BYRON 2008-0096, Submittal of Supporting Documentation for September 16, 2008 Regulatory Conference, Root Cause Investigation Report Content and Format, Page 45 of 73 Through End

ML083030331
Person / Time
Site: Byron
Issue date: 09/08/2008
From: Grundmann W
Exelon Generation Co, Exelon Nuclear
To:
Document Control Desk, Office of Nuclear Reactor Regulation
Shared Package
ML083030310 List:
References
BYRON 2008-0096, IR-08-003


Text

23. ATTACHMENT 4 - RISK EVALUATION BB PRA-017.91B

PURPOSE

This evaluation examines the risk significance associated with the failure to conduct a risk evaluation in accordance with the requirements of the Maintenance Rule section a(4) before removing power to 1SX033 and 1SX034 valves as part of maintenance activities during the refueling outage at Byron Unit 1. Byron Unit 2 was operating at power during the outage at Unit 1.

BACKGROUND

On April 6, 2008, Byron staff members were making preparations to replace the 1SX034 valve with a newer and improved valve. In the process of isolating SX flow to the valve, the 1SX033 valve was closed using its motor operator. Although closed, the 1SX033 valve did not provide a completely water tight seal sufficient to allow removal and replacement of the 1SX034 valve without water leakage into the work area. For large (36") butterfly valves of this type, small leakage is not an unusual occurrence.

A decision was made to use the manual operator for 1SX033 to tighten the seal between the butterfly and the seat by manually closing the valve operator further than the motor operator could. While manually tightening the closure of the valve, operators noticed a "pop" noise followed by a decrease in the torque needed to turn the valve operator. At that point, the effort to replace 1SX034 was stopped and troubleshooting to determine the status of the 1SX033 operator was begun.

As part of the troubleshooting efforts, both the 1SX033 and 1SX034 valves were fully opened using their motor operators. Power was then removed from both valves as part of the effort to investigate the condition of the 1SX033 operator. The open position is the normal operating position of both the 1SX033 and 1SX034 valves. This alignment cross ties the SX pump supply to the A and B headers within Unit 1. This allows one SX pump to provide flow for both trains during normal operations.

However, operators failed to recognize that removal of power for these valves disabled the remote isolation capability normally relied on in the event of an auxiliary building flooding condition (IR # 759945 [8]). Abnormal Operating Procedure OBOA PRI-8 [1] directs operators to isolate the trains as part of steps to determine which train contains the leak so that it can be effectively isolated to limit the impact of flooding in the auxiliary building. Auxiliary Building flooding could impact both the unit in outage as well as the unit at power because of the nature of sharing inherent in the design of the SX system and the layout of the Auxiliary Building. Therefore, a risk evaluation for the condition should have been conducted for both the unit in outage and the unit at power.

METHOD and ACCEPTANCE CRITERIA

An evaluation of the condition for both units should have been made prior to entering a condition where both the 1SX033 and 1SX034 valves could not be isolated remotely from the control room in accordance with OBOA PRI-8. NRC Inspection Manual Chapter 0609 Appendix K [2] is the guiding document for conducting the significance determination process (SDP) for "findings related to licensee assessment and management of risk associated with performing maintenance activities under all plant operating or shutdown conditions".

In the event that no assessment of risk was performed prior to maintenance activities, App. K provides a flow chart to assess the impact of the failure to assess the risk implications of the maintenance. Portions of that flow chart applicable to this occurrence are reproduced below.

9/8/2008 Page 45 of 73

App. K indicates that for cases where no risk assessment was performed, the risk deficit is defined as follows:

"If the licensee did not perform a risk assessment at all, the actual risk increase (ICDPactual) is the product of the incremental CDF and the annualized fraction of the duration of the configuration [i.e., ICDPactual = ICDFactual x (duration in hours) ÷ (8760 hours per reactor year)], where ICDFactual = CDFactual - CDFzero-maintenance. The risk deficit, ICDPD, is equal to ICDP when the licensee's performance deficiency involves not conducting a risk assessment."

App K identifies that the number of RMAs (risk management activities) is also a factor in determining the SDP "color". The flowchart shows how the combination of the risk deficit and the number of RMAs taken affects the final SDP evaluation.

Byron does not use a quantitative shutdown risk model for assessing and managing risk for outage situations, but does use a risk model for assessing and managing risk for operations at power. App. K notes that qualitative assessments are done for the former in a Note prior to Section 4.0, which invokes the flowchart noted above.

licensees who only perform qualitative analyses of plant configuration risk due to maintenance activities, or (2) performance deficiencies related to maintenance activities affecting SSCs needed for fire or seismic mitigation. When performance deficiencies are identified with either 1 or 2 above, the significance of the deficiencies must be determined by an internal NRC management review using risk insights where possible in

[Flowchart 1: Assessment of Risk Deficit. The flowchart image is not recoverable from the scanned text.]

To evaluate the implications of having the 1SX033 and 1SX034 valves' power removed, there are two analyses that need to be performed. The first one involves the impact on the unit in outage and the second the impact on the unit at power. T&RM ER-AA-600-1041 [6] provides guidance for performing SDP analyses. T&RM ER-AA-600-1012 [3] provides the guidance for documenting this evaluation.

LERF values are more than an order of magnitude lower than CDF values for Byron.

The specific failure modes of the 1SX033 and 1SX034 valves have no impact on the LERF except through their impact on CDF. Therefore, calculations based on CDF are the more limiting cases.

ANALYSIS INPUTS and RESULTS

For unit 1, which was in a refueling outage at the time that the valves had power removed, a qualitative assessment is required. During this period, the reactor head was removed and was flooded up so that fuel could be moved back into the reactor. The spent fuel pool was at normal levels. Decay heat was being removed via the component cooling heat exchangers to the essential service water system.

According to the plant status reports prepared for each shift turnover during the outage in accordance with Attachment 1 to OU-BY-104 Revision 10 [7], there was in excess of 16 hours to core boiling in the event of a loss of cooling and over 24 hours to core damage. Even if one were to assume a total loss of essential service water due to an auxiliary building flooding event with failure of both 1SX033 and 1SX034 to close, the amount of water required to keep the core and spent fuel pool covered and cooled is minimal. Fire protection water, an alternate cooling water source, alone would be more than adequate for those purposes. In addition, recent changes made in response to the NRC security orders under section B.5.b would also be available if needed.

These are not included in this evaluation due to the sensitive nature of information related to those orders.

Given an SX leak in the Auxiliary Building at a rate of 7.6E-04 per year based on the flooding analysis notebook (BB PRA-012 Rev. 4 [4]) and a period of interest of 42.3 hours, the maximum frequency of loss of SX would be 3.7E-06 per year. Given the fact that the times to boil and uncovery were very long, and that fire protection water was available (along with other sources identified as part of the recent security inspections associated with section B.5.b of the NRC orders following the 9/11 events), it is qualitatively presumed that the probability of core damage frequency deficit for the outage unit would be significantly below the 1E-6 value noted in the App. K flowchart.

Based on these qualitative insights, the SDP assessment for the outage unit would be Green.

For the unit operating at power, there are two scenarios where the loss of integrity of SX piping in the Auxiliary Building could affect risk. These are risks associated with leaks (flow rate <2000 gpm) and with ruptures (flow rates >2000 gpm). In order to prevent core damage, the flooding analysis presumes that loss of the SX pumps and inability to maintain charging pump flow will lead to core damage. This is due to the potential reactor coolant pump (RCP) seal LOCA that could occur if charging (RCP seal injection) and component cooling water (CCW barrier cooling) were both lost.

Flooding induced failures of the SX pumps could lead to the loss of the RCP thermal barrier cooling capability via loss of CCW cooling while inundation of the charging pumps would lead to failure of RCP seal injection. Loss of SX would also prevent operation of RCS injection systems so that a RCP Seal LOCA would eventually lead to core damage due to lack of injection.

The Flooding Analysis [4] indicates that the frequency of SX pipe ruptures (flow rates >2000 gpm) is 9.6E-06 per year. For the 42.3 hour duration, this is equivalent to a frequency of 4.6E-08 per year. Assuming that neither 1SX033 nor 1SX034 could be closed to isolate a rupture in accordance with OBOA PRI-8 in time to prevent loss of SX and loss of charging, the frequency would still indicate a Green condition per Appendix K of IMC 0609.

The frequency of leaks between 100 gpm and 2000 gpm is 7.6E-04 in the Flooding Analysis [4]. For the 42.3 hour duration when neither the 1SX033 nor the 1SX034 valves were capable of closure in accordance with OBOA PRI-8, this equates to a frequency of 3.7E-06. However, even for the maximum flow rate among leaks (2000 gpm) it would take 10.8 hours to reach the point (1.29 million gallons per the Flooding Analysis) where the charging pumps would be inundated (215 hours at the minimum leakage rate). BOP SX-22 [5] provides the procedure for isolating SX leaks at specific locations in the Auxiliary Building.

The probability of failure to isolate a leak is low for several reasons:

1. The time to isolate is between 10.8 hours for a 2000 gpm leak and 215 hours for a 100 gpm leak.
2. A procedure exists to specify valves to isolate any particular piping segment in the Auxiliary Building. In addition, Operators are trained in use of P&IDs for troubleshooting problems with systems that are not functioning as would be expected in procedures such as OBOA PRI-8.
3. Complete isolation of the affected segment per BOP SX-22 is not needed in order to stop the flooding. The impact of failure of closing 1SX033 and 1SX034 is that the A and B supply for the unit 1 trains are cross tied. Other means exist to isolate the supply side of either the A or B train without having to perform the complete isolation of a leaking pipe segment. Isolation of five valves (1SX004, 1SX016A(B), 1SX013A(B), 1SX2103A (1SX173), and 1SX052A(B)) in the major supply headers downstream of 1SX012A(B) would accomplish the same function as closing 1SX033 or 1SX034 for train isolation purposes.

4. With unit 1 in a refueling outage, there were more people on-site and in the Auxiliary Building than normally would be the case. Therefore, detection of the leak location and availability of staff to perform isolation steps would be enhanced.
5. Additional staff through manning of the Outage Control Center (and TSC/EOF if needed) would be available in plenty of time to diagnose and effect isolation.

Using the SPAR-H methodology, the value for probability of failure to isolate would be about 6.0E-02 (Attachment 2). When combined with the frequency of the condition (leaks between 100 and 2000 gpm with failure of 1SX033 and 1SX034 for 42.3 hours) the result is about 2.2E-07. When combined with the rupture failure to isolate probability of 4.6E-08, the total for leaks and ruptures that could not be isolated would be 2.7E-07, which is well below the 1.0E-06 value in Appendix K.

Using the nominal HRA methodology for Byron and Braidwood, which involves the cause based decision tree (CBDT) method combined with the Accident Sequence Evaluation Program (ASEP) time response curves for cognitive error and the Technique for Human Error Prediction (THERP) method for execution errors, the probability of failure to isolate for leaks would be about 2.3E-02 (Attachment 1). This would further reduce the frequency of failure to isolate for leaks but would have no impact on failure to isolate for ruptures. This results in the actual incremental CDF of 8.4E-08 from the leaks. Thus, the combined value for leaks and ruptures would be about 1.3E-07 (4.6E-08+8.4E-08), which is well below the 1.0E-06 threshold in Appendix K.
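The arithmetic in this analysis can be checked end to end. The following Python sketch is an added example, not part of the submittal: it applies the App. K duration scaling and the HEP adjustment written out in Attachment 2's "Adjustment applied" lines to the figures quoted above, and goes one step further by computing how large the leak-isolation failure probability could become before the total reaches the 1.0E-06 value. Function and constant names are illustrative, and, as in the text, every unisolated flood is treated as leading to core damage.

```python
# Added example: reproduces the Appendix K risk-deficit arithmetic of this evaluation.
# Function and constant names are illustrative, not taken from the submittal.

HOURS_PER_REACTOR_YEAR = 8760.0
APP_K_THRESHOLD = 1.0e-6       # value the text compares the result against

EXPOSURE_HOURS = 42.3          # both valves open with power removed
LEAK_FREQ = 7.6e-4             # per year, leaks of 100-2000 gpm (Flooding Analysis [4])
RUPTURE_FREQ = 9.6e-6          # per year, ruptures > 2000 gpm (Flooding Analysis [4])
CRITICAL_VOLUME_GAL = 1.29e6   # flood volume at which the charging pumps are inundated


def exposure_scaled(freq_per_year, hours):
    """App. K scaling: incremental frequency x (duration in hours) / 8760."""
    if freq_per_year < 0 or hours < 0:
        raise ValueError("frequency and duration must be non-negative")
    return freq_per_year * hours / HOURS_PER_REACTOR_YEAR


def adjusted_hep(nominal_hep, composite_psf):
    """HEP adjustment as written in Attachment 2: N*PSF / (N*(PSF - 1) + 1).

    The denominator keeps the result at or below 1.0 for large multipliers.
    """
    if not 0.0 <= nominal_hep <= 1.0 or composite_psf <= 0:
        raise ValueError("nominal HEP must be in [0, 1] and the multiplier positive")
    return nominal_hep * composite_psf / (nominal_hep * (composite_psf - 1.0) + 1.0)


def spar_h_hep():
    """Diagnosis, action and total HEP from the composite multipliers in Attachment 2."""
    diagnosis = adjusted_hep(1.0e-2, 5.0)    # nominal 1.0E-2, composite PSF 5.0
    action = adjusted_hep(1.0e-3, 12.0)      # nominal 1.0E-3, composite PSF 12
    return diagnosis, action, diagnosis + action


def hours_to_inundation(leak_gpm):
    """Time for a constant leak to reach the critical flood volume."""
    if leak_gpm <= 0:
        raise ValueError("leak rate must be positive")
    return CRITICAL_VOLUME_GAL / leak_gpm / 60.0


def risk_deficit(hep_leak_isolation, hep_rupture_isolation=1.0):
    """Leak and rupture contributions; ruptures are assumed never isolated by default."""
    leak = exposure_scaled(LEAK_FREQ, EXPOSURE_HOURS) * hep_leak_isolation
    rupture = exposure_scaled(RUPTURE_FREQ, EXPOSURE_HOURS) * hep_rupture_isolation
    return {"leak": leak, "rupture": rupture, "total": leak + rupture}


def max_leak_hep_for_threshold():
    """Leak-isolation failure probability at which the total equals the threshold."""
    rupture = exposure_scaled(RUPTURE_FREQ, EXPOSURE_HOURS)
    return (APP_K_THRESHOLD - rupture) / exposure_scaled(LEAK_FREQ, EXPOSURE_HOURS)


def sci(value):
    """Two-significant-figure scientific notation, matching the report's rounding."""
    return f"{value:.1e}"


if __name__ == "__main__":
    diagnosis, action, total_hep = spar_h_hep()
    print("SPAR-H HEP:", sci(diagnosis), "+", sci(action), "=", sci(total_hep))
    print("Hours to inundation at 2000 / 100 gpm:",
          round(hours_to_inundation(2000), 2), hours_to_inundation(100))
    for label, hep in (("SPAR-H", total_hep), ("CBDT/ASEP/THERP", 2.3e-2)):
        result = risk_deficit(hep)
        print(label, {k: sci(v) for k, v in result.items()},
              "below threshold:", result["total"] < APP_K_THRESHOLD)
    print("Leak HEP at which the threshold is reached:",
          round(max_leak_hep_for_threshold(), 3))
```

The last figure shows the margin: the total stays below 1.0E-06 for any leak-isolation failure probability under roughly 0.26, several times the SPAR-H estimate.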

SUMMARY

Operators failed to perform a risk evaluation prior to engaging in maintenance activities that rendered portions of the SX system incapable of being used for isolating potential leaks or ruptures. In this condition, neither the 1SX033 nor 1SX034 valves could be operated remotely for purposes of train isolation in accordance with OBOA PRI-8. The plant was in the condition where both valves were open and incapable of remote operation for 42.3 hours. Assuming that SX piping ruptures (>2000 gpm) could not be isolated by other means and assuming that operators could potentially isolate leaks (between 100 gpm and 2000 gpm) before core damage would be assured, the actual core damage frequency associated with this configuration is about 1.3E-07, which is well below the 1.0E-06 threshold of Appendix K to IMC 0609 Figure 1 for evaluating the risk significance of such events. Therefore, the risk significance of this condition should be assessed as Green.

REFERENCES

1. Byron Abnormal Operating Procedure OBOA PRI-8, Revision 0.
2. USNRC Inspection Manual Chapter 0609 Appendix K.
3. T&RM ER-AA-600-1012, Rev. 7, Risk Management Documentation.
4. BB PRA-012 Rev. 4, Internal Flooding Analysis Notebook. March 2008.
5. Byron Operating Procedure BOP SX-22, Revision 1.
6. T&RM ER-AA-600-1041, Rev. 6, Risk Metrics - SDP & Event Analysis.
7. T&RM OU-BY-104, Rev. 10, Shutdown Safety Management Program Byron/Braidwood Annex.

Attachment 1:

HEP for Isolation Failure for Leaks When 1SX033 and 1SX034 Fail

Data Not Available. Branch #2 (variable name is '-p-a-2") is chosen because the procedures for isolating Auxiliary Building Flooding per BOA PRI-8 and BOP SX-22 are relatively new and limited training opportunities have been undertaken.

Data Available But Not Attended To. The workload is assumed high due to the fact that one unit is in a refueling outage.

Branch #8 is selected since Auxiliary Building flooding is alarmed via sump level alarms.

Communications issues. Branch #1 is a default for all HEP assessments. The Byron and Braidwood control room layouts have been subjected to formal human factors review & validation. The plant policy is to emphasize 3-way communications; this is stressed in all training.

Available Information Misleading & Misinterpreted. Branch #4 is chosen because the procedures are relatively new and training on them is limited.

Skipping the Relevant Step in the Procedure. Branch #8 is selected (Multiple procedures, E-0 and OA PRI-8, and BOP SX-22). With one exception, there is no requirement for using any place keeping aids. The exception is the use of Status Trees (ST). Except for 'boxed' procedure steps (immediate, memorized steps), and steps identified by 'diamond symbol' (for continuous actions), the procedure design does not include any feature that would prevent the operators from overlooking a procedure step not "graphically distinct."

Misinterpretation of the Instruction. Branch #3 is selected because determination of the actual break location is a function of the ability of the staff in the Auxiliary Building to locate the leak and communicate that to the control room. Also, training on the relatively new OBOA PRI-8 and BOP SX-22 is limited.

Error in Interpreting the Decision Logic. This CBDT is concerned with presence of logic statement(s) in procedure. Branch #10 is selected since the cited procedure steps include my written logic statements. Furthermore, it is assumed that the operators have received limited training on this action.

Attachment 2: SPAR-H Estimate of HEP

23.1. OSX-SX22ISO-HVOA, Operators Fail to Isolate Leak per SX-22 when 1SX033 and 1SX034 fail to close

Basic Event Summary

Analyst: OEM
Rev. Date: 06/16/08
Reviewer:
Cognitive Method: SPAR-H
Analysis Database: no33-34.HRA (06/16/08, 507904 Bytes)

Table 1: OSX-SX22ISO-HVOA SUMMARY

Cognitive: 4.8e-02
Execution: 1.2e-02
Total: 6.0e-02

Plant: Byron

Initiating Event: SX flood leak (100-2000 gpm)

Basic Event Context:

Basic Event Context:

Following a leak (100-2000 gpm) in the SX system in the Auxiliary Building during one unit in outage, failure of 1SX033 and 1SX034 to close prevents train isolation due to cross tie on the supply side to both SX trains. OBOA PRI-8 Step 7 calls for identification of which train the leak is coming from and isolation of that train by closing the 1SX033 or 1SX034 valves to separate A and B train supplies. BOP SX-22 provides specific valve lists to isolate particular break locations, but no guidance related to addressing failures of particular isolation valves. However, the operators are trained to address SX leak isolation through review of the P&IDs to identify and secure isolation points. In this case, only the supply side for the affected train needs to be isolated because the train isolation of the discharge path via 112SX011 is presumed successful. There are five valves in each train downstream of the 1SX033 and 1SX034 valves which can accomplish this function. They are SX004 and SX016(A/B), which are MOVs operable from the control room, and SX013(A/B), SX052(A/B), and SX2103A (SX173), which are manual valves operable locally. More than 10 hours are available to take this action before charging pumps are inundated.

Timing:

T_sw = 10.00 Hours; T_delay = 0.50 Hours; T_1/2 = 0.00 Minutes; T_M = 2.20 Hours

[Timeline figure: t=0, Cue, Irreversible Damage State]

Timing Analysis: Assuming isolation of a manual valve requires 20 minutes and that 1 minute is needed for a valve in the MCR, the 5 additional valve isolations that would be required to make up for 1SX033 or 1SX034 failure would contribute 62 minutes to the manipulation time if the valves were addressed sequentially. Most other isolation cases include only a few manual valve manipulations and 1 hour would be a reasonable manipulation time for those valves. There are some cases, however, that require as many as 10 local valve closures. In these cases, 3.3 hours would be required to isolate them sequentially. For this case, minimal parallel work is assumed: the 4.3 hours of ex-MCR work is assumed to be split among two crews so that it could be completed in about 2.2 hours. The MCR isolations are considered to be completed in parallel with the ex-MCR work and no additional time is added to address those actions.

The system window of 10 Hours is based on the time needed to reach critical flood volume 2 in the Flooding Analysis in BB PRA-012 Revision 3 for the worst leak rate (2000 gpm).

For the smallest leak size (100 gpm) it would take about 215 hours to reach that level.

The delay time of 30 minutes, which is the length of time to the cue, is based on the time to reach sump alarm levels with minimum leak flow, but would more likely be much earlier due to visual identification from a crew member due to the fact that one unit was in a refueling outage and numerous staff were in the Auxiliary Building.

Time available for recovery: 438.00 Minutes
SPAR-H Available time (cognitive): 438.00 Minutes
SPAR-H Available time (execution) ratio: 4.32
Minimum level of dependence for recovery: ZD

PART I. DIAGNOSIS (recommended choice based on timing information in bold)

Nominal time 1; Extra time (between 1 and 2 x nominal and > 30 min) 0.1; Expansive time (> 2 x nominal and > 30 min) X 0.01; Insufficient Information 1

Based on the timing analysis, "expansive" time is available.

Stress: Extreme 5; High X 2; Nominal 1; Insufficient Information 1

The long time available before negative consequences will reduce the stress for the scenario.

Complexity: Highly complex X 5; Moderately complex 2; Nominal 1; Obvious diagnosis 0.1; Insufficient Information 1

Low X 10; Nominal 1; High 0.5; Insufficient Information 1

Procedures OBOA PRI-8 and BOP SX-22 are relatively new and limited training has occurred due to their recent implementation. In addition, the operators would be required to use P&IDs and information from plant staff to identify the location of the leak and means of isolating the condition when 1SX033 and 1SX034 failed to close. Therefore, a decrement to Low was chosen.

PSFs | PSF Levels | Multiplier for Diagnosis

The procedure BOP SX-22 identifies appropriate isolation points for leaks in the SX system. When multiple isolation valves fail to operate in accordance with OBOA PRI-8, the operators would rely on their training to help them isolate the leak using alternate valves. No procedure can be written to address all failure cases and they are not expected to do so, but a degraded condition is used to account for the difficulties

Fitness for Duty: Unfit P(failure) = 1.0; Degraded Fitness 5; Nominal X 1; Insufficient Information 1

Work Processes: Poor 2; Nominal X 1; Good 0.8; Insufficient Information 1

Diagnosis HEP: 4.8e-02 [Adjustment applied: 1.0E-2 * 5.0e+00 / (1.0E-2 * (5.0e+00 - 1) + 1)]

PART II. ACTION (recommended choice

PSFs | PSF Levels | Multiplier for Diagnosis

Insufficient Information 1

Experience/Training: Low X 3; Nominal 1; High 0.5; Insufficient Information 1

Procedures: Not available 50; Incomplete 20; Available, but poor 5; Nominal X 1; Insufficient Information 1

Missing/Misleading 50; Poor 10; Nominal X 1; Good 0.5; Insufficient Information 1

Fitness for Duty: Unfit P(failure) = 1.0; Degraded Fitness 5; Nominal X 1; Insufficient Information 1

Work Processes: Poor 5; Nominal X 1; Good 0.5; Insufficient Information 0.5

Action Probability: 1.2e-02 [Adjustment applied: 1.0E-3 * 1.2e+01 / (1.0E-3 * (1.2e+01 - 1) + 1)]

PART III. DEPENDENCY

[Dependency condition table: combinations of close in time / not close in time, same / different, and additional / no additional, assigned to Complete, High, Moderate, Low or Zero dependence. The table layout is not recoverable from the scanned text.]

Task Failure WITHOUT Formal Dependence: 6.0e-02

Task Failure WITH Formal Dependence:

RM DOCUMENTATION NO. BB PRA-017.91B    REV: 0    PAGE NO. 16 of 16
STATION: Byron
UNIT(S) AFFECTED: UNITS 1 and 2

Byron SDP Evaluation of Failure to Conduct a Risk Evaluation Prior to Disabling 1SX033 and 1SX034 Remote Isolation Capability

SUMMARY (Include UREs incorporated):

This document evaluates the risk significance of operator failure to conduct a risk evaluation in accordance with Maintenance Rule section a(4) prior to beginning maintenance on the 1SX033 and 1SX034 valves. Both valves were opened and power was removed by opening their supply breakers. This disabled the ability to close the valves in response to SX floods in the Auxiliary Building.

Number of pages: Total 73 pages, including this page.

RM Document Level: Category 2, per ER-AA-600-1012.

[ ] Review required after periodic Update
[X] Internal RM Documentation
[ ] External RM Documentation

Electronic Calculation Data Files: (Program Name, Version, File Name extension/size/date/hour/min)

Method of Review: [X] Detailed  [ ] Alternate  [ ] Review of External Document

This RM documentation supersedes: in its entirety.

Prepared by: / / 6/19/08 (Print / Sign / Date)
Reviewed by: Young In / / 6/19/08 (Print / Sign / Date)
Approved by: / / 6/19/08

ATTACHMENT 5 -- CAUSE AND EFFECT ANALYSIS -- GENERIC

Knowledge Based Decision Required

Understanding Needs Improvement

CAUSE/REASON

  • CO notes require SRO to evaluate for Technical Specifications at time CO is placed; no reference to risk.
  • Personnel do not recognize the potential risk significance of the 1SX033 and 1SX034 related to Auxiliary Building internal flooding. (Dual function high-risk components)
  • Knowledge based understanding required.
  • U2 OLR not evaluated for configuration change.
  • Cycle Manager 2 wasn't concerned with 1SX033 and 1SX034 availability to position from the MCR until Risk Engineer stated.
  • Process -- no flag or warning to alert personnel dual function high-risk components being used as isolation points on COs or WOs.
  • Training - less than adequate understanding of dual function high-risk components as they affect OLR.
  • Training - less than adequate understanding of Auxiliary Building internal flooding as related to plant risk.
  • Process -- Dual function high-risk components are not identified in rule-based guidance available to Shift Managers, SROs, Cycle Managers, and Work Week Managers.
  • Training - licensed operator training learning objectives, lesson plan content does not address dual function high-risk components and their potential affect on OLR.
  • Training - less than adequate review of auxiliary building internal flooding for plant processes and procedures.

Conclusions - Causes:

1. Dual function high-risk components are not identified in rule-based guidance.
2. Licensed operator training learning objectives and lesson plan content does not address dual function high risk components and their potential affect on OLR.
3. Less than adequate review of auxiliary building internal flooding for plant processes and procedures.
4. Ineffective risk management program administration oversight.

Barrier Analysis Simplified

tions - Is assessment of Risk acceptable?

Does reassessment of risk against the ongoing workweek risk file result in a green or yellow risk color as prescribed in Attachment 3? (The following requirement shall not delay nor impede restoration of the plant to a stable condition).

Shift Operations must reassess risk and document the result of the evaluation (risk color), even if there is no corresponding change in risk status, in the Shift Manager log.

Step 4.5.12 Shift Manager - Take appropriate actions to mitigate risk.

If emergent condition results in an orange or red risk color, or risk results are unavailable, the following compensatory measures must be enacted to mitigate the risk until such time as risk is reduced to an acceptable level.

If risk is indeterminate or PRA results are unavailable as described within Attachment 3, the site risk management engineer must be contacted to evaluate the risk. The site risk management engineer may provide a preliminary verbal evaluation based upon qualitative judgment pending completion of a quantitative risk assessment.

Y = Viable Barrier; N = Non-viable Barrier; F = Barrier Failed; W = Barrier Weak; S = Barrier Satisfactory; * = Primary Barrier; NA = Not Applicable

Barrier Expected Failed1 Successful procedure steps adequate; this is an execution issue.

2. Procedure content and usability Step 4.7.3.1, WC-AA-101-1002, Online Evaluate any priority work that has been proposed to be added to Scheduling the schedule. Evaluate impact on scheduled work and plant configuration. Determine if the work can be added to the schedule or should be rescheduled. Also evaluate the addition of Carryover, Short Cycle, or Sponsored Work. (Cycle Manager)

E-9 to 6.

Step 4.7.4.1, Evaluate any priority work that has been proposed to be added to the schedule. Evaluate impact on scheduled work and plant configuration. Determine if the work can be added to the schedule or should be rescheduled. Also evaluate the addition of Carryover, Short Cycle, or Sponsored Work. (WWM.WEC) E-5 to 1.

Step 4.7.4.13, Evaluate any priority work proposed to be added to the schedule.

Evaluate impact on scheduled work and plant configuration.

Determine if the work can be added to the schedule or should be rescheduled. Also evaluate the addition of Carryover, Short Cycle, or Sponsored Work. (WWM and WEC) end of E-1 Step 4.7.5.1, Evaluate work and assess risk. (WWM) E-0. Screening committee or shift manager identifies any additional emergent item. WWM will evaluate for impact on the schedule and ensure risk assessment is performed by Operations.


Barrier    Expected    Failed/Successful    Comments

Procedure steps adequate; this is an execution issue.

Step 8.2.4.4.

C/O's that result in Online Risk changing to Orange or Red.

Step 10.3.1.8 VERIFY On-line Risk, Shutdown Risk and any applicable databases are updated as required.

Attachment 5, Clearance Preparation/Approval Checklist
Attachment 8, Clearance Authorization Checklist
Attachment 10, Clearance Manipulation Prejob Brief Checklist

hazards* made under the clearance order process.

7. Tools/Equipment Y S Paragon modeled appropriately with more than usual Paragon conservatism built in regarding auxiliary building flooding.
8. Work Place Environmental Conditions N NA NA
9. Individual Readiness N NA NA
10. Fitness for Duty N NA NA

Organizational Processes and Values

Barrier    Expected    Success/Failure    Comments

Limited focus on risk background contained in operator initial and continuing training programs.

No formal training for work management personnel

14. Self Assessment and Corrective Action Program N NA NA
15. Operating Experience Program N NA NA
16. Job Scheduling Y F Outage schedule allowed configuration to exist that adversely affected Unit 2 OLR.

17. Staffing Levels N NA NA
18. Management Monitoring Y F Inadequate oversight of OLR for operating unit when opposite unit is in a refuel outage.

Worker Behaviors

and appropriate

related to risk management.

Barrier    Expected    Success/Failure    Comments

20. Self Checking N NA NA
21. Peer Checking Y F Defense not effectively used to independently validate plant conditions such that an accurate risk analysis could be performed.

22. Conservative Decision Making Y S When risk was analyzed the worst cases were evaluated that eventually led to the identification of the condition.
23. Task Preview N NA NA

24. Procedure Use and Adherence Y W Procedure use level 3; procedure not required to be in hand.

Steps generic in nature but do outline the steps necessary to be successful. However, applicable procedures not executed effectively to ascertain an accurate picture of OLR.

25. Stop Work When Uncertain Y S Compensating actions are taken when the effect on OLR related to plant configuration is recognized.
26. Problem Reporting N NA NA
27. Quality Control Hold Points N NA NA

Barrier    Expected    Success/Failure    Comments

30. Technical Specification Surveillance Requirements N NA NA
31. Technical Specification Limiting Conditions of Operation N NA NA
32. Equipment Interlocks/alarms N NA NA
33. Engineered Controls N NA NA

Attachment 8 Barrier Analysis

HOW BARRIER FAILED    WHY BARRIER FAILED    BARRIER TO EFFECTIVENESS

Consider creating guidance that lists dual managers. Weaknesses related to recognition of dual function risk components that if unavailable in conjunction with its redundant component would result in an orange or red condition. Moreover, knowledge gaps were Reinforce expectations through training.

reliance on work

training programs.

place to ensure that adequate transfer of knowledge related to OLR when personnel changes are made

develop, implement and evaluate training using the SAT process.

Develop a formal mechanism to ensure adequate transfer of knowledge related to SDR when personnel changes are made.

Consider sending cycle and workweek managers to operator training related to OU-AP-104, Shutdown

Consider revising OU-AA-101-1005 and/or 1005, Exelon Nuclear

operations and work management.

to the FMS activity menu.

ated to OLR/SDR

Little documented management observation of OLR/SDR activities.

FMS data was queried for Byron from 01/01/08 to 07/01/08 that identified ~12300 fundamentals scored. A keyword search was performed using "risk" that identified 19 observations for either OLR or SDR. This represents ~0.15% of the population.

The median value for this population is 0.4% with the average value being 1.1%.

Upon further review of FMS a task does not exist to assign OLR or SDR observations to.

plant conditions such an