IR 05000454/2009007

From kanterella
Revision as of 00:42, 22 December 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
IR 05000454-09-007 (Drs), 05000455-09-007 (Drs); on 02/23/09 - 03/27/09; Byron Station, Units 1 and 2; Component Design Bases Inspection (CDBI)
ML091310664
Person / Time
Site: Byron  Constellation icon.png
Issue date: 05/11/2009
From: Ann Marie Stone
NRC/RGN-III/DRS/EB2
To: Pardee C
Exelon Generation Co
References
IR-09-007
Download: ML091310664 (52)
v  d  e


Text

May 11, 2009

SUBJECT:

BYRON STATION, UNITS 1 AND 2 NRC COMPONENT DESIGN BASES INSPECTION (CDBI) INSPECTION REPORT 05000454/2009007(DRS);

05000455/2009007(DRS)

Dear Mr. Pardee:

On March 27, 2009, the U.S. Nuclear Regulatory Commission (NRC) completed a component design bases inspection at your Byron Station, Units 1 and 2. The enclosed report documents the inspection results, which were discussed on March 27, 2009, with Mr. B. Adams and other members of your staff.

The inspection examined activities conducted under your license as they relate to safety and compliance with the Commissions rules and regulations and with the conditions of your license.

The inspectors reviewed selected procedures and records, observed activities, and interviewed personnel.

Based on the results of this inspection, two NRC-identified findings of very low safety significance were identified. The findings involved violations of NRC requirements. However, because of their very low safety significance, and because the issues were entered into your corrective action program, the NRC is treating the issues as Non-Cited Violations in accordance with Section VI.A.1 of the NRC Enforcement Policy.

If you contest the subject or severity of these Non-Cited Violation, you should provide a response within 30 days of the date of this inspection report, with the basis for your denial, to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001, with a copy to the Regional Administrator, U.S. Nuclear Regulatory Commission -

Region III, 2443 Warrenville Road, Suite 210, Lisle, IL 60532-4352; the Director, Office of Enforcement, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; and the Resident Inspector Office at the Byron Station. In addition, if you disagree with the characterization of any finding in this report, you should provide a response within 30 days of the date of this inspection report, with the basis for your disagreement, to the Regional Administrator, Region III, and the NRC Resident Inspector at the Byron Station. The information you provide will be considered in accordance with Inspection Manual Chapter 0305.

In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter, its enclosure, and your response (if any), will be available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records System (PARS) component of NRC's Agencywide Documents Access and Management System (ADAMS),

accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).

Sincerely,

/RA/

Ann Marie Stone, Chief Engineering Branch 2 Division of Reactor Safety Docket Nos. 50-454; 50-455 License Nos. NPF-37; NPF-66 Enclosure: Inspection Report 05000454/2009007 and 05000455/2009007 (w/Attachment: Supplemental Information)

cc w/encl: Site Vice President - Byron Station Plant Manager - Byron Station Manager Regulatory Assurance - Byron Station Senior Vice President - Midwest Operations Senior Vice President - Operations Support Vice President - Licensing and Regulatory Affairs Director - Licensing and Regulatory Affairs Manager Licensing - Braidwood, Byron, and LaSalle Associate General Counsel Document Control Desk - Licensing Assistant Attorney General Illinois Emergency Management Agency J. Klinger, State Liaison Officer, Illinois Emergency Management Agency P. Schmidt, State Liaison Officer, State of Wisconsin Chairman, Illinois Commerce Commission B. Quigley, Byron Station

SUMMARY OF FINDINGS

IR 05000454/2009007(DRS), 05000455/2009007(DRS); 02/23/09 - 03/27/09; Byron Station,

Units 1 and 2; Component Design Bases Inspection (CDBI).

The inspection was a 3-week onsite baseline inspection that focused on the design of components that are risk-significant and have low design margin. The inspection was conducted by regional engineering inspectors and two consultants. Two findings of very low safety significance were identified which were associated Non-Cited Violations (NCVs). The significance of most findings is indicated by their color (Green, White, Yellow, Red) using Inspection Manual Chapter (IMC) 0609, Significance Determination Process (SDP). Findings for which the SDP does not apply may be Green, or be assigned a severity level after NRC management review. The NRCs program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, Reactor Oversight Process, Revision 4, dated December 2006.

NRC-Identified

and Self-Revealed Findings

Cornerstone: Mitigating Systems

Green.

A finding of very low safety significance (Green) and associated NCV of 10 CFR Part 50, Appendix B, Criterion III, Design Control, was identified by the inspectors for the failure to maintain the qualification bases for safety-related equipment. Specifically, the licensee failed to maintain/extend the qualified life of the Westinghouse molded case circuit breakers (MCCBs) after the manufacturers qualifications ended at 20 years as required by 10 CFR Part 50, Appendix A and B. As a result, the licensee issued a condition report and performed an engineering evaluation, which supported continuing qualification of the MCCBs and an operability evaluation, which found the MCCBs operable.

The inspectors determined that the finding was more than minor because not maintaining qualified components in safety-related systems structures and components (SSCs) could lead to the inability to respond to design basis events. The finding screened as of very low safety significance because the finding was a design or qualification deficiency confirmed not to result in loss of operability or functionality. The inspectors identified a cross-cutting aspect associated with this finding in the area of problem identification and resolution because the licensee did not effectively incorporate pertinent manufacturers operating experience into maintaining the qualification of the MCCBs. (P.2.(b)) (Section 1R21.3.b.(1))

Green.

A finding of very low safety significance (Green) and associated NCV of 10 CFR Part 50, Appendix B, Criterion XVI, Corrective Actions, was identified by the inspectors for the failure to identify, and take corrective action to address adverse mold case circuit breaker (MCCBs) test results. Specifically, the licensee failed to recognize an excessive test failure rate, assess the impact on the installed MCCBs, promptly replace all failed MCCBs, and evaluate the past and current operability of the attached loads. As a result, the licensee issued a condition report and an operability evaluation, which found the MCCBs operable.

The inspectors determined that the finding was more than minor because not ensuring the function and operability of all required MCCBs supplying safety-related SSCs could lead to the inability to respond to design basis events. The finding screened as very low safety significance because it would not result in the total loss of a safety function.

Specifically, the licensee evaluation showed that there was no loss of breaker coordination. The inspectors identified a cross-cutting aspect associated with this finding in the area of human performance, decision making because the licensee did not use conservative assumptions in decision-making. (H1.b)(Section 1R21.3.b.(2))

Licensee-Identified Violations

No violations of significance were identified.

REPORT DETAILS

REACTOR SAFETY

Cornerstone: Initiating Events, Mitigating Systems, and Barrier Integrity

1R21 Component Design Bases Inspection

Main article: IP 71111.21

.1 Introduction

The objective of the component design bases inspection is to verify that design bases have been correctly implemented for the selected risk significant components and that operating procedures and operator actions are consistent with design and licensing bases. As plants age, their design bases may be difficult to determine and an important design feature may be altered or disabled during a modification. The Probabilistic Risk Assessment (PRA) model assumes the capability of safety systems and components to perform their intended safety function successfully. This inspectible area verifies aspects of the Initiating Events, Mitigating Systems, and Barrier Integrity cornerstones for which there are no indicators to measure performance.

Specific documents reviewed during the inspection are listed in the Attachment to this report.

.2 Inspection Sample Selection Process

The inspectors selected risk significant components and operator actions for review using information contained in the licensees PRA and the Byron Station, Standardized Plant Analysis Risk (SPAR) Model, Revision 3.21. In general, the selection was based upon the components and operator actions having a risk achievement worth of greater than 2.0 and/or a risk reduction worth greater than 1.005. The operator actions selected for review included actions taken by operators both inside and outside of the control room during postulated accident scenarios.

The inspectors performed a margin assessment and detailed review of the selected risk-significant components to verify that the design bases have been correctly implemented and maintained. This design margin assessment considered original design reductions caused by design modification, or power uprates, or reductions due to degraded material condition. Equipment reliability issues were also considered in the selection of components for detailed review. These included items such as performance test results, significant corrective action, repeated maintenance activities, maintenance rule (a)(1) status, components requiring an operability evaluation, NRC resident inspector input of problem areas/equipment, and system health reports. Consideration was also given to the uniqueness and complexity of the design, operating experience, and the available defense in depth margins. A summary of the reviews performed and the specific inspection findings identified are included in the following sections of the report.

This inspection constituted 27 samples as defined in Inspection Procedure 71111.21-05.

.3 Component Design

a. Inspection Scope

The inspectors reviewed the Updated Safety Analysis Report (USAR), Technical Specifications (TS), design basis documents, drawings, calculations and other available design basis information, to determine the performance requirements of the selected components. The inspectors used applicable industry standards, such as the American Society of Mechanical Engineers (ASME) Code, Institute of Electrical and Electronics Engineers (IEEE) Standards and the National Electric Code, to evaluate acceptability of the systems design. The NRC also evaluated licensee actions, if any, taken in response to NRC issued operating experience, such as Bulletins, Generic Letters (GLs),

Regulatory Issue Summaries (RISs), and Information Notices (INs). The review was to verify that the selected components would function as designed when required and support proper operation of the associated systems. The attributes that were needed for a component to perform its required function included process medium, energy sources, control systems, operator actions, and heat removal. The attributes to verify that the component condition and tested capability was consistent with the design bases and was appropriate may include installed configuration, system operation, detailed design, system testing, equipment and environmental qualification, equipment protection, component inputs and outputs, operating experience, and component degradation.

For each of the components selected, the inspectors reviewed the maintenance history, system health reports, operating experience-related information and licensee corrective action program documents. Field walkdowns were conducted for all accessible components to assess material condition and to verify that the as-built condition was consistent with the design. Other attributes reviewed are included as part of the scope for each individual component.

The following 16 component design reviews constituted 16 inspection samples as defined in IP 71111.21.

  • Motor Driven Auxiliary Feedwater (AFW) Pump (2AF01PA): The inspectors reviewed the following component attributes:
(1) the design and licensing basis of the component as documented in design and licensing documentation;
(2) the motor driven auxiliary feedwater pump to verify its capability of providing makeup water to the steam generators;
(3) the pump design parameters for transferring the pump suction source;
(4) the calculations, and operating procedures related to these functions;
(5) the pump cooling, room cooling, recent pump test results, and component nameplate data;
(6) the automatic and manual pump control logic;
(7) the results of the load flow and voltage calculation to determine whether sufficient power was available to start the motor during worst case degraded voltage and service conditions;
(8) the pump performance and brake horsepower requirement to determine whether the motor was adequately sized for the worse case load condition and whether this rating was adequately included in the diesel generator loading calculation;
(9) the electrical and cable drawings to verify separation from other trains and divisions and to check for safety/non-safety interfaces;
(10) corrective actions and trending data to assess potential component degradation; and
(11) recent pump related preventative maintenance and corrective actions. In addition, the inspectors performed walkdowns of the auxiliary feedwater pump to verify the material condition of the components.
(1) motor operated valve (MOV) calculations and analysis to ensure the valve was capable of functioning under design conditions which included calculations for required thrust, maximum differential pressure, and valve weak link analysis;
(2) diagnostic and inservice testing (IST) results to verify acceptance criteria were met and performance degradation would be identified;
(3) the electrical and cable drawings to verify separation from other trains and divisions;
(4) the licensees actions taken in response to vendor and generic communications;
(5) power and control sources and control logic for this valve and;
(6) voltage drop for both power and control circuits, overload and short circuit protection for the valve motor.
  • Component Cooling (CC) Water Heat Exchanger Outlet Isolation Valve (2SX007): The inspectors reviewed the following component attributes:
(1) MOV calculations and analysis to ensure the valve was capable of functioning under design conditions. This included calculations for required thrust, maximum differential pressure, and valve weak link analysis;
(2) diagnostic testing results were reviewed to verify acceptance criteria were met and performance degradation would be identified;
(3) the control logic and power and control sources for this valve;
(4) the voltage drop for both power and control circuits; and
(5) the overload and short circuit protection for the valve motor.

The inspectors reviewed the following component attributes:

(1) the diesel driven essential service water makeup pump to verify its capability of providing water to the essential service water cooling tower basins under post-accident conditions;
(2) the design basis of the component as documented in design and licensing documentation;
(3) the pump design with regard to flow and head capacity, nameplate data, pump and diesel cooling, adequate submergence and net positive suction head (NPSH), and minimum flow capability;
(4) the component licensing basis, calculations, and operating procedures related to these functions;
(5) recent pump test results, pump strainer design, fuel system design, the combustion air supply, the exhaust system design, and component nameplate data;
(6) the design of the diesel engine electrical starting system, batteries and charger;
(7) recent preventative and corrective maintenance activities;
(8) the trending data to assess potential component degradation;
(9) licensees actions in response to vendor and generic communications; and
(10) the pump control logic and power sources. In addition, the inspectors performed walkdowns of the pump, diesel driver, and fuel oil system to verify the material condition of the components.
  • 2A Pressure Operated Relief Valve (PORV) (2RY455A): The inspectors reviewed the following component attributes:
(1) the air-operated valve (AOV)calculations and analysis to ensure the valve was capable of functioning under design conditions, including low temperature overpressure (LTOP) conditions.

This included calculations for required thrust, maximum differential pressure, and valve weak link analysis;

(2) accumulator sizing calculations, system air pressure leak tests, preoperational test results, and set point analysis and calibrations, including the upcoming set point change for the low accumulator pressure alarm to ensure sufficient air was available in the accumulators on a loss of instrument air, the inspectors reviewed;
(3) diagnostic and IST results to verify acceptance criteria were met and performance degradation would be identified;
(4) the air-operated valve control logic and the control power source; and
(5) the circuit protection and adequacy of voltage.
  • 2A Pressurizer Relief Isolation Valve - Block Valve (MOV) (2RY8000A): The inspectors reviewed the following component attributes:
(1) the MOV calculations and analysis to ensure the valve was capable of functioning under design conditions. This included calculations for required thrust, maximum differential pressure, pressure locking analysis, and valve weak link analysis;
(2) diagnostic and IST results to verify acceptance criteria were met and performance degradation would be identified; and
(3) the electrical and cable drawings to verify separation from other trains and divisions.
  • 2A Safety Injection (SI) Pump (2SI01PA): The inspectors reviewed the following component attributes:
(1) the SI system hydraulic calculations such as NPSH, vortexing, and pump deadheading to ensure that the pumps were capable of providing their accident mitigation function. This included verifying issues identified in the previous CDBI had been adequately addressed;
(2) the capability to switchover the suction source to the discharge of the residual heat removal pumps;
(3) the vendor specifications and pump curves to ensure that these parameters had been correctly translated into calculations, as required;
(4) pump minimum flow requirements were assessed to ensure they were in accordance with vendor recommendations;
(5) the design basis requirements to ensure that they were correctly translated into test acceptance criteria;
(6) completed pump surveillances to ensure that actual performance was acceptable. This included the quarterly and comprehensive IST pump surveillances, along with the system flow balance tests;
(7) the preventive and corrective maintenance history to determine whether any recent maintenance issues could adversely impact the functions of the pump;
(8) the automatic and manual pump control logic and the results of the load flow and voltage calculation to determine whether sufficient power was available to start the motor during worst case degraded voltage and service conditions; and
(9) the pump performance and brake horsepower requirement to determine whether the motor was adequately sized for the worse case load condition and whether this rating was adequately included in the diesel generator loading calculation.
(1) the emergency diesel generator design related to EDG room temperature, cooling system performance, and fuel availability and quality;
(2) the Fuel Oil transfer pump circuitry to verify electrical separation;
(3) the vendor manual, one-line diagram, equipment specification, and the vendor nameplate rating to determine the diesel generator rated output capability;
(4) the breaker control logic and power source, diesel/generator start logic, minimum voltage available at breaker close and trip coils, protective relaying and fuse and breaker coordination;
(5) the EDG loading study for the worse case design basis loading conditions;
(6) the results of surveillance tests to verify that the diesel generator test conditions enveloped design basis and Technical Specification requirements;
(7) the normal and off-normal operating procedures to determine whether appropriate load ratings and limitations were incorporated;
(8) selected pumps and fans to determine that break horsepower loads were determined and based on conservative design and operating conditions; and
(9) the modification and corrective maintenance history to determine whether any recent modifications or maintenance issues could adversely impact diesel generator load capability. In addition, the inspectors performed walkdowns of the EDG to determine the material condition and the operating environment of the components.
  • 4160Vac Essential Switchgear Bus 242 (2AP06E): The inspectors reviewed the following component attributes:
(1) essential switchgear bus 242 and its capability to supply adequate voltage to the loads;
(2) the automatic and manual transfer schemes and logic between alternate offsite sources and the emergency diesel generator;
(3) the control power sources and available voltage to ensure that adequate voltage would be available for the breaker open and close coils and spring charging motors;
(4) the breakers rating protective relays setting and calibration, available short circuit and capability of the breaker to interrupt fault currents;
(5) the load flow conditions to determine whether the transformers had sufficient capacity to support their required loads under worst case accident loading conditions;
(6) voltage drop calculations to verify that adequate voltage was available at buses and components at various voltage levels under worst loading and degraded voltage conditions;
(7) the degraded voltage analysis and setting and calibration of undervoltage and degraded grid voltage relays, grid voltage profile during previous ten years and communication between grid and plant operators;
(8) the maintenance history of breakers and selected corrective action reports; and
(9) the related breakers preventive maintenance to determine whether any recent maintenance issues could adversely the functions of the pump. In addition, the inspectors conducted plant walkdowns to determine the material condition and the operating environment of the switchgear, breakers and protective relaying.
  • Crosstie Capability of Switchgear Bus 242 (2AP06E) and 2B Emergency Diesel Generator (2DG01KB): The inspectors reviewed the following component attributes:
(1) the crosstie capability of the 4160Vac essential bus and its sources to other plant essential buses and to the ESF Component Cooling (CC)switchgear bus;
(2) the interlocks provided between the various supply and tie breakers, automatic and manual transfer schemes and logic adopted and the electrical separation and isolation at the CC switchgear;
(3) the breaker control power sources and available voltage to ensure that adequate voltage would be available for the breaker open and close coils and spring charging motors;
(4) Breakers rating and protective relays setting and calibration as well as the protective relay coordination between supply and tie breakers; and (5)maintenance history of breakers. In addition, the inspectors conducted plant walkdowns to determine the material condition and the operating environment of the CC switchgear and physical separation provided among incoming and outgoing cables.
  • 480Vac MCC 232X-2 (2AP27E): The inspectors reviewed the following component attributes:
(1) the 480 Vac essential motor control center (MCC) and its capability to supply adequate voltage to the loads;
(2) the voltage drop calculation related to this bus to confirm that adequate voltage was available to the components supplied by the bus under worst loading and degraded voltage conditions;
(3) the bus and breaker rating and the protection provided, including short circuit calculations and breaker coordination;
(4) the automatic and manual transfer schemes and logic between alternate offsite sources and the emergency diesel generator; and
(5) selected corrective action reports. In addition, the inspectors conducted plant walkdowns to determine the material condition and the operating environment of the motor control center.
  • 125Vdc Station Battery 212 (2DC02E): The inspectors reviewed the following component attributes:
(1) electrical calculations for the 212 safety-related 125Vdc station battery. These included battery sizing and loading, room hydrogen generation, battery capacity for design basis events and a station blackout event, and the voltage drop calculations;
(2) the inspectors verified the stations design capability to cross-connect to the opposite unit if necessary and that adequate voltage existed to allow for this design feature;
(3) the battery surveillance tests and performance history including verification of cell voltage, charging, specific gravity, electrolyte level, and temperature corrections to ensure acceptance criteria were met and performance degradation would be identified; and
(4) operating procedures associated with the battery and its associated chargers to ensure they were in accordance with vendor recommendations. In addition, the inspectors conducted a visual inspection of the batteries to assess the physical and material condition of the batteries and reviewed condition reports to verify identification of adverse conditions or trends.
  • Battery Charger 212 (2DC04E): The inspectors reviewed the following component attributes:
(1) the electrical calculations for the safety-related battery chargers including sizing and voltage drop calculations;
(2) periodic testing and test data to ensure acceptance criteria were met and any degradation would be identified;
(3) condition reports, and assessed the physical and material condition of the chargers; and
(4) the maintenance program on the electrolytic capacitors to verify proper identification of adverse conditions or trends.
  • 125Vdc Bus 212 (2DC06E): The inspectors reviewed the following component attributes:
(1) the 125Vdc buses and panel breakers associated with battery 212 and fuse sizing to ensure that their short circuit interrupting capability was adequate for the available short circuit current; and
(2) verified the minimum voltage required on the DC Bus will be available to carry the safety-related loads.

In addition, the inspectors performed a visual inspection on observable portions of the 125Vdc distribution center to assess material condition.

  • Fire Protection (FP) Pump (0FP03PB): The inspectors reviewed the following component attributes:
(1) the diesel driven fire protection (FP) pump;
(2) the design and licensing basis of the component as documented in design and licensing documentation;
(3) the pump design with regard to flow and head capacity, nameplate data, pump and diesel cooling, adequate submergence and NPSH, and minimum flow capability;
(4) the component licensing basis, calculations, and operating procedures related to these functions;
(5) pump strainer design, fuel system design, the combustion air supply, the exhaust system design, and component nameplate data;
(6) the design of the diesel engine electrical starting system, batteries and charger;
(7) recent pump test results; and
(8) recent preventative maintenance and corrective actions. In addition, the inspectors performed field walkdowns of the pump, diesel driver, and fuel oil system to verify the material condition of the components.
  • Steam Generator PORV and Block Valves (1MS018A (Hydraulic) and 1MS019A (Manual): The inspectors reviewed the following component attributes:
(1) the steam generator power operated relief valve (SG PORV) and block valve design related to their function during a steam generator tube rupture (SGTR) event;
(2) the design and licensing basis of the components as documented in design and licensing documentation; and
(3) the valves design with regard to their capability to open and close as required by plant accident analyses. The review included valve calculations, test results, and post accident environmental conditions. In addition, the inspectors evaluated the potential single failure of valves and associated power supplies under accident conditions as well as the operator action times associated with opening and closing the valve.

b. Findings

(1) Failure to Maintain/Extend the Qualification Basis for Molded-Case Circuit Breakers (MCCBs) Used in Safety-Related Applications Greater than 20 Years
Introduction:

A finding of very low safety significance and associated NCV of 10 CFR Part 50, Appendix B, Criterion III, Design Control, was identified by the inspectors for the failure to maintain the qualification basis for safety-related and important-to-safety MCCBs greater than 20 years old.

Description:

On February 25, 2009, the inspectors identified that the licensee failed to maintain/extend the qualification basis for the installed Westinghouse MCCBs that were greater than 20 years old. Specifically, Procedure LS-AA-115, Operating Experience Procedure, Revision 13, Attachment 4, OPEX [operating experience] Document List/Classification, requires a formal review of Westinghouse Technical Bulletins.

1, OPEX Reviewers Guidelines, provides detailed steps for reviewing any OPEX and recommending actions to appropriately incorporate the results of the review into applicable licensee processes.

Assignment report (AR) 534100, West TB-06-2 MCCB Aging, dated September 21, 2006, Assignment 02 was initiated to perform a subject matter expert review of Westinghouse Technical Bulletin (TB) 06-2. In AR 534100, Assignment 02, approved on December 6, 2006, the reviewer responded NO to the Step 4 Question, Does this OPEX have any impact on the Operability of structures, or components?

The reviewer answered NO to Step 10 of Attachment 1, Are there other plant systems/applications affected by this OPEX document? The licensee response to the Step 16 Question, Does this OPEX document have any impact on design data in controlled databases? was Not at this time. The inspectors noted that the action plan in Step 26 did not address extending/maintaining the qualification of the Westinghouse MCCBs that were greater than 20 years old. Specifically, there was no documented response to the TB-06-2 conclusion, in part, For safety-related applications, the qualification basis must be maintained and extended for the breakers over 20 years old.

Section 8.1.16, Qualification of Class 1E Equipment for Nuclear Power Plants, of the Byron USFAR states, in part, that the licensee complies with the intent of IEEE 323-1974. The IEEE 323 defines qualified life as, The period of time, prior to the start of a design basis event, for which equipment was demonstrated to meet the design requirements for the specified service conditions. NOTE - At the end of the qualified life, the equipment shall be capable of performing the safety function(s) required for the postulated design basis and post-design basis events. Paragraph 4) of Section 6.9, Extension of Qualified Life, of the IEEE 323, states, Periodic Maintenance, testing, and replacement/refurbishment programs based on manufacturers recommendations and sound engineering practices may be used to extend the equipments qualified life, where justified. Paragraph 6) states, Qualified life may be extended if it can be shown through subsequently developed data that an age-conditioning procedure, which limited the life of Class 1E equipment, is in fact conservative. Designated as acceptable for extending qualified life, the subsequently developed data shall contain quantitative evidence justifying the extended qualified life.

The TB-06-2 stated, the qualified life/design life extension can be justified by using a combination of a preventive maintenance program and aging analysis based on the actual service conditions. The statement in TB-06-2 was in agreement with the statements in IEEE 323.

Based on the above, the inspectors concluded that the reviewer had incorrectly answered the questions in AR 534100. Specifically, because the bulletin involved the qualifications of the MCCBs, it had an impact on operability, impacted multiple safety-related systems, and involved design data.

After questioning by the inspectors, the licensee generated Engineering Change (EC) 374545, Documentation of Justification for Continued Use of Westinghouse Breakers for Greater Than 20 Years and of Out of Tolerance Breakers Following a Surveillance [test] Until The Breakers Are Replaced, dated March 6, 2009. The inspectors reviewed EC 374545 and noted the evaluation focused on MCCBs that tested high above the acceptance tests value until a replacement MCCB could be scheduled.

The licensee also determined the continued use of Westinghouse type HFB breakers that had been in service greater than 20 years to be acceptable based on the type/apparent cause of breaker out-of-tolerances; similar Braidwood experiences (same type and age of MCCBs), PM Program/testing procedures, maintained breaker coordination, maintained short-circuit and overload protection, and breaker performance monitoring. However, the inspectors noted that no subsequent developed data containing quantitative evidence justifying the extended qualified life was presented.

Specifically, the licensee had started the MCCB test program in 2001 and did not have any second round results to compare to the first round.

After additional discussions, the licensee generated AR 898543, Westinghouse TB 06-02 Review Issue - 2009 CDBI, on March 27, 2009, to document the lack of quantitative evidence that the Byron MCCBs were performing better than the norm discussed in TB-06-2 and that the licensee had maintained/extended the Westinghouse type HFB MCCB qualified life past 20 years. The inspectors noted that licensees discussion centered on multiple samples of the MCCBs with similar test results over several outages as the basis for stating that a negative trend due to aging did not exist.

Analysis:

The inspectors determined that the failure to maintain/extend the qualified life of the Westinghouse molded case circuit breakers (MCCBs) was a performance deficiency. The performance deficiency was determined to be more than minor in accordance with IMC 0612, Power Reactor Inspection Reports, Appendix B, Issue Disposition Screening, because the finding was associated with the Mitigating Systems cornerstone attribute of equipment performance and affected the cornerstone objective of ensuring the availability of multiple safety-related systems and components to respond to initiating events to prevent undesirable consequences. Specifically, not maintaining qualified components in safety-related SSCs could lead to the inability to respond to design basis events.

The inspectors determined the finding could be evaluated using the SDP in accordance with IMC 0609, Significance Determination Process, Attachment 0609.04, Phase 1 - Initial Screening and Characterization of Findings, Table 4a for the Mitigating Systems cornerstone. The finding screened as of very low safety significance (Green)because the finding was a design or qualification deficiency confirmed not to result in loss of operability or functionality. Specifically, no actual loss of function could be attributed to operating with MCCBs greater than 20 years old and the licensee was able to justify maintaining/extending the qualified life based on no evidence that the MCCB test failure rate had increased. A licensee operability evaluation found the MCCBs to be operable.

This finding has a cross-cutting aspect in the area of problem identification and resolution because the licensee did not effectively incorporate pertinent manufacturers operating experience into maintaining the qualification of the Westinghouse MCCBs.

(P.2.b)

Enforcement:

Title 10 CFR Part 50, Appendix B, Criterion III, Design Control, requires in part, that measures shall be established for the selection and review for suitability of application of materials, parts, equipment, and processes that are essential to the safety-related functions of the structures, systems, and components.

Contrary to the above, from November 8, 2006 to March 27, 2009, the licensee failed to review the suitability of the components essential to the design basis specifications.

Specifically, the licensee failed to maintain/extend the qualified life of the MCCBs after the manufacturers qualifications ended at 20 years; as required by 10 CFR Part 50, Appendix A and B. Because this violation was of very low safety significance and it was entered into the licensees corrective action program as CR-898543, this violation is being treated as an NCV, consistent with Section VI.A.1 of the NRC Enforcement Policy (NCV 05000454/455/2009007-01(DRS)).

(2) Inadequate Analysis of Molded-Case Circuit Breaker Test Data
Introduction:

The inspectors identified a finding of very low safety significance (Green)and associated NCV of 10 CFR Part 50, Appendix B, Criterion XVI, Corrective Actions, in that the licensee had failed to properly evaluate the impact of molded-case circuit breaker (MCCB) problems identified during testing.

Description:

In 2001, in response to MCCB failures noted in the industry, the licensee initiated a MCCB testing and preventive maintenance program for both units. The licensee identified a 1.26 percent failure rate for the last four outages; however, a breaker was only considered to have failed if it did not trip or if it failed to coordinate with the upstream feeder breaker (the licensees maintenance rule failure criteria).

The inspectors reviewed the MCCB acceptance-test results from previous groups of MCCBs tested and noted the following results:

  • In B1R14 (the Fall 2006 outage), 87 of 150 MCCBs tested passed, 59 breakers tripped out of tolerance (magnetic instantaneous trip), 2 failed to trip, 1 failed to reset, 1 failed the thermal trip test for a 42 percent failure rate;
  • In B2R13 (Spring 2007), 18 of 94 breakers tested failed, a 19 percent failure rate;
  • In B1R15 (Spring 2008) 30 of 113 MCCBs tested failed, a 26.5 percent failure rate; and
  • In B2R14 (Fall 2008) 21 of 119 MCCBs tested failed, a 17.6 percent failure rate.

Of total population of 569 safety-related MCCBs, the inspectors noted that 476 (277 fixed magnetic and 199 adjustable magnetic) had been tested during the four outages.

Out of the 199 adjustable magnetic MCCBs, 128 failed the test (121 out-of-tolerance, 7 failed to trip or failed to reset), a 64.3 percent failure rate. There was a 1.8 percent failure rate (5 of 277) in the fixed magnetic MCCBs.

The inspectors noted that the actual acceptance test failure rate for either of the adjustable or fixed magnetic trip MCCBs was higher than the licensees noted failure rate of 1.26 percent. The licensee viewed the out-of-tolerance high test result as acceptable conditions for operability and therefore, did not include these in the failure rate. The inspectors identified the following concerns:

  • Procedure MA-AP-723-450, Molded Case Circuit Breaker ODEN Testing, Revision 0, Step 3.2.8 stated, A breaker failure is when a breaker does not trip within its trip range [emphasis added] or does not provide breaker coordination.

The inspectors noted that the licensees failure rate did not include those breakers which did not trip within the trip range.

In response to the inspectors questions, the licensee stated that the breaker performance was monitored based on population sampling of breaker types.

Specifically, a population of a breaker type was tested at every outage and the collective results would be used to determine acceptability of the remaining population not tested. In only recognizing a 1.26 percent failure rate, the licensee did not identify the negative performance trend therefore, did not adequately assess the acceptability of the total population or did not initiate appropriate action to plan and accomplish corrective actions in a timely manner. The inspectors also noted that the licensee had not taken any actions to address an initial 42 percent breaker failure rate and similar results from subsequent outage testing.

  • The licensee did not immediately replace installed MCCBs that failed to trip within the trip range. The licensee initiated an operability determination to justify continued operation until such time that it could be replaced. The inspectors were informed that the licensee considered the risk of replacing the failed breaker immediately and performing the required post-maintenance tests (PMTs) to be greater than the risk of leaving breakers that tripped out-of-tolerance high in service. When the inspectors pointed out that, as a requirement for testing, the electrical panel was de-energized and ideal for MCCB replacement and the PMTs, the licensee agreed that there would be no additional risk for the individual task. However, the licensee was concerned that the unplanned work could lead to human performance and coordination issues incurred by changing outage plans and scope.
  • The inspectors reviewed five condition reports (CRs) generated for MCCBs, which failed to trip within range. For four of the five CRs, the licensee concluded the MCCBs were operable because breaker coordination was maintained and the feed to the load was not impacted. This was for trip acceptance values from 11.2A to 34A. The fifth CR (827831) was for a 3A MCCB and the coordination was again the subject of the comments. The licensee noted that the 10A test value for this breaker was less than 3741A (the test value for the largest MCCB on the MCC) and that the largest MCCB coordinated with the feeder breaker; therefore, the [failed] 3A breaker was operable in this condition. The inspectors noted that the operability determinations did not address the design operability of the load with the failed MCCB where the wire ampacity is normally 125 percent of the expected full load current and the breaker is less than or equal to the wire ampacity. The inspectors concluded that shift management did not have sufficient information to make an informed operability decision.
  • In CR 897630, CDBI - Byron Inspection Testing Issues, dated March 25, 2009, the licensee stated that breakers left in place would be replaced during the next work window or outage. However, when asked if any failed MCCBs were still installed in the plant, the licensee identified seven safety-related MCCBs that had not been replaced; two from the last (October 2008) outage, four from the September 2006 outage, and one from the April 2007 outage. The inspectors noted that with the exception of the two MCCBs identified during the October 2008 outage, the remaining MCCBs should have been replaced in accordance with the licensees procedures and that the operability of these breakers should have been reassessed when the licensee failed to or decided not to replace the MCCBs.

While investigating Assignment 03 to CR 897630, the licensee found eight additional safety-related MCCBs that had failed testing in September 2003 and had neither a CR nor a WR generated to address the condition; therefore, no operability determination had been made between the test failure and the time of discovery. The licensee noted this condition in CR 907731, OOT Safety-Related HFB Breakers Installed Since September 2003, dated April 15, 2009. The licensee concluded the MCCBs were operable based on previous evaluations and coordination determination.

The inspectors determined that the licensee did not appropriately address failures of MCCBs to trip within the expected trip range. Specifically, MCCB test results indicated an excessive failure rate on adjustable-magnetic trip MCCBs; the operability determinations were narrowly focused (mainly on coordination only); the licensee had not promptly assess the impact on other safety-related, important-to-safety, and fire protection MCCB populations; the operations shift management did not have adequate information to assess operability of MCCBs; and the licensee had not replaced MCCBs which failed testing in a timely manner.

Analysis:

The inspectors determined that the licensees failure to properly evaluate adverse MCCB test results was a performance deficiency. Specifically, the licensee failed to have an adequate program to ensure the continued functionality and operability of the installed MCCBs that fall under the test program. The performance deficiency was determined to be more than minor in accordance with IMC 0612, Power Reactor Inspection Reports, Appendix B, Issue Disposition Screening, because the finding was associated with the Mitigating Systems cornerstone attribute of equipment performance and affected the cornerstone objective of ensuring the availability of multiple safety-related systems and components to respond to initiating events to prevent undesirable consequences. Specifically, not ensuring the function and operability of all required MCCBs supplying safety-related SSCs could lead to the inability to respond to design basis events.

The inspectors determined the finding could be evaluated using the SDP in accordance with IMC 0609, Significance Determination Process, Attachment 0609.04, Phase 1 - Initial Screening and Characterization of Findings, Table 4a for the Mitigating Systems cornerstone. The finding screened as of very low safety significance (Green)because the finding would not result in the total loss of a safety function. Specifically, the licensee evaluation showed that there was no loss of breaker to supply breaker coordination.

This finding has a cross-cutting aspect in the area of human performance because the licensee did not use conservative assumptions in decision making and did not adopt a requirement to demonstrate that a proposed action is safe in order to proceed rather than a requirement to demonstrate that it is unsafe. Specifically, the decision to define a MCCB failure using a maintenance rule focused definition instead of the definition found in MA-AP-723-450 resulted in a significantly lower failure rate. As a result, the licensee did not identify the negative performance trend and therefore, did not adequately assess the acceptability of the total population. (H.1.(b)).

Enforcement:

Title 10 CFR Part 50, Appendix B, Criterion XVI, Corrective Action, requires, in part, that conditions adverse to quality are promptly identified and corrected.

Contrary to the above, in September 2003, eight safety-related MCCBs failed acceptance tests (a condition adverse to quality); however, the licensee failed to promptly identify and correct this condition. Specifically, the licensee did not initiate a work request, a condition report, or an operability evaluation until April 2009. Because this violation was of very low safety significance and it was entered into the licensees corrective action program as CR 907731, this violation is being treated as an NCV, consistent with Section VI.A.1 of the NRC Enforcement Policy (NCV 05000454/455/2009007-02(DRS)).

(3) Concerns with Licensees Margin to Overfill (MTO) Analysis Related to Steam Generator Tube Rupture (SGTR) Event.
Introduction:

The inspectors identified an unresolved item (URI) related to the licensees evaluation of potential failures of the steam generator power operated relief valves (SG PORVs) during a postulated steam generator tube rupture (SGTR) event. Specifically, the licensees margin to overfill (MTO) analysis was based on the failure of a single SG PORV to open and did not consider the potential failure of two valves to open due to a common electrical system failure (most limiting single failure).

Description:

The inspectors reviewed the function on the SG PORVs during a postulated SGTR event. After a SGTR the operators open the SG PORVs associated with the intact steam generators to cooldown and depressurize the reactor coolant system. This operation would be time critical to prevent overfilling the ruptured steam generator and allowing liquid to enter the steam piping. The licensees SGTR accident analysis was based on the single failure of one SG PORV to open when required; this was consistent with UFSAR Section 15.6.3 and Table 15.0-15. Failure of one SG PORV would enable operators to cooldown the reactor coolant system using the remaining two SG PORVs. However, these electric/hydraulic valves require 480V power to operate.

The four SG PORVs (MS018A-D) are powered from two redundant 480V electrical busses. Each bus provides power to two SG PORVs. Therefore, the failure of a single electrical power supply could result in the failure of two SG PORVs to operate. The inspectors questioned if the single failure assumptions used in the SGTR MTO analysis were in accordance with the Byron licensing basis. In response to this concern, the licensee stated that this question had been previously addressed in detail and provided several corrective action documents that addressed the function of the SG PORVs during a SGTR event.

The inspectors reviewed the following related corrective action documents:

  • Issued Report (IR) 00680419 (initiated October 5, 2007), addressed local operator actions to open the SG PORVs after a SGTR. This IR questioned if the operators would be able to manually open the PORVs in the times assumed by the accident analysis. This IR identified that the single failure of one 480V bus would be more limiting than the loss of the entire 4kV electrical bus because all the ECCS pumps would continue to operate if only one 480V bus was lost. The loss of one 480V bus could result in the failure of two SG PORVs to open. The AR referred to a similar issue at Catawba Station, identified in 1997, which resulted in a LER.
  • IR 00687783 (initiated October 22, 2007), addressed similar concerns to IR 00680419. A detailed licensing basis evaluation was performed to address these concerns in IR 00687783. This IR included an evaluation of the Byron current licensing basis (CLB) regarding postulated single failures. The IR evaluation stated, in part, The conclusion drawn from the review is that for the design basis SGTR event, when the phrase single failure is used, its meaning is restricted to only single active failures and is not intended to convey all types of potential failures (i.e., passive and active).
  • IR 00706293 (initiated December 2, 2007), addressed various SGTR issues, including the MTO single failure concerns that were previously addressed by IR 00680419 and IR 00687783. Action AR 00706293-05 was initiated to perform a third party review of the SGTR single failure criteria. The independent review was completed on December 17, 2007. This review addressed the issue of passive verses active single failure, including an extensive review of regulatory requirements. The report stated, in part, With regard to the semantics of single failure vs. active single failure, there was nothing in the licensing history reviewed that specifically said passive failures do not need to be considered.
  • Action AR 00713904 (initiated December 19, 2007), addressed the specific recommendations of the independent review report. The conclusions of this internal review did not agree with those of the independent reviewer (AR 00706293-05). The AR 00713904 re-review concluded that a passive single failure of electrical components did not need to be considered for the SGTR MTO accident analysis. This review addresses the apparent contradiction between the GDC and Chapter 15 of the SRP. Action AR 00713904-04 stated, in part, The SRP on accident analyses and the GDC were prepared for different purposes. The GDC set forth a conservative set of rules for design that are intended to achieve defense in depth. The performance objectives of the GDC are high-level goals relating to the health and safety of the public. The SRP on accident analysis provides specific direction regarding the methodology, assumptions, and acceptance criteria for detailed analysis of accidents and Anticipated Operational Occurrences (AOOs). For some accidents, the SRP may establish additional intermediate-level acceptance criteria at a lower level than the high level performance objectives of the GDC. It may be possible for a plant design to meet the high level performance objectives of the GDC for a broad spectrum of initiating events and failures (including multiple failures); but the ability to meet specific acceptance criteria in accident analysis may be contingent on the specific assumptions made (the SRP acceptance criteria was established with a specific set of assumptions in mind.)

The review then addressed the question of why it was acceptable not to analyze for passive failures. The response to that question stated, The underlying technical basis for the SRPs approach to accident analysis is based on risk assessment methodology. Condition IV and other accident events have a very low frequency of occurrence. When combined with an additional random single active failure, the probability of the event combination is even lower (e.g., Condition IV events with two random active failures) would not add significant value in improving safety, and therefore is not required. A similar argument can be made for the combination of accidents with random passive failures.

Finally, the review included a risk-based argument, which addressed how the above discussion related to the licensing of the SGTR accident analysis. This portion on the review includes a discussion of compliance with GDC 17, which states that the electrical system design meets the GDC 17 criteria but also includes the statement, GDC 17 does not address the intermediate-level acceptance criteria for the SGTR accident analysis of preventing overfill of the ruptured SG.

For the SGTR the high-level performance objective of the GDC is met, with or without SG overfill; and, therefore, one need not distinguish between active and passive failures.

The inspectors noted that the Byron licensing basis for SGTR events was based on the generic Westinghouse analysis. The Westinghouse SGTR analysis (WCAP-10698) was based on a three-loop reference plant and the failure of a single SG PORV to open but did not specifically address electrical bus failures. In the single failure evaluation section, the WCAP stated, common mode failures of all steam generator PORVs were not evaluated since electrical power and air supplies to the PORVs are largely plant specific The associated NRC evaluation (dated March 30, 1987), concluded that the WCAP analysis methodology was conservative, but pointed out that there may be major design differences between plants and required plant specific information. Section D.5 of the NRC evaluation required the following plant specific information, A survey of plant primary and balance-of-plant systems design to determine the compatibility with the bounding plant analysis in WCAP-10698. Major design differences should be noted.

The worst single failure should be identified if different from the WCAP-10698 analysis and the effect of the difference on the margin of overfill should be provided.

In response to the NRC, the licensee provided the required plant specific information (Commonwealth Edison letter, dated April 25, 1990). This letter included revision 1 of the SGTR analysis for the Byron and Braidwood plants. The analysis stated, in part, The compatibility of the Byron/Braidwood systems with the WCAP-10698-P-A bounding plant analysis has been evaluated and no major design differences affecting the MTO exist. The same limiting single failures as identified in WCAP-10698-P-A and Supplement 1 of WCAP-10698-P-A were utilized in the analysis The NRCs evaluation of the Byron/Braidwood plant specific SGTR analysis (NRC letter dated April 23, 1992) included a statement that the licensee had responded satisfactorily to this confirmatory issue.

Based on review of these corrective action documents, review of available Byron licensing documentation, and extensive discussions with Byron personnel, the inspectors were concerned that the licensee did not correctly evaluate the potential failure of the steam generator power operated relief valves (SG PORVs) during a postulated steam generator tube rupture (SGTR) event. The application of the single failure criteria is addressed in 10 CFR 50, Appendix A, the definition of single failure states:

A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither:

(1) a single failure of any active component (assuming passive components function properly); nor
(2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.2 Single failures of passive components in electric systems should be assumed in designing against a single failure. The conditions under which a single failure of a passive component in a fluid system should be considered in designing the system against a single failure are under development.

This definition of single failure clearly states that single failures of passive components in electric systems should be assumed in designing against a single component failure.

Based on this, it did not appear valid to make a distinction between active and passive failures of electrical components in accident analyses.

In addition, 10 CFR 50, Appendix A, GDC 17, states, in part:

  • An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that:
(1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences; and
(2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.

The onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure The inspectors were concerned that the licensees position that GDC 17 does not address the intermediate-level acceptance criteria for the SGTR accident analysis of preventing overfill of the ruptured SG was not correct. The GDC 17 stated that onsite electric power supplies shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. In accordance with the Byron licensing basis, preventing overfill of the ruptured steam generator was a safety function of the onsite electric power supply. Because the operator response time would not be adequate to locally open the SG PORVs after a SGTR event, the onsite electric power supply must be capable of performing that safety function, assuming a single failure (either active or passive).

The licensee initiated IR 00897354 on March 25, 2009, to document the NRCs position on this issue; this IR stated that some mitigating actions would be initiated and stated that a new IR would be written upon formal receipt of NRCs position. The IR 00897354 did not include corrective actions to address the licensees single failure assumptions.

The licensee also referred the inspectors to guidance included in NRC NUREG/CR 4893, dated May 1991. The inspectors reviewed the NUREG and noted that it discussed the assumption of worst single active failures in the analysis of SGTR events. However, the NUREG did not specifically address electrical failures and it was not clear if the reference to single active failures was applicable to electrical failures or just to fluid system failures.

In addition, the inspectors reviewed the applicability of unresolved item (URI)05000454/2005002-06; 05000455/2005002-06 to this issue. As documented in NRC Inspection Report 05000454/2008008; 05000455/2008008 (dated May 5, 2008), the NRC determined that Byron was required to consider the passive failure of electrical components in the power supplies to essential service water cooling tower fans. This determination was based, in part, on the requirements of 10 CFR 50, Appendix A. The NRC determined that the provisions of 10 CFR 50.109(a)(4) were applicable, in that, a modification was necessary to bring the facility into compliance with the rules and orders of the Commission. The inspectors were concerned that this licensing basis issue was very similar to the SGTR MTO analysis issue, and that Byron failed to adequately evaluate the impact of this determination on the SGTR MTO analysis.

The inspectors have discussed this design and licensing basis issue with NRC staff in the Office of Nuclear Reactor Regulation. Due to complexity of establishing the appropriate design and licensing bases for this issue, this item is considered unresolved pending further NRC review (URI 05000454/455/2009007-03(DRS)).

(4) Insufficient Design Bases for Second-Level (Degraded) Voltage Timer Settings.
Introduction:

The inspectors identified an unresolved issue (URI) related to licensees failure to develop adequate design bases for the second level (degraded) voltage timer settings. Specifically, the licensee failed to evaluate the impact of operating and/or starting safety-related equipment at a voltage as low as 75 percent of the 4.16 kV nominal bus voltage for as long as 5 minutes and 40 seconds during an event involving a degraded grid voltage condition without a loss of coolant accident (LOCA) signal.

Description:

The inspectors determined that the licensee did not have an analysis to demonstrate the ability of the safety-related loads to mitigate an event involving a degraded grid voltage condition when a LOCA signal was not present. Specifically, the inspectors found that, during a degraded grid voltage condition, if a LOCA signal was also present, after approximately ten seconds, the emergency diesel generators would start and accept the safety-related loads according to the prescribed load sequencing.

However, if a LOCA signal was not present, the inspectors found that, after the ten-second delay, the degraded voltage condition resulted in an alarm in the control room and the start of a five-minute timer.

The inspectors noted that Section A.4 of IEEE 741-1997, Degraded Voltage Relay Time Delay Settings, states, in part, that: After the voltage setpoint for the degraded voltage relays has been established, additional analysis is required to determine the appropriate time delays. These analyses will involve investigation of transient conditions, such as block motor starting and the effect of increased load currents from degraded voltage operation, on both protective device operation and equipment thermal damage. Two time delays should be determined by: a) the first time delay should be of a duration that establishes the existence of a sustained degraded voltage condition (i.e., longer than a motor starting transient). Following this delay, an alarm in the control room should alert the operator to the degraded condition; and b) the second time delay should be of a limited duration such that the permanently connected Class 1E loads will not be damaged or become unavailable due to protective device actuation Protective devices (i.e., circuit breakers, control fuses, etc.) for connected Class 1E loads should be evaluated to ensure that spurious tripping will not occur during this time delay period.

Consideration should also be given for restarting/reaccelerating the loads, should transfer to the alternate or standby power source be required.

Similarly, NUREG 0800, Branch Technical Position (BTP) 8-6 states: In addition to the undervoltage scheme provided to detect LOOP [loss of offsite power] at the Class 1E buses, a second level of undervoltage protection with time delay should be provided to protect the Class 1E equipment. This second level of undervoltage protection should satisfy the following criteria: a) The selection of undervoltage and time delay setpoints should be determined from an analysis of the voltage requirements of the Class 1E loads at all onsite system distribution levels and b) Two separate time delays should be selected for the second level of undervoltage protection based on the following conditions: i The first time delay should be long enough to establish the existence of a sustained degraded voltage condition (i.e., something longer than a motor-starting transient). Following this delay, an alarm in the control room should alert the operator to the degraded condition ii. The second time delay should be limited to prevent damage to the permanently connected Class 1E loads The bases and justification for such an action must be provided in support of the actual delay chosen.

Functionally, the Byron degraded voltage protection was consistent with the recommendations of IEEE-741 and BTP 8-6 in that the design included two levels of undervoltage protection and two separate time delays for the degraded voltage condition. However, the inspectors noted that, while the licensee had developed an adequate justification for the setting of the undervoltage relays and the first time delay, the licensee had not developed a technical justification for the second time delay.

The need for a full evaluation of degraded voltage conditions was originally identified by the NRC in 1976 and 1979 as a result of events at Millstone and Arkansas Nuclear One.

These events and subsequent similar events were discussed in various NRC generic communication vehicles, including NUREG-0900-5 and Information Notices (INs) 79-04, 89-83, and more recently, IN 2000-06. In IN 89-83 the NRC described specific concerns with degraded voltage conditions and stated that, in the Millstone event, a grid voltage drop combined with voltage drops produced by the step-down transformers reduced the control power voltage within individual motor control centers and individual 480 Volt controllers to a level that was insufficient to actuate the main line controller contactors.

As a result, when the motors were signaled to start, the contactor control power fuses were blown making several motors inoperable.

As indicated previously, at Byron, a degraded voltage condition without a LOCA resulted in the undervoltage relays sounding an alarm in the control room and initiating a five minute timer. Based on the alarm response procedure, if the alarm was the result of a degraded voltage, the operators were required to call the grid operator to determine whether the grid voltage could be increased and monitor the bus voltage. If the voltage dropped below 75 percent, the operators were required to initiate a transfer of the loads to the emergency diesel generators. In comparison, with a LOCA present, the degraded voltage relays were set to automatically transfer the safety-related loads to the emergency diesel generators when the bus voltage dropped below 92.5 percent of the nominal voltage (4160 Volts).

The inspectors were concerned that, if the voltage at the 4 kV bus dropped to slightly above 75 percent of the nominal voltage, the operating motors would experience approximately a 28 percent increase in current, also considering the design voltage of the motors (4000 V). If operated within the design limits and properly protected, these motors would most likely experience no major damage. During the intervening five minutes, however, the increase in motor load current could result in spurious breaker trips and the automatic restart of the same or redundant motors with consequent further decrease in system voltages. At the lower voltage buses, the voltage drop would be greater than 25 percent due to losses in step-down transformers, cables, and other interposing devices. This voltage drop, complicated by potential motor starts, including the potential start of the motor-driven auxiliary feedwater pump, if a plant trip occurred, could result in adverse consequences that the licensee had failed to evaluate.

Discussions with the licensee regarding this issue indicated that the design was accepted by the NRC during the original review and provided a copy of the safety evaluation report (SER) issued by the NRC in February 1982. In the SER, it is stated that: if the degraded voltage is not corrected within 5 minutes, the bus will automatically disconnect from the offsite power source and connect to its onsite diesel generator. This is in conformance with the staff position and is, therefore, acceptable.

Subsequently, in April 1989 following a meeting with the NRC to address the adequacy of the undervoltage protection scheme utilized at the Dresden Station, Commonwealth Edison (CECo) wrote to the NRC and committed to implement administrative controls and associated operator training, which directs the operator to immediately take action to disconnect safety buses if the 4160 Volt power supply drops below 75 percent of the nominal bus voltage The objective of this procedure is to minimize to less than one minute, if possible, the time that safety-related motors and other equipment could experience severe undervoltage (below 75 percent) in the extremely unlikely event that such conditions are sustained for more than several seconds. This commitment was made for the five plants owned by CECo at the time of the meeting, including Byron. As in the SER case, the meeting minutes addressed only one variable, i.e., the minimum voltage level but not the duration. Therefore, it is not immediately evident that the NRC intended to accept a 75 percent voltage for five minutes. Furthermore, the meeting pertained to the Dresden plant and the design limitations may be different. The licensee was unable to produce any documentation that was provided to the NRC in support of their design/operation of the electrical system.

The FSAR and the Technical Specification (TS) were consistent with the SER. They both acknowledged the existence of a five-minute timer, but neither the FSAR nor the TS bases addressed the voltage level at which the plants are allowed to operate for the specified period.

In response to the NRC concerns the licensee issued IR No. 892610. In the IR, the licensee indicated that they would develop a technical basis for the five minute delay. In the interim, they were revising the alarm procedure to direct the operator to separate the emergency buses from the system auxiliary transformer, upon confirmation that a degraded bus voltage condition (below 92.5 percent) existed.

This issue is considered unresolved pending:

(1) evaluation of the licensees technical basis for the time delay between the on-set of a degraded voltage condition and the transfer to the diesel generators, without a safety injection (SI) signal; and
(2) discussion with NRR to determine the licensing and design basis (URI 05000454/455/2009007-04 (DRS)).

.4 Operating Experience

a. Inspection Scope

The inspectors reviewed five operating experience issues to ensure that NRC and industry generic concerns had been adequately evaluated and addressed by the licensee. The operating experience issues listed below were reviewed as part of this inspection:

  • Westinghouse Technical Bulletin (TB) 06-2, Aging Issues and Subsequent Operating Issues for Breakers That are at Their 20 Year Design/Qualified Life; UL certification/Testing Issues Update;
  • IN 2008-20, Failure of MOV Actuators with Magnesium Alloy Rotors;
  • IN 2006-22, New Ultra Low Sulfur Diesel Fuel Oil Could Adversely Impact Diesel Engine Performance; and
  • IN 2008-02, Findings Identified During Component Design Bases Inspections (Inspection Related Areas).

b. Findings

A finding of low safety significance was identified during review of Westinghouse TB-06-02 (for details see Section 1R21.3.b(1) of this report).

.5 Risk Significant Operator Actions

a. Inspection Scope

The inspectors performed a margin assessment and detailed review of six risk-significant operator actions. These actions were selected from the licensees PRA rankings of human action importance based on risk achievement worth values. Where possible, margins were determined through a review of the assumed design basis and UFSAR response times and performance times documented by job performance measures results and by PRA analysis assumed operator response times. For the selected operator actions, the inspectors performed a detailed review and walk through of associated procedures. The inspectors also performed in plant observations for other important operator actions with a qualified senior reactor operator and an equipment operator to assess licensed operator and non-licensed operator knowledge level, adequacy of plant procedures, and the availability of special equipment required to perform the risk-significant operator actions out in the plant.

The following operator actions were reviewed:

  • establish high/intermediate head ECCS pumps;
  • manually open air-operated valves (AOVs) IA-065 and IA-066;
  • close SI-8806 or CV-112D and CV-112E or SI -8813 or SI-8814 or SI- 8920 valves during local emergency control of safe shutdown equipment; and
  • effects on the operability evaluation for margin to S/G overfill following S/G tube rupture event.

b. Findings

No findings of significance were identified.

.6 Modifications

a. Inspection Scope

The inspectors reviewed 6 permanent plant modifications related to selected risk significant components to verify that the design bases, licensing bases, and performance capability of the components had not been degraded through modifications. The modifications listed below were reviewed as part of this inspection effort:

  • EC 370002, Establish Criteria for ESF Battery Inter-Cell Connection Resistance;
  • EC359963, Revise Unit 2 Low Temperature Overpressure Protection System (LTOPS) Setpoints and Heatup/Cooldown Curves to Reflect Change to Pressure and Temperature Limitations Report (PTLR);

This activity is not considered an inspection sample.

b. Findings

No findings of significance were identified.

OTHER ACTIVITIES

4OA2 Identification and Resolution of Problems

Main article: IP 71152

.1 Routine Review of items Entered Into the CAP

a. Inspection Scope

The inspectors reviewed a sample of the selected component problems that were identified by the licensee and entered into the corrective action program. The inspectors reviewed these issues to verify an appropriate threshold for identifying issues and to evaluate the effectiveness of corrective actions related to design issues. In addition, corrective action documents written on issues identified during the inspection were reviewed to verify adequate problem identification and incorporation of the problem into the corrective action program. The specific corrective action documents that were sampled and reviewed by the inspectors are listed in the attachment to this report.

b. Findings

No findings of significance were identified.

4OA6 Management Meetings

Exit Meeting Summary

On March 27, 2009, the inspectors presented the inspection results to Mr. B. Adams, and other members of the licensee staff. The licensee acknowledged the issues presented. The inspectors confirmed that none of the potential report input discussed was considered proprietary.

The inspectors confirmed that none of the potential report input discussed was considered proprietary.

ATTACHMENT:

SUPPLEMENTAL INFORMATION

KEY POINTS OF CONTACT

Licensee

B. Adams, Plant Manager
C. Gayheart, Operations Manager
S. Greenlee, Engineering Director
V. Naschansky, Electrical/I & C Design Manager
D. Gudger, Reg Assurance Manager
T. Hulbert, Reg Assurance NRC Coordinator
E. Blondin, Mechanical/Structural Design Manager
B. Perchiazzi, Sr. Manager Designing Engineering
B. Youman, WM Director
M. Justice, System Engineer - counterpart
E. Stender, System Engineer - counterpart
A. Corrigan, System Engineer - counterpart
A. Daniels, NOS Manager
K. Passmore, Electrical Systems Manager
M. Ryterski, System Engineer
B. Quigley, System Engineer
D. Sargent, System Engineer
F. Lentine, Washington Group
P. Simpson, Cantera Licensing
L. Schofield, Cantera Licensing

Nuclear Regulatory Commission

A. M. Stone, Chief, Engineering Branch 2, (DRS)
B. Bartlett, Senior Resident Inspector
J. Robbins, Resident Inspector
M. Abid, Reactor Inspector, Observer
J. Dalzell, Inspector in Training
J. Corujo-Sandin, Inspector in Training

Attachment

LIST OF ITEMS

OPENED, CLOSED AND DISCUSSED

Opened

05000454/455/2009007-01 NCV Failure to Maintain/Extend the Qualification Basis for Molded-Case Circuit Breakers (MCCBs) Used in Safety-Related Applications Greater than 20 Years.

(1R21.3.b.(1))

05000454/455/2009007-02 NCV Inadequate Analysis of Molded-Case Circuit Breaker Test Data. (1R21.3.b.(2))
05000454/455/2009007-03 URI Concerns with Licensees Margin to Overfill (MTO)

Analysis Related to Steam Generator Tube Rupture (SGTR) Event. (1R21.3.b.(3))

05000454/455/2009007-04 URI Insufficient Design Bases for Second-Level (Degraded)

Voltage Timer Settings. (1R21.3.b.(4))

Closed

05000454/455/2009007-01 NCV Failure to Maintain/Extend the Qualification Basis for Molded-Case Circuit Breakers (MCCBs) Used in Safety-Related Applications Greater than 20 Years.

(1R21.3.b.(1))

05000454/455/2009007-02 NCV Inadequate Analysis of Molded-Case Circuit Breaker Test Data. (1R21.3.b.(2))

Attachment

LIST OF DOCUMENTS REVIEWED

Retrieved from "https://kanterella.com/w/index.php?title=IR_05000454/2009007&oldid=2285325"