05000454/FIN-2009007-03

Finding

Title

Concerns with Licensee\\\'s Margin to Overfill (MTO) Analysis Related to Steam Generator Tube Rupture (SGTR) Event.

Description

The inspectors identified an unresolved item (URI) related to the licensees evaluation of potential failures of the steam generator power operated relief valves (SG PORVs) during a postulated steam generator tube rupture (SGTR) event. Specifically, the licensees margin to overfill (MTO) analysis was based on the failure of a single SG PORV to open and did not consider the potential failure of two valves to open due to a common electrical system failure (most limiting single failure). The inspectors reviewed the function on the SG PORVs during a postulated SGTR event. After a SGTR the operators open the SG PORVs associated with the intact steam generators to cooldown and depressurize the reactor coolant system. This operation would be time critical to prevent overfilling the ruptured steam generator and allowing liquid to enter the steam piping. The licensees SGTR accident analysis was based on the single failure of one SG PORV to open when required; this was consistent with UFSAR Section 15.6.3 and Table 15.0-15. Failure of one SG PORV would enable operators to cooldown the reactor coolant system using the remaining two SG PORVs. However, these electric/hydraulic valves require 480V power to operate. The four SG PORVs (MS018A-D) are powered from two redundant 480V electrical busses. Each bus provides power to two SG PORVs. Therefore, the failure of a single electrical power supply could result in the failure of two SG PORVs to operate. The inspectors questioned if the single failure assumptions used in the SGTR MTO analysis were in accordance with the Byron licensing basis. In response to this concern, the licensee stated that this question had been previously addressed in detail and provided several corrective action documents that addressed the function of the SG PORVs during a SGTR event. The inspectors reviewed the following related corrective action documents: Issued Report (IR) 00680419 (initiated October 5, 2007), addressed local operator actions to open the SG PORVs after a SGTR. This IR questioned if the operators would be able to manually open the PORVs in the times assumed by the accident analysis. This IR identified that the single failure of one 480V bus would be more limiting than the loss of the entire 4kV electrical bus because all the ECCS pumps would continue to operate if only one 480V bus was lost. The loss of one 480V bus could result in the failure of two SG PORVs to open. The AR referred to a similar issue at Catawba Station, identified in 1997, which resulted in a LER. IR 00687783 (initiated October 22, 2007), addressed similar concerns to IR 00680419. A detailed licensing basis evaluation was performed to address these concerns in IR 00687783. This IR included an evaluation of the Byron current licensing basis (CLB) regarding postulated single failures. The IR evaluation stated, in part, The conclusion drawn from the review is that for the design basis SGTR event, when the phrase single failure is used, its meaning is restricted to only single active failures and is not intended to convey all types of potential failures (i.e., passive and active). IR 00706293 (initiated December 2, 2007), addressed various SGTR issues, including the MTO single failure concerns that were previously addressed by IR 00680419 and IR 00687783. Action AR 00706293-05 was initiated to perform a third party review of the SGTR single failure criteria. The independent review was completed on December 17, 2007. This review addressed the issue of passive verses active single failure, including an extensive review of regulatory requirements. The report stated, in part, With regard to the semantics of single failure vs. active single failure, there was nothing in the licensing history reviewed that specifically said passive failures do not need to be considered. Action AR 00713904 (initiated December 19, 2007), addressed the specific recommendations of the independent review report. The conclusions of this internal review did not agree with those of the independent reviewer (AR 00706293-05). The AR 00713904 re-review concluded that a passive single failure of electrical components did not need to be considered for the SGTR MTO accident analysis. This review addresses the apparent contradiction between the GDC and Chapter 15 of the SRP. Action AR 00713904-04 stated, in part, The SRP on accident analyses and the GDC were prepared for different purposes. The GDC set forth a conservative set of rules for design that are intended to achieve defense in depth. The performance objectives of the GDC are high-level goals relating to the health and safety of the public. The SRP on accident analysis provides specific direction regarding the methodology, assumptions, and acceptance criteria for detailed analysis of accidents and Anticipated Operational Occurrences (AOOs). For some accidents, the SRP may establish additional intermediate-level acceptance criteria at a lower level than the high level performance objectives of the GDC. It may be possible for a plant design to meet the high level performance objectives of the GDC for a broad spectrum of initiating events and failures (including multiple failures); but the ability to meet specific acceptance criteria in accident analysis may be contingent on the specific assumptions made (the SRP acceptance criteria was established with a specific set of assumptions in mind.) The review then addressed the question of why it was acceptable not to analyze for passive failures. The response to that question stated, The underlying technical basis for the SRPs approach to accident analysis is based on risk assessment methodology. Condition IV and other accident events have a very low frequency of occurrence. When combined with an additional random single active failure, the probability of the event combination is even lower (e.g., Condition IV events with two random active failures) would not add significant value in improving safety, and therefore is not required. A similar argument can be made for the combination of accidents with random passive failures. Finally, the review included a risk-based argument, which addressed how the above discussion related to the licensing of the SGTR accident analysis. This portion on the review includes a discussion of compliance with GDC 17, which states that the electrical system design meets the GDC 17 criteria but also includes the statement, GDC 17 does not address the intermediate-level acceptance criteria for the SGTR accident analysis of preventing overfill of the ruptured SG. For the SGTR the high-level performance objective of the GDC is met, with or without SG overfill; and, therefore, one need not distinguish between active and passive failures. The inspectors noted that the Byron licensing basis for SGTR events was based on the generic Westinghouse analysis. The Westinghouse SGTR analysis (WCAP-10698) was based on a three-loop reference plant and the failure of a single SG PORV to open but did not specifically address electrical bus failures. In the single failure evaluation section, the WCAP stated, common mode failures of all steam generator PORVs were not evaluated since electrical power and air supplies to the PORVs are largely plant specific... The associated NRC evaluation (dated March 30, 1987), concluded that the WCAP analysis methodology was conservative, but pointed out that there may be major design differences between plants and required plant specific information. Section D.5 of the NRC evaluation required the following plant specific information, A survey of plant primary and balance-of-plant systems design to determine the compatibility with the bounding plant analysis in WCAP-10698. Major design differences should be noted. The worst single failure should be identified if different from the WCAP-10698 analysis and the effect of the difference on the margin of overfill should be provided. In response to the NRC, the licensee provided the required plant specific information (Commonwealth Edison letter, dated April 25, 1990). This letter included revision 1 of the SGTR analysis for the Byron and Braidwood plants. The analysis stated, in part, The compatibility of the Byron/Braidwood systems with the WCAP-10698-P-A bounding plant analysis has been evaluated and no major design differences affecting the MTO exist. The same limiting single failures as identified in WCAP-10698-P-A and Supplement 1 of WCAP-10698-P-A were utilized in the analysis... The NRCs evaluation of the Byron/Braidwood plant specific SGTR analysis (NRC letter dated April 23, 1992) included a statement that the licensee had responded satisfactorily to this confirmatory issue. Based on review of these corrective action documents, review of available Byron licensing documentation, and extensive discussions with Byron personnel, the inspectors were concerned that the licensee did not correctly evaluate the potential failure of the steam generator power operated relief valves (SG PORVs) during a postulated steam generator tube rupture (SGTR) event. The application of the single failure criteria is addressed in 10 CFR 50, Appendix A, the definition of single failure states: A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither: (1) a single failure of any active component (assuming passive components function properly); nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.2 2 Single failures of passive components in electric systems should be assumed in designing against a single failure. The conditions under which a single failure of a passive component in a fluid system should be considered in designing the system against a single failure are under development. This definition of single failure clearly states that single failures of passive components in electric systems should be assumed in designing against a single component failure. Based on this, it did not appear valid to make a distinction between active and passive failures of electrical components in accident analyses. In addition, 10 CFR 50, Appendix A, GDC 17, states, in part: An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that: (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences; and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents. The onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure... The inspectors were concerned that the licensees position that GDC 17 does not address the intermediate-level acceptance criteria for the SGTR accident analysis of reventing overfill of the ruptured SG was not correct. The GDC 17 stated that onsite electric power supplies shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. In accordance with the Byron licensing basis, preventing overfill of the ruptured steam generator was a safety function of the onsite electric power supply. Because the operator response time would not be adequate to locally open the SG PORVs after a SGTR event, the onsite electric power supply must be capable of performing that safety function, assuming a single failure (either active or passive). The licensee initiated IR 00897354 on March 25, 2009, to document the NRCs position on this issue; this IR stated that some mitigating actions would be initiated and stated that a new IR would be written upon formal receipt of NRCs position. The IR 00897354 did not include corrective actions to address the licensees single failure assumptions. The licensee also referred the inspectors to guidance included in NRC NUREG/CR 4893, dated May 1991. The inspectors reviewed the NUREG and noted that it discussed the assumption of worst single active failures in the analysis of SGTR events. However, the NUREG did not specifically address electrical failures and it was not clear if the reference to single active failures was applicable to electrical failures or just to fluid system failures. In addition, the inspectors reviewed the applicability of unresolved item (URI)05000454/2005002-06; 05000455/2005002-06 to this issue. As documented in NRC Inspection Report 05000454/2008008; 05000455/2008008 (dated May 5, 2008), the NRC determined that Byron was required to consider the passive failure of electrical components in the power supplies to essential service water cooling tower fans. This determination was based, in part, on the requirements of 10 CFR 50, Appendix A. The NRC determined that the provisions of 10 CFR 50.109(a)(4) were applicable, in that, a modification was necessary to bring the facility into compliance with the rules and orders of the Commission. The inspectors were concerned that this licensing basis issue was very similar to the SGTR MTO analysis issue, and that Byron failed to adequately evaluate the impact of this determination on the SGTR MTO analysis. The inspectors have discussed this design and licensing basis issue with NRC staff in the Office of Nuclear Reactor Regulation. Due to complexity of establishing the appropriate design and licensing bases for this issue, this item is considered unresolved pending further NRC review (URI 05000454/455/2009007-03(DRS)).

03
Site:	Byron
Report	IR 05000454/2009007 Section 1R21
Date counted	Mar 31, 2009 (2009Q1)
Type:	URI:
cornerstone	Barrier Integrity
Identified by:	NRC identified
Inspection Procedure:	IP 71111.21
Inspectors (proximate)	J Pearson J Bozga R Skokowski M Learn E Love C Tilton G Morell R Ng C Thompson B Bartlett J Robbins J Cassidy M Mitchell J Neurauter D Jones S Bakhsh T Go V Meghania Dunlopz Falevits C Brown C Baron S Lewis J Gilliam A Stone A Della Grec
INPO aspect
'
v • d • e

Finding - Byron - IR 05000454/2009007

2(2)3(4)4(6)5(3)6(0)7(5)8(2)9(0)402(0)403(1)404(0)502(0)

IR 05000454/2009007: 1 2 3 4 1

Finding List (Byron) @ 2009Q1

CCA Matrix: 2009Q1

	Q	CCA	Title
05000454/FIN-2008004-01	2008Q3	H.14	Isolating Carbon Dioxide Fire Suppression System in Upper Cable Spreading Rooms Without Prior NRC Approval
05000454/FIN-2008004-03	2008Q3	H.5	Missed Venting of the Safety Injection System Piping
05000454/FIN-2008004-02	2008Q3	H.6	Inadequate Preventative Maintanance for the Unit 2 Train B Station Air Compressor
05000454/FIN-2008009-01	2008Q4		Failure to Update the Boron Recycle and RHR System Descriptions in the UFSAR
05000454/FIN-2008009-02	2008Q4		Failure to Analyze Inlet Piping Loads and Establish an Adequate Hut Quench Volume
05000454/FIN-2008005-02	2008Q4	H.11 H.12	Failure to Evaluate Radiological Hazards for Airborne Radioactivitity
05000454/FIN-2008005-01	2008Q4	H.4 H.5	Failure to Remove or Evaluate Loose Debris Inside of Containment Prior to Applicable Mode
05000454/FIN-2009007-03	2009Q1		Concerns with Licensee\\\'s Margin to Overfill (MTO) Analysis Related to Steam Generator Tube Rupture (SGTR) Event.
05000454/FIN-2009007-04	2009Q1		Insufficient Design Bases for Second-Level (Degraded) Voltage Timer Settings
05000454/FIN-2009002-01	2009Q1	H.7	Failure to Perform an Adequate Risk Assessment that Accounted for All Risk Significant Structures, Systems and components that were Unavailable Prior to Maintenance Activities.
05000454/FIN-2009002-02	2009Q1		Failure to Adhere to Scaffold Procedures
05000454/FIN-2009007-01	2009Q1	P.5	Failure to Maintain/Extend the Qualification Basis for Molded-Case Circuit Breakers (MCCBs) Used In Safety-Related Applications Greater than 20 Years.
05000454/FIN-2009007-02	2009Q1	H.14	Inadequate Analysis of Molded-Case Circuit Breaker Test Data

Self-Identified List (Byron)

	Q	Title
05000454/FIN-2008005-03	2008Q4	Licensee-Identified Violation
05000454/FIN-2008005-04	2008Q4	Licensee-Identified Violation
05000454/FIN-2008005-05	2008Q4	Licensee-Identified Violation
05000454/FIN-2008005-06	2008Q4	Licensee-Identified Violation

[Byron Findings full list]

05000454/FIN-2009007-03

Navigation menu

Search