ML19337A434
| ML19337A434 | |
| Person / Time | |
|---|---|
| Site: | Crane |
| Issue date: | 09/15/1980 |
| From: | Toole R, Walsh P METROPOLITAN EDISON CO. |
| To: | |
| Shared Package | |
| ML19332B231 | List: |
| References | |
| ISSUANCES-SP, NUDOCS 8009260431 | |
LIC 9/15/80
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION

BEFORE THE ATOMIC SAFETY AND LICENSING BOARD

In the Matter of
METROPOLITAN EDISON COMPANY
(Three Mile Island Nuclear Station, Unit No. 1)
Docket No. 50-289 (Restart)

LICENSEE'S TESTIMONY OF PATRICK S. WALSH AND RONALD J. TOOLE IN RESPONSE TO UCS CONTENTION NO. 9 AND ECNP CONTENTION NO. 1(c)
(SAFETY SYSTEM STATUS PANEL)

OUTLINE
The purpose and objective of this testimony is to respond to UCS Contention No. 9 and ECNP Contention No. 1(c), each of which challenges the adequacy of the methods used for monitoring safety system or component status at TMI-1.
Further, the testimony discusses the impact of EFW valve closure on the outcome of the TMI-2 accident.
The testimony identifies the instrumentation and administrative controls utilized at TMI-1 to assure that safety systems are not disabled.

INTRODUCTION
This testimony, by Mr. Patrick S. Walsh, GPU Plant Analysis Manager, and Mr. Ronald J. Toole, Manager, TMI-1, GPU, is addressed to the following contentions:

UCS CONTENTION NO. 9
The accident at TMI-2 was substantially aggravated by the fact that the plant was operated with a safety system inoperable, to wit: two auxiliary feedwater system valves were closed which should have been open.
The principal reason why this condition existed was that TMI does not have an adequate system to inform the operator that a safety system has been deliberately disabled.
To adequately protect the health and safety of the public, a system meeting the Regulatory Position of Reg. Guide 1.47 or providing equivalent protection is required.

ECNP CONTENTION NO. 1(c)
The electronic signals sent to the control room in many cases record the wrong parameters and may, thereby, mislead the reactor operator.
For instance, in the case of the Electromatic Relief Valve ("ERV", the Metropolitan Edison designation is RC-RV2), the signal sent to the control room to indicate a closure of this valve indicates only the electrical energizing of the solenoid which closes the valve, not the actual physical valve closing itself.
This misleading signal aggravated the accident at TMI-2.
There is no reasonable assurance that this same problem, or comparable ones, cannot arise many times over at TMI-1.
It is the obligation of the Suspended Licensee to provide sufficient information on the performance capability of all pertinent components of the control system to reasonably ensure that electronic signals will record, accurately and in a timely manner, all necessary and correct parameters.

ECNP Contention 1(c) was limited by the Board to "signals sent to the control room" and further limited to core cooling systems and containment isolation systems.
(See First Special Prehearing Conference Order, dated December 18, 1979, at 38).

RESPONSE TO CONTENTIONS BY WITNESSES WALSH AND TOOLE:
The assumption which underlies these contentions is that the accident at TMI-2 was substantially aggravated in that the plant was operated with a safety system inoperable.
Before turning to the merits of the contentions that the indication of safety system status at TMI-1 is inadequate, it is important to note that the underlying assumption to UCS Contention 9 is invalid.
First, the Emergency Feedwater (EFW) System is not classified as a safety system.
Second, the closure of the EFW valves did not have a substantial effect on the eventual outcome of the TMI-2 accident.
Analyses (1) performed by GPU using the RETRAN code (2) indicate that even with the correct operation of EFW, the condition of the plant would have been identical 20 minutes following the start of the accident.
It should be noted that core damage did not occur until after reactor coolant pumps were turned off, 100 minutes following the start of the accident.
These analyses compared two alternate scenarios with the actual accident sequence.
In the actual event sequence the reactor tripped from high pressure at 8 seconds due to loss of feedwater.
The power operated relief valve failed to reclose at 15 seconds.
The steam generators boiled dry at approximately 1 minute and 45 seconds.
High Pressure Injection (HPI) was actuated at 2 minutes and 2 seconds and was throttled at 4 minutes and 38 seconds.
Emergency feedwater flow was initiated at 8 minutes and nominal steam generator conditions were achieved at approximately 20 minutes.
The two alternate scenarios that were analyzed are: (1) emergency feedwater available from the beginning of the event with other accident events unchanged; and (2) HPI properly maintained with no emergency feedwater.
The results of the analysis of the first scenario indicate that simulated plant conditions were identical to the actual event after about 20 minutes.
The results of the second scenario show that the core would have been adequately cooled by HPI even without emergency feedwater.
This second result is verified by the actual system response during the accident since Reactor Coolant System temperatures did not increase during the period when HPI started at approximately 2 minutes until it was throttled at about 4 1/2 minutes.
The lack of EFW flow was discovered by the operators using indications of system conditions that were available on the main control board.
The EFW system was realigned 8 minutes after the reactor trip and approximately 6 minutes after the first indications of steam generator dryout.
The operators reacted to the fact that steam generator level was not increasing despite open control valves, and thus discovered the closed EFW block valves by checking the pump and valve control indications on the main control board.
The steam generator conditions were returned to nominal design conditions 20 minutes after the reactor trip.
Thereafter, plant conditions were undistinguishable from conditions that would have existed if EFW had operated normally.
In addition, other analyses of the event (3,4,5) have concluded that the brief EFW isolation had no significant effect on the outcome of the accident.
Consequently, the assumptions underlying UCS Contention No. 9 are invalid.
The thrust of the UCS contention is that the principal reason the improper EFW valve position existed during the accident was that TMI-2 did not have an adequate system to inform the operator that safety systems have been disabled.
The contention is not valid for either TMI-1 or TMI-2.
At TMI-1, the Engineered Safety Features Actuation System (ESFAS) has indicating lights on the main control console indicating whether the HPI and LPI protective systems are fully enabled and indicating whether actuation bistables are reset or bypassed.
Annunciators will indicate a "not reset" condition, a "not bypassed" condition and an "ES actuation trouble" condition which further alerts the operator to an abnormal condition.
Annunciators will also indicate abnormal status of core flood tank isolation valves (a portion of the ECCS).
In addition to these indicators and annunciators, a dedicated control panel in the control room indicates the status of all individual components that are actuated by the ESFAS.
This panel's display lights are color coded so that any exceptions to an automatic actuation are indicated to the operator.
Besides these features, procedures have been instituted in the following areas since the TMI-2 accident to verify the operational readiness of Engineered Safeguards Features (ESF) Systems and EFW Systems.

1. ESF Checklist
This checklist verifies the readiness of ESF and EFW system components each eight-hour shift.
It verifies control room valve position and control switch positions for these systems.
The checklist is initiated by the off-going shift, and reviewed and signed by the on-coming Control Room Operators, Shift Foreman and Shift Supervisor.

2. Administrative Valve Controls
Critical valves in the ESF and EFW systems have been either locked or placed under routine surveillance.
This includes locking of manual overrides where applicable, and/or routine checking of manual override status as part of the Auxiliary Operator log sheet entries.
Locked valves are checked at defined intervals, established on the basis of their importance and frequency of use.

3. Log Sheets
Non-control room indicated main flow path ESF and EFW valves will be checked at defined frequencies (once a shift or daily) to assure correct position.
The determination of frequency is based on accessibility not only to the Operations Staff but to other personnel who may be working in the plant.

4. Verification Prior to Surveillance or After Maintenance
Proper ESF and EFW valve positions will be confirmed as an initial procedure step prior to initiating surveillance tests on any ESF or EFW train.
Upon completion of the surveillance activity, the valves or switches that were manipulated will be verified by procedure to have been returned to the correct position.
Prior to returning components to service after maintenance or special testing, the affected components and all other components manipulated during the maintenance will be verified to be in the correct post-maintenance position by two independent operators.

These individual administrative systems by their very nature provide various levels of backup to the primary control method.
This is illustrated on Figure 1 for valves.
Depending on the importance of the particular valve, one or more of the backup methods are applied to each valve.
These administrative controls inform the operator of system status not only periodically, but also each time a safety system would be unavailable during testing or maintenance.
These methods are considered effective since an operator will be required to acknowledge that a safety system is disabled when he begins his shift and at any time during the shift the equipment is disabled.
Because of the required deliberate administrative action necessary to manipulate ESF or EFW components, these controls are considered to be as effective as automatic annunciation of disabled systems.
It is implied from UCS Contention 9 that if a system meeting the requirements of Regulatory Guide 1.47 had been installed at TMI-2, then the EFW system would not have been disabled.
If applied, Regulatory Guide 1.47 requires a display system which would provide automatic indication and alarm of safety system availability at the system level.
Continuous automatic indication of disabled safety systems, however, provides no guarantee that the operator will recognize and maintain awareness of the abnormal configuration.
Because of this, administrative controls still have to be depended upon to require the operator to overtly note status on a status list or record system even if automatic annunciation is available.
This is recognized in Regulatory Guide 1.47, which itself states that:
"An acceptable way of aiding the operator's knowledge of plant status is to supplement administrative procedures with automatic indication of the bypass or inoperability of each redundant portion of a system that performs a function important to safety" (Emphasis added).
The Regulatory Guide also recognizes the limitations of the concept of automatic indicating systems:
It is recognized that automatic indication of inoperability or a bypassed condition is not feasible for all the possible means by which safety-related systems could be completely or partially rendered inoperative.
It also recognizes that:
Manual capability would [still] be useful in displaying those inoperable or bypassed conditions, whether deliberately induced or not, which are not automatically indicated.
The feasibility of automatic indication assumes certain conditions.
The Regulatory Guide states that:
Such a design is considered practical because: (1) appropriate emphasis on testability [of safety systems] early in the design process can reduce to a minimum the number of bypasses needed for frequent activities such as testing and (2) activities such as modification, repair, and maintenance either are conducted infrequently or can be restricted to times when plant conditions do not require the affected system to be available.
It is implied that this requirement is not practical except early in the design process of a plant under construction and thus would not be practical when applied in a backfit situation such as TMI-1.
Further, it presumes that there is an infrequent need to bypass safety systems.
Operational requirements for surveillance testing and preventative maintenance activities at TMI-1, however, require a significant number of brief periods of unavailability for safety systems or their supporting systems.
Consequently, providing an automatic, consolidated, system level indication of bypass is not practical because the assumptions which form the basis for the practicality of the requirement are not valid for TMI-1.
In summary, Contention 9 of UCS is incorrect in its allegation that the TMI-2 accident was substantially aggravated by the fact that two Emergency Feedwater System valves were closed at the beginning of the event.
Additional administrative controls have been instituted since the TMI-2 accident to verify the correct status of critical components after testing, at shift change and at predetermined intervals during operation.
The addition of an automatic system that meets the requirements of Regulatory Guide 1.47 would be an unnecessary addition of hardware that would not improve the protection of the health and safety of the public, since this system would also continue to rely on administrative controls to assure its effectiveness.
ECNP Contention 1(c) asserts that electronic signals sent to the control room may mislead the operator.
Licensee has performed a review of signals to the TMI-1 control room for the emergency feedwater system, emergency core cooling systems and containment isolation systems, and found no position indication that could mislead the operators by a demand indication rather than direct position indication such as the power operated relief valve in TMI-2.
Valve position indications for these systems were verified to originate from limit switches driven by the valve stem, and not from demand signals to the valve.
Other major components also have direct indication of operation.
The Emergency Feedwater System motor driven pumps have indications for motor breaker position, and pump discharge pressure, and will have feedwater flow instruments which are being installed, all of which will give a direct indication of pump performance.
Similarly, the steam driven emergency feedwater pump has indication of turbine speed and pump discharge pressure.
The high pressure injection pumps (makeup pumps) have motor breaker position indication, pump discharge pressure indication and flow indication.
Decay heat removal system pumps have motor breaker position indication, pump discharge pressure indication and flow indication.
All valves which are required to respond automatically to an ESFAS signal have special indicators on a dedicated control panel in the control room which are color coded to inform the operator that the valves are in the proper position after an ESFAS actuation.
This allows the operator to note any exceptions to an ESFAS actuation sequence within a short period of time.
Finally, modifications to the PORV to improve indications of its performance are described in Licensee's Testimony on Valves and Valve Testing in response to UCS Contentions 5 and 6.

REFERENCES
1. The Use of RETRAN to Evaluate Alternate Accident Scenarios at TMI-2, T. G. Broughton, N. G. Trikouros, Proceedings of the ANS/ENS Topical Meeting on Thermal Reactor Safety, April 6-9, 1980, p. 924.
2. EPRI CCM-5, RETRAN - A Program for One-Dimensional Transient Thermal Hydraulic Analysis of Complex Fluid Flow Systems.
3. Analysis of Three Mile Island - Unit 2 Accident, NSAC-1, July 1979, Nuclear Safety Analysis Center.
4. The Report of the President's Commission on the Accident at Three Mile Island, October 1979.
5. Three Mile Island - A Report to the Commissioners and the Public, January 1980, Nuclear Regulatory Commission Special Inquiry Group.

[Figure 1: table of valve position control methods and backup methods; the cell layout is not recoverable from the scan. Legible row labels: Major Outage, Preventive Maintenance, Corrective Maintenance, Surveillance Procedure, Operating Procedure, Operator Mistake. Legible entries include AP 1011, valve list, shift check lists and the ES check list.]

PATRICK S. WALSH
Business Address:
GPU Service Corporation, 100 Interpace Parkway, Parsippany, New Jersey 07054
Education:
B.S., Chemical Engineering, Illinois Institute of Technology, 1969.
M.S.E., Nuclear Engineering, Catholic University of America, 1978.
U.S. Navy Nuclear Training Program, 1969 to 1970.
Experience:
Plant Analysis Manager, GPU Service Corporation, 1979 to present.
Responsible for conducting evaluations of operating experience and technical performance of all GPU system nuclear generating stations.
Senior Engineer, Nuclear Analysis Section, GPU Service Corporation, 1978 to 1979.
Responsible for performing nuclear fuel thermal-hydraulic analyses and fuel performance analyses.
Senior Engineer, Nuclear Fuel Management Unit, Baltimore Gas and Electric Company, 1976 to 1978.
Responsibilities included the performance of fuel management analyses; evaluation of safety analyses required for license amendments; and, supervision of, and preparation of procedures for, core refueling, new and irradiated fuel inspection and spent fuel shipment.
Engineer, Startup Test Group, Baltimore Gas and Electric Company, 1974 to 1976.
Responsible for procedure preparation and supervision of hot functional, low power physics and power escalation testing of mechanical and instrumentation systems.
Officer, U.S. Navy, 1970 to 1974.
Held positions of Nuclear Submarine Engineering Department Division Officer and Nuclear Prototype Instructor and Training Officer.
Professional Affiliations:
Registered Professional Engineer, New Jersey.

RONALD TOOLE
Business Address:
Metropolitan Edison Company, Three Mile Island Nuclear Station, P.O. Box 480, Middletown, Pennsylvania
Education:
B.S., Electrical Engineering, Newark College of Engineering, 1966.
Experience:
Manager, Three Mile Island Unit 1, Metropolitan Edison Company, February 1980 to present.
Direct responsibility for operating the unit in a safe, reliable and efficient manner; is responsible for off site radioactive discharges and bears the responsibility for compliance with the operating licenses and the rules and regulations of the Commonwealth of Pennsylvania; supervises the Operations Group and Maintenance Group and the Radioactive Waste Processing and Shipment Group.
Responsibilities also include the authority to order the shutdown and cooldown of TMI-1 whenever the health and safety of the public is endangered or when in his judgment a shutdown is warranted; authority to issue procedures, orders, and other directives required in the execution of the assigned responsibilities; authority to assign and prioritize requirements to the Plant Engineering, Training and Administration and Services Groups; initiation and prioritization of corrective maintenance and preventive maintenance.
Unit Superintendent, Homer City Station, Pennsylvania Electric Company, 1979 to 1980.
Overall responsibility for engineering, maintenance and operation of two 650 mwe coal fired units.
Test Superintendent, Three Mile Island Unit 2, Metropolitan Edison Company, 1974 to 1978.
Full responsibility for the construction, pre-operational and power escalation testing for Unit 2.
Assistant Test Superintendent, Three Mile Island Unit 1, Metropolitan Edison Company, 1971 to 1974.
Responsible for scheduling the test program from energizing the auxiliary transformers through commercial operation; supervised Shift Test Engineers in performance of testing; acted as Shift Test Director during low power physics and power escalation programs.
Station Engineer, Oyster Creek, Jersey Central Power and Light, 1968 to 1970.
Held position of Shift Test Engineer; additionally, was responsible for training of operators (1970).
Licensed as CRO, September 1969; SRO, March 1980.
Distribution Engineer, Jersey Central Power and Light, 1967 to 1968.
Responsible for the design of overhead and underground residential power systems.
Construction Engineer, Pacific Gas and Electric Company, 1966 to 1967.
Supervised installation of electrical switchgear and power train for the Moss Landing Generating Station.
Professional Affiliations:
Babcock & Wilcox Station Management Committee.