I guess you just have to hold your nose until the plant permanently shuts down...
It was a good catch by the inspector... I wonder how it came to their attention?
October 27, 2014
Mr. Christopher Wamser
Site Vice President
Entergy Nuclear Operations, Inc.
Vermont Yankee Nuclear Power Station
Vernon, VT 05354
The inspectors evaluated a modification to the reactor building crane control system
implemented by engineering change (EC) 47998, “Reactor Building Crane Control
Upgrade.” The inspectors verified that the design bases, licensing bases, and
performance capability of the crane were not degraded by the modification. In particular,
the inspectors reviewed Entergy’s license commitments and NUREG-0612, “Control of
Heavy Loads at Nuclear Power Plants,” submittals and compared them to the 10 CFR
50.59 screening form. The inspectors reviewed modification documents associated with
the upgrade and design change, including replacement of the motor-generator sets and
direct current drive motors with digital drives and other control system changes. The
inspectors reviewed the factory acceptance testing and on site test procedures to ensure
Entergy appropriately tested all affected components. The inspectors also interviewed
engineering personnel regarding the modification.
b. Findings
Introduction. The inspectors identified a finding of very low safety significance (Green)
and an associated Severity Level IV NCV of 10 CFR 50.59 when Entergy made changes
to the reactor building crane that resulted in more than a minimal increase in the
likelihood of occurrence of a malfunction of an SSC important to safety previously
evaluated in the UFSAR. Specifically, Entergy did not recognize that they had removed
redundancy from the control system needed to qualify the crane as single failure proof.
Description. NUREG-0612 includes protection against “two blocking” among the
requirements for single-failure proof cranes. Two blocking occurs when the load block is
raised so high that it contacts the hoist block, and can result in breaking the wire ropes
and a load drop. Entergy has committed to meeting the requirements of NUREG-0612,
or a similar NRC-approved requirement, when lifting heavy loads near the spent fuel
pool in order to prevent a load drop that would damage the fuel assemblies.
On August 12, Entergy began post-modification testing for EC 47998, which upgraded
the controls on the reactor building crane, which is used for heavy load lifts during
refueling outages and transfer of spent fuel to dry casks. Among other changes, this EC
changed the drives on the main and auxiliary hoists from motor-generator sets to digital
drives.
The previous design protected against two blocking by using diverse upper travel limits
that would actuate redundant relays. These relays were connected to the “suicide field”
circuit in parallel. If either one actuated as a result of the load block hitting the upper
travel limit, the suicide field circuit would be completed and the direct current motor
would not be able to move either up or down, preventing a load drop. Additionally, these
same relays provided signals to set the hoist brakes. The NRC approved this design
under the safety evaluation for technical specification amendment 29 as acceptable
protection against two blocking.
The design for the new controls under EC 47998 did not preserve the independence of
the upper travel limits. The two redundant relays were connected in series to an input
on the digital drive controller. If either one actuated as a result of hitting the upper travel
limit, the controller would receive a signal that the limit had been reached, and would
follow its programming to trip the motor and send redundant signals to set the hoist
brakes. However, a single failure of the digital controller’s input buffer, or of the digital
controller itself, could remove all protection against two blocking. The screening done to
meet the requirements of 10 CFR 50.59 did not discuss the lack of redundancy, and
therefore, Entergy did not recognize that the change would require review and approval
by the NRC before the crane could be used in an application that required it to be single
failure proof.
Simmers, a contracted crane company, performed the design of the new crane control
system. The design underwent several changes during the development process, and
Entergy did not do a thorough review of the final design in order to identify the
weaknesses. The inspectors identified the inadequate protection against two blocking
and informed Entergy staff of the issue. Entergy initiated CR-VTY-2014-03028 and
entered the issue into the corrective action program.
On August 21, Entergy completed modifications to the crane under engineering change
notice (ECN) 51333 and ECN 52469 and restored the independence of the redundant
upper travel limits. With the completed modifications, the output from the redundant
relays feeds into two input buffers on the digital drive controller and provides a signal to
set the brakes as long as the crane operator is not driving the hoist down. No lifts were
performed by the crane while the inadequate protection against two blocking was
installed. Additionally, the crane was not operated over the spent fuel pool.
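
The redundancy argument in the Description above can be checked mechanically with a success-path model. The following Python sketch is an added example, not part of the inspection report or of Entergy's analysis; the component names and the path model are assumptions chosen for illustration, and the post-ECN design is modeled on the assumption that each relay reaches the brakes through its own input buffer with no shared element, since the report says only that independence was restored.

```python
from itertools import combinations

# Each design is a list of success paths: the set of components that must all
# work for one channel to stop the hoist at the upper travel limit.
# Component names are illustrative labels, not identifiers from the report.
DESIGNS = {
    "original": [                      # relays in parallel on the suicide field
        {"upper_limit_A", "relay_A"},
        {"upper_limit_B", "relay_B"},
    ],
    "EC 47998": [                      # relays in series into one controller input
        {"upper_limit_A", "relay_A", "input_buffer", "drive_controller"},
        {"upper_limit_B", "relay_B", "input_buffer", "drive_controller"},
    ],
    "ECN 51333/52469": [               # assumed: one input buffer per relay
        {"upper_limit_A", "relay_A", "input_buffer_1"},
        {"upper_limit_B", "relay_B", "input_buffer_2"},
    ],
}

def protected(paths, failed):
    """Protection holds if at least one path contains no failed component."""
    return any(path.isdisjoint(failed) for path in paths)

def minimal_cut_sets(paths, max_order=2):
    """Smallest sets of failed components that defeat every success path."""
    components = sorted(set().union(*paths))
    cuts = []
    for order in range(1, max_order + 1):
        for combo in combinations(components, order):
            failed = frozenset(combo)
            if any(cut <= failed for cut in cuts):
                continue               # a smaller cut set already covers this
            if not protected(paths, failed):
                cuts.append(failed)
    return cuts

def single_points_of_failure(paths):
    """Components whose failure alone removes all two-blocking protection."""
    return sorted(next(iter(c)) for c in minimal_cut_sets(paths, max_order=1))

def is_single_failure_proof(paths):
    return not single_points_of_failure(paths)

if __name__ == "__main__":
    for name, paths in DESIGNS.items():
        spof = single_points_of_failure(paths)
        print(f"{name}: single-failure proof={not spof}, single points={spof}")
```

Only the EC 47998 model has order-one cut sets, and they are the two shared elements the inspectors named: the controller's input buffer and the controller itself.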
Analysis. The inspectors determined that the failure to properly screen the change was
within Entergy’s ability to foresee and correct and therefore should have been prevented
and was a performance deficiency. Specifically, Entergy failed to evaluate whether the
new design removed required redundancy and therefore could not be performed under
10 CFR 50.59.
The inspectors determined that the finding was more than minor because the change
would have required NRC review and approval in order to qualify the crane as single
failure proof. Additionally, this finding was associated with the design control attribute of
the Barrier Integrity cornerstone and adversely affected the cornerstone objective of
providing reasonable assurance that physical design barriers (e.g. fuel cladding) protect
the public from radionuclide releases caused by accidents or events. Specifically, the
design change increased the likelihood of a heavy load drop, which could have impacted
the fuel in the spent fuel pool.
This issue impeded the ability of the NRC to perform its regulatory oversight function,
because the failure to follow the requirements in 10 CFR 50.59, “Changes, Tests and
Experiments,” resulted in Entergy not submitting the change to the NRC for approval.
Therefore, the enforcement aspects of this finding were processed using the Traditional
Enforcement process.
This violation is associated with a finding that has been evaluated by the SDP and
communicated with an SDP color reflective of the safety impact of the deficient licensee
performance. The SDP, however, does not specifically consider the regulatory process
impact. Thus, although related to a common regulatory concern, it is necessary to
address the violation and finding using different processes to correctly reflect both the
regulatory importance of the violation and the safety significance of the associated
finding.
The inspectors evaluated this finding using IMC 0609, Attachment 4, “Initial
Characterization of Findings.” The inspectors determined that the finding affected the
Barrier Integrity cornerstone and evaluated the finding using Appendix A, “The
Significance Determination Process (SDP) for Findings At-Power,” Exhibit 3, “Barrier
Integrity Screening Questions.” The inspectors determined the finding was of very low
safety significance (Green) because the crane was not operated over the spent fuel
pool, nor was there an actual load drop.
Per Subsection d.2 of Section 6.1, “Reactor Operations,” of the NRC Enforcement
Policy, this is a Severity Level IV violation, because it is a 10 CFR 50.59 violation that
results in conditions evaluated as having very low safety significance by the SDP.
This finding has a cross-cutting aspect in the area of Human Performance, Avoid
Complacency, because Entergy did not avoid complacency on the review of this design
by recognizing and planning for the possibility of latent issues. The 50.59 screening was
not reviewed to ensure it fully captured the final design from the vendor, and as a result,
the vulnerability introduced by the digital controller was not considered. [H.12]
Enforcement. 10 CFR 50.59(c)(2) states, in part, that a licensee shall obtain a license
amendment prior to implementing a proposed change that results in more than a
minimal increase in the likelihood of occurrence of a malfunction of an SSC important to
safety previously evaluated in the UFSAR. Contrary to this, on August 12, Entergy
returned the reactor building crane to use after implementing a change to the control
system that removed required redundancy, increasing the likelihood of occurrence of a
malfunction that could result in damage to spent fuel. Entergy restored compliance by
completing modifications to the crane that restored the independence of the redundant
upper travel limits. Because this violation was of very low safety significance and was
entered into the corrective action program (CR-VTY-2014-03028), this violation is being
treated as an NCV, consistent with Section 2.3.2.a of the Enforcement Policy. (NCV
05000271/2014004-02, Failure to Submit Reactor Building Crane Digital Control