ML20210E664
| ML20210E664 | |
| Person / Time | |
|---|---|
| Site: | Diablo Canyon  |
| Issue date: | 12/19/1984 |
| From: | NRC |
| To: | |
| Shared Package | |
| ML17083B484 | List:
|
| References | |
| FOIA-86-197 NUDOCS 8609250067 | |
| Download: ML20210E664 (11) | |
Text
-
O $
5 S
_ g e
50-323 ENCLOSURE 2 SAFEGUARDS SAFETY EVALUATION REPORT DIABLO CANYON NUCLEAR POWER STATION UNIT 2 t
I 8609250067 860905 PDR FOIA PDR HOLMES86-197
1.0 Introduction The Pacific Gas and Electric Company filed with the Nuclear Regulatory Commissio, for the Diablo Ca7yo, Nuclear Power Station physical security, safeguards conti7gency, and guard trai71,g a7d qualification pla,s.
This Safety Evaluation Report (SER) summarizes how the licensee has provided for meeting the requirements of 10 CFR Part 73. The SER is composed of a basic analysis that is available for public review, and a protected Appendix.
2.0 Physical Security Organization To satisfy the requirements of 10 CFR 73.55(b) the Pacific Gas and Electric Compa7y has provided a physical security orga7izatio7 that includes a Shift Security Supervisor who is onsite at all times with the authority to direct the physical protectio 7 activities. To implement the commitments made in the physical security pla7, traiqing and qualification plaq, and the safeguards contingency plan, writte7 security procedures specifyi7g the duties of the security organization
( members have bee 7 developed and are available for inspection.
I
_c, .. . . _ . ._ - _ - .
'N t , . ,
. , J< +
s
, . T i, , ,
The traini,g program a,d critica'l security tasks a,d odties for the security organizatio, perso77el are defi1dd.i7 the 1
"Diablo Canyon Nuclear Power Stati'o, Trai,17g and Qualification Pla7" which meets the requireme7ts of 10 CFR'Part 73, Appe7 dix B for the trai711g, equipping a7d qualificatio7 of the security orga71rati,o1 members. The physical security pla7 a7d the trai717g program provide comm'itments that' preclude
^
the assig7 ment of a7y individual to a security related duty or task prior to the 17dividual bei7g trai7ed, equipped and qualified to perform the assigned duty 17 accorda7ce with the approved guard trai117g a7d qualification pla7.
3.0 Physical Barriers 17 meeti1g the requireme7ts of 10 CFR 73.55(c) the applicant has provided a protected area barrier which meets the definitio1 17 10 C FR 73.2 (f) (1) . A 20 foot wide: isolation zo7e, to permit observatio7 of activities at the' perimeter, is provided (except for the locations listed in the' Appendix) alo79 both sides of barrier.
l The staff has reviewed those locations a7d determi7ed that the security measures 11 place are satisfactory a7d co7ti7ue i
to meet the requirements of 10 CFR 73.55(c).
' Illuminatio, of 0.2 foot-candles is mai', tai 7ed for the isolatio, zo,es, protected area barri6rs, a,d external -
[ portions of the protected area. ,
% 't E 9
h 6
E E _
~
i
. s S 4
\ f %
v.
4.0 Identification of Vital Areas The Appendix contains a discussion of the applicant's vital area program and identifies those arees a,d items of equipment
~
determined to be vital for protectio, purposes. Vital equipment is located withi, vital areas which are located within the protected area and which require passage through at least two barriers, as defi,ed in 10 CFR 73.2(f)(1) and (2), to gai, access to the vital equipment (except as noted in the Appendix).
Vital area barriers are separated from the protected area barrier.
The control room and central alarm station are provided with bullet-resistant walls, doors, ceilings, floors, and windows.
Based o, these fi, dings and the analysis set forth in paragr'aph C of the Appendix, the staff has concluded that the applicant's program for ide7tificatio7 and protectio 1 of vital equipment satisfies the regulatory intent. However, this program is subject to onsite validation by the staff i, the future, and to subsequent changes if found to be necessary.
5.0 Access Requirements I,.accordance with 10 CFR 73.55(d) a ll points of perso,7el a,d vehicle access to the protected area are controlled. The individual responsible for controlling the fi7al point of access into the protected area is located in a bullet-resistant structure. As part of the access co, tral program, vehicles i (except under emerge,cy co,ditions), personnel, packages, and
! naterials entering the protected area are searched for l
l
explosives, firearms a7d i,c.adiary devices by electronic search equipment and/or physical search.
Vehicles admitted to the protected area, except licensee designated vehicles, are controlled by escorts whe, in operation. Licensee designated vehicles are limited to on-site station functio 7s and remain 17 the protected area except for operatio7al mai7te7a7ce, repair, security and emergency purposes. Positive control over the vehicles is maintai7ed by personnel authorized to use the vehicles or by the escort p e'r s o n n e l . A picture badge / key card system, utilizi7g e7 coded information, identifies 17dividuals that are authorized u7 escorted access to protected and vital areas, and is used to control access to these areas. Individuals ,ot authorized unescorted access are issued no7 picture badges that indicate a, escort is required. Access authorizations are limited to those individuals who have a need for access to perform their duties.
U7 occupied vital areas are locked and alarmed. During periods of refueli7g or major maintena,ce, access to the reactor containme7t is positively controlled by a member of the security organization to assure that o7Ly authorized i,dividuals and materials are permitted to enter. I, additio,,
all doors and personnel / equipment batches into the reactor containment are locked a7d alarmed. Keys, locks,
r-combinations and related equipment are cha7ged on an a77ual basis. In addition, when a7 individual's access authorization has been terminated due to the lack of reliability or trustworthi7ess, or for poor work performa7ce, the keys, locks, combinations and related equipme,t to which that perso, had access are changed.
6.0 Detectio1 Aids I, satisfying the requirements of 10 CFR 73.55(e) the applicant has installed 17trusio, detectio, systems at the protected area barrier, at e7tra7ces to vital areas, and at all emergency exits. Alarms from the 17trusio, detection system a77unciate withi7 the co7tinuously ma77ed ce7 tral alarm statio7 and a seco7dary alarm statio, located within the protected area. The central alarm statio, is located such that the interior of the statio7 is not visible from outside the perimeter of the protected area. I, addition, the central alarm station is constructed so that walls, floors, ceilings, doors, a7d windvws are bullet-resistant.
The alarm statio,s are located and desig,ed 17 such a manner so a single act ca7,ot interdict the capability of calling l
j for assistance or responding to alarms. The central alarm i
( statio, co7tains no other functions or duties that would interfere with its alarm respo,se function. The i,trusic, detection system transmissio, lines and associated alarm l
[
i l
l l
_ . _ m- - - _ . . _ . . _ _ . . _ . - _ _ _ _ _ _ . - _ , , . _ . _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I a7,u,ciation hardware are self-checking a7d tamper-indicating.
Alarm a77u7ciators 17dicate the type of alarm and its location whe,~ activated. A7 automatic indicatio7 of whe7 the alarm system is o7 sta7dby power is provided 17 the ce7 tral alarm statio7.
7.0 Communications ,
As required in 10 CFR 73.55(f) the applicant has provided for the capability of co7tiquous communicatio7s betwee7 the central and seco7dary alarm statio7 operators, guards, watchmen, and armed respo,se perso77el through the use of a conventional telepho7e system, and a security radio system. 17 additio7, direct communicatio1 with the local law enforceme7t authorities is maintained through.the use of a co7ventio7al telephone
~
system and two-way VHF radio links. All 7o7 portable commu1ica.tio1 Li7ks, except the co7ventio7al telepho7e system, are provided with a7 u7i7terruptable emerge 7cy power source.
8.0 Test a 7 d li a i,7 m e 7 a 7 c e Requireme7ts 17 meeting the requirements of 10 CFR 73.55(g) the applicant has established a program for the testing a,d maintenance of all i7 trusion alarms, emergency alarms, communication equipme7t, physical barriers and other security related devices and equipment. Equipment or devices that do not meet the desig, nerformance criteria or have failed to otherwise operate will be compensated for by appropriate compe7satory measures as defined in the "Diablo Canyon Nuclear Power Station Physical Security Pla," and in site procedures. The compensatory
~
7-measures defined i7 these plans will assure that the effectiveness of the security system is not reduced by failures or other co7ti,ge7cies affecting the operation of the security
. related equipme7t or structures. 17trusio7 detectio7 systems are tested for proper performance at the begi,71,9 a7d end of a7y period that they are used for security. Such testing will be conducted at least o7ce every seve7 days.
Commu71 cation systems,Ior o7 site commu71catio7s are tested at the begi7,i7g of each security shift. Offsite communications are tested at least o7ce each day.
Audits of the security program are co7 ducted o,ce every 12 mo7ths by perso77el i7depe7 dent of site security ma,agement a,d supervisio,. The audits, focusing o7 the effectiveness of the physical protectio 7 provided by the onsite security organization impleme7 ting the approved security program plans, include, but are 1ot limited to: a review of the security procedures a7d practices; system testing a7d mai7te7a7ce programs; and local law e7forceme7t assistance agreeme7ts. A report is prepared documenti7g audit findi7gs and recomme7 datio 7s and is submitted to the plant maqagement.
9.0 Response Recuirements In meeting the requirements of 10 CFR 73.55(h) the applicant provided #:r arned re ponders immediately available for response duties o7 all shifts consistent with the requirements cf the regulations. Co,siderations used in support of this
qumber are attached (see Appe7 dix). 17 addition, liaiso7 with local law enforcement authorities to provide additio,al respo7se support 17 the event of security eve 7ts has been established a7d documented.
The applica.,t's safeguards conti7ge7cy plan for deali7g with thefts, threats and radiological sabotage events satisfies the requireme7ts of 10 C FR Part 73, Appendix C. The plan ide7tifies appropriate security eve 7ts which could i7itiate a radiological sabotage event and identifies the applica7t's prepla77179, response resources, safeguards conti7gency.
participa7ts a7d coordinatio7 activities for each identified event. Through this plan, upo7 the detection of ab7ormal prese7ce or activities withi7 the protected or vital areas, response activities usi7s the available resources would be
~
initiated. The response activities and objectives include the neutralizatio7 of the existing threat by requiring the respo7se force members to 17terpose themselves between the adversary a,d their objective, instructions to use force commensurate with that used by the adversary, a7d authority to request sufficient assista7ce from the local law enforcement authorities to mai7 tail control over the situatio7.
To assist i, the assessment / response activities a closed circuit television system, providi,g the capability to observe the entire protected area perimeter, isolatio, l
~ ' *a - , _
.,- _g_
zo7es a7d a majority of the protected area, is provided to the security organizatio7.
10.0 Employee Screening Program In meeting the requirements of 10 CFR 73.55(a) to protect against the desig7 basis threat as stated in 10 CFR 73.1 (a ) (1 ) (i i), the Pacific Gas and Electric Compa7y has provided a7 employee scree 7i7g program. Perso77el who successfully complete the employee screeni7g program or its equivale7t may be gra7ted u7 escorted access to protected a7d vital areas at the Diablo Canyo, site. All other personnel requiring access to the site are escorted by persons authorized and trained for escort duties and who have successfully completed the employee scree 7ing program. The employee screeqing program is. based upo1 accepted industry standards and i7cludes a background investigatio,, a psychological evaluation, and a co7tiqui7g observation program. 17 additio7, the applica7t may recognize the screening program of other nuclear utilities or contractors based upo, a comparability review conducted by the Pacific Gas a7d Electric Company. The pla7 also provides for a "gra,dfather clause" exclusion which allows recognition of a certai7 period of trustworthy service with the utility or co7 tractor, as being equivale7t to the overall employee scree 7179 progran. The staff has reviewed the applicant's screening program against the accepted i7dustry standards (Ai4SI i13.17 1973) a7d has determi7ed that the program is 3cceptable.
- ENCLUSURE 3
- SALP INPUT EVALUATION DIABLO CANYON SAFEGUARDS REVIEW Criteria .
' Category
- 1. Management Involvement and Control in Assuring Quality 1 The applicant has provided consistent evidence of prior
- planning and assignment of priorities. Decision making is consistently at a level that ensures adequate management review.
- 2. 'Aoproach to Resolution of Technical Issues from a Safety 1 Standpoint
~
The applicant.has provided technically soun'd, timely, and thorough approaches in almost all cases.
- 3. Resoonsiveness to NRC Initiatives 1 The applicant provides timely, acceptable resolutions of issues
- 4. Enforcement History N/A
- 5. Reporting of Reportable Events N/A
- 6. Staffing (Including Management) '
1 i
Positions are identified, authorities and responsibilities are well defined.
- 7. Trainino and Qualification Effectiveness 1 The safeguards training and qualification plan and pro-cedures contribute to a well defined security program.
I
d . b N 1 O h(. A
.' 8.y M E % q %' UNITED STATES f
3 y..(jf );
e
[" NUCLEAR REGULATORY COMMISSION Mckd Q~N4 g WASH!NGTc N. D. C. 20555
%Q .i ,/ -
g p\ cay O %5 JAtt 2 8 13c6 I MEMORANDUM FOR: RSB Members .-Q N & %W
)
' FROM: Brian W. Sheron, Chief Reactor Systems Branch, DSI p;. L (.$ b
SUBJECT:
AUTO CLOSURE INTERLOCKS FOR PWR RESIDUAL HEAT REMOVAL (RhR) SYSTEMS - LX " 3 The purpose of this memo is.to bring all RSB members up to date on recent 46 MU decisions and issues regarding PWR RHR systems open permissive interlocks (OPI) and auto closure interlocks (ACI), and to set forth some preliminary guidelines for evaluating proposed changes.
Background ~
The Standard Review Plan Chapter for PWR RHR systems, SRP 5.4.7, contains Branch Technical Position RSB 5-1 that sets forth acceptable means of providing RHR system isolation. In particular, paragraphs B.1.b and B.1.c state, for the suction side isolation valves (i.e., valves between the RCS and the RHR pump suction):
"The valves shall have independent diverse interlocks to prevent the valves from being opened unless the RCS pressure is below the RHR system desigr) pressure. Failure of a power supply shall not cause any valve to change position."
"The valves 'shall have independent diverse interlocks to protect against one or both valves being open during an RCS'. increase above the design pressure of the RHR system."
The positions have traditionally been met for plants under review or licensed since RSB BTP 5-1 became' effective in 1978 by a set of circuits that prohibit suction valve opening until RCS pressure is below the RHR design pressure and initiate automatic suction valve closure when RCS pressure rises above the RHR design pressure. The suction isolation valves are never commanded to automatically open.*
CONTACT: W. Jensen, RSB -
X29406
^
Only the RHR suction valves to the RWST or to the containment sump must function during the injection (automatically) and recirculation (manually or automatically) phases of a design basis accident.
Q O L ObOb b 1 '
M N 2 8 13o3 RSB Members 1
! The purposes of the OPI and ACI are basically the same--to prevent a LOCA outside containment.(event V per WASH-1400). The OPI is intended to ensure that while the RCS is at full pressure, the RHR suction valves cannot be opened. Although safety relief valves are located on the suction piping, these valves would not be capable of preventing the RHR' system from being pressurized beyond its design pressure if the system were suddenly subjected to full RCS pressure."
l The ACI is also intended to girevent Event V LOCA, but during a different scenario. During a RCS startup from modes where the RHR system has been utilized, the operating procedures call for closure of the RHR suction valves before RCS pressure reaches the RHR safety relief valve (SRV) setpoint.** If the operator failed to close both suction isolation valves, then, absent ACIs, -
. the SRVs would lift. Startup could not proceed as the SRV is generally suffi-i ciently sized to prevent further pressurization. With the ACIs, operator error in failing to close both valves would not prevent startup since the ACI is generally, although not always, set at a pressure below the SRV setpoints.
In the absence of the ACI, if the operator closes only .one suction isolation valve and thus is able to continue the startup, a subsequent failure of the single clos'ed isolation valve would lead to an ' Event V. The purpose of the ACI is to close, or to. provide a backup to the operator to close the second suction isolation. valve.'"
With or without the ACI, there must be a valve mechanical failure (i.e, the
, . gate failing in such a way that the valve's isolation capability is lost) or a i hot short, (i.e., that electrically actuates the valve to open) for the Event V i to occur. The ACI is intended to reduce the probability of an Event V by backing up the operator in closing both isolation valves.
i The ASME code '(Section NB 3412.4) requires the open permissive interlocks but does not require the auto closure interlocks.
^ It is not known' if the suction valves could even be opened in this scenario, given the high differential pressure acting against the gate valve, and the relatively low motor torque.
. ^^
The intent is to prevent the SRV from lifting causing loss of coolant into the containment sump and the possibility that the SRV will not reset.
i
JAN 2 8 Jg3 RSB M2mbers Fire Protection Reviews ,
In the course of performing the fire protection reviews in accordance with 10 CFR 50.48 and Appendix R, the Auxiliary Systems Branch became concerned that a fire located in the control room or other plant areas could cause fire damage which results in hot shorts. These shorts could then result in the RHR suction valves opening and causing.an Event V. To remedy this concern, ASB has allowed PWR applicants and licensees to open at least one RHR isolation valve motor power supply breaker when in Modes 1, 2 and 3. Although this alleviates the fire protection concern, it has created two other potential non-conformances with BTP RSB 5-1: (1) the plant is no longer capable of being brought to the cold shutdown condition from inside the control room and (2) the failure to meet the position regarding the ACI, as described above.
The first issue has been addressed for only a few NTOL plants and has been resolved on a case-by-case basis by granting exceptions to BTP RSB 5-1 posi-tion. Two PWR applicants have shown that there is reasonable time for opera-tors to go to the motor control center (MCC), rack in the RHR suction valve motor power supply b'reakers and change the valve's position. Also, these ~
applicants have shown that the,re would be no severe environments through which the operators would have to pass to get to the MCC and return to the control room.
The second issue is just now coming to light. By allowing power to be removed from the suction valve motors when the reactor is in Modes 1, 2, and 3, the functional capability of the ACI may be defeated. That is, if the operator in the course of starting up the plant, shuts only one suction valve while pres-sure is below the, ACI setpoint, then removes power from both valves to meet the fire protection requirements, the ACI would not be capable of initiating valve motion to close the open valve when pressure reached the ACI setpoint.
RHR Pump Damage and LTOPS
. There are other issues.related to the RHR system ACI. .The industry in general seems to believe that the ACI is detrimental to safety. This belief arises from operational experience. There have been at least 26 events where RHR systems have been inadvertently isolated.* A large fraction of these events have been caused by the ACI shutting the suction valves due to an equipment malfunction or improper testing.
The inadvertent c.losure of the RHR suction valve (s) can have adverse conse-quences. First, it ,is the system used for removing decay heat when cold shutdown is initiatad. Although the expected RCS heatup rate would be low due to the low decay heat level's when the RHR system is in use, if the suction
^
EPRI, NSAC-52, Residual Heat Removal Experience Review and Safety Analysis.
NAN 28 1985 RSB Members ;
valve can not be reopened, other means of decay heat removal would have to be established (e.g., steam generators). Depending on the plant. condition, these i
other, methods may be' difficult to achieve.
Second, the RHR pumps may be destroyed without prompt operator actions. Events at Calvert Cliffs and Diablo Canyon have resulted in destruction of at least one of the RHR pumps due to cavitation and loss of bearing cooling.
Third, if the RCS is in a water solid condition, loss of RHR flow will result in a pressure transient since the charging pumps would be injecting into the RCS without any letdown flow. Although there are systems currently provided on
- all PWRs to mitigate this event (i.e. Low Temperature Overpr~ essure Protection
- Systems-LTOPS), there have been a number of transients initiated by inadvertent i
closure of the RHR isolation valves. -
- Kewaunee and Diablo Canyon Two plants have recently requested alterations in their RHR suction valve control circuitry that have forced the staff to consider the overall benefits and detriments of the ACI in light of the fire protection reviews and industry i experience. Kewaunee is a two loop W PWR with two RHR drop lines. In.
1 December, 19.83, the licensee requested complete removal of their ACIs. The
- utility believes that the ACI presents a high p'otential for inadvertent RHR isolation and, fo,r. Kewaunee, a loss of the LTOP system. -
A study conducted by Westinghouse to support the proposed change shows that r,emoval of the ACI, for Kewaunee, would be a safety improvement in that.the-l scenarios that result in low temperature overpressure transients would not be I
accompanied by RHR isolation, nor would the RHR system be overpressurized. The j licensee has propo' sed three means of preventing Event V: (1) alarms to indicate if a RHR isolation valve is not cicsed, (2) rewiring the motor control switches to close, but not open, both valves when one button is depressed, and (3) operating procedures that ensure all RHR MOVs are closed during reactor startups. The staff's review of the Kewaunee proposal is complete and has concluded that the Kewaunee proposal is acceptable.
Diablo Canyon is a four loop W PWR with only a single RHR drop line. As a result of allegation's made during the licensing process, the staff reviewed the RHR isolation valve operating procedures and found that the licensee should retain power available to the MOVs when the RHR system'is in operation.
! Previously, the licensee removed power from these valves when the RHR system
- was in use since a spurious RHR ACI actuation resulted.in a loss of RHR suction and damage to the RHR pumps.
4 I
e T
i 1
- , - - . ---.._,,m._------, ._, - - _ , , _ _ . _ _ _ . _ . ,. _ - - _ _ . - . - _ - . . .
UM 28 1955 RSB Members .
The licensee has modified its procedures to require power to be available to
. the RHR valves', but has subsequently requested that the staff permit power to be removed from the valves'. The staff is now requesting the licensee to address the possibility of removal of the ACI, since this is,.'in fact, the root cause of inadvertent closures, not the availability of power to the isolation valves. If the ACIs.were removed and an alarm installed to warn the
~
i operators should either of the two MOVs be in the incorrect position, pro-tection from Event V could be provided and inadvertent closure would be prevented. The review of the Diablo Canyon proposal has led to another concern- ~.f power is removed from the RHR MOVs to remove the possibility of an inadvertent closure, then no ready means would be available to isolate the RHR system should it rupture or develop a leak outside containment. The removal of power from the RHR MOVs for Diablo Canyon is, in essence, proposed caused by the various problems cited by Kewaunee and the' industry as a whole regarding -
! the ACI. .
RSB Position i The issue of RHR ACI reliability is being prioritized by SPEB. In the mean-time, proposals to change the RHR system isolation valve controls should be
, carefully considered, especially in light of the many overlapping concerns.
, There is,no reason, as yet, to allow or even encourage whole scale removal of the ACI. The request by each plant should be reviewed on a case-by-case basis.
As a minimum, hoWever, any proposal to remove the ACI should be substantiated by proof that the . change is a net improvement in safety. For example, requests forremovalofpowerortheACIshouldassessasjaminimum,thefollowing:
l 1. The means available to minimize Event V, concerns. .
- 3. The RHR relief valve capacity must'be adequate.
- 4. Means other than the ACI to ensure both MOVs are closed (e.g., single switch actuating both valves).
l
JAN 28 1985 R58 Members 5. Assurance.that the function of the open permissive ~ circuitry is not affected by the proposed change. .
- 6. Assurance that MOV position indication will remain available in the control room, regardless of the proposed change.
We are conducting our own probabilistic assessment as an adjunct to work being _
conducted by the industry. This work should be complete within the next few months. .
Brian W. Sheron, Chief
-. - Reactor Systems Branch, DSI cc: R. Bernero..
R. Houston T. Speis D. Eisenhut' W. Minners H. Vandermolen O. Parr J. Wermiel J. Wilson e
e
_ _ . . . . . .