ML021970063
| ML021970063 | |
| Person / Time | |
|---|---|
| Site: | Point Beach  |
| Issue date: | 04/29/2002 |
| From: | Nuclear Management Co |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML021970045 | List: |
| References | |
| Download: ML021970063 (55) | |
Text
Point Beach Nuclear Plant Potential Common Mode Failure Auxiliary Feedwater April 29, 2002
AGENDA
Ø Introduction (Mark Warner)
Ø System Design (Lori Armstrong)
Ø Risk Assessment (Jim Masterlark)
Ø Root Cause & Corrective Actions (Fred Cayia)
Ø Inspection Report Opportunities (Lori Armstrong)
Ø Operations Perspective (Jerry Strharsky)
Ø Reactor Oversight Process (Tom Webb)
Ø Conclusion (Mark Warner) 2
AFW SYSTEM DESIGN Lori Armstrong 3
AFW DESIGN BASIS
Ø Supply water to SG to remove decay heat and replenish SG inventory
Ø Safety-Related Functions:
§ Supply FW during accidents with main steam safety valve opening
§ Supply FW during accidents which require rapid RCS cooldown
§ Isolation capability 4
RISK ASSESSMENT Jim Masterlark 6
ORIGINAL IPE ANALYSIS
§ Used System Functional Method
- Failure modes based on design basis information
- Focused on need to feed steam generators
- Modeled open failure mode of recirc valve
- Accepted industry method
§ Operator actions were evaluated where they could be credited to mitigate a failure 7
ORIGINAL IPE ANALYSIS
§ Original IPE identified failure mode of recirc valve in the closed position
- Pump overheating potential outcome
- Discharge valve would only be throttled for decay heat removal - occurs late in event
- Recirc valve failure mode not modeled
- The PRA did not model that the flow could be stopped early in the event o Overfilling steam generators o Overcooling RCS 8
PRA UPDATE PROJECT
Ø Self initiated voluntary project
Ø Ongoing formal evaluation of PRA model
Ø Most risk significant systems evaluated first
Ø Revalidates model assumptions
Ø Four primary reasons for update
§ Validates changes in plant since original PRA model
§ Adds sophistication for better use of on line Safety Monitor
§ Update reliability and availability data
§ Expand Human Reliability Analysis 9
PRA UPDATE PROJECT
Ø Use of Failure Modes and Effects Analysis
§ Determines possible failure modes
§ Rigorous evaluation for each component
- Capture failure mode in fault tree, or
- Document reason that it is not included
§ Analyze to determine effect of failure modes on system operation
§ Determination of how component could get to each position analyzed
- Equipment failure
- Operator action
- Support system failure 10
§ Failure effects of Recirculation Valve
- Open position - flow diversion
- Closed position - potential for maloperation of pump
§ Human Error Analysis and Timeline Analysis
- Identified that discharge valve could be closed prior to gagging open recirculation valve 11
Ø Summary
§ The identification of this issue required the combination of a failure modes and effects analysis with time line studies from a Human Error Analysis
§ This combination of analyses is unique to the PRA 12
ROOT CAUSE, CORRECTIVE ACTION, and EXTENT of CONDITION Fred Cayia 13
PROBLEM STATEMENT
Ø EOP-0.1, Reactor Trip Response, did not contain the specific operator actions needed to :
§ Assure in all instances operators consistently control or stop AFW flow to prevent AFW pump damage under certain conditions
- Those conditions are loss of instrument air coincident with steam generator overfill or RCS overcooling 14
IMMEDIATE CORRECTIVE ACTIONS
Ø Immediate Actions
§ Information tags placed
§ Shifts briefed and trained on issue
§ Simulator training for each crew
§ Procedure changes
§ Notification made to NRC
§ Root Cause Evaluation initiated
- Multidiscipline RCE Team 15
ROOT CAUSE
Ø EOP validation process did not evaluate the interaction between:
§ Design
§ Procedure
§ Human Error Timeline Analysis
Ø Typical industry approaches have not included Human Error Timeline Analysis 16
COMPLETED ACTIONS
Ø Procedure Changes
§ EOPs
Ø Design Modifications to Recirculation Valve
§ Pneumatic backup
Ø EOP validation process has changed to incorporate PRA into the validation
Ø Simulator changed to model AFW pumps during response to low flow conditions 17
EXTENT OF CONDITION
Ø Previously evaluated four top risk significant systems
Ø EOP steps evaluated to ensure successful implementation on a loss of instrument air
Ø Reviewed PRA assumptions for operator actions on the next two risk-significant systems
Ø Systems reviewed comprise 80% of CDF risk 18
OTHER ISSUES IDENTIFIED
Ø Design Basis fire causes failure of AFW pumps
§ Compensatory fire rounds initiated
Ø Nitrogen back-up to charging pumps undersized for Appendix R event
§ Compensatory fire rounds initiated
Ø Potential to identify additional improvements 19
CONTINUING ACTIONS
Ø Continue the PRA project
Ø Factor PRA insights into
§ Operating Procedures
§ Operator training 20
INSPECTION REPORTS OPPORTUNITIES Lori Armstrong 21
INSPECTION REPORT OPPORTUNITIES
Ø Examples Listed by NRC
Ú GL 81-14 (AFW seismic issues)
Ú 1989 station blackout (SBO) submittal
Ú GL 88-20 (IPE submittal - 1993)
Ú 1997 AFW N2 backup modification
Ú 1997 IST - DBD discrepancy 22
ISSUE IDENTIFICATION
Ø Three elements need to be evaluated concurrently to identify this issue
§ Design
§ Procedural Guidance
§ FMEA Timeline Study 23
GL 81-14 (1981)
Ø GL 81-14 Requirement
§ Determine extent of AFWS seismic qualification
Ø PBNP Action
§ Performed reviews and walk-downs
§ Completed NRC Bulletin 79-14 AFW modifications
§ Installed AFW recirc valve supports 24
GL 81-14 KEY ELEMENTS
SUMMARY
Ø Design Review
§ Reviewed seismic adequacy of foundations, supports, and structures.
§ Ensured system would remain functional following a seismic event
Ø Procedures
§ Review of system operating procedures was not an expected response to the GL
Ø Therefore, this very specific design review would not identify the time dependent procedural vulnerability 25
GL 88-14 (1988)
Ø GL 88-14 Requirement
§ Review of instrument air system
- Emergency procedures and training
- Air operated safety-related components
Ø PBNP Action
§ Verified loss of IA procedure acceptable
§ Periodic training provided
§ Concluded IA not required for component/
system safety-related functions 26
GL 88-14 KEY ELEMENTS
SUMMARY
Ø Design
§ Verified performance of safety-related functions with loss of IA
§ Verified AFW recirc valves must fail close to assure AFW safety-related function
Ø Procedures
§ Verified that adequate procedures existed to address a loss of instrument air (gagging open recirc valve)
Ø FMEA Timeline
§ PRA techniques not available
Ø Lacking the Human Error Timeline Analysis tool, it was not expected to identify this issue 27
SBO RULE (1989)
Ø 10 CFR 50.63 requirement
§ Withstand a station blackout of a specified duration
Ø PBNP Action
§ No AOVs are required to operate for one hour to cope with a SBO
§ AFWS operation is independent of AC and IA for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />
§ Only turbine driven AFW pumps available
§ SBO Emergency Response Procedures 28
SBO RULE KEY ELEMENTS
SUMMARY
Ø Design
§ Verified units could withstand SBO
§ Prescriptive assumptions defined course of the event to demonstrate compliance with the rule
- High initial decay heat (100% power for 100 days)
- No additional independent failures
- All equipment operating or available and IA restored within one hour
Ø Based upon high decay heat load, not credible to stop flow in first hour 29
IPE SUBMITTAL (1993)
Ø GL 88-20 Requirement
§ Directed licensees to submit a program/schedule for completing an IPE
Ø PBNP Action
§ Performed an IPE using accepted industry method 30
IPE SUBMITTAL KEY ELEMENTS
SUMMARY
Ø Design
§ IPE uses system functional method
§ Pump overheating potential outcome
Ø Procedures
§ Verified recirc valves gagged open on loss of instrument air
Ø FMEA Timeline Analysis
§ Operator actions only modeled for mitigation of failure
§ Accepted industry method did not use FMEA Timeline Analysis
Ø Based on the method used this was not a missed opportunity 31
Ø NRC Inspection Report stated
§ DBD-01 stated recirc valve had safety-related open function
§ Open function not reconciled with fail closed safety function on loss of instrument air
Ø The DBD is an engineering tool and does not provide an operational perspective.
32
SUMMARY
Ø Design
§ DBD is an Engineering tool that contains the limits of designs and the reasons for these limits
§ Confirmed that the design basis requirements were adequately contained in the procedures
§ Performed a single failure evaluation to disposition conflict
- Result was a closed safety function for the recirc valve
Ø Not expected to assume the design basis approach would find the time dependent procedure vulnerability 33
AFW N2 MODIFICATION (1997)
Ø Inspection Report
§ Concern was not evaluating other air operated valves in the AFW system on a loss of IA, as part of this modification
Ø Modification Purpose 34
AFW N2 MODIFICATION KEY ELEMENTS
SUMMARY
Ø Design
§ Modification identified that recirc valve failed closed on loss of IA
§ Credited forward flow for pump protection
§ Subsequent PRA update incorporated modification to discharge valves
Ø Procedures
§ Reviewed for impact of design changes
Ø Therefore this design review was not a missed opportunity 35
IST-DBD ISSUE (1997)
Ø IST-DBD discrepancy identified via a condition report:
§ No open function testing of the AFW recirc line check valves
§ AFW recirc AOVs were open function tested in the IST program
§ DBD listed an open safety function for AFW recirc valves to prevent pump damage 36
IST-DBD ISSUE KEY ELEMENTS
SUMMARY
Ø IST Program periodically confirms the safety related functions of components
Ø Discrepancy resolution based on 1994 DBD evaluation
Ø Result was a closed safety function for recirc valves and no open safety function
Ø Revised DBD
Ø This design review would not find the time dependent procedure vulnerability 37
EVALUATION OF PRIOR OPPORTUNITIES Potential Missed Design Procedures FMEA Opportunities Timeline GL 81-14 (1981) AFW Yes N/A N/A Seismic GL 88-14 (1988) Loss of IA Yes Yes N/A SBO Rule (1989) Yes Yes N/A GL 88-20 (1993) IPE Yes Yes N/A Submittal AFW DBD (1994) Yes Yes N/A AFW N2 Backup Mod (1997) Yes N/A N/A IST-DBD Issue (1997) Yes N/A N/A
CONCLUSIONS
Ø AFW system design was acceptable
Ø Loss of Instrument Air procedure correctly identified recirc valve failure mode and manual actions for gagging open valve
Ø FMEA Timeline Analysis was required to identify the vulnerability in the EOP 39
OPERATIONS PERSPECTIVE Jerry Strharsky 40
OPERATOR TRAINING
Ø PRA based
§ Recognized industry strength
Ø AFW system and loss of IA transients previously identified as training significant
§ Frequent training on AFW and loss of IA transients
Ø Minimum flow requirements well known 41
DEMONSTRATED OPERATOR PERFORMANCE
Ø 1989 Loss of IA
§ Occurred during Unit 2 trip
§ Operators responded properly
§ Operating unit transient avoided
Ø 1998 AFW Pump Recirc Valve Found Failed Shut
§ Operator starting an AFW pump observed that recirculation valve did not open
§ Immediately secured the pump 42
OPERATIONS
SUMMARY
Ø Operator risk based training combined with the technical elements of component and system, operation and design, ensured our operators had the knowledge to properly diagnosis and respond to this condition
Ø Previous operator performance has demonstrated that appropriate actions are taken in response to events with similar concerns
Ø Confident in our operating crews ability to diagnose and respond to events of this complexity and significance 43
REACTOR OVERSIGHT PROCESS Tom Webb 44
REACTOR OVERSIGHT PROCESS
Ø The probabilistic risk assessment:
§ used realistic assumptions for equipment failure
§ used accepted assumptions for human performance
§ vulnerability had high safety significance
Ø
Conclusion:
§ Further regulatory action is not warranted 45
REACTOR OVERSIGHT PROCESS
Ø Old Design Issue Treatment (IMC 0305)
§ Licensee identified as a result of a voluntary initiative
§ Was or will be corrected
§ Not likely to be identified by routine licensee efforts
§ Does not reflect a current performance deficiency 46
Ø Old Design Issue: A finding involving a past problem in the engineering calculations or analysis, associated operating procedure, or installation of plant equipment that does not reflect a performance deficiency associated with existing licensee programs, policy, or procedure.
As discussed in section 06.06.a, some old design issues may not be considered in the assessment program. (emphasis added) 47
Ø Criterion 1: Licensee identified as a result of a voluntary initiative.
§ PRA model update initiative
§ Planned, formal process
§ Systematic and broad-scope
§ Documented
§ Continued integration of PRA
Ø
Conclusion:
§ This Criterion has been met 48
Ø Criterion 2: Was or will be Corrected
§ Procedure changes
§ Additional Reviews of EOPs and PRA
§ System design modifications
§ PRA Upgrade
Ø
Conclusion:
§ This Criterion has been met 49
Ø Criterion 3: Not Likely to be Identified by Routine Licensee efforts
§ Normal surveillance and QA could not identify
§ Not readily discernable by traditional engineering approaches
Ø
Conclusion:
§ This Criterion has been met 50
Ø Criterion 4: Does not Reflect a Current Performance Deficiency
§ PRA has and continues to validate the EOPs
§ Corrective action process has been restructured
§ New operating company and management personnel
§ NMC is embedding a culture which aggressively identifies and resolves issues
§ Potential Prior Opportunities 5 to 21 years old
- Activities beyond 2 years ago do not reflect accurately on current PBNP processes and performance
Ø
Conclusion:
§ This Criterion has been met 51
Ø Summary
§ Point Beach meets the four IMC criteria
§ NRC has already performed the appropriate supplemental inspection
§ IMC 0305 states that, the regional offices may take credit for previous inspection efforts in completing the requirements of the procedure.
Ø Conclusion
§ The NRC has completed all the required inspection of IMC 0305
§ The finding should not be aggregated into the action matrix 52
PROPOSED VIOLATIONS
Ø 10CFR Part 50 Appendix B, Criterion V:
§ Because the procedures did not include instructions to ensure the recirculation valves were open , the AFW pumps could be damaged under low flow conditions such as when the flow is throttled back to control steam generator level or to mitigate RCS over cooling. This issue is considered an apparent violation.
Ø NMC does not contest this proposed violation 53
PROPOSED VIOLATIONS
Ø 10 CFR Part 50; Appendix B Criterion XVI
§ On seven occasions between 1981 and 1997, the licensee was made aware of the susceptibility of the AFW system to this type of vulnerability, but the licensee failed to identify this significant condition adverse to quality.
This issue is considered an apparent violation
Ø NMC believes that this proposed violation should be withdrawn 54
CONCLUSION Mark Warner 55
Notes:
56