Semantic search

Jump to navigation Jump to search
 SiteQuarterTitleDescription
05000321/FIN-2018002-01Hatch2018Q2Enforcement Action (EA)-18-100: Unanalyzed Conditions for a Postulated Fire Discovered During NFPA 805 TransitionOn April 3, 2017, the licensee submitted Licensee Event Report (LER) 05000321, 366/2017-001-00: Unanalyzed Conditions for a Postulated Fire Discovered During NFPA 805 Transition documenting the discovery of a condition of non-compliance with the sites fire protection program (FPP). In preparation for transiting the fire protection licensing basis from 10 CFR 50.48(b) (Appendix R) to 10 CFR 50.48(c) (NFPA 805), a weak-link and operator manual action analysis was completed for Information Notice 92-18 type hot shorts on motor operated valves (MOV). The licensees examination of their Appendix R Safe Shutdown Analysis identified circuit configurations in multiple fire areas where an Appendix R postulated fire could impact the ability to achieve safe shutdown conditions. The licensee failed to protect MOV cables associated with the RHR and RCIC emergency cooling systems in fire areas 0024 (Main Control Room), 1203F (Unit 1 Reactor Building), 1205F (Unit 1 Reactor Building), and 2203F (Unit 2 Reactor Building). Specifically, the licensee failed to ensure that fire induced cable impacts cannot bypass the limit and torque switches and result in physical damage to the MOVs, thus preventing the MOVs from being operated from the Main Control Room, Remote Shutdown Panel, or locally. This condition could prevent operators from achieving and maintaining safe shutdown (SSD) of the plant in the case of a postulated fire. A licensee-identified non-compliance with 10 CFR Part 50, Appendix R, Section III.G.2, was identified for the licensees failure to protect one of the redundant trains of equipment needed to achieve post-fire SSD from fire damage. Specifically, the licensee failed to use one of the means described in Appendix R, Section III.G.2.a, b, or c to ensure that one of the redundant trains of equipment necessary to achieve and maintain hot shutdown conditions was protected from fire damage. The inspectors performed a detailed review of the information and documents related to the LER and discussed the condition with the licensee to assess the adequacy of the licensees compensatory measures and corrective actions. Corrective Action(s): Hourly fire watches and Fire Action Statements were initiated to address the postulated condition for the identified MOVs. Additionally, the licensee committed to completing physical plant modifications to the impacted MOVs during the next Unit 1 and Unit 2 plant refueling outages to rectify the issue of potential spurious operation of the associated MOVs associated with this LER. Corrective Action Reference(s): The licensee entered this issue into their Corrective Action Program (CAP) as condition reports (CRs) 10326399, 10326401, 10326402, 10326404, and 10326405. Enforcement: Violation: 10 CFR Part 50.48(b)(1) requires that all nuclear power plants licensed to operate prior to January 1, 1979, must satisfy the applicable requirements of 10 CFR Part 50, Appendix R, Section III.G. 10 CFR 50, Appendix R, Section III.G.2, states, in part, that where cables or equipment, that could prevent operation or cause mal-operation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the same fire area outside of primary containment, one of the following means of ensuring that one of the redundant trains is free of fire damage shall be provided: (a) separation of cables and equipment by a fire barrier having a 3-hour rating, (b) separation of cables and equipment by a horizontal distance of more than 20 feet with no intervening combustibles or fire hazards and with fire detectors and an automatic fire suppression system in the fire area, or (c) enclosure of cables and equipment in a fire barrier having a 1-hour rating and with fire detectors and an automatic fire suppression system in the fire area. Contrary to the above, the licensee failed to use one of the means described in Appendix R, Section III.G.2.a, b, or c to ensure that one of the redundant trains of equipment necessary to achieve and maintain hot shutdown conditions was protected from fire damage. Specifically from October 1974 to April 2017, the licensee had not met the requirements of 10 CFR Part 50.48(b) to identify and protect cabling of 51 Unit 1 and Unit 2 RHR and RCIC emergency cooling system MOVs in fire areas 0024 (Main Control Room), 1203F (Unit 1 Reactor Building), 1205F (Unit 1 Reactor Building), and 2203F (Unit 2 Reactor Building). On April 3, 2017, the licensee identified the failure to protect equipment that was required to mitigate fire events and determined that fire damage could cause mal-operation of the affected MOVs, potentially leading to fire induced cable impacts which bypass the limit and torque switches and result in physical damage to the MOVs, thus preventing the MOVs from being operated from the Main Control Room, Remote Shutdown Panel, or locally. A fire-induced failure could have caused the loss of the required Safe Shutdown components. Severity/Significance: Failure to protect one train of cables and equipment necessary to achieve post-fire SSD from fire damage for fire areas designated in the Fire Protection Program (FPP) as meeting Appendix R, Section III.G.2, was a performance deficiency. This finding was more than minor because it was associated with the reactor safety mitigating system cornerstone attribute of protection against external events (i.e., fire). Specifically, failure to protect safe shutdown cables and equipment from fire damage negatively affected the reactor safety mitigating systems cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Because this issue relates to fire protection and this non-compliance was identified as a part of the sites transition to NFPA 805, this issue is being dispositioned in accordance with Section 9.1, Enforcement Discretion for Certain Fire Protection Issues (10 CFR 50.48) of the NRC Enforcement Policy. The significance of this licensee-identified non-compliance with 10 CFR Part 50, Appendix R, Section III.G.2, was determined by the results of the IMC 0609, Appendix F, Fire Protection Significance Determination Process, Phase III Quantitative Screening Approach. The quantitative screening approach performed by a Region II Senior Risk Analyst resulted in a calculated delta core damage frequency (CDF) of less than 1E-04, which screens this noncompliance to less-than-red significance. Additionally, in order to verify that this noncompliance was not associated with a finding of high safety significance (Red), inspectors reviewed qualitative and quantitative risk analyses performed by the licensee. These risk evaluations took ignition source and target information from the ongoing HNP fire PRA to demonstrate that the significance of the non-compliances were less-thanthan 1E-4/year). The inspectors also performed walk-downs to verify key assumptions were applicable. Based on the ignition frequency of fire sources in the affected areas, inspectors determined that the significance of this non-compliance was less-than-red. The inspectors also noted that the values in the licensees quantitative analysis were conservative, in that they used screening values instead of more detailed values. This provided additional confidence that this non-compliance was not associated with a finding of high safety significance (Red). The inspectors determined that no cross cutting aspect was applicable to this performance deficiency because this finding was not indicative of current licensee performance. Basis for Discretion: The NRC exercised enforcement discretion in accordance with Enforcement Policy, Section 9.1, Enforcement Discretion for Certain Fire Protection Issues (10 CFR 50.48), a Confirmatory Order (ML16223A467) which extended the period for discretion, and Inspection Manual Chapter 0305. On April 4, 2018 (ML18096A955), the licensee submitted a license amendment request to adopt NFPA 805 and change their fire protection licensing bases to comply with 10 CFR 50.48(c). The inspectors reached this conclusion due to the fact that this issue was licensee-identified and will be addressed during the licensees transition to NFPA 805, it was entered into the licensees corrective action program, immediate corrective action and compensatory measures were taken, it was not likely to have been previously identified by routine licensee efforts, it was not willful, and it was not associated with a finding of high safety significance (Red).
05000289/FIN-2017003-01Three Mile Island2017Q3Licensee-Identified ViolationThe following violation of very low safety significance (Green) was identified by Exelon and is a violation of NRC requirements, which meets the criteria of the NRC Enforcement Policy for being dispositioned as a non-cited violation.Technical specification 4.1.4, Operational Safety Review, requires each remote shutdown system function shown in Table 3.5-4 shall be demonstrated operable by the performance of the following check, test, and calibration. The technical specification surveillance requirement 4.1.4.b states that the licensee shall verify each required control circuit and transfer switch is capable of performing the intended function in accordance with the licensees surveillance frequency control program, in this caseevery refueling interval. Contrary to SR 4.1.4.b, from January, 1987, until September 2017, Exelon did not verify that each required control circuit on the Unit 1 remote shutdown panel was capable of performing the intended function. Specifically, Exelon did not test four of the required six relays for the B EDG either by operation of the components or by performance of a continuity check. Exelons corrective action included entering this issue into the CAP as issue reports 4020064 and 4047426, developing a remote shutdown system testing procedure for the B EDG system, and the completion of a risk evaluation as required by surveillance requirement 4.0.2. The inspectors determined that the finding was more than minor because it is associated with the equipment performance attribute of the Mitigating Systems cornerstone and affected the cornerstone objective to ensure the reliability of systems that respond to initiating events to prevent undesirable consequences. It is of very low safety significance (Green) in accordance with NRC IMC 0609, Appendix F, Fire Protection Significance Determination Process, since the missed surveillance did not impact the ability to reach safe shutdown.
05000416/FIN-2017008-04Grand Gulf2017Q2Inadequate Alternative Shutdown Procedure StepGreen. The team identified a Green non-cited violation of Technical Specification 5.4.1.a for the failure to maintain adequate written procedures covering a fire in the control room. Specifically, the licensee failed to ensure that all steps in Procedure 05-1-02-II-1, Shutdown from the Remote Shutdown Panel, could be performed as written. Specifically, the licensees procedure did not provide specific guidance to the control room staff on how to actuate the low pressure core spray pump breaker lockout relay. The licensee initiated Condition Report CR-GGN-2017-03368 to address the deficiency and immediately implemented Standing Order 17-0009, which provides specific guidance to the control room staff on how to actuate the low pressure core spray pump breaker lockout relay. The failure to provide a procedure that operators understood to implement the requirements of the approved fire protection program for a fire in the control room was a performance deficiency. The performance deficiency was more than minor because it was associated with the procedure quality attribute of the Mitigating Systems Cornerstone and it adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the alternative shutdown procedure failed to ensure operators could safely shut down the plant during a control room fire causing circuit faults. The team evaluated this finding using Inspection Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, dated September 20, 2013, because it affected the ability to reach and maintain safe shutdown conditions in case of a fire. A senior reactor analyst performed a Phase 3 evaluation to determine the risk significance of this finding since it involved a postulated control room fire that led to control room evacuation. The Senior Reactor Analyst determined this finding was of very low safety significance. The finding did not have a cross-cutting aspect since it was not indicative of present performance in that the performance deficiency occurred more than 3 years ago.
05000440/FIN-2016004-01Perry2016Q4ECC B Heat Exchanger Flow Root Valves Out of PositionGreen. A finding of very-low safety significance and associated NCV of TS 5.4.1, Procedures, was self-revealed for the licensees failure to follow valve lineup procedure restoration requirements after an emergency service water (ESW) pump B and valve operability test. Specifically, incorrect valve manipulations of the root valves for 1P42R043B and 1P42R043A flow indicators caused the emergency closed cooling (ECC) heat exchanger B flow to read zero with flow through the heat exchanger. The incorrect flow indication rendered the remote shutdown panel inoperable. The licensee subsequently re-positioned the root valves, 1P42R043B and 1P42R043A, and restored the remote shutdown panel to operable. The licensee entered this issue into the CAP as CR 201612935. The inspectors determined that the performance deficiency for failure to follow procedure was more than minor and thus a finding because it was associated with the Mitigating Systems cornerstone attribute of human performance. The performance deficiency adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. The finding has a cross-cutting aspect in the area of human performance, avoid complacency because the licensee failed to ensure that individuals follow processes, procedures, and work instructions. Specifically the individual performing the surveillance did not utilize all the required human performance tools to prevent the error (H.12).
05000413/FIN-2016003-01Catawba2016Q3Licensee-Identified ViolationThe licensee identified a non-compliance with Operating License Condition 2.C.(5), for Units 1 and 2, for the failure to protect one of the redundant trains of equipment needed to achieve post-fire SSD from fire damage. Specifically, the licensee failed to use one of the means described in Branch Technical Position (BTP) Chemical Engineering Branch (CMEB) 9.5-1, Item C.5.b.2 to ensure that one of the redundant trains of equipment necessary to achieve and maintain hot shutdown conditions was protected from fire damage. Description: On June 2, 2014, the licensee submitted LER 413/2014-002-00 with Revision 01 submitted on December 1, 2014, which documented discovery of cable routing issues and postulated fire-induced circuit failures that could prevent operation or cause maloperation of equipment required to achieve SSD in the event of a fire. This condition was identified during the licensees transition to National Fire Protection Association Standard 805 (NFPA 805). During the transition to NFPA 805, the licensee identified multiple instances of cables for equipment required to achieve SSD not meeting the separation requirements of the current licensing basis. The licensee determined that this condition existed for 22 fire areas (FAs) across both units. The licensee characterized these issues as variance(s) from deterministic requirements (VFDRs). The conditions identified in the LER are related to VFDRs that met the following criteria: 1) VFDRs that required a plant modification to meet the fire risk criteria of NFPA 805, or 2) VFDRs where a potential concern existed with respect to NRC Information Notice (IN) 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire, dated February 28, 1992. The licensee determined that the deficiencies existed because of latent design deficiencies in the cable routing and circuit design. This LER was applicable to Units 1 and 2. Upon discovery, the licensee entered this issue into their corrective action program as PIP C-1401427, and implemented compensatory actions in the form of fire watches and/or control of transient combustible material for the affected FAs. Analysis. Failure to protect one redundant train of cables and equipment necessary to achieve post-fire SSD from fire damage was a performance deficiency. This finding was more than minor because it was associated with the reactor safety mitigating system cornerstone attribute of protection against external events (i.e., fire). Specifically, failure to protect safe shutdown cables and equipment from fire damage negatively affected the reactor safety mitigating systems cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Because this issue relates to fire protection and this noncompliance was identified as a part of the sites transition to NFPA 805, this issue is being dispositioned in accordance with Section 9.1, Enforcement Discretion for Certain Fire Protection Issues (10 CFR 50.48) of the NRC Enforcement Policy. In order to verify that this non-compliance was not associated with a finding of high safety significance (Red), inspectors reviewed qualitative and quantitative risk analyses performed by the licensee. These risk evaluations took ignition source and target information from the licensees fire probabilistic risk assessment to demonstrate that the significance of the non-compliances were less-than-Red (i.e. CDF less than 1E-4/year). Inspectors determined that cables associated with some of the VFDRs were not located in the zone of influence (ZOI) of any credible ignition source. For cables that were located in the ZOI of a credible ignition source, inspectors were able to perform a calculation to determine the change in conditional core damage probability (CCDP), based on the postulated fire-affected equipment not being available. Based on these screenings, inspectors determined that the significance of this non-compliance was lessthan-Red. A bounding risk assessment performed by a regional Senior Risk Analyst (SRA) reviewed the licensee and inspector risk evaluations and confirmed the CDF risk increase due to this condition was less than 1E-4, and therefore less than RED. The inspectors determined that no cross cutting aspect was applicable to this performance deficiency because this finding was not indicative of current licensee performance. Enforcement. Operating License Condition 2.C.(5), for Units 1 and 2, requires that the licensee implement and maintain in effect all provisions of the approved FPP as described in the UFSAR, as amended, for the facility and as approved in the SER through Supplement 5. BTP CMEB 9.5-1, which incorporated the guidance of Appendix A to BTP ASB 9.5-1 and the technical requirements of Appendix R to 10 CFR 50, established the regulatory and licensing requirements for the FPP at Catawba Nuclear Station (CNS). The CNS FPP was reviewed against and approved for conformance with BTP CMEB 9.5-1 in the SER through Supplement 5. BTP CMEB 9.5-1, Item C.5.b.1, requires that fire protection features be provided that are capable of limiting fire damage so that one train of systems necessary to achieve and maintain hot standby conditions from either the control room or emergency control station(s) is free from fire damage. BTP CMEB 9.5- 1, Item C.5.b.2 requires one redundant train to be protected from fire damage by one of the following specified methods: (a) separation of cables and equipment by a fire barrier having a 3-hour rating, (b) separation of cables and equipment by a horizontal distance of more than 20 feet with no intervening combustibles or fire hazards and with fire detectors and an automatic fire suppression system in the fire area, or (c) enclosure of cables and equipment in a fire barrier having a 1-hour rating and with fire detectors and an automatic fire suppression system in the fire area. Contrary to the above, the licensee failed to use one of the means described in BTP CMEB 9.5-1, Item C.5.b.2 to ensure that one of the redundant trains of equipment necessary to achieve and maintain hot shutdown conditions was protected from fire damage. Specifically, on April 2, 2014, the licensee identified the failure to protect equipment in accordance with the current licensing basis. The licensee determined that fire damage could prevent operation of, or cause maloperation of, components that were required to achieve and maintain SSD. This condition has existed since initial plant startup for Units 1 and 2. The licensee entered this issue into the corrective action program (PIP C-14-1427) and implemented compensatory measures in the form of fire watches and/or control of transient combustible material for the affected FAs. Because the licensee committed to adopt NFPA 805 and change their fire protection licensing bases to comply with 10 CFR 50.48(c), the NRC is exercising enforcement and reactor oversight process (ROP) discretion for this issue in accordance with the NRC Enforcement Policy, Section 9.1, Enforcement Discretion for Certain Fire Protection Issues (10 CFR 50.48) and Inspection Manual Chapter 0305. Specifically, this issue was identified and will be addressed during the licensees transition to NFPA 805, it was entered into the licensees corrective action program, immediate corrective action and compensatory measures were taken, it was not likely to have been previously identified by routine licensee efforts, it was not willful, and it was not associated with a finding of high safety significance (Red).
05000354/FIN-2016007-01Hope Creek2016Q2Inadequate Testing of Emergency Diesel Generator Takeover Switches and Remote Shutdown Panel Transfer/Isolation RelaysThe team identified a finding of very low safety significance, involving a noncited violation of Hope Creek Operating License Condition 2.C.(7) for failure to implement and maintain in effect all provisions of the approved Fire Protection Program (FPP). Specifically, PSEG did not adequately test the Emergency Diesel Generator (EDG) emergency takeover switches and Remote Shutdown Panel (RSP) transfer/isolation relays to assure they were capable of performing their intended function, as described in the FPP. PSEG subsequently performed additional testing and a detailed operability evaluation, which concluded that the effected equipment would function as intended. This finding was more than minor because it was similar to example 3.k of Inspection Manual Chapter (IMC) 0612, Appendix E, "Examples of Minor Issues," and was associated with the Protection Against External Factors (e.g., fire) attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective to ensure the availability and reliability of systems that respond to initiating events to prevent undesirable consequences (i.e., core damage). The team performed a Phase 1 Significance Determination Process (SDP) screening, in accordance with IMC 0609, Appendix F, "Fire Protection SDP." This issue screened to very low safety significance (Green) because it did not affect the ability to reach and maintain a stable hot shutdown condition. The finding did not have a cross-cutting aspect because it was a legacy issue and was not considered to be indicative of current licensee performance.
05000354/FIN-2016007-02Hope Creek2016Q2Inadequate Testing of the Remote Shutdown Panel RCIC Flow Control Circuit (The team identified a finding of very low safety significance, involving a noncited violation of Hope Creek Technical Specification (TS) Surveillance Requirement (SR) 4.3.7.4.2, "Remote Shutdown System Instrumentation and Controls." Specifically, PSEG did not adequately test all components of the Reactor Core Isolation Cooling (RCIC) flow control circuit on the RSP to demonstrate operability. This finding was more than minor because it was similar to example 3.k of Inspection Manual Chapter (IMC) 0612, Appendix E, and was associated with the procedure quality attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of the RCIC system. The inspectors evaluated this finding using IMC 0609.04, "Initial Characterization of Findings," and IMC 0609, Appendix A, Exhibit 2, "Mitigating Systems Screening Questions." This issue was determined to be of very low safety significance (Green) because it did not represent an actual loss of function of a single train mitigating system for greater than its TS Allowed Outage Time. The finding did not have a cross-cutting aspect because it was a legacy issue and was not considered indicative of current licensee performance.
05000458/FIN-2016007-03River Bend2016Q2Failure to Demonstrate that Appendix R Emergency Lights Satisfied their Maintenance Rule Performance CriteriaThe team identified a finding for the failure to provide an adequate monitoring and testing program to demonstrate that the required Appendix R emergency lights satisfied the licensees maintenance rule performance criteria. Specifically, the failure to provide an adequate monitoring and testing program could result in a large number of Appendix R emergency lights failing to last the required 8 hours without being detected. The team determined that, because the licensee had changed their program to a biennial replacement frequency for the 8-hour batteries, reasonable assurance existed that the lights would function long enough for operators to perform the time critical manual actions directed by their fire protection program. The licensee entered this finding into their corrective action program as Condition Report CR-RBS-2016-03177. The failure to establish an adequate monitoring and testing program to demonstrate that the required Appendix R emergency lights would satisfy the licensees maintenance rule performance criteria was a performance deficiency. The performance deficiency was more than minor because if left uncorrected, the performance deficiency would have the potential to lead to a more significant safety concern. Specifically, the failure to provide an adequate monitoring and testing program could result in a large number of Appendix R emergency lights failing to function for the required 8 hours without being detected through licensee monitoring and testing. The team determined this finding affected the Mitigating Systems Cornerstone. The team evaluated this finding using Inspection Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, dated February 28, 2005, because it affected the ability to reach and maintain safe shutdown conditions in case of a fire. The team assigned the finding to the post-fire safe shutdown category since it impacted the remote shutdown and control room abandonment element. The team assigned the finding a low degradation rating since the ability to reach and maintain safe shutdown conditions in the event of a control room fire would be minimally impacted by the potential failure of the emergency lights to function for 8-hours. Because this finding had a low degradation rating, it screened as having very low safety significance (Green) in Task 1.3.1. The finding did not have a cross-cutting aspect since it was not indicative of present performance in that the performance deficiency occurred more than three years ago. Specifically, the licensee began performing the 8-hour discharge test on a small sample of the batteries more than three years ago.
05000373/FIN-2016007-04LaSalle2016Q2Alternate Shutdown Procedures Failed to Ensure RCIC MOVs Supply Breakers Were ClosedThe team identified a finding of very-low safety significance (Green) and associated NCV of the LaSalle County Station Operating License for the failure to ensure that procedures were in effect to implement the alternate shutdown capability. Specifically, the abnormal operating procedures (AOPs) established to respond to a fire at the main control room did not include instructions for verifying that supply breakers for three reactor core isolation cooling motor-operated valves (MOVs) were closed to ensure they could be operated from the remote shutdown panel. Fire-induced failures could result in tripping MOV power supply breakers prior to tripping the MOV control power fuses. The licensee captured the team concerns in their CAP as AR 02668854 and established compensatory actions to reset the affected breakers, if required The performance deficiency was determined to be more than minor because it was associated with the Mitigating Systems Cornerstone attribute of protection against external events (fire), and affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. The finding screened as of very-low safety significance (Green) because it was assigned a low degradation factor. Specifically, the procedural deficiencies could be compensated by operator experience/familiarity and the fact that the AOPs included steps to verify other breakers at the same locations were closed would likely prompt operators to close the remaining breakers. The team determined that this finding had a cross cutting aspect in the area of problem identification and resolution because the licensee failed to take effective corrective actions for a similar issue identified in 2014. Specifically, the resolution of this issue included actions to revise the affected AOPs to include verifying all the reactor core isolation cooling MOVs supplied breakers were closed. However, the licensee failed to include all of the MOVs in the revised AOPs. (P.3)
05000269/FIN-2016007-01Oconee2016Q1Pressure Boundary of Motor Operated Valves Could be Breached Due to Fire- Induced Hot ShortAn unresolved item was identified regarding the licensees evaluation of certain motor operated valves (MOVs) in the NSCA. Specifically, based on the conclusions in the licensees NSCA, as well as subsequent evaluations, MOVs that are subject to a hot short that bypasses the torque or limit switch could result in damage to the valve that causes an unmitigated loss of reactor coolant system (RCS) inventory due to leakage through the damaged valves pressure boundary or the valves associated sealing components. Information Notice 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire, stated that fire damage could cause an electrical hot short that bypasses thermal overload protection for MOVs, and that this hot short could result in damage to the valve. As a part of the licensees transition to NFPA 805, the licensee identified a number of MOVs that could be susceptible to IN 92-18 type damage. These valves were classified as non-compliant components or variances from deterministic requirements (VFDRs). The subsequent evaluation of these valves by the licensees Fire PRA group determined that these VFDRs met the acceptance criteria of the Fire Risk Evaluation, as documented in OSC-9314, as being acceptable "as-is" and that no further action was required. These VFDRs and their FPRA dispositions were communicated to the NRC in the April 2010 Oconee NFPA 805 license amendment request (LAR). Subsequent to NRCs issuance of the SER, Oconee Valve Engineering determined that, due to the size of the installed motor/gearbox, 10 MOVs could potentially suffer IN 92-18 damage to the extent that the integrity of the valve body or bonnet could be compromised. Loss of valve integrity of the valve pressure boundary was not an assumption used in the FPRA evaluation. The licensee documented this condition in AR 01906086. After further evaluation, the licensee documented in AR 01999309 that 9 of the original 10 valves identified could potentially suffer IN 92-18 damage to the extent that the integrity of the valve body or bonnet could be compromised. For the 9 affected valves, the licensee has undertaken additional evaluations to determine whether some portion of the valve would fail before the valves pressure boundary is compromised, or that any possible leakage that may result can be bounded by the credited RCS make-up sourcein this case, the reactor coolant make-up pump. Inspectors determined that no immediate safety concern existed with this item because the licensee had implemented compensatory measures in accordance with the sites approved FPP. This item is unresolved pending inspector receipt and review of the licensees evaluation.
05000458/FIN-2015004-05River Bend2015Q4Failure to Follow Procedure Results in Inadvertent Draindown of Reactor Pressure VesselThe inspectors reviewed a self-revealing, non-cited violation of Technical Specification 5.4, Procedures, for the licensees failure to correctly implement procedure STP-200-0605, Remote Shutdown System Control Circuit Operability Test, Revision 307. The procedure was incorrectly performed leading to an unexpected configuration in which the reactor pressure vessel was aligned to the suppression pool, and approximately 360 gallons of reactor coolant were inadvertently transferred to the suppression pool. The licensee entered this issue into their corrective action program as Condition Report CR-RBS-2015-02354. The licensee restored compliance by restoring the system to a configuration that was consistent with plant operating procedures. Corrective actions included increased management oversight of remote shutdown system operation. The performance deficiency was more than minor, and therefore a finding, because it was associated with the Initiating Events Cornerstone attribute of configuration control, and adversely affected the cornerstone objective to limit the likelihood of events that upset plant stability and challenge critical safety functions during shutdown as well as power operations. Specifically, a loss of reactor pressure vessel inventory occurred due to the establishment of an unintended system configuration caused by the inadvertent repositioning of the reactor pressure vessel suction valve. The inspectors initially screened the finding in accordance with NRC Inspection Manual Chapter 0609, Appendix G, Shutdown Operations Significance Determination Process. Using Exhibit 2 of NRC Inspection Manual Chapter 0609, Appendix G, Attachment 1, Phase 1 Initial Screening and Characterization of Findings, the inspectors determined that the finding required a Phase 2 evaluation because the loss of inventory resulted in leakage to the suppression pool that if undetected or unmitigated in 24 hours or less would cause shutdown cooling to isolate. A Region IV senior reactor analyst performed a Phase 2 evaluation of this issue and determined the issue was of very low safety significance (Green) and represented a change to the core damage frequency of 3.8E-8/year. The event sequence was an actual loss of inventory which occurred after core refueling in the shutdown. Risk was mitigated by prompt operator recovery action to stop the loss of inventory along with the operating plant configuration, which had two residual heat removal pumps aligned for automatic injection, one control rod drive pump in operation at the time of the event, and all manual injection paths fully available to mitigate the event. This finding has a cross-cutting aspect in the area of human performance associated with avoid complacency because the licensee failed to ensure that individuals recognize and plan for the possibility of mistakes, latent issues, and inherent risk, even while expecting successful outcomes.
05000416/FIN-2015301-01Grand Gulf2015Q4Inadequate Plant Operating Procedures with Eight ExamplesTitle 10 CFR Part 50, Appendix B, Criterion V, Instructions, Procedures, and Drawings, states, in part, Instructions, procedures, or drawings shall include appropriate quantitative or qualitative acceptance criteria for determining that important activities have been satisfactorily accomplished. Contrary to this, The licensees Off-Normal Procedure ONEP 05-1-02-I-1, Reactor Scram, Revision 125, does not provide all necessary guidance on how to scram the reactor. Once the immediate action of placing the mode switch in the shutdown position is completed, all additional guidance for shutting down the reactor using alternate methods is contained in EP-2A. However, the first backup method of using the scram pushbuttons is missing from both of these procedures. This procedure deficiency was entered into the licensees corrective action program as Condition Report CR-GGN-2015-07209. The licensee is missing several off-normal procedures that are required by Technical Specifications based on commitments to NRC Regulatory Guide 1.33, Revision 2. Specifically, there are no off-normal procedures for 1) a total or partial loss of DC power, 2) electrical grounds, and 3) partial or total loss of all annunciators. The licensee is committed to revision 2 of this regulatory guide in its Technical Specifications. These procedure deficiencies were entered into the licensees corrective action program as Condition Report CR-GGN-2015-07209. The licensees Emergency Procedure 05-1-02-II-1, Attachment III, Shutdown from the Remote Shutdown Panel, Revision 47, does not include all of the required steps to complete the attachment. Step 3.2.5a of this procedure requires an operator to obtain one key while two keys are actually required to complete the task. One key is required to open the protective box covering the switch and a different key is required to operate the switch. This procedure discrepancy led to delays and confusion during examination administration by applicants and during examination validation by licensed operators. This procedure deficiency was entered into the licensees corrective action program as Condition Report CR-GGN-2015-07209. The licensees Emergency Procedure 05-S-1-EP-1, Attachment 6, Defeating Reactor Feed Pumps RPV Level 9 Trips, Revision 32, contains labeling discrepancies in that the relay nomenclature in the procedure does not match the nomenclature in the main control room cabinet 1H13-P612 Bay B. This caused confusion among both the applicants and licensed operators. The confusion delayed the completion of the task administered during the examination. This procedure deficiency was entered into the licensees corrective action program as Condition Report CR-GGN-2015-07209. The licensees System Operating Instruction 04-1-01-P41-1, Standby Service Water System, Revision 140, Section 4.2, contains labeling discrepancies in that the control board labeling for several switches do not match the nomenclature listed in the procedure for the associated switches. Specifically, steps 4.2.2A(4)(a), 4.2.2A(4)(b), and 4.2.2A(6) each have a discrepancy. This procedure deficiency was entered into the licensees corrective action program as Condition Report CR-GGN-2015-07209. The licensees Alarm Response Instruction 04-02-1H13-P870-2A-E1, Revision 134, for the residual heat removal (RHR) alarm RHR A PMP RM FLOODED contains non-conservative guidance to close the suction valve (valve 1E12-F004A) for RHR pump A without regard to ensuring that the pump is secured first. This creates a condition where the safety-related residual heat removal pump is tripped on interlock only in order to prevent damage. The expectation provided to the NRC by the operations staff is that the operators should first trip the residual heat removal pump and then shut the suction valve. This procedure deficiency was entered into the licensees corrective action program as Condition Report CR-GGN-2015-07209. The licensee was unable to locate any written guidance for placing a safetyrelated diesel generator in maintenance mode to prevent automatic start and subsequent overheat of the machine when cooling water is unavailable. According to the Updated Final Safety Analysis Report, Section 9.5, Revision LDC 05077, the diesel generator jacket cooling water system provides sufficient heat sink to permit the standby diesel engines to start and operate for 2 minutes without cooling water available. Procedures that were reviewed included SOI 04-1-01-P75-1, SOI 04-1-01-Y47, and ONEP 05-1-02-I-4. An additional NRC concern for this sequence is that there is no time critical action associated with securing these diesel generators when cooling water (standby service water) is not available. The licensee needs to review the risk management program and ensure that this is not assumed in the risk management profile or if it is assumed, then operators are trained and can implement the shutdown in the appropriate time to prevent equipment damage. This procedure deficiency was entered into the licensees corrective action program as Condition Report CR-GGN-2015-07209. The licensees Equipment Performance Instruction 04-1-03D21-1, Monthly Area Radiation Monitors Functional Test, Revision 37, has confusing guidance which led several applicants in not being able to complete the task administered during the NRC initial license examination. Specifically the procedure has a limit and precaution stating that not all ARM module function switches spring return to OPERATE after being taken to ALARM. Some must be manually returned to OPERATE after being taken to ALARM while the specific steps in the procedure have the operator place and hold function switch in alarm and then release. No guidance is given within the step to return the switch to operate and this creates a situation where the observation of indication returning to normal does not occur. A precaution in the front matter in the procedure stating that the equipment may not function as the procedure is written is not sufficient to meet the quantitative or qualitative acceptance criteria for determining that important activities have been satisfactorily accomplished. This procedure deficiency was entered into the licensees corrective action program as Condition Report CR-GGN-2015-07209. The failure of these eight procedures to have the appropriate qualitative and/or quantitative criteria to complete these activities was a performance deficiency. The finding was more than minor because it is associated with the procedure quality attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective of ensuring availability, reliability, and capability of systems needed to respond to initiating events to prevent undesired consequences. Specifically, inadequate procedures could adversely affect the operating crews ability to take appropriate actions to ensure reactor safety is being maintained. Using Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process (SDP) for Findings AtPower, dated June 19, 2012, the team determined that the finding was of very low safety significance (Green) because the finding: (1) was not a deficiency affecting the design and qualification of a mitigating structure, system, or component, and did not result in a loss of operability or functionality; (2) did not represent a loss of system and/or function; (3) did not represent an actual loss of function of at least a single train for longer than its technical specification allowed outage time, or two separate safety systems out-of-service for longer than their technical specification allowed outage time; and (4) did not represent an actual loss of function of one or more non-technical specification trains of equipment designated as high safety-significance in accordance with the licensees maintenance rule program for greater than 24 hours. The finding has a cross-cutting aspect in the area of human performance associated with procedure adherence because individuals did not follow the processes to change or correct procedures that contained incorrect, missing, or non-conservative guidance (H.8).
05000315/FIN-2015003-03Cook2015Q3Deletion of Hot Shutdown Panel ProceduresThe inspectors identified an Unresolved Item (URI) related to deletion of procedures used to operate the HSD. The UFSAR and TS bases describe the HSD and its use; therefore procedures to operate the panel should have remained in place. Licensing actions, including NFPA 805 conversion and transition to improved TSs complicate the current license bases requirements for the HSD. Description: In 2003, the licensee determined that the HSDs were not required under appendix R since local instrumentation panels had been installed. The licensee prepared a 50.59 screen that inappropriately concluded that the procedures could be deleted without assessing the deletion using a full evaluation. The licensee deleted the procedures but failed to address the discussion of the HSDs in the UFSAR and TS bases. Subsequent to deletion of the procedures, the licensee received approval to convert their TSs from custom TSs to improved TSs. The revised TS still discussed the HSDs; however, reference to specific instruments were moved from the TS to the TS bases. In addition to the conversion to improved TSs, the licensee also converted fire protection from appendix R to NFPA 805 via the license amendment process. This revision recognized that the local panels would be credited for achieving and maintaining safe shutdown from outside the control room. However, the HSD satisfies draft GDC 11, which is part of the current licensing basis, and states the license must be able to shutdown the reactor and maintain it in a safe condition if access to the control room is lost due to fire or other cause. In 2009, the licensee recognized the UFSAR still substantively discussed use of the HSDs despite the deletion of procedures for them, and entered this issue into the CAP; however, the CAP did not result in substantive changes to the UFSAR and also failed to recognize the improper screen performed in 2003. In reviewing this issue, the inspectors recognized that the issue involved multiple changes to the license bases and that multiple violations of NRC requirements might exist. Because of the interactions between various licensing actions and requirements, this issue will remain a URI pending better understanding of potential violations and the current license bases for the HSD. As part of the inspection, the inspector reviewed the requirements of TS 3.3.4, Remote shutdown Monitoring Instrumentation. This TS addresses five indication functions on the HSDs and the licensee continues to perform surveillances on these instruments. Therefore, instrumentation remains operable. In addition, the licensee has entered the condition into the CAP and developed new procedures to operate the HSD.
05000277/FIN-2015003-01Peach Bottom2015Q3Incomplete Testing of Components from the Remote Shutdown PanelsThe inspectors identified a Green NCV of Technical Specification (TS) 5.4.1.a after Exelon did not establish and implement procedures to adequately test the Unit 2 and Unit 3 remote shutdown panels (RSPs). Specifically, Exelons surveillance procedure did not test all the control circuits, as required by Surveillance Requirement (SR) 3.3.3.2.1, for the Unit 2 and Unit 3 RSPs. Exelons corrective actions included entering this issue into their CAP, the development of RSP testing procedures for the reactor core isolation cooling (RCIC), control rod drive (CRD), and emergency service water (ESW) system components, and a revision to the bases for TS 3.3.3.2 The performance deficiency (PD) was determined to be more-than-minor because it was associated with the Equipment Performance attribute of the Mitigating Systems cornerstone, and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Additionally, examples 1.c, 4.l, and 4.m from IMC 0612, Appendix E, detail that a PD was more than minor if required TS surveillance testing is not performed and subsequent testing reveals that the equipment is out of specification or otherwise unable to perform a safety-related function. A detailed risk evaluation concluded that the issue was of very low safety significance (Green). This finding had a cross-cutting aspect in Human Performance, Avoid Complacency, because Exelon failed to recognize and plan for the possibility of latent problems.
05000275/FIN-2015002-04Diablo Canyon2015Q2Technical Specification 3.3.4 Not Met Due to Inoperable Remote Shutdown System FunctionThe inspectors reviewed a self-revealing Green, non-cited violation of Technical Specification 3.3.4 Remote Shutdown System, for the licensees failure to maintain adequate configuration control of fuses associated with an emergency diesel generator (EDG). The licensees failure to maintain adequate configuration control by not verifying that fuses were properly installed, and adequate post maintenance testing was performed, following maintenance activities was a performance deficiency. Specifically, following the 1R17 refueling outage, from approximately June 13, 2013 until November 22, 2013, EDG 1-3 would not have been able to perform its remote shutdown function due to not being able to be adequately operated at the local EDG control cubicle. The licensee entered this issue into the corrective action program as Notification 50595473, and took prompt actions to restore the fuses to the correct position and verify the positions of the fuses in the other EDG output breaker cubicles. The failure to properly install fuses in the local manual operation circuitry of EDG 1-3 was a performance deficiency. The performance deficiency was more than minor because it was associated with the protection against external events (fire) attribute of the Mitigating Systems Cornerstone, and it adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, it affected the ability to reach and maintain safe shutdown conditions in case of a fire causing a control room abandonment. The inspectors evaluated this finding using Inspection Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process," dated September 20, 2013. Because it affected the ability to reach and maintain safe shutdown conditions in case of a fire that led to control room evacuation, the Phase 2 methodology of Inspection Manual Chapter 0609, Appendix F, was not appropriate for this finding. Therefore, the senior reactor analyst performed a Phase 3 evaluation to determine the risk significance. The analyst determined that the performance deficiency only increased the risk of the plant as it related to the need to locally control EDG 1-3 following a postulated control room evacuation. The Senior Risk Analyst determined that the change in core damage frequency was less than 1 x 10-6, and the finding was not significant with respect to large, early release frequency. The analyst determined that this finding was of very low risk significance (Green). This finding had a cross-cutting aspect in the area of human performance associated with the work practices component, because the licensee did not ensure supervisory and management oversight of work activities, such that nuclear safety was supported (H.5).
05000382/FIN-2015007-05Waterford2015Q2Violation of Technical Specification 6.8.1.f for the failure to implement and maintain adequate written procedures covering fire protection program implementationThe team identified a violation of Technical Specification 6.8.1.f for the failure to implement and maintain adequate written procedures covering fire protection program implementation. Specifically, the team identified four examples where the licensee failed to maintain an alternative shutdown procedure that successfully mitigated all postulated alternative shutdown scenarios. This finding affects 10 CFR 50.48 and has been screened and determined to warrant enforcement discretion per the Interim Enforcement Policy Regarding Enforcement Discretion for Certain Fire Protection Issues (10 CFR 50.48). The licensee used Procedure OP-901-502, Evacuation of Control Room and Subsequent Plant Shutdown, Revision 28, to shut down the reactor from the remote shutdown panel in the event a control room or cable vault fire required evacuation of the control room. This alternative shutdown procedure provided steps for operators to transfer control of the credited safe shutdown equipment away from the control room to the remote shutdown panel and to achieve and maintain safe shutdown conditions from the remote shutdown panel. The team performed a timed walkdown of the alternative shutdown procedure. Based on the walkdown results, the team determined that the alternative shutdown procedure was not adequate to ensure that operators could successfully mitigate all postulated alternative shutdown scenarios. In particular, the team identified the following four scenarios where operators may not be able to achieve and maintain a safe shutdown: Example 1: Potential Loss of Credited Safe Shutdown Pumps The first scenario involved fire damage resulting in blown fuses for either the component cooling water or emergency feedwater pumps. In this scenario, the team determined the operators would be unable to control the affected pump from the remote shutdown panel, but the operators would be able to control the affected pump by manually operating the breakers that supplied power to the motors. The team noted that the alternative shutdown procedure did not provide any steps for operators to manually operate the breakers to control these pumps, which were required for safe shutdown. Example 2: Potential Spurious Opening of the Atmospheric Dump Valves The second scenario involved the spurious actuation of two atmospheric dump valves. The team noted that the licensee previously had a 10-minute requirement for operators to mitigate the spurious actuation of two atmospheric dump valves by taking manual control of an open atmospheric dump valve locally and then manually closing the valve. The team determined that the alternative shutdown procedure provided steps for operators to manually close an open atmospheric dump valve; however, the licensee removed the 10-minute requirement for operators to be able to perform this action. The licensee removed the 10-minute requirement based on its understanding that the spurious actuation of only one atmospheric dump valve was required to be analyzed and mitigated. The team referred to guidance in Regulatory Guide 1.189, Revision 2, which stated, in part, after control of the plant is achieved by the alternative or dedicated shutdown system, single or multiple spurious actuations that could occur in the fireaffected area should be considered... The team reviewed the licensees method for isolating the atmospheric dump valves from the effects of a control room or cable vault fire. The team determined that the circuits responsible for isolating the atmospheric dump valves were located within the control room complex and, therefore, could not be relied upon to isolate the atmospheric dump valves in the event of a control room fire. The team concluded that the licensee should have maintained the 10-minute requirement in the alternative shutdown procedure for operators to manually close a spuriously open atmospheric dump valve. During the timed walkdown of the alternative shutdown procedure, the team determined that it would take operators approximately 13 minutes to close a spuriously open atmospheric dump valve. Example 3: Potential Spurious Opening of a Pressurizer Spray Valve The third scenario involved the spurious opening of a pressurizer spray valve. In this scenario, the open pressurizer spray valve results in a rapid depressurization of the reactor coolant system, which could negatively impact the ability to achieve and maintain natural circulation. The licensee considered this scenario in the safe shutdown analysis. The licensee did not perform an analysis or calculation to determine the amount of time operators had available to mitigate this scenario. Instead, the licensee used engineering judgment to specify that operators had 10 minutes available to secure the spurious spray flow. The team was concerned that the 10-minute limit may not be sufficient to ensure that operators could achieve and maintain natural circulation. In response to the teams concern, the licensee modeled this scenario on the simulator. The team noted that the use of the simulator was not a preferred method; however, it provided a reasonable estimate for the amount of time available. The results of the simulator run indicated that the reactor coolant system would reach saturation pressure in less than 8 minutes. Once the reactor coolant system reaches saturation pressure, voiding begins in the reactor coolant system. This voiding could then negatively impact the ability to achieve and maintain natural circulation. The team determined that the alternative shutdown procedure provided steps for operators to trip the reactor coolant pumps, which would mitigate this scenario by eliminating flow through the pressurizer spray valves. During the timed walkdown of the alternative shutdown procedure, the team determined that it would take operators approximately 9 minutes and 15 seconds to trip all of the reactor coolant pumps. Scenario 4: Potential Overfilling of the Steam Generators The fourth scenario involved the potential overfilling of the steam generators. In this scenario, the open main steam isolation valves continue to provide steam to the turbinedriven main feedwater pumps, which continue to inject feedwater into the steam generators until they overfill. The team noted that the action to close the main steam isolation valves prior to evacuating the control room was an operator action within the fire area. The team determined that this action was not credited in the plants approved fire protection program; therefore, the operators must take action outside of the control room to ensure that the main steam isolation valves were closed. Because the licensee did not have an analysis establishing a time limit, the team was concerned the operators may not perform this action prior to main feedwater overfilling the steam generators. In response to the teams concern, the licensee modeled this scenario on the simulator. The team noted that the use of the simulator was not a preferred method; however, it provided a reasonable estimate for the amount of time available. The results of the simulator run indicated that the continued injection of main feedwater at full flow could overfill the steam generators in approximately 2 minutes and 30 seconds. The team noted that overfilling the steam generators would negatively impact the ability to remove decay heat. The team determined that the alternative shutdown procedure provided steps for operators to close the main steam isolation valves from outside the control room, which would mitigate this scenario by eliminating steam flow to the turbine-driven main feedwater pumps. During the timed walkdown of the alternative shutdown procedure, the team determined that it would take operators approximately 4 minutes and 30 seconds to close all of the main steam isolation valves.
05000373/FIN-2014008-01LaSalle2015Q1Failure to Ensure Circuits associated with Alternate Shutdown Capability Free of Fire-induced DaThe inspectors identified a finding of very-low safety significance (Green) and associated NCV of the LaSalle County Station Operating License for the licensees failure to ensure that the alternate shutdown capability was independent of the fire area. Specifically, in the event of a fire in the control room, the alternate shutdown capability for 16 motor operated valves (MOVs) associated with the Reactor Core Isolation Cooling (RCIC) may be affected, and may not be available due to lack of breaker fuse coordination. Fire-induced failures could result in tripping valve power supply breakers prior to tripping the control power fuses for several motor operated valves, thereby, potentially imparing the operation of RCIC from the Remote Shutdown Panel (RSP). The licensee entered this issue into their Corrective Action Program and established compensatory measures, and added steps to the safe shutdown procedures to reset the affected breakers if needed. In addition, the licensee intended to perform plant modifications to replace or revise existing breakers settings to correct the issue. The inspectors determined that the issue was more than minor, because fire induced circuits could impair the operation of RCIC and complicated shutdown of the plant in the event of a fire in the control room. The finding affected the Mitigating Systems Cornerstone. The finding was determined to be of very-low safety significance based on a detailed risk-evaluation. This finding was not associated with a cross-cutting aspect because the finding was not representative of the licensees current performance.
05000321/FIN-2014005-03Hatch2014Q4Licensee-Identified ViolationTitle 10 of the Code of Federal Regulations (10 CFR Part 50.54(q)(2)) requires, in part, that a holder of a license under this part shall follow and maintain the effectiveness of an emergency plan that meets the requirements in 10 CFR Part 50, Appendix E and the planning standards of 10 CFR Part 50.47(b). 10 CFR Part 50, Appendix E, Section IV.A.9 states, By December 24, 2012, for nuclear powe reactor licensees, a detailed analysis demonstrating that on-shift personnel assigned emergency plan implementation functions are not assigned responsibilities that would prevent the timely performance of their assigned functions as specified in the emergency plan, shall be included. Contrary to the above, on December 24, 2012, the licensees detailed analysis of onshift staffing was deficient in that the specific scenario involving a fire in the Main Control Room with dual unit remote shutdown panel operations was evaluated assuming a typical complement of 17 operations personnel vice the 14 specified in the licensees Emergency Plan and fire response plan. The licensee subsequently performed a detailed time-motion study and determined that all required functions could have been performed, but individual workload capacity would have been challenged. The NRC determined that with no identified loss or degradation of a planning standard function, the failure to complete the detailed analysis in accordance with 10 CFR Part 50, Appendix E, Section IV.A.9, was a very low safety significance issue (Green) as indicated in Inspection Manual Chapter 0609, Appendix B, Emergency Preparedness Significance Determination Process, Revision dated September 26, 2014. This violation was documented in CAR 11209. Immediate corrective actions included interim augmentation for on-shift positions and the on-shift staffing analysis was re-performed. Final incorporation into the licensees emergency plan is in progress.
05000458/FIN-2014004-03River Bend2014Q3Licensee-Identified ViolationTitle 10 CFR 50.65(a)(1) requires, in part, that holders of an operating license shall monitor the performance or condition of systems, structures, and components within the scope of the rule against licensee-established goals in a manner sufficient to provide reasonable assurance that such systems, structures, and components are capable of fulfilling their intended safety functions. Title 10 CFR 50.65(a)(2) requires, in part, that monitoring specified in paragraph (a)(1) is not required where it has been demonstrated the performance or condition of a system, structure, and component is being effectively controlled through appropriate preventive maintenance, such that the system, structure, and component remains capable of performing its intended function. Contrary to the above, from May 13, 2013, to February 28, 2014, the licensee failed to demonstrate that the performance of the remote shutdown system was being effectively controlled through appropriate preventive maintenance. Specifically, station personnel failed to appropriately evaluate repetitive component failures of Gould J11 relays across system boundaries, resulting in the remote shutdown system exceeding the functional failure criteria without implementing appropriate preventive maintenance to improve system performance. The licensee entered this deficiency into the corrective action program as Condition Report CR-RBS-2014-01006. The finding was more than minor since violations of 10 CFR 50.65(a)(2) necessarily involve degraded system performance which, if left uncorrected, could become a more significant safety concern. This finding has very low safety significance (Green) because the finding did not lead to an actual loss of safety function of the system or cause a component to be inoperable, nor did it screen as potentially risk-significant due to a seismic, flooding, or severe weather initiating event.
05000443/FIN-2014007-01Seabrook2014Q3Alternate Safe Shutdown Areas Affected by Smoke from Cable Spreading Room FireThe team identified a finding of very low safety significance, involving a non-cited violation of Seabrook Unit 1 Operating License Condition 2.F for failure to implement and maintain all aspects of the approved Fire Protection Program. Specifically, NextEra failed to ensure that intake air to the A and B remote shutdown panel areas was not contaminated from products of combustion resulting from a cable spreading room fire. NextEra promptly entered this issue into its corrective action program as condition reports AR 01977233 and AR 01982946. NextEra initiated compensatory measures in the form of four-hour roving fire watches. Long term corrective actions include determining options to eliminate the potential for smoke migration from a cable spreading room fire to the A and B essential switchgear rooms. This finding was more than minor because it was associated with the Protection Against External Factors (e.g., fire) attribute of the Mitigating Systems Cornerstone and adversely affected the cornerstone objective to ensure the availability and reliability of systems that respond to initiating events to prevent undesirable consequences. In accordance with IMC 0609, Appendix F, Fire Protection Significance Determination Process, Attachment 1, Step 1.6, a Senior Reactor Analyst examined NextEras probabilistic risk analysis based risk evaluation for the issue and determined this finding resulted in an increase in core damage frequency in the mid E-7 range (Green) or very low safety significance. This finding did not have a cross-cutting aspect because it was determined to be a legacy issue and was considered to be not indicative of current licensee performance.
05000416/FIN-2014007-01Grand Gulf2014Q2Possible Spurious Actuation of The Safety Relief Valves During Control Room Fire ScenariosThe team reviewed the licensees safe shutdown analyses, thermal hydraulic analysis, and the licensing basis for control room fire scenarios. The team identified three issues of concern that require additional information and inspection for resolution. Concern 1: Required Alternative Shutdown Scenarios The first issue of concern was associated with the identification of the control room fire scenarios that were required by the licensing basis to be considered and mitigated. The NRC promulgated guidance for alternative and dedicated shutdown capability in Generic Letter 86-10, Implementation of Fire Protection Requirements. In Question 5.3.10, Design Basis Plant Transients, the staff addressed the plant transients that should be considered in the design of alternative or dedicated shutdown systems. The staff stated that a loss of offsite power shall be assumed for any alternative shutdown area. In addition, the staff stated that the safe shutdown capability should not be adversely affected by a fire in any plant area which results in the loss of all automatic function (signals, logic) from the circuits located in the area in conjunction with one worst case spurious actuation or signal resulting from the fire. On February 24, 2005, the licensee identified a concern with the transient analysis for a control room fire and documented it in Condition Report CR-GGN-2005-00770. The licensee stated that, it appears that it does not assume the loss of offsite power concurrent with the loss of all automatic functions (signals, logic) in conjunction with the worst case spurious actuation or signal resulting from the fire as required by Section III.L of Appendix R and Generic Letter 86-10. On August 24, 2005, the licensee evaluated this concern and determined that the fire induced spurious actuation of the safety relief valves could occur in any of three ways: 1. A single intra-cable short within the control circuit cable could actuate an individual safety relief valve. The safety relief valve control cables were routed together within the control room with each cable containing multiple control conductors and multiple 125 Vdc conductors. 2. Two intra-cable shorts within two separate instrument cables or two intra-cable shorts within a single instrument cable could actuate all eight of the safety relief valves associated with the automatic depressurization system. 3. Two intra-cable shorts within two separate instrument cables to either Division I or Division II circuits could open all 20 safety relief valves. The licensee concluded in their evaluation that it is expected that the worst case spurious actuation or signal resulting from a fire in the control room would involve opening of 20 safety relief valves. On November 2, 2009, the NRC provided the following additional guidance for alternative and dedicated shutdown capability in Regulatory Guide 1.189, Fire Protection for Nuclear Power Plants, Revision 2: The licensee should consider one spurious actuation or signal to occur before control of the plant is achieved through the alternative or dedicated shutdown system for fires in areas that require alternate or dedicated shutdown. After the operators transfer control from the control room to the alternative or dedicated shutdown system, single or multiple spurious actuations that could occur in the fire-affected area should be considered, in accordance with the plants approved fire protection program. The approach outlined in Appendix D to NEI 00-01 provides an acceptable methodology for evaluating alternative and dedicated shutdown, when applied in conjunction with this regulatory guide. In addition, the second paragraph of Appendix G to NEI 00-01 provides information regarding the analysis of multiple spurious actuations for alternative and dedicated shutdown systems. The licensee continued to evaluate this concern through their corrective action program. On August 17, 2012, the licensee developed Engineering Report GGNS-EE-10-00003, Safe Shutdown Evaluation of Control Room Fire Scenarios, Revision 0. In this report, the licensee relied on guidance contained in Appendix G, Generic List of MSOs, to NEI 00-01, Guidance for Post Fire Safe Shutdown Circuit Analysis, Revision 2, when evaluating the effect of a control room fire spuriously actuating all 20 safety relief valves. Specifically, the licensee stated: In accordance with the second paragraph of Appendix G to NEI 00-01, scenarios that involve spurious operation of multiple safe shutdown components concurrent with failure of automatic functions need not be included in the analysis of impacts for the main control room. However, if plant response to such transients could negate the capability to achieve and maintain post-fire safe shutdown, a voluntary review of the postulated scenarios may be warranted to supplement a previously approved alternative shutdown capability that scenarios that involve the spurious operation of multiple safe shutdown components concurrent with the failure of automatic functions need not be included in the analysis of impacts for the control room. The team reviewed the NRC positions provided in Regulatory Guide 1.189, Revision 2, and discussed these positions with personnel in the Office of Nuclear Reactor Regulation. The team determined that the NRC endorsed the approach outlined in Appendix D, Alternative/Dedicated Shutdown Requirements, to NEI 00-01, Revision 2 (when applied in conjunction with Regulatory Guide 1.189, Revision 2). The team also determined that the NRC neither endorsed nor rejected the approach for analyzing multiple spurious actuations for alternative and dedicated shutdown systems outlined in Appendix G to NEI 00-01, Revision 2. The team was concerned that the licensee may not have adequately followed the guidance for identifying the control room fire scenarios that were required to be considered and mitigated. The NRC staff will need to perform additional review to determine if the plants licensing basis required the licensee to analyze and mitigate the spurious actuation of a single safety relief valve (due to a single intra-cable hot short in a single cable), the spurious actuation of the automatic depressurization system (due to two intra-cable hot shorts in a single cable), or the spurious actuation of all twenty safety relief valves (due to a single intra-cable hot short in two separate cables). Concern 2: Time Available for Operators to Depressurize the Reactor The second issue of concern was associated with the amount of time available for operators to depressurize the reactor during control room fire scenarios. For control room fires, the licensees alternative shutdown strategy required operators to take immediate actions to restore electrical power, align a residual heat removal pump in the low pressure coolant injection mode, and depressurize the reactor using six safety relief valves prior to the reactor vessel level reaching -160 . The licensee described the plant response during an alternative shutdown in Engineering Report GGNS-NE-10-00003, GGNS EPU Appendix R Fire Protection, Revision 2. This thermal hydraulic analysis calculated the amount of time for the reactor vessel level to reach -160 (assuming no high pressure injection sources were available) and the resulting maximum peak clad temperature. Using a nominal scenario with no spurious actuations, the licensee determined the reactor vessel level would reach -160 within 14.3 minutes and the reactor would experience a maximum peak clad temperature of 597 F. The team performed a timed walkdown of the alternative shutdown procedure and determined that it took operators approximately 12 minutes to align the equipment required for depressurizing the reactor and injecting with the residual heat removal pump. The licensee also analyzed the plant response using an alternate scenario with the spurious actuation of all 20 safety relief valves. In this alternate scenario, the licensee determined the residual heat removal pump would initiate in the low pressure coolant injection mode within 118 seconds to restore level, the residual heat removal pump would begin injecting water into the reactor within 153 seconds, and the reactor would experience a maximum peak clad temperature of 597 F. For the evaluation of the alternate scenario, the licensee relied upon guidance contained in NEI 00-01, Appendix G, to credit the automatic initiation of the residual heat removal pump in the low pressure coolant injection mode. The team noted that this assumption could be considered adequate for analyzing control room fire scenarios that were outside of the licensing basis, but would be considered inadequate for demonstrating compliance with control room fire scenarios that were required to be considered and mitigated since it credited the availability of electrical power as well as the automatic initiation of the residual heat removal pump. In either case, the team noted that the evaluation of the alternate scenario failed to account for the steps in the alternative shutdown procedure that directed operators to open the breaker for the residual heat removal pump prior to restoring electrical power and subsequently restarting the pump. The team performed a timed walkdown of the alternative shutdown procedure and determined that it took operators approximately 8 minutes to open the breaker for the residual heat removal pump and approximately 12 minutes to depressurize the reactor and restart the residual heat removal pump. The team was concerned that the licensees determination of the time available for operators to depressurize the reactor may be incorrect. Specifically, the team was concerned that the licensees determination that operators had 14.3 minutes available to take the required immediate actions prior to the reactor vessel level reaching -160 may be incorrect since the evaluation failed to assume any spurious actuations. As described in the previous concern, the licensee may be required to consider and mitigate the spurious actuation of a single safety relief valve, the automatic depressurization system, or all 20 safety relief valves. The team noted that the thermal hydraulic analysis did not evaluate the plant response to the spurious actuation of a single safety relief valve or the automatic depressurization system. The team required additional information in order to resolve this concern. Specifically, the team required a thermal hydraulic analysis that provided the plant response to the control room fire scenarios that were required to be considered and mitigated. This thermal hydraulic analysis will be used to determine the amount of time available for operators to restore electrical power, align the residual heat removal pump in the low pressure coolant injection mode, and prepare to depressurize the reactor prior to reaching a reactor vessel level of -160 . Concern 3: Isolation of the Safety Relief Valve Circuits The third issue of concern was associated with the isolation of the safety relief valve circuits. For control room fires, the licensees alternative shutdown strategy required operators to open two breakers (72-11A23 and 72-11B34) in order to ensure that the 14 non-credited safety relief valves were closed. The six credited safety relief valves were isolated from the control room via the use of transfer switches. The team was concerned that hot shorts in the control room could cause a spurious actuation that threatened the ability to achieve and maintain safe shutdown conditions. The team noted that the control room cabinets containing the safety relief valve circuits also contained other 125 Vdc circuits that may remain energized during an alternative shutdown. The team was concerned that hot shorts from one of these circuits could prevent the closure of safety relief valves (if spuriously open) or could spuriously open the safety relief valves after the control room was isolated and control transferred from the control room to the remote shutdown panel. The team required additional information in order to resolve this concern. Specifically, the team required an evaluation of the remaining circuits in the control room panels that contain the safety relief valve circuits in order to determine if any of these other circuits remain energized during an alternative shutdown. The licensee entered these issues of concern into the corrective action program as Condition Report CR-GG-2014-03690. These issues of concern are being treated as an Unresolved Item 05000416/2014007-01, Possible Spurious Actuation of the Safety Relief Valves During Control Room Fire Scenarios.
05000397/FIN-2014003-08Columbia2014Q2Licensee-Identified ViolationColumbia Generating Station Operating License, Condition 2.C(14), requires, in part, that the licensee shall implement and maintain in effect all provisions of the approved fire protection program as described in section 9.5.1 and Appendix F of the FSAR for the facility. Columbia Generating Station FSAR, Appendix F, Fire Protection Evaluation, section F.4.4.4, Detailed Fire Hazard Analysis by Area, states, in part, for the main control room (Fire Area RC-10), a design basis fire will be confined to the fire area and systems needed for post-fire safe shutdown will remain free of fire damage. Contrary to the above, prior to February 24, 2014, the licensee failed to implement and maintain in effect all provisions of the approved fire protection program as described in Appendix F of the FSAR. Specifically, because of unfused DC ammeters in the main control room, the licensee failed to ensure that for a design basis fire, the fire will be confined to Fire Area RC-10 and that the systems needed for post-fire safe shutdown will remain free of fire damage. This finding was identified by the licensee and entered in the licensees corrective action program as AR 303326 and AR 304147. A senior reactor analyst performed a detailed risk evaluation and determined that the associated change to the core damage frequency was approximately 3.8E-7. The change to the large early release frequency was approximately 5E-8/year. Therefore, the finding was of very low safety significance (Green). The dominant core damage sequences involved a control room fire initiating event in Panel P-800, loss of Division I and Division II emergency AC power sources, and failure of the high pressure core spray system (failure of either the diesel or pump). The Division II emergency diesel generator failed because of secondary fires. The ability to recover the Division I emergency diesel generator at the remote shutdown panel helped to minimize the risk.
05000440/FIN-2014002-02Perry2014Q1Failure to Ensure Required 3-Hour Fire Barriers (Seals) Were In-placeThe inspectors identified a finding of very low safety significance (Green) and associated non-cited violation of Perry Operating License Condition 2.C(6) for failure to establish a required 3-hour fire barrier as required by design. Specifically, on March 13, 2014, the inspectors identified four incomplete fire barrier seals in ceiling-level penetrations between the Division 1 and Division 2 battery rooms and the adjoining direct current (DC) switchgear rooms, and on March 14 identified the lack of a fire barrier seal in a ceiling-level penetration between the remote shutdown panel room and an adjoining alternating current (AC) switchgear room. The licensee implemented compensatory measures that included hourly fire watches and entered the issues into the corrective action program. The finding was determined to be more than minor because it was associated with the protection against external factors attribute of the Mitigating Systems cornerstone and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the lack of a barrier caused the required 3-hour barrier required by design to be non-functional. In Step 1.2 of Inspection Manual Chapter 0609, Appendix F, Attachment 1, Category of Fire Inspection Finding, the inspectors assigned Category 1.4.3, Fire Confinement, to the finding, which was determined to be of very low safety significance. For the battery room seals, the inspectors identified a cross-cutting aspect in the area of human performance, work management, where the organization implements a process for planning and controlling, and executing work activities such that nuclear safety is the overriding priority (H.5). Specifically, the licensee did not follow its procedures when the fire seal material was formed in the workshop and then installed in the openings instead of being formed in situ as required by the licensees procedures (H.5). The inspectors determined there was no crosscutting aspect associated with the lack of a fire seal in the remote shutdown panel room because it did not reflect current performance.
05000313/FIN-2013009-02Arkansas Nuclear2013Q4Failure to Maintain Adequate Staffing for Operators to Perform a Simultaneous Alternative Shutdown of Both Units and Staff the Fire BrigadeThe team identified an Unresolved Item (URI) concerning the failure to implement and maintain in effect all provisions of the approved fire protection program as defined by License Conditions 2.C.(8) for Unit 1 and 2.C.(3)(b) for Unit 2. Specifically, the licensee failed to maintain adequate staffing for operators to perform a simultaneous alternative shutdown of both units and staff the fire brigade. Further NRC staff evaluations will be required to determine if this issue is more than minor. The licensee provided the minimum operations shift staffing requirements in Procedure EN-OP-115, Conduct of Operations, Revision 14. This procedure required that the Unit 1 shift be comprised of a shift manager, control room supervisor, shift technical advisor, two licensed control board operators, two non-licensed auxiliary operators, a waste control operator, and a communicator. This procedure required the same staffing for Unit 2, but it noted that the Unit 2 communicator could serve as the alternate shutdown operator (a Unit 2 specific position). The licensee would use Procedure 1203.002, Alternate Shutdown, Revision 24, to perform an alternative shutdown for Unit 1 and Procedure 2203.014, Alternate Shutdown, Revision 26, to perform an alternative shutdown for Unit 2. The alternative shutdown procedure for Unit 1 required actions from the shift manager, control room supervisor, shift technical advisor, two control board operators, and two auxiliary operators. The alternative shutdown procedure for Unit 2 required actions from the shift manager, control room supervisor, shift technical advisor, two control board operators, two auxiliary operators, and the alternate shutdown operator. The licensee only required one communicator to respond to the technical support center to make the required notifications. The licensee would use Procedure 1203.029, Remote Shutdown, Revision 10, to perform a remote shutdown for Unit 1. The remote shutdown procedure required actions from the shift manager, control room supervisor, and two control board operators. Unlike the alternative shutdown procedure, it did not require actions from the two auxiliary operators. The licensee delineated operator responsibilities for alternative and remote shutdowns for both units in Calculation CALC-85-E-0086-02, Manual Action Feasibility and Common Results, Revision 4. The team noted that this calculation was not consistent with the current staffing. The calculation had not been updated after the 2007 addition of an auxiliary operator position or the 2012 addition of an alternate shutdown operator position for Unit 2. The team determined through discussions with the licensee that the fire brigade was composed of four non-licensed operators and one security officer. The waste control operator from each unit was assigned to the fire brigade and designated as the potential fire brigade leader, depending on the unit affected. In the event of an alternative shutdown of Unit 2, the licensee credited the waste control operator from Unit 2 as the fire brigade leader and the waste control operator from Unit 1, two auxiliary operators from Unit 1, and the security officer as the remaining fire brigade members. The licensee discussed operator responsibilities for an alternative shutdown of Unit 2 coincident with a remote shutdown of Unit 1, but did not discuss operator responsibilities for a simultaneous alternative shutdown of both units. The team concluded that the licensee failed to maintain adequate staffing for operators to perform a simultaneous alternative shutdown of both units and staff the fire brigade. Specifically, the licensee required actions from all operators other than the two waste control operators during a simultaneous alternative shutdown of both units. This left the two waste control operators and the security officer as the only assigned fire brigade members that could respond to a potential control room fire. The team reviewed the fire protection licensing basis. Since the control rooms were located in the same fire area, the team concluded that the licensee must be able to perform a simultaneous alternative shutdown of both units and staff the fire brigade. The team noted that the licensee did not have an exemption from this requirement. The licensee identified this non-compliance in 2006 and documented this issue in Condition Report CR-ANO-C-2006-00048, Corrective Action 36. In response to this concern, the licensee performed a risk evaluation but failed to initiate any corrective actions or compensatory measures. In 2007 and 2012, the licensee subsequently added the auxiliary operator and alternate shutdown operator positions, respectively, for an alternative shutdown of Unit 2. During each addition, the licensee failed to ensure the adequate staffing for operators to perform a simultaneous alternative shutdown of both units and staff the fire brigade. The licensee determined that alternative shutdown of both units would not be required since a fire in one control room would not be capable of causing circuit damage in equipment located in the other control room. The licensee developed detailed fire models to demonstrate this position as part of the transition to NFPA-805. The licensees License Amendment Request for Unit 2, dated March 27, 2012 (ML12087A113) has been submitted to the NRC and is under review by the NRC staff. The result of the NRC staff review of this analysis will be required to determine if this issue is more than minor. This issue is being treated as an unresolved item: URI 05000313;05000368/2013009-002, Failure to Maintain Adequate Staffing for Operators to Perform a Simultaneous Alternative Shutdown of Both Units and Staff the Fire Brigade.
05000458/FIN-2013007-04River Bend2013Q4Unresolved Item Associated with the Isolation of the Alternative Shutdown SystemThe team identified an unresolved item associated with the isolation of post-fire safe shutdown circuitry for control room fire scenarios. Specifically, the team identified that the licensee may not adequately isolate circuitry for the safety relief valves and the main steam isolation valves from the effects of a control room fire. In the event of a fire in the control room, the licensee must ensure control circuitry for equipment credited for post-fire safe shutdown is electrically isolated from the control room so that fire damage could not prevent the ability to achieve and maintain safe shutdown conditions. For valves that are required to close or remain closed for post-fire safe shutdown, the licensee must ensure that control room fires do not prevent the closure of the valves and do not spuriously open the valves once the control room has been isolated and control transferred from the control room to the remote shutdown panel. Example 1: Spurious Opening of the Safety Relief Valves The alternative shutdown procedure provided steps for operators to mitigate the effects of any single spurious actuation or signal resulting from a control room fire that occurred prior to transferring control from the control room to the remote shutdown panel. For the safety relief valves, the procedure directed operators to de-energize two 125 Vdc panels (ENB-PNL02A and ENB-PNL02B) in order to ensure that the 13 non-credited safety relief valves were closed. The three credited safety relief valves were isolated from the control room via the use of transfer switches. The team identified a concern that hot shorts in the control room could cause a spurious actuation that threatened the ability to achieve and maintain safe shutdown conditions. The team noted that the control room cabinets containing the safety relief valves also contained other 125 Vdc circuits that remained energized during an alternative shutdown. The team was concerned that hot shorts from one of these circuits could prevent the closure of a safety relief valve (if spuriously open) or could spuriously open the safety relief valve once the control room was isolated and control transferred from the control room to the remote shutdown panel. The team was also concerned that the safe shutdown analysis did not analyze for one or more safety relief valves remaining open during the plant shutdown. This concern applied to the 13 safety relief valves that did not have control transferred to the remote shutdown panel. In addition, the team noted that circuit failures could spuriously open multiple safety relief valves through the spurious actuation of the automatic depressurization system. The team was concerned that the spurious actuation of the automatic depressurization system could be considered a single spurious actuation or signal that fell within the bounds of the safe shutdown analysis. A similar concern was first identified during the 1997 fire protection functional inspection and documented in Inspection Reports 97-201 and 98-16. Example 2: Spurious Opening of the Main Steam Isolation Valves As noted in the previous example, the alternative shutdown procedure provided steps for operators to mitigate the effects of any single spurious actuation or signal resulting from a control room fire that occurred prior to transferring control from the control room to the remote shutdown panel. For the main steam isolation valves, the procedure directed operators to attempt to close the main steam isolation valves inside the control room and then de-energize the reactor protection system motor generator sets outside the control room. The reactor protection system provides power to the circuitry for the main steam isolation valve solenoids. When the solenoids are de-energized, the main steam isolation valves fail closed. The team identified a concern that hot shorts in the control room could cause spurious actuations that threatened the ability to achieve and maintain safe shutdown conditions. Specifically, the team identified that a portion of the trip logic circuitry was connected in the control room to the portion of the circuitry that energizes the solenoid valve for each main steam isolation valve. The trip logic circuitry was located downstream of where the reactor protection system bus was de-energized, and it did not contain a protective circuit device such as fusing or open contacts that would isolate the trip logic portion of the circuitry from the solenoid valve. The control room cabinet containing the trip logic circuitry also contained other 125 Vdc circuits that remained energized during an alternative shutdown. The team was concerned that hot shorts from these circuits could prevent the closure of the main steam isolation valves or could spuriously open the main steam isolation valves after the reactor protection system motor generator sets were de-energized. The team noted that one main steam isolation valve, either inboard or outboard, must close and remain closed in order to maintain inventory. The licensee entered these issues into the corrective action program as Condition Report CR-RBS-2013-03473. The team determined that additional inspection is required to determine if a performance deficiency exists. This issue of concern is being treated as an Unresolved Item URI 05000458/2013007-04, Unresolved Item Associated with the Isolation of the Alternative Shutdown System.
05000327/FIN-2013004-03Sequoyah2013Q3Licensee-Identified ViolationUnit 1 Technical Specification 3.3.3.5 requires, in part, that the remote shutdown monitoring instrumentation channels shown in Table 3.3-9 shall be operable with readouts displayed external to the control room. With the number of operable remote shutdown monitoring instrumentation channels less than required by Table 3.3-9, restore the inoperable channel(s) to operable status within 7 days, or be in Hot Shutdown within the next 12 hours. One AFW Flow Rate instrumentation channel per steam generator is required per Table 3.3-9. Contrary to the above, on February 26, 2013, the licensee determined that they had two AFW flow indicators (1-FI-3-147C & 1-FI-3-163C) inoperable longer than 7 days. The licensee entered the issue into the corrective action program as PERs 683145, 688013, and 717323. The finding was determined to have very low safety significance (Green) because there was no actual loss of safety system function, and there was no significant increase in the likelihood of a fire.
05000445/FIN-2013004-05Comanche Peak2013Q3Potential Motor-Operated Valve Single Spurious Operation VulnerabilityThe inspectors identified an unresolved item associated with fire-induced single spurious operations. The inspectors were concerned that a single hot short could cause the spurious operation of motor-operated valves and bypass their torque/limit switch, resulting in damage to the pressure boundary. On February 28, 1992, the NRC issued Information Notice 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire, to alert licensees of conditions that could result in the loss of capability to maintain the reactor in a safe shutdown condition in the event that a control room fire forced operators to evacuate the control room (i.e., alternative shutdown scenarios). Information Notice 92-18 was primarily concerned with the loss of control of valves required for alternative shutdown. Specifically, the Information Notice was concerned with the potential for hot shorts to cause the spurious operation of these motor-operated valves and bypass their torque/limit switch, potentially damaging the valves before operators could transfer control to the remote shutdown panel. In this situation, the valves may not be able to be operated manually or from the remote shutdown panel. The licensee evaluated this issue in Engineering Report ER-ME-089, Resolution of NRC Information Notice 92-18, Potential Loss of Remote Shutdown Capability Following Control Room Fire, Revision 0, dated December 29, 1993. The licensee evaluated the population of motor-operated valves that were required to be operated manually or remotely from the remote shutdown panel for alternative shutdown scenarios. This population consisted of 86 motor-operated valves. The licensee made modifications as necessary to ensure that these valves could be operated manually or remotely from the remote shutdown panel for all alternative shutdown scenarios. In 2010, the licensee began their evaluation of multiple spurious operations in accordance with Nuclear Energy Institute Document NEI 00-01, Guidance for Post-Fire Safe-Shutdown Circuit Analysis, Revision 2. Appendix G to NEI 00-01 contained the generic list of multiple spurious operations scenarios applicable to pressurized water reactors. This appendix contained a scenario (MSO-55) that considered valve failure due to a spurious motor-operated valve operation in conjunction with a short that bypassed the torque/limit switch. This scenario was described as follows: General scenario is that fire damage to motor-operated valve circuitry causes spurious operation. If the same fire causes wire-to-wire short(s) such that the valve torque and limit switches are bypassed, then the valve motor may stall at the end of the valve cycle. This can cause excess current in the valve motor windings as well as valve mechanical damage. This mechanical damage may be sufficient to prevent manual operation of the valve. Scenario only applies to motor-operated valves. Note this generic issue may have already been addressed during disposition of the NRC Information Notice 92-18. This disposition should be reviewed in the context of multiple spurious operations and multiple hot shorts. The licensee formed a multiple spurious operations expert panel, which met in March 2010, to review the generic list of multiple spurious operations contained in NEI 00-01. The multiple spurious operations expert panel meeting results were documented in Engineering Report ER-ME-130, Summary of Expert Panel Activities Related to Postulation of Multiple Spurious Operations for the CPNPP Fire Safe Shutdown Analysis, Revision 0, dated April 2010. The licensee initially concluded that scenario MSO-55 was already addressed in the fire safe shutdown analysis. On August 17, 2010, the licensee convened a supplemental meeting of the multiple spurious operations expert panel. The expert panel reconsidered multiple spurious operations scenario MSO-55 and concluded that a nonconformance existed. Specifically, the expert panel concluded that the licensee had addressed the concerns raised in Information Notice 92-18 for alternative shutdown scenarios, but did not address the concerns for scenarios where operators did not need to evacuate the control room. The licensee subsequently evaluated the larger population of motor-operated valves that are used or must remain intact for post-fire safe shutdown. The licensee concluded that modifications were needed for 57 valves. Ten of the valves required a mechanical modification, while the remaining 47 valves required an electrical modification. The licensee entered this issue into their corrective action program as Condition Report CR-2010-007806 and implemented compensatory measures. The inspectors identified an issue of concern with the potential for single spurious operations to damage the pressure boundary. The inspectors determined that additional inspection is required to determine if a performance deficiency exists. This issue of concern is being treated as an unresolved item URI 05000445/2013004-06; 05000446/2013004-06, Potential Motor-Operated Valve Single Spurious Operation Vulnerability.
05000458/FIN-2013003-02River Bend2013Q2Failure to Adequately Evaluate and Correct Degraded 125 Vdc Fused Disconnect SwitchesThe inspectors identified a non-cited violation of 10 CFR Part 50, Appendix B, Criterion XVI, Corrective Action, for the failure to identify and take prompt and adequate corrective actions to address a condition adverse to quality specifically related to the 125 Vdc fused disconnect switches located in the diesel generator building electrical distribution panels. The licensee addressed the underlying safety concern by cycling the disconnect switch to clean the corroded contact surfaces and performing voltage and current checks to verify circuitry operability. The licensee entered the finding into the corrective action program as Condition Report CR-RBS-2013-04247 The inspectors determined that this finding is more than minor because it is associated with the equipment performance attribute of the mitigating systems cornerstone and affects the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, during a seismic event the partially seated, corroded knife blades could cause a loss of safety related 125 Vdc power to the Division 1 and 2 emergency diesel generators, reactor water recirculation pumps A and B, or Division 1 and 2 remote shutdown panels. In accordance with NRC Inspection Manual Chapter 0609, Attachment 4, Initial Characterization of Findings, and NRC Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process for Findings At-Power, Exhibit 2, this finding screened as very low safety significance (Green) because the degraded condition was not a design or qualification deficiency; did not represent an actual loss of function of a system; did not represent an actual loss of function of a single train or two separate trains for greater than its technical specification allowed outage time; did not represent an actual loss of function of one or more non-technical specification trains of equipment designated as high safety significant; and did not screen as potentially risk significant due to a seismic, flooding, or severe weather initiating event. Because the most significant causal factor of the performance deficiency was the licensees failure to use consistent key words in the corrective action program to characterize the disconnect switch failures, this finding has a cross-cutting aspect in the problem identification and resolution area associated with the corrective action program component because the licensee did not periodically trend and assesses information from the CAP and other assessments in the aggregate to identify programmatic and common cause problems.
05000354/FIN-2013002-01Hope Creek2013Q1A Technical Specification Surveillance Procedure for Remote Shutdown Panel Instrumentation was Inadequately ImplementedA self-revealing NCV of very low safety significance of technical specification (TS) 6.8.1 and TS 3.3.7.4 resulted because PSEG did not properly perform the monthly TS surveillance requirement (SR) 4.3.7.4.1 which demonstrates operability of the remote shutdown system instrumentation and controls. Specifically, operators that performed the monthly surveillance did not identify that the reactor core isolation cooling (RCIC) turbine bearing oil pressure low indication was inoperable and, as a result, PSEG did not take the action required within the TS allowed outage time. PSEGs immediate corrective actions included entering the issue into their corrective action program as notifications 20567832 and 20567743, replacing the failed relay and initiating an apparent cause evaluation (ACE). This finding is more than minor because it is associated with the equipment performance attribute of the Mitigating Systems cornerstone and affected the cornerstone objective to ensure the availability and reliability of systems that respond to initiating events to prevent undesirable consequences. Specifically, when tested, the RCIC turbine bearing oil pressure low indication on the remote shutdown panel (RSP) was inoperable, and this condition went undetected for approximately one month. In accordance with IMC 0609.04, Initial Characterization of Findings, and Exhibit 2 of IMC 0609, Appendix A, The Significance Determination Process for Findings At-Power, issued June 19, 2012, the inspectors determined that this finding is of very low safety significance (Green) because the performance deficiency was not a design or qualification deficiency, did not involve an actual loss of safety function, did not represent actual loss of a safety function of a single train for greater than its TS allowed outage time, and did not screen as potentially risk-significant due to a seismic, flooding, or severe weather initiating event. The NRC determined the finding had a cross cutting aspect in the human performance area associated with work practices procedural compliance, because PSEG did not ensure that personnel work practices support human performance, in that, a licensed reactor operator (RO) incorrectly documented HC.OPST.SV0001 as satisfactory. Additionally, the senior reactor operator (SRO) that reviewed the test did not identify the procedure performance error.
05000528/FIN-2013008-01Palo Verde2013Q1Licensee-Identified ViolationThe following violation of very low safety significance (Green) was identified by the licensee and is a violation of NRC requirements which meets the criteria of the NRC Enforcement Policy for being dispositioned as a non-cited violation. License Condition 2.C.(6), Fire Protection, requires the licensee to maintain in effect all provisions of the approved fire protection program described in listed regulatory documents. Supplemental Safety Evaluation Report 5 states the alternative shutdown capability for PVNGS 1-3 complies with the requirements of Section III.L of Appendix R and, therefore, is acceptable. Title 10 CFR Part 50, Appendix R, Section III.L.3 requires that the alternative shutdown capability shall be independent of the specific fire area. Contrary to the above, the design of three circuits in the remote shutdown system was not independent from the effects of fire damage in the case of a fire in the control room. The licensee entered this deficiency in their corrective action program as Palo Verde Action Request 4311694 and Palo Verde Action Request 4329210 and issued Licensee Event Report 05000528; 529; 530/2012-005-00. The licensee has revised Procedure 40AO-9ZZ19, Control Room Fire, to address this finding. The finding was evaluated for safety significance using Inspection Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, Attachment 1. The finding was assigned a low degradation rating due to the performance and reliability of the remote shutdown following a control room evacuation being minimally impacted by the finding. Based on the low degradation rating, the finding screened as having a very low safety significance (Green) in Phase 1, Task 1.3.1, Qualitative Screening for All Finding Categories, Question 1.
05000458/FIN-2012005-04River Bend2012Q4Failure to Follow Procedure for Lifting Leads Results in Inoperability of Standby Service Water FanThe inspectors reviewed a self-revealing, non-cited violation of Technical Specification 5.4.1.a due to a failure to follow work order instructions. Specifically, station personnel failed to follow the requirements of Procedure GMP-0042, Lifted Leads and Jumpers, Revision 13 when removing and reinstalling a time-delay relay for a standby service water cooling fan. This issue was entered into the licensees corrective action program as Condition Report CR-RBS-2012-06325. The failure to follow work order instructions is a performance deficiency. This performance deficiency is more-than-minor because it is associated with the equipment reliability attribute of the mitigating systems cornerstone to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to ensure the correct wiring to the standby service water fan time-delay relay resulted in the inability of the fan to be started locally, which is required for remote shutdown of the plant. In accordance with NRC Inspection Manual Chapter 0609, Attachment 4, Initial Characterization of Findings, and NRC Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process for Findings At Power, Exhibit 2, Section A, question 3, this finding required a detailed risk evaluation because the finding represented an actual loss of function of at least a single train for greater than the technical specification allowed outage time. The risk of the condition was evaluated by a senior reactor analyst. The sequence that would result in a risk increase is control room abandonment with concurrent maintenance being performed on the alternate bank of 5 fans. This would leave only 4 functional fans in one division of standby service water, whereas 5 fans are needed per design to meet the safety function. The frequency of control room abandonment is approximately 5E-5/yr and the frequency of maintenance performed on one bank of standby service water fans is approximately 1E-2. Therefore, the frequency of a scenario where the failure of one fan to operate from the alternate shutdown panel would cause a measurable effect on risk is approximately 5E-7/yr. The other division of standby service water fans was unaffected by this condition. Accordingly, the significance of the performance deficiency was determined to be very low (Green). This finding has a human performance cross-cutting aspect associated with the work practices component in that the electricians failed to use adequate human error prevention techniques
05000289/FIN-2012004-02Three Mile Island2012Q3Remote Shutdown Relay 69X1RR Contact FailureOn December 22, 2011, the reactor building emergency cooling water pump discharge valve B (RR-V-1B) failed to open during performance of an engineered safeguards actuation system (ESAS) quarterly surveillance test. TMI declared RR-V-1B inoperable and entered a 72 hour limited condition for operation (LCO) in accordance with technical specification (TS) 3.3.2. TMI performed troubleshooting and determined that the remote shutdown (RSD) transfer selector switch relay (69X1RR), which is in series with the ESAS signal, exhibited intermittent contact make-up. The function of the RSD selector switch and associated relay (69X1RR) is to transfer control of RR-V-1B from the main control room to the RSD panel. The relay (69X1RR) was found in the open-state thus, inhibiting the ESAS actuation signal. The selector switch relay was cycled until proper contact make-up was achieved. TMI applied administrative controls to ensure the transfer switch relay (69X1RR) contact closed properly if the RSD transfer switch was manipulated prior to the relay replacement. RR-V-1B was successfully tested and declared operable on December 22, 2011. The relay transfer switch was replaced and tested satisfactorily on January 6, 2012. The last successful RSD functional test of RR-V-1B had been completed on November 10, 2011 during refueling outage T1R19. TMI concluded that the relay (69X1RR) had most likely not fully re-closed at the completion of the test. Thus, TMI determined that RR-V-1B was inoperable from November 10, 2011 through December 22, 2011. This issue constituted two violations of NRC requirements. Namely, a) the licensee made the reactor critical on November 24, 2011 (while starting up from T1R19), without all engineered safeguards valves associated with the reactor building emergency cooling system being operable as required by TS 3.3.1; and, b) and that RR-V-1B was inoperable for more than 72 hours, and the unit wsa no paced in a hot shutdown condition within 6 hours, as required by TS 3.3.2. However, the NRC concluded that it was not reasonably within the licensees ability to foresee and correct the relay failure that caused these violations. Specifically, the failure analysis of the relay identified that an unforeseen manufacturing defect caused the failure and that the relay exhibited no visual abnormalities or indications to the licensee that a defect existed prior to its failure. In addition, the NRC identified that no significant plant or industry operating experience existed on this style relay that would have alerted the licensee to this potential issue. Therefore, the NRC did not identify any performance deficiency associated with the violations. Inspection Manual Chapter (IMC) 0612, Appendix B, Issue Screening, directs disposition of this issue in accordance with the Enforcement Policy because there was no performance deficiency associated with the violations. The inspectors used the enforcement policy, Section 6.1, Reactor Operations, to evaluate the significance of this violation. The inspectors concluded that the violation is more than minor and best characterized as Severity Level IV (very low safety significance) because it is similar to Enforcement Policy Section 6.1, example d.1. Additionally, the inspectors assessed the risk associated with the issue by using IMC 0609, Appendix A, SDP For Findings at Power. The inspectors screened the issue, and evaluated it using Exhibit 3 of IMC 0609, Appendix A. Evaluating the criteria under the Barrier Integrity cornerstone, the finding did not represent an actual open pathway in the physical integrity of the containment and did not involve a reduction in function of hydrogen igniters in the reactor containment. Based on these reviews, the issue would screen as very low safety significance (Green). Because it was not reasonable for TMI to have been able to foresee and prevent the relay failure, the NRC determined no performance deficiency existed. Thus, the NRC has decided to exercise enforcement discretion in accordance with Section 3.5 of the NRC Enforcement Policy and refrain from issuing enforcement action for the violation (EA-12-164). Further, because the licensees action and/or inaction did not contribute to this violation, it will not be considered in the assessment process or the NRCs Action Matrix. This LER is closed.
05000456/FIN-2012003-06Braidwood2012Q2MSIV Hydraulic System DesignOn May 28, 2012, the 1A MSIV active-side hydraulic accumulator pressure was found at 3450 psig, which was below the operability limit of 4800 psig. This prevented manual isolation of the 1A main steam line via the main control room switch, which required the active-side accumulator and is required by Technical Requirements Manual (TRM) 3.3.y Condition D. Each MSIV also has a standby accumulator that could redundantly close the valve if an ESFAS signal was received, but not from the individual isolation control switch. The 1A MSIV standby accumulator pressure was 5400 psig, thus the 1A MSIV could have been closed by an ESFAS signal. The Action Statement for TRM 3.3.y Condition D required restoration of the individual steam line isolation capability within 48 hours. If that was not done, Condition D required the MSIV to be declared inoperable and TS.3.7.2 Condition A.1 to be entered, which required the MSIV to be returned to an operable status within 8 hours, or enter Condition B.1, which required the Unit to be in Mode 2 within 6 hours. During troubleshooting of the 1A MSIV active-side accumulator pressure issue, the licensee became concerned that they would not find and repair the active-side hydraulic problem prior to the requirement to enter Mode 2. As a result, the licensee elected to remove TRM 3.3.y Condition D from the TRM through the 10 CFR 50.59 evaluation process. As a result, the licensee was not required to declare the 1A MSIV inoperable provided the standby accumulator pressure was within operability limits. The inspectors reviewed the control logic for the MSIV control switches in the main control room and the remote shutdown panel. The inspectors noted that the MSIV control switches on the remote shutdown panels used only the active-side accumulator to reposition the MSIV. When the licensee removed TRM 3.3.y Condition D, they effectively removed any requirement to maintain the ability to close MSIVs from the remote shutdown panel. The inspectors reviewed procedures 0BwOA PRI-5, Control Room Inaccessibility Unit 0; 1BwOA PRI-5, Control Room Inaccessibility Unit 1; and 2BwOA PRI-5, Control Room Inaccessibility Unit 2; and did not identify a requirement to close the MSIVs prior to main control room evacuation. As a result, any MSIV with an active-side accumulator inoperable, which was allowed indefinitely by current site procedures, would not be closed prior to evacuating the main control room and would not be able to be closed from the remote shutdown panel. The licensees position was that there was no reason, purpose, or requirement for the MSIV control switches on the remote shutdown panel and no condition that would require repositioning them from the remote shutdown panel following evacuation of the main control room. The inspectors noted that Step 13.c of procedures 1(2)BwOA PRI-5 directed operators to close all MSIVs if RCS temperature dropped below 557oF. This step would need to be performed from the remote shutdown panel since the main control room was evacuated at Step 9. In addition, the inspectors questioned whether allowing one inoperable accumulator on each MSIV for an unlimited period of time had an effect on the ability of the ESFAS system to perform its safety function. Although only one of the two hydraulic accumulators was necessary to reposition each MSIV, each ESFAS train was assigned to a specific accumulator for each MSIV. For example, the A ESFAS train was assigned to the active-side accumulator on two MSIVs and the standby-side accumulator on the other two MSIVs. The B ESFAS train controlled the MSIVs using the opposite accumulators. As a result, there were certain combinations of accumulators that could be out of service on multiple MSIVs such that an inoperable ESFAS train would fail to close multiple MSIVs. At the end of the inspection period, the inspectors were reviewing whether this allowance satisfied the requirements of TS 3.3.2 and TS 3.7.2. At the conclusion of the inspection period, the inspectors had not completed their review of licensing documents related to this issue. As a result, this URI will remain open pending a review of the stations CLB and requirements associated with the remote shutdown panel and MSIVs.
05000255/FIN-2012002-06Palisades2012Q1Corrective Action for Potential Fire-Induced Motor Operated Valve DamageThe following finding that affects 10 CFR 50.48 was identified by the NRC and is a violation of NRC requirements. This finding has been screened and determined to warrant enforcement discretion per the Interim Enforcement Policy Regarding Enforcement Discretion for Certain Fire Protection Issues as described in the NRC Enforcement Policy. The inspectors identified an Unresolved Item (URI) during an NRC fire protection inspection in 1998 associated with a failure to adequately modify circuits for several Motor Operated Valves (MOVs). The inspectors determined that the licensee did not ensure that the MOVs would not be actuated by fire-induced hot shorts in the control room, bypassing their torque and limit switches as described in Information Notice 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire. The inspectors reviewed the Palisades licensing basis for the fire protection program, recent industry guidance and NRC documents related to fire induced circuit failures and determined that the finding was a violation of 10 CFR Part 50, Appendix R, Section III.G.3. Subsequent to the 1998 inspection the licensee began transition to 10 CFR 50.48(c) (National Fire Protection Association (NFPA) 805). Therefore, the licensee completed a risk-assessment evaluation (EA-PSA-FIRE-06-03, Owners Review of Use of the Palisades PSA to Evaluate the Importance of MOV Hot Shorts, Revision 0) for this issue to determine if it would qualify for enforcement discretion. The inspectors reviewed the evaluation and did not agree with some of the evaluation assumptions. Since the finding affected multiple MOVs, the inspectors performed a qualitative assessment for each valve separately in accordance with IMC 0609, Appendix F, Fire Protection Significance Determination Process, and determined that the finding was not associated with a finding of high safety significance (i.e., less than Red).
05000289/FIN-2012002-05Three Mile Island2012Q1Licensee-Identified ViolationTMI-1 fire hazard analysis requires two valves to achieve and maintain cold shutdown condition, including remote shutdown via local manual operation, one valve which is the B decay heat cooler shell bypass (DC-V-65B). On March 14, 2012 during valve diagnostic testing, Exelon discovered DC-V-65B manual handwheel drivegear was detached from the valve stem and had been so since identified on April 19, 2006. Contrary to license condition 2.C.(4) compensatory measures were not established for the loss of DC-V-65B to be operated manually and to perform its credited function. The cause of this violation is the failure to correct a degraded condition in a timely manner commensurate with its safety significance. Exelon entered this into the CAP as IR 1341582 and replaced the actuator on April 3, 2012. The inspectors determined that the finding was of very low safety significance (Green) in accordance with IMC 0609, Appendix F, Fire Protection Significance Determination Process, as a cold shutdown category with moderate degradation
05000424/FIN-2011005-03Vogtle2011Q4Licensee-Identified ViolationTechnical Specification (TS) 3.0.4, Limiting Condition for Operation (LCO) Applicability states in-part, When an LCO is not met, entry into a Mode or other specified condition in the Applicability shall only be made; a) When the associated ACTIONS to be entered permit continued operation in the Mode or other specified condition in the Applicability for an unlimited period of time; or b) After performance of a risk assessment addressing inoperable systems and components or c) When an allowance is stated in the individual value, parameter or other Specification. Contrary to this requirement on October 27, 2011 it was discovered by the licensee that Mode changes had been made contrary to TS LCO 3.0.4. Technical Specification (TS) 3.3.4, Remote Shutdown System, Limiting Condition for Operation (LCO) is applicable in Modes 1, 2, and 3 and requires two channels of Core Exit Thermocouples (CETC) to be operable. During startup from the refueling outage 2R15, one of the CETC channels credited for satisfying this requirement was inoperable but was not recognized as being inoperable until the unit was in Mode 1. Since mode changes were made with only one of the two required CETC channels operable, the unit was operated in a condition contrary to TS LCO 3.0.4. The inspectors used Inspection Manual Chapter 601, Phase 1 worksheets, mitigating systems cornerstone, to conduct an initial screening and characterization of this violation. The inspectors concluded, from this screening, that this violation was of very low significance (Green). The licensee has entered this issue into their corrective action program as CR 374623, completed an enhanced apparent cause determination, drafted LER 05000425/2011-001, and implemented a temporary modification to restore the channel to operable status. This licensee-identified violation is closed.
05000416/FIN-2011007-04Grand Gulf2011Q3Inadequate Corrective Actions To Assure Postfire Safe ShutdownThe team identified a noncited violation of 10 CFR 50, Appendix B, Criterion XVI, for inadequate corrective actions to address the potential for fire induced hot shorts to impact the ability to trip a control rod group as described in Information Notice 2007-07. The licensees evaluation of Information Notice 2007-07 stated in part, provisions have been included in 05-1-02-II-1, Shutdown from the Remote Shutdown Panel, to trip the proper reactor protective system breakers to ensure that the reactor scram occurs. The team noted that Procedure 05-1-02-II-1 contained a conditional statement for the operator to determine if opening the reactor protective system breakers is required. The procedure did not provide assurance that all control rod groups insert since the control room indications to be utilized by the operator were not identified and confirmed to be reliable during fires requiring control room evacuation. The licensee entered this finding into its corrective action program under CR-GGN-2011-02780, implemented compensatory measures to ensure the operators de-energized the reactor protection system, and implemented a procedure change. The failure to take adequate corrective actions to address the potential for fire induced hot shorts to impact the ability to safely shutdown the plant following a fire is a performance deficiency. The performance deficiency was more than minor because it was associated with the reactor safety mitigating systems cornerstone attribute for protection against external events (fire), and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Since the finding involved control room evacuation, a Phase 3 SDP risk assessment was performed by a senior reactor analyst. Because a bounding change to core damage frequency was 9.58 x 10-7, and the finding was not significant with respect to large, early release frequency, this finding was determined to have very low safety significance (Green). The finding did not have a crosscutting aspect since it was not indicative of current performance. The licensee had incorrectly assessed the applicability of Information Notice 2007-07 more than three years prior to this finding.
05000397/FIN-2011006-01Columbia2011Q3Failure to Promptly identify and Correct Degraded Flood BarriersThe team identified a Green noncited violation of 10 CFR 50, Appendix B, Criterion XVI, Corrective Action, because Energy Northwest failed to promptly identify and correct degraded flood barrier floor coatings, which protected the Division 2 safety-related electrical switchgear room, remote shutdown room, and main control room from water intrusion. In 2002, flooding above the Division 2 electrical switchgear and remote shutdown rooms resulted in water intrusion into these rooms. The corrective action to prevent recurrence was to apply epoxy paint to the concrete floors above these rooms to ensure the floors would be leak tight. In April 2004, a degraded flood barrier floor coating was identified and operations staff requested an engineering evaluation. An hourly flood watch was established, however, an engineering evaluation was not performed to identify and correct the material deficiency and no justification was provided for establishing an hourly flood watch. The team determined that from April 2004, to September 14, 2011, at least 30 action requests were written that identified degraded epoxy coated flood barriers. Although the flood barriers were eventually patched, no engineering evaluation was performed to identify and correct the material deficiency. The team determined that the flood barriers were degraded approximately 36 percent of the time. The licensee entered this issue into the corrective action program as Action Request/Condition Report 249288. The finding was more than minor because it affected the Mitigating Systems Cornerstone objective to ensure the availability and reliability of systems that respond to initiating events to prevent undesirable consequences and if left uncorrected, could become a more significant safety concern because a flood in the area could adversely affect safety-related equipment. Using NRC Manual Chapter 0609 Attachment 4, Phase 1 - Initial Screening and Characterization of Findings, dated January 10, 2008, the finding initially screened as potentially risk significant due to the flooding hazard, however, it was determined to be of very low risk significance (Green) because there was no actual loss or degradation of the safety function of the equipment protected by the flood barrier. In addition, this finding had a crosscutting aspect in the area of human performance associated with decision making because the licensee failed to communicate to persons who have the need to know in order to perform work safely, the basis for the decision to implement an hourly flood watch and not perform an engineering evaluation in a timely manner (H.1 (c)).
05000416/FIN-2011007-01Grand Gulf2011Q3Failure To Provide An Adequate Alternative Shutdown ProcedureThe team identified a noncited violation of License Condition 2.C(41), Fire Protection Program, for failing to ensure that the postfire safe shutdown procedure for fires requiring control room evacuation could be performed within the critical times required by the approved fire protection program. Specifically, two crews of operators simulating performance of Procedure 05-1-02-II-1, Shutdown from the Remote Shutdown Panel, Revision 036, did not give priority to the required safe shutdown components which are protected against fire damage and did not complete the equipment alignments within the times required by the thermal-hydraulic analysis. The team confirmed at the end of each walkdown that the operators involved did not know what the credited shutdown equipment was for a postfire safe shutdown or the critical time limits to be met. The team also confirmed that the licensee had not performed timed walkdowns to validate that the procedure would complete the required actions for postfire safe shutdown within the times required by the thermal-hydraulic analysis. The licensee entered this into their corrective action program as CR-GGN-2011-02721, implemented compensatory measures to focus the operators priority on the required safe shutdown components and implemented a procedure revision. The failure to provide an adequate procedure to implement the requirements of the approved fire protection program for a fire in the control room is a performance deficiency. The performance deficiency was more than minor because it was associated with the reactor safety mitigating systems cornerstone attribute for protection against external events (fire), and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Because the finding involved control room evacuation, a Phase 3 SDP risk assessment was performed by a senior reactor analyst. The scenario impacted operators being ready to emergency depressurize the reactor and reflood using a residual heat removal pump. Because a bounding change to core damage frequency was 4.13 x 10-7, and the finding was not significant with respect to large, early release frequency, this finding is of very low safety significance (Green). The finding did not have a crosscutting aspect since the primary cause did not fit any crosscutting aspects.
05000416/FIN-2011007-02Grand Gulf2011Q3Failure To Assure Equipment Required For Postfire Safe Shutdown Was Protected Against Fire DamageThe team identified a noncited violation of License Condition 2.C(41), Fire Protection Program, for failing to assure that equipment relied upon for safe shutdown following a fire in the control room was protected against fire damage. Specifically, Procedure 05-1-02-II-1, Shutdown from the Remote Shutdown Panel, Revision 036, relied on the automatic operation of and indications from the load shedding and sequencing system. The team identified that this system was not isolated from potential damage due to a fire in the control room and the procedure did not adequately address the potential that fire damage to the system could effect the postfire safe shutdown capability by spuriously starting or stopping electric loads. The licensee entered this into their corrective action program as CR-GGN-2011-02721. The failure to assure that equipment required to successfully implement the safe shutdown procedure for a fire in the control room was protected against fire damage is a performance deficiency. The performance deficiency was more than minor because it was associated with the reactor safety mitigating systems cornerstone attribute for protection against external events (fire), and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Since the finding involved control room evacuation, a Phase 3 SDP risk assessment was performed by a senior reactor analyst. Because a bounding change to core damage frequency was 1.97 x 10-8, and the finding was not significant with respect to large, early release frequency, this finding was determined to have very low safety significance (Green). The finding did not have a crosscutting aspect since it was not indicative of current performance, in that the licensee had established the current procedure more than three years prior to this finding.
05000416/FIN-2011007-03Grand Gulf2011Q3Failure to Take Timely Corrective Actions to Protect Safe Shutdown Equipment From Fire DamageThe team identified a noncited violation of 10 CFR 50, Appendix B, Criterion XVI, Corrective Action, for failure to take timely corrective action to modify the control circuits for 33 motor operated valves that are relied upon during safe shutdown due to fire. Noncited violation NCV 05000416/2008006-04, Failure to Ensure That Damage to Motor-Operated Valve Circuits Would Not Prevent Safe Shutdown, documented the licensees inadequate review of Information Notice 92- 18, Potential for Loss of Remote Shutdown Capability During Control Room Fire. The licensee failed to develop modification packages such that motor operated valve control circuit modifications could be implemented during the fall 2010 refueling outage. As a result, 33 motor operated valves associated with safe shutdown equipment continue to remain susceptible to potential damage during spurious operation due to circuit hot shorts. The licensee has maintained a fire watch as a compensatory measure. The licensee entered this into their corrective action program as CR-GGN-2011-02779. The failure to take timely corrective actions to address the potential for fire induced hot shorts to impact the ability to safely shutdown the plant following a fire is a performance deficiency. The performance deficiency was more than minor because it was associated with the reactor safety mitigating systems cornerstone attribute for protection against external events (fire), and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Since the finding involved control room evacuation, a Phase 3 SDP risk assessment was performed by a senior reactor analyst. Because a bounding change to core damage frequency was 9.58 x 10-7, and the finding was not significant with respect to large, early release frequency, this finding was determined to have very low safety significance (Green). The finding had a crosscutting aspect in the area of Human Performance associated with Decision Making, because the licensee failed to demonstrate that nuclear safety is an overriding priority. Specifically, the licensee did not promptly initiate control circuit reviews and implement modifications required for corrective actions after the licensees inadequate evaluation of Information Notice 92-18 was identified in the 2008 violation.
05000395/FIN-2011003-03Summer2011Q2Failure to Conduct Adequate Testing of Appendix R Fire SwitchesThe NRC identified an apparent violation (AV) of the Virgil C. Summer Nuclear Station Operating License Condition 2.C.(18), Fire Protection System, related to the licensee\\\'s failure to implement and maintain in effect all provisions of the approved fire protection program as described in the Final Safety Analysis Report (FSAR). Specifically, the licensee failed to adequately test the isolation function of all 10 CFR 50 Appendix R isolation local control transfer switches ( fire switches ), including the B EDG fire switch, designed to assure isolation of safe shutdown equipment from the control room in the event of a control room evacuation due to a fire. This resulted in the licensee not identifying a wiring discrepancy that had existed in the B EDG fire switch circuitry since original plant startup until its discovery on April 29, 2010, that would have defeated the Appendix R isolation function during a design basis fire event requiring evacuation from the Control Room. The issue was entered into the licensees corrective action program as condition report CR-10-01814. The failure to demonstrate proper Appendix R isolation capability of safe shutdown equipment controlled from remote shutdown locations during surveillance testing of Appendix R fire switches is a performance deficiency that was within the licensees ability to foresee and correct. The inspectors determined that the finding is more than minor because it was associated with both the procedure quality and protection against external events (i.e., fire) attributes of the Mitigating Systems cornerstone and it adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to adequately test Appendix R isolation contacts associated with fire switches contributed to not identifying a wiring discrepancy in the B EDG fire switch circuitry that defeated its Appendix R isolation function. This condition could have led to the improper operation of the switch or prevented the B EDG output breaker from automatically closing during certain fire scenarios due to fire damage of the electrical circuitry. In accordance with NRC IMC 0609, Significance Determination Process, the inspectors performed a Phase 1 screening analysis and determined that since the finding affected the fire protection defense-in-depth strategies involving post fire safe shutdown systems, the finding required a significance evaluation under IMC 0609, Appendix F, Fire Protection Significance Determination Process. Using Appendix F, Attachment 1, Fire Protection SDP Phase 1 Worksheet, the inspectors determined that the category of post fire safe shutdown was affected and the finding required a Phase 2 analysis by a senior reactor analyst. The significance of this finding is to be determined pending completion of the Phase 2 analysis. A cross-cutting aspect was not identified because the finding does not represent current licensee performance.
05000286/FIN-2011003-02Indian Point2011Q2Licensee-Identified ViolationTS 3.3.4 requires that the remote shutdown function of RCS cold leg temperature shall be operable, which, in part, is specifically met if wide range instrument TE413B is operable. Contrary to this requirement, on March 2, 2010, Entergy personnel determined that the switch used to transfer the cold leg temperature loop from the Control Room to the remote shutdown cabinet had evidence of high resistance on the contacts, and therefore rendered the instrument inoperable. Entergy concluded that the exact period of time the cold let temperature loop TE-413B was inoperable could not be determined, but TE-413B had exceeded its TS allowed outage time of 30 days. Entergy subsequently performed a surveillance test to demonstrate the current operability of the instrument and performed a revision to the surveillance procedure to provide adequate steps for performing Rli calibrations, switch contact resistance checks, and proper as found criteria. Entergy documented this issue in the corrective action program for resolution as CR-IP3-2009-04823. A Region I Senior Reactor Analyst evaluated the significance of the finding using IMe 0609, Appendix F, Fire Protection Significance Determination Process, and qualitatively determined that the finding screened as very low safety significance (Green). The basis for screening this post-fire safe shutdown finding as Green is that the inoperability of TE-413B, used for monitoring the condition of the reactor from outside the control room, could be readily compensated for by operators via verification of control rod position (maintenance of shutdown margin) and reactor temperature and pressure (negative temperature/pressure reactivity coefficients) until the operability of TE-413B could be restored. This finding is assigned a moderate degradation rating based upon Appendix F, Attachment 2, Table A.2.3 - Guidance for Ranking an Observed SSD Degradation Finding. Specifically, the SRA concluded that the inoperable TE-413B instrument equates to equipment or tools not staged or located as specified by procedures. This moderate degradation rating screens the finding to Green because it only affects the ability to reach and maintain cold shutdown conditions (Task 1.3.1: Qualitative Screening for All Finding Categories).
05000352/FIN-2011002-02Limerick2011Q1NoneUnit 2 TS LCO 3.0.4 requires that, when an LCO is not met, entry into an OPCON or other condition in the Applicability shall only be made if specified conditions in LCO 3.0.4 were met. TS LCO 3.3.7.4 Remote Shutdown System lnstrumentation and Controls, requires the RHR Heat Exchanger Bypass Valve (HV-C-S1-2F048A) Position Indication (0-10070) (Table 3.3.7.4-1, Instrument 15)to be restored to operable within 7 days or be in at least Hot Shutdown within the next 12 hours with an Applicability in OPCONS 1 and 2. Contrary to LCO 3.0.4, on April 11, 2009, Unit 2 entered OPCON 2 with the position indication for HV-C-51-2F048A inoperable and specified conditions in LCO 3.0.4 were not met. The cause of the failure to meet LCO 3.0.4 was due to less than adequate administrative barriers being present to allow licensed operators to properly assess the TS impact of the deficiency. Also, operators did not use all available tools and resources at that time to validate the initial operability determination. This issue was entered into Exelon\'s CAP as lR 1168410. The finding was determined to have very low safety significance (Green) in accordance with NRC IMC 0609, Attachment 4, Phase 1 - Initial Screening and Characterization of Finding, Mitigating Systems, because the finding did not represent an actual loss of safety function or screen as potentially risk significant due to a seismic, flooding, or severe weather initiating event.
05000498/FIN-2011002-02South Texas2011Q1Failure to Perform an Immediate Operability DeterminationThe inspectors identified a Green noncited violation of 10 CFR Part 50, Appendix B, Criteria V, Instructions, Procedures, and Drawings, for the failure to follow Procedure 0PGP03-ZX-0002, Condition Reporting Process, Revision 38. On January 13, 2011, the licensee wrote Condition Report 11-1261 which states, in part, Twenty-six transfer switches required by Technical Specification 3.3.3.5, Remote Shutdown System, appear to not be listed. Procedure 0PGP03-ZX-0002, step 4.3.2 states, in part, that conditions that may have an impact on the operability of a technical specification related system shall be screened as yes or indeterminate. The corrective action program supervisor that screened this condition report marked the operability as No. The inspectors questioned the licensee on January 14 and 18, 2011, as to why no immediate operability determination had been performed. The licensees corrective actions determined that an immediate and subsequent prompt operability determination was warranted. The inspectors interviewed the supervisor and determined that the supervisor did not use conservative assumptions and adopt a requirement to demonstrate that the proposed action is safe in order to proceed when screening the issue for operability. This finding was more than minor because it affected the Mitigating Systems Cornerstone attributes of Human Performance and Procedure Quality and affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to recognize that risk-significant equipment is in a potentially inoperable condition and, as such, may not be able to perform its specified safety function would not be recognized and accounted for by operators. The inspectors performed the significance determination using NRC Inspection Manual Chapter 0609, Attachment 0609.04, Phase 1 Initial Screening and Characterization of Findings, dated January 10, 2008, because it affected the Mitigating Systems Cornerstone while the plant was at power. The finding was determined to be of very low safety significance because it was not a design or qualification deficiency; it did not result in the loss of a system safety function; it did not represent a loss of a single train for greater than technical specification allowed outage time; it did not represent a loss of one or more nontechnical specification risk-significant equipment for greater than 24 hours; and it did not screen as potentially risk significant due to seismic, flooding, or severe weather. In addition, this finding had human performance cross-cutting aspects associated with decision making in that the licensee did not use conservative assumptions and adopt a requirement to demonstrate that the proposed action is safe in order to proceed.
05000454/FIN-2010006-01Byron2010Q4Manual Actions Not Explicitly Approved

An unresolved item (URI) was identified by the inspectors concerning manual actions which had not been explicitly approved by the NRC. The inspectors identified that the licensee took credit for a number of manual actions to compensate for not having a train free of fire damage in non-alternative fire zones. Although some manual actions were described either in a safety evaluation report (SER) or licensing correspondence which was used as a basis for NRC approval in an SER, the majority of manual actions were not explicitly approved by the NRC. As an example, for Fire Zone 11.3-0, the safe shutdown analysis took credit for the following manual actions (not a full listing) to achieve a hot standby condition because one train would not be assured of being free of fire damage: 

 Step 1 of Procedure BOP FR-1T10, 11.3-0; 364 Auxiliary Building General Area; 1D-17, 1D-40, 1S-59, 2S-54, directed operators to establish a flow path to the operating charging pump from the refueling water storage tank (RWST) because a hot short could cause a spurious closure of the volume control tank (VCT) outlet valve, part of the normal flowpath. If an alternate flowpath from the RWST is not established, spurious closure of the VCT outlet valve could result in a loss of suction to the operating charging pump and subsequent damage to the pump.
 Step 3 of Procedure BOP FR-1T10 directed operators to open eight breakers to prevent a fault from tripping an upstream breaker for a credited electrical bus. (See Section 1R05.6.b(1) for a related discussion.)
 Step 8 of Procedure BOP FR-1T10 directed operators to locally start the 1A and 2B essential service water (ESW) pumps because control cables for the pumps could be damaged due to fire.
 Step 11 of Procedure BOP FR-1T10 directed operators to verify ESW flow to the 2A charging pump. If ESW flow could not be verified, the procedure directed operators to stop the 2A charging and 2A auxiliary feedwater pumps until ESW flow could be restored. Step 21 of Procedure BOP FR-1T10 directed operators to locally open the power supply breaker for Motor Control Center 231X1 to allow local manual operation of Valve 2SX033, ESW Pump 2A Discharge Crosstie Isolation Valve. Step 22 of Procedure BOP FR-1T10 directed operators to locally open Valve 2SX033 using its handwheel. The crosstie valve was needed to be open because Unit 2 Train A components (such as the 2A charging pump and 2A auxiliary feedwater pump) relied upon essential service water for cooling. However, the Train A essential service water pump could not be credited because its power cable was in the zone. Consequently, the Train B essential service water pump was needed to provide cooling water for the credited Train A loads. Valve 2SX033 could spuriously close because control cables went through the zone.

Procedures for a number of other non-alternative fire zones included similar manual actions. The inspectors noted that the licensee had informed the NRC of a number of manual actions as part of the licensing process. For example, by letter dated October 15, 1984, the licensee had identified a number of manual actions to address spurious operation of valves in response to Question 10.65. However, the majority of manual actions (including the examples listed above), were not explicitly identified during the licensing process and, as such, were not explicitly approved by the NRC. Amendment 3 to the Byron Station Fire Protection Report listed a number of assumptions for the safe shutdown analysis. Assumption 3, listed in Section 2.4.1.5 of Amendment 3, stated: For fires outside the control room, the operators are assumed to remain in the control room and to utilize the instruments and controls provided there to the greatest possible extent, in accordance with existing station procedures. When proper operation of equipment cannot be performed or confirmed from the control room, alternate procedures are utilized... Where the safe shutdown analysis shows that control cables from both redundant trains of equipment are located in the same fire zone, credit is taken for alternate shutdown via local operation of equipment as specified in various plant procedures... The inspectors noted that the licensee had used the term alternate to apply to procedures for fire zones other than those classified as alternative fire zones (i.e., other than the control room and the auxiliary electric equipment rooms). NUREG-0876, Safety Evaluation Report related to the operation of Byron Station, Units 1 and 2, documented the licensing basis approval by the NRC. Supplement 5 of NUREG-0876 relied upon Amendment 3 of the Byron Station Fire Protection Report for original licensing of Unit 1 for fire protection. Within the section titled Safe Shutdown Capability, of Section 9.5.1.4 of NUREG-0876, Supplement 5, the following statements were made by the NRC: Alternative shutdown capability in part, consists of local operation of equipment if the fire results in loss of redundant control capability. Local operations include local start and control of pumps and manual operation of valves and circuit breakers. For all local operation, accessibility of components and time restrictions were considered. These local operations are addressed in various plant procedures. Alternative shutdown capability also consists of utilization of diverse equipment as follows. To monitor reactor coolant hot leg temperature, the applicant ensured the availability of one of the following components, all of which provide an indication of hot leg temperature: reactor coolant wide range hot leg RTD\'s (resistance temperature detectors), core exit thermocouples, or heated junction thermocouples. Alternative shutdown capability also includes use of remote shutdown and instrument panels as discussed below. and Based on the above, the staff concludes that the post-fire safe shutdown capability for Byron complies with the guidelines of SRP (Standard Review Plan) Section 9.5.1, Position C.6.b subject to the following condition: The applicant shall complete the analysis of spurious operation of the pressurizer PORV\'s (power operated relief valves) and fully implement any necessary modifications prior to exceeding 5 percent power. The inspectors noted that sentences above describing local operation of equipment were located in the SER prior to the section titled Alternative Shutdown Capability. Based on the assumptions listed in Amendment 3 of the Fire Protection Report and the above SER language, the licensee had made the interpretation that the NRC had provided a general approval for the use of manual actions for non-alternative fire zones in addition to approval for alternative shutdown fire zones. The inspectors were not able to determine whether the SER language constituted a general approval of manual actions for non-alternative fire zones beyond those explicitly identified during licensing. This issue is a URI pending further review by NRC staff.

05000275/FIN-2010004-03Diablo Canyon2010Q3Inadequate Risk Assessment during Planned Maintenance ActivitiesThe inspectors identified a noncited violation of 10 CFR 50.65 after Pacific Gas and Electric failed to perform a risk assessment after plant conditions had changed. On July 13, 201 0, Pacific Gas and Electric identified that station personnel failed to complete Technical Specification Surveillance Requirement 3.3.4.2, Remote Shutdown System, within the specified frequency for both Units. As provided by Surveillance Requirement 3.0.3, the licensee performed a risk evaluation to extend the required surveillance completion time beyond twenty-four hours. The licensee initiated the missed surveillance tests and identified results were outside acceptance criteria. On July 26, 2010, Operations personnel declared several remote shutdown system functions inoperable because reasonable expectation no longer existed that remote shutdown system could perform its safety function. Pacific Gas and Electric failed to reassess the effect on plant risk resulting from inoperable remote shutdown system functions before continuing with scheduled maintenance. A subsequent risk assessment concluded that plant risk was in a higher risk category due to planned maintenance activities conducted during this time frame. The licensee entered the performance deficiency into the corrective action program as Notification 501331 841. The inspectors determined that the performance deficiency is more than minor because the performance deficiency affected the Mitigating Systems Cornerstone attribute of human performance and adversely affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Also, the finding is similar to Example 7.e in Inspection Manual Chapter 0612, Appendix E, Examples of Minor Issues, because the overall elevated plant risk would put the plant into a higher licensee-established risk category. The inspectors concluded that the finding is of very low safety significance (Green) based on an actual incremental core damage probability deficit of less than 1x10-6 and an evaluation using Flowchart 1 of Appendix K of Inspection Manual Chapter 0609, Maintenance Risk Assessment and Risk Management Significance Determination Process. This finding had a crosscutting aspect in the area of human performance associated with the work practices component because the licensee failed to follow its maintenance risk procedure and reassess plant risk due to changing plant conditions (H.4(b)).
05000424/FIN-2010006-01Vogtle2010Q3Control Room Fire Alternate Shutdown Evaluation (X4C2301S035) Does Not Reflect Integrated Plant ResponseThe team identified an unresolved item (URI) related to the Control Room Fire Alternate Shutdown Evaluation (CRFASE), calculation number X4C2301S035. Specifically, the team found that the CRFASE does not reflect integrated automatic plant response to fire in the MCR requiring shutdown from the RSPs. Description: The CRFASE is an evaluation of the impact of a fire in the MCR on the operators ability to safely shut down the plant from outside the MCR. The evaluation addresses discreet spurious operation concerns on a system basis. The CRFASE provides time constraints and compensatory measures used to develop the operator actions, and sequencing of these actions, in procedure 18038-1, Operation from Remote Shutdown Panels. During review of procedure 18038-1 and the CRFASE, the team questioned whether certain operator actions contained in step 3 of procedure 18038-1, if unable to be performed from the MCR, would be able to be performed within established time constraints in order to prevent and/or mitigate the adverse effects of spurious actuations. These time constraints, adverse spurious actions, and the impact on the plant of these spurious actuations are described in the CRFASE. Specifically, the team questioned whether reactor coolant pumps #1 and #4 would be able to be tripped early enough from the RSP in time to prevent depressurization of the reactor coolant system to the safety injection (SI) actuation set point, in the event one pressurizer spray valve spuriously opens. The team also questioned whether main steam isolation valves (MSIVs) would be closed from the RSP in sufficient time to minimize the chances of a significant overcooling transient (as described in the CRFASE) in the event the MSIVs were not closed from the MCR in step 3. Subsequent to the on-site inspection, the licensee developed a simulator exercise guide for the purpose of validating the time necessary for an operating crew to perform the steps in procedure 18038-1, through the point of tripping reactor coolant pump (RCP) #1 and #4 from the RSP, given immediate evacuation of the MCR and subsequent spurious operation of a pressurizer spray valve. The licensee stated that the time at which the pressurizer spray valve was set to open during the simulator exercise was based on a timing analysis contained in Request for Engineering Review RER C071912101, Safe Shutdown Time Critical Operator Actions in 18038-1/2 and 17103A-C. When validating the simulator exercise guide, the licensee found that the CRFASE does not reflect integrated plant response for a control room fire as predicted through simulation. Simulated plant response was different from the response described in the CRFASE, in that an automatic SI actuation occurred approximately 6 minutes after plant trip due to decreasing RCS pressure arising from RCS cooldown caused by high auxiliary feedwater (AFW) flow. Additionally, in the simulated plant response, the SI actuation automatically isolated instrument air to containment, which caused the pressurizer spray valve to close before spurious operation of the valve was input into the simulator scenario in accordance with the timing analysis. As a result of questions raised by the team during subsequent in-office inspection of this issue, the licensee initiated Condition Report (CR) 2010112114 to revise the CRFASE to review integrated plant response for a control room fire. In a telephone call with the licensee on October 4, 2010, the team stated that additional information would be required concerning the nature and extent of differences between plant response specified or assumed in the CRFASE and simulated or actual plant response. The team discussed the nature of the additional information required in telephone calls with the licensee on October 4, 2010, January 6, 2011, and January 11, 2011. On January 26, 2011, the licensee provided information concerning integrated plant response obtained from plant-referenced simulator scenarios, relative to spurious component actuations and plant conditions described in the licensees CRFASE. During an initial review of this material, the team identified additional questions regarding the new information. During a final briefing of the inspection on February 9, 2011, the licensee informed the team that the information provided on January 26, 2011, needed to be revised for clarification, and additional information would be provided. This additional information is necessary for the team to determine whether the plant response to a control room fire as described in the CRFASE represents a performance deficiency, and to determine whether procedure 18038-1 is adequate for maintaining safe plant conditions while performing shutdown outside the MCR. A URI was opened pending receipt and review of this additional information which is identified as URI 5000424;425/2010006-01, Control Room Fire Alternate Shutdown Evaluation (X4C2301S035) Does Not Reflect Integrated Plant Response.
05000275/FIN-2010004-01Diablo Canyon2010Q3Failure to Identify a Degraded Fire BarrierThe inspectors identified a noncited violation of the Diablo Canyon Facility Operating License Condition (5), Fire Protection, after Pacific Gas and Electric failed to maintain the integrity of a fire door in the rated configuration. On August 19, 2010, the inspectors identified that Fire Door 223 was inoperable. Fire Door 223 was required to provide a 3-hour rated barrier between Fire Areas 5-A-4 and 5-B-4. A fire in either of these areas could have prevented operation of the auxiliary feedwater, auxiliary saltwater, or component cooling water pumps or steam generator level control from the remote shutdown panel. Equipment Control Guideline 18.7, Fire Rated Assemblies, required the licensee to either maintain Fire Door 223 operable or implement compensatory actions within one hour. The inspectors concluded the most significant contributor to the finding was that licensee personnel did not identify and enter the degraded fire door into1 the Corrective Action Program. The licensee entered the performance deficiency associated with this finding into the corrective action program as Notification 50336901 and completed repairs to the door on August 23,2010. The inspectors concluded that the performance deficiency was more than minor because the degraded fire barrier affected the mitigating systems cornerstone external factors attribute objective to prevent undesirable consequences due to fire. The inspectors determined that the inoperable door was a fire confinement category finding and that the fire barrier was moderately degraded because the door would not perform the rated fire barrier function. The inspectors concluded the finding was of very low safety significance because the degraded barrier would have provided a minimum of 20 minutes fire endurance protection and ignition sources and combustible materials were positioned that had a fire spread to secondary combustibles, the degraded barrier would not have been subject to direct flame impingement. This finding has a crosscutting aspect in the area of problem identification and resolution associated with the corrective action program component because the licensee did not implement a low threshold for identifying and entering issues into the Corrective Action Program (P.1 (a)).
05000458/FIN-2010006-04River Bend2010Q2Failure to Implement and Maintain in Effect all Provisions of the Approved Fire Protection ProgramThe team identified a noncited violation of License Condition 2.C.(10), Fire Protection, related to the licensee's failure to implement and maintain in effect all provisions of the approved fire protection program. Specifically, during testing required by the approved fire protection program the licensee failed to adequately test the remote shutdown emergency transfer switch functions used to assure isolation of safe shutdown equipment from the control room in the event of a control room evacuation due to fire. The switch functions had not been adequately tested since 1997. The failure to ensure isolation from the control room for safe shutdown equipment controlled from the remote shutdown panel during surveillance testing of emergency transfer switches is a performance deficiency. The finding was more than minor because it was associated with the procedure quality attribute of the Mitigating Systems Cornerstone in that it adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. The team evaluated the finding using Inspection Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, because it affected fire protection defense-in-depth strategies involving post fire safe shutdown. Using Appendix F, Attachment 2, Degradation Rating Guidance Specific to Various Fire Protection Program Elements, the team determined that the finding constituted a low degradation of the safe shutdown area since the control room isolation feature was expected to display nearly the same level of effectiveness and reliability as it would had the degradation not been present. This finding screened as having very low safety significance (Green). This violation was entered into the licensees corrective action program as CR-RBS-2010-01783. Because the emergency transfer switch surveillance procedures had been in effect since 1997, there was no crosscutting aspect associated with the violation, in that it is not indicative of current licensee performance.
Retrieved from "https://kanterella.com/Special:Ask/-5B-5BCategory:Finding-5D-5D-20-5B-5BSystem::Remote-20shutdown-5D-5D/-3FSite/-3FQuarter/-3FTitle/-3FDescription/mainlabel%3D/order%3Ddescending/sort%3Dstart-20date/offset%3D0/format%3Dtable/searchlabel%3D-5BFindings-5D"