ML111260664
ML111260664 | |
Person / Time | |
---|---|
Site: | Fort Calhoun |
Issue date: | 05/06/2011 |
From: | Kennedy K NRC/RGN-IV/DRP |
To: | Bannister D Omaha Public Power District |
References | |
EA-11-025 IR-11-007 | |
See also: IR 05000285/2011007
UNITED STATES
NUCLEAR REGULATORY COMMISSION
REGION IV
612 EAST LAMAR BLVD, SUITE 400
ARLINGTON, TEXAS 76011-4125
May 6, 2011
Mr. David J. Bannister, Vice President
and Chief Nuclear Officer
Omaha Public Power District
9610 Power Lane
Blair, NE 68008
SUBJECT: NRC INSPECTION REPORT 05000285/2011007; PRELIMINARY YELLOW
FINDING, FORT CALHOUN STATION
Dear Mr. Bannister:
On April 15, 2011, the U.S. Nuclear Regulatory Commission (NRC) completed an inspection at
the Fort Calhoun Station. The enclosed inspection report documents an inspection finding,
which was discussed with you and other members of your staff, on April 15, 2011. The finding is
associated with the June 14, 2010, failure of a reactor trip contactor (M2) in your reactor
protection system. The significance of this finding has preliminarily been determined to be
Yellow, a finding with substantial safety significance that could result in additional NRC
inspections and potentially other NRC action. The specific details of the significance of this
finding are described in Attachment 2 of the enclosed report. This finding was assessed based
on the best available information, using the applicable Significance Determination Process
(SDP). The final resolution of this finding will be conveyed in separate correspondence.
The technical details of the issue and associated NRC risk analysis were discussed with your
staff during the inspection and the exit meeting. Based on the discussions, we understand that
you have the following disagreements regarding our risk assessment: (1) you believe the NRC
did not give sufficient credit to operator actions after the failure of an automatic reactor trip, both
for the manual actions and the timing of those actions; (2) you believe the NRC's generic data
for reliability of the systems Vital Breakers CB-AB and CB-CD was too low; and (3) you believe
the NRC applied a higher common cause probability to Trip Contactor M1 than you determined.
Additionally, we understand you are in the process of performing a failure modes and effects
analysis on the failed contactor to determine if your apparent cause, what we assumed as the
failure mechanism in our analysis, is correct.
Fort Calhoun Station personnel replaced all four of the reactor trip contactors in the reactor
protection system on February 5, 2011, to address this issue. The finding is also an apparent
violation of NRC requirements and is being considered for escalated enforcement action in
accordance with the Enforcement Policy, which can be found on the NRC's Web site at
http://www.nrc.gov/about-nrc/regulatory/enforcement/enforce-pol.html.
In accordance with NRC Inspection Manual Chapter (IMC) 0609, we intend to complete our
evaluation using the best available information and issue our final determination of safety
significance within 90 days of the date of this letter. The significance determination process
encourages an open dialogue between the NRC staff and the licensee; however, the dialogue
should not impact the timeliness of the staff's final determination.
Before we make a final decision on this matter, we are providing you with an opportunity (1) to
attend a Regulatory Conference where you can present to the NRC your perspective on the
facts and assumptions the NRC used to arrive at the finding and assess its significance; or
(2) submit your position on the finding to the NRC in writing. If you request a Regulatory
Conference, it should be held within 30 days of the receipt of this letter and we encourage you
to submit supporting documentation at least one week prior to the conference in an effort to
make the conference more efficient and effective. If a Regulatory Conference is held, it will be
open for public observation. If you decide to submit only a written response, such submittal
should be sent to the NRC within 30 days of your receipt of this letter. If you decline to request
a Regulatory Conference or submit a written response, you relinquish your right to appeal the
final SDP determination, in that by not doing either, you fail to meet the appeal requirements
stated in the Prerequisite and Limitation sections of Attachment 2 of IMC 0609.
Please contact Jeff Clark at (817) 860-8147 and in writing, within 10 days from the issue date of
this letter, to notify the NRC of your intentions. If we have not heard from you within 10 days,
we will continue with our significance determination and enforcement decision. The final
resolution of this matter will be conveyed in separate correspondence.
Because the NRC has not made a final determination in this matter, no Notice of Violation is
being issued for the inspection finding at this time. In addition, please be advised that the
number and characterization of the apparent violation described in the enclosed inspection
report may change as a result of further NRC review.
In accordance with 10 CFR 2.390 of the NRC's "Rules
of Practice," a copy of this letter and its enclosure will be made available electronically for public
inspection in the NRC Public Document Room or from the NRC's document system (ADAMS),
accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html.
Sincerely,
/RA/ T. Pruett for
Kriss M. Kennedy
Director, Division of Reactor Projects
Docket: 50-285
License: DPR-40
Enclosures:
NRC Inspection Report 05000285/2011007
w/attachments: Supplemental Information (A-1); Significance Determination Evaluation (A-2)
Distribution via ListServe
Electronic distribution by RIV:
Regional Administrator (Elmo.Collins@nrc.gov)
Deputy Regional Administrator (Art.Howell@nrc.gov)
DRP Director (Kriss.Kennedy@nrc.gov)
DRP Deputy Director (Troy.Pruett@nrc.gov)
DRS Director (Anton.Vegel@nrc.gov)
Senior Resident Inspector (John.Kirkland@nrc.gov)
Resident Inspector (Jacob.Wingebach@nrc.gov)
Branch Chief, DRP/E (Jeff.Clark@nrc.gov)
Senior Project Engineer, DRP/E (Ray.Azua@nrc.gov)
Project Engineer (Jim.Melfi@nrc.gov)
Project Engineer (Chris.Smith@nrc.gov)
RIV Enforcement, ACES (Ray.Kellar@nrc.gov)
FCS Administrative Assistant (Berni.Madison@nrc.gov)
Public Affairs Officer (Victor.Dricks@nrc.gov)
Public Affairs Officer (Lara.Uselding@nrc.gov)
Branch Chief, DRS/TSB (Michael.Hay@nrc.gov)
Project Manager (Lynnea.Wilkins@nrc.gov)
RITS Coordinator (Marisa.Herrera@nrc.gov)
Regional Counsel (Karla.Fuller@nrc.gov)
Congressional Affairs Officer (Thomas.Combs@nrc.gov)
OEMail Resource
DRS/TSB STA (Dale.Powers@nrc.gov)
RIV/OEDO ET (Stephanie.Bush-Goddard@nrc.gov)
File located: R:\_REACTORS\_FCS\2011\FCS 2011-007 RP JCK
SUNSI Rev Compl. Yes No ADAMS Yes No Reviewer Initials JCK
Publicly Avail Yes No Sensitive Yes No Sens. Type Initials JCK
SRI:DRP/ | RI:DRP/ | SPE:DRP/ | C:DRS/EB1 | C:DRS/EB2 |
---|---|---|---|---|
JCKirkland | JFWingebach | RVAzua | TRFarnholtz | NFOKeefe |
/E-JAClark/ | /E-JAClark/ | /JMelfi for/ | /E-JAClark/ | /RA/ |
4/21/11 | 4/21/11 | 4/21/11 | 4/21/11 | 4/21/11 |

DRS/SRA | ACES/OE | C:DRP/PBE | DRP/D |
---|---|---|---|
DPLoveless | RLKellar | JAClark | KMKennedy |
/RA/ | /E-JAClark/ | /RA/ | /RA/ |
4/21/11 | 4/21/11 | 4/21/11 | 5/3/11 |
OFFICIAL RECORD COPY T=Telephone E=E-mail F=Fax
U.S. NUCLEAR REGULATORY COMMISSION
REGION IV
Docket: 50-285
License: DPR-40
Report Nos.: 05000285/2011007
Licensee: Omaha Public Power District
Facility: Fort Calhoun Station
Location: 9610 Power Lane
Blair, NE 68008
Dates: January 17, 2011 - April 15, 2011
Inspectors: J. Kirkland, Senior Resident Inspector
L. Micewski, Project Engineer
C. Steely, Operations Engineer
J. Wingebach, Resident Inspector
Approved By: Kriss M. Kennedy, Director
Division of Reactor Projects
SUMMARY OF FINDINGS
IR 05000285/2011007; 01/17/2011 - 04/15/2011; Fort Calhoun Station, Baseline Inspection
Report; Maintenance Effectiveness and Identification and Resolution of Problems
The report covered approximately a three month period of inspection by resident inspectors and
two region-based inspectors. One apparent violation of preliminary substantial safety
significance (Yellow) was identified. The significance of most findings is indicated by their color
(Green, White, Yellow, or Red) using Inspection Manual Chapter (IMC) 0609, Significance
Determination Process. The crosscutting aspect is determined using IMC 0310, Components
within the Crosscutting Areas. Findings for which the significance determination process does
not apply may be Green or be assigned a severity level after U.S. Nuclear Regulatory
Commission management review. The NRC's program for overseeing the safe operation of
commercial nuclear power reactors is described in NUREG-1649, Reactor Oversight Process,
Revision 4, dated December 2006.
A. NRC-Identified Findings and Self-Revealing Findings
Cornerstone: Mitigating Systems
- TBD. The inspectors identified an apparent violation of Title 10 of the Code of
Federal Regulations (10 CFR) Part 50, Appendix B, Criterion XVI, Corrective
Action, for the licensee's failure to ensure that the cause of a significant
condition adverse to quality was determined and corrective actions taken to
preclude repetition. Specifically, the licensee failed to identify the cause and
preclude the shading coils from becoming loose material in the M2 trip contactor
assembly of the reactor protection system that subsequently resulted in a failed
The inspectors determined that the licensee's failure to preclude shading coils
from repetitively becoming loose material in the M2 reactor trip contactor was a
performance deficiency. The finding is more than minor because it affected the
Mitigating Systems Cornerstone, and it directly affected the cornerstone objective
to ensure the availability, reliability, and capability of systems that respond to
initiating events to prevent undesirable consequences. The inspectors evaluated
the issue using the Significance Determination Process Phase 1 Screening
Worksheet for the Initiating Events, Mitigating Systems, and Barriers
Cornerstones provided in Manual Chapter 0609, Attachment 4, Phase 1 - Initial
Screening and Characterization of Findings. The inspectors determined that the
finding represented the actual loss of a single train (i.e., each of the four
contactors are considered a train) of non-Technical Specification equipment,
designated as risk-significant per 10 CFR 50.65, for greater than 24 hours.
Therefore, the finding was potentially risk significant and a Phase 2 analysis was
required. The inspectors determined that the pre-solved table does not contain a
target suitable for evaluating the finding of interest and informed the regional
senior reactor analyst that use of the risk-informed notebook would be necessary.
The senior reactor analyst completed a Phase 3 analysis using the plant-specific
Standardized Plant Analysis Risk Model for Fort Calhoun, Revision 3.50 modified
to include a detailed modeling of the reactor protection system. The exposure
period of 64 days represented the 63 days from the last verification of contactor
operation, which is most likely the time of failure, until the failure of the quarterly
surveillance plus the 1-day repair time until de-energization of half the reactor
protection system. External events impacting the risk included seismic and
internal fire initiators. The resulting risk was calculated to be 2.6 x 10^-5 indicating
that the finding was of preliminarily substantial safety significance (Yellow). The
final significance of this finding is to be determined (TBD). This finding has a
crosscutting aspect in the area of human performance, decision making
component, because the licensee did not use conservative assumptions in the
evaluation of the ongoing problems with the trip contactors
H.1(b)(Section 4OA2).
B. Licensee-Identified Violations
None
REPORT DETAILS
1. REACTOR SAFETY
Cornerstones: Initiating Events, Mitigating Systems, Barrier Integrity, and
4OA2 Identification and Resolution of Problems (71152)
Cornerstones: Initiating Events, Mitigating Systems, Barrier Integrity, Emergency
Preparedness, Public Radiation Safety, Occupational Radiation Safety, and
.1 Selected Issue Follow-up Inspection
a. Inspection Scope
The inspectors reviewed the failure of a contactor in the clutch power supply system
associated with the reactor protective system. On June 14, 2010, the contacts
associated with the M2 contactor failed to open during performance of a quarterly
surveillance test. The inspectors considered the following during the review of the
licensee's actions:
- complete and accurate identification of the problem in a timely manner
- evaluation and disposition of operability/reportability issues
- consideration of extent of condition, generic implications, common cause, and
previous occurrences
- classification and prioritization of the resolution of the problem
- identification of root and contributing causes of the problem
- identification of corrective actions
- completion of corrective actions in a timely manner
The clutch power supply system consists of four DC power clutch power supplies, four
contactors (M-contactors), and other relays and contacts which work together to supply
power to control element drive mechanisms (see drawings on next two pages). The
control element assemblies are equipped with magnetic clutches, which couple the
control element assemblies with the control element drive mechanisms. The clutches
are powered from four DC power supplies, PS-1 through PS-4. Power supplies PS-1
and PS-2 supply power to 20 clutches, and power supplies PS-3 and PS-4 supply power
to 17 clutches. All clutches will remain energized if only half of their power supplies are
available. For example, if PS-1 is de-energized, the 20 associated clutches will remain
energized if PS-2 remains energized. Therefore, to de-energize the first 20 clutches,
both PS-1 and PS-2 must be de-energized, and to de-energize the other 17 clutches,
PS-3 and PS-4 must be de-energized. For a complete reactor trip (all 37 clutches), all
four power supplies must de-energize.
[Figure: Block Diagram]
[Figure: Partial Line Drawing]
Power is supplied to the four DC power supplies from 120 Vac instrument busses.
Instrument bus A or B supplies power to PS-1 and PS-3, and instrument bus C or D
supplies power to PS-2 and PS-4. Power from the instrument buses to the dc power
supplies is controlled by one breaker and two sets of contacts in series. For dc power
supplies PS-1 and PS-3, the flow path is from the instrument bus, through breaker
CB-AB, through normally closed contacts M1 then M2, then to the dc power supplies.
Similarly, for power supplies PS-2 and PS-4, through breaker CB-CD, through normally
closed contacts M4 then M3, then to the dc power supplies. This configuration is such
that if power is lost from one instrument bus, the reactor will not trip because the
clutches still have power from the power supplies fed from the other instrument bus.
The M-contacts are controlled through the reactor protective system and the breakers
are controlled from the diverse scram system.
The reactor protective system consists of four channels of instrumentation. Each
channel monitors 12 safety parameters and each parameter input is derived from an
isolated instrument channel. Individual channel trips occur when the measurement
reaches a preselected value, and has input to three of six logic matrices. The logic
matrix trip relays are de-energized when two channels of the same measurement
channel trip.
The clutch power supply and reactor protective systems interface through six normally
closed contacts, in series, in each of four trip paths. The six contacts in each trip path
correspond to the six logic matrices in the reactor protective system. If a logic matrix trip
relay in the reactor protective system is de-energized, it opens the associated contact in
all four trip paths. Opening one of these contacts interrupts power to an interposing
relay, opening a contact which interrupts power to an M-contactor, which in turn opens
the M contacts, interrupting power to two clutch power supplies. Trip path 1 consists of
the M1 contactor and interposing relay 1, trip path 2 consists of the M2 contactor and
interposing relay 2, etc. Initiating a manual reactor trip from control board 4 also
interrupts power to the four interposing relays.
When a valid signal is generated in the diverse scram system, a normally closed contact
will open, interrupting power to a relay associated with the CB-AB and CB-CD breakers,
opening the associated breakers and interrupting power to the clutch power supplies.
Initiating a manual reactor trip from reactor protective system cabinet AI-31 will also
interrupt power to the breaker relays.
In order for the reactor to automatically trip upon a valid signal from the reactor
protective system, the contacts from either M1 or M2 must open (which interrupts power
to PS-1 and PS-3), and the contacts from either M3 or M4 must open (which interrupts
power to PS-2 and PS-4). The M-contacts will not open if power is not interrupted to the
interposing relay or the M-contactors, or the contacts associated with the interposing
relay or M-contactors do not open.
These activities constitute completion of one in-depth problem identification and
resolution sample as defined in Inspection Procedure 71152-05.
b. Findings
Introduction. The inspectors identified an apparent violation of preliminary substantial
safety significance (Yellow) of 10 CFR Part 50, Appendix B, Criterion XVI, Corrective
Action, for the licensee's failure to ensure that the cause of a significant condition
adverse to quality was determined and corrective actions taken to preclude repetition.
Specifically, the licensee failed to identify the cause and preclude the shading coils from
becoming loose material in the M2 trip contactor assembly of the reactor protection
system that subsequently resulted in a failed contactor.
Description. On June 14, 2010, the licensee performed a quarterly surveillance test on
the reactor trip contactors of the reactor protective system. During this test, the
M2 contactor failed to open as required. The licensee subsequently determined the
apparent cause was due to a shading coil falling out of its recess, breaking apart, and
lodging in the contactor mechanism such that it bound its contacts in the closed position.
Fort Calhoun Station does not use reactor trip circuit breakers. Instead, the reactor
protective system uses four trip contactors (M1 through M4). For these contactors to
successfully trip the reactor, either M1 and (M3 or M4), or M2 and (M3 or M4), must open.
Therefore, this is a one out of two, taken twice, coincidence logic. With M2 failed closed,
M1 must open to successfully trip the reactor. The failure of M2 reduced the reliability
and redundancy of the reactor protective system.
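The one-out-of-two, taken twice, logic described here and in the inspection scope can be checked by enumerating which stuck-closed devices defeat a trip. The Python sketch below is an added example, not part of the NRC report or the licensee's analysis, and it is not the Phase 3 risk model; the function names, the stuck-closed-only failure model, and the option of demanding the CB-AB and CB-CD breakers together with the M-contactors are assumptions made here.

```python
from itertools import combinations

# Series devices in each instrument-bus feed and the supplies behind them (from the report).
FEEDS = {
    "AB": {"series": ("CB-AB", "M1", "M2"), "supplies": ("PS-1", "PS-3")},
    "CD": {"series": ("CB-CD", "M4", "M3"), "supplies": ("PS-2", "PS-4")},
}
# A clutch group stays energized while either of its two supplies is energized.
CLUTCH_GROUPS = {("PS-1", "PS-2"): 20, ("PS-3", "PS-4"): 17}
RPS_DEMANDS = frozenset({"M1", "M2", "M3", "M4"})  # opened by the reactor protective system
DSS_DEMANDS = frozenset({"CB-AB", "CB-CD"})        # opened by the diverse scram system


def energized_supplies(stuck_closed, demanded=RPS_DEMANDS):
    """Supplies still powered when `demanded` devices are told to open
    and the `stuck_closed` ones fail to do so."""
    opened = set(demanded) - set(stuck_closed)
    live = set()
    for feed in FEEDS.values():
        # One open device anywhere in the series string interrupts the feed.
        if not any(dev in opened for dev in feed["series"]):
            live.update(feed["supplies"])
    return live


def clutches_held(stuck_closed, demanded=RPS_DEMANDS):
    """Number of clutches (out of 37) that remain energized."""
    live = energized_supplies(stuck_closed, demanded)
    return sum(n for pair, n in CLUTCH_GROUPS.items() if live.intersection(pair))


def trip_succeeds(stuck_closed, demanded=RPS_DEMANDS):
    """A complete trip requires every clutch to be de-energized."""
    return clutches_held(stuck_closed, demanded) == 0


def minimal_cut_sets(demanded=RPS_DEMANDS, already_stuck=()):
    """Smallest sets of additional stuck-closed devices that defeat the trip,
    given devices already known to be stuck closed."""
    base = set(already_stuck)
    candidates = sorted(set(demanded) - base)
    cuts = []
    for size in range(len(candidates) + 1):
        for combo in combinations(candidates, size):
            extra = set(combo)
            if any(cut <= extra for cut in cuts):
                continue  # a smaller cut set already covers this combination
            if not trip_succeeds(extra | base, demanded):
                cuts.append(extra)
    return [sorted(cut) for cut in cuts]


if __name__ == "__main__":
    print("Healthy system, RPS only:", minimal_cut_sets())
    print("With M2 stuck closed:    ", minimal_cut_sets(already_stuck=("M2",)))
    print("Clutches held if M1 and M2 both stick:", clutches_held({"M1", "M2"}))
    print("RPS plus breakers demanded:",
          minimal_cut_sets(RPS_DEMANDS | DSS_DEMANDS))
```

With M2 stuck closed, M1 becomes a single point of failure for the automatic trip. Because each feed powers one supply in each clutch group, a feed that fails to open holds all 37 clutches rather than only one group.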
The shading coils of the trip contactors do not perform a direct safety function for the
mechanism. They serve to increase the life expectancy and reliability of the contactors.
The shading coils are rectangular strips of metal, not electrically connected to the
device, which produce opposing lines of flux to the main coil. They are maintained in
position, in their recess, by press fit (interference fit) to the contactor pole faces. The
shading coil is used to prevent excess vibration on the single-phase AC magnets that
must be electrically held in a closed position. A shading coil produces a second field to
apply a magnetic force when the primary field force is zero. With no other force present,
an AC magnet will partially open at each current zero. A vibration will develop at twice
the AC frequency. Without a shading coil to help hold the magnet closed during current
zero phase, this vibration could destroy the magnet pole face. Inspectors determined
that the licensee failed to identify that the shading coils being loose within the
mechanism posed a failure mechanism to the safety function of the contactor to open.
The licensee has documented several occurrences of shading coils dislodging from their
recess in the contactor assemblies since 1987. Since 2008, the licensee documented
two such instances of issues with the M2 contactor prior to its failure on June 14, 2010.
On November 3, 2008, after resetting the M2 coil, the AI-3 panel began chattering similar
to an unbalanced fan during performance of quarterly surveillance test IC-ST-RPS-0042,
Rev. 5, Quarterly Functional Test of RPS Trip Logic. The licensee documented this
characterization in Condition Report 2008-6624, and categorized the condition report as
a Level C (an adverse condition that requires a simple cause statement). In analyzing
the initial operability of the contactor, the condition report stated "Operating experience
shows that coils and contacts can operate for extended periods making noise." The
licensee concluded that, "At this time, the M2 coil would trip and provide the protection it
is designed to provide." Troubleshooting determined the cause of the vibration to be a
shading coil that had fallen out of its recess and was lying across the coil. On
November 5, 2008, the shading coil was re-installed, and the vibration ceased.
The response to Condition Report 2008-6624 recommended that all four contactors be
replaced due to the age of the equipment and identified that the contactor model was
obsolete and no like-for-like parts were available for purchase. However, the licensee
identified a suitable commercially available substitute and initiated an engineering
change to replace all four contactors.
In November 2008, engineering change EC 44745 was sent to design engineering for
approval. It was initially assigned a high priority so that the contactors could be replaced
in the fall 2009 refueling outage. However, the priority was subsequently downgraded
and replacement of the contactor was not included in the 2009 outage. The licensee
inappropriately considered replacement of the contactors to be an enhancement only,
and re-scheduled the activity for the spring 2011 refueling outage. Consequently, review
of EC 44745 was assigned a low priority.
On March 20, 2010, Condition Report 2010-1378 was submitted describing "Electrical
noise emanating from AI-3 cabinet has changed in pitch and volume." The inspectors
noted that due to the licensee's continued lack of understanding of the potential
contactor problem(s), Condition Report 2010-1378 was cross-referenced to Condition
Report 2008-6624, resulting in Condition Report 2010-1378 being closed with no further
action.
On March 25, 2010, during the performance of quarterly Surveillance Test
IC-ST-RPS-0042, noises from the AI-3 cabinet became louder, which the licensee
documented in Condition Report 2010-1460 and performed an apparent cause analysis.
Troubleshooting again showed that the shading coil had come loose. The condition
report evaluation of safety significance again stated that "This is not safety significant as
the contactor was able to remain energized with the contact closed, providing power to
the CEDM [control element drive mechanism] power supplies." The inspectors
concluded this was another missed opportunity for the licensee to identify the potential
negative impact of loose material in the contactor mechanism. On March 31, 2010, the
shading coil was re-installed; however, the vibration was not eliminated, only reduced.
On April 1, 2010, an engineer initiated Condition Report 2010-1586, in an attempt to
elevate the priority so that design engineering would again analyze EC 44745. This
condition report stated there were no spare parts for the contactors, the contactors were
obsolete, and that engineering change request EC 44745 was still in development.
Due to concerns by licensee personnel that the shading coil vibration had not been
eliminated on March 31, 2010, a work request was initiated in order to check the
contactor during a forced outage. On April 8, 2010, the reactor was tripped to enter a
forced outage, which opened the reactor trip contactors. However, the licensee stated in
an apparent cause evaluation for Condition Report 2010-2923, that they did not inspect
the contactors because of a lack of resources due to other work that needed to be
accomplished during the forced outage. The plant was in this outage until startup
commenced on April 10, 2010. At that time the reactor trip contactors were again
closed.
On April 10, 2010, Condition Report 2010-1738 documented that after resetting the
reactor, per Surveillance Test OP-ST-RPS-0008, the M2 contactor started making noise
at the AI-3 cabinet. Electrical maintenance was notified and determined that the M2
shading coil had most likely come loose and was interfering with the normal contactor.
The initial operability basis stated, in part, "At this time the M2 coil would trip and provide
the protection it is designed to provide." Work Request 149645 was initiated to address
the condition, which was subsequently assigned to Work Order 374724, which would
again re-install the shading coil, and was scheduled for August 9, 2010.
On June 14, 2010, quarterly Surveillance Test IC-ST-RPS-0042 was performed. During
Step 7.8.5 of Surveillance Test IC-ST-RPS-0042, the system did not perform as required,
in that the M2 coil did not open its associated contacts to drop out clutch power supplies
PS-3 and PS-1. The licensee documented this failure in Condition Report 2010-2923.
The system engineer's evaluation of the condition report stated, "Troubleshooting
determined that part of one of the shading coils had wedged [itself] between the
contactor and the yoke preventing the contactor from dropping out." The licensee further
concluded that this was not safety significant as, "The AI-3-M1 contactor would have caused
the power supplies to de-energize in the event of an actual trip signal."
The inspectors postulated that for the shading coil to jam the contactor in the closed
position, the shading coil would have to be out of its recess when the contactor
physically closed. Specifically, a loose shading coil could fall out of its recess when the
contactor is cycled open then jam when subsequently closed. This cycling occurred on
April 8 and 10, 2010. As evidenced by the failure to open on June 14, 2010, the
inspectors concluded the contactor was likely inoperable from April 10 through
June 14, 2010.
In the response to both Condition Reports 2010-1460 and 2010-2923, the licensee
evaluated the significance of a shading coil being out of its recess as not being
significant, as the contactor would still open as required. In these two instances, the
licensee failed to recognize the loose shading coil could adversely affect the safety-
related function of the contactor to open. The licensee also failed to recognize the
importance of the M1 contactor, and the resulting loss of the reactor protection system
reliability, given a failure of M2.
Analysis. The inspectors determined that the failure to identify the cause and preclude
the shading coils from becoming loose material in the M2 trip contactor assembly of the
reactor protection system, that resulted in a failed contactor, was a performance
deficiency. The finding is more than minor because it affected the Mitigating Systems
Cornerstone, and it directly affected the cornerstone objective to ensure the availability,
reliability, and capability of systems that respond to initiating events to prevent
undesirable consequences. Specifically, with M2 failed closed, M1 must open to
successfully trip the reactor. The failure of M2 reduced the reliability and redundancy of
the reactor protection system. The inspectors evaluated the issue using the Significance
Determination Process Phase 1 Screening Worksheet for the Initiating Events, Mitigating
Systems, and Barriers Cornerstones provided in Manual Chapter 0609, Attachment 4,
Phase 1 - Initial Screening and Characterization of Findings. The inspectors
determined that the finding represented the actual loss of a single train (i.e., each of the
four contactors are considered a train) of non-Technical Specification equipment,
designated as risk-significant per 10 CFR 50.65, for greater than 24 hours. Therefore,
the finding was potentially risk significant and a Phase 2 analysis was required. The
inspectors determined that the presolved table did not contain a target suitable for
evaluating the finding of interest and informed the regional senior reactor analyst that
use of the risk-informed notebook would be necessary. Therefore, the senior reactor
analyst completed a Phase 3 analysis using the plant-specific Standardized Plant
Analysis Risk Model for Fort Calhoun, Revision 3.50, modified to include a detailed
modeling of the reactor protection system. The exposure period of 64 days represented
the 63 days from the last verification of contactor operation, which is most likely the time
of failure, until the failure of the quarterly surveillance plus the 1-day repair time until the
M1/M2 half of the reactor protection system was deenergized. External events
impacting the risk included seismic and internal fire initiators. The resulting risk was
calculated to be 2.6 x 10^-5 indicating that the finding was of preliminarily substantial
safety significance (Yellow). This finding has a crosscutting aspect in the area of human
performance, decision making component, because the licensee did not use
conservative assumptions in the evaluation of the ongoing problems with the trip
Enforcement. Title 10 of the Code of Federal Regulations, Part 50, Appendix B,
Criterion XVI, Corrective Action, states, in part, that measures shall be established to
assure that conditions adverse to quality, such as failures, malfunctions, deficiencies,
deviations, defective material and equipment, and non-conformances are promptly
identified and corrected. In the case of significant conditions adverse to quality, the
measures shall assure that the cause of the condition is determined and corrective
action taken to preclude repetition. Contrary to the above, between November 3, 2008,
and June 14, 2010, the licensee failed to preclude shading coils from repetitively
becoming loose material in the M2 reactor trip contactor. Specifically, the shading coils
becoming loose material in the M2 reactor trip contactor assembly was a significant
condition adverse to quality that subsequently resulted in the contactor failing. On
November 3, 2008, the licensee determined that the shading coil in the M2 trip contactor
had fallen out of its recess and had become loose material in the contactor. The
licensee further determined the trip contactors were obsolete and should be replaced.
However, the licensee manually pressed the shading coil back into place and continued
operations. On March 25, 2010, the licensee again identified the shading coil had fallen
out, as evidenced by associated buzzing noise. On March 31, 2010, technicians again
pressed the shading coil back into place during troubleshooting, but the noise
immediately resumed during the postmaintenance testing, indicating the shading coil did
not remain in place. Due to a lack of replacement parts, the licensee determined the
contactor would be left as is and they would continue to operate. On June 14, 2010,
the M2 trip contactor failed to open during a surveillance test because pieces of the
loose shading coil jammed the contactor in the closed position. The licensee failed to
identify that the loose parts in the trip contactor represented a potential failure of the
contactor if they became an obstruction; and therefore, failed to preclude repetition of
this significant condition adverse to quality. The licensee has entered this condition into
their corrective action program as Condition Report 2011-0451. The licensee also
replaced all four of the reactor trip contactors in the reactor protection system on
February 5, 2011. Therefore, the NRC no longer has a concern with the potential failure
mechanisms discussed in the report with the previous reactor trip contactors. Pending
completion of the final significance determination, the performance deficiency will be
considered an apparent violation, AV 05000285/2011007-01, Failure to Correct a
Degraded Contactor in the Reactor Protective System.
4OA6 Meetings
Exit Meeting Summary
On April 15, 2011, the inspectors presented the inspection results to you and other members of
your staff. You and your staff acknowledged the issues presented. Your staff also reiterated the
differences they consider in assumptions or analysis in the NRC's risk analysis for this issue.
The inspector asked the licensee whether any materials examined during the inspection should
be considered proprietary. No proprietary information was identified.
SUPPLEMENTAL INFORMATION
KEY POINTS OF CONTACT
Licensee Personnel
R. Acker, Station Licensing
M. Bare, System Engineer
J. Bozarth, System Engineer
H. Faulhaber, Division Manager, Nuclear Construction and Projects
M. Ferm, Manager, Systems Engineering
M. Frans, Manager, Engineering Programs
J. Goddell, Division Manager, Nuclear Performance Improvement and Support
D. Guinn, Supervisor Regulatory Compliance
H. Hackerott, Supervisor, Systems Analysis
J. Herman, Division Manager, Nuclear Engineering
T. Nellenbach, Plant Manager
J. Reinhart, Site Vice President
M. Smith, Manager, Operations
LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED
Opened
05000285/2011007-01 AV Failure to Correct a Degraded Contactor in the Reactor
Protective System
LIST OF DOCUMENTS REVIEWED
Section 4OA2: Identification and Resolution of Problems
CONDITION REPORTS
199600356 2008-6624 2010-1378 2010-1460 2010-1586
2010-1738 2010-2923 2011-0451
WORK ORDERS (WO)
00321729 00372893 00301892
PROCEDURES
NUMBER | TITLE | REVISION
EM-RR-RPS-0201 | Maintenance of M-Contactors for Clutch Power Supplies | 6
IC-ST-RPS-0042 | Quarterly Functional Test of RPS Trip Logic | 5
OP-ST-RPS-0008 | Reactor Manual Trip Test | 12
DRAWINGS
NUMBER | TITLE | REVISION
E-23866-411-003 | Reactor Protective System Functional Diagram | 4
ENGINEERING CHANGES (EC)
NUMBER | TITLE | REVISION
44745 | Replacement for AI-3-M1/M2/M3/M4 contactors | 1
MISCELLANEOUS DOCUMENTS
NUMBER | TITLE | REVISION / DATE
 | Equipment Reliability (ER) Optimization Project at OPPD Fort Calhoun | September 2010
 | Meeting Agenda and Package for DNC PRC Subcommittee monthly meeting | January 20, 2010
FCSG-24 | Corrective Action Program Guideline | 27
STM38 | System Training Manual Volume 38, Reactor Protective System and Diverse Scram System | 20
USAR-7.2 | Instrumentation and Control - Reactor Protective Systems | 14
ATTACHMENT
PRELIMINARY SIGNIFICANCE DETERMINATION
FAILURE TO CORRECT DEFICIENCIES IN THE REACTOR PROTECTION SYSTEM
The seven supplements referred to in this preliminary risk assessment are being
withheld from public disclosure in accordance with Section 2.390(d) of Title 10 of
the Code of Federal Regulations (10 CFR 2.390). These documents will be
provided to the licensee under separate cover.
A. Significance Determination Basis
The senior reactor analyst completed a Phase 3 analysis using the plant-specific
Standardized Plant Analysis Risk (SPAR) Model for Fort Calhoun, Revision 3.50
modified to include a detailed modeling of the reactor protection system. The exposure
period of 64 days represented the 63 days from the last verification of contactor
operation, which is most likely the time of failure, until the failure of the quarterly
surveillance plus the 1-day repair time until deenergization of half the reactor protection
system. External events impacting the risk included seismic and internal fire initiators.
The final change in core damage frequency was calculated to be 2.6 x 10^-5, indicating
that the finding was of substantial risk significance (Yellow).
a. Phase 1 screening logic, results and assumptions
In accordance with NRC Inspection Manual Chapter 0612, Appendix B, "Issue
Screening," the team determined that the licensee failed to ensure the
availability, reliability, and capability of safety systems that respond to initiating
events to prevent undesirable consequences of safe shutdown equipment. The
finding is more than minor because it affected the Mitigating Systems
Cornerstone, and it directly affected the cornerstone objective to ensure the
availability, reliability, and capability of systems that respond to initiating events to
prevent undesirable consequences.
The team evaluated the issue using the Significance Determination Process
(SDP) Phase 1 Screening Worksheet for the Initiating Events, Mitigating
Systems, and Barriers Cornerstones provided in Manual Chapter 0609,
Attachment 4, "Phase 1 - Initial Screening and Characterization of Findings."
This finding affected the Mitigating Systems Cornerstone. The inspectors
determined that the finding represented the actual loss of a single train (i.e., each
of the four contactors is considered a train) of non-Technical Specification
equipment, designated as risk-significant per 10 CFR 50.65, for greater than
24 hours. Therefore, the finding was potentially risk significant and a Phase 2
Estimation was required.
b. Phase 2 Risk Estimation
In accordance with Manual Chapter 0609, Appendix A, Attachment 1, "User
Guidance for Phase 2 and Phase 3 Reactor Inspection Findings for At-Power
Situations," the inspectors evaluated the subject finding using the presolved table
for the Risk-Informed Inspection Notebook for Fort Calhoun Power Station,
Revision 2.01a. The inspectors determined that the presolved table does not
contain a target suitable for evaluating the finding of interest and informed the
Regional Senior Reactor Analyst that use of the risk-informed notebook would be
necessary.
The senior reactor analyst used the plant-specific risk-informed notebook to
estimate the risk associated with this finding. The following assumptions were
made:
1. Reactor Protection System Contactor M2 most likely failed on April 10, 2010,
when operators performed surveillance testing of the trip system prior to
restarting the reactor from a midcycle outage. The inspectors determined
that for the shading coil to jam the contactor in the closed position, the event
would have most likely been concurrent with the physical closing of the
contactor with the shading coil out of its recess. The inspectors determined
that vibration of the contactor during operation was insufficient to cause
catastrophic failure of the shading coil.
2. The failure was identified during a test of the system on June 14, 2010. It
took the licensee until June 15, 2010 to deenergize the vital power to the
contactor and confirm a half trip condition existed.
3. In accordance with Manual Chapter 0609, Appendix A, Attachment 2, Site
Specific Risk-Informed Inspection Notebook Usage Rules, Rule 1.1,
Exposure Time, the analyst evaluated the time frame over which the finding
impacted the risk of plant operations. The analyst determined that the
performance deficiency affected plant risk for 64 days. Therefore, the
exposure time used to represent the time that the performance deficiency
affected plant risk in the Phase 2 estimation was greater than 30 days.
4. In accordance with Manual Chapter 0609, Appendix A, Attachment 1,
Step 2.1.3, Find the Appropriate Target for the Inspection Finding in the Pre-
solved Table, the analyst determined that there was no appropriate target for
evaluating this performance deficiency. Therefore, the analyst utilized the
Risk-Informed Notebook for Fort Calhoun Station, Revision 2.01a to perform
the estimation.
5. In accordance with Manual Chapter 0609, Appendix A, Attachment 1,
Step 2.2.1, Select the Initiating Event Scenarios, the analyst determined
that only the anticipated transient without scram (ATWS) was affected.
Therefore, Table 3.9, SDP Worksheet for Fort Calhoun Power Station -
Anticipated Transients Without Scram (ATWS) was used for this estimation.
6. In accordance with Manual Chapter 0609, Appendix A, Attachment 2, Rule
1.2 Inspection Finding (Not Involving a Support System) that Increases the
Likelihood of an Initiating Event, the analyst increased the Initiating Event
Likelihood of the ATWS by one order of magnitude because the increase in
the frequency of the ATWS was not known.
7. The analyst determined that the failure of the M2 contactor did not directly
affect the ability of any other mitigation system to perform its function.
8. The analyst gave no operator action credit for recovery of the M2 contactor
as discussed in Manual Chapter 0609, Appendix A, Attachment 1, Table 4,
"Remaining Mitigation Capability Credit." The requirements for such credit
(procedures, available parts and training under similar conditions) were not
met.
The dominant sequences from the notebook are documented in Table 1, and the
worksheet was provided as Supplement 2 to this document.
TABLE 1
Failure Reactor Protection System M2 Contactor
Phase 2 Sequences
Initiating Event Sequence Mitigating Functions Results
Anticipated Transient 1 ATWS-AFW 6
without SCRAM 2 ATWS-BORATE 7
3 ATWS-SRV 7
4 ATWS-TTP 8
Using the site-specific risk-informed notebook, the result from this estimation
indicated that the finding was of low to moderate safety significance (White).
However, the analyst determined that this estimate most likely increased the
initiating event likelihood by more than one order of magnitude and represented a
partial loss of capability of the manual reactor trip. Therefore, in accordance with
the recommendations of the site-specific risk-informed notebook, the finding was
evaluated by the analyst using Phase 3 methods.
c. Phase 3 Analysis
The following assumptions were made to support this Phase 3 analysis:
1. The Fort Calhoun plant-specific SPAR, Revision 3.50, as modified by the
analyst to include a detailed model of the reactor protection system, was the
best tool for quantifying the risk of the subject performance deficiency.
2. The M2 contactor was last cycled on April 10, 2010, when operators
performed surveillance of the trip system prior to restarting the reactor from a
midcycle outage.
3. Using best-available information, the inspectors determined that for the
shading coil to jam the contactor in the closed position, the event would have
most likely been concurrent with the physical closing of the contactor with the
shading coil out of its recess. The inspectors determined that vibration of the
contactor during operation was insufficient to cause catastrophic failure of the
shading coil. Therefore, Reactor Protection System Contactor M2 most likely
failed during the last successful cycle on April 10, 2010, prior to restarting the
reactor from a midcycle outage.
4. The failure was identified during a test of the system on June 14, 2010. It
took the licensee until June 15, 2010, to deenergize the vital power to the
contactor and confirm a half trip condition existed.
5. In accordance with Manual Chapter 0609, Appendix A, Attachment 2, Site
Specific Risk-Informed Inspection Notebook Usage Rules, Rule 1.1,
Exposure Time, the analyst evaluated the time frame over which the finding
was reasonably known to have existed. Therefore, the analyst calculated an
exposure time of 64 days which includes the 63 days from April 10, 2010, to
June 14, 2010, plus the 1 day until the vital power to the contactor was
deenergized and a half trip condition confirmed to exist on June 15, 2010.
The 1 day was part of the repair time.
6. The baseline failure rate of an M-Contactor is 1.2 x 10^-4/demand (Reference:
NUREG/CR-5500, Volume 10 Reliability Study: Combustion Engineering
Reactor Protection System, 1984 - 1998, Table C-7, Page C-22).
7. The analyst determined that the common cause failure probability should be
adjusted for the contactors. Essentially, there was an increased probability
that the contactors could have both failed in response to the same initiating
event. Common observations existed on both contactors, including: 1) at
least one shading coil would easily come out of its recess; 2) original
installation was during plant construction; 3) there were signs of age-related
fatigue; 4) subparts exhibited significant scratching and indentations; and
5) in November 2008 the licensee determined that the contactors were
obsolete and should have been replaced.
8. The analyst used NUREG 5485, Guidelines on Modeling Common-Cause
Failures in Probabilistic Risk Assessment, November 1998, for the common
cause assessment. The analyst used the alpha-factor method to evaluate
the common cause failure probability. This method is described in
NUREG 5485, Section 5.3. Parametric Representation of Common Cause
Basic Event Probabilities. The analyst used NUREG/CR-5500, Volume 10,
Reliability Study: Combustion Engineering Reactor Protection System,
1984-1998, Table E-6, Page E19 to determine the appropriate $\alpha_2$ factor for
Contactor M1. The $\alpha_2$ factor was 3.59 x 10^-2/demand.
9. The analyst determined that the failure of the M2 contactor did not directly
affect the ability of any other mitigation system to perform its function.
10. Other than appropriately modeled manual trip actions, the analyst gave no
operator action recovery credit to restore the M2 contactor because there
was insufficient time to implement these actions before postulated
irrecoverable damage would occur and because parts were not available.
11. The failure to deenergize any 3 or more RPS clutch power supplies will result
in a failure of the automatic scram logic.
12. The failure to deenergize the following combinations of RPS clutch power
supplies will result in a failure of the automatic scram logic: PS1 and PS3;
PS2 and PS3; PS2 and PS4; or PS1 and PS4.
13. The failure of either the associated M-contactor or the associated interposing
relay will prevent the trip contacts from opening. Example: If Interposing
Relay 1 fails to open, Contactor M1 will not deenergize. Also, if Contactor M1
fails, its contacts will not open. Therefore, given the failure of Contactor M2,
either Interposing Relay 1 or Contactor M1 failing would result in Clutch
Power Supplies 1 and 3 remaining energized.
14. Should the automatic RPS function fail to deenergize a clutch power supply,
the diverse scram system may cause the power supplies to deenergize by
opening Vital Breakers CB-CD and CB-AB.
15. The diverse scram system will only function to automatically trip the reactor
upon a high pressurizer pressure signal. Therefore, loss of coolant accidents
will not result in the diverse scram system initiating a reactor trip.
16. Manual Trip Pushbutton No. 1 is located on the main reactor control panel
and is designed to trip the reactor by deenergizing each of the M-contactor
coils.
17. Manual Trip Pushbutton No. 2 is located on the reactor protection system
panel and is designed to trip the reactor by deenergizing the holding
solenoids inside Vital Breakers CB-CD and CB-AB.
18. The baseline failure rate of a molded case circuit breaker with a normally
energized holding coil such as Vital Breakers CB-CD and CB-AB was
estimated as 2.5 x 10^-3/demand from binding of the holding coil plunger and
5.0 x 10^-3/demand from all other reasons (Reference EGG-SSRE-8875,
Generic Component Failure Database for Light Water and Liquid Sodium
Reactors, Idaho National Engineering Laboratory, 1990).
19. The probability of a licensed operator failing to manually trip the reactor
using Reactor Trip Pushbutton No. 1 upon failure of the automatic trip
systems is 1.5 x 10^-3/demand (Reference: SPAR-H Human Reliability
Analysis Method Worksheet, Supplement 3).
20. The probability that a licensed operator fails to trip the reactor with Reactor
Trip Pushbutton No. 2 upon failure of the automatic trip systems and the
failure of the reactor to trip upon actuating Manual Trip Pushbutton No. 1 is
5.0 x 10^-1/demand based on the high dependency with the failure described
earlier (Reference: SPAR-H Human Reliability Analysis Method Worksheet,
Supplement 3).
21. Because the performance deficiency resulted in at least one shading coil in
both Contactors M1 and M2 being in a condition such that it would easily
come out of its recess, the analyst assumed that a seismic event could result
in the failure of the reactor protection system to initiate an automatic scram at
any time during the 1-year assessment period.
22. Based on analyst judgment, the analyst assumed that the failure described in
Assumption 21 would occur at or above the frequency that would cause a
seismically-induced nonrecoverable loss of offsite power. At this frequency,
the offsite power resistor stacks have sufficient countermotion in a single
plane that they break. The analyst noted that this level of seismic activity
would also likely fail a contactor with loose shading coils. However, the
analyst determined that the overall analysis was not very sensitive to this
assumption.
23. The analyst assumed that the probability of an anticipated transient without
scram (ATWS) was relatively low, even given the performance deficiency.
Therefore, the probability that a fire would initiate and be severe enough to
cause damage to plant equipment at the same time as an ATWS occurred
would be too low to cause a significant change in the overall analysis of
CDF.
24. Given Assumption 23, the analyst determined that the only fire scenarios that
would be significantly impacted by the subject performance deficiency would
be those that affect ATWS mitigation systems, specifically: emergency
boration; high pressure injection; auxiliary feedwater; shutdown cooling; and
high pressure recirculation.
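Assumptions 11 and 12 can be checked against each other by enumerating every combination of clutch power supplies that fails to deenergize. The following Python is an added example, not part of the NRC analysis or the SPAR model; it encodes only the four supply pairs listed in Assumption 12, and the function names are illustrative.

```python
from itertools import combinations

SUPPLIES = ("PS1", "PS2", "PS3", "PS4")

# Assumption 12: supply pairs that defeat the automatic scram when both
# members fail to deenergize.
DEFEATING_PAIRS = (
    frozenset({"PS1", "PS3"}),
    frozenset({"PS2", "PS3"}),
    frozenset({"PS2", "PS4"}),
    frozenset({"PS1", "PS4"}),
)


def scram_defeated(stuck):
    """True if the set of supplies left energized contains a listed pair."""
    stuck = frozenset(stuck)
    return any(pair <= stuck for pair in DEFEATING_PAIRS)


def all_states():
    """Every combination of supplies that could stay energized (16 in total),
    ordered by increasing size."""
    return [frozenset(c)
            for n in range(len(SUPPLIES) + 1)
            for c in combinations(SUPPLIES, n)]


def minimal_cut_sets():
    """Smallest stuck-energized sets that defeat the scram."""
    cuts = []
    for state in all_states():
        # A state is minimal if no smaller defeating set is contained in it.
        if scram_defeated(state) and not any(c < state for c in cuts):
            cuts.append(state)
    return cuts


def assumption_11_follows():
    """Assumption 11: any 3 or more stuck supplies defeat the scram."""
    return all(scram_defeated(s) for s in all_states() if len(s) >= 3)


def tolerated_pairs():
    """Two-supply failures that the automatic logic still survives."""
    return [s for s in all_states() if len(s) == 2 and not scram_defeated(s)]


def one_from_each_group(stuck):
    """Equivalent form found by enumeration: the scram is defeated when at
    least one of {PS1, PS2} and at least one of {PS3, PS4} stay energized."""
    stuck = frozenset(stuck)
    return bool(stuck & {"PS1", "PS2"}) and bool(stuck & {"PS3", "PS4"})


if __name__ == "__main__":
    print("minimal cut sets:", [sorted(c) for c in minimal_cut_sets()])
    print("assumption 11 implied by assumption 12:", assumption_11_follows())
    print("tolerated pairs:", [sorted(p) for p in tolerated_pairs()])
    print("grouped form matches for all states:",
          all(scram_defeated(s) == one_from_each_group(s) for s in all_states()))
```

The enumeration shows that Assumption 11 adds no cut sets beyond those in Assumption 12, and that the only two-supply failures the logic survives are PS1 with PS2 and PS3 with PS4.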
Exposure Period
As documented in the main control room log, the reactor protection system trips
were tested on April 10, 2010, prior to restarting the reactor from a midcycle
outage. As documented in Assumption 3, this is when the failure of the M2
contactor most likely occurred. A quarterly surveillance of the system on
June 14, 2010, revealed that the contactor had failed. Therefore, the condition
existed 63 days before identification.
As stated in Assumption 4, it took an additional day for the licensee to
deenergize vital power to the contactor and verify that a half trip condition
existed. In accordance with the Risk Assessment of Operational Events
Handbook, Section 2.2, the exposure time for a component failure that was
determined to have occurred when the component was last functionally operated
should be the total time from the last successful operation to the unsuccessful
operation plus the repair time.
The total time from the last successful operation to the unsuccessful operation
was 63 days. The repair time until deenergization was 1 day. Therefore, the
total exposure time was then calculated to be the sum of these two, or 64 days.
Application of Recovery
As stated in the assumptions, other than appropriately modeled manual trip
actions, the analyst gave no operator action recovery credit for the
Contactor M2 failure because there was insufficient time to implement these
actions before postulated irrecoverable damage would occur and because parts
were not available.
Adjustment of Common Cause Component Failure Probability
As stated in the assumptions, reactor protection system Contactor M1 was
potentially affected by the performance deficiency. At least one shading coil
would easily come out of its recess, the contactor exhibited signs of age-related
fatigue, parts had significant scratching and indentations and the licensee had
determined in November 2008 that the contactor was obsolete and should have
been replaced.
The Risk Assessment of Operational Events Handbook, Volume 1, Internal
Events, Revision 1.01 stipulates, a component failure should be considered
independent (no common cause failure mechanism exists) ONLY when the
cause is well understood and there is no likelihood that the same components in
other trains or parallel component groups could fail for the same cause. A
presumption of zero common cause potential should be a rare occurrence.
The performance deficiency involved the licensee's failure to correct the
degrading conditions of the reactor trip contactors in a timely manner. This
deficiency resulted in the failure of Contactor M2. The same performance
deficiency also applied to the other reactor protection system contactors.
Based on the inspection of Contactor M1, the analyst determined that there was
a likelihood that the same circumstances could exist in this contactor. Therefore,
the analyst determined that the failure probability of the common cause
component group (for Contactors M1 and M2) needed to be increased.
The analyst used NUREG 5485, Guidelines on Modeling Common-Cause
Failures in Probabilistic Risk Assessment, November 1998, for the common
cause assessment. The analyst used the alpha-factor method to evaluate the
common cause failure probability. This method is described in NUREG 5485,
Section 5.3. Parametric Representation of Common Cause Basic Event
Probabilities. The alpha factor model is a multi-parameter model which can
handle any redundancy level and is based on ratios of failure rates, which makes
the assessment of its parameters easier when no statistical data are available.
The model has a simpler statistical model, and produces more accurate point
estimates as well as uncertainty distributions when compared to other parametric
models. The alpha factor model develops common cause failure frequencies
from a set of failure ratios and the total component failure rate.
For this specific case, there is a four-component common cause group,
Contactors M1, M2, M3 and M4. Assuming that Contactor M2 failed, the
conditional probability that Contactor M1 fails is of interest. For this particular
problem, the combination of one of M1 and M2 failing together or M3 and M4
failing together, a one-of-two-taken-twice logic scheme, must be evaluated.
There are two out of six such combinations in the group. Mathematically, the
conditional probability of Contactor M1 failing given that Contactor M2 has failed
is as follows:
$$P(M1 \mid M2) = \frac{P(M1 \cap M2)}{P(M2)} \qquad (1)$$
In the basic parameter model, the numerator is given by $Q_2$ if the independent
failures of two components are neglected (because they are negligible), and the
denominator is $Q_t$.
Note: $Q_k$ is the probability that a specific group of k components fails from a
shared cause. ($Q_2$ is a specific case of $Q_k$.)
$Q_t$ is the total component failure probability.
Neglecting independent failures of both components we have:
$$P(M1 \mid M2) = \frac{Q_2}{Q_t}$$
If we assume the components are subject to a staggered-testing scheme, we
have:
$$Q_2 = \alpha_2 Q_t$$
Substituting into Equation 1 gives:
$$P(M1 \mid M2) = \alpha_2$$
Note: $\alpha_k$ is the probability that when a common cause basic event occurs in a
common cause group it involves failure of k components.
According to NUREG/CR-5500, Volume 10, Reliability Study: Combustion
Engineering Reactor Protection System, 1984-1998, Table E-6, Page E19, the
alpha factor vector for the reactor trip contactors (four like components) is:
$\alpha_1$ = 9.52E-1
$\alpha_2$ = 3.59E-2
$\alpha_3$ = 1.03E-2
$\alpha_4$ = 2.20E-3
The common cause failure probability of Contactor M1 given that Contactor M2
has failed can be estimated as the $\alpha_2$ factor from the common cause component
failure group, or 3.59 x 10^-2/demand.
The analyst noted that although the common cause failure probability of
Contactors M3 and M4 would also be increased, the impact would be
substantially lower than the impact of M1 failing because both M3 and M4 would
have to fail to cause a failure of the reactor protection system. The probability of
M3 and M4 failing from a common cause given a failure of M2 can be estimated
as 3.70 x 10^-4/demand. This is two orders of magnitude less likely than the
failure of Contactor M1 alone and was not considered further in this analysis.
Change in Risk from Internal Initiators
The analyst created a more detailed model of the reactor protection system than
that provided in the Fort Calhoun SPAR, Revision 3.50. Idaho National
Laboratories assisted in incorporating this model into the SPAR model and
validating the impact (the associated fault trees are provided as Supplement 4).
The analyst calculated the change in risk related to this performance deficiency
using the following method:
The analyst quantified the new model and reestablished a baseline risk for the
plant (1.24 x 10^-5/year).
The analyst set Basic Event RPS-RYT-CF-M12, Common Cause Failure of
Contactors M1 and M2, to 3.59 x 10^-2/demand indicating the increased common
cause failure probability derived above. This increase in common cause failure
probability indicated the new failure probability for Contactor M1 given that
Contactor M2 had already failed. The analyst then set Basic
Event RPS-RYT-CC-M2 Contactor M2 Fails to Open upon Demand, to the
house event TRUE, indicating that the contactor had failed to open on demand.
The analyst quantified the model and the results are provided in Table 2 below.
The analyst considered using the modified model in this manner to be the best
estimate of risk.
TABLE 2
Phase 3 Results
SPAR Quantification
Baseline | 1.24 x 10^-5/year
Case | 1.57 x 10^-4/year
Difference | 1.44 x 10^-4/year
64-Day Exposure | 1.75 x 10^-1 years
CDF (Internal) | 2.53 x 10^-5
Seismic Initiator | 4.40 x 10^-7/year
Internal Fires | 1.29 x 10^-6/year
CDF (External) | 6.65 x 10^-7
CDF (Total) | 2.60 x 10^-5
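The arithmetic behind Table 2 can be reproduced from its printed values. The following Python is an added example, not NRC or licensee code. Its assumptions, none of them printed in the table, are a 365-day year, a seismic term taken over the full 1-year assessment period (inferred from the printed totals and the seismic discussion in the report), and colour thresholds on the change in core damage frequency taken from Inspection Manual Chapter 0609.

```python
# Values as printed in Table 2 of the report.
TABLE2 = {
    "baseline_per_yr": 1.24e-5,
    "case_per_yr": 1.57e-4,
    "seismic_per_yr": 4.40e-7,
    "fire_per_yr": 1.29e-6,
    "exposure_days": 64,
}

DAYS_PER_YEAR = 365.0  # assumption: 64/365 matches the printed 1.75 x 10^-1 years

# Assumption: SDP colour bands from Inspection Manual Chapter 0609
# (not printed on this page), highest first.
BANDS = [(1e-4, "Red"), (1e-5, "Yellow"), (1e-6, "White")]


def delta_cdf(t=TABLE2):
    """Change in core damage frequency over the exposure period."""
    exposure_yr = t["exposure_days"] / DAYS_PER_YEAR
    internal = (t["case_per_yr"] - t["baseline_per_yr"]) * exposure_yr
    # Inferred from the printed totals: the fire term is scaled by the
    # exposure period, while the seismic term is bounded over the full year.
    external = t["seismic_per_yr"] + t["fire_per_yr"] * exposure_yr
    return {
        "exposure_yr": exposure_yr,
        "internal": internal,
        "external": external,
        "total": internal + external,
    }


def sdp_color(delta):
    """Map a change in core damage frequency to its significance colour."""
    for threshold, color in BANDS:
        if delta > threshold:
            return color
    return "Green"


def days_to_reach(threshold, t=TABLE2):
    """Exposure (days) at which the total change reaches a threshold,
    under the same treatment of the seismic and fire terms."""
    rate = (t["case_per_yr"] - t["baseline_per_yr"]) + t["fire_per_yr"]
    return max(0.0, (threshold - t["seismic_per_yr"]) / rate * DAYS_PER_YEAR)


if __name__ == "__main__":
    result = delta_cdf()
    for name, value in result.items():
        print(f"{name:12s} {value:.3e}")
    print("colour:", sdp_color(result["total"]))
    print(f"days to reach 1e-5: {days_to_reach(1e-5):.1f}")
```

The recomputed values agree with the printed ones to within the rounding of the table inputs.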
Table 3 documents the major internal initiator sequences contributing
93.3 percent of the change in core damage frequency.
TABLE 3
Dominant Core Damage Sequences
Sequence | Description | CDF | % of Total
Transient 16-12 | Plant Transient, Failure of Reactor Protection System*, Failure of Relief Valves to Limit Reactor Pressure. | 7.95 x 10^-5/yr | 55.1
SLOCA 20 | Small-Break Loss of Coolant Accident and Failure of the Reactor Protection System*. | 2.16 x 10^-5/yr | 15.0
LOMFW 16-12 | Loss of Main Feedwater, Failure of Reactor Protection System, Failure of Relief Valves to Limit Reactor Pressure. | 9.94 x 10^-6/yr | 6.9
LOCHS 16-12 | Loss of Condenser Heat Sink, Failure of Reactor Protection System*, Failure of Relief Valves to Limit Reactor Pressure. | 7.95 x 10^-6/yr | 5.5
MLOCA 5 | Medium-Break Loss of Coolant Accident and Failure of Reactor Protection System*. | 7.21 x 10^-6/yr | 5.0
TRANS 16-10 | Plant Transient, Failure of Failure of Emergency Boration. | 4.55 x 10^-6/yr | 3.2
LOOP 23-12 | Loss of Offsite Power, Failure of Failure of Relief Valves to Limit Reactor Pressure. | 3.57 x 10^-6/yr | 2.5
SPURSGIS 16-12 | Spurious Steam Generator Isolation Signal, Failure of Reactor Protection System*, Failure of Relief Valves to Limit Reactor Pressure. | 3.17 x 10^-6/yr | 2.2
TRANS 16-11 | Plant Transient, Failure of the Failure of Emergency Boration. | 1.14 x 10^-6/yr | 0.8
SGTR 21 | Steam Generator Tube Rupture, Failure of the Reactor Protection System*. | 1.14 x 10^-6/yr | 0.8
NOTE: Failure of the Reactor Protection System includes a failure of the reactor
protection system to generate an automatic reactor trip; failure of operator actions
to manually trip the reactor; and failure of the diverse scram system.
The analyst noted that, in accordance with Inspection Manual Chapter 0609,
Appendix A, Determining the Significance of Reactor Inspection Findings for
At-Power Situations, the internal initiators indicated that this performance
deficiency represented a finding of substantial safety significance (Yellow).
Change in Risk from External Initiators
Seismic
The analyst used the techniques delineated in the Risk Assessment of Operational
Events Handbook, Volume 2, External Events, Revision 1.01, Section 4.0,
Seismic Event Modeling and Seismic Risk Quantification, to develop a
spreadsheet modeling the Fort Calhoun seismic hazard (Supplement 5). The
analyst then quantified the potential of having a seismically-induced loss of offsite
power with an ATWS (mitigated by a manual reactor trip) over the previous
1-year assessment period as a bounding condition. This was supported by
Assumptions 23 and 24. The results of this analysis are shown in Table 2.
Internal Fire
From the licensee's Individual Plant Evaluation of External Events, the analyst
identified six fire areas that contained equipment needed for mitigating an ATWS.
These included fires in the main control room, cable spreading room, Fire
Area 20 (Auxiliary Building general area at ground level), and the charging pump
area. The analyst quantified the change in risk by evaluating the fire ignition
frequency, the nonsuppression probability, and the change in conditional core
damage probability with a known failure of the M2 contactor (See spreadsheet in
Supplement 6). The results of this analysis are shown in Table 2.
In accordance with the guidance in Inspection Manual Chapter 0609,
Appendix H, this finding would not involve a significant increase in risk of a large,
early release of radiation because Fort Calhoun has a large, dry containment and
the dominant sequences contributing to the change in the core damage
frequency did not involve either a steam generator tube rupture or an inter-
system loss of coolant accident.
Assessment of Licensee's Risk Evaluation
The analyst also reviewed the licensee's comments provided on the reactor
protection system fault tree. The following comments were assessed:
1. The human error probability for human failure event RPS-XHE-XM-SCRAM,
Operator Fails to Manually Trip the Reactor, is 1.0E-02. Analysis with
SPAR-H suggests that a more appropriate probability would be 7.5E-04.
The analyst calculated a new human error probability using the SPAR-H
method, derived by the Idaho National Laboratory (documented in
Supplement 3). The new value, representing the best available information
for this failure, was 1.5 x 10^-3/demand as documented in Assumption 19.
In addition, the analyst requantified the assessment of this finding using the
licensee's value as a sensitivity. The result indicated a change of much less
than 1 percent of the total core damage frequency of the case (See Table 4
for results). Therefore, the analyst determined that this evaluation was not
sensitive to the probability of operators failing to manually trip the reactor.
2. The human error probability for human failure event RPS-XHE-ERROR,
Operator Fails to De-energize CEDM power Supply (Recovery Event), is
4.4E-01. Analysis with SPAR-H suggests that a more appropriate probability
would be 1.0E-03.
The analyst calculated a new human error probability using the SPAR-H
method, derived by the Idaho National Laboratory (documented in
Supplement 3). The new value, representing the best available information
for this failure, was 5.0 x 10^-1/demand as documented in Assumption 20.
The analyst noted that the licensee's analysis did not include the dependency
between this action and Basic Event RPS-XHE-XM-SCRAM. This
dependency is discussed under Assumption 20 and documented in
Supplement 3. The analyst determined that a dependency resulted based on
the action being performed by the same crew, close in time to the previous
action, and only one additional cue being the failure of the first action. After
discussing this with licensee analysts, they stated that there were no
additional cues or indications that could dispute this dependency.
However, the analyst requantified the assessment of this finding using the
licensee's value as a sensitivity. The result indicated a change of much less
than 1 percent of the total core damage frequency of the case (See Table 4
for results).
Therefore, the analyst determined that this evaluation was not sensitive to the
probability of operators failing to manually trip the reactor.
3. It appears that there is logic representing test and maintenance, or bypass,
which would prevent an M coil from de-energizing. An example is
Gate RPS-TRIP-PTH1-BYP. These types of activities are not performed
online. Refer to drawing E-23866-411-003. An example of a test that is
performed uses holding coils to prevent the AD contacts from opening if the
RPS 2/4 trip logic is satisfied. However, any of the other 2/4 trip
combinations - AB, AC, BC, CD, or BD - would still de-energize the M coils.
For example, see the logic combinations at drawing coordinate C7.
The analyst noted that the trip and bypass functions are utilized on a trip unit
basis and do not affect the entire trip path. To assess the effect of this
modeling on the final evaluation, the analyst viewed all cutsets that included
the test/maintenance and/or bypass basic events. Only five cutsets were
greater than the 1 x 10^-13/year truncation limit and these comprised less than
a tenth of a percent of the final change in core damage frequency.
The appropriate changes to the reactor protection system to reflect placing
trip units in the bypass or trip condition will be made prior to incorporating the
model into the SPAR for unlimited use. As a sensitivity study, the analyst
adjusted appropriate basic events so that all trip and bypass conditions would
be removed from the final cutsets. This did not change the first three
significant figures from the best estimate result (See Table 4 for results).
Therefore, the analyst determined that this evaluation was not sensitive to the
trip and bypass fault trees in the modified SPAR model for the reactor
protection system.
4. It is unclear how gate RPS-DSS-NOSGNL would be used. Diverse Scram
System (DSS) is actuated by high pressurizer pressure, so presumably the
purpose of this gate is to disable automatic DSS for initiating events that
cannot result in high pressurizer pressure.
The analyst explained to the licensee analysts that their presumption was
correct. Gate RPS-DSS-NOSGNL was used to model Assumption 15. No
additional licensee comments were made on this subject.
5. Refer to drawing E-23866-411-003. The fault tree appears to be missing the
interposing relays IR-1, IR-2, IR-3, and IR-4. For example, see IR-1 at
drawing coordinate C7.
The analyst agreed with the licensee analysts. The interposing relays were
added to the model for completeness and to add a better understanding of
the risk associated with the performance deficiency. The fault tree was
updated to model the interposing relays as described under Assumption 13.
6. It appears that the fault tree does not contain failure events for the manual trip push buttons and DSS switches. Perhaps those are subsumed into the
human error probabilities.
The analyst agreed with the licensee analysts. The manual trip pushbuttons
and DSS switches were added to the fault tree for completeness. The fault
tree was updated to model the pushbuttons as described under
Assumptions 16, 17, 19, and 20.
7. Generic analyses performed by Combustion Engineering for ATWS scenarios
using best estimate model assumptions and acceptance criteria that was
used to support PRA success criteria indicates that success could be
achieved if only half of the CEDM clutches are de-energized for some
initiators.
The analyst assessed this comment by the licensee and noted that the
generic analyses performed by Combustion Engineering were not
incorporated into the licensee's PRA model. The licensee's model indicates
that the failure of more than two control rods to insert represents an ATWS.
Sans additional plant specific evaluation and a complete understanding of the
initiators involved in the study, the analyst continued to assume that best
available information indicates that a failure of half the control rods to insert at
Fort Calhoun Station represents an ATWS.
Additionally, the analyst evaluated the probability that a reactor trip signal
would result in only one half of the control rods inserting. The analyst noted
that there are no specific active component failures in the reactor protection
system that would result in half the rods falling. For this to occur, the failure
of the M contactors would have to cause 2 of the 5 contacts to fail in the
closed position while an additional 2 would have to open.
Therefore, if this were determined to be a viable failure mechanism, it results
in a one in sixteen probability of the contactors failing such that half the
control rods would fall.
As a sensitivity, the analyst assumed that half the rods falling into the core
would only have a major impact on sequences that did not result in rapid
pressurization of the reactor coolant system. The analyst hand calculated the
worst-case results and determined that the change in risk was approximately
1.8 percent (See Spreadsheet in Supplement 7).
8. In your common cause model, $\alpha_2$ includes six combinations, but only 2 are
involved in the common cause failure of interest for this case. This results in
an overprediction of the failure probability of Contactor M1. We recommend
that the common cause failure probability for Contactor M1 given the failure
of Contactor M2 should be 1/3 $\alpha_2$ as opposed to $\alpha_2$.
The use of $\alpha_2$ is clearly delineated in the section Adjustment of Common
Cause Component Failure Probability, above. Had we wanted the
conditional probability of any of the contactors failing (Contactor M1 or
Contactor M3 or Contactor M4), given a failure of Contactor M2, we would
have:
$$P(M1 \cup M3 \cup M4 \mid M2) = \frac{P[(M1 \cap M2) \cup (M3 \cap M2) \cup (M4 \cap M2)]}{P(M2)} \qquad (2)$$
Equation 2 is a special case of Equation 1. Under the rare event
approximation, and ignoring independent failures, this equation reduces to:
$$P(M1 \cup M3 \cup M4 \mid M2) = \frac{3Q_2}{Q_t}$$
Therefore, for the more general case suggested by the licensee, using
Equation 2 we would find the result to be:
$$P(M1 \cup M3 \cup M4 \mid M2) = \frac{3Q_2}{Q_t} = \frac{3\alpha_2 Q_t}{Q_t} = 3\alpha_2$$
Again, for the specific case of the probability that Contactor M1 fails given
Contactor M2 has failed, this suggests that $\alpha_2$ is the best representation of
this common cause failure probability.
Additional Sensitivity Studies
To better understand the impact of the major assumptions on the final change
in core damage frequency and specifically address comments made in the
peer reviews, the analyst evaluated the following scenarios:
- The probabilities of operators failing to manually trip the reactor using
Pushbuttons 1 and 2, respectively, were replaced with the values
calculated by the licensee's risk analysts;
- Channel trip and bypass terms were set to the house event FALSE,
indicating that they could not affect the failure of the reactor protection
system;
- The common cause failure probability for Contactors M1 and M2 was
replaced with common cause basic events representing the upper and
lower bounds of the range of probabilities for the failure of
Contactor M1 given that Contactor M2 failed. This probability range
was hand calculated by experts from Idaho National Laboratories;
- The model was revised to indicate that the diverse scram system
would trip the reactor following a small-break loss of coolant accident;
- The common cause failure probability for Contactors M1 and M2 was
reset to its original value and the independent failure probabilities of
each of the four contactors were increased as opposed to adjusting
the common cause failure probabilities. The probabilities used were
derived by dividing the one known component failure by the number of
contactor cycles estimated for a 1-year (Higher) and a 12-year
(Lower) period, respectively;
- The change in risk was hand calculated given that the M contactors
could fail in a manner that would cause 1/2 the control rods to fall into
the core and that 1/2 the rods would appropriately control reactivity for
lower pressure sequences (documented in Supplement 7); and
- The failure probabilities for Vital Breakers CB-AB and CB-CD were
replaced with values representing: 1) twice the failure rate, 2) the
failure rate of molded case circuit breakers without holding coils, and
3) the failure rate of reactor trip breaker shunt trips.
The results of these sensitivity studies are shown in Table 4.
TABLE 4
Internal Events Sensitivity Study
| Sensitivity | Basic Event | Initial Value | Adjusted Value | Baseline | Case | CDF | Change* (Percent) |
|---|---|---|---|---|---|---|---|
| Best Estimate | | | | 1.24 x 10^-5/yr | 1.57 x 10^-4/yr | 2.53 x 10^-5 | N/A |
| Manual Trip | RPS-XHE-ERROR | 5.0 x 10^-1 | 1 x 10^-3 | 1.24 x 10^-5/yr | 1.57 x 10^-4/yr | 2.53 x 10^-5 | 0.00 % |
| | RPS-XHE-XM- | 1.5 x 10^-3 | 7.5 x 10^-4 | | | | |
| Channel Trip and Bypass | RPS-CBI-CF-ALL | 7.7 x 10^-7 | FALSE | 1.24 x 10^-5/yr | 1.57 x 10^-4/yr | 2.53 x 10^-5 | 0.00 % |
| | RPS-CBI-CF-4OF6 | 1.7 x 10^-6 | FALSE | | | | |
| | RPS-CBI-CF-6OF6 | 1.7 x 10^-7 | FALSE | | | | |
| | RPS-RYL-CF-M12BYP | 1.6 x 10^-8 | FALSE | | | | |
| | RPS-RYL-CF-ALL | 4.3 x 10^-8 | FALSE | | | | |
| | RPS-RYL-CF-M12TM | 1.6 x 10^-7 | FALSE | | | | |
| Alpha Factor Method (High) | RPS-RYT-CF-M12 | 3.59 x 10^-2 | 4.80 x 10^-2 | 1.24 x 10^-5/yr | 2.05 x 10^-4/yr | 3.38 x 10^-5 | (33.6 %) |
| Alpha Factor Method (Low) | RPS-RYT-CF-M12 | 3.59 x 10^-2 | 1.25 x 10^-2 | 1.24 x 10^-5/yr | 6.30 x 10^-5/yr | 8.87 x 10^-6 | 64.9 % |
| Small-Break | Small-Break LOCA actuates Diverse Scram System | | | 1.24 x 10^-5/yr | 1.39 x 10^-4/yr | 2.22 x 10^-5 | 12.1 % |
| Higher Independent Failure Rate (1 year) | RPS-RYT-CC-M1 | 1.2 x 10^-4 | 9.2 x 10^-3 | 1.24 x 10^-5/yr | 4.95 x 10^-5/yr | 6.51 x 10^-6 | 97.8 % |
| | RPS-RYT-CC-M2 | 1.2 x 10^-4 | 9.2 x 10^-3 | | | | |
| | RPS-RYT-CC-M3 | 1.2 x 10^-4 | 9.2 x 10^-3 | | | | |
| | RPS-RYT-CC-M4 | 1.2 x 10^-4 | 9.2 x 10^-3 | | | | |
| Lower Independent Failure Rate (12 years) | RPS-RYT-CC-M1 | 1.2 x 10^-4 | 7.6 x 10^-4 | 1.24 x 10^-5/yr | 1.56 x 10^-5/yr | 5.61 x 10^-7 | 74.3 % |
| | RPS-RYT-CC-M2 | 1.2 x 10^-4 | 7.6 x 10^-4 | | | | |
| | RPS-RYT-CC-M3 | 1.2 x 10^-4 | 7.6 x 10^-4 | | | | |
| | RPS-RYT-CC-M4 | 1.2 x 10^-4 | 7.6 x 10^-4 | | | | |
| Half Trip Acceptable | Half the Rods Falling would result in acceptable conditions for lower pressure failures, but would occur only 1 in 16 times. | | | 1.22 x 10^-5/yr | 1.54 x 10^-4/yr | 2.49 x 10^-5 | 1.7 % |
| Circuit Breaker Double Failure Rate | RPS-BSN-FO-CBAB | 5.0 x 10^-3 | 1.0 x 10^-2 | 1.24 x 10^-5/yr | 2.30 x 10^-4/yr | 3.81 x 10^-5 | (50.7 %) |
| | RPS-BSN-FO-CBCD | 5.0 x 10^-3 | 1.0 x 10^-2 | | | | |
| Standard Circuit Breaker | RPS-BSN-FO-CBAB | 5.0 x 10^-3 | 2.55 x 10^-3 | 1.24 x 10^-5/yr | 1.21 x 10^-4/yr | 1.90 x 10^-5 | 24.9 % |
| | RPS-BSN-FO-CBCD | 5.0 x 10^-3 | 2.55 x 10^-3 | | | | |
| Reactor Trip Shunt Trip | RPS-BSN-FO-CBAB | 5.0 x 10^-3 | 3.29 x 10^-4 | 1.24 x 10^-5/yr | 8.82 x 10^-5/yr | 1.33 x 10^-5 | 47.4 % |
| | RPS-BSN-FO-CBCD | 5.0 x 10^-3 | 3.29 x 10^-4 | | | | |

* NOTE: The percent change shown is for combined internal and external events results.