Review of Undected Failures of Safety Sys

ML20217C426
Person / Time
Issue date:	09/30/1997
From:	Ellen Brown, Pullani S NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
To:
Shared Package
ML20217C417	List: ML20217C413 ML20217C426
References
TASK-*****, TASK-AE AEOD-*****, AEOD-E97-02, AEOD-E97-2, NUDOCS 9710010394
Download: ML20217C426 (71)
v • d • e

Text

,. .

.....q AEOD/E97-02 REVIEW OF UNDETECTED FAILURES OF SAFETY SYSTEMS )

SEITEMBER 1997 Prepared by:

Sadanandan V. Pullani Earl J. Brown Reactor Analysis Branch

. Safety Programs Division Office for Analysis and Evaluation of Operational Data 9710010394 970926 PDR ORG NEXD .

1 a

i i CONTENTS 1 SUMhfARY . . . . . . . . . ................................. I 2 INTRODUCTION ................ '

2.1 Packground and Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.2 Scope and Limitations ................................. 2 3

D IS C US S I O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1 Selection of Events and Basic Data for Analysis . . . . . . . . . . . . . . . . . . 3 3.2 Description of Events ... ................................ 4 3.3 Event Categorization .................................. 4 4 FINDINGS AND CONCI.USIONS ... .

.................... 5 4.1 Findinge .. . .. . ... . . . . ..... . . $

4.2 Conclusions . . . .. . .. .. . .. 8 5 REFERENCES . . . .. ...... . . . . .. .. .. . . 10 APPENDICES A Search Results for 1991,1992, and 1993 Events B Description of 1991 Events C Description of 1992 Events D Description of 1993 Events E Codes Used for Categorization of Eve:.ts F Categorization of Events G Distribution of Event Categories FIGURES 1 Time Elapsed Before Discovery ... ............. . ..... ... 6 iii

i i i

SUMMARY

The purpose of this evaluation was to identify undetected failures of safety systems in nuclear power plants. It represents further analysis and evaluation of information provided to the Nuclear Energy Agency (NEA) as part of a proposed worldwide generic study. A set of 33 such events was identified by a search of the 70 events found in the Accident Sequence Precursor (ASP) database for the time period 1991 through 1993. The ASP program is an 3 Office for Analysis and Evaluition of Operational Data (AEOD) program to use probabilistic l risk assessment technologies to estimate operating event significance in terms of the potential for core damage (Ref.1). The undetected failures were analyzed and evaluated with respect to their discovery methods, failure rate, failure causes, corrective and preventive actions by licen aes, and resulting regulatory actions.

The event data for 1991 through 1993 show that nearly 50 percent of the ASP events involved an undetected failure. Some failures remained undetected for a long time; four failures for a period of 1 to 10 years and another four for more than 10 years and up to 18 years. An additional four evcnts may have gone undetected from initial plant startup, while two others were u.vietected from the time of plant modification until discovered. This illustrates that unrecognized deficiencies existed and were not detected by programmatic activities. These deficiencies existed since original construction or were introduced during plant modifications that were performed sometime after operation commenced. Thus, plant modifications could be a source of undetected failures.

More than 75 percent of the failures were discovered via testing or analysis and evaluation of operational problems. Component failures, design deficiencies, or inadequate testing or maintenance procedures caused about 70 percent of the failures. The more frequent corrective or preventive actions l'/ en ')y licensees were design changes (plant modifications),

additional training or guidance for plant personnel, new or modified operating procedties, and modified maintenance procedures. Although the licensees' actions appeared apprc priate for the specific events, it is not clear that the effotts would generically apply to other plants.

Testing, the most frequent discovery method, was most often associated with one of three failure causes: compenent failure, design denciency, and inadequate testing or maintenance.

Ilowever, the data indicate that it would be incorrect to associate failure discosery via testing as the successful completion of a planned sequence to determine success or failure. For example, in approximately 60 percent of the events associated with these three failure causes, the failure detected or related deficiency revealed was not within the anticipated or defined purpose of the test. This illustrates a need for improved definition of post work actions (tests, procedures, etc.) intended to confirm or assure component or system operability.

Although there may be different perspectives about whether short duration events represent an undetected failure situation, our review indicates that there are lessons to be learned. We found that the events generally involved programmatic deficiencies that were discovered fortuitously. Thus, any event could have persisted for a longer time.

1

f 2 INTRODi'CTION 2.1 Background and Objective The NEA, in September 1994, proposed a worldwide generic study on undetected failures of safety systems in nuclear power plants (Ref. 2). L: December 1995, the NEA outlined the scope and content of the proposed study (Ref. 3). The purpose of the NEA study was to understand why failures remained undetected for a long time, and identify the measures - corrective and preventive actions by the licensees and regulatory bodies -

that would preclude or reduce the likelihood of such failures. AEOD supported the NEA study by providing data on 33 events, identified through a search of the ASP database.

These events occurred during a specified 3 year time frame (1991 through 1993) in nuclear power plants within the United States (Refs. 4 and 5).

AEOD decided to further analyze and evaluate the information it prcvided in support of the NEA study, with the objective of establishing whether the data exhibited trends or patterns.

The effort concentrated on review with respect to cause of failure, method of discovery, corrective and preventive actions by the licensee, and any regulatory actions which may have

, resulted.

2.2 ? cope and Limitations The ASP a J e itilizes several sources of operational data but Licensee Event Reports (LERs) are k y J~ninant source. The ASP information prior to 1993 has limitations when used for enalysis and evaluation because some technical information may not have been available when the LER was reported. For the 33 events studied in this report, the failure causes, discovery methods, and corrective and preventative actions used were those stated in

' lie LER, with no attempt made to independently verify its accuracy or completeness.

1 The search for regulatory actions related to an event was limited to identification of an Augmented inc ection Team (AIT) or incident Investigation Team (llT) as a result of the event, or NRL generic communication issued on the subject after the event. No attempt was made to search for NRC enforcement actions. The NRC generic communication applicable to a particular event was obtained through a search of the NRC Event Tracking System (ETS) for generic communications issued after the date of the event. It is possible that a generic communication previously issued on a similar prior event was sufficient to cover the current event and NRC decided not to issue another generic communication on the subject.

2 1

i i 3 DISCUSSION The NEA study scope defined undetected failures of safety systems to include "significant events where equipment (systems, components, logic circuitry, or structures) remained inoperable or would have been unable to fulfill correctly their safety functions, for an extended period of time until the condition was discovered" (Refs. 2 and 3). Although the scope of the NEA study was directed at failures existing for an extended period of time (defined by the NEA study as a period equivalent to or greater than one cycle duration or several test interval periods), the AEOD evaluation considered all the failures in the ASP database, irrespective of failure duration. The goal for reviewing events that existed for an extended period of time relates to the belief that some scheduled periodic action would be expected to have discovered the deficiency. This situation may not apply to short duration events. A review of the eight events of less than 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> duration revealed that they generally involved programmatic deficiencies. This includes multiple personnel errors in following procedures, inadequate procedures, and breakdowns or inadequate post maintenance testing and surveillance activides. The event discovery was a fortuitous result of some activity soon after occurrence rather than a deficiency that was revealed via a planned or scheduled action. However, the events could have gone undetected for much

( longer time periods.

The following is a summary of the methodology used in the AEOD evaluation. The findings and conclusions of the evaluation are given in Section 4.

1 3.1 Selection of Events and Basic Data for Analysis i

The ASP database was searched for events which occurred during the 3-year period 1991 through 1993 and which involved system unavailability with no actual occurrence of an initiating event. A nuclear power plant is vulnerable to the effects of certain initiating evems because of these unavailabilities. The initiating events considered were loss of coolant accident, loss of offsite power, steam line break, or plant trip. The search strategy was to select ASP events that were coded as a system being unavailable, but one of these initiating events bad not occurred.

The ASP event reports utilize conditional core damage probability (CCDP) as a means to assess a given event's importance (relative significance) from a risk perspective. For an undetected failure event, the CCDP was calculated by the ASP program using the occurrence frequency of the initiating event or events that would be affected by the undetected failure and the unavailability time stated in the LER. When the undetected failure existed for more than a year, an unavailability time of 1 year was used in the calculation. The ASP process defines events for which the CCDP is 2 E-6 as precursors. The CCDP range has generally spanned three decades - from E-6 to E-3 (Ref.1). Events with a CCDP 2 E-6 and < E-4 are considered relatively less important from a risk perspective than those events with CCDP 2 E-4. From 1991 through 1993, only the 1991 event at Shearon Harris Unit I had 3

e .

a CCDP > E-3 (see Appendix B, page B-13). During the time span 1991 through 1993, there were 10 events with a CCDP 2 E-4 (the more important events).

The events identified through the search are listed in Appendix A for the years 1991, 1992, and 1993. The same event associated with multiple units at the same site was counted as multiple events, thus totalling to 33 events. Appendix A identifies, for each event, the plant name, LER number, event date, event description (the title of the LER), CCDP, date of initial reactor criticality, plant age when the event occurred, plant electrical megawatt rating (Rate), plant type (T) (i.e., PWR [P] or BWR [B]), reactor vendor (V) (i.e., Westinghouse

[W], Babcock & Wilcox [B), Combustion Engineering [C), or General Electric [G]), the type of event assumed in the ASP analysis (i.e., unavailability of equipment needed for a loss of coolant accident [ULOCA), unavailability of equipment needed for a loss of offsite power

[ULOOP], unavailability of equipment needed for a steam line break [USLB), or unavailability of equipment needed for a plant trip [UTR.lP]), the failed system type (system) as categorized by the ASP coding list, and the system unavailability (Unav.) durativa (in hours [h], days [d], months [m] or years [y). The identified system types and their ASP codes are: reactor vessel and appurtenances (e.g., power-operated relief valve) (CA), residual heat removal systems and controls (CF), emergency generator systems and controls (EE),

engineered safety features instrument systems (18), other instrument systems not required for safety (IF), and emergency core cooling systems and controls (SF).

3.2 Description of Events Event descriptions are given by year in Appendices B, C, and D. The description includes event identi0 cation, event summary, failure cause(s), method of discovery, corrective and preventive actions by licensee, and resulting regulatory actions. Most of the information was obtained by searching event reports in the ASP, LER, and ETS databases. The AIT and IIT information was obtained by searching the AIT and IIT reports or the AEOD annual reports.

Some corrective actions identified by licensees were incomplete when the original LER was written and a status update via an LER revision was not submitted. These actions are identified by an asterisk (*), as shown in Appendices B, C, D, and F. The status of these actions was confirmed with the licensees as complete, except as specifically noted otherwise.

3.3 dvent Categorization The NEA investigative approach, as delineated in its letter dated December 4,1995 (Ref. 3),

was directed toward (A) understanding the failure and (B) identifying corrective and preventive actions. Each group was further subdivided to delineate specific aspects. Group A addressed failure causes and discovery methods (method which revealed the faih!re), while Group B addressed corrective and preventive actions. Seventy specific categories (cal, CB1, CCl, dol, D15 etc.) were established to fully describe the events. Appendix E contains a complete list of 70 alpha-numeric categorization codes used in this study. All categories listed in the NEA letter are included in Appendix E. Where a specific situation 4

. i did not match any of the categories listed in the NEA letter, additional categories were included in Appendix E.

Except for regulatory actions, the categorization was based on the description found in the actual LERs associated with the events or the event summaries included in Appendices B through D. The relevant parts of the wiite-up were extracted and included in Appendices B

, through D, along with appropriate codes (shown in bold characters), to provide the reader the basis and context of this categorization.

The results of categorization are given in Appendix F, separately for the 3 years. The distribution of the 33 events under various categor!es (ranked in the order of decreasing frequency) is given in Appendix G.

i 4 FINDINGS AND CONCLUSIONS The data provided in Appendices A through G, discuss,d above, form the basis for the following findings and conclusions.

4.1 Findings

J

1. Systems Failed: The type of system which failed for each event is indicated in Appendix A. Of the 33 events,14 events involved failure of emergency generator "

systems and controls,11 events involved failure of emergency core cooling systems, and 4 events involved failure of residual heat removal systems and controls. The remaining four events involved failure of: power-operated relief valves, a pump needed for recirculation after a LOCA, engineered safety features instrumentation systems, and other instrument systems not required for safety. Out of the 14 events involving failure of emergency generator systems and controls,6 events involved Keowee hydroelectric units which provide emergency power to Oconee Units.1,2, and 3, and which were the subject of a detailed AEOD study (Ref. 6). We remaining eight events involved emergency diesel generators at eight different plants.

2. Time Elansed before Discovery:

• The time elapsed before discovery, (i.e., the duration of system unavailability for each event) is given in Appendix A. Of the 33 events,8 were discovered within 0 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />,11 within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 1 month,6 within 1 month to 1 year,4 within 1 year to 10 years, and 4 after 10 years (see Figure 1).

• Six failures remained undetected from initial plant startup (this ranged from a few months up to 18 years). Although not definitive, it appears that four additional events may have existed since initial plant startup, whi'e two others existed since a plant 5

modification occurred (post modification testing either did not reveal the situation or was not done).

No. of Events 12 10 8

\

6 4 .

2 0

/

so N

/ so

/ @

/ @

/

so 1

/e /

Y+/ "

s s Time Figure i Time Elapsed Before Discovery

• Th eight events of less than 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> duration generally involved programmatic deficiencies that were discovered fortuitously rather than through planned action,

3. Conditiona' Core Damate Probability: The CCDP for each event is given in appendices A, B, C, and D. The CCDP distribution was 1 event with CCDP 2 E-3, 9 events with CCDP 2 E-4 and < E-3,11 events with CCDP 2 E-5 and < E-4: and 12 events with CCDP 2 E-6 and < E-5.

4. Yearly Failure Rate: Thirty-three events involving undetected failures in safety systems were reported during the 3-year period 1991 through 1993, which is an average of 11 events per year. This represents about .1 per reactor year for the 109 U.S. operating reactors.

6

. i

5. Event Categorizatips Appendices B, C, id D indicate, for each of the 33 events, alpha numeric categorization codes detern ned for the failure cause; the discovery method (how the failure was discovered); the licensees's corrective and preventive action; and the regulatory action. Appendix F is an everit compilation, by year, for these four categorization groups. Appendix G shows the categorization group occurrence frequency (number of times the category occurred).

• Failure Cause J

The more frequent failure causes include: component failure (11 events), design deficiency (9 events), and inadequate testing or maintenance procedures (7 events).

Other failure causes were: conditions not previously considered in design basis reviews (4 events), maintenance error (4 events), inadequacies in design basis studies (3 events), foreign bodies left in piping (2 events), operator error (2 events),

deficiencies in operating procedure (2 events), inadequate implementation of operating experience feedback (1 event), and deficiencies in communication (1 event).

• Discovery Methods The more frequent discovery methods were either testing (17 events) or analysis /

evaluation of operational problems (10 events). Other discovery methods were:

preventive / corrective maintenance (3 events), Individual Plant Examination (IPE)

(1 event), response to NRC Information Notice, Generic Letter and Bulletins (1 event),

response to nuclear steam supply system (NSSS) vendor's information notices (1 event), operational problems (plant startup, normal operation, or shutdown)

(1 event), system line-up verification (1 event), and walkdcwns (1 event).

• Licensees's Correc ive and Preventive Actiom The more frequent corrective or preventive actions the licensees took were: design change or plant modification (15 events), additional training or guidance to plant personnel (13 events), new or modified operating procedure (12 events), and modified maintenance procedute (7 events). Other corrective or preventive actions the licensees took were: corrective maintenance, repair or replacemr.t of failed component (4 events), change to design basis (3 events), post-maintenance verification testing or examination (3 events), assessment of modifications' implementation and subsequent requalification (2 cents), removal of foreign material by flushing (2 events), new or modified administrative procedure or management directives (2 events), new or modified engineering or design procedure (2 events) and new or modified Technical Specifications (1 event).

7

• Regulatory Actions Seven of the thirty-three undetected failure events were cited as examples in seven different NRC generic communications to licensees (information notice, generic letter, or bulletin). Four of those seven events were also investigated by AITs. Of the 10 events considered relatively more important, CCDP 2 E-4, only the Shearon Harris Unit 1 event involving high-pressure injection system unavailability was cited in an NRC generic communication. None of these 10 events was the subject of an AIT.

6. Eailure a Cause/ Discovery Method Comnarisons:

• Testing, the most frequent discovery method, was most often associated with one of three failure causes: component failure, design deficiency, and inadequate testing or maintenance. Ho'vever, the data indic tes that it would be incorrect to associate failure discovery via testing as the completion of a planned sequence to determine success or failure. For example, in approximately 60 percent of the events associated with these three failure causes, the failure detected or related deficiency revealed was not within the anticipated or defined purpose of the test (for instance, surveillance testing caused component failure due to a latent system design deficiency, post maintenance testing was inadequate or not done, maintenance was done incorrectly, etc.).

• About 30 percent of the failures discovered during testing occurred during either special tests or an off nonnal variation of a surveillance test. These included valve failure during a test to verify conformance with Generic Letter 89-10. " Safety-Related Motor-Operated Valve Testing and Surveillance," an integrated automatic bus transfer test (not previously conducted) based on an IPE assessment, valve pressure locking following an ASME Code pipe pressure test after pipe repair, and the emergency power system becoming unavailable when a test selector switch was in an off-normal position (not previously tested in that position).

• The second most frequent discovery method, analysis / evaluation of operational problems, was most often associated with one of three failure causes: component failure, inadequacies in design basis studies, and inadequate testing or maintenance procedure.

4.2 Conclusions The ASP database for the period 1991 through 1993 contained 70 events which were identified as precursors to core damage events. Thirty-three of them involved undetected failures. Thus, the data illustrates that nearly 50 percent of the events are associated with unavailabilities that went undetected.

Many events involved undetected failures which remained undiscovered so that systems were rendered unavailable for long periods of time. The systems involved include: emergency 8

generator systems and controls, emergency core cooling systems, and residual heat removal systems and controls. Fourteen events (40 percent of the 33 events ) involved equipment unavailability for time periods exceeding 1 month and up to 18 years. Of these, fcur events went undetected between 1 and 10 years and four events went undetected for more than 10 years and up to 18 years. Although information is not definitive, an additional four events may have gone undetected from initial plan; startup, while two others were undetected from the time of a plant modification entil discovered. This illustrates the unrecognized deficiencies existed and were not detected by programmatic activities. These de0ciencies, in some instance, existed since original construction or were introduced di'*ing plant modifications that were performed sometime after operation commenced. Thus, plant modifications could be a source of undetected failures.

The average yearly failure rate was 11 events per year or .1 per reactor year for the 109 U.S. operating plants. Of the 33 events,29 occurrcJ at PWRs and 4 at BWRs. Ilowever the method of counting events as separate events when multiple units at a site were affected does impact these aspects. For example, three events at Oconee account for nine total events because each unit was affected and one event at Catawba affected both units. Thus, four PWR events count as eleven.

More than 75 percent of the failures were discovered via testing or analysis and evaluation of operational problems. The licensees' event analyses also indicated that cause of failure involved component failure, design deficiency, and inadequate testing or maintenance 1 procedures in about 70 percent of the events. All of the deficiencies were resolved through appropriate corrective or preventive actions. The more frequent corrective or preventive actions taken by the licensees were design change (plant modification), additional training or guidance for plant personnel, new or modified operating procedure, and modified maintenance procedure. Although the licensees' actions appeared appropriate for the specific events, it is not clear that the efforts would generically apply to other plants.

Testing, the most frequent di;covery method, was most often associated with one of three failure causes: component failure, design deficiency, and inadequate testing or maintenance.

However, the data indicate that it would be incorrect to associate failure discovery via testing as the completion of a planned sequence to determine success or failure. For example, in approximately 60 percent of the events associated with these three failure causes, the failure detected or related deficiency revealed was not within the anticipated or defined purpose of the prescribed test. This appears to illustrate a need for improved definition of post work actions (tests, procedures, etc.) intended to confirm or assure component or system operability.

There are different perspectives relative to what role short duration (less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) events may play in undetected failures. This includes whether the event would be found significant because of the short time and whether the short discovery time represents an undetected event situation. However, irrespective of these issues, a review of the reported information indicates there are lessons to be learned. In general, the events involved 9

programmatic deficiencies and the situation was discovered through fortuitous circumstances.

Thus, specific situations could have persisted for a longer time.

5 REFEilENCES

1. Belles, R.J., et al., " Precursors to Potential Severe Core Damage Accidents,1994 A Status Report," NUREG/CR-4674. ORNL/NOAC-232, Vol. 21, December 1995.

2. Zermizoglou, R., Nuclear Energy Agency, Fax to E. Brown, U.S Nuclear Regulatory Commission, September 7,1995.

3. Clausner, Jean Pierre, Organization for Economic Cooperation and Development, Nuclear Energy Agency, letter to Members of the Working Group of the Generic Study on Undetected Faiiures of Safety Systems in NPPs, December 4,1995.

4. Brown, E.J., U.S. Nuclear Regulatory Commission, letter to R. Zermizoglou, Nuclear Energy Agency, September 6,1995.

5. Pullani, S.V., U.S. Nuclear Regulatory Commission, letter to Roger Zermizoglou, Nuclear Energy Agency, March 4,1996.

6. U.S. Nuclear Regulatory Commission, AEOD/S97-01, "Oconee Electrical System Design and Operation," March 1997.

10  !

1

9 0 APPENDICES

\

, i APPENDIX A Search Results for 1991,1992, and 1993 Events Note: This appendix identifies, for each event, the plant name, Licensee Event Report (LER) number, event date, event description (the title of the LER), conditional core damage probability (CCDP), date of initial reactor criticality, plant age when the event occurred, plant electrical megawatt rating (Rate), plant type (T) (i.e., pressurized water reactor (PWR) >

(P) or boiling-water reactor (BWR) (B)), reactor vendor (V) (i.e., Wes"nghouse (W),

Babcock & Wilcox [B], Combustion Engineering [C], or General Electric (G]), the *ype of initiating esent assumed in the accident sequence precursor (ASP) analysis (i.e., unavailability of equipment needed for a loss of coolant accident [ULOCA),

unavailability of equipment needed for a loss of offsite power [ULOOP], unavailability of equipment needed for a steam line break [USLB], or unavailability of equipmen: needed fut a plant trip [UTRIP]), the failed system type (system) as categorized by the ASP coding list, and the system unavailability (Unav.) duration (in hours [h], days [d), months [m] or years

[y]. The identified system types and their ASP codes are: reactor vessel and appurtenances (e.g., power-operated relief valve) (CA), residual heat removal systems and controls (CF),

emergency generator systems and controls (EE), engineered safety features instrument systems (IB), other instrument systems not required for safety (IF), and emergency core cooling systems and controls (SF).

LER No Date CCDP Init. Event System Plant Age Rate TV Critical Unava.

Description 1991 EVENTS:

206/91-014 1991/08/07 2.100E-006 ULOCA IB SAN ONOFRE 1 24.16 436 P W 1967/06/14 17h INOPERABLE VOLUME CCNTROL TANK LEVEL TRANShtITTERS 269/91-010 1991/09/19 1.200E-004 ULOCA SF*

OCONEEI 18.43 886 P B 1973/04/19 18.43y POTENTIAL FOR HYDROGEN ENTRAINMENT IN HPI PUMPS 270/91-010 1991/09/19 1.200E-004 ULOCA SF*

OCONEE 2 17.86 886 P B 1973/11/11 17.83y POTENTIAL FOR HYDROGEN ENTRAINMENT IN llPI PUMPS Indicates system failures since initial criticality / plant startup.

A-1

\

LER No Date CCDP Init. Event System Plant Age Rate TV Critical Unava.

Description 272/91-030 1991/09/20 4.400E-006 UTRIP CA SALEhi 1 14.78 1115 P W 197x 12/11 81d BOTil PORVS f AILED DUE TO LEAKING ACTUATORS 278/91-017 1991/09/24 3.300E-004 UTRIP SF PEACH BOTTOM 317.14 1%5 B G 1974/08/07 21d CONTROL WIRING FOR ADS / RELIEF VALVES FOUND DAhiAGED 280/91-017 1991/07/15 2.900E-006 ULOOP EE SURRY 2 19.04 788 P W 1972/07/01 13h BOTH EMERGENCY DIESEL GENERATORS FOR UNIT 2 INOPERABLE 287/91-010 1991/09/19 1.200E-004 ULOCA SF*

OCONEE 3 17.04 886 P B 1974/09/05 17.04y POTENTIAL FOR HYDROGEN. ENTRAINMENT IN llPI PUMPS 323/91-003 1991/09/01 2.100E-006 ULOCA SF DIABLO CY 2 6.03 1119 P W 1985/08/19 6h CONTAINMENT SUMP ISOLATION VALVES AND CONTAINMENT SPRAY PUMP DEENERGlZED DURING HOT SHUTDOWN 333/91-014 1991/08/05 9.500E-005 ULOCA SF*

FITZPATRICK 16.72 816 B G 1974/11/17 16.72y HYDRAULIC PRESSURE LOCKING OF TWO LOW PRESSURE ECCS INJECTION VALVES 336/91-009 1991/08/21 2.100E-004 ' ".00 0 EE MILLSTONE 2 15.85 870 P C 1975/10/l'1 15d BOTH DIESEL GENERATORS UNAVAILABLE AND UNIT SHUTDOWN 400/91-008 1991/04/03 6.300E-003 ULOCA SF HARRIS 1 4.24 900 P W 1987/01/03 > ly HPI UNAVAILABILITY FOR ONE REFUELING CYCLE BECAUSE OF INOPER.

A-2

. i LER No Date .CCDP Init. Event - System Plant Age Rate TV Critical Unava.

Description 423/91-011 1991/04/10 8.600E-004 ULOCA SF*

hilLLSTONE 3 5.21 1154 P W 1986/01/23 5.21y BOTil TRAINS OF llPSI INOPERABLE DUE TO RELIEF VALVE FAILURE 440/91-009 1991/03/14 5.300E-004 ULOOP EE PERRYl 4.77 1191 B G 1986/06/% 15d TWO EDGS INOPERABLE 445/91-012 1991/03/26 6.200E-005 ULOCA SF*

COh1ANCIIE PK, 10.97 1150 P W 1990/04/03 0.97y POTENTIAL CllARGING PUh1P UNAVAILABILITY DUE TO liYDROGEN VOIDS 1992 EVENTS:

1 261/92-013 1992/07/10 3.500E-005 ULOCA SF ROBINSON 2 21.81 700 P W 1970/09/20 1.5h St PUh1P OUT OF SERVICE 269/92-008 1992/07/17 2.800E-006 ULOOP EE OCONEEI 19.25 886 P B 1973/04/19 1.4d BOTH KEOWEE UNITS UNAVAILABLE 269/92-018 1992/12/02 3.200E-005 ULOOP EE OCONEE1 19.63 886 P B 1973/04/19 15d BOTIl KEOWEE UNITS POTENTIALLY UNAVAILABLE 270/92-008 1992/07!!7 2.800E-006 ULOOP EE OCONEE 2 18.69 886 P B 1973/11/11 1.4d BOTH KEOWEE UNITS UNAVAILABLE 270/92-018 1992/12/02 3.200E-005 ULOOP EE OCONEE 2 19.07 886 P B 1973/11/11 15d BOTil KEOWEE UNITS POTENTIALLY UNAVAILABLE c

A-3

i .

LER No Date CCDP Init. Event System Plant Age Rate TV Critical Unava.

Description 286/92-011 1992/07/06 1.200E-006 ULOOP EE INDIAN POINT 3 16.26 965 P W 1976/04/% 3.5d MULTIPLE EDGS INOPERABLE 287/92-008 1992/07/17 2.800E-006 ULOOP EE OCONEE 3 17.87 886 P B 1974/09/05 1.4J BOTil KEOWEE UNITS UNAVAILABLE 287/92-018 1992/12/02 3.200E-005 ULUCP EE OCONEE.$ 18.25 886 P B 1974/09/05 15d BOTil KEOWEE UNITS POTENTIALLY UNAVAILABLE 301/92-003 1992/09/18 9.900E-006 ULOCA SF POINT BEACli 2 20.31 497 P W 1972/05/30 10m PLUGGED S1 PUMP SUCTION 328/92-010 1992/07/17 1.900E-006 ULOOP CF SEQUOYAli 2 10.70 1148 P W 1981/11/05 17h EDG & RilR PUMP INOPERATIVE 483/92-011 1992/10/17 1.300E 005 ULOOP IF CALLAWAY 8.04 1171 P W 1984/10/02 18.5h LOSS OF MAIN CONTROL ROOM ANNUNCIATORS 1993 EVENTS:

213/93 006 1993/06/27 6.590E-005 ULOOP EE 213/93-007 IIADDAM NECK 25.94 582 P W 1967/07/24 > ly DEGRADATION OF MCC 5 PRESSURIZER PORV AND BOTH EMER 265/93-010 1993/04/22 6.000E-005 ULOOP EE QUAD CITIES 2 21.00 789 B G 1972/04/26 7m DEGRADATION OF BOTH EMERGENCY DIESEL GENERATORS A-4

. 1

l L.ER No Date CCDP Init, Event System l Plant Age Rate TV Critical Unava.

Description 289/93-002 1993/01/29 3.100E-006 ULOCA CF TilREE MILE IS 18.66 819 P B 1974/06/05 3h BOTil RilR llEAT EXCl{ ANGERS UNAVAILABLE 313/93-003 1993/09/30 5.100E-005 ULOCA CB ARKANSAS 1 19.16 850 P B 1974/08/06 14h BOTil TRAINS OF RECIRCULATION INOPERABLE FOR 14 II 412/93-012 1993/10/06 2.100E-006 UL' CA EE BEAVER VLY 2 26.17 836 P W 1987/08/04 - 3y FAILURE OF BOTil EDG LOAD SEQUENCERS 413/93 002 1993/02/25 1.500E-004 ULOOP CF CATAWBA 1 S.14 1145 P W 1985/01/07 42d ESSENTIAL SERVICE WATER POTENTIALLY UNAVAILABLE 414/93-002 1993/02/25 1.500E-004 ULOOP CF  ;

CATAWBA 2 6.80 1145 P W 1986/05/08 42d ESSENTIAL SERVICE WATER POTENTIALLY UNAVAILABLE 498/93-005 1993/01/22 1.200E-005 ULOOP EE SOUTH TEXAS 1 4.87 1251 P W 1988/03/08 - 25d UNAVAILABILITY OF ONE EDG AND THE TURBINE DRIVEN AFW PUMP A-5

APPENDIX B Description of 1991 Events

1. Event identificatiga LER No: 206/91 014 Event

Description:

Inoperabk volume control tank level transmitters Date of Event: August 7,1991 Plant: San Onofre 1

2. Event Summary The automatic actuation for realignment of the charging pumps from the volume control tank (VCT) to the refueling water storage tank (RWST) on low VCT level was disabled. In the event of a small break loss-of coolant accident (LOCA), and if manual realignment failed, the charging pumps would become gas bound due to hydrogen from the VCT. This condition existed for-17 h. The conditional probability of core damage associated with this event is 2.1 E-6.

3. Failure Cause(s)

The pioblems exhibited by LT-1100 were caused by loose fasteners in the transmitter which allowed some internal parts to bind and others (which should be locked together) to rotate

[CBl]. An investigation was initiated to determine why the level transmitter fasteners were loose. This investigation revealed that the vibration caused by welding and grinding done in the area caused the fasteners to become loose.

4. Method of Discovery Operators observed differences in the indicated VCT level between the two level channels (LT-2550 and LT-1100) and erratic level indication by LT 1100. Due to the erratic behavior of LT-llu0, a temporazj design change was requested to switch the automatic VCT level control function from LT-1100 to LT 2550. During a feasibility review ID17] of the change request, it was recognized that operation with blocked charging pump protection on low VCT level was contrary to the technical specifications (TS).

B-1

5. Licensee's Corrective and Preventive Actions __

LT-1100 has been repaired, calibrated, and returned to service [A41]. Procedures were revised to preclude simubneous disabling both trains of charging pump low volume control tank level protecth.a [ A40). A proposed Technical Specification (TS) change [A47l providing a 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowable out of service time was submitted. Improved operator guidance lA46]*

which will correlate emergency core cooling system (ECCS) components to the associated limiting condition for operation (LCO) and action statements is planned.

6. Renulatory Actions (None identified)

• Some corrective actions identified by licensees were incomplete when the original LER was written and a status update via an LER revision was not submitted. These actions are identified by an asterisk (*). The status of these actions was confirmed with the licensees as complete, except as specifically noted otherwise.

B-2 i

l

1. Event Identification LER No.: 269/91-010, 270/91-010, 287/91-010 Event

Description:

Potential for hydrogen entrainment in HPI pumps Date of Event: Septeniber 19,1991 Plant: Oconee 1, Oconee 2, and Oconee 3

2. Event Summary During an analysis of the letdown storage tank (LDST) high-pressure alarm set point, it was determined that the potential existed for hydrogen entrainment in the high-pressure injection (HPI) pumps during small break loss-of-coolant accident (LOCA) scenarios involving failure of either of the borated water storage tank (BWST) isolation valves to open. LDST hydrogen over pressure is normally :djusted so that the BWST will provide Dow to the i PI pumps during a safety actuation. In this situation, the higher BWST pressure seats the LDST outlet check valve and prevents hydrogen from expanding into the HPl pump suction piping. During review of a 1971 Babcock & Wilcox curve of maximum LDST pressure as a function of inventory, it was determined that the curve was based on an assumption that the LDST would be isolated within 6.5 min for certain scenarios. This action is not specified in the procedures.

In addition, the single valve provided for this purpose is not safety-related nor is it provided with safety related controls or power.

Subsequent analyses by the utility, which considered How related pressure drops, indicated that hydrogen entrainment would only occur if one of the BWST isolation valves failed to open. In this case, the additional pressure drop in the single operating line would allow hydrogen to expand into the HPI pump suction lines and damage the pumps.

The conditional core damage probability estimated for this event is 1.2 E-4.

3. Failure Cause(s)

The 1971 curve was based on calculations that addressed static head differences, but did not consider pressure drops due to now [ Call Calculations performed by the utility after this problem was discovered, which addressed Dow-induced pressure drops, indicated the existing LDST hydrogen pressure curve was adequate for most scenarios without closure of HP-23.

The one exception was a small-break LOCA during which one of the two BWST isolation valves fails to open. In this case, all HPI injection flow would pass through one suction supply line, which would lead to higher pressure losses and lower pressure in the suction supply header, and would result in hydrogen entrainment from the LDST and HPI pump damage.

B-3

4. Method of Discoven During an analysis [D17] of the LDST high pressure alarm set point, it was determined that the potential existed for hydrogen entrainment in the high-pressure injection (HPI) pumps during small-break LOCA scenarios involving failure of either of the BWST isolation valves to open.

5. Licensee's Corrective and Preventive Actions The operating procedure was revised [A40] to incorporate new letdown storage tank pressure and level curves. The emergency procedure was revised [A40) to include requirements for an immediate line up change in the event of a single failure of certain valves during e small break LOCA. Planned action includes development of a more restrictive curve [A42l* so that operator action will not be required.

6. Reculatory Actions (None identified)

B-4 l__-_-______-- - -----

.- i

1. Event Identification LER No: 272/91-030 $

Event

Description:

Both PORVs failed d'ie to leaking actuators Date of Event: September 20,1991 Plant: Salem 1

2. Event Summary The power-operated relief valves (PORVs) at Salem I were inoperable because of leakage

f. m the flange bolting area on the air-operated PORV actuators. It is assumed that both PORVs were inoperable for one half of their surveillance period (81 d).

The conditional probabiiity of core damage estimated for this event is 4.4 E-6.

3. Failure Cause(s)

Investigation of this event's root cause is continuing. The initiating cause of both PORY valves failing to open is equipment failure [CB1]*.

4. Method of Discovery On 9/20/91, a plant shutdown was in progress. The PORVs are used to provide over pressure protection at low reactor coolant system temperatures. In accordance with Surveillance 4.4.9.3.1.1 the PORVs were functionally checked [D15]. Both valves failed to open.

5.

Licensee's Corrective and Preventive Actions _

The diaphragm in each Copes-Vulcan actuator associated with the Unit I pressurizer was replaced [A411. The diaphragm manufacturer was asked to certify a diaphragm material for elevated temperature ser ice. It was determined that the actuator bolt pattern had been changed by the manufacturer and licensee staff is assessing whether current actuators need to be replaced (A39]*.

6. . Regulatory Actions (None identified)

, B-5

l t

1. Event identification LER No.: 278/91 017 Event

Description:

Control wiring for ADS / relief valves found damaged Date of Event: September 24,1991 Plant: Peach Bottom 3

2. Event Summary Improperly installed insulation on the automatic depressurization systeidsafety relief valves (SRVs) rescited in damage to SRV control wiring. This condition existed throughout the refueling cple. The high-pressure coolant injection (HPCI) system was also unavailable for periods of time during that interval. The conditional core damage probability estimated for this event is 3.3 E-4.

3. Failure Cama's)

TS cause of this event has been determined to be that the main steam relief valve (MSRV) insulation was improperly installed. The maintenance procedure ICClj used to remove and reinstall the MSRV thermal insulation did not p: ovide the necessary level of detail to ensure that the insulation was properly installed.

4. Method of Discovery On Lptember 24,1991, at 1300 hours0.015 days <br />0.361 hours <br />0.00215 weeks <br />4.9465e-4 months <br />, during the performance of routine preventive maintenance (D16] on the MSRV solenoid valves (SV) associated with the present Refueling Outage, the MSRV SV wiring insulation was discovered to be degraded. An investigation revealed that the MSRV thermal insulation was improperly installed during the previous Refueling Outage in 1989. This caused an unusually high temperature environment in the immediate vicinity of the SVs and associated wiring. This high temperature condition caused the MSRV SV wiring insulation to degrade. [LER 278/91017]

5. Licensee's Corrective and Preventive Actions The MSRV thermal insulation was removed and reinstalled properly and the solenoid valves were replaced. Administrative procedure A-26, " Plant Work Process," (A48] was revised to include sufficient detail to properly control installation and removal of thermal insulation {see Rev.1 of the LER]. Additional training was given to maintenance personnel [A461 f ree Rev.1 of the LER).

6. Regulatory Actions (None identified)

B-6

1

1. Event Identification LER No: 281/91-017

- Event

Description:

.Both emergency diesel generators for Unit 2 inoperable for 13 h Date of Event: July 15,1991 Plant: Surry 2

2. Event SurntnMY -

Both emergency diesel generators (EDGs) were inadvertently out of service at Surry 2 for 13 -

h.- EDG 3, the dual unit swing diesel, had been unavailable since May 7,1991, because of inadequate post maintenance testing. EDG 2 was removed from service for 13 h on July 15, 1991.

The conditional probability of core damage estimated for this event is 2.9 E-6.

3. Failure Cause(s)

The reason fc- the EDG 3 not reaching its required speed and frequency range was attributed to a cognitive error [CE2l on the part of utility personnel in that an approved work order step

-which specified a fast start test of EW #3 was not performed, A contributing cause was that the post-maintenance testing follower associated with the work package did not specify an i EDG fast start test be performed [CCll. '

4. Method of Discoverv i On August 9,1991, with Unit I and_ Unit 2 at 100 percent power, it was determined that Emergency Diesel Generator (EDG) 3 had been inoperable since May 9,1991. This determination was made while performing a root cause evaluation [D17l of the observed performance of EDG 3 during an August 2,1991, Engineered Safeguards Feature (ESF) actuation on Unit 2.

5. Licensee's Corrective and Preventive Actions EDG 3 was declared inoperable. The governor was adjusted [A41] and two consecutive fast starts (A45] were satisfactory. The governors for EDGs 1 and 2 were adjusted [A411 and two fast starts [A451 for each EDG confirmed speed and frequency were within specification.

6. Regulatory Actions

- (None identified)

B-7

1. Event identification L E R N a.: 223/91-003 Event

Description:

Containment sump isolation valves and containment spray pump deenergized during hot shutdown Date of Event: September 1,1991 Plant: Diablo Canyon 2

2. Event Summary Both Diablo Canyon 2 residual heat removal (RHR) containment sump isolation valves were depowered for 6 h in mode 4 by locally opening the valve breakers. In this mode, power should have been interrupted by opening series contactors in the control room, which would have allowed rapid restoration of power to the valves if their operation was required following a loss-of-coolant accideni (LOCA) The conditional core damage probability estimated for the event is 2.1 E-6.

3, Fa' lure Cause(s)

The root cause for the RHR pump suction valves having been deenergized in Mode 4 was inadequate procedure revision review [CE4]. The root cause for the CS pumps being deenergized in Mode 4 was personnel error, inattention to detail by the licensed operator issuing clearances ICE 3].

4. Method of Discovery While Diablo Canyon 2 was in hot shutdown, a walkdown [D13) of the control room boards revealed that power had been removed from both RHR containment recircuhtion sump suction valves,8982A and B.

The walkdown also revealed that, due to personnel error, the control power to both.

containment spray (CG) pumps had been d energized.

5. Licensee's Corrective and Preventive Actions Corrective actions included revising Operating Procedure L-5 [A40] and reviewing all other "L" series procedures, preparation of an Operations incident Summary, and sending memorandums to appropriate personnel to clarify when clearances will be approved and to emphasize responsibilities for thorough preparation and review of procedure revisions.[A46]

6. Reculatory Actions (None identified)

B-8

. i

1. Event Identification LER No.: 333/91-014 Event

Description:

Hydraulic pressure locking of two low pressure ECCS injection Valves Date of Event: August 5,1991 Plant: FitzPatrick

2. Event Summary Following repairs to an outboard low-pressure coolant injection (LPCI) valve, and with the plant shut down, the inboard injection valve failed to open. This failure was the result of hydraulic locking of the valve bonnet. Both the two LPCI and the two core spray (CS) injection valves were determined to be susceptible to this failure mechanism.

Based on leak rate testing results, two of the four valves could fail to open if the reactor vessel was rapidly depressurized as it would be following a large break loss-of-coolant accident (LOCA). The conditional core damage probability for this event is estimated to be 9.5 E-5.

3. Failure Cause(s)

On August 5,1991 the root cause of the actuator motor failure was determined to be hydraulic locking of the valve bonnet [CEl]. Both LPCI and core spray inboard injection valves were determined to be susceptible to this failure mechanism. All four valves were modified to place a bornet vent to the high pressure side of the valves.

4. Method of Discovery The plant was shut down on May 7,1991, to repair valves in both LPCI injection lines. On July 17,1991, following corrective maintenance (D16] for valve and actuator problems with the outboard LPCI injection valve, a hydrostatic test of the piping between the inboard (MOV-25B) and outboard (MOV 278) LPCI injection valves was performed. The hydrostatic test pressare was ~2100 psig. Upon completion of the test, the piping between valves was depressurized. A fill and vent of the system was initiated in preparation for returning the loop to service in the shutdown cooling (SDC) mode. Approximately 9 to 10 h after the completion of the test, the loop had been filled to the inboard LPCI injection valves. The operators attempted to open the 24 in. flexible wedge gate valve (MOV-25B) from the control room. The actuator remained energized for approximately 30 s aller which the motor actuator circuit breaker tripped.

B-9

0 4

5. Licensee's Corrective and Preventive Actions Short term corrective action: On August 5,1991 the root cause of the actuator motor failure was determined to be hydraulic locking of the valve bonnet. Both LPCI and core spray inboard injection valves were determined to be susceptible to this failure mechanicm. All four valves were modified to place a bonnet vent to the high pressure side of the valves. (A39]

Long tcim corrective actions: 1) Revise the plant hydrostatic test procedures to require post-test venting of the bonnets of any Dex-wedge or double-disc gate valves used as hydrostatic test boundaries [A43]. 2) Engineering will evaluate the future modification of other valves identified as susceptible to pressure locking but do not have to open to perfor.n a safety function [A49]*.

6. Regulatory Action _s An NRC Information Notice was issued on the subject [A18].

B-10

1, . . Event Identification LER No.: -336/91-009 Event

Description:

Both diesel generators unavailable and unit shutdown Date of Event: August 21,1991' Plant: Millstone 2

2. Event Summary

~

Botb emergency diesel generato s (EDGs) were found to exhibit erratic bd control,'a result of either a resistance change in the " droop" potentiometer in the electronic govemor controls or contaminated oil in the hydraulic actuator units. This second cause would result in EDG inoperability under all circumstances; the first caus: would only impact paralleled operation.

' Assuming, for the purposes of this analysis, that the EDGs would be inoperable following a postulated loss of otTsite power (LOOP), a constional core damage probability of 2.1 E-4 is estimated.

3. Failure Cause(s)

The failure of both EDGs was caused by erratic operation of each EDG's Woodward Govenor_ EG-A electronic control unit. Two potential causes were identified. The first involves large resistance changes [CBl] in the EG-A " droop" potentiometer, which can result

.in large load swings while the EDG is running paralleled to the grid. The " droop" potentiometer is not used when the EDG alone is supplying power to the safety-related buses, and its failure would not affect EDG operability during emergency operation. The second potential cause, which would impact EDG operability under all circumstances, involved contaminated hydraulic oil [CC1] in the hydraulic actuator unit--foreign material was found when the unit was disassembled.

4. Method of Discovery On August 21,1991, with the plant at 90% power and EDG 13U out of service for maintenance, redundant EDG 12U was running loaded and paralleled to offsite power to demonstrate operability [D15]. At the end of a 1-h run, the EDG load control became erratic.

EDG 12U output breaker was opened, and the EDG was reparalleled, but erratic speed control caused load swings that prevented reloading.

5. Licensee's Corrective and Preventive Actions The governoi units on each diesel generator were replaced (A40]. The maintenance departmera was directed to modify the maintenance procedure [A431* [not complete as 2/96]

to include flushing the hydraulic operator fluid to preclude oil contamination. Planning was initiated to upgrade the diesel generator controls with a replacement system of a newer design (A39]*.

B 11

6. Regulatory ActigBA (None identified) d B-12

't. Event Identification L E R N o.: 400/91 008.

. Event

Description:

. HPI unavailability for one refueling cycle because ofinoperable miniflow lines Date of Event: April 3,1991 Plant: Harris 1

[

2. Event Summary Harris is equipped with three charging / safety injection pumps (CSIPs) that provide charging and seal How during normal operation and provide high-pressure injection (HPI) during accidents. Each pump is provided with a normal minimum flow path and an alternate minimum flow path for pump protection. During normal operations, the minimum flow path is via the seal water heat exchanger back to the pump suction. During safety injection (SI) operation, this path is isolated, and two attemate paths via relief valves to the reactor water storage tank (RWST) are aligned. Tests conducted during a refueling outage revealed that both relief valves were failed, as well as associated piping. Had HPI been demanded during the operatin; cycle, sufficient flow would have been diverted via the attemate mininow system to fail the injection function. Under some circurastances, pump runout and failure could also have resulted.

The conditional core damage probability estimated for this event is 6.3 E-3.

3. - Failure Causeh)

The cause of this event was water hammer that apparently occurred because of an air void

- that remained in the alternate miniflow lines following previous testing and maintenance (LER 400/91-008]. The causes of air void were a design deficiency [CE1] (i.e., having no provision for venting) and inadequate maintenance procedure (CCll.

4, Method of Discoveiv Tests conducted during a refueling outage revealed that both relief valves were failed, as well as associated piping [D15].

5. Licensee's Corrective and Preventive Actions Supports were added [A39] to the test connection lines to prevent pipe cracking. The relief valve installation instructions were changed to require both filling the pipe prior to relief valve installation and venting the pipe through the relief valve after installation to eliminate the air void [ temporary fix]. Later, plant modifications ( A39] were made in 1992, replacing relief valves with orifices and changing the MOV logics (see the letter to NRC dated November 5,1992).

B-13

6. BSculaton' Actiool

. NRC Information Notice 92 61, Loss of liigh licad Safety injection, issued. [A18l

. Enforcement Conference was conducted on October 14,1992 (see Lette.- to NRC.

November 5.1992). (A19]

4 1

I B 14 E

1. Event identification LER No.: 423/91 011 Event

Description:

Doth trains of IIPSI inoperable due to relief valve failures Date of Event- April 10,1991 Plant: Millstone 3

2. Event Summary During testing of the high pressure safety injection (llPSI) system while in Mode 3, the "A" IIPSI relief valve lifted and would not rescat until the running IIPSI pump was stopped. Flow loss through the stuck open valve was 79 gpm. An investigation determined that the incident occurred because the design relief valve set pressure was too close to system operating pressure. A similar condition existed with the "B" 11 PSI relief valve; however, it was " gay 5d shut" dunng the test to prevent it from lifting, and therefore no failure of the "B" valve was noted. Had both valves lilled during accident conditions, the system would have been unable to perform its safety function.

The conditional core damage probability for this event is conservatively estimated to be 8.1 E-4.

3. Failure Capste The root cause of the event is design deGeiency [CEl]. The setpoint for the relief valves was too close to the operating pressure of the system.

4. Method of Discovery During testing of the high pressure safety injection (llPSI) system lD15l

5. Licensee's Corrective and Preventive Actions A test procedure was written, approved, and performed that utilized the appropriate steps of the surveillance procedure to duplicate the conditions that existed when the relief valve lifted.

Instrumentation was installed on the safety injection system to provide a trace of the actual pressure seen by the relief valve. The testing verined that the pressure in the system exceeded the relief valve setpoint pressure. The test procedure verined that other combinations of valve and pump manipulations did not subject the relief valves to pressures higher than their new lift setpoint [A39] of 2250 psia.

6. Reculatory Actions (None identined)

B 15

1. Event identi[tniip.D LER No.: 440/91 009 Event

Description:

Two EDGs inoperable Date of Event: March 14,1991 Plant: Perry 1

2. Event Summary Perry was operating at 100% power on March 14,1991, when the Division 2 emergency diesel generator (EDG) failed a surveillance test. Subsequently, the Division 1 EDG also failed its surveillance test. It took 11 h and 55 min to restore one EDG to operable status. It was later determined that one EDG had been inoperable for over 28 d, and the other EDG was potentially unavailable for 15 d. The conditional core damage probability estimated for this event (assuming both EDGs were unavailable for 15 d) is 5.3 E 4.

3. Failure Causefs)

The root cause of both events was equipment malfunction. The Division 2 DG field comact or K1 failed to close due to a component failure lCBil, which occurred at completion of the last successful diesel surveillance run during engine shutdown on February 14,1991. The Division 1 DG equipment malfunction was isolatad to the governor control circuit, which was serviced and tested prior to declaring the DG operable.

4. Method of Discovery Perry was operating at 100% power on March 14,1991, when the Division ? emergency diesel generator (EDG) failed a surveillance test. Subsequently, the Division i EDG also failed its surveillance test. [ DIS)

5. Lismsge's Corrective and Preventive Actiont Implemented design changes [A39) to enh nce reliability of the field contact or by monitonng critical component position and addition of an electrical seal in feature. Revised the periodic maintenance instruction (A43) to incorporate specific inspection criteria and service.

6. Reculatory Actions (None identified)

B-16

1. Event identincation LER No.: 445/91 012 I

Event

Description:

Potential charging pump unavailability due to hydrogen void expansion Date of Event: hiarch 26,1991 Plant: Comanche Peak 1

2. Event Summary Two hydrogen gas voids were identified in chemical and volume control system (CVCS) piping. One of the voids, in the boric acid tank (BAT) gravity feed line, was large enough to impact charging pump operation following use of the line or during safety injection (SI) when lower charging pump suction header pressures could result in expansion of the hydrogen void into the suction line. Tne conditional core damage r:obability estimated for 'his even:

is 6.2 E 5.

3. Failure Cause(s)

Evaluation of this event has identified the potential root cause to be hydrogen coming out of solution in the lower pressure CCP suction header and collecting in the vertical piping (CA2],

4. hiethod of Discovery On October 29,1990, Westinghouse sent a letter [D09l to CPSES regarding the fonnation and venting of hydrogen in the Chemical and Volume Control System (CVCS) (Ells:(CB)) in response to Nuclear Regulatory Commission (NRC) Information Notice (IN) 90 64, " Potential for Common hiode Failure of High Pressure Safety injection Pumps or Release of Reactor Coolant Outside Containment During a Loss of Coolant Accident."[D081 In this letter Westinghouse, identified locations in the CVCS suction piping where gases would tend to accumulate. Westinghouse recommended ultrasonic examination to monitor the rate at which gas accumulates in these locations.

Ultrasonic examination of the Chemical and Volume Control System (CVCS) suction piping was perform:d on h1 arch 4, through hiarch 15,1991, These examinations revealed voids in the alternate boration line and the gruity teed line from the Boric Acid Storage Tank (BAT).

5. Licensee's Corrective and Preventive Actions The gravity feedline from the boric acid tank was immediately vented. The feedline wili b monitored for hydrogen accumulation and based on the data, venting requirements will be established l A40)*.

B-17

l l

. i l

6. Ergplatory. Actions (None identified) s B 18

. s APPENDIX C Description of 1992 Events

1. Event identification LER Number: 26"02 013,261/92-014, and 201/92 018 Event

Description:

sfen h#ction Pump Out of Service Date of Event: Je 54; 1992, through August 22,1992 Plant: H. B. Rvo;ason, Unit 2

2. Event Summary Both safety injection (SI) pumps were out of ser vicc for 1.5 h on July 10,1992, while H. 3.

Robinson was at 100% power. The "B" Si pump was rendered inoperable because plastic shecting material obstructed the pump's recirculation line. The plastic material was believed to have been used during a design modification during the refueling outage that ended on June 18,1992. The "A" pump was out of service for 1.5 h on July 10,1992, because of a blown control power fuse in the pump's breaker closing circuit. On August 22,1992, with the plant operating at 100% power, the plant experienced a :ot91 loss of offsite power (LOOP) (See LER 261/92 017). Following the LOOP, on August 1.i 1992, the "B" SI pump recirculation line was again found to be obstructed with the plastic snecting material from the outage modincation.

The conditional core damage probability for the 1.5 h that both Si pumps were inoperable (LERs 261/92-013 and -014) is 6.2 x E 8. This is below the precursor cutoff value of E-6.

Therefore, this event is not a precursor but is included here since this is when the extended inoperability of the "B" Si pump began. The conditional core damage probability for the time period when the "B" SI pump was inoperable (LERs 261/92 013 and 018) is 3.5 E-5.

3. Failure Cause(s)

C The cause of this event is attributed to personnel error. Event investigation identified the cause of the "B" Safety injectian pump's reduced recirculation flow to be foreign material blockage [CCS] within the associated minimum flow recirculation check valve and flow orifice. This foreign material was subsequently identified as a plastic sheet material fabricated for use as purge dam material for welding operations associated with a recent modification to the RHR minimum flow recirculation system.

4. Method of Discovery On July 8,1992, at 2307 hours0.0267 days <br />0.641 hours <br />0.00381 weeks <br />8.778135e-4 months <br />, H. B. Robinson Unit No. 2 entered a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Limiting Condition for Operation (LCO) due to inadequate recirculation flow lD181 for "B" Safety injection Pump.

C-1

e .

5. Licensee's Corrective and Preventive Actions.

l The debris was removed via extensive system Dushing [A44). The safety injection system t

was then operated at design basis flow rates with no blockage occurring lA45). Subsequent testing under minimum Dow conditions did not cause blockage lA45). l

6. Renulatory Actions

• NRC Informatio1 Notice 92 85, Potential Failures of Emergency Core Cooling Systems Caused Ly Foreign Material Blockage, was issued. [AIS) k i

\

l l

C2 V

--,-m'm._,__,._~......_g. ,,,,,,..,....,.,,y__ .. __, _ , ,,,., , , , , . , ,, ,, . , , , . .,

. i f

1, liyent identification LER Number: 269/92 008, 9/92 008, 9/92-008 Event

Description:

Both Keowee Emergency Power flydro Units Unavailable Date of Event: July 16,1992 Plant: Oconee 1,2, and 3

2. Event Summary With all three Oconee units at 100% power and emergency power source Keowee 1 unavailable because of maintenance, a failed fuse was discovered in the control power circuit for an auxiliary power breaker on Keowee 2. This rendered Keowee 2 also unavailable. Both emergency power sources were unavailable for 34 h. The conditional core damage probability estimated for this event is 2.8 E 6.

3. Failure Cause(s)

The root cause of Keowce Unit 2's inoperability is Equipment failure lCHil. With the failure of the "lB" positive 10 amp ( OTIO ) fuse feeding ACB-8, one source of power available to the 2X Switchgear was lost, thus, rendering the CX Transformer and Keowee Unit 2 technically inoperable. It is not known exactly when the fuse blew, but it is assumed that on June 7,1992, at approximately 1400 hours0.0162 days <br />0.389 hours <br />0.00231 weeks <br />5.327e-4 months <br />, the "lB" p L'ive close fuse failed during the closure test performed on ACB 8 and the failure went unobserved until approximately 1200 hours0.0139 days <br />0.333 hours <br />0.00198 weeks <br />4.566e-4 months <br /> on July 16, 1992.

4 Method of Discovery On July 17,1992, at 1330 hours0.0154 days <br />0.369 hours <br />0.0022 weeks <br />5.06065e-4 months <br />, all three Oconee units were at 100% Full Power. With Keowee Unit 1 out of service for planned maintenance, it was discovered (as a result of an investigation lD17] for the cause of dim green and red indicating lights for the breaker position observed during an inspection of plant equipment) that the closing circuit fuse in ACB 8 breaker was blown causing an inoperability of Keowee Unit 2. With these conditions both onsite emergency power sources were technically inoperable.

C-3 1

5. Licensee's Corrective and Preventive Actions The Keowee Breaker Status checklist was revised (A40] to include additional breaker and indicator statte fr.t each breaker. The checklist also contains directions on what to look for and who to call for guidance on other than normal conditions, Planned actions include developing a rounds and turnover procedure (A40l* to enhance monitoring Keowee Hydro equipment. Keowee personnel will receive training (A46) about the procedures, checklist, and Technical Specification time limit requirements.

6. Reculatory Actigns (None identified)

• Some corrective actions identified by licensees were incomplete when the original LER was written and s status update via an LER revision was not submitted. These actions are identified by an asterisk (*). The status of these actions was confirmed with the licensees as complete, except as specifically noted otherwise.

C-4

o *

1. Event identification LER Number: 269/92 018, 270/92 018, 287/92 018 Event

Description:

Both Keowee Emergency Power liydro Units Potentially Unavailable Date of Event: December 2,1992 Plant: Oconee 1,2, and 3

2. Event Summary With all three Oconee units at 100% power, both emergency power sources, Keowee Hydro Units 1 and 2 (Keowee I and 2), were determined to be inoperable. A modification to the antipump relays in the Westinghouse (type DB) b:eakers at Keowee did not consider the reduced control circuit de voltage which would exist following a loss of offshe power (LOOP), when the battery chargers are not supplying the de buses. During emergency stait testing 6 d after completion of the modification (which simulated a LOOP) and in subsequent testing, certain Keowee breakers did not close when required. Both Keowee units were potentially unavailable for 15 d. The cond;tional core damage probability estimated for this event is 3.2 E 5. This estimate is a bounding estimate that assumes all impacted breakers fail following an actual LOOP and may be conservative for the observed event.

3. Failure Cause(s)

A design deficiency [ Cell in the anti pump relay scheme on DB 50 breakers associated with Keowee Hydro (KH) Units 1 and 2 Supply and Field Breakers resulted in both Kil Units being inoperable.

4. Method of Discovery During emergency start testing lD15] 6 d aller completion of the modification (which simulated a LOOP) and in subsequent testing [D15], certain Keowee breakers did not close when required. Both Keowee units were potentially unavailable for 15 d.

5. Licensee's Corrective and Preventive Actions Westinghouse DB type breakers at Keowee were modified [ A391 to remain energized for a longer time to ensure the breaker will close when the DC system voltage is degraded.

6. Reculatory Actions (None identified)

C-5 1

I

1. Event identification LER Number: 286/92-011 Event

Description:

Multiple EDGs Inoperable Date of Event: July 6,1992 Plant: Indian Point 3

2. Event Summary During survei!!ance testing of 480 V engineered safety feature (ESP) bus SA, it was discovered that a wire was not connected cerrectly in the relay circuits required to auto start emergency diesel generator (EDG) 33. During the time that EDG 33 was not available to perfonn its safety function, the other two EDGs were inoperable at various times. Two EDGs were simultaneously unavailable for a total of 3.5 d, reducing onsite ac power supplies below the minimum assumed in the Final Safety Analysis Report (FSAR). Even though this event occurred while the unit was shut down, other similar modifications and tests have been conducted while Indian Point was at power (e.g., see LER 286/90-005, p. B 184, Vol.14 of NUREG/CR-4674) that have resulted in more than one EDG being inoperable at the same time. Therefore, with no written policy indicating otherwise, it is credible that an EDG could be discovered inoperable during power operations coincident with the removal of another EDG from service for maintenance testing, or modifications. Consistent with the ASP methodology, this event was therefore modeled as if it occurred at power. The conditional core damage probability estimated for this event is 1.2 E 6.

3. Failure Cause(s)

The most probable cause of the event was the electrical connection at a compression type termination becoming loose due to thermal changes and vibration (CA21. A possible contributing cause was the wire being inadvertently jarre:1 by contractor electricians working in the area [CE2).

4. Method of Discoserv During surveillance testing lD15l of 480 V engineered safety feature (ESP) bus SA, it was discovered that a wire was not connected correctly in the relay circuits required to auto-start emergency diesel generator (EDG) 33. During the time that EDG 33 was not available to perform its safety function, the other two EDGs were inoperable at various times. Two EDGs were simultaneously unavailable for a total of 3.5 d, reducing onsite ac power supplies below the minimum assumed in the Final Safety Analysis Report (FSAR).

5. Licensee's Conective and Preventive Actions Direction and guidance l A46)* (currently scheduled to be implemented during the 1997 refueling outage) for periodically checking the tightness of compressinn+,p, damp-dcwn C-6

termination fittings will be developed. An administrative procedure (A48] was developed to control vendor activities at the site. The directive lA48] controlling preparation of work packages was revised to assure that all work packages prepared for contractor craftsmen use will include a precaution and limitation statement. This will alert craftsmen to review the wor'. area before starting work, use caution around safety related equipment, and report unintentional interactions with adjacent equipment to their supervisor.

6. Reculatory Actions (None identified)

C-7 t

I

1. Event identification LER Number: 301/92 003 Event

Description:

Plugged Safety injection Pump Suction Date of Event: September 18,1992 Plant: Point Beach 2

2. Event Summary Point Beach 2 was at 100% power on September 18,1992 while performing the A train containment spray (CS) pump quaderly test. When the pump failed to pass the test, it wa:

disassembled. A foam rubber plug, which had been installed in the RHR system 10 months earlier, was found in the suction line of the CS pump. This plug rendered the A train Si and RilR pumps inoperable for the 10 months it was installed. The conditional probability of subsequent core damage estimeted for this event is 9.9 E 6.

3. Eniture Causem The spray pump impeller suction was blocked by a foam rubber plug [CCS). The origin of the plug could not be conclusisely identified by the incident investigation team formed to investigate and recommend corrective actions following this event. Ilowever, the investigation team determined that the plug was most likely installed in a portion of the piping between the Unit 2 RilR Pump P 10A discharge and the Containment Spray Pump P 14A and Safety injection Pump P 15 A suctions as a temporary cleanliness barrier during system modifications performed during the Unit 2 Fall 1991 refueling outage, and subsequently not removed. This modification installed test lines allowing full flow testing of the RliR pumps. We committed to install this modification in response to potential concems with operating pumps at less than manufacturer's recommended minimum nows identified in NRC Bulletin 88 04, "Pe*:ntial Safety Related Pump Loss."

4. Method of Discovery Point Beach 2 was at 100% power on September 18,1992 while performing the A train containment spray (CS) pump quarterly test [D15).

5. Licensee's Corrective and Preventive Actions Full Dow tests (A45), subsequent to removal of a foam rubber plug [A44), demonstrated the containment spray pump was operable. Other tests veri 0ed operability of the RHR system and safety injection system. During a subsequent refueling outage, boroscopic examinations and radiography [A45] were conducted on potentially affected piping to determine whether foreign material was present. Management emphasized the importance of foreign material controls and cleanliness concerns to supervisors, engineers, QA personnel, and maintenance planners [ A46).

C-8

y i e i mimmi i

6. Regulatory Actions (None identified)

I C-9

1. Event identineation LER Number: 328/92 010 Event

Description:

Emergency Diesel Generator and Residual lleat Removal Pump inoperable Date of Event: July 17,1992 Plant: Sequoyah Nuclear Plant, Unit 2

2. Event Summary During performance of a surveillance procedure on the 2B B Residual lleat Removal (RilR) pump, it was found that 4.e mininow control valve continuously cycled open and closed when it should have remained opened. While the 28 B R11R pump was inoperable, the 2A A emergency diesel generator (EDG) was inoperable for 17 h and the 2A A centrifugal charging pump was inoperable for 6 h. The conditional core damage probability estimated for this event is 1.9 E 6.

3. Failure Cause(s)

An investigation determined the problem to be an incorrectly terminated wire on the now switch [CE2l. The wire was correctly terminated and the now switch was functionally tested and returned to service. LCOs 3.5.2 and 3.6.2.1 were exited at 2249 EDT on July 17, 1992.

A subsequent investigation into the event identified the root cause of the mislaid wire as being inattention to detail with an inadequate second party verincation. Maintenance personnel have been briefed on specinc problems identined in this event. A less than adequate post maintenance test (PMT) also contributed to the event (CCll. On July 28,1992, during the review [D17] of the event by the Plant Event Review Panel (PERP), it was discovered that a potential issue existed involving the RilR systems being outside of design basis of the plant.

4. Method of Discovery During performance of a surveillance procedure ID15] on the 2B B Residual licat Removal (RHR) pump, it was found that the mininow control valve continuously cycled open and closed when it should have remained opened. See section 2. above for additional discovery method: lD171

5. 1.icensees Corrective and Preventive Actions The instrument preventive maintenance data packages for the RiiR mininow switches were revised [A43] to req . ire independeat verification for wire connections and jumpers.

Maintenance craftsmen, planners, and procedure writers were briefed [ A46] on the need to conduct an adequate post maintenance test or specify independent veri 6 cation in lieu of such test.

C-10

4 8

l 6. Regulatory Actions (None identified) 1 C-11

1, Event identification LER Number: 483/92 011 Event

Description:

Loss of Main Control Board Annuncia' s Date of Event: October 17,1992 Plant: Callaway

2. Event Sunimary Callaway was at 100% power an October 17,1992. At 0100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br /> a ieplacement power supply for the annunciator system was being placed into sen' ice. Failure of this power supply had caused 198.nain control board (MCB) annunciator windows to fail and caused 76 to light. During this replacement process, a short circuit caused logic power supply fuses to blow, lighting 371 of 683 MCB annunciator windo > and thus causing the .muncist system to fail. Blown fuses in the four ficld contact power supplies were found and replaced about I h later. The operators assumed that this fuse replacement would return the annunciator system to normal operation, although anomalous behavior was still being observed. Actually, 164 annunciator windows remained inoperable. The remaining failed fuses were found and replaced, and the annunciator system was tested and con 6nned operable at 1937 hours0.0224 days <br />0.538 hours <br />0.0032 weeks <br />7.370285e-4 months <br />. 'Ihe conditional core damage probability estimated for this event is 1.3 E 5. This estimate may be conservative; the analysis was performed using screening human error probabilities HIEPs) and with limited information concerning the activities that were in progress at the time of the event.

3. Failure Cause(s)

The cause of the initial failure of the power supply was a short in the power transformer internal to the field power supply [CBil. During restoration following replacement of this power supply, a short occurred while removing jumpers (CE21, causing the fuses to blow.

4. Method of Discovery Callaway was at 100% power on October 17,1992. At 0100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br /> a replacement power supply for the annunciator system was being placed into service. Failure of this power supply had caused 198 main control board (MCB) annunciator windows to fail and caused 76 to light. During this replacement process, a short circuit caused logic power supply fuses to blow, lighting 371 of 683 MCB annunciator windows and thus causing the annunciator system to fail. [D16]

5. Licensee's Corrective and Preventive Actions The Operations Department procedures were changed (A40] to include detailed actions to be taken in case of annunciator failures. A possible modification [A39]* will be evaluated concerning improved RK system field power supply reliability, DC power redundancy, and C 12 s

1 power supply failure detection capability for operating crews. Power supply replacement practices were revised [A43] to include guidance for retesting RK system power supplies, requirements for direct Geld supervision, requirements for pre-job brienngs, and requirements to document work completion.

6. Renulatory Actions An NRC Augmented Team inspection (AIT) was conducted on this event (see AIT Report 50 483/92 018 for details).[A16)

NRC Information Notice 93 47, Unrecognized Loss of Control Room Annunciators, issued. lA18]

An NRC Enforcement Conference was condacted in November 1992. [ A19]

C-13

u.a ck.M+e -.A 2MMSh6+A-4M . Ad -'l ' --

di b-A .':'-'-'" MmMm A M A +2 "'

maAA m wh.al._"- , Ad d a A. el4.s= J2 4 ews. E dem MJmAM .M _4.1#AM e Ad M4_

4 1

l l

~l l

1

.b A

b t

i l

i a

7 f

P

'o ir b

I I

i 5

4 6

?

t k

S t

Y r

i 1

B f

l-I l

I.

f .

APPENDIX D Description of 1993 Events

1. Event identification LER Nos.: 213/93 006 and 007 AIT No.: 213/93-80, Event

Description:

Degradation of hiotor Control Pressurizer Power-Operated Relief Valve, and Emergency Diesel Gen rators Date of Event: June 27,1993 Plant: lladdarn Neck

2. Event Summary in part as a result of the lladdam Neck Individual Plant Examination (IPE), a decision was made by the licensee to pcrform an integrated test of the automatic bus traufer (AUT) scheme for motor control center (51CC) h1CC-5. Such a test had never been performed, although some of the individual components had been tested. Several important systems are directly dependent on hiCC 5 for their operation, including both trains of high and low pressure safety injection (liPSI and LPSI) and both normally closed pressurim power operated relief valve (PORV) block valves. On June 27,1993, the first test of the ABT scheme for hiCC 5 was unsuccessful. NiCC-5 was without power until an operator took local action to close a breaker. On hiay 25,1993, one of the pressurizer PORVs was found to have an air leak that would drain the air receiver if feed-and bleed were initiated. Also on hiay 25,1993, the licensee was performing a 24 h endurance run of the A- emergency diesel generator (EDG). After 22 h the EDG exhibited abnormal kilowatt, kilovar and ampere indications that led to the termination of the test. Components in the exciter centrol cabinet had failed due to everheating. The exciter control cabinet for the B EDG was also susceptible to this failure mode. The conditional core damage probability of this combined event is 6 5 E 5.

3. Failure Cause(s)

The root cause of this event was lack of adequate cooling [CEl] inside the excitation cabinet, roulting in the failure of the selenium rectifiers which ii,itially led to an abnormal field voltage condition and ultimately a loss of generator field. The failure mechanism is postulated to be the result of the combination of excessive heat generated due to the high electrical loading of the machine along with dust accumulation and loss of forced ventilation in addition to the age of the devices, it is uncertain whether both rectifiets failed togetb. or one failed and overstressed the other until it failed as well.

D1

4. higihod of Discovery la part as a result of the 11addam Neck Individual Plant Examination (IPE) [], a decision was made by the licensee to perfonn an integrated test of the automatic bus transfer (ABT) scheme for motor control center (htCC) MCC 5. Such a test had never been perfonned, although some of the individual components had been tested. Several important systems are directly dependent on MCC-5 for their operation, including both trains of high and low pressure safety injection (llPSI and LPSI) and both normally closed pressurizer power operated relief valve (PORV) block valves. On June 27,1993, the first test [ DIS) of the ABT scheme for MCC 5 was unsuccessful.

5. Licensee's Corrective and Preventive Actions Several design changes (A39] that reduce dependence of the specific MCC were implemented.

This included using another MCC as the power source for one residual heat removas charging pump suction valve, the main lube oil pump for charging pump A, and one PORV block valve. One PORY power source was changed from a semi vital panel to a vital panel.

6. Betulatory Action _t

. An NRC Augmented Nspection Team (AIT) investigated the event (see inspection report 50-213/93 80 for details).[A16)

. NRC Information Notice,93 81, Revision 1, Problems with C Relays in DB and DilP- Type Circuit Breakers Manufactured by Westinghouse, issued (see 1993 AEOD Annual Report, page 68). l A18l D-2

1. Event identincation LER Not: 265/93-010 Event

Description:

Emergency Power System Unavailable Date of Event: April 22,1993 Plant: Quad Cities 2

2. Event Summan>

During a surveillance test on April 22,1993, the Quad Cities swing diesel generator cooling water pump (DGCWP) breaker locked up on antipump protection. The licensee determined that the potential for lock up existed since the initial plant start up if the pump power source was aligned to Unit 2. A 1992 modification ensured that the cooling water pump would be powered from Unit 2 if a less-of offsite power (LOOP) occurred on that unit Unavailabilii, of cooling water for - 5 to 10 min is sufDeient to damage the DG.

About I month earlier, inadequate bearing oil level had been found in the Unit 2 dedicated diesel cooling water pump, the result of an incorrectly reassembled oiler. The pump would have been expected to fail ifit had been required to run for more than a short period of time.

The Unit 2 emergency power system was vulnerable to failure for a 7 month period beginning in August 1992.

The conditional core damage probability estimated for the event is 6.0 E 5.

3. Failure Cause(s)

The root cause for the 1/2 DGCWP not starting is a design deficiency [ Cell in the Bus 28 breaker close logic that has existed since the plant vas originally designed. This design deficiency would prevent the 112 DGCWP from auto-starting ifit was running on Bus 28, received a Bus 28 undervoltage trip and subsequently power was restored to Bus 28.

The problem was introduced into the Bus 18 pump control logic during the mstallation of modification M04-1/2 83 014 in 1985. T1.;s modification added the 1/2 DGCWP Feu t'ower Selector Switch to address Appendix R concems.Hewever, the probiva (c.;y existt for tha Dus 18 feed if the selector switch is placed in the Bus 18 position. The dus 18 posinou of the switch is not the normal lineup for the 1/2 DGCWP.

4. Method of Discovery During a surveillance test [ DIS) on April 22,1993, the Quad Cities swing diesel generator cooling water pump (DGCWP) breaker locked up on antipump protection.

D3 '

5. Licensee's Corrective and Preventive Actions Designed and installed modifications to the undervoltage contacts in the trip logic and close circuit lA391. Procedures were changed and drawing deficiencies were corrected. (A training session was held to assure mechanics understood assembly procedures for the DG cooling water pump.) [A46]

6. Reculatory Actions (None identified)

D-4

1. Event identification L E R N o.: 289/93 002 Event

Description:

Both Residual ifeat Rernoval Heat Exchangers Unavailable Date of Event: January 29,1993 Plant: Three Mile Island 1

2. Event Summary Three Mile Island 1 (TMI 1) was operating at 100% power on January 29,1993, when an operator aligned river water system valves to eypass both decay heat service (DilS) coolers.

The coolers remained unavailable for about 3 h. With the DHS coolers unavailable, it would not have been possible to remove heat from several safety related systems had they been demanded. The conditional core damage probability estimated for this event is 3.1 E-6,

3. Failure Cause(s)

The root cause of this event was personnel error lCE3]. The auxiliary operator (AO) bypassed both coolers at the same time in violation of established operator work practices.

The AO failed to operate the equipment in accordance with Adn'inistrative Procedure (AP) 1029, " Conduct of Operations," which would have required authorization from the Shift Supervisor, Shift Foreman, or CRO prior to manipulating the valves. Additionally, operation of both trains of ESAS components was in violation of operator work practices. Further evaluation will determine to what extent communications, work preparation, and work control by the shift personnel contributed to this event.

To a lesser extent, clarity of the procedural guidance also contributed (CE4]. The instructions in OPS S227 did not provide guidance for determining if a thermal transient would occur, did not specify that only one cooler at a time should be bypassed and that bypassing a cooler rendered the train out of service and started a TS time clock. However, the instructions in OPS S227 that contributed to this event could have been climinated entirely since they are not applicable to an operating station. If the guidance had been contained in the appropriate Operating Procedure, exposure to the biennial review process could have resulted in either enhanced presentation to clarify the use of this option or removed it entirely.

( 4. Method of Discovery During the performance of OPS S227 on January 29,1993, the non licensed AO failed to follow established operator work practices and bypassed both DC C 2A and DC C 2B simultaneously at about 0100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br />. The DR System was not required to be in operation, so neither DR Pump was operating.

D5 J

Control Room personnel were unaware that both coolers were bypassed until about 0330 hours0.00382 days <br />0.0917 hours <br />5.456349e-4 weeks <br />1.25565e-4 months <br /> when a licensed Control Room Operator (CRO) discovered this condition while attempting to determine the status of preparations for performing OPS S227 (D19). j

5. Licensee's Corrective and Preventive Actions ,

Operations surveillance procedures will be revised lA40]* to ensure that detailed procedural '

l guidpnce for evolutions that can potentially affect safe plant operation are placed in approved Opdating Procedures. Each operating crew will review [A46]* the event to ensure they understand the errors that were committed and how similar errors can oc avoided. A '

comprehensive human performance review will include assessing the role of supervision, communications, and improvements in work practices and controls.

6. Regulatory Actions  ;

(None identined) i F

i l

l

• - Some corrective actions identified by licensees were incomplete when the original LER-was written and a status update via an LER revision was not submitted. These actions are identi0ed by an asterisk (*). The status of these actions was conGrmed with the licensees as complete, except as speci0cally noted otherwise.

l D-6 w ,, a.,, , , - , . . - ,.,~. ,.. + - , . , , . , - , , . , - . . - - ,,..,-----,---~n-, ,-nm,.,.w.,, ,. , - . . ., --r,-

1, Event identification L E R N o.: 313/93-003 Event

Description:

Both Trains of Recirculation Inoperable for 14 h Date of Event: September 30,1993 Plant: Arkansas Nuclear One, Unit 1

2. Event Summan-On September 30.1993, an engineering evaluation was completed at Arkansas Nuclear One, Unit 1, which indicated that the B decay heat removal / low pressure injection (DilR/LPI) pump might have been incapable of performing its recirculation mode function following a loss-of coolani accident (LOCA). This condition existed from May 24,1993, wnile that ple t was at power, until the plant shutdown on September 9,1993. In addition, the A DilR/LPI pump was also inoperable for 14 h during this time period for routine maintenance and surveillance. The estimated conditional core damage probability for this event is 5.1 E 5.

3. Failure Cause(s)

In order to prevent thrust loading of the motor bearing, it is necessary to couple the motor to the pump with the motor in its magnetic center. Magnetic center is the position the motor would naturally seek if running uncoupled. The best way to determine magnetic center is to run the motor uncoupled. The plant procedure governing maintenance lCCll of P 34B instructs the craft to " scribe the motor shaft to mark magnetic center" prior to disassembly.

At this point, the pump and motor are still coupled, bu. n running, and there is no guarantee that the motor is actually at its magnetic center. The assembly portion of the procedure directs the craft to set the motor shaft to magnetic center before coupling. The procedure did not provide the necessary guidance for accurately determining the motor's magnetic center.

Therefore, the root cause of this condition was inadequate procedural guidance [CC1].

4. Method of Discovery On September 30,1993, an engineering evaluation (of an operational problem] [D17) was completed at Arkansas Nuclear One, Unit 1, which indicated that the B decay heat removal / low-pressure injection (DHR/LPI) pump might have been incapable of performing its recirculation mode function following a loss-of coolant accident (LOCA).

5. Licensee's Corrective and Preventive Actions The maintenance procedure (A43] was revised to incorporate guidance on how to correctly identify the motor magnetic center and couple the pump to the motor.

D-7 I

6. Regulatory Actions (None identified) 6 i

D8 .

.1t-- - -- - c._ - _ -

1. Event identification LER No.: 412/93 012 Event

Description:

Failure of Both Emergency Diesel Generator Load Sequencers Date of Event: November 4-6,1993 Plant: Beaver Valley 2

2. Event Surnmary On November 4,1993, the automatic loading capability of the 21 emergency diesel generator (EDG) on a safety injection (SI) signal failed during a test. Two days later, on November 6, 1993, the automatic loading capability of the 2 2 EDG on an Si signal also failed during a test. This failure would only occur when an Si signal was present coincident with a loss of the normal power supply to the engineered safety features (ESF) bus. The failure mechanisi..

had existed since November 1990. Operator actions would have been necessary to allow manual loading of equipment on the ESF buses. The conditional core damage probability estimated for this event is 2.1 E 6.

3. Failure cause(s)

The cause of the test failures wat the misoperation of a digital (microprocessor based) solid state timer associated with the Load Sequencer circuitry. An inductive voltage surge l Cell was produced by the de-energization of auxiliary relays within the Load Sequencer circuit during the SIS reset of sequencer operation. This caused the timer to misoperate resulting in tha failure of the sequencer [ chi].

4. Method of Discovery On November 4,1993, the automatic leading capability of the 21 emergency diesel generator (EDG) on a safety injection (SI) signal iailed dming a test [D15l. Two days later, on November 6,1993, the automatic loading capability of the 2-2 EDG on an Si signal also i failed durhg a test (DIS).

5. Licensee's Corrective and Preven.tive_ Actions Voltage suppression diodes were added [A39] to the auxiliary relays for protection from voltage surges. The motor driven auxiliary feedwater pump was modified [A39] to ensure correct operation during emergency DG sequencer operation. Engineering requirements guidelines (A49l* [this action still remain open) will be developed for the use of digital solid state components as replacements for electro mechanical or non sohd state components.

D-9

6. Bfgulatory Actions

. An NRC Augmented Team Inspection was conducted on this event (see AIT Report 50-412/93 81 for details).[A16]

. NRC Information Notice 94 20, Common-Cause Failure Due to Inadequate Design Control and Dedication, was issued. l A118]

- NRC Enforcement Actions, including Notice of Violation and Civil Penalty, were taken. [A19]

D-10 l

. i i

1. Event identificatio.J1 LER No.: 413/93 002, 414/93-002 >

Event

Description:

Essential Service Water Potentially Unavailable Date of Event: February 25,1993 Plant: Catawba 1 and 2

2. Event Summary On February 25,1993, with Catawba Unit I at 100% power and Catawba Unit 2 in a refueling shutdown, three of four essential service water (ESW) pump discharge valves failed to open during urveillance testing. Four ESW pumps serve both units. During normal operation, only one pump is used, if the pump with tbc operable valve tripped it would result in the loss of ESW to both units. The conditional core damage probability estimated for thL event is 1.5 E-4.

3. Failure Cause(s)

Failure of the RN pump discharge valves to open has been attributed to a lack of detailed information in the motor operated valve (MOV) torque switch srDo procedure, sizing variables that are possibly inadequate for these specific applications [ Call, {CA2l and'or a potentially degraded valve subcomponent [CBil.

4. Method of Discovery On February 25,1993, with Catawba Unit I at 100% power and Catawba Unit 2 in a refueling shutdown, three of four essential service water (ESW) pump discharge valves failed to open during surveillance testing [ DIS).

5. Licensee's Corrective and Preventive Actions The discharge butterfly valves which failed t3 open were adjusted to 20 degrees open and the torque switch was adjusted to provide maximum opening torque [A391. Planned actions include continued analysis of test data otamed with use of diagnostic equipment and additional tests to identify causes of higher than expected loads { A341*.

6. Reculatory Actions (None identified)

D-ll

e .

1. Event Identification LER Nos.: 498/93-005 Event

Description:

Unavailability of One Emergency Diesel Generator and the Turbine-Driven Auxiliary Feedy ater Pump Date of Event: December 29,1992, through Ja' uary 22,1993 Plant: South Texas Project, Unit 1

2. Event Summary For a period of ~ 25 d, South Texas Project (STP) Unit 1 operated with one emergency diesel generator (EDG) and the turbine-driven auxiliary feedwater (TDAFW) pump inoperable. The EDG was rendered inoperable because of binding of the fuel metering rods. The TDAFW pump was inoperable because of water intrusion into the turbine, which would have prevented the automatic start of the TDAFW pump. During this same period, a second EDG was removed from service for maintenance for a period of 61 h. The conditional core damage probability for this event is 1.2 E-5.

3. Failure Cause(s)

The primary cause of this event was the lack of proper work process control [CCll.

Contributing causes were inadequate implementation of lessons learned from industry operating experience [CC2] and inadequate verbal communications (CE5] which led to a lack of clearly defmed responsibility for ensuring paint was not applied inappropriately.

4. Method of Discovery On January 20,1993, Unit I was in Mode 1 at 95% power. Standby Diesel Generator 13 failed to start during a monthly surveillance [ DIS), due to paint which had been applied to the fuel injection pumps. The paint ran into the fuel metering rod ports and caused binding of the fuel metering rods.

5. Licensee's Corrective and Preventive Actions The fuel metering rods were cleaned and lubricated (A411. Efforts that have been or will be taken include revising work process control documents to include specific guidance on painting activities and pre-job briefings [A431*, enhancing the Operating Experience Review program (A46]*, performing a case study of the event for training purposes [A46)*, and including the event in the Licensed Operators Requalification Program ( A46]*.

6. Reeulatory Actions

. An NRC Augmented Inspection Team (AIT) investigated the TDAFW pump event (see combined inspection report 50-498/93 07 and 50-498/93-07 for details).l A16]

D-12 l

, e a

NRC Information Notice 93-51, Repetitive Overspeed Tripping of Turbine-Driven Auxiliary Feed Water Pumps, was issued. [A18]

4 D-13

4 4 0 APPENDIX E Codes Used for Categorization of Events Codes for Failure Cause and Type (Based on Cause)

Codes for items in groups a), b), c), and d) of part A) of the enclosure to the AEN/NEA Letter dated December 4,1995 and others not specifically listed (group e):

Causes in Group a):

(cal] Inadequacies in design basis studies (CA2] Conditions not previously considered in desip basis reviews Causes in Group b):

[CBl] Component failure (CB2] Deficiencies in environmental qualification (CB3] Deficiencies in fabrication and installation

[CB3] Unforeseen interaction between systems (CB4] Aging Causes in Group c):

[CCl) Inadequate testing or maintenance procedures (CC2] Ineffective operating experience feedback

_ (CC3] Inadequate implementation of modifications (CC4] Improper review or implementation of vendor recommendations (CC5]= Foreign bodies left in piping Causes in Group d):

[CD0] Combination of different failures Causes in Group e (Others):

[CEl]' Design deficiency

[CE2] Maintenance error

-[CE3] Operator error (CE4] Deficiencies in operating procedure

[CE5] Deficiencies in communication E-1

j . - .

Codes for Discovery methods Codes for items under "Mean or method of discovery" section of part A) of the enclosure to the AEN/NEA Letter da:ed December 4,1995 and other categories not specifically listed in that section:

[D01] Design review

[D02] Safety Assessment

[D03] Periodical Safety Reassessment (PSR)

[D04] Probabilistic Risk Assessment (PRA)

[D05] Individual Plant Examination (IPE)

[D06] Fortuitous (i.e., by chance)

[D07] National or international operating experience feedback

[D08] Response to NRC Information Notice (IN), Generic Letter (GL) and Bulletins (BL)

[D09] Response to NSSS Vendor's information notices

[D10] Functional inspections

[Dll] Augmented Team inspections (AITs) subsequent to significant events

[D12] Inservice inspections

[D13] Walkdowns

[D14] Questioning attitude Other Categories:

[D15] Testing

[D16] Preventive / Corrective maintenance

[D17] Analysis / evaluation of operational problems

[D18] Operational problems (plant startup, normal operation, or shutdown)

[D19] System line-up verification Code for Corrective and Preventive Actions Codes fcr items under categories 1),2), and 3) in part B) of the enclosure to the AEN/NEA Letter dated December 4,1995 and other iams not specifically listed in that part:

Reculatory Actions (Catecorv 1)

[All) Periodic safety reassessment

[Al2] Decennial inspections (specific to France)

{A13] Probabilistic Risk Assessment

[A14] Individual Plant Examination (specific to US)

[A15] Implementation of clearer Technical Specification surveillance requirements and limiting conditions of operation E-2 l

r- , .

Others:

[A16] NRC Augmented Inspection Team (AIT) investigated the event

- [A17] NRC incident Investigation Team (IIT) investigated the event

[A18] NRC Generic Communication ( Information Notice (IN), Generic Letter (GL), or Bulletins (BL)) issued included the event

[A19] NRC Enforcement Actions (Notice of Violation, Enforcement Conference, Civil Penalty, etc.) issued '

insichts from Licensee and Regulatory Efforts to Resolve Safety issues (Catecory 2)

[A21] Design Basis Reconstitution studies

[A22] Engineering evaluation studies

[A23] Generic studies reports

[A24] Operating experience feedback reports

[,1c 5] Assessment of significant operating events (e.g., Salem, ..)

Licensee's Action > datecorv 3)

[A31] Inservice testing procedure

[A32] Preventive maintenance programs

[A33] Post-maintenance procedures

[A34] Assessment of modifications' implementation and subsequent requalification

[A35] Trending specific parameters affecting component operation, and use of appropriate diagnostic tools

[A36] Premature aging anticipation policy

[A37] Inspection guides

[A38] Quality assurance Others:

[A39] Dc-ign change /phnt modification

[A40] New or modified operating procedure

[A41] Corrective maintenance, repair / replacement of failed component

[A42] Modified Design Basis

[A43] Modified maintenance procedure

[A44] Removal of foreign material by flushing

[A45] Post maintenance verifica'ioti testing / examination

[A46] Additional training / guidance to plant personnel

[A47] New or modified Technical Specifications

[A48] New or modified Administrative Procedure / Management Directives

[A49] New or modified Engineering / Design procedure E-3 i

c - . c _-

APPENDIX F Categorization of Events -

NOTE: This categorization is by codes in Appendix E for Failure Cause, Discovery Method, and Licensee's Corrective / Preventive Actions, and Regulatory Actions.

LER No. Description Corrective / Preventive Actions Plant Name Failure Discovery Licensee's Reculatory Cause Method I,1991 Events:

206/91-014: Inoperable volume control tank level transmitters San Onofre 1 (CB1), (D17] (A40),[A41),

269/91-010, .

270/91 010, 287/91-010: Potential for hydrogen entrainment in HPl pumps Oconee 1,2,3 (cal] (A40],[A42)*

[D17)

[A46)*,[A47]

272/91-030: Both PORVs failed due to leaking actuators .

Salem 1 (CB1)* - (DIS) [A39]*,[A'41) 278/91-017: Control wiring for ADS / relief valves found damaged -

Peach Bottom 3 (CCl) (D16) (A46),[A48]

281/91-017: Both emergency diesel generators for Unit 2 inoperable for 13 h Surry 2 (CE2),[CCl) (D17] (A41),[A45]

• Some corrective actions identified by licensees were incomplete when the original LER was written and a status update via an LER revision was not submitted. These actions are identified by an asterisk (*). The status of these actions was confirmed with the licensees as complete, except as specifically noted otherwise.

F-1

LER No. Description Corrective / Preventive Actions Plant Name Failur,e Discovery Licensee's Reculatory Cause Method 323/91-003: Containment sump isolation valves and containment spray pump deenergized during hot shutdc,wn Diablo Canyon 2 [CE3),[CE4] [Dl3] [A40),[A46]

333/91-014: Hydraulic pressure locking of two low pressure ECCS injection valves Fitzpatrick [CEl] [Dl6) [A39), [A43), [A18]

[A49]*

336/91 009: Both diesel generators unavailable and unit shutdown Millstone 2 [CBl],[CCl) [D15] [ A43]*, [ A39]*,

400/91-00S: HPI unavailability for one refueling cycle because of inoperable miniflow lines Harns 1 [CCl),[CEl] [ DIS) [A39] [AIS]

423/91-011: Both trains of HPSI inoperable due to relief valve failures Millstone 3 [CEl) (D15] [A39]

440/91-009: Two EDGs inoperable Perry 1 [CBl] [D15J [A43),[A39]

445/91-012: Potential charging pump unavailability due to hydrogen void expansion Comanche Peak 1 [CA2] [D08),[D09] [A40]*

• Some corrective actions identified by licensees were incomplete when the original LER was written and a status update via an LER revision was not submitted. These actions are identined by an asterisk (*). The status of these actions was confirmed with the licensees as complete, except as specifically noted otherwise.

F-2

LER No. . Description - Corrective / Preventive Actions

- Plant Name Eailure Discovery Licensee's Regulatory -

Cause Method 2.1992 Events:

261/92-013: Safety injection Pump Out of Service Robinson 2 (CC5] [ DIS]* [A44]*, (A45] (A18]

269/92-008, 270/92-008, 287/92-008: Botn Keowee Emergency Power Hydro Units Unavailable

- Oconee 1,2,3 [CBl] [D17] (A40]*, [A46]

269/92 018, 270/92 018, 287/92-018: Both Keowee Emergency Power Hydro Units Potentially Unavailable Oconee 1,2,3 (CEl] [D15] (A39) 286/92-011: Multiple EDGs Inoperable

[

Indian Point 3 [CA2),(CE2] [ DIS) (A40],[A46]*,

[A48]

301/92-003: Plugged Safety hjection Pump Suction Point Beach 2 [CC5] (D151 [A44],[A45],

[A46]

• Some corrective actions identified by licensees were incomplete when the original LER was

.-- written and a status update via an LER revision was not submitted.' These actions are identified by an asterisk (*). The status of these actions was confirmed with the licensees as complete, except as specifically noted otherwise.

F-3

LER No. Description Corrective / Preventive Actions Plant Name Failurg Discovery Licenste's Renulatos Cause Method 328/92-010: Emergency Diesel Generator and Residual Heat Removal Pump inoperable Sequoyah 2 (CE2],[CCl] [D15],(D17] [A43], (A46]

483/92 011: Loss of Main Control Board Annunciators Callaway (CBl],[CE2] [D16] (A39]*,[A40],

(A16],[A18]

(A43]

3 i

N

• Some corrective actions identified by licensees were incomplete when the original LER was written and a status update via an LER revision was not submitted. These actions are identified by an asterisk (*). The status of these actions was confirmed with the licensees as complete, except as specifically noted otherwise.

F-4

pe3 _

LER No. Description Corrective / Preventive Actions Plant Name Failure Discoverv- Licensee's Regulatory Cause Method 3.1993 Events:

213/93 006 213/93 007: - Degradation of Motor Control Pressurizer Power-Operated Relief Valve, and Emergency Diesel Generators Haddam Neck (CEl] [DOSJ,(D15] [A39]- [A16],

[A18]

265/93-010: Emergency Power System Unavailable Quad Cities 2 [CEl] [D15] [A39]

289/93-002: Both Residual Heat Removal IIcat Exchangers Unavailable TMl-1 [CE3],[CE4] [Dl9], [A40]*,[A46]*

313/93-003: Both Trains of Recirculation inoperable for 14 h Arkansas I (CCl] [D17] (A43]

412/93-012: Failure of Both Emergency Diesel Generator Load Sequencers

-Beaver Valley 2 (CBl],[CEl] [D15], (A39],[A49]* [ A16],-

(A18]

413/93-002, 414/93 002: Essential Service Water Potentially Unavailable Catawba 1,2 (cal],(CA2], (D15] [A34]*,[A39)

(CBl]

• Some corrective actions identified by licensees were incomplete when the original LER was written and a status update via an LER revision was not submitted. These actions are identified by an asterisk (*). The status of these actions was con 6rmed with the licensees as complete, except as specifically noted otherwise.

F-5

e s .. s Descriotion Corrective / Preventive Actions LER No.

Discovery Reculatory Plant Name Failure Licensee's Cause Method 498/93-005: Unavaila'oility of One Emergency Diesel Generator and the Turbine-Oriven Auxiliary Feedwater Pump

[CCl],[CC2], [ DIS), [A41],[A43]*, (A16],

South Texas-1

[CE5] [A46]* [A18]

• Some corrective actions identiRed by licensees were incomplete when the original LER was written and a status update via an LER revision was not submitted. These actions are identified by an asterisk (*). The status of these actions was confirmed with the licensees as complete, except as specifically noted ctherwise.

F-6

to.o-APPENDIX G Distribution of Event Categories Note: The number of events which fall under each code, as categorized in Appendix G, is counted and their distribution, ranked in the order of decreasing frequency, is given below:

Failure Cause Catenories:

[CBl] Component failure: 11 events (CEl] Design deficiency: 9 events

- {CCl] Inadequate testing or maintenance procedures: 7 events (CA2] Conditions not previously considered in design basis reviews: 4 events (CE2] Maintenance error: 4 events (cal] Inadequacies in design basis studies: 3 events (CC5]- Foreign bodies left in piping: 2 events (CE3] Operator error: 2 events (CE4] Deficiencies in operating procedure: 2 events (CC2] Ineffective operating experience feedback: 1 event (CE5] Deficiencies in communication: 1 event Discovery Method Catecories:

(D15] Testing: 17 events (D17] Analysis / evaluation of operational problems: 10 events (D16] Preventive / Corrective maintenance: 3 events (D05] Individual Plant _ Examination (IPE): 1 event (D08] Response to NRC Information Notice (IN),

Generic Letter (GL) and Bulletins (BL): 1 event (D09] Response to NSSS Vendor's information notices: 1 event

_ (D18] Operational proMems (plant startup, normal operation, or shutdown)- 1 event (D19] System line-up verification: 1 event (D13] Walkdowns: 1 event G-1

c oa * ,

Licensee's Corrective / Preventive Actions Categories:

[A39] Design change / plant modification: 15 events

[A46] Additional training / guidance to plant 13 events personnel:

[A40] New or modified operating procedure: 12 events

[A43] Modified maintenance procedure: 7 events

[A41] Corrective maintenance, repair / replacement of failed component: 4 events

[A42) Change to Design Basis: 3 events

[A45] Post-maintenance verification testing /

examination: 3 events

[A34) Assessment of modifications' implementation and subsequent requalification: 2 events

[A44) Removal of foreign material by flushing: 2 events

[A48) New or modified Administrative Procedure /

Management Directives: 2 events

[A49] New or modified Engineering / Design procedure; 2 events

[A47) New or modified Technical Specifications: 1 event Reculatory Actions Categories

[AIS) NRC Generic Communication ( Information Notice (IN), Generic Letter (GL), or Bulletins (BL)) issued included the event: 7 events

[A16] NRC Augmented Inspection Team (AIT) investigated the event: 4 events G-2

- _ - _ _ _ _ _ _ ._ _ _ _ _ _ _ _ - _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _