ML20136E414
| ML20136E414 | |
| Person / Time | |
|---|---|
| Issue date: | 12/26/1985 |
| From: | Dircks W NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO) |
| To: | Asselstine, Palladino, Roberts NRC COMMISSION (OCM), Office of Nuclear Reactor Regulation |
| References | |
| REF-GTECI-A-45, REF-GTECI-DC, TASK-A-45, TASK-OR NUDOCS 8601060560 | |
| Download: ML20136E414 (1) | |
Text
, - - _ _ - - - - - - - - - - - - - - - - - - _ - _ -
/ DEC 2 6 1985 MEMORANDUM FOR: Chairman Palladino Comissioner Roberts Comissioner Asselstine Comissioner Bernthal Comissioner Zech FROM: William J. Dircks Executive Director for Operations
SUBJECT:
AE0D CASE STUDY REPORT ON DECAY HEAT REMOVAL PROBLEMS AT U.S. PRESSURIZED WATER REACTORS Enclosed for your information is a copy of an AE00 case study report on decay heat removal problems at U.S. pressurized water reactors. This report docu-ments AE00's efforts, findings, and conclusions on the subject, and reflects the results of the peer review process. Recomendations from AE0D concerning this study have been forwarded to NRR for appropriate action.
I would be pleased to provide any clarification or further information that you may desire.
Crisinal signed by Jictor St.ello ,.,
William J. Dircks Executive Director for Operations
Enclosure:
As stated cc w/ enclosure:
SECY OGC OPE ACRS Distribution (w/o encl.)
' PDR FHebdon, AE0D PNorry, ADM ROAB SF
-) AE00 CF KSeyfrit, AE0D LBarry, RM H0rnstein, AE0D AE0D SF JRoe, A0/ED0 HDenton, NRR WLanning, AE00 CHeltemes, AE0D TRehm, A0/EDO GCunningham, ELD WDircks w/ encl.
TIppolito. AE0D VStello, DEDROGR ROAB CF EDO RF ROA M SC:
H0rnstein:jz B C:ROAB DD. D P ED0r i WL g KSeyfrit Tippol to C emes WDi' cks
///Ao/85 g 85 ///w/85 p./10/85 p, /85 p fh6/85
'I 9}0;o
$ trl iff g
,,c 4 95
{'$dhdkEP""
~. .. .. . .-
. . e i
AEOD/C503 CASE STUDY REPORT
- DECAY HEAT REMOVAL PROBLEMS AT U.S. PRESSURIZED WATER REACTORS December 1985 Prepared by: Dr. Harold Ornstein Office for Analysis and Evaluation of Operational Data U.S. Nuclear Regulatory Comission
- This report documents results of a study completed to date by the Office for Analysis and Evaluation of Operational Data with regard to a particular operational situation. The findings and recomendations do not necessarily represent the position or requirements of the responsible program office or the Nuclear Regulatory Comission.
4 -
3o (,07 h
N
. . s1 ,
~
TABLE OF CONTENTS :; <- .
Page EXECUTIVE
SUMMARY
. . . . . . . . . . . . . . . . . . . . . . . . . . . . I
1.0 INTRODUCTION
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.0 DECAY HEAT REMOVAL SYSTEM ....................... 5
.2.1 Functional Description and System Design . .. . . . . . . . . . 5 2.2 Consequences of the Loss of the Decay Heat Removal Function . . 12 2.3 Actions to Recover the Decay Heat Removal Function . . . . . . . 15 3.0 OPERATIONAL EXPERI ENCE . . . . . . . . . . . . . . '. . . . . . . . . '. 17 ,
3.1 Losses of Decay Heat Removal Systems . . . . . . . . . . . . . . 17 4.0 ANALYSISAk0EVALUATIONOFTHEUNDERLYINGORROOTCAUSESOFREPORTED DECAY ltEAT REMOVAL SYSTEM LOSSES . . . . . . . . . . . . . . . . . . 25 4.1 Human Factors . . . . . . . . . . . . . . . . . . . . . . . . . 25 4.2 Equipment Failures . . . . . . . . . . . . . . . .'; . . . . . 30 4.3 Technical Specification Deficiencies . . . . . . . . . . . . . . 31 -
5.0 FINDINGS AND CONCLUSIONS . . . . . . . . . . . . . . . . . . . . . . 34 5.1 Human Factors Considerations . . . . . . . . . . . . . . . . . . 35 s
5.2 ' Design Considerations - Flow Path from the Reactor Coolant System to the Decay Heat Removal System . . . . . . . . . . . . 36 5.3 Technical Specification Deficiencies . . . . . . . . . . . . . . - 38 s 6.0 PECOMMENDATIONS . . ........................40
7.0 REFERENCES
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 s APPENDICES ...............................46 Appendix A - Loss of Decay Heat Removal Systems at U.S.
Pressurized Water Reactors During 1982 and 1983 . . . . 46 Appendix B - Selected Loss of Decay Heat Removal System Events at U.S. Pressurized Water Reactors During 1984 . . . . . . 51 Appendix C - Decay Heat Removal System Losses at Davis-Besse . . . . 53
)
m h
LIST OF FIGURES 9
Pace Figure 1. Schem'atic Diagram of DHR Systems at U.S. PWRs . . . . 7 Figure 2. Schematic Diagram of Double Drop Line, Double Suction Line DHR System Configuration . . . . . . . . . . . . 10 Figure 3. Schematic Diagram of the Davis-Besse Plant's DHR Suction Bypass Line Configuration . . . . . . . . . . 11 Figure 4. DHR Recovt.ry Time Margin . . . . . . . . . . . . . . . 14 4
5 s
seen k
~
LIST OF TABLES Page Table 1. Plant Operational Modes . . . . . . . . . . . . . . . 6 Table 2. Some Backup Methods for Decay Heat Removal Upon Loss of the DHR System . . . . . . . . . . . . . . . . . . 16 Table 3. Frequency of DHR Losses . . . . . . . . . . . . . . . 18 Table 4. Duration of Reported DHR Loss Events ........ 20 Table 5. Categories cf 130 Reported Total DHR System Failures When Required to Operate (Loss of Function) at U.S.
PWPs 1976-1983 ................... 23 Table 6. Underlying or Root Causes of Reported DHR System Failures ...................... 26 e
a .
e EXECUTIVE
SUMMARY
The report analyzes U.S. pressurized water reactor (PWR) experience involving loss of operating decay heat removal (DHR) systems. Between 1976 and 1983, 130 loss-of-DHR events were reported to have occurred during approximately 500 reactor years of operation. The DHR systems are not safety grade systems on most operating plants. Only those plants that have the DHR systems designed and constructed to NRC's Branch Technical Position RSB 5-1 have truly safety grade systems. Total loss of the DHR systems under certain conditions could lead to core uncovery, and resultant fuel damage. The results of scoping analyses of total loss-of-DHR scenarios presented in this study indicate that for certain postulated events, unless timely corrective actions are taken, core uncovery could result on the order of one to three hours. To date, no serious damage has resulted from the loss-of-DHR system events that have occurred at U.S. PWRs. However, many of the events which have occurred thus far may serve as important precursors to more serious events.
Analysis of operating data indicates that the underlying or root causes of most of the loss-of-DHR system events are human factors deficiencies involving procedural inadequacies and personnel error. Most of the errors were committed during maintenance, testing and repair operations.
The leading category of loss-of-DHR ' events (37 of 130) was the inadvertent automatic closure of the suction / isolation valves, most of which resulted from human errors.
This uport presents summaries of loss-of-DHR events which occurred during the years 1982 and 1983, and the most significant loss-of-DHR events in 1984. Since the 1984 data base was not complete at the time of this analysis, the available 1984 data was used to confirm the observed trends in frequency and severity of loss-of-DHR events for prior years. Reference is made te an industry report, Nuclear Safety Analysis Center report NSAC-52, for sumeies of loss-of-DHR events which occurred during the years 1976 through 1981. Reference is also made to the findings of a recent probabilistic risk assessment that was done by the Nuclear Safety Analysis Center to quantify the risks associated with DHR (NSAC-84).
The analysis of recent operating data indicates that the situation involving loss-of-DHR systems is not improving. In terms of the frequency or duration of loss, no clear trend towards improvement is evident. However, it may be too early to see the results of the implementation of the recommendations contained in NSAC-52 or industry actions.
This report makes several recommendations based upon the potential safety significance of loss-of-DHR events. Implementation of those recommendations should significantly improve DHR system reliability and availability. The recommendations include: improving human factors by upgrading coordination, planning, and administrative control of surveillance, maintenance, and testing operations which are performed during shutdown; providing operator aids to assist in determining time available for DHR recovery and to assist operators in trendino parameters during loss-of-DHR events: upgrading the
training and qualification requirements for operations and maintenance staff; requiring the use of reliable, well-analyzed methods for measuring reactor vessel level during shutdown modes; modifying plant design to remove autoclosure interlocks and/or power to the DHR suction / isolation valves during periods which do not require valve motion; and clarifying plant technical specifications to eliminate ambig'ulties associated with operating mode definitions.
The report acknowledges NRC's ongoing efforts to address shutdown decay heat removal requirements (Unresolved Safety Issue A-45). The AEOD recommenda-tions are applicable to A-45, and should be considered in the resolution of this generic issue.
1.0 INTRODUCTION
The purpose of this study is to evaluate operational experience and to analyze the safety implications associated with total loss of decay heat removal (DHR) systems, [also referred to as the residual flat removal (RHR) systems, and shutdown cooling (SDC) systems], at U.S. pr*Parized water reactors (PWRs).*
The safety function of the DHR system is to transfer fission product decay heat from the reactor core at a rate which will assure that the fuel design limits and the reactor coolant pressure boundary design limits are not exceeded. An extended loss of the DHR function could lead to core uncovery, and associated fuel damage. (As noted in section 2.1, in addition to the DHR system there are systems which can be used to remove decay heat--e.g.
steam generators and the auxiliary feedwater system.)
We note that NRC's General Design Criterion (GDC) 34 requires the DHR safety function to be accomplished assuming a single failure. However, we also note that there have been numerous single failures which have caused losses of this system. During the years 1976 through 1983, the licensees have reported about 130 loss-of-DHR events. Most of those events were of a short duration; however, several have extended beyond an hour with some lasting more than two hours.
To date, no serious damage has resulted from the total loss-of-DHR systems at U.S. PWRs, and there has not been any danger to the public. Nonetheless, the large number of loss-of-DHR events which have occurred thus far (occurrence frequency of 0.25/ reactor year), may serve as important precursors which warrant corrective actions before a far more serious event occurs.
Numerous studies have been performed and numerous reports have been written on DHR systems. The most significant ones are:
o In 1975, WASH 1400 (Ref. 1) noted that the loss of the DHR function In this report, a total loss of a DHR system is defined as failure of both DHR (RHR, or SDC) trains to perform their function when required.
Such losses include momentary as well as long duration events.
Momentary events represent challenges to plant safety from which timely recovery has taken place. We view the many short and long duration loss-of-DHR events which have occurred thus far without any serious consequences as precursors. Analysis and evaluation of those events are necessary because timely recovery from similarly initiated events cannot always be assured. Inoperability of both DHR (RHR, or SDC) trains during times that they are not required to perform their function are not included as total losses. Similarly, DHR (RHR or SDC) systems which are administratively declared inoperable, but could still perform their function (e.g. , inoperability due to missed surveillance or faulty snubbers), are not included as total losses.
4_
subsequent to a transient can be a potentially significant contributor to the total risk associated with nuclear power plants.
o In 1980, the NRC declared " Shutdown Decay Heat Removal Requirements" an Unresolved Safety Issue (USI). Subsequently, the Office of Nuclear Reactor Regulation (NRR) has implemented task action plan A-45 to resolve this issue. The overall purpose of A-45 is to evaluate the adequacy of current licensing design requirements in order to ensure that nuclear power plants do not pose an unacceptable risk due to failure to remove shutdown decay heat.
o In 1982, Oak Ridge National Laboratory (ORNL) evaluated events involving DHR systems in U.S. PWRs-and U.S. boiling water reactors (BWRs) for the period June 1979 to June 1981 (Ref. 2).
ORNL found 38 loss-of-DHR system events which met their criteria for safety significance (which is equivalent to our definition of a total loss of a DHR system).
o In 1983, the Nuclear Safety Analysis Center (NSAC) published a report (NSAC-52, Ref. 3) which reviewed DHR losses at U.S. PWRs during the years 1976 through 1981. It made numerous recommendations which, if implemented, could have improved DHR system reliability and overall safety.
Interest in this case study was first initiated because of the large number of loss-of-CHR events which occurred at the Davis-Besse plant (see Appendix C). Subsequent analysis of the data, and additional licensee event reports (LERs) detailing DHR losses at other PWRs showed that the problems at the Davis-Besse plant were not unique to Davis-Besse or other Babcock and Wilcox (B&W) plants. As a result, the scope of the study also includes events which occurred at PWRs having reactors designed by Combustion Engineering (CE) and Westinghouse (W).
This report highlights some facets of DHR losses and DHR operations which are not addressed in previous reports, and it presents six recommendations which, if implemented, have the potential for significantly improving reactor safety.
l 2.0 DECAY HEAT REMOVAL SYSTEM l 2.1 Functional Description and System Design The DHR system is designed to remove fission product decay heat from the i reactor core. The safety function of the DHR system is to remove heat from the primary system at a rate that will enable operators to bring the plant from hot shutdown conditions to cold shutdown or refueling conditions (see Table 1), and to maintain the plant in such shutdown conditions for extended periods of time. For the transition phase associated with cooling the plant from operating pressures and temperatures after a reactor trip, for example, to hot shutdown, the steam generators and the auxiliary feedwater system are used to remove heat from the primary system. Upon reaching the reduced pressures and temperatures associated with the hot shutdown condition, the DHR system is activated.
During accident conditions, most DHR systems can be aligned to perform emergency core cooling functions [ low pressure coolant injection (LPCI),
recirculation, and in some designs containment spray]. In W and B&W plants,
- i
~ the DHR system can also act as a booster system to provide the net positive suction head (NPSH) required by the safety injection (SI) or high pressure injection (HPI) pumps for operation in the recirculation mode (" piggyback" operation). In B&W plants, the DHR system also provides auxiliary spray to the pressurizer to assist in depressurization after the reactor coolant pumps are secured.
The DHR system is typically composed of two redundant 100% capacity trains.
It is usually located outside containment. A schematic diagram of a repre-sentative DHR system appears in Figure 1. Most DHR systems have a single suction or " drop" line which is tapped off one of the reactor coolant system (RCS) hot legs. Because of the single suction or " drop" line design, most DHR systems are susceptible to loss of the ability to perform the decay heat removal function due to a single failure of a suction line valve. It should be noted that for most DHR systems, much of the systems piping and compo-nents are fully safety grade because they are used for the LPCI function.
In fact for most DHR systems, single failure vulnerability exists in the single suction or " drop" line which is not used with the LPCI function.
From the DHR pump discharge, the primary coolant flows through a heat ex-changer where heat is transferred to the component cooling water system.
After the primary coolant leaves the DHR heat exchangers, it returns to the reactor vessel. There are not many significant differences among DHR systems at U.S. PWRs. One significant difference is the location at which the DHR flow returns to the RCS. In B&W plants, the Di.R flow returns to the reactor vessel through piping which is shared with the core flood tanks' discharge. In other PWR designs the DHR flow returns to the reactor vessel through the cold legs. Other differences are: number of DHR system trains (2 vs. 3 trains), number of " drop" lines (newer plants having 2 vs. 1), W plants having letdown coming off the DHR system, and CE system 80 plants having single failure proof suction / isolation valve closure logic.
Most DHR systems operate at temperatures of 350*F or less, and at pressures less than 600 psig. Because the DHR system has a low pressure design and is located outside containment, significant efforts (administrative controls, system interlocks, etc.) are made to ensure isolation of the system when the l
Table 1 Plant Operational Modes
- Average Reactivity % of Rated Coolant Operational Mode Condition, K,ff Thermal Power ** Temperature
- 1. POWER OPERATION > 0.99 > 5%
> (TDHR) F
- 2. STARTUP > 0.99 1 5% > (TDHR) I
- 3. HOT STANDBY < 0.99 0
> (TDHR) F
- 4. HOT SHUTDOWN < 0.99 0 (TDHR) F> T,yg> 200*F
- 5. COLD SHUTDOWN < 0.99 0 1 200*F
- 6. REFUELING *** 1 0.95 0 1 140*F TDHR= temperature at which the DHR system is initiated (generally 280 F - 350*F)
As defined in B&W, CE, and W standard technical specifications (e.g.,
Ref. 4). Note - many plants do not use standard technical speci-fications.
- Excluding decay heat.
Fuel in the reactor vessel with the vessel head closure bolts less than fully tensioned or with the head removed.
FIGURE 1 -
SCHEMATIC DIAGRAM OF DHR SYSTEMS AT US PWRS N
N
\
\
TO REACTOR VESSEL la 88W PLANTS - VIA CORE lr, FLOOD TANK DISCHARGE I II LINES JL CE and W PLANTS VIA COLD LEGS :
SUCTION - le ISOLATION "
VALVES l 8 SINGLE B
" DROP" CO M PONENT j ,
LINE FROM COOLING" A RCS HOT WATER LEG Jg m . 2 a DHR '
HEAT -
PUMP l JL EXCHANGER FROM REACTOR l BLDG SUMP FOR RECIRCULAT'ON l
g
% I J
Q L
MODE OF LPCI l
_lS '
, 02 O H" ggAT n
g ExCHANoER l a BORATED WATER FOR II l INJECTION OF LPCI B&W PLANTS - FROM BWST " COMPONENT CEhW PLANTS - FROM RWST COOUNG"
--N CONTAINMENT WATER
RCS pressure exceeds the DHR system design pressure. Overpressurization and the potential rupture of the low pressure system is commonly referred to as an " interfacing LOCA - Event V." WASH-1400 (Ref. 1) showed that for the PWR studied (Surry, a W plant), Event V could represent a high risk core damage accident sequence.
DHR system requirements contained in the general design criteria (GDC) have changed over the years. The 1967 GDC did not address single failure aspects of the DHR system. The 1971 GDC, criterion number 34, requires the DHR system to meet the single failure criterion. Newer plants which are designed to the 1971 GDC do not fully meet GDC 34's single failure criterion.
Although some of the newer plants do have double drop lines and redundant valves,.the control circuitry in most of those plants is such that a single failure can cause a loss of the DHR system. Recognizing this, NRC has declared " Shutdown Decay Heat Removal Requirements" an Unresolved Safety Issue (A-45). To resolve A-45, NRR is evaluating the adequacy of current licensing design requirements in order to ensure that plants du not pose an unacceptable risk due to failure to remove shutdown decay heat. The specific objectives of the task include:
o Assess the safety adequacy of DHR systems in existing power plants for achieving both hot shutdown and cold shutdown conditions.
o Evaluate the feasibility of alternative measures for improving DHR system reliability, including diverse alternatives dedicated to the DHR function.
o Assess the value and impact (or cost-benefit) of the most promising alternative measures.
o Develop a plan for implementing any proposed new licensing requirements for DHR systems.
Many plants are designed such that single failures in the DHR suction /
isolation valve interlocks, and single instrument bus failures or single valve failures can result in the loss of the decay heat removal function of the DHR systems. (The LPCI function of the DHR system is not vulnerable to such a single failure.) The DHR suction / isolation valve interlocks are designed to prevent an interfacing LOCA (Event V) at the expense of interrupting DHR system operation. The functions of the interlocks are to:
o Prevent opening of the suction / isolation valves when the reactor coolant system (RCS) pressure exceeds the DHR system pressure.
o Assure that the suction / isolation valves are closed for plant startup and repressurization.
In essence, the suction / isolation valve logic is single failure proof with regard to closing the valves (to prevent an interfacing LOCA), but it ne-cessitates an interruption of the DHR system function. Justification for this prioritization (interfacing LOCA first, and decay heat removal second) is based upon the design decision that there is less recovery time, and greater risk, associated with the interfacing LOCA than with a loss of DHR.
- i 1
In an effort to reduce the single failure vulnerability of the DHR system, some.recent designs have two " drop lines" from the RCS, and two suction lines, each having motor-operated isolation valves in series (Fig. 2).
However, from the standpoint of the interfacing LOCA, the double drop line, double suction line configuration presents an additional failure path and, therefore, results in a higher risk than the single suction line configuration.
Most of the plants
- which have two drop lines and two suction lines have DHR suction / isolation valve closure logic which would close valves in both lines as a result of a single failure (e.g. control logic failure that closes the valves, or a single erroneous closure signal). Consequently, a single active failure could cause the loss of the decay heat removal function of the DHR system for such plants. For example, as noted in Reference 5, the Catawba plants, which have two drop lines, can lose both trains of DHR due to a single instrument bus failure. It should be noted that the control logic for most double drop line designs is fail-safe--where fail-safe implies prev.enting an interfacing LOCA, not sustaining DHR flow. As a result, the double drop line designs with the aforementioned closure logic do not represent any improvement against loss-of-DHR events associated with automatic closure of the suction / isolation valves. They do present a significant improvement against " stuck shut valve" problems.
As noted in Reference 6, Westinghouse has evaluated a recent licensee proposal to remove the autoclosure interlocks on the Kewaunee plant's DHR suction valves. The analysis concluded that for Kewaunee, such a modification would be a safety improvement. NRR has approved that modification.
In an attempt to provide redundant DHR flow paths, while minimizing the possibility of an interfacing LOCA outside containment, the Davis-Besse plant has a configuration which lies between the single and double drop line configurations. The Davis-Besse plant has one drop line with a smaller diameter bypass line as shown in Figure 3. The valves in the bypass line are manually operated (normally closed). This bypass configuration provides an additional flow path to enable DHR cooling in the event there is a problem with the suction / isolation valves; yet, it does not provide the Some plants with a double drop line/ double suction line configuration are:
Palo Verde 1, 2, 3 Vogtle 1, 2 San Onofre 2, 3 Shearon Harris 1 WPPS 3 Comanche Peak 1, 2
, Kewaunee Beaver Valley 2 l Catawba South Texas 1, 2
! Callaway Byron 1, 2 Summer Braidwood 1, 2 j Farley 1, 2 l
z i
10 -
l FIGURE 2 SCHEMATIC DIAGRAM OF DOUBLE DROP LINE, DOUBLE SUCTION LINE DHR SYSTEM CONFIGURATION N
\
\
\
l i
I
" DROP LINES ** l FROM TWO RCS l HOT LEGS
= AAlA e "
- c 9 u =
SUCTION / ISOLATION i 1 g
P 1 I EAT VALVES JL JL EXCHANGERS ha ha ha r 2 -
- ,, ,, , , i, g -
FROM RB I SUMP FOR l FROM RWST RECIRCULATION FOR INJECTION MODE OF LPCI MODE OF LPCI I
N CONTAINMENT
_ 11 _
FIGURE 3 SCHEMATIC DIAGRAM OF THE DAVIS-BESSE PLANT'S DHR SUCTION BYPASS LINE CONFIGURATION i
\ l
\
l !
BY PASS LINE WITH
, MANUALLY OPERATED VALVES (8" NOMINAL DIAMETER) l
>< >< l SINGLE DROP LINE l TO DHR FROM RCS B I ~ PUMPS LOOP HOT LEG MOTOR OPERATED SUCTION / ISOLATION VALVES (12" NOMINAL DIAMETER) l l
l l
lN CONTAINMENT
- 1r = y+-. - - _ . - - -. ---------.-.-r..-y
additional path and risk for a LOCA outside containment that is inherent in a double drop line configuration.
2.2 Consequences of the Loss of the Decay Heat Removal Function The time margin available for restoring the DHR system, or establishing alternate methods of heat removal (prior to bulk boiling, core uncovery, fuel damage, etc.) depends upon the RCS temperature, the decay heat rate (which is dependent upon time interval elapsed from reactor trip to DHR system failure and core power operating history), and the amount of RCS inventory. During some shutdown operations, the RCS may be partially drained (e.g., to perform steam generator inspections or repairs).
Decreased primary system inventory can significantly reduce the time -
available to recover the DHR function prior to bulk boiling and core uncovery.
It should also be noted that reduced primary system inventory can result in rapid heatup rates and decreased time margins available prior to primary system boiloff even though the DHR loss may happen many days after shutdown.
For example, Reference 7 indicated Sequoyah 2 had a 92*F heatup of the primary system water in 77 minutes with reduced RCS inventory, even though
-the reactor was shutdown 18 days before the DHR loss occurred.
The results of an AEOD scoping calculation showed that 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after a reactor trip, in the absence of successful operator action, a partially drained RCS at a B&W plant could boil off enough coolant to uncover the top of the core approximately one hour after losing the DHR system. The calculation was based upon the assumptions that the RCS was drained down to the top of the hot-leg nozzle, the coolant in the reactor vessel was at a bulk temperature of 140 F, and the RCS was "open" to the atmosphere.
This analysis compares favorably with cperating experience and licensees' analyses. For example, References 8, 9 and 10 reported that on August 29, 1984, 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> after a reactor trip at ANO-2 (a CE plant), the DHR system failed while the plant was in a partially drained condition. The reactor vessel water heated up from 140*F to 205*F in abo ~ut 30 to 40 minutes.* In Reference 11, D.C. Cook (a W plant) reported the results of a corresponding analysis indicated that the onset of core uncovery would take place about 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after the loss of the DHR system. Recently, a foreign PWR e oerienced a loss-of-DHR during draindown. Subsequently, the foreign country's regulatory body performed a calculation and concluded that under slightly different conditions, in the absence of successful operator action, core uncovery could begin in about 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 20 minutes, with fuel failure beginning about two and one-half hours after the loss of the DHR system.
i
- The entire event lasted 50 minutes. However, during the first 20 minutes, DHR was provided by make-up water which was gravity fed f rot the RWST, and by oscillatory DHR system flow (flow was provided by the DHR pump which was cavitating).
The time available for recovery would be much shorter if the DHR loss is initiated by a LOCA (such as two events at Sequoyah which involved inadver-tent opening of the containment spray system). A LOCA could cause a rapid vessel draindown resulting in the loss of-DHR pump suction. NSAC calcula-tions indicate that under such circumstances, core uncovery could begin in 25 minutes (Ref. 3).
- 4. Another AE00 scoping calculation was performed for a loss-of-DHR event at a C
B&W plant shortly after activating the DHR system. It was based upon a
- licensee calculation (Ref. 12) which assumed a loss of the DHR system about three hours after reactor trip with a full RCS (no draindown). The results s
indicated that in the absence of successful operator action, the RCS would heat-up to saturation conditions, and pressurize to the low temperature overpressurization (LTOP) setpoint within one-half hour.* Upon reaching the LTOP setpoint, the RCS coolant would boil off at the LTOP setpoint pressure l and escape through the PORV. The results of our calculations indicate that
, core uncovery would begin within about two and one-half hours after the loss-of-DHR occurred.
The time available for restoring the decay heat removal function prior to core uncovery can be as short as about an hour and can extend up to many 4 hours or days. The time available depends upon the plant's operating history and status at the time of the DHR system loss. Figure 4 shows a typical time margin plot (time available for recovery of the DHR function vs. time after rod insertion that the DHR function was lost).
The results of AEOD's scoping calculations indicate that if losses of the
, DHR system occur during early stages of shutdown (e.g., 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reactor trip) with the RCS partially drained, or shortly after activating the DHR system before the primary system is drained, corrective actions must be taken promptly to either restore the DHR system or to implement alternate methods for removing reactor decay heat. These calculations highlight the fact that a loss of the DHR system can lead to a safety significant event unless timely recovery actions are taken.
l Historically, the NRC and the U.S. nuclear community have considered hot
- standby to be a safe end state. As a result, until recently no probabilistic
! risk essessments of U.S. reactors have quantified the risks associated with operations in shutdown modes 4, 5, and 6.
i
- Because of recent interest in DHR, NSAC is funding probabilistic assessments i of the risks associated with modes 4, 5 and 6 at two plants (one PWR and one 8WR).
- Similarly, as noted in Reference 13, closure of the suction isolation valves at W plants have led to rapid LTOPs. They occurred because the plants were operating solid, and closure of the suction / isolation i valves isolated letdown without stopping make-up. In one case, the situation was further aggravated by the fact that the RCPs were i operating, and the LTOP relief valves were inoperable.
l i
4 i
FIGURE 4 7~
DHR RECOVERY TIME MARGIN TIME TO CORE UNCOVERY 6 - BEGINNING OF LIFE OF REACTOR FUEL 3 DAYS AT 100% POWER 5 -
5 5
5 4 -
m 2
P TIME TO START BULK BOILING
> BEGINNING OF LIFE OF REACTOR FUEL
@ 3 DAYS AT 100% POWER g3 -
8 m
2 -
TIME TO CORE UNCOVERY END OF LIFE OF REACTOR FUEL 255 DAYS AT 100% POWER TIME TO START BULK BOILING END OF LIFE OF REACTOR FUEL 1
255 DAYS AT 100% POWER 0 I l I 0 10 20 30 TIME AFTER ROD INSERTION AT WHICH DHR LOSS OCCURS (days)
STARTING CONDITIONS: RCS DRAINED TO HOT LEG CL, OPEN TO ATMOSPHERE, AVERAGE TEMPERATURE 140'F i
i
Because human factors are major contributors to DHR loss events (as dis-cussed in section 4), and because estimates of human performance have relatively large error bounds, we believe that quantification of the risk from DHR system ipsses during modes 4, 5, and 6 is s'ubject to greater error than most other reactor risks. In view of the extensive effort that is necessary to obtain a quantitative assessment of DHR risk, and because of
-the large uncertainty associated with such assessments, the undertaking of a probabilistic risk assessment on DHR systems is outside the scope of this case study.
Shortly after a draft of this case study was issued for peer review comment in July 1985, NSAC published their Probabilistic Risk Assessment of the Zion Nuclear Plants, NSAC-84 (Ref. 14). NSAC-84's evaluation of risk from DHR operation supports AEOD's position; e.g., in Reference 15, which forwarded
' EPRI's peer review comments on a draft of this case study, EPRI stated that one of the important lessons learned from the Zion DHR PRA project was that,
" Quantifying risk during shutdown is extremely difficult and that risk numbers in this regime are more uncertain than ' traditional'
, PRA results..."
Furthermore, EPRI noted that:
"An equally impori. ant lesson was that shutdown risk is highly plant specific, primarily because different plants use different procedures and system lineups during shutdown...,"
and, i
"We believe that especially for DHR, accurate bottom-line numbers based on generic PRA analysis techniques are neither achievable nor even desirable."
2.3 Actions to Recover the Decay Heat Removal Function As noted in section 2.2, the time available for recovery from a loss of the DHR system prior to uncovering the core can be as short as about an hour.
Except for LOCA initiated events (during which break isolation would have top priority), restoration of the DHR system function appears to be the preferred recovery method. In addition to restoring the DHR system, many alternate methods are available for removing decay heat when the DHR system is lost. Table 2 presents some backup methods which could be and have been used to remove decay heat upon loss of the DHR system. It should be noted that not all of the methods listed in Table 2 are available at all plants.
It is also important to note that use of miscellaneous makeup water sources (e.g., plant fire protection system) requires that precautions be taken to prevent boron dilution. Other than restoring the failed DHR system, there is no single backup method which is applicable for all loss-of-DHR events.
N
/
- , .._-.~. _ _ _ _ _ , _ . . - - - _ . . _ - - . _ , _ . _ ~ _ _ _ _. .- . _ ,
Table 2 Some Backup Methods for Decay Heat Removal Upon Loss of the DHR System
- RCS Intact-Vessel Head On RCS Incapable of Being Pressurized (RCS Capable of Being Pressurized) (e.g., Vessel Head Off or Detensioned, Manway Cover Off, LOCA Path Open and Unisolable,etc.)
Use of steam generators and RWST/BWST (gravity flooding if main condenser (requires condensate available) or auxiliary feedwater pump for secondary makeup)
Use of steam generators and HPI pumps to inject from RWST/BWST atmospheric steam dump valves (requires condensate or auxiliary feedwater pump for secondary makeup)
Normal charging and letdoyr Normal charging and letdown Spent fuel cooling system (cross-ties Spent fuel cooling system if available) (cross-ties if available)
Chemical and volume control Chemical and volume control system to inject cold water system to inject cold water from the RWST from the RWST Feed and bleed - HPI and PORV or Pool boiling with makeup pro-pressurizer safety valves ** vided from miscellaneous water sources (e.g., fire hoses)***
- Not all methods are available at all plants.
- Use of miscellaneous water sources (e.g., fire hoses would require that precautions are taken to prevent boron dilution).
_ 17
- l 3.0 OPERATIONAL EXPERIENCE 3.1 Losses of Decay Heat Removal Systems There have been many events in which both. trains of the DHR system were unable to perform their required decay heat removal functions. From 1976 through 1983, there have been reports of at least 130 events in which operating DHR systems failed.* This represents a frequency of about 0.25 per reactor year, based on about 500 years of commercial U.S. PWR operation.
There were about 90 events reported for the period 1976 - 1981, and there were about 40 more events reported which occurred during 1982 and 1983.
Ou'r analysis and evaluation of DHR system failures were based upon two groups of data: operating experience from 1976 through 1981 was obtained from LERs and Nuclear Safety Analysis Center report NSAC-52 (Ref, 3); and operating experience for the years 1982 and 1983 was obtained from LERs and NRC reports. The reader is directed to Reference 3 for sumaries of DHR system losses that occurred from 1976 to 1981. Appendix A of this report presents summaries of the DHR system losses which occurred during 1982 and 1983. Because the 1984 data base was not yet complete, the 1984 operating experience was not included in our statistical presentation of the catego-ries and causes of DHR system failures. However, the 1984 events were evaluated for significance in comparison to previous events. The most significant DHR system failures of 1984 are summarized in Appendix B.
We evaluated the loss-of-DHR operating data to determine if there were any significant trends. For the 130 reported events which occurred between 1976 and 1983, Table 3 shows that 11 plants accounted for 95 events (approxi-mately 8.6 events per plant). Essentially one-fifth (21%) of the 56 opera-ting PWRs covered by this study accounted for three quarters (73%) of the loss-of-DHR events.
Table 3 shows that the Davis-Besse plant has reported the most losses of DHR. However, Table 3 also shows that there has been a marked improvement at that plant since 1981. During 1980, the Davis-Besse plant experienced nine loss-of-DHR events, six of which involved inadvertent closure of the suction / isolation valves. The repeated DHR losses at Davis-Besse during the spring 1980 outage were reported to Congress in an Abnormal Occurrence Report (Ref. 1G). In Reference 16, the NRC stated that the licensee had a
" serious deficiency in management or procedural controls in many areas."
Subsequently, Davis-Besse management took action to improve administrative controls, operating and emergency procedures, and personnel training i associated with plant shutdowns. In addition, the plant's technical
, specifications were modified to allow removal of power from the DHR suction /
i isolation valvcw during plant shutdown (in order to preclude their inadvertent closure). It appears that since these improvements have been made, there have been no reported losses of the DHR system at the
- We have found 130 loss-of-DHR system events which were reported by licensees; however, there have been many other loss-of-DHR events which have not been reported to NRC.
Table 3 Frequency of DHR Losses 1 (1976 - 1983) 1976 1977 1978 1973 1980- 1981 1982 1983 Total ;
Davis-Besse 4 1 9 2 16 ;
Beaver Valley - 1 1 1 4 2 1 1 10 Calvert Cliffs - 2 -2 1 2 3 2 10 Salem - 2 2 8 10 Crystal River 3 2 2 2 9 Calvert Cliffs - 1 2 5 1 1 9 Trojan 1 5 1 7 North Anna - 1 1 2 2 2 7 North Anna - 2 4 3 7 Salem - 1 1 3 1 5 Farley - 1 2 2 1 5 McGuire - 1 2 1 3 Millstone - 2 1 1 1 3 ANO - 2 2 2 Ginna 2 2 Maine Yankee 2 2 Palisades 1 1 2 Rancho Seco 1 1 2 St. Lucie - 1 1 1 2 Sequoyah - 1 1 1 2 Turkey Point - 3 2 2 Turkey Point - 4 2 2 or a n 1 1 San Onofre - 1 1 1 Oconee - 1 1 1 Oconee - 2 1 1 Zion - 1 1 1 Surry - 1 1 1 Sequoyah - 2 1 1 Farley - 2 1 1
- McGuire - 2 1 1 Sumer - 1 1 1 130 Annual Freouency of DHR Losses- .06 .1 .5 .3 . 6 .5 .35 .5
(# of events)
(# of Operating PWRs)
--,.e. w- - - - - - , - --- .'-i--
Davis-Besse plant. (See Appendix C for additional details on DHR losses at Davis-Besse.)
Davis-Besse's loss-of-DHR events were the stimulus for IE Bulletin 80-12 (Ref. 17). That bulletin required 1:censees of PWR facilities to review their plants' capabilii.y to prevent DHR loss events; to review plant hard-ware and analyze procedures for adequacy of safeguarding against loss of redundancy and diversity of DHR capability. The operating data does not indicate that there has been an industry-wide improvement in loss of-DHR experience as a result of actions that were taken in response to IE Bulletin 80-12. Reference 18 summarizes actions taken by utilities in response to the IE bulletin. Our review of the plant responses does not indicate that there is a statistically significant correlation between compliance with the IE bulletin, and DHR system losses. (For example, some plants which have complied with the bulletin continue to have DHR loss events; whereas some plants that have not yet completed actions associated with the bulletin have not experienced any DHR system losses.)
From Table 3, we also note that Salem 2 has experienced an unusually high number of DHR losses in a single year. It had eight losses in 1983 (six during one outage and two during another outage). Four of those events involved inadvertent closure of the suction / isolation valves, three events involved DHR pump trip due to problems with the " safeguards equipment control" (SEC) system, and one event resulted from flooding of the service water bay (see Appendix A for details of those events). Subsequently, in 1984, Salem 2 had another loss-of-DHR event which involved inadvertent closure of a suction / isolation valve resulting from a procedural error during testing of the " pressurizer overpressure protection" (P0P) system.'
Table 3 indicates that until 1981, the Crystal River plant had nine loss-of-DHR events. There were between one and three losses every year for four years. Since 1981, there have not been any. The DHR losses at this plant seem to have stopped at about the same time that the plant implemented actions to improve their planning, coordination and management of outage and maintenance activities.
One measure of significance of loss-of-DHR events is the time interval that the DHR function was lost. Table 4 presents a summary of the duration of the loss of-DHR events which occurred during 1982 and 1983. It also summarizes the duration of ten significant DHR losses which occurred during 1984.
In 1982, there were 18 events, 14 of which lasted from about two minutes to about an hour. The duration of the other four events is unknown.
Deficiencies associated with plant management, administrative controls, maintenance and test activities at the Salem st? tion were addressed by the NRC subsequent to the 1983 Salem anticipated transient without scram events. We believe that the licensee has taken corrective action in these areas, and a general reduction in the frequency of loss-of-DHR events is anticipated as a result.
Table 4 Duration of Reported DHR Loss Events Duration 1982 1983 Ten Selected 1984 Events 0 - 4 minutes 4 4 0 5 - 9 minutes 3 4 1 10 - 19 minutes 0 3 1 20 - 29 minutes 1 1 2 30 - 39 minutes 2 1 0 40 - 49 minutes 2 1 4 50 - 59 minutes 1 0 0 60 - 69 minutes 1 0 1 70 - 79 minutes 0 1 0 80 - 89 minutes 0 0 0 90 - 99 minutes 0 0 0 100 - 109 minutes 0 0 0 110 - 119 minutes 0 0 0 120 - 129 minutes 0 0 1 Total Duration in 328 242 426 minutes (without (4 unknowns) (13 unknowns) unknowns)
J
In 1983, there were 28 events, 15 of which accounted for DHR losses ranging from under a minute to 77 minutes. The durations of the other 13 events are unknown.
Because the 1984 data base was not complete at the time of this report, we were unable to review all of the 1984 data. Our initial screening indicated that although there were a number of loss-of-DHR events during 1984, ten of those events were deemed to be significant. (Appendix B has descriptions of those ten events.) Those ten events ranged in duration from seven minutes to two hours. Because of recent changes in reporting requirements (new LER rule 10 CFR 50.73 effective January 1,1984), it is not possible to nake a direct comparison of industry performance by examining the duration and frequency of recent years' loss-of-DHR events. The new reporting require-ments are more stringent than those of previous years. Virtually all loss-of-DHR events and their durations are now required to be reported.
Variations in plant technical specifications and licensee interpretation of previous reporting requirements have resulted in many loss-of-DHR events which were not reported, as well as reports which were incomplete and did not include information about the durations of the events. For example, NSAC-84 (Ref.14), illustrates the discrepancy between the number of DHR losses that occurred at the Zion nuclear station and that which was reported to the NRC. By reviewing control room logs and maintenance records, the authors of NSAC-84 found that there were 21 loss-of-DHR events at Zion 1 and 2 which the licensee deemed to be unreportable (16 events in which there was autoclosure of the suction / isolation valves while the DHR system was operating, and five DHR losses which were attributed'to inadequate reactor vessel level measurement during draindown operations). In contrast, the licensee only reported one loss-of-DHR event through 1983.
In an effort to reduce the frequency of inadvertent suction / isolation valve closures, Zion plant procedures (as reported in Reference 14) call for deenergizing the valves in the open position before conducting setpoint t.alibration and prior to conducting work on the inverters. This has been effective in reducing the Zion station's valve closure frequency from one per outage to zero.
Examination of the data presented in Tables 3 and 4, and in Appendices A and B indicates that some plants have been having a disproportionate number of long duration DHR losses in recent years; i.e., North Anna 1 and 2 have had five long duration loss-of-DHR events in 1982, four long duration loss-of-DHR events in 1983, and in 1984 North Anna 2 had a two-hour loss.
McGuire 2 had three long duration DHR loss events during a three-week period between December 1983 and January 1984 (43 minutes, 62 minutes and 49 minutes). McGuire 1 had three loss-of-DHR events in 1982 and 1983, the longest of which lasted one hour.
The operating experience shows that North Anna and McGuire have experienced multiple and long duration loss-of-DHR events without apparent improvement.
The Calvert Cliffs plants have experienced multiple loss-of-DHR events
without apparent improvement. Other plants such as Crystal River, Davis-Besse, and Salem appear to have improved their performance as a result of increased management attention.
The fact that the number of DHR losses as well as the duration of losses in 1984 continue to be high (>15 events) tends to indicate that plant performance is not improving during shutdowns. However, it is important to note that
_ during the years 1982, 1983 and 1984, the longest duration event was two hours, whereas there were five events during the years 1976 - 1981 which were of longer duration. Althcugh many of the 130 loss-of-DHR events exceeded an hour, plant personnel have always been able to restore the DHR function prior to reaching an unsafe condition (core uncovery). Since none of the long duration events occurred immediately after shutdown, there were no serious consequences. However, under slightly different circumstances, some of the loss-of-DHR events could have led to sericus consequences. Figure 4 shows how recovery time varies as a function of the time after scram that the loss-of-DHR event occurs.
While none of the recorded DHR failures affected the health and safety of the public, some of the events caused significant plant disruptions, extended downtime, and expensive cleanup and recovery. The Oconee 2 DHR system loss, which occurred on September 18, 1981 (Refs. 19 and 20) is a good example of such an event.*
Our analysis of operating data included categorization of 130 DHR system failures that occurred at PWRs during the years 1976 - 1983. Table 5 presents the results and shows that events involving the suction / isolation valves and the DHR pumps accounted for about two-thirds of the DHR system failures.
More than one quarter of all reported DHR system losses which occurred
-between 1976 and 1983 involved automatic closure of DHR suction / isolation valves (37 events)** The underlying or root causes of most of the automatic valve. closure events were human factors (see section 4.1 for further discussion). Only two of the automatic isolation valve closure events were On September 18, 1981, while at 94% power, Oconee 2 developed a steam generator tube leak (25-30 gpm). A rapid plant cooldown and depres-surization was begun. The plant cooldown and depressurization were delayed when it was found that one of the DHR suction valves was stuck l closed, thereby making the DHR system unavailable. As a result, plant I cooldown was delayed for more than 17 hours1.967593e-4 days <br />0.00472 hours <br />2.810847e-5 weeks <br />6.4685e-6 months <br />. The primary to secondary l leak resulted in an accumulation of about 2 million gallons of con-taminated water in the turbine building. It took about 60 days to reprocess the contaminated water, and to clean up the secondary system and the turbine building.
l This does not include the 16 events that occurred at Zion Nuclear l Station which were not reported to the NRC.
I
Table 5 Categories of 130 Reported Total DHR System Failures When Required to Operate (Loss of Function) at U.S. PWRs 1976-1983 No. of Events (% of Events)
Automation Closure of Suction / 37 (28.5)
-, Isolation Valves Loss of Inventory Inadequate RCS Inventory Resulting 26 (20.0 in Loss of DHR Pump Suction 36 (27.7)
Loss of RCS Inventory Through DHR 10 (7.7)
System Necessitating Shutdown of DHR System Component Failures Shutdown or Failure of DHR Pump 21 (16.2) 29 (22.3)
Inability to Open Suction / Isolation 8 (6.1)
Valve Others 28 (21.5)
Total 130 (100.0)
legitimate responses to valid signals which correctly detected an RCS pressure exceeding the isolation setpoint, i.e. a low temperature overpressure event.
More than one quarter of all reported DHR system losses which occurred between 1976 and 1983 involved loss of RCS inventory (36 events).
Twenty-six of the loss of inventory events resulted in inadequate pump suction, cavitation or air binding. Many events of this type were significant because of their long recovery times. Recovery required refilling the RCS and bleeding off the air or vapor bound pump (s).
Appendix B indicates that in 1984 there were at least six such events which lasted between 25 minutes and 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.
About one-fifth of the reported DHR losses which occurred between 1976 and 1983 involved DHR system component failure. Twenty-one events involved shutdown or random failure of an operating DHR pump when the other pump or train was inoperable. Eight events involved previously closed suction / iso-lation valves that could not be opened.
4.0 ANALYSIS AND EVALUATION OF THE UNDERLYING OR ROOT CAUSES OF REPORTED DHR SYSTEM LOSSES Table 5 presents a listing of the categories of DHR system failures. In addition to categorizing the events, our analysis examined the licensee submittals to determine the underlying or root causes of the events.
Table 6 presents the results of our assessment.
It can readily be seen from Table 6 that the dominant underlying or root causes of DHP, system failures are human factors (procedural inadequacies, operator or technician errors, etc.). Human factors account for almost two-thirds of the events. Equipment failures were the second major underly-
'ng or root cause and accounted for about one quarter of the events.
4.1 Human Factors The operating data revealed that human factors are the dominant underlying or root causes of almost two-thirds of the DHR system losses.
The major human factors problems that were common to many DHR system losses include:
PROCEDURES A. During normal outage activities (maintenance / repair / test /
surveillance), procedures'often:
o omit caution statements regarding restoring equipment on completion of tasks, o fail to consider interactions with other tasks or equipment, o are poorly written and omit steps or contain ambiguous instructions, o fail to identify equipment the same way it is labeled or referred to by the operator.
B. During failure identification and recovery activities, procedures frequently:
o are not available or are not applicable for a loss-of-DHR event, o are incomplete or lack specificity, o refer to or depend upon indicators, instruments, alarms or annunciators that have been optimized for power operation but are inadequate for shutdown operations and/or are improperly placed for shutdown operations, o do not provide operators with information about times available for safe recovery, and how to track the course of the event.
g
\ .m
- 2 6 - J'~
N
, k ~~
- ^
~
Table 6
^
Underlying or Root Caus_es of Reported DHR System Failures w
~
s k t
c, ' No. of Events (% of Events).,
Human Factors X' s v 3 Inadequate / faulty procedures ~
. .( 49 l (37.7))
I Operator / technician errors '-
23 483 ,
(17.7) (63.9)
Inadequate / faulty procedures 11 combined with operator / -
(8.5)J technician errors -
x Equipment Failures y s.
s, t
.s Pumps, valves, relays, etc. 37 N (28.5) -
s x UnknownCaus$ 8 (6.2) ,
Human Factors Combined 1 (0.7) with Equipment Failures '
i W
Others 1 (0.7) w- .
~
Total 130, (100.0) s *'3 4
7; D ' ,
s r. +
4
'N t
\
=
. e, 9
s
OPERATOR AIDS (Instrumentation, Monitoring Equipment Alarms, Annunciators, etc.)
In performing normal outage activities and identifying / mitigating failurcs, man / machine interfaces are inadequate for ensuring task proficiency. Operator aids are usually designed for power operations and are often inadequate for use during shutdown. In general, operator aids during shutdown:
o are not available to monitor or track operations or events, o may be poorly placed relative to the task being performed, o are not integrated into operator tasks (e.g., infrequently monitored levels, temperatures, etc.).
- PERSONNEL ERRORS A. During normal outage activities, errors of omission and/or commission have been caused or affected by
o misunderstanding of procedures, instructions, and tasks, o unfamiliarity with equipment or tasks, o lack of understanding of importance of tasks and the interfaces with other ongoing tasks or activities, o accidents (bumping or dropping equipment),
o inadequate training.
B. During failure identification and recovery activities, recovery times have been adversely impacted by:
o operator unfamiliarity with instrumentation used for diagnosis and/or recovery techniques, o operator unfamiliarity with other ongoing activities, o inadequate operator training.
PLANNING For both normal. outage activities and event response activities:
o emhh'asisseemstobeonminimizingoutagetimeandmeeting technical specification requirements (limiting conditions for operation, etc.), not on equipment or system interaction, o interactions'between simultaneous activities may not be factored"into the task assignments or procedures (e.g.,
jumpering, blocking of circuits, and taking equipment out of service may not be accounted for).
Although the loss-of-DHR events associated with inadequate RCS inventory usually involved failures or inadequacies of equipment associated with i liquid level measurement, we viewed them as having been caused by human factors since most of these events represented breakdowns of the man /mschine l interface. These events typically resulted from inadequate and/or im-properly placed instrumentation, annunciators, alarms; inadequate monitoring procedures; inadequate training associated with level measurement system operation, or operator error.
Some of the most significant events involving human factors occurred while the primary coolant system was partially drained and the operators were misled on the status of coolant inventory by inaccurate liquid level instru-mentation. In many cases, the level instrumentation devices were incor-rectly calibrated, or were makeshift apparatus which were prone to failure and measurement errors (e.g., tygon tube sight gages). In most events of this type, the operators did not have advance warning of an inventory problem. A frequently observed scenario was one in which the RCS was drained down to the point where there was inadequate net positive suction head (NPSH) or air entrapment in the DHR pump. As a result, the DHR pump cavitated, could not deliver the design coolant flow, or even became air-bound. The first symptoms were usually increases in pump noise and changes in pump motor current which were caused by inadequate suction head and cavitation. In many events, the operators diagnosed the problem as a pump problem'when the cause was actually an inventory problem. As a result, in many cases, the operators activated the redundant pumps only to find that they also malfunctioned. It should be noted that continued operation of a DHR pump with inadequate NPSH or a closed suction valve could result in DHR pump failure."
Appendices A and B contain descriptions of 18 events which occurred in 1982, 1983, and 1984 which involved insufficient inventory and subsequent pump problems. 'Between 1976 and 1984 there have been ten events where the operators required about an hour or more to restore operability of the air or vapor bound pumps. Most' o'. the longer duration events occurred before 1982. In 1984 there were at least six low inventory events, two of which lasted more than an hour.
With regard to the lack of information available to operators during DHR operations, we note that many plants do not have (or have improperly placed) annunciators to warn of low DHR pump NPSH or low DHR flow. For example, in Reference 21, Diablo Canyon reported a DHR pump failure after operating for about an hour with a closed suction valve.
Regarding inadequate procedures'and training for mitigation or recovery from a DHR system loss, we note that in a recent LER (Ref. 22) Zion 1 reported a 45-minute loss of the DHR system due to draining of the primary system to a level below the DHR pump's suction line. The LER implied that there was no procedure available for responding to this event. The licensee stated that "a procedure for loss of RHR will be prepared," and "a procedure for a loss of RHR will be written to provide guidance in the proper actions to be taken in the event of an indicated loss of RHR." Reference 14 notes that there were at least five previous loss-of-DHR events at Zion caused by inadequate RCS inventory. However, none of those five previous events prompted the licensee to prepare procedures for recovering from such an event.
Subsequent discussions with operators at several plants that have experienced significant losses of DHR have indicated that plant personnel do not have adequate information about the time margins available for recovery from loss-of-DHR events prior to reaching bulk boiling, core uncovery or some other safety related threshold (i.e., tables or graphs showing time to reach bulk boiling or core uncovery as a function of time after reactor trip, such as that shown in Figure 4).
A poignant example of many of the aforementioned human factors concerns
-(e.g., procedures and man-machine interface) is documented in a recent NRC inspection report (Ref. 23), from which excerpts are reprinted below.
Licensee Monitoring of Core Cooling Parameters During Mode 6 Operation The NRC resident inspector expressed concern over the adequacy of surveillance practices provided by the licensee for monitoring proper core cooling during extended periods in which the Unit 2 reactor vessel was partially drained with the closure head detensioned.
...the reactor vessel was drained to the middle of the hot leg nozzle, which provides approximately six feet of water above the top of the core.
... Depending on the prior core power history and the length of time between reactor shutdown and head detensioning, core decay heat could be sufficient to boil the available water cover within Ivery short period of time (several hours) if proper-core cooling were not maintained. This vulnerable state of plant condition forms the basis for NRC concern.
Considering the plant conditions noted above, the following points were noted with respect to licensee monitoring of important core cooling parameters:
(1) There is no reactor vessel water level indication or alarm in the control room. The only current requirement for monitoring vessel water level is to monitor a temporary standpipe installed in containment on a once per-shift basis.
This could involve up to 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> between water level observations.
(2) There is no core cooling flow alarm in the control room.
Core cooling flow indication is available in the control room; however, it is only required to be monitored once_a_
shift.
(3) There is no direct reactor vessel water temperature indication or alarm in the control room, Available reactor coolant temperature instruments are located in stagnant portions of the coolant loop and not in the shutdown cooling flow path.
a 0
... Based on the limited availability of instrumentation or alarms in the control room and the infrequently required monitoring of key core cooling parameters by operations personnel, the NRC resident requested the licensee to evaluate these concerns and identify what action is considered warranted.
The licensee acknowledged the NRC concerns and took action to increase the monitoring of core cooling flow to every two hours until the refueling cavity was flooded. The licensee agreed to further evaluate the specific NRC concerns from the standpoint of the adequacy of control room instrumentation and surveillance procedures.
(Emphasis Added) 4.2 Equipment Failures Our analysis and evaluation of the operating data revealed that failure of equipment, such as pumps, valves, relays, etc., were the underlying or root causes of more than one quarter of the reported DHR system failures (36 of 130).
The data showed that almost all of these 36 events involved random single failures which occurred while the plants were in modes 5 or 6. The redundant DHR trains were frequently unavailable due to testing, maintenance or repairs as allowed by plant technical specifications. We believe that there were very few DHR loss events during mode 4 because only a small portion of shutdown time is spent in mode 4, and because many of the test, maintenance and repair activities associated with plant shutdown are not normally initiated until the plants are in modes 5 or 6.
We note that in a generic letter (Ref. 24), NRR required all operating PWRs to modify their plant technical specifications to " provide for redundancy in decay heat removal capability in all modes of operation." To date, all but
. two plaats have modified their technical specifications to meet the requirements of the generic letter. (Those two plants are Palisades, and TMI-1.) Although, the technical specifications required by the generic letter decreased the likelihood of DHR loss due to single failures, they did not fully assure DHR redundancy during all DHR modes. Implementing the technical specifications that were included with the generic letter do not prevent a licensee from disabling a train of DHR during times of high DHR heat load.
For example:
o The generic letter permits the plants to have only one train of DHR operable during periods of higher risk, i.e., high decay heat load during mode 4 and the early stages of mode 5.
o Licensees were not required to formulate detailed emergency procedures for loss-of-DHR and train their staff in their use.
o Standard plant technical specifications allow disablement of all DHR and RCS pumps for up to one hour if the RCS fluid exiting the core is at least 10 F subcooled. However under those conditions, it is
possible to reach saturation (lose the 10 F subcooling) and initiate boiloff within one hour.
We note that NSAC's study of DHR operating experience (Ref. 3) suggests that both DHR trains should be operable during the time of high decay heat (the few hours that the plants are in hot shutdown mode and the first few days of l cold shutdown). We endorse NSAC's concern for having such redundant DHR capability available during times of high decay heat.
4.3 Technical Specification Deficiencies Our review of loss-of-DHR events identified the potential for increased risk due to inadequate technical specifications, specifically concerning the necessary conditions required for the determination of " cold shutdown," and the absence of a requirement for vessel level monitoring equipment.
4.3.1 Mode Definition /Early Disabling of Equipment An early loss of the DHR system could effectively place the plant in a degraded mode while the plant has a higher decay heat generation rate, resulting in a shorter time available for a safe recovery. For example, the following scenario is currently possible:*
o During plant shutdown, mode determination is based upon " average coolant temperature." However, " average coolant temperature" is not defined in the standard technical specifications.** Thus, by selecting an inappropriate temperature to determine " average coolant temperature" an inaccurate and premature mode determination could result.
o Once a plant is declared to be in " cold shutdown" (mode 5) plant personnel may disable redundant equipment and initiate maintenance, surveillance or repair activities and the DHR system may consist of only one operable train.
o The plant becomes highly vulnerable to losing the DHR system due to a single component failure.
As noted in Table 1, standard technical specification definitions of operational modes depend upon " average coolant temperature." However,
" average coolant temperature" is not defined in the standard plant technical
- We are unable to ascertain if this scenario has actually occurred thus far. However, review of operating data leads us to believe that the-likelihood of occurrence is high.
No universal convention defines T,yg during modes 4, 5 and 6.
specifications. In an AEOD survey of resident inspectors at the operating B&W plants, it was learned that the B&W plants are not consistent in the methods they use to determine when cold shutdown conditions have been achieved. Most of the plants depend upon only one temperature measurement to make a mode determination. Some of the temperature readings that the B&W licensees use to determine when cold shutdown is achieved are:*
o Cold leg temperature o Hot leg temperature o DHR pump outlet temperature o DHR pump suction line temperature o DHR return line temperature However, we note that a reading of only one of these temperatures does not provide a valid indication of " average coolant temperature." Operating experience has shown that for B&W plants on DHR cooling, the " average primary coolant temperature" can be much higher than many temperatures being used for mode determination (Refs. 25 through 29). The hot leg tempera-tures,** especially coolant near the top of the " candy canes," in the reactor upper head region, in the pressurizer, and in the pressurizer surge line, may be at substantially hotter temperatures than the temperatures being used for mode determination. As a result of a premature designation of cold shutdown, it is quite likely that plant personnel may disable safety systems and defeat OHR system redundancy in order to initiate test, maintenance and repair operations which are allowed during cold shutdown, prior to actually achieving cold shutdown conditions. In essence, safety-related equipment which may be required during hot shutdown conditions may be bypassed or disabled prior to actually establishing the conditions required for their disablement.
We note that if some of the loss-of-DHR events had occurred while the primary coolant system temperature was higher, and the decay heat generation rate was higher, less time would have been available for recovery and core uncovery could have been reached. From the operating experience and our calculations, it appears that the risks associated with the loss-of-DHR can be significantly increased by the premature declaration of. cold shutdown and concomitant test, maintenance, and repair operations.***
, We have not canvassed resident inspectors at other PWRs; however, CE and W standard technical specifications define operational modes in a similar manner, and do not define " average coolant temperature."
Except for the area of hot leg U bends (J legs or candy canes) which is unique to B&W plants, most of this discussion is also germane to PWRs designed by CE and W.
One of the peer reviewer's comments on the draft case study recommended that a grace period be used to determine when DHR system redundancy can be defeated. Specification of such a grace period would depend upon DHR recovery time margin such as that which appears in Figure 4.
, . , . . -- - - ~ - . - - - . . - _ - ~ .- - _ - - - - - .
4 -
33 -
4.3.2 Absence of Requirements for RCS Level Measurement During Shutdown In add'ition to the 26 DHR losses which resulted from inadequate RCS inven-tory through 1983, our review of operating data has shown that there were at least six additional events in 1984. Those loss-of-DHR events involved incorrect or faulty level measurement of a drained RCS. Some of the loss-
, of-DHR events were of long duration (40 minutes to two hours) because of the time required to restore the air or vapor bound DHR pumps. Our review of 4 _ plant specific technical specifications revealed that there are no technical specification. requirements addressing RCS level measurement (equipment or procedures) during shutdown. We consider the absence of such requirements, especially during RCS draindown, a significant technical specification deficiency.
4.3.3 Omissions Regarding Equipment Operability As part of this case study, we reviewed the technical specifications of a number of plants. That review revealed that the technical specifications at Oconee 1, 2 and 3 are incomplete with regard to shutdown modes and DHR system
- . operability requirements; i.e.,
E the technical specifications for the Oconee plants do not define operation with RCS average temperature between 200 F
- and 525 F, and do not address DHR system
- operability requirements during all shutdown modes.
Our review of other plants' technical specifications did not identify omis-sions which are similar to those of the Oconee technical specifications.
However, since we did not review.the technical specifications for all plants,
- we are not sure that-there are no other operating plants which have similar
- omissions.
i-
',- The Oconee plants' technical specifications refer to the DHR system as j the Low Pressure Injection (LPI) system. ,
i o
-,-------.-----emer--- e.,r,w-,,--r, -v--- -
--m-w.-m- - m - rra.e - es- ,. -,- rT-~~m-e-- r--- -w"
5.0 FINDINGS AND CONCLUSIONS U.S. PWR experience has shown that during about 500 reactor years, 130 losses of operating DHR systems were reported (0.25 event per reactor year).
Some of those events lasted for several hours.
The operational data clearly indicate that human factors were the root causes of most of the loss-of-DHR events that have been reported to have occurred at U.S. PWRs through 1983. Inadequate procedures and operator /-
technician errors during testing, surveillance, maintenance, and repair operations were the root causes of c1most two-thirds of those loss-of-DHR events.
As noted in section 2.2, review of operatior,al data, licensee submittals, and scoping calculations all indicate that primary system boiloff and core uncovery can occur during certain events within a few hours after loss of the DHR system. The situation can be especially acute if the RCS is par-tially drained, if the event is initiated by a LOCA shortly after the DHR system is activated, or if the loss occurs during the first several days of plant shutdown. Fortunately, the plants have recovered from the loss-of-DHR events that have occurred thus far, before sustaining serious consequences.
In addition, under certain conditions,* primary system pressurization could occur at all types of U.S. PWR plants within 30 to 60 minutes after losing the DHR system. Such pressurization could challenge the low-temperature overpressure (LTOP) protection equipment. An extended failure to restore the DHR function could result in a small break LOCA, with primary system boiloff at the LTOP relief valve setpoint pressure. Continued boiloff could lead to core uncovery in as few as two to three hours.
The results of NSAC's probabilistic risk assessment (PRA) of loss-of-DHR events at Zion (Ref. 14) and Reference 15 support our position that a risk assessment of DHR system losses is of little real benefit because of the large uncertainty associated with the quantification of human factors events (human factors being the dominant cause of the DHR system loss events), the difficulty in obtaining accurate failure data, and the differences in plant designs. We view the many loss-of-DHR events which have occurred at PWRs thus far (one loss-of-DHR event every four (PWR) reactor years, which equates to more than a dozen such events each calendar year) as a signifi-cant group of precursors. We conclude that corrective actions are required to minimize the risk associated with DHR losses.
As noted in section 3.1, we have been unable to detect a significant i
industry-wide improvement in DHR loss experiences. If licensees were to incorporate the lessons learned from previous loss-of-DHR experiences, especially the recommendations provided in NSAC-52, we would expect to see a significant improvement in their DHR loss experience. However, the absence of such an industry-wide improvement, and the continued occurrence of DHR loss events, led us to conclude that many licensees may not be incorporating NSAC 52's recommendations.
With the RCS intact and the reactor vessel head on.
- )
5.1 Human Factors Considerations '
From our analysis and evaluation of operational data, we conclude that many plants do not pay adequate attention to the human factors aspects of plant operations, testing, surveillance, and maintenance during plant shutdowns.
As shown in Table 4, and as illustrated by the data appearing in Appendi-ces A, B, and C, faulty procedures and operator / technician errors associated with plant shutdown operations were the underlying or root causes of almost two-thirds (83 of 130) of the reported loss-of-DHR system events.
Based on operating data and discussions with plant personnel and reactor inspectors, we conclude that the techniques used for planning and coordina-tion vary widely from plant to plant and are frequently inadequate to prevent the occurrence of many loss-of-DHR events. (Loss-of-DHR events have frequently resulted from conflicting or interacting outage activities.)
Most plants have outage planning groups which look at outage scheduling from the standpoint of schedule and hardware availability. However, equipment and system interactions associated with ongoing test, surveillance, and maintenance activities do not necessarily receive adequate planning or attention unless there is a particular technical specification requirement associated with it. Improved outage planning which focuses on the timing of conflicting or interacting activities could significantly decrease the frequency of loss-of-DHR events.
With regard to the man / machine interface associated with DHR system operation and malfunctions, we found that for many plants:
o Existing procedures and equipment associated with RCS level monitoring during plant shutdowns are frequently inadequate and are failure prone. Inadvertent and undetected reduction of RCS inventory is a potentially significant contributor to risk associated with loss-of-DHR when the RCS is partially drained (26 events through 1983, and at least six more events in 1984). We conclude that more reliable instrumentation and procedures should be used to reduce the frequency and, thus, the risk due to inventory problems leading to loss-of-DHR events.
o Operator aids are not readily available to assist in the detection l of abnormal plant behavior while the plant is in modes 4, 5 and 6.
Instrument alarms and annunciators are not conveniently located to enable the operators to integrate them into normal and emergency procedures during shutdown periods. In addition, operator aids are not available to enable operators to trend RCS and DHR system parameters l during loss-of-DHR events (e.g. , temperatures, pressures, flows, etc.).
j We were informed by a reactor operator that during a recent DHR loss event, he had to rely upon his stopwatch and graph paper to determine how much margin was available prior to bulk boiling in the reactor.
Time margin information such as that depicted in Figure 4 is not generally available to operators to assist them in recovering frc=
l loss-of-DHR events (plot or table of time after DHR loss until bulk boiling or uncovery begins as a function of time after rod insertion at which DHR loss occurs).
1
36 -
o Operators usually are not provided with/or trained in the use of emergency procedures associated with casualties which occur during modes 4, 5 and 6. Specifically, emergency procedures for loss-of-DHR involving RCS level loss, pump failures (air or vapor binding), valve misalignment, DHR leakage, RCS leakage, boron dilution, inadvertent a
s system heatup or pressurization, etc.
o Based upon the_ corrective actions taken after loss-of-DHR events, we conclude that plant personnel, especially non-licensed operations and maintenance staff, are not sensitized or fully aware of the risks associated with their activities during plant shutdown. The risks during times of high decay heat rate, drain and fill operations, and during operations in which redundant equipment is disabled do not appear to be fully appreciated by all plant personnel.
5.2 Design Considerations - Flow Path from the Reactor Coolant System to the Decay Heat Removal System 5.2.1 Double Drop Line Configuration From our evaluation of the operating data, we conclude that adding a second 3 drop line to provide a redundant DHR suction flow path will not result in a significant improvement in DHR system reliability and availability.
Furthermore, the double drop line configuration may result in an overall increase in risk due to the increase in the probability of Event V. As an alternate to the double drop line configuration, a suction bypass line (as discussed in section 2.1) may provide a less expensive, and possibly safer (when considering Event V) method for improving DHR availability. We con-cluded that the use of a DHR suction bypass line would have contributed significantly to mitigating the September 1981 Oconee 2 event which resulted in significant onsite contamination and an extensive outage (see section 3.1). The suction bypass line would have introduced an alternate DHR flow path enabling a more rapid cooldown, thereby reducing the amount of leakage, contamination and down-time.
5.2.2 Inadvertent Closure of DHR System Suction / Isolation Valves As noted in section 2.2, closure of DHR system suction / isolation valves !
shortly after initiation of the DHR system could result in an LTOP challenge '
to the RCS at PWRs within 30 minutes,* with core uncovery occurring as early'as about two to three hours after valve closure.
l Operating data has shown that for DHR system operation, removal of power or removal of the autoclosure interlocks to the DHR suction / isolation valves
, can be a safe, effective method for preventing spurious suction / isolation Or within only a few minutes during " solid" operations as described in Reference 13.
1 1
- - , - , , + ,,.,,..,m-_,-.m--- --.-,,-,-cwee,,......--m, %.-..._ . . - . , r-~m_,...,,.,_ _vo-, -- ,. - . . ~ ~ ~ -ww y,, + -,-.-.,.,y ,.----e.. -.
valve closure. This design assumes that overpressure protection for the DHR system is provided by the DHR system relief valve. Since all plants do not have adequate relief t.hrough the DHR system, additional relief capacity may be necessary prior to removing power or the autoclosure interlocks to the suction / isolation valves.
This case study report has stimulated much interest in the subject of auto-closure interlocks. Based upon an earlier (1984) draft of this case study report, Sandia Laboratories performed a risk assessment as part of Task A-45 evaluating the competing risks associated with DHR suction / isolation valve closures and Event V. Their report (Ref. 30), " Potential Benefits Obtained by Requiring Safety-Grade Cold Shutdown Systems," was done for the Calvert Cliffs plants' configuration. Subsequent to their quantification of risks, Sandia concluded that:
"The lowest core melt frequency due to the combination of loss of RHR suction during cold shutdown and V-LOCAs is obtained when there are no autoclosure interlocks on the RHR suction valves... removing the overpressure interlocks from the RHR suction valves gives the best RHR suction arrangement for PWRs based upon this analysis.
...when interlocks are present, loss of RHR suction is the largest contributor to core melt frequency for all assumed values of P(CM-LRHRs).** However, when the interlocks are not present, the core melt frequency due to loss of RHR suction is comparable to or less than the V-LOCA core melt frequency for the "best estimate" cases.
Finally, we believe that the "best" RHR suction valve arrangement is to have a single suction line without primary system over pressure interlocks on the valves."
In response to the earlier draft of this case study, NRR reviewed the issue of "RCS/RHR Suction Line Interlocks on PWRs." NRR performed a prioritiza-tion evaluation (a simplified risk and cost assessment). As a result, on August 13, 1985, in Reference 31, the Director of NRR forwarded a cooy of his staff's prioritization of this issue, assigned it a "HIGH" priority ranking, and directed the Director of the Division of Systems Integration to take the actions necessary to resolve this issue.
It is also important to note that Westinghouse has evaluated Kewaunee's proposal for iemoving the autoclosure interlocks pn the DHR suction valves.
Reference 6 notes that Westinghouse's analysis r;.cluded that for Kewaunee, the proposed modification would be a safety impfovement. NRR has subsequently approved the modification. As noted in Reference 6, the effects of autoclosure interlock removal upon plant safety must be The Davis-Besse and Zion plants use this approach, and the Kewaunee plant has recently received NRC approval to remove its autoclosure interlocks.
- P(CM-LRHRs) = probability of core melt given that RHR suction is lost.
~
l
, evaluated on a plant by plant basis (because of the numerous plant-specific differences).
4 5.3 Technical Specification Deficiencies *
! 5.3.1 Mode Definition /Early Disabling of Equipment We found that most plants' technical specifications are imprecise with regard to the designation of plant operating modes because the average coolant temperatures are undefined. As a result, a premature designation of cold shutdown is possible, and thus equipment can be disabled or bypassed and DHR redundancy eliminated during conditions of high decay heat load. As noted in section 4.3, it is possible to enter a condition in which equipment may be bypassed prior to properly establishing the conditions required for
- the bypass. Thus, the plant is more vulnerable to loss-of-DHR due to a single failure, and with the higher decay hect, improper mode definition can reduce the time available to prevent core uncovery.
' We conclude that regulatory action should be taken to assure the proper definition of shutdown mode, and assure DHR redundancy during periods of high decay heat load. The use of a grace period ** based upon available DHR racovery time may be a viable alternative to the present practices.
5.3.2 Absence of Requirements for RCS Level Measurement During Shutdown Our review of technical specifications concluded that the lack of l requirements for RCS level measurement and monitoring during shutdown and draindown is a significant generic safety deficiency. Considering that:
o there have been a significant number of long duration DHR losses involving inadequate RCS level in recent years (including six in 1984),
4 and o the times available-for recovery prior to reaching unsafe conditions are relatively short, we have concluded that regulatory action should be initiated to ensure reliable RCS level measurement.
4
- These deficiencies may be viewed by some as human factors type deficiencies because of their impact upon plant operating procedures, etc.
l- ** Prohibit entering mode 5 until certain time, heatup rate, or recovery j' time criteria are met.
3 i
i.
i
5.3.3 Omissions Regarding Equipment Operability As noted in section 4.3.3, our review found three plants' technical speci-fications to be incomplete with regard to shutdcwn modes and DHR system operability requirements. We are not sure that there are no other plants with similar omissions. Furthermore, the plants having those deficiencies have been determined to meet the requirements of NRR's 1980 generic DHR letter (Ref. 24). We are unable to ascertain why the deficient technical specifications have not yet been modified, and we question if there are other plants that have been determined to meet the requirements of the generic letter, but that also have similar deficiencies.
.- - - _ - , , _ ._,_-...,o .. ,-._, - , , m_,,7 _ .__. ,. ,.,_c, - . _ , . , -
6.0 RECOMMENDATIONS (1) AEOD recommends that NRR assess the need for NRC requirements to improve planning, coordination, procedures, and personnel training during shutdown to ensure the availability of DHR.
We believe that significant improvements in DHR system availability and reliability can be achieved by focusing upon human factors aspects of plant shutdown. We recognize the fact that NRR is initiating a generic mainten-ance and surveillance program to look into some of these issues (Ref. 32).
We recommend that, as part of that effort, NRR should review industry practice and determine if guidelines or specific requirements are necessary to ensure plant safety during DHR system operation. Emphasis should be placed upon detailed planning of test, surveillance and maintenance activi-ties, and the equipment or system interactions which have frequently caused loss-of-DHR systems.
In addition, plant practices regarding the procedures and training of personnel for performance of normal (non-emergency) operations during shutdown should be evaluated. For example: all operations and maintenance staff (licensed and non-licensed) should receive training to assure that they become sensitized to the risks associated with plant shutdown. Empha-sis should be placed upon understanding the risks and high vulnerability associated with times of high decay heat rate, drain and fill operations, disabling redundant safety equipment, etc.
(2) AE0D recommends that NRR require PWR licensees to have a reliable method of measuring and monitoring reactor vessel level during shutdown modes of operation and corresponding technical specification requirements for operability.
Common industry practice using unanalyzed makeshift devices such as failure prone tygon tube sight gages to monitor RCS level during plant shutdown should be modified or discontinued. We recommend that NRR require the licensees to use reliable, RCS level monitoring instruments during modes 4, 5, and 6. Consideration should be given to requiring redundant level indication during modes 4, 5, and 6 to ensure availability of trending data, and to warn operators in advance of unacceptably low RCS level. In addition, plant procedures should be modified to assure that the frequency of RCS level monitoring is commensurate with plant status (e.g. , as noted in section 4.1, one plant could have monitored vessel level as infrequently as once every 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />, whereas fuel uncovery could occur only a few hours after a loss-of-DHR). As a minimum, each plant's safety review committee should review the instrumentation and procedures used for RCS level measurement during modes 4, 5 and 6 to ensure that a high level of reliability is achieved.
(3) AE00 recommends that NRR require the licensees to improve the man-machine interfaces related to DHR operation.
We recognize that all DHR losses cannot be totally eliminated by good planning, good procedures, well-trained personnel, etc. We believe that if all licensees would perform human factors analyses of their plants' DHR operations, (including normal and abnormal conditions) and modify their
~
- 41 _
plant practices and man / machine interfaces accordingly, the risks from DHR losses would be significantly reduced. A model to use for such human factors analyses is one used by NRR (Ref. 33). Reference 33 requires licensees to perform specific task analyses, and to integrate instrumenta-tion, alarms and annunciators into normal and emergency procedures for transients and accidents occurring during power operation. As a minimum, we recommend that NRR consider requiring licensees to perform human factors reviews as described in Reference 33, but extend them to shutdown opera-tions, with emphasis on detection and mitigation of loss-of-DHR events.
The operators should be provided with information (such as Figure 4) outlining the time margins available for recovery from postulated loss-of-DHR events as a function of time from reactor trip for a representative set of DHR loss transients. Examples of such transients are: primary system filled at maximum DHR system temperature; primary system drained to minimum level and open to the atmosphere; RCS at refueling temperature, etc.
Information on time margins available would assist operators in recognizing the potential seriousness of the event, and assist them in choosing appropriate methods for restoration of the DHR function.
(4) AEOD does not recommend changing the design of DHR systems to include redundant drop lines.
Based upon our snalysis of the suction / isolation valve closure logic at plants having redundant drop lines, and operating data, we do not recommend adding a second drop line to plants that now have a single drop line configuration. Such a design change is being considered as part of A-45.
However, if NRR's A-45 task concludes that a single drop line configuration is unacceptable, and additional reliability is required, it is recommended that NRR consider a smaller diameter DHR suction bypass line as a possible alternative. The bypass line configuration which we believe worthy of consideration is one with remotely operated valves to which power is locked out (actuation to be performed outside containment), with manual overrides (inside containment) to provide additional assurance of their opening in the event of motor or power source problems. This design would represent an improvement over the Davis-Besse design which cannot be operated from outside containment. (See sections 2.1 and 5.2.1.)
(5) AE00 recommends that NRR consider removal of the autoclosure interlocks to minimize loss-of-DHR events.
In order to prevent inadvertent DHR suction / isolation valve closures (during DHR system operation) it is recommended that NRR consider either requiring the removal of the autoclosure interlocks to the DHR suction / isolation valves, or requiring removal of power to the DHR suction / isolation valves when valve motion is not required. Prior to implementing this recommenda-tion, it is necessary to ensure that there is adequate relief capacity to prevent overpressurization of the DHR system. (See sections 2.2 and 5.2.2.)
NSAC-52 (Ref. 3) had a similar recommendation.
(6) AEOD recommends that NRR's technical specification improvement program address the issue of DHR system redundancy to ensure that the DHR system is available during Mode 4 and the early stages of Mode 5.
In section c.2, we noted that even though NRR's generic letter on DHR addressed DHR system redundancy, plant technical specifications do not require DHR redundancy throughout periods of high risk (mode 4 and the early stages of mode 5). We also noted that test, maintenance, and other shutdown activities can be initiated during these periods. As a result, there is a high likelihood that a DHR loss could occur at a time when the risk is highest. Upon considering operational data and the plant practices, we believe that regulatory action is necessary to minimize the possibility of DHR losses during periods of high risk (early in shutdown).
We recommend that NRR's technical specification improvement program address the DHR system operating requirements so that licensees modify plant technical specifications to:
o assure all plants have proper shutdown mode definitions (as discussed in sections 4.3 and 5.3); and o ensure that both trains of the DHR system are operable during periods of high decay heat load, i.e., mode 4 and the early stages of mode 5.
(Presently, the applicable generic letter permits one train to be inoperable during this time.)
Since the loss-of-DHR experience has not greatly improved following the issuance of NSAC-52 and NRR's generic letter, we believe that technical specification modifications are necessary to ensure adequate redundancy. In addition, we feel that an information notice should be issued to reemphasize to the licensees the overall safety significance associated with the operation of the DHR systems.
t
,, , _ . . ,, .-y-r_.__,--- ,___----,--,--,,,.-,y,.,,.-,,,,..,-.-y ,uw_ -
43 -
7.0 REFERENCES
- 1. U.S. Nuclear Regulatory Commission, " Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants,"
WASH 1400 (NUREG-75/014), October 1975.*
- 2. J.A. Haried, Oak Ridge National Laboratory, " Evaluation of Events Involving Decay Heat Removal Systems in Nuclear Power Plants," USNRC Report NUREG/CR-2799, July 1982.*
- 3. Nuclear Safety Analysis Center / Electric Power Research Institute,
" Residual Heat Removal Experience, Review and Safety Analysis, Pressurized Water Reactors," NSAC-52, January 1983. Available from Research Reports Center (RRC) Box 50490, Palo Alto, CA 94303.
- 4. U.S. Nuclear Regulatory Commission, " Standard Technical Specifications for Babcock and Wilcox Pressurized Water Reactors," (NUREG-0103 Rev. 4), Revision of Fall 1980.*
- 5. Letter from H. B. Tucker, Duke Power Company, to H. R. Denton, NRC,
Subject:
Catawba Nuclear Station Docket Nos. 50-413 and 50-414, dated October 13, 1983.**
- 6. Memorandum from B. W. Sheron, NRC to RSB members, " Auto Closure Interlocks for PWR Residual Het Removal (RHR) Systems," January 28, 1983.**
- 7. Tennessee Valley Authority, Licensee Event Report (LER) 50-328/83-101 Sequoyah-2 Nuclear Power Plant, dated August 18, 1983.**
- 8. U.S. Nuclear Regulatory Commission, Region IV, Daily Report, August 31, 1984.**
- 9. Arkansas Power and Light Company, Licensee Event Report (LER) 50-368/84-023, Arkansas Nuclear One - Unit 2, dated October 1, 1984.**
- 10. Telephone Discussion between D.B. Lomax and J. T. Enos, Arkansas W,wer and Light Company, and H. L. Ornstein, NRC, November 9, 1984.
- 11. Indiana and Michigan Electric Company, Liccasee Event Report (LER) 50-316/84-014, D. C. Cook Unit 2, dated June 22, 1984.**
Available for purchase from National Technical Information Service, Springfield, VA 22161.
- Available in the NRC Public Document Room at 1717 H Street, N.W.,
Washington, D.C. 20555 for inspection and copying for a fee.
+
- 12. Letter from R. J. Rodriguez, Sacramento Municipal Utility District, to J. F. Stolz, NRC,
Subject:
Docket No. 50-312 Rancho Seco Nuclear Generating Station Unit No. 1, Low Temperature Overpressurization Protection (LTOP) Setpoint, dated February 15, 1984.*
- 13. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Case Study No. AE0D/C401 " Low Temperature Overpressure Events at Turkey Point Unit 4," March 1984.*
- 14. Nuclear Safety Analysis Center / Electric Power Research Institute, 4
" Zion Nuclear Plant Residual Heat Removal PRA," NSAC-84, July 1985.
Available from Research Reports Center (RRC), Box 50490, Palo Alto, CA 94303.
- 15. Letter from A. D. Rossin, Electric Power Research Institute, to C. J.
Heltemes, NRC, September 3, 1985.
- 16. U.S. Nuclear Regulatory Commission, " Report to Congress on Abnormal Occurrences, April - June 1980," NRC - (NUREG-0090, Vol. 3, No. 2),
4 November 1980.**
- 17. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Bulletin No. 80-12: " Decay Heat Removal System Operability," May 9, 1980.*
- 18. W. J. Foley, R. S. Dean, A. Hennick, Parameter Inc. , " Closeout of IE Bulletin 80-12: Decay Heat Removal System Operability," USNRC Report NUREG/CR-4005, June 1985.**
- 19. Duke Power Corporation, Reportable Occurrence Report R0-270/81-17, Oconee 2, dated November 13, 1981.*
- 20. Institute of Nuclear Power Operations, " Analysis of Steam Generator Tube Rupture Events at Oconee and Ginna,"82-030, November 1982.
- 21. Pacific Gas and Electric Company, Licensee Event Report (LER) 50-275/
84-004, Diablo Canyon Unit 1, dated February 2,1984.*
- 22. Commonwealth Edison Company, Licensee Event Report (LER) 50-295/84-031, Zion Unit 1, dated October 16, 1984.*
- 23. U.S. Nuclear Regulatory Commission, Inspection Report No. 50-206/84-04, 50-361/84-27, 50-362/84-28, San Onofre Nuclear Generating Station, December 21, 1984.*
Available in the NRC Public Document Room at 1717 H Street, N.W.,
Washington, D.C. 20555 for inspection and copying for a fee.
Available for purchase from National Technical Information Service, Springfield, VA 22161.
l l
I
- 24. U.S. Nuclear Regulatory Commission, " Generic Letter to All Operating
. Pressurized Water Reactors (PWR's)," from D. G. Eisenhut, June 11, 1980.*
- 25. U.S. Nuclear Regulatory Commission Inspection Report 50-269/81-14, 50-270/81-14, and 50-287/81-14, Oconee Facility, July 23, 1981.*
- 26. Letter from W. O. Parker, Duke Power Company, to J. P. O'Reilly, NRC,
Subject:
Oconee Nuclear Station, Docket No. 50-269, July 31, 1981.*
- 27. Nuclear Safety Analysis Center / Institute of Nuclear Power Operations,
" Steam Voiding in the Reactor Coolant System During Decay Heat Removal Cooldown," Significant Event Report 91-81, October 26, 1981.
- 28. Florida Power Corporation Inter-office Correspondence - Operations Advisory from P. F. Mckee (Nuclear Operations Superintendent) to Licensed Operators, April 21, 1981.
- 29. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Circular No. 81-10: " Steam Voiding in the Reactor Coolant System During Decay Heat Removal Cooldown," July 2, 1981.*
- 30. D. R. Gallup, D. M. Kunsman, M. P. Bohn, Sandia National Laboratories,
- Potential Benefits Obtained by Requiring Safety-Grade Cold Shutdown Systems," USNRC Report NUREG/CR-4335, July 1985.**
- 31. Memorandum.from H. R. Denton, NRC to R. M. Bernero, "Senedule for Resolving and Completing Generic Issue No. 99--RCS/RHR Suction Line Interlocks on PWRs," August 13, 1985.*
- 32. Memorandum from H. L. Thompson, Jr. , NRC to H. R. Denton, " Maintenance and Surveillance Plan," August 2, 1984.*
- 33. U.S. Nuclear Regulatory Commission, " Clarification of TMI Action Plan Requirements," II.F.2 Instrumentation for Detection of Inadequate Core Cooling, (NUREG 0737), November 1980.**
Available in the NRC Public Document Room at 1717 H Street, N.W.,
Washington, D.C. 20555 for inspection and copying for a fee.
- Available for purchase from National Technical Information Service, Springfield, VA 22161.
- 46 l Appendix A -
Loss of Decay Heat Removal Systems at U.S. Pressurized Water Reactors During 1982 and l'983 Plant Date Docket # LER # Description of Event Ginna 04/12/83 50-244 83-015 Air binding of RHR pump (12 min. loss)
Ginna 05/01/83 50-244 83-017 Filling reactor refueling cavity - low RWST. Secured "A" RHR pump - Suction valve on operating "B" pump was closed.
(Durationofeventunknown)
Turkey Point 3 10/07/03 50-250 83-018 Flow restriction on component cooling water discharge valve on RHR neat exchanger.
(Duration of event unknown)
Turkey Point 3 10/08/83 50-250 83-019 Procedural error during 4 surveillance testing resulted in closure of suction / isolation valve (6 min. loss).
Salem 1 03/16/82 50-272 82-015 Vital bus tripped. Component cooling water and service water were lost. Redundant trains f
were out for maintenance.
(45 min. loss).
Surry 1 05/17/83 50-280 83-024 Inaccurate standpipe level indication - low RCS level, RHR pump cavitated.
of event unknown)(Duration Zion 1 03/17/82 50-295 82-011 Inadvertent (contractor person-nel) opening of inverter output breaker caused closure of the RHR pump suction valve. (3 min. loss)
Salem 2 05/14/83 50-311 83-024 RHR suction valve closed during (2 events) 05/15/83 operation. (Duration of events unknown)
The 05/14/83 event was triggered by a vital instrument bus which was de-energized for maintenance; the 05/15/83 event was triggered by a failed comparator.
L
Plant 'Date Docket # LER # Description of Event Salem 2 05/24/83 50-311 83-025 RHR pump trip caused by logic /
circuitry problem on the " safe-guards equipment control" (SEC) system. (Duration of event unknown)
Salem 2 06/23/83 50-311 83-031 Loss of RHR pump due to spurious actuation of the SEC system.
(Duration of event unknown)
Salem 2 06/23/83 50-311 83-032 Failed gasket in joint down-stream of check valve flooded the service water bay. Lost all service water, and thus cooling water to the RHR pumps, diesels, etc. (Duration of event unknown)
Salem 2 11/28/83 50-311 83-062 Vital bus transfer caused voltage spike which resulted in closure of suction / isolation valve. (Duration of event unknown)
Salem 2 12/20/83 50-311 83-066 Loss of vital bus - due to personnel error resulted in closure of suction / isolation valve (22 min. loss).
Rancho Seco 06/24/82 50-312 82-015 Simultaneous test and maintenance caused failure of bus, closure of the suction / isolation valve, and loss of DHR flow. (Duration of event unknown)
Calvert Cliffs 1 05/17/82 50-317 82-026 Spurious opening of breaker fran the operating DHR pump (2 min. loss).
Calvert Cliffs 1 10/12/83 50-317 83-061 Inadvertent isolation of shut-down cooling - caused by not deactivating isolation system when performing a hydro test on instrument sensing lines (30 min. loss).
e
-g-Plant Date Docket # LER # Description of Event Calvert Cliffs 2 11/22/82 50-318 82-053 Technician incorrectly de-energized a power supply panel; caused closure of a DHR return valve.
(4 min. loss).
Calvert Cliffs 2 11/24/82 50-318 82-054 DHR lost due to a failed poder supply. (Duration of event unknown).82-055 Vital inverter failed, caused Calvert Cliffs 2 12/28/82 50-318 an isolation of the DHR return line. (Duration of event unknown).
Calvert Cliffs 2 01/04/83 50-318 83-001 Inverter tripped during surveillance testing - caused isolation of the DHR return line. (15 min loss).
Calvert Cliffs 2 01/07/83 50-318 83-005 Test procedure error. Operating DHR purnp stopped due to test of recirculation actuation signal (9 min. loss).
Sequoyah 1 09/16/82 50-327 82-116 Power was removed to allow modification work on solid state protection system; RHR suction valve closed. (Duration of event unknown) 50-328 83-101 False RCS level indication by Sequoyah 2 08/06/83 makeshift tygon tube and rubber hose level instrument. RCS temperature rose from 103'F to 195'F in 77 min. Plant had been shut down 18 days earlier.
Beaver Valley 1 05/12/82 50-334 82-018 Failure to start RHR pump due to circuit breaker problem. RHR pump that had been operating was I- erroneously secured prior to attempt to startup idle pump.
(2 min. loss)
Beaver Valley 1 06/29/83 50-334 83-020 Construction worker made an error in making a design modifica-tion. De-energized bus feeding RHR pump - faulty procedures and communications between shifts (92 sec loss).
l i
Plant Date Docket # LER # Description of Event St. Lucie 1 03/29/83 50-335 83-021 Construction workers shorted a power supply causing closure of DHR suction / isolation valves (10 min. loss).
Millstone 2 01/06/82 336 82-002 Technician error during a pre-ventive maintenance test resulted in loss of a vital instrument panel, and autoclosure of the suction / isolation valves (7 min.
loss).
North Anna 1 10/19/82 50-338 82-067 RCS drained to below centerline (2 events) 10/20/82 of hot leg nozzles. RHR suction was lost because of low RCS level and incorrect level indication.
(10/19/82,36 min. loss; 10/20/82, 33 min. loss).
North Anna 1 01/22/83 50-338 83-003 Failed inverter, caused RHR suction / isolation -alve to close (4 min. loss).
North Anna 1 02/18/83 50-338 83-009 Both RHR pumps were cavitating.
Cause not determined (5 min.
loss).
North Anna 2 05/20/82 50-339 82-026 Lost suction to RHR pumps due (3 events) to draining of RCS and erroneous level indication (8 min., 26 min.,Ihr. losses).
North Anna 2 07/30/82 50-339 82-049 Lost suction to "A" RHR pump due to draining. Diagnosed as a pump problem. The "B" was then started and it also became airbound (46 min.
loss).
North Anna 2 04/14/83 50-339 83-023 Operator inadvertently opened a breaker, causing RHR suction /
isolation valve to close (<1 min.
loss).
North Anna 2 04/29/83 50-339 83-036 Loss of vital bus. RHR suction /
isolation valve closed. Caused by maintenance personnel con-ducting a test as loads were being transferred (<1 min, loss).
Plant Date Docket # LER # Description of Event North Anna 2 05/03/83 50-339 83-038 Inadequate monitoring of RCS level.
Loss of RHR pump suction. (Duration of event unknown)
Farley 2 09/28/83 50-364 83-042 Operating RHR pump failed while redundant pump was secured.
(Duration of event unknown)
McGuire 1 03/02/82 50-369 82-024 Low RCS level due to vessel draining and inaccurate level indication. Operating RHR pump started to cavitate, the other pump was undergoing main-tenance. (Event lasted 50 min. -
a licensee analysis indicated that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> were available prior to the onset of boiling.)
McGuire 1 06/24/82 50-369 82-053 Inverter failure caused closure of suction / isolation valve (6 min. loss)
McGuire 1 04/05/83 50-369 83-017 Low RCS level due to vessel draining and valved out level sensor. Both RHR pumps cavitated. (Duration of event unknown)
McGuire 2 12/31/83 50-370 83-092 Low RCS level due to draining and inadequat.1 level indication.
Running RHR pump had no flow (43 min. loss).
Summer 11/12/84 50-395 83-136 Bus transfer during plant modifi-cation caused an interruption of power to an ESF instrumentation bus. An erroneous overpressuriza-tion signal resulted causing suction / isolation valve closure, and interruption of DHR flow-(5 min. loss).
E
?
Appendix B Selected Loss of Decay Heat Removal System Events at U.S Pressur,ized Water Reactors During 1984 Plant Date Docket # LER # Description of Events Zion 1 09/14/84 50-295 84-031 While draining the RCS in preparation for primary -
secondary leak testing, the RCS level dropped below the DHR suction line. The liquid level was being read from a manometer type arrangement.
Incorrect level measurement resulted from the fact that '
, the mananeter reference leg was pressurized by nitrogen purge gas. RCS temperature
- increased from 110'F to 147'F (45 min. loss),
i Salem 2 02/09/84 50-311 84-002 While testing the pressurizer overpressure protection system a procedural error resulted in automatic closure of a suction /
j isolation valve (17 min. loss).
D.C. Cook 2 05/21/84 50-316 84-014 Procedural error with a partial-ly drained RCS, Simultaneous cperation of two DHR pumps cau:c1 vortexing at the loop suction. Both pumps became airbound (25 min. loss).
North Anna 2 10/16/84 50-339 84-008 Clogging of a standpipe used for RCS level monitoring resulted in a 64" error. Upon introduction of air, the operating pump cavitated.
The redundant pump was started and it also cavitated. Both pumps became airbound (2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> loss).
-s
Plant Date Docket # LER # Description of Event Trojan 05/04/84 50-344 84-010 During RCS draindown faulty level measurement led to air binding of the RHR pump.
The RCS was vented to atmosphere.
A tygon manometer configuration was being used to measure RCS level, however, " crud blockage" of the manometer tap led to erroneous level measurement.
RCS temperature went from 105'F to 201*F (40 min. loss).
ANO-2 08/29/84 50-368 84-023 During RCS draindown, faulty level instrumentation led to air binding of the DHR pump. A tygon manometer config-uration was being used -
however, the operators did not account for reactor vessel pressurization due to the presence of nitrogen purge gas.
RCS temperature went from 140'F to 205'F (Approx. 35 min. loss)
McGuire 2 01/09/84 50-370 84-001 During draining operations, a procedural deficiency led to inadequate NPSH/ air entrainment of the DHR pumps (1 hr. 2 min.
loss).
McGuire 2 01/15/84 50-370 84-002 Personnel error during testing.
Re-energizing power to the breakers for the suction /
isolation valves caused automatic closure of the suction / isolation valves. Valves were opened manually (49 min loss).
Summer 10/18/84 50-395 IE 1 DHR loop was out for surveil-Daily lance testing. An inverter Report failure caused closure of the operating loop's suction isolation valve. (25 min. loss).
Danmer 11/06/84 50-395 IE A procedural error in testing Daily relays on the bus supplying the Report DHR pump caused the bus to strip.
The associated diesel was out for maintenance (7 min. loss).
Appendix C Decay Heat Rem) val System Losses at Davis-Besse Some of the most striking data on DHR losses comes from a review of the Davis-Besse plant's op'. rating experience. From 1978 - 1981, the Davis-Besse plant accrued the larre.st number of reported DHR losses of any PWR: 16 events.* Seven of those events involved automatic closure of the suction /-
isolation valves. There had been seven previous closures of the suction /-
isolation valves during plant startup and testing; however, those seven events are not included in the tally of 16. Subsequent to 1981, there have been no DHR losses at the Davis-Besse plant. A detailed review of that plant's experience is quite enlightening.
Table C1 presents a listing of DHR suction / isolation valve events which have taken place at the Davis-Besse plant. Table C2 presents descrip-tions of all loss-of-DHR events wnich occurred at the Davis-Besse plant from startup testing through 1983.
Most of the inadvertent closures of the suction / isolation valves were due to human factors (operator errors, incorrect procedures, lack of procedures, etc.) and resultant failures of power supplies to the safety features actuation system (SFAS) channels. Most of the events which occurred sub-sequent to power operation were of short duration (four lasted four minutes or less and one lasted 18 minutes). Recovery from most of those events required only clearing the perturbing signals and reopening the isclation valves. There were two events which lasted much longer:
o On April 19,1980, a 2i-hour loss-of-DHR event was initiated by a failure of an instrument bus, which eventually resulted in the closing of the suction / isolation valves. Restoration of the DhR system was impeded by air binding of the DHR pump. The licensee's lack of procedures for restoring the air bound pump and the extensive modification and maintenance activities that were being conducted at the time contributed to tha*. event.
o That event was reported to Congress as an Abnormal Occurrence (Ref.16).
The abnormal occurrence determination was made on the basis that the event represented a " serious deficiency in management or procedural controls in major areas."
o On July 24,1980, a 50-minute loss-of-DHR event occurred as a result of suction / isolation valve closure. That event is of considerable interest because restoration of the DHR system was accomplished by using the suction bypass line to establish a flow path for the DHR system.
- The 16 loss-of-DHR events were complete losses of the DHR system function when the DHR system was required to remove decay neat.
x s After the 14th inadvertent suction / isolation valve closure event, the NRC approved an amendment to Davis-Besse's technical specifications allowing removal of power from the DHR suction /isoletion valves during plant shutdow1.
(To preclude returning the plant to power with the DHR suction / isolation valves open, the pressurizer heaters are interlocked with the DHR suction /
isolation valves. The pressurizer heaWs cannot be activated above the setpoint of the DHR relief valve if both of'the DHR isolation valves are open. The pressur,1zer, heaters are also interlocked so that if only one DHR isolation valve it closed, the heaters will shut off at a pressure below the DHR system design pressure.)
Subsequent to the implementation of the aforementioned technical specifica-tion amendment, the Davis-Besse plant has not experienced any further inadvertent DHR suction / isolation valve closures. It appears that the Davis-Besse plant's solution to the spurious DHR suction / isolation valve closure problems which have led to 'many loss of DHR system events has been effective. Furthermore, we note that assa: result of the April 19, 1980 event (21-hour DHR system loss), the li.censee took action to modify operating and emergency procedures to minimize the possibility of a recurrence.
Additional guidance was given to the plant staff on how to recover from loss-of-DHR events, including the venting of DHR pumps, and the implementation of backup cooling sources. Steps were also taken to improve administrative controls during shutdown. .
NRR's June 11, 1980 generic letter on DHR (Ref. 24) requested all PWRs to
- amend their technical specifications to provide for redundancy in DHR
- capacity. In response to NRR's generic letter on DHR, the Davis-Besse plant submitted an amendment to their technical specifications, indicating that an operable ssystem will always be kept in a standby state during modes 3-6 in order to assuct continuous DHR in the '
event that the operatingNeat removal system shouTd fail. / -
Subsequent to implementing the aforementioned %prpvements in DHR system
. operation, there have been no similar losses of the DHR system at tie Davis-Besse plant. It appears that the corrective actions that were ti. ken at the Davis-Besse plant have resulted in a s;Jostant'ial improvement in DhR System operation.
N
, 't
\
1% _ . . , . _ - - --, - - ._ - . .
4 L.
- 55 t, s Table C 1. DHR Suction / Isolation Valve Closure Eveats at s--
Davis-Besse Causing a Loss of the DHR Systen A
s Event Date ~ LER # Duration of DHR System Loss May 14, 1977 77-006 Not stated - during plant startup and testing May 14,1977 77-007 7 Not stated - during plant startup and testing May 27,1977 77-002 Not stated - during plant startup and testing May 28,1977 77-003 Not stated - during plant startup and testing June 12, 1977 77-005 Not stated - during plant startup and testing July 22,1977 /7-009 Not stated - during plant startup and testing June 28, 1979 79-067 18 minutes April 19, 1980 80-029 2) hours May 28,1980 80-043 2 minutes July 24,1980 80-058 50 minutes August 8, 1983 80-058 3 minutes August 13, 1980 80-060 5 minutes O
J l- ,
Table C 2. Losses of the DHR System at Davis-Besse LER # Date Description of Event 77-006 May 14,1977 During plant startup and testing, an I&C mechanic caused a short, thereby tripping an SFAS and an RPS channel. While trying to replace the blown fuse, an operator de-energized the wrong SFAS and RPS channels, thereby causing SFAS actuation, closing the DHR isolation valves. (Duration of event unknown)77-007 May 19,1977 During plant startup and testing, operator error caused a loss of essential power to an SFAS channel.
An error in restoring the power resulted in de-energizing another SFAS channel. SFAS actuation resulted, causing the DHR isolation valves to close.
(Duration of event unknown)77-002 May 27,1977 During plant startup and testing, while replacing a cover on a junction box containing an SFAS channel, a loose output lead shorted, resulting in closure of a DH2 isolation valve. (Durationof event unknown)77-003 May 28,1977 During plant startup and testing, a procedural error in recalibrating RCS pressure bistables on an SFAS channel resulted in closure of a DHR isolation valve. (Duration of event unknown)77-005 June 12,1977 During plant startup and testing, operators did not follow their procedures for SFAS monthly tests. As a result, a DHR isolation valve closed.
(Duration of event unknown)77-009 July 22,1977 Durir.g plant startup and testing, while inspecting (2 events) for loose electrical insulation, an I&C mechanic caused a current surge, which resulted in closing a DHR isolation valve. About 15 minutes later, after restoring the DHR flow, he caused another (identical) event which resulted in DHR isolation valve closure. (Duration of event unknown)78-060 May 28,1978 DHR flow was lost for about 2 minutes. An operator accidentally bumped a control switch de-energizing the bus supply power to the DHR pump.
Table C 2. (Continued)
LER# Date Description of Event 78-067 June 15,1978 Three loss of DHR events lasting a total of about (3 events) 2 minutes. Power was interrupted to the operating DHR pump. The other pump was inoperable at the time. Maintenance personnel accidentally bumped a relay tripping the operating DHR pump. An operator made two errors while trying to transfer power to an essential bus (resulting in two other power interruptions to the pump).79-067 June 28,1979 18-minute loss of DHR. During surveillance test-ing, a slipped alligator clip caused a short circuit and failure of power supply to an SFAS channel. As a result, DHR suction valve closed.80-030 April 18,1980 29-minute loss of DHR. Leakage of RCS water through a partially closed valve resulted in inadequate DHR pump NPSH and erratic pump flow operation. The pump was secured until the leak was stopped and RCS level restored. During the event, RCS temperature rose from 93*F to 103*F.80-029 April 19,1980 21-hour loss of DHR. Vibration from construction work actuated a ground fault relay. Due to an abnormal electrical lineup associated with outage activities, loss of power resulted in SFAS actu-ation. Control power to the DHR suction valves was lost, causing the suction valves to close. The SFAS actuation transferred the DHR pump suction to the BWST and then to the empty sump. The pump became airbound. RCS temperature increased from 90 F to 170'F while the vessel head was detensioned (140 F is the maximum temperature allowed while the vessel head is detensioned).80-043 May 28,1980 2-minute loss of DHR due to an inadvertent closure of a DHR isolation valve. An I&C mechanic was checking out a plant modification. Due to a test procedure inadequacy, the isolation valve interlock circuit was actuated, and the valve closed.80-044 May 31,1980 8-minute loss of DHR flow. The operating DHR pump was secured by a control room operator.
(An I&C mechanic took a DHR flow meter out of service to perform surveillance testing. Control room personnel were unaware of this. Upon seeing that the DHR system flow had dropped offscale, a control room operator stopped the pump.)
Table C 2. (Continued)
LER# Date Description 80-049 June 14,1980 DHR pump flow loss for about 2 minutes.
Inadvertent SFAS actuation caused DHR pump realignment to the BWST and BWST isolation. An I&C mechanic was restoring containment pressure inputs to SFAS following an Integrated Leak Rate Test. Because of a procedural inadequacy, SFAS was actuated and the DHR pump was realigned to deliver BWST water to the RCS and the refueling canal. When BWST level dropped to the low level limit, SFAS level 5 actuation took place closing the BWST isolation valve causing a loss of suction to the DHR pump.80-058 July 24,1980 DHR~ flow was lost for 50 minutes because of an automatic closure of an isolation valve. An electrician blew a fuse while conducting wire pulling operations associated with a plant design change. As a result of the blown fuse, an automatic closure of one of the DHR isolation valves took place, and the pump became air-bound.
The DHR flow path was restored by opening the maaual bypass valves. During the event, the hottest in-core thermocouple temperature rose from 104*F to 111*F.80-058 July 24,1980 DHR flow was lost for about 2 minutes due to an-inadvertent closure of one of. the DHR isolation valves. Subsequent to making a plant modifica-tion, an I&C mechanic performed restoration work out of sequence. As a result, one of the isola-tion valves closed.80-058 August 8,1980 DHR flow was lost for about 3 minutes due to an inadvertent closure of one of the DHR isolation valves. Valve closure occurred during maintenance when a bistable in the valve circuit was removed due to a procedural error.80-060 August 13, 1980 DHR flow was lost for about 5 minutes due to an inadvertent closure of one of the DHR isolation valves. Valve closure occurred during SFAS channel modification work. The I&C mechanic failed to fully defeat the automatic isolation valve trip prior to performing SFAS channel modification work.
Table C 2. (Continued)
LER# Date Description 81-004 January 7,1981 DHR pump failed to start due to a breaker problem. Electricians were able to restart the pump af ter a 15 minute delay.81-024 April 18,1981 2-minute loss of DHR flow. In response to "two burning potential devices" on a bus, the bus was isolated. An error was made in the sequence of transferring power and isolating the bus. Power was lost to the operating DHR pump.
V I
. . . _ _ _ _ _ . _ _ _ . _ _ , . . , . ._. .