ML13340A091
| ML13340A091 | |
| Person / Time | |
|---|---|
| Site: | Nine Mile Point  |
| Issue date: | 11/01/2013 |
| From: | Constellation Energy Nuclear Group, EDF Group |
| To: | NRC Region 1 |
| References | |
| Download: ML13340A091 (47) | |
Text
ML13340A091 Nine Mile Point Unit 1 Regulatory Conference Loss of Shutdown Cooling November 1, 2013 Enclosure 4
NMP Participants Maria Korsnick CNO, COO and Acting CEO Chris Costanzo Site Vice President Jim Stanley Plant General Manager John Bouck Manager, Operations Elliott Flick General Manager, Fleet Engineering Bruce Montgomery Manager, Fleet Nuclear Safety & Security Terry Syrell Manager, Nuclear Safety & Security Jim Vaughn Shift Manager Larry Naron General Supervisor - Engineering Gareth Parry Industry PRA Consultant E. P. (Chip) Perkins Director, Licensing Enclosure 4
Agenda
- Opening Remarks Chris Costanzo
- Introduction Jim Stanley
- Summary of Event and Timeline John Bouck
- Additional Risk Mitigating Barriers Jim Vaughn
- PRA Analysis of Event Elliott Flick
- Lessons Learned and Conclusions Jim Stanley
- Questions Team
- Closing Remarks Chris Costanzo Enclosure 4
Nine Mile Point Unit 1 Loss of Shutdown Cooling Regulatory Conference Introduction Jim Stanley Plant General Manager Enclosure 4
Introduction We are extracting all of the learnings from the event
- Any unplanned loss of SDC is significant and does not meet our expectations
- Actions taken to respond rapidly and thoroughly
- Fixed procedures to prevent recurrence
- Restructured NMP2 outage schedule (LOOP/LOCA testing)
- Managing actions within our Corrective Action Program We have new data and information to show why the industry methodology for assessing human performance applied by NMP should be used to evaluate the significance of the event Enclosure 4
Introduction Technical difference between CENG and NRC Staff analysis of safety significance
- Difference is in how CENG and NRC Staff are handling HU elements
- Absent applying the RASP guidance HEP floor of 1E6, there is good agreement on CCDF between CENG and NRC Staff Summary: NMP believes, based on other risk mitigating factors, this event is of a very low safety significance Green Enclosure 4
Nine Mile Point Unit 1 Loss of Shutdown Cooling Regulatory Conference Summary of Event and Timeline John Bouck Manager, Operations Enclosure 4
Summary of Event and Timeline April 16, 2013, U1 was shut down for refueling Rx in cold shutdown (Mode 4), RV head installed but detensioned - drywell dome head is off
- RPV head is vented - 6inch vent pipe
- RPV level is at the RV flange / Time to boil: Approximately 2 hrs
- #12 SDC pump was in service
- #11 and #13 SDC pumps were available but breakers were racked out for LOOP/LOCA testing
- Prejob briefing to prepare for racking in breakers
- Operators were standing by locally to rack in breakers if necessary as a planned contingency; they were briefed with PPE staged
- Workers were in the reactor cavity at this time Normal RFO conditions Enclosure 4
Summary of Event and Timeline Loss of Power to Battery Board (BB) #12 1444 (T = 62m) to 1545 (T = 1)
- Control board annunciation and identification by Operators
- No equipment failures or faults
- SDC pump #12 continued to run (verified by Operators)
- Methodical and deliberate actions to restore power to BB
- 12 There were no equipment failures; SDC in service Enclosure 4
Summary of Event and Timeline Loss of Shutdown Cooling
- 1546 (T = 0): Closure of Static Battery Charger (SBC)171A attempted per N1OP47A, 125VDC Power Systems
- Momentarily energized BB#12 - but immediately tripped
- SDC Pump #12 tripped
- Original loss of DC power caused the high suction temperature relay to lose power
- Trip coil momentarily energized when BB #12 energized tripping SDC pump #12
- 1550 (T = +4m): Control Room Staff noted a change in critical parameters:
- RBCLC temperature dropped 67 degrees
- 0 amps on SDC pump #12
- Only took 4 minutes to diagnose the problem Through continuous review of critical plant parameters, Operators recognized the loss of SDC in 4 minutes Enclosure 4
Summary of Event and Timeline Recovery
- 1550 - 1603: First steps
- Shutdown safety risk reviewed
- Directed racking in breakers for #11 and #13 SDC pumps
- Electrical prints were reviewed and quickly identified the reason the SDC pump tripped
- 1603 (T = +17): SDC pump #11 started (SDC pump restarted in 17 min)
- Commenced efforts to restore SDC per procedure
- 1615 (T = +29m): SDC pump #13 started
- 1620 (T = +34 m): Coolant flow through core restored in accordance with procedures total rise in RPV water temperature: 30 degrees F
- 1648 (T = +62m): BB #12 power from SBC 171A with SDC pump #12 now available
- 1656 (T = +70m): SOP47A.1 and SOP6.1 exited (70 min after loss of SDC)
- 1711: Breaker for BB #12 is closed SDC pump restarted in 17 minutes Enclosure 4
Summary of Event and Timeline Summary
- SDC was not lost when Battery Board #12 was disconnected due to a HU error
- Loss of SDC was diagnosed in 4 minutes
- SDC pump was restarted in 17 minutes
- Coolant flow through core was restored in 34 minutes
- There were no equipment failures or HU errors associated with the loss or restarting of SDC
- Licensed Operators responded in accordance with standard practice, training, procedures, and preestablished contingencies
- Operators are regularly trained on loss of SDC (including simulator scenarios)
Prompt restoration of normal conditions Enclosure 4
Nine Mile Point Unit 1 Loss of Shutdown Cooling Regulatory Conference Additional Risk Mitigating Barriers Jim Vaughn NMP1 Shift Manager Enclosure 4
PRA Concept Overview Shutdown Cooling RPV Level Diagnose - - Diagnose And And Action - - Action Or CCDF Lost SDC but never lost RPV level make-up and management Enclosure 4
Three Success Paths with Redundancy Three Success Paths with Significant Redundancy
- #1) Normal Makeup
- #2) Identify Loss of SDC & Restore SDC
- #3) Identify Level Drop & Restore Level Reminder: Successful identification of any of the cues associated with any of the success paths (13) yields a successful outcome (e.g., no core damage)
Enclosure 4
Additional Mitigation Risk Factors
- 1 - BWR shutdown level control
- RPV makeup: Condensate/feedwater system
- RPV letdown: Reactor Water Cleanup System
- Any lowering RPV level due to boiloff would have been immediately addressed by adjusting makeup or letdown
- This Operator action is the primary barrier of maintaining core inventory at anytime during shutdown conditions A dedicated Reactor Operator was actively managing RPV level during the event - there was never a loss of RPV level control Enclosure 4
Maintenance of RPV Level in Cold Shutdown Monitor Level Raise Lower Flow Flow Going In Going Out Level too Or low?
Loss of DC or SDC had no impact on ability to maintain RPV level Enclosure 4
Three Success Paths with Redundancy Three Success Paths with Significant Redundancy
- #1) Normal Makeup
- #2) Identify Loss of SDC & Restore SDC
- #3) Identify Level Drop & Restore Level Reminder: Successful identification of any of the cues associated with any of the success paths (13) yields a successful outcome (e.g., no core damage)
Enclosure 4
Additional Mitigation Risk Factors
- 2 - Operators promptly recognized and diagnosed the loss of SDC. There were many opportunities for them to recognize the event in the CR Temperature Indications
- Reactor Building ClosedLoop Cooling - inlet and outlet temperatures SDC System Operation
- Loss of Pump Amperage Indication
- Loss of SDC Pump Discharge Pressure PPC Large Screen Displays set up to monitor critical parameters (screens displayed prominently with parameter trends atop panels in CR)
DA4267, RB 340 Fire Alarm - Steam would set off fire response on Refuel Floor Video #1 - Simulator scenario Operators recognized loss of SDC in 4 minutes Enclosure 4
Additional Mitigation Risk Factors
- 3 - There would have been additional obvious indications outside the CR of a loss of SDC
- Head was detensioned and vented and there were workers on the Refueling Floor; steam release would have been noticed
- Steam release would have set off one of many area radiation monitors (potentially prompting an Alert declaration)
- RP Techs in the area were continuously monitoring EDs; there are always RP Techs on the Refueling Floor during RFOs
- Outage Control Center (OCC) staff were monitoring activities on the Refueling Floor by communications and via cameras
- Video #2 - Emergency Condenser Operations - what does 40,000 gallons of water boiloff look like?
A loss of SDC would have been very obvious Enclosure 4
Additional Mitigation Risk Factors There were statements in the September 23, 2013, letter needing clarification:
SDC Pump Hi Temp Staff: Operator NMP: Annunciator is silent due to battery loss; missed it there was no alarm PPC Displays Staff: Operator NMP: Not relevant to analysis missed it Bus #12 Failure Staff: Operator NMP: Not relevant to analysis Alarm Log missed it It is not credible for the Operators to miss the loss of SDC Enclosure 4
Additional Mitigation Risk Factors Conclusions regarding recognizing and restoring SDC:
- Loss of SDC would be obvious
- Actions are well proceduralized and trained on
- Demonstrated response indicates crews are well prepared to respond to a loss of SDC and take action before RPV level is even challenged
- IF this fails, there are even more indications and contingencies to respond to a loss of level in a BWR Staff recognizes acceptability of manual actions Enclosure 4
Three Success Paths with Redundancy Three Success Paths with Significant Redundancy
- #1) Normal Makeup
- #2) Identify Loss of SDC & Restore SDC
- #3) Identify Level Drop & Restore Level Reminder: Successful identification of any of the cues associated with any of the success paths (13) yields a successful outcome (e.g., no core damage)
Enclosure 4
Additional Mitigation Risk Factors
- 4 - There were many CR instruments available that would have indicated a loss of level Multiple Level Indications (13)
- K panel Flange 3 to +3 ft flange level
- Fuel Zone Water Level Ch. 11 and 12 240100 *Reg Guide 1.97]
- K panel GEMAC 0100
- E panel GEMAC 0100
- F panel Ch. 11/12 Yarways 0100 *Reg Guide 1.97]
- F panel Ch. 11/12 GEMAC 0100
- F panel Level Chart Recorder 0100
- F panel Ch. 11/12 LoLoLo 33100 *Reg Guide 1.97]
PPC Large Screen Displays set up to monitor critical parameters (screens displayed prominently with parameter trends atop panels across the Control Room)
DA4267, RB 340 Fire Alarm - Steam would set off fire response on Refuel Floor Any single indication would have triggered the necessary Operator response Enclosure 4
Additional Mitigation Risk Factors Below are the 24 separate audible alarms associated with RPV Level (all available to the Operators during the event):
- F143/F446 Clear (RPS Hi Lvl, 95)
- F233 Clear (RPV Hi/Lo level, 83)
- F233 Alarm (RPV Hi/Lo level, 65)
- F113/F416 Alarm (RPS RPV Low Level, 53) *EOP/SOP Entry+
- F121/F428 Alarm (RPS Auto Trip, 53)
- F242/F343 Alarm (ATWS Ch. 11/12 Trouble, 5)
- F123/F426 Alarm (RPS RPV LoLo level, 5) *SOP Entry+
- F132/F437 Alarm (Vessel Isolation, 5)
- F135/F434 Alarm (Containment Isolation, 5)
- F146/F443 Alarm (RPS Core Spray Auto Start, 5)
- F142/F447 Alarm (Main Steam Auto Isolation, 5)
- F144/F445 Alarm (EC Auto Initiation, 5)
- F133/F436 Alarm (RPS Level LoLoLo, 10)
Video #3 - Multitude of CR indications (next)
Any single annunciation would have triggered the necessary Operator response Enclosure 4
Video #3- Multitude of CR Indications CENG a joint venture of I Constollatlan ..* .. eoF Enclosure 4 0 E:nwgy" '
Additional Mitigation Risk Factors
- 5 - Operators could have initiated makeup with a CRD pump from the Control Room
- This is contrary to the September 23, 2013, letter which concludes field actions are required. This is only true during non emergency, normal operations.
- Operator actions are included in the procedure and trained on in the simulator.
- Actions are straightforward and regularly trained on.
Enclosure 4
Additional Mitigation Risk Factors
- 6 - There were a number of other systems available to the Operators for RPV cooling and makeup
- Eleven (11) systems were available with varying makeup capacity in excess of an estimated 65 gpm boiloff rate
- Loss of BB#12 restricted 5 of the systems for 68 min after loss of SDC
- Operators are trained on all 11 systems in a variety of simulated accident scenarios, including loss of SDC events
- Operators are trained to use these systems in accordance with clear, well written procedures
- NRC Staffs Inspection Manual Part 9900: Technical Guidance (see C4) recognizes manual actions are acceptable in place of automatic systems with written procedures and training on those procedures beforehand Any single make-up system would have provided success Enclosure 4
Additional Mitigation Risk Factors
- 7 - Core Spray (with automatic initiation) was restored to availability 8.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> into event
- Could have been restored within 15 minutes - since SDC had been restored, restoration of Core Spray was in accordance with pre planning
- Core Spray restored prior to the 9hour projected RPV level reaching top of active fuel
- Had the Operators failed to take action to restore SDC or diagnose and manually inject, Core Spray would have injected automatically prior to uncovering fuel based on the timeline of the event
- Not recognized in September 23, 2013, letter Had NMP recognized Core Spray system availability and communicated this earlier to NRC Staff, a Phase 3 analysis may not have been needed Enclosure 4
Additional Mitigation Risk Factors
- 8 - There were many licensed Operators in the plant at the time of the event
- In addition to the licensed staff (2 ROs & 3 SROs), there were 5 SROs/4 ROs/2 additional licensed managers in and in close proximity to the CR during this event
- It is typical for additional licensed personnel to be in the plant during outages
- Clarification to the September 23, 2013, letter: There is recognized value of the extra licensed personnel
- NUREG/CR1278 (Section 18) credits four licensed CR personnel as the minimum group to address events
- NUREG/CR1278 (Section 19) recognizes the value of additional licensed personnel for recovery actions Additional staffing is not credited in PRA analysis Enclosure 4
Additional Mitigation Risk Factors
- NRC Staff agrees that there may be added worth to additional personnel, but the analyst knows of no other guidance on when, how, or if to credit additional personnel.
Conclusion:
Thus, this conservative choice in the analysis will inflate the risk associated with the event. With a 1.1E6 probability, more realistic modeling if available would likely drive the number to less than the 1E6 threshold for a white finding.
Additional factors would tend to drive PRA analysis results even lower.
Enclosure 4
Nine Mile Point Unit 1 Loss of Shutdown Cooling Regulatory Conference PRA Analysis of Event Elliott Flick General Manager, Fleet Engineering Enclosure 4
PRA Analysis of Event Summary View on PRA:
- Either of two independent operator actions would prevent core damage (restore SDC and maintain RPV level)
- CENG and NRC Staff evaluations determined no dependency existed for the operator actions
- CENG and NRC Staff quantitative evaluation of the individual operator actions closely agree
- Results diverge based on NRC assigning a minimum HEP value for the two combined independent actions:
- NRC Staff: SPARH; RASP Volume 1, Rev 2 (NRC Staff Guidance)
Reference:
Technique for Human Error Rate Prediction (THERP) is a technique used in the field of Human Reliability Assessment (HRA), for the purposes of evaluating the probability of a human error occurring throughout the completion of a specific task.
Enclosure 4
PRA Analysis of Event Event was evaluated using standard PRA techniques and principles Mitigation of this event required Operators to either:
- Restore SDC, or
- Maintain RPV above top of active fuel Initial plant conditions (approximate):
- 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to boiling in RPV
- 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> lowlow Level in RPV
- 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> for inventory to reach top of active fuel 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> were available to take actions.
Enclosure 4
PRA Analysis of Event Both CENG and NRC Staff analysis agreed: zero dependency associated with the two actions Dependency factors considered:
- Same Crew: a shift turnover would have occurred prior to a projected boiloff to top of active fuel;
- Common Cognitive: a variety of cues and procedures applied
- Same Time: cues occur over a lengthy time frame (hours)
- Adequate Resources: Extra personnel almost double the normal control room complement
- High Stress: we classified this as a nominal stress event
- Same Location: strong cues from both control room and refuel floor
- Timing: substantial time was available to act Agreement on zero dependency - differences between NRC Staff & CENG analysis of human performance factors.
Enclosure 4
PRA Analysis of Event The RASP handbook references EPRI Report 1021081 Establishing Minimum Acceptable Values for Probabilities of Human Failure Events, for these type of evaluations. From RASP handbook:
- EPRI Report 1021081 provides a more detailed approach in determining the level of dependence between HFEs and applying minimum joint probabilities. Based on the determination of the level of dependence, an analyst will assign a joint HEP of 105 (low dependence) or 106 (very low dependence). In addition, the report states that, if the criteria for independent HFEs are met, it should not be necessary to employ an alternative minimum value rather than the one calculated.
Minimum HEP should not always be applied.
Enclosure 4
PRA Analysis of Event CENG and NRC Staff agree:
- Risk Calculation (w/o the RASP guidance 1E6 quantification limit) is at least 5.6E8 Alignment of SDC and RPV injection NRC CCDP CENG CCDP No Joint HEP quantitative limit 6.1E8 5.6E8 Joint HEP quantitative limit 1E7 1.4E7 1.6E7 Joint HEP quantitative limit 5E7 5.4E7 5.6E7 Joint HEP quantitative limit 1E6 (using RASP Handbook 1.1E6 1.1E6 guidance)
NRC Staff & CENG calculations are close.
Enclosure 4
PRA Analysis of Event RASP guidance assigning a 1E6 limit for multiple HFEs
- Compensates for limitations in ability for existing PRA methods to evaluate the HEP for highly reliable actions
- However, 1E6 has no firm technical basis
- Applying the limit does not discriminate between cases where there are many versus a single success path
- Applying 1E6 may not significantly affect base CDF/LERF
- 1E6 was chosen as not to dominate the risk results Applying the minimum HEP has value in many cases; however it is not applicable to this case.
Enclosure 4
PRA Analysis of Event Applying 1E6 limit is inappropriate in this case
- Given the plethora of cues, it is inconceivable that the operators would not have the correct plant status assessment
- No mechanism (cognitive or physical) can be postulated that would result in a failure to respond in the time available
- 1E6 has no firm technical basis
- 1E6 is so conservative that it drives the outcome of the SDP Applying the minimum HEP significantly distorts reality and is inappropriate in this case.
Enclosure 4
Conservatisms Overstate Risk & Dilute Insights Inaccurate Characterisation of Risk
=
1E6 Quantitative limit conservatism
+
Overwhelming indications on Refuel floor and in the Control Room Conservatism
+
CR Staffing, Stress, Training Conservatism
+
Multiple indication and success path conservatism Layers of
+ Conservatism Crew Turnover Conservatism Enclosure 4
PRA Analysis of Event HRA modeling of actions with very low probabilities is challenging and the resulting HEPs are very uncertain Qualitative factors must also be considered to give an accurate assessment of risk Defense in Depth / Conservative PRA techniques distort risk perspective Riskinformed decisionmaking must recognize the limitations of quantifying very reliable, independent human actions Assessing plant performance should recognize qualitative risk mitigating factors and independence in this case.
Enclosure 4
PRA Analysis - LERF Analysis Large Early Release Frequency (LERF) analysis projects margin to public risk
- The NRC Staff evaluation assumes a large release occurs <2 hours after RPV level lowers to the top of active fuel
- Computer modeling (MAAP) concludes no appreciable release before 4.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />
- CENG and NRC Staff agree that a General Emergency evacuation could be effectively completed in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> (less than half the time before a projected early release per MAAP predictions)
There was a longer time to projected release.
Enclosure 4
PRA Analysis - Evacuation Study Risk to the public was very low; study showed evacuation could be effectively completed within 1 hr 40 minutes
- Commissioned an evacuation time estimate analysis using actual conditions at the time a General Emergency would be declared
- Used guidance in NUREG/CR7002, Criteria for Evacuation Time Estimate Studies There was time to evacuate the public.
Enclosure 4
Nine Mile Point Unit 1 Loss of Shutdown Cooling Regulatory Conference Lessons Learned and Conclusions Jim Stanley General Plant Manager Enclosure 4
Conclusions We are extracting all the learnings from the event
- Any unplanned loss of SDC is significant and does not meet our expectations
- Taken Actions - responded rapidly and thoroughly
- Fixed procedure problems to prevent recurrence
- Restructured NMP2s outage schedule (LOOP/LOCA testing)
- Managing actions within our corrective action program We have communicated new data and information to show why the industry methodology for assessing human performance applied by NMP should be used to evaluate the significance of event; Enclosure 4
Conclusions We believe the CENG PRA analysis for NMP1 is sound
- CENG PRA yields CCDF 5.6E8 for this event
- Analysis based on accepted industry methodology
- Includes conservatism /provides a more realistic picture of risk
- Potential human errors are understood and modeled
- Additional risk mitigating barriers
- Staff guidance (Part 9900): acceptable to credit manual actions
- An automatically initiated system (CS) was restored prior to the projected time of 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> (RPV level to top of active fuel)
- Operators never lost awareness and control of RPV level Summary: NMP believes, based on our analysis and other risk mitigating factors, this event is of a very low safety significance Green Enclosure 4
Questions and Closing Remarks Enclosure 4