Information Notice No. 98-22: Deficiencies Identified During NRC Design Inspections
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555-0001
June 17, 1998
|NRC INFORMATION NOTICE 98-22:||DEFICIENCIES IDENTIFIED DURING NRC DESIGN INSPECTIONS|
All holders of operating licenses for nuclear power reactors, except those licensees who have permanently ceased operations and have certified that fuel has been permanently removed from the vessel.
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice to alert addressees to issues identified during recent design team inspections regarding the capability of selected systems to perform their design bases safety functions. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required.
In October 1996, as a result of concerns that some plant configurations and operations were inconsistent with their design and licensing bases, the NRC formed three NRC-led teams of five contracted engineers from architect-engineer firms to perform design-focused, inspections of risk-significant safety systems. These inspections were implemented to evaluate the capability of the selected systems to perform their safety functions, the adherence of the selected systems to their design and licensing bases, and the consistency of the as-built configuration and system operation against the final safety analysis report (FSAR). The inspections were conducted in accordance with NRC Inspection Procedure 93801, "Safety System Functional Inspection," and focused on the engineering design and configuration control sections of the procedure. As of May 1, 1998, 16 inspections have been completed.
Description of Circumstances
The following summarizes the most significant technical and programmatic issues that have been identified by the 16 inspections completed to date. In some instances, there are ongoing NRC staff reviews concerning specific regulatory and technical aspects of the issues.
Modifications or Evaluations That Resulted in Operation of the Plant Outside the Licensing Bases
At some plants, there were issues concerning operation outside the licensing bases stated in the FSAR. At some plants, licensee 10 CFR 50.59 evaluations failed to identify unreviewed safety questions, and licensees made significant changes to plant operations or equipment without NRC's approval. In some instances, this was due to revisions to calculations that were not subject to 10 CFR 50.59 screening programs. At Farley and Perry, inspectors identified issues involving the lack of protection from tornado missiles. At Perry, the suppression pool cleanup (SPCU) system was frequently operated at power, which was inconsistent with the updated safety analysis report (USAR) description. Due to the system interface between the SPCU and the high pressure core spray (HPCS) system, whenever the SPCU system is in operation, the HPCS system must be aligned to the suppression pool as opposed to its preferred source, the condensate storage tank. At Diablo Canyon, the team identified a single-failure vulnerability with the component cooling water (CCW), auxiliary saltwater, and residual heat removal (RHR) systems and an inability to use the containment spray system during the containment recirculation mode of the RHR system.
At Cooper, the licensee made a modification to the reactor equipment cooling system which resulted in a leakage of 200 gallons per day from sampling valves that were inadvertently left in the open position. During the modification process, the need for controlling the position of these valves was not recognized. Therefore, in accident conditions, this leakage could have depleted the available water to the system, resulting in an inability of the system to support its long-term post-accident cooling functions.
Errors in Analyses for Emergency Core Cooling System (ECCS) Pump Suction Swap-over from Refueling Water Storage Tank (RWST)/Borated Water Storage Tank (BWST) to the Reactor Sump During a Loss of Coolant Accident (LOCA)
At five plants, licensees made errors in the calculations that were performed to ensure adequate coolant would be available to support operation of low-pressure pumps during and after swap-over from the RWST/BWST to the reactor building sump during a postulated LOCA. These errors resulted from the use of non-conservative reactor building pressures, valve stroke times, and operator response times; failing to account for limiting system configurations; and instrument uncertainties. The errors affected the calculations for setting the RWST/BWST level instrument alarms, the emergency operating procedures (EOPs), and technical specifications. At Three Mile Island (TMI), the licensee declared both the decay heat removal system and the reactor building spray pumps inoperable as a result of these concerns.
At D.C. Cook, the licensee did not sufficiently evaluate the instrument uncertainties and flow biases that would cause the RWST level instrumentation to indicate lower than actual level. In addition, the licensee was unable to demonstrate the adequacy of drainage paths from the inactive to the active containment recirculation sumps to support operation of the ECCS pumps with suction from the ECCS sump. On the basis of these concerns, the licensee declared both trains of the ECCS and the containment spray system inoperable and initiated a dual-unit shutdown.
At H. B. Robinson, a design modification by the licensee allowing for single safety injection (SI) pump operation resulted in insufficient net positive suction head (NPSH) for two of three SI pumps. At Ginna, the licensee implemented procedure changes after a slight negative NPSH was calculated for the RHR pump A.
At Wolf Creek, the licensee's RWST instrument loop uncertainty calculations did not consider density variations resulting from temperature changes and boron concentration, which affected the RWST alarm and swap-over setpoints and the accuracy of the RWST level indication.
Inadequate Testing of Safety-Related Components
Inspection teams identified numerous examples of inadequate testing of safety related components, including the lack of testing for certain molded-case circuit breakers at St. Lucie, Arkansas Nuclear One (ANO), and TMI; leak and functional testing of valves (including check valves) at TMI, St. Lucie, Ginna, Farley, D.C. Cook, Palisades, and Davis-Besse; post-modification testing of safety injection pumps at H.B Robinson; testing of the safety injection lock-out relay at Indian Point 2; and testing of sections of the auxiliary service water supply path and pumps at Diablo Canyon. In some instances, the licensees did not perform periodic tests, while in other cases, the testing was inadequate to demonstrate the operability of all safety functions. For example, the licensee tested certain check valves in the forward flow but not the reverse flow direction. At Vermont Yankee, the inspectors determined that testing of the RHR heat exchangers was inadequate because of invalid test instrument uncertainty assumptions.
Issues Concerning Implementation of Computer Evaluation Models Used for Analyzing ECCS Response to Design Basis Accidents
In three inspections, the team identified issues concerning the computer evaluation models used for analyzing the ECCS response to postulated design-bases accidents. At H.B. Robinson, the computer model indicated the existence of a second peak in fuel clad temperature that was significantly higher than the peak temperature reported by the licensee. At Ginna, the team identified errors in the analysis report that called into question the level of review and the validity of some inputs. At Indian Point 2, the licensee had not established procedural controls to ensure that input data assumptions used in the model would not be invalidated by plant modifications. The team also identified the lack of formal design control procedures between the licensee and the vendor for supplying and verifying the validity of input data and assumptions.
System Operation at a Temperature in Excess of the Design Basis
At three plants, the inspection team found that the plant had been operated while system ambient temperatures were in excess of the design or licensing bases. At Vermont Yankee, the licensee allowed the suppression pool temperature to exceed the design-basis temperature used in the analyses for the standby cooling system pump NPSH, containment pressure, piping stress, and equipment qualification. At D.C. Cook, the licensee operated the plant with the essential service water temperature (ultimate heat sink) in excess of the design-basis temperature, which could affect the qualified life of equipment in the control room and reduce the rate of heat removal from the spent fuel pool.
At Palisades, LOCA analyses concluded that the post-accident CCW temperatures could exceed the design-basis temperature; however, the licensee had not evaluated system performance at the higher temperatures.
Errors Made in Evaluating Post-accident Temperatures for Safety Related Pump Rooms
At four plants, licensees made errors in calculating the maximum pump room temperatures that would be expected during post-accident conditions. At Palisades, Ginna, and Indian Point 2, the calculations for the auxiliary feedwater pump rooms incorrectly used nominal rather than the maximum expected ambient temperature conditions before the accident. At Cooper, the licensee calculated the heat load for the RHR pump room using only one of the two pumps. Also at Cooper, operating procedures were inadequate to ensure that the maximum calculated RHR service water booster pump room temperature would not be exceeded.
Lack of Controls or Specified Outage Times for Limiting System Line-ups That Could Challenge Design-Basis Considerations
Inspectors identified issues pertaining to the lack of controls or specified outage times (either within technical specifications or administrative procedures) for ensuring systems are maintained in a configuration that would support all design basis considerations. At Cooper, the licensee had no controls in place to limit the time the RHR system is operated in the suppression pool cooling mode. In this mode of operation, the system would not be capable of automatically realigning into the injection mode given certain single-failure assumptions.
At Indian Point 2, inspectors found that there were no controls for taking instrument busses off their invertors and supplying them from alternate power sources. Under accident conditions, certain instrumentation would be lost because of the shedding of loads from the alternate sources. Also at Indian Point 2, inspectors found that there were no controls for limiting the time the SI system could be used to fill accumulator tanks. During this process, if a safety systems actuation occurred, a portion of the SI flow credited in the accident analysis would be diverted.
Other Significant Issues Identified During the Course of the Inspections:
At Vermont Yankee, the licensee operated the RHR pumps at minimum flow values that were significantly less than those recommended by the pump vendor.
At Robinson, control cables for all three SI pumps were routed in the same conduit in violation of single failure and separation criteria.
At ANO, vendor-specified flow limits for the steam generators were not incorporated into plant procedures. As a result, operators were unaware that flow limits were exceeded during a plant transient.
At D.C. Cook and Cooper, failures of instrument air regulators could result in the inoperability of redundant safety trains as a result of the over pressurization of air operated valves.
The majority of the issues identified have resulted from errors in the original design or design modifications, calculational errors, inadequate corrective action, inadequate testing, and documentation discrepancies. Many of the original design, design modifications, and calculational errors can be attributed to the inadequate specification and control of system and discipline interfaces, inadequately verified calculational assumptions, or the use of superseded calculations. Licensees failed to evaluate the impact of calculational revisions on other calculations, operating and test procedures. Changes to operating and test procedures were not always reviewed against the existing calculations to ensure calculational assumptions were still bounding. Also, the lack of a controlled, easily retrievable design basis has, in some instances, hindered the ability of licensee engineers to identify all design basis safety functions of a system or component.
Inadequate corrective actions have often resulted from weaknesses in root cause analyses or from failing to assign ownership to engineering issues. In addition, the depth of internal self assessments has not always been sufficient to identify configuration management weaknesses.
Additional details regarding the specific issues identified during the NRC design inspections can be found in the following NRC Inspection Reports:
|PLANT||INSPECTION REPORT #||ACCESSION #|
|H.B. Robinson 2||50-261/97-201||9708280104|
|Three Mile Island||50-289/96-201||9704210100|
|Arkansas Nuclear 1||50-313/97-201||9803120197|
|Donald C. Cook 1 & 2||50-315/97-201||9712030232|
|St. Lucie 1 & 2||50-335/96-201||9703280271|
|Joseph M. Farley 1 & 2||50-348/97-201||9705230286|
|Washington Nuclear 2||50-397/96-201||9704250204|
|Indian Point 2||50-247/98-201||9804020083|
This information notice requires no specific action or written response. If you have any questions about the information in this notice, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.
Jack W. Roe, Acting Director
|Technical contacts:||Jeffrey Jacobson, NRR
(NUDOCS Accession Number 9806110395)