ML20205F019
| ML20205F019 | |
| Person / Time | |
|---|---|
| Site: | Crystal River  |
| Issue date: | 10/09/1985 |
| From: | Stolz J Office of Nuclear Reactor Regulation |
| To: | Wilgus W FLORIDA POWER CORP. |
| References | |
| TAC-48921, NUDOCS 8511040115 | |
| Download: ML20205F019 (25) | |
Text
i October 9, 1985 yg3 g((
Docket No. 50-302 DISTRIBUTION G ocket jFile RIngram NRC4tri HSilver L PDR Gray File Mr. Walter S. Wilgus ORB #4 Rdg EBrach Vice President, Nuclear Operations HThompson H0rnstein Florida Power Corporation OELD WPaulson ATTN: Manager, Nuclear Licensing EJordan GEdison
& Fuel Management BGrimes P. O. Box 14042; M.A.C. H-3 JPartlow St Petersburg, Florida 33733 ACRS-10
Dear Mr. Wilgus:
In December 1981, the results of a study entitled " Crystal River 3 Safety Study" performed by Science Applications, Inc. were published as part of the Interim Reliability Evaluation Program (IREP). We had performed a review of this study in 1983 and the results of that review were previously available to you. The purpose of this letter is to transmit formally to you the enclosed review, which does not critique the methodology but rather concentrates on identification of dominant accident sequences and system failures and insights gained through the process of probabilistic risk assessment. We have identified actions and modifications which have already been made and further procedural or administrative actions which merit consideration for early implementation to address the dominant accident sequences and reduce the frequency of particular sequences and the overall probability of core melt. We recognize that since completion of this review, actions identified as proposed or planned (e.g., EFIC) have been completed.
No response to this letter is required.
Sincerely, s..as sIca ny JCra a. Bro q =,-
John F. Stolz, Chief Operating Reactors Branch #4 Division of Licensing
Enclosure:
As Stated cc w/ enclosure:
See next page
/$
OR 4:DL 0 4+DL HSilver;cf JS 10/g/85 10/^ /85 g{0Nh p
P
]
r-Mr. W. S. Wilgus Crystal River Unit No. 3 Nuclear Florida Power Corporation Generating Plant cc:
Mr. R. W. Neiser Bureau of Intergovernmental Relations Senior Vice President 660 Apalachee Parkway and General Counsel Tallahassee, Florida 32304 Florida Power Corporation P. O. Box 14042 Mr. Wilbur Langely, Chairman St Petersburg, Florida 33733 Board of County Commissioners Citrus County Nuclear Plant Manager Inverness, Florida 36250 Florida Power Corporation P. O. Box 219 Crystal River, Florida 32629 Mr.' Robert B. Borsum Babcock & Wilcox Nuclear Power Generation Division Suite 220, 7910 Woodmont Avenue Bethesda, Maryland 20814 Resident Inspector U.S. Nuclear Regulatory Commission Route #3, Box 717 Crystal River, Florida 32629 Regional Administrator, Revion II U.S. Nuclear Regulatory Commission 101 Marietta Street, Suite 3100 Atlanta, Georgia 30303 Mr. U1 ray Clark, Administrator Radiological Health Services Department of Health and Rehabilitative Services 1323 Winewood Blvd.
Tallahassee, Florida 32301 Administrator Department of Environmental Regulation Power Plant Siting Section State of Florida 2600 Blair Stone Road Tallahassee, Florida 32301 Attorney General Department of Legal Affairs The Capitol Tallahassee, Florida 322C4
-by
. Ins.ights Gained from the Interim Reliability Evaluation Program regarding the Crystal River 3 Nuclear Power Plant I.
INTRODUCTION
~~"
In December 1981, Sandia National ?aboratories published the results of the study entitled, " Crystal River-3 Safety Study" performed by Science Applications, Inc. as the Phase I project of the Interim Reliability Evaluation Program (IREP).
The project had three original objectives:
first, to perform a preliminary assessment of the probability of core melt and level of risk associated with the operation of the Crystal River-3 (CR-3) plant and compare the results with those of the Reactor Safety Study (RSS/ WASH-1400); second, to provide support for the broader investigation by NRC of the sensitivity of risk to feedwater perturbations associated with the once-through-steam generator (OTSG) and the Integrated Control System (ICS) in plants with reactors designed by Babcock and Wilcox; and third, ta provice a basis for the development of plans and procedures for IREP Phase II.
Following the probabilistic risk assessment (PRA) of CR-3, Phase II of IREP was initiated.
The continuation of this program sponsored by the Office of Nuclear Regulatory Research (RES) consisted of additional PRAs conducted on four plants (Arkansas Nuclear One Unit 1, Browns Ferry 1, Calvert Cliffs 1 and Millstone 1). The purposes of these PRAs, as well as the CR-3 Safety
I
-g.
Study, were to further,the development of appropriate methodology, to test it against various designs of plant systems and containments and to train NRC staff in the conduct of PRAs.
The IREP type analyser were principally concerned with the probability of core melt with no detailed review of containment failure ~or ofYsite can's'equences.
However, in most of the IREP
~
~
studies, containment failure modes and assignments of accident sequences to release categories were done using the results of accident sequence phenomenology evaluations published in May 1981, which were performed for a B&W reactor by Battelle Columbus Laboratories in support of the Reactor Safety Study Methodology Applications Program (RSSMAP, a RES sponsored program).
This was done to give some measurement of risk when comparing accident sequences., though consequences were not calculated for each specific site.
The purpose of this review is :o gain insights into system unavailabilities and accident sequences leacing to core melt as found in the conclusions of the CR-3 Safety Study.
This is not a critique of the methodology, data bases or calculations employed in the study.
This limited review is intended to identify the dominant accident sequences comprising the estimated overall probability of core melt associated with the CR-3 plant, the significant factors (both design and operational vulnerabilities and assumptions made in the course of the study) leading to the doninance of these sequences which may merit further investigation, and actions taken by the licensee in response to the conclusions of the the CR-3 Safety Study.
s 3-II.
SUMMARY
.0F.RESULTS The overall probability of core melt estimated for the CR-3 plant is 3.7 x 10 4 per reactor year (RY).
Consideration of external events was not in the
~scope of this analysis so this estimate is due to internal events only.
~~'
Eightsequences'ari~consi~dereddom'Tnintwithregardtocoremeltfrequency in the CR-3 PRA and they constitute approximately 88% of the overall probability of core melt.
Four sequences are initiated by a small small LOCA (designated B, effective area less than.087 sq. ft.) followed by 4
failure of Emergency Coolant Injection or Recirculation.
These sequences contribute 67% to overall core melt probability.
The other four sequences are transient initiated (three by Loss of Offsite Power (LOSP), one by Loss of Power Conversion System not due to LOSP) followed by failure of the Emergency Feedwater System, failure of Primary System Makeup (in these sequences, this is failure of the operator to establish feed-and-bleed) and failure to reduce containment pressure.
These sequences contribute 21% to overall core melt probability.
r-III. 00MINANT SEQUENCES Listed below are the sequences considered dominant with respect to core melt in the CR-3 Safety Study along with their estimated frequencies:
I o
G
.-s..
1)
B 5._.
4 2 LOCA.(small small) followed by failure of High Pressure Recirculation 1.7 x 10 4/RY This sequence represents 46% of total core melt probability.
2)
B523-LOCA (small small) followed by failure 4
of Emergency Coolant Injection and 6.5 x 10 5/RY a
Reactor Building Spray Injection This sequence represents 17% of total core melt probability.
3)
T T -
L ss of Offsite Power transient followed 2A 10 by failure of Emergency Feedwater, I
Primary System Makeup, Containment Pressure Reduction and Post Accident Radioactivity Removal 5.4 x 10 5/RY
^
(Sprays and Fan Coolers)
This sequence represents 15% of total core melt probability..
4)
T T-Loss of Offsite Power Transient followed 2A g by failure of Emergency Feedwater and Primary System Makeup 1.4 x 10 5/RY This sequence represents 4% of tc tal core melt probability.
I
+,.
5) 85 LOCA (small small) followed by failure 4g of Emergency Coolant Injection. This 9 x 10-6/RY sequence represents 2% of total core melt probability.
~
6)
(T -T2A)T8 L ss of Power Conversion System transient 2
(not due to LOSP) followed by failure of Emergency Feedwater and Primary System Makeup (feed-and-bleed).
This sequence 8.6 x 10 8/Rf represents 2% of total core melt probability.
7)
B5-LOCA (small small) follwed by failure 46 Emergency Coolant Recirculation and Reactor Building Spray Recirculation.
3.9 x 10 8/RY This sequence represents 1% of total core melt probability.
8.
T T-Loss of Offsite Power Transient 2A g followed by failure of Emergency Feedwater, Primary System Makeup (feed-and-bleed) and Post Accident Radioactivity Removal.
2.5 x 10 8/RY This sequence represents less than 1% of total core melt probability.
IV.
INSIGHTS / ACTIONS
- A.
Insights The overall core melt probability is 3.7 x 10 4/RY.
The dominant sequences represent 88% of the total, with 67% represented by small small LOCA initia.ted sequences and 2h% by transient initiated sequences.
~
1)
LOCA Sequences The dominance of these sequences is driven primarily by the initiator frequency and operator errors.
The treatment of human error in the CR-3 Safety Study results in operator error being the dominant failure mode of the safety injection and recirculation systems.
A relatively high probability of error is ttached to the performance of actions under accident conditions.
Specifically, the operator is subject to any of t
l severaP errors in the manual switchover from the injection phase to the recirculation phase and during the phases themselves:
1)
Premature Switchover - the operator configures for recirculation too soon causing pump cavitation due to insufficient net positive suction head.
2)
After terminating the low pressure injection pumps (which initiate upon the same ESAS signal which starts the high pressure pumps when RCS -
pressure is less than 1500 psig), the operator fails to reinitiate the low pressure pumps, the discharge from which the high pressure pumps j
take suction in the recirculation mode.
l l
,v..-
s 3)
The operator iradvertently turns off the high pressure pumps.
4)
The operator incorrectly reconfigures the system for recirculation.
~
~ '
~ ~
The sequence which domina'tes (46% ' contribution) the overall probability of core melt in the CR-3 study is the small-small LOCA followed by failure of High Pressure Recirculation sequence with an estimated frequency of 1.7 x 10 4/RY (designated B S ).
This sequence is essentially comprised of the 4 2 initiating event and human error.
The frequency of a small-small break LOCA '
assumed in the CR-3 study is 1.3 x 10 3/YR.
This figure does not include the contribution from Reactor Coolant Pump Seal Failures, those of which leakage is excess enough.to require high pressure injection, estimated to be I
about 10 2/YR.
This would increase the frequency of these sequences by roughly an order of magnitude.
The remainder cf the sequence, failure of High Pressure Recirculation, is due entirely to human error.
Attached to this evaluation (Enclosure 1) are the THERP (Technique for Human Error Rate Prediction) tree analyses performed in the Crystal River-3 study for human errors using the methodology described
'in NUREG/CR-1278 (Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, by A. D. Swain and H. E. Guttman of Sandia National Laboratories).
i
,c,--
-.n--
c
The human eriors which ' apply to this sequence are faults H*02 (operator makes an error in realigning valves for recirculation) and LO6 (operator prematurely shuts down low pressure pumps after having had to shut them down three times during injection).
The probability of these errors are estimated to be.08/ demand for fault H*02 and.05/ demand for LO6, combining to give a 1.3 x 10 1 contribution of human error failing High Pressure Recirculation in this sequence.
Referring to the THERP diagram, it is important to note the sources of these high probabilities of failure, especially where there is potential to reduce these factors or where there have been changes made since the time of the study which have already affected the probabilities of these errors.
The analysis of operator fault H*02 is based on the assumption of one operator in the control room throughout the injection phase and switchover to recirculation.
Post TMI staffing requirements would change this assumption since there must be two control room operators and one senior reactor operator in the control room. with the possibility of up to six others which' must be available during each shift (NUREG-0737).
Using the techniques in the Handbook of Human Reliability Analysis (NUREG/CR-1278) it was estimated in the ANO-1 IREP analysis that the increase in staffing could possibly give a factor of 10 improvement to this sequence.
The other sources of error in probability estimates are in the emergency procedures outlined in the THERP analysis, especially with regard to steps B, D and G, where poorly written
' rocedures increase the likelihood of operator error under accident p
conditions.
At the very minimunr,, it is necessary to ensure that the potential of reducing these errors and sequence frequency is recognized and is explicitly a part of the licensee's submittal of the Procedures Generation Package (PGP) containing procedural changes and operator training to be
~
~
' ~ "
, implemented in response to SECY 82-111, " Requirements for Emergency Response Capability." This is also true for error LO6, where upgraded procedures could reduce the probability of the operator failing to reinitiate the low pressure pumps for recirculation.
However, the recessity of shutting down the low pressure pumps during injection should be examined prior to instituting procedural changes.
Therefore, unless the above changes (staffing and procedural) are implemented, the likelihood of this sequence leading to core damage may be higher than that in the IREP study for CR-3.
- 2) Transient Sequences The dominant contributors to the occurrence of these sequences are primarily:
.32/yr loss of power conversion system not due to LOSP 1.78/yr l
Failure of backup emergency
.AC power from fossil units Crystal River 1 and 2
.36/ demand Failure of diesel A to start and run 6.2x10 2/ demand
~
Failure of battery B 3.2x10 8/ demand Failure of turbine driven emergency feedwater train 2.2x10 2/ demand
.e
Operator fails to correctly observe
- and diagnose the need for feed-and-bleed and therefore does not initiate the action 1.4x10 2/ demand
- The transient sequence with the highest frequency (designated T2A 10) 'I T
' " ' ' ~
5.4 x 10 5/RY is iiiitiated by a Lo'ss"of Offsite Power transient followed by
~
~
~
failure of Emergency Feedwater, Primary System Makeup, Containment Pressure Reduction and Post Accident Radioactivity Removal.
This sequence contributes 15% to overall core melt probability and upon examining the dominant cut sets, it is essentially a Station Blackout sequence (with potential for greater offsite releases thus increasing its importance in terms of risk to public safety).
For the dominant cut set, there is no recovery of AC power assumed which negates the possibility of any subsequent system operation (including feed and bleed).
It is important to note that failure of battery B fails both the B diesel (the breaker connecting the gererator to the bus fails to close) and the turbine driven emergency feedwater pump.
With simultaneous failure of diesel A, emergency cooling is dependent on the availability of emergency AC power from fossil Units 1 or 2.
The Loss of Offsite Power sequence frequencies were estimated to be about three times lower than they would have been if the two fossil units were not at the CR-3 site.
l
'*See THERP Diagram for " Feed and Bleed".
L.
The attached. correspondence (Enclosure 2) between NRC and the licensee outlines the proposed modifications addressing the DC dependency of the turbine driven EFW train and the licensee's responses.
~ ~ ~ ' '
Actions which are le~ss ha'rdware re'Tated, such as the capability of the operator to manually actuate the turbine-driven EFW pump locally and the availability of procedures for this action should be pursued with the licensee, although the factor of improvement may be only as high as two for this particular sequence.
Because this sequence could lead to substantial offsite releases, we believe that the above administrative procedural improvements are appropriate for early consideration, whereas further improvements in AC and DC power reliability would be pursued according to the resolution of NRC programs A-44 " Station Blackout" and A-30, "DC Power Study."
B.
Actions Listed below are the actions taken by the licensee both during the course of the study and in response to recommendations made by NRC prompted by the conclusions of the study with respect to broader issues (e.g., installation
'of the new B&W Emergency Feedwater Instrument Control System so that modifications to the steam line rupture matrix will provide emergency feedwater flow to the unaffected steam generator).
- l l
Among the actions t,aken and programs underway are activities which should specifically address the dominant accident sequences delineated in the CR-3 l
. Safety Study:
l l
\\
l
~"
1)
Plans for improved symptom-ort'ented procedures, including those for manuaf switchover, should be addressed in the licensee's Procedures Generation Package to be submitted in accordance with SECY 82-111,
" Requirements for Emergency Response Capability" which encompassed l
procedural changes and operator training required to implement the Anticipated Transient Operating Guidelines (AT0G).
2)
Task A-44, " Station Blackout" and A-30, "DC Power Study" are currently addressing the safety issues associated with loss of emergency AC and DC power.
During the course of the PRA, the licensee voluntarily took action to eliminate the AC power dependency via the component cooling medium in the steam-driven emergency feedwater train identified during the assessment.
The overall core melt probability estimated in the CR-3 study incorporated,
this modification in the EFW system.
The licensee verified the existence of Technical Specifications and implemented further administrative controls addressing the recommendation of a limiting condition for operation requiring prompt shutdown if both EFW trains become inoperative.
e
<, The licensee. cited.a Pump and Valve Test program submitted to NRC on July 25, 1979 and subsequent revisions in response to the recommendation of verifying the adequacy of the licensee's procedures regarding the checking of check valve position for those valves whose failure would cause a LOCA that blows
~ ~ ' '
down outside containment-(Event V)'.
It was noted in an early NRC review that the Decay Heat Closed Cyc'e Cooling Water System (DHCCCS) was a two train system supplying component ;ooling to several engineered safety features.
It was suggested that it would be prudent to modify the DHCCCS to include one or more properly engineered crossover points to reduce the common coupling of multiple systems.
The licensee performed a reliability analysis to assess the potential benefit to be derived from DHCCCS crossover point.
Their conclusion was that the maximum improvement factor of two is relatively insignificant i
considering typical uncertainties in actual data bases used in PRA analyses I
and therefore the suggested crossover points did not significantly increase the reliability of the affected Engineered Safety Feature Actuation Systems.
NRC suggested that the licensee review the steam line rupture matrix circuitry for actuation or failure modes which might disable both trains of emergency feedwater and that it may be appropriate to conduct a risk tradeoff study to l
determine if overall risk is indeed reduced by some modification.
l l
l 1
i l
l
[
r t
Flordia Power Corporation was aware of this co5cern.
The design of a new B&W Emergency Feedwater Integrated Control (EFIC) System has been finalized.
The licensee is in the process of procuring parts and processing about 16 modification design projects for the EFIC.
The complete EFIC system should
~
be rea,dy for operation after the fall of 1984 refueling outage.
v.
REFERENCES j
1.
A. A. Garcia, R. T. Liner, P. J. Amico, E. V. Lofgren, Science Applications, Inc., Crystal River-3 Safety Study, U.S. NRC NUREG/CR-2515, December, 1981.
I 2.
A. D. Swain, H. E. Guttman, Sandia National Laboratories, Handbook of' Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, U.S. NRC NUREG/CR-1278, October, 1980.
3.
U. S. Nuclear Regulatory Commission, Clarification of'TMI Action Plan Reauirements, NUREG-0737, November, 1980.
4 G. J. Kolb, Sandia National Lat:ratories, Interib Reliability Evaluation Program:
Analysis cf the Arkansas Nuclear One-Unit 1 Nuclear Power Plant, U.S. NRC h] REG /CR-2787, June, 1982.
l l
l
\\
\\*
')
A O
e 5
e e $904 6
9 OO 4
4 ENCLOSURE 1
~
TECHNIQUES FOR HUMAN ERROR RATE PREDICTION (THERP) DIAGRAMS FROM THE CRYSTAL RIVER-3 SAFETY STUDY P
e O
d 5
Ms
.i.
-., * ** * *
- e ! e r*: sett:-**; t: re:ir:.,lat : at: 1:ses core :c:11r; :a:ati:t:y,
{
- i.er. a E'
- * :ransient-ir: :e:. ::
E ".:.E A'. S v5 0'.:
- '*:1 M*02 (0.02)
(0.h99)
EIT:" ATE; PROBA5!t.ITY: 0.05 b
A (0.001)
(0.95)
(0.997)
B (0.05)
~
d C(0.003)
(0.99)
^
e
/ w
- (0.01)
N
( c. c. -- '
y
\\
\\ E {0.002) f (0.997)
N y
(0.003)
F g
(0.991 s REOU! RED ACTIONS:
a: 0:ert or c; ens at least one DHP su: tion to RB sump
- 0: erat:r c: ens at least ene OMP dis:r.arge to MUP su: tion
- C:erator pe*feres step to close OhF suction from EWST
- C: era::r c1cses se:ca.d DH8 su:tien, given that he tas c1csed first e: ' *:e*at:r starts a: least ene :-7
': ::e-a :r ;trferrs ste; :: c1:se MS sa: tion frem E.5T
- : era::r :1:ses se::nd MJ ss::ier., given nat ne e.ss elesed first i
- 55'J"
- T :0',5 :
- . :.alysis tase: er :*e c;erator i
- .
- e : ::t:Mities :f. ira:ve* e.tly stle: tin; an in::rre:: 0;rtr:1 is ass.; e: re;11;itle.
.e... e..e + : cae:t
- c. : ;;...:;. I. t.;y.:5*n'v.A*. :.t -
w.
a,A: Esti. ate. f?5EG/CR-1278. Tatie 20 20, line 4; te:asse of EWST alarn, treat es sn rt
- r
- :ecure, an: use low value te a se tne first i t. in a list is tne least likely to be :mitted.
0,E: Estimate. Scarce would be fiJREG/CR-1278. Table 20-20, line 4, but negative cepenaence wit *. a is assured because b is the second half of a step that incorporates an OR; that is, a requires performance of one er the other of two c;erations, c,C: Estimate. tiUREG/CR-1273. Table 20-20, line 4.
d,D: Estimate. h'ermally there would be complete dependency between d and c; but this step is enhedded in a procedure which requires most operations to take place on either of two panels, and d is tne performance of an operation en the other panel (the c;eration mast be cerformed en beth). The negative dependency between actions d and c is due to a poc-ly-written pro:edure, ficentily d would have a nigher prc:stility of su: cess than c, up te complete dependen:y.-
e.E: Es tima te.
fr.' REG /CR-1278 Tatie 2C-20, line a.
f,F: Estima te, frAEG/CR-1278 Table 20-20, line 4 g,,G : Es:tmate. See c (; relates to f as d relates te c).
REFEREri;ES:
l I
CR-3 Ecer;ency Frecedure EF-106, !.ess of Reacter Cocla. cr Reacter C olant Pressure,
[
Rev. 22, 10/25/79.
J Figure 5.6 Probability Estintion for Operator Fault H'02.
5-71 L
c.
~
riEit. e : ::f f c' }:.. ; essure cc: lent ir.ie::::- cy 0; erat:t. given a L'0 A
.r...,..
.e
..c. v.s...
0,.
i
-A
.r.e.. u.a. a r e.-
- 0. 0:-
ss LO6 (0.05) a
- ~
(0.95
]**
A(0.05) t
(*.C.C E (0.001)
)
a... s. m.,. n....
2 i..
Ali : erat:-s leave LFI runnin; wnen needed, ever. tr.:v;r. it would pre;erly have been I
a:
r turne: cff several tinet earlier in the'se uence.
~
t: All coeraters re:ognize lon-pressure condition and leave LPI running.
.e.
. s s..
e n.c.Ji..
- v. e.
1.
!Liti;1e c:erators work in:epen:ently. Any one cf :ne could commit a fault.
1:
.e..: - r..e. :.. :.e.:.t C : :..~ : ' : ". I '. v e t 'i. w.,' 'i.( -
n e. ". : Es:1 a:e. Ease: en ite 'nint-se:s ' :? era: Ors un:e ;ressure. Tre LOI is repeate:ly
- re
- :" a r.: :ne-e are :;eraters ;reser. wn: ci: r.:: igrn it ef f ;revicusly and tr.,us 4
.a~. :elie.e 1: sn: ale de turne: Off at this time.
- .E: Tr.e fe.1: is tr.at :ne : era;:- res; r.sible for n:..t::-ir.; prinary sys;e pressure will
-i s-ea. ; e : essure ir.:icat:, think tne pressure is t:0 higr., ar.: ;;rn cff LPI.
' :El!* ;2'E. Ta:ie 2*-E, line 1.
ine io.er boa.: cf uncertainty is used because stis
.'s a si- ~e :as, teir; :e '
e: 39:e-ri;r. I -ets, -i:* e-*ar:es E #0rman:e Cf sir:if
- r e.r: r.-..
.'R-1 Erergen:y F nev. cc,1,.,,4:<,.r.e:e:ure EF-105, Less cf Reactor Coolar.: c-Rea:: r. C clant Fressure,
/:.
Ficure 5.7 Probability Estimation for Operator Fault LO6.
l 5-72
t O
F..*
- e.t gre initiati:n c' *e:ircula-io.. giver a ;00A
.:r.... e s..v....
,0.3-1 EST:w.ATED FROEASI' fiY: 0.05 LO17 (0.05) a (0.95 A (0.05)
E...........,,..
...r..
....w..
a: ': era :- bases de:isien cr. sum; levei in:icater rather than on BWST low-level alarc.
e.: e..,.....
.c..la.e'. set:cint will n:: fail cr cause EWST alar :: go eff too soor..
S'.'E~I~
~E EASIS OF FROSAEILIT) ESTIMATES:
a.A: Estimate. IqREG/0K-1275, Table 20-20, line 5; the highest value is used since tne c:eraters re;crt a false belief with respe:: to the cue for initiating recirculttion.
r..:.::.:...e.c.
r.....
- -1 E..e ;e-ty Fr::edure EF-105 Less of Reactor Cociant er Reacter Coolant Pressure, Rev. 22, ::/25/7~.
- 's
- .ss:c s witr CR.3 0;erating personr.el, havember 1975.
s Figure 5.8 Probability Estination for Operator Fault L017.
3-l:
Sir.~-
.C.a.e: irt n ati:r cf re:irculatic. giver. ary LC~A E L EA*. SYt'EOL:
LO' ESTIM;TED'FRDSAEIL*ITY:' C.003 LO4(0.003) a (0.997)
A ('O.003) e a
o b
('1.0)
B (c) u..i...2.,.........n..e.
o a: 0:erater cetects B'.57 lo.-level alar:
t: Opera:cr begins retirculation ASSUMPTIONS:
1..
are: ability based on one coerator 2.
Anr.unciator is one ef.at:ut five actuated at the same time 2.
A::ter, is cc :letely tenendent upon alarm, sin:e :;eratin; crc:edare has c;erator esser.:ially waiting for the signal.
.e....:. n:
... :..c.r.e C.: :
- s:.
y 5iIy.m :.c.
a,A: f U:.E3/;E-1275, Table 20-4, line 5 0,E: Esticate. Eased. ar. assummtien cf cer:lete esper.dency.
r.s..
- - E e ;er.: :-::e:. t E:-;;f, *:ss :1 Rea:::r ::::ar.: :r :.ea:::r :::lar.: ;ressure, rev. 22, 10/25/7E.
Ficere 5.9 Probability Estimation for Operator Fault t.04.
9 6
m./-
a
^
i e
I A. '. * -
~."e a;;-f :J* f#,:f Pipr. :-e!s;*e to*ia-; it.je::::t by Opfrgt:, give 3:, g3 er
- -a *.!
- e r.* - i nc ute: LC'"
,v..
H.;*
.:-4..:
...............,i.: 0 00 5..y...
-r..
H01 (0.034) a (0.997)
A (0.003)
~ ',
t
(..
n..
- . t-..c s
/
(,....)
w ::
C (C.001) r.:v.. r:s av. 4 0..c.
a: C:t-at:r ;rre::1y reats LP! flow indicator
- 0: erat:- ::rre::iy calculates sa::o:lin;
- 0:e at:- a s:.ately n-::tles H" syster
- .v:-....c.
- l'.yst
- :ase: cr. sir.;ie c: era;:-
2.
- re:: su::::lir; :grves will os rea:, as there is r.: similar page nearty in the
- 'Et; c:erati:9s t: k
- . :.:. ".* T Y ' 5 *. *.*.;. # c -
e.:.
-:. :.:.::.e c.:.
.4
.. ;,.at.e 4.
.:..*e t,
- ' REG /0~-;271, abie 20121:ne *, six ceters. Adjaste: f:r cepen:ent rea:in;s wi n
- ,E:
..a ten:en:y f:* re: sery (n: in; an error on reading four r.eters will tend to prc:.:e
- rre::icn f errers en reters 1 ~, e :.) by t-ea tir.g as tnree in:epen:en readin;s.
- c. : Es tica te. A:ti:n is consicere: a complex task perforced.uncer stress (relatively nign error prchability), but cr.e ir. which a gross error is required to cause any trouble.
REFERENCES:
CR-3 Emergency Procedure EP-105, Loss of Reactor Coolant or Reactor Coolant Pressure, Rev. 22,'10/25/79.
CR-2 Cperating Procedure 07-103, Plant Curve Book, Rev. 20, 9/20/79.
Figure 5.10 Probability Estimation for Operator Fault H01.
5.N12
O
~
.c.....-
.al. -e :: esta: list a feet e-: :..ee: cperati:.. ;ive-a : ansier.: with loss ef e11 r
se:cn:ary cooling.
E00 LEAR. SYM50;: H03 ESTIMATED FROBAE!LITY: 0.014 H03 (0.014) a (0.997)
A (0.003) 1 b.
(0.99)
B (0.01)
C (C.999)
C (0.001) 9 a.
REQUIRED ACTIONS:
a: ':erater cete::s alare indicatin; ;ressure or temperature deviation
- 0:erater takes action t: initiate feed-and-bleed c: C e-et:r Or::ses corre:: controls for feed-and-blee: Ope-atic-
- !I."':
0'.5:
1.
A.elysis tase: en sincie c:erater 2.
Press.-e at: te cerature alerts a e two ou cf at:ut five tr.at will s:and at one time 2.
0 r.tre' reit ti:r.sr.i: :: ciner cen -ols assumed tc te ty;i:ai
.:. M::e-a:e (:::i.a stress assu e: -- !! rinutes t: ;e-fc. tas.
.5..y...,:
..... ;. :.. :.-n..
rr..:.:...i..
a.*:
N'.'F.I5 / ~E '.~ 72. Table 20 a, line E
- .E: inis re: i es.:iagncsis of pret;e. anc cncice cf c rre:: ;r::e:.;re, wnich must te cene witnin a time wincon of about 20 minutes. Tne ;rciability is based on the assu ;; ion tr.at the c;erator is net likely to misciagncse tne con:itio.. ATei5 is the only condi-tion witn similar symptoms, anc the reactor will not trip on AT',is, so it is noticeably different. h0te, however, that this event includes tne possibility of the operator regaroing the symptoms as unimportant, as well as his regarding them as sy=ptoms of a different problem.
c,C: Estimate. NUREG/CR-1278, Table 20-19, typical value REFEREN*ES:
CF-3 E trgen:y Frc:ecure EF-108, Less f 5 team Generater Feed, Res. 10, 8/2/'S.
OF.-3 Ecergency Prote:ure EF-103, Less et RC Flow /R0 Pu :: Tri;,.Rev. E, 6/2/75.
Ficare 5.11 Probability Estimation for Operator Fault H03.
5-76
O 9
e E
S 4
9 amt ee me e
e e
-m ENCLOSURE 2 CORRESPONDENCE AND BACKGROUND o
O e
.A CK b
y Florida TW ga n W '6 /J Power P f C-I 2
p&
u..;...-
November 6,1980 File: 3-0 ~
=--
Mr. Darrell G. Eisenhut Director Di.ision of Operating Reactors
" 5. Nuclear Regulatory Comission Kasnington, DC 20555 Sc:je:::
Crystal River Unit 3 Docket No. 50-302 Operating License No. DPR-72 IREP Study Reconcendation
- ear Mr. Eisenhut
- 1:-ida Power Corporation received and reviewed your letter of Sep-te,.c 30,1920 containing the recorraendations and coments submitted as an
'. ; o..t n o f the Interim Reliability Evaluation Program (IREP).
Actions t!. e Or completed by FPC on each cf these items are enumerated below:
Ensure that the licensee's voluntary action to eliminate the A:-
power dependency in the steam-driven' emergency feedwater tra;n is properly implemented.
This item is complete and has been verified by NRC-I&E Inspec-tors.
2.
Verify the existence of or add to the Technical Specifications a limiting condition for operation that requires prompt shutdown if the steam-driven emergency feedwater pump train and the electric-rotor-driven emergency feedwater pump train are both inoperative.
Technical Specifications LCO 3.7.12 and the applicable pa rd.-
graph 3.0.3 adequately address this recommendation.
Addition-ally, FPC has implemented further administrative controls.
Q U 'iY2/M
" e e a 0%ce 320t T"r 'os'th st'eef Sost"
- P O B:n 14N2 St Pe:e 50s ; F6.ca 33'33 81 3 em t t -
4, Mr. Darrell G. Eisenhut Page 2 November 6,1980 3.
Verify the adequacy' of the licensee's procedures regarding the checking of check valve position for those valves whose failure would cause a LOCA that blows down outside, containment and re-quire appropriate testing in the Technical Specifications.
A Pump. -and -Valve Test program was submitted to the NRC on July 25, 1979, and subsequent revisions per NRC_ request.
FPC's proposed program ~ meets Tech Spec 4.0.5 and ASME Section XI requirements.
4.
The comon DC power dependency between one diesel and the emer-gency feedwater system turbine admission valve should be elimi-nated. We note, however, that one of the suggestions madt by our contractor (to power the admission valve from both DC trains) may-not be desirable since it may compromise DC power redundancy. An EFS turbine steam admission valve that fails open upon loss of DC power may be appropriate.
As a result of Florida Power Corporation's Nuclear Safety Task Force efforts following the February 26, 1980, incident, an Engineering Study is underway by Gilbert Associates Inc. to add a third EFW pump that would ameliorate this concern.
In addition, a Modification Action Request has been written to consider installing a valve in parallel to the EFW turbine emission valve that would be powered from the other DC bus.
However, prior to installation, an engineering evaluation would be conducted to evaluate the overall contribution of such a codification.
E.
Additional investigation of the diesel-generator failure history is recomenced.
Emergency Diesel Generator (EDG) failure history (unscheduled maintenance) to date is as follows:
1977 - 21.0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> 1978 -
6.0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> 1979 - 59.0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> 1980 - 110.0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> 196.0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> total to date NOTE:
These figures include a 96 hour0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> unavailability of EDG-18 reported on LER 80-030 which occurred July 31, 1980.
Total unavailability due to unscheduled maintenance during the past 44 months is 00.67, e
& HeVm.
0 Mr. Darrell G. Eisenhut Page 3 No vember,6,1980 6.
We recommend operator training and procedure review based on the IREP sequences.. It is our understanding that this is now under-way.
The adequacy of this training and procedure review should be ascertained.
~
Operator training an'd procedure review to assure inclusion of the
~
major concerns you expressed in your cover. -letter have been accomplished.
Other procedural changes and operator training will be required to implement the AT0G Program Guidelines when they are completed.
7.
The decay heat closed cycle cooling water system (DHCCCS) has two trains which are completely redundant.
This system provides com-ponent cooling to several engineered safety features.
Thus, a single failure would disable not only one train of DHCCCS but also one train of multiple engineered safety features.
It may be prudent to modify the DHCCCS to include one or more properly engineered cross-over points to reduce this common coupling of multiple systems.
The Engineered Safety Features Actuation Systems (ESFAS) consist of redundant trains, each train supplied by a separate train of the Decay Heat Closed Cycle Cooling System (DHCCCS).
Failure to achieve an ESFAS function, therefore, requires the failure of two trains, i.e.:
- both ESFAS trains, or
- both DHCCCS trains, or
- one DHCCCS train and the ESFAS train not supplied by the failed DHCCCS train.
It has been suggested that DHCCCS " crossover points" would elimi-nate the last double-f ailure combination,.thereby improving plant reliability.
A reliability analysis was performed to essess the potential benefit to be derived from DHCCCS crossover points.
The absolute improvement in plant reliability depends on numerical values assigned to various t.omponent failure rates.
There is consider-able debate within the industry as to appropriate failure rates.,
particularly in regard to the influence of human errors.
How-ever, the calculated analysis provided ranges for the relative improvement in plant reliability.
--.g g
-e,-
w
~ 4.,
4g Mr. Darrell G. Eisenhut Page 4 November 6, 1980.
Assumptions in the analysis were made such that. the maximum improvement in reliability would be achieved.
A measure of this improvement. is the factor F, defined as:
p, unavailability of ESFAS without crossover points unavailability of ESFAS with crossover points The maximum value for' the calculated " improvement factor" is 2.0.
When failure probabilities reported in the IREP study are
~~
used as input, the " improvement factor" is only 1.5.
The maximum improvement factor of two is relatively insignificant considering typical uncertanties (a factor of ten, or more) in actual data bases used in probabilistic risk assessment analyses.
We, there-fore, do not feel that the suggested crossover points signifi-cantly increase the reliability of Engineered Safety Feature Actuation Systens, which are already designed with large safety margins.
The included analysis is not directly applicable to the High Pressure Injection System (HPI).
The HPl System cons'ist's of two pumps in two trains with cooling water supplied from the DHCCCS, with a third purp supplied from the Nuclear Services Closed Cycle Cooling System (NSCCCS).
Additionally, the two DHCCCS-supplied pumps may be supplied with cooling water from the NSCCCS as the system is presently designed, which would make the addition of DHCCCS crossover points for the HP1 system unnecessary.
C.
Review the steam line rupture matrix circuitry for actuation or f ailure redes which night disable both trains of emergency feed-It may be appropriate to conduct a risk tradeoff study of water.
these systems to see if they do indeed reduce overall risk.
FPC is aware of the concern expressed.
We are actively pursuing the installation of the new B&W Emergency Feedwater Instrument y
vN.
Control Systec.
This new system will modify the steam line rup-Ff ture matrix and provide for emergency feedwater flow to the
~
sf p unaffected generator.
This concern was further addressed by FPC M
in their request to remove FWV-161 and 162 from the isolation matrix.
We are continuing to resolve concerns with NRR.
This modification will provide a passive flow path through the steam generators from the emergency feed pumps independent of control action.
All concerns should be resolved in the near future.
i
[*M
- Pb6 59490
'9-
--,y
.w,"'
4 y e
y
Mr. Darrell G. Eisenhut
' age 5 hove:6er 6,1980 9.
Consider the possibility of further modifications to the Emergen-cy Feedwater System.
The Crystal River 3 plant has a two pump EFS arrangement.
With action on items 1, 2, 4 and 8 above, the Crystal River 3 EFS is not notably unreliable.
However, here, as well as in othep EFS studies, we find inherent limitatipns in the two pump configuration
_ Responses.to Items 1, 2, 4 and 8 indicate our concurrence with this recommendation.
If you have any questions, please do not hesitate to ask.
\\ery truly yours, F 0RIDA POWER CORPORATION Yl - }. y.e al
, p_.
- . Y. Baynard vanager N.:: ear Support Services Department F=rry(M05)D3-2 O
e
--s._,_
__-y
.-,f g..,,
r m
--*-m
,1 s
STATE OF FLORIDA
- TOUNTY OF PINELLAS
, P. Y. Baynard states that.she is the Manage.r, Nuclear Support Services Department of Florida Power Corporation; that she is 'auth'orized on the part of said company to slgn and-file with the Nuclear Regulatory Com-
-mission the information attached hereto; a_nd that all such state ~ments
~
made and matters set forth'thdriin are tr,ue and correct to the best. of her knowledge, information and belief.
... y Y. 24.,.,s a i i
ru
/
/, /P. Y/ Bsynard
- Subscribed and sviorn to before me, a Notary Public in and for the State and County above named, this 6th day of November,1980.
'A
/
Notary Public f
Notary Public, State of Florida at Large, My Cornission Expires: June 8, 1984 PYB/MAHNotary(DN-98)
.