ML20129H991
| ML20129H991 | |
| Person / Time | |
|---|---|
| Issue date: | 07/17/1985 |
| From: | Advisory Committee on Reactor Safeguards |
| To: | |
| References | |
| ACRS-T-1430, NUDOCS 8507220117 | |
| Download: ML20129H991 (224) | |
Text
,
ORIGINAL
- d'#
UNITED STATES OF AMERICA
['j
(
N NUCLEAR REGULATORY COMMISSION In the matter of:
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS Subcommittee on Scram System Reliability Docket No.
(x l
Location: Washington, D. C. l Date: Wednesday, July 17, 1985 Pages: 1 - 193 l ACRSOFFICECDPY'l s 30 Xo:1emove" rom ACTSFice ANN RILEY & ASSOCIATES
{ Court Reporters
,. d ([1 1625 I St., N.W.
Suite 921 4 \
Q. Washington, D.C. 20006 g'.
Y 65072201 PDR ACRS 7 B$O51f T-1430 PDR
.n .
1 l
, 1 UNITED STATES OF AMERICA 2 NUCLEAR REGULATORY COMMISSION 3 -
4 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS S SUBCOMMITTEE ON SCRAM SYSTEM RELIABILITY 6 -
7 8 Room 1146 9 1717 H Street, N.W.
10 Washington, D.C.
11 Wednesday, July 17, 1985 12 The Subcommittee on Scram System Reliability of the 13 Advisory Committee on Reactor Safeguards convened, pursuant to 14 notice, at 8:35 a.m., William Kerr, Chairman of the
!$- Subcommittee, presiding.
16 PRESENT: -
17 W. KERR, Chairman I
18 J. EBERSOLE, Member 19 D. WARD, Member 20 C. WYLIE, Memear 21 P. DAVIS, Consultant 22 W. LIPINSKI, Consultant 23 1
.. .e .NERT, Acre et.,, M.m .. :
c;) 2.
25
l 1
2
, 1 ALSO PRESENT:
1 2 E. HERNAN, NRR 3 F. HEBDON, AEOD 4 F. ROSA, NRC 5 S. MINOR, NRR 6 J. CROOKS, NRC 7 F. ROWSOME, NRC i-8 J. LITTLE, Westinghouse J-9 M. MITCHLER, Westinghouse
=. ;
.I 10 11 l
! 12 i
13 1
14
- 15
- I
- 16 17 l 18 l
19 l'
i.
l 20 21 1
- 22 o-
[
23 ,
24 l ' 25 4
' 4
-e -- r w.- 4,,,.w.,,----, .,n.-w., ,e,.wem..,,.,,,wnm,-w w ,m .n wo-omee------ -m-~e w-s m m -o w .w ---=e-ove~e me e~=~w==- -w w,--,s
d 1 P ROCEED I NG S 2 MR. KERR: The meeting will come to order.
3 This is a meeting of the Advisory Committee on 4 Reactor-Safeguards, Subcommittee on Scram System Reliability.
5 My namo is Kerr. I am Subcommittee Chairman. We 6 also have in attendance today Mr. Ebersole, Mr. Ward, 7 Mr. Wylie, and consultants Mr. Davis and Mr. Lipinski.
8 The cognizant ACRS Staff member of the meeting is 9 Mr. Boehnert.
10 Rules for participation in the meeting were 11 announced as part of the notice of the meeting in the Federal 12 Register June 28 of 1985.
13 A transcript of the meeting is being kept and will 14 he made available as stated in the Register notice. I will 15 ask that each speaker identify himself or herself and use the 16 microphone.
17 We have received no written comments from members of 18 the public, nor have we had requests for time to make oral 19 statements by members of the public.
20 In order that there be some at least minimum amount 21 of misunderstanding, I should emphasize that this is a meeting 22 of a recently constituted subcommittee on Scram System
( 23 Reliability. We recognize that the ATWS issue was resolved by 24 rulemaking and hence is not with us any more. However, some 25 recent operating experience and perhaps a certain amount of
l O %s 1 prudence seem to indicate to the ACRS that a continuing i
2 attention should perhaps be given to the Scram system, and we 3 hope that this meeting will contribute to the defining of some 4 _ appropriate measure of concern.
5 In our consideration of the issue, I, at lea 2t, 6 consider it worth noting that we have not yet had a failure to 7 scram, at least in the U.S. We have certainly had some 8 precursors. We have had some situations in which only partial 9 rod insertion occurred but through good luck, good design, 10 providence or whatever, we have at least not yet had a 11 situation in which no rod insertion occurred when the system ON 12 was called upon to scram.
13 I say that not in an effort to defend or criticize, 14 but rather to point out that if we are collecting data, I 15 think at least we ought to identify the data being 16 considered.
17 Second, it appears that in this country we have a 18 significantly larger number of unneeded scrams. One might 19 conclude that this is not related to scram system 20 reliability. Indeed, maybe one might conclude that they are 21 too reliable since t!.e y scram both when scrams are called for 22 and when scrams are not.
tq 23 I don't think, however,- that this is the case. It 24 seems to me too many scrams is also a matter for some concern, 25 for a number of reasons. In the first place, a scram does
E
N -
5
~
1 challenge other systems which are normally not in operation 2 and whose need to operate and reliability are uncertain.
3 In the second place, too frequent scrams may be 4 giving us a message. Possibly, for example, we are testing 5 too frequently. We find that a good many of these may be 6 associated with either maintenance or testing while the plant 7 is in operation, and I don't think we have looked seriously at 8 the question of testing frequency in terms of the potential 9 for causing unneeded scram.
10 In the third place, it seems to me, at least, that 11 we may be asking too much of scram systems. It is not clear 12 to me exactly what reliability level, quantitative reliability 13 level we are expecting. However, we do toss around 14 occasionally the number of a failure rate something like 10 to 15 the minus 5 per demand as an appropriate reliability level for 16 the scram system.
I 17 If we take this number, just for the sake of 18 discussion, it seems to me, at least from what I can see, to 19 be a higher reliability than is called for by any other 20 operating system on the reactor, and I would say that I doubt 21 if we can demonstrate in any way that I know of that level of 22 reliability is being achieved.
23 So it may be a goal, but I don't think we have any (d) u 24 way of knowing whether we are achieving it; and if, indeed, it 25 is a necessary or desirable goal, it may be -- maybe not in
\
i
\_e 1 existing remotors, but at least in future designs -- some 2 thought should be given to looking at systems which are so 3 designed that they can ride out a failure to scram and that 4 the consequences are not very serious.
l 5 In the fourth place, we observe, I think, insofar as i 6 I can interpret it from the IDCOR report, that ATWS is 7 calculated to contribute about 23 percent of the core melt 8 frequency for BWRs, and when taken in conjunction with some
- 9 other things -- and I'm not quite sure how to sort these out 10 -- about 9 percent of the core melt frequency for PWRs.
11 Now, whether this is appropriate is not commented on
\ 12 in this report and I don't know whether we have any sort of a 13 criterion. I don't think we do, but at least in the 14 discussion of quantitative safety goals, there is an 15 indication that if those s'a f e t y goals in something like their 16 present form are adopted as operational criteria or 17 operational goals, that would one would uneasy if any 18 well-defined sequence contributed more than about ten percent 19 of the core melt frequency.
20 There are a lot of " ifs" here, but if the 23 percent 21 contribution, for example, in IDCOR, which is represented as a i2 result from a set of PRAs, if it really is 23 percent, one would at least use a safety goal as criterion and have some (O) 23 24 concern about it. If the 9 percent for PWRs -- and that 25 report would give one the impression that just an ATWS by
,R 7 v) 6 1 itself is not enough. One has to have a couple of other 2 things in conjunction. If it is only 9 percent, perhaps one 3 might not be so concerned about it.
4 But I don't think there exists any sort of position, 5 and I'm not sure we can develop one, but at least it seems to 6 me it is worth looking at these kinds of things. All of this 7 is to say that in spite of having an ATWS rule, which I assume 8 does not mandate zero failure for the components of the scram 9 system, or even for the system itself, we don't, so far as I 10 can tell, have any performance criteria yet.
11 As a result of this, of course, if we have a
\ 12 component failure or subsystem failure, we are not quite sure 13 what to do about it. Certainly it's clear that one 14 investigates it and tries to learn as much as one can from the 15 failure, and if necessary, one tries to correct things; but 16 ate failures observed as what one would expect of imperfect 17 systems or are we seeing a greater number of failures than one 18 would anticipate or that one can tolerate or a reasonable 19 number?
20 I don't think we know. Perhaps we can't know, but at 21 least it would be helpful to me if, in addition to a rule, 1 22 have some idea what the implications of a rule were in terms b)
( 23 of performance criteria.
24 In discussions within the ACRS, some of which were 25 stimulated by a number of recent cases of breaker malfunction,
U we decided to try to explore performance of scram system 1
2 subsystems and to begin, for no particular reason other than 3 we knew what it was with the performance of the scram 4 breakers, to see if we could get some idea what one should 5 expect their performance to be and whether the performances 6 being observed is in keeping with that expectation.
7 That is, I'm sure, enough of an introduction from 8 me. I would ask my colleagues if they want to add anything.
9 Mr. Ebersole.
10 MR. EBERSOLE: Only a few words, Bill. I notice in 11 the notes here it said I had made a few observations related 12 to the ALARA principle. I might comment on that. Let me also
(
13 comment on your observation that we haven't had a failure to 14 scram.
15 We haven't had a primary vessel failure, we haven't 16 had a secondary vessel failure, we haven't had a large LOCA, 17 we haven't had most of the things that we would rather not 18 have. I don't like the implications that we simply wait 19 around for these things to happen to take some action if we 20 see some action might be accomplished which will substantially 21 inorease their reliability against having those things.
22 I don't like the reaction aspect. I would rather act
) 23 in front of something than behind it. It sometimes b :. t h e r s me 24 -- and I will just use kind of a crude model -- I think I'm a 25 primitive, anyway. If I'm going to cross a chasm 1000 feet
9 1 deep and I throw a 1 by 12 across it, 'I probably could argue 2 if the length and thickness and quality control and the 3 character of the wood and 10,000 other things are adequate 4 enough and it has been provided with QA and so forth, it won't 5 bend and break and I'll get across.
6 Then if I look at it a little bit harder, I find I 7 can use a 2 by 12 and I don't have to do all those messy, 8 complicated things and I have substantially improved
.9 assurance, less argument, probably in the long run less cost 10 to get across the chasm. When I see t .s e breaker systems, here 11 in the case of the BWR, being driven by nothing but float O 12 switches, in the case of the Westinghouse machine being driven 13 by these breakers with pivots and gresse and pins and springs 14 and the usual characteristics of a Goldberg or arat trap, I 15 get nervous and say there must be a better way, and how did we 16 get there and what can we do? O 17 I think I will stop at that point.
18 MR. KERR: Thank you, Mr. Chersole.
19 Mr. Ward.
20 MR. WARD: Nothing.
21 MR. KERR: Mr. Wylie?
22 MR. WYLIE: No.
23 MR. KERR: Mr. Davis, Oa 24 MR. DAVIS: No.
25 MR. KERR: Mr. Lipipakt.
n O_-
s MP. . LIPINSKI: I would like to support what 1
2 Mr. Ebersole has said. Right now we are focusing oJr 3 attention on a device that has very low reliability and seeing 4 if there is any way that we can guarantee its reliability in 5 getting to an acceptable level. The other way is to take 6 another viewpoint.
7 In general, mechanical systems are less reliable 8 than electrical systems. The total power for these rod 1 9 devices have been fed through these breakers such that the 10 power block is large, as opposed to having distributed them 11 individually to the individual drives. If these were 12 electronically interrupted through SCRs or other devices, then 13 the reliability would increase, plus the fact that they would 14 be distributed would give you many more devices, and this 15 i f would contribute to reliability.
16 But right now our attention is focused on a device 17 with poor reliability and trying to see whether there is some 18 fix that al!ows it to remain in the system and protect the 19 reactor.
20 MR. KERR: Without necessarily arguing with that 21 thesis, suppose we adopted it. What sort of reliability would 22 we want of the device that we use to replace it? Do we have 23 criteria in mind, do you think, that would say if you could v
24 achieve this, this is an acceptable reliaallitv? When I say 25 "we," I mean the community of regulatory ac:ivities.
11 f
(
1 MR. LIPINSKI We are back to the old discussion of 2 ATWS and numerical reliability goals we had set out early when 3 we tried to discuss whether systems were goed enough, and 4 effectively we would go back to those same numbers and apply 5 them to the particular systems.
6 MR. KERR: But when you say we know that the 7 breakers are unreliable, there is an implication there that 8 they are not reliable enough, I assume.
9 Now, what would be reliable enough, not necessarily 10 ir quantitative terms but in whatever terms? How could wo 11 tell a designer, o t ).o r than saying to use Component XYZ, what
,0
-- 12 would be an acceptable reliability, either qualitatively or 13 quantitatively?
14 MR, LIPINSKI. If you look at the number 3 x 10 to 15 the minus 3 for two breskers in series, and independent of how 16 many channels are up in front, the system reliability 17 generates to the reliability of these two breakers 18 functioning simultaneously. You end up with the number 9 x 10 19 to the minus 6, to tne order of 10 to the minus 5, 20 If we collectively agree that that number is 21 acceptable, then indeed the system as designed provides 22 aooeptable level of reliability.
) 23 If you want to move that number another decimal 24 place or two, they are not.
25 MR. KERR: What I am asking is do we have, do you
12 b,/~S 1 think, a number or something else at this point that we could 2 give to a designer and say if your system meets this criteria, 3 it's okay? I don't think we do at present, i l
4 MR. LIPINSKI: We had a number of 10 to the minus 7 !
5 with ten challenges per year, and that is where we started 6 out, saying we would like to see the ATWS --
7 MR. KERR: You can't possibly demonstrate that that 8 number is being met.
9 MR. LIPINSKI* You can on the basis of the fact that 10 if we say 10 to the minus 7 and we get it down to two devices 11 that determine that number --
12 MR. KERR: No, I'm stating what is it that we want 13 that can be demonstrated independently of systems? What sort f 14 of performance criterion is an appropriate one to use for
.\
15 future designs?
16 MR. EBERSOLE: Are you talking about in a numerical 17 context?
18 MR. KERR: No. I'm talking about any sort of context 19 which can be understandable to a designer. ,,
20 MR. EBERSOLE: Don't we want one which has a minimum 21 number of elements in series logic to get the function 22 performed? And this includes pivots, springs, grease.
23 administrative controls, you know, the usual things you have 24 to analyse.
25 MR. LIPINSKI: My general comment is, I just
1 l
13
(
i finished designs for the Idaho reactor. You don't send 2 everything through a single device in series and then 3 duplicate it to get reliability. If you want to release rods 4 --
l 5 MR. KERR: You are telling me how to design 6 something to meet a criteria, but you haven't given me the l 7 criteria.
i 8 MR. LIPINSKI: The other criteria is to specify 9 multiple devices beyond two that have very low reliability.
10 MR. KERR: Okay. We now have something called the 11 single failure criteria. Are you saying we ought to have a
\- 12 double failure criteria?
13 MR. LIPINSKI: That's right. The single failure 14 criteria is insufficient. Where you see this is on diesels.
15 Two lousy diesels still give you a lousy electrical system.
16 MR. KERR: Don't tell me what is no good; tell me 17 what we can substitute for it. I'm not trying to be critical, 18 but --
19 MR. LIPINSKI: The single failure criterion in its 20 day was satisfactory until we found out that having two bad 21 devices still didn't give you a level of reliability that you 22 would like to see. I will use diesels as a good example.
( ,, 23 You would have to go to multiplicities that are even higher 24 than a simple single failure.
25 MR. KERR: But where does one have to go?
l 14 1 MR. LIPINSKI: That depends on the device itself.
2 If you start looking at diesels and saying the probability is 3 only once in 100 and you want a number like once in 1 million, 4 then you are talking about going to three diesels. It's that 5 type of argument. I can only quantify --
6 MR. KERE: I know a lot of ways criteria cannot be 7 met or that one cannot specify. What I am suggesting is we 8 might be helpful to the community if we can arrive at some 9 sort of criterion that would be acceptable, and I don't see it 10 sitting out there at this point.
11 MR. LIPINSKI: Let me make a further comment. One,
\/ 12 if you are designing systems from scratch, new systems, you 13 can identify a reliability goal and you can apportion 14 reliability throughout the system and see whether the goal has 15 been met. Now you are asking a second question, how do wo 16 demonstrate it after the system is built, statistically. That 17 is another question.
l 18 MR. KERR: I'm asking you how you demonstrate it 19 anyway, statistically or otherwise.
20 MR. LIPINSKI: Anyway, when you are designing a 21 system, you can apportion reliability to the various 22 components in the system, and you look at the overall 23 performance of a system through reliability apportionment.
24 MR. KERR: But you don't have to demonstrate it; you 25 can just design it in.
_ _ ~ .
l 1
O 1 MR. LIPINSKI; Correct; but the data that you get to i
2 use in your analysis to verify that your design has not your 3 goal is an important part of that exercise because you have to 4 have a data table that is applicable for the components that 5 are used in your design. And if you are using multiplicity of 6 components, in general you are not looking at numbers that are 7 extreme for a single component. So therefore, you get into 8 designs that are redundant, two, three, four components 9 performing the same function and guaranteeing that the 10 cot . ions will get you the desired reliability.
11 Now, that is where the designer starts with his view t
ss 12 of the problem. Having put that system together and putting 13 it into operation, my concern then is the maintenance because 14 as the designer, you can look at that system and say, yes, it 15 will perform as specified; but if maintenance is not performed 16 and those components are not maintained at their individual 17 levels, that system will not give you the statistical --
18 MR. KERR: If you were a designer and designed a a 19 system that didn't work, you would say: Aha, the maintenance 20 broke down.
21 MR. LIPINSKI: No , let me qualify that. Day one 22 when that system goes into operation, it will have the lO j 23 reliability specified, but if somebody is not performing 24 proper maintenance and the reliability of individual 25 components is degrading with time, you will not have the
16 p
U system reliability that you thought you started with. So that 1
2 is a key ingredient.
3 MR. KERR: Would you say a part of the design (r's 4 responsibility is to take into account the effect of 5 maintenance on system performance?
6 MR. LIPINSKI: Yes. That comes about by selecting a 7 mechanical breaker that relies on lubricant, cams that can get 8 uneven and grab and stick, and that is part of his selection 9 process in picking a component that can operate reliably with 10 minimum maintenance as a function of time.
11 MR. KERR: Mr. Ward, this is not just going to be a
\~/ 12 " love-in" of the subcommittee.
13 MR. WARD: Walter, I understand your argument about 14 individual components and their real world reliabilities that 15 can be predicted and measu' red, but if you combine them in a 2 16 system, then, how do you assure yourself that they have a 17 common cause failure that makes the system reliability much 18 lower?
19 MR. LIPINSKI- .
Let me address that question because 20 I just went through that very painfully.
21 We designed a system that was supposed to have a 22 probability of failure to scram of 10 to the minus 7 per 23 experiment. This is on the TREAT teactor in Idaho.
(
24 The question is how do you guarantee that number in 25 view of the fact that you have ocmmon mode failures? We
l 1
I
. 17
( 1 effectively set a reliability goal that was about 10,000 times l
2 higher than we needed, just calculating independent failures i
3 without saying that common mode failures were present.
4 We then enumerated every conceivable common mode 5 failure we could think of, voltage, by undervoltage, 6 transients, temperature, and if you look at that system as a 7 design and say, what about this, you will find it on the 8 list. We exhaustively studied what common mode failures could j 9 conseivably affect the system.
10 The one guy is the maintenance man. To assign a l
11 number to him is very difficult. But when we are all through, 12 we can take our independent failure mode, degrade it by a 3
13 factor of 10,000, and say this is the reliability of the 14 system accounting for a degradation for common mode. And it 15 is that type of logic that you have to follow because there is 16 no absolute way to say that we will accommodate maintenance 4
17 failures that are going to cause common mode total failure of 18 that system.
19 If you postulate a common mode failure, it's in the 20 design of everything that can be put on the table and 21 identified as of today.
22 MR. WARD: Okay. That seems like a reasonable i
i
< > 23 approach. It's not entirely satisfying. I guess it comes back 1
4- 24 to you are still going to be haunted by the problem that what 25 you are concerned about is the system performance. If you are
d f
18
~
1 demanding extremely low failure rates of that, you will never 2 get any real world experience to confirm those failure sates.
3 MR. LIPINSKI- Let me qualify that. When I applied 4 the factor of 10 to the 4th there, by being realistic and 5 looking at our actual challenge rates, we ended up with a 6 demand number of 10 to the minus 3, which is a number that we 7 can statistically verify through operational experience.
8 The 10 to the minus 7 was an extreme number where 9 all of the assumptions that were fed in were the high side 10 values, but then if we became realistic and we fed in 11 realistic values, then that number became 10 to the minus 3.
\
12 That's not where the spread comes in with that factor of 10 to 13 the 4 from a realistic standpoint as we operate or collect 14 data and verify whether we are achieving our 10 to the minus 15 3, which can be statistically verified.
16 MR. KERR: Mr. Ebersole.
17 MR. EBERSOLE: There is sort of a pervasive quality 18 about the things like this that we are doing that I think goes 19 something like this. We always discuss what we have already 20 done, what we have obligated ourselves to defend, at least the 21 Staff, the vendor, the AE and the utility. We generate these 22 voluminous arguments about the characteristics of what we have
) 23 done.
24 I have failed to find in the original assembly of 25 the configuration all these arguments preceding the design
(v 1 process. We seem to be always doing the semi-legal thing of 2 defending what we have already done, which was done without 3 the same consideration. In short, there is a defensive 4 quality about everything we do like this. I think we ought to 5 get rid of that and try to adhere to what I guess I would 6 call a qualified consensus and, I hope, unbiased attempt to do
(
7 the best we can do with due consideration to costs and without 8 the numbers game.
9 MR. KERR: Jess, I don't know what it means if one 10 gives the designer the task of saying do the best you can do.
11 How does the designer interpret that? Is that the way you
- 12 would give instructions?
13 MR. EBERSOLE: I would see what that meant to him.
14 MR. KERR: If he does the best he can do, he has met 15 your criteria.
16 MR. EBERSOLE: I guess I would backcheck in a review 17 to see what happened.
18 MR. KERR: But this is a problem we face. How do we 19 tell people what sort of performance we want? Forget about 20 past experience and past mistakes; what can we do in the 21 future to specify the sort of performance --
! 22 MR. EBERSOLE: I would say you would have to draw 23 into a qualified consensus agreement that this is the best in 24 the present technology.
25 MR. KERR: I don't know what that means. Maybe good l
, l l
20
, O v
i designers do. I'm certainly not one.
2 MR. EBERSOLE It would not mean to me the use of --
3 MR. KERR: I can tell you a lot of things it 4 wouldn't mean. What I want to find out is how do we tell 5 people what we want in a way which can be interpreted by a 4.
6 designer?
7 MR. EBERSOLE: I was thinking about the landing gear 8 on a 747 as a case.
9 MR. KERR: Let's forget about all the things that 10 should not be done. What we want is what should be.
11 MR. EBERSOLE: You can't be proscriptive like that.
( 12 MR. LIPINSKI; We are faced with two problems. One, 13 we are looking at a system after the fact in our discussion.
14 MR. KERR: We don't have to be Inoking at systems 15 after the fact. We can learn from them, but let's learn from 16 them and then say in the best of all worlds, which is where 17 nuclear reactors operate, this is what we would like to see.
18 MR. LIPINSKI; The other aspect of it is cost 19 because if you say the best achievable --
20 MR. KERR: I didn't say the best achievable.
21 MR. LIPINSKI: I'm using that term that came up 22 earlier. If we are going to say best achievable, then best achievable has the highest cost going along with it.
( 23 24 MR. KERR: Not necessarily.
25 MR. LIPINSKI. The question, then, is where do you
21 a draw the line in terms of how good you want it to be versus 1
2 the cost?
3 MR. KERR: This is the kind of decision that people 4 in this business have to make. It's not easy. If it were 5 easy, it would have been solved a long time ago, I think.
6 MR. LIPINSKI: Let me comment about these 7 Westinghouse breakers. If we go back to ATWS --
8 MR. KERR: We are going to get to breakers later 9 on. What I want to see is if we have some way of specifying a 10 performance of a system which would be better than the one we 11 now have. We are going to talk about breakers later on in O 12 detail.
13 MR. LIPINSKI: The only other way is if you give a 14 designer a goal and he sets out to achieve that goal using 15 distribution of the reliab'ility against the various components 16 to see whether the system meets that goal 17 MR. KERR: So you would set up quantitative 18 reliability criteria?
19 MR. LIPINSKI Correct, and then let the designer 20 see whether he is achieving that goal. Now, you don't specify 21 how he has got to distribute it because that depends on the 22 components that he uses, how many components does he have to 23 use, what kind of testing is he going to require.
24 MR. KERR: Of course, all these things have to enter 25 it.
22 Q'v' 4
1 Are there other comments?
2 [No response.3 3 This brings us to what I hope will be some 4 insightful remarks, helpful comments from the NRC Staff. My 5 agenda has Mr. Hernan as Ivading things off.
6 MR. HERNAN: By default, I guess. I am Ron Hernan 7 of the NRR Staff. We had a little bit of difficulty 8 approaching who the right people would be to come to this 9 meeting to address the concerns of the subcommittee. We 10 understand it is kind of a kick-off meeting for the i
11 subcommittee.
12 Unfortunately, two of the people we vould normally 13 have brought are unavailable because of investigation of the 14 Davis-Besse event, those people being J.T. Beard and Tom 15 Dunning, but we think we can converse with you this actning on 16 some of the actions that are ongoing by both the NRR Staff and 17 the AEOD Staff.
18 We do have Fred Hebdon and one of his people from 19 AEOD, who can answer questions on what the Staff did about two 20 years ago in terms of accumulating data on scram breaker 21 reliability.
22 As you will note on your agenda, we have Frank 23 Rowsome, who should be here shortly, who will be able to give 24 his views on what he thinks may be appropriate in terms of 25 defining scram breaker and scram system reliability.
_ , _ . . _ _ _ . - _ , ~ - _ .
_ __-__. _. _ _ - _ _ _ . , _ . _ _ . . _ _ , _ . ~ _ _ _ _ . _ _ _ . . _ __ . . _ . .
g 23 d
1 I guess for openers I would like to guide your 2 attention to what we did in r e s p or.s e to the Salem ATWS event, 3 and the culmination of our investigation and action after that 4 event was in the form of Generic Letter 83-28, which was b* issued almost two years ago, on July 8, 1983.
6 That letter followed a Staff NUREG, NUREG 1000, e
7 which was entitled, " Generic Implications of ATWS Events at 8 the Salem Nuclear Power Plant." It also relied somewhat on 9 the data collection that was performed by AEOD.
10 Our actions or the actions we prescribed in that 11 generic letter deal with a large number of subjects requiring n'
'- 12 post-trip reviews following an unanticipated reactor trip to 13 be performed before startup commenced in order that the 14 utility understood the reason for the trip.
l 15 It involved establishing or at least revisiting the 16 listing of safety-related equipment at each plant in order 17 that both the utility and the NRC could assure that all I
18 components required to safely shut the plant down, if 19 required, were, in fact, on the safety-related equipment list 20 and had the proper credentials, maintenance and so forth.
21 The actions specified by the generic letter also got 22 into interfaces with the vendors of the various pieces of f
( 23 equipment, and we are talking largely of breakers but it 24 includes the other equipment in the reactor trip systems, 25 requiring that all utilities, by some date which was agreed
24 1 upon or negotiated between the utilities and the NRC, install 2 any outstanding modifications, for example, on scram breakers 3 that had been recommended by the vendors.
4 The generio letter also -- .
5 MR. KERR: Let me see. You say you require that all 6 utilities give you a date by which they were going to install 7 any modification that had been recommended by the vendors?
! 8 MR. HERNAN: That's correct.
9 MR. KERR: Did the Staff review those modifications 10 to conclude that they were likely to enhance reliability, or 11 was it just a matter of assuming the vendors understood their O
V 12 equipment.
13 MR. HERNAN: I'm reluotant to answer that question 14 myself. Faust Rosa was involved, and I think he can talk to 15 that question.
16 MR. ROSA: The answer is yes, we have reviewed 17 that, with particular emphasis on the implementation of the 13 automatic shunt trip. That is essentially complete on almost 19 all Westinghouse plants and other plants also.
20 As far as the implementation of the specific 21 modifications to the maintenance procedures and so forth 22 recommended by Westinghouse for the breakers themselves, we 23 didn't participate too much in that. That was done directly by 24 the utilities and Westinghouse, and I think they can verify 25 that.
25 1 MR. KERR: Thank you.
2 MR. HERNAN: So I hope that somewhat characterizes 3 or reviews for you the intent of the Staff in the generic 4 letter.
5 There was a question raised by Commissioner 6 Asselstine some months ago on where this whole effort stands.
7 Mr. Dircks' answer to Commissioner Asselstine was dated April 8 22, 1985, and I would like to summarise that for you. In 9 fact, I will read from the letter.
10 "Regarding full compliance with Generic Letter 11 83-28, the Staff has completed their review of most of the 12 responses from operating reactors to provide automatic 13 actuation of the breaker shunt trip attachment, and about half 14 of the applicable operating reactors have already installed 15 the shunt trip. The other half are expected to complete 16 installation at their next refueling outage, which in all 17 cases is before December 1986.
18 Regarding full compliance with the remaining high 19 priority items as defined in the Generic Letter, the Staff is 20 currently proposing to complete its review during the first 21 quarter of fiscal year 1986. Review completion of the other 22 items is currently scheduled for the first quarter of fiscal 23 year 1987, and final implementation of all the generic letter 24 items should therefore have been complete by December 31st, 25 1986.
1 I believe this to be the main --
2 MR. WARD: Excuse me. There was something that was 4
3 to be completed by the first quarter of 19877 4 MR. HERNAN: That's our review of other than the 5 high priority items in the letter. This Generio Letter I 6 believe to represent the major thrust of what the NRR Staff, 7 at least, is doing at this point in time in terms of improving 8 scram breaker and scram system reliability.
9 In addition to that, and partly as a result of an 10 event earlier this year at the Sequoyah plant, the Staff has 11 initiated a revisitation of whether something should be done
( 12 to improve the reliability of the Westinghouse solid state 13 circuitry that drives the undervoltage trip, specifically.
14 This effort was initiated by a member of the Staff
~
15 on its own volition. It has received support from Mr. Denton 16 and has subsequently been formalized into a proposal rather 17 than being totally prescriptive on what should be done, a 18 suggestion in general terms of what could be done, such as 19 addition of relays or other solid state devices to provide 20 diversity in the circuitry.
21 Our people that deal with generic issue d
22 prioritization are in the process of reviewing this proposal.
23 It was submitted to them in April of this year. We are having i 24 PNL take an independent look at the calculations that were 25 made involving risk and consequence, and we expect tc nave the
27 ,
I
( 1 input back from them by April 1st, and we expect to have this 2 item prioritized as a generic safety issue by September 1st of 3 this year.
4 What the specific recommendations will be or what 5 the ultimate priority comes out, I cannot comment on at this 6 point, but I do believe the Staff has been responsive to this 7 issue and that we are proceeding with looking at this 8 recommendation on a rather short time scale.
9 MR. WARD: What is the generio issue? What is the 10 title of the generio issue?
11 MR. HERNAN: It's Generic Issue No. 115, and it's O 12 entitled, " Reliability of Westinghouse Solid State Protection 13 System."
14 MR. KERR: Now, if I interpret Mr. Lipinski's 15 comments correctly, he would say the solid state system is 16 very reliable; it's the maintenance that broke down.
17 MR. HERNAN: I guess my response --
18 MR. KERR: I'm not defending or criticizing 19 Mr. Lipinski's comment. I'm trying to interpret it. But go 20 ahead. Your answer would be?
21 MR. HERNAN: I think my response to that concern 22 would be if the recommendations or the requirements of Generio 23 Letter 83-28 are properly implemented, there are provisions 24 for ensuring that you do the post-maintenance testing and 25 maintenance itself better than has been done in the past.
1 9
l l
(~N 28 k,
s 1 MR. LIPINSKI: On the issue of the solid state 1 2 equipment, going back earlier to ATWS when all the initial 3 analysis was done, Westinghouse had done their analysis. The 4 solid state part was-very reliable, but the numbers that 5 controlled the system were the two breakers.
6 And now you are saying you world like to improve the 7 solid state system, and as to its current reliability versus 8 your improvements, you will make it still more reliable, but 9 the breakers themselves are going to control the overall 10 system reliability.
11 I would like to see the analysis that allows you to 12 draw your conclusions that it is necessary.
13 MR. HERNAN: I guess we are looking more at the 14 actual events that have happened. There have been four 15 specific failures of the solid state circuitry that have been 16 caused by improper maintenance practices. Fortunately, most 17 of those were picked up by post-maintenance testing. The most 18 recent one, in sequoyah was not. Did not result in an ATWS 19 per se but resulted in one train failing to trip when it 20 should have.
21 MR. LIPINSKI; so your improvements effectively 22 would take care of maintenance errors and not being able to 23 degrade a system, which is my concern, the fact that initially 24 they showed it was a highly reliable system, and now you are 25 saying through maintenance you are verifying that its
(aD 1 reliability is not as initially calculated.
2 MR. KERR: What is verified is maybe it has been 3 tested too frequently. If the system hadn't been tested, it 4 wouldn't have degraded.
5 MR. LIPINSKI: No, no. Solid state testing does not 6 degrade the equipment.
7 MR. KERR: Here is an outstanding example of the 8 fact that testing did degrade the solid state system.
9 MR. WARD: The requirement for testing gives you the 10 opportunity for improper testing.
11 MR. LIPINSKI- If the test is designed properly --
12 okay? And this is one of the key problems --
13 MR. KERR: In the best of all worlds, you are 14 saying.
15 MR. LIFINSK!: Okay. This is another issue we have 16 not discussed. How do we verify that systems are performing 17 over time? The way you verify that is through testing, and as 18 critical as it is to pick up the initial components for the 19 reliability apportionment, you must design a test that 20 verifies the performance of the system. This test as designed 21 itself cannot degrade the system because you are testing. It i
- 22 is all part of the designer's --
q 23 MR. KERR: Don't you consider this a slightly .
1 4
24 otroular argument? You are saying we are going to design a 25 test that doesn't degrade the system, and when we have done l
O 30 V 1 that, we will know it doesn't degrade the system.
2 MR. LIPINSKI That is correct.
3 MR. KERR: That's a wonderful statement, but what 4 does it mean? .
5 MR. LIPINSKI: As a designer, I can give you 6 specific examples showing how you properly design the test, 7 verify the system is performing, and when you walk away from 8 that system, you know it's performing and your twat has not 9 degraded the system.
10 MR. KERR: That's what I thought.
11 Where were we? Mr. Ebersolof O
\%- 12 ME. IBERSOLE: I think, Walt, your concept is 13 predicated on the no, tion that there is a graduality in 14 degradation, yet there are some systems which you test and 15 test and test and all at once they fall off the preciptoe on 16 the first test that doesn't work. There was no graduality in 17 the indication that it was proceeding to failurei right?
18 MR. LIPINSXI. In general that shouldn't be.
19 MR. EDERSOLE: But there are devloes and systems 20 that don't reveal that they are on the verge of fa!!ure.
21 MR. LIP!N8XI: Then it's not a properly-designed 22 test because generally if the systems are redundant, they will g 23 fall in random, and that's what the test uncovers, random 24 component failures.
25 MR. EBERSOLE: A question I was going to ask of the
/~N 31 U 1 Staff. We pay a great deal of attention to the qualification 2 of wt1ders --
3 MR. KERR: Are we going to weld these breakers shut?
4 [ Laughter) 5 MR. EBERSOLE: No, I'm asking now where is the paper 6 record of the capability of the people who do the maintenance?
7 MR. KERR: Mr. Ebersole, please, let's not get into 8 welding today.
9 MR. EBERSOLE: No, no, Bill, you don't understand, 10 MR. KERR: I sure don't.
11 MR. EBERSOLE: I'm saying I have not yet heard of a 12 validation of the capabilities of the maintenance people. A 13 paper record of his competence to do these tests.
14 MR. KERR: Mr. Ebersole, this is maintenance. It's 15 important, but not in the subcommittee.
16 MR. EBERSOLE: Suppose that 1 invoke the thesis that 17 the people who do the tests are not qualiiked to do them?
16 MR. KERR: Let's talk about that 19 MR. EBERSOLE: That's what I'm talking about 20 MR. KERE: Let's not talk about welders.
21 MR. EBERSOLE: It's the same thing. Where is the 22 record analogous to the welder's record that says these people
) 23 are, in fact, qualified to do these tests, that they know all 24 about the facilities in testing these breakerst Do you have 25 such paper recordat
- -__ - . -. ~__ - _ _ _ . - ._
t 32 n
( l 1 MR. HERNAN: 1 think you are probably aware that the 2 Staff has no such initiative. We are concerned about the 3 quality of these people, of maintenance people, but we 4 consider this good management by the utilities.
5 MR. EBERSOLE: You leave this to the utility to say 6 Joe Blow or whoever tests these breakers knows how they workt 7 MR. HERNAN: I cannot specifically speak to the fact 8 of whether there is an inspection module required by the 9 resident inspector to look at this type of thing. I would 10 certainly hope there is. But the resident -- I would expect 11 to follow that very closely in the field, particularly a plant
("'\
(_,/ 12 that has had a historical problem.
13 MR. EEERSOLE: So at the moment, you don't look at 14 the qualifications of people who maintain these things?
15 MR. ROSA. This*is true. We don't look at the 16 qualifications of the maintenance --
17 MR. KERR: That's enough. You have answered the 18 question.
19 MR. HERNAN: Dr. Kerr. I'm not sure what you wanted 20 to take up next. We Jo have one Staff member that, if you 21 would permit, we would Itke to have his presentation next, and l 22 that was to review the Rancho Seco breaker problem.
l 23 MR KERR: I don't mind if a Staff member would !!ke j k l 24 to get away from this and get some work done, but 1 do want to 25 discuss a bit further the Generio Letter that you referred
33 fg b 1 to. So it's up to you. There is no particular sequence that 2 I have in mind.
3 MR. HERNAN: Perhaps it would make sense to finish 4 our discussion of the Generlo Letter.
5 MR. XERR: Okay. I think what I have is an extract 6 from the Generlo Letter, and there is a section called 7 " Reactor Trip System Reliability EPreventive Maintenance and 8 Surveillance Program for Reactor Trip Breakers, 4.2.3 Does 9 that sound vaguely familiar?
10 MR. HERNAN: Yes, it does. It is, in fact, Section 11 4.2.
12 MR. XERR: Now, licensees are required to desortbe 13 their preventive maintenance and surveillance program and to 14 have a planned program or periodio maintenance, and to trend 15 parameters. And I assume they record these things and 16 somebody looks at them. Then number 3 says that there shall 17 be info testing of the breakers, including the trip 18 attachments on an acceptable sample sise.
19 What is it that is being tested for, and what is an 20 acceptable -- what is the test supposed to tell the teatert 21 MR. ROSA: That particular item has been assigned to 22 the Equipment Qualiftoation Branch, and there is no 23 representative here.
24 MR. KERR: Somebody must have written it. They must 25 have had something in mind.
34 O
1 MR. ROSA: I would expect that the life testing i 2 would arrive at a number that describes the reliability of the 3 breakers.
4 MR. KERE: Well, life testing, to me -- so it's 1
5 really a reliability test, isn't it, rather than a life test' 6 I'm thinking on a very simplistio basis of the old bathtub i
I 7 ourve. A life test, to me, takes you out to the end of thia P
S ourve where the thing begins to wear out, whereas a I ?
9 reliability test gives one some idea of the expected failure 10 rate on the flat part of the curve.
11 MR. ROSA: I would expect that to be the case. They 12 are interested in both the reliability and the life of the l
13 breaker, I think both items of information are important.
14 MR. KERR: So it is meant to have -- does this mean 15 that each utility will do a life test or that somebody will do 16 a life test? What is the implication of thist 17 MR. ROSA I would expect that the utilities it would take the initiative to have their vendors do a life 19 test on prototype breakers.
20 MR. KERR: Is one simply trying to find out how 21 breakers work, or is there some soceptable performance and t
- 22 unsoceptable performance that one is looking fort l
() 23 MR. ROSA: I believe that we know how breakers j 24 work. The industry does, as well as the Staff.
25 MR. KRRR. I'm not sure that's the case, but I'll
\% ,/ .
i accept that as a basis for argument.
2 MR. ROSA: I think what we are interested in 3 is comparing these reliability numbers that are developed in 4 the course of these tests with those that we have assumed in .
5 our analyses.
4 MR. MFAR: And those that you assumed in your 7 analyses were .t o t based on tests?
8 MR. ROSA: They were based on industry experience 9 and so forth that was available prior to the problems --
10 MR. KERR: As far as you know, the industry has 11 never really run the kind of tests that you are asking them to 12 run here.
4 13 MR. ROSA: I believe they have. I don't know 14 that they have been documented to the extent that would be I iS necessary, really, to confirm --
16 MR. KERR: I guess I'm a little pussied that you 17 would require something without knowing whether it has been to done or not, but maybe you are not responsible for having 19 written this.
20 MR. ROSA: That's true.
21 MR. XERh At this point I'm not trying to be 22 orittsali l'm just trying to understand what the Staff had in 23 mind, what sort of data you wanted to get and what you would
%J 34 do with it when you got it.
25 MR. ROGA: As I said just a little while ago,
i l
r"N 36 I
1 1 think what was desired was the development of reliability 2 numbers and a design life for these breakers so as to compare t
3 these numbers with our assumptions.
4 MR. KERR: What number does the Staff find ,
S acceptable? You do the test. Is there some golno go range of 6 numbers that you are looking fort 7 MR. ROSA: I'm not in a position to address that.
4 Perhaps Mr. Rowsome here can do that.
[ 9 MR. KERE: I bet Mr. Rowsome didn't write this, but 10 maybe I'm wrong. Did you? Were you consulted when it was 11 writtent 12 MR. ROW 80ME: No.
13 MR. ROSA: I can tell you who wrote it. It was 14 written by a task force headed by Dr. Mattson, and he is .
15 no longer with the Commission, 16 MR. KERR: So in order to understand it, I will t
17 probably have to get in touch with Mr. Mattson.
18 MR. RO8A: I don't believe he could go any further i
19 than I have in answering your questions.
l 20 MR. HERNAN: Dr. Kerr. let me pursue that and try
( 21 and get an answer for you by the Commteston that is meeting 22 today4 23 MR. KERR: Okay.
l fx.)\ ,
24 MR. LITTLE: Jim Little, from Westinghouse. I guess i 25 I feel sorry for Faust Rosa getting grilled.
37 (s/ MR. KERR; I was not grilling Mr. Faust Rosa, 1
2 MR. LITTLE: Well, quissed. The answer to the 3 question is, yes, there are life oyole tests performed for the 4 breakers. The vendors did them in response to Generio Letter S 83-28. Yes, we do, and the plants attempt to get some 6 indioation of reliability in the life oyote tests. We get some l
7 indtoation what the 11te would be.
8 l'm going to cover that pretty much in detait about !
9 what we did in response to this event, speoittoally about life 10 cycle testing, about rettability estimates, about operating 11 plant data, so it will take some of the pressure off my C
\_ 12 regulatory brother over here.
13 MR. KERR: I don't want to put pressure on them at 14 all. They were the ones who asked that this be done, !
15 guess. Or maybe they went to you and said: tell us what we 16 should ask you to do and we will ask you.
17 CLaughter.1 it MR. LITTLE: I'm sure Roger Mattson didn't ask us --
19 MR. KERN: I don't think so, too. It to also hard 20 for me to believe that only Roger Mattson understood why this 21 was being required.
22 MR. LITTLE: That's probably true. But I will oover
() 23 24 that in detail.
MR. KERR1 rine.
25 Now, Mr. raust Rosa, I want you to sit down. 1*m L
l l
l 38
.A l
',Y 1 not going to shine a bright light on you when I ask these l
2 questions, but there is a fourth one that says periodio 3 replacement of breakers or components consistent with 4 demonstrated life oyotes. What does that mean?
I $ MR. ROSA: Well, you referred to the bathtub 6 curve a little while ago. I would expand what that means.
7 Once we establish the bathtub curves, breakers would be 8 replaced well before the upturn of the curve.
9 MR. MERR: You are telling me, then, that this is i 10 written but you don't know what you are going to require them I
l 11 to do? You are just going to require them to do something.
12 MR. ROSA: We would expect them to base what j 13 we would require them to do on the results of these life oyote i
14 tests.
15 MR, XERR: Let's suppose that they determine that 16 the life, whatever that means, is ten years. Are you going to l
l 17 have them replaced overy ten years or every five years? I'm l
le trying to understand the approach that to going to be taken, 19 what one is going to do with these data, i
20 MH. ROSA: I don't k riow that there will be a 21 spoolfle requirement in terms of years. I guess what we have 22 to rely on is the fast that the ultittles are ultimately
()
v 23 24 responsible for safety, and they would of themselves look at this data and implement a replacement program.
25 Mt. MERRt Anything they do is okay with you, thent
39
(']
Q 1 MR. ROSA:
Not anything.
2 MR. MERR; Well, I'm trying to find out what it is 3 that is acceptable and what is not, and at this stage I guess 4 you haven't decided. Is that a fair statement?
5 MR. HERNAN: Dr. Kerr, I think that's probably a 6 fair statement. If you look at the description of the 7 type of the review on that page of the Generie Letter, it says 4 that the Staff will perform a pre-implementation review for 9 those two items, and that after this review is done, a safety to evaluation will be issued.
11 MR. KERR: You mean you are going to do a separate
\- 12 one for each plante there won't be a uniform decision on this 13 replacementt 14 MR. HERNAN: I think that would depend on whether 15 the effort was an Owners Group effort, vendor's effort, or 16 individual effort by each plant. I think we are trying to not 17 be prosortptive and allow the industry many different options.
14 MR. MERR: I'm not being orttical of what is said 19 here; I'm just trying to understand it and understand what the 20 operational signifloanoe is. Now, my impression is there 21 aren't very many different breaker types used in reactors, 22 maybe three or four, or are there fifty 9
() 23 MR. HERNAN:
MM, KERR:
There is a relatively small number.
Now, does this imply, then, that 24 Okay.
25 one will run life oyote tests on those three or four, some
O 40 O i representative sample, and then, based on those life and 2 reliability tests, the Staff will conclude that they do or do 3 not find that acceptable? Or is it just that you want to know 4 what it is? I'm fishing. .
5 MR. HERNAN: As far as I know, our intent is the 6 former, that once we see the information, we will decide what 7 we consider acceptable and what we do not. We will try to get 8 you more information on that, also.
9 MR. KERR: Okay.
10 Did you feel grilledt 11 MR. ROSA: No, I didn't feel grilled, no more than 12 usual. But I would like to address that last point you made.
13 As a general rule, we have described a program that 14 is intended to improve reliability, and this is one of those 15 programs. And as a reviewer, as a review organisation here, 16 if an owners group and an individual Licensee commits to 17 implementing that program, we expect that he will be able to 18 use the results of what he finds out in these tests to 19 maintain the reliability of his system, and we don't normally 20 go beyond that point.
21 MR. KERR; Well, you tell me that you want to 22 improve the reliability, and that means either you know what
,) 23 it is, and you want it to be better, or that you don't know 24 what it is, but you have sort ut a gut feeling that it ought 25 to be better. And ii you don't know what it is, then it would
41
/)
V be difficult, I would guess, for the same reasons, to know how 1
2 much of an improvement has been effected, or even if an 3 improvement has been effected.
4 How will you tell that things have been improved.
5 MR. ROSA: Well, there are various numbers that have 6 been developed.
7 MR. KERR: You mean you're going to use numerical 8 oriteria to determine if there's been improvement?
9 MR. ROSA: As a guide to whether an improvement has 10 been made There are uncertainties in the numbers that are 11 used now,
\
12 MR. KERR: Of course.
13 MR. ROSA: And there will be uncertainties in the l 14 numbers that are being developed as a result of these tests, l
15 taking all these into consideration.
l l
16 MR. KERR: How much of an improvement are you going i
17 to ask fort 18 MR. ROSA: I don't know of any number that has 19 surfaced so far, a specifte number.
I 20 MR. KERR: At this point, almost any improvement I
21 will be scooptable.
P i
22 MR. ROSA: That's probably true.
i 23 MR. KERR: Suppose what is done doesn't really I
i 24 improve things, but it does sound reasonable, and that now is 25 a better maintenance program, better inspection program,
-,e. , - - - - , , ,-c-.n ,n- - - , , , , , _ . . . . , , . , . - . . ----.,y .,_.,__--..-.m.. ,,..,.,.,.n,_.,_._.,.,e..,,,e-._, . . , - - -
I 42 d better data, but we know what it is. Is that acceptable?
1 2 MR. ROSA: l' think we're going to forced to accept 3 something like that, in view of the uncertainties again in the 4 numbers.
! 5 MR. KERR: All numbers are uncertain that have to do 6 with equipment. So, you know, we're going to have to live 7 with the uncertainties. So we don't have goals for breaker 8 performance. We just sort of have a feeling that it ought to 9 be better.
10 MR. ROSA: I think that's a fair statement, yes.
l l 11 MR, KERR: Okay, Thank you, l
1 12 MR. WYLIE: Let me just make a comment in this 13 regard -- and maybe the Staff would like to respond to this --
14 but isn't it true that the only reportable failures tha,t are 15 reported on the breakers occur during the operation of the 16 plant, when they fail to operate during the testing, that 17 during the maintenance program and when they're working on the 18 breaker and post-maintenance? That hasn't been reported, the l 19 number of times these breakers fail when they are adjusting ,
l i
20 and calibrating them, and then they put them back in the i
21 cubicles, and they test them. If they fail, they pull them 22 back out and recalibrate them. You don't have that data.
23 MR. HEBDON: My name is Fred Hebdon from AEOD.
2 24 The requirement right now for reporting to the NRC 25 through the LER system would not require the reporting of
i singular random component failures either in operation or 2 testing. The requirement is to report things that could have 3 prevented t !. fulfillment of a safety function of a system.
4 However, the single-type failures -- single, random component 5 failures -- are reportable to the Nuclear Plant Reliability 6 Data System, and we very much intend to include that as part 7 of the program of collecting operational experience in plants.
8 As that system is developing and maturing, we are in 9 the process of developing methodology to analyse that data and 10 to include that type of data in the program that we have going 11 on right now.
[
\ 12 MR. WARD: I don't think he answered the question.
13 MR. WYLIE: I didn't think he did either.
14 What I'm saying is, maintenance men in the past have 15 pulled the breaker out because -- okay, shutdown and refueling 16 -- and he tested, and he may or may not have done what he's 17 supposed to. So he pulls it out, takes it and puts it on the 18 workbench, the test bench, and he does some testing, and it 19 fails.
20 How you don't get that type of information.
21 MR. HEBDON: It depends on two things. First of 22 all, it depends on when you are talking about, because we did s 23 change the LER reporting requirements the 1st of January 24 1984. So it's a different set of requirements before '84 and 25 '84 to the present.
44 1
%-l 1 Right now, if somebody goes out and does a test, and 2 he pulls the thing out, puts it on a test stand, even if it's 3 completely removed from the plant, and he finds that it's just 4 a random single failure, that type of thing is not reportable 5 as an LER, but it's reportable to NPRDS. If he finds it's a 6 generio problem or common mode problem -- it's not something, 7 just a single component type of problem -- then that sort of 8 thing should be reported as an LER.
9 The requirement is that he report anything that 10 could have prevented the fulfillment of a safety function of a 11 system, regardless of how or when he identifies it.
12 MR. WYLIE: That was after you changed the 13 requirements?
14 Mk. HEBDON: Yes. That requirement, of course, has 15 been in effect now for about a year and a half, so we're i
16 getting more and more data under the new requirement.
, 17 MR. WARD: Fred, that's a test that's sort of 18 testing the as-found condition specifically. What about 19 another test after he's made adjustments? What if he's making 20 adjustments on the bench -- do you understand what I'm asking?
21 MR. HEBDON: If he does subsequent tests as part of 22 the maintenance, as opposed to the as-found tests?
23 MR. WARD: Right.
24 MR. HEBDON: No. Generally I wouldn't think that 25 sort of thing would be reportable, because that's just sort of
45 mJ 1 the general maintenance program.
2 Hopefully, by the time he returns that thing, he's 3 go it into working order before he reinstalls it. He's tested 4 it to ensure that it is working properly.
5 MR. WYLIE: So they shut down the plant and he makes 6 a test, and it may have tested okay. He pulls it out for 7 maintenance, and he does sown work on it, and he tests it. If 8 it fails at that point, you say you report it to NPRDS?
9 MR. HEBDON: It depends on the nature of the 10 failure. If its just a single component failure, there's no 11 indication that it's a generic problem or ccamon mode --
(~
k 12 MR. WARD: That's a matter of judgment.
13 MR. HEBDON: That's a matter of judgment. That's 14 one of the things -- we did try to leave that judgment to the 15 Licensee.
16 MR. WYLIE: Basically he may or may not report it, 17 just based on his judgment.
18 MR. HERDON: That's correct.
19 MR. WYLIE: So now he takes it and he monkeys around 20 with it, and he gets it to working, calibrates it, it works, 21 it looks like it works fine. He takes it back and puts it 22 back in the cubicle, and he tests it, and it doesn't work, 23 Then he pulls it out and takes it back to the workbench. He f)
V 24 doesn't report that either, right?
25 MR. HEBDON: I would think that sort of thing would
46
( not generally be reported until he has certified by whatever 1
2 mechanism, plant procedures --
3 MR. WYLIE: It's up to his judgment as to whether 4 it's a generic failure or not, as to whether or not he has to 5 report it.
6 MR. HEBDON: It's up to his judgment whether or not 7 it's a generic problem.
8 I think just in the course of the way that people 9 would work on things, if he finds minor problems as he's going to along, and he's correcting them as he's finding them, that 11 sort of thing would generally not be reportable, if it's kw 12 something he's done as a result of the work he's doing.
13 MR. WYLIE: It may have been the fact that the 14 breaker frame is to light to design to.
15 , MR. HEBDON: If it's something that -- for example, 16 if he finds that the breaker frame is too light, and as a 17 result, these breakers have a potential common mode failure, 18 he's supposed to report that. And generally we get quite a 19 few reports of that type, particularly with something such as 20 reactor trip breakers.
21 MR. WYLIE: Has that been since you changed the 22 requirements?
23 MR. HEBDON: Yes. In fact, that's one of the main, 24 reasons we changed the requirements, because of the fact that 25 if these failures occurred when the component was not required
(~N) 47 5
v 1 to be operational, they were not required to be reported, and 2 we were very concerned about the fact that a lot of these 3 problems were not being reported to the system. So one of the 4 major changes in the LER rule that went into effect in 1984 5 was to say that the problems were reportable, regardless of 6 whether or not the system was required to be operational when 7 the problem was discovered.
8 MR. WYLIE: Thank you.
9 MR. HERNAN: Mr. Wylie, there is a situation 10 recently at Rancho Seco which kind of comes close to the 11 situation we're talking about. You may want to pursue that a
['N .
-- 12 little bit with Mr. Minor when he makes his presentation.
13 MR. EBERSOLE: What you said, maybe the frame of the 14 breaker is like just the act of putting it back in the cubiole 15 will distort it and cause'it not to work, or some other 16 mechanical portions of it will cause the margins of function 17 to be egraded; is this correct?
18 Incidentally, do the tests themselves validate this 19 interesting requirement that the forces, the margins of 20 function, the force policies are, in fact, adequate; not 21 merely that it works at all, but that it works with some 22 margin? ,
i 23 This was one of the interesting outgrowths of the 24 Salem investigation, that the spring constants were not 25 sufficient or the grease was too thiok, and although they
O 1 worked, you had no confidence in how they worked.
2 I wanted to know, you mentioned the sensitivity of 3 these breakers. Will you speak to that in the context of the 4 mechanical design, or just the sensitivity of them as a 5 functional entity?
6 MR. KERR: Do you understand the question, 7 Mr. Hebdon?
8 MR. HEBDON: I'm not sure. You're addressing the 9 question -- I was just commenting on the reportability. The 10 design of the breakers, I'm afraid somebody else would have 11 to respond to.
12 MR. EBERSOLE: I was going to the conclusion, once 13 you stuck them back into the casing or the housing, you may 14 have obscured or at least altered the margins to trip in the 15 force / balance context. So you really didn't know each time 16 they tripped what the margins to trip, in fact, were; is this 17 true?
18 MR. KERR: Mr. Minor, were you going to respond?
19 MR. MINOR: Yes. They are measured response times.
20 MR. EBERSOLE: They consider, then, if there is a 21 low margin of force, there will be a delay?
22 MR. MINOR: Yes.
23 MR. EBERSOLE: This is when it shears the grease, 24 right?
25 MR. MINOR: That's true. They also measure torque,
49 1 movement torque, but they do measure response time, and 2 there's a spec on maximum response time.
3 MR. EBERSOLE: I somehow find it revolting that we 4 have to use the shearing of grease as a parameter of operation 5 here.
6 MR. KERE: Perhaps we can go ahead with Mr. Minor's 7 presentation.
8 Excuse me. Mr. Davis?
9 MR. DAVIS: Just a short question. As I understand 10 it, the ATWS rule requires thtt Westinghouse plants install 11 this AMSAC system, which is n ATWS mitigation system. I O 12 don't recall exactly for which transients that system is 13 effective. But wasn't the purpose of that system to enable 14 the plant to ride through an ATWS without core damage? And if 15 so, will it, in fact, do that for all transients that are 16 being considered?
17 MR. ROSA: I'm not familiar with the details, but !
18 believe that's the case. That was presented to the Commission 19 by Westinghouse, and I believe that was verified by the 20 Westinghouse analysis, and that point was verified by the 21 Staff.
22 MR. DAVIS: That's also my recollection. It seems
( 23 to me like any scram breaker or SSPS reliability requirement 24 needs to be promulgated on the basis of the consequence of the 25 failure, and if this AMSAC system actually enables the plant
A 50
\.j 1- to ride through an ATWS event, it seems to me that reduces the 2 reliability requirement for these other components.
3 I'm not suggesting that we need to -- we can allow 4 ATWS to occur now, but it seems to me the consequence has to 5 he also considered.
6 MR. KERE: You mean the reliability requirement, 7 whatever it ist 8 MR. DAVIS: Yes, whatever it is.
9 Also I have seen recently some speculations that 10 emergency boration with PORVs locked open is an effective 11 scram backup system for some Westinghouse plants, if the 12 moderated temperature coefficient is below a certain value, 13 although I guess there is still some dispute about that. But 14 that would be a diverse scram system for the plant, if it 15 indeed worked.
16 MR. ROSA: I'm not the man to address that. I don't 17 have any knowledge of it.
1 i
18 MR. DAVIS: Thank you.
19 MR. XERR: Mr. Minor, ready to got You can operate j
20 from wherever you feel most comfortable.
21 MR. MINOR: I have some Vu-graphs.
22 My name is Sid Minor. I'm the project manager for 23 Rancho Seco. Rancho Seco is a B&W-designed plant.
24 [ Slide) 25 Rancho Seco has the G.E. AK-2-25 reactor trip
,~ . - - - - , - - _ , _ . . - - - , . . - . . . _ , . - , , , _ , - - - ,- n _ , , - , , _ . . - , - _ . _ , _ . _ , _ _ _ _ _._n,. . - . . _ . _ . . _ - - - .
51
]
j 1 breakers. During the refueling outage, they sent all their 2 reactor trip breakers to G.E. for refurbishing, and then it 3 went to B&W owners -- B&W for operability testing, for 4 verification, for functional testing.
5 Prior to plant startup, one of the reactor trip 6 breakers failed during post-maintenance operability 7 tests. They put it in the cabinet and it just failed to trip 8 at all.
9 The next thing said that all -- there were six of 10 them. All six of them had been refurbished at G.E. Atlanta 11 and certified by B&W in Lynchburg.
12 [S11 del 13 What was found was this paddle wheel here had jammed 14 against sthis. armature, and the armature did not move at all 3
3
- s n 15 , y } w' h e n t h't y tripped it.
, . 16 / \
[ Slide]
. 4 s 3 4 3 s
</ \
- il 17 N
- Wn e'n', t hi 'l i c e n s e e evaluated the problem, they found fp, - te i .s , ,,
) tPg dimensien between this rivet here and the armature was out
, l ,lg$
j 1P-
- L , 4 ,
T1 '
, 1
) p
- p f .) of speo. N 2 < N t f 3 I [S11deJ, 20 h t y, l' (
The specifications for that were something like 10
! $Q 21
{ }/ 3
'_\ ;?' }, , ,
. N !.' ' ' mild,}ir,d they isund this dimension something like between 50
?/ .- a f f%
{ l 23 /and 60. I t hink 'about 59mmils. They thought that caused this
. s,
-y 24 to jan. '
t ,
\ l
/ 25 , R. EBERSOIE.b We call that a roller rivet. Could
. i
- -- , ,, - ---,n jg
.s ,, s _. ,. 4 . _ - .
I i
52 )
(s v
1 you just briefly say what that does? I can't deduce from l l
2 looking at it. Does it roll on a surface? !
3 MR. MINOR: I'm trying to remember, looking at the 4 breaker, exactly what it does, and I'm not sure. It does move 5 and it has to move -- I remember shaking. It's fairly loose. 1 6 I don't remember what it's there for.
7 MR. DAVIS: Could you explain how that is supposed 8 to operate?
9 MR. MINOR: When you doenergize the thing, this 10 flips up. It rotates in this direction, hits this paddle, and 11 that paddle rotates and trips the breaker.
T 12 MR. EBERSOLE: The spring is the gismo that makes it 13 do that?
14 MR. MINOR: Yes, this spring is the gismo that makes 15 it do that. It's also the thing that sets the voltage, the 16 trip voltage.
17 MR. EBERSOLE: You certainly can't visualize even 18 the function of that roller rivet just by visualization on the 19 picture.
20 MR. MINOR: I'm trying to remember. We have a 21 breaker --
22 MR. KERR: Why don't you continue? We can probably 23 find out how that works later.
24 MR. EBERSOLE: Sure.
25 MR. MINOR: All right.
53
()N
\_
1 [ Slide]
2 They pulled all the reactor trip breakers and i
3 rechecked them completely and then reinstalled them and 4 everything worked all right.
5 MR. KERR: This refurbishing was done on the 2
6 strictest QA standards?
7 MR. MINOR: It was supposedly done under the 8 strictest QA standards, both the refurbishing and the 9 certifying.
10 MR. KERR: What do you mean, supposedly?
11 MR. MINOR: They were done at G.E., and I think the t'
12 licensee went back and did an investigation. They have a QA 13 program at G.E. They refurbish not only these. There are 14 other breakers they have refurbished.
15 MR. EBERSOLE: This is a one out of six product 16 failure in the refurbishing operation in this case. What is 17 the statistical average when they refurbish breakers?
18 MR. MINOR: I think this is the first and only one 19 they have seen so far since they refurbished. I don't know 20 how many they refurbished. There were quite a number of 21 them. The refurbishing on this thing was mainly lubrication.
22 MR. LIPINSKI They did nct mike the parts to see 23 if they worked?
24 MR. MINOR: They did, yes.
25 MR. LIPINSKI You said this one roller was under i I
/ 'N 54 (d )
1 dimension.
2 MR. MINOR: That was out of dimension, that's true.
3 MR. LIPINSKI; So they didn't mike it. If they did, 4 then the quality assurance of who miked it is bad.
5 MR. MINOR: It's a good question of how it occurred.
6 Did it occur -- did G.E. not mike it, or was it out when it 7 left GE , or did something happen while it was going 8 cross-country.
9 MR. KERE: It might have grown?
10 MR. MINOR: It might have dropped.
11 MR. LIPINSKI: If it's circular, did it only change 12 in one dimension? Did it change in all dimensions on the 13 circular part?
14 MR. MINOR: Measurement there is kind of difficult.
15 We have to push this thing down, so you are on that flat 16 surface, and then they measure the distance between them.
17 They were adjusted with these two screws here.
18 MR. LIPINSKI' They did not pull out the roller 19 rivet and look at the dimensions of the roller rivet.
20 MR. MINOR: No, no. It is just the clearance you 21 are talking about. It's strictly the clearance between the 22 roller rivet and this.
23 MR. WARD: It's supposed to be tight and it was 24 loose; is that the idea?
25 MR. MINOR: That's some of the things they are
- . . . - , . . . - - -...- .- - ,., -- , ,-_ ,.. -. ,- - --, ,,---,n_. , - - . . , . - - -
("% 55 1 investigating right now, is they are going to torque these 2 things. They did check to make sure they weren't hand loose.
3 MR. KERR: It seems to me the important thing here 4 is that it failed. I don't think we have to know the exact .
5 mechanism of failure.
6 MR. MINOR: SMUD has started on the program of 7 evaluating the failure. These last two statements aren't 8 quite correct.
9 [ Slide]
10 The utilities themselves are going to do the 11 evaluation, and this information notice has been published.
' 12 MR. WARD: Sid, a question. Item No. 3, the 13 failure. Was that reported as an LER to the NPRDSP 14 MR. MINOR: It was reported on the Hot Phone, and 15 I'm almost positive they are putting an LER together.
16 MR. WARD: That would qualify as an LERt 17 MR. MINOR: Did you want to say something?
18 MR. HERNAN: The question, again, becomes whether or 19 not it's a single random failure or whether or not its 20 indications of a potentially generic problem. In this case, I 21 would expect the licensee to report that as an LER. It 22 occurred on June 5th, if I read your note correctly, which y 23 means the LER is probably or hopefully in the mail 24 MR. WARD: But this was post-maintenance, 25 maintenance operability test.
. _ - . ~ - _ . . ..- _- __ ._. .. . , - __. - _ __ ,_ _ _. _ . .- ,. - ... . . _ . . . _ . - - . .
56 1 MR. MINOR: Prior to startup from refueling outage, 2 and they were checking it prior to startup. They were 3 installed in the cabinets --
4 MR. HERNAN: If they called it in on the Red Phone, 5 they will probably submit an LER because of the fact they are 6 virtually the same requirements.
7 MR. WYLIE: Let me ask a question. These breakers 8 had been sent back to B&W?
9 MR. MINOR: And G.E. Atlanta.
10 MR. WYLIE: And been refurbished, and they had been 11 shipped back to the plant. Did they test this breaker before
\/ 12 they installed it?
13 MR. MINOR: No.
14 MR. WYLIE: They did not.
16 MR. MINOR: Yes. Let me flash up the recommended 17 program for refurbishing these. I think we were discussing 18 this before. This is the B&W Owners Group recommended program 19 for refurbishing and certifying. The first eleven were done 20, by B&W and G.E. We are doing the last two. As a result of 21 what they have learned from this, now the utility is going to 22 do the whole thing. The recommendation now from the Owners
( 23 Group and also to the utilities. I don't know if SMUD is 24 going to check everything that came in.
25 MR. EBERSOLE: When that was shut down, were all the
57 O\ 1 breakers working all right?
2 MR. MINOR: Yes.
3 MR. EBERSOLE: So the damage was the result of 4 ma i n t eria nc e ?
5 MR. MINOR: I wouldn't think so. It could be. We 6 don't know.
7 MR. KERR: Does SMUD have evidence indicating they 8 got back the same breakers that they sent away? Does SMUD 9 have serial numbers that would indicate that they got back the 10 same breakers that they sent away?
11 MR. MINOR: I really don't know, but I would imagine f
12 they would be identified by numbers.
13 MR. WYLIE: Let me ask you, on these particular 14 breakers, the G.E. AK-25 breakers, have they replaced any 15 parts to the frames on these breakers as a generic 16 replacement?
17 MR. MINOR: I really don't know that. I think the 18 main thing they did was they lubricate this thing -- I think 19 one of those is a relube, I think No. 10. They may have 20 replaced some of the bearings during the refurbishing and put 4
21 some lubrication in, but the details of what they did, I'm not 22 sure, s
23 MR. WYLIE: The reason this one was reported was 24 that it had been reinstalled in the cubicle in preparation for 25 startup, and tested, and it failed.
1
/ ~ s. 58 U 1 MR. MINOR: Right.
2 MR. WYLIE: If these breakers that had been shipped 3 back and prior to installing them they had placed them on a 4 test bench ano it had failed and then they made some 5 adjustments, corrected it, and then tested it and it was okay, 6 then put it in the cubicle, would it have been reported?
7 MR. MINOR: Failed and they had readjusted? That !
8 really can't answer. I really don't know.
9 9 MR. WYLIE: Okay. Thank you.
10 MR. KERR: Does Mr. Hebdon know the answer to s
11 Mr. Wylie's question?
12 MR. HEBDON: I'm sorry, I didn't hear the question.
13 MR. KERR: Would you repeat, Mr. Wylie?
14 MR. WYLIE: In this case they reported because they 15 had taken the breakers as shipped back and installed them in 16 the cubicle and tested it, and then it failed at that point.
17 Had the breakers been shipped back as they had been to a lot 18 of the Owners Group people, and before they put those in the 19 oubicles, they tested them on the test bench and it had 20 failed, would it have been reported?
21 MR. HEBDON: Again, it is left somewhat to the 22 judgment of the licensee to decide if this is a condition that 23 they could have prevented and would have fulfilled the safety 24 function of the system. If he judged that it was, regardless 25 of when he identified the problem, then he should have
G' 1 reported it.
2 The answer is if, as this licensee did or apparently 3 did, he concluded that it was a situation that could have 4 prevented the fulfillment of the safety function of the 5 system, then he should have reported it if he found it even on 6 a test bench before and installed it back in the system.
7 MR. MINOR: If you look at the sequence of testing, 8 here is where they would have caught the out-of-dimension 9 rivet-to-armature clearance. The testing is down here. So my 10 guess is they would have just adjusted it.
11 That finishes what I have to say.
7%
%s 12 MR. KERR: Are there further questions? Mr. Davis?
13 MR. DAVIS: A quick one. I don't understand how the 14 refurbishing could have changed the clearance. Wouldn't that 15 have had to have existed before the breakers were sent for 16 refurbishing?
17 MR. MINOR: I think in order to refurbish, they have 18 to pull it apart. It could very well have moved this. In any 19 respect, that dimension is checked as part of the refurbishing 20 procedure, so one of the things the Itcensee is going to try 21 to establish is what the situation, what the dimension is at 22 0.E.
23 [ Slide]
l l
24 The trip voltage on this thing depends on two 25 things: the spring and the clearance between the rivet and the l
}
(s 60 1 armature. What they are going to do, B&W has taken a breaker 2 and has moved -- I think took two measurements on clearance, 3 I think at 3 mil and 60 mil, and saw a significant diiference 4 in the trip voltage.
5 What the licensee plans to do with this -- they 6 haven't touched that failed breaker at all. They pulled out 7 and left it as is so they can run back and do tests. What the 8 licensee hopes to do is by readjusting this to the 10 mil 9 speo, measure the trip voltage and move it down to 60 volts 10 and measure the trip voltage. They know what the trip 11 voltages were at both G.E. and B&W, and they hope to be able 12 to somehow establish that by that method where the problem --
13 did it slip enroute or was it sent out that way?
14 MR. XERR: This breaker also has a shunt trip?
15 MR. MIllOR : It worked.
16 MR. XERR: So it would have worked --
17 MR. MINOR: They tested it It worked.
18 MR. XERR. The fact that this one was jammed would 19 not have precluded that trip breaker?
20 MR. MINOR: They had started that on the seqttence of l
21 testing. I think this is the third breaker they tested. Two 22 of them were -- this undervoltage didn't work, but the shunt
( 23 did.
24 MR, WYLIE: I would suggest that there is an area of 25 ambiguity here as to when and where you don't report these
1 failures of tests. I would suggest that the Staff ask the 2 question of the licensees of these G.E. breakers what has been 3 their test experience when they receive these back, whether 4 they put them back in operation and test them or whether they 5 did it on the workbench.
6 I think you will find some things.
7 MR. MINOR: I think in general most of the utilities 8 that received these breakers, refurbished breakers back had 9 run through the sequence of tests before they installed them.
10 MR. WYLIE: I suggest this because I have been told 11 that there have been some other breakers that did not operate 12 when they received them back.
13 MR. WARD: But they weren't reported because it was 14 on the bench.
15 MR. WYLIE: No -- I guess they weren't. I think 16 Mr. Minor said this is the only case.
17 MR. MINOR: Complete failure. Some of them have not 18 met the response time, as I understand it, but this is the 19 first one I understand was complete failure. Didn't move at 20 all 21 MR. HEBDON: As I said, there is some judgment 22 allowed to the licensee in this area, and if there is a need
) 23 to get information on that specific issue, then that sort of 24 thing would be requested through an ISE bulletin. As !
25 understand it, ISE is planning to issue an information notice,
62
's i' l which would not generally require licensees'to provide
~
1 l
2 additional reports.
3 MR. WYLIE: That's a question of whether we are 4 really interested in reliability of breakers as to whether you 5 get the information.
6 MR. MINOR: Anything more?
7 MR. KERR: Further questions?
'8 [No response.3 9 Thank you, Mr. Minor, 10 MR. LIPINSKI' I would like to make an 11 observation. If this breaker is that sensitive to having that
\ 12 roller tested property, it is also going to have that same 13 problem with maintenance where it is performed on site, and I 14 think somebody better fully understand what has happened to 15 this particular breaker in terms of what the future problems 16 might be.
17 MR. KERR: Further comments?
18 [No response.]
19 I am going to suggest a ten-minute break at this 20 point. We will come back at about 20 minutes after.
21 [ Recess.3 22 MR. KERR: Mr. Hebdon?
23 MR. HEBDON: My name is Fred Hebdon. I am in the
)
24 Program Technology Branch in AEOD.
25 There were a number of aspects of this particular
63
^3 1 issue that I did want to touch on briefly this morning. After 2 the Salem ATWS event, of course there was a considerable 3 amount of interest in the question of whether or not the study 4 of operational experience would have predicted that a problem 5 such as the Salem ATWS would occur.
6 We did a study at that time. We discussed in that 7 study a number of different issues, including the 8 reportability of failures. And also this question of whether 9 or not the Trend and Pattern Analysis Program that we were 10 developing would have been able to predict something like the 11 Salem ATWS based on the information that was available before A
m- 12 the event.
13 It was not really a study of system reliability per t
14 se. It was really just a study of that one speoitto issue.
15 And we did find that befor'e the event that occurred at Salem, 16 the reliability or the failure rate of the reactor trip 17 breakers, not including the failures that occurred at Salem, 18 was about what we would have expected, based on information in 19 WASH 1400, for example.
20 As a result, we didn't feel that that parttoular 21 data would have led us to predict something of the nature of 22 Salem to occur in the future.
23 In addition, one of the points we did note was that
(
24 there was a considerable amount of activity that had gone on 25 in that parttoular area. There were bulletins, information
/'S 64 kss 1 notices, circulars that had been issued on that particular 2 subject, which also probably would have led us to conclude it 3 was not an area that we needed to look at in great detail.
4 Since that time, of course, the event at Salem and 5 reliability of reactor trip breakers has gotten considerable 6 attention, and as a result we have not devoted a great deal of 7 attention to that specific issue. One of the things we tried 8 to do because of the rather small size of our staff, is to not 9 spend a great deal of time looking into areas where we know
- 10 there is already a considerable amount of effort going on l
11 elsewhere on the staff, p_ \
l 12 So, although we do have a few studies associated 13 with related issues such as the problem with Westinghouse l
14 solid state equipment, as evidenced by the event in Sequoyah, 15 we don't have any studies going on right now directly related l
l >
16 to the reliability of reactor trip breakers or reliability of 17 the reactor protective system, i
18 I would point out there is data available. We have 19 data from the LER reporting that is available in the sequence 20 coding and search system that we operate. And there is also 21 some data available in the nuclear plant reliability data 22 system.
23 And that data, of course, is available to anyone 24 that is interested in studying the subject. And we can 25 provide that data to anyone that is interested in it.
A 65 1 The other thing is that we are working, as I 2 mentioned earlier, to develop a methodology to analyse trends 3 and patterns in NPRDS data. Now this is not focused 4 specifically on reactor trip breakers or reactor protective 5 systems, but on all different types of components that are in 6 'the NPRDS system, 7 As the NPRDS system is maturing, we are trying to 8 develop a methodology to analyse that data, and we hope to 9 have that program initiated in the not-too-distant future.
10 MR. EBERSOLE: May I ask a question.
11 Fred, sometimes I envision the BWR has a horrendous i
\_/ 12 64 billion complex that is literally hanging, or in an 13 inverted pivot configuration with three float switches at its 14 apex on which the safety of the plant hangs. Are you looking 15 at those float switches in an analogous way?
16 MR. HEBDON: As far as any specific study of the 17 float switchest 18 MR. EBERSOLE: And the reliability of them.
19 MR. HEBDON: Not that I know of.
20 MR. EBERSOLE: There is no counterpart study, for 21 instance similar to this or the breaker study on those float 22 switches?
23 MR. HEBDON: Remeasb e r , the study we did on the
(
24 breakers was not intended to be a definitive study on the 25 reliability of the reactor trip breakers. All ws were trying
4
/~N 66 1 to do in our study was to look at the question of the 2 reportability of these type of problems, and the question of 3 whether or not this Trend and Pattern Analysis technology or 4 methodology that we were developing would predict the problem.
5 What we found was that we didn't think it would 6 have.
7 MR. EBERSOLE: All I am asking is, is there a 8 counterpart study looking at these three float switches on 9 which the shutdown safety of the BWRs depends?
10 MR. HEBDON: No, we do not have a specific study in 11 that area.
12 MR, EBERSOLE: Why shouldn't there be?
r I
13 MR. HEB DO!1 : I don't know that I can answer that 14 specifio question. It is just not an area that we have 15 decided to initiate a study on.
16 MR. XERR: Mr. Ebersole, I think we need a graphic 17 of this picture you just painted with this tremendous pyramid 18 inverted and then maybe you could convince Mr. Hebdon --
19 MR. LIP!NSK!' I have a question for him.
20 MR. XERR: Mr. Lipinski 21 MR. LIPINSKI. We have had the opportunity to look 22 at the July 1983 AEOD report. And in here you point out that there is a lot of data that is missing. I think there is 26
'( ) 23 24 reactors unreported when you were preparing your plots in 25 here.
67
\j 1 Is that the correct number?
2 MR. HEBDON: I didn't do the actual study. But --
3 MR. CROOKS: Jack Crooks, AEOD.
4 At the time of the study there were 26 plants that 5 had not reported failures. We had checked with NRR who had 6 asked back through the owners' group if those plants had 7 failures bastoally on demand or during surveillance. And the 8 feedback that we had was that they did not.
9 In addition to that I had called probably a half 10 dozen sites and talked with the resident inspectors and asked 11 them if there were any failures that they were aware of that n
%- 12 maybe had not been reported. And they indicated, no.
13 So, on that rough calibration we felt those plants 14 probably didn't have failures; at least failures on demand or 15 during surveillance tests. There was a problem that the 16 maintenance type of failures just weren't being -- we weren't 17 picking up. You know the types of things that were discussed 18 before, that during maintenance and before putting the thing 19 back in service, there were failures. You know, people were 20 adjusting things and they weren't being reported.
21 MR. LIPINSXI* My concern was whether there was 22 something wrong with the reporting system and that is why you 23 didn't get the reports, even though they might have existed.
(
24 MR. CROOKS: Well, what we did is through the new 25 LER rule and what Fred has been saying, we had hoped to bring
l 1
fs 68 1 in failures and let people know more that we are interested in 2 the reactor trip break failures.
3 MR. LIPINSKI Okay. What you said is encouraging 4 then that these events did not have reportable events and 5 therefore the data should not be any worse than it is.
6 MR. CROOKS; Perhaps. I don't know whether 7 Westinghouse has any additional information. But that is the 8 story that we had. That was a concern and we tried to get the 9 *information. There didn't appear to be any.
10 MR. LIPINSKI Thank you.
11 MR. KERR: Mr. Ward?
) Fred, you said I think this is what (d 12 MR. WARD: --
13 the report said, that the Trends and Patterns analysis, if it 14 had been in place, would not have predicted the likelihood of 15 an event like Salem.
16 Is that correot' 17 MR. HEBDON: That's correct. Based on the 18 information that was available.
19 Now obviously, with different data. The whole point 20 of the system is to try and identify trends that are i
21 indicative of problems. But, with the data that was 22 available and the history that had been experienced to date
( 23 with reactor trip breakers, there didn't appear to be data 24 there that would have raised any, red flags that this is a 25 problem and somebody better do something about it.
e 69 O' 1 MR. WARD: Okay. But do you think with the new 2 system started in 1984, do you think the Trends and Patterns 3 Analysis Program now will be able to predict this sort of 4 thing? Or, are there other events of interest?
5 MR. HEBDON: I think there is maybe a little bit of 6 confusion as to what we concluded.
7 We concluded that the program would have identified 8 it if the data had been there. If the failures had been 9 there, the program would have found that this was a problem.
10 The failures were not there. There were not the 11 numbers of failures that would have flagged reactor trip C1 12 breakers as an outlier.
13 Now, if the failures occur and are reported, we 14 would still hope that the program would flag that type of 15 thing as an outlier, and would raise it as an issue.
16 Reporting of that type of data now relies very heavily on the 17 NPRDS system, particularly for the single component type of 18 failures.
19 And that type of thing for all classes of 20 components, not just reactor trip breakers is the type of 21 thing that we are trying to study in the study of the Trend 22 and Pattern Analysis of the NPRDS system.
f 23 So, we would expect the program now to identify 24 problems if the failures do occur.
25 MR. LIPINSKI wasn't one of the problems in how the
4 i
70 f
1 tests were conducted and how the data was recorded, because 2 they were not differentiating between the undervoltage and the l
i 3 shunt trip?
4 MR. HEBDON: No. The point is that prior to Salem 5 the failures just hadn't occurred. It wasn't that people 6 weren't reporting them, it wasn't that they were I
7 misunderstanding or anything else.
8 The data that we have, the best data that we can 9 find simply indicates that the failures just weren't there to 10 raise any flags.
11 MR. LIPINSKI: If I recall -- again it is a question l'
12 of sequence of time -- breakers were being tripped, but people 13 were not recognizing the undervoltage trips were not working 14 and they were getting trips on shunt trips. Then, after they 15 went into a thorough investigation after Salem, they found 16 this out to be true.
17 Whereas, had they been conducting a proper test and 18 differentiating between undervoltage and shunt trip, they 19 would have generated data saying undervoltage trips are not 20 working.
21 MR. HEBDON: That's a possibility. But there is no 22 way to know in hindsight whether or not they would or wouldn't 23 have found it if they had done the tests different17y.
24 MR. LIPINSKI: Well, if the undervoltage trip did 25 not trip and if they were doing a proper test they would have
I gg
)
1 found it. The point is, they did not find it because they 2 were not testing properly.
3 Now after the fact, they are looking at undervoltage 4 and shunt trips as individual events as part of the test !
5 procedures now. That was part of the problem as to why you 6 didn't see reported events, because they were not being tested 7 and reported properly.
8 MR. HEBDON: They should be reporting them properly 9 now.
10 MR. WYLIE: Mr. Hebdon, I'm not sure that is true.
11 Maybe the Staff will comment on this. At least my knowledge 12 is that you were able to distinguish whether it was a shunt or 13 the undervoltages are tripping when you are doing periodic 14 testing.
15 MR. LIPINSKI: That was a Rancho Seco problem. They 16 tested those breakers and found the UVs weren't working.
17 MR. WYLIE: Well, I don't know about that.
I 18 Based on the experience that I have had, you didn't
.l 19 have the shunt trip tripping. You were solely relying, prior 20 to Salem, on the undervoltage device.
21 MR. LIPINSKI: Depends on whose reactor you are 22 talking'about 23 MR. WYLIE: I'm talking about Westinghouse
)
24 reactors. You were able to determine whether the RPS was
)
25 working and the undervoltage trip was working at that time.
O 1 MR. EBERSOLE: Isn't it up to the utility, even on 2 Westinghouse breakers to put a shunt trip on if they wanted 3 to?
4 MR. WYLIE: Well, that came later. Shunt trips were 5 added later, after the Salem event.
6 MR. EBERSOLE: No, I mean even before.
7 MR. WYLIE: Well, some reactors did way back.
8 MR. EBERSOLE: Westinghouse?
9 MR. WYLIE: Yes. Well, way back.
10 MR. LIPINSKI. The point was though, after the Salem 11 event, people went back and they looked at their breakers, and b
\s- 12 there were cases where the UV trips were not functioning.
13 They were tripping on the backup trip.
14 MR. EBERSOLE: Did the Staff have a limitation op 15 the option of the operators to put a shunt trip on on the 16 grounds that it would blind their knowledge of function of the 17 shunt trip?
j 18 MR. ROSA: The Staff had no requirements for a 19 shunt trip prior to Salem.
20 MR. EBERSOLE: But did they have the inverse 21 requirements that there shall be no shunt trip because of the 22 blind --
i 23 MR. ROSA: No, they did not.
s 24 Some reactors had both shunt and undervoltage.
25 MR. EBERSOLE: For the ones that did, did they
f m 73 0 1 acknowledge at that time they would validate the continued 2 performance of the shunt trip?
3 MR. ROSA: That's the sad part, really. There is 4 sort of a mixed bag. Some utilities did independently test 5 their shunt and undervoltage. Others did not.
f MR. EBERSOLE: Mixed bag?
7 MR. ROSA: Right.
8 MR. EBERSOLE: Gotcha. Thank you.
9 MR. WYLIE: Faust, maybe you want to comment on 10 this. At least it has been my impression that most 11 Westinghouse plants did not have the shunt trip.
A ms 12 MR. ROSA: That's true.
13 MR. WYLIE: So basically it was the undervoltage 14 that was actually doing the tripping?
15 MR. ROSA: That Is right. On Westinghouse plants 16 that's true.
17 MR. EBERSOLE: The Staff does have kind of a general 18 rule, doesn't it, that if you want to add something to any 19 part of the design you can do so if it doesn't degrade 20 safety.
21 MR. ROSA: That also is true.
22 MR. EBERSOLE: But then the actual application of that little principle is hard to do, isn't it? If I remember, 23
(
24 that happened when we put them up at the control center at 25 Browns Ferry.
74 f~)
(N /
1 MR. KERR; Is that a question, Mr. Ebersolet 2 MR. EBERSOLE: I'm asking about the general 3 requirement, if it is optional for any utility to add 4 anything.
5 MR. ROSA: In the case of the shunt trip, the 6 optional shunt trip, prior to Salem it obviously didn't 7 degrade safety. Therefore, we would not have gone beyond 8 that.
9 MR. EBERSOLE: It did degrade safety. It blinded 10 the shunt trip function -- I mean the UV trip function.
11 MR. ROSA; It blinded that only during tests, 12 that's true. The shunt trip was --
13 MR. EBERSOLE: It blinded it at all times, if it 14 worked. You never knew whether the shunt trip was working or 15 not and yet that was the one you had required to do the job --
16 I'm sorry, UV trip.
17 MR. ROSA: I understand what you are saying, and you 18 are right.
19 MR. KERR: You could take the Fifth Amendment.
20 (Laughter) 21 MR. ROSA: True, the operation of the undervoltage 22 was blinded by the fact that the shunt was there, and the two 23 were not independently tested. You can't argue that.
(
24 MR. KERR; Are there further questions?
25 (No response)
. . . _ . . . , _- - . - m__ . -_.__ _
75 b(~' i Mr. Hebdon, you made the statement that the data 2 that existed would not have permitted you to predict Salem.
i 3 And I am not certain that I understand what you mean.
4 Certainly there were not data that would have said that one 5 should never expect a trip breaker f a i l'u r e . That certainly 6 wouldn't say I will predict Salem, but it would not make you 7 surprised that you got a failure of a trip breaker.
8 Now maybe you referred to the fact that there were 9 not very much data that predicted common mode failures. But
. 10 oven so there certainly wasn't anything in your consideration 11 of this that would say common mode failure is impossible.
O k s/
s 12 So, what is it that the data would not have 13 p e r m i '. t e d you to predict?
14 MR. HEEDON: Basically what it turns out is if you 15 calculated the failure rates that were being observed, those 16 failure rates were about what you would have expected.
17 MR. KERR: But they still are, even with Salem.
18 MR. HEBDON: That may be true. But the point that l'
19 we were trying to look at was, was the fatture rate of reactor 20 trip breakers sufficiently high that if we had been trending
- 21 failure rates of all components, that that would have somehow 22 raised a flag that there is a problem with reactor trip 1 i 23 breakers because the failure rate that we are seeing is I
i 24 substantially -- and whatever sutstantially is is not clear --
25 but substantially greater than what we would expect.
,,-.,~g,. --,,- , -,-.,-_--,-n- , . _ , . - - - - - - - , , - , - _ . , - . - - , - . - - _ - . _ _ , . . _ - - - . - - , - - - - - , , - - - - - , -
I.
(~N 76 i MR. KERR: If that is what you are saying, I 2 understand that.
3 MR. HEEDON: That was all we did. I mean, I don't 4 want to overse11 this study as more than what it was. It was 5 simply an effort to go in and see whether or not the failure 6 experience that had been seen with reactor trip breakers p r ?,o r 7 to Salem was such that it would have caused that particular 8 thing to come out as an outlier.
9 MR. KERR: I understand, I think. Thank you.
10 MR. DAVIS: What failure rate would trigger your 11 concern?
12 MR. HEBDON: We really have not developed the 13 thresholds yet. As it turns out, the failure rate that was 14 being observed is just about the same as the failure rate 15 predicted, or the failure rate assumed, let's say, in WASH 16 1400, 17 MR. DAVIS: 10 to the minus 3?
18 MR. HEBDON: Yes. That's in WASH 1400, and that is 19 what we were seeing. So, we didn't have to get into the 20 question of what threshold, at what threshold would we define 21 an outlier.
22 That is something that is very difficult to define, 23 and we are working quite a bit with INPO right now because
)
24 they are doing the same type of study and the same type of 25 methodology development that we are doing, where we are trying
77 V 1 to go through and calculate, for example, failure rates of 2 components.
3 Well, the problem you get into, particularly if you 4 do it on a per plant basis, you can end up with thousands and 5 thousands of failure rates And at what point do you define 6 your threshold and say anything above this particular 7 threshold I am going to be concerned about and I am going to 8 do something about it.
9 There is the perennial tradeoff of, you either set 10 the threshold fairly high to keep the number of alarms, so to 11 speak, down to something that you can deal with. But then you
\
12 run the risk of finding out later on that there was a real 13 problem in there and you missed it because you had your 14 threshold set so high.
15 It is a difficult issue. We don't have an answer to 16 it yet. It is something that we are trying to resolve now.
17 We have been working with INPO, of course, because they are 18 very interested in NPRDS as well and trying to develop this 19 program. And that is a very difficult tradeoff that we haven't 20 resolved yet.
21 MR. DAVIS: I appreciate what you are saying. When 4 22 I first got involved in this breaker failure rate, I looked at 23 some of the more recent PRAs to determine what they were
! 24 using. And I found the numbers buried all over the place. The 25 highest was in the Zion PRA, which was published, I believe,
78 p
O 1 in 1981, and it was essentially 10 to the minus 2 per demand, 2 which would have triggered some concern had I been worried 3 about the problem.
4 Other PRAs use something around in the order of 10 5 to the minus 4.
6 Most of these data bases are proprietary, and 7 so you can't really trace back to what data is really being 8 used to generate the numbers. But I was surprised that the 9 numbers varied so much and that there was in fact one as high 10 as 10 to the minus 2 that was actually being used. And I am 11 still concerned that there is so much variability.
s
! , 12 It seems like everyone should be operating from l
13 basically the same data base, and I can quote you numbers from
/
14 three PRAs all for Westinghouse plants, that used three 15 different numbers that var'ied by over a factor of ten.
16 MR. XERR: But Paul, isn't part of this based on 17 taking data on single failures and trying to make some 18 estimate on what the common mode failure rate is, which is i
19 just sort of a guessing game?
20 MR. DAVIS: T h e- numbers I am referring to are random 21 failures of single breakers.
22 Now this number then is used to predict a common i
23 cause contribution either by use of the beta factor method or
\
24 the binomial failure rate method.
25 These are single failure rate random numbers.
-yr _ . _ . _ _ _ , , _ , , , , . , , _ . _ - . _ _ . - - - , _ , _ . , . ,, _ _ _ , _ . _ - . . _ . _ . _ _._ _ - .
,%. v a
, ;. t >
'l s ,4 y .
f y. ., ; ). >
'I ff;q q .+. h, ', f (J, V y ;
+
l e
)} ,
4 1 MR. LIPINSKI. If de 1cok at these tables, if I
\
\ >
-2 recall ~ Zion was one of the poorer performers. So they i
[ ( i ,
, 3 pzoh a b 1:e used their statistical base to generate their numb e ['s . * * ' l
[4 . 2 s
N t / .s, js 5 5,4R . DAVIS: They may hkve used some plant specific
,l4
{ f f, '6 numbers.and used a Beysian technique to fold it into the other
, ; , - ^; ..
/ '
2 1
7 data. >
)
t L [
4
' g ~'-
g
- But-still there is a, concern, if there is this much 4 > i l
9 variability then we must be having some manufacturing problems y / ., +
l? 10 fram plant to plant.
J s 11 .
MR. LIPINSKI. Or / rA 3, n t e n a nc e .
'b 3
+
i 12 MR. WARD: Sounds mors'like maintenance.
- ,. ) ~
4
- 13 MR. DAVIS: That very well could be, t)
E 14 NYL I $': ' A que s t i on . In the AEOD report in the
./ ,
, M h. 7 15 > conolusions --
J.l
. 1
~
MR. K E R E '. ' Chuck, beforb you get to that, I want to
' .3 1 ,
a 1 17/ - ast\a q u et .s ion directly related, v:
) 18 MR. WYLIE: Go ahead.
li hr \'l,
',f19 '
U i MR. KERR: Mr. Hebdon, you said you had not yet u
h 1 a 20 ,e arrived at some sort of number in which you had become 21 ' concerned. It does appear, however, from what you said, the i
j22 data we used in WASH-1400 was sort of implicitly accepted as 1
4 .s tfs3 reasonable performance, because you said since things were
.j 24 about ths.tl we saw in WASH-1400 we weren't concerned.
\
d 25 Now, WASH-1400 I think was simply an effort to mou________-----._--_ .m
f k 80 i describe what was out there without drawing any necessary 2 conclusions about what is acceptable about performance of any 3 particular system. It appears at least implicitly you were 4 saying for this system, at least the WASH-1400 numbers are 5 probably okay.
6 MR. HEBDON: I think we were just using WASH-1400.
7 Of course, keep,in mind this study was done over two years 8 ago. But we were using those numbers simply as a basis for 9 comparison. I don't know that those would be the actual 10 numbers we would use.
It's a very difficult question deciding what is the
[~
%.s 11 12 basis and what do you set the thresholds at. We really don't 13 have an answer as to how we will do that in the future when we 14 have this type of program operating.
15 MR. KERR: I just wanted to see if I understood what 16 was said and I'm not sure I did, but the impression I got was 17 that since the numbers you were seeing out there seemed to be 18 about what had been used in WASH-1400, that things were 19 probably okay.
20 MR. HEBDON: Yes, I believe that's correct.
21 MR. XERR: Are there other questions?
22 MR. WYLIE: Yes. The AEOD report in the conotusions O 23 enumerates a number of deficiencies in recording and what have 24 you. Is that taken care of in Generio Letter 83-287 25 MR. HEBDON: I think most of the deficiencies we
p 81 V
1 found in the report are taken oare of more by the LER route 2 than by any other guidance.
3 MR. WYLIE: Okay.
4 MR. KERE: Are there further questions?
5 (No response) 6 Apropos of the details of breaker performance in 7 which you might get involved later on, has anybody in AEOD or 8 otherwise given serious thought to the possibility of 9 eliminating the undervoltage trip?
10 MR. ROSA: There was an informal proposal by GE I 11 believe to eliminate the undervoltage trip in this fashion;
[
C 12 draw your shunt trip voltage from upstream of the scram 13 breakers, r e c t i f y rag set generator output, and then simply use 14 the present trip signal to energize the shunt from that You 15 would have to have an auxiliary shunt trip power supply which 16 could be auctioneered to the rectified mg set voltage.
17 MR. KERR: There seems to be at least be 18 conventional wisdom that the shunt trip is much more reliable, 19 and since Mr. Ebersolo i t: in favor of simplicity, I'm sure 20 he'd go along with this.
21 [ Laughter.)
22 MR. EBERSOLE: Walt a minute.
k 23 [ Laughter) 24 1 do not now know, and I doubt that, the presence of 25 the shunt trip degrades the shunt trip function. Is this
I 82 t
v 1 correot?
2 MR. WARD: The presence of the UV?
4 MR, ROSA: I don't know that it does either, except 5 that it does complicate maintenance and testing procedures 6 significantly, which degrades the overall reliability.
7 MR. EBERSOLE: You can degrade the shunt trip by 8 having to do maintenance on the UV trip, so there are some l 9 degradation contributions. I think it would depend on that, 10 Bill. I don't know what the level --
11 MR. KERR: I wasn't suggesting that it should be 12 done. I don't know whether it should be done or not, but from 13 what little I've heard, it seems to me it's worth looking at.
14 MR. EBERSOLE: I agree.
15 MR. HEBDON: It has not been suggested by AEOD that 16 that be done.
17 MR. LIPINSKI: May I comment? There's a fail safe <
18 feature. That's why the UV trip --
i j 19 MR. KERR: I recognise that and I have never
. 20 understood why one picked out just this one component of the 21 scram system, because there are plenty of other parts of it 22 that are not fail safe.
23 MR. EBERSOLE: But you won't be compensated for I 24 that becausw you're using the output of the mg set to drive 25 the shunt trip.
- - - . - ,-- -_ _ _ . , - . _ _ _ _ . . _ _ _ . , _ , . _ . , . . , , - _ . . . _ ...,._._,._-.~.,-m,...,.,,m., _ _.
(
s 83 s
i MR. LIPINSKI: Again, this device is energized and 2 it operates on demand by removing power; whereas the shunt 3 trip operates on demand and you don't know when your demand 4 comes or the shunt trip is going to be there.
5 MR. KERR: Walt, what you really want I think is 6 overall reliability, fail safe or fail danger or whatever is 7 relevant. What you want is reliability.
8 MR. EBERSOLE: They've taken the power, though, from 9 the output of the mg set, which is, of course, --
10 MR. LIPINSKI: That may not have a context in the
^] 11 mega current.
G 12 MR. EBERSOLE: That's right.
13 MR. LIPINSKI If I look at the contacts themselves, 14 contacts are made, I know they're working. The question is l 15 will they work open on demand. Contacts that are open, I do 16 not know that they will close on demand. I think if you look 17 at the relative reliability between closed and open, the 18 olosed case is going to win in terms of high reliability.
19 MR. WARD: Closed to open?
20 MR. LIPINSK1; Yes, closed to open. But there are 21 other features that determine overall reliability.
22 MR. KERR: Only out of contact operation there might t
. 23 be.
24 MR. LIPINSK!: There are other parts of the system 25 that determine overall reliability.
t 84 1 MR. EBERSOLE: I guess the circuit would be driven 2 by AEU relay. The power supply would be from the magnet core 3 otrouit.
4 MR. KERR: Let's design it tomorrow.
5 (Laughter.1 6 Are there further questions on this topio?
7 (No response.)
8 Mr. Hebdon, does that conclude your comments?
9 MR. HEBDON: Yes, sir, it does.
10 MR. KERR: This brings us, I believe, if we follow
/~' 11 the agenda to Mr. Rowsome, and we would welcome any comments (s-12 you would care to make in the context of the discussion that 13 you've heard so far, and your wisdom.
14 MR. ROWSOME: Frank Rowsome of the Staff. Neither 1 15 nor my organisation has been involved in implementing the 16 bulletins and orders that emerged from the Salem event, so we 17 are non-participants.
18 I would point out, though, an analogy between this 19 and some concerns we've had in broader contexts. As 1 20 mentioned to you quite recently in the context of safety 21 goals, Harold Denton has been concerned that we're growing 22 increasingly dependent upon PRA results for regulatory
( 23 judgments. And yet, we function in a world in which we are 24 not getting the kind of feedback that would verify whether or 25 not assumptions made in PRA were being realised in operating
85 1 experience.
2 It's a kind of diffuse generic issue here, having to 3 do with agency policy. And the agency is a long way yet from 4 having a coherent policy on this subject.
5 But there is a smattering of people at all levels in 6 management who are concerned about this problem. Many of us 7 have, in one context or another, advocated what has come to be 8 called the safety assurance or reliability assurance concept 9 in which better documentation of reliability performance in 10 service and better validation of PRAs when they have been
/) 11 utilised in the licensing process in a case work application U
12 would obligate the licensee to verify from time to time 13 whether his operating experience was, in fact, consistent with 14 the quantitative estimates and would entail thresholds of 15 remedial action, at least one or two of which might entail 16 notification of the NRC if the experience observed is falling 17 significantly short of that assumed in the licensing 18 application PRA, 19 This has been a particularly troublesome feature in 20 our attempt to use PRA in the licensing of generio standard 21 plants where we simply have a paper design to work with, and e~ 22 the details of procurement, construction and so forth are not 23 ava!!able to be reviewed and considered under the severe 24 aooident policy and standardisation policy.
25 The PRA and a resolution in a case-specific context
4 i
1 of pending generic and unresolved safety issues depends to a i
2 large extent on the PRA. And we have not yet developed a 3 regulatory position on how we can verify or validate that 4 in the course of procurement and detailed design construction, 5 startup testing and operation. We can verify that we are, in 6 fact, getting what we thought we were getting in the standard 7 plant licensing exercise.
8 I see an analogy with some of the difficulties with j 9 the quality assurance program. We have historically over the ,
i 10 last few decades not availed ourselves of state-of-the-art
/}
v 11 tools of reliability engineering and reliability assurance 12 within the OA r,rogram. We all know horror stories about the 13 fact of needing qualified equipment leading people to be 14 unable to use proven, off-the-shelf equipment of high 15 reliability, narrowing the available number of vendors for 16 components and signiftoantly upping the cost.
A i 17 There have been numerous studies, though none that !
18 know of formally chartered by this agency, of the difference 19 in reliability of active components according to whether or 20 not they were nuclear safety grade or not. And these studies 21 have repeated shown that we are not, in fact, getting 22 appreciably higher reliability in safety grade active L 23 components and their counterparts in fossile plants and 24 balance of plant, non-safety grade equipment.
! 25 MR. WARD: Could I add, I'm surprised to hear you
l l
/
67
(
x 1 say there have been innumerable studies.
2 MR. KERR: Maybe he doesn't count very high.
3 Chaughter.]
4 MR. ROWSOME: If I said that I was certainly being 5 sloppy. I'm aware of three or four, although I can't give you 6 the references offhand.
7 MR. WARD: Are these within the agency or without?
8 MR. ROWSOME: Entirely without, and there are 9 continuing comparisons among databases that are done all the 10 time. For example, the old EE! database that I believe is now 11 managed by NERC on component reliability, having to do 12 principally with plant availability which covers fossile plant 13 equipment as well as nuclear plant equipment, has been on the 14 backs of many people's desks and is frequently used for 15 purposes of comparison with databases we have attempted to 16 extract from LER's and the like. And in general, comparable 17 equipment does as well in fossile plants as it does in safety 18 grade nuclear plants.
19 MR. WARD: The reason I asked is because a couple of 20 years ago, the ACRS asked this sort of question of you PRA l
21 people on the one hand, and of QA people and the staff on the 22 other hand, and we didn't get the sort of definitive answer to IO 23 the question that you are giving us here this morning, i 24 MR. ROWSOME: The stati has not itself sponsored 1
l 25 such a study or done a disciplined inquiry into it.
i
08 N_/
1 MR. WARD: Well, in one or more of our research 2 reports of two or three years ago, we asked the staff to do 3 this and they made sort of a token effort, and the conclusion 4 from that token effort is they could not really tell us there 5 was any difference in the performance of safety grade and 6 non-safety grade equipment, nr QA or non-QA equipment. But 7 that the study could not be considered really definitive.
8 That's the answer we got back from the staff to this 9 request, a rather specific request. How you're telling us 10 something rather difforent, that all along you knew the answer 11 to that question and the answer was there isn't any
\
l 12 difference.
13 MR. EBERSOLE; May I ask a question? I think a 14 broader base would be found in FAA-oortifteated equipment. !
l l
l 15 think the orttical difference may be, is it not true, that l
16 FAA-certificated equipment requires reliability indices 17 whereas NRC has no certification system and their le qualiftoation process has got little, if anything, to do with 19 reliability?
I 20 MR. ROWSOME: I think that's probably true.
21 MR. EBERSOLE: Is there any study available, I've 22 often wondered, that I could get my hooks into that showed FAA 23 oertificated equipment -- I'll just take an alternator as a 24 basto point -- is this, in fact, the same machine used on 25 truckst
89
%_/
1 MR. ROWSOM2: That's a good question. I don't know ;
2 the answer to it, but it's an interesting question.
3 MR. EBERSOLE: Do you happen to know whether they 4 used reliability indices in certifloating their equipment? I i ought to know that and I don't.
8 MR. ROWSOME: I can't speak to the details of FAA i
7 certification, but it's well known that aerospace industries 6 frequently make use of such standards, 9 MR. ESERSOLE: That's my general thought, 10 MR. DAVIG. I believe EPRI has a study to examine 11 that particular aspecti in other words, try to determine if Oi 12 FAA and other kinds of government agency requirements i 13 specifying reliability are really effective.
14 MR. WARD: Could we go back, Frank, to what I was 15 talking about? Do you have any response to what I said? !
16 guess ! can't expect you to know everything that's going on in 17 the 3000-person agency, but I'm just surprised that --
18 MR. ROWBOME: Remind me of the question.
19 MR. WARD: You have just told us that it is sort of 20 -- that the common wisdom shown by three or four studies 21 outside the agency, that equipment whloh has been ca!!ed 22 safety grade and given the pedigree of testing and so forth !
's
'- 23 that goes along with that doesn't perform any better than 24 simitar equipment whtoh has not been given the safety 25 pedigree.
/
90 1 You seem to be telling us that that is sort of 2 common wisdom and well understood. Where two years ago we 3 asked other people in the staff to find out whether this was 4 true or not and they came back and said it was an 5 imponderable; it cannot be learned or determined whether there i
~
6 is a difference.
7 MR. WYLIE: Let me ask, you're speaking of 8 performance in the context of reliability?
9 MR. WARD: Yes.
10 MR. WYLIE: Okay. There's other considerations !
11 think.
12 MR. ROWSOME: Let me try to clarify that a little 13 bit. The data for both safety grade and non-safety grade 14 equipment indicates quite wide scatter. There is in both 15 populations of equipment some lemons, and there is in both 16 populations of equipment some components that function with 17 extraordinarily high reliability. Both populations contain to very broad distributions associated with any generio class of 19 components, like valves, relays, breakers, pumps, motors and 20 the like.
21 One can clearly identify isolated instances in which 22 the qualiftostion process assootated with nuolear safety 23 grade equipment has caught problems and successfully dealt i
24 with them. But in addition, the less heavily regulated 25 maintenance practices in the fossile power generation part of
(3 7
/
l 91 1 the industry and balance of plant nuolear plants also does 2 some debugging, too, and has its own successes to its credit.
3 As I say, the distribution of component 4 reliabilities is quite broad in both populations. One would*
$ need far better data that 1 believe anyone has collected to 6 try to use sophisticated statisttoal signiftoance tests and 7 the like to get an accurate measure of to what extent 4 reliability correlates with qualtfloation.
9 But it's obvious on its face that the way we go 10 about qualification does not go to functional reliability so 11 much as it does to design adequacy. It is exceedingly rare
{G}
12 for quantitative life oyote reliability testing to be a part 13 of a procurement spec for a nuclear component as it is for a 14 balance of plant component, And this is true throughout the I
15 industry.
16 MR. LIP!NSKt: I have a question. One of the plants l
17 in the ACOD Report was set to 70, I think, db S0 breakers. In 18 that particular case, based on what you are saying, it would 19 he interesting to know what the experience was with the 64 20 breakers that were not involved in the reactor trip system and l
21 the breakers that were in the reactor trip system, l
22 I think the problem you are going to find is that
,O i
23 the fattures in those 60-some breakers are not required.
l 24 There is no requirement to report them.
l 25 MR. HERDON: It depends on where the breakers are l
1
/~'N
's ! 92 1 used. Some of those breakers are used in other safety-related 2 systems. As a result, the fattures would be reportable either 3 as LERs or in some cases reported to NPRDS. Some of the 4 breakers, I would think, are probably in totally 5 nonsafety-related functions, and the fattures of those 6 breakers certainly would not be reportable either to NPRDS or 7 as LERs.
I 4 MR. LIP!NSK!: Right. Under those conditions we 9 couldn't draw any conotusions between the so-called safety 10 breakers and the nonsafety breakers.
(}
LJ 11 14R . WARD: Because you only have data --
12 MR. LIFINSK!: On the safety breakers.
13 MR. WARD: Bill, it strikes me the Westinghouse 14 people might have an answer to this question that they would 15 be willing to share with us in their probability, rettability 16 data. e, 17 MR. KERR: They are going to talk very shortly.
16 MR. WARD: I don't think they are going to address l
- 19 this sort of question unless we ask them to.
20 Do you understand the question?
l 21 MR. LITTLE: I believe the question is how do the r
22 nonreactor trip system breakers of the same design perform in l
O" 23 the plant with respect to the way we have been collecting data 24 on the reactor trip system breakers. The answer to that is l
l 25 two parts. The first is that those breakers are not used in
i O 93
'Y 1 the same application. They do not use undervoltage trip 2 attachments. As a matter of fact, they don't use shunt trip 3 attachments; they use overourrent trip attachments. And as 4 Fred Hebdon already talked about, if they weren't 5 safety-related systems and they degraded the safety function, 6 it would appear as an LER, NPRDS entry, and we have not seen ,
7 failures in those components, t
4 1 guess I will be a little premature here in stating 9 the only failures that have occurred in Westinghouse db and 10 de breakers have been in undervoltage trip attachments and 11 not the breakers themselves, so we are really talking about 12 undervoltage tinp attachments where you mix up breakers i
13 interchangeably. We are only talking about undervoltage trip 14 attachments. There have been no shunt failures either, i 15 MR. WARD: What about the logie question, looking at 16 the broad spectrum of equipment that Westinghouse has 17 expertence with? Is there any notable difference in the 18 reliabt!!ty performance of equipment that is operated in the 19 plant as safety grade equipment and equipment that is operated 20 as nonsafety grade equipmentt 21 MR. LITTLE: From the studies we have done, and we
- 22 colleet reliability data across the spectrum of the plant 23 components, we do not see a major difference in a component 24 that has a safety classiftoation as opposed to one with a 25 commerotal classtfloation, The fact that a pump may or may
r I
l l
i 94 1 not have an "N" stamp really doesn't demonstrate that the pump 2 is more reliable.
3 What we have seen is the application of QA standards 4 is really a safeguard against design problems and those sorts 5 of things being in place- The appiteation of QA does not 6 increase the rettabilityt it safeguards against 7 unreliability. We manufacture most of our components to the l
4 same standard, 9 MR. WARD: The difference there escapes me.
10 MR. KERR: What is it there that guards against I
(~N 11 unrettability in the non-QA stuff that operates in the same 12 way?
l l 13 MR. LITTLE: Let me draw an example. The Class 1E l
14 electrical instrumentation gear, process control gear is 15 manufactured identtoally. The designs are identtoal to those 16 components we use in control and protection. What we do with 17 the protection-grade equipment is then quantfy that for Class 18 1E application, s'e i s a n o , environmental, search, withstand
. 19 ourrents, the whole nine yards of safety classifloation.
l l
20 ff the equipment survives those tests, it is 21 indeed qualifled and applied. It doesn't mean the equipment i
22 we manufacture for control system switches identtoal to that 23 equipment would not be capable of performing in the same esact
! 24 reliability manner as the prote6 tion-grade equipment. We do l
25 not generally design protection systems bestea11y because of l
l
! s :
95 1 the QA requirement. You design a system and then you quality 2 it. If it meets the qualifiestion requirements, it then is 3 indeed qualified.
4 So the qualification does not increase the S reliabilty of components; it assures the reliability of the 8 oomponents. And that is why we haven't seen a major 7 difference between the two. T I !
l 4 MR. KERR: I would say that was a statesmanitke 9 answer. !
10 MR. WARD: No, no. I think I understand.
11 MR. KERR: I think I do, too, I think it was very 12 well said. .
13 Mr. Rowsome, we interrupted you, I believe.
14 MR. ROWSOME: I thought I concluded, but I would be IS happy to answer questions.
16 (Laughter.3 ,
17 MR. KERR: In my opening comments, which you missed l 18 -- you were luoky -- I made the statement that we may be 19 asking too much of scram systems. I'm not quite sure what we l 20 are asking of them, but it seems to me that we set, 21 impliottly, at least, reliability requirements that cannot be i 4
1 22 demonstrated to be met and praattood. >
23 Has any thought been given to this kind of question 24 by the organisation with which you are assootsted? That is, I
25 do you look and say here is a subsystem, we really are maybe .
f l
!o -
If, for example, let's assume that 1 asking too much of this?
2 one uses a 10 to the minus 5 per demand as an appropriate --
i 3 not greater than 10 to the minus 5 per demand as an 4 appropriate number for the failure on demand of the total 5 scram system. Is that number really too hight Should one l 6 maybe consider designing systems that can tolerate scrams, j 7 let's say, or merely tolerate them?
8 l's not trying to focus on the scram system l 9 necessarily, but have you looked at this kind of question?
l 10 MR. ROWSOME: Well, let me give you a two-part
/"'T s s 11 answer. Individuals on the Staff have certainly thought about i
\_/
- 12 it. The institution has not brought itself to contemplate 13 standards development or basic reassessment of the way we do 14 business with regard to such concerns, so the institutional 15 answer is no, although individuals have certainly been i
16 concerned with it, and it has certainly arisen in particular 17 contexts such as the ATWS rule.
18 It is quite clear that some safety systems are much 19 more important than others by virtue of either the frequency 20 of challenge or the severity of the consequences of failure, 21 and we do not now in the regulatory process offootively
(
22 disortminate in terms of stringency of requirements, t
! i
( 23 stringency of QA and the like, stringency of reportage.
24 Many of us in the FRA community think it would be, 25 in fact, wise to use measures of importance to scale the
l l
97
\~ > l 1 allocation of emphasis in QA licensing, inspection and the 2 like, and that it might, in fact, be wise to set levels of 3 importance beyond which you do not go in design at all, and to 4 set other levels below which, if the importance is low enough, 5 the particularly expensive forms of qualification and the like 6 would then not be necessary, that off-the-shelf equipment 7 would suffice.
8 So that a designer would be offered the choice when 9 faced with a safety function of providing sufficiently rich 10 diversity and redundancy in ways of accomplishing a function, 11 that no one division of the system would have a high 12 structural importance and would afford levels up on levels of 13 opportunity to learn from experience should there be 14 unpleasant surprises associated with a function short of an 15 outright failure of the whole function.
16 And in that event, a stringent qualification and the 17 like would not be necessary. On the other hand, if one 18 chooses to put many of one's eggs in one basket, the 19 correspondingly more stringent requirements, including 20 rettability standards, reliability reportage, validation and 21 the like would be necessary.
22 MR. KERR; Thank you.
23 Mr. Ebersole.
24 MR. EBERSOLE: Frank, it is my impression that one 25 of the PWRs -- I won't say which one -- and certainly the BWR,
O O 98 1 when you look into its mitigative capabilities, you see a 2 rather nervous picture about the reliability of the mitigative 3 functions due to extreme high pressure in the PWRs and the 4 complex response the operator has to go through and the 5 reliability of the response of equipment on that boiler. If 6 you rely too heavily on that, you are simply going into 7 another reliability problem where I think the fruits of your 8 investigation are not likely to be as profitable as they are 9 here in the prevent mode.
10 I don't like to use fire escapes and parachutes and 11 life boats any more often than I have to, and preferably 12 never.
13 MR. KERR: Are there other questions?
14 CNo response,3 15 MR. KERR: Frank, in connection with the current 16 goals, I guess is the term to use, for performance of 17 auxiliary feedwater systems in PWRs, there is a reliability 18 something -- I am reluctant to use the term " requirement" 19 because I find myself caught in a maze which I don't 20 thoroughly understand, but at least that 10 to the minus 4 per 21 demand number exists in some fashion.
22 I'm not sure I know how it was arrived at. Perhaps
! I 23 it was a marriage of the idea and the practical that led to a l
24 choice of the number, but that, it would seem to me, is on the l
l 25 borderline of not being demonstrable by data.
. - . -. .=__ - - -
l l
99 i MR. ROWSOME: There is no requirement whatever to 2 follow up on that number. It is a number associated with the 3 rather stylized system reliability analysis done on the 4 licensing process following the format of the system 5 reliability studies done of the auxiliary feedwater system by 6 the Bulletins and Orders Task Force and the Probabilistic 7 Analysis Staff in the months after TMI, and used the same 8 stylized generic data and same modeling style, which doesn't 9 go to, for example, the reliability of the actuation logic or 10 a number of the auxiliary systems upon which the system may 11 depend.
(
12 It was a reaction to the discovery when those 13 studies of PWR aux feed systems were mass produced by the 14 Staff in late '79 that the kind of simplified fault tree
! 15 analysis that was being used there showed really very dramatic 16 differences in functional reliability from design tc design.
17 Failure probabilities varying by two or even three orders of 18 magnitude across the populations of designs were found, and it 19 was primarily to catch those outliers in a design sense that 20 this section of the Standard Review Plan was written.
21 The Staff never really bit off the intent of actual i 22 reliability qualification or verification at that level. You i \
23 are quite right, it would be very difficult, in fact, to 24 confirm 10 to the minus 4, and probably impossible to confirm i
25 10 to the minus 5, but that really wasn't the intent of the
1 r~T 100 1 exercise. The intent of the exercise was to close some of the i
2 loopholes in the single-failure criterion through which 3 systems with reliability problems of the kind that simple 4 fault tree analysis can reveal were getting past the licensing 5 process.
6 MR. KERR: I interpret that to mean that you would 7 not het your shirt on the relationship between that number and 8 the actual system reliability but you think there is some.
9 MR. ROWSOME: I think that's correct, yes.
10 MR. KERR: Now, there also was some statement about variability amongst systems, and it was variability in
[~]
N/
11 12 perceived reliability when using the simplified analysis. So f
13 you have to have some faith in the simplified analysis or you 14 would not believe the variability. There must be some t
15 relationship.
16 MR. ROWSOME: Yes, that's true. You can find in 17 HUREG-0611 and 0635 a long catalogue of design features which 18 unnecessarily comoromise the reltability of some of the 19 designs that were under review. The discovery emerged from 20 fault tree analysis and quantification with the standardised 21' generio set of data that Matt Taylor invented for the l
22 purpose. The validation that these were, in fact, unnecesarily 23 compromising aspects of design that ought to be rectified was 24 essentially engineering judgment from then on.
25 The Staff chose to require the fault tree analysis
t
' 101 '
1 according to the sama procedures, assumptions and style that d
r 2 had been done in those two NUEEOS of all new applicants for i 3 PWR operating licenses and chose to put in a numerical i
- 4 standard because it more or less captured the standards the '
, 5 individuals making the deterministic reviews of these design [
6 vulnerabilities had decided constituted their threshold of how i
.! 7 much fixing was enough on these vulnerabilities. !
8 So it was an attempt to capture retrospectively the 7
9 same kind of decision threshold that the Staff had used in 10 deciding which vulnerabilities tu fix when they looked at the ,
i
. 11 results of these fault tree analyses and looked at the j i \ l l 12 dominant failure modes of the designs in operating plants as t 13 of 1979. l I
14 It has not been a success regulator 11y speaking, as j 4
I o
15 a regulatory tool. The requirement for the fault tree 16 analysis has, in fact, I think, been effective in closing some 17 of the loopholes in the single failure criterion and getting it systems of better reliability design, but the numerical values i
i 19 in the Standard Review Plan have not pr.pved parthoularly J
20 useful in that regard, I !
j 21 Some people have used their penoil-sharpening l 22 exercise to try to demonstrate that very marginal designe j l
i
~ 23 should be accepted in the licensing process, and the Staff had I
- ' 24 to fall back on the original engineering judgment it had used i l
t 1
i 25 in arriving at these thresholds in the first place to deal !
i *
- - - , - - - _ ~ - . . - , - , , .-._ _-m~.m,---,.,_.-_,-_-,.mm_
r- -
t I i D
's 102 i with these issues.
j 2 In practice, 1 don't believe any licensing decision 3 has been improved by virtue of the fact that the Standard l 4 Review Plan mentions 10 to the minus 4, 10 to the minus S. It S has not been a useful feature of safety analysis to have those 6 numbers there.
7 MR. KERE: Well, it seems to me -- I had thought it 4 was perhaps a useful step in the direction of trying to use 9 reliability analysis, because it seems to me, it's in a system i
10 in which performance is such that you might collect enough 11 data over the years not to demonstrate 10 to the -4 maybe, but 12 to demonstrate perhaps 10 to the -3.
13 Indeed, it seems to me that this provides the Staff 14 an opportunity to do some experimenting and to reconsider that 15 approach to a system whtoh is obviously important and whtoh 16 may be in a realm in which, say to to the -3, if you really 17 oculd demonstrate 64, it might be seceptable, and the 10 to 18 the -3 might also be demonstrable.
19 Well, that doesn't have much to do with scram 20 systems, 21 MR. HRNNAN: Frank, correct me, if I'm wrong, isn't 22 the only case in the Standard Review Plan where you find the
) 10 to the -Se in the seetton relating aus feed
'/ 23 to to the -4, 24 systemet 25 MR. ROWSOME Oh, yes, that's true, it's unique to
i l ,
1 i I 103 1 PWR auxiliary feedwater systems.
2 Mt. DAVIS: Mr. Chairman, I had a related comment.
3 We were given a memorandum signed by Bernero. The subject is ,
4 enhancement of the reliability 9f Westinghouse solid-state 5 proteotton systems, in whtoh ! believe the Staff is proposing 4 some method to improve their rettahitity.
7 They go through an event tree analysis to do a I i
1 8 cost /beneftt assessment of this proposed itz. And one of the 1
9 things that appears to be important to that evaluation is the 10 auxtllary feedwater reliability. And the Staff ehose to use 10 to the -3 in that evaluation.
(}
V 11 13 It seems to me that that la a somewhat possimistle 13 number and not consistent with the Staff's previous number of i
14 10 to the -4. And furthermore, it is certainly much higher 15 than several of the recent PRAs that are on the street.
le I am wondering if there is some other basis for the !
17 use of that numbert it's no consistent with WA8H=l400 either, k it MR. ROWSOMtt it is consistent with the precursor it study. Cold functional fattures of the system came out about j 30 to to the -3 in the precursor study, t l 31 MM, DAVI5i That's correct. The ORNL precursor j i
23 study has a number of 10 to the -3, although there is some l \ 33 debate about. For example, as I understand it, the PNA has 10 34 to the 4 as their aux feed reliability number. It seems to !
- 3. me the resuits .,e ,utte do,endent on . hat ,ou ohoose. i, it l
,O 104 I was the precursor study that was used as a basis, then that's 2 the answer to my question. But it is not consistent with 3 other documents, 4 MR. ROWSOME: I don't remember how the study was S done well enough to know what the source was.
6 MR. KERR: In studies of that sort -- and I realise 7 Bernero -- 1 don't know how far this plan has gone, but is 8 there sort of an impitoit commitment to try to use realistto 9 numbers, or is there a commitment to use conservative numbers, 10 or is there no guidance of this sort availablet
( 11 MR. ROWSOME: There's no propensity on the part of a the Staff to use deliberatively conservative numbers, except 12 13 possibly in priorittsation of generlo issues where the penalty j 14 assootsted with being unduly possimistic is simply that you 15 allocate a Itttle more resources to what ultimately proves to 16 be a non-problem.
17 Outside of that arena, there is no propensity in the it use of system rettability numbers or PNA analyses among the 19 8taff to dellberately exaggerate. There is some anxiety on 20 the part of the Otaff that they may be seriously 21 underestimating, and that may drive them to be a !!ttle 22 conservative on ooossion, but there is certainly no polloy of 23 putting in conservative margins, 24 MR. KERR: You don't think Mr. Bernero has been
! 25 ineffeettve by his assoolation with his most recent
i i
A
( ) 105
%J 1 organisation?
2 MR. ROWSOME: I don't think so.
3 MR. ROSA: I believe I can shed some light on that 4 number. I believe it came from the SECY paper that went to 5 the Commission for their consideration in the ATWS rule, and 6 Tom Dunning, who wrote the letter you have in front of you 7 there, took that as being the most authoritative data that he 8 could use.
9 MR. DAVIS: My problem is not that the 10 to the -3 10 is a bad number. The problem is that it varies so much from PWR to PWR that using this result as a blanket generio O 11 12 requirement for all PWRs may, in fact, not be valid.
13 We know, for example, there are aux feed systems out 14 there that probably are not much better than 10 to the -3, but 15 we also know there are probably some that are in the 16 neighborhood of 10 to the -5.
17 1 guess my concern is, this assumes one number for 18 all PWRs and then draws some conclusions about the 19 oost/ benefit as it would occur if applied to all PWRs.
20 I realise this is always going to be a problem in 21 the app 1tostion of PRA, and I guess we just need to keep 22 watching for it.
23 MR. HERNAN: Keep in mind, though, as Frank 24 mentioned, when we're dealing with priorittsation of these 25 issues -- and that's exactly what this letter is that we're
i 106
(
1 talking about -- it's a request to the Division of Safety 2 Technology to prioritise this item, that sometimes our numbers 3 Twoul'd-. tend to be a little on the pessimistic side. It's not "A
4 to beninterpreted as the Staff deciding to apply 10 to the -3 5' to all types'of generio --
6 MR. DAVIS: Why don't you use a beta factor of .01 7 --f o r logic chainsr1n this same analysis? I would consider that I' 8 number to be on the optimistic side from other information l 9 I've seen.
".k .
10 But I don't want to debate this now. I'm just
-s 11 suggesting, these things have to be done pretty carefully to 12 have generic applicability.
13 MR. HERMAN: As I mentioned earlier this morning, 14 PNL is looking at this package from the same perspective that 1
o 15 I think you are discussing.
16 MR. KERR: You are probably not aware of the Davis 17 Theorem. There*s a theorem by a man named Davis that says to that the risk always increases with the number of reviewers.
19 It might be almost a quadratic increase, at least linearly.
20 MR. DAVIS: You used to put your name on that 21 theorem, too.
22 MR. KERR: 1-think credit should go where credit is
\ 23 due.
24 [ Laughter.3
(
- 25 MR. WARD. He took his name off after Okrent blasted
t
- V- 4, g .
fl t x
T %,
N , $
- s. g 4
J /'
e 1 -- could I ask, Ron, why,s in using -- trying to use 2 prioritized generic issues, there is sort of a specific bias s
4/
3 of conserve.tism in the evaluation? What is the attitude and 3-I t 4 philosophy?
- 9 b' 5 I just heard Frank say that there isn't any
,6 purposeful use of conservatism in any other use of PRA in the
,o ,
7 agency, exceqt for generic issues. jWhat is behind that?
{u 8 ,, MR. HERNAN: I think If"d like to defer that to oy ,, , ,/
a, f
)
9s y t.
Frank, since it's his. /,
s t' f f
/z tr 10 4,, MR. KERR: Yo,r've'just Leen made the guru of generic
.s' u 11 issues, Frank. h Nd1.\ / '/ ,
t - .
_y 4 y
- 12 MR. ROWSOME: S9B is under my direction, so that's
-s 13 part of my responsibility, at least the prioritization.
s ,
- It is the i ntont and has been the intent, without 11 y
15 any formal (policy development on the subject, to make PRA as
) ~
16 realistic as we know how to do. That's not to say that there
- s s 8
e ,
17 are'not i nstances in which conservative numbers are used or 4'x 4 ,
4 7 y 18 occasionally optimistid nimbers are used. Frequently,
// ,
19 developing a highly realistic model of either system 20 performanedforl/ Accident phenomenology or component reliability
./ o J {)+
'y 21 would be a massive undertaking that would require resources I
' hl 22 out,r/f proport, ion to the significance of the study or the uses
, x:
23 n; je t'o whi c h i t ?
w uld be put. i
{ .
'[ $, f Asd so in those contexts, it is common practice, 2? ' / ~
^ \. ;t .
D* y.
,s ,
25 b o t li i. wi t h < t h e, industry and with the Staff, to use the lease
[ ,
i I
l l
138 O~
1 conservative approximation that we can easily justify, when 2 forced to go to approximation, rather than just throw in the 3 sources and detailing every more complex models.
4 It's common practice throughout the industry and 5 NRC-sponsored PRAs-to start out with a model that is quite 6 primitive and quite conservative, frequently ignoring recovery 7 actions during the course of an accident or something of that 8 kind, in order to lay out the backbone of-the catalogue of 9 accidents to which a plant might be subject.
10 And, to get a picture --
['T 11 MR. WARD: Are you getting to the point as to why (j
12 generic issues are singled out?
13 MR. ROWSOME: Oh, you want me to emphasize that? I 14 can easily.
15 The purpose of a generic issue prioritization is to 16 allocate Staff resources to their resolution, to their 17 investigation and resolution. It is done very briefly, 18 typically in about two man-weeks.
19 MR. WARD: Why do you want a bias tosards 20 conservatism?
21 MR. ROWSOME: We want to be very conservative there, 22 because the penalty of dismissing a serious issue could be 23 significant to public health and safety, whereas the penalty 24 of allocating a Staff man-year to investigating an issue that 25 turns out to be of no safety significance is just that one
T' Q_,h 109 1 man-year lost.
2 So the penalty associated with being overly 3 optimistic in generic issue prioritization, but the penalty 4 assooisted with being overly pessimistic is very modest. It's 5 a little bit of Staff time and effort and money frittered 6 away.
7 As a result, we are deliberately quite conservative 8 in the prioritization studies, which attempt to discriminate 9 which candidate generic issues warrant prompt Staff resolution 10 and which don't.
11 MR. EBERSOLE: I'll ask a question about that. In 12 this statement about conservatism, when you look at cost, am I 13 not correct in saying you look at cost in the abbreviated 14 context, not including averted offsite and onsite costs, that 15 you look at it in the context of, you know, your thousand 16 dollars per man-rem, and that's about it.
17 MR. ROWSOME: In prioritization, we do discuss where 18 it is significant onsite losses as a subsidiary consideration, 19 although it does not appear in the S-soore, which is dollars 20 per person-rem. The person-rem figure is itself conservative 21 enough. The decision criterion on person-rem, the standard of 22 a thousand dollars per person-rem, is conservative enough to
" 23 develop offsite radiological property damage as well as health 24 effects.
25 MR. EBERSOLE: And what about onsite property
1 l
110 1 damage, loss of generation, all of this stuff, which is 2 presently a theme of argument in the safety goal area?
3 MR. ROWSOME: It does not appear in the S-score. It 4 does appear in the considerations and has, on occasion, 5 influenced the bottomline conclusion.
6 MR. EBERSOLE: But there's no consistent data. You 7 do or you don't consider these?
8 MR. ROWSOME: It's always considered. It never 9 appears in the S-score, but it's always considered.
10 MR. EBERSOLE: It never appears in the S-score.
11 MR. ROWSOME: The S-score is not necessarily the 12 determinant of the priority classification. We have 13 prioritized as high on some issues whose S-score would not 14 have warranted it and vice-versa.
15 MR. KERR: Further questions on this topic?
16 Mr. Lipinski? ,
17 MR. LIPINSKI; I'd like to back up to the memo from 18 Bernero to Siess, dated April 5th, on the Westinghouse l
19 solid-state protection system.
20 The use of the beta factor appears in this memo, and 21 I have yet to see a document from NRC which gives blessing to I 22 the beta factor as being a method for being used in analysis.
23 There have been contractor documents submitted to 24 the NRC, but never has the NRC said that these documents form 25 the basis for an acceptable method of analysis.
l
- 111 1 MR. KERR: Is that a question or statement?
2 MR. LIPINSKI: It's a question. I'm asking.
3 MR. KERR: What is the question?
4 MR. LIPINSKI: This is an NRC document. They have*
5 used the beta factor themselves. Where is the foundation, the 6 basis for using the beta factor in this analysis?
7 MR. KERR: Okay.
8 MR. ROWSOME: First of all, PRA, with a few isolated 9 exceptions, is not a licensing requirement, and so has never 10 received a standardized, approved set of procedures that this
["' 11 is the right way to do it, this is the wrong way to do it.
V) 12 There are procedure guides developed under NRC 13 sponsorship for the development and documentation of PRAs.
14 There's three of them that I know of, but none of them were 15 attempting to set a blanket policy saying, "This is the right 16 way, and the others are wrong ways." This is still an 17 exploratory tool, and it has never been codified the way 18 Appendix K calculations have been codified into a stylized 19 methodology, except for the few particular applications of 20 which this is clearly not one.
21 MR. LIPINSKI- Yes, but the beta factor right now
,, 22 seems to be snatching them out of the air, using it, and then 23 this filters right into your final result.
24 The question is, how are you snatching these 25 numbers? What's the basis for it?
112 1 MR. KERR: Walt, he's told you there's no NRC 2 policy, so it's a matter of individual preference as to how 3 one does a PRA. The weight given to that by the 4 decisionmakers is another question.
5 MR. LIPINSKI: But the beta factor method, there's a 6 fundamental assumption in there, because this is trying common 7 mode factors --
8 MR. KERR: But he's saying, there's not a standard 9 NRC way of doing it. Isn't that right?
10 MR. ROWSOME: That's right.
11 MR. LIPINSKI Okay. No further discussion.
12 MR. KERR: If you want to register a protest --
13 MR. LIPINSKI- I do. I register a protest, because 14 right now the beta factor is being promulgated throughout all 15 these PRAs, yet there has not been a good basis for saying 16 that this is really what you want to do. And yet when you 17 look at a PRA, that beta factor pops up.
18 MR. KERR: The beta factor is a wonderful tool to 19 make your answer come out the way you want it to come out.
20 MR. LIPINSKI: That's right. Snatch it up, put it 21 in. This filters out to your final answer.
22 MR. DAVIS: I disagree. It's better than that. The 23 beta factor itself is derived from common-cause failures that 24 have been observed, and in some cases, the data is very good.
25 MR. KERR: Once a common-cause failure has been
1 f~
113 ks/
m 1 observed, you can take account of it. It no longer becomes a 2 common-cause failure. It's a dependency. You need beta 3 factors only for unknowns.
4 MR. DAVIS: Well, there is still common-cause data 5 that leads to a single beta factor that can be used for other 6 kinds of systems that are similar.
7 MR. KERR: if you have data and can identify a 8 sequence, you don't need to cover them with a beta factor 9 anymore. You put it in as a dependency.
10 MR. DAVIS: The common-cause failure is a dependent
(~'h 11 failure, and you can handle it either way you want.
12 MR. KERR: But the uncertainty --
13 MR. WARD: The beta factor is a way of expressing 14 dependency.
15 MR. DAVIS: That's right.
16 MR. KERR: It's primarily a way of expressing 17 dependencies that you have not identified yet.
18 MR. WARD: Sometimes it's a way of expressing o.
19 guesses of dependency. Sometimes it's based on more than 20 that.
21 MR. DAVIS: It's more than to pull out of the air or 22 a guess.
\ MR. LIPINSKI; The beta factor is a number applied 23 24 to a constant failure rate on a component, and you are saying 25 that's determining common-mode. Common-mode can be determined
114 l 1 completely independent of a common-mode failure rate.
2 MR. KERR: There are a few other uncertainties in 3 FRA, too.
4 Mr. Rowsome, thank you. I think that takes care of ,
i.
1 5 the questions, and I believe brings us to our presentation by 6 Westinghouse, for which we're only about one hour late.
7 [ Slide]
i 8 MR. LITTLE: Good morning. I have been sitting 9 there with lots of anticipation, waiting to get up and, 10 hopefully, enlighten some people, and maybe reinforce what 1
11 some other people have already said.
! 12 My name is Jim Little. I'm the Manager of Operating 13 Plant Licensing Support in the Nuclear Safety Department of 14 the Nuclear Technology Division, and I am responsible for 15 following the issues with respect to reactor protection, 16 system reliability and functional design, and more notably, 17 the ATWS rulemaking process, over the past three years.
18 Today I am going to talk about what is alluded to in i 19 the agenda about protection system reliability to some extent, 20 efforts that we have initiated on our own and with the members 21 of the Westinghouse Owners Group, and talk a little bit in i
i t 22 detail about the Sequoyah event and what it means.
23 With me is Mr. Mike Hitchler, who is the Manager of 24 Plant Risk Assessment in our Risk Assessment Technology 1
25 Department in Nuclear Safety. He is going to get up and give
i i
s 115 1 the second half of this presentation and talk about the 2 reliability aspects of the protection system and how it 3 relates to overall plant safety, and many of the issues that 4 have been discussed in quite a lot of detail already this 5 morning.
6 There are about 70 people in the Nuclear Safety 7 Department who work exclusively on the issues of reliability i
8 and risk assessment as a full-time job in addition to that, j
9 [ Slide]
10 In our Engineering Department there is a reliability
[)
s./
11 engineering system that is responsible for the maintenance of 12 reliability data bases. They work very closely with 13 organizations like INPO and NPRDS. They also maintain the 14 Westinghouse reliability data base on Westinghouse supply 15 components and do many such analyses as trending kind of 16 analyses and investigative studies to what is happening in the 17 reliability arena.
18 I am going to talk about three areas this morning 19 that relate to the issue of protection system reliability, 20 response to the Salem event, the protection system reliability 21 analysis, that will be covered in more detail by Mr. Hitchler, 22 and I will talk about Sequoyah and what happened and what we 23 believe the implications are and the actions that we are l l
24 taking to look at that situation.
25 Before we go any further, I would like to point out
4 116 1 that a lot of terms have been used interchangeably here this 2 morning, and incorrectly so. I have already mentioned one of 3 them. The failures that we have seen have been undervoltage 4 trip attachment failures on reactor trip breakers, not reactdr 5 trip failure breakers. There never has been a reactor trip 6 breaker failure. There has been a failure of the breaker to 7 open caused by the failure of an undervoltage trip attachment 8 to actuate. There has never been a failure of a shunt trip 9 attachment to operate.
10 Shunt trip attachments have always been installed in 11 every Westinghouse reactor trip breaker from the first plant 12 on. Several plants in Westinghouse had the automatic 13 actuation of both the shunt and undervoltage trip attachment.
14 Due to the regulatory process on the criteria during the 1960s 15 of deenergize to actuate, the automatio actuation function of 16 the shunt trip on the breaker was removed.
17 It was maintained in the manual trip function, which 18 also the manual trip function doenergizes both the UV trip 19 attachment and energizes the shunt trip attachment and trips 20 the breaker, and in fact the actuation od the shunt trip 21 device was the actuation that caused the breaker to open on 22 the second Salem event.
O\ 23 MR. KERR: Mr. Little, let me see if I understand 24 your statement, which I think was that there has never been a 25 trip breaker failure.
117
\,,
1 MR. LITTLE: That's correct.
2 MR. KERR: Do you mean there has never been a 3 failure of a breaker of that type or there has never been a 4 failure of a breaker that was in a trip circuit, or just what 5 does that statement mean?
6 MR. LITTLE: There has never been a failure of a 7 model DB or model DS reactor trip breaker in service. There 8 have been failures of the undervoltage trip attachments on 9 those breakers to operate, not by the trip breaker itself.
10 MR. EBERSOLE: When you put that device in there, it 11 becomes an integral part of the breaker. Simply to isolate O 12 the rotating shaft device and say that never fails is, you 13 know, not admitting to the presence of an integrating device 14 which makes that breaker fail.
15 MR. LITTLE: The reason I'm making that 16 clarification is how many DB breakers are in the rest of the 17 plant. A voltage trip attachment has been the only failure, 18 and its only application is in the reactor trip system.
19 MR. KERR: Are you further extrapolating this to say 20 that there have been no failures in that type breaker and the 21 balance of plant applications?
22 MR. LITTLE: There have been no failures of that 23 model breaker to open in the balance of plant actuations.
1 24 MR. EBERSOLE: You are saying, in essence, if you l
I 25 rotate that trip shaft, it's going to work; correct?
118 1 MR. LITTLE: Correct.
2 MR. KERR: Let's see. Is it "You can be sure if 3 it's Westinghouse" or GE? I have forgotten. Westinghouse, I 4 think.
5 MR. LITTLE: The GE one, I can't make their 6 reliability statement.
7 MR. KERR: You are telling me you expect zero 8 failures?
9 MR. LITTLE: No, I did not say that. I said there 10 have been no failures, but I didn't say I didn't expect any N 11 failures.
12 MR. KERR: This extends over probably, what, ten 13 years of experience?
14 MR. LITTLE: Over 20 years of operation.
15 MR. EBERSOLE: Do you attribute that --
i 16 MR. KERR: Mr. Ebersole -- how many total breakers
- 17 would you guess?
18 MR. LITTLE: I don't know the total population of 19 the breakers. I believe there are approximately, let's see, 20 about 140 reactor trip applications.
21 MR. KERR: I'm talking now about the whole 22 population of breakers.
23 MR. LITTLE: Population of DB-type breakers is in 24 the tens of thousands.
25 MR. KERR: There has never been a failure?
- - . . . - _ _ _ _ _ - _ _ _ _ - _ - . _ , . . , _ , , , _ - . _ , _ _ . . ~ _ . - . , _ .._ - _- _ -.,..,_-.- . _ , - . _ _ - , _ _ _ _ -
119
\
i MR. LITTLE: Not to my knowledge.
2 MR. KERR: I'm asking the question because --
3 MR. LITTLE: Not to my knowledge.
4 MR. KERR: That's quite a different statement.
5 MR. LITTLE: We investigated with the reactor trip 6 switch division if they were aware of failures in service 7 similar to this application. They were not aware of any.
8 MR. KERR: I'm not talking about similar to this 9 application; I'm trying to understand what Westinghouse knows 10 about the reliability of that breaker because, as I think you
'\ 11 said, there is not a lot of difference between the way that 12 breaker is put together, whether it goes into a safety or 13 nonsafety application, and I am trying to get some feel for 14 how reliable one might expect it to be.
15 MR. LITTLE: I intend to show you some very 16 quantitative data on the survey we have done.
17 MR. KERR: If there has never been a failure, then 18 your data don't tell me much of a --
19 MR. LITTLE: I'll tell you about the failures.
20 MR. EBERSOLE: Mr. Chairman, may I ask a question?
21 MR. KERR: I'm finished. Yes.
22 MR. EBERSOLE: You say, yes, if you rotate the trip 23 shaft, it will work. Taking that as a basis, do you attribute 24 this reliability to the difference in the force margins, which l l
l 25 are 6 to 1 on the one hand, and 2 to 1 on the othert j l
i 120 1 MR. LITTLE: I don't know what you are comparing.
2 MR. EBERSOLE: You said here in your presentation 3 your UV trip has a 2 to 1 force margin ratio, whereas your 4
4 shunt trip had a 61, which automatically says you expect the 5 shunt trip to work better.
6 MR. LITTLE: Quicker.
I 7 MR. EBERSOLE: Quicker, and override lubricant 8 problems, et cetera. ' Suppose I invoke, though, the notion I
9 that how many failures have you had in actual accomplishment 10 of the rotation?
(~N 11 MR. LITTLE: If I'm allowed --
1 12 MR. EBERSOLE. This would account for qual failures, 13 failures to energize the circuit. Do you foll.ow me?
14 MR. KERR: He says he is going to cover that.
15 MR. LITTLE: Let me proceed.
16 [ SLIDE) .
17 First let's look at what the response to the Salem 18 event was. Westinghouse and the Owners Group have invested i i
19 quite a bit of resources and finances to the whole issue of 20 reliability protection system, all told. Westinghouse has 21 invested with respect to the Salem event about $1 million of 22 its own finances, and the Owners Group has invested 23 approximately $2 million of its finances to investigate a i
24 number of areas.
25 The response to the Salem event really focused on
/N 121 1 four points. I should point out these initiatives were 2 committed to by the Owners Group prior to the issuance of 3 Generio Letter 83-28, which required them for all licensees.
4 These initiatives actually formulated the basis for the 5 elements in 83-28.
6 The first was a commitment to perform a reliability 7 analysis of reactor trip switch gear operating experience in 8 detail. The second was to perform generio design to 9 incorporate the automatic shunt trip of reactor trip switch 10 gear for its application. The third was life cycle testing 11 and qualification of the undervoltage and trip and shunt trip 12 attachments for the switch gear. The fourth was to i
13 incorporate maintenance programs and distribute them to the 14 managers of the Westinghouse Utilities owners Group.
15 I will go on in a little more detail to talk about 16 reactor trip switch gear operating experience.
17 (Slide) 18 We did a survey of all the Westinghouse domestic 19 utilities to gather data. That covered 31 plants, all 20 operating reactors, and in some cases included some plants 21 that had not yet started up where data was available on 22 testing of breakers. About 250 reactor years of experience 23 over a 20-year period.
24 It addressed applications of both main and bypass 25 breakers. They requested failure data reports on the courses
.A o
122 1 of corrective actions taken, any information relating to a 2 failure of that component at any point in service, whether it 3 was preservice installation, whether it was maintenance or 4 whether it was actual autotrip.
5 We calculated in addition to that the actual number 6 of demands that these individual breakers would have seen from 7 all causes, autotrip testing, maintenance, whatever, to be 8 able to identify reliability on a plant-specific basis.
9 [ Slide]
10 Of the 26 plants that we had with DB-type breakers, approximately 10,000 DB UVTA cycles were reported. You can r~N 11 12 see from those three areas there were 22 reported events of 13 failure. Eighteen of those were deemed to be independent 14 failures, and we have labeled here four common causes for 15 Salem. ,
1 16 Westinghouse opinion is that a common cause is a 17 common cause. Because you tried it twice doesn't mean it was 18 the second common cause. In our opinion, this is the one 19 common cause of failure at Salem, which encompassed two 20 breakers on two events. But we treat this as one common cause 21 failure, but in the study identified it as four.
22 We looked at the data on an overall basis. What O
-s 23 that tells us is that the reliability is approximately in the 24 arena of 10 to the minus 3, what we expected and what we had 25 been using in PRAs.
s !
123 l 1 I would like to bring up a point that Mr. Davis 2 raised with respect to the Zion PRA study and talk about 3 three PRA studies performed by Westinghouse and, in fact, 4 performed by the group that Mike Hitohler manages. We used 5 plant-specific reliability data in performance of those PRA 6 studies.
7 The Zion plant happened to have four of those 8 failures, and that is why the reliability rate for those 9 breakers is higher than you will see for a generio failure 10 rate, and it is appropriate to use plant-specific data to 1 -1 update in a Boysian method a data base to establish a period 12 for the Zion plant.
13 I would also like to point out two other points.
14 The first is that AEOD states you cannot do a trend pattern 15 analysis to predict failure, and I agree with that totally. I 16 talked with Jack Heltemus last week and I agree with 17 everything they say. However, if you look at the plants that 18 have had problems, the problems were not an isolated instance 19 of a random failures; they were numbers of failures.
20 I took the Zion plant, for example. They had four 21 failures of those breakers. Zion, because of the failures of
}
22 those breakers, initiated a very aggressive manage / maintenance 23 program back in 1980 with those breakers, and since that 24 time, they have not had a failure of those breakers to actuate
! +
25 due to an undervoltage trip attachment failure.
N
((m,) 124 l
1 So the other point I guess I would like to make is 2 that someone stated we are not getting enough operating 3 experience to be able to factor in deliberations like this.
4 That kind of surprises me because I think that is the purpose 5 of this meeting. I think the Salem event certainly brought 6 this meeting to the forefront, so I guess I disagree with 7 that.
8 The other point I would like to make is that INPO 9 has a number of fairly aggressive programs, not only NPDRS but 10 programs like the see-in program to evaluate failures in plants. They also categorize these failures in anumber of
] 11 12 ways that look to see if another subsequent failure could have 13 resulted in a subsequent loss of safety functions. They 14 evaluate these for common mode failure potential, and I think 15 that effort is fairly commendable.
16 Someone mentioned about the maintenance area during 17 the meeting, and who was investigating the maintenance area.
18 INPO has yet again a maintenance practices program, 19 maintenance accreditation program. As a matter of fact, INPO 20 held a Reactor Trip Switch Gear Workshop last year. So there 21 are a number of areas I think it is very important to look at s 22 across the board at some of these areas when we are talking i
23 about this because many times it may not be a vendor who has 24 initiated something, it may not be the Staff, but there are 25 other functions that do things like that.
p '
125 1 So I don't think the only efforts are in the 2 regulatory arena in what is in the criteria.
3 Getting back to the DB 50 failure rates, basically 4 we looked at them. They were not random failures. They 5 occurred -- they seemed to occur randomly. They were not just 6 due to the spurious nature. If you look at the data base very 7 closely, you will find out these are maintenance failures.
8 The failures are a direct result of the maintenance-related 9 activities, either some failure to follow procedures correctly 10 or some inadequate maintenance, maintenance not being 11 performed. So in many cases the majority of this data where we 12 had identifiable causes, they were determined to be 13 maintenance related.
14 MR. WARD: Jim, to what extent would this 15 concentration of maintenance failures be related to whether or 16 not the system is designed for maintenance?
17 MR. LITTLE: I guess it points out a need that was 18 not addressed prior to this, and I think that need, the 19 responsibility of that problem rests on everybody.
20 Maintenance has been largely ignored in the past by not only 21 the vendors, the designers, but by the utilities and by the 22 regulators, and I think that is why you will see the big 23 emphasis on maintenance practices nowadays.
24 If you look at common cause, it dominates most 25 everything we have, and maintenance is the major factor in
i 126 1 common cause failures that we have seen. I guess basically we 2 are applying hindsight here. We get some operating experience
.3 that says maintenance is very important. I don't think it was 4 very well thought of back in those days by anyone.
5 So I guess I don't know how to answer that, Dave.
6 MR. WARD: But you seem to say it wasn't thought of 7 by anyone, including the designer, as well as the user. Is 8 that correct?
9 MR. LITTLE: That's correct. It was not adequately 10 thought of.
~ 11 MR. KERR: Is it being adequately treated now, in 12 your view?
13 MR. LITTLE: I think efforts like 14 managed / maintenance programs for safety-grade systems,-like 15 maintenance review programs, like the programs that INPO are 16 carrying out are certainly making a dent in the problem.
17 MR. WARD: All of those you mentioned seem to be 1
18 related to the programs for users. What about designers? Are 19 designers paying more atten' tion?
20 MR. LITTLE: Yes. As a matter of fact -- We will be 21 speaking in an area that I am pretty much familiar with but 22 not responsible for. Many of the new designs of components O
s- 23 that we do, particularly in the electrical area today, are 24 ease in testing without perturbating a system, are designed 25 for ease in maintenance. If you ever come to Westinghouse,
b 127
_/
1 I'm sure the people will be glad to show you how the cabinets 2 hold out.
3 You now have access to components. You now have a 4 snake in your hand with a voltmeter. We are also dealing with 5 a technology ten years old that is coming on line now. Many 6 people think Westinghouse solid state protection system is the 7 latest protection system. There are, in fact, 25 of those 8 systems. There is a Westinghouse integrated protection 9 system, which is microprocessor based. It has fiberoptics 10 isolation between components, and many of those things we 11 incorporated that we learned in the past are in the new 12 designs. ,
13 That doesn't mean it is cost-effective to rip out 14 the entira protection system for !a plant and install new state 15 of the art.
16 I guess the other point I would like to make with 17 respect to maintenance is you can have procedures and those 18 sorts of things, but there should be safeguards in procedures 19 like that. .Probably the best example when we talk about 20 safeguards is this preservice testing, post-maintenance 21 testing.
t 22 You find out many of the problems -- identically,
[t'! 23 Sequoyah -- c o u l'd have been totally avoided if that technician 24 had tested that component before declaring it to be back in l
So I think there are some practical things that l 25 service.
O 128 1 don't necessarily require state of the art but just a common 2 sense, cautious approach to performing maintenance on a plant.
3 MR. LIPINSKI. I have a question on your l'a s t 4 Vu-graph. You came up with the 1.7 x 10 to the minus 3 5 failures per demand.
6 For 10,000 failures, demands, that would be 17 7 failures. Yet you are showing 18 plus the fcur common cause.
8 Is.this a simple point estimate, or how did you 9 arrive --
10 MR. LITTLE: This number is just a simple point
[ 11 estimate. However, in the study that we did and distributed 12 to the Owners Group, there were point estimates and confidence 13 limits established for every plant in that study.
14 MR. LIPINSKI: This number has to be bigger than the 15 1.7 on the basis of 10,000.
16 MR. LITTLE: I believe the number is 9160 demands, 17 That should say approximately 10,000. I believe 9160 is the 18 number. I can show you the actual study if you would like.
19 CSlide) 20 With respect to DB 50 DS breakers, there were seven 21 failures. These failures were attributed to manufacturing 22 anomalies. In the specification of this design, there was
( 23 inadequate specification of tolerance of critical parts.
24 Clearly, that was overlooked by the designers. The 25 manufacturing variability, they accumulated in several of
y 129 1 these devices and resulted in a binding problem with the 2 undervoltage trip attachment. It was a design-related error, 3 clearly.
4 Westinghouse recognized that and we did an extensive 5 analysis as to what the cause was. We went back and provided 6 new devices at all Westinghouse plants, which were five plants 7 at that time, revised the manufacturing procedures to specify 8 the critical tolerances that were necessary. We required 100 9 percent inspection of those critical parts, which wasn't done 10 prior -.
11 MR. DAVIS: Mr. Little, that should be 10 to the 12 minus 3, I presume as your failure rate?
13 MR. LITTLE: Yes, it is. That means it fails, you 14 can walk away and it's still failing.
15 MR. DAVIS: In the Millstone .3 PRA which was done 16 by Westinghouse, there is a number in there of trip breaker 17 failures of 3.38 x to to the minus 4 per demand. Do you know 18 where that number came from? It doesn't seem to be consistent 19 with the numbers you have been showing us here.
20 MR. LITTLE: This was operating data.
21 MR. DAVIS: Millstone .3 has not operated yet, so 22 there can't be any plant-specific leverage on that data.
23 MR. LITTLE: I guess I will ask Mr. Hitohler to 24 answer that question.
25 MR. HITCHLER: That 3.8 x 10 to the minus 4 number
h v 130 1 is based strictly on their mechanical portions of the 2 breaker. It doesn't include the undervc1tage sections.
3 MR. DAVIS: That's accounted for elsewhere in the 4 reactor protection system reliability number?
5 MR. HITCHLER: That's correct.
6 MR. LIFINSKI. On these UVTAs for the DS, are these 7 the same as the DB or are these newly-designed UVs?
8 MR. LITTLE: The DS undervoltage trip attachment --
9 MR. KERR: Exouse me just a minute. I want to 10 understand that last question in light of the fact that the 11 Westinghouse DB breaker has never failed.
O
\
12 MR. LIP 1NSK!. We are talking about the undervoltage 13 trip attachment on the DB. Okay?
14 MR. KERR: I was quoted a number which I thought I 15 was told neglected the UV performance. What did it knolude if 16 it neglected the UV per.formance? I thought you told me that it 17 was the breaker performanoe, which I had been told earlier was 18 perfect.
19 MR. HITCHLER: We have no data that shows that we 20 have experienced those failures. Part of this process was to 21 say how far can we really trust the overall data bases. So as 22 part of this overall data assessment, we also used the Delphi 23 process in terms of saying how far can we really trust the 24 information we are getting.
25 MR. KERR: Okay. Thank you.
(N 131 1 MR. WARD: I wondered where they got the two 2 significant figures.
3 MR. DAVIS: It's actually 3.38.
4 MR. LIPINSK1: On the DS breakers, you designed a 5 new undervoltage trip attachment?
6 MR. LITTLE: The DS undervoltage trip attachment was 7 designed in the early 1970s and was a replacement for the DB 8 50 switch gear, which was a design from the late 1940s or 9 early 1950s.
10 MR. LIPINSKI. So the undervoltage trip attachments 11 on the DS are the DB UVs.
O. 12 MR. LITTLE: No. The two breakers and their 13 attachments are entirely different from each other. The 14 undervoltage trip attachments do not even function in the same 15 way.
16 MR. LIPINSKI. So where did these new undervoltage 17 trip attachments for the DS come from, again?
18 MR. LITTLE: They were romanufactured. We made new 19 undervoltage trip attachments for these plants as a result of
! 20 the binding problems we had on those five plants.
21 MR. LIPINSKI So they are a new design.
, 22 MR. LITTLE: No, they were romanufactured with 23 tighter tolerances and 100 percent inspection. Same identical 24 design. What we did now was a critical inspection and 25 respecification of some of the manufacturing tolerances and
m 132
~-
1 100 percent inspection of those and factory tested.
2 MR. KERR: What they did was to generate a higher 3 correlation between design and final product than existed 4 previously.
5 MR. LIPINSKI; That is what it sounds like: namely, 6 you had findings but you were not fabricating those UV --
7 MR. LITTLE: It wasn't that. What it was, the 8 drawings had tolerances specified in certain areas, and the 9 bind problem was an accumulation of statistics, accumulation 10 of tolerances that might specify 3 or 4 mils in this 11 direction, 3 or 4 mils in this direction.
12 What actually happened, you ended up with samples.
13 Everybody was in the left-hand corner of the room on those 14 particular samples. So what happened was their tolerances 15 added up for that particular device in the wrong direction. So 16 what we did was a tolerance analysis for the entire device, 17 and then from that device derived new tolerances for those 18 components, and then 100 percent inspected for the 19 as-manufactured tolerances to the new tolerances.
20 MR. LIPINSKI: Taking that philosophy, doesn't it 21 apply to the DB 50, as well?
22 MR. LITTLE: They were not attributed to design V 23 manufacturing tolerances. It was attributed totally to 24 maintenance practices. We did not find any design-related 25 problems with the DB 50 breaker.
m 133 1 MR. LIPINSKI. What happened with the one that was 2 retested in the factory and then installed in the plant and 4
3 not function? What do you conclude?
4 MR. LITTLE: You are talking about the Salem event?
5 MR. LIPINSKI; Yes.
6 MR. LITTLE: What happened with that function, it 7 did not work in the plant. I was there with Harold Denton 8 that day. The device was dropped in the box on the floor and 9 broke off the cap on the device, and it was installed with a i 10 broken part. I was at the site and we found the part at the 11 bottom of the box. The box was dropped.
12 MR. LIPINSKI; That explains why it wouldn't 13 function. It couldn't take the g test.
14 MR. LITTLE: As a matter of fact, we had a team of 15 metallurgists at Franklin Research Institute with an 16 electronic microscope. We force tested the tab. It showed it 17 can handle a 300-pound load before it broke. So we went to 18 many in-depth meetings to determine it wasn't a design 19 failure.
20 MR. LIPINSKI It was Class 1E but the g forces 21 exceeded the Class 1E spec.
22 [ Laughter.]
O 23 MR. LITTLE: Yes. The freight carrier was not Class 24 1E.
25 MR. EBERSOLE: May I ask you a question? Have there
134 V
1 ever been any incidents where you put the voltage to a shunt 2 trip and the coil was open?
3 MR. LITTLE: I guess I don't understand the
, 4 question.
5 MR. EBERSOLE: There was an open circuit in the 6 shunt trip coil. I'm just trying to focus on what you call 7 breaker failures.
~
8 MR. LITTLE: The only failures that I am aware of 9 are two: one is the shorting out of a transistor in the 10 voltage driver card. The other is a failure on undervoltage
- (~5 '11 trip attachment to actuate.
12 MR. EBERSOLE: You have never had an incident of 13 open circuited stunt trip coil?
14 MR. LITTLE: That's correct.
15 MR. EBERSOLE: Have you had incidents where the 16 ancillary circuitry didn't apply enough voltage to the shunt 17 trip coil, which, of course, you couldn't blame on the 16 breakers?
19 MR. LITTLE: No, we haven't.
20 MR. EBERSOLE: So these things have been infallible 21 as long as you could put voltage on the shunt trip coil.
22 MR. LITTLE: That's right. The shunt trip device is No i \/ 23 a very simple device and requires no maintenance.
l 24 maintenance is required for the shunt.
25 It's an electromatic --
V
,)
135
/
1 MR. EBERSOLE: It is remarkable you haven't had any i
2 open-circuited coils just because of statistics.
3 MR. LITTLEp I guess the point is the shunt coils i.
4 are normally de-ener'gized. You wouldn't expect an open 1
~
+ 5 s
circuit (o occur. 1 1
~
t MR. EBERSOLE: Right.
r
./ . \
6 1 y ;
?
7-#
MR. .LITTLE:
7 Then again, it makes you rethink the
+
\ < :. l 1 8 philosophy about energize to actuate versus de-energize to I .:3
'9 actuate.
10 fMR. EBERSOLE: Those are DC coils, aren't they?
11 MR. LITTLE: Yes, sir.
l
(%. <
, 12 i MR. EBERSOLE: When you open circuit after you have
,13 closed them, there i s a spike produced, isn't there?
[4 MR. LITTLE: , I don't know.
15 MR. EBERSOLE: There is. There is an inductive 16 spike that would be the, point of failure where you really hit 17 it with x times normal voltage. You know, it is when you open 18 the circuit --
19 MR. LITTLE: If;it is a quality, you would expect to 20 see that.
1 21 MR. EBERSOLE: You never had any punctured i 22 insulation, anything --
s- I' ~ 23 MR. LITTLE: We have qualified the operation of the pf ,'
24 1 shunt coil. .<
.4 2Lb MR. EBERSOLE: Are f.here any ancillary devices to
- w. .
t
o j
i)
\m-136 1 limit the r, pike when you open the circuit?
2 MR. LITTLE: Not that I'm aware of.
3 MR. EBERSOLE: There are numerous coil failures when 4 you open DC circuits.
5 MR. LITTLE: We haven't seen them --
6 MR. ERBERSOLE: They put little lightening arresters 7 across them for that purpose.
8 MR. WYLIE: On your DS breakers, you show five 9 plants, seven failures. Are those seven breakers?
10 MR. LITTLE: I believe there was a multiple on
. 11 those.
O 12 [ Slide]
13 Yes. There were multiple -- three plants -- no, 14 there are five. They were in different units. These are 15 utilities. Here are your seven failures. This is from the 16 proprietary report.
17 I might point out that with the DS breaker, on our 18 lower estimates, one data point we have from one of the 19 utilities on estimate was unreliable, so we discounted and 20 actually calculated to reliabilities.
21 MR. EBERSOLE: It seems the fly in the ointment is 22 the UVTA.
' 23 MR. LITTLE: Yes, sir.
24 MR. EBERSOLE: That is the one required by NRC.
25 Now we get back to the ancillary logio about getting
l l
1 1
137 1 the voltage application to the trip coil, which is still an 2 integral problem. Have you had any cases where you didn't get a
3 the voltage to the trip coil that can be called an integral 4 problem?
5 MR. LITTLE: I don't know what you mean by 1
6 integral. We had Sequoyah, where the voltage was not what I 7 want to say applied --
8 MR. EBERSOLE: That was the inverse. Of course,
. 9 that was a UV relay that applied the voltage, and it failed to 10 get there.
1 11 What about other cases in the industry at large
\_
12 where you failed to get the voltage application?
13 So we translate now to the rationale of does it --
14 is there anything intrinsically wrong with using hot circuitry 15 to trip the breaker, to get the rod down.
16 Do you know what I mean? I'm reversing the logic l
17 now. We are going to use a hot circuit.
18 MR. KERR: Maybe we ought to go on and hear what he 19 has-to say about breaker performance.
20 MR. EBERSOLE: He has just about said all that you 21 can say.
I 22 MR. LITTLE: No, no.
23 [ Laughter.]
24 [ Slide) 25 I have been sitting down so long this morning, I am
138 V
1 dying to talk.
2 With respect to the shunt coil modification, we 3 developed with the Owners Group a generic design, submitted it 4 to the Staff, for that modification to provide an automatic 5 backup to handle the trip attachment to enhance the 6 performance of that breaker. We worked closely with the NRC 7 and Owners Group on that design and development. The SER was 8 completed in a very expeditious manner. The plants are in the 9 process of performing the modifications now, and quite a few 10 have actually installed the shunt coil modification.
[] 11 [Slidel V
12 We did confirmation testing for the DB 50 13 undervoltage trip attachment to confirm a number of suspicions 14 about force factors, cyclic life effects, and to identify 15 whether a periodic maintenance guidance was adequate. I'm not 16 going to go over those details here. They are all written 17 down for you.
18 We had a pretty extensive test program. We cycled 19 UVTAs for 2500 cycles, interspersed them with shunt trips on a 20 reactor trip breaker to evaluate whether there are interactive 21 effects between the two, which we did not end up seeing. We 22 monitored them on the breakers. We took performance data, 23 force measurements and that sort of information.
24 Then after the test was performed, we took the 25 devices apart and submitted them to metallurgical examination
r'%
139 1 for wear.
2 [ Slide]
3 The results of that basically showed -- this was 4 related somewhat to the GE-AK breakers -- that the force 5 ratio, the force delivered by the undervoltage trip attachment 6 to the force necessary to trip the trip bar was a factor of 2 7 to 1 There was about 30 percent margin in the GE-AK-2 design 8 at that time. The shunt trip was greater than 6 to 1, so 1
9 there is quite a bit of reserve margin with respect to the 10 force of these devices.
11 We did experience two failures to trip in this test, 12 and we on subsequent investigation found out one of these 13 breakers trip attachments was due to inadequate lubrication.
14 The lubrication procedure was not correctly followed.
15 We decided to get some additional information. We 16 found a wear point identified. We proposed at that time prior 17 to completing the test a captive pin modification on one of 18 these latches, and we experienced two failures to latch, which 19 was the breaker -- the undervoltage trip attachment would not 20 latch, and therefore the breaker would not be able to be 21 closed. It would hit the trip bar continuously, and they 22 occurred in the nonperiodio lubrication tests.
l O 23 We took four brand new UVTAs with this new l
l 24 lubrication procedure, the captive pin modification. We i
25 experienced one failure to trip in 9800 trip demands. The
l l
l l
140 1 original test for this device was approximately 2500 trip 1
2 demands. We took it out through failure at this point.
3 We did see a marked performance improvement with 4 respect to forces measured for the test by this improved i
5 lubrication procedure, and the captive pin modification did 6 not contribute to that. That was really a little bit of an 4
7 overkill. We found no design deficiencies in the device.
8 We have adequate force margins. Wear was not a 9 factor in the failure to trip. It was always a factor in the 1
10 fail safe direction. Periodic force measurements and response 11 time measurements did not predict the failures for this, so 12 you cannot see necessarily a degradation in performanoe. It 13 was merely the fact of the periodic maintenance of these 14 breakers that was very important and the proper adherence to 15 those procedures.
16 The lubricati.on guidance can be improved. We did 17 improve it. This is an old slide from a 1983 briefing to the 18 Commissioners in November. It was revised. We established a 19 replacement life for these devices which was not done pr.or to 20 this. The switch gear predated those requirements. The l
1 21 replacement life is 1250 cycles, half of what we originally 22 tested the device for. You have seen up to 9800 devices with Ot 23 one failure, 9800 integrated trip demands -- excuse me -- with 24 one failure.
25 We estimate, based on 75 trip demands per year,
-e , , - - - , - , , , - - ,w-,-----nn,- - - , - , , - - - - - ,- -,,-,---------------~---,-ane,.-c-g
8
- 141
\
1 which include testing and maintenance, that the life of this 2 device is approximately 16 years. Many utilities have 3 installed cycle counters on these devices.
4 MR. KERR: The 16 years you selected was based on 5 taking about half of what you had tested tot 6 MR. LITTLE: That's correct.
7 MR. KERR: And you did not test --
8 MR. LITTLE: In one instance we did. We tested 9 9800.
10 MR. KERR: In the 2500, the breaker was still 11 performing satisfactority at the end of the 2500, so this i
12 choice of 16 years is not a wear-out time in any sense.
13 MR. LITTLE: That's right. We arbitarily divided by 14 2.
15 MR. EBERSOLE: What is the ultimate failure mode 16 when you gri,nd these things to the end of life?
17 MR. LITTLE: The ultimate failure mode is the device 18 will no longer latch. You cannot close the breaker any 19 longer, so it is in fail safe.
20 MR. EBERSOLE: It's a built-in conservatism.
21 MR. LITTLE: That's correct.
22 MR. LIPINSKI. Question. How was your 9800 trip 23 test conducted? About one cycle per minute?
3 24 MR. LITTLE: I don't know the specifies of it.
25 There were hold times in between that which were determined on
! 142
\s-)
1 the basis of how much heat was being generated in the 2 breaker. We had to be careful we did not burn out the closing 3 coils in the breakers because they are not designed for this 4 continuous oyole thing, but within that constraint, we wanted 5 to intersperse them as close as possible to try and generate 6 as much heat as we could. For example, to dry out lubricants 7 and that sort of thing. So it made sense to accelerate it.
8 MR. LIPINSKI: In actual applications, you would 9 have a breaker sit there for 18 months and then call for trip 10 on demand, and the lubricant could get gummy with time,
/T 11 whereas in this type of test you had your lubricant being 12 cycled rather frequently, not being allowed to gum up.
13 MR. LITTLE: That goes into the selection of 14 lubricant, and there was a lot of discussion about the 15 lubricant during Salem. Certain lubricants were ruled out 16 because they do attract dust and become gummy. The lubricant 17 here -- and I don't remember what the name of it is, but it 18 was specifically chosen because of its properties relating to 19 not attracting dust and that sort of thing.
20 MR. LIPINSXI: If I were to repeat these tests for 21 breakers that were sitting for 18 months and cycled them 9800 22 times, would I expect the same results?
23 MR. LITTLE: You would, and there are 35 plants that 24 repeat these tests every two months. They test one of these 25 breakers a month, and we haven't seen any failures.
I 143 Q
1 MR. WYLIE: That's what I was going to say. They 2 don't sit there for eighteen months. They oyole them and j 3 periodically test them.
4 MR. LITTLE: That's correct.
5 MR. EBERSOLE: Do you attribute this difference I
6 between reliability of the UVTA and the shunt trip ruling to 7 he based on this force margin difference?
I e MR. LITTLE: No. I attribute the reliability of the i
9 UVTA to be related to maintenance and the need to perform 10 maintenance The shunt trip device, because of it's nature, 11 is not a device that requires maintenanoe.
12 MR. EBERSOLE: You used the word " nature." Does 13 that also get back to the margin to function?
14 MR. LITTLE: No, I don't believe it does.
15 MR. EBERSOLE: Just different trigger work?
t 16 MR. KERR: That's correct.
17 MR. EBERSOLE: Sliding surfaces.
18 MR. LITTLE: That's correct. In once case, the DS 19 breaker, we did have a design defiotency in that device, and 20 that, we believe, we have corrected. We don't expect that i
21 again, due to that cause.
22 In the DB breaker, we have seen failures, and from 23 the day that we've seen them, it was totally due to inadequate i 24 maintenance. In the case of Salem, more than inadequate 25 maintenance.
o 144 1 MR. EBERSOLE: Would you argue, an undervoltage 2 relay used to apply voltage to the shunt trip ootl would be 3 better than the UV device that you have?
4 MR. LITTLE: Would I argue that?
5 MR. EBERSOLE: Do you follow me?
. 6 MR. LITTLE: I certainly follow you. It would not 7 be better than the combination of both, which is what we have 6 today.
9 MR. EBERSOLE: Yes, that's true. You've got the 10 other one in there.
11 MR. LITTLE: Yes. I think what we have today is a 12 combination of both. We do have a design which sit 11 will 13 deenergise to actuate. We do still have a design that has 14 something diverse to the UVTA. I think recognizing the nature 15 of the UVTA and its sensitivity to maintenance and improving 16 in that area, it was a wise decision to incorporate the other.
17 MR. EBERSOLE: So the problems, you would argue, if 18 any, are upstream?
19 MR. LITTLE: If there are problems, upstream, yes.
20 CSlide.1 21 We also performed cyclic life tests on the DS-416, 22 operated 2500. We did not see any failures on these tests.
23 We measured all kinds of things, as I've already mentioned, in 24 these tests. The testing is complete. These reports were 25 issued to the members of the Utility Owners Group, and we
._-.--.-.I i
l
(
145 1 established an identical qualified service life of 1250 2 operations as we did with the DB breaker.
3 CS11de.) r 4 Our conotusions were, design and manufacturing 5 deficiencies have been corrected. We confirmed it with 6 testing, made improvements in manufacturing and traceability 7 control. We extended our preshipment testing before they 8 leave the factory.
9 All Westinghouse plants with the switch gear to received replacement UVTAs, overseas as well.
11 The Westinghouse Owners Group also received 12 consolidated maintenance recommendations for this switch gear, 13 as well as the other switch gear.
14 (Slide.)
15 In terms of what that switch gear maintenance was, 16 we compiled all the reqommendations of switch gear maintenance 17 that we could find. We rewrote, in a sense, the maintenance 18 manual for switch gears. That covers not only the i
19 undervoltage trip attachments, but the entire breaker.
l 20 The recommendations include the results of our i
21 confirmation testing, specittoation replacement life, cautions 4
22 against field adjustments.
23 MR. EBER80LE. That latter statement there, you mean l '
i
! 24 there is some explicit statement to the maintenance people, 25 " Don't touch thisf" ,
I I
s
! 146 Q
1 MR. LITTLE: There absolutely is. There are no 2 field-adjustable components of undervoltage trip attachments. l l
3 We don't want maintenance people adjusting. We had seen 4 evidence of that in Salem.
5 The clarification was issued on the UVTA 6 lubrication. We identified additional lubrications, specified 7 lubricants and sources of that lubricant. At one time, an old 8 procedure specified a lubricant that was highly unavailable, !
9 believe, in one case was available in S0-gallon drums.
10 MR. EBERSOLE: How do you find the discipline of 11 using that lubricant or the wrong kind in the aspect of the
(
12 discipline of the owner utility operator's maintenance 13 people? Do you find they adhere strictly to tubrication 14 specificationst 15 MR. LITTLE: If I faced what Salem faced, !
16 guarantee you, if I were the utility, I would follow it pretty 17 olosely, especially if I had the chance of being audited 18 against it. It's a requirement of 83-28 to have received 19 maintenance instructions for that switch gear, and the 20 maintenance people are audited on their performance.
21 MR. EBERSOLE: Is it a ritual now to investigate l
22 what tubrication is, in fact, being applied to these devloest l
l \' MR. LITTLE: I don't see any reason for an l 23 24 investigation now --
25 MR. EBERSOLE: 1 mean to validate that they are
O 147 1 following the lubrication --
2 MR. LITTLE: That wouldn't be the responsibility of 3 the vendor; it would be the responsibility of the utility.
4 MR. EBERSOLE: Is that being done now, since this 5 lubricant is so important?
6 MR. ROSA: I would expect the Regional Inspectors 7 would audit. Whether they do it regularly or how often, !
8 don't know.
9 MR. EBERSOLE: And use the right stuff.
10 MR. ROSA: Yes.
Technical bulletins from Westinghouse
(N 11 MR. LITTLE:
12 were issued, and acknowledgement letters from the utilities 13 and lists of those bulletins are also supplied to the NRC 14C 14 people, and they audit the receipt of certain bulletins, and 15 we keep a record of the people we sent it to and receive 16 acknowledgements of important maintenance information like 17 this.
18 MR. LIP!NSK!: I guess the reat issue is, even 19 though 14C receive those bulletins, and it's in their 20 checklists, do they go out and verify this lubricant is on 21 those breakers, or are they just filing information and that's 22 the end of it?
23 [811de.3 24 MR. LITTLE: I guess I would like to talk a little 25 bit about Sequoyah and what happened at Sequoyah.
148 i MR. KERR: May I assume you have concluded that the
> 2 undervoltage trip attachment problem has been resolved for 3 Westinghouse breakers?
4 MR. LITTLE: That's correct.
5 MR. LIFINSK!: What's your final conotusion on 6 breaker reliability?
l 7 MR. EBERSOLE: Before you do, we did agree, didn't 8 we, that if we've got problems, they're upstream, like the one 9 you're about to talk about? This is an upstream problem?
10 MR. LITTLE: It sure is.
11 MR. EBERSOLE: What can we do, if anything, or 12 should we do about that?
13 Well, anyway, go on into your topic.
14 MR. LITTLE: That will answer your question.
15 Just a brief review as to what happened at 16 Sequoyah. It was an error made by'the technician performing 17 maintenance on the system. The procedures indleated that any i
18 measurements on undervoltage coils, you should withdraw the i
19 undervoltage driver cards to prevent damage to them. It was 20 not done.
21 They used a voltmeter that was incorrectly dialed 22 to the ammeter scale. As a result, it shorted out the Q-3 23 transistor on the integral driver card, which basically 24 disabled the card's ability to doenergise and actuate a j
25 reactor trip on loss of voltage.
149 1 The technician also did not perform 2 pre / post-maintenance testing with the built-in test equipment 3 that is part of the solid-state protection system, which is 4 a recommendation of 83-28 as well, to perform post-maintenance 5 testing to verify the adequate functioning of the device.
6 The !&E notice that came out on Sequoyah also 7 reinforced these points, in particular the testing immediately 4 after maintenance.
9 At Westinghouse, we looked at a number of things on 10 the card to make sure there were no design problems on the 11 card. We looked at a couple of options to the card. We did 12 this on our own initiative, not under contract to anyone to do 13 that or as a requirement to anyone to do that, to see, how can 14 we make this card less susceptible to a maintenance error like 15 this? This maintenance error had been seen before, not in 16 actual operation, but the same problem had occurred before.
17 We looked at a couple of options. One was applying 18 a current limit on the card to blow open, rather than short 19 the transistor. We didn't get acceptable results with that.
20 We looked at redesigning the driver card to limit 21 current. It became a complex design in order to do that. We 22 wanted to keep something basically simple, use the UV driver 23 cards to drive the shunt trip coils for diversity. This is a 24 major change in the protection system and would involve major 25 costs without necessarily great improvement and benefit.
M 150
(
1 We looked at interposing relay between that, found f
2 out that interposing relay between the driver oard and the i
4 3 undervoltage coil actually could cause increased spurious ,
4 trips and wouldn't address maintenance error in the protection S cabinets upstream of that relay.
. 8 The last point we looked at and which is probably 7 the best benefit and the easiest sort of thing is to add a j 8 fusible link in series with this card, which will not save the 1
9 transistor from its problem, but will disconnect the UV coil i
10 from the card, and as a result this system will not remain
' I will show diagrammatically what we have done
- 11 energized.
12 here.
13 CS11de.3 J
14 This is the undervoltage trip ooils on the main and 15 bypass breakers, the shunt relay trip which was added as a 1
16 result of the Salem event, the manual reactor trip switches --
! 17 two switches, this is duplicated in each train -- and the Q-3 18 transistor which shorted.
19 The addition of a fusible link here, putting a short 20 circuit across this coil, where the mistake that the operator 21 made would blow open this fusible link, disabling the card.
22 This channel, this whole channel, would from this point on be 23 in the trip condition, and the reactor trip breaker will not J
24 he able to be closed. So you don't even need any test 25 equipment to test this.
t 151 V
1 We do feel that there are adequate means in 2 existence now, besides the addition of this fusible link, to i
i 3 detect this problem. The performance of any one of those
! 4 steps could have avoided the Sequoyah problem. Correct 5 adherence to the procedures of post-maintenance testing would 6 have more than adequately done that.
7 We don't necessarily see this as an immediate new 8 requirement sort of thing, but this modification can be made 9 easily to the card, i
10 MR. EBERSOLE: What are the characteristics of the 11 fusible link that you propose?
- 12 MR. LITTLE
- I have Mr. Dave Xats, who is the 13 Manager of the Instrumentation and Control Group in the 14 Electrical Engineering Department to the !&C Division. He can 15 answer that question.
16 MR. KATZ: This link would be something that's 17 soldered on the card. It would not be a plug-in type of t
18 fusible link. It would be something that has a Westinghouse i
19 part number on it, so the wrong part oculd not be substituted 20 for it.
. 21 MR. EBERSOLE: So it's an integral part, j
-s 22 MR. KATZ: Made an integral part of the UV driver 23 card.
24 MR. EBERSOLE: What sort of a card value are we 25 talking about?
. .. -. -- - -. . _ . . . _ . .~ - - _ _ . - .
152 l
1 MR. KATZ: Two to three amperes.
2 MR. EBERSOLE: Thank you.
I 1
3 MR. LIPINSKI: The solution to this problem after 4 this maintenance error is to replace the link. You now have 5 to force them to test the circuit to find out whether the Q-3
, 6 is operable or not.
7 MR. LITTLE: Yes. The easy way is to test the 8 circuit, whether the Q-3 is operable now.
9 Okay, the card would not be able to be repaired at 10 the site. It would have to be returned to, in this case, 11 Westinghouse.
12 MR. LIPINSKI- So you're saying he's got to pull the 13 card and replace the card?
14 MR. LITTLE: He'd have to replace the entire card.
15 MR. LIPINSKI: I was afraid all he'd have to do is 16 replace the link, go back into operation --
l 17 MR. LITTLE: Depending on the fuse holder, you know, 18 you couldn't do that i
19 MR. LIPINSKI- He's got to pull the card to get rid 20 of it?
21 MR. LITTLE: He can't remove the card from the link 22 itself, l
23 MR. LIPINSK!: Okay.
24 MR. LITTLE: If he had a card that was bad, it had a i
a 25 fusible link missing, he wouldn#t be able to --
- - - , - . . . . , . . , . _ , , . . - - - , - - - - . . . . , _ . + . - _ _ , - - - , , . - _ _ - ..--..--m,,,,, -. _,mm.,-
, ~ . , - .,..c, , . , -
l I
153 1 MR. WYLIE: Did you say the fusible link is soldered 2 into the circuit?
3 MR. LITTLE: It's an integral part of the card.
4 MR. KATZ: It's soldered onto the circuit.
5 MR. WYLIE: It's soldered onto the circuit. Thank 6 you.
7 MR. KERR: I want to call attention to the fact that 8 that circuit diagram does have a ground showing.
9 [ Laughter.)
10 MR. LITTLE: You will notice closely, the ground is 11 there, only one, unless we want it to generate its own 12 kilowatts. We found the missing ground.
13 MR. LIPINSXI. What prevents people from putting a 14 shunt on the card? It's up to the operator to decide to 15 return the card to you and not put in a link on his own, like 16 a piece of copper wire?
17 MR. LITTLE: I guess you could apply that anywhere 18 in the plant, if you wanted to. What prevents someone from i
19 juryrigging anything? There's no design modification that 20 you could make that will prevent someone from doing something.
21 MR. LIPINSKI All utilities will return those 22 cards?
O 23 MR. LITTLE: The protection system is not going to 24 work very well for them if they don't.
25 MR. LIPINSKI: They could put in the copper wire.
l i
I
/'N 154 l
1 MR LITTLE: I'm not the NRC. I'm the designer of 2 the card. Make a little more robust with respect to a 3 maintenance error. That's what we've done. We've recommended 4 to the utilities. We're not going to require that they do it. .
5 MR. EBERSOLE: Give me an estimate of the 6 reliability of the shunt trip relay you put in there to 7 perform on demand.
8 MR. LITTLE: I believe --
9 MR. EBERSOLE: That's good relay.
10 MR. LITTLE: I believe there was some IEEE-500 data
'N 11 supplied for reliability on that, I think in particular with
)
12 respect to reliability of manual trip function in PRAs. I 13 don't know. Mike Hitchler has that.
14 MR. KERR: While he's looking for it, why don't you 15 continue?
16 MR. LIPINSKI; When you take that off, you notice a 17 diode across the UV coil, 18 MR. LITTLE: I guess at this point, I would like to 19 bring up a point on behalf of the Owners Group and in 20 particular one utility, Duke Power.
21 Ted McMeekin called me and asked me to provide some 22 information here. There's been a lot of interest about MG set 23 trips and deenergising the MG set and how really easy it would 24 be to design a diverse scram for Westinghouse PWRs.
25 Duke Power tested this process back in 1983 at the i
155 v
i Catawba Unit, which was not operating at the time. A few 2 points to give you some highlights.
3 It was somewhat of a juryrigged feasibility test.
4 They were operating one MG set at the time. The rods were not 5 in the core. The were looking to see if the grippers would I 6 disengage. They interrupted the seal to the MG set. They 7 never treated both MG sets in parallel to a common bus.
8 What Duke did in their PRA group was assess the 9 reliability benefit from doing something like that, if they 10 would get a reliability benefit The PRA organization at Duke
("' 11 Power said it was not a major improvement. It was on the 12 order of a factor of two improvement in reliability.
13 When we are talking about reliability, we're 14 looking for orders of magnitude on the order of 10. This was 15 counteracted by the complexity of the design and some concerns 16 they had specifically.
17 The specific concerns they had, and you've heard 18 them voiced before, in particular by me as part of the ATWS 19 rulemaking, were online testability, the function of two MG ,
I 20 sets in parallel. If I fail to deenergize the MG set, one of f I
21 the MG sets, I would motor the deenergised one and, in fact, 22 destroy that MG set,
\
23 How to construct the wiring and how to interface 24 that wiring with the protection system brings up a whole 25 number of issues related to the interaction of this system
..---~--._--._,,m~- - - , - - - - -,-n..,_-,,_-.,,,a e - - - - - - - - - , ,,w .-w,.,.,-,- -.,---,..,---,---,---nn-+--.-,.n,,- , , , ,
156 1 with the protection system, and avoiding that would make this, 2 indeed, part of the protection system and would increase the 3 complexity of the protection system greatly.
4 So based on a preliminary look at the benefit they*
5 would see by the deenergising of the MG set and the complexity 6 of the design, Duke Power independently concluded that it was 7 not worth the benefit. And I think the people who have been 8 commenting on ATWS rulemaking for a number of years support 9 that conclusion as well.
10 MR. EBERSCLE: Does Westinghouse agree with that?
11 MR. LITTLE: Yes. And we have written letters to 12 the ACRS and the Commission on that. And if you'll look in, 1 13 believe, the June 1983 letter, --
14 [ Slide.]
15 -- to ACRS and the October 1983 letter to the 16 Commission, you'll find that specifically stated.
17 1 guess one of the things that we wanted to discuss 18 a little bit was cost, the complexity of a design like that.
19 We have talked with both utilities and independently inside l
20 Westinghouse, and the order c. f that system would be somewhere i
21 in the range of half a million to three-quarters of a million 22 dollars to design and install, not necessarily procure.
23 MR. EEERSOLE: What was the contribution to 24 inadvertent trips that you foundt 25 MR. LITTLE: From the MG set failure, there was not
1 l
r 157 1 a specific design developed, but they were concerned about the 2 use of interposing relays between the protection system and 3 the MO set system and failure of a single relay.
4 MR. EBERSOLE: You were still driving it with the 5 ourrent protection system, weren't yout 6 MR. LITTLE: Yes. This is not a diverse scram 7 system.
8 MR. EBERSOLE: There was not an independent signal i
9 driving this, so that carried its own depreciating effects of to the diversity.
h 11 MR. LITTLE: That's correct. And if we look at --
12 MR. EBERSCLE: If you look at a diverse signal in 13 its own right, not a part of the protection system, how would 14 it have lookedt 15 MR. LITTLE: It would probably have looked more 16 reliable, It probably would cost a lot more money, probably 17 two or three million dollars, 18 MR. EBER00LE: Would you not think that the sensors 19 would be comparatively simplet 20 MR. LITTLE: No. I guess you could design a diverse 21 s e r asi sy s t em, but I guess we're talking about reliability 22 goals, and I'll probably drive home the point right now. I O
\' 23 guess we talked about limits of acceptability before, and how 24 do you define limits of seceptable 25 MR. EBERSOLE: Then we're in a common-mode failure
154
/' T 1 area, and that gets sticky.
2 MR. LITTLE. Let me finish for a second. 1 guess 3 the point, I would say, and the regulators have always focused 4 on, there were limits of unacceptability. At what point does S DNE occurt At what point is a system not reliable enough --
4 MR EBERSOLE: Walt a minute. You've already jumped 7 to DNA. You've already jumped into the thests that you have ;
8 mitigated systems, the relief valves, et cetera, et cetera, 9 and also the turid effects of having an ATWS, perhaps just the l 10 reputational failure.
11 MR. LITTLE: That's correct. So I guess our 12 approach is, does this system perform its funetton such that O 13 we get acceptable consequences? And we see that as a 14 combination of two disolplines; first, the deterministic one, 15 and second, the probablistic one, i to MR. ENER80LE: Let me hypothesise a moment.
17 MR. KERR: Let him innish a little, Jess.
18 MR. EBER80LE: You have to keep him in stream here.
19 MR. KERR; I don't want to interrupt him every half 20 sentence. Let him finish at least part of the presentation, 21 and then you can question.
22 MR, EBER50LE: When you come to a pause --
23 (Laughter.1 24 MR. LITTLE I guess the point we're making here --
25 and Mike Hitohler will demonstrate -- we have generated i
159 t extensive reliability studies of the protection system, v J 2 reviewed by the Staff and approved by the Staff, also 3 extensive transient analyses for ATWS events for a period of 4 about fifteen years, and they demonstrate, "Never mind the 5 reliability of the protection system; we're able to meet the 6 regulatory criteria for ATWS events. We meet the NRC-mandated 7 rettability estimate of 3 times 10 to the -5 in ATWS 8 rulemaking." As a matter of fact, we used, as a design 9 ortterton in our advanced protection systems, that that system 10 at a minimum should meet that reliablitty requirement, and we 11 expect it to be a couple of orders of magnitude better than 12 that.
O 13 I guess the point I'm trying to make here is that we 14 don't want to lock at rettability in isolation. We don't want IS to look at transtant analysts in isolation, but they go hand 16 in hand. We want to make sure the systems will adequately 17 perform in a rentable manner the functions they're supposed to it perform, 19 We can demonstrate with either one of those 20 methodologies and a combination of the two that we do, indeed, ;
, 21 perform that function, We treated the Salem reactor trip l
22 breaker with quite a lot of offort, We treated the l
1 1
! 23 undervoltage trip, the integral to driver card with quite a 24 lot of effort.
l 25 What we're saying here is, we don't think we should i
i
- - - - . - . . - , _ - . . - - - - _ . . . - , . _ . . . - - - - _ - , . - . - - . . - . - . . ~ , - - . . _ . . - - - - . _ - - . - - . . - - - . . . . _ . . .
160
(T i install separate diverse scram systems. We don't think we
\
2 should design around every problem. We think we should look 3 at the problem, identify what the causes might be, put things 4 in that might prevent those causes from happening, and keep an 5 eye on things that also mitigate the problem. And 1 believe 6 that's what we have done.
7 MR. EBERSOLE: What you have done is invoke the 8 mitigative competence of your design.
9 MR. LITTLE: I think Mr. Hitchler, who is about to 10 speak, is going to talk about the preventive aspects of it and 11 how we've looked at reliability, as well as transient 12 analyses.
(
- - 13 Let me introduce a little topio rather briefly. We 14 got into, prior to Salem, an industry and regulatory concern 15 about the basis and validity of current technical to specifications, spectitcally surveillance requirements and the 17 burden they are imposing on plant operations and the 18 complications of operations with the imposition of unnecessary 19 transients and shutdowns -- spurious trips, challenges to 20 safety systems. Overly stringent surveillance requirements 21 have resulted in these in many cases -- surveillance 22 requirements, in some cases, without a technical basis.
23 The TOP was identified to treat these things in a (j 24 realistic manner and on a quantitative basis to try and 25 formulate bases. Mike Hitohler is going to talk about
161 this program and what we did. He's also going to relate this
/~'}
v 1
2 program and the information I have already spoken about, 3 reactor trip breaker reliability and the Sequoyah event in 4 particular.
5 So why don't we let Mr. Hitohler speak and --
6 MR. KERR: Before Mr. Hitchler speaks, I want to 7 take a ten-minute break. I would propose to just carry on 8 through and forget about lunch, because I think we can finish 9 faster if we do, but I do think we need about a ten-minute 10 break at this point.
11 [Brief recess.]
12 MR. HITCHLER: Jim has been focusing up to this
\'
13 point on what kind of operating data we have had, specifically 14 talking about the breakers.
15 (Slide.3 16 This part of the discussion really talks more about
- 17 what does all this mean when you put at together. In other 18 words, you have to have an integrated approach to what can 19 happen when you start changing the re11 abilities, the 20 maintenance, that sort of thing.
21 The TOP program was identified to perform that 22 function. It is the first detailed quantitative study of the 23 RPS that has been accomplished t' o that point. When I say 24 " detailed," I'm talking about it from the standpoint of 25 actually looking at really what are the sensitivities to bisio
1 162 s .
1 assumptions in the reactor protection program, not so much 2 wh a t : is the bottom line.
3 So therefore we actually did initiate this in 4 September of '82. It's been ongoing for the last 5 approximately three years. We have expanded into the ,
6 engineered safeguard system with a continuing process for 7 updating in other systems. Also we accumulated data from 8 different places.
9 The study itself actually focused on the RPS j 10 unavailability, and we looked at the impact of alternative 11 component configuration surveillance intervals and also test i
12 and maintenance times, recognizing that can be a key variable
\' 13 in terms of different plants.
, 14 And finally, the question of whether the plant 15 equipment should be put in bypass during tests, what kind of 16 risks were being involved?
1 17 The methodology we chose was to use fault tree 18 analyses to come up with essentially RPS unavailability 19 estimates. We also developed a risk model that was based on 20 the Indian Point-3 PSS-and assessed the impact on inadvertent 21 trips and also on these relaxations. The report has been 22 reviewed for the past year and a half by Brookhaven. The 4
23 bottomline conclusion was that we were overconservative with ;
- 24 respect to issues, especially common cause. This analysis has 25 been done for both the solid-state and the relay systems. j 1
. 1
q ,
V
'/ 163 1 .[ Slide.)
2 In terms of what the results came out to, our 3 estimates are for a solid-state protection system, if you e
4 include common-cause factors, the number is about 2 times 10 5 'to the -5.
6 Mr. Little mentioned our decision-basis point for
[ the unacceptability criterion we use internally is essentially i 7, 8 3 times 10 to the -5.
9 So this is our estimate. I said, if you eliminate 10 common cause;and just look at it from the standpoint of the 11r. system configurations, there is roughly an order of magnitude 12 improvement. Common cause, I'm talking about here, means 13 hings that we cannot quantify, we cannot identify. As 14 Dr. Kerr mentioned, if you've had one of these occur, and you 5.
15 fix it, it's not a common cause anymore. It's a known 16 failure. So,these are,the unknowns or the things that start
"{ 17 to get you when you deal with very reliable systems, e
18 In terms of the anclysis --
l
(.
19 MR. WARD: So this is the unavailability up to the 20 breaker?
i
.o
\
21 MR. HITCHLER: Including the breaker. This goes all
. l 22 the way to the release of the rods.
23 MR. LIPINSKI: What's the probability for your
) 24 breaker that you used in this analysis?
25 MR. HITCHLER: I have to be careful here. I don't
\ ' -
- . ._______x___-_
164 1 want to be loose in my definition of different components.
2 The numbers we were using for the breaker itself and 3 for a number of components similar to that that was used in 4 the M111 stone-3.
5 MR. LIPINSKI It's roughly the square root of that 6 without the CCF number, which is 1.2 times 10 to the -3.
7 MR. HITCHLER: The unavailability here isn't 8 dominated totally by the breakers themselves. There are 9 contributions from bistable channels, also contributions from 10 the logic cabinets -- precisely those issues that we talked 11 about in Sequoyah.
12 MR. LIPINSKI: Usually they are redundant enough, 13 and from what I saw of the earlier analyses, the breakers 14 usually dominated that number.
15 MR. HITCHLER: Ignoring the common cause, really 16 what tends to dominate is a random failure of one breaker or 17 train and having the other train in test, that traditional 18 type of failure mechanism, so it isn't just a squaring of the 19' number. The number for unavailability due to testing is about 20 10 to the -2. With the mechanical breaker sections we talked 21 about earlier, it was about 3 times 10 to the -4.
22 In terr; of the unavailability, as we said, common 23 cause was essentially 90 percent of the unavailability f
24 estimates. As we mentioned before, we're just dealing with a 25 highly reliable system where we don't have much data, trying
165
/~N 1 to verify what can or cannot happen. So this is an expected
\
2 result.
3 The common cause contributions were essentially 4 totally dominated by common cause, you know, logic cabinet 5 breakers and so on. Bistables and analog chambers were a 6 relatively small contribution with respect to common cause.
7 The logic to that is, we have a lot of diversity 8 with respect to the process variable we monitored. Our 9 dominant cut sets in terms of where effects were, again it's 10 all in the breakers and the logic cabinets.
11 The effects of random failures in testing and 12 maintenance types of unavailability were relatively small. As 10 s 13 I said, bistables are negligible.
14 MR. DAVIS: Did you take any credit for manual 15 recovery of these failures, or would that be a factor, since 16 you're talking about trip breakers being the biggest problem?
17 MR. HITCHLER: Within the risk model, we took credit 18 for manual recovery. In terms of the unavailabilities we are 19 estimating here, there was no manual recovery.
20 MR. DAVIS: There is not credit taken for emergency 21 boration in that to number?
22 MR. HITCHLER: No. This is strictly the RPS.
23 MR. DAVIS: Thank you.
(j 24 [ Slide.]
25 MR. HITCHLER: I doing the analysis, we wanted to
166 C 1 look at a number of perturbations in the base model. There 2 were actually over 300 types of variations in terms of 1 3 testing, maintenance, bypass conditions. We ultimately chose I l
4 ten major areas where we wanted to do a very in-depth study.
5 What I'm showing here are three of the cases. The 6 base case here shows what is currently -- or was in the 7 standardized tech specs in 1982 -- in other words, what 8 allowance we have for testing times, what test intervals were 9 required, those kinds of assumptions.
10 What I'm showing here in terms of Case 1 and Case 2 11 is that Case 1 shows the maximum relaxation of the testing 12 functions that we requested. Caso 2 shows where we are right 13 now. The basic difference here is that we have only done an 14 SER with respect to totally relaxing the bistable and analog 15 chamber work, and you can see essentially we are allowing a 16 factor of 12 in the mean times to repair and maintenance 17 times. We are also allowing operating bypasses. In other 18 words, when you test a channel, you don't have to --
19 MR. KERR: Why did you choose six months instead of 20 an interval between refuelings, which would permit you to do 21 the testing during downtime?
22 MR. HITCHLER: As it turns out, we did look at the 23 one case. There were two factors. One, we didn't feel we
(_) 24 would ever be able to sell that, waiting for eighteen months 25 essentially to do the testing. Also, we found you started to ,
167
[% 1 pick up a sensitivity at six months for this number. At about 2 nine months, you start to see a dominance of failure rates.
3 I'll discuss some of the impacts. We get a tradeoff 4 here in terms of unavailability due to maintenance and 5 testing and higher failure rates. At about nine months, we ,
6 start to see those two starting to cancel each other out, and 7 the actual reliability going down.
8 As I said, there are roughly 300 combinations. We 9 looked at ten in detail, and they reported that the TOP WCAP.
10 [ Slide.3 11 The net results for the cases: We saw that the 12 overall coremelt frequency actually went down when we relaxed U(_ 13 the test interval maintenance requirements. For some of the 14 cases, there also was a small increase. The peak increase 15 was approximately one percent. The overall man-rem exposure, 16 again, was predicted for use in the Indian Point site was 17 .actually a reduction in the man-rems, if you relax the tech 18 specs in the case that we actually did the relaxation on, or a 19 very small increase.
20 Finally, we found from a financial standpoint, in 21 terms of reduced labor, meaning fewer test technicians are 22 going to have to be working on these things and also fewer 23 inadvertent trips, you had a large financial benefit in terms
) 24 of these cases. In each one of the case, we said we had a
,y 25 different mix.
168
[~'\ 1 MR. KERR: It seems to me, you also ought to include 2 the elimination of inadvertent trips as a safety plus. Maybe 3 it's implicit in some of what you said.
4 [ Slide.3 5 MR. HITCHLER: Here it is here.
6 MR. KERR: Okay.
7 MR. HITCHLER: Up here, I'm showing standard trip 8 unavailabilities, the actual contribution of ATWS-type 9 sequences, coremelt, also the number of inadvertent trips that 10 were predicted at the plant.
11 Up here, what you see is for Case 1 where we had the 12 . largest relaxation. We found we actually increased the trip b
V 13 unavailability by about a factor of 3. So we are seeing, 14 going out to six months in terms of test intervals for 15 breakers, very large relaxations which only translate to a 16 factor of 3 standard PRA. You're fooling yourself if you 17~ think that you know the numbers within a factor of 5. We 18 started getting bottom lines, which still is a lack of 19 sensitivity there. The coremelt number went up by about 20 the same amount, possibly a little higher.
21 However, based on the relaxation here, we found it's 22 estimated we would reduce our inadvertent trips from 1.7 to 23 1.13. So there actually was a search through all of the q, 24 Westinghouse plants to find out where the inadvertent trips 25 had come from and which ones were directly related to
169
/ \ 1 maintenance and testing.
2 You can see the overall change in core melt 3 frequency here. This is very minor. In terms of Case 2, Case 4 2 would only change the analog channels on the bistable 5 channel. For that case, what you actually find is the ATWS 6 contribution to core melt goes up in a very small fashion 7 here, very small amount; however, when you factor in the 8 reduction of the inadvertent trips, meaning you are not going 9 to challenge safety systems as often as you had originally 10 predicted, you actually end up with a small actual reduction 11 of the core melt frequency.
12 Going down here, we wanted to look at this in terms p-e 13 of --
14 MR. DAVIS: Question. Do you assume that failure to 15 scram always results in a core melt situation for these 16 transients?
17 MR. HITCHLER: Yes. That's consistent with the 18 modeling and mitigation models that were in the Indian Point 19 probabilistic safety study.
20 MR. DAVIS: Does this account for the fact that you 21 have the AMSAC modification on the plan?
22 MR. HITCHLER: No.
23 MR. DAVIS: What will that do to these numbers. You m
,) 24 are required to have that now; is that right?
25 MR. HITCHLER: Yes, that's required to be installed l
170
(g 1 in all these plants.
O Will it make them go to zero?
2 MR. DAVIS:
3 MR. HITCHLER: No. Common cause is still going to 4 get you.
5 MR. DAVIS: You don't know know how much they will 6 he reduced because of that modification?
7 MR. HITCHLER: I haven't propagated that through the 8 model. I can give you a gut feel at this point. The impact 9 is virtually no change.
10 MR. DAVIS: So that modification doesn't help at 11 all?
12 MR. HITCHLER: There is some small improvement. Let
\- ! 13 me tell you why I don't think there is going to be a big 14 change in that, and that's that if there is one thing we drive 15 into our operators when they are being trained on the 16 simulators, it's that you have one automatic function that you 17 do as soon as the plant receives an alarm of some type.
18 That's to check to see if the plant is tripped.
1 19 This has been verified on a number of simulators.
20 Also in actually the Salem event. The first thing they are i
21 told to do is mash that manual trip button, so the thing is 22 that when you have a model that actually starts to take into 23 account manual actions, you start to see there is very little O
( ,) 24 impact on that because the trip system is such a simple system 25 to actuate. It isn't as if you asked them to mash the safety
l 171 l
1 injection button where we would have to clean up boron for six
[j"g
\
2 weeks afterwards.
3 In this case it's a very simple action and the 4 consequences are trivial 5 MR. DAVIS: I thought you said these numbers did not 6 include manual coverage.
7 MR. HITCHLER: The unavailability estimates here are 8 strictly automatic actuations. When I come down here and say, 9 okay, what's the change in risk in terms of core melt, in 10 terms of man rem exposures, then you have to have an 11 integrated model and start factoring in manual actions, those 12 kinds of things.
\~- 13 MR. EBERSOLE: May I ask a question about common 14 cause failure? When Combustion came out with a core 15 protection calculator and put in solid state equipment to 16 actually drive the trip systems, one then brings up the common 17 cause failure due to ambient temperature conditions. Last 18 week we were hearing interesting stories about if you leave 19 equipment subjected to not very high departures from normal 20 temperature, you get all sorts of weird performance in the 21 solid state equipment.
22 I have thought that the Westinghouse system was not 23 vulnerable to this sort of thing. Of course, you always have 24 the manual backup. Am I right?
25 MR. HITCHLER: Let me give you my opinion at this
i 172 1 point. On a Westinghouse system, if we are going to have a a.
2 sensitivity to these kinds of spurious or these temperature .
j 3 ranges, where you will see this is really in terms of the j 4 drift from the setpoint, those kinds of functions as opposed 5 to what is driving this result, which is the logic cabinets.,
6 There is a 1/0 type of function. Also, we are not doing 7 on-line calculations here as you would on the core limit 8 protection devices.
9 In terms of our integrated protection system, we are 10 sensitive to the same kinds of issues you were hearing about 11 last week. The microprocessor. You may have to look at 12 spurious actuations.
13 MR. EBERSOLE: So you get setpoint drift, but that 14 wouldn't lead to any major problems 15 MR. HITCHLER: We have sufficient diversity, and 16 that's the key. -
17 MR. WARD: Mike, a question. As I recall in the 4 18 ATWS study, the NRC Staff estimated that the Westinghouse --
j 19 or the basis for its analysis was the Westinghouse plants with 20 AMSAC. Given an ATWS, the probability of core melt is about 21 10 percent. Are you familiar with that number? Do you have 22 any comments on that? Is that consistent with your kind of 23 thinking?
24 MR. HITCHLER: I went through that kind of logic, i
25 My comment at the time was it was too simplistic. It doesn't 4
i I
l l
_____._,_.-__,.,_,__,)
173 4
allow for different configurations. As I mentioned before,
( 1
\
2 you are highly susceptible to how well you are training your 3 p e opl e , how well their procedures are configured.
4 I would say the number really isn't anywhere near 5 that high, but again, I would have to talk about specific 6 cases. In general, I would say the number is probably more 1
7 like one percent, maximum five percent. Again, that is my 8 experience in terms of design of Indian Point.
9 In terms of our man rem exposure, just to put things 10 in the right context here, what kind of risks are we really 11 dealing with here, if you use the ALARA criteria or the $1000 12 per man rem, we are saying ATWS-type sequences for our base 13 case essentially are inducing $32 of risk per year, which is 14 extremely small.
15 Also, the i nadavertent trips that we are inducing on 16 the plant at overtesting is inducing essentially $200 worth of 17 risk, so when you come down here and do your actual 18 quantifications, relaxations, you find you actually get a 19 reduction in the expected man rem. Also, you have to come down 20 here and look at what are the economic benefits.
I 21 What I have done here is shown what we think is a 22 conserative basis for the expected savings per year at a plant 23 in terms of the reduced amount cf manpower you are going to 24 need for testing of channels and also what number of 25 inadvertent trips are you going to eliminate.
.ww---< w, , , , , ,,,---ww,---a w .--n, m-ww., , , n.,., -,,.,,-,-,-c- ,,w,--- ----n r- ----~,m, * - - - ,
174
[~5 1 What you can see is we are talking about saving 2 $147,000 per year in terms of the benefit versus the man rem 3 exposure here of $38, so the numbers just become ridiculous at 4 that point.
5 So that was just to show how that work was done.
6 Also an important thing here was we looked at the analyses 7 from the standpoint of where do we get the most payback. We 8 said we wanted this huge -- where we relaxed everything for 9 Case 1. You come down here and factor through the actual i
10 payback to the utilities and the industry. You find your 11 total savings would be $162,000, but nearly all of that came 12 strictly from the analog channels. So therefore, it just
' O 13 wasn't worth trying to justify the extended times because they 14 just aren't worth that much to us. You get all of your 15 payback here. It's the simplest thing. So we try to take 16 that kind of balanced approach all through the process, on the 17 unavailability estimates, the impact on risk, and actually 18 where we think we get the most benefits, the most safety 19 ultimately.
20 MR. KERR: Does that analysis take into account the 21 fact that the testing may actually make things worse?
22 MR. HITCHLER: In most cases the testing did make 23 things worse. In fact, that's what this item Case 2 shows.
24 That's why we have this reduction in core melt frequency here 25 and reduction in manpower for man rem.
175 1 MR. KERR: I had assumed much of that came from
("N 2 avoidance of inadvertent trips. That's not the case?
3 MR. HITCHLER: No.
4 MR. KERR: You actually made some model mistakes in 5 maintenance that could occur?
6 MR. HITCHLER: Mistakes in maintenance. Also, some 7 of these channels had to be taken out of service to retest 8 them.
9 MR. KERR: Thank you.
10 [ Slide]
11 MR. HITCHLER: Getting down to really the heart of 12 the issue. We are getting down to common cause 13 failures. That's really what you come down to. I guess I was 14 hearing a misconception as to what I define common cause 15 failures as being, what the numbers are that we use in the 16 analysis. The numbers in the analysis that we use state that 17 we are going to make errors in our design -- I think this is a 18 Freudian slip. It says " design defeats" as opposed to " design l 19 defects." Fabrications, quality control testing, all of these 20 are in there. ;
21 Common cause that I refer to are really things I 22 don't know about but I can recognize for systems that have 23 these kinds of reliabilities; that there are unknowns out 24 there. And they happen to have a fairly constant rate. Go 25 back into the data bases. You find that these kinds of things
- - - _.- -- - ~ _ . .- - - . _ _ _ _ _ . - -
176
/ 1 do happen. It just is an indication of the limits of the IEEE b} 2 codes and the design process. They are going to happen, so 3 therefore we put in factors to say we are going to make 4 certain our model can be forgiving enough even if we have this 5 fudge factor at this point.
6 There is science associated with these numbers. It 7 is based on what we have seen in the past and what's the rate 8 at which these things occur.
9 MR. KERR: Is qualitatively, then, the implication
' 10 that frequency of testing has some effect on the contribution 11 from common cause failures?
i 12 MR. MITCHLER: Very much.
13 MR. KERR: I must say I have a great deal of 14 skepticism i f that is the case, but that may be because I just f
15 haven't looked at it in that detail.
16 MR. HITCHLER: One of the examples I could use here 17 would be diesels, running diesels without being under load.
i 18 You are essentia11.y wearing them out.
l 19 MR. KERR: What I am saying is you told me, I think, 20 if I go much beyond six months in my test interval, I begin to 21 get some rather serious degradation in availability. Now, if 22 common cause failure accounts for 90 percent of the 23 unavailability, what that says to me is between six months and g 24 18 months, let's say, for refueling, I somehow am going to --
25 if I test every six months instead of every 18 months, I am 4
---.,.----4-.-_ . - . . , _ - _ - . . . - --__--w... ,,_....._----.m. -,,----,-.-.--_,_.,_.y-- r---._ __ %_--._, ,- , v--.-,,.--- ,--
177 1 going to significantly reduce common cause failure.
O' 2 Intuitively, I don't understand that.
3 MR. HITCHLER: You may reduce it in certain areas 4 but it is going to build up in others.
5 MR. KERR: But -- did I misunderstand? I thought ,
6 you were saying that it's better to test every six months than 7 overy 18 because I can show that I significantly reduced risk, 8 but common mode failure is responsible for 90 percent of that, 9 which says to me that if I test every six months instead of 10 every 18, I somehow reduce the common cause failure 11 contribution.
12 MR. MITCHLER: You reduce the common cause failure 13 contribution due to tests. As you go to 18 months, your mix 14 starts to change. What really happens at nine months, your 15 random failure probabilities start to dominate as opposed to y 16 your common cause failures.
17 MR. KERR: I didn't get that point.
18 Okay. You are saying you really believe this j 19 conventional wisdom that testing can restore things to the
- 20 original --
21 MR. HITCHLER: Almost original.
22 MR. KERR: It's an article of faith that may be 23 worth taking seriously.
24 MR. HITCHLER: One thing that is a major benefit in i 25 terms of this analysis also is the recommendation that we n-.,-.. - . - - - - - - , , - , - , . _ - . . , - - - - . , . . - , . - - . _ . .. . . - - . _ - . - . , - . - . . - . . . - . , _ - , . - - - - , - . . - . . - , . , , . . - . - - .
178
'~'N 1 always have staggered testing of components. That's what 2 really keeps the common cause under control. For example, 3 when we test breakers, we recommend you test one per month, so 4 staggered testing really helps to give some kind of higher 5 degree of confidence that we don't have these common mode 6 failures existing for long periods of time.
7 MR. KERR: Does that also probably mean that a 8 different crew does the test, or does the same crew generally 9 do that kind of testing? I will accept I don't know.
10 MR. HITCHLER: There is no guarantee. In fact, 11 that's what this is. We come down here with these breaker 12 functions. We are saying that you can get coupling. In this 13 case we are assuming for this kind of equipment and kind of 14 low failure rates, we are assigning a beta factor of 15 essentially .2, very high coupling degree.
16 MR. DAVIS: Where did that come from? Was that 17 deliberately chosen to be conservative or do you have data to 18 support that number?
19 MR. HITCHLER: It was chosen to be conservative.
20 The data we have in house, our estimates of the number would 21 be like .C5.
22 MR. DAVIS: Seabrook used .11 in their PRA, which 23 seems to be a reasonable number.
(O,) 24 MR. EBERSOLE: You staggered this maintenance on a 25 chronological basis. Shouldn't you really stagger it on the
179
[ 1 basis of the number of demands between maintenance? I mean
\_- l 2 just time may bring you no challenge.
I 3 MR. HITCHLER: We test every two months. What we '
4 are saying in essence, we have some kind of criteria for the 5 standby system.
6 MR. EBERSOLE: What you are anticipating is having a 7 callup of the system to see if it works before you maintain 8 the other channel That doesn't necessarily apply linearly 9 with time.
10 MR. KERR: I don't understand your question. Do you 11 understand his question? If you do, I don't have to.
12 MR. HITCHLER: I would like a little further i
'-'# 13 elaboration.
14 MR. EBERSOLE: Just to say x months or weeks, 15 whatever separation in maintenance doesn't define what 16 challenges may occur within that system to confirm it. You 17 are just using time as a parameter, and it may be meaningless 18 if there are no events in time.
19 MR. LIPINSKI- I think I understand his question.
20 You have to select the routine test interval, but then you 21 want to test everything simultaneously --
22 MR. EBERSOLE: I am saying you are testing 23 simultaneously. If there are no events between tests, if they 24 are irrespective of how long or short the time is. Time is 25 not a parameter.
180
[~N 1 MR. KERR: No, Jesse, these events occur at random, 2 so you have to assume that.
i 3 MR. EBERSOLE: Suppose that nothing had happened 4 since the last maintenance interval In essence, you would 5 have coincident maintenance.
6 MR. LIPINSKI. Yur operator is the common cause if 7 he is doing maintenance and goofs up everything --
8 MR. EBERSOLE: You can synthesize.
9 MR. KERR: It doesn't have to do with what happens 4
10 to the breaker. It has to do with what happens to the 11 maintenance people.
12 MR. H1TCHLER: One of the assumptions -- it's not an 13 assumption, it's actual data as to how much maintenance we 14 are actually doing in those cabinets. What is the average 15 time? In our poll, 18 utilities, it was essentially once per 16 year, peak of two per year, so really we don't have that high 17 a vulnerability or sensitivity to that kind of a judgment.
18 One of the hypotheses of your report in essence is 19 saying what kind of a procedure thould we have in place if 20 they go in there. -We have the procedures in place. The next 21 question is this thing: who is following it? So common cause 22 deals with those kinds of things.
23 In terms of the analog channels, nonlogic trip 24 breaker areas, we used essentially the Atwood model. It's a 25 common mode failure rate model based on actual plant
181
[~% 1 experience where you have miscalibration as being the dominant 2 common mode failure mechanism. Unfortunately, Core 1 didn't 3 have something similar for breakers; otherwise, we would have 4 preferred to be consistent.
5 [ Slide]
6 How does this relate, really, to the undervoltage 7 driver cards, common cause. Talk about what we had in the 8 model, what kind of base assumptions we had. I just had these 9 here just to keep in perspective where those cards physically 10 are.
11 With respect to common cause failure, we are in the 12 same cabinets, separate locations. Also, we have procedures O
-- 13 that specifically state you cannot do maintenance on both 14 channels at the same time. Also, maintenance is a fairly rare 15 event in terms of plant. As I said, it is about once per year 16 per train. So the probability of having two of these line up 17 for maintenance in the same test period is fairly low. In 18 other words, the same guide room, same operation within eight 19 hours2.199074e-4 days <br />0.00528 hours <br />3.141534e-5 weeks <br />7.2295e-6 months <br /> of each other is. fairly low, although it can happen, and 20 the model actually does include that kind of assessment.
21 Also, we have staggered testing, which means monthly 22 we are going to have testing on at least one of those channels 23 for one of those cards. So therefore, this system has certain
\ 24 inherent protection devices in terms of the procedures, the 25 location and the testing intervals to minimize common cause
4 4
182 1 effects.
v 2 [ Slide]
3 MR. KERR: You say it will eliminate common cause 4 failures, it will identify a failure in one train. I assume 5 'it won't tell you you have had a common cause failure but i t, 6 will tell you you have had a failure?
7 MR. HITCHLER: It will tell you if you do not have a l
8 common cause mechanism operating.
9 MR. EBERSOLE: Is there a similar statement about 10 maintenance on breakers?
11 MR. HITCHLER: Yes, although breakers have a very 12 high coupling factor., They have that .2 beta factor. Also, O 13 remembering the beta factor was chosen in light of the 14 analysis was being completed about the time of Salem. So we 15 wanted to have a conservative basis.
16 [ Slide]
17 I am going to use the Sequoyah event. I'm going to 18 postulate that's a random failure. It isn't. Just to give you i
19 a perspective on what's in the TOPS analyses right now. In 20 terms of we explicitly treat the Q-3 transistors and the other 21 transistors on the undervoltage cards, the TOPS WCAP assumed a 22 failure rate is essentially 2 x 10 to the minus 7 per hour of 23 operation, which translates into a demand on availability of 24 1.4 x 10 to the minus 4, which actually results in the 25 unavailability of the overall trip signal for one whole train w - - .--,,--.,nn . . , - _.,,m- r--. ,.-
183
/h 1 is 1.5 x 10 to the minus 4.
\ J
%d 2 MR. EBERSOLE: What is the time unit there?
3 .MR. HITCHLER: These are demand here. This is per 4 hour. If you assume one random failure for the Sequoyah event 5 as being our event, that's where we burned out this transistor 6 bearing during operation, these essentially are how the 7 numbers change, with the bottom line being here is the overall l
8 change in estimated core melt frequency from the base to using 9 the Sequoyah data as 100 percent valid data. It says it's .02 10 percent change in core melt for the Indian Point plant, which 11 should be valid for virtually all plants in terms of this kind 12 of sensitivity.
O 13 As I said, this failure really wasn't a random 14 failure. The failure was really a maintenance or breakdown in 15 the maintenance procedures.
16 [ Slide) 17 So I have done an analysis here to show what is the 18 impact if you put this into the maintenance portion of the 19 models and how you would explicitly treat it. In terms of the 20 TOPS analyses, we have a whole section that deals with 21 intervals and time for maintenance for each section of the 22 reactor protection system, including the undervoltage cards.
23 The maintenance period is once per year for the s j 24 specific card. Time to repair is about six hours to actually 25 diagnose the problem, pull the card out, which means the
~ . - . .
184 protection channel is unavailable for six hours.
[~ 1 2 In the TOPS analysis, we assumed that human errors 3 -- in other words, failing to follow procedures -- were 4 essentially a second order factor, a negligible 5 contribution. Here is the number that actually comes out of 6 the analysis for unavailability due to problems during 7 maintenance on those channels. That's in the TOPS WCAP. Also, 8 it's part of the overall SER, part of the basis for the SER K
9 relaxation.
10 What we did then was to go back and test whether or 11 not this hypothesis here that was negligible was an accurate
_. 12 or a good assumption. So what was done was we took the fault 13 analyses, the logic modules that we had in the past, and we 14 expanded those out to explicitly treat those kinds of failure 15 and see how things actually changed. So we used the Sequoyah 16 incident as our data. Part of data base used the fault tree 17 analysis.
18 We have 88.4 years of operating experience on those 19 undervoltage cards as of the last month, two driver cards per 20 plant. We also went back and verified that the procedures are 21 in place that you should be testing when you have done
, 22 maintenance on these cards, so every plant has that 23 recommendation in place.
O 24 Also, we have a two-month test interval for the (jl 25 logic cabinets. We are not taking any credit for any kind of s
_ . ~ - - , ,--
~ , - - , , , , - , - - - - , ., _ _ _ , , - - _ _ _ _ . , , .
185
[~^ 1 relaxation. Results -- and let me just show you first of all 2 the fault logic module.
3 [ Slide]
l 4 It was that in the TOPS work, essentially this 5 section up here, this unavailability due to normal maintenance 6 routine was in the model. We had it developed by saying if we 7 have something abnormal occurring which is a breakdown in 8 procedures and other factors, we came down here and we 9 developed an entire segment here that talks about are you in 10 maintenance, have you followed your procedure correctly, have 11 you gone back and tested what is the probability of human g_ 12 errors, equipment errors all down here.
(\. ) 13 Essentially, you swing from the standpoint of coming l
14 up with a number for the probability of not following that 15 procedure. So this was factored'in explicitly.
16 [Slidel 17 The bottom line came down to the unavailability per 18 train went from 6.85 E to the minus 4 to 6.90 E to the minus 19 4, which says the original boundary condition was a reasonable 20 assessment. This is really to take into account these human 21 errors that exist, 22 Increased unavailability was less than 5 x 10 to the 23 minus 6. This doesn't include common cause, probability of O
() 24 implementing the wrong procedure on two channels, but just 25 doing some quick assessement. Even if I assume I have 100
\
l i
186 l 1 percent coupling between frames, make the same error at the 2 same time on both frames, we still see the worst it could be 3 as a factor is 5 x 10 to the minus 6 for the failure of the 4 reactor protection system.
5 So in the worst of all worlds, this number won't 6 have a significant impact on the overall unavailability 7 assessment in the document. In reality, the coupling factor, 8 we have done an estimate, the number of the coupling should be 9 a number of about .04 just because of the staggered testing 10 and the probability of having random failures or having to do 11 maintenance in both channels very close together.
12 That is essentially the bottom line at this point, s
\w- 13 that we have modeled the field data and we still don't see 14 that there is an issue here. It's not a generic issue. We 15 feel that it wasn't unusual to expect that kind of a breakdown 16 at some point, but it was a breakdown or human error in terms 17 of somebody not following procedures, not from the standpoint 18 of something systematically wrong here.
19 MR. KERR; Any questions?
20 CNo response.)
21 MR. KERR; Do you have any suggestions for plant 22 operators to avoid or to decrease the likelihood that this 23 sort of maintenance error will occur other than getting rid of 24 stupid people?
25 MR. HITCHLER: I'm leery dealing with this size of a
187
['T 1 data base since we are dealing with one event during critical 5,g 2 operation, so I have no way of saying --
3 MR. KERR: You would certainly like to avoid people l 4 using the wrong kind of test instruments, and the implication 5 that people who did the test may not have been very well ,
6 trained or working under a hangover or something. Maybe 7 indeed this is not considered Westinghouse's responsibility.
8 I was just curious as to whether Westinghouse gets involved in 1
9 recommendations or do they sort of take the attitude that, 10 well, it's so obvious what one should do that we are not going 11 to tell a utility or utilities what to do.
12 MR. HITCHLER: I think it comes down to really O
13 cost-benefit at this point in terms of what Jim was showing, 14 in terms of that fusible link. Here we have a known failure 15 mechanism that's not important from the standpoint of risk but 16 it is also a dirt cheap thing to do. Therefore, as far as I'm 17 concerned, that kind of thing is worthwhile putting in.
18 If we are talking about redesigning the entire 19 protection cabinets --
20 MR. KERR: No. See, one of the things that bothers 21 me a little bit about all of our approaches to this is that in 22 spite of a number of people who have said we probably have 23 fairly good equipment and from now on the problems we have are 24 going to be people related, we still are emphasizing what can 25 we do with equipment. You factor a little bit of people into
~ . . _ _ . _ _ _ _.. _ - _ . _ . . _ _ _ _ _ _ _ _ . . - _ _ _ _ , _ _ . . . _ _ _ _ _ _ _ _ _ . - - _ _ _ _
I l
l 188
['T 1 your analysis when you talk about people pushing a trip 2 button, but it may well be that at some point -- and I'm not 3 sure but what we maybe have reached it -- that what we really 4 need to concentrate on, if indeed we do need to reduce risk, 5 is how we can select, train, motivate, whatever the people 6 responsible for operating these things, and it will be there 7 that one gets any possible increase in risk reduction.
8 Now, Westinghouse is no authority in this field, as 9 far as I know. I'm certainly not.We'are sort of doing what we 10 know how to do, which is risk analyses and equipment 11 design. When do we reach the point of diminishing returns?
- 12 Those are, of course, two questions. How far should
\
13 we go in risk reduction, but if we are going to try to achieve 14 more, how do we tell when we ought to quit playing around with 15 equipment and start looking at the people?
16 MR. LITTLE: Dr. Kerr, I guess I would like to 17 address that a little bit. Westinghouse isn't only in the 18 business of designing nuclear steam supply systems and 19 building plants and supplying instrumentation and doing high 20 powered technical analyses like PRA. Westinghouse is also in 21 the business and has been in the business for quite a while of 22 training reactor operators, training instrument technicians.
23 As a matter of fact, Mr. Katz, as I mentioned before, is in
/
I 24 the electrical engineering department of the Nuclear Services 25 Integration Division.
189 In that same building is located the plant simulator
(T 1 w) 2 in that building. We train utility personnel in how to 3 maintain this equipment. And in that same vein, when new 4 designs are developed, the people responsible for training in 5 maintenance review those designs, and a part of design review 6 is for that equipment.
7 So we feel that is very important. We see the 8 biggest area for improvement in plant operations and safety is 9 clearly maintenance. I think Mike Hitchler has demonstrated
'10 that today. A lot of the work that went into emergency 11 operating procedures after TMI was a result of a lot of effort 12 by people at Westinghouse. I think since that time, the focus
, -s' 13 has been on the maintenance area, quite a lot of focus on the 14 maintenance area.
15 Westinghouse has a large technical bulletin system 16 where we identify situations like Sequoyah. We let people 17 know what the events were, what the causes were, and we 18 provide recommendations to all those utilities that are 19 customers of Westinghouse, so we are very interested in that.
20 MR. KERR: Well, if one of my colleagues were here 21 today, he would ask you what your attitude is towards 22 selection tests which pick out people who have mechanical 23 ability. He is convinced that one can use these tests with
) 24 gratifying and important results.
25 Does Westinghouse as part of its'repertoir look at
d 190
- N 1 the efficacy or validity of tests designed to pick out people 2 who do or do not have mechanical ability?
~
3 MR. LITTLE: There are organizations in Westinghouse
. 4 that can do that sort of work, yes, in the Training Division.
5 MR. KERR: Do they believe that it has a high 6 measure of validity, or do you know the answer to that 7 question?
8 MR. LITTLE: I guess I'm not responsible for the 9 answer, but I know they don't rely on that criterion alone.
10 MR. KERR: I was just curious as to how seriously it 11 might be taken. I have an open mind on this, which means I 12 don't know anything about it; but at least one member of the
/
\
13 committee is convinced it could improve operating crews 14 markedly.
15 MR. LITTLE: I guess I'm not really the expert on 16 that.
17 MR. WYLIE: My last question of Westinghouse, which 18 is a large manufacturing company, do they use that criteria in 19 selecting their employees?
20 MR. LITTLE: Employees who do what?
21 MR. WYLIE: Go into the designing area at 22 Westinghouse. Do they select using aptitude testing for 23 employment? ,
g 24 MR. LITTLE: I only can relate to my own employment 25 history at Westinghouse. In spite of my universi y
191 1 credentials, I was given an aptitude test when I started at 2 Westinghouse.,* I don't tnow if I failed or passed.
J.
3 MR. WYLIE: Do they use that a screening criteria v
4 for new employees?
5 MR. LITTLE: I don't believe they do. I think they l
6 puse the university accreditation system to do that.
7 MR. WYLIE: What about their non-degreed employees?
8 MR. LITTLE: Non-degreed personnel people go through 9 a series of training programs and testing and on-the-job 10 performance, those sorts of things.
11 MR. WYLIE. They do not use any prescreening as part 12 of their employment?
'-- 13 MR. LITTLE: There is prescreening of people by 14 Westinghouse prior to Westinghouse hiring them. There is 15 prescreening of people by Wes'tinghouse prior to sending them 16 to sites unescorted as well. Observational reports by the 17 supervisors and psychological tests as well.
18 34R . WYLIE: Tha- a little different than aptitude.
19 MR. LITTLE *ta s true.
-20 MR. KERR: Are there other questions?
21 [No response.]
22 MR. KERR: , -I want to thank all of you who have f 23 participated, including some of the people who are not here,
(
- 24 and express my special appreciation to Westinghouse for the 25 !
/ contribution you have made. It has been quite helpful to me.
., t It $
192
/'S As I said earlier, I am not certain where this V
1 2 investigation should go from here, and I won't attempt today 3 -to decide that.
4 I would like for those of you who are here, if you 5 will, to give me, in addition to whatever evaluation you can, 6 make on what we have done today, a direction that you think 7 might be profitable as we explore, sort of, this general area.
8 First, we perhaps need some information on GE trip 9 breakers, which we either don't have or which may be readily 10 available, and then perhaps some analogue, or it may be even 11 trip breakers that are used on BWRs. Eventually we need 12 perhaps -- and we have already seen some evidence of a
13 broadened look made by Westinghouse -- I think we need to 14 consider this in other areas.
15 But I would welcome suggestions from you as to some 16 logical way that we might proceed, including a suggestion, if 17 this is your suggestion, that we have done enough. But I am 18 not trying to make this committee -- the life of this 19 committee as long as the life of the ATWS committee, because I 20 don't think I would live that long.
21 [ Laughter.3 l
22 Any further questions or comments?
h 23 [No response.]
24 MR. KERR: Meeting adjourned.
25 [Whereupon, at 1:45 o' clock, p.m., the meeting was
193 1 adjourned.]
2 3
4 5
6 7
8 9
10 11 12 13 14 15 16 17 18 l
19 20 i
21 l
22 23 24 25 l
l
-\ 1 CERTIFICATE OF OFFICIAL REPORTER 2
3 4
5 This is to certify that the attached proceedings 6 before the Unitad States Nuclear Regulatory Commission in the 7 matter of: ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 8
9 Name of Proceeding: Subcommittee on Scram System Reliability 10 11 Docl< e t No.
12 PIace: Washington, D. C.
18 Date: Wednesday, July 17, 1985 14 15 were held as herein appears and tant this is the original 16 transcript thereof for the file of the United States Nuclear 17 Regulatory Commission.
I le .
'] i/
/
g (Signature)
(Typed Name of Reporter) g g /( ,
Mimie Meldzer
[{
20 21 22 Q 23 Ann Riley & Associates, Ltd.
b 24 25 i
. \
f . i i
RANCHO SECO - REACTOR TRIP BREAKER TEST FAILURE O
JUNE 5, 1985 (S. MINER, NRR)
- RANCHO SECO HAS GE AK-2-25 REACTOR TRIP BREAKERS. i.
DURING REFUELING OUTAGE, ALL RTBS WERE REFURBISHED IN ACC'ORDANCE WITH B&'W OWNERS GROUP PROGRAM, PREPARED IN j
RESPONSE TO GL 83-28 0F JULY 8, 1983.
i
. PRIOR TO PLANT STARTUP, ONE REACTOR TRIP BREAKER (RTB)
FAILED DURING POST-MAINTENANCE OPERABILITY TESTING.
- ALL RTBS HAD BEEN REFURBISHED BY GE-ATLANTA AND CER BY B&W-LYNCHBURG.
- UNDERVOLTAGE TRIP PADDLE JAMMED AGAINST ARMATURE WI AP,t;ATUT:C IN ENERGIZED POSITION (SHUNT TRIP REMAINED OPERABLE).
- LICENSEE EVALUATION INDICATES UV TRIP ASSEMBLY ARMATURE / ROLLER-RIVET MEASUREMENT GROSSLY OUT OF SPECIFICATION.
ALL RTBS REINSTALLED AFTER PASSING REVISED POST- .
TEST PROCEDURES.
FAILED BREAKER TO BE EVALUATED BY B&W OWNERS GROU ..
- IE INFORMATION NOTICE IN PREPARATION.
O 2y
'. j l
l FIGUP.E 1 .
I ,
';s
.;*g I
\
TRIP SHAFT - ._f f&. c. I 4
UNDEAvcLTAGE. TRIP PADDLE
/
g
- S':
Y ,%.i.,..,... _J
\\\\\\\\\ .
. ~
- p.,
i l p ARMATURE \ \' '
q, \\\ Roi. TEA-AIver r
ses
\'
\' \\) g .
F 1 i
f i j
{+ FRAME e d p li '
@M j
I i
", c I
) -
%s colu n l ,
M ')
s J ..
UNDERVOLTAE TRIP OEVICE C0fL DE-ENERG!2ED
. i
,---------m- --
The Rancho Seco Unit 1 periodic maintenance program for the reactor trip breakers should include, on a six month basis:
- 1. Verification of breakers cleanliness and insulation structure; all foreign materials, such as paint, dust, or oil, should be removed to prevent electrical breakdown between points of different potential.
- 2. Verification of breaker physical condition, including wiring insulation and tennination, all retaining rings, pole bases, are quencher, stationary and movable contacts, and tightness of nuts and bolts.
- 3. Verification of proper manual operation of the breaker, including checks for excessive friction, trip bar freedom, latch
, engagement, operating mechanism alignment and freedom, and
! undervoltage trip (UVT) device armature freedom.
- 4. Verification of the optimum freedom of the armature as specified in General Electric Service Ady':e 175-9.35, item
- S1.
t
- 5. Verification of proper trip latch engagement as specified in Service Advice 175-9.35, item #2S.
l 6. Verification of undervoltage pick-up setting, as specified in Service Advice 175-9.35, item #S3, and dropout voltage.
- 7. Verification that the trip torque required on the trip shaf t is less than 1.5 pound-inches, as specified in Service Advice 175-9.35, item #4; "Before" and "After" maintenance torque valves should be recorded.
- 8. Verification of positive tripping by checking the adjustment between the UVT device and trip paddle as specified in Service Advice 175-9.35, item #SS.
- 9. Verification of proper trip response time as specified in Service Advice 175-9.35, item #S6.
4 I 10. Lubrication of trip shaf t and latch roller bearings with Mobil l 28 lubricant.
- 12. Examination and cleaning of breaker enclosure.
- 13. Functional test of the breaker prhr to returning it to
, service.
O
~
l 1
I ACTIVITIES 0F WESTINGHOUSE
& WESTINGHOUSE OWNERS GROUP INVOLVING REACTOR TRIP SYSTEM SWITCHGEAR AND PROTECTION SYSTEM RELIABILITY i
O
~
JAMES L. LITTLE MANAGER OPERATING PLANT LICENSING SUPPORT NUCLEAR SAFETY DEPARTMENT NUCLEAR TECHNOLOGY DIVISION
!O 4
- 1. 1 J'
i
,. l
{
I !
L 1
1 A
f i
l 0 RESPONSE TO SALEM EVENT >
l.
i 8 PROTECTION SYSTEM RELIABILITY ANALYSIS f
8 SEQUOYAH G !
1 i
i h
i
.m . a. _ - . - # .h.. -_ a _ .._3 __ _ __ .m__
RESPONSE TO SALEM EVENT
)
O RELIABILITY ANALYSES OF REACTOR TRIP SWITCHGEAR OPERATING EXPERIENCE 9 GENERIC DESIGN OF AUTOMATIC SHUNT TRIP 0F REACTOR TRIP SWITCHGEAR - DB-50 AND DS-416 MODELS S LIFE CYCLE TESTING AND QUALIFICATION OF UNDERV0LTAGE TRIP AND SHUNT TRIP ATTACHMENTS FOR DB AND DS SWITCHGEAR
-, 4 v
0 MANAGED MAINTENANCE PROGRAMS FOR DB AND DS
,- SWITCHGEAR ALL OF THESE ITEMS WERE COMMITTED TO BY THE WOG PRIOR TO THE ISSUANCE OF GENERIC LETTER 83-28 I
lO
~
REACTOR TRIP SWITCHGEAR OPERATING EXPERIENCE O '
O SURVEY OF 25 DOMESTIC UTILITIES TO GATHER DATA EXPERIENCE 31 PLANTS (ALL OPERATING DOMESTIC WESTINGHOUSE PWRs) ,
250 REACTORS YEARS OF EXPERIENCE FROM 1963 TO 1983 ADDRESSED BOTH MAIN AND BYPASS BREAKERS
- FAILURE' DATA REPORTS, COURSES, CORRECTIVE ACTIONS TAKEN CALCULATIONS OF NUMBER OF ACTUAL DEMANDS DUE TO AUTO TRIP, TESTING, MAINTENANCE, ETC, 1
9 O
DB BREAKERS WESTINGHOUSE RELIABILITY SURVEY O -
e SPONSORED BY WESTINGHOUSE OWNERS GROUP 0 26 PLANTS (99 UVTA DEVICES)
- 10,000 DB-50 UVTA CYCLES REPORTED e TESTING e PREVENTIVE MAINTENANCE e AUTOMATIC TRIPS 22 REPORTED EVENTS e 18 INDEPENDENT-(13 DURING TESTING OR PM) .
e 4 COMMON CAUSE (SALEM) 0 UVTA FAILURE RATE: APPROXIMATELY 1.7 X 10-3 FAILURES / DEMAND 0 CONCLUSIONS:
RELIABILITY RATES HIGHER THAN INITIALLY ASSUMED FAILURE RATES CONSISTENT WITH VALUES USED IN PRA'S AND TOPS 11 0F 13 MALFUNCTIONS REPORTED WITH IDENTIFIABLE CAUSES WERE MAINTENANCE-RELATED DIFFERING MAINTENANCE AND TESTING PHILOSOPHIES CAN YIELD ACCEPTABLE RELIABILITY NO REPORTED FAILURES IN SHUNT TRIP DEVICES OR REACTOR TRIP' BREAKERS EXCLUDING UVTAs O
DS BREAKERS L
l 0 FIVE PLANTS 1
- 2100 CYCLES i - 7 FAILURES (BINDING) 8 FAILURE RATE:
- 3.0 x 10 3 FAILURES / DEMAND CONCLUSIONS
'l
! 8 MALFUNCTIONS WERE ASSOCIATED WITH O -
MANUFACTURING TOLERANCE ANOMALIES DUE TO INADEQUATE SPECIFICATION AND INSPECTION e NEW DS UVTA DEVICES INSTALLED AT ALL WESTINGHOUSE PLANTS 0 REVISED INSPECTION PROCEDURES INSPECTS 100% OF CRITICAL PARTS e
O
- I SHUNT C0ll MODIFICATION O ..
WOG DEVELOPED GENERIC SHUNT TRIP DESIGN AFTER SALEM EVENT FOR DIFFERENT VERSIONS OF WESTINGHOUSE PROTECTION SYSTEM DESIGNS SHUNT PROVIDES AUTOMATIC BACKUP TO UVTA TO ENHANCE REACTOR TRIP SYSTEM BREAKER PERFORMANCE NRC/ WESTINGHOUSE /WOG WORKED CLOSELY ON DESIGN DEVELOPMENT AND REVIEW. SER COMPLETED AND PLANTS IN PROCESS OF PERFORMING MODIFICATIONS s
U
O ..
DB-50 CONFIRMATION TESTS e WESTINGHOUSE COMMITMENT TO CONDUCT AN EVALUATION PROGRAM -
MARCH 83.
'e TEST OBJECTIVES CONFIRM FORCES AND FACTORS AFFECTING FORCES EVALUATE CYCLIC LIFE EFFECTS CONFIRM PERIODIC MAINTENANCE GUIDANCE e TEST PLAN 5 UVTA'S
. 1 UVTA CONTROL SAMPLE - NOT CYCLED
. 2 UVTA'S CYCLED FOR 2500 TRIPS, WITH 300 SHUNT ,
' TRIPS INTERSPERSED AT THE 1200 AND 2400 CYCLE POINTS; PERIODIC LUBRICATION EQUIVALENT OF EVERY 1
2-3 YEARS OF OPERATION (200 CYCLES)
. 2 UVTA'S CYCLED FOR 2400 TRIPS WITH ONLY AN INITIAL LUBRICATION UVTA'S. MOUNTED ON DB-50 BREAKERS i
PERFORMANCE MEASUREMENTS TAKEN EVERY 200 CYCLES (BEFORE AND AFTER LUBRICATION)
METALLURGICAL EXAMINATIONS FOLLOWING TESTING i
1 l
l
RESULTS OF DB-50 UVTA CONFIRMATION TESTING Oe FORCE RATIOS: ;
' UVTA: 2-TO-1; SHUNT: GREATER THAN 6-TO-1 l e INITIAL UVTA TESTING:
2 FAILURES-TO-TRIP IN 7000 INTEGRATED TRIP DEMANDS (ATTRIBUTED TO EXCESSIVE FRICTION DUE TO INADEQUATE -
LUBRICATION -- LUBRICATION PROCEDURE CHANGED ADDITIONAL INSIGNIFICANT WEAR POINT IDENTIFIED --
CAN BE EASILY ELIMINATED BY A CAPTIVE PIN MODIFICATION 2 FAILURES-TO-LATCH (FAILSAFE) DUE TO LATCH HOOK WEAR
! (BOTH OCCURRED IN NON-PERIODIC LUBRICATION TESTS) ,
i e TESTS REPEATED ON 4 NEW UVTA's WITH IMPROVED LUBRICATION PROCEDURE AND CAPTIVE PIN MODIFIATION: ,
1 FAILURE-TO-TRIP IN 9800 INTEGRATED TRIP DEMANDS
'O .
(0CCURRED IN NON-PERIODIC LUBRICATION TESTS)
PERFORMANCE IMPROVEMENT ATTRIBUTED TO LUBRICATION PROCEDURE AND NOT TO THE CAPTIVE PIN MODIFICATION ,
e CONCLUSIONS i -
NO DESIGN DEFICIENCIES FOUND _. DEVICE IS SUITABLE FOR ITS APPLICATION -- ADEQUATE FORCE MARGINS EXIST WEAR WAS NOT A FACTOR IN FAILURE-TO-TRIP -- WEAR i TENDS TO BE IN FAIL-SAFE DIRECTION PERIODIC FORCE AND RESPONSE TIME MEASURElENTS DID NOT PREDICT FAILURES .
LUBRICATION GUIDANCE CAN BE IMPROVED (BASED ON i
LIMITED TEST SAMPLE) -- REVISED PROCEDURE SENT TO UTILITIES REPLACEMENT LIFE IS APPROXIMATELY 16 YEARS (BASED '
O ON 75 TRIP DEMANDS / YEAR) l :
. ~ ,--...--- , --- . - . _ , , - , - - . . - - - -
O ..
KEY CONCLUSIONS FROM DB-50 EVALUATIONS AND SURVEYS e DEVICE IS SUITABLE FOR ITS APPLICATION NO DESIGN DEFICIENCIES FOUND RELIABILITY CONSISTENT WITH ITS PURPOSE DEVICE HAS SUFFICIENT FORCE MARGIN TO TRIP THE BREAKER e FAILURES TEND TO BE MAINTENANCE-RELATED UTILITIES SHOULD NOT ATTEMPT FIELD ADJUSTMENT OF THE UNLATCHING MECHANISM LUBRICATION PROCEDURE HAS BEEN IMPROVED DIFFERING MAINTENANCE PHILOSOPHIES CAN YIELD ACCEPTABLE RELIABILITY -- WHAT IS IMPORTANT IS ATTENTION TO THE DEVICE O
I
CYCLIC LIFE TESTS O '
DS-416 UVTA TEST:
8 CYCLICLIFE'YESTINGCOMPLETED 0 UTILIZED SAMPLE SIZE OF 7 UVTA'S S EACH UVTA OPERATED A CIRCUIT BREAKER FOR 2,500 UV TRIP OPERATIONS WITHOUT A FAILURE e NO ADVERSE EFFECTS WITH 600 SHUNT TRIPS INTERSPERSED 8 PERIODICALLY MEASURED:
FORCES REQUIRED TO TRIP THE BREAKER FORCES APPLIED TO TRIP THE BREAKER
~
TRIP RESPONSE TIME FORCES DEVELOPED BY UVTA AT DIFFERENT GAPS DROP-00T VOLTAGE AND PICK-UP VOLTAGE 9 TESTING COMPLETE O REPORT ISSUED TO WOG ;
NO FAILURE OF UVTA OR SHUNT dVALIFIEDSERVICELIFEOF1250 OPERATIONS ;
O l l
WESTINGHOUSE CONCLUSIONS OF DS-416 EVALUATIONS 0 DESIGN AND MANUFACTURING DEFICIENCIES CORRECTED VERIFIED BY INDEPENDENT TECHNICAL REVIEW CONFIRMED BY TESTING IMPROVEMENTS MADE IN MANUFACTURING TRACEABILITY AND CONTROL EXPANDED PRE-SHIPMENT TESTING S ALL WESTINGHOUSE PLANTS WITH DS-416 REACTOR TRIP SWITCHGEAR HAVE RECEIVED REPLACEMENT UVTA'S (ALREADY SUPPLIED TO U.S. OPERATING PLANTS) 0 WESTINGHOUSE /WOG CONSOLIDATED MAINTENANCE RECOMMENDATIONS FOR DS-416 SWITCHGEAR O
WESTINGHOUSE INITIATIVES IN SWITCHGEAR MAINTENANCE 8 WE.GTINGHOUSE PERFORMED A COMPILATION OF ALL RECOMMENDATIONS-ON SWITCHGEAR MAINTENANCE FOR THE WESTINGHOUSE OWNERS GROUP 0 RECOMMENDATIONS INCLUDE RESULTS OF CONFIRMATION TESTING, SPECIFICATION OF REPLACEMENT LIFE, AND CAUTIONS AGAINST FIELD ADJUSTMENTS 0 CLARIFICATION ISSUED ON DB-50 UVTA LUBRICATION ADDITIONAL LUBRICATION POINTS IDENTIFIED LUBRICANT AND SOURCES SPECIFIED WESTINGHOUSE SUPPLIED LUBRICATION KITS TO UTILITIES 0 DOCUMENT COMPLETED FOR DB-50 AND DS-416 AND ISSUED TO WOG MEMBERS .
l i l O !
O . . SEQUOYAH INCIDENT .
O REACTOR TRIP BREAKER UNDERVOLTAGE COIL SHORTED BY TECHNICIAN USING VOLTMETER INCORRECTLY ON AMMETER SCALE.
INCIDENT DETECTABLE WITH BUILT-IN TEST EQUIPMENT DURING .
PERIODIC TEST.
IE INFORMATION NOTICE SUGGESTS TEST IMMEDIATELY AFTER MAINTENANCE.
O SHORT ON UV COIL CAUSES UV DRIVER CARD OUTPUT TRANSISTOR TO FAIL SHORT.
WESTINGHOUSE EXAMINED ALTERNATIVE DESIGN SOLUTION TO ADDRESS SEQUOYAH TYPE INCIDENTS.
CURRENT LIMIT ON POWER SUPPLIES TO CARD WAS INCREASED TO BLOW OPEN RATHER THAN SHORT TRANSISTOR - UNSUITABLE RESULTS.
()
4 REDESIGN UV DRIVER CARD TO LIMIT CURRENT TO SAFE VALVE FOR OUTPUT TRANSISTOR - EXTRA COMPLEXITY CAUSES INCREASED SPURIOUS TRIPS.
USE UV DRIVER CARDS TO DRIVE SHUNT TRIP COILS TO PROVIDE DIVERSITY - RESULTS IN MAJOR CHANGES IN PROTECTION SYSTEM.
INTERPOSING RELAY BETWEEN UV DRIVER CARD AND UNDERVOLTAGE COIL - INCREASES POTENTIAL FOR SPURIOUS TRIPS AND DOESN'T
! ADDRESS MAINTENANCE ERRORS IN PROTECTION CABINETS.
ADD FUSIBLE LINK IN SERIES WITH UV DRIVER CARD OUTPUT TRANSIS-TOR - WON'T SAVE TRANSISTOR BUT WILL DISCONNECT UV COIL FROM CARD FOR SEQUOYAH TYPE INCIDENT.
O WESTINGHOUSE TECHNICAL BULLETIN AND LETTER TO UTILITIES ARE DRAFTED
4 e
4 O
..~. .~___..-._,,-__m_.. . . - _ . . ,, ,~, _,__..m~-r,___..m._,_ . , - . _ _ _ _ _ _ _ . . . _ _ , _ _ _ _ , . ~ . , _ . - - , _ . , - , _ , . - - -
O 9" l C10 -
48V
^
o -
e' l >7.5 K o i , o o
, enworR ,
R13 < . .
, 3.l D l l* 4 LCR9 ggw fut 10 L A LINK r
=
I i *
/
R7 G3 .
UNIVERSAL 2
'J 3.57 Kld \
80ARD (
INPUTS INPUT ll "
i J Mana s i.
McAcreA Tg:P g)e-as i _
= - - - , ,
.= :: g,;. : I l sey CR12*
i s.s v J L W "*
i
- OB """" I ] [
ON " Y,g [
7 , , , , , ,
R14 <
d bbYPAss G
l W.1.; ;e 88 KI m< $
. ." m c ',, ' ---J 8
i " crit "J L EY _
m
+ay 3 [CRM o
R11 l m.: K >
$ ( MT1 c Nor T. ] {CR35EV UV OUTPUT CIRCUIT (vsaDJ '
my .
+aV d 6 R12 < l m.1 Kl> CR37 sMT2 c ", ,
j -
I I
XcR= Ev Y
I
REACTOR PROTECTION SYSTEM - TUP ANALYSTS B. BACKGROUND O INDUSTRY AND REGULATORY CONCERNS REDARDING THE BASIS A2 VALIDITY OF CURREE TECHNICAL SPECIFICATIONS - SPECIFICALLY SURVEILLANCE REQUIREME ES AND LIMITING CONDITIONS FOR OPERATION O 1HESE REQUIREMENTS CAN COMPLICATE PLANT OPERATION AND MAY RESULT IN UNNECESSARY TRANSIEES AND SHUTDOWNS 0 OVERLY STRINGEE SURVEILLANCE REQUIREMENTS ON THE RPS HAVE RESULTED IN INADVERTENT TRIPS CAUSING NEEDLESS CHALLENGES 10 THE SAFETY SYSTEMS P
O 10P: TECHNICAL SPECIFICATION OPTIMIZATION PROGRAM IS DESIGNED TO ADDRESS THESE CONCERNS ON A QUAEITATIVE BASIS e
O 4
2 . . _
O -
- arACTOR PROTECTION SYSTEM - 1DP ANALYSIS C. 10P PROGRAM O FIRST DETAILD QUAEITATIVE Su2Y OF THE RPS O INITIATED IN SEPTDSER 1982 0 STUDY OF RPS UNAVAILABILITY FOR ALTERNATE COMPONE E/ SYSTEM SURVEILLANCE IEERVALS, TEST AG MAIEENANCE TIMES, AND IQUIPMER BYPASS 0 ETHODOLOGY
- 1. FAULT TREE ANALYSIS - EVALUATE RPS UNAVAILABILITY
, ii. RISK ANALYSIS - EVALUATE IMPACT OF RPS UNAVAILABILITY ON CORE MELT FREQUENCY (CMF) AND MAN-RDt EXPOSURE - BASE ON INDIAN POI E PSS 0 REVIEWED BY BROOKHAVEN - GENERAL CONCLUSION WAS THAT RESULTS ARE CONSERVATIVE O
O . .
REACTOR PROTECTION SYSTEM - TOP AMAf YSTS .
D. TYPICAL RPS UNAVAILABILITY 0 UNAVAILABILITY WITH CCF = 1.5E-05 0 UNAVAILABILITY WITHOUT CCF 1.4E-06 0 CCF ACCOURTS FOR 9010F UNAVAILABILITY 0 CCF CONTRIBUTORS
- 1. TRIP BREAKERS AND LOGIC CABINETS - LARGE COWTRIBUTION
- 11. BISTABLE CHANNELS - SMAll CONTRIBUTION 0 DOMINANT CUTSETS
- 1. TRIP BREAKERS AND LOGIC CABINETS CCF - LARGE EFFECT
- 11. TRIP BREAKER AND LOGIC CABINET RANDOM FAILURE, TEST, AND MAINTENANCE - SMALL DTECT 111. BISTABLE CHANNELS - NEX;LIGIBLE EFFECT
(
O m,_,w.,9-.,.m.,-y.p---g--,, #m-t.y--- + - -g,-m g-y--- - ,.--w p,g w-_y --+--- ,__---.. --.- -_,m. .g,.m-,,-,_,-+---nm.y w.y.-.%.--
REACTOR PROTECTION SYSTEM - TOP AMAf YSTS O '
E. RPS UNAVAILABILITT IEREASE FOR RELAXED PARAMETERS WAS LESS THAN A FACTOR 0F 5 AS COMPARED TO THE BASE CASE F. CASES CONSIDERED .
BASE CASE CASE 1 CASE 2 TRIP BREAKERS TEST INTERVAL (M0EHS) 2 6 2 TEST TIME (HOURS) 2 4 2 MAI EENANCE TIME (HOURS) 6 12 6 LOGIC CABINETS TEST INTERVAL (M0EHS) 2 6 2 TEST TIME (HOURS) 2 4 2 MAINTENAEE TIME (HOURS) 6 12 6 BISTABLE CHANNELS TEST INTERVAL (MOEH) 1 3 3 TEST TIME (HOURS) 2 4 4 MAIEENAEE TIME (HOURS) 1 12 12 NOTE: MAIEENAEE IEERVAL IS 1 YEAR FVR ALL COMPONEWS
O -
. . REACTOR PROTECTION SYSTEM - 1DP ANALYSTS G. NET RESULTS O OVERALL CORE MELT FREQUENCY REDUCTION OR SMALL INCREASE O OVERALL MAN REM EXPOSURE REDUCTION OR SMALL INCREASE O FINANCIAL SAVINGS - REDUCED LABOR AND INADVERTENT TRIPS O
o O
REACTOR PROTECTION SYSTEM - TOP ANALYSIS f
G. NET RESULTS (C0ffr'D) s i
l BASE CASE CASE 1 CASE 2 ,
TRIP UNAVAILABILITY 1.44E-05 5.87E-05 1.48E-05 AW S CMF 1.59E-06 6.49E-06 1.64E-06 INADVERTENT TRIPS 1.70 1.10 1.20 CHANGE IN CMF - 4.8E-06 -2.0E-08 2
MAN REM EXPOSURE AWS MAN REM 3.84E-02 1.57E-01 3 95-02 INADVERTENT TRIP MAN REM 2.24E-01 1.45E-01 1.53E-01 CHANGE IN MAN REM - 4.0E-02 -6.52-02 4
ECONOMIC BENEFITS * ,
MAN POWER SAVINGS - $84,400 $83,200 TRIP REDUCTION SAVINGS - $78,100 $64,700 TOTAL SAVINGS - $162,500 $147,900
- BISTABLE CHANNELS TESTED IN BYPASS NOTE: ALL VALUES ARE PER YEAR O
. . . .~,-.m.___.,_._., , , _ . . . _..-
'AWS & RPS UNAVATr ABTt TTY DTECTS ON CMF
/
.c A. ANS DTECTS ON CMF 0; BASED ON INDIAN POIE PSS/WP SWDY ,
r ;'
0' A W S CMF 1.6E-06
, O TOTAL CMF 7 9E-05 4
0' AW S PERCENTAGE 2.0%
f i
B. RPS UNAVAILABILITY EFFECT ON CMF 0 BASED ON INDIAN POINT PSS/10P STUDY l 105 INCREASE BASE CASE FACTOR OF 10 IN UNAVAILABILITY
TRIP UNAVAILABILITY 1.44E-05 1.44E-04 1.53E-05 AWS CMF 1.59E-06 1.59E-05 1.75E-06
~
TOTAL CMF 7.90E-05 9.33E-05 7.92E-05 PERCEE CHANGE - 18.05 0.25 s
's ?
I O ,
2 i
i
~
l l
O - - C0tNON CAUSE FAILURE -
A. FAILURE OF MULTIPLE COMPONENTS OR SYSTEMS DUE TO A SINGLE SECONDARY EVENT !
B. ECHANISMS O DESIGN DEFEATS 0 FABRICATION, MANUFACTURING, QUALITY CONTROL VARIATION O TEST, MAINTENANCE, REPAIR ERRORS O HUMAN ERRORS O ENVIRONMENTAL VARIATIONS C. TOPS RPS SRIDY 0 CCF ACCOUNTS FOR 90% OF UNAVAILABILITY O TRIP BREAKERS - BETA FACTOR TECHNIQUE (B=0.2)
O ANALOG CHANNE.S - DETAILED TECHNIQUE BASED ON NUREG/CR-2771, C. L.
AIWOOD 0 LOGIC CABINETS - ADEQUATELY ACCOUNTED FOR WITH TRIP BREAKER DUE TO:
- 1. CONSERVATIVE BETA FACTOR VALUE APPLIED ii. LARGE CONTRIBUTION OF CCF 70 UNAVAILABILITY O ,
. _ _ --4_--4-- a___w w -- -.6-- -- e _an . - _A s s_ m__-_.,_.e-2%_
h
- meum COMMON CAUSE FAILURE UV DRIVER CARDS 0 LOCATED IN SEPARATE CABINETS ,
O PROCEDURES PROHIBIT SIMULTANEOUS MAINTENANCE ON LOGIC CABINETS O TESTING WILL IDENTIFY CCF WITHIN 720 HOURS (STAGGERED TESTING) l O
se l
l O
9 l
)
O IMPACT AR'JfMING FTM n EYPERTENCE AS RANDOM FAILURES O TOPS RPS ANALYSIS BASED ON TYPICAL RPS TRIP SIGNAL UNAVAILABILITY CUTSETS CONTAINING Q3 TRANSIS10RS O RESULTS ASSUMING RANDOM FAILURE 1923 IEE
' 'st-o7 6 a68-<rr O*'uas""o8^8"'oruvc^"o UNAVAILABILITY OF UV CARD 1.40E-04 4.65E-04 UNAVAILABILITY OF TRIP SIGNAL 1.51E-04 1.52E-04 CHANGE IN CORE MELT FREQUENCY - 0.0155 l
1 l
l l
- l l
. I O
l
f-1 IMPACT ASSUMING FIET h EYPERIENCE AS MAINTENANCE RM ATED .
A. TOPS ANALYSIS O UNAVAILABILM BASED ON IEERVAL AND TIME FOR MAIEENANCE i INTERVAL = 1 YEAR ii TIME = 6 HOURS 0 HUMAN ERRORS DURING MAINTENANCE ASSUMED NEGLIGIBLE O UNAVAILABIL M PER TRAIN = 6.85E-04 B. ESTIMATE OF INCREASED UNAVAILABILM TO ACCOUNI FOR HUMAN ERRORS DURING MAINTENANCE O BASED ON 1 EVENT - SEQUOYAH INCIDEE O FAULT TREE ANALYSIS O ASSUMPTIONS / PARAMETERS i 88.4 YEARS OF EXPERIENCE ON RPS ii WO UV DRIVER CARDS PER PLANT iii PROCEDURES REQUIRE TESTING FOLLOWING MAI E ENANCE iv WO MONTH TEST INTERVAL 0 RESULTS i UNAVAILABILM PER TRAIN = 6.90E-04 (ACCOUNTS FOR NORMAL MAINTENANCE ROUTINE AND ERRORS) 11 INCREASED UNAVAILABILITY - LESS THAN SE-06 I.E. NEGLIGIBLE iii THE ASSUMPTION OF COMMON CAUSE COUPLING OF 1.0 FOR MAINTENANCE ERRORS BENEEN TRAINS HAS NO EFFECT ON TOPS CONCLUSIONS O
s
,,,,w ,w-,,.- e , - ,---,, -- ~ , ,-e7 m - -----
m- - ---g-- r-
. . I e
f Wu4W4. lag;giV ..............................
OJE TO . Wit'luccJtr *taet,tf at. .
[%g ,Uu; S,IC,Dui,[0 g, ,gg *..F.E.D.C..A
. .,009..R.C.W.02
. . .. . .00 00 00.*.
\ 10eeFs04 15 JUL*05 9t4457
/\0006 f%
I WOm s Ate 0e w Miu'Em44*[ misfC4Asct ROJflut ROUilWE. FAILED
, SCCfl0E OF IRA 14 0002 0003 ,-
~
u-Oset0Ut 0 0500t-04 I
UNAWAILAtiLiff PR0040lLiff SF Out to FAILURE WAdtng FAILEO TRAls
/\ c004
.0,
[h PFf 4 4300t-03 r
- l FAILURE OtttCit0 FAILURE 501 Otittfl0 ,
0004 0007 l !
P90049;Llff O' e UuAta.Latistff PeasAtlLiff or uun#A. 40..ft er WC4A'04 70 C049C*f 0*C4A'04 mot TRAlu Otttt'14: FAiLURC OCftefle:
FAiLURt FAiLURC 0000 0000 0040 0018 P90' UC' PeueC UNf 0 0000t-On 1 4400t-04 2 0000t 03 1 4P00F-On
CONCLUSIONS 0 WEST'INGHOUSE AND WOG HAVE INVESTED CONSIDERABLE EFFORTS IN ADDRESSING PROTECTION SYSTEM RELIABILITY.
4 0 PROTECTION SYSTEMS RELIABLY PERFORM ACCORDING TO SPECIFICATION WHEN PROPERLY MAINTAINED AND TESTED.
O MODIFICATIONS TO REACTOR PROTECTION SYSTEM SHOULD BE CLOSELY EVALUATED FROM A NET SAFETY AND COST BENEFIT BASIS. THERE ARE NO INDICATIONS THAT A DIVERSE ACTUATION OF A REACTOR SCRAM IS WARRANTED
[ ')
EITHER FROM A RELIABILITY OR TRANSIENT PERFORMANCE (ATWS) BASIS.
il O
.