Restart Rept for Rancho Seco Nuclear Generating Station Following 851226 Overcooling Event

ML20211Q472
Person / Time
Site:	Rancho Seco
Issue date:	12/15/1986
From:	SACRAMENTO MUNICIPAL UTILITY DISTRICT
To:
Shared Package
ML20211Q378	List: ML20211Q374 ML20211Q472
References
WP3094P-0158B, WP3094P-158B, NUDOCS 8612190269
Download: ML20211Q472 (179)
v • d • e

Text

.

l

.' WP3094P/01588 RESTART REPORT FOR THE RANCHO SECO NUCLEAR GENERATING STATION FOLLOWING THE DECEM8ER 26, 1985 OVERC00 LING EVENT Prepared by the Staff of the SACRAMENTO MUNICIPAL UTILITY DISTRICT DECEMBER 15. 1986 e6121]$@{$$o$

PDR PDR obi 2 S

-1

- _ _ _ _ _ - _ _ _ _ _ _ _ - _ _ _ . 1

~

OUTLINE RANCHO SECO NUCLEAR GENERATING STATION SAFETY EVALUATION

1. Introduction

2. Background Discussion 2.1 Brief Discussion of December 26, 1985 Overcooling Event 2.2 Summary of NRC Actions and Correspondence 2.3 ' Summary of Sacramento Municipal Utility District's Response 2.3.1 Plant Performance and Management Improvement Program

a. Program Overview

b. Program Evaluation

. 3. Resolution of Identified Areas of Concern Related to the December 26, 1985 Overcooling Event 3.1 Plant Electrical, Instrumentation and Control Systems Issues I 3.1.1 Integrated Control System (ICSp and Non-Nuclear Instrumentation (NNI) - General Description and Operational Experience

a. ICS and NNI System Descriptions and History of Loss of ICS or NNI Power Events

b. ICS and NNI Power Distribution Systems

c. Power Monitor Design and Operation

d. Identification of Systems / Components Controlled by ICS and NNI 3.1.2 Loss of ICS or NNI DC Power l a. Root Cause for December 26, 1985 Loss of ICS DC l Pnwor and Corrective Actions

b. System / Component Response to Loss of ICS or NNI DC i Power

c. ICS and NNI Dackup Instrumentation and Controls

d. Indication / Annunciation of Loss of ICS or NNI Power

e. Interactions Octween ICS or NNI and Safety Related Systems

f. ICS and NNI Failure Modes and Effects Analyses 9 Proposed iiodifications Prfor to Restart l

l l

\ -7 l

(

. 3.1.2 (Continued)

h. ICS and NNI Maintenance, Surveillance and Testing

i. Operator Response / Procedures j.

Root Cause of Discrepancy Between OTSG Level Strip Charts and SPDS 3.1.3 Restoration of ICS or NNI DC Power

, a. System / Component Response to Restoration of ICS or NNI Power 3.1.4 Additional ICS and NNI Issues

a. System / Component Response.to Loss and Restoration of ICS or NNI AC Power

b. ICS and NNI Response to Loss of Instrument Air and Effect on Plant Operation

c. Loss of Offsite Power Coincident with Loss of ICS or NNI Power or Loss or Instrument Air

d. SMUD Response to ICS or NNI Concerns Identified as Part of the B&WOG Reassessment 3.1.5 Availability of Remote and Local Indications on Loss of ICS and NNI Power

a. R.G. 1.97 Instrumentation

b. Safety Parameter Display System (SPDS)

c. Interim Data Acquisition and Display System (IDADS)

d. Computer / Annunciator Systems

e. Other Indications 3.1.6 Emergency Feedwater Initiation and Control (EFIC)

a. EFIC System Design and Operation

b. Independence of EFIC from the ICS and NNI

c. AFWS/EFIC Failure Analysis

d. OTSG Overfill Protection 3.1.7 Main Feedwater System (MFWS)

a. MFWS Response to ICS or NNI Failures and Effect on Plant Operation

b. OrSG Overfill Protection Circuits 1

~

3.1.8 Main Steam System

a. Atmospheric Dump Valve Operation and Response to ICS or NNI Failures

b. Turbine Bypass Valve Operation and Response to ICS or NNI Failures

c. OTSG Isolation Capability (Main Steam Line Failure Logic) 3.1.9 Summary of Plant Modifications Designed to Prevent / Mitigate Transients Resulting from Loss of ICS or NNI 3.2 Plant Mechanical System Issues 3.2.1 Water Supply to Makeup /HPI Pumps

a. Hoot Cause of Makeup /HPI Pump Failure

b. Assurance of Water Supply Sources

c. Makeup Pump Repair 3.2.2 Effects of Overcooling Event on Reactor Vessel and Steam Generators

a. Analysis of Transient on Vessel and Steam Generators

b. Technical Basis for PTS Guidelines

c. Potential for Core List 3.2.3 Operation of Radiation Monitoring Systems Following Containment Isolation

, a. Root Cause of Radiation Monitor System Damago l b. Effects of Containment Isolation on Systems Required i to Operate Following ESFAS Actuation l

3.2.4 Steam Generator Overfill and Flooding of the Main Steam Headers

a. Evaluation of Steam Header Supports

b. Steam Line Support Inspection 3.3 Plant Maintenance 3.3.1 Maintenance Program 3.3.2 Operability Program for Manual and Remote Operated Valves 3.3.3 Valvo Preventive Maintenance Program

3.3.4 Troubleshooting / Root Cause Determination Program 3.4 Training and Operator Performance 3.4.1 Adequacy of Operator Training

a. Program Overview

b. ICS Off Normal Operation

c. Makeup System Operation

d. AFW lhrottling

e. AFW Pump Trip Criteria

f. Emergency Plan

g. Communications

h. ADV, TBV Operation i.

Difference Between B&W Simulator and Rancho Seco Plant J. Operation of Manual Valves (Including Hand Jacks)

k. Plant Modifications, Procedural Changes and Additions

1. Operator Retraining Due to Long Term Shutdown 3.4.2 Minimum Staffing Requirements 3.4.3 Incapacitated Operator 3.4.4 Potential Security / Safety Interface Issues 3.5 Plant Normal and Emergency Procedures 3.5.1 Need for Event-Related Procedures 3.5.2 Adequacy of ATOG Procedures (PTS) 3.5.3 Adequacy of Radiation Protection Procedures 3.5.4 Adequacy of Annunciation Procedures Manual 3.5.5 Methodology for Procedure Updating 3.5.6 Adequacy of Emergency Procedures 3.6 Human Engineering Considerations 3.6.1 Simplified Schematics for Switches S1 and S2 3.o.2 Valvo Position Indication 3.6.3 Control Room HVAC Noise

~

~

3.6.4 Alarm for ICS 3.6.5 Control Room Modifications 3.7 System Review and Test Program 3.7.1 Program Overview 3.7.2 Program Evaluation 3.7.3 Review of System Testing 3.8 Management and Organizational Considerations 3.9 Retrospective considerations 3.9.1 Evaluation of FSAR Accident Analyses that Presumed Availability of Non-Safety Systems 3.9.2 Roevaluation of Responses to Previous Reports on B&W Transients and Operating Experience (NUREG-0560, NUREG-0667, BAW-1564, Bulletin 79-27) 3.9.3 Probability of Pressurized Thermal Shock (PTS)

Events (BAW-1791) 3.9.4 EFIC System History

a. NUREG-0737, Item II.E.1.2 Justification

4. Resolution of Concerns Unrelated to the December 26, 1985 Overcooling Event 4.1 Post Accident Sampling System

a. System Modifications

b. Procedures and Training

c. Testing 4.2 Control Room / Technical Support Center HVAC System

a. Adequacy of Design and Installation

b. Modifications 4.3 Radioactive Liquid Effluent Releases

a. Assessment of Environmental Effects of Liquid Effluent Releases

b. Technical Specification Deficiencies

c. Long Term Rosolution 6-

)

i 4.4 Emergency Plan

a. Meteorology Program Improvements

b. Training

c. Procedures and Dose Assessment 4.5 Regulatory Guide 1.97

a. Implementation 4.6 Safety Parameter Display System (SPDS)

a. Upgrade to Safety Grade

b. Isolation Devices

c. Modifications (Format) 4.7 TDI Diesel Generator Qualification

a. TDI Diesel Generator Qualification

b. Technical Specifications

c. Class 1E Electrical System

d. Diesel Generator Building Design

e. Diesel Generator Building Fire Protection Systen

5. Summary and Conclusion Appendices Appendix 1: Cross-Reference to source material supporting Restart Report.

l l

.. j .

l

~

1.0 INTRODUCTION

On December 26, 1985, with the Reactor at 75% power, the DC control power to the plant's Integrated Control System (ICS) was lost. As a consequence of the design of the ICS, the plant experienced an overcooling event which exceeded the nominal cooldown rate of 100*F/hr.

The event was terminated by restoration of ICS DC power 26 minutes after a cooldown to 396*F from the normal shutdown value of $32*F. Although there was no fuel damage, or failure of safety equipment, the event was considered significant when viewed from the prospective of why it occurred. Rancho Seco has had a history of transient events which had challenged the plant safety equipment. The equipment had performed so as to protect the core and the public, but the frequency and scope of the events brought into question the viability of corrective actions taken or implemented to preclude recurrences and to enhance plant reliabillt f. As a result, the NRC issued a Conformatory Action Letter which caLsed a comprehensive, retrospective, and introspective look by the Sacramento Municipal Utility District (Owners and Operators of Rancho Seco) into its nuclear programs, personnel, management practices, and the design and operation of the nuclear plant.

This Restart Report brings into focus the results of the programs implemented to assure that the Rancho Seco facility is configured, managed, and supported consistent with the expectations of a modern nuclear utility in today's nuclear industry. Restarting Rancho Seco has involved thousands of individuals in a coordinated effort to seek out the weaknesses of past procrams and to implement effective management and facility improvements. These programs focused on improving the safety of the plant by reducing the likelihood that future transients will challenge the facility design basis, and at the same time, provide for improved facility reliability.

In the following sections of this report the event of December 26, 1985 will be described, as well as the direct rosponses to it. The programs which were implemented to define the necessary improvements for safety and reliability are explained, along with the resulting facility modifications and improvements. The final phase of the restart program is the demonstration of the effectiveness of these programs. This is being done by the System Review and Test Program (SRTP) which is reviewing the functional basis of the plant's systems and determining the testing which will be donc during the startup and return to power.

This testing will demonstrate not only the changes to the facility and the training of the plant staff, but the material condition of the facility following the restart program and the readiness of Rancho Seco to return to the Northern California electrical system as a safe, reliable, and dependable electrical resource.

2.0 BACKGROUNO DISCUSSION

.1 December 26, 1985, Overcooling Event Early in the morning of December 26, 1985, while operating at a steady 75% power, the reactor tripped on high pressure as a result of loss of main feedwater caused by an unexpected loss of DC power within the plant's Integrated Control System (ICS). The loss of ICS DC power caused the main feedwater pumps to reduce to minimum speed, causing Main Feedwater pressure to decrease which auto started both AFW Pumps and permitted the AFW ICS controlled valves to operate. Concurrently, all other control devices receiving inputs from the ICS received a "zero" volts signal which was interpreted as a "50% demar.d" command since the ICS operates on a -10 to +10 vdc range corresponding to O to 100%

demand. This resulted in several steam valves repositioning to the corresponding 50% open positions, and likewise, the Auxiliary Feedvater Control Valves opening to mid-position. The effect upon the Nuclear Steam Supply System (NSSS) was to provide a significantly increased rate

. of heat removal via both steam discharge and the addition of cold Auxiliary Feedwater to the Once Through Steam Generators (OTSGs). These effects combined to causo a rapid reduction in the temperature and pressure in the Reactor Coolant System (RCS). The pressure reduction reached the point where the engineered safeguards equipment, the Safety Features Actuation System (SFAS), actuated bringing into service the High Prossuro Injection (HPI) System (which had previously been operating on operator demand), the standby emergency Diesel Generators, the AFW bypass flow control valves, and isolation of the Reactor Building as it would in the event of a Loss of Coolant Accident. The high rate of reactor coolant injection from HPI was effective in establishing the reactor coolant inventory needed at the reduced temperature caused by the overcooling.

During the event, all safeguards and related equipment performed as designed, although post-event analyses identified desirable enhancements to non-safeguards related equipment and procedures. The event did progress sufficiently to constitute an " Overcooling" as a result of delays and complications in closing the open steam and feedwater control valves, lhe Reactor Coolant Pumps (RCPs) remained online through the transient.

The operating crew on duty had been augmented by an extra Senior Reactor Operator who was also a qualified Shift Supervisor. Early in the event he left the Control Room (this was appropriate, as he was not assigned a spocific duty station) and assisted in the work of post-trip recovery and equipment operation. Upon returning to the Control Room, af ter nearly a half hour of vigorous exertion, he became " lightheaded" and had to lie down. 1his was diagnosed as hyperventilation. Followup medical cuminations have not identified any reason for concern as to the individual's fitness for duty.

-9 .

2.1 During post-trip recovery activities, the suction to the Makeup Pump was ~

inadvertently isolated. This led to the rapid destruction of the pump seals and the release of approximately twelve-hundred gallons of reactor-coolant makeup water into the basement of the Auxiliary Building. The associated release of radioactive gases contained in the coolant constituted the primary source of radioactivity released during the event. An Unusual Event (as established by the facility Emergency Plan) was declared as a result of the SFAS actuation, which initiated the notification of the various emergency response agencies.

lhis event was defined by SMUD management to be unique and to require special study, analysis, and troubleshooting prior to authorizing a

plant restart.

1

.2 Summary of NRC Actions and Correspondence On December 26, 1985, the NRC Region V Regional Administrator sent a Conformatory Action Letter to SMUD stating that ". . . prior to return of Rancho Seco to power operations, ... a root cause analysis of the reactor trip (is to be done) . . . (and) a briefing'of your assessment of the root cause and your justification as to why the Rancho Seco facility is ready to resume power operations." Concurrently, an Augmor.ted Investigation Team was dispatched to the site from the Region V office.

Late on December 30, 1985, the District was notified that the NRC had elected to upgrade their involvement in the investigation of the event by replacing the Augmented Region V investigative team with an NRC Incident Investigation Team (IIT) charged with determining the:

1) Sequence of Events

2) Troubleshooting Action Plans to Determine Root Cause, and

3) Major Issues surrounding the event.

Interviews were held "on the Record" with the facility operating personnel involved in the event, its mitigation, and the District's investigative efforts.

An early effort established by SMUD, with concurrence by the NRC, was to develop the " Quarantined Equipment List", of that equipment whose failure influenced the event or operator efforts to stabilize the plant.

Details of the requirements for the process of systematic j

troubleshooting and reporting of findings, relevant to the Quarantined Cquipment, were developed and published in revisions to the District's documentation of its investigation program.

10 -

l

. . . _ , . - - . ~ . , ---

2.2 (Continued)

Oncs the IIT had completed its interviews, and agreed with the content of the developed Sequence of Events and the Troubleshooting Action Plans, it left the site to write its report and await the results of the troubleshooting efforts. The Rancho Seco staff provided these results, as they became available, directly, to the IIT and the NRC Site Resident Inspector. This material was compiled into the ITT's report on the event, NUREG-1195 " Loss of Integrated Control System Power and

, Overcooling Fransient at Wancho Secu on December 26, 1985."

Numerous meetings have been held between the NRC and SMUD during the recovery and restart period. 16,mse, along with significant

( correspondence, are highlighted k;elow. 1 February 10,,1986 SMUD presentation to Region V on 12-26-85 Event Root Cause and Corrective Actions; Walnut Creck, CA February 19, 1986 Submittal of the SMUD Summary Report, " Description and Resolution of Issues Regarding the December 26, 1985, Reactor Trip." A letter report to J. B. Martin, Region V Administrator and F. J. Miraglia,'Oirector PWR-B of the NRC from R. J. Rodriguez, AGM; Nuclear.

February 24,'1986 Submittal of Addendum 1 to the SMUD Summary Report.

February 25, 1986 IIT prssentation to NRC of NUREG 1195, " Loss of Integrated Contro! System Power hnd Overcooling

. Transient at Rancho Sei e on December 26, 1985."

March 24/25, 1986 NRC site visit, with presentations'by SMUD, to H. Denten, J. Taylor, et al on the December 26 event

- and restart programs, i i April 18, 1986 SMUD presentation to NRC/NRR on the Plant Performance and Management Improvement Program:

Bethesda, MD April 24, 1986 Sito visit, with presentations by SMUD, to NRC

_', Commissioner Bernth,al.

april 24, 1986 GMUD letter to F. Miraglia NRC PWR-B Director providing technical corrections on NUREG 1195.

May 12, 1986 LeLLor from V. Stello, NRC to SI UD General Manager

\ Q. K. K. Lowe providing NRC Staff views regarding

.' the adequacy, scope, and direction of the proposod.

improvemeol program. -

x x s

\

\ - ,

s s

~ . -

w

se _,

o 2.2 (Continued)

,_ , May 14, 1986 Site visit, with presentation by SMUD, to NRC Commissioner Asselstine.

'May 16, 1986 NRC Region V Enforcement Conference on Regulatory Significance of December 26, 1985, Event: Walnut Creek, CA June 6, 1986 Presentation to NRC Region V of the proposed Action Plan for Plant Performance and Management Improvement Program; Walnut Creek, CA.

June 12, 1986 Presentation to NRC/NRR of the proposed Action Plan for Plant Performance and Management Improvement Program; Bethesda, MD June 17/18, 1986 Visit to site with SMUD presentations to NRC Region

- V and NRR staff en details and progress of the Plant Performance and Management Improvement Program.

June 20, 1986 NRC F. Miraglia to J. Ward, AGM, Nuclear letter commenting on the June 12 presentation of the preliminary Action Plan for Plant Performance and,.

Management Improvement Program.

June 26, 1986 NRC IIT presentation of NUREG 1195 to ACRS Subcommittee; Washington, D. C.

l July 3, 1986 Submittal of Action Plan for Performance Improvement.

July 29, 1986 NRC H. Denton, Director NRR letter to J. E. Ward j

SMUD AGM, Nuclear providing comments from preliminary review of Action Plan.

August 4/5, 1986 Visit by President SMUD Board of Directors, General Manager, and DGM, Nuclear to senior NRC Management; Washington, D. C.

August 14, 1986 Presentation to NRC/NRR on Action Plan with emphasis l on ICS/NNI and AFW modifications, the System Review l and Test Program, and Program Milestones; Dothesda, nD.

t September 5, 1986 NRC J. Stolz letter to J. Ward SMUD DGM, Nuclear requesting additional information to support UER for Action Plan.

Sept 9mber 15, l'38 ti Submittal of amendnent 1 to, Action Plan for l

Performance Improvement. Included material in response to September S request.

2.2 (Continued)

November 19, 1986 Presentation to NRC/NRR on Action Plan Progress and Update, Bethesda, MD.

In addition to the above meetings and correspondence, there have been numerous meetings between SMUD and NRC staff members to review specific program and project details. This process is expected to continue through restart. l

' l

.3 Summary of Sacramento Municipal Utility District's Response

.1 Initial Program In addition to collecting the various data available following an event of this type, the Plant Manager immediately instituted a deliberate and detailed process to govern the investigations and troubleshooting necessary to establish the root cause(s) of the event. This program was intended to systematically prepare the facility for return to power operation. l l In anticipation of industry interest in an overcooling event such as the one experienced, particularly at those facilities using an ICS, the District invited the Institute of Nuclear Power Operations (INPO), the Electric Power Research Institute (EPRI/NSAC), and the B&W Transient Assessment Team to assist with investigating the event and reporting it to the Utility industry. The INPO team j developed a Significant Event Report (SER #3-86) which was issued l to the Industry on January 2, 1986.

l l

EPRI/NSAC assisted in the evaluation of the Pressurized Thermal Shock related questions and analysis as they pertain to the reactor

vessel and potential effects upon its service life. These results are discussed in A following section, which confirms no Reactor lC Coolant, System component degradation attributable to the f transient. The B&W TAP Team assisted in compiling the sequence of I events and in defining issues and areas which needed further l investigation. 1he team played an important role in developing the I troubleshooting plans for the ICS and the Maintenance Instructions (mis) which impicmented those plans. 1 hey also assisted in evaluating the procedural adequacy and operator response to the event.

A. Transient Analysis Organization A systematic troubleshooting process was established to provide the organization and process for insuring that all available and potentially useful material necessary to 9.ain a full understanding of the events of December 26th was obtained and utilized. It established an Action List which collected the developing issues and oversaw their resolution.

~

2.3 .1 A. The implemented troubleshooting program identified four major milestones needed to resolve an issue. These are as follows:

1. Troubleshooting Action Plan Following a description of the question, issue, or problem being investigated, a summiwy of information supporting the probable cause is daveloped. Included is a review of the component (s) maintenance, surveillance testing, and modification history. From this body of information, the potential root cause(s) are developed and an outline of the troubleshooting plans to prove / disprove each is presented.

2. Engineering Report This is a report of the results of the troubleshooting efforts and provides the conclusions and justification of the identified root cause.

3. Repair Action Plan

• Once concurrence is obtained that the root cause(s) have been identified, then those steps required to repair, change, or modify the apparatus or procedure for return to service are developed. This step is imposed to insure that repairs / changes are properly coordinated and that troubleshooting is complete and sufficient to allow repair.

4. Action Item Closure Report This report consolidates all of the developed information from the above efforts and completes the explanations and justification of root cause(s) of the item. It also provides for recommendations which will be useful in the development of lessons learned and programmatic improvements to guide in achieving excellence in operations and management while precluding recurrence.

Noto, root cause, as used in this section is defined as the direct cause of the failure, malfunction, or discrepancy. It is not necessarily the programmatic or underlying cause that allowod the failure, malfunction, or discropancy to occur. Ihat " root cause" is determined by the Rancho Seco Incident Analysis Group in a separate and independent analysis.

[

. 2.3 .1 A. 4. For those items placed upon the SMUD NRC/IIT Quarantined Equipment List, or if so designated by the Action List Coordinator, the entire four phase program described above was implemented. Several items were added to the Action List for tracking and management which did not require the full program. In those cases, a Closure Report alone was required and used to document the scope of the analysis, or investigation, and to report the conclusions and recommendations which resulted from analysis of the item.

B. B&W Owners Group Regulatnry Response Group (RRG)

Since the ICS is generic to the B&W designed NSS System, the NRC addressed its questions, which were of potentially generic interest to all B&W plants, to the RRG. this group met and/or communicated with the NRC, and in general, discussed issues which are beyond the scope of this' report.

~

2.3 .2 plant Performance and Management Improvement Program (PP&MIP)

The initial Transient Analysis program was directed at systematically determining the root cause of the event, while providing for corrective actions which would make recurrence unlikely and support a timely restart. With the issuance of NUREG 1195, new !ssues were introduced. lhese items have been referred to as the " Retrospective" issues, meaning Rancho Seco's history and SMUD's corporate philosophy and methods in implementing its nuclear programs. Several examples are given in NUREG-1195 wherein it was charged that a narrow focus was of ten taken in responding to issues and concerns with corrective actions often being insufficient to prevent recurrence or that they were delayed in implementation.

These concerns, as expressed in.NUREG 1195, caused a complete reassessment of the ongoing effort to restart Rancho Seco and subsequently resulted in a greatly expanded program known as the Plant Performance and Management Improvement Program (PP&MIP).

The Plant Performance and Management Improvement Program systematically evaluates the physical plant, its systems and operation, and the management programs necessary to support the safe and reliable operation of the plant. lhe first phase of the PP&MIP is devoted to developing recommendations which are specific to the needs of a successful nuclear operation. 1he second phase provides for dispositioning and prioritizing each recommendation.

while implementation and feedback processes are provided to insure effective resolution.

nn overview of the PP&MIP Program Elements follows.

2.3 .2 A. Systematic, Assessment Program This is a systematic review of the physical plant, its operating procedures, training, maintenance, and related areas impacting performance, including a look at industry and plant history. The details of these special tasks, and the procedural guidance for their implementation, are contained in Nuclear Plant Procedure QCI-12, " Plant Performance and Management Improvement Program (PP&MIP)." The objective of these retrospective tasks is to assure that plant affecting deficiencies are identified and brought to management attention such that necessary corrective actions can and will be implemented.

These special tasks include:

• Precursor Review

• Deterministic Failure Consequence Analysis

• B&W Owners Group - SPIP Program

• Plant Personnel Interviews

• 12-26 Event Evaluation

• NUREG-1195 Findings Each of these tasks is described below, as well as the Recommendations Review and Resolution Board (RRRB), and the Performance Analysis Group (PAG).

1

1. . PRECURSOR REVIEW PROGRAM The Precursor Review Program was to systematically review historical documents and recommendations for events or conditions that may be significant to Rancho Seco. From the events and conditions that were judged to be applicable and significant to Rancho Seco, a specific recommendation was made to improve the affected plant area (design, operations, maintenance, etc. .) to either preclude the occurrence or minimize the effect of the event or condition at Rancho Seco. The identified issues and improvement recommendations were input to the Recommendations Review and Resolution Board (RRRB) for disposition.

The Precursor Review Program is divided into two parts:

1. Review of Past Trips and Transients on 8&W Designed Plants The review of transients on B&W designed plants (transients 1 are defined in the B&WOG SPIP Program) consists of the following:

a. All Transient Assessment Program (TAP) Category C transients will be evaluated and investigated for their applicability and impact on Rancho Seco,

b. All Category B TAP events will be reviewed to determine if any of the recommendations made are applicable to Rancho Soco and to determine whether, because of plant differences, the transient could have been more severe at Rancho Seco,

c. All recommendations for Category A TAP transients will be reviewed to determino their applicability to Rancho Seco,

d. All Rancho Seco transients, starting from the Rancho Seco

" light bulb" event in 1978, will be reviewed.

These events will be reviewed with recommendations or concerns identified and passed on to the RRRB. The review program described above will be completed before plant restart.

2. Other Document Reviews In addition to the review of the above documents, the following will be reviewed by a multi-discipline experienced team:

a. Rancho Seco Licensee Event Reports and Occurrence Description Reports

b. Significant Operating Experience Reports (SOER) issued by the Institute of Nuclear Power Operations

1. 2. c. Bulletins issued by the NRC Office of Inspection and

• Enforcement

d. Notices, Circulars, and Generic Letters issued by the NRC

e. Babcock and Wilcox Reports (Preliminary Safety Concerns, Site Instructions, and other relevant B&W reports)

f. Review NUREG 0667, " Transient Response of B&W Designed Reactors" for open recommendations

g. Review NUREG 0560, " Staff Report on Generic Assessment of Feedwater Transients in PWRs Designed by B&W" this program provides for a reverse chronological review starting from 1985. Prior to startup, documents dating back to March 1978 will be revicwed. 'the Precursor Review Team will assess and make a recommendation as to the need and scope of any further reviews.

3. Criteria and Methodology for Precursor Evaluation Each document will be reviewed to determine whether issues are applicable to Rancho Seco. For each document, a Precursor Review Checklist will be completed For those issues which produce a recommendation, the Precursor Review Recommendation Form will be completed and forwarded to the RRRB.

2. DETERMINISTIC FAILURE CONSEQUENCE ANALYSIS Deterministic Failure Consequence Analysis is a technique to determine the consequences of failures of systems and equipment on power operation or post-trip response capability, and to evaluate related procedural guidance provided to the operators. The intent of the analysis is to identify areas where failures of plant systems or procedural inadequacies could potentially result in unnecessary reactor trips, unsatisfactory post-trip response, undue challenges to the operators, or unnecessary challenges to the safety systems. Recommendations were developed which will improve plant reliability, post-trip response, and operator performance when or wherever inadequacies or enhancements were identified.

the effect of loss of electrical power, instrument air, and control power were evaluated for impact on plant operations. These systems wore chosen becauso failuros in those systems closely approximate the consequences of most postulated plant system failures. The analysis identified affected systems which challenge or adversely offect the capability to mitigate transient conditions. No attempt was made to analyze every combination of failures which could occur. Yet, by starting with the assumed loss of an active component, and compounding the effect by assuming concurrent failure of components with common motive power or controls, a very wide range of likely partial loss of systems has been considered all the way through station loss of offsite power.

While the methodology was applied, considering for the most part the individual loss of power, Instrument Air, or ICS/NNI, the results can be evaluated in light of the assumption that all three conditions exist simultaneously. Such a situation is the basis for the decisicn to install a Class 1 Emergency Feedwater Initiation and Control (EFIC) System, plus Class 1 air supplies to certain valvss utilized in that event. Such an event would challenge (utilize) the plant safety systems, but with these new features, it should not cause adverse transient conditions or control problems.

1. Each system was analyzed as described below:

A. Loss of Electrical Power Teams analyzed each 480V bus, its source and loads. Each team reviewed the electrical elementaries beginning at the end loads. Each breaker off the Motor Control Center (MCC) or panel was " failed" ind iv idually . (Note: The

" failure" is an assumption, no physical positioning at circuit breakers, etc. , was required.) lhe consequence of failure of each load was then determined. The process was repeated for all MCCs and panels off a common 480V ,.?

bus. Once the consequence of loss of the individual M, )._

loads was evaluated, the loss of the source (s) was  %+

analyzed. kj

? >: -

41ce... -

2. 1. A. (Continued)

A similar analysis was performed on the 120/125V AC buses, except that the failure was assumed to include the inverter, battery, and alternate supplies.

Upon completion of the analysis of the individual 480V buses, the loss of the 4160V bus and loss of the individual transformers to offsite power was analyzed.

Finally, the loss of offsite power was analyzed.

B. Loss of Instrument Air An evaluation of the effects of loss of instrument air was also performed. Individual components (loads) on the Instrument Air System were " failed" and the affect upon the plant determined. 1he entire system was then

" failed" to determine the affect on the plant.

C. Loss of ICS/NNI The loss of ICS and NNI power supplies were evaluated to determine failure states and resultant actions or suggested modifications necessary to establish a known safo stato with little or no operator action.

D. IE Bulletin 79-27 Due to the number and scope of changes to ICS/NNI (the subject of this Bulletin) and the nature of the questions it asks (which are similar to the DFC approach), this Bulletin was ovaluated as a part of the DFC scope, and utilized the DFC approach.

2. prosess Recommendations developed during the analyses were submitted to the RRRB. Specific notes of those systems affected by the

" failure" which lead to the recommendation were made. These notes were forwarded to the relevant system engineer for consideration and resolution with other issues associated with that system.

l

3. 'B&W OMWERS GROUP PROGRAM - SAFETY AND PERFORMANCE IMPROVEMENT PROGRAM (SPIP)

1. In January 1986, the B&WOG initiated a new concept in their management of B&WOG activities. Instead of having projects undertaken by individual committees, task forces, or working groups, which were directed only at the group's goals, it was decided that projects would be focused around a few major programs. These programs have since been identified to be:

• Trip Reduction and Transient Response Improvement

• Availability Improvement

• Regulatory Commitments

• Economic Benefits Each of these programs has an organization to carry out its specific goals.

Safety and Performance Improvement Program (SPIP) is the major element of the Trip Reduction and Transient Response Improvement Program.

During the development of the Rancho Seco PP&MIP, reference was made to the B&WOG "STOP-TRIP" program. The "SPIP" and "STOP-TRIP" programs are the same, with SPIP being the program's finally adopted name.

.2 Objective The SPIP was established to improve B&WOG plant safety and performance. lhe program's stated objective is to:

Reduce the number of trips and complex transients on B&WOG plants and ensure acceptable plant response during those trips and transients which do occur.

The specific goals of the program are:

1) By the end of 1990,.the average per plant trip frequency will be less than two per year.

2) By the end of 1990, the number of complex transients, as i

classified by measurable parameters (Category "C") will be reduced to 0.1 per plant per year based on a moving three year average. (Note: GP[P Category "C" is similar to Action Plan Priority "1" criteria. )

b

3. 2. 2) The District is aggressively participating in the SPIP, as it does in the other B&WOG programs. Such involvement will ensure a broad perspective is taken with respect to plant improvements, as well as allow other B&W owners to benefit from the Rancho Seco Plant Improvement Program.

3. Program Scope The B&W Owners Group SPIP Program is similar in many ways to the District's Plant Performance Improvement Program.

However, it is designed as an extension and expansion from previous B&W Owners Group (B&WOG) activities aimed at reducing the number and severity of reactor trips which occur.

Recently, the program scope has been expanded to collect information and develop the response to the NRC Assessment of the " Sensitivity" of the B&W Designed NSS. Thus, a number of programs are already underway and recommendations are being prepared for evaluation and implementation by the member utilities. In addition, the B&WOG program is designed as an ongoing activity and thus will still be providing recommendations for plant improvement after the Rancho Seco Action Plan is comploted.

The SPIP process includes the following major elements:

• Define concerns

• Prioritize concerns

• Integrate, schedule and perform projects

• Issue project reports with recommendations

• B&WOG Stoering Committee approve and issue recommendations to owners

(

• Track implementation status with Recommendation Tracking System The most important aspect of the SPIP is the implementation of the recommendations at the B&WOG plants.

l l

l l

l i

3. 4. Methodology /Proctdure To ensure effective SPIP implementation at Rancho Seco, the District has assigned a SPIP Coordinator who provides the interface between the District and the B&WOG SPIP.

Additionally, the District's coordinator is a member of the SPIP Management Team. This latter role is a unique opportunity to provide program leadership and gain detailed insight that will aid implementation at Rancho Seco.

~'

The coordinator's role is summarized as follows:

• Ensure SPIP recommendations are promptly input to the RRRB.

• Follow up to ensure SPIP intent correctly interpreted.

• Regularly report implementation status to B&WOG and to the Performance Analysis Group (PAG).

• Provido results of other PP&MIP actions to the B&WOG for consideration of generic applicability and integration with SPIP.

5. Schedule-Time of Performance In recognition of the fact that the SPIP will extend beyond Rancho Seco restart, any recommendations issued by the SPIP af ter startup will be addressed through long-term follow-up programs.

4. PLANT INTERVIEWS

~

The interview program was intended to surface previously unresolved, but "known," problems which could (1) cause reactor trips and/or contribute to the severity of transients, and (2) degrado plant reliability or the optimal performance of the operating personnel. On this basis, the results of the plant staff interviews woro processed through the QCI-12 PP&MIP.

1. Project Scope This program interviewed personnel from key plant and nuclear support functional groups. These persons were encouraged to identify systems, components, or operational problems and concerns of which they are aware and provide recommendations on how to resolve them. One hundred and fifty-seven volunteers were needed to satisfy the representative selection criteria based upon MIL-STD-105D. This requirement was met in all areas and a total of 180 volunteers were interviewed.

2. Interview Methodology .

The interview program covered a cross section of plant personnel and was intended to encourage personnel to identify issues or' concerns of which they are aware that, when resolved, can contribute to optimal, reliable, or improved oporation. Interviews were conducted utilizing people who are skilled in the interview process. For the most part, these same people accomplished the Rancho Seco Control Room Design Review (CROR) interview program. They were assisted in preparing for the PP&MIP interview program by consultants who are experts in industrial human relations.

An introduction and question form was prepared and presented to each intervicwee prior to the interview. Each interviewee was asked for information about his/her background and was briefed as to the purpose of the interview. The questions on the forms were then discussed one-by-one. Each interviewee was asked to expand on each answer until the interviewers felt no further meaningful information was available.

lhe Interview Project Coordinator consolidated the compiled list of concerns / recommendations. He forwarded the recommendations to the RRR8 using the Recommendation /

Resolution sheets. The Interview Program Coordinator assured that the concerns and recommendations were acted upon and dispositioned to the RRRB.

- 24

4. 2. The program interviews, including evaluation and disposition of the recommendations will be completed prior to plant restart. Approximately 1,600 recommendations were developed prior to consolidation to eliminate duplication. These recommendations have all been processed through the RRRB.

5. DECEM8ER 26, 1985 EVENT EVALUATION A total of 150 analyses, studies, repairs, and modifications were initiated to investigato and recover from the loss of ICS and overcooling event. These resulted in approximately 500 recommendations for follow-up consideration. All have been processed by the RRRB.

Many of the 150 items on the Action List developed for this evaluation are specific to the findings given in NUREG-1195, and likewise show up on the NRC list of open issues coming from the event or its followup. As such, this effort developed much of the material contained in the responses to findings and issues which is given in this report.

6. ACTION PLAN MANAGEMENT PROCESS The unique nature of the District's Action Plan combined with the time frame of implementation has necessitated the development and implementation of a process to accommodate adjustments to the plan while assuring the general objectives and direction of the program a.e maintained. To accomplish this, the District has established the necessary organizational structure, assigned appropriate authority and responsibility and developed the necessary guidelines to assure the program accomplished its intended near and long term objectives.

A. Prioritization Criteria The purpose of the entire PP&MIP is to improve safety by providing modifications, enhancements, procedures, and training which will make the plant less likely to challenge a design basis (safoty systems) and to make it possible to improve plant performance (reliability). It is not credible to operate without ever having a reactor trip, the usual precursor to safety system challenges. The purpose of the PP&MIP is to assure that when trips do occur, they will be nominal and will not lead to dramatic over/undercoolings or significant safety system challenges. On this basis, the target requirement that the RCS pressure / temperature conditions remain in the nominal " Post-Trip" window was selected.

l l

1

d ,

6. A. Prioritization Criteria (Continued)

If a condition was detected in the Systematic Assessment Program, SRTP, or otherwise known, which could lead to conditions outside the post-trip window (as defined in the B&W Owners Group Abnormal Transient Guidelines) then it was prioritized to be resolved prior to restart. While not the only criteria used by management for prioritization and resource allocation, this was one of primary importance. The

- complete set of prioritization criteria are provided below.

Criteria for Prioritizing Restart Schedule

.i Actions to be completed prior to restart or completion of the restart test program

• Assure plant remains in post-trip window

• Assure compliance with technical specifications

+ Minimize the need for operator action outside the control room within the first 10 minutes of an event

.2 Actions to be initiated as promptly as practicable, schedule developed, resources assigned and maintained until completed (it is the intent to initiate these actions as soon as priority one action completions make resources available)

• Enhance ability to remain in post-trip window automatically

• Reduce reactor trips

• Reduce challenges to safety systems

.3 Actions to be programmed for the longer term

+ produce near-term programmatic benefits e Improve reliability

. Improve availability

• Major programmatic enhancements s

The organizational elements instituted to meet these requirements includa:

B. The Recommendation Review and Resolution Board (RRRB)

The RRRB is a multi-discipline group of individuals with nuclear experience and training drawn from SMUD, another utility with a B&W NSS, the NSS Vendor, and the Plant Architect Engineering firm. The functions of this Board are:

(a) to screen recommendations for clarity and duplication, (b) evaluate issues and recommendations, and (c) recommend a disposition and priority for the recommendation based on its technical merits. To guide the Recommendation Review and Resolution Board in making these technical assessments, and in prioritizing the implementation actions, the prioritization criteria were used.

In addition to screening and validating recommendations, the RRRB input each recommendation into a master data base which records and tracks each recommendation through its life cycle.

Once the RRRB has finished the validation process, the recommendation (valid or invalid) is forwarded to different organizations based on its characteristics for action. The alternate paths are: (a) Programmatic recommendations are sent directly to the Performance Analysis Group (PAG) for disposition, and (b) system related recommendations are sent to the assigned Systems Engineer, who in turn develops an integrated implementation and test plan for the system. This system plan is then sent to the PAG for disposition. The PAG, with the approval of the DGM, Nuclear, determines the course of action for these recommendations and sends them to the appropriate departments for implementation through the Action Plan or develops a justification as to why the recommendation is invalid.

C. The Performance Analysis Group (PAG)

The PAG is made up of the Nuclear Department managers, or in their absence their designees, that report directly to the Restart Implementation Manager (RIM). The function of this group is to review and determine the appropriate disposition, from a management perspective, of the recommended actions of the Recommendation Review and Resolution Board.

During this process, the recommendation is reviewed to determine whether the disposition of the recommendation (actions and priority) can be accommodated through existing programs or whether adjustments are necessary to assure the overall program objectives are met. This group also determines which department will have the responsibility for implementing the action (s) to satisfy the finding and recommendation.

6. C. The Performance Analysis Group is also charged with monitoring the implementation of the Action Plan. The need for, and approval of, changes to.the plan to assure the near and long term objectives are met will be developed by the Nuclear Projects Manager a xi approved by the Performance Analysis Group and the Deputy General Managor, Nuclear. This includes changes to the priority of individual action items.

D. Results of Systematic Assessment Program No restrictions were placed upon the systematic assessments which would result in suppressing recommendations for improvements in either management processes or the facility.

As a result, it was necessary for the recommendations to be given an independent detailed technical review by the RRRB for completeness and content before forwarding to either the Management Improvement Program, or to the System Engineers for action. These two programs are discussed below.

1. Management Improvement Program Programs developed by the nuclear department managers are being implemented to address the deficiencies contributing to the performance record and the December 26, 1985, event. These programmatic actions form the broad framework for the implementation of the findings from the Systematic Assessment process. The major programmatic action areas are listed below,

a. Management Effectiveness

b. Quality and Quality Assurance l

l

c. Training

d. Operations and Operating Proceduros l

c. Maintenanco Programs and Procedures

f. Health Physics and Radiological Controls 9 Appendix I Discharge Guidelines

h. Emergency Preparedness l i.  !!uman Factors

j. Management Information System

k. Commitment Management l

l l

6. D. 1. 1. Configuration Management

m. Materials Management

2. Plant Modifications and Maintenance Improvements In direct response to the December 26 event a number of desirable plant modifications and maintenance improvements were identified. The commitment to implement these was made prior to the development of the Systematic Assessment Program and the System Review and rest Program (SRTP). These items are specific to the mitigation of the root causes of the December 26 event.

• ICS and Interfacing Systems

• Non Nuclear Instrumentation System

• Foodwater and Steam Systems

• Emergency Diesel Generator Reliability

• Reactor Coolant System and Pressurizer

• Post-Accident Sampling System

• Control Room - TSC HVAC Operability and Reliability

• Instrument Air System Reliability

• Reactor Building Purge Flow Measurements

• Fire Protection System

• Motor Operated Valves

• Critical Pumps Failure on Loss of Suction

• Maintenance Programs and Actions

• Once Through Steam Generators

[n cach of these areas, a coordinated program is in place under the auspices of the relevant system engineer from the SRTP. Octaiis of the activitics affecting each item are contained in the Action Plan for Performance

[mprovement, Sections 48 and 4C.

6. D. 3. System Review and Test Program (SRTp) '

Recommendations for facility improvements are received by the system engineers assigned to each of the plant's 78 major systems. Details of how this SRTP functions are provided later in this report, yet it is important to realize that they consolidate the various system related recommendations, compare them to the system functional

• requirements and propose dispositions which are coordinated and effective to ensure closure of the recommendations. Testing requirements are reviewed and developed to demonstrate the appropriate degree of operational capability and readiness for operation of each system.

3.0 RESOLUTION OF IDENTIFIED CONCERNS RELATED TO THE DECEMBER 26, 1985 OVERC00 LING EVENT

.1 Plant Electrical, Instrumentation and Control Systems Issues

.1 Integrated Control System (ICS) and Non-Nuclear Instrumentation (NNI) - General Description and Operational Experience

a. ICS and NNI System Descriptions and History of Loss of ICS or NNI Power Events

.1 ICS System Description 1he following is excerpted from NUREG-1195, Section 3.1:

"The Integrated Control System (ICS) is a non-safety-related system that coordinates the action of a variety of plant equipment to make the adjustments necessary to match megawatts generated to megawatts demanded by balancing steam production and steam usage. The ICS was used first on B&W-designed fossil-fueled generating plants and later adapted for use on D&W-designed nuclear plants."

i i

i l

l l

3.1 .1 a. .1 (Continued)

The ICS is essentially the same for fossil plants as for nuclear plants, with the controls that are unique to the nuclear plants (such as pressure control of the reactor coolant system) being provided by the so-called Non-Nuclear Instrumentation (NNI) system.

The first nuclear application of the ICS was the Type 721 design which is installed in the two earliest B&W-designed plants (i.e. , Oconee and Three Mile Island). The second generation of the ICS is the Type 820 design which is installed at the Rancho Seco plant and all other B&W-designed plants. These two designs are similiar at the functional level, but the detailed design and the actual hardware differ significantly, especially with regard to power distribution and manual control upon loss of power which are discussed below.

The following description contrasts the integrated control scheme that characterizes the ICS with the discrete, separate control schemes that ...aracterize other systems. This section also describes the four major portions of the ICS and the interface between the ICS and the NNI. The nature of the ICS output control is presented, followed by a discussion of how these output si3nals change upon loss and restoration of ICS power. Finally, the ICS electric power distribution system is described.

Fundamental Control Scheme Operating nuclear power plants use three fundamental control schemes. In each of these schemes, the reactor and the steam generator are considered as a unit (i.e., the steam production portion of the plant) and the main turbine and generator are considered as another unit (i.e., the steam usage portion of the plant). The purpose of these control schemes is to match the megawatts produced (in the steam production portion) to the megawatts demanded by balancing steam production to steam usage.

3.1 .1 a. .1 (Continued)

In the first control scheme, the turbine generator responds to changes in electric demand, and the reactor and steam generator subsequently are readjusted to maintain the needed steam conditions. This scheme has the advantage of rapid, accurate electrical output changes, though some steam flow instabilities may result.

In the second control scheme, the reactor and steam generator respond to changes in electrical demand, and the turbine generator are subsequently readjusted to satisfy the new demand. This scheme has the advantage of good plant stability, but involves a slower response to changes in electrical demand.

The third scheme, which is used at Rancho Seco, combines the first two schemes into an integrated control scheme. The objective of the combination is to take advantage of both fast plant response and good plant stability.

In the ICS, steam usage (i.e., steam flow) is controlled by modulating the turbine throttle valves to maintain a constant steam header pressure. Steam production is controlled by maintaining a constant average temperature

, (Tave) in the reactor coolant system and j modulating feodwater flow. In this control scheme, the turbine steam header pressure is used as an index of whether steam flow and steam production are in balance. On the reactor and steam generator side, Tave is used as an index of whether feedwater and nuclear heat are in balance.

l Figure 3.1 illustrates the fundamental control l concept of the ICS at Rancho Seco. The ICS l sends demand signals simultaneously to both the

steam flow controls and the steam production controls. This scheme achieves fast response by initially borrowing energy from the steam l generators (resulting in reduced sloam pressure) and subsequently redepositing the energy as the reactor power setpoint for the l steam header pressure is artificially reduced temporarily.

1 1

~

3 n=en, UtNT LOAD J y= === OsmAse , =

1

- - = = = b 3

, TRACsusee

{

tew j IIffBSAAT50 8848V?% CO8ffROL

? m.mme

• 1 [

m g  ; $

g -

al i t t r .

M 000AAleO CALCULAT0m Am StaAAase i CALCULATOR '

beOR.

PASSS.

i f 1F

- 'm

} CTUA y Rs C.L.

. -].,

l TOTAL a

• s FW T m

E PEE 0 WATER CONTROL 4ttACTOR

$ C08ffROL PW C.L.

D C 'CTUA D Q PLOW Ptow I

v v v Loop A Loop a \

TunalNE BYPASS PLOW PLOW 1r I vALvas U CONTROL VALvas C00mt0L l l vatvas EMC a0 ggt I

1f hePW Punsps SPE80 II 1 i Tunsas l

CONTROL VALVES t

l l FIGURE 3.1 l

l l

l l

k

t

. s 3.1 .1 a. .1 (Continued)

This action causes the turbine governor valves to open further, immediately increasing steam flow and turbine generator output. As the reactor and steam generator respond to their demand signals and produce more steam, the energy borrowed is replaced as the pressure -

returns to the original setpoint value.

The Rancho Seco integrated control scheme is a single, tightly interwoven, and complex system involving both feedback and anticipatory feed forward signals throughout the plant. Control schemes at other plants (e.g., at Westinghouse and GE-designed plants) use several electrically separate and independent control systems to balance steam production and steam usage. For example, one control system maintains the turbine steam flow at a constant value; another control system matches feedwater flow to steam flow; and a third control system maintains reactor power at a constant value.

The primary advantage of separate control systems is that when a single control system fails, the other control systems are electrically independent, are not affected and, therefore, tend to stabilize overall plant conditions. When the power to the ICS fails, control of turbine steam flow, feedwater flow, and power level are all affected.

Block Diagram Figure 3.2 illustrates the four major equipment subsystems of the ICS: the unit load demand; integrated master control; feedwater control;

[ and reactor control.

l l

The unit load demand subsystem is the primary interface between the ICS and reactor operators and includes features for load setting (i.c.,

demand), limiting plant runbacks, and automatic tracking to maintain plant conditions within predetermined limits.

The integrated master control subsystem serves several purposes. First, it provides the desired electrical output power based upon the electric megawatt demand s ignal .

l l

1 l

1

i

~.

MEGAWATTS DEMANO MASTER CONTROL STEAM PLOW CONTROL STEAM PRODUN CONTROL IMEADER PRESSURE CONTROu (T CONTROU SYPASS TURSINE CONTROL CONTROL PEEDWATSR REACTOR CONTROL CONTROL

^

ACTUAL Mwe t r i f SYPAPS TURSINE FLOW PUMP ROD THROTTLE CONTROL VALVES SPEED POSITION VALVES VALVES CONTROL CONTROL t ,

f i MEGAWATTS GENERATED FIGURE 3.2

- . . , .-- --7.,m, -. . -.. ..-m- - . . - . - - . , ,_ ,,,e ,---p ,-w.w-- m,,,.y- - - --- -r- - - ,-,,- , -.

i k -

3.1 .1 a. .1 (Continued)

Second, it maintains a constant steam header pressure. One output of the integrated master control interfaces with the electro-hydraulic control unit of the turbine generator. Another output signal controls the bypass of steam around the turbine directly to the condenser (i.e., the turbine bypass valves) and controls the dump of steam to the atmosphere (i.e., the atmospheric dump valves). It also calculates the demand signals for feedwater and reactor power. The integrated master subsystem is the mastor control for the fecdaater control and the reactor control subsystems.

The feedwater control subsystem matches the actual feedwater flow to the feedwater demand signal from the integrated master control subsystem. The total feedwater flow is also balanced between the two once through steam generators (OTSGs) so as to maintain equal heat transfer (i.e., the returning cold leg temperato--s are maintained essentially equal regardles: of OTSG fouling and the number of plugged tubes). The feedwater control subsystem will receive a " cross limit" signal from the reactor control subsystem if the difference between main feedwater (MFW) flow demand and actual NFW flow exceeds a predetermined limit. (A " cross limit" is an additional control signal that is produced when a controlled variable is outside the normal j

control range.) The feedwater control l subsystem sends a " cross limit" signal to the l

reactor control subsystem to reduce or increase power if the reactor power and reactor demand differ by a predetermined limit. The feedwater

! control subsystem also includes a "8tu Limiting" feature to limit the MFW demand i signal so that the final steam temperature is maintained. The primary output of the l feedwater control subsystem is control signals to the MFW flow control valves (both startup and main) for cach OTSG. Another output controls the MFW pump speed in order to I maintain a specified pressure drop across the l f low control valves as the MFW flow changes.

onother output modulates the auxiliary feedwater (AFW) (ICS) flow control valves.

l 3.1 .1 a. .1 (Continued)

The reactor control subsystem matches the actual reactor power to the power demand signal from the integrated master subsystem, while maintaining T,q .at a constant value. The reactor control subsystem accomplishes this by sending signals to withdraw or insert the reactor control rods when the neutron power is outside a "deadband" around the neutron power demand.

The ICS is closely coordinated with the non-nuclear instrumentation (NNI) system since the purpose of a control system is to adjust the actual value of a process variable to a desired (i.e., demand) value. The NNI provides the input signals to the ICS that represent the actual values of numerous plant variables.

When the signals representing plant variables are accurate and the ICS is functioning properly, plant control is smooth. If the NNI signals are not accurate, the ICS cannot sense the discrepancies and will initiate control actions based upon the erroneously indicated conditions. The resulting ICS control actions will not be appropriate and as a result a transient may be introduced throughout the plant that can be severe.

Many of the indicators in the Control Room (both meters and recorders) are non-safety-related output devices and are in many cases part of the NNI system; hence, they are generally independent of the ICS. However, there are exceptions that had not been generally recognized prior to the December 26, 1985 incident. For example, the MFW flow recorders indicated a value near mid-scale due to the loss of ICS de power, when MFW flow was actually zero.

_ 3 7 __

3.1 .1 a. .1 (Continusd)

Output Signals The electrical output signals of the ICS at Rancho Seco take various forms. Throughout the internal modules of the ICS, a standard signal is used that varios between -10 Vdc and +10 Vdc. For control valves throughout the plant, the ICS output signal reflects this standard signal (where -10 Vdc corresponds to fully closed, zero Vdc corresponds to a 50 percent open position, and +10 VJe corresponds to fully open). This format was adopted because the ICS designers believed that the 50 percent positions, which would occur upon loss of ICS power, would result in a transient of less magnitude than either a fully closed or a fully open demand signal. At Rancho Seco, the principal valves that are controlled by the standard +/-10 Vdc signal are the turbine bypass valves (TBVs), atmospheric dump valves (ADVs), NFW flow control valves (both startup and main), and AFW (ICS) flow control valves.

In addition, the ICS output signal to the turbine throttle valves (via the electro-hydraulic control) is in the form of pulsos. Positivo pulses cause the valves to open; negative pulses cause the valves to close; and zero output causes no motion.

The ICS output signal fo- the NFW pump speed varies from zero to +10 Vdc. A signal of 3.4 Volts or less corresponds to minimum speed and 7.3 Vdc or greater corresponds to maximum speed.

The ICS output signal for the reactor control rods is either +5 Vde, zero, or -5 Vdc. The positive voltage corresponds to rod withdrawal, the negative voltage corresponds to rod insertion; and zero Vdc corresponds to no motion.

[

l

[ __ __ _ _ _ _ _ _ _

+ -

1

, 3 s

h. [

3.1 .1 a. .2 ICS Operatine Hi $ m

.s ~, . '

,(

The following paragraph is taken from NUREG-1195 '

Section 7.1.2.

~

\

1 E:

a.

' k:The First Rancho Seco Loss of ICS de pow Incident. (? e .

q On January 5, 1979, a reactor' trip occurred which was initiated by the loss of ICS de power g at Rancho Seco. The trip was caused by a .,

short-to-<jround in the ICS and resulted in a subsequent reactor cooldown which exceeded the limits in the plant%Technical Specifications.

s, ( '., '

(The reactor coolant system was cooled by approximately 120*F in 15. minutes.) During

~~ ') this event 7 a technician peAforming a c modification .to the ICS accidentally shoe ted

the circuit to ground, causing the 24;VDC power

! l 3 supply monitor to trip. The loss of power '

it resulted in the feedwater valyes-going to the mid-stroke position, which_ caused the reactor

~

, coolant system pressure to increase, causing'a reactor trip. Subsequent overcooling, caused RCS pressure to decrease, causing SFAS '~

~

actuation, wbich in turn caused AFW to initiate. 'Thus, the course 'and consequences' of this event were v'ery siwilar to the Decembar

~

26, 1985 incident. During the 19J7 event there was d* compounding problem of s a switch error that caused a lack of indication of SFAS i Channel a actuation.

.I

[

b. On early occasions when ICS Power was lost l' during its first year of operation, Rancho Seco underNent several transients caused.by. loss of _

power Eo the ICS. These tra'nsients/occ'urred ibecause the ICS had only a single 120 Vac power

> supply (i.e., the system lacked a backup power supply). The system was modified to provide a redundant power supply, a configuration which s had served well prior to. the~ Dodember 26, 1985 l event. ihese earlier ovants did not result in I. '

_ excessive overcoolings as' typified by the 1979 '

an'i 1985 loss of de power events.

,r e L i s

t l

l y

_ 39 _ ,>

l l . i.

l'

}

}

O 3.1 .1 m. .2 b. ICS Maintenance and Operations.

In the years immediately preceding the December 26, 1985 event, the ICS had become the subject of an ever broadening preventive maintenance, calibration, and tuning program. During the startup in the fall of 1985 a comprehensive ICS tuning program had been accomplished, as well as a program to minimize the effects of contact resistance buildup on switches and relays within the ICS. As a result of this attention, the ICS was operating smoothly when the trip occurred on December 26, 1985.

While the December 26, 1985 cransient resulted from the consequences of loss of ICS control, it must be appreciated that a properly tuned ICS can, and has, many times allowed the plant to remain on-line when electrical grid upsets or internal plant equipment malfunctions occurred. Its ability to control the dynamic transfer of reactor generated heat is most impressive.

.3 NNI System Description The Non-Nuclear Instrumentation (NNI) System is designed to apprise the operator and/or the automatic (protective, regulating or auxiliary systems) controllers of the process conditions that exist within various plant systems. The NNI System provides measurements used to indicate, record, alarm, interlock, and control five basic process variables. These basic process variables are:

pressure, temperature, flow, level, and component position. The NNI provides the required input signals of the process variables necessary for the operation of the Integrated Control System (ICS).

In addition, the NNI provides instrumentation for measurement and control of process variables necessary for proper operation of the Reactor Coolant System, Secondary plant System, Makeup &

l Purification System, Core Flood System, and Decay l Heat Removal System. The functions of NNI are primarily used for plant startup, operation, and I

shutdown.

~

3,1 .1 a. .4 NNI Operating History

a. The Rancho Seco Lightbulb Incident l The following is taken from NUREG-1195 Section 7.1.1:

On March 20, 1978, Rancho Seco underwent a severe transient as a result of a loss of power to NNI, which provides the input signals to the ICS, During this event, which has come to be known as "the lightbulb incident," an operator was removing a light bulb from a back-lighted push button in the control room. While handling the bulb, he dropped it into the cavity left after removing the bulb retainer. This caused a short circuit on the -24 VDC NNI-Y power system, which was not adequately fuse-protected.

The power supply monitor for the NNI-Y detected the low bus voltage caused by the short circuit and tripped the 120 VAC input switches (S1 and S2). Although the initial problam occurred in the NNI System, it resulted in a mid-scale failure of signals being sent from the NNI to the ICS. Although the cooldown rate of the primary system was excessive (the plant was cooled 300*F in 80 minttes), the operators were able to stabilize the plant. During the event, the Safety Features Actuation System (SFAS) actuated automatically because of low RCS pressure.

Following this event, SMUD was concerned that this previously unrehearsed situation had caused considerable uncertainty with respect to the validity of the inst.rumentation in the Control Room. As a result, SMUD conducted an extensive review of the event. lhe specific changes made

! as a result of this review include:

l

• Installation of changes to reduce the l

likelihood that a dropped lightbulb would cause a short circuit

. Installation of lower-rated fuses to provide faster clearing of faults

~

3.1 .1 a. .4 m. (Continued)

. Installation of a separate power supply system for NNI instrument selector switches

. Installation of fuses in NNI circuits that previously had no fuses

~

• Installation of new instrumentation independent of NNI

+ Preparation of procedures for loss of NNI and training of the operators on the use of the procedures

b. March 19, 1984 Partial Loss of NNI at Rancho Seco The following is taken from NUREG-1195 Section 7.1.6:

On March 19, 1984 a hydrogen explosion and fire occurred in the electrical generator at Rancho Seco while the plant was operating at 85 percent power. Following the explosion, the turbine was tripped manually from the Control Room, causing an immediate reactor trip. The fire was extinguished automatically by the area CO2 system, and the plant was safely shutdown. Twice within the next several hours, the plant experienced a partial loss of NNI power.

l The March 19, 1984 loss of NNI was the l result of a single failure of an inverter

! compounded by a separate undetected NNI l power supply monitor setpoint drift.

These failures caused the of the

! redundant NNI power sourt. .is occurrence did not adversely effect the plant, although it did complicate the response to the explosion and fire.

l l

I l

{ - -_

3 3.1 .1 b. ICS and NNI Power Distribution Systems f

l NUREG-11.95 Section 3.1.6 describes the ICS power i distribution system as configured on December 26 1985. i Figure 3.3 shows that configuration. The NNI was similarly configured. Modifications are being made which significantly revise this configuration to improve the reliability of the power distribution network and supplies to both systems.

New, battery and diesel generator backed inverters will be provided for both the normal and standby supplies to the ICS/NNI Systems. These are shown on Figures 3.4 and 3.5. Significant changes incorporated since December 26, 1985 are the ICS S1/S2 trip on Loss of NNI power, the connection of the Power Supply Monitors directly to the bus, (rather than at the end of the distribution daisy-chain), and the use of normal and backup inverters for the ICS/NNI. Other changes were made to the ICS/NNI DC power supplies themselves to insure that their current capacitics have adequate margin over the load requirements.

'I

e omou SIGB-1 Normal Supply opeons S1J Standby Supply

, % auto sus wwseren 3

f:  ; To ses actoans O

\ g g f p

- aceon ,

si ran poseen ami -

pastume I

o on '

= - := __ _ _ _ _ _ _ _ _ _ __ _ _ ____ _9 - -

,itus Powen SUPPLY P0we suppty

- - , c, I

.  ! I l

l1 l1, l' 1l l

11ll l . l'llll i I lI 1'

I

=

- _ _ _ _ _ - _ _i ii i i i I ,i i

lI

. o. -

2

o. ._ _ Il ll

<- ___J I '

i aucriassano osoons

' *- J l

+as vm u 3E Il 7I 25 l i

K.s sus .as vm icsaus ,

l' l 1 I II t -I

_ _ _ _ _ - ___a ICS Internal Power Distribution FIGURE 3.3 l

I

, EMERGENCY DIESEL CENERATOR POWER DISTRIBUTION - Train A i GEA GEA2

'  ; L

)

t)

I 53A -

I) 1) l)

)

MCC S2Al ~MCC S2A3

') -1) 1)

a H4BC2 H4BA2C2 H4BA2 H48GA m

j , ,_ _ _________q DC2 ._BA2 __BGA f

=

l) ) = ) E l) T l) SOC 2 i i TSOA2 .

g_gg i

') I) I I i SIC 2 SIA2 l SIGA

) 4 -

v N-lE

-l) l) sie sic 2-1 120VAC l SIA 12OVAC l)SI A2-1 12OVAC ) SlJ i I) I) I) I) ) l)

) U y 1r l' l '

y ErlC "C" 120VAc EFIC "A" , ICS NNI-X NNI-Y/Z ,

SPDS "A" ll2SD Shutzlown

"""'I FIGURE 3.4

EMERGENCY DIESEL CENERATOR POWER DISTRIBUTION - Train B GG il a

480V S38 G22

< k 480V S382 l

MCC $281 l) ' '

l)

, MCCl S283 i $ s I

l l \ _ __ _ __. t_ -

j H4BD2 11480207 M4802 H40NI H4 Set 7 =------------ g 4

I i , -

1

' I)

• i}

l I 882

~}5002~l i) T 802 l

l l

I) l T BNI I) 9 808

~~

g bE

. =

g

• i) l) i)

I '

,i!r .J. j lIr .

0E o q-- - No g

l l ESE

. .) -I?cavAC

, ,i 157-l . - 10 2-1

-) 120,VACI SINI-I 120V4C I SIG8-l

) ) i) ,) ,) ,) -

I ^C "'"

h) I) 1 120VAC SID I '

criC a sJs a- rn c o- I., oCs m3 al -wnmes uOnum.

FIGURE 3.5

3.1 .1 c -. Power Supply Monitor, Design and Operation The +/-24 Vdc paeer system within the ICS/NNI Systems also includes a power supply monitor module. This module monitors both the output voltage of each power supply and j the voltage on the +24 Vdc and -24 Vdc bus. If any power supply output falls below a predetermined level (i.e.,

23.5 Vdc), an annunciator alarm is activated in the control room. This alarm output is a " trouble alarm" (i.e., there is no immediate action required, but a loss of redundancy has occurred and a maintenance request should be initiated).

When the power supply ronitor detects low voltage on ,

either the +24 Vdc bus or the -24 Vdc bus (22.0 Vdc or  !

less) it actuates a " Power Supply Failure" annunciator alarm in the control room, interrupts the incoming 120 Vac power to all four dc power supplies c' y sending a trip signal to the Si and S2 switches. These switches include integral nonadjustable time delays 'such that the switches will trip to the "0FF" position if the bus voltage does not recover within 0.2 to 0.8 seconds. The rationale for opening those switches is that if the voltage falls outside this range the performance of the ICS is undefined.

Investigation of the ICS de power distribution after the Occcmber 26, 1985 trip, revealed a bad crimp of a solderless terminal lug connection on the positive 24Vdc distribution bus in the ICS cabinet #1. This bus is connected to the main positive 24Vdc power auctioneer bus panel in Cabinet #3. This bad termination point caused a high resistance in series with the power supply monitor

+24Vdc sensing lead. This resistance, which would have varied depending upon how bad the connection was and its state of deterioration, could have caused a sufficient voltage drop to cause the power supply monitor to trip Si and S2, the ac input to all de power supplies. This problem was further adversely affected by a higher than normal current flowing through this bad connection due to additional electronic modules that were fed by this bus.

The power supply monitor and 23 other electronic modules are installed in the ICS cabinet #2 that is fed by this bus. ICS cabinet #1 does not contain any de loads fed by this bus; it is only a distribution point.

• O 3.1 .1 c. (Continued)

The additional current drawn by the 23 electronic modules is calculated to be in the order of 500 ma and the 65 ma drawn by the PSM would cause a voltage drop sufficient to cause a trip by the PSM if the resistance was as little as four (4) ohms. The power supply monitor is set to trip at 22 volts dc. Therefore, a voltage drop of (0.565) x (4) = 2.26 volts would be sufficient to cause the PSM to trip.

The PSM is sensitive to resistance at the input terminals, because it is sensing a voltage that will be reduced due to the current drawn through any external resistance. The design that was installed in the ICS y during the December 26, 1985 trip subjected the PSM to unnecessary voltage drops on its sensing leads due to external resistance, because the PSM was included in a

" daisy chain" that provided power to 23 additional electronic modules. That is, the current required by the 23 electronic modules caused any external resistance to be more of a problem than it would have been if the PSM had been connected to the main de buses by its own L sensing leads. As discussed in the root cause determination, if the current across the assumed 4 ohm {

t resistor was only due to the PSM, i.e., 65 ma, the voltage drop would have been only 0.26 volts. The 0.26 volt drop would not have been enough to cause the PSM to trip. The voltage seen by the PSM would have been

+23.74V de, which is not low enough to trip the PSM.

Considering only the 65 ma current, the resistance required to lower the voltage to the trip voltage (22V) would bc 30.77 ohms. This value has been verified by the testing lab (SAIC).

Since the December 26, 1985 trip, a modification has been mado to the ICS power supply monitor sensing circuitry to wire two individual #20 AWG leads directly to two termination points on each of the main 24Vdc buses.

This modification will greatly reduce the possibility of problems with resistance between the buses and the PSM inputs, since each PSM sensing input will'be terminated to two independent points on each main bus.

Evidence, obtained after the December 26, 1935 trip, supports the District's belief that the power supply monitor did not fail but, in fact, performed its required function. Test results by Scientific Application International Corporation (SAIC) have shown that, although the PSM that was installed in the [CS did have a cold solder joint, this did not cause the 12/26/85 trip.

-- 4 8 -

3.1 .1 c. (Continued)

The shunt trip switches S1 and S2 were provided with the ICS and NNI de power supply auctioneer panels. These switches open the ac power to all de power supplies in these individual systems for loss of either the + or -

24Vdc buses. Ir. order to reduce the number of trips due to short duration power losses, the switches were to have approximately 0.5 seconds delay between the time the PSM demanded a trip and the time the switches actually opened. After the 12/26/85 plant trip, tests were performed on the switches from the ICS and found to trip in only 0.14 to 0.16 seconds.

The manufacturor, Heinemann Electric Co. , provided the information that the delay time is checked at the factory prior to shipment and is acceptable if the delay time is between 0.2 and 0.8 seconds. Also, they recommended

, replacement of the switches after five years of usage.

No design changes are deemed necessary, because operating experience has shown no spurious trips have occurred due

~

to reduced time delays. Also, SAIC stated that the delay.

was supply voltage sensitive and that delay increased with a reduction of supply voltage. At an ac voltage of 57 volts, the switches will not open at all.

This information will be considered in any design changes that might be made to reduce the possibilities of spurious trips. To increase the delay time, a series resistance can be inserted into the shunt trip circuit to provide up to several seconds of delay, if an analysis of the systems (ICS/NNI) shows that system performance is not detrimentally affected. During testing at SAIC, one of the switches was disassembled and inspected. It was found to be very clean inside and no damage or deterioration was evident.

Similar shunt trip switches to S1 and S2 are installed in both the NNI X and NNI Y power supply systems; two in NNI X and two in NNI Y. All S1 and S2 switches will be replaced every five (5) years per the manufacturer's recommendations.

l l

l 1

j 1

I l

~

3.1 .1 d. Identification of Cystems/ Components Controlled by ICS and NNI.

Subsequent to the installation of EFIC the following Systems / Components will be controlled by the ICS:

System / Component Drawing Pulser (77) N21.01-71 Turbine Gov Valve PY-20561, 63, 64, 66 N21.01-72 T8Vs E/P Rod Insert / Withdraw N21.01-75 Ocmand = Power

.

• FY-20525 E/P N21.01-79 MFW Valve Loop A

• FY-20575 E/P N21.01-79 SU Valvo Loop A

• FY--20526 E/P N21.01-80 MFW Valbe Loop B M FY-20576 E/P N21.01-80 SU Val' op B FW Pump Speed N21.01-81 Pump A FW Pump Speed N21.01-81 Pump B The following Systems / Components are controlled by the NNI:

HY-22011 E/P N15.07-76 Lotdown Bypass Flow Pressurizer Control, N15.07-64 iteater, Spray, EMOV FY-23606A N15.07-74 E/P RCP Seal Supply LY-21503 N15.07-74 E/P RC Hake--up Flow M Receive Priority close commands from Ef1C 3.1 .2 LOSS OF ICS or NNI DC POWER

a. Root Cause for December 26, 1985 Loss of ICS DC Power and Correctivo Actions The direct cause of the December 26, 1985 event was the loss of ICS de Power caused by a manufacturing error on a lug improperly installed on a factory prepared wire. The resulting connection exhibited variable resistance at the input to the ICS Power Supply Monitor (PSM). The resulting variable' voltage lead to the pSM tripping when the ICS was still being supplied with nominal voltage and power.

Contributory Causes:

1. The Power Supply Monitor is sensitive to resistance in series with its voltage input. As little as one ohm was found to cause the trip point to increase.

Appr'oximately 5 ohms was sufficient to cause the PSM to trip at its nominal operating voltage, 24 Vdc.

• Corrective action involves wiring the PSM directly to the de source bus rather than to the end of the distribution bus.

2. The Si and S2 source switches were found to have short timo delay characteristics of approximately 0.15 second, while the specification is for 0.5 second. This made them more sensitive to the short term intermittent trip signals generated by the PSM. Corrective action was to install new switches, include a delay-time measurement in the surveillance test, and to apply those corrective actions in the similarly configured NNI systems.

Subsequent laboratory analysis of the power supply monitor found an internal cold-solder joint which acted to reduce the sensitivity of the unit. It was determined that this was not involved, and did not contribute to the event of December 26.

The rewiring of the ICS cabinet, to connect the PSM directly to the power supply buses it monitors, minimizes the potential for intermediate contact resistance to occur and thereby effect the voltage conditions on the buses or to the PSM.

r .,

l

~

l 4 3.1 .2 .a Laboratory analysis of the S1/S2 Power Supply Trip switches found that aging will change the delay time for the units. Corrective Action was to install new switches and to place a time delay measurement in the surveillance testing program for the ICS. In response to the human factors concerns regarding the difficulty the operators had in determining the operate / trip condition of these breakers, new labeling and training have been provided.

A recommendation that redundant PSNs be incorporated into the design was rejected based upon the excellent service record for the units (no failures to operate, or inadvertent operations, in approximately 100 service years) and the fact that on December 26 the ICS PSM issued its trip signal as a result of sensing a low voltage at its input. That low voltage was a result of the loose lug on the interconnecting factory wiring.

As a result of the loose lug on the factory cabinet wiring, an exhaustive program to inspect, test, repair, and upgrade the terminations, both field and factory, was accomplished in all cabinets supplied by the Bailey Meter Company. The systems involved were the ICS, NNI, RPS, and SFAS. Over 40,000 terminations were involved and over 6000 manhours expended. Seven terminations were found which would not meet acceptance criteria, although the circuits were all operable. These have been repaired and the electrical maintenance criteria revised to include similar inspections of cabinets in conju,.ction with routine maintenance.

One new trip input was added to the ICS S1/S2 switches.

Upon Loss of NNI, which provides the signals the ICS processes, the SI/S2 switches will open. This insures that the plant will go to a known and safe post-trip condition during loss of NNI events. For purposes of post-trip response, a Loss of NNI will look like a Loss of ICS. Response to the Loss of ICS is as described above, and will not cause the overcoolings that both Loss of ICS and Loss of NNI events have in the past.

l

~

3.1 .2 b. System / Component Response to Loss of ICS or NNI DC Power NUREG 1195, Paragraph 3.1.4. described the Loss of DC Power to the ICS as follows.

Upon loss of de power within the ICS, there are three results.

• First, the various control modules lose power; hence, their outputs go to zero Vdc.

• Second, many switching relays lose power and go to the do-energized state.

• Third, manual control from the control room of ICS-controlled plant equipment is lost.

In summary, due to the zero Vdc outputs (as configured on December 26, 1985), the ICS causes the following automatic actions: T8Vs and ADVs go to the 50 percent stroke position; turbino throttle valvos remain "as is";

main and startup MFW flow control valves go to the 50 percent stroke position; speed of the NFW pumps goes to minimum; AFW (ICS) flow control valves go to the 50 percent stroke position; and the reactor control rods remain "as is." It should be noted that the setpoint for the "NFW pump discharge pressure low" has been selected such that when the MFW pumps are at minimum speed, the pressure switches trip and AFW is initiated automatically.

Upon loss of dc power, many ICS switching relays change state. One example is the relay associated with the operation of the stop valve for the main MFW flow control valve. The de-energized state corresponds to the startup MFW flow control valve being open less than 20 percent.

When this condition exists, or the relay is de-energized by a loss of ICS power, the NFW stop valve is closed, thus automatically isolating flow through the main MFW flow control valve (but not the flow through the startup MFW flow control valvo).

At Rancho Seco, when loss of ICS de power occurs and devices chango position automatically, operators in the control room lose remote control of ICS-controlled plant i

equipment. Hs a result, plant personnel must go to a variety of locations throughout the plant to operate LCS-controlled equipment manually (locally), a procedure that proved to be both time consuming and difficult to accomplish.

1 l

l i

i i

l I

l

3.1 .2 .h RESPONSE:

The following actions have been taken which specifically address the above concerns as identified Ln NUREG 1195.

1. Future results of loss of de power within the ICS.

The first two identified results, zero output from control modules and de-energized switching relays, will continue to occur when Rancho Seco restarts, although the B&W Owners Group is pursuing major ICS modifications which will address both of these conditions. Since it was impractical to institute such comprehensive changes prior to restart, the approach taken was to address the third " result".

Control of devices important to post-trip response has been made ir, dependent of the ICS and control provided to the operator from within the Control Room. This has been accomplished by assigning all Auxiliary Feedwater System related control functions to EFIC, including a Class 1 steam relief pathway through the Atmospheric Dump Valves (ADVs). At the same time, positive closure of the Turbine Bypass Valvos (T8Vs), and independent control of the Auxiliary Steam Header Supply will be provided. The Main and Startup Feedwater Control Valves remain on ICS, although EFIC has taken over the function of the Main Steam Line Failuro Logic which previously would isolate the main feedwater system when required. In any case, a new motor operated isolation valve prevents ICS demanded feed if conditions so warrant, as determined by EFIC.

2. Consequence of loss of de power to the ICS.

Both Main Fecdwater Pumps will be tripped on loss of l

ICS power. Loss of Main Feedwater Pumps will then cause a Reactor Trip if reactor power >20%,

otherwise the RPS will cause a reactor trip on high l RCS pressure. The Class 1 EFIC will then assume

! control of OTSG inventory and insure that subsequent overcooling /undercooling does not occur. All steam loads on the Main Steam Systen are controlled or isolatable from the Control Room, with controls which are independent of ICS, and provided with Diosol backed control and/or motive power.

Associated air operated valves are now provided with Class 1 bottled air / nitrogen backup supplies.

l l

s 3.1 .2 .b (Continued)

The frequency of occurrence of this event should be much less than in the past. This is due to the specific maintenance and modification programs (surveillances, terminal inspection / rework, new S1/S2 switches, new inverters) which will be completed prior to restart.

Furthormore, the consequences of the event are expected to be benign in that the trip will not lead to excessive over/undercooling. Rather, the normal post-trip pressure / temperature conditions will be achieved and maintained as controlled by EFIC.

3.1 .2 .c ICS and NNI Backup Instrumentation and Controls

.1 Available Instrumentation Independent of ICS/NNI The following instruments are lost on loss of ICS de power:

Instrument Description XI-11201 Neutron Error FR-20535 Loop A MFW Flow FR-20536 Loop B MFW Flow SI-30101 Generator Frequency Meter The MFW recorders are powered from NNI and the signal is conditioned by ICS. The indicator's power and signals como from NNI.

Upon loss of ICS de power the MFW pumps are automatically tripped and MFW flow indication is no longer required. Additionally, generator frequency is no longer needed and Noutron Error becomes meaningless after the subsequent Reactor Trip.

1 l

l

~

3.1 .2 .c .1 The following are backup indications and controls, located on or near the main control panel, which may be used on loss of ICS or NNI:

INDICATOR DESCRIPTION LI-20505A OTSG A Low Range Level LI-20505B OTSG A Low Range Level LI-20507A OTSG A High Range Level LI-205078 OTSG A High Range Level LI-20506A OTSG B Low Range Level LI-20506B OTSG B Low Range Level LI-20508A OTSG B High Range Level LI-205088 OTSG B High Range Level PI-20545A OTSG A Pressure PI-20545B OTSG A Pressure PI-20546A OTSG B Pressure PI-205468 OTSG B Pressure FI-31803 AFW Flow to OTSG A FI-31802 AFW Flow to OTSG A FI-31903 AFW Flow to OTSG B FI-31902 AFW Flow to OTSG B HIC-20527A AFW to OTSG A Control Valve FV-20527 HIC-20531 AFW to OTSG A Control Valve FV-20531 HIC-20528A AFW to OTSG B Control Valve FV-20528 HIC-20532 AFW to OTSG B Control Valve FV-20532 PI-30001 AFW Pump P-318 Discharge Pressure PI-31901 AFW Pump P-319 Discharge Pressure HIC-20571A ADV Control Loop A HIC-20562A ADV Control Loop B Hand / Auto TBV Control, Loop A Station Hand / Auto TUV Control, Loop B Station t'

3.1 .2 .c .1 SPDS has the following backup indication independent of ICS and NNI:

SPDS PT TRANSDUCER DESCRIPTION T9015 TE-21023C Tc Loop A T9014 TE-21024C Tc Loop B T9011 TY-21033 The Loop A T9010 TY-21030 The Loop B L9801 LT-20501 OTSG A Full Range L9802 LT-20532 OTSG B Full Range L9803 LT-20503A OTSG A Operate Range L9804 LT-205048 OTSG B Operate Range L9003 LT-26507 CFT A Level L9004 LT-26506 CFT B Level L9000 LT-23502A Makeup Tank Level F9000 FT-23603 Makeup Flow F9015 FT-22013 Letdown Flow F9001 FT-23805 HPI Flow SFV-23809 F9003 Fr.-23807 HPI Flow SFV-23811 F9002 FF-23806 HPI Flow SFV-23810 F9004 FT-23808 HPI Flow SFV-23812 F9005 FT-26003 Decay Heat A Flow F9006 FT-26004 Decay Heat B Flow L9005 LT-21503A PZR Level A L9006 LT-21503B PZR Level B L9007 LT-21503C PZR Level C L9818 Lf-20508A OTSG B High Range L9819 LT-20507A OTSG A High Range L9822 LT-205088 OTSG B High Range L9823 LT-20507 OTSG A High Range P9800 PT-20546A OTSG B Pressuro P9801 PT-20545A OTSG A Pressure P9802 PT-205468 OTSG B Pressure P9803 PT-205458 OTSG A Pressure L9601 LT-35809 CST Level L9602 LT-35810 CST Level

3.1 .2 .c- .1 (Continued)

In addition, instrumentation on the Boron Shutdown panel (in the Control Room) independent of ICS and NNI is also available:

INDICAf0R DESCRIPTION TI-21025F Tc Loop A II-21033A The Loop A LI-20501B OTSG A Level PI-20543E OTSG A Pressure PI-21043A RCS Pressure XI-00001C Neutron Source Range LI-21503E PZR Level LI-21503F PZR Level LI-21502D Makeup Tank Level TI-21024D -

Tc Loop B TI-21034A The Loop B LI-205028 OTSG B Level PI-20543F OTSG B Pressure To further auginent the above, a recorder will be added to the Control Room which will monitor the following parameters, independent of ICS or NNI:

?

INDICATOR DESCRIPTION PT-21043 RCS Loop A Pressure PT-21042 RCS Loop B Pressure LF-21503D PZR Level LT-23502C Makeup Tank Level IE-21024C Tc Loop B TE-31025C Tc Loop A LT-20501A OTSG A Level LT-20502A OTSG B Level lE-21033 The Loop A TE-21030 The Loop B XE-01019 Incore Thermocouple XE-01035 Incore Thermocouple PT-20543D OTSG B Pres'sure PT-20543C OTSG A Pressure XE-00005 Source Range A XE-00006 Source Range B FT-23606A RCP Seal Supply Fi-22013A Lotdown Flaw F T-23001a Makeup l' low PD T-23003 A Makeup Filter dp IE-20541A Gecondary Gtnam lemperature A IE-25042A Gecondary Gloam lemperature 0 3.1 .2 .c .1 On loss of NNI ac or dc power, procedures and training direct the operator to instrumentation independent of NNI and to ignore all NNI

,-- indication. The above listed instruments provide an adequate selection of independent and diverse indications to insure that the operator can adequately and promptly respond to loss of ICS/NNI events.

.2 Available Controls Independent of ICS/NNI

a. ICS Controlled Parameters Following installation of EFIC, durir3 normal operation the ICS will be controlling Main Feedwater Flow, Main Steam Pressure and Reactor power through the Main Fecdwater Pump Speed, Main /Startup Feedwater Control Valves, and Turbine Governor or Turbine Bypass Valves.

Upon loss of ICS and the subsequent reactor trip, EFIC will control feedwater flow and steam pressure via the Auxiliary Feedwater and Atmospheric Dump Systems. Main Feedwater will be isolated. Turbine Bypass Valves will fail closed and may be manually controlled and/or isolated from the Main Control Room. This allows the operator to steam to the condenser (if available) using TBV controls independent of ICS, If secondary plant steam is contaminated, this will reduce offsite dose effects. All other secondary plant steam loads continue to be remotely isolatable from the Control Room using diesel backed, electrically powered, isolation valvet. In this manner all secondary plant heat loads are controlled independent of the ICS.

.b NNI Controlled Parameters Independent controls are available for the important NNI controlled parameters. These parameters are primarily the RCS' Pressurizer Heaters, Pressurizer Spray, and RCS Makeup and Letdown flows. Loss of NNI causes a trip of -

the LCS, followed by a reactor trip. In this infrequent occurrence, RCS pressure is maintained by use of Pressurizar Heaters which are diesel backed and manually controlled from the Control Room independent of the NNI. The spray valves close on loss of control power.

Pressurizer inventory is manually cont rolled using the HP1 system as is done following most reactor trips.

.-- - . _ _._ .--__._---__L--_.

3.1 .2 .d Indication / Annunciation of Loss of ICS or NNI Power As configured on December 26, 1985, the ICS alarm annunciators were identified as "ICS or Fan Power Failure," the NNI was similar. These were multiple input annunciators which responded to low output voltages of a single redundant power supply, low 24 volt dc bus voltage, or a cabinet fan failure. Each of these inputs having a widely different significance of impact upon the plant. To resolve this dichotomy the alarm inputs have been regrouped to indicate either "ICS Trouble" or "ICS System Failure," (similarly for NNI). The corresponding annunciator response procedures have been improved and rewritten to reflect these changes. The operators have been trained on the significance and actions appropriate to each type of alarm. The details of the alarms are as follows.

. .1 ICS Failure Annunciator window H2PSB-64 "ICS SYSTEM FAILURE" will alarm on the loss of the + or - 24 Vdc power i buses only. This alarm gives the control room operators an indication that ICS is no longer functioning.

.2 ICS Trouble The main control room annunciator window "ICS TROUBLE" will alarm on any of the following conditions:

• Any fuse blown in the ICS system

• Any cabinet fan failure in the ICS system

• Any de power supply failure within the ICS system Blown tuse, fan failure and loss of a single power supply are all on the same window because the operator's response is the same for all three conditions. The operator has to go to the ICS cabinets to determine which fuse has blown, which fan has failed, or which power supply has failed.

If a blown fuse leads to a reactor trip, the operator will get other alarms both prior to the trip and post trip relating to the specific condition. The operator will respond to the specific alarms and then proceed to clear the blown fuse.

3.1 .2 .d .2 (Continued)

It was determined that none of these three items is

. - likely to cause a reactor trip, or present en unsafe condition during plant operations. All of thase items require investigation within the ICS cabinets to determine which fuse has blown (fuse holder indicates blown fuse), which fan has failed, or which power supply has failed (extinguished indicating light on ICS cabinet indicates failed power supply).

.3 ICS AC Power Transfer / Trouble In addition, ac faults within the ICS system ars annunciated as follows:

.a For a fault downstream of a fuse, the "ICS TROUBLE"' alarm will actuate on the blown fune.

.b For a fault between the Automatic B'us Transfer (ABT) and the fuses, the normal supply breaker will trip, the ABT will transfer to the alternato supply, and the associated breaker will also trip causing a loss of the alternate power supply, causing a total loss of power to the ICS system, the "ICS TROUBLE", "ICS SYSTEM FAILURE", and "ICS OR NNI 120 VOLT POWER TRANSFER", will all alarm on this condition besides displaying on the IDADS CRT for bus trouble and "non-vital power bus 1E/1F/1J trouble" alarms.

.c For a fault upstream of the ABT on the normal supply, the breaker will trip and the ABT will transfer to the alternate supply. The "ICS TROUBLE", and "ICS or NNI 120 VOLT POWER TRANSFER" will alarm on this condition. For a fault upstream of the ABT on the alternate supply, its breaker will trip. The "ICS TROUBLE" will alarm on this condition and "non-vital power bus 1E/1F/1J Trouble" will alarm. The ICS will remain in operation, 3

supplied by the alternate supply.

l l

~

. 3.1 .2 .d .4 NNI Failure Since NNI is similar to ICS, but with three distinct de power distribution systems, three annunciator windows will be used to alarm a loss of a + or - 24 Vdc power bus:

• "NNI Z FAILURE", alarms on a loss of -Z 24Vdc power bus e "NNI X FAILURE", alarms on a loss of +X or -X 24 Vdc power buses e "NNI Y FAILURE", alarms on loss of +Y or -Y 24 Vdc power busos Receipt of any of these alarms will also cause a ,

trip of the power to the ICS 24Vdc supplies, causing a loss of ICS de power.

.5 NNI Trouble .

1 An annunciator window will be established as "NNI TROUBLE" and will alarm on any of the following conditions:

• Any fuse blown in the NNI system

+ Any cabinet fan failure in the NNI system 1

• Any power supply failure within the NNI system Blown fuse, fan failure and loss of a single power supply are on the same window because the operator's response is the same for all three conditions. The operator has to go to the NNI cabinets to determine which fuso has blown, which fan has failed, or which power supply has failed. If a blown fuse leads to a reactor trip, the operator will get other alarms both prior to the trip and post trip relating to the specific condition. The oporator will respond to the specific alarms then proceed to clear the blown l fuse.

! It was determined that fan failure and power supply failure are not likely to cause a reactor trip, or l

present an unsafe condition during plant oporattons. A blown fuse may lead to a reactor trip, but all other indications and controls not associated with the blown fuse on the faulted I

l

~

+

3.1 .2 .d .5 (Continued) component, remain operable and present no problems in staying within the post trip window. All these items require investigation within the NNI cabinets to determine which fuse has blown (fuse holder indicated blown fuse), which fan has failed, or which power supply has failed (extinguished indicating light on NNI cabinet indicates failed power supply).

.6 NNI AC Power Transfer / Trouble AC faults within the NNI system are now annunciated as follows:

.a For a fault downstream of any fuse, within any of the NNI sub-systems (X, Y or Z), the "NNI TROUBLE" alarm will actuate on a blown fuse.

.b For a fault between the ABT and the fuses within the X power distribution system the normal supply breaker will trip, the ABT will transfer to the alternate supply and breaker.

This breaker will also trip, causing a total loss of X power to the NNI system. The "NNI TROUBLE", "NNI X FAILURE", "ICS OR NNI 120 VOLT POWER TRANSFER", "NON-VITAL POWER BUS 1E/1F/1J TROUBLE" will all alarm on this condition, as well as being displayed on the IDADS CRT.

.c For a fault between the ABT and the fuses within the Y and Z power distribution systems, the normal supply breaker will trip, the ABT will transfer to the alternate supply and this breaker will also trip, causing a total loss of Y and Z power to the NNI system. The "NNI TROUBLE", "NNI Y FAILURE", "NNI Z FAILURE",

"ICS OR NNI 120 VOLT POWER TRANSFER" will all alarm on this condition, as well as being displayed on the IDADS CRT.

.d For a fault upstream of the ABT in the X power distribution, the normal supply breaker will trip and the nBT will transfer to the alternate supply. The "NNI TROUBLE", "ICS OR NNI 120 VOLI POWER IRANSFER" will alarm on this condition and there will be a display on the IDAD's CRI' for bus trouble. A fault on the alternate supply, will cause its breaker to trip. The "NNI TROUBLE" and "ICG OR NNI 120 VOLT POWER TRANSFER" will alarm, and there will be a display on the ID40s CRT for bus trouble.

l l

3.1 .2 .d .6 (Continued)

e. For a fault upstream of the AST in the Y and Z power distribution on the normal supply, the breaker will trip and the ABT will transfer to the alternate supply. The "NNI TROUBLE," "ICS OR NNJI 120 VOLT POWER TRANSFER" and H2ES-66 will alarm on this condition and there will be a display on the IDADS CRT for trouble on the bus. For a fault on the alternate supply, the associated breaker will trip and the "NNI TROUBLE" and "NON-VITAL POWER BUS 1E/1F/1J

. TROUBLE" will alarm.

.e Interactions between ICS or NNI and Safety Related Systems As described in 3.1.2.c above, indication and controls are provided which are independent of both the ICS and NNI. Where necessary these are Class 1 and, in most instancos, the backup or independent feature is a Safety System. The design of the interfaces are such that the ICS/NNI interaction is benign. At most, the ICS/NNI is only able to initiate the condition which triggers the event which independently activates the safety system (s). For example, loss of NNI/ICS does not actuate the Auxiliary Fecdwater System. That is done by EFIC which is monitorina steam generator conditions via diverso and independent instrumentation. In additicn, EFIC controls inventory and pressure using separate pumps, pipes, and valves. Similarly, the HPI/LPI/SFAS/RPS systems are all independent of ICS/NNI for both initiation and control. Should the ICS or NNI become available during a period when the safety systems are in service, it requires a specific operator action to return control to the ICS/NNI. Operators are trained and practiced at making such transfers in a "bumpless" manner, meaning that they must be satisfied that the parameter is under control and ICS/NNI control is desired. Whenever the potential for adverse interactions exists, appropriate isolation devices are included and placed under control of the appropriate safety system.

Examples are the main foedwater block valves controlled by EFIC.

l I

1 1

I l _ .. . -__

3.1 .2 .e (Continued)

The RPS and SFAS protection safety systems provide ICS/NNI with significant input for process indication and control . There are a series of lower order protection systems that also interface with ICS/NNI for both' indication and control. Not necessarily in order of importanco, these are:

• RCP Power Monitors

• Turbine / Generator Protection

• Turbine Load Limit

• MFW Pump Discharge Pressure and Trip Status

• Secondary Pressure Control (Position status of TBV's)

• MFW Pump Status

• Condenser Vacuum and Differential Pressure Status These systems are interfaced with ICS/NNI in such a manner as to prevent ICS/NNI faults from being reflected back into the lower level control and protection schemes. Failures within the individual protection schemes may drive the NNI/ICS and could lead to a plant trip. Operator action would be required to compensate for such failures.

The NNI provides 23 process inputs to ICS. These inputs consist of various combinations of RCS flows and temperatures; OTSG pressures and levels; and feedwater flows, temperatures and differential pressures.

In addition to NNI inputs, ICS receives inputs from generator MWe and frequency (currently tuned out of the control scheme) and neutron power (high signal selected in ICS).

Each input to the ICS is buffered to ensure faults within the ICS are not reflected back to an input source.

A fault within an ICS input source that results in an invalid input signal will drive the ICS and therefore affect the ICS process outputs. This can lead to turbine load, feedwater and reactor power mismatches that may trip the reactor. Af ter a reactor trip the ICS control input requirements are reduced to those needed to control OTSG heat sink and, if necessary, the operator can manually control the affected parameter.

3.1 .2 .e (Continued)

Of the 23 NNI process inputs to ICS, 12 can result in a plant trip as a result of losing one of the 2 ac or 3 de NNI power buses. Since EFIC will be installed the potential for over or under cooling due to loss cf power to ICS/NNI is greatly reduced. For these reasons, the ICS is automatically tripped upon loss of NNI power.

Loss of the generator MWe can result in driving the ICS control scheme to full power, although an overpower condition is constrained by the ICS power limiter to 102%.

Loss of a single specific ICS input such as RPS, MWe or a single NNI signal is being addressed through the BWOG SPIP program, which is focusing on future enhancements.

Modifications are being developed which will eliminate two of the 12 NNI to ICS inputs that can result in a plant trip. This is an improvement recommended by the BWOG SPIP. These may not be available at restart.

The operator has adequate information on redundant SPDS channels to verify the plant has stabilized at hot shutdown. Additionally, trended process monitoring independent of NNI and ICS wii_ be provided in the Control Room to ensure the plant can be taken to cold shutdown without NNI. Manual operation of some process controls outside the Control Room will be required during cooldown; however, the results of these manual actions can be monitored from the Control Room.

The NNI receives RC flow signals fr om the RPS. However, they are~ buffered and auctioneered.

ihe NNI receives RC pressure signals from SFAS and RPS.

They are buffered but not auctioneered, t

1 l

l f

L

-3.1 .2 f. ICS and NNI Failure Modes and Effects Analysis (FMEA)

The B&W Owners Group I&C Committee has commissioned SAIC to perform a FMEA on Toledo Edison's Davis-Besse Plant for ICS and NNI. Upon completion of that FMEA, a comparison to Rancho Seco will be made and a FMEA will be done on the differences between the ICS and NNI Systems of the two plants. The FMEA on the difference between Rancho Seco and Davis-Besse is expected to be complete in the first quarter of 1987.

g. Proposed Modifications Prior to Restart The following' modifications will be complete prior tS plant restart, or as noted:

ICS ICS function generators will be upgraded to the latest Bailey revision as a priority 2 (post-restart) item.

ICS ac fuses will be replaced with smaller fuses where applicable.

Annunc'iators have been revised to alarm " trouble" or "failuro" of ICS.

TBV, MFW and SUFW valve positions will be indicated in the Control Room.

On loss of ICS power, the MFW pumps will be tripped.

On loss of NNI, the ICS de power will be tripped.

Electrical terminators found to be inadequate have been reterminated and retested.

The Auxiliary Steam Reducing Station will be modified so that setpoint control will not be lost on loss of ICS power.

On loss of ICS power the TBVs will go (or remain) closed, the operator can modulate the valves from the Control Room.

The neutron error indicator has been fused. It was the only externally powered instrument not previously fused.

One ac feeder breaker was resired to match the other breaker.

The PSM monitor sensory lines were rewired directly to the bus.

- bl -

i -

3.1 .2 .g (Continued)

The S1 and S2 breakers were replaced and labeled to make it easier to determine breaker position.

All ICS indicators and recorders were clearly labeled.

Minimus MFW pump speed will be reset to a higher rpm.

The old setting was near a pump / turbine critical speed.

The RC flow signal will be made more reliable by replacing it with a set voltage when all four RCps are running.

1 Startup feedwater flow will be deleted because it is not currently used.

FW temperature correction will be removed from the total FW demand signal because its effect is negligible.

The DC power supplies will be replaced to ensure sufficient margin between the current rating and current demand.

The AC power supplies are being replaced with more reliable sourcos.

lhe status of the ICS ABT will be input into IDADS to provido historic documentation of ABT transfers.

The runback rates for loss of NFW pump, RC pump or an asymetric rod condition have been decreased.

NNI The Power Supply Monitor (pSM) sensing lines were rewired to directly sense the power bus.

All NNI indicators and recorders have been clearly labeled to prevent operators from using failed instruments. Labels will be installed to distinguish ICS and NNI indication.

The NNI annunciator windows have been rewired and now alarm " trouble" or " failure" of NNI.

3.1 .2 g. (Continued)

The status of the NNI A8T will be input to IDADS to provide historic documentation of A8T transfers.

A dedicated multipoint recorder with key parameters independent of the NNI will be installed to assist the operators in taking the plant to cold shutdown in the ovent of loss of NNI.

I

' Critical parameters needed to get to hot shutdown will be mado available on the SPDS independent of NNI. ,

The NNI-Z bus fuse circuit will be modified to ensura that all Z bus fuse failures will alarm in the Control Room.

The HPI flow indication in the Control Room will be made independent of NNI power sources.

The existing Class 2 pressurizer water temperature signal will be upgraded to Class 1 for use in the SPDS. Class 1 temperature compensated pressurizer level indication will now be provided in the SPDS.

The existing feedwater differential pressure transmitters l are obsolete and difficult to get replacement parts.

The fcur transmitters will be replaced for improved delta P monitoring.

The Si and S2 breakers for all NNI power supply monitors have been replaced and labeled to make 8.t easier to determine breaker position.

1ho capacity of the NNI X de power supplies was found to be near the calculated maximum requirements. Higher capacity power supplies are being installed.

The ac power sources for the NNI will be replaced with higher reliability sources.

3.1 .2 h. ICS and NNI Maintenance Prior to Restart as a result of the loose lug in the power bus wiring, an exhaustive inspection program to inspect and repair lugs and wire wrap connections was performed in the ICS, the NNI, and several other systems.

3.1 .2 h. (Continued)

A module inspection and cleaning was performed in the ICS and NNI. Many modules were returned to Bailey for refurbishment and upgrades.

The ICS and NNI will be incorporated into the plant preventive maintenance program. This includes calibration of NNI loops, calibration of ICS modules, function tests, and tuning of the ICS. Power supplies and power supply monitors will also be tested. All praventive maintenance tasks will be performed prior to restart.

3.1 .2 i. Operator Response and Procedures lhis section concerns operator response and procedures only as related to loss and restoration of NNI or ICS

- power. Normal and emergency proceduros in general are covered in Section 3.5 below.

3.1 .2 .i .1 Procedures for Loss of NNI or ICS Power Procedural weaknesses related to ICS/NNI power loss, identified in NUREG-1195, were that:

• There was no specific emergency procedure for loss of ICS power (a procedure did exist for loss of NNI power).

• The annunciator procedure for loss of ICS power was inadequate.

RESPONSE

Emergency and Casualty Procedures lho Rancho Seco specific ATOG guidance prepared jointly by D&W and SMUD provided for the loss of ICS and NNI power by directing the operator to explicit procedures for those events. These procedures were included at SMUD's request and were based on the Rancho Seco loss of i

NNI procedures which had been developed and implemented at Rancho Seco prior to development of A10G. Loss of LCS power procedures had not yet been developed. however, I their value was recognized by GNUD. Due to an error, a g l

loss of ICS power procedure was not developed when the l

nIOG based LOPS were implemented in May of 1985.

l As discussed in Section 3.5.1/.2, failure to rapidly l terminate the overcooling on 11/20/05 was due to lack of specific criteria in AlOG for when to trip feedwater l

pumps, and not due to failuro to translato the AIOG 1.0is of ICS procedure informat ion into the f.0P's .

_ 70 _

L

i 1 -

3.1 .2 1. (Continued 0 The loss of ICS power procedure has been developed and implemented in a manner consistent with the ATOG philosophy. The operator is directed to look for ICS power available in Emergency Procedure E.02, Vital Systems Status Verification, and is directed to the event based Casualty Procedure for loss of ICS power. This procedure provides specific instructions for investigation and restoration of ICS power in a controlled manner, assuring a smooth transition of plant control back to the ICS. The Emergency Operating Procedures and loss of ICS Casualty Procedure require that plant conditions be under control prior to initiating action to restore ICS power. Diverting operator attention from efforts to control the plant to efforts to restore ICS power would result in unacceptable delays in gaining plant control, particularly if ICS power could not be rapidly restored. The plant, as modified for restart, will be automatically controlled to a hot shutdown condition on any loss of ICS or NNI ac or de power. Onco stabilized at hot shutdown, the operators can focus on restoring ICS or NNI power as appropriate.

Annunciator Procedures Annunciators for NNI and ICS have been modified to unambiguously indicato loss of NNI or ICS power. The associated annunciator procedures are being revised to provido or reference detailed procedures for identifying and treating the loss of power or other problem.

3.1 .2 1. .2 Operator Response to Loss of NNI or ICS Power Operator response weaknesses related to loss of ICS power, as identified in NUREG-1195:

• Operators who investigated the loss of ICS power did not adequately understand the ICS power system configuration. Excessive time was required to restore ICS power, e Operators reportedly did not fully recognize the loss of ICS DC power for two minutos.

- /1 -

I l

1

RESPONSE

Operator Understanding of ICS Power Configuration Neither procedural guidance nor posted power distribution drawings existed to assist the operator in restoring ICS power, thus operator memory was the sole basis for efforts to restore ICS power. The operators correctly recalled that the ICS power distribution system was nearly identical to the NNI system and took appropriate action to check proper system lineup, with the exception of closing the ICS 120V AC Si and S2 switches which appeared to them to be closed, when in fact they were open. Inadequate labeling of the S1 and S2 switch positions directly led to the incorrect evaluation of switch position. Improved labeling of the S1 and S2 switches, implementation of a specific procedure for loss of ICS power, posting of ICS power drawings, and ICS power distribution training have alleviated deficiencies in these areas. Most importantly, plant modifications and procedure changes have been made which cause the plant to be automatically controlled at hot shutdown upon loss of ICS or NNI power, or both, thus eliminating the reliance on operator action to restore ICS or NNI power.

Operator Recognition of loss of ICS Power Modifications to annunciators, and classroom and simulator training, have enhanced the ability to recognize loss of ICS or NNI power more rapidly.

Moreover, modifications have been made such that even if rocognition of loss of NNI or ICS power is delayed, the plant will be automatically controlled at hot shutdown.

Emorgoncy procedure changes have also been mado such that timely operator action is assured to control the plant should automatic controls fail and loss of ICS or NNI power not be recognized. The procedure changes consist of establishing or verifying the existence of explicit criteria (such as specific values of RCS temperature and pressure) when to initiate required actions.

3.1 .2 j. Root Cause of Discropancy Detween OTSG Lovel Strip Charts and SPDS During the 12-26-85 transient the operators reported that the SPDS did not road the same value for Of3G Operate Level as did the OISG Operate Level Strip Chart 9 ecord o r .

A detailed investigation concluded that the SPDS indicatos within 1 to /.% of tho 010G Lovel recorders.

This is an acceptable toleranco for this indication and no ce>rrective s tion is roquired.

- // -

~

3.1 .3 Restoration of ICS or NNI DC Power ICS/NNI memory modules will be modified to establish a

~

predictable state upon restoration of DC power.

The basic approach for ICS or NNI power restoration (following plant stabilization) is to establish plant conditions (through a pre-existing procedure for power restoration) such that there will be little or no effect on the plant regardless of the signals generated by the ICS or NNI ducira repowering.

For examplo, Turbine Bypass Valvos would be under control of their independent control circuits, or manually isolated, prior to power restoration.

However, with the previously described changes, which provide controls independent of the ICS, restoration of power will have no observable adverse effect on the plant. Only when the operator is satisfied that ICS demands are as desired will control be returned to the ICS. This resolves any concern about the offects of restoration of ICS power.

.4 Additional ICS and NNI Issues

.a System / Component Response to Loss and Restoration of ICS or NNI ac power.

As described in Section 3.1.1 above, the consequences of a Loss of de power to the ICS will lead to a reactor trip caused by the tripping of both MFP turbines. EFIC will initiate on low level in either OTSG and will provide AFW to both OTSGs with automatic level control. Heat removal will be provided by control grade control of the T8Vs powered from a source independent of ICS and NNI or Class 1 control of the ADVs controlled and powered by EFIC.

All attached steam loads to the main steam lines other than code safety valves will continue to be isolatable from the Control Room using diesel backed power and control circuits which are independent of the ICS/NNI power supplies or controls.

ICS de power will be tripped on either the loss of NNI de or ac power; the above scenario will then be true for both conditions together. Since the ICS de power supplies are directly supplied by the ac power sources, the offect of loss of ICS AC power is essentially the samo as loss of de power.

the loss of ac or de power to the individual compononts within the ICS/NNI has been reviewed by the Deterministic .

Failure Consequence Analysis Group for NNI/ICS, It was l found that failure of many individual components could lead to a reactor trip but only four parameters individually could take the plant out of the post tri9 window, the four parameters are listed with the action j to be taken to correct those conditions prior to startup:

. /) ..

3.1 .4 m. 1) AFW Initiation and Control.

EFIC will initiate and control AFW whenever a failed parameter has caused a high or low OTSG 1evel or low OTSG pressure.

2) ADV control ADVs will be controlled by EFIC without any NNI or ICS inputs.

3) TBV control T8Vs will fail closed on loss of power and, in addition, an alternato controller will be installed in the main Control Room which is independent of ICS/NNI power.

4) Auxiliary steam control

• Auxiliary steam control will be modified such that it will fail at setpoint on loss of power.

The restoration of power to each control loop will be individually evaluated and a determination made as to power-up position (0% or 100%). New memory modules will be installed which will allow the setting of this position. Thus, on restoration of power, the Hand / Auto station will power-up in hand and the final control element will drive to the preselected (0% or 100%)

position from the fail position.

- /4 -

~

3.1 .4 b. ICS and NNI Response to Loss of Instrument Air and Affect on Plant Operation

.1 Affect upon ICS The air supply system is called the Plant Air System which includes the Instrument Air System (IAS) and Service Air System (SAS). IAS provides dry and oil-free air for the operation of the air operated devices. The Plant Air System is classified as a non-safety system.

The normal instrument air supply for the control and actuation of the ICS controlled Main Feedwater and Startup Feedwater Control Valves comes from the plant air system. To assure that the MFW and SUFW valves will close and remain closed if required by EFIC (in the event of loss of offsite power or loss of the instrument air supply) a two hour, seismic class 1, backup supply of air will be provided. The backup system was designed using criteria provided in ANSI /ANS 59.3 standard. It uses two sets of high pressure bottles and reducing stations with one set supplying air to MFW, SUFW, and EFIC controlled AFW valves associated with OTSG A; one set supplying air to MFW, SUFW, and EFIC controlled AFW valves associated with OTSG B. Each set uses high pressure air bottles headored through a prossure reduction valve to supply air to the valve at a pressure of approximatoly 85 psig. Since the IAS supply pressure is approximately 100 psig, the backup air supply will only function if the IAS supply is unable to supply air. Check valves and excess flow check valves are provided to prevent flow from the backup supply into the instrument air supply and to isolate a depressurized branch of the air supply.

The normal instrument air supply for the control of the Turbino Bypass Valves (1BV's) comes from the plant Air System, The backup supply of air is provided through an independant set of high pressure bottles. Since the T0V's are not required to bring the plant to a safe condition for the loss of air event, the backup air is classified as a non-safety system, llowaver, the Class 1 Atmospheric Dump valvos (ADV's) EfIC controls are available to the

. operators, independent of LCG.

- /*> -

~

i .

3.1 .4 b. .1 (Continued)

Surveillance procedures are provided to monitor the pressure in the backup bottles, and low pressure alarms are provided in the IDADS. The setpoint for alarming is selected such that at least two hours of air remains in the bottles after the low pressure alarm in annunciated in the Control Room. Thic capability will be demonstrated by testing prior to restart.

The speed changer valve for t he Main.Feedpump furbine is also sup. fied with instrument air. Upon loss of ICS power, NrW pumps are tripped, hence this component is not required to function and does not require a backup air supply.

.2 Af fect upon NNI Air operated valves which are NNI controlled through Electric / Pneumatic converters are the letdown orifice bypass valve, pressurizer level makeup valve and seal injection flow control valve. The normal air supply for the control and actuation of these valves is from the Plant Air System. The letdown orifice bypass valve and pressuElzer level makeup valvo fail in the closed position upon loss of instrument air. The seal injection flow control valve fails in the open position upon loss of instrumont air. These failure modes are considered the " fail-safo" positions of the valves and do not have any adverse affects on the plant operation. In addition, thoso valves are not required to bring the plant to a safe shutdown condition for the loss of instrunent air ovent as determined by the Deterministic Failure Consequences Analysis Group; henco, these valvos do not require a backup air supply. However, the diesel-driven compressor does provido the instrument air upon loss or degradation of the Plant Air Gystem.

.3 Instrument Air Reliability

. The Rancho Seco Instrument Air System will be modified, prior to restart, as a result of the Deterministic Failuro Consequences (DFC) completed during the systematic Assessmont program, to includo backup design features which will significantly improve. system reliability, lhoso modifications will provide the capability to rospond to either a suddon or gradual loss of instromont air prossuru while meeting the recommendations of Regulatory Guido 1.00.1.

- /6 -

A 3.1 . 4 b. . 3 (Continued)

These modifications include a backup diesel-driven air compressor and dryer package which is independent of site support systems (e.g., cooling water, power, etc.,) and will start on low instrument air system pressure or loss of power to its battery charger. Independent compressed gas bottle supplies will also be provided for critical plant instrument air operated components as identified by DFC and serving EFIC components. This bottled gas system automatically supplies backup gas

to the air operated components when the normal air

! supply is lost or degraded. Testing of these modifications will be conducted with the plant on steam generator cooling (subject to PRC approval) for both a sudden and gradual loss of normal instrument air. A functional test will be performed

, on a component level to verify and document the capabilities of the new modifications. The scope of this integrated test is presently being developed by the system review and the test program system status report for instrument air. Proper backup system response to these conditions will be verified.

, The normal plant air supply is not considered a safety system. Therefore, it is not provided with emergency power. The backup diesel-driven air compressor is also not safety related, but since it is independent of normal plant support systems, it does provide redundant and independent instrument air. This gives a significant improvement in the reliability of the Instrument Air System.

- // -

, , . . . , - ---,----%----- - - , , , , - - w, , , - r- -- . . www-------gw -w,-w-w--- - -----

- - w,-,yc, 3 . -, -

.g ,- -- - - ,w-.- - - , , .

3.1 .4 c. Lcss cf Offsit] Pdwer Coincident with Lcss cf ICS Cr NNI

• Power or Loss of Instrument Air

1. Consequences of Losing Air Supply as a Result of Loss of Offsite Power Upon loss of offsite power, the normal air supply is not available. However, the new diesel driven compressor will start automatically upon sensing a low pressure in the normal air supply system. In addition, loss of power to the battery charger for the diesel driven compressor will also start this compressor automatically and provide the instrument air supply. Over and above this, a dedicated seismic Class 1 high pressure gas bottle system, with two-hour capability, will be provided for the ICS and EFIC components such as ADV's, T8V's, NFW, SUFW and AFW valves. The result of these features is that the consequence of a Loss of Offsite Power will not significantly affect the ability to control important components which use instrument air for control or motive power.

On the component level, loss of plant (instrument) air pressure will have no affect on the ADVs and T8Vs. On loss of plant and all backup instrument air, the ADV and TBVs will open due to steam pressure, which would require closing of the associated manual or motor operated isolation valves. The NFW and SUFW valves will " fall as is".

1he air operated AFW control valves will fail open, which will necessitate isolation by closing the series, motor-operated isciation valves.

The loss of air will cause the speed changer valve on the main foedwater pump turbine to open, which will drive the governor valve to the closed position dnd force the NFW pump to. minimum spood.

2. Loss of Offsite Power Concurrent with Loss of ICS/NNI On loss of ICS concurront with the loss of offsite power, RCPs will stop (due to loss of powor) and the Main Foodwater pumps will be tripped (due to loss of ICS). Loss of RCPs will trip the reactor (due to Power / Pump Irlp) from the RPG, and the turbino trips on a reactor trip. Loss of RCPs will causo Lf1C to initiato AlW and to raiso 0100 secondary lovol to the natural circulation felpoint. Iho plant will remain at hot shutdown todepondant of tho ICG or offsite power, independent diesel backed power suppilus to the four u 10 t.hannels are not afforted by the loss of offsite power or loss of ICS, other vital power. for valves, pumps, etc... is all s tandby d iesel generator suppl ied .

- /8

3.1 .4 c. 2. (Continued)

Concurrent loss of ICS/NNI will not complicate the loss of offsite power event, nor will its consequences be adverse to safety,

d. SMUD Response to ICS or NNI Concerns Identified as Part of the B&WOG Reassessment The B&W Owners' Group I&C Committee presented a preliminary ICS evaluation list to the NRC in September 1986.

, Since the problem list is preliminary and in the process l

of being reviewed and revised, the following discussion is also considered preliminary. The District's Restart Report and Action Plan identifies which modifications are planned for completion before restart.

1. Design Problems

a. Control Functions Outside of Non-Safety Systems With the installation of EFIC, AFW control and ADV control will be removed from the ICS.

b. Reliable Power Source The ICS and NNI have redundant ac and de sources, external loads aro fused, automatic bus transfer is provided. Rollable ac is provided. Tho ac power is provided from reliable battery backed sources,

c. Loss of All System Power (LOP)

Although loss of ICS or NNI power is readily apparent, planned modifications will increase the information available to the operator (e.g., Failure Alarms, Dreaker Labols, A8T History Information.)

In addition to the above actions to increaso

information to the operator, the District has planned or boqun a fusing coordinatton study,

, installed higher rated de power supplies, and rewiring of the Power Gupply Monitor sonsing linos to improvo rollability.

1

- /9

- -_ - _ _- . ._ = - - - _ _ - . -_- .-.

3.1 .4 d. 1. d. Mid-Scale Failure on Loss of Power As an interim measure, the District has labeled all ICS (and NNI) indication. Emergency Operating Procedures and training instruct the operators to use alternate indication in the event of loss of ICS (or NNI) power.

In addition, the District will address the issue of mid-scale failure in conjunction with the B&WOG I&C Committee,

e. Actuated Equipment Position on Loss of Power As addressed above, the control of secondary plant heat removal will be through the EFIC system. In addition, to insure that the ICS, on loss of ICS power, will not prevent the plant from going to a known safe state, the T8Vs will be controlled by an alternate power source, and the NFPs will be tripped. On loss of NNI power, ICS will be tripped. The failure modes of RC makeup control, RC letdown control and RC pump seal injection control have been analyzed and found to be acceptable,

f. Input Signals on Loss of Power Completion of a study of modifications to separate NNI X and Y and to eliminate NNI Z power is a short term goal. Thoso modifications will not be complete for startup. However, with the modification of tripping ICS on loss of NNI, the plant will go to a kncwn safo stato on loss of NNI X, Y or Z powor.

g. Restoration of Power The District has developed procedures that direct operators on the appropriate actions for ,

rostoration of power. In addition, the District intends to install analog memory modules for all hand / auto stations to ensuro predictability of Rosturation of Power positions of those components.

h. Input Gonsor/ Signal Rollability The District will address the concern of automatic solor. tion of valid input signals in conjunction with tho 0/.WOU I&C Committeo.

3.1 .4 d. 1. i. Control Improvements The District is evaluating additional recommendations to further enhance the reliability of the control portions of the system. This evaluation includes a review of past studies, as well as work currently underway by the B&WOG.

2. Programmatic Problems

a. Preventive Maintenance Rancho Seco has procedures for ICS and NNI maintenanco activitics. Additional PM procedures as well as enhancements to the PM prog ram.

b. System Tuning The District is currently revising it's ICS tuning program. lhe revised program will be used to tune the ICS during restart.

c. Diagnostics Continuous on-line monitoring of the ICS is not available at Rancho Seco. However, a history of base line data at various power lovels is available and is used in diagnosing ICS performancos,

d. Configuration Manaqoment Rancho Seco drawing revisions which have not yet been updated are readily availablo at Rancho Seco, and are intended to be incorporated at restart.

Vendor drawings originally included in the instruction manuals are not updated and Rancho Seco drawings are used for information only.

Ibc controlled drawings used for oporations and maintenance are revised and maintained.

t he infor mation book s that contain product descriptions and trouble shooting or calibration procedures are updated and controlled through the Rancho Seco Technical Library.

m 3.1 .4 d. 1. e. Trainina/0ualification The District is developing an ICS trainer and an ICS/NNI training program for engineers. The District uses the proper wire-wrapping tools and all I&C technicians have attended training on soldering equipment given by PACE, the equipment manufacturer.

3.1 .5 Availability of Remote and Local Indications on Loss of ICS/NNI Power

a. Regulatory Guide 1.97 Instrumentation The District's Regulatory Guide 1.97 Category 1 variables will all be installed for restart in accordance with the District's 09-14-04 and 10-31-85 submittals with the exception of Reactor Coolant Inventory and neutron flux.

lhe SPDS will be upgraded to meet the requirements of R.G. 1.97 for display of Category 1 variables including soismic qualification separation and isolation roquirements. Therefore, they will be totally independent of ICS and NNI. 1ho Category 1 variables will be represented on the post trip window as a value or as an alert in a human factored prosentation,

b. Safety Parameter Display System (SPDS)

Iho Rancho Seco SPDS was designed to moet the appropriato requirements of NUREG 0696, Reg. Guide 1.97, NUREG 0737, and Gupplement 1 to NUWEG 0/37. the SPDS was designed as a diagnostic tool compatible with the Abnormal Transient Operating Guidelines (ATOG) and the Emergency Operating Procedures (EOP's). The SPDS is shown in the Control Room on two independent color monitors. All GPDS inputs can be shown on either monitor (i.e., channol A data can be called up on Channel D CRT). There are five basic displays with operator selected enhancements and alphanumeric pages. Regardless of the scroon selected by the operator, nino alerts are available to direct the operator's attention to abnormal conditions. Goe figuro 3.6 for the ICS/NNI relationship to the independant GPDG.

Iho NG 1.9/ Rancho Soco Category i variables are displayed on the UPOG (with tho excoption of Reactor Coolant inventory and neutron flux) and the SPOS hardware moots the Category i roqulremonts of RG t.9/. The Rancho Sc(o RG t.9/ submittal identified the SPDS as the Ca t. ego ry i varlablo display location. Iho proposed changes to tho hPuh streen will add new parameters and throo new aler t s .

- 82

l s -

I.

I INST. NPUT =

z MULTIPLEXER SPDS ItPS SFAS INST 1 r 1 r y SIGNAL ISOLATION M[* CONVERSION =

NNI CABFJETS CABINETS = INDICATION

_ *Tloi (A) (A)

I - *OISG LEVEL i1

• orSo PRESS

=-CLASS 2 S trVEL

. [fc CLASSI'= l~ Elic neS  : COfjTROL

, l -

co l *

• PRESS IIEATEaS i

l ' '

• PHESS LEVEt i ,1 I f l

• ETC.

SIGNAL ISOLATION

[T =

CONVERSION -

CABitJETS CABINETS (a) (a) \

l

=  : INDICAIlON INST. iteur - MULTIPLEXER = SPDS

• Fw Ft.ow

. Isz (a) (u) .

. NeuTaoN Ennoa

= CONTROL ,

• MFW PtnAPS

""36 * '* W \/AI.VES ICS/NNI SPDS 1e CONTROL INDICATION * * -

n 3.1 .5 b. (Continued)

SPOS dependence on NNI driven inputs required to achieve hot-shutdown, will be eliminated prior to restart.

c. Interim Data Acquisition and Display System (IDADS)

The Interim Data Acquisition and Display System (IDADS) is the new Plant Computer System. IDADS consists of a central computer system with two Modcomp 7870 CPUs; various types of input multiplexing equipment, display terminals and hardcopy equipment in the Control Room and the Technical Support Center; and a Modcomp Classic II/75 computer, display terminals and hardcopy equipment in the Emergency Operations Facility. Plant inputs enter the system from the following sources:

1. The Bailey Multiplexer - all Bailey 855 computer inputs.

2. The Modcomp Multiplexer - critical plant parameters for redundancy in case the Bailey mux fails.

3. The Remote Multiplexer (Anatec) System - current additions to the plant.

4. The General Atomic Radiation Monitoring System -

radiation data from the RM-11 and RM-80. ..

d. Computer / Annunciator Systems lhe annunciator system provides visible and audible alarms when various plant systems or equipment operate abnormally. The visible and audible alarm may be presented by the Dailey 855, the Interim Data Acquisition and Display Gystem (IDADS), the Digital Radiation Monitoring System (DRMS) or a back-lighted window and chtmo, 3.1 .5 d. (Continued)

As part of an ongoing annunciator study, hardwired annunciator windows and computer alarms will be l prioritized. This study is scheduled for completion l prior to Cycle 8 (next fuel cycle) startup with resulting

modifications implemented as feasible.

The Plant Process Computer (Bailey 855) is primarily an operating tool that provides information to assist the operator in the efficient operation of the plant. The computer system consists of a computer mainframe, programming facility, local and remote analog input peripherals, logic I/O peripheral, operator console, and other human communication peripherals.

l The Bailey computer performs calculations necessary to provide useful operating information and data for off-line core performance analysis and general fuel management calculations. It can also provide performance l calculations for the balance of plant including turbine ,

l cyclo performanco calculations such as:

• Turbine cycle heat rate e Turbine performance

• Feedwater heater performance e Condenser performance the Bailey 855 displays the requested point value on two digital indicators in the Control Room, one on H1CO (the computer console) and the other H1RI (Reactor and Intograted controls console),

power for the annunciator system is independent of ICS/NNI power. Failures of ICS/NNI, or power supply troubles, are reliably annunciated for the spectrum of conditions which can exist with the ICS/NNI.

e. Other Indications I Failures of ICS/NNI power are readily known by the oporator, with or without the annunciators and alarms provided. 1his was demonstrated during the December 26, L985 ovont when in fact the operator deturmined, prior to l the reactor trip at approximately 14 seconds into the

! ovent, that the ICS was inoperativo, and that a trip was imminent.

Iho indications include, loss of indicator lights on the linNU/nulo stations, .nid sc.410 roadings un soveral instruments, Main f eedwater pump lurbine speed reduction. ;

g o, .

l l

l

\

3.1 .5 e. All of this is important knowledge for the operator, but not essential to post-trip actions or recovery. All activities following the reactor trip are governed by the symptom based Emergency Operating Procedures. These require establishing stable heat balance conditions, at hot shutdown parameters, prior to beginning to troubleshoot the causing event, for example loss of ICS/NNI power. As previously described, with EFIC, the decision to repower the ICS/NNI can be made at the operator's discretion. Repowering will not subject the plant to a further undesirable transient.

As a part of the CFIC AFW upgrade, Redundant r. lass 1 Steam Generator level, SG pressure, and AFW flow indication will be available on the main Control Room console.

.6 Eme rgency Feedwater Initiation and Control (EFIC)

Section 10.1.11 of NUREG-1195 makes the following statement.

"The NRC staff was led to believe that the emergency feedwater initiation and control (EFIC) system would be installed in 1984 in response to a number of NRC requiremants, including TMI Action Item II.E.1.2. Apparently SMUD decided to install an alternate system in response to II.E.1.2. SMUD's intent to satisfy II.E.1.2 with this alternate design was not made clear to the NRC staff, was not approved by the staff, and may not have complied with tho requirements of II.E.1.2. As a result, the EFIC system, some features of which would have reduced the savority of the December 26, 1985 incident, has not yet been installed at Rancho Seco."

DISIRICT RESPONSE The AFW/EFIC (II.E.1.2) scopo and schedule changes had boon provided to the NRC staff.

The NRC issued Safety Evaluation Reports in January and September 1982, assuming EFIC installation. On October 22, 1982, the District indicated that it would install interim safety grade AFW modifications and that Ef tC was separate and beyond the AFW upgrade requirements of NUREG-0737. The l

District indicated at that timo that CF tC would bo installod by Cyclo 7. This schedule was confirmed by the District on Docomber 14, 1982, at which time the Cyclo / outago was enpocted to occur in the Fall of 1984. 1he schedule for the intorlm safoty grade modifications was spociflod in a confirmatory order dated March 14, 1903,

- Ub

s .

o' 3.1 .6 (Continued)

On April 28, 1983, the District submitted a revised AFW system

. description describing the interim AFW upgrades. NRR confirmed their understanding in an SER on the status of the AFW system dated September 26, 1983.

Then, in a series of living schedule submittals, the District informed the NRC that the EFIC installation was scheduled in two phases (Cycle 8 and Cycle 9).

This approach was understood, and acknowledged, by the NNR staff during a meeting in October 1985, at which time, the District committed to accelerate the EFIC installation schedule to accomplish as much as possible during the Cycle 8 outago, with tSu balance of the installation to be completed during the Cjcle 9 outage.

- While it has been the District's position in the past that provision of s..foty grade auto start of AFW via the SFAS was sufficient to .neet the intent of NUREG 0737 item II.E.1.2, the point is no longer germane due to the decir'an to immediately install EFIC and related AFW upgrades. The upgraded AFW with EFIC meets fully the requirements of NUREG 0737 item II.E.1.2, including all long term requirements to design to IEEE-279.

This is underscored by the SER received for this concept in April, 1983.

A detailed submittal of the EFIC system is being provided separately. For purposos of general understanding, a functional description of EFIC is provided below.

- EFIC initiates Auxiliary Fecdwater (AFW), i.e., it will start both AFW pumps and position valves as necessary to food the steam generators. This is independent of ICS which will no longer controls AFW,

- EFIC automatically controls AFW flow to reach and maintain the proper steam generator level. The rate of level increase is automatically controlled, when necessary, as well as the level, which depend on whether or not the reactor coolant pumps are operating

} (i.e. forced or natural circulation).

- 131C dutoets secondary system breaks and isolates MFW and AlW to the af fected steam generator.

- 13 (C nionitors steam prussure and controls the atmosphoric dump valvos (ADVs) if secondary system pressure exceeds the post reactor trip sotpoint. It also controls safety grado steam pressuro for couldown to cold shutdown ronditions.

-8/-

~

3.1 .6 (Continued)

- A backup Seismic 1 air supply will be added to the MFW, AFW and ADV control valves to ensure closure of the MFW valves and control of ADVs and AFW valves for two hours af ter loss of offsite pcwer and therefore loss of normal air supply. An additional parallel and redundant set of AFW control valves is DC powered from a non-interruptible Class 1 source.

EFIC controls for the ADVs and one set of AFW flow control valves will be provided at the remote shutdown panel to allow control independent of the Control Room.

The conditions which cause EFIC to initiate AFW are:

low level in either steam generator

- loss of all reactor coolant pumps low pressure in either steam generator

- loss of NFW (Anticipatory Reactor Trip on loss of MFW pumps trip, from RPS)

- SFAS ECCS actuation (SFAS sends signal to EFIC)

The conditions which cause EFIC to isolate NFW to a Steam Generator are:

- low pressure in the steam generator

- very high water level in the steam generator The conditions which cause EFIC to isolate AFW to one steam generator or the other, but never both, are:

- low pressure in only one steara generator

- low pressura in both steam generators but one of them significantly lower than the other. (If both steam generators are low and within approximately 100 psid of each other, EF JC will feed both steam generators.)

lho LF LC and Af'W oloctrical components which assure AFW flow and control are powered from Class 1 cmcrgency diosol backed or battery backed sources. these sources are independent of those powering the ICS and NNI.

- 88

1 -

3.1 .6 (Continued)

The EFIC system initiates AFW via two 100% trains of AFW, i.e., either train is sufficient to supply the required AFW to both steam generators. Referring to Figure 3.1.6, the A channel of EFIC starts P-319 and controls flow to both SGs through FV-20527 and FV-20528. The B channel starts P-318 by opening valve HV-30801 and controls flow to both SG through FV-20531 and FV-20532. Either channel is sufficient to assure necessary AFW flow. Care has been taken to assure that the failure of a common electrical source will not prevent AFW from both trains from reaching at least one SG. Another EFIC function is to isolate AFW to a steam generator which has experienced a major steam line failure. This is accomplished using four channel logic which acts directly on the AFW isolation and control valves. As with the AFW initiation and control function, care has been taken to assure that a common electrical power source cannot prevent required AFW isolation.

.7 Main Feedwater System (MFW)

a. MFWS response to ICS or NNI failures and effect on plant operation.

On loss of ICS or NNI, the MFW pumps will be tripped.

Loss of FW will cause an EFIC initiation on low SG lovel. If the plant has been operating above the Anticipated Reactor Trip System (ARTS) trip point (20%),

ARTS will trip the reactor immediately. If the plant is operating below the trip point, an RPS trip on high RCS pressure will occur when the setpoint is reached.

Although the operators will have the ability to locally restart the MFW pumps if desired, AFW will be sufficient for removal of decay heat.

b. OTSG Overfill Protection Steam Generator MFW automatic overfill protection will be provided via EFIC in concert with the MFW control valves and MFW isolation valves. However, the overfill setpoint will be set at the maximum value of 619 inches. This will allow data collection to determine a safe margin between operation at high power lovels and the trip selpoint. Steam generator overfill protection, for an 6FW overfill event, will be via level alarms on IDADS, with remote manual isolation via the ArW Control and Isolation valvos.

)

n 3.1 .8 Main Steam System (MSS)

a. Atmospheric Dump Valve (ADV) Operation and Response to ICS or NNI Failure The ADVs are now controlled by EFIC. They receive no control signals from the ICS or NNI. previously, they were controlled by ICS to maintain main steam header pressure at or below setpoint. This. feature is retained, although it is EFIC which provides the control signal.

b. Turbino Bypass Valve (TBV) Operation and Response to ICS or NNI Failure During normal operation, a component failure within the ICS/NNI, or of an input pressure transmitter, could cause the TBV's to'open. This would be apparent as a reduction in electrical generator output, and operator action would be necessary to take manual control at the ICS HAND / AUTO controller, or to switch to the newly installed backup control selector. This feature provides control, independent of the ICS, of the TBV's whenever selected by the operator.

Should power be lost to the NNI, the ICS is tripped.

10Vs will close or remain closed on loss of ICS power.

Specific operator action is required to open the TBVs, using controls located in the Control Room.

ICS/NNI failures will not adversely affect the plant via the 10Vs.

l l

l-

HV-308cl] [ - E FIC-8'

,- --- TO EFsC

, eft:-4  ; (T1P CF A) '

' l EFIC,c EFIC-A o

'o 'd .

f T I

STEAM W ~

" A ATMOSPHERE '

If GEt4 HV-20581 FU-f0527 Fk' '31802 +

I "" t' 8 f 4 *ii.7J' HV-20571 FV-20531

~

A

HV-318 6 g

CCND a MANUAL > CONDENSER STOR

. , L.T e s 3png l EFIC-D EFIC-6 ,r-EFIC- A,8 s

o l e 4 CLOSE LT

'--- 4-TO EFIC 1 FE-31850 i

,r--TO EFIC (TYP OF4) o e' ll y EF#c-e , (TY P OF 4)

MAN UAl. Q EFIC C EF C-A HV-3182T g e-- EFIC-A M "f'

] lliW HV-20$82 FE-[OS28 M

TUR3.u T 4 [ Is[ h.

STEAN M I l GEta < l FE-31902 ADv'S 7 HVM578 FV-20532 P.319 PT I4 v  : i ,

'L -. -TO E (T'iP OF4)

EFIC AUAILIARY FEEDWATER CONTff t Figure 3.1.6

m 3.1 .8 c. OTSG Isolation Capability--Main Steen Line Failure Logic (MSLFL)

The MSLFL is being replaced by features contained within the EFIC system. EFIC contains Class i logic and controls which provide for proper OTSG isolation.

.9 Summary of Plant Modification Designed to Prevent / Mitigate Transient Resulting from Loss of ICS or NNI

a. Approach The conceptual approach has been to improve the reliability of mooting the post-trip requirements for secondary side heat removal, its control and indication.

One of the considerations was to insure reliable control of secondary heat removal without the ICS/NNI features.

To accomplish this, the District has accelerated its schedule for installing the Class 1 EFIC system (see 3.1.6). In addition, the following modifications support the objective of improved reliability of the control of heat removal.

b. Features of Specific Modifications

1. Isolation of Control Valves

• Each AFW control valve has a Class 1 motor operated isolation valve in series

• The TBVs and active ADVs have Class 1 motor operated isolation valves in series with them

2. ICS

• TBVs close on loss of ICS

• AFW control now provided by EFIC e ADV control now provided by EFIC i e Auxiliary steam control station now stays at sotpoint on loss of ICS power

• Increased capacity of DC power supplies

! e ICS/NNI main and standby AC power from now i

inverters of improved reliability

. Revised annunciator scheme I e ragged ICS/NNI powered / supplied instruments

! e Provided power distribution schematic on cabinet

. kolabeled S1/s2 switches

+ Replaced S1/S2 switches

• Upgraded survolliance/provontive maintenanco on ICS/NNI power supplies and components e Irip of ICG on loss of NNL 97 -

1 l

l

'\,

~ -

. 3.1 .9 b,.. 3. ~~NNI -

[ ,_

-

• Increased capacity of DC power supplies

• ICS/NNI main and standby AC power from new

, y dedicated inverters , -+ 2

• Revised annunciator scheme

.

• Tassed ICS/NNI powered / supplied instruments

,

• Provided power distribution schematic on cabinet

• Relabeled S1/S2 switches

• Replaced S1/S2 switches

• Established surveillance / preventive maintenance o'n ICS/NNI power supplies and components

• Trip of ICS on loss of NNI-

, .4 Main Turbine Controls There are no changes to the Main Turbine Controls, required to improve post trip responses.

.5 Auxiliary Feedwater System (AFW)

• Made independent of ICS/NNI

• Redundant Class 1 flow signals to control room console and SpDS e'

Class 1 backup air for control valves

• 4 channel safety grade initiation (EFIC)

• Deleted autostart of AFW pumps on low main feedwater pump pressure

• Automatic safety grade OTSG level control' (EFIC)

+ High level OlSG alarm -

• One train of AFW operable with only de power availabic

• Feed-Only-Good OTSG logic provided

6. Main Feedwater System (MFW) ,

• EFIC closes MFW/SUFW Control / Block Valves

• EFIC closes MOV Isolation Valves

• MFW and SUFW Valve Position in Control Room, independent of ICS/NNI e Class i back-up air provided to close MFAi and SUFW. valves on EFIC command

• MFW pumps auto trip on loss of ICS

7. Main Steam System (MSS)

+ .MSLFL replaced by Ef lC

• ADV's now controlled by EFIC, not ICS

• TSV's now close on loss of ICS/NNI e Class 1 back-up Air provided to ADV's

• ADV position indication in Control Room )

independent of ICS/NNI

- , )

1 3.1 .9 .b 7. Main Steam System (MSS) (Continued) l

• ADV Manual Control from Control Room or l Shutdown Panel '

• TBV Position Indication in Control Room independent of ICS/NNI 1

• TBV Manual Control from Control Room or closure from Shutdown Panel I

• Auxiliary Steam System Pressure Control setpoint ,

independent of ICS power  !

8. Safety Parameter Display System (SPDS) l

• Hot shutdown parameters Independent of ICS/NNI power and inputs

• Providos RG 1.97 Category 1 instrumentation (except Reactor Coolant Inventory and neutron flux)

• Provides OTSG operate level to within 2% of other Control Room indicators

9. Interim Data Acquisition and Display System (IDADS)

• Receives inputs from ICS/NNI

• Class II System Increased sample frequency for certain parameters to aid Post Trip Analysis

10. Instrument Air System (IAS)

• Provided independent Class I bottled air to I important valves

• Provided independent diesel driven compressor

! for backup

• Bottled air to ADV's, CCW RB isolation valves

11. Electrical Distribution l

l

• Provides independent and more reliable invertars for ICS/NNI normal and standby j requirements

• Provides new diesel generator capacity and load assignment for both AFW pumps /EFIC i

l 12. Control Room Annunciation e- Power supplies independent of [CS/NNI or GPDG

• Remains Class 11 System

. Revised [CS/NNE inputs for failure / trouble conditions I

l l

3.1 .9 c. Conclusion Control of secondary side heat removal is now assured for a wide range of possible faults and failures created by or in the ICS/NNI and Instrument Air Systems. Reliable controls, indications, and function support services are provided which not only address the findings in NUREG-1195, but go beyond to insure that challengas to safety systems are minimized and that post-trip plant behavior is as expected and does not challenge the plant.

licensing basis.

3.2 Plant Mechanical System Issues 3.2 .1 WATER SUPPLY TO MAK_EUP/HPI PUMPS

a. Situation The rapid overcooling which occured early in the December 26, 1985 event caused the RCS pressure to decrease below the 1600 psig setpoint of the SFAS, which initiated HPI trains A and B. Since there was no loss of ac power to the safeguards power buses, the Makeup Pump (which is the normal source of high pressure reactor coolant for RCS volume control and RC Pump seals) remained in service.

As a feature of the SFAS, the Reactor Building isolates on the assumption that a LOCA has occurred. Associated valving changes which occur are the opening of the suction valves from the BWST and closing the suction from the Makeup Tank. This has the effect of shifting the MU Pump suction from the NU Tank to the BWST in parallel with the A-HPI pump. Concurrently, the normal

" mini-flow" from each of the HPI/NU pumps is isolated from the Makeup Tank making full pump capacity available for delivery to the RCS.

Once RCS requirements for HPI/MU had been met, the operators began to reestablish normal makeup configuration. First, mini-flow was re-established to preclude damage to any pump as the pump flows were being throttled. This led to a rapid filling of the Makeup Tank, the receiver of the mini-flow, which' caused the operator to then close the isolation valve from the Borated Water Storage Tank (BWST). This was done to cause the NU pump to draw from the MU fank instead of the UWS T. Omitted was the reopening of the SFAS valve which had earlier automatically isolated the Makeup rank outlet. The result was failure of the pump approximately three minutes later due to lack of water

l n .

, i 3.2 .1 a. (Continued) flow. This in turn, led to approximately 1,200 gallons of MU Tank water being drained onto the pump room floor when the operator opened the MU Tank outlet valve.

Reactor Coolant Pump seal requirements were met from the available, and separate, HPI pump except for a 75 second period during switching of HPI pumps following the Makeup Pump failure. The design of the RCP seals is such as to successfully tolerate flow interruptions of this nature.

b. Root Cause of the Makeup Pump Damage A procedure specific to restoration of normal equipment lineups following SFAS initiation was not available.

This was the root cause of the damage. Procedural references in the EOPs for insuring pump suction / discharge paths were not consistently included.

Corrective action is to provide the missing procedure and add the appropriate caution steps.

As a result of identifying training is being a

. contributory cause, additional training has been given to the operators. It included the necessity and methods for providing and verifying adequate suction and minimum flow through pumps. Specifically to the Makeup /HPI pumps, training has been given on the revised procedures.

c. Assurance of Water Supply Sources A study was performed into the basis for the SFAS closure of the NU Tank suction / isolation valve. That study reconfirmed that isolation is necessary to prevent gas binding 'of the MU/HPI pumps when the BWST level decreases. Options for providing the desired pump protection through interlocks, alarms or pump trips are being studied with the intent to provide assistance to the operator, which will minimize the likelihood of similar future damage.

A separate operational review of other pump suction / discharge configurations, and the procedures which support mode changes, was made to insure that a similar situation would not lead to damage to other pumps or equipment.

d. Repair of Makeup Pump P-236 Subsequent to the event, the manufacturer of the Makeup Pump cualuated the damage and determined the pump to be repairable. The repairs involved a complete teardown with some machining required on the casing. The entire rotating assembly was replaced with new components.

Following reassembly and installation, a comprehensive acceptance test will be performed on the pump prior to restart of the facility.

3.2 .2 EFFECTS OF OVERC00 LING EVENT ON REACTOR VESSEL AND STEAM GENERATORS Very early in the December 26, 1985 event, the operators recognized the symptoms of overcooling and initiated actions necessary to restore normal post-trip conditions. The delay in terminating Auxiliary Feedwater flow to the steam generators took the RCS into the " Pressurized Thermal Shock" (PTS) region, identified on a operational curve showing i desired operating parameters, in the cooldown procedure. This l means that the pressure and temperature parameters of the transient were outside the bounds of the pressure and temperature parameters used in the pressurized thermal shock study in 1982. Other parameters of the RCS were well within the bounds of those parameters (e.g., end of life material properties, etc. ,) used in that study, BAW-1751.

An evaluation of the impact on the Reactor Vessel Beltline region revealed that the stress intensity experienced during the overcooling event was approximately twice that experienced during the normal design cooldowns. The effect on the vessel

" usage factor" was approximately ten times normal, but this region of the vessel is not the limiting portion of the Reactor Coolant System, as it is allowed to experience 900,000 cycles based upon fatigue.

The following four concerns were addressed-

1. Did the high cooldown rate, or any combination of RCS pressure and temperature, during the transient, result in damage to the reactor vessel? This is the Pressurized Thermal Shock (PTS) issue.

~

2. Did any combination of pressure and temperature, or the high cooldown rato, contributo excessive fatigue usage to the RCS? Would the end-of-useful-life fatigue usage exceed that allowed by the ASME Code,Section III?

3. Did any combination of RCS pressure and temperature result in damage to the nuclear fuel due to violation of the " Fuel in Compression Limits"?

4. Did operation of all four reactor coolant pumps below 500aF result in damage to fuel assemblies due to high lift forces?

-9/-

~

3.2 .2 4. .a High Cooldown Rate The transient of 12/26/85 was initially compared to another Rancho Seco transient which occurred on 03/20/78, and is sometimes referred to as the " Light Bulb Incident". The comparison showed that the 12/26/85 transient was less severe than the 03/20/78 transient.

Babcock and Wilcox performed an analysis to assess the PTS concern entitled " Fracture Mechanics Analysis of SMUD Transient (B&W Document 32-1159785-00)." The analysis was done as a Linear Elastic Fracture Mechanics (LEFM) analysis using the validated B&W computer program, pCRIT, which calculates the PCS pressure necessary to cause a reactor vessel flaw to propagate unacceptably, given the time / temperature history of the transiont. The program uses the vessel neutron fluence and vessel material data as inputs.

The PCRIT program analyzed a range of flaw sizes from 1/40 to 1/4 the thickness of the vessel wall.

The analysis was done based on the ASME Code,Section XI, Appendix n. For the transient duration, the critical pressure was above 2750 psig. Since the critical pressure was at all times above 2750 psig during the 12/26/85 transient, and at no time during the 12/26/85 transient did pressure even approach 2750 psig, there is no predicted unacceptable flaw propagation. The B&W Fracture Mechanics Analysis of the SMUD transient concluded that no challenge to the integrity of the reactor vessel resulted from the transient. This resolves the PTS concern.

.b EPRI Cooldown Analysis The Electric Power Research Institute (EFRI),

Nuclear Safety Analysis Center, also performed an analysis of the 12/26/85 transient. Their analysis was based on the then unapproved nonimandatory ASME Section XI Appendix XX " Evaluation of Unanticipated Operational Transients" This approach applies a l screening criteria which will, if it'is satisfied, assure ductile behavior of the reactor vessel material and no unacceptable propagation of an I assumed vessel flaw.

l i

3.2 .2 .4 .b (Continued)

This nort-mandatory Appendix was designed to be applied if a plant violated its NOT curve established in accordance with the ASME Code Section III, Appendix G. Rancho Seco did not violate the NOT curve during the 12/26/85 transient. However, the 100aF/hr cooldown rate basis for that curve was violated.

Since EpRI is not an approved vendor, in accordance with the SMUD Quality Assurance Program, the EPRI analysis alone could not be used for restart evaluation. Additionally, the non-mandatory Appendix, while well founded on a technical basis, had not been approved for official use at the time of the analysis.

It should also be pointed out that the cooldown rate assumed by the non-mandatory Appendix is. 400*F/hr.

lhe basis and evaluation for the non-mandatory Appendix indicated that 400*F/hr should be bounding, and rates as high as 1200aF/hr were evaluated.

Depending upon the calculation used, the 12/26/85 transient may have had i.cooldown rate which approached 1200aF/hr for several minutes. A more supportable rate is estimated at 300*F/hr below 500aF (50 F in ten minutes).

The EPRI analysis demonstrated adequate structural integrity for the Rancho Seco vessel as long as RCS pressure did not exceed the design pressure of 2500 psig, nor T -RTNDTS C less than 55aF. These requirements were met, the minimum TC-RTNDTS being 1690F, and tne maximum pressure was less than 1700 psig.

EPRI's report gives additional assurance that the Reactor Vessel was not damaged during the transient.

.c NUREG-1195 Cooldown Analysis In NUREG-1195 the NRC/IIT reviewed the Pressurized Thermal Shock implications of the event. The following excer"t from that report's paragraph 0.3.2

" Generic PTS An} lysis" is provided.

? ~

3.2 .2 .4 .c NUREG-1195 Cooldown Analysis The analyses performed in SECY-82-465 " Pressurized Thermal Shock (PTS)," dated November 23, 1982, can be used to estimate how close the December 26, 1985 incident came to a condition where brittle fracture of the reactor vessel would be a serious concern.

The likelihood of crack initiation in a reactor vessel which experiences a severe cooldown depends on several parameters, including a critical RCS pressure and temperature. If the final RCS temperature (Tf ) drops below the reference nil ductility temperature (RTNOT) at high pressure the initiation and/or propagation of cracks can take place in the vessel wall. For the cooldown which occurred on December 26, 1985, the critical RCS temperature was approximately 170*F. That is, the RCS temperature would have had to rapidly drop another 215*F (i.e., to an RCS temperature of 170*F) while maintaining pressure around 1400 psi to have seriously threatened reactor vessel integrity.

.d Fatique Analysis Babcock and Wilcox then performed an evaluation of RCS Components for Fatigue Usage Factor Due to Rancho Seco Overcooling Events. This evaluation provided a summation of all overcooling events, large and small, which have occurred at Rancho Seco, including the March 20, 1978 transient. The analysis done following the transient of March 20, 1978 was used as the basis for the analysis. Five overcoolings, of lesser magnitude than the 03/20/78 ovent, were accounted for by assuming a repeat of the 03/20/78 transient. Additionally, six transients were accounted for by taking advantage of two transient types already in the Functional Design Specification. These two transients, High RCS Pressure Trip and Rapid Depressurization, together envelope rapid cooldowns that terminate at approximately 500*F.

l The fatigue analysis looked specifically at the limiting components in the:

l

1. ftoactor Vessel

2. Steam Generators

3. Pressurizer

- 100 -

i e

3.2 .2 .4 .d - Fatique Analysis

4. Reactor Coolant Piping

5. Control Rod Drive Mechanism

6. Reactor Coolant Pump Casing Due to the interest on the effects of the overcooling on the "embrittled" beltline region of the Reactor Vessel, a' special analysis of this region was done. It determined that the result of the overcooling was to increase the regional stress by about a factor of two. In turn the effect of this stress is to limit the beltline region to 90,000 such cycles. Normal cooldowns allow 900,000 cycles. The cumulative effect of cooldown cycles is negligible with respect to fatigue on the Reactor Vessel shell/ beltline region.

The Rancho Seco Reactor Coolant System was designed to accommodate 240 normal cooldowns, at 100 degrees F per hour. There have been several transients during which this cooldown rate was exceeded and therefore, the Babcock & Wilcox Company was asked to determine the cumulative fatigue usage factor for the entire Reactor Coolant System. This evaluation concluded that the allowable number of remaining cooldowns, at 100 degrees per hour, should be reduced from 240 to 235. A total of 31 cycles of this transient have been used to date, thus the reduction to 235 allowable cycles is expected to have no adverse impact on the current design life of 40 years.

The results are that the end-of-component-life, ASME Code Section III fatigue usage factors, are not exceeded for any Reactor Coolant System Component.

.c Fuel-In-Compression Limits Babcock & Wilcox analysis has determined that the Fuel-In-Compression Limits were not exceeded at any time during the transient.

- 101 -

o 3.2 .2 .4 .f Core Lift Analysis The Babcock & Wilcox Thermal-Hydraulic analyses of the 12/26/85 Transient determined that the most limiting conditions for maximizing core lift occurred about 15 minutes into the event, at 0428 hours0.00495 days <br />0.119 hours <br />7.07672e-4 weeks <br />1.62854e-4 months <br /> just prior to the shutdown of the first Reactor Coolant Pump. Core lift with the three pumps remaining in service is not possible. The analysis assumed a best estimate flow of 109.6% with an additional 8% flow maldistribution. The result is B&W estimate that all fuel assemblies remained seated during the transient.

.g Technical Basis for PTS Guidelines PTS analyses require numerous assumptions for the many paramotors that enter into the calculations.

Rather than require the operators to figure out the validity or applicability of each assumption, conservatism has been applied to each. For example, for fluid mixing (temperature of water against the vessel wall), no forced flow is assumed to exist; the neutron fluence is assumed to be that of 32 EFPY; a flaw size equal to the worst allowed by the ASME codes is assumed to exist; an a repressurization to 2500 psig is assumed to occur following the cooldown.

The guidance given the operator, if he should enter the undesired region, is simply to leave the region by lowering pressure. There are too many parameters involved to develop families of optimum curves for each possible plant condition. The numerous conservatisms result in a very conservative definition of the " PTS Region." Therefore, entering I this region does not indicate any immediate threat to the reactor coolant system and the procedural guidance to leave the region is conservative.

t i

l

- 102 --

3.2 .3 Operation of Radiation Monitoring Systems Following Containment Isolation

a. Root Cause of Radiation Monitor R-15001 Damage As intended, radiation monitor R-15001 isolated on receipt of the SFAS initiation signal; however, R-15001's air pump and motor were not tripped. This occurred as a result of an isolation signal supplied to the valves for this monitor, but there was no interlock to trip the motor / pump. The isolation of R-15001 with its pump still running caused overheating of the blower seals.

Following the event an investigation was conducted to determine the circumstances which led to the monitor pump seals' failure. Investigation indicated that there was no consideration given to the need for pump interlock logic to secure the pump motors in the event of the R-15001 monitor isolation by SFAS. Without an interlock to secure the pump operation when the SFAS signal closes the isolation valves, pump damage will ultimately occur.

The damage to R-15001 had no radiological or control consequences during the December 26 event.

An interlock to trip the pump on loss of suction flow has been installed,

b. Effects of Containment Isolation on Systems Required to Operate Following SFAS Actuation The systems required to operate following SFAS actuation and containment isolation are those systems actuated by SFAS itself, i.e., HPI, LPI, CBS and Containment Cooling. Systems affected by containment isolation are many and varied. Yet for the most part, the impact is minimal. In the case of R-15001, it operated for over an hour before the pump seals were damaged. In all, the SFAS signal was present for approximately two hours on December 26, 198F Only R-15001 was observed to be stressed by the condition.

Subsequent review of the effects of containment isolation determined that the Component Cooling Water (CCS) flow to the RCP seal coolers was another desirable feature which needs to be continued following SFAS actuation. A previous modification had removed the automatic isolation signal to these valves, but this review determined that a loss of instrument air would also isolate Reactor Bu i ld ing-CCW .

- 103 -

O 3.2 .3 b. (Continued)

Installation of a backup bottled air supply to augment instrument air has resolved this concern. Other systems, such as RB Normal Cooling, Control Rod Drive Cooling, Makeup and Letdown, RB Normal Sump, and Sample Systems, are not adversely effected by automatic isolation. The damage to the radiation monitor was an isolated event which has been comprehensively investigated and resolved.

.4 OTSG Overfill and Flooding of the Main Steam Lines

a. Overview During the transient, OTSG A was overfilled with auxiliary feedwater. Approximately 11 to 13,000 gallons spilled into the "A" main steam line. Because of the large difference between the temperature of the steam line and auxiliary feedwater, there was a concern that high thermal stresses may have occurreo. In addition, a further consideration was that the flooding may have caused " water hammer". Water hammer noises were heard in the Turbine Building sometime after the flooding had occurred.

To resolve the thermal stress concern, a stress evaluation of the main steam line was performed using an augmented Class 2/3 fatigue analysis. This evaluation considered the loads imposed by thermal stratification l caused by cold water in the bottom half of the steamline and thermal gradient stresses caused by the thermal transient. Fatigue usage factors were calculated for two cycles of this event, plus the operating basis earthquake l

(OBE), design basis earthquake (DBE) and 1000 cycles of

pressurc/ temperature loads. The results of the stress evaluation indicate that the fatigue usage factors for l

the most critical components in the steam line are all below 0.3 compared to an allowable limit of 1.0.

To resolve the water hammer concerns, walkdowns similar to those assembled for previous I&E Bulletin 79-14 of the "A" main steam line.and the "A" main steam line bypass to the condenser were performed. Packages consisting of check lists and pipe support drawings were assembled for each walkdown. Using the pipe support drawing as a reference, a check of the support configuration was performed. This as found configuration was then compared to the as found configuration of the,[6E Bulletin 19-14  ;

walkdowns. No visible evidence of any adverse effects due to water hammer was found on the "A" main steam line or the "A" main steamline bypass to the condenser as a result of the configuration comparison.

l

- 104 -

l

[.-- -. , - ,. _ _, __ . , _ _ , _ _ . . _ _ _ _ _ _ _ _ __ _ _ . _ _ _ _ _ _ _ .__

3.2 .4 a. (Continued)

One anomaly was noted where the bypass line penetrates the Auxiliary Building wall. At this location, the sheet metal flashing covering the wall penetration was partially pulled from the wall. Since no apparent damage due to water hammer was identified, the pulled flashing may be due to thermal expansion of the bypass line. To ensure that water hammer did not occur in the area of the flashing, a dornil examination of the welds and piping of the bypass line is being performed. This examination includes approximately fifteen feet of pipe in each direction from the penetration and encompasses several changes in piping direction. Any postulated water hammer in this area would have been limited to this run of pipe.

1he results of the stress evaluations and the walkdowns indicate that the "A" main steam line and the "A" main steam bypass line to the condenser did not experience unacceptable stresses or water hammer. The follow-up verification described above for the bypass line will be completed prior to resumption of power operations.

1

- 105 -

3.2 .4 a. Evaluation of a separate potential effect of water in the steam main, namely that water may have been injected into the AFW Pump Steam Turbine, was evaluated. The result was that no water was injected, this was due to the fact that less than 13,000 gallons of water was spilled into the a-Steam line, and over 19,000 gallons is required to reach the line to the AFW steam turbine. The turbine continued to operate well throughout the event.

b. Cause and Corrective Action lhe OrSG's were allowed to overfill as a result of the reluctance of the operators to trip the AFW pumps, even though they had lost control of the AFW/ICS valves, coupled with the emphasis on monitoring OTSG Operate Level displayed on the SpDS (which was indicating 1 to 2%

less than actual. It should be noted that 100% Operate

• Level is approximately half full on the OTSG Full Range Instruments).

In the future, EFIC wil'1 provide OTSG level control, while the operator will have diverse monitoring and controls available if needed. Improvements have been made in the Emergency Operating procedures to insure that appropriate action statements are clearly described.

Training on these changes, coupled with simulator experience, denenstrates the usefulness of these improvements in preventing OfSG overfill.

3.3 PJ_a_nt Maintenanco During the December 26, 1985, overcooling event, and its subsequent root cause analysis, there were specific concerns developed which questioned the scope and content of the plant maintenance program and the material condition of the plant. The specific concerns were:

• periodic and preventive Maintenance of Mechanical Valves

• Operability of Manual and Remotely Operated Valves Viability of a Comprehensive Maintenance program o Adequacy of Maintenanco e Ability to Iroubleshoot and Resolve Equipment Malfunctions

- 106

3.3 (Continued)

Major efforts by the District to improve the material condition and maintenance program at Rancho Seco were underway prior to the 12-26-85 event. These included augmenting and hiring the maintenance management staff, providing people dedicated to the Preventive Maintenance (PM) program, providing specific maintenance procedures and training for the maintenance staff. although underway at the time of the event, these efforts had not progressed to the point where they could have been effective in preventing the identification of the concerns listed above. During the post-12-26-85 outage, these programs havo been implemented so as to revolve the concerns and provide for Improvements in the material condition of the plant necessary to suortrt plant restart. Details of the programs and actions taken to unlidate the material condition of the plant are discussed below.

.1 Maintenance _ Program Figure 3.3.1 shows the maintenance organization now in place at Rancho Seco. Significant to the success of both corrective and preventive maintenance programs are features of a centralized maintenance planning organization and an organizational structure which provides the Maintenance Manager with the controls to implement effective maintenance.

Along with this organization is the implementation of overall guidance in the form of an administrative procedures manual, a maintenance procedure writers guide, workmanship standards, and a significant expansion and enhancement of the maintenance procedures used to perform plant Electrical, Mechanical, and IAC maintenance.

The Maintenance Organization is actively seeking INPO accreditation, with a target of May, 1987, for accreditation of Maintenance Training in the Electrical, Mechanical, and I&C areas. An aggrossive on-the-job training program is underway which is already showing benefits for both incumbent and newly added maintenance technicians. Over $1.5 million was recently spent to provide equipment for the maintenance training program.

The Materials Management program has been completely overhauled. Exporienced people in this function have been brought in and have upgraded the Materials Management Organization to insure comprehensive programs for the procurement, engineering, quality, receiving, inspection, handling, and storage of plant equipment and materials.

-- 10/ -

m 3.3 .1 (Continued)

Within the expanded maintenance planning program, Quality Engineering is integrated into the development and review of the maintenance packages. This close tie to the facility quality program ensures that the need for standards, acceptance criteria, and inspection are appropriately included in each maintenance task.

.2 Operability Program for Manual and Remote Operated Valves The initial concern following the 12-26-85 event was the extent of the inoperability of manual valves in the plant.

The valve in question was in the Auxiliary Feedwater System and intended as a maintenance isolation valve, hence it was '

normally kept in a " locked open" condition. Following the event, operations established a list of valves which might be required to be operated to mitigate specific casualties on both active (pumps, valves) and passive (tanks, heat exchanges, pipes) equipment. The results of the exercising (stroking) of these valves did not show a generic problem as the result of the previous lack of either a programmatic pM program, or periodic stroking. Valves did receive PM to insure future operability, and one class of valves, manually operated with Limitorque operators, were identified as needing overhaul. As a result a plant wide effort has reworked all operators in this category to insure operability.

Remotely operable Motor Operated Valves have been identified as an industry wide concern. Rancho Seco developed a specific program to resolve the issue as stated in IE Bulletin 85-03.

Results of that effort showed enough problems to warrent expanding the program to minimum of all safety related Limitorque MOV's on site. This has been an aggressive program utilizing the MOVATS equipment, and will result in having confidence in the operability of all the MOV's at the time of restart.

.3 Valve Preventive Maintenance Program During the December 26, 1985, transient, there was a problem with a manual isolation valve on the Auxiliary Feodwater System. This problem was attributed to the fact that the valve had not been serviced as part of a proventive maintenance program. As a result of that incident the Valvo Preventivo Maintenance Program was expanded to include not l only safety and technical specitir.ation related equipment, but the secondary plant equipment as well. At present, under the Manual Valvo Program, wo havo looked at S/0 manual valves, 22 l check valves, and an additional 54 steam traps i

l

(

- 103 l

l i

l

3.3 .3 (Continued)

Initially 30 motor operated valves were to be inspected as part of the IE bulletin 85-03 program. This program has been expanded to minimum if all safety related motor operated valves for a total of 101. For each valve inspected, we are doing all required mechanical work, and packing changeouts as well as refurbishment of all motor operators and retesting using the MOVATS system.

Secondary plant pneumatically operated valves and relief valves, while not a part of the preventive maintenance task at this time, will be included as preventive maintenance tasks during 1987. At present, these valves are being addressed as corrective maintenance items.

This treatment of relief valves is appropriate as those capable of passing significant quantities of steam have

• recently had their setpoints checked and servicability verified.

.4 Troubleshooting / Root Cause Determination Program In January of 1985, the Incident Analysis Group was instituted at Rancho Seco to investigate and establish the root causes of complex or significant events or occurrences. For both of the reactor trips which occurred in the fall of 1985, and again following the 12-26-85 event, a systematic toubleshooting program was instituted. This program was modeled after that developed at Davis-Besse in June of 1985 and issued as Appendix B to NUREG-1154. As a result of these programs the root causes of the December 26 event were systematically determined and appropriate corrective actions developed and implemented.

To insure that a similar programmatic approach is taken when future equipment deficiencies or failures appear, a

" troubleshooting" procedure is being implemented. This program will be instituted at the discretion of the Maintenance Manager whenever circumstances suggest that the work required is other than routine. That is, the root cause is not apparent or that the discrepancy is a " repeat" condition where past corrective action has been ineffective in preventing reoccurence.

- 109 -

3.4 Trainine and Operator Performance

.1 Adequacy of Operator Training

a. Program Overview The Rancho Seco Operations Training Programs, being INPO Accredited, are required to be monitored and evaluated on a continuous basis. ' Periodic program evaluations and corrective actions are required for proper maintenance of the accreditation status. This network is an established method of training evaluation, and resolution, has significantly enhanced the process of identifying and resolving training discrepancies noted in a station-wide review of the December 26, 1985 event. Included within the accredited framework are proceduralized methods of identification, tracking, and verification of all modifications to Operations Training Programs.

Due to the magnitudo of the Restart evaluation programs and resultant equipment modifications, procedural revisions, and philosophy changes, an independent Restart Training Program has been implemented. Staffed by Senior Licensed Operations Instructors, the program is chartered to:

1) Perform an independent detailed review of the technical accuracy and content of classroom, simulator, and OJT training programs.

2) Evaluate and resolve all operator training weaknesses identified through the various investigative programs of the Restart Action Plan.

3) Develop a comprehensive program to provide all operations personnel with adequate training, prior to Restart, on the following items:

• Plant Modifications - Equipment Changes e Normal, Casualty, and Emergency Operating Procedure Revisions e Casualty Control Philosophy Changes e Requirements, Conduct, and Control of Startup Testing Events

• Diagnostic Evaluation Gkills i

110 -

l l

l

l 3.4 .1 a. 4) Implement a detailed program to train all operations personnel on the startup and return to power operations of the unit. This is to include all. 3 procedures, surveillances, logs, reports, and '

indications involved in returning the unit to power operation. Extensive use of the Simulator Facility is included.

l The exhaustive effort of the Restart Training Program has yielded substantial results in the operations training

. area. Licensed and non-licensed plant operators have, and will continue to receive, specially tailored courses covering the administrative and technical aspect of the unit Restart. Each student in the program will receive a total of over 200 contact hours of training. The commitment-to-excellence of the Restart Training Program for licensed operators is further evidenced by the substantial efforts and funding involved in the EFIC upgrade of the Sinulator Training Facility and also by the incorporation of several extensive vendor courses on specific items.

I As a programmatic plan, the Operations Training Department will continue to maintain a high status of accreditation of operator programs. The establishment of i

a' state-of-the-art Training Facility will significantly enhance the quality of operator training. A plant-specific simulator, now well into the development phase, will serve as a' capstone for providing a high standard of operations training.

b. ICS Off-Normal Operation Previous to the loss of ICS power on December 26, 1985, Operations Training Programs contained ICS malfunctions

' and resultant plant transients as a portion of both initial and continuing licensed training. ICS power distribution was addressed also. lhe consequences and transient involved by a loss of ICS power was not covered in detail.

During an extensive review of all Operations Training Programs involving ICS manipulations or classroom training, it was dotermined that the following enhancements would significantly increase the operators' understanding of ICS power loss and loss of instrument inputs:

1) Add ICS power loss and recovery to initial and continuing training in both the licensed and senior licensed operator programs.

- t il -

t Perform initial and follow-up training for licensed 3.4 .1 b. 2) operators at the Simulator Facility on ICS malfunction events including loss of ICS power.

3) Enhance the current ICS malfunction training to include a wider range of potential ICS-induced plant transients. This will include temperature, flow, level and pressure input failures and include significant manual operations.

The Restart Training program has contained lecture and simulator training to support the topics outlined above.

ICS power loss, instrument input failure control philosophy, and a detailed discussion of ICS power distribution and modifications are topics included in the program. Also included in the Restart Training Program is further simulator training with the newly installed Emergency Feedwater Initiation and Control (EFIC) system and how it affects ICS transients. The complexity and completeness of this entire program will adequately prepare the operator to identify and control all potential ICS transients.

c. Makeup System Operation Operation of the Makeup System, during both normal and safety features operation is an extensive topic in licensed training programs. However, understanding the seriousness and consequences of the makeup pump failure during the December 26, 1985 event, so as to enhance Operator Training Programs, and to prevent reoccurrence, the following resolutions were determined:

• Add emphasis on recovery of the makeup system following safety features operation including a discussion of C,41, " Recovery From SFAS Actuation" procedure.

• Modify the Simulator Facility to more correctly model makeup system operations.

l The Restart Training Program has addressed makeup pump operations in detail, including:

1) Sequence of events and lessons learned from the

.nakeup pump failure on Docomber 26, 1985.

7) Emergency Operating Proceduro modifications to address return of makeup system components to their

, normal configurations.

3) Dotalled discussion of Casualty Procedure C.41,

" Rec overy From Mfety F eatures Actuation"

- 112 -

3.4 .1 d. AFW Throttline The guidelines, and conditions under which they apply, for the control of Auxiliary Feedwater during transient conditions are contained in the " Rules" section of the Emergency Operating Procedures. These procedures and the philosophy of symptom-oriented plant control are topics addressed in both initial and continuing training for all Licensed Operators. The " Rules" portion of Emergency Procedures are required to be " committed to memory" and tested to that specification.

Topics to re-emphasizing AFW throttling criteria were included in the Restart Training Program. Specific discussion centered on ensuring a clear understanding of the conditions under which AFW must not be throttled, throttled to prevent overcooling, and terminated.

Simulator scenarios were used to strengthen that understanding . In addition, with the installation of EFIC, all guide}ines and " Rules" of the Emergency Operating Procedures affected by this feature are included in the Restart Training Program,

e. AFW Pump Trip Criteria The guidelines and criteria for cooldown prevention regarding AFW pump control are contained in the Emergency Operating Procedures (EOPs). Training to address AFW pump control is included in licensed training programs.

As a result of an extensive review of the E0P's, and subsequent enhancement of the AFW control subsections, retraining on these topics was included in the Restart Training Program. Classroom discussion and simulator drill scenarios, including the interface with the EFIC system, were utilized to ensure each licensed operator has a clear understanding of AFW control during abnormal plant conditions.

f. Emergency Plan Emergency Plan training is a required, continuing topic for all licensed operators. Classroom trainir.g is provided on the philosophy and use of the Emergency Plan and any rovisions as they occur.

lho Emergency Planning Department conducts frequent sito oxorcises to provido practical training in the uso and implementation of the Emergency Plan. In addition to this mothod of practical appiltation, oxtonsive Emergency Plan us.qe is included in simulator drill training conducted for all licensed oporators.

- 113 -

3.4 .1 f. The Restart Training Program included several classroom sessions and extensive simulator drills to enhance the current philosophy of Emergency Plan use. All revisions, made as a result of Restart efforts, will be included in this training,

g. Communications Training for the Control Room Communicator, in the form of actual OJT performance, has been conducted. This included operation of all telecommunications hardware and use of the applicable Emergency plan reporting forms.

Additional training in the Restart Training Program includes " Command and Control" and "Watchstanding Principles", both topics stressing the importance of clear communications during emergency conditions.

1he depth and scope of site emergency drills have increased, this also includes the increased emphasis on Communicator Training. The increased frequency of these drill scenarios will result in more frequent application of the Communicator skills. The more realistic scenarios which are utilized will ensure a "real time" training situation for Control Room Communications,

h. D u AD,V TBV Operation Extensive hands-on training is provided for each licensed and non-licensed plant operator on manual-local operation of the Turbine Bypass Valves (TOVs) and Atmospheric Dump Valves (ADVs). Detailed classroom instruction on the normal and emergency operation of the valves is also included.

Modifications performed on the TUVs and ADVs were addressed in the Restart Training Program. This includes EFIC-related control fur.ctions and the auto-close feature on loss of ICS power.

114

o 3.4 .1 1. Differences Between 8 & W Simulator and Rancho Seco An in-depth review of the capabilities and limitations of the relationship between the Rancho Seco Control Room and the Power Safety Simulator Facility has been performed.

In response to those particular findings, both Power Safety and the District have initiated actions to resolve as many of those discrepancies as physically possible.

In addition, extensive funding and effort have been expended on an EFIC upgrade to the Simulator in Lynchburg, Virginia. This hardware and modeling modification is intended to be a near perfect reproduction of the EFIC controls and characteristics of the Rancho Seco plant.

Additionally, Power Safety has begun an internal upgrade program to increase compatability in the following areas:

1) Makeup System operations including proper modeling of the makeup tank outlet valve controls

2) Safety Features Operation

3) Main and Auxiliary Feedwater Controls, including a detailed incorporation of EFIC Included in the Restart Training Program, and for all future utilization of the Power Safety Facility, is a specific lesson describing the extent of differences between the Rancho Seco plant and the Simulator. This lesson is conducted as the first item during the first simulator session of the training week. The Power Safety instructor physically walks each student through the various controls utilized at the Simulator.

As a final quality check, the Rancho Seco Operations Training department will have a licensed instructor assigned to each training crew to monitor and assist in Simulator Drill Scenarios.

J. Oporation__of Manual valves Following an in-dcpth' review of the actions required of plant oporators regarding manual valvo oporation, the Operations Training Programs have, and will continuo to be modified to include:

1) E x't.en s i ve hand s- on OJ 1 in the manual operation of the various typos of handwhool . controlled valvos expected to be encountered 115 -

3.4 .1 j. 2) Detailed classroom training on the normal and manual operation of the TBV's, ADV's, AFW valves and various limitorque valve configurations.

In addition, to resolve this concern immediately, the Restart Training Program has included the topics outlined above. Each licensed and non-licensed operator physically operated each valve listed above (TBV, ADV, AFW Centrol Valve). As outlined above, this will now be conducted on a periodic basis for initial and continuing non-licensed training programs.

k. plant Modifications, Procedural Changes and Additions As outlined in the Program Overview (Part a.), the Nuclear Training Department has established tracking methods to identify and follow all plant modifications and procedure revisions. Due to the large number of equipment and procedural revisions concerned with Restart, a separate staff has been assigned to track and develop training events, to support operations personnel's understanding of these changes.

An extremely intensive Restart Training Program is being implemented to carry out the training related to equipment and procedure changes. Nearly 200 contact hours per licensed /non-licensed operator will be conducted. lhis program also contains extensive OJT for non-licensed operators and two separate Simulator visits for licensed personnel. Detailed vendor courses are included for installation of two major new systems:

addition of EFIC and the TDI diesels.

1. Operator Retraining Due To_Long-Term Shutdown Realizing the length of the shutdown of the unit, a detailed program has been established to ensuro licensed and non-licensed plant operators clearly understand the technical and administrative actions to conduct all normal unit evolutions associated with heatup, power ascension and unit shutdown.

Normal Procedures, Casualty Procedures, Emergency Procedures, rechnical Specifications, Special Orders and Equipment Limitations are covered in great detail. A comprehensivo simulator Training Program is included in this section of the Restart Training Program.

- 116 -

. 3.4 .1 In addition to an extensive review of normal _and emergency plant control, a detailed course is established for actions and requirements involved in the Startup Testing Program. In some cases this will involve extensive crew briefings prior to major test evolutions.

A direct interface between Engineering (Startup) and Training has been established to insure accuracy and completeness of all Startup Testing Training.

m. EFIC Training and Simulator Trai_n_ig Including EFIC

, .1 An extensive training program has been developed for both licensed and non-licensed plant operators regarding the installation of Emergency Feedwater Initiation and Control (EFIC) System.

The training program developed for licensed operators is a five part course to address the detailed system operation, Control Room interface, and operation of the system during transient conditions. Specifically, the course is comprised of the following:

1) CLASSROOM LECTURE

" Introduction to EFIC" -- Basic functions and plant interface.

2) "EFIC -- DETAILED DESCRIPTION" -- Detailed electronic operation including parel controls.

3) OJT/WALKDOWN -- Identify and discuss all panel controls.

4) CLASSROOM -- Casualty scenarios discussed to include indications and operator panel actions required.

5) SIMULATOR TRAINING -- Plant transient scenarios which utilize the automatic features of EFIC.

(Simulator training program and modifications discussed below.)

4 1 - 11/

i

_ _ , _ _ _ _ _ _ .__ . - . - - - . - - - - - - - - - - - - - - - - - - -' ' ' ~ ^ ^ ~ ^ ^ ' ^ ' ^ ^ ' ' ' ~ ^ ' ~ ~ ^ * ~ ' ~ " ' ~ ~ ~

3.4 .1 m. (Continued)

The simulator training rurtion of the EFIC modification training program will include extensive operator interface with the EFIC panel during casualty drill scenarios. The Power Safety Training Simulator is modified to include the EFIC modifications installed at Rancho Seco. Both the hardware and software included in the Simulator upgrade are exactly identical to the system installed at Rancho Seco. Both the hardware and sof tware included in the Simulator upgrade are exactly identical to the system installed at Rancho Seco. All panel controls and indications are cosmetically identical to Rancho Seco Controls

.2 Minimum Staffing Regt{ireme,ny Additional staffing above that required by the Technical Specifications and other commitments was onshift during the 12/26/85 event. With staffing at the minimum required level, the required minimum staff is seven operators. (Two senior reactor operators, two reactor operators, two non-licenced operators and a shift Technical Advisor).

Plant Administrative Procedures require a minimum operations I crew of 10 operators plus one chemistry technician and two radiation protection technicians for a total of 14 individuals on shift. 1his staffing among other things allows for 6 flexibility in job assignments, on-the-job training and provides for more-than-adequate manpower to conduct and support routine operations activities and surveillance testing.

the existing rechnical Specification minimum staffing is considered to be adequate. Simulator training confirms that plant control can be attained in a timely manner from the control room with a minimum of ex-control Room activities.

Simulator instructors intentionally delay requested "in plant" simulated activities to emphasize and demonstrate that Control Room control is preferable and attainable. An over-cooling event such as the 12/26/85 ovent potentially could require significant inplant efforts to control the plant, but Emergency procedures have been revised to require that control room controls be used to terminate the overcooling, regardless of the status of NNI or ICS power. Simulator training, has confirmed the effoetiveness of these procedure changos.

- 118 -

3.4 ,2 (Continued)

The Plant Performance and Management Improvement Program has as an objective (as contained in the prioritization criteria for prior to restart items) to reduce the need for operator action outside the control room within 10 minutes of an event. An example of a restart improvement meeting this objective is the installation of an automatic starting diesel-driven air compressor backup to the plant air system.

No operator action is now required to restore the plant air system upon loss of offsite power.

.3 Incapacitated Operator The operating crew on duty December 26, 1985, had been augmented by an extra Senior Reactor Operator who was also a qualified Shift Supervisor. Early in the event he left the Control Room (this was appropriate, as he was not assigned a

- specific duty station) and assisted in the work of post-trip recovery and equipment operation. Upon returning to the Control Room, after nearly a half hour of vigorous exertion, he became " lightheaded" and had to lie down. Followup examinations have not identified any reason for concern as to the individual's fitness for duty.

.4 Potential Security / Safety Interface Issues During the December 26, 1985 event, one of the operators lost his security badge. He notified Security and they escorted him until a replacement badge was issued.

Concurrently, the reading time for the security area access card reader at the Control Room door began to impact the

~

timely dispatch, and return of operators as they established manual control of the various equipment outside the Control Room. The Shift Supervisor requested that Security post a guard at the door, thus allowing it to remain open for the duration of the event. A security officer was provided.

These hindrances did not significantly affect the outcome or timeliness of response to the event. Yet it is apparent that improvements could be made to ensure that Security is a part of event response and that affects of anticipatable occurrences, like misplaced badges, could be minimized by appropriato plans and procedures. Enhancements in the Rancho Seco Gocurity Plan and Procedures have been implemented which will improve the support provided by each organi/ation to insure optimum response to plant emergencios and transients, 119

f ,(<,;

). r '

jf

,e f se .

i e <.

3.5 Plant Normal.and Emertsency Procedures.

, s .

.1/.2 Need for Event Related Procedures'and Adeauacy of ATOG '

Procedures f f -

j.

The lack of a specific procedure for ICS power restoration ,

contributed to the excessive cooldowp on 12/26/85 and raised the issue of the need for event-relhted procedures tis related to the sympton-based ATOG Emergehy Procedures. Thn'ATOG concept of symptom-based emergency operating procedure-(EOPs) is valid for attaining' overall .',alant control and a'$sur;ing' ,

protection if the reactor core. Ebnif:relNed^bsualty ,.

proceduree'are a necessary, complement,,to th4 EOfs and ads in "~

place at Rancho Seco. '

t.  ;/ , ,

,- . r-

• The basic concept of the symptom based ATOG EmO 3ercy

, , g" '

,'" /f.f-Procedures 'is that any eve'st'whith is severe en&.gh to ,7/;,

initiate a plant trip wiliimani M t itse N as either a 1 css of, ,,

'subcooling margin, excessivo prioar) to ancondary heat, transfer (overcooling of the RCO or inadequate p/imary to,( '

secondary heat transfer (overheating of the RCS). The ~ r; operator is trained, and procedures provide guidance, te. '

rapidly identify these conditions. Separate yet coorditiated Emergenck Procedures are then provfJed te' treat each of tFMe ,

symptens regardless of the; specific iniciating event: ! oF r '.

example, it is not necessary for th$ operator to deter.nine W an overcooling is caused by a stuck open steam generator code

sahty value, a failed-open Saain feedwater regulating' valve, or an overfoed due to an-It.r Goatrol failure. He overe:>oling '

procedure contains all 6ecessarya 'ctions to terninute '

overcooling from any possible initiating failure, even if tho/ "'

actual failure is unknown. '

The validity of the ATOG approach has'been conftrmed by the validation and verification process conducted during ,' '

development of the plant-specifid E'JPs and reconfirmed by -

licensed operator requalification'aimulation training.

TN failure to promptly tarmlEate the r overcooling on 12/26/85 was caused by a lack of specifit yriteria, such as prossuried level or RCS temperature, for wh o to trip fooduuter pumps, and not by a flaw in the ATOG concept nor by failure to havo l implemented the ATOG loss of ICS stops. The lack of the critoria in the Rancho Seco E0Ps is due to those criteria m>t being in the original Af0G, and not an orror in the development and implementation of the A10G based EOPs. Had th ra been an avont related proceduro for loss of ICS rathor than the AIOG EOP's, the sam 6 lac k of specific criteria (for when to trip foodwater pumps).would have existed. Tho throo major divisions of the E0P's, (Loss of Subcooling, Excessive Haat frunsfer, and Inad9quate Hoat Transfer), now certain explici t cri teria to ao rure prompt arul correc t ac tions

+ 120 -

( ,s 3.5 .1/.2 (Continued)

Event-related (Casualty) procedures are a necessary compliment to the EOPs, These procedures contain the Operator actions to control readily identifiable events which may or may not cause a reactor trip, however, these actions are not required to assure proper core cooling. Any event which could jeopardize proper core cooling will result in excessive or inadequate primary to secondary heat transfer, or a loss of subcooling margin and a reactor trip. All necessary actions for these symptoms are contained in the EOp's. Should a loss of ICS power cause a reactor trip and an overcooling, the upgraded

' EOP's would rapidly terminate the event without the need to identify the initiating event as a loss of ICS power.

However, once plant control is attained and loss of ICS power is identified, the event related procedure for loss of ICS power would restore the ICS in a controlled manner.

.3 Adequacy of Radiation Protection Procedures Two operators made an emergency entry into the makeup pump room, which contained a spill of about 1200 gallons of reactor coolant, without respiratory protection or adequato protective clothing, neither of_.which was readily available. Procedures for emergency entries were inadequate.

The procedure for entry into areas of unknown radiological condition has been extensively revised to outline the requirements for such entries, and to specify the operators and health physics technicians responsibilities. An additional health physics technician has been placed on shift to provide dedicated support' for Operations normal and emergency activities. This individual attends Operation shift briefings and works closely with shift operators.

Emergency respirator equipment and protective clothing has been made available at a convenient location within the Auxiliary Building controlled area to improve emergency response capabilities.

Deficiencies were noted in the content of several Emergency Plan implementing procedures (EPIPs) related to radioactivity release alarm setpoints, assessment of offsite dose, and documentation requirements. The EPIPs have been revised to correct release alarm setpoints. The EPIPs for offsite dose assess.nont have been extensively revised and training conducted.

.4 Ade_quaclof Annunciation Proced_ures tjanual I.ack of adequate corrective action in the [CS power loss annunciator procodure indicated a potential weakness in the annunciator procedures manual.

171 -

3.5 .4 (Continued)

The lack of detail in the ICS and NNI Annunciator Procedures has been resolved by referencing the appropriate Casualty or Emergency Procedure and providing more detail to help the -

operator assess the significance of the alarm. The

, annunciator procedures are intended to direct the operator to investigate and correct very specific events, not to provide direction for overall plant control, which is accomplished by the EOPs complemented by the casualty procedures. The annunciator procedures are to be reviewed and upgraded as part of a long term effort on procedure improvement.

.5 Methodology For procedure Updating A modification to the' atmospheric dump valve (ADV) and turbine bypass value (TBV) controls was made to accommodate the Appendix R remote shutdown capability and incorporated it into the appropriate remote shutdown procedures. Although not intended for such use, the new controls could have been used to more rapidly close the ADVs and TBVs on 12/26/85 but were

( not included in any procedures other than the remote shutdown procedure. A potential area for improvement then, is to assure that all possible uses of a new or modified device are identified when making procedure changes associated with the plant modification. Identifying " unintended but useful" applications for plant modifications can be achieved by review of knowledgeable, trained operators. The Operations

~

Department has recently been reorganized and a specific group of operators, directed by a superintendent-level senior licensed operator, has been created and is responsible for updating and controlling operations procedures. This procedures group provides the manpower and expertise to provide for improved quality of procedure updating.

Additionally, a long term operations procedures rewrite project utilizing experienced contractors and SMUD personnel will provide a mechanism for identifying and incorporating procedure improvements. The rewrite project is planned to start in the first half of 1987.

i

.6 Ad_equacy of Emergency Procedures l

The 12/26/85 event revealed areas in which the Emergency l Operating Procedures (EOPs) were inadequate. These included:

1) Directions to terminato feodwater flow (i .e. , trip all oporating main or auxiliary foodwater pumps) to ter minate overcooling or steam generator overfill.

i

2) Avoiding pressurized thermal shock (pis)

3) Recovery from safety feature system actuation.

- 172 -

3.5 .6 (Continued)

Each of these concerns has been evaluated and appropriate change'made and training conducted. Overcooling events, which include steam generator overfill events, require prompt termination of feedwater flow. Although the EOPs contained the proper steps to close valves to terminate flow and to trip

'all feedwater pumps, if valve closure is unsuccessful, no plant parameter, such as pressurizer level or RCS temperature, were provided to assure feedwater pumps were tripped in a timely manner. These criteria have been developed, implemented and tested on the similator and found to rapidly terminate overcooling.

EOPs have been revised and training conducted to avoid conflict between avoiding PTS and maintaining pressurizer level. HPI flow may be throttled anytime RCS is subcooled, regardless of pressurizer level (or lack of it).

The lack of a procedure for recovery from safety features system (SFAS) actuation led to damage of the makeup pump due to running it with its suction valve closed. A specific casualty procedure was written for recovery from SFAS actuation and cautions have been added to the EOPs to provide assurance of proper operation of SFAS actuated equipment.

3.6 Human Engineering Considerations Human Factors Engineering is an integral component of the Configuration Control and Plant Modification Programs at Rancho Seco. As such, each proposed modification or change is programmatically reviewed to insure that it incorporates the Control Room philosophy set forth in the District's Detailed Control Room Design Review (OCRDR).

As a consequence of the large number of proposed modifications currently being considered; and installed, it was determined to be useful to define the Control Room as a " System" and treat it within the SRTP as such.

The major benefit is to insure that a coordinated approach is taken and that the Control Room Design Basis not be invalidated.

Following are specific items relating to the December. 26, 1985 event, and their resolution.

.1 Si_mplified Schematics for Switches S1 and S2 Simplified electrical schematics showing the power supply and distribution within the ICS cabinets have been installed on the (abinet doors. these specifically show Lho Si and S2 suitches. The schematics are similar to the previously installed sc hematics on the NN[ cabinets. Ihoy are made of durable engraved plastic laminato.

- 123

s- ,

r 3.6 .2 Valve Position Indication IBV, ADV, AFW, MFW control and startup FW valve position indication provide the operator with positive indication (OPEN/MIDTRAVEL/CLOSE). T8V, MFW control and MFW startup valves each have a pair of indicating lights on Control Room panel H1RI. ADV position indication is grouped per steam line on HlRI. AFW control valve position is an analog (0%-100%)

indication located with the EFIC controls.

.3 Control Room HVAC Noise The HVAC noise level problem has been incorporated in the Control Room / Technical Support Center Essential Air Conditioning System Status Report as problem 3, as follows:

SYSTEM PROBLEM 3 Excessive noise in the Control Room caused by operation of the Essential HVAC System.

DESCRIPTION: Operation of each train of essential HVAC equipment produces undesirable sound levels in the Control Room and impairs communication within the Control Room and while using the telephone. When both trains of equipment operate simultaneously, as occurs during automatic actuation of the essential system, the sound levels increase and have a severe impact on communication.

INVESIICATION: An evaluation of the noise and vibration levels of the essential HVAC System has been performed to establish the cause(s) of the high noise levels. Based on the results of this evaluation, immediate and long term resolutions will be pursued.

RESOLUTION OF PROBLEM: The following actions will be taken to resolve the problem:

1. A special test will be performed to evaluate the effect of reduced air flow on system noise levels and cooling capability.

- 174 -

3.6 (Continued)

2. If the above test demonstrates that reduced air flow will yield satisfactory reductions in system noise level while maintaining an acceptable level of cooling and pressurization capability, a modification will be implemented.

3. If the above test demonstrates that reduced air flow will not yield satisfactory results, Nuclear Engineering will provide an al. ternate resolution.

TESTING: Upon completion of any modification to the essential system for noise abatement, the balance of the system shall be verified and corrected as required. The noise levels shall then be measured to determine effectiveness of modification.

A BBN Laboratories Inc. study of Control Room noise levels was conducted on November 13, 1985. This study determined that the NUREG 0700 guidelines nf 65 dBA were not exceeded for single unit operation except for one location and this was found to be 66 dBA.

With both units operating, the so6nd level in the Control Room was between 69 and 72 dBA or 4-7 dB above the guidelines. The problem was compounded,'however, since with one unit operating the delta between the background sound level and the annunciators did not

, exceed the recommended 10 dB minimum.

A test was conducted by Babcock & Wilcox Company during the week of June 9, 1986, this test determined that the noise was created by excessive velocities in the Control Room ducts. The recommended solutions were to reduce velocities, extend ducting to reduce velocities, or to line the duct. It was noted that placing sound absorbing material in the duct would result in increased velocities and the desired results may not be obtained.

As stated in the SSR problem 3, a 20% reduction air flow test will be performed in December, 1986, and the results utilized to determine a permanent ~fix.

.4 Alarms on ICS As described in Section 3.1 of this report, the ICS/NNI alarms / annunciators have been completely revised. The key feature of these changes was to incorporate human engineering concepts into the annunciators. This resulted in two annunciators, one for " Trouble", the other for " Failure" This grouping resulted from a review of the required operator response to the various conditions requiring annunciation.

- 125 -

- u m 3.6 .5 Control Room Modifications 4 The following mod'ifications will be made to the control Room.

Install'ation of EFIC controls and indication

• TBV controllers independent of ICS will be added in the Control Room

. Annunciator changes include:

- ICS and NNI trouble and failure alarms

- PORV actuation alarm

- IDADS trouble alarm

- TDI diesel alarms ICS and NNI labels have been added for all indicators and recorders which receive signal or power from ICS or NNI e Valve position indication for ADVs, TBVs, MFW and startup FW valves will be added

• OTSG A and B labels and color padding for OTSG isolation switches has been added e A recorder will be added which will trend parameters required to take the plant from hot shutdown to cold shutdown. All trended parameters will be independent of ICS/NNI signals on power

• The five recorders driven by the Bailey or Modcomp computers will be replaced with a single 30 por 6 color programmable recorder

• The Auxiliary Steam Reducing Station will be modified to make the setpoint independent of ICS power

• A heatup/cooldown rate monitor will be added to HISS e The SPDS controls will be replaced with more rugged controls

• The nuclear service loading buses have been removed from the Safety Features panel i e Controls for motor operators on MFW isolation valves will i

be installed f e The SPDS is being upgraded to meet Regulatory Guide 1.97 Category 1 I

requirements, NUREG-0696 requirements for radiation monitoring and independent from NNI for hot shutdown parameters

• The HPI flow indication will be made independent of NNI

- 176 -

I o 3.7 System Review and Test Program (SRTP)

.1 Proeram Overview The objective of the System Review and Test Program (SRTP) is to demonstrate that systems important to safe plant operation are ready to perform their function prior to restart.

This program is being implemented by a System Engineer program modeled after INPO Good Practice OP-209. To support the SRTP the System Engineering organization has been expanded to 90 technical and support personnel.

All systems at Rancho Seco are being investigated to some degree. These have been divided into two categories:

Selected Systems which were originally 27 identified systems, and Additional Systems which included the 50 remaining systems. The results of the investigations have been documented in a System Status Report (SSR) for Selected Systems and in a System Investigation Report (SIR) for Additional Systems.

The criteria utilized to identify the Selected Systems by the SRTP Director, which were then recommended to the PAG for treatment as " Selected Systems", are as follows:

1. A history of significant or recurring problems.

2. The systen was related or contributed to the 12/26/85 event.

3. The system is being significantly modified.

4. The system has significant potential for initiating or adversely affecting transients.

The criteria for selecting the Additional Systems are as follows:

1. The QCI-12 input phase has produced a recommendation for the system.

2. An open work request existed against the system as of 07/01/86.

The program allows for upgrading Additional Systems to Selected Systems. Based on the quantity and significance of issues raised by the PP&MIP process, Additional Systems may be upgraded by the PAC to Selected System status. As of 11/17/86, five systems have been upgraded and there are now 30 Selected Systems (two Selected Systems woro incorporated into other Selected Systems).

- 12/ -

B 3.7 .

.1 (Continued)

The selection mechanism for determining which systems require a system review is the review process of the Plant Performance and Management Improvement Program (PP&MIP). This process identifies component and system problems based upon extensive review of Rancho Seco performance history, condition and design, as well as industry experience. The system related output of the PP&MIP are fed through the RRRB to the appropriate System Engineers. On the basis of this evidence, the System Engineer may recommend Additional Systems for upgrading to Selected System status.

The review of the Selected and Additional Systems under the System Review and Test Program has been documented in individual system reports. A System Status Report (SSR) has been prepared for each Selected System and a System Investigation Report has documented each Additional System Review.

.2 System Review System Status Report (SSR)

The SSR for Selected Systems has been developed in three stages with each stage documented in a separate revision (Rev.

O, 1 and 2). The purpose of the Rev. O report is to initiate plant dasign and modification work. 'lhe contents of the Rev.

O rep are an Executivo Summary, a basic System Functional Descr , .on and a listing of Problem Statements developed from the PP&MIP process and from the results of a review of open Work Requests. Ihis Rev. O report is reviewed and approved by the Performance Analysis Group and the Deputy General Manager, Nuclear. Once approved, it was used by the System Engineer to initiate design activities, maintenance activities and plant modifications through conduct of a " kickoff moeting."

The Rev'. 1 SSR is utilized to identify the testing necessary for each Selected System. It builds on the Rev. O SSR, providing a more detailed System Functional Description, additional problem statomonts from a review of open ECNs, open NCRs and outstanding Abnormal Tags, and the identification of testing required to demonstrate functions important to safe plant operation to be conducted prior to restart. The Rev. I report is reviewed and approved by the rest Review Group, Performance Analysis Group and Deputy General Manager, Nuclear. Once approved, the preparation and implementation of test specifications and procedures will begin.

- 120 --

. 3.7 .2 (Continued)

A Rev. 2 SSR is prepared for each Selected System and is utilized for final system acceptance. This report contains everything from Rev. 1 plus additional problem statements documenting the results of the system walkdown, review of maintenance history trend investigation, and a review of the Davis-Besse SRTP results. This revision will also contain a summary of results of tests performed to date and an Operability Statement by the System Engineer. This report is reviewed and approved by the Test Review Group, Performance Analysis Group and Deputy General Manager, Nuclear prior to restart.

System Investigation Report Overview System Investigation Reports (SIR) will be developed for all Additional Systems in two stages. The Rev. O SIR for each system will be utilized to get plant work started and to determine whether the system should be upgraded to Selected System status. The contents of the Rev. O report are an Executive Summary, a System Functional Description and a listing of Problem Statements developed from the PP&MIP process and from the results of a review of open Work Requests, open NCRs, outstanding Abnormal Tags and open ECNs.

The report also contains a justification for upgrading the system to Select Status or for maintaining the Additional System status. This report is reviewed by the PAG and by the Deputy General Manager, Nuclear.

Rev. 1 of the SIR for each system is utilized for final system acceptance and for consideration for upgrading to Selected System status. The contents of the Rev. 1 status report includes the Rev. O SIR plus any additional Problem Statements and an Operability Finding. This report is approved by the Performance Analysis Group and the Deputy General Manager, Nuclear.

.3 System Testing The System Status Report (Rev. 1) is designed to identify the restart testing program. Detailed system functions are developed for each system and tests are identified to assure that functions important to safe plant operation have boon tested prior to restart.

The Rev. 1 SSR is reviewed by the lost Review Group (lRG), a six man team with broad experienco in Design, Operations, Quality Assurance, Training and Testing, which is established as a fest Subcommittee under Section V[.K of the Plant Roview Committeo Charter.

- 129 w- - - , - - - n.- ., -m,- n-

O 4

3.7 .3 (Continued)

The responsibilities of the Test Review Group include the following:

• Review of the Test Identification section of the System Status Report to confirm that proposed testing will demonstrate system functional requirements important to safe plant operation.

• Review of all Test Specifications to assure that the scope and methodology demonstrate the system functions.

• Review of related Special Test procedures and. new or revised Surveillance Procedures and recommend disposition to the Plant Review Committee.

• Review of all restart related test results.

• The TRG will review all items in formal session and document their activities using meeting minutes and document review forms All newly identified testing to support the SRTP will be conducted by Test Engineers.

The System Review and Test Program Director will develop a training program for test engineers. This program will cover the generation of Test Specifications, the writing of procedures, the revision of procedures (both permanent and temporary changes), test conduct and the review of results.

Although the majority of the restart test program will be defined by the ongoing SRlP process, several major periodic and special testing activities have already been identified and include the following:

1. Loss of ICS/NNI Test

2. Loss of Instrument Air Test - both a sudden and a gradual loss of instrument air (similar to the recommendation in l

Reg. Guide 1.68.3) will be simulated with the plant on steam generator cooling (subject to the resolution of any unreviewed safety questions).

3. Integrated Leak Rate Test of Reactor Building.

( 4. Complete the Balance of Ten-Year In-Service Inspection l (except for those inspections requiring removal of the i

reactor vessel head). This includes required periodic pump and valve testing.

l f S. Integrated Engineered Safeguards Ac tuat ion lost.

I

6. Emergency Diosol Generatur Biennial [nspections.

- 110 -

3.8 Management and Organizational Considerations

1. _ Historical Perspective Rancho Seco was started up and entered commercial operation with a staffing level and organizational structure that was typical of other similar nuclear plants at single unit sites during the early 1970's. The plant organization was staf t ad for normal operations with the intent to augment staff during major outages with contractor support personnel. Major engineering needs were satisfied by a " downtown" engineering design staff which utilized Architect-Engineer firms to design specific modifications or perform specific analyses. Plant operation during this period was characteristically very good, with the single noteable exception of Turbine-Generator failures generic to the design of the turbine.

a. Effect of Three Mile Island Unit 2 Accident In the followup to the March 26, 1979 TMI-2 core damage accident, significant changes occurred at Rancho Seco.

As a unit with a similar NSS system, the issues which evolved required extensive analysis and incorporation of lessons-learned. A significant result of these efforts was to bring on-board increasing numbers of plant staff to implement the new programs and maintain the additional equipment installed within the facility. This growth in staff was not a part of any systematic plan to respond to the new requirements, but rather, an attempt to respond to specific issues by adding people. These people were concentrated at the worker level, with very little additional supervisory or management personnel.

The result was that by 1985 a fourfold increase in staff was being administered with essentially the same people, and organization that had been in place in 1975.

b. The SMUD_.8oard's_LRS Studj Following the 1MI-2 accident, Rancho Seco productivity began to suffer. The reasons were diverse and usually traceable to specific. component or industry deficiencies. Concurrently, the measurement indicators used by the NRC and INPO began to show declining trends as they related to nanagemont offectivonoss and plant performance. In re ,ponso, lho SMUD Uoard of Directors unnmissionod a comprohonsive study of the Dis trict's nuclear program. 1 hat study was completed in late 1984 and signaled tho Board that major changos were necessary in the manaqement of the nuclear program to insure that safoty and reliability objectivos and requirements could be maintained-

- 131 l

l

)

u .

3.8 .1 .b (Continued) ,

The focus of these improvements was on management improvements and the implementation of 'programmatric changes. Immediate actions were taken to implement these changes and, as a result, a revised organization with additional management capability was being emplaced at the time of the December 26, 1985 overcooling transient.

2. Plant Performance and Management Improvement Program (PP&MIP)

a. Action, Plan Beginning on December 26, the District initiated a comprehensive program to gain a full understanding of the event and to implement corrective action to preclude recurrence. Soon thereafter the NRC dispatched an Incident Investigation Team (IIf) to analyze the event and document its findings. Their report (NUREG-1195

" Loss of Integrated Control System Power and Overcooling Transient at Rancho Seco on December 26, 1985") was issued in February 1986 dnd introduced several issues which have been referred to as the " retrospective"

. issues. The'se were defined as previous Rancho Seco and industry events which were " precursors" to the December 26 event and which, it was charged, were not comprehensively responded te by Rancho Seco.

The District response to these issues was to develop the Plant Performance and Management Improvement Program (PP&MIP) which systematically evaluated the facility hardware and management systems to identify items or areas in which a " narrow focus" on issues may have been taken. Subsequent efforts to implement effectivo corrective actions, or resolve identified items, is focusing on demonstrating, by a test program, the material condition of the plant, and its readiness for power operation. Integral components of the PP&MIP are the management and associated programmatico changes which have been made to improve management involvement and control.

b. Spec _ific Management Actions Section 40 of the submitted Act_fon_ Plan details the programmatic changes and actions to bo implemented at Rancho Seco. Commitments as to scope and schedule are provided for measurement of progross. Where appropriato, these commitments have been tied to the specific findings in NURF.0-1195, or other opon ltoms identified by exter nal or regulatory agencies.

112 -

3.0 .2 .b (Continued)

The nature and comprehensiveness of the PP&MIP is such that the operability of the entire Rancho Seco facility, its procedures, training and operating staff, will be verified prior to restart and validated during the restart test program. The program is valuable as a confidence builder for the community, staff, the SMUD .

Board, and the regulating community,

c. SMUD Board Support The Board demonstrated its continuing commitment to the safe and reliable operation of Rancho Seco with the implementation of the LRS Study recommendations, even before the December 26, 1985 transient.

Since the overcooling event, the Board has continued its support by providing the financial resources and guidance necessary to implement an effective restart program. The evidence of this support is in the approval of the expanded management and staffing to implement the PP&MIP as well as the requisite funds to sustain the progrs Several meetings between SMUD Board members and the AC Staff and Commissioners have provided details of the plans, concerns, and issues relating to the restart of Rancho Seco, lhese interactions have significantly enhanced the viability of the PP&MIP while expediting its implementation.

3. Restart Program Management

a. The Role of Manag_ement Analysis Comp s (MAC)

Soon after the injection of the " Retrospective Issues" into the restart progran, the District recognized that it was necessary to accelerate its LRS Study defined goals to provide additional management scope and talent. For this reason the MAC organization, with its proven and experienced leaders in the operation of nuclear plants, was brought in to assist in the PP&MIP development and implementation. The timely addition of these experienced managers and supervisors from MAC (and others) has provided the dopth and strength to accomplish the objectivos of the PP&MIP.

. til -

i

,, e 3.0 .3 b. Transition Plan - 1 EZ-- 3 Turning over the management of Rancho Seco to outside contractors is only a short term solution to the proper management and operation of the facilit,y. It is SMUO's intent to promptly provide for a return to District staffing for the management and operation of Rancho

. Seco. This is to be accomplished by the assignment of

" Deputies" in the major management functions where either the prime, or deputy is a SMUD staff person. This allows for the training and support of the SMUD manager by a knowledgeable and experienced contractor / consultant until the point is reached that the workload and capabilities of the District's manager are to the point that a turnover can be effected. Details of this program will soon be provided as an amendment to the Action plan,

c. Transition Plan - Oreanization For a very large number of reasons the organization of the SMUD nuclear operation has evolved over the years into a complex and unwieldy collection of activities.

The Action Plan identified the need to streamline the organization and to enhance the capability of managers to control, direct, and support their functional responsibilities. To accomplish a comprehensive reorganization, the nuclear managers functioned as a task force, contacted other nuclear utilities with successful nuclear programs and obtained from them the concepts of what makes those programs successful. From this expertise, the approach taken was to define the functions necessary to operate the plant, the support of daily operations, and what was required to support the goals, objectives and needs of the nuclear mission. Once these functional requirements were clearly defined, the next step, that of establishing the proper level of staffing and scope of responsibilities, is to occur.

It is not expected that this revised organization will be completely implemented prior to restart. 1he present organization is working, but it does not provido an optimized structure or staffing for long term operations.

4. Summary The root cause of the December 26, 1995 overcooling event has boon assigned to management and its associated attitudos and capabilities. lho GMUD Uoard of Directors responded to the doclining trends in management indicators and Rancho Roco performanco in a positive manner both before and after the ovarcooling ovont.

- 114 -

3.

3.8 .4 (Continued)

As a result, Rancho Seco has inplace today a Plant Performance and Management Improvement Program which has systematically identified the shortcomings of the facility, in the environment of the 1980's, and implemented effective corrective measures which resolve the identified hardware and programmatice deficiencies.

While the restart test program will provide confidence as to the effectiveness of the many changes, it will remain for power operrtion to demonstrate that the investment of resources .rxi effort have met the goal of enhanced safety and improved reliability.

.9 Retrospective Considerations

.1 Evaluation of FSAR Accident Analyses that Presumed Availability of Non-Safety _ Systems The FSAR/USAR has been reviewed for possible non-conservative assumptions involving non-safety systems in accident analysis. Only one of possible interest was found, it being the reference event (MSLB) for the December 26, 1985 overcooling.

The Rancho Seco original FSAR description of the main steam line break (MSLB) consisted of two analyses:

• MSLB with ICS actions, and e MSLB without ICS or operator actions The MSLB analysis with ICS actions is conservative as it maximizes offsite doses. The analysis assumes 1% fallod fuel with the technical specification steam generator tube loakage.

The ICS actions are assumed to occur to maximize the cooldown time to decay heat removal system operation thus maximizing tne releases via the intact steam generator, lhe MSLR analysis without ICS or operator action is conservative with respect to maximizing the potential for a return to criticality and potential adverso ofrects on the fuel.

During the licensing phase of Rancho Seco, the issue of MStB inside the reactor building was raised, rhls concern was addressed by installation of automatic feedwater isolation, porformed by Iho Main SIcam ratluro I.vgic (MSFL). the MSFL is independent of the ICS, consists of redundant actuation thannols and is battory backed. [t is not safoty grade.

teactor Huilding Containment integrity is not required for the MSI0, as Ihe warst case for doso considoration is tho Mr.10

(>u t s ide the reattor bulIdinq t35

3.9 .1 The above design basis was clear in the original FSAR. The analysis for MSL8 without ICS, or operator action, was contained in a response to an NRC question. During the compilation of the Updated Safety Analysis Report, this analysis was poorly worded when incorporated into the text.

The separation of the "with and without ICS" analyses is not clear, and can lead to incorrect conclusions. The District is currently revising the description of the MSL8 analyses in the USAR for clarity. This clarification was included in the USAR update submitted in July, 1986.

The cooldown rate of the MSL8 analysis, without ICS or operator action, bounded that of the December 26, 1985 event.

The cooldown rate of the analysis was such that high pressure injection (HPI) was initiated in 23 seconds, followed by core flood tank (CFT) injection 47 seconds after event initiation.

During the December 26 event, HPI/SFAS initiation occurred after three minutes and the pressure never reduced to that needed for CFT injection.

A review has been made of the other design basis accident analyses in Chapter 14 of the USAR and it has been determined that ICS, or other non-safety grade equipment action is not assumed in the mitigation of those accidents, with the exception of fuel handling accidents. For the fuel handling accident, the releases are assumed to be filtered through the auxiliary building filters, which are non-safety grade.

Credit for these filters is appropriate as they are subject to Technical Specifications and the system must be operating during fuel handling operations. This design basis was clearly described and reviewed in the final Safety Analysis Report.

.2 Precursor Reports on B&W Transient and Operating Experiences (NUREG-0560, NUREG-0667, B AW-1564, IE Bulletin 19-27)

As a major component of the Systematic Assessment Program, 7 within the Action Plan for Performance Improvement, a comprehensive procursor review was performed. The process identified recommendations which not only addressed specific precursors, but also determined whether or not the District's previous analyses and reports on procursors was too narrow in scope and therefore worthy of additional action.

Approx imately 1,400 primary, .uid 3,000 secondary, docomonts were reviewed. Included in this review were NUREG 0560, NUREG-066/, HAW-IS64, and IE nulletin 19-2/. As a result of those reviews, approximately 500 recommendaljons were i

developed an'd submitted to the Action Plan review prowss (as l described by QCI- 17) for disposi t ion, the following discussion rotates to tho findings and status of each of the above subject precursor reports 116

(

L

3.9 .1 a. NUREG-0560, " Staff Report on the Generic Assessment of Feedwater Transients in Pressurized Water Reactors Designed by B&W."

NRC Generic Letter dated 06/11/79 transmitted NUREG-0560. As a result of the precursor review five recommendations were submitted to the Recommendation Review and Resolution Board (RRRB) in accordance with the QCI-12 program. A brief explanation and status of each recommendation follows.

.2 a. Recommendation 1 The Precursor Review Team (PRT) recommended that AFW studies be initiated to:

a. examine AFW upgrade requirements detailed in an NRC letter to SMUD, dated 04/27/19, to determine if further action is necessary and,

b. perform a reliabili,ty study of AFW in connection with main feedwater, power conversion, reactor protection, reactor coolant, and high pressure injection system and controls.

Status Since the District has committed to install EFIC, item (a) was judged complete. Item (b) was assigned a priority 2 under the responsibility of the system engineer. Validation of both items by Perforinance Analysis Group (PAG) review is still required.

Recommendation 2 lho PRT recommended a reliability study of the ICS Status This item was covered under thirteen separate recommandations by other branches of the QCI-12 process.

These items include improvement in input signal and power supply rollability. Of the recommendations fivo are priority 1; four are priority 2 and four are priority 3.

PAG review has been completed on all items.

It/

3.9 .2 .a (Continued)

Recommendation 3 As a result of pressurizer volume shrinkage, the HPI system is initiated after almost every reactor trip at Rancho Seco. The PRT recommended that a study be initiated to identify design changes to reduce the post-trip pressurizer drop rate.

Status This item was assigned a priority 3. PAG review is still required.

Recommendation 4 Based on the fact that main feedwater transients are the largest contributors to B&W plant trips, the PRT recommended that a study be conducted to:

a. reduce the number of and plant sensitivity to main feedwater transients and,

b. mitigate the consequences of these transients.

Status This item was assigned as priority 3. PAG review is still required.

Recommendation 5 NUREG-0560 found that the analysis on pre-TMI-2 operational transients was performed in a simplistic manner. The PRT recommended that improvement be made to conduct extensive analysis of operational transients.

Improvements identified were to:

a. Proceduralize requirements for transient analysis and,

b. Assure that contractor computer codes used to classify transients are more realistic (as to severity).

- 118 -

3.9 .2 .a (Continued)

Status This 1979 finding was judged to be outdated in its applicability because, since that date, the establishment of post TMI-2 industry wide concern has resulted in the conduct of extensive transient analyses. PAG review on this item is complete.

.b NUREG-0667, " Transient Response of B&W Designed Reactors."

The NRC conducted an extensive study of the role of the ICS as an initiator of transients in plants, like Rancho Seco, utilizing the B&W designed PWR. The study made 22 recommendations which have been reviewed for applicability by the Precursor Review Team and the results input for disposition. The status of the 22 items follows as Table 3.9.

.c BAW-1564, "ICS Reliability Study."

B&W report BAW-1564 identified six recommendations for plant specific investigation of ways to improve ICS reliability. The status of the District's actions with respect to those recommendations is provided below:

RECOMMENDATION 1 B&W recommends that the NNI/ICS power supply be reviewed for possible changes to enhance reliability and safety.

RESPONSE

The NNI/ICS power supplies have been the subject of several reviews and subsequent modifications to enhance reliability. As described earlier, the ICS/NNI now has its normal and standby 120 ac power coming from diesel backed inverters. In addition, new S1/S2 switches have been installed and surveillance / preventive maintenanco done on the power supply / distribution circuits. The root cause of the December 26, 1985 ovent was a bad " crimp" on a factory installed ICS power distribution wire. Over 40,000 terminations have boon subsequently inspected / tested / upgraded in cabinets supplied by that manufacturer. While a generic problem was not fouod. the effort should siqnificantly improve the confidenco in the hardware roliabi1ity.

i l

l

- 119 - i

v w 3.9 .2 .c RECOMMENDATION 2 B&W recommends that the input signals from the NNI/RPS system to the ICS--specifically the RC flow signal--be reviewed for possible changes to enhance reliability and safety.

RESPONSE

This recommendation is being implemented prior to restart. In addition, the District is participating in the BWOG program to review the other ICS inputs for ways to improve their reliability. This effort is a long-range program and will not be complete by restart.

RESPONSE

RECONMENDATION 3 B&W recommends that the ICS/ BOP system tuning, particularly feedwater condensate systems and the ICS controls, be reviewed for possible changes to enhance reliability and safety.

RESPONSE

The District had reviewed the ICS/B0p system tuning and had performed ICS tuning prior to the Docember 26, 1985 event. The ICS was performing in a well-tuned fashion at the time of the event. ICS tuning will also be performed during restart testing. ICS tuning is a part of the District's ICS maintenance program.

RECOMMENDATION 4 B&W recommends that main feedwater pump turbine drive minimum spoed control be reviewed for possible changes to prevent loss of main feedwater or indication of main feedwater to enhance reliability and safety.

This recommendation is being addressed in the System Status Report for the Main Foodwater System. With the installation of EFIC, it is no longer necessary to use MFP discharge pressure to initiate AFW pumps, hence the minimum speed can be set based upon operational requirements.

RECOMMENDAlION 5 H&W recommends that a means to prevent or mitigate the conseiluens'es of a stuck opun main foodwater startup valve be reviewed to enhance reliability and safety.

- 140 -

3.9 .2 .c RESPONSE Both the Main and Startup Feedwater Control Valves are being provided with Class 1 back-up air to insure motive power for closing. Furthermore, EFIC includes the installation and control of a new motor-operated valve downstream of the Main and Startup Feedwater valves which will give Class 1 isolation capaktlity for fe' dwater. e This satisfies this recommendation.

RJC_0mENOATION,q B&W recommends that a means to prevent or mitigate the consequences of a stuck-open turbine bypass valve be reviewed to enhance reliability and safety.

RESPONSJ Although Class 2 back-up air is being provided to the TBVs to insure motive power, the possibility of being mechanically stuck-open remains. Therefore, a motor-operated isolation valve is being installed upstream of the TBV's to insure a timely remote isolation capability.

d. IE Bulletin 79-27, " Loss of Non-Class 1E Instrumentation and Control power System Bus During Operation".

The precursor Review Group reviewed the District's original response to IE Bulletin 79-27 and determined that the response was no longer appropriate, as a result of design and operational changes, and that further  ;

technical review was required. The Deterministic Failure Consequence Analysis Group then reviewed the Bulletin for identification of instrumentation and failure l consequences. As a result of this review, i

recommendations were made for further evaluation of Identified failures and determination that proposed modifications would resolve the failure concerns. The recommendations were made in accordance with the Systematic Assessment program within the Action plan, lhe identiflod failure concerns are briefly described below. Engineering evaluation of each is underway with prioritios determinod by the PP&Mlp as doscribed above.

l

• Annuncial,lon of loss of power lo instrument and control

! power buses can bo imprnvod. l.oss of SIG is not i

annunciated. Loss of StGH-1 is annunciated on IDADS bul  !

IDADS is also lost if this bus falls.

l - 141 l

3.9 .2

• Loss of signal conversion cabinet H4SCA or H4SCB removes two HPI flow indicators. The flow indicators are called out in the Emergency Operating Procedures.

• Loss of SIE, SIF, SIJ (same power supply):

can cause loss of both SFAS instrument channels to NSRW, NSCW, CBS and the single 8WST level channel.

can cause loss of steam plant indications to operator.

would lead operators to trip RCPs on CCW flow indications (Lo-CCW Flow) and annunciation.

can cause loss of auxiliary boilers, especially below 385'F.

• Loss of SINI-1:

Prior to installation of EFIC, could cause all T8Vs and ADVs to fail closed thus impacting the ability to cooldown from the Control Room.

can cause the loss of SPOS.

.3 DAW-1791, "B&W Owners Group Probabil,istic Evaluation of Pr_es,surized_ Thermal _Sho_gk - Phase 1 Repor,t2 1he subject of PTS is addressed in Chapter 4 of the Rancho Seco USAR. rho Babcock and Wilcox report DAW-1791, "D&W Owners Group Probabilistic Evaluation of Pressurized Thermal Shock - Phase 1 Roport," June 1983, is reforanced and described. Numerous PTS ovents are ovaluated in DAW-1791 including events similar to the Docomber 26, 1985 ovent.

The B&W Owners Group has reviewed DAW-1791 since the December 26, 1985 Rancho Seco event. Overall, the report was found to still be valid. During the short term (prior to EFIC installation), the report underprodicts the frequoncy of occurrences for some overcooling events. The report becomes more representative with the installation of EFIC at Rancho Seco. With the PTS Rulemaking in Occcmber 1985, the NRC ostablished scrooning critoria for Pts. The Olstrict's responso to the screening critoria has been submitted, and will bo incurporated into the USAR in Iho 1986 updato scheduled for July 1987 submittal .

142

3.9 .4 (Continued)

EFIC System History The following material is selected from NUREG-1195, Section

! 7.2.

The requirement for a system such as Emergency Feedwater Initiation and Control (EFIC) System arose initially out of the accident at Three Mile Island in March 1979.

The primary purpose of the EFIC' system is to provide automatic initiation and control of AFW and AFW flow indication with a safety-related Class IE instrumentation system independent of the ICS and NNI systems. The system also fulfills several l

secondary purposes Lncluding providing one train of AFW that is diversely powered and independent of ac power, provide level control of the OTSGs (i.e., to provide automatic and

' reliable control of the AFW flow), and providing better control of paths of excessive steam flow that could decrease the time for OTSGs to boil dry (i.e., the ADVs),

i 1

Systeg DescriptioD -

The EFIC is designed as an independent safety-related Class 1E system. It is automatically initiated when any of the following plant conditions occur:

• Loss of main foedwater (as indicated by the MfW turbine bypass anticipatory reactor trip signal)

• Low water levol in either 01SG

+ Loss of all four reactor coolant pumps

• Low pressure in either 01SG e

Emergency core cooling system SFAS actuation (Roactor Building pressure high or RCS pressure low)

Upon actuation, EFIC will control AFW to maintain water level in the OTSGs. EFIC has two features to minimize overfill and overcooling. First, the rate at which AFW is added to reach the desired sotpoint is limited as necessary by automatically -

modulating the AFW flow control valves. Gocond ly , if the l

i level rearhos a very high levol, MfW is automatically isolated 1

by valve actlun.

for main steamlino or m tin feedline break protection. IlIC l will automatically isolate NFW to tho affeited OlGG when its i pr essure falls to loss than 600 psiq. Addit ionally, filG includos a food-only 4jond gonorator M W flow control.

141 i

l l

i -

l 3.9 .4 (Continued)

EFIC provides fail-safe ADV control. They will be controlled only by EFIC and not by the ICS. It should be noted that the TSVs will remain under ICS control, although independent control and auto closure on loss of ICS is being provided.

Separately, motor-operated isolation valves located upstream of the TBVs are installed for situations where OTSG isolation is necessary.

The design concept for the EFIC system originated from the NRC's IMI Short Term Lessons Learned (NUREG-0578) requirement issued in 1979 for automatic AFW initiation independent of the ICS. Since then, the EFIC system was expanded to satisfy a number of related requirements.

NRC's "Short Term Lessons Learned from TMI," (NUREG-05/8) item 2.1.7, which later became TMI Action Item II.E.1.2, required

, actions aimed at improving AFW system reliability. One of the requirements was that the AFW system should be automatically initiated, independent of the ICS. The intent of this requirement was that AFW flow be initiated automatically and completely for any situation for which the operation of the AFW was necessary for safety. The AFW initiation system was not required to be fully safety grade initially, but is was required to moot certain safety-grade requirements, such as the single failure criterion. A subsequent commitment was that eventually the AFW initiation system would be upgraded to fully safoty related.

CMUD first responded to requirement 2.1.7 with a lotter dated October 18, 19/9 in which they committed to install a safety-grado AFW initiation and control system, independent of ICS, during their 1991 refueling outage.

NRC's " Clarification of TMI Action Plan Requirements,"

(NUREG 0/3/) includod these requirements as item II.E.1.2, and established a required implementation schedulo. 1he modifications were to be insta,lled by July 1981.

lMI..Rygu,igement_ [If d A 0fW,,Sys.tcm Upgrado NUREC 0/J/ item It.K.1.1 required licensoes to porform tho following:

1. Analyto AlW system reliability using event-treo and fault treo logic los.bniquos, with particular emphasis on common cauw and sing,o-point failuros 2, Roview tho AlW system against tho NRC 9tandard Hovled Plan sertlon 10.4.9 and the assuelated firanch letholial Positton ALU 10 1.

144 -

3.9 .4 (Continued)

3. Re-evaluate the AFW flow rate design basis and criteria.

SMUD submitted the AFW reliability analysis by letter dated December 17, 1979. The NRC requested additional information about this analysis and the other two requirements, by letter dated February 26, 1900. One of the NRC questions concerned the fact that the loss of NNI/ICS power was not identified by SMUD as a single failure source for the AFW system. SMUD provided partial responses to this question in letters dated March 18, April 14, and May 14, 1980.

The May 14, 1980 response addressed the issue of loss of NNI/ICS power, stating that the power sources are battery-backed inverters that were assumed to be available under all operating conditions. The response went on to state that this assumption was required by the NRC, to maintain

• consistency with previous analyses. The NRC found this response acceptable.

As a result of this analysis, SMUD identified a number of AFW system upgrades that were needed to comply with II.E.1.1.

Introduction of EFIC At the request of the D&W-designed plant licensees, the NRC staff attended a presentation on September 4, 1980 regarding an extensive upgrade of the AFW systems which was to be undertaken generically. At this meeting, D&W and the licensees introduced the omergency feedwater initiation and control (EFIC) system as the consolidated answer to many NRC requirements. EFIC would encompass extensive AfW upgrades including those from a number of ongoing NRC concerns. Tho features of EFIC that are relevant to the December 26, 1985 incident arise from the reliability analyses (i.e., IMt action item II.E.1.2), and other safety-related requirements. EFIC also included an automatic AfW control system which addressed the 01SG overfill and RCS overcooling recommendations arising from NUREG-0667, and the concern rogarding the spurious opening of ADVs upon loss of ICS power.

Iho licunsons indicated that D iC would bo Installod at a number of 11&W deslyned plants, including Rancho Sct.o.

Arkanwa Nuclear one. Unit 1 (ANO-1) would be the " load plant" for the n 1C system, with submission of the conceptual doslyn for NRC roview by Octobor 1900, in'elallat lon at ANO l in oarly 19H2, and installation at the last HAW deslyned plant by lato 19H2.

14's -

i

}

s l 3.9 .4 (Continued)

Thus, the EFIC system proposed by SMUD in September 1980 would have included the following features that are relevant to the December 26, 1985 incident:

• The 40Vs and AFW (ICS) flow control valves would be controlled by the safety-grade EFIC system and would no longer open on loss of ICS dc power.

• A safety-grade NFW isolation would have been installed that would have prevented flow to the OTSGs from the condensate pumps.

Based upon the design information provided by SMUD in their November 17, 1980 letter, in January 1981 the NRC staff approved the preliminary design of the EFIC system as the response to Item II.E.1,2 for Rancho Seco, GNUD submitted a letter dated October 22, 1982 stating that the AFW automatic initiation system (which was now part of EFIC) would be installed during the 1983 refueling outage, then scheduled for January 1983. In early 1983, the NRC determined that the safety upgrados to the AFW system including conformance to II.E.1.2, were sufficiently important that the most recent installation schedule should be required by an NRC Order. NRC issued this Order on March 14, 1983 and required that GNUD complete installation of the AFW automatic

.inJti.agiqq system as schoduled during the 1983 refueling outago. The Order also mentioned that the safety grado AFW flow contrgl system would not be installod until 1984.

SMUO's April 28, 1981 letter stato that the installation sc.hodule for EFIC had slipped until a refueling outage in 1986. The reason given was that EFIC was closely related to both the ongoing Dotallod Control Room Design Review and the implementation of Regulatory Guido 1.9/, Revision 2 (post-accident monitoring instrumentation), the letter stato that this scheduto change would not affect the part of the system dealing with the Item II.E.1.2 (i.e. , the Af W automatic initiation system).

a. NUREG-0/3/, Itom I!.E.t.2 Justifleation ihn above discussion r elated to a complex history of (nmmitmonts, inter.u.tluns, and sinpo thangos to Sallsfy the requir ements of NURI O 0/1/, it em II .I I /, It was tho Distria-t 's posit inn t hat tho srnpo, status, .ind schedule for the Interim and final tonfigurattens root the requiremonts and intent of Item it.F I.2.

t o fi

. 3.9 .4 (Continued)

As a result of the extensive analysis of the December 26, 1985 event, and the subsequent systematic assessment of the facility, it was apparent that modifications to minimize the likelihood of reocurrence were necessary.

With respect to providing control of AFW independent of ICS/NNI, the selected method was to accelerate the installation of EFIC. This action resolves the concern as to the degree of compliance with the requirements of Item II.E.1.2. The actual details of EFIC are contained in the District's License Submittal for EFIC. It updates the description of EFIC, upon which the NRC EFIC Safety Evaluation Report was based, and provides the basis for accepting EFIC as meeting the requirements of NUREG-0737, Item II.E.1.2 at the time of restart.

4.0 Resolution of concerns unrelated to the December 26, 1985 Overcooling Event

.1 Post Accident Sampling System,(PASS)

a. System Modifications During its initial operation, the Post Accident Sampling System presented a number of operational difficulties to the plant staff including relatively low reliability and difficulty of performing maintenance. One of the major contributors to this reliability problem was seat leakage of a valves installed with the original system. The District decided that these leakago problems could not be properly overcome with improvod maintenance techniques and operating procedures and thorofore, decided that a complete replacomont of'all valves in the system was necessary to achieve the level of reliability considered nocessary. To accomplish this modification, a complete roarrangement of all of the internals of the samplo collection and analysis station was required. Whilo doing this, a number of other changes to the system plumbing were accomplished to enhance to the system flows, improvo analytical accuracy, reduce radiation omposure (for both normal plant uporations and accidont conditions), and improvo maintainability, iho basic uporallnq i.oncepts of the system have not boon changod; howevor, upgraded hardware is being installed in many ins t anco s .

14/

, .j ,ft 3

• . i

, .s /*

4.0 .1 b. Procedures and Training '

In conjunction with the modifications to the system hardware, the operating procedures have been completely revised to make them mere user friendly and to o m .ome operational diff,1culties previously emperienced,' The

, Distr;lct'will have 'a binimum bf five PASS syst4 operators fully' trained and, qualified in the ufo of,tbe -

system prior to restart and following restart,,uill continuef,rainingadditioralc'homistrytechniciansinthe' '

operation of tih> system to imorove our flexibility.'

. g

c. Testing ,

Although testirm of all aspects of the operation of the systent cannot be comp.leted until the falant.,is th a hot shutdown condition, at; fdt; pressure and temperature, all essential operating pat emeters will' be fully testM prior to restart'to, demonstrate that the syste.r will-operate reliably and.proh:e accurate analytical results which comply with our cor..mitments to ther requirements of NUREG 0/37. #

F

. .2 Control'7oom/ Technical Suhsport Center' HMC System

a. Ad4quacyofDesignanrb$siallation .

the Cor.:rol Room /Tec'nnical Support Center (CN/PiC)

Essential Air Conditioninq System is designed to provi je a suitable environment for equip <ennt and stat.ior, operator comfort und safety. '

i / ,

During enetain 4:bnornval events, 6.J noted below, ths l CR/ISC Essential Mr SystoNis automatically actuted .and sta-ted. The CR/TSCissential Air Conditionirig System'1s comprised tf ths,i f ollowit y ,

J/ , 7 Esse [ dial $',.41'ationLinitconsistingofamaasturo eliminator! f octric l duct beater coil, two itCPA filter bank,, two carbon filter banks and a booster fan. , ,

)

4 Cuential Air HandP.r consisting of a medium

..f f;L lancy fi t tor L61k, d ltat espans luti v.ollny coif and circulation fas ,' -

/

Fusontla! Condonsing Unit consistim of f ,

ret (procat i tu,1 re f r lycra'd compres s<'.. $ , ' j r c uo b c.nydonglng tolls, Londonsing fans. rotoi of and a n orlated rd,*rigerant piping and valvos, along with fourterin du'pors und assor lated duc t s .

Iho tiyn t em nes iqri Habi tiet. li ty Repor t i Feinq

. m ir ra aor i n., o ., ,,,ig , d.,, i,n , , n. . e, a .

v.ilidated by 1he asso.i.et.'d toat pr oq r .<m .

l} 0 ,-

/

l 7

, f f .

4.0 .2 b. Modifications The CR/TSC Essential Air System performs the following functions:

1. Isolation of the CR/TSC from potentially radiologically contaminated air during a radiological event by automatically closing 16 normal air conditioning system isolation dampers (eight isolation dampers are actuated by each train) and opening 12 essential air handler isolation dampers (six are actuated by each train).

2. Isolation of the CR/TSC from air potentially containing toxic gas during a toxic gas event by automatically closing 18 isolation dampers (nine isolation dampers are actuated by each train) and opening ten essential air handler isolation dampers (five are actuated by each train).

3. Provide cooling for the CR/TSC during radiological, toxic gas, CR/TSC high temperature, or loss of offsite power event by maintaining the CR/TSC temperature at 80*F or less.

4 Prevent infiltration of potentially radiologically contaminated air into the CR/TSC during radiological events by pressurizing the CR/TSC to 0.125 in WG relative to outside atmosphere.

5. provide fresh, filtered, conditioned supply air for CR/TSC ventilation during radiological and loss of offsite power events by maintaining a flow of 3,200 cfm through tho. Essential Filtration Unit.

PROGRESS REPORT

1. ECN R-0164 (Cu/TSC Radiation Detector System function change) has been issued for work. Drawings remain to be issued.

2. ECN R-01/2 (CR/TSC Radiation Detector ground installation) has been initiated.

3. ECN R-0314 (CR/TSC Normal Air System flow switch relocation) plant modification work is currently in progress.

4. ECN R- 0763 (installation of eight fire dampers betwoon t he Control Room and FSC) plant work is in progresa and scheduled to be complete on 11/21/86.

149 -

r

4.0 .2 .b (Continued)

5. ECN R-0764 (installation of two fire dampers in TSC Essential Supply and Return Air Ducts) plant work is scheduled to proceed in December. Drawings are currently being completed.

6. ECN R-0769 (CR/TSC Essential Condensing Unit Fan Cycling) drawings have been issued with plant work scheduled to proceed in December and January.

7. ECN R-0788 (CR/TSC Essential Filtration Unit Test Agent Injection Manifold) drawings are in .

preparation with plant work scheduled to proceed in December and January. j

8. ECN R-0789 (CR/TSC Essential Refrigeration System Instrument Isolation Valves) drawings have been issued with plant work scheduled to proceed in December and January.

9. ECN R-0904 (CR/TSC Essential Refrigeration System "

modifications to improved performance) plant work is scheduled to proceed in December and January.

ECN R-0904A (Hot Gas Bypass modification) drawings have been issued.

ECN R-0904B (Refrigeration System pumpdown modification) drawings are in preparation.

ECN R-0904C (Compressor Load Control modification) drawings are in preparation.

ECN R-0904D (Evaporator Coil Control Sequence modification) drawings are in preparation.

.10 ECN R-0911 (CR/TSC Essential Air Control Power Supply modification) drawings are in preparation with plant work scheduled to proceed in December and January

.11 ECN R-0938 (TSC Pressure Tap) is in preparation with plant work scheduled to proceed in January.

.12 ECN R-0939 (CR/lSC Essential Air Compressor Compartment modification to facilitate maintenance) on hold; all proposed modifications are not needed.

.13 FCN R-0940 ( Auxiliary Building /NSl;B Roof Iloist Monorail addition).

- I SO -

t

4.0 .2 .b .14 ECN R-0957 (CR/TSC Essential Air Compressor Operating Status Indication) drawings in preparation with plant work scheduled to proceed in January.

.15 ECN R-0989 (CR/TSC Essential Air Temperature Switch Setpoint change) plant work is complete.

.16 ECN R-1081 (CR/TSC Essential Filtration Unit Flow Transmitter) is in preparation with plant work scheduled to proceed in January.

.17 ECN R-1159 (CR/TSC Essential Refrigerant Receiver Sight Glass) in preparation with plant work scheduled to proceed in December and January.

.18 ECN R-1160 (CR/TSC Essential Refrigerant Power Insulation) in preparation with plant work scheduled to proceed in December and January.

.19 ECN R-1170 (CR/TSC Essential Compressor Compartment Ventilation) in preparation with plant work scheduled to proceed in December and January.

.20 Periodic maintenance on CR/TSC Essential Air System isolation dampers has been completed.

Implementation of several new maintenance procedures, in addition to design and fabrication of several safety lockout devices, was required to complete this task. Closure of the corresponding System Status Report problems is in progress.

.21 STP-1006 (CR/TSC Pressure Test) has been completed.

Data recorded during the test indicates the Control Room / Technical Support Center pressure levels and corresponding Essential Filtration Unit flow rates were satisfactory.

.22 SlP-1010 (CR/TSC Essential air System Reduced Air Flow Test) is scheduled to be performed during the week of 11/24/86,.

.23 Refrigeration System modification work on one train of the CR/rSC Essential Air System is scheduled to begin during the wook of 17/02/86.

l l

l

- 1%t -

l l

i I

, 4.0 .3 Radioactiva Liquid Efflu:nt R31eas:s ,

a. Assessment of Environmental Effects of Liquid Effluent Releases District staff has reviewed the following documents:

1. UCID-20267, Rancho Seco Liquid Effluent Pathway Aquatic and Terrestrial Dietary Survey Report, Lawrence Livermore National Laboratory (LLNL),

November 30, 1984

2. UCID-20295, Concentrations of Radionuclides in Fresh Water Fish Downstream of Rancho Seco Nuclear Generating Plant, LLNL, December 27, 1984

3. UCID-20298, Radionuclides is Sediment Collected Downstream from the Rancho Seco Nuclear Power ~

Generating Station, LLNL, February, 1985

4. UCID-20367, Environmental Radiological Studies Downstream from Rancho Seco Nuclear Power Generating Station, LLNL, March 22, 1985 -

5. UCID-20641, Environmental Radiological Studies Downstream from the Rancho Seco Nuclear Power Generating Station - 1985, LLN1, February 6, 1986

6. NUREG/CR-4286, Evaluation of Radioactive Liquid Effluent Releases from the Rancho Seco Nuclear Power Plant, Oak Ridge National Laboratory (ORNL), March 1986

7. NRC transmittal to District April 28, 1986 NRC Staff Assessment of the Environmental Radioactive Contamination in the Vicinity of the Rancho Seco Nuclear Power Plant

8. District transmittal to NRC March 15, 1985 Rancho Seco Liquid Effluent Pathway usage Survey Report

9. District transmittal to NRC March 29, 1985 1984 Annual Radiological Report

10. District transmittal to NRC May 27, 1986 1985 Annual Radiological Environmental Operating Report

11. NRC transmittal to District June 6, 1986 NRC Inspection Report No. 50-112/86-15

- 167 -

_ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - . - _ _ _ _ _ _ _ _ _ _ _ _ _ _ - . - - - - - - - - - - - - - - - - - - _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _______a

4.0 .3 a. Upon review of the above referenced documents, the District has concluded that the current level of residual radioactivity in the vicinity of Rancho seco does not justify any remedial environmental cleanup activities.

This conclusion is based upon the following:

• Levels of radioactivity observed in the liquid effluent environmental pathways have decreased and continue to decrease from the fall of 1984 to the present.

• No violation of 10 CFR 20 106(g) has been identified (NRC Inspection Report No. 50-312/86-15)

• Calculated radiation dose to a hypothetical individual via the liquid effluent pathway totaled only 2 millirem in 1985 (1985 Annual Radiological Environmental Operating Report)

However, the District will expand and improve the current Radiological Environmental Monitoring Program (REMP) to improve monitoring the transport of radioactive material in the environment surrounding Rancho Seco. The following improvements will be made:

.1 Transfer of the REMP from Chemistry to the Health Physics Support and Environmental Programs group.

.2 Difforentiating the environmental samples into

" control" and " indicator" sampler Control Samples - Environmental samples in locations far enough removed from Rancho Seco not to be affected by normal plant operation

- Samples to monitor fluctuations of the natural radiation environment and events beyond the District control (e.g. Chernobyl)

Indicator Samples - Environmental samples in known or potontial pathways of radiation exposure in the vicinity of Rancho Goco

- Samples to verify that effluent controls are adequate

- Samples to improve the environmental modoling parameters within the OlX'M

- 153 -

4.0 .3 a. .3 Updating of the contract with the environmental monitoring contractor

.4 Improved cooperative sample program with the State of California Department of Health Services, Radiological Healthy Branch, and the NRC

.5 Addition of a continuous water sampler on Clay Creek at the site boundary

.6 Additional air samplers near the exclusion area boundary radius (2100 feet)

.7 Establishment of sample gardens for both the gaseous and liquid pathways on District property

.8 Additional samples in the liquid effluent pathway

.9 procedure revisions

.10 Improved environmental records

b. Technical Specification Deficiencies District staff has reviewed the following documents:

e NRC transmittal to District June 6, 1986 NRC Inspection Report No. 50-312/86-15 e NRC transmittal to District July 22, 1986 Staff Evaluation of Rancho Seco Radiological Effluent Technical Specifications and Offsite Dose Calculation Manual Regarding Offsite Doses from Liquid Effluent District staff have also completed various internal reviews on the adequacy of the current Rancho Seco Technical Specifications including proposed amendments that the District has submitted to the NRC for approval.

The District is committed to submit a proposed amendment to the Rancho Seco Technical Specifications prior to startup that will fully comply with both the intent and the prescriptive requirements of NRC regulations and guides related to Radiological Effluent Technical Specifications (REIS).

- 154 -

4.0 .3 b. The following areas will be addressed:

.1 Definitions

.2 Maps

a. Restricted areas

b. 10 CFR 50 Appendix I Gaseous Effluent design objective boundary

c. 10 CFR 50 Appendix I Liquid Effluent design objective boundary

.3 Land Use Census to include the liquid effluent pathway

.4 Measurement and reporting of radioactivity in effluents

.5 Radiological Environmental Monitoring Program

.6 Offsite Dose Calculation Manual

.7 Environmental Protection Agency Requirements

.8 Typographical errors and incorrect references

c. Long Term Resolution The long term resolution for controlling the release of radioactive material in liquid effluents to conform with the numerical guides for design objectives in 10 CFR 50 Appendix I are numerous and involve the District's entire nuclear organization. The District is implementing a comprehensive plan to improve all aspects of offsite exposure control.

- 155

4.0 .3 c. Items that have already been completed include:

• Correcting the public record that Rancho Seco does discharge small amounts of radioactivity in the liquid effluent.

• Improved procedural and management controls on the release of radioactive liquid effluent and on the transfer of radioactive liquids into systems that eventually result in its discharge to the environment.

Improved radiological analysis of effluent samples

• Improved document controls on effluent release documentation

• Increased plant effluent discharge rate to 5000 gpm o Procedure revisions to comply with NRC IE Circular No. 80-18 (50.59 evaluations on changes to radwaste treatment systems)

• Transfer of the-Radiological Environmental Monitoring Program from the Chemistry to Health Physics Support and _ Environmental Programs group.

Items that are in progress and scheduled to be complete prior to startup include:

.1 ECN R0775 Revision 1 (Log No. 807, E.G)

Design change to improve facilities for segregating, processing, and disposing of potentially radioactive waste water.

.2 Revision of the Radiological Environmental Monitoring Program (REMP)

.3 Revision of the Offsite Dose Calculation Manual (ODCM) 5

- 156 -

~

. 4.0 .3 c. .4 Revision of the ALARA manual

.5 Improvements to the Radiation Monitoring System

.6 Submit to the NRC propos(d amendments to Technical Specifications related to RETS Longer term items include

.7 Addressing the-items in the Radioactive Waste System, System Investigation Report, Revision 0

.8 Train,ing of all appropriate personnel on the revised ALARA Manual

.9 Training of all appropriate personnel on their responsibilities for the control of radioactive material in effluent

.10 proposed gaseous effluent stack extensions to improve the gaseous effluent modeling within the ODCM

.4 Emergency Plan

a. Meteorology Program Improvements A backup meteorological system has been obtained and will be operational by restart. This system provides redundant micro computer interface with a commercial service and provides the metorological data needed for radiological dose projections during a declared emergency . A schedule has been adopted to replace appropriate meteorological tower instrumentation in an attempt to. resolve identified discrepancies.

b. Training Onsite Emergency Response Organization (ERO) Annual Training has been completed and records are available in the Nuclear Training Department (NTD) Library. All offsite ERO Training is scheduled to be completed on November 20, 1986; records are maintained,at the EOF and are scheduled to be transferred to the NID System before restart. Offsite agency training has been conducted as scheduled and records are maintainod at the EOF by the Emergency Preparedness Department. Lesson plans will be revised, materials updated and the 198/ ERO fraining cycle begun by June, 1987. Offsite training will continue per st.bodule.

- 15/ -

4.0 .4 c. Procedures and Dose Assessment Emergency Plan Procedures which reflect lessons learned from the December,1985 event will be updated and affected plant sections modified before restart. The balance of the procedures and affected plan sections will be updated by October 1987.

Dose assessment procedures and associated micro computer sof tware will be upgraded before restart. A schedule for upgrade of the primary dose assessment program has been implemented.

.5 Regulatory Guide 1.97

a. Implementation All Category 1 variables will be input into the upgraded SPDS prior to restart except for neutron flux and reactor coolant inventory. The remaining Regulatory Guide 1.97 variables will be implemented as follows:

.1 Reactor Coolant Inventory - Cycle 8 outage

.2 Neutron Flux - Cycle 8 outage

.3 RHR (Decay Heat) Heat Exchanger Outlet Temperature -

Cycle 8 outage

.4 Quench Tank (PRT) Temperature - Cycle 8 outage

.5 Containment Atmosphere Temperature - Cycle 8 outage

.6 CCW Temperature to ESF System - Cycle 8 outage

.7 Pressurizer Heater Status - Cycle 8 outage

.6 Safety Parameter Display System (SPDS)

a. Upgrade to Safety Grade

( .1 Redundant Class 1 power sources will be supplied to the SPDS Cabinet (H4SPDS), the SPDS display cabinet j

(H2SP), the Anatec Central Control Unit (H4CDAL) and l

all Class 1 multiplexers that accept Class 1 signals from remote sensors.

l .2 All signal and control cables will be routed in

redundant seismically qualified conduits or cable trays.

158 l

l

{

4. .6 a. .3 Cathode Ray Tube displays will be seismically qualified and installed in Cabinet H2SP.

.4 SPDS will be channelized into two completely redundant, separated and isolated channels including Regulatory Guide 1.97 Category 1 data from sensors to displays.

b. Isolation Devices Isolation devices will be tested and shown to be adequate between all redundant channels and non-1E sensor inputs and other equipment such as the IDADS.

.7 1DI Diesel Generator Qualification The following summarized the addition of the TDI Diesel Generators; for a detailed description please refer to the October 2, 1986, (JEW 86-152) submittal:

a. 'IDI Diesel Generator Qualification The. District is aggressively implementing the recommendations of the TDI Owners Group, plus the additional actions identified in NUREG-1216. These actions will demonstrate the adequacy of the TDI diesel generators for nuclear standby service as required by General Design Criteria 17 of Appendix A to 10CFR50. The District intends to implement the maintenance and surveillance program developed by the TDI Owners Group and described in NUREG-1216, which will ensure the continued reliability and operability of the TDI engines for the life of Rancho Seco. A detailed report covering the details of these actions will be submitted separately.

b. Technical Specifications The technical specifications related to the emergency diesel generators and Class 1 electrical distribution systems have been revised taking into consideration Generic Letter 84-15 and IE Notice 84-69.

- 159 -

4. .7 c. Evaluation of associated Class 1E Electrical System, Diesel Generator Building Design, and Fire Protection System The installation of the TDI diesel generators results in i

four electrically independent onsite distribution systems. Each train now consists of two electrically independent diesel generators, 4160V and 480V distribution systems, and load saquencers. Each diesel generator is served by independent DC control power systems. Each train remains physically and electrically independent. The addition of the TDI diesel gnerators provides more than adequate margin and eliminates existing operational restrictions.

d. Diesel Generator Building Design The building is designed with separation between Trains A and B. It is a Seismic Category 1 structure with provisions for tornado missile protection. The design is in accordance with R.G. 1.142-1978.

e. Fire Protecticn System The fire protection system in the new TDI diesel generator building is a preaction water suppression system in compliance with NFPA Applicance Standards and Paragraph G.1 of 10CFR Part 50, Appendix R.

5.0 Summary and Conclusions The District has prepared and implemented a comprehensive program-which addresses the concerns and findings identified in NUREG-1195

" Loss of Integrated Control System Power and Overcooling Transient at Rancho Seco on December 26, 1985."

This program, identified as the " Action Plan for Performance Improvement", goes beyond developing responses to the NUREG-1195 items, and addresses the programmatic root causes which lead to the situation that allowed the overcooling transient to occur. The Action Plan identifies commitments which will implement management and programmatic changes that establish attention to detail, responsibility, and clear criteria for prioritizing implementation of changes and improvements.

lho Action Plan establishes the " post-trip" window as the only attept able consequence for pos t--trip per for mance, irrespective of the operational event. The Systematic Assessment Program utili/ed this criteria to determine and prioritize the changes and corrective actions netossary to give Rancho Seco the confidence that future operational transients will be benign and not unnecessarily challenge safety systems or the plant design basis.

- 160 -

5.0 (Continued)

Numerous facility modifications and procedure changes have been

~made, or are underway, which will implement the enhancements necessary to achieve this new standard for performance. An expected benefit of these changes is that the plant should become more reliable, if for no other reason than that future trips will not result in complex transients requirire extensive analysis and corrective action.

Within the Action Plan a Systems Review and Test Program (SRTP) is described and committed. This program integrates the recommendations developed within the Systematic Ass'ssment e Program on a system basis, and will demonstrate the material condition of the plant prior to and during the restart testing and power escalation. programs. This test program is the validation of the adequacy of the Action Plan and the viability of the implemented corrective actions or modifications it developed.

Although the focus of this report is on the resolution of NUREG-1195 findings and issues, the scope of the Action Plan is such that improvements and enhancements will continue to be implemented well beyond the restart period. Items which further enhance reliability and operability were identified during the Systematic Assessment and System Review and Test Programs which do not enjoy a prior-to-restart priority. These are being scheduled and prioritized separately for commitment and submittal.

Frem the discussions provided in this report on the issues or findings identified in NUREG-1195, and with the submittal of selected specific documents, the District concludes that it has developed and implemented a comprehensive program which is expected to measurably improve the safety and reliability of Rancho Seco.

As such, the restart test program should be utilized as the measure of the facility and the plant staff's readiness to return Rancho Seco to power operation. That program is now underway with the expectation of returning to power operation during May of 1987.

- 161 -

i I

APPENDIX 1 CROSS-REFERENCE TO SOURCE MATERIAL SUPPORTING RESTART REPORT 12-15-86 WP31048/D-01558 SER INF0 AVAILABLE OR SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL COMMENTS

2. 0 Background Discussion 2.1 12-26-85 Overcooling NUREG-1195 Submitted Submitted Based on NUREG-1195 i RJR 86-75 Submitted Submitted Summary Report j Paragraph I.1 02-19-86 1

2.2 NRC Action an'd Correspondence Files Current Available 1 2.3.1 Sr1UD Response, PPAMIP Action Plan Submitted Submitted Based on Action Plan Amend-09-15-86 ment 1, Sept. '86, and Ammendent 2, Dec 15,1986 RJR 86-75 Submitted Submitted Paragraph I.2 02-19-86 3.1.1.a ICS/Nul Ganeral Descrip- HUREG-1195, Issued Available Revised to reflect tion 3.1, 7.1.1, Submitted l

commitment to EFIC for i 7.1. 6, Restart l

ICS/NNI-SSR Submitted Submitted System Status Report (SSR)

FOOTNOTES:

I

1. Summ'iry Report, transmitted to NRC on 2-19-86 as SMUD letter RJR 86-75. Discusses event details and i

proposed corrective actions as then known.

2. ALCR, Action List Closure Report. These were prepared for each item placed upon the " Action List" of analyses, actions, modifications, etc. which were specified under Systematic Troubleshooting Program defined by Plant fianager memo GAC 65-1001 Rev. 2.

3. SSR, Svstem Status Report, prepared by System Engineer on each selected system. Provides system

functional requirements, results of analyses and investigations, details of testing and modifications.

1 12-15-86 SER INFO AVAILABLE OR SECTIO!J TOPIC SOURCE STATUS FORMAL SUBMITTAL COMMENTS 3.1.1. h ICS/ UNI Power Distribu- NUREG-1195, Issued Available tion 3.1.6 and ILS/NNI-SSR Submitted Submitted SSR for ICS/NNI Section 1 Action List Due Submitted Closure Rept. 12-30-86 See NOM 86-94 and NOM (ALCR) Sect.86-132 3.c 3.1.1.c PSM Design a Operation ALCR 3.b Complete Available NOM 86-03, NOM 86-37, NOM 86-192, NOM 86-84 Investigation Report submitted 02-07-86 via NOM 86-94 Action List Due 12-30-86 NOM 86 Repair Action Plan Closure Rpt., submitted 06-05-86 via Item 3.c NOM 86-341 SSR for ICS Submitted Submitted Section 1.1 3.1.1.d Systems / Components ICS/NNI-SSR Submitted Submitted Revised to show Controlled by ICS/NNI Section 1.0 EFIC installation AL Engr. Rpt. Submitted NOM 86-85 3.c 02-07-86 F00Tt10TES:

4. ALER,' Action List Engineering Report, this report describes the findings of the Systematic Troubleshooting and predates the Closure Report.

5. N0li. Nuclear Operations Manager memo reference number on all transmittals of ALCR's and ALER's to NRC.

2- .

, 12-15-86 SER INFO AVAILABLE OR SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL C00MENTS 3.1.2.a Root Cause of 12-26 IAG 85-41 Complete Submitted to R-V Root Cause Report LOICS and Corrective date 03-19-86 & IIT date 03-19-86 Action i

ALCR 3.c In preparation Submit to R-V Includes results of PSM laboratory analygis, and

Sl/S2 '

, Summary Submitted Submitted RJR 86-75.

i Report 02-19-86 l

3.1.2.b Svstem/ Component Response NUREG-1195, Available on LOICS/NNI 3.1.4 ICS/NNI-SSR Submitted Submitted Includes changes to include EFIC.

ALCR l.j Submitted Submitted NOM 86-127 02-13-86 3.1. 2. c ICS/NNI Backup I&C SSR-ICS/NNI Submitted Submitted Includes EFIC changes.

3.1. 2. d Annunciation of LOICS/NNI SSR-ICS/NNI Submitted Submitted Includes EFIC changes.

3.1. 2. e Interactions with ICS/ SSR-ICS/NNI Submitted Submitted Includes EFIC changes.

NNI & Safety Systems ALCR 10.e Submitted Submitted NOM 86-124 02-12-86 i

3.1. 2. f ICS/NNI fella BWOG Later Later In progress.

1 i

I 12-15-86 SER INFO AVAILABLE OR SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL C000ENTS 3.1. 2. q Proposed Modifications ICS/NNI-SSR Submitted Submitted See listing in Section prior to Restart Restart Rpt. 3.1.9 of this report.

3.1. 9 3.1. 2. h ICS/NNI Haintenance ICS/NNI-SSR Submitted Submitted prior to Restart ALCR 3.c Submitted Submitted to R-V Via NOM 86-341.

06-05-86 Action Plan In Progress Submitted Action Plan Amendment 2 4C. due 12-15-86 will provide additional detail.

3.1.2.i Operator Response / ALCR Submitted NOM 86-174 & 178 Procedures 10.a/b/c/d 02-20-86 DFC on ICS Submitted Submitted with Canpleted 07-25-86 ICS/NNI-SSR

! 3.1. 2. ,1 Root Cause of UTSG ALLR 1.0 Submitted To R-V on 02-07-86 NOM 86-91 l

Operate Level Discrepancy ALCR 10.c Submitted To R-V on 02-22-86 NOM 86-178

RJR 86-75 Submitted Submitted l Par. V. l .9 02-19-86 L

o .

12-15-86 SER INF0 AVAILABLE OR SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL COMMENTS 3.1. 3 Restoration of ICS/NNI RJR 86-75 Submitted Submitted DC Power Par. V.3 02-19-86

ICS/NNI-SSR Submitted Submitted to NRR ICS/NNI separated from Safety Grade Heat Qval Systems ALCR 3.c.5.2 Submitted Submitted to NRC NOM 86-63 & NOM 86-72.

01-30-86 BWOG Study In progress To be submitted Long-term project 3.1.4 Additional ICS/NNI Issues ICS/NNI-SSR Submitted Submitted 3.1.4.a Response to Loss /Restora- ICS/NNI-SSR Submitted Submitted tion of ICS/WNI AC Power 3.1.4.b ICS/NNI Response to Loss DFC-ICS/NNI Complete Submitted of Instrument Air w/ICS/NNI-SSR 4

DFC-Inst. Air Complete Available SSR-ICS/NNI Submitted Submitted SSR-Inst. Air Available Available 11-30-86 3.1.4.c loss of Offsite Power SSR-ICS/NNI Submitted Submitted with Loss of ICS/NNI/

Inst. Air DFC-ICS/NNI, Complete Submitted DFC-Deterministic w/ICS/NNI-SSR Failure Consequences.

t

12-15-86 SER INFO AVAILABLE OR

• SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL COMMENTS 3.1.4.d Si1VD Response to ICS/NNI ICS/NNI-SSR Submitted Submitted Incorporate into SSR.

concerns from BWDG 3.1.5 Remote / Local Indications of Loss of ICS/NNI ,

3.1. 5. a R.G. 1.97 Instrumentation Design Engr. Submitted l

3.1. 5. b SPDS ICS/NNI-SSR Submitted Submitted 3.1.5.c IDADS ICS/NNI-SSR Submitted Submitted 3.1. 5. d Computer / Annunciator ICS/NNI-SSR Submitted Submitted Systems 3.1. 5. e Other Indications RJR 86-75 Submitted Submitjed Summary Report Par. V.3 02-19-86 3.1. 6 EFIC 3.1. 6. a EFIC Design & Operation NUREG-1195 Available 10.1.11 Action Plan Submitted Submitted Updated with Amendment 1 Finding B.11 09-15-86 to AP.

EFIC Submittal Submitted Submitted, Dec 86

o .

12-15486 SER INFO .

AVAILABLE OR

, SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL COMMENTS 3.1. 6. b Independence of ICS/NNI -

from EFIC ICS/NNI-SSR Submitted Submitted EFIC Submittal Submitted Submitted, Dec 86 3.1.6.c AFW/EFIC Failure Analysis EFIC Submittal Submitted Submitted, Dec 86 3.1. 6. d OTSG Overfill Protection EFIC Submittal Submitted Submitted, Dec 86 3.1. 7 liain Feedwater System i 3.1.7.a I1FWS Response to LOICS/NNI EFIC Submittal Submitted Submitted, Dec 86 ICS/NNI-SSR Submitted Submitted 3.1. 7. b OTSG Overfill Protection EFIC Submittal Submitted Submitted, Dec 86 Circui ts l

3.1. 8 Main Steam System 3 3.1.8.a ADV Operation on EFIC Submittal Submitted Submitted, Dec 86 j LOICS/NNI ICS/NNI-SSR Submitted Submitted i

3.1.8.b TBV Operation on EFIC Submitted Submitted Submitted, Dec 86 l LOICS/NNI 3

s

^

u 12-15-86 SER INFO AVAILABLE OR SECTION TOPIL SOURCE STATUS FORMAL SUBMITTAL COMMENTS 3.1.8.c OTSG Isolation (MSLFL) EFIC Submittal Submitted Submitted, Dec 86 ALCR 1.n.1/.2 Submitted Submitted NOM 86-114 02-08-86 1

3.1.9 Sumnary of Modifications ICS/NNI-SSR Submitted Submitted relating to LOICS/NNI 3.2.1 Water Supply to HPI/

Makeup Pumps l

l 3.2.1.a Root Cause of Makeup Pump l Damage Root Cause Submitted Submitted Report to IIT IAG 85-41 & R-V 03-19-86 Submitted RJR 86-75 Submitted Submitted Par. V.4.1 02-19-86

& Par. VII.3 ALCR 10.e/.d Complete To R-V on 02-22-86 NOM 86-178 ALCR 4.a/.b Complete Available NOM 86-52 3.2.1.b Assurance of Water Supply ALCR 10.c/.d Complete To R-V on 02-22-86 NOM 86-178 ALCR 4.a/.b Complete Available NOM 86-52 Action Plan Submitted Commitment 4C. 09-15-86

. a

I A <

12-15-86 SER INFO AVAILABLE OR SECTIDH TOPIC SOURCE STATUS FORMAL SUBMITTAL COMMENTS 3.2.c Makeup Pump Repair ALCR 4.a/.b Complete Available NOM 86-42 4 NOM 86-52 Action Plan Submitted In progress 4C. 09-15-86 3.2.2.a Effect of Overcooling ALCR 6.b.3 Submitted to R-V on NOM 86-118 on Reactor and 0TSGs 02-11-86 Several 88W Complete Available Analysis Trip Rpt. #75 Complete Available July 22,1986 NUREG-1195, Complete Available 8.3.2 EPRI Section Complete Available 1 XI, App. XX

! Analysis RJR 86-75 Submitted Submitted Summary Report Par. V.6 02-19-86 l

3.2.2.b Technical Basis for PTS Guidelines Action Plan Section 48 Training of Operatcrs Appendix 8.6 Submitted Submitted 09-15-86 3.2.2.c. Potential for Core Lift B&W Rpt. in Complete Available NOM 86-14 ALCR 6.b.1 01-13-86

12-15-86 SER INFO AVAILABLE OR SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL C000ENTS 3.2.3. Radiation Honitoring Action Plan Submitted Submitted Operator Training,

Systen Operation Section 48 folloising Containment Isolation 3.2.3.a Root Cause of R-lS001 Damage IAG 85-41 Submitted Submitted to IIT and R-V 03-19-86 ALCR 5.a/.b Complete Available NOM 86-38 RJR 86-75 Submitted Submitted Par.V.5 02-19-86 3.?.3.h Effects of Containment ALCR Complete Subnitted NOM 86-Isolation on Other RJR 86-75 Submitted To R-V on

! Systens Pa r. V. 5 02-19-86 i

3.2.4 OTSG Overfill and RJR 86-75 Submitted Submitted Summary Report 11SL Flooding Par. V.l.1 02-29-86 3.2.4.a Stean Line fieader ALCR 1.f.3 Complete To R-V on 03-13-86 NOM 86-232 -

Evaluation ,

! 3.2.4.b. Steam Line Support ALCR 1.f.3 Complete To R-V on 03-13-86 NOM 86-232 i

.i 4 's 12-15-86 ,

SER INFO AVAILABLE OR SECTI0ll TOPIC SOURCE STATUS FORMAL SUBMITTAL COMMENTS 3.3.1 Maintenance Program Program Description Action Plan Commitment 3.13 Action Plan Submitted Submitted Commitment -

48.5 03-15-86 Action Plan Submitted Submitted Commitment 4C. 09-15-86 3.3.2 Operability Program RJR-86-75 Submitted Submitted for Valves Par. V .11.8 02-19-86 Action Plan Submitted Submitted 4C.

ALCR 10.d Complete Submitted NOM 86-178, 02-22-86 3.3.3 Valve PH Program Action Plan Submitted Submitted MOVs 4C. 09-15-86 Action Plan Submitted Submitted Manual Valve PM 4C. 09-15-86 Action Plan Submitted Submitted Appendix B.3 09-15-86 ALCR ll.h Available Available NOM 86-177 PMs and Manual Valwe Stroking

~

12-15-86 SER INF0 A'VAILABLE OR SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL COMMENTS 303.4 Troubleshooting / Root RJR 86-75 Submitted Submitted Cause Program Par. I.48VII 02-19-86 Action Plan Submitted Submitted 3.1.5/6 02-19-86 Action Plan Submitted Submitted Appendix B.24 09-13-86 Action Plan Submitted Submitted Systematic Troubleshooting 4B.4 09-15-86 Procedure 3.4.1 Adequacy of Operator Action Plan Submitted Submitted Trainino 48.3 09-15-86 ALCR Complete To R-V on 02-22-86 Operation Assessment 10.a/b/c/d NOM 86-178 ALCR 9.b Complete Submitted NOM 86-262/263 04-14-86 3.4.2 Minimum Staffing Tech Spec Issued Issued Revision submitted Oct 85, Requi rements 6.1 update scheduled for 01-15-87.

Action Plan Submitted Submitted Appendix B.22 09-15-86 3.4.3 Incapacitated Operator ALCR 10.c Complete To R-V on 02-22-86 NOM 86-178 RJR 86-75 Submitted Submitted Summary Report Par. I.1 02-19-86

d' 12-15-86 SER INFO '

AVAILABLE OR SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL C0f0ENTS 3.4.4 Potential Security / ALCR 1.m Complete To R-V on 02-22-86 NON 86-176 Safety Interface RJR 86-75 Submitted Submitted Susumary Report Par V.l.7 02-19-86 3.5.1 Need for Event-Related Action Plan Submitted Submitted Commitment Procedures 4B.4 09-15-86 ALCR 10.a Complete Available NOM 86-174, 02-20-86 RJR 86-75 Submitted Submitted Par. V.10 & 02-19-86 Pa r. V. 9. 3 3.5.2 Adequacy of ATOG Action Plan 09-15-86 Submitted Commitment Procedures 4B.4 RJR 86-75 Submitted Submitted Par. V.8 02-19-86 ,

ALCR 10.a Complete Available NOM 86-174, 02-20-86 3.5.3 Adequacy of HP Action Plan 09-15-86 Submitted Commitment Procedures 48.4 ALCR 7.a Submitted Submitted to R-V Rev. 2 Submitted 03-10-86 via NOM 86-226 RJR 86-75 Submitted Submitted Par. V.8 02-19-86 Action Plan 09-15-86 Submitted HP Related Training 48.3 09-15-86 Commitment

12-15-86 SER INF0 AVAILABLE OR SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL C0f0ENTS 3.5.4 Adequacy of Action Plan Submitted Submitted Annunciator Procedures Appendix B.17 09-15-86 14anual ALCR 10.a & Complete Submitted NOM 86-178, 02-22-86 10.g 3.5.5 liethodology for Action Plan Submitted Submitted Commitment Procedure Updating Appendix 48.4 3.5.6 Adequacy of Emergency Action Plan Submitted Submitted Commitment Operating Procedures Item 09-15-86 48.4 ALCR 10.a Ccmplete Submitted NOM 86-174, 02-20-86 3.6.1 Siup4ified 51/$2 Action Plan Work Complete Submitted Commitment Schematics 4C.

ICS/NN1-SSR Submitted Submitted Commitment ALCR 3.f.12 Complete Available Installed by ECN 3.6.2 AFW Valve Position Action Plan Submitted Submitted See also EFIC Indication AFW-SSR Available Available Rev. 1 SSR

w  :

i .

12-15-86 i SER INFO AVAILABLE OR SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL C000ENTS

3.6.3 Control Room HVAC ALCR 1.r Due 12-15-86 Later Troubleshooting Plans

! issued by NON 86-239.

{ TSC/CR-SSR Rev. 1 Available Rev.1 Issued

Testing in Progress ,

CRDR HEDs Open Submitted 12-85 Action Plan Submitted Submitted Commitment 4C. 09-15-86 3.6.4 Alam for ICS ALCR ~>.g Complete Available NOM 86-143, 02-14-85 j

1 (Effect of Loss of Power)

) .. .

~

~ ~

N i

RJR E6-75 Submitted Submitted ., Suessar,y Report i Par V;4

.s 02-!9-86 ,

ICS/NNI-SSR Submitted Submitted '

! Action Plan Submittal Submitted - ~ Commitment.' *

40. 09-15-86_ ,

3 .. -

q i

3.6.5 i Control Roon Audit Report Issued Available Report on NRC m ~.s- s

! ilodifications NL 86-698 Audit of 9-29/lb-u2-86 '

of itJ-06-86 .

Submitted Due 12-30-86 Scheduled -

Control Room- Due 12-30-86 Scheduled SSR 3.7 SRTP Program Action Plan Submitted Submitted '

Section 4D 09-15-86 -

~

Audit Report LATER LATER Oct. 86 ,

f

., 12-15-86 SER INFO AVAILABLE OR SECTION TOPIC SOURrE STATUS FORMAL SUBMITTAL C0f00ENTS 3.8 Managementind[ Action' Plan Submitted Submitted Program and Major Organizational Section 1.0 09-15-86 Commitments

~

Considerations Section 2.0 '

Section 3.0 '

Section 48 s a

~

~

3.9.1 FSAR Accident Analysis, ALCR 1.p SubniittS Submitted to IIT NOM 86-55

,. 01-24-86 and RV Use of Non-Safety RJR 86-75 Submitted fSubmitted Systen Par. V.1.10 02-19-86 -

Action Plan Submitted Submitted "

~

Appendix B.14' 09-15-86

~

I r

3.9.2 Evaluation of Response . /

Action Plan Submitted Submitted "~

to Previous Transients 09-15-86 and Experiences Appendix 8.15.a Submitted Submitted Pc.Ser Supplies to ICS/NNI l '

09-15-86 .

B.15. B Submitted Submitted 01-05-79' Loss of ICS 09-15-86 B.15. c Submitted Submitted BAW-1554

, 09-15-86 '_ '

B.15.d Submitted Submitted IE. Bulletin 79-27 .

09-15-86 B.15.e Submitted Submitted- Loss of NNI at Crystal '

09-15-86 River B.15. f Submitted Submitted NUREG-0667 09-15-86 B.15 9 Submitted Submitted Loss cf NNI on 03-19-84 09-15-86 8.15.h Submitted Submitted Reference Plant Studies 09-15-86 i.(

[

l

l 9-o d}.

12-15-86 SER INFO AVAILABLE OR ' L SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL . COMMENTS l e  :. .,.

3. 9. 3 ~ Probability of PTS Action Plan Submitted S'ubmitted #

,2 '-

(BAW-1791) Appendix B.26 09-15-86 3.9.4 EFIC Systen History Action Plan Submitted Submitted , , ,f t Appendix 8.11 09-15-86 -

, 4.1 PASS Tech Spec Submitted l l Submittal  !

f l l

l PASS-SSR Available Available Rev.1 Approved Action Plan Submitted Submitted Commitment 4C.6 09-15-86 i

Action Plan Submitted Submitted Commitment '

48.8 09-15-86 4.? CR/TSC HVAC CR/TSC-SSR Due 12-15-86 Available Rev. 1 Issued ALCR 1.r Open Open NOM 86-239 Issued Troubleshooting Plans Action Plan Submitted Submitted Commitments 4C. 09-15-86 4.3 Radioactive Liquid Action Plan Submitted Submitted Appendix I Commitments Effluent Releases 48.7 09-15-86 l

Action Plan Submitted Submitted Commitment 48.6 09-15-86

12-15-86 SER INFO AVAILABLE OR SECTION TOPIC SOURCE STATUS FORMAL SUBMITTAL CO M NTS s

4.4 Energency Plan ,

4.4.a. Metrology Program Project Available Available Improvements Manager .,

4.4.b. Training Action Plan Submittal Submitted Commitments

48.3 09-15-86 1

4.4.c. Procedures and Dose Action Plan Submitted Submitted Commitments Assessment Section 09-15-86 48.8 4.5 Reg. Guide 1.97 Control Room Submittal CR-SSR Due 12-31-86 RG-1.97 Submittal 4.6 SPDS t

4.6.a Upgrade to Safety Grade Action Plan Submitted Submitted Commitment 4 4C. 09-15-86 ICS/NNI-SSR Available Available l

l

st. ,

c ._.

12-15-86 SER INF0 AVAILABLE OR SECTION- TOPIC SOURCE STATUS FORMAL SUBMITTAL Co mENTS 4.6.b Isolation Devices SPDS-SSR Available Available .

4.6.c Modifications SPDS-SSR Available Available .i 4.7 TDI Diesels Submittal Submitted Submitted Dec 86 1

I 4

_ _ _ _ _ _ _ _ - _ _ _ - - _ _ _ _ _ _ _ . . . . .