ML20098G891
ML20098G891 | |
Person / Time | |
---|---|
Site: | Byron |
Issue date: | 10/02/1984 |
From: | Dick C, Hughes E BECHTEL GROUP, INC., COMMONWEALTH EDISON CO. |
To: | |
Shared Package | |
ML20098G869 | List: |
References | |
OL, NUDOCS 8410050661 | |
Download: ML20098G891 (17) | |
Text
{{#Wiki_filter:Engineer for the Midland Nuclear Plant (Consumers Power Company). For initial stages of the IDR I was the CCW system leader and, for the latter part of the review, the Project Manager for the Byron IDR.
3. During my assignment to the Midland Nuclear Plant project I experienced an Independent Design Verification Program conducted by the Tera Corporation. My experience in reviewing nuclear project designs spans several years, as I have been a Chief Nuclear Engineer, Chief Mechanical Engineer, and Project Engineer, and in those positions reviewed numerous technical designs either as an off-project reviewer or as the responsible issuing authority.
3. I have been asked by Counsel to explain the objective, implementation and results of an August 1984 final report documenting an independent design review of the Byron Station. I participated in the development and implementation of the IDR and I managed preparation of the IDR Final Report. I was also requested by counsel to address the criticisms of the IDR report asserted by the Intervenors in their September 12, 1984 Motion to Reopen the Byron Hearing Record. My discussion of these matters is set forth in the attached "Joint Statement of Charles W. Dick and Edward M. Hughes." The statements made therein are true and correct to the best of my information and belief.
Edward M. Hughes
Subscribed and sworn to before me this [illegible] day of [illegible], 1984.
Notary Public
Commission expires January 14, [illegible]
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
BEFORE THE ATOMIC SAFETY AND LICENSING BOARD
In the Matter of COMMONWEALTH EDISON COMPANY (Byron Nuclear Power Station, Units 1 & 2)
Docket Nos. 50-454 OL, 50-455 OL
JOINT STATEMENT OF CHARLES W. DICK AND EDWARD M. HUGHES
1. Background and Purpose. During 1983, inspectors from NRC's Office of Inspection and Enforcement conducted a review of the design by Sargent & Lundy (S&L) of the Byron Station. The NRC review, called the "Independent Design Inspection" (IDI), raised a number of questions concerning S&L's design work. The questions were addressed by S&L and Commonwealth Edison Co. (CECO) in a response submitted to the NRC on December 30, 1983. One of the questions requested CECO to determine the need to conduct further audits or inspections of other systems designed by S&L. The purpose of these audits was to determine if items similar to those discovered during the IDI were present in these other systems; and if so, whether any corrective action was necessary. CECO ultimately concluded that additional audits or reviews of the S&L design practices should be conducted to address the NRC concern and to provide further confidence in the design of the Byron Station. Bechtel Power Corporation (BPC) was commissioned to conduct these reviews.
2. Systems Selected For Review. CECO, with the approval of the NRC, selected the component cooling water (CCW) system, the essential service water (ESW) system, and the Class 1E, 125 volt, dc distribution system as the additional systems for review. The three systems selected for evaluation under the IDR cover a broad sample of work in the key areas of design engineering for Byron. These included work by the various engineering disciplines (e.g., mechanical, electrical and civil), important functional areas (e.g., fire protection and high energy line break analysis), and both fluid and electrical systems. The review of these systems covered design work performed by S&L, including S&L work that incorporated design work by others. The selected systems permitted comprehensive sampling of design areas consistent with the stated objectives for the independent design review (IDR) performed by BPC.
3. IDR Program Plan. In accordance with CECO's direction, BPC developed a Program Plan which was reviewed by CECO and accepted by the NRC. The Plan established the framework for the performance of the design review of the three systems by BPC's independent design review team.
The Plan consisted of four tasks. Task-1 involved determining whether S&L's design documents for the systems selected implemented licensing commitments and other design requirements in the Byron FSAR. The selected systems were reviewed in Task-2 to determine if the technical commitments and requirements identified under Task-1 were met in an adequate technical manner. Task-3 provided an assessment of the effectiveness of the S&L design processes for the selected systems. Under Task-4, the results of Tasks 2 and 3 were analyzed to determine what conclusions could be drawn with respect to the design of unreviewed systems, structures and components.
The Plan was implemented in accordance with the requirements of a Quality Assurance Plan established by BPC for the Byron IDR. The QA Program provided assurance that the IDR was performed in accordance with the approved procedures, and that the results of the review were documented appropriately and were traceable to the observations and conclusions provided in the Final Report.
4. IDR Program Implementation. More than 25 individuals encompassing the mechanical, control systems, civil/structural and electrical disciplines at BPC were directly involved in the IDR. Approximately 15,000 manhours were expended, about 2,120 points of evaluation were assessed and more than 1,165 documents were examined. A principal activity in the IDR evaluation was the examination by reviewers of FSAR commitments, the Sargent and Lundy design criteria, and the design documents related to each technical area being evaluated. Based on the review of this information, the reviewer would reach an initial conclusion as to whether commitments were met, whether technical adequacy existed based on the ability of the component to perform its intended function, and whether the design process was adequate for the areas reviewed. Potential deficiencies in those areas were documented as "Potential Observation Reports" by the reviewer to a system team leader and then submitted to the Level-1 Internal Review Committee for review and initial disposition. Thus, a complete analysis of each Potential Observation was processed by the Level-1 Internal Review Committee. The Level-1 Committee determined initially whether the condition identified by the reviewer was meaningful and consistent with the scope of the IDR and, therefore, valid. If the observation was valid, the Level-1 Internal Review Committee judged whether the identified condition was potentially safety significant based on the information available at that time. If judged safety significant, the matter would be referred to the Level-2 Internal Review Committee for further review. The term "safety significant condition" used in the evaluation was defined by the Program Plan as "a loss of safety function to the extent that there is a major reduction in the degree of protection provided to public health and safety." A similar definition is found in 10 C.F.R. Part 21 for a "Substantial Safety Hazard." In determining if a safety-significant condition existed, the standard used in applying the definition was whether the discrepancy noted in the Observation was a loss of safety function such that a safety-related system would have been unable to perform its intended safety function.
After the judgment as to safety significance was made, valid Observations were forwarded to S&L with the objective of gathering additional, clarifying information to confirm or deny the existence of apparent deficiencies. Following receipt of this additional information relating to the observation, final confirmation of the initial evaluation as to the existence of a safety-significant condition was made by the IDR Team. The procedure just described established a disciplined structure for the evaluation and disposition of each observation.
5. Program Results. Forty-nine potential observations were generated as a result of the IDR team review. Of these, thirty-five were deemed "valid" and were issued to S&L for response. Twelve of these thirty-five were resolved as not constituting deficiencies based upon further information or clarification from S&L. Twenty-one were resolved by correcting or by agreeing to correct inconsistencies in documents, by confirming adequacy of design features arrived at by judgment, or by modifying procedures. Two involved design changes. None of the Observations constituted a safety-significant condition regardless of the corrective action taken. Although at some places, it may have been unclear in the Final Report, the BPC IDR team made its judgment as to whether a "safety-significant condition" existed for all Observations based on the existing design conditions found at the time of generation of the Observation and not on any design condition expected to exist in the future as a result of the S&L commitments to design changes. Should the judgment of the Level-1 Committee at any time have identified a safety significant condition, appropriate action would have been taken in accordance with the Program Plan.
6. Observations Involving Design Changes. One of the corrective actions involving a design change was identified under Observation 8.9. This observation addressed a noncompliance with a Byron FSAR commitment (Table 8.1-1 and Appendix A, Reg. Guide 1.75). The commitment required that when nonsafety-related components are connected to the 125 V dc safety-related circuits, there must be either two interrupting devices in series, actuated by fault current, or one interrupting device actuated by safety injection, coincident with a loss of offsite power signal. The 125 V dc safety-related control center contains two nonsafety-related components for which this commitment was not met. The circuits to these nonsafety-related components, as they existed in the Byron design, were isolated from the safety-related bus by only one interrupting device actuated by fault current. The basis for the FSAR commitment stemmed from a concern that, without adequate isolation protection, failure in the nonsafety-related circuits could degrade the Class 1E bus such that intended safety functions could not be accomplished.
S&L provided the IDR team with an analysis which adequately demonstrated, in the team's judgment, that the existing condition, even considering the potential that the existing breaker failed to function, would permit the Class 1E bus to perform its intended safety function. However, S&L/CECO decided to add a second set of fuses which meets the commitment. S&L further reviewed the non-IDR scope of design and reported finding no other instances where non-Class 1E instruments fed from Class 1E power supplies are connected upstream of the second isolation breaker without this second set of fuses. The IDR team concluded, based on review of the S&L analysis, that no safety significant condition existed for the 125 V dc system and, based on the extensive S&L review of other designs, that the particular condition was quite unlikely to recur. Therefore, it was not a cause for a significant concern elsewhere.
The second design change was an unanticipated consequence of Observation Report 8.38. During the CCW system review, the IDR Team noted that the S&L-generated ASME design specification prescribed the piping design pressure for that portion of piping within the S&L design scope as 150 psig. A S&L calculation was made for the purpose of demonstrating, for a range of highly improbable scenarios, that adequate piping design capability for the various resultant pressures existed. Among the conditions examined in the S&L calculation was that of limited failure of the reactor coolant pump thermal barrier or the letdown heat exchanger resulting in primary coolant inleakage to the CCW system. Such leakage into the CCW system could potentially produce a pressure in the CCW system greater than the established Code design pressure of 150 psig.
In response to the IDR Team inquiry, S&L stated that the various improbable scenarios examined did not represent normal operating conditions. Code design pressure was selected based on the Westinghouse system criteria. The IDR Team concluded that the design pressure selected by S&L was adequate. However, in the process of response coordination between Westinghouse and S&L, Westinghouse apparently concluded that it had not adequately addressed primary coolant inleakage condition in its design of the CCW system. Westinghouse apparently intended that the design remain in compliance with Code allowable stresses even for the primary coolant inleakage condition. Westinghouse, based on its procedures and interpretation of 10 C.F.R. Part 21 obligations, reported the potential overpressure condition to the NRC, citing several operating plants and plants under construction, including Byron 1 and 2, as affected plants. It appeared for the Byron CCW system that the potential pressure increase was easily detectable, that the leakage was isolable and that sufficient redundancy of safety systems exists in the Byron design to assure achieving safe plant shutdown in the event of the postulated inleakage of primary coolant. Therefore it was the judgment of the IDR team that the CCW system design was adequate to perform its required safety function and no safety significant condition existed. Nevertheless, CECO, in conjunction with Westinghouse and S&L, implemented a design change to eliminate the potential occurrence of the overpressure condition by replacing the CCW surge tank relief valve with loop seal piping. Because no similar design was employed in other safety-related systems by Westinghouse or S&L in the Byron plant, there is no reason to expect this situation is cause for a significant concern elsewhere in Byron.
It should be noted that for the above two observations, which resulted in S&L commitments to issue design changes, it was the judgment of the IDR team that, without such design changes, the Byron design was still adequate to achieve safe plant shutdown considering both potential single active component failures and loss of off-site power.
7. HELB and MELB Protection. Observation Report 8.24 questioned whether the CCW and ESW systems were adequately protected from the jet effects of postulated high energy line breaks (HELB). Information furnished by S&L permitted the team to establish to its satisfaction that these systems were adequately protected. The IDR team concluded, based on the review results, that no safety significant condition exists relative to the CCW and ESW systems located inside containment. However, S&L responses to Observation 8.24 prompted the IDR team to raise questions as to the adequacy of the HELB design process for jet effects. This issue was covered by Observation 8.47.
Based on a review of S&L documentation, including some that was not reviewed by the NRC inspectors, the IDR team judged that there was sufficient evidence that S&L had established early in the design of Byron Station and in conformance with applicable licensing requirements, a HELB process to provide necessary plant protection. However, the review team could not establish with high confidence that this design process was implemented with sufficient thoroughness and detail to assure that all required structures, systems and components necessary to achieve safe shutdown were completely protected from all potential jet effects inside containment. Therefore, the review team concluded that a comprehensive review of the existing design throughout containment for HELB protection adequacy that resulted in very few design changes would establish that an adequate and effective process had been employed by the designer to achieve such results. S&L conducted such a review, and the foregoing test was satisfied by the fact that the preliminary results indicated that no design changes were required. Extensive BPC experience with HELB protection design and the various complex problems that must be solved in that effort allowed the IDR team to conclude that such favorable review results provided evidence of the past existence of an adequate design process.
The moderate energy line break (MELB) review by the IDR team identified no situations where the existing design did not meet MELB protection requirements. No Observation was issued for this particular technical area. The IDR team judged that its MELB review scope was in sufficient depth that the results provided the reviewers with reasonable confidence that the design process had been adequate to meet requirements and that there was no reason to expect significant problems elsewhere in the plant.
8. Trends. As part of the Program Plan, the IDR made an analysis of the Observations, to analyze for trends and root causes, and possible implications for unreviewed, safety-related areas. Trending was one method of extrapolating the results of the IDR to arrive at whatever broader conclusions might be drawn with regard to unreviewed aspects of the S&L design. It is an accepted approach, employed in many types of quality activities in the nuclear industry, including other IDR's; however the use of a trending technique does not lead to any inference that meaningful trends necessarily exist or that meaningful conclusions always can be drawn from observed trends.
In the case of the Byron IDR, the task was performed by the IDR team making an analysis of each Observation Report to determine the predominant cause. The four trends which were identified as most frequently occurring were related to undocumented judgments, FSAR control, changes review, and code non-compliance. Each trend was analyzed and discussed in the IDR as to its nature and significance.
In developing the Observation Reports a very strict standard of literal interpretation was applied to determine compliance with commitments, including code requirements. As noted, all of the Observations were individually regarded as of relatively minor importance with regard to technical adequacy. There were no instances where the design was not technically adequate. Through application of the trending technique, similar conclusions were drawn as to the collective significance of the Observations for the systems reviewed. With regard to systems not reviewed, there is less certainty as to what the trending indicates, but it is most likely that more of the same types of observations would be found and they similarly would not be important to the technical adequacy of the Byron design.
With respect to the trend relating to use of undocumented judgments, the IDR did not discover a judgment which, when questioned, did not prove to result in a technically adequate present design. In several cases, S&L performed reanalyses or revised calculations, but in all cases their original judgment was verified as adequate based on the design adequacy of the system, structure, or component in question. It is the conclusion of the IDR that this verification of the use of judgment is not a coincidence. Qualified, experienced engineers made these judgments based on their previous experience and on generally sound technical reasoning. Further, the S&L basic system designs were inherently conservative and generally possessed sufficient design margins which permitted successful use of engineering judgment.
With respect to the trend regarding control over the FSAR, although there were observations made which indicated that the FSAR did not accurately reflect the actual design or that certain FSAR design statements were not fully incorporated into the design, there was no indication that these cases represented a pervasive situation in the Byron FSAR and that they affected the safety of the plant. Use of the FSAR as a design requirement document necessitates understanding its limitations. One of the unique situations created by the requirements of an IDR is that a group of engineers generally not familiar with the specific and sometimes unique design criteria of a plant, are asked to perform a detailed review and to make a subsequent assessment. One of the readily available and convenient tools for basing this review is the FSAR. This is because the FSAR contains a wealth of information about a plant and because the NRC has used the document as a primary means of reviewing the plant. However, what must be appreciated or judged in light of the overall design process is that the detailed design criteria or requirements of a plant are contained in thousands of other design documents (i.e., drawings, specifications, procedures) which are not fully described or detailed in the FSAR. At certain times in the design process, these criteria or requirements can change without having an impact on plant safety or the design/analysis as reflected in the FSAR. This generally was the situation observed during the IDR of the Byron FSAR. Where FSAR changes were required as a result of an Observation for clarification or to better define commitments, S&L stated that such changes would be made.
With respect to the trend relating to review of changes, the process of design change control can very basically be broken down into three subprocesses assuming that design change itself has been accepted as technically sound. These processes are engineering coordination, design implementation, and "as-built" reconciliation. The review of the S&L design process indicated that each of these processes was controlled, but IDR Observations were made for each area related to reviewing changes and coordinating them within S&L. This indicated that certain minor deficiencies may exist in the S&L process but did not lead the IDR to conclude that the process is generally inadequate.
Finally, with respect to instances of code noncompliance, the design of a nuclear power plant encompasses thousands of detailed criteria and requirements. These criteria are found in regulations, regulatory guidelines, codes, standards, and a variety of other documents. During the review of the Byron Station, it was determined that some specific aspects of the design did not strictly comply with certain detailed code requirements. It is not the role of the IDR to judge the basis for the code requirements, but in all cases where a noncompliance was noted, S&L verified that the design of the given system, structure, or component could perform its intended safety function. Based on the large number of code and licensing requirements reviewed, and the relatively minor nature of the deviations relative to the basic design requirement for systems to perform necessary safety functions, it can be concluded that such noncompliances do not constitute a significant safety concern. This should not be construed as meaning that code noncompliances are an acceptable means of design, but in the context of this review, the code noncompliances observed did not (and would not if they occurred elsewhere) significantly lower the degree of assurance in the technical adequacy of the plant.
9. Conclusions. Based on this review, the IDR team concluded that the design of the systems selected for review was adequate. This conclusion was based on the comprehensive sampling (breadth of scope and depth of detail) of the S&L design work that was performed by the IDR team and the fact that the results consistently indicated the design was technically adequate. The deficiencies found lacked safety significance, and in fact, were minor and well below the threshold of significant technical concern for overall design adequacy. Moreover, it must be recognized that some deficiencies are likely to occur in any facility as large and complex as a nuclear plant.
The IDR work was performed and supported by well-qualified, experienced individuals capable of evaluating the S&L work and the results of the IDR. Evaluations were made of the key areas of the design important to safety, and that work was reviewed to assure careful examination of the systems reviewed. The IDR paralleled the IDI in such a way that the results of the two reports could be compared meaningfully. Moreover, the IDR team was aware of the IDI findings, and as a consequence, they were sensitive to similar occurrences in the systems reviewed under the IDR. The results of the two reports can be compared and we conclude that some of the observations identified during the IDR were similar to those discovered by the NRC inspectors.
The S&L design processes reviewed in the IDR were common to the non-reviewed systems and these processes were generally found adequate. Although some deficiencies were found, they were minor and did not impair the intended safety function of the systems reviewed or represent safety-significant conditions. These deficiencies failed to indicate to the IDR team that other systems, not reviewed, would be unable to perform required safety functions satisfactorily. Finally, the trend analysis incorporating these results leads to an expectation that similar results would be found in the areas not covered by the IDR. That is, the design conditions likely would be judged as technically adequate if a broader review in those areas were conducted. Based on the similarity of the results of the IDR and IDI and the relative unimportance of the IDR findings, it was the considered judgment of the IDR team that no further independent reviews or audits of systems designed by S&L are warranted.}}