ML19350B223
| ML19350B223 | |
| Person / Time | |
|---|---|
| Site: | Crane |
| Issue date: | 03/11/1981 |
| From: | Ross D Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML19350B218 | List: |
| References | |
| NUDOCS 8103200115 | |
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
BEFORE THE ATOMIC SAFETY AND LICENSING BOARD
In the Matter of THREE MILE ISLAND NUCLEAR GENERATING STATION UNIT NO. 1
NRC STAFF TESTIMONY OF DENWOOD F. ROSS JR. RELATIVE TO THE INTEGRATED CONTROL SYSTEM FAILURE MODES AND EFFECTS ANALYSIS
Q 1.
Please state your name and position with the NRC.
A.
My name is Denwood F. Ross Jr. I am an employee of the U. S. Nuclear Regulatory Commission. My present position is Director, Division of Systems Integration within the Office of Nuclear Reactor Regulation.
Q 2.
Have you prepared a statement of professional qualifications?
A.
Yes.
A copy of my statement of professional qualifications is attached to this testimony.
Q 3.
What is the purpose of your testimony?
A.
The purpose of this testimony is to clarify responses to questions raised by the Board and parties in this proceeding regarding the integrated control system (ICS). Specifically, why did the staff ask for a failure modes and effects analysis (FMEA) and did the results of the analysis satisfy its intended purpose?
Q 4.
Why did the staff ask for a FMEA on the ICS?
A.
Shortly after the accident at TMI-2, the staff began a study regarding the sensitivity of B&W-designed reactors to feedwater transients and the role that this sensitivity might play as a precursor or contributor to a TMI-2 type accident. The staff examined the sequence of events that accompanied typical B&W feedwater transients and the role that control and safety equipment played. This study was eventually published as NUREG-0560, "Staff Report on the Generic Assessment of Feedwater Transients in Pressurized Water Reactors Designed by the Babcock & Wilcox Company" (May 1979). Based upon preliminary results obtained from this evaluation, the staff prepared a document entitled "NRR Status Report on Feedwater Transients in B&W Plants," dated April 25, 1979. This document was prepared for and discussed with the Commission on April 25, 1979. The purpose of the discussion with the Commission was to present the staff's views regarding whether there was reasonable assurance of protection of the public health and safety in continued operation of the B&W plants pending improvements related to their response to feedwater transients. With respect to the role of the ICS in feedwater transients, the staff expressed five specific concerns:
1. Was the reliability of the ICS satisfactory?
2. The failure modes and effects of the ICS had not been systematically analyzed.
3. The ICS may initiate 10-15% of all feedwater transients.
4. The ICS controls the emergency feedwater system (EFW) in some plants and could thus contribute to a total loss of feedwater.
5. Even when the ICS works well, there may be, in response to a feedwater transient, wide swings in reactor pressure, pressurizer level, and average reactor coolant temperature.
Q 5. What was the mechanism used to resolve the staff's concerns identified above?
A.
As a result of the staff's concerns regarding the role of the ICS in initiating or exacerbating feedwater transients, B&W committed to perform a reliability analysis of the ICS. The formal submission of the scope and schedule for this reliability analysis was presented in a letter from J. H. Taylor (B&W) to H. R. Denton (NRC) dated April 28, 1979.
Subsequently, the requirement to perform an FMEA of the ICS was incorporated into the confirmatory Orders issued to B&W-reactor licensees in May 1979 and the TMI-1 restart Order of August 9, 1979.
Q 6. Was the reliability analysis committed to by B&W in its letter of April 28, 1979 performed?
A.
Yes.
The reliability analysis committed to by B&W was submitted to the NRC on August 17, 1979. The report is entitled "Integrated Control System Reliability Analysis" (BAW-1564). By letter dated October 26, 1979, Metropolitan Edison Company stated it had reviewed BAW-1564 and that it was applicable to TMI-1. As stated previously in this proceeding by D. F. Thatcher of the NRC staff, the detailed review of BAW-1564 was subcontracted to Oak Ridge National Laboratory (ORNL). The NRC staff coordinator for this effort was D. F. Thatcher and the cognizant branch chief was R. M. Satterfield, Chief of the Instrumentation and Control Systems Branch. These individuals reviewed a draft evaluation supplied by ORNL in December 1979.
In May 1980, the staff completed its assessment of the ORNL final report and BAW-1564. The results of this assessment are contained in a memorandum from R. Satterfield to P. Check, the Assistant Director for Plant Systems, dated May 9, 1980.
In part this memorandum states:
"We have concluded that the ICS itself has a relatively low failure rate and does not appear to initiate a significant number of plant upsets. However, there are aspects of the plant control system and related components (mostly outside the ICS) for which improvements should be investigated.
B&W has recommended actions aimed at improving system performance and we plan to review licensee followup on these recommendations."
As reported in the staff's TMI-1 Restart SER (NUREG-0680) at page Dl-1, the licensee has responded to some of the B&W recommendations contained in BAW-1564.
The staff is continuing to follow up on the adequacy of the licensee's actions regarding these recommendations.
Q 7. Did the analysis serve the purpose for which it was intended? That is, did the analysis resolve the staff concerns regarding the role of the ICS in initiating or exacerbating feedwater transients that the staff had in April 1979 when it required that a FMEA of the ICS be conducted?
A.
Yes. As discussed in response to question number 4 of this testimony there were initially five concerns expressed by the staff that led to the FMEA of the ICS being required. The reliability analysis submitted by B&W coupled with additional staff and licensee actions that have taken place subsequent to the issuance of the April 25, 1979 NRR Status Report on Feedwater Transients have significantly reduced the staff's concerns regarding the role of the ICS in feedwater transients. Specifically with regard to these concerns:
1. Was the reliability of the ICS satisfactory?
The staff has found no evidence that the ICS provides more frequent or more severe challenges to the plant protection system than other control systems of similar scope on other vendor-designed reactors. Examination of the operating history data presented in BAW-1564 shows that only a small number of ICS hardware malfunctions resulted in reactor trips (6 of 310 trips).
2. The failure modes and effects of the ICS had not been systematically analyzed.
BAW-1564 resolved this concern; however, as pointed out in the ORNL review of the FMEA, the functional block FMEA approach may have been selected as an economic expedient and may not have been the optimum technique for deriving the most useful information. ORNL suggested that if further pursuit of the failure consequences of the ICS was desired, a fault tree for loss of feedwater should be developed based on equipment diagrams rather than functional blocks.
This would allow assessment of the significance of multiple failures and some verification of the adequacy of the functional block diagrams. However, ORNL also pointed out that it was satisfied that failures within the ICS itself did not constitute a significant threat to plant safety and that further analysis of this type may not be economically justifiable. The staff concurred with this latter conclusion and elected not to pursue additional studies directly associated with the ICS. However, detailed fault trees to allow the assessment of the significance of multiple failures are being developed as part of the B&W Owners' Group ATOG ("Abnormal Transient Operations Guidelines") program. This effort is discussed in the TMI-1 Restart SER at page C8-49.
3. The ICS may initiate 10-15% of all feedwater transients.
As tabulated in BAW-1564, out of the 310 reactor trips evaluated, the number of reactor trips directly attributed to ICS internal failures was 6 (1.9%).
In addition, a total of 28 (9%) trips were caused by ICS control response (12 being feedwater oscillations, 12 being feedwater/power mismatch, and four from miscellaneous causes). An additional 22 (7.1%) trips were caused by ICS input failures, mainly power supply failures or malfunctions to or of the non-nuclear instrumentation (NNI) and 45 (14.5%) trips were initiated by the failure of equipment actuated by the ICS.
In summary, it can be seen that the ICS itself is not a major contributor to reactor trips.
However, it can be seen from the data summarized above, that proper ICS system tuning to minimize feedwater oscillations, careful evaluation and modifications (if required) to ICS/NNI power supplies and inputs are important to proper system operation. These factors were brought to light in BAW-1564 as recommendations by B&W.
The licensee has responded to these recommendations in Supplement 1, Part 3 of the TMI Restart Report.
The staff will take appropriate follow up action regarding this response.
4. The ICS controls the emergency feedwater system (EFW) in some plants and could thus contribute to a total loss of feedwater.
As discussed beginning on page C1-11 of the staff's TMI-1 Restart SER, the licensee has committed to provide automatic initiation of the EFW system that is completely independent of the ICS.
In addition, the licensee has also committed to provide separate manual EFW flow control to the steam generators independent of the ICS. This will allow manual control of EFW flow from the control room should a malfunction of the ICS occur.
These modifications will be in place prior to plant restart. In the long-term, the licensee has committed to install a safety-grade automatic steam generator level control system. This is the same interim and long-term solution to EFW/ICS separation that the staff authorized for the other B&W-designed operating reactors.
5. Even when the ICS works well, there may be, in response to a feedwater transient, wide swings in reactor pressure, pressurizer level, and average reactor coolant temperature.
The post-trip phenomena described above has occurred at operating B&W-designed plants and has often been termed "sensitivity".
The sensitivity issue relates to the close coupling between the primary and secondary systems through the once-through steam generator (OTSG), whereas small changes in either heat removal from the OTSG or feedwater flow to the OTSG can cause significant changes in primary system parameters. Some of the recommendations contained in BAW-1564 are aimed at minimizing this sensitivity.
Specifically, the recommendation dealing with ICS/balance-of-plant tuning particularly with regard to the feedwater and condensate systems and the recommendations dealing with preventing or mitigating the consequences of a stuck-open main feedwater startup valve and a stuck-open turbine bypass valve are aimed at reducing possible steam flow/feed flow mismatches that result in significant swings in reactor coolant system parameters.
In summary, the staff expressed concerns regarding the response of B&W-designed reactors to feedwater transients during the April/May 1979 timeframe.
Since the staff had not performed a detailed review of the ICS, it was unsure of the role that the ICS might play in initiating and/or exacerbating feedwater transients; therefore the staff required that a FMEA of the system be performed.
B&W performed the reliability analysis (including the FMEA) it had outlined to the staff in its April 28, 1979 letter. The six recommendations made by B&W in BAW-1564 have been concurred in by ORNL and the NRC staff and have been transmitted to the licensee for action.
During the 20 months that have transpired since B&W completed its reliability analysis of the ICS, the staff has not identified any additional concerns regarding the role of the ICS in feedwater transients. The staff is satisfied that the reliability analysis of the ICS performed by B&W served the purpose for which it was intended.
Q 8. Why is startup of the TMI-1 facility permissible prior to completion of all modifications related to the recommendations contained in BAW-1564?
A.
As pointed out in BAW-1564, power supply failure or malfunction to or of the NNI/ICS is the only event found in the analysis that could potentially cause a loss of main and emergency feedwater. This situation has been rectified to the satisfaction of the staff as discussed in response to question 7 above. The remainder of the recommendations deal mainly with improvements in control system reliability. While the staff will follow up on these recommendations to assure adequate licensee action is taken, the staff has not identified any additional ICS malfunctions that cannot be adequately mitigated by plant safety systems.
PROFESSIONAL QUALIFICATIONS
DENWOOD F. ROSS, JR.
MARCH 1980
I am presently employed with the U. S. Nuclear Regulatory Commission, within the Office of Nuclear Reactor Regulation, as the Director of the Division of Systems Integration.
My work address is 7900 Norfolk Avenue, Bethesda, Md.
The functional assignments of the Division of Systems Integration include six systems areas (Reactor Systems, Instrument and Control Systems, Auxiliary Systems, Effluent Treatment Systems, Power Systems, and Containment Systems) as well as Accident Evaluation, Radiological Assessment, Core Performance, and Systems Interaction.
Work assignments prior to this present position include:
Acting Director, Division of Project Management
Director, Bulletins and Orders Task Force (a post-TMI-2 group)
Deputy Director, Division of Project Management
Previously I served as Assistant Director for Reactor Safety (from 1/76 to 10/75).
This included supervising the activities of the Analysis Branch, the Core Performance Branch, and the Reactor Systems Branch which, together, formed the Reactor Safety group in DSS.
The work assignments performed by Reactor Safety included evaluation of emergency core cooling system response, as well as reactor core and primary coolant system response to transient and other accident conditions.
Prior to that assignment I served as Branch Chief of the Core Performance Branch for about 2-1/2 years.
Other job assignments since coming to USNRC (then AEC) in August 1957 include project manager assignments (or hajer ces- -t-io t:r 10) for several projects, including Three Mile Island (Units 1 & 2); Crystal River Unit 3; Oconee 1, 2, and 3; and Quad Cities 1 & 2.
In addition, I served on a special task force reviewing ECCS performance, including extended service at the ECCS rule-making hearing.
Prior to joining NRC I worked at the General Dynamics nuclear research facility at Ft. Worth, Texas for 10 years, including 4 years as operations supervisor for three research and test reactors.
I also worked for 1-1/2 years at the MTF ETR operations at the NRTS, Idaho.
I have degrees in Civil Engineering (BS, 1953); Mathematics (MS, 1953); and Nuclear Engineering (MS 1950, and D. Engr., 1974).