Text

.

U: ITED STATES OF A!* ERICA I;UCLEAR REGULATORY COMMISS10t1

,BEFORE THE ATOMIC SAFELY Afl0 LICENSIfiG BOARD In the Matter of

)

)

SACRAMENTO MUf11CIPAL UTILITY

)

Docket No. 50-312 (SP)

DISTRICT

)

~

)

(Rancho Seco Nuclear Generating

)

Station)

)

HRC STAFF TESTIM 0i1Y OF DALE F. THATCHER RELATIVE TO THE INTEGRATED CONTROL SYSTEM (Board Question 16)

Q l.

Please state your name and your position with the NRC.

A.

My name is Dale F, Thatcher.

I am an employee of the U. S. Nuclear Regulatory Cormission.

I was responsible for the review and evaluation of instrumentation and control systems for Babcock & Wilcox (B&W) operating reactors fol1 wing the Three Mile Island Unit 2 (TMI-2) incident.

9 Q 2.

Have you prepared a statement of professional qualifications?

A.

Yes. A copy of my statement of professional qualifications is attached to the"NRC Staff Testimony of Dale F. Thatcher Relative to Direct Initiation Of Off-Normal Conditions In The Feedwater System ' filed in this proceeding.

There I also explain the nature.of ny responsibilities with respect to the Rancho Seco Nuclear Generating Station.

Q 3.

What is the purpose of your testimony?

A.

The purpose of my testimony is to respond to Board Question 16 which states:

Board Question 16 SMUD, the licensee, has done insufficient analysis of the failure mode and effects analysis of the integrated control system, and therefore, Rancho Seco is unsafe and endangers the health and safety of Petitioners, constituents of Petitioners and the public.

1/

002220 8

. Q 4.

Describe the Rancho Seco Integrated Control System (ICS).

A.

Trae ICS includes four subsystems.

The four subsystems are the unit load derand control, the integrated master control, the steam generator control, and the reactor control. The system philosophy is that control of the plant is achieved through fecd-fontard control from the unit load derand control.

The unit load demand control produces demands for parallel control of the turbine, reactor, and steam generator feedsater system through respective subsystems.

The integrated master centrol (IMC) is capable of automatic turbine valve con-trol from minimum turoine load to full output.

The steam generator control is capable of automatic or manual feedv.eter control from startup to full output.

The reactor control is designed for automatic or manual operation above 15%

output and for manual operation below 15%.

The basis function of the ICS is matching megawatt generation to unit load demand.

The ICS does this by co-ordinating the steam flow to the turbine with the rate of steam generation.

To accomplish this efficiently. the following basic reactor / steam-generator requirements are satisfied:

1.

The ratios of feedv;ater flov: and Btu input to the steam generator are bal-anced as required to obtain the desired steam conditions.

2.

Btu input and feedwater flow are controlled:

To compensate for changes in fluid and energy inventory requirements a.

at each load.

e b.

To compensate for teuporary deviatior.s in feedaater temperature re-sulting from load change, feed, tater heating system upsets, or final steam pressure changes.

Q'5.

What function is the Rancho Seco ICS intended to perform?

A.

The ICS provides the proper coordination of the reactor, steam generator, feed-water control, and turbine under all operatir.g conditions.

Proper coordination consists of producing the best load response to the unit load demand while recognizing the capabilities and limitations of the reactor, steam generator, Ilhen ~ ny single portion of the plant is at an feedsater system, and turbine.

a operating 1:dt or a control station is on nnual, the ICS design uses the limit or manual station as a load reference.

The ICS maintains constant average reactor coolant (RC) temperature between 15 and 100% rated power and constant steam pressure at all loads.

Optimum unit performance is maintained by limiting steam pressure variations; by limit-ing the inbalance between the steam generator, turbine, and the reactors; and by limiting the total unit load demand upon loss of capability of the steam generator feed system, the reactor, or the turbine generator.

The ICS provides limiting actions to ensure proper relationships between the generated load, turbine valves, feedwater flow, and reactor power.

In performing its functions, the ICS interacts with, i.e., it receives inputs from and provides outputs to, a number of other related plant control systems. For example, in controlling the reactor there is inter-action with control rod drive system, in controlling feedwater there is interaction with the feedwater pump control and the feedwater valve control, and in controlling the turbine there is interaction with the turbine electro-hydraulic control (EHC) system and the main steam valves such as atmospheric dump valves and turbine bypass valves.

In som operating L% plcnts including 1ri-2 ar.d T.inths Sece, the ICS also controis auxiliary (energency) feentater ficw during lcss cf r.ain feedwater or loss of all reactor coolant pumps via control valves responding to steam generator level signals.

Q 6.

With specific reference to the TMI-2 incident, does the ICS pose a safety concern in the view of tha NRC Staff with rdgard to its function to auto"1atically regulate auxiliary feedwater flow?

A.

At the time of the TMI-2 event, a specific safety concern was expressed with regard to the reliance on the ICS to regulate auxiliary feedwater flow for loss of main feedwater.

Q 7.

What was the nature of that-concern?

A.

There was concern that the ICS could fail or malfunction in some manner to prevent the supply of energency feedwater when required. Subsequent investigation suggests that the ICS at TMI-2 did perform its intended function.

Q 8.

Have any steps been taken at the Rancho Seco facility to deal with the ICS concerns relative to auxilfary feedwater flow raised by the TMI-2 incident?

If so, indicate what steps have been taken.

A.

As a result of the Cormission Order of May 7,1979, the Rancho Seco plant was to develop and implement operating procedures for initiating and controlling auxiliary feedwater independent of ICS control, In the NRC Staff " Evaluation of Licensee's Compliance with the NRC Order dated May 7,1979; " Docket No.

50-312, dated June 27, 1979, page 13, we concluded that the Rancho Seco plant could initiate and control auxiliary feedwater independent of ICS including starting the pumps and controlling the AFW bypass valves. Based on the measures

. taken at Rancho Seco to initiate and control auxiliary feedwater independent of the ICS, the Staff concluded that continued operation of Rancho Seco was acceptable.

Q 9.

ll111 any future steps be taken at Rancho Seco facility relative to the ICS and its function to control auxiliary feed <.ater flow? If so, please identify what those actions will be and the time frame within which they will be completed.

A.

Yas. In a letter dated October 18, 1979, J. J. Mattimoe to D. Eisenhut, the licensee corm'itted to install a safety grade auxiliary feedsater control system independent of the ICS.

The licensee has comitted to implement i.hese requirements during the 1931 refueling outage.

This would completely remove the initiation and control of the auxiliary feedwater system from ICS.

In addition, the system would meet requirements equivalent to those outlined in response to Question 10 of "NRC Staff Testimony of Dale F. Thatcher P. elative to Direct Initiation of Reactor Trip Upon The Occurrence of Off-flormal Conditions In The Feed. vater System".

Q 10.. For each step identified in response to Question 9 above, indicate why the Rancho Seco facility may continue to operate in the interim prior to cor:plete implemantation of the action to be taken.

A.

The implementation of the safety grade requirements will help ensure a highly reliable automatic initiation and control of auxiliary feedwater in the long term. However, in the interim, the procedures in place at Rancho Seco provide a fully independent method to initiate and control AFW should the ICS fail.

See: " Evaluation of Licensee's Compliance with the NRC Order dated May 7, 1979,"

pp.12-13 (June 27,1979). This coupled with the improvements in overall reli-

. ability of the Rancho Seco auxiliary feedwater system (See: Testimony of Phil Matthews in Response to Board Question CEC 1-6) provides assurance that the Rancho Seco auxiliary feedwater system will perform its function as required.,

Q 11. With specific reference to the THI-2 incident, does the ICS pose a safety concern in addition to that related to auxiliary feedwater flow?

A.

A general safety concern was expressed with regard to the con. plex role of the ICS in overall plant control, and whether or not it performs this function satisfactorily.

In order to determine the potential contribution of the ICS in plant upsets, the staff concluded that further investigation was needed.

Q 12. What furthar investigations are presently in progress?

A.

The NRC Staff believed that a failure mode and effects analysis of the ICS would provide a more comprehensive understanding of this control system and provide necessary guidance for determining the need for further requirements with respect to the ICS.

The licensee committed to submit a failure mode and effects analysis (FMEA) of the Integrated Control System to the NRC Staff as soon as practicable.

The Comission Order of May 7,1979 confirmed that this would be carried out in the long term.

A failure mode and effects analysis is a systematic procedure for identifying the modes of failure of a system and for evaluating their A FMEA is considered (as stated in IEEE 352-1975, "IEEE Guide consequences.

for General Principles of Reliability Analysis of Nuclear Power Generating Station Protective Systems") to be the first general step of a reliability analysis.

It can potentially provide some early useful information and provide a basis for later studies and/or analyses.

Ty;;cally a FMEA has been utilized as a tool to help systematically evaluate plant safety systems (such as the reactor protection and engineered

. safety features actuation system) to deter..ine if a single failure can prevent the system safety function.

It is a requirement that for plant safety systems no single failure shall prevent the system safety function.

Plant control systems such as the integrated control system (ICS) have typically not been required to meet this single failure criterion.

However, for any system, including a control system, a TMEA can ba used to identify failure modes which could lead to undesirable consequences.

B&W has performed an FMEA on the integrated control system (ICS) as part of its reliability analysis of the ICS. The other part of the reliability analysis is a review of the ICS' " Operating Experience". The FMEA and Operating Experience are documented in B&W Report BAW 1564, " Integrated Control System Reliability Analysis".

Based on the overall reliability analysis, the report makes recommandations to be evaluated on a plant-specific basis.

The recormendations highlight areas in which B&W believes improvements could potentially contribute to improved overall operation of the facility.

The majority of the recccmendations involved areas out' side the ICS itself, and were not specific in nature because of the des.ign differences which exist in these areas at the different plants.

Therefore, based on the recommendations, the NRC Staff requested (by letter dated November 7, 1979) that all B&W licensees evaluate the report's recommendations and include followup action plans. We are presently evaluating the responses.

In addition, Oak Ridge National Laboratory (ORNL) has reviewed the B&W report for the NRC Staff and reported its results in a Report Review, " Integrated Control System Reliability Analysis," trans-mitted to the Staff on January 21, 1980.

A copy of the ORNL report is attached to this testimony.

8-In addition, the NRC has one study underway entitled " Integrated Reliability Evaluation Program (IREP)." Althopgh this program is still being developed, it does have as one of its objectives to identify the risk significance of the close-coupling of primary and secondary coolant systems and of the systems interactions originating in the Integrated Control System at B&W reactor plants.

The results of this program may give some indication of the relative signifi-cance of the Integrated Control System in the overall risk from operation of B&W plants and, as a result, help determine the need fcr furtha.r study.

Q 13. What are the Staff conclusions in this area?

A.

The Staff concluded that each plant needed to evaluate (as requested) its specific design with respect to the potential for improvement as summarized in the report by B&W.

From the ORNl. Review, it appears that although tne ICS and related control systens contain areas which can potentially be improved, the ICS itself has proven to have a low failure rate and it does not appear to precipitate a significant number of plant upsets.

Specifically, the examination of the failure statistics revealed that only a small number of ICS malfunctions resulted in reactor trip (approximately 6 of 162).

From this data, ORNL concludes that the system is failure tolerant to a significant degree.

In addition, ORNL has suggested areas for further study. We are in the process of reviewing the ORNL final report and will determine any further action to be required by the licensee.

Q 14. Based on the Staff's review, are any further steps contemplated for the Rancho Seco facility relative to the ICS?

A.

The Staff's preliminary evaluation of the licensee's response (dated January 21, 1930, J. J. Mattimoe to R. Reid) to our November 7,1979 request indicates

.g.

that the licensee is inplemnting modifications or is in the process of evaluating moc.fications related to the recommendations of the B&W report (BAW-1564).

~

The licensee is implemnting a power supply modification related to the recomendation of the B&W report.

This modification is intended to increase power supply reliability and is to be completed during the January 1930 outage.

Other recomandations are being evaluated by the licensee, but at this time, no specific actions have been defined.

The Staff is continuing to study and review this area as I indicated in my response to Question 13 above.

However, the Staff has made no further specific recommendations in this area at this time.

Q 15.

Explain why cor'inued operation of the Rancho Seco facility is permissible prior to completion of the studies which the Staff has undemay.

A.

The bases for continued operation prior to the completion of all studies and/or analyses is that, although there are areas which could potentially be improved, the present ICS tas proven to have a low failure rate and does not initiate a significant nuuber of plant upsets.

In addition, ORNL has concluded that the analysis (BAW-1564) shows that anticipated failures of and within the ICS are adequately mitigated by the plant safety systems, and that many potential failures would be mitigated by cross checking features of the control system without challenging the plant safety systems.

DALE F. THATCHER PROFESSIONAL OUALIFICATIONS INSTRUMENTATION & CONTROL SYSTEMS BRANCH DIVISION OF SYSTEMS SAFETY t

I am a Senior Reactor Engineer in the Instrumentation and Control Systems Branch, Division of Systems Safety, Nuclear Regulatory Comission.

From May to December 1979, I was assigned to the Bulletins and Orders Ta:k Force as a technical reviewer in the area of instrumentation and control.

Just prior to this assignment I was a member of the NRR team which aided in the Three Mile Island Recovery Operation.

In the ICSB, my primary responsib'lity is to perform technical reviews of the design, fabrication, and operation of instrumentation and control systems for nuclear power plants. This review encompasses evaluation of applicant's safety analysis reports, generic reports and other related information on the instrumentation and control designs.

I graduated from Lehigh University with a Bachelor mf Science Degree in Electrical Engineering in June 1971..

From my graduation in Jure 1971 until my employment at the Comission, I was an Instrumentation Engineer with Gilbert Associates, Inc., an Architect-Engineering comr,any located in Reading, Pennsylvania. My responsibilities included the dr. sign and evaluation of various instrumentation and control systems including primarily the areas of reactor protection systems and other safety systems for virious domestic nuclear power plants.

I joined the Regulatory staff of the Atomic Energy Commission in March 1974 as a Reactor Engineer. Since then, I have participated in the review of instrumentation control and electrical systems of numerous nuclear power stations and standard plant designs.

In addition, I have participated in the formulation of related standards and regulatory guides.

I am a member of the Institute of Electrical a:,d Electronics Engineers (IEEE) and have participated in the developmut of IEEE Standard 379-1977, "IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class IE Systems" and other proposed standards.

4 INSTRUMENTATION AND CONTROLS DIVISION Report Review:

Integrated Control System Reliability Analysis **

Review by J. L. Anderson S. J. Ditto R. S. Stone Oak Ridge National Laboratory Oak Ridge, Tennessee 37830 4

R. A. Hedrick A. F. McBride J. R. Penlar.d Science Applicatiotis, Inc.t 4

• Research sponsored by the Division of Systems Safety, U. S. Nuclear Regula Pory Cor: mission under Interagency Agreement No. 40-544-75 with the U. S.

Separtment of Energy under contract W-7405-eng-26 with the Union Carbide. Corporation.

B3 R. L. Dungan, L. L. Joyner, G. P. Bennett, and C. W. Tally, Babcock & Nilcox, BAW-1564 (August 1979).

tUnder Subcontract No. ~

DUPLICATE DOCUMENT Entire document previously entered into system under:

ANO No. of pages:

19 APPENDIX A: QUESTIONS AND RESPONSES s

t 9

e

20 Af ter a preliminary review of the B&W analysis, we submitted several questions to B&W to obtain an expansion or clarification of information l

presented in their report or to obtain other information not contained in the report which may be germane to the review. B&W invited the reviewers, NRC staff members, and representatives of the Toledo Edison and Duke Power Companies to their facilities in Lynchburg, Virginia, to hear their responses to the questions. This meeting was October 23, 1979.

The questions and the reviewers interpretation of the responses follow.

The reviewers have added some additional interpretations and observations su=marized from the group discussion.

Ql.* There may be a significant difference between failure mdea or con-ditions uith an FEA that are based on functional block diagrams rather than on equipment block diagrams.

Were the functional failure assumptions compared with actual equipment failure mdes to assure that they are realistic and meaningful?

R.

Functional block diagrams were used to reduce the scope of the effort and allow the analysis to be accomplished in the requested time frame. As ctated in their report and in discussions, B&W believes that the functional approach is adequate and that ver*/ few cbservations would be in error as a result of. this choice.

C.

An ex' ample of a possible incorrect or incomplete conclusion arising from this approach is that failure considerations of the turbine bypass valve control do not include details of wnether condenser cooling is available and whether the control will be transferred to the condenser l,

dump or to the atmospheric dump. Also not considered is operator response or interference / interaction. This example was selected bect.use the recom-mendations of the B&W analysis include additional analysis of bypass valve failure.

Q2. Att assumptions of ICS eignal input failure appear to be either high or too, with some attempt to identify a "uorat case. " Some of the operable plants under revieu potentially could experience midscale failures.

There is some evidence that some midscate failures could be vorse than high or too failures, as experienced by the plant selected as typical, Rancho Seco.

Are there plans for including nidecate failures in the analysis and hou is the validity of the analysis compromised by not including midecate failures?

R.

B&W considers (1) midscale and multiple-input signal failures to be either outside the boundaries of the ICS or outside the scope of the review as determined by B&W, and (2) the high or low signal assumptions to be the worst case for single failures.

• Q, question; R, response by B&W; and C, comment by ORNL reviewers.

21 C.

We find no specific evidence to confim this assu=ption. With regard to multiple-input signal failures, operating experience confirms that this is a highly credible event which can result from the single failure of a power supply in the NNI in the input signal selection circuitry. An example of such a failure is the Rancho Seco event of March 20, 1978. We believe that the B&W decision not to include consideration of failures beyond the actual ICS cabinet terminals is a serious shortc ming of the analysis, especially since considerable operating experi... indicates that power supplies are not reliable. B&W recomends further analysis of the ICS and NNI power supplies based on this operating experience.

Q3.

Virtualty att of the evente/ failures considered in the analysie appear to be based on "nomat" conditions, that is, when att plant equip-ment is fhnationing at nominal design points.

Our timited information regarding the same operating eaperience suggests that many of the abnormal occurrences vere the direct result of some plant equipment not f%nctioning; for example, three primary pume instead of four vere running, one instead of tuo feedsater puma vaa running, one or more hand / automatic stations vaa in manuat, to name three instances. Since thees seem to be the more signif-icant initial conditions for unsatisfactory ICS perforrawe, hou is their omission justified? Were any of these " interesting" events analyzed but not reported?

R.

B&W did not miss any significant transients or protective system chtJ1enges by not incl.uding off-nomal, initial conditions. No unreported analyses were perfomed from off-nomal conditions.

C.

Since B&W did not confim this contention, we find it difficult to support. Our evaluation of plant events involving the ICS is that the majority of these events occurred from off-nomal initial conditions and/or with some function (s) of the ICS in manual or tracking modes. This experi-ence would tend to deny their assertion.

Q4. What process was used to determine the "effect on the NSS"? Neither the technique nor the justification is included in the analysia.

What verification techniques vere employed for the " effects" analysia?

R.

The effects were evaluated by knowledgeable people with plant experience.

QS. The POWR : PAIN IV (PT-IV) code obviously has a limited ability to simulate the NSS and BOP responses. Hou significant is this tir:titation on the analysis? In particular:

(a) Describe the extent to which the simulation uas used to predict resulta.

(b) Describe errors and uncertainties which might have reeutted from the Limited djnamic range and functional detait of the si.aalation.

(c) Describe to what extent the simulation reeutta vere verified with plant data.

22 (d) Describe the extent to uhich the simulation was valid or invalid for each of the individual plants and their differences, especially feed-uater systems.

(e) Was the simulation capable of dealing with off-normal operation, such '.

as three primary p: cps or partial man:uzt opemtion?

R.

PT-IV was used in about 75% of the cases to evaluate the effects on the NSS, along with supplemental " engineering judgment." This code nas the following features: two steam generators modeled in continuous space and discrete time; steam lines; feedwater pumps; feedwater heaters; condenser; pressurizer; turbine dynamics; and valves.

The primary system includes pump characteristics programmed from other codes as a table and appropriate transport lags (%10 s).

The pressurizer modeling includes the effects of surge flows, spray flows, internal flows with condensation and flashing, heaters, and safety and power-operated relief valves. The ICS model uses a dedicated digital computer (EAI-640) and is a digital model of an analog system utilizing functional blocks.

One feedwater valve model is used to represent all W valves.

Ihe limiting ranges of PT-IV are reported to be: primary pressure of 1500-3000 psi, secondary pressure of 500-1500 psi, temperature (primary and secondary) of '400-700*F, and feedwar.e" temperature of 350-700*F.

The hybrid model uses two EAI-680 analog computers and one CDC-1700 digital computer. Due to computer limitations, there is not much detail of the feedwater system. A more complete model (not PT-IV) would include pump drains, flash tank levels, and condensate pumps, as well as main feed pumps. The condensate pumps have suction pressure trips that sometimes actuate when the interceptor valves close. This is not medeled. Turbine trip is the transient used t6 check the code with plant data. The validity of the comparison is judgmental. The model is n_q valid at low powers.

C.

Within the limitations of the effects considered and the comparisons of the effects with plant data, we expect the results of PT-IV to be reasonably valid.

Q6. The ability of the ICS to respd property to its design basis and other pwbable conditions is not addressed.

That is, design problems associated with nomit operation or maneuvering are not included, unless a failure is assumed.

This may be outside the scope of the NRC request, but the intere.ations of the ICS feeduater systems observed in operating plants is:icate that this my be a valid concern.

Were the design probicme and conponent limitations associated with c=pected normat opera-tion analyzed and documented? Are these analyses available?

R.

B&W has no strong motivation to improve the performance of the ICS.

Its utility customers have no significant unresolved complaints about the ICS.

23 C.

Subsequent discussions with three plant owners confirm this acceptance.

Q7. Is there any connection, physical or phenomenological, betueen reactor protection system (RPS) sensore and ICS inputs? Which comon signals, if any, initiate trip, and uhat is the possibility that common-signal or signal-conditioning failures could initiate a plant tmnaient through the ICS, requiring a response of ths RPS to such signals.

R.

RPS signals are used by the ICS with suitable buffering. The redundancy provided in the RPS satisfies the requirements of IEEE-279.

Q8. MA categories for "causes," detection," and "propagetion potential" uculd yield helpful information. Has this type of infontation been gener-ated and is it available?

R.

Identification of component causes is not considered necessary.

Detection of component failures is not warranted, considering the low failure rate. The propagation potential for failures in analog systems is difficult to predict.

Q9. The impact of power supply failures appears to be inadequately addressed, eepecially considering that events of much more significance than those analyzed have occarred at operating vtan+s. Roo is the omission of these conciderations justified, and is more comprehensive s

pouer supply failure analysis availcble?

R.

Power supply reliability is a problem for the customers to resolve.

It is a recognized problem that must be resolved planc by plant. This is

.l one of the principal recommendations of the report.

Q10. A significant numb:r of trips appear to have occurred when portions of the system vere in a manual mde of operation.

What fraction of time is it estimated that control ctations are in a manual mode, and what are the problems associated uith this sede of operation of the ICS?-

R.

No data are available for the manual operating mode. Manual modes are judged to be used most of ten for startup and testing. The ICS is not designed to deal with many abnormal situations (e.g., odd alignment of equipment).

Q11. Hou veil does historical failure data on ICS 721 and 820 compare viih predictions based on nominal behavior? Is there evidence of acceb rated failure?

R.

A higher " burn-in" failure rate was experienced Lut it has leveled off. The long-term failure rate remains level. TMI-l and Oconee 1, 2, and 3 are 721 models. All others are 820 models.

Q12. hitiple failures are not annunciated.

Therefore, uncorrected failures may exist until other failures occur, resulting in effective multiple failures. It appears that multiple failure situations my have

24 a significant probability of occurrence. Rou is the omission of multiple failure considerations justified in the analysis? Might fault tree analysis have been a better technique for addressing the concerns eapressed and producing the results requested?

R.

The effort required to conduct a fault tree analysis is consid d

excessive. The FMEA report addresses failures considered to be "ia,.,rtant."

C.

The limited scope of the FMEA casts some doubt on this position.

Q13. The analysis does not include infomation to substantiate the B&W recomendation that improvement is needed in pouer supplies, signal selec-tion, and signal reliability. Please supply the analysis or the information ich led to this recanmendation. In particular, does B&W have specific recomendations to i.mprove the failure tolerance of the ICS?

R.

No additional data are available.

Q14. Operating experience reports and oral infomation not included in the analysis suggest that the ICS and the BCP system, including the CTSG, are sensitive to " tuning" and component problems, such as feebater valve speed and leakage.

Describe the edent to which these problems are significant, how they '1 ave led to misopemtion and RPS challenges, and hou they might be avoided. Are " tuning" problems inherent to this type of plant, or do they represent design deficiencies which can be corrected?

R.

The adequacy of tuning is based on customer acceptance. According to Licensee Event Report statistics, B&W plants have fewer total reactor trips and fewer feedwater trips than either of the other PWR types.

Q15. Many Licensee Event Reports, as well as this analysis, indicate that the opentor is implicated in a large number of occurrences of poor ICS opention. Many of these events also involve slightly off-normal conditions such as nonstandard pump and valve alignment.

Do these events represent design deficiency, opemtor twining deficiency, or a combina-tion of these? Does B&W have recomendations to correct these deficiencies and on uhat schehle can they be implemented?

R.

Most Problems occur due to maintenance, testing, or equipment problems that require manual intervention. Also, the system is not designed for fully automatic startup.

e

25 APPENDIX B: TRANSMITTAL LETTERS 9

9 I

e