ML19331D667
| ML19331D667 | |
| Person / Time | |
|---|---|
| Site: | Zion File:ZionSolutions icon.png |
| Issue date: | 08/29/1980 |
| From: | Naughton W COMMONWEALTH EDISON CO. |
| To: | Harold Denton Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML19331D668 | List: |
| References | |
| NUDOCS 8009030439 | |
| Download: ML19331D667 (33) | |
Text
/^N Commonwealth Edison
/
'T i) c One First N tional Ptiza. Chiccgo. Ilknois Address R: ply to: Post Offica Box 767 THIS DGCUMENT CONTAINS (j chicago. Illinois 60690 P90R QUAW PMES August 29, 1980 Mr. Harold R. Denton, Director Of fice of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555
Subject:
Zion Station Units 1 and 2 Implementation of Six Month Confirmatory Order items NRC Docket Nos. 50-295 and 50-304 Reference (a):
February 29, 1980 letter from H.
R. Denton to D. L.
Peoples
Dear Mr. Denton:
Reference (a) contained a Confirmatory Order dated February i
29, 1980 for Zion Station Units 1 and 2.
That Order required Commonwealth Edison Company to perform certain actions within six (6) months of the date of the Order.
Attachment A to this letter provides Commonwealth Edison's response to those items.
Please address any questions that you have concerning this matter to this office.
One (1) signed original and thirty-nine (39) copies of this letter and seven (7) copies of the attachments are provided for your use.
Very truly yours, 4.C
~
William F. Naughth Nuclear Licensing Administrator Pressurized Water Reactors WFN: rap Attachments 5848A w
8 0 0 90 3 0 'l 3 A
NRC Docket Nos. 50-295 50-304 ATTACHMENT A Commonwealth Edison Company's response to the NRC Staff's six (6) month items of Section F of Appendix A in Reference (a) follow.
F.1 Conduct a review of past Licensee Event Reports (LERs) at Zion Units 1 and 2.
These LERs shall be reviewed to identify design inadequacies (common mode failures, systems interactions, etc.), procedural and training inadequacies, and man-machine / human factor inadequacies.
Recommendations shall be submitted for correction of the base cause of the subject LERs.
Immediate corrections of deficiencies will be made when possible, with the required notifications to be made to the NRC.
Commonwealth Edison Company has conducted a review of past Licensee Event Reports (LERs) at Zion Station in accordance with the above item.
A report of the results of this review including the criteria and methodology employed is included in Appendix A to this letter.
As this report indicates, portions of the study are continuing.
I l
\\
. F.2 Meet meteorological acceptance criteria for emergency preparedness contained in Annex 2 to this Appendix, pending necessary equipment deliveries and installation (including computer hardware and software modifications).
During the interim period while modifications are being completed, real time forecasting will be available and provided by a consultant.
Commonwealth Edison Company's response to this item is contained in Appendix B to this letter which contains Revision 2 of a report entitled the " Commonwealth Edison Company Offsite Dose Calculation System."
This report describes a computer-based method for estimating the environmental impact of unplanned airborne releases of radioactivity from nuclear stations.
The Of fsite Dose Calculation System (ODCS) is designed to meet the meteorological criteria of NUREG-0654,
" Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants," and the requirements of Item F.2 of the February 29, 1980 Confirmatory Order for Zion Station.
As indicated in Appendix B, a real-time forecast will be provided during the period while modifications are being completed.
l
. F.3 Conduct a study to determine and document the method by which its plants comply with current safety rules and regulations, in particular those contained in 10 CFR Parts 20 and 50.
Commonwealth Edison Company has conducted c study to determine the method by which the Zion plants comply with 10 CFR Parts 20 and 50.
The results of this study are contained in Appendix C to this letter which contains a document entitled "10 CFR Parts 20 and 50, Compliance Study for Zion Units 1 and 2".
This report does not include the post Three Mlle Island plant modifications which are currently in progress.
_, ~. - -
. F.4 Evaluate the reliability and failure modes of selected systems / components as follows:
- a. Failure Mode Effects Analysis:
Examine the failure modes (random failures and consequences of outages in support systems) of the active components on the reactor coolant pressure boundary.
Assess the acceptability of these failure modes.
- b. Implement Failure Mode Ef fects Analysis for minor departures from operating, maintenance and emergency procedues.
- c. Explore ways to improve the reliability of those components with a particularly high failure rate as delineated in NUREG/CR-1205.
Commonwealth Edison Company has performed the recommended evaluations.
The reuslts of these evaluations follow,
- a. Commonwealth Edison has performed a failure mode and effects analysis of all active components on or within the reactor coolant boundary.
The review included:
reactor coolant pumps; relief and safety valves; pressurizer spray valves and auxiliary spray pumps; control rod drive mechanisms and housings; drain valves; and check and air operated valves interfacing with other systems.
All these identified failure modes have been considered in earlier plant reviews.
In particular, Chapter 14 of the Zion FSAR addresses the following items:
Control Rod Withdrawals; Control rod Mechanism Housing Ruptures; Reactor Coolant Pump Trips and Seizures; Startup of an Inactive Reactor Coolant Pump; and Primary System Pipe Ruptures that Bound Ruptures in Active Components on the Reactor Coolant System Boundary.
The Zion FSAR analyses bound the worst effects of single failures on the reactor coolant system boundary and have satisfactorily demonstrated acceptable system performance following such failures.
The details of the review are shown in Table F.4-1.
-S-In addition, a long term risk analysis is being performed by Pickard, Lowe and Garrick, Inc. (PL&G) to provide a detailed assessment of the dominant contributors to risk from the Zion Units.
Failures on the reactor coolant pressure boundary are considered in that work along with equipment and human failures in other areas of the plant.
Commonwealth Edison believes that a plant risk assessment is the proper vehicle for assessing the af fects on risk of specific plant failures.
The PL&G study will apply the basic techniques of WASH-1400 to determine the public risk due to operation of the Zion units.
The analysis will be site specific:
the hardware systems in place at each unit are being analyzed using fault tree techniques; modeling of human interaction is based on the existing plant procedures; local terrain, meteorology, and demography are being used in the consequence assessement.
Actual operating and maintenance histories from the units will be used to update generic industry data to obtain plant specific data.
Causes of equipment falure are being examined in detail and the final analysis will include the effects of random failures, human interactions,
- tests, maintenance, environmental factors, and various combinations thereof.
Results of the study will include identification of dominant contributors to risk - systems, components, causes, etc.
Although this PL&G study is scheduled for completion later this year, the NRC Staff is currently performing a detailed review of the study as it progresses.
- b. The analysis for the reactor coolant system in Table F.4-1 included ef fects from maintenance and procedures.
Detailed review of the effects of these procedures on power plant risk for other sytems is included in the PL&G risk analysis.
Minor departures from operating and maintenance procedures can lead l
only to abnormal conditions that can be corrected before components or systems are lost.
The more severe problems manifest themselves in the plant specific failure rate and initiating event frequency data developed for the plant risk study.
Detailed review of that cata, especially where it differs substantially from generic data, should provide clues l
to help identify problems that have developed due to departures from procedures and, more importantly, indicate ways in which procedures can be modified to help avoid problems.
l l
l
. Departures from emergency procedures have potentially more serious ef fects since the plant is in a degraded condition when these procedures are in use.
- However, most of the critical actions described in the emergency procedures occur automatically and are backed up by the operator (human interaction).
Before minor departures from emergency procedures could have great significance, some failures in the automatic equipment must have already occurred.
Errors such as securing an automatic function (ECCS for example) when still required must be considered major departures from emergency procedures and are handled explicitly in the forthcoming PL&G risk assessment.
Once again, review of plant data (specifically Licensee Event Reports (LERs) and reactor trip records) can provide valuable information.
Currently, emergency procedures are receiving considerable detailed attention.
The Zion technical staff has recently revised key emergency procedures to take advantage of the lessons learned at TMI.
Furthermore, Commonwealth Edison is reviewing the procedural recommendations of the Westinghouse Owners Group.
The Westinghouse Owners Group recommends restructuring the emergency procedures in a way that significantly enhances the likelihood of successful diagnosis and recovery.
- c. The Commonwealth Edison process for reviewing component failures includes the LER review process.
These review processes identify failure modes and implement corrective action to prevent recurrence.
One component which is identified in NUREG/CR-1205 is the turbine-driven auxiliary feedwater pump.
Modifications have been made on these pumps to improve reliability.
The risk study evaluation by PL&G when completed will identify not only those components with high failure rates, but more importantly those components important to overall plant safety.
The response to this item is most properly addressed in the context of the complete plant risk assessment i
study.
"Particularly high failure rate" of a l
component has no real meaning except in the context of system performance.
When used in combination with other equipment, a component with a seemingly low reliability, may provide an essential and acceptably reliable system function.
Moreover, redundancy and repairability can compensate for high failure rate leading to a high reliability group of low realibility components.
A major result of the PL&G risk study will be a ranking of components with respect to each ones' contribution to overall risk.
F.5. Attain. full compliance with NRC letters concerning AFWS reliaallity improvements.
To date, Commonwealth Edison has received one letter from the NRC Staff concerning AFWS requirements, specifically the September 18, 1979 letter from D. G.
Eisenhut to Cordell Reed entitled "NRC Requirements For Auxiliary Feedwater Systems At Zion Station Units 1 and 2."
In response to that letter Crmmonwealth Edison has submitted the following letters saich either meet or provide schedules for meeting thrs NRC requirements on AFWS:
- 1. October 18, 1979 letter from D. L. Peoples to D. G.
Eisenhut;
- 2. November 14, 1979 letter from D. L. Peoples to D. G.
Eisenhut;
- 3. December 18, 1979 letter from D. L. Peoples to D. G.
Eisenhut;
- 4. December 31, 1979 letter from D. L. Peoples to D. G.
Eisenhut (Proposed License Amendment Change);
- 5. March 12, 1980 letter from W. F. Naughton to D. G.
Eisenhut; j
- 6. March 18, 1980 letter from W. F. Naughten to D. G.
l Eisenhut (Response to Generic Request);
I
- 7. March 18, 1980 letter from W. F. Naughton to D. G.
l Eisenhut; and
- 8. May 1, 1980 letter from D. L. Peoples to H. R. Denton.
Based on a review of these letters and commitments contained therein, Commonwealth Edison concludes that full l
compliance has been achieved for the Zion units with regard to commitments made to NRC Staff for improving AFWS reliability.
Submittal of the AFW pump endurance test results will complete Commonwealth Edison's commitments to the NRC Staff regarding AFWS at Zion Station.
This report is currently in draft form and will be transmitted to the NRC Staff in the near future.
1 5848A 1
\\,
~.
Table F.4-1 ZION 1 AND 2 RC PRESSURE BOUNDARY FAILURE MODE AND EFFECTS ANALYSIS 1
i Fai re Component Cause Significance e
1.
Reactor Coolant Pumps (4) a.
Seize Bearing failure (motor or pump).
Rapid loss of flow in one loop Loss of component cooling water causing sudden loss of heat and seal water (2 minutes). Loss removal. Included as an initi-of component cooling water ating event ir the global risk (30 minutes).
study but not of major signifi-cance with respect to risk.
b.
Broken shaf t Faulty repair, poor design, Same as la.
~
improper materials.
c.
Trip Motor protective circuits, loss Less severe than seizure.
of ofIsite power.
d.
Sealleakage
- 1 Seal failure - 400 gpm LOCA. Can be severe enough to i
- 2 Seal failure (to RCDT)-
require ECCS actuation. Included
]
400 gpm in the global risk study as a 1
- 1 Sealleak off valve fails LOCA initating event.
j closed, leak off through #2 Seal.
- 3 Seal is a gas trap only.
e.
Overheating Loss of component cooling water Bearings overheat, bearing damage (30 minutes),
and possible seizure. Pump trip.
f.
Loss of electric Breakers trip, etc.
Trip affected pumps.
power
Table F.4-1 (continued)
ZION 1 AND 2 RC PRESSURE BOUNDARY FAILURE MODE AND EFFECTS AN ALYSIS (continued)
Fai e
Component Cause Significance e
2.
Power Operated Relief Valves (2) a.
Fail to open on Signal failure (air or control Pressurization of reactor coolant demand circuit).
system continues. Backup relief provided by second PORY (possible) and three ASME code safety valves, b.
Fail to open on Mechanical failure - binding.
Same as 2a.
demand N
c.
Spurious operation Inadvertent signal (testing).
Small LOCA, can occur as a result of a short in the control system. Can be isolated by motor-operated valve.
d.
Fails to reclose Signal does not clear.
Small LOCA, but very unlikely failure cause. Isolable by motor-operated valve.
e.
Fails to reclose Mechanical binding.
Most likely failure mode. Isolable by motor-operated valve.
f.
Fails to reduce Operator / procedures. PORY block Both PORVs blocked--only the ASME system pressure valves closed.
code safety valves remain to protect against overpressure.
Table F.4-1 (Continued)
ZION 1 AND 2 RC PRESSURE BOUNDARY FAILURE MODE AND EFFECTS ANALYSIS (continued)
Fai e
Component Cause Significance e
3.
ASME Code Safety l
Valves (3) a.
Fails to open on Maladjustment.
Valve opens at a slightly higher demand pressure. Very little plant significance, b.
Fails to open on Mechanical failure.
If all ASME code safety valves demand fail to open, a LOCA will certainly occur at some weak point in the system. Because of the safety valve design, it is extremely unlikely that all three will fail to lif t before some other component in the reactor coolant system breaks.
c.
Fails to rescat at Maladjustment.
Reactor coolant system pressure set pressure will blow out to below the design value. ECCS may actuate. Minor and self-correcting LOCA sequence.
d.
Fails to rescat at Mechanical failure.
LOCA.
set pressure.
Table F.4-1 (Continued)
}
ZION 1 AND 2 RC PRESSURE BOUNDARY FAILURE MODE AND EFFECTS ANALYSIS (continued) 1 l
Component Cause Significance Fa e
e 4.
Pressurizer Spray I
Valves (2) a.
Fails to open Circuit failure.
Minor, backed up by auxiliary spray from charging system and PORVs and ASME code safety valves.
j b.
Fails to open Mechanical failure.
Minor. Same as 4a.
l l
c.
Opens inadvertently Control circuit failure.
Can lead to a low pressure reactor j
trip and a safety injection signal.
a Can be deenergized to stop transients.
d.
Fails to close Control circuit failure.
Same as 4c.
e.
Fails to close Mechanical failure.
Will lead to a low pressure reactor 4
trip and a safety injection signal.
i.
Compensated for by pressurizer heaters.
5.
Pressurizer Auxiliary Spray Valve a.
Fails to open Circuit failure.
Backed up by PORVs and ASME code i
safety valves.
i i
i I
j i
1
Table F.4-1 (Continued) l i
ZION 1 AND 2 RC PRESSURE BOUNDARY FAILURE MODE AND EFFECTS ANALYSIS (continusd) i Fai re Component Cause Significance e
i b.
Fails to open Mechanical failure.
Same as Sa.
c.
Opens inadvertently Control circuit failure.
Same as 4c.
d.
Fails to close Control circuit failure.
Same as 4c.
e.
Fails to close Mechanical failure.
Same as 4e.
j 6.
Loop Drain Valves (3 drains per j
loop-l manual m
valve per drain) a.
Fails open Mechanical failure.
LOCA (RCDT). Very unlikely failure cause. (Manual valves).
7.
Reactor Vessel a
Vent i
a.
Fails open Mechanical failure.
LOCA (RCDT). Very unlikely failure cause,4-series parallel valve arrangement (1/2" line).
1
.s I
4
Table F.4-1 (Continued)
ZION 1 AND 2 RC PRESSURE BOUNDARY FAILURE MODE AND EFFECTS ANALYSIS (continued)
Fai e
Component Cause Significance e
8.
Letdown and Excess Letdown Isolation l
Valves a.
Fails open Control circuit failure.
Minor. Backed up by FC air-operated valve and manual valves. Flow restricted by orifice.
b.
Fails open Mechanical failure.
Same as Sa.
9.
Boron Injection Check Valves (Cold Leg) a.
Leak by Mechanical failure.
All check valves are backed up by ;r normally open motor-operated valve (1/2" line) and a common check valve for all four lines.
i l
Table F.4-1 (Continued)
ZION 1 AND 2 RC PRESSURL BOUNDARY FAILURE MODE AND EFFECTS ANALYSIS (continued)
Fa re Component Cause Significance e
10.
Safety injection System Check Valves (4) (Cold Led a.
Leak by Mechanical failure.
Check valves are backed up by other check valves. Regult t testing between the check valves to insure no leak by has been established (8" line). (Safety injection pumps and RHR pumps.)
w I1.
Safety injection System Check Valves (2)
(Hot Leg) a.
Leak by Mechanical failure.
Check valves are backed up by other check valves and normally closed i
motor-operated valves.
12.
Charging System Supply Check Valves (2) a.
Leak by Mechanical failure.
Check valves are backed up by other check valves.
Table F.4-1 (Continued) l ZION ! AND 2 RC PRESSURE BOUNDARY FAILL'RE MODE AND EFFECTS ANALYSIS (continued)
Fai re Component Cause Significance g{ e i
13.
a.
Fails open Mechanical failure / operator Interlocked with RCS pressure.
error.
Backed up by another normally closed MOV (14").
14.
l a.
Leak /ruptu: e Mechanical failure.
LOCA.
i 15.
Loop Drains (CVCS)
I a.
Fails open Mechanical failure.
LOCA (RCDT). Normally open manual valve aormally closed solenoid valve (2" lines)- 1 per loop.
Normally closed manual valve i per loop (2"line). All loop drains to CVC.S backed up by manually-operated normally closed valves in loop drain header.
1 i
{
l
Table F.4-1 (Continued)
ZION 1 AND 2 RC PRESSURE BOUNDARY FAILURE MODE AND EFFEC'IS ANALYSIS (continued)
Fai re Component Cause Significance A$ e 16.
RHR Hot Leg Discharge Check Vaives (Normal)
(2) a.
Fail open Mechanical failure.
Backed up by second check valve (each line) and two series MOVs, one normally open (inside containment),
one normally closed (outside containment). Minor impact.
17.
Loop Isolation Valves (8) a.
Fails closed Circuit failure.
Loss of flow in associated loop, possible reactor trip.
b.
Fails closed Mechanical failure.
Same as 17a.
c.
Rupture / leak Mechanical failure.
LOCA.
18.
Loop Bypass Valves (4) a.
Leak / rupture Mechanical failure.
LOCA (8" line).
}
NRC Docket Nos. 50-295 50-304 APPENDIX A LICENSEE EVENT REPORT (LER) REVIEW FOP.
ZION UNITS 1 AND 2 i
l
{
l p
-~
1.0 INTRODUCTION
AND
SUMMARY
Licensee Event Reports (LERs) are submitted in accordance with the reporting requirements set forth in the Zion Station Technical Specifications.
In most cases, the events reported have little, if any, impact on plant safety.
However, the LER reporting requirement j
does provide an operational feedback mechanism by which design inadequacies, procedural and training inadequacies, and
)
man-machine / human factor inadequacies can be identified and corrected to improve both plant reliability and overall safety.
In accordance with Item F.1 of Appendix A of the February 29, 1980 Zion Confirmatory Order, a review of past LERs for Zion Station was conducted by Commonwealth Edison.
This review was conducted in three phases:
j A.
Phase 1 consisted of developing a criteria and methodology for scanning past LERs to identify those warranting further attention; B.
Phase 2 consisted of the scan'per Phase 1 criteria to identify those LERs warranting further attention and also consisted of a second review to categorize the identified LERs into groups convenient for engineering evaluation; and C.
Phase 3 consisted of an evaluation to determine if the 4
original corrective action was suf ficient or additional action or study is warranted.
In summary, during Phase 1 a criteria was developed to scan past l
LERs for those events which demonstrated or suggested the existence 1
of potential common mode failures; procedural, training, man-machine / human factor inadequacies; or system interactions.
If any of these criteria were satisfied, then further attention w&s warranted.
Phase 2 utilized this criteria to scan approximately 543 past 4
LER reports.
In addition, repetitive occurrences of the same event br related events were identified.
Of the 543 reports scanned, 159 j
were deemed to warrant further attention.
Since the appropriateness l
of the original corrective' action was not considered during this scan, many of the 159 selected LERs will probably require no
~
additional study or corrective action.
For convenience of engineering evaluation, the 159 LERs were reviewed again and categorized into 40 separate groups, each contaning related LERs.
Usually she LERs in a group suggest a common problem or common equipment classification.
This categorization was done so that specialized personnel could review specific groups.
During this categorization, no deficiencies requiring immediate action were identified.
i 4
.g p,,mm......w__
,-.y.mmy.x,-
.m_.___m,_.-,,n.,_.-.,
,,.r-___,_,
,,.,..__p
. This is not surprising since the Commonwealth Edison system for reviewing LERs is quite extensive, as will be described later in this report.
Phase 3 is currently underway.
The 40 groups have been identified and an initial evaluation of each group is being made.
The final evaluation will be done by personnel with expertise in each of the groups.
The results of these evaluations will be I
submitted for Commonwealth Edison On-Site and O f f-Site approval.
In addition to the review contained herein, Commonwealth Edison also submitted to the NRC Staff on June 16, 1978 a report entitled
" Commonwealth Edison Co. Zion Station Systems Interaction Study."
This study which also involved an LER review was performed in response to an ACRS concern regarding possible systems interaction.
2.0 COMMONWEALTH EDISON SYSTEM FOR LER REVIEW Commonwealth Edison Company extensively reviews all LERs for appropriate corrective action.
The detailed review is conducted primarily by a Station Technical Staff Engineer.
This review which contains a written description of the required corrective action is submitted for approval by the Station On Site Review Committee.
This group consists of experienced supervisors covering operational, maintenance and engineering areas.
Many of these supervisors have senior reactor operator licenses.
Once approved by On Site Review, the report is submitted for review offsite.
The primary purpose for the offsite review is to determine if the corrective action is appropriate or sufficient.
In many cases, the Of f Site Review Function will reject the proposed corrective action, requiring additional review or actions by the station.
Typical additional requirements have involved equipment modifications, additional training, or revisions to operating or maintenance procedures, etc.
This review process not only applies to LERs but also to all plant deviations whether or not they are reportable events.
Over the years, Commonwealth Edisn has found that this review process has been quite successful in reducing both the frequency and i
severity of unusual occurrences at all its nuclear stations.
l In addition to this review process, Commonwealtn Edison's l
Offsite Review Group also generates an annual internal report which summarizes LER experience at all of its nuclear stations.
Each LER i
in this report is characterized by proximate cause, basic cause, system, equipment, status of reactor at time of incident, and effect on plant.
Tabulations of the number of LERs in these classifications are provided to various departments to highlight those areas deserving more attention from operators, designers, etc.
. Finally, in January 1978, Commonwealth Edison initiated a PRO (Professionalism) Program at all of its generating stations.
The goal of this program is to create in personnel an awareness of the need to perform their work in a professional manner.
This program provides for a formal investigation of all personnel errors with incentives for postive (good) performance including recognition and rewards and with sanctions for poor performance.
The Corporate PRO Committee meets monthly, reviews incidents to detect trends and decides upon corrective action.
a 3.0 Goals of LER Re-Review Commonwealth Edison considers its current LER review program more than adequate to satisfy the NRC requirements of the Zion 4
J Confirmatory Order.
However, in response to the Order Commonwealth Edison inaugurated an independent review of past LERs for Zion Station.
This study was formulated to reexamine the past LERs while incorporating the following improvements over the original reviews:
A.
Removal of time constraint.
The original reviews and analyses did not have the benefit of the experience gained in the time since the event occurred.
Events which seemed isolated at the time, may have recurred later.
Although the current review process is adequate to detect explicit recurrence through scans of previous LERs (by equipment i
name, type of event, etc), this review will improve the identification of repetitive events by removing the constraint of time.
B.
Benefit of experience.
The original reviews and analyses did not have the benefit of subsequent experience accrued since the event occurred.
In addition, over the years since the initial operation of the Zion units, different individuals have performed past LER reviews.
In this review, a single highly experienced person with a senior reactor operator license reviewed and categorized the LERs.
C.
Scope of Review.
The original LER reviews did not explicitly emphasize the concepts of common mode failure, systems interaction or human factors engineering.
This review utilized a checklist to track those LER events which could be classified in one or more of these categories and, therefore, warranting additional consideration.
4.0 PHASE 1:
CRITERIA / METHODOLOGY FOR REVIEW Phase 1 consisted of selecting the criteria / methodology for performing the review.
In accordance with the Order, the past LERs
. at Zion Station were reviewed against the following general criteria to determine if additional considerations were necessary:
a)
Common mode failures; b)
Procedural, training, man-machine / human factors inadequacies; c)
System Interacticns; and d)
Repetitive failures.
With the exception of repetitive failures, each of the other general criteria were broken down into specific checklists that included both definitions and checkpoints for testing the potential applicability of a given LER.
The definition of repetitive failure is self evident.
Exhibits 1, 2, and 3 contain the checklists for the general criteria listed in a), b) and c) above.
Note that the definitions and checkpoints adopted were purposefully broad so as not to eliminate from consideration some possibly important LERs.
The individual checklists were then combined into a master checklist for use in the Phase 2 scan.
5.0 PHASE 2:
LER SCAN AND CATEGORIZATION Phase 2 consisted of scanning the 543 LERs for the years 1975 (when LER system was established) through 1979 against the criteria of Phase 1 to determine which past LERs require reexamination.
In executing this scan, the original corrective action was not considered or utilized as a basis for elimination an LER for further consideration.
Of the 543 LERs scanned, 159 fell into one or more of the definitions and checkpoints of Exhibits 1, 2,
and 3, thus requiring additional consideration.
Table 1 illustrates a breakdown of the selected LERS as reviewed against the Phase 1 criteria.
As can be seen from this table, some LERs fell into or met more than one criteria.
The 159 LERS were then examined again and categorized into 40 separate groups to faciliate an engineering evalulation of related LERs in each group.
Table 2 lists each LER group by number and includes a characterization of the type of concern (common mode failure, systems interaction, etc.) as well as the number of LERs related to that group.
6.0 PHASE 3:
EVALUATION OF SELECTED LERs Phase 3 of the study consists of an evaluation to determine if the original corrective action for LERs in a given group was sufficient or whether additional action or study is warranted.
This phase is currently underway.
Initial evaluations of each of the 40 groups are being made to provide guidance for the final evaluation.
. These initial evaluations contain the Group title, LER numbers, a brief discussion of the related LERs, and a suggested action plan.
Exhibits 4 and 5 contain examples of this initial evaulation for LER Group 2, Solenoid Valve Failure, and LER Group 3, Radiation Monitor Valving Errors.
These initial evaluations are being assigned to personnel with expertise in the subject groups for a final detailed evaluation and recommended disposition.
These recommendations will be submitted for Commonwealth Edison On Site and Off Site approval before final disposition.
7.0 Conclusions Commonwealth Edison conducted a review of past LERs at Zion Station in accordance with the Zion Confirmatory Order of February 29, 1980.
The past 543 LERs were initially scanned against a criteria based on the concerns delineated in the Order item.
Of the 543, 159 met the review criteria and thus, require additional consideration.
The 159 LERs were ther reexamined and categorized into 40 groups for convenience in performing engineering evaluations.
Each grouo was initially evaluated to determine if the past corrective actions were sufficient, and to recommend or suggest additional action.
During these reviews and categorizations, no additional design, procedural and training, or man-nachine/ human factor inadequacies which could lead to significant degradation of unit operating reliability or safety systems capabilities were identified.
However, as the detailed evaluation of each group of LERs continues, any deficiencies requiring immediate corrective action will be made when possible, with the required notifications to be made to the NRC.
l _.
Exhibit 1 Potential Common Mode Failure Checklist 1.1 De finition:
A common mode failure is when two or more items of equipment ere rendered inoperable by the same cause.
A common mode failure is far more significant when equipment items serve a redundant function.
1.2 Was this event a common mode failure?
1.3 Did this event illustrate a potential for common mode failure?
1.4 Did the failure result from an external influence which could have affected other equipment?
For example, weather, power failure, earthquake, fire, etc. (Human error is specifically excluded.)
1.5 If this failure was caused by human error, procedural or training inadequacy, or man-machine / human factor inadequacy, could the same error, repeated, result in a common mode failure?
For example, if an instrument failed to trip due to an error in the calibration procedure, a potential for the failure of identical redundant transmitters is possible.
1.6 If this failure was caused by a systems interaction, was a potential for common mode failure present?
For example, an instrument failure due to high temperatures resulting from a HVAC failure is a sytems interaction and could result in a common made failure.
Exhibit 2 Potential Procedural, Training, Man-Machine / Human Factor Inadequacies Checklist
2.1 Definition
These categories of inadequacies are commonly present when human error occurs.
A procedure does not necessarily have to be written.
2.2 Was the cause identified in the original review as an installation error, or violation of procedure, or a procedural deficiency?
2.3 In the opinion of the reviewer, would a procedure change, additional training, equipment labeling, equipment layout or other personnel related changes have prevented the failure?
2.4 If the answer to 2.2 or 2.3 is positive, review this LER foc common mode failure potential.
a 9
-,im,
,s--
w--
---r-vv v
-v--v' y
rw v"
--m----
7 ruw y
'C
--vr-TW 7-+
" e
"i
4 Exhibit 3 Potential System Interaction Checklist
3.1 Definition
System interaction is a phenomenon whereby equipment is rendered inoperable'or severly affected by an unanticipated interaction with other equipment.
Excluded from this definition are obvious interactions for which design provisions exist.
For example, a diesel generator fire resulting from a DC power failure is a systems interaction.
Diesel generator failure to start due to a DC power failure is not a systems interaction.
3.2 Can this LER be characterized as a systems interaction?
3.3 If the answer to 3.2 is positive, reexamine this LER for common mode failure potential.
i l
I L
i
. ~,..
Exhibit 4 LER Group No. 2:
Solenoid Valve Failures I.
Subject LERS (YEAR - UNIT # - LER# - DVR#)
75-1-3-35 75-2-11-63 76-1-61-192 75-1-4-36 75-2-28-162 77-1-4-6 75-1-5-37 76-1-44-164 77-1-29-65 75-1-32-237 76-1-45-165 77-1-42-107 75-1-10-62 76-1-46-166 77-1-43-108 77-1-103-199 78-1-17-21 78-1-124-230 77-1-104-200 78-1-32-58 78-2-39-73 77-2-30-76 78-1-59-117 78-2-45-90 77-2-36-89 78-1-86-160 78-2-51-105 77-2-39-94 78-1-94-170 79-1-11-22 79-1-20-32 79-1-63-113 II.
Discussion 32 LERs resulted from f ailure of ASCO brand solenoid valves.
These valves are used primarily to control air operated valves and dampers.
The f ailure cause in each case was a foreign material (believed to be oil) baking into the gap between the plunger and the plunger sleeve.
These LERs were selected because the failure rate is sufficiently high that a possibility exists of one or more of these valves failing when required.
Various cures for this problem have been attempted:
An additional non-lubricated air compressor was installed to reduce the oil in the Instrument Air System.
Heavier duty solenoid valves were installed in some locations.
Valve internals have been replaced.
It is believed that the corrective actions have been succesful because of the reduced number of failures in 1979.
The few failures remaining seem to be the result of the residual oil remaining in the instrument air piping.
III.
Suggested Action Prepare a report which evaluates the status ol' the problem and recommends further corrective action if necessary.
It is suggested that the report include:
1.
A table _which identifies each safety related solenoid in the plant, the valve model, the date of each failure, and the date and description of each corrective action, i.e. cleaning, replacement, model change.
_ ~ _
~
. _ _ ~ __ _
Exhibit 4 (Continued) 2.
A plot of failure per calender quarter versus date.
3.
If the failures are more frequent for certain valves, list 2
those valves and attempt to find a common reason which makes them more susceptible to failure.
4.
Survey other plants for
- 1) Brand and model of solenoid used;
- 2) Whether lubricated or non-lubricated air compressors are used; and
- 3) Failure experience.
i d
Exhibit 5 j
LER Group No. 3:
Radiation Monitor Valving Errors I.
Subject LERs (YEAR - UNIT # - LER# - DVR#):
75-1-8-61 2
77-1-53-109 78-1-100-190 78-1-129-220
.i II. Discussion I
These LERs describe 4 occassions where radiation monitors were improperly isolated.
A possible contributing cause to these failures is that the valve numbers are not identified on the Piping and Instrument Drawings.
Thus the equipment operator must determine the appropriate valves to operate by examining the piping in the field.
The LERs do not discuss why the low flow alarm did not alert the operators that a low flow condition existed.
These LERs were selected because they suggest a potential man-machine / human factor problem.
III. Suggested Action:
Recommended Corrective Action.
Evaluate the priority given for repairing malfunctioning low flow alarms.
Evaluate the need to place valve numbers in the P & ID's.
't I
Table 1 Number of LERs per Phase 1 Criteria Selected for Additional Review Criteria Number of LERs Common Mode Fa11 rues 42 Systems Interactions 9
Procedural, Training, Man-Machine /
72 Human Factor Inadequacies Repetitive Failures 59 Total 182
s i
m.
~
m m..
=
Table 2 LER Groups
- of Group DESCRIPTION LERs 1
Water Hammer Damage (System Interaction) 2 2
ASCO Solenoid Valve Failure (Common Mode Failure 34 Repetitive) 3 Rad Monitor Valving Errors (Man-Machine / Human 4
Factors) 4 RCS Pressure Control (Training, Man-Machine / Human 2
Factors) 5 Operator Error Due to Written Procedure Error 5
(Procedural) 6 H.U.T. Presssure Control (Systems Interaction) 1 7
Mechanical and Electrical Maintenance Personnel 1
Errors Due to Written Procedure Errors (Procedural) 8 Effects of Low Voltage on Plant Equipment (Systems 1
Interaction) 9 Miscellaneous Operator Errors (Procedural Training 14 Man-Machine / Human Factors) 10 Containment Radiation Monitors (Repetitive Failures) 18 11 Boric Acid Tank Boron Concentration Low (Repetitive 2
Failures) 12 Miscellaneous Containment Isolation Valve Failures 5
(Common Mode Failure, Repetitive Failures) 13 Missed Surveillance Tests (Repetitive, Procedural) 10 14 Containment Spray Valve Failures (Repetitive, Common 3
Mode Failure) 15 Pressurizer Level Instrument Calibrations (Common 2
Mode Failure, Repetitive Failures) 16 Failure to take Samples for Radioactive Materials 8
Monitoring (Repetitive, Procedural) 17 Instrument-Loop Switch Left in Wrong Position 2
Following Calibration (Repetitive, Common Mode Failure, Procedural, Training)
=
~
Group
- of DESCRIPTION LERs 18 Failure of all DELTA-T Overpressure and Over-1 Temperature Circuits Due to Single Error (Common Mode Failure, Procedural) 19 Cold Weather Protection of Safety Related Equipment 2
(Common Mode Failure) 20 Air Craft Fire Detection Circuit Design Error 1
(Common Mode Failure) 21 Overexposure of Personnel (Procedural) 1 22 Reactor Coolant System Dilution (Systems Interaction, 2
Repetitive Failures) l 23 Accumulator Level Transmitters (Repetitive Failures) 1 24 Auxiliary Contact; (Common Mode Failure, Repetitive 5
Failures) 25 Reactor Coolant System Flow Transmitters (Repetitive 3
Failures) 26 Valve 8106 Failures (Repetitive Failures) 1 27 Leakage of Radioactive Material Through Electrical 1
Circuits (Systems Interaction) 28 Miscellaneous Instrument Failures (Repetitive, Common 6
Mode Failure) 29 Hagen Summator Design Modification (Common Mode 2
Failure, Training) 30 Errors During Release of Lake Discharge Tank (Training, 1
Procedural) 31 Snubber Problems (Common Mode Failure) 4 32 Administrative Control of Instruments During 3
Calibration (Repetitive Failures) 33 Pressurizer Level Loss Due to Testing (Procedural, 1
Training, Common Mode Failure) 34 Miscellaneous Instrument Mechanic Errors (Procedural, 1
Training) 35 Control Board Labling and Arrangement (Man-Machine /
2 Human Factors)
n.
n.
n
- of
. Group DESCRIPTION LERs 36 Ef fects of Rapid Lake Water Change (Systems 1
Interaction) 37 Operator Dependence on Computer (Man-Machine /
1 Human Factors, Training) 38 Miscellaneous Radiation Protection Personnel 2
Errors (Training, Procedural) 39 Miscellaneous Mechanical and Electrical Maintenance 1
Errors (Procedural, Training) 40 Improper Diagnosis and Repair of Instruments 2
(Procedural, Training)
..