ML20235G215

RO: On 870911, w/Reactor in Cold Shutdown Mode, Tech Spec Safety Limit 2.1.E Exceeded. Caused by Operator Error. Operators Received Training on Safety Limit, Applicable Procedures & Relevant Control Room Indications
Person / Time
Site: Oyster Creek
Issue date: 09/20/1987
From: Phyllis Clark
GENERAL PUBLIC UTILITIES CORP.
To: Murley T
Office of Nuclear Reactor Regulation
References
CAL-87-12, NUDOCS 8709290493


Text

GPU Nuclear
100 Interpace Parkway
Parsippany, New Jersey 07054
201 263-6500
TELEX 136-482
Writer's Direct Dial Number: (201) 316-7797

September 20, 1987

Dr. Thomas E. Murley, Director
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555

Dear Dr. Murley:

Subject: Oyster Creek Nuclear Generating Station
Docket No. 50-219
Safety Limit Violation

On September 11, 1987, with the reactor in the cold shutdown mode, Safety Limit 2.1.E of the Oyster Creek License and Technical Specifications (TS) was exceeded due to operator error. Verbal notification to the Commission was made. GPU Nuclear immediately initiated and has been conducting its own assessment of the event, its causes, safety significance, and impact on the health and safety of the public. GPUN has cooperated fully with the NRC Augmented Inspection Team (AIT). This letter and its attachments are being submitted in accordance with 10 CFR 50.36(c)(1)(i)(A), section 6.7.1 of the TS, and as directed by Confirmatory Action Letter 87-12 dated September 11, 1987.

Attachment I to this letter contains the chronology of events preceding, during and following the violation of the safety limit. GPUN's technical evaluation is described in Attachment II. Attachment III addresses the corrective action for the safety limit violation only. Additional corrective actions regarding maintenance activities and record destruction related to the event are being addressed in separate submittals to the NRC.

The safety limit requires that, during all modes of operation except when the reactor head is off and the reactor is flooded to a level above the main steam nozzles, at least two recirculation loop suction valves and their associated discharge valves will be in the full open position. The violation involved the operation of recirculation loop discharge isolation valves such that there were fewer than two fully open recirculation loops for a short period of time. At no time preceding, during or following the safety limit violation was the health and safety of the public compromised. The event did not cause any degradation to any physical barrier which guards against the uncontrolled release of radioactivity, nor was there degradation to any plant system or component (safety related or balance of plant). At no time during the event were all five recirculation loop discharge valves fully closed.

Throughout this event, none of the pertinent safety systems were inoperable, and thus they were available and would have been expected to perform as designed if required.

GPUN recognizes the seriousness of violating a safety limit and has responded promptly and in great detail across a broad spectrum of potential concerns. Recent analysis, however, indicates that the 2.1.E limit may be too restrictive. GPUN will therefore evaluate the submittal of an appropriate Technical Specification Change Request for NRC review and approval.

Of greater concern to GPUN at this time is the deliberate destruction of a portion of the Sequence of Alarms Recorder data. As you are aware, a thorough and comprehensive independent investigation was immediately initiated to ascertain the facts. The Commission's Office of Investigations is being kept informed of the results of that investigation.

By this letter, GPUN requests the NRC to find that the cause, and adequate corrective action to preclude reoccurrence of the safety limit violation have been identified, and remove the shut down imposed by 10 CFR 50.36(c)(1)(A).

GPUN has not completed its own reviews of the maintenance activities and record destruction. The results and corrective actions will be provided to and discussed with the NRC in advance of planned restart of the plant.

The attached report has been reviewed in accordance with Section 6.5 of the Technical Specifications.

Very truly yours,

Philip R. Clark
President

PRC/MWL/dmd(0382A)

Attachments

cc:

Mr. William T. Russell, Administrator
Region I
U.S. Nuclear Regulatory Commission
631 Park Avenue
King of Prussia, PA 19406

Mr. Alexander W. Dromerick, Project Manager
U.S. Nuclear Regulatory Commission
Division of Reactor Projects I/II
7920 Norfolk Avenue, Phillips Bldg.
Bethesda, MD 20014

Mr. Lee H. Bettenhausen, Chief
Projects Branch No. I
U.S. Nuclear Regulatory Commission
Region I
631 Park Avenue
King of Prussia, PA 19406

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, DC 20555

NRC Resident Inspector
Oyster Creek Nuclear Generating Station

ATTACHMENT I

The following description was established from multiple information sources and has been determined to be accurate as of the date of this submittal. If any significant change from this description is discovered, the requisite information will be promptly submitted.

Plant Conditions at the Time of the Event

At the time of the occurrence, the Oyster Creek Nuclear Generating Station (OCNGS) reactor plant was in the cold shutdown mode, reactor water temperature was 140°F, and cooling for decay heat was being provided by the Shutdown Cooling System, which in turn was cooled by the Reactor Building Closed Cooling Water (RBCCW) system. The reactor was vented. Recirculation Loops A, D, and E were idled with their pumps secured and their respective main discharge valves closed. Recirculation Loops B and C were in operation, each providing approximately 20,000 gallons per minute of flow. All five loops had their suction valves and discharge bypass valves open. Reactor water level was 156 inches above the Top of the Active Fuel (TAF). Maintenance was in progress to remove and replace the stem packing on valve V-5-167, an RBCCW isolation valve to primary containment. The A & D Recirculation Pump (RCP) Motor Generator (MG) sets were running to warm their oil in preparation for starting the A & D pumps and securing the B recirculation pump for preventative maintenance.

Initiating Event

On September 10, 1987, a maintenance work request was approved to work on valve V-5-167. The tagout request specified V-5-167 to be backseated; however, for several reasons the valve was erroneously not fully backseated. The circuit breaker to the motor operator was tagged open. The manual handwheel for the valve was purposely not tagged to allow the option for an operator to manually backseat the valve if an increase in leakage through the stem packing was observed as the valve packing was sequentially removed. The maintenance technician was told to proceed slowly and carefully, and to stop if any increase in leakage occurred. The stem packing for this valve consisted of eight (8) compressed packing rings.

Work began on this valve on September 11, 1987. At approximately 2:08 AM, a maintenance technician removed four (4) packing rings from the valve stem with no change in leakage. When the fifth packing ring was disturbed, a large spray of water occurred from the stem packing area.

The control room was informed of a major spill in progress. The Group Operating Supervisor (GOS) was dispatched to the scene to evaluate the problem.

It was determined that the portion of RBCCW which cools the drywell (DW) (including the recirculation pumps) was the source of the leakage.

Control Room Actions

The following description was established from multiple information sources and has been determined to be accurate as of the date of this submittal.

Table I provides a chronology of the major events during this occurrence. Some of the data presented in Table I (e.g., specific times) were derived or extrapolated from existing records. Any data preceded by "a" is a best estimate, but cannot be definitively ascertained. Where necessary, maintenance records have been utilized to establish reference points.

Shortly after receiving word on the status of the RBCCW leak from the GOS and knowing that RBCCW flow to the DW would have to be secured, thus depriving the RCPs of cooling, the reactor operator at the controls placed the control switch on the B recirc loop discharge valve in the close position. Shortly thereafter, an alarm was received "Less than Two Recirc Loops Open" - a safety limit violation of the Oyster Creek Technical Specifications. Data are unclear as to whether or not the operator closed the discharge valve for recirculation loop C. It appears that the valve remained open and did not change position during this event. Analysis has shown that the position of the valve does not affect the safety significance of this event. The operator then reduced the speed of the B and C recirculation pumps in preparation for securing the pumps.

The operator then took the control switches for the A and D recirculation loop discharge valves to "open" to restore the recirculation loops to an allowed configuration. The operator then secured recirculation pumps B and C. The fuel zone level monitor did not activate at this time as the A & D recirc pump MG sets were running.

RBCCW to the recirculation pumps was then secured. Indicated reactor water level increased as expected due to the recirculation pumps being secured. The operators manually raised reactor water level as required by the Shutdown Cooling procedure to maximize the effectiveness of Shutdown Cooling with no recirculation pumps running. The alarm indicating less than two loops operating cleared as recirculation loop D discharge valve reached the full open position. The safety limit violation existed for about 2 minutes and 20 seconds. The A & D MG sets were secured, energizing the Fuel Zone Level Monitoring System.

Approximately 35 minutes after RBCCW flow to the drywell was secured, V-5-167 was manually backseated and RBCCW flow was returned to normal. The discharge valve for recirculation loop B was opened. With normal cooling restored, recirculation pump D was started (discharge valve was closed, the pump started and brought up to speed, and the discharge valve re-opened, per procedure), the discharge valve for recirculation loop B was then closed, recirculation pump A was started (discharge valve was closed, the pump started and brought up to speed, and the discharge valve re-opened, per procedure), and plant conditions returned to normal.

At 4:05 AM, a notification of the Safety Limit violation was made to the NRC on the Emergency Notification System telephone line.

[Table I: chronology of major events, September 11, 1987. The table is not legible in the scanned source.]

ATTACHMENT II

Technical Evaluation

INTRODUCTION

Oyster Creek technical specification safety limit 2.1.E, which was violated on September 11, 1987, requires that:

"During all modes of operation except when the reactor head is off and the reactor is flooded to a level above the main steam nozzles, at least two (2) recirculation loop suction valves and their associated discharge valves will be in the full open position."

The technical specification basis for this safety limit is stated as:

"Specification 2.1.E assures that an adequate flow path exists from the annular space, between the pressure vessel wall and the core shroud, to the core region. This provides for good communication between these areas, thus assuring that reactor water level instrument readings are indicative of the water level in the core region."

Technical Specification safety limit 2.1.D, which was not violated during the September 11, 1987 event, requires that:

"During all modes of reactor operation with irradiated fuel in the reactor vessel, the water level shall not be less than 4'8" above the top of the active fuel."

The purpose of this evaluation is to determine the safety significance of this event. This includes evaluating whether or not an adequate indication of core inventory was available throughout the event.

BACKGROUND OF SAFETY LIMIT 2.1.E

Safety limit 2.1.E was put into effect immediately following an event at Oyster Creek in May, 1979. During the May 1979 event all five recirculation loop discharge valves were closed, effectively isolating the downcomer region from the core region (except for the five two-inch bypass lines). This, in conjunction with operating the Emergency Condenser System, caused the core region water level to go below the triple-low setpoint without actuation of the reactor low or double-low alarms. This situation results from the physical arrangement of the level instrumentation at Oyster Creek. The low and double-low signals are generated from an instrument that is sensitive to water level in the annulus region. The triple-low instrument is sensitive to water level within the core region. Thus, isolating these two regions can have the result of having different water level readings from the two areas. As a result, an unacceptable situation was created as stated in the NRC Safety Evaluation Report of May 30, 1979:

"Although annulus level is appropriate for feedwater control and water inventory monitoring during normal and most upset conditions, it has no intrinsic safety significance except through its relationship with core water level. The annulus, core area and recirculation lines form a large U-tube when the recirculation pumps are not running, and the two levels should be very nearly the same. When the recirculation pumps are running and the core is shutdown, the level in the annulus should be lower than the (collapsed) core level, and therefore should be a conservative indicator. For the annulus level instrumentation to work properly, the annulus and the core area must be in good communication at the bottom. It is now apparent that the non-conservative situation (annulus level greater than core level) can exist if there is a restriction in the recirculation lines."

"The primary safety concern for level instrumentation is that the level setpoints must be assured to occur in proper sequence. This implies that the core and annulus water volumes must not be partially isolated from one another. Given this, all safety analyses remain valid and bounding."

As a result, the safety limit 2.1.E and its associated basis as cited above were added to the Oyster Creek Technical Specifications.

EVALUATION OF SAFETY ASPECTS OF THE SEPTEMBER 1987 EVENT

The September 1987 event is described in Attachment I. During the September 1987 event:

(1) The plant was at cold shutdown at the initiation of the event and remained in that condition throughout the event.

(2) No loss of coolant inventory occurred.

(3) Reactor decay heat was being removed by the shutdown cooling system. With the shutdown cooling and reactor water clean-up (RWCU) systems running, water would be transferred from the annulus to the core regions if the water level in the core region was lower than the water level in the annulus. In fact, with the recirculation pumps or the shutdown cooling system operating, the level in the annulus will be lower than that in the core region unless the vessel is flooded to above the steam separators.

(4) The five recirculation loop discharge valves were never simultaneously fully closed between the annulus and the core region. In addition, as in May 1979, all five pump discharge bypass isolation valves and suction valves were open throughout the event.

(5) At all times during the event there was adequate communication between the downcomer and the core region. Therefore, all reactor water level instruments were functional and would have alarmed in the proper sequence.

As noted above, the safety limit is associated with assuring that the core remains covered with water. Also, as noted above, with the shutdown cooling system (and/or RWCU system) in service, the water level will not be higher in the annulus than it is in the core region. A review of the annulus water level data from the transient period clearly shows that the water level remained well above the Low Level Alarm Setpoint throughout the event.

The temperature of the water in the core region did rise during the period when the recirculation pumps were tripped as inferred from the loop temperature behavior noted upon resuming forced circulation. This is a result of losing the forced cooling of the core region. Flooding up to natural circulation level would have ultimately limited the temperature rise by allowing natural circulation flow and cooling via the Shutdown Cooling System.

In order to assess the significance of the event, however, the potential result of taking no action following the isolation of the B loop and the securing of recirculation pumps B and C was examined. In doing this evaluation it was assumed that the shutdown cooling system and the RWCU system were not effective at removing any of the core decay heat and that the vessel water volume was heated uniformly. It was further assumed that the decay heat was that expected to exist 24 hours after shutdown following an infinite operating period at full power, and that the reactor vessel remained at atmospheric pressure with free venting. Based on these assumptions, it was estimated that the water in the vessel would begin to boil after approximately one hour. The boiling rate to balance decay heat would be 70 gallons (liquid) per minute. A review of the rate of water level increase in the vessel as recorded during the transient shows that the CRD Hydraulic System was adding 70 gpm. Therefore, since decay heat will decrease with time, it is concluded that the core would never have been uncovered.

In conclusion, while Technical Specification safety limit 2.1.E was violated, the September 1987 event did not compromise the health and safety of the public and did not create the potential for core damage to occur.

FEATURES TO PREVENT VIOLATION OF SAFETY LIMIT

The control switches for the recirculation pump suction and discharge valves at panel 3F in the main control room have hinged clear plastic covers. The control room switch covers were provided to minimize the possibility of inadvertent or inappropriate intentional isolation of more than three recirculation loops. The design and installation of these covers followed accepted human factors practices.

Control Board Warning Tags for each of the five recirculation loops are located adjacent to the recirculation loop isolation valve control switches on control panel 3F. The warning tags read:

"Caution, suction and discharge valves of at least two recirc loops must be open at all times"

The warning tags in conjunction with the control switch covers were designed to improve human factors considerations as they apply to operator understanding of potential out-of-specification conditions within the systems. The warning tags were located adjacent to the switches instead of on the covers so that the tags would not interfere with the operator's ability to read the valve position indicating lights.

In conjunction with the establishment of the safety limit and the addition of the plastic covers to the valve switches, plant operating and surveillance procedures were reviewed following the May 1979 event. This review was conducted to assure that the appropriate procedures had been adequately revised to reflect lessons learned from the May 1979 incident. Warnings and procedural limitations were incorporated to reinforce the requirement to maintain at least two loops in a fully open condition.

In addition to the above, during the cycle 11R refueling outage in 1986 an alarm was added relative to recirculation loop availability. The alarm is designed to annunciate when the discharge or suction valves for fewer than two loops are in their full open position. Additionally, the color of the alarm annunciator is unique (green) from all other control room alarms. The alarm is set such that it will be initiated when the fourth valve clears its full open limit switch. After operator acknowledgement of this alarm, if for any reason the fifth loop is also isolated, the alarm reflashes to warn the operator of this condition. If the fourth and fifth valves are closed simultaneously, only a single alarm will be generated. Information on the condition of each of the valves is available to the operator through the valve position indicating lights. The alarm itself is designed to promptly alert the operator to the violation of a safety limit, which it did in this event, and is not intended to prevent the violation of the limit.
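The alarm behaviour described above can be modelled as a small state machine and replayed against the valve movements reported in Attachment I. This Python sketch is an added illustration, not part of the GPUN submittal or of any plant software; the class, function and state names are constructed for the example, and loop C is assumed to stay fully open, as the chronology suggests.

```python
from dataclasses import dataclass, field

LOOPS = ("A", "B", "C", "D", "E")
# Constructed state labels: a loop counts as open only while BOTH of its
# valves sit on their full-open limit switches.
FULL_OPEN, IN_TRANSIT, CLOSED = "full_open", "in_transit", "closed"


def _all_open():
    return {loop: FULL_OPEN for loop in LOOPS}


@dataclass
class LoopAlarm:
    """Model of the 'fewer than two loops fully open' annunciator."""
    min_open: int = 2
    suction: dict = field(default_factory=_all_open)
    discharge: dict = field(default_factory=_all_open)
    active: bool = False
    acknowledged: bool = False
    _last_count: int = len(LOOPS)

    def open_loops(self):
        return [l for l in LOOPS
                if self.suction[l] == FULL_OPEN and self.discharge[l] == FULL_OPEN]

    def acknowledge(self):
        if self.active:
            self.acknowledged = True

    def update(self, discharge=None, suction=None):
        """Apply simultaneous valve changes and return the annunciator events."""
        self.discharge.update(discharge or {})
        self.suction.update(suction or {})
        count = len(self.open_loops())
        events = []
        if count < self.min_open:
            if not self.active:
                # Fourth loop has left its full-open limit switch.
                self.active, self.acknowledged = True, False
                events.append("ALARM")
            elif self.acknowledged and count < self._last_count:
                # A further loop was isolated after the operator acknowledged.
                self.acknowledged = False
                events.append("REFLASH")
        elif self.active:
            self.active = self.acknowledged = False
            events.append("CLEAR")
        self._last_count = count
        return events


def _initial_lineup():
    # Attachment I: loops A, D and E idle with discharge valves closed,
    # loops B and C in operation, all suction valves open.
    return LoopAlarm(discharge={"A": CLOSED, "B": FULL_OPEN, "C": FULL_OPEN,
                                "D": CLOSED, "E": CLOSED})


def replay_september_1987():
    """Replay the discharge-valve movements from the Attachment I narrative."""
    alarm = _initial_lineup()
    steps = [
        ("B discharge switch taken to close", {"B": IN_TRANSIT}),
        ("A and D discharge switches taken to open", {"A": IN_TRANSIT, "D": IN_TRANSIT}),
        ("D discharge reaches full open", {"D": FULL_OPEN}),
    ]
    return [(label, alarm.update(discharge=change)) for label, change in steps]


def isolate_last_two(simultaneously):
    """Isolate the last two open loops together, or one at a time with an acknowledgement."""
    alarm = _initial_lineup()
    if simultaneously:
        return alarm.update(discharge={"B": IN_TRANSIT, "C": IN_TRANSIT})
    events = alarm.update(discharge={"B": IN_TRANSIT})
    alarm.acknowledge()
    return events + alarm.update(discharge={"C": IN_TRANSIT})


if __name__ == "__main__":
    for label, events in replay_september_1987():
        print(f"{label}: {events}")
    print("sequential isolation:", isolate_last_two(False))
    print("simultaneous isolation:", isolate_last_two(True))
```

The replay shows the property the text states: the alarm fires only once the limit is already violated, and it stays in until a second loop is back on its full-open limit switch, not when the open command is given.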

Operators have received training on this safety limit, the applicable procedures, and relevant control room indications.

EVALUATION OF HARDWARE ADEQUACY

Prior to ultimately recommending the addition of the recirculation valve alarm, GPUN had considered (and designed) a recirculation loop interlock. This design was considered in response to the May 1979 event. During the review of the interlock design, however, it was decided that by simplifying the modification to only an alarm the functional requirements could be adequately met. The alarm provides positive active indication to the operator that a fourth loop has been isolated. Since isolation of a fourth loop does not cause any short term problems with core inventory, the operator has adequate time to recognize and correct the problem indicated by the alarm. Therefore, a preventative interlock is not required.

The alarm-only modification has the advantages of: (1) not requiring an additional control switch for interlock bypass and additional indications on the control board of a bypass condition; (2) greatly reducing the complexity of the valve control circuitry, thereby minimizing the effect on circuit reliability; and (3) simplifying training requirements and procedure changes.

It was concluded that the alarm-only modification was the preferable design and was adequate to provide assurance of safety. The adequacy of the hardware configuration was addressed in a January 30, 1986 submittal to the NRC.

This evaluation was concurred with by the NRC as documented in its letter of April 16, 1986, which stated:

"4.0 Conclusion

We have reviewed the proposed change for the II.K.3.19 requirement and we find it to be acceptable. One open recirculation loop is sufficient to assure adequate communication between the core and downcomer regions. The alarms plus adequate training should suffice to maintain one open loop."

Therefore, it was concluded that the combination of hardware and training changes were adequate to provide assurance of safety.

It is still viewed that the "alarm-only" system in conjunction with plastic covers and control board warning labels is adequate when combined with proper operator training. In the September 1987 event, the alarm performed its intended function of alerting the operator to the violation of the safety limit, and appropriate corrective actions were promptly taken well before any threat to safety existed.

The recirculation loop isolation alarm does not prevent violation of the safety limit as defined in the Oyster Creek Technical Specifications, since it is not received until the limit has been violated. The possibility of changing the alarm such that it is actuated by closure of the third loop has been considered. To be effective, this would also entail having an administrative limit requiring that at least three loops be open. Without this administrative limit, it is still possible to close the third loop, receive and clear the alarm, and not take any further action to prevent the isolation of the fourth loop. Evaluation of this option, however, has shown it to be impractical.

When the reactor Shutdown Cooling System is operating it is necessary either to have the "E" recirculation pump operating or to have the "E" discharge valve closed in order to prevent the shutdown cooling flow from "short-circuiting" the reactor vessel by flowing back through the idle pump in the "E" loop. Similarly, when the Reactor Water Cleanup (RWCU) system is operating it is necessary either to have the "B" pump operating or to have the "B" loop discharge valve closed. Satisfying these conditions and simultaneously allowing for having a pump out of service due to maintenance severely limits operating flexibility. Therefore, it is not practical to impose a more restrictive administrative limit, and corresponding alarm to help prevent violation of the present safety limit.

The ultimate safety issue associated with this safety limit is maintaining adequate water in the core. Several indicators for water level are available to the operator. Since the May 1979 event, an additional water level instrumentation system has been added to the plant. The Fuel Zone Level system provides level information for the core region, although it is not normally used for plant operation, and has no alarms associated with it. This system becomes active when all recirculation pump motor generator set circuit breakers are tripped and, thus, provides supplemental information to the operator for events such as May 1979 or September 1987. The normal triple low alarm was available throughout this event and would have indicated a level approaching the top of the active fuel.

EVALUATION OF PROCEDURE AND TRAINING ADEQUACY

The configuration of the recirculation system at Oyster Creek in conjunction with other systems which are attached to it make it appropriate to use a variety of pump and valve line-ups in different operating modes. In procedure 301 (NSSS) the operator is instructed to close the discharge valve in preparation for placing a recirculation pump in operation. In addition, the operator is instructed to close the "B" discharge valve when the "B" pump is removed from service and the Reactor Water Clean-up System is operating, to close the "E" discharge valve when the Shutdown Cooling System is operating and the "E" pump is removed from service, and to close the discharge valve for any pump in preparation for taking it out of service. These instructions are appropriate in order to limit backflow through an idle recirculation loop.

Backflow does not present any physical threat to plant equipment, but it does represent a loss in effective flow to the core region. The discharge valves are also closed before taking a recirculation pump out of service to prevent unconservative error introduction into the power range protective setpoints.

Closing the "B" and "E" loop valves in the conditions specified assures that the flow direction produced by the attached systems is correct and that it does not bypass the core region. The operator is explicitly cautioned at several places within procedure 301 of the requirement to maintain at least two loops open (for example: in section 4.0 "Operating the Recirculation Loop Valves", section 5.0 "Placing a Reactor Recirculation Pump in Operation - Initial Startup", section 7.0 "Removing a Reactor Recirculation Pump from Service", and section 12.0 "Recovery from a Multiple Recirculation Pump Trip").

Reviews, however, have indicated that additional enhancements can be made to procedures which deal with operation of recirculation pumps and valves.

Similarly, other procedures contain cautions regarding the requirement to have at least two recirculation loops fully open (for example: Procedure 203.2 "Plant Cooldown from Hot standby to Cold Shutdown", Procedure 305 "Shutdown Cooling System Operation", Procedure 2000-ABN-3200.02 "Recirculation Pump Trip").

Plant procedures affecting reactor recirculation pump operation were reviewed with consideration given to whether adequate statements were present which warned the operator of the safety limit violation. The review included system operating procedures, station abnormal event procedures, diagnostic and restoration procedures, and alarm response procedures. This review did not reveal any inconsistencies in the instructions for recirculation loop isolation valve position. A normal practice used by operators to verify valve movement involves the observation of the simultaneous lighting of both the red (open) and green (closed) lights. Since the alarm would have activated at the same time as the lighting of the green light, it is concluded that the operator would have a clear understanding of the action which resulted in the alarm, and would be at the location from which the appropriate corrective action (open alternative valves) would be initiated. Procedures were reviewed and, where needed, guidance to confirm the impact of instructions (i.e., cautions) was relocated in the procedure so that the guidance immediately precedes the instruction to take action. Procedures will be revised to give explicit guidance to operators when securing the final two recirculation pumps in off-normal plant conditions.

Operator Training Material, lesson plans 38 and 47, training content record for SRO upgrade program and licensed operator requalification - 2611/850.0.90 and 2612/831.0.10, respectively are consistent in defining the requirement for loop availability. It is apparent from the September 1987 event that for at least some period of time the operator failed to observe the loop availability requirement. As a result, all operators will receive supplemental training on the May 1979 and September 1987 events, procedural limitations on loop availability and the bases for them, and applicable control indications. In addition, the concepts and lessons learned from the September 1987 event are being added to the operator simulator training program.

EVALUATION OF SAFETY LIMIT

The requirement to have two loops fully open is classified a "Safety Limit" in the Oyster Creek license and Technical Specifications. Per 10CFR50.36(c)(1)(i)(A):

"Safety limits for nuclear reactors are limits upon important process variables which are found to be necessary to reasonably protect the integrity of certain of the physical barriers which guard against the uncontrolled release of radioactivity."

The process variable which is indicative of a possible threat to a physical barrier (i.e., fuel clad integrity) is the core region water level. This "Safety Limit" is established separately (2.1.0) in the Oyster Creek Technical Specifications. The requirement regarding the open loops may be more correctly defined as a "Limiting Condition for Operation." Per 10CFR50.36(c)(2):

"Limiting conditions for operation are the lowest functional capability or performance levels of equipment required for safe operation of the facility."

Since the requirement for having at least two of the recirculation loops fully open is intended to assure that other protective systems (e.g., the actuation sequence for safety systems) perform correctly, rather than to actually protect the fission product barrier itself, it appears to fall under the definition of a "Limiting Condition for Operation." Remaining in cold shutdown conditions requires operation of the shutdown cooling system or other similar cooling systems. The ability of these systems to maintain cold shutdown conditions is not dependent on having loop isolation or bypass valves open. Thus, a requirement to have the pump discharge valves open during cold shutdown conditions is unnecessary. For other plant conditions it is adequate to have only a single recirculation flow path open. Therefore, the requirement for open recirculation loops should apply to conditions other than cold shutdown and refueling only and the limit should be one loop open, not two loops open. The design of the alarm has also been re-examined in light of the potential request to reduce the safety limit to an LCO. If the above change is made, appropriate alarm, procedural, and training modifications would be undertaken consistent with these changes.

SUMMARY

While a safety limit was violated, there was adequate core cooling during the event, and GPUN's evaluation shows that the event was not safety significant.

Features to prevent violations of the safety limit were reviewed. The control switch covers and control board warning tags are viewed to be adequate. While the alarm system warns the operator that the limit has been violated, it is not practical for it to alarm effectively to help prevent violation of the safety limit as currently written.

Operating procedures were determined to contain cautions regarding the requirement to have at least two recirculation loops fully open. However, additional enhancements have been found to be appropriate for procedures which deal with operation of recirculation pumps and valves. The operation of the recirculation loop isolation valves is dictated by operating conditions. The "B" and "E" loops have special requirements associated with them due to the attached clean-up and shutdown cooling systems. This, combined with maintenance needs, may make it necessary to have three loops isolated at one time. Therefore, it is not practical to establish a more restrictive administrative limit than having two loops open.

It has been previously concluded by GPUN and accepted by the NRC that one open recirculation loop is sufficient to assure adequate communication between the core and downcomer regions. The alarm modification which was installed during the 11R refueling outage meets the functional requirements of providing a positive indication to the operator should a fourth loop be isolated.

Operators have been trained on the requirements for loop availability. At the time of the event, the circumstances and urgency of securing the RCPs, because of the impending loss of RBCCW, appear to have been uppermost in the operator's mind and he closed the discharge valve, as he had been trained to do when normally securing recirculation pumps, momentarily overlooking the safety limit requirement. Supplemental training of the operators will, however, be undertaken to review the May 1979 and September 1987 events, the procedural limitations on loop availability and the bases for them, applicable control room indications, and steps to be taken to isolate recirculation loops and to secure recirculation pumps.

In addition, GPUN has reviewed Safety Limit 2.1.E. The original purpose of the limit was to assure adequate core region water level and the proper actuation sequence for safety systems. In this light, the requirement to maintain recirculation loops open may more correctly be classified a Limiting Condition for Operation (LCO).

Analyses show that with the Shutdown Cooling System running during cold shutdown conditions where the potential rate of inventory removal from the core region is limited, all five recirculation discharge valves could be safely closed. This conclusion is also supported by the April 16, 1986 NRC SER and NUREG 0737, which only required the interlock protection to be applied when the reactor was not at cold shutdown.

Studies by GPUN and accepted by the NRC have also shown that a single recirculation loop is sufficient to maintain communication between the annulus and the core region. Therefore, any technical specification LCO or Safety Limit should only require that one recirculation path be fully open. The requirement to maintain two loops open could be retained as an administrative limit to reduce the possibility of violating a technical specification.

If the above change is made, appropriate alarm, procedural, and training modifications would be undertaken consistent with these changes.

CONCLUSIONS

The purpose of this evaluation was to determine the safety significance of the event and evaluate if an adequate indication of core inventory was available throughout the event. It is concluded that:

1. The September 1987 event did not threaten the public health and safety, damage any equipment, or create the potential for core damage to occur.
2. Communication between the annulus and the core region was never lost. Therefore, adequate indication of core inventory was available.


ATTACHMENT III

Corrective Actions

The following corrective actions will be completed prior to restart:

(1) Procedures were reviewed and, where needed, guidance to confirm the impact of instructions (i.e., cautions) was relocated in the procedure so that the guidance immediately precedes the instruction to take action. Procedures will be revised to give explicit guidance to operators when securing the final two recirculation pumps in off-normal plant conditions.

(2) Prior to plant restart, supplemental training of operators will be conducted on the May 2, 1979 and September 11, 1987 events, the above procedure changes, procedural requirements for recirculation loop availability, the bases for those requirements, the importance of adherence to procedures, and the available control room indications applicable to safety limit compliance.

(3) Training will be held on the plant's Basic Principles Trainer (BPT) Simulator incorporating the concepts and lessons learned from the September 1987 event.

The following corrective actions have commenced, but will be completed subsequent to the restart of the Oyster Creek plant:

(1) The concepts and lessons learned from the 1987 event will be integrated into the next training period on the Full Scope Simulator.

(2) Further evaluation of a Technical Specification Change Request to delete Safety Limit 2.1.E from section two of the Oyster Creek Technical Specifications and to add an appropriate Technical Specification Limiting Condition of Operation will be performed.

(3) If the above change is made, appropriate alarm, procedural, and training modifications would be undertaken consistent with these changes.

(4) GPUN will evaluate the Fuel Zone Water Level instrumentation system for the appropriateness of the recirculation pump trip signal and the possible addition of an alarm.
