ML20140H307

Probabilistic Safety Study Applications Program for Inspection of Indian Point Unit 3 Nuclear Power Plant
ML20140H307
Person / Time
Site: Indian Point
Issue date: 03/31/1986
From: Fresco A, Fullwood R, Taylor J
BROOKHAVEN NATIONAL LABORATORY
To:
NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION I)
References
CON-FIN-A-3453 BNL-NUREG-51973, NUREG-CR-4565, NUDOCS 8604040089


Text

NUREG/CR-4565
BNL-NUREG-51973

Probabilistic Safety Study Applications Program for Inspection of the Indian Point Unit 3 Nuclear Power Plant

Prepared by J. H. Taylor, R. Fullwood, A. Fresco
Brookhaven National Laboratory

Probabilistic Safety Study Applications Program for Inspection of the Indian Point Unit 3 Nuclear Power Plant

Manuscript Completed: January 1986
Date Published: March 1986

Prepared by J. H. Taylor, R. Fullwood, A. Fresco
Brookhaven National Laboratory
Upton, NY 11973

Prepared for
Region I
Division of Reactor Projects
U.S. Nuclear Regulatory Commission
King of Prussia, PA 19406
NRC FIN A3453

NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

ABSTRACT

By prioritizing the various areas of interest for inspection and by better defining inspection needs, the NRC expects to make more effective use of finite inspection resources by concentrating on those potential areas most significant to safety. Through review and application of the Indian Point Unit 3 Probabilistic Safety Study numerical data and event tree modeling, and by utilizing related documents, a technical basis for prioritizing areas for NRC inspection has been developed. This was then tested at the plant site for the NRC Operating Reactor Inspection Program, I&E Manual Chapter 2515.

Inspection activities addressed include normal operations, system and component testing, maintenance and surveillance. A computer program entitled NSPKTR, which was developed specifically for this program, modeled the internal plant states to the system level and performed the risk and importance calculations.

CONTENTS

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
ACKNOWLEDGEMENTS
EXECUTIVE SUMMARY

1. INTRODUCTION
2. I&E CHAPTER 2515
   2.1 Outline of Chapter
   2.2 Review/Analysis
       2.2.1 Regional vs. Resident Inspection
       2.2.2 Special Emphasis Procedures
       2.2.3 System Based Procedures
       2.2.4 SALP
       2.2.5 Survey Results
3. PRA APPLICATIONS
   3.1 IPPSS Summary
   3.2 NSPKTR
   3.3 Importance Measures
       3.3.1 Birnbaum Importance
       3.3.2 Inspection Importance
       3.3.3 Vesely-Fussell Importance
       3.3.4 Risk Achievement Worth Ratio
       3.3.5 Risk Achievement Worth Increment
       3.3.6 Risk Reduction Worth Ratio
       3.3.7 Risk Reduction Worth Increment
       3.3.8 HS j
       3.3.9 Relationships Between the Importance Measures and Basic Results
   3.4 Summary of Results
       3.4.1 Selecting Importance Measures
       3.4.2 Importance Measures for Components
       3.4.3 External Events
       3.4.4 Support Systems
   3.5 Systems Prioritization
4. SUMMARY OF INSPECTIONS
   4.1 Inspection Preparation
   4.2 System Inspection Summary
       4.2.1 Service Water System
       4.2.2 Reactor Protection System
       4.2.3 Safeguards Actuation System
5. RECOMMENDED CHAPTER 2515 CHANGES
6. REFERENCES

FIGURES

Figure No.
3.1 Structuring of Scenarios - Relationship of Pinch Points

TABLES

Table No.
2.1 Minimum Program
2.2 Basic Program
2.3 Resident Inspector's Procedures
2.4 Regional Inspector's Procedures
3.1 Important Measure Relationships
3.2 Shifts in Importance According to Measures Used
3.3 Birnbaum Ranking of Aggregated IP3 Event Tree System
3.4 Health Effects-Inspection Importance Ranking of Aggregated IP3 Event Tree Systems
3.5 Health Effects Inspection Importance of Component Types by System
3.6 Birnbaum Importance Ranking for IP3 Accident Initiators
3.7 Inspection Importance Ranking With Health Effects for IP-3 Accident Initiators (1 Fatality)
3.8 Service Water Supports
3.9 Component Cooling Supports
3.10 Indian Point 3 System Prioritized by Inspection Importance Including Health Effects
4.1 Indian Point Unit 3 Probabilistic Safety Study - Based Inspection Major Failure Modes, Inspection Areas and Findings - Service Water System
4.2 Reactor Protection System
4.3 Safeguards Actuation System
5.1 Indian Point 3 Systems Prioritized by Inspection Importance Including Health Effects
5.2 Indian Point Unit 3 Probabilistic Safety Study-Based Inspection Plan - Service Water System - Failure Mode Identification
5.3 I&E Inspection Procedures for System Operation
5.4 Modified System Walkdown
5.5 Indian Point Unit 3 Probabilistic Safety Study-Based Inspection Plan - Reactor Protection System Failure Mode Identification
5.6 I&E Inspection Procedures for RPS
5.7 Modified System Walkdown
5.8 Failure Mode Identification
5.9 I&E Inspection Procedures for SAS
5.10 Safeguards Actuation System - System Walkdown

ACKNOWLEDGEMENTS

The authors wish to thank their colleagues A. Fresco, A. Coppola, W. Gunther, and J. Carbonaro for their valuable assistance in performing the on-site system inspections of the Service Water, Reactor Protection, and Safeguards Actuation Systems and also in preparing the system appendices (inspection plans). Our appreciation is also extended to J. Higgins who provided overall guidance and to J. Usher who implemented the calculation of the system importances which formed the basis for the system prioritization. The valuable assistance from both B. Hillman, NRC Region I, and P. Koltay, NRC Senior Resident Inspector, significantly contributed to the realization of the objectives of this program.

Finally, we wish to thank our secretaries Jean Ramirez, Ann Fort and Sheree Flippen for their excellent typing skills.

EXECUTIVE SUMMARY

PRA based inspection guidance was prepared based on a review of the Indian Point Probabilistic Safety Study (IPPSS) and familiarization with NRC inspection procedures.

An interactive IBM-PC program was developed which calculated risk and importances for the affected plant systems. The Indian Point No. 3 plant systems were prioritized using selected importance measures. Additionally, the risk significant components in each system were identified. This information, coupled with a knowledge of NRC inspection procedures and previous inspection experience, enabled the preparation of inspection plans based on PRA guidance.

The developed methodology was tested on a trial basis at the plant site by performing inspections of the following systems: Service Water, Reactor Protection, and Safeguards Actuation. Inspection activities addressed normal operations, system and component testing, maintenance and surveillance. The inspections were considered successful by all involved: the NRC, the Licensee and BNL. The primary reasons for success were twofold: 1) the systems focus, which enabled the assessment of a system's "health" and 2) the emphasis on significant risk contributors, which allowed more inspection time to be spent on those components most important to plant safety.

As a result of this effort it was concluded that inspections planned and conducted using PRA guidance can be productive and provide a different insight into plant activities.

The developed methodology is being used to prepare plant specific sets of system appendices which would provide guidance for inspection efforts. The appendices would be comprised of the following for each system: a table of dominant failure modes which identifies the dominant contribution to system risk, a table which identifies those NRC inspection procedures which can be used to review those components or actions identified in the first table, and a modified system walkdown list which identifies the key components from a risk point of view which should be reviewed.

1. INTRODUCTION

By prioritizing the various areas of possible interest for inspection and by better defining inspection needs, the NRC expects to make more effective use of finite inspection resources by concentrating on those areas most significant to safety. Through careful review and application of the Indian Point Unit 3 Probabilistic Safety Study numerical data and event tree modeling and use of generic topical documents (2-6), a technical basis for prioritizing areas for NRC inspection has been developed and tested. Inspection activities addressed include normal operations, system and components testing, maintenance and surveillance.

Specifically, the objective of this study is to develop and test a prioritization scheme for the NRC Operating Reactor Inspection Program, I&E Manual Chapter 2515 (7) by investigating the feasibility of adapting PRA results for use in this inspection program. Information developed in this assessment can help in making decisions for the allocation of resources for safety related maintenance and improvements by directing attention to the failure modes that dominate plant risk. In addition, components that are major contributors to the dominant accident sequences will be identified.

This report documents the work performed for Task I of the "PRA Applications Program for Inspection at Indian Point 3" (FIN A-3453), which consists of the following: 1) a review and analysis of Chapter 2515, 2) a determination by interviews, of the current prioritization scheme(s), 3) development of a preliminary prioritization scheme using the Indian Point 3 PSS and other available data, and 4) identification of potential changes to Chapter 2515 based on items 1, 2, and 3.

2. I&E MANUAL CHAPTER 2515

Before a prioritization scheme of NRC inspections based on PRA techniques can be developed, it is necessary to review and analyze the current NRC inspection requirements for operating reactors, and other available aids for prioritization.

2.1 Outline of Chapter

I&E Chapter 2515 entitled, "Light Water Reactor Inspection Program - Operations Phase" defines the NRC inspection requirements and provides guidance to those nuclear plants which have an operating license or fuel loading authorization. The chapter is organized into the following subject areas: 1) Purpose, 2) Applicability, 3) Definitions, 4) Responsibilities and Authorities, 5) Discussion, 6) Resident Inspection Philosophy, 7) Regional Philosophy, 8) General Guidance, and Appendices A, B and C.

The purpose of the inspection program for the Operations Phase, as defined in the Chapter, is to "obtain sufficient information through direct observation and verification of licensee activities to ascertain: 1) whether the facility is being operated safely and in compliance with regulatory requirements, and 2) whether the licensee's management control system is effective."

As stated above, this program is applicable to those facilities having an operating license or fuel loading authorization, and remains in effect until the facility is retired in place or decommissioned. Definitions of inspection frequencies, and identification of organization responsibilities and authorities are provided.

In the Introduction, the point is made that inspection program and reactive demands exceed the available inspection resources. Thus the Chapter establishes a priority system for inspection completion with emphasis on safety matters. This system divides the various inspection modules into three parts: Minimum, Basic, and Supplemental. These are followed except if abnormal operational incidents create new inspection priorities.

The Minimum Program shall be completed at all operating facilities without exception. The Basic Program should be completed, but may be redirected or postponed based on unusual circumstances or manpower limitations. The Supplemental Program requirements are based upon need or problems, as well as the availability of inspectors. The Basic and Supplemental Program requirements can be decreased or increased based on Systematic Assessment of Licensee Performance (SALP) and Performance Appraisal Ratings.

Resident and Regional inspection philosophies are addressed in the Chapter. The Resident Inspector provides the major onsite NRC presence for direct observation and verification of licensee activities. The program provides for a certain amount of independent inspection time for areas that have been identified from the Resident Inspector's unique knowledge of the facility. Backshift and weekend inspections are also prescribed, for obvious reasons. Region-based inspectors generally perform specialized activities at the plant or at the regional office. The Senior Resident Inspector must be cognizant of all NRC site activities.

The inspection programs used in the operations phase are intended to place emphasis on the elements of licensee activity most important to safety and to recognize licensee performance in order to efficiently use NRC inspection resources. NRC inspectors are also required to analyze deficiencies, to identify trends which are indicative of service problems that require increased inspection activity or possible enforcement action.

Tables 2.1 and 2.2 summarize the inspection procedures contained in the Minimum and Basic Programs, respectively. A review of these tables provides an understanding of the types of subject areas that are addressed in inspections. The tables only include those inspection activities with specific inspection frequencies and have omitted those procedures with a frequency of "W" (When Required) although there are quite a number of procedures with this frequency. These are generally for non-routine discrete activities such as: startup/shutdown, plant trips, strikes, abnormal occurrences, I&E Bulletin follow up, and special Headquarters or Regional follow up.

2.2 Review and Analysis

2.2.1 Comparison of Regional and Resident Inspectors

The prioritization needs of the Resident Inspector are different from those of the Regional Inspector. Among many other duties and inspection tasks, the Resident Inspector has a need to prioritize inspections among system and component related modules. The Regional Inspector is usually a specialist within a group who concentrates in one specific area such as fire protection, radiation protection, quality assurance, etc. Normally his functions are not precisely system related. These regional inspection modules are less likely to benefit from a Probabilistic Risk Assessment (PRA) systems prioritization. In fact, the Region's prioritization needs are to decide which plants should be inspected. Region I is currently developing a program to prioritize plants for inspections using Systematic Assessment of Licensee Performance (SALP) ratings, Performance Appraisal Team (PAT) evaluations, population considerations, and special interaction from Region Management. The inspection procedures in Tables 2.1 and 2.2 have been reorganized, and are presented in Tables 2.3 and 2.4 to identify the division of responsibility between the Resident and the Regional Inspectors. The Resident Inspector's responsibilities require frequent direct observations and verifications, while the Regional Inspector's responsibilities are more specialized in nature or programmatic, and are performed typically at intervals of a year or longer.

2.2.2 Special Emphasis Procedures

Six procedures were identified in the statement of work for special emphasis. They address operations, test and maintenance as summarized below:

Operational Safety Verification/Procedure No. 71707 - Control Room observations are required of items such as LCO's, recorders, alarms, logs, and tagouts. Operability of selected ESF systems is to be confirmed by verifying valve positions, breakers, leakage, lubrication and instrumentation. Other items that are addressed are tagout procedure, shift turnover, plant tours, radiation protection, security, housekeeping and problem identification programs. Specific systems are identified for inspection of the above characteristics. PRA is mentioned as a method of selection.

TABLE 2.1 Minimum Program

Proc. No.        Title or Subject Area                   Frequency*
71707            Operational Safety Verification         D/WK/BWK
8100 Series      Security and Safeguards                 A
8300 and 8400    Radiation Protection                    A

* Frequencies Code:
  D = Daily
  W = Weekly
  BWK = Bi-Weekly
  M = Monthly
  BM = Bi-Monthly
  S = Semi-Annual
  A = Annual
  3 YR = Tri-Annual
  R = Refueling
  W = When Required

TABLE 2.2 Basic Program

Proc. No.            Title or Subject Area                   Frequency
71707                Operational Safety Verification         D/WK/BWK
71710                ESF System Walkdown                     BM
8100 Series          Security and Safeguards                 A
8300 & 8400 Series   Radiation Protection                    A
41700                Training and Requalification            A
41701                Training and Requalification            A
61719                Containment Leak Rate Test              W
61725                Surveillance Testing and Calibration    3 YR
61726                Monthly Surveillance Observation        M
37700                Design Changes and Modifications        A
62702                Maintenance Program                     3 YR
62703                Monthly Maintenance Observation         M
62704                Instrument & Electrical                 A
62705                Maintenance                             A
71711                Plant Startup from Refueling            R
72700                Startup Testing Refueling               R
64704                Fire Protection                         A
82200 Series         Emergency Preparedness                  A, 3 YR
80721                Environmental Protection                Biennial
35701                Quality Assurance                       A

ESF System Walkdown/Procedure No. 71710 - Requires independent verification of system status. Items to be considered are operability, system lineup, equipment condition, condition of cabinets and instrumentation, valve positions, review of FSAR and technical specifications.

Maintenance Program/Procedure No. 62702 - Tri-annual programmatic review to ascertain whether the licensee is implementing a maintenance program that is in conformance with technical specifications, regulatory requirements, and codes and standards. For corrective and preventive maintenance, appropriate controls must be verified for administration, equipment control, special processes, cleanliness and housekeeping.

Maintenance Observation/Procedure No. 62703 - Monthly review to ascertain that maintenance activities are being conducted in accordance with approved procedures, technical specifications and appropriate codes and standards. Consideration must be made of the following: no LCO violations, tagouts, personnel, qualifications, procedures, spare parts, radiological and fire prevention controls, quality assurance and re-testing. These inspection requirements must be completed on four maintenance activities.

Surveillance Testing and Calibration Control Program/Procedure No. 61725 - Tri-annual programmatic review to ascertain whether the licensee has developed programs for control and evaluation of surveillance testing, calibration and inspections required by Technical Specification, ASME Section XI, and licensee calibration programs. Verification must be made that procedures, schedules and responsibilities have been established.

Monthly Surveillance Observation/Procedure No. 61726 - Inspections must be conducted to ascertain that surveillance of safety related systems or components is being conducted in accordance with license requirements. Consideration of the following must be made: procedural conformance with technical specification requirements, in place administrative controls, personnel qualification, LCO compliance, proper testing and acceptable results, with the system being properly returned to service. The inspector must observe all aspects of one major surveillance test once per month and also witness selected portions of at least three other tests. A systems list is provided to aid selection.

2.2.3 System Based Procedures

The PRA based prioritization schemes developed by BNL have resulted in an ordered systems list with significant components identified as a subset. With this in mind, it is worth noting those inspection procedures in the minimum and basic programs which require the inspector to make a selection among various systems and components when implementing the procedure. These are noted below:

Procedure No.   Title or Subject Area
71707(1)        Operational Safety Verification
71710(2)        ESF System Walkdown
61725(2)        Surveillance
61726(1)        Surveillance
61700(1)        Surveillance
62702(2)        Maintenance
62703(2)        Maintenance
62706(2)        Maintenance
62705(2)        Maintenance
56700(1)        Calibration
37700           Design Changes and Modifications
35701           Quality Assurance
61720           Type B&C Leak Rate Tests
61724           Test and Measurement Program
73051           Inservice Inspection
73052           Inservice Inspection
73053           Inservice Inspection
73755           Inservice Inspection

Notes: (1) Procedure includes systems list for selection.
       (2) Scope of procedure could benefit from a systems list.

The value of this procedure breakdown will become apparent in Section 5 when potential changes to Chapter 2515 are discussed.

2.2.4 Systematic Assessment of Licensee Performance

One current aid for inspection prioritization that is available to the NRC is their Systematic Assessment of Licensee Performance (SALP). According to the 1984 NRC Annual Report (8), the SALP is an:

"integrated NRC effort to collect available observations on a periodic basis and evaluate the performance of each nuclear power facility in construction and operation based on those observations. The SALP process is a comprehensive review of the manner in which licensee management directs, guides and provides resources for assuring plant safety. The goal of a SALP review is to direct NRC and licensee attention toward areas affecting nuclear safety that need improvement.

Part of the input to a SALP assessment consists of the past year's Licensee Event Reports, inspection reports, enforcement history and licensing issues. Another important input consists of evaluations by resident inspectors, licensing project manager and senior regional managers, all of whom are familiar with the facility's performance. No new data are specifically obtained as an input to a SALP assessment.

The product of a SALP assessment consists of performance evaluations in a number of functional areas such as plant operations, maintenance, surveillance, emergency preparedness, security and licensing issues..."

The SALP reports can aid the NRC in determining which plants should receive extra inspection emphasis, and within the plant, which functional areas should be examined in more detail. In fact, as mentioned on page 2-1, I&E Manual Chapter 2515 provides guidance of this type.

It should also be noted that a recent General Accounting Office (GAO) Report to Congress (9) calls for an increased use of SALP in the inspection process. Specifically the report recommends an alignment of inspection procedures to the SALP functional categories.

It is clear that the SALP process has been and will continue to be an important tool in providing guidance to the NRC in allocating inspection resources.

2.2.5 Survey Results

The aforementioned GAO Report to Congress was based on an extensive national survey of NRC personnel at all organizational levels. Licensee participation was also solicited and received.

The survey focussed on all aspects of the inspection process, from training and preparation techniques through analysis and trending of inspection results.

The GAO survey and accompanying report addressed many areas of the NRC inspection process which are not pertinent to our study. However, the following significant points were made:

  • The NRC inspection program does assure a necessary level of safety.
  • The NRC Inspectors do not have enough time to examine all aspects of licensee activities in detail (hence, a need for prioritization of their activities is necessary).
  • As a basis for future inspections, the following should be incorporated: previous inspection results, SALP reports, LER's and INPO reports.
  • PRA techniques should be used more often as an aid in developing inspection priorities.

It should be noted that these points are not necessarily new, but they do confirm a consensus among those NRC personnel who were surveyed, and conclusions by a different government organization.

3. APPLICATION OF PRA TO PLANT INSPECTION

This chapter describes the adaptation of the Indian Point Probabilistic Safety Study (IPPSS) to prioritize systems according to their safety importance for use in prioritizing I&E Chapter 2515 inspections. Probabilistic Risk Assessment (PRA) of nuclear power plants was developed, primarily, to provide a measure of the radiological risk imposed on the public from a nuclear power plant. Such results were used in the Price-Anderson renewal public hearings, siting, NSSS suitability studies and many other applications.

In constructing a PRA, it is necessary to prepare a probabilistic/physical model representing the plant before, during and after a postulated accident. Such a detailed model has uses other than its original purpose of risk assessment.

To understand the process it is necessary to review the structure of the IPPSS (Section 3.1). Section 3.2 describes the NSPKTR code that was used for system prioritization. Section 3.3 discusses various ways to measure system importances, Section 3.4 discusses the bases for importance selection and describes results obtained from NSPKTR and supplemental calculations, and Section 3.5 presents the final prioritized systems list.

3.1 The Indian Point Probabilistic Safety Study (IPPSS)

Pickard, Lowe and Garrick, Inc. (PL&G) was contracted by Commonwealth Edison, Consolidated Edison and the New York Power Authority to perform PRAs on their respective plants: Zion 1 and 2, Indian Point 2 and Indian Point 3 (ZIP). These studies (1) use common methodology distinct from the methodology used by the Reactor Safety Study (11). The ZIP methodology was first demonstrated in the Oyster Creek PRA and subsequently has been applied to TMI-1, Seabrook and Midland. Besides the distinctiveness of the methodology, the completeness and high level of effort (450 man-months on Zion alone) distinguishes the work. As such, the IPPSS is a suitable vehicle for developing and demonstrating the usefulness of PRA for prioritizing plant systems and components and indirectly for prioritizing NRC inspections.

The IPPSS begins with a discussion of risk being formed of a triad of numbers: accident scenario, accident likelihood and the consequences of the accident. This is refined to the statement that risk is the probability and consequences of an accident. In practice, in the IPPSS, risk is treated as the product of probability and consequence. A plant risk is represented as the summation over individual accident scenario risks. Following RSS procedures, the IPPSS presents the cumulative probability that the consequences will be greater than a certain number.

In light of the definition of risk, it is clear that the first step in a risk analysis is a list of possible scenarios. This list may have as many scenarios as can be thought of and in the case of a nuclear plant, such a list can easily run into billions of scenarios. It is necessary, therefore, to develop methods for identifying scenarios, organizing and structuring the list so that it is tractable.

Thinking deductively, the event tree method may be used for organizing the myriad of possible scenarios which can emanate from any given initiating event. The plant event trees follow the scenarios up to the point where either the reactor is stabilized, or plant damage has occurred. At this point, as suggested in Figure 3.1, a coalescence of scenarios or "pinch point" occurs. That is, given that a certain state, $y_j$, of plant damage has occurred, the remainder, or downstream portion of the scenarios is the same irrespective of how that damage state was reached.


Figure 3.1. Structuring of Scenarios - Relationship of Pinch Points

The next portion of the scenarios is modeled by a "containment event tree." This tree follows the progress of the scenarios through the containment from the plant damage state to the occurrence or nonoccurrence of a release of radioactivity to the environment. Thus, the entry states to the containment event tree are the plant damage states, which are the exit states from the plant event tree.

The exit states from the containment event tree are called "release categories," each specifying a certain quantity and mix of radioisotopes released. At this point, another pinch point occurs on the environment of a given category of release, which is the same irrespective of the particular scenario that led to that release.

The environmental effects are calculated by a "site model" which takes the release category as its input event, follows the movement of the radioactivity, and computes the final damage state, xg in terms of public health effects.

3.2 NSPKTR

NSPKTR is a self-contained, IBM-PC implementation of the Indian Point 3 Probabilistic Safety Study (IPPSS) for the internal plant states to the system level, intended to perform risk and importance calculations.

The IPPSS plant model for the internal accident sequences is in the form of 13 basic event trees plus 2 variations and an ATWS tree. The method of encoding the trees in the NSPKTR program is in the form of Boolean logic statements.

The plant models are encoded as function statements in FORTRAN, and the failure rate data are entered as data statement blocks. The program is constructed in 20 independent segments: 15, one for each initiator event tree, 4 for ATWS, and 1 summarization segment. The largest segment required 170 K bytes to compile and the typical execution time is about 1 minute. The segments reside on hard (fixed) disk for ease of access for correlation and condensation of results.

The NSPKTR Program will prioritize plant systems using any of 8 importance measures, based on modifications to any number of system unavailabilities. Additionally, changes in total core melt risk or offsite consequences can be calculated based on system unavailability modifications.

3.3 Importance Measures

Importance measures provide a numerical indication of the risk reduction that may be achieved by a change in system or component availability. Importance is usually measured with respect to core melt or public health effects.

By definition a derivative is a measure of the change in a dependent variable due to a change in an independent variable. Sensitivity measures in this class are the Birnbaum, Inspection Importance, and Vesely-Fussell.

Importance measures involving larger changes are the Risk Achievement Worth Ratio, Risk Achievement Worth Increment, Risk Reduction Worth Ratio, Risk Reduction Worth Increment, and $M_{S_j}$.

In principle, importance measures may be developed for any independent variable. The concern of PRA is with systems and their components, hence, the following importance measures will be developed with respect to their failure rate.

It is possible to factor (12) the minimal cutset¹ representation of risk into two terms - those containing the probability of failure of the i-th component or system and those not containing this term:

$$R = p_i A + B \qquad (3.3\text{-}1)$$

where $R$ represents the risk of core melt or health effects, $p_i$ represents the failure probability of the i-th component or system, $p_i A$ is the risk of the systems containing component i, and $B$ is the risk of the systems not containing component i.

3.3.1 Birnbaum Importance

Birnbaum Importance is defined as:

$$I_i^B = \frac{\partial R}{\partial p_i} = A \qquad (3.3\text{-}2)$$

by substitution of equation 3.3-1.

Interpretation - Birnbaum Importance is the change in risk that is associated with a system's normal failure rate and that of a total system failure.

¹ A system fault tree minimal cutset is defined as the smallest combination of component failures which, if they all occur, will result in system failure (the top event of the fault tree).

3.3.2 Inspection Importance

This is defined by Fullwood (12) as the Birnbaum Importance multiplied by $p_i$:

$$I_i^I = p_i I_i^B = p_i A \qquad (3.3\text{-}3)$$

hence, the part of the risk that contains the system of interest.

Interpretation - Inspection Importance is the risk of the accident sequences that involves system i. Birnbaum Importance effectively sets $p_i$ to one while Inspection Importance merely assumes that the system fails at a rate equal to its failure probability, typically much less than one.

3.3.3 Vesely-Fussell Importance

The Vesely-Fussell Importance is defined as the fractional change in risk for a fractional change in probability:

$$I_i^{VF} = \frac{\partial R / R}{\partial p_i / p_i} = \left(\frac{p_i}{R}\right)\left(\frac{\partial R}{\partial p_i}\right) = \frac{p_i}{R} A = \frac{I_i^I}{R} \qquad (3.3\text{-}4)$$

by substitution of Equation (3.3-2).

Interpretation - Vesely-Fussell importance is the fractional change in risk due to a fractional change in $p_i$. As a numerical example, at Indian Point the Vesely-Fussell importance for plant damage (like core melt) is $4.3 \times 10^{-3}$ for the low head recirculation system. Equation 3.3-4 may be rewritten as

$$\frac{\partial R}{R} = I_i^{VF} \frac{\partial p_i}{p_i} \qquad (3.3\text{-}5)$$

A 10% change in the low head recirculation system reliability produces:

$$(0.1)(4.3 \times 10^{-3}) = 4.3 \times 10^{-4}$$

fractional change in risk due to core melt.

Before going further, it is convenient to define Risk Achievement Worth, $R_i^+$, and Risk Reduction Worth, $R_i^-$ (4):

$R_i^+$ is the risk that results if the i-th component or system is failed; hence $p_i = 1$. Referring to equation (3.3-1), this results in:

$$R_i^+ = A + B \qquad (3.3\text{-}6)$$

$R_i^-$ is the risk that results if the i-th component or system never fails; hence $p_i = 0$. Again referring to equation (3.3-1):

$$R_i^- = B \qquad (3.3\text{-}7)$$

or the risk of all systems or components not including the system or component of interest.

3.3.4 Risk Achievement Worth Ratio

The RAWR is defined as

$$I_i^{AR} = \frac{R_i^+}{R} \qquad (3.3\text{-}8)$$

Using Equation (3.3-7):

$$I_i^{AR} = \frac{A + B}{R} \qquad (3.3\text{-}9)$$

From Equations (3.3-1 - 3.3-3), $B = R - p_i A = R - I_i^I$ and $A = I_i^B$, so by substitution:

$$I_i^{AR} = \frac{I_i^B + R - p_i A}{R} = \frac{I_i^B + R - I_i^I}{R} = 1 + \frac{I_i^B - I_i^I}{R} \qquad (3.3\text{-}10)$$

Interpretation - The Risk Achievement Worth Ratio is the ratio of the risk if system i has failed, divided by the normal risk. It is dimensionless and tends to be not as sensitive an indicator of importance as Birnbaum alone because the change is masked by the risk of all other systems.

3.3.5 Risk Achievement Worth Increment

The RAWI is defined as

$$I_i^{AI} = R_i^+ - R \qquad (3.3\text{-}11)$$

Comparing Equation (3.3-8) to (3.3-10), $R_i^+ = I_i^B + R - I_i^I$ and substituting this into (3.3-10):

$$I_i^{AI} = I_i^B + R - I_i^I - R = I_i^B - I_i^I \qquad (3.3\text{-}12)$$

Interpretation - The Risk Achievement Worth Increment is the probability of system i functioning, multiplied by the probability of all other systems in the cutsets containing i failing. It has the units of risk and would not seem to be as sensitive an indicator as Birnbaum or Inspection Importance alone.

3.3.6 Risk Reduction Worth Ratio

The RRWR is defined as:

$$I_i^{RR} = \frac{R}{R_i^-} \qquad (3.3\text{-}13)$$

Substituting $R_i^- = B = R - p_i A = R - I_i^I$, Equation (3.3-14) becomes:

$$I_i^{RR} = \frac{R}{R - I_i^I} \qquad (3.3\text{-}14)$$

Interpretation - The Risk Reduction Worth Ratio is the ratio of the "normal" risk to the risk if the system were perfect. Because the variable $I_i^I$ appears in the denominator in subtraction from the larger total risk, it is not as sensitive an indicator as, say, Inspection Importance. The Risk Reduction Worth Ratio is dimensionless.

3.3.7 Risk Reduction Worth Increment

The RRWI is defined as:

$$I_i^{RI} = R - R_i^- \qquad (3.3\text{-}15)$$

which becomes

$$I_i^{RI} = R - (R - I_i^I) = I_i^I \qquad (3.3\text{-}16)$$

hence, this is the same as Inspection Importance, and the interpretation of Section 3.3.1 applies.

3.3.8 $M_{S_j}$

This measure, termed $M_{S_j}$, was introduced by Higgins, et al., 1984 (13) and is defined as:

$$M_{S_j} = F[CM \mid P(S_j) = 1] - F[CM \mid P(S_j) = 0] \qquad (3.3\text{-}17)$$

where $F[CM \mid P(S_j) = X]$ is the core-melt frequency, given that the system $S_j$ is unavailable with probability equal to X. In terms of the previous notation used in Risk Achievement Worth and Risk Reduction Worth, this can be represented as:

$$M_{S_j} = R_j^+ - R_j^- \qquad (3.3\text{-}18)$$

Using the relationships $R_j^+ = I_j^B + R - I_j^I$ from equations (3.3-9) and (3.3-10) and $R_j^- = B = R - p_j A = R - I_j^I$ from Equations (3.3-1), (3.3-3), and (3.3-8), $M_{S_j}$ becomes:

$$M_{S_j} = (I_j^B + R - I_j^I) - (R - I_j^I)$$

$$M_{S_j} = I_j^B \qquad (3.3\text{-}19)$$

Hence, the $M_{S_j}$ importance is the same as the Birnbaum Importance by virtue of the linearity of the cutsets. The interpretation is the same as that of the Birnbaum Importance.

3.3.9 Relationships Between the Importance Measures and Basic Results

Table 3.1 provides a comparison of the various importance measures in terms of Birnbaum, Inspection Importances and risk. These relationships were used in the NSPKTR code to derive importance measures for all measures except for the basic Birnbaum and Inspection Importance which were calculated as described in the previous section.
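The factoring of Equation (3.3-1) and the Table 3.1 relationships can be checked numerically. The following is an added example, not the NSPKTR FORTRAN code and not IPPSS data: the system unavailabilities, initiator frequencies and cutsets are constructed, and it assumes each system appears at most once per cutset so that risk is linear in each $p_i$.

```python
"""Added example: importance measures from a minimal-cutset risk model."""
import math

# Constructed sample data (NOT from the IPPSS): system unavailabilities p_i.
P = {"RPS": 2e-5, "EPWR": 1e-3, "AFW": 5e-3, "RWST": 1e-7, "HHI": 8e-3}

# Constructed minimal cutsets: (initiator frequency per year, systems that
# must all fail). Each system appears at most once per cutset.
CUTSETS = [
    (1.0e-1, ("EPWR", "AFW")),
    (5.0e+0, ("RPS",)),
    (2.0e-2, ("RWST",)),
    (2.0e-2, ("HHI", "EPWR")),
    (3.0e-3, ("HHI",)),
]


def risk(p):
    """Total risk R: sum over cutsets of frequency times failure probabilities."""
    return sum(f * math.prod(p[s] for s in systems) for f, systems in CUTSETS)


def factor(system, p=P):
    """Split R into p_i*A + B (Equation 3.3-1) and return (A, B)."""
    a = sum(f * math.prod(p[s] for s in systems if s != system)
            for f, systems in CUTSETS if system in systems)
    b = sum(f * math.prod(p[s] for s in systems)
            for f, systems in CUTSETS if system not in systems)
    return a, b


def measures(system, p=P):
    """All eight measures, derived from Birnbaum and Inspection Importance
    through the Table 3.1 equivalences."""
    r = risk(p)
    a, _ = factor(system, p)
    ib = a                      # Birnbaum (3.3-2)
    ii = p[system] * a          # Inspection (3.3-3)
    return {
        "birnbaum": ib,
        "inspection": ii,
        "vesely_fussell": ii / r,
        "raw_ratio": 1 + (ib - ii) / r,
        "raw_increment": ib - ii,
        "rrw_ratio": r / (r - ii) if r != ii else math.inf,
        "rrw_increment": ii,
        "m_sj": ib,
    }


def direct(system, p=P):
    """The same worth measures recomputed from their definitions by
    re-evaluating the model with p_i forced to 1 (failed) and 0 (perfect)."""
    r = risk(p)
    r_plus = risk({**p, system: 1.0})
    r_minus = risk({**p, system: 0.0})
    return {
        "raw_ratio": r_plus / r,
        "raw_increment": r_plus - r,
        "rrw_ratio": r / r_minus if r_minus else math.inf,
        "rrw_increment": r - r_minus,
        "m_sj": r_plus - r_minus,
    }


def max_discrepancy(p=P):
    """Largest relative difference between derived and directly computed values."""
    worst = 0.0
    for s in p:
        derived, exact = measures(s, p), direct(s, p)
        for key, value in exact.items():
            worst = max(worst, abs(derived[key] - value) / abs(value))
    return worst


def ranking(key, p=P):
    """Systems ordered by descending value of the chosen measure."""
    return sorted(p, key=lambda s: measures(s, p)[key], reverse=True)


if __name__ == "__main__":
    print("Birnbaum  :", ranking("birnbaum"))
    print("Inspection:", ranking("inspection"))
    print("max relative discrepancy:", max_discrepancy())
```

With this constructed data the highly reliable tank-like system ranks second on Birnbaum Importance and last on Inspection Importance, which is the kind of shift the measures are compared for.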

3.4 Summary of Results

The previous sections in this chapter described the Indian Point PSS, the computer code used for prioritization, NSPKTR, and the assortment of importance measures that are available. This section summarizes the results of implementing importance measure analysis using the IPPSS.

3.4.1 Selecting Importance Measures

The use of a large number of importance measures is confusing and furthermore, it will be shown that the importance of systems and the ordering of one relative to the other for purposes of prioritizing inspection procedures depends on the importance measures used. It is, therefore, necessary to pragmatically choose the optimum importance measure. This selection process is described in this section.

In selecting importance measures, it is first necessary to decide on an appropriate consequence measure. The two most commonly used are core melt and health effects. The core melt measure is used in PRA for simplicity to avoid dealing with the fission product transport and the health effects. It usually treats all core melts as the same, which is a very gross assumption. Furthermore, it does not consider the mitigating effects of the containment and the importance of maintaining the containment integrity. It does not consider the mitigating actions that may be employed in a slow melt as compared with a fast melt.

TABLE 3.1 Importance Measure Relationships

| Measure | Definition | Equivalence |
|---|---|---|
| Birnbaum ($I_i^B$) | $\partial R / \partial p_i$ | |
| Inspection ($I_i^I$) | $p_i \, \partial R / \partial p_i$ | $p_i I_i^B$ |
| Vesely-Fussell ($I_i^{VF}$) | $(p_i / R) \, \partial R / \partial p_i$ | $I_i^I / R$ |
| Risk Achievement Worth Ratio ($I_i^{AR}$) | $R_i^+ / R$ | $1 + (I_i^B - I_i^I)/R$ |
| Risk Achievement Worth Increment ($I_i^{AI}$) | $R_i^+ - R$ | $I_i^B - I_i^I$ |
| Risk Reduction Worth Ratio ($I_i^{RR}$) | $R / R_i^-$ | $R / (R - I_i^I)$ |
| Risk Reduction Worth Increment ($I_i^{RI}$) | $R - R_i^-$ | $I_i^I$ |
| $M_{S_j}$ | $R_j^+ - R_j^-$ | $I_j^B$ |

$R_i^+$ = Risk Increase with system or component i failed.

$R_i^-$ = Risk Reduction with system or component i perfect.

For these reasons, it is suggested that importance measures that include health effects are more appropriate. They are also more appropriate to the NRC mission for protecting the public health and safety.

Of the various measures, Vesely-Fussell with health effects has considerable attractive qualities. It is the fractional change in risk for a fractional change in system reliability. Deciding upon the correct value of risk to be used is not obvious. Some choices are total risk, internally initiated risk, or externally initiated risk. Inspection Importance has all of the useful properties of the Vesely-Fussell Importance for purposes of inspection prioritization without requiring normalization to risk. The difficulty with Birnbaum Importance is that it does not reflect the likelihood of failure; thus, a very important but highly reliable system such as the RWST has a higher Birnbaum Importance than some other system that fails more frequently, and hence, should be inspected more frequently. For the reasons stated above, the Inspection Importance measure has been chosen for use in this study.

However, in order to enable the reader to draw their own conclusions, NSPKTR was used to calculate a number of the other importance measures as well for the IPPSS subsystems. Since the primary difference in importance measures is between those that consider system/component failure rate and those that do not, Inspection Importance was selected to represent the former group and Birnbaum Importance the latter group.

Table 3.2 shows the shifts of relative importance of systems according to the importance measure used. This is represented using a cluster analysis of points. Five cluster groups are identified, with the A group being the most important and the E group the least important. The importance measures used were the Birnbaum with and without health effects, and the Inspection Importance with and without health effects. This table demonstrates the difference in importance measures. The Refueling Water Storage Tank (#2) is very important to safe plant shutdown, and therefore, ranks high on the Birnbaum scale. However, it is a very reliable component, so when its failure rate is considered in the Inspection Importance its ranking drops to the bottom group. The same rationale applies to Reactor Trip (#20). Note that the Inspection Importance of the Containment Fan Coolers (#7) increases when health effects (containment integrity) are considered. Furthermore, some components/systems remain at or near the top of the list in all cases, such as Electric Power.

Tables 3.3 and 3.4 present an aggregation of the event tree "systems" into system grouping that are more familiar to plant personnel. The systems are prioritized according to descending values of Birnbaum and Inspection Importance. It will be noted that the two systems, reactor protection and electric power, are the top systems on both tables. The containment fan coolers rank high in Inspection Importance with health effects primarily because of the adverse health effects if the containment fails. The passive, but important RWST, goes from 5th rank in Birnbaum Importance to 18th rank in Inspection Importance with health effects, primarily because of the high system reliability.

TABLE 3.2 Shifts in Importance According to Measures Used

Importance Measures (columns, in order): Birnbaum; Birnbaum W. Health Effects; Inspection; Inspection W. Health Effects

f B A A B 1.

E.PWR C .C E E

2. RFUEL W STR. TK D D S.I. AC* SIG SA1 C C
3. B C C C

, 4. L.P. INJ/ACC B B D D j 5. CNNr SPRY E E E E

6. NaOH D B D D
7. R.C. FAN COOL A

C C A

8. L.H. RECIR E E E E
9. RECIR SPRAY C

C C

11. L.P. INJ C C

l C C C

12. HHI INJ A A A A I

14 . RCTR TRIP K3 C C C C

15. HH2 TNJ B B B B
16. AUX FDWTR/S. COOL L1 C D D C

' 17. BLEED

  • FEED OP1 C C B C 18 . R2 RECIR COOL B C C
20. RCTR TRIP K1 B B

D D B

21. S.I. ACT. SIC. SA2 B B B B
22. RCTR TRIP K2 D D C C
23. OP4 SYS DPRES* STAB E D B B
24. R3 RECIR COOL D D B B
25. FAN COOL CF2 E C C
27. MSIV TIP MS1 E E

C C D 30 . TURBINE TRIP TT1 E E D E

, 31. MSIV TRIP MS2 D D B B

32. BLEED
  • FEED OP2 E E E E
34. OP3 STAB TRNST E E E E
37. PWR RI'NBK K5 E E E E
40. RCP SEAL LOCA D E E E
46. TT2/MSIV CLS E E D D
47. AUX FDWTR*SEC COOL L2 D E B B
48. ATWS PRES RLF E E D D
50. MAN SCRAM K4 E E C C
50. BLEED
  • FEED *BOR OPS A

TABLE 3.3 Birnbaum Ranking of Aggregated IP3 Event Tree Systems

| Rank | System | $I^B$ |
|---|---|---|
| 1 | Reactor Protection | 3.0 |
| 2 | Electric Power | 2.6 |
| 3 | Aux. Feed/Sec. Cool | 0.14 |
| 4 | Safety Injection Signal | 6.5-3 |
| 5 | RWST | 4.3-3 |
| 6 | Low Head Recirculation | 4.3-3 |
| 7 | High Head Injection | 4.2-3 |
| 8 | Recirc. Cooling | 2.3-3 |
| 9 | Turbine Trip | 1.3-3 |
| 10 | Bleed and Feed (op.) | 3.1-4 |
| 11 | Man. Scram | 1.3-4 |
| 12 | Cont. Spray | 9.9-5 |
| 13 | RC Fan Coolers | 8.4-5 |
| 14 | MSIV Closure/Turb. Trip | 7.5-5 |
| 15 | MSIV Closure | 3.8-5 |
| 16 | Secure Press. Relief (op.) | 2.3-5 |
| 17 | ATWS Pressure Relief | 1.4-7 |
| 18 | Stabilize Trans. (op.) | 4.9-9 |
| 19 | Power Runback | 1.9-12 |
| 20 | NaOH, Recirc. Spray, OP4 Sys. Depress. Stabilize, RCP Seal LOCA | 0 |
| | Accumulator, LPIS | NA for Birnbaum on Reliability Split Fraction |

TABLE 3.4 Health Effects-Inspection Importance Ranking of Aggregated IP3 Event Tree Systems

| Rank | System | $I^I$ |
|---|---|---|
| 1 | Reactor Protection | 4.2-8 |
| 2 | Electric Power | 5.2-9 |
| 3 | RC Fan Coolers | 2.6-9 |
| 4 | Safety Injection Signal | 2.2-9 |
| 5 | Containment Spray | 2.2-9 |
| 6 | Aux. Feed/Sec. Cool | 2.1-9 |
| 7 | Recirc. Cooling | 1.7-9 |
| 8 | Bleed and Feed (op.) | 1.6-9 |
| 9 | Low Head Recirc. | 1.3-9 |
| 10 | High Head Injection | 2.7-10 |
| 11 | Secure Press. Relief (op.) | 2.2-10 |
| 12 | Accumulator | 2.0-10 |
| 13 | Manual Scram | 1.5-10 |
| 14 | Low Pressure Injection | 1.3-10 |
| 15 | MSIV Closure | 1.7-11 |
| 16 | Turbine Trip | 1.1-13 |
| 17 | Turb. Trip/MSIV Closure | 4.8-13 |
| 18 | ATWS Press. Relief | 4.8-14 |
| 19 | RWST | 3.6-15 |
| 20 | Stabilize Trans (op.) | 5.3-17 |
| 21 | Power runback | 5.9-20 |
| 22 | NaOH, Recirc. Spray, OP4 Sys. Depress. Stabilize, RCP Seal LOCA | 0 |

3.4.2 Importance Measures For Components

Considering the goals of this program, it is necessary not only to identify and prioritize those systems important to safety, but also to identify the key components or actions that are the dominant contributors to a system's importance. This will reduce the inspection time required for a particular system.

Component importances were obtained by using the component's fractional contribution to system failure as presented in Section 1.6 of the IPPSS. These data are indicative of the impact of certain components on the system unreliability. The results of this analysis are shown in Table 3.5.

As will be shown later, it is also necessary to consider event tree systems interactions in order to identify all components that are important for inspection.

3.4.3 External Events

While importance measures were not calculated for systems under external initiators, IPPSS Table 8.3-3A-1 (revised December 1983) allows the calculation of initiator importance and provides additional insight into the importance of the IP-3 systems. These results, obtained by analytical differentiation, are presented in Tables 3.6 and 3.7 for Birnbaum and Inspection Importance, respectively. The highest ranking event in Table 3.6, Tornado, shows the misleading property of Birnbaum Importance in not considering the frequency of the initiator.

Although external events were not incorporated into the previously presented techniques for prioritizing systems and components, qualitative decisions can be made regarding inspection emphasis by reviewing Table 3.7. For example, when conducting required fire inspections, the table points to the most risk sensitive areas. Additionally, since LOCA's lead the list, the Inspector should pay increased attention to piping leak detection systems and snubbers.

3.4.4 Support Systems

Interpretation of the system ranking given heretofore can be misleading as presenting the most important systems in the plant. For these systems to function, support systems must operate. These support systems were not included in the NSPKTR computer code because they were not in the IPPSS internal events model (except for turbine trip loss of service water, reactor trip loss of component cooling water and the various electric power states).

The importance of these support systems was calculated as the sum of the importance of the front-line systems that they support. Table 3.8 lists the systems supported by service water, and Table 3.9 by component cooling water. The importances of these systems and the total importance that may be attributed to these support systems are presented, with health effects considered.

TABLE 3.5 Health Effects Inspection Importance of Component Types by System

System   Importance   System   Importance

1. Reactor Protection System   10. High Head Injection

Man. Valve 346 4.9-11 l Random Fallure of 2 Trains 2.1-0 MOV 1810 4.9.11 Failure to insert 1.0-8

  • Ck Valve from RWST l.0-10 Test and Maintenance 9.7-9 2/3 Pumps Fall to Start 1.1-11 Maintenance on 1 Pump
2. Electric Power Random on Other 1.1-11 Not decomposed Boron InJ. Valves Fall to Open 1.4-11 Common Cause 3.1 11
3. Reactor Contalnment Fan Coolers
11. Secure Pressure Rallet 2.2-10 Fallure of Teno. Cont. 2.6-9 Operator Error Valves 1104 and 1105 Rest < 21
12. Accueutator 4 Safety inJ. Act. Sig. l.6-10 MOV 1.8-9 Ch Valves 7.0-12 Test of 1 CH, Random Fallure of Other Random 4.4-10
13. Man. Scram Operator Error 1.5-10 Failure of Both CHs 14 Low Pressure inj. Systen
5. Containment Spray 9.5-10 MOV 892 9.6-18 Random 1.0-9 Ck Valve 741,8R1 1.1-11 Human Error Man. Valve 84,. 5.3-12 Aux. Feedwater/Sec. Cool!nq MOV 744 5.3-12 6.

Random Fallures 1.1-9 15. MSiv Closure l

Human Error 5.2-10 3.3-10 valve Failure (each of 4) 4.3-12 Common Cause 16 Turbine Trlp 7 Recirculatlon Cooling 1.7-10 Solenold valves in 1.1-13 Operator Error Turbine Stop 3 Saf. Inj. Pumps Fall 1.5-9 in 24 Hrs.

17 ATWS Press. Rollef Valve 4.R-14 ,

Hardware i

8. Bleed and Feed Mov 536, 539 1.8-10 18 Stabilize Transient PC Valve 456, 455C 6.0-10 4.2-10 1005 Human Error 5.3-17 Human Error 19 Power Runback
9. Low Head Recirculation s

Operator Error 991 f.3-9 1005 Instrumentation 5.9-20


TABLE 3.6 Birnbaum Importance Ranking for IP3 Accident Initiators

| Rank | Description | $I^B$ |
|---|---|---|
| 1 | Tornado | 13 |
| 2 | Interfacing LOCA | 1. |
| 3 | Seismic | 1.2-2 |
| 4 | Large LOCA | 7.7-3 |
| 5 | Medium LOCA | 6.0-3 |
| 6 | Fire Total | 5.3-3 |
| | Switchgear Room | 62% |
| | Electrical Tunnel | 19% |
| | Aux. Feedwater Pump Room | 9.6% |
| | Other Zones | 6.4% |
| | Cable Spreading Room | 4.9% |
| 7 | Small LOCA | 4.0-3 |
| 8 | Steambreak Inside Containment | 1.2-4 |
| 9 | Steambreak Outside Containment | 1.2-4 |
| 10 | Steam Generator Tube Rupture | 4.8-5 |
| 11 | Turbine Trip Loss of Service Water | 2.3-5 |
| 12 | Turbine Trip Loss of Power | 1.8-5 |
| 13 | Reactor Trip Loss of Comp. Cooling | 1.4-5 |
| 14 | Loss of Main Feedwater | 1.6-7 |
| 15 | Turbine Trip | 1.6-7 |
| 16 | Loss of RCS Flow | 1.6-7 |
| 17 | Loss of 1 MSIV | 1.3-7 |
| 18 | Reactor Trip | 1.3-7 |
| 19 | Core Power Excursion | 0 |

TABLE 3.7 Inspection Importance Ranking With Health Effects for IP-3 Accident Initiators (1 Fatality)

| Rank | Description | $I^I$ |
|---|---|---|
| 1 | Small LOCA | S.G-5 |
| 2 | Large LOCA | 1.7-5 |
| 3 | Medium LOCA | 1.3-5 |
| 4 | Fire Total | 1.3-5 |
| | Switchgear Room | 34% |
| | Aux. Feedwater Pump Room | 26% |
| | Other Zones | 17% |
| | Cable Spreading Room | 13% |
| | Electrical Tunnel | 10% |
| 5 | Turbine Trip Loss of Power | 3.9-5 |
| 6 | Seismic | 3.6-6 |
| 7 | Steam Generator Tube Rupture | 1.6-6 |
| 8 | Tornado | 1.3-6 |
| 9 | Loss of Main Feedwater | 6.0-7 |
| 10 | Interfacing LOCA | 5.7-7 |
| 11 | Turbine Trip | 4.3-1 |
| 12 | Reactor Trip | 3.6-7 |
| 13 | Steambreak Inside Cont. | 2.6-7 |
| 14 | Steambreak Outside Cont. | 2.6-7 |
| 15 | Turbine Trip Loss of Service Water | 5.0-8 |
| 16 | Reactor Trip Loss of Comp. Cool. | 3.1-8 |
| 17 | Loss of RCS Flow | 2.7-6 |
| 18 | Loss of 1 MSIV | 1.2-8 |
| 19 | Core Power Excursion | 0 |

TABLE 3.8

| Service Water Supports | $I^I$ |
|---|---|
| Component Cooling Water System | 3.9-7 |
| Containment Fan Cooling | 2.9-13 |
| Electric Power - Diesel Gen. | 3.0-7 |
| Total | 6.9-7 |

TABLE 3.9

| Component Cooling Supports | $I^I$ |
|---|---|
| High Pressure Safety Injection | 2.7-7 |
| Low Pressure Safety Injection | 1.2-8 |
| Recirculation System | 1.1-7 |
| Total | 3.9-7 |

It is recognized that the technique used for support system importance is not rigorous; however, explicit calculations would require reconfiguring of the fault trees and event trees and would take a considerable amount of time. In general PRA's have found support systems to be quite important since their failure leads to a failure of a number of front line systems. NUREG-1050, "Probabilistic Risk Assessment (PRA) Reference Document" concludes from studies of 15 PWR PRA's that Service Water is among the ten most important systems.

3.5 Systems Prioritization

Using the information presented in Section 3.4 and the Inspection Importance with health effects for system prioritization, Table 3.10 was prepared. The systems from Tables 3.3 and 3.4 were combined where necessary, so that Table 3.10 more accurately reflects the system designations familiar to plant and inspection personnel. The three highest ranked systems are support systems, Service Water, Electric Power and Component Cooling Water, based on the importances of the systems that fail if they fail. The fourth is a frontline system, Reactor Protection, because if it fails, the reactor power without shutdown is so great that the plant is severely taxed to remove the heat fast enough to avoid meltdown. These are followed by a number of frontline systems. This information, in conjunction with the Section 2 discussion of the I&E Chapter 2515 provides the basis upon which to develop a PRA-based prioritization scheme.

TABLE 3.10 Indian Point 3 Systems Prioritized by Inspection Importance Including Health Effects

| System | Inspection Importance |
|---|---|
| Service Water | 6.9-7 |
| Electric Power | 6.0-7 |
| Component Cooling | 3.9-7 |
| Reactor Protection | 3.2-7 |
| High Pressure Safety Injection | 2.7-7 |
| Secondary System (MSIV)* | 1.8-7 |
| Recirculation System | 1.1-7 |
| Reactor Coolant System (PORV)** | 4.9-8 |
| Auxiliary Feedwater | 2.0-8 |
| Low Pressure Safety Injection | 1.2-8 |
| Safeguards Actuation | 1.2-8 |
| Accumulator | 7.8-9 |
| Containment Spray | 1. 4 -1 ! |
| Containment Fan Cooling | 2.0-13 |

* Secondary System is significant due primarily to successful MSIV closure, and to a lesser degree by a successful turbine trip.

4. SUMMARY OF INSPECTIONS

Prior to formulating any conclusions, it was decided to evaluate the merits of a PRA-based inspection by conducting three trial inspections at Indian Point No. 3. This exercise was intended to be both a learning experience and also to provide additional basis upon which to formulate the final recommendations.

4.1 Inspection Preparation

As in any good inspection process, preparation is a very important element. The inspections were to be system oriented with the IPPSS providing the guidance. The prioritized systems list from Section 3.5 was used for system selection. An audit plan was prepared for each system inspection which identified the dominant failure mechanisms and those areas of inspection which would serve to mitigate or remove these failure mechanisms. Failure mechanism is actually a "catch all" phrase that considers many areas of review, including contemporary plant problems. This was necessary because in some cases component failure data used for PRA's may be somewhat outdated and, therefore, an inspection based on PRA input alone would not be as accurate as one that considers contemporary plant problems. The actual areas that were examined for identification of the dominant failure mechanisms were the following:

1) significant contributors to system failure (IPPSS)
2) event tree level systems interactions (IPPSS)
3) pertinent insights gained from reviewing the IPPSS (i.e. assumptions, assumed plant configurations, operational responses, etc.)
4) related I&E Bulletins and Notices,
5) LER's and Reportable Deficiencies (50.55e reports), and
6) Resident Inspector interviews.

The link between dominant failure mechanisms and areas of inspection was in some cases fairly obvious, and where it was not, engineering judgement (based on past inspection experience) was used. Tables representing the dominant failure mechanisms vs. areas of inspection for the three selected systems are presented in the next section.

There is one final note on inspection preparation and that is the determination of how to use the prepared information to actually conduct the inspections. The appropriate inspection procedures that were already in existence in the I&E Manual Chapter 2515 were reviewed for applicability, after which it was determined that the I&E inspection procedures were well written and provided the necessary guidance to execute the planned inspections. It was decided to use the I&E inspection procedures as a basis to examine the identified areas of inspection, but not necessarily to be limited by them.

4.2 System Inspection Summary

The systems selected for the trial inspections were Service Water, Reactor Protection, and Safety Injection Actuation. Subsections 4.2.1 - 4.2.3 contain a discussion of the findings of each inspection along with a tabular presentation of the audit plan. The presentation of the inspection results emphasizes the findings in order to demonstrate the value of the inspections. This emphasis on negative results might tend to imply poor performance by the licensee. This is not necessarily the case, as many areas reviewed during the inspection were found to be satisfactory. Separate technical reports were issued for each system reviewed (14-16).

The inspection preparation process provided two new approaches which contributed to the success of the inspections:

System Basis - The inspections were conducted on a systems basis. As a result each system inspected was examined in detail. This means that many programmatic areas (i.e., operations, maintenance, instrumentation, quality assurance, etc.) were reviewed, but only as they applied to the selected systems. This provided an assessment of the "health" of the system. Typically, the NRC conducts its inspections on a programmatic basis and as a result a system is not completely assessed at any one time. This is not to say that programmatic inspections are not necessary; it is important to know if a licensee has an adequate operations program, maintenance program, etc. The point is that both types of inspections are necessary. The system based inspection provides an overall assessment of a system's status which might not be apparent when each programmatic area is evaluated on an individual basis.

Emphasis on Significant Risk Contributors - The emphasis on the risk based significant contributors to system failure allowed more inspection time to be spent on those components most important to plant safety, thereby achieving the greatest payback per inspection hour. This approach also guided the inspection towards some important areas which might not normally be examined.

At the completion of the inspections, it was concluded that the existing NRC inspection procedures were quite good and provided the necessary guidance for an inspector to do his job properly. Some minor changes could be made, and are discussed in the next chapter.

It should be noted that once an onsite review is initiated, any significant discrepancies or problems that are uncovered should be followed up. Therefore, although important areas for review can be identified in advance, it is almost impossible to predict where problems may exist. As a result, a few of the findings may seem only remotely related to the existing failure mode. However, this is the case for any inspection.

4.2.1 Service Water System

The Service Water System is designed to supply cooling water to various primary and secondary heat loads. Six pumps supply coolant to two main headers, each header being supplied by three pumps. Either of the two headers can be used to supply the essential safety loads with the other header feeding the non-essential loads.

The relationship of the failure mode to inspection area is presented in Table 4.1. The "Findings" column in that table is keyed to the following summary:

1) The valve numbering system can lead to confusion. Plant drawings have assigned the same number to similar valves in equivalent positions. Procedural check-off lists assign a letter postscript. Moreover, actual valve tag identification does not always agree with the other designations.
2) The gauges used for reading differential pressure across the pump discharge strainers are also used to determine when strainer cleaning is necessary. Two of the six gauges were reading in excess of the manufacturer's recommended pressure differential. The gauges appear to be misapplied since their range is 0-200 psi, while the normal operating range is 0-15 psi.
3) The strainer electrical control panels were observed to be opened, internal wiring exposed, and the panel housings were rusted.
4) The service water inlet valves to the two Diesel Generators are manually operated and are located remotely. If these valves are mispositioned, this would not be recognized until the next surveillance test. The valves should be either locked in position or tagged to prevent inadvertent operation.
5) The strainer instruction manual was not controlled as required by plant administrative procedures.
6) The plant motor maintenance procedures do not require a retest of insulation resistance subsequent to maintenance at the time of motor restart.
7) A review of plant maintenance records indicates that the Service Water Pumps and strainers are very unreliable. Studies are underway by the licensee to determine appropriate replacements for this equipment.
8) The licensee's ASME Section XI commitments and the pump performance test take exception to Service Water flow measurement because no instrumentation is installed. This is of significant concern since the Service Water pumps' capability to meet accident demands cannot be ascertained. The licensee does plan to install flow measuring instrumentation during the next outage.
9) The IPPSS identified the two manual header isolation valves as worthy of attention. Since there are presently no maintenance or surveillance requirements for these valves, it was recommended that a surveillance operability test be established.
10) The licensee's post-maintenance test requirement for Service Water pumps and motors is to conduct the pump performance test. This is a good philosophy except that no motor electrical parameters are recorded. It is recommended that subsequent to motor repairs or maintenance the motor current draw be measured for evaluation and trending purposes.

TABLE 4.1
Indian Point Unit 3 Probabilistic Safety Study - Based Inspection
Major Failure Modes, Inspection Areas and Findings
Service Water System, May 6-10, 1985

1. Failure Mode: Random failure of header isolation valves
     a) Header discharge check valve SWN-100 fails closed
     b) Header discharge valve SWN-98, 99 transfers closed
     c) Nuclear header piping fails
   Inspection Area:
     a) Check surveillance requirements
     b) Check maintenance requirements
     c) ASME Sect. XI
     d) Valve lineup
     e) System walkdown
     f) Hydro or leak tests
   Findings: 1, 9

2. Failure Mode: Random failure of 2 out of 3 pumps selected to supply the nuclear header
     a) Pump fails to start or run due to pump, motor, or control circuit failure
     b) Pump discharge check valve fails closed
     c) Strainer plugs
     d) Pump discharge valve transfers closed
     e) Expansion joint ruptures
   Inspection Area:
     a) Check surveillance and maintenance
     b) ASME Sect. XI
     c) Operating procedures
     d) System walkdown
   Findings: 2, 3, 5-8, 10

3. Failure Mode: Mispositioned Mode Selector Switch
   Inspection Area:
     a) Check surveillance requirements
     b) Check administrative controls, routine
     c) Physically verify switch position
     d) Human factors of labelling
     e) Operator training
   Findings: None

4. Failure Mode: Failure of diesel generator outlet flow control valves FCV-1176 and FCV-1176A to open on demand and remain open for 24 hours
   Inspection Area:
     a) Check maintenance and surveillance
     b) ASME Sect. XI
     c) Physical inspection
   Findings: 4

4.2.2 Reactor Protection System

The Reactor Protection System utilizes trip signals from various process sensors to de-energize and trip the reactor trip breakers. When the reactor trip breakers open, power is removed from the control rod drive magnetic coils which allow the rod control cluster assemblies to fall into the active fuel region of the core, thereby inserting negative reactivity and making the reactor subcritical.

The failure modes vs inspection areas are listed in Table 4.2. The findings column in that table is keyed to the following summary of findings:

1) The calibration of the RPS channels is conducted in two distinct steps, one which checks the instrument itself (transmitter) and another which tests the trip bistable. This methodology requires physically disconnecting the instrument circuitry at the bistable. It is recommended that at the completion of the test procedure a final check be made to ensure that the channel (loop) has been properly restored to service or devise a method that does not require disconnection.
2) Modifications to the RPS circuit breakers are required based on the failure-to-trip incident which occurred at Salem (Generic Letter 83-28). The installation of redundant and diverse environmentally qualified undervoltage and shunt trip relays will improve the circuit breaker trip function reliability. This modification should be implemented as soon as possible.
3) The Westinghouse Owners Group (WOG) developed a number of recommendations for preventive maintenance of the RPS circuit breakers based on the problems experienced at Salem. It is recommended that the maintenance procedure for the RPS circuit breakers be revised to include these. In addition, training of the maintenance personnel responsible for implementing the revised procedure should also be conducted.
4) Investigation into a recent spurious trip of one of the RPS circuit breakers resulted in a report which indicated that some deterioration of the auxiliary switch had occurred. Proper operation of the switch should be verified by testing, including a contact resistance test.
5) Vendor instruction manuals must be maintained and controlled to ensure that the most current and accurate information is available, particularly for maintenance purposes. Technical manuals used by the Maintenance Department should be reviewed to ensure that only controlled documents exist.
6) Three relay failures in the RPS logic have recently been experienced. These relay failures had occurred upon re-energization of the logic following scheduled testing. Based on these failures, as well as similar problems that have occurred at other operating nuclear power plants, it is recommended that this type of relay be replaced with one capable of withstanding the experienced voltage surges (Westinghouse NBFD).

TABLE 4.2
Indian Point Unit 3 Probabilistic Safety Study - Based Inspection
Major Failure Modes, Inspection Areas and Findings
Reactor Protection System, June 17-20, 1985

1. Failure Mechanism: Logic Wiring Faults (1.7x10 / train)
   Inspection Areas:
     a) Verify surveillance procedures, verify logic integrity.
     b) Visually inspect for physical separation between channels.
     c) Review past work testing requirements.
     d) Review licensee analysis (if any) of fault impact.
   Findings: 1

2. Failure Mechanism: Reactor Trip Breaker Fails Closed (1.2x10- / train)
   Inspection Areas:
     a) Review breaker preventive maintenance.
     b) Verify surveillance testing including operation of the breaker.
     c) Perform a visual inspection of the breaker for signs of unusual wear.
   Findings: 2, 3, 4

3. Failure Mechanism: Bypass Breaker Stays Closed (9x10 3/ train)
   Inspection Areas:
     a) Determine administrative controls for racking in and closing the bypass breaker.
     b) Verify procedures which call for use of the bypass breaker and return to its normal configuration.
     c) Perform a visual inspection of the breaker.
     d) Review breaker PM procedure.
   Findings: None

4. Failure Mechanism: RCCAs Fail to Insert (9.2x10- )
   Inspection Areas:
     a) Review inspections and testing performed during refueling outage.
     b) Review surveillance data on tech spec required bi-weekly rod movements.
     c) Review IP3 design for applicability to Info Notice 85-14 (Failure of rod to drive).
   Findings: 5

5. Failure Mechanism: Trip Relays Fail Closed (6.3x10- / train)
   Inspection Areas:
     a) Review logic relay PM Program.
     b) Review surveillances to verify inclusion of relays in testing.
     c) Verify manufacturer's recommendations and industry experience as incorporated in PM.
   Findings: 6

6. Failure Mechanism: Instrument Failure (4.6x10- / loop)
   Inspection Areas:
     a) Review instrumentation tech spec and compare to surveillance procedures.
     b) Review technician qualifications for those performing surveillances.
     c) Walkdown impulse lines to verify continuous sloping and valving arrangements (concern for line pluggage).
     d) Review administrative control of testing to ensure proper return to service.
   Findings: 7-10

7. Failure Mechanism: Wiring Fault in Power to Bus (< 10 8)
   Inspection Areas:
     a) Verify physical separation of sources.
     b) Review MG set alignment to ensure no means of paralleling.
   Findings: None

7) Whenever an out-of-tolerance condition is found during surveillance testing of RPS instrumentation, an internal Significant Occurrence Report (SOR) should be issued to ensure trends are detected. Administrative Procedure AP-8, which describes the SOR, should be revised to include this commitment.
8) The source of information for the inputs to be used for calibrating RPS pressure transmitters is the Westinghouse instrument data sheet. The instrument data sheet calibration values are incorporated into the surveillance procedure technician instructions. A difference between the Westinghouse data sheet and the approved surveillance procedure for the pressurizer level transmitters (3P3-R3, Rev.4) was found. It is recommended that documentation be reviewed and revised as necessary so that agreement exists.
9) Permanent labels should be attached to instrument racks and RPS instruments located in the containment which clearly indicate instrument identification, function, and associated channel. The labeling is inconsistent and could result in a common mode testing failure during maintenance or testing.
10) Current standard technical specifications require response time testing of selected RPS instruments. This type of testing verifies that the instrument senses the trip point and causes the trip function within a time frame supported by accident analyses. Response time testing should be required at regular intervals for the pressurizer level transmitters which are susceptible to response time delays because of the capillary fill design.

4.2.3 Safeguards Actuation System

The Safeguards Actuation System receives signals from various plant sensors, processes this input through logic matrices, and sends actuation signals to emergency safeguards equipment, based upon plant conditions. Two separate and distinct functions are performed by this system: safety injection actuation and containment spray actuation. Each of these distinct functions causes several other functions to occur in the plant. The system serves to limit damage in the event of breaks in the Reactor Coolant System or the secondary systems (main steam, feedwater, or steam generators).

The relationships between failure mode and inspection areas are listed in Table 4.3. The findings column in that table is keyed to the following summary:

1) In a review of work requests for the SAS, it was noted that there were two requests within a month to re-calibrate the Safety Injection (SI) logic channel B 120 second reset time delay relay because it was out of specification. Any future problems with this relay should be investigated in greater detail to determine if any trends are evident.

TABLE 4.3
Indian Point Unit 3 Probabilistic Safety Study - Based Inspection
Major Failure Modes, Inspection Areas and Findings
Safeguards Actuation System, July 29 - August 2, 1985

A. Safety Injection Actuation

1. Failure Mechanism: Random Failure of logic channels (3.6x10 "/ channel)
     • SI Automatic Actuation Relays SIA-1 & SIA-2 Fail to Close
     • SI Manual Actuation Relays SIM & SIM-2 Fail to Close
     • Equipment Actuation Relays Fail to Close
     • Steam Line Isolation Relays Containment Hi-Hi Pressure Relays Fail to Close
     • No Trip Signal from Pressurizer Low Pressure Network (Logic relays and bistables)
     • No Trip Signal From Containment High Pressure Network (Logic relays and bistables)
   Inspection Areas:
     a) Review logic relay Preventive Maintenance (PM) program. Findings: 1, 2
     b) Review surveillances to verify inclusion of relays in testing. Findings: 3, 4, 5
     c) Verify manufacturer's recommendations and industry experience as incorporated in PM, e.g., IE 85-49 "Relay Calibration Problem".
     d) Perform visual inspection of relays.

     • Shorts across reset relays and push buttons
   Inspection Areas:
     a) Review surveillance to verify inclusion of reset relays in testing. Findings: 6

     • Shorts across normal defeat switches
   Inspection Areas:
     a) Review alarm response procedures. Findings: 6

     • DC power fuses open prematurely
   Inspection Areas:
     a) Review surveillance to verify inclusion of fuses in testing program e.g. power supplies alarmed. Findings: SAT
     b) Review maintenance practices concerning removal of fuses for personnel protection, e.g., IE-85-51 "Inadvertent Loss or Improper Actuation of Safety Related Equipment".

2. Failure Mechanism: Testing and maintenance (5.0x10 / demand)
   Inspection Areas: Same as 1 above.
   Findings: 7, 8

3. Failure Mechanism: Common cause failure (negligible, 2.9x10- / demand)
   Inspection Areas: N/A
   Findings: 11

4. Failure Mechanism: Random Failure of loop instrumentation (negligible, 1.6x10 16/ demand)
   Inspection Areas:
     a) Review maintenance log to verify failure rate.
   Findings: 9, 10

B. Containment Spray Actuation

1. Failure Mechanism: Random Failures of logic channels (1.9x10 "/ channel)
     • Containment Spray Relays AS1, AS2, SI-0, S2-0 Fail to Close
     • Containment Spray Auxiliary Relays SilX, S21X Fail to Close
     • No Trip Signal from containment Hi-Hi Pressure Network (Logic Relays and Bistables)
   Inspection Areas:
     a) Review logic relay and bistable PM program. Findings: 1, 2
     b) Review surveillances to verify inclusion of relays and bistables in testing. Findings: 4
     c) Verify manufacturer's recommendations and industry experience as incorporated in PM, e.g. IE-85-49 "Relay Calibration Problem".
     d) Perform visual inspection of relays and bistables.

     • Shorts across containment spray reset relays S1-R, S2-R
   Inspection Areas:
     a) Review surveillances to verify inclusion of relays in testing. Findings: 7, 8

2. Failure Mechanism: Test and Maintenance and Random Failures (5.0x10 6/ demand)
   Inspection Areas: Same as 1 above

3. Failure Mechanism: Instrumentation Failures (3.8x10- / demand)
     • Containment Pressure Transmitters fail to provide a trip signal
   Inspection Areas:
     a) Review instrumentation Tech. Spec. and compare to surveillance procedures
     b) Review calibration procedures
     c) Review technician qualifications for those performing surveillances
     d) Review administrative control of testing to ensure proper return to service
     e) Walkdown impulse lines to verify continuous sloping and valving arrangements (concern for line pluggage)
   Findings: 9, 10, 11

4. Failure Mechanism: Common Cause Miscalibration of Sensors (negligible, 3.0x10- / demand)
   Inspection Areas: N/A
   Findings: 10

2) A procedure for monthly surveillance testing of the low TAverage bistable and relay circuitry should be established. Low TAverage, in combination with High Main Steam Line Flow, generates an SI signal. These bistables are currently tested under the plant's Reactor Coolant Loop Resistance Detector calibration procedure which is only performed during refueling outages.

Even though it is not a technical specification requirement, to be consistent with the general philosophy concerning surveillance testing, a monthly procedure should be written such as currently exists for pressurizer pressure, containment pressure and steam line pressure.

3) An existing procedure on calibration of the Main Steam Flow transmitters should be upgraded to a safety-grade procedure reviewed by the Plant Operations Review Committee, consistent with other calibration procedures for SAS transmitters such as Main Steam Pressure, Pressurizer Pressure, Containment Pressure, etc. Also, a monthly PORC-approved procedure for testing the associated Main Steam Flow logic channel bistable and relay circuitry should be established, since similar tests for main steam pressure, pressurizer pressure, etc. are performed on a monthly basis.
4) The appropriate procedures should be reviewed and modified as required to ensure that a final loop check from the transmitters to the bistables is made to verify circuit continuity following testing or repairs. This would minimize the possibility of undetected shorts or discontinuities.
5) A statement should be added to the Precautions and Limitations section defining exactly in what plant conditions the procedures may be implemented, e.g., normal plant operation, cold shutdown, etc. for the following procedures:

3PT-R3A "Safety Injection Test-Recirculation Switches"
3PT-R3B "Safety Injection Test"
3PT-R3E "Safety Injection Test-Containment Isolation"

This would minimize the possibility of errors causing either spurious operation or disablement of SAS circuits during plant operation.

Also, in procedures 3PT-M14A&B "Safety Injection System Logic Channel Functional Test (A&B)", step 3.6.D should state that all switches should be returned to their normal position and Safety Injection reset as in 3.9.D.

Currently the procedure just mentions PC-439A and 449A switches which need returning to normal position. This change will also return to normal position those switches listed in step 3.6C.

6) A determination should be made as to whether or not shorting of some normally open contacts of the Normal Defeat Switch and Reset Relay can defeat an entire channel of SI logic without causing a Control Board alarm, and thus remain undetected for 360 hours or longer, as stated in PSS Section 1.6.2.2.3.4.2.1. The 360 hours is one-half the interval between monthly tests. This is primarily a check on the accuracy of the statement in the PSS because it would appear from a review of the electrical control schematics that any shorting of contacts which could energize the defeat portion of the SAS is alarmed, and would not go undetected for this time period. Operational personnel should be made aware if there is a possibility that this condition could exist undetected.

7) The availability and content of manufacturer's instruction manuals and design drawings pertaining to safety-related equipment should be verified. Specifically, the controlled vendor drawing concerning the Hydrogen Recombiner Isolation Valve relay contact should be revised to conform to the same drawing appearing in the vendor manual.

During a review of a safety-related circuit, a discrepancy was noted between a drawing in the controlled vendor manual and the controlled copy of the drawing with hydrogen recombiner isolation valves which close on containment Phase "A" isolation. As it turned out, the vendor manual contained a correction which did not appear in the same revision of the controlled copy of the drawing. Errors of this nature have been cited in the previous reviews performed under this program (Service Water and Reactor Protection Systems). The importance of accurate data can be essential to proper operation as well as to proper analyses, such as a PRA. As a result, the recommendation that the licensee make a concentrated effort to verify the availability and content of manufacturers' manuals and drawings pertaining to safety-related equipment was made.

8) PORC-approved safety-grade procedures for corrective maintenance on SAS-related transmitters should be generated. Currently, although corrective maintenance and trouble shooting are performed, based on discussions with plant personnel, no procedures of any kind exist for such activities. A review of the available I&C maintenance files revealed maintenance work reports describing work performed on process instruments.

9) The labelling of transmitters, racks and other I&C equipment should be improved in a manner similar to that currently being performed for valves. The labels should be permanent and clearly identify the instrument, function and channel.

During a plant walkdown, it was noted that most of the transmitters are grouped together in racks by function (i.e., containment pressure, steamline flow etc.), separated by steel plate partitions. The transmitters are separated, but channel segregation was not obvious and this could result in errors during testing or maintenance. As was noted in the RPS inspection, to minimize the potential for human errors, it is again recommended that all transmitters and their associated racks be affixed with permanent labels which clearly indicate the instrument identification number and describe the function of the component similar to what is being done with regard to safety related valves. During the inspection some transmitters were labelled with felt-tip marker while others had no identification numbers except for those provided by the manufacturer, which in some cases were illegible.

10) In a related matter, increased emphasis should be placed on completion of the computerized instrument list, which is currently being generated, so as to provide a readily accessible method to physically locate various safety-related instruments.

11) A maximum response time for the initial review period of NRC Information Notices, a clearer definition of which individual is responsible for responding to a notice once distributed by the Resident Manager, and a tracking list to document the disposition of all notices, circulars and bulletins should be established.

Prior to the inspection, several I&E Information Notices were identified as potentially relevant to the IP3 SAS. The internal processing of these notices is specified by Administrative Procedure AP-37 concerning feedback of operating experience to the plant staff. According to that procedure, the Resident Manager determines which department heads or individuals should review sources of information from outside the organization, e.g. NRC Bulletins and Information Notices. However it was noted that there is no maximum response deadline. Tracking of responses is only performed by the Plant Operations Review Committee (PORC) and only when a particular source of outside information has been determined to be worthy of PORC review. As a result, the responses to some Information Notices may not be provided for six months or longer.


5. RECOMMENDED CHAPTER 2515 CHANGES

It would be useful at this juncture to restate the objective of this study which is to develop and test a prioritization scheme for reorienting the NRC Operating Reactor Inspection Program using PRA insights.

As the program progressed, the final recommendations began to become self-evident. For one thing, it was clear almost from the outset that major changes to Chapter 2515 were not necessary. The three tier system works well and the right procedures were assigned to the minimum category.

The final products seemed to be the tools used to perform the trial inspections, in that the prioritized systems list and the list of risk significant components certainly provided the PRA based inspection guidance that was the goal of this effort.

After discussion with NRC Region I personnel, a final product was jointly agreed upon. This product was a plant specific set of system appendices which could be used to provide guidance for inspection efforts at a nuclear power plant. In addition to a prioritized systems list, a plant specific set of appendices would be comprised of the following for each system:

1) a table of dominant failure modes which identifies the dominant contribution to system risk,
2) a table which identifies those NRC inspection procedures which can be used to review those components or actions identified in the first table, and
3) a modified systems walkdown list which identifies the key components from a risk point of view which should be reviewed.

The appendices as outlined above provide a phased approach to guidance; the dominant failure modes table provides the necessary basic PRA guidance. The second and third tables provide additional specific guidance as necessary.

Sample appendices have been prepared for the three systems inspected and are located at the end of this chapter.

Conclusions

As a result of this study it was concluded that inspections planned and conducted using PRA guidance can be more efficient than ones not having a risk basis and also provide a different insight into plant activities. NRC Region I agreed that the appendices concept had the potential to aid in the inspection process and that this was the most important output of the program.

Three sample appendices, for the inspected systems, were developed and are included on the following pages.

Future Work

In order to fully evaluate the importance of PRA-based inspections, the system appendices should be completed for Indian Point No. 3 and also be developed for other plants. This will then make these tools available to many NRC inspectors for their use.

The PC-based computer program, NSPKTR, should be further developed and tested to expand its usefulness in rapid risk assessment/importance calculations for applications such as emergency preparedness drills, plant modification evaluation, and maintenance of a living PRA. Because of its short response time, critical information can be provided in minutes, rather than hours or days.

TABLE 5.1
Indian Point 3 Systems Prioritized by Inspection Importance Including Health Effects

1. Service Water System
2. Electric Power System
3. Closed Cooling Water System
4. Reactor Protection System
5. High Pressure Injection System
6. Main Steam System (MSIVs)
7. Recirculation System
8. Reactor Coolant System (PORVs)
9. Auxiliary Feedwater System
10. Low Pressure Injection System
11. Safeguards Actuation System
12. Accumulator System
13. Containment Spray
14. Containment Fan Cooling System

TABLE 5.2
Indian Point Unit 3 Probabilistic Safety Study-Based Inspection Plan - Service Water System
Failure Mode Identification

Conditions That Can Lead to Failure

1. a) Header Discharge Check Valve SWN 100-2 Fails to Open or Manual Isolation Valve SWN 98 Left in the Closed Position or Nuclear Header Piping Rupture (SWPs 31,32,33)

Two of the three Service Water Pumps are required to supply the designated nuclear header for 24 hours following an initiating event. Failure of any of these valves in the closed position or a pipe rupture will prevent service water flow to the designated header. Testing of the header and pumps not in use according to the Technical Specifications should reduce the probability of failure.

b) Header Discharge Check Valve SWN 100-1 Fails to Open or Manual Isolation Valve SWN 99 Left in the Closed Position or Nuclear Header Piping Rupture (SWPs 34,35,36)

Two of the three Service Water Pumps are required to supply the designated nuclear header for 24 hours following an initiating event. Failure of any of these valves in the closed position or a pipe rupture will prevent service water flow to the designated header. Testing of the header and pumps not in use according to the Technical Specifications should reduce the probability of failure.

2. Service Water Pumps (SWPs) 31-36 Fail to Start or Run

a) Random mechanical pump failure.
b) Motor mechanical pump failure.
c) Pump discharge isolation valves SWN 2-1 to 2-6 left in the closed position.
d) Pump discharge check valves SWN 1-1 to 1-6 fail to open.
e) Pump discharge expansion joint ruptures.

Failure of any combination of two out of three pumps will prevent sufficient service water flow from being provided to the essential header. Testing of the pumps which are not in use according to the Technical Specifications should reduce the probability of failure.

3. Mode Selector Switch Improperly Positioned

Failure of this system is dominated by the human error of mispositioning the mode selector switch. There is no indication in the control room to aid the operator in determining the correct position for this switch. This error, if undetected, leads directly to system failure. Verification and review of the System Operating Procedures and Check-off Lists should reduce the probability of failure.

4. Diesel Generator SW Outlet Flow Control Valves FCV-1176 and FCV-1176A Fail to Open on Demand and Remain Open for 24 Hours

Failure to open both of these valves will cause unavailability of all three Diesel Generators. In the event of Loss of Offsite Power, the DGs are required to supply electrical power. Testing of valves according to the Technical Specifications should reduce the probability of failure.
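The ranking idea behind a dominant failure modes table such as Table 5.2, as an added example that is not part of the report or of its NSPKTR program: failure modes 1 to 3 for one nuclear header are written as minimal cut sets (single-event failures plus any two of three pumps) and ranked by Fussell-Vesely importance. Every probability below is a constructed placeholder, not a value from the IPPSS, and the event and function names are hypothetical.

```python
from itertools import combinations, product

# Constructed per-demand failure probabilities for ONE nuclear header.
# These are illustrative placeholders, NOT values taken from the report.
BASIC_EVENTS = {
    "check_valve_fails_to_open": 1.0e-4,
    "manual_isolation_valve_left_closed": 5.0e-4,
    "header_piping_rupture": 1.0e-6,
    "mode_selector_switch_mispositioned": 3.0e-3,
    "pump_A": 2.0e-2,
    "pump_B": 2.0e-2,
    "pump_C": 2.0e-2,
}
PUMPS = ("pump_A", "pump_B", "pump_C")


def minimal_cut_sets():
    """Cut sets for 'no flow to the essential header'.

    Each valve, piping or switch event fails the header on its own.
    Two of three pumps are required, so any pair of failed pumps
    is also a minimal cut set.
    """
    singles = [frozenset([e]) for e in BASIC_EVENTS if e not in PUMPS]
    pairs = [frozenset(p) for p in combinations(PUMPS, 2)]
    return singles + pairs


def top_event_probability(probs, cut_sets):
    """Exact P(header fails), assuming independent basic events.

    Enumerates every combination of failed/working basic events and
    sums the probability of those in which some cut set is fully failed.
    """
    names = list(probs)
    total = 0.0
    for state in product((False, True), repeat=len(names)):
        failed = {n for n, s in zip(names, state) if s}
        if any(cs <= failed for cs in cut_sets):
            p = 1.0
            for n, s in zip(names, state):
                p *= probs[n] if s else 1.0 - probs[n]
            total += p
    return total


def fussell_vesely(probs, cut_sets):
    """Rank basic events by Fussell-Vesely importance.

    FV(i) = (P(top) - P(top | event i never occurs)) / P(top),
    i.e. the fraction of system failure probability that involves event i.
    Returns (event, importance) pairs, largest first.
    """
    base = top_event_probability(probs, cut_sets)
    importance = {}
    for name in probs:
        perfect = dict(probs, **{name: 0.0})
        reduced = top_event_probability(perfect, cut_sets)
        importance[name] = (base - reduced) / base
    return sorted(importance.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    cuts = minimal_cut_sets()
    print(f"P(header fails) = {top_event_probability(BASIC_EVENTS, cuts):.3e}")
    for event, fv in fussell_vesely(BASIC_EVENTS, cuts):
        print(f"{event:40s} FV = {fv:.3f}")
```

With these constructed inputs the switch-mispositioning event ranks first; with plant-specific data the same calculation gives the ordering an inspection plan would follow.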


TABLE 5.3
Indian Point Unit 3 Probabilistic Safety Study-Based Inspection Plan - Service Water System
I&E Inspection Procedures for System Operation

Procedure 61726, Monthly Surveillance Observation
  • SW Pumps 31-36 (failure mode 2)
  • Pump/Header Discharge Check Valves (failure modes 1,2)
  • Mode Selector Switch (failure mode 3)
  • DG Outlet Flow Control Valve (failure mode 4)
  • System Piping (failure mode 1)

Procedure 62700, Maintenance
  • SW Pumps and Motors 31-36 (failure mode 2)

Procedure 62703, Monthly Maintenance Observation
  • SW Pump Strainers (failure mode 2)
  • Pump/Header Discharge Check Valves (failure modes 1,2)
  • Pump/Header Main Isolation Valves (failure modes 1,2)

Procedure 71707, Operational Safety Verification
  • SW Pumps 31-36 (failure mode 2)

Procedure 71710, ESF System Walkdown
  • SW Pumps 31-36 (failure mode 2)
  • Mode Selection Switches (failure mode 3)
  • SW Pump Local/Remote Switches (failure mode 2)
  • Pump Strainers (failure mode 2)
  • Key Valves and Breakers as per Table 5.4 (failure modes 1,2,3,4)

TABLE 5.4 Indian Point Unit 3 Probabilistic Safety Study-Based Inspection Plan - Service Water System

Modified System Walkdown

In the three-column tables below, the two position columns give the required position for each control room (C.R.) selector switch position of the essential pumps: 31, 32, 33 or 34, 35, 36.

1. Control Room

| Component | 31, 32, 33 | 34, 35, 36 |
|---|---|---|
| SW Pump Selector Switch (pumps supplying essential header) | 31,32,33 | 34,35,36 |
| TCV-1103 Cont. Temp. Controller | MAN/AUTO | MAN/AUTO |

2. Intake Structure

| Component | 31, 32, 33 | 34, 35, 36 |
|---|---|---|
| SWN-2 A, B, C, D, E, F Pump outlet valves (6) | OPEN | OPEN |
| ΔP across Strainer (reading for each pump strainer) | READING | |
| SWN-4 Supply from 31,32,33 SWP Discharge Header | SHUT | OPEN |
| SWN-5 Supply from 34,35,36 SWP Discharge Header | OPEN | SHUT |

3. Valve Pit (SWS to Conventional Plant)

| Component | 31, 32, 33 | 34, 35, 36 |
|---|---|---|
| SWN SW Pumps 34,35,36 Discharge Isolation to conventional Essential header | SHUT | OPEN |
| SWN SW Pumps 31,32,33 Discharge Isolation to conventional Essential header | OPEN | SHUT |

4. Valve Pit (Standby Service Water)

| Component | 31, 32, 33 | 34, 35, 36 |
|---|---|---|
| SWN SW Pumps 37,38,39 Discharge Isolation VLV to pumps 31,32,33 Discharge Header | OPEN | SHUT |
| SWN SW Pumps 37,38,39 Discharge Isolation VLV to pumps 31,32,33 Discharge Header | SHUT | OPEN |
| SWN SW Pumps 31,32,33 Discharge Isolation VLV to nuclear services | OPEN | OPEN |
| SWN SW Pumps 34,35,36 Discharge Isolation VLV to nuclear services | OPEN | OPEN |

5. 480 Volt Bus Feeds to Service Water Pumps

| Bus | Component | Position |
|---|---|---|
| Bus No. 2A | No. 32 SW Pump Breaker | RACKED IN |
| | Breaker Control Power Fuses | RACKED IN |
| Bus No. 3A | No. 35 SW Pump Breaker | RACKED IN |
| | Breaker Control Power Fuses | RACKED IN |
| Bus No. 5A | No. 31 SW Pump Breaker | RACKED IN |
| | Breaker Control Power Fuses | RACKED IN |
| | No. 34 SW Pump Breaker | RACKED IN |
| | Breaker Control Power Fuses | RACKED IN |
| Bus No. 6A | No. 33 SW Pump Breaker | RACKED IN |
| | Breaker Control Power Fuses | RACKED IN |
| | No. 36 SW Pump Breaker | RACKED IN |
| | Breaker Control Power Fuses | RACKED IN |

6. Service Water Transfer Panel

| Component | Position |
|---|---|
| No. 1 pump switch | REMOTE |
| No. 2 pump switch | REMOTE |
| No. 3 pump switch | REMOTE |
| No. 4 pump switch | REMOTE |
| No. 5 pump switch | REMOTE |
| No. 6 pump switch | REMOTE |

7. CCR Air Conditioning

| Component | 31, 32, 33 | 34, 35, 36 |
|---|---|---|
| SWN-94-A inlet to AC 32 | CLOSED | OPEN |
| SWN-94-B inlet to AC 31 | CLOSED | OPEN |

8. SW to Diesel Generators

| Component | 31, 32, 33 | 34, 35, 36 |
|---|---|---|
| SWN-30 inlet stop from 31,32,33 SWP header | OPEN | CLOSED |
| SWN-29 inlet stop from 31,32,33 SWP header | SHUT | OPEN |
| SWN-62-5 inlet stop from 31,32,33 SWP header for No. 33 DG | OPEN | CLOSED |
| SWN-62-6 inlet stop from 34,35,36 SWP header for No. 33 DG | SHUT | OPEN |
| SWN-62-3 inlet stop from 31,32,33 SWP header for No. 32 DG | OPEN | SHUT |
| SWN-62-4 inlet stop from 34,32,33 SWP header for No. 32 DG | SHUT | OPEN |
| SWN-62-1 inlet stop from 31,32,33 SWP header for No. 31 DG | OPEN | SHUT |
| SWN-62-2 inlet stop from 34,35,36 SWP header for No. 31 DG | SHUT | OPEN |

9. Service Water Pipe Chase (Cont. Coolers)

| Component | 31, 32, 33 | 34, 35, 36 |
|---|---|---|
| SWN-38 SW supply to fan cooler units from 34,35,36 | SHUT | OPEN |
| SWN-39 SW supply to fan cooler units from 31,32,33 | OPEN | SHUT |
| SWN-56 SW supply to rad monitor syphon from 34,35,36 | SHUT | OPEN |
| SWN-60 SW supply to rad monitor syphon from 31,32,33 | OPEN | SHUT |

IP3 SERVICE WATER SYSTEM PRIORITY VALVES AND SWITCHES

NOTES:

1. The list of priority valves and switches for the service water system is extensive because it takes all of these valves to establish the "essential" manifold. If at any time the position of one or more of these valves does not correspond to the column indicated by the control room selector switch position, then one or more essential loads will not be satisfied during an accident or emergency condition involving loss of power. For example, with the selector switch position in the 31, 32, 33 position, if SWN-30 is shut, the diesels will not receive any cooling water, and will eventually shut down on overtemperature. During normal plant operation, this fault would not be discovered because the diesels could be fed from SWN-29, which supplies water from the second (non-essential in this case) manifold.
2. The control room selector switch position 31, 32, 33 or 34, 35, 36 establishes the essential manifold.
3. The ΔP across the strainers (intake structure) is not a normal part of the system line-up check-off list (COL-RW 2), but should be included in the inspector's observations since this reading will indicate the following:
  • Pump running or shutdown
  • Strainer condition (i.e., clogged)
4. Breaker position (racked in) and pump switch position (remote) on the SW transfer panel will enable pump operation from the control room during normal and emergency conditions.

TABLE 5.5 Indian Point Unit 3 Probabilistic Safety Study-Based Inspection Plan - Reactor Protection System

Failure Mode Identification

Conditions That Can Lead to Failure

1. Process Instruments (Sensors and Bistables) Fail to Initiate a Reactor Trip Signal Due to Calibration Error

Two or more redundant channels can fail in a common manner due to calibration errors. This could cause system failure for the monitored parameter. Surveillance of the licensee's calibration activities and procedures in accordance with the Technical Specifications and relevant NRC bulletins and information notices should reduce the probability of failure.

2. Process Instruments (Sensors and Bistables) Fail to Initiate a Reactor Trip Signal Due to Maintenance Error

The failure to properly manipulate the process instrument valving prior to and following maintenance could result in system failure for the monitored parameter. Surveillance of the licensee's maintenance activities and procedures with consideration of relevant NRC bulletins and information notices should reduce the probability of failure.

3. Process Instruments (Sensors and Bistables) Fail to Initiate a Reactor Trip Signal Due to Mechanical or Electrical Failure

Two or more redundant channels can fail due to mechanical or electrical problems, possibly resulting in system failure for the monitored parameter. Surveillance of the licensee's periodic testing activities and procedures in accordance with the Technical Specifications and relevant NRC bulletins and information notices should reduce the probability of failure.

4. Reactor Trip Breakers Fail to Open

The failure of the reactor trip breakers to open when required could result in electrical power being maintained on the control rod drive mechanisms, thereby preventing control rod insertion. Surveillance of the licensee's periodic testing and preventive maintenance activities and procedures in accordance with the Technical Specifications and relevant NRC bulletins and information notices should reduce the probability of failure.

5. Logic Relays Fail to Open

The failure of the logic relay contacts to open based on a trip signal from the appropriate bistable could result in system failure. Surveillance of the licensee's periodic testing activities and procedures in accordance with the Technical Specifications and relevant NRC bulletins and information notices should reduce the probability of failure.

6. Reactor Trip Bypass Breakers Fail to Open

During surveillance testing, the bypass breakers may be closed to permit testing of the reactor trip breaker. Failure of the bypass breaker to trip could result in system failure. Surveillance of the licensee's periodic testing and preventive maintenance activities and procedures in accordance with the Technical Specifications and relevant NRC bulletins and information notices should reduce the probability of failure.

7. Rod Control Cluster Assemblies Fail to Insert

During most of the plant operating time, the Control Rod Drive Mechanisms hold the control rods withdrawn from the core in a static position by means of a stationary gripper which latches the rods by means of an applied magnetic field. The control rods drop by de-energizing the gripper. Restriction to rod movement could result in a failure to bring the reactor subcritical during a scram condition. Surveillance of the licensee's periodic testing and preventive maintenance activities and procedures in accordance with the Technical Specifications and relevant NRC bulletins and information notices should reduce the probability of failure.

8. Reactor Trip Breaker Undervoltage Relays Fail to Operate

Failure of both trip breaker undervoltage relays could prevent the reactor trip breakers from operating, resulting in system failure. Surveillance of the licensee's periodic testing and preventive maintenance activities and procedures in accordance with the Technical Specifications and relevant NRC bulletins and information notices should reduce the probability of failure.

TABLE 5.6 Indian Point 3 Probabilistic Safety Study-Based Inspection Plan - Reactor Protection System

I&E Inspection Procedures for RPS

| Procedure Number | Title | Components | Failure Modes |
|---|---|---|---|
| 56700 | Calibration | Process Instruments (Sensors & Bistables) | 1 |
| 52051 | Instrument Components and Systems-Procedure Review | Process Instruments (Sensors & Bistables) | 1,2,3 |
| 52053 | Instrument Components and Systems-Work Observation (Section 02.01b) | Process Instruments (Sensors & Bistables) | 1,2,3 |
| 52055 | Instrument Components and Systems-Record Review | Process Instruments (Sensors & Bistables) | 1,2,3 |
| 61725 | Surveillance and Calibration Control Program | Process Instruments (Interlocks) | 1 |
| 61726 | Monthly Surveillance Observation | Logic Relays | 5 |
| | | Reactor Trip Breakers | 4 |
| | | Reactor Trip Bypass Breakers | 6 |
| | | Rod Control Cluster Assemblies | 7 |
| 62702 | Maintenance (Section 02.03, Preventive Maintenance) | Reactor Trip Breakers | 4 |
| | | Reactor Trip Bypass Breakers | 6 |
| | | Reactor Trip Breaker UV Relays | 8 |
| 71707 | Operational Safety Verification | Process Instruments (Control Room Indication and Status Lights) | 1,2,3 |

TABLE 5.7 Modified System Walkdown

The Reactor Protection System is a normally energized system whose operability must be assured by extensive surveillance testing. Observation of the conduct of this testing will provide the inspector with direct input regarding the safety function capability of the system. System walkdown during normal power operation will reveal little regarding the safety function status.

NORMAL OPERATION WALKDOWN

| Component | Required Status | Actual Status |
|---|---|---|
| 1. Reactor Trip Breakers | RTA Closed | |
| | RTB Closed | |
| 2. Reactor Trip Bypass Breakers | BYA Open | |
| | BYB Open | |
| 3. Annunciator Panel - RPS (Top Section of CCR Supervisory Panel) | No windows illuminated | |
| 4. RPS Trip Status Panel | No lights illuminated | |
| 5. RPS Permissive and Bypass Status Panel | No lights illuminated | |
| 6. Process Instrument Bistables Mode Switches | Mode Switch in OPERATE | |

TABLE 5.8 Indian Point Unit 3 Probabilistic Safety Study-Based Inspection Plan - Safeguards Actuation System

Failure Mode Identification

Conditions That Can Lead to Failure

1. Process Instruments (Sensors, Signal Conditioners and Bistables) Fail to Initiate a Safeguards Actuation Signal (SAS) Due to Calibration Error

Two or more redundant channels can fail in a common manner due to calibration errors, possibly causing system failure for the monitored parameter. Surveillance of the licensee's periodic calibration activities and procedures in accordance with the Technical Specifications and relevant NRC bulletins and information notices should reduce the probability of failure.

2. Process Instruments (Sensors, Signal Conditioners and Bistables) Fail to Initiate a SAS Due to Maintenance Error

The failure to properly position the process instrument valving or other isolation prior to and following maintenance could result in system failure for the monitored parameter. Surveillance of the licensee's maintenance activities and procedures with respect to relevant NRC bulletins and information notices should reduce the probability of failure.

3. Process Instruments (Sensors, Signal Conditioners and Bistables) Fail Due to Mechanical or Electrical Faults

Two or more redundant channels can fail due to mechanical or electrical problems, possibly resulting in system failure for the monitored parameter. Surveillance of the licensee's periodic testing and maintenance activities and procedures in accordance with the Technical Specifications and relevant NRC bulletins and information notices should reduce the probability of failure.

4. Logic Relays Fail to Close When Required

The failure of a logic relay contact to close based on a Safeguards Actuation Signal from the appropriate bistable could result in system failure. Surveillance of the licensee's periodic testing and maintenance activities and procedures in accordance with the Technical Specifications and relevant NRC bulletins and information notices should reduce the probability of failure.

5. DC Power Fuse Opened Prematurely by Maintenance Error

The opening of the DC power circuit supplying power to a SAS channel will cause loss of SAS capability. Surveillance of the licensee's maintenance activities and operating procedures with consideration of relevant NRC bulletins and information notices should reduce the probability of failure.

TABLE 5.9 Indian Point Unit 3 Probabilistic Safety Study-Based Inspection Plan - Safeguards Actuation System

I&E Inspection Procedures for SAS

| Procedure Number | Title | Components | Failure Modes |
|---|---|---|---|
| 56700 | Calibration | Process Instruments (Sensors, Signal Conditioners & Bistables) | 1,2,3 |
| 52051 | Instrument Components and Systems-Procedure Review | Process Instruments (Sensor, Signal Conditioners & Bistables) | 1,2 |
| 52053 | Instrument Components and Systems-Work Observation | Process Instruments (Sensors, Signal Conditioners & Bistables) | 1,2,3 |
| 52055 | Instrument Components and Systems-Record Review | Process Instruments (Sensors, Signal Conditioners & Bistables) | 1,2,3 |
| 61725 | Surveillance & Calibration Control Program | Process Instruments and Logic Control Circuitry (Sensors, Signal Conditioners, Bistables, Logic Relays and Circuits) | 1,2,3,4,5 |
| 61726 | Monthly Surveillance Observation | Logic Control Circuitry (Bistables, Logic Relays and Circuits) | 1,2,3,4,5 |
| 62702 | Maintenance | Process Instruments (Sensors and Signal Conditioners) | 2,3,5 |
| 71707 | Operational Safety Verification | Process Instruments (Control Room Indication and Status Lights) | 1,2,3 |
| 71710 | ESF System Walkdown | Process Instruments and Logic Control Circuitry Status Lamps | 2,3,4,5 |

TABLE 5.10 Safeguards Actuation System

System Walkdown

The Safeguards Actuation System is a normally energized system which must de-energize to actuate (close) the relay contacts (with the exception of the Containment High-High Pressure network which must energize to actuate). Operability must be assured by extensive surveillance testing, the observation of which will provide the inspector with direct input regarding the safety function capability of the system. System walkdown during normal power operation will only reveal whether the following circuits are properly aligned:

Normal Plant Operation Status Check and Lamp Check

For the Logic Channel under Test, have licensee personnel open the appropriate panel doors. Verify that the appropriate Test Panel Lights are ON or OFF as indicated in the table below. For those lamps that are normally not illuminated, have licensee personnel press only those which are marked *.

NORMAL OPERATION WALKDOWN

| No. | Components | Required Status | Actual Status, Channel 1 | Actual Status, Channel 2 |
|---|---|---|---|---|
| | LIGHTS ON PANEL l-1 | | | |
| 716 | Safeguards Actuating Block Relay (Red) | OFF* | | |
| 717 | Auto DC Power | ON | | |
| 718 | Manual DC Power | ON | | |
| | CONTAINMENT SPRAY LAMPS | | | |
| 719 | Matrix | OFF* | | |
| 720 | Master | OFF* | | |
| 721 | Actuating Relay | ON | | |
| | STEAM LINE ISOLATION LAMPS | | | |
| 722 | Flow Matrix | OFF, DO NOT TEST | | |
| #723, 724, 725, 726, 727 | Actuating Relays 1,2,3 and 4 | ALL ON | | |
| | CONTAINMENT ISOLATION B LAMPS | | | |
| 728 | Master | OFF* | | |
| 729 | Actuating Relay | ON | | |
| | LIGHTS ON PANEL l-2 | | | |
| | SAFETY INJECTION LAMPS | | | |
| 736 | Master | OFF* | | |
| 730 | Matrix | OFF* | | |
| 732, 733, 734, 735 | Actuating Relays 1,2,3 and 4 | ALL ON | | |
| 731 | Block Matrix | OFF if pressurizer pressure above 1900 psig, ON if below 1900 psig | | |
| | CONTAINMENT VENTILATION ISOLATION LAMPS | | | |
| 737 | Master | OFF* | | |
| 738 | Actuating Relay | ON | | |
| | CONTAINMENT ISOLATION A LAMPS | | | |
| 739 | Master | OFF* | | |
| 740, 741, 742, 743 | Actuating Relays 1,2,3 and 4 | ALL ON | | |
| 792 | Rx Trip Aux. Relay | OFF if reactor not tripped, on otherwise | | |
| | FEEDWATER ISOLATION LAMPS | | | |
| 793 | Feedwater Isolation Actuating Relay 1 | OFF* if reactor not tripped, on otherwise | | |
| 794, 797, 798 | Feedwater Isolation Actuating Relays 2 1,2,3 and 4 | OFF* | | |

Reference documents: NYPA Periodic Test Procedures 3PT-M14A/B both entitled, "Safety Injection System Logic Channel Functional Test," Rev. 10, February 25, 1985.


NRC FORM 335, U.S. NUCLEAR REGULATORY COMMISSION

BIBLIOGRAPHIC DATA SHEET

Report Number: NUREG/CR-4565, BNL-NUREG-51973

Title and Subtitle: Probabilistic Safety Study Applications Program for Inspection of the Indian Point Unit 3 Nuclear Power Plant

Authors: J. H. Taylor, R. Fullwood, and A. Fresco

Date Report Completed: January 1986

Date Report Issued: March 1986

Performing Organization Name and Mailing Address: Brookhaven National Laboratory, Upton, New York 11973

Sponsoring Organization Name and Mailing Address: Region I Division of Reactor Projects, U.S. Nuclear Regulatory Commission, King of Prussia, PA 19406

FIN No.: A-3453

Type of Report: Final Report

Abstract:

By prioritizing the various areas of possible interest for inspection and by better defining inspection needs, the NRC expects to make more effective use of finite inspection resources by concentrating on those potential areas most significant to safety. Through review and application of the Indian Point Unit 3 Probabilistic Safety Study's numerical data and event tree modeling, and by utilizing related documents, a technical basis for prioritizing areas for NRC inspection has been developed. This was then tested at the plant site for the NRC Operating Reactor Inspection Program, I&E Manual Chapter 2515. Inspection activities addressed include normal operations, system and component testing, maintenance and surveillance. A computer program entitled NSPKTR, which was developed specifically for this program, modeled the internal plant states to the system level and performed the risk and importance calculations.

Key Words and Document Analysis: NSPKTR computer code; PRA Guidance; PRA Inspection Guidance

Availability Statement: Unlimited

Security Class (this report): Unclassified

Security Class (this page): Unclassified