ML20127P703: Difference between revisions

From kanterella
Jump to navigation Jump to search
(StriderTol Bot change)
(StriderTol Bot change)
 
Line 537: Line 537:
4.1.1 Overpressure From Explosions At San Onofre Unit 1, the frequency of exceeding an overpressure on the site of 0.5 psi (capacity of reactor auxiliary building (RAB)) from explosions on the nearby railroad or highway is calculated to be 4.5 x 10 1 per year. This exceeds
4.1.1 Overpressure From Explosions At San Onofre Unit 1, the frequency of exceeding an overpressure on the site of 0.5 psi (capacity of reactor auxiliary building (RAB)) from explosions on the nearby railroad or highway is calculated to be 4.5 x 10 1 per year. This exceeds
   ;the current acceptance criteria in SRP Section 2.2. The acceptance criteria in SRP Section 2.2. state that if the risk is in excess of the 1 x 10-6 per year guideline, qualitative arguments demonstrating the conservatisms of the analysis can be made to show that the realistic risk is lower and, therefore, acceptable.
   ;the current acceptance criteria in SRP Section 2.2. The acceptance criteria in SRP Section 2.2. state that if the risk is in excess of the 1 x 10-6 per year guideline, qualitative arguments demonstrating the conservatisms of the analysis can be made to show that the realistic risk is lower and, therefore, acceptable.
As stated in the staff's safety evaluation forwarded by letter dated May 3, 1983, the licensee's analysis includes sufficient conservatisms so that the risk is judged to be substantially lower than 4.5 x 10-6 per year and thus modifications of plant structures are not warranted.
As stated in the staff's safety evaluation forwarded by {{letter dated|date=May 3, 1983|text=letter dated May 3, 1983}}, the licensee's analysis includes sufficient conservatisms so that the risk is judged to be substantially lower than 4.5 x 10-6 per year and thus modifications of plant structures are not warranted.
4.1.2 Frequency of Shipments Highway shipments of munitions and flammable gases, such as liquid propane gas, are the predominant contributors to the overpressure hazard. Data were collec-ted for the San Onofre Units 2/3 license review and were submitted for review for Unit 1 on November 12, 1981.      Because of the sensitivity of the results of the analysis to the frequency of shipments, the staff concluded in the topic evaluation that the licensee should update these frequencies to ensure that the analysis assumptions remain applicable.
4.1.2 Frequency of Shipments Highway shipments of munitions and flammable gases, such as liquid propane gas, are the predominant contributors to the overpressure hazard. Data were collec-ted for the San Onofre Units 2/3 license review and were submitted for review for Unit 1 on November 12, 1981.      Because of the sensitivity of the results of the analysis to the frequency of shipments, the staff concluded in the topic evaluation that the licensee should update these frequencies to ensure that the analysis assumptions remain applicable.
By letter dated October 31, 1983, the licensee noted that information on hazard-ous shipments past the site is required by the Unit 2/3 Technical Specifications to be collected and provided to the NRC every 3 years. This information was submitted on December 5, 1984. The licensee's report concluded that neither the : frequency of shipment nor types of hazardous materials have changed signifi-cantly. The staff concludes that these licensee actions are sufficient to address this concern and considers this issue to be resolved.
By {{letter dated|date=October 31, 1983|text=letter dated October 31, 1983}}, the licensee noted that information on hazard-ous shipments past the site is required by the Unit 2/3 Technical Specifications to be collected and provided to the NRC every 3 years. This information was submitted on December 5, 1984. The licensee's report concluded that neither the : frequency of shipment nor types of hazardous materials have changed signifi-cantly. The staff concludes that these licensee actions are sufficient to address this concern and considers this issue to be resolved.
   . 4.1. 3 Toxic Gases The staff in its topic evaluation concluded that the probability of toxic gases, from transportation. sources, being swept into the control room air vent in any 1 year period is approximately 5 x 10-6 The staff has also noted that there is onsite-storage of toxic materials.      Presently, no automatic. isolation of the control. ventilation system is provided. Current criteria require redundant ventilation systems for the control room.      The existing single-train ventilation system occupies most of the space in a room in the control building; therefore, installation of a redundant train would require substantial structural modifi-cations. Consequently, the staff recommended that the licensee perform an evalu-ation of the control room ventilation system, which would include a cost-benefit study of various system improvements to provide protection from both toxic gases and radioactivity (TMI Action Plan item III.D.3.4) with emphasis on the reliability of active components in the system.      By letter dated November 14, 1984, the licensee submitted a study of various improvements; none of the alternatives were determined to be cost effective. Installation of the toxic gas monitors is still being considered, however, since this option offered the greatest risk reduction contribution. The licensee's submittal is currently under staff review, and the staff conclusions for this issue will be reported I    in the final IPSAR.
   . 4.1. 3 Toxic Gases The staff in its topic evaluation concluded that the probability of toxic gases, from transportation. sources, being swept into the control room air vent in any 1 year period is approximately 5 x 10-6 The staff has also noted that there is onsite-storage of toxic materials.      Presently, no automatic. isolation of the control. ventilation system is provided. Current criteria require redundant ventilation systems for the control room.      The existing single-train ventilation system occupies most of the space in a room in the control building; therefore, installation of a redundant train would require substantial structural modifi-cations. Consequently, the staff recommended that the licensee perform an evalu-ation of the control room ventilation system, which would include a cost-benefit study of various system improvements to provide protection from both toxic gases and radioactivity (TMI Action Plan item III.D.3.4) with emphasis on the reliability of active components in the system.      By {{letter dated|date=November 14, 1984|text=letter dated November 14, 1984}}, the licensee submitted a study of various improvements; none of the alternatives were determined to be cost effective. Installation of the toxic gas monitors is still being considered, however, since this option offered the greatest risk reduction contribution. The licensee's submittal is currently under staff review, and the staff conclusions for this issue will be reported I    in the final IPSAR.
l San Onofre 1 SEP                        4-2 L
l San Onofre 1 SEP                        4-2 L


Line 578: Line 578:


4.4.3 Fracture Toughness ASME Code, Section III, imposes minimum fracture toughness requirements on carbon steel components. For 55 of the 112 components reviewed, the informa-tion was not sufficient to complete this review. The licensee should perform an evaluation of those items that are not exempt from current fracture tough-ness requirements.to determine if toughness of the material is sufficient to ensure component integrity and, if it is not, evaluate the consequences and demonstrate acceptability or replace the components.
4.4.3 Fracture Toughness ASME Code, Section III, imposes minimum fracture toughness requirements on carbon steel components. For 55 of the 112 components reviewed, the informa-tion was not sufficient to complete this review. The licensee should perform an evaluation of those items that are not exempt from current fracture tough-ness requirements.to determine if toughness of the material is sufficient to ensure component integrity and, if it is not, evaluate the consequences and demonstrate acceptability or replace the components.
4.4.4    Piping The current Class 1 piping design requirements are given in ASME Code, Sec-tion III, NB-3600. Calculations similar to those presented in Examples 1 and 2 in Section 4.2, Appendix A, of TER C5257-433 (enclosure to the SER forwarded by letter dated June 25, 1982), applicable to San Onofre Unit 1 plant design para-meters, should be performed on a sampling basis to assess the impact on the usage factor of gross discontinuities in Class 1 piping systems for a medium and large number of cyclic loads.
4.4.4    Piping The current Class 1 piping design requirements are given in ASME Code, Sec-tion III, NB-3600. Calculations similar to those presented in Examples 1 and 2 in Section 4.2, Appendix A, of TER C5257-433 (enclosure to the SER forwarded by {{letter dated|date=June 25, 1982|text=letter dated June 25, 1982}}), applicable to San Onofre Unit 1 plant design para-meters, should be performed on a sampling basis to assess the impact on the usage factor of gross discontinuities in Class 1 piping systems for a medium and large number of cyclic loads.
4.4.5 Valves Current ASME Code, Section III, design requirements regarding body shapes and Service Level C stress limits for Class 1 valves and pressure-temperature ratings for Class 2 and 3 valves are different from those used when the plant was designed. Sufficient information was not available to assess the valves in the above-stated areas. The licensee should verify, on a sampling basis, that Class 1 valve stress limits meet current criteria for body shape and Service Level C conditions and that the pressure-temperature ratings of Class 2 and 3 valves are comparable to current standards. If current criteria are not met, the licensee should take appropriate corrective action (analysis or upgrading).
4.4.5 Valves Current ASME Code, Section III, design requirements regarding body shapes and Service Level C stress limits for Class 1 valves and pressure-temperature ratings for Class 2 and 3 valves are different from those used when the plant was designed. Sufficient information was not available to assess the valves in the above-stated areas. The licensee should verify, on a sampling basis, that Class 1 valve stress limits meet current criteria for body shape and Service Level C conditions and that the pressure-temperature ratings of Class 2 and 3 valves are comparable to current standards. If current criteria are not met, the licensee should take appropriate corrective action (analysis or upgrading).
4.4.6    Pumps The staff in the topic evaluation concluded that codes, code classes, editions, code cases, and design calculations should be provided for nine of the pumps in the San Onofre Unit 1 plant. Proof of compliance with current fatigue analysis requirements for current Class 1 pumps (the reactor coolant pumps) should be established. The licensee should evaluate the design standards used for the other pumps in relation to current design standards and determine whether ade-quate safety margins exist.
4.4.6    Pumps The staff in the topic evaluation concluded that codes, code classes, editions, code cases, and design calculations should be provided for nine of the pumps in the San Onofre Unit 1 plant. Proof of compliance with current fatigue analysis requirements for current Class 1 pumps (the reactor coolant pumps) should be established. The licensee should evaluate the design standards used for the other pumps in relation to current design standards and determine whether ade-quate safety margins exist.
Line 594: Line 594:
(4) Gantry crane--failure could potentially affect safety-related equipment.
(4) Gantry crane--failure could potentially affect safety-related equipment.
It was the staff's recommendation in the topic evaluation that the licensee should ensure that structures and equipment can withstand the design-basis straight and tornado wind loadings or the licensee should demonstrate that their failure will not prevent reaching a safe shutdown condition.
It was the staff's recommendation in the topic evaluation that the licensee should ensure that structures and equipment can withstand the design-basis straight and tornado wind loadings or the licensee should demonstrate that their failure will not prevent reaching a safe shutdown condition.
By letter dated September 17, 1984, the licensee submitted a Tornado Hazard Analysis Report. This report presented results of a site-specific analysis of tornado windspeed as a function of probability of occurrence. This report con-cluded that, at the 10-4 per year frequency level, tornado windspeed is 59 mph; i  at 10-s, 103 mph; and at 10-7, 183 mph. The crossover point of the tornadic wind with the straight wind hazard function is 75 mph.
By {{letter dated|date=September 17, 1984|text=letter dated September 17, 1984}}, the licensee submitted a Tornado Hazard Analysis Report. This report presented results of a site-specific analysis of tornado windspeed as a function of probability of occurrence. This report con-cluded that, at the 10-4 per year frequency level, tornado windspeed is 59 mph; i  at 10-s, 103 mph; and at 10-7, 183 mph. The crossover point of the tornadic wind with the straight wind hazard function is 75 mph.
A staff contractor (Mcdonald) had previously developed a tornado windspeed probability curve for the San Onofre Unit 1 site. At the upper 95% confidence limit curve, the values are 10-4, 77 mph (straight wind); 10-5, 113 mph; and 10-7, 272 mph. An independent staff assessment of the wind / tornado hazard was also performed later. The findings of the second report are: at 10-4, 80 mph (wind); at 10-5, 135 mph; and at 10-7, 270 mph. The crossover point is at approximately 85 mph (4 x 10-5).
A staff contractor (Mcdonald) had previously developed a tornado windspeed probability curve for the San Onofre Unit 1 site. At the upper 95% confidence limit curve, the values are 10-4, 77 mph (straight wind); 10-5, 113 mph; and 10-7, 272 mph. An independent staff assessment of the wind / tornado hazard was also performed later. The findings of the second report are: at 10-4, 80 mph (wind); at 10-5, 135 mph; and at 10-7, 270 mph. The crossover point is at approximately 85 mph (4 x 10-5).
The next stage of the licensee's analysis for wind and tornado loadings is to perform an evaluation to demonstrate that there is adequate resistance for San Onofre 1 SEP                        4-6
The next stage of the licensee's analysis for wind and tornado loadings is to perform an evaluation to demonstrate that there is adequate resistance for San Onofre 1 SEP                        4-6
Line 610: Line 610:
A' formal inspection program as outlined in Regulatory Guide 1.127 has not been established for the site flood control structures or the service water reservoir.
A' formal inspection program as outlined in Regulatory Guide 1.127 has not been established for the site flood control structures or the service water reservoir.
The staff position is that such. program should be formalized and that the frequency. schedule and a copy of the developed inspection checklist for each structure should be submitted for staff review.
The staff position is that such. program should be formalized and that the frequency. schedule and a copy of the developed inspection checklist for each structure should be submitted for staff review.
By letter dated January 19, 1984, the licensee committed to develop a program in accordance with Regulatory Guide 1.127. The proposed prcgram was submitted on June 5, 1984. The program is generally acceptable; however, the staff iden-        t tified the need to make the following changes:    (1) add the north bluff includ-ing the service water reservoir (SWR) to the list of areas to be examined to ensure that the drainage over the bluff to the ocean is maintained and (2) modify the requirement for checking the north drainage ditch to be annually before the rainy season. The SWR is not required for decay heat removal because the new auxiliary feedwater storage tank is available. However, the SWR does provide the fire protection water supply. The licensee agreed to these changes and will incorporate them into the program.
By {{letter dated|date=January 19, 1984|text=letter dated January 19, 1984}}, the licensee committed to develop a program in accordance with Regulatory Guide 1.127. The proposed prcgram was submitted on June 5, 1984. The program is generally acceptable; however, the staff iden-        t tified the need to make the following changes:    (1) add the north bluff includ-ing the service water reservoir (SWR) to the list of areas to be examined to ensure that the drainage over the bluff to the ocean is maintained and (2) modify the requirement for checking the north drainage ditch to be annually before the rainy season. The SWR is not required for decay heat removal because the new auxiliary feedwater storage tank is available. However, the SWR does provide the fire protection water supply. The licensee agreed to these changes and will incorporate them into the program.
.As discussed in Section 1.4.3, during the last inspection of the intake struc-ture, significant degradation of the rebar was discovered. Enhanced surveil-lance of this structure would be appropriate to monitor any similar problems'in the future. The licensee agreed to these enhanced inspections in a letter dated October 18, 1984. Also, as discussed in the staff's safety evaluation forwarded by letter dated November 21, 1984, inspections of portions of the seawall should be performed to check for degradation. These considerations should be included in the inservice inspection program for water control structures.      The licensee will. provide the details of the proposed inspection program by                .
.As discussed in Section 1.4.3, during the last inspection of the intake struc-ture, significant degradation of the rebar was discovered. Enhanced surveil-lance of this structure would be appropriate to monitor any similar problems'in the future. The licensee agreed to these enhanced inspections in a {{letter dated|date=October 18, 1984|text=letter dated October 18, 1984}}. Also, as discussed in the staff's safety evaluation forwarded by {{letter dated|date=November 21, 1984|text=letter dated November 21, 1984}}, inspections of portions of the seawall should be performed to check for degradation. These considerations should be included in the inservice inspection program for water control structures.      The licensee will. provide the details of the proposed inspection program by                .
4.8 Topic III-4.A, Tornado Missiles 10 CFR 50 (GDC 2), as implemented by Regulatory Guide 1.117, requires, in part, that structures, systems, and components be designed to withstand the effects of a tornado, including tornado missiles, without loss of capability to perform their safety functions. Regulatory Guide 1.117 recommends that structures, systems, and components that should be protected from the effects of a design-basis tornado are (1) those necessary to ensure the integrity of the reactor coolant pressure boundary, (2) those necessary to ensure the capability to shut down the reactor and maintain it in a safe. shutdown condition (including both hot standby and cold shutdown), and (3) those whose failure could lead to radioactive releases resulting in calculated offsite exposures greater than 25%
4.8 Topic III-4.A, Tornado Missiles 10 CFR 50 (GDC 2), as implemented by Regulatory Guide 1.117, requires, in part, that structures, systems, and components be designed to withstand the effects of a tornado, including tornado missiles, without loss of capability to perform their safety functions. Regulatory Guide 1.117 recommends that structures, systems, and components that should be protected from the effects of a design-basis tornado are (1) those necessary to ensure the integrity of the reactor coolant pressure boundary, (2) those necessary to ensure the capability to shut down the reactor and maintain it in a safe. shutdown condition (including both hot standby and cold shutdown), and (3) those whose failure could lead to radioactive releases resulting in calculated offsite exposures greater than 25%
of the guideline exposures of 10 CFR 100 using appropriately conservative anal-ytical methods and assumptions. The physical separation of redundant or alter-nate structures or components required for the safe shutdown of the plant is not considered acceptable by itself for providing protection against the effects of tornados, including tornado generated missiles, because of the large number and random direction of potential missiles that could result from a tornado, as well as the need to consider the single-failure criterion.
of the guideline exposures of 10 CFR 100 using appropriately conservative anal-ytical methods and assumptions. The physical separation of redundant or alter-nate structures or components required for the safe shutdown of the plant is not considered acceptable by itself for providing protection against the effects of tornados, including tornado generated missiles, because of the large number and random direction of potential missiles that could result from a tornado, as well as the need to consider the single-failure criterion.
Line 641: Line 641:


Onofre Units 2 and 3, new geologic and seismologic information was developed for the site. The design basis for Units 2 and 3 is a 0.67g modified Newmark spectrum earthquake. The licensee initiated a reevaluation program for San Onofre Unit I using a ground motion input of 0.67g Housner spectrum. Following initiation of the SEP in 1978, this ongoing seismic reevaluation program was
Onofre Units 2 and 3, new geologic and seismologic information was developed for the site. The design basis for Units 2 and 3 is a 0.67g modified Newmark spectrum earthquake. The licensee initiated a reevaluation program for San Onofre Unit I using a ground motion input of 0.67g Housner spectrum. Following initiation of the SEP in 1978, this ongoing seismic reevaluation program was
;    incorporated into the SEP. The history and status of the seismic reevaluation program are detailed in the staff's November 21, 1984, letter transmitting the Contingent Recission of Suspension and attached safety evaluation.
;    incorporated into the SEP. The history and status of the seismic reevaluation program are detailed in the staff's {{letter dated|date=November 21, 1984|text=November 21, 1984, letter}} transmitting the Contingent Recission of Suspension and attached safety evaluation.
As part of this reevaluation program and as discussed in the evaluations for i
As part of this reevaluation program and as discussed in the evaluations for i
Topics II-4.A, B, and C (see Appendix E), the staff determined that the appropri-ate free-field seismic horizontal response spectrum to use for seismic reevalua-tion of San Onofre Unit 1 was the Housner spectrum anchored at 0.67g with a 10%
Topics II-4.A, B, and C (see Appendix E), the staff determined that the appropri-ate free-field seismic horizontal response spectrum to use for seismic reevalua-tion of San Onofre Unit 1 was the Housner spectrum anchored at 0.67g with a 10%
increase over a specified range. The vertical spectrum is the Housner spectrum anchored at 0.44g with a 10% increase over a small range. These response spec-tra are referred to as the modified Housner spectra.
increase over a specified range. The vertical spectrum is the Housner spectrum anchored at 0.44g with a 10% increase over a small range. These response spec-tra are referred to as the modified Housner spectra.
The licensee has completed analyses and modifications (as necessary) to upgrade the following structures, systems, and components to the site-specific reevalua-tion ground motion of 0.67g modified Housner spectra:
The licensee has completed analyses and modifications (as necessary) to upgrade the following structures, systems, and components to the site-specific reevalua-tion ground motion of 0.67g modified Housner spectra:
(1) all safety-related structures (2) main reactor coolant loop and components (3) piping and mechanical equipment whose failure could cause an accident requiring accident mitigating systems or that is required to reach a safe hot standby condition (4) electrical distribution systems and other support systems As discussed in the SER forwarded by letter dated November 21, 1984, supporting resumption of plant operation, the staff found that the seismic upgrading per-formed so far provides for sufficient equipment and systems to ensure that the plant can reach hot shutdown in the event of a 0.67g seismic event. It is the staff's position that the licensee should complete the analyses and implement l    necessary modifications by the end of the next refueling outage. The licensee has proposed criteria and methodologies for these analyses in a report forwarded by letter dated March 12, 1985. These criteria and methods are under staff review. The scope of these efforts includes equipment necessary to achieve cold shutdown and to provide accident mitigation. As noted in Sections 4.23.4, 4.23.5, and 4.23.6, seismic qualification of portions of the component cooling water system, containment purge system, and containment fan coolers ensures the containment isolation function. In addition, some of the criteria and methods that the staff found acceptable for interim operation (i.e., until the next refueling outage) require further justification and/or revision for long-term operation. These issues will be resolved in conjunction with the other analyses discussed above.
(1) all safety-related structures (2) main reactor coolant loop and components (3) piping and mechanical equipment whose failure could cause an accident requiring accident mitigating systems or that is required to reach a safe hot standby condition (4) electrical distribution systems and other support systems As discussed in the SER forwarded by {{letter dated|date=November 21, 1984|text=letter dated November 21, 1984}}, supporting resumption of plant operation, the staff found that the seismic upgrading per-formed so far provides for sufficient equipment and systems to ensure that the plant can reach hot shutdown in the event of a 0.67g seismic event. It is the staff's position that the licensee should complete the analyses and implement l    necessary modifications by the end of the next refueling outage. The licensee has proposed criteria and methodologies for these analyses in a report forwarded by {{letter dated|date=March 12, 1985|text=letter dated March 12, 1985}}. These criteria and methods are under staff review. The scope of these efforts includes equipment necessary to achieve cold shutdown and to provide accident mitigation. As noted in Sections 4.23.4, 4.23.5, and 4.23.6, seismic qualification of portions of the component cooling water system, containment purge system, and containment fan coolers ensures the containment isolation function. In addition, some of the criteria and methods that the staff found acceptable for interim operation (i.e., until the next refueling outage) require further justification and/or revision for long-term operation. These issues will be resolved in conjunction with the other analyses discussed above.
4.12 Topic III-7.8, Design Codes, Design Criteria, Load Combinations, and l            Reactor Cavity Design Criteria 10 CFR 50 (GDC 1, 2, and 4), as implemented by SRP Section 3.8, requires, in part, that structures, systems, and components be designed for the loading that will be imposed on them and that they conform to applicable codes and standards.
4.12 Topic III-7.8, Design Codes, Design Criteria, Load Combinations, and l            Reactor Cavity Design Criteria 10 CFR 50 (GDC 1, 2, and 4), as implemented by SRP Section 3.8, requires, in part, that structures, systems, and components be designed for the loading that will be imposed on them and that they conform to applicable codes and standards.
San Onofre 1 SEP                          4-11 l_
San Onofre 1 SEP                          4-11 l_
Line 662: Line 662:
Under Topic III-7.8, the effects of the combinations of these loads on structures, as prescribed in current NRC acceptance criteria, are to be evaluated. As a result of the seismic reevaluation program being conducted by the licensee, the staff has concluded that any structural modifications resulting from that pro-gram will be sufficient to resolve the load combination issue if the licensee can demonstrate that the seismic loads will dominate over the other loads, when taken in combination. Integrating the results of the vario 's structural loading issues will result in the most cost-effective and efficient method to determine the appropriate structural modifications to resolve all of the loading issues to enhance the overall safety of San Onofre Unit 1.
Under Topic III-7.8, the effects of the combinations of these loads on structures, as prescribed in current NRC acceptance criteria, are to be evaluated. As a result of the seismic reevaluation program being conducted by the licensee, the staff has concluded that any structural modifications resulting from that pro-gram will be sufficient to resolve the load combination issue if the licensee can demonstrate that the seismic loads will dominate over the other loads, when taken in combination. Integrating the results of the vario 's structural loading issues will result in the most cost-effective and efficient method to determine the appropriate structural modifications to resolve all of the loading issues to enhance the overall safety of San Onofre Unit 1.
The licensee will provide the necessary analyses and the recommended plant modifications by                                                                      .
The licensee will provide the necessary analyses and the recommended plant modifications by                                                                      .
4.12.2 Load Combinations for Reactor Containment As part of the topic evaluation, the staff contractor, in a report transmitted by letter dated September 21, 1982, provided an analysis for the combined main steamline break thermal-load plus 0.67g earthquake load indicated that the con-tainment sphere is under high compressive hoop stress in the sand-filled transi-l tion zone. This zone is around the sphere extending 6 ft down from plant grade, i
4.12.2 Load Combinations for Reactor Containment As part of the topic evaluation, the staff contractor, in a report transmitted by {{letter dated|date=September 21, 1982|text=letter dated September 21, 1982}}, provided an analysis for the combined main steamline break thermal-load plus 0.67g earthquake load indicated that the con-tainment sphere is under high compressive hoop stress in the sand-filled transi-l tion zone. This zone is around the sphere extending 6 ft down from plant grade, i
San Onofre 1 SEP                                                                                      4-12
San Onofre 1 SEP                                                                                      4-12


Assessment of the potential for buckling of the shell under this stress is very complex. Inward buckling of the shell could affect containment integrity.
Assessment of the potential for buckling of the shell under this stress is very complex. Inward buckling of the shell could affect containment integrity.
By letter dated March 30, 1984, the licensee provided an analysis that concluded that an adequate margin against buckling exists for the San Onofre Unit 1 sphere. This analysis is currently under staff review.            The staff will report on its conclusions in the final IPSAR.
By {{letter dated|date=March 30, 1984|text=letter dated March 30, 1984}}, the licensee provided an analysis that concluded that an adequate margin against buckling exists for the San Onofre Unit 1 sphere. This analysis is currently under staff review.            The staff will report on its conclusions in the final IPSAR.
4.13 Topic III-7.0, Containment Structural Integrity Tests 10 CFR 50 (GDC 16, 50, and 51), as implemented by SRP Section 3.8.2, requires, in part, that a reactor containment structure be provided and that suf ficient l margin exist to ensure that under postulated accident conditions the containment l  can accommodate the effects with consideration for uncertainties in determining material properties and residual and transient stresses. The obiective of Topic III-7.0 is the evaluation of the original containment structural integ-rity tests that have been performed against current criteria for such tests.
4.13 Topic III-7.0, Containment Structural Integrity Tests 10 CFR 50 (GDC 16, 50, and 51), as implemented by SRP Section 3.8.2, requires, in part, that a reactor containment structure be provided and that suf ficient l margin exist to ensure that under postulated accident conditions the containment l  can accommodate the effects with consideration for uncertainties in determining material properties and residual and transient stresses. The obiective of Topic III-7.0 is the evaluation of the original containment structural integ-rity tests that have been performed against current criteria for such tests.
1 ASME Code, Section III, Division I, Article NE-6000, specifies that a test pressure of 1.1 times the design pressure be used for the containment struc-tural integrity test.      At the time of the initial test, the peak calculated pressure (design pressure) was 46.4 psig; therefore, a margin of 1.15 to the test pressure of 53.4 psig existed.
1 ASME Code, Section III, Division I, Article NE-6000, specifies that a test pressure of 1.1 times the design pressure be used for the containment struc-tural integrity test.      At the time of the initial test, the peak calculated pressure (design pressure) was 46.4 psig; therefore, a margin of 1.15 to the test pressure of 53.4 psig existed.
Line 730: Line 730:
   .should be made to monitor systems that interface with the RCPB for signs of intersystem leakage through methods such as monitoring radioactivity and water levels or flow.
   .should be made to monitor systems that interface with the RCPB for signs of intersystem leakage through methods such as monitoring radioactivity and water levels or flow.
On the basis of its review of the available information for the leakage detec-tion systems at San Onofre Unit 1, the staff in the topic evaluation concluded that the systems used at San Onofre Unit I do not meet all of the recommendations of Regulatory Guide 1.45. Specifically, the staff determined that:
On the basis of its review of the available information for the leakage detec-tion systems at San Onofre Unit 1, the staff in the topic evaluation concluded that the systems used at San Onofre Unit I do not meet all of the recommendations of Regulatory Guide 1.45. Specifically, the staff determined that:
(1) The systems used for the detection of leakage from the RCPB to the contain-ment consist of the minimum three recommended in Regulatory Guide 1.45 plus additional systems. However, at the time the staff SER (letter dated March 7, 1983) was issued, the licensee had not determined the system sensitivities and response time.
(1) The systems used for the detection of leakage from the RCPB to the contain-ment consist of the minimum three recommended in Regulatory Guide 1.45 plus additional systems. However, at the time the staff SER ({{letter dated|date=March 7, 1983|text=letter dated March 7, 1983}}) was issued, the licensee had not determined the system sensitivities and response time.
(2)  Information on the description of the systems used to monitor leakage from the reactor coolant system to secondary systems is incomplete.
(2)  Information on the description of the systems used to monitor leakage from the reactor coolant system to secondary systems is incomplete.
(3) The San Onofre Unit 1 Technical Specifications do not contain requirements for the operability of the leakage detection systems.
(3) The San Onofre Unit 1 Technical Specifications do not contain requirements for the operability of the leakage detection systems.
Line 739: Line 739:
4.18.1 Leakage Into Containment At San Onofre Unit 1, the following systems are provided for RCPB leak detection:
4.18.1 Leakage Into Containment At San Onofre Unit 1, the following systems are provided for RCPB leak detection:
(1) sump level monitoring (2) sump pump actuation monitoring (3) airborne particulate radioactivity monitoring (4) airborne gaseous radioactivity monitoring (5) containment atmosphere pressure monitoring (6) containment atmosphere humidity monitoring (7) containment atmosphere temperature monitoring Also, the amount of leakage from the RCPB can be determined by performing the reactor coolant system hot leak rate test (San Onofre Unit 1 Operating Instruc-tion 501-12.2.7). This test is run at least every 7 days, arid the test run time is 4 hours.
(1) sump level monitoring (2) sump pump actuation monitoring (3) airborne particulate radioactivity monitoring (4) airborne gaseous radioactivity monitoring (5) containment atmosphere pressure monitoring (6) containment atmosphere humidity monitoring (7) containment atmosphere temperature monitoring Also, the amount of leakage from the RCPB can be determined by performing the reactor coolant system hot leak rate test (San Onofre Unit 1 Operating Instruc-tion 501-12.2.7). This test is run at least every 7 days, arid the test run time is 4 hours.
4.18.1.1 System Sensitivity By letter dated February 24, 1984, the licensee provided the following additional information on leakage detection system sensitivity.
4.18.1.1 System Sensitivity By {{letter dated|date=February 24, 1984|text=letter dated February 24, 1984}}, the licensee provided the following additional information on leakage detection system sensitivity.
With the sphere sump pump system, a 1 gpm leak can be detected in 80 min when a level switch starts a sump pump. Pump start is annunciated in the control room. In response to the pump start alarm, the operator logs the pump start time and then the pump stop time. Lights in the control room show pump status (running or not). A second pump starts at a higher setpoint; the annunciator is common to both. If the pumps do not start, another level alarm is reached after 86 additional minutes.
With the sphere sump pump system, a 1 gpm leak can be detected in 80 min when a level switch starts a sump pump. Pump start is annunciated in the control room. In response to the pump start alarm, the operator logs the pump start time and then the pump stop time. Lights in the control room show pump status (running or not). A second pump starts at a higher setpoint; the annunciator is common to both. If the pumps do not start, another level alarm is reached after 86 additional minutes.
If the pump starts, but because of equipment failure the alarm does not sound, the pump will pump out the sump contents to the decontamination drain tank.
If the pump starts, but because of equipment failure the alarm does not sound, the pump will pump out the sump contents to the decontamination drain tank.
Line 788: Line 788:
b
b


By letter dated November 7, 1983, the licensee noted that the present sampling and chemical control procedure for the primary system, which includes sampling of the CCW system, provides for monthly sampling of the C,CW for chlorides and sampling requirements while shut down.          In a letter dated January 19, 1984, the licensee noted that the chemistry limits for chlorides, fluoiides, and oxygen in the procedure comply with the Westinghouse Standard Technical Specification (NUREG-0452) limits.        The staff concludes that these pr      adures are adequate and Technical Specification changes to add these limits                                    'ot necessary.
By {{letter dated|date=November 7, 1983|text=letter dated November 7, 1983}}, the licensee noted that the present sampling and chemical control procedure for the primary system, which includes sampling of the CCW system, provides for monthly sampling of the C,CW for chlorides and sampling requirements while shut down.          In a {{letter dated|date=January 19, 1984|text=letter dated January 19, 1984}}, the licensee noted that the chemistry limits for chlorides, fluoiides, and oxygen in the procedure comply with the Westinghouse Standard Technical Specification (NUREG-0452) limits.        The staff concludes that these pr      adures are adequate and Technical Specification changes to add these limits                                    'ot necessary.
4.19.3 Testing of Recirculation Heat Exchanger The review under Topic VI-7.A.3 noted that the recirculation heat exchangers are not tested for leakage.        This issue was addressed under Topic V-10.A because the concern relates to leakage through a heat exchanger that could result in introduction of sump water (following a loss-of-coolant accident (LOCA)) into the component cooling water system.
4.19.3 Testing of Recirculation Heat Exchanger The review under Topic VI-7.A.3 noted that the recirculation heat exchangers are not tested for leakage.        This issue was addressed under Topic V-10.A because the concern relates to leakage through a heat exchanger that could result in introduction of sump water (following a loss-of-coolant accident (LOCA)) into the component cooling water system.
The recirculation heat exchanger is used to cool sump water during the recircu-lation cooling mode after a LOCA. There is only one heat exchanger.                                  If a leak existed or developed, radioactive water could enter the component cooling water system if the relative pressures in the two systems allowed it. However, the pressure in the heat exchanger is normally higher than peak containment pressure. Furthermore, because the CCW system is a closed loop, an additional failure would be necessary for a release after any leakage into the CCW.
The recirculation heat exchanger is used to cool sump water during the recircu-lation cooling mode after a LOCA. There is only one heat exchanger.                                  If a leak existed or developed, radioactive water could enter the component cooling water system if the relative pressures in the two systems allowed it. However, the pressure in the heat exchanger is normally higher than peak containment pressure. Furthermore, because the CCW system is a closed loop, an additional failure would be necessary for a release after any leakage into the CCW.
Line 815: Line 815:
A limit of 5 gpm leakage for the check valves is established in the plant Technical Specifications.
A limit of 5 gpm leakage for the check valves is established in the plant Technical Specifications.
The results of the limited PRA showed that the initiation of a LOCA due to re-verse leakage through these lines resulting from an MOV left open following its periodic testing and failure of the check valve is considered to be of medium risk significance. The limited PRA also noted that if procedures are established                                                i so that a second operator must verify the correct position of the M0V following the test, the LOCA frequency can-be reduced.
The results of the limited PRA showed that the initiation of a LOCA due to re-verse leakage through these lines resulting from an MOV left open following its periodic testing and failure of the check valve is considered to be of medium risk significance. The limited PRA also noted that if procedures are established                                                i so that a second operator must verify the correct position of the M0V following the test, the LOCA frequency can-be reduced.
As noted, in the licensee's January 19, 1984, letter, the check valves and MOVs are tested as part of Surveillance Procedure 501-12.9-9, " Safety Injection System Check Valve Test." This procedure instructs the operator to open and close the MOV during the test. During startup, the MOVs are verified closed as part of Procedure 501-4-17, " Safety Injection System Operation." Procedure 501-4-39, " Safety Injection System Alignment," requires verification of the M0Vs in the closed position before startup. As part of the shift review, the safety-related valve status is verified in the control room according to Procedure 501-14-5, " Operations Shift Relief and Status Logs."                                  MOV position indication is checked during the inservice testing of these valves (each refueling outage).
As noted, in the licensee's {{letter dated|date=January 19, 1984|text=January 19, 1984, letter}}, the check valves and MOVs are tested as part of Surveillance Procedure 501-12.9-9, " Safety Injection System Check Valve Test." This procedure instructs the operator to open and close the MOV during the test. During startup, the MOVs are verified closed as part of Procedure 501-4-17, " Safety Injection System Operation." Procedure 501-4-39, " Safety Injection System Alignment," requires verification of the M0Vs in the closed position before startup. As part of the shift review, the safety-related valve status is verified in the control room according to Procedure 501-14-5, " Operations Shift Relief and Status Logs."                                  MOV position indication is checked during the inservice testing of these valves (each refueling outage).
It should be noted that the design pressure of the feedwater discharge piping is 1,400 psig. Considering the margins inherent in the design of this piping, the ASME Code allows a pressure of 60% over design pressure under faulted conditions (2,240 psig). The two power-operated relief valves are set to open at 2,190 psig. The staff estimates that the probability of failure of this piping if exposed to RCS pressure is less than 0.5.
It should be noted that the design pressure of the feedwater discharge piping is 1,400 psig. Considering the margins inherent in the design of this piping, the ASME Code allows a pressure of 60% over design pressure under faulted conditions (2,240 psig). The two power-operated relief valves are set to open at 2,190 psig. The staff estimates that the probability of failure of this piping if exposed to RCS pressure is less than 0.5.
The staff concludes that, on the basis of the SIS design pressure and margin, procedures to verify that the MOVs are closed at two separate times before plant startup, and the Technical Specification limit on check valve leakage, modifications to the SIS are not warranted and that this issue is resolved.
The staff concludes that, on the basis of the SIS design pressure and margin, procedures to verify that the MOVs are closed at two separate times before plant startup, and the Technical Specification limit on check valve leakage, modifications to the SIS are not warranted and that this issue is resolved.
Line 838: Line 838:
   'on increasing pressure. The staff in its topic evaluation concluded that this difference from current criteria was acceptable on the basis of availability of the alarm and relief capacity of the overpressure mitigation system (OMS) as well as''the relief valve in the RHR system. This conclusion is also supported by the staff study on overpressure protection systems (AE00/C401), which found that automatic isolation of the RHR system may exacerbate an overpressurization transient and that sufficient relief capacity from the OMS can eliminate the.
   'on increasing pressure. The staff in its topic evaluation concluded that this difference from current criteria was acceptable on the basis of availability of the alarm and relief capacity of the overpressure mitigation system (OMS) as well as''the relief valve in the RHR system. This conclusion is also supported by the staff study on overpressure protection systems (AE00/C401), which found that automatic isolation of the RHR system may exacerbate an overpressurization transient and that sufficient relief capacity from the OMS can eliminate the.
f  concern of RHR system'overpressurization.
f  concern of RHR system'overpressurization.
During cooldown present procedures place the RHR system into service at 350 F and 350 psi. The surge volume in the pressurizer and the relief valve are available for overpressure protection of the RHR system if the OMS is not available. However, to provide protection for the RHR system, the staff recom-mended in its topic evaluation, forwarded by letter dated November 12, 1982, San Onofre 1 SEP                      4-25
During cooldown present procedures place the RHR system into service at 350 F and 350 psi. The surge volume in the pressurizer and the relief valve are available for overpressure protection of the RHR system if the OMS is not available. However, to provide protection for the RHR system, the staff recom-mended in its topic evaluation, forwarded by {{letter dated|date=November 12, 1982|text=letter dated November 12, 1982}}, San Onofre 1 SEP                      4-25


that Technical Specifications should be provided so that the OMS will be operable when the RHR system is in operation.
that Technical Specifications should be provided so that the OMS will be operable when the RHR system is in operation.
Line 846: Line 846:
affect the functions of the engineered safety features.
affect the functions of the engineered safety features.
The safety objective of this topic is to ensure that protective coatings inside the containment do not consist of material (such as cellulose, hydrocarbons, or chlorides) that could decompose in radiation environments, create a hazardous hydrogen rich environment, or cause material failures. The staff in its topic evaluation, therefore, recommended that the licensee commit to a periodic inspection and repair program.
The safety objective of this topic is to ensure that protective coatings inside the containment do not consist of material (such as cellulose, hydrocarbons, or chlorides) that could decompose in radiation environments, create a hazardous hydrogen rich environment, or cause material failures. The staff in its topic evaluation, therefore, recommended that the licensee commit to a periodic inspection and repair program.
By letter dated March 30, 1984, the licensee submitted the results of the inspection of the containment coatings that was performed during the current outage as well as plans for future inspections and repair.      On the basis of the inspection, the licensee committed to the following paint repairs before plant startup:
By {{letter dated|date=March 30, 1984|text=letter dated March 30, 1984}}, the licensee submitted the results of the inspection of the containment coatings that was performed during the current outage as well as plans for future inspections and repair.      On the basis of the inspection, the licensee committed to the following paint repairs before plant startup:
(1) Touch up reactor coolant pumps, containment hatch door, and heating, ventilation, and air conditioning (HVAC) recirculation fans.
(1) Touch up reactor coolant pumps, containment hatch door, and heating, ventilation, and air conditioning (HVAC) recirculation fans.
(2) Repair coatings on some piping with salt and pepper rusting and on piping where coating was applied over mill varnish.
(2) Repair coatings on some piping with salt and pepper rusting and on piping where coating was applied over mill varnish.
Line 866: Line 866:
San Onofre 1 SEP                                                                        4-27
San Onofre 1 SEP                                                                        4-27


As discussed in the licensee's January 19, 1984, letter, the necessary procedures will be implemented before resumption of power from the next refueling outage.
As discussed in the licensee's {{letter dated|date=January 19, 1984|text=January 19, 1984, letter}}, the necessary procedures will be implemented before resumption of power from the next refueling outage.
The staff finds this acceptable and considers this issue to be resolved.
The staff finds this acceptable and considers this issue to be resolved.
4.23.1.3 Redesign of BLOCK SIAS Annunciator Window In the December 6, 1982, safety evaluation, the staff concluded that the annun-ciator for blocking the safety injection actuation signal (SIAS) should be modi-fied to clarify the effects of blocking the signal. This modification entails redesigning the BLOCK SIAS annunciator window to indicate that when the SIAS is blocked, the' containment spray signal and the-SIAS inputs to the containment isolation signal are also blockad. Implementation of this modification does not entail physical changes to the present operating configurations, and, there-fore, the degree of safety will not be significantly enhanced. Furthermore,    I during normal plant cooldown, the automatic SIAS is manually blocked to prevent inadvertent actuation of safety injection. An RCS pressure bistable element generates an alarm (Alert to BLOCK SIAS) at 1,750 psig to advise the operator that the SIAS should be manually blocked before pressure is reduced as part of the cooldown. Should safety injection be required after blocking, manual actuation of both injection flow trains is possible by deliberate sequencer actuation via manual initiate pushbuttons located on each sequencer remote sur-veillance panel in the main control room. Automatic reset of the safety injec-tion block circuits will occur at a pressure of 1,900 psig in the pressurizer as the system is being brought to operating conditions. At that time, the safety injection block permissive indication will extinguish, indicating that the permissives have been reestablished.
4.23.1.3 Redesign of BLOCK SIAS Annunciator Window In the December 6, 1982, safety evaluation, the staff concluded that the annun-ciator for blocking the safety injection actuation signal (SIAS) should be modi-fied to clarify the effects of blocking the signal. This modification entails redesigning the BLOCK SIAS annunciator window to indicate that when the SIAS is blocked, the' containment spray signal and the-SIAS inputs to the containment isolation signal are also blockad. Implementation of this modification does not entail physical changes to the present operating configurations, and, there-fore, the degree of safety will not be significantly enhanced. Furthermore,    I during normal plant cooldown, the automatic SIAS is manually blocked to prevent inadvertent actuation of safety injection. An RCS pressure bistable element generates an alarm (Alert to BLOCK SIAS) at 1,750 psig to advise the operator that the SIAS should be manually blocked before pressure is reduced as part of the cooldown. Should safety injection be required after blocking, manual actuation of both injection flow trains is possible by deliberate sequencer actuation via manual initiate pushbuttons located on each sequencer remote sur-veillance panel in the main control room. Automatic reset of the safety injec-tion block circuits will occur at a pressure of 1,900 psig in the pressurizer as the system is being brought to operating conditions. At that time, the safety injection block permissive indication will extinguish, indicating that the permissives have been reestablished.
Line 880: Line 880:
   - The staff in the topic evaluation concluded that the fans that provide cooling for the diesel generators should be automatically loaded on a safety bus when the diesel generators start. The staff concluded that the diesel generator
   - The staff in the topic evaluation concluded that the fans that provide cooling for the diesel generators should be automatically loaded on a safety bus when the diesel generators start. The staff concluded that the diesel generator
   ~ could be running without adequate cooling capability and thus might overheat.
   ~ could be running without adequate cooling capability and thus might overheat.
In a letter dated January 19, 1984, the licensee. stated that the diesel generators will start. coincident with-a safety injection actuation signal (SIAS), loss of offsite power (LOP), or SIAS/ LOP. In the event of an SIAS, the diesel generators will start and the diesel generator radiator fans will be loaded automatically on the safety bus, which is powered by offsite power.      In the event of an LOP, the diesel generators will start but will initially run with zero load. In this situation, the initial operator action is to attempt to regain power from the switchyard. If power cannot be regained from the switchyard, the buses will be manually loaded on the running diesel generators, at which time, opera-tion of the radiator fans will be initiated. In the event of an SIAS/ LOP, the diesel generators will start and be automatically loaded. Once the diesel generators have reached full speed and voltage (approximately 10 sec after the event), the sequencer will cause the diesel generator circuit breaker to close, thereby energizing the buses that supply power to the radiator fans. Therefore, the fans will start 10 sec after the diesel generators for the SIAS/ LOP event.
In a {{letter dated|date=January 19, 1984|text=letter dated January 19, 1984}}, the licensee. stated that the diesel generators will start. coincident with-a safety injection actuation signal (SIAS), loss of offsite power (LOP), or SIAS/ LOP. In the event of an SIAS, the diesel generators will start and the diesel generator radiator fans will be loaded automatically on the safety bus, which is powered by offsite power.      In the event of an LOP, the diesel generators will start but will initially run with zero load. In this situation, the initial operator action is to attempt to regain power from the switchyard. If power cannot be regained from the switchyard, the buses will be manually loaded on the running diesel generators, at which time, opera-tion of the radiator fans will be initiated. In the event of an SIAS/ LOP, the diesel generators will start and be automatically loaded. Once the diesel generators have reached full speed and voltage (approximately 10 sec after the event), the sequencer will cause the diesel generator circuit breaker to close, thereby energizing the buses that supply power to the radiator fans. Therefore, the fans will start 10 sec after the diesel generators for the SIAS/ LOP event.
Thus, initiation of the diesel generator radiator fans by loading the bus requires operator action only in the event of an LOP. Approximately 30 min are available to initiate fan cooling for the diesel generators running at no load before the diesel generators start to overheat.                                            ,
Thus, initiation of the diesel generator radiator fans by loading the bus requires operator action only in the event of an LOP. Approximately 30 min are available to initiate fan cooling for the diesel generators running at no load before the diesel generators start to overheat.                                            ,
The staff also notes that station operating instructions for loss of offsite power explicitly state the need for restoring cooling to the diesel generator in this time period.
The staff also notes that station operating instructions for loss of offsite power explicitly state the need for restoring cooling to the diesel generator in this time period.
Line 936: Line 936:
The main concern in a PWR is for a steamline break that induces a hydraulic transient rupturing steam generator tubes resulting in a radiological release and uncontrolled LOCA outside containment.            This scenario would only happen if the pipe were to fall between the steam isolation valve and the stop valve. The failure probability of the steamline is this particular section is low.                                            The evaluation of the radiological consequences of this scenario (see Topic XV-17) has been performed assuming that the steam generator has not been isolated, and the staff found that the consequences were within acceptance criteria. The staff concludes that no modification to the steamlines is warranted; however, the staff recommends that appropriate procedures be developed to isolate these lines when required. The licensee will submit these procedures by                                                            .
The main concern in a PWR is for a steamline break that induces a hydraulic transient rupturing steam generator tubes resulting in a radiological release and uncontrolled LOCA outside containment.            This scenario would only happen if the pipe were to fall between the steam isolation valve and the stop valve. The failure probability of the steamline is this particular section is low.                                            The evaluation of the radiological consequences of this scenario (see Topic XV-17) has been performed assuming that the steam generator has not been isolated, and the staff found that the consequences were within acceptance criteria. The staff concludes that no modification to the steamlines is warranted; however, the staff recommends that appropriate procedures be developed to isolate these lines when required. The licensee will submit these procedures by                                                            .
4.23.8 Spare Penetrations During the topic review adequate information regarding the isolation and leakage testing of the following spare penetrations was not available.
4.23.8 Spare Penetrations During the topic review adequate information regarding the isolation and leakage testing of the following spare penetrations was not available.
Line                                                                                  Penetration Spare penetration                                                                    64 through 72 As noted in the June 28, 1983, letter from the licensee, these penetrations are sealed with blind flanges and the penetration design includes provisions for leakage testing. The staff considers this issue resolved.
Line                                                                                  Penetration Spare penetration                                                                    64 through 72 As noted in the {{letter dated|date=June 28, 1983|text=June 28, 1983, letter}} from the licensee, these penetrations are sealed with blind flanges and the penetration design includes provisions for leakage testing. The staff considers this issue resolved.
4.23.9 Air Locks and Hatches During the topic review adequate detailed information was not available regarding the appropriateness of isolation provisions for piping or instrument lines that may penetrate either the personnel air lock, emergency escape lock, or equipment access hatch.
4.23.9 Air Locks and Hatches During the topic review adequate detailed information was not available regarding the appropriateness of isolation provisions for piping or instrument lines that may penetrate either the personnel air lock, emergency escape lock, or equipment access hatch.
The licensee has since indicated that the only penetrations are in the external wall of the air locks. These penetrations are for test purposes. Each has at least one closed manual isolation valve under administrative control. On the basis of this information, the staff finds the provisions for isolation acceptable and considers this issue resolved.
The licensee has since indicated that the only penetrations are in the external wall of the air locks. These penetrations are for test purposes. Each has at least one closed manual isolation valve under administrative control. On the basis of this information, the staff finds the provisions for isolation acceptable and considers this issue resolved.
Line 954: Line 954:


4.25 Topic VI-7.C.2, Failure Mode Analysis (Emergency Core Cooling System) 10 CFR 50 (GDC 35), as implemented by SRP Section 6.3, requires, in part, that the systems provided for emergency core cooling be designed with suitable redundancy in components and features to ensure that system safety functions can be accomplished assuming a single failure.
4.25 Topic VI-7.C.2, Failure Mode Analysis (Emergency Core Cooling System) 10 CFR 50 (GDC 35), as implemented by SRP Section 6.3, requires, in part, that the systems provided for emergency core cooling be designed with suitable redundancy in components and features to ensure that system safety functions can be accomplished assuming a single failure.
Reviews of failure modes were initiated in the mid-1970s. Two studies, one in 1976 (letter dated December 21, 1976) and the other in 1977 (letter dated December 20, 1977), were completed. At San Onofre Unit 1, implementation of selected modifications was deferred to the SEP; interim procedures and system changes were installed pending completion of the SEP. These areas are discussed below.
Reviews of failure modes were initiated in the mid-1970s. Two studies, one in 1976 ({{letter dated|date=December 21, 1976|text=letter dated December 21, 1976}}) and the other in 1977 ({{letter dated|date=December 20, 1977|text=letter dated December 20, 1977}}), were completed. At San Onofre Unit 1, implementation of selected modifications was deferred to the SEP; interim procedures and system changes were installed pending completion of the SEP. These areas are discussed below.
4.25.1 Redundant Valve For Volume Control Tank Isolation Charging pump suction is normally from the volume control tank (VCT) through MOV/LCV 1100C. Upon a safety injection signal, suction is switched to the refueling water storage tank (RWST). Valve 1100C must close so that hydrogen will not be introduced to the charging pump suction when the VCT empties.
4.25.1 Redundant Valve For Volume Control Tank Isolation Charging pump suction is normally from the volume control tank (VCT) through MOV/LCV 1100C. Upon a safety injection signal, suction is switched to the refueling water storage tank (RWST). Valve 1100C must close so that hydrogen will not be introduced to the charging pump suction when the VCT empties.
Failure of MOV/LCV 1100C to close could damage the charging pumps. In the original design, an automatic transfer switch to transfer to the other power division was included. However, failure of this switch could have resulted in loss of both power sources to the valve so the automatic feature was removed.
Failure of MOV/LCV 1100C to close could damage the charging pumps. In the original design, an automatic transfer switch to transfer to the other power division was included. However, failure of this switch could have resulted in loss of both power sources to the valve so the automatic feature was removed.
Line 1,005: Line 1,005:
are also covered by plant procedures. Generic Letter 83-28 also addresses requirements for reactor trip breakers.
are also covered by plant procedures. Generic Letter 83-28 also addresses requirements for reactor trip breakers.
Several channels (manual, startup rate, safety injection) are not required by the Technical Specifications to be checked, tested, or calibrated. However, station procedures establish testing requirements for these channels at frequen-cies consistent with Standard Technical Specification requirements. Also, these channels are not relied on in the safety analyses for automatic reactor protection.
Several channels (manual, startup rate, safety injection) are not required by the Technical Specifications to be checked, tested, or calibrated. However, station procedures establish testing requirements for these channels at frequen-cies consistent with Standard Technical Specification requirements. Also, these channels are not relied on in the safety analyses for automatic reactor protection.
The staff performed a limited PRA of this issue for San Onofre Unit 1 to estimate the improvement if response-time testing of the reactor protection system (RPS) were required. The results of this assessment indicated that response-time test-ing has low safety significance. This occurs because response-time testing is concerned with events on the order of seconds and PRAs have shown that response times of minutes are sufficient, for RPS actuation, to ensure the success of the reactivity control function in time to allow other safety systems to act to prevent core melt. Functional tests, such as those currently performed                                                at San Onofre Unit 1, are sufficient to demonstrate functioning on the order of minutes. Therefore, it is the staff's judgment that response-time testing of the RPS is not required. However, the RPS testing currently covered by plant procedures should be incorporated into the Technical Specifications because of the safety significance of this system. By letter dated March 30, 1984, the licensee agreed to propose a Technical Specification change to incorporate channel testing, checking, and calibration requirements currently specified only by procedure. The licensee should submit this proposed Technical Speci-fication within 90 days following the issuance of the final IPSAR.
The staff performed a limited PRA of this issue for San Onofre Unit 1 to estimate the improvement if response-time testing of the reactor protection system (RPS) were required. The results of this assessment indicated that response-time test-ing has low safety significance. This occurs because response-time testing is concerned with events on the order of seconds and PRAs have shown that response times of minutes are sufficient, for RPS actuation, to ensure the success of the reactivity control function in time to allow other safety systems to act to prevent core melt. Functional tests, such as those currently performed                                                at San Onofre Unit 1, are sufficient to demonstrate functioning on the order of minutes. Therefore, it is the staff's judgment that response-time testing of the RPS is not required. However, the RPS testing currently covered by plant procedures should be incorporated into the Technical Specifications because of the safety significance of this system. By {{letter dated|date=March 30, 1984|text=letter dated March 30, 1984}}, the licensee agreed to propose a Technical Specification change to incorporate channel testing, checking, and calibration requirements currently specified only by procedure. The licensee should submit this proposed Technical Speci-fication within 90 days following the issuance of the final IPSAR.
1 San Onofre 1 SEP                        4-39
1 San Onofre 1 SEP                        4-39


Line 1,024: Line 1,024:
probability of the RPS due to failure combinations that contain unisolated                    I faults in nonsafety systems is about 10-0 to 10-8"; therefore, this issue                      ,
probability of the RPS due to failure combinations that contain unisolated                    I faults in nonsafety systems is about 10-0 to 10-8"; therefore, this issue                      ,
was considered to be of low risk significance.                                                '
was considered to be of low risk significance.                                                '
The licensee agreed to evaluate the isolation between the RPS channels to deter-mine if the protection function of these channels is adequate. This evaluation was provided by letter dated March 30, 1984, with supplemental information provided in a letter dated August 21, 1984a. The RPS channels evaluated by the licensee are discussed below.
The licensee agreed to evaluate the isolation between the RPS channels to deter-mine if the protection function of these channels is adequate. This evaluation was provided by {{letter dated|date=March 30, 1984|text=letter dated March 30, 1984}}, with supplemental information provided in a {{letter dated|date=August 21, 1984|text=letter dated August 21, 1984}}a. The RPS channels evaluated by the licensee are discussed below.
4.27.1 Remote Meters and Recorders The staff topic evaluation, forwarded by letter dated September 9, 1981, indi-cated that there is no isolation between the reactor protection system and remote meters and recorders. As a result, the staff was concerned that a short circuit in the recorders or cables associated with these devices may interfere with the proper functioning of the safety equipment. In addition, the staff was con-corned with the consequences of a failure in the recorder transfer switch that might interconnect redundant channels.
4.27.1 Remote Meters and Recorders The staff topic evaluation, forwarded by {{letter dated|date=September 9, 1981|text=letter dated September 9, 1981}}, indi-cated that there is no isolation between the reactor protection system and remote meters and recorders. As a result, the staff was concerned that a short circuit in the recorders or cables associated with these devices may interfere with the proper functioning of the safety equipment. In addition, the staff was con-corned with the consequences of a failure in the recorder transfer switch that might interconnect redundant channels.
In a safety analysis dated March 30, 1984, the licensee stated that reliance was placed on the separation and independence of the redundant safety channels.
In a safety analysis dated March 30, 1984, the licensee stated that reliance was placed on the separation and independence of the redundant safety channels.
In a response dated August 21, 1984a, the licensee identified the transfer switch as a Westinghouse W-2. This switch is used extensively in nuclear power plant safety applications and is seismically and environmentally qualified.
In a response dated August 21, 1984a, the licensee identified the transfer switch as a Westinghouse W-2. This switch is used extensively in nuclear power plant safety applications and is seismically and environmentally qualified.
Line 1,034: Line 1,034:
San Onofre 1 SEP                        4-41
San Onofre 1 SEP                        4-41


In the March 30, 1984, letter the licensee also stated that current limiting resistors are used in the recorder circuits. The resultant current caused by a recorder chart drive motor to pen motor short circuit would add or sub-tract, in the worst case, 25% of the signal from the affected circuit.                                                                                                    This may inhibit the protective action of that channel but will not propogate to other channels. Accordingly, this issue is resolved.
In the {{letter dated|date=March 30, 1984|text=March 30, 1984, letter}} the licensee also stated that current limiting resistors are used in the recorder circuits. The resultant current caused by a recorder chart drive motor to pen motor short circuit would add or sub-tract, in the worst case, 25% of the signal from the affected circuit.                                                                                                    This may inhibit the protective action of that channel but will not propogate to other channels. Accordingly, this issue is resolved.
4.27.2 Data Logger The staff SER forwarded by letter dated February 10, 1983, noted that the data logger is not isolated from the nuclear instrumentation system. The licensee's response dated March 30, 1984, Indicated that a 91,000-ohm resistor network be-tween the data logger and the nuclear instrumentation provides sufficient iso-lation. The resultant current represents approximately a 5% change in signal level and approaches the worst-case error expected in such instrumentation. The licensee also argues that the staff PRA shows that failure of such isolation schemes has little (1 x 109 0 per reactor year) effect on core-melt probability.
4.27.2 Data Logger The staff SER forwarded by {{letter dated|date=February 10, 1983|text=letter dated February 10, 1983}}, noted that the data logger is not isolated from the nuclear instrumentation system. The licensee's response dated March 30, 1984, Indicated that a 91,000-ohm resistor network be-tween the data logger and the nuclear instrumentation provides sufficient iso-lation. The resultant current represents approximately a 5% change in signal level and approaches the worst-case error expected in such instrumentation. The licensee also argues that the staff PRA shows that failure of such isolation schemes has little (1 x 109 0 per reactor year) effect on core-melt probability.
The staff has concluded that improving the nuclear instrumentation does not provide a significant improvement in the reliability of the system and is, therefore, not warranted.                                  The staff considers this issue to be resolved.
The staff has concluded that improving the nuclear instrumentation does not provide a significant improvement in the reliability of the system and is, therefore, not warranted.                                  The staff considers this issue to be resolved.
4.27.3 Feedwater Control The staff SER also noted that there is no isolation between the steam-to-feedwater flow mismatch channels and the feedwater controls.                                                                    The licensee has presented arguments for accepting this design that are similar to those that were made in the case of the remote meters and recorders (i.e., redundancy of channels, same quality standards). The staff agrees and, therefore, does not recommend modifications to this design either.
4.27.3 Feedwater Control The staff SER also noted that there is no isolation between the steam-to-feedwater flow mismatch channels and the feedwater controls.                                                                    The licensee has presented arguments for accepting this design that are similar to those that were made in the case of the remote meters and recorders (i.e., redundancy of channels, same quality standards). The staff agrees and, therefore, does not recommend modifications to this design either.
Line 1,079: Line 1,079:


acceptable bus conditions that will then define the setpoint for the degraded grid protection system.
acceptable bus conditions that will then define the setpoint for the degraded grid protection system.
The staff's SER for MPA 8-23 for San Onofre Unit 1 was forwarded to the licensee by letter dated June 23, 1982. In that letter, the staff found the licensee-proposed modifications and Technical Specification changes acceptable. These modifications consisted of replacing the existing relays with coincidence logic and corresponding Technical Specifications for limiting conditions for operation and surveillance requirements. The schedule for implementation will be determined in accordance with the licensee's integrated living schedule.
The staff's SER for MPA 8-23 for San Onofre Unit 1 was forwarded to the licensee by {{letter dated|date=June 23, 1982|text=letter dated June 23, 1982}}. In that letter, the staff found the licensee-proposed modifications and Technical Specification changes acceptable. These modifications consisted of replacing the existing relays with coincidence logic and corresponding Technical Specifications for limiting conditions for operation and surveillance requirements. The schedule for implementation will be determined in accordance with the licensee's integrated living schedule.
The staff's SER for MPA B-48 for San Onofre Unit I was issued by letter dated July 29, 1983. The licensee committed to perform a study to determine the optimized tap settings for the auxiliary transformer. The tap settings were modified before plant restart. The licensee in a letter dated December 20, 1984, submitted the study results. A voltage monitoring program to verify the results of the analysis is currently being conducted, and the results will be submitted shortly. The staff finds this commitment acceptable. This analysis and program will be evaluated by the staff and will be discussed in the final IPSAR.                                                                            .
The staff's SER for MPA B-48 for San Onofre Unit I was issued by {{letter dated|date=July 29, 1983|text=letter dated July 29, 1983}}. The licensee committed to perform a study to determine the optimized tap settings for the auxiliary transformer. The tap settings were modified before plant restart. The licensee in a {{letter dated|date=December 20, 1984|text=letter dated December 20, 1984}}, submitted the study results. A voltage monitoring program to verify the results of the analysis is currently being conducted, and the results will be submitted shortly. The staff finds this commitment acceptable. This analysis and program will be evaluated by the staff and will be discussed in the final IPSAR.                                                                            .
4.30 Topic VIII-3.B, DC Power System Bus Voltage Monitoring and Annunciation 10 CFR 50.55a(h), as implemented by IEEE Std. 279-1971, and 10 CFR 50 (GDC 2, 4, 5, 17, 18, and 19), as implemented by SRP Section 8.3.2, Regulatory Guides 1.6, 1.32, 1.47, 1.75, 1.118, and 1.29, and BTP ICSB-21, require, in part, that the control room operator be given timely indication of the status of the batteries and their availability under accident conditions.
4.30 Topic VIII-3.B, DC Power System Bus Voltage Monitoring and Annunciation 10 CFR 50.55a(h), as implemented by IEEE Std. 279-1971, and 10 CFR 50 (GDC 2, 4, 5, 17, 18, and 19), as implemented by SRP Section 8.3.2, Regulatory Guides 1.6, 1.32, 1.47, 1.75, 1.118, and 1.29, and BTP ICSB-21, require, in part, that the control room operator be given timely indication of the status of the batteries and their availability under accident conditions.
To ensure the design adequacy of the de power system battery and bus voltage monitoring and annunciation schemes so that the operator can (1) prevent the loss of an emergency dc bus or (2) take timely corrective action in the event of loss of an emergency de bus.
To ensure the design adequacy of the de power system battery and bus voltage monitoring and annunciation schemes so that the operator can (1) prevent the loss of an emergency dc bus or (2) take timely corrective action in the event of loss of an emergency de bus.
Line 1,094: Line 1,094:
The limited PRA performed for this topic assumed that with the present design, unannunciated faults are not detected until battery tests are performed each l
The limited PRA performed for this topic assumed that with the present design, unannunciated faults are not detected until battery tests are performed each l
refueling outage. With the additional annunciators, it was assumed that only half of the battery faults are assumed to be detected. Under these assump-tions, it was concluded that the unavailability of a 125-V dc bus could be reduced by a factor of 4. Because of the arrangement of de power supplies at San Onofre Unit 1 in which both dc buses can be powered either from a battery or from either diesel generator, this issue was considered to be of medium risk significance. For the UPS, the risk significance is, negligible because it affects only one valve in the safety injection system and the risk significance of that valve failure is dominated by mechanical failures.
refueling outage. With the additional annunciators, it was assumed that only half of the battery faults are assumed to be detected. Under these assump-tions, it was concluded that the unavailability of a 125-V dc bus could be reduced by a factor of 4. Because of the arrangement of de power supplies at San Onofre Unit 1 in which both dc buses can be powered either from a battery or from either diesel generator, this issue was considered to be of medium risk significance. For the UPS, the risk significance is, negligible because it affects only one valve in the safety injection system and the risk significance of that valve failure is dominated by mechanical failures.
l In a letter dated March 30, 1984, the licensee responded to the staff SER with an analysis of the existing instrumentation. In Table 2 of that discussion, the licensee noted that indication of breaker / fuse status is provided in the control rcom and a low voltage alarm is also provided in the control room. In addition, the licensee has stated that the alarms available in the control room when used in conjunction with local instrumentation and periodic testing pro-vide a suitable alternative to providing additional instrumentation.
l In a {{letter dated|date=March 30, 1984|text=letter dated March 30, 1984}}, the licensee responded to the staff SER with an analysis of the existing instrumentation. In Table 2 of that discussion, the licensee noted that indication of breaker / fuse status is provided in the control rcom and a low voltage alarm is also provided in the control room. In addition, the licensee has stated that the alarms available in the control room when used in conjunction with local instrumentation and periodic testing pro-vide a suitable alternative to providing additional instrumentation.
Past staff practice has been to require a battery current monitor. However, research by Yankee Atomic Electric Company (letter dated April 13, 1983, on SEP Topic VIII-3.B) indicates that a suitable sensitive current monitor is not commercially available. Currently available equipment that has the required range of current (from trickle charge to peak rated discharge) does not have the accuracy and precision necessary. The use of multiple instruments requires a switching system that could introduce a potential high resistance failure l
Past staff practice has been to require a battery current monitor. However, research by Yankee Atomic Electric Company ({{letter dated|date=April 13, 1983|text=letter dated April 13, 1983}}, on SEP Topic VIII-3.B) indicates that a suitable sensitive current monitor is not commercially available. Currently available equipment that has the required range of current (from trickle charge to peak rated discharge) does not have the accuracy and precision necessary. The use of multiple instruments requires a switching system that could introduce a potential high resistance failure l
that is more probable (because of operator error) than the current design presents.
that is more probable (because of operator error) than the current design presents.
Other methods to verify the battery is connected to the bus are the use of breaker and fuse status alarms or battery voltage monitoring and, to ensure that a high resistance does not develop because of corrosion or metal creep, a periodic inspection program.
Other methods to verify the battery is connected to the bus are the use of breaker and fuse status alarms or battery voltage monitoring and, to ensure that a high resistance does not develop because of corrosion or metal creep, a periodic inspection program.
Line 1,107: Line 1,107:
The limited PRA showed that the failure probability of containment integrity as a result of failure of low voltage electrical penetrations is several orders of magnitude smaller than other contributors to containment failure. Thus, this issue is rated low from a risk point of view. On the basis of monthly penetra-tion assembly testing, the staff concludes that modifications to the penetrations are not warranted. The staff considers this issue to be resolved.
The limited PRA showed that the failure probability of containment integrity as a result of failure of low voltage electrical penetrations is several orders of magnitude smaller than other contributors to containment failure. Thus, this issue is rated low from a risk point of view. On the basis of monthly penetra-tion assembly testing, the staff concludes that modifications to the penetrations are not warranted. The staff considers this issue to be resolved.
4.32 Topic IX-3, Station Service and Cooling Water Systems 10 CFR 50 (GDC 44, 45, and 46), as implemented by SRP Sections 9.2.1 and 9.2.2, requires that a cooling water system be provided, inspected, and tested and that the system be capable of transferring heat from structures, systems, and components important to safety to the ultimate heat sink. The staff in the topic evaluation concluded that the design of the service and cooling water system is adequate, except for the following.
4.32 Topic IX-3, Station Service and Cooling Water Systems 10 CFR 50 (GDC 44, 45, and 46), as implemented by SRP Sections 9.2.1 and 9.2.2, requires that a cooling water system be provided, inspected, and tested and that the system be capable of transferring heat from structures, systems, and components important to safety to the ultimate heat sink. The staff in the topic evaluation concluded that the design of the service and cooling water system is adequate, except for the following.
4.32.1 Component Cooling Water System Temperature Design Limits During the review of this topic, the IIcensee by letter dated November 2, 1981, provided the results of an analysis that indicated that the temperature at the component cooling water (CCW) heat exchanger could reach 227'f. This is 27F" more than the design temperature of 200'F. Therefore, the staff requested that the licensee either (1) demonstrate that this design temperature exceedance would not result in damage to the CCW system or the equipment it serves or (2) provide corrective measures, in a response dated January 19, 1984, the ifconsee quantified the conservatisms of the earlier analysis and estimated that the CCW system would not exceed design conditions with a more realistic analysis. The licensee performed San Onofre 1 SEP                        4-47
4.32.1 Component Cooling Water System Temperature Design Limits During the review of this topic, the IIcensee by {{letter dated|date=November 2, 1981|text=letter dated November 2, 1981}}, provided the results of an analysis that indicated that the temperature at the component cooling water (CCW) heat exchanger could reach 227'f. This is 27F" more than the design temperature of 200'F. Therefore, the staff requested that the licensee either (1) demonstrate that this design temperature exceedance would not result in damage to the CCW system or the equipment it serves or (2) provide corrective measures, in a response dated January 19, 1984, the ifconsee quantified the conservatisms of the earlier analysis and estimated that the CCW system would not exceed design conditions with a more realistic analysis. The licensee performed San Onofre 1 SEP                        4-47


scoping calculations to evaluate the heat removal capability of the CCW system considering various equipment configurations as part of the evaluation of Topic V-10.B (see staff SER forwarded by letter dated November 12, 1982). On the basis of these calculations, the staff determined that the CCW system is ade-quately designed to remove energy from the primary coolant system and other supporting components without exceeding design conditions.
scoping calculations to evaluate the heat removal capability of the CCW system considering various equipment configurations as part of the evaluation of Topic V-10.B (see staff SER forwarded by {{letter dated|date=November 12, 1982|text=letter dated November 12, 1982}}). On the basis of these calculations, the staff determined that the CCW system is ade-quately designed to remove energy from the primary coolant system and other supporting components without exceeding design conditions.
Therefore, the staff agrees with the licensee's assessment and concludes that no additional action is required.                        This issue is resolved.
Therefore, the staff agrees with the licensee's assessment and concludes that no additional action is required.                        This issue is resolved.
4.32.2 Independence of Component Cooling Water System Valves CV-737A and CV-7378 During the review of this topic, the staff found that sufficient information was not available to verify the full independence, (i.e., physical separation, power supplies, and interlocks) of valves CV-737A and CV-7378.
4.32.2 Independence of Component Cooling Water System Valves CV-737A and CV-7378 During the review of this topic, the staff found that sufficient information was not available to verify the full independence, (i.e., physical separation, power supplies, and interlocks) of valves CV-737A and CV-7378.
In a January 19, 1984, response, the licensee referenced a report, " Separation and LOCA Environment Assessment of San Onofre Unit 1 Emergency Core Cooling Systems," that had been forwarded by letter dated December 20, 1977, which documents that the independence of valves CV-737A and CV-7378, including routing of controls and power supplies and physical separation. The licensee stated that the independence is acceptable on the basis of the review criteria of Regulatory Guide 1.75.                          The report is currently under staff review, and the staff's conclusions will be presented in the final IPSAR.
In a January 19, 1984, response, the licensee referenced a report, " Separation and LOCA Environment Assessment of San Onofre Unit 1 Emergency Core Cooling Systems," that had been forwarded by {{letter dated|date=December 20, 1977|text=letter dated December 20, 1977}}, which documents that the independence of valves CV-737A and CV-7378, including routing of controls and power supplies and physical separation. The licensee stated that the independence is acceptable on the basis of the review criteria of Regulatory Guide 1.75.                          The report is currently under staff review, and the staff's conclusions will be presented in the final IPSAR.
4.32.3 Component Cooling Water System Passive Failure Although the pumps and heat exchangers of the CCW system are redundant, they are connected to single pipe headers for supply and return whose failure could disable the system.
4.32.3 Component Cooling Water System Passive Failure Although the pumps and heat exchangers of the CCW system are redundant, they are connected to single pipe headers for supply and return whose failure could disable the system.
The licensee, by letter dated March 30, 1984, noted that a seismically qualified alternative method for bringing the plant to a hot standby condition is available.
The licensee, by {{letter dated|date=March 30, 1984|text=letter dated March 30, 1984}}, noted that a seismically qualified alternative method for bringing the plant to a hot standby condition is available.
This method for shutdown does not require the CCW or salt water cooling (SWC) systems. In addition, as part of the fire protection safe shutdown issue, a dedicated shutdown system will be installed at San Onofre Unit 1. The licensee's conceptual design of this system also does not require the CCW or SWC systems but relies instead on use of the steam generators in a feed-and-bleed operation for reaching cold shutdown (see Section 4.34).
This method for shutdown does not require the CCW or salt water cooling (SWC) systems. In addition, as part of the fire protection safe shutdown issue, a dedicated shutdown system will be installed at San Onofre Unit 1. The licensee's conceptual design of this system also does not require the CCW or SWC systems but relies instead on use of the steam generators in a feed-and-bleed operation for reaching cold shutdown (see Section 4.34).
A Ilmited PRA was performed for this issue.                          The results indicated that with all the conservative assumptions related to passive failures, their contribu-tion to the total failure of the CCW system is about 6%. This contribution is jud0ed to be insignificant with respect to the overall risk.
A Ilmited PRA was performed for this issue.                          The results indicated that with all the conservative assumptions related to passive failures, their contribu-tion to the total failure of the CCW system is about 6%. This contribution is jud0ed to be insignificant with respect to the overall risk.
Line 1,125: Line 1,125:
risk associated with this valve-failure event is low. However, the results were based on valve-failure data for a valve design, which the staff four.d was not sufficiently representative of the actual installation; therefore, the staf f concluded that this issue may be of greater importance than indicated in the limited PRA. Subsequently, the licensee has determinsd,.as discussed in a
risk associated with this valve-failure event is low. However, the results were based on valve-failure data for a valve design, which the staff four.d was not sufficiently representative of the actual installation; therefore, the staf f concluded that this issue may be of greater importance than indicated in the limited PRA. Subsequently, the licensee has determinsd,.as discussed in a
                                                                     ~
                                                                     ~
May 7,1984, letter, that the tsunami gates need .not be closed to prevent site flooding in the event of a tsunami (see staff evaluation fornarded by letter dated August 27, 1984a). Accordingly, the licensee has removed the tsunami '
{{letter dated|date=May 7, 1984|text=May 7,1984, letter}}, that the tsunami gates need .not be closed to prevent site flooding in the event of a tsunami (see staff evaluation fornarded by {{letter dated|date=August 27, 1984|text=letter dated August 27, 1984}}a). Accordingly, the licensee has removed the tsunami '
gates. This action will ensure that tsunami valve failure will not contribute        !
gates. This action will ensure that tsunami valve failure will not contribute        !
to SWC unavailability.                                                              !
to SWC unavailability.                                                              !
Line 1,131: Line 1,131:
4.32.5 Independence of Salt Water Cooling System Components During the review of this topic, the staf f found that sufficient information' was not available to verify the full independence.(i.e., physical separation, power supplies, and interlocks) of valves POVS, POV6, MOV220A, and MOV7208.
4.32.5 Independence of Salt Water Cooling System Components During the review of this topic, the staf f found that sufficient information' was not available to verify the full independence.(i.e., physical separation, power supplies, and interlocks) of valves POVS, POV6, MOV220A, and MOV7208.
In a January 19, 1984, response the licensee referanced a report, " Separation and LOCA Environment Assessment of San Onofre Unit 1 Emirgency Core Coolirq Systems,"
In a January 19, 1984, response the licensee referanced a report, " Separation and LOCA Environment Assessment of San Onofre Unit 1 Emirgency Core Coolirq Systems,"
that had been forwarded by letter dated December 20, 1977, which addresses the physical and electrical separation of control and power cables for tNse valves. As discussed under Topic VI-7.C.2, the results of the above analysis are being evaluated to determine if modifications are required. This item will be covered by that review. Because this item will be incorporated and resolved    ~
that had been forwarded by {{letter dated|date=December 20, 1977|text=letter dated December 20, 1977}}, which addresses the physical and electrical separation of control and power cables for tNse valves. As discussed under Topic VI-7.C.2, the results of the above analysis are being evaluated to determine if modifications are required. This item will be covered by that review. Because this item will be incorporated and resolved    ~
in a related topic, this item is considered complete.                    '
in a related topic, this item is considered complete.                    '
4.32.6 Loss of Salt Water Cooling Pump Bearings Flush The SWC pump bearings are flushed by the service water supply system, which is not a safety grade system. Thus, t.he possibility exists that this fishing function could be lost when the demand for the SWC system would be greatest.
4.32.6 Loss of Salt Water Cooling Pump Bearings Flush The SWC pump bearings are flushed by the service water supply system, which is not a safety grade system. Thus, t.he possibility exists that this fishing function could be lost when the demand for the SWC system would be greatest.
Line 1,153: Line 1,153:
A limited PRA was performed for this issue. The results indicated that the probability of a ventilation system failure that fails the charging pumps, in combination with other system failures required to result in a core-melt-sequence, is small in comparison with the expected total core-melt frequency.
A limited PRA was performed for this issue. The results indicated that the probability of a ventilation system failure that fails the charging pumps, in combination with other system failures required to result in a core-melt-sequence, is small in comparison with the expected total core-melt frequency.
This issue was, therefore, rated to be of low risk significance.                '
This issue was, therefore, rated to be of low risk significance.                '
The licensee, by letter dated June 24, 1983, provided the results of an evalua-tion of this issue. On the basis of this evaluation, the licensee found that even if the single supply fan failed, the air exhaust fans of the containment sphere purging and exhaust system are of sufficient size to maintain adequate ventilation of the charging pumps.
The licensee, by {{letter dated|date=June 24, 1983|text=letter dated June 24, 1983}}, provided the results of an evalua-tion of this issue. On the basis of this evaluation, the licensee found that even if the single supply fan failed, the air exhaust fans of the containment sphere purging and exhaust system are of sufficient size to maintain adequate ventilation of the charging pumps.
On the basis of the low risk significance and containment ventilation avail-ability, the staff concludes that no modifications are warranted and considers this issue resolved.
On the basis of the low risk significance and containment ventilation avail-ability, the staff concludes that no modifications are warranted and considers this issue resolved.
4.33.'2  Sv:itchgear and Cable Spreading and 480-V Switchgear Rooms The switchgear and cable spreading room and 480-V switchgear room ventilation systems are vulnerable to a single active failure.      The staff in the topic eval-uation recommended that the licensee either demonstrate that ventilation of the equipment serviced by these systems is unnecesary or propose a corrective action.
4.33.'2  Sv:itchgear and Cable Spreading and 480-V Switchgear Rooms The switchgear and cable spreading room and 480-V switchgear room ventilation systems are vulnerable to a single active failure.      The staff in the topic eval-uation recommended that the licensee either demonstrate that ventilation of the equipment serviced by these systems is unnecesary or propose a corrective action.
Line 1,160: Line 1,160:
The results of a limited PRA rated the risk associated with the loss of the 480-V i
The results of a limited PRA rated the risk associated with the loss of the 480-V i
switchgear, room ventilation system as low. The basis of this conclusion was the assumption that the loss of this system would result in the loss of only one of the two ac power trains. The availability of the redundant ac power supply and the auxiliary feedwater system, both unaffected by the loss of ventilation in the 480-V switchgear room, reduces the significance of this event to a point where it would not significantly affect the core-melt frequency.
switchgear, room ventilation system as low. The basis of this conclusion was the assumption that the loss of this system would result in the loss of only one of the two ac power trains. The availability of the redundant ac power supply and the auxiliary feedwater system, both unaffected by the loss of ventilation in the 480-V switchgear room, reduces the significance of this event to a point where it would not significantly affect the core-melt frequency.
As discussed in the licensee's June 24, 1983, letter, new room ventilation
As discussed in the licensee's {{letter dated|date=June 24, 1983|text=June 24, 1983, letter}}, new room ventilation
       . systems were recently installed. Modifications in these areas to resolve Appen-dix R (10 CFR 50) fire protection concerns necessitated installation'of these
       . systems were recently installed. Modifications in these areas to resolve Appen-dix R (10 CFR 50) fire protection concerns necessitated installation'of these
       -systems. The new systems consist of air conditioning unit with backup supply and exhaust fans. However, the systems are neither safety grade nor powered from the emergency diesel generators. Therefore, the licensee in an August 21, 1984, letter provided the results of a room-temperature analysis for periods during both normal operating and postaccident conditions when room ventilation could be lost. On the basis of these results, the licensee has determined that the room air ambient temperature would not exceed 104 F, the normal qualification
       -systems. The new systems consist of air conditioning unit with backup supply and exhaust fans. However, the systems are neither safety grade nor powered from the emergency diesel generators. Therefore, the licensee in an {{letter dated|date=August 21, 1984|text=August 21, 1984, letter}} provided the results of a room-temperature analysis for periods during both normal operating and postaccident conditions when room ventilation could be lost. On the basis of these results, the licensee has determined that the room air ambient temperature would not exceed 104 F, the normal qualification
       -San Onofre 1 SEP                        4-51
       -San Onofre 1 SEP                        4-51


Line 1,172: Line 1,172:
   . topic evaluation the licensee was requested to either demonstrate that ventila-tion of the equipment in the battery and inverter rooms is unnecessary or propose a cortective action.
   . topic evaluation the licensee was requested to either demonstrate that ventila-tion of the equipment in the battery and inverter rooms is unnecessary or propose a cortective action.
The results of a limited PRA rated the risk associated with the loss of the administration building ventilation system as high.                                            The basis of this conclu-sion was the assumption that the failure of one of the station batteries as a result:of a loss of ventilation could have a significant effect on the core-melt frequency. Failure'of the ventilation system, that is, failure of a single fan, can be expected to occur more frequently than the loss of a dc power train as a result of battery faults. Battery faults generally are significant con-tributors to dominant accident sequences.
The results of a limited PRA rated the risk associated with the loss of the administration building ventilation system as high.                                            The basis of this conclu-sion was the assumption that the failure of one of the station batteries as a result:of a loss of ventilation could have a significant effect on the core-melt frequency. Failure'of the ventilation system, that is, failure of a single fan, can be expected to occur more frequently than the loss of a dc power train as a result of battery faults. Battery faults generally are significant con-tributors to dominant accident sequences.
By letter dated June 24, 1983, the licensee noted that loss of ventilation in
By {{letter dated|date=June 24, 1983|text=letter dated June 24, 1983}}, the licensee noted that loss of ventilation in
   .the battery room would not adversely affect equipment as a result of the small amount of heat generated by the batteries and their high heat capacity.                                              The main concern for battery room ventilation is hydrogen buildup.                                            There is a vent in the battery room roof as well as hydrogen monitors, which alarm in the con-trol room.
   .the battery room would not adversely affect equipment as a result of the small amount of heat generated by the batteries and their high heat capacity.                                              The main concern for battery room ventilation is hydrogen buildup.                                            There is a vent in the battery room roof as well as hydrogen monitors, which alarm in the con-trol room.
By letter dated August 21, 1984, the licensee pro.ided the results of'a thermal analysis performed for the inverter room.                                            The results of this analysis showed that the room air ambient temperature would not exceed 104 F even if a loss of room ventilation were to occur under normal operating or postaccident condi-tions. For most industrial equipment 104 F is the normal qualification temperature.
By {{letter dated|date=August 21, 1984|text=letter dated August 21, 1984}}, the licensee pro.ided the results of'a thermal analysis performed for the inverter room.                                            The results of this analysis showed that the room air ambient temperature would not exceed 104 F even if a loss of room ventilation were to occur under normal operating or postaccident condi-tions. For most industrial equipment 104 F is the normal qualification temperature.
On the basis of the above information, the staff recommends that the licensee develop a procedure for room cooling and hydrogen dispersion.
On the basis of the above information, the staff recommends that the licensee develop a procedure for room cooling and hydrogen dispersion.
4.34 Topic IX-6, Fire Protection 10 CFR 50 (Sections III.G and III.L of Appendix R) requires that fire protection features be provided for structures, systems, and components important to safe shutdown and that if separation and barriers between redundant safe shutdown equipment in a fire area do not meet the requirements of Section III.G.2,                                                  'l alternative or dedicated shutdown capability should be provided that can achieve safe shutdown conditions independent of the effects of fire in the area.
4.34 Topic IX-6, Fire Protection 10 CFR 50 (Sections III.G and III.L of Appendix R) requires that fire protection features be provided for structures, systems, and components important to safe shutdown and that if separation and barriers between redundant safe shutdown equipment in a fire area do not meet the requirements of Section III.G.2,                                                  'l alternative or dedicated shutdown capability should be provided that can achieve safe shutdown conditions independent of the effects of fire in the area.
San Onofre 1 SEP                                                      4-52 L
San Onofre 1 SEP                                                      4-52 L


At San Onofre Unit 1, equipment in several areas does not satisfy the above requirements. The licensee had proposed, in a letter dated June 30, 1982, extensive modifications and additions to existing plant systems to show compli-ance with Appendix R. Many of the changes are related to several SEP topics.
At San Onofre Unit 1, equipment in several areas does not satisfy the above requirements. The licensee had proposed, in a {{letter dated|date=June 30, 1982|text=letter dated June 30, 1982}}, extensive modifications and additions to existing plant systems to show compli-ance with Appendix R. Many of the changes are related to several SEP topics.
The staff approved the conceptual design of these modifications by letter dated November 18,.1982. The staff granted an exemption to the schedular requirements of 10 CFR 50.48(c) on March 23, 1983, which established October 31, 1983, as the date for determining the implementation schedule.                              l One of the major issues to be resolved with respect to fire protection relates
The staff approved the conceptual design of these modifications by letter dated November 18,.1982. The staff granted an exemption to the schedular requirements of 10 CFR 50.48(c) on March 23, 1983, which established October 31, 1983, as the date for determining the implementation schedule.                              l One of the major issues to be resolved with respect to fire protection relates
-to the 4,160-V switchgear cable spreading room, where cabling and equipment for both divisions of ac power are present. The original proposal would have in-volved relocation and addition of cabling to eliminate this concern.
-to the 4,160-V switchgear cable spreading room, where cabling and equipment for both divisions of ac power are present. The original proposal would have in-volved relocation and addition of cabling to eliminate this concern.
By letter dated April 24, 1984, the licensee submitted a revised proposal for achieving compliance with 10 CFR 50.48 and Appendix R. It involves a dedicated safe shutdown system consisting of a new diesel generator (non-safety-related) and associated switchgear, transfer switches, and the like. The proposed modi-fication should be minimally impacted by other SEP modifications. The licensee's proposal is under staff review. This issue will be resolved independent of the SEP issues. This issue is therefore considered complete.
By {{letter dated|date=April 24, 1984|text=letter dated April 24, 1984}}, the licensee submitted a revised proposal for achieving compliance with 10 CFR 50.48 and Appendix R. It involves a dedicated safe shutdown system consisting of a new diesel generator (non-safety-related) and associated switchgear, transfer switches, and the like. The proposed modi-fication should be minimally impacted by other SEP modifications. The licensee's proposal is under staff review. This issue will be resolved independent of the SEP issues. This issue is therefore considered complete.
l l'
l l'
4.35 Topic XV-1, Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve 10 CFR 50.34 requires that eacn applicant for a construction permit or operat-ing license provide an analysis and evaluation of the design and performance of structures, systems and components of the facility with the objective of assess-ing the risk to public health and safety resulting from operation of the facil-ity, including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility. 10 CFR 50 (GDC 10-and 15), as implemented by SRP Sections 15.1.1 through 15.1.4, requires, in part, that plants be adequately designed to mitigate the consequences of feedwater system malfunctions that result in an increase in feedwater flow.
4.35 Topic XV-1, Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve 10 CFR 50.34 requires that eacn applicant for a construction permit or operat-ing license provide an analysis and evaluation of the design and performance of structures, systems and components of the facility with the objective of assess-ing the risk to public health and safety resulting from operation of the facil-ity, including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility. 10 CFR 50 (GDC 10-and 15), as implemented by SRP Sections 15.1.1 through 15.1.4, requires, in part, that plants be adequately designed to mitigate the consequences of feedwater system malfunctions that result in an increase in feedwater flow.
Line 1,418: Line 1,418:
October 9,'1969        A tsunami gate fell down into the intake structure when        69-03 (see Appendix F) bond between the gate and attachment plate studs failed.
October 9,'1969        A tsunami gate fell down into the intake structure when        69-03 (see Appendix F) bond between the gate and attachment plate studs failed.
No disruption in flow occurred. Attachment design was improved.
No disruption in flow occurred. Attachment design was improved.
March 1975              Shaft of north SWC pump sheared because of fatigue from        July 24, 1980, letter' t                                      excessive vibration resulting from worn. shaft bearings.
March 1975              Shaft of north SWC pump sheared because of fatigue from        {{letter dated|date=July 24, 1980|text=July 24, 1980, letter}}' t                                      excessive vibration resulting from worn. shaft bearings.
January 16, 1978        A SWC pump breaker tripped open when the other pump.was        Licensee Event Report (LER) out for. maintenance.                                          78-01 (see Appendix F)
January 16, 1978        A SWC pump breaker tripped open when the other pump.was        Licensee Event Report (LER) out for. maintenance.                                          78-01 (see Appendix F)
March 10, 1980          Total loss of. saltwater cooling      shaft of south SWC pump  LER 80-06; AE00 report dated sheare'd (excessive. vibration from worn bearings),. air-      August 12, 1982._(attached to              .t operated valve on the north pump discharge failed closed-      Topic IX-3 SER); NUREG-0900, (desiccant contamination of solenoid "0" ring), and-          Vol. 3,'No. 3 (Abnormal auxiliary SWC pump did not function because of inadequate      Occurrence.80-7) priming (air leak into suction line).      The screen wash pumps were used to. provide cooling until SWC flow was restored.                                                                                                  1 July 7, 1980            South train air-operated discharge valve (POV-6) failed-      LER 80-031 to open because of burnt-out solenoid valve; wrong sole-noid had been installed during maintenance overhaul (ac installed, dc required).
March 10, 1980          Total loss of. saltwater cooling      shaft of south SWC pump  LER 80-06; AE00 report dated sheare'd (excessive. vibration from worn bearings),. air-      August 12, 1982._(attached to              .t operated valve on the north pump discharge failed closed-      Topic IX-3 SER); NUREG-0900, (desiccant contamination of solenoid "0" ring), and-          Vol. 3,'No. 3 (Abnormal auxiliary SWC pump did not function because of inadequate      Occurrence.80-7) priming (air leak into suction line).      The screen wash pumps were used to. provide cooling until SWC flow was restored.                                                                                                  1 July 7, 1980            South train air-operated discharge valve (POV-6) failed-      LER 80-031 to open because of burnt-out solenoid valve; wrong sole-noid had been installed during maintenance overhaul (ac installed, dc required).

Latest revision as of 01:42, 22 August 2022

Integrated Plant Safety Assessment Report,Systematic Evaluation Program - San Onofre Nuclear Generating Station Unit 1.Docket No. 50-206.(Southern California Edison Company)
ML20127P703
Person / Time
Site: San Onofre Southern California Edison icon.png
Issue date: 04/30/1985
From:
Office of Nuclear Reactor Regulation
To:
References
NUREG-0829, NUREG-0829-DRFT, NUREG-829, NUREG-829-DRFT, NUDOCS 8505240058
Download: ML20127P703 (558)
v  d  e


Text

{{#Wiki_filter:- - -- -- - -- - NURbG-0829 Integrated Plant Safety Assessment Systematic Evaluation Program San Onofre Nuclear Generating Station, Unit 1 Southern California Edison Company Docket No. 50-206 Draft Report U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation April 1985 

     +*"%

i 

   ~t,gy,j/

i

3 NOTICE 

                           ' Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources:
1. The NRC Public Document Room,1717 H Street, N.W.

Washington, DC 20555

2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082,
             . Washington, DC 20013 7982
3. The National Technical information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC publications, J it is not intended to be exhaustive.
                    ~

Referenced documents available for inspection and copying for a fee from the NRC Public Docu- l ment Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars,- information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers: and applicant and licensee documents and correspondence. The following documents in the NUREG series are available for purchase from the NRC/GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and N RC booklets and brot.hures. Also available are Regulatory Guides, N RC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances. 

     . Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and 

     . state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited. ] Single copies of NRC draft reports are available free, to the extent of supply, upon written request j to the Division of Technical information and Document Control, U.S. Nuclear Regulatory Com-mission, Washington, DC 20555.  ; 

     - Copies of industry codes and standards used in a substantive manner in the NRC regulatory process       l are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available L       there for reference use by the public. Codes and standards are usually copyrighted and may be           >
     . purchased frorn the originating organization or, if they are American National Standards, from the      )

American National Standards Institute,1430 Broadway, New York, NY 10018.

j NUREG-0829 l l Integrated Plant Safety Assessment ! Systematic Evaluation Program San Onofre Nuclear Generating Station, Unit 1 Southern California Edison Company l Docket No. 50-206 Draft Report  ! 

                                                  ~

, U.S. Nuclear Regulatory Commission l Office of Nuclear Reactor Regulation April 1985 l ,s* %a,, I 

                                                                                      \

\ t / a 

                                                  ' ABSTRACT

_The Systematic. Evaluation Program was initiated in February 1977 by the U. S.

Nuclear Regulatory Commission to review- the designs of older operating nuclear reactor plants to' reconfirm and document their safety. The review provides-(1) an assessment of -how these plants compare with current licensing safety

_ requirements relating to selected issues, (2) a basis for deciding on how 

                                                                                         ~

these~ differences should be resolved in an integrated plant review, and (3) a 

            . documented evaluation'of plant safety.

This report documents the review of ' San Onofre Nuclear Generating Station, Unit 1, operated by Southern California Edison Company. The San Onofre plant is one of ten plants reviewed under Phase II of this program. This report 

             -indicates how 137 topics' selected for review under Phase I of the program were addressed.~ Equipment and procedural changes have been identified as a result of the~ review.                                            -e
                                          ,                                    .4 l

I 4 \ 4- San Onofre 1 SEP iii J

4 CONTENTS Page 

       ' ABSTRACT .............................................................                        iii ACRONYMS AND.INITIALISMS..............................................                          xi

SUMMARY

..................... ......................................... xiii 1 INTRODUCTION............................................. ....... 1-1 1.1 Background.................................................. 1-1~

1. 2 Systematic Evaluation Program Objectives.................... 1-2 1.3' Description of P1 ant........................................ 1-3 l 1.4' Summary of Operating History and Experience................. 1-4 t-1.4.1 Summary of Oak Ridge National Laboratory Report t (March 27, 1967, Through December 31, 1981).......... 1-4 L 1.4.2 Operating Experience, January 1982 Through November 1984........................................ 1-7
1. 4.' 3 Regulatory Performance, June 1, 1983, Through.

September 30, 1984...................... ............ 1-8 l 2. REVIEW METH00.................................................... 2-1 2.1 Overview............... ................. .................. 2-1 2.2 Selection of Topic List..................................... 2-1 L 2.3 Topic Evaluation. Procedures................................. 2-2 2.4 Integrated Plant Safety Assessment.......................... 2-3 3 TOPIC' EVALUATION

SUMMARY

......................................... 3-1 

            ;3.1 Final San Onofre Unit 1-Specific List-of Topics Reviewed....                          3-1 3.2 Topics for Which Plant-Design Meets Current. Criteria Basis..................         .3-5
            . 3.3. or Was Acceptable Topics              on Another for Which Plant DesignDefined Meets-Current Criteria or Equivalent Based on Modifications Implemented by
                   .the Licensee...............................................                        3-5 L

4 INTEGRATED ASSESSMENT

SUMMARY

.................................... 4-1 4.1'~ Topic II-1.C, Potential Hazards or Changes in Potential Hazards Due to Transportation, Institutional, Industrial, and Military Facilities......................... 4-1 $' 4.1.1 .0verpressure From Explosions......................... 4-2 4.1.2- Frequency of Shipments...... ........................ 4-2 4.1.3 Toxic Gases........................ ................. 4-2 5 f v l San Onofre=1 SEP l b I

CONTENTS (Continued) P_ag 4.2 ; Topic II-3.A, Hydrologic. Description; Topic II-3.B, Flooding Potential and Protection Requirements; Topic"II-3.B.1, Capability of Operating Plants To Cope- 

               .With Design-Basis Flooding Conditions; and Topic II-3.C, Safety-Related Water Supply (Ultimate Heat Sink (VHS))......              4-3
         '4.3   Topic II-4.F, Settlement of: Foundations and Buried Equipment...................................................              4            4.4 Topic III-1, Classification of Structures, Components, and Systemsf(Seismic and Quality)...........................              4-3 e
       ~

4.4.1 Radiography Requirements..................... ....... 4-4 4.4.2 Pressure Vessels..................................... 4-4 4.'4. 3 Fracture Toughness................................... 4-5. 4.4.4 Piping............................................... 4-5 4.4.5 Va1ves............................................... 4-5 4.4.6 Pumps........................................ ....... 4-5; 4.4.7 Storage Tanks................... .................... 4-5 4.5 Topic III-2, Wind and Tornado Loadings...................... 4-6 4.6 ^ Topic III-3.A. Effects of High Water Level on Structures.................................................. 4-7 4.6.1 Groundwater.......................................... 4-7 4.6.2 Roof Loadings........................................ 4-7 4.7 Topic III-3.C, Inservice Inspection of Water Control Structures.................................................. 4-7 

        -4.8    Topic III-4.A, Tornado  Missiles.............................            4-8 4.9- Topic III-5.A, Effects of Pipe Break on' Structures, Components,-and Systems Inside Containment..................             4-9 4.10 Topic III-5.B, Pipe Break Outside Containment...............               4-10 4.11 Topic III-6, Seismic' Design Considerations..................              4-10 4.12 Topic III-7.8, Design Codes, Design Criteria, Load Combinations , and Reactor Cavity Design Criteria. . . . . . . . . . . . 4-11 4.12.1 Design Codes, Criteria, and Load Combinations.......               4-12 4.12.2 Load Combinations for Reactor Containment. . . . . . . . . . . 4-12 4.13 Topic III-7.0, Containment Structural Integrity Tests.......               4-13 4.14 Topic III-8.A, Loose-Parts Monitoring and Core Barrel Vibration Monitoring........................................              4-13 4.'15 Topic III-10.A.-Thermal-Overload Protection for Motors of Motor-0perated Va1ves....................................              4-14 4.16 Topic III-10.8, Pump Flywheel Integrity.....................               4-16 4.17 Topic IV-2, Reactivity Control Systems, Including Functional Design and Protection Against Single Failures....................................................              4-16 4.18 Topic V-5, Reactor Coolant Pressure Boundary (RCPB)

Leakage Detection........................................... 4-17 San Onofre 1 SEP vi I

CONTENTS (Continued) Page 4.18.1 Leakage Into Containment. .............. ....... .. 4-18 4.18.2 Intersystem Leakage..................... .......... 4-20 4.19 Topic V-10.A, Residual Heat Removal System Heat Exchanger Tube Failures........... .... ........... ........ ......... 4-20 4.19.1 Radiation Monitoring............... .... .. .. . ... 4-2 4.19.2 Sampling..................... .............. ....... 4-21 4.19.3 Testing of Recirculation Heat Exchanger.... ...... . 4-22 4.20 Topic V-11.A, Requirements for Isolation of High- and Low-Pressure Systems..................... ..... ......... . 4-22 4.20.1 Chemical and Volume Control System........ ...... .. 4-22 4.20.2 Safety Injection System......... ......... ......... 4-24 4.20.3 Long-Term Recirculation System...... .. ........... 4-24 4.21 Topic V-11.B, Residual Heat Removal System Interlock Requirements................................. ............ . 4-25 4.21.1 Residual Heat Removal System Interlocks........... . 4-25 4.21.2 Overpressurization Protection of Residual Heat Removal System................................. 4-25 4.22 Topic VI-1, Organic Materials and Postaccident Chemistry.. . . 4-26 4.23 Topic-VI-4, Containment Isolation System.................... 4-26 4.23.1 Electrical Aspects.................................. 4-27 4.23.2 Valve Actuation..................................... 4-29 4.23.3 Valve Type...... ........................ .......... 4-30 4.23.4 Valve Location.......... .................... .... 4-31 4.23.5 Isolation of Closed Systems......................... 4-31 4.23.6 Isolation of Air Handling Unit Cooling Lines.. ..... 4-32 4.23.7 Isolation of Branch Lines.............. . ... ...... 4-32 4.23.8 Spare Penetrations..................... ....... .... 4-34 4.23.9 Air Locks and Hatches.......... .......... .. .. .. 4-34 4.24 Topic VI-7.B. Engineered Safety Feature Switchover From Injection to Recirculation Mode (Automatic Emergency Core Cooling System Realignment)..... .... . ..... 1-34 4.25 Topic VI-7.C.2, Failure Mode Analysis (Emergency Core Cooling System)....................... ................ 4-3t 4.25.1 Redundant Valve for Volume Control Tank Isolation....................... .. .... ........... 4-36 4.25.2 Control Power for FCV-1115D, E, and F............... 4-37 4 i San Onofre 1 SEP vii

qt - - CONTENTS (Continued) c~ v 4.25.3 Hot- Leg Reci rcu l ati on. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37 Other-Modifications................................. C L4.25.4 4-37 

              '4.26 Topic VI-10.A, Testing of Reactor Trip System and Engineered Safety Features, Includin Response-Time
                     ' Testing.............................g....... ...............

4-39' 4.26.1 Response-Time Testing of the Reactor Protection' System................................... 4-39 4.26.2 Testing of Engineered Safety Features............... 4-40 4.26.3 Testing of Support Systems.......................... 4-40 4.27 Topic VII-1.A, Isolation of Reactor Protection System From Nonsafety Systems, ' Including Qualification of Isolation Devices........................................... 4-40 

                    .4.27.1 : Remote Meters and Recorders.........................                                         4-41
                    -4.27.2_ Data Logger.........................................                                          4-42 4.27.3 Feedwater      Contro1...................................                                     4-42 4.28 Topic VII-3, Systems Required for Safe Shutdown.............                                           4-42
                    .4.28.1 Component Cooling Water Surge Tank Level Instrumentation.....................................                                        4-42 4.28.2 Adequate Seismic Category I Water Supply for the Auxil iary Feedwater System. . . . . . . . . . . . . . . . . . . . . .                  4-43 4.28.3 TMI Task Action Plan Item II.E.1.1, " Auxiliary Feedwater System Evaluation"........................                                        4-43 4.29 Topic VIII-1.A, Potential Equipment Failures-Associated With Degraded Grid Voltage..................................                                        4-44 4.30 Topic VIII-3.B, DC Power System Bus Voltage Monitoring and Annunciation............................................                                        4-45 4.31 Topic VIII-4, Electrical Penetrations of Reactor
                   -Containment.................................................                                         4-47 4.32 Topic IX-3, Station Service and Cooling Water Systems.......                                         4-47 4.32.1 Component Cooling Water System Temperature Design Limits.......................................                                       4-47 4.32.2 Independence of Component Cooling Water System Valves CV-737A and CV-7378..........................                                       4-48 4.32.3 Component Cooling Water System Passive Failure......                                         4-48 4.32.4 Salt Water Cooling System Supply Water Failure......                                         4-49 4.32.5 Independence of Salt Water Cooling System Components..........................................                                      4-49 4.32.6 Loss of Salt Water Cooling Pump Bearings F1ush...............................................                                       4-49 4.32.7 Salt Water Cooling System Reliability...............                                         4-50
        - San Onofre 1 SEP                                viii

77, CONTENTS (Continued) 

                                                                                              .P_ age.

4.33-Topic IX-5,-Ventilation Systems............................. 4-50 4 

                          ~4.33.1 Reactor. Auxiliary Building............... ..........       4-50 4.33.2 Switchgear and Cable Spreading and 480-V Switchgear Rooms.................................... 4-51 4.33.3 : ~ Administration Building _ (Battery Room and Inverter Room)...................................... 4-52 4.34 Topic IX-6, Fire Protection.............................. 7.        4-52 4.35 Topic XV-1, Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve.........       4-53 4.36 Topic XV-2, Spectrum of Steam System Piping Failures Inside and Outside Containment (PWR)........................       4-54 5     REFERENCES........................................        .............. 5-1      -

APPENDIX A -- TOPIC DEFINITIONS FOR SEP REVIEW APPENDIX B --'SEP TOPICS DELETED BECAUSE THEY ARE COVERED BY A TMI , TASK, UNRESOLVED SAFETY ISSUE (USI), OR OTHER SEP TOPIC APPENDIX C -- PLANT-SPECIFIC SEP-TOPICS DELETED, REFERENCE LETTER, AND REASON FOR DELETION APPENDIX D -- RISK BASED CATEGORIZATION OF SAN ON0FRE SEP ISSUES APPENDIX E -- REFERENCES TO CORRESPONDENCE FOR EACH TOPIC EVALUATED APPENDIX F -- REVIEW 0F OPERATING EXPERIENCE FOR SAN ON0FRE NUCLEAR 1: _ GENERATING STATION, UNIT NO. 1 APPENDIX'G -- NRC STAFF CONTRIBUTORS AND CONSULTANTS i s I 4

t i San Onofre 1 SEP_. ix E_

m-s t , ACRONYMS AND INITIALISMS ac- alternating current ACI American Concrete Institute 

         . ACRS        Advisory Committee on Reactor Safguards
         'AFW           auxiliary feedwater-AISC         American Institute of Steel Construction, Inc.

API American Petroleum Institute ASA 'American Standards Association ASB Auxiliary Systems Branch ASME American Society of Mechanical Engineers BTP branch technical position BWR boiling-water reactor CCW component cooling water CFR Code of Federal Regulations CIS containment isolation system CSAS containment spray actuation signal CV control valve CVCS chemical and volume control system DBE- design-basis event dc direct current ECCS emergency core cooling system ESF ' engineered safety feature FCV flow control valve FSAR Final Safety Analysis Report FTOL full-term operating license FW/SI feedwater/ safety injection GDC' general design criterion (a) gpm gallon (s) per minute HVAC heating, ventilation, and air conditioning HX heat exchanger ICSB Instrumentation and Control Systems Branch IEEE Institute of Electrical and Electronics Engineers IPSAR integrated plant safety assessment report IREP. Integrated Reliability Evaluation Program LCV level control valve LER licensee event report 

           'LOCA         loss-of-coolant accident LOP          loss of power MEB         Mechanical Engineering Branch MLLW        mean lower level water datum MOV~        motor-operated valve MPA          multiplant action miles per hour mph MWe          megawatt-electrical l

MWt megawatt-thermal j NRC U. S. Nuclear Regulatory Commission OMS overpressurization mitigation system ? ORNL Oak Ridge National Laboratory San Onofre 1 SEP xi l

PMF probable maximum flood PMP probable maximum precipitation PN0 preliminary notification of occurrence POL provisional operating license POV power-operated valve-PRA probabilistic risk assessment psi pound (s) per square inch psig pound (s) per square gage PWR pressurized-water reactor RAB reactor auxiliary building RCP reactor coolant pump RCPB reactor coolant pressure boundary RCS reactor coolant system RETS Radiological Effluent Technical Specifications RG regulatory guius RHR residual heat removal RPS reactor protection system RSB Reactor Systems Branch RWST refueling water storage tank SALP systematic assessment of licensee performance SAR safety analysis report SCE Southern California Edison Company SEP Systematic Evaluation Program SER safety evaluation report SI safety injection SIAS safety injection actuation signal SIS safety injection system SLSS safeguards load sequencer system SONGS San Onofre Nuclear Generating Station SRP Standard Review Plan SWC salt water cooling SWGR switchgear SWR service water reservoir T average temperature ave TAP Task Action Plan TMI Three Mile Island TS Technical Specifications VHS ultimate heat sink UPS uninterruptible power supply USI unresolved safety issue VCT volume control tank San Onofre 1 SEP xii

SUMMARY

                                   ~

LThe. Systematic Evaluation Program (SEP) was initiated by the U.S. Nuclear Regulatory Commission (NRC) to review the designs of older operating nuclear reactor plants to reconfirm and document their safety. The review provides (1) an assessment of'the significance of differences between current technical positions on safety-issues and those that existed when a particular plant was

licensed, (2) basis for deciding how these differences should be resolved in an integrated plant review, and (3) a documented evaluation of plant safety.

The review compared'the as-boilt design with current review criteria in 137 different areas defined as " topics." The " Definition" and other information for each of these topics appear in Appendix A. During the review, 48 of the 

     . topics'were deleted from consideration under the SEP because a review was being made under other programs (Unresolved Safety. Issue (USI) or Three Mile Island (TMI) Action Plan Tasks), or the topic was not applicable to the plant; that is,'the topic was applicable to boiling-water reactors (BWRs) rather than to pressurized-water reactors (PWRs) or the items to be reviewed under that topic did not exist at the site.      The topics deleted because they were being reviewed under either the USI or TMI programs are listed in Appendix B, and the topics deleted because they did not apply to the plant are listed in Appendix C.

Of the original 137 topics, 89 were, therefore, reviewed for San Onofre Nuclear Generating Station Unit 1; of these, 53 met current criteria or were acceptable on another defined basis. References for correspondence pertaining to safety evaluation reports (SERs) for each of the 89 topics appear in Appendix E. The review of the remaining 36 topics found that certain aspects of plant de-sign differed from current criteria. These topics were considered in the in-tegrated assessment of the plant, which consisted of evaluating the safety sig-nificance 'nd other factors of the identified differences from current design criteria arrive at decisions on whether modifications were necessary from an overall plant safety viewpoint. To arrive at these decisions, engineering judg-ment was used as well as the results of a limited probabilistic risk assessment study. This study and staff comments are in Appendix 0. Table 4.1 summarizes the staff's positions reached in the integrated assessment. In general, these fell into one or more of the following categories: (1) equip-ment modification or addition, (2) procedure development or Technical Specifi-cation changes, (3) refined engineering analysis or continuation of ongoing , cvaluation, and (4) no modifications necessary. Safety improvements are being planned as a result of the integrated assessment and are listed below. Some safety improvements have already been implemented by the licensee. These are discussed in Sections 3 and 4 but are not listed i below. The following descriptions summarize the corrective actions addressed by the integrated assessment. The sections in this report relating to the issue are given in parentheses. San Onofre 1 SEP xiii 3 

 -                                                                                  y s

SAFETY IMPROVEMENTS AGREED TO AND TO BE IMPLEMENTED BY THE LICENSEE AS A RESULT OF'SEP These improvements fall into three categories. The first category comprises hardware modifications or additions that the licensee has agreed to make and-that are required by the NRC. _The second category comprises procedural or Technical Specification changes that become part of the operating license. The third category comprises additional engineering analysis followed by corrective measures where required. These three categories are listed below, and the issues are discussed in sections of this report given in parentheses. Category 1, Equipment Modifications or Additions l l (1)- Install motor-driven auxiliary feedwater pump train (4.28.3 and 4.36). I 1 (2) Implement modifications to undervoltage protection-logic, including , Technical Specifications (4.29). (3) Install dedicated shutdown system for fire protection (4.32.3). Category 2, Technical Specification Changes and Procedure Development The staff's position regarding Technical Specification changes is that the proposed changes may be submitted all together following the completion of the  ; integrated assessment. The licensee should submit, within 90 days after the l issuance of the Final Integrated Plant Safety Assessment Report, a request for an amendment of the operating license to change the facility Technical Specifications. (1) Provide enhanced surveillance program for the water intake structure and incorporate other identified changes in the water control structure i surveillance program (4.7). l (2) Provide Technical Specifications for operability of leakage detection i systems (4.18.1.2). l (3) Provide procedures for handling potential failures of the leak detection systemsfollowingageismicevent(4.18.1.3). , (4) Provide Technical Specifications for the overpressure mitigation system l (4.21.2). (5) Develop a periodic inspection program for containment coatings (4.22). (6) Modify sequencer test procedures to use door control panel lights I (4.23.1.2). l (7) Provide administrative controls and/or locking devices for refueling i

water supply line branches (4.23.7.1). j (8) Develop procedures to isolate certain branches of the main steamlines (4.23.7.2),

t I 1 i ! San Onofre 1 SEP xiv i b

(9) Provide Technical Specifications for channel testing, checking, and calibration (4.26.1). (10) Provide Technical Specifications for containment spray actuation signal logic (4.26.2). (11) Implement room temperature monitoring program and hydrogen dispersion procedure (4.33.2 and 4.33.3). Category 3, Additional Engineering Evaluation It is the staff's position that all engineering evaluations and corresponding ! schedules for modifications be submitted on the established schedules as docu-mented in the appropriate report sections and as summarized in Table 4.1. (1) Evaluate the need for toxic gas monitors (4.1.3). (2) Analyze structure roofs for probable maximum precipitation loading (4.2 and 4.6.2). (3) Evaluate the potential long-term settlement of safety-related structures [ and components founded on backfill soil (4.3). (4) Demonstrate by inspection or analysis adequate quality standards (4.4). (5) Perform cost / benefit analysis to determine design windspeed and modifica-tions (4.5, 4.8, and 4.12.1). (6) Demonstrate that safety-related structures remain functional for short-term hydrostatic loads at plant grade and resist flotation (4.6.1). (7) Perform pipe break systems analysis, including fracture mechanics (4.9 and 4.18). (8) Perform a coordinated review of cable routing (4.9). (9) Perform analysis of pipe break outside containment systems (4.10 and 4.18). (10) Propose criteria and methodology, and perform analysis of the balance of safety-related piping and equipment (4.11). (11) Evaluate load combinations for reactor containment (4.12.2). (12) Evaluate the merits of the recommendeJ emergency core cooling system modifications (4.25.4, 4.32.2, and 4.32.5). (13) Assess adequacy of transformer settings on the basis of the results of the voltage monitoring program (4.29). (14) Analyze reliability of salt water cooling system (4.32.7). (15) Analyze steam generator overfill event for possible corrective measures (4.35). San Onofre 1 SEP xv l 

                                                                                    \

r i SAFETY IMPROVEMENTS REQUIRED BY THE STAFF AND TO WHICH THE LICENSEE DOES NOT AGREE The staff has determined that the following improvements or analyses are required, but the licensee either has not responded to or specifically disagrees with tha staff position. These issues are identified below and are discussed in the se:tions of the report given in parentheses. (1) Provide safe shutdown path that is protected from tornado missiles (4.8). (2) Provide automatic termination of injection flow on low tank level, and provide a backup to the single refueling water storage tank level indicator (4.24). TOPIC SAFETY EVALUATION REPORTS Copies of this report and the associated safety evaluation reports for the 89topicslistedinAppendixEareavailableforpublicinspectionattheNGC Public Document Room, 1717 H Street, N.W., Washington, D.C. 20555 and at p San Clemente Branch Library, 242 Avenida Del Mar, San Clemente, California e 92672. Copies of this report are also available for purchase from sources' indicated on the inside front cover. The review of the 89 topics was performed by the NRC staff and contractors listed in Appendix G. The members of the Integrated Assessment Team performing the integrated assessment of the 36 topics that did not meet current criteria are as follows: E. McKenna--Project Manager, Integrated Assessment, San Onofre Unit 1 W. Paulson--Sr. Project Manager, San Onofre Unit 1 M. Rubin--Risk Assessment Analyst A. D'Angelo--Resident inspector, San Onofre Unit 1 Ms. E. McKenna may be contacted by calling (301) 492-7468 or writing to the following address: E. McKenna Division of Licensing U.S. Nuclear Regulatory Commission Washington, D.C. 20555 San Onofre 1 SEP xyl

INTEGRATED PLANT SAFETY ASSESSMENT SYSTEMATIC EVALUATION PROGRAM SAN ON0FRE NUCLEAR GENERATING STATION, UNIT 1 1 INTRODUCTION

1.1 Background

In the late 1960s and early 1970s, the U. S. Atomic Energy Commission's (now . Nuclear Regulatory Commission) scope of review of proposed power reactor designs was evolving and somewhat less defined than it is today. The requirements for acceptability evolved as new facilities were reviewed. In 1967, the Commission published for comment and interim use proposed General Design Criteria for Nuclear Power Plants (G0C) that established minimum requirements for the princi-pal design standards. The GDC were formally adopted, though somewhat modified, in 1971, and have been used as guidance in reviewing new plant applicaticns since then. Safety guides issued in 1970 became part of the Regulatory Guide Series in 1972. These guides describe methods acceptable to the staff for implementing specific portions of the regulations, including certain GDC, and formalize staff techniques for performing a facility review. In 1972, the Commission distributed for information and comment a proposed " Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants," now Regulatory Guide 1.70. It provided a standard format for these reports and identified the principal information needed by the staff for its review. The Standard Review Plan (SRP, NUREG-75/087) was published in December 1975 and updated in July 1981 (NUREG-0800) to provide further guidance for improving the quality and uniformity of staff reviews, to enhance communication and understanding of the review process by interested members of the public and nuclear power industry, and to stabilize the licensing process. For the most part, the detailed accep-tance criteria prescribed in the SRP are not new; rather they are methods of review that, in many cases, were not previously published in any regulatory document. Because of the evolutionary nature of the licensing requirements discussed above and the developments in technology over the years, operating nuclear power plants embody a broad spectrum of desigr, features and requirements depending on when the plant was constructed, who was the manufacturer, and when the plant was licensed for operation. The amount of documentation that defines these safety-design characteristics also has changed with the age of the plant--the older the plant, the less documentation and potentially the greater the difference from current licensing criteria. Although the earlier safety evaluations of operating facilities did not address many of the topics discussed in current safety evaluations, all operating facili-ties have been reviewed more recently against a substantial number of ma;or safety issues that have evolved since the operating license was issued. Conclu-sions of overall adequacy with respect to these major issues (e.g., emergency San Onofre 1 SEP 1-1

core cooling system, fuel design, and pressure vessel design) are a matter of record. On the other hand, a number of other issues (e.g., seismic considera-tions, tornado and turbine missiles, flood protection, pipe break effects inside containment, and pipe whip) have not been reviewed against today's acceptance criteria for many operating plants, and documentation for them is incomplete.

1. 2 Systematic Evaluation Program Objectives The Systematic Evaluation Program (SEP) was initiated by the U. S. Nuclear Regulatory Commission (NRC) in 1977 to review the designs of older operating nuclear power plants in order to reconfirm and document their safety. The review provides (1) an assessment of the significance of differences between current technical positions on safety issues and those that existed when a particular plant was licensed, (2) a basis for deciding how these differences should be resolved in an integrated plant review, and (3) a documented evalua-tion of plant safety.

The original SEP objectives were: , (1) The program should establish documentation that shows how the criteria for each operating plant reviewed compare with current criteria on significant safety issues, and should provide a rationale for acceptable departures from these criteria. (2) The program should provide the capability to make integrated and balanced decisions with respect to any required backfitting. (3) The program should be structured for early identification and resolution of any significant deficiencies. (4) The program should assess the safety adequacy of the design and operation of currently licensed nuclear power plants. (5) The program should use available resources efficiently and minimize require-ments for additional resources by NRC or industry. The program objectives were later interpreted to ensure that the SEP also provides < safety assessments adequate for conversion of provisional operating licenses (POLS) to full-term operating licenses (FT0Ls). The final version of the inte-grated plant safety assessment report and 1 POL conversion safety evaluation report that will address the status of all appilcable generic activities (THI and USI), including those that formed the basis for deletion of specific SEP topics, will form a part of the basis for the Commission's consideration of the license conversion. Many of the plants selected for review were Ilcensed before a comprehensive set of licensing criteria had been developed. They include five of the oldest nuclear reactor plants and seven plants under NRC review for the conversion of POL 5 to FTOLs. The plants to be considered under the original Phase !! program were (1) Yankee (FTOL PWR) (2) Haddam Neck (FTOL PWR) (3) Millstone 1 (POL BWR) San Onofre 1 SEP 1-2

r (4) Oyster Creek (POL BWR) (5) Ginna (POL PWR) (FTOL conversion issued on December 10, 1984) (6) Lacrosse (POL BWR) (7) Big Rock Point (FTOL BWR) (8) Palisades (POL PWR) (9) Dresden 1 (FTOL BWR) (10) Dresden 2 (POL BWR) (11) San Onofre (POL PWR) In a press release dated August 31, 1984 (referenced in an NRC Daily Highlight issued on September 4, 1984), the Commonwealth Edison Company, licensee for Dresden Unit 1, announced that Dresden Unit 1 was being retired. Since the licensee was not planning to restart this plant, the NRC cancelled the SEP review of Dresden Unit 1. Therefore, the total number of plants being reviewed in Phase II is 10. 1.3 Description of Plant San Onofre Nuclear Generating Station, Unit 1, located in San Diego County near San Clemente, California, is a pressurized water reactor designed by the Wes-tinghouse Electric Company. The licensees are Southern California Edison Company and San Diego Gas and Electric Company. The architect / engineer is Bechtel Power Corporation. Two other pressurized-water reactors (San Onofre Units 2 and 3) are located on the site adjacent to Unit 1. The San Onofre site is situated on the Pacific Ocean (both Interstate 5 and the Atchinson, Topeka and Santa Fe Railroad run alongside the site). Southern California Edison, hereinafter referred to as the licensee, filed the

application for a construction permit on February 1, 1963. The construction permit was issued on March 2,1964. The initial submittal of the Final Safety Analysis Report was filed on November 12, 1965 and the initial provisional operating license was issued on March 27, 1967. The licensed thermal power rating is 1,347 megawatts-thermal (MWt).

The San Onofre Unit 1 primary coolant configuration consists of a reactor pressure vessel with three loops, each consisting of a hot-leg pipe delivering primary coolant to a U-tube (Series 27) steam generator with a reactor coolant pump in the cold-leg return. The pressurizer is connected to loop B by the surge line. The secondary system consists of the shell side of the steam generators, the steam piping to the turbine / generator, the condenser, and the condensate and feedwater piping and pumps returning feedwater to the shell side of the steam generator. Saturated steam is supplied to the turbine from the steam generators through a common horseshoe header which exits containment in two lines and then passes throu0h stop and governor valves. The steam flows through a high pressure turbine and four moisture separator-reheaters to the two low pressure turbines that exhaust to the main condenser. Turbine control is provided by an electro-hydraulic control. The main feedwater system consists of two electric-driven feedwater pumps that receive suction from the condensate pump discharge through the low pressure San Onofre 1 SEP 1-3

f-i heaters. The electric condensate pumps take suction off the main condenser hotwell. The feedwater pump flow is directed through the high pressure heaters, through the regulating valves, and to the steam generators. Reactor containment (1,210,000-ft3 net free volume) is provided by a 140-ft-diameter sphere which extends 40 ft below grade. It is supported by a concrete cradle between the steel shell and the soil. A concrete structure inside the sphere provides support and shielding for the equipment. A double-doored person-nel lock, a double-sealed equipment door, and an emergency escape hatch supply access to the containment. During 1976, a sphere enclosure building was con-structed which surrounds L5e containment and is a reinforced concrete structure with a 3-f t-thick cylindrie al wall and an arched composite roof consisting of 

;                        sloping steel beams and an 18-in, concrete slab. Other plant improvements made at that time included a new onsite emergency power system and diesel generator j                         building and associated modifications to the emergency core cooling system (ECCS).

1.4 Summary of Operating History and Experience San Onofre Nuclear Generating Station, Unit 1, received its provisional opera-ting license on March 27, 1967, achieved initial criticality on June 14, 1967, and began commercial operation on July 17, 1967. The reactor has a licensed thermal power rating of ],347 FWt and a design electric rating of 436 megawatts- ! electrical (MWe). i 1.4.1 Su.nmary of'0ak Ridge Naticaal Laboratory Report (March 27, 1967, through i December 31, 1981) , Presented below is a summary of the operating history of San Onofre Unit 1 from ! March 27, 1967, through December 31, 1981. Appendix F contains the full details of this history. l 1.4.1.1 Introduction Reactor availability at San Onofre Unit 1 for the period 1967 through 1981 was 68.3%. Reactor availability was above 70% except for 1968, 1973, 1977, 1980, ! and 1981. In these years the unit experienced extended shutdowns. In 1968, the

plant was shut down for 6 months because of a cable fire. A turbine blade j failure in 1973 required a 2-1/2-nonth shutdown for repair. Reactor coolant i pump and steam generator tube inspections, along with steam generator tube i plugging, required a 1-month shutilown in 1977. Steam generator tube repair also caused an 11-month shutdown for repair beginning in July 1980, resulting l

in the relatively low availability achieved in 1980 and 1981. The operating history review focused on data evaluation that was divided into

two segments: (1) evaluation of forced shutdowns and power reductions and
(2) evaluation of reportable events. Design-basis events (DBEs), which are i

defined in the Standard Review Plan (NUREG-0800), are failures that initiate system transients and challenge engineered safety features. In the forced shutdown and power reduction segment, the review identified DBEs and recurring ovents that indicate a potential operating concern. In the reportable event segment, which included environmental events and radiological release events, the review identified significant events and recurring events that indicate a i potential operating concern. Significant events were either DBEs or events with [ a loss of engineered safety function. San Onofre 1 SEP l-4 

                                                          '1.4.1.2 forced Shutdowns and Power Reductions                                                                       j Of the 154 forced shutdowns and power reductions at San Onofre Unit 1 between                                     ;

1967 and 1981, 27 were identified as DBEs of one of the following types: 1 (1) control rod maloperation (12)  ! (2) turbine trip (5) (3) increase in feedwater flow (4) + (4) loss of external electrical load (4) (5) loss of normal feedwater flow (1) (6) reactor coolant pump trip (1) l Of these 27 events, 21 resulted from equipment failure, 5 from personnel errors, and 1 from an offsite power disturbance. San Onofre Unit I has experienced an average of less than two DBEs per year with no discernible trend in the frequency with which DBEs have occurred. Control rod I maloperation caused 12 of the 27 DBEs. All 12 involved dropped control rods and occurred between 1967 and 1977, with 4 events occurring in 1968 and 3 in 1977. The problem has not occurred since 1977, 1.4.1.3 Reportable Events , In the reportable event segment of the operating review of San Onofre Unit 1, 327 events were examined. From 1967 through 1974, an average of 17 events per year was recorded; from 1975 to 1981, the average was 27 events. The increasing number of events reported can be attributed in part to events concerning steam generator and condenser tube leakage. The cause of the majority of the reportable events at San Onofre Unit I was inherent equipment failure (60%). Human error (including administrative, design, fabrication, installation, maintenance, and operator error) caused another 35% of the events. Other causes including weather, minor earthquakes, and offsite brush fires accounted for the remaining 5% of the events. Of the 237 events reviewed, 23 were identified as significant and are categorized as (1) lossofsafetyinjectionsystemfunction(3) (2) loss of salt water cooling flow (1)  ; (3) loss of offsite power (5)  ! (4) loss of emergency ac power supply (3) i

5) feedwater supply transients (3)
6) cable tray fires (2) ,
7) lossofboricacidinjectionpath(2)  ;

(8) failure of instrumentation channels caused by flooding (2)  ! (9) turbine overspeed (2) t  ! The first two types of significant events are discussed in this summary.  !

Two potential losses of safety injection function and one failure to actuate  !

safetyinjectionondemandhaveoccurredatSanOnofreUnit1. In 1967, 1 month before power operation, both safety injection recirculation pumps were declared inoperable. Moisture penetration of the motor windings caused both pumps to i I San Onofre 1 SEP 1-5

i fail resistance testing. The openings to the windings were sealed to prevent recurrence. In 1975, the licensee reported a potential single failure that would cause loss of at least a portion of the flow from both safety injection trains. Failure of either of the two safety injection pumps' discharge valves could a110w safety injection flow from both pumps to be routed to the steam generator rather than to the reactor coolant system. Administrative controls were established to pro-tect against such a failure, and subsequently extensive modifications corrected the problem. On September 3, 1981, a voltage regulator failure caused erratic instrument readings leading to a manual reactor trip. In the transient following the trip, safety injection actuation occurred as a result of a decrease in reactor coolant system (RCS) pressure. However, operators discovered that both the safety injec-tion valves had failed to open. Because the RCS pressure never dropped to the discharge pressure of the safety injection pumps, safety injection system flow would not have occurred even if the valves had opened. However, the valve failures affected both trains of safety injection. A design evaluation and further testing determined that the valves would not open against the design differential pressure. Design changes were evaluated and implemented to correct the problem. Augmented surveillance testing of these valves was also instituted. , On March 10, 1980, while operating at 100% power, San Onofre Unit I experienced a complete loss of flow from the salt water cooling system. The salt water cooling system is the ultimate heat sink for the component cooling water (CCW) system, which serves to cool certain safety-related equipment. The event involved a triple failure consisting of (1) shearing of the south salt water cooling pump shaft, (2) failure of the north salt water cooling pump discharge valve to open, and (3) failure of the auxiliary salt water cooling pump air priming system. As a result, the plant was totally without salt water cooling flow for 10 minutes, at which time an operator cross connected the screen wash pumps to provide salt water flow to a CCW heat exchanger. This limited the CCW temperature rise from 66*F to 82'F in the 10 minutes and brought the equilibrium temperature down to 70 F. The screen wash pumps are not classified as safety-related equipment. At 41 minutes into the event, the auxiliary salt water cooling pump was restored to service and flow through it to an inservice CCW heat exchanger began 17 min-utes later. Throughout the event, the unit remained at or near full power. A power reduction was initiated at first, but then stopped with only a 3-MW power decrease. The NRC cited the plant for two Technical Specification violations in this event. Although not in the original time frame for this examination of operating experience, three more events involving the salt water cooling system occurred in 1982 and are discussed here. On May 13, 1982, a complete loss of salt water cooling system flow occurred during maintenance. During this event, the unit was in cold shutdown. The event was caused by flooding of the intake structure as a result of inadequate maintenance procedures. On August 13, 1982, flow from the operable north salt water cooling pump was diverted through the idle south pump. This occurred as a result of unexpected opening of the south pump's discharge valve. An operator immediately closed the valve, and no observable reactor coolant system temperature increase occurred. On August 19, 1982, with 1 San Onofre 1 SEP 1-6

the south salt water cooling pump still out of service, the north pump had to be removed from service because of a smoking motor bearing. Necessary flow to the CCW heat exchangers was maintained by the auxiliary salt water cooling pump. These events are discussed further in Section 4.32. 1.4.1.4 Recurring Events In addition to individual events considered significant, there are five areas in which problems have recurred at San Onofre Unit 1 over portions of the opera-ting history. The problem areas were (1) inverter failures and losses of vital bus power (2) -steam generator leaks (3) dilution of primary coolant (4) tsunami gate closure (5) erroneous control rod indications There have been 21 occurrences of momentary loss of vital power, causing 5 shut- , downs and 9 power reductions. These events occurred from 1969 to 1979, with all i but one of the vital power interruptions due to inverter failures.  ! After the first 5 years of operation, steam generator tube leakage became a problem. Beginning in 1972, steam generator tube leaks began recurring, causing 9 forced shutdowns and 17 reportable events. Steam generator tube leakage problems and required repairs were the reason for the 11-month shutdown that began in July 1980. On four occasions, dilution of the primary coolant system resulted in reduced l boron concentration. The first of these events was due to secondary-to primary system leakage during tube plugging. Another secondary-to primary leakage that resulted in boron dilution was caused by a leaking block valve in the feedwater

system. The remaining two dilution events occurred because water was added to  ;

the primary system during decontamination of equipment. On three occasions, San Onofre Unit I has experienced inadvertent closure of 

                                                                                            ~

the tsunami gate, the salt water intake stop gate. These events occurred in

1967, 1968, and 1969 and were caused by a shorted limit switch, rupture of '
the accumulator reservoir tank, and failure of the gate's annular bolts, i respectively.

1.4.2 Operating Experience, January 1982 Through November 1984 i i On February 27, 1987, San Onofre Unit I was shut down for a scheduled 14-week outage so that the steam generators could be inspected and seismic modifica- , l tions to the turbine deck could be made. As part of the seismic reevaluation  ! of San Onofre Unit 1 under SEP, the staff concluded in a meeting on May 20, 1982, that because of the high stresses calculated in the seismic reevaluation, the  ! licensee needed to provide information that demonstrates that the facility meets l' j its Itcensed design basis before the plant would be permitted to restart. i In letters dated June 15 and 24, 1982, the licensee proposed a program to upgrade  ; the plant to current seismic design criteria rather than expend resources to ' evaluate the design against the original design criteria. That commitment was  ; confirmed by an order issued on August 11, 1982, which required that the licensee ' l l- San Onofre 1 $EP 1-7 1

maintain Unit 1 in a shutdown condition until the modifications were complete and NRC approval was obtained for restart. The plant was maintained in a shut-down condition until November 21, 1984, when the NRC issued authorization for resumption of power operation. The seismic design issue is ciscussed further in Section 4.11. 1.4.3 Regulatory Performance, June 1, 1983, Through September 30, 1984 An NRC report, issued on February 7, 1985, presented the findings of NRC's Systematic Assessment of Licensee Performance (SALP) of Southern California Edison Company, conducted in accordance with NRC Manual Chapter 0516. That review included an assessment of the licensee's performance with the objective of improving regulatory programs and was based on activities during the period from June 1, 1983, tarough September 30, 1984. The SALP board concluded that the licensee's operational and regulatory performance was acceptable and directed toward safe operation. The SALP board's conclusions for each of the functional areas were categorized as follows: Category 1 Reduced NRC attention may be appropriate. The attention and involvement of the licensee's management are aggressive and oriented toward nuclear safety; the licensee's resources are ample and effectively used so that a high level of performance with respect to operational safety or construction is being achieved. Category 2 NRC attention should be maintained at normal levels. The attention and involve-ment of the licensee's management are evident and are directed toward nuclear safety; the licensee's resources are adequate and are reasonably effective so that satisfactory performance with respect to operational safety or construc-tion is being achieved. Category 3 Both NRC and licensee attention should be increased. The attention and involve-ment of the licensee's management are acceptable and are directed toward nuclear safety, but weaknesses are evident; the licensee's resources appear strained er not effectively used so that minimally satisfactory performance with respect to operational safety and construction is being achieved. The SALP report addressed licensee performance with respect to all three San Onofre units. The overall ratings for the functional areas at the San Onofre site were as follows: Category 1: (1) quality programs and administrative controls (2) emergency preparedness (3) security and safeguards (4) startup testing (Unit 3) (5) maintenance San Onofre 1 SEP 1-8

Category 2: . (1) fire protection . (2) radiological controls t 

     -(3) surveillance (4) licensing activities.

(5)' plant operations-The refueling functional area was not applicable during the review period. From June 1, 1983, through September 30, 1984, the licensee event report (LER) system identified 14 reportable events for San Onofre Unit 1. Most of these events were not of major significance. One LER of particular interest is LER 84-008, which documents degradation of the intake structure reinforcing steel due to corrosion. To restore the structural capacity of this structure, steel plates were bolted to the walls. Cathodic protection is also provided (see also Section 4.7). t I San Onofre 1 SEP 1-9

2 REVIEW METHOD 2.1 Overview The Systematic Evaluation Program (SEP) review procedure represents a departure from the typical NRC staff reviews conducted to support the granting of a con-truction. permit or operating license for a new facility or a license amendment for an operating facility. A typical licensing review starts with the submittal by the utility of a safety analysis report (SAR) that describes the design of the proposed plant. The staff reviews the SAR on the basis of the Standard Review 

 ' Plan (SRP), Regulatory Guides, and Branch Technical Positions (found in the SRP) that constitute current licensing criteria. The guidelines in the SRP represent acceptable means of complying with licensing regulations specified in Title 10 of the Code of Federal Regulations (10 CFR).

The SEP was initiated by the NRC, and not by the licensee as part of an appli-cation for a license or request for a license amendment. The SEP procedure involves several phases of data gathering and evaluation so that an integrated assessment of the overall plant safety can be made. The various phases and their interrelationships are described below. 2.2 Selection of Topic List A list of significant safety topics was derived from existing safety issues during Phase I of the program. More than 800 items were considered in the development of the original list; however, a number of these were found to be duplicative in nature or were deleted for other reasons. Categories of topics that were deleted for other reasons are (1) those not normally included in the review of light-water reactors, (2) those related either to research-and-development programs or to the development of analytical evaluation models and methodology, and (3) those that are reviewed on a periodic basis in accordance with current criteria (e.g., fuel performance). The topics retained numbered 137; these were arranged in groups corresponding to the organization of the SRP. A " definition" was prepared for each topic to ensure a common understanding. This definition plus a statement of the safety objective for the review and the status of the review at that time is contained in Appendix A for ease of reference. During the course of this review, the number of topics that applied to all plants was reduced further because some topics were being reviewed generically under either the Unresolved Safety Issues (USIs) program or the Three Mlle Island (TMI) HRC Action Plan (NUREG-0660); also, dupilcates found within the SEP topics were deleted. Appendix B shows these topics along with the corresponding USI, TMI task, or SEP topic referenced. The basis for deletion appears in Appendix A under the Individual topics. Plant-specific deletions other than those common to all SEP plants were made to account for nonapplicability of particular topics to San Onofre Unit 1. The plant-specific topics that were removed for San Onofre Unit 1 and the basis for deletion are shown in Appendix C. San Onofre 1 SEP 2-1 

 'For San Onofre Unit 1, this deletion process resulted in 89 topics from the original topic list that formed the SEP review for San Onofre. The final list
 -of 89 topics that were reviewed appears in Section 3.1.
 .The milestones in the review of the SEP and the San Onofre Unit 1 plant are shown in Table 2.1.

2.3 ' Topic Evaluation Procedures Each SEP topic in Section 3.1 was reviewed to determine'whether the corresponding plant design was consistent with current licensing criteria such as regulations, guides, and SRP review criteria, or the equivalent of such criteria. Safety evaluation reports (SERs) for all 89 topics were issued to document the compar-ison with current licensing criteria and to identify potential areas for plant 

                                                                ~

modifications or. changes to plant Technical Specifications or procedures. Ref-erences for letters regarding the individual topic SERs are contained in Appen-dix E. These documents describe the detailed evaluations where conclusions are summarizs.d in this report. Topics were evaluated by one of two methods: (1) The MC staff reviewed and formally issued an SER to the licensee. This SER wts termed a draft because it was only one input element to the evalua-tion. The purpose of the draft SER was to verify the factual accuracy of 

                                                 ~

the described facility and to allow the licensee to identify possible alternite approaches to meeting the current licensing criteria. After a review of the licensee's comments on the draf t SER, factual changes were incorporated as needed, proposed 1titernatives were reviewed, and the SER was isst.ed in final form. (2)' The licensee submitted a safety analysis report, and the staff issued a final SEE based on a review of this submittal. After completion of the topic evaluation, the disposition of each topic was grouped according to one of the following results: (1) The plant is consistent with current licensing criteria and tFe topic re-view is considered complete. If the plant does r.ot meet current licensing criteria, but the present design is equivalent to current criteria, the topic is also considered complete. A justification for this conclusion is provided in the topic SER. The topics in this category are identified in Section 3.1 of this report by an asterisk. (2) The plant is not consistent with current licensing criteria, but the licensee has implemented design or procedural changes that the staff finds acceptable. Although the licensee committed to certain desigt or procedural changes during the course of the topic reviews for San (nofre Unit 1, and in some cases these measures were implemented, none of the topics were completely resolved by these commitments. (3) The plant is not consistent with current licensing criteria, and the dif-ferences from these criteria are to be evaluated as potential candidates for modifications. If the staff determines the difference is of immediate San Onofre 1 SEP 2-2

a I 3 safety significance, action is taken to resolve the issue promptly. If " the difference is not of immediate safety significance, the resolution is deferred to the integrated plant safety assessment to obtain maximum  ; benefit from coordinated and integrated backfitting decisions. The SEP m evaluation of all 89 topics led to the conclusion that 36 topics were not - consistent with current licensing criteria. All of these topics were considered in the integrated safety assessment and appear in Section 4. , The only one of the 36 topics found not to be consistent with current li-censing criteria and to be of immediate safety significance requiring - prompt action, is the capability of the plant to withstand a seismic event. g As part of the seismic reevaluation of San Onofre Unit 1 conducted under SEP, the staff concluded that because of high calculated stresses, the y j plant would not be permitted to restart from its then current outage in 1982, until the licensee could demonstrate that the plant meets its licensed  ? design basis. The licensee proposed a program to upgrade the plant to current seismic design criteria. As discussed later, the staff has deter- { ^ mined, based on its review of modifications to the facility and analyses ' submitted by the licensee, that continued operation of Unit 1 is acceptable - pending completion of the seismic upgrading program. Further details of T l this prompt action are provided in Sections 1.4.2 and 4.11. 

                                                                                       ]

2.4 Integrated Plant Safety Assessment O The objective of the integrated plant safety assessment is to make balanced and d integrated decisions on the application of current licensing criteria to SEP Factors considered important in reaching those decisions include facilities. - safety significance, radiation exposure to workers, and, to a lesser extent, implementation impact and schedule. i j A meeting was held with the licensee to discuss these factors as they related to the differences identified during the SEP review between actual facility design and current licensing criteria and to obtain the licensee's views on a safety significance and possible corrective actions. These factors were considered in reaching a decision on plant modifications and - are discussed in Section 4 for each identified difference between actual facility [ 

   ' ,gn and current licensing criteria. Because these factors sometimes rely on  ,

judgment, risk assessment techniques were used to the extent possible to supple- = ment the staff's judgments concerning safety significance. The probabilistic _ risk assessment (PRA) performed by Science Applications, Inc., along with com- 1 ments by the staff, appears in Appendix D. For reasons given in Appendix 0, only certain topics could be readily analyzed by a PRA. Of the total number of topics [ E considered in the integrated assessment, 17 were evaluated using PRA techniques. 

                                                                                     ]

h 1 1 5 2 1 0 San Onofre 1 SEP 2-3 

                                _ _ . _ _ _ . . ~ . . . ' ' '_ . , , .

Table 2.1 Topic list selection and resolution ORIGINAL PHASE I TOPIC LIST 800 Many of these topics were deleted because they were duplicative in nature, - were not normally included in the review of light-water rea;: tors, were related to research-and-development programs, or were reviewed on a periodic basis in I accordance with current criteria. FINAL LIST OF PHASE I TOPICS REVIEWED DURING PHASE II 137 (see Appendix A) Of the 137 topics, 24 were deleted because they were being reviewed generically under either the Unresolved Safety Issues (USIs) program or the Three Mile Island (TMI) NRC Action Plan (see Appendix B). k REMAINING TOPICS AFTER DELETION OF USIs AND TMI-RELATED TOPICS 113 t Of the remaining 113 topics, 24 were deleted because the topics did not apply r to San Onofre Unit 1 (see Appendix C). FINAL NUMBER OF TOPICS REVIEWED FOR SAN ON0FRE UNIT 1 89 (see Section 3.1 and Appendix E) t - TOPICS THAT MET CURRENT CRITERIA OR WERE ACCEPTABLE ON ANOTHER DEFINED BASIS 53 -(see Section 3.1) k TOPICS THAT MET CURRENT CRITERIA OR WERE ACCEPTABLE ON ANOTHER DEFINED BASIS AFTER MODIFICATIONS MADE DURING TOPIC REVIEW 0 t TOPICS CONSIDERED FOR BACKFIT IN THE INTEGRATED ASSESSMENT s 36 (see Table 4.1 and Sections 4.1-4.36) l r i San Onofre 1 SEP 2-4 E'

v 3 TOPIC EVALUATION

SUMMARY

         '3.1   Final San Onofre Unit 1-Specific List of Topics Reviewed Listed below are the 89 topics that were reviewed for San Onofre Unit 1. The topics with asterisks are those for which the plant meets current criteria or was acceptable on another defined basis.

TOPIC- TITLE II-1.A* Exclusion Area Authority and Control II-1.B* Population Distribution 

         .II-1.C          Potential Hazards or Changes in Potential Hazards Due to Trans-portation, Institutional, Industrial, and Military Facilities II-2.A*         Severe Weather Phenomena II-2.C*         Atmospheric Transport and Diffusion Characteristics for Accident Analysis II-3.A*         Hydrologic Description II-3.8          Flooding Potential and Protection Requirements II-3.B.1*       Capability of Operating Plant To Cope With Design-Basis Flooding L                        Conditions II-3.C*         Safety-Related Water Supply (Ultimate Heat Sink (UHS))

II-4* Geology and Seismology [II-4.A* Tectonic Province l II-4.B* Proximity of Capable Tectonic Structures in Plant-Vicinity 

         .II-4.C*         Historical Seismicity Within 200 Miles of Plant II-4.D*         Stability of Slopes II-4.F          Settlement of Foundations and Buried Equipment l

L III-l Classification of Structures, Components, and Systems (Seismic and Quality) III-2 Wind and Tornado Loadings 

     ,    III-3.A         Effects of High Water Level on Structures San 0nofre 1 SEP                         3-1 1

 ' TOPIC                 TITLE
  -III-3.C              -Inservice Inspection of Water Control Structures III-4.A             Tornado Missiles III-4.B*           -Turbine Missiles III-4.C*            Internally Generated Missiles-III-4.D*-           Site-Proximity Missiles (Including Aircraft)
   -III-5.A              Effects of Pipe Break on Structures, Systems, and Components Inside Containment III-5.B             Pipe Break Outside Containment

. III-6 Seismic Design Considerations III-7.B Design Codes, Design Criteria, Load Combinations, and Reactor Cavity Design Criteria III-7.0 Containment Structural Integrity Tests III-8.A Loose-Parts Monitoring and Core Barrel Vibration Monitoring III-8.C* Irradiation Damage, Use of Sensitized Stainless Steel, and Fatigue Resistance III-10.A Thermal-Overload Protection for Motors of Motor-0perated Valves III-10.B Pump Flywheel Integrity IV-1.A* Operation With less Than All Loops In Service 

     -IV-2                Reactivity Control Systems Including Functional Design and Protection Against Single Failures V-5                 Reactor Coolant Pressure Boundary (RCPB) Leakage Detection V-6*                Reactor Vessel Integrity V-7*                 Reactor Coolant Pump Overspeed
     -V-10.A               Residual Heat Removal System Heat Exchanger Tube Failures V-10.B*-             Residual Heat Removal System Reliability V-11.A              Requirements for Isolation of High- and Low-Pressure Systems V-11.B              Residual Heat Removal System Interlock Requirements San Onofre 1 SEP                              3-2

TOPIC TITLE VI-l' Organic Materials and Postaccident Chemistry i VI-2.D* Mass and Energy-Release for Postulated Pipe Break Inside Containment VI-3* -Containment Pressure and Heat Removal Capability ' VI-4 Containment. Isolation System  ! 

         'VI-6*          Containment Leak Testing VI-7.A.1*      Emergency Core Cooling System Reevaluation To Account for Increased Reactor Vessel Upper-Head Temperature VI-7.A.3*      Emergency Core Cooling System Actuation System VI-7.B         Engineered Safety Features Switchover From Injection to Recir culation Mode (Automatic Emergency Core Cooling System Realign ment)
        .VI-7.C*         Emergency Core Cooling System (ECCS) Single-Failure Criterion   i and Requirements for Locking Out Power to Valves, Including
                       . Independence of Interlocks on ECCS Valves VI-7.C.1*      Appendix K--Electrical Instrumentation and Control Re-Reviews VI-7.C.2       Failure Mode Analysis (Emergency Core Cooling System)

[ -VI-7.0* Long-Term Cooling Passive Failures (e.g., Flooding of Redundant Components) j-L -VI-10.A Testing of Reactor Trip System and Engineered Safety Features, Including Response-Time Testing VI-10.B* Shared Engineered Safety Features, .Onsite Emergency Power, and' Service Systems for Multiple Unit Facilities VII-1.A Isolation of Reactor Protection System From Nonsafety Systems, Including Qualification of' Isolation Devices 1VII-1.B* Trip Uncertainty and Setpoint Analysis Review of Operating Data Base VII-2*- Engineered Safety Features System Control Logic and Design g VII-3 Systems Required for Safe Shutdown VM-6* Frequency Decay VIII-1. A Potential Equipment Failures Associated With Degraded Grid Voltage m San Onofre 1 SEP 3-3

TOPIC TITLE VIII-2* ;0nsite Emergency Power Systems (Diesel Generator) VIII-3.A* Station Battery Capacity Test Requirements VIII-3.B OC Power System Bus Voltage Monitoring and Annunciation VIII-4 Electrical Penetrations of Reactor Containment IX-1* Fuel Storage IX-3 Station Service and Cooling Water Systems 

     .IX-4*         Boron Addition System (PWR)

IX-5 Ventilation Systems IX-6 Fire Protection XIII-2* Safeguards / Industrial Security 

   'XV           Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve
    -XV-2           Spectrum of Steam-System Piping Failures Inside and Outside Containment (PWR)

XV-3* Loss of External Load, Turbine. Trip, Loss of Condenser Vacuum, Closure of Main Steam Isolation Valve (BWR), and Steam Pressure Regulator Failure (Closed) 

   .XV-4*           Loss of Nonemergency AC Power to the Station Auxiliaries XV-5*          Loss of Normal Feedwater Flow
                                                                      ~

l XV-6* Feedwater System Pipe Breaks Inside and Outside Containment'(PWR) XV-7* Reactor Coolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break l XV-8* Control Rod Misoperation (System Malfunction or Operator Error) XV-9* Startup of an Inactive Loop or Recirculation Loop at an Incorrect l Temperature, and Flow Controller Malfunction Causing an Increase

in BWR Core Flow Rate XV-10* Chemical and Volume Control System Malfunction That Results in a Decrease in Boron Concentration in the Reactor Coolant (PWR)

XV-12* Spectrum of Rod Ejection Accidents (PWR) l San Onofre 1 SEP 3-4 L

W , 7 

     =
               -TOPIC.               ' TITLE

[XV-14*' . Inadvertent Operation of Emergency Core-Cooling System.and.Chemi- 

                                     . cal and Volume Control System Malfunction That Increases Reactor Coolant Inventory
                -XV-15*'               Inadvestent.0pening of a PWR Pressurizer Safety / Relief Valve or a
                                     -BWR Safety / Relief Valve
               " X'V- 16*              Radiological Consequences of. Failure of Small Line Carrying
                                     ' Primary. Coolant Outside Containment                                          ,
               "XV-17*               . Radiological Consequences'of Steam Generator Tube Failure.(PWR)
               'XV-19*               ' Loss-of-Coolant- Accidents' Resulting From Spectrum of Postulated Piping Breaks Within the Reactor Coolant Prsssure' Boundary.

XV-20* ' Radiological Consequences of Fuel-Damaging Accidents-(Inside and Outside Containment) XVII

  • Operational Quality Assurance Programt
               '3.2        Topics ~for Which Plant Design Meets Current Criteria or Was Acceptable on Another Defined Basis-As. listed in Section 3.1.

L3.3 Topics for Which Plant Design-Meets Current Criteria'or Equivalent Based on Modifications Implemented by the Licensee As described in Section 2.3; although the licensee committed to certain design 

                   ~                                                                               ~

and procedural changes during the course-of the topic reviews, none of the topics wereicom'pletely resolved by these commitments. As 'a result of SEP reviews, TMI- requirements, or generic, issues, the following 

               . modifications have been made to San Onofre Unit 1. Additional modifications or analyses,'as identified in Section 4 of_this report, will be required to resolve the:open items.

(1) .'insta11ation'of' grade beams under 480-V room slab and under. auxiliary feedwater pumps to' span backfill. soils (Topic ~II-4.F, Section 4.3) (2)'. seismic upgrades to safety-related structures and to equipment, piping, 

                                                                                                     ~
                          .and supports needed to maintain hot standby condition for 0.67g modified LHo'usner spectrum earthquakes (Topic'III-6, Section 4.11).
          - c
                -1The Operational Quality Assurance Program was reviewed according to the cri-teria.specified for-operating reactors in 1974 (see Appendix A).                                                NRC is cur-
                 -rently evaluating all aspects'of Nuclear Power Plant Quality Assurance. Pro-grams.      .

Additional review of this issue will be performed outside the context 

                 .of.the SEP.
               ' San ~0nofre-1 SEP.-                                                  3-5 u_            _     1.__--______1____        _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _     ______       _ _ _ _ _ _ _ . _ _ _ = - - - _ _ _ _ _ _ _ _ _ _ _

 -(3) surveillance and operability requirements for component. cooling water system radiation monitor (Topic V-10. A, Section 4.19.1)

(4) independent verification of correct valve position of motor-operated valves in the safety' injection system after testing (Topic V-11.A, Section 4.20.2) (5) inspection and repairs of containment' coatings (Topic VI-1, Section 4.22) (6) Technical Specifications implemented to maintain. purge valves locked closed when,above the cold shutdown mode (Topic VI-4, Section 4.23.1.1) (7) installation of new auxiliary feedwater storage tank, new parellel suction- 

       . paths (Topic VII-3, Section 4.28.2)

(8) modification of transformer tap settings based on voltage distribution. study (Topic VIII-1.A, Section 4.29) (9) removal.of tsunami gates (Topic IX-3, Section 4.32) (10) installation of check valves in the saltwater cooling system discharge and removal of air operators from discharge isolation valves (Topic IX-3, Section 4.32.7) 

 '(11) installation of non-safety-related ventilation systems in the switchgear rooms (Topic IX-5, Section 4.33.2)

J San Onofre 1 SEP 3-6

e  : 4 s 

  ]
       -4 ' INTEGRATED ASSESSMENT

SUMMARY

Table 4.1 shows the' list of topics' considered.in the integrated assessment, whether-Technical Specification requirements or modifications are needed, and whetherfor.not the' licensee proposes to modify San Onofre Unit 1. A more de-' 

        ; tailed description offeach. topic with identified differences follows.
        ' Implementation schedules have not'been yet completed by the licensee. This is consistent with the current status of the staff's~ integrated assessment review.

The licensee will be requested to complete implementation schedules for all plant modifications and procedure revisions following review by the Advisory. Committee on Reac_ tor Safeguards (ACRS) of this draft Integrated Plant Safety Assessment Report (IPSAR). Any_ proposed changes to the. San Onofre Unit 1 Tech-inical-Specifications resulting from recommendations in the SEP integrated assess-

ment'should be submitted within 90 days after the. issuance of the final IPSAR.

Implementation schedules and any requirements for preimplementation design review by the~ staff will be identified in the final IPSAR for San Onofre Unit 1. The differences from current licensing criteria identi*ied in this section were derived from the safety evaluation reports referenced in Appendix E. A limited-probabilistic risk assessment (PRA) has been performed for 17 of-the SEP topics with identified differences from current licensing criteria. This limited PRA is presented in Appendix D~and is based on issue-specific models developed from PRAs for similar plants and global insights from all PRA'experi-ence. This risk perspective has been used to judge the importance.of the iden-tified differences in relation to accident sequences leading to core melt, with Ldue consideration of the uncertainties in.the PRA techniques. In addition, the 

       ~ licensee has performe'd an integrated assessment, submitted by letters dated i      JJanuary 19, February 24, March 30, and.May 7,-1984, and has proposed corrective actions to resolve those issues considered significant.
      .The licensee's submittals have been evaluated by the staff and together with
       .the limited PRA results have been used as input to this integrated plant safety
           ~

assessment. Where the li.censee's proposed corrective actions are consistent with or equivalent to curre'nt licensing criteria, they constitute the basis for 

      'the staff's acceptance.- The-remaining issues were evaluated using the~ process-
described in Sectio'n 2.4.

L 4.1 Topic II-1.C, Potential Hazards or Changes in Potential Hazards Due to l Transportation, Institutional, Industrial, and Military Fac-ilities 110 CFR 50, Appendix A, General Design Criterion (GDC) 4, as implemented by SRP Section 2.2, requires,-in part,- that structures, systems, and components 

       'important to safety be -appropriately protected from dynamic effects that may result from events and conditions outside the nuclear power unit. Offsite

. . hazards that have the potential for causing onsite accidents leading to the releases of.significant quantities of radioactive fission products should have a sufficiently low probability of occurrence so that they are within the scope L of-the criterion of 10 CFR 100.10. San Onofre'l SEP 4-1 i f L: n

4.1.1 Overpressure From Explosions At San Onofre Unit 1, the frequency of exceeding an overpressure on the site of 0.5 psi (capacity of reactor auxiliary building (RAB)) from explosions on the nearby railroad or highway is calculated to be 4.5 x 10 1 per year. This exceeds 

 ;the current acceptance criteria in SRP Section 2.2. The acceptance criteria in SRP Section 2.2. state that if the risk is in excess of the 1 x 10-6 per year guideline, qualitative arguments demonstrating the conservatisms of the analysis can be made to show that the realistic risk is lower and, therefore, acceptable.

As stated in the staff's safety evaluation forwarded by letter dated May 3, 1983, the licensee's analysis includes sufficient conservatisms so that the risk is judged to be substantially lower than 4.5 x 10-6 per year and thus modifications of plant structures are not warranted. 4.1.2 Frequency of Shipments Highway shipments of munitions and flammable gases, such as liquid propane gas, are the predominant contributors to the overpressure hazard. Data were collec-ted for the San Onofre Units 2/3 license review and were submitted for review for Unit 1 on November 12, 1981. Because of the sensitivity of the results of the analysis to the frequency of shipments, the staff concluded in the topic evaluation that the licensee should update these frequencies to ensure that the analysis assumptions remain applicable. By letter dated October 31, 1983, the licensee noted that information on hazard-ous shipments past the site is required by the Unit 2/3 Technical Specifications to be collected and provided to the NRC every 3 years. This information was submitted on December 5, 1984. The licensee's report concluded that neither the : frequency of shipment nor types of hazardous materials have changed signifi-cantly. The staff concludes that these licensee actions are sufficient to address this concern and considers this issue to be resolved. 

 . 4.1. 3 Toxic Gases The staff in its topic evaluation concluded that the probability of toxic gases, from transportation. sources, being swept into the control room air vent in any 1 year period is approximately 5 x 10-6 The staff has also noted that there is onsite-storage of toxic materials.      Presently, no automatic. isolation of the control. ventilation system is provided. Current criteria require redundant ventilation systems for the control room.      The existing single-train ventilation system occupies most of the space in a room in the control building; therefore, installation of a redundant train would require substantial structural modifi-cations. Consequently, the staff recommended that the licensee perform an evalu-ation of the control room ventilation system, which would include a cost-benefit study of various system improvements to provide protection from both toxic gases and radioactivity (TMI Action Plan item III.D.3.4) with emphasis on the reliability of active components in the system.      By letter dated November 14, 1984, the licensee submitted a study of various improvements; none of the alternatives were determined to be cost effective. Installation of the toxic gas monitors is still being considered, however, since this option offered the greatest risk reduction contribution. The licensee's submittal is currently under staff review, and the staff conclusions for this issue will be reported I    in the final IPSAR.

l San Onofre 1 SEP 4-2 L

4.2 Topic II-3.A, Hydrologic Description; Topic II-3.B. Flooding Potential and Protection Requirements; Topic II-3.B.1, Capability of Operating Plants To Cope With Design-Basis Flooding Conditions; and Topic II-3.C, Safety-Related Water Supply (Ultimate Heat Sink (UHS)) 

                                                  ~

4 10 CFR~50 (GDC 2), as implemented by SRP Sections 2.4.2, 2.4.5, 2.4.10, and 2.4.11 and _ Regulatory Guides 1.59 and 1.27, requires,. in part, that structures, systems,.and components important to safety be designed to withstand the effects 

   - of natural phenomena such as flooding. The safety objective of these topics
   - (II-3.A, II-3.B, II-3.B.1, and II-3.C), is to verify that adequate operating procedures and/or system design are provided to cope with the design-basis flood.

During the review of the hydrology-related topics, the staff.has identified one issue for further evaluation. In the event of probable maximum precipitation (PMP), the fuel storage building and ventilation equipment building roofs would be subject to ponding, possibly resulting in loading in excess of the design bas'is for the roofs. 1 It is'the staff ~ position that the licensee should assess the capacity of the structures to withstand the load and, if necesary, provide corrective measures such as additional roof drainage (see Section 4.6.2). 4.3 Topic II-4.F, Settlement of Foundations and Buried Equipment 10 CFR 50 (GDC 2 and 44) and 10 CFR 100, Appendix A, as implemented by Regula. tory Guide 1.132 and SRP Section 2.5.4, require, in part, that foundations and buried equipment important to safety be adequately designed to perform their intencad fun'ctions in the event of settlement. 

   ' During excavations for seismic support modifications in 1982, it was found that the backfill soil beneath some safety-related structures and components was not as compacted as had been thought. The licensee determined the distribution of backfill soil and its relative compaction. Where safety related equipment or structures were supported by the backfill, evaluation of the effect on seismic capacity was performed and in some instances, modifications were made, such as

~ installation of grade beams to span the backfill soil. The licensee has concluded that with'those modifications, there will be no adverse static or dynamic settle-ment problems. The staff will. review the licensee's modifications to span the backfill soil and present the.results of the review in the final-IPSAR. Although the response to seismic events with existing soil conditions is being evaluated under Topic III-6, the staff is continuing its review of the poten-tial long-term settlement (non-seismic-related) of some safety-related struc-tures and components founded on backfill soil and will report on its findings in the final IPSAR. 4.4 . Topic III-1, Classif, cation of Structures, Components, and Systems (Seismic and Quality) 10 CFR 50 (GDC 1), as implemented by Regulatory Guide 1.26, requires, in part, that structures, systems, and components important to safety be designed, fab-ricated, erected, and tested to quality standards commensurate with the impor-tance of the safety functions-to be performed. The codes used for the design, San Onofre 1 SEP 4-3 

                                                                         ~
           ' fabrication, erection, and testing of the San Onofre Unit 1 plant were compared with current codes.
           - The development of the current edition of the American Society of Mechanical Engineers " Boiler and Pressure Vessel Code" (ASME Code) has been a process
          -- evolving from earlier ASME Code, American National Standards Institute, and other standards, and manufacturer's requirements. In general, the materials of construction used in earlier designs provide comparable-levels of safety.

The staff-.in-its topic evaluation identified several systems and components for- 

           -which the-licensee was unable to provide information to justify a conclusion that the quality standards imposed during~ plant fabrication and construction meet the quality standards required for new facilities.      The staff did not
            . identify any inadequate components. However, because of the limited information on the components _ involved, the staff was unable to conclude that, for code and standard changes deemed important to safety, the San Onofre Unit 1 plant met'the intent of current requirements. The information described below was requested in the topic SERs forwarded by letters dated June 25, 1982, and April 23, 1984.

It is the staff's position that the licensee should complete the evaluations 

          ' described below. As an alternative, since much of the requested information may not exist,_the licensee may evaluate the safety significance of the com-ponents and systems in question and show that they are either adequately moni-tored by a formal-inspection program or are of no consequence on the basis of risk or safety function. The results of the evaluation should be incorporated into the Final Safety Analysis Report update, which must be submitted within
          ~ 2 years after completion of the SEP review per the requirements of 10 CFR 50.71(e)(3)(ii). If'the results of the licensee's evaluations indicate that facility modifications or inspection program changes are required, those actions-should be reported to the staff.
           - As discussed in the January 19, and March 30, 1984, submittals, the licensee is studying various alternatives for the open items to minimize the effort required and still be capable of demonstrating the basis for equipment design margins. These proposals have not yet been submitted for staff review.

4.4.1 Radiography Requirements ASME Code, Section III, requires that Categories A, B, and C weld joints be radi- , ographed. Furthermore, ASME Code, Section III, 1977 Edition, requires that weld joints for Class 1 and 2 piping, pumps, and valves be radiographed. Because information was not available during the topic review, the staff concluded that the licensee should verify that (1) the control rod drive housing, (2) Class 2 and 3 vessels for which Code Case 1273N was not invoked and having welded joint thicknesses less than 1 in., and (3) Class 1 and 2 piping and valves designed 

          - only~to American Standards Association (ASA) B31.1 have been radiographed or subsequently volumetrically inspected. If neither has been done, the licensee should perform a volumetric inspection.

4.4.2 Pressure Vessels i The licensee.should demonstrate compliance with current fatigue analysis b requirements for all Class 1 vessels. f 

           - San Onofre 1 SEP                         4-4 l

l l.__..

4.4.3 Fracture Toughness ASME Code, Section III, imposes minimum fracture toughness requirements on carbon steel components. For 55 of the 112 components reviewed, the informa-tion was not sufficient to complete this review. The licensee should perform an evaluation of those items that are not exempt from current fracture tough-ness requirements.to determine if toughness of the material is sufficient to ensure component integrity and, if it is not, evaluate the consequences and demonstrate acceptability or replace the components. 4.4.4 Piping The current Class 1 piping design requirements are given in ASME Code, Sec-tion III, NB-3600. Calculations similar to those presented in Examples 1 and 2 in Section 4.2, Appendix A, of TER C5257-433 (enclosure to the SER forwarded by letter dated June 25, 1982), applicable to San Onofre Unit 1 plant design para-meters, should be performed on a sampling basis to assess the impact on the usage factor of gross discontinuities in Class 1 piping systems for a medium and large number of cyclic loads. 4.4.5 Valves Current ASME Code, Section III, design requirements regarding body shapes and Service Level C stress limits for Class 1 valves and pressure-temperature ratings for Class 2 and 3 valves are different from those used when the plant was designed. Sufficient information was not available to assess the valves in the above-stated areas. The licensee should verify, on a sampling basis, that Class 1 valve stress limits meet current criteria for body shape and Service Level C conditions and that the pressure-temperature ratings of Class 2 and 3 valves are comparable to current standards. If current criteria are not met, the licensee should take appropriate corrective action (analysis or upgrading). 4.4.6 Pumps The staff in the topic evaluation concluded that codes, code classes, editions, code cases, and design calculations should be provided for nine of the pumps in the San Onofre Unit 1 plant. Proof of compliance with current fatigue analysis requirements for current Class 1 pumps (the reactor coolant pumps) should be established. The licensee should evaluate the design standards used for the other pumps in relation to current design standards and determine whether ade-quate safety margins exist. 4.4.7 Storage Tanks . Compressive stress requirements for atmospheric storage tanks and tensile stress requirements for 0- to 15 psig storage tanks designed to ASME Code, Section VIII (1962), or American Petroleum Institute (API) 650, differ from those of Sec-tion III, Class 2 and 3, of the current ASME Code. Sufficient information was not available during the topic review to assess the significance of these changes for the tanks designed to earlier ASME Code editions or other code editions. The licensee should evaluate the margins of safety for (1) atmospheric storage tanks, which should be checked to determine if they meet current compressive stress requirements; (2) 0- to 15 psig tanks, which should be checked to determine if San Onofre 1 SEP 4-5

they meet current tensile allowable values for biaxial stress field conditions; and (3) tanks' designed to API-650. 4.5 Topic III-2, Wind and Tornado Loadings 10 CFR 50 (GDC 2), as implemented by SRP Sections 3.3.1 and 3.3.2 and Regulatory Guides 1.76 and 1.117, requires.. in part, that structures, systems, and components important~to-safety be designed U) withstand the effects of natural phenomena 

 .such as wind and tornado loadings, including tornado pressure drop loading.

Under Topic II-2.A, the staff in the topic evaluation recommended that a design straight windspeed of 75 miles per hour (mph) is acceptable for the site and that a tornado with a 10-7 per year frequency (a tornadic windspeed of 260 mph) and ap of 1.5 psi should be the design basis, j The existing design and construction of some structures do not meet current licensing criteria regarding the ability of safety-related structures to resist such wind and tornado loads. The following were identified in the topic eval-uation as items not meeting the prescribed loads. (1) Ventilation st'ack--stack failure could affect safety-related structures and components. (2) Components not enclosed in qualified structures--capacity of equipment has not been evaluated. (3) Some safety-related structures including ventilation equipment, fuel storage, turbine, reactor auxiliary building (above gra a), and control / administration building (other than control room)--failure could result in release to the environment or inability to shut down the plant. (4) Gantry crane--failure could potentially affect safety-related equipment. It was the staff's recommendation in the topic evaluation that the licensee should ensure that structures and equipment can withstand the design-basis straight and tornado wind loadings or the licensee should demonstrate that their failure will not prevent reaching a safe shutdown condition. By letter dated September 17, 1984, the licensee submitted a Tornado Hazard Analysis Report. This report presented results of a site-specific analysis of tornado windspeed as a function of probability of occurrence. This report con-cluded that, at the 10-4 per year frequency level, tornado windspeed is 59 mph; i at 10-s, 103 mph; and at 10-7, 183 mph. The crossover point of the tornadic wind with the straight wind hazard function is 75 mph. A staff contractor (Mcdonald) had previously developed a tornado windspeed probability curve for the San Onofre Unit 1 site. At the upper 95% confidence limit curve, the values are 10-4, 77 mph (straight wind); 10-5, 113 mph; and 10-7, 272 mph. An independent staff assessment of the wind / tornado hazard was also performed later. The findings of the second report are: at 10-4, 80 mph (wind); at 10-5, 135 mph; and at 10-7, 270 mph. The crossover point is at approximately 85 mph (4 x 10-5). The next stage of the licensee's analysis for wind and tornado loadings is to perform an evaluation to demonstrate that there is adequate resistance for San Onofre 1 SEP 4-6

smaller tornado loadings and that the risk associated with larger loadings is acceptable. The evaluation, using the licensee's windspeed probability curves, will determine the scope of modifications necessary for safety-related structures and systems at each probability level /windspeed identified. On the basis of a cost / safety benefit evaluation, the licensee will recommend a design windspeed and conceptual modifications, and an implementation schedule will be developed. This evaluation currently is scheduled for completion by the licensee in July 1985. The staff will judge the adequacy of the licensee's proposal based on the staff's wind hazard function described above. 4.6 Topic III-3.A, Effects of High Water Level on Structures 10 CFR 50 (GDC 2), as implemented by SRP Section 3.4 and Regulatory Guide 1.59, requires, in part, that plant structures be designed to withstand the effects of flooding. The safety objective of this topic is to ensure the function of safety-related structures with hydrostatic or hydrodynamic loading resulting from design-basis water levels when combined with other nonaccident loadings. The staff's review of this topic identified the following areas of concern. 4.6.1 Groundwater The staff in the topic evaluation determined that a groundwater level at plant grade is appropriate for assessing the capacity of structures to withstand the short-term hydrostatic loads. It is the staff's position that the licensee should demonstrate that safety-related structures remain functional and resist flotation for short-term hydrostatic loads for a groundwater level at plant grade. The licensee will submit the results of this evaluation and identify any necessary modifications by . Tne site grade elevation varies from 11 ft to 20 ft mean low level water (MLLW) datum. The staff in the topic evaluation concluded that for calculating load combinations, a groundwater level of 5 ft MLLW is appropriate. The licensee stated in the safety analysis for Topic III-3.A (October 20, 1983) that a 5-ft MLLW groundwater level was considered in the evaluation of load combinations on structures. The staff is evaluating the effects of load combinations in Topic III-7.B (see Section 4.12.1). 4.6.2 Roof Loadings As discussed in Section 4.2, the fuel storage building and the ventilation building would be subject to ponding over low points of the roof. The licensee should either demonstrate that the roofs can withstand the load or propose corrective measures. The licensee will submit the results of this evaluation and identify any necessary modifications by . 4.7 Topic III-3.C, Inservice Inspection of Water Control Structures 10 CFR (GDC 1, 2, and 44) and 10 CFR 100 (Appendix A), as implemented by SRP Sections 2.5.4 and 2.5.5 and Regulatory Guides 1.27, 1.28, 1.59, 1.127, and 1.132, require, in part, that water control structures built for use in conjunc-tion with a nuclear power plant, whose failure could cause adverse radiological consequences, be inspected routinely. The inspection is intended for water control structures used for flood protection (on or off site) and emergency cooling water systems. The safety objective is to ensure that water control San Onofre 1 SEP 4-7

i structures that are part of the ultimate heat sink are available at all times during both' normal and. accident-conditions. The staff in the topic review identified the following item. A' formal inspection program as outlined in Regulatory Guide 1.127 has not been established for the site flood control structures or the service water reservoir. The staff position is that such. program should be formalized and that the frequency. schedule and a copy of the developed inspection checklist for each structure should be submitted for staff review. By letter dated January 19, 1984, the licensee committed to develop a program in accordance with Regulatory Guide 1.127. The proposed prcgram was submitted on June 5, 1984. The program is generally acceptable; however, the staff iden- t tified the need to make the following changes: (1) add the north bluff includ-ing the service water reservoir (SWR) to the list of areas to be examined to ensure that the drainage over the bluff to the ocean is maintained and (2) modify the requirement for checking the north drainage ditch to be annually before the rainy season. The SWR is not required for decay heat removal because the new auxiliary feedwater storage tank is available. However, the SWR does provide the fire protection water supply. The licensee agreed to these changes and will incorporate them into the program. .As discussed in Section 1.4.3, during the last inspection of the intake struc-ture, significant degradation of the rebar was discovered. Enhanced surveil-lance of this structure would be appropriate to monitor any similar problems'in the future. The licensee agreed to these enhanced inspections in a letter dated October 18, 1984. Also, as discussed in the staff's safety evaluation forwarded by letter dated November 21, 1984, inspections of portions of the seawall should be performed to check for degradation. These considerations should be included in the inservice inspection program for water control structures. The licensee will. provide the details of the proposed inspection program by . 4.8 Topic III-4.A, Tornado Missiles 10 CFR 50 (GDC 2), as implemented by Regulatory Guide 1.117, requires, in part, that structures, systems, and components be designed to withstand the effects of a tornado, including tornado missiles, without loss of capability to perform their safety functions. Regulatory Guide 1.117 recommends that structures, systems, and components that should be protected from the effects of a design-basis tornado are (1) those necessary to ensure the integrity of the reactor coolant pressure boundary, (2) those necessary to ensure the capability to shut down the reactor and maintain it in a safe. shutdown condition (including both hot standby and cold shutdown), and (3) those whose failure could lead to radioactive releases resulting in calculated offsite exposures greater than 25% of the guideline exposures of 10 CFR 100 using appropriately conservative anal-ytical methods and assumptions. The physical separation of redundant or alter-nate structures or components required for the safe shutdown of the plant is not considered acceptable by itself for providing protection against the effects of tornados, including tornado generated missiles, because of the large number and random direction of potential missiles that could result from a tornado, as well as the need to consider the single-failure criterion. San Onofre 1 SEP 4-8

Several components and systems were identified as vulnerable to tornado missiles. As discussed under Section 4.5, the licensee has proposed to perform a cost / benefit analysis to determine appropriate plant modifications to protect against tornado generated missiles. It is the staff's position that the licensee should provide protection for sufficient systems and components to achieve and maintain a safe shutdown in the event of a tornado. The licensee's method of analysis and the staff's evaluation criteria are discussed in Section 4.5. i 4.9 Topic III-5.A, Effects of Pipe Break on Structures. Systems, and l Components Inside Containment l 10 CFR 50 (GDC 4), as implemented by Regulatory Guide 1.46 and SRP Section 3.6.2, i requires, in part, that structures, systems, and components important to safety ! be appropriately protected against dynamic effects, such as pipe whip and dis-l charging fluids, that may result from equipment failures. l The licensee has performed a screening analysis of the effects of pipe breaks inside containment using conservative criteria; several interactions remain unresolved. For these interactions, the safety-related equipment that could be affected by breaks includes the following: (1) support structures for steam generators, pumps, reactor coolant system piping, component cooling system piping, chemical volume and control system piping, safety injection system piping, and air system piping (2) residual heat exchanger (3) valves in the residual heat removal (RHR), safety injection, and chemical volume and control systems (4) RHR pumps, reactor coolant pump (5) transmitters As discussed in the licensee's January 19, and March 30, 1984, submittals, further evaluations including detailed systems / effects analyses and fracture mechanics analyses will be performed to resolve these concerns. The staff finds this commitment acceptable. Electrical components such as cable trays and raceways were not evaluated during this review because, at the time, the review was to be integrated with modifica-tions required by 10 CFR 50, Appendix R. However, as discussed in Section 4.34,

the licensee's approach for attaining compliance with Appendix R has changed.
Issues have been raised under several SEP topics (III-5.A, VI-7.C.2 (see Sec-

' tion 4.25.4), VII-1.A (see Section 4.27), and IX-6 (see Section 4.34)) relating to the degree of physical and electrical separation between cabling in the two electric power divisions. It is the staff's position that the licensee should  ! perform reviews of the cable routing for San Onofre Unit I considering these l San Onofre 1 SEP 4-9 l

issues (among others) to identify any corrective actions necessary to ensure availability of safety-related electrical equipment. The licensee will submit the results of these evaluations and identify any necessary modifications by 4.10 Topic III-5.8, Pipe Break Outside Containment 10 CFR 50 (GDC 4), as implemented by SRP Sections 3.6.1 and 3.6.2 and Branch I Technical Position (BTP) MEB 3-1 and ASB 3-1, requires, in part, that structures, systems, and components important to safety be appropriately protected against dynamic effects, such as pipe whip and discharging fluids, that may result from equipment failures. The licensee has provided screening analyses o'f the effects of pipe breaks ou't-side containment. As a result of.these analyses, the licensee has identified several interactions that failed to satisfy the acceptance criteria. The equip-ment that may be affected includes the following: (1) structural beams under east and west feedwater heater platforms (2) main steam system branch lines (3) auxiliary feedwater stean supply line (4) auxiliary feedwater discharge line (5) nitrogen backup supply for pneumatic components (6) containment sphere To finish the review, the licensee has described a study (Phase III) in a letter dated January. 19, 1984, that will include (1) further evaluation of high-energy-line interactions with structural beams (2) evaluation of electrical components (3) effects of' failure of steam supply line for turbine-driven auxiliary feedwater pump (4) resolution of other unresolved breaks The licensee has committed to perform the additional analyses for the inter-action described above in a fashion similar to that discussed in Section 4.9. The staff finds this commitment acceptable. The licensee will submit the results of this evaluation and identify any necessary modifications by 4.11 Topic-III-6, Seismic Design Considerations 

                                            ' 10 CFR 50 (GOC 2), as implemented by SRP Sections 2.5, 3.7, 3.8, 3.9, and 3.10 and SEP review criteria (NUREG/CR-0098), requires, in part, that structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes.

l The seismic design basis for San Onofre Unit 1 for seismic Category A structures and components is what in today's terminology would be consistent with a 0.25g Housner spectrum operating basis earthquake and a 0.5g Housner spectrum safe shutdown earthquake. During the construction permit application review for San f San Onofre 1 SEP 4-10 1 m

Onofre Units 2 and 3, new geologic and seismologic information was developed for the site. The design basis for Units 2 and 3 is a 0.67g modified Newmark spectrum earthquake. The licensee initiated a reevaluation program for San Onofre Unit I using a ground motion input of 0.67g Housner spectrum. Following initiation of the SEP in 1978, this ongoing seismic reevaluation program was

incorporated into the SEP. The history and status of the seismic reevaluation program are detailed in the staff's November 21, 1984, letter transmitting the Contingent Recission of Suspension and attached safety evaluation.

As part of this reevaluation program and as discussed in the evaluations for i Topics II-4.A, B, and C (see Appendix E), the staff determined that the appropri-ate free-field seismic horizontal response spectrum to use for seismic reevalua-tion of San Onofre Unit 1 was the Housner spectrum anchored at 0.67g with a 10% increase over a specified range. The vertical spectrum is the Housner spectrum anchored at 0.44g with a 10% increase over a small range. These response spec-tra are referred to as the modified Housner spectra. The licensee has completed analyses and modifications (as necessary) to upgrade the following structures, systems, and components to the site-specific reevalua-tion ground motion of 0.67g modified Housner spectra: (1) all safety-related structures (2) main reactor coolant loop and components (3) piping and mechanical equipment whose failure could cause an accident requiring accident mitigating systems or that is required to reach a safe hot standby condition (4) electrical distribution systems and other support systems As discussed in the SER forwarded by letter dated November 21, 1984, supporting resumption of plant operation, the staff found that the seismic upgrading per-formed so far provides for sufficient equipment and systems to ensure that the plant can reach hot shutdown in the event of a 0.67g seismic event. It is the staff's position that the licensee should complete the analyses and implement l necessary modifications by the end of the next refueling outage. The licensee has proposed criteria and methodologies for these analyses in a report forwarded by letter dated March 12, 1985. These criteria and methods are under staff review. The scope of these efforts includes equipment necessary to achieve cold shutdown and to provide accident mitigation. As noted in Sections 4.23.4, 4.23.5, and 4.23.6, seismic qualification of portions of the component cooling water system, containment purge system, and containment fan coolers ensures the containment isolation function. In addition, some of the criteria and methods that the staff found acceptable for interim operation (i.e., until the next refueling outage) require further justification and/or revision for long-term operation. These issues will be resolved in conjunction with the other analyses discussed above. 4.12 Topic III-7.8, Design Codes, Design Criteria, Load Combinations, and l Reactor Cavity Design Criteria 10 CFR 50 (GDC 1, 2, and 4), as implemented by SRP Section 3.8, requires, in part, that structures, systems, and components be designed for the loading that will be imposed on them and that they conform to applicable codes and standards. San Onofre 1 SEP 4-11 l_

4.12.1 Design Codes, Criteria, and Load Combinations Code, load, and load combination changes affecting specific types of structural elements have been identified where existing safety margins in structures are significantly reduced from those that would be required by current versions of the applicable codes and standards. Specific areas of design code changes potentially applicable to the San Onofre Unit 1 plant have been identified for which the current code requires substantially greater safety margins than did the earlier version of the code, or for which no original code provision existed. Because of the extensive seismic reevaluation program (as discussed in Sec- + tions 1.4 and 4.11) for San Onofre Unit 1, which utilizes design codes such as American Concrete Institute (ACI) 349-76 and American Institute of Steel Con-struction (AISC) 1978, the staff concluded that the impact of code changes and criteria is being adequately addressed. [ The licensee is currently evaluating the ability of structures to withstand the effects of various loads, such as (1) the effects of settlement on foundations (Section 4.3) (2) the effects of groundwater (hydrostatic and hydrodynamic loads (Sec- ' tion 4.6.1) (3) the effects of wind and tornadoes (Sections 4.5 and 4.8) (4) the effects of postulated pipe breaks (Sections 4.0 and 4.10) (5) the effects of seismic events (Section 4.11) Under Topic III-7.8, the effects of the combinations of these loads on structures, as prescribed in current NRC acceptance criteria, are to be evaluated. As a result of the seismic reevaluation program being conducted by the licensee, the staff has concluded that any structural modifications resulting from that pro-gram will be sufficient to resolve the load combination issue if the licensee can demonstrate that the seismic loads will dominate over the other loads, when taken in combination. Integrating the results of the vario 's structural loading issues will result in the most cost-effective and efficient method to determine the appropriate structural modifications to resolve all of the loading issues to enhance the overall safety of San Onofre Unit 1. The licensee will provide the necessary analyses and the recommended plant modifications by . 4.12.2 Load Combinations for Reactor Containment As part of the topic evaluation, the staff contractor, in a report transmitted by letter dated September 21, 1982, provided an analysis for the combined main steamline break thermal-load plus 0.67g earthquake load indicated that the con-tainment sphere is under high compressive hoop stress in the sand-filled transi-l tion zone. This zone is around the sphere extending 6 ft down from plant grade, i San Onofre 1 SEP 4-12

Assessment of the potential for buckling of the shell under this stress is very complex. Inward buckling of the shell could affect containment integrity. By letter dated March 30, 1984, the licensee provided an analysis that concluded that an adequate margin against buckling exists for the San Onofre Unit 1 sphere. This analysis is currently under staff review. The staff will report on its conclusions in the final IPSAR. 4.13 Topic III-7.0, Containment Structural Integrity Tests 10 CFR 50 (GDC 16, 50, and 51), as implemented by SRP Section 3.8.2, requires, in part, that a reactor containment structure be provided and that suf ficient l margin exist to ensure that under postulated accident conditions the containment l can accommodate the effects with consideration for uncertainties in determining material properties and residual and transient stresses. The obiective of Topic III-7.0 is the evaluation of the original containment structural integ-rity tests that have been performed against current criteria for such tests. 1 ASME Code, Section III, Division I, Article NE-6000, specifies that a test pressure of 1.1 times the design pressure be used for the containment struc-tural integrity test. At the time of the initial test, the peak calculated pressure (design pressure) was 46.4 psig; therefore, a margin of 1.15 to the test pressure of 53.4 psig existed. In 1977, the loss-of-coolant accident (LOCA) postaccident pressure was recalcu-lated to be 49.4 psig. This calculation was performed using Revision 3A of the computer code BN-TOP 3. In 1981, an updated analysis of LOCA pressure was per-formed using Revision 4 of BN-TOP 3. This revision incorporated code changes made in response to staff comments. The peak pressure was 48.2 psig. The latest analysis of containment response to a main steamline break resulted in a calculated peak pressure of 53.3 psig. However, the licensee has also performed fracture mechanics evaluations to show that the double-ended main steamline rupture is not a credible event. Smaller line failures result in lower peak pressures. For the LOCA, for which containment integrity is more important for the protec-tion of public health and safety, the calculated peak pressures provide a margin ranging from 8% to 11%, which is comparable to the ASME Code recommen-dation of a 1.1 factor. Periodic leakage rate tests have been performed at a containment pressure of 49.4 psig. For the steamline break, the worst-case peak pressure would approach the initial test pressure; however, possible degra-dation of containment integrity would be much less significant in this case than for the LOCA, and there are margins inherent in the design of the contain-ment to compensate for small differences between test and peak presseres. On the basis of the comparable margin to ASME Code requirements and the lesser risk to containment integrity from a steamline break, the staff finds the results of the integrity test acceptable and no further action is warranted. 4.14 Topic III-8.A, Loose-Parts Monitoring and Core Barrel Vibration Monitoring 10 CFR 50 (GDC 13), as impicnented by Regulatory Guide 1.133, Revision 1, and SRP Section 4.4, requires, in part, that a loose parts monitoring program for San Onofre 1 SEP 4-13 l

the primary system of light-water-cooled reactors be provided. San Onofre Unit 1 does not have a loose parts monitoring program that meets the criteria of Regulatory Guide 1.133. A loose parts monitoring program conforming to the recommendations of Regula-tory Guide 1.133 could provide an early detection of loose parts in the primary system that could help prevent damage to the primary system. Such damage relates primarily to (1) damage to fuel cladding resulting from reheating or mechanical penetration (2) jamming of control rods , (3) possible degradation of the component that is the source of the loose part to such a level that it cannot properly perform its safety-related function Implementation of a loose parts monitoring program is being considered in Revision 1 to Regulatory Guide 1.133. If the staff decides to implement +he recommendations of this revision, then the need to implement a loose parts monitoring program on operating reactors will be addressed generically. The following factors were considered in making a recommendation that no loose-parts monitoring program be implemented at this time: (1) A summary of 31 representative loose parts incidents at 31 reactors (from the value-impact statement of Revision 1 to Regulatory Guide 1.133) indi-cates that structural damage occurred as a result of loose parts in only 9 incidents. None of these incidents caused a safety related accident. (2) Most loose parts can be detected during refueling inspections. (3) The results of the limited PRA of this issue for San Onofre Unit 1 showed that eliminating loose parts-induced transients by installing a loose parts monitoring system would have no effect on risk. Consequently, this issue is considered complete, and no further action or analysis is necessary at this time. 4.15 Topic III-10.A, Thermal-Overload Protection for Motors of Motor-Operated Valves 10 CFR 50.55a(h), as implemented by Institute of Electrical and Electronics Engineers (IEEE) Std. 279-1971 and 10 CFR 50 (GDC 13, 21, 22, 23, and 29), requires, in part, that protective actions be reliable and precise and that they satisfy the single-failure criterion using quality components. Regulatory Guide 1.106 presents the staff position on how thermal-overload protection devices can be made to meet these requirements. The objective of this review is to provide assurance that the application of thermal-overload protection devices to motors associated with safety-related motor-operated valves (MOVs) does not result in needless hindrance of the valves' performance of their safety functions. San Onofre 1 SEP 4-14

In accordance with this objective, the application of either one of the two recommendations contained in Regulatory Guide 1.106 is adequate. These recom-mendations are as follows: (1) Provided the completion of the safety function is not jeopardized or that other safety systems are not degraded, (a) the thermal-overload protection devices should be continuously bypassed and. temporarily functional only when the valve motors are undergoing periodic or maintenance testing, or (b) those thermal-overload protection devices that are normally functional during plant operation should be bypassed under accident conditions. (2) The trip setpoint of the thermal-overload protection devices should be established with all uncertainties resolved in favor of completing the safety-related action. With respect to those uncertainties, consideration should be given to (a) variations in the ambient temperature at the installed location of the overload protection devices and the valve motors (b) inaccuracies in motor heating data and the overload protection device trip characteristics and the matching of these two items > (c) setpoint drif t To ensure continued functional reliability and the accuracy of the trip setpoint, the thermal-overload protection device should be tested periodically. In San Onofre Unit 1, two motor-operated valves have thermal-overload protec- " tion devices that are not bypassed following an emergency signal, nor has it been shown that their trip setpoints were conservatively set. These valves are i the component cooling water (CCW) heat exchanger discharge valves. During power operation, one of the two valves is open and the other is closed. The operating train is rotated weekly. When residual heat removal cooling is desired, both valves are opened to provide full CCW flow. The closed valve is automatically opened on a safety injection signal. Once opened, these valves are not required to change position. Failure of the closed MOV to open will not result in loss of CCW since the other valve is already open. These MOVs are outdoors in the yard and have hand wheels so they can be manually operated, if necessary. The limited PRA rated the significance of this issue low because the reduction i

in failure rates for the MOVs achieved by bypassing the thermal-overload would l not have any significant effect on core-melt frequency.

! t Therefore, on the basis of the CCW configuration, the ability to operate the valves manually, and the low risk significance of this issue, the staff con-i cludes that modifications to the two MOVs are not warranted and considers this I issue to be resolved. I San Onofre 1 SEP 4-15 i l I

4.16 Topic III-10.8, Pump Flywheel Integrity 10 CFR 50 (GDC 4), as implemented by Regulatory Guide 1.14 and SRP Sec-tion 5.4.1.1, requires, in part, that methods be provided to minimize the potential for failures of reactor coolant pump flywheels which could generate missiles. The staff in the topic evaluation concluded that the inservice inspections that have been performed on the reactor coolant pump flywheels showed compliance with the guidelines of Regulatory Guide 1.14. However, the staff recommended that additions be made to the inservice inspection program to reflect compliance with the recommendations of the regulatory guide. By letter dated Ja'nuary 19, 1984, the licensee submitted Engineering Procedure 501-V-2.17, " Reactor Coolant Pump Flywheel Inspection," which describes the inservice inspection requirements and schedule for the flywheels. The frequency and type of inspection required by this procedure are consistent with the regu-latory guide recommendations. Therefore, the staff finds this inspection pro-gram acceptable and considers this topic to be resolved. 4.17 Topic IV-2, Reactivity Control Systems, Including Functional Design and Protection Against Single Failures 10 CFR 50 (GDC 25), as implemented by SRP Section 7.7, requires, in part, that the reactor protection system be designed to ensure that specified acceptable . fuel design limits are not exceeded for any single malfunction of the reactivity ' control systems, such as accidental withdrawal of control rods. The staff in the topic review identified several types of rod motion that could occur as a result of single malfunctions. The rod motions to consider are: (1) Two banks of control rods may move simultaneously. (2) A group or bank of shutdown rods may not move when commanded. (3) A group or bank of control rods may not move when commanded. (4) A group of shutdown rods could move inadvertently. (5) A group, bank, or banks of control rods may move. (6) A shutdown rod or a group or bank of shutdown rods may fall into the core. (7) A control rod or a group or bank of control rods may fall into the core. (8) A rod assembly could move in a direction opposite to the one commanded. The results of the limited PRA indicated that the risk significance of this issue is low because the most important consequence of a rod withdrawal acci-dent is localized power peaking in the fuel bundles in the vicinity of the withdrawn rod. Although localized power peaking could result in some cladding damage, no extensive fuel damage or melting would be expected. In previous comprehensive probabilistic risk assessments such as WASH-1400, it has been shown that the most significant contribution to the overall risk of opera-tion of a nuclear power plant comes from the accidents that involve core melt. Core performance for control rod misoperation events is addressed under Top-ic XV-8. The following events are explicitly considered in the Topic XV-8 review: uncontrolled withdrawal of a group and control rod group drop. The two-bank-withdrawal event was not explicitly covered under Topic XV-8. How-ever, as noted in the licensee's letter of August 21, 1984a, the reactivity insertion rate resulting from a two-bank rod withdrawal is within the range of San Onofre 1 SEP 4-16

rates considered in the analyses of the control rod group withdrawal event. The results of the group withdrawal analyses, as discussed under SEP Topic 

   .XV-8, confirmed that the safety limits are met.

The remaining rod motions that could occur as a result of single failures would not result in a configuration more severe than that considered in the control l- rod maloperation analyses. In those cases where rods might not move when move-ment was commanded by the rod control system, the rods would still scram if required. Rod position indications and limits on allowable misalignments

ensure that adverse power distributions do not occur.

I { Therefore, on the bsis of the above discussion, the staff finds the analyses l sufficient and considers this topic to be resolved. 4.18 Topic V-5, Reactor Coolant Pressure Boundary (RCPB) Leakage Detection 10 CFR 50 (GDC 30), as implemented by Regulatory Guide 1.45 and SRP Section 5.2.5, prescribes the types and sensitivity of systems and the seismic, indication, and testability criteria necessary to detect leakage of primary reactor coolant to the containment or to interconnected systems. Regulatory Guide 1.45 recommends that at least three separate leak detection systems be installed in a nuclear-power plant to detect unidentified leakage from the RCPB to the primary con-tainment of 1 gallon per minute (gpm) within 1 hour. Leakage from identified sources must be isolated so that the flow of this leakage may be monitored separately from unidentified leakage. The detection systems should be capable of performing their functions after seismic events that do not require shutdown and be capable of being checked in the control room. Of the three separate leak detection methods recommended, two of the methods should be (1) sump level and flow monitoring and (2) airborne particulate radioactivity monitoring. The third method may be either monitoring the condensate flow rate from air coolers or monitoring airborne gaseous radioactivity. Other detection methods--such as monitoring humidity, temperature, or pressure--should be considered to be , indirect indications of leakage to the containment. In addition, provisions 

  .should be made to monitor systems that interface with the RCPB for signs of intersystem leakage through methods such as monitoring radioactivity and water levels or flow.

On the basis of its review of the available information for the leakage detec-tion systems at San Onofre Unit 1, the staff in the topic evaluation concluded that the systems used at San Onofre Unit I do not meet all of the recommendations of Regulatory Guide 1.45. Specifically, the staff determined that: (1) The systems used for the detection of leakage from the RCPB to the contain-ment consist of the minimum three recommended in Regulatory Guide 1.45 plus additional systems. However, at the time the staff SER (letter dated March 7, 1983) was issued, the licensee had not determined the system sensitivities and response time. (2) Information on the description of the systems used to monitor leakage from the reactor coolant system to secondary systems is incomplete. (3) The San Onofre Unit 1 Technical Specifications do not contain requirements for the operability of the leakage detection systems. San Onofre 1 SEP 4-17 l

(4) None of the recommended leakage detection systems has been demonstrated to remain functional following a safe shutdown earthquake. (5) Not all of the leakage detection systems have provisions for testing operability and calibration during plant operation. 4.18.1 Leakage Into Containment At San Onofre Unit 1, the following systems are provided for RCPB leak detection: (1) sump level monitoring (2) sump pump actuation monitoring (3) airborne particulate radioactivity monitoring (4) airborne gaseous radioactivity monitoring (5) containment atmosphere pressure monitoring (6) containment atmosphere humidity monitoring (7) containment atmosphere temperature monitoring Also, the amount of leakage from the RCPB can be determined by performing the reactor coolant system hot leak rate test (San Onofre Unit 1 Operating Instruc-tion 501-12.2.7). This test is run at least every 7 days, arid the test run time is 4 hours. 4.18.1.1 System Sensitivity By letter dated February 24, 1984, the licensee provided the following additional information on leakage detection system sensitivity. With the sphere sump pump system, a 1 gpm leak can be detected in 80 min when a level switch starts a sump pump. Pump start is annunciated in the control room. In response to the pump start alarm, the operator logs the pump start time and then the pump stop time. Lights in the control room show pump status (running or not). A second pump starts at a higher setpoint; the annunciator is common to both. If the pumps do not start, another level alarm is reached after 86 additional minutes. If the pump starts, but because of equipment failure the alarm does not sound, the pump will pump out the sump contents to the decontamination drain tank. The detection time in this case would be more variable because it would depend on whether or not an operator noticed the pump running lights or how full the drain tank was (there is a high-level alarm, but the tank is considerably larger than the sump and other sources drain there as well). Smaller leaks can also be detected by this method, but the time to detect them will most likely depend on how quickly the leaks develop, what the previous leakage was, and other factors. There are also sump level indicators with control room readout. These systems are sensitive enough to show a 1 gpm leak but are dependent on plant operators noticing any changes because no alarms are provided. Using the airborne particulate monitor and assuming a base level isotopic activity, a 1 gpm leak can be detected (control room alarm) in 1 hour. San Onofre 1 SEP 4-18

Other indications include the following. The airborne gaseous radioactivity monitor has a 1 gpm sensitivity, but detec-tion time is longer than 1 hour. The sensitivity is dependent on the normal radiation level, which is itself dependent on power level, failed fuel, and core life. For a small leak and low radiation levels, this monitor may not detect the leak. At best, it can detect a leak after about 10 hours. Containment pressure, temperature, and humidity alarms can detect a 6.7 gpm leak within 1 hour. A 1 gpm leak will not be detected. These alarms are only considered as indirect indications of leakage to the containment. The RCPB-to-containment leakage detection systems at San Onofre Unit I have the capability to detect a 1 gpm leak, but the detection time is longer than I hour. The longer time to achieve this sensitivity is not considered to be of significance unless the resolution of Topic III-5. A, " Effects of Pipe Break on Structures, Systems, and Components Inside Containment," demonstrates that the current leak rate sensitivity is not considered adequate. The staff concludes that these leakage detection systems are adequate to detect a 1 gpm leak in an acceptable period of time unless the continuing review under Topic III-5. A identifies the need for improved leak detection capability. Because the issue of detection sensitivity will be resolved in another topic (see Section 4.9), this issue is considered complete. 4.18.1.2 Operability Requirements The San Onofre Unit 1 Technical Specifications do not contain limiting condi-tions far operation or surveillance requirements regarding the operability of leakage detection systems, as recommended by Regulatory Guide 1.45 and the Westinghouse Standard Technical Specifications (NUREG-0452). It is the staff's position that such specifications are necessary to ensure operability of the leakage detection systems and, therefore, timely detection of leakage from the reactor coolant system. The licensee has agreed to provide Technical Specifications once the required sensitivity (see Section 4.18.1.1) is established. Because this issue of operability will be resolved under another topic (see Section 4.9), this issue is considered complete. 4.18.1.3 Seismic Qualification The leakage detection systems do not meet the recommendations of Regulatory Guide 1.45 with regard to operability following a seismic event. Therefore, it is the staff's position that the licensee should provide at least one leakage detection system that will remain operable following a safe shutdown earthquake, or that the licensee should provide procedures that specify actions to be taken for a seismic event to ascertain the operability of leakage detection systems and any actions to be taken if systems are inoperable. The licensee will pro-vide the required information by _ _. 4.18.1.4 Testability Two of the required leakage detection systems, the airborne particulate and gaseous monitoring systems, can be tested during normal operation. The sump San Onofre 1 SEP 4-19

level monitoring system does not meet the recomnendations of Regulatory Guide 1.45 with regard to direct testability during plant operation. However, the perform-ance'of the weekly reactor coolant system hot leak rate test would serve as an indirect indication of the operability of the sump level monitoring system. Therefore, considering all the means provided for leak detection, the staff finds that the existing testing capabilities are acceptable. In summary, it is the staff's position that the leakage detection systems currently installed at San _Onofre Unit 1, although not meeting the explicit recommendations of Regulatory Guide 1.45, are adequate to detect small reactor coolant pressure boundary (RCPB) leakage within an acceptable timeframe. How- 'ever, the staff recommends that the plant Technical Specifications be upgraded to include operability requirements for these systems and at least one RCPB-to- s . containment leakage detection system should be upgraded for seismic qualifica-tion. However,' additional staff recorsmendations could be forthcoming if the licensee's analysis of pipe breaks inside containment (see Topic III-5.A, Sec-tion 4.9) demonstrates that other system upgrades are warranted. 4.18.2 Intersystem Leakage Provisions are nade to monitor reactor coolant leakage to interconnecting sys- ' tems, namely the component cooling system and the main steam system. Inter- 

-system leakage from the reactor coolant system (RCS) into the secondary system is monitored by the condenser air _ ejector monitor and the steam generator liquid monitor. A 1 gpm leak is within the sensitivity range of the instruments, but the alarm setpoints are such that the leak would not be detected within 1 hour.

Leakage between the RCS and the component cooling water system is monitored by high- and low-level alarms and a radiation detector. A 1 gpm leak could be detected in 6.4 hours. .The component cooling water surge tank is classified as a seismic Category A tank. As noted in Section 4.28.1 (Topic VII-3), the level sensor and alarms are not redundant, although a local sight gauge, checked once per shift, is also available. The secondary system air ejector and.the steam generator blowdown monitors need not be seismically upgraded because these are redundant components, and manual sampling for secondary activity can be performed if the monitors both fail. Radioactive leakage from the secondary system will also be monitored by instrumentation required by TMI Action Plan Item II.F.1, " Noble Gas Effluent Monitor." The staff has concluded that intersystem leakage would not contribute signifi-cantly to overall risk (see Sections 4.19 and 4.32) and, because of the avail-able leakage detection systems, the staff finds that the capability to detect intersystem_ leakage at San Onofre Unit 1 is acceptable. The staff considers this issue to be resolved. 4.19 Topic V-10.A, Residual Heat Removal System Heat Exchanger Tube Failures 10 CFR 50 (GDC 34) and 10 CFR 100 (Appendix A), as implemented by SRP Sec-tion 9.2.1, require, in part, that a residual heat removal system be provided with leakage-detection and isolation capability to limit possible releases of radioactive coolant to the environment. San Onofre 1 SEP 4-20

SRP Section 9.2.1 requires that the service water system include the capability for detection and control of radioactive leakage into and out of the system and prevention of accidental releases to the environment. The residual heat removal (RHR) system at San Onofre Unit 1 is normally at a higher pressure than the component cooling water (CCW) system. _Therefore, a tube failure.in the RHR heat exchar.gers would result in contamination of the 

 .CCW system. Furthermore, because CCW pressure at the CCW heat' exchanger is greater than that of the salt water cooling system at this heat exchanger, radioactive leakage to the environment could occur in the event of the highly unlikely simultaneous failure of tubes in a combination of one (or both)^ of the two RHR heat exchangers and one (or both) of the CCW heat exchangers. San
 -Onofre Unit 1 is provided with CCW system instrumentation to detect such an occurrence. As defense against leakage to the environment, the CCW system incorporates a radiation detector, and the surge tank of this system has high-and low-level alarms, which will indicate leakage either into or out of the system.

The results of tho limited PRA showed that because contamination from in-leakage of component cooling. water to the primary water system is a very low-frequency event, it is of low risk significance. This is based on the fact that this cent can only occur during refueling outages when primary coolant system. pressure is less than CCW system pressure. ) For leakage to the environment from the reactor coolant system to occur, tube failures in both the RHR and component cooling heat exchangers would be neces- i sary. The CCW surge tank level instruments should detect inleakage or outleak-age, inservice inspection is performed on the heat exchangers, and there is a radiation monitor on the CCW system. The results of the limited PRA showed that the risk from this event is also low. 4.19.1 Radiation Monitoring The San Onofre Unit 1 salt water cooling system does not incorporate a radia-  ! tion monitor as required by SRP Section 9.2.1, and the staff in its topic evaluation recommended that the licensee should install one. As an alterna-tive, surveillance and operability requirements for the CCW system radiation monitor could be included in the Technical Specifications. As noted in the licensee's letter of January 30, 1984, the Radiological Effluent Technical Specifications (RETS) (issued August 27, 1984) require channel checks, cali-bration, and tests of the CCW radiation monitor. The staff finds the RETS requirements alternatively acceptable and, therefore, this issue is considered to be resolved. 4.19.2 Sampling The staff in the topic evaluation concluded that the CCW system should be sampledifor chlorides and that sampling should be done during shutdown modes. Although station procedures cover primary sampling requirements, the staff concluded that Technical Specifications for leak detection (into the primary system) limits and sampling frequency for the reactor coolant system should be established. San Onofre 1 SEP 4-21 L b

By letter dated November 7, 1983, the licensee noted that the present sampling and chemical control procedure for the primary system, which includes sampling of the CCW system, provides for monthly sampling of the C,CW for chlorides and sampling requirements while shut down. In a letter dated January 19, 1984, the licensee noted that the chemistry limits for chlorides, fluoiides, and oxygen in the procedure comply with the Westinghouse Standard Technical Specification (NUREG-0452) limits. The staff concludes that these pr adures are adequate and Technical Specification changes to add these limits 'ot necessary. 4.19.3 Testing of Recirculation Heat Exchanger The review under Topic VI-7.A.3 noted that the recirculation heat exchangers are not tested for leakage. This issue was addressed under Topic V-10.A because the concern relates to leakage through a heat exchanger that could result in introduction of sump water (following a loss-of-coolant accident (LOCA)) into the component cooling water system. The recirculation heat exchanger is used to cool sump water during the recircu-lation cooling mode after a LOCA. There is only one heat exchanger. If a leak existed or developed, radioactive water could enter the component cooling water system if the relative pressures in the two systems allowed it. However, the pressure in the heat exchanger is normally higher than peak containment pressure. Furthermore, because the CCW system is a closed loop, an additional failure would be necessary for a release after any leakage into the CCW. The heat exchanger is maintained solid on the recirculation side with component cooling water passing through the heat exchanger through a miniflow line. Therefore, if a tube failure existed, water would leak from the CCW into the recirculation heat exchanger. Such a leak could be detected by falling CCW level in the surge tank. The CCW system is hydrotested each refueling outage. On this basis, the staff concludes that adequate testing is performed and that the potential for radiological release is minimal. The staff concludes that no further action is necessary. 4.20 Topic V-11.A, Requirements for Isolation of High- and Low-Pressure Systems 10 CFR 50.55a, as implemented by SRP Section 7.6 and Branch Technical Position (BTP) ICSB 3, requires that systems with lower design pressure ratings should be isolated from the reactor coolant system when it is at a pressure above the system design rating. The staff in its safety evaluation concluded that the following systems did not fully satisfy current licensing criteria for high- and low pressure isolation: (1) chemical and volume control system (2) safety injection system (3) long-term recirculation system 4.20.1 Chemical and Volume Control System 4.20.1.1 Charging Pump Discharge Valves The staff in the topic evaluation concluded that the charging pump discharge valves do not satisfy the applicable high-to-low pressure system interlock San Onofre 1 SEP 4-22

I criteria. The low pressure portions of the chemical and volume control system (CVCS) are on the suction side of the charging pumps. The only high pressure interface with the low pressure piping in the CVCS occurs across the charging pump discharge check valve for an idle charging pump. Pressurization of the suction piping from the operating pump could occur if the discharge check valve in the idle leg failed and the suction side whs isolated by closing the manual valve. For a loss-of primary-coolant l inventory to occur through the suction line, the other pump must be tripped and the check valve at the RCS loop must also be failed. \ The scenario considered in the limited PRA was reverse leakage past the two check valves during operation, with failure of the air-operated isolation valve to close. The frequency of this event is estimated to be approximately 1 x 10 6 per year. Although the magnitude is low, intersystem LOCAs bypassing containment can have significant consequences. However, for the idle pump's suction line to be pressurized, the manual valve on the suction side must be closed (see Figure V-11.A.1 of Appendix D). This aspect was not considered in the PRA calculation. Furthermore, check valve FCV-1112 is also in the flow path and would have to stay open for the LOCA path to exist. Also, inservice testing (full stroke exercising open and closed) of the discharge check valve is performed every 3 months. The suction side valve is normally open and is on the monthly safety-related valve alignment checklist. The other check valve is tested each refueling outage. If neither charging pump is running, the leakage path could develop without I closure of the suction valve (i.e., if both check valves fail). However, the plant cannot operate with both charging pumps out of service because of Tech-nical Specification limits. Therefore, because of the valve testing program and the valve alignment checklist changes, the staff concludes that modifica- { tions to the CVCS to meet the high-to-low pressure interlock criteria are not warranted and considers this issue to be resolved. 4.20.1.2 Letdown Piping The isolation valves of the letdown line do not have pressure-related interlocks to automatically close if RCS pressure increases above system design pressure. A relief valve is provided downstream of these orifices. The staff concern was l that for an event that isolated the letdown system outside containment coupled with a failure of the relief valve, a LOCA (isolatable) might occur. Therefore, the staff recommended in the topic evaluation that the licensee should provide a redundant relief valve or show that the radiological consequences of such a break are acceptable. Under Topic XV-16, the consequences of the limiting small-line break outside containment (larger than the CVCS letdow ) were shown to be acceptable if operator action to isolate the break occurred in 20 minutes. This time period is considered adequate for isolation of a letdown line failure considering available indications and autoclosure features on the letdown line valves (on low pressurizer level). The staff concludes that modifications to l the CVCS letdown piping are not warranted and, therefore, this issue is resolved. San Onofre 1 SEP 4-23 l

4.20.2 Safety Injection System Each safety injection branch has a motor-operated valve (MOV) and a check valve in series isolating the reactor coolant system (RCS) from the feedwater discharge piping. The MOVs do not have pressure-related interlocks -to prevent them from opening when RCS pressure is above safety injection system (SIS) design pressure. A limit of 5 gpm leakage for the check valves is established in the plant Technical Specifications. The results of the limited PRA showed that the initiation of a LOCA due to re-verse leakage through these lines resulting from an MOV left open following its periodic testing and failure of the check valve is considered to be of medium risk significance. The limited PRA also noted that if procedures are established i so that a second operator must verify the correct position of the M0V following the test, the LOCA frequency can-be reduced. As noted, in the licensee's January 19, 1984, letter, the check valves and MOVs are tested as part of Surveillance Procedure 501-12.9-9, " Safety Injection System Check Valve Test." This procedure instructs the operator to open and close the MOV during the test. During startup, the MOVs are verified closed as part of Procedure 501-4-17, " Safety Injection System Operation." Procedure 501-4-39, " Safety Injection System Alignment," requires verification of the M0Vs in the closed position before startup. As part of the shift review, the safety-related valve status is verified in the control room according to Procedure 501-14-5, " Operations Shift Relief and Status Logs." MOV position indication is checked during the inservice testing of these valves (each refueling outage). It should be noted that the design pressure of the feedwater discharge piping is 1,400 psig. Considering the margins inherent in the design of this piping, the ASME Code allows a pressure of 60% over design pressure under faulted conditions (2,240 psig). The two power-operated relief valves are set to open at 2,190 psig. The staff estimates that the probability of failure of this piping if exposed to RCS pressure is less than 0.5. The staff concludes that, on the basis of the SIS design pressure and margin, procedures to verify that the MOVs are closed at two separate times before plant startup, and the Technical Specification limit on check valve leakage, modifications to the SIS are not warranted and that this issue is resolved. 4.20.3 Long-Term Recirculation System The long-term recirculation lines from the charging pumps have a check valve, two motor-operated valves, .and an air-operated valve in series. This flow path is used only for postaccident response and the valves are normally closed. The discharge piping is designed for full RCS pressure; the safety concern is pressurization of the charging pump suction piping similar to the case discussed in Section 4.20.1.1 above. Although no system interlocks are present, the remote persibility of misaligning four valves in series and the testing of the check valve together with accept-able system procedures for valve alignment verification form an adequate basis for not making modifications to this system. This issue is resolved. San Onofre 1 SEP 4-24 

                                                                               .                                       -       _ . i

4.21 Topic V-11.8, Residual Heat Removal System Interlock Requirements 

  '10 CFR 50.55a, as implemented by SRP Section 7.6 and BTP ICSB 3, requires, in part, that the motor-operated valves (MOVs) used for the isolation of the RCS from other systems that have lower design pressure ratings should have independent and diverse interlocks. These interlocks should prevent the opening of the MOVs until the RCS pressure is below the system design pres-sure, and close them automatically when RCS pressure increases above the system design pressure.

4.21.1 Residual Heat Removal System Interlocks The residual heat removal (RHR) system does not satisfy current acceptance criteria with. respect to pressure interlocks. Isolation on both the suction 

  .and discharge sides is provided by two M0Vs in series. All the MOVs have position' indication in the control room and are normally closed during plant operation. The inboard set of valves has a pressure related interlock to prevent them from opening until RCS pressure is below RHR system design pres-sure. The other set of valves is under administrative control. In accordance with plant operating procedures, the valves are not opened to place the RHR system in service until the RCS pressure is reduced to 350 psi.

Failure of the interlock could result in overpressurization of the RHR system if an operator opened the RHR isolation valves when RCS pressure was too high. The results of the limited PRA showed that the probability of inadvertent 3 j opening of the isolation valves at high pressure (with failure of the pressure  ! interlock) is approximately 1 x.10 7 per year; thus, this issue is of low importance. This value is dependent on assumed human error rates for opening the valves and the probability of recovery from the accident. Thus, the staff believes there may be large uncertainty in this value. However, it should be noted that the RHR system is totally inside containment; therefore, even if the RHR system were to fail, a LOCA bypassing containment would not occur. The RHR system is not part of the emergency core cooling system equipment; 

  'thus, the capability to mitigate the LOCA is not affected. On the basis of
  .the above, the staff concludes that the features provided for RHR system isola-l tion are adequate and, therefore, this issue is resolved.

l 4.21.2 Overpressurization Protection of Residual Heat Removal System No interlocks are provided to automatically close RHR system isolation valves 

  'on increasing pressure. The staff in its topic evaluation concluded that this difference from current criteria was acceptable on the basis of availability of the alarm and relief capacity of the overpressure mitigation system (OMS) as well asthe relief valve in the RHR system. This conclusion is also supported by the staff study on overpressure protection systems (AE00/C401), which found that automatic isolation of the RHR system may exacerbate an overpressurization transient and that sufficient relief capacity from the OMS can eliminate the.

f concern of RHR system'overpressurization. During cooldown present procedures place the RHR system into service at 350 F and 350 psi. The surge volume in the pressurizer and the relief valve are available for overpressure protection of the RHR system if the OMS is not available. However, to provide protection for the RHR system, the staff recom-mended in its topic evaluation, forwarded by letter dated November 12, 1982, San Onofre 1 SEP 4-25

that Technical Specifications should be provided so that the OMS will be operable when the RHR system is in operation. At present, no Technical Specification on the OMS have been implemented. Revised proposed Technical Specifications, including the temperature / pressure conditions when the OMS is to be operable, are scheduled to be submitted by 4.22 Topic VI-1, Organic Materials and Postaccident Chemistry 10 CFR 50 (GDC 1, 4, 14, 31, 35, and 41 and Appendix B), as implemented by SRP Sections 6.1.1 and 6.1.2 and Regulatory Guide 1.54, requires, in part, that structures, systems, and components important to safety be designed to accommo-date the effects of and be compatible with the environmental conditions associ-ated with normal operating and postulated accident conditions. In particular, paints and organic materials used inside containment should not adversely 

         ~

affect the functions of the engineered safety features. The safety objective of this topic is to ensure that protective coatings inside the containment do not consist of material (such as cellulose, hydrocarbons, or chlorides) that could decompose in radiation environments, create a hazardous hydrogen rich environment, or cause material failures. The staff in its topic evaluation, therefore, recommended that the licensee commit to a periodic inspection and repair program. By letter dated March 30, 1984, the licensee submitted the results of the inspection of the containment coatings that was performed during the current outage as well as plans for future inspections and repair. On the basis of the inspection, the licensee committed to the following paint repairs before plant startup: (1) Touch up reactor coolant pumps, containment hatch door, and heating, ventilation, and air conditioning (HVAC) recirculation fans. (2) Repair coatings on some piping with salt and pepper rusting and on piping where coating was applied over mill varnish. (3) Repair coating on exterior surface of HVAC equipment where delamination may have occurred. 

 'The licensee-also agreed to develop a program to perform future periodic inspections of the containment coatings at intervals to coincide with contain-ment type A testing. This will result in a frequency comparable to the staff recommendation of once every 3 years. Therefore, the staff finds this commit-ment acceptable. The licensee will submit the details of the inspection program by               .

4.23 Topic VI-4, Containment Isolation System 10 CFR 50 (GDC 54, 55, 56, and 57), as implemented by SRP Section 6.2.4 and Regulatory Guides 1.11 and 1.141, requires isolation provisions for the lines penetrating the primary containment to maintain an essentially leaktight barrier against the uncontrolled release of radioactivity to the environment. San Onofre 1 SEP 4-26 L

i 

                   .Under Topic VI-4, the containment isolation system is reviewed. This includes a reexamination of the penetrations for compliance with GDC 54 through 57 as well as a review of the electrical, instrumentation, and control design.                                                                                                          The results of this review,-including identified differences from criteria, are discussed below.

The results of the' limited PRA for this topic showed that differences in the existing isolation provisions are of low importance to risk because the absolute failure probability of the penetrations of concern were small in comparison with the overall containment failure probability. However, the PRA did not consider the potential benefits that could be derived by mitigating leakage for non-core-melt accidents nor did it consider the detailed failure modes of " closed systems." 4.23.1 Electrical Aspects The scope of.the review and evaluation performed under Multiplant Generic Activity B-24 and Office of Inspection and Enforcement (IE) Bulletin 80-06, 

                    " Engineered Safety Feature (ESF) Reset Controls," encompasses the electrical aspects of this topic.                                    Staff evaluations on the electrical issues associated with containment isolation were issued on February 17 and December 6, 1982.

Specific issues raised in those evaluations are discussed below. 4.23.1.1 Purge Lines As part of the review of Generic Issue B-24, the staff concluded that maintaining the purge line isolation valves closed during modes 1 through 4 would preclude release of radioactivity through these lines should a loss-of-coolant accident occur. The licensee submitted a proposed Technical; Specification change on September 9, 1983, that would require a valve in each purge line to be locked closed during modes 1 through 4. The staff issued License Amendment No. 71 on February 17, 1984, to implement this requirement. This issue is therefore resolved. 4.23.1.2 Key Control and Control Panel Access Procedures for Sequencer Doors In the December 6, 1982, topic evaluation, the staff found that the sequencer test switches were not the spring-loaded type that automatically return to the non-test position. Therefore, it was possible that both sequencers could be placed in the test mode at the same time. A common annunciator for " Sequencer in Test" is provided for both sequencers and thus would not show that both sequencers were in the test mode. Although administrative controls have been established to prevent this, no physical features have been provided to augment these controls as recommended by staff guidelines. As discussed in the licensee's Nosember 22, 1982, submittal, each of the sequencer test panels has a lockable door with an indicator light. The test procedures will be revised to require that only"one door light be on when the " Sequencer in Test" annunciator is lit. The control panel access procedures in conjunction with the " door open" control panel lights for the sequencer doors will provide added assurance that both sequencers are not in the test mode at the same time. San Onofre 1 SEP 4-27

As discussed in the licensee's January 19, 1984, letter, the necessary procedures will be implemented before resumption of power from the next refueling outage. The staff finds this acceptable and considers this issue to be resolved. 4.23.1.3 Redesign of BLOCK SIAS Annunciator Window In the December 6, 1982, safety evaluation, the staff concluded that the annun-ciator for blocking the safety injection actuation signal (SIAS) should be modi-fied to clarify the effects of blocking the signal. This modification entails redesigning the BLOCK SIAS annunciator window to indicate that when the SIAS is blocked, the' containment spray signal and the-SIAS inputs to the containment isolation signal are also blockad. Implementation of this modification does not entail physical changes to the present operating configurations, and, there-fore, the degree of safety will not be significantly enhanced. Furthermore, I during normal plant cooldown, the automatic SIAS is manually blocked to prevent inadvertent actuation of safety injection. An RCS pressure bistable element generates an alarm (Alert to BLOCK SIAS) at 1,750 psig to advise the operator that the SIAS should be manually blocked before pressure is reduced as part of the cooldown. Should safety injection be required after blocking, manual actuation of both injection flow trains is possible by deliberate sequencer actuation via manual initiate pushbuttons located on each sequencer remote sur-veillance panel in the main control room. Automatic reset of the safety injec-tion block circuits will occur at a pressure of 1,900 psig in the pressurizer as the system is being brought to operating conditions. At that time, the safety injection block permissive indication will extinguish, indicating that the permissives have been reestablished. In regard to the impacted containment spray, actuation can be initiated as required by manually starting the refueling water pump and opening the appro-priate valves. 

   -The containment spray system is actuated on a two out-of-three high containment pressure signal and initiation of the SIAS. In the event the sequencer is' reset before the receipt of the two-out-of-three signal (reset 8 LOCK SIAS) initiation of containment spray could be defeated. The containment spray actuation cir-cuitry has been modified to include a seal-in relay contact to seal in the SIAS.

Therefore, reset of the sequencer will not defeat the actuation of the contai-nment spray system. The' sealing of the SIAS is released on reset of the con-tainment spray actuation signal. On the basis of the information provided above, the blocking of the automatic initiation of more than one engineered safety feature (ESF) occurs only when operating modes are changed, at which time this configuration is~ desirable. The benefit gained by implementation of the annunciator modification is' limited to additional information annunciated on the permissive display panel. Since operation of the SIAS block switch is an integral part of normal plant cooldown and part of routine operating procedures, reactor operators receive training to ensure familiarity with system operation. This familiarity includes operator awareness of the additional impacted ESFs and the procedures necessary to initiate those systems, should actuation be required. The current operator training program provides adequate information on the system interaction, and implementation of the proposed modification will not significantly enhance oper-ator awareness. Therefore, implementation of the proposed annunciator modifi-cation will not significantly enhance safety. Furthermore, this modification San Onofre 1 SEP 4-28

I t 

                                                                       ,         6 does not entail changes in system operation. For'these reasons, this modifica-tion is not warranted and the staff considers this issue to be resolved.

4.23.1.4 Automatic Loading of Diesel Generator Radiator Fans 

 - The staff in the topic evaluation concluded that the fans that provide cooling for the diesel generators should be automatically loaded on a safety bus when the diesel generators start. The staff concluded that the diesel generator
 ~ could be running without adequate cooling capability and thus might overheat.

In a letter dated January 19, 1984, the licensee. stated that the diesel generators will start. coincident with-a safety injection actuation signal (SIAS), loss of offsite power (LOP), or SIAS/ LOP. In the event of an SIAS, the diesel generators will start and the diesel generator radiator fans will be loaded automatically on the safety bus, which is powered by offsite power. In the event of an LOP, the diesel generators will start but will initially run with zero load. In this situation, the initial operator action is to attempt to regain power from the switchyard. If power cannot be regained from the switchyard, the buses will be manually loaded on the running diesel generators, at which time, opera-tion of the radiator fans will be initiated. In the event of an SIAS/ LOP, the diesel generators will start and be automatically loaded. Once the diesel generators have reached full speed and voltage (approximately 10 sec after the event), the sequencer will cause the diesel generator circuit breaker to close, thereby energizing the buses that supply power to the radiator fans. Therefore, the fans will start 10 sec after the diesel generators for the SIAS/ LOP event. Thus, initiation of the diesel generator radiator fans by loading the bus requires operator action only in the event of an LOP. Approximately 30 min are available to initiate fan cooling for the diesel generators running at no load before the diesel generators start to overheat. , The staff also notes that station operating instructions for loss of offsite power explicitly state the need for restoring cooling to the diesel generator in this time period. On the basis of the above discussion, the staff concludes that adequate time is available for operator action when it is needed, and, therefore, no modifications are warranted. The staff considers this issue to be resolved. 4.23.1.5 Override Capability for Reactor Coolant Sample Line Isolation Valves This issue is discussed in Section 4.23.2. 4.23.2 Valve Actuation 

 -The following penetrations were identified as having remote manual valves inside c9ntainment as isolation valves instead of automatic isolation valves as required by GDC 55 and 56:

Line Penetration Valve numbers Pressurizer sample 46 CV951, 953 (inside); CV992 (outside) Reactor coolant loop samples 47 CV955, 956 (inside); SV3302 (outside) San Onofre 1 SEP 4-29

Line Penetration Valve numbers Residual heat exchanger sample 48 CV962 (inside); CV957 (outside) Pressurizer relief tank gas sample 49 CV948 (inside); CV949 (outside) The isolation configuration for these 3/8-in. sample lines consists of a normally closed remote manual valve (inside) in series with an automatic valve (outside). All of the valves are normally closed except when samples are being taken. The automatic valves have a common override switch so that samples can be taken even if a containment isolation signal is present. The override does not result in automatic reopening of any valve. In regard to the manual override of the automatic isolation valves outside containment, Section II-E.4.2 of NUREG-0737 states that reopening of contain-ment isolation valves shall require deliberate action. This requirement is satisfied by the fact that two actions are required to open each line: one action to override the containment isolation signal and one action to open the valve. Providing modifications to these penetration lines to meet the explicit provisions of GDC 55 and 56 would not significantly improve the capability to isolate these lines. On the basis of the above considerations, the staff concluded that these lines have adequate isolation provisions and no modifications are warranted. Accord-ingly, this issue is considered to be resolved. 4.23.3 Valve Type The staff in the topic evaluation noted that the following penetrations have check valves outside containment as isolation valves instead of automatic isolation valves as required by GDC 55, 56, or 57: Line Penetration Instrument air header 13 Steam generator feedwater supply 7 Steam generator feedwater supply , 8 Steam generator feedwater supply 9 Penetration 13 has check valves both inside and outside containment as well as a pressure-regulated valve outside containment. The pressure-regulated valve closes automatically when supply pressure drops below 60 psig. This is higher thaq the peak accident design pressure. The valve will be automatically closed whenever the air supply pressure'will not ensure positive inflow to containment. The check valve also provides isolation for this nli-in. line. The staff concludes that this valving arrangement provides adequate isolation capability and, therefore, no modifications are warranted. The configuration of the feedwater lines was identified as a difference from current criteria because the boundary classification change (safety-related/ non-safety-related) occurred at the check valve. However, the check valve is backed up by both a flow control valve and an MOV on the main feedwater lines San Onofre 1 SEP 4-30 t

and by a flow control valve on the bypass line. These valves are automatically closed on receipt of a safety injection actuation signal. Therefore, the staff concludes that this valving configuration provides adequate isolation for these lines. The -in. chemical feed lines connect to the main feedwater lines on the con-tainment side of the check valve. Therefore, these lines are part of the isolation boundary. A check valve serves as the isolation valve. The staff has concluded in previous' risk assessments for other SEP plants that replacing ' the check valve with an automatic isolation valve would not significantly improve isolation reliability. Also, the potential leakage through such a small line, even if the valve were to catastrophically fail, is a negligible contributor to containment release. Therefore, the staff finds this valving arrangement acceptable and considers this issue to be resolved. 4.23.4 Valve Location The following penetrations have both isolation valves outside containment instead of one inside and one outside, as required by either GDC 55 or 56: Line Penetration Containment sphere purge air 15 Containment sphere exhaust air 16 One valve in each line is maintained locked closed whenever the plant is in operation. The relative benefits of one valve inside and one valve outside rather than two valves outside containment have been evaluated in other SEP integrated assessments, and the conclusion was that little improvement could be shown in moving a valve inside containment. This is because the probability of failure of both valves was greater than the probability of failure of the pipe between the containment and first isolation valve. These lines are also included within the scope of systems being evaluated under Topic III-6 for their seismic integrity (see Section 4.11). Because of the minimum improvement in containment isolation capability and low importance of containment leakage to overall risk, corrective modifications are not recommended. The staff considers this issue to be resolved. 4.23.5 Isolation of Closed Systems The following penetrations are lines that either enter or leave the containment sphere but are not open to the sphere free volume or the outside atmosphere. They are not provided with either automatic, remote manual, or locked-closed isolation valves as required by GDC 57. Line Penetration Component cooling water supply and 29 through 41 return These lines are equipped with local manual valves o~i,ide containment and, in some cases, check valves inside containment. San Onofre 1 SEP 4-31

The component cooling water (CCW) system is normally always in operation and provides postaccident functions. Thus, these lines will be pressurized when isolation is required. The CCW system is hydrotested each refueling outage to check for leakage. The CCW system is within the scope of systems for which seismic reevaluation and upgrading is continuing (see Section 4.11). The CCW lines inside containment are evaluated as potential targets for pipe break effects (see Section 4.9). On the basis of system use, the seismic reevaluation, and pipe break considerations, the staff concludes that adding remote manual or automatic isolation valves to these lines is not warranted. However, it is the staff position that the licensee develop procedures that would identify when these valves need to be closed to ensure containment integrity (e.g., when the system is depressurized or there is a break in the CCW system). Also, the licensee should include these valves in the system hydro test or justify their exclusior.. 4.23.6 Isolation of Air Handling Unit Cooling Lines The following penetrations are lines that enter or leave the containment sphere but are not open to the sphere free volume or the outside atmosphere. GDC 57 requires at least one isolation valve that is either automatic, locked closed, or capable of remots manual operation. Line Penetration Cooling water to air handling 4,5,6 units The licensee has indicated that lines 4, 5, and 6 are part of an essential closed system inside containment. Isolation provisions for each of these penetrations consist of a single remote manual isolation valve located outside containment. This arrangement satisfies the requirements of GDC 57. However, for GDC 57 to apply, the closed system inside containment should be of safety grade design. These lines are designated seismic Category A and are being evaluated under Topic III-6. Protection from pipe break effects is being considered under Topic-III-5.A. Therefore, subject to resolution of these topics, this issue is considered to be complete. 4.23.7 Isolation of Branch Lines The following penetrations have branch lines outside containment between the isolation valve and the containment, with open manual valves as containment ioslation valves: Line Penetration Refueling water 1, 2 Main steam 54, 55 4.23.7.1 Refueling Water Lines Line 1 (refueling water supply) branches into four parallel lines inside con-tainment; one parallel line is provided with a normally closed manual valve, San Onofre 1 SEP 4-32

i and the other three are each provided with a remote manual valve. Since line 1 has a postaccident safety function, namely, containment spray, automatic isola-tion of this line is not appropriate, and the use of remote manual valves in-side containment is acceptable. Outside containment, line 1 branches into main parallel lines, which have check valves, and into several smaller branch lines. With respect to the isolation valves outside containment, GDC 56 specifies that simple check valves are not s'ultable automatic isolation valves. However, the staff has determined that the use of a simple check valve outside containment is acceptable for the reasons stated in Section 4.23.3. A further consideration with respect to line 1 is that several instrument, test connection, and branch lines connect to this line, downstream (containment side) of the specified containment isolation valves outside containment. Valves on these connections are normally closed. The staff has reviewed the isolation provisions for this penetration and its associated branch lines and has determined that there is reasonable assurance that isolation will be provided if needed. Therefore, the staff finds these valving arrangements acceptable if appropriate administrative controls and/or physical locking devices are provided to ensure these connections are locked closed during operation. The licensee will evaluate and implement these actions by . Line 2 (refueling water return line) branches into four lines inside contain-ment, namely, two recirculation lines from the containment sphere sump, a bypass line from the containment sphere spray header, and the reactor refueling cavity drain line. The latter two lines are isolated from the refueling water return line during reactor operating modes 1 through 4, with single, or two series, closed local manual valves. Under accident conditions, the safety function of the refueling water return line is to recirculate the sump water for the recirculation mode of emergency core cooling and containment spray. Since there is only a single line penetrating cuntainment, and because of its safety function, containment isolation valves, per se, are not provided. There are numerous system valves to ensure that a single active failure of a component will not jcopardize the system safety function. If necessary, however, these valves can be closed to effectively isolate the containment. A further consider-ation is that the associated systems are engineered safety features and become extensions of the containment boundary; consequently, they constitute an appro-priate isolation barrier. However, it is the staff's position that the licensee should develop procedures to identify when these valves should be closed to ensure containment integrity (e.g., when they are depressurized or out of service, or there is a break in the line). The licensee will evaluate and implement these actions by . Therefore, the staff finds this design meets GDC 56 on some other defined basis and considers this issue to be resolved. 4.23.7.2 Main Steamlines Lines 54 and 55 are the main steamlines; each line is provided with a main steam isolation valve that is manually operated. These valves do not satisfy the requirements of GDC 57; however, the turbine stop valves and turbine control valves are available to automatically or remote manually isolate the San Onofre 1 SEP 4-33

main steamlines. However, upstream of the turbine stop valves and turbine con-trol valves are numerous branch lines that also would have to satisfy the require-ments of GDC 57. The staff has reviewed the isolation provisions for these branch lines and found their isolation arrangements meet the requirements of GDC 57, with the exception of (1) 1-in. lines to the flash evaporator / air ejector and (2) several 3/4-in. lines to the drain traps. The staff's concern with respect to these lines is the use of normally open local manual valves as iso-lation valves. The main concern in a PWR is for a steamline break that induces a hydraulic transient rupturing steam generator tubes resulting in a radiological release and uncontrolled LOCA outside containment. This scenario would only happen if the pipe were to fall between the steam isolation valve and the stop valve. The failure probability of the steamline is this particular section is low. The evaluation of the radiological consequences of this scenario (see Topic XV-17) has been performed assuming that the steam generator has not been isolated, and the staff found that the consequences were within acceptance criteria. The staff concludes that no modification to the steamlines is warranted; however, the staff recommends that appropriate procedures be developed to isolate these lines when required. The licensee will submit these procedures by . 4.23.8 Spare Penetrations During the topic review adequate information regarding the isolation and leakage testing of the following spare penetrations was not available. Line Penetration Spare penetration 64 through 72 As noted in the June 28, 1983, letter from the licensee, these penetrations are sealed with blind flanges and the penetration design includes provisions for leakage testing. The staff considers this issue resolved. 4.23.9 Air Locks and Hatches During the topic review adequate detailed information was not available regarding the appropriateness of isolation provisions for piping or instrument lines that may penetrate either the personnel air lock, emergency escape lock, or equipment access hatch. The licensee has since indicated that the only penetrations are in the external wall of the air locks. These penetrations are for test purposes. Each has at least one closed manual isolation valve under administrative control. On the basis of this information, the staff finds the provisions for isolation acceptable and considers this issue resolved. 4.24 Topic VI-7.8, Engineered Safety Feature Switchover From Injection to Recirculation Mode (Automatic Emergency Core Cooling System Realignment) 10 CFR 50 (GOC 35), as implemented by Item 19 of SRP Section 6.3 requires, in part, that the complete sequence of emergency core cooling system (ECCS) opera-tion from injection to long-term core cooling (recirculation) should be examined to ensure that minimal manual action is required, and that where manual action is San Onofre 1 SEP 4-34

needed, sufficient time is available for the operator to respond. The current procedures at San Onofre Unit 1 for switchover from injection to recirculation require a large number of operator actions during a short timeframe. Further, as discussed below, the instrumentation provided would not be adequate for an assumed worst-case single failure. Failure to terminate injection flow from the refueling water storage tank (RWST) at the correct time could damage the charging and refueling water pumps so that they could not be used for long-term post-LOCA cooling. l RWST level is monitored by a pneumatic indication channel and by a level switch alarm. This design does not satisfy BTP ICSB 20 (IEEE Std. 279) because of reliance on a single alarm to alert the operator to the need to initiate switchover. l The switchover from injection to recirculation modes is a two part process. At the 21% level in the RWST, the operator should terminate the flow from the main feedwater/ safety injection (FW/SI) pumps. At the 12% level, suction from the sump should be established by the operator. When the RWST level drops to 7%, it should no longer be used as the water supply because of net positive suction head / vortex suppression concerns. Because of the large flow rate from the feedwater pumps, the available time for the operator to perform the switchover is sensitive to the time at which the FW/SI pumps are tripped. If the pumps are not tripped at the 21% level, the level will drop to 7% in approximately 2 min. The licensee has proposed to raise the setpoint for termination of FW/SI flow to 30% tank level and the setpoint for recirculation to 21%. This change would provide more time to complete the switchover. Sump level instruments are also available and could be used to determine when actions should be taken. The only alarm provided is the level alarm (currently at 21%) on the RWST. The results of the limited PRA showed that the present switchover design has a medium risk significance. However, because of the short time periods involved, the staff is concerned that the human error contribution may be high; thus, this issue could have a high risk importance. The results of the limited PRA showed that installation of redundant RWST indicators would reduce the risk by a factor of 7, by reducing the contribution t1 risk from failure of the RWST level indicator. For the case of a fully dutomated switchover mechanism, a total reduction of a factor of 40 is calcu-lated based on eliminating the human error contribution. This analysis assumes the failure probability of the automatic switchover to be negligible. However, a fully automatic switchover also creates the possibility of an inadvertent switchover occurring before there is sufficient water in the sump. The critical aspect in the process is the termination of injection flow at the proper time. If this is done, there is time for the remaining actions to be completed manually. Therefore, the staff recommends that an automatic feature be installed to terminate the FW/SI flow on low RWST level (either at the present 21% level or at a 30% level). Furthermore, a backup to the single RWST level indicator should be provided for determining when the recirculation phase should begin. Sump level instruments could be used as the backup if the correspondence between RWST level and sump level is established and included in emergency procedures and operator training. San Onofre 1 SEP 4-35

4.25 Topic VI-7.C.2, Failure Mode Analysis (Emergency Core Cooling System) 10 CFR 50 (GDC 35), as implemented by SRP Section 6.3, requires, in part, that the systems provided for emergency core cooling be designed with suitable redundancy in components and features to ensure that system safety functions can be accomplished assuming a single failure. Reviews of failure modes were initiated in the mid-1970s. Two studies, one in 1976 (letter dated December 21, 1976) and the other in 1977 (letter dated December 20, 1977), were completed. At San Onofre Unit 1, implementation of selected modifications was deferred to the SEP; interim procedures and system changes were installed pending completion of the SEP. These areas are discussed below. 4.25.1 Redundant Valve For Volume Control Tank Isolation Charging pump suction is normally from the volume control tank (VCT) through MOV/LCV 1100C. Upon a safety injection signal, suction is switched to the refueling water storage tank (RWST). Valve 1100C must close so that hydrogen will not be introduced to the charging pump suction when the VCT empties. Failure of MOV/LCV 1100C to close could damage the charging pumps. In the original design, an automatic transfer switch to transfer to the other power division was included. However, failure of this switch could have resulted in loss of both power sources to the valve so the automatic feature was removed. A manual transfer capability is provided so that the MOV can be powered from either power train. The valve can also be manually closed. In addition, one of the two charging pumps was removed from the equipment automatically started by the sequencers. This pump would then be available for remote manual use in the recirculation mode even if the operating pump were damaged because of failure of the M0V. For the limited PRA the following four configurations were considered: (1) initial design--single valve with auto transfer switch, both charging pumps sequenced (2) present design--single valve, one pump locked out by sequencer, manual action to start it (3) proposed long-term design--two valves in series, both pumps sequenced (4) combination of (2) and (3)--two valves, only one pump automatically sequenced The core-melt frequency for these different cases was evaluated (core melt assumed to occur if charging system fails). The results t;aw that the initial configuration, with a core-melt frequency of 1 x 10-a per year, was of medium significance. Either the present design or the proposed design of two valves reduces this frequency to 1 x 10-9 per year. Case 4 would reduce it still further; however, the event frequency with the existing design (case 2) is so low and is comparable with the proposed design (case 3) that no further modifi-cations are warranted. On the basis of the reliability of the system as cur-rently designed, the staff concludes that no further action is necessary. San Onofre 1 SEP 4-36

4.25.2 Control Power to FCV-11150, E, and F Three flow control valves (FCVs) are used to regulate safety injection flow after the initial full-flow injection phase. These valves are air operated; a failure in the air system could prevent proper operation. The proposed modifi-cation was to provide a redundant source of air with automatic transfer. In the interim, manual transfer to a nitrogen backup was provided. The results of the' limited PRA showed that for the original configuration 

.(i.e., without nitrogen backup), the risk contribution of failure in the air.

system is of medium significance. With an alternate source of control power, with manual transfer to the emergency nitrogen supply (the present configura- 

. tion), the calculated core-melt frequency is 8.8 x 10-7 per year. This is considered to be of low risk significance.

The staff finds this modified configuration acceptable and, thus, no further modifications are warranted. Therefore, the staff considers this issue to be resolved. 4.25.3 Hot-Leg Recirculation As discussed under Topic IX-4, a flushing flow should be provided during.long- . term cost-LOCA recirculation to prevent boron' precipitation. The main hot-leg injection flow path at San Onofre Unit 1 is susceptible to single active failure because there are points where flow passes through a single' valve. An alternate injection flow path was developed by the licensee. With the primary path and the' alternate path, no single active failure of a component or diesel train could prevent hot-leg recirculation. Therefore, the staf f con- 'cludes that the system modification is acceptable and considers this issue to be resolved. 4.25.4 Other Modifications The single-failure studies mentioned above also included evaluations of physical and electrical separation and environmental qualification. The December 20, 1977, study also considered second-order effects, such as flooded equipment shortingLthe power supply. The following recommendations were generated from those studies: (1) Relocate air horn above elevation 4 ft, and provide a dripproof cover. (2) . Provide power-interrupt devices actuated on safety injection system (SIS) operation, or take other corrective action for pumps, valves, and other equipment that may be submerged during a LOCA and that are connected to 

       ' power supplies with a post-LOCA function.

(3) Reroute power cables to provide cable separation for several pumps and 

       -valves including the charging pumps, safety injection pumps, and component cooling water pumps.                                                        ;

(4) Reroute control cables to provide cable separation for pumps and valves including the charging pumps, feedwater pumps, and salt water cooling pumps. San Onofre 1 SEP 4-37

F (5) Arrange vital buses 1, 2, 3, and 4, and the utility bus and associated transfer switches to provide physical separation. Also provide for the physical separation of the input and output cables to those buses. (6) Provide missile barriers between the two charging pumps, the component cooling water pumps, and the two safety injection pumps, or confirm that the probability of missile impact or the energy of such a missile is sufficiently low. (Resolved under Topic III-4.C.) (7) . Provide missile barriers between the RWST and the safety injection pumps and the refueling water pumps, or confirm that the probability of missile impact or the energy of such a missile is sufficiently low. (Resolved under Topic III-4.C.) (8) l'y; ass thermal overload cutout switches for valves MOV 720A and B during 

           $15 conditions. (Resolved in Section 4.15.)
   -(9).~ Pro /ide isolation relays for PIC 1111X and PC605X controllers and LS 54 switch contacts.
(10) Provide separation and isolation for the pressurizer level and pressure j instrumentation in the control room console.

(11) Provide separation and isolation for the bistable output relays associated with the safety injection actuation signal. (12) Rewire station lighting system to eliminate presence of both power trains in a transfer switch. Also, separate emergency lighting to provide a con-nection to each of the dc buses while maintaining circuit independence. l ! (13) Remove 0C1 power from breaker 12C02 on 4,160-V bus 2C and all breakers on 4,160-V bus 18. Isolate the cabling between breaker positions 11C11 on 4,160-V bus 1C and 12C11 on 4,160-V bus 2C. l-(14) Align 480-V SWGR3 to the power associated with 4,160-V bus 2C and remove the DC 1 power from the switchgear. Isolate the cabling between break-er 1103 on 480-V SWGR 1 and breaker 1203 on 480-V SWGR 2. (15) Obtain environmental qualification data, or replace components with qualified units for specified equipment. (Covered by 10 CFR 50.49 Environ-mental Qualification of Electrical Equipment Program.) (16) Modify breaker circuitry for circulating air fans A-10, A-11, and A-12 to ensure they are locked out by the sequencer in the event of an SIS, or modify ducting to eliminate possibility of sucking water into fan units. Some of the above issues generated outside the SEP have been covered under other SEP topics (see notations above) or review programs outside the SEP such as the environmental qualification of electrical equipment. In some cases, other actions, such as the fire protection requirement for installation of a dedicated system for shutdown, with transfer switches, will eliminate the issue. The licensee has committed to evaluate the merits of each unresolved recommenda-tion to determine if modifications are warranted. The staff finds this com-mitment acceptable. The licensee will submit this evaluation together with San Onofre 1 SEP 4-38

recommendations for any necessary modifications by . The staff will report the status and results of the evaluations for these issues in the final IPSAR. 4.26 Topic VI-10.A, Testing of Reactor Trip System and Engineered safety Features, Including Response-Time Testing 10 CFR 50 (GDC 21), as implemented by Regulatory Guide 1.22 and the Westinghouse Standard Technical Specifications (NUREG-0452), requires, in part, that the reactor protection system be designed to permit periodic testing of its func-tioning including a capability to test channels independently. 10 CFR 50.55a(h), as implemented by IEEE Std. 279-1971 and IEEE Std. 338-1977, requires that response-time testing be performed on a periodic basis for plants with construc-tion permits issued after January 1, 1971. During the staff review of this topic, the following issues were identified. 4.26.1 Response-Time Testing of Reactor Protection System In the San Onofre Unit 1 Technical Specifications, the channel response time from channel trip to deenergization of the scram relay is not tested. However, the reactor trip breakers are tested and the rod drop time is measured and must be within specified limits (in the Technical Specifications). These aspects , are also covered by plant procedures. Generic Letter 83-28 also addresses requirements for reactor trip breakers. Several channels (manual, startup rate, safety injection) are not required by the Technical Specifications to be checked, tested, or calibrated. However, station procedures establish testing requirements for these channels at frequen-cies consistent with Standard Technical Specification requirements. Also, these channels are not relied on in the safety analyses for automatic reactor protection. The staff performed a limited PRA of this issue for San Onofre Unit 1 to estimate the improvement if response-time testing of the reactor protection system (RPS) were required. The results of this assessment indicated that response-time test-ing has low safety significance. This occurs because response-time testing is concerned with events on the order of seconds and PRAs have shown that response times of minutes are sufficient, for RPS actuation, to ensure the success of the reactivity control function in time to allow other safety systems to act to prevent core melt. Functional tests, such as those currently performed at San Onofre Unit 1, are sufficient to demonstrate functioning on the order of minutes. Therefore, it is the staff's judgment that response-time testing of the RPS is not required. However, the RPS testing currently covered by plant procedures should be incorporated into the Technical Specifications because of the safety significance of this system. By letter dated March 30, 1984, the licensee agreed to propose a Technical Specification change to incorporate channel testing, checking, and calibration requirements currently specified only by procedure. The licensee should submit this proposed Technical Speci-fication within 90 days following the issuance of the final IPSAR. 1 San Onofre 1 SEP 4-39

4.26.2 Testing of Engineered Safety Features The Technical Specifications contain requirements for surveillance testing (functional tests) of the engineered safety features. As discussed above, modifications to permit response-time testing are not warranted. However, for the containment spray actuation system channels, no limiting conditions for operation, operability, or surveillance requirements are included in the Tech-nical Specifications. A containment spray actuation signal (CSAS) is generated by a safety injection actuation signal (SIAS) (Iow pressurizer pressure, high containment pressure or manual) and high-high containment pressure. While the SIAS channels are covered by Technical Specification requirements, the CSAS logic is not. It is the staff's position that such a Technical Specification should be provided. The licensee should submit this proposed Technical Speci-fication within 90 days following the issuance of the final IPSAR. 4.26.3 Testing of Support Systems The staff in the topic evaluation determined that surveillance requirements are not specified in the Technical Specifications for support systems such as the component cooling water and salt water coo.ing water system. These systems are normally in operation during all plant modes although the required loads will va ry. By plant procedures, these systems are included in the inservice testing program. As required in this program, pumps are tested monthly and valves, in general, are stroked quarterly. One train of the component cooling water and salt water cooling systems is normally in operation; the operating train is rotated weekly. Valve alignment check lists are established for these systems, and positions are periodically verified according to station procedures. The frequency of valve position verification is equivalent to that required in the Standard Technical Specifications. Limiting conditions for operation in the Technical Specifications related to decay heat removal redundancy require the following: (1) In modes 1 and 2, two component cooling water pumps and two salt water cooling water pumps are required to be operable. (2) In modes 5 and 6, residual heat removal (RiiR) trains are required to be operable. Included in the definition of an RiiR train are its associated component cooling and salt water cooling components. The surveillance requirements include weekly verification of breaker alignment and power availability. These systems are used routinely during plant opera-tion and the surveillance requirements are equivalent to Technical Specifica-tion survelliance requirements. For these reasons, the staff concludes that adequate assurance of system operability is provided so that further Technical Specification modifications to establish surveillance requirements are not necessary. The staff considers this issue to be resolved. 4.27 Topic VII-1.A, Isolation of Reactor Protection System From Nonsafety Systems, Including Qualification of Isolation Devices 10 CFR 50.55a(h), through IEEE Std. 279-1971, requires, in part, that safety signals be isolated from nonsafety signals and that no credible failure at the San Onofre 1 SEP 4-40

output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design basis. The staff in the topic evaluation concluded that the isolation of the RPS channels does not meet current acceptance criteria. The signals from the high neutron flux level, pressurizer pressure, pressurizer level, startup rate, and steam-to-feedwater-flow mismatch monitoring sensors are not isolated from the process recorders and remote meters. In addition, there is no isolation l between the nuclear instrumentation for startup rate and the data logger or l between the steam-to-feedwater-flow mismatch system and the Optimac computer l which controls steam g-anerator flow and level. l A limited topic PRA was performed assuming that if any fault occurred in an l unisolated recorder or controller, it would fall all the associated sensor i channels. This evaluation concluded that failures of the RPS as a result of l a lack of isolation did not contribute to the overall RPS failure rate. l According to NUREG-0460, the common mode failure of control rods to insert  : ! results in a scram failure frequency of about 3 x 10-5 per demand based on actual operating experience. This failure mode will not be reduced by quall-fled isolation devices. The results of the limited PRA showed that the failure . probability of the RPS due to failure combinations that contain unisolated I faults in nonsafety systems is about 10-0 to 10-8"; therefore, this issue , was considered to be of low risk significance. ' The licensee agreed to evaluate the isolation between the RPS channels to deter-mine if the protection function of these channels is adequate. This evaluation was provided by letter dated March 30, 1984, with supplemental information provided in a letter dated August 21, 1984a. The RPS channels evaluated by the licensee are discussed below. 4.27.1 Remote Meters and Recorders The staff topic evaluation, forwarded by letter dated September 9, 1981, indi-cated that there is no isolation between the reactor protection system and remote meters and recorders. As a result, the staff was concerned that a short circuit in the recorders or cables associated with these devices may interfere with the proper functioning of the safety equipment. In addition, the staff was con-corned with the consequences of a failure in the recorder transfer switch that might interconnect redundant channels. In a safety analysis dated March 30, 1984, the licensee stated that reliance was placed on the separation and independence of the redundant safety channels. In a response dated August 21, 1984a, the licensee identified the transfer switch as a Westinghouse W-2. This switch is used extensively in nuclear power plant safety applications and is seismically and environmentally qualified. Its use in this application is acceptable as long as the wiring meets accept-ance criteria. Appendix R concerns (Topic IX-6) have been resolved by the licensee's commitment to provide new instrumentation and controls at a new remote shutdown panel. Thus, the concern with regard to the effects of wiring failures in the control l panels and racks on safe shutdown is resolved. San Onofre 1 SEP 4-41

In the March 30, 1984, letter the licensee also stated that current limiting resistors are used in the recorder circuits. The resultant current caused by a recorder chart drive motor to pen motor short circuit would add or sub-tract, in the worst case, 25% of the signal from the affected circuit. This may inhibit the protective action of that channel but will not propogate to other channels. Accordingly, this issue is resolved. 4.27.2 Data Logger The staff SER forwarded by letter dated February 10, 1983, noted that the data logger is not isolated from the nuclear instrumentation system. The licensee's response dated March 30, 1984, Indicated that a 91,000-ohm resistor network be-tween the data logger and the nuclear instrumentation provides sufficient iso-lation. The resultant current represents approximately a 5% change in signal level and approaches the worst-case error expected in such instrumentation. The licensee also argues that the staff PRA shows that failure of such isolation schemes has little (1 x 109 0 per reactor year) effect on core-melt probability. The staff has concluded that improving the nuclear instrumentation does not provide a significant improvement in the reliability of the system and is, therefore, not warranted. The staff considers this issue to be resolved. 4.27.3 Feedwater Control The staff SER also noted that there is no isolation between the steam-to-feedwater flow mismatch channels and the feedwater controls. The licensee has presented arguments for accepting this design that are similar to those that were made in the case of the remote meters and recorders (i.e., redundancy of channels, same quality standards). The staff agrees and, therefore, does not recommend modifications to this design either. In addition, the consequences of failure of the feedwater control, either from an increase or decrease in feedwater demand, have been considered and resolved under Topics XV-1 and XV-5. Therefore, the staff considers this issue to be resolved. 4.28 Topic VII-3, Systems Required for Safe Shutdown 4.28.1 Component Cooling Water Surge Tank Level and Instrumentation 10 CFR 50 (GDC 13), as implemented by SRP Section 7.4, Regulatory Guide 1.53, and IEEE Std. 279-1971, requires that the instrumentation necessary for reaching and maintaining cold shutdown conditions meet the single-failure criterion. The component cooling water (CCW) surge tank level is measured by a single transmitter with indication and alarms provided in the control room. This does not satisfy Section 4.20 of IEEE Std. 279-1971. A local sight gauge is provided on the tank, which is checked once per shift. The surge tank level is an important parameter because it gives an anticipatory indication of possible CCW loss of water, which could lead to loss of the system function. Failure of the existing single sensor in the "high" condition could give an erroneous and misleading indication to the operator if the surge tank level was low. The operator might not detect a low CCW surge tank level San Onofre 1 SEP 4-42

under this condition in sufficient time to correct a problem in the CCW system. , Failure of the CCW system could affect the ability to shut down the plant. It  ! is noted, however, that the plant can be maintained in a hot standby condition,  ! removing decay heat through the steam generators, without reliance on the CCW  ; system. ' The limited PRA found this issue to be of low ri:k significance relative to frequency of initiation of small LOCAs from reactor coolant pump seal failures. Since (1) the plant can be safely maintained at hot shutdown for a time suf-l ficient to repair the failed CCW system, (2) the surge tank level can be read locally, and (3) the risk significance of this issue is low, the staff con-l cludes that no backfitting is necessary. This issue is considered to be l resolved. i l 4.28.2 Adequate Seismic Category I Water Supply for the Auxiliary Feedwater System 10 CFR 50 (GDC 2 and 34), as implemented by SRP Section 5.4.7, BTP RSB 5-1, ' and Regulatory Guide 1.139, requires, in part, that the seismic Category I water supply for auxiliary feedwater have sufficient inventory to permit , operation at bot shutdown for 4 hours followed by cooldown to conditions permitting initiation of residual heat removal. The inventory is based on the cooldown time assuming a single active failure and the availability of only onsite or only offsite power. During the topic review, the staff concluded that sufficient safety grade water was not maintained in a seismically qualified tank (s) to perform this function. The licensee has since installed a new tank of condensate water for auxiliary feedwater which is seismic Category I. The tank capacity is 240,000 gal. In i Amendment 82, issued on October 24, 1984, the staff approved Technical Speciff-cations for the revised auxiliary feedwater system design including survell-lance requirements for the new tank (150,000 gal required for operability). This volume is sufficient to perform a cooldown in accordance with BfP RSB 5-I. The staff finds this acceptable and therefore considers this issue resolved. 4.28.3 TMI Task Action Plan Item II.E.1.1, " Auxiliary feedwater System Evaluation" 10 CFR 50 (GDC 2 and 34), as implemented by SRP Section 10.4.9, requires, in part, that the auxiliary feedsater system be capable of performing its safety functions when required. The staff in the topic evaluation noted that a single (passive) failure of the common suction line from the condensate storage tank to the auxiliary feedwater pumps could disable the auxiliary feedwater system. Also as part of the Bulletins and Orders Task Force response to the Three Mlle Island (TMI) event, the reliability of auxiliary feedwater at all plants was reevaluated and recommendations for corrective actions developed. Thesu recommendations were incorporated into THI Item !!.E.1.1. l Recommendation GL-2 of TMI Task Action Plan Item II.E.1.1 recommended t. hat ' i Ilcensees install a redundant flow path (piping and valves) for auxiliary San Onofre 1 SEP 4-43 ' I

feedwater (AFW) supply. As part of the seismic upgrades, redundant parallel suction paths from the new AFW storage tank have been installed. The corres-ponding Technical Specifications have been issued as discussed in Section 4.28.2. Recommendation GL-4 of Item II.E.1.1 relates to unprotected normal AFW supply and the need to provide some means of protection. The new AFW storage tank is seismically qualified. Tornado protection is being evaluated as discussed in Section 4.8. To satisfy Recommendation GL-5, the licensee has proposed to install a third AFW pump, which would be electrically powered. The implementation of this item will be scheduled in accordance with the licensee's proposed integrated , living schedule for managing plant backfits. Two other aspects of item II.E.1.1 were referred to the SEP integrated assess-ment for resolution. These items are: (1) The AFW system should be reevaluated with respect to internally and externally generated missiles, pipe whip, jet impingement, quality and seismic design requirements, and the effects of earthquakes, tornados and floods. These concerns are addressed in the context of the resolution of various SEP topic reviews: Topic III-1 (quality), Topic III-2 (wind and tornados), Topics I!!-5.A/B (pipe break), Topic III-6 (seismic), and so forth. (2) The San Onofre Unit I design does not have the capability to automatically terminate AFW flow to a depressurized steam generator and provide flow to an intact steam generator in the event of a steam- or feedwater-If ne break. In fact, for some breaks, all three steam generators will be depressurized. As part of the topic review for Topics XV-2 (steamline break) and XV-6 (feedwater-line break), the San Onofre Unit I design of the main steam and AFW system was evaluated. Operator action is assumed to control AFW flow. Therefore, this issua is covered under these topic reviews. 4.29 Topic VIII-1.A. Potential Equipment Failures Associated With Degraded Grid Voltage 10 CFR 50 (GDC 17) requires an onsite and offsite electric power system to provide functionin0 of systems and components important to safety. The purpose of this topic is to ensure that a degradation of the offsite power system will not result in the loss of capability of redundant safety-related equipment and to determine the susceptibility of such eaufpment to the interaction of onsite and of(site emergency power sources. The topic of degraded grid voltage is being evaluated generically through Multiplant Actions (MPAs) B-23, " Degraded Grid Voltage Protection for Class IE Power Systems," and B-48, " Adequacy of Station Electrical Olstribution Voltages." The purpose of MPA B-23 is to determine the grid characteristics and to provide a suitable system to isolate the plant from the grid in the event of grid volta 0e degradation. The purpose of MPA B-48 is to determine the minimum San Onofre 1 SEP 4-44

acceptable bus conditions that will then define the setpoint for the degraded grid protection system. The staff's SER for MPA 8-23 for San Onofre Unit 1 was forwarded to the licensee by letter dated June 23, 1982. In that letter, the staff found the licensee-proposed modifications and Technical Specification changes acceptable. These modifications consisted of replacing the existing relays with coincidence logic and corresponding Technical Specifications for limiting conditions for operation and surveillance requirements. The schedule for implementation will be determined in accordance with the licensee's integrated living schedule. The staff's SER for MPA B-48 for San Onofre Unit I was issued by letter dated July 29, 1983. The licensee committed to perform a study to determine the optimized tap settings for the auxiliary transformer. The tap settings were modified before plant restart. The licensee in a letter dated December 20, 1984, submitted the study results. A voltage monitoring program to verify the results of the analysis is currently being conducted, and the results will be submitted shortly. The staff finds this commitment acceptable. This analysis and program will be evaluated by the staff and will be discussed in the final IPSAR. . 4.30 Topic VIII-3.B, DC Power System Bus Voltage Monitoring and Annunciation 10 CFR 50.55a(h), as implemented by IEEE Std. 279-1971, and 10 CFR 50 (GDC 2, 4, 5, 17, 18, and 19), as implemented by SRP Section 8.3.2, Regulatory Guides 1.6, 1.32, 1.47, 1.75, 1.118, and 1.29, and BTP ICSB-21, require, in part, that the control room operator be given timely indication of the status of the batteries and their availability under accident conditions. To ensure the design adequacy of the de power system battery and bus voltage monitoring and annunciation schemes so that the operator can (1) prevent the loss of an emergency dc bus or (2) take timely corrective action in the event of loss of an emergency de bus. IEEE Std. 279-1971, Section 4.20, requires that the " system shall be designed to provide the operator with accurate, complete, and timely information pertinent to its own status and to generating station safety. The design shall minimize the development of conditions which would cause meters, annunciators, recorders, alarms, etc. to give anomalous indications confusing to the operator." GDC 17 requires that an onsite electric power system and an of fsite electric power system shall be provided to permit functioning of structures, systems and components important to safety. The staff reviewed the de power system battery, battery charger, and bus voltage monitoring and annunciation design with respect to de power system operability status indication to the operator. More specifically, in the topic evaluation, the staff had proposed that, as a minimum, the following indications and alarms should be provided in the control room for the de power systems: l (1) battery current (ammeter - charge / discharge) l (2) battery discharge rate high alarm i (3) battery breaker or fuse open alarm (4) dc bus voltage (voltmeter) I San Onofre 1 SEP 4-45 l t

(5) de bus undervoltage/overvoltage alarm (6) de bus ground alarm (for ungrounded systems) (7) battery charger output current (ammeter) (8) battery charger breaker or fuse open alarm At San Onofre Unit 1, the de power systems consist of 125-V dc systems Nos. 1 l and 2 and the uninterruptible power supply (UPS) for safety injection valve MOV 850C. The staff in the topic evaluation concluded that there was no indication of battery current, charger current, dc bus voltage, or breaker / fuse status in the control room. The limited PRA performed for this topic assumed that with the present design, unannunciated faults are not detected until battery tests are performed each l refueling outage. With the additional annunciators, it was assumed that only half of the battery faults are assumed to be detected. Under these assump-tions, it was concluded that the unavailability of a 125-V dc bus could be reduced by a factor of 4. Because of the arrangement of de power supplies at San Onofre Unit 1 in which both dc buses can be powered either from a battery or from either diesel generator, this issue was considered to be of medium risk significance. For the UPS, the risk significance is, negligible because it affects only one valve in the safety injection system and the risk significance of that valve failure is dominated by mechanical failures. l In a letter dated March 30, 1984, the licensee responded to the staff SER with an analysis of the existing instrumentation. In Table 2 of that discussion, the licensee noted that indication of breaker / fuse status is provided in the control rcom and a low voltage alarm is also provided in the control room. In addition, the licensee has stated that the alarms available in the control room when used in conjunction with local instrumentation and periodic testing pro-vide a suitable alternative to providing additional instrumentation. Past staff practice has been to require a battery current monitor. However, research by Yankee Atomic Electric Company (letter dated April 13, 1983, on SEP Topic VIII-3.B) indicates that a suitable sensitive current monitor is not commercially available. Currently available equipment that has the required range of current (from trickle charge to peak rated discharge) does not have the accuracy and precision necessary. The use of multiple instruments requires a switching system that could introduce a potential high resistance failure l that is more probable (because of operator error) than the current design presents. Other methods to verify the battery is connected to the bus are the use of breaker and fuse status alarms or battery voltage monitoring and, to ensure that a high resistance does not develop because of corrosion or metal creep, a periodic inspection program. The licensee has detailed an acceptable inspection program, which is included in the plant Technical Specifications. The use of control room alarms to call the operators' attention to local battery meters is an acceptable alternative to providing additional monitoring in the control room. Accordingly, the staff has concluded that no modifications are warranted and that this topic has been resolved. San Onofre 1 SEP 4-46

4.31 Topic VIII-4, Electrical Penetrations of Reactor Containment 10 CFR 50 (GDC 50), as implemented by Regulatory Guide 1.63 and IEEE Std. 317-1972, requires, in part, that penetrations be designed so that the containment structure can accommodate, without exceeding the design leakage rate, the cal-culated pressure, temperature, and other environmental conditions resulting from any loss-of-coolant accident (LOCA). As a result of its review, the staff has concluded that with a LOCA environment inside containment, the low voltage ac and de penetrations do not comply with IEEE Std. 317-1972, Paragraphs 4.2.4 and 4.2.5, and Regulatory Guide 1.63, Paragraph C1, regardless of the initial assumed temperature, because the operating time of the backup circuit breaker is excessive. Excessive time l delay in the backup circuit breaker could allow fault currents to exist longer, which could cause excessive heating and consequent damage to the containment penetrations. Under this condition, the integrity of the containment could be compromised. Consequently, low voltage ac penetration and de penetration seal design tempera-tures would be exceeded in the event of a LOCA and failure of the primary pro-tective circuit breaker. The seal outside containment is at a lower temperature than the seal inside, which is exposed to the LOCA environment. The penetration assemblies are tested by pressurizing the space between the inner and outer seals monthly. The limited PRA showed that the failure probability of containment integrity as a result of failure of low voltage electrical penetrations is several orders of magnitude smaller than other contributors to containment failure. Thus, this issue is rated low from a risk point of view. On the basis of monthly penetra-tion assembly testing, the staff concludes that modifications to the penetrations are not warranted. The staff considers this issue to be resolved. 4.32 Topic IX-3, Station Service and Cooling Water Systems 10 CFR 50 (GDC 44, 45, and 46), as implemented by SRP Sections 9.2.1 and 9.2.2, requires that a cooling water system be provided, inspected, and tested and that the system be capable of transferring heat from structures, systems, and components important to safety to the ultimate heat sink. The staff in the topic evaluation concluded that the design of the service and cooling water system is adequate, except for the following. 4.32.1 Component Cooling Water System Temperature Design Limits During the review of this topic, the IIcensee by letter dated November 2, 1981, provided the results of an analysis that indicated that the temperature at the component cooling water (CCW) heat exchanger could reach 227'f. This is 27F" more than the design temperature of 200'F. Therefore, the staff requested that the licensee either (1) demonstrate that this design temperature exceedance would not result in damage to the CCW system or the equipment it serves or (2) provide corrective measures, in a response dated January 19, 1984, the ifconsee quantified the conservatisms of the earlier analysis and estimated that the CCW system would not exceed design conditions with a more realistic analysis. The licensee performed San Onofre 1 SEP 4-47

scoping calculations to evaluate the heat removal capability of the CCW system considering various equipment configurations as part of the evaluation of Topic V-10.B (see staff SER forwarded by letter dated November 12, 1982). On the basis of these calculations, the staff determined that the CCW system is ade-quately designed to remove energy from the primary coolant system and other supporting components without exceeding design conditions. Therefore, the staff agrees with the licensee's assessment and concludes that no additional action is required. This issue is resolved. 4.32.2 Independence of Component Cooling Water System Valves CV-737A and CV-7378 During the review of this topic, the staff found that sufficient information was not available to verify the full independence, (i.e., physical separation, power supplies, and interlocks) of valves CV-737A and CV-7378. In a January 19, 1984, response, the licensee referenced a report, " Separation and LOCA Environment Assessment of San Onofre Unit 1 Emergency Core Cooling Systems," that had been forwarded by letter dated December 20, 1977, which documents that the independence of valves CV-737A and CV-7378, including routing of controls and power supplies and physical separation. The licensee stated that the independence is acceptable on the basis of the review criteria of Regulatory Guide 1.75. The report is currently under staff review, and the staff's conclusions will be presented in the final IPSAR. 4.32.3 Component Cooling Water System Passive Failure Although the pumps and heat exchangers of the CCW system are redundant, they are connected to single pipe headers for supply and return whose failure could disable the system. The licensee, by letter dated March 30, 1984, noted that a seismically qualified alternative method for bringing the plant to a hot standby condition is available. This method for shutdown does not require the CCW or salt water cooling (SWC) systems. In addition, as part of the fire protection safe shutdown issue, a dedicated shutdown system will be installed at San Onofre Unit 1. The licensee's conceptual design of this system also does not require the CCW or SWC systems but relies instead on use of the steam generators in a feed-and-bleed operation for reaching cold shutdown (see Section 4.34). A Ilmited PRA was performed for this issue. The results indicated that with all the conservative assumptions related to passive failures, their contribu-tion to the total failure of the CCW system is about 6%. This contribution is jud0ed to be insignificant with respect to the overall risk. On the basis of the licensee's upgraded cooling alternative, the commitment to install a dedicated shutdown system, and the overall low risk of this event, the staff considers this issue resolved. The licensee has scheduled to install the dedicated shutdown system during the next refueling outage, currently scheduled to start on November 30, 1985. San Onofre 1 SEP 4-48

4.32.4 Salt Water Cooling System Supply Water Failure Although the SWC pumps and the heat exchangers are redundant, the supply of cooling water is taken from a common area, the intake bay. The intake bay area water supply is subject to disruption if either the tsunami gate or motor-operated valves fall closed. The licensee, as mentioned above (see Section 4.32.3), has a seismically quali-fled means to bring the plant to hot standby and soon will be able to bring the plant to hot shutdown and intends to provide cold shutdown capability indepen-dent of the SWC system. These modifications are partly addressed in the licensee's fire protection program and will ultimately be resolved under SEP Topic III-6. The auxiliary SWC pump can also be used to provide cooling water to the CCW heat exchanger, fhis pump is located in a separate pit, and its supply of cooling water is drawn from outside the tsunami gate and motor-operated valves. / A limited PRA was performed for this issue. The results indicated that the l risk associated with this valve-failure event is low. However, the results were based on valve-failure data for a valve design, which the staff four.d was not sufficiently representative of the actual installation; therefore, the staf f concluded that this issue may be of greater importance than indicated in the limited PRA. Subsequently, the licensee has determinsd,.as discussed in a 

                                                                    ~

May 7,1984, letter, that the tsunami gates need .not be closed to prevent site flooding in the event of a tsunami (see staff evaluation fornarded by letter dated August 27, 1984a). Accordingly, the licensee has removed the tsunami ' gates. This action will ensure that tsunami valve failure will not contribute  ! to SWC unavailability.  ! On the basis of the above licensee actions, the staff considers this issue resolved. 4.32.5 Independence of Salt Water Cooling System Components During the review of this topic, the staf f found that sufficient information' was not available to verify the full independence.(i.e., physical separation, power supplies, and interlocks) of valves POVS, POV6, MOV220A, and MOV7208. In a January 19, 1984, response the licensee referanced a report, " Separation and LOCA Environment Assessment of San Onofre Unit 1 Emirgency Core Coolirq Systems," that had been forwarded by letter dated December 20, 1977, which addresses the physical and electrical separation of control and power cables for tNse valves. As discussed under Topic VI-7.C.2, the results of the above analysis are being evaluated to determine if modifications are required. This item will be covered by that review. Because this item will be incorporated and resolved ~ in a related topic, this item is considered complete. ' 4.32.6 Loss of Salt Water Cooling Pump Bearings Flush The SWC pump bearings are flushed by the service water supply system, which is not a safety grade system. Thus, t.he possibility exists that this fishing function could be lost when the demand for the SWC system would be greatest. San Onofre 1 SEP 4-49

The licensee has since contacted the SWC pump supplier and found that these pumps can withstand a loss of bearing water for up to 30 consecutive days with the need of minimal operator actions. Therefore, adequate time would exist to take corrective action for this event. On the basis of this information, the staff considers this issue resolved. 4.32.7 Salt Water Cooling System Reliability The SWC system is a two-train system; one train is normally in operation with the other in standby. The second pump starts automatically on low discharge pressure. Each pump is aligned to deliver flow to one of the two CCW heat exchangers. The air-operated discharge valves are interlocked with the corres-ponding CCW heat exchanger inlet valves. However, no check valves were installed in the pump discharge lines; thus, reverse flow through the line could have resulted in reverse rotation of the pump. The auxiliary SWC water pump and the two screen wash pumps can be connected by valve operations to provide SWC flow. This system design historically has had reliability problems. The most severe case occurred in March 1980 when both of the SWC pumps as well as the auxiliary SWC pump became unavailable as a result of three separate failures (pump shaft break, failure of air-operated valve to open because of dessicant contamination, and loss of prime to the auxiliary SWC pump). Recurrent problems have also been experienced with the air operators and pressure switch for the discharge valves. Table 4.2 summarizes the past history of the SWC system failures. To correct some of these problems, the licensee has installed check valves in the two discharge lines. The automatically controlled air-operated valve operators have been removed; the valves are now manually operated valves, which are maintained in the locked-open position. Thus, system reliability will be enhanced. The licensee has also implemented design changes to eliminate the problem areas such as the discharge lines' valve configuration. The staff believes that these modifications will improve SWC system reliability. However, as recently as October 1984, system reliability was affected by operator error. Thus, the staff recommends that the licensee perform a reliability evaluation of the SWC system to determine whether any additional improvements are appropriate. 4.33 Topic IX-5, Ventilation Systems 10 CFR 50 (GDC 5, 19, 60, and 61), as implemented by SRP Sections 9.4.1, 9.4.2, 9.4.3, 9.4.4, and 9.4.5, requires, in part, that ventilation systems be provided and have the capability to provide a safe environment for plant personnel and for the operation of engineered safety features. The staff in the topic evaluation found the ventilation systems acceptable, except for the following items. 4.33.1 Reactor Auxiliary Building ! The reactor auxiliary building ventilation systems' single air supply unit is vulnerable to a single active failure of either the unit itself or the differential pressure switch. The staff in its topic evaluation recommended San Onofre 1 SEP 4-50 

    \   .
                                                                                               )

V 

                                                                                                 -1 l

that the licensee should either demonstrate that ventilation for the charging pumps is unnecessary or propose a corrective action. A limited PRA was performed for this issue. The results indicated that the probability of a ventilation system failure that fails the charging pumps, in combination with other system failures required to result in a core-melt-sequence, is small in comparison with the expected total core-melt frequency. This issue was, therefore, rated to be of low risk significance. ' The licensee, by letter dated June 24, 1983, provided the results of an evalua-tion of this issue. On the basis of this evaluation, the licensee found that even if the single supply fan failed, the air exhaust fans of the containment sphere purging and exhaust system are of sufficient size to maintain adequate ventilation of the charging pumps. On the basis of the low risk significance and containment ventilation avail-ability, the staff concludes that no modifications are warranted and considers this issue resolved. 4.33.'2 Sv:itchgear and Cable Spreading and 480-V Switchgear Rooms The switchgear and cable spreading room and 480-V switchgear room ventilation systems are vulnerable to a single active failure. The staff in the topic eval-uation recommended that the licensee either demonstrate that ventilation of the equipment serviced by these systems is unnecesary or propose a corrective action. A limited PRA was performed for this issue. The results indicated that a loss of ventilation in the switchgear and cable spreading room could affect both the normal and emergency trains of the ac power system. A ventilation failure-induced loss of the equipment in this room combined with a failure of the turbine-driven auxiliary feedwater pump portion of the auxiliary feedwater sys-tem would eliminate the standard means of removing heat from the core. Since the frequency of this combination of events is relatively high, comparable to 

     'the core-melt frequency for a PWR, this issue was rated to be of high risk significance.

The results of a limited PRA rated the risk associated with the loss of the 480-V i switchgear, room ventilation system as low. The basis of this conclusion was the assumption that the loss of this system would result in the loss of only one of the two ac power trains. The availability of the redundant ac power supply and the auxiliary feedwater system, both unaffected by the loss of ventilation in the 480-V switchgear room, reduces the significance of this event to a point where it would not significantly affect the core-melt frequency. As discussed in the licensee's June 24, 1983, letter, new room ventilation 

      . systems were recently installed. Modifications in these areas to resolve Appen-dix R (10 CFR 50) fire protection concerns necessitated installation'of these
     -systems. The new systems consist of air conditioning unit with backup supply and exhaust fans. However, the systems are neither safety grade nor powered from the emergency diesel generators. Therefore, the licensee in an August 21, 1984, letter provided the results of a room-temperature analysis for periods during both normal operating and postaccident conditions when room ventilation could be lost. On the basis of these results, the licensee has determined that the room air ambient temperature would not exceed 104 F, the normal qualification
      -San Onofre 1 SEP                        4-51

temperature for most industrial equipment, if room doors are opened and room lights are extinguished in a timely manner after loss of ventilation. To ensure that these actions will be performed in a timely manner if required, the licensee committed to implement a room temperature monitoring program. The staff finds this to be an acceptable resolution to its concern about loss of room ventilaticn subject to a confirmatory review of the details of this monitoring program and development of appropriate procedures. The licensee will submit this program by . 4.33.3 Administration Building (Battery' Room and Inverter Room) The staff in the topic evaluation concluded that the administration building 

 . ventilation system is susceptible to disabling single failures.                                            The control room, located in this building, has a separate ventilation system.                                             During the
 . topic evaluation the licensee was requested to either demonstrate that ventila-tion of the equipment in the battery and inverter rooms is unnecessary or propose a cortective action.

The results of a limited PRA rated the risk associated with the loss of the administration building ventilation system as high. The basis of this conclu-sion was the assumption that the failure of one of the station batteries as a result:of a loss of ventilation could have a significant effect on the core-melt frequency. Failure'of the ventilation system, that is, failure of a single fan, can be expected to occur more frequently than the loss of a dc power train as a result of battery faults. Battery faults generally are significant con-tributors to dominant accident sequences. By letter dated June 24, 1983, the licensee noted that loss of ventilation in 

 .the battery room would not adversely affect equipment as a result of the small amount of heat generated by the batteries and their high heat capacity.                                               The main concern for battery room ventilation is hydrogen buildup.                                             There is a vent in the battery room roof as well as hydrogen monitors, which alarm in the con-trol room.

By letter dated August 21, 1984, the licensee pro.ided the results of'a thermal analysis performed for the inverter room. The results of this analysis showed that the room air ambient temperature would not exceed 104 F even if a loss of room ventilation were to occur under normal operating or postaccident condi-tions. For most industrial equipment 104 F is the normal qualification temperature. On the basis of the above information, the staff recommends that the licensee develop a procedure for room cooling and hydrogen dispersion. 4.34 Topic IX-6, Fire Protection 10 CFR 50 (Sections III.G and III.L of Appendix R) requires that fire protection features be provided for structures, systems, and components important to safe shutdown and that if separation and barriers between redundant safe shutdown equipment in a fire area do not meet the requirements of Section III.G.2, 'l alternative or dedicated shutdown capability should be provided that can achieve safe shutdown conditions independent of the effects of fire in the area. San Onofre 1 SEP 4-52 L

At San Onofre Unit 1, equipment in several areas does not satisfy the above requirements. The licensee had proposed, in a letter dated June 30, 1982, extensive modifications and additions to existing plant systems to show compli-ance with Appendix R. Many of the changes are related to several SEP topics. The staff approved the conceptual design of these modifications by letter dated November 18,.1982. The staff granted an exemption to the schedular requirements of 10 CFR 50.48(c) on March 23, 1983, which established October 31, 1983, as the date for determining the implementation schedule. l One of the major issues to be resolved with respect to fire protection relates -to the 4,160-V switchgear cable spreading room, where cabling and equipment for both divisions of ac power are present. The original proposal would have in-volved relocation and addition of cabling to eliminate this concern. By letter dated April 24, 1984, the licensee submitted a revised proposal for achieving compliance with 10 CFR 50.48 and Appendix R. It involves a dedicated safe shutdown system consisting of a new diesel generator (non-safety-related) and associated switchgear, transfer switches, and the like. The proposed modi-fication should be minimally impacted by other SEP modifications. The licensee's proposal is under staff review. This issue will be resolved independent of the SEP issues. This issue is therefore considered complete. l l' 4.35 Topic XV-1, Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve 10 CFR 50.34 requires that eacn applicant for a construction permit or operat-ing license provide an analysis and evaluation of the design and performance of structures, systems and components of the facility with the objective of assess-ing the risk to public health and safety resulting from operation of the facil-ity, including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility. 10 CFR 50 (GDC 10-and 15), as implemented by SRP Sections 15.1.1 through 15.1.4, requires, in part, that plants be adequately designed to mitigate the consequences of feedwater system malfunctions that result in an increase in feedwater flow. An increase-in-feedwater-flow event will be terminated when a safety injection signal is generated, since the main feedwater pumps are automatically realigned to provide emergency core cooling. As discussed in the topic evaluation, the concern is that the steam generator may be overfilled before the safety injec-tion signal is actuated and that a main steamline break may result from the weight of water in the line. The cooldown associated with such a break could be more severe than that for the design-basis steamline break (more water initially available for blowdown). The licensee has committed to evaluate this event to determine whether corrective measures are necessary to prevent violation of design limits. The staff finds this commitment acceptable. The licensee will proviue this evaluation and identify any necessary tr.odifications by . San Onofre 1 SEP 4-53

4.36' Topic XV-2, Spectrum of Steam System Piping Failures Inside and Outside Containment (PWR) 10 CFR 50'(GDC 17, 21, and 35), as implemented by SRP Section 15.1.5, requires, in part, that the most severe single active component failure should be assumed and_the_effect of loss of offsite power should be considered in an analysis of a spectrum of steamline breaks. Following a main steamline break, the main feedwater system will be_ realigned

to the safety. injection mode and the turbine-driven train of auxiliary feedwater will have no source of steam. This will leave only the motor-driven train of-auxiliary feedwater to remove decay heat unless main feedwater can be restored.

Therefore, a postulated single failure of.the motor-driven AFW pump would remove all means of feedwater addition to the steam generators for decay heat removal. The emergency procedures specify that-the main 'feedwater _ system should be realigned to the feedwater addition mode once safety. injection is terminated. The shutoff head of the feedwater pumps is approximately 1,020 psig. Therefore, after the initial depressurization, when reactor pressure. returns to above 1,200 psig, the feedwater pumps are not needed for safety injection and can be used for feedwater addition. If secondary system decay heat removal cannot be restored, primary feed and bleed would be necessary. Although analyses of feed-and-bleed capability have been done, this is an untested method. As previously discussed (Section 4.28.3), the licensee has committed to provide a third train of auxiliary feedwater (motor-driven). This design change will eliminate the concern regarding a single failure of the motor-driven auxiliary feedwater pump. The limite'd PRA determined that with the proposed hardware changes and with the above-described emergency procedures, risk to the public as a result of steam- 

   'line breaks at San Onofre Unit 1 is low.
  'The staff concludes that the proposed action is sufficient to resolve this issue; implementation of this action by the licensee will be completed by I

i 

  - San Onofre 1 SEP                        4-54
)

Table 4.1 Integrated assessment summary O SEP IPSAR Tech. Spe<. Modification 4 Topic Section changes or analysis Licensee Completion PRA No. No. Title required requirements agrees date results ]

  • II-1.C 4.1 Potential Hazards or Changes m in Potential Hazards Due to Q Transportation, Institutional, and Military Facilities 4.1.1 Overpressure From Explosions No None Yes -- --

4.1.2 Frequency of Shipments No None Yes -- -- 4.1.3 Toxic Gases No Study alternatives for control Yes Final -- room modifications on cost- IPSAR benefit basis. II-3.A. 4.2 Hydrologic Description, No See Topic III-3.A. -- -- -- 11-3.8, Flooding P:tential ar d 3 11-3.B.1, Prote.: tion Requirements; e II-3.C Capa'aility of Operating Plants $ To Cape With Design-Basis Flooning Conditions; Safety-Related Water Supply (Ultimate Heat Sink) II-4.F 4.3 Settlement of Foundations No Evaluate effects of backfill Yes Final -- and Buried Equipment soils on long-term settlement; IPSAR modify supports as necessary. III-1 4.4 Classification of Structures, Components, and Systems (Seismic and Quality) l 4.4.1 Radiography Requirements No Verify that specified components -- Per 10 CFR -- l have been radiographed or 50.71 l volumetrically inspected; other- (e)(3)(ii) ) wise perform volumetric inspection. 4.4.2 Pressure Vessels No Show compliance with fatigue -- Per 10 CFR -- analysis requirements. 50.71 (e)(3)(ii) 

  ~     '

m y Table 4.1 (Continued) o s SEP IPSAR Tech. Spec. . Modification % Topic Section . changes or analysis Licensee . Completion PRA . g No. No. Title . required requirements agrees date results H 111-1 4.4.3 Fracture Toughness No Evaluate to determine if material -- 

                                                                                                                -Per 10 CFR      --

m toughness is sufficient to prevent 50.71 @ failure. (e)(3)(ii) 4.4.4 Piping. No Assess impact on usage factor of -- Per 10' CF R 1 -- gross discontinuities in Class 1 50.71 piping for cyclic loads. (e)(3)(ii) 4.4.5 Valves No Verify on sampling basis that -- Per 10 CFR. -- Class 1 valve stress limits meet 50.71' criteria for body shape and Service (e)(3)(ii) Level C conditions; verify pressure-temperature ratings of Class 2/3 valves. 4.4.6 Pumps No Demonstrate fatigue analysis- -- Per 10 CFR -- compliance for reactor coolant 50.71 $ pumps; evaluate design of other (e)(3)(ii) 

                                                                 ' pumps.

4.4.7 Storage Tanks No Evaluate tanks to determine if -- Per 10 CFR -- specified stress limits are met. 50.71 (e)(3)(11) III-2 4.5 Wind and Tornado Loadings No Perform cost-benefit analysis of Yes 7/1/85 -- upgrading for different windspeeds. See Topics III-4.A and III-7.B III-3.A 4.6 Effects of High_ Water Level on Structures 4.6.1 Groundwater No Evaluate short-term hydrostatic -- -- -- load at grade. 4.6.2 Roof Loadings .No Demonstrate roofs can withstand Yes -- -- ponding load, or propose correc-tive measures. (Integrate Topic II-3.B.I.) 

                            . b7                                                        . Table 4.1 (Continued) 3
                             ' EE SEP      IPSAR                                  Tech.' Spec. Modification                            _

1; Topic Section changes or analysis Licensee Completion PRA. s No. No. Title required requirements agrees date results a bd III-3.C 4.7 Inservice Inspection of No Revise inspection program in Yes -- -- on Water Control Structures accordance with staff comments. 

                               $  III-4.A  4.8     Tornado Missiles'              No               Provide safe shutdown path that      --      --          --

is protected from tornado missiles (Integrate Topic III-2.) III-5.A 4.9 Effects of Pipe Break on -- Perform fracture mechanics anal- Yes -- -- Structures, Systems, and yses, systems analyses. Determine Components Inside Containment leak detection system sensitivity. (Integrate Topic V-5.) III-5.B 4.10 Pipe Break Outside -- Perform fracture mechanics Yes -- -- Containment analyses, systems analyses. III-6 4.11 Seismic Design Considerations No Complete analysis of remaining Yes Next . -- safety-related piping and refueling 

                               $"                                                                 . equipment and implement necessary           outage modifications,                               unless otherwise justified III-7.B  4.12    Design Codes, Design Criteria,

' Load Combinatians, and Reactor Cavity Design Criteria 4.12.1 Design Codes, Criteria, and No Confirm that seismic loads Yes -- -- Load Combinations dominate tornado loads and that correct combinations were used. (Integrate Topics II-3.B.1, II-4.F. III-2, III-5.A. III-5.B. and III-6 for structural upgrade.) 4.12.2 Load Combinations for Reactor No Evaluate potential for buckling. Yes -- -- .; Containment III-7.D 4.13 Containment Structural No None Yes -- -- Integrity-Tests

m 

$                                                                         Table 4.1 (Continued)1 o

IPSAR Tech. Spec. . Modification 5 SEP changes or analysis Licensee Completion PRA. ' -a Topic Section' agrees- date results No. No. Title required requirements E$ 

  ~

Loose-Parts Monitoring and No None- Yes. -- Low Ill-8.A 4.14 E@ Core Barrel Vibration Monitoring m None Yes. -- Low Ill-10.A 4.15 Thermal-Overload Protection No for Motors of Motor-Operated Valves None Yes -- 111-10.B 4.16 ' Pump Flywheel Integrity No None Yes -- 

                                                                                                                                            ' Low IV-2      4.17                 Reactivity Control Systems,     No Including Functional Design and Protection Against Single Failures V-5       4.18                 Reactor Coolant Pressure as                                 Boundary (RCPB) Leakage
 /n                                 Detection co 4.18.1               Leakage Into Containment Yes         --

4.18.1.1 System Sensitivity. No See Topic III-5.A. Provide Technica1' Specifications Yes 90 days -- 4.18.1.2 Operability Requirements. Yes after (TS) for surveillance of leak detection systems. (Integrate final Topic Ill-5.A.) IPSAR 4.18.1.3 Seismic Qualification No Provide procedures or qualify Yes -- -- one leak detection system. No None Yes -- 4.18.1.4 Testability < None Yes -- 4.18.2 Intersystem Leakage No V-10 A 4.19 Residual Heat Removal System Heat Exchanger Tube Failures Yes Low 4.19.1 Radiation Monitoring No None

(n g Table 4.1 (Continued) o

s SEP IPSAR Tech.' Spec. Modification 9% Topic Section changes or analysis  : Licensee Completion PRA-j No. No. Title required requirements, agrees- date; results,
   >"                               V-10.A 4.19.2     Sampling-                        No              None                                Yes                  -.

4.19.3 ' Testing of Recirculation Pk) None Yes -- -- Heat Exchanger V-11.A 4.20 Requirements for Isolation of High- and Low-Pressure Systems 4.20.1 Chemical and Volume Control System 4.20.1,1 Charging Pump Discharge Valves' No None Yes -- Low 4.20.1.2 Letdown Piping No None Yes -- -- a 4.20.2 Safety Injection System No None Yes -- Medium 8" 4.20.3 Long-Term Recirculation No None- Yes -- Low System V-11.B 4.21 Residua' Heat Removal System Interlock Requirements 4.21.1 Residual Heat Removal System No None Yes -- tow Interlocks 4.21.2 Overpressurization Protection Yes Provide TS.for operability -- 90 days -- of Residual Heat Removal System of overpressure protection system after when residual heat removal system final is in operation. IFSAR VI-1 4.22 Organic Materials 'and Post- No Institute periodic inspection Yes -- -- accident Chemistry program. VI-4 4.23 Containment Isolation System 4.23.1 Electrical Aspects

v-v g Table 4.1 (Continued) o g SEP IPSAR Tech. Spec. Modification 

 -  Topic Section                                changes        .or analysis                          Licensee Completion PRA
 ]  No. No.       Title                        required         requirements                      ' agrees   'date        results
  • VI-4 4.23.1.1 Purge Lines Yes None -Yes -- --

cn 

 $        4.23.1.2 Key Control and Control Panel No               Provide procedures for control      Yes       Next    .

Access Procedures for panel access. refueling Sequencer Doors outage 4.23.1.3 Redesign of Block SIAS No None Yes- -- - - - Annunciator Window 4.23.1.4 Automatic Loading of Diesel No None Yes -- -- Generator R2diator Fans 4.23.1.5 Override Capability for No Resolved in Section 4.23.2. Yes -- -- Reactor Coolant Sample Line Isolation Valves 4 4 4.23.2 Valve Actuation No None Yes -- Low o 4.23.3 Valve Type No None Yes -- Low 4.23.4 Valve Location No Seismically qualify lines. Yes -- Low See Topic III-6. = 4.23.5 Isolation of Closed Systems No Seismically qualify lines. Yes -- Low See Topic III-6. 4.23.6 Isolation of Air Handling No Seismically qualify lines. Yes -- Low Unit Cooling Lines See Topic III-6. 4.23.7 Isolation of Branch Lines 4.23.7.1 Refueling Water Lines No Provide administrative procedures -- -- Low and/or locking devices. 4.23.7.2 Main Steamlines No Provide procedures. -- -- Low 4.23.8 Spare Penetrations No None Yes -- Low 1

s Table 4.I' (Continued)'

S SEP IPSAR Tech.' Spec. Modification Q Topic Section changes or analysis Licensee- Completion PRA - g No. 'No. Title required requirements agrees date results F" VI-4 4.23.9 Air Locks and Hatches No None Yes -- -- (n Q VI-7.8 4.24 Engineered Safety Feature Switchover From Injection No . .. Provide automatic termination of injection and a backup to the Medium to Recirculation Mode single refueling water storage (Automatic Emergency. Core tank level indicator; review Cooling System Realignment) procedures and training. VI-7.C.2 4.25 Failure Mode Analysis' (Emergency Core Cooling System) Yes --' 4.25.1 Redundant Valve for Volume No None Low Control Tank Isolation 4.25.2 Control Power to'FCV-11150, No None Yes -- Low 3 i E, and F cn 4.25.3 . Hot-Leg Recirculation No None_ Yes -- -- 4.25.4 Other Modifications No Evaluate benefits of -Yes Final -- incorporating recommended IPSAR modifications. VI-10.A 4.26 Testing of Reactor Trip System and Engineered Safety Features,. Including Response-Time Testing 4.26.1 Response-Time Testing of Yes Include testing now in procedures Yes 90 days Low Reactor Protection System in TS. after final IPSAR 

                                                                                                                                                   'l u-g                                                              Table 4.1 (Continued) o                                                        Tech. Spec. Modification
    's      SEP       IPSAR 9      Topic     Section                                 changes        or analysis                         . Licensee Completion .PRA agrees    date g      No.       No. Title                           required       requirements                                                results
     "" -             4.26.2  Testing of Engineered Safety-   Yes            Include test for containment spray --           90 days     Low VI-10.A La                       Features                                       actuation in TS.                                after final 5"                                                                                                                      IPSAR 4.26.3  Testing of Support Systems      No             None                                  Yes'      --          --

VII-1.A 4.27 Isolation of Reactor Protection System From Nonsafety Systems, Including Qualification of Isolation Devices None Yes -- Low 4.27.1 Remote Maters and Recorders No None Yes -- Low 4.27.2 Data Logger No A None Yes -- Low jn 4.27.3 Feedwater Control No ru VII-3 4.28 Systems Required for Safe Shutdown , None Yes -- Low 4.28.1 Component Cooling Water Surge No Tank Level and Instrumentation Adequate Seismic Category I Yes None Yes -- -- 4.28.2 Water Supply for the Auxiliary Feedwater System . 4.28.3 TMI Task Action Plan Yes Integrated into Topics III-1, Yes -- -- Item II.E.1.1, " Auxiliary III-2, III-4.A. III-5.A. III-5.B. Feedwater System Evaluation" III-6, VIII-3, and XV-2. 4.29 Potential Equipment Failures .Yes Implement modifications and TS Yes Final -- VIII-1.A Associated With Degraded Grid for undervoltage protection. IPSAR Voltage Provide voltage monitoring program for tap settings.

p-l Table 4.1 - (Continued) E SEP . IPSAR Tech. Spec. Modification 

   &   Topic    Section                                   changes        or analysis                          Licensee Completion PRA l

No. No. Title required' requirements. agrees. date results 3 H 4.30 DC Power System Bus Voltage Yes Medium _VIII-3.B No' None --

g. Monitoring and Annunciation o

VIII-4 4.31 Electrical Penetrations of No None Yes -- Low Reactor Containment l IX-3 4.32 Station Service and Cooling l Water Systems i l 4.32.1 Component Cooling Water System No None Yes -- -- ! Temperature Design Limits

4.32.2 Independence of Component No Complete staff review of Yes Final. --

l Cooling Water System Valves licensee report on independence IPSAR CV-737A and CV-737B of subject. valves. i 4.32.3 Component Cooling Water Systen. No Install dedicated shutdown Yes Next Low 

   $                    Passive Failure                                  system. (Integrated with Appendix R requirements.)

refueling outage 4.32.4 Salt Water Cooling System No Complete staff review of Yes Final Low Supply Water Failure licensee report on IPSAR redundance of salt water cooling system water supply 4.32.5 Independence of Salt Water No See Topic VI-7.C.2 Yes -- -- Cooling System Components 4.32.6 Loss of Salt Water Cooling Pump- No None Yes -- -- Bearings Flush l 4.32.7 Salt Water Cooling System No Perform a reliability evaluation -- -- -- l Reliability of salt water cooling system to determine appropriate modifications. l IX-5 4.33 Ventilation Systems i ! 4.33.1 Reactor Auxiliary Building No None Yes -- Low i l

li?. us (,) Table 4.1 .. (Continu*d) o

3
   ' SEP   IPSAR                                   Tech. Spec.        Modification changes            or analysis                          Licensee Completion PRA 9%    Topic Section                                                                                         agrees    date~      results "8    No. No.     . Title                         required           requirements j
                                                                                                                    ~---        High/ Low-IX-5  4.33.2  .Switchgear and Cable Spreading No                 Implement temperature-monitoring     Yes and 480-V Switchgear Rooms                        program and procedures.

Develop a procedure for room -- -. High. 4.33.3 Administration Building . No (Battery and Inverter Room) cooling and hydrogen dispersion. Provide dedicated system. Yes Next -- IX-6 4.34 Fire Protection -- refueling outage XV-1 4.35 Decrease in Feedwater No Reanalyze to show that Yes -- -- Temperature. Increase in consequences are acceptab'.. or Feedwater Flow, Increase propose corrective measurts. in System Flow, and Inadvertent Opening of a 4, Steam Generator Relief or y Safety Valve -> Install additional train of motor- Yes -- Low XV-2 4.36 Spectrum of Steam System -- Piping Failures Inside and driven auxiliary feedwater.

  • Outside Containment (PWR)
                                                      .                                                                                                         .1
                                                                                                                                                       ,       :1 Table 4.2 Salt water cooling (SWC) system . reliability problems Event date              Description of event.               ,                          Reference' 5-              November 1, 1967        A tsunami gate inadiertently closed because of a shorted       67-13 (see Appendix F)-

H limit. switch that became' submerged;. switch was relocated. February 9, 1968 ~ During operation of stop gate'(gate was being moved for . 68-04 (see Appendix'F) switch relocation ~(see above)), accumulator reservoir tank ruptured. A rupture diaphragm and enlarged relief' valve 

                                                    .were installed.

October 9,'1969 A tsunami gate fell down into the intake structure when 69-03 (see Appendix F) bond between the gate and attachment plate studs failed. No disruption in flow occurred. Attachment design was improved. March 1975 Shaft of north SWC pump sheared because of fatigue from July 24, 1980, letter' t excessive vibration resulting from worn. shaft bearings. January 16, 1978 A SWC pump breaker tripped open when the other pump.was Licensee Event Report (LER) out for. maintenance. 78-01 (see Appendix F) March 10, 1980 Total loss of. saltwater cooling shaft of south SWC pump LER 80-06; AE00 report dated sheare'd (excessive. vibration from worn bearings),. air- August 12, 1982._(attached to .t operated valve on the north pump discharge failed closed- Topic IX-3 SER); NUREG-0900, (desiccant contamination of solenoid "0" ring), and- Vol. 3,'No. 3 (Abnormal auxiliary SWC pump did not function because of inadequate Occurrence.80-7) priming (air leak into suction line). The screen wash pumps were used to. provide cooling until SWC flow was restored. 1 July 7, 1980 South train air-operated discharge valve (POV-6) failed- LER 80-031 to open because of burnt-out solenoid valve; wrong sole-noid had been installed during maintenance overhaul (ac installed, dc required). . _ _ _ _ _ _ _ - _ _ . - - _ _ _ _ - _ - - - _ . -- -- - -- - - - - - - - - - - - - - - - - - -I

m ' Table 4.2 -(Continued) E y Event date Description of event - Reference 2 ' July 28',.1980 POV-6 failed te open automatically, but could be manually' LER 80-031 

         ~                           opened. .After above event, ac coil was replaced with a dc m                           coil;,however, it'was determined that the. spring force was
         @                        -too strong for de' coil to overcome. A new'de solenoid valve was installed to correct the~ problem.

June 9, 1981 SWC discharge of the component cooling water (CCW) heat LER 81-009 exchanger was partially blocked resulting in low flow. and malfunction of butterfly valve; cause was a buildup of gooseneck. barnacles. A'long shutdown had prevented heat treatment. January 18, 1982 POV-6 failed to open on demand until the plant operator IE Inspection Report 82-04 adjusted manual control of solenoid valve. 

         +

A' February 1, 1982 An air-operated discharge valve only closed halfway when IE Inspection Report 82-10 its pump was deenergized. February 8, 1982 While south train was being placed in service, pump LER 82-007 developed normal discharge pressure, but the discharge valve shut approximately 3 sec after pump start (three attempts). The cause was failed ~ pressure switch. March 19, 1982 POV-5 failed to open. IE Inspection Report 82-10 May 13, 1982 South SWC pump was removed from its pedestal for LER 82-015; maintenance. Water entered intake area from the hole. NUREG-0090, Vol. 5, No. 2 The water rose to within 2 in. of the elevation of (Abnormal Occurrence 80-7) north SWC pump motor vents. North pump was secured when update pump amperage and discharge valve cycled erratically. After water was pumped out and north pump restarted, discharge valve failed shut because of residual moisture in the pressure' switch and melted insulation'in a. relay. Procedures did not provide adequate precautions with regard to tide level.

gn . Table <4.2 (Continued) 

        =

u E?' Event'date Description of event Reference k August 13, 1982 With north pump in operation, POV-6, the other. discharge LER 82-024~, . . 

                                  ' valve, opened unexpectedly; reverse flow through the idle
r. .

IE~ Inspection. Report 82-32 vs . pump resulted; waterhammer and reduction in SWC system : 1 . 43 flow also occurred. .Cause was a misaligned manual-operator on POV solenoid control valve. j August 19, 1982 With south pump out for maintenance, north pump had to be LER 82-022

secured because of degraded motor bearing; salt. water intrusion from.a packing leak was the.cause. Motor was replaced.

October 13, 1982 POV-6 malfunctioned because of pressure switch problem. IE Inspection Report 82-32 October 29, 1982 POV-6 malfunctioned because of. operator error. IE Inspection Report 82-32, a monthly operating report for i J, October 1982 t u l December 16, 1982 Auxiliary SWC pump failed to develop required discharge Monthly operating report'for t' pressure during operability test; after drain trap. union December 1982 was tightened, it was restored to operability. March 16, 1983 Worker drilling concrete for rebar installation drilled PNO-V-83-14, into air line supplyin'g SWC pump discharge valves. AE00 Report No. AE00/T333 3 South discharge valve (pump was running) remained (October 31, 1983) open; north discharge valve remained closed. Air i line had been field-run and was. embedded in concrete; j its exact location was not shown on available drawings. ) October 10, 1984 - 

                                 'SWC flow was aligned to upper CCW heat exchanger (HX)       LER 84-12                      j while residual heat removal flow was aligned to the i

I lower CCW HX; therefore, no heat transfer to SWC

  • t-occurred. Cause'was inadequate plant status informa-tion; configuration was off normal because lower HX, '

i which is usually in use when north SWC pump is placed l in service, as had just been done, was out of service. i i

l l I l 5 REFERENCES Code of Federal Regulations, Title 10, " Energy" (includes General Design Criteria). Letter, December 21, 1976, from K. Baskin (SCE) to A. Schwencer (NRC),

Subject:

   ' Single Failure Analysis.
    -- , December 20,.1977, from K. Baskin (SCE) to A. Schwencer (NRC),

Subject:

Single Failure Analysis. 

    -- , July 24, 1980, from J. Haynes (SCE) to D. Crutchfield (NRC),

Subject:

Failure of Saltwater Cooling System. 

   --- , January 7,1981, from D. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic V-10.A. 

    -- , April 27, 1981, from D. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic II-2.A, " Severe Weather Phenomena." 

    -- , August 3,1981, from D. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic V-11.A. 

    -- , September 9, 1981, from D. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

Draft Safety Evaluation for SEP Topic VII-1.A. 

    -- , November 2,- 1981, from W. Moody (SCE) to D. Crutchfield (NRC),

Subject:

Topic Assessment for SEP Topic IX-3. 

    -- , November 12, 1981, from R. Krieger (SCE) to D. Crutchfield (NRC),

Subject:

SEP Topic II-1.C. ! -- , February 17, 1982, from D. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

Status of Generic Item B-24. 

    -- , June 4,.1982, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VII-3, Systems Required for Safe Shutdown. 

    -- , June 15, 1982, from K. Baskin (SCE) to D. Crutchfield (NRC),

Subject:

Plans To Accelerate Enhancement of Facility Earthquake Resistance. 

    -- , June 23,1982, .from D. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

Degraded Grid Protection. 

    -- , June 24, 1982, from K. Baskin (SCE) to D. Crutchfield (NRC),

Subject:

I Proposed Implementation Plan for Accelerating Structural Upgrade.  ; 

    -- ,_ June 25, 1982, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic III-1. 1 i San Onofre 1 SEP 5-1 ' 

  -- , June 30, 1982, from K. Baskin (SCE) to D. Crutchfield (NRC),

Subject:

Response to Generic Letter 81-12, " Fire Protection Safe Shutdown Analysis." 

  -- , August 11, 1982, from D. Crutchfield (NRC) to K. Baskin (SCE),

Subject:

Order Confirming License Commitments on Seismic Upgrading. 

  -- , September 21,-1982, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic III-7.B. 

 -- , October 12, 1982, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic III-4.C, Internally Generated Missiles. 

 -- , November 12, 1982, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topics V-10.B, RHR System Reliability; V-11.B. RHR Interlock Requirements; and VII-3, Systems Required for Safe Shutdown (Safe Shutdown Systems Report). 

 -- ,-November 18, 1982, from D. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

Alternate Safe Shutdown System. 

 -- , November 22, 1982, from K. Baskin (SCE) to D. Crutchfield (NRC),

Subject:

SEP Topic VI-4. 

 -- , December 6, 1982, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VI-4 Containment Isolation System. 

 -- , December 27, 1982, from W.'Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic IX-3,

Attachment:

AE00/C204, Loss of Saltwater Cooling Event. 

 -- , February 1, 1983, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VI-7.A.3. 

 -- , February 10, 1983, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VII-1.A. 

 -- , February 24, 1983, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

! SEP Topics VI-2.D, VI-3, VIII-3.B. 

 -- , March 7,1983, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP l Topic V-5, RCPB Leakage Detection, San Onofre Nuclear Generating Station, Unit 1. i 

 -- , March 23, 1983, from D. Eisenhut (NRC) to R. Dietch (SCE),

Subject:

Exemption Regarding Time Allowed To Complete Fire Protection System. 

 -- , April 13, 1983, from J. Kay (Yankee Atomic Electric Co.) to D. Crutchfield (NRC),

Subject:

SEP Topic VIII-3.8. 

 -- , May 3,1983, from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic l II-1.C. ! -- , June 24, 1983, from K. Baskin (SCE) to D. Crutchfield (NRC),

Subject:

SEP l Topic IX-5, Additional Information. l San Onofre 1 SEP 5-2 

    -- , June 28, 1983, from R. Krieger (SCE) to D. Crutchfield (NRC),

Subject:

Additional Information on SEP Topic VI-4. 

    -- , July 29, 1983, from D. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

Safety Evaluation re: Adequacy of Station Electrical Distribution Systems. 

    -- , October 20, 1983, from R. Krieger (SCE) to D. Crutchfield (NRC),

Subject:

SEP Topic III-3.A, " Effects of High Water Level on Structures." 

    -- , October 31, 1983, from R. Krieger (SCE) to D. Crutchfield (NRC),

Subject:

Response.to Evaluation of SEP Topic II-1.C. 

    -- , November 7,1983, from R. Krieger (SCE) to D. Crutchfield (NRC),

Subject:

Additional Information for SEP Topic V-10.A. 

    -- , January 19, 1984, from M. Medford (SCE) to D. Crutchfield (NRC),

Subject:

Systematic Evaluation Program Integrated Assessment. 

    -- , January 30, 1984, from M. Medford (SCE) to R. Diggs (NRC),

Subject:

Amendment 70. 

    -- , February 17, 1984, from D. Crutchfield (NRC) to K. Baskin (SCE),

Subject:

Amendment 71 to License DPR-13. 

    -- , February 24, 1984, from M. Medford (SCE) to D. Crutchfield (NRC),

Subject:

Additional Information on Open Items for SEP Integrated Assessment. 

    -- , March 30, 1984, from M. Medford (SCE) to D. Crutchfield (NRC),

Subject:

Systematic Evaluation Program Integrated Assessment. 

    -- , April 23, 1984, from D. Crutchfield (NRC) to K. Baskin (SCE),

Subject:

SEP Topic III-1, Quality Group Classification of Components and Systems. 

    -- , April 24, 1984, from M. Medford (SCE) to D. Crutchfield (NRC),

Subject:

Conceptual Design for Dedicated Safe Shutdown System. 

    -- , May 7,1984, from M. Medford (SCE) to D. Crutchfield (NRC),

Subject:

Additional Information re: SEP Topics II-3.A, VI-7.8, VI-7.C.2, IX-3, and XV-1. 

    -- , June 5,1984, from M. Medford (SCE) to D. Crutchfield (NRC),

Subject:

Surveillance Program for Flood Water Control Structures and Service Water Reservoir, San Onofre Unit 1. 

    -- , August 21, 1984, from M. Medford (SCE) to W. Paulson (NRC),

Subject:

Analyses on Temperature Profiles for SEP Topic IX-5. 

    -- , August 21,1984a, from M. Medford (SCE) to W. Paulson (NRC),

Subject:

Information on SEP Topics IV-2 and VII-1.A. l 

    -- , August 27, 1984, from W. Paulson (NRC) to K. Baskin (SCE),

Subject:

Amendment No. 79 to License DPR-13 (Radiological Effluent Technical Specifications). San Onofre 1 SEP 5-3  ; l i 

-- , August 27,1984a, from W. Paulson (NRC) to K. Baskin (SCE),

Subject:

SEP Topics II-3.A II-3.B. II-3.B.1 and II-3.C. 

-- , September 4, 1984, from R. Gilbert (NRC) to H. Denton (NRC),

Subject:

Daily Highlight. -- , September 5,1984, from J. Haynes (SCE) to NRC,

Subject:

30 Day Report: Licensee Event Report 84-008. -- , September 17, 1984, from M. Medford (SCE) to W. Paulson (NRC),

Subject:

Tornado Hazard Analysis. 

 -- , October 18, 1984, from M. Medford (SCE) to W. Paulson (NRC),

Subject:

Intake Structure Degradation and Repair. -- , October 24, 1984, from W. Paulson (NRC) to K. Baskin (SCE),

Subject:

Amendment No. 82 to License 4ER-13, Auxiliary Feedwater System. -- , November 14, 1984, from M. Medford (SCE) to J. Zwolinski (NRC),

Subject:

Risk Assessment of Loss of Control Room Habitability. -- , November 21, 1984, from D. Eisenhut (NRC) to K. Baskin (SCE),

Subject:

Contingent Rescission of Suspension. -- , December 5,1984, from M. Medford (SCE) to J. Zwolinski (NRC),

Subject:

San Onofre Nuclear Generating Station, Offsite Hazards Evaluation 1984. -- , December 10, 1984, from D. Eisenhut (NRC) to R. Kober (Rochester Gas and Electric),

Subject:

License DPR-18 and FR Notice of Issuance. -- , December 20, 1984 from M. Medford (SCE) to J. Zwolinski (NRC),

Subject:

Auxiliary Transformer Tap Settings Optimization. -- , February 7,1985, from J. Martin (NRC) to D. Fogarty (SCE),

Subject:

Systematic Assessment of Licensee Performance. . -- , March 12, 1985, from n. Medford (SCE) to J. Zwolinski (NRC),

Subject:

Long Term Seismic Criteria and Methodology. Southern California Edison, " Final Safety Analysis Report," Docket No. 50-206, November 12, 1965. U.S. Atomic Energy Commission, Wash-1400, " Reactor Safety Study: An Asseum::nt of Accident Risks in U.S. Commercial Nuclear Power Plants." The Rasmussen Report, August 1974. U.S. Nuclear Regulatory Commission, AE0D/C401, " Low Temperature Overpressure Events at Turkey Point Unit 4," March 1984. -- , AE00/T333, " Degradation of Salt Water Cooling System Caused by Loss of Instrument Air," October 31, 1983. -- , Generic Letter 83-28, July 8, 1983, from D. Eisenhut (NRC) to all licensees of operating reactors,

Subject:

Generic Implications of Salem ATWS Event. San Onofre 1 SEP 5-4 

     -- , NRC. Manual Chapter 0516, " Systematic Assessment of Licensee Performance (SALP)," March 23, 1982.
     -- , NUREG-75/014 (formerly WASH-1400), " Reactor Safety Study," October 1975.-
     -- , NUREG-75/087, see NUREG-0800.
     -- , NUREG-0090, " Report to Congress on Abnormal Occurrences," Vol. 3, 1980; Vol. 5, 1982.
     -- , NUREG-0452, " Standard Technical Specifications for Westinghouse PWRs,"

Revision 4 (Draft), November 1981. 

    -- , NUREG-0460, " Anticipated Transients Without Scram in Light Water
   . Reactors," March 1980.
    -- , NUREG-0660,."NRC Action Plan Developed as a Result of the TMI-2 Accident,"

l Vols. I and 2, May 1980; Revision 1, August 1980. 

    -- , NUREG-0737, " Clarification of TMI Action Plan Requirements," November 1980.
    -- , NUREG-0800 (formerly NUREG-75/087), " Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," July 1981 (includes Branch Technical Positions).
    -- ,-NUREG/CR-0098, " Development of Criteria for Seismic Review of Selected Nuclear Power Plants," by N. M. Newmark and W. J. Hall, May 1978.
    -- , Regulatory Guide (RG) 1.4, " Assumptions Used for Evaluating the Potential Radiological Consequences of a Loss-of-Coolant Accident for Pressurized Water Reactors."
    -- , RG 1.6, " Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems."
    -- , RG 1.11 " Instrument Lines Penetrating Primary Reactor Containment."
    -- , RG 1.13 " Spent Fuel Storage Facility Design Basis."
    -- , RG 1.14, " Reactor Coolant Pump Flywheel Integrity," Revision 1 for comment.
    -- , RG 1.22, " Periodic Testing of Protection System Actuation Functions."
    -- , RG 1.26, " Quality Group Classifications and Standards for Water , Steam ,

and Radioactive-Waste-Containing Components of Nuclear Power Plants," Revision 3 for comment. 

    -- , RG 1.27, " Ultimate Heat Sink for Nuclear Power Plants," Revision 2 for comment.
    -- , RG 1.28, " Quality Assurance Program Requirements (Design and Construction)."

San Onofre 1 SEP 5-5 

  -- , RG 1.29, " Seismic Design Classification," Revision 2 for comment.
  -- , RG 1.32, " Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants," Revision 2.
  -- , RG 1.45, " Reactor Coolant Pressure Boundary Leakage Detection Systems."
  -- , RG 1.46, " Protection Against Pipe Whip Inside Containment."
  -- , RG 1.47, " Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems."
  -- , RG 1.53, " Application of the Single-Failure Criterion to Nuclear Power
 . Plant Protection Systems."
  -- , RG 1.54, " Quality Assurance Program Requirements for Protective Coatings Applied to Water-Cooled Nuclear Power Plants."
  -- , RG 1.59, " Design Basis Floods for Nuclear Power Plants," Revision 2.
  -- , RG 1.63, " Electric Penetration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants," Revision 2.
  -- , RG 1.70, " Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants."
  -- , RG 1.75, " Physical Independence of Electric Systems."
  -- , RG 1.76, " Design Basis Tornado for Nuclear Power Plants."
  -- , RG 1.97, " Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident."
  -- , RG 1.99, " Effects of Residual Elements on Predicted Radiation Damage to Reactor Vessel Materials," Revision 1.
  -- , RG 1.102, " Flood Protection for Nuclear Power Plants."
  -- , RG 1.106, " Thermal Overload Protection for Electric Motors on Motor-0perated Valves," Revision 1.
  -- , RG 1.117, " Tornado Design Classi.ication," Revision 1.
  -- , RG 1.118, " Periodic Testing of Electric Power and Protection Systems,"

Revision 2. 

  -- , RG 1.127, " Inspection of Water-Control Structures Associated With Nuclear Power Plants," Revision 1.
  -- , RG 1.129, " Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Nuclear Power Plants."
  -- , RG 1.132, " Site Investigations for Foundations of Nuclear Power Plants."

San Onofre 1 SEP 5-6 

   -- , RG 1.133, " Loose-Part Detection Program for the Primary System of Light-Water-Cooled Reactors," Revision 1.
   -- , RG 1.138, " Laboratory Investigation of Soils for Engineering Analysis and Design of Nuclear Power Plants."
   -- , RG 1.139, " Guidance for RHR To Achieve and Maintain Cold Shutdown (Guidance for Residual Heat Removal)," Revision 1 (proposed).

l -- , RG 1.141, " Containment Isolation Provisions for Fluid Systems," Draft i Revision 1. l U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement (IE), Bulletin 80-06, " Engineered Safety Features (ESF) Reset Controls," March 13, 1980. [ INDUSTRY CODES AND STANDARDS i

l. American Concrete Institute (ACI) Code 349-76, " Code Requirements for Nuclear Safety Related Concrete Structures."

l l American National Standards Institute (ANSI), N-170, " Standards for Determining l

Design Basis Flooding at Power Reactor Sites." '

American Institute of Steel Construction Code, " Specification for the Design, Fabrication and Erection of Structural Steel Buildings," 1978. American Society of Mechanical Engineers, " Boiler and Pressure Vessel Code"' (ASME Code), Sections III, VIII, and XI. American Standards Association (ASA), Std. 831.1, " Code for Pressure and Power Piping," American Society of Mechanical Engineers, 1955. Institute of Electrical and Electronics Engineers (IEEE), Std. 279-1971, 

  " Criteria for Protection System for Nuclear Power Generating Stations."
  -- , Std. 308-1977, " Criteria for Class 1E Power Systems for Nuclear Power Generating Station Safety Systems."
  -- , Std. 317-1972 " Standard for Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations."

l San Onofre 1 SEP 5-7  !

APPENDIX A TOPIC DEFINITIONS FOR SEP REVIEW * 

     *The topic definitions and other data appearing in this appendix were assembled in April 1977; therefore, some references to organizations and other references 3

reflect the status of the review at that time. The basis for deletion of a topic because the review of a related TMI task, USI, or other SEP topic was identical ! to the review of the SEP topic was developed in May 1981 on a generic basis l and does not address the plant-specific design aspects. The plant-specific i deletions that are due to generic review or nonapplicability to the San Onofre ( Unit I design are given in Appendices B and C. I San Onofre 1 SEP u

Y. p CONTENTS i TOPIC ~ TITLE PAGE II-1.A Exclusion Areas Authority and Contro1.................. A-1 II-1.B Population Distribution................................ A-1 II-1.C Potential Hazards or Changes in Potential Hazards Due to Transportation, Institutional, Industrial, a nd M i l i t a ry Fa c i l i t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2 II-2.A Severe Weather Phenomena................................ A-3 II-2.B Onsite Meteorological Measurements Program.............. A-3 II-2.C Atmospheric Transport and Diffusion Characteristics fo r Acc iden t Ana lys i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4 II-2.0 Availability of Meteorological Data in the Control Room.................................................... A-6 II-3.A Hydrologic Description.................................. A-7 

    -II-3.B         Flooding Potential and Protection Requirements.......... A-8 II-3.8.1      Capability of Operating Plant To Cope With Design-Basis-Flooding Conditions.....................................                                                A-8 II-3.C         Safety-Related Water Supply (Ultimate Heat Sink [ UHS]).. A-9 II-4           Geology and Seismology..................................                                                A-9
    .II-4.A         Tectonic     Province.......................................                                            A-10
    .II.4.8         Proximity of Capable Tectonic Structures in Plant Vicinity................................................                                                A-11 II-4.C        Historical Seismicity Within 200 Miles of Plant.........                                                 A-11 II-4.D        Stability of Slopes........................ ............ A-12 II-4.E:       Dam Integrity...........................................                                                 A-12 II-4.F        Settlement of Foundations and Buried Equipment.......... A-13 III-I         Classification of Structures, Components, and System (Seismic and Quality)...................................                                                 A-13 III-2         Wind and Tornado Loadings...............................                                                 A-14 III-3.A       Effects of High Water Level on Structures...............                                                 A-15 III-3.B       Structural and Other Consequences (e.g., Flooding of Safety-Related Equipment in Basements) of Failure of Underdrain Systems......................................                                                 A-15            1 III-3.C        Inservice Inspection of Water Control Structures........                                                A-16 III-4.A       Tornado Missiles........................................                                                 A-16 III-4.B       Turbine     Missiles........................................                                             A-17            i San Onofre 1 SEP                                A-tii

n CONTENTS (Continued) TOPIC: TITLE PAGE 

  'III-4.C          Internally Generate'd     Missiles...........................                                    A-18 III-4.0         Site-Proximity Missiles (Including Aircraft)............                                         A-19 III-5.A         Effects of Pipe Break on Structures, Systems, and Components Inside Containment...........................                                         A-19
  -III-5.B          Pipe Break Outside     Containment..........................                                     A-20
  .III-6            Seismic Design Considerations........................... -A-20 III-7.A        -Inservice Inspection, Including Prestressed Concrete Containments With Either Grouted or Ungrouted Tendons... A-21 III-7.B-        Design Codes, Design Criteria, Load Combinations, and Reactor Cavity Design       Criteria..........................                                   A-22 III-7.C         Delamination of Prestressed Concrete Containment Structures..... ........................................ A-22 III-7.D         Containment Structural Integrity Tests.................. A-23
   'III-8.A         Loose-Parts Monitoring and Core Barrel Vibration Monitoring..............................................                                         A-23 III-8.B-        Control Rod Drive Mechani sm Integrity. . . . . . . . . . . . . . . . . . . A-24 III-8.C-        Irradiation Damage, Use of Sensitized Stainless Steel, and Fatigue Resistance..................................                                         A-25 III-8.D         Core Supports and Fuel Integrity........................                                         A-25 III-9           Support Integrity.......................................                                         A-27 III-10.A        Thermal-Overload Protection for Motors of Motor-0perated Valves..................................................                                         A-29 III.10.B        P ump Flywhe e l I n te g ri ty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-29 III.10.C        Surveillance Requirments on BWR Recirculation Pumps and                                                 i Discharge Valves........................................                                         A-30  1 1

III-11 Component Integrity..................................... A-30 ' III-12 Environmental Qualification of Safety-Related Equipment. A-32 IV-1.A Operation With Less Than All Loops in Service........... A-33 i- IV-2 Reactivity Control Systems Including Functional Design and Protection Against Single Failures........... A-33 IV-3 BWR Jet Pump Operating Indications...................... A-34 V-1 _ Compliance With Codes and Standards (10 CFR 50.55a). . . . . A-34 V-2 Applicability of Code Cases............................. A-35 

  'V-3              Overpressurization Protection...........................                                          A-36 V-4              Piping and Safe-End Integrity...........................                                          A-36 V-5             Reactor Coolant Pressure Boundary (RCPB)

Leakage Detection....................................... A-37 San Onofre 1 SEP A-iv

r t b[ 'u 4: 3 CONTENTS (Continued) TOPIC ; TITLE PAGE I V '6 Reactor Vessel Integrity................................ A-38 V-7, " Rea.ctor Coolant Pump 0verspeed.......................... A-39 V-8 - Steam Generator (SG) Integrity.......................... A-39 V-9 Reactor Core Isolation Cooling System (BWR)............. A-40 V-10.A~. ' Residual Heat Removal System Heat Exchanger Tube Failures................................................ A-41 V-10.B Residual Heat Removal System Reliability................ A-41 V-11.A Requirements for Isolation of High- and Low-Pressure p Systems................................... ............. A-42 V-11.B.( Residual Heat Removal System Interlock Requirements..... A-43 V-12.A - 4 Water Purity of BWR Primary Coolant. .... .. ........... A-44 V-13 Waterhammer............................................. A-44 R 

                 .VI                Organic Materials and Postaccident Chemistry............ A-45 VI-2.A
                                   ~

Pressure-Suppression-Type BWR Containments.............. A-46 

                  .VI-2.B              Subcompartment Analysis................................. A-47 VI-2.C              - Ice Condenser  Containment............................... A-48 VI-2.0               Mass'and Energy Release for Postulated Pipe Break                l Inside Containment...................................... A-49 VI-3                 Containment Pressure and Heat Removal Capability........ A-50 VI-4                 Containment Isolation System............................ A-50
                'VI-5                  Combustible Gas Control................................. A-51 VI-6                 Containment Leak Testing................................ A-53 VI-7.A.1             Emergency Core Cooling System-Reevaluation To Account for Increased Reactor Vessel Upper-Head Temperature..... A-53
                 .VI-7.A.2             Upper Plenum Injection.................................. A-54 VI-7.A.3             Emergency Core Cooling System Actuation System.......... A-54 VI-7.A.4             Core Spray Nozzle Effectiveness......................... A-55
   ~'

VI-7.8 Engineered Safety Feature Switchover From Injection to Recirculation Mode (Automatic Emergency Core Cooling System Realignment)............................. A-56 

                - V,i. 7.C             Emergency Core Cooling System (ECCS) Single-Failure
      *                 ~
                            ,          Criterion and Requirements for Locking Out Power to j                        Valves, Including Independence of Interlocks on ECCS Valves.................................................. A-56 VI-7.C.1             Appendix K--Electrical Instrumentation and Control Re-reviews.............................................. A-57 VI-7.C.2             Failure Mode Analysis (Emergency Core Cooling System)... A-57 l

San Onofre 1 SEP A-v

CONTENTS (Continued) TOPIC TITLE PAGE VI-7.C.3 Effect of PWR Loop Isolation Valve Closure During a Loss-of-Coolant Accident on Emergency Core Cooling System Performance...................................... A-58 VI-7.D Long-Term Cooling Passive Failures (e.g. , Flooding of Redundant Components).............................. .... A-58 VI-7.E Emergency Core Cooling System Sump Design and Test for Recirculation Mode Effectiveness........ ....... . . A-59 VI-7.F Accumulator Isolation Valves Power and Control System Design.. .............. ... . ............ ............ A-60 VI-8 Control Room Habitability.. ........................... A-60 VI-9 Main Steam Line Isolation Seal System (BWR).. ......... A-61 VI-10.A Testing of Reactor Trip System and Engineered Safety Features, Including Response-Time Testing..... ..... .. A-62 VI-10.B Shared Engineered Safety Features, Onsite Emergency Power, and Service Systems for Multiple Unit Stations... A-63 VII-1.A Isolation of Reactor Protection System From Nonsafety Systems, Including Qualification of Isolation Devices. . . A-63 VII-1.B Trip Uncertainty and Setpoint Analysis Review of Operating Data Base... .............. .... .. .......... A-64 VII-2 Engineered Safety Features System Control Logic and Design.................................. ............... A-65 VII-3 Systems Required for Safe Shutdown... .. ..... .... .... A-66 VII-4 Effects of Failure in Nonsafety-Related Systems on Selected Engineered Safety Features. .. ... .... ... A-66 VII-5 Instruments for Monitoring Radiation and Process Variables During Accidents. ..... ........ . .......... A-68 VII-6 Frequency Decay. . .... .. ..... .. .. . ........ . A-70 VII-7 Acceptability of Swing Bus Design on BWR-4 Plants....... A-71 VIII-1.A Potential Equipment Failures Associated With Degraded Grid Voltage.. .................... ........... A-71 1 VIII-2 Onsite Emergency Power Systems (Diesel Generator)..... . A-72 VIII-3.A Station Battery Capacity Test Requirements....... .. . A-73 VIII-3.B DC Power System Bus Voltage Monitoring and Annunciation. . ... . . . . . A-74 VIII-4 Electrical Penetrations of Reactor Containment. . A-74 IX-1 Fuel Storage. . .... . ...... ...... . . . . .. . A-75 IX-2 Overhead Handling System (Cranes). . . ... .. .. .. A-76 IX-3 Station Service and Cooling Water Systems..... ..... . . A-77 San Onofre 1 SEP A vi

CONTENTS (Continued) TOPIC . TITLE. PAGE IX-4 Boron Addition System (PWR)............................. A-79 IX-5 Ventilation Systems..................................... A-79 IX-6 Fire-Protection......................................... A-80 p X Auxiliary Feedwater System.............................. A-81 XI-1 Appendix I.............................................. A-82 XI-2. Radiological (Effluent and Process) Monitoring Systems.. A-83 

 .XIII-1          Conduct of Operations................................... A-85                                       I XIII-2          Safeg'uards/ Industrial Security............ ............. A-87
 .XV-1            Decrease in Feedwater' Temperature, Increase in Feedwater Flow, -Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Va1ve............................ ............ A-87 XV-2            Spectrum of Steam System Piping Failures Inside and Outside Containment-(PWR)...............................                                      A-88 XV-3            Loss of External Load, Turbine Trip, Loss of Condenser Vacuum, Closure of Main Steam Isolation Valve-(BWR),

and Steam Pressure Regulator Failure (Closed)........... A-89 XV-4 Loss of Nonemergency AC Power to the Station Auxiliaries............................................. A-89 XV-5 Los s o f Normal Feedwater F1 ow. . . . . . . . . . . . . . . . . . . . . . . . . . . A-90 XV-6 Feedwater System Pipe Breaks Inside and Outside Containment (PWR)....................................... A XV-7 Reactor Coolant Pump Rotor Seizure and Reactor. Coolant Pump Shaft Break............ ........................... A-91 XV-8 Control Rod Misoperation (System-Malfunction or Operator Error)................. ....................... A-91 XV Startup of an Inactive Loop or Recirculation Loop at an Incorrect Temperature, and Flow Controller Malfunction Causing an Increase in BWR Core Flow Rate... A-92 XV-10 Chemical and Volume Control System Malfunction That Results in a Decrease in Boron Concentration in the Reacto r Cool an t ( PWR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-92 XV-11 Inadvertent Loading and Operation of a Fuel Assembly in an Improper Position (BWR).... .. .. ... ..... .. ... A-93 XV-12 Spectrum of Rod Ejection Accidents (PWR) . . . . . . . . . . . . . A-93 XV-13 Spectrum of Rod Drop Accidents (BWR)....... ........... A-94 XV-14 Inadvertent Operation of Emergency Core Cooling System and Chemical and Volume Control System Malfunction That Increases Reactor Coolant Inventory..... A-95 San Onofre:1 SEP A vii a

i r CONTENTS (Continued) TOPIC' TITLE- PAGE 

        ~XV-15            Inadvertent Opening of a PWR Pressurizer Safety / Relief Valve or.a BWR Safety / Relief Valve......................              A-95 XV-16            Radiological Consequences of Failure of Small Lines Carrying Primary Coolant Outside Containment. . . . . . . . . . . . A         .XV-17             Radiological Consequences of Steam Generator Tube
                         . Failure (PWR)........... ............................... A-97 XV-18            Radiological Consequences of Main Steam Line Failure Outside Containment.....................................                A-97
        ;XV-19            Loss-of-Ccolant Accidents Resulting From Spectrum of Postulated Piping Breaks Within the Reactor Coolant Pressure Boundary.......................................                A-98
       .XV-20:            Radiological Consequences of Fuel-Damaging Accidents (Inside and Outside Containment).... ........... ....... A-99 XV-21            Spent Fuel Cask Drop Accidents..........................                A-99 XV-22            Anticipated Transients Without         Scram....................        A-100 XV-23            Multiple Tube Failures in Steam Generators..............                A-101 XV-24            Loss of All AC  Power....................................               A-102
       .XVI.            ' Technical Specifications................................                A-102 XVII             Operational Quality Assurance         Program................... .A-103 San Onofre 1 SEP                                A-viii

n TOPIC: II-1.A Exclusion Area Authority and Control (1) Definition: The establishment of the exclusion area and the licensee's control over it are. reviewed at the construction permit / operating license stage. There-after,-the licensees are required to report any changes with safety implica-tions. The concern exists, however, that (1) the original review may not have been as thorough as currently done, or (2) changes may have occurred but have not been reported and reviewed. 'In particular, new activities within the exclusion area (for example, new recreational facilities or offshore oil drilling) and-topographical changes (for example, changes in water levels) may need to be reviewed. 

  ,( 2) Safety-Objective:

To assure that appropriate exclusion area authority and control is main-tained by the licensee. (3) Status: Selective reviews have been performed (San Onofre Nuclear Generating Station Unit 1) or are under way (Fort Calhoun) where changes in exclusion area boundary have become necessary. 

 -(4)

References:

1. Title 10, " Energy," Code of Federal Regulations, Part 100*
2. NUREG-75/087, " Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants - LWR Edition, " December 1975,"**

Section 2.1.2 

 -TOPIC:     II-1.8 Population Distribution (1) Definition:

Population distribution in the vicinity of operating plants may have changed since the initial review was performed at the construction permit stage. Special attention should be given to new housing and commercial, military, or institutional installations established since the initial population-distribution review. 

 -(2) Safety Objective:

New population distributions may require revision of low population zone (LPZ) and population center to assure appropriate protection for the public by complying with the guidelines of 10 CFR Part 100. Adjustments may have 

   '*Hereafter referred to as 10 CFR.
  **Hereafter referred ts as Standard Review Plan.

San Onofre 1 SEP A-1

to be made in' emergency' plans. New accident analyses may have to be per-formed to determine consequent conformance with 10 CFR Part 100 at new LPZ distances. P_otential need for additional er.gineered safety features (for. example, chemical sprays or better filters) exists. 

   .(3) Status:

Has been done on a selective basis only, that is, Pilgrim Unit 1 new population center. . 

  -(4)

References:

1. 10 CFR Part 100 2.' . Standard Review Plan, Section 2.1.3 TOPIC: :II-1.C. Potential Hazards or Changes in Potential Hazards Due to Trans-portation, Institutional, Industrial, and Military Facilities (1) Definition:

For operating plants-there are three concerns: 1 (a) New hazards created since the facility was licensed, ) (b) . Hazards considered for licensing but that have expanded beyond projec-tions or which were not reviewed against current criteria,- and -1 (c) Hazards that were not analyzed at the licensing stage because of lack-of regulatory criteria at the time. Nearby transportation, institutional, industrial, and military facilities may be threats to' safe plant operation due to: 

         .(a) Control room infiltration of toxic gases, (b) Onsite fires triggered by transport of combustible chemicals from offsite releases, (c) Shock waves due to detonation of stored or transported explosives and military ordnance firing, and (d). Onsite aircraft impact.
   ~(2) Safety Objective:

To assure that the control room is habitable at all times and that the postulated hazards will not result in releases in excess of the 10 CFR Part 100 guidelines by disabling systems required for safe plant shutdown. 

   -(3) Status:

Action has been taken on a selective basis only, for example, curbing of military air activity in the vicinity of the Big Rock Point Plant. Liquid San Onofre 1 SEP A-2

I l natural gas (LNG) hazards at Calvert Cliffs are under review. The review of older plants did not consider offsite hazards in detail (for example, aircraft traffic in the vicinity). , (4)

Reference:

Standard Review Plan, Sections 2.2.1 and 2.2.2 TOPIC: II-2.A Severe Weather Phenomena (1) Definition: Safety-related structures, systems, and components should be designed to function under all severe weather conditions to which they may be exp'osed. Meteorological phenomena to be considered include turnadoes, snow and ice loads, extreme maximum and minimum temperatures, lightning, combinations of meteorology and air quality conditions contributing to high corrosion 

    -rates, and effects of sand and dust storms.

(2) _ Safety Objective: To assure that the designs of safety-related structures, systems, and components reflect consideration of appropriate extreme meteorological conditions and severe weather phenomena. This effort would identify deficiencies in designs and/or operation that may contribute to accidental 

    . releases of radioactivity to the atmosphere resulting in doses to the public in excess of 10 CFR Part 100 or Part 20 guidelines (as appropriate to the design of the component or system).

(3) Status: Generic studies have been initiated to develop guidelines for extreme temperatures and lightning, and to the review the current Branch Positions on snow loads. Estimated completion dates are 6/1/78 or later. (4)

References:

1. 10 CFR Part.100 or Part 20
2. Regulatory Guide 1.76, " Design Basis Tornado for Nuclear Power Plants"
3. Standard Review Plan, Section 2.3.1
4. Branch Technical Position, " Winter Precipitation Loads," March 24, 1975
5. Inquiry by Chairman Rowden Concerning Lightning Protection, July 9, 1976
6. 10 CFR Part 50 TOPIC: 1I-2.B Onsite Meteorological Measurements Program (1) Definition:

To review the onsite meteorological measurements program to determine the f extent that the licensee complies with 10 CFR Part 50, Appendix E and ' Appendix I. San Onofre 1 SEP A-3 l

(2)' Safety Objective: To assure that adequate meteorological instrumentation to quantify the offsite exposures from routine releases is available and maintained. (3) Status: Onsite meteorological measurements programs are being reviewed as a part of the Appendix I evaluations. (4) References.

1. 10 CFR Part 50, Appendix E and Appendix I
2. Regulatory Guide 1.97, Rev.1, " Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident"
      -3.      Regulatory Guide 1.23, "Onsite Meteorological Programs"
      '4.      Standard Review Plan, Section 2.3.3 (5) Basis for Deletion (Related TMI Task, Unresolved Safety Issue (USI),

or Other SEP Topic): (a) TMI Action Plan Task II.F.3, " Instrumentation for Monitoring Accident Conditions" (NUREG-0660) Task II.F.3 requires that appropriate instrumentation be provided for accident monitoring with expanded ranges and a source term that considers a damaged core capable of surviving the accident environ-ment in which it is located for the length of time its function is required. Regulatory Guide 1.97, Revision 2, " Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs 

             ' Conditions During and Following an Accident," issued December 1980, contains the required meteorological instrumentation to quantify the offsite exposure.

(b) TMI Action Plan Task III.A.1, " Improve Licensee Emergency Preparedness - Short Term" (NUREG-0660)- Task III.A.1 requires the evaluation of 10 CFR Part 50, Appendix E, backfit requirements in accordance with NUREG-0654, " Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants." Backfit require-ments include review of the Onsite Meteorological Measurement Program. The evaluations required by Tasks II.F.3 and III.A.1 are identical to SEP Topic II-2.B; therefore, this SEP topic has been deleted. TOPIC: II-2.C Atmospheric Transport and Diffusion Characteristics for Accident Analysis

(1) Definition

To review the atmospheric transport and diffusion characteristics assumed to demonstrate compliance with the 10 CFR 100 guidelines with respect to San Onofre 1 SEP A-4

m l 1 plant design,' control room habitability, and doses to the public during

and-following a postulated design-basis accident. This effort would examine the assumptions for:
        .(a) Effects of explosive concentrations from onsite or offsite releases of hazardous material for consideration in structural design, (b) . Calculation of relative concentration (x/Q) values for releases of radioactivity and toxic chemicals for consideration in control room habitability, and (c) Calculations of doses to the public resulting from releases of radio-activity to the atmosphere during and following a postulated design-basis accident.

This effort is considered necessary because most original reviews were performed using the assumptions provided in Regulatory Guides 1.3 and 1.4 which have been found to be generally nonconservative based on evaluation of over 50 sites with actual meteorological observations. (2) Safety Objective: To assure that the atmospheric transport and diffusion characteristics originally assumed to demonstrate compliance with the 10 CFR 100 guidelines are appropriate, considering additional onsite meteorological data and results of recent atmospheric diffusion experiments. (3) Status: A review of long-term (annual average) atmospheric transport and diffusion characteristics is ongoing for Appendix I evaluations independent of the SEP effort. A study has also recently been performed by the Hydrology-Meteorology Branch for the Division of Operating Reactors for review of the meteorological assumptions for estimating control room dose consequences resulting from post-LOCA purges through tall stacks. (4)

References:

1. 10 CFR Part 20 2.- 10 CFR Part'50, Appendix A and Appendix I
3. 10 CFR Part 100
4. Regulatory Guides 1.3, " Assumption Used for Evaluating the Potential Radiological Consequences of a Loss-of-Coolant Accident for Boiling Water Reactors" 1.4, " Assumptions Used for Evaluating the Potential Radiologcal Consequences of a Loss-of-Coolant Accident for Pressurized Water Reactors"
5. Standard Review Plan, Sections 2.3.4, 6.4, 2.2.1, 2.2.2, and 2.2.3 San Onofre 1 SEP A-5 w_

T 1 TOPIC: II-2.D Availability of Meteorological Data in the Control Room (1) Definition: Data from the onsite meteorological program should be available in the control room. (2) Safety Objective: To assure that the lincensee has appropriate meteorological logical data displayed in the control room to assess conditions during and following an accident to allow for (1) early indication of the need to initiate action necessary to protect portions of the offsite public and (2) an estimate of the magnitude of the hazard from potential or actual accidental releases. (3) Status: No work currently being done on this subject for operating plants. (4)

References:

1. 10 CFR Part 50, Appendix E and Appendix I
2. Regulatory Guide 1.97, Rev.1, " Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident"
3. Regulatory Guide 1.23, "Onsite Meteorological Programs"
4. Standard Review Plan, Section 2.3.3 (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic):

_(a) TMI Action Plan Task II.F.3, " Instrumentation for Monitoring Accident Conditions" (NUREG-0660) Task II.F.3 requires that appropriate instrumentation be provided for accident monitoring with expanded ranges and a source term that considers a damaged core capable of surviving the accident environment in which it is located for the length of time its function is required. Regulatory Guide 1.97, Revision 2, " Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident," issued December 1980, contains the required meteorological instrumentation to quantify the offsite exposure. (b) TMI Action Plan Task III.A.1, " Improve Licensee Emergency Preparedness - Short Term" (NUREG-0660) Task III.A.1, " Improve Licensee Emergency Preparedness - Short Term," requires _the evaluation of 10 CFR Part 50, Appendix E backfit require-ments in accordance with NUREG-0654, " Criteria for Preparation and I Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants." Backfit requirements include review of the Onsite Meteorological Measurement Program. San Onofre 1 SEP A-6

p - (c) TMI Action Plan Task I.D.1, " Control Room Design Reviews" (NUREG-0660) 

                     - 6ask I.D.1, " Control Room Design Reviews," requires that operating L                     reactor licensees and applicants for operating licenses perform a detailed control room design review to identify and correct design deficiencies. This review will include an assessment of control room-layout, the adequacy of the information~provided, the arrange-ment and identification of important controls and instrumentation displays, the usefulness of the audio and visual alarm systems, the information recording and recall capability, lighting, and other considerations of human factors that have an impact on operator effectiveness.

The evaluations required by Tasks II.F.3, III.A.1, and I.D.1 are indentical to SEP Topic II-2.D; therefore, this SEP topic has been deleted. 

       ' TOPIC:   I I-3.' A Hydrologic Description
       -(1) Definition:
             . Hydrologic considerations are the interface of the plant with the hydro-sphere, the identification of hydrologic causal mechanisms that may require special plant design or operating limitations with regard to floods and water supply requirements, and the identification of sLrface-and groundwater uses that may be affected by plant operation.

These hydrologic considerations may have changed since they were reviewed at the licensing stage. A review of such changes, if any, should be per-formed including an assessment of their impact on the plants. (2) Safety Objective: To assure that the designs of safety-related structures, systems, and components reflect consideration of appropriate hydrologic conditions, and to identify deficiencies in designs and/or operations that could contribute to accidental radioactive releases. (3) Status: No work currently being done on this subject for operating plants. (4)

References:

1. 10 CFR Parts 20, 50, and 100
2. American National Standards Institute, ANSI N170-1976, " Standards for Determining Design Basis Flooding at Power Reactor Sites"
3. Regulatory Guide 1.59, " Design Basis Floods for Nuclear Power Plants"
4. Standard Review Plan, Section 2.4.1 San Onofre 1 SEP A-i

TOPIC: II-3.8 Flooding Potential and Protection Requirements (1) Definition: If the potential for flocds exists and protection is required, the type of protection (sand bags, flood doors, bulkheads, and so forth) will be reviewed to assure _that equipment is available and that provisions have been made to implement the required protection. (2) Safety Objective: To assure that safety-related structures, systems, and components are adequately protected against floods. (3) ' Status: Flooding protection requirements were reviewed on selected operating plants during the winter of 1976 due to the potential for flooding caused by ice accumulation and predictions for abnormally high_ spring runoff for some areas. , (4)

References:

1. 10 CFR Parts 50 and 100
2. Regulatory Guide 1.59, " Design Basis Floods for Nuclear Power Plants"
3. American Natianal Standards Institute, ANSI N170-1976, " Standards for Determining Design Basis Flooding at Power Reactor Sites"
4. Standard Review Plan, Section 2.4.10 TOPIC: II-3.8.1 Capability of Operating Plants To Cope With Design-Basis Flooding Conditions (1) Definition:

Protection against postulated floods is accomplished, if,necessary, by 

     " hardening" the plant and by implementing appropriate technical specifica-tions and emergency procedures.

These technical specifications and flood emergency procedures need to be reviewed for plants licensed prior to 1972 to establish the degree of conformance with current criteria. Flooding criteria used for the design of older plants are not known. (2) Safety Objective: Same as II-3.B (3) Status: Same as II-3.B 1 San Onofre 1 SEP A-8

(4) .

References:

1. 10 CFR Part 100
2. -American National Standards Institute, ANSI N170-1976, " Standards for Determining Design Basis Flooding at Power Reactor Sites" l
3. Regulatory Guide 1.59, " Design Basis Floods for Nuclear Power Plants"
4. Standard Review Plan, Sections 2.4.3, 2.4.4, 2.4.5, and 2.4.7 TOPIC: II-3.C Safety-Related Water Supply (Ultimate Heat Sink [ UHS])

(1) Definition: To determine the adequacy of onsite water sources with respect to providing safety-related water during emergency shutdown and maintenance of-safe shutdown. The location and inventory of safety-related water sources and the meteorological conditions to be used in evaluating both temperature and inventory of.the sources should be established. Considerations of ice, low water, leak-potential, and underwater dams should be included. In most cases, plants operating prior to 1973 will have to be reviewed to establish the degree of conformance with current criteria. Prior to the 

        . issuance of Regulatory Guide 1.27 in 1973, the Standard Format and Content (now Regulatory Guide 1.70) provided the only guidelines to prospective applicants on UHS requirements. Since compliance was not required and hydrologic and meteorologic criteria had not been established, usually only minimal data were provided.
 .(2) Safety Objective:

To assure an appropriate supply of cooling water during normal and emer-gency shutdown procedures. (3) Status: No' work currently being done on this subject for operating plants. 

 .(4)

References:

1. 10 CFR Part 100
2. Regulatory Guide 1.27, " Ultimate Heat Sink for Nuclear Power Plants"
3. Standard Review Plan, Sections 2.4.11 and 9.2.5 TOPIC: II-4 Geology and Seismology (1) Definition:

Prior to the adoption of Appendix A to 10 CFR Part 100 in 1973, the Stan-dard Format provided the only guidelines to prospective applicants regarding the type of geologic and seismic information needed by the Atomic Energy Commission staff. The applicant, because compliance with Regulatory Guide 1.70 was not-required, usually provided only minimal data. Therefore, a re-review of plants licensed prior to 1973 is needed in order to determine the adequacy of the plant design with respect to geologic and seisrr.ologic phenomena such as earthquakes, landslides, ground collapse, and liquefaction. I San Onofre 1 SEP A-9

r The review will also include ground motion and surface faulting and will establish'the ground-motion values and foundation conditions to be input into the structural reevaluation for seismic loads. (It is possible that some of the older plants would require assessing only the effects of new geologic and seismic discoveries on the site safety and the resulting design acceleration and/or the response spectra.) _(2) Safety Objective: To assure that accidents (for example, loss-of-coolant accident) do not occur and that plants can safely shut down in the event of geologic and seismologic phenomena which may occur at the site. (3) Status: Selected plants are undergoing reevaluation of geology and seismology (San Onofre Nuclear Generating Station Unit 1 and Humboldt Bay). A plan for reevaluating operating plants was developed in 1975-76 but has not been implemented pending formation of the Systematic Evaluation Program. (4)

References:

1. Standard Review Plan, Sections 2.5.1, 2.5.2, 2.5.3, 2.5.4, and 2.5.5
2. 10 CFR Part 100, Appendix A TOPIC: II-4.A Tectonic Province (1) Definition:

This subtopic covers a specific area within the major topic Geology and Seismology. Its purpose is to reassess the tectonic province for operat-ing plants based on more current knowledge. (A tectonic province is a region characterized by a relative consistency of the geologic structural features contained within. Tectonic provinces are used operationally as regions within which risk from earthquakes not associated with tectonic structures or faults is considered uniform. Usually the largest historical earthquake not associated with a specific structure can be assumed to occur anywhere within the same province.) (2) Safety Objective: To assure that plants can be safely shut down in the event of geologic and seismologic phenomena which may occur at the site. (3) Status: The Geosciences Branch is currently attempting to delineate the boundaries 1 of specific tectonic provinces (estimated completion date, fall 1977). The Site Safety Standards Branch is attempting to revise Appendix A to 10 CFR Part 100 so that the definition of tectonic province will more closely ' i conform to its operational use (estimated completion date, 1978). We cur-rently accept such provinces as generally proposed by King, Rogers, or Eardley. Limited subdivision of these provinces has been allowed based l on thorough geological and seismic analyses. San Onofre 1 SEP A-10

m _ _ (4)

References:

1. 10 CFR Part 100, Appendix A
2. King, P. B., Tectonic Map of North America; Washington, D.C., U.S.

Geological Survey, 1969

3. Rogers, John, The Tectonics of the Appalachians, N.Y., Wiley-Interscience, 271 p, 1970
                     .4. Eardley, A. H.~, " Tectonic Divisions of North America," Bulletin of the American Association of Petroleum Geologists, 35: 2229-2237, 1951 TOPIC:              II-4.B Proximity of Capable Tectonic Structures in Plant Vicinity (1) Definition:

This subtopic covers a specific area within the major topic Geology and Seismology. Its purpose is to determine the expected shaking character-istics at a plant site from known capable faults. The' ground motion associ-ated with an earthquake generated by a capable fault or a tectonic structure may be greater than that associated with earthquakes in the same tectonic province not related to the structure. (2) Safety Objectives: To assure that plants can be safely shut down in the event of geologic and seismologic phenomena which may occur at the site. (3) Status: No work currently being done on this subject for operating plants. (4)

References:

1. 10 CFR Part 100, Appendix A
2. Standard Review Plan, Section 2.5.2
3. Regulatory Guide 1.60, " Design Response Spectra for Seismic Design of Nuclear Power Plants"
     -TOPIC:              II-4.C Historical Seismicity Within 200 Miles of Plant (1) Definition:

Determination of the safe shutdown earthquake (SSE) is made with consider-ation of past seismicity in the vicinity of the plant. However, there is sometimes disagreement or inconsistency in reporting older earthquakes in the literature. Current high seismicity may also indicate possible hidden tectonic features. The historical seismicity within 200 miles of the plants will be reviewed including all earthquakes of Richter magnitude greater than 3.0 or of Modi-fled Mercalli intent,ity greater than III. Association with tectonic features and provinces should be included. San Onofre 1 SEF A-11

(2) Safety Objective: To assure that the SSE is compatible with past seismicity in the area. (3) Status: No work currently being done in this subject for operating reactors. (4)

References:

1. Richter, C. F., Elementary Seismology, W. H. Freeman and Company, San Francisco, Calif., 1958
2. 10 CFR Part 100, Appendix A TOPIC: II-4.0 Stability of Slopes (1) Definition:

Overstressing a slope may cause sudden failure with rapid displacement or shear strain which may damage safety-related structures. The possibility of movement is evaluated by comparing forces resisting tailure to those causing failure. An assessment of this ratio should be made to determine the safety factor. (2) Safety Objective: To assure that safety-related structures, systems, and components are adequately protected against failure of natural or man-made slopes. (3) Status: No work currently being done on this subject for operating plants. (4)

References:

1. Standard Review Plan, Section 2.5.5
2. 10 CFR Part 100, Appendix A
3. Naval Facilities Engineering Command, NAVFAC DM-7, " Design Manual -

Soil Mechanics, Foundations, and Earth Structures." TOPIC: II-4.E Dam Integrity (1) Definition: Dam integrity is the ability of a dam to safely perform its intended functions. These functions would normally include remaining stable under all conditions of reservoir operation, controlling seepage to prevent i excessive uplifting water pressures or erosion of soil materials, and providing sufficient freeboard and outlet capacity to prevent overtopping. (2) Safety Objective: To assure that adequate margins of safety are available under all loading conditions and uncontrolled releases of retained liquid are prevented. San Onofre 1 SEP A-12

p For many projects an important consideration is the necessity of assuring that an adequate quantity of water is available in times of emergency. (3) Status: Additional guidance on assuring the integrity of dams is currently being developed by the Office of Standards Development in Regulatory Guide 1.127, 

               " Inspection of Water-Control Structures Associated With Nuclear Power Plants,"

and through the geotechnical engineering service contract with the U.S. Army Corps of Engineers on design of structures such as ultimate heat sinks. (4)

References:

'- 1. Standard Review Plan, Section 2.5.6 2.. -10 CFR Part 100, Appendix A

3. U.S. Army Corps of Engineers, EM 1110-2-1902, " Engineering and Design Stability of Earth and Rock-Fill Dams," Office of Chief of Engineers, 1970
4. U. S. Army Corps of Engineers, EM 1110-2-2300, " Earth and Rock-Filled
Dams General Design and Construction Considerations," 1971
5. Regulatory Guide 3.11, " Design, Construction, and Inspection of Embankment Retention Systems for Uranium Mills" TOPIC: II-4.F Settlement of Foundations and Buried Equipment (1) Definitions:

Structural loads develop pressures in compressible strata which are not 

         -equivalent to the original geostatic pressures. .Settiement and differential settlement should be evaluated.

(2) Safety Objective: To assure that safety-related structuras, systems, and components are adequately protected against excessive settlement. (3) Status: No work currently being done on this subject for operating plants. (4)

References:

1. Standard Review Plan, Section 2.5.4
2. 10 CFR Part 100, Appendix A
3. Naval Facilities Engineering Command, N,AVFAC DM-7, " Design Manual -

Soil Mechanics, Foundations, and Earth Structures" TOPIC: III-1 Classification of Structures, Corrponents, and Systems (Seismic and Quality) (1) Definition: Plant structures, systems, and components that are required to withstand the effects of a safe shutdown earthquake and remain functional should be San Onofre 1 SEP A-13 E ___ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ___________ _ _ _____

classified as Seismic Category I. Systems and components important to safety.should be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety function to be 

    . performed. Review the classification of structures, systems, and components important to safety to assure they are of the quality level commensurate with their safety function.

(2) Safety Objective: To assure that structures, systems, and components will fullfill their intended safety functions in accordance with design requirements. To assure that structures, systems, and components necessary for safety will withstand the effects of the designated safe shutdown earthquake and will remain functional. (3) Status: There is currently no Division of Operating Reactors activity to confirm the classification of structures, components, and systems important to safety of operating reactors. (4)

References:

1. Standard Review Plan, Section 3.2.1
2. Standard Review Plan, Section 3.2.2
3. Regulatory Guide 1.26, " Quality Group Classifications and Standards for Water , Steam , and Radioactive-Waste-Containing Components of Nuclear Power Plants"
4. Regulatory Guide 1.29, " Seismic Design Classification" TOPIC: III-2 Wind and Tornado Loadings (1) Definition:

Review the capability of the plant structures, systems, and components to withstand design wind loadings in accordance with 10 CFR 50, Appendix A. The review includes the following: (A) Design Wind Protection; (B) Tor-nado Wind and Pressure Drop Protection; (C) Effect of Failure of Structures Not Designed for Tornado on Safety of Category I Structures, Systems and Components; (D) Tornado Effects on Emergency Cooling Ponds. (2) Safety Objective: To assure that Category I structures, systems, and components are adequately designed for tornado winds and pressure drop, that any damage to structures not designed for tornado generated forces will not endanger Category I structures, systems, and components, and that tornado winds will not prevent the water in the cooling ponds from acting as a heat sink. l (3) Status: This review applies to all plants. There are no ongoing reviews concern-ing this matter. San Onofre 1 SEP A-14

(( T !- (4)

References:

1. '10 CFR Part 50, Appendix A, General Design Criterion (GDC) 2
2. . Standard Review Plan, Sections 3.3, 3.8, and 9.2.5
3. Regulatory Guides 1.76, " Design Basis Tornado for Nuclear Power Plants"
              .1.117, " Protection of Nuclear Plants Against Industrial Sabotage" TOPIC:    III-3.A Effects of.High Water Level on Structures (1) Definition:

If the high water level for the plant is reevaluated and found to be above the original design basis, then review the. ability of the plant structures to withstand this water level. (2) Safety Objective: To provide assurance that floods or high water level will not jeopardize the structural integrity of the plant seismic Category I structures and that seismic Category I systems and components located within these structures will be adequately protected. (3) Status: 

       .This review applies to all plants.      There are no ongoing reviews concern-ing this matter.

(4)

References:

1. 10 CFR Part 50, Appendix A, GDC 2 ,
2. Standard Review Plan, Sections 2.4, 3.4, and 3.8
3. Regulatory Guides ,

1.59, " Design Basis Floods for Nuclear Power Plants" ' 1.102, " Flood Protection for Nuclear Power Plants" TOPIC: III-3.8 Structural and Other Consequences (e.g., Flooding of Safety-Related Equipment in Basements) of Failure of Underdrain Systems (1) Definition: 

       .Some plants rely on underdrain systems to limit the water table elevation at the plant to a safe level. Review underdrain systems of those facili-ties in which they are used.

(2) Safety Objective: To assure that the integrity of underdrain systems is maintained because a failure could lead to a rise in water table elevation which, in turn, could jeopardize the integrity of structures or the safety equipment within such structures. San Onofre 1 SEP A-15 1

n 

 ~(3) Status:

The structural consequences of the failure of underdrain systems were thoroughly reviewed during the construction permit review of Douglas Point Units 1 and 2 and Perry Units 1 and 2. There are no ongoing reviews of this topic for operating facilities. (4)

References:

1. 10 CFR Part 50, Appendix A, GDC 2  !
2. Standard Review Plan, Sections 2.4.13, 3.4, and 3.8 TOPIC: III-3.C Inservice Inspection of Water Control. Structures (1) Definition:

Review the adequacy of the inservice inspection program of water control structures for operating plants to assure conformance with the intent of Regulatory Guide 1.127. (2) Safety Objective: To assure that water control structures of a nuclear power facility (for example, dams, reservoirs, and conveyance facilities) are adequately inspected and maintained so as to preclude their deterioration or failure which could result in flooding or in jeopardizing the integrity of the ultimate heat sink for the facility. (3) Status: This review applies to all plants. There are no ongoing reviews concern-ing this matter. (4)

Reference:

Regulatory Guide 1.127, " Inspection of Water-Control Structures Associated With Nuclear Power Plants" TOPIC: III-4.A Tornado Missiles (1) Definition: Plants designed after 1972 have been consistently reviewed for adequate protection against tornadoes. The concern exists, however, that plants reviewed prior to 1972 may not be adequately protected, in particular, those reviewed before 1968 when Atomic Energy Commission criteria on tornado protection were developed. An assessment of the adequacy of a plant to withstand the impact of tor-nado missiles would include: (a) Determination of the capability of the exposed systems, components, and structures to withstand key missiles (including small missiles San Onofre 1 SEP A-16

7 with penetrating characteristics and larger missiles which result in an overall structural impact), (b) Determination of whether any areas of the plant require additional protection. The systems, structures, and components required to be protected because of their importance to safety are identified in Regulatory Guide 1.117. (2) Safety Objective: To assure that those structures, systems, and components necessary to ensure: (a) ~The integrity of the reactor coolant pressure boundary, (b) The capability to shut down the reactor and maintain it in a safe shutdown condition, and (c) The capability to prevent accidents which could result in unaccept-able offsite exposures, can withstand the impact of an appropriate postulated spectrum of tornado-generated missiles. (3) Status: The Regulatory Requirements Review Committee (RRRC) has approved case-by-case rereviews of plants against criteria in Regulatory Guide 1.117, which establishes the systems, structures, and components required to be protected against tornado missiles. This rereview was deferred pending the formation of the SEP. The RRRC is in the process of rereviewing Standard Review Plan, Section 3.5.1.4, which establishes appropriate missiles and impact velocities for new applications. Electric Power Research Institute (EPRI) has missile research in progress. (4)

References:

1. Standard Review Plan, Section 3.5.1.4
2. Regulatury Guide 1.117, " Tornado Design Classification" TOPIC: III-4.8 Turbine Missiles (1) Definition:

A number of nonnuclear plants and one nuclear plant (Shippingport) have experienced turbine disk failures. Rancho Seco has had chemistry problems leading to sodium deposits which caused stress-corrosion cracking of disks. Failure of turbine disks and rotors can result in high energy missiles which have the potential for resulting in plant releases in excess of 10 CFR 100 exposure guidelines. San Onofre 1 SEP A-17

Two areas of concern should be considered: (a) Design overspeed failures - material quality of disk and rotor, inservice inspection for flaws, chemistry conditions leading to stress-corrosion cracking, and (b) Destructive overspeed failures - reliability of electrical overspeed protection system, reliability and testing program for stop and con-trol valves, inservice inspection of valves. The focus of the review would be on turbine disk integrity and overspeed protection, including stop, intercept, and control valve reliability. (2) Safety Objective: To assure that all the structures, systems, and components important to safety (identified in Regulatory Guide 1.117) have adequate protection against potential turbine missiles either by structural barriers or a high degree of assurance that failures at design (120%) or destructive (180%) overspeed will not occur. (3) Status: No work currently being done on this subject for operating plants. Elec-tric Power Research Institute (EPRI) has missile research in progress. (4)

References:

1. Regulatory Guides 1.115 " Protection Against Low Trajectory Turbine Missiles" 1.117, " Tornado Design Classification"
2. Standard Review Plan, Section 3.5.1.3 TOPIC: III-4.C Internally Generated Missiles

-(1) Definition: Review the probability of missile generation and the extent to which safety-related structures, systems, and components are protected against the effects of potential internally generated missiles (including missiles generated inside or outside the containment). (2) Safety Objective: To provide assurance that the integrity of the safety-related structures, systems, and components will not be impaired and that they may be relied on to perform their safety functions following any postulated internally generated missile. (3) Status: No work currently being done on this subject for operating plants. Elec-tric Power Research Institute (EPRI) has missile research in progress. San Onofre 1 SEP A-18

(- (4)

Reference:

Standard Review Plan, Sections 3.5.1.1 and 3.5.1.2 TOPIC: 111-4.0 Site-Proximity Missiles (Including Aircraft) (1) Definition: Review the extent to which safety-related structures, systems, and compo-nents are protected against the effects of missiles postulated in Topic II-1.C. including postulated aircraft crashes and resulting fires. (2) Safety Objective: To provide assurance that the integrity of the safety-related structures, systems, and components will not be impaired and that they will perform their safety functions in the event of a site proximity missile. (3) Status: No work currently being done on this subject for operating plants. Elec-tric Power Research Institute has missile research in progress. (4)

Reference:

Standard Review Plan, Sections 3.5.1.5, 3.5.1.6, 3.5.2, and 3.5.3 TOPIC: III-5.A Effects of Pipe Break on Structures, Systems, and Components Inside Containment (1) Definition: Review the licensee's break and crack location criteria and methods of analysis for evaluating postulated breaks and cracks in high and moderate energy fluid system piping inside containment. The review includes con-sideration of compartment pressurization, pipe whip, jet impingement, environmental effects, and flooding. Regulatory Guide 1.46 does not require that cracks be postulated inside containment. However, the recent proposed revision to Standard Review Plan, Section 3.6.2, " Determination of Break Locations and Dynamic Effects Associated With the Postulated Rupture of Piping," recommends that cracks be postulated inside containment. Old and current plants are not postulating cracks. (2) Safety Objective: To assure that the integrity of structures, systems, and components relied upon for safe reactor shutdown or to mitigate the consequences of a postulated pipe break is maintained. (3) Status: This program has not been started for facilities licensed prior to about early 1974. Subsequent to that date, this topic was included in the operating-license review and has been completed for later facilities. San Onofre 1 SEP A-19

(4)

References:

1. 10 CFR Part 50, Appendix A, GOC 4
2. American Society of Mechanical Engineers, " Boiler and Pressure Vessel Code," Section III
3. Standard Review Plan, Sections 3.6.2 and 3.8
4. Regulatory Guides 1.46, " Protection Against Pipe Whip Inside Containment" i 1.29, " Seismic Design Classification" i TOPIC: III-5.B Pipe Break Outside Containment (1) Definition:

Review the licensee's break and crack location criteria and methods of analysis for evaluating postulated breaks and cracks in high and moderate energy fluid system piping located outside containment. The review includes consideration of compartment pressurization, pipe whip, jet impingement, environmental effects, and flooding. (2) Safety Objective: To assure that pipe breaks would not cause the loss of needed functions of safety-related systems, structures, and components and to assure that the plant can be safely shut down in the event of such breaks. (3) Status: This task is complete for all operating plants with the exception of three plants for which the review is in progress. (4)

References:

1, 10 CFR Part 50, Appendix A. GOC 4

2. American Society of Mechanical Engineers, "Boller and Pressure Vessel Code," Section III
3. Standard Review Plan, Section 3.6.1
4. Regulatory Guides 1.46, " Protection Against Pipe Whip Inside Containment" 1.29, " Seismic Design Classification"
5. Standard Review Plan, Branch Technical Position MEB 3-1, " Postulated
    .        Break and Leakage Locations in Fluid System Piping Outside Containment"
6. NUREG-0328, " Regulatory Licensing: Status Summary Report," (Pink Book)

Issue 3-25

7. Standard Review Plan, Section 3.6.2 TOPIC: III-6 Seismic Design Considerations (1) Definition:

Review and evaluate the original plant design criteria in the following areas: Seismic Input, Analysis and Design Criteria, Qualification of Electrical and Mechanical Equipment, Seismic Instrumentation, Seismic San Onofre 1 SEP A-20

l i i Categorization, and the effect of failure of non-Category I structures on the safety of Category I structures, systems, and components. l (2) Safety Objective: To ensure the capability of the plant to withstand the effect of earthquakes. (3) Status: Humboldt Bay and San Onofre plants are currently undergoing seismic review. Technical Assistance Contracts: (a) Seismic Conservatism (Lawrence Livermore Laboratory) (b) Elasto-Plastic Seismic Analysis (Lawrence Livermore Laboratory) (c) Seismic Review of Operating Plants (Newmark) (4)

References:

! 1. Standard Review Plan, Sections 2.5, 3.7, 3.8, 3.9, and 3.10

2. Regulatory Guides 1.12. " Instrumentation for Earthquakes" 1.60, " Design Response Spectra for Seismic Design of Nuclear Power Plants" 1.61, " Damping Values for Seismic Design of Nuclear Power Plants" i

1.92, " Combining Modal Responses and Spatial Components in Seismic Response Analysis" 1.122, " Development of Flood Design Spectra for Seismic Design of Floor-Supported Equipment or Components" TOPIC: III-7.A Inservice Inspection, Including Prestressed Concrete Contain-ments With Either Grouted or Ungrouted Tendons (1) Definition: Review licensee's inspection program for all Category I structures including steel, reinforced concrete, and prestressed concrete containments. The program should include investigations for possible corrosion and cracking of steel containments, excessive cracking of concrete structures, lift-off tests of tendons, periodic testing of prestressing tendons for contain-monts with grouted tendons, and possible deterioration of prestressed containments. (2) Safety Objective: To assure the' the licensee's inspection program will detect any damaging deterioration of the structures and that they will be capable of perform-ing as required by 10 CFR 50, Appendix A. (3) Status: This review applies to all plants. There are no ongoing reviews concern-ing this matter. San Onofre 1 SEP A 21

a 

                                                                                  .I (4)

References:

1. 10 CFR Part 50, Appendix A
2. Standard Review Plan, Section 3.8
3. Regulatory Guides 1.35, " Inservice Inspection of Ungrouted Tendons in Prestressed Concrete Containment Structures" 1.90, " Inservice Inspection of Prestressed Concrete Containment ,

Structures With Grouted Tendons" i TOPIC: III-7.B Design Codes, Design Criteria, Load Combinations, and Reactor Cavity Design Criteria (1) Definition: Review the design codes, design criteria, and load combinations for all Category I structures (that is, containment, structures inside containment, and structures outside containment). (2) Safety Objective: To provide assurance that the plant Category I structures will withstand the NRC specific design conditions without impairment or structural integrity or the performance of required safety functions. (3) Status: This review applies to all plants. There are no ongoing reviews concern-ing this matter. (4)

References:

1. 10 CFR Part 50, Appendix A GOC 2 and 4
2. Standard Review Plan, Section 3.8 TOPIC: III-7.C Delamination of Prestressed Concrete Containment Structures (1) Definition:

Review the design of prestressed concrete containment structures to assess the likelihood of delamination occurring in the shell walls or dome and to evaluate the consequences, if any. (2) Safety Objective: To assure that the licensee's design and construction methods have provided a structure which will maintain its integrity and will perform its intended function. Delaminations (internal cracking of concrete in planes roughly parallel to the surface) could possibly reduce the capability of the con-crete to withstand compression. San Onofre 1 SEP A-22 

 -(3) Status:

This review applies to all plants with prestressed concrete' containments. A desamination occurred in the domes of the Turkey Point and Crystal River prestrwssed concrete containments. No evidence of such occurrences have been reported at other plants; however, no specific inspections have been made for any delaminations. It is not clear if the Structural Integrity Test or the existing. inservice inspection programs would discover the existence of any delaminations. (4)

References:

Safety Evaluation Reports for Turkey Point (Docket No. 50-250/251) and Crystal River (Docket No. 50-302) TOPIC: III-7.D Containment Structural Integrity Tests (1) Definition: Review the licensee's structural integrity testing procedure to ensure compliance with the requirements of 10 CFR 50, Appendix A. (2) Safety Objective: To assure that the licensee's design and constructive methods provide a structure which will safely perform its intended functions. (3) Status: This review applies to all plants. To our knowledge, all containments have had a structural integrity test. This opinion should be verified. (4)

References:

1. 10 CFR Part 50, Appendix A
2. Standard Review Plan, Sections 3.8.1 and 3.8.2 TOPIC: III-8.A Loose-Parts Monitoring and Core Barrel Vibration Monitoring (1) Definition:

Inservice surveillance programs to detect loose parts and excessive motion of the main core support structure. (2) Safety Objective: To detect loose parts or excessive vibration before they can cause flow blockage or mechanical damage to the fuel or other safety-related components. (3) Status: The NRC staff currently requires applicants to describe and licensees to implement a loose part detection program. Guidance for such a program is San Onofre 1 SEP A-23

provided in a newly proposed Regulatory Guide 1.133, " Loose-Part L9tection Program for the Primary System of Light-Water-Cooled Reactors." The regulatory guide outlines the minimum system characteristics which the NRC staff feels are necessary for a workable system and combines this with a technical specification and reporting procedures for a complete and enforceable loose part detection program. The concept of detecting core barrel motion through use of excore neutron detectors is well established. A proposed regulatory guide that descrioes an acceptable core barrel vibration monitoring program has been tempora'ily placed on " hold" to permit the NRC staff and its consultants (Oak Ridge National Laboratory Inspection and Enforcement Group) time to evaluate apparently anomalous data from core barrel motion monitoring programs that are currently in service as part of the technical specification requirements for certain licensees. (4)

References:

1. Combustion Engineering, CE Report CEN-5(P), " Palisades Reactor Internals Wear Report," March 1,1974
2. Regulatory Guide 1.133, " Loose-Part Detection Program for the Primary System of Light-Water-Cooled Reactors" TOPIC: III-8.B Control Rod Drive Mechanism Integrity (1) Definition:

Review and evaluate the reliability, operability and any reported mechan-ical failures in control rod drives. (2) Safety Objective: To assure that the integrity and operability of control rod drives is adequately maintained so that they will be capable of normal reactor con-tral and prompt reactor shutdown, if required. (3) Status: The Division of Operating Reactors Engineering Branch is currently evaluat-ing the failure modes and internal component redesigns of BWR control rod drives to preclude stress corrosion and thermal fatigue cracking. There have been no reported generic failures of PWR drives. (4)

Reference:

c General Electric, NED0-21021, " Test Program for Collet Retainer Tube," June 23, 1976. San Onofre 1 SEP A-24

x wj 1, 

     -TOPIC: _ III-8.C Irrsdiation Damage, Use of Sensitized Stainless Steel, and Fatigue Resistance L (1). Definition:

Review the safety aspects that affect reactor vessel internals integrity for compliance with 10 CFR Part 50, including radiation damage, use of sensitized stainless steel, and fatigue resistance. (2) Safety Objective: l To assure continued reactor vessel internals' integrity and compliance with 10 CFR Part.50 and applicable industry Codes and Standards. a (3) Status: The Engineering Branch, Division of Operating Reactors, currently has no review programs relating to reactor vessel internals integrity. (4)

References:

             , 1.       10 CFR Part 50, Appendix A e 2.       American Society of Mechanical Engineers, " Boiler and Pressure Vessel
                       -Code," Section III
3. American Society of Testing Materials, ASTM A-262-70, " Standard Recommended Practices for Detecting Susceptibility to Intergranular Attack in Stainless Steels"
4. Regulatory Guides 1.37, " Quality Assurance Requirements for Cleaning of Fluid Systems and Associated Components of Water-Cooled Nuclear Power Plants" 1.44, " Control of the Use of Sensitized Stainless Steel" 1.61, " Damping Values for Seismic Design of Nuclear Power Plants"  !

l TOPIC: III-8.D Core Supports and Fuel Integrity (1) Definition: Abnormal loading conditions on the core supports and fuel assemblies due to seismic events or loss-of-coolant accidents (LOCAs) could cause fuel damage due to impact between fuel assemblies and upper- and lower grid plates or lateral impact between fuel assemblies and the core baffle wall. 

                                                      ~

The resulting damage could result in loss of coolable heat transfer geometry, make it impossible to insert control rods, or cause releases of radioactive ' materials due to fuel pin failure. (2) Safety Objective: To assure that all credible loading conditions on core supports and fuel assemblies will not result in unacceptable fuel damage or distortion. San Onofre 1 SEP A-25

(3) Status: The Division of Operating Reactors is currently reviewing the dynamic loads imposed on the fuel assemblies during a LOCA. Independent analyses are being conducted by staff consultants. (4)

Reference:

l American Society of Mechanical Engineers, " Boiler and Pressure Vessel Code," Section III (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic): USI A-2, " Asymmetric Blowdown Loads on Reactor Primary Coolant System" (NUREG-0649J USI A-2 requires that an analysis be performed by licensees to assess the design adequacy of the reactor vessel supports and other structures to withstand the loads when asymmetric LOCA forces are taken into account. The staff has completed its investigation and concluded that an acceptable basis has been provided in NUREG-0609, " Asymmetric Blowdown Loads on PWR Primary Systems," January 1981, for performing and reviewing plant analyses for asymmetric LOCA loads. The structural acceptance criteria specified in NUREG-0609 are as follows: The structural integrity of the primary system including the reactor pressure vessel, reactor pressure vessel internals, primary coolant loop, and components must be evaluated against appropriate acceptance criteria to determine if acceptable margins of safety exist. Allowable limits and appropriate loading combinations are set forth in Standard Review Plans (SRPs), which are listed in the table that follows. The staff recognizes that in some specific cases where "as-built" designs are being reevaluated for asymmetric LOCA loads, these design limits may be exceeded. Acceptance of alternative allowable limits will be based on a case-by-case evaluation of the safety margins. Load-combination criteria in general were not addressed as part of this study. Currently the staff requires that seismic and LOCA response be combined, along with responses due to other loading as specified by the SRP. An acceptable method for combining elastically generated seismic and LOCA responses is provided in NUREG-0484. Acceptable methods for combining response generated by an inelastic LOCA analysis and elastic seismic analyses will be evaluated on a case-by-case basis. Since USI A-2 also requires the investigation of seismic and LOCA response be combined, the evaluation required by USI A-2 is identical to SEP Topic III-8.D; therefore, this SEP topic has been deleted. 1 San Onofre 1 SEP A-26 l l

Item SRP Section Reactor pressure vessel 3.9.3 Reactor internals 3.9.5, 3.9.1 Primary coolant loop piping 3.9.3 ECCS piping 3.9.3 RPV, SG, pump supports 3.8.3 Biological shield wall 3.8.3 Steam generator compartment wall 3.8.3 Neutron-shield tank 3.8.3 TOPIC: III-9 Support Integrity (1) Definition: Review the design, design loads, and materials integrity including corro-sion and fracture toughness and the inservice inspection programs of supports and restraints including bolting for the reactor vessel, steam generator, reactor coolant pump, torus, and other Class 1, 2, and 3 safety-related components and piping systems. (2) Safety Objective: To assure adequate support and/or restraint of safety-related systems and components under normal and accident loads so that they will not be pre-vented from performing their intended functions because of support failures. (3) Status: The Division of Operating Reactors has ongoing programs to review component supports. Current emphasis is on primary system supports and on piping system supports and restraints (snubbers). (4)

References:

1. American Society of Mechanical Engineers, " Boiler and Pressure Vessel Code," Section III
2. NUREG-0328, " Regulatory Licensing: Status Summary Report" (Pink Book), Generic Topics 3-5 and 3-43 (5) Basis for Deletion (Related TMI Task, USI, or other SEP Topic):

(a) USI A-12, " Fracture Toughness of Steam Generator and Reactor Coolant Pump Supports" (NUREG-0510 and NUREG-0606) The original scope of USI A-12 was the review of the steam generator and reactor coolant pump supports of pressurized water reactors. San Onofre 1 SEP A-27

~. . ,- .. .- .. .. - . . .. ~ . . . . . , . . . . . , . - -. .. . . However, the staff has expanded the review to include other support structures, such as boiling water reactor (BWR) vessel supports, BWR pump supports, pressurized water reactor (PWR) vessel supports and PWR pressurizer supports (NUREG-0577, Section 1.3). This expanded review will be undertaken in accordance with the guidance of Section 4 of NUREG-0577. (b) USI A-7, " MARK I Containment Long-Term Program" (NUREG-0649) Support integrity of the torus is being evaluated under USI A-7. Under this task, a short-term program that evaluated Mark I contain-ment has provided assurance that the Mark I containment system of each operating BWR facility would maintain its integrity and func-tional capability during a postulated loss-of-coolant accident. A longer term program for BWR facilities, not yet licensad, is planned wherein the NRC staff will evaluate the loads, load combinations, and associated structural acceptance criteria proposed by the Mark I Owners Group prior to the performance of plant-unique structural evaluations. The Mark I Owners Group has initiated a comprehensive testing and evaluation program to define design-basis loads for the Mark I containment system and to establish structural acceptance criteria which will assure margins of safety for the containment system which are equivalent to that which is currently specified in the ASME Boiler and Pressure Vessel Code. Also included in their program is an evaluation of the need for structural modifications and/or load mitigation devices to assure adequate Mark I containment system structural safety margins. (c) USI A-24, " Qualification of Class 1E Safety-Related Equipment" (NUREG-0371 and NUREG-0606) Snubber operability and degradation of seals are covered under USI A-24. (d) USI A-46, " Seismic Qualification of Equipment in Operating Plants" (NUREG-0705) Mechanical snubbers are covered under USI A-46. (e) SEP Topic III-6, " Seismic Design Considerations" Snubbers are evaluated for capacity under SEP Topic III-6. (f) SEP Topic V-1, " Compliance With Codes and Standards (10 CFR 50.55a)" Inservice inspection requirements for supports are covered under SEP Topic V-1, which refers to 10 CFR 50.55a. SEP plants currently have surveillance Technical Specifications on snubbers. The evaluation required by USI A-12, A-7, A-24, and A-46 and SEP Topics III-6 and V-1 is identical to the evaluation required by SEP Topic III-9; therefore, this SEP topic has been deleted. San Onofre 1 SEP A-28

TOPIC: III-10.A Thermal-Overload Protection for Motors of Motor-0perated Valves 

    . (1)' Definition:

The primary cbjective of thermal overload relays is to protect motor windings of motor-operated valves (MOVs) against excessive heating. This feature of thermal overload relays could, however, interfere with the successful functioning of a safety-related system. In nuclear plant safety system application, the ultimate criterion should be to drive the valve to its proper position to mitigate the consequences of an accident, rather than to be concerned with degradation or failure of the motor due to excess heating. (2) Safety Objective: To assure that (1) thermal overload protection, if provided for MOVs, should have the trip setpoint at a value high enough to prevent spurious trips due to design inaccuracies, trip setpoint drift, or variation in the ambient temperature at the installed location; (2) the circuits which bypass the thermal overload protection under accident conditions should be designed to-IEEE Std. 279-1971 criteria, as appropriate for the rest of the safety-related system; and (3) in MOV designs that use a torque switch instead of a limit switch to limit the opening or closing of the valve, the automatic opening or closing signal should be used in conjunction with a corresponding limit switch and thermal overload should remain as backup protection. (3) Status: The' staff position (Reference 1) is implemented on designs of new appli-cations (construction permit and operating license). (4)

References:

1 1. Standard Review Plan, Branch Technical Position EICSB 27, " Design Criteria for Thermal Overload Protection for Motors of Motor-Operated Valves"

2. Institute of Electrical and Electronics Engineers, IEEE Std. 279-1971, Criteria for Protection System for Nuclear Power Generating Stations"
3. Regulatory Guide 1.106, " Thermal Overload Protection for Electric Motors on Motor-0perated Valves" TOPIC: 111-10.8 Pump Flywheel Integrity (1) Definition:
          -Review the PWR reactor coolant pump flywheel inservice inspection programs of operating plants to assure that they comply with the intent of Regula-tory Guide 1.14 and review reports of flywheel flaws if found by inservice
           . inspections.    (BWR reactor coolant pumps do not have flywheels.)

San Onofre 1 SEP A-29

l -(2) Safety Objective: To assure that pump flywheel integrity is maintained to prevent failure at normal operating speeds and at speeds that might be reached under accident conditions and thus preclude the generation of missiles. (3) Status: The inservice inspection programs for flywheels of older PWRs have not- ) been reviewed for compliance with the intent of Regulatory Guide 1.14. l (4) Reference. l Regulatory Guide 1.14, " Reactor Coolant Pump Flywheel Integrity" TOPIC: .III-10.C . Surveillance Requirements on BWR Recirculation Pumps and Discharge Valves (1) Definition: At facilities which have completed the low pressure coolant injection system (LPCIS) modification, the recirculation pump discharge valves and bypass valves are now required to close upon initiation of LPCIS. The closure of these discharge valves is necessary to isolate a pipe break in a suction line to prevent loss of cooling water by reverse flow through the recircula-tion pump or its bypass line and out the break. (2) Safety Objective: To assure effective core cooling in the event of a BWR recirculation line break on the pump suction line by closing the pump discharge valve and bypass line valve. -(3) Status: All licensees of facilities with completed LPCIS modification have been sent letters requesting that they apply for a license amendment to incor-porate technical specification surveillance requirements on recirculation pump discharge valves and bypass valves. New BWRs have the LPCIS modifi-cation and technical specification surveillance requirements. (4)

Reference:

NUREG-0328, " Regulatory Licensing: Status Summary Report," (Pink Book) Issue 3-46, June 17, 1977 TOPIC: III-11 Component Integrity (1) Definition: Review licensee's criteria, testing procedures, and dynamic analyses employed to assure the structural integrity and functional operability of safety-related mechanical equipment under faulted conditions and accident San Onofre 1 SEP A-30

loads. Included are mechanical equipment such as pumps, valves, fans, pump drives, heat exchanger tube bundles, valve actuators, battery and instrument racks, control consoles, cabinets, panels, and cable trays. (2) Safety Objective: To confirm the ability of safety-related mechanical equipment having experienced problems to function as needed during and after a faulted or accident condition. The capability of safety-related mechanical equipment to perform necessary protective actions is essential for plant safety. (3) Status: This review is not currently under way in the Divisions of Operating Reactors. (4)

References:

1. 10 CFR Part 50, Section 50.55a
2. 10 CFR Part 50, Appendix A, GDC 2, 4, 14, and 15
3. Standard Review Plan, Section 3.9.2
4. American Society of Mechanical Engineers, " Boiler and Pressure Vessel Code," Section III,
5. Regulatory Guides 1.20, " Comprehensive Vibration Assessment Program for Reactor Internals During Preoperational and Initial Startup Testing" 1.68, " Initial Test Programs for Water-Cooled Nuclear Power Flants"
6. Institute of Electrical and Electronics Engineers, IEEE Std. 344-1975,
          " Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations"
7. Standard Review Plan, Section 3.9.3 (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topicl:

(a) USI A-46, " Seismic Qualification of tiquipment in Operating Plants" (NUREG-0606 and NUREG-0705) The component integrity (both structural integrity and functional operability) for safety-related mechanical and electrical equipment for all operating plants including SEP plants will be addressed in this new USI (A-46). (b) USI A-2, " Asymmetric Blowdown Loads on Reactor Primary Coolant System" (NUREG-0649) The assessment of faulted loads for the primary loop is being performed under USI A-2. Furthermore, the assessment of high-energy pipe breaks considers the effect of accident loads with regard to jet impingement, pipe whip, and other reaction loads. (c) SEP Topic III-6, " Seismic Design Considerations" The evaluation of equipment structural integrity under seismic loads will be performed under SEP Topic III-6. San Onofre 1 SEP A-31

rr i The evaluations required by USI A-46 and A-2 and SEP Topic III-6 are identical to SEP Topic III-11; therefore, this SEP topic has been

l. deleted.

TOPIC: III-12 Environmental Qualification of Safety-Related Equipment (1) Definition: 1 Safety-related electrical and mechanical equipment that is required to- j survive and function under environmental conditions calculated to result i from a loss-of-coolant accident (LOCA) or a postulated main steam line i break accident inside containment must be environmentally qualified. In addition, determine whether environment-induced failures of nonsafety- ' related equipment could interfere with the operation of safety equipment. Special attention should be given to the effect of beta radiation on exposed organic surfaces, such as gaskets. _(2) Safety Objective: To assure that the mechanical and Class IE electrical equipment of safety systems-has been qualified for the most severe environment (temperature, pressure, humidity, chemistry, and radiation) of design basis accidents. (3) Status: Westinghouse'is conducting a verification program which is expected to be completed by the end of 1977 for those plants qualified to IEEE 323-1971. The Office of Nuclear. Regulatory Research_is sponsoring programs relating to Class IE equipment qualification,~ the results of which can be utilized. to determine the adequacy of the equipment previously qualified. (4)

References:

1. NUREG-0153, " Staff Discussion of Twelve Additional Technical Issues Raised by Responses to November 3, 1976 Memorandum From Director, NRR, to NRR Staff,"' Issue 25, " Qualification of Safety-Related Equipment," December 1976
2. Division of Operating Reactors, 00R Technical Activities, Category B, '

Item 34, " Environmental Qualifications of Safety-Related Equipment (Post LOCA)," May 1977

3. _ Division of Systems Safety, DSS Technical Activities, Category-A, Item 33, " Qualification of Class IE~ Safety-Related Equipment,"

April 1977

4. Regulatory Guide 1.89, " Qualification of Class IE Equipment for Nuclear Power Plants" (5) Basis for Deletion (Related TMI Task, USI, or other SEP Topic):

USI A-24, " Qualification of Class IE Safety-Related Equipment" l (NUREG-0371 and NUREG-0606) The issue identified in Reference 1 (NUREG-0153, Item 25) and the review criteria, that is, Regulatory Guide 1.89, are identical to those specified in USI A-24. The Task Action Plan for USI A-24 San Onofre 1 SEP A-32

(NUREG-0371) covers the environmental qualification of both electrical and mechanical safety-related equipment. The. evaluation required by USI A-24 is identical to SEP Topic III-12; therefore, this SEP topic has been deleted. TOPIC: IV-1.A Operation With Less Than All Loops in Service (1) Definition: A number of BWR and PWR licensees have requested authorization to operate with one of the recirculation loops (BWR) or steam generator loops (PWR) out of service. These proposals are being reviewed generically with regard to analytical methods. Plant-specific reviews will be done to determine appropriate Technical Specification limits. Plant-specific reviews will address results of LOCA. analyses using generically approved methods. Analysis of accidents (other than LOCA) and operating transients result- 

     -ing from operation in the (N-1) loop mode have been-reviewed on.a " lead
     ' plant basis." Most of this effort has been completed.         Tests have been conducted by General Electric which.show that significant core flow asymmetries do not exist with single-loop operation for two-loop plants;        -

however,-there is backflow through inactive jet pumps. Therefore, for 

     . single-loop operation, modifications are necessary in trip settings which take inputs from jet pump drive flow. These will be determined on a plant-specific basis.

(2) ~ Safety Objective: To provide assurance that operation with less than all coolant loops in operation will not result in decreased safety margins. (3) Status: A combination of generic and plant-specific reviews-is being performed on both BWRs and PWRs. TOPIC: IV-2 Reactivity Control Systems Including Functional Design and 1 Protection Against Single Failures l l ( (1) Definition: General Design Criterion 25 requires that the reactor protection system be designed to assure that fuel-damage limits are never exceeded in the event of any single failure of the reactivity control systems. Reactivity control systems need not be designed single failure proof, but the protec-tion system (which is designed against single failures) should be capable of limiting fuel damage in the event of a reactivity control system single 

     -failure.

'(2) _ Safety Objective: To~ assure that'for all credible reactivity control system failures, the I protection system will limit fuel damage to acceptable limits. i 

               ~

San Onofre l SEP A-33

(3) Status: NRC has concluded that revisions to existing licenses.are not warranted. Staff effort on this issue will continue at a low level. 

  .(4)

References:

         - 1.      NUREG-0138, " Staff Discussion of Fifteen Technical Issues Listed in           I Attachment to November 3, 1976 Memorandum From Director, NRR, to NRR            j Staff," Issue No. 6, " Protection Against Single Failures in Reactivity
                 -Control Systems," December 1976.
2. ' Standard Review Plan, Section 15.4.3 TOPIC: IV-3 BWR Jet Pump Operating Indications (1) Definition:

If a jet pump BWR operates with a failed jet pump, it may be. impossible to reflood the core in the event of a LOCA. Some BWRs have experienced jet pump instrument sensing line failures. With a sensing line failed, 

         .it may not be possible to accurately measure core flow or to detect fail-ure of a jet pump.

(2) Safety Objective: To assure that the core flow can be determined. Also to assure the ability to detect a jet pump failure for a range of crack / break sizes at various locations on the pump. (3) Status: This issue is currently being reviewed for Dresden Units 2 and 3 and Quad Cities Units 1 and 2. The topic has generic implications for all jet pump BWR plants. (4)

References:

1. Letters from Commonwealth Edison Company to'NRC, dated September 19, 1975, March 3, 1976, and June 7, 1976.
2. Letter from NRC to Commonwealth Edison Company, dated January 19, 1976.
3. Memorandum from J. H. Sniezek, NRC, to D. L. Ziemann, dated November 19, 1975.
  . TOPIC:     V-1 Compliance With Codes and Standard (10 CFR 50.55a)

(1) Definition: Review the licensee's inservice inspection and testing programs for Class 1, 2, and 3 pressure vessels, piping, pumps and valves and other safety-related components to assure compliance with the American Society of Mechanical Engineers (ASME) Code, Sections III 'and XI, as required by 10 CFR 50.55a. This review will also include review of the inservice inspection and testing program applicable to isolation condensers of the early operating BWRs. San Onofre 1 SEP A-34

(2) Safety Objective: 

        'To assure that the-initial integrity of components is maintained through-out service life.
  -(3). Status:
        -NUREG-0081 was completed for reactor vessels not designed to ASME Code,
        -Section III. The Engineering Branch conducts a generic review of all plants for compliance with' inspection requirements of 10 CFR 50.55a(g) and fracture toughness requirements of 10 CFR 50.55a(i). This program will continue
                    ~

for the life of operating reactors. 

  ~(4)

References:

1. 10 CFR Part.50, Section 50.55a
2. American Society of Mechanical Engineers, " Boiler and Pressure Vessel Code," Sections III and XI
3. NUREG-0081, " Evaluation of the Integrity of Reactor Vessels Designed to ASME Code, Section I and/or VIII," July 1976
4. Memorandum from V. Stello, NRC, to B. H. Grier, October 12, 1976 TOPIC: V-2 Applicability of Code Cases (1) Definition:

Review Code Cases currently accepted by the NRC, as indicated in Regula-tory Guides 1.84 and 1.85. (2) Safety Objective: To assure that only those Code Cases which are acceptable to.the NRC are utilized by the licensee _in the design, fabrication, or repair of the plant. The use of Code Cases other than those contained in Regulatory Guides 1.84 and 1.85 are addressed on a' case-by-case basis to assess their acceptability. (3) Status: The Engineering Branch, Division of Operating Reactors, routinely reviews design modifications and component repairs (for example, reactor vessel nozzles) to assure compliance with NRC acceptable Code Cases. The program is ongoing on an as-needed basis. (4)

References:

Regulatory Guides ' 1.84, " Design and Fabrication Code case Acceptability - ASME Section III, Division 1" 1.85, " Materials Code Case Acceptability - ASME Section III, Division 1" San Onofre 1 SEP A-35

TOPIC: 'V-3 Overpressurization Protection 

      ;(1)- Definition:

Inadvertent overpressurization of the primary system at temperatures below the nil ductility transition temperature may result in reactor _ vessel fail-ure during~heatup and pressurization. _Such overpressure transients are l caused by pressure surges when the primary system is_ water solid.~ 'The i 

           -most severe. transients have occurred when'a charging pump starts up or          '!

inadvertent closing _of a letdown valve with a charging pump running. j Pressure temperature limits as a function of neutron fluence of..the I 

            -material _at the reactor vessel beltline are specified in 10 CFR 50,               j Appendix G. All_PWR licensees have been directed to institute' interim administrative procedures to prevent damaging pressure transients and on a longer time scale to provide permanent protection which will probably include hardware changes such as high-capacity safety relief valves.
      ~(2) Safety Objective:

To_ protect the primary system from potentially damaging overpressurization-transients du' ring plant pressurization and heatup. (3)~' Status: Generic review of all PWR licensee submittals is under way. Criteria for evaluation have been developed and refined by the Office of Nuclear Reactor Regulation and the Office of Nuclear Regulatory Research. An effort is being made to' complete the review sufficiently early to ensure installation of mitigating systems by the'end of 1977. .. (4)

Reference:

NUREG-0138,. " Staff Discussion of Fif teen Technical Issues Listed in Attachment to November 3, 1976 Memorandum From Director, NRR to NRR Staff," November 1976 (5) Basis.for Deletion (Related TMI Task, USI, or Other SEP Topic): USI A-26, " Reactor Vessel Pressure Transient Protection" (NUREG-0410) 4' Under USI A-26, licensees ~were requested to modify their systems and procedures to protect against low temperature overpressurization. All operating PWRs have made these modifications, and safety evalua-tion reports for the SEP plants have been issued. f The evaluation required by USI A-26 is identical to SEP Topic V-3; therefore, this SEP topic has been deleted. TOPIC': V-4 Piping and Safe-End-Integrity I (1) Definition: Review the safety aspects that affect BWR and PWR piping and safe-end integrity for compliance with 10 CFR Part 50, including fracture toughness, . . San On'ofre.1 SEP A-36 E 

    . flaw evaluation, stress corrosion cracking in BWR and PWR piping, and control of materials and welding.

(2) Safety Objective: 

    .To ensure continued piping integrity and compliance with 10 CFR Part 50 and applicable industry codes and standards.

(3) Status: The Engineering Branch, Division of Operating Reactors, is conducting an ongoing program that includes the as-needed review of those aspects necessary to ensure the continuing integrity of piping systems important to safety including stress corrosion cracking of BWR coolant pressure boundary piping. This program will continue for the life of operating reactors. (4)

Reference:

American Society of Mechanical Engineers, " Boiler and Pressure Vessel Code," Section XI (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic): (a) -USI A-42, " Pipe Cracks in Boiling Water Reactors" (NUREG-0510) The scope of USI A-42 is the study of. stress corrosion cracking in BWR piping. NUREG-0313, Revision 1, " Technical Report on Material Selection and Processing Guidelines for BWR Coolant Pressure Boundary Piping," is the resolution of USI A-42 and presents staff positions. (b) USI A-10, "BWR Feedwater Nozzle Cracking and Control Rod Drive Hydraulics Return Line Nozzle Cracking" (NUREG-0649) (c) NRR Generic Activity C-7, "PWR System Piping" (NUREG-0471) The scope of this activity is the study of stress corrosion cracking in PWR piping. NUREG-0691, " Investigation and Evaluation of Crack-ing Incidents in Piping in Pressurized Water Reactors," recommends the same corrective actions (pp. 2-12) proposed for BWRs in NUREG-0313, Revision 1, USI A-42. The evaluation required by USI A-42 and Task C-7 is identical to the evaluation required by SEP Topic V-4; therefore, this.SEP topic has been deleted. TOPIC: V-5 Reactor Coolant Pressure Boundary (RCPB) Leakage Detection (1) Definition: Reactor primary coolant leakage detection systems are a significant means of preventing primary system boundary failure by identifying leaks before failures occur. San Onofre 1 SEP A-37

n (2) Safety Objective: To provide reliable and sensitive leakage detection systems to identify primary system leaks at an early stage before failures occur. (3) Status: This issue has been resolved for all plants which have recently received , an operating license by requiring conformance to Regulatory Guide 1.45. l Individual older plants have not been systematically reviewed and leakage  ! detection systems may need upgrading on a plant-by plant basis. l (4)

References:

1. Regulatory Guide 1.45, " Reactor Coolant Pressure Boundary Leakage Detection Systems"
2. Standard Review Plan, Section 5.2.5 TOPIC: V-6 Reactor Vessel Integrity (1) Definition:

Review the safety aspects that affect BWR and PWR reactor vessel and nozzle integrity for compliance with 10 CFR Part 50, including fracture toughness, neutron irradiation, evaluation of surveillance programs, operating limita-tions, inservice inspection and flaw evaluation, and transient analyses. (2) Safety Ojective: To assure continued reactor vessel integrity and compliance with 10 CFR Part 50 and applicable industry codes and standards. 

 .(3) Status:

The Engineering Branch, Division of Operating Reactors, is conducting ongoing programs that include the periodic review of aspects necessary to ensure the continued integrity of reactor vessels. These programs include 

       -BWR feedwater and control rod drive nozzle cracking, low upper-shelf toughness, radiation effects, reactor vessel materials surveillance, and updating of operating plants' inservice inspection programs and will continue for the life of operating reactors.

(4)

References:

1. .NUREG-0312, " Interim Technical Report on BWR Feedwater and Control Rod Drive Return Line Nozzle Cracking," July 1977
2. 10 CFR Part 50, Appendix G
3. Regulatory Guide 1.99, " Effects of Residual Elements on Predicted Radiation Damage to Reactor Vessel Materials" ,
4. American Society of Mechanical Engineers, " Boiler and Pressure Vessel "

Code," Section III, Appendix G

5. American Society of Testing Materials, ASTM E185, " Standard Recommended Practice for Surveillance Tests for Nuclear Reactor Vessels" San Onofre 1 SEP A-38 L
6. American Society of Mechanical Engineers, " Boiler and Pressure Vessel Code," Section XI
7. NUREG-0328, " Regulatory Licensing: Status Summary Report" (Pink Book),

Issue 3-9, 3-21, 3-41 TOPIC: V-7 Reactor Coolant Pump Overspeed (1) Definition: Review the potential for reactor coolant pumps to fail because of over-speed in the unlikely event of a major loss-of-coolant accident (LOCA). (2) Safety Objective: To assure that, in the event of a major LOCA, a reactor coolant pump assembly is not driven to a speed which would cause structural failure of the unit and result in missiles which could increase the consequences of the LOCA. Of greatest concern are the PWR pump flywheels because of their mass and rotational energy. (3) Status: An indepth review of this topic was performed by the Atomic Energy Commission staff and reported to the Advisory Committee on Reactor Safeguards (ACRS) 

    -in 1973 (Reference 1). The staff concluded that, because of the small
    . likelihood for the occurrence of a pump overspeed event that could seriously increase the consequences resulting from a LOCA (less than 10 8 per plant year), the action taken by the staff to assess this problem in a generic fashion outside the context of individual application reviews is an accept-able course to follow. A generic experimental program to be completed in 1978 by the Electric Power Research Institute is expected to provide data to verify pump model overspeed predictions.

(4)

References:

1. Letter from R. C. DeYoung, NRC, to Harold G. Mangelsdorf, ACRS, August 6, 1973, transmitting " Report on Reactor Coolant Pump Overspeed During a LOCA," August 3, 1973.
2. Regulatory Guide 1.14, " Reactor Coolant Pump Flywheel Integrity" TOPIC: V-8 Steam Generator (SG) Integrity (1) Definition:

Review the safety aspects affecting operation of steam generators includ-ing secondary water chemistry, tube plugging criteria, inservice inspec-tion, possibly including a dimensional inspection for proper evaluation of denting, steam generator tube leakage, tube denting, flow-4..*uced vibration of steam generator tubes, tube repair, and tube bundle or steam generator replacement. San Onofre 1 SEP A-39

n-  ; 

   -(2). Safety Objective:

To ensure that acceptable levels of integrity of that portion of the reactor coolant pressure boundary made up by the steam generator are maintained in accordance with current codes, standards, and/or regulatory criteria during normal and postulated accident conditions. The.' integrity of the steam generator is needed to ensure that leakage following a postu-lated design basis accident will not result in doses to the public in I 

         . excess of 10 CFR Part 100 guidelines and that the emergency core cooling
         . systems will-be able to perform their safety functions.                         l (3) Status:

Review of this topic is being performed by the Division of Operating Reactors (DUR). This effort will continue for the life of operating reactors. (4)

References:

1. Regulatory Guide 1.83, Rev. 1, " Inservice Inspection of Pressurized
               . Water Reactor Steam Generator Tubes"
2. Regulatory Guide 1.121, " Bases for_ Plugging Degraded PWR Steam Generator Tubes"
3. 10 CFR Part 50, Appendix A, GDC 30 and 32
4. 'NUREG-0328, " Regulatory Licensing: Status Summary Report" (Pink Book),

3-27 (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic): USI A-3, A-4, A-5, " Westinghouse, Combustion Engineering, and Babcock and Wilcox Steam Generator Tube Integrity" (NUREG-0649) The definition of this topic and the references cited are covered by 

                .USI A-3, A-4, and A-5. The evaluation for USI A-3, A-4, and A-5 is-identical to SEP Topic V-8; therefore, this SEP topic has been deleted.

TOPIC: V-9 Reactor Core Isolation Cooling System (BWR) (1) Definition: Reactor core isolation cooling (RCIC) has not been classified as a safety system. On GESSAR, for certain small breaks, GE assumed credit for RCIC as a backup for HPCI. . The staff required GE to reclassify the RCIC system on the GESSAR 238 standard NSSS as a safety system. (2); Safety Objective: 1 To ensure that the'RCIC system is qualified as a safety system where credit is assumed in the safety analysis. (3) Status: 

         -GE has agreed to reclassify RCIC as a safety system on the GESSAR docket.

San Onofre 1 SEP A-40 p

TOPIC: V-10.A Residual Heat Removal System Heat Exchanger Tube Failures (1) Definition: Residual heat removal-(RHR) heat exchangers are designed to remove residual and decay heat so that the reactor can be placed in a safe cold shutdown condition and to maintain core cooling following a postulated loss-of-coolant accident. Some light-water reactors (LWRs) have a pressure control system on the cooling water piping system which maintains the pressure of the cooling water higher than the primary colant pressure in the primary coolant side of the heat exchanger during p Lnt cooldown operations. A leak in the. tubes could result in back leakage of coolant water into the primary . loop. Pressure in the cooling water side is maintained higher than that in the primary coolant side so that in the event of a tube failure there would be no leakage of radioactive fluids into the environ-ment. Cooling water passing from the cooling water side of-the heat exchanger into the primary coolant water could introduce impurities such as chlorides into the primary coolant system. 1 (2) Safety Objective: To assure that impurities from the cooling water system are not introduced into the primary coolant in the event of an RHR heat exhanger tube failure. (3) Status: Recently there have been several RHR heat exchanger tube failures at operating BWRs. This issue has been defined as a 00R Category B Technical Activity. TOPIC: V-10.8 Residual Heat Removal System Reliability (1) Definition: In all current plant designs, the residual heat removal (RHR) system has

a. lower design pressure than the reactor coolant system (RCS). In most current designs, the system is located outside of containment and is part of the emergency core cooling system. However, it is possible for the RHR system to have different design characteristics. For example, the RHR system might have the same design pressure as the RCS, or be located inside of containment. The functional, isolation, pressure relief, pump protection, and test requirements for the RHR system are of concern in the safety review of reactor plants. Three types of RHR system designs are defined in Branch Position RSB 5-1.

On June 24, 1976, the Regulatory Requirements Review Committee approved a revision of Standard Review Plan,-Section 5.4.7 requiring a capability to go from hot to cold shutdown without offsite power and that all components necessary for cooldown from hot shutdown must be designed to safety grade seismic I standards, and be operable from the control room. System must l be designed to meet the single failure criterion. San Onofre 1 SEP A-41

m (2). Safety Objective: 

        .To ensure reliable plant shutdown capability using safety grade equipment.

(3) Status: Because of vendor concern over the impact of the revision, a review was 

                      ~

conducted of three:PWR plants, and as a result of this review,-the staff is proposing that Branch Position RSB 5-1 be modified but that the functional-requirements be retained. (4)

References:

1. Standard Review Plan, Branch Technical Position RSB 5-1, " Design Requirements of the Residual Heat. Removal System"
2. Standard Review Plan, Section 5.4.7
3. Memorandum from E. G. Case, NRC, to L. V.-Gossick, July 15, 1976.
4. ' Summary of meeting September 22, 1976, " Capability To Achieve Cold Shutdown Using Safety-Grade Systems and Equipment," C. O. Thomas, Docket No. STN-50-545, October 5, 1976.

TOPIC: V-11.A Requirements for-Isolation of High- and Low-Pressure Systems (1) Definition: Several systems that have a relatively low design pressure are connected to the reactor coolant pressure boundary. The valves that form the inter-face between the high- and low pressure systems must have sufficient redundancy and interlocks to assure that the low pressure systems are not subjected to coolant pressures that exceed design limits. The problem is 

                                              ~

complicated since under certain operating modes (for example, shutdown cooling and emergency core cooling system injection), thete valves must open to assure adequate reactor safety. (2) Safety Objective: To assure that adequate measures are taken to protect low pressure systems connected to the primary system from being subjected to excessive pressure which could cause failures and in some cases potentially cause a loss-of-coolant accident outside-of containment. (3) Status: A preliminary review of a representative operating plant of each nuclear steam supply system vendor was undertaken. Each low pressure system connected to the reactor coolant pressure boundary and penetrating the containment was examined. The investigation of a few potential areas of concern is continuing. San Onofre~1 SEP A-42

TOPIC: ' V-1L B Residual- Heat Removal .Syste:n Interlock Requirements 

                       ~
                 "(1) . Definition:

The residual heat' removal.(RHR) system'is'normally located outside of primary containment. It is an intermediate. pressure system (usually 600 psia):and has' motor-operated.v'alve (MOV)' isolation valves connecting it to the reactor coolant system (RCS). If the RHR system.were inadvertently connected to the RCS .while the RCS. is at pressure,. a loss-of-coolant.acci-dent _(LOCA)'could' result with a-loss of all capability of core reflooding i Lsince the coolant inventory could be lost outside of containment. To prevent inadvertent opening of the MOVs while the RCS is at pressure, an "0 PEN PERMISSIVE" interlock is provided. 

',                           If the operator shuts'only one of the isolation valves prior to pressurizing.

the RCS,'there~is a single valve RCS pressure boundary. i ' To ensure-that both MOVs are shut during a startup and heatup, an " AUTO-l CLOSURE'.' interlock is provided that closes the MOVs. (2)- Safety'0bjective: [l To ensureithat operating reactor plants are adequately protected from 

                         'overpressurizing the RHR system and potentially causing a LOCA outside of F                           containment.

(3) Status: Several PWR plants do not have the auto closure feature on the RHR, and (- ;at-least one does not have the open permissive feature. Plants should be 4 reviewed on a case-by-case' basis factoring in (1) ASME Co'de safety valve + 

                         . setting and capacity, (2) interlocks, (3) closure time of MOVs, and (4) location of RHR.

5 (4)_

References:

1. Proposed Branch Technica1' Position RSB-5-1, " Design Requirements of l 'the Residual Heat Removal System" 2.- Regulatory Requirements Review Committee Meeting No. 50, June 24,1976 l

3 .' ~10 CFR Part 50, Appendix A, GDC 34

4. ' Memorandum from J. Angelo to R. C. DeYoung, V. Stello, et al., NRC,

Subject:

"RP-TR Staff Meeting'of February 13, 1974 Regarding the Requirements on Shutdown Cooling Systems," February 28, 1974
           ~                5.           Letter from R. Boyd, NRC, to C. Eiche1dinger, Westinghouse Electric Corporation, November 12,_1975
                         -6.             Letter from R.'Boyd, NRC, to I. Stuart, General Electric Company,

( November 12,'1975

7. Letter from R. Minogue,-NRC, to J. D. Geier, Illinois Power Company, L

July 8, 1975 i i- [ San Onofre 1 SEP. A u .. m .., _- _ _ _ _ _.. . _ _ _ _ .__ -._..___.a__.. ___

j' 

.~^

TOPIC: V-12.A Water Purity of BWR Primary Coolant (1) Definition: Review the primary water monitoring and reactor water cleanup system capa-bilities, including the water purity, to determine if the maintenance of the necessary purity levels complies with Regulatory Guide 1.56. Review limits on quality control,and defined provisions in the event of demineral- i izer breakthrough. l 

    .(2) Safety Objective:

To assure that the water purity level is acceptably low to minimize the potential for intergranular stress corrosion cracking of.austenitic stainless steel piping in the reactor coolant pressure boundary of BWRs, 

         . including assuring the implementation of Regulatory Guide 1.56.

(3) Status: Recommendations for.specifying the use of additional conductivity measure-ments and monitoring at various locations, plus the use of pH and chloride 

         -measurements, have been submitted to the Division of Standards Development to initiate a revision of Regulatory Guide 1.56, " Maintenance of Water Purity in Boiling Water Reactors," dated June 1973. To date, a generic review of operating BWRs has not been initiated and the current regula-tory guide has been implemented in the Technical Specifications of only a few operating plants.

(4)

Reference:

         ' Memorandum from R. E. Heineman, to R. B. Minogue, NRC,

Subject:

    " Request for Revision of Regulatory Guide 1.56," 1973 TOPIC: .V-13 Waterhammer (1) Definition:

Waterhammer events have occurred in light water reactor systems. Water-hammer events increase the probability of pipe breaks and could increase the consequences of certain events such as the loss-of-coolant accident. The types of waterhammer, the vulnerable systems (for example, contain-ment spray, service water, feedwater, and steam), and the safety signifi- , 1 cance of waterhammer have been identified and defined in a staff report of May 1977. (2) Safety Objective: To reduce the probability of waterhammer events that have the potential to lead to pipe ruptures in light-water reactor systems which are needed to mitigate the consequences of accidents or that might increase the consequences of accidents previously analyzed. I San Onofre 1 SEP A-44

1 l i (3) Status: Generic review is under way. On March 10, 1977,-an interdivisional Division of Operating Reactors / Division of Systems Safety technical review group 

       -was formed to investigate the waterhammer issue and to develop a program for its appropriate consideration in licensing reviews and for operating reactors. Consultant work has been performed by CREARE and Livermore Labs.

(4)

References:

1. " Water Hammer in-Nuclear Power Plants," NRC Staff Report, June 1, 1977
2. Wallis, G. B., P. H. Rothe, et al., "An Evaluation of PWR Steam
             . Generator Water Hammer" (draft), CREARE Inc., February 1977
3. Sutton,_S..B., "An Investigation of Pressure Transient Propagation in Pressurized Water Reactor Feedwater Lines" (preliminary),

Lawrence Livermore Laboratory, April 15. 1977

4. Office of Nuclear Reactor Regulation, NRR Technical Activities, Category. A, Item 1, " Water Hammer," May 1977 (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic):

USI A-1, " Water Hammer" (NUREG-0649) The references cited in this topic were the precursors of USI A-1. 

              -The evaluation required for USI A-1 is identical to SEP Topic V-13; therefore, this SEP topic has been deleted.

TOPIC: VI-1 Organic Materials and Postaccident Chemistry (1) Definition: (a) Organic materials The design basis for selection of paints and other organic materials is not documented for most operating reactors. Therefore, there is ' a need to review the suitability of paints and other organic materials used inside containment, including the possible interactions of the decomposition products of organic materials with engineered safety features (such as filters). (b) Postaccident chemistry Low pH solutions that may be recirculated within containment after a design basis accident (DBA) may accelerate chloride stress corrosion cracking which may lead to equipment failure or loss of containment integrity. Low pH may also increase the volatility of dissolved 

             -iodines with a resulting increase in radiological consequences.

(2) ' Safety Objective: (a) Organic materials To assure that organic paints and coatings used inside containment do not behave adversely during accidents when they may be exposed to high radiation fields. In particular, the possibility of coatings clogging sump screens should be minimized. San Onofre 1 SEP A-45

~ (b) Postaccident chemistry To assure that appropriate methods are available to raise or main-tain the pH of solutions expected to be recirculated within contain-ment after a DBA. (3) Status: No work currently being done on this subject for operating plants. (4)

References:

1. Standard Review Plan, Sections 6.1.2 and 6.1.3
2. Regulatory Guide 1.54, " Quality Assurance Requirements for Protective Coatings Applied to Water-Cooled Nuclear Power Plants" TOPIC: VI-2.A Pressure-Suppression-Type BWR Containments (1) Definition:

BWR pressure-suppression-type containments (for example, Mark I containment) are subjected to hydrodynamic loads during the blowdown phase of a loss-of-coolant accident (LOCA). These loads have the potential for damaging the components and structures (wetwell, internal structures, restraints, supports, and connected systems) of the containment. During a relief valve blowdown into the suppression pool, the wetwell (torus) shell and safety / relief valve restraints may be overstressed. The hydrodynamic loads were not explicitly identified and included in the design of the Mark I pressure-suppression containment. (2) Safety Objective: To assure that the structural integrity of pressure-suppression pool con-tainments is maintained under hydrodynamic loading conditions. It has been determined that the upward forces during the blowdown phase follow-ing a LOCA potentially cause the Mark I torus to be lifted, causing fail-ure of connecting systems and supports and leading to loss of the contain-ment integrity. Structural modifications and/or changes in the mode of operation might be necessary to assure adequate safety margins. (3) Status: Mark I containments are currently evaluated in a two-step generic review program: The Short-Term Program (STP), completed May 1977, has focused on the determination of the magnitude and significance of hydrodynamic loads. In the Long-Term Program (LTP), to be completed by late 1978, the design basis loads will be finalized and the capability of the containment to withstand the loads within the original design structural margins will be verified. This verification will be based in part on research results from NRC and industry sponsored programs. As a result of the STP, the staff required that Mark I plants be operated with a drywell to wetwell differential pressure of at least 1 psi to reduce the vertical loads. In addition, some licensees have modified the torus support system for addi-tional safety margin. San Onofre 1 SEP A-46

i O (4)

References:

1. NUREG-0'328, " Regulatory Licensing: Status Summary Report," (Pink
Book) - Generic Issues (April 1977)
a. Mark I Containment - STP Technical Specifications
b. Mark I Containment Evaluation - STP
c. Mark I Containment Evaluation - LTP
d. Mark I Safety / Relief Valve Line Restraints in Torus
2. Division of Operating Reactors, D0R Technical Activities, Category A, April 1977 a.- Item 2, " Mark I Containment STP"
b. Item 3, " Mark I Containment LTP"
c. Item 23, " Mark II Containment"
3. Division of Operating Reactors, 00R Technical Activities, Category 8, Item 12, " Assessment of Column Buckling Criteria," May 1977
4. Division of Systems Safety, DSS Technical Activities, Category A, '

Item 31, " Determination of LOCA and SRV Pool Dynamic Loads for Water Suppression Containments," April 1977 (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic): USI A-7, " Mark I Containment Long-Term Program" (NUREG-0649) Under this task, a short-term program that evaluated Mark I contain-ment has provided assurance that the Mark I containment system of each operating BWR facility would maintain its integrity and func-tional capability during a postulated LOCA. A longer term program for BWR facilities, not yet licensed, is planned wherein the NRC staff will evaluate the loads, load combinations, and associated structural acceptance criteria proposed by the Mark I Owners Group prior to the performance of plant-unique structural evaluations. The Mark I Owners Group has initiated a comprehensive testing and evaluation program to define design basis loads for the Mark I con-tainment system and to establish structural acceptance criteria which will . assure margins of safety for the containment system which are equivalent to that which is currently specified in the ASME Boiler and Pressure Vessel Code. Also included in their program is an evalua-tion of the need for structural modifications and/or load-mitigation devices to assure adequate Mark I containment system structural safety margins. The long-term program for USI A-7 will assure that all plants with Mark I containments are able to tolerate, without loss of function, the LOCA-induced hydrodynamic loads. The evaluation required by USI A-7 is identical to SEP Topic VI-2.A; therefore, this SEP topic has been deleted. TOPIC: VI-2.8 Subcompartment Analysis (1) Definition: The rupture of a high energy line inside a containment subcompartment can cause a pressure differential across the walls of the subcompartment. In San Onofre 1 SEP A-47

l l the case of a rupture of a PWR main coolant pipe adjacent to the. reactor vessel, the subcooled blowdown produces pressure differentials in the annulus between the reactor vessel and the shield wall and also within the reactor vessel across the core barrel. This asymmetric pressure dis-tribution. generates loads on the reactor vessel support and on reactor 

                  . vessel internals, on other equipment supports, and on subcompartment t' ruc-tures which have not been analyzed previously for most operating reactors.

(2) Safety Objective: To assure that the reactor vessel supports, reactor vessel internals, and other equipment supports and subcompartment structures are designed with l an adequate margin against failure due to these loads. The failure could result.in a loss of emergency core cooling system capability. (3) Status: The staff is reviewing the nuclear steam supply system vendor and architect-engineer design codes used to calculate the loads produced by the asymmetric pressure distribution. Analyses have been completed for a limited number of operating plants. The W TMD code is approved. 'Bechtel, Gilbert, and United Engineering have submitted codes for review. (4)

References:

1. NUREG-0328, " Regulatory Licensing: Status Summary Report," (Pink Book) - Generic Issue, Item 3-5, " Asymmetric LOCA Loads - PWR,"

April 1977

2. Division of Operating Reactors, D0R Technical Activities, Category A, Item 32, " Asymmetric LOCA Loads (Reactor Vessel Support Problem),"

April 1977

3. Division of Systems Safety, DSS T2chnical Activities, Category A, Item 14, " Asymmetric Blowdown Loads on Reactor Vessel," April 1977
4. Division of Project Management, DPM Technical Activities, Category A, Item 2, " Reactor Vessel Supports (Asymmetric LOCA Loads From Sudden Subcooled Blowdown)," April 1977 (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic):
                    -     USI A-2, " Asymmetric Blowdown Loads on Reactor Primary Coolant System" (NUREG-0649)

The references cited in this topic were the precursors of USI A-2. The evaluation required for USI A-2 is identical to SEP Topic VI-2.B (see also SEP Topic III-8.D); therefore, this SEP topic has been deleted. TOPIC: VI-2.C Ice Condenser Containment (1) Definition: Operating experience from the D. C. Cook plant has indicated that sub-limation and melting of ice causes a loss of ice inventory and related functional performance problems for the ice consenser system. San Onofre 1 SEP A-48

(2) Safety Objective: To_ assure that a sufficient ice inventory is maintained and to assure the functional performance of the ice condenser system. (3) Status: The results of the surveillance program for ice inventory and of the functional performance testing (for example, operation of vent doors) are periodically reviewed by the staff to. determine whether the surveillance frequencies should be increased or other action should be taken. Recent surveillance testing-indicates that the ice inventory is acceptable and 

       .that the D. C. Cook plant can be operated safely for the current fuel cycle. CONTEMPT-4 long-term ice condenser code is expected to be completed by Edgerton, Germeshausen & Grier in October 1977.

(4)

Reference:

l_ Division of Operating Reactors, D0R Technical Activities, Category B, Item 53, " Ice Condenser Containments," May 1977 TOPIC: VI-2.0 Mass and Energy Release for Postulated Pipe Breaks Inside Containment j (1) Definition: Review the methods and assumptions of the mass and energy release model, including containment temperatures and pressure response, that were used in previously performed analyses of high-energy line breaks inside-containment, including the main steam line break. (2) Safety Objective: To assure that design basis conditions (for example, design pressure and temperature) for the containment structure and safety-related equipment are adequate. Determine if the models used in the earlier analyses provide adequate margins of safety when compared with the assumptions and models for current analytical techniques. (3) Status: Mass and energy release models, including containment response models, are being reassessed to determine the degree of conservatism in the pre-diction of the containment pressure and temperature transient resulting from a PWR main steam line break. Application of those models to operating plants is contingent on the results of this reassessment. Mass and energy release models for operating BWR plants are considered in the Mark I Long-Term Program and other BWR review efforts. o (4)

References:

1. Division of Operating Reactors, 00R Technical Activities, Category B, l May 1977 l l i

l San Onofre 1 SEP A-49

a. Item 1, " Pipe Break Inside Containment"
b. Item 2, " Mass and Energy Release to Containment"
    ' 2. Division of Systems Safety, DSS Technical Activities, Category A, April 1977
a. . Item 7, " Pipe Rupture Design Criteria"
b. Item 29, " Main Steam Line Break Inside Containment"
3. Division of Systems Safety, DSS Technical Activities Report, Item I-C.B.1, " Mass and Energy Release to Containment," December 1975  ;

TOPIC: VI-3 Containment Pressure and Heat Removal Capability (1) Definition: The temperature and pressure conditions inside containment due to a _ postulated loss-of coolant accident (LOCA), main steam line or feedwater line break depend on the effectiveness of passive heat sinks and active heat removal systems (for example, containment spray system). (2) Safety Objectiv'e: To assure that the maximum temperature and pressure following a LOCA, main steam, or feedwater line break have been calculated with conservative assumptions and to assure that the passive heat sinks and active heat removal systems provide the full heat removal capability required to main-tain the pressure and temperature below the design pressure and temperature of the containment, of safety-related equipment, and instrumentation inside containment. (3) Status: The modified CONTEMPT computer code properly accounts for the condensation of superheated steam on containment passive heat sinks. The effects on the design temperatures within the containment are being studied for plants under licensing review. (4)

References:

l. Standard Review Plan, Section 6.2.1.1.A
2. Division of Systems Safety, DSS Technical Safety Activities Report, December 1975
3. Division of Operating Reactors, D0R Technical Activities, Category B, Item 62, " Effective Operation of Containment Sprays in LOCA," May 1977 TOPIC: VI-4 Containment Isolation System (1) Definition: l Isolation provisions of fluid system of nuclear power plants limit the release of fission products from the containment for postulated pipe i breaks inside containment and thus prevent the uncontrolled release of '

primary system coolant as a result of postulated pipe breaks outside containment. Tt.is must be accomplished without endangering the perform- 1 ance of postaccident safety systems. Review the primary containment ' l San Onofre 1 SEP A-50

isolation provisions, in particular, the containment sump lines and fluid systems penetrating containment. Review the design bases for containment ventilation system isolation valves to determine potential releases from the containment. Review the containment purge mode during normal operation with respect to various accident scenarios and consequences including operation of containment purge valves, closure times, and leak tightness. (2) Safety Objective: To assure that the primary containment isolation provisions meet the require-ments of 10 CFR 50, Appendix A, General Design Criteria 54 through 57. Some of the operating plants may have too few or too many isolation pro-visions. Containment purging during normal operation in PWRs has raised a concern regarding the ability of the ventilation system isolation valves to close upon receipt of an accident signal. The use of resilient sealing materials in conjunction with the cycling of these valves has resulted in an increased degradation in the leakage integrity of the valve seats. To assure the adequacy of the maintenance and repair schedule to maintain the leakage integrity of the valves for the service life of the plant. To assure that containment purge operations will not adversely affect the consequences of postulated accidents. (3) Status: The functional performance of the sump lines and emergency core cooling systems is being reviewed in conjunction with the Appendix K submittals. Implementation criteria are being developed to apply the requirements of Branch Technical Position CSB 6-4 to containment purging practices and to improve the leakage integrity of ventilation system isolation valves. (4)

References:

1. 10 CFR Part 50, Appendix A, GDC 54 through 57
2. Standard Review Plan, Section 6.4.2
3. Standard Review Plan, Branch Technical Position CSB 6-4, " Containment Purging During Normal Plant Operations" TOPIC: VI-5 Combustible Gas Control (1) Definition:

Review the combustible gas control system to determine the capability of the system to monitor the combustible gas concentration in the containment, to mix combustible gases within the containment atmosphere, and to maintain combustible gas concentrations below the combustion limits (for example, by recombination, dilution, or purging). For facilities which share recombiners (portable) between units or sites, determine that the recom-biners can be made available within a suitable time. For facilities which utilize purging as a primary means of combustible gas control, determine the radiological consequences of the system operation. Reevaluate hydrogen production and accumulation analysis to consider (1) reduction of Zr/ water reaction on the basis of five times the Appendix K calculation amount and (2) potential increases in hydrogen production from corrosion of metals inside containment. San Onofre 1 SEP A-51 

    -(2) Safety Objective:

To prevent the' formation of combustible gas explosive concentrations in the containment or in localized regions within containment, following a postulated accident; to assure that the radiological consequences of the system operation are acceptable. (3) Status: Proposed 10-CFR 50.44 would permit a'BWR licensee to propose an alternate combustible gas control system in lieu of inerting. Four such proposals for containment atmosphere dilution systems are currently under review, and the COGAP II computer code is being revised to perform the system evaluations. (4)

References:

1. Proposed rule 10 CFR Part 50, Section 50.44
          '2.                   Division of Operating Reactors, D0R Technical Activities, Category A, Item 8, " Containment Purge During Normal-Operation," April 1977
3. Division of Operating Reactors, DOR-Technical Activities, Category A, Item 14, "Inerting Requirements / CAD," April 1977
4. Standard Review Plan, Branch Technical Position CSB 6-2, " Control of Combustible Gas Concentrations in Containment Following a Loss of Coolant Accident"
5. Standard Review Plan, Section 6.2.5 (5) Basis for Deletion (Related TMI TASK, USI, or Other SEP Topic):

(a) TMI Action Plan Task II.B.7, " Analysis of Hydrogen Control" (NUREG-0660) As a result of TMI Task II.B.7, short- and long-term rulemaking to amend 10 CFR 50.44 has been initiated. The short-term rulemaking (interim rule) requires that all Mark I and Mark II containments be inerted. It also requires that the owners of all plants with other containments perform certain analyses of accident scenarios involving hydrogen releases and furnish the staff with a proposed approach for mitigating these hydrogen releases. The longer-term rulemaking will address both degraded core and melted core issues. In the area of hydrogen control, it will pre-scribe requirements that are appropriate for operating plants as well as for plants under construction. (b) USI A-48, " Hydrogen Control Measures and Effects of Hydrogen Burns on Safety Equipment" (NUREG-0705) { Under USI A-48, a Task Action Plan nas been defined and is being j developed that encompasses the concerns in the Definition and the Safety Objective of SEP Topic VI-5. The evaluation required by TMI II.B.7 and USI A-48 is identical to SEP Topic VI-5; therefore, this SEP topic has been deleted, l San Onofre 1 SEP A-52 d

I i L B TOPIC: VI-6 Containment Leak Testing - (1) Definition: Certain requirements of primary reactor containment leakage testing for E water-cooled power reactors as described in Appendix J to 10 CFR Part 50 (issued February 1973) have been found to be conflicting, impractical for k implementation, or subject to a variety of interpretations. Review the primary reactor containment leak testing program for operating nuclear g plants.

(2) Safety Objective

To assure that the containment leak testing program provides a conserva-tive assessment of the leakage rate through individual leakage barriers and to assure that proper maintenance and repairs are conducted during L the service life of the containment. The testing acceptance criteria are established to ensure that containment leakage following a postulated accident will not result in offsite doses exceeding 10 CFR 100 guidelines. (3) Status: A generic review for compliance with Appendix J and the review of requested exemptions to the regulation is currently underway. Proposed revisions to Appendix J to improve the testing requirements are under development. (4)

References:

1. 10 CFR Part 50, Appendix J
2. 10 CFR Part 50, Appendix A, GDC 52 and 53 e 3. NUREG-0328, " Regulatory Licensing: Status Summary Report" (Pink Book),

f Generic Issue 3-10, " Containment Leak Testing - Appendix J," April 1977 L 4. Division of Operating Reactors, 00R Technical Activities, Category 8, [ Item 33, " Containment Leak Testing Requirements," May 1977

5. Division of Systems Safety, DSS Technical Activities, Category A, Item 30, " Containment Leak Testing," April 1977 TOPIC: VI-7.A.1 Emergency Core Cooling System Reevaluation To Account for

(; Increased Reactor Vessel Upper Head Temperature E f (1) Definition: Losy-of-coolant accident (LOCA) analyses for all Westinghouse reactors 3 were conducted assuming that the water in the upper head region of the 

 ~

reactor vessel was the same as the inlet water temperature because of a bypass flow from the downcomer to the upper head. Temperature measurements k; made by Westinghouse indicate that the actual temperature of the upper head fluid exceeds cold leg temperature by 50 to 75% of the difference i_ between hot leg and cold leg (inlet) temperature. All operating reactors were required to resubmit LOCA analyses using hot leg temperature for the 

 .        upper head volume.

t i [ San Onofre 1 SEP A-53 I I

(2) Safety Objective: To provide revised LOCA analyses with correct upper head temperatures to assure that peak clad temperature limits are not exceeded. (3) Status: Revised analyses have been received from all Westinghouse plants. All but three have been reviewed and approved. TOPIC: VI-7.A.2 Upper Plenum Injection (1) Definition: Emergency core cooling system (ECCS) evaluation of Westinghouse two-loop plants was performed assuming that low pressure pumped injection is delivered directly to the lower plenum. However, ECC coolant is delivered directly into the upper plenum. Interaction of the cold injection water with the steam exiting from the core during refill and reflood and the heat transfer effects during the downward passage to the lower plenum have not been adequately considered. (2) Safety Objective: To provide assurance that existing analyses with Westinghouse two-loop plants are acceptable either by showing that the present analyses are conservative, or by developing a new ECCS model which considers upper plenum injection. (3) Status: The staff met with the licensees and Westinghouse on January 11 and 26, 1977. The staff requested that the licensees formally submit the infor-mation presented at the January 26, 1977 meeting. Two Westinghouse reports have been received to date. The staff is continuing to evaluate the problem. Research requested by the Office of Nuclear Reactor Regulation and performed by the Office of Nuclear Regulatory Research in the semiscale facility provided basis for evaluation. TOPIC: VI-7.A.3 Emergency Core Cooling System Actuation System (1) Definition: Review the emergency core cooling system (ECCS) actuation system with respect to the testability of operability and performance of individual active components of the system and of the entire system as a whole under conditions as close to the design condition as practical. (2) Safety Objective: To assure that all ECCS components (for example, valves and pumps) are included in the component and system test. To assure that the frequency and scope of the periodic testing are adequate and meet the requirements of General Design Criterion 37. San Onofre 1 SEP A-54

(3) Status: New appiirations (construction permit and operating license) are reviewed in accordance with the Standard Review Plan and the references listed below. No specific activity for operating reactors is in progress. (4)

References:

l 1. Regulatory Guide 1.22, " Periodic lesting of Protection System Actuation Function"

2. Standard Review Plan, Branch Technical Position EICSB-25, " Guidance for the Interpretation of General Design Criterion 37 for Testing the Operability of the Emergency Core Cooling System as a Whole"
3. 10 CFR Part 50, Appendix A, GDC 37 TOPIC: VI-7.A.4 Core Spray Nozzle Effectiveness (1) Definition:

Core spray systems are designed with a nozzle or a set of nozzles arranged above the core in such a way that, following a LOCA, a spray of water will be distributed over the top of the core so that each fuel bundle will receive a specified minimum flow which will provide adequate core cooling. Recent test data for a single nozzle in a steam environment noted partial or complete collapse of the spray cone and/or a shift in the direction of spray. These effects were not included in earlier full scale spray tests in air. (2) Safety Objective: To assure adequate spray cooling following a LOCA. (3) Status: The NRC has reviewed and accepted spray system performance for multiple nozzle spray systems, but has not accepted spray systems with a single overhead spray nozzle. Recent teste in Florida on the Big Rock Point spray nozzle indicate incomplete core coverage. As a result of these tests, NRC is requesting further testing by GE of multiple spray nozzles. (4)

References:

1. Letter from K. Goller, NRC, to operating reactor branch chiefs,

Subject:

" Generic Issue - Effects of Steam Environment on Core Spray Dictribution for Non-jet Pump BWRs," December 7, 1976
2. General Electric, GE Topical Report NED0-10846, "BWR Core Spray Distribution" l

San Onofre 1 SEP A-55

4 TTOPIC: VI-7.B Engineered Safety. Feature Switchover From: Injection to Recirculation Mode (Automatic Emergency Core Cooling System ERealignment) 

      .(1)~ Definition:

Most PWRs require operator action to realign' emergency core cooling (ECC) systems for.the recirculation mode following a=LOCA. We have been requiring, on an ad hoc basis, some automatic features to realign'the ECCS from the injection to.the recirculation mode of operation. (2)) Safety Objective: 

            >To increase the reliability of long-term. core cooling by1not requiring operator action to' change. system realignment:to the recirculation mode.

(3). Status: A draft Branch Technical Fosition has been prepared which covers'both ECC-and containment spray systems. 'The proposed position is awaiting review by the Regulatory Requirements; Review Committee. (4)

Reference:

American National Standards Institute, Draft ANSI. Standard N 660, " Proposed American National Standard Criteria for Safety-Related Operator Actions" 

                                                                               ~
                                                            ~
      -TOPIC:      VI-7.C' Emergency Core Cooling System (ECCS) Single-Failure Criterion and Requirements for. Locking Out Power to Valves, Including Independence of- Interlocks on ECCS Valves-(1) 1 Definition:
              .The physical locking out:of electrical sources to specific motor-operated' valves required for the engineered safety functions of ECCS has-been required, based on the assumption that a spurious electrical signal at an inopportune time could activate.the valves to the adverse position; for example, closed rather,than'open, or opened.rather than closed._ There is some concern that interlock circuitry on ECCS valves may not be independent
              . such that a single failure of an interlock due to equipment malfunction or operator error could defeat more than one interlock and'cause the valves to be' cycled to the wrong position.

. L(2) Safety Objective: To ensure that all power-operated valves which could affect emergency core . Ecooling (ECC) system performance by being in the wrong position have power. removed except when'in use. 'This will ensure that ECC systems.are not- j defeated by having a valve in the wrong position. (3) Status: . The staff plans to-reconsider EICSB BTP-18 and RSB BTP-6-1. 

                                                                                                         -l San Onofre 1 SEP                         A-56

TOPIC: VI-7.C.1 Appendix K--Electrical Instrumentation and Control Re-reviews 

-(1) Definition:

During the Appendix'X reviews of some facilities initially considered, a detailed electrical instrumentation and control review was not performed. Re-review the modified ECCS of these facilities to confirm that it is designed to meet the most limiting single failure. (2) Safety Objective: To assure that the modified ECCS is designed to meet the most limiting (design basis) single failure. (3) Status: No current activity in the Division of Operating Reactors. (4)-~

References:

1. Regulatory Guide 1.6, " Independence Between Redundant Standby (Onsite)

Power Sources and Between Their Distribution Systems"

2. Institute of Electrical and Electronics Engineers, IEEE Std. 308,
             " Standard Criteria for Class IE Electric Systems for Nuclear Power Generating Stations" TOPIC:     VI-7.C.2 Failure Mode Analysis (Emergency Core Cooling System)

(1) Definition: Failure modes and effects criticality analyses-(FMECA) would be conducted for the purpose of systematically determining potential single failures in emergency core cooling (ECC) systems. (2) Safety Objective: To determine if single failures exist in ECC system as an aid in assess-ing overall plant safety. .(3) Status: FMECAs have been conducted on the hydraulic portion of ECC systems of 1 representative plant types. In addition, single-failure analyses were ' performed on each plant as a part of the required Appendix K analysis except for those plants with stainless steel clad cores. San Onofre 1 SEP A-57 l l

TOPIC: VI-7.C.3 Effect of PWR Loop Isolation Valve Closure During a Loss-of-Coolant Accident on Emergency Core Cooling System Performance (1) Definition: Some PWRs are equipped with loop isolation valves. -The effect of spuri-ous closure of a loop isolation valve during a LOCA has never been ana-lyzed. To ensure emergency core cooling system (ECCS) performance, power in some cases has been removed from loop isolation valves to prohibit spurious closure. (2) Safety Objective: 

          -To assure that all plants with loop isolation valves have power removed during operation, or that other acceptable measures are taken to preclude inadvertent closing.

(3) Status: In most cases power has been removed from loop isolation valves, and this is confirmed as part of staff ECCS performance evaluations. This has not been confirmed for all plants with locp isolation valves. TOPIC: VI-7.0 Long-Term Cooling Passive Failures.(for example, Flooding of Redundant Components) (1) Definition: The General Design Criteria require that the emergency core cooling sys-tems (ECCSs) shall be capable of providing adequate core cooling following a loss-of-coolant accident, assuming a single failure in emergency core cooling systems. The staff assumes the single-failure to be either an active failure during the injection phase, or an active or passive fail-ure during the long-term recirculation phase. The physical layouts of engineered safety feature pumps and components on some pressurized water +' reactors make them vulnerable to flooding that might result from passive failures in system piping. Protection for pipe cracks or ruptures is not required because of the low probability of occurrence during the ECCS recirculation mode. (2) Safety Objective: To provide for increased reliability of ECCSs by assuring that passive failures will not cause flooding and failure of ECCS valves and equipment. (3) Status-Issue identified by Fluegge in letter to Rowden, October 24, 1976. Staff response was prepared which concluded that "... consideration of this issue does not warrant revisions to any existing licenses or changes in present priority for addressing the treatment of passiv? failurer subsequent to a LOCA. ECCS passive failure criteria being implemented by the staff San Onofre 1 SEP A-58

require considerations of additional leakage but not pipe breaks beyond the initiating LOCA." (4)

Reference:

NUREG-0138, " Staff Discussion of Fifteen Technical Issues Listed in Attachment to November 3, 1976 Memorandum From Director, NRR, to NRR Staff," Issue No. 7, " Passive Failures Following a Loss-of-Coolant Accident," December 1976 TOPIC: VI-7.E Emergency Core Cooling System Sump Design and Test for Recirculation Mode Effectiveness (1) _ Definition: Following a loss-of-coolant accident in a PWR, an emergency core cooling 

       . system (ECCS) automatically injects water into the system to maintain core cooling. Initially, water is drawn from a large supply tank. Water discharging from the break and containment spray collects in-the contain-ment building sump. When the supply tank has emptied to a predetermined level, the ECCS is switched from the " injection" mode to the " recirculation" mode. Water is then drawn from the containment building sump.

ECCSs are required to operate indefinitely in this mode to provide decay heat removal. Certain flow conditions could occur in the sump, which could cause pump failures. These include entrained air, prerotation or vortexing, and losses leading to deficient net positive suction head. (2) . Safety Objective: To. confirm effective operation of ECCSs in the recirculation mode. (3) Status: Confirmation through preoperational testing is now required on all con-struction permits. Staff has been accepting scaled tests in lieu of preoperational tests at the operating-license stage. Some plants have required modification to achieve vortex control. (4)

Reference:

Regulatory Guide 1.79, "Preoperational Testing of Emergency Core Cooling Systems for Pressurized Water Reactors," (paragraph b(2)) (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic): USI A-43, " Containment Emergency Sump Reliability" (NUREG-0510 and NUREG-0660) The definition of this topic and the references cited are covered by USI A-43. The evaluation for USI A-43 is identical to SEP Topic VI-7E; therefore, this SEP topic has been deleted. San Onofre 1 SEP A-59 I

TOPIC:' VI-7.F Accumulator Isolation Valves Power and Control System Design (1) Definition: For many loss-of-coolant accidents, the performance of the ECCS in PWR plants depends upon the proper functioning of the accumulators. The motor-operated isolation valve, provided between the accumulator and the .l primary system,.must be considered to be " operating bypass" (IEEE 279-1971)' because, when closed,-it prevents the accumulator from. performing the intended protective function. The motor-operated isolation valve should be designed against a single failure that can result in a loss of capability to perform a safety function.- ('2) Safety Objective: ) 

        .To assure that the accumulator isolation valve meets the " operation bypass" requirements of IEEE 279-1971, which states that the bypass of a protective function will be removed automatically whenever permissive conditions are not met. To assure that a single failure in the electrical system or single operator error cannot result in the loss of capability of an accumulator to perform its safety function.

(3) Status: Staff positions listed below are implemented on new applications. No systematic review program for operating reactors exists. (4) .

References:

        - 1. Institute of Electrical and Electronics Engineers, IEEE Std. 279-1971,
                " Criteria for Protection System for Nuclear Power Generating Stations"
2. Standard Review Plan, Branch Technical Position EICSB-4, " Requirements
               . on Motor-Operated Valves in the ECCS Accumulator Lines"
3. Standard Review Plan, Branch Technical Position EICSB-18, " Application of Single Failure Criteria to Manually-Controlled Electrically Operated Valves" TO.PE: VI-8 Control Room Habitability (1) Definition:

Control rooms in operating plants may not fully comply with General Design Criterion 19. This review should include, but not be limited to, analysis of the control room air infiltration rate, ventilation system isolability and filter efficiency, shielding, emergency breathing apparatus, short distance atmospheric dispersion, operator radiation exposure, and onsite  ; i toxic gas storage proximity. (2) Safety Objective: To assure that the plant operators can safely remain in the control room to manipulate the plant controls after an accident. J 

 . San Onofre 1 SEP                          A-60

4 4'-- .< . -y [ ('3) tStatus: 

                                  -;The Division of Operating-Reactors now reviews control room habitability
                                  'in operating plants when relatedLlicensing actions (for example, assessment
                                   'of BWR containment air; dilution system post-LOCA radiological. impact)
~
                                  . require it. :The Division'of Site Safety and Environmental Analysis has a
                                  ' technical assistance contract with the National Bureau of-Standards to IT measure the. control room' air infiltration rate at a:few operating plants.

These measurements.will.be used to gauge the conservatism of the assumed air infiltration rates currently.used by NRC. Some reviews-are now in- 

                                                                    ~

r ~ progress' for plants we have reason to believe do not meet General Design- ', F . Criterion 19 (San Onofre Nuclear Generating Station Unit ~1, Vermont Yankee,

St.'Lucie). ,
                          -(4)

References:

I: L1.  : Standard Review Plan, Section 6.4 ' 

                                  )2. ' 10.CFR Part 50, Appendix A, GDC-19
3. -Murphy, K. G., and K. M. Campe, " Nuclear Power Plant Control Room
                                                . Ventilation System Design for Meeting General Criterion 19," in Proceedings'of the. Thirteenth AEC Air Cleaning Conference, August
                                             -1974-1~                                 L4.       : Regulatory Guide 1.'78, " Assumptions for Evaluating the Habitability'
                                            .of a Nuclear Power Plant Control Room During a Postulated Hazardous
                                             = Chemical Release"
        ,                          5 '.      . Regulatory Guide 1.95, Rev. 1, " Protection of-Nuclear Power Plant'
                                            ; Control Room Operators Against an Accidental Chlorine Release"
                         ;(5)f asisB       for Deletion (Related TMI Task, USI, or Other SEP Topic):                 "

1TMI Action Plan-Task III.D.3.4,'" Control Room Habitability Requirements" (NUREG-0737) l '_The review criteria required by Task III.D.3.4 (NUREG-0737,-pp. 3-197) are identical to the review criteria specified in the Definition and 

                                                                        ~
                                                                ~

h -References.~of.SEP Topic VI-8; therefore,-this SEP topic-has been deleted. I 

                         - TOPIC: .VI-9 IMain Steam Line Isolation Seal System (BWR)
                         .(1)- Definition:
                                 ' Operating experience has indicated that there is a relatively high fail-ure' rate and variety of' failure modes for components of the main steam
                                  -l solation valve' leakage-control system in certain operating BWRs.
                         ,(2) Safety Objective:

< To assure that leakage rate limits are not exceeded and the resulting calculated offsite ' doses do not exceed 10 CFR Part-100 guidelines using

the staff's. assumptions.'

San Onofre'l'.SEP A-61  ; - 1 I

f 

 .(3) ' Status:

Experience from surveillance testing as reported in recent licensee. event reports is compiled by the Division of Operating Reactors to serve as a basis for identifying design improvements and for preparing recommendations for future revisions to Regulatory Guide 1.96.

(4)

References:

        -1.      Division of Operating Reactors, 00R Technical Activities, Category B,
                 " Main Steam Line Leakage Control System," May 1977
2. Regulatory Guide 1.96, " Design of Main Steam Isolation Valve Leakage Control Systems for Boiling Water Reactor Nuclear Power Plants"
3. Standard Review Plan, Section 6.7 TOPIC: -VI-10.A Testing of Reactor Trip System and Engineered Safety Features, Including Response-Time Testing (1) Definition:

Review the reactor trip system-(RTS) and engineered safety features (ESF) test program to verify RTS and ESF operability on a periodic basis and to verify RTS and ESF response time. (2)_ Safety Objective: 

         'To assure the operability of the RTS and ESF, on a periodic basis, including verification of sensor response times. To' ensure that the RTS and ESF test program demonstrates a high degree of availability of the systems and the response times assumed in the accident analyses are within the design specifications.
  -(3) Status:

The test program of the RTS and ESF of new license applications is reviewed in accordance with the Standard Review Plan, including applicable Branch 

        ' Technical Positions. Some licensees have agreed to perform response-time measurements. Operability testing is probably performed, in one form or another, for most licensees of operating reactors.

(4)

References:

1. Standard Review Plan, Branch Technical Position EICSB-24, " Testing of Reactor Trip System and Engineered Safety Feature Actuation System Sensor: Response Times"
2. Memorandum from V. Stello, NRC, to V. A. Moore,

Subject:

"GESSAR Second Round of Questions No. 2 and No. 9," October 12, 1973
3. Regulatory Guides 1.22, " Periodic Testing of Protection System Actuation Functions" 1.105, " Instrument Setpoints" 1.118, " Periodic Testing of Electric Power and Protection Systems" San Onofre 1 SEP A-62
    ' TOPIC: VI-10.8 Shared Engineered Safety Features, Onsite Emergency Power,-and Service Systems for Multiple Unit Stations (1)~ Definition:

The sharing of engineered safety features (ESF) systems, including onsite emergency power systems, and service systems for a multiple-unit facility can result in a reduction of the number and of the capacity of onsite systems to below that which normally is provided for the same number of units. located at. separate sites. Review these shared systems for multiple-unit stations. (2) Safety Objective: 

          -To assure that:    (1) the interconnection of ESF, onsite emergency power, and service systems between different units is not such that a failure, maintenance, or testing operation in one unit'will affect the accomplish-ment of the protection function of the systems (s) in other units; (2) the required coordination between unit operators can cope with an incident in one unit and safe shutdown of the remaining units (s); and (3) system over-load conditions will not arise as a consequence of an accident in one unit coincident with a spurious accident signal or any other single failure in another unit.

(3) Status: A systematic review of shared ESF, onsite emergency power, and service systems for operating multiple-unit stations is not being conducted. The EICSB Branch Technical Position is applied in the review of new licensee applications. 

    -(4)

References:

1. Standard Review Plan, Branch Technical Position EICSB-7, " Shared Onsite Emergency Electric Power Systems for Multi-Unit Stations"

,: 2. Regulatory Guide-1.81, " Shared Emergency and Shutdown Electric Systems for Multi-Unit Nuclear Power Plants" TOPIC: VII-1.A Isolation of Reactor Protection System From Nonsafety Systems, Including Qualification of Isolation Devices (1) Definition: Nonsafety systems generally receive controi signals from the reactor pro- i tection system (RPS) sensor current loops. The nonsafety sensor circuits are required to have isolation devices to ensure the independence of the RPS channels. Requirements for the design and qualification of isolation devices are quite specific. Recent operating experience has shown that some of the earlier isolation devices or arrangements at operating plants may not be effective. ' l l San Onofre 1 SEP A-63  ; l l 

                                                          .   .       _ --.-., . . . -     - -- 1

9. 

                      ~

(2)- _ Safety Objective: To-verifyothat1 operating reactors have RPS designs which provide' effective and~ qualified.. isolation of nonsafety systems-from safety systems to assure 

                                 'that safety systems will. function as required.
                      -(3) Status:
                                ' A limited; generic review'ofzisolation devices is being' performed by the Division'of-Operating Reactors'as.part of a followup on LER No. 76-42/IT for.Calvert Cliffs Unit 1 (TAC 6696). This limited generic review should be complete by August 1, 1977.

4 (4)

References:

                                ; 1.       Licensee. Event Report No. 76-42/IT, Calvert Cliffs Unit 1 (Technical 3 Assignment Control (TAC) No. 6696) 2 2.'    ? Standard Review Plan,--Section 7.2 B
                      ' TOPIC: 'VII-1.8 Trip Uncertainty and Setpoint Analysis Review of
                                                  -Operating Data Base 1(1); Definition:

As a result of Issue No. 13 in NUREG-0138 (Ref. 1) the staff is conducting .f a survey of plants at the operating-license stage of review to more ' 

                                -specifically-identify the margin between actual allowable trip parameter-                ,.
                                 ' limits-(from safety analyses standpoint) and actual reactor protection
                                . system'(RPS) setpoints specified in the Technical Specifications. .To' clearly identify the setpoint margins, both the ultimate allowable and-1                'the specified nominal setting will be identified in the. Technical
                                ' Specifications.
                         -(2) Safety Objective:

To~ assure that the margins between the allowable trip parameters and the - actual RPS.setpoints are adequate and properly' identified.  ; 

                      '(3) ' Status:

Implementation letters have been sent to the current applicants for 

                                -operating licenses. The Technical Specifications for operating reactors are only being changed to include both values if a particular plant-is
converting to Standard Technical Specifications.
~

F(4);-

References:

                  ,^.
                                . 1.       NUREG-0138, " Staff Discussion of Fifteen Technical Issues Listed in Attachment.to November 3, 1976 Memorandum From Director, NRR, to NRR
      ~

j Staff," . Issue No. -13, " Instrument Trip Setpoints in Standard Technical Specifications," November 1976

2. Memorandum from V. Stello, NRC, to R. Boyd,

Subject:

" Instrument Trip Setpoint Values," February 18, 1977 San Onofre 1 SEP                              A-64

=_

3. Division of Operating Reactors, 00R Technical Activities, Category B, Item 29, " Instrument Trip Setpoints on Standard Technical Specifica-tions," May 1977 TOPIC: VII-2 Engineered Safety Features System Control Logic and Design (1) Definition:

During the staff review of the safety injection system (SIS) reset issue (Ref.:1) the staff determined that the engineered safety features actuation systems (ESFASs) at both PWRs and BWRs may have design features that raise cuestions about.the independence of redundant channels, the interaction of reset features and individual equipment controls, and the interaction of the ESFAS logic that controls transfers between onsite and offsite power sources. Review the as-built logic diagrams and schematics, operator action required to supplement the ESFAS automatic actions, the startup and surveillance testing procedures for demonstrating ESFAS performance. 

    'Severa1' specific concerns exist with regard to_the manual SIS reset feature following a LOCA: (1) If a loss of offsite power occurs after reset, operator action would be required to remove normal shutdown cooling loads                                      >

from the emergency bus and reestablish emergency cooling loads. Time would be critical if the loss of offsite power occurred within a few minutes following a LOCA. (2) If loss of offsite power-occurs after reset, some plants may not restart some essential loads such as diesel cooling water. (3).The plant may suffer a loss of ECCS delivery for some time period before emergency power picks up the ECCS system. Review the ESF system control logic and design, including bypasses, reset features, and interactions with transfers between onsite and offsite power sources. (2) Safety Objective: To assure that the ESFASs are designed and installed so that the necessary automatic control of engineered safety features equipment can be accomplished when required. (3) Status: A review of ESFASs of operating PWRs is being performed by the Division of Operating Reactors as part of the followup action to Reference 1 (to be completed end of 1977). (4)

References:

    ~1. NUREG-0138, " Staff Discussion of Fifteen Technical Issues Listed in Attachment to November 3, 1976 Memorandum From Director, NRR, to NRR Staff," Issue No. 4, " Loss of Offsite Power Subsequent to Manual Safety Injection Reset Following a LOCA," November 1976
2. Division of Operating Reactors, 00R Technical Activities Category A, Item 22, " Loss of Offsite Power Subsequent to Manual Reset," April 1972 San Onofre 1 SEP A-65

V i 3. Regulatory Guide 1.41, Preoperational- Testing of Redundant Onsite 

                  -Electric Power Systems To Verify Proper Load Group Assignments"
     -TOPIC:    VII-3 Systems Required for Safe Shutdown (1) Definition:

Review plant systems that are needed to achieve and maintain a safe shut-down condition of the plant, including the capability for prompt hot 1 shutdown of the reactor from outside the control room. Included also, a l review of,the design capability and method of bringing a PWR from a high-pressure condition to low pressure cooling assuming.the use of only safety grade equipment. 

     -(2) : Safety Objective:
(1) To assure-the design adequacy of the safe shutdown system to (i) initiate automatically the operation of appropriate systems, including the reactivity control systems,.such that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences or postulated accidents and (ii) initiate the operation of systems and components required to bring the plant to a safe shutdown.

(2) To assure that the required systems and equipment, including necessary 

                   -instrumentation and controls to maintain the unit in a safe condition during hot shutdown are located at appropriate locations outside the control room and have a potential capability for subsequent cold shut-down of the reactor through the use of suitable procedures.
            .(3) .To assure that only safety grade equipment is required for a PWR
                  . plant to bring the reactor coolant system from a high pressure condition to a low pressure cooling condition.

(3) Status: A survey of remote shutdown capability of operating plants was performed 

   ,         some time ago by the Division of Operating Reactors. A technical activity has been proposed by the Division of Project Management (see reference t             below) regarding safety objective (3).      No other activities are in progress.

(4)

Reference:

E Division of Project Management, DPM Technical Activities, Category A, Item 7, " Isolating Low Pressure Systems Connected to the RCPB," April 1977 TOPIC: VII-4 Effects of Failure in Nonsafety-Related Systems on Selected Engineered Safety Features . (1) Definition: l Potential combinations of transients and accidents with failures of l nonsafety-related control systems were not specifically evaluated in the [ original. safety analysis of currently operating reactor plants. Review San Onofre 1 SEP A-66 l k-

the effects of control system malfunctions as initiating events for anticipated transients and also as failures concurrent with or subsequent to anticipated events or postulated accidents initiated by a different malfunction (for example,'the effect of the loss of the. plant air system on the. plant' control and monitoring system). A complete discussion is provided-in Reference 1. (2) _ Safety Objective: To assure that.any credible combination of a nonsafety-related system failure with a postulated transient or accident will not cause unaccept-able consequences. (3) . Status: A technical assistance contract with Oak Ridge National Laboratory for failure mode analyses of control systems was initiated to determine sensi-tive areas of the plant designs. The results of this program in conjunc- 

.      . tion with the results of the failure mode and effects analyses for transients and accidents being performed under contract by Idaho Nuclear-Engineering Laboratory should provide a basis for any new review and safety requirements.

(4)

References:

1. NUREG-0153, " Staff Discussion of Twelve Additional Technical Issues Raised by Responses to November 3, 1976 Memorandum from Director, NRR, to NRR Staff," Issue 22, " Systematic Review of Normal Plant Operation and Control System Failures," December 1976
2. Memorandum from V. Stello, NRC, to R. J. Hart, December 23, 1976, NRR letter No. 46.
3. Division of Operating Reactors, D0R Task Force Report on SEP, Appendix B (TFL 118), November 1976
a. Item 33, " Safety Related Control Power"
b. Item 34, " Safety Related Instrumentation Power"
c. Item 56, "Effect of Failure in Non-Safety Related Systems During Design Basis Events"
d. Item 57, " Loss of Plant Air System (Effect on Plant Control and Monitoring)"
e. Item 77, " Safety Related Control and Instrument Power"
4. Directorate of Operational Technology, 00T Recommended List of SEP Subjects, C DOT 102, Item 100z, " Loss of Plant Air System (Effect on Plant Control and Monitoring)," Spring 1977 (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic):

(a) USI A-47, " Safety Implications of Control System" (NUREG-0705 and NUREG-0606) The issue defined in Reference 1 (NUREG-0153, Item 22) is as follows: In evaluating plant safety, the effects of control system malfunctions should be reviewed as initiating events for San Onofre 1 SEP A-67 

  }

anticipated transients and also as failures'that cculd occur concurrently subsequent to postulated anticipated. 

                       ! events (initiated by a different malfunction) or postulated accidents.

The issue defined in USI A-47 is, in part, as follows: i 

                       .This issue concerns the potential for transients or acci-dents being made more severe as a result of the failure or malfunction of control systems. These failures or malfunc-
                       -tions may occur independently, or as a result of the acci-dent or~ transient under consideration, l

(b) USI A-17, " Systems Interactions in Nuclear Power Plants" (NUREG-0649 l and NUREG-0606) i The purpose of this task is to develop a .?ethod for conducting a disciplined and systematic review of nucleaa power plant systems, for both process function couplings of systems and space couplings, to identify'the potential sources and types of systems interactions that are determined to be potentially adverse. A report has been developed, " Final Report - Phase 1 Systems Inter-action Methodology Applications Program," NUREG/CR-1321, SAND 80-0384, whose objectives are:

1. To develop a methodology-for conducting a disciplined and systematic review of nuclear power plant systems which facilitates identification and evaluation of systems interactions that affect the likelihood of core damage.
2. To use the methodology to assess the Standard Review Plan to determine the completeness of the plan in identifying and evaluating a limited range of systems interactions.

The work done under USI A-17 may be useful in the development of USI A-47. The Definition of USI A-47 is identical to that of Topic VII-4; therefore, this SEP topic has been deleted. TOPIC: VII-5 Instruments for Monitoring Radiation and Process Variables During Accidents (1) Definition: The adequacy of the instruments for monitoring radiation and process i variables during accidents has not been reviewed for conformance with i Regulatory Guide 1.97. A generic review is planned to assess the licensee's l existing or proposed monitoring instruments during and following accidents 1 to determine the adequacy of their range, response, and qualifications, and to determine the sufficiency of,the variables to be monitored. Certain  ; instruments to monitor conditions beyond the design basis accidents will ' San Onofre 1 SEP A-68 J

also be required'in accordance with an Regulatory Requirements Review Committee (RRRC) determination (Reference 3). (2) Safety Objective: To assure that plant operators and emergency response personnel have available sufficient information on plant conditions and radiological releases to determine appropriate in plant and offsitt actions throughout the course of any accident. The instrumentation should also provide recorded transient or trend information necessary for postaccident evalua-tion of the event. The ability to follow the course of accidents beyond the design basis accidents is also required. (3) Status: Generic review of instrumentation to follow the course of accidents in operating plants and in all plants now under construction or seeking a construction permit will begin with the issuance of Regulatory Guide 1.97, Revision 1, this year. Submittals describing the facilities' postaccident instrumentation will be obtained from all operating licensees and reviewed by the end of 1978. The implementation of Regulatory Guide 1.97, Revision 1 on operating plants is proceeding independent of the SEP. The Regulatory Requirements Review Committee has determined that Revision 1 to Regulatory Guide 1.97 should be treated as a Category 2 item (backfit on operating plants on a case-by-case basis). (4)

References:

1. Memorandum from H. G. Mangelsdorf (ACRS) to L. M. Muntzing (Regulations), August 14, 1973
2. Memorandum from L. M. Muntzing (Regulation) to H. G. Mangelsdorf (ACRS), November 1, 1973
3. -Memorandum from R. B. Minogue (50) to E. G. Case (NRR), Enclosure, Proposed Revision 1 to Regulatory Guide 1.97, April 4, 1977
4. Standard Review Plan, Section 7.5
5. Standard Review Plan, Section 7.6
6. Standard Review Plan, Section ILS
7. Memorandum from T. A. Ippolito (EICSB) to Emergency Instrumentation Task Force Members, August 12, 1974
8. NUREG-0153, " Staff Discussion of Twelve Additional Technical Issues Raised by Responses to November 3, 1976 Memorandum from Director, NRR, to NRR Staff," Issue 21, " Instruments for Monitoring Both Radiation and Process Variable During Accidents," December 1976
9. Minutes of Regulatory Requirements Review Committee meeting, January 28, 1977
 -(5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic):

TMI Action Plan Task II.F, " Instrumentation and Controls" NUREG-0660 and NUREG-0737 There are three subtasks under Task II.F as follows: San Onofre 1 SEP A-69 

                            \
   ~ +                                                 1 T                                   *
   "D                 ,
                                           -(a); JII.F.11- Additional Accident Monitoring -Instrumentation .
                                            '(b) II.F.2 --Identification ~of'and Recovery From Conditions Leading.

to Inadequate-Core Cooling 

                                           .(c) 'II.F.3 - Instruments for Monitoring Accident Conditions LSpecific" position's on the. required instrumentation for II.F.1 and
                       <<                    II.F.2 are in:NUREG-0737 and Regulatory Guide 1.97, Revision 2              ~l
                                           -(December 1980).         Instrumentation need for-II.F.3 is also in             !

cRegulatory Guide 1.97,. Revision 2; The.emphasisLof TMI Task II.F is_the' monitoring of radiation and process; variables; guidance for this relies.primarily 'on Regulatory Guide l.97.. This is identical to the_ review proposed in Topic VII-5; 

                                           -therefore this SEP topic has been deleted.'                                -

TOPIC: - VII-6 -Frequency Decay 

     '                                                        ~
                                                                                                                  <       i
                      - (1) lDefinitioni
            ~

In an' issue of Re'ference 1 it is stated that the_ staff should require that , 

                                    .a postulated rapid decay of the frequency __of the offsite power _ system be-
                                    -included in the accident analysis.and that.the result be demonstrated to-
                                    'be acceptable. Alternatively, the reactor coolant pump (RCP)' circuit breakers should be designed to protection system criteria and tripped to separate ~the pump motors from the offsite power system.          Rapid decay of1
                                   - the frequency-of the offsite. power system has the potential for. slowing-down or. breaking .the RCP,- thereby reducing the coolant flow rates to levels not considered in previous analyses..

(2)' Safety Objective: ., To assure that the reactor coolant flow rate will not decrease below those assumed for a flywheel coastdown. 

                      - (3) _ Status:

L l' -Oak'. Ridge' National Laboratory, under a technical assistance program, is

' 1 currently reviewing the frequency decay rate and its effects-on RCPs.
'This program should be completed before the end of-this year and this issue  ?

[ resolved.- 1

(4) -

References:

                                                                                 }
    ,                              - 1.-     NUREG-0138, " Staff Discussion of Fifteen Technical Issues Listed in
                                           - Attachment to November 3,1976 Memorandum From Director, NRR, to               i l                                             NRR Staff," Issue No. 9, " Frequency Decay," November 1976

, 2._ Division of Operating Reactors, 00R Technical Activities, Category B, Item 27, " Frequency Decay," May 1977 l l I p ~ San Onofre 1 SEP A-70 l; 

    .h TOPIC: LVII-7: Acceptability o'f Swing Bus Design on BWR-4-Plants-(1): . 'Defi ni tion:                                1                   -
                           ;The swing bus in the' original BWR-4 design was used to provide power from either of two redundant electric sources to the low pressure coolant:

injection (LPCI) valves by meanssof an automatic transfer scheme. A single 

                            ' failure. in _the transfer-circuitry could result .in paralleling the two redundant electric power sources, thereby' degrading their functional capa-
                           'bilities. -Review licensee's swing bus automatic transfer circuitry to verify that it is~ immune to single failures which could lead to paralleling' g                             the two electric power sources.

(2) : Safety Objective: p :To assure.that the swing bus design will not propagate an electrical 

'                            failure between two redundant power sources due to a single failure in the automatic transfer circuit at the BWR-4 swing bus.
         ~

(3)~ Status: i- .During the course ofl generic review for compliance with emergency core j- cooling : system criteria ~ 10 CFR 50.46 and Appendix K, some licensees have. elected to modify the LPCI system.to take credit for a portion of the LPCI 4 flow. These facilities have replaced the swing bus design with a split' 

;                             bus configuration which complies with the requirements _of Regulatory Guide 1.6. Not all facilities required a modification of the LPCI to meet-
                            -.the criteria and have retained the swing bus design.

I- _The issue of the swing bus design was identified in Reference 1 and in addition in a letter from the Advisory Committee on Reactor Safeguards 

 ;.                         -(ACRS) dated. December 12, 1976, 1-                  (4) -

References:

} 1. NUREG-0138, " Staff Discussion of Fifteen Technical Issues Listed in 

                                   . Attachment to November 3, 1976 Memorandum From Director, NRR, to NRR
                                   - Staff," Issue No.-3, " Acceptability of Swing Bus Design.of BWR-4 Plants," November 1976 j                              2. Regulatory Guide 1.6, " Independence Between Redundant Standby (Onsite) p              _

Power Sources and Between Their Distribution Systems"

3. _10 CFR Part 50, Appendix A, GDC 17
4. Institute'of Electrical and Electronics Engineers, IEEE Std. 308,
                                     Standard Criteria for Class IE Electric Systems for Nuclear Power

>. Generating Stations" f TOPICi VIII-1.A Potential Equipment Failures Associated With Degraded. Grid Voltage (1):' Definition: i-A sustained degradation of the offsite power source voltage could result __in the loss of capability of redundant safety loads, their control circuitry, j 'and the' associated electrical components required to perform safety functions. b - San Onofre'1 SEP A-71 i

y _ (2) Safety Objective: To assure that a degradation of the offsite power system will not result in the loss of capability of redundant safety-related equipment and to determine the susceptibility of such equipment to the interaction of onsite and offsite emergency power. sources. (3) Status: A program plan has been developed which includes a short-term program for the review of the emergency power systems of operating reactors and a long-term program to identify those conditions affecting t1e offsite power sources which may require that additional safety measures be taken. (4)

References:

1. NUREG-0090-5, " Report to Congress, Abnormal Occurrences at Millstone 2, July-September 1976," March 1977
2. Memorandum from D. G. Eisenhut, NRC, to K. R. Goller,

Subject:

" Staff Positions (Short-Term Program)," April 20, 1977
3. Letters to licensees, August 12 and 13, 1976
4. Division of Operating Reactors, D0R Technical Activities, Category A, Item 9, " Potential Equipment Failures Associated with a Degraded Off-site Power Source," April 1977 TOPIC: VIII-2 Onsite Emergency Power Systems (Diesel Generator)

(1) Definition: Diesel generators, which provide emergency standby power for safe reactor shutdown in the event of total loss of offsite power, have experienced a significant number of failures. The failures to date have been attributed to a variety of causes, including failure of the air startup, fuel oil, and combustion air systems. In some instances, the malfunctions were due to lockout. The information available to the control room operator to indicate the operational status of the diesel generator was imprecise and could lead to misinterpretation. This was caused by the sharing of a single annunciator station by alarms that indicate conditions that render a diesel generator unable to respond to an automatic emergency start signal and alarms that only indicate a warning of abnormal, but not disabling, conditions. Another cause was the wording on an annunciator window which did not specifically say that the diesel generator was inoperable (that is, unable at the time to respond to an automatic emergency start signal), j when in fact it was inoperable for that purpose. The review includes the l qualification, reliability, operation at low loads, lockout, fuel oil, i and testing of diesel generators. (2) Safety Objective: l To assure that the diesel generator meets the availability requirements for providing emergency standby power to the engineered safety features. I San Onofre 1 SEP A-72 1 

                         *                                                                                  ~
                        - (3) Status:

Under astechnical assistance request ('in preparation), a' thorough evalua- 

                                   - tion of..all-reported failures, including a comprehensive evaluation of diese.1 man'ufacturer.and. utility procedures for inspection,; maintenance,                                       ,
                             ,           and operation, will be performed.' Letters were sent on March 29, 1977 to                                         :
                                   - all-the affected licensees requesting additional-information about diesel                                             '
                                   -- generator status indication in the control room. Our--intention is to i:                                   ' require-that at least~one annunciation be provided=in the control room
. which will alarm whenever the diesel generator is unavailable due to any L - lockout condition.

(4).

References:

1. ' Regulatory Guide 1.108, "Periodi_c Testing of Diesel Generator Units LUsed as Onsite Electric Power Systems at Nuclear Power Plants" NUREG-0328, " Regulatory Licensing: Status Summary Report" (Pink Book),-

2. Generic-Issue 3-11, " Diesel Generator Lockout," April 1977 

                         - TOPIC: - VIII-3.A Station Battery Capacity Test Requirements                                                              I (1)oDefinition:
                                    ' Review the. Technical Specification, including the test program,.with regard to the requirement for. periodic surveillance testing of onsite                                            '

Class IE batteries and the extent to which the test meets Section 5.3.6' of IEEE Std. 308-1971, to determine battery capacity.

(2) Safety Objective:

To assure that the onsite Class IE battery capacity is adequate to supply dc power to all safety-related loads required by-the accident analyses and is verified on a periodic basis. .This effort is needed.to ensure that the test to determine battery capacity includes (1) an acceptance test of ' battery capacity' performed in accordance with Section 4.1 of-IEEE Std., 450-1975; (2) a performance discharge test listed'in Table 2 of IEEE Std. l 308-1971, performed according to Sections 4.2 and 5.4 of IEEE Std. 450-1975; and-(3) a battery service-test described in Section 5.6 of IEEE Std. 450-1972, l to be' performed during each refueling operation. 

                          . (3) Status:
                                   - The review of station battery capacity test requirements is applicable to                                              !

all operating reactors. There is no ongoing effort on this subject for E operating reactors except for those reactors converting to Standard l 

                                   . Technical Specifications.

(4)

References:

1. Standard Review Plan, Appendix 7-A, Branch Technical Position EICSB 6 f 2. Institute of Electrical and Electronics Engineers, IEEE Std. 308-1971, 1974, " Standard Criteria-for Class IE Electric Systems for Nuclear F Power Generating Stations" i

San Onofre 1 SEP A-73 I r-, - - - * -,g- y --t -e, --rwyv , e.:-%u.,-m-, .n-we- -. w e. w . rr -.-.,,# 

                                                                                                     .        m-r~m+my---,.-m,.-ume+-.-.ws,,,     . c mm.m

                 =           -

7~ ' 

                                                                                                                  ;1 l

h.) . -' 

                                ~
                                                                                                                 -}
3. Institute of Electrical and Electronics Engineers, IEEE Std. 450-1975, '

.. - "Recommanded Practice.for. Maintenance, Testing, and Replacement of "' Large Lead Storage Batteries for Generating Stations and Substations" ," ~4 .' Memorandum from J. G. Keppler to R. H. Vollmer,-NRC, March 20, 1972

5. LMemorandum from V.> D. Thomas to R. Carlson, January 18, 1972

,', -TOPIC: 3VIII-3;B DC Power System Bus Voltage Monitoring and Annunciation 

                    !(1), Definition:

d Review'the de power. system battery, battery charger,-and bus voltage 

           ',                     monitoring and annunciation design with respect to dc power system operability status. indication to the operator. This information is

' - needed so that timely corrective measures can be taken in the event of loss of an emergency dc bus. 

                   -(2) : Safety 0bjective:
                                          ~

l 

                               ..To assure the design adequacy of the de power system battery and bus

! voltage moni.toring and annunciation schemes-such that the operator can (1) prevent the loss of an emergency dc bus or (2) take timely corrective action in the event of loss of an emergency dc bus. l (3)' Status: i The review of the:dc power system battery and bus voltage monitoring and annunciation adequacy as it relates to the loss'of an emergency dc bus is y applicable to all operating reactors. . This-topic is included in the NRR

Technical' Activity, " Adequacy of Safety Related DC Power. Supplies."'

L (4)f

Reference:

i Standard Review Plan,' Section 8.3.2 

                             ~

l., y . TOPIC: VIII-4' Electrical Penetrations of Reactor Containment i 

                    .(1) Definition:                                                                           '
Review the electrical penetration assembly with respect to the capability.

to maintain containment integrity during short-circuit current conditions L and mechanical integrity during the worst expected fault current vs, time conditions resulting from single random failures of circuit overload protection devices. (2) Safety' Objective: To assure that all electrical penetrations in the containment structure, , whether associated with Class IE circuits or non-Class IE circuits, are L designed not to fail from' electrical faults during a loss-of-coolant !-  : accident. I L L San Onofre'1 SEP- A-74 L

1 (3) Status: The subject of electrical cable penetrations was identified in Reference 1 and has been proposed as a Technical Activity Category A item by the Division of Systems Safety (Reference 2). The purpose of that activity is a reevaluation of the penetrations-to clarify and augment the design safety margin. (4)

References:

. 1. NUREG-0153, " Staff Discussion of Twelve Additional Technical Issues I Raised by Responses to November 3, 1976 Memorandum From Director, NRR, to NRR Staff," Issue 18, " Electrical Cable Penetration of Reactor Containment," December 1976

2. Division of Systems Safety, DSS Technical Activity, Category A, Item 36, " Electrical Cable Penetrations of Reactor Containment,"

April 1977

3. Regulatory Guide 1.63, " Electric Pentration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants"
4. Institute of Electrical and Electronics Engineers IEEE Std. 317-1976,
                                   " Standard for Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations" TOPIC:                 IX-1 Fuel Storage (1) Definition Review the storage facility for new and irradiated fuel, including the cooling capability and seismic classification of the fuel pool cooling system of the spent fuel storage pool. Specifically review the expansion of the onsite spent fuel storage capacity, including the structural response of the fuel storage pool and the racks, the criticality analysis for the increased number of stored fuel assemblies at reduced spacing, and the capability of the spent fuel cooling system to remove the adoi-tional heat load.

(2) Safety Objective: To assure that new and irradiated fuel is stored safely with respect to criticality (k,f f ( 0.95), cooling capability (outlet temperature ( 150*F), shielding, and structural capability. (3) Status: Approximately two-thirds of the operating reactor plants have requested authorization to increase the storage capacity of their fuel storage pool. The applications are reviewed on a case-by-case basis. New or modified storage rack designs are reviewed against current design criteria; however, the existing pool structure is based on original design criteria. L San Onofre 1 SEP A-75

(4) References

1. Division of Operating Reactors, DOR Technical Activities, Category A, Item 27, " Increase in Spent Fuel Storage Capacity," April 1977 ,
2. American National Standards Institute, ANSI-210, " Design Objectives l for Spent Fuel Storage Facilities" l TOPIC: IX-2 Overhead Handling Systems (Cranes)

(1) Definition: Overhead handling systems (cranes) are used to lift heavy objects in the vicinity of PWR and BWR spent fuel storage facilities and inside the ' reactor building. If a heavy object (for example, a shielded cask) were to drop on the spent fuel or on the reactor core during refueling, there could be a potential for overexposure of plant personnel and for release of radioactivity to the environment. Review the overhead handling system, including sling and other lifting devices, and the potential for the drop of a heavy object on spent fuel, including structural effects. (2) Safety Objective: To assess the safety margins, and improve margins where necessary, of the overhead handling systems to assure that the potential for dropping a heavy object on spent fuel is within acceptable limits and that the po-tential radiation dose to an individual does not exceed the guidelines of 10 CFR Part 100. (3) Status: , Regulatory Guide 1.104, " Overhead Crane Handling Systems for Nuclear Power Plants," was issued for comment in February 1976 and references various industry standards. New applications (construction permit and operating license) are reviewed in accordance with APCSB Branch Technical Position 9-1 which is identical to Regulatory Guide 1.104. The review of overhead handling systems of operating reactor facilities is performed on a generic basis and has also been identified as a 00R Technical Activity Category A. (4)

References:

1. Regulatory Guide 1.104, " Overhead Crane Handling Systems for Nuclear Power Plants"
2. Standard Review Plan, Branch Technical Position APCSB 9-1, " Overhead Handling Systems for Nuclear Power Plants"
3. NUREG-0328, " Regulatory Licensing: Status Summary Report" (Pink Dook),

Generic Issue 3-22, " Fuel Cask Drop Analysis," April 1977

4. Division of Operating Reactors, 00R Technical Activities, Category A, Item 50, " Control of Heavy Loads Over Spent Fuel," April 1977 San Onofre 1 SEP A-76

(5) Basis for Deletion (Related TMI Task, USI or Other SEP Topic): USI A-36. " Control of Heavy Loads Near Spent Fuel" (NUREG-0649) The review criteria required by USI A-36 (Standard Review Plan, Section 9.1.4, and NUREG-0554) are identical to the review criteria specified in the References of SEP Topic IX-2 (BTP 9-1 and Regulatory Guide 1.104); therefore, this SEP topic has been deleted. TOPIC: IX-3 Station Service and Cooling Water Systems (1) Definition: Review the station service water and cooling water systems that are required for safe shutdown during normal, operational transient, and accident conditions, and for mitigating the consequences of an accident or preventing the occurence of an accident. These include cooling water systems for reactor system components (components cooling water system), reactor shutdown equipment, ventilation equipment, and components of the emergency core cooling system (ECCS). These systems also include the station service water system, the ultimate heat sink, and the interaction of all the above systems. The review of these systems includes the pumps, heat exchangers, valves and piping, expansion tanks, makeup piping, and points of connection or interfaces with other systems. Emphasis is placed on the cooling systems for safety-related components such as ECCS equipment, ventilation equip-ment, and reactor shutdown equipment. The following specific aspects of those systems will be considered in the review: (a) Physical separation of redundant cooling water systems that are vital to the performance of engineered safety systems components, (b) Availability of cooling water to primary reactor coolant pumps, (c) Requirements for makeup water of cooling water systems, (d) Effect of water overflow from tanks, (e) Circulating water system barrier failure protection. (2) Safety Objective: To assure that the station service and cooling water systems have the capability, with adequate margin, to meet their design objective. To assure, in particular, that (a) Systems are provided with adequate physical separation such that there are no adverse interactions among those systems under any mode of operation; San Onofre 1 SEP A-77

(b) Cooling water is provided to the bearings of the primary reactor coolant pumps by two independent essential service water systems for PWR plants to take credit for core cooling by pump coastdown. In addition, it should be demonstrated that the possibility of simultaneous loss of water in both essential service water systems by valve closure is sufficiently small; (c) Sufficient cooling water inventory has been provided or that adequate provisions for makeup are available; (d) Tank overflow cannot be released to the environment without monitoring and unless the level of radioactivity is within acceptable limits; (e) Vital equipment necessary for achieving a controlled and safe shutdown is not flooded due to the failure-cf the main condenser circulating water system. k (3) Status: The station service and cooling water systems of applications currently under review are evaluated in accordance with the Standard Review Plan (Sections 9.2.2 and 10.4.5). Some of the specific concerns identified above are under generic review or have been proposed for a technical activity in the Office of Nuclear Reactor Regulation in accordance with the references below. (4)

References:

1. Letter from R. F. Fraley (ACRS) to L. V. Gossick,

Subject:

                           " Analysis of Systems Interactions," November 1, 1976
2. Memorandum from B. C. Rusche to L. V. Gossick, ACRS Subcommittee on Systems Interactions, January 1977
3. Division of Project Management, DPM Technical Activities, Category A, Item DPM-15, " Systems Interactions in Nuclear Power Plants," April 1977
4. Memorandum to R. L. Tedesco, NRC, to D. B. Vassallo, Auxiliary Systems ,

Branch 02 on Yellow Creek Nuclear Plant, Item 010.42, (cooling water for RCP), January 31, 1977

5. Division of Systems Safety, DSS Technical Safety Activities Report,
              " Cooling Water System Makeup Water Requirements (For Safety Systems),"

December 1975

6. NUREG-0328, " Regulatory Licensing: Status Summary Report" (Pink Book),

Generic Issue 3-20. " Flood of Equipment Important to Safety (Generic)," April 1977

7. Olvision of Operating Reactors, 00R Technical Activities, Category A.

Item 15, " Flood of Equipment Important to Safety," April 1977 i San Onofre 1 SEP A-78 i

r TOPIC: IX-4 Boron Addition System (PWR) (1) Definition: Review the boron addition system (PWR), in particular with respect to boron precipitation during the long-term cooling mode of operation following a loss-of-coolant accident. (2) Safety Objective: To assure that boron precipitation will not impair the operability of valves or components in the boron adultion system which could compromise its capability to control core reactivity during the normal, transient, or emergency shutdown conditions or that would result in flow blockage through the core during the long-term core cooling mode following a loss-of-coolant accident. (3) Status: Operating PWR reactors, with the exception of the Combustion Engineering reactors, have been reviewed and found to be acceptable in regard to boron precipitation following a loss of coolant. There are still certain out-standing issues that need to be resolved on this issue for Combustion Engineering reactors. In regard to the precipitation of boron in the boron addition system in both BWRs and PWRs, certain older plants may not have Leon reviewed in sufficient detail to assure that system reliability is ad(quate. (4)

Reference:

Standard Review Plan, Section 9.3.4 TOPIC: IX-5 Ventilation Systems (1) Definition: Review the design and operation of ventilation systems whose function is to maintain a safe environment for plant personnel and engineered safety features equipment. For example, the function of the spent fuel pool area ventilation system is to provide ventilation in the spent fuel pool equip-ment areas, to permit personnel access, and to control airborne radioactivity in the area during normal operation, anticipated operational transients, and following postulated fuel handling accidents. The function of the engineered safety feature ventilation system is to provide a suitable and controlled environment for engineered safety feature components following certain anticipated transients and design basis accidents. (2) Safety Objective: To assure that the ventilation systems have the capability to provide a safe environment, under all modes of operation, for plant personnel (10 CFR Part 20) and for engineered safety features (for example, to assure that San Onofre 1 SEP A-79

the diesel room has redundant outside air intakes and removed from the exhaust discharge). (3) Status: The ventilation systems of plants under current review (construction permit and operating license applications) are currently evaluated in accordance with the Standard Review Plan. No specific issues or concerns have been identified for operating reactor plants. (4)

References:

Standard Review Plan, Sections 9.4.1 through 9.4.5 TOPIC: IX-6 Fire Protection (1) Definition: Review the fire protection program of operating reactor plants to determine whether improvements are required in accordance with the APCSB Technical Position 9.5-1, Appendix A (Reference 2). The fire protection program encompasses the components, procedures, and personnel utilized in carrying out all activities of fire protection and includes such things as fire prevention, detection, annunciation, control, confinement, suppression, extinguishment, administrative procedures, fire brigade organization, inspection and maintenance, training, quality assurance, and testing. The review includes such items as: (1) the use of insulation inside the containment and (2) the consequences of the inadvertent release of hydrogen into the plant. (2) Safety Objective: To assure that, in case of a fire within the plant, the integrity of the engineered safety features is not compromised and that the safe shutdown capability and control of the plant are not lost. (3) Status: A generic review of fire protection for operating plants is under way. All licensees were requested by letter (May 11, 1976) to submit an evaluation of their fire protection program for that plant in comparison with the APCSB Technical Position 9.5-1. Subsequently, in September 1976, the licensees were provided with Appendix A to the BTP 9.5-1 which presents acceptable alternatives for operating plants. (4)

References:

1. NUREG-0050, " Recommendations Related to Browns Ferry Fire," February 1976
2. Standard Review Plan, Branch Technical Position APCSB 9.5-1, Appendix A, " Guidelines for Fire Protection for Nuclear Power Plants Docketed Prior to July 1, 1976" San Onofre 1 SEP A-80

e I ! 3. Regulatory Guide 1.120, " Fire Protection Guidelines for Nuclear Power ! Plants"

4. NUREG-0328, " Regulatory Licensing: Status Summary Report" (Pink Book), Generic Issue 3-18, " Fire Protection," April 1977 l, 5. Division of Operating Reactors, 00R Technical Activities, Category A,

! Item 28,'" Fire Protection," April 1977

6. Division of Systems Safety, DSS Technical Activities, Category A, Item 32, " Fire Protection," April 1977
7. Letter from R. F. Fraley, ACRS, to L. V. Gossick,

Subject:

" Analysis of Systems Interactions - Item 6," November 1, 1976 TOPIC:       X Aux.iliary Feedwater System (1) Definition:

Review the auxiliary feedwater system, associated instrumentation, and connection between redundant systems. The review includes the aspects of pump drive and power supply diversity (for example, electrical and steam-driven sources), and the water supply sources for the auxiliary feedwater system. (2) Safety Objective: To assure that the auxiliary feedwater system can provide an adequate supply of cooling water to the steam generators for decay heat removal in the event of a loss of all main feedwater. Older PWR plants may not meet the requirement for pump drive and power supply diversity. (3) Status: Reviews for new license applications are performed in accordance with the Standard Review Plan. This topic is not under active review for operating plants. (4)

References:

1. Standard Review Plan, Section 10.4.9
2. Standard Review Plan, Branch Technical Position APCSB 10-1, " Design Guidelines for Auxiliary Feedwater System Pump Drive and Power Supply Diversity for PWR Plants" (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic):

TMI Action Plan Task II.E.1.1, " Auxiliary Feedwater System Evaluation" (NUREG-0660) i The TMI-2 accident and subsequent investigations and studies high-I lighted the importance of the auxiliary feedwater (AFW) system in the mitigation of severe transients and accidents. Since then, the AFW systems have come under close scrutiny by the NRC and many improvements have been recommended to enhance the reliability of AFW . systems for all plants. The scope of the review outlined in the SEP San Onofre 1 SEP A-81 _. .. . . . . . . . . . .. . . . I

Topic X definition is identical to the scope of NUREG-0737, "Clarifi-cation of TMI Action Plan Requirements," Item II.E.1.1(2), which requires that each PWR plant licensee: Perform a deterministic review of the AFW system using the acceptance criteria of Standard Review Plan Section 10.4.9 and associated Branch Technical Position ASB 10-1 as principal guidance. The review criteria for the evaluations required by Item II.E.1.1(2) are identical to SEP Topic X; therefore, this SEP topic has been deleted. TOPIC: XI-1 Appendix I (1) Definition: A generic review of all operating plants to determine their capability to comply with Appendix I, 10 CFR 50, and to prevent explosions in the gaseous l radwaste system is currently underway. (2) Safety Objective: To provide assurance that radioactive gaseous effluents from the facility can be kept "as low as reasonably achievable" as defined in Appendix I, 10 CFR Part 50, and to assure adequate control of the mixture of gases in the gaseous radwaste system to prevent explosions. (3) Status: A generic review of all operating reactors (0Rs) for their capability to conform with Appendix I, 10 CFR Part 50, is currently under way by the Division of Site Safety and Environmental Analysis. Upon the completion of this review, new gaseous and liquid radiological effluent and monitoring Technical Specifications will be issued to all ors. This will include new Technical Specifications on gaseous radwaste systems which may contain explosive gas mixtures to meet present criteria. The estimated completion - date of this review is 1979. (4)

References:

1. 10 CFR Part 20
2. 10 CFR Part 50, Appendix I
3. 10 CFR Part 50, Appendix A
4. 10 CFR Part 50, Appendix A, GDC 60, 61, 63, and 64
5. Standard Review Plan, Section 11.3 (5) Basis for Deletion Topic XI-1 is being resolved by the following NRR generic topics: (a)

A-02, " Appendix I" and (b) B-35, " Confirmation of Appendix I Models." Resolution of these two generic topics will primarily result in Technical Specification changes and may require some minor hardware changes. At San Onofre 1 SEP A-82

-mammenmum -- I present, nothing more than the addition of monitoring instrumentation is foreseen. The implementation of Appendix I will, therefore, not affect the integrated assessment for SEP plants. In addition, the implementation of Appendix I will result in limiting conditions for operation to assist licensees in keeping the amount of l radioactive material released in effluents to unrestricted areas as low as is reasonably achievable. Since licensees are currently restricted in the types and amounts of effluents they can release, implementation of additional restrictions on releases should not impact operation of the plant. Based on the above, Topic XI-1 has been deleted from the SEP program. TOPIC: XI-2 Radiological (Effluent and Process) Monitoring Systems (1) Definition: Onsite radiological monitoring systems are used to: (a) Assess the proper functioning of the process and waste treatment systems, (b) Assure that radioactive releases do not exceed the appropriate guidelines, and (c) Measure actual releases to evaluate their environmental impact. There is concern about the adequacy of radiation monitoring systems. A survey of 12 plants has been initiated. The results of this survey will j indicate whether this area needs to be reviewed for all operating plants. Re-review would include the monitor's sensitivity, range, location, and calibration techniques. (2) Safety Objective: To provide reasonable assurance that the licensee adequately monitors the releases of radioactive materials in liquid and gaseous effluent and that the releases are properly restricted. To provide assurance that the licensee adequately monitors the operation of equipment that contains or may contain radioactive material. (3) Status: A technical assistance program has been initiated at Brookhaven National Laboratory with the scope including the above safety objectives. (4)

References:

1. 10 CFR Part 20, Section 20.106 l 2. 10 CFR Part 50, Section 50.36a l 3. 10 CFR Part 50, Appendix A, GDC 60, 61, 63, and 64
4. 10 CFR Part 50, Appendix I
5. Standard Review Plan, Section 11.5 San Onofre 1 SEP , A-83 l

l r (5)- Basis for Deletion Topic XI-2 is being resolved by the following NRR generic topics: (a) A-02, 

         " Appendix I" and (b) B-67, " Effluent and Process Monitoring Instrumenta-tion." A-02 is. discussed in Topic XI-1.        Generic item B-67 was subdivided
        -into four subtasks. The staff believes that events'since the inception of B-67 have largely, addressed the identified concerns or changed its thinking in regard to their safety significance.        The description and bases for
        ' deletion of each subtask are presented below.

Subtask 1: Monitoring of Radioactive Materials Released in Effluents 

       -Item III.D.2.1, Radiological Monitoring of Effluents ' requires an NRR evaluation of modifying effluent monitoring design criteria based on-TMI-2 and their experiences.
                                                                ~

Item II.F.1(1), Noble Gas Effluent Monitor of Clarification of the TMI Action Plan Requirements (NUREG-0737) is being implemented to require ade-quate monitoring capability during accident conditions. Subtask 2: Control'of Radioactive Materials Released in Effluents l l The purpose of this subtask was to review plant operating histories and prepare NUREG reports documenting the evaluations and recommending solu-tions to identified problems, i I~ Various staff actions since 1978 (including NUREG reports and IE Bulletins) have resulted in the staff conclusion that no continuing need for addi-tional staff guidance exists. Subtask 3: Effects of Accidental Liquid Releases on Nearby Water Supplies The purpose of this task was to perform a generic analysis of the conse-quences of liquid tank failures for those plants which received their license prior to issuance of the Standard Review Plan (SRP). Experience in performing SRP analyses for newer plants has indicated that 

         -it is highly unlikely that radioactive concentrations in the nearest potable water supply could exceed 10 CFR Part 20 values.

Subtask 4: Performance of Solid Waste Systems The purpose of subtask 4 war to perform an-industry-wide survey to deter- l mine the extent to which power plants could process wastes and to develop plans for' upgrading existing systems or adding new' systems. The NRC position relative to a requirement for an operable installed solid , radwaste system has changed and, therefore, this subtask is no longer- ) appropriate. For the above reasons, Issue B-67 is being deleted from the NRR list of l generic issues. Since-Issue B-67 is being deleted, only Generic Issue l A-02, " Appendix I" is appropriate to this topic. 

  ' San'.Onofre 1 SEP                              A-84 I

The resolution of I* sue A-02 is described in the Basis for Deletion for Topic XI-1. Topic XI-2 is being deleted from the SEP program for the same reasons. TOPIC: XIII-l ' Conduct of Operations (1) Definition: The organization, administrative controls, and operating experience will be reviewed. The existing organization and administrative controls will be compared with Standard Technical-Specifications and guidance provided in Regulatory Guides 1.8 and 1.33 to determine the adequacy of the staff to protect the plant and to operate safely in routine, emergency, and long-term postaccident circumstances. The plant operating history will be reviewed to assess the combinat;on of staff, operating controls and alarms, and administrative controls, in particular plant procedures, emergency planning, and offsite preparedness, to determine whether additional staff, qualifications, or administrative controls will be required for continued safe operation. (2) Safety Objective: To obtain reasonable assurance that the plant has enough people, with sufficient training and experience, and has administrative controls adequate to specify proper operation in routine, emergency, and postaccident conditions. (3) Status: Most of the older plants have staff members that meet the experience and educational requirements given in ANSI N18.1-1971 (endorsed by Regulatory Guide 1.8); however, a comparison against current criteria for the composite staff has not been made. These plants have provided training for subsequent plant staffs,-and plant experience has, in general,-demonstrated safe design and operation. Operating experience review is ongoing, and has been, in general, favorable. However, an analysis of this experience for trends, common elements, and potential hidden problems has not been systematically performed. A review of Section VI of operating reactor licensees' Technical Specifica-tions was begun in 1974 using Section VI of the Standard Technical Specifi-cations (STS) as a model. As of September 1975, these reviews had been completed and the plants licensed prior to this time had been found to: (1) be acceptable and upgrading was not required, (2) require upgrading of only the reporting requirements, or (3) require improvement to be comparable-to the STS-mo' del. Plants licensed after Se'ptember 1975 have been reviewed against the STS model. Further review of Section VI, 

              ~

therefore, will not be required. Emergency plans submitted at the operating-license stage complied with 10 CFR 50, Appendix E, 1970; however, these plans are not consistent with the guidance given in new Regulatory Guide 1.101, Revision 1,1977. 

 -San Onofre 1 SEP                        A-85

                                                                  - .-          .~ -   .. -     .-.-_-w.              --.     ~.

g ~. t s 

                            -(4)

References:

s

1. :Regul'atory Guides f 1.8,r" Personnel Selection and_ Training" 1.33, " Quality Assurance Program Requirements (Operations)"
                                      ; 2. - -American_ National' Standards Institute, ANSI _N18.1-1971, " Selection
and Training'of Nuclear. Power Plant Personnel"
3. American. National Standards In'stitute,' ANSI N18.7-1972 Revised,
                                              '" Administrative Controls and Quality Assurance ~ for the Operational .

Phase of Nuclear Power Plants": 

                                                                       ~
     <                                 -4;      Standard Technical Specifications, Section VI
5. 10 CFR Part 50, : Appendix: E- ,
                            ,          '6.    ' Regulatory Guide 1.101, Rev.'1,-:" Emergency Planning-for' Nuclear Power' Plants":

7.- Standard Review Plan, Section 13.3 .- i 

                   .                  - 8.    : NUREG 75/111, " Guide and. Checklist for Development and Evaluation of State:and Local: Government Radiological Emergency Response Plans In Support of Fixed Nuclear Facilities," October 1975-                       <
9. Environmental Protection Agency, " EPA' Manual of Protective Action Guides _and Protective Action for Nuclear Incidents," September 1975
10. -Memorandum'of Understanding, NRR and Office of State Programs on State an'd Local Preparedness, March'10, 1977 (5)L Basis for Deletion (Related TMI Task,-'USI, or Other SEP Topic):  :

J(a)l?TMI Action Plan 1 Task-I.C.6, "ProceduresEfor-Verification of-Correct t Performance of Operating Activities,"-(NUREG-0737)  ; Undet TMI1 Task I.C.6,'aireview of licensee procedur.es will be con-: ducted to' assure that an effective system-of v'erifying.the correct performance of operating activities exists. The purpose of this review is to provide a means of reducing human errors and improving the quality of normal, operation. References cited.for thistreview 

     +

are ANSI Standard-N18.7-1972 (ANS:3.2), " Administrative Controls and . Quality ' Assurancei for the Operational: Phase' of Nuclear. Power Plants," ~ t and Regulatory Guide 1.'33, " Quality _ Assurance Program Requirements 

        ~

(Operations)."- These are the'same references cited for Topic XIII-1. 

                                                                                              ~

(b) TMI~ Action Plan Task III.A.1, " Improve Licensee Emergency Prepared p  : ness - Short-Term," and Task III.A.2, " Improving Licensee Emergency [. Preparedness - Long-Term"-(NUREG-0660 and-NUREG-0737) b Under Task III.A.1, a review of 10 CFR Part 50, Appendix E.backfit L , ' requirements.is being' conducted in accordance with NUREG-0654, f - 

                                                " Criteria for Preparation and Evaluation of Radiological Emergency L                                                Response Plansand Preparedness in Support of Nuclear Power Plants."
                                              -The scope of NUREG-0654 covers-Standard Review Plan,-Section 13.3,z and NOREG 75/111.

Ll l - D Regulatory Guide 1.101 has been deleted and has been superseded by an' amended Appendix E to 10 CFR Part 50 (45 FR 55410, August 19, 

                                              '1980). Under Task III.A.2, a-review of licensee's emergency prepa-Eredness plans with respect to amended Appendix E will be conducted
                                              .in accordance with NUREG-0654.

I4: L ' SanOnofre1[SEPL A-86 V- . yq --

The evaluations required by TMI Tasks I.C.6, III.A.1, and III.A.2 are identical to SEP Topic.XIII-1; therefore, this SEP topic has been deleted. TOPIC: XIII-2 Safeguards / Industrial Security 

 '(1) Definition:

Industrial security will be included under the scope of the operations review. Design features to assess the plant's capability to prevent sabotage and protect the operating unit (s) at dual or three-unit sites with unit (s) under construction will be included. -Protective measures will be balanced against the sabotage threat. Fuel accountability will also be reviewed to assure that adequate inventory control procedures exist and the required' records are kept. (2) Safety Objective: 

        'To determine that the plant has adequate security forces, design features, procedures and plans, and other administrative controls to meet the postu-l lated sabotage threat. To assure that the fuel is adequately accounted for, that proper records are maintained, and the required reports are made.

_(3) Status: Each licensee currently has a security program and a fuel accountability program. Revised 10 CFR 73.55 has been published and submittals in accord-ance with its provisions were due May 25, 1977. These submittals are currently being evaluated. 

 .(4)

References:

1. 10 CFR Part 70
       ' 2. 10'CFR Part 73
3. Standard Technical Specifications, Section VI
 ' TOPIC:    XV-1. Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve (1) Definition:

Review the assumptions, calculational models used and consequences of postulated accidents which involve an unplanned increase in heat removal. An excessive heat ~ removal, that is, a heat removal rate in excess of the heat generation rate in the core,.causes a decrease in moderator tempera-ture which increases core reactivity and-can lead to a power level increase - and a decrease in shutdown margin. If clad failure is calculated to occur, determine that offsite dose consequences are acceptable. (2) Safety Objective:

  • To assure that pressures-in the reactor coolant and main steam systems are limited in order to protect the reactor coolant pressure boundary from San _Onofre_1 SEP. A-87

overpressurization and that fuel rod cladding failure as a result of departure from nucleate boiling ratio _is limited. 

   - (3) Status:                                                                         ,

During each reload review by the staff, the previously determined limiting transient is reviewed to determine if new core parameters are more restric-tive'than the reference analysis parameter values. (4)

References:

Standard Review Plan, Sections 15.1.1 through 15.1.4 

   - TOPIC:   XV-2 Spectrum.of Steam System Piping Fail'ures Inside and Outside of Containment (PWR)

(1) Definition: Review the assumptions, including use of nonsafety grade equipment and concurrent steam-generator or tube failure or blowdown of more than one steam generator, calculational models used, and consequences of postulated accidents which cause an increase in steam flow. The excessive steam flow reduces system temperature and pressure which increases core reactivity and can lead to a decrease of shutdown margin and departure from nucleate boiling ratio. (2) Safety Objective: To assure that (1) pressure in the reactor coolant and main steam lines is limited in order to protect the reactor coolant pressure boundary from overpressurization, (2) fuel damage is sufficiently limited so that the core will remain in place and intact with no loss of core. cooling capability, (3) doses at the nearest exclusion area boundary are a small fraction of 10 CFR Part 100 guidelines, (4) ambient' conditions do not exceed equipment qualification conditions (particularly nonsafety grade equipment used to mitigate the accident), (5) the-thermal and stress transients do not damage the reactor vessel, and (6) systems'necessary for safe shutdown are not damaged by the accident. (3) Status: Investigation of the effects of high-energy line failures-outside containment on other equipment was initiated as a generic issue in 1971 and all but a few facilities have been completed. New acceptance criteria have evolved during the review period. There was no similar investigation for failures inside containment. No reviews on operating plants of the effects on the reactor of concurrent steam generator or tube failure, or of blowdown of more than one steam generator have been performed. (4)

Reference:

 ;        Standard Review Plan, Section 15.1.5 San Onofre 1 SEP                        A-88 m

   -TOPIC:     XV-3 Loss of Externsi Lord, Turbine Trip, Loss of Cond nser Vacuum,. Closure of Main Steam Isolation Valve (BWR), and Steam Pressure Regulatory Failure (Closed)

(1)- Definition: 

          . Review the assumptions, calculational models used, and consequences of postulated accidents which involve a decrease in secondary heat removal.

The decrease in heat removal causes a suddent increase in system pressure and temperature. (2) Safety Objective: 

          -To assure that pressure in the reactor coolant and main steam systems is limited in order to protect the reactor coolant pressure boundary from overpressurization and that thermal margin for fuel integrity is maintained.

(3) Status: The consequences associated with these transients are compared during each reload review to the consequences found to be acceptable during previous reload. reviews. 

    '(4)

References:

Standard Review Plan, Sections 15.2.1 through 15.2.5 TOPIC: XV-4 Loss of Nonemergency AC Power to the Station Auxiliaries 

   -(1) Definition:
         ' Review the assumptions, calculational models used, and consequences of postulated accidents which involve the loss of nonemergency ac power (loss of offsite power or onsite ac distribution system) to station
                              ~

auxiliaries (for example, reactor coolant circulation pumps). This power loss will, within a few seconds, cause the turbine to trip and reactor coolant system to be isolated, which in turn causes the coolant pressure x ;and temperature to increase. (2) Safety Objective: To assure that the pressure in the reactor coolant and main steam systems i is limited in order to protect the reactor coolant pressure boundary from overpressurization and that thermal margin for fuel integrity is maintained. (3) Status: During each reload review by the staff, the previously determined limiting transientzis reviewed to determine if new core parameters are more restrictive than the reference analysis parameter values. 

    '(4)~

Reference:

Standard Review Plan, Section 15.2.6 San Onofre 1'SEP A-89

TOPIC: XV-5 ~ Loss of Normal Feedwater Flow (1) Definition: Review ttEassumptions, calculational models used, rid ' consequences of the postulated loss of feedwater flow accidents, which cause an increase in coolant pressure and temperature. l (2) Safety Objective: l To assure that pressure in the reactor coolant and main steam systems is limited-in order to protect the reactor coulant pressure boundary from 

        ~ overpressurization and that thermal margin _ for fuel integrity is maintained.

(3) Status: The consequences. associated with these transients are compared during each reload review to the consequences found to be acceptable during previous reload reviews. 

 ~(4)

Reference:

        . Standard Review Plan, Section 15.2.7 TOPIC:    XV-6 Feedwater System Pipe Breaks Inside and Outside Containment (PWR)

'(1) Definition: ~ Review the assumptions, calculational models used, and consequences of postulated accidents which involve feedwater line breaks of different sizes. A feedwater line break, depending on size, may cause reactor system heatup (by reducing feedwater flow.to the steam generator), or cooldown (by excessive energy discharge through the break). 

  .(2) Safety Objective:

To assure that pressure in the reactor coolant and main steam systems is limited in order to protect the reactor coolant pressure boundary from overpressurization and that thermal margin for fuel integrity is maintained and that any radioactivity release would result in doses at the site boundary well within 10 CFR Part 100 guidelines. (3). Status: The identification of the most limiting transients and the consequences I associated with these transients is evaluated during each reload review by the staff. _(4)

Reference:

Standard Review Plan, Section 15.2.8 

 -San Onofre'l SEP                          A-90

I TOPIC: XV-7 Reactor Ccolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break (1) Definition: Review the assumptions, calculational models, and consequences of seizure 

          .of the rotor or break of the shaft of a reactor coolant pump in a PWR or recirculation pump in a BWR. These accidents result in a sudden decrease in core coolant flow and corresponding degradation of core heat transfer and, in a PWR, an increase in primary system pressure. If clad failure
          -is calculated, determine that offsite consequences are acceptable.

(2) Safety' Objective: To assure that the consequences of a reactor coolant pump rotor seizure or reactor coolant pump shaft break are acceptable; that is, that no more than a small fraction of the fuel rods fail, that the radiological con-sequences are a small fraction of 10 CFR Part 100 guidelines, and that the system pressure is limited in order to protect the reactor coolant pressure boundary from overpressurization. (3) Status: Reviewed during each reload only if there is reason to believe that results would be different from the reference analysis; that is, only if a change _in core parameters invalidates previous analyses. (4)

Reference:

Standard Review Plan, Section 15.3.3 TOPIC: XV-8 Control Rod Misoperation (System Malfunction or Operator Error)* (1) Definition: Review the licensee's description of rod position, flux, pressure, and temperature indication systems and the actions initiated by those systems which can mitigate the effects or prevent the occurrence of various mis-operations. Review the descriptions of the input calculations and the calculational mcdels used and the justification of their validity and adequacy. .A transient of this type can result in achieving fuel melt temperatures and potential fuel damage. (2) . Safety Objective: To assure that the consequences of this event do not exceed specified fuel design limits and that the protection system action be initiated automatically.

  • Reviewed for PWRs only; Standard Review Plan, Sections 15.4.1 and 15.4.2 cover BWRs and no additional areas considered.

San Onofre 1 SEP A-91

(3) Status:

Reviewed during reload, Technical Specifications revised to compensate for changes in analytical results. -(4) Referer.ce: Star.dard Review Plan, Section 15.4.3 TOPIC: XV-9 Startup of an Inactive Loop or Recirculation Loop at _an i Incorrect. Temperature, and Flow Controller Malfunction-Causing an Increase in BWR Core Flow Rate-(1) Definition: Review BWRs for (1) startup of an idle recirculation pump and (2) a flow l controller malfunction causing increased recirculation flow. Review PWRs with. loop isolation valvesLfor.startup of a pump in an initially isolated inactive reactor coolant loop where the rate of flow increase is limited by the rate at which isolation valves open. For PWRs without loop isolation-valves, review startup of a pump'in any inactive loop. If clad failures are calculated, determine that offsite consequences are acceptable. (2) Safety Objective: To verify that the_ plant responds in such a way that the criteria regarding fuel damage and system pressure are met (that is, no more than.a small fraction of the fuel rods fail, that radiological consequences are a small fraction of 10 CFR Part 100 guidelines, and that the system pressure is. limited in order to protect the reactor coolant pressure boundary from-overpressurization.) -(3) Status: PWRs reviewed against the final safety analysis report, BWR reviewed at each reload, Technical Specifications required to preclude exceeding safety limits during transients. (4)

Reference:

Standard Review Plan, Sections 15.4.4 and 15.4.5 TOPIC: XV-10 Chemical 'and Volume Control System Malfunction That Results in a Decrease in Boron Concentration in the Reactor Coolant (PWR) -(1) Definition: 

     -Review the assumptions,_ calculational models used, and consequences of moderator dilution. An accident of this type could      result in a departure from nucleate boiling and a loss of shutdown margin.

San Onofre 1 SEP A-92

m . 

  ' y.7   s 4
               -:(2)~JSafety Objective:
                                                          ~

JTo confirm that the plant responds to the events in such a way-that the criteria regarding fuel . damage and system pressure are met and adequate 

                         ' time-allowed ~for the operator to terminate-the dilution before the~ shut-
                        -down. margin =is reduced. ::(Reactor coolant pressure and main steam pres-
                        ~ sure should be limited Lin order to protect =the reactor coolant pressure
                       . boundary from overpressurization.~) (Operator action;must'be initiated
                       -within 30 minutes following this event if refueling,' and within'15 minutes
during other modes'of operation.)
               .(3) Statusi

! 10nly reviewed'during initial operating-license review and not-thereafter. E a -The. consequences may'not have.been calculated in accordance'with current 

                        . practice.
               .(4) Reference-g                       . Standard Review Plan, Section-15.4.6 UTOPIC-          XV-11 Inadvertent Loading and Operation of a Fuel Assembly
                                      'in an Improper Position (BWR)                                         ,

y L(1) Definition: Review'the' spectrum of misloading events analyzed to verify that the worst- 

                                                                        ~
  &                  . situation undetectable.by incore instrumentation has b<.en identified.
                       ;This review will include an assessment of the plant's affgas;and steam
                                                                    ~

line radiation monitors to detect fue1 damage and.thei capability to 

                         ' automatically isolate the offgas system when necessary.
                                                                      ~

(2) . Safety Objective: To assure that a misloaded assembly is detected and if undetected will-not_ result in exceeding fuel safety limits or radioactive releases. ((3) ~ - Status: 

                       ; Reviewed during reloads, Technical Specifications developed to limit ~ con-sequences of worst misloaded assembly to small fraction of 10 CFR Part 100 guidelines. . Technical. Specifications setpoints.for radiation monitors alarm / isolation signals have been found deficient and have been updated on a case-by-case basis for several plants.
                                                  ~

(4)

Reference:

Standard Review Plan, Section 15.4.7 TOPIC: XV-12 Spectrum of Rod Ejection Accidents (PWR) - 

               -(1)~ Definition:

Review the assumptions, calculational models used, and consequences, 

                        -including radiological consequences, of PWR control rod ejection accidents,
San'Onofrel1 SEP A-93

and review the Technical Specifications regarding control of reactivity worth and technical . specifications on primary to secondary leakage. Ejec-tion of a control element assembly from the core can occur if the control element. drive mechanism housing or the nozzle on the reactor vessel head breaks off.circumferentially. The ejection of a control element assembly by the reactor coolant system pressure can cause a severe reactivity excur-sion. This accident may result in high doses for those plants where fuel failures are postulated _to occur as a result of the-accident. This accident ' usually determines the maximum allowable steam generator leak rate. (2) Safety Objective: To ensure that if a control element assembly ejection occurs, core damage is-minimal, no additional reactor coolant pressure boundary failures occur, the calculated radial average energy density is limited to 280 cals/gm at any axial fuel location in any fuel rod, and that the radiological conse-quences will not exceed appropriate limits. (3) Status: Releases through the containment ar:d/or steam generator leaks are analyzed for current plants, but were not reviewed routinely for older plants. -Many of the operating plants have'no leak Technical Specifications or they are excessively high. During each reload by the staff, the previously-determined limiting transient is reviewed to determine if the new ejected rod worth is more restrictive than the reference analysis values. (4) .

References:

1. [ Standard Review Plan, Section 15.4.8
2. Regulatory Guide 1.77, " Assumptions Used for Evaluating a Control
                . Rod Ejection Accident for Pressurized Water Reactors" TOPIC:     XV-13 Spectrum of Rod Drop Accidents (BWR)

(1) Definition: Review the assumptions, calculational models used, and consequences of BWR control rod drop accidents and review the Technical Specifications regarding control of rod activity worth. An uncoupled rod may hang up in the core when the control rod drive is withdrawn and drop later when the consequences 

         ~o f a rapid control rod withdrawal are most severe. An analysis of the radiological consequences from this accident will be included.

(2) Safety Objective: To' limit the effects of a postulated control rod drop to the extent that _-reactor coolant pressure boundary stresses are not exceeded and core damage is minimal. To assure that the radial average fuel rod enthalpy at any axial location in any fuel rod is limited to less than 280 cals/gm follow-ing the worst reactivity excursion and to assure that the radiological 

         -consequences do not exceed appropriate guidelines.

l San Onofre 1 SEP A-94 b

(3) Status: The potential for and reactivity consequences of an accidental control rod drop are now routinely evaluated prior to issuance of an operating license and.any time thereafter when changes could affect the accident results or probability of occurrence. Radiological consequences may not have been calculated in accordance with present practice. (4) .

Reference:

Standard Review Plan, Section 15.4.9 TOPIC: XV-14 Inadvertent Operation of Emergency Core Cooling System and Chemical and Volume Control System Malfunction That 

                   -Increases Reactor Coolant Inventory (1) Definition:

Review the assumptions, calculational models used, and consequences'of actuation of the high pressure coolant injection system or faulty operation of the volume control system. The chemical and volume _ control system regulates both the chemistry and the quantity of coolant in the reactor coolant system. Changing the boron concentration in the reactor coolant system is a part of normal plant operation, compensating for long-term reactivity effects. Actuation of these systems could increase the volume of coolant within the reactor coolant pressure boundary (RCPB) causing a high water level, possible high power level, and high or low pressure. If clad failure is calculated, determine that offsite consequences are acceptable. (2) Safety Objective: To assure that water added to the RCPB does not cause transients that exceed RCPB pressure limits or result in unacceptable fuel damage. ~No activity is released during the transient, but the transient may subsequently result in increased radioacti,vity in gaseous releases during normal operation. _(3) Status: This transient is now routinely analyzed prior to issuance of an operating license and any time thereafter when proposed changes would affect the transient resmits. Radiological consequences may not have been calculated in accordance with current practice. (4)

Reference:

Standard Review Plar., Section 15.5.1 TOPIC: XV-15 Inadvertent Opening of a PWR Pressurizer Safety / Relief Valve or a BWR Safety / Relief Valve (1) Definition: Revi,ew the assumptions, calculational models used, and consequences of inadvertent opening of a PWR pressurizer safety / relief valve or a BWR San Onofre 1 SEP A-95

p 1 safety / relief valve.- Loss of reactor coolant inventory and depressurizing action of the reactor coolant-system can occur if the PWR pressurizer

  • safety / relief valve or the BWR safety / relief valves open spuriously, or open when required but fail to reclose properly.

(2) Safety Objective: To preserve fuel cladding integrity during reactor coolant system depres-surization transients resulting from faulty operation of a relief or safety valve while at rated power. (3) Status: " l The transient is now evaluated prior to issuance of an operating license - and any time thereafter when proposed changes could affect the transient results. 

   .(4)

References:

1. Standard Review Plan, Section 15.5.1
2. Regulatory Guide'1.70, " Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants"
   -TOPIC:     XV-16 Radiological Consequences of Failure of Small Lines Carrying Primary Coolant Outside Containment
   -(1) Definition:
         . Review the assumption, calculational models used, and radiological conse-quences of failure of small lines carrying primary coolant outside con-
         -tainment and review the Technical Specifications associated with primary coolant radioactivity concentrations, isolation valve closure times, and isolation valve leakage limits. In the event of a rupture of any component.

in the instrument-lines outside primary containment, primary coolant and any radioactivity contained in the coolant or released to the coolant 

          'during the transient will be released if the instrument lines are connected to the reactor coolant pressure boundary. Primary coolant sample lines if broken outside primary containment can also allow coolant and radioactivity in the coolant to escape in the same manner. When these lines discharge to secondary containment, the integrity of the' secondary containment and the efficiency of the filtration systems must be determined.

(2) Safety Objective: To assure that any release of radioactivity to the environment is substan-tially below the guidelines of 10 CFR 100. (3) Status: The radiological consequences of small line breaks outside of primary con-tainment have been evaluated routinely since 1970 prior to issuance of operating licenses, but have not always included the effects of iodine spikes during the depressurization transient. San Onofre 1 SEP A-96 

 +d y__           c                        -
                    '(4)

References:

1.  ; Regulatory Guide 1.11, " Instrument Lines Penetrating. Primary Reactor
                                         . Containment"
2. ;10 CFR.Part 50,. Appendix A,' GDC:55.and 56
3. ' Standard Review Plan,.Section 15.6.2
                    . . TOPIC: 4 XV-17 : Radiological Consequences .of. Steam Generator = Tube Failure (PWR)

O(1) ' Definition: Review.the ass'umptions, calculational models used, and.conseque'nces'of a steam generator tube failure with and without loss of offsite power and review the Technical Specifications' associated with coolant activity con-centrations. Steam generator tube failures allow escape of reactor coolant into the' main steam system and to the environment. An analysis of the radiological consequences of this accident will be included. (2) LSafety Objective: 

                               'To4assurethdt4theplantrespondsinapropermanner.to-thisaccident, sincluding appropriate' operator actions, and to as'sure that radioactivityL released.following steam generator. tube failure (s) is a~small fraction of                                                             .
the 10 CFR -100 guidelines and within 10 CFR 100 for the case of a coincident
iodine spike.. ,
                                                   *~

1(3) . Status: 

                               -The iodine release mechanism may not have been' analyzed in accordance with present' assumptions and methods for some of the older PWRs. Some'operat-ing plants do not have iodine activity limits in their Technical Speci-ifications or have. inappropriately high limits.

(4) !

References:

1. Standard Review Plan,:Section 15.6.3 y 2. Regulatory Guide 1.5,." Assumptions Used for Evaluating the Potential Radiological' Consequences ~of a Steam Line Break: Accident-for Boiling Water Reactors'!

TOPIC: XV-18 ' Radiological Consequences:of Main Steam Line Failure 

                                                .0utside Containment
                       '(1) 1    Definition:
                             ' Review.the assumptions, calculational models used, and consequences of failure of a main ~ steam line outside containment and review the Technical-H
                                ; Specifications l associated with primary coolant activity concentrations
                               !and main steam isolation valve closure times.

, .(2) . Safety Objective: L 

                                -A: steam.line break outside containment allows ' radioactivity to escape to the environment.           To limit the-release of radioactivity to the environment L

San'Onofre(1.SEP- A m 

       ^
         , ,     ;'~        u ..               ,..._.a     -      . . _ , . - - , _ _ _ . . . _ . . _ . _ _ _ _ _ _ _ _ . - . _ . _ ~ . ~ . . _                        -

y " 

                                                     \

to'well within the: guidelines'of 10 CFR 100 in the-event.of a large. steam. 

   ~_

line' break,-the primary coolant radioactivity must be appropriately limited by' Technical Specifications. 

                                      ~

L(3)I St'atus: 

 -                                Some operating plants'do not have appropriate coolant activity Technical
Specifications.

2 -(4) :

Reference:

Standard Review Plan, Section'15.6.4 

                                          ~
                                                                 ~
                         ~ TOPIC:- XV-19 Loss-of-Coolant Accidents Resulting From: Spectrum of Postulated Piping Breaks Within the Reactor Coolant
                                                ' Pressure Boundary-
                           .(1); Definition:

0 ~ Review the.Ifcensee's analyses of the spectrum'of. loss-of-coolant accidents n _(LOCAs) including' break locations, break sizes,-and. initial conditions assumed, the evaluation model.used, failure modes, radiological-conse- 

                                 .quences,; acceptability of auxiliary systems, functional capability of the
                                 . containment', and the effects of blowdown loads. LOCAs are postulated-p                                    breakslin the; reactor coolant pressure boundary resulting_in a loss of
                                 ? reactor coolant at a rate in excess of the capability of the reactor cool-ant makeup system. LOCAs result in excessive fuel damage or-melt unless coolant is replenished.

(2)_ Safety Objective: t n. .To assure.that the consequences of loss-of-coolant accidents are accept-able; that is, that,the requirements of 10 CFR 50.46 and Appendix K to c '10 CFR 50 are met, that the radiological consequences of a design basis i- loss-of-coolant. accident from containment leakage and the radiological consequences of leakage from engineered safety features outside. containment

are.~ acceptable, and the structural-effects of. blowdown are acceptable.

. (3)~ Status: l' !: . Emergency core _ cooling system (ECCS)' evaluation _is a generic item which is currently.under review or is complete for all-operating reactors P (La, Crosse and San Onofre have stainless steel cores and have analyses completed' to -show conformance with the Interim Acceptance Criteria). Related' generic items currently.under review are reevaluations for increased vessel head fluid. temperatures _in W.PWRs, effects of core flow 

                                 ,on BWR.LOCA analyses, GE ECCS input errors, and non-jet pump BWR core
       ^                          : spray' cooling- coef ficients. Radiological consequences are not routinely rereviewed.

(4).

Reference:

                                  .StandaEd Review Plan, Section 15.6.5 and its Appendices

[ San Onofre 1 SEP- A-98 f

g. -

TOPIC: XV-20 Radiological Consequences of Fuel-Damaging Accidents (Inside and Outside Containment) '(1)' Definition: Review the assumptions, calculational models used, and consequences of postulated fuel damaging accidents inside and outside containment and review Technical Specifications associated with fuel handling-and ventilation system and filter systems, including interlocks .on fuel movement and damage from fuel cask drop and tipping. Include in the review the assumed activity available for release, decontamination factors, filter efficiencies, activity transport mechanisms and rates, ventilation system potential release pathways, and calculated doses. (2) Safety Objective: To. assure that offsite doses resulting from fuel damaging accidents, resulting from fuel handling, or dropping a heavy load on fuel are well within the guideline values of 10 CFR Part 100. (3) Status: The radiological consequences of fuel handling accidents inside contain-ment are currently being performed as a generic review for PWRs. The radiological.ccnsequences of fuel damaging accidents outside containment of operating plants are only evaluated if Technical Specifications are reviewed. (4)

References:

1. Standard Review Plan, Section 15.7.4
2. Regulatory Guide 1.25, " Assumptions Used for Evaluating the Poten-tial Radiological Consequences of a Fuel Handling Accident in the Fuel Handling and Storage Facility for Boiling and Pressurized Water Reactors" TOPIC: XV-21 Spent Fuel Cask Drop Accidents (1)~ Definition:

Review the potential for spent fuel cask drops, the damage which could result from cask drops, and the radiological consequences of a cask drop from fuel damaged within the cask under conditions exceeding the design basis impact on the cask. (2) Safety Objective: 

     -To assure that the damage to fuel within the casks and radiological consequences resulting from a cask drop are acceptable or that acceptable measures have been taken to preclude cask drops.

San Onofre 1 SEP A-99 

     ~(3) St'atus:

Fuel cask' drop analysis is a generic item which has been completed.on some plants or is currently under review for all other operating reactors. (4) ;

References:

1. Standard. Review Plan, Section 15.7.4
2. ~ Regulatory Guide.l.25 " Assumptions Used for Evaluating the Potential Radiological Consequences of a Fuel Handling Accident in the Fuel Handling and Storage Facility for Boiling and Pressurized Water Reactors"
3. NUREG-0328, " Regulatory Licensing: Status Summary Report" (Pink Book)

(5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic): 

                  .USI A-36, " Control of Heavy Loads Near Spent-Fuel" (NUREG-0649)

The review criteria required by USI A-36 (Standard Review Plan, Section 15.7.5) are identical to the review criteria specified in the References of SEP Topic IX-2; therefore, this SEP topic has been deleted. TOPIC: XV-22 Anticipated Transients Without Scram (1) Definition: Review the' postulated sequences of events, analytical models, values of parameters used in the analytical models, and the predicted results and consequences of events in which an anticipated transient occurs and is not followed by an automatic reactor shutdown (scram). Analyses of the radiological i consequences for these transients will be included. Failure of the reactor to shut down quickly during anticipated transients can lead 

           .to unacceptable reactor coolant system pressures and to fuel damage.

(2) Safety Objective: To' assure that the reliability of the reactor shutdown systems is high l

enough so that anticipated transient without scram (ATWS) events.need not i be considered or to assure that the consequences of ATWS events are accept-able; that is, that the reactor coolant system pressure, fuel pressure, l~

fuel thermal and hydraulic performance, maximum containment pressure, and radiological consequences are within acceptable limits. t l (3) Status: i t ATWS is a generic topic currently under review to determine a position-for all power reactors. BWR licensees have been requested to install reactor coolant pump trips as a short-term program measure. All licensees have submitted descriptions of the applicability of vendor generic ATWS ~ [ reports for their plants. The schedule for review of Class C plants, which includes those plants designated for Phase II of SEP, has not yet been developed. San Onofre 1 SEP A-100 u.

(4)

References:

1. NUREG-0328, " Regulatory Licensing: Status Summary Report" (Pink Book)
2. WASH 1270, " Technical Report on Anticipated Transients Without Scram for Water-Cooled Power Reactors," September 1973
3. Standard Review Plan, Section.15.8 and Appendix (5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic):

USI A-9, " Anticipated Transients Without Scram" (NUREG-0606) The reference cited in this topic, that is, NUREG-0328, was the precursor of-USI-A-9. The evaluation required for USI A-9 is 

                                     ~

identical to SEP Topic XV-22; therefore, this SEP topic has been deleted. 

      ' TOPIC: 'XV-23 Multiple Tube Failures in Steam Generators (1) Definition:

Assess the effects of multiple steam generator tube failures (ranging from leaks to double ended ruptures) as a result of pressure differentials that may occur following a loss-of-coolant accident (LOCA), steam line break, or anticipated transient without scram (ATWS) events. 

      .(2) Safety Objective:

Assure that the reflood of the core following a LOCA is possible and that the radiological consequences following these accidents are within the 10 CFR Part 100 guidelines. (3) Status: The consequences of multiple tube failures have not been analyzed for any plant-at the licensing stage. Work has been done for some operating plants, but ultimate goals have yet to be set. (4):

References:

1. . Prairie Island Nuclear Station, Docket Nos. 50-282 and 50-306
2. Turkey Point Plant, Docket Nos. 50-250 and 50-251
3. Surry Power Stations, Units 1 and 2, Docket Nos. 50-280 and 50-281
      -(5) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic):
              '(a)- USI A-3, A-4, A-5, " Westinghouse, Combustion Engineering, Babcock and Wilcox Steam Generator Tube Integrity" (NUREG-0649)

Two of the tasks of USI A-3, A-4, A-5 are as follows:

1. Analyses of LOCA with Concurrent Steam Generator Tube Failures
2. Analyses of Main Steam Line Break San Onofre 1 SEP A-101

F The analyses required by these two tasks in USI A-3, A-4, A-5 cover two of the three events specified in the Definition. (b) 'USI'A-9, " Anticipated Transients Without Scram" (NUREG-0606) Pressure differentials.resulting from ATWS events have been determined to be no' greater than those resulting from main steam line break events (NUREG-0460, Volume 2, Appendix V). The analysis for ATWS event is,. therefore, covered under USI A-3, A-4, and A-5. i The evaluation required for USI A-3, A-4, A-5 is identical to SEP 1 

                 -Topic XV-23; therefore, this SEP topic has been deleted.                 !

TOPIC: XV-24 Loss of All AC Power (1) Definition: Review plant systems to determine that following loss of all ac power (onsite and offsite) the reactor is shut down and core cooling can be initiated. Loss of all ac power causes loss of most emergency equipment and instrumentation. (2) Safety Objective: To assure that with only dc power, equipment design, diversity, and operator action are sufficient to initiate core cooling within a short time period (typically 20 minutes). (3) Status: Not an explicit SRP topic. Availability of some ac power is assumed in all accident / transient analyses. Topic may be considered as an auxiliary fuel pump or reactor core isolation cooling pump diversity spinoff. (4) Basis for Deletion (Related TMI Task, USI, or Other SEP Topic): 

            -     USI A-44, " Station Blackout" (NUREG-0606)

The problem description of USI A-44 is identical to the Definition of SEP Topic XV-24, and the review of USI A-44 would be the same as Topic XV-24; therefore, this SEP topic has been deleted. TOPIC: XVI Technical Specifications J(1) ' Definition: 

           -The existing Technical Specifications, associated with SEP topics, will be compared with the Standard Technical Specifications for deviations.         '

Where significant differences exist, they will be identified and considered for upgrading. The bases for the specifications will be examined including trip setpoints and accounting for nuclear uncertainty. Where significant voids occur in existing specifications, appropriate values will be identified and considered for upgrading. San Onofre 1 SEP A-102 c

(2)' Safety Objective: To assure that the safety limits and operational safety measures are sufficiently specified for the plant to minimize the probability of acci-dents that could result from equipment failure, misoperation,'or human 

               ~

error. (3) Status: , See Topic XIII-1,_" Conduct of Operations" for Section VI status. The other sections of the Technical Specifications are reviewed only to the extent that reloads, license amendments, or generic problems require. (4)

References:

1. Standard Technical Specifications; Regulatory Guide 1.8, " Personnel Selection and Training," and Regulatory Guide 1.33, " Quality Assur-ance Program Requirements (Operations)"
       '2.   ' Standard Review Plan
3. Regulatory Guide 1.70, " Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants," Chapter 16
4. 10 CFR Part 50, Section 50.36 TOPIC: XVII Operational Qualit Assurance Program (1) Definition:

Review the Quality Assurance (QA) Program with respect to safe and reli- 

       -able operation of the plant.

(2) Safety Objective: Since 1973, significant new guidance for operational QA programs in the form of Regulatory Guides and WASH documents has been issued describing how to meet the_ criteria of 10 CFR Part 50, Appendix B. The objective of this guidance is to assure that operation, maintenance, modification, and test activities do not degrade the capability of safety-related items to perform their intended functions. 

 '(3)~ Status:

Generic review for compliance with currene standards is under way. As of May 1977, 50 of the 63 operating plants have QA programs which meet current criteria. The 13 remaining plants are currently under review, with an estimated completion date of July 1977. (4)

References:

1. 10 CFR Part 50, Appendix B
2. WASH-1283, Revision 1, " Guidance on Quality Assurance Requirements During Design and Procurement Phase of Nuclear Power Plants,"

May 24, 1974

3. WASH-1284, " Guidance on Quality Assurance Requirements During the
             ' Operations Phase of Nuclear Power Plants," October 26, 1973 San Onofre 1 SEP                        A-103 1
4. WASH-1309, " Guidance on Qu911ty Assurance RGquirGments During thQ Construction Phase of Nuclear Power. Plants," May 10,.1974-
5. American National Standards Institute, ANSI N18.7-1976, "Administra-tive Controls and Quality. Assurance for the Operational Phase of Nuclear Power Plants," February 19, 1976 U.S.~ Nuclear Regulatory Commission reports cited under " Basis for Deletion" include:

NUREG-75/111 Guide and Checklist for Development and Evaluation of , State and Local Government Radiological Emergency Response I Plans in Support of Fixed Nuclear Facilities" (Reprint of I WASH-1293), Oct. 1975. l 1 NUREG-0153~ " Staff Discussion of 12 Additional Technical Issues Raised i by Responses to November 3, 1976 Memorandum from Director, NRR, to NRR staff," 1976. NUREG-0313 " Technical Report on Material Selection and Processing. Guidelines for BWR Coolant Pressure Boundary Piping," July 1977. NUREG-0328 " Regulatory Licensing: Status Summary Report"~(Pink Book). NUREG-0371 " Approved Category A Task Action Plans," Nov. 1977. NUREG-0410 "NRC Program for the Resolution of Generic Issues Related to Nuclear Power Plants, Report to Congress," Dec. 1977. NUREG-0460 " Anticipated Transients Without Scram for Light Water Reactors," Vol. 2, Apr. 1978. NUREG-0471 " Generic Task Problem Descriptions - Category 8, C, and D Tasks," Sept. 1978. NUREG-0484 " Methodology for Combining Dynamic Responses," May 1980. NUREG-0510 " Identification of Unresolved Safety Issues Relating to Nuclear Power Plants--A Report to Congress 1979," Jan. 1979. NUREG-0554 " Single-Failure-Proof Cranes for Nuclear Power Plants," May 1979. NUREG-0577 " Potential for Low Fracture Toughness and Lamellar Tearing on PWR Steam Generator and Reactor Coolant Pump Supports," Sept. 1979. NUREG-0606 " Unresolved Safety Issues Summary," issued quarterly. NUREG-0609 " Asymmetric Blowdown Loads on PWR Primary Systems, Resolu-tion of Generic Task Action Plan A-2," Jan. 1981. NUREG-0649 " Task Action Plan for Unresolved Safety Issues Related to Nuclear Power Plants," Feb. 1980. San Onofre 1 SEP A-104

o L I".. I NU' REG-0654 L 

                                                    " Criteria for, Preparation and Evaluation of _ Radio 1'ogical P                                                    Emergency Response Plans and Preparedness-in Support of Nuclear Power Plants," Feb. 1980.-
           . NUREG-066'0, .                         "NRC ' ction Plan Developed as a Result of the TMI-2
           ?Rev.-1      .

Accident,"-Vols. 1 and 2, May 1980, Rev. 1,'Aug. 1980. NUREG-0691 " Investigation and Evaluation of Cracking Incidents in Piping in Pressurized Water Reactors," Sept. 1980. NUREG-0705 '" Identification of New Unresolved Safety' Issues Relating to Nuclear Power Plants," Mar. 1981. JNUREG-0737 " Clarification of TMI Action Plan Requirements ~," Nov. 1980. NUREG-0800 ' Standard Review Plan for the Review of Safety Analysis _ Reports for Nuclear Power Plants," July 1981 (formerly 4 ! NUREG-75/087). 

                                                                  ~

NUREG/CR-1321 

                                                  " Final Report'.                    Phase I. Systems Interaction Methodology Applications Program," Apr. 1980.

1 San Onofre 1 SEP A-105 s 

 .                                                                                                                                                                                                f

p~ . L ? - L APPENDIX B SEP-TOPICS DELETED BECAUSE THEY ARE COVERED BY A TMI TASK, UNRESOLVED SAFETY ISSUE (USI), OR 0THER SEP TOPIC 12 i k 1See " Basis for Deletion" in Appendix A under applicable SEP topic. 2 Letter from G. C. Lainas (NRC) to all SEP licensees,

Subject:

Deletion of Systematic Evaluation Program Topics Covered by Three Mile Island NRC Action Plan, Unresolved Safety Issues, or Other SEP Topics, May 1981. San Onofre 1 SEP L.

t -- r. SEP _ TMI, USI, or. Topic No. SEP title SEP No. TMI, U51, or SEP title 

               !!-2.8      Onsite Meteorological                           TM! II.F.3                     Instrumentation for Monitoring Accident Conditions Measurements Program                            TMI III.A.1                    Improve Licensee Emergency Preparedness - Short Tern II-2.0 -    Availability of Meteorological                  TMI II.F.3                     Instrumentation for Monitoring Accident Conditions Data in the Control Room                        TMI Ill.A.1                    Improve Licensee Emergency Preparedness - Short Tern TMI !.0.1                      Control Room Design Reviews
             .!!!-8.D      Core Supports and Fuel                          USI A-2                        Asymmetric Blowdown Load 6 on Reactor Primary Integrity                                                                     Coolant System
               !!!-9       Support Integrity                               USI A-12                       Fracture Toughness of Steam Generator and Reactor Coolant Pump Supports 051 A-7                        Mark I Containment Long-Term Program USI A                     Environmental Qualf fication of Safety-Related Equipment U5! A                     Seismic Qualification of Equipment in Operating Plants SEP III-6                      Seismic Design Considerations-SEP V-1                        Compliance With Codes and Standards (10 CFR Part 50, Section 50.55a)
              !!! 11       Component Integrity                             USI A-46                       Setssic Qualification of Equipment in Operating Plants USI A-2                        Asymmetric Blowdown Loads on Reactor Primary Coolant System
                                                                         . SEP III 6                      Seismic Design Considerations 111 12       Environmental Qualffication of                  USI A-24                       Qualification of Safety-Related Equipment
                         ' Safety-Related Equipment
            - V-3          Overpressurization Protection                   U5I A-26.                      Reactor vessel Pressure Transient Protection
                                                              ~

V-4 Piping and Safe-End Integrity USI A-42 Pipe Cracks in Bofileg Water Reactors V-8 Steam Generator Integrity USI A-3, Westinghouse, Combustion Engineering, and Babcock A-4, A-5 .and Wilcox Steam Generator Tube Integrity V-13 Waterhammer USI A-1 Waterhammer VI 2.A Pressure-Suppression-Type BWR USI A-7 Mark I Containment Long-Term program 

                         ' Containments VI-2.8       Subcompartment A.talysis                       USI A-2                         Asymmetric Blowdown Loads on Reactor Primary Coolant System VI 5         Combustible Gas Control                         TMI II.B.7                    Analysis of Hydrogen Control USI A-48                        Hydrogen Control Measures and Ef fects of Hydrogen Burns on Safety Equipment-VI-7. E      Emergency Core Cooling System                  U$1 A-43                        Containment Emergency Sump Reliability Sump Design and Test for Recir-culation Mode Effectiveness VI-8         Control Room Habitability                      TMI III.D.3.4 Control Room Habitability Requirements VII-4'       Ef fects of Failure in Nonsafety- USI A-47                                     Safety Implications of Control system Related Systems on Selected                    USI A-17                        Systems Interactions in Nuclear Power Plants Engineered Safety Features t

VII*5 Instruments for Monitoring TMI II.F.1 Additional Accident Monitoring Instrumentation Radiation and Process Variables TMI II.F.2 Identification of and Recovery From Conditions Lead-During Accidents ing to Inadequate Core Cooling TMI II.F.3 Instruments for Monitorin2 Accident Conditions IX-2 Overhead Handling Systems U$1 A-36 Control of Heavy Loads Near Spent Fuel Pool (Cranes) X_ Ausiliary Feedwater System TMI II.E.1.1 Auxiliary Feedwater System Evaluation XIlll Conduct of Operations TMI !.C.6 Procedures for verification of Correct Performance of Operating Activities TMI III.A.1 Improve Licensee Emergency Preparedness - Short Term TMI III.A.2 Improving Licensee Emergency Preparedness - Long Term 

,            XV 21       Spent Fuel Cask Drop Accident                    U5I A-36                       Control of Heavy Loads Near Spent Fuel Pool XV-22       Anticipated Transients Without                  U51 A-9                         Anticipated Transients Without Scram Scram XV-23       Multiple Tube Failures in Steam U5I A 3,                                       Westinghouse, Combustion Engineering, and Babcock Generators                                      A-4. A-5                        and Wilcox Steam Generator Tube Integrity
                                                                      - USI A-9                          Anticipated Transients Without Scram XV 24       Loss of All AC Power                            USI A-44                        Station Blackout
          -San Onofre 1 SEP                                                                       B-1 N
                                                    --___.._.___._.__.____________._.______.__.______.____._____.______.______..______.___________.____._a

i+ ? + APPENDIX C 

                           . PLANT-SPECIFIC SEP TOPICS DELETED,' REFERENCE LETTER, AND REASON FOR DELETION l .-

l-1 f= f- 

    ^

4 San Onofre.1 SEP-

SEP '. Date of topic No. SEP title letter Reason for deletion of to ' 4.E Das Ittegrity . 11/16/79 Not appilcable to site 

      !!!-3.R         Structural and Other Conse-          11/16/79     Not appilcable to site because site does not have quences (e.g. , Flooding of -                     a system whose function is to lower tne groundwater .

Safety-Related Equipment in Base- . table ments) of Failure of Underdrain Systems III-7.A ' ' Inservice Inspection, including '5/7/81 Not applicable to this facility's design 

                   - Prestressed Concrete Containments With Either Grouted or Ungrouted Tendons III-7.C         Delanination'of Prestressed       ' 11/16/79      Not applicable to this facility's design Concrete Containment Structures
      !!!-8.8      . Control Rod Drive Mechanism           10/U80     ' Not applicable to pressurf red water reactors' (PWes)

Integrity 

      !!!-10.C      ' Surveillance liequirements on 8WR 11/16/79        Not applicable to PWRs Recirculation Pumps and Discharge Valves                                     *
    .IV-3             BWR Jet Pump Operating               5/7/81       Not applicable to PWRs Indications V             Compliance With Codes and            1U27/81      Reviewed under inservice inspection / inservice test Standards (10 CFR 50.55a)                         program -

V-2 Applicability of Code Cases 1U16/79 Not applicable to PWRs V-9 Reactor Core Isolation Cooling .11/16/79 Not applicable to PWR$ System (BWR) V-12.A . Water Purity of 8WR Primary 11/16/79 Not applicable to PWRs Coolant VI-2.C - Ice Condenser Containment 1U16/79 Not applicable to this unit's Containment design VI-7.A.2 Upper Plenum Injection 5/7/81 Not applicable to this facility's design V-7.A.4 Core Spray Nozzle Effectiveness 5/7/81 Not appilcable to PWRs V!+7.C.3 Effect of PWR Loop Isolation 11/16/79 Not applicable to this facility's design Valve Closure During a Loss-of-Coolant Accident on Emergency Core Cooling System Performance VI-7.F Accumulator isolation Valves 1U16/79 Not appilcable'to this facility's design Power and Control System Design VI-9 Main Steam Line Isolation Seal 1U16/79 Not applicable to PWRs System (BWR) VII-7 Acceptability of Swing Bus 1U16/79 Not applicable to PWRs Design on BWR-4 Plants . XI-1 Appendix !- 12/4/81 Being resolved under generic activity A-02,- 

                                                                        "Appendia I," and B-35, " Confirmation of Appendix I Models." (See " Basis for Deletion" in Appendix A under topic XI-1.)
   . XI 2             Radiological (Effluent and           12/4/81      Being resolved under generic activity A-02, vrocess) Monitoring Systems                       " Appendix I." (See " Basis for Deletion" in
                                                                      - Appendia A under Topic X1-2.)

XV-11 Inadvertent Loading and Operation 10/1/80 Hot applicable to PWRs of a Fuel Assembly in an Improper Position (BWR) , XV-13 Spectrum of Rod Drop Accidents . 1U16/79 Not applicable to PWRs (BWR) XV-18 Radiological Consequences of' 10/1/80 Not appllCable to PWRs Main Steam Line Failure Outside 

                   -Containment XVI              Technical Specifications             11/5/80      Will be addressed af ter completion of the integrated assessment San Onofre.1 SEP.                                                 C-1

t APPENDIX D RISK BASED CATEGORIZATION OF SAN ONOFRE SEP ISSVES l i San Onofre 1 SEP 

                                                                               =

SUMMARY

OF STAFF REVIEW 0F SAI REPORT "PISK BASED CATEGORIZATION OF SAN ON0FRE SEP ISSUES" The staff has reviewed the risk assessment performed by Science Applications, Inc. (SAI) for the San Onofre Unit 1 SEP issues (SAI-83-131-WA, Rev. 1) and is in general agreement with the recnninendations and conclusions presented in the report. However, we have some additional recommendations regarding SEP Topics V-11.A and VI-7.B. In Topic V-11. A, there are two issues of concern. The first issue is that given reverse flow past the CVCS check valves, if the CVCS purps are not running, the low pressure piping could be exposed to the high pressure reactor coolant and a LOCA outside containment might occur. In their evalua-tion of this issue, SAI rated the risk of a LOCA outside containment as low and made no recommendations for modifications. However, due to the potential for a containment bypass LOCA, the staff recommends that the licensee verify the pressure isolation capability of the charging pump discharge check valves at each refueling. The second issue in Topic V-11.A, is the lack of pressure-related interlocks in the SIS. SAI rated the risk of a LOCA outside containment to be medium given a left open MOV and a failed check valve in the same injection line and SAI made a recommendation for system modifications. SAI's analysis failed to account for the design rating of the injection lines. These lines were designed for 1400 psia. It is the staff's opinion that if it can be demonstrated that this piping has a low probability of failure when subjected to full reactor system design pressure, that the risk would be acceptably low. In Topic VI-7.B, the issue is the short amount of time available for manual switchover from the injection mode to recirculation mode given the present system design. In their analysis of the issue, SAI rated the risk of core melt due to a large LOCA and failure o# the ECCS (inadequate switchover) as medium. SAI recommended a redundant RWST level indicator and an automatic switchover mechanism. The staff recognizes that only one charging pump is autostarted and thus, only one pump could be damaged if the switchover were not completed in a timely fashion. Because of this, the staff finds it sufficient to provide an automatic trip of the feedwater/ safety injection pumps on low level instead of an automatic switchover mechanism. This will significantly increase the time available for operator action. Further description of the system design and details of the SAI report follow. San Onofre 1 SEP

U s r SAI-83-131-WAJ ( Revision 1 l l u 

 =

J 1 RISK BASED CATEGORIZATION OF 

                                      -SAN ON0FRE. SEP ISSUES
                                      =
         .                                   - Bahman Atefi Daniel Gallagher t.
                                                                                    +       :

July.18, 1984 Prepared for: U.S. Nuclear Regulatory Commission Washington, D.C. [ Contract NRC-03-82-096

San Onofre l'SEP

V 6 

                                                                       - ACKNOWLEDGEMENTS-The authors wish to acknowledge the technical contributions of the following people to this report:

Michael Choi William Galyean - Phuoc Le Paul Liang William Lindsay. Robert Liner Frank Wimpey i 4, 4 San Onofre 1 SEP Appendix D a 

     ~ ,1 + ,     ,-,.+<.~,-a,e,,      v. , -c+.--,-.- , ..,,,, ,, ,      +--,,,,,,,,,.w..    . . , , - , , , , .        , , , .      - - , - .~.        ,-,-v-   , ,--'

TABLE OF CONTENTS Section ge EXECUTIVE ~

SUMMARY

. . . . . .-. . . . . . . . . ... . . 1 I       INTRODUCTION. . . . . . . . . ... . . . .:. . . . . . .      1 II        METHODOLOGY FOR CATEGORIZATION OF SAN ON0FRE SEP ISSUES  .....................                          2 III-       RESULTS:. . . . . . . . . . . . . . . . . . . . . . . .      7 IV -      ANALYSIS  .......................                           14 V        REFERENCES.-. . . ... . . . . . . . . . . . . . . . . . 144 r

San Onofre 1 SEP- Appendix D

EXECUTIVE

SUMMARY

This is an Executive Summary of the report, " Risk-Based Categorization of San _ Onofre SEP Issues." The main report provides details of the analysis n used to classify the San Onofre SEP issues with respect to their impor-tances to risk. These classifications have been performed using proba-bilistic risk assessment (PRA) techniques. The issues have been examined from the perspective of the impact their resolution would have on risk from the plant. The classifications.are based 

  -on the criteria given in Table Ex-1.        Following are discussions of each issue, their classifications based on these criteria, and the supportive results of our_ analysis which were judged by these criteria.

The methodology adopted in this study was to examine the impact of each issue on the systems they affect and assess the importance of the issue by qualitative and quantitative consideration of a simplified fault tree developed for the particular system under consideration and insights of other PRAs. For each issue, we estimated the impact its resolution would 

 - have on the San Onofre ' fault trees and thus the impact on the risk at San Onofre. The San Onofre fault trees referred to here are the simplified fault trees-that were developed for each issue when it was determined that such a fault tree would be necessary for the resolution of the issue. The
  " dom _inance" of a fault tree indicates whether that fault tree would appear-in the dominant accident sequence. Since no comprehensive Probabilistic               -l Risk Assessment _(PRA) analysis has been performed for the San Onofre, over-l all results of other PRAs performed in the IREP, RSSMAP and Reactor Safety             'l
 -Study on the plants which are similar. to San Onofre were used for judgments.            l related to the effect of a system on dominant accident sequences.

Table Ex-2 gives the results of the classification of the issues as high, mediun, or low importance to risk. The numbers denote the issues. The rest of this executive summary consists of brief summaries of each of. the issues evaluated and its risk resolution. The main report contains l more detailed discussions of the methodology and the analysis of each issue. San Onofre 1 SEP i Appendix 0 

                                                  ~

i 

 ;;-                              TABLE EX-1
 "                         Classification of Issues Classification                               Criterion
           =High                         Resolution of issue dominates value of the top ~ event of a dominant fault tree or dominant sequence event.

Medium Resolution of issue impacts but does not' dominate value of top event of dominant fault tree or dominant sequence event. Low' Resolution of issues'has no impact on value of top event of dominant fault 1 tree or dom'inant sequence event. J 1 l L t ' San Onofre 1 SEP- ii Appendix D

TABLE EX-2 Classification of Issues Importance to Risk H_i_!Lh ' IX - 5 Ventilation Systems Medium V - ll.A Requir'ements for Isolation of High and Low' Pressure Systems VI - 7.B ESF Switchover from Injection to Recirculation Mode 

                    -(Automatic ECCS Realignment)

VI - 7.C.2 Failure Mode Analysis ECCS VIII - 3.B DC Bus Voltage Monitoring Low III --8.A Loose Parts Monitoring III - 10.A Thermal Overload Protection for Motors of Motor Operated Valves. IV - 2 Reactivity Control System Including Functional Design and Protection Against Single Failure V - 10.A Residual Heat Removal System Heat Exchanger Tube Failure V - 11.B RHR Interlock Requirements VI - 4 Containment Isolation System VI - 10.A Response Time Testing VII - 1.A RPS Isolation 

    .VII - 3         Systems Required for Safe Shutdown VIII - 4         Electrical Penetrations of Reactor Containment IX - 3        Station Service and Cooling Water Systems XV - 2        Spectrum of Steam System Piping Failure Inside and Outside of Containment Resolved          (These issues were analyzed for the draft, but completely resolved by the time the final report was completed.)-

VII - 2 Engineered Safety Features (ESF) System Control Logic and Design XV - 7 Reactor Coolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break l San Onofre 1 SEP iii Appendix 0 i

Y-III-8.A ~ Loose Parts Monitoring and Core Barrel Vibration Monitoring The San Onofre Nuclear Power Station does not have a . loose parts moni-toring system (for loose parts within the reactor coolant pressure boundary) to meet the requirements of Regulatory Guide.l.133. Features lacking for the system would include sensors on the' exterior surface of the RCPB capable of detecting acoustic disturbances, system sensitivity specifications, alert 

      "  levels, data acquisition modes and other, system and procedural requirements.

The loose parts that would be detected b'y a loose parts monitoring system, lacking at San Onofre, have not been a significant cause of tran-sients at ' nuclear power plants. Due to the relatively high transient-frequency.from other causes the elimination of loose parts induced tran-sients has a small effect on the core melt frequency. This issue is of low risk significance. , III-10.A Thermal Overload Protection for Motors of Motor Operated Valves Current criteria requires that the thermal overload protection for moto'rs of MOVs be bypassed during emergency operation. Additionally the trip -set points of the thermal overload protection for the motor operated valves should be established such that with all the uncertainties included, the valve be capable of completing its safety related function. In the analysis of this issue no evaluation of the adequacy of the current set points- for the thermal overload protection of MOV's was performed. To determine the effect of bypassing of the thermal overload protection for MOVs during emergency operation, the contribution of thermal overload failure on the total failure of the MOV on demand was calculated. It was shown that bypassing of the thermal overload protection results in a 14W reduction in the failure probability of MOVs on demand. The only system with an unbypassed MOV is the Component Cooling Water System (CCWS). The effect of reduction in failure demand probability of the MOVs on this system was evaluated. It was found that the overall effect of this reduction'in MOV failure rate on the failure probabilities of the CCWS system is San Onofre 1 SEP iv Appendix D

negligible. Thus, -it is' concluded that bypassing of the M0V's thermal overload protection device has a very small effect on the overall core melt frequency. , Consequently, the risk significance of this issue is rated low. IV-2. Reactivity Control System Including Functional Design and Protection Against Single Failure General Design' Criteria (GDC) 25 requires that no s' ingle failure of the reactor control and protection system, such as rod withdrawal, would result in reactivity and. power increases that could exceed fuel design. 

     . limits. -In San Onofre 'it was found that single failures in the reactor trip system could lead to malfunctions such as multiple rod withdrawals that could exceed fuel design limits.           Rod withdrawal . accidents are contributors to the frequency of initiation of transients in light water reactors. As long as the mitigating systems designed to mitigate the consequences of these transients function correctly, no core melt accident would result.

The 'most important consequence of a rod withdrawal accident is localized power peaking in the fuel bundles in the vicinity of the withdrawn control rod.. This localized power pesking could result in some cladding damage but no fuel damage or. melting is expected., In the previous comprehensive proba-bilistic ~ risk assessments such as WASH-1400 it has been.shown-that the most significant contribution to the overall risk of operation of a Nuclear Power Plant comes from the accidents that involve core meltdown. Consequently the rod withdrawal accidents that do not lead to core meltdown are not expected to-contribute significantly to the risk of operation of this plant and are ranked low from risk. significance point of view. V-10.A Residual Heat Removal System Heat Exchanger Tube Failures San Onofre currently does not meet the criteria for monitoring of the 

    ;possible leakage of primary coolant through component cooling and salt water cooling systems to the environment.
           'The possibility of_ in leakage from component cooling water system to
    .the primary water system is extremely low. This event can only occur during shutdown periods where the primary side of the residual heat removal heat exchangers are at a pressure that ranges from 70 psig to 420 psig and the San Onofre 1-SEP                                v                               Appendix D
                                        - - _ _        _   __    y      ,9 ]

                                          ,         . . .               ~   .-

Z l'.

secondary.s'ide, which is the component cooling water, is at a pressure of 4 65-75 psig._, The salt water cooling system which removes heat from component- '
                            ~ cooling water system and is the source of possible impurities is at 30 psig and .is always at_ a lower pressure than component cooling water system.
                                                                                                                                                             ]
                                                 ' The frequency-of primary coolant leakage ~ to the environment was con-
                           .servatively calculated by looking at failure probabilities of component and salt water cooling systems heat exchanger failures. The frequency of.

this event was calculated to be 6.8x10-8/ year. Considering the low fre-4 quency of this event'and low significance of its consequences compared to a core melt-accident, the overall effect of this issue on the risk due to operation of the San Onofra plant is judged to be very small. Thus, this - 

                                                               ~
                              = issue is ranked low with respect to risk.

V-11.A -Requirements For Isolation of High and Low Pressure Systemt } There are three systems at San Onofre that are connected to the main , coolant system and have lower pressure than the main coolant system. TheseL systems ~are the residual heat removal system (RHRS), safety injection , 

                          . systems (SIS)'and the chemical and volume control system (CVCS). The current design of these systems does not meet the NRC criteria that requires j                         -' existence of a pressure interlock mechanism such that the possibility of

, exposure of the low pressure segments of the above systems to the main coolant ~and subsequent initiation of a LOCA can be avoided. ^The RHRS system requirements are discussed under topic V-11.B'"RHR Interlock Requirements." a j The safety injection system including the long term recirculation system and chem'ical and volume control system were analyzed to find the probability of a' leakage from RCS to the low pressure segments of the above. systems. The results showed that the probability of the main coolant leakage to the CVCS i and long term recirculat' ion system due to failure of various check valves resulting in a possible LOCA is 9.4x10-7 and 7.0x10-7 per year respectively. The. probability of initiation of a LOCA outside containment as a result of reverse leakage in the SIS is 1.7x10-8 The' scenario leading to this LOCA i consists of failure to close the safety injection system MOTS following a refueling outage test and failure of a check valve while reactor is at i ! power. To reduce this frequency, two possible improvements to the system ' ) 

                         - can be suggested. - The first one consists of addition of 'a pressure inter-                                                         '

i lock' to the safety injection system MOV's. This reduces the frequency of.a i iSan Onofre 1 SEP vi Appendix D we--gr w.-.-,#e-.em,w,_,.r.,,_,_,,.,y, , , , .,__,,,,.,,,__4 _y _ ,_%,, ,.qyv,-y y, ,,.e.,,,-,yw,. , . . -

  • LOCA'to 2.8x10-8/ year. An alternative to this is-to assure that the MOV,'s 1- are closed before the reactor is taken back to power by adding a second cre'w.

that'.would check the status of the MOV's at the end of the refueling outage. This will reduce.the frequency of the LOCA to 1.7x10-6/ year. The frequency , of initiation of a LOCA due .to reverse leakage in'the.CVCS and long term !' recirculation system are sufficiently low that they are not expected to

contribute significantly to the overal frequency of initiation of a LOCA.

1 Thus, these-are ranked low.with respect to risk. In the case of the SIS 

          ..this frequency is sufficiently high that we would rank its risk significance as medium.

V-11.B 'RHR Interlock Requirements i j The . isolation of the primary coolant system and the residual heat ( . removal system (RHRS) at San Onofre is currently provided by two MOVs at the j suction and two'at the discharge line. Since the RHRS system is a low pressure system the concern is that in case of an inadvertent opening of these MOVs during . plant cooldown at pressures above RHRS design pressure, , the low pressure piping and components of,the RHRS wculd be exposed to high i pressure primary coolant and a LOCA could be initiated. Of the four MOVs isolating the primary coolant system and RHRS, two MOVs, one on the 

          -discharge and one on the suction, are connected to a pressure sensor so that                                      ,

if the primary coolant pressure is above RHRS design pressure they would not open. The other two MOVs are administrative 1y controlled by the shif t supervisor. Thus,-.for the RHRS to be exposed to a high pressure, two ! .f ailures must occur. First, a human error.on the part of the shif t super-

' visor must occur such that the MOVs would be opened when the primary coolant j

! pressure is above the RHRs design pressure AND the pressure sensor must fail l l to prevent.the opening of one of the M0'Vs upon detecting a high pressure. l The probability of a core melt due to this scenario was calculated to be l 1.2x10-7/yr. If.'the administrative 1y controlled MOVs are replaced by MOVs !. . with pressure sensors this core melt frequency reduces to 5.7x10-8/yr. { Although no,PRA for ;an Onofre has' been done, based on PRAs for similar PWRs in the IREP,. RSSMAF and WASH-1400, the frequency of core melt is estimated to.be in'the range of 3x10-5 to 2x10-4/yr. Thus, the above core melt , frequencies have a very smal'1 effect on the overall core. melt frequency and I addition of another pressure sensor to the present interlock system does not i San Onofre 1 SEP vii Appendix D i 

   .a-_           _ , . - _ _ _ , ~ . _ . - _   .__._.u                             _ . _ _ , , , . - . _ , _ _ _ _

seem to be necessary. Consequently the risk significance of this issue is ranked low. 

 .VI Containment Isolation System-Many of the containment penetrations in the San Onofre plant do not meet the NRC's current General Design Criteria. These penetrations f all         .

into several categories. The probability of f ailure of these penetrations in the current con-figuration and with the recommended ' modifications was evaluated. It was 

-found that although a very small reduction in the f ailure probability of these penetrations can be realized by changing to the recommended configuration, the absolute failure probabilities of these penetrations are so small that the contribution of these failures to the total containment penetration would be insignificant. Thus, changing from the present isolation configuration to the recommended configuration does not seem to be necessary. Because of the very small effect of the present isolation' system cor. figuration on the total-probability of isolation failure, this issue is rankti low as far as the risk is concerned.

VI-7.8 ESF Switchover from Injection to Recirculation Mode (Automatic ECCS Realignment) The switchover from Emergency. Core Cooling injection to recirculation in the San Onofre plant is currently performed manually. The operator is instructed by an alarm to reduce the injection flow cnce the Refueling Water Storage Tank (RWST) level has dropped to 21%. The switchover tasks must be 1 initiated by the operator once the RWST level has dropped to 12% and should ' be completed before the level drops below 7% to avoid any possible damage to the pumps. The time available to the operator to complete the switchover tasks-is between 5.8 to 10 minutes depending on the assumed rate of flow. l Current NRC criteria recommends a minimum of 20 minutes for the manual switchover operation. In addition, currently there is only one level indi-cator from RWST to the control room that would be used by the operator to , initiate the recirculation. I San Onofre 1 SEP viii Appendix 0 f i 

                                                             .                            r
To analyze this issue a fault tree for the failure of the recirculaticn.

system was developed- and quantjfied. The results ~ showed that the failure probability of the current San Onofre recirculation mechanism- is 2.5x10-2, Based on a large LOCA frequenc'y of 1.0x10-4 per year this lead to a core melt frequency of 2.5x10-6/ year. i 2 Two alternatives.to this configuration were _ analyzed. In the first case', addition of a set of redundant annunciated level instruments to the- 

        ^ RWST was considered. This' change resulted in reduction of the failure-

,s probability of the recirculation system to 3.7x10-3 which is a factor of 7 

)       . smaller than the present configuration. This leads to a' core melt frequency of 3.7x10-7/ year.

, The second case analyzed was the addition of an automatic switchover . mechanism. This addition resulted in a further reduction in the f ailure [ probability of' the recirculation system to 6.0x10-4 which is a factor of 6 l smaller than the case with redundant level indicators but manual switch-over. -The core . melt frequency in this case is 6.0x10-8/ year. It should be

noted that an automatic switchover mechanism has a basic drawback in that initiation of an inadvertent switchover before there is sufficient water in
the sump could result in possible pump cavitation and damage. Since the exact core melt frequency for the-San Onofre is not known, the importance of the above scenarios are evaluated by comparing the above core melt proba-bilities with the typical core melt probabilities developed for similar PWRs
                                            ~
- in the' IREP,- RSSMAP and Reactor Safety Study. - Based 'on these evaluations,-

the overall core melt frequency is in the range of 3x10-5'to 2x10-4/ year. i -Thus,'it seems that the core melt frequency due to the present configuration 4 of the recirculation system at San Onofre would have a moderate contribu-4 tion.to the total core melt probability. The' order--of magnitude reduction in this core melt frequency as a result of introduction of a set of redun-dant annunciated RWST level indicators would make this contribution essen-tially insignificant. This implies that the further reduction in this frequency based on the addition of an automatic switchover mechanism does 

    ,      not offer much benefit from the risk point of view. Based on the core melt frequency of the current design of the San Onofre, this issue is ranked as
          -medium with respect to risk.
      -San Onofre 1 SEP                              ix                              Appendix D 1

VI-7.C.2 Failure Mode Analysis ECCS Therelare four items _ identified in this issue that could disable part of the Emergency core Cooling System (ECCS) due to single f ailures. The licensee'has agreed to the NRC recommendations on two items and has 1 

         , suggested dodifications to the systems addressed by the other two items.

These items which~are analyzed in this issue are:

a. -installation of. redundant valve in series with valve MOV/LCV 1100C from volume control tank (VCT) to the charging pumps. Failure of.

MOV/LCV 1100C to close may cause cavitation of the two charging 

                         -pumps. downstream of the valve because hydrogen from the volume control tank could enter the pump suction.

b.s Installation of redundant control power and instrument air for flow control-. valves FCV-11150, E and F at the injection lines of the charging pumps. Loss of air pressure or power causes these valves 

    ..                  to close with possibility of loss of ECCS recirculation to the three cold leg injection lines.

For. the first item. above four cases were analyzed. These include 1) the original configuration,2) the licensee proposed configuration (i.e., the ~ existing configuration) consisting of removing one of the charging pumps from the sequencer that would start it upon a safety injection system and l manual' transfer 07 power from redundant motor control centers (MCC) that 

         . provide power to the MOV/LCV 1100C,3).the NRC recommended configuration

[ where a second MOV is added to the system in series with the.MOV/LCV 1100C, l- and the last case.is the same as the licensee proposed case except that a (- 'second MOV is also added in series with MOV/LCV 11000. The analysis showed-that the current design could result in a core melt frequency of 1.0x10-6/ year. The proposed licensee changes and NRC recommended configurations i both reduce the above core melt frequency by three orders of magnitude to 1.0x10-9/ year. The last case will result in another three orders of magni- [ tude reduction in core melt probability. It is concluded that either the L licensee proposed modification (Case 2) or NRC recommended changes (Case 3) I is sufficient to reduce the core melt frequency. i l San Onofre 1 SEP x Appendix D E

1 e For. the second l item'.the proposed interim configuration of air supply 1 system - with a new emergency airi supply was analyzed. The modified configuration has a failure. probability of 8.8x10-4 Based on a small LOCA 

                                                        ~

I 

                  -of $0x10-3/ year, this results in a core melt frequency of 8.8x10-7/ year.

l It was noted that the failure probability of.either' air supply system, i.e., f the old system'with no redundancy and the new system is dominated by the F . assumption'of annual testing of various components of the system which would 

                  -have been'the case for the old non-redundant system. If after modification
of.the system and existence of redundancy the components are tested more -
' frequently, the failure probability of the system would be reduced even

_ further. - 0verall, without any proposed modifications, the risk significance 

                                                 ~

! .of this issue would be ranked medium. With the above modifiestions in place the risk significance of this issue reduces to low. j ~ 

                   'VI-10.A Testing of Reactor. Trip Systems and Engineered Safety Features, Including Response Time Testing 4

Two-issues were identified: 1) response time testing is not performed and 2) no provision for channel checks of the steam flow channels is 4 included _in the technical specifications. In PRA analysis, the timing of . . system action is relatively unimportant because the time periods measured by ) response time testing are very short when compared to the actual amount of time the system can begin to function to prevent core melt. Functional i? testing, which is performed at. San Onofre, is sufficient to test system operation within a' reasonable time. Thus, the importance of response time {: testing to risk is low. Channel checks, on the other hand, do not have a significant_effect on the reliability analysis of the reactor trip system. Thus, the importance of channel checks to risk is low. i- VII-1.A Isolation of Reactor Protection System from Non-Safety Systems Current criteria require that non-safety systems receiving output from i the RPS have isolation devices to insure the independence of the RPS chan-nels. ;At the San Onofre 1 plant proper isolation devices are lacking

between remote meters and process recorders and the following RPS trip signals:

San Onofre 1 SEP xi Appendix D l .

4-P 4_ pressurizer pressure 

                                          .presurizer level
                                          -steam-to-feedwater flow mismatch high flux level high startup rate neutron monitoring reactor coolant. flow.1 Additionally, there is no isolation between the steam-to-feedwater flow mismatch channel and the Optimac computer.or between the nuclear instrumen-I ltation and a data logger. (Utility personnel state the data logger,is.no                                                           ~

longer connected -to the nuclear instrumentation.) A simplified fault-tree . 'was constructed to represent these trip signals including the effects of unisolated non-safety system faults. The analysis of this fault tree showed that the non-safety- system faults did not . contribute significantly to the 

                           .RPS failure probability (dominated by the common mode mechanical failure 'of the. rods to insert).            We therefore rate this issue to be of low risk ~
- significance.

l VII-2 . Engineered Safety Features (ESF) System Control Logic and Design b Safety grade systems are required by current criteria to be adequately ~ isolated from non-safety systems. ESF- current loops are required to have 

 +

isolation devices to ensure electrical independence of the ESF channels. At San Onofre 1 proper isolation devices may not be utilized for the contain-ment isolation signal and the safety injection signal. The isolation device . .used for the safety' injection signal is an.. input buffer module. The - containment isolation signal is. isolated through the use of relays and relay contacts. Assuming that the input buffer modules do not supply adequate 

                           ' isolation for the safety injection signal, the effects of f aults in non-                                                               l 1e                 safety systems on the safety injection signal were analyzed. The probabil-ity of a signal failure due to unisolated faults was calculated to be of the same magnitude as safety injection system f aults in other nuclear power-t" i

1 Not. included in SEP branch evaluation; however, utility claims this I signal's lack of isolation is identical to pressurizer pressure and level signals l l San Onofre 1 SEP xii Appendix D 

)
   . . ~ . , . . . - - -  . - a,_ .. I _ . __ _ ;. _ , _ __            - . . . , _ _ , _ , . _ - _ - - _ _ _ , _ _ _ . _ , _ _ . _ . , _ . . _ . , , _

plants. This implies that faults in non-safety systems could be a signifi-cant contributor to safety injection signal failure at San Onofre 1. Adequate isolators between the safety injection signal and the non-safety systems would effectively eliminate the non-safety effects. After completion of the analysis of this issue, the licensee demonstrated that sufficient isolation exists between the safety and non-safety grade systems. Thus, this issue is completely resolved. VII-3 Systems Required For Safe Shutdown The only issue under this topic is the lack of redundancy in the Component Cooling Water System (CCWS) surge tank level indicator. Currently the water level in the surge tank is monitored by one level indicator which is connected to an alarm in the control room and would warn the operator of the low water level in the surge tank. In addition there is a visual gauge that is checked once every refueling. If low water level in the surge tank is detected operator can add makeup water to the tank manually. The concern in this issue is that given a leakage and f ailure to detect the low water level in the surge tank, the CCWS can cavitate and fail the operation of the system. This failure among other things could result in the failure of the main coolant pump seal creating a small-small LOCA. The probability of occurrence of this event was calculated to be 1.1x10-4/ year. This is an order of magnitude smaller than the overall probability of occurrence of a small-small LOCA of 1.0x10-3/ year. Considering all the conservatism involved in the analysis of this scenario and small contribution of this event to the initiation of a small-small LOCA which itself partially contributes to the total core melt probability of this plant, the significance of this issue is ranked low from risk point of view. VIII-3.B DC Power System Bus Voltage Monitoring and Annunciation There are two DC power systems at San Onofre 1, the 125V DC system and the uninterruptable power supply (UPS). Each of these systems should have sufficient control room indication to allow for operator action to 1) pre-vent the loss of a DC bus or 2) recover a DC bus if power is lost at the bus. The San Onofre 1 plant'does not have all of the required annunciators and monitors for either DC power system. San Onofre 1 SEP xiii Appendix D

Fault trees were constructed to model the two DC power systems. These fault trees were evaluated for the systems as they are now and for the systems assuming the proper annunciators are added. (Properannunciation reduces -the detection ~ interval for most battery system f aults.) The analysis showed that for both battery systems a reduction in the battery i system unavailability is achievable with the improved annunciation. However l since the UPS supplies power to only one component (a safety injection valve) whose failure probability is dominated-by mechanical valve failures, the reduction in the UPS unavailability does not significantly affect the safety injection system unavailability. This is the only system the UPS could affect; therefore the reduction in UPS unavailability is not signifi-cant. Due to multiple power supplies to each of the 125V DC system 

' batteries, both diesel generators can be used for each battery system, the failure probability of the unannunciated battery system is smaller at San Onofre I than at most nuclear power plants. The reduction in the battery system unavailability, due to improved annunciation, will not have as significant an effect as it would at other nuclear power plants. However, it should still have an effect on the risk due to core melt. We therefore rank this issue to be of medium risk significance.

VIII-4 Electrical Penetrations of Reactor Containment This issue addresses the adequacy of the electrical penetrations in maintaining containment integrity during'a LOCA given an overloaded circuit. 

'For the low voltage penetrations analyzed no secondary circuit protection was provided (as required by present criteria). In this analysis the failure probability of containment isolation was calculated by considering f ailure probability of DC and low voltage AC penetrations. Failure probability of each of the above penetrations due to an overload was next                     I multiplied by the total number of penetrations to get the total probability                   ,

of containment isolation failure due to this event. The results show that failure probability of containment isolation due to failure of low voltage  ; electrical penetrations is several orders of magnitude smaller than other contributors to the failure of the containment isolation. Thus, this issue is ranked low from risk point of view. i San Onofre 1 SEP xiv Appendix D

IX-3 Station Service and Cooling Water Systems Several issues related to the Component Cooling Water System (CCWS) and 

   - Salt Water -Cooling System (SWCS) were identified by the NRC for this topic.

Among these, one issue for the CCWS and one for SWCS were relevant for analysis using PRA techniques. For the CCWS the importance of passive failures consisting of- pipe rupture and heat exchanger failures was analyzed. To do this a simple fault tree for the CCWS was developed and quantified. : With all the conservatism included in the assumptions for the passive failures the contribution of these failures to the failure of the CCWS is about 6%. Thus, the contribution of the passive failures to the overall core melt frequency was. judged to be insignificant. The issue related to the SWCS is the significance of failure of tsunami stop gates after reactor shutdown when the heat load is at its maximum and lack of sufficient time for the operator to correct the situation. In particular, it was found that during the maximum heat load conditions on SWCS, .if one of the tsunami stop gates fails the water inver. tory in the screenwell will eventually be depleted. If the salt water flow is completely lost, there is only about 3 minutes before the water temperature in the CCWS increases above the design temperature. To evaluate the 

   'importance of failure of the tsunami stop gates, the unavailability of the SWCS following reactor shutdown was evaluated. This unavailability consists
  .of the frequency of reactor scram time the unavailability of the tsunami gate valves during the approximately 24 hours of maximum heat load following a reactor scram. The probsbility of this event was calculated to be 6.4x10-6 / year.

This frequency is considered lower than unavailability of SWCS due to hardware failure. Additionally, if SWCS is failed for an extended period of time, RHRS can be shutdown to reduce the heat load on SWCS. In this case the main coolant will heat up somewhat and the heat can be removed using the main heat exchangers. Considering these facts, the 'ontribution of this event to the risk associated with the operation of this plant is judged to be low. IX-5 Ventilation Systems This topic addresses the need to provide further analysis to determine ' the need for ventilation to assure system operability. This in itself does not serve to reduce risk; however, a finding that ventilation is not needed I i San Onofre 1 SEP xv Appendix D

4 .a 1% in certain areas could serve to " reduce" the per~ceived potential. for risk 

 ~^

signi fica nce. The analysis performed was conservative and serves to indicate the upper bound- for potential risk, thus _ indicating for which areas further analysis should' be carried out. The conclusions for each plant area analyzed. follow. 

             .               _'A loss of ventilation in the switchgear and cable spreading room would affect _both trains of the AC power system, both normal and emergency. A-ventilation failure induced loss of the equipment in this room combined with a failure of the turbine driven auxiliary feedwater pump portion of the auxiliary feedwater system would eliminate -the standard means of remov.ing theat from the core. The' frequency of this combination of events is rela--

tively high, comparable to the core melt frequency for a PWR. For this reason we rate this issue to be of high risk significance. A-loss of ventilation in the 480V switchgear room will affect only one train of the AC power system. The consequences of losing' one AC power train are'significantly less- than those when both AC trains are lost. The avail- 

     ,                ability of a redundant AC power supply and the auxiliary feedwater system.

virtually unaffected by a loss of ventilation in the' 480V switchgear room. 

                     -reduce the significance of this event to a point where it would not signi-ficantly affect the core melt frequency. We rank this issue to be of low risk significance.
        ,                   - The reactor auxiliary building ventilation system provides ventilation for the charging pumps. The probability of a ventilation system failure that fails the charging pumps, in combination with other system failures required to result in a core melt sequence, is small in comparison with the expected core melt frequency. This issue is therefore rated to be of low risk significance.
                            .The failure of one of the station batteries due to a loss of ventila-tion could have a significant effect on the San Onofre 1 core melt fre-quency. Failure of the ventilation system, a single fan, can be expected to occur more frequently than the loss of a DC power train due to battery faul ts. Battery faults generally are significant contributors to dominant accident sequencas. This' issue is therefore rated to be of high risk sig-nificance.

San Onofre 1 SEP xvi Appendix D

XV-2 Spectrum of Steam System Piping The concern in this issue is to show that the plant has the ability to mitigate consequences of steam line breaks. Overall, it was shown that the pressure in the reactor coolant and main steam systems will stay below the design pressure following a steam line break. The simultaneous blowdown of 

  .all three steam generators can cause a pressurized thermal shock to the reactor pressure vessel. This issue is being considered as a part of the generic unresolved safety issues. Loss of a single motor-driven-auxiliary feedwater pump could disable the decay heat removal via steam generators if a main feedwater pump is not realigned to perform the auxiliary feedwater pump function. The Licensee has proposed to add a second motor driven auxiliary feedwater pump that would eliminate the above concern.

Consequently the significance of this issue is ranked low from risk point of view. XV-7 Reector Coolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break Given a loss of forced flow due to reactor coolant pump rotor seizure or shaft break NRC evaluation shows that there is no effect on the minimum DNBR. But it could not be concluded whether the reactor coolant pressure would exceed the allowable limits. Lookir.g at the various causes for reactor coolant pump failure, experience has shown that only about 2% of the pump failures are due to the above causes. Given the small probability of overpressurization of main coolant system based on this event and small consequences of the event compared to core melt accidents, the importance of this issue is ranked low from risk point of view. Although analyzed, this issue was completely resolved before completion of the final report. 4 San Onofre 1 SEP xvii Appendix 0

L l I. Introduction 

            .This report will present the analysis and results for the risk-based categorization of issues identified by the USNRC Systematic Evaluation Program (SEP) for the San Onofre Nuclear Power Plant.

Section II will discuss.the methodology, Section III will present our results for San Onofre, and Section IV will give the analysis performed for p each San Onofre SEP issue. i A brief discussion of the. analysis and results for each issue is given in the Executive Summary of this report. I t i l j San Onofre 1 SEP 1 Appendix D i

II. Methodology for Categorization of San Onofre SEP Issues The United States Nuclear Regulatory Commission (USNRC) Systematic 

       ' Evaluation Program (SEP) is identifying deviations from current licensing requirements for older nuclear power plants. This project evaluates those issues:which are amendable to study by probabilistic risk assessment (PRA) techniques, for the San Onofre plant. The result of this evaluation is the categorization of these issues by the impact their resolution would have on risk. This categorization will be used as input to the USNRC decisions on what hardware and procedure changes will be required for the nuclear plants as the product of the SEP.

Not' all of the issues identified ~are easily addressed by well-defined PRA techniques. In particular, issues which address the ability of.the power plant to safely deal with events for.which the frequency and/or effects on plant systems are unknown are not evaluated in this study. PRA examines accident scenarios for which the initiating event frequencies are relatively well known and probabilities of system failures are estimated by detailed consideration of system configuration, random component failures, and system interactions. Thus the issues evaluated are those which address systems or plant features during normal operation or accident situations of relatively well-known frequency where that system or plant feature may be demanded. Issues excluded are those dealing with seismic, tornado, or flooding events for which the frequency of a given severity event, or any such event, is not well known. Also excluded are issues dealing with high energy line breaks, where it is not the frequency, but the effects on systems, which is not known. Treating these issues in the framework of PRA would generally be at the edge of the state-of-the-art (since event frequencies, etc., are not 

                                                                ~

well known) and thus our confidence in the risk-based categorization of these issues would be less than for the results of our analysis of those issues which fit well into present PRA considerations. . Since no probabilistic risk assessment has been performed for the San Onofre Nuclear Power Plant, the results of other PRAs performed in the l IREP, RSSMAP and reactor safety study on similar PWRs were used for judg- ! ments on the importance of an issue to the risk. San Onofre 1 SEP 2 Appendix D t

The method adopted in this study was to examine the impact of each issue on the systems it affects and assess the importance of the issue by both quantitative and qualitative consideration of the f ault- trees and the results and insights of other PRAs. For each issue, we consider the 1mpact its resolution would have on the unavailability of the system unger consideration by developing a simple f ault tree for the system or subsystem of interest. If the impact of the proposed changes on unavailability of the system under consideration is significant, the next step is to evaluate the impact of the issue on the core melt sequences that includes failure of the system'under consideration. If we could ascertain no impact on the top event of any dominant fault tree (or event in any dominant sequenca) due to resolution of an issue, we classified the issue's importance as low. If the resolution of the issue' affects but- does not dominate a f ault tree (or event), the issue was  : classified as of medium importance. If the resolution of the . issue domi- . nates the value of the top event of any dominant fault tree (or event), the  ; issue's importance was classified as high. { In general, the evaluation was done in consecutive phases in order to  ; reduce the amount of work as much as possible while still gettir.g the required insights to assure a proper ranning. t Phase I - Evaluate the effect of the SEP issue resolution on the , particular event or component it is associated with. That is, deter- ) mine if there is a frequency / reliability change induced on the event / component by resolving the issue as suggested by the NRC. If there is essentially no effect, no further analysis is required and the risk significance is low. If there is an effect, proceed to Phase II. Phase !! - Evaluate the effect of the frequency / reliability change 

   ' found in Phase I on the overall reliability of the systems which it impacts. If there is essentially no effect, no further analysis is required   and the rist dignificance is low. If there is an effect, proceed to Phase !!!.
                                                                                  ?

San Onofre 1 SEP 3 Appendix D

Phase III - Evaluate the effect of the reliability change found in  ! Phase II on perceived plant risk / core melt frequency. If there is essentially no effect, the risk significance is low. If there is an effect but it does not involve tha perceived dominant contributors to risk, the risk significance is moderate. If there is an effect and it involves a perceived dominant contributor to risk, the risk signifi-cance is high. From this description, it can be seen that some subjective judgment is required for Phase III as to what are the perceived dominant contributors to risk and what is the perceived total plant risk / core melt frequency. To some extent, this is based on the experience gained from other PRAs done on similar plants. In general, when an issue was judged using other PRAs the ranking of tha issue was based on the PRA which showed the greatest effect. Thus, if an issue was shown to be dominant (high) for any one of the PWR PRAs considered, it was concluded that it might also prove to be dominant for San Onofre, and it was ranked high. On the other hand, in order to be ranked low, the issue would have to be shown to be low for all of the PWR PRAs considered. It is obvious that this will result in a more conservative analysis. The overall study methodology is given in flowchart form in Figure 1. The importance of an issue is determined by the impact of resolution of the issue on the San Onofre fault trees or events and the dominance or nondom-inance of accidents containing those f aults or events. The impacts are developed from the SEP branch evaluations of the issues and the fault trees developed for each issue. The " dominance" of the San Onofre f ault trees and events is determined as previously stated from the results of cther PRAs performed in the IREP, RSSMAP and reactor safety study on similar PWRs. The resulting classifications are given in Table 1. I A discussion of each issue and its classification is given in the Executive Summary of this report. The next section provides a brief ) overview of the results of this study. San Onofre 1 SEP 4 Appendix D

i Plant FSAR, IREP ANO-1 Drawings , RSSMAP Sequoyah l RSSMAP Ocone: i Procedures RSS Surry PRA Ritsults l 1 l l l l I o i Proposed "E'" " g SEPB Component / l Modi fica tions g,Eunt i I I Impact on l l System Reliability l ( Pha e p II) l u l g Impact on l ~' Plant Risk l l (Phase III) l l l l . Importance of Issue Figure 1. Study Methodology San Onofre 1 SEP 5 Appendix D

I Ta ble 1 m ., Classification of' Issues Classificatios Criterion High x Resolution of issue dominates value of the top event of a dominant fault tree or dominant sequence event. Medium 

                                                . s                    Resolution of issue impacts but does not dominate value of top event of dominant fault tree or dominant
 -)          .                                                           sequence event.
                        \

Low- Resolution of issues has no impact on valde-of top event of dominant fault tree or dominant sequence event. s s k { s San Onofre 1 SEP 6 Appendix 0 

         ,                                                        e '

III. Results E s There were 39 issues identified by the Systematic Evaluation Program Branch for the San Onofre Nuclear Power Plant. Of these,17 were outside i the scope of our analysis and 22 were within our scope. Of the 22 issues which were within the scope of our analysis, there were 2 issues that were completely resolved by the SEP Branch before the start of our study, and 2 

 ;    that were completely resolved before completion of the final report. Table i    2 gives those issues we did not analyze and Table 3 gives those issues we did analyze.

k Each issue was analyzed for classification by the criteria described in p the previous section of this report. That is, we assessed whether resolution of the issue would affect the fault trees which were developed i for the particular issue at San Onofre and quantified the effect. The fault trees were examined to determine the resulting change in the top event (s), I and other PWR PRAs were reviewed to characterize the affected fault trees by whether they would be part of dominant accident sequences. E [ Table 4 presents the results of our analysis. For each issue, the i system or accident event that the issue potentially impacts, the change in [ unavailability due to resolution of the issue and the component or system [ for which this was calculated (Phase I), whether the issue affects the top event of the f ault tree (s)/ event (s), whether the f ault tree (s) or event (s) i affected would appear in any dominant accident sequences (Phase III), and, [ based on applying thecriteria of Section II to all of the above results, the resulting classification of the issues are given. Table 5 gives a list of [ the classifications of the issues as high, medium, or low importance to [ risk. A discussion of the classification of each issue is given in the i Executive Summary of this report. F E San Onofre 1 SEP Appendix D . 7

Table 2 SEP Issues Not Evaluated

1. II-1.C Potential Hazards or Changes in Potential Hazards due to Transportation, Institutional, Industrial, and Military Facilities
2. II-3.A Hydrological Description
3. 11-3.B Flooding Potential and Protection Requirements
4. II-3.B.1 Capability of Operating Plants to Cope With Design Basis Flood Conditions
5. II-4.F Settlement of Foundations and Buried Equipment
6. 111-1 Quality Group Classification of Components and Systems
7. III-2 Wind and Tornado Loadings
8. III-3.A Effects of High Water Level on Structures
9. III-3.C Inservice Inspection of Water Control Structures
10. III-4.A Tornado Missiles
11. III-7.B Design Codes, Design Criteria, Load Combinations and Reactor Cavity Design Criteria
12. III-10.8 Pump Flywheel Integrity ,

i

13. V-6 Reactor Vessel Integrity
14. VI-1 Organic Materials and Post-Accident Chemistry i San Onofre . . e 8 Appendix 0 l

I Table 2 (continued) SEP Issues Not Evaluated VI-6 Containment Leat Testing 15.

16. VIII-1.A Potential Equipment Failures Associated with Degraded Grid Voltage
17. XV-1 Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase .in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve
          ~

San 0nofre 1 SEP 9 Appendix D

Table 3 SEP Issues Evaluated

1. III-8.A Loose Parts Monitoring and Core Barrel Vibration Moni- j toring
       ' 2.

III-10.A Thermal - Overload Protection for Motors of Motor- I Operated Valves

3. IV Reactivity Control Systems Including Functional Design and Protective Against Single Failures
4. V-5** Reactor Coolant Pressure Boundary (RCPB) Leakage Detection
5. V-10.A RHR Heat Exchanger Tube Failures
6. -V-10.B* RHR Reliability
7. V-11.A- Requirements for Isolation of High and Low Pressure Systems
8. .V-11.B RHR Interlock Requirements
9. VI-4 Containment Isolation System
10. VI-7.A.3* ECCS Actuation System I
  !     11. VI-7.B     ESF Switchover from Injection to Recirculation Mode (Automatic ECCS Realio m nt)
12. VI-7.C.2 Failure Mode Analysis ECCS i
13. VI-10.A Testing .of Reactor Trip System and Engineered Safety ,

Features, Including Response-Time Testing I San Onofre 1 SEP 10 Appendix D L-'

Table 3 (continued) SEP Issues Evaluated

14. VII-1..A Isolation of Reactor Protection System Non-Safety Sys-tems, Including Qualifications of Isolation Devices
15. VII-2+ Engineered Safety Features (ESF) System Control Logic and Design
16. VII-3 Systems Required for Safe Shutdown
17. VIII-3.B DC Power System Bus Voltage Monitoring and Annunciation
18. VIII-4 Electrical Penetrations of Reactor Containment
19. .IX-3 Station Service and Cooling Water Systems 20.- IX-5 Ventilation Systems
21. XV-2 Spectrum of Steam System Piping Failure Inside and Outside of Containment (PWR)
  -22. XV-7+         Reactor Coolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break i
    *This issue was resolved by.the SEP Branch prior to this evaluation.
   ** Final SER not available for analysis                                            1
    +These issues, although analyzed, were completely resolved before comple-         I tion of the final report.

San Onofre 1 SEP 11 Appendix D

Vatle 4 Results of Analysis Dominant Affects Affects or Affects System core Melt Non Dominant Risk h Event /Coeone_nt_ Event / Component unavailability Risk Centributor $1onificance 

       !!! - B.A      Transients              No                 -          -             -        Low
     .III - 10.A Valves                       No                 -          -             -        Low IV - 2       Transients              No                -           -             -        Low V - 10.A Primary Leakage to Envirosuent        No                -           -            -         Low V - 11.A LOCA Outside Containment (a)CVCS                 No                -           -             -        Low (b) Longterm Nectrculation       No                -           -            -         Low (c) SIS                 Yes               -          Yes        Non-DOM      Medium V - 11.8 LOCA Outside Containment           No               N/A          -            -         Low VI - 4       Contairment Integrity             No                -           -            -         Low VI - 7.B      ESF Switchover           Yes              Yes         Yes        Non-DOM      Medium VI - 7.C.2 ECC$                        Yes             Yes          Yes        Non-DOM      Medium VI - 10.A    RPS sensors /

relays No - - - Low VII - 1.A RPS sensor channels Yes No - - Low VII - 3 ISGl$ MOVs No - - - Low VIII - 3.B DC Power Supplies Yes Yes Yes Non-DOM Medium VIII - 4 Contalment Isolation No - - - Low IX - 3 Passive Failures No - - - Low II - 5 (a)NeoctorAus111ery Butiding No - - - Low (b) Station Battery Neem Yes Yes Yes DOM High (c)480V$witchgear Noam ventilation Yes Yes to - Low { l (d) Cable Spreading Area j Ventilation Yes Yes Yes DOM High IV - 2 Offsite Consequences No - - - Low San Onofre 1 SEP 12 Appendix D

TABLE 5 Classification of Issues Importance to Risk l l Hiih . j IX - 5 Ventilation Systems 2 Medium V - ll.A ' Requirements for Isolation of High and Low Pressure Systems VI - 7.B ESF Switchover from Injection to Recirculation Mode (Automatic ECCS Realignment) VI - 7.C.2 Failure Mode Analysis ECCS VIII 3.B DC Bus Voltage Monitoring i Low III - 8.A Loose Parts Monitoring 

    -III - 10.A             Thermal.0verload Protection for Motors of Motor Operated Valves IV - 2                Reactivity Control System Including Functional Design and Protection Against Single Failure V - 10.A            Residual Heat Removal System Heat Exchanger Tube Failure V - 11.8           RHR Interlock Requirements VI - 4               Containment Isolation System VI - 10.A            Response Time Testing VII 'l.A               RPS Isolation VII - 3                Systems Required for Safe Shutdown VIII - 4                Electrical Penetrations of Reactor Containment IX - 3               Station Service and Cooling Water Systems XV - 2               Spectrum of Steam System Piping Failure Inside and Outside of Containment Resolved             -(These issues were analyzed for the draft, but completely resolved by the . time the final report was completed.)

VII - 2 Engineered Safety Features (ESF) System Control Logic and Design XV - 7 Reactor Coolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break San Onofre 1 SEP 13 Appendix D

1 m . IV. Analysis Following is the-analys'is for each topic to determine its importance .to risk, i i j 4 4. t L 6 (..- .  ? i d A s.. t

  • I

,. i 

                                                                                                                                            'l i:

I  ; 

                                                                                                                                          .I l

i l r 

                            ~

San-Onofre 1 SEP: 14 Appendix 0 

       ~

t > 

                                                                                             . . - _ _ . - _ _ ~ _ - . . . _ . _ . . . __

III-8.A Loose-Parts Monitoring and Core Barrel Vibration Monitoring

1. NRC Evaluation A loose-parts monitoring system as required by Regulatory Guide 1.133 does not' exist at San Onofre.

i

2. NRC Recomendations Install a loose-parts monitoring system to detect loose parts in the '

Reactor Coolant Pressure Boundary.

3. Systems Affected Loose parts can cause transient events by causing damage within the reactor coolant system.
4. Comments None
5. Analysis The only concern, from a risk perspective, of loose parts is that they may cause a transient which challenges the plant and its safety systems.

There is ample data on transients to show that the contribution of.this initiator to the total frequency of initiation of a transient is negligible. That is, because the historical transient rate is so high, several per reactor year, and the historical contribution to this frequency by loose parts has been negligible. Eliminating loose-parts-induced transients will have no effect on the transient frequency and no effect on risk. , l

6. Conclusions i l

1 Eliminating loose-parts-induced transients by installing a loose-parts monitoring system would have no effect on rist. We therefore rank the risk significance of this issue as low. San.Onofre 1 SEP 15 Appendix D l

III-10.A Thermal Overload Protection for Motors of Motor-Operated Valves (MOVs)

1. NRC Evaluation Thermal overload protection for MOVs should be. bypassed, under accident conditions, by ECCS signals. Also, trip set points should be set high enough to prevent spurious trips due to certain conditions such as (a) variations in the ambient temperature, (b) inaccuracies in the design of the thermal overload device, and (c) setpoint drif t. At San Onofre 1, it was found that the thermal overload device of four MOVs do not meet the above
   ' requirements.
2. NRC Recomendation Therma 1' overload protection for the above MOVs should be modified such that it is bypassed when an ECCS signal is received.
3. Systems Affected Of the four MOVs having unbypassed thermal overload devices, two (MOVs 813 & 814) are identified in the Residual Heat Removal System but they are not required to change their state during or following an accident. There-fore, it is judged that the function of these two valves are not affected by any. failure of the thermal overload protection device.

The remaining unbypassed MOVs (720 A & B) are associated with the Component Cooling Water System. Thus, failure of either of these two MOVs will affect the Component Cooling Water System (CCWS) and all the components and systems that are dependent on CCWS for heat removal. I

4. Coments The concern in this issue is that a spurious trip of a thermal overload protection device could cause a safety-related valve not to open during accident conditions, even though nothing is wrong with the valve. However, by bypassing the thermal overload protection, the danger of damaging the  ;

valve increases, and this reduces the possibility of recovering the I I 1 San Onofre 1 SEP 16 Appendix D

operability of the valve. This negative effect on system reliability will 

      -not be addressed.
5. Analysis This analysis will address the reliability of a valve both with and without thermal overload bypass. 'The failure rate per demand of a motor-operated valve can be.found in Appendix III of the Reactor Safety Study (WASH-1400) on Table III-2-1; this failure rate is AD (M0V) = 1 x 10-3/d, and is a combined f ailure rate; that is, it represents valve failure from all~ modes.- This implies that failures due to unbypassed thermal overloads are included in the f ailure rate.* Therefore, the failure rate for the MOVs with unbypassed thermal overloads is A D(MOV/NOBY) = 1 x 10-3/d In order to determine the f ailure rate of valves with their thermal overload devices bypassed, it is necessary to find out the contribution of thermal overload device failure to the valve failure rate.

The failure rate per hour of a thermal relay (common quality, ground-fixed environment) can be .found in Section 1, Nonelectronic Parts Reliabil-ity Data (NPRD-2). The failure rate is AS (TS) = 4 x 10-7/hr. i 

       *It is valid to say this since thermal overload devices are seldom, if ever, bypassed during test.

San Onofre 1 SEP 17 Appendix D

In order to determine the demand failure rate -it is necessary to have a : test interval. In WASH-1400, demand failure rate for MOVs is based on monthly testing, thus the number of hours in a month (720) will be applied to the equation -j S* j Af. l 

  ~

where T is the test interval. This equation gives 

                                       -7 AD (TR) = (4x10 /hr)(720 hr/ months) . 1,4x10-4/d
      .Thus the ~damand failure rate of a valve with the thermal overload bypassed is AD (MOV/BY) = AD (MOV/NOBY) -D A (TR) = 1.0x10-3/d - 1.4x10-4/d
                             = 8.6x10-4/d, or approximately a 14 percent decrea'se in the valve failure rate .by.

bypassing the thermal overload. As was mentioned earlier the two motor operated valves of concern, namely MOVs 720A & 7208, are associated with the Component Cooling Water System (CCWS). During normal operation,'only one' heat exchanger and one pump'are necessary to carry the designed load. This is also true for plant cooldown condition or other abnormal conditions although both heat exchangers and all three pumps are normally used to expedite heat removal. For this issue, the first configuration - where only one heat ' exchanger and one pump are required is, analyzeo. Figure III-10.A-1 shows a simplified diagram of the Component Cooling Water System. To evaluate the effect of the MOVs with and without thermal l overload bypass on the availability of the CCWS a fault tree for this system 

                                                                     ~

was developed and is shown in Figure III-10.A-2.' According to Figure III- ) 10.A-1 M0V 720A is no'rmally open, while MOV 720B is normally. closed. Thus, failure of the thermal overload protection device would not affect the operation of M0V 720A during abnormal conditions since it does not change the ' position under these circumstances. The fault tree shown in Figure San Onofre 1 SEP 18 Appendix.D

III-10.A-2 -is next quantified using the data shown in Table III-10.A-1 (WASH-1400). The unavailability of the CCWS is 1.95x105 . Removal o'f 'the thermal Loverload bypass' from MOV 720B has no noticeable effect on the unavailability of this system. s 6; Conclusion The above analysis shows that, although bypassing the thermal overload-protection device of MOV does reduce the demand failure rate of the valve, such action would not significantly change the probability of failure of the affected system. Therefore, the risk significance of this issue is ranked low. San Onofre 1 SEP 19 Appendix D

i i

s S
  • CCW SURGE H TANK M HX-D A CV-A D MV-D < MV-2A 4 de MV-1 A p4_

MOV p.g AUXIWARY 720A COOLANT 8 CV-8 SYSTEM g ' 4 X i gy.28 X 4 E MV-E 

                                                                                                                       <    ;;               >4--                                     P-8 MOV                          C         CV-C ro 7208    HX-E                4    N                           MV-2C C                                                                                             MV-1 C                         >4-P-C
                                                                                                                                       =
                                                           @                                                   Figure lit-10.A-1. SIMPLIFIED SCHEMATIC OF THE COMPONENT 3                                                                    COOLING WATER SYSTEM R

s-o

o o s INSUFFICIENT Q 

   -s FLOW TO THE AUXILIARY (D                                               COOLANT SYSTEM H

m NO FLOW NO FLOW THROUGH HEAT PIPE RUPTUR E THROUGH CCW q EXCHANGER LINES PUMP LINES O O s PR - -- i l l 

)

4 NO FLOW NO FLOW NO FLOW NO FLOW NO FLOW 

'     THROUGH LINE                  THROUGH LINE                    THROUGH LINE    THROUGH LINE THROUGH LINE D                           E                               A                B             C 1

A SilEET 2 A SHEET 3 SHEET 2 A SHEET 4 A SilEET 4 V 3 Figure lil-10.A-2. FAULT TREE FOR THE EVENT "lNSUFFICIENT FLOW TO THE AUXILIARY COOLANT SYSTEM" SHEET 1 { X i o 4

m NO FLOW 

                          $                                                                                             3         THROUGH LINE o                                                                                               \                  D 5                                                                                         SHEET 1 b

y #% MOV 702A HEAT EXCHANGER MANUAL VALVE 

                                                                                                                   . FAILS TO .                       D LARGE TUBE                        MV-D FAILS TO                       '

REMAIN OPEN LEAK REMAIN OPEN MOV720A HXD MVD ! NO FLOW 3 THROUGH LINE i A I SHEET 1 em MANUAL VALVE CHECK VALVE CCWS PUMP A MANUAL VALVE , MV-1 A FAILS TO CV-A FAILS TO DOES NOT MV-2A FAILS TO REMAIN OPEN REMAIN OPEN START REMAIN OPEN E lE ' R MV2A E MVI A CVA PA ( Figure III-10.A-2. (CONTINUED) SHEET 2

o S o 

    ?                                                 NO FLOW :

2 THROUGH LINE . H E M SHEET 1 1 e% l i i HEAT EXCHANGER MOV 7208 M ANUAL VALVE E LARGE TUBE MV E FAILS TO FAILS TO OPEN LEAK REMAIN OPEN U HXE e% MVE j l 1 MOV 720B MOV 7208 i FAILS TO OPEN FAILS TO ON DEMAND l REMAIN OPEN

g-I 1 .

i MOV720BD MOV720BR ) SHEET 3 i g

  • 15 R Figure III-10.A-2. (CONTINUED) s' o

.i i i l i . I

NO FLOW 4 THROUGH LINE SHEET 1 n i ; 

                                              -%                                              1 MANUAL VALVE          CHECK VALVE                               MANUAL VALVE MV 18 FAILS TO        CV 8 FAILS TO         CCWS PUMP B DOES NOT START        MV 28 FAILS TO REMAIN OPEN        REMAIN OPEN                                REMAIN OPEN O

MV18 OCV8 O PB O MV2B 4 

.                                          NO FLOW 5 g            THROUGH LINE SHEET 1 n

l ) 1 MANUAL VALVE CHECK VALVE MANUAL VALVE l MV 1C FAILS TO CV C FAILS TO CCWS PUMP C DOES NOT START MV 2C FAILS TO , REMAIN OPEN REMAIN OPEN REMAIN OPEN  ! ! O MV1C OCVC OPC O MV2C - l l Figure ill-10.A-2. (CONTINUED) SHEET 4 l San Onofre 1 SEP 24 Appendix D ~ . - - _ _

Table III-10 A-1 Failure Rates for Vafious Faults Shown on Figure III-10.A-2 Fault Failure Failure Fault Uneva11 ability Coments identifier Mode Rate Duration (Hours) MVIA.MV18 Manual valve fails 1.0x10-4/D - 1.0x10-4 MVIC.MVD,. to remain open MVE MV2A.' MV28,MV2C MOV7208 Motor operated 1.0x10-3/D - 1.0x10-3 Thermal overload valve does not unbypassed open on demand 8.6x10-4 Thermal overload bypassed MOV720AR, Motor operated 1.0x10-4/D - 1.0x10-4 MOV7208R valve fails to remain open CVA.CV8,CYC Check valve fails 1.0x10-4/D - 1.0x10-4 to remain open HXD HXE Heat exchanger 3.0x10-8/Hr 6570 1.gx10-4 Failure rate, large tube leak upper bound of small pipe rupture. Fault duration, every refueling. PA.P8,PC Pump does not 1.0x10-3/D - 1.0x10-3 start l PR Pipe rupture 3.0x10-9/Hr 6570 1.9x10-5 Failure rate, . upper bound of ) large pipe rupture. Fault l duration, every refueling. i t San Onofre 1 SEP 25 Appendix 0

1 IV-2 Reactivity Control Systems Including Functional Design and Protective Against Single Failures

1. NRC Evaluation General Design Criteria (GDC) 25 requires that no single f ailure of reactor protection system such as rod withdrawal would result in reactivity
    .and power increases that could exceed fuel design limits. The reactivity           'O' control system does not have to meet a single ~f ailure criteria. In San Onofre Nuclear Power Plant it was found that single failures in the reactiv-ity control system could result in malfunctions such as two banks or sub-
,    groups of control rods moving out instead one or a subgroup bank or. banks of control rod moving out inadvertently. Additionally, other malfunctions such as lack of Control rod movement upon rod withdrawal command or inadvertent rod drops were also postulated as a result of a single failure.
2. NRC Recommendations No specific recommendation was provided except that the particular events mentioned above must be considered in the evaluation of SEP Topic XV-8.
3. Systems Affected c The only system affected by this issue is the reactivity control system.
4. ' Comments l

Rod withdrawal accidents are contributors to the frequency of initiation of transients in the lightwater reactors. As long as the mitigating systems designed to mitigate the consequences of these transients function correctly, no core melt and consequently risk to the public would l result. The most important mitigating system in case of rod withdrawal l accidents that must function first is the reactor protection or scram system. I San Onofre 1 SEP 26 Appendix D

5. Analysis The only accidents of concern following a single f ailure in the reactivity control system is the rod withdrawal accidents. Other malfunctions that result in the blocking of the rod withdrawal or dropping of the rods in the core cannot lead to large reactivity insertions that l could result in a core melt accident if the reactor protection system fails.

The most important consequence of rod withdrawal accident is local power peaking in the vicinity of.the region where the rod has been withdrawn. Following this power increase various mechanisms designed to detect this 

     . localized power peaking will initiate a reactor trip. Some cladding damage in the fuel bundles that are in the vicinity of the control rods that have been withdrawn would be expected due to sudden increase in the local power production. But no fuel melting or damage is expectead in these fuel bundles. Previous comprehensive Probabilistic Risk Assessments such as WASH-1400 have shown that the most significant contribution to the risk due to operation of a fluclear Power Plant is from accidents that involve core meltdown. Consequently rod withdrawal accidents which do not lead to core meltdown are not considered risk significant.
6. Conclusion Single f ailures in the reactivity protection system do not have a significant effect on the overall risk due to the operation of the San-Onofre Nuclear Power Plant and thus are ranked low from the risk point of view.

i San Onofre 1 SEP 27 Appendix D

g. u , 

         ~

V-10.A Residual Heat Removal Heat Exchanger Tube Failures

1. NRC Evaluation' ,

The-San Onofre nuclear reactor plant does'not meet the current criteria regarding the _ monitoring of potential leaks to the environment from the pr'imary cooling ' system through the component cooling water system into the salt water cooling sy' stem.

2. 'NRC Recommendation
                          . Recommendations are un' der review by NRC.
3. ' Systems Affected The systems affected by this issue are the Primary Coolant System -the Residual Heat Removal System the Component Cooling Water System, and-the S'al t . Water System.

1 4.- Comments In the San Onofre Unit 1 the primary side of the Residual Heat Removal 

                ~ System heat exchangers (primary coolant system) is at a pressure of 70-420 psig and the secondary side (Component Cooling. Water System) is at 65-75 psig. The pressure differential allows leakage from the primary coolant The secondary side of the-system . into the - Component Cooling Water System.
                . Component Cooling heat exchangers (Salt Water Cooling. System) is at 30 psig which-is lower than the primary side. This pressure differential allows L                 . leakage from the Component Cooling Water System into tihe Salt' Water Cooling System.

l During normal plant operation there is little chance for intrusion of chloride and other detrimental impurities that would exist in the salt water system tc enter the component cooling water system. ' The salt water cooling l system cools only the component cooling water system' and it would be shut-down in ~ case 'of a component cooling water shutdown. Thus, there is also

  • i i l

San Onofre 1 SEP 28 Appendix D L - - . _ _ . _ - .. .- _. - 

                -          .-        .-                  ..           _  . . - . .  --         _ ~. ___ _ _
            ~ .                                              -

i 7 little chance of leakage of contaminants during component cooling water system shutdown. 

                  .At present a radiation monitor alerts operators to leakage from the RHR
                                                                                                              ^
        - heat exchangers. - The Component Cooling Water System has high and low level alarms on the surge tank to alert operators.to leak' age into or out of the p          system. The-component cooling water is sampled weekly during the power operation of the plant..

4

5. LAnalysis Based on previous comments' the only issue of concern is the possible leakage of primary coolant to the environment via the component cooling'and p . salt water cooling system.

, . A simplified schematic of the R'esidual Heat Removal System is presented ! ' in; Figure V-10.A-1. Figure V-10.A-2 shows a simplified fault tree for the possible leakage paths from the primary coolant system to the environment.

As.can.be seen from the fault. tree, one of the two residual heat exchangers and one of-the two component cooling. heat exchangers must fail-while the 4 -Residual Heat Removal System is in operation in order for leakage from the primary coolant system to occur. The frequency of leakage from the primary.

l coolant system to the environment.is 2(frequency of failure of residual heat exchanger) x 2(possibility of failure of component cooling heat exchanger). t- The frequency of failure of the residual heat exchangers and the l component cooling heat exchangers was calculated by using the upper bound for a small. diameter pipe break from WASH-1400. This failure rate is 3x10-8/hr. Assuming a refueling outage every 18 months and consequently  : 

       ; testing of the heat exchangers every 18 months, the frequency of failure of

~ the heat-exchanger-is calculated from the relationship AT/2. In this i relationship, A is the failure rate of the component and T is the time between tests. Based on this, the frequency of f ailure of the heat l- exchanger is 1.3x10-4/yr. i , San Onofre I SEP 29 Appendix 0

Thus, the frequency of leakage from the primary coolant system to the environment through the Residual Heat Removal System, Component Cooling Water System, and Salt Water Cooling System is conservatively calculated to be i 2(1.3x10-4/yr) x 2(1.3x10-4) or 6.8x10-8/yr. Considering the low frequency of this event and the relatively low importance of the consequences of this leakage compared to the consequences of a core melt accident, it is clear that this event should not contribute significantly to the overall risk of the plant.

6. Conclusions The frequency of a leakage from the primary coolant system to the environment was conservatively calculated to be 6.8x10-8/yr. Considering the consequences of a leakage and the consequences of a core melt accident, it is clear that this event does not have a signific' ant effect on the overall risk due to operation of this plant. Thus, we rank the risk signif-icance of this issue as low.

l 4 San Onofre 1 SEP 30 Appendix D

l l I i i l HX 3 ~ HX-1 SWCS c  : HX 4 H X-2 l L SWCS o o RESIDUAL HEAT REMOVAL COMPONENT COOLING _ [ i SYSTEM SYSTEM l U U e [ 

                                                                                                                          =

COMPONENT COOLING PUMP SYSTEM RCL: REACTOR COOLANT LETDOWN l Figure V-10.A-1. SIMPLIFIED SCHEMAT1.C OF RESIDUAL HEAT REMOVAL SYSTEM, COMPONENT COOLING SYSTEM AND SALT WATER SYSTEM San Onofre 1 SEP 31 Appendix 0

s o

S LEAKAGE FROM Q PRIMARY COOLANT o SYSTEM TO g ENVIRONMENT h l FAllURE OF , COMPONENT FAILURE OF COOUNG HEAT RESIDUAL HEAT EXCHANGERS EXCHANGERS 

                                                                                                                                            +                                                                +

to 

                ~                                                                                                                        em                                                              em FAILURE OF                                                     FAILURE OF                            FAILURE OF                            FAILURE OF COMPONENT                                                           COMPONENT                           RESIDUAL HEAT                          RESIDUAL HEAT COOUNG HEAT                                                                COOUNG HEAT                           EXCHANGER #1                          EXCHANGER #2 EXCHANGER #1                                                                  EXCHANGER #2 E

IS R Figure V-10.A-2. FAULT TREE FOR THE EVENT " LEAKAGE FROM PRIMARY E COOLANT SYSTEM TO ENVIRONMENT" o

k V-ll.A Requirements for. Isolation of High and Low Pressure Systems 

                                                                                                                 . 1
11. NRC Evaluation -

At San Onofre Unit 1 there are three systems connected to the reactor coolant system (RCS)- that have a lower design pressure rating than the RCS.- These three systems ,are the residual heat removal system (RHRS), the- safety injection system (SIS) and the chemical and volume control system (CVCS). 

          . For.these systems the following conditions do not meet current criteria regarding isolation of. low pressure systems.
1. None of the RHR system isolation valves automatically close if. RCS pressure increases above RHR system design pressure, and the outboard isolation valves have no pressure-related interlocks as
r. 11 red '.sy- Branch Technical Position (BTP) RSB-5-1. The inter 1r,eks for the inboard isolation valve's are neither diverse nor independent.
                  ;2. .The' safety.. injection system and long-term recirculation system motor-operated isolation valves have no pressure-related interlocks required by Standard-Review Plant (SRP) 6.3.
3. The chemical and volume control system isolation valves have no pressure-related interlocks as required by BTP EICSB-3.
2. .NRC Recommendation Modification of the RHR system is not necessary until the low temperature overpressurization protection review is completed. The SIS and long-term recirculation system motor-operated isolation valves should be modified to satisfy the review criteria of SRP 6.3 or an. acceptable check valve test program should be implemented. The modification is recommended due to the severe consequences of a LOCA outside the containment.

The CVCS discharge isolation valves should be modified to satisfy BTP EICSP-3 or a redundant relief valve should be installed or demonstrate that a break in this line will not violate 10 CF.R 100 limits. San Onofre 1 SEP 33 Appendix D

MW .

3. Systems Affected ,

The systems affected by this issue are the safety injection system (SIS), the long-term recirculation system, and the chemical and volume 

        . control system (CVCS).
4. Comments l

1 

              .The adequacy of the overpressurization protection on the safety                                                             !

injection system, the long-term recirculation system, and the chemical and I volume control system will be evaluated in this issue. The RHRS interlock requirements are addressed in topic V-ll.B. m

5. Analysis Figure V-11.A-l_ shows. the simplified schematic of the CVCS during normal operation'. The concern about the discharge line of the CVCS is that given reverse flow past the check valves, if the CVCS pumps are not running the low pressure piping of the CVCS could be exposed to the high pressure reactor coolant and a LOCA outside containment might occur. To find the probability of this scenario a simplified fault tree for the event " Reverse Leakage of RCS to the Charging 1 Pumps" was developed and is shown in Figure V-11.A-2. This fault tree was next quantified using the data shown in Table V-ll.A-1. .The probability of reverse leakage and initiation of a LOCA based on the assumptions given in Table V-11.A-1 is 9.4x10-7 The safety injection system (SIS) consists of two loops which draw water from Refueling Water Storage Tank (RWST) and inject to all three cold legs through a common header. Figure V-ll.A-3.shows a simplified schematic of this system. The concern in this case again, is possibility of reverse leakage past the feedwater pumps.

For a leakage path to exist in the safety injection system one of the motor operated valves must be open along with the failure of one check valve on the same injection line since the piping after MOV's is only qualified for 1900 psi of pressure. San Onofre 1 SEP 34 Appendix D

The inadvertent opening of any of the three motor operated valves during normal operation is an extremely unlikely event. A more credible scenario consists of opening of these valves during refueling for tests and the human error in failing to close them after the reactor is taken back to power. The frequency of this event is less than one per year since refueling at San Onofre is performed approximately every 18 months. But for the present calculations this frequency is conservatively assumed to be one per year. I 1 The probability of initiation of a LOCA due to this scenario can be represented as: F HE - (CV4 + CV5 + CV6) where F = frequency of initiation of the ca.enario (once a year) HE = human error in failure to close the MOVs CV4 = injection line check valve failure probability CV5 = injection line check valve failure probability CV6 = injection line check' valve failure probability Using the data shown in Table V-11.A-1, the probability of reverse leakage and possible LOCA outside the containment in this case is 1.7x10-5/ year. To reduce this frequency of initiation of a possible LOCA, two improvements to the system can be suggested. The first improvement is to add a pressure interlock to the MOV's. In this case if after refueling these MOV's are left open and the reactor is brought to power, the increase in coolant i pressure would automatically result in closure of the M0V's before the pressure is too high to damage the system. Based on a pressure sensor f ailure probability of 2.7x10-7 per hour (WASH-1400) and testing of the pressure sensor in every refueling outage, i.e., an exposure time of 6570 hours, the probability of failure of the pressure senscr is 1.7x10-3 This i reduces the frequency of a possible LOCA outside containment to 2.8x10-8 per l year. An alternative to this modification is to try to reduce the l probability of human error in leaving the MOV's open. This can be done by l requiring a separate person to check the position of the MOV's using a written checklist before the reactor is taken back to power. In this case, the probability of failure to detect the original error can conservatively San Onofre 1 SEP 35 Appendix D l I

be assumed to be 0.1 (NUREG/CR-1278, Table 20-9). This reduces the fre-quency of initiation of a LOCA outside containment to 1.7x10-6 per year. For the long term recirculation system, leakage past the check valves on the charging side of the charging pumps designated as CV9 and CV10 and shown in Figure V-11.A-4 is the top event analyzed. The initiation of this scenario is similar to the last case except that in this case there are two sets of motor operated valves, namely MOV 356, 357, 358 and MOV 18, 19 that must be left open after test during refueling. Assuming the tests on the two sets of MOVs are performed separately, the probability of initiation of a LOCA due to thir scenario can be represented as: F HE1 HE2 - (CV9 + CV10) where F = frequency of initiation of the scenario (once a year) HE1 = human error in failure to close the first set of MOVs HE2 = human error in failure to close the second set of MOVs CV9 = check valve failure probability CV10 = check valve failure probability Using the data shown in Table V-11.A-1, the probability of reverse leakage in this case is 7.0x10-7/ year.

6. Conclusions The probability of initiation of a LOCA leading to a core meltdown due to reverse leakage in the CVCS, SIS and long term recirculation system was analyzed. For the CVCS and long-term recirculation system the probability of this event is 9.4x10-7 and 7.0x10-7 per year respectively. This proba-bility for the SIS is 1.7x10-5 To reduce the frequency of reverse leakage in the SIS, two modifications were analyzed. The first one consists of addition of a pressure interlock to the MOV's. This will reduce the frequency of reverse leakage to 2.8x10-8 per year. An alternative to this 1 is to add a written procedure for the checking of the status of these M0V's l

San Onofre 1 SEP 36 Appendix D

before the reactor is taken back to power. .This will reduce the frequency of the reverse leakage to 1.7x10-6 per year. Considering the very con-servative assumptions used in defining the scenarios for these calculations j and the low frequency of the results, the probability of a core melt acci-dent due to the reverse leakage in the CVCS and long-term recirculation 

  ' systems does not contribute significantly to the overall risk due to opera-l   tion of this plant and thus are ranked low from a risk point of view. In case of SIS, the current configuration results in a relatively high frequency of-initiation of a LOCA outside containment. Thus, the importance of the SIS reverse leakage is ranked medium with respect to the risk associated with the operation of this plant.

l 1 l l L h San Onofre 1 SEP 37 Appendix D 

 $                                                                                O O                                                                                0 l                           I u    :         >4--I   :                      .

9 l'l H A: >c M1 i 

                                                                                                          ,  n           =

s toorA m 

                                                                          -1 ll l-L:          INSIDE I

OUTSIDE CONTAINMENT CONTAINMENT l 

                                                                    .6 If I                                             l O                                       M
                 @                                                                                  >3 g                 CV1 A01 VOLUME REGENERATIVE                                                         I                  I HEAT EXCHANGER                                 I                                  CONTROLTANK i ,

l 

                                                                                                 '                                             l l                                                                                                 l
                                                                                                        -             a CV2 m         -

CHARGING PUMPS g 

                                                                                                        +             w CV3 q)         +

E a E Figure V-11.A-1. SIMPLIFIED SCHEMATIC OF THE CHEMICAL AND VOLUME o CONTROL SYSTEM (CVCS) DURING NORMAL OPERATION

a

o REVERSE s saaraGE

' 3 OF RCS TO THE S CHARGING PUMPS 2 

       -                                                                                                               F3 l

i n; 

       ~

i l ' l I FAILURE OF REVERSE FLOW , I CV2 OR CV3 TO CHECK VALVES CV2 AND CV3 4 T T 1 I  : t a CHECK VALVE CHECK VALVE AIR OPERATED CHECK VALVE Cv2 ALLOWS CV3 ALLOWS VALVE A01 CV1 ALLOWS 4 REVERSE FLOW REVERSE FLOW NOT CLOSSED REVERSE FLOW t i O O A O CV2 CV3 CV1 I I i AIR OPERATED OPERATOR EMR i VALVE A01 NOT CLOSING FAILS TO CLOSE A01 

        -$                                                                                                                        AOV O

OPE i

'a .

I s' Figure V-11.A-2. FAULT TREE FOR THE EVENT " REVERSE LEAKAGE OF j o RCS TO THE CHARGING PUMPS" l 1

o 

  @                                                                                                INSIDE                   l           OUTSIDE
  %                                                                                             CONTAINMENT                  '

CONTAINMENT 

  ;;                                                                                                                        I u                                                                                                                         l
  • 8 i O CO EG MO 1 HV1 W TER m ! STORAGE TANK LOOP 3 I SAFETY (RWST)

COLD LEG ?O ' FEEDWATER INJECTION - CVs MOV2 PUMPS PUMPS 

                                                                                                                            !                                                                                                                          l h                        HV COLD LEG
                                            '                                                                           ?4                    M                                         W
  $                                                                                               CV6       MOV3            ,                HV2  CVS
                                                                                                                            .I
                                                                                                                            .l l

l l i 2 E Figure V-11.A-3. SIMPLIFIED SCHEMATIC OF THE {2 SAFETY INJECTION SYSTEM o

4 o S REFUEL-4 Q m ING WATER H STORAGE vi TANK Q l (RWST) FCV 883 LOOP C m 1 CPI COLD LEG MOV368 1115F ' MOV18 U8 I V 11 M u MV1 m LOOPa I CHARGING COLD LEG 'm "' pumps /' MOV357 1115E , , CV2 MV2 { Ou  :: MOV19 I i d m 

   .=

LOOP A mL l y LCV COLD LEG 4 -- CV10 CP2 11 D 

;                          MOV356             1115D
                                           'l                  m u     MOV     u        MOV sesA             8668                      RECIRCULATION
                                                           "'^**""""'"

Cvs .Cvs l SP1 v SP2 i CONTAINMENT SUMP 

  -E j  A                               Figure V-11.A-4. SIMPLIFIED SCHEMATIC OF THE LONG TERM
  $                                                 CORE COOLING SYSTEM o

E a 

    ?
     ,,                                                              Table V-11.A-1     Failure Rates for Various Faults Shown on Figure V-11.A-2 m

9 Fault Failure Failure Fault Unavailability Conunents Identifier Mode Rate Duration CV1, CV4, Check Valve 3.0x10-7/Hr 6570 Hrs 1.9x10-3 Checked every CVS,.CV6 Reverse refueling CV2,'CV3, CV7, Leakage 3.0x10-7/Hr 15 Years 3.9x10-2 Never checked R CV8, CV9, for reverse CV10 flow A0V Air operated 8.3x10-7/Hr 6570 Hrs 5.4x10-3 Checked every valve fails to refueling close OPE Operator error - - 1.0x10-3 NUREG/CR 1278, to close A0V Table 10-2 HE, HEl, Human error 3.0x10-3 NUREG/CR 1278, 

   .g           HE2                                           Close MOVs after                                                 Table 20-20 lE                                                         test x

q I 

                 'V-11.8             RHR, Interlock Requirements' 4                  2 1         NRC Evaluation The current design of the Residual Heat Removal System.(RHRS) at San
                 .Onofre includes two motor operated valves (MOVs) on the suction and two on

[ .the discharge side to isolate the RHRS from the main coolant' system. The two MOVs c'osest to the reactor coolant system (RCS) have pressure 

                  ' interlocks to prevent them from opening if the RCS pressure is above RHRS design pressure. However, both valves use the same pressure sensor. The
. 'other MOVs do not have any pressure interlocks. This configuration does not
                                          ~

comply with the NRC's requirement of diverse and independent pressure inter-locks for isolation of the RHRS and main coolant system.

2. NRC Reconsnendation
                      ~

No modifications to the RHRS interlock mechanism are recommended until ! .the low temperature overpressurization protection review (USI-A-26) is . completed.'

3. . Systems Affected Only the residual heat removal (RHR) system is affected by this issue.
                                                                ,                                                                                           l
                                                                                                                                                            ?
4. Consnents -

i 

                             -None
5. Analysis-The' scenario of most concern is the cooldown from hot shutdown to cold.

shutdown and initiation-of residual heat removal system operation. If the MOVs connecting the main coolant system and RHRS are opened at a pressure 

                - which is considerably higher than the design pressure of the RHRS, possibility of~ damage to the RHRS piping and components and initiation of a LOCA ~would exist. The first event in the sequence of events that could lead                                                               !

to the above scenario for LOCA is an error by the shift supervisor in opening the MOVs much above the design pressure of the RHRS. Based on 4 

      - San Onofre 1 SEP                                          43                                           Appendix D 4

y ..- - - - - .- ,......w_.. , - ,e ,. ~4 ,.h-.-,,.,#-,,- ,. ,, .y-,..y, , , ._,--,n,,.--..my - . - . _ - - - , - , , , 

. Handbook of Human Reliability (NUREG/CR 1278) an error of commission similar to this action has a probability of 3.0x10-3, Af ter initiation of the accident there are several indicators in the control room to help the operator . realize a LOCA has occurred. At this point-his corrective actions would include isolation of the MOVs if possible and initiation of the low pressure injection system to make up for any lost fluid.- Since the reactor is shutdown and only decay heat is being removed there is a. reasonable amount of time, on the order of 30 minutes or so, for the operator to
- recover his. error before any substantial core damage would occur. In the
. Interim Reliability Evaluation Program (IREP), the failure of the operator to recover from an error resulting in an accident when he has in the order of 30 minutes to one hour was estimated to be 3x10-2, Based on WASH-1400 data, the frequency of failure of pressure sensors is 2.7x10-7 per hour. Assuming an annual refueling and consequently annual testing of the pressure sensor, the pressure sensor u'navailability is calculated from the relationship AT/2.            In this relationship A is the f ailure rate of the component and T is the time between tests. Based on this, the unavailability of the pressure sensor is 1.4x10-3 Thus failure of the RHRS isolation in this case becomes the probability of an error of commission (3x10-3) times the unavailability of the pressure sensor (1.4x10-3) leading to a LOCA frequency of 4.2x10-6/yr. The core melt frequency in this case would be equal to (4.2x10-6) x (3x10-2) .

1.2x10-7/yr. An alternative is to use two independent pressure sensors, one for the upstream RHR's MOVs and one for the downstream RHR's MOVs. This entirely eliminates the human action. The failure of the RHRS isolation in this case becomes the algebraic product of the unavailabilities (1.4x10-3) of the pressure sensors leading to a LOCA frequency of 1.9x10-6/yr. The- ' core melt fequency in this case would be equal to (1.9x10-6) x (3x10-2) = 5.7x10-8/yr. Since no PRA has been performed for San Onofre, the exact core , melt probability of this plant is not known. Probabilistic risk assessments ' performed on similar PWRs in the IREP, RSSMAP and WASH-1400 have shown that the core melt frequency for a typical PWR ranges from 3x10-5 to 2x10-4 Thus, the contribution of the core melt frequency of 1.2x10-7 to these values is judged to be very small. San Onofre 1 SEP 44 Appendix 0

6. . Conclusion The-current procedure for initiating of the residual heat removal system, ' consisting of opening of two M0V's with preventive pressure sensors from control room and two other MOVs with administrative control results -in the possibility of core melt on the order of 1.2x10-7/yr. The independent diverse pressure interlocks echanism reduces this ; >ssibility of core melt to L 5.7x10-8/yr. Since the cor.vibution of these fre tuencies to the overall core melt frequency is judged to be small, no chan jes in the RHR interlock system seem to be necessary. Thus, we rank the r sk significance of this issue as low.

d 

  - San Onofre 1 SEP                         45                                         Appendix D

l VI-4 Containment Isolation System

1. -NRC Evaluation 1

Many of the San Onofre containment penetrations currently do not meet i NRC's current General Design Criteria. Table VI-4-1 lists these pene- 

     'trations and their areas of non-compliance.
2. NRC Reconnendation Change penetration configurations to meet the General Design Criteria (GDC).

3.- Systems Affected The ability of the containment penetrations to isolate and insure containment integrity is affected by the configurations of the penetrations.

4. Comments The containment penetrations were analyzed, those found not in compliance categorized depending on the particular configuration of the penetration. The unavailabilities of the containment penetrations were calculated using the available information which did not include any details on the isolation valves. Therefore, the results presented are not intended as a definitive analysis, but instead are meant for comparison purposes only, i 5. Analysis i

1 There are five cases where the particular configuration of the l containment penetration does not conform to the General Design Criteria. , The five cases are characteristic of penetrations which have an identical configuration and therefore are treated collectively. In the first case two penetrations are described, while others are characteristic of from one

to two penetrations each.

I l San Onofre 1 SEP 46 Appendix 0

I l Each penetration case is drawn in both the "before" and "after" config-urations in regard to their meeting the GDC. As mentioned previously, detailed information on the valves used for containment isolation was not available; therefore, the analysis does not consider either control or motive power or isolation signals received by the valves. Valves outside l l- containment are assumed to be checked monthly, resulting in a f ault exposure time for most events of 360 hours. Those components inside containment are assumed to be checked yearly and therefore are given a fault exposure time  ! of 4,380 hours, l Only those penetrations four inches or larger in diameter are I considered significant in terms of possible containment leakage (see WASH- l 1400, Appendix II, Section 5.12).

6. Conclusions i The results of the analysis of the current and NRC recommended config-urations for various containment penetrations show that the failure probability of the existing configuration is very low. Typically the failure probability of containment isolation is in the order of 10-3 (WASH-1400). The modest changes shown in this analysis have a very small effect on the failure probability of the containment isolation. Thus, no changes in the containment isolation configuration seem to be necessary. From the risk point of view this issue is ranked low.
                                                                                                  .l l

l i l San Onofre 1 SEP 47 Appendix 0

1 Case I: Applies to penetration #A-1A, A-lC Present configuration FLOW CONTROL I VALVE CLOSED SYS. Q

1. C. PPA ppg OPEN SYS.

O.C. NV1 GDC Required Configuration AUTO M PPB PPA MV1 The boolean equations which describe these configurations are as follows: Before: PPA * (PPB + NV1) After: PPA * (PPB + MV1) Using the failure rates presented in Table VI-4-3, the following unavail-abilities were calculated. Case 1 before: 4.4E-7 * (3.6E-8 + IE-1) = 4.4E-8 Case 1 after: 4.4E-7 * (3.6E-8 + IE-3) = 4.4E-10 i l l l l i San Onofre 1 SEP 48 Appendix D l l

Case II: Applies to penetration #A-1B, A-lD Present Configuration MANUAL CLOSED SYS. PPA OPEN SYS. O.C. l.C. GDC Required Configuration g CLOSE 5 PPA PPB Mv1 The boolean equations which describe these configurations are as follows: Before: PPA After: PPA * (PPB + MV1) Using the failure rates presented in Table VI-4-3, the following unavail-abilities were calculated. Case II before: 4.4E-7 Case II after: 4.4E-7 * (3.6E-8 + lE-3) = 4.4E-10 1 San Onofre 1 SEP 49 Appendix D 

                                                                                      . . - - . ~ . - . . -   -- l

l Case III Applies to penetration fA-9A resent configuration: R.M. O CLOSED SYS. PPB 1.C.BUT PPA %A OPEN SYS. p% 0.C. NOT ESF NV1 GDC required configuration AUTO CLOSE 1 PPA PPB NV2 The boolean equations which describe these configurations are as follows: Before: PPA * (PPB + NV1) After: PPA * (PPB + NV2) Using the failure rates presented in Table VI-4-3, the following unavail-abilities were calculated. Case III before: 4.4E-7 * (3.6E-8 + IE-1) = 4.4E-8 i Case III after: 4.4E-7 * (3.6E-8 + 3E-4) = 1.3E-10 San Onofre 1 SEP 50 Appendix D

Case IV Applies to penetrations #A-98, A-14 Present configuration: j REMOTE MANUAL OPEN SYS. 1.C.BUT ppg ppe OPEN SYS, NOT ESF VN O.C. SYS. NV1 GDC required configuration: AUTO CLOSE O PPA PPA 1 PPB CV1 NV2 The boolean equations which describe these configurations are as follows: Before: PPA * (PPB + NV1) After: PPA * (MV1 + PPA) * (PPB + NV2) Using the failure rates preented in Table VI-4-3, the following unavail-abilities were calculated. Case IV before: 4.4E-7 * (3.6E-8 + IE-1) = 4.4E-8 Case IV after: 4.4E-7 * (IE-3 + 4.4E-7) * (3.6E-8 + 3E-4) = 1.3E-13 Case V Applies to penetration fB-18A San Onofre 1 SEP , 51 Appendix 0

1 l Present configuration: O R.M. OPEN k J SYS. O.C. V3 NV3 O R.M. PPA L J PPB VM NV4 CV2 1 C R.M. L. O . g j V3 NVS l l CV3 kJ V3 V1 GDC required configuration: C R.M. L J VM NV3 R.M. O R.M. PPA A J PP8 MV2 l C R.M. @ R.M. f L J Vi NV5 

                                             )(

MV3 i V1 LJ j VM San Onofre 1 SEP 52 i Appendix 0

The boolean equations which describe these configurations are as follows: Before:- (NV3 + NV4 + NV5 + V1 + PPA) * (PPB + CV2 + CV3) After: (NV3 + NV4 + NV5 + VI + PPA) * (PPB + MV2'+ MV3) Using the failure rates presented in Table VI-4-3, the following unavail-abilities were calculated. Case V before: (IE-2 + 1E-2 + IE-2 + IE-2 + 4.4E-7) * (3.6E-8 + 1.1E-4 + 1.1E-4) = 8.8E-6 Case V after: (IE-2 + IE-2 + IE-2 + 1E-2 + 4.4E-7) * (3.6E-8 + IE-1 + IE-1) = 8E-3 1 4 

                                                           .a-San Onofre 1 SEP                          53                          Appendix 0

TABLE VI-4-1 Penetration # Deficiency A-1A A 

             'A-lC                                             A A-1B                                             A A-ID                                             A A-9A                                             A,B A-98                                             A,E A-14                                             A,B B-18A                                            A NOTES:

A. Valve type: deviates by not having an automatic isolation valve outside containment. B. Valve number: deviates by'not having an isolation valve inside containment. i i i San Onofre 1 SEP 54 Appendix D

o

?

l TA8LE VI-4-2 Penetration # Unavailability Present GDC Configuration Required A-1A 4.4E-8 4.4E-10 A-1C 4.4E-8 4.4E-10 A-18 4.4E-7 4.4E-10 A-1D 4.4E-7 4.4E-10 A-9A 4.4E-8 3E-7 A-98 4.4E-8 3E-7 A-14 4.4E-8 3E-7 8-18A 8.8E-6 8E-3 l l l San Onofre 1 SEP 55 Appendix D w_. - - _ - - _ = _ _ _ _ _ _ - _ - _ _ __l

o TA8LE VI-4-3 FAULT SIM1ARY Fault Event Sub Event Failure Exposure Sub Event Total Name Description Rate Time Unavailability Unavailability ppg Pipe Rupture IE-10/hr 4.4E+3 hrs 4.4E-7 4.4E-7 PPB Pipe Rupture 1E-10/hr 360 hrs 3.6E-8 3.6E-8 (0.C.) NV1 Rupture 1E-8/hr 360 hrs 3.6E-6 (A0V.NOFO. manual Falls to operate 3E-4/ demand 3E-4 close) Operator fails IE-1/ demand IE-1 1E-1 to act MV1 Rupture 1E-8/hr 360 hrs 3.6E-6 (MOV. NOF0 auto close) Fails to close 1E-3/ demand IE 3 IE-3 CV1 Internal leakage 3E-7/hr 4.4E+3 hrs 1.3E-3 (check valve) Rupture 1E-8/hr 4.4E+3 hrs 4.4E-5 1.3E-3 NV2 Rupture 1E-8/hr 360 hrs 3.6E-6 (A0V.NOFO. auto close) Falls to operate 3E-4/ demand 3E-4 3E-4 NV3.NV4.NV5 Rupture 1E-8/hr 4.4E+3 hrs 4.4E-5 (A0V.NCFO. manual) Fail to restore 1E-2 1E-2 1E 2 after T or M V1 Rupture 1E-8/hr 4.4E+3 hrs 4.4E-5 (manual valve NCFO) Fail to restore 1E 2 1E-2 1E-2 after T or M i CV2.CV3 Internal leakage 3E-7/hr 360 hrs 1.1E-4 l (check valve) l Rupture IE-8/hr 360 hrs 3.6/E-6 1.1E-4 t ! MV2.MV3 Rupture 1E-8/hr 360 hrs 3.6E-6 (MOV.NOFO. sanualclose) Fatts to operate 1E-3/ demand 1E-3 Operator fails 1E-1/ demand 1E 1 1E-1 to act NOTES: [ Donand probabilities are based on presence of proper input control signals. Auto isolation valves are assmed to move to position of greater safety on loss of power. Fault esposure time ass ees monthly checking of components outside containment and yearly checking for those components inside containment. San Onofre 1 SEP 56 Appendix D

VI-7.B ESF Switchover From Injection To Recirculation

1. NRC Evaluation The current procedure for switchover from injection mode to recircula-tion mode at San Onofre Nuclear Power Plant consists of manual switchover of the pumps from the injection source, namely the Refueling Water Storage Tank (RWST) to the . recirculation source, -namely the containment sump. Current NRC guideline indicates that automatic switchover is preferable to manual switchover. But in case of manual switchover, the guideline indicates that there should be sufficient time (20 minutes) available to the operator to perform the switchover tasks. Currently the operator is instructed to
 -initiate the switchover from injection to recirculation when the RWST level has dropped to 12% (32,472 gallons). This switchover action must be completed before the RWST level drops to below 7% (18,644_ gallons) so that no damage to the pumps would occur. The time between 12% and 7% RWST level which is essentially .the time available to the operator for switchover is between 5.8 to 10 minutes depending on the assumed flow rates. Addition-ally, there is only one pneumatic level indicator that would provide information on the RWST water level. A second level switch also exists which only initiates an alarm once the RWST level has dropped to 21%. Thus, given the lack of redundancy in level indication and shorter than recommended period time for manual switchover to recirculation, there is a possibility of failure to perform the switchover tasks before the RWST water level has dropped so low that pump damage might occur.
2. NRC Recomendation Because the time available to the operator to perform the manual switchover tasks is shorter than the guidelines' recommended time, addition of an automatic mechanism for the switchover from injection to recirculation was recoronended.
3. Systems Affected The Emergency Core Cooling Recirculation System, including the charging pumps which are part of the long term recirculation system, is the system affected by this issue.

San Onofre 1 SEP 57 Appendix D ________-__-_-__A

4. Connents None
5. Analysis The main concern in this issue is related to a scenario where a large break LOCA has occurred and the safety injection, feedwater, refueling water and charging pumps have started to deliver water from RWST to the core. The combined maximum flow rate of these pumps is 22,405 gpm. Based on a RWST volume of 241,172, it takes about 8 minutes to reach the RWST low-level which is at 21% of the RWST volume. At this point an alarm will sound and the safety injection pumps and feedwater pumps are tripped by the operator and charging pumps are realigned to pump water through safety injection lines. Figure VI-7.B.1 shows the simplified schematic of the Emergency Core Cooling Injection system. Figure VI-7.B.2 shows the simplified schematic of the Emergency Core Cooling Injection at reduced flow and Emergency Core Cooling Recirculation. Note that at reduced flow the charging and refueling pumps continue to draw water from RWST. Once the RWST level drops to 12%

the operator is instructed to initiate recirculation flow to the core from the sump. Depending on the flow rate it takes anywhere between 6 minutes to 10 minutes until the RWST level has dropped to 7%, below which possible 

  . damage to the pumps might occur. During this whole period there is only one level indicator that would provide information to the operator on when the switchover should be initiated.

A f ault tree for the event " Failure of the Emergency Core Cooling Recirculation system" was developed and is shown in Figure VI-7.B-3. The contribution of various faults to the top event in this fault tree can be divided into f aults under " Failure to Switchover to Recirculation Mode" (see Sheet 1 of the fault tree) E "Other Faults" such as mechanical, electrical or other failures that reult in failure of the system to deliver sufficient water to the core. To quantify this tree, failure rates for various faults shown on the f ault tree were calculated and are shown in Table VI-7.B-1. The data in this table are from WASH-1400 and IEE-Std-500. The " Top Event" (TE) can be written as l San Onofre 1 SEP 58 Appendix D

l TE =.(Failure to.Switchover to Recirculation Mode) + 

                .(Other Faults)'                                                               .i The failure to switchover to recirculation mode can' further be broken down as is shown in the fault tree:

l TE = [ Operator Error in Reading the Level Indicator (OPE 1)) + [ Operator. Error in Performing Switchover Tasks (OPE 2)) + [ Failure of the RWST Level Indicator (LI)) + (Other Faults) After quantifying the fault tree the results are: , TE = OPE 1 + OPE 2 + 2.2x10-2 + 1.2x10-4 The operator error of commission in reading a recorder (OPE 1) is 1.0x10-4 based on existence of an annunciator (NUREG/CR-1278). The operator error of omission when using a written procedure (OPE 2) with a long list.(greater than 10) of tasks is 3.0x10-3. (NUREG/CR-1278). Thus the total probability of f ailure of the recirculation system is 2.5x10-2 Note that the single f ailure of the water level indicator has the biggest contribution to this failure. Now let us look at two alternatives. First a case where redundant, annunciated RWST level indicators are installed, i.e., a second level indicator is added to the present design of the system. In this case, because of the redundance in the water level indicators,- the failure rate of l 1evel indicators reduces to 4.8x10-4 This reduces the Top Event probability to 3.7x10-3, which is a f actor of 7 smaller than the original value. The second case of interest is the automatic switchover. In this case it can be assumed that the probability of operator errors OPE 1 and OPE 2 would go to zero. Because of addition of the automatic switchover mechanism, there should be a contribution to the Top Event due to failure of this ' mechanism. Let us' assume that this contribution is negligible. Based ) on these assumptions the lowest f ailure probability for the Top Event in this case would be 6.0x10-4, which is a f actor of 6 smaller than the case San Onofre 1 SEP 59 Appendix D i 

      .with redundant level indicators but manual switchover.                                                 It is important to note that an automatic switchover mechanism has a general drawback of possi-bility of an inadvertent switchover before there is sufficient water in the sump. This action could result in the possible pump cavitation and damage.

Let us now look at the frequency of core melt due to initiation of a  ! large LOCA and failure of the recirculation system. The frequency of initiation of a large LOCA is 1.0x10-4/ year (WASH-1400). Thus, the core 

     . melt frequency based on initiation of a large LOCA and failure of the recirculation system is 2.5x10-6/ year for the current San Onofre design.

This core melt frequency reduces to 3.7x10-7/ year for the case with redundant annunciated RWST level indicators but with manual switchover. The core melt frequency for the case of automatic switchover is' further reduced to 6.0x10-8/ year. Since no probabilistic risk assessment has been performed for San Onofre, the exact core melt frequency of this plant is not known. But previous PRAs for similar PWRs in the IREP, RSSMAP and reactor safety study have shown that the overall core melt frequency is in the range of 3x10-5 to 2x10-4 Thus, the core melt frequency due to failure of the switchover from injection to recirculation in the current San Onofre design 

    . would have a moderate contribution to the overall core me'lt frequency. The improvement in this frequency of a factor of 7 due to addition of redundant annunciated RWST water level indicators is sufficient to make the contribution of this event to the total core melt frequency fairly small.

Obviously an automatic switchover mechanism reduces this core melt contribution even further.

6. Conclusions The frequency of core melt due to a large LOCA and failure of the ECCS recirculation system in the current design of the San Onofre Nuclear Power Plant has a moderate effect on the overall core melt frequency. A factor of 7 decrease in this core melt frequency can be realized if a set of redundant 1

annunciated RWST level indicators are installed. Further reduction in core ' melt frequency can be realized by installing an automatic switchover l mechanism. The core melt frequency in the case where a set of redundant annunciated RWST level indicators have been installed is small enough that the change to an automatic switchover system does not seem to be necessary. The overall risk significance of this issue is ranked medium. San Onofre 1 SEP 60 Appendix 0

3 o M
!   C = r. =
$ :4 '

y e "grE TA8 set m" OM fRWST1 o COLD LEO 4 C FEEDWATER 18d CTIOes - -- N Pua8PS M X COLD LEO CV TO IDEACTOR _ mm ftEFUELI800 CAWITY ' CV m 

~  '**"""'

S,R , SYSTEM 

                =                      i in m
                                    -lit-
   '* 7.R7"' ;

SYSTEM 

                                       ;f:                                            Q REFUELIDIG A                       WATER PUt4PS N                                                           l l
    'c ol g ^ e           W               -po-        '"EMY V'             1 REGEteERATIVE HEAT ENCHANGER
                                                  '            3 g                                                       'U E

a t' E Figure VI-7.5-1. SIMPLIFIED SCHEMATIC OF THE EMERGENCY CORE c3 COOLING INJECTION SYSTEM

i SN5 TOE dol &OE 3 CONI AaNMENT CONI AINME N T - TO RE AC10A 3 cv557 O' Re sutuNo : >< g -- REputtsNG o, CAvtTY g M - 3 

                                                                                  -{Cv518 WATE R STORAGE ggg, O     TO SPHERE                                    g v,
,= -

u , e u - T, m Ref uf tlNG T WAIER PUMPS cvue I e-x= l LOOP C . lrev CPt _ coto tEG ~ 

                                   ,on,,           = , y ,,                                  i m

cva LCv Mv1 11004 g C14ARGANG l ROOP5 . a PUMPS I g CD'D LEG - uonsi nisE Mov's M MV2 u cv2 I 

                                       "                             ~          ~
                                                                                             /,                                          tcv Movis iOOP A                                             _                                 cv.                                       nooo CMD REG _

ubcss M 150 I i M 

                               ,         MOv u                           sees                                 nacincutAllON
                    .u.G.v A                           g Hi Al EXC64ANGE R cvs                 cvs     !

5"' 5"* Figure VI-7.B-2. SIMPLIFIED SCHEMATIC OF THE EMERGENCY CORE COOLING SYSTEJWI IN THE REDUCED g FLOW AND RECIRCULATION MODE x CON AsuMtN soup O 

                                                                                           -           --i-um-mm              . . _ _ _

[ g EME RGENC1r CORE COOLING RE C8HCUL AT80N O SYSTE M f Asts TO h DEtIVtR SHFFICif NT 

%                                                                      WATER TO THE CORE 5

e-* 

$a                                                                            -%

FAltuRETO NO FLOW SWITCH OVER TO NO FLOW Tl8 ROUGH NO FLOW TO THROUQt BNJECTION MOV*$ 18 AND 19 RECIRCULATION MODE tsNES A. 8 ANO C MOV S IS AND IS ( 1 5 6 m to SHEET 2 SHEET 4 SHEETS NO FLOW THROUGH NO FLOW THROUGH NO FLOW THROUGH INJECTION LINE INJECTION tlNE SNJECTION &lNE TO LOOP A TO LOOP S IO LOOP C [2 3 4 SHEET 3 SHEET 3 SHEET 4 E A Figuro VI-7.B-3. FAULT TREE FGR THE EVENT" EMERGENCY CORE COOLING SHEET 1

5. RECIRCULATION SYSTEM FAILS TO DELIVER SUFFICIENT 2 WATER TO THE COHE" o

N b 8g5 E E8 a E8 O b r a. E55 3E 8z! Eeu < gb a. o 5 s w 3 E 8g z 

                                          =,            o 56            3 8II 45:

E " l 

                                          ==m           m EzB           W a

od oz 3 o$0 9 

       >w*                                              u.

EEbE 1-agei 

        $bD 1:*

mE 

          /U               w E              8 ObQ    9 v".-

sg8 

                           =fm3 5

San Onofre 1 SEP 64 Appendix D 

  =

NOnOw NOnOw o THROUGH THROUGH g 2 muECnON uNe wuECnON uNe 

  ?                                          TO LOOP A                                     SHEET 1               TO LOOP 5 en SHEET 1 m

T T I I I I MOV 356 AIR OPERATED MOV 357 AIR OPERATED DOES NOT VALVE 1115D DOES NOT VALVE 1115E OPEN FAILS TO OPEN FAILS TO REMAIN OPEN REMAW OPEN A O A O 

                                     -Q                 A01115D                                           -%                    A01115F m                                                                                                                       I                            I MOV 356                             NO                                   MOV 357                              30 0 DOES NOT                        ACTIVATION             MOV356           DOES NOT                       ACTIVATION              MOV 357 OPEN ON                           gm                 PLUGGED            OPEN ON                             ggggg              PLUGGED DEMAND                                                                  DEMAND O

MOV356D O SISA MOV356P O O MOV357D OSISS O MOV357P NO AC NO AC POWER POWER 

 ,                               O   ACA OACB                                          SHEET 3 a

n Figure VI-7.B-3. (CONTINUED)

3 NO FLOW No iLOW O 4 INJE INE 5 Ts 19 TO (OOP C SHEET 1 SHEET 1 2 p n X; , 7 o MOV 368 AIR OPERATED MOV MOV 19 ooEs No, vAtvE msF oocs ,18, o oOEs NOr M" RE N A O A A  ; e% A01115F -% e% MOV368 DOEs NOT V 368 OPEN ON ACTIV TION PLUOO O o*"^aa s4GNE l I I I m m 0 sesA 0 MOvaseP MOv is DOEs NOT N y",o" 

                                                                                                                                                                                         ,o ACTIVATION smMAt MOV 19 Ns MT
                                                                                                                                                                                                       "",g no ACTIVATION SIGNAL
                                                                                                - AC
                                                                                              ' "'"                                                              O MOviso O

sisA O MOviSO Osist MOV 18 NO AC MOV 19 NO AC PLUGGED POWER PLUGGED POWER O MOV18P OACA O MOVISP OACS SHEET 4 15 a 

                 ;-                                                                                                                       Figure VI-7.B-3.     (CONTINUED) o

J O NO FLOW TO 8 6 goy is a 13 

  -s
  • SHEET 1 e

i m 1 T I ! NO FLOW ! THROUGH NO FLOW TO 3 CHARGING PUMP CHARGING PUMP UNES 1 & 2 UNES 1 & 2 l O /\ 7 SHEETS I I 1 t NO FLOW NO FLOW 4 THROUGH THROUGH UNE1 UNE 2 i j j -% e% l I I MANUAL VALVE CHECK VALVE CHARGING PUMP MANUAL VALVE CHECK VALVE CHARGING PUMP MV1 FAILS TO CV3 FAILS TO CP1 FAILS MV2 FAILS TO CV4 FAILS TO CP2 FAILS REMAIN OPEN REMAIN OPEN TO RUN REMAIN OPEN REMAIN OPEN TO RUN i ! @ MV1 CV3 CP1 MV2 CV4 CP2 i? l a

& Figure VI-7.B-3. (CONTINUED) SHEET 5 a X U

i j I

3 - O NO FLOW TO o 7 CHARGING PUMP 

                                                              -g LINES 1 & 2 y                                                                                                            SHEET 5 (n

O 

                                                            $                                                                                                                                   T I                               I                    I                                  I MOV 11008 & D                     CHECK VALVE          RECtRCULATION Fast TO OPEN                           AILS          MT X HA                               THR UGH SUMP LINES OCV2 O

HX A SHEET 7 I I MOV 11000 MOV 11000 cn FAILS TO OPEN FAES TO OPEN CD T T I I I I I I I I MOV 11008 *IN NO AC NO ACTIVATION N 11000 PLUGGED FAES O N F NO AC NO ACTIVATION MOV 11000 g POWER SIGNAL POWER SIGNAL PLUGGED dO OPEN O 0 MoviiO0er 0 MOviiO0eO 0 ACA 0 SISA 0 MOV110000 0 ACB 0 SISB 0 MOV1100nP SHEETS 

                                                      ?

15 o

9. Figure VI-7.B-3. (CONTINUED) x O

t.n CD s O NO FtOW THROUGH s a SuasP uNES O 1&2 O SHEET 6 H f m rT1

T I

I ! NO FLOW THROUGH esO Flow SURE UffE 1 THROUGH SUedP UNE 2 f% 7% l i O 4D Suhr PUAAP SUMP PUhr CHECK VALVE esOV8804 SP1 FAILS SP1 FAILS Suer Puer CHECK VALVE ' CVS FAILS TO FAKS SP2 FAILS cvs FAILS TO TO START TO RUS8 REGAAIN OPEN TO OPEN TO Muse REAAAIN OPEN SPID SPIR CV5 e% SP2R CVS 1 i neOV eseA FAsLS TO OkN 900 AC 000#0000 PtuGGED ACTIV TON j 000 DERAApfD POWER S4GNAL PLUGGED  ! i 1 

  @                      MOV866AP             MOV866AD                   ACA                    SISA                    MOV866BP 4

a x SHEET 7 j c Figure VI-7.B-3. (CONTINUED) 1

Table VI-7.B-1 Failure Rates for Various Faults Shown On Figure VI-7.B-3 Fault Failure Mode Failure Fault Unavailability Comments Ider.tifier Description Rate Duration j MV1.MV2 Manual valve falls 1.0x10-4/D - 1.0x10-4 to remain open MOV3580,MOV357D, Motor Operated Valve 1.0x10-3/0 - 1.0x10-3 MOV3560,NOV180, does not open on MOV190,NOV220080, demand POV 110000, W D66AD ACA AC power train A 1.0410-3/D - 1.0x10-3 AC8 or 8 unavailable 313A Actuation signal 1.0x10*4/D - 1.0x10-4 5158 train A or 8 unavailable MOV358P.MOV357P, Motor operated valve 3x10-7/Hr 4380 1.3x10-3 Test for plug M0Y356P.MOV18P, plugged annually MOV190,0V11008P, POV11000P, MOV866AP.MOV8668P CV1.CV2,CV3,CV4, check valve fails 1.0x10-4/D - 1.0x10-4

CVS, CV6 to open A011150,A01115E, Air operated valve 1.0x10-4/D - 1.0x10-4 A01115F fails to remain open I

i i i I I i i San Onofre 1 SEP 70 Appendix D

P Table VI.7.B-1 Continued Fault Failure Mode Failure. Fault Unavaila- Comments Identifier ~ Description Rate Duration bility HX Heat exchanger c -

Very small large tube leak probability SP1 Pump does not' 1.0x10-3/D -

1.0x10-3 

             . start on demand LI         Failure of the               5.1x10-6/Hr                          4380                2.2x10-2                 Annual. test RWST level indicator i

San Onofre'l SEP 71 Appendix D

VI-7.C.2 Failure Mode Analysis ECCS

1. NRC Evaluation Four items are identified in this issue that require modifications so that the possibility of disabling ECCS due to single failures would be eliminated. These are: ,

Item 1. Installation of redundant undervoltage relays on each of the 4160V busses IC and 2C so that automatic start of the diesel generators would not be prevented. Item 2. Installation of a redundant valve in series with valve MOV/LCV 1100C from volume control tank to the charging pumps. Failure of MOV/LCV 1100C to close may cause cavitation of the two charging pumps downstream of the valve because hydrogen from the volume control tank could enter the sump suction. Item 3. Modifications to provide independent and redundant hot leg recirculation flow control capability. Loss of any of the five valves in the normal hot leg recirculation flow path could result in loss of this flow path. Item 4. Installation of redundant control power and instrument air for flow control valves FCV-1115D, E and F. Loss of air pressure or power cau:;es them to close with consequent loss of water transfer to the three cold leg injection lines.

2. NRC Recommendation 1 The NRC recommendations are based on utilities suggested solutions.

The Licensee has completed modifications related to item 1. Item 3 is l related to environmental qualification of values and is not appropriate for analysis.using PRA techniques. For the other two items, current recommendations are: l San Onofre 1 SEP 72 Appendix D

Item 2. Install a redundant MOV/LCV valve in series with MOV/LCV 1100C, return the system to its original configuration and retain existing operation procedures or install a redundant MOV/LCV valve in series with MOV/LCV 1100C and retain existing (interim modified) station operating procedures. item 4. The interim nitrogen supply system currently in place is acceptable as a permanent source of redundant air to FCV 1115, D, E and F if administrative measures are taken to provide control room monitor-ing of the nitrogen tank pressure and/or annunciator identifications of low pressure condition or the nitrogen tank supply should be replaced by an independent plant air supply. The three way valve should be automated to transfer to the alternate air supply if either supply monitor indicates low pressure or no pressure and an automatic transfer switch should be installed to transfer bus power to the alternate supply as required.

3. Systems Affected The operation of the charging system, for coolant injection and recir-culation, is affected by this issue.
4. Comments Item 2. The manual operations associated with the initial, interim modified, and NRC recommended electrical and mechanical features of the MOV/LCV 1100C power and control systems dominate the analysis. A range of estimated human error rate, based on WASH 1400 Appendix III data and discussion, is assigned for control room operations in the interpreta-tion of the four possible system configurations following a LOCA. The basic human error rate,1.0E-1 from WASH-1400 Appendix III, is assigned for operator action to close MOV/LCV 1100C manually. Since these error estimates do not include detailed consideration of actual control room j conditions encountered at San Onofre nor time sequences for postulated
                                                                                         ]

post LOCA events as related to automatic and station manual operation San Onofre 1 SEP 73 Appendix D

procedure events, two recommended modification options are specified without priority. As discussed in. WASH-1400 Appendix III, monthly test intervals are assigned for those system elements for which per hour failure rates are assigned in the same document. i Item 4. Pneumatic pressure is normally supplied at all times to FCV1115 D ' E and F by the plant instrument air system or the interim alternate bottled nitrogen system which was added in response to NRC comments. Either of the two systems are connected to the three flow control valves by operation of a manually activated solenoid three-way valve. Thus, failure of this valve due to operator error must be considered.

5. Analysis
        ' Item 2. Figure VI-7.C.2-1 shows a simplified diagram of the piping section of interest to item 2 in the chemical and volume control system (CVCS). 'The probability of failure of the charging pumps due to failure to isolate the flow path from volume control tank (VCT) to' the pumps is analyzed for four cases of interest. In this first case the original configuration of the system is analyzed.       In this case, upon receiving a safety injection (SI) signal, MOV/LCV 1100C should close automatically. If the valve does not close due to lack of electrical power from MCC1, the auto transfer switch should automatically switch to MCC2.                  .

The failure probability of the flow path from the VCT to the charging pumps is the probability that MOV/LCV 1100C fails to close upon receiving an SI signal. This can be evaluated by the following expression: PFI = PMVI = P11 + PMECH where, San Onofre 1 SEP 74 Appendix D u-

PFI = Probability of flow path failing from the VCT to the charging pumps for case I PMYI = _ Probability of MOV/LCV 11000 failing to close given an SI signal for case I P11 = Probability of loss of power to MOV (motor operated valve MOV/LCV 1100C) PMECH= Probability M0V fails to close on demand due to mechanical failure P11 is calculated as follows: 

            .P11 = PMCC1 x (PAUTO v PMCC2) where, PMCC1 '= Failure probability of BUS MCC1 PMCC2 = Failure probability of BUS MCC2 PAUTO = Failure of. automatic transfer system therefore, PFI = PMVI = [PMCC1 x (PAUTO + PMCC2)] + PMECH Using the failure rates shown in Table VI-7.C.2-1 (WASH-1400), the above expression can be quantified as:

PFI = 3E-6 x (IE-4 + 3E-6) + IE-3 PFI = IE-3 

           -Thus,    given occurrence of a        small     LOCA with a frequency of 1.0x10-3/ year (WASH-1400), if the MOV/LCV 1100C is not clused on time the charging pumps can be disabled with a probability of 1.0x10-3 and long term recirculation will be lost. This results in a core melt frequency of 1.0x10-6/ year.                                                                 l San Onofre 1 SEP                            75                              Appendix 0 l

e , , , . - - c -,, ,, - 

                                                                               . , , ,   .----s --

The second case anal'yzed is the existing configuration of the system which has been implemented by the licensee to eliminate this probl em. In this case the automatic transfer of MCC1 to MCC2 is elimi-nated by two operator actions. In addition, one of the charging pumps was removed from the list of components which are automatically started i by a sequencer following initiation of an accident. This will eliminate the possibility of one of the pumps being cavitated before the recirculation is established. Thus, . in this case two failures must occur before the ECCs system fails due'to the loss of the charging pumps: (1) MOV/LCV 11000 must fail to close, and (2) the charging pump that is removed from starting automatically upon receiving an SI signal must fail to start during the recirculation phase. The failure probability of the charging pumps in , this casa can be expressed as: PTII = PMVII x PCP where. PTII = Failure of ECCS due to loss of charging pump contributions PMVII= Probability of MOV/LCV 1100C failing to close given an SI signal for case II PCP = Failure of a charging pump to start on demand PMVII= PMCC1 * (P1II + P211 + PMCC2)

  • P3II + PMECH l

j where, P11I = Failure of-operator to manually transfar to MCC2

l. P21I = Failure of operator to manually close racked out circuit breaker l

t San Onofre 1 SEP 76 Appendix D b

P3If = Failure probability of operator to go on manually close MOV/LCV 1100C if it does not close PCP = Failure of charging pump to start on demand therefore, PTII = [(3E-6 x (IE-2 + IE-2 + 3E-6) x IE-1) + 1E-3] x (IE-3) PTII = 1E-6 Based on this the probability of core melt is 1.0x10-9/ year. The third case it the configuration proposed by the NRC where a 

     -second MOV is added to the piping from VCT in series with MOV/LCV 1100C. Thus, this case is the same as case I, except that an extra M0V is instailed in series with MOV/LCV 1100C. The failure of the flow
     . path from the VCT to the charging pumps then becomes:

PFIII = P11 + (PMECH x PMECH) where, PFIII = The probability of the flow path failing from the VCT to the charging pumps for case III P11 = The probability of the loss of power to MOVs PMECH= Failure probability of the extra MOV to close on demand due to mechanical failure (same as for MOV/LCV 1100C) After quantifying the above expression we get: PFIII = 3E-6 x (IE-4 + 3E-6) + (IE-3) x (IE-3) PFIII = 1E-6 _ l San Onofre 1 SEP 77 Appendix D l l

This failure probability is the same as Case II and results in a core 

 - melt probability of 1.0x10-9/ year.

The last case is the same as Case II, except that a M0V is added in series with MOV/LCV 11000. The failure probability of the charging pumps in this case can be expressed as: l PTIV = PMCC1 x (PIII + P211 + PMCC2) x P311 + (PMECH x PMECH) x PCP where,. PTIV = Failure of ECCS due to loss of charging pump contributions PTIV = [3E-6 x (IE-2 + IE-2 + 3E-6) x (IE-1) + (IE-3) (IE-3)] (IE-3) 

      .PTIV = IE-9 The core melt probability in this case would be 1.0x10-12/ year.

The results for the four cases above are summarized here: SYSTEM Fall.URE DUE TO 

 -CASE           CONFIGURATION                  CHARGING PUMP CAVITATION I          Initial system                      1E-3 II           Interim System Modification         1E-6 III          NRC Requested Modification           IE-6 IV           Current Interim System with         IE-9 a MOV added in Series Item 4. Figure VI-7.C.2-2 is a simple schematic diagram of the
  . electrical monitor and control systems for the electrical supplies and of the air and nitrogen pneumatic supplies to FCV 1115 D, E and F.

San Onofre 1 SEP 78 Appendix D

The failure probability of the air supply system can be expressed as: FAS = FPIR * (FNEAS + FMATV) where, FAS = failure probability of the air supply system FPIR = failure probability of the plant instrument air system FNEAS = failure probability of the new-emergency air supply system FMATV = failure probability of the manual air transfer valve The failure of the plant instrument air system is equal to FPIR = FREG1 + FVP + FCV1 where, FREG1 =. failure of the regulator 1 FVP = failure of the valve positioner FCV1 = failure of the check valve 1 The failure probability of the new emergency air supply system is equal - to FNEAS = FREG2 + FEPC where, FREG2 = failure probability of the regulator 2 FEPC = failure probability of the electric / pneumatic converter San Onofre 1 SEP 79 Appendix D

Using the data shown in Table VI-7.C.2-1 the expression for the failure of the air supply system can be quantified as FAS = (1.7E-2 + 7.8E-3 + 1.0E-4) * [(1.7E-2 + 8.7E-3) + 1.0E-2] l where failure o,f the manual air transfer va,1ve is assumed to be l dominated by - the' basic human error of 1.0E-2. This results in .a failure probability of the air supply of 8.8E-4. The failure of the air supply will result in failure of the ECCS in the recirculation mode. - Based on a small LOCA frequency of 1.0E-3/ year and air supply failure of 8.8E-4 a core melt frequency of 8.8E-7/ year would result. If the manual air transfer valve is replaced by an automatic transfer sytem with a failure probability of 1.0E-4, the failure of the air supply system reduces to 5.3E-4. Note that the effect of replacing the manual switchover by an automatic system is not very high because of the dominance of the failure of either air supply system by failure of the regulator. The failure of the regulator is high because of the assumption ~ about annual testing of this component. In the old configuration where there was no redundancy in 'the air supply system, various components of the system could not be tested frequently. In the new configuration where redundancy in the air supply system is added, more frequent testing of the components, for example on a monthly basis, can be performed. This would reduce the unavailability of the air' supply system considerably.

6. Conclusion Item 2. Failure of the MOV/LCV 1100C to close resulting in possible i cavitation of the charging pumps in the present configuration could result in a core melt frequency of 1.0E-6. The proposed changes by the licensee reduces this core melt frequency by three orders of magnitude.

This reduction can also be realized if the configuration is changed to the NRC recommended configuration,

j. . Item 4. The probability of failure of the air supply system with the l

licensee proposed changes is in the order of 8.8E-4. This could lead to a core melt frequency of 8.8E-7/ year. Further modification of this configuration 'by replacing the manual air transfer valve by an San Onofre 1 SEP 80 Appendix 0

automatic transfer system reduces the possibl'e core melt frequency to 5.3E-7/ year. Additional reduction in failure probability of .this system can be realized if the components of the system are tested more frequently. Overall, .without any proposed modifications', the risk significance of this issue would be ranked medium. With the above modifications in place the risk significance of this issue reduces to low. i 4 i San Snofre 1 SEP 81 Appendix D

1 Table VI-7.C.2-1 Failure Rates for Various Faults Related to Failure of the Charging Pumps and Air Operated Valves Fault ' Failure Failure Fault Unavailability Conenents l Identifier Mode Rate Duration  ! Description (Hrs) PMCC1 Failure of MCC1 E-7/hr 24 3E-6 Based on a 24 hour period PMCC2 Failure of MCC2 E-7/hr 24 3E-6 PAUTO Failure of automatic 1E-4/d IE-4 transfer bus PMECH Mechanical failure IE-3/d 1E-3 of MOV P111 Operator failure to 1E-2 1E 2 perfom manual transfer P211 Operator failure to IE-2 1E-2 close circuit breaker P3!1 Operator failure to 1E-1 1E-1 close MOV PCP Charging pump fails IE-3/d IE-3 to start FREG Fr.11ure of regulator 4E-6/hr 4380 1.7E-2 Based on annual test FVP Failure of valve 1.8E-6/hr 4380 7.8E-3 Based on positioner annual test CV1.CV2 Failure of the IE-4/d 1E-4 check velve l FEPC Failure of E/P 1E-6/hr 4380 8.7E-3 Based on Converter annual test San Onofre 1 SEP 82 Appendix 0 

  =

o S - FROM LETDOWN LINE 7 g LOOP A w f VOLUME CONTROL TANK MOV TO CHARGING LINE LCV M LOOP A 1100C h i TCV1 8 

                                                                                                'A      Q          ><:

i k V CHARGING PUMPS

X i

EH : 

!                                                                                                                    FROM REFUELING l                                                                                                                  WATER STORAGE TANK i  &

) 3 Figure VI-7.C-2-1. SIMPLIFIED SCHEMATIC OF A SECTION OF THE CVCS i .i

vs 03 3 NEW REGULATOR NEW REG 2 O EMERGENCY " " S AIR SUPPLY r y d to 

                                                                                                                                                           '~
         >*                                                                                                                                                                                                                   NEW ELECTRIC /PNEOMATIC v3                                                                                                                                                                                                                                 CONVERTER E/P m                                                 NEW                                                                                          ;                                                    O
         '                                                MANUAL                                                                                                          4-20 MA OR O-10 V                                            /,'           //

CONTROLLER *-  : CONTROL SIGNAL ' o ,, 125 VDC yF MANUAL THREE WAVE CV2 AIR TRANSFER NEW CHECK J VALVE VALVE m E .( h 

                                                                                                                                                                                                                                                               / a F

Cvl ~ V " ' 00 j i 4 PT 1115C YE 1115C PC 1115C FC 1115C VALVE

:  :  ?  ; e  : POSI-TIONER o < , < , o o o I L------ FCV 1115F W 2 O T

115 VAC VITAL BUS 4 REGULATOR REG 1 PLANT d INSTRUMENT AIR // l E Figura VI-7.C-2-2. NEW REDUNDANT AIR SUPPLY SYSTEM FOR THE g AIR OPERATED VALVES FCV 1115D, E, F

4 VI-10.A Testing of Reactor Trip System and Engineered Safety Features, Including Response Time Testing

1. NRC Evaluation The Technical Specifications for San Onofre Unit No. I were compared iz with the standard technical specifications fur current pressurized water )

reactor-licensing. It was found that, for the reactor trip system, one  !

signal is not subjected to 'a channel functional test as frequently as
       . required in the standard technical specifications; seven channels are not
       ' checked, tested or calibrated as required .in the standard technical specifications; and several channels that are part of the RTS for the standard technical specifications are not part of the San Onofre Unit 1 RTS.
       -Additionally, the channel. response time between channel trip and the operation'of the reactor trip relay is not required to be tested.

r For the Containment Spray System, selected as typical of ESF systems surveillance requirements 'were non-existant for systems that are required to 

       - operate in support of the containment spray system.
2. NRC Reconsnendations The licensee should.1mplement a . prog: am for response time testing of all reactor protection systems (including engineered safety features systems i . such as containment isolation). 'In addition, the licensee should amend the Technical Specifications to correct for the other omissions noted above (Section 1. NRC Evaluation).
3. Systems Affected The systems affected by this issue are the RPS and the ESF actuation

( systems. l

4. Comments The important ' aspect of response time testing to be considered when examining its impact on risk is the relatively short time period involved in the response time test. The time involved in response time testing is -

San Onofre 1 SEP. 85 Appendix D 

  ,     . - . - .   .     ,-          .                   --.,..-.,n,. < - , . , - , , , ,,-.....,.n,     , - , , - . , - - , . , - , - , . , - - , . . -

l normally on the order of a few seconds. When considering the operability of a system in a risk analysis the time. constraints on system operation are considerably longer than a few seconds. System operation in time intervals greater than a few seconds can be considered a successful operation of the system, i.e., the system performs its function to prevent a core melt. With this amount of time available, the short time periods measured in response time testing are not significant. Therefore, it can be said that response-time testing does not affect overall plant risk. No further analysis of this issue is required. Any functional test will demonstrate ability to function within seconds or minutes, since the test would be called a failure ong before those excessive amounts of time had passed. This argument applies also to ECCS systems. In the Interim Reliability Evaluation Program (IREP) study of Millstone Unit 1, it was determined that an ECCS System was successful, from the point of preventing core melt, if it was in operation within one-half hour. The issue of channel checks is somewhat similar, although in the opposite sense. In the case of channel checks, they do not actually test the functioning of the actuation signals, since no components are actually caused to change state to represent an accident condition. Thus, in doing a FRA, channel checks do not affect the f ailure rate of any equipment since they do not alter the time between real (i.e., functional) tests. No further analysis of this issue is required.

5. Analysis No analysis is required for this topic.
6. Conclusion 1

I The issues discussed have no effect on component or system reliability, ' therefore, on risk from core melt. This is because the NRC recommendations  ; do not serve to increase surveillance from a PRA standpoint. For this reason we rank the importance of this issue as low. San Onofre 1 SEP 86 Appendixb

r l I VII-1.A Isolation of Reactor Protection System from Non-Safety Systems 4 i 1. NRC Evaluation Current criteria requires that non-safety systems receiving output from the reactor protection system (RPS) have isolation devices to insure the independence of the RPS channels. San Onofre 1 complies with the current licensing criteria except for the following. There are no isolation devices between the remote. meters and process reco'rders and 1) the pressurizer pressure trip logic, 2) the pressurizer level trip logic, 3) the steam-to-feedwater flow mismatch trip signal, 4) the startup rate neutron monitoring system, and 5) the high flux level trip signal. Additionally there is no isolation device between the data logger and the nuclear instrumentation, and between the steam-to-feedwater flow mismatch system and the Optimac computer.

2. NRC Recommendation The adequacy of the present design should be justified by the licensee or suitably qualified isolators'should be installed at the San Onofre 1 plant.
3. Systems Affected
            .The only system affected by this issue is the reactor protection system
      .(RPS).
4. Coments Both the pressurizer pressure and level trip signals lack the same
      . isolation devices. Each of the three trip channels for these two trip signals lacks proper isolation from an indicating meter.- Additionally there-

, is a recorder that can be connected to the trip channels (any one of the three) that is not properly isolated from any of the trip channels. An electrical failure of the recor der could conceivably affect all three channels. San Onofre 1 SEP 87 Appendix D

I In the steam generator steam-to-feedwater flow mismatch trip channels each ofsthe three trip channels output to a process recorder. The recorder is not properly isolated. A level and flow controller also receives a signal from_ all three flow mismatch trip channels and is not properly i isolated. The final; area' where proper isolation may not be present is the nuclear l instrumentation channels. -Recorders and the data logger may not be properly isolated from the source range and intermediate range nuclear channels. Each of the four power range channels (including 'the intermediate chann'el) is connected to control room power level indicators. Proper isolation may not . exist between the power range channels and the indicators. Also there are two dual. pen recorders that can be used for any of the power range i- channels.

- Information from. plant personnel indicates that the data logger j referenced for the intermediate power range trip channel is_ not used at San
Onofre 1 -and does not receive an output signal from the intermediate range >

j nu' clear channel. Also the reactor coolant flow channels .are of similar 

        ' design to the pressurizer level and pressure channels. The reactor coolant j         flow indicators' receive an output from the reactor coolant flow trip-channels and are not isolated. The effects of the lack of isolation on this
trip signal are therefore addressed in this analysis.

p 5. Analysis A trip signal from any one of the five trip parameters being analyzed here (high flux, pressurizer pressure, pressurizer level, coolant flow, and steam-to-feedwater flow mismatch) will cause a reactor trip. The startup L rate _ channel will produce either a reactor trip or a rod withdrawal block. l .Each of 'the four high' flux channels consists of. two flux monitors, an , amplifier, a bistable and relay. To trip the reactor two of the four high flux level channels must generate a trip signal. The three channels of the- , pressurizer pressure, pressurizer level, coolant flow and steam to feedwater l flow mismatch trip logic are combined .in a two out of three logic; to 

       -generate a trip signal two of the three channels for any parameter must                   j indicate a trip condition. Each of the channels for these parameters consist essentially of a relay, bistable and the appropriate sensor                      1 JSan Onofre 1 SEP.                           88                              Appendix D s

i

transmitter (flow, level, pressure). The steam-to-feedwater flow mismatch channels each contain two flow transmitters. Using this information a simplified fault tree for these trip signals was produced. This f ault tree is shown in Figure VII-1.A-1. The circuitry required to produce a two out of three or two out of four logic is not specifically modelled. However, this should not significantly affect the analysis of the contribution of faults in unisolated non-safety systems to RPS failure. The unisolated system faults can affect the trip signals in two ways. In the case of meters and indicators attached to a particular channel the unisolated fault in the meter will affect only that channel. The recording devices that can be used on multiple channels for a particular trip parameter were assumed to be able to affect all of the channels for that trip parameter. For example, a f ault in the two dual pen recorders used in the high flux channels was assumed to affect all four high flux channels. The unisolated f aults are modellea in the f ault tree shown in Figure VII-1.A-1. Data for this analysis is shown in Table VII-1.A-1. This data is developed from IEEE STO 500-1977. The test intervals are taken from the information provided for Topic VI-10.A. Since it has been assumed that the unisolated faults in the recorders, meters, etc. affect the performance of the RPS these f aults would be detected during the RPS channel functional tests. Therefore the test interval is the same for these faults as for the RPS channel equipment. Not all of the trip signals can be expected during all transients. Therefore, the f ault tree was analyzed for two relatively restrictive cases. In one the trip signals assumed to be present were: pressurizer pressurel , r 1 The unisolated faults would affect both high and low pressurizer pressure trips. Therefore, the f ault tree models an off normal pressurizer condi-tion since an unisolated fault is assumed to fail the pressure signal. San Onofre 1 SEP 89 Appendix D l .. .

pressurizer level, high flux and steam-to-feedwater flow mismatch (condi-tions present in a transient such as a loss of feedwater). The second case (representative of a transient such as a loss of coolant flow) assumed that the following trip signals would be present: pressurizer pressure, pres-surizer level, high flux, and coolant flow. For both of these cases the failure probability of the RPS due to failure combinations that contain unisolated f aults in non-safety systems is less than 1E-10. The combination of faults that would fail only the nuclear instrumentation and pressurizer signals is on the order of magnitude of IE-9. In most previous PRAs the f ailure rate used for the RPS has been on the order of 3E-5. This is due primarily to the common mode mechanical failure of the control rods to insert. It is reasonable to assume that the failure to scram probability for the San Onofre 1 plant would be similar to that for other PWRs. Therefore, the contribution (of less than 1E-10) of unisolated faults in non safety systems would be negligible. The lack of isolation in the high start up rate instrumentation has not been specifically modelled for this analysis. However, the effects on that signal should be similar to those for the high flux signal since in both cases an unisolated f ault would f ail that signal. The lack of isolation in the high start up rate instrumentation should not significantly affect the RPS failure probability. l

6. Conclusion The lack of isolation between the RPS and the non-safety systems does not significantly affect the RPS f ailure probability. It will therefore .-

l-have virtually no effect on the expected core melt frequency. We rate this issue to be of' low risk signficance. m [ , San Onofre 1 SEP 90 Appendix 0 , 

                                                                                                       ,s

l l- Table VII-1.A-1 Component Failure Rate Test Interval Unavailability A o(hr-1) (hr) Flux Channels Neutron Flux Detector 1.4E-5 168 1.2E-3 Bistable 3.0E-6 168 2.5E-4 Relay 3.0E-6 168 2.5E-4 Amplifier 2.3E-6 168 1.9E-4 Power Level Indicator 4.6E-6 168 3.9E-4 Recorder 6.8E-6 168 5.7E-4 Steam-to-Feedwater Flow Mismatch Channels Pressurizer Pressure Channels Pressurizer Level Channels Flow Transmitter 6.0E-6 336 1.0E-3 Level Transmitter 5.1E-6 336 8.6E-4 Pressure Transmitter 5.7E-6 336 9.5E-4 Relay 3.0E-6 336 SE-4 Bistable 3.0E-6 336 SE-4 Recorder (all types) 6.8E-6 336 1.1E-3 Meter 4.6E-6 336 7.7E-4 Flow / Level Controller 2.3E-6 336 3.4E-4 Coolant Flow Channel l Flow Transmitter 6.0E-6 2190 6.6E-3 Relay 3.0E-6 2190 3.2E-3 l Bistable 3.0E-6 2190 3.2E-3 Meter 4.6E-6 2190 5.0E-3 l l 1 San Onofre 1 SEP 91 Appendix D l

l lll Ill i liI\ - WS L N LN I OE E F N RTA A _ l UN H T NP LA I L C AI L A OP F L R A OIR T CT O N I OWG COI S OFL N N O FRT I T OON* TA U OSCL B S NSAO' OEO' I RT R LRC TL E Z L NU I R RN EA OA UU CF SSI G I SSS EE RRI P PPR O T A EM HE T ST RY N OS F Y ET PSE EE I RF ER R TA RT U T S USL HIP L L UN LP A I I AR F GRA AO T N A I F OL H FN I STA OUI XG _ pint SD R UG NLS F PE DIS RT DL A EO I FS I I R LN E PU Z I P M I F RIRL U T A SO I S L N S E EG R E P L VIS A 1 A. O / R H 1 - N O MDE" AET T C I I NEEA A V TFW' S M e r u i g L F HA WCN OT G I LAI W P FMS OI LR OSP I MFT L NIMR F A RHA T E T ECN S TT OWMS NDS AAI G A EI EM F 

    $:SSy s          w@                      e                                 E j g.,X0 ill           Illl        l

E tM lAN s s I A T2A s3F 04 3 3 D R TENEIT ATE t I otM u SAL e E - NFV U EL RS E - R TK E 3 LTA e,,LL R,AES emf V I ug NL E S2 LN 43 I f NA semAF s E ,vSH A R T Rt C T L P Y AX L S EA L I R.Af P3 1 F a4 R T 

                                                                                                        )

E IX I S D IALs A E T1A S3F U St4 N I 2 D R T E TITNE N A TE t O I OAML C SAL e E ( NFV U EL 1 R R RS - NE S t a, 2 E Tl t IM tE u A. ER EN 3 R ,,LL AES LIA e RUVN / ugNNts EMF VS 1 1 I I US E 2 sgoNA t NsLA syoAF iN 3 l l Af H E,sI A 4T FR C P Rg D P R T L V Y e AX 5 r R B EA u fe I R 1A 14 g t i u.m e A P3F F RI4 outN NsrG T sv$ FE 8 RR e E nY 5 aAt A l A 1 l D tmF s E N E R 1 Ise T AIND D R L Y E t tR NE _ I T Ou9O 0 _ IT A L TE S. FA2C O LM I I _ E N R U _ L SAL e E NFV U E L t AR O 

                                                                                              )

i t - s LT L k ms sEME 0LT 3E i I RI 4VM TES eP"M R TME LdNi A _ oOEO R _ R Nf _ T Y AX L EA s I R 0A d r3F e4 i T mD" oso D o n H imm t ew >vv$aE o ll lI

I i m I OD l 3 NOl#GHFtUX i -- \ TRIP $8GNAL O ! m L2 H T g i I I RECORDERS 2 WC AR RE OER at UNISOt ATED f tuM CHANNELS SO4 AT E D F Aug y FAHLT 3/4 i NO TRIP SIGNAL N IN# I U AL NO TRIP SSGN AL NO TRr StGNAL POWER LEVEL FRN WTERME- FROSI POWER FROM POWER CHANNEL 2 NATE N ER LEVEL CitANNEL LEVEL CHANNEL CHANNEL 3 (D P1 P2 I l l l l _ l l l LJMSOLATED CHANNEL 2 CHANNEL 2 CatANNfL 2 UNISOLATED CHANNEL 3 CHANNEL 3 CHANNEL 3 FAutT - CH 2 AMPtiFIER FLUMLEVLL SIST Alst Ee Ht L AY FAutT - CH 3 FLUM B EVEL AMPtaFIER etSTABL E/ PELAY E FAltUAE I L MOMTORS Fall FAltuRE F AstuRE AT MONITORS F Att F AlLUM E AT 

                                           \em                                                                                r%

I I I I Flu 4 LEVEL pluMLEVEL FluNttVER FlUMttVEL MOMIOR 5 MOMIOR6 MONIIOR 7 MONIIOR8 g F 44L S F Alt S F Alls Fasts ts e 3 

    .C2.

n.

  • Figure Vil.1.A-1. (CONTINUEO) o

3 i o NO PRESSUR82ER ' 3 3 PRESSURE O TRIP SIGNAL 

        ~

l m 

                  .                                                                                                     O
                                                                                                            'I                           I
                                                                                                                                                                         '1 RIP REL AY Af f ECTED DEPENOS ON WHETHER I                                                                                                        UNISOtATED                 F AILURE IN                            HIGH OR LOW PRESSURE TRIP FAULT IN               PRESSURI2ER 3 PEN                   PRESSURE RECORDER                  CHANNELS 2/3 I                                                                                                                       I NO TRIP SIGNAL                                             NO TRIP SIGNAL                                            NO TRIP SIGNAL FROM                                                       FROM                                                         FROM
        @                                                             PRESSURI2ER -                                              PRESSURIZLR m                                                              PRESSURE                                                    PRESSURE PRESSURMER PRESSURE CHANNEL 1                                                  CHANNEL 2                                                   CHANNEL 3 m                                                          em                                                           em i

I I I I I I TRIP RELAY' UNISOLATED TRIP RELAY, UNISOLATED WSOLATED F AULT IN TRIP RELAY, 430 - X 431 - X F % ULT IN F AULT IN PRESSURE PRESSURE 432 - X FA8LS pggg3 pgg PRESSURE METER 1 METER 2 METER 3 1 i PRESSURE TRIP PRESSURE TRIP PRESSURE TR ANSMITT ER INSTABLE TRANSMdTTER SISTAELE TRANSMITTER 88 STABLE y PT430 FAILS FAILS PT431 FAILS falls PT432 7Asts FA8lS v Ea S x o Figure Vil-1.A-1. (CONTINUED)

l e!. 383 

                                                      -  sE5;3 115' 34                                   ;
                                               !:                           8                 !

s 1r!. - is: a:: s  :: -

1. .

s.r. : i .- i-s g*aw 

                                               .g.
                                               ..-                      $85    -
                                                                        =3in!

o W c3 3 2 8s- a 

                                                         .s ti!.
  • 1..1 z 5:

s a!: o ri,g a>:s o 

                               .!e                  ,

ai. 4 zu- s.!i SE 3 $* ,. 

    *3                                           .                                      "
     ;yg                                                                08"
    -:,s                                   -   !!                 -
-2 13;
    .:o                                        I -
l:

e

- 3 35 a
s. u.

82 

                                                        =E.

385 

                                                        .s.tu.83 113 s..

5.I Il. 3ss 

                                                                 ~

2li ga g: l 13< - g!- I. s. 

                               .l
                               .i l

s,ui  : ' 

                               $o:                                      g.
                                                 .                        st  -
                                           -   a3 2                 -

325 I: i 1 1 San Onofre 1 SEP 96 Appendix D

e a S e k 9 FAILURE IN COOLANT FLOW (D TRIP CHANNELS 4a 

 =

M n/3 2 I 9 I NO TRIP SIGNAL COOLANT FLOW COOLANT FLOW F810M COOLANT TRIP SIGNAL TRIP SIGNAL FLOW CHANNEL 1 CHANNEL 2 FAILS CHANNEL 3 FAILS n n n 

                                                           -                                                       --                                             -s e

l I I TRIP RELAY bNISOLATED TRIP RELAY UNISOLATED TRIP RELAY UNISOLATED FC 100-X F AULT IN FC 110-X FAULT IN FC 120 X F AULT IN FAILS FLOW METER 1 FAILS FLOW METER 2 FAILS FLOW METER 3 O O O O O O i TRIP FT 400 TRIP FLOW TRIP FLOW SISTABLE 100 (FLOW TR ANS- BISTABLE 110 TRANSMITTER 86 STABLE 120 'IR ANSMITTER FAILS MITTERI FAILS FAILS FT410 FAILS FAILS FT420 5 AILS E O O O O O O i E 

 'l n

a Figure VII-1.A-1. (CONTINUED)

o 8 

               ?-

m g P1 P2 m NO TRIP S4GNAL NO TRIP SIGNAL FROM < FROne PONER R,AAE LEVEL L T T I I I I I I I I UNISOLATED [ TED N L1 CHANNEL 1 F Flux LEVEL RISTASLE/ CHANNEL 1 L TE MS M R y E S E Y g INDICATORS g INDICATION FAtt FA8 LURE O O A O A O T T I I I I FLUX LEVEL FLUX LEVEL FLUX LEVEL FLUX LEVEL ' h00NITOR 1 AAONITOR 2 RAONITOR 3 840NITOR 4 FA8LS FAILS FA8LS FAILS l E ta e i

5. ,

Figure Vil-1.A-1. (CONTINUED) X c l

7 1 J IVII-2" Engineered Safety Features (ESF) System Control Logic an'd Design l 1.. NRC Evaluation L Non-safety- systems that receive signals from safety systems, for. exam-p ple, the RPS and ESF, must' be adequately isolated from the safety systems. Non-safety circuits receiving signals from ESF sensor current loops are required to have isolation devices-to ensure electrical independence of the 

<              ESF channels. .Two of the signals generatd by the ESF may not be properly isolated from the non-safety systems at San Onofre 1. These signals are the
             - containment isolation signal and the safety injection signal.

! 2. - NRC Recommendation The licensee should demonstrate that the isolation devices currently in. , use between the input signal channels and the safeguard load sequencing 

             - system (safety injection signal), containment spray and the containment isolation system are adequate. If this can not be done the isolators should be replaced with acceptably qualified isolators.
3. Systems Affected The systems affected by this issue include the safety injection system, containment spray system, and the containment isolation system.
4. Comments l Two of the three signals affected by this issue will not be analyzed b here. The containment spray signal as evaluated in the technical evaluation report by EG&G Idaho, Inc. was found to have adequate isolators between it and non-safety systems. The containment isolation' system is isolated from l
non-safety systems by the use of relays and relay contacts. This type of L . isolation has been determined to be acceptable.

i Therefore, only the safety injection signal will be analyzed in this report. Qualification of the existing isolators is beyond the scope of this analysis. The assumption is made that'the isolators currently in use do not i adequately protect the safety injection signal from f aults in non-safety 

        . San Onofre 1.SEP                               99                              Appendix 0

l l systems. For this reason the results of this analysis should be used only to determine whether the isolators' qualifications should be evaluated. Only after it has been determined that the isolators are.indeed inadequate, i.e., they do not provide the required protection, should they be replaced.

5. Analysis The signal of interest for the safety injection signal is the
    -pressurizer pressure signal.      This signal is not properly isolated from the 3 pen recorder that can be connected to any one of the three pressurizer pressure channels. Also each pressurizer pressure channel outputs a signal to a pressure indicating meter. This meter is not properly isolated from the safety system.     (The safety injection signal is generated from the same sensors that produce a trip signal. These unisolated components are the same components for which an analysis was performed for Topic VII-1.A)

Before the pressurizer ~ pressure signal is transmitted to the safety injection system logic it passes through an input buffer module. This is the isolation device presently in use at the San Onofre 1 plant. The pressurizer pressure signals are input into both subchannels of the two load sequencers. The output from each pressurizer pressure transmitter goes to two bistables. One bistable transmits to sequencer train A, the second to sequencer train 8. The outputs of the three bistables in one sequencer train are arranged in two two-out-of-three logic matrices, one each for the two subchannels for the sequencer. (Figure VII-2-1 is a logic diagram for the pressurizer pressure signal for the safety injection sys-tem.) The input buffer modules are located between the bistables and the two-of-three logic matrices. For this analysis it is assumed that an unisolated f ault in the non-safety system could propogate through the bistables and the safety injection system logic. With this assumption an unisolated f ault could f ail the safety injection system. There are three meters and one recorder attached to the pressurizer pressure sensors that are not isolated. Using the data I developed for Topic VII-1.A.the unavailabilities of .nese indicators are 7.7E-4 for the meters and 1.1E-3 for the recorder. The unavailability of l the saf tty injection signal due to these f aults would be the sum of the ' unavail abilities, 3.4E-3. San Onofre 1 SEP 100 Appendix D

i-The safety injection signal system for nuclear plants with similar safety injection signals (i.e., pressurizer pressure and containment pressure arranged in a 2 out of 3 matrix with two sequencer trains each with 2 subchannel inputs) generally has a failure probability on the order of 10-3 The contribution of the non-isolated faults is of this magnitude and even slightly larger than the normal system failure probability. If the input buffer modules supply adequate isolation, or are replaced with adequate isolators, then the unisolated f aults in the recorder and  ! meters would - affect only the pressurizer pressure signal. Failure of the 'l indicating meter on each sensor channel would affect only that sensor channel and the f ailure of the recorder would affect only the pressurizer pressure signal and not tha containment pressure signal. The availability of a second initiation si]nal would significantly reduce the effect of 

   -faults-in the non safety systems that could affect the pressurizer pressure signal.

With the bistable outputs properly isolated the failure probability of the pressurizer presure signal alone is 1.1E-3, due primarily to the failure of the recorder failing all three pressurizer pressure sensor channels. A simplified f ault tree for the pressurizer pressure signals is shown in Figure VII-2-2. The data used is the data developed in Topic VII-1.A. For the safety injection signal to f ail the containment pressure signal must f ail in addition to the pressurizer pressure signal. With the effects of faults in the pressurizer pressure signal limited to that signal the failure probability of the San Onofre 1 safety injection signal can be expected to be of approximately the same value as in other nuclear plants with similar systems, i.e.,10-4 to 10-3,

6. Conclusion Under the constraints imposed by the assumptions made for this analysis

< this issue would be rated to be of high risk significance. After completion of this analysis, the licensee demonstrated that sufficient isolation exists 

   'between the safety and non-safety grade systems.                Thus, this issue is completely resolved.

San Onofre 1 SEP 101 Appendix D

5 ' PRESSURIZER PT430 PT431 PT432 o PRESSURE 8 TRANSMITTERS 

?

to H m, PYC PYC 3000A 30008 BISTABLES 4 X 43 EX 43 X PYC sC g 2/3 2/3 2/3 2/3 o - HI Hi Hi Hi CONTAINMENT CONTAINMENT CONTAINMENT CONTAINMENT PRESSURE PRESSURE PRESSURE PRESSURE 1/2 1/2 1/2 1/2 

                                                                           \

jy SEQUENCER A SEQUENCERB i a ^ x o Figure VII-2-1. SIS - PRESSURIZER PGESSURE SIGNAL LOGIC

I 

~

M DE 3 safety o y sutences mananaa O pastunt H Up , m I ' " I I ,l smETv suffy nutenOs. aufenO. SaGenet A annanas a FanuftE panunE I #% #% ! I I I I 1 

            "Er s.seten                                                    TOSS Op annanaa an                                                         "

A TO MOUEseCEn ,MyOu.E,,,O e-m TO M M W n 8 i ( (. 1 l m I I x I i 1 TL M SEOuffeCEft A SEQUE88CEn E - ^ ~ -SEOUE88CER 8 i OF MoufseCEn A  :- ^ ^ TL y suScataadesEL X ^^^ L y j faEs FanunE FAnunE FAnuftE I l F3 n n n t 4

r- .

l I I l l 1 l l l SEQUEseCEn A SEOutpeCEn A SEOuf feCEn 8 sEOuf adCEn S

suSCseassesFL X OTHEn ses suSCHA80RIEt y OTDeEn $8B T -- - ^^ TL X OneEn ses suSCteessesEt Y OfteEn seS Pett ssusterEn MBATIO8e rett ssufterEn IRIITIATIO90 PatssustelEn IpseitATIOed PetEssuftsfEn IBfIDATIO8e estEssunE Seamus e AE riussunE sesmAts ran . rett ssunE sacasats ean entssunE saamatstast senseAaannusu saosest eanunE sanseat eanunE secesAt eanunE V

u ! $ Figure VII-2-2. FAULT TREE FOR FAILURE OF SIS DUE TO

E '

PRESSURIZER PRESSURE SIGNAL FAULTS" , x ! O i 1 I i 4

gkg k c st I 1,4 1 . = o 11;* 111 4- ((p @ $M O 

                       ~

po 1 O 

                                        -  IMi O it          I gk
  • I5
                      .--                              A
                           'n     -        ==

o 

                                           \tly        e t          %

u 

           ~~
                                            ,t
                                }    [
                                            \f= O 4-{) @ -IM                          ge      o San Onofre 1 SW                104                 Appendix 0

1 VII-3 Systems Required For Safe Shutdown i

1. NRC Evaluation The only issue under this topic is the lack of redundancy in the Component Cooling Water System (CCWS) surge tank level indicator. Given a leakage in-the system, a single failure of the low-level instrumentation can result in depletion 'af water and failure of the CCWS.
2. NRC Recommendation A redundant, Class lE surge tank level instrument must be added to the system.
3. Systems Affected The Component Cooling Water System and all the systems that are dependent on CCWS for heat removal are affected by this topic.
4. Comments None.
5. Analysis The water level in the CCWS is currently monitored by a level indicator which is connected to an alarm in the control room. A low or high water level in the CCWS will set off the alarm. In addition there is a visual gauge where the water level is checked once every shift. If the water level is low in the CCWS surge tank, the operator can manually initiate addition of water to the tank. The concern in this case is that given a leakage in the system, if the low water level in the surge tank is not detected the CCWS pumps can be cavitated resulting in the f ailure of CCWS. This would effect the performance of many systems that are dependent on CCWS for heat removal. Among these lack of cooling of the main coolant pump seals could result in the failure of the seals and initiation of a small-small LOCA.

San Onofre 1 SEP 105 Appendix D

l Figure VII-3-1 shows a simple fault tree for the event " Cavitation of CCWS' Pumps Due to a Leakage." To. evaluate the frequency of this event, the probability of Various basic events shown on the fault tree must be determined.- Since there is not much data on the probability of occurrence of different leakage rates this probability niust be estimated. It is known I that.the probability of a small-small'LOCA (pipe break with equivalent l diameter of 1/2 to 2 inches) is 1.0:10-3 per year (WASH-1400). Thus, the probability of a small leakage must be higher than this. Also, the proba-bility of a pump seal leakage is 11 the order of 2.0x10-2 per year. Based on these numbers a conservative prcbability of small leakage of 0.1 per year will be used for this analysis. The CCWS surge tank level indicator is tested every six months. Using a level indicator f ailure rate of 5.1x10-6 (IEEE-Std. 500) and an exposure time of 2160 hours, the unavailability of the level indicator is 1.1x10-2, The probability of failure of the operator to respond to an alarm is 1.0x10-4 (NUREG/CR-1278, Table 20-3). For the visual checking of the gauge every shift, it is assumed that a simple checklist exists for performance of this. task as a part of many other checks. The probability of f ailure to detect a low water level is conservatively assumed to be 0.1 per check (NUREG/CR-1278, Table 20-a). It is further assumed that the leakage in the system can be high enough that during one shift the water level can get below the low level alarm. This implies that only one visual shift failure [ . combined with the failure of the level indicator is sufficient to result in depletion of the water in the CCWS surge tank. Based on all above assump-l tions, the-probability of cavitation of CCWS pumps due to leakage is calcu-l lated to be 1.1x10-4 per year.

6. Conclusion The. probability of failure of the CCWS due to a leakage and failure to detect low water ' level in the CCWS surge tank is conservatively calculated '

to be 1.1x10-4 per year. This failure among other things could result in failure of the main coolant pump seals and initiation of a small-small LOCA. The probability of th.is event is one order of magnitude smaller than the overall probability of initiation of a small-small LOCA of 1.0x10-3, Considering all the cons _ervatism involved in this analysis and small - contribution of this event to the initiation of a mall-small LOCA which San Onofre 1 SEP 106 Appendix D

,r = - o 

                -itself. partially contributes to the overall. core melt probability, the significance of this issue is ranked low from risk point of view.

1 San Onofre 1 SEP 107 Appendix D h_ .-

i CAVITATION OF CCWS PUMPS DUE TO A LEAKAGE [D . l l FAILURE TO DETECT ' LEAKAGE LOW WATER LEVEL IN CCWS SURGE TANK [D < FAILURE TO DETECT FAILURE TO DETECT LOW WATER LEVEL LOW WATER LEVEL USING LEVEL USING VISUAL G AUGE INDICATOR m 1 1 LEVEL INDICATOR OPERATOR FAILURE HARDWARE FAILURE TO RESPOND TO < THE ALARM I r i Figure Vil 3-1. FAULT TREE FOR THE EVENT " CAVITATION OF i i CCWS PUMPS DUE TO A LEAKAGE" l San Onofre 1 SEP 108 Appendix 0

c I l VIII-3.B DC Power System Bus Voltage Monitoring and Annunciation

1. NRC Evaluation The control room annunciators and monitors for the DC power system of a nuclear power plant should provide the operator with adequate information regarding the status of the DC power system. The information provided in the control room should allow the operator to a) prevent the loss of a DC bus and b) take timely corrective action in the event of a loss of an emergency DC bus. The 125V DC system control room annunciators at San Onofre 1 consist of bus undervoltage, bus ground, charger trouble and battery breaker trip alarms. The control room indication for the uninterruptable r wer supply (UPS) consists of a system failure alarm.

The contr . vn indications lacking at San Onofre 1 include: battery current charger output current bus voltage charger output voltage battery high discharge rate bus undervoltage (UPS only) bus overvoltage (UPS only) bus ground (UPS only) battery breaker status (UPS only) charger output breaker status.

2. NRC Recomendation The SEP staff has recommended that as a minimum six control room indications and alarms be added to the San Onofre 1 plant. These indications and alarms are Battery current (ameter charge / discharge)

Battery charger output current (ameter) DC bus voltage (voltmeter) San Onofre 1 SEP 109 Appendix D

DC bus ground alarm (for ungrounded systems) 

            . Battery breaker or fuse open alarm Battery charger output breaker or fuse open alarm
3. Systems Affected 4
                                                                                 )

The DC power system and the UPS are the only systems directly affected by this issue.

4. Comments This analysis is based in part on the results of NUREG-0666, "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants." The analysis of detectable versus nondetectable battery faults is based on the NUREG-0666 analysis. Data not taken from NUREG-0666 is generic plant data.
      .The UPS supplies power to MOV 850C, one of the three safety injection valves. It is not required to supply p'ower to any other component. Its charger receives power from MCC 3. The remaining two safety injection valves are powered from MCC 1 and MCC 2.
5. Analysis A fault tree for the UPS is presented in Figure VIII-3.B-1. The modifications proposed for the system annunciation will affect the battery unavailabilities and the detection intervals for the faults in the rest of the system. With the proper annunciation devices faults in the system will  !

be detected immediately. Only half of the battery faults can be expected to be detected by the improved annunciation system. This is based on the results of NUREG-0666. In this report an evaluation of plant LERs showed that even in plants with the required annunciation systems half of the , battery faults were not detected until battery tests. The assumption is l made that with the present system annunciation all faults are not detected I until system tests. For this system the tests are performed every 10 months, at refueling. ' San Onofre 1 SEP 110 Appendix D

The UPS supplies power to MOV 850C (a safety injection valve) and to no other components. Therefore it is possible to not only evaluate the effect of ~ improved annunciation on the UPS but'also on'the safety injection system. The data used to evaluate the system is presented in Table VIII-3.B-1. Using this data and the f ault tree in Figure VIII-3.B-1 the UPS ! unava11 abilities, for the- system with the present annunciation devices, is 3.2 E- 4. With the modified annunciation this unavailability is reduced to 

            .approximately 1E-6.                                                                                                                                                 l The UPS powers only one of three safety injection valves all three of which must fail to'open to fail the. safety injection system.                                                                These valves are tested during refueling outages. The probability of an MOV failing to i              open can.be calculated as-
                                           -1/2 AT where A = valve failure rate = 2.8E-6/hr (from WASH-1400)

T = test interval = 13140 hrs. For these valves the failure probability .is 1.8E-2. The failure of the UPS [ .affects .only one of the three valves, and only increases the valve failure

probability by 3E-4, less than a 2% increase. This is an insignificant
increase in the failure probability of one valve.

i-i There are three sources of power for each of the 125V DC system trains. Both 125V DC system buses are powered by a battery and two battery chargers. For each bus one battery charger is powered through a bus connected to diesel generator #1. The other battery charger can receive power from diesel generator #2. During a loss of offsite power both 125V DC buses can be powered by either one of the diesel generators. A fault tree for each of l_ the 125V DC buses is shown in Figure VIII-3.B-2. i l- . i As in the analysis for the UPS it has been assumed that any faulted l condition that is not annunciated will not be detected until the battery San Onofre 1 SEP 111 Appendix D 

 -ar-+= w      -*a.       , e---w,9--i%.4w     **-+w--- ,,--ye.N-   ,e--=.w,, w&p-e+wpy -

esy-rw--c-**y,--g&tw--,-w ., w m m - w waum-t---t-MM---t - e-- rz m e r y

tests at refueling, approximately every 18 months. Data for this analysis is presented in Table VIII-3.B-2. The unavailabilities of a single 125V DC bus with the present annunciators are 4.1E-4 with a loss of offsite power and SE-6 with no loss j of offsite power. With the proposed annunciator modifications these unava11 abilities are reduced to 1.1E-4 and IE-6, respectively. The reduction for the case involving a loss of offsite power is 3E-4, a reduction by a factor of 4.

6. Conclusion The proposed annunciator modifications reduce the battery system unavailabilities for both the 125V DC system and for the UPS. The reduction of the UPS unavailability is not significant since the UPS supplies power to only one component, a safety injection system valve, whose failure is dominated by mechanical valve f ailures. The f ailure of the UPS does not significantly affect the valve failure probability. Failure of the 125V DC system affects several systems. Therefore the proposed modifications would probably have a significant effect on the core melt frequency. However, the failure probability of a 125V DC bus as calculated for San Onofre 1 is less than that calculated for the risk based analysis for previous SEP plants.

(See for example the Risk Based Categorization of Haddam Neck SEP Issues, SAI-83-128-W A.) This is primarily due to the arrangement of the DC power supplies. .Both buses can be powered from three sources; the battery and both diesel generators. Based on the results of the analysis of the 125V DC system we rank this issue to be of medium risk significance. I I I l I San Onofre 1 SEP 112 Appendix 0

Table VIII-3.B-1 UPS Data Sumary Fault Failure Rate Exposure Time Unavailability (hrs-1) (hrs) Scitchboard - Local Faults 6 ' Switchboard - Test / Maintenance ~10-7 NO AC to Battery Charger 1 LOSP 3E-2 No LOSP 10-6 Battery Charger - Local Faults "As is" 2.8E-6 65702 1.8E-2 

      " Mod"                            2.8E-6           13           2.8E-6

-Battery Charger Breaker - Fails Open "As.is" 1E-6 6570 6.6E-3 

      " Mod"                            1E-6             1             1E-6 Battery Breaker - Fails Open "As is"                           1E-6          6570            6.6E-3
      " Mod"                            1E-6             1             1E-6 Detectable Battery Faults "As is"                           0                -               -
      " Mod"-                           SE-7             1            SE-7 NonDetectable Battery Faults                                                       <
      "As is",                          1E-6          6570             6.6E-3
      " Mod"                            SE-7          6570             3.3E-3
1) for a loss of offsite power (LOSP) unavailability is dominated by a f ailure of diesel generator to start, for non LOSP unavailability is probability of AC bus fault
2) 6570 hours is 1/2 of 18 months 3)Ihr-lengthofdemandonsystem 1

i San Onofre 1 SEP - 113 Appendix D i

Table VIII-3.B-2 125V DC System Failure Data Fault l Failure Rate Exposure Time Unavailability I (hrs-1) (hrs) Switchboard - Local Faults -1E-6 Switchboard - Test / Maintenance ~1E-6 Diesel Generator Failure to Start 3E-2/d 3E-2 LOSP 1 or 0 Battery Charger - Local Fault "As is Annunciation" 2.8E-6 6570 1.8E-2 

          " Modified Annunciation"          2.8E-6                1            2.8E-6 Battery Charger Breaker - Fails Open "As is Annunciation"              1E-6               6570            6.6E-3
          " Modified Annunciation"          1E-6                  1              1E-6 Detectable Battery Faults-
          "As is Annunciation"              0                     -                 -
          " Modified Annunciation"          5E-7                  1              SE-7 NonDetectable Battery Faults "As is Annunciation"              1E-6               6570            6.6E-3
          " Modified Annunciation"          5E-7               6570            3.3E-3 Battery Breaker - Fails Open            IE-6                 1               1E-6 i

l San Onofre 1 SEP 114 Appendix 0 t

DC SWITCHBOARD FAILS l T t SWITC'4BO AR D NO POWER OUT OF gy 8ERV)CE SWITCHBOARD E A NT O A T I I NO POWER LOCAL FAULTS TO AT SWITCHBOARD SWITCHSOARD G 1 l _ l F M NO POWER BATTERY FROM CHARGER SATTERY T T ' I I I I I LOCAL BATTERY NON. DETECTA8LE 

                                                                                 'A   "

FAULTS CHARGER TO DETECTABLE I " 8ATTERY BUS BREAVER BATTERY BATTERY CHARGER OPEN FAULTS FAULTS OPEN O O O O O Figure Vill 3.51. SIMPLIFIED UPS FAULT TREE San Onofre 1 SEP 115 Appendix D

LOSS OF POWER AT12tvOC SUS 1(2) n _ 1 BUS ital F AILS LO;;, = :R 

                                                                        ,u, ,(,
                                                                                                 =:F        S=

yon yggy om j MAINTENANCE O l LOSS OF PowtR PROM SATTERY 1(2) A E 

                                                                        -    E                  y LOSS OF P0wtR                    DETSCTABLE            NON OttiCTASLt         SATTERy PROM sATTERY                                                                                              LOSS OF POWER BATTERY FAULTS           BATTERY FAULTS      GREANER 1(21                    FROM GATTERY CMARetRSIC1                     BATTERY Ital            SATTERY 121      FAILS 70 optN                    CHAmoin AfDs A                               O                       O                  O                              A
        .AT,ER.                L..SOFP.WER                   .A-tm.                          .ATTER.                        .. TER.

CMAR0am elC) 70 SATTERY CHAmoen CHAN'stm CMAmotm FAULTS CMARGER SICy BREANER StC) FAutts 3A17tny BREANtm AfDs FAILS TO OPEN taARgER Agos FAILS 70 CPEN O A O O O P LOSS OFPowtR i i TO BATTERY CHANGER AIDI L0st OF POWER LOSS OF AC TO 480V SWOR 2 4eev SWOR 2 tMCC 1 Al tesCC 1 A1 r, o ' ( i 1 I LOSS OF AC 400v SWOR 1 A 

             #                                                                                    twC 2el Loss of power                                                                            Lg5 Loss                PROM omett                                                                             onartE OF                0840RATOR 281)                                                                          Powt R OFFSITE cower                                                                                                                        j 1

l P 1 I I I OffECTASLE iso 80 OST8CTASLE SATTERY DetSEL DATTGRV FAULTS SATTemy FAutTS BREAmtR 2(1) OGNORATOR 2113 SATTSRV 3(1) BATTERY 211) FA4LS TO OPEN FAsLaTO START 1 O O O O l Figure Vill 3.5 2. SAN ONOFRE 1125V DC SYSTEM FAULT TREE l San Onofre 1 SEP 116 Appendix 0 i L

VIII-4 Electrical Penetrations of Reactor Containment

1. i*RC Evaluation Adequate protection for the following electrical ~ penetrations does not i- exist at San Onofre:

The DC penetration (EPC-6) does not meet current requirements of RG 1.63 and IEEE Std 317 for any short circuit conditions with a > failure of the primary breaker. Current criteria requires that for each penetration, protective systems should provide primary and secondary protection devices to prevent a single failure .in conjunction with' a circuit overload from impairing containment integrity.- These requirements were developed to prevent a single failure from allowing excess current in the penetration conductors that could adversely affect penetration seals.

2. NRC Recomendations

,. The recommendations propose that the design of backup protection for most low voltage (less than 1000V) AC and all DC penetrations at San Onofre be. modified to provide adequate, coordinated protection against all postulated faults inside of containment assuming.the failure of the primary protection device.

3. ~ Systems Affected Th'e system affected is the containment isolation system.
                                                                    ~
       '4. Comments In a LOCA environment electrical penetrations may not be capable of maintaining their -integrity given a failure of the f ault protection devices and the existence of an electrical fault.

San Onofre 1 SEP-- 117 Appendix D

5. Analysis A penetration f ault in a LOCA environment requires that two events occur. .First an electrical fault (circuit overload) must exist and the breaker (protection device) on that circuit must fail to isolate the circuit. The data used in this analysis is shown in Table VIII-4-1. The failure of an electrical penetration due to a fault would be:

Pj = (number of cables penetration containment) x P (electrical component failure) x P (Breaker failure). For the DC circuits this would be (PDC) DDC = (10) (3.6E-5) (IE-3) = 3.6E-7 For the low voltage AC circuits this would be (PAC) PAC = (20) (3.6E-5) (IE-3) = 7.2E-7 The combined failure probability for these electrical penetrations is (PTelec) PTelec = PDC + PAC 

                     = 3.6E-7 + 7.2E-7
                     = 1.08E-6
6. Conclusion The failure probability of containment integrity due to an electrical penetration not currently meeting the GDC, caused by an overloaded circuit is calculated to be 1.08E-6.

This failure probability is much smaller than the failure of contain-ment isolation due to other causes. Thus the risk significance of this issue is ranked low. San Onofre 1 SEP 118 Appendix D

z e Table VIII-4-2 Failure Data Sumary FAILURE FAILURE RATE

  • FAULT EXPOSURE TIME UNAVAILABILITY Solid state device 1E-7/ hour 360 hours 3.6E-5 fails shorted Circuit breaker 1E-3/ demand IE-3
  • Data taken from WASH-1400 i.

l i r San Onofre 1 SEP 119 Appendix D

IX-3 Station Service and Cooling. Water Systems

1. . 'NRC Evaluation Several ' issues related-to the Component Cooling Water System (CCWS) and Salt Water Cooling System (SWCS) were identified by:the NRC for this topic.
 --Among these, the following-issues are relevant for analysis using PRA-techniques. - For the component cooling water . system, possible passive.

failures of:the system and its importance must be addressed. For the salt water cooling system possibility _of failure of tsunami or stop gates and its effect on the SWCS availability under accident conditions must'be evaluated.

2. .NRC Recommendation Applicant should analyze various issues of concern and submit the results to the NRC for further evaluation.
3. Systems Affected Besides component cooling and salt water cooling systems, all other components and systems such as reactor coolant pumps, residual heat removal system, recirculation heat exchangers that are cooled by. the component cooling' water system are systems affected by this issue.
4. Comments None
5. Analysis A simplified schematic of the component cooling water system is shown 1 in Figure IX-3-1. To evaluate the importance of the passive f ailures, a fault tree for the event " Insufficient Flow To The Auxiliary Coolant System" I was developed and is shown in Figure IX-3-2. Note that during normal operation only one CCWS pump and heat exchanger is in service. During cooldown periods where the maximum heat load is imposed on the CCWS, all
- three pumps and both heat exchangers are used. In this case loss of two pumps and one heat exchanger does not result in failure of the system and San Onofre 1 SEP                              120                           Appendix D

only results in lower rate of cooldown. But for the present analysis failure of any pumps or heat exchangers is conservatively assumed to fail the system. The fault tree for the CCWS is next quantified using the data shown in Table' IX-3-1 (WASH-1400). With all the conservatism included in the calculation of passive failures consisting of pipe rupture and heat exchanger failure, the total contribution of these failures to the failuie of the CCWS is about 6%. Thus, the contribution of the passive failures to the failure of the CCWS is not very significant. The salt water cooling system circulates water from the intake struc-ture through CCWS heat exchanger to remove the heat transferred to the CCWS. Figure IX-3-3 shows a simplified diagram of this system. The concern in this issue is related to the possibility of failure of the stop gates and complete unavailability of the SWS to remove heat. During normal operation, NRC's evaluation has shown that if the gate valves fail closed there is sufficient time for the operator to correct the situation before water temperature in CCWS and other systems cooled by SWS is too high. But right after a reactor shutdown, whether normal or due to an accident, heat load on SWCS is high and if the gate valves are closed the water inventory in the screenwell will eventually be depleted. If the salt water flow is completely lost there is a short time (in the order of three minutes) before the water temperature in CCWS exceeds the design temperature. The accident scenario consists of a reactor shutdown followed by failure of tsunami gate valve. Since the refueling at San Onofre is every 18 months the frequency of normal shutdown is less than one. But to this we must add abnormal shutdowns. Thus, a frequency of one shutdown per year is ' taken to include abnormal scrams. The failure probability of the gate valve i s 1.0x10-4/D (W ASH-1400). This demand failure probability is based on a monthly test. Thus, the hourly failure rate for the gate valve can be calculated from the relationship:

x. 2g T

where A is the hourly failure rate of the gate valve q is the unavailability of the gate valve per demand T is the time between two consecutive tests. San Onofre 1 SEP 121 Appendix D

From this relationship an hourly failure of 2.7x10-7/ hour can be found. Following a reactor shutdown the high heat load on SWCS continues for about 24 hours. Af ter that the heat load is low enough that it would be like normal operation where there is sufficient time for correction of the situa- l tion even if the gate valve fails closed. Thus the unavailability of the gate valve during the maximum heat load conditions is 6.4x10-6 This 

  ' unavailability combined with the shutdown frequency of once per year results in a f ailure frequency of 6.4x10-6/ year for the SWS due to closure of the gate valve. This frequency is considerably lower than failure probability of SWCS due to hardware f ailure. Additionally, if SWCS is f ailed for an extended period of time, RHRS can be shut down to reduce the heat load on SWCS. In this case the main coolant will heat up somewhat and the heat can be removed using the main heat exchangers. Thus, the possibility of a serious accident as a result of faliure of the tsunami gate valve is negli-gible.

J. Conclusions The contribution of passive failures to the total failure probability of the component- cooling water system was calculated using a simple fault tree for the system. It was shown that with all the conservative assumption related to the passive failures, their contribution to the total failure of the CCWS is about 6L This contribution is judged to be insignificant with respect to the overall risk of operation of this reactor. The importance of failure of tsunami stop gates in the salt water cooling system following a reactor shutdown was also evaluated. The acci-dent scenario consists of simultanecus failure of the tsunami gate valve and a reactor scram. The probability of this event leading to complete unavailability of the SWS is 6.4x10-6 This probability is considerably lower than failure probability of SWCS due to hardware failure. Thus, the contribution of the SWCS unavailability a!; a result of tsunami gate valve closure to the risk associated with the operation of this plant is judged to be low. San Onofre 1 SEP 122 Appendix 0

Table IX-3-1 Failure Rates for Various Faults Shown on Figure IX-3-2 Fault Failure Failure Fault Unavailability Cossnents identifier Mode Rate Duration (Hours) MVIA.MV18, Manual valve fails 1.0x10-4/D - 1.0x10-4 MVIC MVD, to remain open MVE MV2A, MV28,MV2C

  • MOV7208 Motor operated 1.0x10-3 /D - 1.0x10-3 valve does not open on demand MOV720AR, Motor operated 1.0x10-4/D - 1.0x10-4 MOV7208R valve fails to remain open CVA.CVB,CVC Check valve fails 1.0x10-4/D - 1.0x10-4 to remain open HXD,HXE Heat exchanger 3.0x10-8/Hr 6570 1.9x10-4 Failure rate, large tube leak upper bound of small pipe rupture.

Fault duration. l every refueling. PA PB,PC Pump does not 1.0x10-3/D - 1.0s10*3 start PR Pipe rupture 3.0x10-9/Hr 6570 1.9x10-5 Failure rate, upper bound of large pipe rupture. Fault duration, every refueling. San Onofre 1 SEP 123 Appendix D 

 -          t t              ?

!1 Table IX-3-2 Failure Rat'es for Various Components In the Salt Water Cooling System Component Failure Failure Unavailability ] Mode' Rate Hydraulic Gate Fails to remain 1.0x10-4/D 1.0x10-4 Valve open Motor operated Fails to remain 1.0x10-4/D 1.0x10-4 Gate Valve .open Butterfly Valves Fails to remain 1.0x10-4 /D 1.0x10-4 open SWCS Pump Fails to start 1.0x10-3/D 1.0x10-3 l- on demand Heat Exchanger Large Tube Leak c c l f l l i l l l l l t i San Onofre 1 SEP 124 Appendix 0 L___ _ _ _ _ _ _ _ _ _ _ . _ - __ _ _ _ _ _ _ _ _ _ _ _ _ _

s S t O H CCw SURGE g TANK l M HX-D A Uv'A D MV-D X . MV-2A

>4- MV-1 A >4-

.' AUMlUARY MOV p-A COOLANT 720A g CV-B 

            +-  SYSTEM                :                                   +    2                 MV-25 1                                                    M                            MV-15                        X 1

E MV-E

D4-- P-B 4
      ~                                                                       C          CV C MOV
      $                                            7205   HX-E                     X      N   3 MV-2C i

M V-1 C >4-P-C 

           "                                                                                                           o j

l  :  : i l 1 l g Figure IX-3-1. SIMPLIFIED SCHEMATIC OF THE COMPONENT j 'g COOLING WATER SYSTEM a 

    ;T e

i

E 3 INSUFFICIENT o FLOW TO THE S AUXILIARY Q COOLANT SYSTEM u 9 l l NO FLOW NO FLOW THROUGH HEAT P9PE THROUGH CCW EXCHANGER RUPTURE PUMP LINES LINES , e  % PR r% E$ NO FLOW NO FLOW NO FLOW NO FLOW NO FLOW THROUGH LINE THROUGH LINE THROUGH LINE THROUGH LINE THROUGH LINE D E A B C 1 2 3 4 5 SHEET 2 SHEET 3 SHEET 2 SHEET 4 SHEET 4 u" u M Figure IX-3-2. FAULT TREE FOR THE EVENT " INSUFFICIENT y FLOW TO THE AUXILIARY COOLANT SYSTEM" SHEET 1 O

NO FLOW y y THROUGH 3 LINE D o SHEET 1 h b i $ 

  ~

1 i 4 MOV 720A HEAT MANUAL VALVE FAILS TO EXCHANGER D MV-D FAILS TO REMAIN OPEN LARGE TUSE LEAK REMAIN OPEN l l MOV720A HXD MVD I w l U NO FLOW THROUGH

UNE A
i l l i

l MANUAL VALVE CHECK VALVE CCWS PUMP A MANUAL VALVE ] MV-1 A FAILS TO CV-A FAILS TO DOES NOT MV-2A FAILS TO l REMAIN OPEN REMAIN OPEN START REMAIN OPEN i i ,# i E o i E MV1 A CVA PA MV2A 1 7 e

Figure IX-3-2. (CONT
ieUED) SHEET 2 l

i

s E NO FLOW E THROUGH LINE 3 2\ E
                                                               ~                                                                                                                                              SHEET 1 E,

e% i 1 i l i i' HEAT EXCHANGER MOV 7208 MANUAL VALVE E LARGE TUBE FAILS TO MV-E FAILS TO LEAK OPEN REMAIN OPEN t g HXE ,,,,,% MVE 1 h i MOV 7208 MOV 7208 ! FAILS TO OPEN FAILS TO ON DEMAND REMAIN OPEN i 4 i j MOv720eo MOV720sn SHEET 3 

  )                                                       a
                                                          ?.
 !                                                            R                                                                                                                                                 Figure IX-3-2.     (CONTINUED)
  !                                                          7 i                                                          o
   )

l l

NO FLOW E 

 =                                         o                THROUGH LINE 0

o SHEET 1 I MANUAL VALVE CHECK VALVE CCWS PUMP 8 MANUAL VALVE l MV-18 FAILS TO CV-8 FAILS TO DOES NOT START MV-28 FAILS TO REMAIN OPEN REMAIN OPEN REMAIN OPEN i MV1B OCV8 PS MV28 l l C , NO FLOW l 5 THROUGH LINE C SHEET 1 T I MANUAL VALVE CHECK VALVE CCWS PUMP C MANUAL VALVE MV-1C FAILS TO CV-C FAILS TO DOES NOT START MV-2C FAILS TO REMAIN OPEN REMAIN OPEN REMAIN OPEN 5 l a MviC CvC PC MV2C l E SHEET 4 l o Figure IX-3-2. (CONTINUED)

r o 2 

  -                               U      1i     N        N           HM Tso=Ana sToe M

GATES A swes ,; ccws ;w; = 

                ~

puesps -- HEAT EXCHANGERS A pH v N N W --N t: o I I AUXIUARY ! SWCS i Puese i ) 3 E Figur Ix-3-3. s4MPLIFIED DIAGRAM OF THE SALT WATER COOLING SYSTEM l "g i E i o i 1

F IX-5 Ventilation Systems

1. NRC Evaluation The ventilation systems at a nuclear power plant must have the capability to provide a safe environment for plant personnel and for the engineered safety features. The systems reviewed under this topic are those defined as systems important to safety as outlined in Regulatory Guide 1.105. At San Onofre 1 the ventilation systems that service safety systems are the control room area ventilation system, the reactor auxiliary building ventilation system (RABVS), fuel storage building ventilation system and the engineered safety features ventilation system.

The main function of the RABVS is to provide ventilation for the areas within the building, which includes the charging pump room. The supply of fresh air to this building is provided by a single f an. Thus the ventilation system is subject to single f ailures that could disable the system. In the engineered safety features ventilation system there are three areas where the ventilation system does not meet current criteria. These are the switchgear and cable spreading area, the 480V switchgear room, and the administrative building. The switchgear and cable spreading ventilation system consists of a single fan that does not meet the single failure criteria. The equipment of interest in this area are the 4160V switchgear,480V switchgear No.1 and cables. The essential equipment in the 480V switchgear room includes the 480V switchgear and cabling for the reactor protection and control system, instrumentation, emergency power and other safety related equipment. Ventilatinn for this area consists of a single fan which fails to meet the single failure criteria. The administrative building ventilation system supplies heating and cooling to provide a comfortable working environment in the administrative building. The safety function performed by this system is the ventilation San Onofre 1 SEP 131 Appendix D ____-___-_____ _ _ - - _ _ _ _ ~

of the battery and inverter areas. Loss of ventilation to these rooms, especially the battery room where a loss of ventilation could lead to hydrogen buildup, could affect the operation of the batteries and inverters. The ventilation system does not meet the single failure criteria. l These are the only four areas where the San Onofre 1 ventilation i systems do not meet current criteria.

2. NRC Recomendation
  • For the ventilation systems not in compliance with current criteria the NRC has recommended that the licensee should provide analyses showing that ventilation to those areas is not required for an acceptable operating  ;

environment. If unable to do so, the licensee should propose corrective measures for each ventilation system.

3. System Affected I The systems affected include the chemical and volume control system (CVCS), the AC power system and the DC power system, q
4. Comments The effects of a loss of ventilation to areas housing safety-related equipment are being evaluated by the staff of San Onofre 1, but the results are not available for this study. Therefore this analysis will be based on i the information provided and conservative assumptions to assess the poten-tial risk due to failure of the ventilation systems..

The assumption is made that all safety-related equipment requires adequate ventilation to function properly. Therefore, a loss of ventilation I will impair the operation of this equipment. A second assumption is based  ; on results from previous PRAs, It is assumed that cable operability (i.e., l the ability to conduct electricity) is not affected by a loss of ventila- l tion. This assumption is based on previous PRA findings that cables do not generate a significant amount of heat while in operation, and are able to San Onofre 1 SEP 132 Appendix D  !

retain their integrity even when exposed to an elevated temperature environ-ment. Even in the case where cables are placed in the same area as heat-generating equipment, under extreme (high temperature) condition, the equipment is deemed to fail (and therefore stop generating additional heat) before the cables would. Thus, this analysis will assume that ventilation is not required for cables to maintain their integrity. With these assumptions the analysis for the risk potential associated with the failure of the ventilation systems is presented in the following section. Unless otherwise stated all data is WASH-1400 data.

5. Analysis The, loss of ventilation in the switchgear and cable spreading room can affect San Onofre 1 in two ways. Loss of ventilation could lead to a f ailure of the AC power system during normal operation leading to a plant trip, i.e., loss of ventilation could be an accident initiator. Alter-nately, following an accident initiator, LOCA or transient, the loss of ventilation in this room could cause a loss of AC power hindering efforts to mitigate the results of the original initiating event.

The frequency of a loss of ventilation in the switchgear and cable spreading room is the frequency of failure of the single fan that provides ventilation in the room. This can be determined from the equation AT where A = fan failure rate = 2.8E-6/hr T = hours in a year = 8760 hrs /yr. The f an f ailure rate is based on IEEE-500 data. The frequency of fan failure is 2.5E-2/yr. Under the assumptions of this analysis, that a loss of ventilation fails all equipment in a room except cabling, this would be the frequency of a loss of all AC power, i.e., station blackout. All AC power is lost since the 4160V switchgear is in this room and both onsite and offsite power require that this switchgear be operational. This is a very large frequency San Onofre 1 SEP 133 Appendix D

for a station blackout. - For comparison purposes consider that the frequency. -of a loss of offsite power (.1/yr) plus the mechanical f ailure of the two diesel generators to start (3E-2/ demand for each diesel) yields a station j 

, blackout frequency of approximately 1E-4/yr.       This is normally a dominant            j station blackout sequence;.

To lose all. cooling to the core the only1 failure required other than a total loss of AC power would be the failure of the turbine driven auxiliary i feedwater pump train. The failure of this portion of the auxiliary feedwater system can be approximated by modeling the f ailure of the pump itself. Assuming a mission time of 24 hours, consistent with the assump-tions made in the IREP studies, the f ailure probability of the turbine driven auxiliary feedwater pump would be: Ad+At c where Ad = turbine driven pump failure to start probability 

                          = 3E-3 Ao = operating failure rate = 3E-5                                      ,

t = 24 hours. This yields a pump failure probability of 3.7E-3. Combined with the frequency of a loss of ventilation this yields a frequency for a loss of cooling to the core of (3.7E-3)(2E-2/yr) 

                = 7.4E-5/yr.

T In response to an accident initiator the failure of the fan would still lead to a loss of power. However, in this case the time interval of concern is only the time following the initiator. Since the ventilation system is required it must have been operating prior to the initiating event. Using the mission time following an initiating event from the IREP studies,24 hours, the probability of fan failure.following an initiating event would be (2.8E-6/hr)(24hr) 

                = 6.7E-5.

San Onofre 1 SEP 134 Appendix 0

Loss of AC power would fail all normal means of cooling the core except for the turbine driven auxiliary feedwater pump. As calculated above, the failure' probability of the turbine driven auxiliary feedwater pump train can be approximated as 3.7E-3. For the initiating event frequency we will use a transient frequency of 8/yr which is consistent with the ANO-1 IREP study. From this the frequency of a loss of cooling to the reactor core caused in part by loss of ventilation in the switchgear and cable spreading room would be F(loss of cooling) = F(transient)P(vent failure)P(aux. feed. failure) 

                                                     = 8/yr (6.7E-5)(3.7E-3)
                                                     = 2E-6/yr Loss of cooling to the core will eventually lead to a core melt. The plants used as a reference for this analysis typically have core melt fre-quencies on the order of 3E-5 to IE-4.                                                          Loss of ventilation in the switchgear and cable spreading room can conceivably result in core melt frequencies of this magnitude. Thus it would be a dominant contributor, under the constraints imposed by the assumptions of this analysis, to plant risk.                                                                                                                                                                               '

The analysis for a ventilation failure in the 480V switchgear room is similar to that for the switchgear and cable spreading room. The major difference is that a loss of ventilation in this room affects only one of , the two AC power trains. One result of this difference is that following a transient both auxiliary feedwater pumps would normally be available. (The electric driven pump can be powered through either AC power train.) The loss of the switchgears in this room would affect the recirculation system (one of the two pumps), the residual heat removal system (one of the two pumps), the salt water system and the component cooling water system. Failure of the switchgear in this room would degrade the operation of these systems, e.g., remove redundancies, but would not fail any of the systems. Through the use of the auxiliary feedwater system it is possible to maintain San Onofre 1 in a hot shutdown condition. This system is virtually unaffected by the loss of ventilation in this switchgear room. From PRAs 

   -done on plants with similar auxiliary feedwater systems the failure San Onofre 1 SEP                                                                     135                                                           Appendix 0 t
                                                                             ~--,-----.-----,---n .                               n - - - -- , - , -          - - - - - - - , - , . , -
                   - , , - , . ~ . , . , - , , _ , - , - - , - - - - - - - -                            - . . , - - - - - - - . -

probability of the auxiliary feedwater system is on the order of 3E-4. The I combination of a 480V switchgear room ventilation system f ailure, as an i accident initiator (Frequency = 2.5E-2/yr), and auxiliary feedwater system failure has a frequency of 8E-6/yr. To achieve a core melt the unaffected portions of the core cooling systems, the residual heat removal and recirculation systems, would also have to fail. These failures would reduce the frequency of core melt due to a ventilation failure by a couple orders of magnitude below 8E-6/yr, to a point where this type of event would not significantly affect the core melt risk at San Onofre 1. If the ventilation system f ails following a transient initiator the frequency of the combination of transient, ventilation failure and auxiliary feedwater failure is approximately F(transient)P(vent failure)P(aux. feedwater failure) 

           =(8/yr)(6.7E-5)(3E-4)
           = 1.6E-8/yr This combination would not significantly affect the core melt frequency of San Onofre 1.

Loss of the reactor auxiliary building ventilation system affects the charging pumps. No other components important t'o safety are affected. There are two components in this ventilation system whose failure will result in the loss of the ventilation system. These are the air supply unit (A-25) and a differential pressure switch used to shut off the air supply unit. The air supply unit will be modeled as a single fan with a failure rate of 2.8E-6/hr. As in the previous analyses the probability of the air handling unit failing following an accident initiator is 6.7E-5. From IEEE-500 the failure rate for the differential pressure switch is 2.85E-6/hr. In the 24 hours following an accident initiator the pressure switch probability of failure would be (2.85E-6/hr)(24 hrs) 

                 = 6.8E-5 San Onofre 1 SEP                          136                            Appendix D

The probability of loss of ventilation to the charging pumps would be the sum of the two failure probabilities, 1.4E-4. In response to a LOCA the charging system can be used in conjunction with the safety injection system to provide inventory to the reactor coolant system. LOCA frequencies for PWRs range from lE-4 to 2E-2/yr depending on the LOCA size and the plant of interest. Using the larger LOCA frequencies the frequency of a charging system f ailure due to a ventilation system 

     -failure following a LOCA would be (1.4E-4)(2E-2/yr)
                                 = 3E-6/yr.

For core damage to occur the safety injection system must also f ail. The f ailure of this additional system would reduce the frequency of the combination of events to a value below lE-6/yr. (At San Onofre 1 the safety injection system consists of the two feedwater pumps and two safety injection pumps. One feedwater and one safety injection pump comprise one train of the safety injection system. Although the San Onofre 1 safety injection system is not typical because of the use of the feedwater pumps the redundant trains and initiation logic is similar to other PWR safety injection systems. These safety injection systems typically have failure probabilities on the order of 10-2 Therefore it is not unreasonable to assume that the additional safety injection f ailure required to lose the coolant makeup capability, given a LOCA, with a ventilation failure induced failure of the charging pumps would have a frequency of less than lE-6/yr.) If ventilation is required for the station battery room and the i inverter room, both in the administrative building, then a f ailure of the administrative building ventilation system could affect the core melt frequency at San Onofre 1. Only one set of batteries is located in this i battery room; therefore, loss of ventilation to this area does not affect the entire DC power system. Ventilation to these artas is supplied by a single fan. From the calculation performed for the switch gear and cable spreading room the frequency of ventilation system failure will be 2.5E-2/yr. With the assump-tion that ventilation is required for the inverters this is the frequency of San Onofre 1 SEP 137 Appendix D 

    . a transient.- (The loss of all three inverters will result in control rod insertion.) This is not a significant fraction of the expected transient H

frequency for a PWR: on the order of 6-10/ year. However, this initiator - could also cause a loss of one of the DC power trains. The loss of ventila- l 

    -tion could result in the failure of the battery chargers and batteries of DC power train-1.                                                                    l
          ~T he; analysis for SEP topic VIII-3.B provides an unavailability for a DC
power train given a loss of offsite power of 4.1E-4. Even if we assume one loss of offsite power per year the_ ventilation induced loss of DC power train 1 is significantly larger than the system f ailure frequency due to other causes. Although the ventilation system failure affects only one DC power train it is a significant contributor to the DC power train f ailure frequency. .The proven importance of the DC power system for PWRs makes the contribution of ventilation system failures a high risk significance topic.

(The failure of the ventilation system after a transient initiator is also risk significant. The probability of a fan failure, as calculated in the switchgear and cable spreading area ventilation _ analysis, following a transient is 6.7E-5. This is slightly more than 10% of the failure proba-bility of the DC power train following a loss of offsite power. Although the ventilation f ailure would not be the dominant contributor to the DC power train 1 failure probability, it would be a significant contributor.)

6. Conclusion In analyzing the potential risk due to a loss of ventilation in these four areas of the plant it has been assumed that ventilation is required for all the equipment in each area. .This assumption results in a conservative estimation of the effects of a loss of ventilation. Therefore, the results of these analyses should be considered as an absolute upper bound on the potential significance of the ventilation system f ailures. These results should be used to determine whether further analysis of ventilation system requirements is needed. A ranking of low risk significance implies no further analysis is needed6 A ranking of high or medium implies that further analysis as to the need for ventilation is reconnended.

San Onofre 1 SEP 138 Appendix D

1 

.                          . Ventilation. failures in two of the areas analyzed here do not signifi-cantly affect the risk due to failure of the systems in those areas. The
                 -loss of ventilation in both the reactor auxiliary building and the'480V
switchgear. room does affect the system, or subsystem, reliability but not ,
                .the core. melt risk, to any'significant extent. This is due primarily to the                l
fact that the equipment in these two areas supply redundant capabilities.

The charging pumps in the reactor auxiliary building provide _the same 

 ;                function, following a LOCA,:as the safety injection system. Loss of venti-                 '
                ,lation in the 480V switchgear room affects only parts of one of the AC power

! . trains. For these two areas the loss of ventilation is rated as of low risk j significance.. J' . - A' loss of ventilation in the switchgear and cable spreading room could j result in the ' loss of all AC power._ With the single fan, the frequency of a 1 . ventilation system f ailure causing a loss of all AC power is relatively 

                'high. Station blackout generally is a significant contributor to plant risk. We therefore rate this issue to be of high risk significance.

l If ventilation is required for the station batteries, both for heat removal and to prevent hydrogen buildup, the failure of a single fan could lead to the loss of one train of the DC station power system. The loss of-the station batteries has generally contributed to the dominant accident sequences,in PWR PRAs. The frequency of battery failure due to ventilation  !

system failure is relatively high, when compared to other possible methods of losing the batteries. For these reasons, we rate this issue to be of i
high risk significance.

[ For this issue it must be remembered that it has been assumed that ventilation is required for all the equipment in the areas analyzed. The l results of this analysis should be used only to determine if further f -analyses of the ventilation requirements are needed. i-i l - 1 i . i j San Onofre 1 SEP 139 Appendix D f

i XV-2 ' Spectrum of Steam System Piping > 

                           ' 1. . NRC Evaluation                                                              l
                                  'NRC staff evaluation of this topic considered ;the system's ability to

- mitigate or prevent the consequences of steam line breaks. Due to design features of the secondary side of the steam generator systems at San Onofre Unit 1.the staff's evaluation also considered steam . generator thermal shock. The'NRC staff concluded that for steam line breaks'the following:- o the pressure in the reactor coolant and main steam systems-is maintained well below the design pressure in all cases analyzed o' .that for ttee worst case that after 200 seconds the reactor coolant system stabilized at 1200 PSI and 2500F o 'the Licensee's proposed addition of a motor -driven auxiliary feedwater pump.will eliminate the vulnerability to loss of function due to the postulated single f ailure of the existing motor driven pump. With regard to steam generator thermal sh0CK the staff Concludes the steam. generators should not lose their component integrity or their ability to cool the primary system.

2. NRC Recomendations The Licensee should address the qualification of the main feedwater system to function in the required mode under accident conditions.
3. Systems Affected Steamline breaks have the potential for offsite consequences. Several subsystems are also affected, e.g., main and auxiliary feedwater system, steam generators, emergency response procedures, etc.

San Onofre 1 SEP 140 Appendix 0

4. Comments The NRC review of the analysis of a spectrum of postulated steamline breaks at San Onofre Unit 1 concludes that with respect to steamline breaks it is acceptable. The staff further concludes that installation of a third auxiliary feedwater p6mp (motor driven) will provide assurance that in the event of a steamline break the reactor secondary cooling system will not be vulnerable to a single failure scenario.
5. Analysis .

None

6. Conclusion Given the changes in the emergency procedures aad the hardware changes that have been completed the public risk due to steamline breaks at San Onofre Unit 1 are low.

t San Onofre 1 SEP 141 Appendix 0 

                 ._. .-  - . _ ,        - - - - - , . . . - . - - - - - - ,_     - - - ,   -- . . . _ . 1

XV-7 Reactor Coolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break

1. NRC Evaluation On loss of forced reactor coolant flow NRC staff concludes that loss of flow does not affect minimum DNBR. However, NRC could not conclude whether peak reactor coolant pressure would exceed the allowable limits. For reactor coolant pump rotor seizure or shaft break, NRC could not conclude whether the consequences of these events satisfy the review criteria.
2. NRC Recomendation The Licensee should demonstrate that the consequences of the loss of flow satisfy the review criteria or are acceptable on another basis.
3. Systems Affected Primary reactor coolant systems failure causes fuel damage and leads to offsite consequences.
4. Comments None
5. Analysis PRAs have shown that the dominant contributor to risk from a nuclear power plant is a core melt accident. Although it is conceivable that a loss of flow in the primary due to a pump seizure or shaft break could lead to fuel damage and offsite consequences, the probability of such an event is small. On loss of coolant flow or low flow conditions the reactor safety system automatically scrams the reactor. To have any offsite consequences requires failure of the safety systems (RHR, etc.) or breach of the contain-ment system. The probability of reactor coolant pump failure, including leakage / rupture, " loss of function" and "does not continue to run" is 3x10-6/hr (NUREG/CR-1205, P 35). The data on which this estimate is based shows that only 2 of 124 events involved a running pump (i.e., a reactor San Onofre 1 SEP 142 Appendix 0

coolant pump) " loss of function" or "does not continue to run" failure. The seizure of a rotor or shaft break would be a " loss of function" or "does not continue to run" f ailure. Thus the probability of rotor seizure or shaf t break is less than 5x10-8/hr. On an annual basis the probability is on the order of 4x10-4 or less. The overall probability of a shaft break or rotor

seizure causing offsite consequence would be the product of the probability of the f ailure times the probability that the reactor protective system fails, a small probability.'
6. Conclusions This issue has low potential for significantly reducing the risk from the operation of the San Onofre Unit 1. Additionally, this issue was com-pletely resolved before completion of the final report.

l San Onofre 1 SEP 143 Appendix 0

REFERENCES

1. Baranowsky, P.W., A.M. Kolaczkowski and M.A. Fedele, "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear. Power Plants," NUREG-0666, April 1981.
2. IEEE Guide to the Collection and Presentation of Electrical, Electron-ics, and Sensing Component Reliability Data for Nuclear Generating Stations, IEEE Std 500-1977(1977).
3. Kolb, G.J., et. al., " Interim Reliability Evaluation Program: Analysis of the Arkansas Nuclear One - Unit 1 Nuclear Power Plant," NUREG/CR-2787. June 1982.
4. Memorandum for D.G. Eisenhut, NRC, from T.E. Munly, NRC, on the subject of Reactor Coolant Pump Seal Failure.
5. Reactor Safety Study An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG-75/014), U.S. Nuclear Regulatory Comission, October 1975.

6 Swain, A.D., and H.E. Guitmann, " Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278, October 1980.

7. Nonelectronic Parts Reliability Data, Reliability Analysis Center, Rome Air Development Center, NPRD-2.

San Onofre 1 SEP 144 Appendix 0

AFPENDIX E REFERENCES TO CORRESPONDENCE

FOR EACH TOPIC EVALUATED i

l l' I i . T San Onofre 1 SEP

SEP Topic No. Date Reference II-1.A 11/7/79 Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE), l

Subject:

San Onofre Unit 1 - SEP Topic II-1.A. ! II-1.B 11/7/79 Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE), l

Subject:

San Onofre Unit 1 - SEP Topic II-1.B. II-1.C 5/3/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic II-1.C, Potential Hazards Due to Nearby Industrial, Transportation and Military Facilities (San Onofre Unit 1).

II-2.A 4/27/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic Il-2.A, Severe Weather Phenomena. II-2.C 11/18/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic II-2.C, Atmospheric Transport and Diffusion Characteristics for Accident Analysis (San Onofre Unit 1). II-3.A 1/31/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topics II-3.A, Hydrologic Description; II-3.B, Flooding Potential and Protection Requirements; II-3.B.1, Capability of Operating Plants To Cope With Design Basis Flooding Conditions; and II-3.C, Safety-Related Water Supply (Ultimate Heat Sink). 8/27/84 Letter from W. Paulson (NRC) to K. Baskin (SCE),

Subject:

San Onofre Unit 1 - Hydrology Issues. II-3.8 See references for Topic II-3.A. II-3.B.1 See references for Topic II-3.A. II-3.C See references for Topic II-3.A. Ib 4 11/18/82 Letter-from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre. Nuclear Generating Station, Unit 1 - SEP Topics II-4, Geology and Seismology, and II-4.B, Proximity of Capable Tectonic Structures in Plant Vicinity. II-4.A 9/16/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

Free Field Ground Motion To Be Used in the Seismic Reevaluation of San Onofre Nuclear Generating Station, Unit 1. 8/16/84 Letter from D. M. Crutchfield (NRC) to K. Baskin (SCE), l l

Subject:

Seismic Ground Motion - San Onofre Nuclear l Generating Station, Unit 1. San Onofre 1 SEP E-1

SEP Topic No. Date Reference II-4.B 11/18/82 See reference for Topic II-4. II-4.C See references for Topic II-4.A. II-4.0 11/12/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic II-4.D, Stability of Slopes - San Onofre Unit 1. II-4.F 12/1/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic II-4.F, Settlement of Foundations and Buried Equipment - San Onofre 1. II-4.F 11/13/84 Letter from W. Paulson (NRC) to K. Baskin (SCE),

Subject:

SEP Topics II-4.F, Settlement of Founda-tions - Evaluation of Sea Wall, San Onofre Unit 1. 

   'III-1        11/18/81  Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topics III-1 and VII San Onofre Unit 1. 6/25/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic III-1, San Onofre Nuclear Genera-ting Station, Unit 1. 1/26/83 Letter from R. W. Krieger (SCE) to D. M. Crutchfield (NRC),

Subject:

SEP Topics III-1 and III-7.B (San Onofre Nuclear Generating Station, Unit 1). 4/23/84 Letter from D. M. Crutchfield (NRC) to K. Baskin (SCE),

Subject:

SEP Topic III-1, Quality Group Classification of Components and Systems - San Onofre Nuclear Genera-ting Station, Unit 1.- III-2 2/1/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic III-2, Wind and Tornado Loadings - i San Onofre Unit 1. 4/26/84 Letter from D. M. Crutchfield (NRC) to K. Baskin (SCE),

Subject:

SEP Topics III-2, Wind and Tornado Loadings and III-7.8, Design Codes, Design Criteria and Load Combinations - San Onofre Unit 1. II'-3.A 12/13/84 Letter from J. Zwolinski (NRC) to K. Baskin (SCE),

Subject:

SEP Topic III-3.A, Effect of High Water Level on Structures - San Onofre Nuclear Generating l Station, Unit 1. III-3.C 11/27/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic III-3.C, Inser-vice Inspection of Water Control Structures. San Onofre 1 SEP E-2 i 

 'SEP Topic No. Date.      Reference III-4.A    11/19/82    Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic III-4.A, Tornado Missiles, San Onofre Unit 1. III-4.B 2/1/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic III-4.8, Turbine Missiles, San Onofre Unit 1. III-4.C 10/12/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

Systematic Evaluation Program III-4.C, Internally Generated Missiles - San Onofre Unit 1. III-4.D '11/16/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic III-4.D, Site Proximity Missiles - San Onofre Unit 1. III-5.A 4/26/84 Letter from D. M. Crutchfield (NRC) to K. Baskin (SCE),

Subject:

SEP Topic III-5.A, Effects of Pipe Break on Structures, Systems and Components Inside Containment San Onofre Nuclear Generating Station, Unit No. 1. III-5.B 4/23/84 . Letter from D. M. Crutchfield (NRC) to K. Baskin (SCE),

Subject:

San Onofre Unit 1 - SEP Topic.III-5.B, Pipe Break Outside Containment III-6 11/21/84 Letter from D. G. Eisenhut (NRC) to K. Baskin (SCE),

Subject:

Contingent Rescission of Suspension. 

 'III-7.B     9/21/82     Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

Systematic Evaluation Program III-7.B,. Design Codes, Design Criteria and Load Combinations San Onofre Unit 1. 1/26/83 See reference for Topic III-1. 4/26/84 See reference for Topic III-2. III-7.D 4/23/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic III-7.0, Containment Structural Integrity Test. I III-8.A 12/28/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

Systematic Evaluation Program Topic III-8.A, Loose Parts Monitoring and Core Barrel Vibration Pro-gram - San Onofre Unit 1. III-8.C 1/29/80 Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE),

Subject:

San Onofre Unit 1 - Irradiation Damage, Use of Sensitized Stainless Steel and Fatigue Resistance (SEP Topic III-8.C). San Onofre 1 SEP E-3 

                                            ~   .          - - - - - -

SEP Topic No. Date Reference III-10.A 7/24/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic III-10.A, Thermal-Overload Protec-  ! tion - San Onofre Unit 1. J III-10.B 11/8/79 Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE),

Subject:

Completion of Topic III-10.B, Pump Flywheel Integrity - San Onofre Unit 1. IV-1.A 11/13/79 Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE),

Subject:

San Onofre Unit 1 - SEP Topic IV-1.A. IV-2 1/3/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic IV-2. V-5 3/7/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic V-5, RCPB Leakage Detection, San Onofre Nuclear Generating Station, Unit 1. V-6 3/5/80 Letter from D. L. Ziemann (NRC) to R. Dietch (SCE),

Subject:

Completion of SEP Topic V-6, Reactor Vessel Integrity - San Onofre Unit 1. 1/10/84 Letter from W. Paulson (NRC) to K. Baskin (SCE),

Subject:

San Onofre Nuclear Generating Station, Unit 1 - SEP Topic V-6, Reactor Vessel Integrity. V-7 1/7/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

Systematic Evaluation Program Topic V-7, Reactor Coolant Pump Overspeed - San Onofre Unit 1. V-10.A 1/7/81 Letter from D..M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic V-10.A, Residual Heat Removal System Heat Exchanger Tube Failure - San Onofre Unit 1. V-10.8 11/12/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topics V-10.B, RHR System Reliability; V-11.B, RHR Interlock Requirements; and VII-3, Systems Required for Safe Shutdown (Safe Shutdown Systems Report). V-11.A 8/3/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic V-11.A, Requirements for Isolation of High and Low Pressure Systems Safety Evaluation for San Onofre Unit 1. San Onofre 1 SEP E-4

i SEP Topic No. Date References V-11.8 2/4/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic V-11.B, RHR Interlock Require- 

                            ,ments - San Onofre Unit 1.

11/12/82 See reference for Topic V-10.B VI-1 7/13/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VI-1, Organic Materials and Post-Accident Chemistry (San Onofre Unit 1). VI-2.D 1/12/82 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

Systematic Evaluation Program (SEP) for San Onofre Nuclear Generating Station, Unit 1 - Evaluation Report on Topics VI-2.D and VI-3. VI-2.0 5/27/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

Systematic Evaluation Program (SEP) for San Onofre Nuclear Generating Station, Unit 1 - Evaluation Report on Topics VI-2.D and VI-3. 2/24/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topics VI-2.D, VI-3 and VII-3.B, San Onofre Nuclear Generating Station, Unit 1. VI-3 See references for Topic VI-2.D. VI-4 3/3/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

Forwarding Draft Evaluation Report of SEP Topic VI-5, Containment Isolation System for the San Onofre Nuclear Generating Station, Unit 1. 9/16/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic VI-4, Containment Isolation Systems. 12/6/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic VI-4, Containment Isolation System (Electrical). VI-4 10/27/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Nuclear Generating Station, Unit 1 - SEP Topic VI-4, Containment Isolation System (Electrical). VI-6 8/12/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic VI-7.A.1. 

   -VI-7.A.3       11/18/81  Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VI-7.A.3, ECCS Actuation System Safety Evaluation Report - San Onofre Unit 1. 

   . San Onofre 1 SEP                      E-5

SEP Topic No. Date References VI-7.A.3 2/1/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VI-7.A.3, ECCS Actuation System Final Safety Evaluation Report - San Onofre Nuclear Generating Station, Unit 1. VI-7.B 9/4/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VI-7.B, San Onofre Unit. 1. 11/24/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1, SEP Topic VI-7.B, ESF Switchover From Injection to Recirculation Mode (Automatic ECCS Realignment). VI-7.C 1/6/83 Letter from W. Paulson (NRC) *.o P. Dietch (SCE),

Subject:

SEP Topics VI-7.C, ECCS Single Failure Criterion and Requirements for Locking Out Power to Valves, and VI-7.C.2, Failure Mode Analysis (San Onofre Unit 1). VI-7.C.1 8/3/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VI-7.C.1, Appendix K - Electrical Instrumentation and Control (EI&C) Re-reviews, Safety Evaluation for San Onofre Unit 1. VI-7.C.2 1/6/83 See reference for Topic VI-7.C. VJ-7.D 8/18/78 Letter from D. G. Eisenhut (NRC) to J. H. Drake (SCE),

Subject:

Evaluation.of Eight SEP Topics. VI-10.A 8/28/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VI-10.A, Testing of Reactor Trip System and Engineered Safety Features, Including Response-Time Testing, Safety Evaluation for San Onofre Unit 1. 4/28/83 Letter from W. A. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VI-10.A, Testing of Reactor Trip System and Engineered Safety Features, Including Response-Time Testing, Final Safety Evaluation Report for the San Onofre Nuclear Generating Station, Unit 1. , VI-10.8 11/15/79 Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE),

Subject:

SEP Topic VI-10.8 - San Onofre Unit 1. VII-1.A 9/9/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE), Subject- SEP Topic VII-1.A, Isolation of Reactor Protection System from Non-Safety Systems, Including Qualification of Isolation Devices - San Onofre Unit 1. San Onofre 1 SEP E-6

i SEP Topic No. Date Reference VII-1.A 2/10/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VII-1.A, San Onofre Unit 1. VII-1.B 8/17/78 See reference for Topic VI-7.D. VII-2 11/17/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VII-2, Engineered Safety Features (ESF) System Control Logic and Design - San Onofre Unit 1. VII-2 3/30/83 Letter from W. A. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VII-2, Engineering Safety Features (ESF) System Control Logic and Design - San Onofre Unit 1. VII-3 11/18/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VII-3, Systems Required for Safe Shutdown, Draft Safety Evaluation for San Onofre. 6/4/82 Letter frpm W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - Evaluation of SEP Topic VII-3, Systems Required for Safe Shutdown (EICS Matters). 11/12/82 See reference for Topic V-10.8. VII-6 8/28/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

Topic VII-6, Frequency Decay (San Onofre Unit 1). VIII-1.A 11/23/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VIII-1.A, Potential Equipment Failures Associated With Degraded Grid Voltage - San Onofre Unit 1. VIII-2 3/2/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VIII-2, Onsite Emergency Power Systems - Diesol Generator Safety Evaluation for San Onofre Unit 1. 7/31/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VIII-2, Onsite Emergency Power Systems - Diesel Generator, Safety Evaluation for San Onofre Unit 1. VIII-3.A 11/7/79 Lettar from D. L. Ziemann (NRC) to J. H. Drake (SCE),

Subject:

SEP Topic VIII-3.A, Safety Evaluation for San Onofre Unit 1. S n Onofre 1 SEP E-7

SEP Topic No. Date Reference VIII-3.B 1/28/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VIII-3.B, DC Power System Bus Voltage Monitoring and Annunciation, Revised Safety ' l Evaluation for San Onofre Unit 1. 7/24/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VIII-3.B. 2/24/83 See reference for Topic VI-2.0. VIII-4 12/31/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VIII-4, Electrical Penetrations of Reactor Containment - San Onofre Unit 1. 12/6/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic VIII-4, Electrical Penetrations of Reactor Containment Safety Evaluation Report for San Onofre Nuclear Generating Station, Unit 1. IX-1 12/7/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

Topic IX-1, Fuel Storage, SONGS 1. IX-3 12/27/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic IX-3, Station Service and Cooling Water System - San Onofre Nuclear Generating Station, Unit 1. IX-4 7/16/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic IX-4. IX-5 11/2/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

Forwarding Evaluation Report of SEP Topic IX-5, Ventilation Systems for the San Onofre Nuclear Generating Station, Unit 1. IX-6 12/2/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic'IX-6, Fire Protection - San Onofre Nuclear Generating Station, Unit 1. XIII-2 1/22/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

Amendment No. 51. XV-1 7/22/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre 1 - SEP Topic XV-1. XV-2 1/29/80 Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE),

Subject:

Completion of SEP Topic XV-18 (XV-2) - San Onofre 1. San Onofre 1 SEP E-8

SEP Topic No. Date Reference XV-2 12/17/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic XV-2. 

     ~XV-3                 8/26/81                  Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

SEP Topic XV-3, XV-19 (Systems) - San Onofre Unit 1. XV-4 4/5/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topics XV-4, XV-12 (Systems) and XV San Onofre Unit 1. XV-5 3/14/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic XV-5. XV-6 3/3/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic XV-6. XV-7 10/5/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

SEP Topic XV-7, San Onofre Unit 1. XV-8 11/19/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topics XV-8 and XV-12 (Systems). XV-9 2/24/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic XV-9. XV-10 3/29/83 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic XV-10, Chemical and Volume Control System Malfunction That Results in a Decrease in Boron Concentration in the Reactor Coolant. 4/27/84 Letter from D. M. Crutchfield (NRC) to K. Baskin (SCE),

Subject:

San Onofre Unit 1 - SEP Topic XV-10. XV-12 1/29/80 Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE),

Subject:

SEP Topic XV-12, Radiological Consequences - i San Onofre Unit 1. 4/5/82 See reference for Topic XV-4. XV-14 2/22/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic XV-14. XV-15 4/20/82 Letter from W. Paulson (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic XV-15. XV-16 4/5/82 See reference for Topic XV-4. San Onofre 1 SEP E-9

l l l 

           ' SEP Topic No. Date     Reference XV-17         1/29/80  Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE),      )

Subject:

San Onofre Unit 1 - SEP Topic XV-17, Radio-  ! logical Consequences. 12/7/81 Letter from D. M. Crutchfield (NRC) to R. Dietch (SCE), j

Subject:

San Onofre Unit 1 - SEP Topic XV-17 (Systems). XV-19 1/29/80 Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE), L

Subject:

San Onofre Unit 1 - SEP Topic XV-19, Radio-logical Consequences. 8/26/8I See reference for Topic XV-3. XV-20 1/17/80 Letter from D. L. Ziemann (NRC) to R. Dietch (SCE),

Subject:

San Onofre Unit 1 - SEP Topic XV-20. 3/28/80 Letter from J. G. Hayes (SCE) to D. L. Ziemann (NRC),

Subject:

San Onofre Unit 1 - SEP Topic XV-20. XVII 11/20/79 Letter from D. L. Ziemann (NRC) to J. H. Drake (SCE),

Subject:

Completion of SEP Topic XVII - San Onofre Unit 1. O r San Onofre 1 SEP E-10

1 APPENDIX F REVIEW OF OPERATING EXPERIENCE FOR SAN ONOFRE NUCLEAR GENERATING STATION, UNIT NO. 1 San Onofre 1 SEP

NSIC-201 Contract No. W-7405-ens-26 Nuclear Safety Information Center Engineering Technology Division REVIEW OF H E OPERATING EXPERIEN E HISTORY OF SAN ONOFRE 

 ,                                                                                   UNIT NO.1 THROUGH 1981 FOR 1BE NUEEAR REGULATORY
!                                                                                        CONNISSION'S SYSTENATIC EVALUATION PROGRAN M. L. Casada, JBF Associates, Inc.

A. B. Crawford, ORNL/NSIC K. H. Harrington, JBF Associates. Inc. G. T. Nays, ORNL/NSIC July 1983 Prepared for the U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation j Under Interagency Agreement DOE 40-544-75 Prepared by the OAK RIDGE NATIONAL LABORAlt)RY Oak Ridge, Tennessee 37830 operated by UNION CARBIDE CORPORATION 

,                                                                                                                                                                    for the DEPAR11 EDIT OF ENERGY F-iii

CON 11!NTS f.111 LIST OF TABLES .................................................. F-viii LIST OF FIGURES ................................................. F-ix EXECUTIVE

SUMMARY

    ...............................................                                        F-xii
1. SODPE OF REVIEW ............................................. F-1 1.1 Availability and Capacity Factors ...................... F-1 1.2 Review of Forced Shutdowns and Power Reductions ........ F-2 1.3 Review of Reportable Events ............................ F-9 1.4 Events of Environmental Laportance and Releases of Radioactivity .......................................... F-9 1.5 Evaluation of Operating Enperience ..................... F-17
2. SOURMS OF INFORMATION UTILIZED IN TEE REVIEW ............... F-19 2.1 Availability and Capacity Factors ...................... F-19 2.2 Forced Reactor Shutdowns and Power Reductions .......... F-19 2.3 Reportable Events ...................................... F-19 2.4 Environmental Events and Releases of Radioactivity ..... F-19
3. TEGNICAL APPROAG FOR EVALUATIONS OF OPERATING RISTORY ........................................... F-22 3 .1 Significant Shutdowns and Power Reductions ............. F-23 3.1.1 Criteria for significant shutdowns and power reductions ............................ F-23 3.1.2 Use of criteria for determining significant shutdowns and power reductions .................. F-23 3.1.3 Non-DBE shutdown and power reduction ca tegoriz a tion .................................. F-23 3.2 Significant Reportable Events .......................... F-28 3.2.1 Criteria for significant reportable events ...... F-28 3.2.2 Use of criteria for determining significant r epo r t s bl e ev e n t s ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-28 3.2.3 Reportable events that were not significant ..... F-28
4. OPERATING EXPERIENG REVIEW OF SAN ONOFRE UNIT NO.1 ........ F-32 4.1 Summary of Operational Events of Safety Laportance ..... F-32 4.2 General Plant Description .............................. F-32 F-v

2a11 4.3 Availability and Capacity Factors ...................... F-32 4.4 Forced Reactor Shutdown and Forced Power Reductions .... F-35 4.4.1 Review of reactor shutdowns and power I reductions ...................................... F-35 ) 4.4.1.1 Yearly summaries for San Onofre Unit No. 1 .................................. F-35 4.4.1.2 Systems involved ....................... F-42 4.4.1.3 Causes of forced reactor shutdowns and forced power reductions ................ F-43 4.4.1.4 Non-de sign basis events ................ F-43 4.4.2 Review of design basis events ................... F-43 4.4.2.1 D1.2 feedwater system malfunctions that result in an increase in feed- l water flow ............................. F-45 4.4.2.2 D2.2 loss of external electric load .... F-47 4.4.2.3 D2.3 turbine trip ...................... F-47 4.4.2.4 D2.7 loss of normal feedwater flow ..... F-47 4.4.2.5 D3.1 single and multiple reactor cool-ant pump trips ......................... F-47 4.4.2.6 D4.3 control rod as1 operation .......... F-47 4.4.2.7 D5.1 inadvertent operation of ECCS during power operation ................. F-48 4.4.3 Trends and safety implications of forced reac-tot shutdowns and forced power reductions ....... F-48 4.4.3.1 Pressuriser relief valves .............. F-48 4.4.3.2 Turbine overspeed ...................... F-49 4.4.3.3 Condenser tube leakage ................. F-4 9 4.4.3.4 Indications of dropped control rods .... F-50 4.5 Reportable Events ...................................... F-50 4.5.1 Review of reportable events from 1967 to 1981 ............................................ F-50 4.5.1.1 Yearly summaries ....................... F-50 4.5.1.2 Systems involved in reportable events .. F-56 4.5.1.3 Causes of reportable events ............ F-58 l 4.5.1.4 Radioactivity release summary of reportble events ....................... F-58 4.5.1.5 Ravironmental impact s===ary of reportable events ...................... F-58 i 4.5.2 Review of significant events .................... F-61 4.5.2.1 Loss of safety injection system  ; function ............................... F-61 4.5.2.2 Equipment disabled by cable tray fires .................................. F-64 4.5.2.3 Loss of offsite power .................. F-65 4.5.2.4 Loss of enersency AC power supply ...... F-67 4.5.2.5 Failure of multiple salt water cooling pumps .................................. F-67 F-vi

f.AA1 1 4.5.2.6 Loss of boric acid inj ection paths ..... F-68 4.5.2.7 Instrumentation channels fall due to flooding ............................... F-69 4.5.3 Trends and safety implications of reportable events .......................................... F-69 4.5.3.1 Inverters and vital bus power .......... F-69 4.5.3.2 Steam generator tube leaks ............. F-73 4.5.3.3 Dilution of primary coolant ............ F-73 4.5.3.4 Tsunami gate closure ................... F-74 4.6 Evaluation of Operating Experience ..................... F-74 REFERENCES ...................................................... F-76 Appendix A.1 SHUDOWN AND POWER REDUCTION TABLES ............... F-81 Appendix A.2 REPORTABLE EVENT CODING SHEE15 .................... F-112 I I I i t l F-vii

LIST OF TABLES HEEhf.E 211 1.1 Codes for causes of forced shutdown or power reduc-tion and methods of shutdown .......................... F-3 1.2 Codes for systems involved with the forced shutdown. Power reduction, or reportable event .................. F-4 1.3 Components involved with the forced shutdown or power reduction ............................................. F-7 1.4 Codes for data collected on plant status, component status, and cause of reportable events ................ F-10 1.5 Codes for equipment and instruments involved in re-portable ' events ....................................... F-ll 1.6 Codes used for reportable events abnormal conditions ............................................ F-12 3.1 Initiating event descriptions for DBEs as listed in 

            . Standard Review Plan, Chap.15 (revision 3)                    ........... F-24 3.2     NSIC event ca tegories for non-DBE shutdowns                   ........... F-26 3.3     Reportable event criteria             significant        ...............       F-29 3.4     Reportable event criteria - conditionally signifi-cant ..................................................                        F-30 4.1     Ave 11 ability and capacity factors for San Onofre Unit No. 1 ............................................                        F-34 4.2     Forced shutdown summary for San Onof re Unit No.1                       ..... F-36 4.3     Power reductions sammary for San Onof re Unit No.1                        .... F-37

. 4.4 NSIC primary category sammary for non-DBE shutdowns ! for San Onofre Unit No. 1 ............................. F-44 4.5 DBE initiating events at San Onof re Unit No.1 ........ F-4 6 4.6 Summary of systems involved in reportable events at San Onofre Unit No. 1 .............................. F-57 4.7 Summary of causes of reportable events at San i Onofre Unit No. 1 ..................................... F-59 1 4.8 Summary of radioactivity releases at San Onofre Unit No. 1 ............................................ F-60 4.9 Summary of significant events catesories at San Onof re Unit No.1 ................................. F-62 4.20 Tabulation of reports categorized as sisnificant [ for San Onofre Unit No. 1 ............................. F-63 l l l l F-viii I 

                                          ~ . _       _     .                   . . - -                         ,_               . . _ . .    .-     --                          ~

LIST OF FIGURES Flaure IAAR. 4.1 San Onofre plant site ................................. F-33 4.2 Number of condenser tube leakage events ............... F-51 4.3 Number of reported events per year at San Onof re Unit No. 1 ........................................... F-52 4.4 Nesber of partial vital power losses ................. F-70 6 4 F-ix i l 

        .,   .-, . , . , . ., , , , , - . . . , , . .         .m  , . . , . _ _ . . _ . . - . . _ . _ _ . , _ .               _.           ..    . _ _ . , _ _ . _ _ _ _ _ . . ,

REVIEW OF THE OPERATING HISTORY OF SAN ONOFRE UNIT NO.1 THROUGH 1981 i EXECUTIVE

SUMMARY

l ! The Systmaatic Evaluation Program Branch of the Nuclear Regulatory Commission (NRC) is conducting the Systema tic Evaluation Program (SEP) for the purpose of determining the safety margins of the design and operation of ten of the older operating commercial nuclear power plants in the United States. These ten plants are being reevaluated in terms of present NRC licensing requirements and regulations. Thus, the SEP is intended: 1

1. to establish documentation that shows how these ten plants compare with current acceptance criteria and guidelines on significant safety issues and to provide a technical rationale for acceptable departures from these criteria and guidelines,
2. to provide the capability for making integrated and balanced deci-sions with respect to any required backfitting, and
3. to provide for the early identification and resolution of any poten-tial safety deficiency. ,

i The SEP evaluates specific safety topics based on an integrated review of' 

 .the overall ability of a plant to respond to certain design basis events including normal operation, transients, and postulated accidents.

As part of the SEP, the NRC contracted with the Oak Ridge National Laboratory to perform operating history reviews. These reviews are in-tended to augment the SEP's safety topic review and to aid in the deter-mination of priorities for required backfitting during the integrated a s se s sment. Each review includes collection and evaluation of availabil-ity and capacity factors, forced shutdowns, forced power reductions, re-portable events, environmental events, and radiological release events. This summary presents the results from the review of the operating j experience of the San Onofre Nuclear Generating Station Unit No.1. San

Onofre Unit No. 1 is.a Westinghouse Electric Corporation pressurized-water

, react'or of 436 MW(e) net maximum dependable capacity. The facility is operated by Southern California Edison (SCE) and jointly owned by SCE and San Diego Gas and Electric Campany. Bechtel Corporation was the archi-tect/ engineer and constructor of the plant. The plant lies entirely with-in the Camp Pendleton Marine Reservation near San Clasente in San Diego County, California. The plant is operated under provisional operating i license DPR-13, isssed on March 27, 1967. The date of initial criticality was June 14, 1967 and commercial operation commenced July 17, 1967. Reactor availability at San Onofre Unit No.1 for the period 1967

through 1981 was 68.3%. Reactor availability was above 70% except for the j years
1968,1973,1977,1980, and 1981. In these years the unit experi-

! enced extended shutdowns. In 1968, the plant was shut down for six months ! due to a cable fire. A turbine blade f ailure in 1973 required a twd and one-half month sht tdown for repair. Reactor coolant pump and steam gener-ator tube inspections, along with steam generator tube plugging required a i F-xi

l 1 l 

           . one month shutdown in 1977.
                               ~

Steam generator tube repair also caused an 11 month shutdown for repair beginning in July,1980, resulting in the rela- l 4 tively low availability achieved in 1980 and 1981. The operating history review focused on data evaluation which was l divided into two segments: (1) evaluation of forced shutdowns and power reductions and (2) evaluation of reportable events. Design basis events (DBEs), which are defined in NRC's Standard Revies Plan, are f ailures that

initiate system transients and challenge engineered safety features. In
the forced shutdown and power reduction se gment, the review identified ,

DBEs and recurring events that indicate a potential operating concern. In' l the reportable event segment, which included environmental events and i radiological release events, the review identified significant events and I recurring events that indicate a potential operating concern. Significant . events were either DBEs or events with a loss of engineered safety func-l tion. Forced Shutdowns and Power Reductions Of the 154 forced shutdowns and power reductions at San Onofre Unit No.1 be tween 1967 and 1981, 27 were identified as de sign ba sis events of one of the following types: i , 1. control rod saloperation (12) .

2. turbine trip (5),
3. Increase in feedwater flow (4),
;            4. loss of external electric load (4),
5. loss of normal feedwater flow (1), and
6. reactor coolant pump trip (1).

2 Of these 27 events, 21 resulted from equipment f ailure, five f rom person-nel errors and one due to an offsite power disturbance. Ean Onofre Unit No. I has experienced an average of fewer than two DBEs per year with no discernible trend in the frequency with which DBEs have occurred. Control rod saloperation caused 11 of the 27 DBE events. l All 11 involved dropped control rods occurring be tween 1967 and 1977, with 4 events occurring in 1968 and 3 in 1977. The problem has not occurred since 1977. Renortable Events l In the reportable event se pnent of the operating review of San Onof re i Unit No.1, 327 events were examined. From 1967 through 1974, an average j of 17 events per year was recorded while from 1975 to 1981, the average j was 27 events. The increasing number of events reported can be attributed i in part to events concerning steam generator and condenser tube leakage. The cause of the maj ority of the reportable events at San Onofre Unit 1 

          ' No.1 was inherent equipment f ailure (60%). Human error (including admin-l           1strative, de si gn, fabrication, installation, maintenance and operator

! -error) caused another 35% of the events. Other cause s including weather, minor earthquake s, and of fsite brush fires accounted for the remaining 5% of the events. F-xii

, Of the 237 events reviewed, 23 were identified as si gnificant, and are categorized as: o loss of safety inj ection system function (3), o loss of salt water cooling flow (1), o loss of of f site power (5),

l. o loss of emergency AC power supply (3),

l o - feedwater supply transients (3), i o cable. tray fires (2), o . loss of boric acid inj ection path (2), o instrumentation channel s f ait due to flooding (2), and o turbine overspeed events (2) . t The first two types of significant events are discussed in this saamary. 

                     . TVo potential losses of safety inj ection function and one f ailure to actuate on demand have occurred at San Onof re Unit No.1.                                                         In 1967, one month prior to power operation, both safety inj ection pumps declared in-ope rabl e. Noisture penetration of the motor windings caused both pumps to f ail megger testing. .The licenses sealed openings to prevent reoccur-7 rence.

In 1975, SCE reported a potential single f ailure that would cause loss of at least a portion of the flow from both safety inj ection trains. Failure of either of the two safety inj ection pumps' discharge valves could allow safety inj ection flow from both pumps to be routed to the steam generator rather than to the reactor coolant system. Administrative controls were established to protect against such a failure and subse- ! quently extensive modifications corrected the problem. On September 3,1981, a voltage regulator f ailure caused erratic in- 

,           strument readings leading to a manual reactor trip.                                                         In the transient fol-lowing the trip, safety inj ection actuation occurred due. to a decrease in reactor coolant system pressure. However, operator surveillance dis-covered that the safety inj ection valves both f ailed to open.                                                        Since the RCS pressure never dropped to the discharge pressure of the safety inj ec-tion pumps, SIS flow would not have occurred even if the valves had opened.                 This event represents f ailure of .both trains of safety inj ection.

A design evaluation and further . testing determined that the valves would not open against the design differentisi pressure. De sign change s were evaluated and implemented to correct the problem. Augmented surveillance testing of these valves was also instituted. On March 10, 1980, while operating at 100% power, San Onofre Unit No. , 1 experienced a camplete loss of flow from the salt water cooling system. l The salt water cooling system is the ultimate heat sink for the component l cooling water (CCW) system, which serves to cool certain safety-related

equipment. The event involved a triple f ailure consisting of (1) shearing

! of the south salt water cooling pump shaf t, (2) failure to open of the north salt water cooling pump discharge valve, and (3) failure of the auxiliary salt water cooling pump air priming system. As a result, the plant was totally without salt water cooling flow for 10 min, at which time an operator cross connected the screen wash pumps to provide salt water flow to a CCW heat exchanger. This limited the CCW temperature rise (from 66 to 82*F in the 10 min) and brought the equilibrium temperature I l i F-xiii l

down to 70*F. The screen wash pumps are not classified as safety-related equipment. At 41 min into the event, the auxiliary salt water cooling pump was restored to service and flow through it to an in-service CCW heat ex-changer began 17 min later. Throughout the event, the unit remained at or near full power. . A power reduction was initiated at first, but then stop-ped with only a 3 NW power decrease. The NRC cited the plant for two technical specification violations in this event. ! Although not in the original time frame for this examination of oper-i sting experience, three more events involving the salt water cooling sys-i tem occurred in 1982 and are discussed here. On May 13, 1982, two more complete losses of salt water cooling system flow occurred during mainte-nance. . During these events, the unit was in cold shutdown. The events i were due to flooding of the intake structure caused by inadequate mainte-j nance procedures. On August 13, 1982, flow from the operable north salt l water cooling pump was diverted through the idle south pump. This oc-

curred due to unexpected opening of the south pump's discharge valve. An l operator immediately closed the valve and no observable reactor coolant system temperature increase occurred. On August 19, 1982, with the south I saltwater cooling pump still out of service, the north pump had to be re-moved f rom service due to a muoking motor bearing. Necessary flow to the I CCW heat exchangers was maintained by the auxiliary salt water cooling pump, which although connected to an emergency bus, does not meet all seismic qualifications.

1 Recurrina Events l In addition to individual events considered significant, there are five areas in which problems have recurred at San Onof re over portions of the operating history. The problem areas were: o inverter railures and losses of vital bus power, o st e am generator leaks, o dilution of primary coolant, o tsunami sate closure, and o erroneous control rod indications. There have been 21 occurrences of momentary loss of vital power, causing 5 shutdowns and 9 power reductions. These events have occurred f rom 1969 to 1979, with all but one of the vital power interruptions due to inverter f ailures. Af ter the first 5 years of operation, steam generator tube leakage became a problem.- Beginning in 1972, steam generator tube leaks began recurring, causing 9 forced shutdowns and 17 reportable events. Steam generator tube leakage problems and required repairs were the reason for the 11 month shutdown that began in July 1980. On four occasions, dilution of the primary coolant system resulted in reduced boron concentration.- The first of these events was due to second-ary to primary system leakage during tube plugging. Another secondary to primary leakage that resulted in boron dilution was caused by a leaking block valve in the feodwater system. The remaining two dilution events F-xiv I [

o occurred due to water being added to the primarr systen during decontamin-ation of equipment. On three occasions, San Onofre has experienced inadvertent closure of the tsunami gate, the salt water intake stop gate. These events occurred in 1967,1968, and 1969 and were due to a shorted limit switch, rupture of the accumulator reservoir tank, and f ailure of the gate's annular bolts, l respectively. ' l Conclusions For this analysis of San Onof re Unit No.1 operating history,154 shutdowns and power reductions were reviewed along with 327 reportable events and other miscellaneous documentation concerning the operation of San Onof re Uni t No.1. The obj ective was to identify those areas of plant operation that have affected plant safety. This review identified three areas of concern for San Onofre Unit No. 1. The first concern involves the safety inj ection system. The two potential f ailures and one f ailure on demand for the safety inj ection system represent unacceptable response by an engineered safety feature. The total loss of salt water cooling flow in 1980 would have been a more serious event if it had occurred during the early stages of residual heat removal operation. The continued problems with the system make the salt water cooling system a second area of concern identified in this re-view. Finally, the recurring problems with vital bus power caused by inver-ter f ailures is of concern. Although single inverter f ailures c're' of I limited consequence, the number of f ailures experienced at San Onof re pro-vide s the potential for concurrent f ailures. Reference

1. Nuclear Regulatory Commission, " Accident Analysis for the Review of Safety Analysis Reports for Nuclear Power Plants," Chap.15 of Stand-ard Review Plan, NUREG-0800 (July 1981).

1 l \ l i F-xv

e REVIEW OF THE OPERATING EXPERIENG HISIVRY OF SAN ONOFRE UNIT NO.1 THROUGH 1981 FOR THE NUCLEAR REGULA1 DRY COMMISSION'S SYSTEMATIC EVALUATION PROGRAM ! 1. S00PE OF REVIEW l L The assessment of the operating experience review for San Onof re Unit - No.1 covered the time from initial criticality through 1981. The da ta collection and evalua tion included the following aspects of operation: 

             . availability and capacity factors, _ forced shutdowns and power reductions, reportable events, events of environmental importance and radioactivity rel ea se s, and evaluation of _ the operating , experience in total. Tables at the end of Chap. I show the codes assigned to operational aspects of forced shutdowns, power reductions, and reportable events. These codes are used in the reporting of data collected during the review of operating e xpe rience.

1.1 Availability and Canacity Factors Both reactor and unit availability factors were compiled for all years.- Starting with 1974, the unit capacity factors using the design - electrical rating (DER) in net megawatts (electric) and the maximum de-pendable capacity (MDC) in net megawatts (electric) were complied as well. Data for the capacity factors were not available from earlier years. The two availability and two capacity f actors are defined as follows:

1. reactor availability =

J ' hours reactor critical + reactor reserve shutdown hours x 100 ,

, period hours
2. unit availability =

hours generator on line + unit reserve shutdown hours x 100 , period hours not electrical energy generated

3. unit capacity (DER) = x 00 ,

period hours x DER net t ! net electrical energy generated E 4. unit capacity (MDC) = *

  • period hours x MDC net

{ F-1 1 4 y .c.- , - , , , .-m-e . - , - - . , - - - . , - . ,,,.--4 , - , - - ..-v _%-.---v- - - - -,, , _ - - , .- . - - - . - - - . . , - - , .

4 Reserve shutdown hours are the amounts of time the reactor is not critical or the unit is shutdown for administrative or other similar reasons when operation could have been continued. 1 I i 1.2 Review of Forced Shutdowns and Power Reductions Forced shutdowns and power reductions were reviewed, and data were collected on each incident. Scheduled shutdowns for ref ueling and mains tenance were not included in the review. How eve r, if a utility had a re-fueling outage scheduled, the plant experienced a shutdown as a result of , an abnormal event prior to the scheduled refueling,' the utility reported l that the ref ueling was being rescheduled to coincide with the current shut down, and the utility reported the cause of the shutdown as ref ueling, then this shutdown was considered as forced. Only that portion of the outage time concerned with the abnormal event, not the ref ueling time, was included in the compilations. The power reductions were included to provide information and details that may have been associated with a previous or subsequent shutdown. The power reductions are included in the proper chronological sequence with the shutdowns in the data tables for the forced shutdowns and power reduc-tions (see Appendizes). The following data were compiled annually for the forced shutdowns and power reductions:

1. date of occurrence,
2. duration (hours),
3. power level (percent),
4. notation of whether the shutdowns were also reportable events [e.g.,

a licensee event report (LER) or abnormal occurrence report (AOR)],

5. summary description of events associated with the forced shutdown or 4

power reduction,

6. cause of shutdown (Table 1.1),
7. method of shutdown (Table 1.1),
8. system taken fras NURBG-0161 (Ref.1) that was directly involved with

!' the shutdown or power reduction (Table 1.2),

9. component directly involved with the shutdown or power reduction (Table 1.3), and
10. categorization of the shutdown or power reduction. l Each shutdown or power reduction was placed in one of two sets of signif-icance categories. The shutdowns and power reductions were first evalu-ated against criteria for design-basis events (DBEs) as described in Chap.

15 of the Standard Review Plan.: If the shutdown or power reduction could not be categorized as a design-basis initiating event, then it was placed ) in one of a series of Nuclear Safety Information Center (NSIC) ca te gorie s. ' For further discussions of the tro sets of significance categories, use of the categories, and a listir3 of them, see Sect. 3.1. The listings for the cause, shutdown method, system involved, and I component involved along with their respective codes are those used in the NUREG-0020 series (" Gray Books") on shutdowns. Note that the information l F-2

Table 1.1. Codes for causes of. forced shutdown or power reduction and methods of shutdown i Causes A Equipment failure B Maintenance or testing C Ref ueling D Regulatory restriction E Operator training and license exams F Administrative G Operational error. H Other

Nethods 1 Manual

, 2 Manual scram 3 Automatic scram 4 Continuation 4 5 Load reduction 9 Other I F-3 

      , . _ .  - _ - ,  -r.,- -~  --      ..e--,- , ,--. , , - . , , - .,,-- - , , - ~ --,, - , . . , , - - - . . .- -

Table 1.2. Codes for systems involved with the forced shutdown, power reduction, or reportable event System Code Reactor . RX Reactor vessel internals RA Reactivity control systems RB Reactor core RC Reactor coolant and connected systems CX Reactor vessels and appurtenances CA 

# Coolant recirculation systems and controls                      CB Main steam systems and controls                                 CC Main steam isolation systems and controls                       CD Reactor core isolation cooling systems and controls             CE Residual heat removal systems and controls                     -CF Reactor . coolant cleanup systems and controls                  OG Feedwater systems and controls                                  CH Reactor coolant pressure boundary leakage . detection systems   CI Other coolant subsystems and their controls                     CI Engineered safety features                                         SX Reactor containment systems                                     SA Containment heat removal systems and controls                   SB Containment air purification and cleanup systems and controls   SC Containment isolation systems and controls                      SD Containment combustible control systems and controls -          SE Emergency core cooling systems and controls                     SF Core reflooding system                                       SF-A Low pressure safety inj ection system and controls           SF-B High pressure saf ety inj ection system' and controls        SF-C Core spray system and controls                               SF-D Control room habitability systems and controls                  SG Other engineered safety feature systems and their controls      SH Containment purge system and controls                        SH-A Containment spray system and controls                        SH-B Auxiliary feedwater system and controls                      SH-C Standby gas treatment systems and controls                   SR-D Instrumentation and controls                                       IX Reactor trip systems                                            IA Engineered safety feature instrument systems                    IB    !

Systems required for safe shutdown IC  ; Safety-related display instrumentation ID l Other instrument systems required for safety IE Other instrument systems not required for safety IF l F-4

4 Table 1.2 (continued) System Code Electric power systems EX l Off site power systems and controls EA AC onsite power systems and controls EB DC onsite power systems and controls EC Onsite power systems and controls (composite ac and dc) ED Emergency generator systems and controls EE Emergency lighting systems and controls EF Other electric power systems and controls BG Fuel storage and hand 11ag systems FX New fuel storage f acilities FA Spent-fuel storage f acilities FB Spent-fuel pool cooling and cleanup systems and controls FC Fuel handling systems FD Auxiliary water systems WX Station service water systems and controls WA Cooling systems for reactor auxiliaries and controls WB Domineralized water makeup systems and controls WC Potable and sanitary water systems and controls WD

Ultimate heat sink facilities WE ,

Condensate storage facilities WF Other auxiliary water systems and controls WG Auxiliary process systems PX Compressed air systems and controls PA Process sampling systems PB i Chemical, volume control, and liquid poison systems and PC . controls Failed-fuel detection systems PD Other auxiliary process systems and controls PE Other auxiliary systems AX Air conditioning, heating, cooling, and ventilation systems AA and controls

' Fire protection systems and controls AB l Communication systems AC Other auxiliary systems and controls AD Steam and power conversion systems HI Turbine generators and controls HA Nain steam supply systems and controls (other than CC) BB Main condenser systems and controls HC
Turbine gland sealing systems and controls HD Turbine bypass systems and controls HE i

4 F-5

Table 1.2 (continued) System Code Circulating water systems and controls HF Condensate cleanup systems and controls HG Condensate and feedwater systems and controls (other than G) HH Steam generator blowdown systems and controls HI Other features of steam and power conversion systems (not HJ included elsewhere) Radioactive waste management systems MX Liquid radioactive waste management systems MA Gaseous radioactive waste management systems 301 Process and ef fluent radiological monitoring systems NC Solid radioactive waste masagement systems MD Radiation protectica systems BX Area monitoring systems BA Airborne radioactivity monitoring systems BB Other XX 

                                                  ~Not applicable                                                 ZZ 4

F-6

Table 1.3. Camponents involved with the forced shutdown or power reduction s . .< 

              /              Component type                                                        Including l-         Accumul a tors -                                                          Scram accumulators j                                                     Safety inj ection tanks
                             !                                                      Surge tanks Air dryers /                                                     $ ~i Annunciator modules'                                                      Alarms Bells B uz'ze rs Clazons Horns Gongs                                                                          .

Sirens' Batteries and chargers Chargers Dry cells Wet cells 4 Storage cells Blowers Compressors Gas circulators Fans 1 Ventilators

Circuit closers /interruptors Circuit breakers Contactors Confro11ers Starters Switches (other than sensors)

Switchgear Control rods Poison curtains Control rod drive sifchanisms Domineralizers Ion exchangers Electrical conductors Bus Cable Wire I i Engines, internal combustion Batane engines Diesel engines l Gasoline engines Natural gas engines Propane engines i Filters Strainers Screens Fuel elements Generators Inverters Heaters, electric l F-7 ) l 

                                                                        )

Table:1.3 (continued) Component type Including  ! Heat exchangers Conde nse rs 

                                      -Coolers Evaporators                      l Regenerative heat exchangers Steam generators Fan coil units Instrumentation and controls Mechanical function units              Mechanical controllers Governors Gear toxes Varidrives Couplings Motors                                 Electric motors Hydraulic motors Pneumatic (air) motors Servo motors

' Pene trations, primary containment air locks Pipes, fittings Pumps Recombiners Relays Shock suppressors and supports Transformers Turbines Steam turbines Gas turbines Hydro turbines Valves Valves Dampe rs Valve operators Ve s sel s, pressure Containment vessels Dry wells  ; Pressure suppression Pressurizers Reactor vessels F-8 

                                  -       ~_           .        - .       -      _.                     .                      . _ _ _ _ . .. -   ,        _            -

listed under the " System' involved" column in the data tables in Appendix-A.1 Indicates (1) a general classification of erstems (fully written out) and (2) a specific system, which is coded with two letters, within 

                         . the _ general classifica tion.

l . 1.3 Review of Resortable Events l The operating events as reported in LERs and LER predecessors [e.g., A0s, unusual event reports, reportable occurrences (ROs)] were reelewed. 

 !                         These types of reportable events were retrieved fram the NSIC computer
  ;                        flie.- Approximately six years agoe operating experience information for
;_                         operating nuclear power plants was input to the NSIC file for the period of time before LERs were reviewed. Any documents that contained LER-type I                         information (such as equipment f ailures or abnormal events) were coded or indexed so that they could be retrieved in the same manner as an LER.

Primarily, this involved various types of operating reports and general correspondence for the late 1960s and early 1970s. l The following information was recorded for each reportable event 4 reviewed:

1. LER number or other means of identification of report type,
2. NSIC accession number (a unique identification number assigned to
 ;                                    each document entered into the NSIC computer file),

! 3. date of the event, 4. date of the report or letter transmitting the event description,

5. status of the plant at the time of the occurrence (Table 1.4),
6. system involved with the reportable event (Table 1.2), I i 7. type of equipment involved with the reportable event (Table 1.5),
 ;'                           8.      type of instrument involved with the reportable event (Table 1.5),
9. status of the component (equipment) at the time of the occurrence (Table 1.4),
10. abnormal condition associated with the reportable event (e.g.,

e corrosion, vibration, leak) (Table 1.6),

11. cause of the reportable event (Table 1.4), and
12. significance of the reportable event.

1

As a step in the evaluation process, each reportable event was screened using the criteria further discussed in Sect. 3.2.

Note that in the tables of reportable events in Appendix A.2 for San Onof re Unit 1, comments and/or details on the events were included. f 1.4 Events of Environmental Innortance and j Releases of Radioactivity i l Any significant or recurring environmental problems were summarized 1

based on the review of forced shutdowns, power reductions, reportable i

events (environmental LERs), and operating reports. Routine radioactivity releases were tabulated as well, and releases that resulted in reportable 

;                         events were reviewed and are discussed in Sect. 4.5.1.4.

i t i F-9 

    ----'wei, y ----t-*t--T-7    w wm        w-e ewv+y   -p-mme               wuwww-yww Mumvag-wet w v wvw e-v = y=ww e wtwt--                  g w+ &v e-   eq+w-t*-v-   ee*e we-M t- m,-te-

Table 1.4. Codes for data collected on plant status, component status, and cause of reportable events i l Camponent Cause of reportable l Code Plant status status event I A Construction Maintenance Aaninistrative error and repair B Ope ration Operation Design error C Ref ueling Testing Fabrication error D Shutdown Inherent error E Installation error F Lightning G Naintenance error H Operation error I Weather i F-10 

             -                                         -_ = ,                  - _--                               _-     -_-              - -.                  ---- - -  _ . -             . =

Table 1.5. Codes for equipment and instruments involved in reportable events Code Code i Eeuinment ! A Accumulator W Internal combustion . engine B Air drier I Notor C Battery and charger Y Nozzle D Bearing Z Pipe and pipe fitting E Blower and dampers AA Power supply F Breaker BB Pressure vessel G Cables and connectors CC Pressurizer R Condenser DD Pump I Control rod EE Recombiner 

.         J       Control rod drive                                                                 FF                Seal K       Cooling tower                                                                     OG                Shock absorber L       Crane                                                                             IDI               Solenoid N       Domineralizer                                                                      II               Steam generator N.      Diesel generator                                                                 JJ                 Storage container 0       Fastener                                                                          KK                Support structure
P Filter / screen LL Transformer i Q Flange NN Tubing R Fuel element NN Turbine S Fase 00 Valve T Generator PP Valve, check U Rest exchanger QQ Valve operator V Heater 4

Instrumentation A Alarm L Power range instrument l B Amplifier N Pressure sensor C Electronic f unction unit N Radiation monitor D Failed fuel detection instrument 0 Recorder E Flow sensor P Relay F In-core instrument Q Seismic instrument G Indicator R Solid state device H Intermediate range instrument S Start-up range instrument I Level sensor T Switch l J Neteorological lastrument U Temperature sensor l K Position instrument l I t 4 F-11 T w -T ^--e-- .w-t4--, ,-+y,, - 

                                                  .-,y         m -..-=-y---,w-       -wgwv-w.r-ww.p,-w--.-m-g.y.--            y*v-se--w--g      -y---wrw--eg-w.,y-,       -www,m*- - . + --es-se+-e--

C t Table 1.6. Codes used for reportable evente-abnormal conditions Nechanical. AA Normal wear / aging /end of life: expected ef fect of normal usage AB Excessive wear / clearance: camponent (especially a moving camponent) experiences excessive wear or too much clearance or gap exists be-cause of overuse, lack of tubrication AC Deterioration / damage: component is no longer at an acceptable level of quality (e.g., high temperature causes rubber seals to chemically 

  ~ break down or deteriorate, insulation breaks down)

AD Break / shear: structural camponent physically breaks apart (not when something " breaks down") AE Warp / bend / deformation:- shape of component is physically distorted AF Collap se : - tank or compartment has an external pressure exerted that reaults in deformation AG Seize / bind /jas: component has inhibited movement caused by crud, foreign material, mechanical bonding, another component AB Excessive mechanical loads: mechanical load exceeds design limits AI Nechanical fatigue: f ailure due to repeated stress AI Impact: the result of the force of one obj ect striking another AK Improper lubrication: insufficient or incorrect lubrication AL Nissing/ loose: component is missing from its proper place or is loose or has undesired free movement AN Wrong part: incorrect camponent installed in a piece of equipment AN Wrong material: incorrect material used during fabrication or in-stellation A0 Weld-related failure: failure caused by defective weld or located in . the heat-af fected zone AP Vibration other than flow induced: vibration from any cause other , than fluid flow , AQ Crud buildup: buildup of foreign material such as dust, sticks, trash (not corrosion or boron precipitation) At Corrosion / oxidation: unanticipated attack i AS Dropped: component is dropped (includes control rod that is 

   " dropped" into core)

AT Leak, internal, within systems leak from one part of a system to another part of the same system AU Leak, internal, between systems: leak from one system to a different sy st em , AV Crack: defect in a camponent does not result in a leak through the wall F-12

Table 1.6 (continued) At Leak, external: defect in a component results in a leak from the system that is contained in an onsite building l Al Leak to environment: leak not resulting from a cracked or broken component l AY Was opened /transf ers open: component is/was opened by error or spur-i iously opens i AZ Was closed / transferred closed: component is/was wrongly closed by ~ , error or spuriously closes BA Falls to open: component is in the closed state and fails to open on demand (e.g., the circuit breaker " fails to open" when an overcur-rent occurs) BB Fails to close: component is in the open state and fails to close on demand BC Ma1 position or maladj ustment: component is out of desired position (e.g., normally open valve is closed) or adjusted improperly (not for instrument drif t or out of calibration) BD Failure to start / turn on: component f ails to start on demand BE' Stopped /f ailed to continue to run: component f ails to continue run-ning when it has previously started ' BF Tripped: component automatically trips on or of f (desired or unde- 

                  .       sired) (e.g.,         the turbine tripped because of overspeed, the circuit breaker tripped because of overspeed, or the circuit breaker tripped because of overload)
       'BG             Deenergized/ power removed: component on system loses its driving potential but not necessarily electrical power [e.g., (1) a fuse blows and there is no power to a sensor, and the sensor is deener-gized; '(2) a valve closes of f the steam supply to a turbine, and the turbine has no driving power]
                                                           '~

BH Energized / power applied: component or system gains its .triving po-tential but not necessarily electrical power (e.g., valve is opened allowing steem to turn a turbine) l l BI Unacceptable response time: component does not respond to a demand ! within a desired time frame but does not otherwise f all (e.g., a I diesel generator fails to come to full speed within the time con-l straint) l BJ High pressure: higher than normal or desired pressure exists in a l component or system (A211 A21 include instrument misindications) i l F-13 

      .e1 4     a   w   -              5ma. .4J-4   A.4F-A.A-   -.D  a . Lk+ - - . 'M. & -

a e=a 4; * -~- -- -. Table 1.6 (continued) BE Low pressure: lower than normal or desired pressure exists in a com- j

- ponent or system (A211 Rai include instrument misindication) l BL High temperature
component experiences a higher than normal or de-i sired temperature BN. Low temperature: component (or system) experiences a lower than nor-mal or desired temperature l BN Freezing: fluid medium (e.g., water) freezes in or on a component  !

B0 Excessive thermal cyc11as: frequent changes in temperature that ' could result in metal fatigue or cracking BP Unacceptable heatup/cooldown rate: heatup or cooldown rate exceeds limits-BQ Thermal transient: system experiences an undesired or unstable 

          . thermal transient or thermal change
BR Excessive number of pressure cycles
system experiences an undesired number of significant pressure changes (e.g., pressure pulses as F from a positive displacement pump)

BS High level / volume: higher than normal or desired level or volume exists (actual or potential) in a component, such as tank or sump, or area, such as anziliary building (not for instrument misindica- ' tion) lower than normal or desired level or volume r l BT Low level / volume: l exists in a component (not for instrument misindication) $ BU Abnormal concentration /pH: an abnormal (either high or low) concen-tration of a chemical or reagent exists in a fluid system or an ab-j. normal pH exists (does not include abnormal boron concentrations) BV Abnormal boron concentration: process system control rod has an ab-normal boron concentration from burnup, dilution, or overaddition i BW Overspeed: speed in excess of design limits BI Cladding failure: cladding of a component f ails (e.g., the cladding j

of a fuel pellet is breached, and radioactive fuel leaks out)

BY Burning /anoking: component is on fire or msoking i' BZ Engaged: component engages or meshes (this is not to be used when a component binds or becomes stuck or j ammed) CA Disengaged / uncoupled: component disengages, loses required fric- - tion, or is no longer meshed (as in sears): for example, the clutch on the motor disengages from the shaft (this should not be used for dropped control rods) i i F-14

l 1 Table 1.6 (continued) l Elec tric/ ins trument s EA Excessive electrical loads: electrical loads exceed design rating i EB Overvoltage/ undercurrent: component f ailure produce s an over-

voltage / undercurrent condition other than open circuits EC Unde rvol tage/overcurrent
component f ailure produces an under-l voltage /overcurrent condition other than shorts ED Short circuit / arcing / low impedance : electrical component shorts or arcs in the circuit or has a low impedance including shorts to ground
EE Open circult/high impedance / bad electrical contact: electrical com-ponent has a structural break, or electrical contacts f ail to con-tact and fall to pass the desired current EF Erratic operation: camponent '(especially electrical or instrument) a behaves erratically or inconsistently (if an instrument produces a bad but constant signal, use "BG": if an instrument produces an in-consistent signal use "EF")
BG Erroneous /no signal
electrical component or instrument produces an erroneous signal or gives no signal at all (not for out-of-calibra-
,                               tion error)

EH Drift: a change in a setting caused by aging or change of physical characteristics (does not include personnel errors or a physical 4 shift of a component) EI Dat of calibration: component (particularly instruments) become out l of adjustment or calibration (does not include drif t) < EJ Electromagnetic interference: abnormal indication or action result-ing from unanticipated electromagnetic field , EK Instrument snubbing: dampening of pulsating signals to an instrument Hydraulic HA High flow: higher than normal or desired flow exists in a compo- , nent/ system (does not include instrument misindication (see code i M) RB - Low flow: lower than normal or desired flow exists in a component / system (does not include instrument misindication) l- HC No flow or impulse: fluid flowing through a pipe, filter, orifice, f or trench or the fluid in an impulse line (e.g., instrument sensing line) is blocked completely or decreased due to some foreign mate-i rial, crud, closed (either partially or completely) valve or damper, l or insufficient flow area 1 i I l T-15

Table 1.6 (continue d) HD Flow induced vibration i HE Cavitation 1 HF Erosion I HG Vortex formation j HH Water hammer HI Pressure pulse / surge HJ ' Air / steam binding HK Loss of pump section HL- Boron precipitation Other OA Declared inoperable: component or system is declared snoperable as required by Technical Specifica tions but may be capable of partial-ly or completely performing its desired duties when requested (a component / system that is concletely f ailed should not use this code) OB Flux anomaly: flux characteristics of the reactor core are not as required or desired (e.g., flux spike due to -menon burnout)- OC Test not performed: operator or test personnel falls to perform a required test within the required period OD Radioactivity contamination: component, sy st em, or area becomes more radioactive than desired or expected OE Temporary modification: an installation intended for short term use (usually this is for maintenance or modification of installed equip-ment) 0F Environmental anomaly OG Airborne release OH Waterborne ~ release OI Operator cmamunication DJ Operator incorrect action OK Procedure or record error F-16

1.5 Evaluation of Oneratinn Emnerience The operating history of the plants was evaluated based on a review that inycived screening, categorizing, and campiling data. Judgments and conclusions were made regarding safety problems, ope ra tion s, trends (re-l carring problems), or potential safety concerns. Events were analyzed to detennine their safety significance from the information provided through the various operating reports and the review process. The final safety analysis reports provided specific plant and equipment details when nece s sa ry. From the information provided through the various operating reports and the review process, events were analyzed to determine their safety significance, using the final safety analysis reports to provide specific plant and equipment details when necessary. 4 4 F-17 

          .    -   _          .-  -       -_ - _ =          _ -           . -              - . - -  . --

t

2. SOURCES OF INFORMATION USED IN THE REVIEW t

Several sonroes of information including periodic (annual, quarterly, and monthly) NRC publications were used in the review. Same source s con-tained information relative to more than one area within the scope of the l r ev iew. I 2.1 Availabl11tv and Canaelty Factors

The availability and capacity factors were either extracted or calcu-lated from data given in the Gray Books 8 from 1974 through 1981 (the first Gray Book was issued in May 1974). Prior to 1974, annual or semiannual reports were used to complie availability factors only.

4 ] ] 2.2 Forced Remotor Rhmtdowns and Power Radnetions 9 i Review of the forced power reductions involved checking the following sources for accuracy and completeness of details. i 1. Nuclear Power Plant Operating Esperience for 19XX, for the years 1973-1990 (Ref s. 4-10) . The report for 1981 has not been published.

2. NUREG-0020 series 8 (Grey Books).
3. Annual or semiannual reports of the San Onof re Unit No.1 plant f rom the time of startup through 1977. For 1977 through 1931, monthly operating reports were used because the utilities were no longer re-4 quired to flie annual reports. The review of power reductions in-volved primarily the annual, semiannual, sad monthly reports.

2.3 Resortabis Events The NSIC computer file of LERs was the primary source of information in reviewing reportable events. Material on the NSIC computer file con-sists of the approprints bibliographic material, title,100-word abstract, j- and keywords. When additional information on the event was needed, the , . original LER (or squivalent) was consulted by examining (1) those full-i aited copies on file at NSIC (for the years 1976-1981)* (2) the microfiche l file of docket material at NSICs or (3) the appropriate operating report l (semiannual, annual, or monthly) . 2.4 Enviro-- ntal Events and Reinassa of Radioactivity t Events of environmental importance were obtained as a result of con- l

. ducting the overall review of the plant's operating history, and the sources of information involve all types of documents listed thus f ar..

! The data for radioactivity releases were compiled primarily fron RadioaotEve Naterlata Reteased from Nuotear Power Ptante ~ Annuat Report F-19

I977 (Ref. 11). This report presents year-by-year comparisons for plants is a number of different categories (such as solid, gas, liquid, noble  ; gas, and tritium) . Data for 1978 were taken from Radioactive #aterfate Released from Nuclear Power Plante ~ Annual Report 1978 (not.11). Date ' for 1979 through 1981 were compiled from the ananal environmental reports i submitted by the licensees. ] 1 l F-20

3. ' TEGNICAL APft0&G p0R EVALUATIONS OF OpBRATING EISTORY Forced shutdowns (and power reductions) and reportable events were the two areas foessed on in the evaluation of the operating history of the plants of interest. Given the large number of both forced shutdowns and reportable events, it was necessary to develop consistent review prose-deres that levolved screening and ostegorising of both type osastronees.
                                  ' Af ter the events were screened and eategorised, the study then assessed the safety significanoe of the events and analysed the estegories of events for various trends and resucring problems.

The review approach with respect to operational events (forced shut-downs and reportable occurrenees) consisted primarily of a three-step pro-eess: (1) comp!!stion of information on the events, (2) screening of the events for 'signifloanee using selected criteria and guidelines, and (3) evaluation of the significanoe and importance of the events from a safety standpoint. The evaluations were to determine those areas where safety problems existed in terms of systems, equipment, procedsres, and human error. Shutdowns were evaluated against the DDRs found in Chap.15 of the Standard Review Plan.8 The DBEs are those postulated disturbance e in process variables or postulated malfunctions or fallares of equipment that the plants are designed to withstand and that liseaseos are espeeted to analyse and include in safety analysis reports (SARs). The SAR provide a the opportunity for the ef fects of anticipated prosese disturbanees and postulated ommponent f a!!stes to be esamined to determine their conse-quensee and to evaluate the espab!!!ty be!!t into the plant to control or sesommodate such f ailures and situations (or to identify the !!altations of espected performance). The intent is to organise the transients and aseidents seasidered by the 11eensee and presented in the SAR in a manner that w!!!

1. ensure that a suf fielently broad spectrum of initiating events has been considered.
2. sategorise the initiating events by type and espected f requeney of occurrence so that only the limiting esses in each group need to be quantitatively analysed, and
3. permit the consistent appliention of specifle neceptance criteria for each postulated initiating event.

Baek postalsted initiating event is to be assigned to one of the following eategories:

1. leeresse in heat renoval by the secondary system (turbine plant),
2. decrease in heat renoval by the secondary system (turbine plant),
3. deeresse in reestor coolant system flow rate,
4. anomalies la resotivity and power distribution, S. Inerosse in reestor coolant leventory,
6. decrease in reactor ecolant inventory,
7. radionstive release from a subsystem or component, or
8. anticipated transients without seren.

F-22

nose shutdowns identified as design-basis initiatins events were eategorised as such. If the shutdown was not a ISE, then it was assigned a category from a list developed by NSIC to indleate the nature and type of error or f ailure. he NSIC sategories for shutdowns not caused by ISEs were examined as part of a trends analysis. Reportable events were screened using the criteria presented in Sect. l 3.2 and were categorised according to their significance. H e information collected on the reportable events was used to analyse trends for all re-portable events, both sisaffisant and not significant. i 3.1 Slam 1flaamt Shutdomma and pasar Radastloma } For the purposes of comp!!!as !aformation and evaluation, power re-destians were treated in the same manner as forced shutdowns. 1 3.1.1 Critarla for alanifiaast ahmtdomma and monar redmatlema As indleated previously, the oscurrenees identified as ISEs were used as eriteria to estesorise and note sisalfisant shutdowns, n ose events are listed la Table 3.1 as they are found in Chap.15 of the Standard Review Plan.* l 8 3.1.2 Una af arliarla for datarminima alam1flaamt ahmidowns and newer z.adma1. Inns 

!        Generlo design-basis initiating events such as "Amorease in heat re-1 novel by the secondary system" or " decrease la remotor coolant system flow rate," were used as primary fless for reviewiss the forced shutdowns (and power reductions). Once the senerie type of event was identified, the particular initiatins event was determined from the dotatis assoaisted with the shutdown. For esemple, if the reactor shuts down beesuse of an

- ineresse in heat removal beesuse a feedwater regulator velve f atted open, the shutdown is a generie type 1 ISE. Speelfies11y, based on the initiat-ins event (valve f ailed open), it is a 1.2 ISE "feedwater system mal-i function that results in an increase in feedwater flow." Same shutdowns 3 were readily identifiable as specific IEEs, such as trippins of a main ecolant pump, e 3.1 ISK. Once sategorised as a IEE, the shutdown was son-r sidered significant regardless of the resulting ef fest on the plant (be-eause a IRE had been initiated). l De review of events asemed that loss of flow from one feedwater loop was suffielent to quality as a 2.7 ISE " loss of normal feedwater i flow." 3.1.3 Nam-IEE ahmidaan and mover radmatiam antamariaation 2 hose shutdowns that were not ISRs were assigned NstC estesories I (Table 3.2) to provide more information on the f ailure or error assoaisted l with the skutdown. With these estesories, more specific types of errors F-23

i i Table 3.1. Initiating event descriptions for DBEs as listed in Chap.15, Standard Review Flan (Revision 3)

1. Increase in heat ra-aval by the secondary system 1.1 Feedwater system malfunction that results in a decrease in feedwater camperature 1.2 Feedwater system malfunction that results in an increase in feed-water ficw 1.3 Steen prtreure regulator malfunction or failure that results in ,

increasing steam flow ' 1.4 Inadvertent opening of a steen senerator relief or safety valve 1.5 Spectrum of steen system piping f ailures inside and outside of containment in a pressurised-water, reactor (PWR)  ; 1.6 Startup of idle roeiresintion pump 1.7 Inadgertent opening of bypass resulting in increase in steam flow

2. Deeresse in heat r---val by the secondarv svaten 2.1 Steam pressure regulator malfunettom or failure that results in deeressing steem flow l 2.2 Loss of esternal electric load 2.3 Turbine trip (stop valve closure)  !

2.4 Inadvertent closure of main steam isolation valves 2.5 Loss of condenser vaesum 2.6 Coincident loss of onsite and esternal (of fsite) se power to the station 2.7 Loss of normat feedwater flow r 2.3 Feedwater piping break 2.9 Feedwater system galfenettons that result in an increase in feed-water temperature

3. Deeresse in remator ecolant avstem flow rate 3 .1 Sinste and multiple remotor coolant pump trips 3.2 Bo!!!as-water remotor (BWR) restrostation loop controller mal-fanation that resnits in decreasing flow rate l 3.3 Reactor ecolant pump shaf t seizure .

3.4 Rosetor coolant pump shaf t break

4. Ramativity and never distribution a=a==11es
,                                  4.1 Uncontrolled control rod assembly withdrawal from a soberitical or low power start-up condition (assuming the most anf avorable reactivity conditions of the core and remotor sociant system),

including control rod or tasporary control devise renova! error during refueling 4 4.2 Uncontrolled control rod assembly withdrawal at the particular ' power level (assuming the most unfavorable reactivity conditions , of the core and remotor coolant system) that yields the most severe results (Iow power to full power)  ; 4.3 control rod maloperation (system unt funotion or operator error), i including matoperation of part length control rods j i > F-24

Table 3.1 (continued) 4.4 Start-up of an inactive reactor coolant loop or recirculating loop at an incorrect temperature. 4.5 A malfunction or failure of the flow controller in a BWR loop that results in an increased reactor coolant flow rate 4.6 Chemical and volume control system malfunction that results in a decrease in the boron concentration in the reactor coolant of a PWR 4.7 Inadvertent loading and operation of a fuel assembly in an in-proper position 4.8 Spectrum of rod ej ection accidents in a PWR 4.9 Spectrum of rod drop accidents in a BWR

5. Increase in reactor coolant inventorv 5.1 Inadvertent operation of energency core cooling system during power operation.

5.2 Chemical . and volume control system malfunction (or operator error) that increases reactor coolant inventory 5.3 A number of BWR transients, including items 1.2 and 2.1-2.6

6. Decrease in reactor coolant inventorv 6.1 Inadvertent opening of a pressuriser safety or relief valve in either a PWR or a BWR 6.2 Break in instrument line or other lines from reactor coolant pressure boundary that penetrate contalmeent 6.3 Steam generator tube f ailure 6.4 Spectrum of BWR steam system piping failures outside of contain-ment 6.5 Lose-of-coolant accidents resulting from the spectrum of postu-lated piping breaks within the reactor coolant pressure boundary, including steam line breaks inside of containment in a BWR 6.6 A number of BWR transients, including items 1.3, 2.7, and 2.8
7. Radioactive release from a subsystem or connonent 7.1 Radioactive gas waste system leak or failure 7.2 Radioactive liquid waste system leak or failure 7.3 Postulated radioactive releases due to liquid tank failures 7.4 Design basis fuel hand 11ag accidents in the containment and spent f uel storage buildings 7.5 Spent fuel cask drop accidents
8. Anticinated tranatents without scram 8.1 Inadvertent control rod withdrawal 8.2 Lors of feedvetor 8.3 Loss of ac power 8.4 Loss of electrical load 8.5 Loss of condenser vacuum 8.6 Turbine trip 8.7 Closure of main steam 11ae isolation valves "These laitiating events were added for BWRs to be more specific than DRE events 5.3 and 6.6.

F-25

I Table 3.2. NSIC event categories for non-DBE shutdowns 1 N 1.0 Equipment f ailure 

                                                                                                                                     )

N 1.1 Failure on demand under operating conditions ' N 1.1.1 Design error N 1.1.2 Fabrication error N 1.1.3_ Installation error l N 1.1.4 End of design life / inherent f ailure/ random i _11are N 1.2 Failure on demand under test conditions l N 1.2.1 Design error . N 1.2.2 ' Fabrication error I N 1.2.3 Installation error N 1.2.4 End of design life / inherent f ailure/ random f ailure N 2.0 Instrumentation and control anomalies N 2.1 Hardware f ailure N 2.2 Power supply problem N 2.3 Setpoint drift 

,                         N 2.4          Spurious signal N 2.5          Design inadequacy (system required to function outside de-sign specifications)

N 3.0 Non-DBE reductions in coolant inventory (leaks) N 3.1 In primary system N 3.2 In secondary system and auxiliaries N 4.0 Fuel / cladding f ailure (densification, swelling, failed fuel elements as indicated by elevated coolant activity) N 5.0 Maintenance error N 5.1 Failure to repair component / equipment / system N 5.2 Calibration error N 6.0 Operator error N 6.1 Incorrect action (based on correct understanding on the part of the operator and proper procedures, the operator turned the wrong switch or valve - incorrect action) N 6.2 Action on misunderstanding (based on proper procedures and l improper understanding or misinterpretation on the operator's part of what was to be done - incorrect action) N 6.3 Inadvertent action (purpose and action not related, for example, bumping against a switch or instrument cabinet) N 7.0 Pro'cedural/ administrative error (incorrect operating or testing procedures, incorrect analysis of an event - failure to consider i certain conditions in analysis) N 8.0 Regulatory restriction N 8.1 Notice of generic event i N 8.2 Notice of violation N 8.3 Backfit/ reanalysis d ? F-26

Table 3.2 (continued) N 9.0 External events N 9.1 Hasan induced (sabotage, plane crashes into transformer) 

             .N 9.2 Environnent induced (tornado, severe weather, floods, earthquake)

N 10.0 Environmental operating constraint as set forth in Technical Specifications i 4 F-27 

    .      .   . .   . _ _ , . . . - . - _ - _ ~ .          -.

and f ailures could be examined through tabular summaries to focus the re-viewer's attention on problem areas (safety related or not) that were not revealed by the DBE categories. The causes (Table 1.1) for non-DBE shutdowns taken from the Gray Books are limited and very general, while NSIC cause categories are more specific. Thus, . as an exemple, the number of Gray Book causes noted as . egalpment f ailure should not be expected to equal those identified as I equipment f ailures with the NSIC categories. Other NSIC categories, such  ; as component f ailure, could be classified as an equipment failure if the only available designations for cause were those listed in the Gray Books. 3.2 Sinnificant Renortable Events .3.2.1 Criteria for slanificant renortable events Tho groups of criteria were used in de termining significant report-able events. The first set of criteria (Table 3.3) indica tes those events , that are definitely significant in terms of safety; they are termed sig-nificant. The second set of criteria (Table 3.4) indicates events that may be of potential concern. These events, which might require additional information or evaluation to determine their full implication, were noted as ' conditionally significant. '3.2.2 Use of criteria for determinina slanificant resortable events The reportable events were all reviewed, applying the two sets of criteria for significance rather liberally. A number of significant events and conditionally significant events were noted. The events initially identified as significant or conditionally significant were analyzed and evaluated further based on (1) engineering judgment; (2) the sy s t em s, equipment, or components involved; or (3) whether the safety of the plant was compromised. The final evalua tion for significance consid-ered whether a DBE was initiated or whether a safety function was compro-mised so that the rrstem as designed could not mitigate the progression of events. Thus, the number of events finally categorized as significant was reduced considerably by these steps in the review process. 3.2.3 Resortable events that were not slanificant i l Those reportable events not identified as significant or conditione ally significant were categorized as not significant (with an "N" in the l significance column of the coding sheets in the appendizes). These events and the events rej ected during the additional review step were further reviewed by compiling a tabular sammary of the systems to detect trends and recurring problems (Table 1.4 provides a listing of the systems). F-28

Table 3.3. Reportable event - criteria - significant 

  " '8 '7 g         ,,f,                                                      Event description S1                 TWo or more f ailures occur in redundant systems during the
l. same event S2 TWo or more failures due to a common cause occur during the same event S3 Three or more f ailures occur during the same event S4 Component f ailures occur that would have easily escaped detection by testing or examination S5 An event proceeds in a way significantly different from what would be expected S6 An event or operating condition occurs that is not envel-oped by the plant design bases S7 An event occurs that could have been a greater threat to plant safety with (1) dif ferent plant conditions, (2) the advent of another credible occurrence, or (3) a different progression of occurrences i S8 Administrative, procedural, or operational errors are com-mitted that resulted from a fundamental misunderstanding of plant performance or safety requirements S9 Other (explain) f i

F-29 

    .=         .                    .    . _.                      . . -  - - .                                                   _.

Table 3.4. Reportable event criteria - conditionally significant Category of conditional Event description j significance j I C1 A single f ailure occurs in a nonredundant system C2 TWo apparently unrelated f ailures occur during the same event C3 A problem results in an offsite radiation release or ex-posure to personnel C4 A design or manufacturing deficiency is identified as the cause of a failure or potential fsilure C5 A problem results in a long outage or maj or equipment i damage C6 An engineering safety feature actuation occurs during an event C7 A particular occurrence is recognized as having a signif-- icant recurrence rate o C8 Other (explain) I l t 6 d F-30 i

4. OPERATING EXPERIENG REVIEW 0F SAN ONOFRE UNIT NO.1 i

4.1 Sammary of Operational Events  ! o f . Safe tr .Innertance  ! l

This study reviewed the operational history of San Onofre Unit No.1 to indicate those areas of plant performance that have compromised plant saf e ty. The review included a detailed examination of plant shutdowns, I power reductions, reportable events, and special environmental reports.

The criteria used to show degradations in plant safety were

1. events that initiated a design basis event (DBE), and
2. events that compromise. safety functions designed to mitigate the propagation of DBE initiating events.

i Shutdowns and power reductions indicated the number and types of DBEs en-tered. Reportable events and special environmental reports indicated DBEs and the number of times each engineered safety function was lost. The results of the operational review identified 26 DBEs entered and 15 losses of safety function. 4.2 General Plant Descrintion San Onofre Nuclear Generating Station Unit No.1 is a Westinghouse pressurized water reactor (PWR) with 436 NWe not maximum capacity. The owners are Southern California Edison, who serves as the operating agent, and San Diego Gas and Electric Campany. The architect / engineer is Bechtel Corporation. .The plant is subj ect to provisional operating license DPR-13, issued on March 27, 1967, pursuant to docke t number 50-206. San Onofre Unit No.1 achieved initial reactor criticality on June 14, 1967 by means of boron dilution. The generator first synchronized to the grid on July 17, 1967. On January 1,1968, commercial operation com-menced at a nazimum not power of 385 MWo. Full not power of 430 NKe was ' first achieved on December 27, 1968 and the plant was licensed for 450 MWe-gross on September 20, 1969. Located near San Clemente in San Diego County, California, the plant i lies entirely within Camp Pendleton Marine Reservation (Fig. 4.1) . Thus the immediate surrounding area is sparsely populated. The nearest city of 50,000 or more people is Oceanside, California located seventeen miles a southeast of the plant with a population of 80,000. Within thirty miles of the plant, there are four cities and a population of 410,000. Within i

fif ty miles, there are twenty-nine cities and a population of 3,600,000.

The plant is sixty-two miles southeast of Los Angeles and fifty-one alles i northwest of San Diego. 4.3 Availability and Canacity Factors Table 4.1 contains the availability and capacity factors for San Onof re Unit No.1. San Onofre Unit No.1 began commercial operation of F-32

C 

                             ~

N ,f ~\ 

       /     ,

jf hbj("k);fk'l 4i u- 

  &,m.,;s)u.

olirl 

                  '9'K/,'          i i
                                        ;3 E

5 

                   ' !!/ t     -

iel 

                                 /      l ldf f'h                '

6yffAA/i -= e \///o , 

  ,i n"a f

F-33 

                                                                                                                                                                                                           "i Table 4.1. Availability and capacity factore for See Geofre 1 1967              196 8 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 Total Seacter availability                        62.5              42.3   76.7   83 .7   94.5         79.3        63.7       M .9 87.9 72.2 64.3     81.7     98.4 ' 22.6     28.0 68.3
 *st I       Dait availability                           M .4              41.5   75.8   83.0    93.4        .77.8 62.8              M .! 87.4 70.2 63.7     80.2     90.2       22.3 26.7 68.0 w                                                          #                #      #       #           #       #
  • Delt sayestty ( S C) fester" 17.8 34.4 69.8 31.3 88.S 75.2 60.3 59.5 M.2 65.5 61.1 79.1 87.9 21.3 20.4 65.7 Unit capacity (SER) factor 17.8 # 34.4# 69.8# 81 .3 88.0 75.2 60.3 83.5 M .2 65.5 61.9 70.1 87.9 21.3 20.4 65.7 "WC = nestem dependable espeetty.

MR = deelse eteetrieel reting. 5eed (W e) grose.

January 1,1968. The reactor availability in the period 1968 through 1981 was above 70% except for five years: 1968, 1973, 1977, 1980 and 1981 In 1968, the reactor shut down for over six months due to cable 

              . tray fires which occurred on February 7 and March 12.                        The reactor shut down for approximately two and one-half months in 1973 to repair a turbine blade f ailure.             In 1977, the reactor shut down for one month due to re-                                -

l actor coolant pump inspection, and steam generator tube inspection and ' ! plugging. Steam generator tube repairs caused the reactor to shut down s for eleven months in 1980 and 1981 beginning in July,1980. In the four- L teen years of commercial operation, the reactor availability has averaged 68.3% while unit availability averaged 68.0%. Unit capacity (MDC) is the same as unit capacity (DER) for San Onofre Unit No.1 and averaged 65.7%. 4.4 Forced Reactor Shutdowns and Forced Power Reductions Tables A.1.1 through A.1.15 in Appendix A provide a comprehensive summary of forced shutdowns and forced power reductions at San Onofre Unit i No. 1. Tables 4.2 and 4.3 summarize Tables A.1.1 through A.1.15 for , forced shutdowns and forced power reductions, re spe ctively. The duration of the event is rounded to the rearest hour for forced outage s. All power reductions are defined as outages of zero hours duration for computing unit capacity and availability factors and forced outages rates. 4.4.1 Review of reactor shutdowns ==A nower reductions There were 107 forced shutdowns and 47 power reductions for the r'e - porting period 1967 through 1981 with an average of seven forced outages

per year. The average time the unit was shut down due to these occur-rences was 1774 h/ year. Two outage s, one in 1968 (cable tray fire) and one in 1980 (steam generator repair), were responsible for 12507 h of downtime amounting to 47% of the total forced outage downtime experienced through 1981. If those two events were not considered, the average down-time due to forced shutdowns was 940 h/ year. Approximately one-fourth of these occurrences were identified as DBE-initiating events as defined in l Sect. 3.1.1.

4.4.1.1 Yeariv s----ries for San Onofre Unit No. 1 12.11 i on June 14, 1967, San Onofre Unit No.1 achieved initial criticality by boron dilution. The generator was first synchronized to the grid on July 16. During turbine overspeed testing on July 17, salt water leakage into the condenser was noted. A turbine blade failure sent metal fras-ments into the condenser, causing salt water leakage. All of the blades in the last four stage rows required replacement. The outage lasted ~1080 i h and accounted for almost 2/3 of the forced outage down time for 1967. On September 11, the unit shut down for ~192 h due -to excessive vi-bration in the circulating water pump and a leaking pressuriser safety l F-35

g.:~:- 

                                                         ,:     :        =.
g ~. j- .c:~s.g .g,
                                                                                              -                            g   ,s .g. .c     :    ~a n g ;. : -
                                                                                                                                                              ; . . . . : , : . ,c t 3      .A                          ..                      -

_2 

                                                                                                                                                              ~
                                                                                                                                                                       - - -                               1 e
                                             ., .g.3 s
                                                                                  ~;
                                                                                                    -g
                                                                                                               -j.
                                                                                                                               .j -5t
                                                                                                                                                  .: ~;
                                                                                                                                                        - s
                                                                                                                                                                           -g .g .g
                                             , . .    ~ . .=                .:                      .:                                            .: .:                   .~i               .c
5,.  : - : -

2 e +2- *E-j . 

                                                                                                              -7
                                                                                                                        -E
                                                                                                                                                           -j -S I S-E -f
e.  : ~ .2
                                                  .           -j -E-E ~E                              .E           -E                             -E l-       .            -2 7                           :: ) . x.-2      +j.
                                                                      -3            5        - s- Is:      .E -E .
                                                                                                                              ~3                  -5 fj      _
                                                                                                                                                                                -3
                                .r)e y

s: . , - 

                                                      .e..g           .g.E 1
                                                                                                   ~,              .g                             .,., . .
                                                                                                                                                                           .s u               '

1  : . .: ..g g .;- ~; 

                                                                                                                              .c                           Jg        .g y             ,
                            .        e            -

J t [ } . ~: , 2; .; 

                                                                                             ~ g .g                                               .'s .g . ;                    .g 3:

tu p 

                                                        . c 5            -
                                                                    '                                          ~

3 u., ,1

~; -i a
                                                                                  -?1                         -21             -5                  I ?s-n !?                                        l
                                                        .                           .                                                                  .         .                                g
                                                                                                                                                                ^
                         ;t          :       =g =f-9                             -5          -E                                                   *g-y :S                  fj                     l e}j s-          t                  :. :                                                                                                 .               .                     .

i s. :5 *!*E . . ~ .E Is. - ! ~ .9 -s .E fj -s  ! 

                 .>       .}                                                                                                                                                 _

I 

                   +
                          'a;       e e
                                                     -S                                                                                           .c   -

J 

                     ,      +
                     '                                                                                                                                                                            g 3        ;                                              g'       2 3.;                                                tgre                 5
                                             . . . ..V.'.s m      : :                         :            -:                         s                                         :

1 I 

                                                        ~
                                                                     ~           .:          . g .;                                         .c                                                 :3 i .f        .   ~{ .
                                                                                                 . 3
                                                                                                                                             .c                                                33 j.
                                    ,,1-.,

t" . 

                                                                     ~g
                                                                                 ~g
                                                                                            .. .-= );                                                  -
                                                                                                                                                  .i ::;             :g
                                                                                                                                                                                ~g
1}

o - 3; ,

3. JJ f

' g 5 1- i 1 p8 1 1 y i- I 'I !! % 3 - 11 e lii i 

                                                          !1                        I$ i           's ~* 3 8I 3I II II               :     .i    )1 t.
                                                                                                                                                           ' 1 I *i E    l   l      1.

II *i )) 1 i 

                                                      * !. !                        lI      2-     is a58. . . g /. I3
  • 1- ' 1 gl II
n. e ll l .: 1:. { !{I
                                                                                                                                                                                      ,        3 1

si- .i 5 5 - 1 .2 i I. J .: [e j.r i gs I 1.. [e g .1. I }- l ]l j - 

                                                     .3-1-                                                a   u a                 1{-  2 g

g 1i - 1 3[. - - 

                                                                                                                                                                 -r-            3
                                                                                                                                                                                                     -1 l IIt                                 , ] ~1 1 :. :Il ll y                                                   3                                   3   .

t. 5 s l - 31 31.I se 12 j ]}} =si 

                                                                                         !2  ~           i j 1i 9[

l j.-v'I] 2 e.l 8 s.I!l s11.':g 3 a 

                                                                                                                                             !] ja sj ll a I .'l j )i 1
                                                                                                                                                                            ' :           -3 ii
                                                                                                                                                                                                       ))
                                             >s 2 j}<                            }iJ
                                                                                                                                                                                               ))n,j jj
                                                          > :       a            ;1.v,1            a     ,,,J                 :      . .         a..seiei1                                               ,
                                           '                                     J F-36
                                                      ?

4 x, b Table 4.3. . Power Reduction Summary for San Onofre ! 1967 ~ 1968 1%9 1970 '1971 ~1972 19?3 1974 1975 1976 1977 1978 1979' '1980 1981' Total -

1. Power reductione '
1. Total number 4-
2. Cause 1 2 3 12 3 7 10 2 3 47
a. Equipment failure 4 2, 3
b. Maintenance or testing 6 1 3 2 1 2 24
c. Reguistory restriction. 5 2 3 7 1 1 19
d. Operator training / license esas O
e. Administrative s 0
f. Operational error
g. Other %1 .

I 1 3 1 7 u II. Total number of DBE related power 1 1

  • reductione (included in totale of ..

g part I) , III. Systen involved - 1 Reactivity control (RS) . 1 1

2. Eigh-pressere safety injection 1 1 2 6 system (SF-C) 1 1
3. Reactor trip (IA) ---
4. Offeite power systes and con- 2 2

trole (EA),' . I. I

5. Oasite systems and controle 3 1 1 (composite AC and DC) (ED) 2 -7 6 Turbine-Generators (BA) ~
7. Main condenser systens and
  • l 1 2 controle (BC) 7 2 2 8 2
                                                                                      "                                                       1         22 8 Circulating water systems and                                            ^

controle (RF)  !  ! 1 3

9. Condensate and feedwater eye- .

1 tems and controle (RB) 1 1 1 4-l 

                                                                                                                                                             .M.

i t

valve. The vibration was caused by pulling in an excessive amount of marine growth into the circulating water system. The unit shut down on July 9 and December 12 because malfunctioning or defective electrical equipment was resulting in control rod drops. On Octc.sr 19, a f al se indication of a fully inserted control rod from a bad connector in the position indication circuitry resulted in a unit shut-dow n. Dropped rods and f alse indications of dropped rods were recurring events in San'Onofra Unit No. l's early operating history. Section 4.4.3.4 discusses indication of dropped rods. On December 5, the reactor tripped during a power increase due to an incorrectly set reactor overpower set point. The overpower protection was set at 85% power. During the power increase the protection was not reset and reactor trip resulted when power output reached 85%. The warning alarm failed to operate as the set point level was approached. l With one circulating water pump out of service, the unit was manually tripped when an inadvertent closure of the tsunami gate occurred on November 1,1967. A shorted limit switch caused the closure. 12 0 There were nine forced outages accounting for 5105 h of downtime in 1968. The first outage occurred on February 7 when a fire started in the cable . tray containing the cables leading to sphere electrical penetration ' EPO-4. The cause of the fire was electrical and mechanical overloading of power cables for the pressurizer heaters. A month later, on March 12, another cable f ailure resulted in a fire. The cause of this cable f ailure was a higher than design thermal loading of _ circuits that supply the pres-surizer heaters. These two events shut down the reactor for 4618 h and are discussed in more detail in Sect. 4.5.2.2. 

              ,In 1968 there were four events of dropped or bottcmed control rods (March 4, March 9, September 9, and September 26 which shut down the reac-tor for a total of 180 h (see Sect. 4.4.2.6).

Beginning December 9, an increased taaperature in valve discharge piping indicated leakage through a pressurizer relief valve. Obse rvation continued until December 28 when the unit was shut down. It remained down for 244 h.- Pressurizer relief valves are discussed in more detail in Sect. 4.4.3.1. 12 0. In 1969, there were nine forced outages accounting for 2122 h of downtime. There was one maj or outage this year which commenced on June ,

20. The unit shut .dswn for 1193 h to allow inspection of the turbine- 1 generator and to make modifications to the steam generator moisture separators.

l n On March 22 and August 10, the unit shut down for a total of 394 h to replace leaking. pressurizer relief valves. On October 9, the unit was l' removed fram operation for 165 h when the tsunami gate slipped from its anchor bolts and fell into the-intake tunnel. J F-38

On April 7, a load runback resulted fran an unexplained f also dropped rod signal. This f also signal necessitated a power reduction to investi-gate the problem. On August 14, a relay malfunction caused several con-trol rods to drop and the reactor was manually tripped. Failure of a re-circulation valve motor winding caused the plant to remain shut down for ( 86 h. l l lila Only one forced outage interrupted operation in 1970. On May 29, a reactor trip occurred subsequent to a manual turbine trip. The turbine trip was due to an acceleration rate greater than desired. The reactor 

     - tripped because 2 of 4 power channels indicated greater than 10% power.

The total forced outage downtime for the year was two h. 1111 The reactor availability factor of 94.5% for 1971 was the highest achieved during the time period covered by this review. There were twelve forced outages totaling 426 h downtime. This year was the first in which , the unit shut down to repair leaking condenser tubes. The unit shut down on June 27 for 17 h and October 27 for 104 h for this cause. On November 1, 3, and 5, the unit was shut down three times to obtain additional data on turbine overspeed characteristics (see Sect. 4.4.3.2). 1111 There were twelve forced outages totaling 661 h in 1972. The initial repair of leaking steam generator tubes occurred during this year. On ( July 8, a leak in "C" steam generator tube was detected. Sampling began and continued until the leakage was ~100 gal /d. On July 19, the unit shut I down for 177 h to repair the leak. On September 12, analysis determined that the "A" steam generator was experiencing primary to secondary side leakage. Sampling began and continued until the leakage was over 100 , gal /d. The unit was then shut down for 155 h on October 13 for repairs of l the tube leaks. On April 30, during startup, the reactor and turbine tripped due to a turbine trip caused by high steam generator water level. The high level resulted from failure of the positioner on the main feedwater regulating , valve. This event is discussed in more detail in Sect. 4.4.2.1. l On February 25, March 4, and March 24, the unit shut down for a total of 23 h because of additional turbine overspeed problems and testing. In-dication of dropped control rods continued to occur causing a unit shut-down on September 20 and power reduction on December 9. ARIL l f There were only three forced outages in 1973. However, total down-l time was 2083 h. The maj or outage for the year started on October 21 and accounted for 1974 h downtime. Bearing vibration and salt water leakage indicated turbine problems existed. While shutting the unit down, a F-39 i

i feedwater control error caused overcooling, resulting in safety inj ec-tion actuation and a reactor trip. Section 4.4.2.1 de scribe s this event in detail. On January 6, the unit shut down for 108 h to locate and repair "A" i I steam generator tube leaks. For more information on this and subsequent steam generator tube leaks refer to Sect. 4.5.3.2. On January 10, the reactor tripped when No. 4 vital bus was transferred from the backup power supply to the normal power supply. j On February 20, an indication of a dropped rod occurred during a l Power reduction for condenser cleaning. On August 17, another power re- I duction was initiated when f ailure of an inverter caused a load transfer. 121.i In 1974, there were four forced outages totaling 614 h. The longest outage began on April 27 when the unit shut down for 547 h to repair steam generator and reheater tube leaks and to repair a leaking pressurizer saf e ty _ valve. On June 11 and June 14, the unit initiated a power reduction as a result of automatic load runbacks. Problems with inverters which supply power to nuclear power range monitors caused the runbacks. On October 21, the reactor was manually tripped during a load increase when control rods in subgroup 8 dropped. 1211 Of the four forced outages totaling 143 h, the longest outage of 1975 commenced on June 11. The unit shut down for 127 h to repair pressurizer relief valves and to plug leaking steam generator tubes. On February 19, an inverter f ailed causing a spike in a pressurizer 

               - level channel. This forced the unit down for 4 h.                               On April 22, the reac-tor tripped while transferring the No. 4 vital bus back to its normal power supply.

1221 Nine forced outages totaled 178 h in 1976. On July 30, the unit shut l down for 101 of the 178 h to repair leaking steam generator tube s in "C" steam generator. On March 23 and March 29, the unit reduced power to investigate salt water in-leakage into the condenser. On rive days (January 8, January 26, January 29, Februa ry 6, and July 2), the unit reduced power in order to plug leaking condenser tubes. The unit scrammed on February 9 and reduced power on September 25 and 26 because of problems with inverters. The events on September 25 and 26 also caused erroneous indications of dropped control rods. On April 17 through 19, there were four events involving turbine over-speed resulting f rom incorrect turbine trip settings. The unit was shut down a total of 42 h. 4 F-40

4 J 1 M i During 1977, there were ten forced outages totaling 761 h. On Sep- 

                 - tomber 9, the reactor shut down for reactor coolant pump inspection, steam generator inspection, and plugging of leaking tube s in the steam genera-tors. - .On July 1 and 2, the unit reduced power in order to plug leaking tube s in the south half of           "B" condenser.

On April 14 there was an erroneous indication of a dropped rod and actual ' dropped rod events occurred on May 18 and June 9. The unit shut down a total of 50 h during these events. O 1 4 There were five forced outages totaling 495 h of downtime in 1978. On April 5, the unit shut down'for 472 h (95% of the year's forced down-time) in order to inspect the. steam generators. This shutdown was re-i quired by NRC.

On March 29 and June 9, the unit reduced power in order to plug leak-ing condenser tube s. On March 22 and May 18, the unit reduced power due to erroneous dropped rods indications. i i M T'.e 1979 reactor availability factor was 90.4%. This was the second hist ot in the operating history of San Onofre Unit No.1. There were six forced outages totaling 857 h. On April 5, the unit shut down for 82 h to repair a condenser tube leak and to repair the feedwater flow straight-eners. In addition, there were seven other occasions (February 23, August 30, September 7, November 29, twice on November 30, and December 12) in-volving condenser tube leaks which necessitated the unit to reduce power to repair or plug the lesking tube s.

On June' 1, the unit went down for 394 h to plug leaking steam genera-tor tube s. On September 14, the unit shut down for 234 h in order to repair refueling water pap suction piping and to replace several pipe sec-tions on the safety inj ection line. On November 7, the unit shut down for 133 h due to loss of 480 V bus No.1 (see Sect. 4.5.3.1) . M 

                       .The 1980 reactor availability factor was 22.6%. This was the lowest reactor availability reported for San Onofre Unit No.1 in the time in-l                 terval of this review. Although there were only five forced outage s, the five accounted for 4581 h of downtime. Af ter completing refueling on July                                                 '

12, the unit remained shut down for 4152 h to complete steam generator tube repair. On January 26, the unit shut down for 392 h in order to effect TNI modifications. On February 17, the unit reduced power to repair a salt i water leak into the condenser. . On January 16, the unit shut down for 38 h due to a steam flow / feed-water flow mismatch caused by a construction worker who accidently struck the closing circuit control relay to the east feedwater pump. 'I I F-41 

                                                                                ~ -- -

12.11 In 1981 San Onofre Unit No.1 continued the shutdown to repair steam 

    - generator tubes for an additional .4023 h.       This was the primary contrib=-       )

tor to the reported reactor availability of 28%. The reactor returned to operation on June 17, 1981, and experienced nine forced shutdowns and

- three power reductions in the remainder of the year.

4.4.1.2 Systems involved. There were seventeen systems involved in j the 154 forced outages and power reductions (Tables 4.2 and 4.3) . For

several of these events, more than one system was invoired in the event.

In these case s, the outage time was charged to each system involved. Four systems which each were involved in twenty or more events were: (1)- Turbine-Generators and Controls - Twenty-nine events involving the turbine generator and controls system totaled 5186 h. Two outage s (July 17,1967, October 21, 1973) dealing with turbine blade f ailures and one dealing with modifications of moisture . separators (June 20, 1969) accounted for the majority (82%) of the outage time for this system. (2) Main Condenser and Controls - Twenty-seven events involved the main

condenser and controls totaling 2751 h of downtime. Most of these events were power reductions for the purpose of repairing minor con-denser tube leaks. The outage s of July 17, 1967 and October 21, 1973, resulted from turbine blade damage causing salt water in-leakage to the condenser.

(3) Reactivity Control - The reactivity control system accounted for twenty events ar.d 393 h of downtime. Almost all of these events dealt with dropped rods or indications of dropped rods. This was a recurring problem in the early operating history of San Onofre Unit 

           . No.1, but has not reoccurred since May 1978. -

(4) Coolant Recirculation - Trenty-one events totaled 6987 h of downtime 4 because of failures involving the coolant recirculation system and controls. The . two events (February 7,1968, Mr.rch 12,1968) in 1968, dealing with the cable tray fires, acct nnted for 70% of the outage time. TWo other systems were involved with a significant number of forced shutdowns: (1) Main Steam Supply sixteen times totaling 12334 h, and (2) Condensate and Feedwater ten times totaling 696 h. The additional eleven systems each were involved in forced shutdowns fewer than nine times and averaged less than three shutdowns per system. Eight of these eleven grstens had less than 400 h charged to them with an aver-age of 183 h. The remaining three systems were: (1) High pressure safety inj ection -- four events for 3699 h, (2) Onsite power systems and controls - five events for 1476 h, and j (3) Emergency generators and controls one event for 740 h. i F-42 4

4 4.4.1.3 Causes of forced reactor shutdowns and forced nower reduc-11951 Equipment failure accounted for seventy-eight outage s and twenty-four power reductions (Tables 4.2 and 4.3) . The total forced outage down-time through 1981 due to equipnent f ailure was 17,948 h. Steam generator

problems, leaking pressurizer relief valves, turbine blade failures, i dropped control rods, failure of inverters, and turbine overspeed problems accounted for most of the equipment f ailures.

Maintenance and testing accounted for sixteen outages (7535 h) and nineteen power reductions. Modifications to the moisture separators, in-spections, condenser tube leaks, and steam generator tube leaks accounted for most of these events. i The unit shut down twice due to regulatory required inspections of

the steam generators and for TMI modifications. During 1978 the unit re-
duced power for extended periods due to an administrative decision to de-
,       fer fuel depletion.

l There were only seven events related to operational error totaling 222 h. There were primarily two areas involved. The first dealt with incorrect settings for turbine overspeed while the second dealt with f alse indications of dropped rods due to introduction of spurious signals. The only event of maj or importance was the unexpected opening of a feedwater pump saf ety inj ection valve during maintenance which occurred on August

18, 1978. Opening the valve resulted in dilution of the refueling water storage tank (RWST). The unit reduced load and added boric acid to the REST to compensate for the dilution.
There were five events related to other causes. TWo of these were 4

due to brush fires around San Clemente. One resulted in a loss of one train of offsite power on January 21, 1976 and the second required a pre-i contionary power reduction on the following day. The event of January 16, 1980, involved steam flow /feedwater flow mismatch resulting from an in-advertent action of a construction worker. On May 21, 1975, the reactor was manually tripped due to seaweed blocking flow into the intake struc-ture. An offsite power disturbance that resulted in a scram on March 8, 1978, due to low voltage is discussed in Section 4.4.2.5. 4.4.1.4 Non-desian basis events. There were 127 non-DBEs of which eighty-one were forced shutdowns and forty-six were power reductions (Table 4.4). These events can be classified into the following cate-sories: (1) pressurizer relief valves (seven events), (2) steam generator tube leaks (nine events), (3) leaks in the condenser (twenty-five events), (4) turbine overspeed protection (fourteen events), (5) power buses and inverters (twenty-six events), and I (6) others. ! The first five categories deal with recurring events and are discussed in Sect. 4.4.3 or Sect. 4.5.3. 4.4.2 Review of desian basis events There were twenty-seven design basis events (DBEs) accounting for 18% of the total nunber of events and resulting in twenty-six forced outages F-43

Table 4.4. NSIC primary category summary for non-DRE shutdovas and power reductions for Sea Onofre 1 1967 1968 1%9 1970 1971 1972 1973 1974 1975 1976 1977 1978' 1979 1980 1981 Total

1. Equipment fallares 2 3 8 2 2 4 1 2 1 7 5 4' 5 3 7 56 .
2. lastrumentation and control smaasties 2 1 1 .. I 2 1 2 2 12
3. Non-DBE reductions la coolant inves- 2 2 2 4 3- 1 2 1 8. 4 2 10 1 42 tory (leaks)

M 4. Fuel / cladding failure 0 h 5. Maintensace error 0

6. Operator error 1 -1 I I I I I- I 8
7. Procedural /adaialetrative error 3 1 4
8. Regulatory restriction 1 1 2
9. Eaternal events 1' 2 3
10. Environmental operating constraint- O tech. specs.

TOTAt. 7 5 11 2 '10 9 3 6 4 18 10 10 16 6 10 1 27

l i (Table 4.5). The total downtime associated with the outages was 4000 h.  ! Six DBE category types occurred with f sur categories having more than one j event. I 4.4.2.1 D1.2 Feedwater system malfunctions that result in an in- 1 i- crease in feedwater flow. Four events occurred that are considered design-ba si s DI.2 events. On April 30, 1972, the unit had j ust completed a nor-mal reactor startup and was operating on line at 55 MWe with load being l l slowly increased. The auxiliary feedwater regulators were in service .and controlling steam generator water level s. As the feedwater block valve to "C" steam generator was opened, flow increased rapidly causing the turbine and reactor to trip f rom high level . in "C" steam generator. The high level resulted from failure of the positioner on the main feedwater regu-lating valve. The primary coolant temperature experienced a temperature 

;                            drop of 91*F.                              Safety inj ection equipment was actuated ~12 min af ter the reactor trip. As a result, feedwater flow to the steam generators ceased
                           - and the cooldown in the primary systaa terminated.

Nine minutes af ter actuation, the safety inj ection system was se-cured. The operation of the . safety inj ection system was normal. How ev e r, since the minimum reactor coolant system pressure was significantly above the main' feed pump shut-of f head, no borated refueling water was delivered to the reactor coolant system through the normal safety inj ection flow path. Approximately 900 gallons of borated water were delivered to the coolant system through the normal charging path. An analysis to evaluate the thermal effects of this incident concluded that the reactor coolant system did not undergo any damage due to the thermal transient and the unit could be safely returned to operation.24,as The second feedwater system malfunction that resulted in an increase in feedwater flow occurred on October 21, 1973. The unit was being re-moved from service to investigate turbine problems indicated by bearing vibration and salt water leakage. During the unit shutdown, rapid cool-down of the primary cooling system retuited in the initiation of the

safety inj ection system and a reactor trip.

Blowdown on all three steam generators was commenced at 12:15 a.m. and a unit load decrease was initiated. At 1:18 a.m., the turbine was in an unloaded status and a no load trip alarm was received. At 1:19 a.m. l the turbine stop valves closed, and since feedwater control was still on automatic, the feedwater regulator valves went to 80% open. As a result reactor coolant temperature and pressure began decreasing rapidly. The operator changed reactor and feedwater control to manual in an a t tempt to increase temperature. Steam generator levels were increasing rapidly and pressuriser level had decreased to 10%. At 1:21 a.m., the safety injection system initiated and the reactor tripped. Approximately 1300 gal of borated water from the refueling water storage tank entered { the primary system through the charging pumps. l Safety inj ection had functioned a s required. However, in restoring l' s the system to standby, the Loop B safety inj ection valve was partially l inoperable. The valve mounting bolts and a nearby pipe hanger had f ailed. Further investigation indicated the damage to the Loop B piping was due to water hammer. The cause of the overcoollas event was assessed as f ailure to place feedwater control in manual prior to removing the turbine from service. l l F-45 i 

   -.x.,,,-- , .---. - , -              . - , , , _ + - , _ ~ - - - - . - - . . , - -           .....-,,n.        - - - - . , - , . , , . . , , , , , - , , , . . , - , - - -     ,,-~.nn ,, .-

        .                                  _ . , .  +                ,.o...                      s  _ . , - , . . - . . _ ... . _ . . , ..                                          . . ,
                                                                                         . i .i.
                                                                                                                                                                                                      ...)
                                                                                                                                                                                                                     . ;n s                                                               a 4

1 

                                                                                                                                                                                                                       ^?

Table 4.5. DBE tattiating events at San Onofre 1 DBE cate- 1967 1968 1969 1970- 1973 1972 1973 1974 1975 1976 1977 1978 '8979 '1980 1981 Totelk .. gory Dt.2 2 .4,

1. Feedwater system asifunctions that 1 1 result in en increase in feedwater flow 4

y ~ 2. Loss of esternal electric load D2.2 2 2-

3. ~ Turbine trip D2.3 3- t. 5

[ 1 I I

  • 4. Loss of norant feedwater flow . D2.7
5. Single and multiple reactor coolant D3.1 1  !

pump tripe . 2 4 3 12-

6. Control rod asloperation -. M.3 1 1 1 Total - 2 4 2 0 .2' 3 2 1 0 3 3 2 0 t '2 27 I
                                                                                                                                                                                                                         =

4

Additionally, changes in steam generator control upon turbine trip were co nsi de red.18 ,17 The last two DBE DI.2 events occurred in 1981. The first resnited in l- a scram and seven hour shutdown on June 18, 1981. An instrumentation and control malfunction resulted in a steam and feed flow mismatch, causing the reactor trip. On September 3,1981, a voltage regulator failure ini-tiated an overcooling event requiring a manual scram. The recovery from the f ailure resulted in a significant reportable event and is described in Section 4.5.2.1. 4.4.2.2 D2.2 Loss of external electric load. There were four events associated with the category -- loss of external electric load. The first loss of load event occurred on June 22, 1971. Both the Chino and Santiago lines relayed and the generator tripped on overspeed. On July 12, 1971 the unit tripped from a generator out-of-step condition again resulting in turbine overspeed. In the third event, the main exciter motor failed mechanically when being started on July 27, 1972. The problem was deter-4 mined to be rubbing between the rotor and stator. On July 29, 1972, the unit tripped from loss of main generator field and experienced a turbine overspeed._ The turbine overspeed events are described in Section 4.4.3.2. 4.4.2.3 D2.3 Turbine trin. There were five events associated with the category -- turbine tri.?. On January 9,1969, the unit was removed off line af ter a routine test of the stop valves produced a spurious partial turbine trip. Investigation revealed that the turbine auto stop oil sup-ply pressure was low due to a badly scored seat and disc in the autostop oil dump valve. During startup, twice on April 17, 1976 and once on April 18, 1976, a spurious turbine trip resulted in a reactor trip. The cause was an incorrect setting of an overspeed trip device. On September 12, 1978, the turbine and reactor tripped while performing bearing low oil i pressure tests. , 4.4.2.4 D2.7 Loss of normal feedwater flow. On January 16, 1980, the unit tripped frce steam flow /feedw .ter flow mismatch. The trip was caused by a construction worker who accidently struck the closing circuit control relay to the east feedwater pump normal discharge valve. This resulted in a rapid decrease in feedwater flow and the resultant trip.18 4.4.2.5 D3.1 Sinale and multinle reactor coolant namn tries. On March 8,1978, the reactor tripped frce a loss of coolant flow signal. The low flow condition occurred when a severe voltage reduction at the reactor coolant pump motors resulted from a power system disturbance. This reduced pump speed such that a low flow condition existed. The dis-turbance was due to a fault occurring on the San Diego Gas and Electric Company power grid which interties to San Onofre. 4.4.2.6 D4.3 Control rod maloneration. There were eleven forced outage s due to dropped rods. The problems with dropped rods were of four types: (1) relay malfunctions (3), (2) slave cycler malfunctions (2), (3) gripper coil malfunctions (3), and (4) connector malfunctions (1), l t F-47 

  , ~ - -       ,,~----,--,4
                                    ,- ---,            , - , . ,    ,-w- ,,n-------,,----,--,---,,e-,,n, -            -,---w ,  ,

        ~ On two additional occasions, October 21, 1974 and April 14, 1977, rods dropped for unknown reasons.

On July 9,1967, a timer relay malfunctioned which caused rod drops 

         -in subgroup 4 of control -rod group No.1. On September 9,1968, all five rods on subgroup 7 slipped frma 117 'to 40 steps due - to BF relay f ailures.

On August 14, 1969, control rods associated with subgroup 7 dropped into the core due to an intermittently open contact of a BF type relay in the rod control logic. 

               - On March 4,1968, cleaning of the rod controls slave cycler contacts j        . was in' progress and the subgroup No. 6 slave cycler had been replaced with a shutdown cycler so that the contacts could be cleaned. An attaapt was made to cycle the rods one step and subgrcup No. 6 was dropped to 160 steps. The slave cycler was examined and no reason for f ailure was found.

On September 26, 1968, the control rods on subgroup 8 dropped into the cr ie while a slave cycler f ailure alarm was being cleaned. This occurred when en operator manually opened, closed, and reopened the half power con-tactor while attempting to clean a slave cycler f ailure alarm. The cause was due to improper operation of the slave cycler clutch. On March 9,1968, the unit was shut down when physics data indicated a bottomed control rod. Investigation revealed that the polarity of the movable gripper coil had been reversed during repairs to penetration EPC-4. On May 18 and June 9,1977, a gripper coil failed causing four j' rods to drop which caused the unit to be manually tripped. On December 12, 1967, five control rods in subgroup 7- dropped because of bad connectors in the vessel head. The defective electrical components i' - were replaced. 4.4.3~ Trends and safety isolications of forced reactor j shutdowns and forced nower reductions l There were five maj or trends associated with forced outages and power reductions. These trends can be classified into one of the following categories of problems concerning: i (1) pressurizer relief valves,

(2) turbine overspeed, i (3) leaks in the condenser, (4) indications of dropped rods, (5) power buse s 'and inverters, and (6) steem generator tube s.

l l- The pressurizer ' relief valves and the turbine overspeed problems mainly j l 4 occurred during early years of operation. Leaks in the condenser occurred 1 

        - throughout San Onof re's operating history with most of these resulting in forced power reductions.       Problems with power buses and inverters occurred        j af ter the first five years of operation. As well, problems pertaining to              j steam generator tube s surf aced following the first five years of opera-tion. . Problems with power buses and inverters and steam generator tubes              )

I are discussed in Sects. 4.5.3.1 and 4.5.3.2, respectively. 4.4.3.1 Pressurizer relief valves. Problems with the pressurizer relief valves occurred primarily during the first three years of opera-tion. On October 1,1957, the unit shut down for 216 h to repair two F-48 l

pressurizer power relief valves and a bypass valve in a steam line. On l December 9,1968, leakage through pressurizer relief valve RV-533 was ob- 1 served by an increase in temperature 'in valve discharge piping. Observa-tion continued until a normal shutdown was required on December 28, 1968, ! . lasting 84 h. On March 22, 1969, leakage through pressurizer relief valve j EV-533 was observed and the unit was shut down to repair the valve. Other scheduled work.was accomplished at the time which caused the reactor to remain of f11,ne for 314 h. On August 10, 1969, the unit shut down for 80 h to correct leakage of three pressurizer relief valves. On April 27, 1974, during a shutdown to repair steam generators, repair of a pressurizer re-lier valve was also accomplished. On June 11, 1975, the unit shut down to repair safety valves EV-532 and EV-533. 4.4.3.2 Turbine oversneed. There were fourteen shutdowns caused by turbine overspeed or overspeed protection problems. On June 22, 1971, a f ault on the San Onofre-Chino 220 kV line and a concurrent opening of the

San Onofre-Santiago 220 kV line breakers caused a partial unloading of the j unit. Downward drif t in the backup overspeed device set point resulted in a complete electrical unloading of the units at a frequency of 61 Hz.

Instrumentation indicated that the turbine generator reached a maximum of 133% of normal speed. Three weeks later on July 12, 1971, the unit shut down due to a generator "out-of-step" condition caused by low generator excitation. This resulted in a complete electrical unloading of the unit. Instrumentation indicated that the turbine generator reached a maximum of 133% of normal spe e d. As a result of these two incidents, unit load was restricted to 80% of full power pending an evaluation of turbine overspeed characteristics. The results of this evaluation indicated that the unit load could be in- , creased to full power provided (1) that condenser backpressure is a mini-zum of 1.5 in. of mercury absolute and (2) that the emergency overspeed trip was set at 104%. Load was increased to full power on August 9,1971. On July 29,1972, the unit tripped due to loss of the main generator field, during transfer. to the main exciter. The unit had been operating with a spare, portable exciter. During the event the turbine reached 133% overspe ed. Six additional shutdowns (November 1, November 3, and November 5, , 

                                                                                               ^

1971; February 25, and March 4,1972; and March 19, 1976) were done to ( test the overspeed setting and gavef data on overspeed characteristics. Four events (March 24,1972, April 17,1976, April 17,1976, April 18, 1976) resulted from incorrect settings of the overspeed trip and re-quired resetting of the mechanical overspeed device. On May 29, 1970, the i turbine was observed to be accelerating too f ast and the unit was manually l shut down. 4.4.3.3 Condenser tube leakane. Leaking condenser tubes caused five l shutdowns and nineteen power reductions at San Onofre. The first time leaking condenser tubes became a problem was on July 17, 1967. The r e-currence frequency did not increase until 1976, but continued to be high through 1979, decreasing in 1980. Five shutdowns specifically to repair condenser tube leaks inter-rupted operation on July 17,1967; June 27 and October 27, 1971; October 21, 1973; and April 5, 1979. On two occasions, July 17, 1967 and October l 

  -21, 1973, turbine blade f ailures caused salt water inleakage and resulted in 1080 and 2490 h of downtime, respectively.

l I l F-49 

    - -                                   _ _ _ -      .       _  . _ ~ ,     --       - -          . . - _ . _ - -

The first power reduction because of condenser tube leaks did not occur until'1976. However, as Fig. 4.2 indicates, condenser leaks caused recurring power reductions through 1981. Power reductions to repair condenser tubes occurred on January 8, January 26, January 29, February 6, March 23, March 29, and July 2,1976; July 1 and July 2,1977; March 2, and June 9,1978; February 23, August 30, September 7 November 29, 4 November 30, and December 2,1979; February 17, 1980 and August 20, 1981. 4.4.3.4 Indications of dronned control rods. There were 14 ovents which resulted frca indications of dropped control rods. Most of these were power reductions. Seven of these events (December 9,1972, June 11 and June .14,1974, February 9 and February 17, 1976; and September 25 and Sept maber 26, 1976) were associated with problems related to power buses 

;                      and. inverters and are discussed in Sect. 4.5.3.1.           TWo of the-events

( Sept embe r 20, 1972 and T hruary 20, 1973) are discussed in Sect. 4.4.2.6. On October 19, 1967, the unit was shut down due to a falso indication of dropped control rods. On April 7,1969, the unit reduced power due to 

                      ' an unexplained f alse dropped rod signal.          On March 22, 1978, an erroneous signal indicated dropped control rods.

On August 7,1976, the unit reduced power due to a relay coil failure producing an erroneous dropped rod signal. On May 18, 1978, a grounded rod position indication grstem component caused an erroneous dropped rod s i gnal . 4.5 Renortable Events This study reviewed 327 reportable ' events fras San Onofre Unit No.1. + The events included miscellaneous reports, abnormal occurrence s (AO), station incidents (SI), and licensee event reports (LER) filed by the utility for various equipment failures or technical specification viola-tions. The information in the reportable events was coded as discussed in Sect. 1.3. The tables compiling this coded information are in Appendix A, 

.                      Part 2.

1 4.5.1 Review of renortable events from 1967 thronah 1981 l Figure 4.3 illustrates the number of reportable events per year sub-mitted by the Southern California Edison Company. The number of reported 

                      - events romained relatively constant over the first half of San Onofre's Operating history. The second half tended to have increasing numbers.

The years 1967 through 1974 average 17 events per year while the years

1975 through 1981 averaged 27 events per year. Reports of steam generator  ;

and condenser tube leakage were maj or contributors to the trend of in-creased numbers of reportable events. Peak reporting years were in 1980 and 1981 with 39 and 33 events, respectively. 4.5.1.1 Year 1r s 

                                                     -eles. The following sections present a summary of reportable events for each year of operation for San Onofre from 1967 through 1981. A single event which occurred in 1966 was also included in
  '                    this study even though it occurred prior to initial criticality. During installation, a steam generator was dropped one foot during a lif t. The 4                        steam generator withstood the subsequent hydraulic test, but 32 inconel i

F-50

7-7, 6-yk 5 5-Number of Shutdowns or - s Power Reductions 4 - 

                                                                           /

3- ? , M 2 2 2-y 1 - 1 1 1 n? 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 YEAR Figure 4.2 Number of Condenser Tube Leakage Events

r. ,

40 39' 35 33 31 30 .. 

                                                                                                              /

s 26 s 25 25 , 23 . Number of 20 < , Reported Events gg 18 , 18 18 17 ' 17 +- 

                                                                                                                ,   s m                                                              16     16 w

15 - ' 14 

                                                                                                                               ~

12 gg 10 . ym.; , , 5 s ge. ... 

                                                                                                                ~
                                                               %                /        ,'                                        '%

2967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 YEAR Figure 4.3 Number of Reported Events Per Year at San Onofre 1 f

tubes were deformed and several tube support sheets were crushed. After making repairs and plugging tubes, the steam generator was placed in ser-vice. 1111

~

San Onof re Unit No. I's initial criticality occurred in June 1967. This analysis examined 17 events that were _ reported during 1967. Two of , those events are considered significant, one involving f ailure of both safety injection pumps and the second a spill of radioactive water from the radweste system. The first significant event occurred two weeks prior to initial criticality. Both safety inj ection pumps were declared inoper-able when they failed megger tests. This common cause f ailure is dis-cus sed in Sect. 4.5.2.1. The second event involved the overflow of a rad-a waste tank due to operator error and is described in Sect. 4.5.1.4. Of the remaining 15 events for 1967, 5 involved control rods or con-trol rod drive mechanisms. These included two instances of inadvertent

rod drops, two f also or erratic rod position indications and one rod that
.      mechanically j ammed.

liff Fourteen reportable events were reviewed for San Onofre for 1968. 

!       Two cable tray fires occurred, the second of which resulted in a five i

month shutdown. These signifiant events are discussed in Sect. 4.5.2.2. Also significant during the year was an event in which crysta111 stion of boron in the lines required boration by an alternate means. , The remaining 11 events were not significant individually. Seven of them however, involved control rods. Five of these events were occasions when rods inadvertently dropped partially or completely into the reactor core. TWo control rod anomalies were wiring f aults.

1111 Twenty-five reportable events were recorded for 1969. Fourteen of
these were termed " abnormal occurrence s (AO)." This terminology was used
prior to the current " licenses event report (LER)" and does not correspond
to the current use of AO's as significant events that are reported to Con-j gress by the NRC. One of the 25 events was identified as significant in this analysis. It involved another instance of boron crystallization in-

[. hibiting adequa te horation (Sect. 4.5.2.6) . The remainder of the events ! were insignificant and involved a variety of plant systems. , 1112 In 1970, San Onof re reported 17 abnormal occurrence s. In addition to those events, this review also included a reactor coolant pump event in , which the pump flywheel was replaced when inspection revealed a cracked bore. None of the events examined were deemed significant. Five of the events were f also control rod position indications, due to recurring LVDT fa!! ares. Three events involved safety inj ection system pumps or valves, i F-53

1211 Seventeen abnormal occurrences at San Onof re were reported in 1971. From these, this review identified two significant events, both involving occurrences of overspeed by the plant turbine. These occurrence s required investigation and turbine modification and are de scribed in Sect. 4.4.3.2. Of the remaining 15. events, 4 involved the reactor trip system, 2 result- 

 . ing in inadvertent reactor scrans due to f abrication and maintenance errors.

1211 San Onof re reported 16 events in 1972. Two significant events occur-red. Abnormal occurrence 72-07 reported an overcooling event due to an exce ssive feedwater flow rate. This was caused by a regulating valve f ailure and is de scribed in Sect. _4.4.2.1. The second significant event was a recurrence of overspeed problems with the turbine, experienced sub-sequent to a loss of . generator field.- Of the remaining 14 events, three events describe primary to second-ary leakage in the steam generator. These are the first instances of steam generator tube leakage reported for San Onof re. 1211 In 1973, reportable events at San Onofre were reported as station incidents (SI). Sixteen such events were reported for the year. TWo of those events were considered significsnt. SI 73-08 was a significant event involving loss of of f-site power und subsequent f ailure of an emer-gency diesel generator. This event is de scribed in Sect. 4.5.2.3. The second significant event was another overcooling event due to excessive feedwater flow. The transient resulted in actuation of the safety inj ec-tion system. This event is described in more detail in Sect. 4.4.2.1. In addition to the diesel generator f ailure in SI 73-08, four other diesel generator f ailures were reported during the year-(SI 73-03, SI 73-04, SI 73-7, and SI 73-12) . Prior to 1973 only two diesel generator f all-ures had been reported, both in 1972. 1211 

       ' Thelve station incidents were reported by San Onof re for 1974. Of these twelve reported events, only one was deemed significant.      SI 74-06 involved leakage of cooling coils in containment, causing flooding and f ailure of a number of reactor vessel detector thimbles. This resulted in a reactor trip and is discussed in Sect. 4.5.2.7.

One of the other events reported in 1974 was a sabotage threat against San Onof re which the FBI reported. The FBI received a telephone call from a Los Angeles man who claimed that a car with several persons was in route to San Onof re to " blow up" the generating station. The threat later proved to be a hoax. F-54 i

1911. 1 San Onof re reported 24 events in 1975, three of which were signifi-cant events. During a design review required by the NRC, a single valve f ailure was identified that could have potentially defeat the safety in-jection system. This discovery was reported as SI 75-06 and is discussed in Sect. 4.5.2.1. On consecutive days in August, the plant reported j failure during testing of two different diesel generators due to inade-quate cooling causing high cooling water temperature. These events are described in Sect. 4.5.2.4. TWo other diesel generator f ailures (SI 75-02 and SI 75-04) were miso among the rest-of the 24 events for 1975. i 121f Eleven events were reported to the NRC as Licensee Event Reports (LERs) in 1976. The review also examined station incidents (SI) that San Onof re continued to record in its annual operating report. Table A2.11 shows only those sis that describe events in addition to .the LER events. Twenty non-LER events were included in the. review of 1976 operating experience, including 17 station incidents. Of these, one was demned sig- , nificant. It was a loss of of f-site power event caused by a brush fire. The event (SI 76-02) is described in Sect. 4.5.2.3. The 31 total events for 1976 included five reports describing f ailure of an inverter in the on-site power system. Three of these f ailures occurred on the same day and are discussed in Sect. 4.5.2.1. An addi-tional five reporte involved minor problems with spent fuel shipping j casks. These included cracked lif ting lugs, minor. leaks and administra-tive errors in handling and shipping. 1211. Eighteen events were included in the review of 1977 operating ex-perience. Fourteen of the eighteen were LERs. None of the events were considered significant. The problems presented by the reports were varied, including continued steam generator tube leakage, administrative errors and maintenance and design deficiencies. In 1978,17 events were reported. Of the 17, one LER described a significant event. The event involved f ailure of two inverters for the containment spray actuation system. < Four of the remaining 16 events reported occurrences involving the high pressure safety inj ection system, while an additional three events involved feedwater system equipment. Although these events were reported as feedwater system events, some feedwater equipment is used in_ a safety inj ection role. None of the events were considered significant however. I 1212. San Onof re submitted 26 LERs in 1979. Review of these reports iden-tified no significant events. Five of the LERs involved events concerning F-55 

     - -.                                                                   _ . . _ , . . . . _ _ _ . _ , . . ~

loss of or failure to collect required environmental data such as drinking water samples and sea . temperatures. These included loss of four environ-mental radiation dosimeters due to vandalism. In Novembe r, four LERs re-Ported the discovery of pipe supports missing in three different systems 1219. In 1980, San Onofre Unit No. I submitted 39 Licensee Event Reports, the largest nunber of reports in any year. Four of those events were con-sidered significant._ The first of these was a cooling transient due to loss of a feedwater pump. The event was due to construction personnel in the area and is de scribed in Sect. 4.4.2.4. A.second significant event occurred in March 1980 when all the salt water cooling flow for the plant ceased. The event was the result of pumps and valve failures, due to a number of causes and is described in Sect. 4.5.2.2. During ref ueling in April 1980, the third significant event occurred. Due to a seal failure, source range nuclear instrumenta-tion was flooded and f ailed. This event is described in Sect. 4.5.2.7. The final significant event of 1980 occurred in November and involved loss of on-site AC power to all station auxiliary loads. The event was caused by an operator error and is described in Sect. 4.5.2.3. 1981 San Onof re Unit No.1 reported 30 events in 1981. Also three events reported as LERs in 1982 actually occurred in 1981. Of these 33 events, one event is considered significant.- It involved f ailure to open of two safety inj ection valves, thereby disabling both trains of safety inj ec-tion. The event which occurred on September 3,1981, was due to a de sign error and is ~ discussed in Section 4.5.2.1. 4.5.1.2 Systems involved in renortable events. A sanmary involved in reportable events is given in Table 4.6. The table totals the system codes, listed in the " system" category of Appendix A.2 and gives the number of times a reported event involved each system by year. The most frequently reported systems were:

1. coolant recirculation systems (29),
2. reactivity control systems (29),
3. condensate and feedwater systems (23),
4. . onsite power systems (composite ac and dc) (19),
5. emergency generator systems (22), and
6. circulating water systems (18).

Eighteen of the 29 coolant recirculation system failures were damage to or leaks in the steam generators. The only other maj or contributors f rom -l this system were the reactor coolant pumps which accounted for six of the reports. The maj ority (18 of 29) of reports involving the reactivity control system involved f alse indications of droppea rods. Ten reports concerned actual incidents of dropped rods and stuck control rod drives. The final 

                                                                                )

F-56 

                                                                                                         ..., , - ~ ,- ~                         _

r < e Table 4.6. Summary' of eyotease involved in reportable evente at San'Onofre i Syst ee 1966 1967 1968 1969 1970 1971 '1972 ' 1973 - 1974l-'1975 1976 '1977. 1978 . 1979 1980 ; 1981 y. gel Reactor vessel internale (RA) .. seactivity control (as) 5 2, 

                                                                                                                                                                           -I                                                      g.

7 5 5 1. I , Reactor core (RC) I' I, 1- 

                           . Reactor vessel (CA).                                                                                     I                                                                                         29 -

I 2 i Coolant recirculation (CB) .  ! 2 1- I 4 Besidual heat removal (CF) 1 lI - 3- 1 I 2 4 3 3- 

                                                                                                                                                                                                             . ~

6 29 . teactor centstament (SA) . t  ! 1 2 Contatseest teolettoo (59) .1 

                                                                                                                                                                                  ,2 I  '2             6 I

i ' Low pressure safety injection (SF-B) - 'l 2 I. 'I 3 1- -2 10 

                                                                                            .I                                                                    Is Nigh presure safety tajection (SF-C) ~                                             3                               I                                                                         3        3'-

Control rose habitability (SC) - ' I 4' I '3' 4 17 Containeent oprey (SH-B) l I Auxillery feeduster (SM-C) 2 3- I '2 8 Beactor trip (IA) ;I I 2 2 1 '4 3 Bastneered safety feature inst rument (IS)- 1 2- - 2- 2' 'IT Sofety related display instrumentation (ID) I I 2-I 3 m Other toetrumente, safety (IE) I 3 other instrumente, non-eafety (lF) 4 4 Of fette power (EA) I 2 2 3 6 , AC onette powr (EB) 1 2 I I I 2 6 t DC onette souer (EC) I fI P 1 6 ! thette power (composite AC and DC) (ED) 2' 2 I 7 I 3 l guergency generator IEE) 2 1 3 6- I- .l 19 l- u Spent-fwel storage (FS) 2- 5 8 4- 1 I 2 8 2 3 22 i N Fuel hand!!ng (FD) 5 2 7 Stetton service unter (WA) I I 2 Cooling for reactor auntilaries (WS) I I Compressed str (PA) I I 2 I I .. 6 Cheetcal, volume control and Itquid poleon 1 2 2- 2 2 (PC) 1 I I I I I i 12 i Air conditioning, heating, cooling and I- :1 ventilation (AA) 2 Turbine generatore (HA) Meta stese supply (HS) 1 I 1 4 ,3 I I 2 I I . II Circulot tag water (HF) I I 2 3 II 2 +3 2 3 Condensate and feedwater (HN) 2 1 5 18 2 1 2  ! Liquid radioactive easte management (HA) 2 1 1 2' 4 3 5 1 23 i ' Procese and ef fluent radiological monitor-- 3 3-lag (MC) 3 3 Area moottoring (BA) Airborne radioactivity monitoring (BO) I 1 I .2 System code not applicable (ZZ) 2 1 3 I I 9 i 2 3 4 1 2 'l3 Total 1 17 15, 25 LA - 18 - '16 14 12 25 38 18 19 28 - 43 33 

                                                                                                                                                            -                                                                            o

_ _ _ _ _ _ _ _ _ s . . _ _ _ 4 - 

                                                                                                                                         +-        -

I event occurred due to a weld f ailure causing one or two rodlets to remain in the core. All 19 of the composite ac and de onsite power system events were inverter failures. The events for the remaining three systems were not attributable to any. single type or class of f ailures. 4.5.1.3 Causes of renortable events. Table 4.7 lists the causes of i reportable events by year. The largest group of events (196) were those 

  - caused by inherent equipment f ailure. Human errors accounted for 113         i events. These errors included administrative, design, fabrication,             l Installation, maintenance. . and operator errors.

Four events resulted from severe weather conditions. This included I two losses of environmental data and two cases of excess fish and seaweed impingement at the intake. Three other reports of excess aquatic material at the intake were reported but were not attributed to weather conditions, so are listed as -due to other, unspecified causes.- This . category al so includes the eleven earthquakes reported by San Onof re Unit No.1, one brush fire that caused a loss of of f-site power lines in 1976 and a 1974 sabotage threat that turned out to be a hoax. 4.5.1.4 Radioactivity release s----rv of resortable events. Table 4.8 gives a summary by year of the total radioactivity released from San Onof re Unit No.1. Only three radioactivity releases resulted in . report-able events. There were no releases in excess of the Tech. Spec. limits. The first reportable event reporting a radioactivity release occurred while pumping out a radwaste tank on June 28, 1967. ^ Radioactive liquid was being pumped through a monitor tank which had a f aster pump-out rate and a low-level cutoff which must be reset manually. The operator was called away during the operation and could not reset the cutof f, resulting in the tank's overflowing. The overflow was routed to the reactor auxil-inry building sump, which on high level is autaastically pumped to the decontamination drain tank. This tank also overflowed causing the sump to backup through the floor drains, flooding the lower levels of the auxil-inry building.18 The second radioactivity release event occurred during November 1967. Draining primary loops to replace defective resistance temperature deflectors transferreJ considerable radioactive crud to the liquid waste tanks. Spills near the coolant drain tank caused smears to reach 538.820 DPN/sq. ft. Finally on March 5,1976, during the testing of the spent f uel cask and air pallet systan, radioactive contmaination was spread to clean areas of the plant. A temporary clean area became contaminated by the scatter of dry material during the handling of the spent f uel cask head. A smear survey revealed that contamination had been spread to the maintenance shop, the turbine plant, and the administration building. Only one en-playee, the supervisor of plant maintenance, had evidence of personal con - temination. A decontamination team cleaned all contaminated areas.se 4.5.1.5 Environmental innact s=--arv of resortable events. There were 33 environmental events reported at San Onof re other than the radio-activity release events. Sixteen of the events resulted from the loss of or f ailure to take -environmental da ta. This lack of data resulted from numerous causes and were not attributable to a single type of f ailure. Eleven earthquakes were sensed at San Onof re. None of the earthquakes F-58 

                                                                , _,                  ,-                                  1.                                               -

1 .. g I - 

                                                                                                                                                                        -(              I Table 4.7. Sumunary of causes of reportable events at San onofre I i

Cause l%6 1%7 1%8 1%9. 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979. 1980 '1981 Total' , Administration i 2 3 l~ .6 13 i Design 2 -2 2 1': 3 2' 2 1' - 5 '5 25 ' q Fabrication 2 1 1 2 2 . 2 I 11 I Inherent failure 7- 10.- 20 16 10 14 , 9 10 17 18 8 13 14 15 15 ' 1 96 -

5. ~ -$ Installation 2 2- 1 2- 2 '5 5. 2 21 i Maintenance 1 1 1- 1 2 .. 1 1 1 .6 3- 18 operator 3 1 2 2 3 2 I- 1 4 3~ '1 23' Weather l' I- 2 4

, -Other I i 1 3 4- 1 I 3- 1 .. 16 .i 4 t i i

_ _ _ . _ _ _ . _ . _ _ _ . _ _ _ _ _ _ _ _ _ _ . _ . _ . . - _ . _, _ _ _ - . , _ . ~ . _ _ _ _ _ _ _ _ _ _ _ _ . , ._ __. . _ _ _ . _ __ _ _ _ . _ _ _ _ y A r Table 4.8. Summary of radioactivity released at Saa Onof re llett' No. l 8 

                                                                                   .1967          '1968          1969                1970                      1971 -               1972            1973               1974'               1975-    1976            1977     1978               1979'           1980'    '1983 I Carborne                                                  b             b                   d                                                    -

1.10E+04, -1.78E+03 Total noble gases 4.02E+00 4.83E+00 2.56t+02 4.2E+02' 7.67E+03 1.91E+04 1.IlE+03 4.16E+02 1.54E+02 1.81E+03 6.0$E+02. 1.05E+03' I.10E+01 - Total 1-131 h4 NA NA NA NA ' 4.43E-05 4.20E-01 1.88E-04 4.50E-03 4.13E-03 1.8tE-04 2.285-04 't.22E 2.33E-04 7.46E-04 Total hatogens NA NA NA NA NA 4.42E-05 6.5E-01 2.3tE-04. 2.45E-OL 4.48E-03 1.81E-04 2.2tE-04 1.22E-04 2.53E-04 I.44E-03 Total particulates NA NA NA . NA NA 4.30E-04 .1. 2E+00 8.74E-05 3.58E-02 1.82E-05 4.838-06 2.50E-03 2.10E 8.41E-01 9.35E-0 3 Total tritium M4 ' NA '2.47E+00 2.09E+0! 5.36E+01 2.81E+02 . 2.698+02 ,9.14E+01 3.43E+01 4.7 2E+0! 7.57E+01 5.75E+0! 2.8 2E+0I 3.69E+01 4.70E+00 Lieutd Total mixed proJuct 3.17E-01* 1.64E+00* 8.00E+00* 7.60E+00- 1.54E+00 3.03E+01- 1.60E+01' 5.04E+00 1.22E+00 7.43E+00. 9.84E+00 1.18E+01 1.10E+01 l.12E+0I 4.4tt+00f ~ [ e Total tritium Total noble gasee NA NA ' NA NA 3.53E+03 NA 4.80E+03 . 4.57E+03 5.59E+01 3.06E+01 3.48E+03 4.07E+03 5.43E+00 - 5.36E+0! 3.81E+03 3.37E+00 4.00E+03 4.77E+00

3. 39E+03 - 1.79E+03 2.50E+03 1.26t+01 - 4.8tt+00 ' l.00E+01 2.32E+03 1.0 3E+03 1.t!E+01 . 2.90E+00
                                                                                                                                                                                                                                                                                                                       .I.41E+01 NA O Solid Total                                         NA            l.13E-OL      4.05E+0u            1.0 9.+0i            1.19E+00                 7.97E+01         3.8tt+02          2.30E+02    2.60E+01 - 6.98E+02             6.02E+01 ~ 7.17E+00          9. 24 E+01      4.35E+02     6.20E+02 NA = not avellable.

8 Ferted covers June throusta December 1967. Reported as total liquid release. Eeported as total gaseous release. keported as total beta and gamma activity of gaseous releases. Eeported as total beta and Eamma activity of liquid releases. IFirst sta months of 1983 only. b

4 caused equipment damage. Five events were impingement of fish or debris on the intake screens. The final event was a brush fire which knocked out ef f site power lines and is discussed in Sect. 4.5.2.3. i ! 4.5.2 Review of sinnificant events j The analysis of the operating history of San Onof re examined report-l able events using the criteria described in Section 3.2 for potentially 

          - and conditionally significant events.                  These reportable events were then considered significant by this review if they met one of these criteria:
1. an event in which the f ailure or f ailures initiated a ' design basis event (DBE) as listed in Table 3.1, or
2. an event in which the f ailure or f ailures compromised a function of the engineered safety features.
Twenty-two events at San Onofre met the significance criteria above.

Table 4.9 summarizes the significance ca tegories from Table 3.3 for these , events. The total in the table is 32 because 9 of the events required two significance ca tegories to describe the event. The events designated as significant are discussed below and are grouped as:

1. loss of saf ety inj ection system function (3),
2. failure of salt water cooling flow (1),
3. loss of offsite power (3),
4. loss of emergency AC power supply (3),
5. cable tray fires (2),
6. loss of boric acid inj ection path (2), and
7. instrumentation channels f all due to flooding (2).

in addition, six of the significant events were DBEs reported as report-able events and are discussed in Sect. 4.4. Table 4.10 summarizes all significant events discussed. 4.5.2.1 Loss of safety infection system function. TWo reported events presented potential failure of the safety injection system at San Onofre. In addition, in 1981, an actual failure of the safety inj ection system occurred when a demand was present. In the last month prior to power operations in 1967, both safety in- ! jection recirculation pumps were decalared in operable during messer test-

j. Ing. Moisture penetration of the motor windings caused the pumps to f all
;         the test due to low resistance to grounding. The pumps were removed from service, the windings were dried out and potential sources of in leakage

! were sealed to assure submerged operation.31 In 1975, Southern California Edison Campany (SCE) and Westinghouse reviewed the design of the San Onofre Unit No.1 safety injection system. On February 28, 1975, Westinghouse notified SCE of a potential single l f ailure which could prevent the safety inj ection system from satisfying its design requirements for same accident situations. Specifically, fail-ure of one of the two feedwater pump discharge valves to close might have resulted in a portion of both trains of the safety inj ection flow being diverted to the steam generators. F-61 

  . _ . _ _ . _ _ _ _ . - _ _ . . _ _ , . _ . _ _ . .             , . . _ . . ,                                                                                            _                 __      _        _ _ . _                           . _ , . _ .                 =. .

7 ,. _ ,_ ,- s 

                                                                                                                                                               % <-           . -F                        i                              ,                ,            ...
                                                                                                                                                                                                                            ,                                         .r' y  i
                                                                                                                                                                                                                                                                ~

s.. 

                                                                                                                                                                                                                       .3.,                                                        ,
                                                                                                                                                                                                                                                                            - TV
                                                                                                                                                                                                                                                                    ;. o '
                                                                                                                                                                                                                                                                                        .j sq
                                                                                                                                                                                                                                                                                      .l
                                                                                                                                                                                                                                                                                       'l s

Table 4.9. Summary of significant event categories at San Onofre Unit No. I r 1966 1967 1968 1969 1970 1971 1972 1973 1974- 1975- 1976  : 1977 1978 ,1979 - 1980 1981 Total i I I 2-  ! 2 I 9 

                                            $1 - Two or mre f attures la redundant systems                                                                                                                                                                                        8.

1 1 2 m $2 - hso or are f attures due to a common 1 3 1 I caus. 3 

                *g                          S3 - three or more f attures                                         2 1

I 4 p 2 57 - Creater threat to plant safety with 'j dif ferest plant conditions or the advent ' of another credible occurrence I 8' I S9 - other 1 2 .2 I l' 2 6 1 2 2 3 1 3 1 7 4 32" Total a A total of 22 events were identified as significant with more than one significant category assigned per event for some events. 

                                                                                                                                                    ~
                                                                                                                                                                                                       .. _ _ _ _ _ _ _ _ _ _ . . -~.                       .                       .
7. r f

[wi s Table 4.10.' Tabulation of reportable events' categorised as sigalficant for San Onofre Unit.1 [Beport. 

                                                                                                                               ' Discussed
                              -Event    . Report ~ : Significant no.                   : no.

Event description la date. category section , 67-04 . 6/2/67 7/15/67 >si, s2 Both safety injection recire, pumps removed for 4.5.2.1~ repair after failing messer_ testing 66-03J .2/7/68~ i 2/ 26/6 8 82, 83 Minor cable tray fire- '4.5.2.5 07 '3/12/68 , 4/8/68 ~ 's2, 53 Cable tray. fire resulted in 5 month shutdown, 4.5.2.5 y _also boron injection failure l 68-14" 10/14/68: 11/25/68 si, s2 No flow from boric acid tressfer pumpa due to 4.5.2.6 boros crystallisation- '~ 69-08 7/15/69 10/27/69 89 . Boric acid injection pump plugged due to boron 4.5.2.6 crystallisation A071-06' 6/22/71 Monthly 39 Imes of two off-site power lines and s'ubsequest 4.4'.3.2 report turblae overspeed 9 6/71 A071-10' ' 7/12/71 Monthly. 89 Cenerator out'-of-step condition results in 4.4.3.2

  • .. report turbine overspeed 8/71
             -A072-07       4/30/72-    5/9/72            89                  Excessive feedveter flow due to regulating          4.4.2.1-valve failure -     ,

72-03 7/29/72 8/28/72 89 Turbine overspeed occurs due to toes of sesera- - 4.4.3.2 

                                                                               ' tor field l              SI 73-08i     6/7/73      7/6/73            51, 82              less of of f-site power and failure of one          4.5.2.3
diesel generator i 81 73-13 10/21/73 _ 10/22/73 89 overcoolies event causes treasient requiring 4.4.2.1-safety injection l.
           ' st 74-06                                                                                                             4.5.2.7 7/7/74      7/15/74           S2                  Reactor trip due to flooded detector thimbles potential safety lajection f ailure due' to        '4.5.2.1 SI 7 5 2/28/75' 3/31/75                89
          ~

einste failure found 

            ~81 75-17       8/12/75     9/12/75           81                  Diesel semerator #1 overheets                       4.5.2.4 81 75-18      8/13/75-   ~9 /12/75          81                  Diesel generator #2 overheate                       4.5.2.4 SI 76-02      1/21/76     2/25/77           81                -Loss of offsite power due to brush fire              4.5.2.3-

, .LER 80-02 .1/16/80 1/ 28/ 80 ~S9 Construction worker caused feewater pump trip 4.4.2.4 LER 80-06 3/10/80 3/24/80 81, 83 Loss of salt water cooling flow 4.5.2.2 i LER 80-15 4/22/ 00 5/ 5/ 80 87 4 kV and 480 V oasite and offaite power lost 4.5.2.3 1. (LER 80-16 4/20/80- 5/20/ 80 .- 81, S2 Source range monitor faite due to flooding , 4.5.2.7 I' LER 80-38 '11/22/00 1 2'/ 9/ 80 87 AC power to station susiliaries lost 4.'5.2.3 

            - LER 81-20     9/3/81-     9/14/ 81          81                Safety injection valves fall to opea disabling        4.5.2.1 safety injection s'

e -. F-63 L

g , 

                                          '              y s-                    -

e , , 4 Sefety inj ection for San Onof re Unit No. I requires realignment of the main fe6dwar.er pumps. Rather than taking suction f rom the condensate discharge,1 thy received borated water from the refueling water storage tank, pumpedf by two saf ety inj ection pumps.- The feedwater pmps' . normal < discharge to the steam generators must close and injection valves must 

         - open to provide a path to the three reactor vessel cold legs.

The.Vestinghouse. analysis showed that if one of the two motor . 'l operated valves in,the normal discharges fros'the feedwater pumps did not s j i' close, portions of the flow from both pumps could be diverted to the steam ge ne'ra tor. For accidents where the secondary system presiure was lower i- than the reactor coolant pressure, the situation of fered th's greatest po- 

         , tential for f ailure of safety inj ection. .           <
                                                                       ~

Administrative controls were initiated to mitigste the potential for this single poin_t f ailure of the safety inj ection uysten. . Design changes were scheduled fcr the 'next ref ueling outare. '$ubsequent requirements by the NRC res'alted: in additional ' single f ailure armlyses of the safety in-jection system and ext hsive modifications.88-h ' < On September 3,1981, the unit was' opekating normally at 390 M(e), 87% reactor power. A voltage regulator f ailure caused erratic instrument indications and the' operators manually tripped the reactor. In the tran-

'sient following the mannal trip, .e' valid safetysinj ection actuation signal was received. However, both safety inj ection valves HV 851 failed to open i- thereby preventing - safety inj ection flow, had it been required. Tests confirmed that the valves did not meet design requirements and would not open under the design differential pressare. Design changes to correct the problem weire evalua te'd, approved by the NRC 'and have been implemented.

Also, augmented surveillance testing of the valves was t instituted.s4 4.5.2.2 Loss of salt water coolina ' flow. _On March 10,1980 while operating at 100% power, San Onofre Unit No.1 experienced a' complete loss I . of flow from the salt water cooling system. He salt water cooling system is the ultimate heat sink for the component cooling water (CCW) system, which' serves to cool certain safety-related equipment. The event involved a triple f ailure consisting of (1) shearing of the south salt water cool-4 ing pump-shaft, (2) failure to open of the north salt water cooling pump discharge valve, an'd (3) failure of the auxiliary salt water cooling pump - air priming system. As a result, the plant was totally without sal t water 

                                                             ~
.        - cooling flow for ten minutes, at which time an operator cross connected

'- the screen wash pups to provide salt water'f tpw to a CCW heat exchanger. I This limited the CCW temperature rise (from 66*F to 82eF in the ten min- 

   ~

utes) and bought the equilibrims temperature down to 706F. The screen wash pumps are not classified as safet'y-related equipment. At 41 minutes into the ' event, the auxiliary salt water cooliiig pump was restored to service and flow throtish it to an in-service CCW trat exchanger began seventeeg minutos later. Throughout the event, ths: unit remained at or usar full power. A power reduction was initiate,d sta first, but then sto$ ped with only a 3 NW power decrease. The NRC cited the plant for two technical specification violations in this event.8 688 Another eveni involvint the salt water cooling system occurred on 3 July 28,1980. When the ' south cooling water ptssp was placed in operationi the pep discharge air-operated valve failed to open autcmatically. N-operator in attendance opened the valve manually ahd flow was established. i l - 1 F-64

L As a test, 'the pump was shutdown, allowing the valve to close automati-cally. On restart of the pump, the valve again f ailed to open. The salt water cooling flow requirmaents for the plant were met by the north salt 

     - water. cooling pump throughout the event.

Review of the history of the valve that f ailed indicated that problems had existed with it ,since the preventive maintenance overhaul of !? June 29,1980. The maintenance action involved conversion of the ~ air operator from AC to DC solenoid operation. This was considered equipment repair rather than a modification, so was not subj ect to design change r eview s. Plant personne1~ were counseled concerning the procedures that should have been followed for such modifications. Also a new DC solenoid 

     - valve was installed in the air operator.8 7 Although not in the original time frame for this examination of operating' experience, three more events involving the salt water cooling system occurred. in 1982 and are discussed here.           On May 13, 1982, two more complete losses of salt water cooling system flow occurred during mainte-nance. : During these events, the unit was in cold shutdown.           The events were due to flooding of the intake structure caused by inadequate main-tenance procedures.se On August 13, 1982, flow from the operable north salt water cooling pump was diverted through the idle south pump. This occurred' due to unexpected opening of the south pump's discharge valve.

An operator immediately closed the valve and no observable reactor coolant system ' tmaperature increase occurred.88 On August 19, 1982, with the south saltwater cooling pump still out of service, the north pump had to be removed from service due to a smoking motor bearing. Necessary flow to the CCW heat exchangers was maintained by the auxiliary salt water cooling pump, which although connected to an emergency bus, does not meet all i seismic qualifications.se l 4.5.2.3 Loss of offsite nower. AC power is essential for maintain-ing the reactor in a safe condition for most operating situations. Three 

     - losses of of f site power were reported for San Onof re, one resulting in no source of AC power being immediately available. These events are de-scribed below, siong with a partial loss of of f site power that resulted
     - from common cause f aults of multiple power lines.

On June 7,1973, a loss of of fsite power occurred at San Onof re with subsequent f ailure of the No.1 diesel generator. The reactor was in a refueling outage and the C auxiliary transformer was down for maintenance. The station's auxiliary power needs were supplied by the main transformer ' and the A and B auxiliary transformers. The main generator neutral cur-rent transformers had been shorted and grounded.in preparation for per-forming the high potential test on the main generator. At 1:56 a.m. , June 7, the east vacuum pump was started. At that in-stant the Unit 1 main transformer relayed due to C phase' differential pro-tection. This caused a loss of of fsite power, de-energizing' the'4 kV and 480 V buse s. At 1:59 a.m., the No.1 and No. 2 diesel generators were started and connected to the 480 V auxiliary buses. Essential equipment including the residual heat removal pumps were restarted. At 2 : 50 a.m. , the No.1 diesel generator voltage control failed caus-ing the No. 2 diesel to trip on overload. The No I diesel was removed f rom service. The No. 2 diesel was restarted and the bus re-energized. It.was determined that the unit differential relay operation was due to o F-65 c

l the ground wire for the main generator current transformers being applied to the dif ferential relay terminals, a maintenance error. This situation was corrected and the main generator was re-energized without further in-cident.- At-6:55 a.m., the station auxiliary power system was returned to normal and the diesel generator was stopped. l In addition.to the maintenance error which disabled of f site power, there was a f ailed capacitor in the' Mo. 1 diesel generator. The capacitor was replaced and the diesel was operable at 6:25 p.m. on June 7, 1973.82  ; 

     !      On January 21, 1976, the reactor tripped at 4:19 a.m. due to concur-rent loss of two of f site power _ lines. The Santiago-San Onofre and Chino-San Onof re 220 kV lines both' relayed open due to a brush fire beneath them. This common cause loss of two lines recurred intermittently dur-ing the day as the lines were returned to service and relayed again due to the fire. The system disturbances also opened other lines including two 138 kV lines - to San Onof re.'- Off site power to the plant was maintained throughout the day and the reactor returned to critical operation at 9:29 a.m. and full load operation at 4:30 p.m.88 For a 4, min period on April 22, 1980, all AC power to plant equip-ment was unavailable. . The unit- was in ' cold shutdown for ref ueling, with AC power to the site supplied through one 220 kV circuit breaker in the switchyard to the A and B auxiliary transformers. Auxiliary transformer C and the No. I diesel generator were out of service for maintenance. Both safeguard load sequencing systems were also out ~ of service.

At 11:07 a.m. , a test technician performing routine relay testing on auxiliary transformer C f ailed to block open a set of relay contacts which subsequently tripped the 220 kV circuit breaker supplying power to the si te. This resulted in a loss of power to all the 4 kV and 480 V buses. The inservice diesel generator (No. 2) was manually started by the control-room operator. Howeve r, of f si te power was restored a t 11:11 a.m. , prior to loading the diesel. Af ter verifying the trip was not due to equipment failure, the 220 kV circuit breaker was reclosed. During the 4 min period, no power was available to the charging pump, residual heat remeval pumps,1 component cooling water pumps or the -salt water cooling pumps. However, no significant temperature increases were noted.during the event.as On November 22, 1980, with the reactor in cold shutdown and the 

    . reactor coolant system drained to aid loop, AC power to two 4 kV buses was momentarily ~ 1ost. This resulted in a 15 second interruption of power to the operable CVCS charging pump, the residual heat removal pumps the com-
ponent cooling water pumps and the salt water cooling pumps. However, no significant temperature increases were noted in any of these systems dur-ing the incident.  ;

At the time of the incident, the main transformer and auxiliary - transformers A and B had bee,n returned to service and switching had been performed . to transf er 4 kV buse s 1-C and 2-C f rom auxiliary transf er C to auxiliary transformers A and B. During the transf er however, the control operator had inadvertently opened the bus tie breakers. This allowed 4' kV breakers 1-C and 2-C to become de-energized when auxiliary transformer C was de-energized. Power was restored within 15 seconds by re-energizing auxiliary transformer C. Both diesel generators started automatically but were not required. F-66

_ . _ - _ _ _ ._ _ _ _ ~ l l I The event was the result of an error by a licensed operator. The j event was reviewed with the plant operators to preclude recurrence.s4 4.5.2.4 Loss of emermency AC nower sunniv. A potential loss of meersency AC power was-revealed when each.of the two diesel generators f ailed during .the semi-annual testing conducted in August 1975. The test l requires both diesel generators be operated at rated load for 1 h. This l is in addition to weekly and refueling outage testing. During the test conducted on August 12, 1975, the No. I diesel generator tripped due to high cooling water taaperature af ter 35 min of ope ra tion. The radiator heat exchanger air passages were blocked with corroded portions of the radiator cooling fans. To correct the problem the radiator was cleaned and the diesel generator tested satisf actorily. On the next day, August 13, 1975, the semi-annual test of the two diesel generators was conducted again. On this occasion, the No. 2 diesel generator tripped due to high cooling water temperature af ter 20 min of ope ration. Investigation revealed that the cap closure on the coolant system . standpipe was leaking. The cooling system was not maintaining suf-ficient pressure and coolant to operate properly. The leakage was -routed to a . drain and was not observable to operating personnel. A repair of the leak was made, and the drain line was modified to allow identification of leakage. s An actual loss of emergency power generation capacity occurred on Nov embe r 19, 1981. With diesel generator 2 shutdown to annual mainte-nance, diesel generator 1 failed to start, tripping on overspeed. Main-tenance of diesel generator 2 was halted and it was returned'to service and started within the two hour Tech. Spec. limit. The f ailure to start of diesel gene'rator 1 was due to low governor oil level, which resulted following preventive maintenance. No evidence was found of oil leakage from the governor. Procedures for checking oil level had not required the oil level check to be made during engine operation, as, required by the manuf acturer.8 8 4.5.2.5. Eaulement disabled by cable trav fires. On two occasions, 

      ' San Onofre Unit No.1 experienced cable tray fires which af fected power and control cables to a number of plant rystems. On Februa ry 7,1968, a fire occurred in cables leading to a penetration. Prior to the event, the unit was in power operation. The 480-V bus ground alarm initiated, indi-cating a 100% ground on the No.1480-V bus. A loud noise was heard and a security officer reported a fire at the southeast side of the containment sphere. Heating and ventilating alarms sounded. Fire fighters controlled the fire within 5 min.                    The No.1 and No. 3 480-V buses were . connected restiting in both buses indicated grounding. By opening various breakers, l

the ground was cleared when the Group C pressurizer heater breaker was opened. LAt this point, a power reduction was initiated to remove ' the unit 

     ' f rom service.

Inspection revealed that the penetration and 65 cables were damaged 

     -by the fire. The cables were located in two cable trays one over the other. No damage was found inside containment, either to the connectors t

or cables. The cause of the fire was determined to be overloaded and over-(. heated cables for the pressurizer heaters. The damaged cables were re-placed with larger size cables and ventilation of the penetration area was impr oved. The total down time for the unit was 286 h and 44 min.

F-67
                                                                                    - - _ _ _ _ . - - ~

4 i r ! 1 _On March 12, 1968, the second cable tray fire occurred. While at i power operations, various alarms sounded, including a 480-V system ground. ] D The operator attempted to identify the cause of the alarus. Within 5 min, j ( smoke' was reported coming f rom the No. 2 480-V switch gear' roca. Fire was !. ' observed in three cable trays in the roca and 13 min into the event the l -- reactor was manually tripped. Assistance in fighting the fire was pro-I. vided by the Marine Corps fire department and the fire was extinguished 35 l min after being reported. l: During the fire, the diesel generator feed cables were identified as l lL the source of the ground on the No. 2 480-V bus but since the ground was (' between the breakers and the bus, the entire bus was removed from . service. '- This disabled a large number of undamaged electrical items. In fighting the fire, the fire pumps f ailed to start and alternate pups were made available. 

                            - A plant cooldown was started and since power was lost to the boric      l
i. , acid inj ection pump, the boric acid transfer pop was utilized for bora-l tion. Four hours into the cooldown, the cooldown was halted because the
                    ' boron concentration was decreasing rather than increasing due to blockage of the transfer pump flow by boric acid crystals. Alternate boration was provided and the cooldown completed. Damage from the March 12th fire in-l cluded 185 electrical circuits, sections of three cable trays,18 control l

transformers, knife switches in pressurizer heat cabinet, heating and ven-tilating annuncistor panel and smoke damage to certain other equipment. i Investigation af ter the second fire altered the assessment of the ( cause of the two fires. Undersize cabling for the pressurizer heaters l remained a contributing f actor but also considered important was mechan- ! ical overloading of cables in crowded cable trays. This contributed to

.the thermal overloading that caused the fires. Corrective actions were

) extensive,. requiring addition of cable trays, rerouting of cables, cable l upgrading and replacement, and changes in electrical fault isolation. The 

                    . unit returned to service Sept. 8, 1968.87 4.5.2.6 Loss of boric acid infection naths. During the shutdown following the fire of March 12, 1968, cooldown was halted due to f ailure L                     to 'inj ect boron for reactivity control (see Sect. 4.5.2.3) . The cause given was suction line blockage by boric acid crystals. This caused fail-ure of the boric acid inj ection pap and both boric acid transfer pups.          ,

On October 14, 1968, the unit again experienced blockage of the boric acid inj ection pump and both boric acid transfer pumps. Periodic recircu-lation flow 'and improved heat tracing were identified as necessary for adequate system operation.s s A similar event occurred on July 15, 1969 when the boric acid inj ec-tion pump discharge became clogged with boric acid crystals. Tempe ra ture s in the discharge piping were found to be 110*F at one point, while pre- I L cipitation occurs a temperatures below 130*F. Installation of a recircu- , lating pump and raising-the heat tracing system setpoint was accomplished I to correct the problem. Other occurrences of single f ailures due to boric acid crystalliza-tion were reported (SI 74-03, LER 76-07, and LER 77-06) . However, no losses of inj ection capability were noted. l l F-68 i

l l 4.5.2.7 Instrumentation channels fail due to floodina. On two occa-sions at San Onof re, .f ailure of multiple instrumentation channels occurred due to flooding. 

             ~

Failure of two power. range instrument channels due to flooding caused an inadvertent reactor trip on July 7,1974. The reactor trip occurred due to an indication of overpower on nuclear instrument channels 1206 and 1207. . Three other instrument channels f ailed also. At 10:15 a.m. , a routine auto start test of the turbine plant cooling 

        . water pumps was conducted. A flow disturbance during the test f ailed two gaskets in a control rod drive mechanism cooling f an.                               There was no know1-edge of_the failure at this time. By 10:50 erratic instrument readings and control rod drive mechanism taaperatures indicated a cooler leak. As action to secure the leakage was taken, the reactor tripped due to the                                       >

overpower indication. Other channels-indicated no over power condition actually existed. However, due to the number of channels af fected, bora-- tion of the reactor was initiated. A total of 3400 sal of water leaked through the cooler gaskets. Of this amount, ~140 gal collected in the detector thimbles. All affected in-strumentation was inspected and replaced as necessary. A design change was accomplished to provide additional drainage for the coolers in-volved.88 During ref ueling operations on April 20, 1980, two source range in-strumentation channels f ailed. Although alternate channels were available for indication of neutron level, no audible alarm was operable as re-quired. Refueling operations were suspended to allow repairs to be accom-p11shed. Investigation revealed leakage through the seal between the reactor vessel and reactor cavity. The leak allowed water to enter the neutron detectors and PVC amps. The refueling canal was drained, the seal 're-paired. The detectors and alarms repaired and replaced in service.48 4.5.3 Recurrina nroblems in renortable events In addition to the individually significant events, the review of the reported events at San Onofre Unit No.1 identified five areas in which problems recurred over portions of the operating history. These five problem areas were:

1. Inverter f ailures and losses of vital bus power,
2. steam generator tube leaks, l 3. dilution of primary coolant,

! 4. tsunami gate closure, and

5. erroneous control rod indications.

Erroneous control rod indications are discussed in Sect. 4.4.3.4. 4.5.3.1 Inverters and vital bus nower. There were 21 occurrences of j the momentary loss of vital bus power, causing five shutdowns and nine power reductions. As illustrated by Fig. 4.4, these events occurred in j the period from 1969 to 1979. Inverter f ailures caused all but one of the i losses of vital bus power. The exception was a phase-to phase short in i 1979. i t F-69

1 8 9 1 0 8 9 1 9 1 7 9 1 8 1 7 9 1 s e _ s _ 7 s 1 7 o 9 L 1 r e 6 w 6 7 o 9 P 1 l a 5 5 t 3 7 i 

                           ,      9   V 1

l i a 

                                % 4 2             7 R t 9 A  r 1 E  a Y P 3   f 2             7    o 9

1 r e b 2 m 1 7 u 9 N 1 4 1 4 1 7 9 e 1 r u g 0 i 7 F 9 1 9 6 3 9 1 _ 8 6 9 1 7 . 6 9 1 . 6 5 4 3 2 1 s t n f e ov E r ed b e mt ur No p e R

I i j The first vital power loss occurred on March 5,1969. The No. 1 vital bus transferred to its back-up power supply when the No.1 inverter 

     - experienced a fuse f ailure. This interruption resulted in a nuclear dropped rod signal and initiated a unit load decrease.

l A turbine runback occurred on November 24, 1969 when blown fuses j failed inverter No. 3. The load runback was terminated manually and the blown f ases were replaced. Maintenance personnel found no cause for the blown fuses. 

           'On December 18, 1969, the f ailure of No. 2 vital- bus inverter initi-4 ated a turbine runback. The inverter failure was triggered by a f ailed
     . power switch in the control rod position recorder.       The unit resumed 450 MW(e) operation the same day.
           . The No. 4 inverter f ailed on March 23, 1971, indicating a dropped

, rod. Investigation revealed a shorted capacitor in the transformer cir . j cult. The capacitor was replaced and inverter No. 4 returned to opera- ! tion. The No. 3 vital bus transferred from the No. 3 inverter to its emer-gency. power source on December 9,1972. The transfer caused a momentary I power loss to nuclear instrumentation channel 1207, leading to a nuclear dropped rod indication. Investigation revealed that the inverter low 

. voltage power supply had failed.

i On January 10, 1973, the reactor tripped when No. 4 vital bus was 

!     transf erred from the backup power supply to the normal power supply. The
;     control power switch to the No. 4 voltage regulator was inadvertently bumped causing it to open.

j On August 17,1973, the No. 2 inverter, which normally supplies power to power range channel 1205 and the rod position voltage regulator, a failed and the load transferred to the backup power source. The resultant i voltage transient caused a power reduction with indication of a dropped i rod. l The unit reduced power due to a momentary power loss to nuclear power channel 1207 on June 11, 1974. A spare channel drawer was . installed in NIS channel 1207 and operated overnight. Three occurrences of channel I' spiking occurred during the period the spare was in service. However, an i operator in continuous attendance at the control console prevented further power reductions. On June 14,1974, the No.1 inverter, which normally j supplies power to nuclear power range channel 1208, failed and its load t transferred to the backup source. The resultant voltage transient caused I a spike on channel 1208 which initiated a " Nuclear Dropped Rod Stop." In-vestigation revealed that a shorted silicon controlled rectifier in the inverter caused the inverter input fuse to open, thus doenergizing the inverter. While testing a pressuriser level channel on February 19, 1975, s second level channel spiked due to f ailure of the No. 2 inverter, causing l the unit to trip. Investigation revealed that a telecommunications crew, [ working in the DC switchgear room adj acent to the inverters, bumped the ! inverter ' cabinet with the foot of an extension ladder and tripped the No.

2 inverter. The No. 2 inverter would not return to service af ter the l

f ailure. Continued investigation indicated that there was a f ailed campo-nont in the undervoltage logic circuit board that should have caused the F-71

___ . _ _ . . _ _ - _. -_ - . _ _ _ _ _ _ _ . _ ~ _ . . _ . _ _ . _ 1 ! laverter to trip. Testing of the circuit breaker verified that the under-voltage trip device was sticking. Apparently, bumping' the cabinet was all that was required to cause the circuit breaker to operate since .the logic 

                         ~

circuit board had f ailed at some prior time.81 On April 22,1975, the No. ' 2 inverter was returned to service and the 

            ' No. 2 vital bus was transferred to the No. 2 inverter, which is the normal
j. power supply. During the transfer it was noted that No. 4 vital bus had transferred to its backup power supply. When the No. 4 vital bus was re-A turned to its normal supply, the reactor tripped. Investigation revealed that permissive circuit P-7 was momentarily de-energized during the trane-for putting the "at power" trips in service.

An internal short caused an oil-filled capacitor to expand and rup-i - ture in the No. 3 inverter on October 19, 1975. A discussion with the manuf acturer determined that the f ailure was randon and the voltage rating , was more than adequate for the service. The laverter was repaired and I + vital bus No. 3 returned to inverter power.* On February 9,1976, a power reduction was initiated when No. 2 in-verter was found with zero output, a "f u se ope n" al a rm, and an obviously failed oil filled capacitor. When vital bus No. 2 transferred to its backup power, the ensuing voltage transient caused a spike in nuclear power channel 1205 which initiated a nuclear dropped rod' signal. On February 17,1976, the No. 4 inverter failed and the load trans-ferred to its backup source. The resultant voltage transient caused a spike on channel 1206 initiating a nuclear dropped rod alarm. No power i reduction ensued as unit was operating at less than 70% of full load. On August 23, 1976, vital bus No. 1~ transferred to its backup power source. This transfer was the result of a component f ailure in the No.1 inverter. The momentary loss of power precipitated a transfer of all three steam generator feedwater level control grstems f rom their normal power supplies which are fed from vital bus No.1 to their backup sup- 

            . plies. The backup positive 15 V power source- had malfunctioned. The re-sult was a loss of stems and feedwater flow signals to the three steam generator level control systems. Under these conditions the steam / feed water flow mismatch reactor trip was inoperable.

On September 25, 1976, vital bus No. 3 transferred to its backup { source resulting in a power reduction. An inspection revealed a failed oil-filled capacitor in inverter No. 3. The ensuing voltage transient caused a spike in the output of a nuclear power range channel, which initi-l ated the nuclear dropped rod runback circuit. A half hour later, vital bus No. 2 transferred to its backup source resulting in 'a power reduction. l The transfer resulted from a fuse failure in No. 2 inverter. The spike in 4 channel 1205 initiated the nuclear dropped red circuit. Inspection re- . vealed f ailed camponents in the No. 2 inverter. Another half hour later, i vital bus No. 3 transferred to its backup source a second time resulting , , in a third power reduction. Investigation revealed a f ailed capacitor in the No. 3 laverter. This event also was a direct result of a capacitor 

;            f ailure in the AC output filter circuit.                                    Inspection revealed a terminal lug on a cable at one of the inductor terminal evidenced heating and arc-ing. The cable was improperly terminated resulting in high resistance between the cable and the lug.8*

i- During normal operation on June 14, 1977, an inverter de input fuse j opened. A single capacitor bank fa!!ed resulting in the failure of an i , F-72 4 

  ,s~m s--,                                    ,,,,.,,__.__,.,,,,.,,____,_._.,,.,..,_,_,..-,.n-._,,,,n,                                               - - - , , . , . , , -., --

E i 

                                                                                                                         )

i l additional capacitor bank and the fuse opening. The redundant supply was l available and af ter all affected parts were replaced, normal power resumed H

through the inverter. i

! On June 7,1978, the same inverter which f ailed on June 14, 1977 I failed again as the result of a capacitor failure. The capacitor f ailure precipitated the f ailure .of a silicon controlled rectifier and the dc in- 1 put fuse. All affected components were replaced. ' j Only.one loss of vital power was not the result of an inverter f ail-ure.. On November 7,1979, the unit shut down due to the loss of the 480 V bus No. 1. The cause of this event was a rodent bridging two energized , phases of the bus.- 4.5.3.2 Steam senerator tube leaks. Af ter the first five years of ope ra tion, steam generator tube leakage became a problem. Beginning in 1972, steam generator tube leaks began recurring, causing 9 forced shut-downs and 17 reportable events. 1 The single event prior 1972 occurred during construction in 1966. _ A steam ' generator was dropped one foot during a lif t af ter it was inside 

,             containment. The generator withstood the hydraulic test, but 32.Inconel

' tubes were deformed and several tube sheets crushed. The damage was re - paired and tube plugged. Calculations showed that the plugged tubes would not change plant characteristics. Leaks f rom steam generators were identified on February 2, July 19, ' i and October 13, 1972: January 51973; April 25,1974; April 13 and June l 11,1975; July 1,1979: and July 12, 1980. The most extensive repairs were made during the shutdown which commenced on J uly 12, 1980 and con-tinued for 4152 h. Prior to 1976, the problem of steam generator tube leaks was consid-ered to be tube wall thinning around the antivibration bars. However, it was discovered that the antivibration bars were wearing and their in-tegrity canpromised. In conjunction with a visual inspection of the "C" steam generator on September 30, 1976, an antivibration bar was removed i for inspection. In several locations, the tube had worn into the bar. l This problem was corrected by the design and installation of additional antivibration bars with rectangular cross section.se In July 1980, Southern California Edison (SCE) installed leak tight

brazed sleeves on tubing identified with significant intergranular attack.

Intergranular attack was occurring at the top of the tubesheet for tubes j located in the central region of the steam generators. SCE encountered difficulty with implementation of the brazed sleeve j oints in deep sludge and developed an alternate design utilizing mechanical joints.4s j Other problems associated with steam generator tube leaks included l dilution of the primary system. The next section discusses that problem. 4.5.3.3 Dilation of crimary coolant. On four occa sions during ex-i tensive steam generator repair, water leakage into the primary coolant system reduced the boron concentration. Operators closely monitored boron concentration, reactor water level and other indicators and stopped the positive reactivity insertion. The first event occurred on October 1,1977. At the conclusion of eddy current testing,13 tubes in the "B" steam generator were explosively 4 l i i l l F-73

F l i plugged. The water level on the secondary side was raised to shield en-playees working in the area. Approximately one-half hour later the opera-tor noticed the secondary side level had decreased. An additional tube was leaking. The total change in boron concentration was 75 ppe from 1614 to 1609 ppa. *

  • The final three dilutions of the primary system occurred during the steam generator repairs in 1980. On July 5 and 6,1980 leakage past '
 ' inflatable seal s occurred during decontmaination. . On two occasions     a rise in reactor vessel was noted. Each time work was halted and boron concentration was monitored. A maximum decrease of 400 ppm of boron was measured.4s On September 1,1980, water leakage through a feedwater block-valve diluted the primary systen during steam generator tube inspection.

A maximum dilution of 35 ppe occurred.** The last primary system dilution occurred on September 22, 1980 and was again the result of leakage past inflatable seals during decontamination. A boron dilution of 55 ppe occurred during this event.*' 4.5.3.4 Tsunami ante closure. The tsunami gate is the salt water 

 -intake stop gate.      Its closure cuts of  f salt. water cooling flow. There were three occasions when San Onofre experienced the closure of the tsunami gate. On November 1,1967, a shorted limit switch caused the gate to close with one circulating water pump out of service. -Rupture of the accumulator reservoir tank caused the gate to f ail on February 9,1968.

Finally on October 9,1969, the tsunami gate slipped f rom its annular bolts and fell into the intake tunnel. 4.6 Evaluation of Oneratina Exnerience This analysis studied 154 shutdowns and power reductions, 327 ~ report-able events and other miscellaneous documentation concerning the operation of - San Onof re Nuclear Generating Sta tion Unit No.1. The obj ective was to indicate those areas of plant operation which have compromised plant safety. This review identified three problems which should be of con-tinued concern. The first area involved the safety inj ection system. Section 4.5.2.1 detailed three events in which the safety injection system was actually or potentially lost. Another reason for concern are the number of random - f ailures associated with the safety inj ection system. During saf ety in-jection, part of the feedwater system is used to deliver water to the reactor core. Some failures of the feedwater system would also affect the function of those components in their safety inj ection role. If the number of times the safety inj ection system was involved were combined with the number of ' times the feedwater system was involved, the combina-tion would have the largest population of failures in reported events (see Table 4.5 in Sect. 4.5.1.2) . Regardless of the total number of events, it is an area that may require further investigation. The second problem area identified in this review of operating ex-perience is 'the continuing problems with the salt water cooling system. The event resulting in total loss of salt water cooling flow would have been a more serious event if it had occurred during the early stages of F-74

k residual heat renoval operation. - Also, the continuing problems with the rystem in 1982 indicate a need for close examination of the system. The final area for potential continued f ailures involved inverter failures. A single inverter f ailure has little consequence. How ev e r, ?- with the number of f ailures exhibited at San Onof re Unit No.1 the po-tential for concurrent f ailures is greatly enhanced.

Steam generator and condenser tube leaks continued to plague San Onof re through 1981. Associated with maj or steam generator repairs, dil u-tion of the reactor coolant boron concentration also continued to recur during = 1980. Other problems such as dropped control rods, pre s suriz er relief valves, turbine overspeed and tusunami gate closure occurred only over short periods of time and were solved.

i s 1 I F-75

REFEREN GS

1. ~ Nuclear Regulatory Commission, Instructions for Preparation of Ibta i Entry Sheets for Licensee Event Report (TER) File, NURBG-0161, July 1977. 1
2. Nuclear Regulatory Commission, " Accident Analysis for the Review of Safety- Analysis Reports for Nuclear Power Plants," Chapter 15 of Standard Review Plan, NUREG-0800 (July 1981) .
3. Nuclear Regulatory Commission, Licensed Operating Reactors - Status Stenmary Report, NUREG-0020, Nay 21,1974, issue through Vol. 5, No.

1, (January 1981) .

4. U.S. Atomic Energy Commission, Nuotear Power Plant Operating Experi-ence During 1973, 00E-ES-004 (December 1974) .
5. . Nuclear Regulatory Commission, Nuotear Power Plant Operating Experi-enos 1974-1975, NUREG-0227 (April 1977) .
6. Nuclear Regulatory Commission, Nuotear Power Plant Operating Experi-enos 1978, NUREG-0366 (December 1979) .
7. Nuclear Regulatory Commission, Nuclear Power Plant Operating Experi-ence 1977, NURBG-0483 (February 1979) .
8. _ Nuclear Regulatory Commission, Nuclear Power PZant Operating Experi-
        - ence 1978, NURBG-0618 (December 1979) .
    '9. Nuclear Regulatory Commission, Nuclear Power PZant Operating Experi-ence 1979, NUREG/CR-1496 (ORNL/NUREG/NSIC-180) (May 1981) .
10. ' Nuclear Regulatory Commission, NucIsar Power PZant Operating Experi-ence 1980, NUREG/CR-2378 (ORNL/NURBG/NSIC-191) (October 1982) .
11. Nuclear Regulatory Commission, Radioactive Materials Released from Nuclear Power Plants - Annual Report 1977, NURBG-0521 (January 1979) .
12. Nuclear Regulatory Commission, Radioactive Materlats Released from Nuclear Power Plants - Annual Report 1978, NURBG/CR-1497 (March 1981).
13. Nuclear Regulatory Commission, Reports to Congress on Abnormat Occur-rences, NUREG-0090
14. Letter f rom Robert N. Coe, Southern California Edison Company, to Dr. Peter A. 'Norris, Director, Division of Reactor Licensing, U.S.

Atomic Energy Commission, Nay 9, 1972. F-76 

                                        --                                                           _ - . == . . . . . .

l l l l

15. Letter from Robert N. -Coe, Southern California Edison Company, to-Director, Directorate of Licensing,~ U.S. Atomic Energy Commission, May - 3 0, 197 2. -
16. ' Letter from H. L. Ottoson, Superintendent, Southern California Edison Company, to Mr. H. Engelken, Director, Directorate of p Regulatory Operations,' Region V, SI 73-13, October 22, 1973.

t' 17. Letter f rom Robert N. Coe, Southern California Edison Company, to Nk. John F. O' Leary, Director, Directorate of Licensing Regulation, U.S. Atomic Energy Commission, October 31, 1973.

18. Letter f rom H. L. Ottoson, Manager, Nuclear Generation, Southern California Edison Company, to Director, Of fice of Inspection and En-
                - forcement, Region V, U.S. Nuclear Regulatory Commission, LER 80-002/

01T-0, Jansury 28, 1980.

19. Southern California Edison Company, San Onofre Nuotear Generating.

Station - Operation Report No. 3 - for the Month of June 1 M7, July 15, 1967. .

20. Annuat Operating Report of San Onofre Nuclear Generating Station Unit 1 For 1976, Southern California Edison Company. and San Diego Gas and Electric Company, Februa ry 25, 1977.
21. Southern California Edison Company, San Onofre Nuclear Generating Station - Operation Report No, 3 - For the Month of June 1N7 July 15, 1967.
22. Letter by David J. Fogarty, Southern California Edison Company, to Division of Reactor Licensing, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, SI 75-06, March 31,1975.
23. Letter from Southern California Edison Company, to Albert Schwencer, 4 Chief Operating Reactor-Branch No.1, U.S. Nuclear Regulatory Commis-sion, December 21, 1976.
24. Letter from H. B. Ray, Station Manager, Southern California Edison
               -Company, to R. B. Engelken, Director of Of fice Inspection and En-l                 forcement, U.S. Nuclear Regulatory Commission, LER 81-021/01T-0, Septembe r 14, 1981.

! 25. Letter from H. Ottoson, Southern California Edison, to R. Engelken, Director, Of fice of Inspection and Enforcement, U.S. Nuclear Regulatory Commission, LER 80-06, March 24,1980. i

26. Letter from Carlyle Michelson, Director, Office for Analysis and Evaluation of Operational Data, to Harold R. Denton, Director, Of fice 4

of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, March 4,1982. F-77

4

27. Letter from H. Ottoson, Southern California Edison, to R. Engelken, Di. rector, Of fice of Inspection and Enforcement, U.S. Nuclear Reguia-tory Commission, LER 80-031, August 21, 1980.

1

28. Le tter f rom H. B. Ray, Southern California Edison, to R. Engelke n, l P.egional Administrator, Of fice of Inspection and Enf orcement, U.S.

Nuclear Regulatory Commission, LER 82-015. June 14,1982. l

29. Letter from H. B. Ray, Southern California Edison, to R. Engelken, Essional Administrator, Of fice of Inspection and Enforcement, U.S.
Nuclear Regulatory Commission, LER 82-024, October 26, 1982.
30. Letter from H.-B. Ray, Southern California Edison, to R. Engel ke n, kegional Administrator, Of fice of Inspection and Enforcement, U.S.

Nuclear Regulatory Commission, LER 82-022, September 2,1982.

31. Letter-from Robert N. Coe, Southern California Edison Company, to the Deputy Director for Reactor Proj ects, Directorate for Licensing, U.S.

Atomic Energy Commission, July 6,1973.

32. - Southern California Edison Company, Annual Operating Report pf San Ongfre Nuclear Generating Station Unit 1 for 1976, Station Incident 76-2, February 25, 1977.
  ' 33. Let6er from H. L. Ottoson, Southern California Edison Company, to l           Region V, Of fice of Inspection and Enforcement, U.S. Nuclear Reguia-tory Commission, May 5,1980.
34. Letter from J. G. Haynes, Southern California Edison Company, to R. H. Engelken, Director, Of fice of Inspection and Enforcement, Re-

^ sion V, U.S. Nuclear Regulatory Commission, LER 80-038, December 9, 1980.

35. Letter f rom David J. Fogarty, Southern California Edison Company, to
          'Mr. Angelo Giambusso, Director, Division of Reactor Licensing, Of fice of Nuclear Reactor Regulation, Sept embe r 12, 1975.
36. Letter from H. B. Ray, Southern California Edison Company, to R. H.

Engelken, Of fice of Inspection and Enforcement, Re gion V, U.S. Nu-clear Regulatory Commission, LER 81-029, December 17, 1981.

37. Letter from Robert N. Coe, Southern California Edison Company, to Mr. Peter A. Morris, Director, Division of Reactor Licensing, U.S.

Atomic Energy Commission, May 20, 1968.

38. Southern California Edison Company, San Ongfre Nuclear Generating Station Operation Report For the Month qf Catober 1968, November
1968.

l F-78 

                                -   . - . - . ~ = -      _ - - _ _ - - -     . - - . _ _-

f 1 l 39. Letter from William R. Gould, Southern California Edison Campany, to Mr. John F. O' Leary, Director, Division of Licensing, U.S. Atomic Energy Commission, July 15, 1974. r

40. - Le tter f rom H. L. Ottoson, Southern California Edison Campany to Re-gion V, Of fice of Inspection and Enforcement, U.S. Nuclear Rossatory Commis sion, LER 80-016, May 20,1980.

l 41. San Onofre Nuotear Generating Station Semi-Annuat Operating Report No.16 for the Period Including January 1,1975, to June 30, 1975, i Southern California Edison Campany. 42.' San Onofre Nuclear Generating Station Semi-Annuat Operating Report No.17 for the Period Including July 1,1975 to December 31, 1975. Southern California Edison Company and San Diego Gas and Electric Company. 

<   43. Letter from J. G. Haynes, Manager of Nuclear Operations, Southern California Edison Campany, to R. H. Engelken, Director Of fice of In-i~       spection and Enf orcement, U.S. Nuclear Regulatory Canaission, LER 80-           7 014/03L,-0, July 22, 1980.                                                       l
44. Letter f rom J. T. Head, Jr., Vice President, Southern California' Edison Company, to R. H. Engelken, Director, Of fice of Inspection and t Enforcement, U.S. Nuclear Regulatory Commission LER 77-014/01T/0, Octobe r 14, 1977.
45. Letter f rom H. L. Ottoson, Manager of Nuclear Operations, Southern ,

California Edison Company to R. H. Engelken, Director, Office of Inspection and Eaf orcement, Region V, U.S. Nuclear Regulatory Commis- 

!        sion, LER 80-029/ 01L-0, July 21, 1980.
   '46. Le t t e r f rom J. G. Hay ne s, Manager of Nuclear Operations, Southern         ,

California Edison Campany to R. H. Pagelken, Director, Office of In-spection and Enforcement, Region V, U.S. Nuclear Regulatory Commis-sion LER 80-034/03L-0, September 17, 1980. i '47. Le t ter f rom J. G. Hayne s, Manager of Nuclear Operations, Southern Company, to R. H. Engelken, Director, Of fice of Inspection and In-forcement, Region V, U.S. Nuclear Regulatory Commission, LER 80-036/ l 03L-0, Octobe r 3,1980. I 1 F-79 l

Appendix At San Onofre Unit No. 1 Part 1. Forced shutdown and power Reduction Tables 9 F-81 .

m 1 Table AI.1 199 Forced Shutdowns and Power Reductions for San Onofre 1 DSE(D)/ Date Duration Power Reportable Shetdown System Component ESIC(N) Description Cause (1967) (IIrs) (1) Event thod Involved Involved Event Category 1 7-9 N/A 0 thile performing operator training A 3 Reactor Relays D4.3 start-ups with the reactor. (R3) unexplained rod drops occurred in subgroup 4 of control rod group No.1. Investigation revealed that a timer relay was malfunctioning. 2 7-17 1C80 13 LTR During turbine overspeed testing. A 1 Steam & Turbines N1.1.4 8/67 salt leaks were noted in the Power condenser. Inspection oY turbine (EA) revealed significant blade damage. All of the blades in the four last es stage rows were replaced. s 3 u 3 9-11 192 LTR Cait shutdown due to excessive A 1 Steam & Pumps N3.1 11/20/67 circulating water pump vibration Power Valves and leaking preseurizer spray (HF) valve. Upon investigation, high Reactor circulating water pump pressure and Coolant high pressure differential across the (CB) condenser were also detected. Also the system was pulling in an excessive amount of marine growth following a heat treat of the circulating water system the previous day. 4 10-1 216 LTR Repair of leak on east main steam A 1 Steam & Valves N3.1 10/9/67 line mainte unce block valve bypass Power valve. Also two pressurizer power (HS) relief valves were also repaired. Reactor Coolant (CB)

3 Tahle A1.1 (continued) Power Reportable D3E(D)/ Date Duration -Shotdown System Compcnent 

 ""                          Event               Description               Cause                                             NSIC(N)

(1967) (Hrs) (%) Method Involved Involved Event Category 5 10-10 144 30 Reactor tripped by inadvertent C 3 Instrumenta- Instrumenta- N2.4 signal in the variable low pressure tion & Controls tion & Controls-trip channel. Occurred while (IA) circuitry was being tested with one channel placed in the trip mode for testing. 6 10-19 75 Unit taken off line due to false A 1 Reactor Instrumenta- N2.4 indication of inserted control rod. (RB) tion & Controls 7 11-1 24 90 LTR With one circulating water pump out A 3 Steam & Circuit N1.1.4 7 m 12/11/67 of service, the unit was ====11y tripped due to an inadvertent closure Power Closers / W (HF) Interrupters of the tsuna=f gate. A shorted limit (Switches) switch was found to be the cause of the closure. 8 12-5 85 Reactor trip ad on incorrectly set C 3 Instrtmenta- Instrumenta- N6.1 overpower set point. tion & Controls tion & Controls (IA) 9 12-12 12 LTR Unit was manually tripped when A 2 Reactor Instrumenta- D4.3 1/15/68 five control rods in subgroup 7 (RB) tion & Controls were dropped. Defective electrical ccuponents replaced.

r i y i Table A1.2 1968 Forced Shutdowns and Power Reductions for San Onofre 1 D M D)/ Date' Duration Power Reportable Shutdown System Co :ponent NSIC(N)' (1968) (IIrs) (2) Event Method Involved Involved Event. Category I l-24 72 Unit taken of f line for contairment - A 1 g,,cgor Valves N3.1 inspection after increased radiation Coolant Ins trumenta- 

                                                " level was detected in the sphere.                         g)                             tion & Controls Inspection of the sphere revealed two leaking RTDs on the "A" coolant loop and the packing glands on the pressurizer spray valves leaking.

2 2-7 286 95 LTR Reactor manually tripped af ter A 2 Reactor -Heaters, N1.1.4 ' 2/26/68 fire was observed in sphere electrical Coolant Electric penetrations. Probable cause was (CB) Electrical overloaded power cables for the Conductors pressurizer heaters. (Cable) m 3 3-4 6 Cleaning of the rod control slave C 3 Reactor Control' D4.3- 

  &                                              cycler contacts was in progress and                        (RB)                     ~ Rod s-the subgroup #6 slave cycler had been                                                     Drive replaced with a shutdown cycler so that                                                   Mechanisms the contacts c uld be cleaned. An attempt was made to cycle the rods one step and subgroup #6 was dropped to 160 steps.

The slave cycler was examined and no reason for the failure was found. 4 3-9 43 LTR Unit taken off line when physics data G ~3 Reactor Control D4.3 

                                   .4/68         indicated a bottomed control rod.'                         (RB)                   ' Rod Investigation revealed that the                                                           Drive the polarity of the movable gripper                                                       Mechanisms coil had been reversed during repairs to penetration EPC-4.

                                                                                                                                                   ,              , vy l

a J 

                                                               ' Table A1.2 .(Continued)

Duration . Power h portable DBE(D)/ Date No. SA,tdown -System Component NSIC(N). (1968) (Hrs) (%) . Event Description . Cause Method- Involved .- Involved Event. Category' l 5 3-12 4332 90 LTR Unit manually tripped after a fire A 2 Reactor . Heaters, N1.1.4 j .4/8/68 occurred in a cable tray in the -Coolant Electric-l switchgear area.. Probable cause . Electrical (CB) was overloaded pressurizer heater Conductors. cables. (Cable) 6 9-9 43 While preparing to roll the turbine A 3 Reactor Control D4.3' all five rods in subgroup 7 slipped (RB) Rod from 117 to 40 steps and the reactor Drive tripped immediately. Prtbable cause Mechanisms l was traced to RF relays in rod control ! system racks. 7om 7 9-19 152 LTR 12/68 Unit removed off line to repair,the A 1 Auxiliary Valves N1.1.4 - letdown isolation valve packing, replace Process Instrumenta-three failed reactor coolant system (PC) tion & Controls ! RTDs,' adjust the load rur.back arming Beactor Pumps-l point and perform other minor maintenance. Coolant Also reactor coolant pump "A" was found (CB) rotating backwards as a result of the anti-rotation pawls not properly engaging. These were modified on all three pumps. 8 9-26 87 33 LTR Unit manually tripped when control A 2 ~ Reactor Control D4.3 12/68 rods in subgroup 8 dropped into the (RB) Rod core while a slave cycler failure Drive 

                                                . alarm was being cleaned. (This                                                 Mechanisms occurred when an operator manually

! opened, closed, and reopened the I half-power contactor while attempting ! to clear a slave cycler failure alarm.) The cause of the slave cycler failure 

                                                ' was due to improper operation of the slave cycler clutch, f
                                                                                                 -m

                                                                                                                                                  -l Table A1.2 (Continued)

DBE(D)/ Date Duration Power Reportable Shetd own System- Component 

    ,
  • D scription Cause NSIC(N)

(1968) (Hrs) (%) Event Method Involved Involved Event. Category. 9 12-28 sS4 100 LTR Leakage through the pressurizer relief A 1 Reac tor Valves N3.1 2/69 valve RV-533 was observed on 12-9-68 Coolant by increased temperature in valve (CB) discharge piping. Continued observation mode until a normal shutdown was initiated. M I 03 m I I l 4

Table A1.3 1969 Forced Shutdowns and Power Reductions for San Onof re 1 DBE(D)/' Duration Power Reportable Shutdown System Component NSIC(N) Date Description Cause (Hrs) (Z) Event Method Involved involved Event (1969) Category s160 Continuation of outage of 12-29-68 A -4 Valves N3.1 1-1 Reactor repair of relief valve. Coolant (CB) Unit removed off line after a routine A 1 Steam & Valves' D2.3

1) 1-9 44 LTR test of the stop valves produced a Power 2/69 spurious partial turbine trip alarm. (RA)

Investigation revealed that the tur-bine auto-stop oil supply pressure was low due to a badly scored seat and disc in the auto-stop oil dump valve. Power reduction. Vital bus inverter A 5 Electric Inverters N1.1.4

2) 3-5 0 failure. Power mm (ED)'

E Reactor tripped oue to relay malfunc- A 1 Steam & Relays N1.1.1 CD 3) 3-8 14 75 Power tion in turbine control valve servo-motor. (Replaced the turbine control (RA) valve control oil plungers as the original design permitted the control valve servomotors to oscillate at high frequency.) Unit shutdown to replace pressurizer A 1 Reactor Valves N3.1

4) 3-22 314 100 safety valves and repair components Coolant contributing to reactor coolant sys- (CB) tem leakage.

100-50 Power reduction. Load runback was A 5 Reactor Instrumenta- N2.4

5) 4-7 0 tion &

experienced due to unexplained false (RB) dropped rod signal. The load run- Controls back pressure switch had drifted.

n > T n , , a 

                                                                        .,. Table A1.3 (Continued) '                                                                                         '
                                                                                                                                                                                        .1 Date Duration-- Power Reportable                                                                                                                   DSE(D)/
              *                                                                                                - Shetdown         System             Component,.

(1%9) (Hrs) (2) . Event . NSIC(N) 

                                                                                                                 . Method      Involved              Involved          . Event .-

Category

6) 4-29 6 While hear treating the circulating A .1 vater system a routine stop valve test
                                                                                                                             ~ Steam &            .. Valves             .N1.1.4 l' owe r was performed. The left hand stop valve                                 (BA) failed to reopen and the unit was removed from service. The left hand stop valve auto-stop oil solenoid dump valve had a piece of foreign material in it.                                                                                                                             '
7) 6-20 1193 - Unit shut' down to inspect the turbine- 8 1' Steam & Turbines N1.1.1 '

generator and modify the steam genera- Power Heat Exchangers tor moisture separators. (HA) (HS) (Steam Cenera-tors) 7 8) 8-10 80 Unit shut down to correct leakage of A 1 Reactor g three_ pressuriser relief valves. Coolant Valves ' N3.1

9) 8-14 86 (CB)
                                                       . Reactor tripped when control rods as.-         A           3        Reactor                 Instrumenta--       D4.3 sociated with subgroup 7 dropped into                                 (R8)                   tion &

the core due to an intermittent open - Reactor Controls contact of a BF type relay in the rod Coolant. y,1,,, control logic.. Valve maintenance kept (CB)

the plant shut down for. 86 hours.

l 10) 10-9 165 LTR Unit removed from service due to the .A 1 Steam & Valves . N1.1.4 ' 10/24/69 intake stop gate (tsunami gate) which Power had slipped from its anchor bolts and (HF) dropped into the intake tunnel. , - - -- - . . . .. -. -~. .- -

Table A1.3 (Cont inued) - , 

  "**    Date  Duration ' Power Reportable                                                                             DBE(D)/

(1969) (Hrs) Description Shutdown System Component (%) Event Cause NSIC(N) Nethod Involved Involved Event Category

11) 10-28 60 LTR Unit shutdown to repair the root A 1 Reactor 2/12/70 valves of the pressurizer instru- Valves N1.1.4 ment column. Coolant
12) 11-24 (CB)

Power reduction. Vital bus inverter A 5 Electric failure. Inverters' N1.1.4 Power

13) 12-18 (ED)

Power reduction. Vital bus inverter A 5 Inverters failure. Electric N1.1.4 Power (ED) m I CD

7 Table A1.4 1970 Forced Shutdowns and Power Reductions for San Onofre 1 DBE(D)/ Date Duration Power Reportable Shetdown System Component NSIC(N) 8** Event Description Cause (1910) (Hrs) (Z) Method Involved Involved Event Category 1 5-29 2 0 LTR During startup, the turbine was A 2 Steam & Turbines 31.1.4 7/10/70 manually tripped when it was Power noted that the turbine acceler- (HA) ation was faster than desired. The reactor tripped due to 2 of 4 power channels indicating greater than 10% power. m a O j

G l l I Table A1.5 1971 Forced Shutdowns and Power Reductions for San Onofre 1 DBE(D)/ Date Duration Power Reportable Shetdown . System Cocponent NSIC(N) 

   **                                                    Description               cause (1971)  (Ers)    (%)     Event                                                     Method       Involved     Involved         Event Category-1   3-18      8                         A reactor trip was experienced due to    A      3          Instrumenta-  Instrumenta-    N2.4 a spurious signal from Channel I var-                      tion &'       tion &

lable low pressure trip circuit while Controls Controls l Channel 111 was in a tripped position (IA) for maintenance. yeactor 2 5-1 183 Unit was removed from service to re- 8 1 y,1y , 33,1 pair a pressurizer spray valve flange Coolant Instrumenta-leak, replace five reactor coolant sys. (CB) gion & tem RTDs and to plug reheater tu'e Steam & Controls leaks. Power Pipes. Fittings (HH) 3 6-22 6 LTR Unit was tripped by backup overspeed A 3 Electric Circuit L2.2 protection when a 220 KV line relayed. l y 8/12/71 Power Closers / l 8 (EA) Interrupters 

 $                                                                                                                   (Switch gear) i    4   6-25    28                          Unit removed from service to repair      B       1        Steam &        Pipes,          N3.2 the HP turbine extraction drain piping.                   Puwer          Fittings leak test main condenser tubes, and                        (HA) inspect equipment in the containment sphere.

5 6-27 17 Unit removed from service to repair A 1 Steam & Pipes, N3.2 condenser tube leaks. Power Fittings (IIC) 6 7-9 32 Unit was removed from service to B 1 Eicctric Circuit N1.1.4 allow switchyard construction work. Powr closers / (EB) Interrupters (Switchgear) l 

                            .--                                                                                        - _= -
                                                      ' Table A1.5 (Continued)

DEE(D)/ Date Duration Powe~ Reportable SN.tdown' System . Component NSIC(N) No. Event Description cause (1971) (Ers) (Z) Method Involved Involved Event Category 7 7-12 12- Unit tripped from a generator out-of- A 3 Steam & Heat D2.2 step condition. Pwe r Exchangers (HA) (Steam Cer.erators) 8 7-24 30 Unic removed from service to allow & 1 Electric Circuit N1.1.1 switchyard construction work. Power Closers / (EB) Interrupters (Switchgear) 9 10-27 104 Unit removed from service to repair A 1 Steam & Pipes, N3.2 reheater tube leaks and apply epoxy . Power Fittings q to de condenser tube inlet ends. (HH) I $ 10 11-1 3 Unit manually tripped to obtain addi- A 2 Steam & Power Turbines N7.0 tional data on turbine overspeed char-acteristics. (HA) II 11-3 3 Unit manually tripped to obtain addi- A 2 Steam & Turbines N7.0 tional data on turbine overspeed char- Power teristics. (BA) 12 11-5 3 Unit manually tripped to obtain addi- A 2 Steam & Turbines N7.0 tional data on turbine overspeed char- Power teristics. (RA)

Table A1.6 1972 Forced Shutdowns and Power Reductions for San Onofre 1 Date Duration Power Reportable DEE(D)/ 80' Shetdown System Component NSIC(N): 

          '(1972)  (Hrs)     (Z)     Event                   Description             cause Method        Involved   Involved:        Event Category
1) 2/25 7 Unit removed of f line for balancing A 1 Steam & Turbines N1.1.4 of turbine shaft and mechanical - Power overspeed trip testing. (EA)
2) 3/4 4 Unit removed of f line to conduct A 1 Steam & Turbines ~ N1.1.4 turbine overspeed tests. Power (HA)
3) 3/24 12 Unit removed from seteice to" reset A 1 Steam & Turbines N2.3 the turbine mechanical overspeed Power trip set point. (RA)
4) 4/29 s12 Unit removed from service to perform A 1 Steam & Valves N1.1.1 modifications to the main steam Power
   .g                                           control valves.                                             (HB) e e   5)   4/30     27       12   LTRs         During startup, the reactor tripped     A W                                                                                            3           Steam &   Valves          DI.2 5/9/72       due to a turbine trip on a high                             Power 5/30/72      steam generator level signal. Fall.                         (HH) ure of positioner of main feedwater
                                               - regulating valve.

i

6) 5/18 162 Unit removed from service to B 1 Steam &' Valves N3.2 '

inspect the turbine control valves. Power Heat complete reheater and condenser (HA) (HC) Exchangers repairs. and perform miscellaneous (HH) l maintenance. i

7) 7/19 177 Unit removed fro a service to repair A 1 Steam & Heat 'N3.1 a tube leak in stea:r. generator C. Power Exchangers (On 7/8 a slight increase in radio- (H8)- (Steam active concentration, channel 1216;
                                                                       '                                              Cenerators) was noted.) Analysis indicated leak was on "C" steam generator.

Sampling began with leak rates calculated through 7/18 when leakage was approximately 100 gal /d. 'S 

                                                                                      #                                           g-A
 ,                                                                   m                                e

m , 4  % . 4 Table A1.'6-(Continued) 

 .,                                                                                                                                                          ..DEE(D)/

Sh tdown. System. Component NSIC(N)' - i Date Duration- Power. Reportable Description  ; Cause ' 

                                                                                                                                         ' Involved.            Event i
      ##*                                 Event                                                             -Method       . Involved (1972)   (Hrs)     ?(Z)                                                                                                                           Category .

,s 

                                                                                                  . A'                      Steam &         Generators.         D2.2 33         0            ~ During'startup, the main exciter                           .3 l       8)     7/27                                motor failed mechanically when                                            Power,        - and Motors being started. The problem was                                           '(HA)
                                  " g             determined to be rubbing between the rotor and stator.
                                      ^

Steam & Generators D2.2

9) 7/29 3 '100 LTR Unit tripped from loss of main A 3 generator field. Power 8/28/72 e (HA);

( Instrtamenta- . N1.1.4 During a " Control Rod Exercise Test" A 2 Reactor.

10) 9/20 4 62 tion &

an automatic load limit runback was s -. (RB) inirf ated from " Nuclear Dropped Rod" Controls circuitry. The reactor was manually f tripped and the control rod cir-cuitry inspected. Contactors and y relays cleaned but no abnormal e conditions were found. e 

                                                 ' The reactor was manually tripped                  A          2            Steam &'       Passps              N1.1.4 9/20      65             LTR 1Q                               9/29/72    after a high temperature alarm was.                                       Power                                                    l received on the east main feed                                            (HH)                                                    ,

ptsap inboard motor bearing. Exces-sive thrust bearing clearance was , I found in the pump. Steam & Heat N3.1 10/13 155 on 9/12/72, analysis determined A 1 Exchangers

12) Power that the "A" steam generator was experiencing primary to secondary (HB)- (Steam side. leakage. Sampling began and Generators) continued until 10/13 when leakage was over 100 gal /d. Thus unit removed from service to repair "A" steam generator tube leakage.
5. Reactor Instrtsnenta- N6.3
13) 12/9 0- 100-60 Power reduction..'A transfer of No. 3 .C '
                                                                                                                                           -tion &

vital bus from the No. 3 inverter to (RB) Electric Controls its emergency power source caused a . - momentary power loss to NIS channel Power.. Electrical 1207 initiating a " Nuclear Dropped (ED) Conductors Rod" indication. -(BUS) m, W m

1 , 

         ,                                           ;c                                                                                                                                       '
                                                                                                                                                                                                                  -l Table A1.7 1973 Forced Shutdowns and Power Reductions for San Onofre 1,                                                                 _
                                                                                                                                                                                                             ;1 4                                                                                                                                                                                        'DBE(D)/.               .

Date/ Duration .Powerf Reportable System . -Component SSIC(N) No* DMM i h - . Shetdown . (1973) (Hrs) (t)- Event Method Involved - Involved Event' ! Category -

1) 1/6 108 100' LTR The unit was removed from service A 1' Steam & Heat N3.1 2/15/73 for locating and repairing "A" Power. ' Exchangers '  ;,

steam generator tube leaks. (On _(RB) ., (Steam . , 11/2/72, analysis indicated a leak - 

                                                                                                                                                                      . Generators)       3, existed between steam generator..

primary and secondary systems.) ~ > Sampling began and ' continued until leak rate was approximately 100 gal /d. -

2) 1/10 1 0 ' During startup the reactor tripped - As 3
  • Electric Electrical' 36.3 when No. 4 vital bus was* transferred Power Conductors-
from the backup power supply to the .(ED) (BUS)- , '*

4 

                                                                         . normal pcwer supply. It is believed                                                         Circuit
that the control power switch to No. 4 Closers /

l y voltage regulator was inadvertently Interrupters' i 4 > opened by being bumped. (Switches) w

3) 2/20 0 T-f Power reduction. While unit load was A 5 . Reactor- Control. N1.1 being reduced for a condenser tube (RB) Rod Drive cleaning outage, observation of the Mechanisms' rod position recorder indicated that a control rod had gone from 200 to 145 steps on the recorder. _

Power reduction. -Initiated when 5 ~^"

4) 8/17 0 100-75 A - Electric Generators 'N1.1 failure of an inverter caused a load Power .(Inverters)~

transfer. (Voltage transient) (ED)

5) 10/21 1974 100 LTR Unit was being removed from service A 3 , Steam &. Turbines D1.2.

10/22/73 to investigate' turbine problems, indi- Power Heat 10/31/73 . cated by bearing vibration and salt (HA) (HC) Exchangers water leakage when a safety injection Engineered .(Condensers) actuation and reactor trip was Safety Instrtsmenta-experienced. l Investigation revealed - Features tion & turbine blade failure. (ST-C) Controls 

                     ~~
                                                                                                                                                                 .7 Table A1.8 1974 Forced Shutdowns and Power Reductions for San Onofre 1 DLE(D)/

Date Duration Powet 5.eportable Shutdown System Component NSIC(N) No. Descript, ion Cause (1974) (Hrs) (2) Event Method Involved involved Evenc Category 1/1 516 Continuation of the October 21, A 4 Steam & Turbine D1.2 

                                            ' 1973 outage.                                                Power                Heat (HA) (HC)            Exchangers (Condensers)
1) 4/27 547 100 Repair of steam generator and 8 1 Steam & Heat N 3.1 reheater tube leaks and repair of Power Exchangers leaking pressurizer safety valve. (HB) (Steam Prior to shutdown there were indi- Generators) cations of a partial loss of fan capacity in generator hydrogen gas blower.
  • t1 e
2) 6/11 0 100-40 Power reduction. . Automatic load A 5 Instrumenta- Instrumenta- N2.4 jf limit runback initiated by a tion & tion ~&

momentary spike of a nuclear power Controls Controls channel. (IA)

3) 6/14 0 100-40 Power reduction. Automatic load A 5 Instrumenta- Generators N1.1.4 limit runback initiated when an tion & (Inverters) inverter which supplies power to Controls nuclear power range channel 1208 (IA) failed and its load was transferred to the backup source.
4) 7/7 55 100 LTR Trip from indiccted overpower condi- A 3 Reactor Control N3.1 7/15/74 tion caused by water intrusion into (RB) Rod Drive detectors of two power range Instrumenta- Mechanisms channels due to. gasket failure on tion & Instrumenta-cooler of rod drive cooling fan. Controls tion &

(IA) Controls 

                 ., -        . .    . - - . . -            , ~ - . , - .         ..   ,w.     . . ~ . ~ ~ --. >                 w -                  +     .
                                  %                                                                                                                t
                         .                                                                                                                                                      3     <

x 

                                                ,4                                                                                               r                                        -#

N , 4 Table'A1.8.(Continued). Date- Duration 'Powe: 'Reportabis.: DBE(D)/ 

  '"**                                                                 . Description                    Cause
                                                                                                                ' Shutdown           -System .         . Component.      . ESIC(N):

(1974) (Hrs) (%) Event. Method. Involved Involved 

                                                                                                                                                                           ' Event' Category
5) 7/9' 0' 70-35 Power reduction.. While increasing' A. 5 . Steam & Valves . N1.1.4 J load there appeared to be a flow. Power' restriction in the feedwater line '(HH) to steam generator "C". Upon.

investigation.:the flapper'of the associated check valve was:found detached from.the are and-lying in the. check valve body thus causing

y. a flow restriction.

s e " 6)' 8/20 5 100 LTR . Spurious trip on indica'ted pres- 'A '3- Reactor Instrumenta-' N2.4 8/20/74 surizer high level while testing Coolant, tion & level channels. (Cs) Controls

7) 10/21 7 0. While returning to full load, unit ~ 'A 2 Reactor Control. D4.3
                                                   . was manually tripped.because of                                                  (RB)               Rod Drive dropped rods (control bank 2' Mechanisms slipped into core).'No cause found.

W m

a Table A1.9 1975 Forced Shutdowns and Power Reductions for San Onof re 1 DEE(D)/ Shutdown System Component NSIC(N) 

      .Date  Duration Power Reportable                                        Cause No.                                                Description                         Method        Involved  Involved          Event (1975)  (Hrs)     (Z)   Event Category 4     100              While testing a pressurizer level      A           3                    Cenerators        N1.1.4
1) 2/19 Reactor channel, a second level channel (Inverters) spiked due to a failure in the (CB)

No. 2 inverter. Trip from pres-surizer high level. While transferring the No. 4 vital A 3 Electric Electrical N6.3

2) 4/22 2 Power - Conductors-bus back to its normal power supply the reactor tripped. (ED) (BUS)

Reactor manually tripped from H 2 Steam & Pipes. N9.2

3) 5/21 10 100

,, restricted circulating water Power Fittings g flow caused by seaweed fouling (HF) gj intake structure. Shutdown to repair pressurizer B 1. Steam & Heat N3.1

4) 6/11 -127 safety valves. Also plugged Power Exchangers leaking steam generator tube. (RB) (Steam Reactor Generators)

Coolant Valves (CB)

r Table A1.10 '1976 Porced Shutdowns and Power Reductions for San Onof ra 1 DEE(D)/ Date Duration Power Reportable Shutdown System Component FSIC(N) E** escr ption Cause (1976) (Hrs) (%) Event Method Involved Involved Event Category

1) 1/8 0 100-50 Power reduction. Plug 3 leaking B 5 Steam & Heat N3.2 tubes in north half of "A" con- Power Exchangers denser. Also heat treat cir- (HC) (Condensers) culating water tunnels.
2) 1/21 7 Loss of off-site power due to fire H 3 Electric Electrical N9.0 burning in San Clemente area. Powe r Conductors (EA)
3) 1/22 0 100-60 Power reduction. Load reduced as H 5 Electric Electrical N9.0 a precautionary measure when Power Conductors
 ]1                                         brush fires reached vicinity of                                 (EA) wo                                         220 kv transmission lines.

v

4) 1/26 0 100-10 Power reduction. Leaking condenser B 5 Steam & Heat N3.2 tube in north half of "A" condenser Power Exchangers resulted in an increased turbine (HC) (Condensers) exhaust backpressure.
5) 1/29 0 100-50 Power reduction. Plug leaking B 5 Steam & Heat N3.2 condenser tube in north half of Power Exchangers "A" condenser. (HC) (Condensers) j
6) 2/6 0 100-50 Power reduction. Condenser tube B 5 Steam & Heat N3.2 leakage corrected Power Exchangers (HC) (Condensers)
7) 2/9 4 100 Spurious spike in pressurizer A 3 Reactor Inst r umenta- N2.4 level caused by inverter problem Coolant tion &

while second channel was in test * (CB) Controls

8) 3/19 0 100-25 Power reduction. Replace internals A 5 Steam & Valves N1.1.4 in "C" steam generator feedwater Power line check valves. (HH)

Table A1.10 (Continued) DBE(D)/ Date Duration Power Reportable Shetdown System Component NSIC(N) Event D s ription 'Cause Involved (1976) (Hrs) (2) Method Involved Event 

                                                                                                                              . Cate gory
9) 3/23 0 100-50 Power reduction. Investigate A 5 Steam &> Heat N3.2 condenser salt water in-leakage. Powe r - Exchangers (HC) (Condensers)
10) 3/29 0 100-50
                                                 ~
                                          ' Power reduction. Investigate              A      5      Steam &    Heat              N3.2.

condenser salt water in-leakage. Power Exchangers (HC) .(Condensers) 11)- 4/17 9 33 During startup, spurious turbine A 3 Steam & Turbines D2.3 trip resulted in a reactor trip. Power (HA) 4/17 7 33 During starrup toward full power. A 3 Steam & Turbines D2.3 no 12) j, spurious turbine trip resulted in a reactor trip. Power (HA) c) o Turbine trip due to incorrect G 3 Steam & . Instrumenta- D2.3

13) 4/18 20 15 setting of an overspeed trip device. Power tion &

(HA) Controls 14a 4/19 6 75 Load was being reduced for prepara- B 3 Steam & Valves N1.1.4 tion of overspeed testing when a Power faulty thermocouple indicated (HB) thrust bearing temperature on east feedwater pump was increasing. Unit removed for.overspeed tests and repairs to "B" steam generator feed-water line check valve. 8 100 LER While unit at reduced load for heat A 3 Instrumenta- N1.1.4

15) 6/28 76-004 treating the circulating water ""**",[
                                                                                                      ,,g,     tion &

system, the."C" loop reactor Controla- 

                                                                                                  '(CB) coolant flow transmitter failed resulting in trip from reactor coolant full load low flow indication.

0 100-75 Power: reduction. Plug leaking B 5 Steam & Heat N3.2

16) 7/2 Exchangers condenser tube. Power (HC) (Condensers)

Table A1.10 (Continued)' DBE(D)/- Date Duration Power Reportable Shetd own System Component- NSIC(N) No* Description Cause (1976) (Hrs) (%) Event. Method Involved . Involved Event Category if) 7/14 16 100 Repair a control oil leak on the A 1 Steam & Valves N1.1.4 No. 2 turbine control valve. Power (RA)

18) 7/30 101 100 LER Repair leaking steam generator A 1 Steam & ' Heat N3.1 76-006 tubes on "C" steam generator. Power Exchangers (HB) (Steam
                                                                                                             . Generators)
19) 8/7 0 100-60 Power reduction. Relay coil failed A 5 Reactor Relays N 1.1. 4 nq which resulted in an erroneous (RB) e indication of a dropped control rod.

r* $3 20) 7 9/25 0 76-70 Power reduction. Failures of No. 2 A 5 Electric Generators. N1.1.4 

                                           . and No. 3 inverters supplying vital                   Power       (Inverters) power buses resulted in an erroneous                   (ED) indication of a dropped control rod.
21) 9/26 0 76-70 Power reduction. No. 3 inverter A 5 Electric Generators N1.1.4 failed resulting in an erroneous Power (Inverters) '

indication of dropped control rod. (ED) 

                                           . Table A1.11 1977 Forced Shutdowns and Power Reductions for San'Onofre 1 DBE(D)/:

Date' Duration ' Power- Reportable Shetdown System Component NSIC(N) g* D m ript h Cm (1977) (Hrs) (Z) Event Method . Involved- Involved Event Category I) 4/14 26 .90 Received two erroneous rod A 1 Reactor Instrumenta- "D4.3 bottom lights. ' Manually (RB) tion &- tripped the unit. Controls

2) 4/21 27 100 Failure of both reactor cavity A 1 Engineered Blowers - N1.1.4 cooling fans. Manually tripped Safety (Fans) the unit. Features (SB)
    ' 3)       5/18     14       100                    Failed gripper coil on control'    A         2-           Reactor l        Control           D4.3 rod group-- dropped four rods.                            (RB)             Rod Drive 7                                                      Manually tripped the reactor.                                              Mechanisms o    4)       6/9'     10       100                    Failed' moveable gripper coil      A         2            Reactor          Control           D4.3 N                                                      on shutdown rod group - dropped                           (RB)             Rod Drive four, rods. Manually tripped                                               Mechanisms the reactor.
5) 6/10 4 90 Inadvertent trip during routine C 3 Instrumenta- Instrumenta . 'N6.1 weekly testing of power range tion & tion &

NIS instrtmentation. An overtrip Controls Controls channel had been reset prior to (IA) testing another channel.

6) 7/1 0 7-50 Power' reduction. Plug leaking. B 5 Steam & ' Heat N3.2 tube in south half of "B" Power Exchangers condenser. (HC) (Condensers)
7) 7/2 0  ?-50 Power reduction. Plug additional- B 5 Steam & Heat' N3.2 tube in mouth half of "B" con- Power Exchangers denser. (HC) (Condensers)
8) 8/17 0 100-60 Power reduction. Repair a ground A 5 Steam & Motors N1.1.4 in circulating water pump motor. Power leads. (HF)
9) 9/9 646 95 LER Reactor coolant pump inspection, B 1. Reactor Pumps N3.1 77-013 S/C inspection, S/C plugging.

Coolant . Heat (CB) Exchangers Steam & (Steam Power- Generators) (HB) 

        . . . . . , _ . . . ,      _         .m       .      . -            m   . .        ,           . . . .               _ . . .               . . . . ,

L 4 

                                                                                                                                                                                     ?~
                                                                                                                                                                                                  ;4 ' . .*
                                                                                                                                                                   .{.
                                                                                                                                          !     J 4

a. 

                                                                                     ' Table A1.11 (Continued),-
                                                                                                                                                                                      -DBE(D)/

D.a te Duration Power . Reportable ~ Shetdown System ' Component., 'NS!C(N) N*' Event Description Cause ' (1977) (Hrs) (Z) Method Involved- Involved . Event - Category -

10) 10/6 2, 0: Reactor trip breaker undervoltage 'A 3. Electric ' Relays- N1.1.41
.                                                                  -relay stuck in de-energized.                                        i Power position.                                                                 (ED) 11).      10/6           4        0                Reactor trip breaker undervoltage               A      3          >
                                                                                                                                            - Electric                Relays             N1.1.4 -

relay stuck in de-energized- Power position. . (ED) 

    'ct
-12) 11/19 25 100 . Repair SIS recirculation valve. B 1' . Engineered Valves. N1.1.4 5

a y La Safety 

                                                                                                                                            - Features (SF-C) -

, 13) 12/29 3 95 Repair steam leak on turbine drain B 9 Steam & . Pipes. N3.2

line. Turbine generator off-line. Power Fittings-

, Reactor remained critical. (HA) 4 i i l-i t 

                                     -                                              w--        -                                                  ?r ,

                                                                                                                                                          =                                                                                   _

g- , 

                                                                                                                                        -                 t'                                _
                                                                                                                                                                                                      <     s                                                         ,         ,       ,

e ' - 

                                                                                                                                                                                   -                                                        - - - - - - -- -                    - - -                       -

j -- --- Y  % 

                                                                                                                                                                                                    ,     -m
                                                                                                                                                                                                        --4.
                                           -                                                                                                u                                                         -

Lble A1.13 1979 Forced Shutdowns and Power Reductions f'or San Onofre l' DBE(D)/. 

                      .Date   Duration Power      Reportable-                                                          Shetdown           System'             ~ Cocponaut               -ESIC(N)
             "**                (Hrs)      (2}      Event                          Description               . Cause '

Method- . Involved Involved Event-(1979). Categorf

1) 2/23 0 100-70 Power reduction. Plug leaking 'AJ 5 ' Steam & , Heat. N3.2 condenser tubes. Power Exchangers (HC) (Condensers)
2) ~4/5 82 100 LER Repair,a major condensar tube leak A 1 Steam & Heat. N3.2 .

79-002 .and the feedwater flow straighteners. Power Exchaagers: . (HC).:(HH). (Condensers) Pipes. Fittin gs y 3) 4/22 0 100-33 Power reduction. Repair of a steam 

                                                               . leak in turbine steam extraction B         5             Steam &

Power. Turbines Pipes. N3.2- 

          >4 line.                                                                 (HA)                    Fittings Q
4) 5/14 4 ~ 100' Unit trip from 2 out of 3 variable B, 3 Instreenta- Instr menta-- N6.3 low pressure trip' channels while tion & tion &

performing Delta T and TAVE tests. Controls Controls (IA)

5) 6/1 394 95 LERs Steam generator tube leak - tubes B 1 Steam &' Heat- N3.1 79-008 plugged. Power Exchangers 79-010 (HB) (Steam
                                                                                                                                                               - Gene rators) .
6) 8/29 10 95 Replace low voltage power supply A 1 Instrumenta- Relays N1.1.4 on #2 sequencer. tion &

Controls (IB)

7) 8/30 0 100-50 Power, reduction. Condenser tube B 5 . Steam & Heat N3.2 leak. Power Exchangers (HC)- (Condensers).
8) 9/7 0 100-60 Power reduction. Condcaser tube B 5- Steam & Heat N3.2 leak. Power Exchangers -
                                                                                                                                        . (HC)-                  (Condensers).
                                                ,                                  _    s                                                                          _ _ _ _ _ _ _m_.-

a Table A1.13 (Continued) DBE(D)/ Date Duration Power Reportable Shutd own System Component (Hrs) Event Description Cause NSIC(N) (1979) (%) Met hod Involved Involved Event Cate gory

9) 9/14 234 100 LER Repair refueling water pump suction A 1 Engineered Pipes. N1.1.4 79-016 piping and replace pipe section on Safety Fittings 79-013 safety injection line. Features (SF-C)
10) 10/23 0 100-25 Powen reduction. Decreasing con- G 5 Steam & Heat N1.1.4 denser vacuum from an open inter- Power Exchangers connection between condenser and (HC) (Condensers) mg the hotwell.

I >d 11) 11/7 133 100 LER Loss of 480V Bus No. 1. A 2 Electric Electrical N1.1.4 $3 79-017 Power Condustors (EB) (BUS)

12) 11/29 0 100-65 Power reduction. Condenser tube B 5 Steam & Heat N3.2 leak. Power Exchangers (HC) (Condensers)
13) 11/30 0 100-80 Power reduction. Condenser tube B 5 Steam & Heat N3.2 leak. Power Exchangers (HC) (Condensers)
14) 11/30 0 100-80 Power reduction. Condenser tube B 5 Steam & Heat N3.2 leak. Power Exchangers (HC) (Condensers)
15) 12/12 0 100-60 Power reduction. Locate condenser B 5 Steam & Heat N 3. 2 tube leakage. Power Exchangers (HC) (Condensers)
16) 12/16 0 100-80 Power reduction. Repair south A 5 Steam & Pumps N1.1.4 circulating water pump. Power (HF)
                                           ~

r; Table A1.14 1980 Forced Shutdowns and Power Reductions for San Onofre 1 DBE(D)/ Date Duration Power Reportable Shetdown System Component NSIC(N) No. Event Description Cause (1980) (Hrs) (%) Method Involved. Involved Event Category

1) 1/16 38 100 LER Unit tripped from steam flow / feed- H 3 Steam & Relays D2.7 80-002 water flow mismatch trip caused Power by construction worker who acci- (HH)
                                             *dently struck the closing circuit control relay to the east feedwater pump normal discharge valve.
2) 1/26 372 100 Unit off line for TM1 modification. D 1 NA NA 38.0 N 3) 2/11 0 7-60 Power reduction. Turbine low A 5 Steam & Turbines N1.1. 4 h

O governor oil pressure. Power (HA) oo

4) 2/12 8 60 Unit off line to repair the turbine A 1 . Steam & Turbines N1.1.4 governor control oil pressure Power system. (HA)
5) 2/17 0 100-66 Power reduction. Repair salt leak B 5 Steam & Heat N3.2 in the condenser. Power Exchangers (HC) (Condensers)
6) 3/6 11 100 LER Unit manually off line to replace A 1 Reactor Valves N1.1.4 80-011 pressurizer relief tank rupture Coolant diaphragm. (CB)
7) 7/12 4152 O LER Steam generator tube repair. Con- B 4 Steam & Heat N1.1.4 80-014 ' tinuation of refueling outage af ter Power Exchangers refueling complete. (HB) (Stems Cenerators)
                                                                                                                                         ~

      -          .-        .   ~.       ,-.                     . ,-                .
                                                                                          ~.      . . . . .a      . ..     .     ,    ..-             ,     ,  -1       --

4 I . T' \- ll " Table A1.15 1981 Forced Shutdowho and Power Reductions'for San Onofre 1 

                                                                                                   ~

[ '. l DBE(D)/ Date- Duration . Power. Reportable ' Shutdown System ' Component. 

                    - "**-                                                               . Description               Cause                                                        NSIC(N)'

(1981) (Hrs) (1) - Event htW . Invo W Involved Event Category - , I t I 

                             '1/1             4023        0    .LER         '. Continuation of the 7/12/80 outage       8       4           : Steam & '             Heat          'N1.1.4
                                                                ~80-014       for steam generator tube repair.                                Power                 Exchanger (HB)                 (Steam Generator)"
1) 6/18^ 7 18 Steam-feed flow mismatch caused a ;A 3 e Steam & : .Instrumenta- D2.7 reactor trip. Power tion &
                                                                                                                                            ~(HB)                   Controls
2) 6/19 19 6 The turbine was taken off line 8- 1 Turbine Turbine N1.1.4.

for testing. Generators and Controls 

                                                                                                                                            '(HA)
3) 6/21 16 25 The unit was shut down when the A 2 .ESF Instrumenta- N1.1.4 .
                                                                              #2 safeguard loads sequencer                                    Instrument            tion &

7 failed to test properly. . (18) ' . Controls 

                .8     4)     6/29             '17       85                   Leak in "A" steam generator feed .        A       1             Condensate -          Instrumenta- N1.1.4 water flow sensing line.                                        & Feedwater           tion &

(HH) Controls

5) 7/2 59 85 _ Reactor tripped due to false A 3 Reactor Relays N2.1 indication of high startup Trip rate. Relay in intermediate System range power monitor replaced. (IA) ,
6) 7/11 38 85 ' Leaking equalizing valve on the . A 3 Reactor Valves N2.1 sensing line to a reactor coolant Vessel and loop low flow transmitter caused Appurterances scram. Valve and transmitter (CB)
                                                                            .were replaced, s

i e 

    -   ____m--

r Table A1.15 1981 Forced Shut-downs and Power Reductions for San'Onofre 1 DBE(D)/ Duration Power Reportable Shutdown System Component NSIC(N) Date DescriPtion Cau.se N0* (1) . Event Method Involved Involved Event (1981) (Hrs) Category 740 90 LER Tire occurred due to lube oil leak A 1 Emergency -Engines. N1.1.4

7) 7/17 81-017 in the #1 diesel generator. Generator and Controls (EE)

Power reduction to repair salt A 5 Main Heat N1.1.4

8) 8/20 0 90-60 vater leak in condenser. Condenser Exchangers (HC) (Condenser) 0 90-52 Power reduction due to low B 5 Main- Heat N1.1.4
9) 8/22 Exchangers vacuum caused by vacuum pump Condenser seal water problem. (HC) (Condenser)

A Condensate Pipes. N1.1.4 p 10) 8/26 11 90 Manual shutdown to repair feedwater flow sensing line 1 

                                                                                                             & Feedwater   Fittings m

y leak. (HH) LER Voltage regulator failure required A 2 Emergency Valves D1.2

11) 9/3 1466 87 81-20 manual scram. Safety injection Core LER actuation occurred and two valves Cooling 81-21 failed to open with design differ- (SFC) ential pressure. Values were Electric redesigned and replaced. Power (ED)

Power reduction to 372 Mw caused A 5 Steam & 57.0

12) 12/24 0 90-85 Power by inadequate vacuum resulting from insufficient steam to the (HH) air ejectors.

Appendix A: San Onofre Unit No. 1 Part 2. Reportable Event Coding Sheets 1 1 F-112 1 - ._ j 

                                    -                 .. ,      m             .             .- .           -

Jr T;1blo'A2. I Coding Sheet for ' R portabl3 Event 3 Ct SM Cdsfra l '-'1966. s 

                                                                                                                                               ^

ESIC . ACCESSION EVENT REPORT PL ANT CORPONENT ABNORMAL SIGNIFICA NCE seRBER -56882R DAT E ; _ D AT E STATUS SYSTEN EQUIPMENT INSTRGRENT STATOS CONDITION CAUSE CATEGORY C055ENTI-66-01 18057 000066 040066 A- CB II . 'A AS G C7' Steam generator was' dropped'during construction. C

Table 12. 2 Coding Sheet for Reportable Events at San Onofre .1 -1967 NSIC ACCESSION EVENT BEPORT PLANT . COMPONENT ABNORMAL SIGNI FICENCE NUMBER NUMBER DAT E D AT E STATUS SYSTER EQUIPMENT INSTRUBENT STATUS CONDITION CAUSE CATEGORY COMMENT 67-01 23143 051967 012668 A RB J GG AG. C' N A control rod drive mechanisa jassed due to a broken latch pin. 67-02 31250 051867 061567 1 S1 C AY G N Containment integrity was broken by opening both airlock doors. 67-03 31250 050067 061567 A HB II C AY H N Borated water was admitted to turbine side of steam generator anting testing. . 6 7 - 04 060267 071567 A SFB DD C ED E S1,S2 Both safety injection recirc pumps removed for repair after failing segger testing. 

           ]{

s 67-05 3 251 062867 071567 B 51 BB .I B BS,OD H E Radwaste tank overflowed due to operator 

           $*                                                                                                                                                 inattention.

67-06 070967 080067 B RB J P B EF D- N Timer relay salfunction 

                                                                                                                                                             -caused control rod drops.

67-07 63382 071767 080067 B H& HN C AD C N Turbine blade damage during turbine overspeed test caused salt water leakage. 67-08 070067 080067 D CB DD C ED D N Low segger readings on RCP's caused by wet nitrogen. 67-09 31253 091167 100967 B CA CC,00 B 10 D E Leaking pressuriser safety valve. 67-10 31254 100067 112067 B HF DD B HC,RD D N Excessive vibration of main circulating pumps 

                                                                                                                                                             . due to mussels in sea water intake lines.

s T:bl9 A2. 2 (cstt itued) NSIC ACCESSION EVE NT REPORT PL ANT COMPO4ENT ABNORMAL SIGNIFICANCE NUMBER NUMBER Dar E DATE . STATUS SYSTEM EQUIPRENT INSTRUMENT ' STATUS CONDITION CAUSE CATEGOR Y COMMENT 67-Il 31254 100067 112067 B RB J K B EG 'D C7 ~ False indication of control rod in core. 67-12 31254 100067 112067 B A1 Z B- AE B- N '. Reactor head ventilation ' - duct collapsed.- 67-13 31255 110167 121167 B HF 00 K 'B. ED D C7 ' Closure of tsunaal gate because of shorted limit switch caused a scram. 67-14 31255 110067 128167 B 51 BB B BS,OD H N Radioactive spills near coolant drain tank. 67-15 38256 123267 011568 8 RB J B AS E C7- Five control rods dropped. 67-16 31256 120067 011568 B RB J K B EF D C7 Control rod indicators 

   ,,                                                                                                                     were erratic.

8 F* 67-17 31256 120067 011568 B CB II - B BB B N Steam generator "B" had a C high delta T.

T bl9 A2. 3 C2 ding Sheet for Brportabl3 Ev33t3 Ct Saa Ostfra 1 - 1968 a NSIC ACCESSION EVENT REPORT PL ANT COMPONENT ABNORMAL SIGNI FIC A NCE NUMBER DAT E DATE STATUS SYSTER EQUIPMENT INSTRUMENT STATUS CONDITION CAUSE CATEGORY- COMBENT-NUMBER 68-05 012068 020868 B HF U B HB 3 N Condenser ' flow blocked by debris. 68-02 31257 010068 020868 8 RB J K B EE D N CR indicator light lit due. to open circui t. 020768 022668 EB G B BY B,E S2,S3 Fire in cable tray. 68-03 23360 B 6 8-04 020968 030068 B HF P B AG D C7 Intake stop gate accumulator reservoir tank ruptured. 030468 040068 BB J C AL D C7 Control rod subgroup 68-05 B slipped into reactor. 68-06 31259 030968 040068 B RB J B BD G N Bisvired control rod drive. 031268 040868 EB G B BY E S2,S3 Fire in cable tray. Five 68-07 24817 B sonth shutdown. 

 ?r 68-08               080068 090068    D      SFB      00         E          C       AZ         D        N         Faulty flow comparator f ailed to close IPCI g[                                                                                                                  valve.

C AS D C7 Two control rods dropped 68-09 090768 100068 D RB J into core during tests. B D N Five control rods slipped 68-10 42736 090968 120068 B RB J P AQ causing scran. 092268 120068 CB DD B CA D N During shutdown coolant i 68-11 42736 D pump rotated backwards. B AS D C7 Control rod group dropped 68-12 42736 092668 120068 B RB J due to clutch failure. 100168 110068 BB J B AS D C7 CR subgroup 8 dropped. 68-13 B 101468 112568 PC 3 B HC B S1,52 No flow in boron transfer 6 8-14 29676 B pumps due to boron crystallization.

T0013 12. 4 Coding Sheet f or Rs p or tchla Eien ta ct Sl 50 COf f ra 1 - 1969 NSIC ACCESSION EVENT REPOAT PLANT COMPONENT ABNORM AL SIGNIFICANCE NUMBER NUMB ER DAT E D AT E STATUS SYSTEM EQUIPMENT INSTRUMENT , STATUS CONDITION CAUSE CATEGORY COMMENT 69-01 34905 010769 020069 D CA 00,CC A AU D N Leaking pressurizer spray valve. 69-02 34905 010969 020069 D HA 55 B AU D N Oil leak in turbine auto stop valve. 69-03 030569 040069 B RF P B AL D N Traveling screen shear pin 

                                                                                                                                                               . failure.

6 9-04 030569 040069 B ED S B EE D C7 Inverter failure on No. I vital bus.- 69-05 38753 000069 070 369 B RB J K B EG D N, Excessive turbine load runback due to spurious signal from CR position Indicator. 69-06 38751 000069 072269 B SD 00 C AI G N Leak in two containment isolation valves. m j, p. 69-07 38750 000069 072269 B SFB C C EG D N Partial f ailure of flou 

                         '4 comparator of safety injection systes.

69-08 39060 071569 102769 B PC DD B BY B 59 Boric acid pump plugged due to crystallization of boric acid. 69-09 081369 090069 B IA U B EF D N RTD failure caused unit trip. 69-10 081369 090069 B HH 00 B AT D N FW control valve f ailed open due to air line failure. 69-Il 081469 090069 B RB J P B EF D W Control rod dropped due to intermittent relay. operation. A069-06 100369 110069 B BB && N B- EG D N Stack gas monitor power supply failed. 1069-07 100669 110069 B AA E,HM B HB D N Control rod shroud cooling fan belt failure. I

I Table 42, 4 (continuedt . NSIC A CCESSION EVENT REPORT PL ANT COMPONENT ABNOEM AL SIGNI FICA NCE NUMB ER NUMBER D AT E D AT E STATUS SYSTEM EQUIPRENT INSTRUMENT STATUS CONDITION CAUSE CATEGORY COMMENT 1069-08 39059 100969 102469 8- HF '00 B 'AD B C7 Tsunami gate broke from attachment plate. A069-09 101469 110069 B SFB QQ C EE D N Saf ety injection recirc valve motor winding failed. 1069-10 102269 110069 B BB K B EF D C7 Grounded LTDT caused 

                                                                                                                 . erratic CR position indication.

1069-11 102769 110069 B ZZ OF Z N An earthquake was felt at San onofre.- 1069-12 102769 110069 B PC 00 B AG D N Vapor seal head tank fill valve failed open. A069-13 42745 102869 021270 B CA 00 B AU C N Leaking root valves of pressurizer instrument 78 column. 

 >a
 $$ A069-14             102969 110069       B     HH        QQ                    B       AD      D       N       Feedvater pump discharge valve motor operator fell off.

1069-15 112069 120069 B ED 'S B EE D C7 No. 3 inverter failed due to blown fase. 1069-16 112969 120069 B RB K E EG D C7 Erroneous rod botton indication given by failed bistable. 1069-17 112969 120069 B RB K B EG D C7 Erroneous rod botton indication 91ren by failed bistable. 1069-18 121069 010070 B Il S I B EE D N Pressurizer level indicator failed upscale due to blown fuse. A069-19 121869 010070 B ED AA B EE D C7 Inverter for vital bus 82 failed. __ _ ___ _ W

Tchl3 12. 5 C#dicg Sheet for R2 port;b13 Ev00t3 ct 5:3 Ca2f ra 1 - 1970 NSIC ACCESSION' EVENT REPORT PLANT ' COMPONENT ABNOEHAL SIGNIFICANCE NUMBER N U M B ER DATE D AT E STATUS SYSTEM EQUIPMENT INSTRUMENT S FAT US CONDITION CAUSE CATEGORT COMBENT A070-Ol 010770 020070 B PC DD B HB D N North charging pump shaft. broke. 1070-02 021670 030070 B RB K B EG D C7 Failed LTDT caused CR position indication.- 1070-03 021770 030070 B RB K B EG D C7 Failed LTDT caused CR position indication. 1070-04 020570 030070 B EB MH B AU D C7 Steam generator tube leak. 1070-05 040870 040070 B RB K B EG D C7 Failed LTDT caused erroneous rod position indication. A070-06 041370 040070 B HB QQ C 13 D 5 Turbine control valves suddenly and spuriously changed ,3 positions. i [7 A070-07 3200 052970 071070 B HA NN B BF H N Turbine manually tripped u> due to over acceleration. 1070-08 052970 060070 B RB K B EG D C7 Failed LVDT caused erroneous rod position indication. 1070-09 072770 080070 B IA L B EG D N A somentary spike occurred on a flux channel. A070-10 082470 090070 B S FC F C BF D N West safety injection recirculation pump breaker spuriously tripped. 1070-11 091270 100070 B ZZ BF Z N A moderate earthquake was felt at San Onofre. A070-12 091070 100070 B PC DD B HB D N North charging pump shaft cracked. 1070-13 58006 101970 111670 B SFC 00 C BB D N A safety injection system isolation valve stuck open.

Tablo A2. 5 (etct inued! ' NSIC-ACCESSION EVENT EEPORT PLANT CORPONENT ABNORRAL SIGNIFICANCE NUMBER NUMBER DATE D AT E STATUS SYSTEM EQUIPMENT INSTRONENT STATUS CONDITION CAUSE CATEGORY COMMENT A070-14 58006 110470 111670 B SFC 00 C- AD,ED. D N Damaged safety injection systen pump discharge . valve. 1070-15 112170 120070 B RB K B EG D C7 Failed LYDT caused erroneous CR position indication. 1070-16 112770 120070 B- HB .U B EG D E Failed thermocouple on the east FN pump gave an 

                                                                                                   ,        erroneous signal.

1070-17 120370 010071 B zz D N. Contractors leased van damaged. 70-01 60821 000070 121570 D CB DD C AV D N Cracked reactor coolant pump flywheel. Y C o

Y Tablo A2. 6 Codirg Sheet for Rzpret*bl3 E?o2t3 ct San Cesf ra 'l' - 1971 NSIC ACCESSION- EVENT ' EEPORT PL ANT CORPONENT ABNORM AL ' SIGNIFICANCE-NUMBER NUMBER D AT E D AT E STATUS SYSTEM EQUIPMENT INSTRU5ENT STATUS - CONDITION CAUS E , CATEGORY COMBENT A073-01 020971 020071 B ZE OF. 1- I A moderate earthquake was. felt at San Onofre. A071-02 031871 030071 B IA N B EF C W Cold soldered joints in a low pressure trip circuit caused scran. 1071-03 032371 030071 B ED S B BG D C7 No. 4 inverter failed.due to a capacitor failure. 4071-04 041571 040071 B IA M B E8 D N- A failed capacitor in a low pressure trip circuit caused a drif t in the trip set point. A071-05 042771 040071 B CB DD U B EG D N A RCP thermocouple gave an erroneous indication y due to static charge {* of unknown origin. A071-06 062271 060071 B EA,HA B BG D S9 Loss of offsite power lines caused turbine overspeed. A071-07 062671 060073 B RB J,5 B EE D N Fuse failure caused partial immobility of two CRD's. 1071-08 070771 070071 B HA QQ C ED D E Turbine load limit valve actor f ailed during a test. Ao71-09 072171 070071 B HA T & BC G N Gradual decay of generator excitation because maintenance took too long. A071-10 072171 '070071' B HA NW C BW D S9 Generator out-of-step condition caused 3 turbine overspeed. A071-II 083171 080071 B 2Z OF Z N A small earthquake was recorded at San onofre. 1 v

Tablo A2. 6 (usctirued) BSIC ACCESSION EVENT- REPORT PLANT' . - CONPON ENT ABNORMAL SIGNIFICANCE NUMBER NUMBER DATE. D AT E STATUS.SYSTER EQUIPMENT INSTRUMENT STATUS ' CONDITION CAUSE CATEGORY. COMMENT-A071-12. 092171 090071 B IA H. B EH D N & zener diode failure in a low pressure . trip - circuit caused a drif t in the trip. set point. 1071-13 092371 090071 B RB J,S B EE D N Fuse failure caused, partial immobility of two.CED's. 1071-14 093071 C90071 B _ZZ OF Z N & small earthquake was 

                                                                                                                                   ' recorded at San Onof re.

1071-15 110971 h0071 B ' SRC DD C OC 1 N AFW pump. tests were scheduled nonthly instead of bi-veekly. A071-16 111371 110071 B IA 5 B ER G N A bad soldered joint in a low pressure trip . nn circuit caused a drift in the trip set point. 4 I$ - 1071-17 55346 122671 022572 D HB 00 C BA D E Two steam relief valves f ailed to open on test. ,. i

Il 

                                   -Tcb13 A2. 7 C;dicg Sheet for Riptrt:bl3 Ev Rt3 ct San Cacfra 1 - 1972 NSIC A CCESSION EYENT REPORT PLANT                                            .

COMPONENT ABNORM AL SIGNIFICANCE NUMBER NUMBER DATE D AT E STATUS SYSTEM EQUIPMENT INSTRUMENT STATUS CONDITION CAUSE CATEGORY COMMENT 

  .A072-01               010072 012872      C. EE            QQ                                 C           BB    D      W      DG fuel line isolation valve failed to close.

1072-02 69325 010072 012872 C SD- 00,QQ C AG,AH D N An isolation valve f ailed to close. A072-03 55249 010072 -021372 C RC R C BI H N Cladding f ailure occurred in two fuel rods. 4072-04 021272 020072 C PC QQ C ED D N Seal water filter bypass valve failed open during a test due to a shorted valve operator. A072-05 020272 020072 C CB M5 B AG D C7 Steam generator tube f leaked. 1072-06 040772 040072 B HA QQ C EF D N Turbine control valve spuriously changed 

                                                                                           -                                        positions, 78 w

[j A072-07 71397 043072 050972 B RH QQ B AB D $9 . Excessive feedvater flow due to a regulating valve failure. A C'- ' #~ 84464 050272 050072 B HA 00,Q0 P B AG,AZ D E Two turbine control valves in the main steam system failed. A072-09 060572 060072 B IA I B OJ H N Operator bumped into a flux monitor causing a unit runback. 72-01 78514 070872 021573 3 CB II B AU D C7 Steam generator C. tubes leaked. 72-02 78514 071872 021573 B EE N C EE D N Diesel generator had broken wire in the exciter field. 72-03 74190 072972 082872 B HA NN.T B BF,EE D S9 Turbine overspeed when unit tripped due to loss of generator load. e

( l. l-Tabla _A2. 7 (cictirmed) MSIC COMPONENT ABNORMAL SIGNIFICANCE ACCESSION EVENT REPORT PLANT . . . CATEGORY C05 MENT NUBBEE NU5BER DAT E D AT E STATUS SYSTEM EQUIP 5ENT INSTRU5ENT STATUS CONDITION CAUSE 091272 021573 CB II B 'AU 'o C7 ' Steam generator C tubes 72-04. 78514 B leaked. B AU D C7 Steam generator A tubes 7 2-05 78514 091272 021573 B CB II 

                                                                                                                                                         ' leaked.

C AS D C7 Four control rods slipped. 72-06 78514 092072 021573 D RB J 120972 021573 -ED AA B EE D C7 Inverter on vital bis No. 72-07 78514 B 3 failed. l l 

                               ?

O

Tcbl9 12. 8 Ccding Shrat for Riportablo Ev20t3 ct Sa2 Onsfr3 1- 1973 NSIC 

           -ACCESSION EVENT REPORT PLANT                               COMPONENT ABNORMAL       SIGNIFICANCE NUMBER   NUMBER    DAT E   DATE STATUS SYSTEM EQUIPMENT INSTRU5ENT   STATUS CONDITION CAUSE   CATEGORY         COMMENT S I73-01             010573 082873    .B    CB       II                  B       AU        D     'C7     Steam generator A tubes leaked.

SI73-02 018073 082873 B ED AA I B EE H_ C7 Operator inadvertently bumped a switch deenergizing the inverter to vital bus No. 4. SI73-03 79373 021373 030873 B EE N U C HB,BL D N Overheating of diesel generator No. 2 due to stuck cooling water thermostats. SI73-34 79468 021673 031273 B EE N C AD D N Failure of fuel injection pump for diesel generator no. 1. SI73-05 022073 082873 B RB J T B AY D C7 A switch spuriously opened as in the CBD positioner /, and a CR slipped into ha the core. un SI73-06 022173 030873 B ZZ OF Z N A moderate earthquake was felt at San Onofre. SI73-07 050873 082873 B EE P B AQ D N Diesel generator failed because of a clogged filter in the air start mechanism. S I73-08 81591 060773 070673 D EA,EE LL,N B ED D S I,S2 Loss of of fsite power due to transformer trip. Also one diesel generator f ailed. SI73-09 071473 022574 D ZZ OF Z N A small earthquake was sensed at San Onofre. SI73-10 080673 022 574 8 ZZ OF Z N A small earthquake was sensed at San Onofre. SI73-II 081773 070673 B ED 1A B EE D C7 Inverter No. 2 failed.

i 

                                                                 ' Tablo 42. 8 (estti med)

NSIC ACCESSION EVENT BEPORT PLANT . COBpONENT ABNORMAL SIGNIFICANCE' NUMBER NUMBER DAT E D AT E STATUS SYSTEM EQUIPMENT INSTRUMENT ST AT US CONDITION CAUSE.- CATEGORY COMMENT S I7 3-12 87066 101673 112073 B ED N C AB h N Faildre of fuel pump ' for. diesel generator. S I73- 13 87016 102173 102273 B HH,SFC. 00,0Q B HA,HH. H S9 During. power reduction, unit tripped due to. excessive FN flow. ' SIS ' actuated. Motor 

                                                                                                                                     ' operator of SI valve was damaged by water hammer.

SI73-14 102873 022574 D ZZ OF Z N A small earthquake was felt at San onofre. SI73-15 112973 022574 D EA F B EE D 5 Electrical disturbance in offsite grid. SI73-16 121873 011474 D SD 00 C AN D N Containment isolation valve failed leaky. Y C l 4

T;bl9 A2. 9 Codlig Sheet f!r Esport bl5 Ev03t2 Ct 'SO2 Ontfra 1 - 1974 NSIC ACCESSION EVE NT REPORT PLANT COMPONENT ABNORMAL SIGNIFICANCE NUMBER WUM B ER D AT E DATE STATUS SYSTEM EQUIPMENT INSTRUMENT ST AT US CONDITION CAUSE CATEGORY COMMENT SI74-01 011474 020874 D HB 2,KK B AD D N Main steam line knee support found sisplaced. SI74-02 022474 081474 B IA M B EH D N Loop B low pressure trip set point high. SI74-03 040374 081474 B PC 00 B HL D N Boron crystallization prevented operation of-BAT disch3rge valve. SI74-04 061174 081474 B IA L B EG D N Spurious high flux indication caused turbine runback. SI74-05 061474 081474 B ED AA P B ED D C7 No. 1 inverter failed due to shorted SCR. SI74-06 94768 070774 071574 D NB U L B AU B S2 Leaking cooling coils flooded detector il thimbles, causing a reactor trip. SI74-07 070974 021275 B HH PP B AL D N Fu check valve to steam generator C failed. SI74-08 042574 081475 B CB II B AU D C7 Tube leak in steam generators "A" and "C". 4 SI74-09 072474 021275 B ZZ Z N FBI reported -a sabotage threat. SI74-10 95378 081374 093074 B EE N,DD C AG D N Diesel generator cooling pump seized. 5174-11 082074 021275 B IA I B EG D N Spurious trip from pressurizer level indicator. 1 SI74-12 102174 021275 B RB J B AS D C7 Subgroup 8 control rods dropped into the core. 4

q Tcb13 12.10 Crdirg Sheet fzr B2portab13 Ev20tc at S03 Omrfra 1 - 1975. NSIC ACCESSION EYENT REPORT PLANT C05 PONE 4T ABNORMAL . SIGNIFICANCE NU5B2R NUMB ER DATE DATE STATUS SYSTEM EQUIPMENT INSTRUMENT STATUS CONDITION CAUSE CATEGORY COMMENT S I75-01 011375 082075 - B IA C,5 B EH D N Low pressure trip setpoint drift. S I75-02 93568 011475 012275 B EE N C 10 D N Diesel generator f ailed due to separation of pulley from drive shaft. SI75-03 02:275 082075 B RF U B EG D N Circulating water delta T monitor f ailed. SI75-04 100574 021275 031275 B EE N,DD C HB B 5 Diesel generator failed due to insufficient flow of fuel transfer - pump. B BG D C7 No. 2 inverter failed, SI75-05 021975 082075 B ED AA tripping the reactor. SI75-06 022875 033175 B SFB 00 B OK B 59 Potential safety injection ,3 failure due to single i Ej valve failure. co SI75-07 031575 061675 C SD 00 C BB D N Leakage of containment isolation valve. I 040275 082075 FD L B AL D E Fuel transfer system was SI75-08 C da ma ged. D C7 No. 2 inverter failed, SI75-09 042275 082075 C ED AA B BG tripping the reactor. 042575 082575 B IA L B EH D N Overpower trip set point SI75-10 drifted. 041375 082575 C CB II C AU D C7 Steam generator 1 tubes SI75-il leaked. 041875 082575 EA F C BG H N Operator deenergized two 4 SI75-12 B kg buses during a trip. 052175 082575 B HF P B AQ Z N Heavy influx of sesgrass SI75- 13 clogged the traveling screens. 

                                                                    ' Table A2.10  (continued)

NSIC ACC ESSION EVENT REPORT PL ANT COMPONENT ABNORMAL SIG NIFIC A NCE NUMBER N UM B ER CAT E D AT E STATUS SYSTEM EQUIPMENT INSTRUMENT ST ATUS . CONDITION CAUSE CATEGORY COMMENT SI75- 14 104065 061975 070775 B BA,BB N B OC H E Air and drinking water samples not taken. SI75-15 061175 082575 B CB II B AU D C7 Steam generator C tube ' leaked. S I75- 3 6 070975 000075 B HF T B BB D N Chlorination microswitch failed to discontinue chlorination. S I75- 17 106454 08l275 091275 B EE N,U B AR D S1 Diesel generator el overheats due to blocked cooling. S I75- 18 106455 081375 091275 B EE .N,TF B AW B S1 Diesel generator 82 overheats due to loss of cooling water. SI75-19 082075 000075 B PC DD C AG D N South boric acid transfer pump bearing seized. I S175-20 082075 000075 B EB J C B BC D C7 Control rod group 3. 3 [l e skipped steps. SI75-22 101975 -000075 B ED AA C B BY D C7 Oil filled capacitor in the No. 3 inverter failed. SI75-23 000075 8 HH Z B AL D N FW flow straightening device became loose. SI75-24 108558 001175 112575 8 BB N B OC H N Offsite particulate filters not collected ! for two weeeks. 4 y

Table 42.11 . Coding Sheet for Reportable Events at Sea Onofre 1 - 1976 MSIC ACCESSION ETENT REPORT PL ANT COMPONENT ABWORM AL . SIGNIFIC&WCE NUMBER NUMBER D AT E D LT E STATUS SYSTEM EQUIP 8ENT INSTRUMENT ST AT US CONDITION CAUSE CATEGORY CONNENT. L EE76-01 '184077 032276 032376 .B FB 0 B AO' C N. Crack in shipping cask lifting device. LER76-02 050376 022577 B FB 0 B 10 C N Crack in shipping cask lifting device. LER76-03 115452 052076 061876 B HB II,00 E B AU . D N Leak.in instrument v61Te caused low steam i generator flow indication. LER76-04 115878 062876 071476 B CB E B EG D N Loop C flow transmitter failure caused spurious trip. LER76-05 060176 072676 8 ID && L B ED D N Arial monitoring system f ailed due to shorted Power supply. LER76-06 187666 073076 082576 B CB II B AU D. C7 Steam generator tube 71 failed. 

-a

{j LER76-07 117154 073176 082576 D PC DD C HC B C4 Boric acid transfer line was blocked by boron crystallization LER76-08 118184 082376 091676 B ED 14 8 EE D C7 Inverter No. I failed causing loss of feedvater control. LER76-09 119784 000076 .311676 C BA KK C AI,HD B N Thermal shield flerare supports failed. LE476-10 119783 000076 091576 C BA KK C AI,HD 5 E Steam generator tubes had defects. LER76-11 120269 000076 120176 C CB II,KK C AB D C7 ' Steam generator antivibration bars were worn. SI76-01 010176 022577 B ZZ OF Z N & small earthquake was - sensed at San Onofre. 

                                                                    -Table 12.11  (continued)

NSIC A CC ESSION EYENT BEPORT PLANT COMPON ENT ABNORMAL SIGNIFICANCE NUMBER NUMBER D AT E D AT E STATUS SYSTEM EQUIPMENT INSTRUNENT STATUS CONDITION CAUSE CATEGORY. COMMENT SI76-02 210176 022577 8 EA G B BG Z. 51 Loss of offsite power due to brush fire. S I76-03 220976 022577 B IB I. C EG D N Spurious pressurizer high level signal f tipped reactor. SI76-04 220976 022577 B ED AA C B BY D C7 Oil-filled capacitor in the No. 2 inverter failed. SI76-05 221776 022577 B ED 1A B BG D C7 No. 4 inverter failed tripping reactor. 5I76-06 030576 022577 B FB JJ B OD H N Contamination was spread from spent fuel cask area. SI76-07 032776 022577 B FB JJ B OC H N Spent fuel cask shipped without knowledge of ' jf . amount inside. e yf SI76-09 041776 022577 5 RA C B BF G N Turbine tripped due to low . overspeed setting. SI76-11 041776 022577 B HB D,DD B BF D E FN Pump vibration caused high bearing temperature. SI75-12 041976 022577 B HH PP B AL D N FN check valve-seat became disconnected. SI76-15 070276 022577 B FB JJ B AI D E ShippiD7 Cask neutron shield leaked borated glycol. SI76-16 072676 072577 B EB C B BY E N Brief construction fire scorched electric cable jackets. SI76-21 082376 022577 B ID AA K B EG D C7 Bod botton indicator power supply failed causing rumback. 1

1 

                                                                                                                                            .{

Tablo 12. II (crti .ned) MSIC A CCESSION EYENT REPORT PLANT C05POWENT ABNORMAL SIGNIFIC ANCE DATE STATUS SYSTEN ' EQUIP 5ENT INSTRUEENT . STATUS CONDITION CAUSE CATEGORY, COMMENT NUBBER NUBBER D AT E . 

                     '092576 022577     B     ED       AA         .C          'B      BY       D       C7     ' Oil-filled capacitor in SI76-23 the No. 3 inverter failed.,

S176-24 092576 022577 B ED AA B BG D C7 .No. 2 inverter failed. 092576 022577 AA C B BY D C7 Oil-filled capacitor la 3176-25 B ED the No. 3 inverter failed. 101876 022577 EE OF E N A moderate earthqcato was. S I76-26 B felt at San Onofre 111601 000076 030176 B IF U B EG D N Of fshore temperature 76-1 sensors 'f ailed. 115877 000076 062876 .B EE KK B AT E N Voids found in diesel 76-2 generator building vall. Y. 000076 071576 IF U B EG I N offshore temperature r 76-3 115878 B sensors failwd due to-gj rough seas.

Table A2.12 Coding Sheet for Reportable Events at San Onofre 1 - 1977 NSIC ACCESSION EYENT REPORT PLANT C05PONENT ABNOREAL SIGNIFICANCE NUMBER .NUMBLR DAT E DATE STATUS SYSTEM EQUIPMENT INSTRUMENT ST&TOS CONDITION CAUSE- CATEGORY COMMENT LER77-91 122203 011777 020477 D BB. B OC 1 N Airborne samples sot collected. L ER77-02 122204 011777 020777 D SBB Z C AB C N Corrosion in containment - spray piping. LER77-03 122832 .082477 021877 .D WB 5,DD A .AU 1 N . Leak in RER pump cooling water line due to line

being cut into.

LER77-04 122133 021577 030277 D S HB Z C A0 E N Two leaks found in containment spray ' 

                 .                                                                                                   system.

i LER77-05 123082 022077 030477 D SA C AI G N Leak in containment vessel due to drilled holes. LER77-10 125174 041777 051377 B CB 00 B AU D N Beactor coolant systes

no leak through valve j, packing.

I 77-01 124898 042177- 051177 8 ' IF U C AL D E offshore temperature sensor found to be missing. LER77-06 125175 042677 052577 B PC DD B BC D C4 Failure of boric acid transfer pump due to boron precipitation. 

,    LER77-07         125181  051077 052577     B      EE      N,KK                  C       AL         E     N      Fuel oil bypass line supports omitted on i                                                                                                                     diesel generators.

77-02 126491 060177 062977 B IF U C AL D N Of fshore temperature sensor found to be missing. 77-03 061677 071277 D FB 00 B AY D N Spent ' fuel shipping cask drain valve found opea, j LER77-08 125703 061477 070177 B ED -QQ,S -B BB D C7 Inverter deenergized by fuse failure. 1

1 Table A2.12 (continued) - NSIC ACCESSION EVENT REPORT PLANT COMPONENT ABNORMAL . SIG NIFIC A NCE NORBER NUMBER DAT E D AT E STATUS SYSTEN EQUIPMENT INSTRUNENT STATUS CONDITION CAUSE CATEGORY C05 MENT 

                                                                                                                                                     ~

LER77-09 129554 072977 082577 B CA CC B OK B .N Pressurizer heat-up rate nonconservative. 77-04 127978 073077 081877 C FB 00 B Af H N . Spent fuel shipping cask - drain valve found open. L ER 77- 12 128944 080977 090877 B SA FF B OC C N Deficiency found in electrical penetration documentation. LER77-11 128890 082477 090777 B SFC DD B BH B N Charging pump circuitry change f ails to eliminate single f ailure ef fect. LER77-13 129778 091977 100377 D CB II,KK C AB D C7 Tube vall thinning due to anti-vibrational bars. L ER77-14 130702 100177 101477 D CB II,KK & BT,10 D C7 Inadvertent dilution of reactor coolant due to 72 steam generator leak. s. v

r q Table A2.13 Coding' Sheet for Reportable Events at San Onofre 1- 1978 NSIC ACCESSION EVENT REPORT FLANT COMPONENT ABNORBAL SIGNIFICANCE NUMDER NUMBER D AT E D AT E STATUS SYSTEM EQUIPMENT INSTRUNENT STATUS CONDITION CAUSE CATEGORY COMMENT LEB78-Of 135)S3 011678 021078 B HF DD,F P B BF D N Saltwater cooling pump breaker trips cpen when other pump is down for maintenance. LER78-02 136374 013078 022378 B SRB 00 C BB D N Containment spray valve fails to close in testing. LER78-03 137341 031578 032878 B SHB C B BF D N Two containment spray actuation system inverters tripped. LER78-04 138234 032878 042578 B EE N C AG D M Diesel generator fails to . start due to lack of lubrication. LER78-05 138253 041878 051078 D SFC 00 C AE,AS D N Safety injection valve opens slowly due to m distorted valve shaft. l4 LER78-06 138254 042678 051978 B SFC B HB B N Reanalysis of small break LJ 

                                                                                                                                         LOCA indicated lover than anticipated flow.

LER78-07 139587 060778 062978 B ED S C B BF D C7 Input fuse to inverter fails. LER78-08 140322 071878 080978 B EE N C AG D N Diesel generator fails to start due to binding of linkage. LER78-09 143321 080178 080978 B HH E B AL D W Flow straightener became dislodged and lodged against feedvater flow orifice plate. LER78-10 140353 081878 091478 8 HH,SPC 00 B BH G N Feedvater pump safety injection valve inadvertently opened. LER78-11 141389 102378 110678 C HH CG C HH,AH D N Shock absorbers found 

                                                                                                                                          ' inoperable.

Table A2.13 (continned) NSIC A CCESSION EYENT REPORT PL ANT CONPONENT ABNORNAL- SIGNIFICANCE NUNBER NUNBER DAT E DATE - STATUS SYSTE5 EQUIPNENT INSTRONENT STATUS CONDITION CAUSE CATEGORY CORRENT LER78-12 14l196 102378 112178 C SFC Z C AR D. N Leaks found in charging Pump discharge line.- LEt78-13 142839 112578 122078 B HH E B AL D N Flow straightener dislodged. LE278-14 145212 120578 010379 B SRB 00 A AY H N Hydrazine additive pump recirc valve lef t open. 78-01 091378 101378 B HF P B AQ I N Large quantity of fish impinged on intake 

                 .                                                                                                             screens during storas.

78-02 091878 101878 MC P B AL Z N Settling plates damaged by increased marine activity. 78-03 063078 101378 B EC U B EG D N Two temperature sensors ng failed. e E$ 73-04 101078 121978 B HC U B EG D N Two temperature sensors en failed.

Table A2.14 Coding Sheet for Reportable Events at San Onofre I- 1979 NSIC A CCESSION EVENT PEPORT PLANT COMPON ENT ABNOBRAL SIG NI FIC A NCE NUMBER NUMBE2 DAT E D AT E STATUS SYSTEM EQUIP 5ENT INSTRUMENT STATUS CONDITION CAUSE CATEGORY COMMENT LER79-01 147264 010979 020779 B SD QQ C BB D N Containment air unit cooling water valve failed to close. L EB79-02 150075 040479 050479 B HH E B AL D N Flow straightener dislodged.- LEB79-03 149445 040479 050379 B SD CO C BB D N Containment air' unit cooling water valve failed to close. LER79-04 151481 010979 041979 B BB N B OK & N Loss of benthic survey data not reported. LER79-05 151480 040279 042779 B IF U B AG D N Sea temperature data lost due to instrument malfunction. LER79-06 149247 041379 051179 B DB N B ASL D E Four environmental "8 radiation dosimeters 5 lost due to vandalism. w LER79-07 150036 042379 052279 3 HB E B EG D N Steam flow indicator failed.

LER79-08 150253 060479 061879 D CB II C AU D C7 ' Leaking steam generator j tubes.

LEB79-09 150252 060579 061979 D HH GG C HH,AB D N Feedvater line shock absorber fails. l LER79-10 152656 060579 061579 D BB II C AO E N Cracks in steam generator I feedwater nozzle to reducer velds. L ER79-11 151831 080679 083179 8 BB B OC ( N A N Drinking water sample lost. L ER79- 12 151034 0B0579 083079 8 HF B OC A N Fish ispingement data not collected. LER79-13 152654 090679 091179 B SHB 3 C 10 D N Cracks in suction piping from containment spray pumps. l i

Tablo 12.14 . (2ontinued) NSIC- . . ACCESSION EVENT REPORT PLANT CORPONENT ABNORMAL SIf dI FICA NCE BWNSEP NUESER DATE DAT E STATUS SYSTER EQNIPMENT INSTRURENT STATOS . CONDITION CAUSE CATEGORY CORRENT LERT3-14 152236 082979 092879 .8 EC E C. EE D. N 15 VDC power supply f ailed disabling one diesel generator and one safety lajection train. LER79-15 154812 092579 100979 B SD FF A 15 R N Containment personnel air lock left open for 10 seconds. LE179-16 154815 091579 100579 D SFC E C 10,A D N Crack-like indication in safety injection line veld. LEt?9-17 153395 110779 112179 8 EB T BF, ED D C7 Short circuit in 4807 bus due to rodeat. LER79-18 153387 110979 112679 D NA KK,FF C AL E N Pipe support missing. LER79-19 153668 111679 113079 B EE KK C AL E _N Pipe supports missing. O LEI 79-20 153669 112679 120779 D NB EK C AL E N pipe supports missing. c2 LER79-21 153670 111479 121279 B EC P B BF D N Load sequencer power supply trips off. lea 79-22 153819 113079 121779 D WB KK C AL E N Pipe supports missing LE579-23 153873 101079 121179 8 CB,IA CC N C EI E N Low Fressure trip safety setting too lov on one pressure chamael. LEE 79-24 153936 120379 013180 8 HR E,I B OK 5 W Eodifications made to equipment without approved design change. LER79-25 153496 101179 011180 B CB,IA F,5 B EG D N T-ATG converter fails. LEt?9-26 153937 122679 011080 B SMC DD.D C AB,1K R N Steam driven aux feedvater pump bearing fails.

Table A2.85 Coding Sheet for Reportable Events at San Onofre 1 - 1980 BSIC A CCESSION EVENT REPORT PLANT COMPONENT ABNOBH AL SIGNI FICA NCE NUMBER NUEBER D AT E D AT E ST ATUS SYSTES EQUIPMENT INSTRU5ENT STATUS CONDITION CAUSE CATEGORY COMMENT L EE 80-01 154456 011080 012580 B HF 2,NK C BC E N Piping supports f all to meet seismic criteria. L E280-02 154455 011680 082880 8 HH 00 P B BF G S9 Construction worker bumped a relay tripping a FW pump. LER80-03 154623 010980 020580 B S D, P A QQ,HH B BB D C8 Service water containment isolation valve f ails to close due to clogged air line. L EE 80-04 154623 010980 020580 B SD,PA QQ,HR B BB D C8 Service water containment isolation valve fails to close due to clogged air line. L Es 60-05 155571 021860 022980 B HF H B HB I N Condenser cooling water flow partially blocked by seaweed due to severe weather. 1 j, LER80-06 155475 031080 032480 B HF DD B HC D SI,53 Loss of all salt water ga cooling flow to plant. LE380-07 155983 022480 032D80 B STC Z B HE D N Crack found in charging pump discharge line, due to cavitation. L Ea 80-08 156134 031880 040980 8 HF KK & HD,1R D N Saltwater cooling system pipe supports fail. LER80-09 155441 033180 040280 B BB B B OC I N Benthic data not taken when required due to severe weather. LEE 80-10 156333 031880 040980 B S rc DD.D B AB D E Charging pump thrust bearing fails. LER80-11 156334 031080 040880 B PC CC B AD H N Pressurizer relief tank rupture disk ruptures , due to overfilling. l l l l 1 1 i

Tablo 12.15 (contimmed) NSIC A CCESSION EVENT EEPORT PLANT CD5POWENT ABNOBRAL SIGNIFICENCE NURSER 5055ER DATE DATE STAT 85 SYSTES EQUIPMENT INSTRUNENT STATNS CONDITION CAUSE . CATEGORY CORRENT L EP 80-12 156205 032480 042180 B EE .N.DD B BF D N Diesel generator feel oil transfer pumps fail due to water flooding due to failure of surp pumps. LE280-13 157052 032980 042890 B SG S B As G N Control room energency air treatment system dampers f ail closed due to wrong f ase. LE380-ta 166740 041480 072280 C CB II C 10 D C7 9 steam generator tubes found to be leaking. LE380-15 158278 042280 050580 D El P A BF G 57 4 kT and 480 Y onsite and of fsite power lost. LEn80-16 156982 042080 052080 C IE FF S B EG D SI,S2 Source range nuclear instrumentation f ails during refueling due to seal leakage. LEt80-17 156956 050580 051480 C FD PP B AU D N Erroneous boron results 5[ from reactor refueling c) cavity due to contamination of chemistry sample. LER80-18 156925 050680 051680 C IE F A AE B N Incore flux thimble bent. LER80-19 158666 051080 052280 D CF EK C AL E N Pipe support found to be missing. LEE 80-20 158570 05:380 052880 D HH,53 GO C AH E N Failed hydraulic snabters found. LER80-21 158571 051580 052980 D HH KK C HD,HH D E Feedwater pipe supports found to have failed. LE580-22 156924 050780 052080 D CB z C AT C N Pinhole f ound in reactor coolant pump seal injection pipe. 

   . _ _ - - . . - - .         - .~~          - - --~.. - --

t;blo 42.15 (roat insed) i NSIC ACCESSION - EVENT REPORT PL ANT COMPONENT ABNORNAL SIGNIFICANCE 

                                                                                                                                                           ^

menBEF NUNBER C&TE D AT E STATUS SYSTES EQUIPNENT INSTSUNENT STATUS CONDITION CAUS E CATEGORY CONMENT lea 80-23 157678 052380 061880 D WB U A A0 G N Flaw found la component cooling water heat exchanger veld. LERSO-24 158572 051680 052980 D HB I C AO E N Indications found'in saia steam piping welds during radiographic examination. ! LZ380-25 1586 21 050580 060680 D CB DD C 10 C N 

                                                                                                                                       ~

Linear indications f ound I in reactor coolant pump flywheel bores l during dye penetraat . examination. LEte0-26 158275 060980 061080 D SA,HB Z C AD B N Steaa line break analysis l fails to consider peak l containment pressure. l LE580-27 160255 052880 062380 D HR 3 C AO 3 N Faulty welds found in 

     ,n                                                                                                                         feedwater piping.

i y* , LERB0-28 160254 C61280 063080 D SFC EE C A8 E N Inadegaate pipe guides found on safety injection system ( , injection lines. L ER BO-29 158289 070580 072180 D CB II,FF A AU D C7 Reactor coolant system diluted due to leakage i of inflatable plugs used to isolate steam generators. LEB80-30 158778 040480 072380 B IF U B AG D N Ocean thermal sonitoring data mot taken due to i l actor failure. LIa80-31 159580 072880 082180 D EF QQ B AM G N Saltwater cooling pump discharge valve f ails to open due to wrong spring installed. l l LIE 80-32 160238 071780 081880 D PA,7A QQ B BB B W Containme nt . isolation valve in service water systes f ailed to close due to desiccant contamination of instrument air.

Ta!>13 : 42.15 (roatiamed) NSIC ACCESSION, RTENT REPORT PLANT C05P05ENT ABWORBAL SIGNIFICANCE-BeWBER NO35ER .DATE DATE STATUS SYSTER EQWIPRENT IWSTABRENT STATES CONDITION CAUSE ' CATEGORY COERFWT LE300-33 160315 090280 091680 -D IB P C- EG B E Sequencer relays fall to 

                                                                                                                                                                                                      . reset SIS properly daring test.

lea 80-34 160322 090180 091780 D CB II A AU G C7 Reactor coolant dilution due to steam generator lea k. ' LER80-35 1605I0 091880 101080 D ID T C ED 8 p' Containment isolation panel reset switches 

                                                                                                                                                                                                      . f ound defective.

LIR80-36 160162 092280 100380 D CB II & 45 D C7 Beactor coolaat dilation due to seal failure daring steam generator - decontamination. l lit 00-37 160875 111379 102780 B IF' 5 B AG D W Ocean thereal monitoring 

                   .                                                                                                                                                                                   data mot taken due to actor failuret
  *cs M

L 2380-38 161910 II2280 120980 .D EB. F B AY. E S7 AC. Power to all station 

  "                                                                                                                                                                                                    auxiliaries lost dee to operator opening wrong breaker.

LER80-39 162578 101280 122380 D EE E C AK B E Diesel generator turbocharger thrust bearings worn due to inadequate lubrication.

TcC13 A2.16 Coding Sheet for Reportnblo Evento Ct Sa7 Oncfre I- l'.' 81 CSIC A CCESSION EFENT EEPORT PLA3T C3;PONENT ACNORMAL SIENIFICANCE DORBER BU M BER EAT E D AT E ST ATUS SYSTER EQUIPMENT INSTRUMENT STATUS CONDITION CAUSE CATEGORY CONMENT LEs81-01 163843 011681 011981 C SFC C,P B EF B -C4 Design review indicated that loss of power during safety injection sequencing would cause SIS loads to not load. LEB81-02 164271 020281 021788 D HH 0,E C AL E N Bolts required for seismic qualification of a feedwater line were missing. LEB81-03 166464 041781 060381 C SFB EK C AG D C2 Two mechanical snubbers for the safety injection system were found inoperable. LER81-04 166143 041681 050481 D SFB QQ AC A N Safety injection recirc valves were not qualified for ,, necessary environment. s g[ LI581-05 166391 033181 051181 B BA OC A N Personnel failed to 64 conduct semi-annual crop sonitorigg required by ETS. LER81-07 166668 051588 060183 D CF D3 8 C4 RHR pump couplings were replaced due to failure of similar items under test. LES81-06 166646 042881 051881 D IB G AN,01 B C4 Safety-related circuits with terminal blocks in containment require replacement. LEtti-08 166734 052481 062381 D RS II A A E, AY D N Damage to steam generator thermal sleeve, cracks in feedring and debris found in SG feed nozzle.

Tabla A2.16 (continuedi MSIC A CCESSION EVENT BEPCET PLANT CosPONENT ABuoRaAL SIGNIFICANCE 555B ER BU ME E2 DAT E D AT E STATDS SYSTES EQUIP 5ENT INSTRUMENT STATUS CON DITIO N CAUSE CATEGORY C05 NENT L E381-09 166736 060981 060981 D EB U,00 A HB,AG 'D N Component cooling water heat exchanger and valve blocked by-barnacle growth. LE181-10 166738 060381 062581 D SA B AY D 5 Durirg shutdown both airlock doors were. twice opened simultaneoasty due to . damaged mechasisa. LIE 81-il 178971 C51081 070281 C AD E B AU,0D D C3 Beach sand found contaminated by inadvertent leakage through a non-radioactive drain line. L EI81-12 167722 062381 072281 B IA 5 B EI A N Low pressere trip setpoints were ws nonconservative due to J. a procedural error. 1E381-13 167705 061881 072781 B CJ 00 B AT H E PORY open briefly twice daricq normal pressure 4 transient due to controller being turned off. LEt81-14 1678*3 063088 o'2781 B IA E B EG D C2 Failure of two flow sensors allows power operation greater than indicated power level. L E381- 15 167849 063081 072281 B EE E B Er BT G B Diesel generator trippea due to labe oil leaking from a drain valve lef t opea. L ER81-16 168875 071381 072481 D SA B AY D 3 Both personnel airlock doors were open simultaneously, due to damaged latching mechanism.

TOS13 A2.16 (Iont iteed) NSIC 

               - ACCESSION EVE NT BEIORT PLANT                                   CD5PONENT ABBOEM AL      SIGNIFICANCE NUMBER     N U M B Eh DAT E   D AT E STATUS SYSTEM E2UIPPENT INSTRUNENT    STATUS CONDITION CAUSE   CATEGORT         COMMENT LE381-17       168076   071483 061281     B      EE      5,L                             AW,5Y C                D       N      Fire occurs in diesel

! generator building due to f atigue f ailure of . a lobe oil line. L E3 81-18 168122 071781 073183 D M5 JJ B As,0G A N Escessive oxygen l'a the vaste gas taak ignited causing tank damage. LEE 88-89 169331 083683 091383 8 FC 8 AN,AO D 5 On two occasions, excessive leakage occurred on a charging peep seal water line. lea 81-20 168929 090383 093481 B STB 00 B BA 8 S2,57 Design error causes l f ailure of two salves resulting in f ailure of both trains of SIS. LEB81-21 168830 090381 091481 B E8 AA B ED D C6 foltage regulator f ailure l 

   ]s p.

caused erratic l ** - feedvater cont rol and l 

   '"                                                                                                               resalted la safety injection actuation.

12883-22 196629 100381 302083 D CC CG,EF C BT D 5 Seal leak causes loss of hydraulic fluid in l main steam systes 1 saubber. LE981-23 171003 092585 181681 D Sas AA B BG D N Loss of CSAS power supplies caused inadvertent j containment spray actuation. LE381-24 370073 102581 110381 D SD 00 C 88 C C4 Three manually operated isolation valves failed to close initially when actuated. LERSI-25 170073 102585 810383 D SD 00 C B5 D 5 Ca dif ferent dates, two air operated isolation - l 

                                                                                                                   . valves f ailed to close.

I i

a, 1 J Tablo C2.16 (continaed) ISIC ACCESSI05 EYEST FEPORT PLAST COMP 05ENT ABBOBRAL SIGNIFICANCE apn8ER BUBB ER DAT E D AT E STATBS SISTER EQUIPMENT INSTEWRENT STATES CONDITION CAUSE CATEGORY CON NENT LE581-26 171051 180281 116681 0 Src go C Be E C4 valve failure caused diversion of SI flow to the condensor. 1E588-27 171133 110981 112381 B SFC BY A 5 Procedural deficiency results in adequate boroa concentration la REST. LEne2-28 17104S 103083 III381 D SFC R C EG B C4 Safeguards load sequencer f ailed to operate due to desiga error causing LOOP. LE381-29 171700 134981 128789 B EE 5 C BD G B Diesel generator failed to start due to lov oil level la governor af ter maintenance. mg LEE 81-30 173818 111581 121481 D BB P 5 A EG,9C G B Two weekly air samples 8 vere invalid due to II O' misalignment of filters by personnel. lea 82-03 372n?6 521281 030582 D EB I B AD,40 D 5 Control rod weld failure causes one or two rodlets to remain in the core. LEB82-06 47260a 112081 030282 8 SBB 00 C A5 D 5 During maintenance of refueling water pumps water was inadvertently sprayed into contaissent. L E382- 83 375125 100281 060182 D MA OC,05 A 5 Bidpoint and end point somitoring were omitted dettag a plammed liquid release. l i 1

APPENDIX G NRC STAFF CONTRIBUTORS AND CONSULTANTS i San Onofre 1 SEP

This Safety Evaluation Report is a product of the NRC staff and its consultants. The NRC staff members listed below were principal contributors to this report. A list of consultants follows the list of staff members. NRC Staff Name Title Branch T. Quay Section Leader Accident Evaluation A. Wang Technical Assistant ACRS Staff R. Anand Mechanical Engineer Auxiliary Systems A. Singh Mechanical Engineer Auxiliary Systems J. Wermiel Section Leader Auxiliary Systems S. Kirslis Sr. Chemical Engineer Chemical Engineering J. Wing Sr. Chemical Engineer Chemical Engineering J. Guo Sr. Structural Engineer Containment Systems C. Li Reactor Engineer Containment Systems M. Chatterton Reactor Physicist Core Performance A. Gilla Nuclear Engineer Core Performance F. Kantor Team Leader Emergency Preparedness Licensing (I&E) G. Staley Hydraulic Engineer Environmental & Hydrological A. Cardone Geologist Geosciences L. Reiter Section Leader Geosciences F. Burrows Reactor Engineer Instrumentation & Control (Instrumentations) B. Singh Project Manager Licensing Branch #3 F. Litton Sr. Materials Engineer Materials Engineering Y. Li Mechanical Engineer Mechanical Engineering R. Fell Nuclear Engineer Meteorology & Effluent Treatment J. Levine Meteorologist Meteorology & Effluent Treatment E. Markee Sr. Meteorologist Meteorology & Effluent Treatment R. Hermann Sr. Project Manager Operating Reactors Branch #2 W. Paulson Sr. Project Manager Operating Reactors Branch #5 G. Cwalina Sr. Reactor Operations Operating Reactors Program (I&E) Engineer R. Prevatte Reactor Systems Engineer Power Systems M. McCoy Nuclear Safety Engineer Procedures and Systems Review V. Leung Nuclear Engineer Reactor Systems E. Marinos Nuclear Engineer Reactor Systems A. D'Angelo Resident Inspector Region V M. Rubin Sr. Reactor Engineer Reliability & Risk Assessment R. Silver Sr. Project Manager Research & Standards Coordination J. Watt Sr. Reactor Engineer Research & Standards Coordination K. Campe Site Analyst Siting Analysis N. Chokshi Structural Engineer Structural & Geotechnical

0. Rothberg Structural Engineer Structural & Geotechnical M. Boyle Integrated Assessment Systematic Evaluation Program Project Manager S. Brown Integrated Assessment Systematic Evaluation Program ProjectManager P. Chen Sr. Mechanical Engineer Systematic Evaluation Program T. Cheng Sr. Structural Engineer Systematic Evaluation Program San Onofre 1 SEP G-1

F' Name Title Branch C. Grimes Chief Systematic Evaluation Program E. McKenna Integrated Assessment Systematic Evaluation Program - Project Manager T. Michaels Sr. Integrated Assessment Systematic Evaluation Program ProjectManager D. Persinko Integrated Assessment Systematic Evaluation Program ProjectManager R. Scholl Sr. Integrated Assessment Systematic Evaluation Program Project Manager B. Jagannath Geotechnical Engineer Waste Management Engineering (NMSS) 

    'J. Pearring      Geotechnical Engineer        Waste Management Engineering (NMSS)

G. Alberthal* F. Burger

  • P. DiBenedetto*

M. Fletcher

  • K. Hoge*

R. Jackson

  • H. Levin
  • T. Loomis*

R. Snaider* Consultants Name Company Topic Report Date F. Farmer EG&G, Idaho III-10.A October 1980 VI-7.C.1 October 1980 VIII-3.B January 1981 S. Mays EG&G, Idaho V-11.A December 1980 V-11.B December 1980 D. Morken EG&G, Idaho VI-10.A July 1981 VII-1.A August 1981 VII-2 August 1981 B. Shinde11 EG&G, Idaho VIII-2 June 1980 A. Udy EG&G, Idaho VI-4 November 1980 VI-7.A.3 October 1981 VIII-4 November 1981 D. Weber EG&G, Idaho III-1 October 1981 VII-3 October 1981 R. Agarwal Franklin Research Center III-1 June 1982 D. Barrett Franklin Research Center III-2 September 1982 A. Gonzales Franklin Research Center III-7.8 August 1982 T. Stilwell Franklin Research Center IX-5 August 1982 M. Casada JBF Associates, Inc. Operating July 1983 Experience K. Harrington 'JBF Associates, Inc. Operating July 1983 Experience D. Bernreuter Lawrence Livermore National II-4 October 1981 Laboratory

  • No longer with the Nuclear Regulatory Commission.

) San Onofre 1 SEP G-2 

                                         -3 Name          Company ^                      Topic      Report Date

! T. Lo Lawrence Livermore National III-7.B' Hay 1982 Laboratory

T. Nelson Lawrence Livermore National III-6 May 1982 l Laboratory l ..J. Selan Lawrence Livermore. National VIII-1.A January 1982 l Laboratory .

VIII-1.A May 1982 W. Stein Lawrence Livermore National Laboratory . D. Vreeland Lawrence Livermore National VI-2.0 October 1981 Laboratory A. Crawford Oak Ridge National Operating July 1983 Laboratory Experience G eMays Oak Ridge National Operating July 1983 Laboratory Experience J. Mcdonald Texas' Tech University II-2.A May 1980 G. Overbeck Westec V-10.8 June 1981 J. Scherrer Westec II-3.A September 1982 II-3.B September 1982 II-3.B.1 September 1982 II-3.C September 1982 l-l l l l l l San Onofre 1 SEP G-3

1. EETOa7 NW8E a (Asserve1bv DOC /

[,~,",,c P c R u 335 u.s. NuctE4a cEcutATony commiss ON BIBLIOGRAPHIC DATA SHEET NUREG-0829 Draft 4 TITLE AND SUBTITLE (Add Volume No., af eprmiratel 2. (Leave olank/ Inte ted Plant Safety Assessment Report, Systematic Evalu n Frogram - San Onofre Nuclear Generating Station d. RECIPIENT'S ACCESSION NO. Unit 1 uthern California Edison Company - Docket 7.NOTH h S h D 5. DATE REPORT /OMPLE TED April [ MONTH l YEAR 1985

9. PERFORMING ORGANIZ ON N AME AND M AILING ADDRESS (Inctu* lip Co*J DATE R[ ORT ISSUED Division of Licens p 85 Office of Nuclear Re tor Regulation ep,uat U. S. Nuclear Regulato Commission Washinaton. D.C. 20555 [*"'*'*'*>
12. SPONSOkING ORGANIZATION N AME D M AI LING A DD RE SS (Inclu* I.p Co*)

p 

                                                                                            "'"""~

Same as #9 above. 13 TYPE OF REPORT PE COVE RE D (Inclusive datest (Draft Report) Technical Evaluation 

                    ^
  "PIr$' ins"to"0"ock'etNo.50-206
16. ABSTR ACT 1200 words or less!
                                                           \[                                ""'"#

The Systematic Evaluation Program was init' d in February 1977 by the U. S. Nuclear R:gulatory Commission to review the desig o lder operating nuclear reactor plants ta confirm and document their safety. T e rev provides (1) an assessment of how these plants compare with current lice ing safe requirements relating to selected issues, (2) a basis for deciding on h these dif ences should be resolved in an integrated plant review, and (3) a d umented eval . ion of plant safety. This report documents the review o San Onofre Nuclea enerating Station, Unit 1, cperated by Southern California E son Company. The Sa nofre ] facility is one of 10 plants reviewed under Phase I of this program. This 3 ort indicates how 137 tcpics selected for review unde Phase I of the program we addressed. Equipment and procedural changes have be identified as a result of t review. it KEY WORDS AND DOCUMENT ANALY S 17a DEbCRIPTORS Systematic Evaluation P ogram 17b. IDENTIFIERS /OPEN ENDE D TERMS

18. AV AiLABILITY STATEMENT 19 SE CURtTY CLASS (Th,s reporrl 21 NO OF PAGES Unlimited Unclassified S UR TY LA S (Th,g pap) 22 PRICE NRC FOAM :335 m en L A

, UNITED STATES r , em an NUCLEAR REGULATORY COMMISSION - *******g'8** l WASHINGTON, D.C. 20666 wam o c. essent %.e4: OFFICIAL BUSINESS PENALTY FOR PRIVATE USE, $300 . { l 120555078977 1 1AN U's f4RC AU M-DI V 0F TIDC POLICY E P uti AGT BR-POR Nuc. E G W- SO 1 W A SHI;4GT ON OC 20555 

                                                                                                                   )

{ 

                                                                                                                -)

i Ig _ _ _ _ - - - - _ _ __ __}}

Retrieved from "https://kanterella.com/w/index.php?title=ML20127P703&oldid=3465108"