Semantic search

Jump to navigation Jump to search
 SiteQuarterTitleDescription
05000443/FIN-2014007-01Seabrook2014Q3Alternate Safe Shutdown Areas Affected by Smoke from Cable Spreading Room FireThe team identified a finding of very low safety significance, involving a non-cited violation of Seabrook Unit 1 Operating License Condition 2.F for failure to implement and maintain all aspects of the approved Fire Protection Program. Specifically, NextEra failed to ensure that intake air to the A and B remote shutdown panel areas was not contaminated from products of combustion resulting from a cable spreading room fire. NextEra promptly entered this issue into its corrective action program as condition reports AR 01977233 and AR 01982946. NextEra initiated compensatory measures in the form of four-hour roving fire watches. Long term corrective actions include determining options to eliminate the potential for smoke migration from a cable spreading room fire to the A and B essential switchgear rooms. This finding was more than minor because it was associated with the Protection Against External Factors (e.g., fire) attribute of the Mitigating Systems Cornerstone and adversely affected the cornerstone objective to ensure the availability and reliability of systems that respond to initiating events to prevent undesirable consequences. In accordance with IMC 0609, Appendix F, Fire Protection Significance Determination Process, Attachment 1, Step 1.6, a Senior Reactor Analyst examined NextEras probabilistic risk analysis based risk evaluation for the issue and determined this finding resulted in an increase in core damage frequency in the mid E-7 range (Green) or very low safety significance. This finding did not have a cross-cutting aspect because it was determined to be a legacy issue and was considered to be not indicative of current licensee performance.
05000445/FIN-2008006-01Comanche Peak2008Q2Inadequate POST-FIRE Safe Shutdown ProcedureThe team identified an unresolved item associated with Technical Specification 5.4.1.d concerning the failure to maintain adequate written procedures covering fire protection program implementation. Specifically, Procedure ABN-803A, Response to a Fire in the Control Room or Cable Spreading Room, Revision 8, which is used to perform an alternate shutdown, may be inadequate to assure that the charging pump relied on for achieving post-fire safe shutdown would not be damaged because of a loss of suction. During an alternate shutdown, the charging pump is necessary to support the reactivity control and reactor coolant makeup functions by providing borated water from the refueling water storage tank. Description. During normal plant operations, the chemical and volume control system normally operates to allow a continuous feed (charging and seal injection) and bleed (letdown and seal leak-off) for the reactor coolant system. Normally one centrifugal charging pump is in operation. In the event of fire in the main control room or cable spreading room, inventory makeup is intended to be accomplished using the Train A centrifugal charging pump with the refueling water storage tank as a source of borated water makeup. Procedure ABN 803A included procedural steps to establish a suction path from the refueling water storage tank to the charging pumps. However, the inspection team determined that if the charging pump credited for safe shutdown was running at the time of the fire, a spurious closure of one of the two series-connected volume control tank outlet valves (1-LCV-112B or 1-LCV-112C) prior to successfully opening one of the refueling water storage tank outlet valves would result in a loss of suction and damage to the credited charging pump. The refueling water storage tank to Charging Pump Suction Valves 1-LCV-0112D and 1-LCV-0112E are motor-operated isolation valves and are connected in parallel to the suction of the charging pumps. Each valve is controlled from a switch on Panel CB-06 in the main control room. Prior to evacuating the main control room and establishing control at the remote shutdown panel, operators are directed in Section 2.3, Step 4(g), of Procedure ABN-803A, to open refueling water storage tank Suction Valves 1-LCV-112D and 1-LCV-112E. However, these actions are not credited because they were not approved by the NRC, since the time available to perform actions prior to evacuating the control room may be very limited. From a review of related wiring diagrams, the inspection team determined that the occurrence of a single short to ground for each valve could preclude the success of this step. In addition, although the procedure includes a back-up action outside the main control room to ensure refueling water storage tank Suction Valve 1-LCV-112E is open, this step was not performed for at least 20 minutes, based on the teams observations during a walk-through of the procedure. Analysis. Failure to ensure that Procedure ABN-803 contained sufficient instructions to ensure that the Train A centrifugal charging pump would be available in a control room evacuation was potentially a performance deficiency. The team determined that this finding was more than minor because it is associated with the Protection Against External Factors attribute of the Mitigating Systems cornerstone and could affect the availability, reliability, and capability of systems that respond to fire events to prevent undesirable consequences. Volume control tank outlet Valves 1-LCV-0112B and 1-LCV-0112C are motor-operated valves connected in series in the line from the volume control tank to the charging pumps. In the main control room, each valve is controlled from a switch located on the same panel (CB-06) as the refueling water storage tank suction valve switches. Should either of the volume control tank outlet valves spuriously close during the time prior to successfully opening one of the refueling water storage tank suction valves, the operating charging pump could be damaged. If the credited charging pump is in operation and is damaged, operators may not be able to achieve the reactivity control and reactor coolant makeup functions required for post-fire safe shutdown using the protected train. The team initiated an evaluation of this finding using the Significance Determination Process in Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, because it affected fire protection defense-in-depth strategies involving post fire safe shutdown systems. However, additional analysis, to be performed by a senior reactor analyst, is needed to determine the safety significance of this issue. The licensee has entered this issue into their corrective action program as Smart Form SMF-2008-000488-00. Enforcement. Technical Specification 5.4.1.d states that written procedures shall be established, implemented, and maintained covering fire protection program implementation. Procedure ABN-803A, Response to a Fire in the Control Room or Cable Spreading Room, Revision 8, implements this requirement for fires requiring the main control room to be evacuated. The team was concerned that procedural guidance may have been inadequate to prevent damage to the protected centrifugal charging pump if it was in operation at the time of a fire requiring an evacuation of the main control room. Pending completion of additional analyses to determine if a credible fire scenario exists for this concern and to determine the safety significance of this finding, this issue is being treated as an unresolved item: URI 05000445; 446/2008006-01, Inadequate Post- Fire Safe Shutdown Procedure
05000445/FIN-2013004-05Comanche Peak2013Q3Potential Motor-Operated Valve Single Spurious Operation VulnerabilityThe inspectors identified an unresolved item associated with fire-induced single spurious operations. The inspectors were concerned that a single hot short could cause the spurious operation of motor-operated valves and bypass their torque/limit switch, resulting in damage to the pressure boundary. On February 28, 1992, the NRC issued Information Notice 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire, to alert licensees of conditions that could result in the loss of capability to maintain the reactor in a safe shutdown condition in the event that a control room fire forced operators to evacuate the control room (i.e., alternative shutdown scenarios). Information Notice 92-18 was primarily concerned with the loss of control of valves required for alternative shutdown. Specifically, the Information Notice was concerned with the potential for hot shorts to cause the spurious operation of these motor-operated valves and bypass their torque/limit switch, potentially damaging the valves before operators could transfer control to the remote shutdown panel. In this situation, the valves may not be able to be operated manually or from the remote shutdown panel. The licensee evaluated this issue in Engineering Report ER-ME-089, Resolution of NRC Information Notice 92-18, Potential Loss of Remote Shutdown Capability Following Control Room Fire, Revision 0, dated December 29, 1993. The licensee evaluated the population of motor-operated valves that were required to be operated manually or remotely from the remote shutdown panel for alternative shutdown scenarios. This population consisted of 86 motor-operated valves. The licensee made modifications as necessary to ensure that these valves could be operated manually or remotely from the remote shutdown panel for all alternative shutdown scenarios. In 2010, the licensee began their evaluation of multiple spurious operations in accordance with Nuclear Energy Institute Document NEI 00-01, Guidance for Post-Fire Safe-Shutdown Circuit Analysis, Revision 2. Appendix G to NEI 00-01 contained the generic list of multiple spurious operations scenarios applicable to pressurized water reactors. This appendix contained a scenario (MSO-55) that considered valve failure due to a spurious motor-operated valve operation in conjunction with a short that bypassed the torque/limit switch. This scenario was described as follows: General scenario is that fire damage to motor-operated valve circuitry causes spurious operation. If the same fire causes wire-to-wire short(s) such that the valve torque and limit switches are bypassed, then the valve motor may stall at the end of the valve cycle. This can cause excess current in the valve motor windings as well as valve mechanical damage. This mechanical damage may be sufficient to prevent manual operation of the valve. Scenario only applies to motor-operated valves. Note this generic issue may have already been addressed during disposition of the NRC Information Notice 92-18. This disposition should be reviewed in the context of multiple spurious operations and multiple hot shorts. The licensee formed a multiple spurious operations expert panel, which met in March 2010, to review the generic list of multiple spurious operations contained in NEI 00-01. The multiple spurious operations expert panel meeting results were documented in Engineering Report ER-ME-130, Summary of Expert Panel Activities Related to Postulation of Multiple Spurious Operations for the CPNPP Fire Safe Shutdown Analysis, Revision 0, dated April 2010. The licensee initially concluded that scenario MSO-55 was already addressed in the fire safe shutdown analysis. On August 17, 2010, the licensee convened a supplemental meeting of the multiple spurious operations expert panel. The expert panel reconsidered multiple spurious operations scenario MSO-55 and concluded that a nonconformance existed. Specifically, the expert panel concluded that the licensee had addressed the concerns raised in Information Notice 92-18 for alternative shutdown scenarios, but did not address the concerns for scenarios where operators did not need to evacuate the control room. The licensee subsequently evaluated the larger population of motor-operated valves that are used or must remain intact for post-fire safe shutdown. The licensee concluded that modifications were needed for 57 valves. Ten of the valves required a mechanical modification, while the remaining 47 valves required an electrical modification. The licensee entered this issue into their corrective action program as Condition Report CR-2010-007806 and implemented compensatory measures. The inspectors identified an issue of concern with the potential for single spurious operations to damage the pressure boundary. The inspectors determined that additional inspection is required to determine if a performance deficiency exists. This issue of concern is being treated as an unresolved item URI 05000445/2013004-06; 05000446/2013004-06, Potential Motor-Operated Valve Single Spurious Operation Vulnerability.
05000454/FIN-2010006-01Byron2010Q4Manual Actions Not Explicitly Approved

An unresolved item (URI) was identified by the inspectors concerning manual actions which had not been explicitly approved by the NRC. The inspectors identified that the licensee took credit for a number of manual actions to compensate for not having a train free of fire damage in non-alternative fire zones. Although some manual actions were described either in a safety evaluation report (SER) or licensing correspondence which was used as a basis for NRC approval in an SER, the majority of manual actions were not explicitly approved by the NRC. As an example, for Fire Zone 11.3-0, the safe shutdown analysis took credit for the following manual actions (not a full listing) to achieve a hot standby condition because one train would not be assured of being free of fire damage: 

 Step 1 of Procedure BOP FR-1T10, 11.3-0; 364 Auxiliary Building General Area; 1D-17, 1D-40, 1S-59, 2S-54, directed operators to establish a flow path to the operating charging pump from the refueling water storage tank (RWST) because a hot short could cause a spurious closure of the volume control tank (VCT) outlet valve, part of the normal flowpath. If an alternate flowpath from the RWST is not established, spurious closure of the VCT outlet valve could result in a loss of suction to the operating charging pump and subsequent damage to the pump.
 Step 3 of Procedure BOP FR-1T10 directed operators to open eight breakers to prevent a fault from tripping an upstream breaker for a credited electrical bus. (See Section 1R05.6.b(1) for a related discussion.)
 Step 8 of Procedure BOP FR-1T10 directed operators to locally start the 1A and 2B essential service water (ESW) pumps because control cables for the pumps could be damaged due to fire.
 Step 11 of Procedure BOP FR-1T10 directed operators to verify ESW flow to the 2A charging pump. If ESW flow could not be verified, the procedure directed operators to stop the 2A charging and 2A auxiliary feedwater pumps until ESW flow could be restored. Step 21 of Procedure BOP FR-1T10 directed operators to locally open the power supply breaker for Motor Control Center 231X1 to allow local manual operation of Valve 2SX033, ESW Pump 2A Discharge Crosstie Isolation Valve. Step 22 of Procedure BOP FR-1T10 directed operators to locally open Valve 2SX033 using its handwheel. The crosstie valve was needed to be open because Unit 2 Train A components (such as the 2A charging pump and 2A auxiliary feedwater pump) relied upon essential service water for cooling. However, the Train A essential service water pump could not be credited because its power cable was in the zone. Consequently, the Train B essential service water pump was needed to provide cooling water for the credited Train A loads. Valve 2SX033 could spuriously close because control cables went through the zone.

Procedures for a number of other non-alternative fire zones included similar manual actions. The inspectors noted that the licensee had informed the NRC of a number of manual actions as part of the licensing process. For example, by letter dated October 15, 1984, the licensee had identified a number of manual actions to address spurious operation of valves in response to Question 10.65. However, the majority of manual actions (including the examples listed above), were not explicitly identified during the licensing process and, as such, were not explicitly approved by the NRC. Amendment 3 to the Byron Station Fire Protection Report listed a number of assumptions for the safe shutdown analysis. Assumption 3, listed in Section 2.4.1.5 of Amendment 3, stated: For fires outside the control room, the operators are assumed to remain in the control room and to utilize the instruments and controls provided there to the greatest possible extent, in accordance with existing station procedures. When proper operation of equipment cannot be performed or confirmed from the control room, alternate procedures are utilized... Where the safe shutdown analysis shows that control cables from both redundant trains of equipment are located in the same fire zone, credit is taken for alternate shutdown via local operation of equipment as specified in various plant procedures... The inspectors noted that the licensee had used the term alternate to apply to procedures for fire zones other than those classified as alternative fire zones (i.e., other than the control room and the auxiliary electric equipment rooms). NUREG-0876, Safety Evaluation Report related to the operation of Byron Station, Units 1 and 2, documented the licensing basis approval by the NRC. Supplement 5 of NUREG-0876 relied upon Amendment 3 of the Byron Station Fire Protection Report for original licensing of Unit 1 for fire protection. Within the section titled Safe Shutdown Capability, of Section 9.5.1.4 of NUREG-0876, Supplement 5, the following statements were made by the NRC: Alternative shutdown capability in part, consists of local operation of equipment if the fire results in loss of redundant control capability. Local operations include local start and control of pumps and manual operation of valves and circuit breakers. For all local operation, accessibility of components and time restrictions were considered. These local operations are addressed in various plant procedures. Alternative shutdown capability also consists of utilization of diverse equipment as follows. To monitor reactor coolant hot leg temperature, the applicant ensured the availability of one of the following components, all of which provide an indication of hot leg temperature: reactor coolant wide range hot leg RTD\'s (resistance temperature detectors), core exit thermocouples, or heated junction thermocouples. Alternative shutdown capability also includes use of remote shutdown and instrument panels as discussed below. and Based on the above, the staff concludes that the post-fire safe shutdown capability for Byron complies with the guidelines of SRP (Standard Review Plan) Section 9.5.1, Position C.6.b subject to the following condition: The applicant shall complete the analysis of spurious operation of the pressurizer PORV\'s (power operated relief valves) and fully implement any necessary modifications prior to exceeding 5 percent power. The inspectors noted that sentences above describing local operation of equipment were located in the SER prior to the section titled Alternative Shutdown Capability. Based on the assumptions listed in Amendment 3 of the Fire Protection Report and the above SER language, the licensee had made the interpretation that the NRC had provided a general approval for the use of manual actions for non-alternative fire zones in addition to approval for alternative shutdown fire zones. The inspectors were not able to determine whether the SER language constituted a general approval of manual actions for non-alternative fire zones beyond those explicitly identified during licensing. This issue is a URI pending further review by NRC staff.

05000456/FIN-2012003-06Braidwood2012Q2MSIV Hydraulic System DesignOn May 28, 2012, the 1A MSIV active-side hydraulic accumulator pressure was found at 3450 psig, which was below the operability limit of 4800 psig. This prevented manual isolation of the 1A main steam line via the main control room switch, which required the active-side accumulator and is required by Technical Requirements Manual (TRM) 3.3.y Condition D. Each MSIV also has a standby accumulator that could redundantly close the valve if an ESFAS signal was received, but not from the individual isolation control switch. The 1A MSIV standby accumulator pressure was 5400 psig, thus the 1A MSIV could have been closed by an ESFAS signal. The Action Statement for TRM 3.3.y Condition D required restoration of the individual steam line isolation capability within 48 hours. If that was not done, Condition D required the MSIV to be declared inoperable and TS.3.7.2 Condition A.1 to be entered, which required the MSIV to be returned to an operable status within 8 hours, or enter Condition B.1, which required the Unit to be in Mode 2 within 6 hours. During troubleshooting of the 1A MSIV active-side accumulator pressure issue, the licensee became concerned that they would not find and repair the active-side hydraulic problem prior to the requirement to enter Mode 2. As a result, the licensee elected to remove TRM 3.3.y Condition D from the TRM through the 10 CFR 50.59 evaluation process. As a result, the licensee was not required to declare the 1A MSIV inoperable provided the standby accumulator pressure was within operability limits. The inspectors reviewed the control logic for the MSIV control switches in the main control room and the remote shutdown panel. The inspectors noted that the MSIV control switches on the remote shutdown panels used only the active-side accumulator to reposition the MSIV. When the licensee removed TRM 3.3.y Condition D, they effectively removed any requirement to maintain the ability to close MSIVs from the remote shutdown panel. The inspectors reviewed procedures 0BwOA PRI-5, Control Room Inaccessibility Unit 0; 1BwOA PRI-5, Control Room Inaccessibility Unit 1; and 2BwOA PRI-5, Control Room Inaccessibility Unit 2; and did not identify a requirement to close the MSIVs prior to main control room evacuation. As a result, any MSIV with an active-side accumulator inoperable, which was allowed indefinitely by current site procedures, would not be closed prior to evacuating the main control room and would not be able to be closed from the remote shutdown panel. The licensees position was that there was no reason, purpose, or requirement for the MSIV control switches on the remote shutdown panel and no condition that would require repositioning them from the remote shutdown panel following evacuation of the main control room. The inspectors noted that Step 13.c of procedures 1(2)BwOA PRI-5 directed operators to close all MSIVs if RCS temperature dropped below 557oF. This step would need to be performed from the remote shutdown panel since the main control room was evacuated at Step 9. In addition, the inspectors questioned whether allowing one inoperable accumulator on each MSIV for an unlimited period of time had an effect on the ability of the ESFAS system to perform its safety function. Although only one of the two hydraulic accumulators was necessary to reposition each MSIV, each ESFAS train was assigned to a specific accumulator for each MSIV. For example, the A ESFAS train was assigned to the active-side accumulator on two MSIVs and the standby-side accumulator on the other two MSIVs. The B ESFAS train controlled the MSIVs using the opposite accumulators. As a result, there were certain combinations of accumulators that could be out of service on multiple MSIVs such that an inoperable ESFAS train would fail to close multiple MSIVs. At the end of the inspection period, the inspectors were reviewing whether this allowance satisfied the requirements of TS 3.3.2 and TS 3.7.2. At the conclusion of the inspection period, the inspectors had not completed their review of licensing documents related to this issue. As a result, this URI will remain open pending a review of the stations CLB and requirements associated with the remote shutdown panel and MSIVs.
05000458/FIN-2009002-03River Bend2009Q1Licensee-Identified ViolationLicense Condition 2.C(10) specifies that the licensee shall comply with the requirements of the fire protection program as specified in Attachment 4 to the license. The Updated Safety Analysis Report, Section 9B.4.7, specifies, in part, Fire protection features shall be capable of limiting fire damage so that one train of systems necessary to achieve and maintain hot shutdown conditions from either the control room or emergency control station(s) is free of fire damage. Contrary to the above, on May 21, 2007, the licensee determined that they failed to ensure that the Division 1 emergency diesel generator, which was required to achieve hot shutdown, remained operable, hence, free of fire damage under all conditions. Specifically, if service water became unavailable because of a spurious actuation (e.g. valve closure) coincident with a loss of offsite power, the emergency diesel generator could potentially fail prior to transfer of control to the remote shutdown panel. The licensee promptly implemented appropriate compensatory measures and initiated plans to correct the deficiency. The licensee documented this deficiency in Condition Report 2007-02102 and planned to correct the deficiency in 2009. This finding had very low safety significance (Green). This item is further discussed in Section 4OA3.2
05000458/FIN-2010006-04River Bend2010Q2Failure to Implement and Maintain in Effect all Provisions of the Approved Fire Protection ProgramThe team identified a noncited violation of License Condition 2.C.(10), Fire Protection, related to the licensee's failure to implement and maintain in effect all provisions of the approved fire protection program. Specifically, during testing required by the approved fire protection program the licensee failed to adequately test the remote shutdown emergency transfer switch functions used to assure isolation of safe shutdown equipment from the control room in the event of a control room evacuation due to fire. The switch functions had not been adequately tested since 1997. The failure to ensure isolation from the control room for safe shutdown equipment controlled from the remote shutdown panel during surveillance testing of emergency transfer switches is a performance deficiency. The finding was more than minor because it was associated with the procedure quality attribute of the Mitigating Systems Cornerstone in that it adversely affected the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. The team evaluated the finding using Inspection Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, because it affected fire protection defense-in-depth strategies involving post fire safe shutdown. Using Appendix F, Attachment 2, Degradation Rating Guidance Specific to Various Fire Protection Program Elements, the team determined that the finding constituted a low degradation of the safe shutdown area since the control room isolation feature was expected to display nearly the same level of effectiveness and reliability as it would had the degradation not been present. This finding screened as having very low safety significance (Green). This violation was entered into the licensees corrective action program as CR-RBS-2010-01783. Because the emergency transfer switch surveillance procedures had been in effect since 1997, there was no crosscutting aspect associated with the violation, in that it is not indicative of current licensee performance.
05000458/FIN-2012005-04River Bend2012Q4Failure to Follow Procedure for Lifting Leads Results in Inoperability of Standby Service Water FanThe inspectors reviewed a self-revealing, non-cited violation of Technical Specification 5.4.1.a due to a failure to follow work order instructions. Specifically, station personnel failed to follow the requirements of Procedure GMP-0042, Lifted Leads and Jumpers, Revision 13 when removing and reinstalling a time-delay relay for a standby service water cooling fan. This issue was entered into the licensees corrective action program as Condition Report CR-RBS-2012-06325. The failure to follow work order instructions is a performance deficiency. This performance deficiency is more-than-minor because it is associated with the equipment reliability attribute of the mitigating systems cornerstone to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to ensure the correct wiring to the standby service water fan time-delay relay resulted in the inability of the fan to be started locally, which is required for remote shutdown of the plant. In accordance with NRC Inspection Manual Chapter 0609, Attachment 4, Initial Characterization of Findings, and NRC Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process for Findings At Power, Exhibit 2, Section A, question 3, this finding required a detailed risk evaluation because the finding represented an actual loss of function of at least a single train for greater than the technical specification allowed outage time. The risk of the condition was evaluated by a senior reactor analyst. The sequence that would result in a risk increase is control room abandonment with concurrent maintenance being performed on the alternate bank of 5 fans. This would leave only 4 functional fans in one division of standby service water, whereas 5 fans are needed per design to meet the safety function. The frequency of control room abandonment is approximately 5E-5/yr and the frequency of maintenance performed on one bank of standby service water fans is approximately 1E-2. Therefore, the frequency of a scenario where the failure of one fan to operate from the alternate shutdown panel would cause a measurable effect on risk is approximately 5E-7/yr. The other division of standby service water fans was unaffected by this condition. Accordingly, the significance of the performance deficiency was determined to be very low (Green). This finding has a human performance cross-cutting aspect associated with the work practices component in that the electricians failed to use adequate human error prevention techniques
05000458/FIN-2013003-02River Bend2013Q2Failure to Adequately Evaluate and Correct Degraded 125 Vdc Fused Disconnect SwitchesThe inspectors identified a non-cited violation of 10 CFR Part 50, Appendix B, Criterion XVI, Corrective Action, for the failure to identify and take prompt and adequate corrective actions to address a condition adverse to quality specifically related to the 125 Vdc fused disconnect switches located in the diesel generator building electrical distribution panels. The licensee addressed the underlying safety concern by cycling the disconnect switch to clean the corroded contact surfaces and performing voltage and current checks to verify circuitry operability. The licensee entered the finding into the corrective action program as Condition Report CR-RBS-2013-04247 The inspectors determined that this finding is more than minor because it is associated with the equipment performance attribute of the mitigating systems cornerstone and affects the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, during a seismic event the partially seated, corroded knife blades could cause a loss of safety related 125 Vdc power to the Division 1 and 2 emergency diesel generators, reactor water recirculation pumps A and B, or Division 1 and 2 remote shutdown panels. In accordance with NRC Inspection Manual Chapter 0609, Attachment 4, Initial Characterization of Findings, and NRC Inspection Manual Chapter 0609, Appendix A, The Significance Determination Process for Findings At-Power, Exhibit 2, this finding screened as very low safety significance (Green) because the degraded condition was not a design or qualification deficiency; did not represent an actual loss of function of a system; did not represent an actual loss of function of a single train or two separate trains for greater than its technical specification allowed outage time; did not represent an actual loss of function of one or more non-technical specification trains of equipment designated as high safety significant; and did not screen as potentially risk significant due to a seismic, flooding, or severe weather initiating event. Because the most significant causal factor of the performance deficiency was the licensees failure to use consistent key words in the corrective action program to characterize the disconnect switch failures, this finding has a cross-cutting aspect in the problem identification and resolution area associated with the corrective action program component because the licensee did not periodically trend and assesses information from the CAP and other assessments in the aggregate to identify programmatic and common cause problems.
05000458/FIN-2013007-04River Bend2013Q4Unresolved Item Associated with the Isolation of the Alternative Shutdown SystemThe team identified an unresolved item associated with the isolation of post-fire safe shutdown circuitry for control room fire scenarios. Specifically, the team identified that the licensee may not adequately isolate circuitry for the safety relief valves and the main steam isolation valves from the effects of a control room fire. In the event of a fire in the control room, the licensee must ensure control circuitry for equipment credited for post-fire safe shutdown is electrically isolated from the control room so that fire damage could not prevent the ability to achieve and maintain safe shutdown conditions. For valves that are required to close or remain closed for post-fire safe shutdown, the licensee must ensure that control room fires do not prevent the closure of the valves and do not spuriously open the valves once the control room has been isolated and control transferred from the control room to the remote shutdown panel. Example 1: Spurious Opening of the Safety Relief Valves The alternative shutdown procedure provided steps for operators to mitigate the effects of any single spurious actuation or signal resulting from a control room fire that occurred prior to transferring control from the control room to the remote shutdown panel. For the safety relief valves, the procedure directed operators to de-energize two 125 Vdc panels (ENB-PNL02A and ENB-PNL02B) in order to ensure that the 13 non-credited safety relief valves were closed. The three credited safety relief valves were isolated from the control room via the use of transfer switches. The team identified a concern that hot shorts in the control room could cause a spurious actuation that threatened the ability to achieve and maintain safe shutdown conditions. The team noted that the control room cabinets containing the safety relief valves also contained other 125 Vdc circuits that remained energized during an alternative shutdown. The team was concerned that hot shorts from one of these circuits could prevent the closure of a safety relief valve (if spuriously open) or could spuriously open the safety relief valve once the control room was isolated and control transferred from the control room to the remote shutdown panel. The team was also concerned that the safe shutdown analysis did not analyze for one or more safety relief valves remaining open during the plant shutdown. This concern applied to the 13 safety relief valves that did not have control transferred to the remote shutdown panel. In addition, the team noted that circuit failures could spuriously open multiple safety relief valves through the spurious actuation of the automatic depressurization system. The team was concerned that the spurious actuation of the automatic depressurization system could be considered a single spurious actuation or signal that fell within the bounds of the safe shutdown analysis. A similar concern was first identified during the 1997 fire protection functional inspection and documented in Inspection Reports 97-201 and 98-16. Example 2: Spurious Opening of the Main Steam Isolation Valves As noted in the previous example, the alternative shutdown procedure provided steps for operators to mitigate the effects of any single spurious actuation or signal resulting from a control room fire that occurred prior to transferring control from the control room to the remote shutdown panel. For the main steam isolation valves, the procedure directed operators to attempt to close the main steam isolation valves inside the control room and then de-energize the reactor protection system motor generator sets outside the control room. The reactor protection system provides power to the circuitry for the main steam isolation valve solenoids. When the solenoids are de-energized, the main steam isolation valves fail closed. The team identified a concern that hot shorts in the control room could cause spurious actuations that threatened the ability to achieve and maintain safe shutdown conditions. Specifically, the team identified that a portion of the trip logic circuitry was connected in the control room to the portion of the circuitry that energizes the solenoid valve for each main steam isolation valve. The trip logic circuitry was located downstream of where the reactor protection system bus was de-energized, and it did not contain a protective circuit device such as fusing or open contacts that would isolate the trip logic portion of the circuitry from the solenoid valve. The control room cabinet containing the trip logic circuitry also contained other 125 Vdc circuits that remained energized during an alternative shutdown. The team was concerned that hot shorts from these circuits could prevent the closure of the main steam isolation valves or could spuriously open the main steam isolation valves after the reactor protection system motor generator sets were de-energized. The team noted that one main steam isolation valve, either inboard or outboard, must close and remain closed in order to maintain inventory. The licensee entered these issues into the corrective action program as Condition Report CR-RBS-2013-03473. The team determined that additional inspection is required to determine if a performance deficiency exists. This issue of concern is being treated as an Unresolved Item URI 05000458/2013007-04, Unresolved Item Associated with the Isolation of the Alternative Shutdown System.
05000458/FIN-2014004-03River Bend2014Q3Licensee-Identified ViolationTitle 10 CFR 50.65(a)(1) requires, in part, that holders of an operating license shall monitor the performance or condition of systems, structures, and components within the scope of the rule against licensee-established goals in a manner sufficient to provide reasonable assurance that such systems, structures, and components are capable of fulfilling their intended safety functions. Title 10 CFR 50.65(a)(2) requires, in part, that monitoring specified in paragraph (a)(1) is not required where it has been demonstrated the performance or condition of a system, structure, and component is being effectively controlled through appropriate preventive maintenance, such that the system, structure, and component remains capable of performing its intended function. Contrary to the above, from May 13, 2013, to February 28, 2014, the licensee failed to demonstrate that the performance of the remote shutdown system was being effectively controlled through appropriate preventive maintenance. Specifically, station personnel failed to appropriately evaluate repetitive component failures of Gould J11 relays across system boundaries, resulting in the remote shutdown system exceeding the functional failure criteria without implementing appropriate preventive maintenance to improve system performance. The licensee entered this deficiency into the corrective action program as Condition Report CR-RBS-2014-01006. The finding was more than minor since violations of 10 CFR 50.65(a)(2) necessarily involve degraded system performance which, if left uncorrected, could become a more significant safety concern. This finding has very low safety significance (Green) because the finding did not lead to an actual loss of safety function of the system or cause a component to be inoperable, nor did it screen as potentially risk-significant due to a seismic, flooding, or severe weather initiating event.
05000458/FIN-2015004-05River Bend2015Q4Failure to Follow Procedure Results in Inadvertent Draindown of Reactor Pressure VesselThe inspectors reviewed a self-revealing, non-cited violation of Technical Specification 5.4, Procedures, for the licensees failure to correctly implement procedure STP-200-0605, Remote Shutdown System Control Circuit Operability Test, Revision 307. The procedure was incorrectly performed leading to an unexpected configuration in which the reactor pressure vessel was aligned to the suppression pool, and approximately 360 gallons of reactor coolant were inadvertently transferred to the suppression pool. The licensee entered this issue into their corrective action program as Condition Report CR-RBS-2015-02354. The licensee restored compliance by restoring the system to a configuration that was consistent with plant operating procedures. Corrective actions included increased management oversight of remote shutdown system operation. The performance deficiency was more than minor, and therefore a finding, because it was associated with the Initiating Events Cornerstone attribute of configuration control, and adversely affected the cornerstone objective to limit the likelihood of events that upset plant stability and challenge critical safety functions during shutdown as well as power operations. Specifically, a loss of reactor pressure vessel inventory occurred due to the establishment of an unintended system configuration caused by the inadvertent repositioning of the reactor pressure vessel suction valve. The inspectors initially screened the finding in accordance with NRC Inspection Manual Chapter 0609, Appendix G, Shutdown Operations Significance Determination Process. Using Exhibit 2 of NRC Inspection Manual Chapter 0609, Appendix G, Attachment 1, Phase 1 Initial Screening and Characterization of Findings, the inspectors determined that the finding required a Phase 2 evaluation because the loss of inventory resulted in leakage to the suppression pool that if undetected or unmitigated in 24 hours or less would cause shutdown cooling to isolate. A Region IV senior reactor analyst performed a Phase 2 evaluation of this issue and determined the issue was of very low safety significance (Green) and represented a change to the core damage frequency of 3.8E-8/year. The event sequence was an actual loss of inventory which occurred after core refueling in the shutdown. Risk was mitigated by prompt operator recovery action to stop the loss of inventory along with the operating plant configuration, which had two residual heat removal pumps aligned for automatic injection, one control rod drive pump in operation at the time of the event, and all manual injection paths fully available to mitigate the event. This finding has a cross-cutting aspect in the area of human performance associated with avoid complacency because the licensee failed to ensure that individuals recognize and plan for the possibility of mistakes, latent issues, and inherent risk, even while expecting successful outcomes.
05000458/FIN-2016007-03River Bend2016Q2Failure to Demonstrate that Appendix R Emergency Lights Satisfied their Maintenance Rule Performance CriteriaThe team identified a finding for the failure to provide an adequate monitoring and testing program to demonstrate that the required Appendix R emergency lights satisfied the licensees maintenance rule performance criteria. Specifically, the failure to provide an adequate monitoring and testing program could result in a large number of Appendix R emergency lights failing to last the required 8 hours without being detected. The team determined that, because the licensee had changed their program to a biennial replacement frequency for the 8-hour batteries, reasonable assurance existed that the lights would function long enough for operators to perform the time critical manual actions directed by their fire protection program. The licensee entered this finding into their corrective action program as Condition Report CR-RBS-2016-03177. The failure to establish an adequate monitoring and testing program to demonstrate that the required Appendix R emergency lights would satisfy the licensees maintenance rule performance criteria was a performance deficiency. The performance deficiency was more than minor because if left uncorrected, the performance deficiency would have the potential to lead to a more significant safety concern. Specifically, the failure to provide an adequate monitoring and testing program could result in a large number of Appendix R emergency lights failing to function for the required 8 hours without being detected through licensee monitoring and testing. The team determined this finding affected the Mitigating Systems Cornerstone. The team evaluated this finding using Inspection Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, dated February 28, 2005, because it affected the ability to reach and maintain safe shutdown conditions in case of a fire. The team assigned the finding to the post-fire safe shutdown category since it impacted the remote shutdown and control room abandonment element. The team assigned the finding a low degradation rating since the ability to reach and maintain safe shutdown conditions in the event of a control room fire would be minimally impacted by the potential failure of the emergency lights to function for 8-hours. Because this finding had a low degradation rating, it screened as having very low safety significance (Green) in Task 1.3.1. The finding did not have a cross-cutting aspect since it was not indicative of present performance in that the performance deficiency occurred more than three years ago. Specifically, the licensee began performing the 8-hour discharge test on a small sample of the batteries more than three years ago.
05000498/FIN-2011002-02South Texas2011Q1Failure to Perform an Immediate Operability DeterminationThe inspectors identified a Green noncited violation of 10 CFR Part 50, Appendix B, Criteria V, Instructions, Procedures, and Drawings, for the failure to follow Procedure 0PGP03-ZX-0002, Condition Reporting Process, Revision 38. On January 13, 2011, the licensee wrote Condition Report 11-1261 which states, in part, Twenty-six transfer switches required by Technical Specification 3.3.3.5, Remote Shutdown System, appear to not be listed. Procedure 0PGP03-ZX-0002, step 4.3.2 states, in part, that conditions that may have an impact on the operability of a technical specification related system shall be screened as yes or indeterminate. The corrective action program supervisor that screened this condition report marked the operability as No. The inspectors questioned the licensee on January 14 and 18, 2011, as to why no immediate operability determination had been performed. The licensees corrective actions determined that an immediate and subsequent prompt operability determination was warranted. The inspectors interviewed the supervisor and determined that the supervisor did not use conservative assumptions and adopt a requirement to demonstrate that the proposed action is safe in order to proceed when screening the issue for operability. This finding was more than minor because it affected the Mitigating Systems Cornerstone attributes of Human Performance and Procedure Quality and affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, the failure to recognize that risk-significant equipment is in a potentially inoperable condition and, as such, may not be able to perform its specified safety function would not be recognized and accounted for by operators. The inspectors performed the significance determination using NRC Inspection Manual Chapter 0609, Attachment 0609.04, Phase 1 Initial Screening and Characterization of Findings, dated January 10, 2008, because it affected the Mitigating Systems Cornerstone while the plant was at power. The finding was determined to be of very low safety significance because it was not a design or qualification deficiency; it did not result in the loss of a system safety function; it did not represent a loss of a single train for greater than technical specification allowed outage time; it did not represent a loss of one or more nontechnical specification risk-significant equipment for greater than 24 hours; and it did not screen as potentially risk significant due to seismic, flooding, or severe weather. In addition, this finding had human performance cross-cutting aspects associated with decision making in that the licensee did not use conservative assumptions and adopt a requirement to demonstrate that the proposed action is safe in order to proceed.
05000528/FIN-2008002-09Palo Verde2008Q1Licensee-Identified ViolationTechnical Specification Surveillance Requirement 3.3.11.2 requires that each remote shutdown system disconnect switch and control circuit is verified capable of performing the intended function. Contrary to the above, between January 20, 2008 and March 15, 2008, Procedure 40ST-9ZZ20, \\\"Remote Shutdown Disconnect Switch and Control Circuit Operability,\\\" Revision 10, did not verify all circuit paths associated with each disconnect switch were adequately tested. This issue affected all the disconnect switches to the remote shutdown panel. The licensee entered into TS Surveillance Requirement 3.0.3 for a missed surveillance, performed a risk evaluation, and tested the most risk-significant disconnect switches to verify that these disconnect switches could perform their intended function. Of the risk-significant disconnect switches tested, the licensee identified that one disconnect switch associated with Unit 1 AFW pump to SG 1 block Valve AFB-UV-34 would not have been capable of performing it\\\'s intended function due to an electrical jumper installed in the closing circuit. This valve is in the flow path from the motor driven AFW pump to SG 1. However, the potential failure of this valve would not have affected the ability to maintain a shutdown condition, because the flowpath to the SG 2 was not affected. The finding was entered into the CAP as PVARs 3129077, 3135575, 3136664, 3138937 and 3144595. Using Manual Chapter 0609, \\\"Significance Determination Process,\\\" Appendix F, \\\"Fire Protection Significance Determination Process,\\\" the finding is determined to have very low safety significance because at Step 1.3, Qualitative Screening Approach, the finding only affected the ability to reach and maintain a cold shutdown condition.
05000528/FIN-2013008-01Palo Verde2013Q1Licensee-Identified ViolationThe following violation of very low safety significance (Green) was identified by the licensee and is a violation of NRC requirements which meets the criteria of the NRC Enforcement Policy for being dispositioned as a non-cited violation. License Condition 2.C.(6), Fire Protection, requires the licensee to maintain in effect all provisions of the approved fire protection program described in listed regulatory documents. Supplemental Safety Evaluation Report 5 states the alternative shutdown capability for PVNGS 1-3 complies with the requirements of Section III.L of Appendix R and, therefore, is acceptable. Title 10 CFR Part 50, Appendix R, Section III.L.3 requires that the alternative shutdown capability shall be independent of the specific fire area. Contrary to the above, the design of three circuits in the remote shutdown system was not independent from the effects of fire damage in the case of a fire in the control room. The licensee entered this deficiency in their corrective action program as Palo Verde Action Request 4311694 and Palo Verde Action Request 4329210 and issued Licensee Event Report 05000528; 529; 530/2012-005-00. The licensee has revised Procedure 40AO-9ZZ19, Control Room Fire, to address this finding. The finding was evaluated for safety significance using Inspection Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, Attachment 1. The finding was assigned a low degradation rating due to the performance and reliability of the remote shutdown following a control room evacuation being minimally impacted by the finding. Based on the low degradation rating, the finding screened as having a very low safety significance (Green) in Phase 1, Task 1.3.1, Qualitative Screening for All Finding Categories, Question 1.
Retrieved from "https://kanterella.com/Special:Ask"