ML20138F111
Text
d August 6, 1996 g
i NEMORANDLM T0: Jon R. Johnson, Acting Director Division of Reactor Projects l.
Region II 1
l FROM:
Frederick J. Hebdon, Director
/s/
Project Directorate II-3 Division of Reactor Projects I/II j
Office of Nuclear Reactor Regulation f
SU8 JECT:
TECHNICAL ASSISTANCE REQUEST (TIA 95-013)'IN ADDRESSING ISSUES i-RELATING TO THE ADEQUACY OF A 50.59 EVALUATION AT ST. LUCIE i
UNIT 2 (TAC NO. N93372) f i
l In a memorandum dated August 28, 1995, NRR assistance was requested in i
evaluating the acceptability of a 50.59 evaluation supporting isolation of a diesel generator fuel oil transfer system leak at St. Lucie Unit 2.
In addition, several generic questions concerning the relationship between h
Probabilistic Risk Assessment (PRA) evaluations and 10 CFR 50.59 requirements i
were presented for NRR response.
The Probabilistic Safety Assessment Branch, NRR, has completed its review of i
these issues. A discussion of these issues and NRA's. response to your questions is contained in the attached memorandum dated July 30, 1996. The positions stated in the attachment have been reviewed by the Office of the j
General Counsel and they have no legal objection to these positions.
i l
Docket No.: 50-389 i
Attachment:
As Stated cc w/ attachment:
R. Cooper, RI W. Axelson, RIII l
J. Dyer, RIV
Contact:
L. Wiens, NRR\\PDII-3 l
415-1495 i
.v St. Lucie Rdg. SVarga i
JRoe JZwolinski JFlack, SPSB i
AChaffee Klandis, RII DOCUMENT NAME: G:\\STLUCIE\\TIAI3.RES To receive a copy of this document, indicate in the box:
"C" - Copy without
\\/ Q attachment / enclosure "E" = Copy with attachment / enclosure "N" = No copy K L
OfflCE PDiles/LA
,a ID POII*3/ Pet f
lF P0ll*3/D 1) lQ l
u4fg OClerten
/W LWiens /W fuetuten W DATE 08/(m/96 OS/f/96" 08/ 6 /96
.,, - uo C.P.
,3 m Oh'/ 3 Ocl NPaC IRE CEliHI COPY
July 30. 1996 i
MEMORAMUM T0:
Frederick Hebdon, Director
/.
Project Ofrectorate I!-3 Division of Reactor Projects I/II FRON:
Essard J. Butcher. Chief Probabilistic Safety Assessment Branch Division of Systems Safety and Analysis
SUBJECT:
RESPONSE TO REQUEST FOR ASSISTANCE IN ADDRESSING ISSUES REGARDING ST. LUCIE EMERGENCY DIESEL GENERATOR FUEL OIL TRANSFER SYSTEM LEAK ISOLATION A W USING OPERATOR ACTION IN PtACE Of AUTOMATIC ACTION (TIA 95-013)
Plant Name:
St. Lucie Unit 2 Utility:
Florida Power & Light Co.
Docket No.:
5 & 389 TAC No.:
NB1372-Project Manager: Leonard A. Wiens Review Branch:
SPS8 Review Status:
Complete The attachment to tMs memorandur is our response to TIA 95-013.
It contains our responses to the specific questions raised by Region II regarding the 10 CFR 50.59 FPL Safety Evaluation (JPN-PSL-SENS-95-013), and the application of PRA methodology and related issues. If you have any questions regarding our respasse to the TIA request or regarding the licensee's PRA assessment which was included in the TIA, please contact John Schiffgens at 415-1074 (E-mail: JOS), or John Flack at 415-1094 (E-mail JHF).
In addition, we are in the process of developing a formal position on the use of PRA in the 10 CFR 50.59 process which will be sent to you in a separate memorandum.
Attachment:
As stated DISTRIBUTION Decket File SPSB Flie LWiens
- SEE PREVIOUS CONCURRENCES.
DOCUMENT NA n
E: G:\\STL.UCI.E0 TIA
.. c.e r.e.
r.
0FFICE SPSS:DSSA lE SPS8:DSSA
[E SPSB:DSSA lE SPSB:DSSA lE 00SSA
[E NAME
$Rosenberg*
JSchiffgens*
JFlack*
EButcher*
GHolahan*
OATE 5/29/06
$/29/96 5/29/96 5/31/96 6/11/96
( MI
/
OFFICE PEC4AtPM lE OGC/vm I E
/
l l
NAME 0Matthews AM F AAfs4 f_ /
DATE (f /.1[/96 1/1 $96 /V I
/ /96
/ /96 0FFIffAL RECORD COPY f/ ATTACMIENT 9 0 ' P O I O 9 O O e//6
f p
\\
UNffEOSTATES g
g N,UCLEAR REEUI.ATCRY CCMMISSION waseaworon. o.o. -
\\,,,,,
July 30, 1996 MDIDRAlOM TO:
Frederick Hebdon Director Project Directorate 11-3 Division of Reactor Projects I/II FRON:
Edward J. Butcher, Chief Probabilistic Safety Assessment Branch Division of Systems safety and Analysis
SUBJECT:
RESPONSE To REQUEST FOR ASSISTANCE IN A00RESSING ISSUES REGARDING ST. LUCIE ENERGENCY DIESEL GENERATOR FUEL 0!L TRANSFER S'ISTEM LEAK ISOLATION A N USING OPERATOR ACTION IN PLACE OF AUT0NATIC ACTION (TIA 95-013)
Plant Name:
St. Lucie Unit 2 Utility:
Florida Power & Light Co.
Docket No.:
50-389.
TAC No.:
M93372 Project Manager: Leonard A. Wiens Review Branch:
SPS8 Review Status:
Complete The attachment to this memorandum is our response to TIA 95-013.
It contains our responses to the specific questions raised by Region II regarding the 10 CFA'50.59 IPL Safety Evaluation (JPN-PSL-SENS-95-013), and the application of PRA methodology and related issues.
If you have any questions regarding our response to the TIA request or regarding the licensee's PRA assessment which was included in the TIA, please contact John Schiffgens at 415-1074 (E-mati: JOS), or John Flack at 415-1094 (E-mail JHF).
In addition, we are in the process of developing a formal position on the use of PRA in tho 10 CFR 50.59 process which will be sent to you in a separate memorandum.
Attachment:
As stated 1
l O!p (? g ()r h = ($ h ff
Y 6Lifdll ElilllW11 1.
Is the attached 10 CFR 50.59 FPL Safety Evaluation (JPN-PSL-SDis-95-013) considered acceptablef Ilo. The attached 10 CFR 50.59 FPL Safety Evaluation is not considered acceptable.
The 50.59 evaluation prepared by FPL for St. Lucie is not acceptable because it involves an unreviewed safety question. An unreviewed safety question exists because the proposed change introduces e new procedure and associated malfunction of a different type (operei,er error) and involves an increased probability of the malfunction of equipment important to safety (mechanical valva failure to open). Specifically, the 28 EDG fuel oil tsolation valve, which is a manual valve, is normally in a '0CKED OPDI position and requires no change-of-state for EDG operation. The proposed change involves operating with this valve in the closed position and opening it manually as needed. With the valve in the closed position, two new failure modes exist for the fuel oil supply system: failure of the operator to open the fuel oil manual isolation valve, and mechanical failure of the valve to open. One failure mode results in a malfunction of a different type, introducing operator error where no operator action was required before. The other increases the probability of malfunction of the valve, since the probability of failure to open is greater than zero, where it was zero before. Both increase the probability of malfunction of the 2SEDG.
In the evaluation, JPfl-PSL-Sells-95-013, Rev. O, page 8. FPL laproperly answered the question *Does the proposed activity 'ncrease the probability of occurrence of a malfunction of equipment important to safety previously evaluated in the SARf" by stating that "the compensatory actions assure the reliability of the EDG fuel oil supply."
In general, the introduction of compensatory measures suggests that there is an unreviewed safety question for which compensation is needed, hence, a 50.90 submittal should be prepared by the licensee and evaluated by the staff to detemine whether the compensation is adequata. Frequently, however, licensees refer to risk reducing features that are an integral part of the change as compensatory maasures. For example, introducing operator instructions for a newly instituted manual operation should not be considered a compensatory action nor should new administrative controls intended to assure sufficient time to perform the action. Although NRC Inspection Manual, "Part g900:
10 CFR Guidance," provides some 1 mited guidance on compensatory actions, the staff is in the process of better defining what constitutes appropriate us; of compensatory measures in 10 CFR 50.59 saferty evaluations.
In this case, the change consists of the licensee introducing a procedure and operating restrictions to replace an automatic ' supply on demand
- condition. The ' compensatory" actions were intended to make the procedure as reliable as the original configuration, however, they did not.
f
L
?.
I N licensee also stated that "the failure of the EDG fuel all isolation valve is possible* and provided a quantitative assessment.
Its 10 CFR 50.59 evaluation quantified the change in frequency of the loss of the B side electrical bus in conjunction with a i.00p initiating event. The result obtained was a 65 increase in the frequency per year 5
of the loss of the 283 4.16kV bus in conjunction with a LOOP. The report does not provide sufficient detail on model and assumptions to s
evaluate W Ilcensee's analysis.
It should be r.cted that for an appropriate analysis (i.e., one intended to demonstrate compliance with the previsions of 10 CFR 50.5g), the change should have been assessed in terns of W probability of malfunction of equipment gg the probability of occurrence or the consequences of an accident.
In this case the licensee should have explicitly evaluated the probabl11ty of malfunction of the B EDG.
2.
Free a PRA perspective, is it possible to completely mitigate a risk, once introduced?
Yes. Not only cas an introduced risk be mitigated, f.e., reduced, it can have a positive safety impact, i.e., the risk can be made lower than it was originally.
It is often a matter of economic balance; how much will it cost to reduce W risk.
It is frequently possible te put in place equipment, change egulpment configurations, and/or change procedures so as to effectively and sat'sfactorily mitigate r'sk (e.g.,
to mitigate W increase in risk associated with an increase in the probdility of equipment malfunction or accident initiation) in a cost effective manner when the introduced risk is fully understood. This is significant with regard to 50.g0 submittals.
10 CFR 50.5g evaluations are concerned with < dentifying unreviewed safety questions, i.e., with deciding whether a proposed change (a) may increase the probability of occurrence or the consequences of an accident or malfunction of equipment important to safety previously evaluated, (b) may crea$a a possibility for an accident or malfunction of a different type than any evaluated previously, or (c) II&d;ta a margin of safety as defined in the basis for any technical specification. That is. 10 CFA 50.5g la concerned with whether there may be a decrease in safety not with how
- arne* it may be.
3.
Is the licensee's position (that the risk of operator failure / error can be mitigated, probabilistically, through W i m, and training) valid?
Yes. Operator failure probabilities can be reduced through the use of improved procedures, proper training, inc m ud knowledge, etc.
However, it should be noted that although the probability of human error can be reduced or mitigated through procedures and training, it cannot be reduced to zero.
It should also be noted that for a given task, hardware is usually more reliable than human action, and the uncertainty associated with quantifying human action is usually greater than the uncertainty associated with hardware rel', ability. For example, if an automatic
J-.
harthstre action is substituted with a human action, the point estimates of the failure probabilities for the human performance are ponerally greater than for the hardware performance and W re is essa ly more uncertainty associated with W human error probability than there is with the hardware failure probability.
De probabilfstic estimattens of operater error rates presuppose the l
existence of precedures and training and 1f so, can ene then take credit for them in a deterstatstic mittgetten of risk?
In human reliability analysis (HRA), performance shaping facters (p5Fs) modify human error probabilities by accounting for the lupact of various facters en operater actions. p5Fs include procedures and training among e h r facters such as stress, environmental conditions, etc. Neuever, analysts will sometimes use " screening" values for homen error rates.
These screening values are usually bounding
- guesses
- and may not include performance shaping factor aspects.
late W r er not credit can be taken for the existence of precedures and training in a " deterministic mitigation of risk," is outside the pervleu of PRA. If by " deterministic mitigation of risk
- is meant " evaluation of W mitigation of risk using techniques other than probabilistic,"
one should be able to take credit for precedures and training in assigning an ' effectiveness measure
- to operator actions. N difficulty would brs in devising a " measure" and applying it systematically la a deterministic franework.
i 4.
Can 10 CFR 50.5g requirements (that the probability of failure of j
components important to safety not be increased if no unrovisued safety guestlan is deemed to exist) be satisfled 1f new fatlure mechantses are l
added to a prevleusly revleued system?
A proposed change, test, or experiment (CTE) can not be made under the provisions of 50.5g if it involves an unrevleued safety question. The stated change, resulting in the introduction of a new failure mechanism (e.g., replacing a manual valve with an MOV), would involve an unrevleued safety guestion, because it may result in a malfunction (of equipment toportant to safety) of a different type than any evaluated previously in W safety analysis report.
In addition, a change uhtch introduces a new failure mechanism, may increase W probability of malfunction of equipment (e.g., a train or system) important to safety previously evaluated, and thereby also constitute an unreviewed safety guestion.
5.
ptA insights are beginning to provide a more structured evalustian process for proposes changes to factittles and, as a result, are showing that changes (in a 10 CFR 50.lg context) present finite, although sen11, increases in the probabilities of fattures.
Is there a threshe'd value
-,.m,_.-
_ ~.,
nl,-
l i ;
-4 of increased probability (representing *nenligible' or *insimtficant" increases) below dich 10 CFR 50.5g criter' a (for demonstrat' ng that unrovisued safety questions de not exist) are satisfied?
No. According to the rule, the proposed CTE must not, nor have a credible potential to, result in a finite increase in W probability of failurs in order for it to be implemented under W provisions of 10 CFR 50.59.
4.
The response to a related TIA from Region II, transmitted via letter i
free you to Ehard troerusen dated June 13, 1993, stated in part that j
- IER has ne particular ehjection to the use of PRA in 10 CFR 50.59 evaluations but receemands that it play a supportive role in conjunction with other inputs, such as engineering judgement and operating l
experience." In the given case at St. Lucts, een PBA ins 1 Wits provide Informatten counter te (as opposed to supportive to) the 10 CFR 50.59 i
conclusions, is it appropriate to accept deterministic conclusions ever j
the PRA-indicated 1,ncrease in probabilities of failure?
i In general, when W re are differences in conclusions based on l
detersinistic considerations compared to those based on probabil'stic i
consi k itions, the solution is agi to simply accept one ever the other but to determine the reason for the differences. Fundamentally, such i
analyses, if done properly, should complement each other, the latter being an extension of the former.
In this regard, it shoold be kept in mind that engineering judgement about components and systems is lacorporated in PRA models, as is operating experience and associated data. The inputs to different assessments need to be consistent if the I
outputs or tesults are to be consistent. Frequently, differences can be reconclied by identifying and evaluating assumptions incorporated in the
{
assessments.
l i
s o
i
- - - -