ML20032B093
| Person / Time | |
|---|---|
| Site: | Crane |
| Issue date: | 12/15/1980 |
| From: | Keaten R, Long R, Tsaggaris A GENERAL PUBLIC UTILITIES CORP. |
| To: | |
| Shared Package | |
| ML20032B092 | List: |
| References | |
| NUDOCS 8111040412 | |
DOCKETED USNRC
'81 IDf -2 PS:10 W
OFFICE OF SECRETARY
DOCKETING & SERVICE BRANCH
GPU ACCIDENT REVIEW TASK FORCE FINAL SUMMARY REPORT
R. W. KEATEN
R. L. LONG
A. TSAGGARIS
T. L. VAN WIDECK
December 15, 1980
8111040412 011102 PDR ADOCK 05000 P
TABLE OF CONTENTS
I. Introduction
II. Summary of Findings
A. Factors Related to the Trip of the Main Feedwater Pumps
B. Rationale for the Control Room and Staff Personnel Response
C. Emergency Plan Implementation
D. Pressurizer Relief Valve Failure Mode
E. Pathways by Which Radioactive Fluids Were Transported
F. Factors Leading to the Incorrect Status of EF-V12A and EF-V12B
G. Adequacy of Assessment of the Extent of Damage to the Core
III. Conclusions
IV. Recommendations
V. References
Table 1 - Key Elements of TMI-2 Accident of March 28, 1979 To Be Investigated by the GPU Task Force
Table 2 - Investigation Participants
Table 3 - Stuck Open PORVs in PWRs
Figure 1 - Principal Pathways for Release of Gaseous Radioactivity
I. INTRODUCTION
On March 29, 1979, the day after the TMI-2 accident, H. Dieckamp established a task force to review the events associated with the accident. Members of this task force proceeded to the site, but immediately became involved in supporting the plant operation. As a result, only limited investigative results were obtained.
On July 2, 1979, R. C. Arnold, Vice President-Generation, GPU Service Corporation established a new task force to complete the investigation of key issues related to the accident. The specific issues considered by the Task Force are shown in Table 1.
The charter of the task force was to perform the necessary investigations and make a report to GPU management, with recommendations.
In support of this charter the task force established the following guidelines:
The task force will restrict its investigation to the key elements of the TMI-2 accident listed in Table 1.
The investigation will address agencies other than the utility only in so far as they have a direct bearing on the accident.
The task force will be objective in its examination of the accident. No attempt will be made to justify events, actions or circumstances; nor will an attempt be made to place blame for the accident.
The task force will make no attempt to address any liability for non-performance of contractual obligations.
The task force will not restrict the evaluation of its findings to the standards which existed at the time of the accident. The task force approach rather will be to examine the findings in light of the new understanding which has been gained as a result of the accident.
The task force will draw conclusions based upon the examination of the accident and the related events preceding and following the accident.
Constructive recommendations will be developed by the task force. The intent of the recommendations will be to identify and provide guidance in those areas where improvement will result in improved performance and safety.
In carrying out this investigation the task force pursued several types of activities:
1. Detailed discussions were held with selected members of the plant staff covering (a) the events of March 28 and the following days and (b) previous plant and system policies and procedures which may have contributed to the accident.
2. Plant documents, including selected operating procedures, emergency procedures, and startup and test procedures, were reviewed for accuracy, thoroughness and clarity.
3. Examinations were made of selected plant systems and components to determine their overall condition and conformance to design. In addition tests were performed to determine the system and component response to certain conditions.
4. Testimony before other investigative bodies was reviewed in detail, as were the findings of those bodies, where available.
5. Selected analytical tasks were performed to support the investigations.
The task force received substantial assistance from many individuals. Some of the major participants are listed in Table 2.
This final report summarizes the results of the investigation. Details of the investigation are given in the references, which include a detailed sequence of events and narrative description of the accident. The summary of the findings in Section II is structured around the seven key elements listed in Table 1. Section III gives the conclusions drawn by the task force, and Section IV presents recommendations.
TABLE 1
KEY ELEMENTS OF TMI-2 ACCIDENT OF MARCH 28, 1979 TO BE INVESTIGATED BY THE GPU TASK FORCE
1. The factors related to the trip of the main feedwater pumps including system design features, equipment malfunctions, operating procedures and practices, awareness by operators, supervision and management of system problems prior to March 28 and significant actions by the auxiliary operators prior to and subsequent to the loss of feed conditions.
2. The rationale for the control room and staff personnel response to the plant upset conditions during the first few hours, including information availability, procedural considerations and exercise of authority by supervision. In particular, evaluate the circumstances that caused the operators to modulate high pressure injection when reactor coolant system pressure was abnormally low.
3. The Emergency Plan implementation, including timeliness of declaration of site and general emergencies, notifications, identification of off-site releases, and communication of plant status to appropriate management and public officials.
4. The pressurizer electromatic relief valve failure mode, including failure data from other installations and consideration of full scale testing of a prototypical valve.
5. The pathways by which radioactive fluids were transported from the Reactor Building to the Auxiliary Building, the chronology of transfer and the quantities associated with the transfers.
6. The factors leading to the incorrect status of EF-V12A and EF-V12B at the time of the accident, including the reasons the surveillance procedures were written so as to simultaneously isolate both trains of emergency feedwater, the practices that apparently permitted the completion of the procedure without insuring attainment of proper valve lineup, and the reasons the improper positions of the valves could apparently exist undiscovered for at least two days.
7. The adequacy of assessment by plant supervision and company management of the extent of the damage to the core, and the potential for off-site releases, including timeliness and flow of information and technical accuracy.
TABLE 2
INVESTIGATION PARTICIPANTS
GENERAL PARTICIPANTS:
T. G. Broughton, GPUSC
L. Kittelson, Met-Ed
E. G. Wallace, GPUSC
P. S. Walsh, GPUSC
R. L. Williams, GPUSC
CONTRIBUTORS TO SPECIFIC TOPICS:
Initiating Event:
G. Lehmann, GPUSC
K. Lucien, EI
W. Marshall, Met-Ed
Pressurizer Relief Valve:
Q. Billingsley, GPUSC
W. Bogert, GPUSC
Correa, GPUSC
Radiation Release Pathways:
B. Center, EI
J. Flaherty, EI
L. Kripps, EI
J. Paradiso, GPUSC
Emergency Feedwater Valves:
J. Miller, Consultant
J. J. Wagner, Penelec
Sneak Circuit Analysis:
J. Gulat*, GPUSC
J. Lawton, Met-Ed
J. Tana, Ebasco
Emergency Feedline Discoloration:
R. Greenwood, Gilbert
PLANT STAFF DISCUSSION PARTICIPANTS:
J. J. Blessing, CRO
R. R. Booher, CRO
K. P. Bryan, Shift Supervisor
C. C. Faust, CRO
R. Floyd, Unit II Oper. Sup.
E. F. Frederick, CRO
K. R. Hoyt, Shift Foreman
G. Kunder, Unit II Tech. Supt.
J. Logan, Unit II Supt.
B. Mehler, Shift Supervisor
G. Miller, Station Manager
F. J. Scheimann, Shift Foreman
B. G. Smith, Shift Supervisor
W. H. Zewe, Shift Supervisor
General Assistance in Arranging Interviews:
R. Harbin, Met-Ed
II. SUMMARY OF FINDINGS
A. FACTORS RELATED TO THE TRIP OF THE MAIN FEEDWATER PUMPS
The investigation of the feedwater pump trip was directed both towards identifying the specific cause of the trip and performing a more general evaluation of the secondary side of the plant in terms of the adequacy of design, construction, installation, checkout, operating and maintenance practices. In the course of the investigation a number of relevant features were identified.
1. Cause of the Trip
The immediate cause for the trip of the feedwater pumps was a trip of the A and B condensate booster pumps. The loss of these booster pumps resulted in a trip of the main feedwater pumps. The condensate booster pumps tripped on low suction pressure, due to closure of the condensate polisher discharge valves. The auxiliary "A" operator who was in the area at the time reported that immediately after the trip he went to the polishers to make the usual post-trip alignment and found that all of the discharge valves were closed. This condition was also observed later by the shift supervisor.
Water in the instrument air system is believed to have caused the sudden closure of the condensate polisher discharge valves. An incident which occurred on July 5, 1979, demonstrated that water will cause the valves to close (Ref. 2). As the Number 8 polisher was being put into service the outlet valve oscillated and finally slammed shut. When the air supply line to the Number 8 polisher valve was opened, approximately 1/2 to 1 cup of water was obtained. After the water was removed, the polisher was again placed in service and functioned satisfactorily.
The source of the water which initiated the March 28 trip, however, is still uncertain. Two hypotheses were: (1) the water was introduced into the Instrument Air System during attempts to unblock a plugged resin transfer line between the Number 7 Condensate Polishing Demineralizer and the Resin Receiving Tank; and (2) a leak existed in the resin regeneration system which permitted water to be transferred to the Instrument Air System at the Polishing Demineralizers.
The second hypothesis was rejected after a chemical analysis of water found in the Condensate Polisher Demineralizer outlet valve actuators did not indicate the presence of regeneration chemicals. In addition, a daily check of the systems during a two week period of normal use including regeneration indicated no water had been added to the Instrument Air System.
Several formal tests were performed in an attempt to validate the first hypothesis. Water was injected into the instrument air supply at the condensate polisher control panels under various test conditions. The test results showed that all of the condensate polisher discharge valves went shut only when an inlet stream consisting entirely of water was introduced into the water trap. This caused the water trap dump valve to open and remain open until the water was passed. As a result, a loss of pressure downstream of the water trap was experienced. In one test, the dump valve was jammed open by a foreign material, tentatively identified as desiccant from the Instrument Air System air dryers.
An additional result of the tests which casts some doubt on the first hypothesis is that the pneumatically controlled stylus on the system chart recorders spewed water onto the charts. This condition was not found after the accident. In addition, other systems which are normally supplied by the Instrument Air System and are located upstream of the Condensate Polishing System did not operate in an abnormal manner during the accident as would be expected if the water had been transferred through the Instrument Air System to the Condensate Polishing demineralizer outlet valves.
Nevertheless, the state of knowledge of the system and the test results lend credence to the hypothesis that the water was introduced into the Instrument Air System while attempting to unplug a resin blockage by the use of demineralized water and fluffing air.
2. System Design Features
Investigations started prior to the TMI-2 accident have indicated that the condensate and feedwater systems operated very close to design limits when the plant was operating near full power. The systems have very limited capability to accommodate upsets or transients, in part apparently due to the lack of detailed transient analysis performed as part of the system design process. In addition, some component control systems were not normally operated in the "Auto" mode due to bad experiences with component trips in this mode. As a result of these and other problems, the spare condensate and spare booster pumps would not start automatically to maintain the plant on-line in the event of an operating pump failure.
A design feature highly relevant to the accident was the inability of the system to accommodate loss of instrument air without inadvertent valve closure. The original design provided sensors which act to lock the valves in their current (open) position upon loss of either instrument air or control power. However, physical inspection revealed that this design protection had been negated both by disconnection of wires between the sensors and the associated solenoids, and by solenoids placed in the "manual operate" position (Ref. 1). Attempts to discover when and why these changes were made were unsuccessful because they were apparently not documented.
The polisher bypass valve (CO-V12) was designed to be opened from the control room. The valve motor operator overload heaters, however, were not adequately sized for the torque required to open the valve with a high differential pressure across the valve. The valve thus had to be operated manually on March 28. Although verification of the valve operation in the presence of a differential pressure was part of the original test plan, it was deferred to hot functional testing and placed on the "incomplete work list." This item was noted by Met-Ed to be a "significant item at time of turnover." During the later hot functional testing, however, this test was apparently not performed (Ref. 1).
Another error found during the investigation was in the wiring arrangement of the condensate pump control circuit. When the auto/manual mode selector switch was in manual, this circuit caused the "A" condensate pump to trip when the "A" condensate booster pump tripped. This wiring error was in the 4160 Volt switchgear. The wiring error was identified in November 1972 and a field change was initiated. For reasons unknown, however, the alterations were not completed for the A condensate and condensate booster pump train. The test program philosophy to accept without verification the internal wiring of components furnished as packaged units permitted this wiring error to escape detection during the preoperational testing of the circuits.
Still another problem was the impact of turbine bypass flow on condenser level. The design resulted in direct impingement of the bypass steam onto the condenser level transducer, causing it to indicate an artificially low level. This caused full makeup flow and high condenser level, with the potential for flooding the condenser and loss of vacuum. Work was in progress prior to March 28 to solve this problem.
A final example of a poor design feature is the configuration of the resin transfer line from the condensate polishers to the regeneration tank. This is a 2-1/2-inch diameter pipe with eleven 90° elbows. The combination of resin transfer about once every two days and the tortuous transfer path made resin blockage a not infrequent occurrence.
3. Equipment Malfunctions
The basic malfunction which ultimately resulted in the unit trip was the inadvertent closure of the condensate polisher discharge valves. In addition to initiating the sequence of events, the closure of these valves also made it impossible to reject condensate from the hotwell. This condition directly contributed to the high hotwell level problem which caused the shift supervisor to go to the condenser area, as discussed in Section II-B.
A water hammer in the condensate system piping, of undetermined origin, resulted in two cases of equipment malfunction. The suction pipe for condensate booster pump A was observed to move by an auxiliary operator and resulted in the severance of an instrument air line to the condensate reject inhibit valve (CO-V57). This severance caused the valve to fail closed, which had no immediate effect on system operation since the condensate flow path was already blocked by the closed polisher valve. CO-V57 was later opened manually to provide a flow path for the condensate to the storage tanks. The water hammer also caused a leak in the flange joint in the booster pump A suction piping downstream of the pump isolation valve (CO-V27A), which contributed to the confusion in the condensate area. The valve was shut approximately 15 minutes later to stop the leak.
4. Operating Procedures and Practices
Investigations (Ref. 3) reveal that operation of the secondary plant was in general carried out in accordance with approved operating procedures. The procedure for transfer of resins for regeneration, given in OP-2136-2.2, was used to govern that operation as it was performed immediately prior to the trip on March 28th. The attention to that procedure is clearly indicated by the nine revisions that have been made to date. The procedure did not, however, include instructions for clearing a resin plug if one developed, even though such plugs occurred frequently. Such operations should be performed in accordance with written instructions containing at least guidelines and precautions.
The control room operators' awareness of actions being taken by auxiliary operators in the plant was also explored. The control room operators interviewed stated that they were kept informed of activities outside the control room which could influence the plant performance. This viewpoint was also expressed by the shift supervisors and shift foremen interviewed. The investigation was limited to these interviews, but the consistent responses indicate that the operators were satisfied with the level of communication.
5. Awareness of System Problems
The plant staff members interviewed (Ref. 3) have generally reported they were aware of the various problems in the secondary side of the plant. It is not clear that the awareness was uniform at all levels of the organization. In addition, although the maintenance staff was attempting to correct problems, it is not clear that adequate resources were dedicated to this purpose. For example, operators found water in the instrument air system many times, and had to blow out the system in order to get it to function correctly. There is, however, no evidence that a systematic attempt was made to isolate and eliminate the source of the water in the lines.
During interviews with the operators, the task force was informed that suggestions for improvements usually vanished into the system with no feedback. Even in cases where suggestions were adopted, the suggestor was not always informed of the decision and when action might be expected. This problem may have been compounded by the fact that the operators apparently preferred informal rather than formal submittals of suggestions.
B. RATIONALE FOR THE CONTROL ROOM AND STAFF PERSONNEL RESPONSE
The accident sequence of events including operator actions is given in Ref. 4. In summary, the power-operated relief valve on the Pressurizer opened and then stuck open, creating a small-break loss of coolant accident (LOCA). This eventually led to major core damage because no one in the control room recognized that the plant was experiencing a LOCA.
The task force investigation has concentrated on identifying and understanding the factors which led to this lack of perception and the subsequent errors. The investigation results clearly show that a variety of different factors rather than one single factor led to these results. The important factors are discussed in the following sections, with a view towards identifying underlying causes and developing corrective recommendations.
1. Effect of the Leak Location
A loss of coolant accident (LOCA) is one of the basic events analyzed to demonstrate that adequate reactor core cooling can be maintained under adverse conditions. The analyses cover a spectrum of break sizes and locations, to demonstrate that all are within the design capability of the plant safety systems. The results of these safety analyses also provide the data base for plant operation, operator training, and emergency procedures.
Although different leak locations were considered in the safety analyses, the objective was to identify the locations providing the most severe test for the engineered safety features. No emphasis was placed on determining whether any particular leak location might present special problems to the operators in recognizing or responding to the leak. The data base for operator training and emergency procedures thus was inadequate to prepare the operators to respond to the LOCA which occurred on March 28.
A leak from most locations in the reactor coolant system will result in two symptoms: 1) decreasing reactor coolant system pressure, and 2) decreasing water level in the pressurizer. Both the training programs and the emergency procedures for TMI-2 were based on the assumption that both these symptoms would be present if a LOCA occurred.
The TMI accident, however, was a leak from the pressurizer vapor space which resulted in a reduction of reactor coolant system pressure but an increase in the water level in the pressurizer. Because of the data base deficiency, neither the training programs nor the emergency procedures provided the operators any guidance in recognizing or responding to this type of leak. Furthermore, as discussed below, the operators did not have information on a previous similar occurrence at another facility. The operators, therefore, interpreted the rising pressurizer water level as an indication that the system water inventory was increasing rather than decreasing, and did not take the actions necessary to maintain adequate inventory.
2. Operating and Emergency Procedures
A review (Ref. 5) of procedures relevant to the actions taken in the early hours of the accident revealed a significant weakness in the LOCA procedure (2202-1.3). This procedure is used to govern operators' responses to a loss of reactor coolant system pressure and loss of pressurizer level. The procedure, however, does not cover the spectrum of possible leaks, but gives guidance for only two extreme cases:
(1) A small leak in which primary pressure and pressurizer level decrease and then quickly stabilize without automatic HPI initiation.
(2) A major rupture, in which pressure and pressurizer level continue to decrease and other symptoms appear such as decrease in core flood tank level and pressure.
There is no guidance for how the operators should respond to a small-break LOCA in which pressure drops to the saturation pressure and stabilizes. As discussed above, there is also no guidance for a LOCA from the pressurizer vapor space, in which pressure decreases but pressurizer level increases.
The operators referred to this procedure (2202-1.3) early on March 28, and a better procedure with more specific guidance for LOCAs falling between the two extremes might have been very helpful. Even more crucial, however, was the use of this procedure as a training document. As discussed below, operator refresher training in emergency procedures was accomplished by periodic review of the procedures. Each time an operator went through this training process, he was encouraged to believe that if a LOCA occurred, reactor pressure would drop to a very low level and pressurizer level would also drop.
During the limited procedure review which has been performed, other deficiencies have been found. The actions required to place the plant in natural circulation were found in three separate procedures. The precautions associated with the transfer to natural circulation, however, were not the same in the three procedures, even though there is no reason why they should be different. In particular, the procedure referred to on March 28 (Station Blackout 2202-2.1) did not include the caution found in other procedures against attempting natural circulation with less than 35°F subcooling in the reactor coolant system.
Finally, the general content of the procedures could be improved. The intent of some procedures was not clear and should be explicitly stated. The requirements for transfer between procedures were poorly covered. There was no cross-reference system showing under what conditions a new procedure should be referred to and used.
3. Operator Training
Inadequate operator training was clearly one of the most important factors which contributed to the accident. The training program included classroom work, hands-on simulator training, and in-plant reviews and drills. The program covered both normal operations and casualty response. This training was inadequate, however, to enable the operators to handle the situation they faced on the morning of March 28.
The fundamental concept of the training program was to focus on single, separable situations. Training in casualty response required that the operator recognize the symptoms associated with predefined single casualty events, and relate these symptoms to a specific emergency procedure which would govern the response. There was no consideration of multiple failures with a potential for conflicting or distracting symptoms. The events on March 28 resulted in a unique set of symptoms which did not correspond to any single set in the training program. In addition, as discussed above, the training programs had emphasized the type of LOCA which results in loss of both reactor coolant system pressure and pressurizer level, with pressure dropping to a few hundred psi. In fact, the symptoms from the accident were that reactor coolant system pressure dropped only to the saturation pressure (about 1400 psi initially) and pressurizer level rose rather than continuing to fall.
Other aspects of the training also contributed to the problem. The B&W reactor operating philosophy is never to take the plant solid except for hydrostatic test. Although there are advantages to this approach, it resulted in lack of experience in taking the plant solid. Training included no discussion of conditions under which solid operation might be desirable or necessary. In fact, taking the plant solid would have been a violation of the technical specifications as well as several operating procedures. The situation was compounded by the incapability of the B&W simulator to simulate solid plant operations and in fact, the simulator computer program became unstable when the pressurizer went solid. The net effect was certainly to condition the operators against solid plant operation.
The training program also placed little emphasis on the transition to natural circulation. So far as the task force has found, there was no simulator training in natural circulation, and the only mention of it was in review of emergency procedures. There appears to have been no experience in operating the plant in this mode.
Finally, the operators had not been trained in how to respond to a situation which fell outside the specific casualties they had studied. In particular, there was no training which stressed the importance of focusing on preselected key plant parameters in such a case in order to determine the basic condition of the plant.
Given this lack of training, the absence of the symptoms the operator had been trained to recognize as indicating a LOCA, and the perception by the operators that the reactor coolant system water inventory was increasing coupled with a conscious or subconscious orientation against solid plant operation, the failure to maintain full HPI flow is understandable.
A more basic issue is that training was geared primarily to insure the operators would attain and maintain an operating license. This was based on the assumption that the licensing process reflected the knowledge required for safe operation. The basic training documents were the plant procedures, with much less emphasis on technical information such as contained in the FSAR. Classroom training in emergency procedures, for example, consisted of the instructor reading the procedure to the class and elaborating on the areas he believed important. On-the-job review likewise consisted of the operator reading an assigned set of procedures and taking a classroom examination on them. This was consistent with the emphasis on the licensing process, since examiners focused on procedural compliance and verbatim knowledge of immediate action statements. In retrospect, this approach did not ensure a thorough understanding of basic plant response under a wide variety of conditions.
The general review of the training program revealed other weaknesses. The staff in the training department had shrunk in recent years. Attendance at training classes had dropped below 50%, which triggered memos from the training department to the operations department. It also required the training department to prepare large numbers of makeup lesson packages. This resulted in the instructors spending significant amounts of time on paperwork and less time on lesson preparation. Certain aspects of training which had been utilized previously, such as progressive formal certification of auxiliary operators, had been dropped. Further investigation is needed to address the required training resources, the need to expand the program to cover more of the plant and support staffs, and special training needs for other members of the organization. This investigation was deemed to fall outside the scope of the Task Force activities, and is being pursued by others (e.g. Ref. 6).
4. Knowledge of Relevant Previous Events
The nuclear industry has placed inadequate emphasis on insuring that information from significant safety occurrences at a particular nuclear station is understood and widely disseminated to improve the operation at all nuclear stations. The prior event most relevant to the TMI transient was a similar transient which occurred at Davis-Besse, in which a stuck open PORV resulted in similar symptoms to those observed at TMI and went unrecognized by the operator as indication of a small break LOCA for over 20 minutes. According to published testimony (Ref. 7) the technical staff of the NSSS vendor reviewed this transient and recognized its significance, but this information was not disseminated to other users. Had this information been effectively communicated to the TMI operators both through an updated training program and a revised small-break LOCA procedure, the TMI-2 accident might have been avoided.
There is evidence that previous events even at TMI were not used effectively to upgrade the training and procedures. The March 1978 transient, for example, in which the PORV first stuck open, received inadequate attention. Although an indicating light was installed in the control room to permit recognition of the particular type of failure which had occurred, the task force found no evidence of a more general review of PORV failure modes and means of detection. No attention was given to use of the temperature monitors as a means of detecting an open valve, since the monitors were not installed for this purpose. Had this transient been more fully analyzed, the need for improved means for identifying a stuck open PORV might have been recognized.
5. Safety Analysis Philosophy
An underlying reason for the operator's lack of knowledge of how to respond to the TMI small-break LOCA lies in the philosophy used in defining the design basis accidents for the plant and performing the associated safety analyses.
The approach, as set forth by NRC regulatory practice, has been to attempt to identify bounding accidents, and then to perform very conservative and bounding analyses of the possible consequences.
The results of these analyses are not reflective of actual plant response but rather of bounding responses used for licensing purposes.
A direct consequence of this approach is that little attention was given to predicting the actual plant response to real events.
Training programs and operating procedures, therefore, did not have the data base needed to provide the operator with guidance on the anticipated plant response. A further difficulty is that accidents which are theoretically smaller than the bounding accidents, but which because of their special nature present a unique set of symptoms to the reactor operators, were not recognized as a special problem.
This was critical to the TMI accident.
Even though some analysis was made of a leak from the pressurizer, there is no evidence of any emphasis on the peculiar perception problems such a leak would present to the operators.
Still a further difficulty in the general approach to safety analysis has been concentration on the initial plant response, with no quantitative analysis of the potential problems that might arise later in the transient. This deficiency was also reflected in the simulator training programs, which were limited to the immediate responses to casualty conditions.
6. Previous Experience
TMI-2 had undergone several previous transients in which high pressure injection (HPI) had occurred.
The operators were, in fact, convinced that HPI might occur on any reactor trip. The basic reason for this relatively frequent occurrence of HPI was the small size of the pressurizer, which resulted in initiation of HPI for reactor trips if off-normal conditions were present. The procedural requirements to manually secure letdown and start an additional makeup pump following reactor trip are a reflection of the small pressurizer size; these actions were correctly performed on March 28.
Because of these previous experiences, coupled with information in training programs and procedures, HPI following a reactor trip was not necessarily regarded as an indicator of a loss-of-coolant accident. Furthermore, in the previous occurrences of HPI, the proper action had been to throttle the HPI flow to control pressurizer level.
Thus when HPI occurred on March 28, and was followed by the pressurizer level stabilizing and then increasing, operators repeated their previous actions. While the previous experiences probably would not in themselves have blocked the recognition of a LOCA, they certainly contributed significantly to the operator response to HPI.
Operators may in fact have become "desensitized" to abnormal conditions, due to previous experiences combined with some plant design features and conditions which existed just prior to the event. At TMI-2, leaking pressurizer safety valves produced elevated discharge pipe temperatures before the event. Reactor building sump pump operation had become routine due to leakage.
Some radiation alarms were expected after a reactor trip. Following a loss of feedwater, steam generator levels normally decreased below the 23 inch alarm setpoint and remained there for several minutes.
Such conditions make it more difficult to recognize valid deviations from expected performance. For example, alarms which are "expected" may not receive the proper level of attention. Such an alarm is no longer a valid indication of abnormal conditions.
To determine if the condition is actually abnormal, the operator must consider the length of time the alarm condition exists, how much the parameter exceeds the alarm setpoint and other conditions which could be affecting the alarming parameter.
It may not be possible to apply this judgment to many alarms simultaneously.
7. Use of Procedures
Some deficiencies were found in the use of procedures (Ref. 5). Specific examples are lack of attention to the low reactor coolant system pressure, the actions associated with operating the reactor coolant pumps under abnormal system conditions, and the attempt to transfer to natural circulation.
The LOCA procedure (2202-1.3) which was referred to by the operators states that "continued operation" depends upon the capability to maintain the reactor coolant system pressure above the HPI setpoint (1640 psig). While this procedure did not specifically mention the conditions which existed during the TMI accident, the operators should have recognized that the continued inability to restore reactor coolant system pressure to the normal value was an indication that additional remedial action was necessary. They instead concentrated on trying to control pressurizer level, as required by other procedures and the technical specification.
The Nuclear Plant Limits and Precautions procedure (2101-1.1) defines a specific operating envelope for the reactor coolant pumps in terms of reactor coolant system temperature and pressure. The actual reactor coolant system conditions moved outside this allowable envelope very early in the accident and remained there for over an hour prior to the time the pumps were actually turned off.
This is not to suggest that the pumps should have been turned off earlier.
An early recognition, however, that the pumps were exposed to conditions outside their normal operating envelope might have facilitated a correct diagnosis of the reactor coolant system conditions.
Procedure 2101-1.1 also gives a limiting curve for the use of natural circulation. More specific prerequisites are given in 2102-2.3 "Decay Heat Removal via OTSG" and 2202-2.5 "Station Blackout with Loss of Diesel Generators." One prerequisite is that the system be 35°F subcooled prior to attempting natural circulation.
The operators attempted to transfer to natural circulation without meeting the requirement for subcooling and did not recognize that the hot leg was at saturation condition.
They felt that they had to use natural circulation to avoid destroying the pump seals and thus causing a LOCA. As discussed above, the operators referred to a different procedure which did not include the requirement for subcooling, but which did reference the curve in 2101-1.1.
8. Man-Machine Interfaces
Several aspects of the man-machine interface in the TMI-2 control room contributed to the lack of recognition of the LOCA.
The most clear was the lack of positive position indication on the pilot-operated relief valve (PORV) and/or flow measurement in the PORV line.
As originally designed the PORV had no position indication.
This situation was changed, however, after the March 29, 1978, incident in which the PORV stuck open due to a faulty control signal.
Because of this event a light was installed in the control room to indicate the state of the control demand signal to the PORV.
In the case of the March 28 accident, however, the control signal correctly indicated that the valve should be closed.
Temperature indicators downstream of the PORV could be used to provide indication of continuing flow in the line, and the operators did in fact attempt to use them for this purpose.
The temperature readings, however, were not permanently displayed to the console operator, and had to be called up through the computer, which was not particularly conveniently located as discussed below.
When the shift supervisor instructed an operator to call up and read the temperature, the information was apparently (Ref. 3) miscommunicated back to the shift supervisor as 232°F rather than the actual reading of 285°F.
In addition to this confusion over the actual reading, no firm guidance had been given to the operators as to what temperature readings to expect if the valve did stick open.
The shift supervisor believed that the March 1978 incident resulted in a downstream temperature of about 320°F.
The net result was that the temperature readings were interpreted as being caused by the earlier leakage followed by the momentary opening of the PORV.
Another problem was the location and type of instrumentation on the reactor coolant drain tank (RCDT) which accepts fluid released by the PORV. The indication of this instrumentation is on a back panel which is not visible from the control console.
It furthermore consists of only meters rather than recorders.
RCDT pressure was recorded by the reactimeter and thus was available subsequently for post-transient analysis. About 40 minutes into the transient, the operators checked the readings on the drain tank as a test of whether there was a continuing leak through the PORV. At about 15 minutes into the transient, however, the rupture disc on the drain tank had burst, reducing both temperature and pressure.
Since there was no recorder, the operators simply saw normal pressure in the tank.
In addition to these specific deficiencies, the general presentation of information in the control room, particularly alarms, does not facilitate diagnosis of an abnormal plant condition which affects many systems. Following reactor trip it was normal for the operators to be presented with over 100 alarms occurring in a relatively short span of time. Many of these alarms were irrelevant following reactor trip, and only made it more difficult to sort out the important information. The system did not assign any priority to the various alarms, and there was little or no segregation of alarms by function to facilitate effective scanning.
The operator had only one acknowledge button to cover the entire set of alarms in the control room.
It was therefore common practice not to acknowledge alarms when they were occurring rapidly, so that flashing indications would continue.
The net result of this design was to force the operators to respond to plant transients in an environment of constant alarm buzzing, many flashing lights, and little help in sorting it all out.
The plant computer, which in principle could be of great assistance in this type of complicated situation, was not designed for this purpose. It was small and performed only limited data logging and display functions.
The Cathode Ray Tube (CRT) display unit was small, located outside the normal range of vision of the control panel operator, and required an operator to move within a few feet of the display to read it.
The typewriter printers used for alarm and utility printouts were very slow and incapable of keeping up with the mass of information normally generated following reactor trip. The alarm printer ran up to 1-1/2 hours late on March 28th.
Furthermore, there was no prioritization or selection of alarms.
It is reported (Ref. 3) that approximately 90% of the alarms following a reactor trip originated in the heater drain system and were irrelevant for the current plant conditions. The net result was that the operators had come to expect no assistance from the computer during transients and used it only during steady-state plant operation.
9. Secondary Side of Plant
The conditions existing in the secondary side (see Ref. 4) appear to have contributed to the lack of recognition of the LOCA by diverting the attention of the shift supervisor and at least one control room operator away from the reactor coolant system. The closed emergency feedwater valves, problems in the condensate system, and the water hammer effects all contributed.
The erroneously closed emergency feedwater block valves (EF-V12's) exerted a significant influence on the plant behavior for the first few minutes.
Following the initial transient, the primary system average temperature began to rise because no heat sink was present.
As reactor coolant system pressure decreased and reached the saturation pressure in the system it became controlled by the RCS hot leg temperature (rather than by the pressurizer) and therefore also started to increase. Since pressurizer level was rising and RCS pressure had (apparently) stabilized, the operators felt that modulation of HPI was appropriate. After the emergency feedwater block valves were opened, RCS temperature decreased, and pressure dropped down along the saturation curve. Both temperature and pressure finally leveled out at the values they would have reached sooner had the EFW valves been open initially.
It appears likely (Ref. 3), however, that the operators ascribed the unusual RCS behavior to the initial feedwater starvation followed by overfeed.
Thus, a certain bias against consideration of a LOCA may have been established by the initial system behavior.
The condensate system also contributed significantly to the confusion (Refs. 3, 8). The high hotwell level which resulted from closure of the condensate polisher discharge valves caused the shift supervisor to leave the control room at about 0415 and go to the condensate system area of the turbine building basement in an attempt to prevent loss of condenser vacuum. He made this decision based on his personal knowledge of earlier similar problems, and the availability of another shift supervisor to remain in the control room. The subsequent inability to open the polisher bypass valve with the motor operator and the lack of a hand wheel for manual operation prolonged his absence from the control room until about 0500. The air line rupture and water leak which resulted from the water hammer probably also contributed. It is impossible to gauge the real effect of the shift supervisor's 45 minute absence from the control room, but his presence in the control room might have been helpful.
Another contributor was the water hammer noise on the Loose Parts Monitor for the "A" steam generator.
This noise caught the attention of the control room operator controlling the feed system and caused him to throttle the EF-V11 valves to reduce the thermal shock to the steam generators.
This may have further contributed to a focus on the secondary side of the plant as the source of problems.
C. EMERGENCY PLAN IMPLEMENTATION
Review of the emergency plan implementation concentrated on five issues:
1. Timeliness of the emergency declaration.
2. Adequacy of information flow to state agencies.
3. Special conditions associated with the events of March 30.
4. Identification of off-site radioactivity releases.
5. Overall adequacy of the emergency plan.
The findings (Ref. 9) in these areas are summarized in the following sections:
1. Timeliness of Emergency Declaration
Radiation emergencies were classified into three levels by the emergency plan: local emergency, site emergency and general emergency.
The emergency plan requires that a local emergency be declared whenever two radiation monitors in the same building reach alarm levels. On March 28, although two "process" radiation monitors in the same building reached alarm levels, a local emergency was never declared because previous plant practice indicated that this criterion referred only to "area" monitors.
The timeliness of the site emergency declaration is subject to controversy. Most criteria for a site emergency involve radiation levels, and when radiation monitors indicated that these criteria were satisfied, the shift supervisor did in fact declare a site emergency. One criterion for a site emergency, however, is not related to radiation levels.
This criterion requires that a site emergency be declared whenever there is "loss of reactor coolant system pressure coincident with a high reactor building pressure and/or high reactor building sump level." This is generally referred to by the senior operators as the "LOCA criteria." The criterion does not specify exactly what constitutes loss of reactor coolant system pressure or high building pressure.
On the morning of March 28, the shift supervisor did evaluate plant conditions against the criterion but, as discussed in a previous section, he did not recognize that a small-break LOCA was occurring and, therefore, did not declare a site emergency at that time. The only clear conclusion is that the criterion as written was far too vague, and more specific criteria are required. Whether in fact the shift supervisor should have responded to this criterion by declaring a site emergency much earlier in the accident depends on the interpretation of the criterion.
The criteria for declaration of a general emergency include the requirement that it be declared when the dome monitor in the reactor containment building reaches 8 R/hr. When this occurred at approximately 0724, a general emergency was declared by the Emergency Director (station superintendent).
2. Information Flow
A review of various Pennsylvania Emergency Management Agency (PEMA) log books and discussions with representatives of relevant agencies, along with the testimony of state Bureau of Radiation Protection (BRP) personnel, indicate that once the emergencies were declared, prompt notification of all individuals required by the emergency plan was accomplished (Ref. 9). The site emergency was declared at 0655 and by 0715 all the notifications had been completed.
Similarly the general emergency was declared at 0724 and by 0740 the notifications were complete. By 0815 on-site assembly and accountability was completed with all personnel accounted for.
After emergencies are declared the emergency plan specifies that a line of communication be maintained with the Pennsylvania BRP.
The log books maintained by this agency and the testimony of agency officials indicate that the information flow regarding radiation releases was generally satisfactory for the needs of this agency.
The Unit 1 control room was established as the area from which radiological dose projections and monitoring on- and off-site were directed. Open telephone lines were maintained with both the NRC and BRP. The communications appear to have continued throughout the period when there were measurable releases of radioactivity.
Up-to-date information on plant status was not communicated as fully as desirable to the senior utility management and the NRC.
It should be noted, however, that NRC personnel were in both control rooms by about 1000 hours, and they maintained continuous communication with their regional office.
3. Events of March 30
At 0710 on Friday, March 30 Unit 2 began an approximate two hour venting of the makeup tank to the vent header.
This process was required to relieve the pressure buildup in the makeup tank in order to reseat the relief valve on the makeup pump suction. The vented gases normally flow to the vent header and are then transferred by compression into waste gas decay tanks. Manual venting of the makeup tank for short intervals had been initiated on March 29 and was periodically repeated throughout March 30.
Releases to the environment occurred during each venting process due to leakage in the vent header system (see Section II E).
When venting started on Friday morning, radiation monitoring teams surveyed levels in the down-wind direction and a helicopter monitored the airspace over Unit 2.
The staff in the Unit 1 control room promptly reported the releases to the BRP, and continued to keep them informed regarding the current activity levels being released and the anticipated duration of the release. During the morning, however, some of the operating crew in the Unit 2 control room were unaware that this line of communication existed. To make sure that state agencies were aware of the events in progress, a supervisor in the Unit 2 control room notified the PEMA that a release was in progress.
There was apparently some confusion in the communication and PEMA personnel interpreted one statement as indicating that an evacuation of surrounding personnel might become necessary.
The situation was further complicated by an NRC misunderstanding.
The readings taken March 30 at 0800 by the helicopter monitoring the plume directly above Unit 2 were approximately 1200 mR/hr.
Since this coincidentally corresponded to an NRC prediction of the expected ground level doses in the event of a waste gas tank rupture, officials in the NRC Bethesda office apparently interpreted the measured values as ground level readings. An NRC official then called the PEMA and recommended a local evacuation out to 10 miles.
Eventually the confusion was untangled, but a precautionary evacuation of pregnant women and small children was agreed upon by Pennsylvania and NRC officials (see Ref. 7).
4. Identification of Off-Site Releases
Radiation monitoring teams were dispatched and began reporting on- and off-site doses as of 0746 on March 28.
Initial radiation survey results on site in the downwind direction and off-site on the east shore of the river indicated radiation levels less than 1 mR/hr beta gamma.
The initial wind direction was toward the west shore. Realizing that it would take a monitoring team a significant amount of time to drive to the west shore, the Emergency Director requested the State Police helicopter. The helicopter arrived on site at 0835 and picked up a monitoring team. The helicopter team reported radiation levels of less than 1 mR/hr beta gamma in Goldsboro at 0842. The TMI Emergency Director concurrently dispatched a monitoring team by vehicle to the west shore.
As field monitoring readings were received in the Unit 1 control room, they were transmitted to the BRP over the established phone line. This method of information flow to the state began at 0725 on March 28 and continued for the next several weeks. During the first several weeks following the accident at least four teams were used for monitoring, one team on the west shore, one on the east shore, one on site and one in the helicopter.
Once it was realized that a leak existed in the vent header system, it became standard procedure to position the monitoring teams in the down wind direction and place the helicopter over the vent stack during a makeup tank venting evolution.
5. Emergency Plan Adequacy
The emergency plan as written was effectively implemented.
In retrospect, however, it is clear that the emergency plan which existed at the time of the accident underestimated the organizational and communication difficulties which would arise. The plan, training, and drills were designed to cope with rapidly developing scenarios which could be handled by an augmented on-site emergency organization and a simplified communications network between the licensee and state agencies. This type of scenario was not the one experienced at TMI.
The protracted series of events which actually occurred revealed inadequacies in the organizational support, in the communication system and in the predefined information flow network required for accident management. The TMI experience showed that a large off-site support organization is needed to assist the in-plant organization and this organization grew out of necessity. The TMI-2 scenario permitted many organizations, both inside and outside GPU, to become involved in accident management and information release to the media and public. The events which occurred the morning of March 30 vividly point out the communication deficiencies in the plan.
There were two problem areas with communication equipment.
Although adequate for initial notification, the phone capability in each control room was inadequate to cope with the subsequent communication load. The walkie-talkies used by the off-site monitoring teams did not possess sufficient signal strength to provide reliable communication capability at the longer distances traversed by the teams.
Until additional phone lines were added, communications with off-site support personnel were very restricted.
There was no predefined communication mechanism to provide adequate management awareness, utilize B&W, GPU and NRC technical support, and provide for unified releases of information to the media from a single source.
Off-site monitoring teams encountered two other problems.
First, the DC/AC inverter units used to power the air samplers were used so heavily that a significant number of them burned out.
Secondly, the SAM-2 analyzers were unable to accurately determine iodine concentrations because the air sample charcoal cartridges became saturated with xenon. Analyzing iodine concentrations in a significant xenon cloud may in the future require sending the samples to an offsite counting lab.
D. PRESSURIZER RELIEF VALVE FAILURE MODE
The TMI-II power-operated relief valve (PORV), also called a pilot-operated relief valve, is an electromatic relief valve manufactured by Dresser Industries.
This same valve is used on all but one of the B&W series 177 nuclear plants, and is also used on at least one Combustion Engineering plant (Palisades).
The most complete list of instances in which a power operated relief valve failed open is contained in a supporting staff report to reference S.
The 17 known instances in which the valve failed open are summarized in Table 3.
The failures at Beznau and Davis Besse occurred on valves supplied by other manufacturers.
Of the 8 failures of Dresser valves with known causes, 3 were electrical failures, 4 were mechanical failures, and 1 (Rancho Seco) was a leaking valve rather than a real failure.
It is significant that 5 of the 8 failures occurred prior to commercial operation of the plant (Ref. 10).
A review of the observed failure modes does not provide any clear indication of why the valve failed to close at TMI-2 (Ref. 11). Most of the problems are not of a generic nature but rather have random causes.
The one generic failure mode, associated with the Oconee-3 and Crystal River events, was binding of parts which prevented closure of the pilot valve.
Dresser subsequently initiated a design modification to prevent future failures of this type.
The PORVs on both TMI Units were modified in 1977 per Dresser and B&W instructions.
The history of the TMI-2 PORV also does not reveal the cause of failure (Ref. 11). The Unit 2 valve was originally installed in 1974 on Unit 1 as replacement for Unit 1 valve while it underwent modifications. The valve was returned to Unit 2 in September 1975. Minor modifications were subsequently made to the valve in 1977 and 1978 but none of these are suspected to have led to its failure in 1979.
An earlier investigation (Ref. 12) concluded that the PORV had been leaking prior to the accident.
This conclusion was based on the elevated tail pipe temperatures downstream of the PORV. A more thorough investigation (Ref. 3), however, has shown that one of the code safeties had been leaking, and a repair request had been generated by the plant operating staff to repair it.
Since the PORV and safety valves discharge to a common header, the leaking safety valve was the cause of the elevated tail pipe temperatures.
In summary the cause for the PORV failure in the open position cannot be determined from information currently available.
The failure mode may be determined once the valve can be inspected.
TABLE 3 - STUCK OPEN PORVs in PWRs

| REACTOR | DATE | ASSIGNED CAUSE |
|---|---|---|
| Palisades ** | 9/71 | Loss of power |
| Oconee-2 ** | 8/73 | Wiring error |
| Oconee-2 ** | 11/73 | Pilot leakage |
| Beznau | 8/74 | Fractured housing |
| ANO-1 †** | 8/74 | Pilot vent line |
| Oconee-3 †** | 6/75 | Corroding leakage |
| Crystal River ** | 11/75 | Stuck solenoid |
| Davis-Besse † | 9/77 | Missing relay |
| Davis-Besse | 10/77 | Pilot stem clearance |
| TMI-2 †** | 3/78 | Loss of power |
| Rancho Seco †** | 6/78 | Leakage |
| TMI-2 ** | 3/79 | Unknown |

** - Dresser supplied PORV
† - Reported in NUREG-0560
Note: The Rancho Seco event of 6/78 was included in the open PORV listing of NUREG-0560, but was apparently of leakage variety.
E. PATHWAYS BY WHICH RADIOACTIVE FLUIDS WERE TRANSPORTED
The principal releases of radioactivity resulting from the TMI-2 accident were gaseous releases which occurred on March 28, 29 and 30.
Several investigations have been carried out to determine the pathways by which these releases occurred.7 1} s l13 GPU has sponsored an independent evaluation of the pathways (Ref. 16) and this is believed to be the most thorough and definitive of the investigations.
It is now believed that the principal pathway for releases of gaseous activity (see Figure 1) was via leaks in the radwaste gas system into the auxiliary building and out the stack. On March 28 the radioactive gas was transported to the radwaste system from vents on the reactor coolant drain tank and bleed tanks. The drain tank received the discharge from the PORV. The bleed tanks contained large amounts of radioactive gases probably due to lifting of relief valves in the letdown and makeup system. On March 29 and 30 the radioactive gas in the radwaste gas system resulted from deliberate venting of the makeup tank which was required to support safe operation of the plant.
These release paths as well as others which were smaller contributors to the total releases are discussed in the following sections.
1. Gaseous Releases from the Radwaste Gas System (Ref. 14)
Helium leak tests performed after the accident identified seven leaks in the RWGS. Six of these were on the discharge from the waste gas compressors: five flange leaks and one valve body to bonnet leak.
The other leak was on a pipe common to the inlet of both compressors, on the outlet flange from a liquid drainer.
The existence of leaks in the system is supported by observations prior to the accident that the waste gas decay tanks would lose a couple of psi over the several day period after pressurization. Since the tanks were kept constantly at a pressure of greater than 80 psig for the day following the accident, leakage was likely.
It is believed that radioactive gases released through these leaks and thence through the station vent to the environment constituted a principal source of offsite doses.
There were several known releases from the radwaste gas system (RWGS) associated with the construction and testing of a discharge bypass line from the waste gas decay tanks to the reactor building on March 30 and April 1.
These releases combined with those associated with venting the makeup tank (discussed below) are believed to have accounted for essentially all of the releases on March 29 and 30.
[Figure 1: Principal Pathways for Release of Gaseous Radioactivity]
2. Reactor Coolant Bleed Holdup Tanks
The reactor coolant bleed holdup tanks are known (from shift logs) to have received increases in inventory on the 28th.
In addition, extremely high levels of radiation (1000 R/Hr) existed in the area of the tanks after the accident.
The bleed tanks are normally vented to the vent gas system, which utilizes two parallel compressors to transfer waste gas to the waste gas decay tanks. Since leaks were subsequently found in this system, this appears to be a part of the major release pathway on March 28.
In addition, the releases from the makeup and purification system (discussed below) probably caused a significant pressure buildup in the bleed tanks. Two relief valves on each tank (setpoint 20 psig) discharge directly to the station vent via the waste gas system relief header, bypassing the waste gas filters.
Pressure relief may thus have contributed to the releases.
3. Reactor Coolant Drain Tank Vents
The reactor coolant drain tank (RCDT) vent also discharges to the RWGS vent header.
This vent line is normally open and discharges to the RWGS via the reactor building vent header.
Therefore, it is probable that during periods of high pressure, prior to the rupture disc bursting, water was discharged to the RWGS. Considering the pressures involved it is possible that the pressure relief valve on the reactor building vent header lifted, discharging water to the reactor building sump. Following the bursting of the rupture disc, opening of the PORV block valve caused sufficient pressure buildup in the RCDT to transport high activity vapor to the radwaste gas vent header.
This was a viable pathway for release of radiation on March 28 until 0756 when the containment was isolated.
4. Relief Paths from the Makeup & Purification System
Pressures greater than normal were experienced in parts of the letdown portion of the Makeup-Purification system on March 28.
This resulted from flow restrictions caused by physical blockage of the purification filters and demineralizers by "crud" or boron precipitated from the reactor coolant system, and/or the accumulation of reactor coolant system gas in the makeup tank.
The increased pressure almost certainly resulted in the lifting of one or more of the relief valves in the letdown system. This is confirmed by observed makeup tank level and letdown flow oscillations, which indicate relief valves opening and closing.
The letdown and makeup system contains various relief valves.
Of these, MU-R3 is considered likely to have been a pressure relief path.
It is set at 130 psig and is upstream of the demineralizer filters (MU-F5A & B).
Blockage by solid matter filtered from the reactor coolant system would cause flow restrictions and higher than normal pressures in the section of the letdown line where MU-R3 is located. As a result, reactor coolant (with higher than normal activity levels following the loss of cladding integrity) would be transported to the reactor coolant (RC) bleed holdup tanks and vented to the waste gas system.
Relief valve MU-R1 is located downstream of the makeup tank.
Offgassing in the makeup tank probably caused a pressure buildup sufficient to lift MU-R1 (set point 80 psig) which also discharges to the RC bleed holdup tanks.
The lifting of relief valves MU-R5A & B is unlikely by either of the above mentioned mechanisms.
Pressure drops across both the filters and demineralizers would prevent MU-R5A & B (located downstream of the demineralizers) from seeing high pressures. The higher setpoint of 150 psig for MU-R5A & B also supports the conclusion that it was MU-R3 which provided the primary relief path.
High pressure in the makeup tank would be relieved by MU-R1, and check valves MU-V133 and MU-V107A & B (all located downstream of MU-R5A & B) would prevent backflow through the letdown line and out MU-R5A & B.
Starting 0435 on March 29th the makeup tank was periodically vented to the radwaste gas system vent header by opening MU-V13. Examination of strip chart recorders shows a strong, repetitive correlation between this venting and the increase in radiation levels on several area gamma monitors in the auxiliary building and fuel handling building.
It has been concluded by all investigations that releases associated with venting the makeup tank represent a large fraction of the total releases on March 29 and 30.
There is no evidence of similar venting activities on March 28th.
5. Steam Generator Leak
Based on the behavior of steam generator "B", the operators suspected on March 28 that a primary to secondary leak had occurred, and this was confirmed by subsequent water samples.
Steam generator "B", after being isolated at 0527, was reactivated at 0645.
Strip chart recorders (HP-UR-3236-CE 7) indicate a gaseous release from the condenser vacuum pump exhaust beginning at approximately 0700 with a rapid increase in activity. The discharge of the vacuum pumps bypasses the Auxiliary Building filters and is routed directly to the station vent. Steam generator "B" was reisolated at 0704, and remained isolated.
The count rate on the exhaust monitor peaked at 0715, then decreased and stabilized by about 0830.
Attempts to quantify the releases from this pathway were not totally successful. Based on the available information, however, the total releases from the secondary system were believed to be substantially less than those via other pathways.
6. Liquid Releases
The large quantity of water which was released to the Auxiliary Building during the accident resulted primarily from leaks in the river water pump. These were known to be leaking prior to the accident.
The relatively small quantity of radioactive water which led to contamination of the river water is believed to have been released through normal operation of the liquid drainers in the radwaste gas system, since some of the conditions discussed above undoubtedly led to significant quantities of radioactive water in the radwaste gas system.
F. FACTORS LEADING TO THE INCORRECT STATUS OF EF-V12A AND B
Investigations by several different bodies (Refs 7, 12, 15, 17, 18) have failed to identify the reason why the emergency feedwater block valves EF-V12A and B were found closed on the morning of March 28.
The valves are known to have been closed on March 26 as part of performance of Surveillance Procedure 2303-M27A/B. Existing documentation and operator testimony indicate that the valves were reopened at the completion of the procedure. The signed checkoff list, however, was considered only an operating tool and was not kept, so the only documentation is an entry that the entire procedure was completed.
There is no evidence as to whether or not the valves were subsequently closed either deliberately or inadvertently.
In particular, no evidence of sabotage was found.
The task force did not reinterview the operators involved in the surveillance procedure, because the thoroughness of the previous investigations made it unlikely that new information would be obtained. The investigation was rather centered on other aspects of the valve closure, including whether the surveillance procedures violated technical specifications, the practices which should guarantee proper line up of safety systems, the reasons why apparently incorrect positions could go undetected for a period of time, and such subsidiary factors as the possibility of a sneak circuit and the reason for the discoloration in one of the emergency feedwater train piping systems. These are discussed in the following sections.
1. Surveillance Procedure
Surveillance Procedure 2303-M27A/B is performed to ensure compliance with technical specification 4.0.5.a.2, which references section 11 of the ASME boiler and pressure vessel code for in-service testing of class 1, 2 and 3 pumps and valves. The valve operability portion of the surveillance procedure includes the checking of the non-return check valves to ensure they do not leak.
It is the inclusion of this requirement in the procedure that led to having all feedwater paths to the steam generators simultaneously under pressure during the surveillance test. This was initially accomplished with valves EF-V11A & B, which are normally closed.
The simultaneous closure of the 12A and B header isolation valves during the surveillance test was the direct result of a procedure change request (PCR) dated August 10, 1978.
This change, which called for the 12A and B valves to be in the closed position for the duration of the test, was requested because of leakage through the 11A and B valves, which resulted in relatively cold water being introduced into the steam generator and thermally cycling the emergency feedwater nozzles.
The procedure change request was initiated by the Mechanical Maintenance Department, prepared by the Engineering Department, and reviewed and approved by the PORC and GRC groups. Procedure change requests have a nuclear safety evaluation section that must be filled out; section 2C questions: "Does the attached procedure change or reduce the margin of safety as defined in the basis for any technical specification." The answer given was "No".
The applicable technical specification, 3.7.1.2.a & b, defines the emergency feedwater system as three independent steam generator emergency feedwater pumps and associated flow paths, and requires that it shall be operable as a limiting condition for operation.
One "system" may be inoperable for 72 hours but must subsequently be returned to service or the plant be placed in hot shutdown within the next 12 hours.
The specification makes no statement regarding flow paths and/or components out of service, and is unclear as to the real requirement. While the surveillance procedure may not have violated the literal requirements, the Task Force believes that it was contrary to the intent of the specifications.
In contrast the TMI-1 surveillance procedure indicates that at no time may two emergency feed trains simultaneously be out of service.
It should be noted that Surveillance Procedure 2303-M14A/B/C, Rev. 8 (Emergency Feedwater System Valve Lineup Verification and Operability Test and Turbine Driven Emergency Feed Pump Operability Test) (Rev. 7) also calls for simultaneous closure of feedwater header block valves 12A and 12B during the test.
2. Alternate Procedure for Surveillance Tests on Emergency Feedwater Systems
The procedure change that required closing the EF-V12 valves was initiated because of concern that the EF-V11 valves leaked. An obvious alternative is to reduce the leakage past these valves so that the EF-V12 valves can remain open.
If leakage cannot be stopped, the effect of the leakage should be evaluated to determine if the leakage and the thermal shock problem are in fact significant.
Another approach would be provision for the EF-V12 valves to open automatically on emergency feed demand. They could then be closed during testing.
If none of the above approaches are practical, the ASME Power Test Code, Section XI Subsection IWV 3521 allows check valve testing to be deferred to plant shutdown as follows:
"check valves shall be exercised to the position required to fulfill their function unless such operation is not practical during plant operation.
Valves that cannot be exercised during plant operations shall be specifically identified and shall be full stroke exercised during cold shutdown.
Full stroke exercising during cold shutdowns for all valves not full stroked exercised during plant operation shall be on a frequency determined by the intervals between shutdowns as follows: for intervals of 3 months or longer, exercise during each shutdown; for intervals of less than 3 months, full stroke exercise is not required unless 3 months have passed since the last shutdown exercise."
This postponement of testing would have to be justified by showing that testing during plant operation is not practical.
If so, the Technical Specifications allow isolation of the emergency feedwater system when in Mode 3 with the steam generator pressure below 800 psig, so testing could be performed with the EF-V12 valves shut in this hot shutdown condition.
3. Why Improper Valve Alignment Went Undiscovered
The procedures and practices of the control room operators did not require written documentation of the status of valve positions.
The operators were expected to routinely monitor the bench board parameters and indicators available.
The actual watch-standing practices, however, apparently did not include a systematic check of safety system status as part of the routine duties.
Control room operators interviewed by the task force reported 3 that they believe improperly aligned systems could have gone undetected for an extended period of time.
Shift turnover procedures also did not guarantee that incorrect alignment would be identified. Status lists or check lists were not used as part of the routine turnover.
The shift change routine would reveal a particular system misalignment only if the system were known to be in an abnormal condition or if a test was in progress at the time of turnover.
Since the test on March 26 was initiated and completed during the regular shift hours, the oncoming shift would only have been informed that the test had been successfully completed.
Finally, the color convention used for indicating lights at TMI-2 does not facilitate recognition of an improper system alignment, since red (or green) lights may be correct for some components and improper for others.
4. Surveillance Completion Practices
The general practice for completing a surveillance procedure was that the operator carrying out the test would complete it and sign off on a checklist. This checklist would then be taken to the shift foreman who was expected to verify that all steps had been signed off, and to make and maintain a record that the procedure had been satisfactorily completed.
There was no provision for double checking either by the control room operators or by a second operator making an inspection in the plant, that the system was left in the correct alignment.
There was thus no verification of the completion of the procedure.
5. Sneak Circuit Investigation
A separate investigation (Ref 18) was carried out to determine if a sneak circuit or other unknown circuit anomaly could have caused an inadvertent closure of the EFV-12 valves.
The investigation consisted of a careful review of the design documentation followed by a detailed in plant hardware check.
The latter included physical inspection of components and cabling, and trial operation of the valves from the various control stations.
It also included insulation resistance measurements for all cables and conductor resistance measurements, compared to the calculated resistance of the known length of the conductor.
No sneak circuits or other anomalies were found which could have resulted in accidental valve closure.
The local control station buttons have rubber caps which make inadvertent operations extremely unlikely. Other components in the circuit were found to be in a normal condition.
Three discrepancies, however, were found between the installed circuitry and the design requirements:
1. In one case three conductors were terminated to a single terminal point in direct violation of the design requirement that no more than two conductors be terminated at any one point.
This did not, however, affect the operation of the circuit.
2. A spare limit switch which, in the design documentation, was shown unconnected to any circuit, was, in fact, wired into the circuit in series with the limit switch which should have terminated valve closure on reaching the desired torque.
The superfluous limit switch was actuated by the position of the valve actuator, and, due to the incorrect wiring, actually functioned to stop the valve closure prior to the time the desired torque had been achieved.
3. The overload heaters in the circuit which opened the valve were found to be undersized by a factor of three compared to the design requirements.
The net result was that if the valve had temporarily stuck while being opened, the undersized overload heaters might have prevented the necessary torque from being exerted to complete the valve opening.
6. Feedwater Pipe Discoloration
Physical examination of the plant indicated that the feedwater piping between EFV-11B and the containment penetration was substantially discolored.
The discoloration was greatest at the point of entry of the piping into the containment and in fact, the paint was actually blistered at this location.
The discoloration diminished upstream from the containment entry.
Investigation has revealed that the discoloration was probably caused by hot water from steam generator "B" flowing backwards in the discolored line.
Such discoloration would occur if the cross-over check valve leaked or failed open, since there were many hours on March 28 when the pressure in steam generator "B" was significantly higher than that in steam generator "A".
A test performed by heating a section of pipe support painted with the same paint used in the emergency feedwater line achieved the level of discoloration observed in the emergency feedwater line at temperatures ranging from 245°F for minimum discoloration to 420°F for the maximum discoloration and blistering observed. The actual water temperature in steam generator "B" was above 420°F concurrently with the required pressure differential for at least 4 hours on March 28.
G. ADEQUACY OF ASSESSMENT OF THE EXTENT OF DAMAGE TO THE CORE
Based on interviews with operators and other station personnel present in the control room early in the accident, it appears that early perception of the core condition differed greatly from the current understanding.
The general opinion seems to have been that some fuel damage had occurred, but this was limited to cracking of some percentage of the fuel cladding.
Some quotations referred to approximately 1% of the fuel having ruptured cladding.
The high incore thermocouple readings taken at about 8:00 a.m. on March 28 might have triggered recognition of the true core condition, but these readings were not widely known and were apparently not recognized as valid by the senior station management who did hear of them.
The task force found no indication that anyone made a substantial effort during the day of the accident to rigorously assess the likely state of the core.
The personnel who might have made such an assessment were concentrating on reestablishing a stable core cooling mode, carrying out the emergency plan, and communicating with the many agencies and individuals who needed information.
Realization of the presence of large quantities of hydrogen in the primary system appears to have first led to the realization that core damage was major.
This assessment occurred late Thursday night, March 29 and early Friday morning, March 30 (Ref 19).
III. CONCLUSIONS
This investigation of the TMI accident has concentrated on identifying and evaluating the basic factors which contributed to the accident or related events.
The approach has been to evaluate the significant factors using the perspective which has arisen as a result of the accident rather than previous standards. The intent of the evaluation has been to identify those areas where performance improvements are desirable and achievable.
The overall conclusion of this investigation is that the TMI-2 accident was the result of a complex combination of factors.
Problems arose from equipment design and/or operation, software (e.g., training and procedures), and human performance. No single factor would have been sufficient to cause the accident.
Equipment problems were found to result from deficiencies in design, installation, startup and test, operation and maintenance. Operation and maintenance problems in the condensate system, coupled with the limited capability of the system design to accommodate transients, resulted in the unit trip.
Failure of the pilot operated relief valve (PORV) to reclose initiated the accident, and the plant operators had no direct indication of this failure.
The plant design was such that previous non-LOCA transients had led to occurrences of high pressure injection (HPI), so initiation of HPI was not taken as a signal that an accident was in progress.
Problems with the secondary plant systems distracted the operators. Finally the limited application of human engineering in the design of man/machine interfaces left the control room operators without ready access to some useful information, while besieging them with irrelevant alarms.
A basic software problem arose from lack of appreciation of the unique symptoms which would result from this event. The data base used for operator training and preparation of emergency procedures was limited to a LOCA which reduces both system pressure and pressurizer level.
The limited attention which had been given to the consequences of a leak from the pressurizer did not focus on the difficulty in recognizing the leak, due to the rising pressurizer level.
The operators also did not have access to information on the occurrence of a similar event at another plant. Furthermore, the simulator used for operator training did not have the capability for simulating a LOCA from the pressurizer vapor space.
The operators thus expected loss of both pressure and pressurizer level if a LOCA occurred, and were not equipped to recognize a LOCA from the pressurizer vapor space in which pressurizer level did not reflect the system inventory.
A related problem arising from training and procedures was the attitude towards taking the plant solid. Although this was an appropriate response to the conditions which existed on March 28, neither the training program nor the emergency procedures gave any guidance regarding conditions under which solid operation might be desirable or necessary.
In fact, taking the plant solid would have been a violation of technical specifications as well as several operating procedures.
Solid operation was used only for hydro-static testing, and never during normal operations, including refueling shutdowns.
Simulator training also did not include solid plant operation.
The net effect was to condition the operators against solid plant operation.
Other software and human factors played a role in the accident. Operator training in general had placed emphasis on attaining and maintaining an NRC operating license; in retrospect this approach did not guarantee a thorough understanding of the plant performance under all foreseeable situations.
Casualty training, including simulator training, stressed planned response to predefined single failures, and did not deal with simultaneous multiple failures which present unique sets of symptoms to the operators, such as actually occurred at TMI.
No training had been given in response to events which were not predefined.
Emergency and operating procedures were found to provide unclear and in some cases contradictory guidance.
Errors in operator judgement delayed isolation of the leak and resulted in prolonged operation at low reactor coolant system pressure.
Precautions and limitations in some emergency procedures were overlooked or not recognized as applicable.
Finally, the nuclear design and regulatory process had emphasized conservative bounding analyses of unlikely plant accidents, which were intended to confirm that the overall design criteria had been met.
For both unlikely accidents and expected plant transients, inadequate attention was given to predicting the most probable plant response. Training programs and operating procedures thus did not have a sufficient data base to provide the operator with all the needed information.
Review of the responses to the accident showed that the organizations involved had not perceived the magnitude nor duration of requirements in the post-trip period.
The protracted series of events which actually occurred pointed out inadequacies in the organizational support, in the communication system, and in the predefined information flow network required for effective accident management. The TMI experience showed that a large off-site support organization is needed to assist the in plant organization. While information flow to the cognizant state agency regarding releases of radioactivity was generally adequate, there was at least one case of contradictory information being released.
Communication systems proved inadequate to properly inform utility management and the NRC of plant status and problems.
The task force investigations of other factors relevant to the accident led to the following conclusions:
(1) The root cause of the reactor trip was water in the instrument air lines to the solenoids on the condensate polisher discharge block valves;
(2) The reason why the PORV stuck open cannot be determined until the valve can be inspected, if then;
(3) The principal pathway for release of radioactive material to the environment was gaseous releases from the Radwaste Gas system;
(4) The reason for the incorrect status of the emergency feedwater block valves is not known.
(5) Plant staff and company management concentrated on plant cooldown, emergency response and communications on March 28 rather than assessment of total core damages.
Realization of the extent of core damage resulted from discovery of the hydrogen bubble.
These investigations also revealed problems which, although not direct causes of the accident, should be corrected. Attempts to determine the exact nature of the initiating event led to the discovery of (1) undocumented and in some cases apparently erroneous modifications to secondary system components, (2) system and component operating problems which should have been detected and corrected during initial plant startup, and (3) substandard practices in modifications to electrical circuitry.
Investigation of the emergency feedwater valve closure revealed that watch standing procedures and practices were inadequate to detect incorrect alignment of safety system components.
The task force did not perform a thorough review of the role played by TMI management relative to the identified problems, primarily because the management structure was significantly changed from that which existed at the time of the accident.
The task force did, however, develop some recommendations for future management actions, as discussed in the next section.
On a broader perspective the fact that the identified problems span the scope of responsibility of nuclear vendor, architect/engineer, constructor, owner/operator and regulators suggests that the types of problems identified in this investigation are not unique to TMI.
The task force investigation was specifically confined to TMI-2, and therefore reflects the performance of organizations other than GPU/Met-Ed only to the extent that those organizations directly participated in the TMI-2 project.
The measures of performance available prior to the accident, however, indicated that in areas such as total resources available, performance of operators on exams, etc., TMI was at least as good as the average nuclear plant.
It seems a permissible inference that the entire nuclear industry had become somewhat complacent regarding the possibility of a transient leading to major core damage. This attitude probably stemmed from the outstanding safety record of the nuclear industry, coupled with a belief that current regulatory practices provided adequate protection.
In any event, it appears likely that the industry in general would profit from a careful and critical review of its current levels of performance and an upgrading of performance standards where appropriate.
IV. RECOMMENDATIONS
A. General Recommendations
The overall recommendation is for an upgraded standard of performance for all aspects of the nuclear related operation.
This requires two significant changes.
1. Increased resources are required at the working level to support specific changes discussed below. This may be accomplished at least in part by improving the efficiency of the total operation, but may also require added resources. This change in resource requirements and allocation should be regarded as a continuing need.
2. New standards of personnel performance are required at all levels in the plant organization.
This requires that fair and realistic but strict standards be set, communicated and enforced on a continuing basis.
The responsibilities for the safe and reliable operation of the unit must be communicated to and understood by each individual associated with the unit. Everyone must understand that management will do its part in making sure that adequate resources are available at the working level, and that each member of the organization is expected to do his or her part in ensuring that these resources are effectively and efficiently utilized.
B. Specific Recommendations
1. A comprehensive study of training needs should be conducted covering all areas of the organization including operations, maintenance, health physics, quality assurance, and plant staff, and all levels of personnel including technicians, engineers, supervisors and management.
The result of this study should be used to modify the training program.
The revised program should be structured to the groups that it will train. Operators should be trained to recognize abnormal plant response, to identify accident causes from the diverse data sources available to them, and then to apply their plant knowledge and use procedures effectively to correct the condition.
Supervisors should be trained to evaluate information and to make the decisions that result in proper action during casualty situations.
They must also be trained in methods of administering the plant to insure that operators are always aware of system and equipment status and are prepared to respond to abnormal situations. The plant engineering staff must be trained in plant operations so that they are better equipped to apply their knowledge to support the operations staff in areas of (a) procedure writing, review and implementation; (b) operations review; and (c) evaluating and advising during abnormal plant conditions.
The operator training program should be carefully reviewed to ensure that all operations which might be required under emergency conditions are covered in the program, both in classroom training and at the simulator.
Specific operations which must be added to those previously covered in the training program include conditions under which the plant should be taken solid, methods for operating the plant when solid, transition to natural circulation and operation under natural circulation.
In addition, the training program should specifically instruct the operator in how to respond to a plant condition which does not appear to be covered by the predefined events emphasized in the training program.
It should include: techniques for diagnosing the problem or problems; which plant parameters to focus on to insure basic safety; methods to be used to bring additional technical resources to bear on the problem; and the authority and responsibility of the operating staff to deviate from previous directions when required to respond to unforeseen situations.
A general review of the upgraded training program should be performed by an independent group to ensure that the entire spectrum of training needs is being addressed. Reviews of the upgraded training program which are completed include (1) the Ad-Hoc Advisory Committees on Personnel Selection & Training and Man-Machine Interface & Communications, (2) the Penn State Pedagogical Review Committee and (3) the TMI-1 Operator Training Review Committee.
In addition, plant management should require independent periodic assessments to evaluate training effectiveness in satisfying the established needs of the program.
2. Watch standing and shift turnover practices should be upgraded. Watch station responsibilities should be clearly defined. Formal procedures to assure operator awareness of the plant status should be critically reviewed and revised to provide an efficient integrated and manageable method for obtaining and controlling plant status. Evaluation of operator awareness by such techniques as random, unannounced checks (alertness drills) would also be useful. Watch standing communications should be formalized and utilized uniformly.
3. The emergency operating procedures should be completely revised. The basic approach should be a hierarchical response to all casualty conditions, to ensure that the basic nuclear safety needs are satisfied before addressing equipment protection and recovery activities. A general diagnostic procedure should be developed to facilitate identification of applicable emergency procedures and to assist in dealing with multiple casualties. Specific procedures covering particular accident conditions would then be used for longer term recovery.
The intent of the actions required by a procedure should be clearly understandable to the user and the technical basis should be thoroughly emphasized in the training program. A procedure should establish time guidelines for completion of immediate and follow up actions to help the operator establish priorities. Symptoms should be described in a manner that allows the operator to interpret the degree and probability of accident causes. Conditions which must exist prior to overriding safety systems must be clearly defined. Technical deficiencies in these and other procedures should be identified and corrected. The interfaces between and among procedures should be clearly explained.
In order to improve the quality of procedures, an integrated procedure development and review system needs to be implemented. The specification for the system should clearly delineate responsibilities for initial development, technical reviews, safety reviews and final product physical quality (e.g., legibility). The technical review system should provide for a multiple level of review and revision by the using group, on-site engineering, and off-site engineering and design groups. The final review by PORC or its successor should concentrate on the safety issue addressed. The group responsible for the physical quality of the final procedure should ensure the procedure is clearly written and understandable for the specific using group, and that the print, figures and tables are of good quality and legible, and understandable in the using environment (e.g., control room during a transient or maintenance location as appropriate).
4. Steps should be taken to ensure compliance with procedures. Suggested methods include classroom training in use of procedures, emphasis on use of procedures during simulator training, and in-plant audits to reveal the extent to which procedures are used and complied with.
The inviolate nature of procedures in use during normal operations must be emphasized. Where procedures for normal operations are found to be inadequate or in error, changes must be made immediately using formal temporary and permanent change processes. Continuation of normal operations without these approved changes should not be allowed. For rapid transients or accidents, guidelines for making deviations should be preestablished and emphasized as part of the training program. Situations in which deviations from procedures may be required should be discussed with operators and incorporated into compliance guidelines.
Positive steps should be taken to insure that all modifications to plant equipment are reviewed and approved in advance, and are thoroughly documented.
Improved administrative controls for ensuring completion of operating, maintenance, and surveillance procedures should be implemented. These might involve, for example, independent check-offs by an independent party.
5. A periodic review of the watchstanding organization should be performed to ensure that the following guidelines are met on a continuing basis.
a. The shift supervisor and shift foremen must be kept sufficiently free of other responsibilities that they can adequately perform their basic management function of assuring safe and efficient plant operation. This requires, for example, that they have sufficient time to maintain current and detailed knowledge of the plant condition and status.
b. Adequate analytical capability must be immediately available at all times to ensure a technically correct and timely response to any unusual plant conditions.
c. The number of control room and auxiliary operators must be sufficient to carry out all required operations, but should not be so large as to impair the efficiency of the operations.
d. The support required by the watchstanding operation such as personnel, administrative, purchasing, etc., should be completely satisfactory in quantity, quality and timeliness.
e. The relationship between the watchstanding organizations at Unit 1 and Unit 2 should be appropriate for the then current condition of the two plants. At present this should imply two completely separate watchstanding organizations but for future different conditions it may be desirable to explore other alternatives.
6. The approach to emergency planning should be improved. This should include the development of a predefined off-site support organization staffed by in-plant and technical support personnel. Communications concepts must be substantially upgraded and the equipment to achieve the concepts designed, purchased and installed. In-plant communications should be based on systems used only by operators, and capable of use with respirators. They should be compatible with off-site systems through plug-in phones or radios. Both on-site and off-site support centers should have real-time computer terminals with access to the plant data base. The communication of information from the company to the media must be organized and the mechanisms defined. An emergency classification system which provides for a better graded level of response must be developed. The criteria which initiate emergencies must cover a broader range of plant problems and must be clearly and unambiguously worded so that a minimum of discretionary judgement is required to determine whether one has been exceeded.
7. For all management level and operating positions in the new TMI organization and for other selected non-management positions, the accountabilities of the position and the authorities delegated to it should be clearly delineated. This should include entry qualifications and standards used to measure the performance of individuals holding these positions. The interfaces between the plant operational staff and the supporting engineering and other technical groups should be clearly and formally defined. Considerable emphasis should be placed on insuring that all individuals involved understand how these interfaces are to work and under what conditions they should be used. The offsite groups should be assigned specific accountabilities to support the plant operation both on request and on a continuing basis. The above information should be documented in an organization manual.
8. As soon as the new nuclear organization is finalized and fully staffed, an independent team should conduct a thorough review to ensure that the organizational structure will achieve the desired performance in an effective and efficient manner. The review should also verify that each member within the organization understands how it will work and how his particular responsibilities relate to the total organization. The review team should also investigate whether resources are maximized at the point of work rather than in administrative overhead.
9. The effectiveness of the plant operational review committee (PORC) or its equivalent should be substantially improved. This may require improved committee organization and staff support, greater time commitment on the part of the senior members of the committee, and more complete reviews prior to PORC review.
10. The plant staff should be exposed to more technical data that would help them understand plant response. A formal method must be set up to insure this information flow on a continuing basis, and the involved portions of the organizations must be assigned specific accountabilities. To support this function a central technical group should be charged with providing information drawn from incident reports from other plants, transient analyses performed in support of safety evaluations, and other evaluations. In addition, this central group should review each TMI transient to determine the cause and to recommend measures to prevent or avoid reoccurrence of undesirable events. Where appropriate, specific analytical tasks should be performed by support organizations to provide the operating staff with desired data.
11. The overall information flow to the control room operator should be improved. An upgraded computer system, including modern input/output devices with data format matched to operator needs should be provided. Trending capabilities should be improved and should include capability for multi-parameter plots. The Unit 2 annunciator system should be changed, to provide a better method of locating and identifying alarms. Multiple acknowledge levels should be provided, and the location and grouping of important alarms should be reviewed. Consideration should be given to the incorporation of a critical system status board or equivalent, which would make it easy for the operator to rapidly determine whether all safety systems are in their operational state. This might be accomplished by a hard-wired panel in the control room or alternately might be accomplished through the expanded computer system.
The human engineering of the TMI 1 and 2 control rooms should be reviewed to identify the potential for human error. A comprehensive review should be conducted which considers the interaction of operators with plant systems, procedures and other operator aids during normal and off-normal conditions. Changes recommended by the review should be implemented on a schedule consistent with plant operational considerations. The TMI-1 control room study currently in progress will satisfy this recommendation. The report of the Ad Hoc Committee on Man-Machine Interface contains additional detailed recommendations for TMI-1 and 2.
12. The general condition of the as-built secondary side of the plant should be verified by a careful review of design requirements and a detailed comparison of the entire BOP to these requirements. As-built drawings and associated documents should be verified and procedures and practices for control of all future changes should assure that these drawings/documents are kept current. Specific problems identified in this report (e.g. in section A.2, A.3, C.5, & F.2) and others identified by the BOP review should be corrected prior to the restart of Unit 2.
13. A formal suggestion system should be used which facilitates employees making suggestions for improved plant operation, which ensures that these suggestions receive appropriate consideration, and which guarantees that the employees will receive timely feedback on the disposition of their suggestion. The system should be simple to use and should avoid generating a proliferation of paperwork which interferes with its operation.
For example, the system might utilize a printed form for making suggestions and responding to suggestions which consists of the original and two copies. The suggestor would fill out the top portion of the form by hand, describing his suggestion and the reason why it should be adopted. All three copies would be forwarded to a clerk who would log the suggestion and schedule it for review by a management team with authority to make immediate decisions. This review should occur perhaps once a month for suggestions submitted during the previous month. As a result of the review, the secretary would fill in the bottom of the form giving the disposition of the suggestion, the reasons and the anticipated schedule of any action. The original would then be forwarded to whichever department was assigned the action. One copy would be maintained in the master suggestion file and the third copy returned to the original suggestor.
14. A formal system should be implemented which documents degraded conditions of plant equipment and ensures corrective action is taken. The system should have as a primary objective an effective method of keeping operators on shift apprised of all critical equipment that is out of service or operating in a degraded mode. The system should also facilitate documenting of minor deficiencies without burdensome paperwork on the part of the operations or maintenance staff.
15. Steps should be taken to ensure that desirable small improvements in the plant are not hindered by the difficulty in obtaining authorization to proceed with the improvements. This might be accomplished, for example, by making an annual resource fund available to the Manager of Plant Operations who would be authorized to spend this money for desirable improvements in the plant operation or maintenance without further approval.
16. A systematic evaluation of the response of the secondary plant to anticipated transients should be performed. This should utilize a mathematical model of appropriate portions of the condensate feedwater and steam systems. The results should be used to identify desirable improvements in control methods, setpoints, etc., in order to enhance the capability of the plant to withstand such transients with minimum interference with normal plant operation and minimum reliance on safety systems to protect the plant.
Additional analysis of plant performance is required to increase understanding of events which are likely to occur during operation. Analysis methods such as failure modes and effects analyses, safety sequence diagrams and fault and event trees can be used to identify event sequences which may differ from those assumed in the design and licensing processes. Additional analyses are also required for each event to ensure recognition of the symptoms and response for the full spectrum of severity of that event. The results of this work should be input to design reviews, procedures and training.
Recognizing that no attempt to predefine all possible failure methods and event scenarios can be complete, analysis is also required to aid in diagnosis of plant conditions and development of guidelines for action which do not depend on knowledge of the specific events which led to the existing condition.
17. The plant has been designed to be tolerant of some degree of degraded component and system performance. Operation with degraded conditions should be carefully evaluated to ensure that anomalies, individually or collectively, do not obscure abnormal performance directly or by reducing the sensitivity of the operator to symptoms of abnormal performance.
Such evaluations might include a review of the operating and emergency procedures to determine which ones would be affected by the abnormal condition(s) and what the effect would be. Analysis, including simulation, might be required to enable a thorough evaluation. Based on this review, modifications to procedures, alterations of operating limits, alarm setpoints or monitoring requirements could be considered along with training of operators to support changes.
The final judgement as to whether to continue operations should be based on the collective impact of the existing anomalies. This judgement should be made by senior plant management.
Because of the difficulties of conducting such an objective evaluation, the goal should be to keep the number and degree of anomalies minimal.
18. Finally, Senior Management must ensure that the improvements resulting from this accident continue in effect on a long term basis. Unless this point is effectively implemented, the improved performance may gradually degrade.
V. REFERENCES
1. "TMI Unit 2 Loss of Feedwater Flow Leading to the Accident of March 28, 1979," K. P. Lacies, Sept. 1, 1979, Rev. 1 July 1980.
2. Met-Ed Memo dated July 13, 1979 to J. R. Floyd from Donald A. Berry, "Condensate Polisher Valve Malfunction."
3. Task Force Interviews with:
a. W. Zewe & Crew - August 24 & 25, 1979
b. W. Zewe & Crew - September 19, 1979
c. C. Faust - September 19, 1979
d. F. Scheimann, September 19, 1979
e. E. Frederick, September 19, 1979
f. J. Logan, September 19, 1979
g. Bernie Smith & Crew, September 20, 1979
h. George Kunder, September 20, 1979
4. "Preliminary Annotated Sequence of Events, March 28, 1979," Rev. 1 dated July 16, 1979.
5. TDR-054 (was TDR TMI-111), "Analysis of TMI-2 Operator Response," P. S. Walsh and T. G. Broughton, issued October 29, 1979.
6. "Report of Ad-Hoc Advisory Committee on Personnel Selection Training, Man-Machine Interface and Communications," Louis R. Roddis, Chairman, January 1980.
7. "Report of the President's Commission on the Accident at Three Mile Island," October 1979.
8. "TMI Staff Interviews Concerning the March 28, 1979 Incident," Compiled by E. F. O'Connor, JCP&L, May 9, 1979.
9. TDR-TMI-114, A. Tsaggaris, "Emergency Plan Implementation," June 1979.
10. TDR-080, "PORV Reliability and Change Modifications," J. H. Corea, April 24, 1980.
11. Q. Billingsley, "PORV Failure Mode," TDR to be issued.
12. NUREG 0600, "Investigation into the March 28, 1979 TMI Accident by Office of Inspection and Enforcement," USNRC dated August 1979.
13. TDR-126, "Investigation of TMI-2 Pressurizer PORV Discharge Pipe Temperatures," issued 2/28/80, Q. Billingsley, P. Maheshwari, et al.
14. "Analysis of TMI-2 Accident," Nuclear Safety Analysis Center Report NSAC-1. Appendix Routes.
15. "Three Mile Island - A Report to the (NRC) Commissioner and to the Public," M. Rogovin and G. T. Frampton, Jr., January 24, 1980.
16. "Pathways for Transport of Radioactive Material Following the TMI-2 Accident," J. Paradiso (GPU), J. E. Flaherty (EU, July 1980.
17. Memo J. Miller to R. C. Arnold, "Preliminary Report on Emergency Feedwater System," dated April 18, 1979.
18. TDR 104, "Analysis of Testing of Emergency Feedwater Isolation Valves EF-V12A and EF-V12B," Ebasco and J. Gulati, dated August 24, 1979.
19. "Three Mile Island Accident Technical Support" by R. L. Long, GPUSC, T. M. Crimmins, JCP&L, and W. W. Lowe, Pickard, Lowe & Garrick, Inc., Submitted for publication in Nuclear Technology March 24, 1980.