05000528/LER-2008-001

Note: All times listed in this event report are approximate and Mountain Standard Time (MST) unless otherwise indicated.

1. REPORTING REQUIREMENT(S):

This LER (50-528/2008-001-00) is being submitted pursuant to 10 CFR 50.73(a)(2)(i)(B) to report operation in a condition prohibited by Technical Specifications (TS). Specifically, TS Surveillance Requirement (SR) 3.3.11.2 requires verification every 18 months that each required Remote Shutdown System control circuit and transfer switch is capable of performing the intended function. Contrary to this requirement, the existing surveillance test procedure (STP) did not adequately verify that capability.

2. DESCRIPTION OF STRUCTURE(S), SYSTEM(S) AND COMPONENT(S):

The Remote Shutdown System provides the control room (CR) operator with sufficient instrumentation and controls to place and maintain the unit in a safe shutdown condition from a location other than the control room. Disconnect switches are provided in the control circuits for specified "B" train components, in order to prevent the inadvertent operation of components during a CR fire. The ability to achieve and maintain a safe shutdown condition requires that the Auxiliary Feedwater (AFW) system (EMS Code: BA) and the steam generator safety valves (EIIS Code: SB) or the steam generator atmospheric dump valves (EIIS Code: SB) be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS, EIIS Code: AB) from outside the CR allow extended operation in Mode 3.

The disconnect switches have two positions; LOCAL/REMOTE and LOCAL. With a disconnect switch in LOCAL/REMOTE position, operation of the component is enabled both from the CR and from the local controls. With the disconnect switch in the LOCAL position, operation of the component is possible only at the local controls. The method of testing each disconnect switch involved placing the disconnect switch in LOCAL, then functionally testing the component from the local control and also verifying that the function was disabled from the CR. This functional testing of the transfer switch did not verify proper electrical isolation of each transfer circuit between the CR and the local control.

3. INITIAL PLANT CONDITIONS:

On February 1, 2008, Palo Verde Units 1, 2 and 3 were in Mode 1 (Power Operations), at approximately 100 percent power at the time of discovery of the condition. No additional equipment or components were inoperable at the time of the condition that contributed to this condition.

4.0CONDITION DESCRIPTION:

On February 1, 2008 at 1400, engineering personnel concluded during performance of the Component Design Bases Review (CDBR), that STP 40ST-9ZZ20, "Remote Shutdown Disconnect Switch and Control Circuit Operability," did not adequately test two valves: SIB-UV-615 and SIB-UV-625, Low Pressure Safety Injection (LPSI, EIIS Code:

BP) header injection valves to the RCS loops 2A and 2B. The STP provided a method to test the transfer of functional control from the CR to the local controls only, but did not provide a testing method to ensure a circuit fault would not impact the local control capability for SIB-UV-615/625. Engineering personnel reported the condition to CR personnel, and all three units entered TS SR 3.0.3, which permits a delay of up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or the limit of the specified frequency of the surveillance, to complete performance of the STP.

On February 6, 2008, at 1845, further evaluation by engineering personnel revealed that six additional valves were affected by the inadequate STP:

1. LPSI shutdown heat exchanger "B" bypass valve, SIB-HV-307, 2. LPSI Containment Spray to shutdown cooling heat exchanger "B" crosstie valve, SIB-HV-694, 3. Auxiliary Feedwater Pump "B" to steam generator (SG) 1 block valve, AFB-UV-34, 4. Auxiliary Feedwater Pump "B" to SG 2 block valve, AFB-UV-35, 5. Auxiliary Feedwater Pump "B" to SG 1 control valve, AFB-HV-30, and 6. Auxiliary Feedwater Pump "B" to SG 2 control valve, AFB-HV-31.

Engineering personnel informed control room personnel and TS SR 3.0.3 was entered for each of the affected valves.

On February 7, 2008, an extent of condition review was completed and the results indicated that 70 components were required to meet Appendix R safe shutdown criteria on each of the three units. Risk assessments had been performed for 4 of the 8 components that had already been entered into TS SR 3.0.3 (as identified above). Control room personnel declared the remaining affected components inoperable and TS Limiting Condition for Operation (LCO) 3.3.11 Condition B was entered. TS LCO 3.3.11 Condition B requires restoration of the inoperable switches or control circuits to an operable status within 30 days, or issuance of procedure changes that identify alternate disconnect methods or control circuits.

On February 14, 2008, a new STP, 40ST-9ZZ25, "Online Remote Shutdown Disconnect Switch Operability," was implemented to allow testing of remote shutdown system disconnect switches online.

On February 15, 2008, after extensive review of an engineering evaluation of the affected components by Operations, Operations Standards, Engineering, Probabilistic Risk Assessment, and licensing personnel, it was determined that the required disconnect switches and control circuits could appropriately be included under the provisions of TS SR 3.0.3, and, therefore, TS LCO 3.3.11, Condition B, was exited for the affected components. In accordance with the requirements of TS SR 3.0.3, a risk evaluation was performed by engineering personnel to manage the risk impact. This evaluation separated the 70 affected components into three categories:

1. components which already had an adequate degree of testing completed, 2. components which would require testing in the near-term based on the risk evaluation, and 3. components for which testing could be extended for up to one surveillance period (the maximum allowed by TS SR 3.0.3) based on the risk evaluation.

While performing testing of the components in Category 2 above, in accordance with STP 40ST-9ZZ25, three conditions were identified:

1. On February 21, 2008, station personnel observed an unacceptable resistance reading across the Unit 1 Auxiliary Feedwater Pump "B" to SG 2 block valve (AFB-UV­ 34). Upon investigation, a jumper was found installed in circuit breaker 1EPHBM3814.

The jumper was not shown on the applicable design drawings and apparently had been present since plant startup. With the jumper installed, it could not be assured that the disconnect switch would have isolated the local control circuit from potential faults due to a control room fire. A postulated hot short could re-close valve AFB-UV­ 34, thereby terminating AFW flow to Steam Generator 1. The jumper was removed and the component was tested successfully.

2. On March 2, 2008, station personnel identified that contacts 42 and 43 did not appear to change state when the disconnect switch for the Unit 1 Class 1 E 125VDC Train B battery breaker (1EPKBM4102) was taken to LOCAL. A jumper was subsequently found installed across these contacts. These contacts are not Appendix R safe shutdown contacts and, therefore, any fire induced failures would not have resulted in the loss of the 125VDC Train B battery breaker during a control room fire event. As such, Mode 3 was still capable of being achieved and maintained with this identified condition. The jumper was removed and the component was tested successfully.

valve position indication circuit for valve AFB-HV31. The missing conductor resulted in the valve position control room meter, 3J-AFB-ZI-31A, not displaying properly when the hand switch was taken to the LOCAL position, but did not impact the isolation function of the associated disconnect switch. As such, the safety function was not impacted. The conductor was installed and tested successfully.

The remaining components which were tested online passed satisfactorily. The other affected components are not risk significant and are being managed in accordance with TS SR 3.0.3 until the next available time for performance of the modified STP.

5. ASSESSMENT OF SAFETY CONSEQUENCES:

This condition did not adversely affect plant safety or the health and safety of the public.

The condition did not result in any challenges to the fission product barriers or result in any releases of radioactive materials. Therefore, there were no actual adverse safety consequences or implications as a result of this condition.

The effect of the jumper installed on Unit 1 AFB-UV-34 valve circuitry was evaluated for asymmetric steam generator operation and cooldown due to the postulated inability to feed one steam generator. Through comparison to bounding 10 CFR 50 Appendix R Fire Protection Analyses, engineering personnel concluded the condition did not exceed acceptance criteria for control room fire events. As such, the condition reported in this LER would not have resulted in a transient more severe than those analyzed in the updated Final Safety Evaluation Report Chapters 6 and 15. The condition did not have any nuclear safety consequences or personnel safety impact.

The condition would not have prevented the fulfillment of a safety function and did not result in a safety system functional failure as defined by 10CFR 50.73(a)(2)(v).

6. CAUSE OF THE CONDITION:

The direct cause of this condition was that the testing methods of the STP did not ensure that the intended function of isolation from the Control Room was met, in that each circuit was not individually verified to meet the requirements of TS SR 3.3.11.2.

The preliminary root cause for this condition is that persons experienced and knowledgeable of the requirements of 10CFR 50, Appendix R were not adequately involved in the development and revision of STP 40ST-9ZZ20, resulting in less than adequate technical reviews and incomplete implementation of the TS SR.

Contributing to this condition was that the original bases for the TS LCO and TS SR, as well as NRC Generic Letter 81-12, "Fire Protection Rule," were ineffectively translated into the original STP.

Further contributing to this condition was a failure to identify and effectively evaluate Operating Experience 0E-22204, which should have prompted a review of the existing STP to ensure that the requirements for isolation were adequately verified. Review of this OE incorrectly concluded that the OE was not applicable to PVNGS. On a separate occasion, review of this OE incorrectly concluded that if the condition identified in the OE existed at PVNGS, it would be identified during performance of 40ST-9ZZ20.

If upon conclusion of the root cause analysis, substantial information is identified that would significantly change a reader's perception of the cause or consequences of the condition, or if there are substantial changes in the planned corrective actions, APS will include that information in a supplement to this LER.

7. CORRECTIVE ACTIONS:

STP 40ST-9ZZ25, "Online Remote Shutdown Disconnect Switch Operability," was implemented to perform the surveillance for the components with higher risk as defined by the risk analysis.

The three identified non-conforming conditions (jumpers and missing conductor) were corrected.

STP 40ST-9ZZ20 will be revised to ensure that each circuit is verified to meet the requirements of the TS SR. This revised STP will be implemented during upcoming refueling outages on each unit in accordance with TS SR 3.0.3.

8. PREVIOUS SIMILAR CONDITIONS:

TS SR was met for certain AFW valve actuation relays and, as a result, did not account for full valve stroke time.

( Additionally, LER 50-528/2007-004-00 reported a condition where existing STPs did not ensure the Containment Spray system headers were full of water.

The corrective actions for these previous LERs could not have prevented the condition identified here, in that the previous events did not involve the same underlying concern or reason as this event, such as the same root cause, failure, or sequence of events.