ML17309A846
| ML17309A846 | |
| Person / Time | |
|---|---|
| Site: | Crystal River, Saint Lucie |
| Issue date: | 07/30/1996 |
| From: | Butcher E NRC (Affiliation Not Assigned) |
| To: | Hebdon F NRC (Affiliation Not Assigned) |
| Shared Package | |
| ML17309A847 | List: |
| References | |
| TAC-M93372, NUDOCS 9608010200 | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
July 30, 1996

MEMORANDUM TO: Frederick Hebdon, Director, Project Directorate II-3, Division of Reactor Projects I/II
FROM: Edward J. Butcher, Chief, Probabilistic Safety Assessment Branch, Division of Systems Safety and Analysis
SUBJECT: RESPONSE TO REQUEST FOR ASSISTANCE IN ADDRESSING ISSUES REGARDING ST. LUCIE EMERGENCY DIESEL GENERATOR FUEL OIL TRANSFER SYSTEM LEAK ISOLATION AND USING OPERATOR ACTION IN PLACE OF AUTOMATIC ACTION (TIA 95-013)

Plant Name: St. Lucie Unit 2
Utility: Florida Power & Light Co.
Docket No.: 50-389
TAC No.: M93372
Project Manager: Leonard A. Wiens
Review Branch: SPSB
Review Status: Complete

The attachment to this memorandum is our response to TIA 95-013.
It contains our responses to the specific questions raised by Region II regarding the 10 CFR 50.59 FPL Safety Evaluation (JPN-PSL-SENS-95-013), and the application of PRA methodology and related issues.
If you have any questions regarding our response to the TIA request or regarding the licensee's PRA assessment which was included in the TIA, please contact John Schiffgens at 415-1074 (E-mail: JOS), or John Flack at 415-1094 (E-mail JHF).
In addition, we are in the process of developing a formal position on the use of PRA in the 10 CFR 50.59 process which will be sent to you in a separate memorandum.
Attachment:
As stated
RESPONSES TO SPECIFIC TIA 95-013 QUESTIONS

Is the attached 10 CFR 50.59 FPL Safety Evaluation (JPN-PSL-SENS-95-013) considered acceptable?

No.
The attached 10 CFR 50.59 FPL Safety Evaluation is not considered acceptable.
The 50.59 evaluation prepared by FPL for St. Lucie is not acceptable because it involves an unreviewed safety question.
An unreviewed safety question exists because the proposed change introduces a new procedure and associated malfunction of a different type (operator error) and involves an increased probability of the malfunction of equipment important to safety (mechanical valve failure to open).
Specifically, the 2B EDG fuel oil isolation valve, which is a manual valve, is normally in a LOCKED OPEN position and requires no change-of-state for EDG operation.
The proposed change involves operating with this valve in the closed position and opening it manually as needed.
With the valve in the closed position, two new failure modes exist for the fuel oil supply system: failure of the operator to open the fuel oil manual isolation valve, and mechanical failure of the valve to open.
One failure mode results in a malfunction of a different type, introducing operator error where no operator action was required before.
The other increases the probability of malfunction of the valve, since the probability of failure to open is greater than zero, where it was zero before.
Both increase the probability of malfunction of the 2B EDG.
In the evaluation, JPN-PSL-SENS-95-013, Rev. 0, page 8, FPL improperly answered the question "Does the proposed activity increase the probability of occurrence of a malfunction of equipment important to safety previously evaluated in the SAR?" by stating that "the compensatory actions assure the reliability of the EDG fuel oil supply."
In general, the introduction of compensatory measures suggests that there is an unreviewed safety question for which compensation is needed; hence, a 50.90 submittal should be prepared by the licensee and evaluated by the staff to determine whether the compensation is adequate.
Frequently, however, licensees refer to risk reducing features that are an integral part of the change as compensatory measures.
For example, introducing operator instructions for a newly instituted manual operation should not be considered a compensatory action, nor should new administrative controls intended to assure sufficient time to perform the action.
Although NRC Inspection Manual, "Part 9900: 10 CFR Guidance," provides some limited guidance on compensatory actions, the staff is in the process of better defining what constitutes appropriate use of compensatory measures in 10 CFR 50.59 safety evaluations.
In this case, the change consists of the licensee introducing a procedure and operating restrictions to replace an automatic "supply on demand" condition.
The "compensatory" actions were intended to make the procedure as reliable as the original configuration; however, they did not.
The licensee also stated that "the failure of the EDG fuel oil isolation valve is possible" and provided a quantitative assessment.
Its 10 CFR 50.59 evaluation quantified the change in frequency of the loss of the B side electrical bus in conjunction with a LOOP initiating event.
The result obtained was a 6X increase in the frequency per year of the loss of the 2B3 4.16kV bus in conjunction with a LOOP.
The report does not provide sufficient detail on model and assumptions to evaluate the licensee's analysis.
It should be noted that for an appropriate analysis (i.e., one intended to demonstrate compliance with the provisions of 10 CFR 50.59), the change should have been assessed in terms of the probability of malfunction of equipment or the probability of occurrence or the consequences of an accident.
In this case, the licensee should have explicitly evaluated the probability of malfunction of the B EDG.

From a PRA perspective, is it possible to completely mitigate a risk, once introduced?

Yes.
Not only can an introduced risk be mitigated, i.e., reduced, it can have a positive safety impact, i.e., the risk can be made lower than it was originally. It is often a matter of economic balance; how much will it cost to reduce the risk.
It is frequently possible to put in place equipment, change equipment configurations, and/or change procedures so as to effectively and satisfactorily mitigate risk (e.g., to mitigate the increase in risk associated with an increase in the probability of equipment malfunction or accident initiation) in a cost effective manner when the introduced risk is fully understood.
This is significant with regard to 50.90 submittals.
10 CFR 50.59 evaluations are concerned with identifying unreviewed safety questions, i.e., with deciding whether the proposed change (a) may increase the probability of occurrence or the consequences of an accident or malfunction of equipment important to safety previously evaluated, (b) may create a possibility for an accident or malfunction of a different type than any evaluated previously, or (c) reduces a margin of safety as defined in the basis for any technical specification.
That is, 10 CFR 50.59 is concerned with whether there may be a decrease in safety, not with how "large" it may be.

Is the licensee's position (that the risk of operator failure/error can be mitigated, probabilistically, through procedures and training) valid?

Yes.
Operator failure probabilities can be reduced through the use of improved procedures, proper training, increased knowledge, etc.
However, it should be noted that although the probability of human error can be reduced or mitigated through procedures and training, it cannot be reduced to zero.
It should also be noted that for a given task, hardware is usually more reliable than human action, and the uncertainty associated with quantifying human action is usually greater than the uncertainty associated with hardware reliability.
For example, if an automatic hardware action is substituted with a human action, the point estimates of the failure probabilities for the human performance are generally greater than for the hardware performance and there is usually more uncertainty associated with the human error probability than there is with the hardware failure probability.

Do probabilistic estimations of operator error rates presuppose the existence of procedures and training and if so, can one then take credit for them in a deterministic mitigation of risk?

In human reliability analysis (HRA), performance shaping factors (PSFs) modify human error probabilities by accounting for the impact of various factors on operator actions.
PSFs include procedures and training among other factors such as stress, environmental conditions, etc.
However, analysts will sometimes use "screening" values for human error rates.
These screening values are usually bounding "guesses" and may not include performance shaping factor aspects.
Whether or not credit can be taken for the existence of procedures and training in a "deterministic mitigation of risk" is outside the purview of PRA. If by "deterministic mitigation of risk" is meant "evaluation of the mitigation of risk using techniques other than probabilistic,"
one should be able to take credit for procedures and training in assigning an "effectiveness measure" to operator actions.
The difficulty would be in devising a "measure" and applying it systematically in a deterministic framework.

4. Can 10 CFR 50.59 requirements (that the probability of failure of components important to safety not be increased if no unreviewed safety question is deemed to exist) be satisfied if new failure mechanisms are added to a previously reviewed system?

A proposed change, test, or experiment (CTE) cannot be made under the provisions of 50.59 if it involves an unreviewed safety question.
The stated change, resulting in the introduction of a new failure mechanism (e.g., replacing a manual valve with an MOV), would involve an unreviewed safety question, because it may result in a malfunction (of equipment important to safety) of a different type than any evaluated previously in the safety analysis report.
In addition, a change which introduces a new failure mechanism may increase the probability of malfunction of equipment (e.g., a train or system) important to safety previously evaluated, and thereby also constitute an unreviewed safety question.

5. PRA insights are beginning to provide a more structured evaluation process for proposed changes to facilities and, as a result, are showing that changes (in a 10 CFR 50.59 context) present finite, although small, increases in the probabilities of failures.
Is there a threshold value of increased probability (representing "negligible" or "insignificant" increases) below which 10 CFR 50.59 criteria (for demonstrating that unreviewed safety questions do not exist) are satisfied?

No.
According to the rule, the proposed CTE must not, nor have a credible potential to, result in a finite increase in the probability of failure in order for it to be implemented under the provisions of 10 CFR 50.59.

The response to a related TIA from Region II, transmitted via letter from you to Edward Greenman dated June 23, 1993, stated in part that "NRR has no particular objection to the use of PRA in 10 CFR 50.59 evaluations but recommends that it play a supportive role in conjunction with other inputs, such as engineering judgement and operating experience." In the given case at St. Lucie, when PRA insights provide information counter to (as opposed to supportive to) the 10 CFR 50.59 conclusions, is it appropriate to accept deterministic conclusions over the PRA-indicated increase in probabilities of failure?

In general, when there are differences in conclusions based on deterministic considerations compared to those based on probabilistic considerations, the solution is not to simply accept one over the other but to determine the reason for the differences.
Fundamentally, such analyses, if done properly, should complement each other, the latter being an extension of the former.
In this regard, it should be kept in mind that engineering judgement about components and systems is incorporated in PRA models, as is operating experience and associated data.
The inputs to different assessments need to be consistent if the outputs or results are to be consistent.
Frequently, differences can be reconciled by identifying and evaluating assumptions incorporated in the assessments.