are unknown unreviewed safety questions that have not been identified and addressed.
To justify the exercise of Section VII.B.3 discretion, licensees must take comprehensive corrective action. The policy provides that licensees should expand their reviews, as necessary, to identify other failures from similar root causes.
Thus, in applying this discretion.
as with any significant violation associated with 10 CFR 50.59 and 50.71(e),
the licensee should be taking broad corrective action to ensure that the licensee is meeting its licensing' basis.
The corrective action should have a defined scope and schedule.
The Commission-intends to utilize Section VII.B.3 of the Enforcement Policy to provide incentives to encourage licensees to identify and correct violations which are not normally identified through current surveillance and quality assurance activities.
Enforcement action would normally at be taken l
against a licensee if the licensee identifies violations up to and including
. l
[
l
' Multiple Addressees i
-Severity' Level II associated with the FSAR by a voluntary initiative l
(including either a formal program or informal effort where issues are identified through a questioning attitude of an employee), provided the licensee takes comprehensive corrective action and appropriately expands-the scope of the voluntary initiative to identify other failures with similar root I
causes.
If this enforcement discretion is utilizeo, the licensee's' voluntary initiative must be described in writing and be publicly available. The staff will reference and summarize the licensee's voluntary initiative, including
-the scope and schedule for corrective action, in an inspection report and will follow the licensee's corrective action until complete as an inspection report open item.
Section VII.B.3 discretion would not normally be applied to departures from the FSAR if:
l a)
The NRC identifies the violation unless it was likely in the i
staff's view that the licensee would have identified the violation in light of l
the defined scope, thoroughness, and schedule of the licensee's initiative 1
l (provided the schedule provides for completion of the licensee's initiative l
within two years of this policy change):
t l
b)
The licensee identifies the violation as a result of an event or i
surveillance or other required testing where required corrective action l
j
' Multiple Addressees identifies the FSAR issue:
'I c)
-The-licensee identifies the violation but had prior opportunities to ao_so (was aware of the departure from the FSAR) and failed to correct it earlier:
d)
There is willfulness associated with the violation:
e)
The licensee fails to make a report required by the identification of the departure from the FSAR: or f)
The licensee either fails to take comprehensive corrective action i
or fails to appropriately expand the corrective action program. The corrective action should be broad with a defined scope and schedule.
Applying this discretion should further the objectives of the Enforcement Policy to encourage identification and correction of violations as well as provide deterrence for future violatio_ns.
The Commission recognizes the importance to provide licensees with incentives to embark on voluntary initiatives to identify and corr _ect FSAR discrepancies.
However. licensees should be designing and implementing their programs with goals to have these discrepancies identified in the near term.
Therefore, it is not appropriate to continue indefinitely the granting of enforcement discretion in cases where the NRC identifies the violations. As provided above in i_ tem a. for NRC identified violations use of Section VII.B.3
..a I
g Multiple Addressees enforcement discretion for FSAR discrepancies will consider the schedule for
[
lthe licensee's voluntary initiative.and when NRC identified the violation.
[
The two year period will provide a' reasonable time period and incentive.for licensees to plan and conduct appropriate reviews to ensure that their r
facilities meet the descriptions in the FSAR and take necessary corrective P:
- l Laction.
The staff will continue'to document in inspection reports the 3
~
results of its inspections against the FSAR and other than the exception noted in item a above, will. continue enforcement for. NRC-identified violations.
Following this two year period, if a Severity Level II ($88.000) or III b
($55.000) violation 1s identified, the Commission intends to use its 2
discretion.to increase the fine'and 'could assess civil penalties for each.
}
violation or problem of $110.000 which may be further escalated after
}
considering the number and nature.of the violations, the severity of the I.
violations,'whether the violations were continuing and who identified the l
violations (and if the licensee identified'the violation, whether exercise of j-
-Section VII.B.3 enforcement discretion is warranted), rather than the normal i
E
. assessment-factors.
This approach is intended to increase the incentive for licensees-to take timely action:to ensure that their facilities match the FSAR.
For er_mple, if a single Severity Level III violation is identified by the NRC and.it lasted for more than one day, a civil penalty of $220.000 could -.
' Multiple Addressees be assessed.
If the licensee identified the same violation and application of enforcement discretion under Section VII.B.3 was not warranted, a civil penalty.of $110,000 ($55,000 X 2 days) could be assessed for the example cited above which will provide some recognition of the licensee's efforts.
Sec' tion VII.A.1 of the Enforcement Policy is being amended consistent with this i
approach.
In summary, to encourage licensees promptly to undertake voluntary initiatives to identify and correct FSAR noncompliances, the NRC is modifying Section VII.B.3 of the Enforcement Policy to provide for:
(1) the exercise of discretion to refrain from issuing civil penalties and, in some instances, citations for a two year period where a licensee undertakes voluntary initiative to identify and correct FSAR noncompliances that will be compieted within that two year period, and
.(2) the exercise of discretion to escalate the amount of the civil penalties for FSAR/50.59 noncompliances identified by the NRC subsequent to the two year voluntary initiative period.
Amounts of Penalties The amounts of penalties reflected in this Notice and the accompanying Policy Statement are based on the current Policy Statement that was revised on October 4, 1996 and published in the Federal Reaister on t
l Multiple Addressees (61 FR
).
The revised penalty amounts apply to violations occurring or l
continuing after [30 days after publication of the previous Fed Reg Notice].
l l
'Otherwise the amounts in the Policy Statement at the time of the violation will be'used in assessing any civil penalty.
Paperwork Statement-This policy statement does not contain a new or amended information collection requirement subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.-).
Existing requirements were approved by the Office of Management and Budget, approval number 3150-0136.
The approved information collection requirements contained in this policy statement appear in Section i
VII.C.
Public Protection Notification The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.
Small Business Regulatory Enforcement Fairness Act In accordance with the Small Business Regulatory Enforcement Fairness Act of 1996, the NRC has determined that this action is not a major rule and i
has verified this determination with the Office of Information and Regulatory l
Affairs of OMB. l
l l
l
' Multiple Addressees i
Accordingly, the NRC Enforcement Policy is amended as follows:
GENERAL STATEMENT OF POLICY AND PROCEDURE FOR NRC ENFORCEMENT ACTIONS l
1.
In Section VI., add the following language at the end of paragraph B.2.c.
VI.
Enforcement Actions B.
Civil Penalty.
2.
Civil Penalty assessment.
c.
Credit for prompt and comprehensive corrective action
- In response to violations of 10 CFR 50.59, corrective action should normally be considered prompt and comprehensive only if the licensee (i) Makes a prompt decision on operability: and either (ii) Makes a prompt evaluation under 10 CFR 50.59 if the licensee intends to maintain the facility or procedure in the as found condition: or (iil} Promptly initiates corrective action consistent with Criterion XVI i
of 10 CFR 50. Appendix B if it intends to restore the facility or procedure to the FSAR description.
2.
In Section VII., add the following language as paragraph h. at the end of paragraph A.1.g.:
l
_._m 1
fMult'iple Addressees R
VII Exercise of Discretion-A.
Escalation of Enforcement Sanctions.*
h.
Severity Level'II or III violations associated with' departures from the Final ' Safety Analysis' Report identified after two years from [date of-
.{
this Federal Reaister Notice].
Such a violation or problem would consider the j
l number and nature of the violations,~ the severity of the violations, whether.
I the violations'were continuing, and who identified the violations (and if the licensee identified the-violation, whether exercise of Section VII B.3
. enforcement discretion is warranted),
3.
In Section,VII. add at the end of paragraph B.3:
i B.
Mitigation of Enforcement Sanctions.L*
~
3-Violations Involving Old Design Issues. *
- )
i
]
l Section VII.3.3 discretion would not normally be~ applied to departures l
from the FSAR if:
F
. a)
The NRC identifies the violation unless it was likely in the staff's view that the licensee would have identified the. violation in light of
'the defined scope, thoroughness, and schedule of the licensee's initiative i
L (provided the schedule provides for completion of the licensee's initiative.
- 27 i
l t
l-l
" Multiple Addressees within two years after [date of this Federal Reaister Notice];
b)
The licensee identifies the violation as a result of an event or surveillance or other required testing where required corrective action identifies' the FSAR issue:
c)
The licensee identifies the violation but had prior opportunities to do so (was aware of the departure from the FSAR) and failed to correct it earlier:
d)
There is willfulness associated with the violation';
e)
The licensee fails to make a report required by the identification of the departure from the FSAR: or f)-
The licensee either fails to take comprehensive corrective action or fails to appropriately expand the corrective action program. The corrective action should be broad with a defined scope and schedule.
4.
In Supplement I, paragraphs C(5) and D(2); are removed and paragraphs B(4), C(10), C(11). C(12). C(13). C(14). D(5), D(6), D(7), D(8) and E are added to read as follows:
Supplement I - Reactor Operations B.
Severity Level II - Violations' involving for example:
4.
Failures to meet 10 CFR 50.59 including several unreviewed safety l
l
' Multiple Addressees I
questions, or conflicts with technical specifications, involving a broad spectrum of problems affecting multiple areas, some of which impact the l'
operability of required equipment.
C.
Severity Level'III - Violations involving for example:
l 5.
[ Reserved]
10.
The failure to meet 10 CFR 50.59 where an unreviewed safety question is involved, or a conflict with a technical specification. such that a license amendment is required:
I 11.
The' failure to perform the required evaluation under 10 CFR 50.59 i
prior to implementation of the change in those situations in which no unreviewed safety question existed, but an extensive evaluat' ion would be needed before a licensee would have had a reasonable expectation that an unreviewed safety question did not exist:
12.
Programmatic failures (i.e., multiple or recurring failures) to meet the requirements of 10 CFR 50.59 and/or 50.71(e) that show a significant
- lack of attention to detail, whether or not such failures involve an i
unreviewed safety question, resulting in a current safety or regulatory l
concern about the accuracy of the FSAR or a concern that 10 CFR 50.59 i
t g
l l
e
' Multiple Addressees requirements are not being met. Application of this example requires weighing l
factors such as: a) the time period over which the violations occurred and existed, b)-the number of failures, c) whether one or more systems, functions, or pieces of equipment were involved and the importance of such equipment, functions., or systems, and d) the potential significance of the failures:
i 13.
The failure to update the FSAR as required by 10 CFR 50.71(e) where the unupdated FSAR was used in performing a 10 CFR 50.59 evaluation and as a result, an inadequate decision was made demonstrating a significant i
regulatory concern: or 14.
The failure to make a report required by 10 CFR 50.72 or 50.73 associated with (a) an unreviewed safety question, (b) a conflict with a technical specification. or (c) any other Severity I.evel III violation.
D.
Severity Level IV'- Violations involving for example:
2.
[ Reserved]
5.
Relatively isolated violations of 10 CFR 50.59 not involving severity level II or III violations that do not suggest a programmatic failure to meet 10 CFR 50.59.
Relatively isolated violations or failures would I
include a number of recently discovered violations that occurred over a period l
' Multiple Addressees of years and are not indicative of a programmatic safety concern with meeting 10 CFR 50.59 or 50 71(e):
6.
A relatively isolated failure to document an evaluation where there is evidence that an adequate evaluation was performed prior to the change in the facility or procedures, or the conduct of an experiment or test;
'7.
A failure to update the FSAR as required by 10 CFR 50.71(e) where an adequate evaluation under 10 CFR 50.59 had been performed and documente'd:
or 8.
A past programmatic failure to meet 10 CFR 50.59 and/or 10 CFR 50.71(e) requirements not involving Severity Level II or III violations that does not reflect a current safaty or regulatory concern about the accuracy of the FSAR or a concern that 10 CFR 50.59 requirements are not being met.
E. Minor Violations A failure'to meet 10 CFR 50.59 requirements that involves a change to the FSAR descripticn or procedure, or involves a test or experiment not described in the FSAR, where there was not a reasonable likelihood that the change to the facility or proce;ure or the conduct of the test or experiment would ever be an unreviewed safety question. In the case of a 10 CFR 50,71(e) j violation, where a failure to update the FSAR would not have a material impact i
on safety or licensed activities.
The focus of the minor violation is not on 4 !
l
i
' Multiple Addressees i
the actual change, test, or experiment, but on the potential safety role of i
the system, equipment. etc that is being changed, tested, or experimented on.
Dated at Rockville. MD this day of
. 1996.
FOR THE NUCLEAR REGULATORY COMMISSION John C. Hoyle.
Secretary of the Commission.
~
. \\
g
..