ML20236G711

Safety Evaluation Report Related to the Restart of Rancho Seco Nuclear Generating Station, Unit 1 Following the Event of December 26, 1985. Docket No. 50-312. (Sacramento Municipal Utility District)
ML20236G711
Person / Time
Site: Rancho Seco
Issue date: 10/31/1987
From:
Office of Nuclear Reactor Regulation
To:
References
NUREG-1286, NUDOCS 8711030225
Download: ML20236G711 (199)


Text

NUREG-1286

Safety Evaluation Report related to the restart of Rancho Seco Nuclear Generating Station, Unit 1, following the event of December 26, 1985

Docket No. 50-312

Sacramento Municipal Utility District

U.S. Nuclear Regulatory Commission

Office of Nuclear Reactor Regulation

October 1987

NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555

2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082

3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Information Support Services, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

NUREG-1286

Safety Evaluation Report related to the restart of Rancho Seco Nuclear Generating Station, Unit 1, following the event of December 26, 1985

Docket No. 50-312

Sacramento Municipal Utility District

U.S. Nuclear Regulatory Commission

Office of Nuclear Reactor Regulation

October 1987

ABSTRACT

On December 26, 1985, the Rancho Seco Nuclear Generating Station, owned and operated by the Sacramento Municipal Utility District (SMUD), experienced a loss of dc power within the integrated control system (ICS) while the plant was at 76% power. The ensuing reactor trip was followed by a rapid overcooling transient and automatic initiation of the safety features actuation system (SFAS). The overcooling transient continued until ICS dc power was restored 26 minutes after its loss.

Two letters from the NRC Region V Administrator (dated December 26, 1985) confirmed that the Rancho Seco plant would not be returned to power operation until SMUD (the licensee) had provided the NRC with an assessment of the root cause of the transient and a justification as to why the Rancho Seco facility is ready to resume power operation. In response, the licensee submitted the "Rancho Seco Action Plan for Performance Improvement" on July 3, 1986; revisions to that action plan were submitted on December 15, 1986 and February 28, 1987. The NRC staff has reviewed the action plan and numerous other supporting documents submitted by the licensee. The staff's evaluation of the information supporting restart of Rancho Seco is presented in this safety evaluation report.


Rancho Seco Restart SER iii

CONTENTS

ABSTRACT
1 INTRODUCTION AND SUMMARY
1.1 Issues for Which Additional Information Is Needed
1.2 Issues for Which Additional Staff Inspection Is Needed
1.3 Issues Currently Under Review by the Staff
2 BACKGROUND
2.1 Discussion of December 26, 1985 Overcooling Event
2.2 NRC Actions, Principal Meetings, and Principal Correspondence
2.3 Summary of Licensee Response
2.3.1 Plant Performance and Management Improvement Program
2.3.2 Evaluation of the Plant Performance and Management Improvement Program
3 RESOLUTION OF CONCERNS RELATED TO DECEMBER 26, 1985 EVENT
3.1 Issues of the Plant Systems Branch, the Electrical Systems Branch, and the Instrumentation and Control Systems Branch
3.1.1 Integrated Control System and Non-Nuclear Instrumentation System
3.1.1.1 ICS/NNI System Description
3.1.1.2 ICS/NNI System Power Supply and Distribution System Description
3.1.1.3 ICS/NNI System Operating History
3.1.2 ICS/NNI System Failure Modes and Effects on Plant Operation
3.1.2.1 Root Cause of December 26, 1985 Loss-of-ICS-Power Event
3.1.2.2 Loss of ICS/NNI System dc Power
3.1.2.3 Loss of ICS/NNI System ac Power
3.1.2.4 Loss of Instrument Air to ICS/NNI System Components
3.1.2.5 ICS/NNI System Failure Modes and Effects Analysis

3.1.2.6 Loss of Control Room Controls, Adequacy of Backup Instrumentation
3.1.2.7 Discrepancy Between OTSG Level Strip Charts and SPDS
3.1.2.8 Power Monitor Design
3.1.2.9 ICS/NNI System Maintenance, Surveillance, and Testing
3.1.2.10 Operator Response Procedures
3.1.2.11 ICS/NNI System Interactions With Safety-Related Equipment
3.1.3 Emergency Feedwater Initiation and Control System
3.1.3.1 Description of EFIC System Design and Operation
3.1.3.2 EFIC System Evaluation
3.1.3.3 EFIC System Independence From ICS/NNI System
3.1.4 Main Feedwater System Response to ICS/NNI System Failures
3.1.5 Steam Generator Overfill Protection Circuits
3.1.6 Main Steam System Response to ICS/NNI System Failures
3.1.7 TDI Diesel Generators
3.1.8 Other Issues of the Electrical Systems Branch and the Instrumentation and Control Systems Branch
3.1.8.1 Makeup and High-Pressure Injection System
3.1.8.2 Reactor Vessel Level Instrumentation
3.1.9 Summary of the Electrical Systems Branch and the Instrumentation and Control Systems Branch Concerns
3.1.10 Achievement of Safe Shutdown Using Safety-Related Equipment
3.2 Plant Mechanical Systems
3.2.1 Water Supply to Makeup/High-Pressure Injection Pumps
3.2.1.1 Root Cause of Makeup/HPI Pump Failure
3.2.1.2 Assurance of Water Supply Sources
3.2.1.3 Makeup Pump Repair
3.2.2 Effect of December 26, 1985 Overcooling Event on Reactor Coolant System Components

3.2.2.1 Effect of Transient on Reactor Vessel
3.2.2.2 Fatigue Analysis for the Reactor Coolant System
3.2.2.3 Technical Basis for Rancho Seco PTS Guidelines
3.2.2.4 Fuel-in-Compression Limits
3.2.2.5 Potential for Core Lift
3.2.3 Operation of Radiation Monitoring Systems After Containment Isolation
3.2.3.1 Root Cause of Damage to Radiation Monitor R-15001
3.2.3.2 Effects of Containment Isolation on Systems Required To Operate After SFAS Actuation
3.2.4 Steam Generator Overfill and Flooding of Main Steam Headers
3.2.4.1 Evaluation of Steam Header Supports
3.2.4.2 Steam Line Support Inspection
3.2.4.3 Potential for Water Injection Into AFW Pump Steam Turbine
3.3 Plant Maintenance
3.3.1 Maintenance Program Evaluation
3.3.1.1 Corporate Commitment to Maintenance
3.3.1.2 Written Goals and Objectives of the Maintenance Program
3.3.1.3 Spare Parts/Material Readiness
3.3.1.4 Maintenance Supervision and Planning
3.3.1.5 Preventive Maintenance Program
3.3.1.6 Maintenance Work Control
3.3.1.7 Maintenance Procedures
3.3.1.8 Operations/Maintenance Interfaces
3.3.1.9 Maintenance Work Request Backlog
3.3.1.10 Maintenance Training
3.3.1.11 Licensee-Proposed Corrective Action for Restart and Performance Improvement
3.3.1.12 Maintenance Program Evaluation Conclusions
3.3.2 Valve Preventive Maintenance Program
3.3.3 Operability Program for Manually and Remotely Operated Valves

3.3.4 Maintenance Troubleshooting and Root Cause Determination Program
3.3.5 Maintenance Conclusions
3.4 Training and Operator Performance
3.4.1 Adequacy of Operator Training
3.4.1.1 Review of Training Programs
3.4.1.2 Event-Related Training
3.4.1.3 System Training
3.4.1.4 Emergency Procedure Training
3.4.1.5 Valve Training for Non-Licensed Operators
3.4.1.6 Emergency Notification Training
3.4.1.7 Operator Retraining Due to Long-Term Shutdown
3.4.2 Minimum Staffing Requirements
3.4.3 Incapacitated Operator
3.4.4 Potential Security/Safety Interface Issues
3.5 Plant Normal and Emergency Procedures
3.5.1 Need for Event-Related Procedures
3.5.2 Adequacy of ATOG Procedures (PTS)
3.5.3 Adequacy of Health Physics Procedures
3.5.4 Adequacy of Annunciation Procedures Manual
3.5.5 Methodology for Updating Emergency Operating Procedures
3.5.6 Adequacy of Emergency Procedures
3.6 Human Engineering Considerations
3.6.1 Simplified Schematics for Switches S1 and S2
3.6.2 Valve Position Indication
3.6.3 Control Room HVAC Noise
3.6.4 Loss of ICS/NNI System Power Alarms
3.6.5 Control Room Modifications
3.7 System Review and Test Program
3.7.1 Evaluation of SRTP
3.7.1.1 SRTP Overview
3.7.1.2 SRTP Evaluation
3.7.1.3 SRTP Review Conclusions

3.7.2 Augmented System Review and Test Program Inspection
3.7.2.1 ASRTP Overview
3.7.2.2 ASRTP Inspection Findings
3.7.2.3 Licensee Response to ASRTP Findings
3.7.3 Review of Test Procedures and System Testing
3.8 Licensee Management and Organizational Considerations
3.8.1 Management and Organization Background
3.8.2 Evaluation of Licensee Management and Organization
3.9 Retrospective Considerations
3.9.1 FSAR Accidents That Presume Availability of Non-Safety-Grade Systems
3.9.2 Probability of Pressurized Thermal Shock (PTS) Events
3.9.3 History of the EFIC System
4 RESOLUTION OF CONCERNS NOT RELATED TO THE DECEMBER 26, 1985 EVENT
4.1 Postaccident Sampling System
4.1.1 PASS Design Description
4.1.2 PASS Modifications
4.1.2.1 Initial PASS Modifications
4.1.2.2 Evaluation of Initial PASS Modifications
4.1.2.3 Additional PASS Modifications
4.1.2.4 Evaluation of Additional PASS Modifications
4.1.3 PASS Procedures and Training
4.1.4 PASS Testing
4.2 Control Room/Technical Support Center HVAC System
4.2.1 HVAC Design and Installation
4.2.2 HVAC Testing
4.3 Radioactive Liquid Effluent Releases
4.4 Emergency Plan
4.4.1 Meteorology Program Improvements

4.4.2 Emergency Plan Training
4.4.3 Emergency Plan Implementing Procedures and Dose Assessment
4.5 Conformance to the Guidelines of Regulatory Guide 1.97
4.5.1 Background of RG 1.97 Issues
4.5.2 Evaluation of Compliance With RG 1.97 Guidelines
4.5.3 Conclusion, RG 1.97 Issue
4.6 Safety Parameter Display System
4.6.1 SPDS Description
4.6.2 SPDS Design Issues
4.6.2.1 SPDS Hardware Design Issues
4.6.2.2 SPDS Software Design Issues
4.6.3 SPDS Test Issues
4.6.4 SPDS Operational Issues
4.6.5 SPDS Review Conclusions
4.7 Transamerica Delaval, Inc. (TDI) Diesel Generators
4.7.1 TDI Diesel Generator Qualification
4.7.2 Diesel Engine
4.7.3 Class 1E Electrical Systems Associated With the Diesel Generators
4.7.3.1 Equipment Separation
4.7.3.2 Raceway Separation
4.7.3.3 Internal Separation
4.7.3.4 Raceway/Circuit Identification
4.7.3.5 Conclusions
4.7.4 Diesel Generator Fire Protection Considerations
4.7.4.1 Introduction to Fire Protection Issue
4.7.4.2 Discussion of Fire Protection Issue
4.7.4.3 Evaluation of Fire Protection Issue
4.7.4.4 Fire Protection Conclusions
4.7.5 Diesel Generator Building Design
4.7.5.1 Seismic Design of Diesel Generator Building
4.7.5.2 Tornado Design of Diesel Generator Building

4.8 Cable Discrepancies
4.8.1 Cable Discrepancy Background
4.8.2 Evaluation of Cable Discrepancies
4.8.2.1 Evaluation of Root Cause of Cable Discrepancies
4.8.2.2 Cable Inspection Program
4.8.2.3 Evaluation and Disposition of Cable Deficiencies
4.8.2.4 Actions To Correct Cable Deficiencies
4.8.3 Conclusions, Cable Discrepancies
4.9 Technical Specification Evaluation

FIGURES

2.1 Plant Performance and Management Improvement Program
3.1 Rancho Seco basic plant control concept
3.2 Rancho Seco integrated control system
3.3 Model 820 integrated control system internal power distribution
3.4 Integrated control system and non-nuclear instrumentation system power consumption
3.5 Rancho Seco auxiliary feedwater system flow diagram and EFIC system control
3.6 EFIC channel A
3.7 EFIC channel B
3.8 EFIC channel C
3.9 EFIC channel D
3.10 Typical EFIC channel
3.11 EFIC system initiation of auxiliary feedwater
3.12 Main feedwater system
3.13 EFIC system isolation of main feedwater
3.14 Makeup/high pressure injection system (simplified)
3.15 The maintenance organization at Rancho Seco
3.16 Rancho Seco organization
4.1 Program for resolving cable problems

TABLES

3.1 OTSG pressure conditions that trigger vector logic
3.2 Rancho Seco Maintenance Administrative Procedures implemented as of August 6, 1987
4.1 Rancho Seco postaccident sampling system
4.2 Safety-related electrical cable deficiencies of Rancho Seco reported in LERs
4.3 Status of restart activities for Rancho Seco cable issue
4.4 High priority (TS/procedure/commitments) improvements needed before restart

APPENDICES

A Principal Meetings and Correspondence Related to the Rancho Seco Overcooling Event of December 26, 1986
B References
C Acronyms and Other Initialisms
D NRC Staff Contributors

1 INTRODUCTION AND SUMMARY

The Rancho Seco Nuclear Generating Station, operated by the Sacramento Municipal Utility District (SMUD, the licensee), is a 916-MWe Babcock and Wilcox (B&W)-designed pressurized-water reactor located in Clay, California, about 25 miles southeast of Sacramento. The plant received an NRC operating license in 1974.

On December 26, 1985, Rancho Seco experienced a loss of dc power within the integrated control system (ICS) while the plant was operating at 76% of rated power. Following the loss of ICS dc power, the reactor tripped on high reactor coolant system (RCS) pressure. The reactor trip was followed by an overcooling condition that actuated safety features and resulted in excessive RCS cooldown. The overcooling transient continued until ICS dc power was restored 26 minutes after its loss. With the restoration of ICS dc power, the excessive RCS cooldown was stopped and the plant was stabilized.

Because of the potential significance of the event, the NRC Region V administrator sent two Confirmatory Action Letters to the licensee on December 26, 1985, that delineated and confirmed the actions the licensee would undertake before Rancho Seco could be returned to power operation. In addition, an NRC staff team was dispatched to the site on December 27, 1985 to investigate the facts, causes, and implications of the incident. The staff assessed the circumstances of the incident and concluded that the underlying causes were significant deficiencies in plant design and in the programmatic areas of maintenance, testing, surveillance, training, operator performance, and plant normal and emergency procedures. As a part of the assessment effort, the staff identified a number of issues and concerns that the licensee would have to address as a result of the event.

In response to the event, the licensee initiated a comprehensive Plant Performance and Management Improvement Program (PP&MIP) which was broader in scope than just the issues and concerns related to the December 26, 1985 overcooling transient. The broad-based PP&MIP was developed in recognition of Rancho Seco's generally poor overall performance in the time leading up to the transient and was indicative of the licensee's efforts to look beyond the narrow focus of the transient. The PP&MIP included the systematic assessment of approximately 4000 recommendations for corrective action and the extensive review and testing of 33 selected plant systems to demonstrate the functional capability of systems important to the safe operation of Rancho Seco.

In this safety evaluation report, the staff evaluates in detail the licensee's comprehensive response to the December 26, 1985 overcooling transient, providing the basis for determining whether Rancho Seco can resume power operations.

In performing this evaluation, the staff has utilized the information in (1) the Action Plan for Performance Improvement, submitted on July 3, 1986, and revised on December 15, 1986 and February 28, 1987, (2) the Rancho Seco Restart Report submitted on December 15, 1986 and revised on July 9, 1987, and (3) numerous supporting documents, including technical specification change requests and responses to staff requests for additional information. The staff also conducted a number of onsite inspections and audits which provided additional bases for the conclusions discussed in this SER.

At this time, a number of issues required for restart are still unresolved. These are discussed in the body of this report and are summarized below. Resolution of these issues will be discussed in one or more supplements to this report or in inspection reports to be issued before restart. The purpose of this report is (1) to document the resolution of all restart issues that have been resolved at this time and (2) to identify the actions necessary to resolve all currently open restart issues.

1.1 Issues for Which Additional Information Is Needed

A number of open items cannot be resolved until the licensee provides additional information to the NRC staff. These are listed below, along with the section of this SER that defines the required information.

3.1.2.9 ICS/NNI System Maintenance, Surveillance, and Testing
3.1.2.10 Operator Response Procedures
3.1.10 Achievement of Safe Shutdown Using Safety-Related Equipment
4.3 Radioactive Liquid Effluent Releases
4.6.2.1 SPDS Hardware Design Issues
4.6.3 SPDS Test Issues
4.8 Cable Discrepancies
4.9 Technical Specification Evaluation

1.2 Issues for Which Additional Staff Inspection Is Needed

A number of open items cannot be resolved until work at the Rancho Seco site is completed and the NRC staff has inspected the work and found it acceptable. These are listed below, along with the section of this SER that defines the area to be inspected.

3.3.2 Valve Preventive Maintenance Program
3.4.1.1 Review of Training Programs
3.4.1.4 Emergency Procedure Training
3.4.1.7 Operator Retraining Due to Long-Term Shutdown
3.5.6 Adequacy of Emergency Procedures
3.7.2 Augmented System Review and Test Program Inspection
3.7.3 Review of Test Procedures and System Testing
3.8 Licensee Management and Organizational Considerations
4.1.3 PASS Procedures and Training
4.1.4 PASS Testing
4.2.1 HVAC Design and Installation
4.2.2 HVAC Testing
4.4.2 Emergency Plan Training
4.4.3 Emergency Plan Implementing Procedures and Dose Assessment

1.3 Issues Currently Under Review by the Staff

A number of open items have not yet been resolved because the staff review is not complete, and no need for additional information or for onsite inspection has been defined. These are listed below, along with the section of this SER that discusses the issue.

2.3.2 Evaluation of the Plant Performance and Management Improvement Program
3.1.2.2 Loss of ICS/NNI System dc Power
3.1.2.3 Loss of ICS/NNI System ac Power
3.1.2.4 Loss of Instrument Air to ICS/NNI System Components
3.1.2.5 ICS/NNI System Failure Modes and Effects Analysis
3.1.2.6 Loss of Control Room Controls, Adequacy of Backup Instrumentation
3.1.2.8 Power Monitor Design
3.1.2.11 ICS/NNI System Interactions With Safety-Related Equipment
3.1.3.2 EFIC System Evaluation
3.1.4 Main Feedwater System Response to ICS/NNI System Failures
3.1.5 Steam Generator Overfill Protection Circuits
3.1.6 Main Steam System Response to ICS/NNI System Failures
3.1.9 Summary of Electrical, and Instrumentation and Control Concerns
3.5.1 Need for Event-Related Procedures
4.7.1 TDI Diesel Generator Qualification
4.7.2 Diesel Engine
4.7.3 Class 1E Electrical Systems Associated With the Diesel Generators
4.7.5 Diesel Generator Building Design

2 BACKGROUND 2.1 Discust, ion of December 26, 1985 Overcooling Event At 4:14 a.m. on December 26, 1985, while operating at a steady 76% of rated power, dc electrical power was lost to the unit's integrated control system (ICS).

On loss of power to the ICS, a number of components controlled by_the ICS received a 50% demand signal and the following' automatic actions occurred:

(1) the closing to midposition of the startup and main feedwater flow control.

valves, (2) the opening to midposition of the auxiliary feedwater (AFW) flow control valves, atmospheric dump valves (/DVs), and turbine bypass valves.

(TBVs), and (3) the reduction of the main feedwater pumps' speed to a minimum speed of 2500 rpm.

Further, the loss of ICS also resulted in the loss of remote.

control of the affected valves from the control room.

The immediate effect of the loss of ICS was rapidly decreasing-feedwater flow, an undercooking condition, and a corresponding increase in reactor coolant system (RCS) pressure as the RCS heated up.

The plant operators noticed the undercooking condition but were unable to alleviate the rapid pressure increase, and the reactor tripped on.

overpressure 16 seconds after power to the ICS was lost.

Additionally, both AFW pumps initiated because of low pressure at the discharge side of the main feedwater pump and were delivering feedwater to the steam generators within l

seconds of the reactor trip.

Secondary side steaming through the open ADVs and f

l TBVs resulted in RCS heat loss significantly in excess of the generation of decay heat.

This significantly increased the rate of heat removal (i.e., over-cooling condition) and caused a rapid reduction in both RCS temperature.and pressure and corresponding shrinkage of the RCS (i.e., decreasing pressurizer i

level).

The plant operators recognized the overcooling condition and tha pres-'

surizer level decrease.

In response,-they initiated several actions to.miti-gate these conditions including:

(1) increasing the rate of addition of makeup water to the RCS, (2) manually starting a high pressure injection pump to add-additional water to the RCS, and (3) terminating AFW flow to (and steaming from) the steam generators by closing the AFW flow control valves, ADVs, and TBVs.

However, loss of ICS had resulted in the loss of remote manual control of the AFW flow control valves, ADVs, and TBVs, and operators were dispatched to operate the valves locally.

Approximately 3 minutes into the event, the RCS pressure decreased to 1600 psi.

This initiated the safety features actuation system.(SFAS).

SFAS initiation caused the start of the low pressure injection pumps, the emergency diesel generators, and control room heating, ventilation, and air conditioning (HVAC).

SFAS also sent start signals to the high pressure injection and AFW pumps and isolated the containment building.

All SFAS components functioned as designed.

Although the operators who were dispatched to locally operate the'ADVs, TBVs, and AFW flow control valves were able to terminate secondary side steaming by closing the ADVs and TBVs within about 10 minutes of initiation of the event, they encountered problems in trying to isolate AFW flow by closing the AFW flow control valves.

One operator thought he had completely closed the "B" AFW flow control valve, but he had left it partially open.

Although the "A" AFW flow control valve was closed, the operator believed it was still partially open; in Rancho Seco Restart SER 2

attempting to close it further with a " cheater" bar, he damaged the valve and l

i the valve reopened.

Efforts to close a downsteam manual isolation valve also

}

failed.

The "B" AFW flow control valve was subsequently closed all the way but the "A" AFW flow control valve and flow path to the "A" steam generator re-I mained open.

As a result, the steam generator overfilled and water flowed into the steam lines.

Approximately 26 minutes after the reactor trip, operators restored power to the ICS by reclosing two switches that had tripped in an ICS cabinet.

Once the ICS power was restored, operators regained remote manual control of the open AFW flow control valve and were able to close the valve, stop the overcooling, and begin stabilizing the plant.

During the transient, the RCS cooled down a total of 180 F in approximately 26 minutes.

This rate of RCS cooldown was in excess of the limits in the plant technical specifications.

Although the RCS was safely depressurized to eliminate any pressurized thermal shock concerns within an hour of event initiation, the transient was not terminated without complications or damage to plant components.

Approximately 16 minutes after the reactor trip, the source of water [i.e., borated water storage tank (BWST)] for makeup pump addition to the RCS was isolated by the operators.

The makeup pump overheated and was destroyed because the operators failed to align the makeup tank to the makeup pump before isolating the BWST.

Further, as a result of this damage, approximately 1200 gallons of contaminated water spilled on the pump room floor.

However, the spill did not result in any significant onsite or offsite radioactivity release or dose of radioactivity to personnel.

The "Unusual Event" declared by the licensee shortly after event initiation was terminated approximately 41 hours later.

2.2 NRC Actions, Principal Meetings, and Principal Correspondence

On December 26, 1985, the day of the transient, the NRC Region V Administrator sent two Confirmatory Action Letters to the licensee that delineated and confirmed the actions the licensee would have to take before returning Rancho Seco to power operation.

Specifically, the licensee would (1) conduct a root cause analysis of the reactor trip that occurred on December 26, 1985, (2) provide the NRC with a briefing on the assessment of the root cause, and (3) provide justification to the NRC that the Rancho Seco facility is ready to resume power operation.

Additionally, the licensee would delay any repair work planned on equipment that malfunctioned during the incident until both licensee and NRC inspection teams had evaluated the event.

Because of the significance of the event, an NRC Augmented Inspection Team (AIT) of combined regional and headquarters personnel was sent to the site on December 27, 1985, and began initial investigatory efforts on December 28th. The preliminary results of these efforts indicated that the event was complex and had potentially significant generic implications.

Accordingly, on December 31st, the investigation was upgraded by establishing an Incident Investigation Team (IIT) consisting of NRC headquarters personnel with expertise in reactor systems, reactor operations, human factors, and instrumentation and control systems.

The IIT was charged with finding the facts of the incident, investigating the probable cause, and making appropriate findings and conclusions that would form the basis for any future actions.

The team was to focus specifically on (1) the design and response of the ICS and (2) operator performance and training as they related to the loss of ICS during the event.

The report of the IIT (NUREG-1195, "Loss of Integrated Control System Power and Overcooling Transient at Rancho Seco on December 26, 1985"), including its findings and conclusions, was presented to the Commission at a public meeting on February 25, 1986.

The report concluded that the fundamental causes of the transient were design weaknesses and vulnerabilities in the ICS and in the equipment controlled by that system.

Further, these weaknesses and vulnerabilities were not adequately compensated for by other design features, plant procedures, or operator training.

In addition to the investigatory efforts of the IIT, NRC regional and headquarters staff initiated parallel efforts to assess the event and develop recommendations for corrective actions to be taken in response to the overcooling transient.

These efforts were intended to provide the licensee with the NRC staff's early assessment of the problems and deficiencies identified in the review and corresponding issues that would require resolution before plant restart.

These efforts provided the basis for developing the licensee's "Rancho Seco Action Plan for Performance Improvement" (Rev. 0, July 3, 1986; Rev. 1, December 15, 1986; Rev. 2, February 28, 1987), scheduling subsequent meetings and exchange of correspondence to address identified issues and discuss the licensee's plans for corrective action.

Since early February 1986, the licensee and NRC staff have met many times and have exchanged much correspondence related to the rehabilitation of Rancho Seco.

Significant meetings and correspondence are listed in Appendix A.

In addition to the principal meetings and correspondence listed in Appendix A, there have been numerous other meetings, conference calls, and exchanges of correspondence related to the licensee's action plan and the staff's related detailed review and evaluation of the action plan.

2.3 Summary of Licensee Response

The licensee's initial response to the December 26, 1985 incident was focused primarily on correcting the problems and deficiencies and resolving the issues directly related to the overcooling event.

This response included an in-depth investigation of the event and determinations of root cause to gain a complete understanding of the implications and issues that would have to be resolved before the plant could restart.

An "action list" was developed and, upon completion of the items on that list, it was the licensee's intention to forward closure reports for those items to the NRC to document the resolution of issues identified for corrective action.

This corrective action program was intended to support a quick return to power operations.

(Just one month after the event, the licensee expressed its intention to resume power operations on March 8, 1986.) However, on subsequent communication with the NRC and associated discussions of issues in need of resolution (meeting on February 10, 1986 and issuance of the IIT report findings and conclusions on February 25, 1986), the licensee recognized that the identified design and programmatic deficiencies were symptomatic of more serious problems than those associated with just the overcooling event and would require a corrective action program that embodies more than the narrow focus of just the overcooling event.

Accordingly, in the spring of 1986, the licensee embarked on a comprehensive Plant Performance and Management Improvement Program (PP&MIP) that responded to a broader range of issues than just the problems and deficiencies related to the overcooling transient.

2.3.1 Plant Performance and Management Improvement Program

The PP&MIP is designed to systematically evaluate the plant, its systems and their operation, and the management programs and organization necessary to support the safe and reliable operation of Rancho Seco.

The specific goals of the PP&MIP are to:

(1) reduce the number of reactor trips, (2) reduce challenges to safety systems, (3) ensure that the plant remains within allowed ranges of reactor coolant system pressures and temperatures immediately following a reactor trip, (4) ensure compliance with license requirements, (5) minimize the need for operator actions outside the control room, and (6) improve the reliability and availability of the plant.

On the basis of anticipated benefits from the PP&MIP, the licensee established near-term performance goals for returning Rancho Seco to power operations.

Those goals include plant availability exceeding 60%, a forced outage rate of less than 10%, and fewer than three reactor trips per year.

The PP&MIP is structured to achieve these three goals by implementing four program elements or phases, as shown in Figure 2.1.

The first phase, called the input phase, is devoted to identifying issues or deficiencies in plant design, operations, procedures, training, maintenance, management, and management processes, and to developing recommendations for corrective actions that will support safe and reliable plant operation.

The second phase, called the evaluation and disposition phase, consists of screening and validating recommendations for their significance, merit, clarity, and duplication, and determining an appropriate course of action or disposition for the recommendations.

The third phase, called the implementation phase, involves the actual implementation of each of the dispositioned recommendations in an efficient, effective, and timely manner, consistent with their importance to safety.

The fourth phase, called the closure phase, ensures that closure of the implemented recommendations is complete in that the issues are adequately addressed and the implementation is in accordance with plant procedures.

More detail about each of the four phases in the PP&MIP process is provided below.

As shown in Figure 2.1, issues and deficiencies related to plant performance and recommendations for corrective action come primarily from three sources:

the Department Managers Hardware and Programmatic Recommendations, the Management Process Review Recommendations, and the Systematic Assessment Process Recommendations.

Further, recommendations for additional plant modifications or corrective actions may develop as "feedback" from the systems review and test program, a key element in the implementation phase.

The Department Managers Hardware and Programmatic Recommendations are developed from an assessment of the plant design, management, operations, and administrative system deficiencies based on existing reports and evaluations (e.g., NUREG-1195, INPO Audit Reports, and the November 1984 "Management Appraisal Report" by LRS Consultants).

The Management Process Review Recommendations are developed by a group that is established to review previous (i.e., the last 5 years) management audits and assessments and licensee responses and commitments related to these assessments, assessments of current management processes and functions, and abstracted assessments of management from other elements of the PP&MIP.

The Systematic Assessment Process is developed to perform a detailed review of the Rancho Seco design and experience as well as appropriate industry experience.

The Systematic Assessment Process develops recommendations from six areas or sources:

(1) precursor reviews, (2) plant staff interviews, (3) deterministic failure consequence reviews, (4) Babcock and Wilcox (B&W) Owners Group Safety and Performance Improvement Program (SPIP), (5) December 26, 1985 overcooling event and NUREG-1195, and (6) selected projects (e.g., Motor Operated Valve Refurbishment Program, Implementation of IE Bulletin 85-03 Items).

As shown in Figure 2.1, the Department Managers Hardware and Programmatic Recommendations and Management Process Review Recommendations are sent directly to the Performance Analysis Group (PAG).

The PAG is made up of the Nuclear Department Managers and is responsible for reviewing and determining the appropriate disposition of the forwarded recommendations.

The recommendations from the Systematic Assessment Process are first sent to the Recommendations, Review and Resolution Board (RRRB).

The RRRB is a multi-discipline group of individuals who have appropriate nuclear experience and training drawn from the Sacramento Municipal Utility District (SMUD), another B&W reactor facility, B&W, and the Rancho Seco architect/engineering firm (Bechtel).

The RRRB is responsible for screening recommendations for clarity and duplication, evaluating the recommendations in relation to issues of concern, and recommending appropriate disposition and priority for the recommendation based on its merit and significance to safe and reliable plant operation.

Recommendations from the RRRB are sent either to the PAG for further consideration and disposition or, if the recommendation is system related, to an assigned systems engineer in the Systems Review and Test Program.

All recommendations sent to PAG are evaluated for appropriate course of action and, if they are found valid, are forwarded to the appropriate departments (e.g., maintenance, training, etc.) for implementation.

When a recommendation has been implemented, including system testing if appropriate (e.g., requirement of the System Review and Test Program), the recommendation and a closure document are forwarded to the Quality Assurance (QA) Department.

The QA Department verifies that the recommendation is complete and validates the effectiveness of the recommendations as elements of the closure process.

The PP&MIP included the systematic assessment of approximately 4000 recommendations for corrective action and the extensive review and testing of 33 selected plant systems to demonstrate the functional capability of systems important to the safe operation of Rancho Seco.

The PP&MIP is also discussed in Section 3.7.1 of this SER.

2.3.2 Evaluation of the Plant Performance and Management Improvement Program

Following the December 26th event and its investigation, the licensee developed a systematic assessment program to identify and prioritize all issues that might negatively impact the future performance of Rancho Seco.

This program, known as the Plant Performance and Management Improvement Program (PP&MIP), was designed by the licensee to comprehensively identify all known problems that had occurred, or that could be anticipated to occur in the future, based on experience elsewhere.

The resolution of each problem was prioritized by the licensee as a restart, near-term, or long-term item.

The program was described in detail by licensee procedure QCI-12, Plant Performance and Management Improvement Program.

This program developed problem statements from several sources:

a precursor review of historical documents and recommendations; interviews with a cross-section of the plant staff (180 interviews); a deterministic failure analysis for the effect of loss of electrical power, instrument air, and control power on plant operations; incorporation of relevant Babcock and Wilcox (B&W) Owners Group Safety and Performance Improvement Program (SPIP) recommendations; NUREG-1195, the Incident Investigation Team (IIT) report of the December 26th event; and other miscellaneous information.

The problem statements were organized by type or system, reviewed by two licensee boards to eliminate redundancy, and assigned priorities for implementation.

At the same time, the recommendations were combined with the functional and test requirements of each plant system to produce a reference document for each system, the system status report.

The NRC staff reviewed the licensee's program as recommendations were developed, and verified that it was organized and conducted as described by procedure QCI-12.

To evaluate the completeness of the set of recommendations produced by the program, the NRC's augmented system review and test program (ASTRP) inspection (see Section 3.7.2 of this SER) involved intensively reviewing the system status reports for 5 of 33 key systems identified by the licensee.

One conclusion reached in the was that the licensee's QCI-12 process had been adequate in identifying problems.

In addition, the NRC staff reviewed the licensee's problem prioritization for two systems (nuclear service cooling water and nuclear service raw water) and concluded that the licensee's problem prioritization was also adequate (Inspection Reports 50-312/87-13 and 50-312/87-20).

However, two significant aspects of this SER evaluation remain unresolved.

The ASTRP inspection identified some examples which illustrated that the licensee's proposed resolution of some problems identified by the PP&MIP was inadequate.

The licensee has initiated a major rereview of engineering work to correct this problem.

A major reinspection of this effort and previous ASTRP findings is planned for early October 1987 to resolve this question.

Inspection Report 50-312/87-13 identified that the licensee had, as the outage complexity grew, developed partially redundant lists of problem statements which were not completely consistent.

As a consequence, the licensee has not been able to clearly identify all of the currently identified problems which were intended to be fixed before restart.

This issue must be reviewed again by the NRC staff when the licensee's single list is available, to complete the PP&MIP SER evaluation.

This SER item, therefore, remains open pending verification by the ASTRP reinspection and by the NRC staff inspection that the problem resolution and tracking portions of the PP&MIP are adequate.

Additional discussion of the resolution of this issue will be included in a supplement to this SER or in an NRC inspection report.

3 RESOLUTION OF CONCERNS RELATED TO DECEMBER 26, 1985 EVENT

3.1 Plant Electrical and Instrumentation and Control Systems

3.1.1 Integrated Control System and Non-Nuclear Instrumentation System

3.1.1.1 ICS/NNI System Description

ICS Description

The integrated control system (ICS) is a non-safety-related system that coordinates the action of a variety of plant equipment to make the adjustments necessary to match power (megawatts) generated to power (megawatts) demanded by balancing steam production and steam usage.

The ICS was used first on Babcock and Wilcox (B&W)-designed fossil-fueled generating plants and later was adapted for use on B&W-designed nuclear plants.

The ICS is essentially the same for fossil-fueled plants as for nuclear plants, except that the input to controls that are unique to the nuclear plants (such as pressure control of the reactor coolant system) are provided by the so-called non-nuclear instrumentation (NNI) system.

The first nuclear application of the ICS was the Type 721 design which is installed in the two earliest B&W-designed plants (i.e., Oconee and Three Mile Island).

The second generation of the ICS is the Type 820 design which is installed at the Rancho Seco plant and at all other B&W-designed plants.

These two designs are similar at the functional level, but the detailed design and the actual hardware differ significantly, especially with regard to power distribution and manual control upon loss of power, which are discussed below.

The following description contrasts the integrated control scheme that characterizes the ICS with the discrete, separate control schemes that characterize non-B&W systems.

This section also describes the four major portions of the ICS and the interface between the ICS and the NNI system.

The nature of the ICS output control is presented, followed by a discussion of how these output signals change upon loss and restoration of ICS power.

(1) Fundamental Control Scheme

Operating nuclear power plants use three fundamental control schemes.

In each of these schemes, the reactor and the steam generator are considered as a unit (i.e., the steam production portion of the plant) and the main turbine and generator are considered as another unit (i.e., the steam usage portion of the plant).

The purpose of these control schemes is to match the megawatts produced (in the steam production portion) to the megawatts demanded by balancing steam production to steam usage.

In the first control scheme, the turbine generator responds to changes in electric demand, and the reactor and steam generator subsequently are readjusted to maintain the needed steam conditions.

This scheme has the advantage of rapid, accurate, electrical output changes, though some steam flow instabilities may result.

In the second control scheme, the reactor and steam generator respond to changes in electrical demand, and the turbine generator is subsequently readjusted to satisfy the new demand.

This scheme has the advantage of good plant stability, but involves a slower response to changes in electrical demand.

The third scheme, which is used at Rancho Seco, combines the first two schemes into an integrated control scheme.

The objective of the combination is to take advantage of both fast plant response and good plant stability.

In the ICS, steam usage (i.e., steam flow) is controlled by modulating the turbine throttle valves to maintain a constant steam header pressure.

Steam production is controlled by maintaining a constant average temperature (Tave) in the reactor coolant system and modulating feedwater flow.

In this control scheme, the turbine steam header pressure is used as an index of whether steam flow and steam production are in balance.

On the reactor and steam generator side, Tave is used as an index of whether feedwater and nuclear heat are in balance.

Figure 3.1 illustrates the fundamental control concept of the ICS at Rancho Seco.

The ICS sends demand signals simultaneously to both the steam flow controls and the steam production controls.

This scheme achieves fast response by initially borrowing energy from the steam generators (resulting in reduced steam pressure) and subsequently redepositing the energy as the reactor power setpoint for the steam header pressure is artificially reduced temporarily.

This action causes the turbine governor valves to open further, immediately increasing steam flow and turbine generator output.

As the reactor and steam generator respond to their demand signals and produce more steam, the energy borrowed is replaced as the pressure returns to the original setpoint value.

The Rancho Seco integrated control scheme is a single, tightly interwoven, and complex system involving both feedback and anticipatory feed forward signals throughout the plant.

Control schemes at other plants (e.g., at plants designed by Westinghouse and the General Electric Co.) use several electrically separate and independent control systems to balance steam production and steam usage.

For example, one control system maintains the turbine steam flow at a constant value; another control system matches feedwater flow to steam flow; and a third control system maintains reactor power at a constant value.

The primary advantage of separate control systems is that when a single control system fails, the other control systems are electrically independent, are not affected, and, therefore, tend to stabilize overall plant conditions.

When the power to the ICS fails, control of turbine steam flow, feedwater flow, and power level are all affected.

(2) Block Diagram

Figure 3.2 illustrates the four major equipment subsystems of the ICS:

the unit load demand, integrated master control, feedwater control, and reactor control.

[Figure 3.1 Rancho Seco basic plant control concept]

[Figure 3.2 Rancho Seco integrated control system]

The unit load demand subsystem is the primary interface between the ICS and reactor operators and includes features for load setting (i.e., demand), limiting plant runbacks, and automatic tracking to maintain plant conditions within predetermined limits.

The integrated master control subsystem serves several purposes.

First, it provides the desired electrical output power based upon the electric megawatt demand signal.

Second, it maintains a constant steam header pressure.

One output of the integrated master control interfaces with the electrohydraulic control unit of the turbine generator.

Another output signal controls the bypass of steam around the turbine directly to the condenser (i.e., the turbine bypass valves) and controls the dump of steam to the atmosphere (i.e., the atmospheric dump valves).

It also calculates the demand signals for feedwater and reactor power.

The integrated master subsystem is the master control for the feedwater control and the reactor control subsystems.

The feedwater control subsystem matches the actual feedwater flow to the feedwater demand signal from the integrated master control subsystem.

The total feedwater flow is also balanced between the two once-through steam generators (OTSGs) so as to maintain equal heat transfer (i.e., the returning cold-leg temperatures are maintained essentially equal regardless of OTSG fouling and the number of plugged tubes).

The feedwater control subsystem will receive a "cross limit" signal from the reactor control subsystem if the difference between main feedwater (MFW) flow demand and actual MFW flow exceeds a predetermined limit.

(A cross-limit is an additional control signal that is produced when a controlled variable is outside the normal control range.)

The feedwater control subsystem sends a cross-limit signal to the reactor control subsystem to reduce or increase power if the reactor power and reactor demand differ by a predetermined limit.

The feedwater control subsystem also includes a "Btu limiting" feature to limit the MFW demand signal so that the final steam temperature is maintained.

The primary output of the feedwater control subsystem is control signals to the MFW flow control valves (both startup and main) for each OTSG.

Another output controls the MFW pump speed in order to maintain a specified pressure drop across the flow control valves as the MFW flow changes.

Another output modulates the auxiliary feedwater (AFW) flow control valves.

The reactor control subsystem matches the actual reactor power to the power demand signal from the integrated master subsystem, while maintaining Tave at a constant value.

The reactor control subsystem accomplishes this by sending signals to withdraw or insert the reactor control rods when the neutron power is outside a "deadband" around the neutron power demand.

The ICS is closely coordinated with the NNI system since the purpose of a control system is to adjust the actual value of a process variable to a desired (i.e., demand) value.

The NNI system provides the input signals to the ICS that represent the actual values of numerous plant variables.

When the signals representing plant variables are accurate and the ICS is functioning properly, plant control is smooth.

If the NNI system signals are not accurate, the ICS cannot sense the discrepancies and will initiate control actions based upon the erroneously indicated conditions.

The resulting ICS control actions will not be appropriate and, as a result, a transient may be introduced throughout the plant that can be severe.

Many of the indicators in the control room (both meters and recorders) are non-safety-related output devices and are in many cases part of the NNI system; hence, they are generally independent of the ICS.

However, there are exceptions that had not been generally recognized before the December 26th incident.

For example, the MFW flow recorders indicated a value near midscale because of the loss of ICS dc power, when MFW flow was actually zero.

(3) Output Signals

The electrical output signals of the ICS at Rancho Seco take various forms.

Throughout the internal modules of the ICS, a standard signal is used that varies between -10 V dc and +10 V dc.

For control valves throughout the plant, the ICS output signal reflects this standard signal (where -10 V dc corresponds to fully closed, 0 V dc corresponds to a 50% open position, and +10 V dc corresponds to fully open).

This format was adopted because the ICS designers believed that the 50% positions, that would occur upon loss of ICS power, would result in a transient of less magnitude than either a fully closed or a fully open demand signal.

At Rancho Seco, the principal valves that are controlled by the standard ±10 V dc signal are the turbine bypass valves (TBVs), atmospheric dump valves (ADVs), MFW flow control valves (both startup and main), and AFW (ICS) flow control valves.

In addition, the ICS output signal to the turbine throttle valves (via the electrohydraulic control) is in the form of pulses.

Positive pulses cause the valves to open; negative pulses cause the valves to close; and zero output causes no motion.

The ICS output signal for the MFW pump speed varies from zero to +10 V dc.

A signal of 3.4 V or less corresponds to minimum speed and 7.3 V dc or greater corresponds to maximum speed.

The ICS output signal for the reactor control rods is either +5 V dc, 0 V dc, or -5 V dc.

The positive voltage corresponds to rod withdrawal; the negative voltage corresponds to rod insertion; and 0 V dc corresponds to no motion.
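The output encodings described above determine what each actuator is asked to do when the ICS output goes dead, which the following decoder makes concrete. It is an added example, not code from the report or from the ICS designers; the 0 V de-energized output, the linear pump-speed interpolation between 3.4 V and 7.3 V, the ±2.5 V rod threshold, and the sample commanded values are assumptions.

```python
# Added example (not from the report): decode the ICS output encodings
# described in the text and show what a de-energized output demands.

DEAD_OUTPUT_V = 0.0  # assumption: an ICS output that has lost power reads 0 V dc

# Encoding used by each output, per the text.
OUTPUT_KIND = {
    "TBV": "valve",
    "ADV": "valve",
    "MFW startup valve": "valve",
    "MFW main valve": "valve",
    "AFW (ICS) valve": "valve",
    "MFW pump speed": "pump",
    "control rods": "rods",
    "turbine throttle": "pulse",
}


def valve_open_pct(volts):
    """-10 V dc = fully closed, 0 V dc = 50% open, +10 V dc = fully open."""
    v = max(-10.0, min(10.0, volts))
    return (v + 10.0) * 5.0


def pump_speed_pct(volts):
    """<= 3.4 V = minimum speed (0% of span), >= 7.3 V = maximum (100%).
    Linear interpolation in between is an assumption, not from the text."""
    if volts <= 3.4:
        return 0.0
    if volts >= 7.3:
        return 100.0
    return round((volts - 3.4) / (7.3 - 3.4) * 100.0, 1)


def rod_motion(volts):
    """+5 V dc = withdraw, -5 V dc = insert, 0 V dc = no motion.
    The +/-2.5 V decision threshold is an assumption."""
    if volts > 2.5:
        return "withdraw"
    if volts < -2.5:
        return "insert"
    return "none"


def throttle_motion(pulse):
    """Positive pulse = open, negative pulse = close, zero output = no motion."""
    if pulse > 0:
        return "open"
    if pulse < 0:
        return "close"
    return "none"


DECODERS = {
    "valve": valve_open_pct,
    "pump": pump_speed_pct,
    "rods": rod_motion,
    "pulse": throttle_motion,
}


def decode(name, value):
    """Translate one raw ICS output into the demand seen by the actuator."""
    return DECODERS[OUTPUT_KIND[name]](value)


def loss_of_power_changes(commanded):
    """Return {output: (demand_before, demand_after)} for every output whose
    demand changes when the ICS output drops to DEAD_OUTPUT_V."""
    changes = {}
    for name, value in commanded.items():
        before = decode(name, value)
        after = decode(name, DEAD_OUTPUT_V)
        if before != after:
            changes[name] = (before, after)
    return changes


# Constructed sample of commanded outputs just before a loss of ICS power.
SAMPLE_COMMANDED = {
    "TBV": -10.0,               # closed
    "ADV": -10.0,               # closed
    "AFW (ICS) valve": -10.0,   # closed
    "MFW startup valve": 10.0,  # fully open
    "MFW main valve": 4.0,      # 70% open
    "MFW pump speed": 5.35,     # mid-span
    "control rods": 0.0,        # no motion
    "turbine throttle": 0,      # no pulse
}

if __name__ == "__main__":
    for name, (before, after) in loss_of_power_changes(SAMPLE_COMMANDED).items():
        print(f"{name}: {before} -> {after}")
```

Under these assumptions, every valve on the ±10 V dc signal moves to a 50% demand regardless of what was commanded, while the pulse and rod outputs simply stop moving.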

NNI System Description l

The NNI system measures plant process parameters and transmits information about them to the operator and/or the automatic (protective, regulat.ing, or l

auxiliary systems) controllers.

The NNI system provides signals used to l

indicate, record, alarm, interlock, and control five basic process variables:

pressure, temperature, flow, level, and component position.

The NNI system provides the input information about the process variables necessary for the operation of the integrated control system (ICS).

In addition, the NNI system provides instrumentation for measurement and control 'of process variables necessary for proper operation of the reactor coolant system, secondary plant system, makeup and purification system, core flood system, and decay heat removal system.

The functions of the NNI system primarily serve plant startup, operation, and shutdown.

The NNI system is not safety related and is independent of the plant protection system instrumentation (i.e., the reactor protection system and the safety features actuation system).

3.1.1.2 ICS/NNI System Power Supply and Distribution System Description

Proper operation of the ICS and NNI system is dependent on external ac electric power and internal dc power.

This section provides a summary description of the power sources external and internal to the ICS/NNI system.

Detailed descriptions are provided in subsequent sections.

Alternating current (ac) power is needed for a variety of purposes, including operation of field-mounted equipment that is controlled by the ICS, operation of signal conditioning modules within the ICS/NNI system, operation of interlock/control relays within the modules, and operation of control room indicators (meters and recorders).

The first nuclear application of the ICS (at the three Oconee plants and the two Three Mile Island plants) was the Model 721 design.

In the 721 design, two separate 120-V ac power feeds are provided for automatic control and hand (manual) control of the ICS.

In this design, loss of ac power to the automatic controls will not affect the manual controls (i.e., manual control is still possible).

Also, each ICS/NNI system signal conditioning module has a 120-V ac input.

Low-voltage dc power is developed by a power supply within the module.

Since each module contains its own dc power supply, a loss of dc power will only affect the single associated module, much like other failures within the module.

The later ICS/NNI system design, typical of the remainder of the B&W-designed plants operating today (Arkansas Nuclear One, Davis-Besse, Crystal River, and Rancho Seco) is the Model 820 design.

In this design, redundant ac power feeds are also provided; however, the manual/automatic control station modules are so designed that power for manual control is not separate from power for automatic control.

Therefore, loss of power to the automatic controls also results in the loss of power to the manual controls.

Another significant design difference is that the Model 820 system uses a centralized dc power supply system to provide power to all signal conditioning modules and interrelated interlock/control relays.

The dc power system includes a power supply monitor (PSM) module designed to shut off all dc power if the voltage on the dc distribution buses falls outside a specified range.

When dc power is lost, either because of failures within the ICS/NNI system or because of operation of the PSM, all ICS or NNI system signal conditioning units are affected.

Operating experience has shown that the effect on plant equipment and the plant response that results from the loss of control capability can lead to complex transients, involving the actuation of safety systems, that challenge the ability of the operators to mitigate the transient without causing the primary system to undercool or overcool.

Figure 3.3 is a conceptual overview of the electric power distribution to the Model 820 ICS such as that used at Rancho Seco.

A primary (or normal) source of 120-V ac power is provided, as well as an active secondary (or backup) source.

Typically, an automatic bus transfer (ABT) device is provided to switch the 120-V ac loads from the primary source to the backup source when a failure of the primary source occurs.

The ABT is designed to provide transfer to the backup power source so that there is no noticeable effect on plant operation.

[Figure 3.3: diagram not reproduced. Recoverable labels: redundant 120-V ac power feeds (primary/normal source, secondary/backup source, automatic bus transfer); 120-V ac power (control relays, field equipment, panel meters, etc.); switches S1 and S2; alarms; 24-V dc power supplies and power supply outputs; power supply monitor; auctioneering diodes; ICS 24-V dc buses; 24-V dc power (signal conditioning modules, switching relays, etc.). Note: NNI-X and NNI-Y power distribution are similar.]

Figure 3.3 Model 820 integrated control system internal power distribution

The dc power supply system consists of two pairs of redundant 24-V dc supplies.

Each pair (one positive power supply and one negative supply) is energized by one of the two incoming 120-V ac feeders.

Each pair of supplies feeds the positive and negative 24-V dc distribution buses through isolation diodes.

The diodes act to separate the supplies and to provide "auctioneering" between the redundant supplies (i.e., the supply with the higher output voltage will provide power to the loads).

Therefore, if the output voltage of either supply should fall for any reason, its redundant supply will assume the full load.

Accordingly, the loss of either one of the incoming ac power feeds or one of the redundant pairs of dc power supplies should not have a direct effect on either the ac- or dc-powered portion of the ICS.

The dc power supply system includes equipment protective features for overvoltage, overcurrent, and undervoltage.

The undervoltage detection and "protection" for all dc loads are provided by a single PSM module.

The PSM monitors the voltage within the positive 24-V dc distribution system and the negative 24-V dc distribution system.

If either the positive or negative 24-V dc bus falls below a preset level, the PSM is designed to trip open both shunt trip switches (S1 and S2) to interrupt the incoming ac power feeds to all four dc power supplies.

The basis for this design is that the ICS/NNI system signal conditioning modules were specified, procured, and designed to function properly only when the supply voltage to them is within 10% of 24-V dc.

Therefore, when a degradation of dc power (beyond that for which the modules were designed to operate properly) is detected, the system is deliberately forced by design into a complete loss-of-dc-power condition because the plant response to a complete loss of dc power is thought to be better defined/understood than the plant response to a degraded power condition, which is unknown.

Figure 3.4 illustrates how ac and dc power are used throughout the NNI system and the ICS and its actuated equipment.

3.1.1.3 ICS/NNI System Operating History

ICS Operating History

On January 5, 1979, a reactor trip occurred which was initiated by the loss of ICS dc power at Rancho Seco.

The trip was caused by a short to ground in the ICS and resulted in a subsequent reactor cooldown that exceeded the limits in the plant technical specifications.

(The reactor coolant system was cooled by approximately 120°F in 15 minutes.) During this event, a technician performing a modification to the ICS accidentally shorted the circuit to ground, causing the 24-V dc power supply monitor to trip.

The loss of power resulted in the feedwater valves going to the mid-stroke position, which caused the reactor coolant system pressure to increase, causing a reactor trip.

Subsequent overcooling caused RCS pressure to decrease, causing SFAS actuation, which in turn caused AFW to initiate.

Thus, the course and consequences of this event were very similar to the December 26th incident.

During the 1979 event, there was a compounding problem of a switch error that caused a lack of indication of SFAS Channel A actuation.

On early occasions when ICS power was lost during its first year of operation, Rancho Seco experienced several transients caused by loss of power to the ICS.

These transients occurred because the ICS had only a single 120-V ac power supply (i.e., the system lacked a backup power supply).

The system was modified to provide a redundant power supply, a configuration which had served well before the December 26th event.

These earlier events did not result in excessive overcooling as did the 1979 and 1985 loss-of-dc-power events.

In the years immediately preceding the December 26th event, the ICS had become the subject of an ever-broadening preventive maintenance, calibration, and tuning program.

During plant startup in the fall of 1985, a comprehensive ICS tuning program had been achieved, as well as a program to minimize the effects of contact resistance buildup on switches and relays within the ICS.

As a result of this attention, the ICS was operating smoothly when the trip occurred on December 26th.

The December 26th transient resulted from the consequences of loss of ICS control.

However, the licensee stated that, in its experience, a properly tuned ICS can allow, and has many times allowed, the plant to remain on-line when electrical grid upsets or internal plant equipment malfunctions occurred.

The licensee is quite satisfied with the ability of the Rancho Seco ICS to control the dynamic transfer of reactor generated heat.

NNI System Operating History

On March 20, 1978, Rancho Seco experienced a severe transient as a result of a loss of power to the NNI system which provides the input signals to the ICS.

During this event, which has come to be known as "the lightbulb incident," an operator was removing a lightbulb from a back-lighted push button in the control room.

While handling the bulb, he dropped it into the cavity left after removing the bulb retainer.

This caused a short circuit on the V dc NNI-Y power system, which was not adequately fuse protected.

The power supply monitor for the NNI-Y detected the low bus voltage caused by the short circuit and tripped the 120-V ac input switches (S1 and S2).

Although the initial problem occurred in the NNI system, it resulted in a mid-scale failure of signals being sent from the NNI system to the ICS.

Although the cooldown rate of the primary system was excessive (the plant was cooled 300°F in 80 minutes), the operators were able to stabilize the plant.

During the event, the safety features actuation system (SFAS) actuated automatically because of low RCS pressure.

Following this event, the licensee was concerned that this previously unrehearsed situation had caused considerable uncertainty with respect to the validity of the instrumentation in the control room.

As a result, the licensee conducted an extensive review of the event.

The specific changes made as a result of this review include

- installation of changes to reduce the likelihood that a dropped lightbulb would cause a short circuit
- installation of lower rated fuses to clear faults faster
- installation of a separate power supply system for NNI system instrument selector switches
- installation of fuses in NNI system circuits that previously had no fuses
- installation of new instrumentation independent of NNI
- preparation of procedures for loss of NNI and training of the operators on the use of the procedures

On March 19, 1984, a hydrogen explosion and fire occurred in the electrical generator at Rancho Seco while the plant was operating at 85% of full-rated power.

Following the explosion, the turbine was tripped manually from the control room, causing an immediate reactor trip.

The fire was extinguished automatically by the area CO2 system, and the plant was safely shut down.

Twice within the next several hours, the plant experienced a partial loss of NNI system power.

The March 19, 1984 loss of NNI was the result of a single failure of an inverter compounded by a separate undetected NNI system power supply monitor setpoint drift.

These failures caused the loss of the redundant NNI system power sources.

This event did not adversely affect the plant, although it did complicate the response to the explosion and fire.

3.1.2 ICS/NNI System Failure Modes and Effects on Plant Operation

3.1.2.1 Root Cause of December 26, 1985 Loss-of-ICS-Power Event

The licensee has evaluated the root cause of the December 26th event and has reached the conclusions given below.

(1) Root Cause Evaluation by the Licensee

The direct cause of the December 26th event was the loss of ICS dc power caused by a manufacturing error on a lug improperly installed on a factory prepared wire.

The resulting connection exhibited variable resistance at the input to the ICS power supply monitor (PSM).

The resulting variable voltage led to the PSM tripping when the ICS was still being supplied with nominal voltage and power.

Contributory Causes:

The power supply monitor is sensitive to resistance in series with its voltage input.

As little as 1 ohm was found to cause the trip point to increase.

Approximately 5 ohms was sufficient to cause the PSM to trip at its nominal operating voltage, 24 V dc.

Corrective action involves wiring the PSM directly to the dc source bus rather than to the end of the distribution bus.

The S1 and S2 source switches were found to have short time-delay characteristics of approximately 0.15 second, although the specification is for 0.5 second.

This made the switches more sensitive to the short-term intermittent trip signals generated by the PSM.

To correct this problem, new switches had to be installed, a time-delay measurement had to be included in the surveillance test, and these corrective actions had to be applied in the similarly configured NNI systems.
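The interaction of the design features described above (diode auctioneering, a single PSM that opens both S1 and S2, and the switch time delay) can be worked through in a small model. This is an added example, not part of the SER or the licensee's analysis; the 21.6 V trip level, the 3 V loss at the PSM input, the 50 ms sample step, and every voltage trace are assumptions constructed for illustration.

```python
# Added illustration, not code from the SER or the licensee.
# Assumptions: PSM preset level = 24 V - 10 %; diode drop ignored; bus values
# are magnitudes; every voltage trace below is constructed sample data.

NOMINAL_V = 24.0
PSM_TRIP_V = 0.9 * NOMINAL_V   # assumed preset level (21.6 V)
SPEC_DELAY_MS = 500            # S1/S2 time delay per the specification
FOUND_DELAY_MS = 150           # approximate delay found on the installed switches
STEP_MS = 50                   # sample interval of the constructed traces


def auctioneer(supply_1, supply_2):
    """Isolation diodes: the supply with the higher output carries the bus."""
    return max(supply_1, supply_2)


def psm_demands_trip(sensed_pos, sensed_neg):
    """One PSM watches both buses; either sensed value low demands a trip."""
    return sensed_pos < PSM_TRIP_V or sensed_neg < PSM_TRIP_V


def simulate(trace, delay_ms):
    """Walk a trace of samples and report whether S1/S2 open.

    Each sample is (pos_supply_1, pos_supply_2, neg_supply_1, neg_supply_2,
    sense_drop). sense_drop is the voltage lost between the positive bus and
    the PSM input (0 for a sound connection).
    """
    held_ms = 0
    min_bus = NOMINAL_V
    for p1, p2, n1, n2, sense_drop in trace:
        pos_bus = auctioneer(p1, p2)
        neg_bus = auctioneer(n1, n2)
        min_bus = min(min_bus, pos_bus, neg_bus)
        # The PSM acts on what it senses at its input, not on the bus itself.
        if psm_demands_trip(pos_bus - sense_drop, neg_bus):
            held_ms += STEP_MS
            if held_ms >= delay_ms:
                # Both shunt trip switches open: all four supplies lose ac input.
                return {"switches_open": True, "min_bus_v": min_bus}
        else:
            held_ms = 0   # demand cleared before the switch delay elapsed
    return {"switches_open": False, "min_bus_v": min_bus}


def healthy(n):
    """n samples with all four supplies at nominal and a sound PSM connection."""
    return [(24.0, 24.0, 24.0, 24.0, 0.0)] * n


# Case 1: one ac feed lost, so one positive/negative supply pair is dead.
ONE_FEED_LOST = [(0.0, 24.0, 0.0, 24.0, 0.0)] * 40

# Case 2: all supplies healthy, but a variable-resistance connection at the
# PSM input loses 3 V for 200 ms (constructed intermittent fault).
LOOSE_SENSE_LEAD = healthy(10) + [(24.0, 24.0, 24.0, 24.0, 3.0)] * 4 + healthy(10)

# Case 3: a sustained bus undervoltage: both positive supplies sag to 20 V.
REAL_UNDERVOLTAGE = healthy(5) + [(20.0, 20.0, 24.0, 24.0, 0.0)] * 20


if __name__ == "__main__":
    for name, trace in [("one feed lost", ONE_FEED_LOST),
                        ("loose PSM input", LOOSE_SENSE_LEAD),
                        ("real undervoltage", REAL_UNDERVOLTAGE)]:
        for delay in (FOUND_DELAY_MS, SPEC_DELAY_MS):
            print(name, f"delay={delay} ms", simulate(trace, delay))
```

In the constructed loose-input case the bus never leaves 24 V, yet the 150 ms switch removes all dc power while the 500 ms switch rides through the same 200 ms signal; a sustained undervoltage opens the switches at either delay.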

Subsequent laboratory analysis of the PSM found an internal cold-solder joint which acted to reduce the sensitivity of the unit.

It was determined that this was not involved, and did not contribute to the event of December 26th.

The rewiring of the ICS cabinet, to connect the PSM directly to the power supply buses it monitors, minimizes the potential for intermediate contact resistance to occur and thereby affect the voltage conditions on the buses or to the PSM.

Laboratory analysis of the S1/S2 power supply trip switches found that aging will change the delay time for the units.

To correct this problem, new switches had to be installed, a time-delay measurement had to be placed in the surveillance testing program for the ICS, and the switches had to be replaced before their 5-year life expired.

In response to the human factors concerns regarding the difficulty the operators had in determining the operate/trip condition of these breakers, new labeling and training have been provided.

A recommendation that redundant PSMs be incorporated into the design was rejected on the basis of the excellent service record for the units (no failures to operate or inadvertent operations in approximately 100 service years) and the fact that on December 26th the ICS PSM issued its trip signal as a result of sensing a low voltage at its input.

That low voltage was a result of the loose lug on the interconnecting factory wiring.

As a result of the loose lug on the factory cabinet wiring, an exhaustive program to inspect, test, repair, and upgrade the terminations, both field and factory, was accomplished in all cabinets supplied by the Bailey Meter Company.

The systems involved were the ICS, NNI system, RPS, and SFAS.

More than 40,000 terminations were involved and more than 6000 manhours were expended.

Seven terminations were found which would not meet acceptance criteria, although the circuits were all operable.

These have been repaired and the electrical maintenance criteria have been revised to include similar inspections of cabinets in conjunction with routine maintenance.

One new trip input was added to the ICS S1/S2 switches.

Upon loss of NNI, which provides signals that the ICS processes, the ICS S1/S2 switches will open.

This ensures that the plant will go to a known and safe post-trip condition during loss-of-NNI events.

For purposes of post-trip response, a loss of NNI will look similar to a loss of ICS.

Response to the loss of ICS is as described above, and will not cause the overcooling episodes that both loss of ICS and loss of NNI events have in the past.

(2) NRC Staff Evaluation of Licensee's Root Cause Determination

The licensee's determination of the root cause of the December 26th event was evaluated by the NRC staff.

The evaluation was documented as item RV-E-5 in Inspection Report 50-312/86-07 and is also discussed in NUREG-1195.

This evaluation focused on the licensee's management system for locating and repairing (troubleshooting) damaged equipment in a controlled and systematic manner to determine root cause and appropriate corrective action.

The staff also reviewed the licensee's process for locating and repairing specific equipment damaged during the December 26th event.

The issue of "troubleshooting" arose because of concerns expressed by the NRC Incident Investigation Team (IIT) about the original methods used by the licensee to locate and repair equipment, which the team believed required a more disciplined approach.

The licensee instituted additional controls over the troubleshooting activities to ensure that underlying problems were discovered.

This troubleshooting program was initially implemented in response to a reactor trip on October 2, 1985 and provided for a more structured approach for dealing with event-related recovery activities.

During the investigation that followed the December 26th event and after extensive work with the IIT, the licensee expanded its troubleshooting program to provide the additional documentation recommendations of the IIT for handling quarantined equipment to ensure preservation of "as-found" equipment conditions.

This consisted primarily in reformatting the troubleshooting action plans to document the approach employed in developing areas for investigation.

Additionally, rigid procedural adherence was stressed to ensure that the troubleshooting activity was conducted in the preplanned fashion designed by the troubleshooting action plan and that all maintenance work was limited to prevent disturbing evidence.

Regarding the more subjective issue of the licensee's approach to troubleshooting, the staff examined the issue from the standpoint of management systems that supported troubleshooting of the type performed for the IIT.

It was first found that "troubleshooting to determine root cause" had different meanings to different groups, particularly the definition of "root cause" itself.

As noted above, to the licensee "root cause" addresses the programmatic problem or management deficiency that allowed the problem to develop.

This the licensee distinguishes from the "direct cause," which is the immediate problem or action that caused the event.

With regard to the determination of root cause, as defined by the licensee, the charter for the licensee's Incident Analysis Group (IAG) is described in Inter Departmental Procedure No. NO-004.

This procedure was examined, as were the root cause reports for the October 2, 1985 and December 26, 1985 events.

The NRC staff concluded that the IAG has performed a creditable job in these analyses.

Effectiveness of this work will, of course, depend on the responsiveness of the rest of the organization to the initiatives of the IAG.

In summary, the NRC staff has reviewed the licensee's evaluation of the root cause of the December 26, 1985 event and has documented its review in NUREG-1195 and as item RV-E-5 in Inspection Reports 50-312/86-07 and 50-312/87-08.

The staff finds the licensee's root cause evaluation acceptable, and considers this item to be resolved as a restart issue.

3.1.2.2 Loss of ICS/NNI System dc Power

This issue is under review by the NRC staff.

The results of the staff evaluation will be given in a supplement to this SER.

3.1.2.3 Loss of ICS/NNI System ac Power

This issue is under review by the NRC staff.

The results of the staff evaluation will be given in a supplement to this SER.

3.1.2.4 Loss of Instrument Air to ICS/NNI System Components

This issue is under review by the NRC staff.

The results of the staff evaluation will be given in a supplement to this SER.

3.1.2.5 ICS/NNI System Failure Modes and Effects Analysis

This issue is under review by the NRC staff.

The results of the staff evaluation will be given in a supplement to this SER.

3.1.2.6 Loss of Control Room Controls, Adequacy of Backup Instrumentation

This issue is under review by the NRC staff.

The results of the staff evaluation will be given in a supplement to this SER.

3.1.2.7 Discrepancy Between OTSG Level Strip Charts and SPDS

During the December 26th transient, at least one Rancho Seco operator reported that the safety parameter display system (SPDS) did not display the same value for the once-through steam generator (OTSG) operate level as the OTSG operate level strip chart recorder indicated.

Specifically, it was thought that the SPDS OTSG levels indicated less than 100% when the OTSG level strip charts indicated 100%.

The licensee's investigation of the root cause for the discrepancy between OTSG level strip charts and SPDS has been evaluated by the NRC staff and the results of the evaluation were documented as item RV-E-13 in Inspection Reports 50-312/86-07, 50-312/87-08, and 50-312/87-13.

The cause of the discrepancy was apparently due to different transmitters and channels used by SPDS and the strip chart recorders.

Both instruments were tested by the licensee and found to be within calibration.

Nevertheless, the SPDS levels read 1% to 2% less than the strip chart levels (similar to the observation during the event).

Analysis and testing also was performed by the licensee to verify correct operation of the algorithm used in SPDS for an OTSG level up to 110% level.

Correct operation of SPDS was demonstrated throughout this range.

The NRC staff concurs with the licensee's conclusion that this difference in indication between indicators probably occurred, but its magnitude was not significant.

Therefore, this item is considered resolved and is closed.

3.1.2.8 Power Monitor Design

This issue is under review by the NRC staff.

The results of the staff evaluation will be given in a supplement to this SER.

3.1.2.9 ICS/NNI System Maintenance, Surveillance, and Testing

This issue is under review by the NRC staff.

The staff needs additional information to complete its review.

Specifically, by letter dated August 14, 1987, the licensee was requested to provide the finalized ICS/NNI system maintenance/surveillance test procedures used to periodically verify/demonstrate/ensure proper operation of the ICS/NNI system.

These procedures include:

(1) ICS/NNI system functional tests

(2) ICS/NNI system calibrations

(3) ICS/NNI system tuning

(4) ICS/NNI system power distribution system tests (e.g., power supply and power supply monitor alarm and trip setpoints)

(5) other ICS/NNI system periodic tests, inspections, monitoring performed to ensure proper system operation

3.1.2.10 Operator Response Procedures

This issue is under review by the NRC staff.

The staff needs additional information to complete its review.

Specifically, by letter dated August 14, 1987, the licensee was asked to provide the final casualty procedures related to ICS/NNI system failures (e.g., loss of power), and the final annunciator response procedures related to the ICS/NNI system.

3.1.2.11 ICS/NNI System Interactions With Safety-Related Equipment

This issue is under review by the NRC staff.

The results of the staff evaluation will be given in a supplement to this SER.

3.1.3 Emergency Feedwater Initiation and Control System

To improve the reliability of AFW systems after the TMI accident on March 28, 1979, the NRC required all utilities to upgrade existing AFW systems, where necessary, to ensure timely automatic initiation when required.

The upgrade involved qualifying the automatic initiation signals and circuits in accordance with safety grade requirements.

Section II.E.1.2, "Auxiliary Feedwater System Automatic Initiation and Flow Indication," of NUREG-0737, "Clarification of TMI Action Plan Requirements," specifies that this objective can be met by installing an AFW actuation system that conforms to the requirements of IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," and provides the following set of minimum requirements:

(1) The design shall provide for the automatic initiation of the AFW system.

(2) The automatic initiation signals and circuits shall be designed so that a single failure will not result in the loss of AFW system function.

(3) Testability of the initiating signals and circuits shall be a feature of the design.

(4) The initiating signals and circuits shall be powered from the emergency buses.

(5) Manual capability to initiate the AFW system from the control room shall be retained and shall be implemented so that a single failure in the manual circuits will not result in the loss of system function.

(6) The ac motor-driven pumps and valves in the AFW system shall be included in the automatic actuation (simultaneous and/or sequential) of the loads to the emergency buses.

(7) The automatic initiating signals and circuits shall be designed so that their failure will not result in the loss of manual capability to initiate the AFW system from the control room.

Section II.E.1.2 of NUREG-0737 also required that safety grade indication of AFW flow to each steam generator be provided in the control room.

For Babcock and Wilcox (B&W)-designed plants such as Rancho Seco, a minimum of two AFW flowrate indicators for each steam generator must be provided.

The auxiliary feedwater flow instrument channels are to be powered from the emergency buses.

In addition, Section II.K.2.2, "Control of Auxiliary Feedwater Independent of the Integrated Control System," of NUREG-0737 requires that licensees of B&W-designed reactors provide procedures and training to initiate and control AFW independent of the non-safety-related integrated control system (ICS).

In response to these requirements, the licensee is installing an emergency feedwater initiation and control (EFIC) system.

The EFIC system will be operable before restart.

Auxiliary Feedwater System Description

The following paragraphs describe the Rancho Seco AFW system as modified during the current outage which began after the December 26, 1985 event.

As is discussed in Section 3.9.3 of this SER, the EFIC system could have mitigated the December 26th event if it had been installed at the time.

The AFW system provides secondary coolant to the once-through steam generators (OTSGs) if the main feedwater (MFW) system becomes unable to perform this function or if AFW is needed to promote natural circulation in the reactor coolant system.

When monitored plant parameters indicate the need for it, the safety grade EFIC system will automatically initiate AFW flow to the OTSGs.

The AFW system may also be initiated manually at the discretion of the operator.

Following AFW system actuation, the EFIC system is designed to automatically control the levels in the OTSGs at one of three possible setpoints, depending upon the actual plant conditions.

The AFW system consists of two interconnected flowpaths/trains.

Each train is capable of supplying AFW to either or both OTSGs.

Figure 3.5 is a flow diagram of the Rancho Seco AFW system.

This figure also identifies the EFIC system control signals to AFW system components.

The AFW system is designed to provide a minimum of 475 gpm of AFW to the OTSGs at 1050 psig within 70 seconds of a system initiation signal.

Flow for AFW system train A (which supplies AFW to OTSG B) is provided by pump P-319; train B flow (supplied to OTSG A) is provided by pump P-318.

Each pump has a rated capacity of 840 gpm at 1150 psig.

Flow-restricting venturis were added to the AFW injection lines to decrease the potential for overcooling and overfilling.

Either of the pumps can provide the required system flowrate to both OTSGs.

AFW system pump P-318 is a combination turbine/motor-driven pump that has the turbine and motor mounted on a common shaft.

Either motive force can drive the pump at rated capacity.

The primary motive force that receives an automatic start signal is the turbine.

The motor drive is not automatically initiated, but can be started by the control room operator.

AFW system pump P-319 is strictly a motor-driven pump.

The steam supply for the pump P-318 turbine (K-308) is obtained from both OTSGs through 6-inch lines that contain check valves, locked-open manual valves, and motor-operated valves.

The check valve and motor-operated valve associated with each OTSG provide redundant isolation capability to preclude blowing down the intact OTSG in the event that a rupture (main steam line or main feedwater line) occurs in an OTSG.

The ac power for the pump P-319 motor is normally provided by 4160-V bus 4A2 through switchgear S4A2, and emergency backup is provided by emergency diesel generator A (GEA2).

The ac power for the pump P-318 motor is normally provided by 4160-V bus 4B2 through switchgear S4B2, and emergency backup is provided by emergency diesel generator B (GEB2).

The primary water source for both AFW trains is the seismic Category I condensate storage tank (CST), which has a minimum capacity of 250,000 gallons.

Backup sources of water are available from the onsite reservoir and the Folsom South Canal.

Isolation valves, control valves, check valves, flow-restricting venturis, and flow instruments are located in the flowpath between the AFW pumps and the OTSGs to control the flow of AFW to the OTSGs.

3.1.3.1 Description of EFIC System Design and Operation

The EFIC system at Rancho Seco is a four-channel, safety grade, seismically qualified, Class 1E AFW initiation and control system.

The EFIC system also provides control of the atmospheric dump valves, and is used to isolate main feedwater (MFW) flow under certain conditions, as discussed below.

The following functions are accomplished by the EFIC system:

(1) Monitor plant conditions and provide automatic initiation of AFW to both OTSGs (manual initiation capability for AFW is also provided).

(2) Provide automatic control of AFW flowrate to achieve and maintain proper OTSG levels, in accordance with established setpoints, to minimize overcooling and undercooling of the primary system (manual control capability for AFW is also provided).

(3) Provide automatic isolation of AFW and MFW flow to a depressurized (ruptured) OTSG.

(4) Provide automatic control of the atmospheric dump valves (ADVs) independent of the integrated control system (manual control capability for the ADVs is also provided).

(5) Provide automatic closure of the MFW isolation valves upon detection of high OTSG water level to prevent an OTSG overfill condition.

The EFIC system consists of four physically separate and electrically indepen-ent channels (A, B, C, and D) powered from Class 1E battery-backed emergency Rancho Seco Restart SER 3-19

buses S1A2-1, 51B2-1, 5102-1, and SID2-1, respectively.

The EFIC system instrument channels, logic and control circuitry, and actuated/controlled equipment used to initiate and control AFW flow are powered from Class 1E diesel generator-backed or battery-backed buses that are separate from the buses providing power to the ICS and non-nuclear instrumentation (NNI) system.

The EFIC system controls and indications are located on control console H1SS(E) in the main control room. The EFIC system logic and actuation circuitry is located within four cabinets (one cabinet for each EFIC channel) in the nuclear service electric building (NSEB). Certain EFIC system controlled equipment receives actuation/control signals directly from these cabinets (e.g., AFW flow control valves and ADVs). Other EFIC system controlled equipment receives actuation/isolation signals from the EFIC logic via trip interface equipment (TIE) cabinets (e.g., MFW flow control and isolation valves, and AFW system pumps). The TIE cabinet circuitry interfaces between the EFIC system actuation logic and field equipment. Four TIE cabinets are provided in the NSEB. For each train of EFIC system-actuated equipment, one cabinet is used to interface between the EFIC system and Class 1E circuits, and another interfaces between the EFIC system and non-Class 1E circuits.

Each EFIC channel receives analogue inputs from steam generator level and steamline pressure transmitters associated with each OTSG. The level signals are temperature compensated to provide an accurate indication of actual water level. The EFIC system also receives initiation signals from the reactor protection system (RPS) and the safety features actuation system (SFAS).

During plant operation, the EFIC system constantly monitors the input signals, and generates individual channel level protective action signals whenever process parameters exceed their preestablished setpoint values. Actual system level actuation will take place only if at least two of the four EFIC instrument channels have initiated commands for protective action.

Figures 3.6, 3.7, 3.8, and 3.9 illustrate the input and output signals associated with EFIC channels A, B, C, and D, respectively.

The EFIC system logic is subdivided into the following logic functions:

(1) Input Logic - receives and provides individual channel level trip and bypass signals to the remaining portions of the EFIC system logic.

(2) Actuation Logic - initiates AFW system flow to the OTSGs.

(3) Control Logic - controls AFW system flowrate and OTSG level (this logic also includes the ADV controls).

(4) Vector Logic - isolates AFW system flow to a depressurized OTSG.

(5) Isolation Logic - isolates MFW system flow to a depressurized OTSG, or to an OTSG with a high-high water level.

Figure 3.10 is an overall block diagram of the EFIC system that shows the EFIC logic functions and the associated actuated equipment. The EFIC system and its actuated/controlled equipment will be completely installed, tested, and fully operational at restart as governed by the Rancho Seco plant technical specifications.


EFIC System Initiation of AFW

The EFIC system is designed to initiate AFW (1) on low water level in either OTSG (9 inches), (2) on low pressure in either OTSG steamline (575 psig), (3) when all four reactor coolant pumps trip (this signal is provided to the EFIC system from the RPS), (4) on the loss of both MFW pumps at greater than 20% reactor power (this is an anticipatory trip signal also provided to the EFIC system from the RPS), (5) on reactor building high pressure (4 psig), or (6) on reactor coolant system (RCS) low pressure (1600 psig). The EFIC system receives the reactor building high pressure and RCS low pressure signals from the SFAS.

The EFIC system AFW actuation logic is arranged in a 1-out-of-2-taken-twice logic configuration. All four EFIC input logic channels provide AFW initiation commands to the AFW actuation logic modules, which are physically located in the A and B EFIC channel cabinets. The EFIC system AFW system actuation logic is functionally shown in Figure 3.11. Actuation of AFW pump P-319 and the associated train A control valves occurs when the actuation logic modules in the A EFIC channel cabinet receive channel level "initiate" commands from EFIC system input logic channels A or B and C or D. Actuation of AFW pump P-318 and the associated train B control valves occurs when the actuation logic modules in the B EFIC channel cabinet receive "initiate" commands from EFIC system input logic channels A or C and B or D. Since all four EFIC channels monitor the same parameters, they should all simultaneously issue initiate commands, thereby actuating both AFW system trains.

The channel level AFWS actuation signals are not "sealed-in" by the EFIC system input logic circuitry. However, once the 1-out-of-2-taken-twice actuation logic is satisfied, the system (train) level actuation signal is sealed in and cannot be reset until the initiating condition has returned to normal and the actuation logic reset pushbutton is depressed. The actuation logic seal-in circuits ensure that completion of the associated protective actions occurs upon generation of a system level actuation signal.

EFIC System Isolation of Main Feedwater (MFW)

Before the December 26th event, the Rancho Seco plant used a non-safety-related main steamline failure logic system (MSFLS) to isolate MFW flow to the OTSGs in the event of a failure of a main steamline (MSL). Main feedwater isolation was accomplished by the automatic closure of three valves in each feedwater line: the main flow control valve, the downstream series MFW stop valve, and a single startup MFW flow control valve located in a parallel line around the other two valves. Closure of the MFW stop valve was accomplished by the non-safety-related ICS. NUREG-1195 identified the following concerns regarding the MSFLS: (1) the valve arrangement does not appear to meet the single-failure criterion with respect to MFW system isolation, (2) the MSFLS is not a safety-related system but is used to perform a safety-related function, and (3) the MFW system flow control valves might not be adequate for isolation.

The MSFLS detected low steamline pressure (indicative of a main steamline break) via pressure switches on the steam header downstream of each OTSG. Two redundant MSFLS trains consisting of sensing elements, dc powered logic, and actuation devices were provided. Two pressure switches within each train were configured in a 2-out-of-2, energize-to-actuate, logic arrangement. When the logic was satisfied, solenoid-operated valves would actuate to block the control air to, and vent the air from, the MFW system flow control valves, causing them to close. The ICS would then, in turn, close the MFW stop valves. The ICS is designed to close the stop valves when the main flow control valves go to less than 20% open.

After the December 26th event, the licensee modified the configuration of MFW system valves. An additional motor-operated isolation valve was installed in the MFW flowpath to each OTSG downstream of the flow control and stop valves, as shown in Figure 3.12. The non-safety-related MSFLS was removed, and the MFW isolation function is now performed by the safety-related EFIC system. The EFIC system will isolate the MFW flow control and block valves, and the new isolation valves. During normal operation, the ICS still provides control of the MFW flow control and block valves.

The EFIC system will isolate MFW flow to an OTSG when either a pressure of less than 600 psig or a high water level (setpoint to be determined later as discussed in Section 3.1.5 of this report) is detected in that OTSG. Four redundant instrument channels, A, B, C, and D, are provided to monitor each of these parameters for each OTSG. The EFIC system MFW isolation logic is arranged in a 1-out-of-2-taken-twice logic (identical to the AFW system actuation logic) and is shown in Figure 3.13. MFW isolation to an OTSG occurs when the logic modules in EFIC system cabinet A receive commands from input logic channels A or B and C or D, or when the logic modules in EFIC system cabinet B receive "initiate" commands from logic channels A or C and B or D. The EFIC system channel A cabinet MFW isolation logic isolates MFW valves FV-20525, FV-20529, and FV-20575 to OTSG A, and valves FV-20526, FV-20530, and FV-20576 to OTSG B. The EFIC system channel B cabinet MFW isolation logic isolates valve HV-20515 in the MFW line to OTSG A and valve HV-20516 in the MFW line to OTSG B. Since all four EFIC system input logic (sensing) channels monitor the same parameters, they should simultaneously issue commands causing all valves used for MFW isolation to an OTSG to close.

Valves FV-20525, FV-20575, FV-20526, and FV-20576 are air-operated MFW flow control valves. MFW stop valves FV-20529 and FV-20530 are powered from 480-V motor control center (MCC) S2A3 and are backed up by diesel generator GEA2. The new downstream series isolation valves (HV-20515 and HV-20516) are powered from 480-V MCC S2B3, and are backed up by diesel generator GEB2.

Figure 3.13 EFIC system isolation of main feedwater

EFIC System Isolation of AFW

The EFIC system includes logic used to isolate AFW flow to a ruptured or depressurized OTSG. This logic is referred to as the "feed only good generator" (FOGG) or "vector" logic. Upon actuation, the vector logic prevents the continued addition of AFW to a depressurized OTSG, thus minimizing the overcooling effects of a steam leak. The vector logic may isolate AFW to one OTSG only, never to both.

Each of the four EFIC system channels contains vector logic. Each channel of vector logic receives OTSG pressure signals from each of the four EFIC system channel input logics. The pressure information received is (1) OTSG A pressure less than 600 psig, (2) OTSG B pressure less than 600 psig, (3) OTSG A pressure 100 psig greater than OTSG B pressure, and (4) OTSG B pressure 100 psig greater than OTSG A pressure.

Each vector logic channel also receives a vector/control "enable" signal from EFIC channel A and channel B upon AFW system actuation. The vector logic develops signals for open/close control of OTSG A and OTSG B auxiliary feedwater valves. The individual vector logics are not single-failure tolerant (i.e., a single failure could cause an inadvertent valve closure, or prevent valve closure when required). However, the combination of four redundant and independent vector logics, and the AFW system flow control valve/isolation valve arrangement (i.e., two parallel flowpaths for each OTSG, with two series valves in each path) ensure that any EFIC system single failure will prevent neither addition nor isolation of AFW to an OTSG when required. The vector logic outputs are in a neutral state until enabled by the control/vector "enable" from the channel A or B AFW actuation logics. When enabled, the channel A vector logic issues "close" commands to valves FV-20527 and FV-20528. The channel B vector logic issues "close" commands to valves FV-20531 and FV-20532. The channel C vector logic issues "open" or "close" commands to valves HV-20578 and HV-20581. The channel D vector logic issues "open" or "close" commands to valves HV-20577 and HV-20582. Table 3.1 shows the OTSG pressure conditions that cause the vector logic to isolate AFW flow.

EFIC System OTSG Level Control

Control of AFW to the OTSGs is provided by control logic contained within channels A and B of the EFIC system. The control logic becomes active upon EFIC system actuation of AFW. The system is designed so that either channel will control water level in both OTSGs by controlling its own dedicated control valve for each AFW train. The EFIC system channel A control logic provides signals to air-operated valves FV-20527 (OTSG A) and FV-20528 (OTSG B) and the EFIC system channel B control logic provides signals to solenoid-operated valves FV-20531 (OTSG A) and FV-20532 (OTSG B) for control of AFW flow.

The duplication of control channels provides added assurance that sufficient AFW flow will be delivered to at least one OTSG to maintain water level. However, duplication of the control channels does not preclude the possibility of excessive AFW flow and consequent OTSG overfill. Operator intervention is relied on to prevent OTSG overfill. OTSG overfill will be addressed in Section 3.1.5 of a supplement to this SER. Flow-restricting venturis have recently been installed in the AFW system injection lines to reduce the AFW flowrate and to increase the response time available to the operator to cope with transients.

There are three different modes of automatic level control, depending on whether one or more reactor coolant pumps are running and whether the "ECC setpoint" has been selected for emergency core cooling (ECC). With one or more reactor coolant pumps operating, the EFIC system level control logic automatically controls OTSG level at a setpoint value of 27.5 inches. When none of the four reactor coolant pumps are running, the level controller automatically selects a setpoint of 317 inches, which is high enough to ensure good natural circulation. The third level setpoint of 381 inches (the ECC setpoint) is manually selected if all four reactor coolant pumps are off and the plant is in a small-break LOCA transient. The ECC setpoint is used to promote condensation heat transfer from the primary system.
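The vector ("feed only good generator") decision described above, driven by the four discrete pressure signals and the conditions of Table 3.1, can be written out and checked for the "never to both" property. This Python sketch is an added example, not part of the SER or the licensee's design; all names are hypothetical, the transient values are constructed, and strict comparisons at exactly 600 psig and exactly 100 psig are an assumption because the page does not specify them.

```python
from itertools import product

LOW_PRESSURE_PSIG = 600   # OTSG low-pressure threshold from Table 3.1
DELTA_PSIG = 100          # differential threshold from Table 3.1
OPEN, CLOSE, NEUTRAL = "open", "close", "neutral"
SIGNALS = ("a_low", "b_low", "a_100_above_b", "b_100_above_a")


def pressure_signals(p_a, p_b):
    """The four discrete signals each vector logic channel receives.
    Strict comparisons are an assumption (boundaries are not on the page)."""
    return {
        "a_low": p_a < LOW_PRESSURE_PSIG,
        "b_low": p_b < LOW_PRESSURE_PSIG,
        "a_100_above_b": p_a - p_b > DELTA_PSIG,
        "b_100_above_a": p_b - p_a > DELTA_PSIG,
    }


def vector_commands(sig, enabled=True):
    """Return (OTSG A valve command, OTSG B valve command)."""
    if not enabled:
        # Outputs stay neutral until the AFW actuation logic enables them.
        return (NEUTRAL, NEUTRAL)
    a_low, b_low = sig["a_low"], sig["b_low"]
    if a_low and not b_low:
        return (CLOSE, OPEN)
    if b_low and not a_low:
        return (OPEN, CLOSE)
    if a_low and b_low:
        a_hi, b_hi = sig["a_100_above_b"], sig["b_100_above_a"]
        if a_hi and not b_hi:
            return (OPEN, CLOSE)   # A is the better generator
        if b_hi and not a_hi:
            return (CLOSE, OPEN)   # B is the better generator
    # Both healthy, both low but within 100 psig, or contradictory
    # differential signals from a faulted input: keep feeding both.
    return (OPEN, OPEN)


# One constructed pressure pair (A, B) per row of Table 3.1, in table order.
TABLE_3_1_CASES = [
    ((900, 900), (OPEN, OPEN)),
    ((900, 400), (OPEN, CLOSE)),
    ((400, 900), (CLOSE, OPEN)),
    ((500, 450), (OPEN, OPEN)),
    ((550, 300), (OPEN, CLOSE)),
    ((300, 550), (CLOSE, OPEN)),
]

# Constructed transient (not plant data): OTSG B depressurizes, then both
# generators end up below 600 psig.
CONSTRUCTED_TRANSIENT = [(885, 885), (870, 590), (640, 380), (590, 250), (560, 480)]


def table_3_1_matches():
    """True when every Table 3.1 row yields the tabulated commands."""
    return all(vector_commands(pressure_signals(a, b)) == expected
               for (a, b), expected in TABLE_3_1_CASES)


def isolates_both_anywhere():
    """Try all 16 signal combinations, including contradictory ones,
    looking for a state that would isolate AFW to both OTSGs."""
    return any(vector_commands(dict(zip(SIGNALS, bits))) == (CLOSE, CLOSE)
               for bits in product((False, True), repeat=4))


def trace(transient):
    """Valve commands at each step of a pressure transient."""
    return [vector_commands(pressure_signals(a, b)) for a, b in transient]


if __name__ == "__main__":
    for (a, b), cmd in zip(CONSTRUCTED_TRANSIENT, trace(CONSTRUCTED_TRANSIENT)):
        print(f"OTSG A {a:4d} psig, OTSG B {b:4d} psig -> A {cmd[0]}, B {cmd[1]}")
    print("double isolation reachable:", isolates_both_anywhere())
```

The exhaustive check covers the signal combinations a faulted pressure input could produce, which is where a naive implementation of the table could isolate both generators.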

Table 3.1 OTSG pressure conditions that trigger vector logic

Pressure status                                                                    OTSG A valves command   OTSG B valves command
If OTSG A & OTSG B > 600 psig                                                      Open                    Open
If OTSG A > 600 psig & OTSG B < 600 psig                                           Open                    Close
If OTSG A < 600 psig & OTSG B > 600 psig                                           Close                   Open
If OTSG A < 600 psig & OTSG B < 600 psig and OTSG A & OTSG B within 100 psig       Open                    Open
If OTSG A < 600 psig & OTSG B < 600 psig and OTSG A - OTSG B > 100 psig            Open                    Close
If OTSG A < 600 psig & OTSG B < 600 psig and OTSG B - OTSG A > 100 psig            Close                   Open

The licensee has stated that the level control system is based on a design utilized in other B&W reactor plants, and is expected to provide stable, reliable level control of the water level in the OTSGs.

EFIC System Control of the Atmospheric Dump Valves (ADVs)

The EFIC system channel A and channel B control logic also provides control of the two trains of atmospheric dump valves for steamline overpressurization control. Atmospheric dump valves PV-20571 A, B, C and PV-20562 A, B, C are modulating control valves which relieve main steam to the atmosphere from main steamline A and main steamline B, respectively. EFIC system channel A will continuously monitor pressure in main steamline A and will signal PV-20571 A, B, and C to open if pressure in that line exceeds a setpoint value of 1020 psig. EFIC channel B will similarly control PV-20562 A, B, and C.

Before the December 26th event and the subsequent installation of the EFIC system, the ADVs were powered and controlled by the non-safety-related integrated control system (ICS). The ADVs are now controlled by the safety-related EFIC system, which is electrically independent from the ICS.

Two of the three ADVs per steamline are normally blocked during reactor operation via upstream, local, manually operated valves. The unblocked ADV for each steamline has an associated upstream, normally open, remote, manually controlled, motor-operated valve that provides the operator with the ability to isolate a stuck-open ADV to prevent an uncontrolled steam release that could result in overcooling of the primary system. Although this valve is powered from the EFIC system buses, it can be operated independent of the EFIC system ADV control logic/circuitry. A single OTSG pressure transmitter is used to provide the input signal for each channel of ADV control logic. If an unblocked ADV fails to open, the downstream main steam safety valves (MSSVs) will open to relieve steam pressure, if steam pressure exceeds the MSSV open setpoints. The ADVs and their failure modes are discussed in detail in Section 3.1.6.1 of this report.

EFIC System Interfaces

The major systems that interface with the EFIC system are

• auxiliary feedwater system
• main feedwater system
• main steam system
• once-through steam generator system
• electrical distribution system
• reactor protection system
• safety features actuation system
• interim data acquisition and display system
• safety parameter display system
• Appendix R remote shutdown panel (H2SD)
• plant instrument air system
• main control room panels/consoles (H1SS, H1RC, H2YS, and H2SF)

To ensure proper isolation between the Class 1E EFIC system and non-Class 1E systems with which it interfaces, the EFIC system design utilizes fiber optic cables, optical isolators, and isolation relays.

EFIC System Bypasses

The EFIC system design includes two types of bypasses: maintenance bypasses and shutdown bypasses. The bypass circuitry is contained in the input logic portions of EFIC channels A, B, C, and D.

The maintenance bypass circuit design provides individual EFIC system input logic channel bypass capability for each of the four channels. The EFIC system is designed to allow channel testing from the input terminals to the actuated device controllers without placing the channel in maintenance bypass. Placing an EFIC system channel in maintenance bypass inhibits/disables that channel's capability to perform its associated protective function. Maintenance bypasses are used to allow maintenance/repair of an inoperable channel during reactor operation without causing an unwanted/unnecessary channel trip. Placing an EFIC system channel in maintenance bypass automatically places the plant in a limiting condition of operation (LCO), in accordance with the plant technical specifications, where the inoperable/bypassed channel must be restored to an operable status within a specified time, or otherwise reactor operation is suspended or restricted to power levels at which the associated protective action is no longer required.

The channel is bypassed for maintenance by placing the key-lock maintenance bypass switch at the associated EFIC system cabinet (in the NSEB) in the "MAINTENANCE BYPASS" position. Each EFIC channel key-operated maintenance bypass switch actuates an associated bypass status light at its local EFIC panel, and actuates an interim data acquisition and display system (IDADS) alarm in the control room to indicate when the maintenance bypass switch is being used. The indication associated with the IDADS alarm will be continuously displayed in the control room for as long as the bypass condition exists.

Interlock features within the EFIC system maintenance bypass circuitry make it impossible to bypass more than one channel at a time. These interlock features ensure that the EFIC system is capable of performing its AFW actuation and MFW isolation safety functions given a single failure when one channel is in maintenance bypass.

The EFIC system AFW actuation logic also receives maintenance bypass signals from the reactor protection system (RPS). Placing an RPS channel in bypass disables the RPS input signal to the corresponding EFIC system channel. An interlock feature is provided within the EFIC system channel input logic that will only allow the corresponding EFIC system channel to be bypassed when an RPS channel is bypassed. For example, if channel A of the RPS is placed in maintenance bypass, only a channel A EFIC system maintenance bypass can be actuated, and EFIC channels B, C, and D are automatically prevented from being placed in maintenance bypass. Should any of EFIC channels B, C, or D be in maintenance bypass when EFIC channel A receives the RPS maintenance bypass signal, that EFIC channel will automatically be removed from bypass. Should a second RPS maintenance bypass signal be received by the EFIC system, all EFIC maintenance bypasses will be cleared/disabled (i.e., no EFIC system channel can be placed in maintenance bypass, and any EFIC system channel in maintenance bypass will automatically be removed from bypass).

The EFIC system shutdown bypass design provides the capability to defeat the AFW system automatic actuation logic and MFW isolation logic, to ensure that actuation/isolation does not occur during normal reactor shutdown. The shutdown bypass logic is so designed that when the pressure in either OTSG drops below 725 psig, the reactor operator can manually initiate the shutdown bypass (before reaching the AFW actuation/MFW isolation setpoint value of 600 psig). A shutdown bypass cannot be initiated if the pressure in both OTSGs is greater than 725 psig. Each of the four channels of EFIC system shutdown bypass logic can be actuated by one of two dedicated shutdown bypass switches. One shutdown bypass switch for each channel is located in the reactor control room on console H1SS(E), and the other shutdown bypass switch is located at the EFIC system channel cabinet. The shutdown bypass circuitry will "seal in" following actuation. The seal-in can be removed by the shutdown bypass reset switch. The shutdown bypass will be automatically removed (restoring the EFIC system AFW actuation and MFW isolation protective functions) if the pressure in both OTSGs increases/returns to above 700 psig (i.e., if the permissive condition that allowed the bypass condition to exist is no longer satisfied). The shutdown bypass condition for each EFIC system channel is continuously indicated in the main control room and at the EFIC system cabinets in the NSEB for as long as the bypass condition exists.

3.1.3.2 EFIC System Evaluation

The EFIC design is being evaluated by the NRC staff for conformance to NUREG-0737, "Clarification of TMI Action Plan Requirements," Section II.E.1.2, "Auxiliary Feedwater System Automatic Initiation and Flow Indication." The requirements of NUREG-0737, Section II.E.1.2 can be met by providing a design for automatic AFWS actuation that meets the requirements of IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."
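The single-failure behaviour of the 1-out-of-2-taken-twice actuation logic, the train-level seal-in, and the one-channel-at-a-time maintenance bypass described above can be checked exhaustively. This Python model is an added example, not part of the SER or the licensee's design; the channel pairings come from the text, all names are hypothetical, and a bypassed or failed channel is assumed simply never to issue an "initiate" command.

```python
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")

# Channel pairings from the text:
#   train A (cabinet A, pump P-319): (A or B) and (C or D)
#   train B (cabinet B, pump P-318): (A or C) and (B or D)
TRAIN_PAIRS = {
    "A": (("A", "B"), ("C", "D")),
    "B": (("A", "C"), ("B", "D")),
}


def trains_actuated(initiating):
    """Trains whose logic is satisfied by the set of channels currently
    issuing channel-level "initiate" commands."""
    initiating = set(initiating)
    return tuple(
        train
        for train, pairs in TRAIN_PAIRS.items()
        if all(initiating & set(pair) for pair in pairs)
    )


def worst_case_on_demand(n_bypassed, n_failed):
    """Fewest trains actuated on a genuine demand, over every way of
    bypassing n_bypassed channels and failing n_failed others silent
    (assumption: both kinds of channel never initiate)."""
    worst = len(TRAIN_PAIRS)
    for bypassed in combinations(CHANNELS, n_bypassed):
        remaining = [ch for ch in CHANNELS if ch not in bypassed]
        for failed in combinations(remaining, n_failed):
            healthy = set(remaining) - set(failed)
            worst = min(worst, len(trains_actuated(healthy)))
    return worst


def worst_case_spurious(n_spurious):
    """Most trains actuated with no genuine demand when n_spurious
    channels issue false "initiate" commands."""
    return max(len(trains_actuated(combo))
               for combo in combinations(CHANNELS, n_spurious))


class TrainSealIn:
    """Train-level seal-in: latched once the train logic is satisfied; it
    clears only when the initiating condition has gone AND the reset
    pushbutton is pressed."""

    def __init__(self, train):
        self.train = train
        self.sealed_in = False

    def update(self, initiating, reset_pressed=False):
        if self.train in trains_actuated(initiating):
            self.sealed_in = True
        elif reset_pressed:
            self.sealed_in = False
        return self.sealed_in


if __name__ == "__main__":
    for bypassed, failed in [(0, 1), (1, 0), (1, 1), (2, 1)]:
        n = worst_case_on_demand(bypassed, failed)
        print(f"{bypassed} bypassed + {failed} failed silent: "
              f"at least {n} train(s) actuate on demand")
    for n_spurious in (1, 2):
        print(f"{n_spurious} spurious channel(s): up to "
              f"{worst_case_spurious(n_spurious)} train(s) actuate")
```

With one channel bypassed and one further channel failed, at least one train still actuates on demand; with two channels bypassed and one failed, no train can actuate, which is the state the bypass interlock exists to prevent.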

IEEE Standard 279 includes requirements regarding quality of components, com-f pliance with the single-failure criterion, independence of redundant channels, control and protection system interaction, channel / system bypasses, automatic / and manual initiation, test capability, and system status information provided to the control room operator. The automatic initiation circuits of the EFIC system are diverse, redundant, physically separated, electrically independent, and powered from battery-backed emergency buses. The two AFW pumps have diverse sources of motive power I (electric motor and steam turbine). AFW system pump P-319 is actuated by EFIC channel A. The steam supply to the turbine-driven pump (P-318) is initiated by EFIC channel B. The failure of either channel A or B may cause one of the two AFW pumps to be unresponsive to an AFW actuation signal. However, one operational pump is sufficient to supply the water requirements of the system. The EFIC and AFW systems are capable of providing sufficient AFW flow to the intact (pressurized) OTSG following a main steamline/ main feedwater line break coincident with a loss of offsite power and a worst-case /most-limiting single failure as discussed below, Upon rupture of OTSG B (upstream of the turbine throttle and control valves or downstream of the main feedwater isolation valve and associated check valve), an AFW system actuation signal is initiated by the EFIC system logic which sends " start" signals to the AFW pump P-318 turbine and the AFW pump P-313 motor. MFW flow to the f ailed 0TSG will be isolated by the l CFIC system isolation logic shown in Figure 3.13. MFW isolation on "TSG low pressure will occur given any single failure within the EFIC system isolation l logic or the MFW system isolation valves. 
On the basis of the staff's review of the information provided by the licensee concerning modifications to provide additional MFW system isolation valves, and to initiate isolation of the new and existing valves by the safety-related EFIC system, the staff concludes that the MFW isolation function conforms to the single-failure criterion of IEEE Standard 279-1971. Therefore, the staff concludes that the NUREG-1195 concerns in this area have been resolved. The adequacy of the MFW system flow control valves for accomplishing MFW isolation, and the acceptability of the Rancho Seco FSAR analysis with regard to assuming the proper functioning of non-safety-related systems to mitigate transient and accident events are discussed in Section 3.9.1 of this report.

Assuming a loss of offsite power in conjunction with the rupture of OTSG B, emergency diesel generators GEA2 and GEB2 will receive "start" signals and will provide emergency ac power to vital bus 4A2 and vital bus 4B2, respectively. The following automatic and manual actions will occur or be available following the most limiting active single failures:

- If AFW pump/turbine P-318 fails, AFW pump/motor P-319, which receives a simultaneous EFIC "start" signal, will automatically supply AFW to OTSG A through the cross-connect line. The operator can also manually start the motor for AFW pump P-318 and supply AFW to OTSG A.

- If the motor for AFW pump P-318 fails, there would be no direct impact because the AFW pump P-318 turbine and the AFW pump P-319 motor receive simultaneous EFIC start signals, and both would supply water to OTSG A automatically.

- If one of the active valves in the AFW flowpath to OTSG A fails and blocks flow, the active valve in the redundant parallel flow path, which is controlled by a redundant EFIC system channel, will open and allow flow to OTSG A from both AFW pumps P-318 and P-319.

- If AFW pump/motor P-319 fails, the turbine for AFW pump P-318, which receives a simultaneous EFIC "start" signal, will automatically supply water to OTSG A.

- If one of the valves in the AFW flowpaths to OTSG B fails to close to isolate flow, there would be no consequences because its series isolation valve, controlled by a redundant EFIC system channel and powered from a separate vital bus, would close to isolate AFW flow to depressurized OTSG B.

- If EDG GEA2 and/or associated vital bus S4A fail, the AFW pump P-318 turbine will receive an EFIC "start" signal and supply water to OTSG A via valves controlled by EFIC system channel B, and powered from EDG GEB2 and/or vital bus S4B.

- If EDG GEB2 and/or associated vital bus S4B fail, the AFW pump P-319 motor will receive an EFIC "start" signal and supply water to OTSG A via the AFW cross-connect lines and valves controlled by EFIC system channel A, and powered from EDG GEA2 and/or vital bus S4A. In addition, the AFW pump P-318 turbine, which receives a simultaneous EFIC "start" signal, will supply water to OTSG A.

A similar discussion to that above, which applies to the rupture of OTSG B, is applicable to the rupture of OTSG A.

When the AFW system is actuated, the four-channel EFIC AFW actuation system effectively becomes a two-channel system for OTSG water level control. Each of the two AFW trains has redundant valves to control the level in the OTSGs, and each of the redundant level control valves in a train is controlled by a different EFIC system control channel (A or B).
Therefore, sufficient AFW flow to both OTSGs is ensured, given a single failure of any AFW flow control valve or its control circuitry.

The AFW system level control valves and the associated EFIC system control circuitry are designed to ensure that sufficient AFW flow is supplied to the OTSGs following a single failure (i.e., the AFW flow control valves fail open on a loss of control air or on loss of motive power). However, because of this design, a single failure could lead to excessive AFW flow and subsequent OTSG overfill. The licensee considers this design characteristic to be acceptable based on the assumption that, although a failed-open valve may result in overfilling, the rate of increase in OTSG level via AFW is slow, and sufficient time exists for operator intervention. Although the B&W-designed EFIC system includes circuitry to prevent OTSG overfill by the AFW system, the licensee has elected not to use this feature. The licensee's basis for not allowing the EFIC system to isolate AFW flow on OTSG high level is that the EFIC system also isolates MFW to the OTSGs. Therefore, a common mode failure could result in EFIC system isolation of both MFW and AFW flow to the OTSGs. To avoid this, the licensee decided to allow the EFIC system to isolate only MFW. OTSG overfill protection for an AFW overfill event will be provided by high level alarms on the IDADS and remote manual isolation using the AFW system control and isolation valves. This approach to OTSG overfill protection will be discussed in detail in Section 3.1.5 of a supplement to this SER.

One of the level control valves in each of the two AFW trains is pneumatically operated (FV-20527 and FV-20528). The air supply for these valves is the plant air system, which is a non-safety-related system. To ensure operation of these valves, a 2-hour, seismic Category I, backup air supply has been provided for each valve train. The backup air supply will function only if the normal air supply is unavailable. The staff has reviewed this arrangement and considers it acceptable. The instrument air system is further discussed in Section 3.1.2.4 of this report.

The EFIC system consists of four redundant channels of safety-related circuits. Section 4.6, "Channel Independence," of IEEE Standard 279-1971 states that channels providing signals for the same protective function shall be independent and physically separated to accomplish decoupling of effects of unsafe environmental factors, electric transients, and physical accident consequences documented in the design basis, and to reduce the likelihood of interactions between channels during maintenance operations or in the event of channel malfunction.
Regulatory Guide (RG) 1.75, "Physical Independence of Electric Systems," references IEEE Standard 384, "Criteria for Independence of Class 1E Equipment and Circuits," which sets forth criteria for the physical separation of redundant safety-related circuits and equipment.

All instrument/sensing channels providing inputs to the Rancho Seco EFIC system are dedicated to one of four redundant input logic channels. The redundant instrument and input logic channels are physically separated and electrically independent from each other. All communications between redundant EFIC system channels (e.g., channel bypass status information) are accomplished via fiber optic cables.

The staff performed an onsite review of the physical separation provided between redundant Class 1E EFIC circuits, and between Class 1E EFIC circuits and non-Class 1E circuits, to determine if the installed design conforms to the separation criteria identified in Sections 5.6 ("Control Switchboards") and 5.7 ("Instrumentation Cabinets") of IEEE Standard 384. This standard states that where physical separation by enclosures is not possible because of the plant design, either a barrier or a 6-inch minimum separation distance should be provided. In those cases in which a barrier or 6-inch separation is not provided, the design must be analyzed to ensure compliance with RG 1.75, Revision 2, and IEEE Standard 384.

The results of the staff's onsite review and a final conclusion regarding the acceptability of the EFIC system channel independence/channel separation design will be provided in a supplement to this SER. The staff is currently reviewing the licensee's analysis of compliance with RG 1.75, Revision 2, and the resolution of several separation nonconformances identified during the onsite review.

The information available in the control room for the operators to assess EFIC system status/performance is provided by the interim data acquisition and display system (IDADS), and instruments located on the EFIC system control console H1SS(E). The IDADS is a plant process computer system that monitors plant conditions and performs various calculation, trending, alarm, and post-transient data logging functions. Essentially all EFIC system status alarms are provided by the IDADS. The IDADS is a non-safety-related system, and is isolated from the safety-related EFIC system via an Anatec remote multiplexer system discussed in Section 4.5 of this report. The IDADS interface with the operators is two cathode ray tube (CRT) displays located in the primary operating area of the control room. IDADS displays are also provided in the technical support center (TSC).

Each IDADS alarm must be acknowledged by the operator, the condition that initiated the alarm must return to normal, and the IDADS alarm display must be "reset" in order for the alarm condition to clear. This design is similar to that of the control room main annunciators. During normal plant operation, each IDADS alarm condition sounds a bell, which can be distinguished from the main annunciator horn, and each alarm condition is logged by a printer in the control room. During a plant event (defined as a plant condition involving a reactor trip, SFAS actuation, EFIC system actuation, loss of offsite power, or main turbine trip) the IDADS alarm bell is suppressed for "non-critical" alarms. However, all alarm conditions will continue to be printed out in sequence. The IDADS includes a "plant event alarm summary" display (modeled after the main annunciator panels) that is automatically provided to the operators whenever a "critical" plant event alarm condition occurs (e.g., EFIC system actuation/isolation).
The plant event alarm summary display is considered by the licensee to be of equal importance to the main annunciators. The IDADS displays use white to signify a normal plant condition, reverse magenta for alarm conditions, reverse yellow upon operator acknowledgement, and blinking white upon return to normal. The human factors aspects of the IDADS were evaluated and found acceptable as part of the detailed control room design review (DCRDR), which is discussed in a separate safety evaluation issued by NRC letter on August 14, 1987.

The EFIC system status alarms provided by the IDADS include

- AFWS actuation
- MFWS isolation
- loss of reactor coolant pump(s)
- approach to trip on OTSG high/low level and OTSG low pressure
- OTSG overfill
- OTSG low-level trip
- OTSG low pressure trip
- AFW flow test valve open
- EFIC system power failures
- EFIC system channel in maintenance bypass or module withdrawn
- vector logic isolation of AFW
- transfer of EFIC system control to the remote shutdown panel

In addition to the information provided by the IDADS, the reactor operator has status indicators for EFIC system parameters on control room panels H1SS(E), H1RC, H2YS, and H2SF, and local indications are provided on the EFIC system channel A, B, C, and D cabinets. Panel H1SS(E) provides the operator with the immediate information needed to determine the status of the EFIC system and the OTSGs should the IDADS be unavailable, and provides the operator with the means to manually initiate EFIC system safety functions. The following indications are provided on H1SS(E):

- OTSG A and B narrow-range level
- OTSG A and B wide-range level
- OTSG A and B pressure
- AFW pump P-318 and P-319 discharge pressure
- dual indication of AFW flow to OTSG A and B
- flow indication for the AFW test line

Controls are provided on H1SS(E) for manual operation of the AFWS pumps and valves. The operator has the capability to override EFIC control of the AFWS and assume manual control. Valve position indication is provided for the AFWS flow control valves, isolation valves, crosstie valves, and test valve. The circuits provided for manual initiation of AFW are designed so that a single failure will not prevent manual initiation, and so that failure of the automatic initiation circuits will not preclude manual initiation and vice versa.

A discussion regarding the acceptability of EFIC system test features, test procedures, and technical specification operability and surveillance requirements for the EFIC system will be provided in a supplement to this SER. The licensee has not yet finalized the EFIC test procedures.

In summary, the staff has not completed its review of EFIC system isolation devices, channel independence/channel separation, testability and associated technical specifications, and compliance of EFIC with NUREG-0737 Section II.E.1.2 requirements. These issues will be discussed in a supplement to this SER.

3.1.3.3 EFIC System Independence From ICS/NNI System

TMI Action Plan (NUREG-0737) Section II.K.2.2, "Control of Auxiliary Feedwater Independent of the Integrated Control System," requires that procedures and training for initiation and control of auxiliary feedwater independent of the ICS must be provided for B&W-designed reactors.

The AFW system design installed at the time of the December 26th event consisted of redundant (parallel) flowpaths to each OTSG with a single flow-control valve (FCV) in each path. For each OTSG, the FCV in one path was controlled by the ICS, and the FCV in the parallel flowpath was controlled by the SFAS.
The design basis for having both an ICS-operated FCV and an SFAS-operated FCV was to ensure that there would always be an available AFW flowpath to each OTSG given a single failure of an FCV. However, if an SFAS-operated FCV should fail, the only means of providing AFW to the associated OTSG would be via the non-safety-related ICS-operated FCV. Furthermore, assuming that an AFW system pump is running, to isolate AFW flow to an OTSG would require successful operation of both the SFAS-operated FCV and the non-safety-related ICS-operated FCV. The FCV controlled by the failed ICS could not be closed during the December 26th event, which led to OTSG overfill and significant overcooling of the primary system.

The newly designed/upgraded AFW system and safety-related EFIC system do not have any interface with the non-safety-related ICS. The EFIC system provides redundant safety-related capability to initiate and isolate AFW flow to each OTSG as discussed in Section 3.1.3.1 of this report. Section 7.2.3 of NUREG-1195, "Loss of Integrated Control System Power and Overcooling Transient at Rancho Seco on December 26, 1985," states that had the EFIC system been installed, the overcooling event would have been much less severe, and probably would not have exceeded technical specification limits. The Rancho Seco procedures and operator training for initiating and controlling the AFW system are discussed in Section 3.4.1 of this report.

Based on its review of the EFIC system design for initiation and control of the AFWS independent of the ICS and NNI system, the staff concludes that the Rancho Seco design conforms to the requirements of NUREG-0737, Section II.K.2.2. Therefore, this item is closed as a restart issue.

3.1.4 Main Feedwater System Response to ICS/NNI System Failures

This issue is under review by the NRC staff. The results of the staff evaluation will be provided in a supplement to this SER.

3.1.5 Steam Generator Overfill Protection Circuits

This issue is under review by the NRC staff. The results of the staff evaluation will be provided in a supplement to this SER.

3.1.6 Main Steam System Response to ICS/NNI System Failures

This issue is under review by the NRC staff. The results of the staff evaluation will be provided in a supplement to this SER.

3.1.7 TDI Diesel Generators

In 1980, the licensee determined that plant modifications required by NUREG-0737 could not be powered by the existing emergency diesel generators. Consequently, the licensee decided to add two Transamerica Delaval, Inc. (TDI) diesel generators to augment the existing diesel generators. The licensee originally planned to install these new generators during the cycle 7 refueling outage (Spring 1985). This schedule was compatible with the installation of the majority of the Three Mile Island (TMI) modifications, as well as the implementation of emergency feedwater initiation and control (EFIC).
Because the diesels purchased were made by TDI, operation of the diesels was delayed until cycle 8 because of the deficiencies identified on the Shoreham nuclear plant diesels. Recently, the licensee has decided to install the TDI diesel generators and to implement changes associated with its electrical distribution system during the current extended outage.

To solve the TDI generic problems, the licensee, as a part of an owners group with 11 other utilities, developed a major TDI generator requalification program. This requalification program has required both time (several years) and resources to complete. As part of this program, an initial design review and quality revalidation (DR/QR) report was submitted by the licensee to the NRC by a June 12, 1985 letter. The licensee's plans for future activities in this program include:

- startup testing of the engines
- additional inspection following startup testing
- submission of testing and inspection results to the NRC as a revision to the initial DR/QR report
- implementation of a detailed maintenance and surveillance program

The licensee's June 12, 1985 letter stated that it will address and close out all quality revalidation items which pertain to the phase I 16 major components before the final plant tie-in of these diesels during the cycle 8 refueling outage. The 16 items will now be closed out before startup. In the event that quality revalidation items remain open on any phase II components, the licensee will address and close them out not later than the completion of the cycle 8 refueling outage.

These new diesel generators have been housed in a new QA Category I diesel generator building. Each generator has its own fuel oil storage tanks and transfer system, heat exchanger system, and Class 1E electrical power distribution and control (including load shedding and sequencing) system. The Class 1E electrical power distribution system is in the nuclear service electric building (NSEB) and consists of 4.16-kV switchgear, 480-V motor control centers, 125-V dc buses, and 120-V vital ac buses.

Before the final power distribution configuration described herein, the following loads, presently powered from the existing diesel generators on loss of offsite power, will be powered from the new diesel generators:

- control room/technical support center essential HVAC
- 126 kW of pressurizer heaters
- NSEB battery chargers
- auxiliary feedwater pumps
- pressurizer heaters

In addition to the transferred loads, the new diesel generators will power the following loads on loss of offsite power:

- NSEB HVAC
- new DG support systems

The NRC staff review of the TDI diesel generators at Rancho Seco is discussed in Section 4.7 of this SER.

3.1.8 Other Issues of the Electrical Systems Branch and the Instrumentation and Control Systems Branch

3.1.8.1 Makeup and High-Pressure Injection System

The high pressure injection system in a B&W plant is part of the seal injection and makeup (SIM) system. The SIM system provides seal water for cooling and lubricating the reactor coolant pumps and provides makeup water to the reactor coolant system (RCS) during normal operation. The SIM system also provides high pressure injection (HPI) of borated water into the RCS during a loss-of-coolant accident (LOCA). The SIM system contains three identical pumps (two HPI pumps and one identified as a makeup pump), the associated valves, and a makeup tank (MUT). The SIM system is shown in Figure 3.14.

During the December 26th event, a safety features actuation signal (SFAS) occurred because of low RCS pressure. This signal automatically closed the makeup pump suction valve (SFV-23508) from the MUT and caused other components of the SIM system to operate as designed. The event and the resulting operator actions were described in NUREG-1195 (Section 5.4.2) where concerns are identified regarding the adequacy of the SIM system design. On the basis of those concerns, the staff required the licensee to evaluate the Rancho Seco SIM system design and to propose necessary hardware modifications addressing the following:

(1) adequacy of the makeup and HPI protective interlocks and alarms

(2) vulnerability of reactor coolant pump (RCP) seal water injection system to single failures concurrent with the loss of offsite power

The licensee responded to the staff concerns by letter dated October 30, 1986. The licensee's program to resolve these concerns is a two-step process. In the first step (interim) before the restart of the plant, improved operator training will be conducted and procedures will be revised to ensure correction of potential operator error.
The second step involves a thorough review of the SIM system design, and if necessary, proposal of design modifications including protective interlocks and alarms. The design review and any resulting modification will be conducted to (1) ensure timely automatic restoration of RCP seal, (2) provide adequate HPI pump miniflow under all identified operational modes, and (3) provide assurance that water from the borated water storage tank (BWST) will not be diverted by default to the radwaste system.

In a subsequent submittal, "Seal Injection and Makeup System Status Report," Revision 1, dated August 6, 1987, the licensee described its action plan to conduct a system design review to determine:

- whether a loss-of-flow trip on the makeup pump is a viable option
- whether interlocks on SFV-25003, SFV-25004, and SFV-23508, allowing a permissive to close BWST outlet valves only if makeup tank outlet valve is open, is a viable option
- whether a high priority alarm on improper makeup pump suction lineup, using a logic which will recognize pump(s) and valve(s) status is a viable option

[Figure 3.14: SIM system (diagram not recoverable from the scanned text)]

- alternate methods of supplying seal water (loop) on a loss of offsite power
- problems associated with the present design

As is discussed in Sections 3.2.1 and 3.4.1.2 of this SER, the staff has inspected the operator training and the revised procedures to make sure that adequate training and procedures are provided to minimize the potential for operator error in operating the SIM system. The staff finds the first step (additional training and improved procedures to operate the SIM system) an acceptable interim measure for restart and safe plant operation before completion of step two. This item is closed as a restart issue.

3.1.8.2 Reactor Vessel Level Instrumentation

Reactor vessel level instrumentation is being installed at Rancho Seco as part of the response to NUREG-0737, Section II.F.2, "Instrumentation for Detection of Inadequate Core Cooling" and RG 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident." The licensee's letter dated September 14, 1984 committed to implementation of the reactor vessel level instrumentation during the Rancho Seco cycle 8 refueling outage. However, by letters dated September 30 and December 30, 1985, the licensee indicated that because of procurement difficulties the design approach for the level instrumentation was being altered and a differential pressure (DP) system was being pursued. Nevertheless, the licensee reiterated its commitment to install the instrumentation during the cycle 8 refueling outage. The cycle 8 refueling outage is now scheduled to begin approximately a year and a half following restart from the present shutdown.

By letter dated March 30, 1987, the licensee provided justification for interim operation without the reactor vessel level instrumentation from the time of restart until the cycle 8 refueling outage.
The licensee stated that the purpose of this instrumentation is to verify that cooling water is reaching the core and this verification can be obtained via currently available alternate means, direct as well as indirect. The operator, via the safety parameter display system (SPDS), has available Category 1 variables (hot-leg temperature, core exit temperature, RCS pressure, and pressurizer level) which will provide indication that adequate cooling is being provided in the core. In addition, Category 2 subcooling margin curves are available (SPDS) as well as Class 1 indication of Tsat and Psat in the control room. The licensee stated that this temperature and pressure indication and the flow monitoring (Category 2) of the high pressure and low pressure injection systems (SPDS) will provide the operator with sufficient information to determine that the core is being provided adequate cooling. The staff agrees with the justification that sufficient instrumentation is presently available to the operator in the control room to allow operation during the interim period until the reactor vessel level instrumentation is installed during the cycle 8 refueling outage. Therefore, this item is closed as a restart issue.

3.1.9 Summary of the Electrical Systems Branch and the Instrumentation and Control Systems Branch Concerns

This section was included in this SER in order to provide a summary table listing (1) each electrical, and instrumentation and control (EI&C) safety issue for Rancho Seco, (2) the source document(s) in which the concern was first identified, (3) the document(s) in which the concern was resolved, and (4) a summary description of the method of resolution. Since resolution of all EI&C concerns will be presented in a supplement to this SER, this section will also be deferred to a future supplement.

3.1.10 Achievement of Safe Shutdown Using Safety-Related Equipment

This issue is under review by the NRC staff. Additional information is needed by the staff to complete its review. Specifically, by letter dated August 14, 1987, the licensee was asked to provide the results of a review of the adequacy of the plant design and emergency operating procedures with regard to the ability to achieve a safe shutdown of the reactor following the loss of any Class 1E or non-Class 1E bus supplying power to safety-related or non-safety-related instrumentation and controls. This issue was addressed for operating reactors through IE Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power System Bus During Operation."

3.2 Plant Mechanical Systems

3.2.1 Water Supply to Makeup/High-Pressure Injection Pumps

The Rancho Seco design incorporates one makeup pump (P-236) and two high-pressure injection (HPI) pumps (P-238A and P-238B) which are installed in parallel. The makeup tank (MUT), with a capacity of 4500 gallons, serves as the normal water supply to the makeup pump and the A HPI pump (P-238A). The borated water storage tank (BWST), with a capacity of 450,000 gallons, provides water to the B HPI pump (P-238B) during normal operation and serves as an emergency water supply to all three pumps following a safety features actuation signal. The makeup/HPI pumps are designed to return the purified letdown fluid to the RCS and to supply the seal water to the reactor coolant pumps (RCPs) during normal plant operation. One pump can provide sufficient flow for normal RCS makeup and seal water flow. Makeup flow to the RCS is automatically regulated by the reactor coolant volume control valve which operates on signals from the pressurizer level controller. The makeup pump can serve to supplement the HPI pumps during a safety features actuation.

The MUT provides the normal supply for the makeup pump (P-236) through a line that contains a motor-operated suction valve (SFV-23508) at the MUT and a manual pump suction isolation valve (SIM-001). On a safety features actuation, the suction valve from the MUT closes to isolate the MUT while the supply valves (SFV-25003 and SFV-25004) from the BWST open. Between the makeup pump suction valve (SFV-23508) and manual isolation valve (SIM-001), common cross-connect lines are provided to supply water from the MUT to the two HPI pumps. There are two manual isolation valves between the makeup pump and each HPI pump. Normally, the makeup pump (P-236) and the A HPI pump (P-238A) take suction from the MUT. Therefore, the associated cross-connect valves are open. The B HPI pump (P-238B) normally takes a suction from the BWST, so its cross-connect valves are closed.

During the December 26th event, the depressurization of the RCS below 1600 psig caused the actuation of the SFAS, which initiated HPI trains A and B. The makeup pump (P-236) remained in operation. As a feature of the SFAS, the HPI loop valves opened, suction valves from the BWST received an open signal, the HPI pumps started, and the suction valve from the makeup tank closed. Concurrently, the normal miniflow from each of the makeup/HPI pumps is isolated from the makeup tank making full pump capacity available for delivery to the RCS.

After the required safety injection function had been met, the operators began to reestablish the normal makeup configuration. First, miniflow was reestablished to preclude damage to any pump as the pump flows were being throttled. This led to a rapid filling of the makeup tank, which caused the operator to then close the isolation valve from the BWST to the suctions of the makeup pump and the A HPI pump. However, the suction valve from the MUT was still closed. The A HPI pump had already been secured by this time, but the makeup pump was operated without a water supply for about 25 minutes. The pump was not secured until after the pump seal had been severely damaged. This in turn led to the draining to the pump room floor of approximately 1200 gallons of MUT water when the operator opened the MUT outlet valve. During this time period, the RCP seal flow was supplied by the A HPI pump (P-238A) receiving water from the BWST via a supply line that had not been isolated. There was a short interruption of the RCP seal flow when the operator tried to use the makeup pump for seal injection. The operator immediately found that the makeup pump was damaged and shifted back to the A HPI pump for the RCP seal injection. The RCP seals did not suffer any damage as a result of the short interruption of its seal injection flow.
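The lineup error described above, and two of the protective options listed for the licensee's design review in Section 3.1.8.1 (a permissive on closing the BWST outlet valves, and an alarm on improper makeup pump suction lineup), are modeled below as an added example that is not from the report or the licensee. The valve and pump tags are the report's; the Python model, the choice of SFV-25003 as the BWST valve feeding the makeup pump header, and the command sequences are assumptions constructed for illustration.

```python
"""Added illustration: makeup pump suction-lineup permissive and alarm.

Tags (SFV-23508, SFV-25003, SFV-25004, P-236) come from the report.
The logic and the valve-to-pump mapping are assumptions, not plant design.
"""
from dataclasses import dataclass, field

MUT_OUTLET = "SFV-23508"                    # makeup tank outlet valve
BWST_OUTLETS = ("SFV-25003", "SFV-25004")   # BWST outlet valves
# ASSUMPTION: the report does not say which BWST valve feeds the makeup
# pump / A HPI pump header; SFV-25003 is used here for illustration only.
MAKEUP_BWST_SUPPLY = "SFV-25003"
MAKEUP_PUMP = "P-236"
OPEN, CLOSED = True, False


@dataclass
class SuctionLineup:
    interlock_enabled: bool = False
    pump_running: bool = True
    valves: dict = field(default_factory=lambda: {
        MUT_OUTLET: OPEN, "SFV-25003": CLOSED, "SFV-25004": CLOSED})
    alarms: list = field(default_factory=list)
    denied: list = field(default_factory=list)

    def pump_has_suction(self) -> bool:
        """The makeup pump needs at least one open suction source."""
        return self.valves[MUT_OUTLET] or self.valves[MAKEUP_BWST_SUPPLY]

    def _alarm_check(self, label: str) -> None:
        # Lineup alarm: combines pump status and valve status.
        if self.pump_running and not self.pump_has_suction():
            self.alarms.append(
                f"{label}: {MAKEUP_PUMP} running with no open suction path")

    def sfas_actuation(self) -> None:
        """Automatic SFAS lineup: BWST supply opens, MUT outlet closes."""
        for valve in BWST_OUTLETS:
            self.valves[valve] = OPEN
        self.valves[MUT_OUTLET] = CLOSED
        self._alarm_check("SFAS actuation")

    def operator_command(self, valve: str, position: bool) -> bool:
        """Apply a manual valve command; return False if the permissive blocks it."""
        label = f"{'open' if position else 'close'} {valve}"
        closing_bwst = valve in BWST_OUTLETS and not position
        # Permissive: a BWST outlet may close only if the MUT outlet is open.
        if self.interlock_enabled and closing_bwst and not self.valves[MUT_OUTLET]:
            self.denied.append(label)
            return False
        self.valves[valve] = position
        self._alarm_check(label)
        return True


def replay(commands, interlock_enabled: bool) -> SuctionLineup:
    """Start from the post-SFAS lineup and apply operator commands in order."""
    lineup = SuctionLineup(interlock_enabled=interlock_enabled)
    lineup.sfas_actuation()
    for valve, position in commands:
        lineup.operator_command(valve, position)
    return lineup


# Constructed sequences (simplified from the narrative above).
AS_OCCURRED = [(MAKEUP_BWST_SUPPLY, CLOSED)]   # BWST closed, MUT outlet still closed
MUT_FIRST = [(MUT_OUTLET, OPEN), (MAKEUP_BWST_SUPPLY, CLOSED)]

if __name__ == "__main__":
    for name, seq in (("as occurred", AS_OCCURRED), ("MUT outlet first", MUT_FIRST)):
        for interlock in (False, True):
            result = replay(seq, interlock)
            print(f"{name:17s} interlock={interlock!s:5s} "
                  f"denied={result.denied} alarms={result.alarms}")
```

Without the permissive, the as-occurred sequence leaves P-236 running with both suction sources closed and only the alarm marks it; with the permissive, the close command is refused and the BWST supply stays open until the MUT outlet is opened.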
3.2.1.1 Root Cause of Makeup/HPI Pump Failure

The licensee addressed this issue in its Root Cause Report on the December 26th transient. The pump failure was attributed to the absence of adequate procedures for recovery from SFAS initiation. A contributing cause for the pump failure was a lack of operator understanding, which led to operator error.

The NRC staff reviewed the licensee's root cause determination and documented its findings as item RV-E-15 in Inspection Report 50-312/86-07. As described in that report, the staff has reviewed the licensee's analysis and has concluded that the licensee adequately defined the causes of this failure. The staff concluded that the contributing cause might not have been present if the B&W simulator used to train Rancho Seco operators more closely corresponded to the configuration at the Rancho Seco plant. Specifically, the Rancho Seco configuration of the makeup tank and borated water storage tank was not simulated on the B&W simulator.

In summary, the licensee has performed a satisfactory root cause analysis for the makeup pump failure and has completed training and procedure changes to prevent recurrence of this event. On this basis, this item is closed as a restart issue.

3.2.1.2 Assurance of Water Supply Sources

With regard to corrective actions, the licensee has repaired the damaged makeup pump and has written an event-related procedure on recovery from SFAS actuation. This procedure (Rancho Seco Procedure No. C.41) specifically instructs the operator to open the makeup tank outlet valve SFV-23508 before closing the BWST outlet valves SFV-25003 and SFV-25004 during recovery from SFAS and for reestablishing the normal makeup flowpath. Also, the licensee has trained operators in the procedure changes to prevent recurrence of this specific item. The NRC staff reviewed the training and procedures and also examined the consistency between the abnormal transient operating guidelines (ATOGs) and Rancho Seco's emergency procedures. These were found to be acceptable.

The above-stated change of plant operating procedure and the training of operators were performed to ensure the water sources to the makeup system are acceptable to the staff for restart of the Rancho Seco plant. For long-term improvement, the licensee is studying options for providing the desired pump protection through interlocks, alarms or pump trips with the intent to provide assistance to the operator which will minimize the likelihood of similar future damage. The licensee also conducted a separate operational review of other pump suction/discharge configurations and procedures which support mode changes to ensure that a similar situation would not lead to damage to other pumps or equipment in the Rancho Seco plant.

The staff has reviewed Section 9.2 of the Rancho Seco USAR, the new Rancho Seco Procedure No. C.41, the licensee's submittal dated December 15, 1986, and the Region V letter dated May 14, 1986 regarding NRC inspection of Rancho Seco. On the basis of the above evaluation, the staff concludes that the Rancho Seco design of the water supply sources is acceptable. This item is closed as a restart issue.

3.2.1.3 Makeup Pump Repair

Subsequent to the event, the manufacturer of the makeup pump evaluated the damage and determined that the pump could be repaired. The repairs involved a complete teardown; some machining was required on the casing. The entire rotating assembly was replaced with new components.
Following reassembly and installation, a comprehensive acceptance test was performed on the pump. The NRC staff has inspected this item (see item RV-E-17 in Inspection Report 50-312/86-07). On the basis of the licensee's commitment to repair the pump, this item is closed as a restart issue.

3.2.2 Effect of December 26, 1985 Overcooling Event on Reactor Coolant System Components

The licensee has analyzed the effects of the overcooling event on the RCS components that could be adversely affected by the event. This section describes the NRC staff's evaluation of the licensee's analysis.

3.2.2.1 Effect of Transient on Reactor Vessel

The staff has reviewed the licensee's restart report, "Restart Report for the Rancho Seco Nuclear Generating Station Following the December 26, 1985 Overcooling Event," to determine whether or not the reactor vessel was damaged by pressurized thermal shock (PTS). In order to confirm that no damage was done to the reactor vessel by the December 26th overcooling transient, a number of calculations have been utilized:

Babcock and Wilcox Analysis

Babcock and Wilcox (B&W) performed an analysis to assess the pressurized thermal shock concern; the analysis was titled "Fracture Mechanics Analysis of SMUD Transient" (B&W Document 32-1159785-00). The analysis was done as a linear elastic fracture mechanics (LEFM) analysis using the validated B&W computer program PCRIT. This program calculates the RCS pressure necessary to cause a reactor vessel flaw to propagate unacceptably, given the time/temperature history of the transient. The program uses the vessel neutron fluence and vessel material data as inputs.

The PCRIT program analyzed a range of flaw sizes from 1/40 to 1/4 the thickness of the vessel wall. The analysis was based on the ASME Code, Section XI, Appendix A. For the transient duration, the critical pressure was greater than 2750 psig. Since the critical pressure was at all times below 2750 psig during the December 26th transient, and at no time during that event did transient pressure even approach 2750 psig, there is no predicted unacceptable flaw propagation. The B&W fracture mechanics analysis of the SMUD transient concluded that the transient presented no challenge to the integrity of the reactor vessel.

EPRI Analysis

The Electric Power Research Institute (EPRI) Nuclear Safety Analysis Center also performed an analysis of the December 26th transient. That analysis was based on the non-mandatory ASME Code, Section XI, Appendix E, "Evaluation of Unanticipated Operational Transients." This approach applies screening criteria which will, if they are satisfied, ensure ductile behavior of the reactor vessel material and no unacceptable propagation of an assumed vessel flaw.

This non-mandatory appendix was designed to be applied if a plant violated its pressure-temperature limit curve established in accordance with ASME Code, Section III, Appendix G. Rancho Seco did not violate the limit curve during the December 26th transient.
However, the 100 F/hr cooldown rate basis for that curve was violated. It should also be pointed out that the cooldown rate assumed by Appendix E is 400 F/hr. The basis and evaluation of Appendix E indicated that 400 F/hr should be bounding, and rates as high as 1200 F/hr were evaluated. Depending on the calculation used, the December 26th transient may have had a cooldown rate that approached 1200 F/hr for several minutes. A more likely rate is estimated at 300 F/hr below 500 F (50 F in 10 minutes).

The EPRI analysis demonstrated adequate structural integrity for the Rancho Seco vessel as long as RCS pressure did not exceed the design pressure of 2500 psig, nor was T_C - RT_NDT less than 55 F. These requirements were met since the minimum T_C - RT_NDT was 169 F and the maximum pressure was less than 1700 psig.

SECY-82-465 (NUREG-1195) Analysis

The analyses performed in SECY-82-465, "Pressurized Thermal Shock (PTS)," dated November 23, 1982, can be used to estimate how close the December 26th incident came to a condition in which brittle fracture of the reactor vessel would be a serious concern. The likelihood of crack initiation in a reactor vessel that experiences a severe cooldown depends on several variables, including a critical RCS pressure and temperature. If the final RCS temperature (T_f) drops below the reference nil ductility temperature (RT_NDT) at high pressure, the initiation and/or propagation of cracks can take place in the vessel wall. For the cooldown that occurred on December 26th, the critical RCS temperature was approximately 170 F. Thus, the minimum RCS temperature of 385 F reached during the transient was 215 F above the temperature at which reactor vessel integrity would have been seriously threatened.

NUREG/CR-2895 (ORNL/TM-7931) Analysis

The staff also utilized in its evaluation the NRC report prepared by Oak Ridge National Laboratory, NUREG/CR-2895, "PWR Pressure Vessel Integrity During Overcooling Accidents," dated January 12, 1983. Analyses in this report demonstrate that cracks will not initiate unless the downcomer water temperature drops below RT_NDT + 30 F, even for very severe conditions, such as instantaneous cooldown, 2500 psig pressure, high heat transfer, and a crack depth ratio from 0.025 to 0.15. At Rancho Seco, the downcomer water was approximately RT_NDT + 170 F. This confirms the EPRI analysis based on Section XI criteria.

On the basis of the above analyses, the NRC staff concludes that the consequences of the December 26th thermal transient, from the standpoint of thermal shock considerations, were not so severe as to cause damage to the reactor vessel nor to warrant a special nondestructive examination of the vessel.

Thus, this item is closed as a restart issue.

3.2.2.2 Fatigue Analysis for the Reactor Coolant System

Babcock and Wilcox (B&W) has performed an ASME Code Section III evaluation of RCS components for fatigue usage factor due to the Rancho Seco overcooling events. This evaluation summarized the effects of all large and small overcooling events that have occurred at Rancho Seco, including a significant transient that occurred on March 20, 1978. The fatigue analysis examined the limiting fatigue usage factors in the reactor coolant piping, the pressurizer, the control rod drive mechanism, and the reactor coolant pump casings.

The Rancho Seco RCS was designed to accommodate 240 normal cooldowns at 100 F per hour. As a result of several transients during which this cooldown rate has been exceeded, B&W has performed an evaluation of the cumulative usage factor for the entire RCS.

This evaluation concluded that the allowable number of remaining cooldowns, at 100 F per hour, should be reduced from 240 to 235. A total of 31 cooldown cycles has been experienced to date, and thus the reduction to 235 allowable cycles is expected to have no adverse effect on the current design life of 40 years. The NRC staff finds this evaluation acceptable and considers this issue resolved. Therefore, this item is closed as a restart issue.

3.2.2.3 Technical Basis for Rancho Seco PTS Guidelines

During its review of PTS damage to the reactor vessel, the staff also evaluated the technical basis for the PTS guidelines in the Rancho Seco operating procedures. The guidelines used to define the PTS region meet or are more conservative than the criteria for acceptability discussed in Section 3.2.2.1 above.

The practical problem is that the PTS analysis requires numerous assumptions for the many parameters that enter into the calculations. Rather than require the operators to determine the validity or applicability of each assumption, conservatism has been applied to each. For example, for fluid mixing (temperature of water against the vessel wall), no forced flow is assumed to exist; the neutron fluence is assumed to be that of 32 effective full power years (EFPYs); a flaw size equal to the worst allowed by the ASME Code is assumed to exist; and a repressurization to 2500 psig is assumed to occur. The guidance given the operator by the operating procedures, if he should enter the undesired region, is simply to leave the region by lowering pressure.

According to the licensee, there are too many variables involved to develop families of optimum curves for each possible plant condition. The numerous conservatisms result in a very conservative definition of the "PTS Region." Therefore, entering this region does not necessarily indicate any immediate threat to the reactor coolant system, and the procedural guidance to leave the region is conservative.

In its PTS guidelines, the licensee has established a very extensive (although conservative) PTS region. However, the guidelines allow the plant operators to impinge or enter the region with the stipulation that they move out of the region as soon as possible. The staff was concerned that this may desensitize the operator to the overall importance of avoiding the possibility of future PTS incidents.
In response to this staff concern, the licensee revised its operator training programs to address the lessons learned from the December 26th event. The training programs now include the revised procedures and also include PTS recovery action training on the B&W simulator. On this basis, the staff finds the PTS guidelines acceptable. This item is closed as a restart issue.

3.2.2.4 Fuel-in-Compression Limits

In order to prevent hydride reorientation damage to fuel rod cladding during depressurization/cooldown events, B&W has established an evaluation procedure and an acceptable range (fuel-in-compression limits) as a function of system pressure and temperature so that within this range of compressive stress there will be no damage resulting from hydride reorientation. Beyond the acceptable range (into the tensile stress range), some damage is likely. Thus, an assessment of the degree of damage is needed if the fuel-in-compression limits are exceeded.

The fuel rod cladding during the December 26th cooldown transient at Rancho Seco was analyzed by B&W. The results showed that the acceptable range was not exceeded at any time during the transient. Therefore, the cladding will be able to maintain its integrity in the event of a cooldown transient after restart. On the basis of this analysis, the staff concludes that the licensee has provided reasonable assurance that fuel rod damage resulting from hydride reorientation did not occur during the December 26th transient and is unlikely to occur during restart and subsequent operation. This item is closed as a restart issue.

3.2.2.5 Potential for Core Lift

Initial evaluation of the December 26th transient concluded that there was a possibility that during the transient the Rancho Seco fuel assemblies could have been lifted from the seated position in the core plate and moved laterally. This could result in damage to the fuel.

The licensee analyzed the potential for assembly lift during the most limiting condition with four coolant pumps in operation and a combination of worst location (maximum flow) and smallest assembly holddown spring constant. The result showed that there was enough margin for all assemblies to remain seated in the worst combination of coolant flow and holddown spring constant.

The staff reviewed the licensee's analysis and concurs with the conclusions. Therefore, the staff concludes that the December 26th transient did not result in damage due to lifting of the fuel assemblies in the Rancho Seco reactor. Further, the staff concludes that a cooldown transient during restart and subsequent operation will not result in fuel damage due to core lift. Therefore, this item is closed as a restart issue.

3.2.3 Operation of Radiation Monitoring Systems After Containment Isolation

3.2.3.1 Root Cause of Damage to Radiation Monitor R-15001

During the December 26th event, about 80 minutes after initiation of the safety features actuation signal (SFAS) and corresponding containment isolation, a smoke alarm was received from the zone containing radiation monitor R-15001, which serves the reactor building. Operators determined that the source of smoke was the sample pump for the radiation monitor. The sample pump was shut down and the smoke soon cleared.

The licensee's investigation determined that the radiation monitor was isolated in accordance with its design.
However, the design gave no consideration to the continued operation of the sample pump after receiving the isolation signal. In particular, while the sample pump cooling lines were isolated, the pump itself was not tripped. The licensee has installed an interlock to trip the sample pump on loss of cooling flow. The staff finds this modification acceptable and considers the radiation monitor damage issue resolved. This item is closed as a restart issue.

3.2.3.2 Effects of Containment Isolation on Systems Required To Operate After SFAS Actuation

The licensee examined the effects of containment isolation on other systems to verify that proper operation was ensured following SFAS actuation as required. The systems required to operate following SFAS actuation and containment isolation are those systems actuated by SFAS itself, i.e., high pressure injection, low pressure injection, containment building spray, and containment cooling. During the December 26th event, only radiation monitor R-15001 was observed to be adversely affected by containment isolation.

Subsequent review by the licensee of the effects of containment isolation determined that component cooling water (CCW) flow to the reactor coolant pump seal coolers was an additional desirable feature which should be continued following SFAS actuation. A previous modification had removed the automatic isolation signal to these valves, but this review determined that a loss of instrument air would also isolate CCW flow to the reactor building. To resolve this concern, a backup bottled air supply has been provided for the CCW containment isolation valves to ensure they remain open on loss of normal instrument air supply. Other systems, such as the reactor building normal cooling, control rod drive cooling, reactor coolant makeup and letdown, and the reactor building normal sump and sample systems, are not adversely affected by automatic containment isolation as designed. The staff finds the licensee's response acceptable, and considers the concern regarding containment isolation following SFAS actuation to be resolved. Therefore, this item is closed as a restart issue.

3.2.4 Steam Generator Overfill and Flooding of Main Steam Headers

During the transient, OTSG A was overfilled with auxiliary feedwater. Approximately 13,000 gallons spilled into the "A" main steam line. Because of the large difference between the temperatures of the steam line and auxiliary feedwater, a concern existed that high thermal stresses may have occurred. In addition, a further concern was voiced that the flooding may have caused waterhammer. Waterhammer noises were heard in the turbine building some time after the flooding had occurred.

3.2.4.1 Evaluation of Steam Header Supports

B&W has performed a stress evaluation of the main steam line using an augmented Class 2/3 fatigue analysis. This analysis was based on a method previously developed in the Mark I containment program, which permits an increase in stress for fewer than 7000 cycles of stress range.
The evaluation considered the loads imposed by thermal stratification and thermal gradients. Fatigue usage factors were calculated for two cycles of this event, plus the OBE (operating-basis earthquake), DBE (design-basis earthquake), although not required, and 1000 cycles of pressure/temperature loads. The results of this evaluation indicate that the fatigue usage factors for the most critical components in the steam line (such as the containment penetrations, the 24-inch steam generator nozzle/pipe joint, and a 24-inch/36-inch pipe junction) are all below 0.3 compared to an allowable limit of 1.0. The NRC staff has reviewed this evaluation and finds it acceptable.

3.2.4.2 Steam Line Support Inspection

To resolve the waterhammer concern, walkdowns similar to those previously done under IE Bulletin 79-14 were performed by the licensee for the "A" main steam line and the "A" main steam line bypass to the condenser. The as-found configurations of the supports were compared to the configurations recorded during the previous walkdowns. No visible evidence of any adverse effects was found as a result of this configuration comparison. The licensee has also stated that the supports on both lines (spring hangers) were not affected by the overfill dead weight condition itself, since these supports were originally designed for hydrostatic loads to account for wet layup during plant shutdowns. The spring hangers are locked and act as rigid supports during this time. The structural integrity of the OTSG was also determined not to have been affected by the overfill event since the OTSG support skirt was designed considering the dead weight of the flooded OTSG vessel.

The licensee's stress evaluation and the results of the licensee's piping walkdown were reviewed by the NRC staff (see item RV-E-8 in Inspection Report 50-312/86-07). Based on its review, the staff concurred with the licensee's conclusions. On this basis, this item is closed as a restart issue.

3.2.4.3 Potential for Water Injection Into AFW Pump Steam Turbine

The licensee also evaluated the possibility that water may have been injected into the AFW pump steam turbine during the December 26th event. The licensee determined that 19,000 gallons of water would have been required to reach the line to the AFW steam turbine, whereas only 13,000 gallons were injected during the event. Therefore, the licensee concluded that no water was injected into this turbine. The NRC staff finds these evaluations acceptable and considers this issue resolved.

3.3 Plant Maintenance

This section describes the maintenance program that existed during the NRC staff maintenance survey at the Rancho Seco Nuclear Power Plant before the December 26th event, and assesses the programmatic changes in the maintenance program that have been developed by the licensee that will affect the performance of maintenance activities.

Background

The December 26th transient was initiated by a loose wire in a single monitoring module in the non-safety-related ICS that interrupted all 124-V dc power, causing a number of feedwater and steam valves to reposition automatically. In addition, the event also caused the loss of remote control of the affected valves from the control room. The immediate result was a reactor coolant system (RCS) undercooling condition followed by a reactor trip on high pressure. The licensee's subsequent search for root cause of the power failure indicated that the most probable cause was a connection crimp in the wiring between the +24-V dc bus and the power supply monitor. This, in turn, caused the module to sense undervoltage, which interrupted all dc power.

The Incident Investigation Team (IIT) investigated the event but did not review the Rancho Seco maintenance program for programmatic weaknesses in the licensee's preventive maintenance program. These may have led to the looseness of the above-mentioned wiring between the +24-V dc bus and the power supply monitor module.

The licensee found that a terminal lug was improperly crimped, which resulted in a loose connection between the wire and the lug. The licensee replaced the terminal and the NRC staff inspected it. The licensee also initiated an effort to re-inspect all terminations in the ICS, NNI system, reactor protection system (RPS), and SFAS cabinets in the control room area. This effort has been expanded to other selected balance-of-plant (BOP) equipment throughout the plant. The specification used during this reinspection was more specific and more stringent than the specification used when the plant was built. The reinspection identified a number of crimped termination lugs that did not meet the new construction specification. These crimps were replaced and subsequently retested. After the event, the NRC conducted a limited review of the licensee's crimping tools and control of measurement and test equipment (M&TE) to assess the effectiveness of the calibrated crimping tool program on the terminal lug installations. The review uncovered three crimpers that were overdue for calibration. In addition, written procedures were not available to specifically address crimping tool calibration and usage.

The IIT also determined (NUREG-1195) that an auxiliary feedwater (AFW) manual valve could not be shut by the operators after the AFW/ICS flow control valve failed. This AFW manual isolation valve failed because no maintenance had been performed on it. Because there had been no maintenance program, the valve was inadequately lubricated; this inadequate lubrication caused the valve to seize.

The licensee's systematic appraisal of licensee performance (SALP) evaluation for the period from December 1983 through May 1985 revealed that the licensee had a history of (1) not trending equipment performance, (2) inadequate supervisor attention to work performed in the field, (3) poor root cause analysis of equipment failure or malfunctions, and (4) an overall weakness in the training of maintenance workers.

In October 1985, the NRC staff performed a maintenance survey to study the maintenance program and practices at Rancho Seco. The survey was conducted as part of the "NRC Maintenance and Surveillance Program Plan (MSPP)" (SECY-85-129, dated April 12, 1985). Rancho Seco was one of the eight nuclear plants selected for phase I of the MSPP. The results and details of the survey team observations have been documented in NUREG-1212, Volume 2. During this survey, the NRC identified other programmatic weaknesses in the licensee's maintenance program.
The Licensee's Programmatic Changes

Previous inspection findings, along with programmatic weaknesses observed by the staff during the maintenance survey conducted in 1985, indicated that the licensee's preventive maintenance activities for equipment at Rancho Seco were minimal, and for some of the mechanical equipment in the plant, preventive maintenance was almost nonexistent. This is evidenced by several incidents which included (1) the failure of an AFW flow control valve operator, (2) the failure of an AFW manual valve to operate, and (3) the licensee's SALP evaluation. At the time of the staff survey in 1985, the Rancho Seco plant maintenance department was in the process of increasing its staff and changing the organizational structure; this included a realignment of operating philosophy. However, the proposed organizational changes did not appear to have materialized, possibly as a result of a lack of corporate commitment.

After the December 26th event, the licensee identified weaknesses and implemented new actions in the maintenance department to address the broader need for improving performance. The new actions called for further reorganization, realignment of the plant's maintenance activities, and devising new programmatic changes to support plant activities.

In order to verify the programmatic changes that were being developed and to determine if the changes can address those weaknesses that were identified during the 1985 survey, the staff conducted a limited followup site visit in February 1987. In addition, the staff has had recent discussions with the licensee to define the current status of the programmatic changes.

The Followup Site Survey

A two-member NRC team visited Rancho Seco during the week of February 9-13, 1987, for the following purposes:

(1) to obtain and verify information on the recent reorganization and programmatic changes in the plant maintenance department, and to determine what actions are being or will be implemented by the licensee

(2) to identify those changes that may affect or address those weaknesses that were previously identified during the 1985 MSPP survey

(3) to obtain and verify information on the licensee's incorporation of the troubleshooting/root cause determination program within the maintenance areas

Information was gathered by interviewing selected site management and craft personnel, by observing workshops and the M&TE tool room, and by reviewing randomly selected maintenance activities in progress. Site personnel interviewed included both SMUD employees and contractors from various organizations.

Recent Licensee Submittals

To facilitate staff evaluation of the Rancho Seco maintenance program, the licensee submitted, by letter dated August 6, 1987, a chart showing the current maintenance organization. By a second letter dated August 6, 1987, the licensee submitted the Maintenance Administrative Procedures (MAPS) that are currently in use at Rancho Seco. By letter dated September 8, 1987, the licensee provided additional information on the status of the key features of the Rancho Seco maintenance program: technical maintenance procedures, NUCLEIS computer program, measurement and test equipment calibration procedures, maintenance work request backlog, maintenance training program, and manual and remotely operated valve maintenance program.

3.3.1 Maintenance Program Evaluation

During the 1985 survey, the survey team observed the following weaknesses in the licensee's maintenance program (NUREG-1212, Vol. 2):

(1) lack of corporate commitment
(2) poorly defined and poorly integrated program goals and objectives
(3) a cumbersome spare parts and material readiness program
(4) inadequate supervision and planning
(5) no formal and written goals and objectives for the preventive maintenance program
(6) inefficient work control
(7) inadequate maintenance procedures
(8) disorganized operations and maintenance interfaces
(9) work request backlog
(10) non-accredited maintenance training

3.3.1.1 Corporate Commitment to Maintenance

In 1985, just before the December 26th event, the lack of corporate commitment to recruit and train qualified professional and management personnel was evident. The licensee's personnel department knew that exempt salaries at Rancho Seco were lower than the industry average for comparable positions. The licensee's supervisory staff regarded this as a problem and the personnel department confirmed that it had been difficult to recruit additional supervisory/management staff. In 1983, the maintenance department was reorganized; the position of maintenance superintendent was eliminated and the craft superintendent [electric/I&C (instrumentation and control) and mechanical] absorbed his functions.

The procurement process for parts and special projects costing more than $20K required a lengthy process which discouraged plant management from initiating tasks that could improve or enhance the reliability of plant systems or equipment. Maintenance contracts were being constrained by the SMUD Board's policy which required that the contract be awarded to the lowest bidder. In some instances, contracts were awarded to bidders who gave unacceptable quality.

Currently, the licensee has reorganized the Maintenance Department and has hired several managers who were recruited from other nuclear utilities. Exempt salaries for plant management and professional staff were raised, and the new salary structure emphasizes "pay for performance." The new salary structure was approved by the SMUD Board in 1986. A new central planning group and a new scheduling unit were established in August 1986. The purpose of the planning group is to process, plan, and control work requests for corrective maintenance and modification activities. This group is staffed with experienced planners.
The SMUD Board has also authorized onsite approval for any procurement or project cost up to $1M without the need to obtain Board approval. A new warehouse is planned for completion by the middle of 1989; additional funds will be provided for initial warehouse inventory. A new training facility, complete with simulator, training classrooms, and hands-on equipment training areas, is scheduled for completion by 1989.

A noteworthy program that demonstrates licensee management commitment to quality is a newly implemented program called "Make It Happen" which is being formalized in the Rancho Seco Management Process (RSMP) series. Several program objectives, as stated in the RSMP series, are: Quality Produces Reliability, Accountability Through Effective Delegation, People Perform the Work, and The Worker Knows His Job the Best. This program involves all levels of SMUD employees, through meetings between workers and their supervisors, for the purpose of obtaining a mutual understanding of methods and commitments to best improve quality of the work performed. These meetings are monitored by management consultants and the results of these meetings were observed to be well documented; in addition, commitments and progress are followed up on a routine basis.

3.3.1.2 Written Goals and Objectives of the Maintenance Program

During the staff's survey in October 1985, the licensee's administrative policies and procedures were found to be informal and did not include the specific goals and objectives for the different types of maintenance activities. Maintenance activities such as preventive, corrective, and predictive maintenance; equipment failure data base; and trending were not well defined. Job descriptions, responsibilities, and performance indicators for various plant supervisors did not have clearly written standards. In addition, craft activities in different disciplines were not well integrated.

Currently, the Maintenance Department is organized into four areas: mechanical and facilities, electrical and I&C, work planning, and maintenance programs. Each area is headed by a superintendent. The maintenance organization is shown in Figure 3.15. The current maintenance activities, as well as the integration and reporting relationship within and among the department staff, have been clearly defined in written form since December 1986. A series of new Maintenance Administrative Procedures (MAPS) has been generated to reflect the new management philosophy and to supply guidance for program changes. During the staff's visit to the site in February 1987, MAP-0001 and MAP-0002 were in place and personnel were being trained in these procedures. In addition, the staff found that the plant administrative procedure AP-650, "Preventive Maintenance Program" had been revised on August 24, 1986, and that activities for various maintenance tasks, especially programs for the conduct of preventive maintenance activities, were then defined. Interrelated activities and associated responsibilities to be performed by other plant departments were also specified.
In February 1987, the NRC staff noted that most of the recent maintenance activities at Rancho Seco were controlled by guidelines from AP-650; however, not all activities in this procedure were implemented. It appeared that the licensee was not performing activities in the area of trending of equipment failures as prescribed in AP-650. The NRC staff was told that some trending activities are being performed manually by the preventive maintenance (PM) supervisor in each of the craft disciplines, and that the trending program would be integrated with other maintenance activities in the new computerized nuclear maintenance information system, called NUCLEIS. Concurrent with the development of new MAPS, other detailed individual technical maintenance procedures for use in each of the four disciplines (mechanical, electrical, I&C, and facilities) have been developed, and existing procedures have been revised and/or expanded in accordance with the requirements of the newly established MAPS.

Since the site survey in February 1987, the licensee has rewritten MAP-0001 and MAP-0002 and has developed a new series of MAPS. The MAPS currently implemented at Rancho Seco are listed in Table 3.2.

3.3.1.3 Spare Parts/Material Readiness

During the survey in 1985, the staff found that the control of the spare parts inventory was on a Cardex system supported by a batch-loaded computer in such a way that the availability of spare parts could not be determined by maintenance personnel on a daily basis without consulting the warehouse. The warehouse and materials operational staff consisted of 18 people. Material requisition was controlled by the Purchasing and Stores Department located at SMUD headquarters and governed by cumbersome rules and regulations. An "inventory catalogue" was used for both safety-related and non-safety-related equipment, and items were being indexed by component number and not by generic name. In addition, spare

G N I N N A L P o T c N e L' S E S ^E D L A N o C E h I T c R N n E a L R C F E R P U t S a no i ta z T i E C N C O n N R l E a E /D g A LN r G N AE A CT o ETN I N INA RI e TR c AM CE n M EP a L U E n S e tn iam T e N h E T MD A N R E 5 T 1 ll G N OI 3 RR PEP e U r S ug i F EC TC N A A R N T E N TN OI CA M =C5 $8 Fu +r$ c $x wC t 4 D

Table 3.2 Rancho Seco MAPS implemented as of August 6, 1987 MAP No. Title Revision Date MAP-0001 Maintenance Department Organization and Rev. 0 07/02/87 Responsibilities MAP-0002 Control of Maintenance Activities Rev. 0 07/02/87 MAP-0003 Writing Guide For Maintenance, Test, and Rev. 0 07/02/87 Calibration Procedures MAP-0004 Control of On-Site Contractor and Vendor Rev. 0 07/02/87 Personnel s MAP-0006 Work Request Planning Rev. 0 07/02/87 j i MAP-0007 Maintenance Material Control Rev. 0 07/02/87 j MAP-0009 Preventive Maintenance Program Rev. 0 07/02/87 MAP-0011 Foreign Material Exclusion Rev. 0 07/02/87 MAP-0014 Maintenance Administrative Support Rev. 0 07/02/87 l MAP-0015 Maintenance Department Training Rev. 0 07/31/87 MAP-0017 Root Cause Determination Rev. 0 06/12/87 parts were ordered on the basis of a preestablished minimum number of each item and the memory of the plant staff of what had been needed in the past was relied upon to predict future orders. Warehousing procedures were minimal. A shelf-life program did not exist. Equipment failure data and nuclear plant reliability data system (NPROS) component history were not used or integrated in the spare parts and material management activities. Calibration of main-tenance and test equipment was loosely controlled, and the equipment tracking system was based on a manual checkout system that enabled the individual craft to check out equipment independent of other groups. Some tools pigeonholed in areas near the job sites, were " unavailable" when needed by some group, and many " clean" tools could be found in contaminated areas. M&TE calibration activities were governed by only one generic procedure (I-011) and, therefore, most of the calibration activities relied on the skills of the technician and not on specific equipment performance requirements. 
In February 1987, the staff found that the licensee was embarking on an extensive material/spare parts procurement and management program, manned by a staff of 113 people. The program is staffed with experienced personnel and is broken down into four groups; each group has a separate superintendent. These groups are: Material Coordination, Procurement Engineering, Plant Procurement, and Material Control/Warehousing. A new 60,000-square-foot warehouse is planned for 1989, and the operating budget for the new program is estimated at $10M each year for the next 3 years. Inventory value in February 1987 was estimated at $13.5M. A new computerized material management system was on line and 60% of the warehouse data base was loaded into the program. Safety-related material is presently purchased on site, and traceability and documentation is required for all items. Dedicated engineering and QC personnel who have been transferred to the Material Management Department from other plant technical organizations review technical and quality requirements on material requisitions. Procedures for material requisition, receiving, storage, handling, and in-storage maintenance were in various stages of draft and review. On the basis of interviews with maintenance personnel, the staff learned that the availability of material and spare parts was a problem; material could not be installed because certificates were not verified and documentation was not in place.

Since February 1987, the licensee has established a new MAP for preventive maintenance (PM). This MAP (MAP-0009) covers preventive maintenance activities, material availability, and trending of equipment failure data. Information from NPRDS will also be integrated with the revised PM activities.

At the time of the February 1987 staff visit, calibration of Rancho Seco's individual instrument equipment was still controlled by generic calibration procedure I-011. A review of AP-33 indicates that the licensee has established a program to control and issue M&TE equipment. In February 1987, the NRC staff examined a new set of M&TE labels and decals (eight in all) which the licensee used to keep track of tools and equipment as they are checked out. Checkout is now a formal procedure and is controlled by the M&TE tool room technician on a continuing basis.

Currently, in the area of M&TE, the licensee has established a procedure to control such equipment and to ensure that M&TE is calibrated at required intervals to maintain its specified accuracy.
The licensee has also developed a number of new individual M&TE calibration procedures as well as calibration procedures for specific plant process instruments. The licensee currently states that procedures for calibrating individual plant instruments that are needed for restart have been developed and implemented. However, procedure I-011 is still used for calibrating some process instrumentation. Additional emphasis will continue to be placed on tracking measurement and test equipment usage. Before startup, all use of M&TE will be tracked by work request or other suitable means. More than eighty procedures exist for M&TE and fifty specific procedures exist for process instrumentation calibration at this time. The licensee has stated that before startup, procedure I-011 will be replaced with more appropriate procedures to ensure process instrumentation is calibrated properly. The use of specific calibration procedures for process instrumentation, along with up-to-date procedural guidance for all plant instrumentation, will ensure that quality is maintained.

3.3.1.4 Maintenance Supervision and Planning

During the survey in 1985, the staff found that the craft foremen were responsible for planning, scheduling, ensuring clearances, obtaining radiation work permits, and performing system walkdowns; as a result, the level of field supervision on each job was less than needed to maintain a high level of quality. With the establishment of the planning and scheduling section, the foremen are now spending more time with the craft and have more time to review the completed work order packages. The time that the foreman spends on paperwork presently is estimated (by the foreman who was interviewed) to be one-third of the time that he would have spent before the planning group was formed in September 1986. The planning group is staffed with experienced personnel recently recruited from other nuclear facilities or under contract.

At the February 1987 site survey, the staff observed that planning was being performed by one health physicist, two quality engineers, and four operations personnel who were loaned to the planning group to plan and coordinate scheduling activities with other plant organizations. The planning group was using two, mixed, computerized systems: (1) the existing MIMS, which has in storage PM schedules and WR tracking for historical data and WRs closed out (it cannot be used to call out the status of each WR) and (2) an IBM PC network that has local data bases used for scheduling purposes and provides daily/weekly status of the ongoing WRs. Currently, the licensee is using a new nuclear maintenance information system (NUCLEIS) with terminals located throughout the plant. This computer is used to integrate planning activities and material availability. The licensee states that the NUCLEIS work request control system went into the test phase in mid-May 1987. Testing was completed and the system went on line the first week of June 1987.
The system has been on line since and has performed well. NUCLEIS provides a variety of on-line reports and printouts making information associated with backlog readily available to all organizations. Work requests are actually planned and printed through NUCLEIS which not only makes the data available, but ensures the data are accurate and detailed.

Currently, a material coordinator from the Material Department is linked to each of the planning disciplines (mechanical, electrical, I&C, and facilities) for better integration. Activities in the planning group are currently controlled by MAP-0006, "Work Request Planning."

3.3.1.5 Preventive Maintenance Program

During the survey in 1985, the staff found that the licensee had no formal written goals and objectives for its preventive maintenance (PM) program. PM activities were minimal and were independently executed by each craft discipline. PM work was performed at the discretion of the foremen or supervisors in charge. Input from NPRDS data and "systematic trending" of plant equipment historical records were not part of the PM activities.

Currently, the licensee has documented a formal PM program in MAP-0009 with defined activities for PM activities. The PM program has been extensively expanded and improved since the December 26th event. Trending analysis and use of equipment history for input to the PM activities during its planning stage are prescribed in MAP-0009. The PM program was reviewed by the Institute of Nuclear Power Operations (INPO) and the INPO comments have been incorporated. The procedure specifies: (1) how PM activities and interfaces between the planning group and each of the planning disciplines are to be conducted, (2) criteria for selection of equipment needing PM, and (3) methods for integrating between mechanical, electrical, I&C, and facilities' corrective, preventive, and surveillance activities.

In addition to the planning activities performed by the planning group, each maintenance discipline now has a dedicated PM supervisor, whose job is to review completed corrective maintenance and preventive maintenance work order packages for inclusion into the equipment's historical data base. Each discipline also has a dedicated PM foreman and crew to work on PM work packages.

The licensee has developed a large number of new PM procedures for equipment that was not in the PM program before the December 26th event. Equipment covered by these procedures includes mechanical, electrical, and I&C equipment that was identified in the "post event system walkdown" program initiated by the licensee. The walkdowns were conducted by plant operators and other experienced craft personnel and supervisors to identify equipment that previously received no PM and which, in their opinion, should have had PM. Each discipline also has two or more procedure writers dedicated to developing these new PM procedures. INPO Practices MA-302 and MA-307 and EPRI-NP-3416 were used as references, in addition to vendor manuals, during the writing of the new procedures.
3.3.1.6 Maintenance Work Control

During the survey in 1985, the staff found that the licensee's work request (WR) control system was inefficient as judged by the Maintenance Department supervisors and craftsmen. WRs were often held up in the shift supervisor's office. Involvement of quality control (QC) personnel was minimal and after the fact. QC personnel did not randomly inspect the ongoing maintenance works. QC personnel were not reviewing WR packages to determine if additional hold points should be required. There was no effective system for documenting maintenance performance data, such as man-hours expended, spare parts consumed, and recording unusual problems encountered during the performance of maintenance activities. MIMS only retained the synopses of what was done, the root cause of the problem was not recorded, and often the record was incomplete. MIMS was not maintenance dedicated, and was also used for storage of other corporate data.

In its February 1987 site survey, the staff observed that the licensee had MAP-0002, "Control of Maintenance Activities," in place. Requirements for processing of WRs for safety-related and non-safety-related equipment are defined, and responsibilities of all maintenance personnel from the superintendents to the working crafts are outlined in the procedure. By letter dated August 6, 1987, the licensee submitted a new series of MAPs (Table 3.2). This new series of MAPs contained procedures that specify the steps to be taken in the determination of root cause analysis, appropriate corrective actions, and in the review of the completed WR packages for technical conformity and completeness.

The planner is responsible for (1) compiling the work packages, (2) tracking the maintenance activities and modification activities to ensure that equipment history is retained and accessible for reference, and (3) ensuring that postmaintenance retest requirements are appropriately carried out. The foremen and supervisors are responsible for the quality of the work. It is also their responsibility to ensure that the WR has a complete scope and applicable procedures and that proper coordination with health physicists and shift supervisors for RWPs and clearances to the job sites has taken place before the job is performed. Work requests are also reviewed for technical adequacy by maintenance engineers.

The QC organization was completely reorganized in 1986. The organization is now divided into two areas: quality control and quality engineering (QE). In February 1987, the licensee's Quality Control Section had 26 inspectors and, because of the restart outage, was being augmented by 60 contract QC inspectors. The QC organization covers inspections for I&C, electrical, mechanical, nondestructive examination, procurement, warehouse material control (i.e., source inspection, receipt inspection, vendor auditing), and other construction and maintenance activities. Contract QC inspectors are supervised by the licensee's supervisors. The QE section is involved with the day-to-day maintenance activities such as reviewing procedures and WR packages for QC hold points. Two quality engineers are currently assigned to the planning group to review WR packages and to help plan QC inspection activities.

Both QE/QC sections are augmented by the audit-survey group which performs plant surveillance and vendor/procurement controls. In February 1987, a quality control operational procedure (QCOP) was being formed to develop procedures for QE/QC audit activities.
Maintenance staff members who were interviewed indicated that the new QC organization is taking a very active part in the review of work packages for hold points and completeness.

To overcome the previously identified deficiencies in documenting details of maintenance activities during planning, new work in the field, or making observations of work performed, both planners and crafts personnel can now use the "Work Request Continuation Sheet" to add any other information as needed. The continuation sheets are added to the work package and when completed, the packages are reviewed by the foremen and others as required. The NRC staff noted that the completed work activities were reviewed for work performed, then summarized and entered into the computer. However, the licensee has stated that the printout of the completed work requests is retained by the document control group and can be retrieved as needed.

3.3.1.7 Maintenance Procedures

During the survey of 1985, the staff found that some Rancho Seco maintenance procedures had been developed before initial startup, and that additional procedures were developed and added to the initial procedures on an "as-needed" basis. Some of the maintenance procedures were of a generic nature, and details of work activities were left to the skill of craft personnel and to information from vendor manuals. Work control was left to the foreman and supervisor in charge. Postmaintenance testing requirements were minimal and equipment acceptability and operability were left to the discretion of Operations Department personnel to verify, during surveillance testing. Procedures for equipment trending and use of an industry equipment data base such as the nuclear plant reliability data system did not exist.

At its February 1987 site survey, the staff found that the licensee was upgrading procedures in a major effort. MAP-0003, "Writing Guide for Maintenance, Test and Calibration Procedure," was being drafted and had entered the final approval cycle. The licensee has stated that, as part of the programmatic improvement, this procedure was developed to provide consistency for procedure writing and upgrading. MAP-0003 uses INPO Guidelines 85-026 as a reference. MAP-0003 is currently in place.

The licensee stated that in 1986, 44 new procedures were written, 74 procedures were revised, 101 temporary procedures were developed, and 61 biannual procedure reviews were performed. In February 1987, in the area of individual technical procedures, the licensee had approximately 569 new procedures in the process of development (49 in electrical, 509 in I&C, and 11 in mechanical). The majority of these I&C procedures were generated to individualize the calibration of individual plant instruments. The licensee has made the commitment that procedures for equipment needed for restart will be in place before restart. In spite of these new procedures, the NRC has found in a recent inspection that technical procedures for the maintenance of safety-related AFW air-operated valves have not been developed and a large number of plant instruments were still using generic I&C calibration procedure I-011.

Currently, the licensee states that all maintenance procedures required to support restart have been identified and incorporated into the overall project schedule. These procedures have individual completion dates to ensure that the procedure is available before it is needed to support any testing or maintenance activity related to the startup effort.
Below is a tabulation of the status of maintenance procedures as of August 13, 1987.

Type of procedure             No. approved   No. outstanding required for restart   No. outstanding not required for restart
Surveillance                  40             198                                    29
Mechanical                    30             38                                     36
Electrical                    86             8                                      10
Instrumentation and control   59             36                                     43
Totals                        215            280                                    118

Work request procedure MAP-0006, dated June 26, 1987, and preventive maintenance procedure MAP-0009, dated July 2, 1987, are currently used as controlling documents for ongoing maintenance activities and related interfacing responsibilities among plant organizations. The following types of work are covered in MAP-0006: corrective, retest, modification, PM, inservice inspection, inservice testing, and surveillance testing. Postmaintenance testing requirements are also included in MAP-0006. Root cause analyses for plant equipment are specified in MAP-0017.

In addition to upgrading the maintenance procedures program, the licensee also has instituted a number of ongoing maintenance-related programs such as: the upgrading and refurbishment of motor-operated valves, the development of a plant welding manual, the preventive maintenance program for selected plant manual valves (manual Limitorque-operated valves, manual non-Limitorque-operated valves, and other manual valves important to process flow control in Class 1 and steam generator heat removal systems). A number of procedures for the MOV maintenance program and training craft personnel to inspect Limitorque operators were completed.

The licensee has developed MAP-0003 for use in maintenance procedure writing and tracking to report the frequency and success of procedure use. This will provide a firmer control for future procedures review and upgrading process.

3.3.1.8 Operations/Maintenance Interfaces

During the survey in 1985, the staff found that the maintenance staff's "stand-around time" was estimated to be between 30% and 50% because work requests were often being held up in the Operations Department shift supervisor's office awaiting his signature. In addition to reviewing and approving work requests, the shift supervisor was required to attend shift turnover, to supervise control room activities, and to perform plant walkdowns for 2 hours each day.

During the February 1987 site survey, the staff found that the licensee had restructured the Operations Department so that the daily department activities are divided into three main areas: (1) operational procedures and major projects review, (2) training and conduct of operations personnel, and (3) operation of plant equipment and systems. Each of these areas is headed by a superintendent.
The superintendent for plant equipment and systems is responsible for coordinating equipment outages and plant maintenance activities. For each shift, there is a dedicated Maintenance Clearance Coordinator [normally, a senior reactor operator (SRO) is assigned to this task] who is responsible for processing WRs, communicating with maintenance foremen, tagging out equipment, and keeping abreast of the status of maintenance activities that may interfere with plant operations activities. The NRC staff also noted that the number of licensed operators in the control room now has increased to six, as compared to the four who operated the plant during the staff survey in 1985. Communications between maintenance, operations, and other organizations have become better organized through a number of daily, biweekly, and weekly meetings. The staff has observed that maintenance staff members, foremen, and representatives from other plant organizations routinely attended these meetings to plan the daily work scheduling and to resolve any problems that may have been caused by plant conditions or that were discovered in the field.

3.3.1.9 Maintenance Work Request Backlog

During the survey in 1985, the staff found that the licensee had a backlog of 490 preventive maintenance work requests at the end of August 1985. The backlog for corrective maintenance was 1633 at the end of September 1985. Only a small number of the backlog items represented high priority needs (i.e., needed to keep the plant operational).

During the week of the staff's February 1987 site visit, the licensee had a backlog of 294 preventive maintenance requests, of which 24 (22 in electrical and 2 in mechanical maintenance) were not performed when they were due; the rest were delayed because of plant conditions. For corrective maintenance work, the licensee had approximately 3883 WRs to be worked on. The licensee has categorized the priorities of these corrective maintenance requests in the following manner: (1) 2304 are in the 006 category, i.e., needed for restart, and (2) 1579 are not needed for restart and are categorized as "non-006." The latter category is further divided into plant and nonplant equipment. The requests for plant equipment are those that are needed for cold shutdown, hot shutdown, power operations, equipment outage, and other categories. Requests that are not for plant equipment are of the lowest priority.

Because of the restart outage effort currently under way, the licensee is evaluating the number of corrective maintenance work requests in the non-006 category to ensure that all necessary maintenance activities required for restart are performed before the restart. Currently, maintenance craft personnel are working a two 10-hour-shift schedule (7 days a week) as compared to one shift and on call in 1985.

In recent correspondence, the licensee stated that work requests are tracked by the NUCLEIS work request control system. By letter dated September 8, 1987, the licensee also stated that the current backlog is approximately 2900 work requests; of these, 1800 are required for restart. The basic definition of work requests required for restart are those that affect the safe, legal, or efficient operation or shutdown of the power plant.

The licensee stated that the progress in meeting the backlog can be attributed to a highly detailed planning and scheduling process that ties all required work by work request number to plant and schedule milestones.
This level of planning and scheduling was not in place until the spring of 1987. With these tools, coupled with a new level of accountability that is now possible, the backlog has been reduced and the licensee is confident that all restart work requests can be completed before restart without impacting schedules.

3.3.1.10 Maintenance Training

Before the NRC survey in September 1985, the licensee established the Nuclear Training Department (June 1985). This training department became an independent organization under the direction of the Assistant General Manager (Nuclear). A number of training programs such as SRO, RO, and STA received INPO accreditation in 1986; however, maintenance training and other training programs were not accredited.

During the staff's 1985 visit, the licensee stated as a goal that 10% of the maintenance craft time will be used for classroom and workshop training; however, the training records reviewed indicated that only 4 to 5% of the craft time was expended on such training. In 1985, no training workshops existed for hands-on training. The training program was not yet fully developed; trainers were new to their jobs and were spending their time on developing course objectives, lesson plans, and a course program.

In February 1987, the licensee revised the Nuclear Training Department's administrative procedure TDAP-0100 to describe the department's organization, mission, and responsibilities. The Maintenance Training Section is responsible for providing technical training in the following disciplines: I&C technician, electrical technician, electrical maintenance, mechanical maintenance, building maintenance, and material handler/tool repair. As indicated in the licensee's action plan, a number of selected training programs for maintenance personnel were being conducted to close out some NRC inspection findings, such as training on essential heating, ventilation, and air conditioning (HVAC) system, valve disassembling/reassembling, and station batteries.

During the February 1987 site visit, the staff noted that training materials and training courses were being rewritten and incorporated into the new department administrative series (TDAPs). Subjects and areas of training that are to be provided to maintenance personnel are determined by the craft job codes and the need to perform the job as recommended by the craft supervisor. While on site, the staff learned that the licensee's Maintenance Department carried out its own training on the recently developed MAP-0002. The planning group in the Maintenance Department has carried out its own training on postmaintenance retest requirements. MOVATS, a vendor,* provided training to maintenance engineers on motor-operated valve signature analysis and on the MOV (motor-operated valve) switch setting; craft personnel were trained on disassembly and assembly of MOVs. The Material Management Department has conducted its own training on the use of its temporary "desktop" procedures. However, the staff has further determined that new and current contract workers have received minimum formal training in work controls and use of procedures.
The licensee is pursuing the INPO accreditation for the maintenance and technician training programs and is anticipating accreditation in late 1987. The Nuclear Training Department had 19 maintenance trainers in August 1987. The Maintenance Training Superintendent has stated that training time for each of the maintenance disciplines in 1986 was between 6 and 8% of craft personnel time. It was explained to the NRC staff that this number may appear to be low because many new employees were hired toward the end of 1986 and did not participate in training programs in 1986. The licensee has stated that because of restart activities, the training time for the maintenance staff is currently about 5% of maintenance staff time.

At present, the overall training requirements for maintenance personnel are specified in MAP-0015.

3.3.1.11 Licensee-Proposed Corrective Action for Restart and Performance Improvement

As a result of the December 26th event, the licensee has reorganized the structure of the Maintenance Department and has proposed modifications to improve the quality of the maintenance activities. The overall course of action includes implementing the new functional organization, preparing written goals and objectives, formalizing the preventive maintenance program, providing sufficient staffing (currently 265 people), emplacing new management with clearly defined job responsibilities, and initiating a new pay-for-performance program to attract more qualified professional management and staff.

* MOVATS is an acronym for motor-operated valve actuator testing system and is also used as a generic term for an MOV testing program used for predictive maintenance.


The following are the licensee's new initiatives. To facilitate the work process, the licensee established a planning group, a scheduling unit, and a new maintenance information computerized system. To improve material readiness, the licensee reorganized the Material Management Department and developed a computerized system for material and warehouse control. To improve quality of work performance, the licensee reorganized the Quality Control Department, creating a new QE section for engineering and holdpoints review. To enhance communication between operations and maintenance staff, the licensee increased the number of operations staff in the operations shift supervisor's office to better coordinate maintenance activities with plant operational requirements.

The licensee has upgraded the administrative procedures, devising new procedures for work requests, establishing guidelines for troubleshooting and root cause analysis, formalizing postmaintenance testing activities and requirements, revising existing technical procedures, developing new preventive maintenance procedures, and improving the maintenance training program. The licensee has also committed to complete all category 006 WRs before the restart. The licensee intends to implement these planned actions; this represents a long-term commitment to ensure increased reliability and improved performance of equipment.

The staff has determined that the licensee currently has in place various second-tier documents to formalize the Maintenance Department responsibilities as specified in the newly established MAP series, and has in place procedures to control the work flow and to efficiently administer the daily activities of the department. On the working level, a number of procedures for M&TE preventive maintenance activities dealing with equipment, M&TE calibration, and plant instrument calibration were developed and are in place.
Similarly, a large number of technical procedures remain to be written, reviewed, and approved. The procedures for activities in the planning section have been formalized, and criteria on postmaintenance testing requirements and incorporating the root causes in the new computer system have been developed.

Concerning the licensee's procedure modifications program, the staff noted that, with the exception of the MAP series, the specific schedule for completing all other individual equipment technical procedures for maintenance and preventive maintenance has not been given. The licensee intends to complete all of these activities before startup.

The licensee has hired a number of well-qualified managers who have worked at other operating nuclear facilities. Workers who were interviewed by the staff exhibit positive attitudes. Various daily, weekly, and biweekly meetings are the means by which organizations communicate with each other and by which management and workers communicate.

3.3.1.12 Maintenance Program Evaluation Conclusions

Through interviews, witnessing onsite activities, and review of documents, the NRC staff has determined that the licensee is making progress in its program modifications that will improve the quality and efficiency of maintenance activities. The staff believes that these modifications, when implemented, will address those weaknesses in the licensee's maintenance program that the staff observed during the MSPP survey in 1986. On this basis, the staff finds the Rancho Seco maintenance program to be acceptable. The implementation of the recent programmatic changes will be confirmed by inspection during and following the startup period, and results will be documented by a timely inspection report which addresses that issue.

3.3.2 Valve Preventive Maintenance Program

Events during the December 26th transient led the NRC staff to conclude that an improved preventive maintenance (PM) program for all valves was needed at Rancho Seco. The licensee also recognized this, but its initial concern was limited to manually operated valves. Two manual valves failed to perform properly during the incident, demonstrating the need for better PM. One of these two valves was the manual maintenance isolation valve in the auxiliary feedwater (AFW) line (FWS-063) which was completely stuck in the closed position because of lack of maintenance. The other valve was SIM-003 which needed to be closed to isolate the damaged makeup pump, but could only be operated with considerable difficulty. The licensee's investigation into the SIM-003 valve situation revealed that the problem with the valve had been previously identified. In its Root Cause Report, the licensee concluded that the limited maintenance performed on the valve was ineffective in correcting the problem.

The initial NRC staff inspection of the valve PM program was conducted in the spring of 1986 and was documented as item RV-MA-1 in Inspection Report 50-312/86-07. In examining the PM program at that time, the NRC staff concluded that although a program existed, the program did not adequately address all valves in the plant. In particular, the program did not provide and apply criteria for inclusion of a valve in the PM program or apply criteria as to the type and frequency of PM for a particular type of valve or service condition.
In a followup inspection in February and March 1987, the NRC staff reinspected the valve PM program. This was documented as item RV-MA-1 in Inspection Report 50-312/87-8. At the time of the inspection, the licensee had generated criteria for inclusion of valves into the PM program; these criteria were to be included in administrative procedure AP-650. Approximately 85% of the manually operated valves selected because of their safety role had been refurbished, as had 100% of the motor-operated safety valves. Eventually, the PM program will include check valves, relief valves, pneumatic valves, etc., but at the time of the inspection, this program had not been definitively described or scheduled for implementation.

By letter dated September 8, 1987, the licensee described the current status of the Rancho Seco Valve Preventive Maintenance Program as follows:

(1) Manual Valves

The selection criteria for the manual valve program are completed and are included in MAP-0009. Manual valves may receive operation inspections, lubrication, or acoustical monitoring.

Category 1

This category includes all valves identified as mandatory for inclusion into a PM program. The purpose of these valves is nuclear plant safety. These are valves required for a controlled shutdown of the plant, keeping the plant shut down, bringing the plant to cold shutdown and maintaining it there, and also for mitigating the consequences of a radiological release. Additionally, category 1 includes valves that may be stroked during normal or defined emergency conditions. The selection criteria used to identify these valves are:

valves identified in casualty and emergency procedures
SFAS standby valve lineups as identified in Administrative Procedure AP-4

Category 2

Group A: This category and group include all non-category 1 valves that could impact system process flows in QA Class 1 systems, and are 2-1/2 inches or larger.

Group B: This category and group include all valves selected by good engineering judgment for inclusion into the PM program. Their inclusion is not mandatory. The selection criterion for these valves is economic, and selection is made on an individual basis. These are the valves that, if failed, could have a financial impact by reducing power operation or affecting surface or airborne contamination levels within the plant. The selection criteria used to identify these valves are:

surveillance procedure SP.214.01
valves identified as having a history of high failure rates
non-isolatable valve locked open and closed valves (surveillance procedure SP.214.03)
valves in boric acid systems

Category 3

This category includes all valves not entered into the PM program because they are seldom used and do not impact nuclear safety or economic consideration. Deficiencies identified with these valves will be repaired on a corrective maintenance work request. The selection criteria used to identify these valves include, but are not limited to:

vent and drain valves
instrument root valves

All category 1 manual valve PM tasks will be developed and performed before restart. This effort is currently in progress and is integrated into the Project Restart Schedule.

(2) Motor-Operated Valves

The selection criteria for the MOV program are completed and are included in MAP-0009.

General PM guidelines include predictive maintenance (MOVATS), lube change out, stem lube, acoustic monitoring, ILRT (integrated leak rate testing) evaluation, stroke timing, and packing replacement.

Category 1

This category includes all those valves requiring surveillance by Section XI of the ASME Code as determined by the engineering group.

Category 2

This category includes all other motor-operated valves.

All of the category 1 MOV PM tasks will be developed and performed before restart. This effort is currently in progress and is integrated into the Project Restart Schedule.

(3) Air-Operated Valves (AOVs)

The selection criteria for the AOV PM program are completed and are included in MAP-0009.

General PM guidelines include stroke time, acoustical monitoring, lubrication, LLRT (local leak rate testing) evaluation, and operating inspections.

Category 1

This category includes all those valves requiring surveillance by Section XI of the ASME Code as determined by the engineering group.

Category 2

This category includes all other QA1 or QA2 air operators for valves.

Category 3

This category includes all air operators not included in category 1 or 2.

The AOV PM tasks will be developed per the vendor's recommendation. This effort is currently ongoing for all category 1 valves. This effort will be completed before restart as will the performance of the individual PM tasks on all category 1 valves above. The performance of these tasks will be integrated into the Project Restart Schedule.

All of the category 1 manual and motor-operated valves have been refurbished under specific action programs outside of the PM program. The remaining actions are to include the followup task into the PM program to ensure the continued operability of these components. As stated above, this action is scheduled and being tracked and will be complete before restart.
This item remains open as a restart issue until the licensee's valve PM program is fully implemented and is inspected by the NRC staff. The results of the staff inspection will be discussed in a supplement to this report or in an NRC inspection report.

3.3.3 Operability Program for Manually and Remotely Operated Valves

During the December 26th event, the operators were unable to close AFW manual valve FWS-063. Subsequent investigations disclosed that the valve's operating mechanism had rusted because of lack of lubrication. The licensee replaced the rusted operator components and verified valve operability by stroke testing the valve. The licensee determined that neither the valve stem nor packing had been damaged by the attempts to operate the valve during the event. The staff observed the repairs to FWS-063 and subsequent stroke testing of the valve. The licensee checked the operability of five identical manual valves in other systems and found no other instances of binding in valve operation. However, the licensee's Root Cause Report did identify a problem with manual valve SIM-003. (See Section 3.3.2.)

During the December 26th event, the manual operator of AFW control valve FV-20527 was damaged by the use of a valve wrench, causing a loss of manual control of the valve. The licensee replaced the damaged manual operator of valve FV-20527 and issued specific guidance and restrictions on the use of valve wrenches on manual valve operators. In the spring of 1986, the NRC staff inspected the licensee's valve repair activities and observed the reassembly of the AFW control valve manual operator. (See item RV-MA-4 of Inspection Report 50-312/86-07.) The licensee conducted training on the proper manual operation of the valves and posted instructions on the valve as guidance to the operators to ensure proper operation.

In a subsequent inspection in March/April 1987 (Inspection Report 50-312/87-11), the staff reviewed the completed maintenance inspection data report (MIDR) for FV-20527 reassembly and inspection plan, MM-501, Revision 2. The MIDR documented the satisfactory operational testing of FV-20527, both manually (handwheel) and by means of the air actuator under static system conditions. The licensee has stated that manual operation of AFW control valves with flow is an item to be completed before restart. At the time of the inspection, Special Test Procedure STP-1029 was being written and valves FV-20527 and FV-20528 were to be verified as manually operable under high differential pressure conditions during AFW system flow testing.

Inspection Reports 50-312/86-07, 87-11, and 87-16 documented NRC staff inspection of the licensee's inspection, repair, and testing of manual and remotely operated valves.
Staff concerns regarding manual valve inspection and the preventive maintenance program were identified as item RV-MA-4 in Inspection Reports 50-312/87-11 and 87-16:

(1) The listing of 142 valves selected by the licensee as critical to plant operations appeared to have been developed informally rather than via a formal, preplanned review process. The suitability and completeness of this listing needed further evaluation.

(2) The valves had been inspected by maintenance personnel with little or no QC involvement. Many valves were accepted as is, and only minor upkeep was performed. No verification of individual valve conditions was available.

(3) Administrative Procedure AP-650, "PM Program," categorized manual valves in QA Class 1 systems that are required for controlled safe shutdown as categories 1 and 2A. Preventive and corrective maintenance had been performed on or planned for the category 1 valves, but the licensee's program did not include requirements to inspect and maintain the category 2A valves before restart.

(4) Although the licensee had reported completed inspections and corrective maintenance on the 142 "critical" valves of item 1 above, sampling reinspection and observation of valve operation by the NRC inspectors found significant valve condition discrepancies, including fastener thread engagement deficiencies, valve handwheel marking and position indicator discrepancies, and packing and mechanical joint leaks. As immediate corrective action, the Maintenance Manager and QC Supervisor initiated an immediate 100% reinspection of the valves.

The licensee's actions to resolve the above issues were inspected by the NRC staff in June 1987 (see Inspection Report 50-312/87-21). The licensee's reinspection program of item 4 above resulted in major revisions to inspection data sheets to include criteria identified by NRC inspectors and documented in Inspection Report 50-312/87-16. All inspections were performed by QC inspectors. Deficiencies were noted on the data sheets and work requests were issued for corrective actions. Additionally, the licensee continued with 100% inspection of the category 1 valves and had instituted a 100% inspection of 106 Limitorque manual geared operators subject to handwheel/position indicator discrepancies identified in Inspection Report 50-312/87-16.
These inspections and resultant corrective maintenance activities were continuing at the time of the NRC inspection documented in Inspection Report 50-312/87-21.

The NRC inspector reviewed the inspection data sheets for all of the 142 "critical" valves reinspected by the licensee. Sixteen valves were selected for visual inspection by the inspector, six of which were equipped with manual geared operators. The latter valves were exercised in the presence of the inspector to verify position indicator operability. The inspector confirmed that the licensee had initiated corrective action for all identified valve discrepancies.

The category 1 valves not included in the 142 "critical valves" list are being progressively inspected; the task is being controlled via work requests and similar inspection data sheets. The NRC inspector also selected a sample of category 1 valves, confirming that their inspections had been initiated or completed and corrective actions had been initiated for discrepancies (6 work request packages involving 82 of 219 category 1 valves).

On the basis of the sample reviewed, the licensee's inspection process appears to be effective in identifying and correcting valve deficiencies. However, the inspector noted that the licensee's completion status keeping was cumbersome and required manual searches of many work requests, each applicable to sometimes dozens of individual valves. Although all of the NRC inspector's questions were acceptably resolved by the licensee, the inspector observed that the licensee will need to exercise care to ensure that all valves are addressed as committed to the NRC.

The NRC concern (item 3, above) that the licensee was not planning to inspect category 2A valves before restart, as specified by AP-650, had been addressed by the licensee via the issuance of a new Maintenance Administrative Procedure, MAP-0009, "Preventive Maintenance Program," on June 24, 1987. The procedure was in the process of distribution for initial implementation at the close of the inspection.

This procedure redefines the valve categorization so that all valves previously in category 2A per AP-650 which were also required for safe controlled shutdown, keeping the plant in cold shutdown, or to mitigate the consequences of a radiological release, etc., would be included in category 1. Category 2A would include the remaining valves in QA Class 1 systems (not included in category 1) which could have an impact on system process flows and which are > 2-1/2 inches in size. The procedure makes preventive maintenance of category 1 items mandatory. The licensee advised that the AP-650 valve category lists would be revised to recategorize the valves accordingly. The schedule and personnel resources for this activity were being arranged during the inspection. Notwithstanding the above, the licensee's current program appears to address NRC concerns about pre-restart upkeep of critical valves.
In summary, the licensee's operability program for manual and remotely operated valves has been inspected by the NRC staff. The results of the inspections have been identified as item RV-MA-4 in Inspection Reports 50-312/86-07 and 50-312/87-11. The NRC staff inspection of the licensee's program and baseline inspections are discussed in Inspection Report 50-312/87-11. Concerns regarding the licensee's program and baseline inspections were identified in Inspection Report 50-312/87-11. The licensee's corrective actions for the concerns were inspected and documented by the NRC staff in Inspection Report 50-312/87-21. Based on that inspection, the NRC staff considers the licensee's corrective action and operability program for manual and remotely operated valves to be acceptable. On this basis, the NRC staff considers this item to be closed as a restart issue.

3.3.4 Maintenance Troubleshooting and Root Cause Determination Program

After the December 26th event, the licensee developed a systematic "troubleshooting" plan to identify the root cause of the failure of the "A" AFW flow control valve. The troubleshooting plan contained maintenance instructions which provided detailed step-by-step procedures for troubleshooting of each item of damaged equipment. The licensee also used this plan to determine the cause of the loss of 24-V dc power; this determination led to the discovery of a loosely crimped terminal lug in the ICS power monitor module. The licensee has developed MAP-0017 for use in root cause determination. The licensee stated that this will be included in the departmental administrative procedure manual. This document outlines the Maintenance Department policy and process for investigating equipment failures to ensure that the problems and not just the symptoms have been corrected. This information will be used, along with other trending data, as input to the predictive and preventive maintenance program. The document specifies responsibilities for the foreman, planner, and maintenance engineer in regard to the process. The procedure includes a requirement for the investigator to define the (1) root cause, (2) immediate corrective action taken, and (3) recommended supplemental action. MAP-0006, which specifies procedural steps for work request planning, includes detailed instructions for preparing "troubleshooting work requests."

Based on observing licensee troubleshooting activities of equipment that malfunctioned during the December 26th event, the staff believes that if (1) MAP-0006 and MAP-0017 are implemented in the maintenance-related troubleshooting plan/root cause investigation program and (2) results for each investigation are added to the computerized equipment data base, the licensee should have an effective troubleshooting and root cause determination program and will enhance the planned preventive maintenance program at the Rancho Seco plant. The NRC staff considers this item to be closed as a restart issue.

3.3.5 Maintenance Conclusions

The NRC staff has reviewed the overall Rancho Seco maintenance program and finds it acceptable, subject to its successful implementation before restart. The staff inspection of valve preventive maintenance at Rancho Seco revealed deficiencies in this area.
The staff will conduct inspections before restart to verify resolution of valve preventive maintenance deficiencies and within 6 months of restart to verify implementation of the overall maintenance program. The resolution of these issues will be discussed in a supplement to this SER or in an NRC inspection report.

3.4 Training and Operator Performance

3.4.1 Adequacy of Operator Training

3.4.1.1 Review of Training Programs

The licensee has four INPO-accredited training programs for Rancho Seco. The nonlicensed, licensed, senior licensed control room operator, and the shift technical advisor training programs were accredited in April 1986.

The NRC staff plans to conduct a postaccreditation review during the fall of 1987. These reviews are conducted in accordance with the "Commission Policy Statement on Training and Qualifications of Nuclear Power Plant Personnel," of March 20, 1985 (SECY-85-1), which states, "The NRC will continue to closely monitor the process [INPO accreditation] and its results," and "It remains the continuing responsibility of the NRC to independently evaluate applicants' and licensees' implementation of improvement programs."

The review will be conducted using NUREG-1220, "Training Review Criteria and Procedures." These procedures contain the criteria against which the implementation of the five elements of performance-based training are evaluated. Those five elements, which are essential to this type of training are:

(1) a systematic analysis of the jobs to be performed

(2) learning objectives that are derived from the analysis and that describe desired performance after training

(3) training design and implementation based on the learning objectives

(4) evaluation of trainee mastery of the objectives during training

(5) evaluation and revision of the training based on the performance of trained personnel in the job setting

To evaluate the Rancho Seco training programs, the NRC staff plans to review the licensee's training programs in late September 1987. In addition, this review will include a postaccreditation review, a review in keeping with the NRC policy as stated in SECY-85-1, which states that the NRC will continue to closely monitor the accreditation process and its results.

The staff will select tasks for review from the licensee's accredited programs as well as from the maintenance training program. The review will focus on: (1) how the tasks were analyzed; (2) how training objectives were derived from the tasks; (3) how training for the tasks was designed, developed, and implemented; (4) how trainees were observed and evaluated during training to determine their level of task mastery; and (5) how feedback on training, trainee evaluations, and on-the-job performance indicators are incorporated into revision and evaluation of the training programs.

On the basis of the results of the postaccreditation review, the NRC staff will report on the resolution of this issue in a supplement to this SER.

3.4.1.2 Event-Related Training

The December 26th event and the subsequent findings of the NRC Incident Investigation Team (NUREG-1195) indicated a need for additional licensee training of operators. The overcooling event and subsequent licensee corrective actions resulted in an extended shutdown. The reduced level of plant operations during the extended shutdown reduced the competence level of the operators and necessitated further licensee operator retraining.
An NRC staff evaluation of the licensee's operator training on overcooling events, system response with varying rates of decay heat, and event awareness training was documented as item RV-0-9 of Inspection Report 50-312/86-07, issued on May 14, 1986. The inspection covered classroom, simulator, and "hands-on" training covering the accident sequence of events, overcooling events, emergency operating procedure (EOP) changes, plant modifications, integrated control system (ICS) operation, entry into areas of unknown radiological conditions, manual operation of valves, and other event related training.

The inspection included a review by the NRC staff inspector of sequence-of-events training, classroom training, and simulator training for licensed operators. The inspection also included operator interviews and oral examinations on the training provided in the above areas. The findings in these areas are described below.

(1) Sequence-of-Events Training

The licensee provided training to all operators on the sequence of events for the cooldown transient of December 26th. The purpose was to ensure that all operations personnel had a broad perspective of the cause of the event and the transient that followed. The class included a review of the major occurrences that took place and a discussion of the events, emphasizing problem areas that arose. From a review of the class attendance sheets, the inspector verified that all licensed and nonlicensed operators had received the training.

(2) Classroom Training for Licensed Operators

The licensee provided the licensed operators with classroom training in the following areas.

modifications to the atmospheric dump valves (ADVs), turbine bypass valves (TBVs), and AFW valves
changes to the EOPs
recovery from SFAS actuation
local manual operation of ADVs, TBVs, and AFW valves
conduct of shift operations, including communications
loss/restoration of ICS power
entry into areas of unknown radiological conditions
operator traps (differences between the B&W simulator and Rancho Seco)

Local training for manual valve operation was given at the site and included "hands-on" training. All other classes were given in conjunction with the simulator training. The inspector reviewed the classroom outlines and trainee handouts and concluded that the classroom outlines and trainee handouts appeared to cover the significant points related to the transient and recent plant modifications. The inspector also verified that all licensed personnel had received the required training.

(3) Simulator Training for Licensed Operators

The licensee provided the licensed operators with event and modification training at the Babcock and Wilcox (B&W) simulator in Lynchburg, Virginia.
A B&W-certified NRC license examiner observed portions of the training in the following areas:

overcooling events, including actions taken to preclude pressurized thermal shock (PTS) concerns
loss of power
failures of the ICS, including recovery and restoration
makeup and purification system operation following SFAS actuation
throttling and trip criteria for pumps and valves
modifications and control room operation of the ADVs, TBVs, and AFW valves
differences between the simulator and Rancho Seco
changes to EOPs

The examiner concluded that the retraining in the observed areas adequately addressed the issues raised as a result of the October 2, 1985 and December 26, 1985 events.

(4) Operator Interviews

During the week of April 7-11, 1986, NRC staff and an NRC contractor interviewed operating personnel at the Rancho Seco site. The purpose of these interviews was to assess the effectiveness of the training by sampling the operators' knowledge about the event of December 26th and the subsequent training that had been given. The questioning was derived from various sources including the NRC Incident Investigation Team (IIT) report (NUREG-1195), the licensee's Summary Report dealing with the event, and the classroom outlines and materials from the training sessions.

On the basis of the results of this evaluation, the NRC concluded that the retraining given the operators in the areas of weakness demonstrated by the event of December 26th had been effective. However, some items were noted which indicated some operator uncertainty in specialized areas.

Although these specific areas or questions indicated a need for some improvement (these were discussed at the exit interview on April 11, 1985), the NRC examiners concluded that the licensee has been conducting an effective retraining program. The licensee subsequently provided additional training for licensed and nonlicensed operators to address deficiencies noted. The additional training was inspected and the staff inspectors found that the additional training was acceptable (Inspection Report 50-312/87-06). Therefore, this item is closed as a restart issue.
3.4.1.3 System Training

The licensee's training in this area includes the following systems:

(1) integrated control system, including actions to verify operability, responses to failures, and recovery from failure

(2) makeup and letdown system to specifically include operation of MUT, BWST, and HPI under various conditions

(3) steam generator and reactor level control to include throttling and trip criteria for various valves and pumps including RCP

(4) operations of ADVs, TBVs, and AFW throttling valves

(5) difference between the configuration of the B&W simulator and the configuration of the Rancho Seco plant

The NRC staff inspected the licensee's system training and found it adequate in the above areas. This inspection was documented as item RV-0-10 in Inspection Report 50-312/86-07. This item is closed as a restart issue.

3.4.1.4 Emergency Procedure Training

The NRC staff has conducted inspections in this area and has documented the results in Inspection Reports 50-312/86-06 (see item RV-0-12) and 50-312/86-07. Specific items covered include the following:

(1) the plant modifications being made before restart, the reasons for the changes, and the effect of these changes on emergency procedures

(2) onsite and offsite notifications in an emergency, including a clear understanding of what constitutes emergency situations (EPIP)

(3) criteria and precautions for entry into a potentially highly contaminated area

(4) recovery from ICS or NNI system failures, including recovery from SFAS

Inspection Report 50-312/86-06 identified numerous instances in which the actions required by the licensee's Emergency Plan Implementing Procedures (EPIPs) were not performed. Inadequate training was considered to be the primary cause of these problems. The licensee's corrective action for these problems consisted of specific training for the operating crews in the principles of command and control, specific actions required for an unusual event, and required emergency notification. This supplemental training was completed on September 4, 1986. The licensee's corrective actions were evaluated during the 1986 annual exercise and were found to be adequate. Inspection of the emergency preparedness exercise and the results of the inspection are documented in Inspection Report 50-312/86-32.
Before startup, the NRC staff will reevaluate the licensee's emergency response training program, including emer-gency response training for the control room staff. The results of the staff reevaluation will be provided in a supplement to this SER or. 'in an NRC inspec-tion report. 3.4.1.5 Valve Training for Non-Licensed Operators Valve training was inspected by the NRC staff and was documented as item RV-0-14 in Inspection Report 50-312/86-07. This inspection addressed the entire scope of retraining for nonlicensed operators. The NRC inspector attended a series of training sessions given on February 27 and 28, 1986. The material covered was: Rancho Seco Restart SER 3-79

L local manual operation of the AFW flow control valves,'ADVs, and TBVs entry into areas of unknown radiological conditions E0P and casualty' procedure changes ADV, TBV, and-AFW valve modifications command and control training (i.e., communications) The manual. valve operation session included.a detailed review of the components and operations of the valves'and valve operators, both manual and automatic. The class included " hands on" manipulation of each 'of the ' valves by all of the l class attendees. The class also covered the effects on the valves of a, loss of 1 instrument air and a loss of the'ICS..,The training inaluded procedures'for entry into areas of unknown radiological conditions. 4 1 The procedure changes, valve' modifications, and command and control' training sessions were aimed toward providing nonlicensed operators withla general knowledge of the changes, not a detailed understanding. This was appropriate to the duties of-these operators who are not required to use the-information when they are unsupervised. The staff verified that all nonlicensed operators had completed the training, and concluded that the sessions covered the appropriate material-The. staff noted that the manual valve operations training was limited to only the ADVs, j TBVs, and AFW valves. Consequently, the staff was concerned-that there may1be other valves in the plant that operate differently from these valves, and that these would need similar " hands on" training. This issue was~ evaluated, and j the inspector determined that the licensee had provided acceptable additional-training (see Inspection Report 50-312/87-06). On the basis of these inspec-tions, this item is closed as a restart issue. 3.4.1.6 Emergency Notification Training NRC Inspection Report 50-312/86-06 identified deficiencies'in the' licensee's implementation of its emergency-procedure for notification. The-failure to update State and local agencies and to notify plant personnel of. 
degraded plant conditions was identified as a violation. The quality of the training was also considered a primary cause of this problem. The licensee's corrective action was to improve the training conducted for the emergency notification procedure and to provide supplemental training to further emphasize the importance of keeping State and local agencies informed of plant conditions. The supplemental training was completed on April 1, 1986. On the basis of the licensee's performance during the 1986 annual exercise, the licensee's corrective action in this area appears satisfactory. This item is closed as a restart issue.

3.4.1.7 Operator Retraining Due to Long-Term Shutdown

Realizing the length of time the unit would be shut down, the licensee established a program to ensure that licensed and nonlicensed plant operators clearly understand the technical and administrative actions required to conduct plant heatup, power ascension, and shutdown. The program covers retraining in normal procedures, casualty procedures, emergency procedures, technical specifications, special orders, and equipment limitations. A comprehensive simulator training program is included.

In addition to a review of normal and emergency plant control, the licensee established detailed training for actions and requirements involved in the startup testing program. In some cases, this will involve extensive crew briefings before major test evolutions. A direct interface between the engineering group (startup) and the training group has been established to ensure accuracy and completeness of all startup testing training.

In February 1987, the NRC staff inspected operator retraining necessitated by long-term shutdown (see Inspection Report 50-312/87-06). When the licensee completes training on the final revised procedures, the staff will conduct a final inspection of this training. This issue will be discussed in a supplement to this SER or in an NRC inspection report.

3.4.2 Minimum Staffing Requirements

Rancho Seco technical specifications and other regulatory commitments required seven individuals on shift during power operations: two senior reactor operators, two reactor operators, two nonlicensed operators, and one shift technical advisor. At the time of the December 26th incident, the operating crew was comprised of four senior reactor operators (one of whom was the shift technical advisor), one reactor operator, and six nonlicensed operators.

The current NRC requirement for power operations is two senior reactor operators, two reactor operators, two nonlicensed operators, and one shift technical advisor. The licensee, therefore, meets the NRC's minimum staffing requirements. On this basis, this item is closed as a restart issue.

3.4.3 Incapacitated Operator

During the December 26th event, a senior operator collapsed. At that time, the licensee committed to review the individual's fitness for duty and kept the person from control room duties until the cause of the collapse was known. At
an inspection in the spring of 1986 (see item RV-0-11 of Inspection Report 50-312/86-07), the NRC staff reviewed NRC Form 396, "Certificate of Medical Examination," that the licensee submitted to confirm that the individual was fit to resume control room duties. The information supplied was sufficient to determine that the cause of the collapse was not related to any underlying medical condition that would prohibit the individual from performing control room duties. Based on the above conclusion, this item is closed as a restart issue.

3.4.4 Potential Security/Safety Interface Issues

Two security/safety issues were identified in the IIT report of the December 26th event at Rancho Seco (NUREG-1195). The NRC staff inspected these issues and documented the results in Inspection Report 50-312/87-07. The results of the staff inspection are given below.

Controlled Area Fence

The non-continuous chain-link fence segment located inside the tank farm (a vital area) marked "Caution: Controlled Area Boundary, No Admittance" inhibited the movement of operations personnel. During the December 26th event, one nonlicensed operator had to climb over this nonsecurity fence to expedite his movement. This fence, a nonfunctional remnant of a radiation control barrier, was removed, satisfactorily resolving the issue.

Lost Security Badge

During the December 26th transient, after assisting in isolating the makeup pump, a nonlicensed operator noted he had lost his cardkey security badge. He was escorted to the control room and waited approximately 20 minutes to be issued a visitor badge so that he could operate doors to a vital area. The licensee has since issued nonphoto special "Z" (security) badges to the shift supervisor who is now prepared to immediately issue them, as needed, to authorized personnel. These Z badges allow immediate access to all vital areas in the plant in the event of a lost or damaged cardkey badge. On the basis of its inspection of the licensee's corrective action, the staff considers this issue satisfactorily resolved.

3.5 Plant Normal and Emergency Procedures

3.5.1 Need for Event-Related Procedures

Failures of the ICS or NNI system can initiate plant upsets and at the same time degrade instrumentation and control systems which would potentially be utilized for responding to the events. Operator actions during a plant upset are guided by the plant Emergency Operating Procedures (EOPs) which were developed from vendor-developed abnormal transient operating guidelines (ATOGs). The plant emergency procedures for Rancho Seco are based upon event symptoms and plant condition, rather than being specifically oriented to a particular transient or accident.
This approach is potentially superior since it largely precludes the possibility of operators misdiagnosing the cause of a plant upset and taking inappropriate actions based on this misdiagnosis. However, for these symptom-based procedures to be adequate, they must provide proper response for all credible plant upsets as well as unambiguous guidance to the operating staff.

The staff asked the licensee to demonstrate that the present symptom-based procedures are adequate for responding to ICS or NNI system failures. In its June 2, 1987 response, the licensee documented that current emergency procedures (as modified) are sufficient for dealing with all such events.

The licensee demonstrated that all significant failure modes of the ICS or the NNI system result in one of three possible plant upsets: loss of subcooling margin, excessive primary-to-secondary heat transfer, or inadequate primary-to-secondary heat transfer. The licensee evaluated each of these possible responses and demonstrated that sufficient guidance is provided in one of three procedures: E.03--Loss of Subcooling Margin, E.04--Loss of Heat Transfer, and E.05--Excessive Heat

Transfer. These are supplemented by E.01--Immediate Actions and E.02--Vital System States Verification, which contain normal, post-trip actions.

The licensee also demonstrated that sufficient instrumentation and control is available, independent of the ICS and the NNI system, to allow implementation of these procedures. Emergency feedwater control and turbine bypass are provided by the independent EFIC system. Independent instrumentation is provided by the safety parameter display system (SPDS) if NNI system power would be lost. This system will identify those parameters potentially impacted by NNI system failures and provide adequate backup instrumentation. Main annunciator alarms indicate NNI system or ICS power failures, guiding the operators to utilize the SPDS. Both classroom and simulator training of the Rancho Seco operators emphasize reliance on these alternate systems following ICS or NNI system failures.

A number of procedural changes have been implemented to correct deficiencies identified from the December 26th event. In addition, procedures have been put into place for recovery of ICS or NNI system power failures. Plant modifications have also been made so that, with no operator action other than normal plant trip response, loss of NNI system or ICS power does not cause loss of subcooling margin or serious overcooling or undercooling. The adequacy of modifications to ICS/NNI system and other plant hardware is addressed in Sections 3.1.1 and 3.1.2 of this SER.

Because of the considerations discussed above, the staff concludes that the licensee has properly demonstrated that the current procedures provide adequate technical guidance for responding to ICS/NNI-system-initiated transients without the need for event-specific procedures.

However, the staff is currently assessing the human factors aspects of these procedures.
The staff findings on their adequacy with respect to human factors concerns will be reported in a supplement to this SER.

3.5.2 Adequacy of ATOG Procedures (PTS)

The December 26th event identified the existence of conflicting procedural guidance between the requirements of high pressure injection (HPI) and requirements for preventing the RCS overcooling limits from being exceeded.

The current procedures clearly identify the requirement that full HPI must be maintained whenever there is insufficient subcooling margin. Continued HPI after the recovery of subcooling margin has the potential for overcooling the reactor vessel and entering a pressure and temperature region where pressurized thermal shock (PTS) is of concern. As modified, the emergency procedures contain a PTS limit curve and specific guidance that HPI should be throttled to avoid the PTS-limited region. The licensee has demonstrated that throttling HPI to avoid PTS limits will not jeopardize core cooling, since PTS limits and the subcooling margin curve are mutually exclusive limits with a permissible operating region between them.

Procedure E.05 also clearly identifies that throttling HPI to meet the applicable PTS limits takes precedence over maintaining pressurizer level. The modified procedures also provide guidance for responding to conditions where

thermal shock limits are exceeded, through depressurization actions utilizing pressurizer sprays, pressurizer vents, or the power-operated relief valve (PORV).

For the reasons given above, the staff finds that the current procedures provide adequate technical guidance for responding to PTS concerns during overcooling events. This item is closed as a restart issue.

3.5.3 Adequacy of Health Physics Procedures

Several deficiencies in the execution of procedures contained in the licensee's Radiation Control Manual (RCM) and the emergency plan implementing procedures (EPIPs) were found to exist during the December 26th event. Applicable instructions provided in the RCM and EPIPs were not fully implemented, and in some cases, were found to be deficient. The specific procedures involved were:

- RCM: AP-305-28, "MCP Determination at Site Boundary for Radioactive Releases"
- EPIP: AP-507, "Onsite Radiological Monitoring"
- EPIP: AP-509, "Control Room Dose Calculations"
- EPIP: AP-511, "Technical Support Center Dose Calculations"

The licensee has made interim revisions of procedures AP-509 and AP-511, and has completely reorganized the RCM. Procedures in the RCM were revised as needed during the reorganization process. Several different manuals were established from the reorganization of the RCM. They are:

- Radiation Control
- Radwaste Control Manual
- Environmental Monitoring Manual
- Dosimetry Manual
- Respiratory Protection Manual
- Instrument Manual
- Radiological Event Direction Manual

Lessons learned from the December 26th event were included in the revisions to the EPIPs and the RCM. The revised EPIPs and RCM are now more compatible with one another.

The health physics procedures have been reviewed during six inspections conducted by the NRC staff since the event (Inspection Report Nos. 50-312/86-16, 86-20, 86-27, 86-37, 87-05, and 87-22).
The staff finds that the procedures meet technical specification requirements, have been developed consistent with American National Standards Institute (ANSI) Standard N18.7, and are adequate to support restart. This item is closed as a restart issue.

3.5.4 Adequacy of Annunciation Procedures Manual

During the December 26th event at Rancho Seco, operators did not use the appropriate annunciator response procedures; the licensee agreed to reexamine these procedures.

The licensee has reviewed the 568 annunciator response procedures and determined that the format was difficult to follow and that many steps were out of order. The licensee is rewriting the 272 alarm response procedures that were judged to need rewriting to clarify them, make them more accurate, and account for engineering changes that have been generated by the outage. During this process, the licensee has committed to make these procedures more specific before restart by identifying, in addition to the source of the alarm, how to check alarms locally and what instrumentation to use.

These revised procedures will identify which casualty procedure to select for an alarming condition. The licensee intends to change the format for these procedures to one that incorporates the fault tree with subsequent actions.

The NRC staff has inspected the licensee's efforts to upgrade the annunciation procedures manual (see item RV-0-15 of Inspection Reports 50-312/86-07 and 50-312/87-08).

This item is closed as a restart issue because the licensee has committed to complete upgrading the annunciator response procedures (not including the format change) before restart, and because the procedures rewritten at the time of the inspection (~45% of the total) were found to be adequate.

3.5.5 Methodology for Updating Emergency Operating Procedures

In Inspection Report 50-313/86-07 (see item RV-0-12), the staff specifically addressed the need for establishing a program to ensure that procedure changes are made and training is completed when plant modifications are made. The staff verified that a program existed for the types of changes resulting from the modifications made as a result of the December 26th event.
Furthermore, the staff verified that the licensee's program for accomplishing this has not varied from the program that existed before the December 26th event. Licensee failures in this regard, which may have contributed to either the October 2, 1985 or December 26, 1985 event, appear to be failures to adequately implement the program as it existed. Most notably, during the December 26th event, operators did not recall that the atmospheric dump valves could be operated from the remote shutdown cabinet, a modification that had been made during the last refueling outage. Because the licensee's program for updating EOPs is acceptable, this item is closed as a restart issue.

3.5.6 Adequacy of Emergency Procedures

This issue was inspected by the NRC staff and was documented as item RV-0-4 of Inspection Reports 50-312/86-07 and 50-312/86-08.

The staff addressed the need for evaluating event-related as well as system-related procedures as part of its review of the consistency of the licensee's emergency procedures with the ATOG. The licensee's review determined a need for two additional event-related procedures, one dealing with the loss of ICS and one with the restoration of the reactor system after SFAS initiation.

During this review, the staff examined the consistency between the ATOG and the EOP and also addressed the issue of event-related procedures. This review was limited because the licensee was still adapting its procedures to the latest applicable ATOG. In addition, when comparing the requirements of Regulatory Guide (RG) 1.33 (November 1972), Appendix A, Part F, "Procedures for Combating Emergencies and Other Significant Events," with the station procedures, the staff noted that several procedures required by RG 1.33 were not in the station procedures manual. To meet the requirements of RG 1.33, the following six additional event-related procedures needed to be added:

- loss of integrated control system
- restoration after safety features actuation system
- loss of electrical power (and/or degraded power source) (in particular, loss of 125-V dc or 120-V ac power)
- loss of flux indication
- acts of nature (in particular, tornado and dam failure)
- irradiated fuel damage while refueling

The licensee has committed to complete these six procedures before restart, but had not completed them at the time of the staff inspections. Because the procedures are complex and important, the NRC staff will review the final EOPs before restart. The results of this review will be described in a supplement to this SER or in an NRC inspection report.

3.6 Human Engineering Considerations

In its action plan and in its restart report, the licensee stated that human factors engineering is an integral component of the configuration control and plant modification programs at Rancho Seco.

As such, each proposed modification or change is programmatically reviewed to ensure that it incorporates the human factors philosophy set forth in the Rancho Seco detailed control room design review (DCRDR).

The major benefit of integrating human factors engineering into programs at Rancho Seco is to ensure that a coordinated approach is taken and that the control room design basis not be invalidated.

This section discusses specific items relating to the December 26th event, and their resolution.

During the period from September 29 to October 2, 1986, the NRC staff audited the human engineering considerations associated with control room design. Specifically, during the audit, the staff

(1) evaluated the process defined by the action plan to identify control room modifications
(2) evaluated the modifications for compliance to the DCRDR process
(3) solicited responses to the staff's concerns and comments on the licensee's Summary Report for the DCRDR

Because of the scope and depth of the DCRDR, the results of the staff's evaluation of this consideration were issued in a separate safety evaluation dated August 14, 1987. In that SER, the staff concluded that the Rancho Seco control room meets or will meet the applicable requirements of NUREG-0737.

In addition, the staff evaluated the control room modifications identified in the action plan. With regard to the action plan, the audit team concluded that the control room modifications resulting from the restart action plan incorporate acceptable operational and human factors engineering considerations. The audit team did, however, identify a concern regarding the adequacy of the feedwater control system to meet operational requirements. The audit team requested that the licensee provide the staff with the feedwater control system restart plan, acceptance criteria, and a summary of results. The feedwater control system restart plan and acceptance criteria must be submitted for staff review before the tests.

During the audit, the staff evaluated several specific issues of concern related to human factors principles and the control room. Many of these concerns were identified in the staff's report on the overcooling event. The results from these specific evaluations are presented below.

3.6.1 Simplified Schematics for Switches S1 and S2

At the time of the staff audit, modifications to address this item were completed on the ICS panel, including power supply status indication, breaker position indication, and power supply schematics. The non-nuclear instrumentation (NNI) cabinets only had the power supply schematic installation at the time of the audit.
On the basis of its visual survey of the modifications, the staff concludes that corrective actions implemented or planned are adequate. Therefore, this item is closed as a restart issue.

3.6.2 Valve Position Indication

TBV, ADV, MFW control, and startup feedwater (FW) valve position indication provide the operator with positive indication (OPEN/MIDTRAVEL/CLOSE). TBV, MFW control, and MFW startup valves each will have a pair of indicating lights on control room panel H1RI. ADV position indication is grouped per steam line on H1RI. AFW control valve position is an analogue (0%-100%) indication located with the EFIC controls.

During its audit, the staff evaluated proposed modifications for the valve position indications. The proposed modifications were implemented on the control board mockup. On the basis of its evaluation of the proposed modification, the staff concludes that the valve position indication concerns will be resolved by the planned modifications. Therefore, this item is closed as a restart issue.

3.6.3 Control Room HVAC Noise

During the audit, the licensee provided the audit team with the "Control Room Technical Support Center Essential HVAC System Status Report," Revision 1, dated August 7, 1986. On the basis of its review of this report, the staff concludes that the licensee has established a program of identification, modification, and testing to resolve the noise concerns. Therefore, this item is closed as a restart issue.

3.6.4 Loss of ICS/NNI System Power Alarms

Alarm for Integrated Control System Failure

During the December 26th event, the "ICS and Fan Power Failure" alarm alerted operators to ICS power failure. However, it appears that its importance was obscured because that alarm also serves as a trouble alarm for fan failure or for loss of one of the redundant ICS dc power supplies. Neither of the trouble alarms requires immediate operator actions or initiates a transient.

During the staff's audit, it learned that this problem has been resolved by separating the ICS failure alarm from the fan power failure annunciator tile. The ICS part of the alarm is now a single input annunciator tile, which indicates ICS trouble. The fan power failure part of the tile has been moved into the computer alarm system. Evaluation of the modified "ICS TROUBLE" tile in the control room revealed that what was formerly a human engineering discrepancy no longer presents a problem.

Main Feedwater Flow Meters and Recorders

Most of the indicators in the control room (both meters and recorders) are part of the NNI system; hence they are generally independent of the ICS.

However, there are exceptions that had not been recognized before the December 26th incident.

For example, the main feedwater flow recorders are affected by the ICS power supplies. During the December 26th incident, the recorder failed to a value near mid-scale when the main feedwater flow was actually zero. The general problem of mid-scale failure of instrumentation on loss of power was identified during the detailed control room design review. The staff's contractor prepared an assessment of the feedwater instrumentation and described how the licensee will correct the problem by replacing the meters with light emitting diode (LED) displays during the next fuel outage (cycle 8).

The licensee described an interim measure for mid-scale failure on loss of power. The interim measure consists of labels for all ICS and NNI system indications in the control room. Furthermore, emergency operating procedures and training instruct the operators to use alternate indication in the event of loss of ICS or NNI system power.

In a phone conference with the licensee's personnel on December 16, 1986, the staff obtained additional data. The staff learned that the meters and recorders associated with the ICS are identified with a purple label located under the meter. In addition, the staff noted that the ATOG-type display formats within the safety parameter display system contain data on steam generator water level. The steam generator water level is closely related to the feedwater flow.

On the basis of this information, the staff concludes that the interim measures taken by the licensee to solve the problem of mid-scale failure on loss of power are adequate. Therefore, this item is closed as a restart issue.

3.6.5 Control Room Modifications

The following modifications have been or are being made to the control room by the licensee:

- EFIC controls and indication are being installed.
- TBV controllers and selector switches independent of ICS have been added in the control room.
- Annunciator changes include:
  - ICS and NNI trouble and failure alarms
  - electromagnetic operating valve (EMOV) actuation alarms
  - interim data acquisition display system (IDADS) trouble alarm
- ICS and NNI system labels have been added for all indicators and recorders which receive signal or power from the ICS or the NNI system.
- Valve position indication for ADVs, TBVs, MFW, and startup FW valves are being added (see Section 3.6.2).
- OTSG A and B labels and color padding for OTSG isolation switches have been added.
- A recorder has been added that will trend parameters usually used to take the plant from hot shutdown to cold shutdown. All trended parameters are independent of ICS/NNI system signals and power.
- The five recorders driven by the Bailey or Modcomp computers have been replaced with a single programmable recorder having 30 pens and 6 colors.
- The auxiliary steam reducing station has been modified to make the setpoint independent of ICS power.
- A heatup/cooldown rate monitor has been added to H1SS.
- The safety parameter display system (SPDS) controls will be replaced with improved control panels by restart.
- The nuclear service loading buses have been removed from the safety features panel.
- Controls for motor operators on MFW isolation valves will be installed by restart.
- The SPDS is being upgraded to meet RG 1.97 Category 1 requirements and NUREG-0696 requirements for radiation monitoring, and to be independent from the NNI system for hot shutdown parameters.

- The HPI flow indication has been made independent of the NNI system.
- Control for motor operators on ADV and TBV isolation valves will be installed.

The staff's review of the licensee's summary description of these items finds it consistent with the results of the staff's audit. Many of the modifications are not implemented at this time, but the licensee has committed to complete them before restart. Based on the staff review discussed above and the licensee's commitment, this item is closed as a restart issue.

3.7 System Review and Test Program

Before the December 26th transient, a number of criteria (performance level monitoring, plant performance statistics, systematic assessments of licensee performance, and INPO performance indicators) had indicated that Rancho Seco was below the industry norm for similar plants. This, plus a 1984 evaluation by a consultant, moved the licensee's Board of Directors to take action to improve the performance level at Rancho Seco.

Before these actions were implemented, a number of undesirable operating experiences, culminating in the event of December 26th, demonstrated the importance of the program. On the basis of the review of the December 26th event by the NRC and the utility, the licensee has developed the "Rancho Seco Action Plan for Performance Improvement" (a modified, expanded, and accelerated version of the previous action plan).

As part of the action plan, the licensee developed a system review and test program (SRTP) whose objective is to demonstrate, before plant restart, that systems important to safety are capable of performing their required function. The SRTP has been developed to provide a comprehensive review and functional demonstration of the systems selected for inclusion in the program. The SRTP was also used to evaluate and resolve problems identified by the Plant Performance and Management Improvement Program (PP&MIP).

The staff performed its review in two parts.
The first was to evaluate the SRTP plan and its subsequent implementation. The second was to perform an augmented SRTP inspection by evaluating in detail eight selected systems. These two reviews are discussed in detail in Sections 3.7.1 and 3.7.2, respectively.

3.7.1 Evaluation of SRTP

3.7.1.1 SRTP Overview

The fundamental objective of the SRTP, as identified in the Rancho Seco action plan, is to ensure that systems important to safety are ready to perform their intended functions. This will be accomplished by meeting the following SRTP specific objectives.

- Evaluate all system problems identified by the Plant Performance and Management Improvement Program (PP&MIP).

- Develop an integrated program of corrective actions for implementation which will address system problems.
- Identify those systems that require special consideration under the SRTP.
- Identify system functions important to the safe operation of the plant.
- Develop and implement a testing program that will demonstrate how well those functions important to safe plant operation work.

All systems at Rancho Seco were reviewed under the SRTP and divided into two categories. The first category, "selected systems," includes 33 systems that are important to safe operation. The second category, "additional systems," includes the 44 remaining major systems at the plant. Both categories of systems are being reviewed under the SRTP; the review is concentrated on the selected systems.

The licensee has stated that it will be up to the systems engineer (modeled after the INPO Good Practice OP-209) and three organizations (the Recommendation Review and Resolution Board (RRRB), the Performance Analysis Group (PAG), and the Test Review Group (TRG)) to achieve these program objectives.

Systems Engineer

The systems engineer is responsible for the following:

- receiving system-related recommendations from the RRRB and developing an integrated system solution for presentation to the PAG
- determining system functions
- ensuring adequacy of system testing
- performing system walkdowns
- coordinating and dispositioning system deficiencies
- preparing test results summary and statement of operability
- preparing and presenting system status reports (SSRs) or system investigation reports (SIRs) to the PAG

Recommendation Review and Resolution Board

The RRRB is responsible for the following:

- screening recommendations from the PP&MIP for clarity and duplication
- evaluating issues and recommendations
- recommending disposition and priorities for the recommendations based on their technical merits


- ensuring system-related recommendations are sent to the Systems Engineer

Performance Analysis Group

The PAG is responsible for the review and approval of the following:

- system-related modifications
- maintenance and testing recommendations developed by the SRTP
- the integrated program for resolution of system issues
- system functional criteria
- the system restart testing program
- the system operational readiness determination

In addition, the PAG may designate additional systems for review (upgrading).

Test Review Group

The TRG responsibilities include the following:

- review of the test identification section of the SSR to confirm that proposed testing will demonstrate all system functional requirements important to safe plant operation
- review of all test outlines to ensure that the scope and methodology demonstrate the system functions
- review of related special test procedures and new or revised surveillance

  procedures, and recommend disposition to the Plant Review Committee
- review of all restart related test results

The TRG will review all items in formal session and document its activities using meeting minutes and document review forms.

Each major system at Rancho Seco is being investigated as either a "selected" system or an "additional" system.

For both systems, functional criteria are developed in combination with problem statements. All the systems in the selected system category as well as several specific additional systems will be tested before restart. The results will be documented in the SSR for selected systems and in the SIRs for additional systems.

The criteria utilized to identify the "selected systems" by the SRTP Director, which were then recommended to the PAG for treatment as selected systems, are as follows:

(1) The system has a history of significant or recurring problems.
(2) The system was related or contributed to the December 26th event.
(3) The system is being significantly modified.
(4) The system has significant potential for initiating or adversely affecting transients.

The criteria for selecting the "additional systems" are as follows:

(1) The PP&MIP input phase has produced a recommendation for the system.
(2) An open work request existed against the system as of July 1, 1986.

The SSR for selected systems was developed in three stages; each stage was (or would be) documented in separate revisions (Revisions 0, 1, and 2). The purpose of the Revision 0 report was to initiate plant design and modification work. The contents of the Revision 0 report are an executive summary, a basic functional description of the system, and a listing of problem statements developed from the PP&MIP process and from the results of a review of open work requests. The Revision 0 report was reviewed and approved by the PAG and the Deputy General Manager, Nuclear. Upon approval, it was used by the systems engineer to initiate design activities, maintenance activities, and plant modifications.

The Revision 1 SSR is utilized to identify the testing necessary for each selected system. It provides a more detailed description of system functions, additional problem statements from a review of open engineering change notices, open nonconformance reports, outstanding abnormal tags, and the identification of testing required to demonstrate functions important to safe plant operation to be conducted before restart. The Revision 1 report was reviewed and approved by the TRG, PAG, and Deputy General Manager, Nuclear. Upon approval, preparation and implementation of test outlines and test procedures were initiated.

A Revision 2 SSR will be prepared for each selected system on completion of system testing and will be utilized for final system acceptance. This report will contain everything from the Revision 0 and Revision 1 reports plus additional problem statements documenting the results of system walkdowns, review of maintenance history trend investigations, and a review of the Davis-Besse SRTP results given in NUREG-1177, "Safety Evaluation Report Related to the Restart of Davis-Besse Nuclear Power Station, Unit 1, Following the Event of June 9, 1985," dated June 1986. Revision 2 will also contain a summary of results of tests performed to date and an operability statement by the systems engineer. This report will be reviewed and approved by the TRG, PAG, and Deputy General Manager, Nuclear before restart.

SIRs were also developed for all additional systems. These reports were utilized for final system acceptance and for consideration for upgrading additional systems to selected system status. The staff did not review these reports.

3.7.1.2 SRTP Evaluation

The staff review of the Rancho Seco SRTP includes six tasks. These are:

(1) Evaluate the proposed SRTP to determine the degree to which it can achieve stated program objectives.

(2) Assess whether the list of systems important to safe plant operation is sufficiently complete to provide reasonable assurance of safe plant operation. This would include evaluation of specific justifications for excluding any safety-related systems.
(3) Review the lists of system functions important to safe plant operation to determine whether they are complete with respect to specific system functions as well as plantwide system safety.
(4) Review selected test outlines to ensure that they encompass all system functions required for safe plant operation and that the systems are tested under anticipated operating conditions. This would include review of proposed justifications for not testing any system function deemed important to safe plant operation or not testing systems at anticipated system operating conditions.
(5) Review, witness, and evaluate the results of selected system tests.
(6) Verify that the licensee has developed additional test procedures, performed these procedures, and evaluated the results of these test procedures.

The staff review of tasks 1 through 3, above, is discussed below. Tasks 4 through 6, above, are covered in Section 3.7.3, below.

Systems Within the SRTP Scope

The following systems are included within the scope of the SRTP:
- reactor coolant
- decay heat removal
- seal injection and makeup (including high pressure injection)
- purification and letdown
- nuclear service cooling water
- nuclear service raw water
- steam generator
- main steam
- main feedwater
- auxiliary feedwater
- reactor protection (including the anticipatory reactor trip system)
- safety features actuation
- emergency feedwater initiation and control
- integrated control
- non-nuclear instrumentation
- 125-V dc vital power
- 125-V dc non-vital power
- 120-V ac vital power
- 480-V ac
- 4160-V ac
- 6900-V ac
- radiation monitoring
- control room/TSC essential HVAC system
- component cooling water

- plant air and instrument air
- auxiliary steam
- fire protection
- nuclear services electrical building essential HVAC
- reactor sampling
- emergency diesel generator

The licensee considers these systems important to safe plant operation. The list includes nearly all the systems considered to be safety related. It should be noted that the SRTP goes beyond the listed systems to include the evaluation of other plant systems, including other supporting systems, to ensure that systems important to safe plant operation can function as required.

The licensee has provided justification for safety-related systems not included as selected systems in the SRTP. Safety-related systems for the purpose of this review are those included in the plant technical specifications (TS) and those relied upon for the mitigation or prevention of design-basis accidents. Those systems and/or components falling within this definition but not included as selected systems addressed in the SRTP are as follows:
- hydrogen purge system
- hydrogen analyzer
- boric acid pumps
- plant vent charcoal bed
- reactor building polar crane and auxiliary hoist
- snubbers
- fire detection system
- fire suppression system
- radioactive liquid waste system
- new and spent fuel storage facilities
- core flood tanks
- reactor building emergency cooling system
- reactor building spray system
- condensate storage tank system
- pressure boundary isolation valves
- control rod drive system
- containment isolation valves
- diesel fuel oil system
- auxiliary building and spent fuel building filter system
- radioactive waste effluent monitoring system
- radiological environmental monitoring system
- radioactive waste sampling and analysis system
- nuclear service electrical building emergency HVAC system
- nuclear instrumentation system
- plant computer system

The staff sent a request for additional information (RAI) to the licensee on November 6, 1986 concerning those systems and/or components not part of the SRTP.
The licensee responded to the RAI on December 5, 1986. The staff finds the licensee's response to that RAI acceptable.

The licensee's response addressed the following issues:
- upgrading a system to selected status
- specifying additional system testing in some areas
- providing clarification of system boundaries
- offering proper justification for not including a system in the selected category

In addition, the licensee has upgraded the following systems from additional to selected status with some qualifications:
- fire detection
- fire suppression
- radioactive liquid waste
- radioactive waste effluent monitoring
- radiological environmental monitoring
- radioactive waste sampling and analysis
- nuclear service electrical building emergency (HVAC)

The licensee has stated that the fire detection and fire suppression systems are included in the fire protection system. The fire protection system, excluding the CO2 system, has been upgraded to selected system status. The licensee specifies that the CO2 system will be covered as an additional system as described in the SRTP. The licensee has committed to test the CO2 system to demonstrate its functional aspects and to satisfy TS requirements during this outage.

The equipment's functional requirements referenced in the TS for radioactive liquid waste, radioactive waste effluent monitoring, radiological environmental monitoring, and radioactive waste sampling and analysis systems relate to the operability of radiation monitoring equipment. The functional requirements of the radiation monitoring equipment are covered by the radiation monitoring system which has been upgraded to selected status. There are also operational restrictions, placed by the TS, on these systems (i.e., maximum inventories, types and frequencies of samples) that are beyond the scope of the SRTP. The staff finds this response acceptable.

The nuclear service electric building emergency HVAC system has been upgraded to selected system status with no qualifications. This is acceptable.

The licensee has specified some testing to be performed before restart, and administered through additional system status, as justification for exclusion from selected system status for the following systems:
- core flood system
- reactor building emergency cooling system
- reactor building spray system
- control rod drive system
- auxiliary building and spent fuel building filter system

The licensee maintains that the core flood system is a passive system requiring a minimum of testing to demonstrate proper operation. It has been reviewed as an additional system for the SRTP. Routine testing includes periodic calibration of core flood tank pressure and level instrumentation and a functional check of the discharge check valves. The licensee is developing a new procedure for a full stroke test of the discharge check valves to be conducted when the vessel head is removed. Along with an operational valve lineup, the staff expects this testing will demonstrate the functional aspects of the core flood system.

The core flood system is a passive system requiring no operator action or control signal to actuate. Check valve movement will be demonstrated during this outage by a partial stroke functional check. The other requirements of this system are operational in nature, i.e., tank level and pressure, and, therefore, not within the scope of the SRTP. The utility has committed to perform a discharge check valve full-stroke test during the next outage when the vessel head is removed. On this basis, exclusion from selected system status is considered to be acceptable.

The licensee has stated that the reactor building's emergency cooling system is being reviewed as a part of the balance of plant heating, ventilation, and air conditioning which is an additional system. Before restart, the licensee will test this system by
- verifying proper initiation from both manual and automatic SFAS actuation
- verifying proper control room panel indication
- determining the system operating flow rates for each cooler
- analyzing charcoal samples offsite for adsorption efficiency
- determining proper cooling water flows by nuclear services cooling water system testing
- demonstrating adequacy of the heat removal capability by testing or analysis.

The above testing is considered adequate justification for exclusion from selected status and is acceptable.

The licensee has specified that the reactor building spray system is under review as an additional system in the SRTP.
Since it plays an active role in accident mitigation, the systems testing has been reviewed to ensure all system safety functions are appropriately demonstrated. The utility has committed to perform the following testing during this outage:
- manual and automatic SFAS initiation with pump recirculation to the borated water storage tank (BWST)
- verification of pump performance
- spray flow instrument calibration

- discharge isolation valve stroke testing, timing, and verification to open automatically on an SFAS signal.

Demonstration of a flow path through the spray headers and nozzles was satisfactorily performed in 1985. The periodicity of this requirement is 10 years.

Based on the completion of the testing described above, exclusion from selected system status is acceptable.

The licensee has specified that the control rod drive system is being reviewed as an additional system in the SRTP. Its only function for accident mitigation is to respond to a reactor trip signal. Before restart, rod insertion time testing and rod position indication checks, along with response to reactor trip signals, will be performed and verified. This is acceptable justification for exclusion from selected system status.

The licensee has stated that the auxiliary building and spent fuel building filter system is being reviewed as an additional system as a part of the balance of plant HVAC system. Testing that will be performed before restart includes
- demonstration of system operation by manual initiation
- determination of system flow rate and distribution
- charcoal bed and high efficiency particulate air (HEPA) filters differential pressure testing, filter efficiency, and adsorbency testing

Acceptable completion of the above testing to demonstrate this system's safety functions is acceptable and sufficient justification for exclusion from selected system status.

By system boundary clarification, the utility has resolved the concerns for the following systems and/or components:
- dilution valve interlock
- condensate storage tank system
- pressure boundary isolation valves
- diesel fuel oil system

The licensee has stated that the dilution valve and its interlocks are considered as part of the purification and letdown system which is reviewed as a selected system in the SRTP.
The function of the interlock to terminate a moderator dilution accident as referenced in Chapter 14 of the "Rancho Seco Nuclear Generating Station Updated Safety Analysis Report" (USAR) will be tested as a part of this system.

The licensee has stated that the condensate storage tank system is included in the auxiliary feedwater system review, which is a selected system. This is acceptable.

The licensee has stated that the pressure boundary isolation valves referenced in the TS are included in the decay heat removal and reactor coolant system selected systems. This is acceptable.

The licensee has specified that the diesel fuel oil supply to the emergency diesel generators (EDGs) is included in the system status report for that system. Since the EDG is covered as a selected system, this is an acceptable response.

The licensee has provided sufficient justification for excluding the following systems and/or components from selected system status:
- hydrogen purge system and the hydrogen purge analyzer
- boric acid pumps
- reactor building polar crane and auxiliary hoist
- snubbers
- new and spent fuel storage facilities
- containment isolation valves
- nuclear instrumentation system
- plant computer system

The licensee has specified that the hydrogen purge system and the hydrogen purge analyzer system are included in the system investigation report (SIR) for the waste gas system. These systems are periodically functionally tested by
- verifying the performance of the hydrogen purge blowers
- verifying the performance of the flow control valves
- verifying the flow path
- stroking all automatic system valves quarterly
- calibrating the hydrogen analyzer every 18 months

On the basis of the above testing and coverage by the SIR, exclusion of the hydrogen purge system and the hydrogen purge analyzer from selected system status is acceptable.

The licensee has specified that the boric acid addition pumps are included in the SIR for the borated water system which is designated as an additional system. The boric acid addition pumps are tested quarterly; they are also proven functional during normal operations. This is an adequate basis for exclusion from selected system status. The staff finds this acceptable.

The licensee's position on the reactor building polar crane and auxiliary hoist is that no further testing is necessary for the following reasons:
- The TS restrictions are of an operational nature.
- There are no functional requirements important to safe plant operation.
- Their operation, inspection, and load testing have been reviewed in accordance with NUREG-0612.

The staff finds that this is acceptable justification for no further testing under the SRTP.

The licensee proposed that the snubbers are routinely tested in accordance with Amendment 77 to the TS. This amendment established a comprehensive testing program consistent with standardized TS requirements. In addition to the extensive testing performed, the utility states that during the 1985 outage 23% of the safety-related hydraulic snubbers were rebuilt and during this outage 83% have been rebuilt. On the basis of the utility's proposal and the passive nature of this system, exclusion from further testing under the SRTP is acceptable.

The licensee has stated that the new and spent fuel storage facilities serve no active role in any analyzed accident. No functional testing will be performed, as no functional requirements are implied by the TS. This is acceptable justification for no further testing under the SRTP.

The licensee has specified that many containment isolation valves are an integral part of selected systems and will be tested in accordance with their SSR. Additionally, the licensee provided a list of additional valves which are not a part of a selected system. The licensee has committed to testing these valves before restart, for the following functions:
- proper SFAS actuation (where applicable)
- control room indication
- stroke time
- local leak rate

Pending completion of the above testing, the staff finds that this response is adequate justification for exclusion from selected system status for those valves listed in the December 5, 1986 response.

The licensee has specified that the nuclear instrumentation system is being reviewed as an additional system in the SRTP. This system performs the function of monitoring reactor power level and providing this input to the reactor protection system. The licensee maintains that this function is adequately demonstrated by routine calibration required by TS. All required calibrations will be current before restart; therefore, this is an acceptable justification for exclusion from selected system status.

The plant computer system is under review as an additional system in the SRTP. The licensee has specified that this system does not perform any function with respect to accident mitigation. Also, testing and normal operation adequately demonstrate its function of support to core power distribution monitoring.
This is adequate justification for exclusion from selected system status.

On the basis of this review, the staff concludes that the 33 systems selected for review under the SRTP and the testing committed to by the licensee provides assurance that the SRTP will meet its stated objectives.

Revision 1 to the System Status Reports

The review of the SSRs was performed at the Rancho Seco site by NRC contractor (EG&G, INEL) personnel. This review was designed to ensure that
- The system functions important to plant safety as specified in the USAR Chapter 14 (Amendment 4) and the TS (Rev. 73) were covered.
- Testing had been specified for each system function.

- Safety-related problem statements were given a priority commensurate with their importance.
- Significant typographical errors were corrected and omissions were identified and were resolved with the respective engineers.

Questions that arose from the reviews were resolved through meetings with the SRTP management representative and system engineers.

The review of SSRs listed in Section 3.7.1.2(1) found the proposed list of system functions to be complete and accurate with respect to both specific system functions and plantwide system safety functions. In addition, the proposed testing, as described in Section 4 of the SSRs, was reviewed and appeared to adequately encompass all system functions required for safe plant operation.

Subsequent reviews of the Revision 1 SSRs revealed that certain systems engineers had been making changes in previously reviewed SSRs. These changes had been made but had not been evaluated by the original review groups or the NRC contract personnel. The staff told the licensee that this was unacceptable. Through NRC and NRC contractor discussions with the SRTP Director, a program has been proposed to alleviate this situation. The program is pending formal approval and implementation by the licensee. The staff finds the licensee's program acceptable pending this approval and implementation.

3.7.1.3 SRTP Review Conclusions

On the basis of its review described above, the NRC staff concludes that the Rancho Seco SRTP constitutes a potentially acceptable program which will demonstrate and document that the Rancho Seco systems important to safety are capable of performing their required functions. However, to be successful, the SRTP program must be properly implemented and the associated testing must be satisfactorily conducted. These aspects of the program are discussed in Sections 3.7.2 and 3.7.3 of this SER.

3.7.2 Augmented System Review and Test Program Inspection

3.7.2.1 ASRTP Overview

The augmented system review and test program (ASRTP) inspection was conducted by the NRC staff and its consultants to complement the programmatic evaluation of the SRTP described in Section 3.7.1. The objectives of the inspection were to evaluate the effectiveness of (1) the SRTP process and results and (2) the licensee's established programs for ensuring safety during plant operations after restart.

The ASRTP inspection was performed by the NRC staff and its consultants between December 1, 1986 and February 12, 1987. The reviewers worked in the licensee's office reviewing documents and spent five weeks at the site. The review is described in Inspection Report 50-312/86-41.

To accomplish the first objective, the inspection team reviewed the Rancho Seco SRTP which was developed to upgrade 33 important plant systems by identifying problems, correcting the identified deficiencies, and testing the systems to verify proper operation. The team reviewed the problem identification and resolution phases of the SRTP as documented in Revision 1 of the selected system status reports, but the testing program could not be reviewed as it was not adequately developed at the time of the inspection. The following eight systems were selected from the 33 SRTP systems for detailed review by the inspection team:
- auxiliary feedwater
- main feedwater
- instrument air
- emergency feedwater initiation and control (EFIC)
- 4160-V ac
- 480-V ac
- 120-V ac
- 125-V dc

To accomplish the second objective, the inspection team reviewed the programs as implemented for the eight selected systems for the following functional areas:
- systems design change control
- maintenance
- operations and training
- surveillance and inservice testing
- quality assurance
- engineering programs
- restart management

The specific findings in each area were presented as observations that the inspectors believed to be of sufficient importance to be considered in a subsequent evaluation of the licensee's performance. These observations, referred to as unresolved items, will be followed up in future NRC inspections, including another inspection by the ASRTP team before restart.

3.7.2.2 ASRTP Inspection Findings

The more significant findings pertaining to the adequacy of the system review and test program (SRTP) and the effectiveness of programs to ensure continued safe operations after restart are summarized below. Although some strengths were identified in each of the areas inspected, the following summary focuses on the significant weaknesses identified during the inspection.

System Review and Test Program Concerns

Although the SRTP problem identification process appeared generally effective, the inspection team identified instances in which the licensee's investigation into the identified problems lacked sufficient engineering and operational depth. The following are examples of technical concerns with the AFW system identified by the team that had not been detected by the licensee's problem review process.
(1) Past testing of the AFW pumps has not demonstrated that the pumps are capable of providing the flow required by the Rancho Seco technical specifications.

(2) The condensate storage tank (CST) pressure relief valves appeared to have been set above the design pressure of the tank and were not receiving the required inservice testing, and the CST vacuum breakers appeared to be incorrectly sized.
(3) The turbine overspeed trip setting for the dual-drive AFW pump appeared to be set above the maximum speed rating for the electric motor connected to the common shaft.
(4) The SRTP evaluation of pump damage due to the runout condition experienced during the December 26th event did not consider potential pump degradation. Additionally, the proposed AFW system design for restart, with the emergency feedwater initiation and control (EFIC) system modifications, was still susceptible to pump runout under certain situations. At the exit meeting, the licensee committed to install flow-limiting devices in the AFW system to prevent pump runout.

At the time of the inspection, the SRTP priority system and restart plan did not identify all problems that were to be corrected before restart. The team identified several problems that affected safe plant operation and were not currently scheduled for completion before restart. At the exit meeting, the licensee committed to correct the identified problems affecting safety and provide the NRC with a list of all problems that would be corrected before restart.

Selected system status reports (SSRs) did not appear to be properly controlled considering their importance as a basis for the NRC development of this SER.

System Design Change and Engineering Concerns

The following deficiencies were identified with modifications being accomplished during this outage and not reviewed by the SRTP:

(1) After installation of the larger BA and BB batteries, certain circuit breakers on 125-V dc buses SOA and SOB will apparently be too small to reliably perform their function.
(2) Inadequate implementation of design requirements resulted in the interim data acquisition and display system (IDADS) computer inputs being incorrect for the 125-V dc bus failure and the AFW pump runout alarms.
(3) Modifications to the instrument air system appeared to provide incomplete analyses for environmental qualification, specify incorrect components to accomplish the intended design function, and incorrectly display installation of components on the fabrication drawings.

Examples of deficiencies were noted in the design calculations reviewed by the team, including the use of incorrect methods, assumptions, design inputs, and acceptance criteria. Additionally, in some instances, calculations did not exist to support the design analyses.

Significant deficiencies were noted in the control of system drawings used for plant operations and design engineering projects.

Programmatic Concerns

The surveillance and inservice testing program was found to have deficient procedures, improper procedure implementation, and inadequate evaluation of test results.

Deficiencies were identified with the implementation of administrative procedures for the control of plant systems and equipment status tracking.

The Rancho Seco quality assurance (QA) program had previously been identified as a major problem area. Improvements had been initiated in the QA program, but the team identified significant deficiencies in this area because the improvements were not implemented at the time of the inspection. These improvements were delayed as a result of QA involvement with the SRTP process and, consequently, the QA program was not ready to support an operating plant.

Licensee corrective action programs had not been managed effectively in the past and, at the time of this inspection, adequate management attention was still not being applied to this area.

3.7.2.3 Licensee Response to ASRTP Findings

In response to the ASRTP inspection findings, the licensee stated in its Restart Report that it has instituted a number of programmatic enhancements and addressed functionality/operability concerns. As with other potential inputs to the restart scope, the licensee processed all identified ASRTP inspection items in accordance with the Plant Performance and Management Improvement Program (PP&MIP) mechanism. On the basis of the results of the PP&MIP validation and approval, the licensee provided, in a May 15, 1987 submittal, a listing of items for which it intends to provide resolutions before restart. The PP&MIP mechanism determined that several of the ASRTP inspection team concerns constituted short- and long-term programmatic enhancements which could be completed on a deliberate schedule following restart without compromising nuclear safety. The licensee committed to address, in time, all ASRTP items.

Response to AFW Functionality Concerns

The ASRTP inspection team identified four technical/functionality concerns with the auxiliary feedwater system (see Section 3.7.2.2). In response to these concerns, the licensee accelerated several planned activities. The planned installation of modifications to the AFW full-flow test line was accelerated to be completed before restart. Planned revision of the AFW pump surveillance test procedure was completed. Flow-limiting orifices will be installed in the AFW lines to ensure that the AFW flow does not exceed the maximum allowable flow rate of 1800 gpm into a once-through steam generator (OTSG). The flow-limiting orifices restrict flow to 1300 gpm. Installation of the flow-limiting orifices constitutes an accelerated resolution of a licensee-identified discrepancy between the maximum possible AFW flow rate and the B&W-specified maximum allowable into the OTSGs. Documentation of the adequacy of the CST overpressure and vacuum protection, which would have occurred as part of the AFW system design bases reconstruction, was accelerated to be furnished before restart. The discrepancy between the turbine overspeed trip setting for AFW pump P-318 and the documented maximum speed rating for the P-318 motor, identified by the ASRTP inspection team, is being resolved with the manufacturer, Hitachi, before restart.

AFW pump runout is not completely precluded with the installation of EFIC and the flow-limiting venturis. However, the licensee believes that the probability is sufficiently low that pump runout protection is not required. The licensee noted that in an SER supplement transmitted by NRC letter dated February 15, 1985, the NRC previously accepted the licensee's position on AFW pump runout in response to IE Bulletin 80-04.

Response to Other ASRTP Concerns

The licensee has stated that it intends to submit a complete, formal reply to the significant ASRTP inspection findings before the ASRTP inspection team's return to resolve its identified concerns. The most significant action taken upon examination of the ASRTP inspection team's observations has been the establishment of an Engineering Action Plan (Revision 0 was transmitted to the NRC on April 17, 1987). The Engineering Action Plan addresses improvements in
- the design change process for future work
- the design review of work performed during the current outage
- the baseline Rancho Seco design (system design bases)

Design assurance engineers within the engineering disciplines have been established to (1) review and concur with package closure for Engineering Change Notices (short term) and (2) assist with the detection, evaluation, and resolution of programmatic and procedural weaknesses (long term). An independent calculation review team has evaluated a broad cross-section of restart packages, placing emphasis on unique or complex calculations for safety-related applications. Their identified concerns, very similar to those of the ASRTP inspection team, relate to completeness and attention to detail, but no findings were identified that would affect the safe and proper operation of the plant.
A' good practices guideline is being prepared to improve the consistency of quality in engineering. calculations. Formal training'will be provided. The licensee stated that a cornerstone of the Engineering Action Plan is the thorough and deliberate reconstruction cf system design bases. -This is an extension of the reconstruction effort originally envisioned in the '.' Rancho Seco Action Plan," Revision 1, Section 1.4.2.. At that time,.the action plan recognized the need for " systems critical to secondary side' heat removal" to " undergo a long term and more extensive system review than that (provided by the SRTP)." The Engineering Action Plan calls for "the development of system design-basis documents for all important safety systems which will recapture key design criteria and, in the process, provide an in-depth review of system design" Following the augmented system review and test program (ASRTP) inspection, the licensee defined the programs being employed.to assess system. operational readiness in a July 1987 submittal...These programs, taken'as a whole, include and tie together a number.of special verification and assurance efforts. _The= individual programs will provide' input to the licensee's assessment of plantt operational readiness. The following programs'were developed to constitute'an overall plant sampling, review, and. verification of sufficient breadth and depth to permit an. informed management assessment of system and program conditions: 1 Rancho Seco Restart SER .3-105-

- expanded ASRTP program
- SRTP system status reports
- B&W SRTP review
- Engineering Action Plan
- surveillance procedure technical review
- preventive maintenance program verification
- operator readiness program
- technical specification compliance/verification program
- quality vertical audit
- response to NRC ASRTP findings

The multifaceted nature of these programs produces independent and redundant reviews of the many plant areas required for system operability. The integrated nature of these programs produces the thorough and comprehensive examination from which confidence in plant readiness can be built.

These programs encompass existing plans for the licensee's system engineers assigned to the system review and test program to assess system operational readiness as part of Revision 2 of the system status reports. They include and focus on the followup of the ASRTP inspection. They provide assurance that engineering work done during this outage is adequate. The expanded ASRTP program provides a common and unifying evaluation of the activities under way in support of restart. It evaluates the overall effectiveness of programs established to ensure safety after plant restart.

For each of these program input areas to the licensee's assessment of plant operational readiness, a summary report will be prepared. This report will detail the activity's purpose, scope, and methods. It will summarize the significant findings and the corrective actions taken and under way. It will provide a readiness assessment recommendation on the areas reviewed. Corrective actions will be performed in accordance with the Plant Performance and Management Improvement Program which remains the licensee's basis to delineate a phased approach to performance improvement and restart of Rancho Seco.

Also as a result of the ASRTP inspection effort, the licensee issued a procedure for controlling system status reports. System drawing control was verified by a special audit and new procedures, previously in preparation, were issued. Operations management has reemphasized the absolute necessity of exact procedural compliance and control of plant systems and equipment status tracking. Efforts, begun before the inspection, on updating the surveillance and inservice testing program, upgrading the QA program, and refocusing management attention on corrective action programs, have continued.

The system engineer-based organization, modeled after INPO Good Practice OP-209, is expected to continue to identify and resolve system deficiencies. Ongoing corrective action mechanisms such as nonconformance reports (NCRs), occurrence description reports (ODRs), and engineering action requests (EARs) encourage all plant personnel to identify potential system deficiencies and ensure adequate resolution by the responsible system engineers. The PP&MIP has brought about needed refocusing and rededication of the plant organization toward deliberate and thorough corrective actions. The second phase of SRTP, the test portion, is an important validation of the effectiveness of the restart activities. Many of the programs developed during this outage, including ongoing system review and investigation, will require real plant operating experience in order to iterate toward optimum performance.

The NRC staff will conduct additional inspection(s) of the licensee's response to the ASRTP findings before restart, and will discuss the results in a supplement to this SER or in an NRC inspection report.

3.7.3 Review of Test Procedures and System Testing

The licensee's test procedures and system testing are being and will be inspected by the NRC staff before restart. However, the licensee has not yet completed a significant portion of the system tests. Therefore, a meaningful evaluation of system testing cannot be performed at this time. The results of future staff inspections of this item will be provided in a supplement to this SER or in an NRC inspection report.

3.8 Licensee Management and Organizational Considerations

3.8.1 Management and Organization Background

Rancho Seco was started up and entered commercial operation with a staffing level and organizational structure that was typical of other similar nuclear plants at single-unit sites during the early 1970s. The plant organization was staffed for normal operations and was augmented during major outages with contractor support personnel. Major engineering needs were satisfied by an engineering design staff that utilized architect-engineer firms to design specific modifications or perform specific analyses. Plant operation during this period was good, with the single notable exception of turbine generator failures generic to the design of the turbine.

After the March 28, 1979 accident at the Three Mile Island Nuclear Station Unit 2 (TMI-2), the Rancho Seco organization was expanded significantly in order to deal with all the issues raised by TMI-2, a plant with a nuclear steam supply system (NSSS) similar to that of Rancho Seco. As a result, by 1985 a fourfold increase in staff was being administered with essentially the same people and organization that had been in place in 1975.

Following the TMI-2 accident, the licensee noted that Rancho Seco productivity began to suffer. Concurrently, the measurement indicators used by the NRC and INPO began to show declining trends as they related to management effectiveness and plant performance. In response, the Rancho Seco Board of Directors commissioned a comprehensive study of its nuclear program. That study, documented in "Management Appraisal Report," by LRS Consultants, was completed in November 1984. The study convinced the Board that major changes were necessary in the management of the nuclear program to ensure that safety and reliability objectives and requirements could be maintained. The Board acted to implement the changes recommended by the study, and as a result, a revised organization was being put in place at the time the December 26th overcooling transient occurred.

After the December 26th transient, the Board engaged consultants from the Management Analysis Company (MAC) to manage the development and implementation of the "Rancho Seco Action Plan for Performance Improvement." The use of outside contractors to manage and operate the facility was a short-term solution which has been phased out.

Efforts to fill all key management positions with licensee personnel are in the final stages. In the ultimate or permanent organization intended to be in effect at the time of plant restart, the responsibility for the overall management of the nuclear facility rests with the Chief Executive Officer (CEO), Nuclear. Reporting directly to the CEO, Nuclear are the Assistant General Manager (AGM), Technical and Administrative Services and the AGM, Nuclear Power Production. The AGM, Nuclear Power Production is responsible for the operation and maintenance of the plant. Directors who are responsible for designated areas report to their AGMs. The CEO, Nuclear; AGMs; and four Directors have all been emplaced and the implementation of the final organization is proceeding.

3.8.2 Evaluation of Licensee Management and Organization

The NRC staff is evaluating the licensee's management and organization and will complete its review before startup. For restart, the licensee must have in place an effective organization to operate and support the operation of Rancho Seco. The current Rancho Seco organization has been recently revised to support plant operation as well as the many activities leading to startup. The staff has reviewed the licensee's new organizational structure and finds it acceptable. The Rancho Seco organization is shown in Figure 3.16.

The staff has also reviewed the qualifications of the key managers in the Rancho Seco organization, and finds that the licensee has filled key positions with experienced personnel.

The CEO, Nuclear has about 29 years of nuclear experience, including about 4 years as Vice President of Arizona Public Services with responsibility for the Palo Verde Nuclear Plant.

The Assistant General Manager, Technical and Administrative Services has been at SMUD about 17 years and held the positions of Plant Manager and Plant Superintendent at Rancho Seco.

The Assistant General Manager, Nuclear Power Production has about 10 years of nuclear experience, including about 3 years as General Manager of the Palisades Nuclear Plant.

The Director, Technical Services has about 20 years of nuclear experience, including experience as Manager of the Nuclear Engineering Department at South Carolina Electric and Gas Company.

The Director, Nuclear Operations and Maintenance has about 14 years of nuclear experience, including about 2 years as Branch Manager, Operations and about 3 years as Manager, Technical Services at Portland General Electric Company.

The Director, Plant Support has about 25 years of nuclear experience, including several years as Assistant Manager, Nuclear Plant at Rancho Seco.

[Figure 3.16: Rancho Seco organization chart]

The staff has reviewed the qualifications of key support personnel and key plant personnel and finds that they have acceptable backgrounds and experience and meet the relevant acceptance criteria of Sections 13.1.1 and 13.1.2-13.1.3 of NUREG-0800, the Standard Review Plan.

The staff will inspect the full implementation of the revised organization before restart and will discuss the results of that inspection in a supplement to this SER or in an NRC inspection report.

3.9 Retrospective Considerations

3.9.1 FSAR Accidents That Presume Availability of Non-Safety-Grade Systems

As a retrospective consideration of the Rancho Seco overcooling event of December 26th, the staff has evaluated the Rancho Seco FSAR with regard to the use of non-safety grade systems in the accident analyses. The licensee, in response to the staff's request, has evaluated the transient and accident analyses documented in Chapter 14 of the Updated Safety Evaluation Report (USAR). The licensee's evaluation determined that neither the ICS nor other non-safety grade equipment was assumed to be available for the mitigation of transients or accidents with the following exceptions:

(1) The main steam line break (MSLB) evaluation consisted of two analyses: one assumed ICS actions and the other did not assume ICS or operator actions in the analysis. The licensee stated that the MSLB analysis that assumed ICS actions is conservative with respect to the estimation of offsite dose. The analysis assumes 1% failed fuel and the technical specification assumes steam generator tube leakage. The ICS actions are assumed to occur to maximize the feedwater inlet into the steam generators and thus maximize the contaminated steam being released to the atmosphere. The MSLB analysis without ICS or operator action is conservative with respect to maximizing the potential for a return to criticality and potential adverse effects on the fuel performance. The staff has evaluated the MSLB analysis documented in Section 14.2.2.1 of the USAR and agrees with the licensee that the assumed ICS action in one MSLB analysis is conservative with respect to offsite dose considerations.

(2) For the fuel handling accident, the releases are assumed to be filtered through the auxiliary building filters, which are not safety grade. The staff considers that the credit for these filters is acceptable since they are subject to technical specifications and the system must be operating during fuel handling operations. The basis of the staff's acceptance for this design is that the likelihood of a failure of the auxiliary building filters is sufficiently low.

The staff has reevaluated Chapter 14 of the Rancho Seco USAR and the licensee's submittal dated December 15, 1986 with respect to the transient and accident analyses. The staff has concluded that with the exceptions discussed above, the Rancho Seco analyses have not taken credit for the ICS, the NNI system, or any other non-safety grade systems for mitigation of transients or accidents. Therefore, these analyses are acceptable and this issue is closed.

3.9.2 Probability of Pressurized Thermal Shock (PTS) Events

In June 1983, the B&W Owners Group reported (BAW-1791, "B&W Owners Group Probabilistic Evaluation of Pressurized Thermal Shock") the results of an analysis that predicted, among other things, the probabilities of occurrence of overcooling transients as a function of various initiating events (e.g., loss of ICS power). The reported analyses were based on a B&W "generic plant configuration" intended to be representative of all B&W plants, including Rancho Seco. The BAW-1791 report and its analyses, results, and conclusions were considered in the development of the Commission's rules related to pressurized thermal shock (10 CFR 50.61, "Fracture Toughness Requirements for Protection Against Pressurized Thermal Shock Events").

However, the "generic plant configuration," which was the basis for the BAW-1791 findings, included an emergency feedwater control (EFC) system. At the time the BAW-1791 report was issued (June 1983), the BWOG indicated that it was planned to have the EFC or an equivalent system operational at all B&W plants within two years. At the time of the December 26th event, an EFC was not in place at Rancho Seco. As a result, some of the BAW-1791 report analyses were not directly applicable to the Rancho Seco plant configuration (which lacked an EFC system) and thus, underpredicted the frequencies of occurrence of some overcooling events.

As a part of its corrective action program, the licensee committed to install an EFC system before restart. At Rancho Seco this system is called the emergency feedwater initiation and control (EFIC) system. With the installation of the EFIC system, Rancho Seco becomes a close representative of the "generic plant configuration" of BAW-1791, and the report findings, including the predicted frequencies of various overcooling events, remain valid for the upgraded Rancho Seco configuration. Because the upgraded Rancho Seco design effectively addresses the staff's concerns related to the applicability of the BAW-1791 report to Rancho Seco, this issue is closed.

3.9.3 History of the EFIC System

The Rancho Seco emergency feedwater initiation and control (EFIC) system is a four-channel, safety grade, seismically qualified, Class 1E system. Its primary purpose is to provide automatic initiation and control of AFW independent of the ICS and to provide AFW flow indication independent of the NNI system. The EFIC system also controls the atmospheric dump valves, and is used to isolate main feedwater flow under certain conditions. The EFIC system is described in Section 3.1.3. It is being installed during the current outage and will be operational before restart.

The regulatory requirement for a system such as the EFIC system originated from the NRC's TMI short-term, lessons-learned requirements issued in 1979 after the accident at Three Mile Island. NRC's "Short Term Lessons Learned From TMI" (NUREG-0578) Section 2.1.7, which later became TMI Action Plan Section II.E.1.2, required actions to improve the reliability of the AFW system. One of the requirements was that the AFW system should be automatically initiated independent of the ICS. The intent of this requirement was that AFW flow be initiated automatically and completely for any situation for which the operation of the AFW system was necessary for safety.

The licensee first responded to Section 2.1.7 (NUREG-0578) with a letter dated October 18, 1979 in which it committed to install a safety grade AFW initiation and control system, independent of ICS, during the 1981 refueling outage.

NRC's "Clarification of TMI Action Plan Requirements" (NUREG-0737) included these requirements as Section II.E.1.2 and established a required implementation schedule. The modifications were to be installed by July 1981.

At the request of licensees whose plants had been designed by B&W, the NRC staff attended a presentation on September 4, 1980 of an extensive upgrade of the AFW systems which was to be undertaken generically. At this meeting, B&W and the B&W licensees introduced the EFIC system as the answer to many NRC requirements. EFIC would encompass extensive AFW upgrades, including those from a number of ongoing NRC concerns.

The features of EFIC that are relevant to the December 26th event arise from the reliability analyses (i.e., TMI Action Plan Section II.E.1.2) and other safety-related requirements. EFIC also included an automatic AFW control system which addressed the OTSG overfill and RCS overcooling recommendations arising from NUREG-0667, and the concern regarding the spurious opening of ADVs upon loss of ICS power.

The B&W plant licensees indicated that EFIC would be installed at a number of B&W-designed plants, including Rancho Seco. Arkansas Nuclear One Unit 1 (ANO-1) would be the "lead plant" for the EFIC system and would submit the conceptual design for NRC review by October 1980, install it at ANO-1 in early 1982, and install it at the last B&W-designed plant by late 1982.

Thus, the EFIC system proposed for Rancho Seco in September 1980 would have included the following features that are relevant to the December 26th incident:

- The ADVs and AFW (ICS) flow control valves would be controlled by the safety grade EFIC system and would no longer open on loss of ICS dc power.
- A safety grade MFW isolation would have been installed that would have prevented flow to the OTSGs from the condensate pumps.

In January 1981, on the basis of the design information provided by the licensee in its November 17, 1980 letter, the NRC staff approved the preliminary design of the EFIC system as the response to Section II.E.1.2 for Rancho Seco.

The licensee submitted a letter dated October 22, 1982 stating that the AFW automatic initiation system (which was now part of EFIC) would be installed during the 1983 refueling outage then scheduled for January 1983.

In early 1983, the NRC determined that the safety upgrades to the AFW system including conformance to Section II.E.1.2, were sufficiently important that the most recent installation schedule should be required by an NRC Order. NRC issued this Order on March 14, 1983 and required that the licensee complete installation of the AFW automatic initiation system as scheduled during the 1983 refueling outage. The Order also mentioned that the safety grade AFW flow control system would not be installed until 1984.

The licensee's April 28, 1983 letter stated that the installation schedule for EFIC had slipped until a refueling outage in 1986. The reason given was that EFIC was closely related to both the ongoing detailed control room design review and the implementation of RG 1.97, Revision 2 (postaccident monitoring instrumentation). The letter stated that this schedule change would not affect the part of the system dealing with Section II.E.1.2 (i.e., the AFW automatic initiation system).

Apparently the licensee concluded in April 1983 that the EFIC system was no longer required to meet the commitment to provide an AFW automatic initiation system (i.e., II.E.1.2) because the licensee had improved the AFW initiation system so that the AFW system would be initiated on SFAS. However, the licensee did not document this alternative response to the requirements of II.E.1.2, and did not submit information to the NRC that explicitly stated that the alternate design would be used to satisfy the requirements in II.E.1.2, instead of the previously approved EFIC system. In addition, the licensee did not submit the alternate design to the NRC for review and approval.

In the alternate design (i.e., non-EFIC), the AFW system would be initiated automatically under some accident conditions (i.e., RCS low pressure, containment building high pressure), but would not initiate under all conditions for which AFW initiation is necessary (e.g., loss of MFW). Thus, this alternate design may not have complied with the requirements of Section II.E.1.2 as described earlier.

Thus, the fact that some automatic AFW initiation had been provided, combined with the lack of specificity of the intent of the original NRC requirement, was sufficient for the licensee to conclude that it had complied with the requirements of this item. Being under an NRC Order to implement Section II.E.1.2 by a specified date, and facing the schedule slippages to install EFIC, which the licensee originally committed to in its response to II.E.1.2, the licensee concluded that the earlier AFW initiation modifications had complied with the requirements of the Order, thus allowing it to avoid an extended plant outage because of a failure to comply with the NRC Order.

In summary, the staff was led to believe that the EFIC system would be installed in 1984 in response to a number of NRC requirements, including II.E.1.2. Apparently the licensee decided to install an alternate system in response to II.E.1.2. The licensee's intent to satisfy II.E.1.2 with this alternate design was not made clear to the NRC staff, was not approved by the staff, and may not have complied with the requirements of II.E.1.2. As a result, the EFIC system, some features of which would have reduced the severity of the December 26th incident, was not installed at the time of the incident.

Summary

The above discussion summarizes a complex history of commitments, interactions, and scope changes to satisfy the requirements of NUREG-0737, Section II.E.1.2. It is the licensee's position that the scope, status, and schedule for the interim and final plant configurations met the requirements and intent of Section II.E.1.2.

As a result of the extensive analysis of the December 26th event, and the subsequent systematic assessment of the facility, the licensee concluded that modifications to minimize the likelihood of reoccurrence were necessary. With respect to providing control of AFW independent of the ICS/NNI system, the method selected by the licensee was to accelerate the installation of the EFIC system and make it operational before restart. This action resolves the concern about the degree of compliance with the requirements of Section II.E.1.2. Therefore, this issue is closed as a restart item.

4 RESOLUTION OF CONCERNS NOT RELATED TO THE DECEMBER 26, 1985 EVENT

In this section of the SER, the NRC staff presents its evaluation of safety issues that are not directly related to the overcooling transient of December 26, 1985. In the staff's judgment, these issues are sufficiently important to safety that they must be satisfactorily resolved before Rancho Seco is allowed to restart.

4.1 Postaccident Sampling System

4.1.1 PASS Design Description

The postaccident sampling system (PASS) was installed at Rancho Seco to satisfy the requirements of NUREG-0737 and the clarification provided in the NRC letter issued to all licensees on July 12, 1982. The system was designed for complete in-line remote monitoring and analysis. It is capable of obtaining samples of the reactor coolant system (RCS) cold leg, reactor building sump, and the reactor building atmosphere. The in-line analysis capability of the PASS is shown in Table 4.1.

Table 4.1 Rancho Seco postaccident sampling system

Sample analysis          Original PASS design   Current sample method   Backup sample method

Reactor coolant
  Isotopic               In-line                In-line                 Off site
  Total gas              In-line                In-line                 Calculation
  pH                     In-line                In-line                 Off site
  Conductivity           In-line                In-line                 Off site
  Boron                  In-line                Grab on site            Off site
  Chloride in 4 days     In-line                Off site                Not required
  Oxygen                 Off site               Off site                Not required
  1 µCi/g to 10 Ci/g     Yes                    Yes                     Yes
  3 hr and <5 rem        Each                   Each                    Not applicable

Containment atmosphere
  Isotopic               In-line                Grab on site            Calculation
  Hydrogen               H2 monitors            H2 monitors             Grab on site
  3 hr and <5 rem        Yes                    Yes                     Yes

The system is designed to function in the postaccident environment but is non-QA (quality assurance) Class 1 and non-seismic Category I. All valves required to operate and support PASS that are not accessible are environmentally qualified. As required by NUREG-0737, Item II.B.3, Criterion 8, backup grab sample capability is provided. Provisions for analyzing the liquid grab samples at an offsite facility are also available. Onsite analysis for both the liquid and gas samples is provided. As required by the NRC's July 12, 1982 letter, the PASS is provided with an alternate power source that can be energized during a loss of offsite power.

By letters dated October 13, 1982 and May 2 and June 17, 1983, the licensee described the PASS and how it satisfies the criteria of NUREG-0737, Item II.B.3. The NRC staff's safety evaluation reports dated February 15 and September 2, 1983 accepted the PASS design as meeting the criteria of NUREG-0737, Item II.B.3.

4.1.2 PASS Modifications

4.1.2.1 Initial PASS Modifications

By letter dated February 6, 1986, the licensee informed the staff of several changes to the PASS design as follows:

(1) alternative analysis methods for boron and chlorides in reactor coolant and isotopic analysis in the reactor building atmosphere

(2) backup calculational methods for total gas in reactor coolant and isotopic content of the reactor building atmosphere

(3) clarification of several PASS features

4.1.2.2 Evaluation of Initial PASS Modifications

With regard to alternate analysis methods, the licensee's originally proposed boron analysis method for reactor coolant using an in-line ion chromatograph has been replaced by onsite analysis of a grab sample using an ion chromatograph. The original chloride analysis method for reactor coolant using an in-line ion chromatograph has been replaced by offsite analysis of a grab sample within 96 hours. The original radioisotopic analysis method for the reactor building atmosphere using an in-line gamma spectrometer has been replaced by onsite analysis of a grab sample using a gamma spectrometer. These changes in analysis methods from in-line monitors to grab samples are acceptable means for obtaining samples for making prescribed measures, and comply with the criteria of NUREG-0737, Item II.B.3.

With regard to backup calculational methods, the licensee stated that supplemental calculational methods are being developed to determine (1) total gas in the reactor coolant using reactor building hydrogen concentrations and in core temperature and (2) isotopic content of the reactor building atmosphere using the reactor building high-range area monitors and isotopic mix vs. R/hr graphs. The licensee will use these calculational methods to back up grab sample analysis methods. This capability is not required by the criteria of NUREG-0737, Item II.B.3 and, thus, the licensee exceeds staff guidelines in this area.

'The licensee also provided additional information and clarification in order to avoid misinterpretation of the PASS capabilities as follows: The capability to obtain and analyze samples within three (3) hours is applied to one sample, either a reactor coolant sample, a reactor building emergency sump sample or reactor building at-mosphere sample. The reactor coolant sample will be obtained from the "B" loop cold leg drain via a connection to the pressurizer liquid sample 1 line. Although the capability exists to draw a sample from.the pressurizer, the procedures for PASS only takes samples from the "B" loop cold leg. The pressurizer sample line provided a. con-venient penetration of the reactor building but a pressurizer sample may not be representative of the circulating reactor l coolant during an accident. l Total gas is measured using expansion of the pressurized reactor ] coolant sample between two known volumes and measurement of pres-sure changes. Since this was considered a physical measurement and not an in-line chemical analysis, Criterion 8 was interpreted _ as not being applicable. Therefore, the PASS was not designed with any provision for a pressurized grab sample for total gas. This interpretation was reinforced by the wording in clarifica-tion (4) which indicates that pressurized reactor coolant samples are not required if dissolved gases can be quantified with un-j pressurized reactor coolant sample. The recommended oxygen in l Criterion 4 will be performed on the depressurized grab sample by l the offsite laboratory for dissolved oxygen. _] ) i The NRC staff has reviewed the above clarifications and concurs with these interpretations. They have no effect on the staff. conclusion regarding the l acceptability of the PASS against the criteria of Item II.B.3 of NUREG-0737. 
Considering the clarifications given above, the NRC staff concludes that the proposed changes to the PASS analysis methods using grab samples instead of in-line monitoring meet the criteria of Item II.B.3 of NUREG-0737, and are, therefore, acceptable. Further, use of backup calculational methods is acceptable, although this practice is not required by the criteria of Item II.B.3. Finally, these clarifications to the PASS design are acceptable because they meet Item II.B.3 criteria.

4.1.2.3 Additional PASS Modifications

By letters dated March 13, 1986; April 30, 1986; and May 4, 1987, the licensee provided the following additional information on the PASS design:

(1) calculational methods for total gas in reactor coolant and for isotopic content of the containment atmosphere for inclusion in the overall PASS program plan as an aid in evaluating certain accidents
(2) a standard test matrix solution analysis
(3) a commitment to perform time/motion studies for personnel dose assessment
(4) modifications to improve the system reliability, maintainability, analytical accuracy, and ALARA (as low as reasonably achievable) commitments
(5) ranges and accuracies of analyses

4.1.2.4 Evaluation of Additional PASS Modifications

With regard to the development of calculational methods for total gas in reactor coolant and isotopic content of containment atmosphere, the staff has determined this capability is not required by the criteria of NUREG-0737, Item II.B.3 and, therefore, these methods were not reviewed. However, the licensee has the option to provide these methods as an aid in evaluating certain accidents.

Undiluted standard test matrix solutions were tested for pH and conductivity. Diluted standard test matrix solutions were used for boron and chloride analyses. Analysis accuracies were adequate, indicating suitability of procedures. The standard test matrix did not include the induced gamma radiation. This is acceptable since testing was done on diluted samples which would substantially reduce the PASS sample radiation level. In addition, pH and conductivity probes are resistant to radiation effects at the undiluted standard test matrix concentrations.

The ranges and accuracies for boron, chloride, and total gas have been experimentally determined for PASS in-line equipment and grab samples. The installed instrument ranges and accuracies meet Criterion 10 of Item II.B.3. The boron concentration upper limit is 3800 ppm by in-line analysis and 3840 ppm by grab sample analyses. A 6000 ppm boron upper limit is recommended by Regulatory Guide 1.97. However, under accident conditions, reactor coolant boron concentrations are not expected to exceed 2000 ppm. Therefore, the 3800 and 3840 ppm upper limits are acceptable. The NRC staff has determined that the modified PASS meets Criterion 7 and Criterion 10 of Item II.B.3 of NUREG-0737 and is, therefore, acceptable.
The licensee has committed to perform a time/motion study with new operating procedures to ensure that operator radiation exposure will be within the General Design Criterion (GDC) 19 exposure limit while obtaining and analyzing the PASS samples. The staff recommends that the time/motion study be completed before restart, and will inspect the study as part of the PASS testing inspection discussed in Section 4.1.4, below.

The modifications being made to the Rancho Seco PASS to improve the system reliability, maintainability, analytical accuracy, and ALARA commitment do not directly affect the PASS design criteria in Item II.B.3 of NUREG-0737. However, proper training of PASS operators using the modified procedures is needed to demonstrate the performance capabilities of the modified system and to ensure system operability.

On the basis of its evaluation, the staff concludes that the Rancho Seco PASS meets all 11 criteria of Item II.B.3 of NUREG-0737. The completion of the time/motion study to show compliance with GDC 19, which is required by Criterion 6 of Item II.B.3, will be inspected under Section 4.1.4, below. This item is closed as a restart issue.

4.1.3 PASS Procedures and Training

In conjunction with the modifications to the system hardware, the PASS operating procedures have been completely revised to make them more user friendly and to overcome previously experienced operational difficulties. The licensee plans to have a minimum of five PASS operators fully trained and qualified in the use of the system before restart. Following restart, the licensee will continue training additional chemistry technicians in the operation of the system to improve its flexibility.

Core Damage Assessment Procedure

By letter dated July 6, 1987, the licensee proposed a revision to the procedure for assessment of core damage from post-accident sampling results (AP.56, Rev.3). The proposed revision consists of replacing the method for determining fractions of cladding-ruptured and overheated fuel using isotopic ratios in the fuel and the fuel gap with the method by which the extent of core damage is estimated from the containment area radiation monitor indications. This modification is necessary because the method using isotopic ratios to estimate the extent of core damage was found to produce inaccurate results.

The original procedure for predicting the extent of core damage from post-accident sampling results contained three methods for making this prediction: (1) preliminary estimation using such station indicators as incore temperature, containment radiation levels, and containment hydrogen concentration; (2) estimation of a degree of core damage from the specifically prepared graphs using normalized activity concentration measurements of different isotopes in postaccident samples; (3) separate determination of fractions of cladding-ruptured and overheated fuel using isotopic ratios in the fuel and in the fuel gap. The procedure required that these methods be used in the sequence indicated.
It also had a stipulation that if the results determined by methods 1 and 2 indicate that there is no core damage, there is no need to use method 3.

During the update of the procedure, the licensee found that predicting core damage by method 3 could be a source of considerable errors, some of them in a nonconservative direction. Although the method in its underlying concept is correct, in practice it exhibits serious limitations because accurate data for isotopic inventory in the fuel gap cannot be obtained. The licensee decided to replace this method with a new one based on containment area radiation monitor indications. This revised method is semi-quantitative and provides an estimate of the extent of cladding and fuel damage. The damages are classified into six ranges, starting with a minor reactor coolant leak (< 1%) and no fuel damage and extending to 100% cladding damage and fuel meltdown. The estimates are made by comparing radiation monitor indications to the monitor response curves expressing containment atmosphere dose rates as a function of the time after reactor shutdown. This method will be employed after the initial estimates of core damage by method 1 are made and the results obtained by these two methods will be compared. The modified procedure requires that the final estimates be based on the results of all the methods used in the procedure.

The NRC staff has reviewed the revised procedure with a special emphasis on the method for estimating ranges of cladding and fuel damage. The staff finds that this method, with properly functioning containment area radiation monitors, will produce adequate results.

On the basis of its evaluation, the NRC staff concludes that by replacing the method giving erroneous results by a new, more reliable method, the proposed revision of the core damage assessment procedure improves the process by which core damage can be estimated. The revised procedure is consistent with the requirements of NUREG-0737, Item II.B.3 and is, therefore, acceptable.

Summary of Staff Inspection of PASS Procedures and Training

The NRC staff has inspected the PASS system and documented the results in Inspection Reports 50-312/86-37 and 50-312/87-05 (see item 86-37-01). At the time of these inspections a number of issues were open. The NRC staff will inspect the licensee's PASS training and procedures before restart to verify that they are acceptable for restart. This item will be discussed in a supplement to this SER or in an NRC inspection report.

4.1.4 PASS Testing

Testing of all aspects of the operation of the PASS cannot be completed until the plant is in a hot shutdown condition, at full pressure and temperature. However, the licensee has stated that all essential operating parameters will be fully tested before restart to demonstrate that the system will operate reliably and will produce accurate analytical results that comply with its commitments to the requirements of NUREG-0737.

The NRC staff has inspected the PASS system and documented the results in Inspection Reports 50-312/86-37, 50-312/87-05, and 50-312/87-22 (see item 86-37-01). At the time of these inspections, a number of issues were open. The NRC staff will inspect the PASS testing (including the time/motion study discussed in Section 4.1.2.4, above) before restart to verify that it is acceptable for restart. This item will be discussed in a supplement to this SER or in an NRC inspection report.

4.2 Control Room/Technical Support Center HVAC System

4.2.1 HVAC Design and Installation

The control room/technical support center (CR/TSC) essential air conditioning (HVAC) system is designed to provide a suitable environment for equipment and station operator comfort and safety.

During certain abnormal events, as noted below, the CR/TSC essential air system is automatically actuated and started. Each of the CR/TSC essential air conditioning system trains is composed of the following:

(1) an essential filtration unit consisting of a moisture eliminator, prefilter, electric duct heater coil, two HEPA (high efficiency particulate air) filter banks, two carbon filter banks, and a booster fan
(2) an essential air handler with a direct expansion cooling coil and circulation fan
(3) an essential condensing unit consisting of reciprocating refrigerant compressor, air-cooled condensing coils, condensing fans, receiver, and associated refrigerant piping and valves
(4) an air distribution system consisting of common ductwork, automatic dampers, and other associated duct accessories.

The CR/TSC essential air system has been modified to perform the following functions:

(1) Isolate the CR/TSC from potentially radiologically contaminated air during a radiological event.
(2) Isolate the CR/TSC from air potentially containing toxic gas during a toxic gas event.
(3) Provide cooling for the CR/TSC during radiological, toxic gas, CR/TSC high temperature, or loss of offsite power event by maintaining the CR/TSC temperature at 60 F or less.
(4) Prevent infiltration of potentially radiologically contaminated air into the CR/TSC during radiological events by pressurizing the CR/TSC to 0.125-inch water gauge (WG) relative to outside atmosphere and adjoining areas.
(5) Provide outside, filtered, conditioned supply air for CR/TSC ventilation during all modes of operation except a toxic event by maintaining a flow of 3200 cfm through the essential filtration unit.

The licensee is currently preparing a system design habitability report. This report will be verified by the licensee during its system design review and will be validated by the licensee by the associated test program. The staff review of this item will be performed in conjunction with its review of testing covered in Section 4.2.2, below.

4.2.2 HVAC Testing

The licensee has not completed testing its modified heating, ventilation, and air conditioning (HVAC) system for the control room and technical support center. An operable CR/TSC HVAC system is required by the Rancho Seco technical specifications. The NRC staff will inspect the modified CR/TSC HVAC system before restart to verify operability.
This effort will assess both the design adequacy and the licensee's test results, and will be discussed in a supplement to this SER or in an NRC inspection report.

4.3 Radioactive Liquid Effluent Releases

In April 1984, the licensee determined that since 1981 radioactive liquid effluent releases at Rancho Seco have been in excess of the dose design objectives of Appendix I to 10 CFR 50. The Rancho Seco Technical Specifications did not require meeting the Appendix I criteria until July 1984. At this time, the licensee has not shown that Rancho Seco is capable of operating within its current technical specification limits for radioactive liquid effluents.

In 1986, the NRC staff conducted an inspection to evaluate management of liquid radioactive effluents at Rancho Seco during 1985. The inspection (documented in Inspection Report 50-312/86-15) disclosed significant deficiencies in the licensee's management of radioactive liquid effluents. At this time, the staff has no basis for evaluating the licensee's methods for controlling radioactive liquid effluents. To permit staff evaluation and approval before restart, the licensee has been requested by letter dated August 14, 1987, to submit the following:

(1) a description of the radioactive liquid effluent systems, including piping and instrumentation diagrams (P&IDs), design criteria, instrumentation, and control measures
(2) an evaluation of these systems showing their capability for limiting radioactive liquid releases to the quantities permitted by the technical specifications
(3) the revised offsite dose calculation manual (ODCM)

Before restart, the NRC staff will review, inspect, and evaluate the licensee's management of radioactive liquid effluents, and will discuss its evaluation in a supplement to this SER.

4.4 Emergency Plan

4.4.1 Meteorology Program Improvements

By previous commitment, the licensee indicated that it will have an adequate onsite meteorology program in place before restart. The NRC staff identified concerns about the adequacy of the Rancho Seco meteorological program as it relates to the emergency preparedness requirements that define the minimum meteorological monitoring requirements. The NRC staff has evaluated the adequacy of the short-term meteorological program improvements proposed by the licensee for restart. The staff evaluation follows.
The regulatory requirements for emergency response at nuclear power plants with specific meteorological considerations characterized in the form of atmospheric transport and diffusion conditions as an integral part of the dose assessment capability are covered by the requirements of 10 CFR 50.47(b)(9); 10 CFR 50, Appendix E, IV.B; and 10 CFR 50, Appendix E, IV.E.2. These regulations state that emergency plans, facilities, and equipment at nuclear power plants shall be capable of determining the magnitude of, and continually assessing, actual and potential offsite consequences resulting from the release of radioactive material to the environment. To accomplish these regulatory objectives, knowledge of current transport and diffusion conditions is needed in order to assess the impacts of actual releases. Further, estimates of future or forecast conditions are needed in order to assess the impacts of potential releases. All of this information must be in a form that permits continual dose assessments.

To develop the atmospheric transport and diffusion information of importance to emergency response, representative meteorological data and an appropriate model are required. Minimum meteorological data requirements for emergency response at nuclear power plants are outlined in Supplement 1 to NUREG-0737 and are considered in conjunction with the more specific data collection guidance contained in Regulatory Guides (RGs) 1.23, 1.101, and 1.97 (Revision 2). Atmospheric transport and diffusion modeling considerations for emergency response are discussed in detail in RG 1.101.

The minimum meteorological information required for emergency response purposes is a continuous record of reliable meteorological parameters (wind speed, wind direction, and a measure of atmospheric stability) as specified in Supplement 1 to NUREG-0737 and RG 1.97 (Revision 2) for site meteorology. These data should be incorporated into a simple, rapid-running transport and diffusion model which is part of the dose calculation model to be utilized in the control room.

From the time of initial licensing, the licensee has been measuring wind speed, wind direction, and air temperature at the 10-meter and 60-meter levels from a tower located at the site. Wind speed, wind direction, and atmospheric stability (temperature gradient with height) have been measured at the appropriate levels to properly represent the diffusion and transport conditions for the purpose of estimating potential accident release. The measurements are recorded continuously in the control room. However, historically, the data have not been reliable and it has been questionable as to whether the measurements meet the guidelines of RG 1.23 and RG 1.97 (Revision 2). These difficulties have resulted from instrumentation problems and inadequate quality control and quality assurance.

By letter dated February 26, 1987, the licensee proposed modifications to the Rancho Seco meteorology and dose assessment programs which will be completed by restart. The licensee proposes to place the two temperature sensors located at the 10-meter tower elevation in the same shield in order to resolve the measured temperature divergence problems noted with these instruments. The licensee also plans to provide indication of aspirator motor failure in the control room to enhance early detection and repair and thereby reduce the probability of the collection and use of erroneous data. In addition, the licensee will improve the quality control, quality assurance, and training programs related to the meteorology program. The licensee has also committed to purchase a spatial and temporal variable diffusion model before restart which will be incorporated into its dose assessment model. These changes will provide for better meteorological data collection and assimilation per the guidelines of RG 1.23 and RG 1.97 (Revision 2) for postaccident emergency response.

On the basis of its review of the existing and proposed modifications to the meteorological program, the staff concludes that with the planned improvements, the Rancho Seco facility will satisfy the minimum meteorological emergency preparedness requirements of 10 CFR 50.47 and 10 CFR 50 Appendix E and the guidelines of RG 1.23 and RG 1.97 (Revision 2) at the time of restart. The onsite meteorology program is, therefore, acceptable. The staff plans to continue discussions with the licensee during and after implementation of the program modifications. The staff recommends that the licensee continue to send collected meteorological data on a quarterly basis to the staff to confirm that previously identified meteorological concerns have been resolved. This item is closed as a restart issue.

4.4.2 Emergency Plan Training

The NRC staff's Inspection Report No. 50-312/86-14 identified numerous violations in the licensee's emergency response training program. The licensee's corrective action for those violations consisted of numerous initial and long-term actions. NRC Inspection Report No. 50-312/87-02, reporting on an inspection conducted in March 1987, evaluated the licensee's initial corrective actions and determined them to be adequate. This report also identified numerous areas that still require improvement. Before startup, the staff will reinspect the emergency response training program. The status of the long-term corrective actions and the improvement items will also be inspected before restart. The staff will discuss the resolution of this issue in a supplement to this SER or in an NRC inspection report.

4.4.3 Emergency Plan Implementing Procedures and Dose Assessment

Currently, the licensee is revising the emergency plan and the emergency plan implementing procedures (EPIPs). Procedures for dose assessment, training, classifications, and drills and exercises are also being revised. The NRC staff will inspect these areas before restart and will discuss the results of its inspection in a supplement to this SER or in an NRC inspection report.

4.5 Conformance to the Guidelines of Regulatory Guide 1.97

4.5.1 Background of RG 1.97 Issues

The licensee was asked by Generic Letter 82-33 (also published as NUREG-0737, Supplement 1) to provide a report to the NRC describing how the postaccident monitoring instrumentation meets the guidelines of Regulatory Guide (RG) 1.97 as applied to emergency response facilities. The licensee's response to Regulatory Guide 1.97 was provided by letters dated April 15 and September 14, 1983; July 13, 1984; October 31, 1985; and January 13 and March 7, 1986.

Detailed reviews and technical evaluations of the licensee's submittals were performed by EG&G Idaho, Inc. under contract to the NRC, with general supervision by the NRC staff. The initial review identified 11 exceptions to RG 1.97 recommendations which were not acceptable. The licensee responded with additional information justifying deviations from the guidance of RG 1.97. The NRC staff reviewed three of these deviations because they were associated with the staff review of the PASS and the SPDS. The other deviations were reviewed and evaluated by the staff contractor, EG&G. The contractor reported the results of its evaluation in technical evaluation report (TER) EGG-EA-6940, "Conformance to Regulatory Guide 1.97, Rancho Seco Nuclear Generating Station," March 1987. In this report, EG&G concludes that except for the three deviations that it did not review, the licensee either conforms to, or has justified deviations from, the guidance of RG 1.97 for each postaccident monitoring variable. The NRC staff has reviewed the TER and concurs. Also, the staff has completed its review of the three deviations not reviewed by EG&G and finds the licensee's justification acceptable.

After the generic letter was issued, NRC held regional meetings in February and March 1983 to answer the licensee's questions and concerns regarding NRC policy on RG 1.97. At these meetings, it was established that NRC review would address only exceptions taken to the guidance of RG 1.97. Further, where the licensee explicitly stated that instrument systems conform to the provisions of RG 1.97, no staff review would be necessary. Therefore, the review discussed in this SER only addresses exceptions to the guidance of the regulatory guide. This section addresses (1) the licensee's submittals responding to the review policy described in the NRC regional meetings and (2) the conclusions of the review performed by EG&G and the NRC staff.

4.5.2 Evaluation of Compliance With RG 1.97 Guidelines

In an interim report of June 28, 1985, the NRC staff identified 11 exceptions to the recommendations of RG 1.97 which were found unacceptable. The licensee was advised of these findings and responded with additional information which was reviewed and evaluated by the contractor. The results of this review were reported in TER EGG-EA-6940. This report found that, except for the three areas reviewed by the NRC staff, the licensee had either conformed to the RG 1.97 recommendations or had provided acceptable justification for deviating from those recommendations for each postaccident monitoring variable.

The areas reviewed by the NRC staff were (1) radiation level in the circulating primary coolant, (2) the accident sampling (primary coolant, containment air and sump) system, and (3) the provision of Category 1 indicators for the design and qualification of Category 1 accident-monitoring variables. The staff review of these areas is discussed below.

For the measurement of radiation level in circulating primary coolant, one of the identified means of measurement was the postaccident sampling system (PASS) which was reviewed by the staff as part of the NUREG-0737 Item II.B.3 issue. In its safety evaluation report of July 28, 1983, the staff found that the PASS meets both the Item II.B.3 requirements and the RG 1.97, Revision 2 recommendations and is, therefore, acceptable. Revision 2 recommended a maximum sensitivity (threshold) for the radioactivity determination of 10 pCi/ml.
In its submittal of July 13, 1984, the licensee committed to meet the recommendations of RG 1.97, Revision 3, which changed the maximum recommended sensitivity (threshold) for the radioactivity determination from 10 pCi/ml to 1 pCi/ml. In that submittal, the licensee stated that the PASS was capable of meeting the new maximum sensitivity, and the staff concluded in its safety evaluation report of March 22, 1985 that the PASS was acceptable because it meets the requirements of NUREG-0737 Item II.B.3. The staff concludes that the stated sensitivity of 1 pCi/ml meets the recommendation of RG 1.97, Revision 3 and is acceptable.

For the accident sampling (primary coolant, containment air, and sump) variable, the PASS is used to meet this RG 1.97 recommendation and, as above, this system was reviewed by the staff as part of the NUREG-0737 Item II.B.3 issue. The staff finds that the PASS meets the recommendations of RG 1.97, Revision 3 for this variable and is, therefore, acceptable. The PASS is also discussed in Section 4.1 of this SER.

With respect to provision of continuous real-time display of design and qualification Category 1 accident-monitoring variables, the licensee proposed to use the SPDS which would be upgraded to Category 1 requirements to meet this recommendation. The licensee committed in a letter dated July 13, 1984 to provide both hardware and software which will meet the Category 1 requirements. The staff review of the capability of the licensee's hardware and software to meet the Category 1 requirements is being performed separately and the review is discussed in Section 4.6 (below). On the basis that (1) the licensee has committed to make the SPDS meet Category 1 requirements and (2) the staff will, through its review, ensure that the SPDS meets those requirements, the staff considers this concern resolved.

4.5.3 Conclusion, RG 1.97 Issue

On the basis of the staff's review of its contractor's TER and the licensee's submittals, the staff finds that the Rancho Seco design acceptably conforms to RG 1.97, Revision 3. Therefore, this item is closed as a restart issue.

4.6 Safety Parameter Display System

The licensee's action plan for the restart of Rancho Seco includes upgrading the safety parameter display system (SPDS) to safety grade status. This requires the installation of Class 1E-rated input/output peripherals, i.e., input multiplexers, output displays. The action plan also calls for incorporating the RG 1.97 design and qualification Category 1 accident monitoring variables into SPDS displays. Previously, the Rancho Seco SPDS was non-safety grade and had no postaccident requirements. However, the incorporation of RG 1.97 design and qualification Category 1 accident-monitoring variables into the SPDS requires postaccident availability of the system. The upgraded SPDS is the licensee's response to the Commission's requirements for an SPDS and for the implementation of RG 1.97. The staff's safety evaluation for SPDS follows.

The staff's previous review of the non-safety grade SPDS identified several concerns. The staff discussed these concerns (NRC letter dated April 7, 1986) with the licensee. One concern was the clutter and high local density of data within the alphanumeric display formats. The high local density results in long search times for people who use the display. A second concern dealt with the integration of and the adequacy of radiation data to evaluate the radioactivity control function. A third concern dealt with the qualification of the isolation devices.
These devices must isolate the upgraded SPDS from electrical interference with equipment and sensors in non-safety grade systems.

The staff's review of the licensee's compliance to RG 1.97 was conducted in two phases. In the first phase, the staff reviewed the exceptions taken by the licensee to the guidance of RG 1.97. The results of this review are in Section 4.5, above. Except for the display device (the SPDS), the review concluded that the licensee conforms to guidance or justified all deviations from the guidance of RG 1.97.

In the second phase of the review, the staff assessed the upgraded SPDS for conformance to the guidance of RG 1.97. This review began with an evaluation of the licensee's action plan and with an audit (NRC letter dated February 2, 1987) of the design modifications. The next major step in the review is an audit of the hardware and the software in the system. The final step in the review will consist of an audit of the software validation process and results.

4.6.1 SPDS Description

The upgraded SPDS is a two channel system. Each channel consists of a color monitor, a video generator, processors, a control panel, an interface module, and a data acquisition system. The data acquisition system consists of a central control unit cabinet and ten remote multiplexer cabinets located throughout the plant. The data acquisition system is completely channelized and the output of all Class 1E sensors is input both to channel A and to channel B Class 1E multiplexer. To guard against common mode failures, each independent channel of the SPDS and the data acquisition system is powered from an independent Class 1E battery/diesel-backed ac power source. Furthermore, all RG 1.97 Category 1 variables are from Class 1E sensors and are processed through Class 1E multiplexer. Isolation devices are used in the system to isolate non-Class 1E systems from the SPDS and to isolate the redundant SPDS channels from each other.

The SPDS interface consists of a pressure-temperature plot of water (presented as graphic segments on a cathode-ray tube). It displays the saturation line between liquid phase water and vapor phase steam. The model displays the current values of primary coolant pressure, hot-leg coolant temperature, and cold-leg coolant temperature. Also, the saturation temperature of secondary coolant water in the steam generator is presented.

The above information is presented in the abnormal transient operating guidelines (ATOG) display format. From the data in the ATOG display format, the user of the SPDS may evaluate the subcooling of the primary coolant. The user may also evaluate the status of the heat transfer between the primary coolant system, the source, and the secondary coolant system, an intermediate heat sink. These data are useful after a reactor trip to evaluate the cooling of the reactor core and the heat transfer from the primary coolant system. These data are also useful during normal operations to evaluate the performance of the integrated control system.

If not already displayed, the ATOG display format is presented automatically upon a reactor trip.
The basic data presented in the display are described above. In addition, a post-trip window is identified within the display. Post-trip operation with process variables within the window indicates a normal response of the plant to the trip. Post-trip operation with process variables outside of the window indicates a possible challenge to safety systems. The process variables are outside the window during events such as overcooling, undercooling, and loss of subcooling.

The window serves as a valuable post-trip aid to operators. It allows operators to evaluate quickly the status of the plant during a period of high operator workload. Because the data within the display are in the form of a model of the process, it facilitates evaluation of core cooling, a critical safety function.

One of the objectives of the action plan is to ensure that the plant remains in the post-trip window. The safety grade SPDS provides control room operators with a real-time means of evaluating this objective.

The staff's review of the upgraded SPDS covers three broad areas consisting of design, test, and operations. These issues are evaluated below.

4.6.2 SPDS Design Issues

Both hardware and software design issues were reviewed by the staff. The hardware design issues consist of

(1) equipment reliability
(2) equipment qualification
(3) fire protection
(4) common mode faults

The software design issues consist of

(1) the display of variables (RG 1.97)
(2) the redesign of alphanumeric displays
(3) the display of radiation variables
(4) the design verification and validation program
(5) a walkthrough of selected computer program elements

Hardware and software design issues are discussed in the following two sections.

4.6.2.1 SPDS Hardware Design Issues

Equipment Reliability

A letter from the licensee, dated January 12, 1987, contains a report that summarizes the analytical methods and results of a reliability analysis performed by the licensee. The study evaluated the unavailability of the SPDS and compared the results with the guidelines on availability stated in NUREG-0696. The unavailability estimates include the SPDS equipment from sensors to display hardware, including external power supplies. The analysis does not include software. A separate verification and validation task was performed for software.

The staff, assisted by a consultant, reviewed the licensee's reliability report. The report described the tools and methods used to conduct the analysis. The staff's review finds the tools and methods acceptable for a reliability study.

The staff also evaluated the results from the analysis. The licensee's report concludes that the SPDS meets the NUREG-0696 unavailability goal for all of the displays and some of the alerts. The containment isolation, decay heat removal, and radioactivity alerts do not meet the guideline. These alerts have higher unavailabilities because they contain components that are not tested at power since such testing may endanger the safe operation of the plant. The unavailability goal in NUREG-0696 is 0.01, which is a guideline only.
Furthermore, this guideline applies to a non-safety grade display system. The staff has no guideline for the unavailability of a Class 1E display system. However, in the staff's judgment, the results of the licensee's analysis appear reasonable. Based on the staff's review described above, this item is closed as a restart issue.

As a confirmatory issue related to the display system, the staff requested additional data from the licensee in two tasks. In task one, the staff asked the licensee to perform a reliability comparison between a digital data/display channel for the upgraded SPDS and an analogue data display. By letter dated March 30, 1987, the licensee agreed to provide the comparison by October 1987. In task two, the staff asked the licensee to provide reports, after restart, on the performance and availability of the display system. The staff plans to monitor the initial performance of the display system.

Equipment Qualification

The staff asked the licensee to provide documents and data to show that the upgraded SPDS complies with industry standards and regulatory criteria for safety-related systems. The licensee's response (letter dated November 20, 1986) contains commitments and describes work performed to qualify equipment. Environmental qualification will only be required for sensor inputs, since all portions of the system except field sensors are in a mild environment. Equipment located outside the reactor building will be designed for use in that particular area. Generally, the equipment will be designed for a 40 year service life and a design-basis accident (DBA) radiation dose. The 480-V transfer switches will be designed to meet separation requirements of IEEE Standard 384-1977 and IEEE Standard 344-1975 (letter from the licensee dated November 20, 1986). The SPDS will be a QA Class 1 and seismic Category I system. Circuits having direct interface with SPDS cabinets will be Class 1E and will be routed in Class 1E raceways. Also, the electrical power will be from Class 1E uninterruptible power supply systems.

The staff's safety evaluation of equipment qualification is incomplete because the licensee has provided insufficient data. To complete the evaluation, the staff needs equipment test data that demonstrate qualification of the display system in compliance with the guidance in RG 1.97. Resolution of this issue will be discussed in a supplement to this SER.
Fire Protection

The licensee described the display system's compliance to the requirements of Appendix R to 10 CFR 50 (letter dated November 20, 1986). Circuits of those variables that are required for Appendix R events are routed through the fire areas for that particular channel. That is, channel A variables are routed through channel A fire areas, and channel B variables are routed through channel B fire areas. In fire areas where circuits of channel A and channel B coexist, circuits of the channel not belonging to that fire area have been wrapped, except inside the control room.

If a fire occurs in the control room, the licensee assumes that the upgraded SPDS is lost. Alternate shutdown capability for the plant is available from the emergency shutdown panel located outside of the control room. Therefore, there is no need to wrap the redundant SPDS circuits within the control room. The staff agrees with this conclusion.

The staff's safety evaluation of the fire protection issue is incomplete. The staff needs additional data on the quality and properties of the cable wrap to complete its review. Resolution of this issue will be discussed in a supplement to this SER.

Common Mode Faults

The staff asked the licensee to describe the features of the design process and of the display system that prevent common mode failures/errors. The licensee responded to the request in its letter dated November 20, 1986.

The licensee's display system is a two-channel system. Each channel of the system is provided with independent Class 1E battery/diesel-backed ac power. Each processor within a channel polls all of the sensors in channel A and channel B through a data bus. The instrument channels are isolated from each other through isolation devices.

One central control unit select unit (CCUSU) controls the sensor polling process from the processor within each channel. The CCUSU communicates with each channel through isolation devices. As all sensors within channel A and B are polled, the CCUSU coordinates the polling process. This ensures that each channel's processor is not polling the sensors at the same time. The single failure of the CCUSU results in the loss of one channel in the display system. The redundant channel continues to provide all of the data polled from the sensors.

The licensee has provided information to show that there is adequate isolation between the two CCUSU channels, and to show that the CCUSU can withstand a single failure. The staff is reviewing this information. The resolution of these concerns will be discussed in a supplement to this SER.

4.6.2.2 SPDS Software Design Issues

The licensee's design process for the computer software contains efforts to reduce the potential for common mode failure. These efforts consist of a verification and validation program, preinstallation testing, and postinstallation testing of the system. The staff's review of these efforts is discussed below.

RG 1.97 Implementation

By letter dated March 30, 1987, the licensee provided the staff with data on the implementation of RG 1.97.
The schedule for implementing many of these variables has been accelerated to coincide with restart of the plant. However, the display of some of the variables is delayed to a later time. These variables, their design and qualification category, and cycle of implementation are:

Variable                                              Upgrade to                  Implementation
Coolant inventory                                     New variable (Category 1)   Cycle 8
Neutron flux                                          Category 1                  Cycle 8
Quench tank temperature                               Category 3                  Cycle 8
Containment atmosphere temperature                    Category 2                  N/A
Component cooling water temperature to ESF system     Category 2                  Cycle 8
Pressurizer heater status                             Category 3                  Cycle 8

In its letter, the licensee also justified an implementation delay to cycle 8 for these variables. The staff's review of the licensee's justification finds it acceptable. Staff comments on the coolant inventory and containment atmosphere temperature issues are given below.

The licensee's letter stated that the purpose for the display of coolant inventory is the verification that cooling water is reaching the core. Further, the letter stated this verification can be obtained by alternate means. The operator, via SPDS, has available Category 1 variables (hot-leg temperatures, hot-leg level, core exit temperature, RCS pressure, and pressurizer level). These variables will provide indication that adequate cooling is being provided in the core. In addition, Category 2 subcooling margin curves are available (SPDS) as well as Class 1E indication of saturation temperature and pressure in the control room. This temperature and pressure indication and flow monitoring (Category 2) of the decay heat, high pressure and low pressure injection systems (SPDS) will give the operator enough information to determine that the core is being provided adequate coolant. The staff agrees with the justification; however, it wishes to emphasize that when the core contains saturated water, flow monitoring of the decay heat flow becomes critical in monitoring core cooling. The staff suggests that the licensee emphasize this specific point in the training of operators.

In a letter dated March 30, 1987, the licensee stated that the key variables for controlling containment building environment are radiation, hydrogen concentration, and containment pressure. The licensee identifies these variables as Category 1 variables. The primary variable to measure accident mitigation and containment integrity is containment pressure. Containment pressure and temperature are coupled as a result of saturation conditions, which would exist after containment spray initiation during an accident. For this condition, containment pressure provides a better indication of the general containment temperature rather than a localized temperature provided by individual temperature sensors.
To ensure containment cooling is functioning, the operator has several indicators. As an indicator of cooling by the containment spray system, instrumentation provides data on pump status (Category 2), Class 1E valve position, spray flow, spray water temperature, and containment sump water level (Category 1). Class 1E fan status (reactor building emergency cooling system), as well as pump and valve status for the nuclear service cooling water system, also provide data on containment cooling. Furthermore, in a letter dated April 30, 1987, the licensee described the emergency operating procedures. These procedures may be executed even if indication of containment atmosphere temperature is lost.

On the basis of this information, the licensee provides containment temperature as a Category 3 variable rather than a Category 2 variable. Upon a review of the licensee's data, the staff agrees with the licensee's rationale for containment atmosphere temperature as a Category 3 variable. The staff considers this item closed as a restart issue.

Redesign of Alphanumeric Displays

In response to staff concerns on the alphanumeric display formats (NRC letter dated April 7, 1986), the licensee redesigned the formats. During the staff's audit of February 9-12, 1987, the licensee provided the staff with a preliminary redesign of the display formats. A letter from the licensee dated April 30, 1987 contains the final redesign of the display formats.

The staff has reviewed the display formats and concludes that the variables are now grouped into functional sets, with each display page containing functionally similar information. Page 1 contains parameters grouped by pressure and temperature. Page 2 displays parameters grouped by levels and concentrations. Page 3 contains parameters grouped by flows and radiation values. Pages 4 and 5 display valve positions. The staff finds the redesigned alphanumeric displays to be appropriately structured and acceptable. This item is closed as a restart issue.

Display of Radiation Variables

One of the staff's concerns with the licensee's safety parameter display system was data for the radioactivity control function. The data contained in the display was insufficient to evaluate the function.

The licensee's redesign of the display adds radiation variables to the system. A radiation alert block now exists on the post-trip and lower level displays. Also, the display contains radiation parameters consisting of containment radiation, main steam line radiation, reactor building stack radiation, auxiliary building stack radiation, and radwaste area effluent. With these parameters, the staff finds the upgraded safety parameter display system adequate for evaluating the radioactivity control function. This item is closed as a restart issue.

Design Verification and Validation Program

The staff has evaluated the licensee's verification and validation process used in the development of the upgraded safety parameter display system. Furthermore, the staff's review evaluated the products generated by the process, and assessed the licensee's compliance with the guidelines within RG 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants." The review of the verification and validation process was conducted during the staff's February 9-12, 1987 audit of the display system.
The review concluded that there is an independent verification and validation process in place, which is formalized, well documented, and easily auditable. The staff's review also concluded that the verification and validation process complies with RG 1.152. From the results of its review, the staff made two recommendations to the licensee:

(1) The verification and validation of the software should be expanded to include structural tests of the code. One method of structural testing is to verify access to each branch of the code.

(2) Greater effort should be made to establish accurate acceptance criteria for validation tests and to enforce discrepancy resolution procedures.

Based on its audit and review, the staff finds the licensee's design verification and validation program to be acceptable. This item is closed as a restart issue.

Walkthrough of Selected Computer Program Elements

The staff's review of the display system consisted of an on paper walkthrough of two signals: containment pressure and cold-leg temperature. The scope of the walkthroughs was from the sensor to the display screen. These walkthroughs were conducted during the staff's February 9-12, 1987 audit of the system.

The staff was successful in tracing the two signals through the computer code. The signals were traced from the multiplexer to the display screen. The walkthrough was aided by the modular design of the code. The walkthrough of the code serves to confirm the staff's evaluation of the verification and validation process. The staff considers this item closed as a restart issue.

4.6.3 SPDS Test Issues

Qualification of Isolation Devices

The qualification of isolation devices is a major issue in the staff's safety evaluation of the upgraded safety parameter display unit. The licensee has provided test data demonstrating the adequacy of the isolation devices to withstand the maximum credible fault. These data are under review by the staff. The staff will discuss this issue in a supplement to this SER.

Software Validation

The staff's review of the products of the verification and validation process focuses upon the validation test plan and test results. The licensee's validation of the software is incomplete. The staff plans to evaluate the licensee's validation test plan and test results near the end of the validation tests. To expedite the review, the staff will conduct an onsite audit to evaluate the validation test results. The staff requests that the licensee identify dates for the audit, consistent with the conditions identified above. The staff will discuss this issue in a supplement to this SER.

4.6.4 SPDS Operational Issues

Technical Specifications

The staff expressed concerns about a technical specification for the upgraded SPDS. One concern focuses on how the licensee would use the technical specification in the event of modifications and changes to the SPDS.
A related concern focuses on how configuration control for both hardware and software will be achieved and how modifications will be qualified and tested. By letter dated April 30, 1987, the licensee committed to qualify and test future modifications of the system. The methods to be used for future modification will be commensurate with those used in qualifying and testing the original components. The staff finds this acceptable.

By letter dated March 30, 1987 the licensee committed to submit to the staff a proposed technical specification for the upgraded SPDS before plant restart. The staff will review the technical specification and document the results in the safety evaluation that will accompany the license amendment approving the technical specification change. Technical specification changes required for restart are discussed in Section 4.9 of this SER.

Performance Reports

The upgraded Rancho Seco SPDS is the first of its kind. The use of computer-driven displays to comply with the requirements of RG 1.97 is rare. To confirm its safety evaluation of the design, the staff will monitor the operational performance of the upgraded SPDS after restart.

The staff requests that the licensee provide reports on the performance and availability of the upgraded SPDS upon restart. The frequency of the reports may be decreased, depending on the availability of the display system through the first several reporting periods. Initially, the staff requests these reports on a quarterly basis.

4.6.5 SPDS Review Conclusions

The staff's evaluation of the licensee's upgraded safety parameter display system is incomplete because of insufficient data from the licensee. The upgraded safety parameter display system serves as the licensee's postaccident monitoring device in compliance with RG 1.97. An acceptable safety evaluation of this system is required before the plant restarts. To complete the review of the upgraded safety parameter display system, the staff needs the following data from the licensee:

- equipment test data to support equipment qualification for operation
- the qualities and properties of the circuit wrap used for fire protection
- test data that demonstrate the qualification of the central control unit select unit for:
  - electrical isolation
  - single-failure criterion between the redundant channels
- test data that demonstrate the adequacy of the electrical isolation devices to withstand the maximum credible fault
- test data that validate the functions performed by the computer programs in the upgraded safety parameter display system

Resolution of these issues will be discussed in a supplement to this SER.

4.7 Transamerica Delaval, Inc. (TDI) Diesel Generators

4.7.1 TDI Diesel Generator Qualification

The licensee is implementing the recommendations of the TDI Owners Group, plus the additional actions identified in NUREG-1216.
These actions are intended to demonstrate the adequacy of the TDI diesel generators for nuclear standby service as required by GDC 17 of Appendix A to 10 CFR 50. The licensee intends to implement the maintenance and surveillance program developed by the TDI Owners Group and described in NUREG-1226 to ensure the continued reliability and operability of the TDI engines for the life of Rancho Seco.

The staff is currently reviewing this issue. The results of the staff's evaluation will be discussed in a supplement to this report.

4.7.2 Diesel Engine

This issue is under review by the NRC staff. The results of the staff evaluation will be provided in a supplement to this SER.

4.7.3 Class 1E Electrical Systems Associated With the Diesel Generators

The installation of the TDI diesel generators results in four electrically independent onsite distribution systems. Each train now consists of two electrically independent diesel generators, 4160-V and 480-V distribution systems, and load sequencers. Each diesel generator is served by independent dc control power systems. Each train remains physically and electrically independent. The licensee states that the addition of the TDI diesel generators provides more than adequate margin and eliminates existing operational restrictions. The details of the emergency diesel generator (EDG) installation were included as part of Proposed Amendment No. 147 to the Rancho Seco Technical Specifications.

During its review of Proposed Amendment No. 147, the NRC staff noted that the licensee had not adequately described how the electrical separation positions of Regulatory Guide (RG) 1.75 had been met. Through discussions with the licensee, it was determined that the specific requirements of RG 1.75 and IEEE Standard 384-1974 (IEEE 384) (which is endorsed by RG 1.75) had not been met in all cases. On June 2 and 3, 1987, the staff met with the licensee to discuss how the licensee would demonstrate acceptability of the EDG installation even though the specific criteria of RG 1.75 and IEEE 384 were not met in all cases.

Subsequent to the above meeting, on June 26, 1987, the licensee submitted Engineering Report ERPT-E0220 entitled "Report on Conformance of Nuclear Service Electric Building (NSEB) and DG Building Electrical Installation to Regulatory Guide 1.75."
This report documents the discussions of June 2 and 3, 1987 regarding RG 1.75 compliance, and is the subject of this evaluation.

RG 1.75 endorses, with specific exceptions, IEEE 384. Engineering Report ERPT-E0220 addresses the sections of IEEE 384 which are applicable to Rancho Seco and includes a discussion on how the specific requirements are met. The staff's evaluation of the licensee's report is included below and is keyed to the IEEE 384 sections identified in the report.

At Rancho Seco, there are two separate and completely redundant safety trains, trains A and B. These safety trains are totally independent and meet all RG 1.75 physical separation criteria with respect to redundant safety trains. Within each train, there are two redundant, safety-related (Class 1) channels. The physical separation of these redundant channels, within a safety train, from each other or from non-safety (Class 2) circuits is the subject of this evaluation.

Although the equipment separation at Rancho Seco is in compliance with the position stated in RG 1.75, not all cabling is separated by the distances specified in the regulatory guide. However, the licensee has taken the approach to demonstrate by analysis, modifications, and/or tests that the non-conforming installed cable/wire configurations are acceptable. To demonstrate this approach, the licensee has taken the position that tests conducted at other nuclear plants (River Bend and Vogtle) to demonstrate that less than optimum cable separation is acceptable when certain modifications are made, are applicable at Rancho Seco. The licensee also takes the position that any differences between insulating and jacketing materials of the cables tested and the cables installed at Rancho Seco are acceptable without retest because all cables are IEEE Standard 383-1974 (IEEE 383) qualified and because of the additional conservatism the licensee takes for each specific, non-conforming configuration. The licensee's submittal, Engineering Report ERPT-E0220, contains analyses of non-conforming configurations in the areas of raceway separation and separation of cables internal to control boards and cabinets, which are discussed below.

4.7.3.1 Equipment Separation

This subject is covered in Part IV of IEEE 384.

The new diesel generators are completely independent of each other. They are located in separate rooms in the diesel generator building which are separated by a 3-hour-rated fire wall. Each diesel generator has its own auxiliary systems, including ventilation. There are no shared or common systems. Electrical distribution equipment for each diesel generator is located in a separate room in the nuclear service electric building (NSEB). These rooms are separated by a 3-hour fire wall, and each room has its own ventilation system. The "A" diesel powers safety train A, and the "B" diesel powers safety train B. Battery chargers, batteries, inverters, and distribution panels associated with a safety train are located with other equipment of that train in their respective rooms in the NSEB, and are separated from redundant equipment of that train by at least 10 feet horizontally.
Such separation of safety trains by 3-hour fire walls and separation of redundant equipment within a safety train by specified horizontal distance is in conformance with RG 1.75 and is, therefore, acceptable.

4.7.3.2 Raceway Separation

This subject is covered in Part V of IEEE 384.

A. Separation Between Class 1 and Class 2 Raceways

1. A minimum of 1-inch separation is maintained between Class 1 raceways (trays and conduits) and Class 2 enclosed raceways used for power and control circuits. The staff will find this acceptable on confirmation that the Class 1 trays are covered in accordance with RG 1.75.

In a limited number of cases, Class 1 raceways and Class 2 conduits used for instrumentation circuits are allowed to touch each other. The instrumentation circuits use shielded cables qualified per IEEE 383, carry low energy signals, and are routed in instrumentation raceways. In these cases, the Class 2 instrumentation circuit raceways which are in contact with Class 1 raceways carry only milliampere current even under faulted conditions. At these low energy levels, there is no credible fault that could cause overheating of the Class 2 cables and associated raceway with attendant damage to the Class 1 cables. Therefore, the staff finds that having Class 2 conduits in contact with Class 1 raceways under the above conditions is an acceptable condition.

2. Class 2 trays are separated from Class 1 trays by (a) a minimum distance of 3 feet horizontal and 5 feet vertical, (b) separation barriers installed in either the horizontal or vertical planes, or (c) by installing solid covers on the Class 2 trays. The staff will find this acceptable on confirmation that the Class 1 and Class 2 cable trays that are not separated by the minimum distances or by barriers have covers installed in accordance with RG 1.75.

In some cases, separation by one of the above methods is not possible. These cases are limited to situations where Class 1 cables in conduit are in close proximity to an open Class 2 cable tray. In these cases, the Class 1 conduit will be wrapped with a 200% overlap (3 layers) of Siltemp 188CH. Tests conducted at other nuclear plants have demonstrated that faulted cables carrying 2600 amps and located within 1 inch of target cables wrapped with a 100% overlap (2 layers) of Siltemp 188CH did not cause damage to the target cables. At Rancho Seco, there is additional protection as follows: (a) the target cables are in conduit, (b) separation is 1 inch or more, and (c) the target cables have an extra layer of Siltemp 188CH. It is the staff's view that this added protection adequately compensates for any differences between the insulation and jacketing material of the cables tested and the cables installed at Rancho Seco. Therefore, the staff concludes that separation between Class 2 cable trays and Class 1 conduits as described above and in ERPT-E0220 will be acceptable.

B. Separation Between Redundant Class 1 Raceways

1. Trays of redundant Class 1 systems (trains A and B) are installed in separate rooms (separated by 3-hour fire walls). This meets the positions of RG 1.75 and is acceptable.

2. Class 1 channels in cable trays are separated from redundant Class 1 channels in enclosed raceways by: (a) a minimum distance of 3 feet horizontally and 5 feet vertically, (b) separation barriers installed in either the horizontal or vertical planes, or (c) by installing solid covers on the cable trays. These methods of obtaining separation are in accordance with RG 1.75 and are acceptable.

In some cases, separation by the above methods is not possible. These cases are limited and are described below.

a. In some cases, Class 1 channels in cable trays are separated from redundant Class 1 channels in rigid conduits by at least 3 inches, but by less than the minimum distance proposed (1 foot) by RG 1.75. In these cases, the voltage is limited to 480 V ac, fault cables in the tray are limited to No. 2/0 AWG, and the fault cable in the rigid conduit is limited to a single 500 MCM. Tests conducted at other nuclear plants for similar installations have demonstrated that 500 MCM armored cables without additional enclosure and No. 2/0 AWG faulted cables in free air located 3/4 inch below target cables in trays and flexible conduits, respectively, did not cause damage to the target cable when subjected to 2600 amps until the faulted cables open-circuited. At Rancho Seco, the faulted and target cables are always in a rigid conduit or a tray, and the minimum separation is 3 inches. This additional protection adequately compensates for any differences between the insulation and jacketing material of the cables tested and the cables installed at Rancho Seco. Therefore, the staff concludes that the separation between redundant Class 1 channels in cable trays and rigid conduits as described in the above paragraph in ERPT-E0220 is acceptable.

b. In a limited number of cases, separation of redundant Class 1 channel cables is less than that described in paragraphs B.2 or B.2.a, above. These cases fall into two categories, as follows: (i) cable trays with faulted cables at least 1 inch but less than 3 inches from redundant Class 1 channels in enclosed raceway and (ii) conduits with faulted cables at least 1 inch but less than 3 inches from redundant Class 1 channels in a cable tray. To compensate for this lack of physical separation, the target cables or the faulted cables will be wrapped with a 200% overlap (3 layers) vs. a 100% overlap (2 layers) of Siltemp 188CH. In addition, the maximum voltage is limited to 480 V ac, wrapped conduits are limited to a single 500-MCM faulted cable, and wrapped cables in the trays are limited to cables of No. 2/0 AWG or smaller.
Tests conducted at other nuclear plants have demonstrated that faulted cables in free air, when located 1 inch below target cables in flexible conduits and wrapped with a 100% overlap (2 layers) of Siltemp 188CH, did not cause damage to the target cables when subjected to a 2600-amp fault current until the fault cables open circuited. At Rancho Seco, the faulted cables are either in conduit or trays and limited to No. 2/0 AWG or single conductor 500 MCM as described above, the separation is at least 1 inch, and a 200% overlap (3 layers) of Siltemp 188CH is used in all cases. This additional protection adequately compensates for any differences between the insulation and jacketing material of the cables tested and the cables installed at Rancho Seco. Therefore, the staff concludes that the separation between redundant Class 1 channels in cable trays and enclosed raceways/conduit as described in the above paragraph and in ERPT-E0220 will be acceptable.

c. In a few isolated cases, separation between redundant Class 1 channel circuits meets the configuration stated in
paragraph B.2.a, above, but cables larger than No. 2/0 AWG are routed through the cable trays. These cases involve 120-V ac uninterruptible power supplies and are limited to the cables connecting the inverter and regulating transformer to the bypass switch, the transfer switch, and the distribution panel. The connections are made using a single 350-MCM conductor, or two single 250-MCM conductors. These circuits, however, are not subject to the same fault current used in the test discussed in paragraph B.2.a; i.e., 2600 amps. The available fault current was used to calculate the cable temperature rise under worst-case loading. The results of the calculation show that the cables, in any case, would not get hot enough to ignite the cable insulation and thus pose a threat to nearby circuits. On this basis, the staff concludes that routing of cables larger than No. 2/0 AWG in cable trays when the available fault current to these cables is limited by inverters/transformers and/or circuit breakers and fuses does not constitute a concern greater than that evaluated in paragraph B.2.a, above, and is, therefore, acceptable.

d. At Rancho Seco there are four special cases which do not fit into any of the categories discussed in paragraph B.2.a, b, and c above. These special cases involve four 16-inch-diameter pipe ducts that run between the NSEB and the auxiliary building. These four ducts are grouped in two pairs; each pair represents one safety train. The redundant safety trains are separated by a 3-hour fire barrier. Within each pair of ducts, one duct is used for instrumentation circuits only and the other duct is used for power and control circuits. Within each duct, one group of redundant Class 1E channel circuits is routed through a 4-inch flexible conduit. The other channel circuits are in the 16-inch duct outside of and touching the 4-inch flexible duct.
The instrument circuits carry low current even under faulted conditions and, as such, there is no credible fault that could cause a cable or cables in one redundant instrumentation channel to overheat and damage a cable or cables in the other redundant instrumentation channel. The staff, therefore, concludes that the installation of instrumentation cables in their respective 16-inch pipe ducts is acceptable.

Each 4-inch flexible conduit in the 16-inch pipe ducts for power and control circuits contains one power and two control circuits for an auxiliary feedwater isolation valve. The power circuit (120 V ac) in each of these flexible conduits has adequate current protection to preclude a faulted condition which could overheat these power cables and cause damage to the cables inside the pipe duct in contact with the flexible conduit. In reverse, a faulted condition on the power cables (480 V ac) in the pipe duct could conceivably damage the cables in the 4-inch flexible conduit. In this case, an auxiliary feedwater supply path to a steam generator would be lost. However, there are two parallel auxiliary feedwater supply paths to each steam generator. Therefore, loss of one
supply path because an auxiliary feedwater isolation valve fails will not create a loss-of-feedwater event to a steam generator. A total loss of auxiliary feedwater to a steam generator would require a coincident failure in the other, parallel, auxiliary feedwater supply path whose power and control circuits are outside the 16-inch pipe ducts.

Based on the fact that a fault in the instrumentation pipe ducts will not propagate and that a fault in the power and control pipe ducts will not result in unacceptable consequences, the staff concludes that the installation of the 16-inch pipe ducts between the NSEB and the auxiliary building is acceptable.

e. With one exception, enclosed raceway to enclosed raceway separation of at least 1 inch is maintained. In the single exception, a rigid conduit containing instrumentation circuits in one channel is allowed to touch a flexible conduit containing redundant instrumentation circuits in the other channel. This 1-inch separation is in conformance with RG 1.75 and is, therefore, acceptable. The single exception is acceptable because of the low energy circuits involved as discussed in paragraph A.1, above.

4.7.3.3 Internal Separation

This subject is covered in Part VI of IEEE 384.

A. Wiring Separation Within Enclosures

1. Wiring separation is met within enclosures by maintaining a minimum of 6 inches between redundant wiring and between Class 1 and Class 2 wiring, or by using a barrier to separate redundant Class 1 wiring and Class 1 from Class 2 wiring. Both of these methods are in compliance with RG 1.75 and are, therefore, acceptable.

2. Some internal wiring does not meet the separation criteria discussed in paragraph A.1, above. The specific cases of deviation from the separation criteria and the compensating measures proposed by the licensee are discussed below:

a. In some cases, Class 1 instrumentation and control circuits (No.
8 AWG or smaller) in one channel are not separated from redundant channel Class 1 circuits or Class 2 circuits by the required distance or by barriers. In these cases, one of the circuits is wrapped with a 100% overlap (2 layers) of Siltemp 188CH and then wrapped with 3M Scotch 69 glass cloth tape. Tests conducted at other nuclear plants have demonstrated that a control cable No. 8 AWG or smaller which is in contact with another control cable can be subjected to the worst-case electrical fault without the fault propagating to the touching cable provided one of the cables is wrapped with a 100% overlap (2 layers) of Siltemp 188CH. At Rancho Seco, a layer of glass tape over the Siltemp provides additional protective margin. This additional protection adequately compensates for any
differences between the insulation and jacketing material of the cables tested and the cable installed at Rancho Seco. In addition, the circuits to which this treatment will be applied are low-energy circuits with inherently low fault current potential. Therefore, the staff concludes that the method for demonstrating adequate separation of instrumentation and control cables (No. 8 AWG or smaller) described above and in ERPT-E0220 will be acceptable.

b. In some cases, Class 1 multiconductor instrumentation and control cables (No. 10 AWG and smaller) are not separated from the redundant channel Class 1 or Class 2 cables by the required distance or by a barrier. For these cases, effective separation is obtained by installing a copper braid over each individual conductor from its termination back to the cable breakout, and an additional copper braid over the cable jacket from cable breakout up to the point where at least 6 inches of separation is maintained. All copper braids touch each other and are grounded at one end. The individual braids are covered with a flame-retardant insulating tubing, and Raychem WCSF-N shrink tubing is installed over the cable jacket braid. In these cases, both the faulted and target cables are protected.

No tests have been conducted for this specific configuration. However, results of tests conducted on No. 8 AWG instrumentation and control cables demonstrate adequate protection when only one cable (faulted or target) is protected and the cables touch each other. For the cases covered in this section, both cables have additional flame-retardant insulation, and both have a ground path for fault currents installed. In addition, the circuits to which this treatment will be applied are low-energy circuits with inherently low fault current potential. On this basis, the staff concludes that the cable treatment
described in this paragraph provides protection which equals or exceeds the protection described in paragraph A.2.a, above and, therefore, will be acceptable.

c. In four specific cases, Class 2 instrumentation cables are allowed to touch Class 1 cables without any compensating provisions. In 4.16-kV switchgear S4A2 and S4B2, Class 2 output wiring from four isolating transducers in each switchgear is in contact with Class 1 wiring. In Transamerica Delaval, Inc. (TDI) diesel generator control panels H2DGA2 and H2DGB2, Class 2 output wiring from five isolating transducers in each panel is allowed to touch Class 1 cables. The transducers will limit the short-circuit current to such a low value that the Class 2 wiring cannot get overheated and cause damage to the Class 1 cables. The staff agrees with this position and concludes, therefore, that in these cases it is acceptable to have Class 2 cables in contact with Class 1 cables.

In multiplexer cabinets H4CDAR7 and H4CDAR9, cables carrying signals for redundant safety parameter display system (SPDS) channels are not separated from each other or from Class 2 circuits. A calculation (No. Z-SEP-E0693) has been performed to show that all circuits are low energy circuits that cannot damage each other, even under faulted conditions. Considering this calculation, the fact that the SPDS is properly isolated from safety protection systems, and that there is redundant indication for the SPDS in the other safety train, the staff concludes that the cable arrangement in multiplexer cabinets H4CDAR7 and H4CDAR9 is acceptable.

4.7.3.4 Raceway/Circuit Identification

This subject is covered in Part VII of IEEE 384.

The staff has reviewed the licensee's description of raceway/circuit identification included as part of ERPT-E0220. The staff has concluded that the licensee's identification scheme is in conformance with RG 1.75 and is, therefore, acceptable.

4.7.3.5 Conclusions

As noted above, not all cabling at Rancho Seco conforms to the positions of RG 1.75 with regard to physical separation. However, the licensee has taken the approach to demonstrate by analysis, modifications, and/or tests that the non-conforming installed cable/wire configurations are acceptable. To demonstrate this approach, the licensee has taken the position that tests conducted at other nuclear plants, demonstrating that less than optimum cable separation is acceptable when certain modifications are made, are applicable at Rancho Seco.
The licensee also takes the position that any differences between insulating and jacketing materials of the cables tested and the cables installed at Rancho Seco are acceptable without retest because all cables are qualified to IEEE Standard 383-1974 and because the licensee takes additional conservatism for each specific, non-conforming configuration. The staff agrees with the licensee's positions, and concludes that the licensee's approach to demonstrating compliance with RG 1.75 is acceptable. This item is closed as a restart issue. However, the staff is also reviewing other electrical aspects of the TDI diesel generators at Rancho Seco. The results of the staff's review will be discussed in a supplement to this SER.

4.7.4 Diesel Generator Fire Protection Considerations

4.7.4.1 Introduction to Fire Protection Issue

By letter dated October 2, 1986, the licensee submitted information pertaining to the design of the Transamerica Delaval, Inc. (TDI) diesel generators (DGs), the DG building, and supporting systems. Included with this information was a comparison of the design to the relevant guidelines contained in BTP CMEB 9.5-1 and the criteria of Appendix R to 10 CFR 50, as well as a fire hazards analysis. Supplemental information was provided by letters dated December 19, 1986 and April 1, 1987.

4.7.4.2 Discussion of Fire Protection Issue

The walls and ceilings of the diesel generator rooms are composed of 3-hour fire-rated construction except for the non-fire-rated exterior walls. The floor is made of concrete base slab. All openings in the common wall between the two DG rooms are protected by 3-hour-rated seals. The radiator fan areas consist of an enclosed yard that is defined by block walls and the adjoining diesel building wall. The diesel fuel transfer pump vaults are located underground, approximately 15 feet away from the radiator area walls. The walls, floors, and ceilings of these areas are constructed of concrete.

Shutdown-related systems located within these areas consist of cables and components associated with the essential HVAC, emergency generators, and the electrical distribution systems. Redundant systems are separated from each other by 3-hour fire-rated barriers.

Combustible materials include quantities of oil and grease, cable insulation, and plastics.

Fire protection includes pre-action-type sprinkler systems and fire detectors in the DG rooms, manual hose stations, and portable extinguishers.

4.7.4.3 Evaluation of Fire Protection Issue

The staff had several questions/concerns with the licensee's description of the fire protection for this project. These concerns were addressed by the licensee in the April 1, 1987 submittal.

The licensee described that redundant shutdown systems at the DG building were separated by 3-hour barriers. The staff was concerned that insufficient separation may exist between these systems as they are routed to and through the power block. The licensee responded that 3-hour fire-rated barriers are maintained between these systems. This protection conforms with Section III.G.2.a of Appendix R to 10 CFR 50 and is, therefore, acceptable.
The staff noted that unprotected steel beams were present in the structure and was concerned that during a fire the steel might fail with adverse consequences on the 3-hour barrier between redundant shutdown systems. The licensee responded that the reinforced-concrete floors and roof are designed to be structurally adequate without consideration of the steel beams. The beams functioned as falsework supports during construction and have been left in place for piping/mechanical equipment supports. Failure of the beams will not affect the integrity of the structure. Beam failure may cause damage to piping and mechanical equipment. However, only one division of shutdown-related systems would be affected. On the basis of the licensee's response, the staff considers this issue closed.

The staff was also concerned that there may be bus ducts or other features which penetrate the common wall between the diesel generator rooms that may not have been sealed with a fire-rated material. The licensee responded that no such features exist in this wall.

The staff noted that certain HVAC ducts may obstruct the discharge of water from the ceiling-level sprinkler heads. The licensee responded that sprinkler(s) will be added under such obstructions in conformance with
National Fire Protection Association (NFPA) Standard 13. This conforms with Section C.6.c of BTP CMEB 9.5-1 and is, therefore, acceptable.

The staff noted that sprinkler heads in the DG rooms appear to be spaced 5 feet apart. The staff was concerned that discharge from one sprinkler would prevent others from functioning, a phenomenon known as cold soldering. The licensee responded that the sprinkler heads are located midway between and just above the roof beams and, therefore, are not subject to cold soldering. On the basis that the beams effectively shield individual sprinklers from the water spray of adjoining sprinkler heads, the staff considers this issue closed.

The staff was concerned that the fire alarm system circuits were not electrically supervised in the DG building. The licensee responded that the fire alarm panel in the building will be upgraded to feature supervision. On the basis that this modification will permit single breaks or ground fault conditions of fire alarm circuits to be annunciated as a trouble condition in the control room, this issue is considered resolved.

The staff was also concerned that the fire alarm panel was not listed by an independent testing authority. The licensee responded that upon completion of the above-referenced modification, the fire alarm panel will consist of a type that is listed by Underwriter's Laboratories. The staff considers this response acceptable.

The staff requested clarification on the need for battery powered emergency lighting units in the building. The licensee responded that 8-hour battery-powered lighting units will be installed before restart. This conforms with Section C.6.g of BTP CMEB 9.5-1 and Section III.J of Appendix R to 10 CFR 50 and is, therefore, acceptable.

Finally, the staff requested clarification concerning the changes in post-fire safe-shutdown procedures resulting from the completion of the project.
The licensee summarized these changes and committed to revise the procedures before restart. The staff considers this issue closed.

4.7.4.4 Fire Protection Conclusions

Based on its evaluation, the staff concludes that the design of the TDI diesels, DG building, and supporting systems conforms with BTP CMEB 9.5-1 and Appendix R to 10 CFR 50 and is, therefore, acceptable. The staff considers this issue closed.

4.7.5 Diesel Generator Building Design

4.7.5.1 Seismic Design of Diesel Generator Building

The staff is currently reviewing the seismic design of the Rancho Seco diesel generator building. The results of the staff's evaluation will be discussed in a supplement to this SER.

4.7.5.2 Tornado Design of Diesel Generator Building

The staff has evaluated the capabilities of TDI diesel generators and their ancillary components to withstand the effects of high winds, including tornadoes. With four exceptions, all structures and components associated with the diesel generators are protected against the effects of the facility design-basis tornado of 175 mph and the missiles associated with these winds. The four items not adequately protected are:

(1) the radiator building doors
(2) the radiators
(3) oil storage tank vent lines
(4) day tank vent lines

The licensee has committed to protect the radiator building doors from the effects of tornadoes before restart.

The Rancho Seco diesel generator radiators are not protected from airborne tornado missiles that could over-top the radiator exterior walls. To address this issue, the licensee has performed a probabilistic risk assessment (PRA) of the likelihood of this occurrence. The licensee estimates that the probability of the over-topping tornado missiles damaging the radiators is approximately 5.6 x 10^-8/yr. The staff has questions about various assumptions used by the licensee in its assessment but agrees that the probability of occurrence of such an event is quite small. Because of the extremely unlikely occurrence of this event, the staff and licensee have agreed that either the staff's concerns with regard to these PRA assumptions will be resolved or that the licensee will protect the radiators from airborne tornado missiles during the next refueling outage after plant restart.

The staff is currently reviewing tornado effects on the day tank and oil tank vents. The results of the staff's review will be discussed in a supplement to this report.

With the exception of the day and oil tank vents, the staff concludes that the probability of tornadoes or tornado missiles rendering the TDI diesel generators or any of the critical components of these diesel generators inoperable is acceptably low.
4.8 Cable Discrepancies

4.8.1 Cable Discrepancy Background

This section of the SER documents the NRC staff's review of the licensee's resolution of identified deficiencies and safety concerns regarding safety-related electrical cable installed at Rancho Seco. The most significant deficiencies identified to date and reported to the staff in licensee event reports (LERs) are listed in Table 4.2. They include violations of 10 CFR Part 50 Appendix R separation criteria, design criteria regarding segregation of Class 1E cable according to service level, design criteria for fill capacity of cable trays and conduits, and seismic design criteria for Class 1E electrical equipment.

Before these deficiencies were identified, it had been alleged that records that document electrical cable installation were missing and were not being properly controlled, and that data entered into the computerized cable tracking system may be inaccurate. A discussion of these allegations and subsequent followup action in response to the allegations is provided in NRC Inspection Reports 50-312/83-37 and 50-312/84-26.

Table 4.2 Safety-related electrical cable deficiencies at Rancho Seco reported in LERs

Date | LER | Description
August 8, 1985 | 85-16, Rev. 00, 01, 02 | Improper routing of shielded instrument cable through power cable trays and conduits. This contributed to spurious isolation of a decay-heat removal suction isolation valve when electrical noise was induced in an instrument cable connected to a pressure transmitter that feeds control logic for the valve.
May 22, 1986 | 86-10 | Redundant safety-related instrument cable routed through a single fire area in violation of separation criteria in 10 CFR 50 Appendix R.
February 4, 1987 | 87-13 | Redundant safety-related instrument cable routed through a single fire area in violation of separation criteria in 10 CFR 50 Appendix R.
February 5, 1987 | 87-16 | Spare, non-terminated cable left coiled and unrestrained in 12 breaker cubicle cabinets, invalidating seismic qualification of breakers that link ac electrical power to safety systems.
February 25, 1987 | 87-24, Rev. 00, 01 | Cable tray weight and fill conditions identified as being beyond USAR design criteria.
March 10, 1987 | 87-26 | Intermixing of power and control cables with Class 1E instrumentation cables contrary to requirements in USAR.

The electrical cable problems identified at Rancho Seco have raised two principal safety issues: (1) what assurance is there that electrical cables at Rancho Seco are installed in accordance with applicable design criteria and NRC requirements for safety related electrical equipment and (2) what changes in procedures and controls for design and installation of electrical cable are being made to ensure that deficiencies of the past do not persist.
Action on the part of the licensee to address the cable issue was initiated in response to the allegation made in 1983. Following discovery and investigation of the misrouted cables (described in LER 86-10), a plan for a limited amount of cable inspection was developed. This plan was discussed with the staff in late 1986. In January 1987, all ongoing activities addressing cable-related problems were integrated into a single program under a single program manager. This program is discussed below in more detail.

Table 4.3 Status of restart activities for Rancho Seco cable issue

Activity | Licensee's task numbers | Task description | Licensee action remaining
Incident investigation | 4, 54 | Document level of control exercised by SMUD in installing cable 1975-1986 | Complete investigations and submit documentation of results
Incident investigation | 15, 24, 25, 55, 56 | Determine root cause for LERs 85-16, 86-10, 87-13, 87-16, 87-24, 87-26 | Complete investigations and submit documentation of results
Inspection | 16 | Clarify acceptance criteria for inspection (i.e., major/minor/insignificant defects) | Submit documentation
Inspection | 19, 20 | Respond to NRC questions on sampling plan | None, pending staff acceptance
Inspection | 7 | Justify not sampling original Bechtel construction work | None, pending staff acceptance
Inspection | 1 | Complete inspection identified in 7/02/67 letter to staff | Perform inspections
Engineering evaluation/disposition | 2, 6, 26 | Resolve questions regarding overfilled and overweight cable trays and conduits | Submit documentation of final dispositions
Engineering evaluation/disposition | 2, 9, 43-50 | Resolve power/control/instrument cable mixing concerns identified in LER 87-26 | Submit documentation of final dispositions
Engineering evaluation/disposition | 40, 50, 51 | Evaluate and disposition cable routing discrepancies | Submit documentation of final dispositions
Engineering evaluation/disposition | 2 | Resolve CRTS database discrepancies other than cable mixing, overfill, and overweight for Class 1E cables | Submit documentation of final dispositions
Corrective action | 3, 21, 22 | Identify missing cable installation records and improve procedural controls for records | None, pending staff acceptance
Corrective action | 8, 29, 30, 32, 34, 35, 37, 38, 39, 23 | Make field changes to correct cable routing discrepancies | Complete field work
Corrective action | 27, 28, 31, 32, 33, 36 | Justify acceptance of cable routing discrepancies | Document justifications
Corrective action | 18, 52 | Revise nuclear engineering procedures | Submit documentation of revision

4.8.2 Evaluation of Cable Discrepancies

The licensee's program for resolving cable problems consists of five principal activities: (1) formal investigation and root cause evaluations, (2) inspection of a sample of installed cable, (3) analysis of cable raceway tracking system (CRTS)* data to identify cable raceway design and installation deficiencies, (4) engineering evaluation and disposition of identified deficiencies, and (5) implementation of corrective actions. The timing and integration of these activities are shown in Figure 4.1. A detailed list of action items is provided in the licensee's letter to NRC dated July 21, 1987.

The licensee's program plan was first submitted to the staff in April 1987 (letter dated April 3, 1987). The staff reviewed the plan and provided comments which are documented in a letter to the licensee dated May 1, 1987. The licensee submitted a revised plan by letter dated July 21, 1987. The updated plan addresses the staff comments on the earlier version.

The licensee's program is acceptable to the staff because it provides:

(1) systematic means of identifying cable problems through analysis of the CRTS and inspection
(2) formal means for documenting, evaluating, and resolving identified deficiencies
(3) formal, detailed investigations of significant problems to identify root cause and generic implications
(4) an expandable inspection program that uses state-of-the-art inspection techniques and is responsive to findings from root cause evaluations of deficiencies identified previously
(5) technical management and overall program management by independent contractors (Bechtel and Impell) experienced in design and installation of safety-related electric cable in nuclear power plants

Table 4.3 provides a summary of program activities under review by the staff and the status of each as of July 21, 1987. Individual items from the licensee's action plan list of tasks (letter dated July 21, 1987) have been grouped according to the broader activities being reviewed by the staff.

The staff's evaluation of the licensee's program is based on the review of formal submittals (licensee's letters dated April 3 and July 21, 1987) made in response to staff requests (NRC letters dated May 1 and June 8, 1987) for information and meetings conducted at the Rancho Seco site. The staff has reviewed the licensee's root cause evaluation of design and installation problems, scope and completeness of the inspection program, engineering evaluation of identified problems, modifications to installed safety-related cable raceways, and adequacy of corrective actions regarding programmatic deficiencies.

* The CRTS consists of a computerized database and a set of algorithms used to store, retrieve, and analyze design and installation information regarding electric cable and raceways in the plant.

Figure 4.1 Program for resolving cable problems (flow diagram not reproduced)

Each of these areas is evaluated below. Cable issues to be resolved before restart are listed in Enclosure 2 to the licensee's letter of July 21, 1987 and are summarized here in Table 4.3.

4.8.2.1 Evaluation of Root Cause of Cable Discrepancies

The Incident Analysis Group (IAG) within the licensee's organization is responsible for investigating and analyzing operational events at Rancho Seco and making recommendations to management regarding long and short-term corrective actions. The group consists of four SMUD investigators and three contract personnel, in addition to the IAG manager.

The IAG has performed a detailed investigation and root cause analysis of each of the cable problems identified in the LERs listed in Table 4.2. Investigations of the 10 CFR Part 50 Appendix R violations (LERs 86-10 and 87-13) and the inadvertent decay heat removal (DHR) valve closure events (LER 85-16) are complete. Results of these investigations were discussed with the staff in meetings on June 16-17, 1987 and are listed below.

(1) The cable routing discrepancies described in LERs 86-10 and 87-13 were the result of a field engineer failing to implement revisions to routing which had been directed and documented by design engineers. The cable route changes were part of a design change necessary in order to satisfy 10 CFR Part 50 Appendix R separation criteria for instrument cables feeding the control room and remote shutdown panel.

(2) The root cause of the field engineering errors described in LERs 86-10 and 87-13 was failure to properly control design change documents during a period in which a large number of field changes were being made in cable routing.

(3) Poor procedures and practices in quality control allowed failures to implement cable route revisions to go undetected.
The licensee indicated that its procedures were not explicit on how to independently verify cable route, and that quality control (QC) inspectors frequently would only verify cable termination and not the route (i.e., trays and conduits). Procedures now in place at Rancho Seco require the QC inspector to witness the entire cable pull to ensure that QC signoff truly represents an independent verification of cable routes as well as terminations.

(4) The causes of cable routing discrepancies identified on May 21, 1987* and June 16, 1987* appear to be similar to those described in item 1 above in that design changes were not implemented by field engineers. However, the field engineers involved were not the same as those involved in the LER 86-10 and 87-13 incidents.

(5) Confirmatory tests showed that the spurious closure of the DHR isolation valve described in LER 85-16, Revs. 00, 01, and 02 was most likely due to a voltage spike on a pressure transmitter that feeds the isolation logic for the valve, and that the spike was induced in the cable to the transmitter when power cables in the same tray were energized. The misrouting of the instrument cable in the power cable tray has been traced back to an error made in the original design of the plant. Design and installation records clearly show routing of the instrument cable through trays designated for power cables. The generic implications of this design error are currently being assessed through a systematic evaluation of cable and raceway design/installation records for all cables in the plant, including those specified in the original plant design. This evaluation has revealed additional cases of mixed Class 1E power/control/instrument cable. These cases are reported in LER 87-26.

* These deficiencies have been reported in SMUD Occurrence Description Reports (ODRs) 604 and 723 and were discussed with the staff at meetings on June 17-18, 1987.

The following actions are necessary on the part of the licensee to close out the issues discussed in this section (4.8.2.1) of the SER:

(1) Document and submit the findings and recommendations of investigations into the root causes of the cable problems identified in Table 4.2 and any other major cable defects identified in the currently ongoing inspection of cable routing.

(2) Document the level of control exercised by the licensee in installing cable between 1975 and 1986 and submit this documentation for staff review. A thorough engineering evaluation of the procedures and specifications used to install cable in this period should be included.

(3) Provide the information requested by the staff in the June 8, 1987 letter from G. Kalman to G. C. Andognini.

4.8.2.2 Cable Inspection Program

In December 1986, the licensee initiated plans for inspecting safety-related cable routes at Rancho Seco. The decision to inspect was
based on the dis-covery of misrouted cables in violation of 10 CFR Part 50 Appendix R separation criteria (LER 86-10) and growing concern about the accuracy and completeness of the data in the cable raceway tracking system. Accuracy of route data in the CRTS is necessary in order to use the CRTS instead of physical inspection to identify raceway locations in the plant where cable configurations vio-late design criteria because of design errors. The inspection plan is based on a random sampling technique that utilizes formal statistical methods to determine sample sizes. The objectives of the plan are to provide high levels of assurance that: (1) safety related cable installed or rerouted since initiation of commercial operation was properly routed and (2) the route data in the CRTS for cable installed or rerouted since initiation of commercial operation are accurate and complete. The scope of the plan included the approximately 2300 safety-related and safe-shutdown cables that were installed or rerouted since start of commercial operation. The 14,000 cables installed during the original construction of the plant were excluded from the plan based on: (1) lack of indication of installation errors in the original population Rancho Seco Restart SER 4-37 1 i

(2) differences between personnel, procedures, and controls used by the architect-engineer to' install original cable and those employed by the-licensee after plant turprer (3) differences in plant condition during original cable installation, i.e., new plant construction phase versus outages between operating phases (see licensee's letter dated July 24,1987) I Cables and raceways were inspected against the following acceptance criteria: (1) electrical design criteria per USAR Chapter 8 or SMUD Nuclear. Engineering Procedures (2) 10 CFR Part 50 Appendix R separation criteria (3) high-energy line-break accident (HELBA) criteria (4) heavy loads criteria (5) seismic Category 11/1 criteria The licensee's cable sampling plan divided the cables of interest (i.e., safety-related (SR) and safe shutdown (SSD)), into four populations, or lots, defined as follows: 1 lot 1: All the SR and $$D cables that have been physically rerouted from the time of commercial operation through December 22, 1986 (424 cables) Lot 2: SR and SSD cables that were installed from commercial operation of the plant through December 22, 1986 and never had their route vias revised (1702 cables) Lot 3: SR and SSD cables, that were installed from commercial opera-tion through December 22, 1986, have never had their route vias revised, and have questionable cable pull card (CPC) signatures (190 cabfes] Lot 4: All SR and SSD cables that have been physically rerouted be-tween commercial operation through December 22, 1986 and have questionable cable pull and signatures (78 cables) The " sample selection" from each lot was based on a random / stratified approach. The random / stratified approach was deemed to yield more information about the lot than a purely random approach. The random / stratified approach will ensure a reasonable probability that the sample includes the cables installed or rerouted in each year since the plant started commercial operation. 
The licensee's sampling plan is a sequential (multistage) sampling. The sample sizes are calculated using the methodology proposed by Goodman (pp. 213-227 in NUREG/CP-0063). Sampling is continued through the various stages if the number of "major defects" detected exceeds preset acceptance criteria. A major defect is defined as a cable route that differs from the cable and raceway tracking system (CRTS) recorded route and the difference constitutes a violation of the NRC requirements or plant design criteria listed previously.

A signal-tracing technique has been used to verify most of the routes of cables selected for inspection (licensee's letter and attachments dated April 3, 1987). In other cases, usually involving a small number of trays, a manual inspection technique is used that involves some equipment disassembly and technicians tugging on each end of the cable (licensee's letter dated July 2, 1987). During the circuit-tracing inspection, some sample cables that are found deleted (i.e., disconnected but not physically removed), inaccessible, or located in contaminated areas are replaced in the sample by additional randomly selected cables.

Detailed procedures used for the sample inspections were provided to the staff in an attachment to the licensee's letter of April 3, 1987. After a cable has been cleared for signal tracing and taken out of service, a special transmitter that emits a high-frequency (6000 Hz) signal is connected to it. Technicians then use a battery-operated, hand-held receiver to track the signal and verify that the cable of interest actually passes through trays and conduits listed on the CRTS record and drawings. The receiver provides clear audible and digital outputs when held within a few feet of the cable carrying the 6000-Hz signal.

Tests and experiments were performed before sample inspections began to confirm that: (1) the tracer signal would not introduce unacceptable noise in cables near the test cable, (2) the remote receiver was capable of distinguishing between the cable of interest and other energized cable in the vicinity, and (3) barriers and shielding surrounding hard-to-reach cable locations would not compromise the capability of the receiver to track the traced cable.
Evaluation

In the staff's view, the objective of a sample inspection of construction work is to determine with reasonable assurance that the number and significance of deficiencies in construction and quality assurance have not degraded safety margins to an unacceptable level. However, to be effective, a sample inspection plan must include sample sizes derived with rigorous statistical methods and conservative acceptance criteria that are based on safety significance and that clearly distinguish isolated failures from those with common cause.

In the past, the NRC staff has supported the use of sample inspections for assessing the scope and significance of problems associated with poor practices in electrical construction and quality assurance. Notable examples include: NRC Evaluation Team Inspection at Zimmer (NUREG-0969, April 1983) and inspection by an NRC Technical Review Team at Comanche Peak (NUREG-0797, Supplement No. 7). In addition, the Commission has accepted the use of sample inspections to address construction/quality assurance issues in recent licensing proceedings (e.g., Braidwood and Clinton).

The staff has reviewed the licensee's original sampling plan provided with its letter of April 3, 1987 and the licensee's subsequent commitments for expanded inspection documented in its letter of July 2, 1987. The staff met with the licensee on May 6, 1987 to clarify the cable problems at Rancho Seco and the licensee's proposed resolution of the problem using the statistical sampling approach. The staff had subsequent telephone conversations with licensee personnel and had also discussed its concerns with licensee personnel during meetings on June 15 through June 18, 1987.

The staff review of the original sampling plan identified the following concerns:

(1) Though reported in an NRC document (NUREG/CP-0063), the statistical methodology proposed there by Goodman (pp. 213-227), which is based on the likelihood density function for selecting the sample size, has not been specifically endorsed by the NRC.

(2) The staff considers the cable sampling task a "hypothesis testing" of finite populations for which the hypergeometric probability density function is the appropriate basis for calculating required sample size. Previously approved 95/95 assurance programs have used this methodology.

(3) For a given assurance level, the sample sizes derived using the hypothesis testing approach are larger than those derived using the likelihood density function approach used by the licensee. The hypothesis testing approach, therefore, is more conservative and is the preferred approach.

The staff suggested the following options that are consistent with previously approved sampling methodology and provide the required 95/95 assurance for Lots 1, 2, and 3. It is noted that Lot 4 was 100% inspected, thereby providing 100/100 assurance of acceptability. The staff suggested that the licensee revise the sample plan to a one-stage sampling and increase the sample sizes as follows:

For Lot 1: with a total of 424 cables where one major defect was identified out of 49 cables inspected, the licensee should use either

- a sample size of 113 cables for a maximum of 2 defects or
- a sample size of 138 cables for a maximum of 3 defects

(either sample can include the already sampled and inspected 49 cables).
For Lot 2: with a total of 1702 cables where no major defects were identified out of 56 cables inspected, the licensee should use either

- a sample size of 91 cables for a maximum of 1 defect or
- a sample size of 121 cables for a maximum of 2 defects

(either sample can include the already sampled and inspected 56 cables).

For Lot 3: with a total of 190 cables where no major defects were identified out of 48 cables inspected, the licensee should use either

- a sample size of 78 cables for a maximum of 1 defect or
- a sample size of 101 cables for a maximum of 2 defects

(either sample can include the already sampled and inspected 48 cables).

In response to staff concerns and suggestions, the licensee proposed the following changes in the sampling plan for the three lots in question (see SMUD letter to NRC dated July 2, 1987):

Lot 1 (424 cables)

100% inspection will be carried out on Lot 1 cables. The inspection will consist of either signal tracing or hand tracing the rerouted portions of cables in the Lot 1 population. Both signal tracing and hand tracing will be controlled by the existing procedures.

Lot 2 (1702 cables)

An additional 35 cables will be signal traced in Lot 2, thus raising the sample size to 91 for a maximum of 1 defect as suggested by the staff.

Lot 3 (190 cables)

Instead of 48 cables signal traced as reported in the action plan, there were 51 randomly selected cables signal traced with no major defect. Based on this result, the sample size of Lot 3 was considered adequate.

The staff concludes that 100% inspection of Lots 1 and 4 will provide sufficient assurance that the cable routing in both lots is in compliance with the as-built drawings and, accordingly, does not violate the separation criteria. The staff also concludes that completion of successful inspections of the revised samples for Lot 2 (91 cables with a maximum of 1 major defect) and Lot 3 (51 cables with no major defect) will achieve a 95/95 assurance level, i.e., 95% assurance that at least 95% of the cables of Lots 2 and 3 are correctly routed. The staff finds that this represents an adequate check of those cable groups.

On June 18, 1986, NRC staff members met with licensee personnel at the Rancho Seco site responsible for signal-tracing cable. During this meeting, the staff discussed the signal-tracing inspection technique with the engineers and technicians who developed it and have been executing it, and witnessed the complete signal tracing of one cable. On the basis of these activities and its review of the procedures used for sample inspections, the staff concludes that the signal-tracing technique is an acceptable method for performing inspections of cable routing.

4.8.2.3 Evaluation and Disposition of Cable Deficiencies

Engineering evaluation and dispositioning are currently being performed for each cable deficiency identified in nonconformance reports. Deficiencies identified through analysis of the CRTS database as well as walkdown inspections are included. Final dispositions with documentation for Class 1E and 10 CFR 50 Appendix R safe shutdown and associated cables will be completed and submitted for staff review before plant restart.
The issues being addressed include: intermixing of Class 1E cables with non-Class 1E cables; intermixing of power, control, and instrumentation cables; overfilled and overweight cable trays; overfilled conduits; accuracy of CRTS for raceway connections; documentation discrepancies; and missing or unsigned cable pull and termination cards.

Licensee action necessary to close out this item is to document and submit final individual dispositions and their bases for all Class 1E (safety-related and safe shutdown) cables.
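The 95/95 criterion applied to the sampling plans in Section 4.8.2.2 above can be checked directly from the hypergeometric distribution the staff cites. The Python below is an added example, not part of the SER or the licensee's plan; its function names are hypothetical, and it assumes a lot fails the criterion when more than 5% of its cables have major defects (the SER does not state the rounding convention the staff used, so minimum sample sizes computed this way can differ by a few cables from the figures quoted there).

```python
from math import comb

ALLOWED_DEFECT_PCT = 5    # second "95": at least 95% of the lot correctly routed
MAX_ACCEPT_RISK = 0.05    # first "95": at most a 5% chance of passing a bad lot


def rejectable_defects(lot_size, allowed_pct=ALLOWED_DEFECT_PCT):
    """Smallest defect count that puts the lot over allowed_pct defective.

    Assumption of this example: a "bad" lot has strictly more than 5% defects.
    Integer arithmetic avoids floating-point rounding at the boundary.
    """
    return lot_size * allowed_pct // 100 + 1


def acceptance_probability(lot_size, defects_in_lot, sample_size, max_defects):
    """P(sample contains <= max_defects defects), sampling without replacement."""
    good = lot_size - defects_in_lot
    total = comb(lot_size, sample_size)
    top = min(max_defects, sample_size, defects_in_lot)
    accepted = sum(
        comb(defects_in_lot, k) * comb(good, sample_size - k)
        for k in range(top + 1)
    )
    return accepted / total


def meets_95_95(lot_size, sample_size, max_defects):
    """True if a just-barely-bad lot would pass this plan at most 5% of the time."""
    bad = rejectable_defects(lot_size)
    risk = acceptance_probability(lot_size, bad, sample_size, max_defects)
    return risk <= MAX_ACCEPT_RISK


def min_sample_size(lot_size, max_defects):
    """Smallest one-stage sample that meets 95/95, or None if none exists."""
    for n in range(max_defects + 1, lot_size + 1):
        if meets_95_95(lot_size, n, max_defects):
            return n
    return None


# (label, lot size, sample size, major defects allowed or observed),
# with the numbers taken from Section 4.8.2.2 of the SER.
PLANS = [
    ("Lot 1, first inspection (1 defect found)", 424, 49, 1),
    ("Lot 1, staff option", 424, 113, 2),
    ("Lot 1, staff option", 424, 138, 3),
    ("Lot 2, first inspection (0 defects found)", 1702, 56, 0),
    ("Lot 2, revised plan", 1702, 91, 1),
    ("Lot 3, revised plan (0 defects found)", 190, 51, 0),
]


def evaluate(plans=PLANS):
    """Return (label, risk of accepting a bad lot, meets 95/95) for each plan."""
    results = []
    for label, lot_size, sample_size, max_defects in plans:
        bad = rejectable_defects(lot_size)
        risk = acceptance_probability(lot_size, bad, sample_size, max_defects)
        results.append((label, risk, risk <= MAX_ACCEPT_RISK))
    return results


if __name__ == "__main__":
    for label, risk, ok in evaluate():
        verdict = "meets 95/95" if ok else "does not meet 95/95"
        print(f"{label:45s} risk={risk:.4f}  {verdict}")
```

Because the population is finite, the required sample is smaller than the binomial (infinite-lot) figure, and the saving grows as the sample becomes a larger fraction of the lot.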

4.8.2.4 Actions To Correct Cable Deficiencies

Procedures

In response to the programmatic problems that have been identified, the licensee has developed and implemented improved procedures for the following activities: cable installation and termination; updating the cable raceway tracking system with new or revised data; control of design changes that require modifications to the permanent plant, and controlled engineering drawings and other controlled documents. These new procedures were put in place at various times since December 21, 1986. Some of the more important changes that specifically address problems that contributed to cable deficiencies are listed below.

Field Engineering and Quality Control inspection requirements for cable installation have been improved in procedure MP/IS 307. An itemized cable inspection record has been incorporated with places for signoffs by the Field Engineer and Quality Control Inspector following inspection of each individual item. Lack of a detailed, specific, itemized record contributed to wide variations in quality control practices for inspection of cable pulling activities.

A new procedure (RSAP-305) has been written and implemented to ensure that resolutions of field problems encountered during cable pulling are properly documented and recorded as part of the permanent quality record. The new procedure governs the preparation and disposition of Field Problem Reports (FPRs). Failure to properly document resolution of field problems in the past led to minor discrepancies between actual cable routes and CRTS recorded routes.

Use of Quality Control Inspection Procedure QCI-107 has been discontinued. Although this procedure was seldom used for cable installation, it authorized the destruction of cable pull cards and is probably the cause of some cards being lost.
CRTS input documents are now being treated as engineering drawings and controlled per Nuclear Engineering Procedure (NEP) 4112 which governs drawing changes. Under this procedure, originals of the CRTS input documents (including route listings) are being marked to show changes when revisions are made by design engineers, rather than issuing new forms. The existence and poor control of several route revisions contributed to inadequate control of work activities which led to the failure to implement route changes to cable installed to meet 10 CFR Part 50 Appendix R (see LERs 86-10 and 87-13).

Cable Installation Procedure MS/IS 311 has been revised to ensure that the interim termination of incomplete cable installments (i.e., coiled cable) will be left secured outside of permanent plant equipment cubicles before final installation. In addition to this, several other procedures will be appropriately modified to ensure that the shift supervisor has a clear understanding of modification work being performed in permanent plant equipment. Also, procedures governing work requests for (1) securing, forming, and lugging cable or for (2) terminating cable will be amended to ensure that such work requests follow immediately after work requests for the cable pull into permanent plant equipment cubicles. These changes have been made to correct deficiencies that led to unsecured coiled cable being left in safety-related electrical breaker cubicles (see LER 87-16).

The staff is currently reviewing procedural changes; this review will be completed following receipt and review of the results of root cause investigations.

CRTS Enhancement

The CRTS program is an engineering design tool used to perform design checks and calculations for configuring raceway and cable in the plant. Currently the CRTS program checks for:

- raceway continuity
- percentage fill in trays and conduits
- mixing of redundant separation channels
- raceway service levels for compatibility

The CRTS is being enhanced to perform:

- calculation of cable tray weight
- checks on mixing of instrument cables with power and control cables

These enhancements address deficiencies identified in LERs 85-16, 87-24, and 87-26. In addition to the above changes, a new procedure (NEAP-4127) has been written and implemented for controlling input of design information into the CRTS and output of quality construction records.

4.8.3 Conclusions, Cable Discrepancies

The licensee's overall program plan for resolving cable problems has been reviewed by the staff and is acceptable. Major action items to be completed before plant restart include documentation of root cause investigations, cable inspections, engineering evaluation and disposition of identified problems, and modifications of procedures and hardware necessary to correct cable deficiencies. A detailed list of the actions to be completed before restart per the plan is provided in Enclosure 2 of the licensee's letter of July 21, 1987 and summarized here in Table 4.3. The resolution of this issue will be discussed in a supplement to this SER.

4.9 Technical Specification Evaluation

On August 16, 1974, the applicant received a license to operate Rancho Seco.
The technical specifications (TS) appended to the Rancho Seco license were the last non-standard technical specifications issued to a B&W power reactor. Therefore, the Rancho Seco TS are very different in format and content from the standard technical specifications (STS) issued to B&W plants licensed since 1974.

As a part of the NRC staff's overall analysis of the operation of Rancho Seco following the December 26th event, the NRC staff compared the Rancho Seco TS against the STS for B&W plants. The licensee also evaluated the Rancho Seco TS to determine which TS should be upgraded before restart. On May 20, 1987, the licensee met with the NRC staff and agreed to upgrade before restart those parts of the Rancho Seco TS which could result in a significant improvement in plant safety. The licensee also agreed to provide a schedule for an overall update of the Rancho Seco TS.

The NRC staff evaluated the risk importance of the items from the NRC's STS-Rancho Seco TS comparison to determine which items needed upgrading before restart. The staff used insights gained from probabilistic risk assessments of other B&W plants to make relative judgments of the risk importance of Rancho Seco systems. The staff identified systems that are risk important and for which the TS associated with the system did not compare well with the STS. For these items, the staff concluded that these particular TS should be addressed before restart to ensure adequate plant controls on the operability of the system.

On June 11, 1987, priority TS items and issues that the licensee believes should be resolved before restart. The staff presented the list of highest priority TS items which resulted from the evaluation of risk importance. The licensee is reviewing the NRC's list. In addition, the staff suggested that the licensee should give strong consideration to a longer term effort of upgrading the entire Rancho Seco TS consistent with the B&W Owners Group upgrade program. The licensee tentatively agreed to the longer term approach.

On the basis of the evaluations by the licensee and the NRC staff described above, the staff has concluded that the licensee should implement the following TS upgrade program for Rancho Seco before restart:

(1) Table 4.4 is a list of 27 risk-important systems/TS items identified by the staff and not yet resolved by the licensee. The staff had previously identified 34 risk-important systems/TS items at its June 11, 1987 meeting with the licensee. Seven of the 34 items have since been resolved, leaving 27 to be resolved at this time. The control of these systems to ensure operability should be resolved by the licensee and reviewed by NRC before restart. Acceptable methods of resolving these items include implementation of a TS amendment or procedural controls. The licensee has applied for TS amendments addressing some of these items (#19, 20, 21, and 22). Also, the licensee has proposed to submit TS amendment applications addressing others (#26 and 27). The licensee has not proposed acceptable methods of resolving the rest of the list.

(2) The licensee has proposed to revise TS 3.0.1 through 3.0.4 to provide stronger overall control of the operability of all the systems addressed by these specifications. Although this item is not included in Table 4.4 because these specifications do not apply to any particular system, the NRC staff considers this revision to be important. Therefore, this issue should be resolved before restart.

(3) As a long-term TS upgrade program for Rancho Seco, the licensee has committed to implement the new B&W STS that are being developed by the B&W Owners Group and the NRC.

On the basis of its evaluation, the licensee has concluded that there are several other specifications in addition to those in Table 4.4 that should be upgraded before restart. The NRC staff strongly encourages the licensee's efforts to upgrade these additional items; however, the staff is not making approval for restart contingent on these additional items.

Implementation by the licensee of the program described above will provide acceptable TS and procedural control of the operability of risk-important systems at Rancho Seco to allow the plant to restart. The staff will discuss the resolution of the technical specification issue in a supplement to this SER.

Table 4.4 High priority (TS/procedure/commitments) improvements needed before restart

Improvement                                                           Specification*

(1)  Provide action statement on steam generator operability.         STS 3.4.6
(2)  Provide action statement on ECCS injection system operability.   STS 3.5.2
(3)  Provide action statement on ECCS core flooding system.           STS 3.5.1
(4)  Provide action statement on ECCS reactor building spray.         STS 3.6.2.2
(5)  Provide action statement on ECCS time out of service.            RSTS 3.3.2
(6)  Provide commitment for operability of ac onsite power            STS 3.8.2
     distribution.
(7)  Provide action and surveillance statements on reactor            STS 3.9.4
     building penetrations during refueling.
(8)  Add a requirement for rod/channel position indication            STS 3.1.3.3
     operating.
(9)  Add a limiting condition for operation for unacceptable          STS 3.1.3.5
     rod-drop time.
(10) Add a rod program requirement.                                   STS 3.1.3.5
(11) Add a requirement on nuclear heat flux--hot channel              STS 3.2.2
     factor.
(12) Add a requirement on nuclear enthalpy rise--hot channel          STS 3.2.3
     factor.
(13) Add commitment on remote shutdown instrumentation.               STS 3.3.3.5
(14) Provide a commitment on operability of ECCS operability          STS 3.5.3
     for operation/hot and cold shutdown.
(15) Provide commitment for overall integrated containment            STS 3.6.1.2
     leakage.
(16) Provide commitment for limiting condition for operation          STS 3.6.1.3
     and action statements for containment air locks.
(17) Provide limiting condition for operation and action              STS 3.6.1.5
     statements on limits on containment air temperature.
(18) Provide action statement on containment structural               STS 3.6.1.7
     integrity.
(19) Provide requirement on operability of hydrogen analyzers.        STS 3.6.5
(20) Provide commitment on operability of electrical power            STS 3.8.1.2
     systems during shutdown.
(21) Provide commitment on operability of dc distribution             STS 3.8.2
     system during shutdown.
(22) Provide TS on fuel storage pool water.                           STS 3.9.11
(23) Provide commitments to action statement on operation at          STS 3.6.2.3
     all levels for ECCS--reactor building emergency cooling.
(24) Provide commitment on periodic check of isolation valves         STS 4.6.1.1.
     outside containment.
(25) Provide commitment on containment penetration conductor          STS 3.8.4
     overcurrent protection device.
(26) Provide action statements for operation with inoperable          STS 3.1.3.1
     control rods.
(27) Provide action statements for reactor building integrity         STS 3.6.1.1
     (subcritical).

* STS = NUREG-0103, Rev. 4, "Standard Technical Specifications for Babcock and Wilcox Pressurized Water Reactors," September 1980.

RSTS = "Technical Specifications for the Rancho Seco Unit 1," as amended through Amendment No. 83, issued February 3, 1987.

APPENDIX A

PRINCIPAL MEETINGS AND CORRESPONDENCE RELATED TO THE RANCHO SECO OVERCOOLING EVENT OF DECEMBER 26, 1986

December 26, 1985
Region V Administrator (J. Martin) sends two Confirmatory Action Letters to Sacramento Municipal Utility District (SMUD).

January 24, 1986
SMUD provides NRC staff the list of action items and schedule for the planned return of Rancho Seco to power operations (letter from R. Rodriguez, SMUD, to J. Martin and F. Miraglia, NRC).

February 5, 1986
NRC staff develops proposed action plan recommendations in response to Rancho Seco overcooling transient (memorandum from F. Miraglia to H. Denton).

February 10, 1986
NRC staff meets with SMUD in Region V to discuss event root cause, the NRC staff list of action plan recommendations, and SMUD plans for corrective action.

February 19, 1986
SMUD submits summary report, "Resolution of Issues Regarding the December 26, 1985 Reactor Trip" (letter from R. Rodriguez, SMUD, to J. Martin and F. Miraglia, NRC).

February 24, 1986
SMUD submits Addendum 1 to the February 19, 1986 summary report (letter from R. Rodriguez, SMUD, to J. Martin and F. Miraglia, NRC).

February 25, 1986
Incident Investigation Team (IIT) presents to Commission findings and conclusions related to the December 26, 1985 overcooling event.

March 24 & 25, 1986
Senior NRC management (H. Denton) meets with SMUD representatives to discuss the December 26, 1985 overcooling event and SMUD corrective action program.

April 7, 1986
NRC provides comments to SMUD on NRC Safety Evaluation Report, safety parameter display system (letter from J. F. Stolz, NRC, to R. J. Rodriguez, SMUD).

April 18, 1986
NRC staff meets with SMUD in headquarters to discuss licensee's Plant Performance and Management Improvement Program.

Note: SMUD is the licensee for the Rancho Seco Nuclear Generating Station, Unit 1.

May 12, 1986
NRC staff provides comments to SMUD on the adequacy, scope, and direction of the Plant Performance and Management Improvement Program (letter from V. Stello, NRC, to D. Lowe, SMUD).

May 16, 1986
NRC Enforcement Conference in Region V concerning the October 25, 1985, event.

May 30, 1986
SMUD submits Preliminary Action Plan for Performance Improvement (letter from J. Ward, SMUD, to D. Eisenhut, NRC).

June 12, 1986
NRC staff meets with SMUD staff in headquarters to discuss the scope and content of the licensee's Preliminary Action Plan for Performance Improvement.

June 17 & 18, 1986
NRC staff meets with SMUD staff at Rancho Seco site to discuss licensee's System Review and Test Program.

June 20, 1986
NRC staff provides principal concerns to SMUD regarding the licensee's Preliminary Action Plan for Performance Improvement (letter from F. Miraglia, NRC, to J. Ward, SMUD).

June 20, 1986
NRC Enforcement Conference in Region V concerning emergency preparedness and radiation protection violations.

July 3, 1986
SMUD submits Action Plan for Performance Improvement (letter from J. Ward, SMUD, to H. Denton and J. Martin, NRC).

July 3, 1986
NRC staff provides concerns to SMUD regarding the licensee's proposed Systems Review and Test Program (letter from F. Miraglia, NRC, to J. Ward, SMUD).

July 29, 1986
NRC staff provides SMUD with preliminary comments on licensee's Action Plan for Performance Improvement (letter from H. Denton, NRC, to J. Ward, SMUD).

August 14, 1986
NRC staff meets with SMUD staff in headquarters to discuss detailed aspects of licensee's Action Plan for Performance Improvement.

September 5, 1986
NRC staff requests additional information from SMUD regarding the Action Plan for Performance Improvement (letter from J. Stolz, NRC, to J. Ward, SMUD).

September 15, 1986
SMUD submits Amendment 1 to Action Plan for Performance Improvement (letter from J. Ward, SMUD, to F. Miraglia and J. Martin, NRC).

October 22, 1986
SMUD receives Notice of Violation and $375,000 Civil Penalty related to the December 26, 1985, event.

November 19, 1986
NRC staff meets with SMUD staff in headquarters to discuss licensee's progress in licensee's Action Plan for Performance Improvement.

November 20, 1986
SMUD replies to Notice of Violation and imposition of Civil Penalty (letter from J. E. Ward, SMUD, to J. Taylor and J. Martin, NRC).

November 20, 1986
SMUD provides its reply to NRC request for information (letter from J. E. Ward, SMUD, to F. J. Miraglia, Jr., NRC).

December 11, 1986
SMUD replies to NRC request for information (letter from J. E. Ward, SMUD, to F. J. Miraglia, Jr., NRC).

December 15, 1986
SMUD submits the "Restart Report for the Rancho Seco Nuclear Generating Station Following the December 26, 1985 Overcooling Event" (letter from J. Ward, SMUD, to F. Miraglia, NRC).

December 15, 1986
SMUD submits Amendment 2 to Action Plan for Performance Improvement (letter from J. Ward, SMUD, to F. Miraglia, NRC).

January 12, 1987
SMUD submits its response to NRC request for information (letter from J. E. Ward, SMUD, to F. J. Miraglia, Jr., NRC).

January 13 & 14, 1987
NRC staff meets with SMUD staff at site for inspection tour of facility modifications and improvements and discussion of status of Action Plan for Performance Improvement.

January 20, 1987
SMUD staff briefs NRC staff in headquarters on status of the licensee's maintenance program.

January 20, 1987
SMUD provides interpretation of Confirmatory Action Letters for the conduct of pre-startup activities (letter from J. Ward, SMUD, to F. Miraglia and J. Martin, NRC).

January 28, 1987
SMUD staff and NRC staff meet with Commission to discuss the status of the licensee's Action Plan for Performance Improvement.

February 2, 1987
NRC reports on September 29 to October 2, 1986 audit at Rancho Seco site (letter from J. F. Stolz, NRC, to J. E. Ward, SMUD).

February 28, 1987
SMUD submits Amendment 3 to Action Plan for Performance Improvement (letter from J. Ward, SMUD, to S. Miner, NRC).

March 11, 1987
NRC staff provides SMUD with results of initial assessment of the licensee's System Review and Test Program (letter from J. Stolz, NRC, to J. Ward, SMUD).

March 30, 1987
SMUD submits CRDR/SPDS response to NRC requests (letter from J. E. Ward, SMUD, to F. J. Miraglia, Jr., NRC).

March 30, 1987
SMUD provides implementation status of Regulatory Guide 1.97 (letter from J. E. Ward, SMUD, to F. J. Miraglia, Jr., NRC).

April 10, 1987
NRC staff provides SMUD with results of the Augmented Systems Review and Test Program inspection (letter from J. Partlow, NRC, to J. Ward, SMUD).

April 13, 1987
NRC forwards Augmented Systems Review and Test Inspection Report (letter from J. G. Partlow, NRC, to J. E. Ward, SMUD).

April 17, 1987
SMUD forwards description of SPDS isolation methodology based on discussion at April 7, 1987 meeting (letter from J. E. Ward, SMUD, to F. J. Miraglia, NRC).

April 17, 1987
SMUD forwards "Engineering Action Plan for Rancho Seco Nuclear Generating Station" (letter from J. E. Ward, SMUD, to J. B. Martin, NRC).

April 20, 1987
SMUD confirms commitments made during March 3, 1987 meeting regarding radiological liquid effluent matters (letter from J. E. Ward, SMUD, to F. J. Miraglia, NRC).

April 22, 1987
SMUD forwards summary of INPO April 15, 1987 evaluation of plant, corporate support and operator training (letter from C. Wilcox, SMUD, to J. B. Martin, NRC).

April 23, 1987
SMUD forwards April 16, 1987 letter from Z. Pate to C. Wilcox outlining five issues stemming from INPO recent plant and corporate evaluations that must be addressed before restart of the facility (letter from J. E. Ward, SMUD, to F. Miraglia, NRC).

April 27, 1987
NRC meets with SMUD in Region V to discuss SMUD's corrective action programs for restart (letter from J. B. Martin to C. Andognini forwarding minutes dated May 12, 1987).

April 30, 1987
SMUD submits responses to staff questions regarding SPDS and request for additional information on Regulatory Guide 1.97 concerning reactor building temperature, per March 30, 1987 commitment (letter from J. E. Ward, SMUD, to F. J. Miraglia, NRC).

April 30, 1987: SMUD informs staff of status of ongoing effort to resolve NRC open items (letter from J. V. Vinquist, SMUD, to L. Miller, NRC).

May 4, 1987: SMUD forwards additional information regarding modifications to postaccident sampling system in an effort to improve system reliability and provide alternate analyses for boron, chlorides, and reactor building atmosphere radioisotopes (letter from J. E. Ward, SMUD, to F. J. Miraglia, NRC).

May 11, 1987: SMUD advises that utility will submit entire plant performance and management improvement program action list on May 18, 1987 (letter from G. C. Andognini, SMUD, to J. B. Martin, NRC).

May 13, 1987: NRC staff requests additional information on Section 3.2.4 of facility restart report regarding steam generator overfill and flooding of main steam headers (letter from G. W. Knighton, NRC, to G. C. Andognini, SMUD).

May 15, 1987: SMUD discusses status of augmented system review and test program (letter from G. C. Andognini, SMUD, to J. Partlow, NRC).

June 2, 1987: SMUD forwards additional information on overfill of once-through steam generator and main steam line which occurred during December 26, 1987 transient (letter from G. C. Andognini, SMUD, to F. J. Miraglia, NRC).

June 2, 1987: SMUD forwards additional information regarding effects of December 26, 1986 overcooling event; information supplements December 16, 1987 restart report (letter from G. C. Andognini, SMUD, to F. J. Miraglia, NRC).

June 4, 1987: SMUD forwards Revision 0 to "Engineering Action Plan" (letter from G. C. Andognini, SMUD, to D. Crutchfield, NRC).

June 11, 1987: NRC staff meets with SMUD staff and NUS in headquarters regarding adequacy of technical specifications.

June 17, 1987: SMUD forwards Engineering Report ERPT-E0214, "Electrical Termination Inspection and Upgrade Program Resulting From December 26, 1986 Integrated Control System Power Failure" (letter from G. C. Andognini, SMUD, to F. J. Miraglia, NRC).

June 24, 1987: SMUD submits assessment regarding schedule and budget for successful restart of plant presented to utility board of directors on June 18, 1987 (letter from G. C. Andognini, SMUD, to J. M. Taylor, T. E. Murley, and J. B. Martin, NRC).

June 29, 1987: SMUD forwards "Rancho Seco Action Plan for Restart" for May 1987, advising that 2199 employees and contractors implementing program action items which cover issues regarding maintenance, inspection, training, procedures development, and management improvement issues (letter from G. C. Andognini, SMUD, to S. Miner, NRC).

June 30, 1987: NRC letter summarizes central issues discussed at June 9, 1987 meeting regarding issues to be resolved and how to resolve each issue before restart of plant (letter from T. E. Murley, NRC, to G. C. Andognini, SMUD).

July 2, 1987: SMUD submits plan for expanded inspections of cable installations following discovery of major defects in Lot 1 of sampling plan (letter from G. C. Andognini, SMUD, to F. J. Miraglia, NRC).

July 8, 1987: SMUD forwards "Design Review/Quality Revalidation (DR/QR) Program for Rancho Seco TDI Diesel Generators" (letter from G. C. Andognini, SMUD, to F. J. Miraglia, NRC).

July 20, 1987: SMUD submits revised "Restart Report for Rancho Seco Nuclear Generating Station Following December 26, 1986 Overcooling Event" (letter from G. C. Andognini, SMUD, to F. J. Miraglia, NRC).

July 22, 1987: SMUD letter discusses schedule for license changes, based on NRC technical specification evaluation report (letter from G. C. Andognini, SMUD, to G. W. Knighton, NRC).

July 28, 1987: SMUD forwards "Expanded Augmented Systems Review and Test Program (EASRTP) Evaluation Plan" and "EASRTP Methodology Guidelines" (letter from G. C. Andognini, SMUD, to D. Crutchfield, NRC).

July 28, 1987: SMUD transmits report listing NRC open items completed since last report and summary status of all Priority A, B, and C items (letter from G. C. Andognini, SMUD, to L. Miller, NRC).

August 6, 1987: SMUD forwards information on maintenance organization as described in July 20, 1987 submittal and Revision 1 to "Seal Injection and Makeup Systems Status Report" (letter from G. C. Andognini, SMUD, to F. J. Miraglia, NRC).

August 14, 1987: NRC transmits SER approving Rancho Seco detailed control room design review (DCRDR) (letter from G. Kalman, NRC, to G. C. Andognini, SMUD).

September 9, 1987: SMUD letter responding to NRC questions about maintenance program.

APPENDIX B

REFERENCES

American National Standards Institute, Inc., Standard N18.7, "Administrative Controls and Quality Assurance for the Operational Phase of Nuclear Power Plants," 1976.

American Society of Mechanical Engineers, "Boiler and Pressure Vessel Code," Section III, Appendix G, "Protection Against Nonductile Failure."

--, Section XI, Appendix E, "Evaluation of Unanticipated Operational Transients."

Babcock and Wilcox, Document 32-1159785-00, "Fracture Mechanics Analysis of SMUD Transient."

--, BAW-1564, "ICS Reliability Study."

Babcock and Wilcox Owners Group, BAW-1791, "B&W Owners Group Probabilistic Evaluation of Pressurized Thermal Shock," June 1983.

EG&G Idaho, Inc., EGG-EA-6940, "Conformance to Regulatory Guide 1.97, Rancho Seco Nuclear Generating Station," March 1987.

Institute of Electrical and Electronics Engineers, Standard 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," 1971.

--, Standard 344, "Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," 1977.

--, Standard 383, "Standard for Type Test of Class 1E Electric Cables, Field Splices, and Connections for Nuclear Power Generating Stations," 1974.

--, Standard 384, "Standard Criteria for Independence of Class 1E Equipment and Circuits," 1974 and 1977.

--, Standard 422, "IEEE Guide for Design and Installation of Cable Systems in Power Generating Stations," 1977.

Institute of Nuclear Power Operations, "INPO Good Practice," OP-209.

--, Guidelines 85-032.

National Fire Protection Association, Standard 13, "Standard for the Installation of Sprinkler Systems."

U.S. Nuclear Regulatory Commission, Generic Letter 82-33 (see NUREG-0737, Supplement 1).

--, Generic Letter 83-10, "Resolution of TMI Action Item II.K.3.5, 'Automatic Trip of Reactor Coolant Pumps'," February 8, 1983.

--, IE Bulletin 79-14, "Seismic Analysis for As-Built Safety-Related Piping Systems," July 2, 1979.

--, IE Bulletin 79-27, "Loss of Non Class-1E Instrumentation and Control Power System Bus During Operation," November 30, 1979.

--, IE Bulletin 80-04, "Analysis of a PWR Main Steam Line Break With Continued Feedwater Addition," February 8, 1980.

--, IE Bulletin 85-03.

--, Information Notice 84-69.

--, Information Notice 85-58.

--, Inspection Report 50-312/82-36.

--, Inspection Report 50-312/83-37.

--, Inspection Report 50-312/84-26.

--, Inspection Report 50-312/85-16.

--, Inspection Report 50-312/85-58 and Supplement 1.

--, Inspection Report 50-312/86-06.

--, Inspection Report 50-312/86-07.

--, Inspection Report 50-312/86-16.

--, Inspection Report 50-312/86-20.

--, Inspection Report 50-312/86-27.

--, Inspection Report 50-313/86-32.

--, Inspection Report 50-312/86-37.

--, Inspection Report 50-312/87-05.

--, Inspection Report 50-312/87-06.

--, Inspection Report 50-312/87-22.

--, Interim Report, June 28, 1985.

--, NUREG-0103, Rev. 4, "Standard Technical Specifications for Babcock and Wilcox Pressurized Water Reactors," September 1980.

--, NUREG-0560, "Staff Report on the Generic Assessment of Feedwater Transients in Pressurized Water Reactors Designed by the Babcock & Wilcox Company," May 1979.

--, NUREG-0578, "TMI-2 Lessons Learned Task Force: Status Report and Short-Term Recommendations," July 1979.

--, NUREG-0612, "Control of Heavy Loads at Nuclear Power Plants: Resolution of Generic Technical Activity A-36," July 1980.

--, NUREG-0667, "Transient Response of Babcock & Wilcox-Designed Reactors," May 1980.

--, NUREG-0696, "Functional Criteria for Emergency Response Facilities," Final Report, February 1981.

--, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980. Supplement 1, "Requirements for Emergency Response Capability," January 1983.

--, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," LWR Edition, July 1981.

--, NUREG-1177, "Safety Evaluation Report Related to the Restart of Davis-Besse Nuclear Power Station, Unit 1, Following the Event of June 9, 1985," June 1986.

--, NUREG-1195, "Loss of Integrated Control System Power and Overcooling Transient at Rancho Seco on December 26, 1985," February 1986.

--, NUREG-1212, Vol. 2, "Status of Maintenance in the U.S. Nuclear Industry. Descriptions of Programs and Practices," June 1986.

--, NUREG-1216, "Safety Evaluation Report Related to the Operability and Reliability of Emergency Diesel Generators Manufactured by Transamerica Delaval, Inc.," August 1986.

--, NUREG-1220, "Training Review Criteria and Procedures," July 1986.

--, NUREG/CP-0063, "Proceedings of the 1984 Statistical Symposium on National Energy Issues," July 1985.

--, NUREG/CR-2895, "PWR Pressure Vessel Integrity During Overcooling Accidents," Oak Ridge National Laboratory, January 12, 1983.

--, SECY-82-465, "Pressurized Thermal Shock (PTS)," November 23, 1982.

--, SECY-85-1, "Policy Statement on Training and Qualification of Nuclear Power Plant Personnel," March 20, 1985.

--, SECY-85-129, "Maintenance and Surveillance Program Plan," April 12, 1985.

"Technical Specifications for the Rancho Seco Unit 1," through Amendment No. 83, February 3, 1987.

APPENDIX C

ACRONYMS AND OTHER INITIALISMS

ABT: automatic bus transfer
ADV: atmospheric dump valve
AFW: auxiliary feedwater
AGM: Assistant General Manager
AIT: Augmented Inspection Team
ANS: American Nuclear Society
AOV: air-operated valve
AP: administrative procedure
AP&L: Arkansas Power and Light Co.
ASME: American Society of Mechanical Engineers
ASRTP: augmented system review and test program
ATOG: abnormal transient operating guideline
BOP: balance of plant
B&W: Babcock and Wilcox
BWST: borated water storage tank
CCUSU: central control unit select unit
CCW: component cooling water
CEO: Chief Executive Officer
CFR: Code of Federal Regulations
CM: corrective maintenance
CPC: cable pull card
CR: control room
CRD: control rod drive
CRT: cathode ray tube
CRTS: cable and raceway tracking system
CST: condensate storage tank
DBE: design-basis earthquake
DCRDR: detailed control room design review
DGM: Deputy General Manager
DHR: decay heat removal
DP: differential pressure
DR: design review
EAR: engineering action request
EC: Emergency Coordinator
ECC: emergency core cooling
EDG: emergency diesel generator
EFC: emergency feedwater control
EFIC: emergency feedwater initiation and control
EFPY: effective full power year
EMOV: electromagnetic operating valve

EOP: Emergency Operating Procedure
EP: emergency procedure
EPIP: emergency plan implementing procedure
EPRI: Electric Power Research Institute
FCV: feed control valve
FOGG: feed only good generator
FPR: Field Problem Report
FSAR: final safety analysis report
FW: feedwater
GDC: General Design Criteri(on)(a)
GE: General Electric Company
HELBA: high energy line break accident
HEPA: high efficiency particulate air
HPI: high pressure injection
HVAC: heating, ventilation, and air conditioning
IA: instrument air
IAG: Incident Analysis Group
IC: ion chromatograph
I&C: instrumentation and control
ICS: integrated control system
IDADS: interim data acquisition and display system
IE: Office of Inspection and Enforcement
IEEE: Institute of Electrical and Electronics Engineers
IIT: Incident Investigation Team
ILRT: integrated leak rate testing
INPO: Institute of Nuclear Power Operations
IR: inspection report
LCO: limiting condition of operation
LED: light emitting diode
LEFM: linear elastic fracture mechanics
LER: licensee event report
LLD: lower limits of detection
LLRT: local leak rate testing
LOCA: loss-of-coolant accident
LRS: LRS Consultants
MAC: Management Analysis Company
MAP: Maintenance Administrative Procedure
MCC: motor control center
MFW: main feedwater
MIDR: maintenance inspection data report
MIMS: material and information management system
MOV: motor-operated valve
MOVATS: motor operated valve analysis testing system
MSL: main steamline
MSLB: main steamline break
MSLFS: main steamline failure logic system
MSPP: Maintenance and Surveillance Program Plan
MSSV: main steam safety valve

M&TE: measurement and test equipment
MU: makeup
MUT: makeup tank
NCR: nonconformance report
NEP: nuclear engineering procedure
NFPA: National Fire Protection Association
NNI: non-nuclear instrumentation
NPRDS: nuclear plant reliability data system
NRC: U.S. Nuclear Regulatory Commission
NSEB: nuclear service electric building
NSSS: nuclear steam supply system
OBE: operating-basis earthquake
ODR: occurrence description report
OTSG: once-through steam generator
PAG: Performance Analysis Group
PASS: postaccident sampling system
PM: preventive maintenance
PORV: power-operated relief valve
PPIP: Plant Performance Improvement Program
PP&MIP: Plant Performance and Management Improvement Program
PRA: probabilistic risk assessment
PSM: power supply monitor
PTS: pressurized thermal shock
PWR: pressurized-water reactor
QA: quality assurance
QC: quality control
QCOP: quality control operational procedure
QE: quality engineering
QR: quality revalidation
RAI: request for additional information
RC: reactor coolant
RCM: Radiation Control Manual
RCP: reactor coolant pump
RCS: reactor coolant system
RG: regulatory guide
RO: reactor operator
RPS: reactor protection system
RRRB: Recommendation, Review and Resolution Board
RSMP: Rancho Seco Management Process
SALP: systematic appraisal of licensee performance
SER: Safety Evaluation Report
SFAS: safety features actuation system
SIM: seal injection and makeup
SIR: system investigation report
SMUD: Sacramento Municipal Utility District
SPDS: safety parameter display system
SPIP: Safety and Performance Improvement Program
SR: safety related

SRO: senior reactor operator
SRTP: system review and test program
SSD: safe shutdown
SSR: system status report
STA: shift technical advisor
STP: special test procedure
TBV: turbine bypass valve
TDAP: Training Department's administrative procedure
TDI: Transamerica Delaval, Inc.
TER: technical evaluation report
TIE: trip interface equipment
TMI: Three Mile Island
TRG: Test Review Group
TS: technical specifications
TSC: technical support center
USAR: "Rancho Seco Nuclear Generating Station Updated Safety Analysis Report"
UVD: undervoltage device
UVTA: undervoltage trip attachment
WR: work request

APPENDIX D

NRC STAFF CONTRIBUTORS

Name, Organization

I. Ahmed, Electrical Systems Branch*
F. Allenspach, Performance Evaluation Branch*
W. Ang, Reactor Projects Branch#
L. Beltracchi, Reliability and Human Factors Branch**
L. Callan, Diagnostic Evaluation and Incident Investigation Branch†
A. Capucci, Project Directorate III-1*
M. Caruso, Project Directorate III-2*
M. Cillis, Emergency Preparedness and Radiological Protection Branch#
H. Conrad, Materials Engineering Branch*
J. Dyer, Special Inspection Branch*
R. Ferguson, Project Directorate I-4*
R. Fish, Emergency Preparedness and Radiological Protection Branch#
M. Hartzman, Mechanical Engineering Branch*
R. Jones, Reactor Systems Branch*
R. Kendall, Instrumentation and Control Systems Branch*
J. Lazevnick, Region I
N. Le, Performance Evaluation Branch*
C. Liang, Reactor Systems Branch*
J. Miller, Technical Specifications Branch*
L. Miller, Reactor Projects Branch#
J. Persensky, Human Factors Assessment Branch*
H. Rood, Project Directorate V*
I. Spickler, Radiation Protection Branch*
N. Thompson, Structural and Geosciences Branch*
R. Weller, Technical Review Branch††
F. Witt, Chemical Engineering Branch*
S. Wu, Reactor Systems Branch*
G. Yuhas, Emergency Preparedness and Radiological Protection Branch#

* Office of Nuclear Reactor Regulation
** Office of Nuclear Regulatory Research
† Office of the Analysis and Evaluation of Operational Data
†† Office of Nuclear Material Safety and Safeguards
# Region V


BIBLIOGRAPHIC DATA SHEET

Report number: NUREG-1286

Title and subtitle: Safety Evaluation Report Related to the Restart of Rancho Seco Nuclear Generating Station, Unit 1 Following the Event of December 26, 1985

Date report completed: October 1987

Date report issued: October 1987

Performing organization: Division of Reactor Projects - III, IV, V and Special Projects, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

Sponsoring organization: Same as 7. above

Type of report: Safety Evaluation Report

Supplementary notes: Docket No. 50-312

Abstract: On December 26, 1985, the Rancho Seco Nuclear Generating Station experienced a loss of dc power within the integrated control system while the plant was at 76% power. The ensuing reactor trip was followed by a rapid overcooling transient and automatic initiation of the safety features actuation system. The overcooling transient continued until integrated control system power was restored 26 minutes after its loss.

This report presents the staff's evaluation of the corrective actions taken by the licensee to prevent recurrence and to improve overall performance of Rancho Seco with respect to safety.

Key words/descriptors: Safety Evaluation Report; Operating factors; Rancho Seco Nuclear Generating Station

Availability statement: Unlimited

Security classification: Unclassified
