ML20206T104

Safety Evaluation Report Related to the Restart of Davis-Besse Nuclear Power Station, Unit 1, Following the Event of June 9, 1985. Docket No. 50-346. (Toledo Edison Company)
Person / Time
Site: Davis Besse Cleveland Electric
Issue date: 06/30/1986
From: De Agazio A
Office of Nuclear Reactor Regulation
To:
References
NUREG-1177, NUDOCS 8607070490


Text

NUREG-1177

Safety Evaluation Report related to the restart of Davis-Besse Nuclear Power Station, Unit 1, following the event of June 9, 1985

Docket No. 50-346

Toledo Edison Company

U.S. Nuclear Regulatory Commission
Office of Nuclear Reactor Regulation

June 1986

NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.


ABSTRACT

On June 9, 1985, the Davis-Besse Nuclear Power Station, operated by the Toledo Edison Company, experienced a partial loss of main feedwater while the plant was at 90% power. The ensuing reactor trip was followed by spurious isolation of the steam generators which initiated a chain of events involving a number of equipment malfunctions and several operator errors ultimately interrupting all feedwater for a short period of time. By the time operators were able to restore feedwater, both steam generators had dried out.

A letter from the Director of the Office of Nuclear Reactor Regulation, pursuant to 10 CFR 50.54(f) of the Commission's regulations, confirmed that the Davis-Besse facility would not be restarted without NRC approval. The letter also requested that Toledo Edison submit its program for resolving numerous concerns identified by the staff. In response, the licensee submitted the Davis-Besse Course of Action report. The staff has reviewed that document and other supporting material submitted by the licensee; the staff's evaluation of that information is presented in this report.

Davis-Besse Restart SER iii

TABLE OF CONTENTS

ABSTRACT
ABBREVIATIONS
1 INTRODUCTION
2 BACKGROUND DISCUSSION
  2.1 Brief Description of the Event
  2.2 Summary of NRC Actions
  2.3 Summary of Toledo Edison Company Response
3 EVALUATION OF TOLEDO EDISON COMPANY ACTIONS
  3.1 Management and Programmatic Aspects
    3.1.1 Management Restructuring
    3.1.2 Maintenance
    3.1.3 Procedures and Training
      3.1.3.1 Plant Operating and Emergency Procedures
      3.1.3.2 Role of Shift Technical Advisor
      3.1.3.3 Reporting of Events
      3.1.3.4 Security
      3.1.3.5 Training
    3.1.4 Operating Experience Feedback and Post-Trip Review
  3.2 Plant Review
    3.2.1 Event-Specific Investigations
      3.2.1.1 Auxiliary Feedpump Turbine Overspeed and Control
      3.2.1.2 Auxiliary Feedpump Turbine Trip Throttle Valve
      3.2.1.3 Spurious Steam and Feedwater Rupture Control System Actuation and Spurious Main Steam Isolation Valve Closure
      3.2.1.4 Main Feedpump Turbine and Control Failure
      3.2.1.5 Turbine Bypass Valve, SP-13A2, Actuator Failure
      3.2.1.6 Power-Operated Relief Valve Malfunction During the Event on June 9, 1985
      3.2.1.7 Motor-Operated Valve Operator Malfunctions
      3.2.1.8 Source Range Nuclear Instruments
      3.2.1.9 Main Steam Safety Valves and Atmospheric Vent Valves
      3.2.1.10 Startup Feedwater Valve, SP-7A
      3.2.1.11 Spurious Transfer of Auxiliary Feedwater Suction to Service Water
    3.2.2 Thermal Transient Effects on Reactor Coolant System Components
      3.2.2.1 Reactor Vessel
      3.2.2.2 Pressurized Thermal Shock
      3.2.2.3 Once-Through Steam Generator
  3.3 Improvement Programs and Plant Modifications
    3.3.1 Evaluation of Plant Modifications
      3.3.1.1 Steam and Feedwater Rupture Control System
      3.3.1.2 Auxiliary Feedwater System
      3.3.1.3 Motor-Driven Pumps
      3.3.1.4 Safety Features Actuation System
    3.3.2 Ongoing Improvement Programs
    3.3.3 Control Room Review and Improvement
    3.3.4 Staff Evaluation of 29 Safety-Significant HEDs
  3.4 System Reviews and Test Program
    3.4.1 Program Overview
    3.4.2 Program Evaluation
      3.4.2.1 Ability To Meet Program Objectives
      3.4.2.2 Systems Within SRTP Scope
      3.4.2.3 Review of System Functions
      3.4.2.4 Results
4 DECAY HEAT REMOVAL RELIABILITY AND CAPABILITY
  4.1 Auxiliary Feedwater System Before June 9, 1985
  4.2 Auxiliary Feedwater System Before Restart After the Event on June 9, 1985
  4.3 Makeup/High-Pressure Injection (MU/HPI) Cooling
5 SINGLE-FAILURE CONSIDERATIONS
  5.1 Safety Features Actuation System
  5.2 Reactor Protection System
    5.2.1 Analysis of Internal Changes
    5.2.2 Analysis of External Changes
6 CONCLUSION

APPENDIX A LETTER DATED AUGUST 14, 1985, FROM H. DENTON (NRC) TO LICENSEE REQUESTING INFORMATION
APPENDIX B MEMORANDUM DATED AUGUST 5, 1985, FROM W. DIRCKS TO STAFF: ACTIONS RESULTING FROM THE INVESTIGATION OF THE JUNE 9 [1985] DAVIS-BESSE EVENT (NUREG-1154)
APPENDIX C SUPPLEMENT TO THE TECHNICAL EVALUATION REPORT OF THE DETAILED CONTROL ROOM DESIGN REVIEW FOR THE DAVIS-BESSE NUCLEAR POWER STATION
APPENDIX D TECHNICAL EVALUATION REPORT OF 29 SAFETY-SIGNIFICANT HUMAN ENGINEERING DISCREPANCIES AT THE DAVIS-BESSE NUCLEAR POWER STATION
APPENDIX E REFERENCES

ABBREVIATIONS

AFPT     auxiliary feedpump turbine
AFW      auxiliary feedwater
AFWS     auxiliary feedwater system
APG      action planning group
APT      action planning team
ASME     American Society of Mechanical Engineers
ATOG     abnormal transient operating guideline
BTP      branch technical position
B&W      Babcock & Wilcox Company
CFR      Code of Federal Regulations
CST      condensate storage tank
DA       decision analysis
DCRDR    detailed control room design review
DSA      Disaster Services Agency (State of Ohio)
ECCS     emergency core cooling system
EI       emergency implementing
EOP      emergency operating procedure
FCR      facility change request
GDC      general design criterion(a)
HED      human engineering discrepancy
HPI      high pressure injection
I&C      instrumentation and control
IE       Office of Inspection and Enforcement
IIT      Incident Investigation Team
ISEG     Independent Safety Engineering Group
IST      inservice testing
K-T      Kepner-Tregoe [method]
LER      licensee event report
LMFW     loss of main feedwater
LOAC     loss of all ac
LOOP     loss of offsite power
MDFP     motor-driven feedpump
MFP      main feedwater pump
MFPT     main feedwater pump turbine
MFW      main feedwater
MOV      motor-operated valve
MOVATS   motor-operated valve assembly testing system
MSIV     main steam isolation valve
MSPP     Maintenance and Surveillance Program Plan
MU       makeup
MWO      maintenance work order
NRC      U.S. Nuclear Regulatory Commission
OTM      overspeed trip mechanism
OTSG     once-through steam generator
PA       problem analysis
PAT      Performance Appraisal Team
PEP      Performance Enhancement Program
PORV     power-operated relief valve
PPA      potential problem analysis
P-T      pressure-temperature
PTS      pressurized thermal shock
RCS      reactor coolant system
RG       regulatory guide
RO       reactor operator
SA       situation appraisal
SALP     Systematic Assessment of Licensee Performance
SER      Safety Evaluation Report
SFAS     safety features actuation system
SFRCS    steam and feedwater rupture control system
SFTA     systems function and task analysis
SG       steam generator
SPDS     safety parameter display system
SRO      senior reactor operator
SRP      Standard Review Plan
SRTP     System Review and Test Program
STA      shift technical advisor
SUFP     startup feedwater pump
SWS      service water system
TAP      Task Action Plan
TBV      turbine bypass valve
TED      Toledo Edison
TSD      training systematic development
TSV      turbine stop valve
T&T      trip throttle

1 INTRODUCTION

By letter dated August 14, 1985 (Appendix A), NRC requested that the Toledo Edison Company (hereafter also referred to as the licensee) and Cleveland Electric Illuminating Company, pursuant to 10 CFR 50.54(f), provide under oath or affirmation their plans and programs to resolve a number of concerns directly and indirectly related to the event on June 9, 1985. These concerns were grouped into the following general areas:

(1) completion of the investigation of the event on June 9, 1985, including analysis of the equipment failures, determination of the fundamental cause for failure, implications for other equipment, and corrective actions
(2) the plant-specific findings regarding the event
(3) the programmatic and management issues that contributed to the event

The staff's evaluation of the licensee's response is given in this Safety Evaluation Report. In performing this evaluation, the staff has used and relied on the information in the licensee's Course of Action report, submitted on September 10, 1985, and revised by additional submittals dated October 1, October 16, October 31, November 16, December 13, 1985, and January 3, February 13, and April 10, 1986. The licensee submitted related information on November 30, December 2, December 5, December 9, and December 16, 1985, and January 2, February 26, February 28, March 12, and April 18, 1986.

Additionally, a team of NRC specialists assisted by contractor personnel has conducted two onsite assessments of the licensee's maintenance program to gain assurance that the licensee is making progress with maintenance issues.

The August 14, 1985, letter to the licensee and this Safety Evaluation Report are organized differently. This resulted, in part, because the licensee began to prepare the Davis-Besse Course of Action report before the August 14, 1985, staff letter was issued; because the two documents were developed independently, they did not share a common structure. The licensee did, however, assure that all the issues raised by the staff letter are addressed in the Course of Action report. Additionally, the staff's review of the licensee's submittal was organized by systems or disciplines rather than along the narrower specific concerns of the staff letter. Table 1.1 cross references the Course of Action report, the staff letter, and this Safety Evaluation Report.

In a number of cases, the staff has relied upon commitments made by the licensee to complete certain actions. Where applicable, these commitments are identified in the appropriate sections of this report and are subject to verification through inspection by the staff. No issues related to the June 9, 1985, event at Davis-Besse remain to be resolved.

In several instances, the staff has used the "Standard Review Plan (SRP) for the Review of Safety Analysis Reports for Nuclear Power Plants" (NUREG-0800) in its evaluations to determine the acceptability of programs or systems. It is important to note that meeting the SRP is not a requirement for the Davis-Besse Nuclear Power Station, since at the time the licensee's application for an operating license was reviewed, the SRP was not applied as a basis for licensing. The SRP is a valid basis for gauging acceptability because it is used to determine the minimum requirements for plants currently being licensed; however, not meeting the SRP requirements does not necessarily indicate unacceptability.

A number of potential generic issues were identified on the basis of the review of the Davis-Besse Incident Investigation Team's findings (NUREG-1154) and during the staff's ongoing review of the Davis-Besse event. Restart of the Davis-Besse plant is not dependent on the processing of these potential generic issues. Generic issues include possible deficiencies in the design, construction, or operation of several or a class of nuclear power plants. The review, evaluation, prioritization, and resolution of potential generic issues by the staff is usually managed on a schedule separate from plant-specific licensing actions. In the case of the Davis-Besse event, the staff did not identify a need for immediate staff actions of a generic nature. Accordingly, the generic issues identified resulting from the Davis-Besse event will be resolved in the longer term.

Table 1.1 Safety Evaluation Report cross-referenced to 10 CFR 50.54(f) letter items and Course of Action report section

SER section   10 CFR 50.54(f) letter item     Course of Action report (COA) section
3.1.1         IIIA, IIID                      II.B.1
3.1.2         IIIA, IIIB                      II.B.1, II.B.3
3.1.3.1       IIA 6, IIA 12, IIB 1            II.C.4
3.1.3.2       IIA 4                           II.C.6
3.1.3.3       IIA 6                           II.C.4
3.1.3.4       IIA 3, IIA 10                   II.C.4, II.C.2
3.1.3.5       IIB 1, IIB 2, IIIA              II.C.2, II.C.4, II.C.5, II.B.1
3.1.4         IIIA                            II.B.1
3.2.1         IA, IB, IC, IIA 5, IIA 11       II.C.1, II.C.2
3.3.1.1       IIA 2, IIA 5, IIB 2             II.C.1, II.C.2, II.C.3, II.C.4, II.C.5
3.3.1.2       IIA 5, IIA 7, IIB 2             II.C.1, II.C.2, II.C.4, II.C.5
3.3.1.3       IIA 7, IIB 3                    II.C.2
3.3.1.4       IIB 4                           II.C.3
3.3.2         IIIC                            II.B.2
3.3.3         IIA 9, IIB 2                    II.C.2, II.C.4, II.C.5
3.4           IIA 13                          II.C.7
4.1           IIA 5, IIA 7, IIA 10            II.C.1, II.C.2
4.2           IIA 5, IIA 7                    II.C.1, II.C.2
4.3           IIA 1, IIA 8                    II.C.1, II.C.3

2 BACKGROUND

2.1 Brief Description of the Event

During the early morning on June 9, 1985, one of the two main feedwater pumps at the Davis-Besse Nuclear Power Station tripped on overspeed while the plant was operating at 90% power. Approximately 30 seconds later, the reactor and turbine were tripped automatically on high reactor coolant pressure. Shortly after the reactor tripped, a spurious steam and feedwater rupture control system (SFRCS) trip caused the main steam isolation valves to close, which resulted in interruption of steam to the remaining feedwater pump causing it to trip within several minutes. Subsequent to this loss of all main feedwater, an operator error, malfunctions of one safety-related valve in each auxiliary feedwater (AFW) discharge line, and overspeed trips of both safety-related auxiliary feedwater system (AFWS) pump turbines resulted in a loss of all sources of feedwater to the steam generators for a period of about 12 minutes.

Within about 12 minutes, feedwater was restored; however, separate actions by the operators were required to correct the operator error, open the valves that had malfunctioned, reset the overspeed trips on the AFWS pump turbines, and restart and control the turbine-driven AFWS pumps. Actions from outside the control room were necessary to open the valves and restart the pumps. While operators acted to restore AFW flow, other operator actions, also from outside the control room, were taken to place a non-safety-related motor-driven startup feedwater pump into service. Before any feedwater could be restored, the once-through steam generators essentially had boiled dry. Furthermore, a number of additional equipment problems complicated the event. Nevertheless, the operators were successful in restoring AFW flow and stabilizing the plant without any abnormal radioactivity release, any core damage, or any major damage to the plant. Details of the event and the findings of a special NRC investigating team are reported in NUREG-1154.

2.2 Summary of NRC Actions

On June 10, 1985, NRC Region III issued a confirmatory action letter that stated that the licensee would take certain actions to establish the causes of the malfunctions and determine the corrective actions to be taken, to perform evaluations with respect to the reactor vessel and steam generators, and to perform confirmatory testing. The letter also stated that the licensee would obtain Region III concurrence before restarting the unit.

On the same day, the NRC Executive Director for Operations sent a team of technical experts to the site to find out what happened, to identify the probable cause of the event, and to make appropriate findings and conclusions to form the basis for possible followup on actions.

The report of the investigating team (NUREG-1154) and a memorandum to the NRC staff from the Executive Director for Operations identifying actions to be taken were released on August 5, 1985. The memorandum is in Appendix B of this SER. The memorandum established the framework for a letter dated August 14, 1985 (Appendix A), to Toledo Edison Company requesting information on subsequent findings regarding the cause of the equipment failures and the corrective actions to be taken by Toledo Edison Company. This letter also superseded the June 10, 1985, Confirmatory Action Letter issued by Region III.

2.3 Summary of Toledo Edison Company Response

Toledo Edison Company (the licensee) responded to the NRC request for information with the submittal of a document entitled "Davis-Besse Course of Action" on September 10, 1985. This document has been revised periodically in response to NRC requests for additional information and with additional supporting information as it has become available.

The Course of Action report describes (1) the programmatic actions Toledo Edison Company has taken to improve its management structure, particularly with respect to plant maintenance; (2) the results of investigations into the causes of malfunctions of equipment and the corrective actions to be taken; (3) other procedural and system modifications and improvements made to minimize the possibility of a recurrence of a similar loss of feedwater; and (4) the program for review of systems important to safe operation of the facility to uncover problems that could potentially interfere with the ability of the systems to perform their intended functions and to identify the corrective actions necessary to remedy any problems.

3 EVALUATION OF TOLEDO EDISON COMPANY ACTIONS

3.1 Management and Programmatic Aspects

Over the past several years of operation at Davis-Besse, the staff has identified deficiencies through enforcement actions, a Performance Appraisal Team (PAT) inspection, and Systematic Appraisal of Licensee Performance (SALP) evaluations, as well as through more routine inspection and licensing contacts.

In late 1983, Toledo Edison Company (the licensee), in response to a request from the NRC Region III Administrator, initiated the Performance Enhancement Program (PEP) to improve regulatory performance. Modifications to this program were made in response to the latest SALP (January 1984) and, before the event on June 9, 1985, the licensee had initiated efforts to strengthen the organization and ensure improved performance.

The Incident Investigation Team identified 18 principal findings and conclusions (NUREG-1154). Most of these findings and conclusions relate directly or indirectly to the weak performance of the Nuclear Mission management and to the overall quality of maintenance and training, some of the same programmatic aspects identified by the SALP, PAT, and other regulatory programs. Accordingly, the August 14, 1985, letter requested that the licensee address "the programmatic and management issues that have contributed to this event and more generally to the recent performance of Davis-Besse." The specific areas of concern were as follows:

(1) adequacy of management practices including control of maintenance programs, use of operational experience, degree of engineering involvement, testing, root cause determination of equipment misoperation, licensed and non-licensed operator training, and post-trip reviews
(2) adequacy of maintenance program, including maintenance backlog, maintenance procedures and training, vendor interface, and correction of identified deficiencies
(3) adequacy of the resources committed to the Davis-Besse facility for investigating the event, resolution of the findings and conclusions before restart, and implementation of longer term measures to improve overall performance
(4) adequacy of procedures, equipment, and training for quickly and efficiently starting or restarting equipment for loss of feedwater mitigation
(5) adequacy of programs to minimize the likelihood of inadvertent isolation of AFW to both steam generators (including training of the plant operators and human factors aspects of the SFRCS control room equipment)
(6) adequacy of plant operating procedures including verification that plant procedures involving drastic action are sufficiently precise and clear to ensure timely implementation
(7) adequacy of the licensee's procedures and training for reporting events to the NRC Operations Center

3.1.1 Management Restructuring

The licensee has restructured the organization that has responsibility for the Davis-Besse Nuclear Power Station. This organization is called the Nuclear Mission. The Nuclear Mission is under the direction of the Senior Vice President, Nuclear, who previously reported to the Chairman and Chief Executive Officer of Toledo Edison Company. However, a subsequent change that became effective on January 1, 1986, has the Senior Vice President, Nuclear reporting to the President and Chief Operating Officer of Toledo Edison Company. A recent merger of Toledo Edison Company and Cleveland Electric Illuminating Company will eventually alter the organization with respect to the chain of authority through which the Senior Vice President, Nuclear reports and through which financial resources are allocated. The merger, however, should not alter the organizational structure below the Senior Vice President, Nuclear.

The licensee has retained the services of Mr. J. Williams, Jr., as Senior Vice President, Nuclear effective July 1, 1985 for a period of time up to approximately 18 months. Mr. Williams is a retired Vice Admiral who served for 37 years in the Navy. He has commanded two nuclear powered submarines and held the position of Commander of the U.S. Submarine Force Atlantic Fleet. After leaving the Navy, he became Director of Nuclear Construction and Testing for the Electric Boat Division of General Dynamics Company. Before joining Toledo Edison Company, Mr. Williams served as Senior Vice President, Nuclear Operations for Cincinnati Gas and Electric Company during 1983 and 1984.

When Mr. Williams' contracted assignment is completed, he will be succeeded by Mr. Donald C. Shelton. Mr. Shelton served in the U.S. Navy for 19 years and attained the rank of Captain. He is currently an engineering consultant with the Stone & Webster Engineering Corporation.

Six functional organizations of the Nuclear Mission report directly to the Senior Vice President, Nuclear. These are Nuclear Projects, Nuclear Engineering, Nuclear Training, Nuclear Safety and Licensing, Quality Assurance, and the Plant Manager. In addition, an Assistant Vice President, who is responsible for providing support services, nuclear fuel, emergency preparedness, environmental monitoring, and information services, reports to the Senior Vice President, Nuclear.

This management structure is shown in Figure 3.1.

The Nuclear Projects Division manages the facility modification effort by assisting in planning and scheduling as well as implementing modifications to the nuclear facilities, and provides contract administration services for the Nuclear Mission.

The Nuclear Safety and Licensing Division provides regulatory management and independent reviews of the activities that could affect nuclear safety of other Nuclear Mission divisions.

The Nuclear Training Division provides training to station personnel. This includes the training of licensed and nonlicensed operators and maintenance personnel for the Davis-Besse station. The licensee has expanded the training staff for Davis-Besse and is constructing an expanded training facility. The licensee has committed to install a plant specific simulator.


The Quality Assurance Division develops and implements a quality assurance program for the Davis-Besse station. Additionally, it implements the station Inservice Inspection Program.

The Nuclear Engineering Group provides engineering support for operation, maintenance, and facility changes, and for evaluation and resolution of regulatory, operation, and maintenance problems. The Nuclear Engineering Group has been expanded from a single division to four separate and expanded departments. These are the Nuclear Facilities Engineering, Operations Engineering, Nuclear Plant Systems, and Engineering Service Departments.

The Operations Engineering Department provides direct day-to-day engineering support to the Davis-Besse station. The former station Technical Section is included in the Operations Engineering Department. The Nuclear Facilities Engineering Department provides design engineering services to support additions and modifications. The Nuclear Plant Systems Department provides systems engineering support and services for resolving problems and for ensuring proper installation, operation, maintenance, and testing for optimum system performance and reliability. The Nuclear Engineering Services Department provides engineering services in the areas of design document control, design drafting, configuration management, and engineering change control administration.

A new division, reporting to the Assistant Vice President, Nuclear Operations, is responsible for records management, computer systems management, and documentation and correspondence control. This group contains the Records Management organization which previously had not been part of the Nuclear Mission organization.

The organization under the Plant Manager has been reorganized. Those individuals who report to the Plant Manager include a Chemistry and Health Physics Director; Technical Support Manager; Plant Services Manager; Assistant Plant Manager, Maintenance; Assistant Plant Manager, Operations; and a Planning Superintendent. The functions formerly performed by the Technical Support Section were transferred to the Operations Engineering Department of the Nuclear Engineering Division. The new Technical Support Section ensures compliance with applicable codes and regulations and provides a station review for design changes to ensure that they address station needs and concerns.

Toledo Edison Co. has hired Mr. L. Storz as Plant Manager. Mr. Storz has worked since 1983 as Assistant Plant Manager at the Waterford Nuclear Steam Electric Station, Unit 3. Before that, he was Assistant Plant Manager, Operations, at the V. C. Summer Nuclear Station for 3 years. From 1972 to 1979, Mr. Storz held various positions at the Point Beach Nuclear Plant, including that of Superintendent of Operations. He has held Senior Reactor Operator licenses for the Point Beach and Summer plants.

The staffing for the Nuclear Mission is being increased from 699 individuals to approximately 930; most of these individuals will be located at the site.

The staff has reviewed the organizational structure and finds that it meets the acceptance criteria of Section 13.1 of the Standard Review Plan (NUREG-0800).

The Standard Review Plai, (SRP) is used to establish minimum acceptable require-ments for plants currently being licensed, but, as stated previously, its use is not a requirement for older, previously licensed plants such as Davis-Besse.


However, because the SRP requirements are met, the staff concludes that the revised Davis-Besse organization is acceptable. The staff did, however, recommend that the licensee consider the establishment of an Independent Safety Engineering Group at the Davis-Besse station. The licensee has stated that a Department of Nuclear Safety has been established within the Nuclear Safety and Licensing Division. Part of the assigned responsibilities of this department closely approach those identified in Item I.B.1.2 of NUREG-0737 for the responsibilities of an Independent Safety Engineering Group. The staff considers that the licensee has been responsive to this recommendation.

3.1.2 Maintenance

The Incident Investigation Team (IIT) concluded in NUREG-1154 that the licensee's lack of attention to detail in the care of plant equipment was the underlying cause of the loss both of main and auxiliary feedwater. The team also concluded that the licensee has a history of attending to problems, maintenance, and testing of equipment, and of evaluating operating experience related to equipment in a superficial manner and, as a result, the root causes of problems are not always found and corrected.

As a result of the IIT conclusion and other past indications of poor maintenance practices, the staff identified a need to evaluate the conduct of maintenance at Davis-Besse. In mid-September 1985, the staff conducted a maintenance survey at Davis-Besse consistent with the Maintenance and Surveillance Program Plan (MSPP) being implemented by NRC's Division of Human Factors Safety at other sites.

The objectives of the maintenance survey at Davis-Besse were

(1) to obtain information regarding past maintenance practices consistent with the MSPP
(2) to obtain information about changes affecting the conduct of maintenance that have been or will be implemented subsequent to the event on June 9, 1985
(3) to highlight any identified omissions or weaknesses in the maintenance program that have been or will be implemented after the event on June 9, 1985

The NRC team observed that weaknesses impeding the conduct of maintenance had existed in the following areas:

(1) corporate commitment
(2) spare parts/material readiness
(3) supervision
(4) preventive maintenance
(5) maintenance backlog
(6) maintenance procedures
(7) communications
(8) defined responsibilities
(9) training

Subsequent to the event on June 9, 1985, the licensee independently identified weaknesses in the maintenance program at Davis-Besse and undertook measures to correct those weaknesses. The weaknesses and proposed corrective actions are described in the licensee's submittal dated September 10, 1985. These corrective measures were in the process of being implemented at the time the staff conducted the survey. The staff concluded from that survey that modifications to the maintenance program were being implemented by the licensee to address these weaknesses; however, because the modifications were in the early stages of development, the staff found that it was too early to judge the effectiveness of the modifications, although the initiatives by the licensee to improve the conduct and control of maintenance appeared to be appropriate based on field observations provided by the staff. The staff recommended that the ability of the new maintenance organization to function as designed be demonstrated before restart and that another survey be conducted after the changes had been in effect for a reasonable period of time.

A followup survey was conducted by the staff in late March 1986. The staff reexamined the areas of corporate commitment, spare parts/material readiness, supervision, preventive maintenance, maintenance backlog, maintenance procedures, communications, defined responsibilities, and training. Also reviewed was the functioning of the planning and scheduling organization and the implementation of administrative procedures.

The staff determined that the licensee had made considerable progress in all areas except maintenance backlog since the previous site visit. Although some problem areas still exist, they are not considered to be major programmatic weaknesses and do not appear to affect the functioning of the maintenance organization. Overall, the new maintenance organization appears to be functioning as intended. Particular strengths noted were in the areas of maintenance training and spare parts and material readiness.

The warehouse inventory has been completed and a computerized inventory tracking system as well as mechanical systems showing the status of parts is in place.

The expediting and procurement process has been successful in obtaining the necessary parts to accommodate the field work. Overall, good management techniques have been applied to the spare parts and material readiness area, so that parts are now available to support field personnel.

The staff toured the maintenance training facilities and interviewed both the maintenance instructors and the craft personnel who are receiving the training.

The staff did not, however, review the training program to the level of detail to which the staff currently reviews operations training.

The maintenance training laboratories that were under construction at the time of the previous visit have been completed and are well equipped. The training shift concept and the training council concept have been implemented and maintenance personnel are being trained. A point to note is that management implemented the training shift concept during this outage rather than after restart which, the staff believes, exemplifies management's commitment to the maintenance training program.

Construction is under way on a new 100,000 ft² maintenance facility. This five-story structure will contain office and shop space and is scheduled to be completed by November 1986.


The NRC staff investigated the area of outstanding Maintenance Work Orders (MWOs). Although a considerable number of MWOs have been completed, the number outstanding still remains high because new ones have been generated. Not all MWOs are related to plant operability or plant safety; therefore, rather than review absolute numbers of MWOs, the NRC staff focused on the licensee's ability to manage and control the MWOs. The staff concluded that the licensee is able to effectively manage the open MWOs. All MWOs have been prioritized and a determination has been made as to whether completion of the MWO is necessary for restart.

The licensee has stated that MWOs that may affect plant performance will be completed before restart or will be scheduled for completion commensurate with their significance. The licensee has not identified to the staff which MWOs will be outstanding at restart; however, the licensee has prioritized MWOs on systems important to safety as to whether or not they are required to be completed before restart. The licensee has stated that the following criteria are applied to determine which MWOs are to be completed before restart:

(1) required for restart from the System Review and Test Program (SRTP) (refer to Section 3.4 for a description of the SRTP)
(2) required by the action plans for the event on June 9, 1985
(3) required to ensure the operability of the 34 systems reviewed by the SRTP
(4) necessary to ensure containment integrity
(5) necessary for safe operation of systems required for plant operation

MWOs that do not meet the above criteria are not required for restart. Region III staff will monitor outstanding MWOs to ensure continued control and progress.

The staff reviewed approximately 1000 MWOs not scheduled for completion before restart to ascertain the licensee's compliance with the stated bases for making this determination. This was done by reviewing the titles of the MWOs to identify those that might not meet the MWO required-for-restart criteria. The majority of MWOs reviewed conformed with the licensee's restart criteria. The team questioned some items, but the licensee was able to justify their dispositions in almost all cases. The licensee agreed to reconsider those cases where the qualitative discussion it presented did not satisfy the staff. The staff concluded that the licensee's stated criteria are acceptable and that the licensee is applying consistently the stated criteria for determining those MWOs needed to be completed before restart. A summary of MWO status is given in Table 3-1.

The staff concludes that the licensee has made considerable progress in the area of plant maintenance. The new maintenance organization is functioning as designed; no major identifiable weaknesses are evident. The few problem areas noted by the staff are not considered major programmatic weaknesses and they do not adversely affect the functioning of the maintenance organization.

3.1.3 Procedures and Training

The IIT found that the operators, licensed and non-licensed, performed well during the event to restore decay heat removal, stabilize the plant, and bring the plant to a safe condition without any major damage to equipment or release of radioactivity. The operators were found to have performed well as a coordinated group and provided timely corrective actions from outside the control room. These actions, which prevented a potentially more serious event, indicate that the operators generally were aware of plant conditions and responded to them in a deliberate manner. However, this noteworthy performance was not without problems. Operator errors occurred, procedures were not strictly complied with, and man-machine interface problems were revealed.

The licensee has reviewed the operational significance of the event. The following sections present the staff's evaluation of the licensee's actions taken relative to operating procedures and training.

3.1.3.1 Plant Operating and Emergency Procedures

Premature Actions To Control Steam Header Pressure on Reactor Trip

At Davis-Besse, some operators had routinely lowered the steam header pressure after a reactor trip to reduce the likelihood of challenges to steamside safety valves. This practice had developed because safety valves have a history of sticking open. Premature reduction in steam system pressure can result in excessive reactor coolant shrinkage and reduction of pressurizer level. The licensee stated that it will provide additional training for its operators before startup from the current outage to discourage premature reduction of pressure in the steam system. The training will cover calculations of the effects of premature steamside pressure reduction on the reactor coolant system. The training also will reinforce the necessity to take specific corrective action if a safety valve is malfunctioning.

The licensee has stated that manual reduction of steam header pressure after reactor trip is called for only when there has been an equipment malfunction such as a stuck-open steam system safety valve, and that the existing procedures provide for the identification and mitigation of these malfunctions. The licensee has cited actions taken to improve the steam system safety valves and thereby increase operator confidence in their reliability. Although operator concern for avoiding safety valve challenges would seem valid because of previous valve performance, the licensee has justified the acceptability of the Davis-Besse design and procedures so that manual steam header pressure control should not be needed to avoid delayed reseating of the valves. In addition, procedures are available to address malfunctions. On the basis of its judgment that the licensee is achieving a reasonable balance, the staff finds the present procedures acceptable.

Recognition of Steam Generator Dryout Conditions

During the event on June 9, 1985, plant conditions were reached for which emergency procedures required taking actions to mitigate a lack of heat transfer and initiation of makeup/high pressure injection (MU/HPI) cooling; however, these actions were not taken. At the time the conditions occurred, the personnel responsible for reading and directing emergency procedures were distracted from that task by other tasks that had to be performed from outside the control room. This delayed recognition of plant conditions. In addition, the control room instrumentation needed to apply the decision criteria specified in the guidelines to determine steam generator dryout was not adequate.


The licensee stated that the emergency procedure will be modified to include specific criteria to indicate lack of heat transfer, requiring the initiation of MU/HPI cooling. These criteria are a hot-leg temperature greater than or equal to 600°F when there is reactor coolant system flow or a core exit thermocouple temperature greater than or equal to 600°F in the event of no flow. The bases for this change are Babcock & Wilcox (B&W) loss-of-feedwater analyses that indicate that if MU/HPI cooling is initiated within 10 minutes after the hot-leg temperature reaches 600°F, the core will not be uncovered. The B&W analyses indicate that the 600°F criterion will not result in spurious initiation of MU/HPI. On the basis of these analyses, the staff finds acceptable the new criteria for initiation of MU/HPI cooling and the licensee's proposed program to ensure compliance with procedures.

Steam and Feedwater Rupture Control System

A review (by the licensee) of Emergency Procedure EP-1202.01, "RPS, SFAS, SFRCS Trip or Steam Generator Tube Rupture Emergency Procedure," that was used during the event on June 9, 1985, uncovered an error in one of the tables in the procedure. The operators use this table to verify proper SFRCS response following a trip condition. The table did not properly designate the steam generator drain valves' and startup feedwater valves' positions under full trip conditions.

The errors will be corrected in a revision to EP-1202.01 before restart. The staff finds this acceptable.

In addition, the staff is reviewing the licensee's procedures generation package that describes the program for upgrading the emergency operating procedures in accordance with the requirements of Generic Letter 82-33, "Requirements for Emergency Response Capability (Supplement 1 to NUREG-0737)." The verification and validation of the emergency operating procedures and changes thereto, as described in the procedures generation package, should provide assurance that this sort of error will not be repeated.

Adequacy of Control Room Instruments To Support Decision Steps in EP-1202.01

During the event on June 9, 1985, operators failed to recognize steam generator dryout conditions when they occurred. Although this is partly attributable to the Senior Reactor Operator leaving the control room to perform other necessary tasks to regain feedwater flow and, thus, interrupting the reading of the procedure in which dryout conditions are defined, it is questionable whether the steam generator level stated in the procedures could be read with sufficient accuracy using control room instrumentation to determine with precision when the dryout criterion had been reached. The licensee stated that EP-1202.01 and all procedures for abnormal occurrences will be reviewed before restart with regard to the adequacy of existing control room instruments. If necessary, instruments will be color coded to denote important parameters to support significant actions of EP-1202.01 and other procedures for abnormal occurrences.

The licensee concluded that instruments for recording steam generator pressure, condensate flow, and steam generator level require finer graduation and that labeling could be improved in some instances. The licensee indicated that the adequacy of instrument sensitivity was considered during the review and no deficiencies were discovered other than to apply feed-and-bleed initiation criteria.

The staff concludes that the licensee's review with regard to instrumentation adequacy to support EP-1202.01 is acceptable.


Operation of Valves AF-599 and AF-608 Not in System Procedures

During the event on June 9, 1985, the operators experienced difficulty reopening valves AF-599 and AF-608 that had failed to open automatically when the operator corrected the erroneous SFRCS low pressure manual actuation. They were not familiar with the circuitry and control logic for these valves, and guidance on the operation of these valves was not available in the appropriate system operating procedure, SP-1106.06. The licensee stated that it will add this guidance to SP-1106.06, including any modifications resulting from followup of the event.

The staff finds this acceptable. The licensee's measures to increase operator familiarity with the circuitry and control logic for AF-599 and AF-608 and the NRC staff's review of those measures are discussed in Section 3.1.3.5 of this SER.

Realignment of Auxiliary Feedpump Miniflow Recirculation Flowpath

During the event on June 9, 1985, a considerable amount of condensate was lost via a minimum flow recirculation flowpath to the floor drains. The loss of a large amount of water by this path would require a transfer of auxiliary feedwater suction to the service water system (a less preferred source because of water quality, but a safety grade supply). The licensee has added a step to the emergency procedure to realign the auxiliary feedwater recirculation path to the condensate storage tank to conserve the preferred water. The staff finds no safety implication with this modification and finds it acceptable.

Auxiliary Feedpump Suction Transfer to Service Water

At Davis-Besse, low auxiliary feedpump suction pressure results in an automatic transfer of pump suction from the condensate storage tank (preferred source) to the service water system. No procedural guidance exists for transferring the suction source back to the condensate storage tank, if appropriate.

The licensee has stated that procedural changes will be made to provide specific criteria for deciding if and when to transfer AFW pump suction back to the condensate storage tank. The licensee stated that this transfer back to the condensate storage tank as a suction source does not involve disabling the automatic transfer to service water. Therefore, as continued availability of auxiliary feedwater is assured, the staff finds this acceptable.

Main Steam Isolation Valve (MSIV) Status

During the event on June 9, 1985, operators did not recognize that the MSIVs had closed until several minutes into the event. The licensee will add verification of MSIV status to the Supplementary Actions in the emergency procedure.

The staff finds this addition acceptable.

Manual Versus Automatic Safety System Actuation

During the event on June 9, 1985, operators anticipated the automatic operation of the SFRCS and manually actuated the system. However, an operator error in actuating the system resulted in an incorrect system configuration and contributed directly to subsequent events.


The licensee has evaluated the practice of anticipatory action to manually initiate safety functions and concluded that it is neither desirable to preclude such anticipatory operator action nor to require the reactor operator (RO) to obtain specific permission from the control room Senior Reactor Operator (SRO) before acting. However, the licensee did clarify control room protocol so that when the SRO is in the control room, the RO will inform the SRO of his intent to take anticipatory action. The SRO may direct that the action not be taken.

The licensee has reinforced its simulator training program to reflect this policy.

The staff notes that the staff SER on the B&W generic guidelines (Generic Letter 83-31) on which Davis-Besse emergency procedures are based states that "since each (operator) error of importance will manifest itself as an abnormal system or plant response and will be treated accordingly, operator error is adequately covered." Hence, Davis-Besse guidelines already provide some measure of compensation for random operator error. The staff finds the licensee's measures acceptable.

Operator Performance of Significant Actions

Following the event on June 9, 1985, a concern arose as to whether plant procedures requiring significant action are unambiguous to ensure timely implementation. The significant action of concern during the event was the initiation of MU/HPI cooling. This mode of cooling is required on entry into the section on emergency procedures for treating lack of heat transfer. The licensee has indicated that the Operations Superintendent will stress to all plant operators that it is mandatory to follow emergency procedures for situations in which the procedures prescribe specific immediate actions based on engineering analyses and/or procedure development techniques. However, the licensee also indicated that operators must rely on their training and judgment in plant operation and transient response, particularly where procedures do not prescribe specific and/or immediate actions. In addition, the emergency procedures will be reviewed before restart to ensure clarity and explicitness where significant actions are required.

The staff finds that the above measures can ensure adherence to emergency procedures and are acceptable.

3.1.3.2 Role of Shift Technical Advisor

The licensee has changed the work schedule for Shift Technical Advisors (STAs) so that the duty is now carried out in 12-hour shifts rather than 24-hour shifts.

The STA now spends the entire shift within the protected area and has an office within 1 to 2 minutes' walking distance of the control room. The STA, by procedure, is required to respond to the control room within 10 minutes when called.

The administrative procedure that assigns the responsibilities and authority of the STA has been revised to instruct the STA to participate in each shift turnover with the Shift Supervisors. The STA will also be kept abreast of significant events that affect plant safety or performance.

For the long term, additional STAs are being trained so that on completion of their training there will be enough STAs to be assigned to operating shifts and to rotate on the same schedule as that shift. STAs will be SRO licensed. Training of these additional STAs will be completed by January 1, 1987.


The staff has reviewed the changes, both short and long term, and finds that they provide for increased awareness of plant status and increased STA availability to the control room, meet Item I.A.1.1 of NUREG-0737, and, therefore, are acceptable.

3.1.3.3 Reporting of Events

Guidance on reporting events to the NRC Operations Center was contained in sections of Administrative Procedure AD 1839.00, "Station Operations." This comprehensive procedure contained the administrative controls established for the various duties of the onshift crew.

Regarding notifications associated with Emergency Plan activations, the procedure correctly stated that the NRC Operations Center was to be called following the initial notification of local governmental authorities, but not later than 1 hour after any emergency declaration. The procedure also stated that, although the Shift Supervisor was responsible for making initial incident reports, the Shift Supervisor has the prerogative of selecting a knowledgeable person to maintain an open line with the Operations Center until released by NRC personnel. The procedure indicated that all conversations with persons in the Operations Center would probably be recorded by the NRC and that the Shift Supervisor need only record in the unit log the fact that the NRC had been contacted.

Since the event on June 9, 1985, the licensee has initiated actions to refine procedural guidance on contacting the NRC Operations Center. The licensee concluded that, in conversations with the NRC on the early morning of June 9, the STA did not adequately convey specific plant conditions, the reason for the notification, and the severity of the transient. The licensee also concluded that onshift personnel were not sufficiently prepared to answer the NRC Duty Officer's specific questions. The licensee determined that the procedural guidance on providing information to the NRC was inadequate. Consequently, the licensee revised Procedure AD 1839.00 to ensure that onshift personnel will be prepared to anticipate the NRC's information needs and questions. The licensee has committed to complete training of all licensed personnel and STAs on the revised procedure before restart. The staff considers the licensee's corrective action and schedule acceptable.

A Severity Level IV Notice of Violation was issued to the licensee because the State of Ohio's Disaster Services Agency (DSA) was not notified of the Unusual Event declaration on June 9, 1985, until after it had been terminated, or at least 6 hours after it had been declared. As stated in Inspection Report No. 50-346/85023, the licensee had already completed corrective measures designed to ensure prompt notification of State and county officials of any Emergency Plan activation.

On June 9, 1985, the licensee's emergency implementing (EI-series) procedures, referenced in Procedure AD 1839.00, required its personnel to contact the Ottawa County Sheriff's dispatcher, who is on duty 24 hours a day, within 15 minutes of any emergency declaration. The dispatcher was procedurally required to contact the Ohio DSA, as well as various local officials. However, the dispatcher's procedure was flawed in that it contained different guidance on how to notify State officials, depending on which of the four emergency classes had been declared. For any Unusual Event declaration, the dispatcher was to contact a local representative (Resident Radiological Analyst) of the Ohio DSA who, in turn, would contact DSA's 24-hour Duty Officer in Columbus, Ohio. For any of the other three emergency classifications, the dispatcher was procedurally required to contact the Ohio DSA's Duty Officer, who would then notify DSA's local analyst.

In mid-June 1985, the licensee revised relevant EI-series procedures to require that its personnel notify both the county Sheriff's dispatcher and the Ohio DSA's 24-hour Duty Officer following any emergency declaration at the Davis-Besse station. These revisions were made at the request of the Governor of Ohio. In July 1985, representatives of the Ohio and Ottawa County DSAs informed NRC staff that the dispatcher's procedures would be revised so that the dispatcher would also call the State's 24-hour Duty Officer after any emergency declaration at Davis-Besse. These measures should prevent a failure to promptly notify State and county officials of any Emergency Plan activation.

3.1.3.4 Security

During the event on June 9, 1985, operations personnel were dispatched to several locations within the plant to reset, recover, and locally operate equipment. In getting to and operating the equipment, personnel had to pass through security doors controlled by key card access systems, pass through a locked hatchway, and operate locked valves. Although all doors and locks were opened, there is concern for the potential of not being able to operate necessary equipment because of access problems.

Availability of Keys

During the event, the Shift Supervisor had to leave the control room to obtain keys. The licensee has now installed an emergency-key locker in the control room panel area containing keys necessary for emergency operations. The staff considers this an adequate resolution to the problem, provided that the operating crew has access to a key to the locker.

Locked Valves

Numerous valves throughout the plant are locked in their desired position by chains and padlocks, and their operation is under administrative control. This system was implemented to fulfill a TMI Action Plan commitment to prevent unauthorized operations that could render necessary systems unavailable. The event on June 9, 1985, caused the licensee to recognize the need to balance security requirements against the possibility that the valves may have to be manually repositioned quickly in emergency situations. The licensee has proposed to improve the availability of locked-valve keys for emergency use. Each of the four plant zone operators will be provided with an emergency-use-only key ring that contains a locked-valve key. The key ring will be turned over to the oncoming operator as part of the shift relief. The staff finds this proposal an acceptable balancing of the conflicting needs.

Security Door Access to Vital Areas

Vital areas within the plant are secured using a key card system controlled by a central security computer. Because of problems with access experienced in the past and the concern for quick access during emergencies, the licensee has evaluated several alternatives and implemented a system to address the balancing of these concerns. Evaluation of this item has been addressed in accordance with applicable safeguards procedures. The licensee's system was determined to be acceptable.

3.1.3.5 Training

Absence of SROs from the Control Room During Use of Emergency Procedures

For a period during the event, both SROs left the control room to perform necessary activities elsewhere in the plant. This interrupted the reading of Emergency Procedure EP-1202.01 and led to a delay in deciding the course of action.

The licensee has revised procedures to require that once actions required by EP-1202.01 have begun and the SRO has assumed the duties of Procedure Director, that SRO will remain in the control room until relieved by another SRO. To ensure adherence to these requirements, Administrative Procedure AD 1839.00, which governs the conduct of shift operations, will be revised before restart to reflect this requirement. To ensure that SROs are aware of this requirement, they will be trained on this revision before startup. In addition, this requirement will be covered by the biennial Licensed Operator Requalification Program.

The staff concludes that the revised procedure and training should ensure that SROs are aware of and adhere to the requirements. By regulation 10 CFR 50.54(m)(2)(iii), an SRO must be present in the control room at all times except when the reactor is in cold shutdown or refueling. The licensee has been advised by the NRC (letter from J. Stolz to R. Crouse, dated June 14, 1984) that this requirement is met if there is an SRO in the control room the majority of the time and whenever his presence is not required by duties elsewhere in the plant.

Therefore, even though there was no SRO in the control room for a short period during the event, the provisions of 10 CFR 50.54(m)(2)(iii) were not violated.

Role of Interim Emergency Duty Officer

Whenever emergency situations exist, the Shift Supervisor must assume the responsibilities of the Emergency Duty Officer. During the event on June 9, 1985, the Shift Supervisor became overburdened and had to prioritize his duties consistent with training and guidance provided in the Emergency Plan. The licensee has revised its training program for STAs to prepare them to assume the role of Emergency Duty Officer during the time that the Shift Supervisor is unavailable. This will assist the Shift Supervisor, who maintains ultimate responsibility. The appropriate EI 1300-series Emergency Plan Implementing Procedures have been modified to indicate this responsibility. The licensee provided training to the STAs that included the delegation procedure. This training emphasized the necessity for the STA to remain aware of plant conditions as they pertain to emergency action levels so that the interim duties of the Emergency Duty Officer can be assumed when delegated by the Shift Supervisor.

The Nuclear Training Division will educate Shift Supervisors and Assistant Shift Supervisors on this process through normal licensed operator training on procedure revisions. The staff concludes that the procedures and training will ensure understanding of the delegation process and the role of the STA when serving as Emergency Duty Officer.


Other Infrequent, Difficult, or Critical Operator Actions

In performing the actions required during the event on June 9, 1985, the operators experienced some difficulties. As part of the training systematic development (TSD) process, the licensee has conducted a job analysis to identify those critical and difficult tasks that require additional training. In conjunction with these task lists, the Operations Department conducted a review of EP-1202.01 and all procedures to be followed during abnormal events. The licensee has provided a description of how tasks were identified for additional training as well as a summary of the results of the review. If further review verifies that the tasks are appropriate, they will be incorporated into restart training.

Classroom training will include complete review of selected abnormal procedures.

On-the-job training will be provided for tasks for which training in the job setting is better.

Conducting a job analysis to generate task lists for training on and reviewing of procedures to be followed during abnormal events can ensure the appropriate training for infrequent, difficult, and critical tasks. The programs were submitted by the licensee on February 26, 1986, and are being reviewed by the staff. Staff evaluation of the programs will be the subject of an SER separate from this report.

Incomplete Understanding of the Loss-of-Feedwater-Event Analyses

Interviews with operators following the event on June 9, 1985, revealed questions regarding the understanding of the loss-of-feedwater-event analyses, particularly with regard to assumed specific timeframes and equipment configurations. All licensed operators will receive training relative to the results of specific loss-of-feedwater analyses and revised procedures relating to lack of heat transfer before startup. The licensee stated that the training program being developed will ensure that all licensed and nonlicensed operators understand the loss-of-feedwater-event analysis. The program will include at least the following:

(1) a comparison of the event on June 9, 1985, with the analysis, assuming feedwater was not restarted and operator action to commence feed-and-bleed cooling began at 30 minutes

(2) a discussion of nine cases of a complete loss-of-feedwater transient at 102% of full power (These cases will consider different combinations of operator action times, relief capacities, and equipment availability.)

(3) a discussion of the engineering basis for MU/HPI cooling (This discussion will include parameter selection criteria, setpoint criteria, and plant responses consideration to determine when MU/HPI cooling should be initiated.)

The assumptions used in the analysis, the specific results of the analysis, and how the assumptions and specific results of the analysis relate to EP-1202.01 will be included in the discussions. Revisions made to EP-1202.01 resulting from the loss-of-feedwater analysis will be incorporated into this training program.


All licensed individuals and Shift Technical Advisors must pass a written examination to ensure a complete understanding of the loss-of-feedwater analysis and the relationship of this analysis to EP-1202.01. The staff concludes that the training program described by the licensee is adequate and should ensure that operators will acquire satisfactory understanding of loss-of-feedwater-event analyses.

Performance of Manual Pressure-Temperature Plotting When Safety Parameter Display System Is Not Functioning

During the event on June 9, 1985, with the safety parameter display system (SPDS) out of service, the operators did not manually plot reactor coolant system pressure and temperature as they had been trained to do. To facilitate manual pressure-temperature (P-T) plotting, when appropriate, the licensee has stated that the following actions have been taken:

(1) During the 1985 annual simulator requalification training, at least 1 of the 5 days of training was conducted with an inoperable SPDS. It was observed that operators performed manual P-T plotting during appropriate transients. This will be a requirement in all future annual simulator requalification training.

(2) A plastic-covered P-T graph and writing device has been provided on the operator console in the control room to be used if the SPDS is unavailable.

The staff finds these actions acceptable.

Resetting of Auxiliary Feedpump Turbine Trip Throttle Valve

Because operators were not familiar with resetting the overspeed trip mechanism, they experienced difficulty restarting and controlling the auxiliary feedwater turbines after overspeed trips during the event on June 9, 1985. The licensee now requires hands-on training for all plant operators and licensed personnel on resetting the trip throttle valve and turbine overspeed mechanism from a tripped condition during a simulated accident. The staff finds that this measure addresses the specific problem and is acceptable.

AF-599 and AF-608, Auxiliary Feedwater Containment Isolation Valves' Operating Logic

During the event on June 9, 1985, operators experienced difficulty reopening valves AF-599 and AF-608 from the control room. Operator actions reflected some confusion about the circuitry and control room switches for these valves. The licensee will train all operators on the functioning of these valves, including any physical modifications that may result from followup of the event. The staff finds this measure appropriate and acceptable provided the training includes testing on all aspects of these valve functions.

Improper Manual Steam and Feedwater Rupture Control System Actuation

A complicating factor during the loss-of-feedwater event on June 9, 1985, was improper manual actuation of the steam and feedwater rupture control system (SFRCS). The licensee stated that before startup from the current outage, it will train all licensed personnel on proper actuation of the SFRCS for all combinations of actuations, including any changes made to the SFRCS as a result of followup of the event. Training will include simulator exercises and will identify potential negative consequences of improper actuation. The staff finds this training acceptable.

3.1.4 Operating Experience Feedback and Post-Trip Review

The licensee's program for the feedback of operating experience is currently described in Section 6 of Administrative Procedure AD 1839.04, Shift Technical Advisor, under the title of "Operating Experience Assessment Program." The STA receives information on in-house licensee event reports (LERs) and the Davis-Besse Transient Assessment Program, and from external sources such as other B&W Transient Assessment Program reports, Institute of Nuclear Power Operations (INPO) Significant Operating Event Reports, Nuclear Network Reports, and NRC IE Bulletins and Information Notices.

Significant information is sent to appropriate section or department heads and the Training Manager for inclusion into training programs. Important items are sent to the Station Commitment Tracking Clerk. The licensee's Quality Assurance Section periodically audits the STA operating experience assessment program duties.

The responsibilities of the operations assessment program have been transferred to the Operations Engineering Department of the Nuclear Engineering Division as of January 1986. The program's scope will continue to encompass those elements of the current program and will focus on additional topics of operating experience interest. Important items will be tracked internally by the group responsible for the program's operation. Operations assessment program procedures based on Operations Engineering Department standards will be in place by June 1986.

The staff finds that this program meets the acceptance criteria for the feedback of operating experience of Standard Review Plan (SRP) Section 13.5.1.

The licensee reviewed its management practices for post-trip reviews in response to Generic Letter 83-28, Item 1.1 (Post-Trip Review). The staff has reviewed (1) the licensee's criteria for determining the acceptability of restart, (2) the chain of command for responsibilities for post-trip review and evaluation, (3) the methods and criteria for comparing the event information with known or expected plant behavior, and (4) the criteria for determining the need for an independent assessment of the event. The staff found these management practices acceptable.

3.2 Plant Review

3.2.1 Event-Specific Investigations

On June 10, 1985, the day after the loss-of-feedwater event at Davis-Besse, the NRC Region III Office issued a confirmatory action letter indicating, among other things, that the licensee was not to perform any activities on equipment that had malfunctioned during the event until the IIT was able to review the proposed activities. The IIT met with the licensee's representatives to ensure agreement about which equipment should be placed on the "freeze list" and to establish a plan of action for determining the fundamental causes for equipment malfunctions. The following 12 items were placed on the freeze list:

(1) MFPs turbine and controls

(2) SFRCS and associated instrument channels

(3) auxiliary feedpump turbines and controls

(4) MSIVs including controls--actuating circuits, pneumatic supplies

(5) startup feedwater valve SP-7A and controls

(6) source range instrument channels

(7) turbine bypass valve (TBV) SP-12A2--any other components for which there is found an indication of waterhammer damage; traps and drains associated with No. 2 TBV header: MS 2575, MS 737, MS 739, ST 3, ST 3A

(8) PORV and controls and actuation system

(9) main steamline safety valves and atmospheric vent valves

(10) AF-599 and AF-608 valves, actuators, and controls

(11) MS-106 and controls

(12) SW valve and controls on J W alternate supply

The licensee set about developing troubleshooting plans to ensure that these 12 activities would be conducted in a controlled, systematic manner and to ensure that adequate records of the as-found condition of the equipment were maintained.

The licensee developed general guidelines to be followed while conducting investigations into the causes of failures of equipment; these guidelines are contained in Appendix B of NUREG-1154. For each of the 12 items on the freeze list (above), the licensee has prepared Findings, Corrective Actions, and Generic Issues reports which are included in the licensee's Course of Action report.

In general, these reports present the results of locating and eliminating trouble in the equipment, reviewing past problems with the equipment, hypothesizing about possible failure causes and evaluating each hypothesized cause, and determining the most likely cause for the failure experienced. When appropriate, any generic concerns with regard to other plant equipment were identified. Actions to correct the problems and prevent recurrence are also identified. This section presents the results of the staff's evaluation of the licensee's investigations relating to equipment that failed during the event.

The staff's conclusions with regard to the adequacy of the investigations and the appropriateness of corrective actions are discussed.


3.2.1.1 Auxiliary Feedpump Turbine Overspeed and Control

The staff has reviewed the licensee's Findings, Corrective Actions, and Generic Implications report entitled "Overspeed Trips of the Auxiliary Feed Pump Turbines on June 9, 1985 at Toledo Edison's Davis-Besse Nuclear Power Station" concerning the problems associated with an overspeed trip of the two auxiliary feedpump turbines (AFPTs). The AFPT is a steam-driven turbine that drives the auxiliary feedwater pump. Both of the auxiliary feedwater pumps (AFPs), including the turbine and overspeed trip mechanism (OTM), are identical except for the model of the governors.

Each AFPT is fed from its respective steam generator (SG); that is, SG No. 1 feeds AFPT No. 1 and SG No. 2 feeds AFPT No. 2. In addition, there are cross-connections so that SG No. 1 can feed AFPT No. 2 and SG No. 2 can feed AFPT No. 1. These cross-connected lines at the time of the event on June 9, 1985, were normally closed. During the event, a low-level signal from SG No. 1 opened the steamline to AFPT No. 1. When the operator tripped (5 seconds later) both channels on low SG pressure, the normal steamlines were isolated and the cross-connected steamlines were opened. The licensee has determined by analysis that a large quantity of condensate could have been formed when steam was admitted to the cold cross-connect lines. The condensation in the steamlines formed water slugs at the AFPTs and could have caused the overspeed of the AFPTs.

The licensee has proposed three different scenarios to explain how this water slug could have caused the AFPT to trip on overspeed. In the first scenario, the water slug in the governor valve caused the valve to open too far in an attempt to maintain turbine speed. When the water cleared the valve, the valve admitted too much steam and the AFPT tripped on overspeed. In the second scenario, the water flashed as it entered the turbine and thereby accelerated the turbine until it tripped because of the sudden expansion. The third scenario was hypothesized to be similar to the first scenario except the water slowed down the turbine and the governor valve opened to maintain speed. When the water cleared the turbine, the governor valve was open too far and the turbine tripped on overspeed. To support this hypothesis, the licensee also calculated the quantity of condensate that could be formed in the normal lines used to power the AFPTs. When compared, the quantity of condensate formed in the line from SG No. 1 to AFPT No. 1 was almost as much as from SG No. 2 to AFPT No. 1. The licensee could not explain why AFPT No. 1 had never tripped on overspeed when fed from SG No. 1. In addition, the licensee has not determined how or why the condensate resulted in the overspeed tripping of the AFPTs. The identification of the root cause was done hypothetically and the licensee does not propose to perform any verification tests.

The licensee has proposed maintaining all steamlines from the steam generators to the AFPTs at full pressure and temperature up to the turbine inlet isolation valves, which are approximately 10 feet from the turbines, by keeping open the cross-connect steamline isolation valves. The turbine inlet isolation valves are to be replaced with pneumatically operated control valves. Thus, on an initiation signal, the new valves will be required to open. The isolation valve from each steam generator to its respective AFPT would be normally closed and, therefore, would also be automatically opened. The failure to open the isolation valves will not prevent the AFPTs from getting steam because the cross-connect isolation valves are open. This valve lineup has been tested by the licensee using auxiliary steam. The AFPTs can only achieve a speed of 3200 rpm using auxiliary steam and, therefore, no testing has been performed for overspeed conditions.

On the basis of its review of the licensee's Findings, Corrective Actions, and Generic Implications report, the staff believes that the licensee has identified the most probable cause of the overspeed trips of the AFPTs and has taken the appropriate corrective action.

3.2.1.2 Auxiliary Feedpump Turbine Trip Throttle Valve

The staff has reviewed the licensee's Corrective Actions and Generic Implementations report entitled "AFPT Overspeed Trip Throttle Valve Problem" concerning the problems associated with resetting the trip throttle (T&T) valve during the June 9, 1985, event at Davis-Besse. The T&T valve is a steam admission valve to the Terry turbine that drives the AFW pump. Both of the AFW pumps, including the turbine, T&T valves, and overspeed trip mechanism (OTM), are identical at Davis-Besse. However, at the time of the event, the turbine governor systems were not alike.

The OTM consists of a spring-loaded tappet in the turbine casing. The tappet is struck by a spring-loaded weight when the weight is pulled sufficiently away from the turbine shaft by centrifugal force. When the tappet is struck, it moves away from the turbine shaft and releases the spring-loaded trip linkage. The linkage releases the latch on the T&T valve allowing the spring in the T&T valve to close the valve. Resetting the AFPT overspeed trip involves moving the linkage, resetting the OTM, resetting the latch on the T&T valve, and re-engaging the valve operator to the valve internals. If the linkage is not moved far enough, the OTM will not reset and, if the T&T valve latches, the latch will hold only because of the friction between the parts of the linkage.

The problem, as identified in the licensee's report, involved three areas: (1) improper procedures, (2) inadequate training, and (3) insufficient trip status indication at the AFW pumps. On the basis of its review of the licensee's submittal, the staff finds that the licensee has adequately identified the root causes of the equipment operator's inability to reset the AFW pump after being tripped on overspeed. In general, NUREG-1154 indicates that the equipment operators performed their tasks associated with resetting the AFW pump trips as well as possible given the information and training provided. It is the staff's opinion that if any one of the above areas had not been deficient the equipment operators probably would have been successful in resetting the AFW pumps.

The licensee has proposed the following corrective actions:

(1) Modify the appropriate procedures to reflect the proper reset sequence for the OTM.

(2) Modify the testing procedures to ensure that the T&T valve and OTM are reset after testing.

(3) Provide operator training on the theory of operation for the OTM and T&T valve.


(4) Provide hands-on training in the proper resetting of the OTM and opening of the T&T valve with a minimum steam pressure of 800 psi.

(5) Design and install local position indication of the OTMs and position indication of the T&T valves.

(6) Post simplified operating instructions near the T&T valves.

(7) Paint the yoke of the T&T valve, the latch-up lever, trip yoke, and connecting rod (for both AFPTs) in yellow to distinguish this equipment as important to the operation of the overspeed trip (in addition, the manual trip level will be painted red).

(8) Improve communication for the equipment operators between both pump rooms and with the operators in the control room.

These corrective actions are to be completed before leaving cold shutdown (Mode 5), except for item 4, which will be completed while the plant is in hot shutdown (Mode 3). The licensee identified additional planned actions to correct discrepancies noted during the course of its investigations. These actions include additional surveillance tests, preventive maintenance, and replacement of some components.

On the basis of its review of the licensee's submittal, the staff believes that the licensee has identified the root causes of the operators' inability to reset the AFPTs. On the basis of the identified root causes, the staff believes that the licensee has proposed reasonable corrective actions.

3.2.1.3 Spurious Steam and Feedwater Rupture Control System Actuation and Spurious Main Steam Isolation Valve Closure

The steam and feedwater rupture control system (SFRCS) at Davis-Besse is an engineered safety feature to monitor plant parameters (steam generator level and pressure, differential pressure between the steam line and main feedwater line for each steam generator, and the loss of all four reactor coolant pumps), initiate auxiliary feedwater (AFW) flow, and isolate a ruptured steam generator and redirect AFW flow to the intact steam generator. Valves controlled by the SFRCS to isolate a ruptured steam generator include the main steam isolation valves (MSIVs).

During the event on June 9, 1985, main feedwater (MFW) flow was lost as a result of a trip of the MFW pump turbine No. 1 and spurious closure of both MSIVs resulting in loss of steam to the MFW pump turbine No. 2. The NRC investigation conducted after the event indicates that the operators believed that either a partial or full actuation of the SFRCS may have closed the MSIVs. However, the control room annunciator panels had not indicated that an SFRCS actuation occurred, and other equipment that normally would have responded to an SFRCS full trip did not actuate. A review of the computer alarm log after the event revealed that an SFRCS actuation channel No. 2 full trip on steam generator low level had occurred. The SFRCS actuation occurred immediately after a reactor trip and turbine trip on high reactor coolant system pressure. At the time of the SFRCS low-level actuation, the water level in both steam generators was above the SFRCS low-level trip setpoint. The licensee has performed an analysis to determine the root causes for the spurious SFRCS actuation and MSIV closures.


The SFRCS at Davis-Besse consists of two actuation channels. In general, actuation channel No. 1 provides output signals to actuate equipment associated with loop No. 1 (i.e., valves in lines associated with SG No. 1, AFWS train No. 1, etc.), and, similarly, actuation channel No. 2 actuates equipment associated with loop No. 2. Each actuation channel consists of two redundant logic channels, one of which is ac powered and the other dc powered. In order for the equipment to actuate, most SFRCS-actuated equipment requires both logic halves of its associated actuation channel to trip. This is referred to as a full trip. The trip of a single logic channel is referred to as a half trip. The MSIVs require full trips to isolate. However, unlike most SFRCS equipment, a trip of either actuation channel will close both MSIVs. The SFRCS uses a deenergize-to-actuate trip logic (i.e., a logic channel will trip on loss or failure of its power supply).

Eight Rosemount 1152 differential pressure (dP) transmitters are used to monitor steam generator level for the SFRCS. Each logic channel receives inputs from two SG level instrument channels, one channel associated with each SG. For a given logic channel to trip, either of its two associated instrument channels must sense that SG level is below the SFRCS low-level setpoint. Thus, both MSIVs will close on an SFRCS low-level trip by either actuation channel when each of its two logic channels senses low level in either SG.

The licensee's analysis to determine the root cause for the spurious SFRCS actuation and closure of the MSIVs included testing to determine SFRCS SG level instrument channel response times, actuated equipment response times, and actuation and reset times of the SFRCS trip alarms. The analysis also included visual inspections of SFRCS components, and tests to determine whether electrical interconnections or interference existed between redundant SFRCS logic circuits, or between the turbine trip circuits and the SFRCS. Tests were also performed to determine whether the SG level transmitters were in calibration. The results of this testing and an analysis of data available from the event on June 9, 1985, have led the licensee to the following hypothesis for the root cause of the spurious SFRCS actuation and MSIV closures. The licensee believes that pressure pulses in the main steamlines caused by rapid closure of the turbine stop valves (TSVs) induced oscillations in the SG level instrumentation that caused a momentary full trip of SFRCS actuation channel No. 2 on low level, and that the full trip remained long enough to initiate MSIV closure, but automatically reset before other SFRCS equipment could be actuated. The SFRCS does not include logic or actuation channel seal-in circuits that require manual reset to clear the protective action signals and restore the SFRCS to its normal (non-trip) condition.

The licensee has reviewed data available from Davis-Besse and from other nuclear plants to determine the effects of sudden TSV closure on SG level-sensing instrumentation. Data recorded during a preoperational turbine trip test from 75% of full-rated power at Davis-Besse show that oscillations occurred in the sensed/indicated SG level (by the startup range level transmitters that provide inputs to the SFRCS). The oscillations caused indicated levels to be 50 inches or more below the actual level immediately following turbine trip. The oscillations were of short duration, less than 200 milliseconds (msec), and the amplitude of the oscillations decreased significantly after several cycles. The licensee reviewed transient reports from three other nuclear plants that revealed oscillatory behavior in the level transmitter outputs following reactor/turbine trips, apparently caused by pressure oscillations in the main steamlines caused by TSV closure. Bailey BY dP level transmitters were installed during the Davis-Besse turbine trip test. During the fourth (1984) refueling outage, these transmitters were replaced with Rosemount 1152 transmitters. Because the Rosemount transmitters are considerably more responsive and sensitive than the Bailey transmitters, the licensee believes that the amplitude of the transmitter output oscillations would be greater than exhibited by the Bailey transmitters during the test. The licensee believes the oscillations in the Rosemount 1152 transmitter outputs, caused by steamline pressure oscillations from TSV closure on turbine trip, were the root cause for the spurious SFRCS actuation during the event on June 9, 1985.

A review of Figures 3.2 and 3.3 of NUREG-1154 which show SG level as a function of time during the event indicates that the transmitter output oscillations would have to be approximately 70 to 90 inches in amplitude, only slightly greater than the oscillations exhibited by the Bailey transmitters, to cause the spurious SFRCS low-level actuation. An analysis performed for the licensee by MPR Associates has estimated that the apparent level swing shown by the Rosemount 1152 transmitters following turbine trip from 100% power could be several times greater than that shown by the Bailey transmitters. This is caused by the increased sensitivity of the Rosemount transmitters and the change in the instrument sensing line hydraulic configuration associated with the installation of the Rosemount transmitters. It was estimated that the effects for the SFRCS actuation channel No. 2 would be more pronounced because of the level transmitter configuration. The licensee believes that the SFRCS full-trip control room annunciator point did actuate at the time of the trip, but that, because the trip was present for only a short duration and because the annunciator circuit does not seal in, the annunciator had returned to normal by the time the operators looked to see if an SFRCS trip had occurred. On the basis of a review of the licensee's analysis, the staff concurs with the licensee's determination of the root cause for the spurious SFRCS actuation.

The SFRCS equipment is actuated by several different types of components, including ac and dc motor-operated valve starters, solenoid valves for air-operated valves, and solenoid valves for pneumatic pilot valves that are used to initiate MSIV closure. The licensee has performed tests to determine the minimum time required for an SFRCS low-level trip signal to exist to cause the various types of SFRCS components to actuate. The test results show that the MSIVs have the fastest actuation times. MSIV closure will occur 7.5 msec following an SFRCS actuation signal. Air-operated valves have the second fastest actuation time at 12.9 msec. The dc motor starter actuated valves were slowest to actuate at 66 msec following an SFRCS trip. On the basis of these component actuation times, the licensee has concluded that the root cause for the closure of the MSIVs during the event on June 9, 1985, was pressure oscillations in the main steamlines caused by rapid TSV closure. This caused short-duration oscillations in the SG level instrumentation that, in turn, caused a momentary full trip of SFRCS actuation channel No. 2. The trip was of sufficient duration to close only the MSIVs. Because the SFRCS actuation signals do not seal in, the SFRCS low-level signal automatically reset (cleared) as the level oscillations decreased and before other SFRCS equipment could actuate. The staff concludes that the licensee's determination of the root cause for the MSIV closures during the event on June 9, 1985, appears to be valid.


The licensee has performed tests and analyses to determine the validity of other hypotheses for the spurious SFRCS actuation and MSIV closures. It was hypothesized that inadvertent interactions (cross-talk) between redundant SFRCS logic channels may have caused a partial actuation of the SFRCS and the resulting spurious closure of the MSIVs, and generated the computer alarms. The hypothesis has been discounted because one logic half of an SFRCS actuation channel is ac powered, the other half is dc powered, and the power supplies are electrically independent (shared power supply returns are not used). Additionally, the licensee has performed tests verifying that there is no interference or cross-channeling between the main turbine trip circuits powered from non-Class 1E supplies and the SFRCS circuits powered from separate Class 1E supplies. Another hypothesis proposed that circuit malfunctions/anomalies resulting from the changeover to the Rosemount transmitters during the 1984 refueling outage caused the spurious SFRCS/MSIV actuations. This hypothesis has also been discounted because the integrated SFRCS test performed following the modifications verified proper operation of both the system logic and the SFRCS functions associated with low level in either steam generator. It was also hypothesized that the MSIV closures were caused by failures within the MSIV circuits independent of the SFRCS. The licensee has discounted this hypothesis because testing performed on the MSIVs subsequent to the event verified proper operation of the MSIV closure circuitry, the MSIV solenoid valves, and the pneumatically operated pilot valves. On the basis of the preceding, the licensee has determined that oscillations in the SG level instrumentation are the most likely root cause for the spurious SFRCS/MSIV actuations.

The planned corrective action to be implemented by the licensee before restart is to filter the induced oscillations in the SG level instrumentation following a turbine trip to avoid spurious actuation of SFRCS equipment. The licensee has estimated the frequency of the pressure disturbance caused by TSV closure to be 1.25 Hertz (Hz). The licensee has determined that a filter having a band pass from 0 Hz to 0.1 Hz (i.e., the transmitters will not respond to oscillations with frequencies greater than 0.1 Hz) will provide the necessary filtering and still provide the system response necessary to meet the requirements of the Davis-Besse Technical Specifications. The licensee has stated that an adjustable filter exists on the amplifier boards in the SG level transmitters. A new filter setting will be established to accomplish the necessary signal attenuation (filtering), and the transmitters will be tested to ensure proper calibration and response time. This modification does not involve any SFRCS hardware or circuit modifications, and is considered sufficient to prevent spurious SFRCS/MSIV actuations caused by system-induced oscillations in the SG level instrumentation from TSV closure. The staff concludes that there is reasonable assurance that the licensee has successfully identified the root cause for the spurious SFRCS/MSIV actuations and has taken appropriate corrective action to prevent recurrence.
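The trade-off described above, between rejecting the 1.25 Hz disturbance and still responding to a real level decrease, can be checked numerically. The following is an added example, not part of the SER or the licensee's analysis; it assumes a first-order low-pass filter with its corner at 0.1 Hz (the report does not state the filter order), and the level values, setpoint, decay time and ramp rate are constructed for illustration.

```python
import math

# Values taken from the report.
F_DISTURBANCE_HZ = 1.25  # estimated frequency of the TSV-closure disturbance
F_CUTOFF_HZ = 0.1        # upper edge of the filter pass band

# Constructed values for illustration only (not plant data).
NORMAL_LEVEL = 40.0      # steady SG level, arbitrary units
LOW_SETPOINT = 30.0      # low-level trip setpoint, arbitrary units
DT = 0.01                # sample interval, seconds


def first_order_gain(f_hz, fc_hz):
    """Magnitude response of a first-order low-pass at frequency f_hz."""
    return 1.0 / math.sqrt(1.0 + (f_hz / fc_hz) ** 2)


def low_pass(samples, dt, fc_hz):
    """Discrete first-order low-pass, initialised at the first sample."""
    tau = 1.0 / (2.0 * math.pi * fc_hz)   # time constant for corner fc_hz
    alpha = dt / (tau + dt)
    y = samples[0]
    out = []
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out


def first_trip_time(samples, dt, setpoint):
    """Time of the first sample below the low-level setpoint, or None."""
    for i, s in enumerate(samples):
        if s < setpoint:
            return i * dt
    return None


def turbine_trip_transient(duration_s=10.0, amplitude=20.0, decay_s=2.0):
    """Constructed signal: level is steady, sensed value rings at 1.25 Hz."""
    n = int(duration_s / DT)
    w = 2.0 * math.pi * F_DISTURBANCE_HZ
    return [NORMAL_LEVEL
            + amplitude * math.exp(-(i * DT) / decay_s) * math.sin(w * i * DT)
            for i in range(n)]


def genuine_level_loss(duration_s=90.0, rate_per_s=1.0 / 3.0):
    """Constructed signal: level really falls at a steady rate."""
    n = int(duration_s / DT)
    return [NORMAL_LEVEL - rate_per_s * i * DT for i in range(n)]


def compare():
    """Trip times with and without the filter for both constructed signals."""
    osc = turbine_trip_transient()
    ramp = genuine_level_loss()
    return {
        "gain_at_disturbance": first_order_gain(F_DISTURBANCE_HZ, F_CUTOFF_HZ),
        "raw_spurious_trip_s": first_trip_time(osc, DT, LOW_SETPOINT),
        "filtered_spurious_trip_s": first_trip_time(
            low_pass(osc, DT, F_CUTOFF_HZ), DT, LOW_SETPOINT),
        "raw_real_trip_s": first_trip_time(ramp, DT, LOW_SETPOINT),
        "filtered_real_trip_s": first_trip_time(
            low_pass(ramp, DT, F_CUTOFF_HZ), DT, LOW_SETPOINT),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Under these assumptions the filter passes about 8% of the 1.25 Hz oscillation, so the ringing no longer crosses the setpoint, while a real level loss still trips after a delay of roughly one filter time constant. That delay is why the transmitters must be retested for response time after the filter setting is changed.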

Additional corrective actions to be taken by the licensee will be to develop surveillance procedures to periodically (quarterly) verify proper operation of the SFRCS logic channel power supplies, and provide a seal-in feature for the SFRCS full-trip control room annunciator point that requires the operator to acknowledge the full-trip condition to clear (reset) the annunciator.

Before and during power operation (Mode 1), the licensee will perform testing on the SG startup range level instrumentation supplying signals to the SFRCS to determine the magnitude and frequency of hydraulic and/or electronic noise as sensed by this instrumentation. This monitoring will remain in place until the adequacy of the corrective actions has been verified. The licensee is also performing tests, to be completed before resuming power operation (Mode 1), that will determine the effects of the increased sensitivity of the Rosemount transmitters used to monitor reactor coolant system (RCS) flow. These transmitters provide inputs to the reactor protection system, and are the only other Rosemount 1152 transmitters used to provide control or trip functions at Davis-Besse. The licensee has concluded that, with the possible exception of the RCS flow transmitters, there are no generic implications from the spurious SFRCS/MSIV actuations applicable to other systems at Davis-Besse. The short-duration oscillations that caused momentary actuation of the SFRCS should not cause similar responses in other systems because the SFRCS is the only safety-related system using the Rosemount transmitters in which operator action is not required to reset the trip condition. The staff agrees that the root causes for the spurious SFRCS/MSIV actuations do not appear to have generic implications for other systems at Davis-Besse.

On the basis of the results of the licensee's root-cause analysis, the staff has concluded that there is reasonable assurance that the licensee has successfully identified the root cause of the spurious SFRCS low-level actuation and spurious closure of the MSIVs that occurred during the event on June 9, 1985, and that the licensee has taken appropriate corrective actions to prevent its recurrence. The staff will evaluate the results of the tests discussed above to be performed by the licensee before and during power operation (Mode 1) when the tests have been completed.

3.2.1.4 Main Feedpump Turbine and Control Failure

Both main feedwater pumps (MFPs), including the steam-turbine drives, speed control systems, and overspeed trip mechanisms (OTMs) are identical.

The main feedwater pump turbine (MFPT) speed is controlled by an electronic-hydraulic control system consisting of the following subsystems:

(1) signal converter circuitry

(2) speed pickup feedback circuitry

(3) speed summation and valve lift reference circuitry

(4) operator/pilot valve position feedback and servo amplifier circuitry

The signal converter circuitry accepts a speed setpoint signal and produces a reference signal that corresponds to the demand feedwater flow requirement.

The speed pickup feedback circuitry provides the signal that corresponds to the speed of the MFPT. This signal is determined by automatic selection of one of two redundant signals. Each signal is generated by a pickup that monitors the passing of a toothed wheel mounted on the shaft of the MFPT.

The reference speed signal and the actual MFPT speed are summed and compared by the speed summation and valve lift reference circuitry. This circuitry produces a speed error signal and a valve lift reference signal. This reference signal is summed with the valve position feedback signals from the pilot valve and the operating cylinder by the operator/pilot valve position feedback and servo-amplifier circuitry that produces a valve position error signal. This error signal drives the servo valve to change the position of the pilot valve and operating cylinder. Thus, the steam admission valve opens or closes to develop a zero error signal and thereby maintains the turbine speed at its predetermined value.


The problem, as identified in the licensee's report, is the result of the failure of the frequency to voltage converter in the speed summation circuitry. This failure, which resulted in a fixed output of 0.0 volts, has been attributed by the licensee to a failed-open capacitor.

On the basis of its review of the licensee's findings report, the staff believes that the licensee has identified the root causes of the overspeed tripping of the MFPT. On the basis of the identified root causes, the staff believes that the licensee has proposed reasonable corrective actions.

3.2.1.5 Turbine Bypass Valve, SP-13A2, Actuator Failure

The turbine bypass valves are part of the turbine bypass system and are used to control the flow of steam entering the condenser from the bypass header. Their purpose is to minimize loss of condensate to the atmosphere by directing steam flow to the condenser. These valves themselves are not important to safety nor are they safety related in terms of fulfilling their function in the plant.

The safety-related or important-to-safety implications of this failure are as follows:

(1) The valve disk and stem were separated before the event for an unknown period of time. This indicates that planned maintenance and/or inspection was deficient. A waterhammer occurred in the piping upstream of the valve and, coupled with the impact from the loose disk on the valve stem, damaged the valve actuator. The valve was not operational before the event and the licensee's maintenance plan did not discover it.

(2) The common drain and isolation valve was closed, although it should have been open. This valve and its associated header serve the turbine bypass valves and are intended to drain condensate from the lines to help prevent a waterhammer event. The procedures have been revised to ensure that this valve is open during normal operation for proper drainage of the turbine bypass valve header.

(3) Steam traps are provided in the turbine bypass header lines from the steam generators for the purpose of draining condensate from the lines to minimize a potential waterhammer. One steam trap (on the turbine bypass header) was blocked with debris and thus was improperly maintained. This indicates that planned maintenance and/or inspection procedures were deficient for these items. Revised procedures and improved preventive maintenance should prevent recurrence.

(4) There are missing loose parts in the system. The potential effects on equipment or systems that are safety related or important to safety have been assessed by the licensee. It has been determined that there is no damage to safety-related equipment because the loose parts would either be retained in the sparger, through which the valves discharge, or would likely not be carried from the main condenser if the parts passed through the sparger.

(5) The cause of separation of the valve seat from the stem was the loss of a cotter pin locking device that allowed the connecting nut to back off. The licensee will modify preventive maintenance procedures by November 1986 to require more inspections during the next two refueling outages to ensure proper valve assembly. Subsequent inspection periods will be determined on the basis of results of these inspections.

3.2.1.6 Power-Operated Relief Valve Malfunction During the Event on June 9, 1985

During the event on June 9, 1985, the pressurizer power-operated relief valve (PORV) opened three times to relieve pressure. The third time the PORV opened, it did not reseat as it should have when power was removed from the actuating solenoid at the low pressure setpoint. By the time the operator closed the block valve, the pressure had dropped approximately 300 psi below this setpoint. When the block valve was subsequently reopened, the PORV was found to be closed.

The Davis-Besse PORV is a Crosby-style HPV-SN pilot-operated valve with a solenoid actuator. The solenoid moves to open the pilot valve when electrically energized and returns to close the pilot valve when electrical power is removed. The pilot valve, when open, provides a vent path to the main valve disk that is then opened by the inlet system pressure. The main valve disk should reseat when the pilot valve recloses to seal off this vent path.

The licensee conducted an investigation to determine the causes of the PORV failure. The PORV has been removed from the pressurizer, dismantled, and inspected. The PORV vendor, Crosby, also participated in the valve inspection and found several abnormalities:

(1) Three of eight inlet flange nuts were loose.

(2) The adjusting bolt locking nut in the pilot valve linkage was loose, and only a cotter pin was in place to operate the adjusting bolt.

(3) There was minor steam cutting on the pilot seat and disk.

(4) A brown substance, speculated by the licensee to be boric acid, was found on the valve body in the vicinity of the pilot valve.

(5) A sliver of metal from the bellows housing flexitallic gasket and a small gouge in the outside edge of the gasket surface were found.

Foreign material found in the pilot-sensing tube caused the pilot disk to leak during leak testing performed after the transient. The licensee indicates the material was a liquid lubricant and would not affect the ability of the valve to open and close.

The licensee has concluded that none of these abnormalities could have caused the failure on June 9, 1985. Several other possibilities for the failure have been hypothesized by the licensee, including

(1) differential thermal expansion between the main disk and the valve body caused by nonuniform heating upon actuation (Calculations by the licensee show that clearances are more than adequate to preclude this type of binding action.)

(2) other mechanical malfunctions, such as loose or misaligned internal parts

(3) broken solenoid coil linkage

(4) control system malfunction

The licensee has determined that none of these is a very likely cause, and has also determined that, more probably, foreign material lodged in the pilot disk and seat.

The staff agrees that this could have been a probable cause of failure, especially considering the long period of time during which foreign material could have collected since the PORV was last actuated; the licensee has not stroked the PORV since September 1, 1982. The valve is required to be stroked, according to the plant inservice testing (IST) program for pumps and valves, at each cold shutdown. Therefore, the licensee has not met the plant IST requirements for the PORV since September 1, 1982. The long period of time without actuation of the PORV may have contributed to the degradation of the valve operability and the lack of knowledge thereof.

Before the next restart, the licensee proposes to stroke the valve eight times at reduced pressure (nominally 700 psig) and three times at full pressure (nominally 2155 psig) during the plant restart to ensure that the valve is operable. Additionally, the licensee has proposed to stroke test the PORV at each cold shutdown to ensure its reliability during future plant operation.

The licensee's commitment to stroke test the PORV in accordance with the plant IST program requirements is acceptable to the staff. Furthermore, the staff finds the licensee's proposed startup stroke testing program to be acceptable for ensuring initial operability. Routine periodic testing during cold shutdown is likely to uncover problems with opening or closing the PORV. As required by Section XI of the ASME Boiler and Pressure Vessel Code, the PORV must be repaired and retested if the valve fails a test.

The licensee is also investigating whether an alternative PORV design would be more appropriate. This could involve a future plant modification should such a change be deemed necessary. Any PORV design that has not already been qualified by full-flow testing as required by NUREG-0737, Item II.D.1, must be so qualified. In addition, any changes to the plant PORV inlet and discharge piping configuration must also be analyzed as required by Item II.D.1.

Although the licensee has not been able to identify positively the cause of the PORV failure, the staff has concluded that the post-event evaluation was thorough. This evaluation identified a number of valve installation deficiencies, degradation mechanisms, and IST deviations that together offer clear evidence of at least a lax attitude before the event on the part of the licensee relative to PORV operability. The staff has concluded that the testing to be performed by the licensee, both during startup and inservice, complemented by the additional PORV investigative effort yet to be performed, should provide increased assurance of PORV operability for the Davis-Besse plant.

3.2.1.7 Motor-Operated Valve Operator Malfunctions

During the event of June 9, 1985, the failure of valves AF-599 and AF-608 to reopen when the control room operator reset the low steam generator pressure SFRCS trip complicated the operators' efforts to restore feedwater to the steam generator. Another valve, MS-106, also malfunctioned during the event. This valve apparently cycled from closed to open to closed in only about one-third the expected stroke time. Based on these failures, a comprehensive program was initiated to ensure that all MOVs important to safety will function at design-basis conditions if called on. This program includes a thorough reevaluation of each MOV's design and functional requirements and a testing program.

Valves AF-599 and AF-608 are normally open valves in the AFW discharge lines to each steam generator. Either of these valves is provided a close signal from a low pressure SFRCS trip of the associated steam generator. The valves, therefore, were required to close on demand against the differential pressure developed by the AFW system. However, because of the possibility of inadvertent closure of both valves (due to operator error as occurred during the event), the valves also should have been required to open against the maximum possible differential pressure. Valve MS-106 is required to open against high differential pressure to admit steam to a steam-driven AFW pump turbine.

The licensee has conducted an investigation to determine the causes of the failures of these valves and has concluded that all three failures resulted from improperly adjusted motor-operator torque switches and torque bypass switches.

The licensee has developed a comprehensive methodology to be used for adjusting the torque, torque bypass, and limit switches of these valves and other safety-related motor-operated valves. The program includes a total of 167 such valves.

The cornerstone of the licensee's program is the application of the motor operated valve assembly testing system (MOVATS). MOVATS is a signature-tracing technique which provides simultaneous measurements of valve stem thrust or torque, the timing and sequence of torque, bypass, and limit switch operation and the current to the valve operator motor. The licensee's program requires extensive inspection of the valves before testing and includes a check of the valve stem, wiring, equipment qualification, lubrication, and packing.

Another important aspect of the licensee's motor-operated valve program is the testing of a representative sample of valves under their most limiting conditions.

The staff has reviewed Revision 6 dated January 3, 1986, of the Davis-Besse Course of Action report, and the licensee's submittal of April 10, 1986, which is the response to a request from the staff for additional information, dated March 11, 1986. The staff finds that the corrective actions, when completed for all the nuclear safety-related motor-operated valves at Davis-Besse, are sufficient to preclude future failures similar to the failures experienced by valves AF-599, AF-608, and MS-106 on June 9, 1985.

It is important to recognize that analysis alone is not sufficient to ensure the operability of a motor-operated valve. Although the analysis-based procedure can provide some useful information with regard to torque switch adjustments, the valve should be tested under the most limiting conditions that it is expected to operate. If this cannot be done, then a test that confirms part of the operability of the valve should be performed. For example, stroking a valve under no-load conditions confirms that a proper operator-valve interface exists, that nothing is interfering with the travel of the valve disk, and that the valve is able to unseat. It does not ensure the valve will function under its fully loaded condition, but it does provide evidence that an appropriately designed valve should function under such conditions.

The purpose of MOVATS is to verify by test that the motor-operator torque and bypass switches are properly set. As improperly set switches were the root causes of the failures of the valves on June 9, 1985, the staff is assured that this failure mechanism has been addressed. During testing, the valve is stroked, generally under no-load conditions. Thus, the remaining concerns are whether the valve has been designed properly and whether valve degradation has occurred.

The Davis-Besse Nuclear Engineering Procedures NEP-091 and NEP-092 contain the methodology to ensure that the valve is properly designed to meet its present most limiting opening and closing requirement. To address whether valve degradation has taken place, a representative sample of valves under their most limiting conditions is to be tested. The licensee has grouped valves by type (gate or globe) and size (8 inches or less or greater than 8 inches). This grouping results in three categories. One category is globe valves 8 inches or less in diameter; another category is gate valves 8 inches or less in diameter; and another category is gate valves greater than 8 inches in diameter. The proportion of valves tested in each of these categories is 21%, 26%, and 21%, respectively. Of 110 valves, 26 are tested. There are 21 hydrostatic tests and 5 full-flow tests. Within each category, valves with the lowest ratios of torque available to torque required were selected for testing. When the tests are complete, the results will be indicative of the remaining safety related valves in the plant.

The staff concludes that the licensee has determined the root cause of the malfunctions of valves AF-599, AF-608, and MS-106 during the June 9, 1985, event at Davis-Besse. The licensee has proposed corrective actions to prevent similar failures from occurring again. The staff has reviewed the work and finds the licensee's corrective actions acceptable. When implemented, the corrective actions should be sufficient to ensure that nuclear safety-related motor-operated valves at Davis-Besse will perform their function as intended. The licensee shall confirm, before restart, that Davis-Besse procedures NEP-091 and NEP-092 are complete for all nuclear safety-related motor-operated valves.

3.2.1.8 Source Range Nuclear Instruments

Source range nuclear instrument channel NI-1 (also referred to as channel No. 2) was inoperable before and throughout the June 9, 1985, event. During the event, when the neutron level, as indicated by the intermediate range nuclear channels, fell to a predetermined level, the source range nuclear channels were activated. However, the redundant NI-2 (also referred to as channel No. 1) remained at less than 10^-1 count/sec rather than indicating about 10^5 counts/sec. This loss of both nuclear channels was an unnecessary problem that the reactor operator had to cope with because he was required to verify shutdown margin requirements, which included initiating emergency boration.

Problems with this instrumentation have been chronic; some problems have been present since the plant was first constructed.


On the basis of a review of the licensee's Findings and Corrective Action reports for NI-1 and NI-2, the staff listed the many anomalies that were discovered via the systematic troubleshooting plans for NI-1 and NI-2, respectively. These lists follow.

Troubleshooting Findings for NI-1 (Channel No. 2)

(1) Detector Assembly (3 Anomalies)

1.1 Triaxial Amphenol connector, which interfaces the integral mineral-insulated detector cable to the triaxial cable to/from the preamplifier, was improperly assembled.

1.2 Detector was not positioned at the core midplane.

1.3 Masonite spacers used to block area around detector signal cable in detector thimble plug were too short (i.e., 5 inches vs. 18 inches).

(2) Preamplifier Assembly (7 Anomalies)

2.1 Detector cable connector had its center pin pushed in approximately 1/4 inch and off center.

2.2 No grounding wire was connected to outer preamplifier box.

2.3 Bulkhead connectors on preamplifier inner and outer boxes had high-resistance connections to triaxial shields because connectors were mounted on painted surfaces.

2.4 None of the cable connectors at the preamplifier had O-rings installed.

2.5 Detector cable bushing on outer box had inadequate clearance from detector cable connector, causing a potential ground loop.

2.6 Detector and high voltage connectors appear to be nickel instead of silver.

2.7 Fiber shipping washers had been left in some bulkhead connectors, preventing proper meshing and tightening of connectors.

(3) Penetration Assembly (No Anomaly)

(4) RPS Instrument Cabinet (4 Anomalies)

4.1 Connection to station safety ground bus was loose.

4.2 Output connector for high voltage power supply had a crushed O-ring.

4.3 Fiber shipping washers had been left in some bulkhead connectors, preventing proper meshing and tightening of connectors.

4.4 "Blue Ribbon" connector on high voltage power supply was chipped and cracked.


(5) General (3 Anomalies)

5.1 Operation of instrument cabinet door switches (provide annunciator indication of open door) for RPS, safety features actuation system (SFAS), and SFRCS cabinets caused high-level spikes at input to count rate amplifier module.

5.2 Every Amphenol connector was tarnished; many Amphenol connectors contained metal flakes.

5.3 Operation of some SFAS-controlled motor-operated valves caused some spiking observable at the input of the rate-of-change amplifier module.

Troubleshooting Findings for NI-2 (Channel No. 1)

(1) Detector Assembly (1 Anomaly)

1.1 Leaking seal plate allowed rust to form at connection box at top of detector thimble.

(2) Preamplifier Assembly (9 Anomalies)

2.1 Low-voltage cable connector was loose on cable.

2.2 High-voltage bulkhead connector was extremely loose; O-ring was not installed.

2.3 High-voltage cable connector did not have O-ring installed.

2.4 Ground wire to outer box was not installed.

2.5 Connectors for high voltage and detector appear to be nickel instead of silver.

2.6 Bushings were not installed where cables enter outer box.

2.7 Bulkhead connectors on outer box for detector and high voltage were loose; i.e., mounting nuts only finger tight.

2.8 Printed circuit board was not mounted securely inside preamplifier box.

2.9 Shipping washers were left in some bulkhead connectors, which prevented adequate tightening of connectors.

(3) Penetration Assembly (4 Anomalies)

3.1 Resistance was substantially high for signal cable.

3.2 Signal cable connector was loose on cable.

3.3 Shipping washers were left in some bulkhead connectors, which prevented adequate tightening of connectors.


3.4 Intermittent losses of continuity for center conductor of signal cable.

(4) RPS Instrument Cabinet (3 Anomalies)

4.1 Coaxial connector to count rate amplifier was not locked.

4.2 High-voltage cable connector appears to be nickel instead of silver.

4.3 High-voltage cable connector did not have O-ring installed.

(5) General (3 Anomalies)

5.1 Cabinet door switches (for annunciator) for RPS, SFAS, and SFRCS cabinets caused high level spikes.

5.2 Every Amphenol connector was tarnished; many contained metal flakes.

5.3 Some SFAS-operated motor-operated valves caused spiking on input to start up rate (SUR) meter.

The number of anomalies for NI-1 and for NI-2 constitutes evidence of lack of proper maintenance of this nuclear safety-related equipment. Furthermore, many of the anomalies originated from installation errors during the construction of the plant and went uncorrected for 8 years of plant operation.

The many anomalies are clearly enough to have caused the malfunctions related to the event on June 9, 1985. The staff notes that the two lists share some general characteristics:

(1) A large number of the anomalies were related to the preamplifier assembly.

(2) A large number of the anomalies were related to triaxial connectors, both those mounted on the bulkhead and those mounted on cables.

(3) The NI-2 channel containment penetration, which is generally considered to be a relatively passive component, hence not as likely to fail as more active components, had serious anomalies (see item 3 of NI-2 list).

These characteristics suggest that components which are either difficult to get to or not very likely to fail cannot be neglected. Furthermore, the characteristics suggest a generalized problem with triaxial connectors. The staff notes that the licensee is addressing the generalized connector problem with improved procedures and training.

The licensee identified the following root causes for the failures of NI-1 and NI-2, respectively.

NI-1

high resistance connections in the bulkhead connectors on the preamplifier, caused by mounting the connectors on painted surfaces (item 2.3, NI-1 list)

improper assembly of the triaxial connector at the detector interface (item 1.1, NI-1 list)

NI-2

high-resistance and intermittent connections related to the containment penetration assembly (items 3.1 and 3.4, NI-2 list)

generally poor condition of connectors, caused by improper assembly, lack of proper cleaning, and poor maintenance (item 5.2, NI-2 list)

The staff views these items as the licensee's determination of the most significant of the anomalies discovered. In the staff's experience, a single factor is rarely the cause of problems in pulse-type nuclear instrumentation. Most often many factors contribute to the problem in varying degrees of severity.

Subsequent to those corrective actions that have been completed, the channels have been monitored continuously for substantial periods of time, evidencing no further instances of problems. For NI-1 this period was 6 weeks, for NI-2, 8 weeks. On the basis of its review and field observations subsequent to corrective actions, the staff concludes that there is reasonable assurance that most, if not all, significant contributors have been identified.

The licensee's Findings and Corrective Action report states that although most corrective actions will be completed before plant restart, certain corrective actions will be performed on conditions that are not major contributors to the problems; these actions are to be completed after plant restart. The staff has reviewed the specific basis provided for these deferrals. In view of the substantial periods of problem-free operation of the instrumentation channels, the staff finds acceptable the deferral of additional corrective actions.

The staff concludes that the systematic and thorough efforts to find and fix the trouble involving the source range nuclear instrumentation channels have revealed a substantial number of causes for the problems. The most significant causes appear to be improper installation of triaxial connectors on the preamplifier (for NI-1), intermittent high-resistance connections in a containment penetration assembly (for NI-2), and the generally poor condition of triaxial connectors. After reviewing the licensee's reports, the staff concludes that the significant contributors to the problems have now been identified and that the corrective actions have been effective in improving the performance of these instrumentation channels.

3.2.1.9 Main Steam Safety Valves and Atmospheric Vent Valves

During the Davis-Besse loss of feedwater transient of June 9, 1985, the main steam safety valves (MSSVs) and the atmospheric vent valves (AVVs) opened to relieve main steam pressure. The maximum allowable pressure was not exceeded; however, there were several anomalies which resulted in unusual pressure fluctuation owing to improper opening and closing of MSSVs and AVVs during the transient.

The AVVs (one per steam generator header) are air-operated, variable position-type, relief valves. Several times during the event one of the AVVs remained open too long or did not open to a full position when required. The licensee has determined that the AVV malfunctioned because of problems in the control system and not in the mechanical part of the valve. Therefore, with the repair of the control system, the AVVs should be in good working condition. The reliance of the operators upon the AVVs during this event, as in the past, to lower system pressure in order to reseat the MSSVs (during abnormal blowdown) emphasizes the importance of these valves, even though they are not "safety-related" equipment.

The MSSVs are Dresser type 3700 spring-actuated safety valves. All 18 MSSVs (9 per header) are believed to have opened during the event and some either did not open at the proper setpoint or remained open too long. There were also system pressure oscillations indicating MSSV chattering of the valve disks and seats. The licensee has postulated possible adverse vibratory interactions with the main steam piping in one steam header. A study has been performed by the licensee and modifications are being made before restart so that both piping trains are adequately supported. Dresser Industries, the MSSV vendor, also raised a question about the adequacy of the valve inlet pipe size and its capability to supply steam flow to the valve inlet without excessive loss of pressure. The diameter of the inlet piping is slightly less than the inlet flange diameter of the MSSVs. This is not in conformance with Dresser standard recommendations for installation of the MSSVs. Tests conducted by the National Board of Boiler and Pressure Vessel Inspectors have verified that the existing plant inlet configuration will not produce significant pressure losses. The licensee has committed to document the results of these tests within 90 days following the end of the current outage.

Because of concerns about the operability of the MSSVs and how they performed during the event, all 18 MSSVs (and 2 spares) have been tested at Wyle Laboratories. In addition to measuring pressure setpoint, the tests determined disk lift at full flow and the valve blowdown. Some valves were outside the 1% setpoint range and some test runs indicated blowdown as large as 19%. Many valves leaked excessively and most were disassembled, inspected for damage, and repaired. Upon disassembly, the licensee found several problems including worn or deformed guides, eroded seats, disk misalignment, gross leakage, and one bent stem.

After refurbishing, all the valves were again full flow tested. All valves exhibited setpoints within 1% tolerance, achieved rated lift, blowdown no greater than 5%, and no chattering.

The licensee has advised that all MSSVs have been fitted with lift stops to prevent disk collar and spindle damage. This is to address a Dresser Industries 10 CFR 21 notification.

The staff has reviewed the information made available concerning the in-plant performance of the MSSVs and the testing and corrective action taken to demonstrate MSSV operability. Although the licensee has not been able to identify positively the cause of the poor MSSV performance, the staff has concluded that the postevent evaluation has been thorough and several degradation mechanisms have been identified and remedied. Therefore, the MSSVs in their present condition are acceptable for the purpose of plant restart. However, the licensee has committed to submit a plan within 90 days following restart for inspecting the MSSVs at each refueling outage so that the type of degradation mechanisms recently found can be identified and expeditiously corrected should they recur.

3.2.1.10 Startup Feedwater Valve, SP-7A

The staff has reviewed the licensee's Findings and Corrective Actions report regarding the apparent failure of the startup feedwater valve, SP-7A, during the event on June 9, 1985. The licensee states that the results of the tests and analysis indicate that (1) the failed SFRCS channel No. 4 indication for SP-7A resulted from a random or normal end-of-service life indicating light bulb failure, and not from a system anomaly; (2) SP-7A was capable of providing a tight shutoff and responded in accordance with design during the June 9, 1985, transient; (3) the indicated flow through SP-7A resulted from out-of-calibration and ambient temperature effects on the flow transmitter; and (4) there were no significant findings regarding generic implications. The reports do not include the event data and test data cited and the detailed design information necessary to enable the staff to independently verify the specific step-by-step results of the analysis and test program. However, on the basis of its review of the methodology employed and on the reported results of the program, the staff concludes that there is reasonable assurance that the conclusions reached in regard to the root cause and generic implications of the indicated malfunctions of valve SP-7A and its controls are valid, and provide an acceptable basis for the corrective actions taken with respect to valve SP-7A and its controls.

3.2.1.11 Spurious Transfer of Auxiliary Feedwater Suction to Service Water

The staff has reviewed the Findings, Corrective Actions, and Generic Implications report concerning the spurious transfer of the auxiliary feedwater (AFW) pump No. 1 suction from the condensate storage tank to the service water system (SWS). The condensate storage tank is the non-safety-related primary source of water for the AFWS. When the AFWS is needed and either the condensate storage tank is not available or has been emptied by the AFWS, a safety-related transfer system transfers the suction from the condensate storage tank to the SWS. The SWS is the safety-related secondary source of water. The transfer is initiated upon a low suction pressure signal and is designed to transfer the suction to the alternate source of water without damaging the AFW pumps.

During the event on June 9, 1985, the suction for AFW pump No. 1 transferred to the SWS while there was ample water in the condensate storage tank. AFW pump No. 2 did not experience any transfer. The licensee indicated that the pressure drop across the suction strainers in conjunction with the piping losses and load changes on pump No. 1 resulted in the low suction pressure. Although the pressure drop across the strainers in the suction line of pump No. 2 and the effects of load changes would be similar to that experienced by pump No. 1, the piping losses would be less for pump No. 2 and thereby would not result in the transfer to the SWS. The licensee's proposed solution is to remove the strainers immediately ahead of each pump and to increase the mesh size of the strainer in the common suction line from the condensate storage tanks. In addition, the licensee has changed the low suction pressure setpoint to provide greater margin and added a 10-second time delay to provide greater margin and thereby reduce spurious transfers to the SWS resulting from rapid AFW pump speed changes. The licensee has stated that the manufacturer has indicated that the pumps can operate for several minutes with inadequate suction pressure without experiencing damage. Therefore, the addition of the 10-second transfer delay is acceptable.

In its SER dated February 21, 1984, concerning TMI Action Plan (TAP) Item II.E.1.1, the staff stated that the licensee met recommendation GS-4 by having an automatic transfer of the AFW suction to the alternate source of water and by having an automatic isolation of the AFW turbine steam inlet lines at a suction pressure of 1 psig. These two features provide protection of the pumps from cavitation. In response to the additional short-term recommendation No. 1, the licensee stated that the low-level alarm setpoint on the condensate storage tank corresponds to approximately 200,000 gallons of water in the tank, which is more than 1 hour's worth of water.

Because of the automatic transfer of the AFW pump No. 1 suction on June 9, 1985, it is not clear whether the required Technical Specification volume in the condensate storage tanks could actually have been pumped by the AFWS. The modified transfer setpoint should provide greater assurance that the entire condensate storage tank (CST) volume can be used. The licensee has proposed additional testing to verify the new transfer setpoint.

For the review of Item II.E.1.1, the staff considered the need to lock open single or multiple valves in series which could interrupt flow from the water source(s) to the pumps and from the pumps to the steam generators. The staff recommended removing the strainers. Strainers are usually installed during construction and used during system preoperational testing where there is the possibility of items entering the suction of the pumps. After preoperational testing, the strainers are usually removed. Clogging of strainers has caused two events of loss of all AFW in the precursor study. Therefore, the staff continues to recommend removal of the strainer in the common suction line, eliminating a possible common mode failure. This is discussed further in Section 3.3.1.2.

On the basis of this review, the staff believes that the licensee has identified the root causes of the spurious transfer of the AFW pump No. 1 to the SWS.

3.2.2 Thermal Transient Effects on Reactor Coolant System Components

After the reactor trip event on June 9, 1985, the reactor coolant hot- and cold-leg temperatures generally followed the normal post-trip pattern for about 6 minutes. At this time, the water levels in both steam generators began to fall from the normal post-trip levels because of the lack of any feedwater. Hot- and cold-leg temperatures began to increase from approximately 550°F, and within 12 minutes they reached 595°F. By that time, the feedwater had been restored and the reactor coolant began cooling again. The temperature had reached 545°F within the next 6 minutes. During the vessel cooldown, the peak pressure was approximately 2400 psi. After evaluating the transient, the licensee concluded that the transient did not impair the structural integrity of the reactor vessel. The staff has reviewed the analyses submitted by the licensee to confirm the licensee's conclusions.

During the transient, large differential temperatures were produced across certain components of the once-through steam generators (OTSGs) as a result of cold feedwater contacting the auxiliary feedwater nozzles, main feedwater nozzle, and tubes. The licensee has submitted analyses of the most highly stressed components of the OTSGs resulting from the transients to determine if any adverse effects may have been produced. The staff has reviewed the analyses to confirm the licensee's conclusions.

3.2.2.1 Reactor Vessel

The staff utilized the computer code VISA to evaluate the effect of this transient on reactor vessel integrity. This code, documented in NUREG/CR-3384, performs a fracture mechanics analysis which can be used to determine the crack size required to initiate a brittle fracture of the reactor vessel. The amount of neutron irradiation damage is dependent on the neutron fluence and chemical composition (percentage of copper and nickel) in the limiting beltline weld. The neutron fluence at the peak flux location and percentages of copper and nickel for the limiting beltline material in the Davis-Besse reactor vessel were determined from the material and neutron fluence data provided in B&W Report BAW-1543, Revision 2, "Integrated Reactor Vessel Material Surveillance Program," May 1985.

For this transient, the VISA code calculated that the crack required to initiate brittle fracture would have to be at least 3.75 inches deep. Volumetric inspection of the limiting weld in the Davis-Besse reactor vessel was last performed in 1975, before the plant was put in commercial operation, and no significant indications were reported. Since this inspection, the reactor vessel has operated for only 3.59 effective full power years. On the basis of the methods used to fabricate and inspect the beltline welds and the small amount of operating time at Davis-Besse, the staff considers it unlikely that a 3.75-inch-deep crack would be preexisting in the Davis-Besse beltline during this transient. Hence, initiation of a crack, which would cause brittle fracture, is unlikely. On the basis of this analysis, the staff concludes that this transient did not cause structural damage to the reactor vessel, which would preclude future operation of the facility.

3.2.2.2 Pressurized Thermal Shock

In accordance with 10 CFR 50.61, "Fracture Toughness Requirements for Protection Against Pressurized Thermal Shock (PTS) Events," the Davis-Besse reactor vessel was evaluated. 10 CFR 50.61 provides screening criteria to indicate that the risk from PTS events is acceptable when the calculated value of $RT_{PTS}$ is less than 270°F for longitudinal welds and less than 300°F for circumferential welds. The limiting weld in the Davis-Besse reactor vessel is the middle (beltline) circumferential weld. Hence, the $RT_{PTS}$ for this weld must be less than 300°F to satisfy the screening criteria. Additionally, a method for evaluating PTS events is contained in the staff's generic evaluation of PTS as documented in SECY 82-465.

In accordance with the prescribed methods of 10 CFR 50.61(b), the licensee has submitted the results of the required $RT_{PTS}$ calculations (reference licensee correspondence, Serial No. 1236, January 20, 1986). The licensee reported that the $RT_{PTS}$ at the inside surface of the limiting weld when the Davis-Besse transient occurred was 156°F. This calculated value of $RT_{PTS}$ is substantially less than the established screening criteria.

Figure D-9 in SECY 82-465 provides a generic evaluation of the effect of PTS transients on the critical values of $RT_{NDT}$, final water temperature, $T_f$, pressure, and the cooldown rate to cause crack initiation in a reactor vessel. The cooldown rate is expressed as p, the reciprocal time constant. For the Davis-Besse transient, the most rapid cooldown occurred during the first 5 minutes. This results in a p of approximately $0.04\ \text{min}^{-1}$. The staff's most current method of predicting the increase in $RT_{NDT}$ resulting from neutron irradiation damage is documented in proposed Regulatory Guide (RG) 1.99, Revision 2, "Radiation Damage to Reactor Vessel Materials." Using the method documented in RG 1.99 (Rev. 2), the $RT_{NDT}$ at the inside surface of the limiting weld when the Davis-Besse transient occurred was 168°F. Figure D-9 indicates for the transient that the final water temperature must be below the $RT_{NDT}$ for the weld metal to cause crack initiation. Because the $RT_{NDT}$ for the limiting weld is 168°F and the lowest water temperature during the transient was 545°F, the water temperature in the vessel would have had to drop an additional 377°F to cause crack initiation and to be a significant PTS event.

3.2.2.3 Once-Through Steam Generator

In the licensee's evaluation, the following components of the once-through steam generator (OTSG) were considered to be the most highly stressed during this event and were evaluated for the critical loads experienced during the transient as shown:

(1) auxiliary feedwater nozzle
(2) main feedwater nozzle
(3) auxiliary feedwater jet impingement on tubes
(4) axial compressive load in tubes resulting from shell to tube thermal mismatch
(5) thermal shock on the lower tubesheet

The stresses in the auxiliary feedwater (AFW) nozzle were reviewed because of the large temperature difference imposed on the nozzle by cold AFW. A review of this stress and fatigue analysis of the nozzle shows that the analyzed transient in the original design of these nozzles is more severe ($\Delta T$ between shell and AFW = 530°F) than the transient experienced on June 9, 1985 ($\Delta T$ = 501°F). The fatigue usage factor in the design analysis is based on 875 AFW initiations and is determined to be 0.55 (versus an allowable value of 1.0). This covers all specified design transients, but is, in fact, solely because of AFW initiation with the high stresses that result from the injection of cold AFW into the hot nozzle. The effect of the transient experienced on June 9, 1985, on the fatigue usage factor of the AFW nozzle is, therefore, considered to be acceptable.

The stresses in the main feedwater (MFW) nozzle were reviewed because of the large temperature difference imposed on the nozzle by shutdown feedwater activation. In the original stress report, a case was considered in which 90°F feedwater was injected into a nozzle at 535°F; therefore, $\Delta T$ = 445°F. The fatigue usage factor for the nozzle was 0.4, which is less than the allowable value of 1.0.

On the basis of data from the event on June 9, 1985, the shell temperature before MFW initiation conservatively is assumed to be 572.5°F; the nozzle temperature is assumed to be equal to the shell temperature. The feedwater temperature at initiation is 411°F. The $\Delta T$ for this case is then $\Delta T$ = 162°F.

Because the analyzed $\Delta T$ (445°F) is greater than the actual $\Delta T$ (162°F), it is concluded that the event on June 9, 1985, is bounded by the stress report. The effect of this transient on the fatigue usage factor of the MFW nozzle is negligible.

An evaluation of bolting stresses and fatigue on the auxiliary and main feedwater nozzle bolts submitted by the licensee indicates that the event on June 9, 1985, did not have significant effects on the fatigue life of the bolts that attach the nozzles to the steam generator shell.

The stresses resulting from impingement of cold AFW on hot OTSG tubes were reviewed because of the large $\Delta T$ involved. In the original design calculations, it was assumed that 40°F auxiliary feedwater impinges on a tube at 626°F. Using 29,400 cycles as a basis, a fatigue usage factor equal to 0.33 was calculated for AFW impingement alone. The combined usage factor for all transients was 0.39, which is well below the allowable value of 1.0.

During the event on June 9, 1985, the reactor coolant temperature before AFW initiation was 592.5°F. On the basis of thermocouple data, the AFW temperature was about 70°F. Therefore, $\Delta T$ = 522.5°F, which is less than the $\Delta T$ analyzed, and the event is bounded by the original design calculations.

A temperature difference between the tubes and the shell induces an axial load in the tubes because of the axial restraint imposed on the OTSG tubes by the two tubesheets. This load is tensile when the shell temperature is greater than the tube temperature and compressive when the tubes are hotter than the shell. A $\Delta P$ across the tubesheet and tubes also induces axial loads in the tubes. Both $\Delta T$ and $\Delta P$ must be considered when evaluating the final tube load.

Temperature data from the event of June 9, 1985, show that in this case, the tube temperature (assumed equal to the average reactor coolant temperature) is higher than the average shell temperature (based on thermocouple readings).

The shell and tube temperatures for the two generators were as follows:

| Component | SG 1 temperature | SG 2 temperature |
|-----------|------------------|------------------|
| Shell     | 533°F            | 521°F            |
| Tube      | 593°F            | 593.5°F          |

On the basis of these temperatures and the corresponding pressures, the compressive tube loads for SG 1 and SG 2 are 751 lb and 994 lb, respectively.

The effect of these loads on the natural frequencies of the tubes and lateral tube deflections has been determined to be acceptable on the basis of test data. A single occurrence of this load cycle during the transient has been shown to have a negligible effect on the fatigue usage factor of the tubes.

A review of the stress analysis of the tubesheet relative to the thermal shock from the transient indicates that the increase in the fatigue usage factor resulting from the transient will be negligible. The calculated fatigue usage factor in the original design of the tubesheet was determined to be 0.15, which indicates that a large margin was available. The temperature differential during the single stress cycle imposed during the transient resulted in a negligible increase in the fatigue usage factor for the tubesheet. It is, therefore, concluded that the structural integrity of the tubesheet remains unaffected by the transient of June 9, 1985.

On the basis of a review of the results of the stress analysis of OTSG components, the staff concludes that the structural integrity of the OTSGs was not impaired as a result of this event.

3.3 Improvement Programs and Plant Modifications

This section evaluates the facility improvements that have been undertaken following the event on June 9, 1985. Nearly all these improvements focus on improving the reliability of the AFWS and the steam and feedwater rupture control system that initiates the AFWS and controls isolation of a steam generator when required. Improving the reliability of these two systems increases the confidence that continued decay heat removal will be available.

One important facility modification undertaken by the licensee is the addition of a pump that, although not safety grade, can function as a 100% capacity AFW pump. This new addition, which is electric motor driven, provides diversity to the AFWS that has been totally dependent on steam for pump drive.

Improvements have been made in the control room to enhance the ability of the operators to perform their duties (that is, to improve the human factors design aspects), to the safety features actuation system to improve channel separation, and to the balance-of-plant to minimize the challenges to safety systems.

In addition to the program to improve the physical plant, the licensee also has a program under way to improve the Nuclear Mission's regulatory performance. This program has been in effect for several years and was undertaken at the request of NRC staff.

3.3.1 Evaluation of Plant Modifications

3.3.1.1 Steam and Feedwater Rupture Control System

The steam and feedwater rupture control system (SFRCS) is designed as an engineered safety features system to monitor plant parameters (steam generator water level and pressure, differential pressure between the steamline and main feedwater line for each steam generator, and the loss of all four reactor coolant pumps), and, under plant conditions indicative of a main steamline break, main feedwater line break, or loss of heat sink, to initiate appropriate actions to isolate a ruptured steam generator and initiate AFWS flow to the intact steam generator(s). Valves controlled by the SFRCS to isolate a ruptured steam generator include the main steam isolation valves (MSIVs), the MFW regulating and startup valves, and the AFWS containment isolation valves. The SFRCS also controls the AFWS steam admission and pump discharge valves.

The FSAR Chapter 15 analysis of a double-ended main steamline break upstream of an MSIV (Section 15.4.4.2.3) states that both steam generators will blow down, resulting in SFRCS isolation of the main steamlines and MFW and AFW lines to both steam generators. Following isolation, the intact steam generator will repressurize to above the low steam generator pressure SFRCS actuation setpoint of 600 psig, causing the associated AFWS containment isolation valve to reopen, allowing AFW flow to be initiated. A single failure of the AFWS containment isolation valve to reopen would prevent AFW flow to the intact steam generator, resulting in loss of the preferred method of decay heat removal from the primary system. The Incident Investigation Team concluded that neither the SFRCS nor the AFWS met the single-failure criterion for all design-basis accidents. The staff's preliminary review of the SFRCS design following the event on June 9, 1985, concluded that the SFRCS was unacceptable because it was not capable of performing its required safety functions (providing AFW flow to the intact steam generator) following a design-basis event and a single active failure. Furthermore, the staff raised concerns regarding the SFRCS's capability to cut off all sources of feedwater to both steam generators, requiring operator intervention and successful operation of several active components to reestablish core cooling.

The licensee formed a Decay Heat Removal Task Force, which evaluated and recommended improvements to the AFWS and SFRCS. These are discussed in Section II.C.2 of the Course of Action report. The licensee has performed a single-failure analysis of the SFRCS to ensure that, for each analyzed event, given any credible active single failure, AFW would be available to the intact steam generator. This analysis included (1) a review of SFRCS electrical schematic diagrams of all actuated components to verify that single failures could not affect both trains of SFRCS-actuated equipment and (2) a review of the Class 1E electrical power system to verify electrical independence between SFRCS trains.

The short-term recommendation proposed by the licensee for implementation before restart to resolve the staff's concern on complete isolation of feedwater to both steam generators is to modify the SFRCS logic to prevent isolation of AFW flow to both steam generators if steam generator low pressure conditions were to be sensed in each steam generator; only the first steam generator with a low pressure condition will be isolated.

Additional modifications to the SFRCS to be implemented before restart to improve system performance and reliability include

(1) modifying the SFRCS logic to prevent the unneeded isolation of the main steamlines and main feedwater lines when steam generator low-level conditions are sensed

(2) filtering the steam generator low-level and high-level SFRCS actuation signals to prevent spurious actuations caused by pressure transients (e.g., turbine stop valve or MSIV closures)

(3) providing a seal-in circuit and dedicated manual reset feature for the SFRCS full trip control room annunciator point which require the operator to perform a deliberate and separate action to clear (reset) the annunciator

(4) providing additional cooling capability for the cabinets housing the SFRCS electronic power supplies

For low pressure in one steam generator, the SFRCS will continue to isolate the associated main steamline, main feedwater line, and auxiliary feedwater line to that steam generator, and align AFWS flow to the other steam generator. However, with the modified SFRCS logic, if pressure in the second steam generator should fall below the trip setpoint value, AFWS flow will continue to be provided to the second steam generator. Upon isolation of the first steam generator, a signal is generated to block (prevent) isolation of the second steam generator. Therefore, only one steam generator may be isolated at a time by the SFRCS in response to steam generator low pressure conditions, ensuring that one steam generator is available for decay heat removal. The normally open AFWS containment isolation valve associated with the intact steam generator will remain open, thus resolving the staff's single-failure concern regarding failure of the valve to reopen following isolation. Because the remaining SFRCS initiation signals do not actuate the AFWS containment isolation valves (closure of these valves can only be initiated by an SFRCS low pressure trip), the staff concludes that the modifications discussed above are sufficient to resolve the concern identified in NUREG-1154 regarding SFRCS and AFWS compliance with the single-failure criterion with respect to opening an AFWS containment isolation valve to feed an intact steam generator.
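The effect of the logic change on the single-failure concern can be replayed in a small simulation. This is an added illustration, not the licensee's logic diagrams or the staff's analysis: it models only the AFWS containment isolation valves on a low-pressure trip, and the pressure samples, class names and function names are constructed assumptions.

```python
from dataclasses import dataclass

# Low steam generator pressure SFRCS actuation setpoint quoted in the report.
LOW_PRESSURE_SETPOINT_PSIG = 600
STEAM_GENERATORS = ("SG1", "SG2")


@dataclass
class AfwIsolationValve:
    """AFWS containment isolation valve for one steam generator (normally open)."""
    is_open: bool = True
    fails_to_reopen: bool = False  # injected single active failure

    def close(self):
        self.is_open = False

    def request_open(self):
        if not self.fails_to_reopen:
            self.is_open = True


def run_low_pressure_logic(trace, modified, failed_valve=None):
    """Replay pressure samples through the low-pressure isolation logic.

    modified=False: each steam generator is isolated while its pressure is below
    the setpoint, and its valve is asked to reopen on repressurization.
    modified=True: the first isolation blocks isolation of the other generator.
    Returns {steam generator: True if its AFW isolation valve ends open}.
    """
    valves = {sg: AfwIsolationValve(fails_to_reopen=(sg == failed_valve))
              for sg in STEAM_GENERATORS}
    isolated = set()
    for sample in trace:
        # Simultaneous low readings are resolved in channel order here; the
        # report does not say how the plant logic handles that case.
        for sg in STEAM_GENERATORS:
            low = sample[sg] < LOW_PRESSURE_SETPOINT_PSIG
            if low and sg not in isolated:
                blocked = modified and bool(isolated)
                if not blocked:
                    isolated.add(sg)
                    valves[sg].close()
            elif not low and sg in isolated and not modified:
                isolated.discard(sg)
                valves[sg].request_open()
    return {sg: valve.is_open for sg, valve in valves.items()}


def single_failure_sweep(trace, modified, intact_sg):
    """For no failure and each single valve failure: is AFW open to the intact SG?"""
    results = {}
    for failed in (None,) + STEAM_GENERATORS:
        state = run_low_pressure_logic(trace, modified, failed_valve=failed)
        results[failed] = state[intact_sg]
    return results


# Constructed pressure samples (psig), not plant data: SG1 is the ruptured
# generator; SG2 dips below the setpoint during blowdown, then repressurizes.
CONSTRUCTED_TRACE = [
    {"SG1": 900, "SG2": 900},
    {"SG1": 550, "SG2": 700},
    {"SG1": 200, "SG2": 580},
    {"SG1": 50, "SG2": 620},
    {"SG1": 0, "SG2": 850},
]

if __name__ == "__main__":
    for modified in (False, True):
        label = "modified" if modified else "original"
        print(label, single_failure_sweep(CONSTRUCTED_TRACE, modified, "SG2"))
```

With the original logic the sweep loses the AFW path to the intact generator when its own isolation valve fails to reopen; with the modified logic that valve is never closed, so the failure is never exercised.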

In addition to the SFRCS logic modifications, the licensee has performed a reanalysis of a main steamline break event upstream of an MSIV that shows that the pressure in the intact steam generator would remain above the 600 psig SFRCS low pressure initiation setpoint, as sensed at the SFRCS low pressure tap location just upstream of the associated MSIV. In addition to closing the MSIVs, an SFRCS steam generator low pressure signal will initiate closure of all turbine stop valves (TSVs). The licensee has stated that the TSVs are designed as safety-related isolation valves. The TSVs are designed to close within 1 second of an SFRCS low pressure trip, as compared with the MSIVs, which require approximately 6 seconds to close. The results of the analysis show that the pressure in the intact steam generator will remain above 730 psig, assuming the TSVs close. If a TSV fails to close, the analysis shows that pressure in the intact steam generator could fall as low as 580 psig, causing SFRCS low pressure isolation of the AFWS containment isolation valve.

The licensee claims that, for this case, the NUREG-1154 SFRCS single-failure concerns regarding failure of the AFWS containment isolation valve to reopen are not valid because failure of this valve would constitute a second failure, which is beyond the single-failure criterion. However, the FSAR Chapter 15 analysis of a double-ended steam line break which was used as the licensing basis for Davis-Besse does not take credit for TSV closure in response to a main steamline break. The licensee has stated that no common failure exists that could prevent a TSV from closing and also prevent the reopening of the AFWS containment isolation valve. The licensee has also stated that the effects of an open turbine bypass valve would be terminated by MSIV closure in the steamline associated with the intact steam generator. However, the Davis-Besse Technical Specifications currently require that the TSV closure time not exceed 6 seconds. Therefore, to be consistent with the above analysis and to ensure that any TSV degradation is detected, the licensee has committed to propose a license amendment to require that the TSV response time be no greater than 1 second. This will be completed within 90 days following restart.

On review of the remaining changes proposed for the SFRCS before plant restart, the staff has concluded that these changes will result in increased SFRCS reliability. The SFRCS logic modification to prevent main steamline and main feedwater line isolation on steam generator low level will permit continued main feedwater flow to the steam generators and decay heat removal via the main condenser. The licensee is performing confirmatory analyses to ensure compliance with accident analyses acceptance criteria for loss-of-feedwater and loss-of-offsite power events following this modification. The SFRCS main steamline and main feedwater line isolation circuitry on steam generator low level will be disabled if the results of the analyses verify that this modification is acceptable.

The proposed SFRCS modifications to provide filtering of the steam generator low-level actuation signals and to provide a seal-in feature for the SFRCS full-trip alarm are designed to prevent the undesirable conditions (i.e., spurious SFRCS actuation on steam generator low level and operator confusion regarding whether an SFRCS actuation has taken place) that occurred during the event on June 9, 1985. These modifications represent an overall improvement to the SFRCS and are acceptable. The proposed modification to provide additional cooling for the SFRCS electronic power supplies is designed to eliminate problems caused by overheating of the supplies and is acceptable.

On the basis of the results of the licensee's analyses and the short-term modifications to the SFRCS to resolve the single-failure concerns identified in NUREG-1154 with respect to reopening an AFWS containment isolation valve to feed an intact steam generator, the staff concludes that the design of the SFRCS is acceptable to allow plant restart. The staff also concludes that the short-term modifications to the SFRCS are sufficient to resolve staff concerns regarding SFRCS isolation of all sources of feedwater to both steam generators.

3.3.1.2 Auxiliary Feedwater System

The AFWS was reviewed in accordance with Section 10.4.9 of the Standard Review Plan (SRP), NUREG-0800. Although the SRP is directed toward the review of plants before they are licensed, it may also be used for operating plants, keeping in mind that deviations from the SRP do not necessarily constitute unacceptability. Deviations may be reviewed further on a case-by-case basis for operating plants. An audit review of each of the areas listed in the "Areas of Review" portion of the SRP section was performed according to the guidelines provided in the "Review Procedures" portion of the SRP section. Conformance with the acceptance criteria formed the basis for the evaluation with respect to the applicable regulations of 10 CFR 50.

The staff reviewed the AFWS against the acceptance criteria of SRP Section 10.4.9 as follows:

(1) General Design Criterion (GDC) 2, "Design Bases for Protection Against Natural Phenomena," as related to structures housing the system and the system itself being capable of withstanding the effects of earthquakes. Acceptability is based on meeting Position C.1 of RG 1.29 for safety-related portions and Position C.2 for non-safety-related portions.

(2) GDC 4, "Environmental and Missile Design Bases," with respect to structures housing the system and the system itself being capable of withstanding the effects of externally generated missiles and internally generated missiles, pipe whip, and jet impingement forces associated with pipe breaks. The basis for acceptance for this criterion is set forth in SRP Sections 3.5 and 3.6.

(3) GDC 19, "Control Room," as related to the design capability of system instrumentation and controls for prompt hot shutdown of the reactor and potential capability for subsequent cold shutdown. Acceptance is based on meeting Branch Technical Position (BTP) RSB 5-1 with regard to cold shutdown from the control room using only safety-related equipment.

(4) GDC 34, "Decay Heat Removal," and GDC 44, "Cooling Water," to ensure

(a) the capability to transfer heat loads from the reactor system to a heat sink under both normal operating and accident conditions

(b) redundancy of components so that, under accident conditions, the safety function can be performed assuming a single active component failure (this may be coincident with the loss of offsite power for certain events)

(c) the capability to isolate components, subsystems, or piping, if required, so that the system safety function will be maintained

In meeting these criteria, the recommendations of NUREG-0737, "Clarification of TMI Action Plan Requirements," shall also be met. An acceptable AFWS should have an unreliability in the range of $10^{-4}$ to $10^{-5}$ or less per demand based on an analysis using the methods and data in NUREG-0611.

(5) GDC 45, " Inspection of Cooling Water System," as related to design provi-sions made to permit periodic inservice inspection of systems, components, and equipment.

(6) GDC 46, " Testing of Cooling Water System," as related to design provisions made to permit appropriate functional testing of the system and components to ensure structural integrity and leaktightness, operability and perform-ance of active components, and capability of the integrated system to function as intended during normal, shutdown, and accident conditions.

The following evaluation discusses the implementation of these acceptance criteria and follows the order of the "Review Procedures" portion of SRP Section 10.4.9. This evaluation also incorporates the results of the staff's review of the licensee's response to Item II.E.1.1, "Auxiliary Feedwater System Reliability," of NUREG-0737 that includes

(1) an evaluation against the deterministic criteria of the SRP

(2) an evaluation against the generic recommendations of NUREG-0737

(3) an evaluation of system reliability based on the licensee's reliability study

Description of the AFWS

The AFWS is designed to supply an independent source of feedwater to the steam generators when the normal feedwater system is not available, to maintain the heat sink capabilities of the steam generators. The AFWS is an engineered safety feature system that is relied upon to aid in preventing core damage in the event of transients such as loss of normal feedwater, a steam system pipe rupture, or small-break loss-of-coolant accident. The system consists of two redundant safety-related essential trains, each with its own steam-turbine-driven pump, associated valves, piping, controls, and instrumentation. A non-safety-related motor-driven feedpump (MDFP), associated valves, piping, controls, and instrumentation are also able to provide flow equivalent to one AFW pump to either steam generator. Each AFW pump and the MDFP are capable of supplying water to either or both steam generators. Each AFW pump has a design flow of 1050 gpm (which includes 250 gpm minimum recirculation) at 1050 psig. One turbine-driven AFWS train is completely independent of ac power. Each of the AFW supply paths (including the MDFP) to the steam generator contains two check valves and a motor-operated isolation valve. The flowpath from the MDFP includes two check valves and a flow control valve. During normal plant operation, steam to the AFW pump turbines will be provided up to the steam admission valves, which are within approximately 10 feet of the turbines, via the cross-connect lines from the opposite steam generator. On initiation of the AFWS, the isolation valve in the steamline to its respective steam generator will be automatically opened.

Steam flow to the steam turbine is limited by a 2.5-inch-diameter orifice in each steamline. MDFP runout is prevented by presetting the motor-operated flow control valve on the discharge of the pump.

The primary sources of water for the AFWS are the two non-safety-related condensate storage tanks (CSTs). The two tanks are hydraulically connected by an interconnecting line with two manual, locked-open valves. The secondary source of water for the turbine-driven AFW pumps is the safety grade service water system (SWS) with an automatic switchover from the CST on low suction pressure at the pumps. The licensee has committed to provide a connection to the SWS for the MDFP before Cycle 6 operation. The transfer to the SWS for the MDFP will be performed manually from the control room.

GDC 2

The only interfaces between safety-related components and non-safety-related components for the two turbine-driven pump trains are the suction line from the CST and the injection from the MDFP to the AFW lines to the steam generators. In both cases, a seismic Category I check valve and motor-operated isolation valve are in the seismic Category I portion of the piping which provides adequate separation. The safety-related portion of the AFWS is located in the safety-related seismic Category I auxiliary building and inside containment.

The MDFP is not safety related and is located in the basement of the non-safety-related non-seismic Category I turbine building adjacent to the auxiliary building wall. The licensee has provided the results of an analysis of the turbine building for a 0.2 g earthquake using the guidelines of RGs 1.60 and 1.61. The results indicate that the turbine building will not collapse on any of the AFW pumps. The MDFP may be damaged from some falling debris, but the roof of the auxiliary building, which is inside the turbine building, is capable of withstanding the effects of falling debris. Because the MDFP is in the basement of the turbine building, it is protected from high winds, tornadoes (up to a windspeed of approximately 200 mph), most externally generated floods, and most trajectories for tornado generated missiles. The safety-related portions of the AFWS are protected from earthquakes, external floods, high winds, tornadoes, and most tornado generated missiles.

The suction line from the CST to the AFWS passes through the turbine building and, therefore, could fail as a result of a safe shutdown earthquake. The licensee has stated that the pump manufacturer had indicated that the AFW pumps could be operated for several minutes with inadequate suction pressure without sustaining damage. The loss of the suction line would result in low AFW pump suction pressure, which would cause automatic transfer of suction to the SWS following a 10-second delay. Because the transfer could be expected to occur in less than half a minute and several minutes would be required before the pumps are damaged, the unprotected suction line and the 10-second delay in automatic transfer to the SWS are acceptable.

On the basis of its review of the information submitted, the staff concludes that the requirements of GDC 2 and the guidelines of RG 1.29, Positions C.1 and C.2, concerning protection from natural phenomena and seismic qualification are satisfied.

GDC 4

The MDFP and safety-related portions of the AFWS are protected from most tornado generated missiles because they are in the basement of the turbine building and the seismic Category I auxiliary building and inside containment. The only areas that would permit tornado generated missiles to damage safety-related equipment are several small openings in the auxiliary building roof that are covered with louvered gratings. The licensee has provided the results of a probabilistic assessment that indicates that the probability of a tornado missile entering these openings is less than 10^-7 per year. Although not as well protected, the MDFP is surrounded by 12-inch-thick reinforced concrete walls on two sides, a 10-inch-thick turbine deck above, and the concrete turbine pedestal and turbine generator. These structures and objects limit the possible trajectories for tornado generated missiles.

Separate cubicles are provided for each AFW pump to prevent internally generated missiles from damaging more than one pump. The separate cubicle enclosures for the turbine-driven pumps protect each turbine-driven AFW pump from each other and the MDFP from potential missiles originating from the turbine-driven pumps. The MDFP is not protected from internally generated missiles that could be generated by a main feedwater pump or the booster pump.

The AFWS trains are not used during startup and shutdown; therefore, they are not designed as high-energy lines as prescribed in the criteria of SRP Sections 3.6.1 and 3.6.2, except for the steamlines to the turbines, which are maintained hot and pressurized up to within 10 feet of the turbines. The licensee has provided the results of a new high-energy-line-break analysis and has verified that no safety-related equipment will be adversely affected by pipe whip and jet impingement. New subcompartment environmental analyses were performed to determine the maximum temperatures and pressures developed as the result of a high-energy-line break. The methods used by the licensee and the results of the analysis are reasonable. The licensee has identified some instrumentation and equipment that are not qualified for this harsh environment and is required to replace all of the unqualified components with qualified components before restart. A pipe break in one turbine-driven AFW pump room will result in a harsh environment that will pass from the room through the openings in the roof. The licensee has performed an analysis that demonstrates that the effluent from one AFWS compartment will not adversely affect the environmental conditions in the second compartment.


On the basis of the above, the staff concludes that the requirements of GDC 2 and 44 and the guidelines of RG 1.29, Positions C.1 and C.2, concerning protection from natural phenomena, seismic qualification, and the ability to provide adequate cooling water are satisfied.

The staff concludes that the safety-related portions of the AFWS satisfy the requirements of GDC 4 regarding protection against missiles and pipe breaks.

GDC 19

The turbine-driven AFW pumps are initiated on low steam generator level, low steam generator pressure, loss of the four reactor coolant pumps, high steam generator level, and high steam generator to main feedwater differential pressure. Manual initiation is accomplished by simulating one of these conditions by operator action in the control room. The control and instrumentation for the turbine-driven AFW pumps are safety grade. The operation of the MDFP is from the control room with non-safety grade controls and instrumentation. The MDFP and associated equipment are normally aligned to receive power from one diesel generator. Operating this equipment with power from the other diesel generator requires some operator action from outside the control room. The licensee has committed to make the necessary modifications that would permit aligning all necessary MDFP associated equipment to either diesel generator from within the control room before Cycle 6. Therefore, the staff concludes that the AFWS provides adequate instrumentation and control for prompt initiation of a shutdown using safety-related equipment in accordance with the requirements of GDC 19 and the guidelines of BTP RSB 5-1.

GDC 34 and 44

Each AFW pump is designed to provide sufficient flow necessary for residual heat removal over the entire range of emergencies requiring AFWS function in accordance with the conservatisms assumed in the accident analysis. These emergencies include the following accident/transient conditions:

(1) loss of main feedwater

(2) loss of offsite power

(3) secondary system pipe rupture

(4) cooldown following steam generator tube rupture

(5) small-break loss-of-coolant accident

The safety-related portion of the AFWS functions automatically as required in the event of a loss of offsite power. The decay heat transfer path from the steam generators under this condition is to the atmosphere via the atmospheric vent valves. One of the turbine-driven AFW trains functions independently of any ac power and thus is not affected by a loss of all ac power. Power to the redundant turbine-driven AFW pump is provided by an emergency diesel generator. Power for the MDFP is normally provided by either of the two emergency diesel generators. Driving steam for the turbine-driven pumps is provided from either of the main steamlines upstream of the main steam isolation valves and is discharged to the atmosphere. Each steam-driven AFW pump is provided with an air-operated steam admission valve that opens on a signal to start the pumps. Any power or air failure will result in the valve failing open. A check valve is provided in each steam supply to prevent flow reversal. Each AFW pump discharge is provided with a normally open motor-operated isolation valve and two check valves in the feedlines to each steam generator. The discharge from each AFW pump also has a full-flow pump testing return line to the CST. Therefore, the staff concludes that the requirements of GDC 34 and 44 with respect to the ability of the AFWS to transfer decay heat from the reactor coolant system under a loss of offsite power are satisfied.

The AFWS is designed to accommodate a single failure in any active system component without loss of function. AFW can be supplied from three redundant trains, two 100% capacity turbine-driven trains, and one 100% capacity motor-driven train, each capable of supplying both steam generators. Each AFW pump is supplied by a common suction line from the CST through locked-open manual valves. The safety-related turbine-driven AFW pumps have an automatic transfer to the backup safety grade service water supply, the SWS. The licensee has committed to provide a manually initiated transfer system to the SWS for the MDFP before Cycle 6 operation. The licensee does not propose removing strainer S-257 in the common suction line to the turbine-driven AFW pumps. The staff believes that failure or clogging of the strainer could result in the loss of CST water to the safety grade AFWS. Therefore, its removal is recommended by the staff. The staff believes that removing the strainer would provide additional assurance for adequate feedwater to an intact steam generator in the event of a postulated design-basis accident concurrent with a single failure.

The licensee does not agree with this staff recommendation. On February 13, 1986, the licensee wrote to the NRC the following:

The mesh size of the strainer in the common suction lines has been increased, and the baskets in the two pump-specific suction lines have been removed.

The strainer in the common suction line remains to protect the pumps from large pieces of debris which could potentially damage both pumps.

The recent seismic event at the Davis-Besse site highlights the possibility of generating debris in the common suction line. In the event the suction strainer becomes clogged and restricts flow, a low suction pressure will be created and the pump suction will automatically transfer suction to the safety grade service water system. This would bypass the restricted strainer, thus avoiding a common mode system failure. Without this strainer, debris could affect both pumps which would not be correctable by the auto-transfer.

The staff has considered the licensee's basis for not removing the strainer.

There is no regulatory basis to require its removal; therefore, the staff will consider if appropriate backfit procedures will be applied.

Adequate isolation is provided for the AFWS from nonessential systems. Therefore, the staff concludes that the AFWS meets the requirements of GDC 34 and 44 with respect to single failure.

Adequate AFW flow is ensured to the steam generators in the event of the loss of offsite and emergency onsite ac power by relying on the safety-related turbine-driven pump train (AFP-1), which can perform its safety function independent of ac power for at least 2 hours. Loss of all ac power will not affect the positioning of motor-operated valves in the AFP-1 subsystem. Because Davis-Besse has a very short dryout time, potentially less than 5 minutes, a third source of the AFW flow is from the 100% capacity MDFP. This pump and its auxiliaries can be manually loaded onto either emergency onsite diesel generator and manually initiated. Therefore, the staff concludes that the AFWS meets the requirements of GDC 34 and 44 and the guidelines of BTP ASB 10-1 with regard to AFWS power diversity.

The licensee has described the design of the AFWS to prevent feeding a faulted steam generator and to maintain at least minimum flow to the intact steam generator. Normally one turbine-driven AFW pump is aligned to each steam generator. Upon identification of a faulted steam generator, the safety grade SFRCS isolates the faulted steam generator from its respective turbine-driven AFWS pump and realigns to the good steam generator. The MDFP does not have any automatic isolation but is protected from excessive pump runout by presetting the flow control valve to maintain a minimum discharge pressure on the pump. The AFW flow is not throttled to avoid the occurrence of waterhammer. The licensee has tested the safety grade portion of the AFWS to determine the potential for waterhammer. The results of the test indicated that no waterhammer had occurred. The addition of the MDFP does not alter significantly the AFWS piping configuration; therefore, no waterhammer is anticipated as a result of the installation of the MDFP. Thus, the staff concludes that the AFWS meets the requirements of GDC 34 and 44 with respect to its ability to transfer heat under accident conditions and provide isolation to ensure system function. The AFWS also meets the recommendations of NUREG-0737 concerning throttling for waterhammer prevention.

GDC 45

The AFWS components are located in areas that are accessible during normal plant operation to permit inservice inspection. A second operator is provided to independently verify the proper AFWS valve position following restoration to service of an AFWS train after testing or maintenance. Therefore, the staff concludes that the AFWS meets the requirements of GDC 45 regarding provisions for inservice inspection.

GDC 46

Provisions for AFWS testing and inspection are included in the design. Each AFW pump is equipped with a recirculation line to the CST for periodic functional testing. Local manual realignment of valves is required to accomplish this testing, and constant communication with the control room is provided. When one AFWS train is being tested, the other train is available for automatic operation. The MDFP is not automatically initiated. Periodic surveillance testing of the essential pumps and their associated flow trains is identified in the Technical Specifications. The licensee has committed to propose a Technical Specification for the MDFP similar to the existing Technical Specification for the turbine-driven AFW pump. The MDFP is not covered by the American Society of Mechanical Engineers (ASME) Code, Section XI, testing program, and, therefore, the MDFP Technical Specification should require verification of the pump flow rate at least once every 18 months. The licensee will submit a proposed Technical Specification for staff review within 60 days after restart. Therefore, the staff concludes that the AFWS meets the requirements of GDC 46 with respect to functional testing and surveillance.


The MDFP will use some of the electrical components that were previously used for the lower flow capacity startup feedwater pump (SUFP). The licensee has stated that the SUFP will be returned to operable status before Cycle 6 operation. During the refueling before Cycle 6 operation, the manual valves that isolate the high-energy line associated with the SUFP will be replaced with remote, manually operated valves which will be controlled from the control room. Therefore, the staff's evaluation of the SUFP, as discussed in its safety evaluation dated November 20, 1984, supporting Amendment No. 83 (January 8, 1985) is still applicable.

Additional Modifications

(1) Automatic Transfer of the AFW Suction to an Alternate Source

In its SER dated February 21, 1984, concerning the TMI Action Plan (TAP) Item II.E.1.1, the staff stated that the licensee met recommendation GS-4 by having an automatic transfer of the AFW suction to the alternate source of water and by having an automatic isolation of the AFW turbine steam inlet lines when the suction pressure drops to 1 psig. These two features protect the pumps from cavitation. In response to the additional short-term recommendation No. 1, the licensee stated that the low-level alarm setpoint on the condensate storage tank corresponds to approximately 200,000 gallons of water in the tank, which is more than 1 hour's supply of water.

Because of the spurious transfer of AFW pump No. 1 suction on June 9, 1985, it is not clear whether the required Technical Specification volume in the CSTs could actually have been pumped by the AFWS. The licensee has modified the transfer setpoint to provide greater assurance that the specified CST volume can be used. The licensee has proposed additional testing to verify the new transfer setpoint. Subject to acceptable test results, the staff finds this change acceptable.

(2) Replacement of Isolation Valves in Steamlines

Modifications to the steamlines to the AFW pump turbines include replacement of a manual isolation valve, which is located approximately 10 feet upstream of the turbine, with a normally closed, fail-open, air-operated flow control valve. With this new valve, the steam isolation valves in the cross-connect lines are to be left open to maintain most of the steamlines hot and pressurized.

(3) Other Concerns

A number of events have occurred in which hot water leaked into AFW systems and subsequently flashed to steam, thereby disabling the AFW pumps. IE Bulletin 85-01 informed operators of these events and requested that certain actions be taken to mitigate such occurrences.

Since all isolation valves in the discharge line from the MDFP to the steam generators will be left open, the staff requested that the licensee address the requirements of IE Bulletin 85-01 with respect to the MDFP.


The bulletin requested that the following actions be taken to mitigate occurrences of steam binding:

Develop procedures for monitoring fluid conditions within the AFWS on a regular basis during times when the system is required to be operable. This monitoring should ensure that fluid temperature at the AFW pump discharge is maintained at about ambient temperature.* Monitoring of fluid conditions, if used as the primary basis for precluding steam binding, is recommended on each shift.

Develop procedures for recognizing steam binding and for restoring the AFWS to operable status, should steam binding occur.

In response to the staff's concern, the licensee has committed to requiring monitoring the temperature of the MDFP discharge piping at least twice a day at approximately 12-hour intervals. An operator will monitor the piping, by touch, to ensure that the MDFP is near ambient temperature.

This monitoring will be required when the plant is in Mode 1 at greater than 38% of full-rated power (the condition at which the MDFP serves as a backup AFW pump).

In the event a steam or motor-driven AFW pump is identified as steam bound, the normally open pump discharge valve will be closed after which the steam will be vented, thereby allowing the pump casing and discharge piping to be filled with cool water from the condensate storage tank. The frequency of monitoring will be increased from twice a day to six times a day (every 4 hours) until specific corrective action has been taken once a pump has been identified as steam bound. A steam-bound pump will then be declared to be inoperable and a deviation report will be prepared accordingly.

System Procedure SP 1106.28 has been prepared for the motor-driven AFW pump. The procedure will be approved by the licensee and implemented, and training will be completed before plant restart from the current shutdown.

The staff has reviewed the licensee's proposed actions with respect to steam binding of the MDFP and finds that they are acceptable.

The suction valves to the CST will be placed in the open position and will have their power removed. Removing power from the valves is acceptable, but the licensee must confirm that all the valves also are locked in the open position or are otherwise protected from manual repositioning.

Several other miscellaneous changes were made such as cutting and capping the line from the deaerator, which previously had two locked-closed valves, and replacing one AFW pump turbine speed governor; these changes had been planned before June 9, 1985. The staff has reviewed these changes and has concluded that they have no adverse effect on the reliability or operability of the AFWS.

Although there have been no quantitative analyses to determine the improvement in the availability of the AFWS because of these changes, these changes, except for removal of the strainer in the common suction line, will tend to provide a more available AFWS and are, therefore, acceptable.

*This is not intended to require elaborate instrumentation. A simple means of monitoring temperature, such as touching the pipe, is a satisfactory approach.


3.3.1.3 Motor-Driven Pumps

On June 9, 1985, there were two full-capacity, steam, turbine-driven, AFW pumps and one low-capacity, non-safety-related, startup feedwater pump (SUFP) at Davis-Besse. The SUFP was designed to deliver feedwater flow at approximately 200 gpm to the main feedwater nozzles of the steam generators. This pump was powered from a 4160-V non-safety-related bus which can be powered, if necessary, from either diesel generator through manual action from the control room. The operation of the SUFP was previously reviewed by the staff (SER supporting Amendment No. 83, dated January 8, 1985) before startup following the fourth refueling outage. As a result of that review, certain license conditions were imposed on the licensee with respect to the use of the SUFP. One license condition required the licensee to install a new motor-driven feed pump before startup for Cycle 6. The licensee has installed a new, full-capacity non-safety-related motor-driven feedwater pump (MDFP) to meet this license condition.

The MDFP is manually started from the control room and will feed both steam generators. The MDFP is capable of being powered by either onsite emergency diesel generator, as was the SUFP. However, if diesel generator No. 2 is unavailable, transferring to the other generator requires operator action from outside the control room to transfer a vital lube oil pump to diesel generator No. 1. At restart and for the remainder of Cycle 5, the CST will be the only source of water available to the MDFP when it is operated as an AFW pump. When not in operational Modes 1, 2, and 3, the pump can be aligned to take suction from the deaerator and discharge into the feedwater system. The electrical switchgear that previously powered the SUFP is now used to power the MDFP. The licensee has indicated that the SUFP will be returned to an operable status at a later time; thus, the results of the staff's review of the SUFP are still applicable. The installation of the MDFP brings Davis-Besse into compliance with the power diversity requirement of BTP ASB 10-1 and is, therefore, acceptable.

In a letter dated February 13, 1986, the licensee stated that automatic initiation of the MDFP is not provided because of concerns with potential overcooling of the steam generators. The need for automatic initiation will be evaluated as part of the comprehensive AFWS reliability study to be submitted after restart. Also, the licensee has committed to provide a backup safety-related source of water for the MDFP by installing a connection to the seismic Category I service water system (SWS) before startup from the next refueling outage. However, in keeping with the non-safety-related design philosophy for the MDFP, utilization of the SWS source will be by manual action. No automatic transfer feature will be provided for the MDFP since the two safety-related AFW pumps would be available to supply water to the steam generators automatically should the CST be depleted. The staff finds the above commitments acceptable.


3.1.3.4 Safety Features Actuation System

Following an inadvertent safety features actuation system (SFAS) actuation at Davis-Besse on December 5, 1980, it was discovered that hardwired electrical connections exist between circuitry associated with redundant SFAS instrument and logic channels 1 and 3. Specifically, the power supply returns (floating commons) for the 115-V dc and +24-V dc supplies within the SFAS cabinets for channels 1 and 3 were electrically connected. Similar connections existed between SFAS channels 2 and 4. Although no specific concerns regarding the SFAS power supplies and the independence between redundant SFAS channels were identified by the Incident Investigation Team or the staff following the June 9, 1985, event, the licensee was asked to address the adequacy of other safety features in light of the single-failure concerns related to the SFRCS and the AFWS. The licensee has addressed the single-failure concerns of this system (SFAS) and the staff's evaluation of that issue is presented in Section 5 of this report. However, the licensee also decided to resolve the outstanding independence issue and to make necessary modifications during the current outage.

The Davis-Besse SFAS uses a 2/4 "deenergize-to-actuate" logic for the actuation of engineered safety features equipment. Each of four instrument/sensing channels (for each monitored SFAS parameter) provides inputs to each of four logic channels. Each logic channel provides an output when any two or more of its inputs are in a tripped condition. The outputs of logic channels 1 and 3 are combined to form SFAS actuation channel 1, which initiates SFAS equipment in train 1. Similarly, SFAS logic channels 2 and 4 are combined to form SFAS actuation channel 2, which initiates equipment in train 2. Both logic channels associated with an actuation channel must be tripped in order to cause an SFAS actuation. Before the SFAS actuation on December 5, 1980, a short circuit within a +15-V dc power supply associated with SFAS instrument channel 1 resulted in 120-V ac on the shared (floating) return between channels 1 and 3. This caused bistable setpoints within both channels to deviate from their normal values, in some cases exceeding Technical Specification limits. This condition existed for several days before the SFAS actuation.

Following the December 5, 1980, event, the staff's review of the interconnections between redundant SFAS channels raised the following concerns: (1) An electrical fault on a shared power supply return could potentially cause a spurious SFAS actuation and (2) an undetected fault (the shared power supply returns are not continuously monitored for fault conditions) coupled with a single failure within a channel unaffected by the fault could potentially prevent SFAS actuation when needed. The licensee instituted monthly surveillance testing to determine the presence of extraneous voltage on the SFAS commons. However, the staff did not consider this surveillance frequency sufficient to identify and correct fault conditions before adversely affecting components within redundant SFAS channels. The staff concluded that the Davis-Besse SFAS design does not comply with the requirements of Section 4.6 (Channel Independence) of IEEE Standard 279-1971.
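The two staff concerns can be checked against the 2/4 logic described above with a small model. This is an added illustration, not part of the NRC report or the licensee's design documents; the fault labels ("tripped", "blind") and function names are assumptions, and the shared-return fault is simplified to act only on the instrument-channel bistables.

```python
"""Toy model of the SFAS 2-out-of-4 voting described in the report (added example)."""

INSTRUMENTS = (1, 2, 3, 4)          # instrument/sensing channels
LOGIC = (1, 2, 3, 4)                # logic channels, each fed by all four instruments
ACTUATION = {1: (1, 3), 2: (2, 4)}  # actuation channel -> logic channels that must both trip


def evaluate(demand, instrument_faults=None, failed_logic=()):
    """Return {actuation_channel: actuated?} for one plant condition.

    demand            -- True when the monitored parameter really calls for actuation
    instrument_faults -- {channel: "tripped" | "blind"} (assumed fault labels):
                         "tripped" = bistable in the tripped (de-energized) state
                                     regardless of the process value
                         "blind"   = bistable cannot trip, e.g. setpoint drifted away
    failed_logic      -- logic channels that fail to produce an output
    """
    instrument_faults = instrument_faults or {}
    tripped = set()
    for ch in INSTRUMENTS:
        fault = instrument_faults.get(ch)
        if fault == "tripped" or (demand and fault != "blind"):
            tripped.add(ch)

    # Each logic channel outputs when two or more of its four inputs are tripped.
    logic_out = {
        lc: (lc not in failed_logic and len(tripped) >= 2) for lc in LOGIC
    }
    # An actuation channel needs BOTH of its logic channels.
    return {
        train: all(logic_out[lc] for lc in pair)
        for train, pair in ACTUATION.items()
    }


def defeating_single_failures(blinded):
    """List the single additional failures that leave NO train actuated on demand.

    `blinded` is the set of instrument channels already disabled by one
    undetected fault: {1, 3} for the shared floating return, {1} once the
    fault is confined to a single channel.
    """
    base = {ch: "blind" for ch in blinded}
    defeating = []
    for ch in INSTRUMENTS:
        if ch in blinded:
            continue
        result = evaluate(True, {**base, ch: "blind"})
        if not any(result.values()):
            defeating.append(("instrument", ch))
    for lc in LOGIC:
        result = evaluate(True, base, failed_logic=(lc,))
        if not any(result.values()):
            defeating.append(("logic", lc))
    return defeating


if __name__ == "__main__":
    # Concern (1): one fault on the shared return trips channels 1 and 3 together.
    print("shared return, no demand :", evaluate(False, {1: "tripped", 3: "tripped"}))
    # Same fault confined to one channel: a single trip is below the 2/4 threshold.
    print("single channel, no demand:", evaluate(False, {1: "tripped"}))
    # Concern (2): undetected fault plus one more failure, on a real demand.
    print("shared return  :", defeating_single_failures({1, 3}))
    print("single channel :", defeating_single_failures({1}))
```

In this model a logic-channel failure costs one train at most, while a blinded pair of instrument channels leaves the 2/4 vote dependent on both remaining channels.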

To resolve the staff's concerns regarding the common ties between redundant SFAS sensing and logic channels, the licensee proposed to permanently connect the floating commons to the instrument ground. The SFAS was functionally tested successfully in this configuration. With the floating commons connected to the instrument ground, the effects of power supply failures similar to that which occurred before the inadvertent SFAS actuation on December 5, 1980, would be limited to a single SFAS instrument or logic channel. The licensee, however, cautioned that grounding the commons could degrade system reliability and that ground faults or stray voltages occurring subsequent to grounding could damage an instrument channel. The licensee concluded that this configuration would result in a greater potential for SFAS damage and is considered highly undesirable.

On reviewing the licensee's proposal to ground the floating commons, the staff concluded that although permanent grounding of the shared floating commons may resolve SFAS channel independence concerns, additional information supporting SFAS connections to the instrument ground system was required because the Davis-Besse plant has had a history of problems regarding the instrument ground system and its relationship to the station ground system. The specific concern was that inadvertent ties exist between these systems at other than the designed common tiepoint. Given an electrical fault, loop fault current could produce an induced voltage in systems connected to the instrument ground, possibly affecting system operability. The licensee submitted an analysis which demonstrated that safety systems would perform as intended given the worst-case station electrical fault condition with the inadvertent ties present between the instrument and station ground systems. The staff concluded that the installed instrument-station ground system was acceptable based on the understanding that there were no inadvertent ties between the SFAS instrument ground (i.e., the floating returns) and the station ground, and therefore, that faults could not be postulated that would adversely affect the engineered safety features of the facility. The staff requested that the licensee provide additional information demonstrating that connecting the floating power supply returns (SFAS instrument grounds) to the instrument ground system was an acceptable approach to resolving the SFAS channel separation concern, and that the operability of the SFAS will be assured following such a modification.

The licensee has considered several alternate methods to resolve the issue. Options considered by the licensee included (1) continuous monitoring of the 15-V dc and +24-V dc SFAS power supply commons for electrical fault conditions, (2) connecting the power supply commons to the instrument ground system as discussed above, (3) physically removing all interconnections between redundant SFAS channels, thus separating the power supply returns, and (4) separating the sensor/instrument channel power supplies from the logic/actuation power supplies, and removing the connections between redundant instrument channel power supplies.

The licensee has decided to implement option 4.

The Davis-Besse SFAS design uses 115-V dc and +24-V dc power supplies. The V dc supplies provide power to sensor/instrument channel components only. The +24-V dc supplies provide power to logic/actuation channel components only. The +15-V dc supplies provide power to both the instrument and logic portions of the SFAS. The SFAS dc power supply design uses a floating ground system, i.e., the power supply returns (commons) are isolated from the SFAS cabinet structure which is connected to the instrument-station ground system. The floating returns for SFAS instrument channel 1, logic channel 1, instrument channel 3, and logic channel 3 are electrically connected (hardwired). Similar connections exist between SFAS channels 2 and 4. These connections between redundant SFAS channels led to the channel independence and single-failure concerns identified by the staff. The floating return configuration had been selected to reduce the number of contacts (and thus the amount of field run wiring) from SFAS relays and control switches needed to actuate SFAS equipment, and to reduce the potential for degradation of SFAS performance given a fault voltage existing between the SFAS dc common and the SFAS cabinet structure.

To provide electrical independence between redundant SFAS instrument channels, four new +15-V dc supplies will be used to provide power to instrument channel components. New power supplies will be added to SFAS cabinets 2 and 4, and existing spare +15-V dc supplies will be used in SFAS cabinets 1 and 3 (these spare supplies were originally provided for automatic test circuitry which is no longer used). These supplies will provide power to instrument channel components only. The existing SFAS +15-V dc supplies that were previously used for both instrument and logic channel components will now be used to provide power to SFAS logic/actuation channel components only. The four instrument channel +15-V dc supplies will be electrically independent from each other, and each supply will be electrically separated from its corresponding +15-V dc logic channel power supply. Thus, each SFAS instrument channel will have its own dedicated +15-V dc and V dc power supplies. These supplies will share the same floating ground (designated as the "sensor common"). The sensor commons of redundant SFAS instrument channels are not connected, thus maintaining channel independence. Each SFAS logic/actuation channel will have its own dedicated +15-V dc and +24-V dc power supplies which share a separate floating ground (designated as the "logic common"). The sensor common and logic common within each SFAS cabinet are not connected, thus maintaining electrical separation between the sensor and logic portions of the SFAS. All connections which previously tied the sensor and logic commons together and tied redundant instrument channel supply commons together have been eliminated.

The above modifications can be accomplished by circuit modifications within the four SFAS cabinets. The electrical separation of redundant sensor commons will ensure that the effects of SFAS power supply failures similar to that which occurred before the inadvertent actuation on December 5, 1980, will be limited to a single SFAS instrument channel (i.e., multiple/redundant channels will not be affected). In addition, since the floating power supply return configuration has been retained, the above modifications will not make the SFAS more vulnerable to spurious trips or equipment damage from electrical faults, and connections between the SFAS and the instrument-station ground system have been avoided.

Following the SFAS modifications, the logic commons for SFAS logic/actuation channels 1 and 3 will remain electrically connected as will the logic commons for channels 2 and 4. SFAS logic channels 1 and 3 are combined to actuate SFAS equipment in train 1 (powered from division 1). Both channels 1 and 3 must trip to cause actuation. SFAS logic channels 2 and 4 operate in a similar fashion to actuate equipment in train 2 (powered from division 2). Because the logic/actuation channels associated with a given train of SFAS equipment are not electrically independent, an electrical fault condition associated with a shared logic common could disable both logic/actuation channels and, therefore, disable the safety function of one train of SFAS equipment. However, this situation is not considered more limiting than other failure modes such as loss of divisional power, when SFAS equipment in the redundant train is relied on to accomplish required safety functions. Furthermore, since the two logic/actuation channels associated with a given SFAS train are arranged in a 2/2 (logical "AND") configuration, a single failure of either logic/actuation channel will preclude the SFAS safety functions of a single train. However, four electrically independent logic/actuation channels are not required to comply with NRC regulations. A four-channel design in which dependent logic channels are combined to form two electrically independent actuation channels, such as the Davis-Besse design, is acceptable if properly implemented. Therefore, the electrical connections between redundant logic commons are considered acceptable provided that adequate isolation exists between the sensor and logic portions of each SFAS channel (so that faults within the logic portion cannot affect instrument/sensor channel performance), and that faults within the logic portion of the SFAS are detectable.
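The voting arrangement and the staff's two channel-independence concerns can be checked by enumeration. The following Python model is an added example, not part of the SER or the licensee's analysis; it assumes (worst case) that every bistable on a faulted return either cannot trip or trips spuriously, and all function and variable names are illustrative.

```python
"""Single-failure model of the SFAS 2/4 voting logic (added example)."""

CHANNELS = (1, 2, 3, 4)
# Actuation channel (train) -> the two logic channels combined 2/2 ("AND").
TRAINS = {1: (1, 3), 2: (2, 4)}

# Instrument channels that a single power-supply-return fault can reach.
ORIGINAL_COMMONS = [{1, 3}, {2, 4}]      # shared floating returns
MODIFIED_COMMONS = [{1}, {2}, {3}, {4}]  # dedicated sensor commons (option 4)


def trains_actuated(demand, failed_sensors=(), spurious_sensors=(),
                    failed_logic=()):
    """Return the set of trains that actuate.

    ASSUMPTIONS (not from the SER): a failed sensor channel never trips,
    a spurious one always trips, a failed logic channel gives no output.
    """
    # Each bistable sends an isolated output to all four logic channels,
    # so every logic channel sees the same four inputs.
    bistables = {
        ch: (demand and ch not in failed_sensors) or ch in spurious_sensors
        for ch in CHANNELS
    }
    two_of_four = sum(bistables.values()) >= 2
    logic = {ch: two_of_four and ch not in failed_logic for ch in CHANNELS}
    return {t for t, (a, b) in TRAINS.items() if logic[a] and logic[b]}


def blocked_actuations(commons):
    """Concern (2): a return fault plus one further sensor failure in an
    unaffected channel. Lists the combinations where no train actuates."""
    blocked = []
    for group in commons:
        for extra in CHANNELS:
            if extra in group:
                continue
            if not trains_actuated(True, failed_sensors=group | {extra}):
                blocked.append((sorted(group), extra))
    return blocked


def spurious_actuations(commons):
    """Concern (1): return faults that actuate a train with no demand."""
    return [sorted(g) for g in commons
            if trains_actuated(False, spurious_sensors=g)]


if __name__ == "__main__":
    for name, commons in (("original", ORIGINAL_COMMONS),
                          ("modified", MODIFIED_COMMONS)):
        print(name, "blocked:", blocked_actuations(commons))
        print(name, "spurious:", spurious_actuations(commons))
    # Logic commons 1 and 3 stay tied after the modification: a fault there
    # costs train 1 only, the same outcome as losing either logic channel.
    print("logic common 1/3 fault:",
          trains_actuated(True, failed_logic={1, 3}))
```

With shared returns, one fault leaves two good sensor channels, so any further sensor failure drops the count below the 2/4 coincidence; with dedicated sensor commons three channels remain and one more failure is tolerated.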


Two types of interfaces occur between the instrument/sensor portions and the logic/actuation portions of the Davis-Besse SFAS. The first and most frequently used interface occurs at the bistable module outputs. Each bistable for each SFAS monitored parameter (containment radiation, containment pressure, reactor coolant pressure, and borated water storage tank level) provides four isolated outputs, one output to each SFAS logic channel. Thus, even the output signal to the associated logic channel is isolated. Isolation is provided by optical-electronic devices housed in the bistable modules used to generate block permissives that allow manual bypass of the reactor coolant low pressure trip functions. Here, relay coil-to-contact isolation is used between the logic channel (+24-V dc relay side) and the instrument channel (+15-V dc contact side). The staff concludes that the isolation provided between the sensor channels and logic channels is acceptable to maintain sensor channel independence. All other instrument channel circuits (e.g., indicators, annunciator outputs, computer outputs, etc.) are isolated using relay coil-to-coil contact isolation or current-to-current converters. The licensee has stated that the physical separation between redundant SFAS sensor and actuation channels, reviewed and approved during plant licensing, has not been compromised as a result of the SFAS modifications discussed above.

The licensee has proposed testing following implementation of the modifications to demonstrate that instrument/sensor channel portions of the SFAS have been effectively isolated from the logic/actuation portions of the SFAS. Specifically, the resistance between the sensor common and the logic common for each SFAS channel will be measured to verify electrical separation. In addition, the resistance between the sensor common and the SFAS cabinet structure, and the logic common and the SFAS cabinet structure for each SFAS cabinet will be measured to verify isolation of the SFAS from the instrument-station ground system. The acceptance criteria for these tests will be a resistance of greater than 10 megohms. The staff concludes that these tests and the acceptance criteria are acceptable to demonstrate adequate isolation. However, the staff requests that a similar resistance test be performed between redundant SFAS sensor commons to verify that all connections between redundant sensor channels have been eliminated. If the only connections between redundant SFAS sensor channels in the original design were due to the shared dc commons by sensor and logic channels and the subsequent sharing of logic commons in the actuation circuits for SFAS equipment, then this test will reaffirm the effectiveness of the modifications to provide isolation between sensor channels. The results of these tests should be submitted for staff review. The licensee has committed to perform the routine monthly SFAS surveillance tests following the modifications to verify the functional performance of SFAS sensor and logic circuits.

Surveillance test procedure ST 5031.03, "Containment Pressure to SFAS Calibration," requires monthly testing for ac voltage potential between each SFAS logic common and the station ground. This test is used to detect power supply or other failures similar to that which occurred before the inadvertent SFAS actuation on December 5, 1980. Following the SFAS modifications, this testing will continue, and will be extended to include the SFAS sensor commons, testing monthly for ac voltage potential between each SFAS sensor common and the station ground.

The monthly testing of the SFAS logic commons is necessary because an electrical fault on one of the floating logic commons may not be easily or quickly detected. The staff considers that the monthly surveillance frequency is the minimum acceptable for detecting faults that may have occurred, and for taking appropriate corrective actions to ensure that the SFAS is not degraded below an acceptable level.

Based on the review of information provided by the licensee by letter dated December 16, 1985, and an audit review of the field change procedure, including revised electrical schematic/elementary diagrams of the SFAS, the staff concludes that the modifications proposed by the licensee are sufficient to resolve staff concerns regarding independence between redundant SFAS instrument channels and to bring the Davis-Besse SFAS design into conformance with Section 4.6 (Channel Independence) of IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations." Therefore, the staff concludes that the proposed modifications to the Davis-Besse SFAS are acceptable pending successful completion of the post-modification tests. The acceptability of the modifications is based in part on continued monthly testing of the SFAS instrument and logic commons to detect degraded voltage conditions.

3.3.2 Ongoing Improvement Programs

Item IIIc of the staff's letter dated August 14, 1985, requested reexamination of the adequacy of the implementation of the Performance Enhancement Program (PEP) and any other ongoing corrective action program.

The licensee reexamined incomplete commitments of the PEP and Systematic Assessment of Licensee Performance (SALP) response for implementation adequacy. The results of that review were presented in the licensee's Course of Action report.

The Course of Action report divided incomplete commitments into three categories. Category 1 includes actions that will receive high management priority for accelerated implementation. Category 2 includes actions near completion that are not high priority items but that will be completed as scheduled in the Course of Action report. Category 3 includes actions to be accomplished in the normal course of business.

Performance Enhancement Program

In the autumn of 1983, the NRC staff asked the licensee to initiate a regulatory improvement program because of declining licensee performance. The program was to determine areas where corrective actions were warranted, establish the required corrective actions, and implement those actions. The licensee agreed to develop such a program which it named the Performance Enhancement Program (PEP).

Initial efforts focused on identifying the areas to be reviewed, selecting the conceptual methodology for conducting the reviews and establishing corrective actions, and establishing an organization to implement PEP. Sixteen areas were selected for review:

(1) personnel policies and staffing
(2) mission staffing capabilities
(3) management oversight
(4) safety management
(5) station operations
(6) maintenance
(7) training
(8) quality assurance
(9) licensing
(10) engineering
(11) configuration management
(12) integrated living schedule plan
(13) fire protection
(14) productivity and quality of work
(15) security
(16) records management

The review process selected was the Kepner-Tregoe (K-T) method that uses a number of steps to arrive at a corrective action. Those steps are situation appraisal (SA), problem analysis (PA), decision analysis (DA), and potential problem analysis (PPA). SA is used to recognize, separate, and prioritize concerns. PA diagnoses the concern and develops possible causes for it. DA determines the best balanced corrective action to deal with the cause of the concern. PPA analyzes the potential problems associated with the corrective action to determine the appropriate response to those problems.

The PEP organization encompassed a steering group responsible for making major decisions regarding the design and scheduling for PEP activities, an administrator, 16 action planning teams (APTs), and a consultant group. The APTs were responsible for performing a K-T analysis on concerns in their designated area and developing an action plan to resolve the concerns.

In December 1983, the licensee informed the staff of the areas requiring corrective action under the PEP. The staff asked the licensee to identify and/or establish interim corrective measures where appropriate until final corrective action under the PEP could be implemented. The licensee determined that 95 interim corrective actions were ongoing or completed and identified 40 additional actions. Generally, these interim actions were completed or integrated into the final PEP.

The PEP was divided into three phases. Phase 1 involved training the APTs on the K-T method and the performance of SA and PA on the areas of concern. Phase 2 included evaluation of probable causes identified from PA and providing action plans through DA/PPA. Phase 3 was to include integration of interim PEP items into the PEP, establishment of implementation plans from the action plans phase, and resolution of any outstanding issues from Phases 1 or 2.

In Phase 1, which began in March 1984, 121 PAs were completed and 336 specific concerns were identified for further evaluation. These specific concerns were then categorized into the following six groups in Phase 2:

(1) management leadership
(2) human resources development
(3) information/decision support systems
(4) safety/licensing management
(5) station performance
(6) technical support systems

The 16 APTs were condensed into six action planning groups (APGs) to accommodate the new concern categories. DA/PPA was performed and approximately 45 action plans were generated by the completion of Phase 2 by July 13, 1984.

Phase 3 began in late July 1984 and was to be complete with the implementation of the approved action plans. At the beginning of Phase 3, steering group review of the action plans began and DA/PPA continued on any remaining concerns. Eventually, 54 action plans were approved by the steering group and some type of implementation plan was issued. As of July 1985, 9 action plans had been completed.

The staff considers the process used to identify items of concern to be a logical and acceptable method. The K-T methodology was followed and is adequate. Action plan generation appears to be specifically directed at correcting root causes. However, generation and implementation of some of the implementation plans was not timely. The original scope of some of the action plans was not maintained in the implementation plans.

The most recent systematic assessment of licensee performance (SALP) report (December 6, 1984) identified significant deficiencies in the licensee's performance during the assessment period from April 1, 1983, to August 31, 1984. Therefore, the staff asked the licensee to identify corrective actions planned to improve performance in plant operations, maintenance, emergency preparedness, quality programs, and training. The licensee identified those corrective actions in letters dated February 4 and March 4, 1985. These letters identify a number of PEP action plans and other corrective actions to improve the licensee's performance. Sixty-six of the identified actions remained incomplete in July 1985.

A number of the SALP response actions were also PEP actions. The operations section actions resulted in improved operations department performance, but actions requiring Nuclear Mission support in other areas were untimely and incomplete. Specific examples include reduction of jumpers and lifted wires, and system-by-system review of the plant. Maintenance section actions were unsuccessful in controlling vendor manuals in the field and did not significantly reduce the maintenance work order backlog. Emergency preparedness actions were successful in improving performance in this area, as exhibited in licensee performance in the 1985 summer emergency preparedness exercise. The quality programs area showed improvements in expanding those areas requiring a safety evaluation. The training area had significant actions still incomplete.

The staff generally concludes that management corrective actions that had been implemented failed to promptly and adequately resolve the problems that had been identified. In the PEP, the three deficiencies noted exemplify a lack of commitment of necessary resources and of the failure of senior management to properly overview the progress of PEP.

With regard to the licensee's prioritization of incomplete commitments, the three implementation categories are generally acceptable. Additional prioritization of these corrective actions is not warranted before restart. Category 1 items are appropriate and deal with the important issues that will require significant management overview. The final implementation dates appear to be timely. All the Category 2 items are acceptable and no further information is needed. Incorporating the Category 3 actions into the normal course of business is fundamentally sound because this will provide direct accountability for performance of these actions. The interim PEP and SALP response actions have been presented adequately insofar as how and when these corrective actions shall take place. However, the licensee has stated that the PEP implementation plans originally established may not be the actual corrective action product to deal with the identified problems. No schedule has been provided for completing these items. Continued staff attention will be required to ensure that PEP receives adequate oversight by corporate management and the necessary commitment of resources to implement fully the corrective actions identified.

3.3.3 Control Room Review and Improvement

The staff has completed its evaluation of the licensee's responses to the staff's concerns regarding the adequacy of control room instrumentation and the human factors aspects of control room SFRCS design. These responses have been reviewed also with respect to the issues identified in the report entitled "Pre-Implementation Audit of the Detailed Control Room Design Review (DCRDR) of the Davis-Besse Nuclear Power Station," which was sent to the licensee by letter dated July 2, 1985. On the basis of this evaluation, the staff has made the determinations that follow.

Control Room Instrumentation and Control Adequacy

The staff will evaluate the adequacy of control room instrumentation and control (I&C) in a separate SER relating to the detailed control room design review (DCRDR). For the staff to complete this review, the licensee must submit satisfactory responses to the items identified in the following paragraphs and in "Supplement to the Technical Evaluation Report of the Detailed Control Room Design Review for the Davis-Besse Nuclear Power Station" (reproduced in Appendix C to this SER). This issue need not be resolved before restart but is included here for completeness.

Programs To Reduce the Likelihood of Inadvertent Isolation of Auxiliary Feedwater to Both Steam Generators

The licensee's proposed work plan shown in Exhibit 5 of its submittal dated September 30, 1985, should result in adequate human factors improvements to the steam and feedwater rupture control system panel. These improvements would minimize the likelihood of inadvertent isolation of auxiliary feedwater to both steam generators. The retraining of control room operators with respect to these modifications and their impact on the manual actuation of the SFRCS are addressed in Section 3.1.3.5. This will complement the training required for licensed operators on all plant modifications as a part of the plant modification process.

Detailed Control Room Design Review

The licensee provided satisfactory responses to most of the staff's concerns identified in the preimplementation audit report. However, additional information is required for several DCRDR elements so the staff can complete its review in accordance with Supplement 1 to NUREG-0737. The staff's evaluation of each element is presented below.

(1) Qualifications and Structure of the DCRDR Team

The licensee has committed to the involvement of human factors specialists in its Systems Review and Test Program (Section 3.4 of this SER) and in the facility change request (FCR) process during and after completion of the DCRDR. The licensee's commitment to the human factors element in the DCRDR satisfies the concerns of the staff and will meet this requirement of Supplement 1 to NUREG-0737.

(2) Function and Task Analysis

The licensee has committed to update its systems function and task analysis (SFTA). The SFTA upgrade activities will include the following:

(a) an analysis of operator tasks, information and control requirements, and required characteristics of instruments and controls necessary to monitor and assess the various challenges and failure modes of the radioactivity release critical safety function

(b) a reanalysis of operator actions for steam generator tube rupture to ensure comprehensive identification of information and control requirements

(c) an analysis of required characteristics of instruments and controls for all operator tasks required during emergency operations

After staff approval of the licensee's SFTA performed to develop upgraded plant specific emergency operating procedures (EOPs), the staff will determine whether the results of the SFTA were satisfactorily applied to the DCRDR to determine instrument and control characteristics.

(3) Comparison of Display and Control Requirements with a Control Room Inventory

The staff concluded that because the SFTA was not complete, the comparison or verification of the information and control requirements and required characteristics of instruments and controls with the control room mockup is incomplete.

The licensee has committed to verify equipment availability and human engineering suitability for the requirements that are developed from the activities necessary to upgrade the SFTA. The licensee's verification approach will satisfy the staff's previous concerns.

(4) Control Room Survey

The staff concluded that the control room survey conducted up to the time of the preimplementation audit was satisfactory. However, the following aspects of the control room were not evaluated:

(a) the new components added to the control room since the survey was performed

(b) the annunciator system flash patterns

The licensee has committed to complete the control room survey. The licensee must provide documentation of the assessment and resolution of any human engineering discrepancies (HEDs) identified from the review of new components added to the control room and any HEDs associated with annunciator system flash patterns. These activities should satisfy the requirements of Supplement 1 to NUREG-0737 for the conduct of a control room survey.

(5) Assessment of HEDs

The staff concluded previously that there had been no systematic review of individual HEDs to determine the presence of cumulative and interactive effects upon the assessment of HEDs. In addition, the licensee had not used human factors expertise in downgrading the safety significance of 29 HEDs. During a meeting between the staff and the licensee on October 9, 1985, the licensee proposed a method for determining cumulative and interactive effects. The approach would use various HED data base fields to enable the identification of component or problem interaction. The staff finds the licensee's proposed approach acceptable. The staff will review the results of this approach as a part of the Davis-Besse DCRDR and will report its findings in a separate SER.

The licensee identified 29 safety-significant HEDs. The staff has determined that these HEDs must be corrected before restart, or a justification must be provided which demonstrates that the plant can be operated safely with uncorrected HEDs. The licensee's actions regarding these HEDs and the staff's evaluation are addressed in Section 3.3.4 of this SER.

(6) Selection of Design Improvements

The staff concluded that the following activities were necessary for the licensee to meet this DCRDR requirement:

(a) Perform and document a systematic process of selecting design improvements.

(b) Ensure consideration of cumulative and interactive effects of individual HEDs on the entire integrated control room improvement program.

(c) Improve HED documentation for completeness, clarity, accuracy, and auditability.

(d) Develop solutions to HEDs and implementation schedules that are acceptable to the NRC staff.

For the staff to close out this requirement of Supplement 1 to NUREG-0737, the licensee should provide the following documentation:

(a) proposed work plans for the special studies (except for the SFRCS panel)

(b) several sample HEDs that demonstrate the upgrading of HED documentation

(c) all the proposed corrections to HEDs, including those to be performed during and after the current outage

(d) justification for HEDs not corrected or partially corrected

(e) an implementation schedule for each HED correction, including the rationale for schedule delays beyond the sixth refueling outage

These items need not be resolved before restart but are included in this SER for completeness. However, the licensee has stated in a letter dated February 13, 1986, that documentation items (a) and (b) will be provided no later than 1 month following restart from the current outage and documentation items (c), (d), and (e) will be provided before restart from the next refueling outage.

(7) Verification That Improvements Will Provide the Necessary Corrections Without Introducing New HEDs

The licensee has committed to use human factors specialists as active integral members of the DCRDR team to develop and verify human engineering design changes.

The implementation of this verification process should resolve the staff's concerns regarding fulfillment of this requirement of Supplement 1 to NUREG-0737.

(8) Coordination of the DCRDR With Other Improvement Programs

The licensee did not provide documentation of a systematic plan to coordinate all emergency response initiatives. The licensee only described points of integration of the various improvements, which the staff concluded was a loosely coordinated program. For the staff to close out this requirement, the licensee is required to provide documentation that explicitly discusses the status and integration of the results of each review with each of the initiatives in Supplement 1 to NUREG-0737. This issue need not be resolved before restart but is included in this SER for completeness.

3.3.4 Staff Evaluation of 29 Safety-Significant HEDs

As a result of the Davis-Besse DCRDR, 29 HEDs were identified as having varying 1 degrees of safety significance. These 29 HEDs were identified by the licensee i in the Davis-Besse Summary Report dated June 29, 1984. The June 9, 1985, event l at Davis-Besse involved the systems in which the 29 safety-significant HEDs had been identified. Subsequently, it was determined that those 29 HEDs must be resolved, either by permanent correction or by interim measure, before plant j startup would be allowed.

The staff utilized the services of Science Applications International Corporation (SAIC) to assist in reviewing the licensee's resolutions of the 29 safety-significant HEDs. The review process included analysis of formally submitted documents, meetings between the staff and the licensee, both at the site and in Bethesda, Maryland, and telephone conversations between the staff and the licensee. The SAIC report, included in this SER as Appendix D, details each HED and offers sections entitled "SAIC's Technical Evaluation-Conclusions and Staff Positions" and "Action To Be Completed by TED*." The staff has reviewed the SAIC report and endorses it in all respects.

*TED = Toledo Edison.

Appendix D describes a number of actions to be completed by the licensee before restart or by completion of the next (5th) refueling outage. Details of these actions, which were committed to by the licensee, are found in the "Actions" section for each specific HED listed in Attachment 3 to Appendix D. The actions required are summarized below by type of action and time frame for completion.

- hardware modifications to be completed to correct six HEDs, before restart
- additional or special training of control room operators, before restart, on hardware modifications made to correct six HEDs
- confirmation, before restart, for five HEDs that good human factors practices were followed in implementing hardware modifications
- completion, before the end of the next (5th) refueling outage, of special studies and associated hardware modifications for 18 HEDs

The staff concludes that the licensee's permanent and interim corrective actions adequately address the 29 safety-significant HEDs. This conclusion, however, is contingent upon the following:

(1) Confirmation that all actions required before restart, as described above and in Appendix D, have been completed. Where hardware modifications are involved, details of these modifications should be made available to the staff.

(2) All special studies and associated hardware modifications are completed before the end of the next (5th) refueling outage. Results of the special studies and details of hardware modifications should be made available for staff review before implementation.

(3) All DCRDR HEDs are corrected by the end of the sixth refueling outage.

3.4 System Reviews and Test Program

The design weakness of the SFRCS and the inadequate maintenance and testing of the AFW isolation valves, AF-599 and AF-608, brought to light during the June 9, 1985, event raised broad concerns about the adequacy of safety systems and engineered safety features at the Davis-Besse facility. Specifically, the staff letter of August 14, 1985, requested that the licensee provide its plans and programs to resolve these concerns relating to

(1) the adequacy of safety system testing including verification that safety systems are tested in all configurations required by design-basis analysis

(2) the adequacy of other engineered safety features, including design considerations, in light of the single-failure vulnerabilities identified in the SFRCS and AFWS

To address these concerns and others related to equipment maintenance and problems of a recurring nature, the licensee established the System Review and Test Program (SRTP). The SRTP is designed to provide a comprehensive evaluation and functional demonstration of systems included within the scope of the program. The program is intended to identify and rectify problems that could affect the ability of the systems to perform their intended function.

The scope of the SRTP addresses a nascent concern of the staff which relates to the reliability of certain systems and hardware not considered to be important to safety. The concern centers upon those systems, such as main feedwater, that perform an important process function which, when disrupted, can result in a challenge to a system important to safety. For example, an improved main feedwater system reliability will result in fewer challenges to auxiliary feedwater systems thereby decreasing risk. The licensee has designed the SRTP to encompass all systems which are important to safe plant operation. This program, when completed, is expected to have contributed to a substantially improved facility with respect to reliability and safety.

3.4.1 Program Overview

The objectives of the SRTP are

- to identify important and recurring design, maintenance, and operations problems and to determine the corrective actions required
- to evaluate the scope of existing periodic testing and identify additional testing needed to ensure system operability
- to conduct a test program to ensure the systems function as intended
- to verify adequacy of modification completed during the current outage

The first two of these objectives have been completed. The SRTP is in progress and will continue through reactor criticality and during power escalation.

The designation of systems that are important to safe plant operation was based upon a consideration of a number of attributes as follows:

- The system performs an active safety function.
- System malfunction could lead to challenges to safety systems.
- Malfunction could result in abnormal plant transients.
- The system is important to preventing, detecting, or mitigating plant transients.
- The system has a history of unreliable performance.
- The system was associated with the June 9, 1985, event.

To achieve the stated program objectives, the licensee established the System Review Group (SRG), the Joint Test Review Group (JTG), and the Independent Process Review Committee (IPRC).

The SRG is responsible for the following:

(1) determining the scope or boundary of assigned systems and identifying support and interfacing systems

(2) identifying system or component functions important to safe plant operation

(3) reviewing existing surveillance testing for adequacy with respect to demonstrating system functions

(4) reviewing system performance documentation to identify recurring maintenance or operational problems

(5) conducting system performance interviews with maintenance and operations personnel knowledgeable about past system performance

(6) identifying and proposing system modifications, additional testing, and other corrective actions as appropriate

The JTG is responsible for developing and processing system or other test procedures identified as necessary by SRG, and reviewing completed test packages for acceptability.

The IPRC oversees the program and is specifically responsible for review and acceptance of SRG generated system review reports, review and approval of proposed corrective actions, review of proposed draft test outlines, as necessary, and review of test result summaries.

3.4.2 Program Evaluation

The staff has established an eight point program to review the SRTP. The eight points are

(1) Evaluate the proposed SRTP to determine the degree to which it can achieve stated program objectives.

(2) Assess whether the list of systems important to safe plant operation is sufficiently complete to provide reasonable assurance of safe plant operation. This would include evaluation of specific justifications for excluding any safety-related systems.

(3) Review the lists of system functions important to safe plant operation to determine whether they are complete with respect to both specific system functions and plantwide system safety functions.

(4) Review selected test outlines to ensure that they encompass all system functions required for safe plant operation and that the systems are tested under anticipated operating conditions. This would include review of proposed justifications for not testing any system function deemed important to safe plant operation or not testing systems at anticipated system operating conditions.

(5) Review, witness, and evaluate the results of selected system tests.

(6) Verify that the licensee has developed, performed, and evaluated the results of remaining test procedures.

(7) Audit maintenance record reviews, personnel interview results, test leader qualifications, etc.

(8) Observe SRTP meetings such as JTG meetings, IPRC meetings, etc.

This SER documents the first four points of the staff's review program. The remaining points will be documented in subsequent inspection reports to be issued through NRC's Region III office.

3.4.2.1 Ability To Meet Program Objectives

To evaluate the SRTP, a staff and staff contractor group was formed. This group consisted of eight individuals who provided continuous onsite coverage from November 1985 through March 1986. Intermittent (approximately 50%) coverage was provided after March. During restart and power escalation, continuous onsite coverage will be provided to witness testing. The initial onsite coverage began during the formative phase of the licensee's SRTP. Therefore, staff concerns and comments were incorporated as the program developed. This resulted in a significant time savings to the licensee as opposed to waiting for completion of the program before initiating staff review.

The SRTP draft implementing procedures, as initially written, lacked specificity with respect to the degree to which system reviews were to be documented, the degree to which system testing requirements were to be identified and pursued, and the degree to which system interface problems were to be identified and resolved. In most cases these actions were left to the discretion of the responsible system engineer and thus, the overall success of the program relied heavily upon the experience, plant knowledge, consistency and vigor of the SRTP participants. These deficiencies were corrected and the final procedures are more definitive in many areas, including program documentation requirements, treatment of system interfaces and support systems, approval of milestones, etc. Consequently, the staff concludes that the licensee's SRTP implementing procedures define a program which can fulfill stated objectives. The ultimate success of the program remains dependent upon the performance of SRG, JTG, and IPRC during the remainder of the systems test program. Therefore, future NRC review and inspection activities will focus upon the performance of these program organizations.

The SRTP, as initially defined, made inconsistent use of existing surveillance (those tests required to satisfy Technical Specification requirements) and performance testing (operational testing of systems beyond that which is required by Technical Specification). Responsible system engineers were directed to review surveillance and performance tests to determine whether these tests adequately demonstrated system functions, but the actual performance and review of surveillance and performance test results were done outside of SRTP organizations. Thus, although a surveillance test might be relied upon by SRTP to demonstrate a system function, SRTP could not verify that the particular surveillance or performance test had, indeed, been completed satisfactorily. The licensee has resolved this concern in the final SRTP implementing procedures. The Restart Test Group Charter now specifies that the JTG will review test results for those surveillance tests identified in the SRTP test index. This ensures that SRTP will now be able to review the results of all tests upon which it is relying to demonstrate that systems important to safe plant operation are functioning as intended.

The SRTP, as initially defined, lacked definitive guidance regarding the degree to which previous successful test results should be used to demonstrate that systems function. The staff was concerned that excessive reliance on previous test results could invalidate SRTP conclusions. The staff was also concerned that reliance upon previous test results to demonstrate that systems are functional should be minimized. Only in exceptional cases where, for example, it is not prudent to run a particular test, or where a fully satisfactory test has been completed in the recent past, should previous test results be considered. The final SRTP implementing procedures require responsible system engineers to provide specific justification in those instances where restart testing is not recommended. This resolves the staff concern.

The initial implementing procedures did not include a written requirement that system functions important to safe plant operation would be tested under the anticipated system operating conditions to the extent practical. For example, if a valve is expected to open with a 1500-lb differential pressure across its seat, then testing should be designed, to the extent practical, to be performed under those expected conditions. The program has been revised to require a comparison of actual operating or emergency conditions to test conditions.

The initial program had no requirement for system walkdowns. Consequently, the success of the review aspects of SRTP became overly dependent upon the adequacy of previous maintenance, modification, and other plant documentation. The licensee has now resolved this concern by requiring system walkdowns to identify such things as obvious equipment damage, visual evidence of equipment malfunctions, and potential human engineering deficiencies.

The staff concludes that the proposed SRTP, with the modifications made by the licensee to address the staff's concerns as discussed above, should be capable of achieving the stated program objective.

3.4.2.2 Systems Within the SRTP Scope

The following systems are included within the scope of the SRTP:

- reactor coolant
- high pressure injection
- core flooding
- decay heat removal and low pressure injection
- containment spray
- containment emergency ventilation
- containment air cooling and hydrogen control
- makeup and purification
- electrical 125/250-V dc (includes battery room heating and ventilation)
- electrical 4.16-kV (13.8/4.16-kV transformers)
- electrical 480-V distribution (includes inverters and required transformers)
- electrical 13.8-kV (includes startup and auxiliary transformers)
- emergency diesel generators (includes "Q" fuel oil tanks and diesel room ventilation)
- instrument ac power (includes inverters and required transformers)
- anticipatory reactor trip
- control rod drive control
- incore monitoring (includes core exit thermocouples)
- reactor protection
- steam and feedwater rupture control
- safety features actuation
- integrated control/non-nuclear instrumentation
- security
- control room normal and emergency heating and ventilation
- station and instrument air
- station fire protection
- component cooling water
- service water
- auxiliary feedwater
- main steam
- steam generator
- main feedwater
- gaseous radwaste
- postaccident sampling
- miscellaneous containment isolation valves

The licensee considers these systems important to safe plant operation. The list includes nearly all the systems considered to be safety related. SRTP activities go beyond the listed systems to include other supporting systems, such as ventilation systems, to the extent necessary to ensure that systems important to safe plant operation can function as required.

The licensee has provided the justification for safety related systems not included within the SRTP. (Safety related systems, for the purpose of this discussion are considered to be those (1) included on the Davis-Besse Q-list, (2) included in the plant Technical Specifications, or (3) relied upon for mitigation or prevention of design-basis accidents.)

Those systems falling within this definition but which are not included in the SRTP are as follows:

- containment radiation monitoring
- seismic and meteorological monitoring
- radiological liquid effluent monitoring
- 345-kV electrical
- containment air locks
- snubbers
- fuel handling and storage
- cranes and hoisting equipment
- seismic Category I piping supports and hangers
- emergency core cooling system room sump pumps
- buildings and structures

The licensee has not included the containment gaseous and particulate activity monitors in the SRTP because these monitors provide no alarm or trip function. However, the containment radiation monitors which provide input signals to the safety features actuation system are included in the program. The staff concludes that the most important monitors are included and the exclusion of monitors that provide no trip or alarm function is acceptable.

The seismic monitoring system performs no active safety function, and failure or malfunction of this system has no effect on plant operations, plant operational safety, or availability. Therefore, the exclusion of this system is acceptable to the staff.

The meteorological monitoring system performs no active safety function. The licensee has reviewed the operational history of this system for the past two years. The results indicate dose assessment capability was available approximately 99.6% of the time, which exceeds the 90% availability criterion specified in RG 1.23. Furthermore, in accordance with the licensee's emergency plan, the meteorological monitoring system capability is backed by the ability to obtain the necessary information from the National Weather Service (Cleveland) or the Fermi Nuclear Power Plant (Monroe). Based on the system's recent performance and the provision for backup capability, the licensee determined that this system poses no concern relative to plant operations or to the public health and safety. The staff considers this adequate justification for excluding this system from the SRTP.

The licensee has stated that the monitoring instruments in the radioactive liquid and gaseous effluent monitoring systems are subjected to frequent surveillance tests. These tests have indicated no generic or major problems. Furthermore, both liquid and gaseous effluent monitoring capabilities are examined annually in conjunction with the NRC's Confirmatory Measurement Program. Based on the demonstrated conformance of these systems to Technical Specification requirements, the licensee has concluded that a review of these systems is not required.

The monitors which are relied upon for detecting and mitigating steam generator tube ruptures are included in the SRTP. The main condenser off gas monitors and main steamline radiation monitors are included in the scope of the steam generator system review. The waste gas system oxygen monitor is part of the gaseous effluent monitoring instrumentation and will be addressed as part of the review of the gaseous radwaste system. This is acceptable to the staff.

The licensee has stated that the Technical Specification requirement addressing the 345-kV electrical system pertains to the availability of offsite electrical sources, and that testing of such sources would be impractical and not feasible. This is acceptable to the staff since the onsite distribution systems are included in the program.

The licensee has stated that containment air locks and snubbers are passive components. The air locks are routinely operated and leak tested in accordance with Technical Specification requirements, and consideration under SRTP is, therefore, unnecessary. Similarly, snubbers are routinely checked for operability, and SRTP consideration is unnecessary. Given the operation-oriented objectives of SRTP, these are acceptable exclusions to the staff.

The spent fuel cooling and fuel handling area ventilation systems are included with the fuel handling and storage system. The licensee has committed to review the fuel handling area ventilation system after restart and proposes not to review the spent fuel pool cooling system because

- The large volume of the spent fuel pool (300,000 gallons) will act as a passive long-term heat sink if the spent fuel pool cooling system is lost.

- The decay heat removal system can be aligned to cool the spent fuel pool if both trains of the spent fuel pool cooling should become inoperable.

- The system is in continuous operation so that its functional operability is monitored on an ongoing basis. The redundant spent fuel pool pump and cooler can be placed in service if problems are detected with the string that is in operation.

Based on the above, the staff concludes that there is adequate justification for excluding the spent fuel pool cooling system from the SRTP.

Cranes and hoisting equipment are not included in the SRTP because they play no active role in mitigating or controlling abnormal plant transients and they are not associated in any way with the systems that were required to be operable for the June 9, 1985, event. These components are not among the fluid, electric, or instrumentation systems on which the analysis of the program for operability has been focused. Additionally, the handling of heavy loads has been addressed under an NRC generic issue (NUREG-0612). This is considered adequate justification for excluding this equipment from the SRTP.

The licensee is presently performing a detailed inspection program on seismic Category I hangers and supports. This program was under way before the June 9, 1985, event and is subject to a separate Region III Confirmatory Action Letter.

The review of snubbers and supports will continue as a separate NRC activity.

The licensee has excluded the emergency core cooling system (ECCS) room sump pumps from SRTP because they are not required to mitigate any design-basis accident sequence. The licensee has reviewed the ECCS room sump pumps to the extent needed to ensure proper ECCS capability. Based on this review, the licensee anticipates no challenge to the normal operation of the ECCS room sump pumps. The staff considers that this is an adequate basis for excluding this equipment from SRTP.

The licensee has excluded passive Q-structures from the program. The staff's review has identified no basis for challenging this decision.

Based upon its review described above, the staff has concluded that the list of systems important to safe plant operation is sufficiently complete to enable the SRTP to achieve its objective.

3.4.2.3 Review of System Functions

The licensee is committed to document the functions of all systems included within the scope of the SRTP. IPRC-approved system function reports were supplied to the staff and were used in this review. Criteria used by the staff to verify system functions included (1) system functions as documented in Chapter 15 of the Updated Safety Analysis Report (USAR), (2) system functions discussed in the applicable safety analysis chapter, and (3) the Davis-Besse Nuclear Power Station Licensing Safety Evaluation Report, NUREG-0136. The USAR and SER information was supplemented by review of plant procedures, training information, and the Davis-Besse Technical Specifications.

The system functions associated with systems determined to be important to safe plant operation as identified by the licensee in the IPRC-approved SRTPs were reviewed to the above criteria.

The staff's review of the system function documentation revealed several areas in which clarification was needed or additional function was to be identified. The licensee committed to modify the documentation appropriately.

The makeup and purification system and system functions identified in the IPRC-approved SRTP reviewed by the staff did not specifically address the function of letdown isolation on a high-temperature signal to mitigate a letdown line pipe break. The licensee committed to revise the Davis-Besse USAR to clarify what systems and system functions are assumed to mitigate a letdown line pipe break discussed in USAR Section 15.4.

The anticipatory reactor trip system and system functions identified in the IPRC-approved SRTP reviewed by the staff did not specifically address the interlock function that prevents reset before the initiating signal has cleared. The licensee committed to verify proper operation of this interlock during the system testing.

The control rod drive system and system functions identified in the IPRC-approved SRTP reviewed by the staff did not specifically address the reactor runback to 15% power. Runbacks are addressed in the integrated control system and system functions are identified in the IPRC-approved SRTP. However, the ICS function does not address the runback function as a safety function. The main steam system and system functions identified in the IPRC-approved SRTP did not specifically address the function of the turbine bypass. The licensee committed to revise the USAR to update the discussion provided in Section 15.2 on the turbine trip analysis to indicate that the anticipatory reactor trip system provides the mitigating functions and delete the discussion concerning reactor runback and turbine bypass as mitigating functions.

The control room normal and emergency ventilation system identified in the IPRC-approved SRTP did not specifically address the function of control room isolation on auxiliary building high radiation. The licensee agreed this function should be included, and committed to add this function to the current list of system functions.

3.4.2.4 Results

The SRTP has proven to be a valuable and productive approach to identifying problem areas. During the system reviews, the licensee uncovered approximately 150 problem areas which the licensee deemed necessary to resolve before restart; also identified were approximately 700 problem areas which will be corrected after restart. For the problem areas to be corrected before restart, facility change requests, maintenance work requests, or requests for engineering evaluation have been prepared.

Some examples of problem areas revealed in the systems review follow:

- Control room emergency ventilation system
  - Roof-mounted condenser units are not missile protected.
  - Refrigerant system will not start and run in water-cooled condensing mode without operator action.
  - Control components are improperly maintained, calibrated, and installed.
  - Damper hydromotors operate sluggishly at low ambient temperature.

- Potential flooding of pit containing decay heat removal system valves
  - Motor operated valves are not qualified for submergence.
  - Packing leaks allow accumulation of water.
  - No provisions exist for water removal during plant operation and for water level indication.

- Inadequate ventilation in service water pump room
  - Ventilation flow is inadequate by more than one order of magnitude to remove pump heat during design-basis conditions.
  - Recirculation of discharged air from operating exhaust fans to idle exhaust fans should not occur.

- Improper installation of fire dampers in through-wall ducts
  - Thermal expansion space is filled with foam or grout.
  - Damper is not properly attached to the sleeve.
  - Orientation is incorrect.
  - Retaining angles are improper.

Some examples of problem areas revealed by the test reviews follow:

- Inadequate performance testing requirements for safety-related heat exchangers
- Lack of performance basis for acceptance criteria for safety-related pump testing
- Inadequate leak check requirements on some check and isolation valves (both testing method and allowable leakage)
- Incomplete acceptance testing for RCS hot-leg level instrumentation
- Incomplete operability checks of standby flowpaths (e.g., decay heat removal pump/high pressure injection pump "piggyback" alignment)

Some examples of problem areas revealed during initial system testing follow:

- Improperly wired containment air cooler fan and less than designed flow capacity
- Inadequate flow and distribution of ventilation for service water pumps
- Improper lower air pressure limit for multiple starts of emergency diesel generator

Corrective actions have been taken by the licensee regarding (1) changes made to restore the system to its original design bases described in the FSAR or (2) changes made according to 10 CFR 50.59. No changes were made by the licensee that required a license amendment and staff approval.


Table 3.1 Licensee's summary of the status of maintenance work orders (MWOs)

| Number of MWOs | Corrective | Preventive | Modifications |
|---|---|---|---|
| Existing on June 9, 1985 | 1339 | 405 | 111 |
| Created since June 9, 1985 | 5996 | 1554 | 1027 |
| Closed since June 9, 1985 (as of March 31, 1986) | 4878 | 1550 | 620 |
| Remaining as of March 31, 1986 | 2457 | 409* | 518 |

*Backlog to be eliminated before restart - no PM work order outstanding.

4 DECAY HEAT REMOVAL RELIABILITY AND CAPABILITY

4.1 Auxiliary Feedwater System Before June 9, 1985

At the time of the event on June 9, 1985, the auxiliary feedwater system (AFWS) consisted of two turbine-driven auxiliary feedwater pumps and associated valves and piping. Three water sources were available to the AFWS pumps: the condensate storage tank (CST), the service water system, and the fire water system. The CST was the normal water source for the system; however, if a low suction pressure condition was sensed, the AFW suction would automatically transfer to the service water system. Manual action is required to transfer suction to the deaerator storage tanks.

The AFWS was actuated by the steam and feedwater rupture control system (SFRCS). The SFRCS was provided primarily to prevent the AFWS from pumping water to a faulted steam generator. When the AFWS is actuated by the SFRCS on signals other than low steam generator pressure, the steam to drive the turbines of the AFWS pumps and the discharge of each pump are aligned with the associated steam generator. Each of the AFWS pumps is rated at 1050 gpm when pumping against a steam generator pressure of 1050 psig; 250 gpm of the 1050 gpm is used for recirculation flow. However, if the SFRCS is actuated on low steam generator pressure, the flowpath of the system is altered to prevent feeding a ruptured steam generator. The isolation of feedwater to the faulted steam generator is accomplished by closing the AFWS containment isolation valve and the AFW discharge valve. Feedwater is supplied to the intact steam generator by both pumps through the appropriate cross-connect valve and piping. The steam supply valves for the turbine-driven pumps are also realigned to provide steam for both pumps from the intact steam generator.

After the accident at Three Mile Island, the staff required all licensees who j held pressurized-water-reactor licenses to perform a reliability (unavailability) study of the AFWS. The staff reviewed the submittal by the licensee and also

[ performed an independent analysis. The analysis addressed the following three transient conditions and the results as indicated below.

Transient                                                  Unavailability
LMFW - loss of main feedwater                              1.6 x 10^-3
LOOP - loss of offsite power/loss of main feedwater        2.8 x 10^-8
LOAC - loss of all ac power/loss of main feedwater         3.4 x 10^-2

A comparison of these unavailability figures with those in NUREG-0611 and NUREG-0635 shows that transient conditions at Davis-Besse fall into the low range for the LMFW and LOOP transients.

4.2 Auxiliary Feedwater System Before Restart After the Event on June 9, 1985

Before restart, the AFWS will consist of the two safety grade turbine-driven pumps as described previously and the new motor-driven feedpump as described in Section 3.3.1.3. With the additional system modifications discussed in Section 3.3.1, the staff concludes that the reliability of the overall AFWS has been increased based on comparison of the results of the reliability study for the AFWS configuration before the event on June 9, 1985, as discussed in Section 4.1, with the results of the following reliability study for the AFWS configuration as it will be before restart:

Transient        Unavailability before restart
LMFW             9.1 x 10^-5
LOOP             1.1 x 10^-8
LOCA             3.3 x 10^-2

The staff has reviewed the licensee's reliability analysis for the AFWS configuration before restart and concludes that the modifications to be completed before restart have improved AFWS reliability by at least a factor of 5 for the LMFW and LOOP transients. This assessment is based on a combining of the licensee's calculated reliability for these two transients with additional credit that was not included in the licensee's values for recovery actions. The staff considers the AFWS sufficiently reliable to permit restart. The staff notes that the calculated AFWS unavailability does not meet the 10^-5 to 10^-4 per demand criterion of SRP Section 10.4.9 which is applicable to the LMFW and LOOP transients. Although compliance with the requirements and criteria identified in the Standard Review Plan is not a requirement for Davis-Besse, the comparison provides a useful measure to determine if reasonable system upgrades should be recommended by the staff.

The licensee has committed to completing and submitting a detailed reliability study for review. Depending on the results of this study, the licensee may conclude that further modifications to improve reliability may be justified.

The staff will review the licensee's detailed reliability study and may make additional recommendations. The licensee's detailed study should be submitted for review within 90 days after restart.

4.3 Makeup/High-Pressure Injection (MU/HPI) Cooling

In response to the staff's concern regarding the adequacy of the Davis-Besse loss-of-feedwater analyses, the licensee provided the results of several best-estimate analyses for a loss-of-all-feedwater event. These analyses were performed by the Babcock and Wilcox Company (B&W) using the RELAP5/MOD2 computer code. The licensee stated that the acceptability of the RELAP5/MOD2 program and the modeling techniques used was established by benchmarking the RELAP5/MOD2 code to OTIS test 230299. The purpose of these analyses was to assess the adequacy of the plant emergency (abnormal transient operating guidelines, ATOG) procedure as well as to determine the time available for operator response for mitigating the consequences of a loss-of-all-feedwater event.

The operator actions modeled in the analyses were based on the current Davis-Besse ATOG procedure. Following the determination that both a lack-of-heat transfer condition and a lack-of-feedwater condition exist, the procedure requires the operator to:

(1) Open the power-operated relief valve (PORV) and the PORV block valve.

(2) Open pressurizer and hot-leg high point vent lines.

(3) Actuate both makeup (MU) pumps.

(4) Align high pressure injection (HPI) pumps in a piggyback mode.

This mode of cooling is defined as the MU/HPI, or alternatively "feed-and-bleed," cooling mode.

The licensee performed two sets of calculations. The first set examined the consequences of the event on June 9, 1985, assuming that auxiliary feedwater had never been recovered. Operator action to initiate the MU/HPI cooling mode was modeled. The results demonstrated that core uncovery would not have occurred, given initiation of MU/HPI cooling within the first 30 minutes of the event.

The second set of calculations examined a loss-of-all-feedwater event assuming full power operation. The analysis used the following assumptions:

(1) Reactor is at 102% of full power.

(2) Loss of feedwater is initiated by 10-second ramp down.

(3) Decay heat is based on American Nuclear Society Standard ANS 5.1-1979.

(4) Reactor trips on high pressure of 2300 psig; turbine trips 1 second after reactor trip.

(5) PORV capacity of 216,000 lb/hr steam and 2500 psia is based upon testing performed on the Davis-Besse PORV by the manufacturer, Crosby, and at the Duke Power Co.'s Marshall Station.

(6) Reactor coolant pump trips on loss of subcooling margin.

(7) PORV actuation is modeled.

(8) Makeup flow prior to operator action maintains pressurizer level at 198 inches.

Operator action to initiate feed-and-bleed cooling was assumed 10 minutes after the hot-leg temperature reaches 600°F. A temperature of 600°F was calculated to occur at 96 seconds into the transient. Revised procedures require implementing MU/HPI cooling when the hot-leg temperature reaches 600°F. The core remained fully covered with a two-phase mixture and was acceptably cooled.

On the basis of these analyses, the licensee concluded that, with the use of existing plant equipment and timely operator action, feed-and-bleed (MU/HPI) cooling could be successfully used to prevent core uncovery and thereby maintain core cooling for a loss-of-all-feedwater event.

The staff has performed independent calculations to examine the response of the Davis-Besse plant to a loss-of-all-feedwater event and to confirm the adequacy of the operating procedures. Report LA-UR-85-3083 (Line, Nassersharif, and Boyack, 1985) documents calculations performed at Los Alamos National Laboratory using the TRAC code, which examine the Davis-Besse transient of June 9, 1985, and calculate possible alternate sequences. The report concludes that even if auxiliary feedwater was never recovered during the June 9 event, operator action to implement MU/HPI cooling as late as 34 minutes after reactor trip would have prevented core uncovery.

In addition to the TRAC calculations, the staff has performed several calculations, using the RELAP5/MOD2 code and the nuclear plant analyzer, to examine the time available for the operator to initiate MU/HPI cooling assuming initial full power operation. These calculations confirm the licensee's conclusions that if MU/HPI cooling is implemented within 10 minutes after the hot leg reaches 600°F, the core will remain covered and acceptably cooled.

On the basis of its review of the licensee's calculations, and its own calculations, the staff concludes that MU/HPI cooling could be successfully used for core cooling, following a loss-of-all-feedwater event, if timely operator action is taken.


5 SINGLE-FAILURE CONSIDERATIONS

One of the conclusions of the Incident Investigation Team was that "Neither the SFRCS system nor the auxiliary feedwater system at the Davis-Besse plant meet the single-failure criterion for all design-basis accidents." The staff, therefore, requested that the licensee address the adequacy of other engineered safety features, including design considerations, in light of the single-failure vulnerabilities identified in the SFRCS and auxiliary feedwater system.

This section provides an evaluation of the safety features actuation system (SFAS) and the reactor protection system (RPS) with respect to this concern.

Evaluations of the SFRCS and AFWS are presented in Sections 3.3.1.1 and 3.3.1.2, respectively, where the single-failure concern for those systems is addressed.

5.1 Safety Features Actuation System

A design analysis of the Davis-Besse SFAS was performed by the licensee to determine the susceptibility of the system to single failures and to identify any set of conditions where, given a single random failure, the SFAS safety function may be compromised. The analysis encompassed all components actuated by the SFAS, sensors associated with SFAS, and associated electrical power trains.

The approach and methodology used by the licensee for this analysis are consistent with those contained in Section 6 of IEEE 379-1977 and ANSI/ANS-59.9-1981. Systems (both process as well as electrical power systems) and components which constitute the SFAS were reviewed in this analysis. Where system operation was required for completion of an SFAS function, the components were reviewed at the system level and verification of system independence was made.

The electrical power system which supports SFAS was included as part of this analysis since this system (both ac and dc) interacts closely with SFAS-actuated equipment. The electrical power system was reviewed to verify independence between the redundant load groups. The process system review included a verification that redundant process components are powered from separate electrical load groups. Components internal to the SFAS electronics cabinets were not part of the new single-failure analysis because the vendor analyzed this aspect during the original licensing of the plant. No internal electronic changes have been made affecting this evaluation.

A related issue of shared power supply commons within the SFAS was under review by the staff before the June 9, 1985, event. Davis-Besse personnel are modifying the SFAS to resolve this issue in such a manner that single failures associated with the common grounding of the power supplies are not in question. The staff's evaluation of the planned modifications is presented in Section 3.3.1.4.

Based on the staff evaluation of the licensee's analysis of the Davis-Besse SFAS and its constituent components, the staff concludes that no single failure within the SFAS can compromise the safety functions of the system.

5.2 Reactor Protection System

A design analysis of the Davis-Besse RPS was performed by the licensee to demonstrate that no single failure of equipment added as part of the anticipatory reactor trip system (ARTS), the changeover to Rosemount RC flow transmitters, or any other changes or additions to reactor trip system equipment directly interfacing with the NI/RPS can prevent the reactor protection system (RPS) from performing its safety function. The licensee's analysis used the scope and format of Babcock and Wilcox (B&W) Topical Report BAW-10003A, "Qualification Testing of Protection System Instrumentation," except where a change involved a significant deviation from the base-scope RPS configuration and interface with the reactor trip system. The analysis followed the methodology of B&W Topical Report BAW-10003A to show that the changes analyzed are effectively channelized and that no single failure will impair the performance of any RPS channel other than that channel in its own vital power division.

5.2.1 Analysis of Internal Changes

B&W Topical Report BAW-10003A analyzes the base-scope RPS for single failures within the reactor trip module and in the inter-subsystem interface. Single failures within the subsystems are shown to be confined to the affected subsystems if suitable isolation and redundancy are provided between subsystems.

Those changes that meet the criteria of internal changes transcend neither subsystem physical nor electrical boundaries (by definition). Although those changes are not covered explicitly by the single-failure analysis of BAW-10003A, they do fall within the limits of that analysis because of their confinement within single channel boundaries.

Based on the above, the licensee concluded that no single failure of hardware associated with the internal changes can prevent the RPS from performing its protective function and that no single failure of hardware associated with these internal changes can cause a spurious subsystem trip. Therefore, those changes categorized as internal changes are implicitly covered by the analysis in BAW-10003A and do not prevent the RPS from meeting the single-failure criterion.

5.2.2 Analysis of External Changes

(1) Anticipatory Reactor Trip System

The anticipatory reactor trip system (ARTS) is a four-channel system that performs a reactor trip on loss of both main feedwater pumps or on a turbine trip above a predetermined power level. The anticipatory trip on a turbine trip is inhibited when reactor power, as determined from RPS flux signals, is below a specified level. Each RPS subsystem sends a flux signal to the ARTS subsystem in its own vital power division. Each ARTS subsystem sends subsystem trip signals to, and receives trip signals from, each other ARTS subsystem. Each ARTS subsystem contains a trip combination logic which sends a trip command to the RPS subsystem in its own vital power division. The ARTS trip command (open contacts to trip) is connected in series with, and downstream of, the reactor trip module at the RPS cabinets.

The overall analysis of the interface between the ARTS and the RPS consists of separate analyses of the flux signal interface and the trip command interface.

(2) Flux Signal Interface

The RPS flux signal interface with ARTS was accomplished at the RPS end by wiring out an analog flux signal from a previously unused isolation/buffer amplifier within the flux summing amplifier module. The signal is terminated at terminal boards within the RPS subsystem cabinet and an interconnecting cable carries the signal to the associated ARTS subsystem cabinet.

The flux signal interface between ARTS and the RPS was analyzed by considering the fault conditions that can be presented to the RPS and the ARTS (shorts, grounds and opens per B&W Topical Report BAW-10003A) and analyzing their effects on the ability of the RPS to perform its safety function. Misperformance of the RPS subsystem was considered precluded if the connection between the RPS and ARTS subsystems is accomplished in a way that eliminates the possibility of fault voltages at the RPS flux output terminals that exceed the isolation capabilities of the buffer/isolation amplifier used to isolate the flux signal sent to the ARTS. Section 7.2.2.1 (4.7) of the Davis-Besse USAR states the isolation capabilities of a buffer/isolation amplifier identical to the one used to isolate the flux signal sent to the ARTS. Even in the event of a misperformance of a single RPS subsystem, redundancy will allow the RPS to perform its safety function.

The licensee concluded that no single failure of the flux signal interface can prevent the RPS from performing its safety function. Also, no single failure of the flux signal interface within the isolation capability of the RPS buffer/isolation amplifier (as given in the USAR) can cause a spurious subsystem trip.

(3) Trip Signal Interface

The RPS trip signal interface with ARTS consists entirely of RPS terminal points to connect the ARTS trip command (open relay contacts) in series with the RPS trip relay output contacts. No changes have been made to the RPS circuitry as a result of this change. The trip signal interface between ARTS and the RPS was analyzed by considering the fault conditions that can be presented to the RPS by the ARTS (shorts, grounds and opens per B&W Topical Report BAW-10003A) and analyzing their effects on the ability of the RPS to perform its safety function.

The analysis examined the postulated faults in the trip signal interface for all four possible combinations of RPS and ARTS subsystem trip states within the same vital power division. The results of the analysis show that no single failure within the ARTS to RPS trip signal interface can prevent the RPS from performing its safety function. Single failures within the trip signal interface can cause trip commands to be sent to the undervoltage coil of a single trip breaker but will not cause a reactor trip.

(4) Flow Transmitter Replacement

This change replaced Bailey type BY dp transmitters used to measure RC flow with Rosemount type 1153 dp transmitters. As with the ARTS trip signal interface, only the terminal wiring at the RPS has been changed. No other hardware or wiring modifications to the RPS cabinets are involved.

The Bailey transmitter provided a 0 to 10-volt dc signal to the RPS proportional to dP. The Rosemount dP transmitters provide a 4 to 20-milliamp output signal proportional to dP. The current signal is converted to a voltage signal using a Foxboro I/E converter. The converters, one for each flow dP signal, are located in the postaccident monitoring equipment racks. Each of these racks is associated with a separate vital power division and is physically and electrically separated from the postaccident monitoring equipment racks associated with the other three vital power divisions. The Rosemount transmitters are powered from four independent vital power sources; essential power busses Y1A, Y2A, Y3, and Y4.

The physical and electrical separation of the flow dP signals associated with each RPS subsystem is equal to the separation which existed before the change in transmitters. Because of this maintained separation, any single failure is confined within the bounds of the power division in which it occurs. Therefore, no single failure within the reactor coolant flow dP strings in the RPS can prevent the RPS from performing its safety function.

The analysis has shown that single failures of equipment involved in external changes cannot prevent the RPS from performing its safety function. Single failures of equipment involved in the flow transmitter replacement may cause a spurious trip signal to be sent to the reactor trip module in the affected channel providing one input to the 2/4 logics in each RPS subsystem. This is consistent with a similar failure analyzed in B&W Topical Report BAW-10003. The RPS system trip logic becomes effectively 1/3. Single failures of equipment involved in the ARTS trip signal interface can result in a spurious trip command being sent to one (of four) trip breakers, but because the interface is downstream of the reactor trip module, only one subsystem is involved and the RPS system trip logic remains 2/4.
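The voting-logic argument in the paragraph above can be checked by exhaustive enumeration. The following Python sketch is an added example, not part of the NRC report or the licensee's analysis; the channel labels A-D, the fault names "spurious" and "blind", and the simplified model (each subsystem votes 2/4 on the four channel trip signals, with the ARTS contacts in series downstream of the trip module) are assumptions drawn from the description in this section.

```python
"""Single-failure enumeration for the RPS/ARTS trip logic described above.

Simplified model (assumptions, not the plant's actual circuitry):
  - four channels, one per vital power division, labelled A-D here;
  - each RPS subsystem votes 2-out-of-4 on the four channel trip signals;
  - the ARTS contacts sit in series downstream of the trip module, so an
    open ARTS contact commands only its own subsystem's trip breaker.
"""
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")  # assumed labels
VOTES_REQUIRED = 2               # the 2/4 coincidence logic named in the text


def channel_trip(demand, fault=None):
    """Trip-module output of one channel.

    fault "spurious" = fails in the tripped state (e.g. a failed flow dP
    string); fault "blind" = fails untripped and ignores a real demand.
    """
    if fault == "spurious":
        return True
    if fault == "blind":
        return False
    return demand


def breaker_commands(demand, channel_faults=None, arts_open=()):
    """Map each subsystem to True if its trip breaker is commanded open.

    demand: dict channel -> bool, True when that channel's measured
    variable is beyond its setpoint. arts_open: subsystems whose ARTS
    contact has opened (a real or spurious ARTS trip command).
    """
    channel_faults = channel_faults or {}
    trips = [channel_trip(demand[ch], channel_faults.get(ch)) for ch in CHANNELS]
    coincidence = sum(trips) >= VOTES_REQUIRED  # same inputs reach every subsystem
    return {sub: coincidence or sub in arts_open for sub in CHANNELS}


def effective_logic(channel_faults=None):
    """Return (k, n): any k of the n healthy channels seeing a real demand
    is enough for every subsystem to command a trip."""
    channel_faults = channel_faults or {}
    healthy = [ch for ch in CHANNELS if ch not in channel_faults]
    for k in range(len(healthy) + 1):
        if all(
            all(breaker_commands({ch: ch in subset for ch in CHANNELS},
                                 channel_faults).values())
            for subset in combinations(healthy, k)
        ):
            return (k, len(healthy))
    return None


def single_failures_defeating_trip():
    """Apply every single channel fault during a real demand on all four
    channels; list the faults that leave any breaker uncommanded."""
    demand = {ch: True for ch in CHANNELS}
    defeated = []
    for ch in CHANNELS:
        for fault in ("blind", "spurious"):
            if not all(breaker_commands(demand, {ch: fault}).values()):
                defeated.append((ch, fault))
    return defeated


def breakers_opened_by_spurious_arts(subsystem):
    """With no process demand, which breakers does one spuriously open
    ARTS contact command?"""
    no_demand = {ch: False for ch in CHANNELS}
    cmds = breaker_commands(no_demand, arts_open={subsystem})
    return [sub for sub, opened in cmds.items() if opened]


if __name__ == "__main__":
    print("healthy system:          ", effective_logic())
    print("one spurious channel:    ", effective_logic({"A": "spurious"}))
    print("one blind channel:       ", effective_logic({"C": "blind"}))
    print("faults defeating a trip: ", single_failures_defeating_trip())
    print("spurious ARTS contact B: ", breakers_opened_by_spurious_arts("B"))
```

The run shows the two cases the text distinguishes: a channel failed in the tripped state leaves the logic at 1/3, while a spurious ARTS command reaches a single breaker and leaves the coincidence logic at 2/4.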

The staff concludes that the results of the licensee's analyses of the single-failure vulnerability of the RPS are valid.

6 CONCLUSION

Based on the staff's detailed evaluation of the licensee's actions taken to improve the overall performance of the Davis-Besse Nuclear Power Station with respect to safe operation and to resolve the staff's concerns related to the event of June 9, 1985, the staff concludes that the Davis-Besse Nuclear Power Station may resume operation. This conclusion is contingent upon the licensee's implementation of those actions which the licensee committed to complete prior to restart and which are part of the basis for the staff's evaluation. These actions have been identified in this SER where applicable.

The staff believes that the actions taken or to be completed by the licensee, and the testing of systems to be done before startup and during power escalation, provide reasonable assurance that the plant has been improved beyond or restored to its original licensing basis and, therefore, the health and safety of the public will not be endangered by the resumption of power generation.

The system testing will be monitored by the staff and evaluation of the testing results will be reported separately.

APPENDIX A

LETTER DATED AUGUST 14, 1985, FROM H. DENTON (NRC) TO LICENSEE REQUESTING INFORMATION

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

Docket No. 50-346

Toledo Edison Company
ATTN: Mr. Joe Williams, Jr.
Senior Vice President, Nuclear
Edison Plaza
300 Madison Avenue
Toledo, Ohio 43652

Dear Mr. Williams:

On June 9, 1985, Toledo Edison Company's Davis-Besse Nuclear Power Plant was operating at 90% power when it experienced an event that involved the loss of all feedwater. After the complete loss of main feedwater, an operator error, malfunctions of two containment isolation valves in the safety-related auxiliary feedwater system, and overspeed trips of both steam turbine-driven auxiliary feedwater pumps resulted in the loss of all sources of feedwater to the steam generators. Recovery from this event involved operator actions outside the control room, the addition of feedwater from the (non-safety related) startup feedwater pump, and restoration of feedwater from the two steam turbine-driven auxiliary feedwater pumps.

The NRC subsequently investigated the circumstances of this event and documented its conclusions in NUREG-1154 (Loss of Main and Auxiliary Feedwater Event at the Davis Besse Plant on June 9, 1985). An advanced copy of that report was sent to you on July 26, 1985. The investigation concluded that the underlying causes of this event were: (1) the lack of attention to detail in the care of plant equipment; (2) a history of performing troubleshooting, maintenance and testing of equipment, and of evaluating operating experience relating to equipment in a superficial manner and, as a result, the root causes of problems were not always found and corrected; (3) the engineering design and analysis effort to address equipment and problems was frequently either not utilized or was not effective; (4) that equ

These underlying causes are indicative of significant programmatic and management deficiencies. Accordingly, we have identified the following general areas of concern which must be addressed in your response to this event:

1. Completion of the investigation of the June 9, 1985 event, including analysis of the equipment failures, determination of the root causes, determination of the implications for other equipment, and completion of corrective actions.
2. The plant-specific findings regarding this event.
3. The programmatic and management issues that have contributed to this event and more generally to the recent performance of Davis-Besse.

Additional information on these general areas of concern is identified in the enclosure to this letter.

Pursuant to 10 CFR 50.54(f), you are requested to furnish, under oath or affirmation, no later than 30 days from the date of this letter, your plans and programs to resolve the concerns identified above and in the enclosure.

The plans and programs should specify those actions to be completed prior to restart of Davis-Besse and include a schedule for any longer term actions.

We are prepared to meet with you in our office in Bethesda, Maryland to discuss your plans and program prior to the submittal of your written response and as soon as your program is sufficiently well-defined to make such a meeting useful.

Over the past few years we have identified deficiencies through enforcement actions, Performance Appraisal Team (PAT) inspections, and Systematic Appraisal of Licensee Performance (SALP) evaluations, as well as through more routine inspection and licensing contacts. In late 1983 Toledo Edison initiated a Performance Enhancement Program (PEP) to improve regulatory performance at Davis-Besse. Modifications to this program were made in response to the most recent Systematic Assessment of Licensee Performance (SALP) and, more recently, Toledo Edison made management changes to strengthen performance. Prior to the availability of NUREG-1154, you outlined in a July 18, 1985 letter, an initial program to identify and implement those measures necessary to return Davis-Besse to safe operation. While these programs for responding to the June 9, 1985 event and for improving your performance may have considered some of the concerns in NUREG-1154, they should be reexamined in accordance with the above request.

As you are aware, on June 10, 1985, the NRC Region III Office issued a Confirmatory Action Letter documenting actions you have taken or will take regarding this event. This letter supersedes that letter, as lead responsibility for NRC staff actions relating to facility restart has been assigned by the Executive Director of Operations to NRR. Consistent with your discussion with Region III on June 10, 1985, it remains our understanding that you will not restart the Davis-Besse facility without NRC approval.

Sincerely,

Harold R. Denton, Director
Office of Nuclear Reactor Regulation

Enclosure:
Areas of Concern Relating to the June 9, 1985 Loss of Feedwater Event

cc w/enclosure:
See next page

ENCLOSURE

AREAS OF CONCERN RELATING TO THE JUNE 9, 1985 LOSS OF FEEDWATER EVENT

I. Completion of the Event Investigation

A. Completion of the investigation of the equipment malfunctions and operator errors that occurred during the June 9, 1985 event.

B. Determination of the root causes of the malfunctions and errors that occurred during the event and the implications to the rest of the plant.

C. Corrective actions needed to assure the reliability of the systems which can mitigate loss of feedwater events.

II. Concerns Directly Related to the June 9, 1985 Event

A. Concerns identified in NUREG-1154:

1. The adequacy of the analyses for loss of feedwater events, including time margins and consequences of alternative sequences.
2. The adequacy of the design and operation of the SFRCS, including spurious actuations, seal-in features for SFRCS-actuated equipment, and single failures.
3. The potential adverse effect of plant physical security and administrative features (locked doors, locked equipment, etc.) on the operator's ability to gain timely access to equipment to mitigate accidents.
4. The availability of and role for the Shift Technical Advisor assistance during complex operating events.
5. The reliability of the Auxiliary Feedwater (AFW) containment isolation valves and other safety-related valves.
6. The adequacy of Toledo Edison Company's procedures and training for reporting events to the NRC Operations Center.
7. The reliability of the AFW system and turbine-driven pumps, including the need for a diverse pump.
8. The reliability of the PORV.
9. The adequacy of control room instrumentation and controls.
10. The acceptability of the provisions which resulted in the inability to place the startup feedwater pump in service from the control room.
11. The resolution of those equipment deficiencies listed on Table 5.1 of NUREG-1154 and not addressed by other items, above.
12. The adequacy of plant operating procedures including verification that plant procedures involving "drastic" action are sufficiently precise and clear to ensure timely implementation.
13. The adequacy of safety system testing including verification that safety systems are tested in all configurations required by design basis analysis.

B. Additional NRC concerns:

1. Adequacy of procedures, equipment and training for quickly and efficiently starting or restarting equipment for loss of feedwater mitigation.
2. Adequacy of programs to minimize the likelihood of inadvertent isolation of AFW to both steam generators (including training of the plant operators and human factors aspects of the SFRCS control room equipment).
3. The plans and program for the installation of the new startup feedwater pump in accordance with the license condition of January 8, 1985.
4. Adequacy of other engineered safety features, including design considerations, in light of the single failure vulnerabilities identified in the SFRCS and auxiliary feedwater system.

III. Management and Programmatic Concerns

A. Adequacy of management practices including control of maintenance programs, use of operational experience, degree of engineering involvement, testing, root cause determination of equipment misoperation, licensed and non-licensed operator training, and post trip reviews.

B. Adequacy of the maintenance program, including maintenance backlog, maintenance procedures and training, vendor interface and correction of identified deficiencies.

C. Adequacy of the implementation of the Performance Enhancement Program (PEP) and any other ongoing corrective action programs.

D. Adequacy of the resources committed to the Davis-Besse facility for investigation of the event, resolution of the findings and conclusions prior to restart, and implementation of longer term measures to improve overall performance.

APPENDIX B

MEMORANDUM DATED AUGUST 5, 1985, FROM W. DIRCKS TO STAFF: ACTIONS RESULTING FROM THE INVESTIGATION OF THE JUNE 9 [1985] DAVIS-BESSE EVENT (NUREG-1154)

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

AUG 05 1985

MEMORANDUM FOR: Harold R. Denton, Director, NRR
James M. Taylor, Director, IE
Robert B. Minogue, Director, RES
C. J. Heltemes, Jr., Director, AEOD
James G. Keppler, Regional Administrator, RIII

FROM: William J. Dircks
Executive Director for Operations

SUBJECT: STAFF ACTIONS RESULTING FROM THE INVESTIGATION OF THE JUNE 9 DAVIS-BESSE EVENT (NUREG-1154)

An advance copy of the subject report was transmitted to you by memorandum dated July 22, 1985 from the Davis-Besse Team Leader, C. E. Rossi. The report documents the Team's efforts in identifying the circumstances and causes of the June 9, 1985 event, together with findings and conclusions which form the basis for identifying follow-on actions.

You will note from the report that the licensee has not completed troubleshooting and the determination of root causes for all equipment failures or malfunctions. Consequently, the results of future troubleshooting or analysis activities may form the basis for additional follow-on actions. The identification of these additional actions is a responsibility of the normal program office. The responsibility for the followup and reporting on the licensee's continued troubleshooting and determination of root cause for equipment failures is Region III.

The purpose of this memorandum is to identify and assign responsibility for generic and plant-specific actions resulting from the investigation of the Davis-Besse event (documented in NUREG-1154). In this regard, you are requested to review the enclosure which specifies staff actions resulting from the investigation of the June 9 Davis-Besse event. You are requested to determine the actions necessary to resolve each of the items in your area of responsibility and, where appropriate, identify additional staff actions or revisions as our review and understanding of this event are refined.

Plant-specific actions required for plant restart should receive priority attention.

Although the NRC Team that investigated the Davis-Besse event did not identify major NRC deficiencies, nonetheless this event provides an opportunity to learn from experience and to feed back the pertinent lessons into our activities. Consequently, all responsible program managers should conduct an in-depth and searching reappraisal of the effectiveness of their programs and the lessons of the Davis-Besse event. In sum, how can we make our programs more effective and the NRC a better regulatory agency? For example, what actions are needed when a utility continues to receive low SALP ratings; what impediments or procedures are delaying decisions regarding needed plant upgrades; how can effective corrective action be achieved when plants have a history of maintenance deficiencies; and what should be done when voluntary licensee improvement programs prove less than satisfactory? We need to reflect on these and similar questions and identify further, perhaps more focused actions to gain needed improvements.

In view of the importance of this subject, I intend to have periodic progress review meetings. The first meeting will be in September, and at that time you should be prepared to: (1) discuss the schedule and status of each item within your responsibility listed in the enclosure or that you have identified; and (2) provide a written summary of those actions you have identified for achieving improvements in your program areas. Further, I request that you prepare a written status report on the disposition of your items (and anticipated actions for uncompleted items) within six months. Every effort should be made to dispose of these items promptly.

The enclosure is based directly on the NRC Team's report. Accordingly, it does not include all licensee actions, nor does it cover NRC staff activities associated with normal event followup such as authorization for restart, plant inspections, or possible enforcement items. These items are expected to be defined and implemented in a routine manner. Overall lead responsibility for staff actions relating to facility restart is separate from this effort and rests with NRR. Additionally, NRR is responsible for coordinating and promptly communicating the staff's requirements which must be resolved before operations at Davis-Besse may be resumed. Other offices involved in plant-specific actions are to coordinate their efforts with NRR.

Separately from this action, I will be discussing with you further how we may improve the IIT procedures based upon the experience with the Davis-Besse Team.

William Dircks
Executive Director for Operations

Enclosure: As Stated

cc w/ enclosure:
J. Davis, NMSS
T. Murley, RI
J. N. Grace, RII
R. Martin, RIV
J. Martin, RV

STAFF ACTIONS RESULTING FROM THE INVESTIGATION OF THE JUNE 9 DAVIS-BESSE EVENT

(Reference: NUREG-1154)

1. Item: Adequacy of the licensee's management and maintenance practices. (Reference: Conclusion Section 8)

(a) Action: Evaluate and take action on the licensee's response to findings relating to corrective actions and preventive maintenance problems (including testing, root cause determination of equipment misoperation and operating experience).
Responsible Office: NRR
Category: Plant-specific

(b) Action: Evaluate and take action on the licensee's response to findings concerning management practices (e.g., control of maintenance programs and post-trip reviews).
Responsible Office: Region III
Category: Plant-specific

2. Item: Completion of analyses for loss of feedwater events. (Reference: Section 7)

Action: Evaluate the time margins and consequences of alternative sequences for a loss of feedwater event at Davis-Besse.
Responsible Office: NRR
Category: Plant-specific

3. Item: Adequacy of the Steam Feedwater Rupture Control System (SFRCS). (References: Section 5.2.2 and Finding 6)

Action: Review the design basis for SFRCS and the susceptibility of the SFRCS to: a) spurious actuations involving such items as MSIV closure; and b) single failures.
Responsible Office: NRR
Category: Plant-specific

4. Item: Interaction of plant security features and operator actions. (References: Section 3.6 and Finding 9)

Action: Evaluate the effect of security features (locked doors, locked equipment, etc.) on the operator's ability to gain prompt access to equipment required to perform safety actions outside the control room in accordance with emergency procedures.
Responsible Office: NRR
Category: Plant-specific; Generic

5. Item: Availability of the Shift Technical Advisor (STA). (References: Section 6.1.3 and Finding 14)

Action: Evaluate the time available and role for STA assistance during complex operating events.
Responsible Office: NRR
Category: Plant-specific; Generic

6. Item: Reliability of the AFW containment isolation valves and other safety-related valves. (References: Section 5.2.5 and Findings 4, 5, 6, and 15)

(a) Action: Monitor the licensee's troubleshooting activities.
Responsible Office: Region III
Category: Plant-specific

(b) Action: Evaluate the licensee's engineering report on root cause analysis and proposed corrective actions.
Responsible Office: NRR
Category: Plant-specific

(c) Action: Determine if the safety function of the AFW containment isolation valves has been properly specified, i.e., are the valves required to open as well as close for design basis events.
Responsible Office: NRR
Category: Plant-specific

(d) Action: Verify that these valves constitute a single failure point for the AFW system for certain design basis events.
Responsible Office: NRR
Category: Plant-specific

(e) Action: Determine that the procedures for adjustments of the AFW isolation valves such as torque switch bypass switches are clear and proper, and that the associated training programs are adequate. Confirm that adjustment settings are consistent with plant procedures.
Responsible Office: Region III
Category: Plant-specific

(f) Action: Determine if the engineering basis for the specification of the adjustments for safety-related valves such as the torque switch and torque switch bypass switch settings are adequate for all design basis events.
Responsible Office: NRR
Category: Plant-specific

(g) Action: Evaluate the test program for the AFW containment isolation valves to confirm operability for all design basis events.
Responsible Office: NRR
Category: Plant-specific

(h) Action: Evaluate whether other safety-related valves in Davis-Besse may be subject to the same type/cause of failure.
Responsible Office: NRR
Category: Plant-specific

(i) Action: Conduct a review of failures of safety-related motor-operated valves and provide an assessment of pertinent failure modes affecting valve performance under design basis conditions.
Responsible Office: AEOD
Category: Generic

(j) Action: Determine if further generic correspondence, such as an NRC Bulletin, is warranted on this type/cause of failure of safety-related valves.
Responsible Office: IE
Category: Generic

7. Item: Adequacy of emergency notifications. (References: Section 6.1.4 and Finding 12)

(a) Action: Verify the adequacy of the licensee's procedures and training for reporting of events to the NRC Operations Center.
Responsible Office: Region III
Category: Plant-specific

(b) Action: Review the adequacy of NRC guidance for determination of severity levels when plant conditions vary and may be stable when the licensee has an opportunity to report.
Responsible Office: IE
Category: Generic

(c) Action: Review the adequacy of shift staffing for assuring that knowledgeable individuals will be available for properly implementing the emergency plan during complex and long operational events.
Responsible Office: IE
Category: Generic

8. Item: Reliability of the AFW pump turbines. (References: Sections 5.2.4 and 6.2.4 and Findings 4, 8, and 15)

(a) Action: Monitor the licensee's troubleshooting activities including possible hot plant operation to confirm failure mode.
Responsible Office: Region III
Category: Plant-specific

(b) Action: Evaluate the licensee's engineering report on root cause analysis and proposed corrective actions.
Responsible Office: NRR
Category: Plant-specific

(c) Action: Evaluate the licensee's response and corrective actions relating to the unreliability of the auxiliary feedwater system (including the need for a third pump and turbine trip reset capability).
Responsible Office: NRR
Category: Plant-specific

(d) Action: Verify that the AFW system has been adequately tested to confirm system configuration involved with design basis events.
Responsible Office: Region III
Category: Plant-specific

(e) Action: Review the implementation of the operator training program to assure proper operator actions, such as resetting of trip throttle valve.
Responsible Office: Region III
Category: Plant-specific

(f) Action: Conduct a review of past operating experience and determine the causes for overspeed turbine trips.
Responsible Office: AEOD
Category: Generic

(g) Action: Determine the need for further generic correspondence on this failure mode/cause.
Responsible Office: IE
Category: Generic

9. Item: Reliability of the PORV. (References: Sections 5.2.8 and 6.2.1 and Findings 10 and 13)

(a) Action: Monitor the licensee's troubleshooting activities.
Responsible Office: Region III
Category: Plant-specific

(b) Action: Evaluate the licensee's engineering report on root cause analysis and proposed corrective actions.
Responsible Office: NRR
Category: Plant-specific

(c) Action: Determine the need for a test program to establish reliability.
Responsible Office: NRR
Category: Generic

(d) Action: Determine if surveillance tests are necessary to confirm operational readiness.
Responsible Office: NRR
Category: Generic

(e) Action: Determine if additional protection against PORV failure is necessary, i.e., automatic block valve closure.
Responsible Office: NRR
Category: Generic

10. Item: Adequacy of control room instrumentation and controls. (References: Sections 6.1.1, 6.1.2, and 6.2.2 and Findings 10, 11, 17 and 18)

(a) Action: Evaluate the adequacy of the SFRCS actuation controls and associated training program.
Responsible Office: NRR
Category: Plant-specific

(b) Action: Evaluate the adequacy of the installed control room instrumentation to allow operators to make the necessary and prompt determination for procedure conformance and PORV position.
Responsible Office: NRR
Category: Plant-specific

(c) Action: Determine if NRC requirements should be revised regarding: (1) SPDS availability; and (2) the need for plant-specific simulator.
Responsible Office: NRR
Category: Plant-specific; Generic

11. Item: Need for isolation of the startup feedwater pump. (References: Section 5.1.3 and Finding 7)

Action: Reassess acceptability of the provisions which resulted in the inability to place the startup feedwater pump in service from the control room.
Responsible Office: NRR
Category: Plant-specific

12. Item: Resolution of equipment deficiencies. (References: Section 5 and Table 5.1)

(a) Action: Monitor the licensee's troubleshooting activities.
Responsible Office: Region III
Category: Plant-specific

(b) Action: Evaluate the licensee's engineering report on the root cause analysis and corrective action for the equipment listed on Table 5.1 and not addressed by other items in this action plan.
Responsible Office: NRR
Category: Plant-specific

(c) Action: Determine the need for generic correspondence on equipment problems.
Responsible Office: IE
Category: Generic

13. Item: Adequacy of plant procedures. (References: Sections 6.1.1 and 6.1.2 and Findings 10 and 17)

Action: Verify that plant procedures involving "drastic" actions are required to be sufficiently precise and clear to ensure prompt implementation.
Responsible Office: NRR
Category: Generic

14. Item: Adequacy of safety system testing. (Reference: Finding 15)

Action: Evaluate the NRC requirements and guidance to assure that safety systems are tested in all configurations required by the design basis analysis.
Responsible Office: NRR
Category: Generic

15. Item: Acceptability of current safety assessment methods. (References: Findings 1 and 2)

Action: Assess the implications of multiple independent and common mode failures as they relate to departures from design assumptions and specifications used in probabilistic safety analyses.
Responsible Office: RES
Category: Generic

APPENDIX C

SUPPLEMENT TO THE TECHNICAL EVALUATION REPORT OF THE DETAILED CONTROL ROOM DESIGN REVIEW FOR THE DAVIS-BESSE NUCLEAR POWER STATION

December 6, 1985

Prepared by:
Science Applications International Corporation
1710 Goodridge Drive
McLean, Virginia 22102

Under Contract to
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

TABLE OF CONTENTS

1. Qualifications and Structure of the DCRDR Team
2. Function and Task Analysis
3. Comparison of Display and Control Requirements With a Control Room Inventory
4. Control Room Survey
5. Assessment of HEDs
6. Selection of Design Improvements
7. Verification That Improvements Will Provide the Necessary Corrections Without Introducing New HEDs
8. Coordination of the DCRDR With Other Improvement Programs

SUMMARY AND CONCLUSIONS
REFERENCES

SUPPLEMENT TO THE TECHNICAL EVALUATION REPORT OF THE DETAILED CONTROL ROOM DESIGN REVIEW FOR THE DAVIS-BESSE NUCLEAR POWER STATION

This report documents the findings from a review of Toledo Edison (TED) Company's Appendix C.5.1 to Revision 4 of the Davis-Besse Course of Action (COA). Appendix C.5.1 documents TED's COA related to deficiencies in its Detailed Control Room Design Review (DCRDR) being conducted at its Davis-Besse Nuclear Power Station (Reference 1). Based upon the findings of a pre-implementation audit conducted the week of April 29, 1985, the NRC staff concluded that it was unable to close out any of the nine requirements associated with conducting a DCRDR in accordance with Supplement 1 to NUREG-0737 and that an NRC/TED management meeting be held in Bethesda to discuss the status of the Davis-Besse DCRDR (Reference 2). The NRC met with TED on October 9, 1985, to discuss the DCRDR; the minutes of this meeting were documented and transmitted to TED (Reference 3). TED submitted its COA attached to a letter dated November 16, 1985. The findings from a review of Appendix C.5.1 of the COA are described below as they pertain to each of the DCRDR requirements of Supplement 1 to NUREG-0737. These findings reflect the conclusions of the NRC and SAIC.

1. Qualifications and Structure of the DCRDR Team

The NRC audit team found during the pre-implementation audit that TED's plans for performing the activities remaining to be completed did not include an adequate level of involvement of human factors specialists. The remaining DCRDR activities were the development and conduct of the special studies, and the development and verification of HED corrections. In the meeting, TED and its human factors consultant, Essex Corporation, stated that human factors specialists for these and other activities will be involved as follows:

• A dedicated project leader from Essex Corporation has been established.

• A human factors specialist will be dedicated to each special study.

• Human factors specialists will be involved in the development and verification of HED corrections.

• Human factors specialists will be involved in the upgrading of the System Function and Task Analysis, the survey of components added to the control room since the survey was last performed, the reassessment of HEDs, the production of control room design standards and conventions, and the upgrading of DCRDR data collection and HED forms.

Throughout the COA, TED reaffirmed its commitment to this level of involvement of human factors specialists in the DCRDR. In addition, TED has committed to the involvement of human factors specialists in its current Systems Review and Test Program and in the Facility Change Request (FCR) process during and after completion of the DCRDR. TED's commitment to the human factors participation in the DCRDR satisfies the concerns of the NRC and will meet this requirement of Supplement 1 to NUREG-0737. Also, TED's commitment to human factors involvement after the DCRDR is completed is commendable.

2. Function and Task Analysis

During the pre-implementation audit, the NRC audit team found TED's System Function and Task Analysis (SFTA) to be incomplete. The NRC audit team concluded that the following activities should be performed in order to meet the Function and Task Analysis requirement:

1. Analyze operator tasks, information and control requirements, and required characteristics of instruments and controls necessary to monitor and assess the various challenges and failure modes of the Radioactivity Release critical safety function.
2. Comprehensively analyze information and control requirements and required characteristics of instruments and controls for Steam Generator Tube Rupture.
3. In addition to items 1 and 2, analyze required characteristics of instruments and controls for all emergency operator tasks.

In the meeting, TED stated that it will upgrade the SFTA. In the COA, TED reaffirmed its commitment. The SFTA upgrade activities will include the following:

1. An analysis of operator tasks, information and control requirements, and required characteristics of instruments and controls necessary to monitor and assess the various challenges and failure modes of the Radioactivity Release critical safety function.
2. A reanalysis of operator actions for steam generator tube rupture to ensure comprehensive identification of information and control requirements.
3. An analysis of required characteristics of instruments and controls for all emergency operator tasks.

In summary, TED's SFTA upgrade will satisfy the NRC's previous concerns. However, the SFTA performed to satisfy DCRDR requirements should be an extension of the NRC-approved SFTA performed to develop the upgraded plant-specific EOPs. The NRC will conclude on the adequacy of the SFTA performed to satisfy DCRDR requirements after TED receives NRC approval of the SFTA performed to develop the plant-specific EOPs.

3. Comparison of Display and Control Requirements With a Control Room Inventory

The NRC audit team concluded that due to the incompleteness of the SFTA, the comparison or verification of the information and control requirements and required characteristics of instruments and controls with the control room mock-up could not be considered incomplete. The NRC audit team concluded that in order to close out this element of the DCRDR requirements, TED must perform a verification of equipment availability and human engineering suitability for the requirements that are developed from the activities necessary to upgrade the SFTA to completion. In the meeting and in its proposed SFTA upgrade approach, TED indicated that this will be done. TED reaffirmed this commitment in the COA. TED's intended verification approach will satisfy the NRC's previous concerns. However, the adequacy of this verification process will be dependent on the adequacy of the SFTA relative to upgraded plant-specific EOPs.

4. Control Room Survey

The NRC audit team found that the control room survey conducted up to the time of the pre-implementation audit was satisfactory. However, the following aspects of the control room were not evaluated:

• The new components added to the control room since the survey was performed.

• The annunciator system flash patterns.

TED stated in the meeting that the new or added components in the control room will undergo a human factors evaluation. In addition, the annunciator system flash patterns have undergone a review by Essex and will be handled as an HED in the annunciator study. TED reaffirmed this commitment in its COA. These activities will satisfy the NRC's concerns regarding the control room survey, and the requirements of Supplement 1 to NUREG-0737 for a control room survey will have been met. TED should provide to the NRC documentation of the assessment and resolution of any HEDs identified from the review of new components added to the control room and the HED associated with annunciator system flash patterns.

5. Assessment of HEDs

The NRC audit team concluded during the pre-implementation audit that TED's assessment of HEDs was not acceptable due to deficiencies in the following areas:

• The consideration of cumulative and interactive effects of individual HEDs.

• The reprioritization of 29 safety-related HEDs.

The NRC audit team found that there was no systematic review of individual HEDs to determine the presence of cumulative and interactive effects upon the assessment of HEDs. In the meeting, the NRC learned that through the use of the HED database possessed by Essex, TED will consider the cumulative and interactive effects of individual HEDs upon the HED assessments. A review of the capabilities of the computerized HED database found that the approach proposed should be effective in identifying cumulative and interactive effects. The proposed approach is to use various HED database fields (e.g., problem type or NUREG-0700 guideline discrepancy, component title or type) to enable the identification of component or problem interactions. TED stated that in instances where interrelated HEDs with varying categorizations are found, lower categorized HEDs will be upgraded.

TED's intent in the reprioritization of the 29 safety-significant HEDs associated with the special studies was to establish scheduling priorities in the completion of the ten special studies. A result of this reprioritization was the downgrading of the safety significance of all 29 HEDs as it relates to the implementation of HED corrections. The reprioritization assigned later implementation dates to the corrections of these 29 safety-significant HEDs. In addition to this delay in the implementation schedule of corrections to safety-significant HEDs, the NRC audit team found the reprioritization to be unsatisfactory due to the absence of human factors input. Overall, the NRC found the reprioritization of the 29 safety-significant HEDs to be unacceptable since (1) the safety significance of each of these 29 HEDs was downgraded from its original assessment; (2) the reprioritization did not include human factors input whereas the original assessment did; (3) the justification for reprioritizing these 29 safety-significant HEDs was not satisfactory.

In the meeting, TED stated that it and Essex will reassess the 29 safety-significant HEDs. TED stated that while some of the HED corrections will be performed prior to the rest, all corrections to the 29 HEDs will get priority attention. In the COA, TED stated that these 29 safety-significant HEDs have been reviewed with human factors personnel involvement in conjunction with the work of the Systems Review Group. TED states, "The outcome is that action will be taken on a minimum of 12 of the 29 safety-significant HEDs during the current outage" (Appendix C.5.1, p.13). This statement indicates that the assessment of some of the 29 safety-significant HEDs relative to the correction implementation schedule has been revised from that given in the January 31, 1985, submittal (Reference 4). However, it is not clear which of the 29 safety-significant HEDs are affected. Although it can be assumed that those HEDs associated with the SFRCS and the June 9, 1985, event are among those revised, TED should identify by HED number which HEDs are to be corrected in the current outage.

In summary, TED's plans for the reassessment of HEDs for cumulative and interactive effects and its review of the assessment of the 29 safety-significant HEDs relative to the implementation of HED corrections appear to be acceptable. In order to close out this requirement, TED needs to identify by HED number which HEDs are to be corrected in the current outage.

6. Selection of Design Improvements

Based on the findings of the pre-implementation audit, the NRC audit team concluded that the following activities were necessary in order for TED to meet this DCRDR requirement:

• Carry out and document a systematic process of selecting design improvements.

• Ensure cumulative and interactive effects of individual HEDs that will be corrected, not corrected, or partially corrected upon the whole integrated control room improvement package are considered.

• Improve HED documentation for completeness, clarity, accuracy, and auditability.

• Develop solutions to HEDs and implementation schedules that are acceptable to the NRC.

At the time of the pre-implementation audit, TED had made little progress toward the identification and resolution of HED corrections since the submittal ten months prior to the Summary Report. No systematic, rigorous process for identifying and selecting among alternative corrections to HEDs had been developed or employed. TED had developed corrective actions or justifications for not taking corrective actions for only 50% of the HEDs listed in the Summary Report. In the meeting, TED had discussed but not documented its process for selecting HED corrections. In the COA, TED states that it plans to develop and select design improvements in the special studies. TED provided the work plan for the SFRCS panel special study as a sample of the process for developing and selecting design improvements. Although the SFRCS panel work plan appears to be satisfactory in and of itself, the various special studies TED will be performing are sufficiently unique so that a conclusion on the adequacy of the sample work plan cannot be generalized to the others. In order to progress towards the resolution of the NRC's concern regarding the process for selecting design improvements, TED should provide work plans for the other special studies.

The NRC audit team found no integrated approach to the development of HED corrections. The approach taken by TED appeared to promote a piecemeal method of selecting and implementing HED corrections without adequate consideration of cumulative and interactive effects of HEDs. In the meeting, and in the COA, TED responded to this concern by stating that the HED database will enable cumulative and interactive effects of HEDs to be considered. The HEDs considered will include all HEDs, not just those associated with the special studies. As mentioned in the Assessment of HEDs section of this report, the HED database appears to be suitable for performing this function.

TED stated in the meeting and in the COA that it upgraded and completed the HED documentation found during the pre-implementation audit to be incomplete, ambiguous, and inaccurate. TED stated that all components involved with each HED have been recorded for traceability through the HED correction process. To close out this particular NRC concern, TED should provide several HED samples which demonstrate the upgrading of HED documentation (e.g., examples of "before and after").

A review of the Summary Report found many instances where the responses to HEDs were not finalized, and were ambiguous, uninformative, or otherwise unacceptable to the NRC. The NRC audit team stated in the pre-implementation audit report that in order to meet the requirements of Supplement 1 to NUREG-0737, TED should develop solutions to HEDs and implementation schedules that are approved by the NRC. TED stated in the meeting that it intends to do so. TED reiterated this intention in the COA by stating that through the use of such aids as the on-line HED database, the design improvements selected will be agreeable to the NRC.

In response to the NRC's concerns regarding the schedule for implementation of HED corrections, TED stated the following in the COA (Appendix C.5.1, p.8):

"Toledo Edison has revised the schedule. Under the new schedule, all 29 HEDs identified as safety significant in the Summary Report and further classified as either of high or medium safety significance in the January 1985 supplementary letter will be corrected during the current outage or the first following refueling outage (referred to as the 5th Refueling Outage) currently expected in 1986/87. All other HED corrections, including those categorized as low or non-safety significant, will be made during the second planned (sixth) refueling outage (currently expected in 1988) or will be defined in Facility Change Request (FCR) packages for implementation according to the Integrated Living Schedule."

The portion of the statement in which TED says, "... or will be defined in Facility Change Request (FCR) packages for implementation according to the Integrated Living Schedule," raises a concern for the timeliness in which corrections are to be made to HEDs categorized as low safety significance in the January 1985 supplementary letter or as nonsafety significant. In the schedule for implementing HED corrections, the NRC requires that the corrections of safety-significant HEDs associated with the Steam Feedwater Rupture Control System (SFRCS), Feedwater (FW) System, and Post Accident Monitoring (PAM) System be implemented prior to restart. All other safety-significant HED corrections, including those for HEDs categorized as low in the January 1985 supplementary letter, should be implemented by the end of the fifth refueling outage. All other HED corrections should be implemented by the end of the sixth refueling outage. The following statement in the COA indicates TED's intentions to comply with this implementation schedule but cites the probability that HED corrections will be implemented after the sixth refueling outage (see Appendix C.5.1, p.29):

"It is expected that all DCRDR programs will be closed out by the end of the second planned (6th) refueling outage following restart (tentatively scheduled in 1988). At that time, all HEDs will have been resolved, and those designated for backfit or design change will have had the appropriate FCRs developed. It is anticipated that some of these FCRs may not be implemented during the sixth refueling outage. The decisions concerning those HEDs to be delayed beyond the sixth refueling outage will be documented. This documentation will be available for staff review. Other HEDs which have been designated as not requiring design modification will also have appropriate justification for that designation."

TED indicates in this statement that documentation of decisions concerning those HEDs delayed beyond the sixth refueling outage will be available for NRC review. In order to progress towards the resolution of the NRC's concern regarding the schedule for implementation of HED corrections, TED should provide after completion of the special studies an implementation schedule for each HED correction including the rationale for schedule delays beyond the sixth refueling outage.

In summary, the concerns of the NRC regarding TED's performance of activities in the area of selecting design improvercents have not been resolved to the point of being able to close out this requirement of Supple-ment I to NUREG-0737. TED has satisfactorily demonstrated the capability for considering the cumulative and interactive effects of individual HEDs that will be corrected, not corrected, or partially correc Md. The other concerns of the NRC associated with the selection of design improvements that have not been resolved are the following areas:

e The process of selecting design improvements e The upgrade of HED documentation e The development of solutions to HEDs and implementation schedules Davis-Besse Restart SER 9 Appendix C

In order to progress towards the resolution of these areas of concern and to close out this requirement of Supplement 1 to NUREG-0737, the following documentation should be provided by TED:

• The work plans for the special studies (except for the SFRCS panel).

• Several sample HEDs which demonstrate the upgrading of HED documentation (e.g., examples of "before and after").

• All the proposed corrections to HEDs, including those to be performed during the current outage and afterwards.

• Justifications to all those HEDs not corrected or partially corrected.

• An implementation schedule for each HED correction, including the rationale for schedule delays beyond the sixth refueling outage.

The HED documentation should be detailed enough to provide a clear description of the HED, the systems and/or components involved, and the proposed HED corrections or justifications for not correcting, or partially correcting, HEDs. Particular attention to detail should be given to the proposed HED corrections and justifications for not correcting or partially correcting HEDs. Proposed HED corrections should be described in sufficient length and detail to provide the NRC with an unambiguous picture of the backfit that has been or will be implemented. Justifications for not correcting or partially correcting HEDs should be in similar detail and should address behavioral or operational factors involved in each HED. The format used for the HED Report form with the level of detail discussed above is recommended.

7. Verification That Improvements Will Provide the Necessary Corrections Without Introducing New HEDs

The NRC audit team found that no systematic, rigorous process for verifying HED corrections was developed or employed. In addition, TED's design change process (via FCRs) did not include a human factors review in verifying design changes. The NRC audit team concluded in its report that a systematic, rigorous methodology for verifying design improvements should be performed and that this process should involve human factors specialists as active, integral members of the DCRDR team. TED stated in the meeting that expert judgment with the aid of the control room mock-up served as the process for verifying some of the "simple" HEDs. For "complex" HEDs, such as those involved in SFRCS, criteria were used as the basis of the verification.

TED stated that a human factors specialist will be involved in the FCR process during the DCRDR. After the DCRDR, a human factors specialist will be involved in the FCR process on an as-needed basis. In the COA, TED provides a fairly detailed description of the approach it will take to verify design improvements (Appendix C.5.1, p. 14). In general, the approach described consists of the following steps:

• Application of NUREG-0700 criteria by human factors specialists.

• "Checks" made in the special studies to ensure that changes are consistently made across groups of related components.

• In the special studies, final verification of proposed HED corrections in the mock-up whenever applicable.

• Verification of FCRs by human factors specialists.

• Post-implementation verification of HED corrections by the multidisciplinary team.

Implementation of this verification approach will resolve NRC concerns regarding TED's fulfillment of this requirement of Supplement 1 to NUREG-0737.

8. Coordination of the DCRDR With Other Improvement Programs

The NRC audit team concluded from its findings that although Davis-Besse's organizational structure should enhance TED's ability to coordinate improvement programs, there was no evidence that any coordination had occurred other than the use of EOPs as the basis of the SFTA. A systematic approach to integrate the improvement programs had not been established. In the meeting TED cited its ability to coordinate the improvement programs through its organizational structure and the FCR process. However, the actual points of integration or interfaces and the iterative processes among the improvement programs appeared to be uncertain.

In the COA, TED describes the points of integration of various improvement programs in what could be called loosely a coordinated program. The improvement programs referred to are DCRDR, EOP upgrade, SPDS, and training. The mechanism in common to changes from these programs is the Facility Change Request (FCR) process. TED's discussion of the points of integration within these programs and processing of changes through the FCR process demonstrates its knowledge and capability of performing the coordinating function, with one exception: the integration of the Reg. Guide 1.97 instrumentation review. Prior to initiation of the DCRDR, TED did provide the following discussion of the Reg. Guide 1.97 review in its letter dated April 15, 1983 (Reference 5), in response to Generic Letter 82-33:

"This initiative will be integrated with the DCRDR such that methods utilized during the DCRDR to perform system function reviews and task analysis will also be utilized for identifying TYPE A variables as part of the Reg. Guide 1.97 review. In addition, the results of the Reg. Guide 1.97 review will be factored into ongoing EOP development, the control room inventory portion of the DCRDR and SPDS design."

However, TED presents no explicit discussion in the COA of the status and integration of the results of this review with the other improvement programs. In order for the NRC to close out this requirement of Supplement 1 to NUREG-0737, TED needs to provide documentation describing the status and integration of the results of the Reg. Guide 1.97 review with the other improvement programs.

SUMMARY AND CONCLUSIONS

TED has addressed all of the concerns identified in the pre-implementation audit report relative to DCRDR requirements. In addition, TED has updated operator comment forms, has ensured all HEDs identified in the operator forms are documented, and is establishing human factors standards and conventions for some aspects of the Davis-Besse control room design.

Based on the documentation provided in the COA, TED has committed to the following milestones:

• Completed during current outage:

  - Implementation of corrections to safety-significant HEDs associated with SFRCS, FW, and PAM

• Completed during current outage or fifth refueling stage (expected in 1986/87):

  - Implementation of corrections to HEDs categorized as high or medium safety significant in the January 1985 supplementary letter
  - Upgrade of task analysis, survey of new control room components, and reassessment of HEDs
  - Completion of special studies
  - Implementation in the control room of standards for labels and location aids

• Completed during sixth refueling outage (expected in 1988) or will be defined in FCR packages for implementation according to the Integrated Living Schedule:

  - Implementation of corrections to HEDs categorized as low safety significant in the January 1985 supplementary letter
  - Implementation of all other HED corrections
  - Completion of the DCRDR

With the exception of the implementation of corrections to the low safety-significant HEDs, these milestones appear to be the same as those discussed with TED in the meeting. In the meeting, TED appeared to indicate that those particular HED corrections would be implemented by the end of the fifth refueling outage.

Based on discussion with TED in the meeting and a review of its COA, NRC conclusions on the status of TED's compliance with the requirements of Supplement 1 to NUREG-0737 and the remaining action items for TED are presented below for each element of the DCRDR requirements.

1. Qualifications and Structure of the DCRDR Team

TED's commitment to human factors participation in the DCRDR satisfies the concerns of the NRC and will meet this requirement.

2. Function and Task Analysis

TED's SFTA upgrade approach will satisfy the NRC's previous concerns. The NRC will conclude on the adequacy of the SFTA performed to satisfy DCRDR requirements after TED receives NRC approval of the SFTA performed to develop the plant-specific EOPs.

3. Comparison of Display and Control Requirements With a Control Room Inventory

TED's verification approach will satisfy the NRC's previous concerns. However, the adequacy of the verification process will be dependent on the adequacy of the SFTA relative to the upgraded plant-specific EOPs.

4. Control Room Survey

TED's additional survey activities will satisfy the concerns of the NRC and will meet this requirement.

5. Assessment of HEDs

TED's additional HED assessment activities will satisfy the concerns of the NRC and will meet this requirement. In order to close out this requirement, TED needs to identify by HED number which HEDs are to be corrected in the current outage.

6. Selection of Design Improvements

TED has satisfactorily demonstrated the capability for considering cumulative and interactive effects of individual HEDs. In order to progress towards the resolution of NRC concerns and to close out this requirement, TED needs to provide the following documentation:

• The work plans for the special studies (except for the SFRCS panel).

• Several sample HEDs which demonstrate the upgrading of HED documentation (e.g., examples of "before and after").

• All the proposed corrections to HEDs, including those to be performed during the current outage and afterwards.

• Justifications to all those HEDs not corrected or partially corrected.

• An implementation schedule for each HED correction, including the rationale for schedule delays beyond the sixth refueling outage.

7. Verification That Improvements Will Provide the Necessary Corrections Without Introducing New HEDs

TED's implementation of the HED correction verification approach described in the COA will satisfy the concerns of the NRC and will meet this requirement.

8. Coordination of the DCRDR With Other Improvement Programs

TED's discussion of the points of integration within these programs and processing of changes through the FCR process demonstrated its knowledge and capability of performing the coordination function. In order to close out this requirement, TED needs to provide documentation describing the status and integration of the results of the Reg. Guide 1.97 review with the other improvement programs.

In summary, in order to complete NRC review of the Davis-Besse DCRDR and conclude on the adequacy of TED's plans for upgrading instruments, controls, and equipment in the control room, TED needs to provide the documentation described above. TED's methodology for resolving the human factors deficiencies related to the operator interface associated with the June 9, 1985, event (e.g., SFRCS) is acceptable to the NRC if implemented as described in the COA.


REFERENCES

1. "Appendix C.5.1 - Specific Actions Related To Control Room Deficiencies," Appendix to Revision 4 to the Davis-Besse Course of Action (COA), attachment to letter from J. Williams, Jr., TED, to H.R. Denton, USNRC, dated November 16, 1985.

2. "Pre-Implementation Audit of the Detailed Control Room Design Review of the Davis-Besse Nuclear Power Station," attachment to memorandum from W.H. Regan, Jr., USNRC, to W.T. Russell, USNRC, dated June 18, 1985.

3. "Minutes of NRC Meeting with Toledo Edison Concerning the Detailed Control Room Design Review of Davis-Besse Nuclear Power Station," attachment to memorandum from W.H. Regan, Jr., USNRC, to J.F. Stolz, USNRC, dated November 8, 1985.

4. "Supplement 1 to NUREG-0737 Detailed Control Room Design Review Implementation Schedule," attachment to letter from R.P. Crouse, TED, to J.F. Stolz, USNRC, dated January 31, 1985.

5. "Response to Supplement No. 1 to NUREG-0737 Requirements for Emergency Response Capability (Generic Letter No. 82-33)," attachment to letter from R.P. Crouse, TED, to D.G. Eisenhut, USNRC, dated April 15, 1983.

6. NUREG-0737 Supplement 1, "Requirements for Emergency Response Capability," USNRC, Washington, D.C., December 1982, transmitted to reactor licensees via Generic Letter 82-33, December 17, 1982.

7. NUREG-0700, "Guidelines for Control Room Design Reviews," USNRC, Washington, D.C., September 1981.

Davis-Besse Tac No. 51154

SAIC/1-263-07-557-16

Contract No. NRC-03-82-096

APPENDIX D

TECHNICAL EVALUATION REPORT
OF 29 SAFETY-SIGNIFICANT HUMAN ENGINEERING DISCREPANCIES
AT THE DAVIS-BESSE NUCLEAR POWER STATION

Davis-Besse Restart SER Appendix D

TECHNICAL EVALUATION REPORT OF 29 SAFETY-SIGNIFICANT HUMAN ENGINEERING DISCREPANCIES AT THE DAVIS-BESSE NUCLEAR POWER STATION

May 19, 1986

Prepared by:

Science Applications International Corporation
1710 Goodridge Drive
McLean, Virginia 22102

Under Contract to:

U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Contract NRC-03-82-096

FOREWORD

This Technical Evaluation Report documents the findings and conclusions regarding Toledo Edison's (TED's) resolution of 29 safety-significant human engineering discrepancies (HED) identified during the Detailed Control Room Design Review (DCRDR) underway at the Davis-Besse Nuclear Power Station. Following the June 9, 1985, loss-of-feedwater event (NUREG-1154), resolution of these HEDs was made a condition for restart of the plant.

The review process consisted of an examination of documentation submitted by TED as well as on-site and off-site meetings between the licensee, the NRC, and Science Applications International Corporation (SAIC). TED's resolutions of the HEDs were evaluated with respect to the requirements of NUREG-0737, Supplement 1. SAIC provided technical assistance to the NRC under contract NRC-03-82-096, Technical Assistance in Support of Reactor Licensing Actions. SAIC's technical evaluation of TED's efforts to resolve the safety concerns regarding the 29 HEDs associated with plant restart is documented in this report, which was formatted for NRC use as part of the Davis-Besse restart Safety Evaluation Report.

TABLE OF CONTENTS

1.0 INTRODUCTION
2.0 BACKGROUND
3.0 REVIEW APPROACH AND METHODOLOGY
4.0 SUMMARY OF EVALUATIONS
5.0 ACTIONS TO BE COMPLETED BY THE TOLEDO EDISON COMPANY
    5.1 Restart Actions to Be Completed by TED
    5.2 Fifth Refueling Outage Actions to Be Completed by TED
    5.3 Sixth Refueling Outage Actions to Be Completed by TED
    5.4 HEDs That Have Been Resolved by TED
REFERENCES
ATTACHMENT 1 - Davis-Besse Human Engineering Discrepancy (HED) Report
ATTACHMENT 2 - Human Factors Verification of Design Improvements
ATTACHMENT 3 - Synopses of 29 Safety-Significant HEDs Identified at Davis-Besse With SAIC's Technical Evaluation to Include Actions to Be Completed by TED

1.0 INTRODUCTION

The focus of this Technical Evaluation Report (TER) is the Davis-Besse Detailed Control Room Design Review (DCRDR) and the safety-significant human engineering discrepancies (HEDs) identified in the Davis-Besse Summary Report. The Summary Report documents the results of the DCRDR and was submitted to the Nuclear Regulatory Commission (NRC) on June 29, 1984 (Reference 1). In this report, Toledo Edison Company (TED) has identified 29 safety-significant HEDs related to the integration of operator actions with control room panel arrangement, layout and design which may significantly impact the ability of the control room operators to perform plant emergency actions, tasks and steps as part of the plant Emergency Operating Procedures (EOPs). These HEDs have been linked to the restart of the Davis-Besse Nuclear Plant because of their association with systems involved in the June 9, 1985, loss-of-feedwater incident (Reference 2). A brief discussion of this event is included below along with a detailed evaluation of the efforts TED is currently pursuing either to correct the 29 HEDs prior to restart or to adequately justify delaying implementation of permanent corrective actions until the next refueling outage.

On June 9, 1985, one of the two main feedwater pumps tripped while the plant was operating at 90% power, resulting in a reactor and turbine trip on high reactor coolant system pressure approximately thirty seconds later. Soon after the reactor tripped, both main steam isolation valves spuriously closed, resulting in a complete loss of main feedwater. In addition, other events occurred, including a control room operator error during actuation of the Feedwater Rupture Control System (SFRCS), malfunctions of two redundant valves in the safety-related auxiliary feedwater system, and overspeed trips of the two redundant, steam turbine-driven auxiliary feedwater pumps. The combination of all these events resulted in a total loss of all sources of feedwater to the steam generators, leaving them with the potential for boiling dry if feedwater was not restored. However, the timely response of the operators, working quickly both inside and outside the control room, brought the plant to a stable shutdown without any abnormal release of radioactivity or any major damage to the unit.

The aftermath of the June 9, 1985, event focused the NRC's attention not only upon the circumstances surrounding the equipment failures that initiated the loss of feedwater event but also upon the operator actions that took place during the event. In general, the operator actions are to be commended. However, there were instances when decisions made by the operators, and their ensuing actions, created time delays or resulted in human error which adversely impacted the activities being undertaken in the control room to shut down the plant safely. A chronology of the events and the actions taken by the operators in NUREG-1154, "Loss of Main and Auxiliary Feedwater Event at the Davis-Besse Plant on June 9, 1985" (Reference 2), describes in detail the NRC investigative team findings.

Prior to the June 9, 1985, event, TED was aware that major safety-significant issues were present in the control room and that these human engineering discrepancies had been assessed by TED as having a potential for affecting the safety of plant operations. These HEDs were discovered as a result of the NRC requirements for utilities to develop an emergency response capability, as identified in Supplement 1 to NUREG-0737, that would provide an overall enhancement of operator ability to comprehend plant conditions and cope with emergencies (Reference 3). Integrated within this NRC initiative is the design of the Safety Parameter Display System (SPDS), design of instrument displays based upon Regulatory Guide 1.97 guidance, control room design review, development of symptom-oriented emergency operating procedures, and operator staff training.

The June 9, 1985, loss of feedwater event directly involved several of the systems in which these HEDs had been previously identified. This provided the NRC with supporting operational evidence that the 29 safety-significant HEDs should be tied to plant restart initiatives. This TER addresses the 29 HED corrective actions that have been committed to by TED not only prior to restart but also continuing through the fifth and sixth refueling outages. TED, in a February 28, 1986, submittal, has committed to completing all DCRDR items and resolving all HEDs by the end of the sixth refueling outage (Reference 4).

2.0 BACKGROUND

The information listed below is a summary of the DCRDR activities and related restart efforts that have transpired between the NRC and TED.


DCRDR Program Plan - June 1983

The DCRDR was to be conducted in accordance with the TED Program Plan (Reference 5), to meet the requirements of the NRC's Supplement 1 to NUREG-0737, "Requirements for Emergency Response Capability." Although no dates for start and completion of milestones for the entire DCRDR were given, a time span of 12 months was stated for the duration of the DCRDR.

DCRDR Summary Report - June 1984

In the DCRDR Summary Report, TED identified safety-significant human engineering deficiencies (HEDs) and presented justifications for leaving some safety-significant HEDs partially corrected or uncorrected and proposed corrective actions for others. The Summary Report was found by the NRC to be inadequate for evaluation because not all HED descriptions or implementation schedules were finalized. TED committed to submit a schedule for completing the special studies to address HEDs and implementation of resulting corrective actions. This submittal is described below.

Supplemental Information Submitted - January 1985

TED's January 31, 1985, submission of supplemental information included a revised assessment of the 29 safety-significant HEDs along with a schedule for determining all HED dispositions by the spring of 1989 (Reference 6). The NRC decided to conduct a pre-implementation audit of the DCRDR at Davis-Besse.

NRC Pre-implementation Audit of the Davis-Besse DCRDR - April 1985

Based upon the April 1985 pre-implementation audit of Davis-Besse's DCRDR, it was determined that minimal progress had been achieved on the DCRDR since the submittal of the June 1984 Summary Report. For instance, while TED's original assessment process for HEDs was found to be generally acceptable, TED reprioritized the 29 safety-significant HEDs. This change in HED priorities concerned the NRC because TED downgraded the safety-significance of some of the HEDs, postponed TED's commitment for implementing corrections and neglected to involve human factors expertise in any part of the revision process. Furthermore, during the audit, it was found that of the ten special studies planned by TED, only three were currently being pursued, and human factors expertise was only going to be used for the Labels and Location Aids Study. Inadequacies were also noted in TED's approach for selecting design improvements. These inadequacies included the lack of a systematic methodology for identifying alternative corrections, the proposed extended time period, inadequate HED documentation, and inadequate disposition of some HEDs.

Loss of Main and Auxiliary Feedwater at the Davis-Besse Plant - June 1985

See the NRC report NUREG-1154 (Reference 2) for an extensive description of the June 9, 1985, event.

Pre-Implementation Audit Report - June 1985

Based upon the April 29 - May 3, 1985, on-site audit at Davis-Besse, the NRC determined that minimal effort had been expended by TED since the submittal of the Summary Report in June 1984. In addition, no human factors expertise had been utilized in the reprioritization of safety-significant HEDs, in developing corrective actions, or in developing nine out of the ten planned special studies. The NRC found that TED had no formal documented plan or statement of objectives for performing the ten studies. Finally, the DCRDR activities that were audited and the safety-significant HEDs (SFRCS, PAM, and AFW panels) that were reviewed contained information relevant to documented errors committed by the control room operators during the June 9, 1985, event (Reference 7). Based upon the on-site review, the NRC was unable to close out any of the DCRDR elements and recommended a meeting be held with the licensee to resolve the identified problems with the DCRDR program.

NRC/TED Meeting on DCRDR Plant Restart Efforts - October 1985

The NRC met with TED on October 9, 1985 (Reference 8), to discuss the NRC concerns stemming from the April 1985 DCRDR audit, the June 9, 1985, event, and the restart efforts being undertaken by TED's proposed System Review and Test Program (SRTP). TED addressed all concerns related to the DCRDR that were identified in the pre-implementation audit report. The SRTP was formed in response to the June 9 event, and its function was to deal with identified problems within plant safety systems and to review corrective actions, as well as any system testing that should be performed prior to restart. Some of the DCRDR corrective actions, such as the examination of the safety-significant HEDs identified by the DCRDR, were performed as part of the SRTP.

Davis-Besse Course of Action - November 1985

In November 1986, TED submitted its Appendix C.5.1 to Revision 4 of the Davis-Besse Course of Action (COA) which documents TED's deficiencies in its DCRDR (Reference 9). The NRC concluded that the COA addressed all of the concerns identified in the pre-implementation audit and committed TED to milestones for the DCRDR-related activities. However, TED still needed to provide documentation of its plans for upgrading the HEDs that had previously been identified in the control room.

3.0 REVIEW APPROACH AND METHODOLOGY

In a February 28, 1986, submittal, TED provided brief descriptions of 29 safety-significant HEDs identified during the DCRDR that were to be addressed prior to restart. Of the 29 safety-significant HEDs, only 15 were to be resolved prior to restart. TED's justifications for not addressing the other 14 HEDs were unclear and did not provide a sufficient level of detail to allow the NRC to complete a comprehensive review of TED's submittal.

The NRC decided an on-site review was necessary to audit TED's documentation so that the NRC could make a determination of the restart implications for all 29 HEDs. Between March 31 and April 2, 1986, the NRC staff and their consultants, Science Applications International Corporation (SAIC), were on-site at Davis-Besse Nuclear Plant to review the DCRDR documentation pertaining to the 29 safety-significant HEDs. They determined that TED was not fully prepared and could not produce, at the time, auditable evidence of the DCRDR processes for each of the 29 HEDs (Reference 10). Under these circumstances, the NRC was unable to continue with the audit. An agreement was reached whereby TED would submit to the NRC by April 15, 1986, the proper documentation of the DCRDR processes for each of the 29 HEDs. The NRC would then conduct a thorough review of TED's restart initiatives (Reference 11).

For each HED, the documentation was to include:

• Safety-significant category of each HED
• Components or item involved
• Problem description
• Specific error related to the HED
• Assessment justification
• Disposition
• Schedule
• How appropriate solutions were developed
• How HED solutions were verified to determine whether the solution was effective in correcting the discrepancy and how TED's verification process determined that no new HEDs were generated by implementing the solution
• How cumulative effects were evaluated for related HEDs.

In response to the NRC request, TED submitted the required documentation in a package which contained information presented in the following attachments.

Attachment 1 - TED's format used for each HED report submittal
Attachment 2 - TED's format used for human factors verification of the design improvement
Attachment 3 - Synopses of TED's submittal for the 29 individual HED packages with SAIC's technical evaluation to include actions to be completed by TED

The NRC and SAIC reviewed the 29 HED packages in detail, and as some concerns still remained that could not be resolved by the documentation, TED was asked to participate in a meeting on April 23, 1986, with the NRC and SAIC in Bethesda, Maryland. During this meeting, additional information was orally exchanged that clarified the outstanding concerns. The results of SAIC's technical evaluations of the 29 safety-significant HEDs are summarized in the following section.

4.0 SUMMARY OF EVALUATIONS

These findings and conclusions are based on two sources of information. First, the DCRDR provided a methodology and organization to follow that led to the identification of the 29 safety-significant HEDs in the Davis-Besse Summary Report. Second, since the June 9, 1985, event, TED has provided, through the series of meetings and submittals described above, information that describes the 29 HEDs and the efforts made by the licensee to resolve the major safety concerns related to the HEDs. The primary sources of information that describe the 29 HEDs, TED's efforts to resolve them, and a schedule for implementation of corrective actions are TED's April 15, 1986, submittal that included information on each of the 29 HEDs and the April 23 meeting between the NRC and TED.

The fundamental conclusion to be drawn is that, contingent upon fulfillment of commitments made by the licensee (to be described below), the Davis-Besse plant could be operated without undue concern for public safety attributable to the 29 safety-significant HEDs. In addition to corrective actions already taken, TED has committed to further corrective actions prior to restart and to others before or during the fifth refueling outage, expected approximately one year after restart. Moreover, TED has committed to ensure that operators are instructed on safe operating practices in the control room and on implemented corrective actions such as design modifications and procedure changes.

Since some of the commitments were made orally at an informal meeting (April 23, 1983), TED should provide documentary evidence of fulfillment of actions committed to before restart, subject to confirmatory review and acceptance in the course of subsequent DCRDR review.

Many actions already undertaken or committed to prior to restart are of a temporary or interim nature, pending the outcome of special studies to be completed by the fifth refueling outage. While these interim actions are acceptable for purposes of restart, they do not fulfill TED's prior commitment to perform a comprehensive human factors engineering review of the Davis-Besse control room and to take appropriate steps to reduce the chances for operator errors in the course of coping with emergencies.

Section 5.0, which follows, describes, for each of the 29 HEDs, the actions which should be completed by TED. Attachment 3 provides a synopsis of each of the HEDs and actions to be completed by TED, summarizes the SAIC and NRC staffs' position, and reiterates the corrective actions that should be taken by TED for restart and for the fifth and sixth refueling outages.

5.0 ACTIONS TO BE COMPLETED BY THE TOLEDO EDISON COMPANY

Corrective actions for the 29 safety-significant HEDs are discussed in the following sections with respect to the implementation schedules identified in TED's Course of Action (Revision 4), e.g., restart, fifth refueling outage, and sixth refueling outage (Reference 9). All of the 29 HEDs have been addressed below; however, in some of the HEDs, TED has identified multiple corrective actions at the component level. Therefore, several of the HEDs are repeated in different sections. For these HEDs, multiple corrective actions are to be partially implemented before restart, and the remaining corrective actions are carried over into the fifth refueling outage for completion. The HEDs appearing more than once are: HED 5.1.006, HED 5.1.007, HED 5.1.009, HED 9.1.001, HED 9.2.005, HED 9.2.020, and HED 9.2.033.

5.1 Restart Actions to Be Completed by TED

In addition to the corrective action agreed to by TED for each of the safety-significant HEDs listed below, additional restart programs have been committed to in TED's COA submission dated November 16, 1985, Revision 4, Section 4.1, "Restart Programs" (page 19). Also, in TED's April 15, 1986, submittal of the 29 HED packages, the licensee committed to identifying the responsibilities and processes for inclusion of good human factors engineering as part of plant design modifications that are developed as part of the Facility Change Requests (FCR).

HED 4.1.004 - Accidental Actuation of Controls Positioned Too Close Together

TED's labeling enhancements for this HED should involve good human factors guidelines developed in accordance with TED's Label and Location Aids Special Study. Demarcation will be used on panel C-7505, and additional consideration will be given to covering the PORV controls. Since these changes, to be accomplished prior to restart, have not been fully described or documented, TED should provide documentary evidence for all solutions developed as part of the interim corrective actions for this HED. Solutions should be subject to confirmation in subsequent DCRDR reviews.

HED 5.1.006 - Parameter Range Exceeds Scale Value

TED has agreed to confirm that the corrective actions described below are implemented in the control room. TED should follow up after the restart with a thorough human factors evaluation of all interim solutions and should develop final corrective actions which have been reviewed by the human factors verification process.

- The RCS wide range pressure is being expanded to 0-3000 psig and implemented as part of Regulatory Guide 1.97 requirements to support post-accident analysis prior to restart.

- The wide range makeup flow scale range will be expanded to 0-500 gpm by using an existing dual scale meter. However, the use of multiple scale meters has already been identified as an HED. At best, this is an interim solution, since the potential for operator error still exists. This, in conjunction with HED 5.1.009, which also deals with multiple scale indicators, should be resolved after restart by means of the installation of separate meters with individual scales to provide proper precision, range, and accuracy for each scale.

HED 9.2.006 - Violation of Operator Expectancy - SFAS Trip Buttons

Confirmatory action should be provided for this interim solution. In addition, a human factors verification and validation should be performed using the proper EOP tasks which control room operators would normally perform in the use of the pushbutton controls.


HED 9.2.047 - Decay Heat Pump/HPI Pump Mimic Relationships Are Unclear

Corrective actions should be implemented to minimize errors, and TED has agreed to confirmatory action for verification that the design solution resolves human factors concerns.

HED 6.1.012 - Labels That Are Not Placed Above the Panel Elements They Describe

TED is committed to ensure that corrective actions being implemented in the control room involving placement of interim label enhancements make use of good human factors guidelines. This practice will ensure that corrective actions implemented in the control room will not require additional changes as a result of the Label and Location Aids Special Study.


HED 9.2.004 - Related Controls and Displays Not Located Together

Procedures and training should be incorporated into upgraded restart initiatives so the operators are aware of and familiar with the corrective actions being implemented in the control room.

HED 9.2.028 - Potential For Misleading Feedwater Flow Indication

Since this corrective action involved a logic change and no physical modifications, the only action agreed to by TED is to ensure that procedures and training address any impact upon operators using the wide range scale for indicating feedwater flow during startup conditions.


HED 9.2.043 - SFRCS Block For Startup Feedwater Valves Located Outside of Control Room

TED should ensure that control room operators are thoroughly trained on the new placement of the feedwater control valve switches and that the labeling conforms to good human factors guidelines as developed in TED's Label and Location Aids Special Study.


HED 9.2.001 - SFRCS Display Arrangement Does Not Support Verification of Actuation Tasks

TED has committed to provide additional training to control room operators which is specifically related to the SFRCS actuation identification, or to place emphasis in the appropriate sections of existing training plans to ensure the operators' familiarity with existing control modifications and with the steps necessary to identify and actuate the SFRCS system.

HED 9.2.033 - Spatial Relationship of Auxiliary Feedwater Components

As indicated in HED 9.2.020, the AFW-related components on panel C-5717 should be clearly grouped to improve the ability to distinguish AFW components from SFAS components. Relabeling enhancements and removal of the spare controls in the SFAS Incident Level 4 group next to the AFW controls will be accomplished. Additional training on existing systems, to include modifications implemented to AFW, should be completed prior to restart.

HED 5.1.007 - Pointers on Meters Do Not Fail Off-Scale

TED should conduct training to ensure that operators are aware of the potential for the present HPI meters to fail and are able to recognize this situation and respond properly.

HED 5.1.009 - Multiscale Meters That Are Confusing to Read

Interim labeling enhancements for the auxiliary feed pump indicators should be installed until the permanent corrective actions, which are to be addressed during the SFRCS Special Study, can be installed during the next (fifth) refueling outage as part of the centralized SFRCS panel. The corrective actions for the wide range indication and meter scale deficiencies associated with the makeup flow indication should be developed and installed prior to restart. TED should provide the NRC with inputs which describe how the instrument and control characteristics were considered in the development of the interim or permanent hardware fixes applied to the control boards.


HED 9.2.005 - Misleading Panel Arrangements for ICS Input Select Switches

Interim labeling enhancements should be completed prior to restart. TED should provide the NRC with inputs which describe how the instrument and control characteristics were considered in the development of the interim or permanent hardware fixes to the control boards prior to restart.

HED 9.2.020 - SFAS Incident Isolation Component Arrangements Are Inconsistent

For all interim fixes that involve labeling, TED will conduct a study to ensure that good human factors guidelines have been followed, and the results of the study will be submitted prior to restart. Presently, labeling corrections, which are intended to enhance grouping of AFW components and to remove spare controls in the SFAS Incident Level 4 group, are under consideration.

5.2 Fifth Refueling Outage Actions to Be Completed by TED

In addition to the corrective action agreed to by TED for each of the safety-significant HEDs listed below, additional activities have been committed to in TED's Course of Action submittal dated November 16, 1985, Revision 4, Section 4.2, "Fifth Refueling Outage Programs" (page 25). The SAIC review team's position is that all special studies should be completed by the end of the fifth refueling outage, with appropriate FCRs detailing the final corrective actions. These FCRs should be implemented by the end of this outage.

HED 5.1.006 - Parameter Range Exceeds Scale Value

A new wide range auxiliary feedwater indication will be incorporated into the SFRCS Special Study and will be installed. The EOPs are not dependent upon this AFW indication for successful execution of operator actions.


HED 9.2.001 - SFRCS Display Arrangement Does Not Support Verification of Actuation Tasks

During the SFRCS Special Study, TED has agreed to consider this HED in conjunction with all other SFRCS-related HEDs, such as 9.2.042, 9.2.018, and 9.2.054, in order to ensure that these HEDs are addressed in a coordinated fashion. The resulting design developments, such as a centrally located arrangement of SFRCS controls and displays, are currently scheduled to be implemented by the next (fifth) refueling outage.

HED 9.2.033 - Spatial Relationship of Auxiliary Feedwater Components

Final resolution of the AFW controls and displays in SFAS Level 4 should be identified during the SFRCS Special Study and implemented by the fifth refueling outage.

HED 5.1.007 - Pointers on Meters Do Not Fail Off-Scale

TED has agreed to upgrade the HPI meters from category III to category II and to include them in the ongoing Display Study with a view toward replacing meters that fail center-scale with meters that fail off-scale.

HED 9.2.084 - Information Displays Not Available in Control Room

The Display Special Study will evaluate the generic problem of demand-versus-actual indications. Corrective actions should be completed during the next (fifth) refueling outage.

HED 9.8.007 - Displays That Do Not Provide the Precision Accuracy Required

TED should implement corrective actions identified by the Displays Special Study.

HED 9.2.007 - Displayed Auxiliary Feedwater Flow Indication Not Sufficiently Accurate

Corrective actions that result from the SFRCS Special Study to improve reliability and accuracy should be implemented.


HED 9.2.042 - Steam Generator Level Inputs to SFRCS and Control Room Indications Differ

During the SFRCS Special Study, TED should consider the inclusion of a steam generator level indicator from the SFRCS level input strings to provide the operator with a direct indication of the level signal feeding SFRCS. Corrective actions developed from the SFRCS study should be implemented.

HED 5.1.009 - Multi Scale Meters That Are Confusing to Read

Permanent corrective actions identified by the SFRCS Special Study should be installed as part of the centralized SFRCS panel.

HED 9.2.005 - Misleading Panel Arrangement for ICS Input Select Switches

Final corrective actions should be identified during the SFRCS Special Study and installed.

HED 1.7.010 - No Lamp Test; Dual Bulbs or Dual Filament Bulbs

The Display Special Study will examine the components indicated in this HED. Some discrepancies will be resolved with the addition of the new SFRCS panel. Presently, TED is attempting to locate dual filament bulbs.

HED 9.2.018 - Availability / Consistency of SFRCS Information.

During the SFRCS Special Study, TED has agreed to review the changes made to the SFRCS annunciator configuration. Any additional corrective actions identified should be completed.

HED 9.2.020 - SFAS Manual Indication Switches Are Not Located or Arranged to Support Emergency Task Sequences

Final resolutions which should be implemented are those developed from both the Displays and the Controls Special Studies addressing the reactor coolant pump controls and displays and SFRCS Special Study resolutions for the AFW controls and displays.


HED 9.2.054 - SFRCS Manual Initiation Switches Are Not Located or Arranged to Support Emergency Task Sequences

As part of the SFRCS Special Study, TED should continue to consider both the SFRCS manual initiation switches and other SFRCS actuated components. Additional modifications relating to this HED should be implemented during the next (fifth) refueling outage.

HED 5.1.029 - Meters With Pointers That Have Parallax Problems

As part of the Display Study, TED has agreed to develop recommendations that will generate corrective actions for the PAM panel which should be implemented by the fifth refueling outage.

HED 9.2.083 - Information Displays Not Available in Control Room

TED has committed to install an annunciator status indication entitled "ICS in Track" as part of the overall ongoing Annunciator Special Study in order to provide the control room operators with a direct and immediate indication of ICS status.

HED 3.1.037 - Annunciators With Inputs From More Than One Plant Parameter Setpoint Is Not Avoided

This HED should be resolved as a result of the Annunciator Special Study.

HED 5.1.002 - Indicator Lights That Indicate System or Equipment Status When Off

The corrective action to resolve this HED should be developed as part of the Display Special Study.

5.3 Sixth Refueling Outage Actions to Be Completed by TED

TED has committed to close out all DCRDR programs by the end of this outage and to resolve all HEDs by that time. TED indicates that there may be some HEDs for which FCRs detail only the proposed solutions for the HED and that some of these solutions may not be implemented during the sixth refueling outage. It is the SAIC review team's position that TED should not only complete the FCRs for all HEDs requiring corrective actions, but should implement those changes in the control room by the end of the sixth refueling outage.

5.4 HEDs That Have Been Resolved by TED

Based upon a review of TED's documentation and follow-up discussions, SAIC and the NRC staff concluded that the corrective actions developed for these four HEDs should effectively resolve prior concerns. No further action is required for these corrective actions.


HED 1.7.011 - Pushbuttons/Indicator Lights Have Shorted Out During Bulb Replacement

HED 6.1.015 - Temporary Labels, Magnetic Labels, and Information Tags Obscure Components

HED 9.2.030 - Reactor Coolant System Temperature Display Visibility

HED 9.2.065 - Unreliable Control Room Displays


REFERENCES

1. "Detailed Control Room Design Review for the Davis-Besse Nuclear Power Plant" Summary Report, attachment to letter from R.P. Crouse, TED, to J.F. Stolz, NRC, dated June 29, 1984.
2. NUREG-1154, "Loss of Main and Auxiliary Feedwater Event at the Davis-Besse Plant on June 9, 1985," USNRC, Washington, D.C., July 1985.
3. NUREG-0737, Supplement 1, "Requirements for Emergency Response Capability," USNRC, Washington, D.C., December 1982, transmitted to reactor licensees via Generic Letter 82-33, December 17, 1982.
4. Letter from Joe Williams, Toledo Edison Company, to John F. Stolz, NRC, forwarding descriptions of DCRDR HEDs to be addressed, Serial No. 1252, February 28, 1986 (with attachment).
5. "Detailed Control Room Design Review Program Plan for the Davis-Besse Nuclear Power Plant," attachment to letter from R.P. Crouse, TED, to J.F. Stolz, NRC, dated June 15, 1984.
6. "Supplement 1 to NUREG-0737 Detailed Control Room Design Review Implementation Schedule," attachment to letter from R.P. Crouse, TED, to J.F. Stolz, USNRC, dated January 31, 1985.
7. "Pre-Implementation Audit of the Detailed Control Room Design Review of the Davis-Besse Nuclear Power Station," attachment to memorandum from W.H. Regan, Jr., USNRC, to W.T. Russell, USNRC, dated June 18, 1985.
8. "Minutes of NRC Meeting with Toledo Edison Concerning the Detailed Control Room Design Review of Davis-Besse Nuclear Power Station," attachment to memorandum from W.H. Regan, Jr., USNRC, to J.F. Stolz, USNRC, dated November 8, 1985.
9. "Appendix C.5.1 - Specific Actions Related to Control Room Deficiencies," Appendix to Revision 4 to the Davis-Besse Course of Action (COA), attachment to letter from J. Williams, Jr., TED, to H.R. Denton, USNRC, dated November 16, 1985.
10. "Davis-Besse Nuclear Power Plant DCRDR Audit - Trip Report, March 31 - April 2, 1986," Science Applications International Corporation, McLean, VA, April 16, 1986.
11. Letter from Joe Williams, Toledo Edison Company, to John F. Stolz, NRC, forwarding descriptions, status, and proposed plans for resolving 29 HEDs identified by DCRDR, Serial No. 1271, April 18, 1986 (with attachment).


ATTACHMENT 1

DAVIS-BESSE HUMAN ENGINEERING DISCREPANCY (HED) REPORT

ATTACHMENT 1

PAGE: ___ of ___

DAVIS-BESSE HUMAN ENGINEERING DISCREPANCY (HED) REPORT

HED NO:

TITLE:

CATEGORY:

STATUS:

DATE ORICINATED:

ITEMS INVOLVED:

PROBLEM DESCRIPTION:

NUREG-0700 PARA:

DATA SOURCE:

SPECIFIC ERROR:

ASSESSMENT JUSTIFICATION:

DISPOSITION:

SCHEDULE:

INTERIM / FINAL DISPOSITION APPROVAL:          DATE

FINAL IMPLEMENTATION APPROVAL:          DATE

JRL/006

ATTACHMENT 2

HUMAN FACTORS VERIFICATION OF DESIGN IMPROVEMENTS

ATTACHMENT 2

HED No.

Sheet 1 of 2          Page 1 of 2

HUMAN FACTORS VERIFICATION OF DESIGN IMPROVEMENT

BRIEF DESCRIPTION:

TYPE OF VERIFICATION: Initial / Interim / Implementation

BASIS OF REVIEW:

Documentation Review (specify document number)

- FCR Request
- FCR Concept Design
- FCR Detailed Design
- Maintenance Work Order
- Procedure
- Other

Hardware Assessment

AFFECTED COMPONENTS:

THE HUMAN FACTORS REVIEW WAS CONDUCTED IN THE FOLLOWING MANNER (Yes / No / N/A):

A. Comparison with NUREG-0700 guidelines
B. Comparison with T/A I&C reqts
C. Operations review and comments
D. Walk-throughs
E. Other (specify)

ATTACHMENT 2

HED No.

Sheet 2 of 2          Page 2 of 2

THE HUMAN FACTORS REVIEW RESULTED IN A FINDING THAT THE DESIGN IMPROVEMENT:

- Will fully satisfy the human factors concerns in the HED.
- Will partially satisfy the human factors concerns in the HED.
- Will not satisfy the human factors concerns in the HED.

JUSTIFICATION:

THE DESIGN IMPROVEMENT (WILL) (WILL NOT) RESULT IN ANY NEW HEDs. (IDENTIFY NEW HEDs IF APPROPRIATE.)

JUSTIFICATION:

FURTHER HUMAN FACTORS REVIEW (IS) (IS NOT) REQUIRED.

JUSTIFICATION:

REVIEWER:          DATE:

ATTACHMENT 3

SYNOPSES OF 29 SAFETY-SIGNIFICANT HEDs IDENTIFIED AT DAVIS-BESSE WITH SAIC's TECHNICAL EVALUATION TO INCLUDE ACTIONS TO BE COMPLETED BY TED

INTRODUCTION

Each synopsis of TED's 29 safety-significant human engineering discrepancies (HEDs) from Davis-Besse is composed of a package of material submitted by TED on April 18, 1986. The following synopses describe the HEDs and proposed actions to be taken by TED, to include:

- HED number
- Items involved
- Problem description
- Specific error related to the HED
- Assessment justification
- Disposition
- Schedule

Following each HED synopsis is SAIC's technical evaluation, to include a conclusion and staff position and actions to be completed by TED.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.001

TITLE: SFRCS Display Arrangement Does Not Support Verification of Actuation Tasks

ITEMS INVOLVED:

Panel No.   Instrument No.   Description
C5709       HIS-3871         Auxiliary Feed Pump No. 2 Discharge to Steam Generator No. 1 Isolation Valve
            HIS-3872         Auxiliary Feed Pump No. 2 Discharge to Steam Generator No. 2 Isolation Valve
            HIS-5889A        Auxiliary Feed Pump 1 Steam Inlet Valve
            HIS-5889B        Auxiliary Feed Pump 2 Steam Inlet Valve
            PI-505           Auxiliary Feed Pump 1 Discharge Pressure
            PI-509           Auxiliary Feed Pump 2 Discharge Pressure
            FI-4521          Auxiliary Feed Pump 1 Feedwater Flow
            FI-4522          Auxiliary Feed Pump 2 Feedwater Flow
            SI-815           Auxiliary Feed Pump Turbine No. 1 Speed
            SI-816           Auxiliary Feed Pump Turbine No. 2 Speed
C5721       HIS-780          Main Feedwater to Steam Generator No. 1 Block Valve
            HIS-779          Main Feedwater to Steam Generator No. 2 Block Valve
            HIS-611          Steam Generator No. 1 Drain Valve Isolation
            HIS-603          Steam Generator No. 2 Drain Valve Isolation
C5712       FIC-ICS33B       Main Feedwater Startup Flow Control Valve 1
            ZI-SP68          Main Feedwater Flow Control Valve Position 1
            FIC-ICS33A       Main Feedwater Startup Feedwater Control Valve 2
            ZI-SP6A          Main Feedwater Flow Control Valve Position 2
            LI-SP981         Steam Generator No. 1 Startup Range Level
            LI-SP9Al         Steam Generator No. 2 Startup Range Level
C5799       FI-4630          PAM Panel Auxiliary Feedwater Flow to Steam Generator 1
C5798       FI-4631          PAM Panel Auxiliary Feedwater Flow to Steam Generator 2
C5706       HIS-3869         Auxiliary Feed Pump No. 1 Discharge to Steam Generator No. 2 Isolation Valve
            HIS-3870         Auxiliary Feed Pump No. 1 Discharge to Steam Generator No. 1 Isolation Valve
C5717       HIS-ICSilB       Main Steam No. 1 Atmospheric Vent Valve
            HIS-ICSilA       Main Steam No. 2 Atmospheric Vent Valve
            HIS-394          Steam Generator 1 Main Steam Warm-Up Drain Isolation Valve
            HIS-375          Steam Generator 2 Main Steam Warm-Up Drain Isolation Valve
            HIS-101          Main Steam Isolation Valve No. 1
            HIS-100          Main Steam Isolation Valve No. 2
            HIS-601          Steam Generator 2 Main Feedwater Stop Valve
            HIS-612          Steam Generator 2 Main Feedwater Stop Valve
            HIS-608A         Steam Generator 1 Auxiliary Feedwater Isolation Valve
            HIS-608B         Steam Generator 1 Auxiliary Feedwater Isolation Valve
            HIS-599A         Steam Generator 2 Auxiliary Feedwater Isolation Valve
            HIS-599B         Steam Generator 2 Auxiliary Feedwater Isolation Valve
            HIS-106A         Main Steam Line No. 1 to Auxiliary Feed Pump Turbine No. 1 Isolation Valve
            HIS-106E         Main Steam Line No. 2 to Auxiliary Feed Pump Turbine No. 1 Isolation Valve
            HIS-107A         Main Steam Line No. 2 to Auxiliary Feed Pump Turbine No. 2 Isolation Valve
            HIS-107E         Main Steam Line No. 1 to Auxiliary Feed Pump Turbine No. 2 Isolation Valve

PROBLEM DESCRIPTION:

Controls and displays of the Steam and Feedwater Rupture Control System (SFRCS) and SFRCS actuated equipment are located on various control room panels (see list of items involved). On either a manual actuation or automatic actuation of SFRCS, the control room operator cannot see all associated displays from one location to confirm proper SFRCS actuation.

The SFRCS is a fully automated system and proper system operation is not dependent on operator verification, but in the event of incomplete or improper automatic actuation, the control display arrangement would delay the operator's identification and response to the problem.

SPECIFIC ERROR:

Delay in complete verification or omission of verification of proper SFRCS actuation.

ASSESSMENT JUSTIFICATION:

The items involved in this HED include all indications and controls specifically associated with the verification of system actuation. This HED addresses the ability to verify system actuation and the problem is generic to all components; therefore, specific evaluation of each is not required.

The error assessment category is II since the problem was identified during the verification and validation process and since no actual operator errors attributable to this problem have been identified. If improper SFRCS actuation went undetected as a result of this error, the safety related function of maintaining proper steam generator heat removal capabilities could be degraded; therefore, the significance categorization is A-M.

DISPOSITION:

Although the overall problem identified in this HED has not been specifically addressed by a hardware modification at this time, major system design changes are currently being developed which will resolve this problem.

The SFRCS special study identified in the DCRDR Summary Report provides the focus for the integrated look at all SFRCS related HEDs. Preliminary results of this integrated review of SFRCS problems have identified the need for improved control room information on SFRCS input parameters (see HED 9.2.042) and SFRCS actuation logic status (see HED 9.2.018), in addition to a centrally located arrangement of SFRCS controls and displays necessary to permit a rapid verification of proper actuation. The design development effort necessary to assure that SFRCS-related HEDs are optimally addressed has been initiated and the implementation of these changes is currently scheduled for the next (5th) refueling outage.

The existing configuration of SFRCS controls and displays is acceptable because of the design modifications that have been implemented during the current outage and because of the control room operator's training and past experience with the SFRCS system.

This HED is associated with the verification of proper SFRCS system actuation. Consequently, those system design changes which reduce the likelihood of improper system actuation or which improve the operator's ability to perform the verification will lessen the significance of this HED. Several system design modifications have been implemented during the current outage which increased the probability of proper actuation. The modifications made to the physical arrangement of the SFRCS manual actuation switches (see HED 9.2.054) have assured proper SFRCS response to a manual actuation.

Modifications made to the SFRCS system logic and to actuated equipment also increase the probability of proper actuation. For example, the configuration of the Auxiliary Feedwater System steam supply in the standby mode (maintaining steam headers in the hot condition) has improved the reliability of the starting and continued operation of the Auxiliary Feed pump turbines. The reliable operation of motor operated valves has been improved by new maintenance and testing techniques. The SFRCS system logic has been modified to prevent total isolation of both steam generators.

The operator's ability to identify the cause of an SFRCS actuation has been improved by changes made to the annunciators associated with SFRCS actuation (see HED 9.2.018), which give the operator additional time to perform the task of actuation verification.

The control room operators are very familiar with the layout of SFRCS related controls and displays. Operator training has routinely stressed proper SFRCS actuation. The improper manual SFRCS actuation which occurred on June 9, 1985 was very quickly recognized by the operators. Additional equipment malfunctions which occurred on June 9, 1985 were also quickly recognized by the operators.

The SFRCS has had many actuations in the past, some of which have involved individual component failures which the operators have always identified and corrected with the present configuration. This rapid identification of improper system actuation is possible because verification of the major SFRCS system functions can be quickly accomplished without verifying the specific status of each actuated component. The specific operator tasks in the Emergency Operating Procedure (EOP) related to this HED are statements that require the operator, after any auto or manual SFRCS actuation, to "verify proper SFRCS actuation for the trip parameters present." The specific guidance in the procedure on how to accomplish the step lists the annunciators used to determine the trip parameter and references a table which should be used to verify the components have actuated correctly. The table is laid out by trip parameter, to give desired component state and control room panel location. The effect of an operator error in this task would only be relevant if an improper component actuation had actually occurred. A failure of the SFRCS to properly actuate would lead to an RCS overcooling or overheating symptom. The symptom based EOP would direct the operator to a procedure section which deals with all the possible causes of the symptom.

The operators have also been trained that overcooling or overheating are always caused by loss of SG inventory or loss of SG pressure control. The appropriate procedure section will require a reverification of proper SFRCS actuation. Since the operator has entered a procedure section that specifically addresses secondary plant failures, and his training and plant knowledge also tells him he has a failure related to SG inventory and pressure control, any initial verification error would be corrected at this point as he makes the reverification looking specifically for a failed component.

Based on the fact that the symptom based EOP requires continual verification and checking for cause until the symptom is mitigated and based on the fact this has not been a specific problem in the past, operation of the plant in the present configuration is justified until the change can be made in the 5th refueling outage.

SCHEDULE:

Corrective actions identified by the SFRCS Special Study will be implemented during the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

Improper actuation of SFRCS would lead to either overcooling or overheating of the RCS. The symptom-based EOPs in this case would direct the operator to look for the cause of the problem. In addition, familiarity of the control room operators with the SFRCS layout, emphasis on the importance of verification of SFRCS actuation during operator training, the quick recognition of the improper actuation of SFRCS by the operators during the June 9, 1985 incident, and licensee actions described below indicate that this HED need not preclude Davis-Besse restart.

ACTIONS TO BE COMPLETED BY TED

During the SFRCS Special Study, TED has agreed to consider this HED in conjunction with all other SFRCS-related HEDs, such as 9.2.042, 9.2.018, and 9.2.054, in order that these HEDs are addressed in a coordinated fashion. The resulting design developments, such as a centrally located arrangement of SFRCS controls and displays, are currently scheduled to be implemented during the next (5th) refueling outage.

Furthermore, TED has committed to provide additional training to control room operators which is specifically related to the SFRCS actuation identification or to place emphasis in the appropriate sections of existing training plans to assure the operators' familiarity with existing control modifications and with the steps necessary to identify and actuate the SFRCS system.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.033

TITLE: Spatial Relationship of Auxiliary Feedwater Components

ITEMS INVOLVED:

Panel No.   Instrument No.   Description
C5709       HIS-3871         Auxiliary Feed Pump No. 2 Discharge to Steam Generator No. 1 Isolation Valve
            HIS-3872         Auxiliary Feed Pump No. 2 Discharge to Steam Generator No. 2 Isolation Valve
            HIS-5889A        Auxiliary Feed Pump No. 1 Steam Inlet Valve
            HIS-5889B        Auxiliary Feed Pump No. 2 Steam Inlet Valve
            PI-505           Auxiliary Feed Pump 1 Discharge Pressure
            PI-509           Auxiliary Feed Pump 2 Discharge Pressure
            FI-4521          Auxiliary Feed Pump 1 Feedwater Flow
            FI-4522          Auxiliary Feed Pump 2 Feedwater Flow
            SI-815           Auxiliary Feed Pump Turbine No. 1 Speed
            SI-816           Auxiliary Feed Pump Turbine No. 2 Speed
C5799       FI-4630          PAM Panel Auxiliary Feedwater Flow to Steam Generator 1
C5798       FI-4631          PAM Panel Auxiliary Feedwater Flow to Steam Generator 2
C5706       HIS-3869         Auxiliary Feed Pump No. 1 Discharge to Steam Generator No. 2 Isolation Valve
            HIS-3870         Auxiliary Feed Pump No. 1 Discharge to Steam Generator No. 1 Isolation Valve
            HIS-608A         Steam Generator 1 Auxiliary Feedwater Isolation Valve
            HIS-608B         Steam Generator 1 Auxiliary Feedwater Isolation Valve
            HIS-599A         Steam Generator 2 Auxiliary Feedwater Isolation Valve
            HIS-599B         Steam Generator 2 Auxiliary Feedwater Isolation Valve
            HIS-106A         Main Steam Line No. 1 to Auxiliary Feed Pump Turbine No. 1 Isolation Valve
            HIS-106E         Main Steam Line No. 2 to Auxiliary Feed Pump Turbine No. 1 Isolation Valve
            HIS-107A         Main Steam Line No. 2 to Auxiliary Feed Pump Turbine No. 2 Isolation Valve
            HIS-107E         Main Steam Line No. 1 to Auxiliary Feed Pump Turbine No. 2 Isolation Valve

PROBLEM DESCRIPTION:

The displays and indications associated with the AFW System are not centrally located, which complicates the task of verifying proper system operation. This HED is essentially the same as HED 9.2.001, applying to a subset of those components actuated by SFRCS.

SPECIFIC ERROR:

Control substitution errors, display substitution errors, time delays in operating the AFW System, using displays or actuating controls out of sequence.

ASSESSMENT JUSTIFICATION:

This is a generic problem associated with all Auxiliary Feedwater System displays and controls; therefore, this HED will be generically assessed.

Although the distribution of the Auxiliary Feedwater System controls and displays complicates the task of verifying proper system operation, the necessary information is available in the control room and proper system operation is not dependent on operator verification. While the components associated with Auxiliary Feedwater System operation are not centrally located, proper system operation can be verified without specifically verifying that each associated component has been properly actuated by SFRCS.

Proper AFW System operation can be verified using steam generator level and pressure indications and additionally by monitoring primary system indications including pressurizer level and RCS pressure. When considered by itself the likelihood of improper operator action as a result of this specific problem is very low. Considering other HEDs associated with the SFRCS and AFW System (see HED 5.1.006, 5.1.007, 5.1.009, 9.2.001, 9.2.005, 9.2.007, 9.2.020, 9.2.954), this HED has been conservatively categorized as IIA-M.


DISPOSITION:

The controls and displays on vertical panel C-5717 are hand indicating switches used primarily to verify proper automatic SFRCS actuation of specific components. Once proper SFRCS actuation of these components has been verified, further monitoring of the indications on C-5717 is not required unless an additional initiating event changes SFRCS actuation, in which case the EOP directs the operator to re-verify proper component actuation.

Except for verification of specific component actuation, the operator uses the more centrally located controls and indications on the main console (panels C-5706 and C-5709) for continued monitoring of AFW System operation.

The disposition to HED 9.2.020, which will more clearly group the AFW related components on panel C-5717, will improve the ability of the operator to distinguish the AFW controls/indications now nested in the SFAS Level 4 Incident group from similar and proximate controls. This will improve the operator's ability to properly identify the AFW components on C-5717, thereby mitigating the probability of error associated with this HED.

A major effort to centralize and improve the arrangement of SFRCS and AFW related components has been initiated in conjunction with the SFRCS Special Study. The implementation of the corrective actions identified is to be made during the next (5th) refueling outage. Additional discussion of the impact of the existing SFRCS and AFW control/display configuration on the use of the EOPs is provided in HED 9.2.001.

SCHEDULE:

Corrective actions for this HED are to be developed in conjunction with the SFRCS Special Study and implemented in the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

This HED is a subset of HED 9.2.001. As was discussed for that HED, a combination of operator familiarity with the layout, operator training and the actual response of the operators to a real case indicates that this is not a major problem. In this particular case the licensee has committed to specific additional training of the operators.

ACTIONS TO BE COMPLETED BY TED

As indicated by HED 9.2.020, the AFW related components on panel C-5717 will be clearly grouped to improve the ability to distinguish AFW components from SFAS components. Relabeling enhancements and removing the spare controls in the SFAS Incident Level 4 group next to the AFW controls will be accomplished prior to restart. Final resolution of the AFW controls and displays in SFAS Level 4 should be identified during the SFRCS Special Study and implemented by the fifth refueling outage.

Additional training on existing systems to include modifications implemented to AFW should be completed prior to restart.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 5.1.007

TITLE: Pointers On Meters Do Not Fail Offscale

ITEMS INVOLVED:

Meter/Location  Description                   Category
PI SP128        Steam Generator Pressure      III
PI SP128        Steam Generator Pressure      III
LI SP981        Steam Generator Level         IIA-M
LI SP9A1        Steam Generator Level         IIA-M
FYI HP 3A       High Pressure Injection Flow  III
FYI HP 3B       High Pressure Injection Flow  III
FYI HP 3C       High Pressure Injection Flow  III
FYI HP 3D       High Pressure Injection Flow  III
FI DH 2A        Decay Heat Flow               III
FI DH 2B        Decay Heat Flow               III

PROBLEM DESCRIPTION:

When these instruments fail, the failure of the meter is not apparent to the operator, and the pointer fails center scale as opposed to off-scale. The Bailey Meter equipment supplied with the NNI and ICS systems will fail to center scale on loss of power to the meter, but these are monitored by an annunciator alarm circuit for blown fuse. The individual meter(s) affected by the blown fuse can be determined by the operator; therefore the failure would be apparent to the operator before he would take action based on the meter reading. This set of meters is therefore not included in this HED.

The meters listed above are not supplied power by the NNI or ICS Systems.

The redundant pressurizer level indicators on panel C5705, LIRC14-3 and LIRC14-4, also fail center scale when the meter power is lost. These meters are powered via separate safety grade power supplies. The failure would be apparent before action was taken by comparison of the meters to each other and comparison with the temperature compensated pressurizer level recorder on the same panel. These meters are therefore not included in the HED.

SPECIFIC ERROR:

With no method of determining the meter is failed, if the meter pointer failure position is on scale, the operator might take action based on the failed meter.

ASSESSMENT JUSTIFICATION:

A new Administrative Procedure has been implemented which requires a control room operator to fill out a Critical Systems Checklist and a Critical Parameters Checklist prior to assuming duties in the control room. Readings from all the meters on this HED are on the checklists. A center scale indication on flowmeters FYI HP3A, FYI HP3B, FYI HP3C, FYI HP3D, FI DH2B, and FI DH2A would be immediately apparent to the operator at this time as a failed indicator based on the pump status (off), which is also on the checklist. The operator will then be aware of the failed meter status and will not take actions based on the meter reading. The error assessment category for these six meters is therefore category III.

A center scale indication on PI SP12B or PI SP12A would be immediately apparent to the operator at this time as a failed indicator based on comparison with plant status, e.g., it is not possible for one SG to be operating at 600 psig at steady state power. For these conditions to be true the reactor and SFRCS System would have tripped and a plant transient would be in progress. The operator will then be aware of the failed meter status and will not take actions based on the meter reading. The error assessment category for these two meters is therefore Category III.

A center scale indication on LI SP981 or LI SP9A1 could possibly be diagnosed as a normal indication in the highly unlikely condition that the comparison was being made at the one unique power level that corresponds to this level. These indicators vary in a linear fashion from 40" at 28% power to approximately 160" at 100% power. The center scale failure position is 125". The operator uses this indication in the Emergency Procedure (EP) for two different tasks.

The first is for a reactor trip without an SFRCS isolation trip, where the operator is required to verify MFW response is proper. The guidance given to make this verification is that MFW flow (recorder and indicator on the same panel) and SG level decrease. The step was written to require checking both parameters for the specific reason of not wanting the operator to take action based on one indication which might be failed. At this time the operator would notice the level indicator at center scale not decreasing and would make a comparison with the two other level indications (different ranges which overlap the meter failed at center scale) on the same panel and realize the indicator was failed. Further, the contingency action identified in the EP to be taken if the verification cannot be made is addressed by the operator action required to prevent SG overfill. The EP step requires tripping the MFPs only if MFW flow will not decrease to a SG and the same SG level is increasing. This step is again written to prevent inadvertent action in case of a failed indicator. At this point the operator would clearly identify the level meter as failed, since by operator training he knows it is not possible to decrease MFW flow to a SG and not cause the level to decrease. He has three level indications and two flow indications on the same panel to use for this task. The error assessment category for these two meters for this task is therefore Category III.

The second task in the EP which requires the operator to use this indication is after an SFRCS actuation (which by design also causes the reactor to trip) to verify proper SG level control by the AFW System. At this point, if the operator failed to make a comparison with the two ranges of SG level mentioned in the first task, he could defeat the safety function for this AFW train by taking manual control and attempting to lower the level by decreasing AFW flow. Although the operator is not likely to continue this action until the SG is dry (based on two other SG level indications and the operator's expectancy of seeing SG level decrease when feedwater flow is decreased), the error assessment category is II. Since the potential exists for degrading a safety function, the significance category is A-M.

DISPOSITION:

Although the potential for operator error as a result of this problem exists, a redundant safety grade SG level meter is going to be installed in the control room for each SG. This meter will be supplied by a transmitter which is independent of the present LI SP981 instrument string. Addition of these redundant SG level strings will provide a safety grade meter for comparison use by the operator when performing the required tasks in the EP. The operator will then have a method of positively determining the meter is failed and will not take action based on an indication with a non-apparent failure. The addition of new safety grade SG level instruments is planned in conjunction with installation of the new SFRCS panel (HED 9.2-001, HED 9.2-033) and is planned for completion in the 5th refueling outage.

The meters listed in this HED are powered from essential power from the Auxiliary Shutdown Panel.

SCHEDULE:

Modifications from the SFRCS special study will be implemented in the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

The main concern in this HED was related to High Pressure Injection System (HPIS) flow, where having two meters for the same pump showing two different readings, one midscale due to power failure and one the actual flow, would be confusing to the operator. The licensee indicates that failure of power to the HPSI flow meters for each pump would fail both of the meters midscale. In addition, the licensee indicates that their symptom-oriented procedures prohibit the operators from changing the HPSI flow unless the operators can, based on other indicators, verify that the core is covered and properly cooled. This reduces the possibility of inappropriate operator action based on the failed meters. Thus, this HED should not affect the Davis-Besse restart decision.

ACTIONS TO BE COMPLETED BY TED

TED has agreed to upgrade the HPI meters from category III to category II and to include them in the ongoing display study with a view toward replacing meters that fail center-scale with meters that fail off-scale.

Prior to restart, TED should conduct training to ensure that operators are aware of the potential for the present meters to fail, are able to recognize this situation and to respond properly.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.084

TITLE: Information Displays Not Available in Control Room

ITEMS INVOLVED:

Deaerator level control valve position indication

PROBLEM DESCRIPTION:

There is no display in the control room to indicate the actual valve position of the deaerator level control valve, which complicates the operator's evaluation of secondary side transients affecting the deaerator level. The deaerator level control indicates the demand signal sent to the control valve, but not the actual valve position. The valve has a history of sluggish operation, and the operator is not sure that the valve is responding during a transient.

SPECIFIC ERROR:

Delay in determining control valve position, delay in evaluating secondary side transient.

ASSESSMENT JUSTIFICATION:

Although this condition has not caused any reactor/turbine trips, it has led to confusion in post trip conditions and could potentially contribute to the inability to correct the transient at power, resulting in a reactor/turbine trip. Because this problem has occurred, the error assessment category is I.

The use of this control is outside the scope of the emergency operating procedure. Under some circumstances, it could contribute to a reactor/turbine trip, but has no other bearing on safe plant operation. The significance category is B-L.

DISPOSITION:

The HED will be examined as part of the Display Special Study which will evaluate the generic problem of demand versus actual indications.

Deaerator level indication is available in the control room and can be used to infer the control valve position. Addition of the valve position indication prior to restart is not required.

SCHEDULE:

The Display Special Study will commence following restart.


SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

The deaerator level is indicated in the control room. In addition, there is a high and low deaerator level alarm. The combination of these provides sufficient information to the operator such that complete resolution of this HED is not essential to a restart decision.

ACTIONS TO BE COMPLETED BY TED

The Display Special Study will evaluate the generic problem of demand versus actual indications. Corrective actions should be completed during the next (5th) refueling outage.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.030

TITLE: Reactor Coolant System Temperature Display Visibility

ITEMS INVOLVED:

Panel 5710:  TI-RC4, Unit RC Tc
             TRS-RC3, RC Th
Panel 5718:  TI-RC4B1, RC Tc NR Loop 1
             TI-RC4A1, RC Tc NR Loop 2
             TI RC381, RC Tc WR Loop 1
             TI-RC3A1, RC Tc WR Loop 2
             TI-RC482, RC Th NR Loop 1
             TI-RC4A2, RC Th NR Loop 2

PROBLEM DESCRIPTION:

The problem is that whenever Tc and Th are outside of the 520-620 degree F range, the operator has no displays available at the C-5709 console to compare Th and Tc.

At the console (Panel C-5709), the only displays the operator has to work with are narrow range Tc, narrow range Th, and WT, all of which are operable in the range 520-620 degree F. No wide range displays of Th or Tc are available on the console.

Vertical panel C-5718 has wide range Tc, as well as narrow range Th and Tc, but does not have wide range Th.

The PAM panel has wide and narrow range indications for both Th and Tc. Therefore, the only place in the control room where hard-wired wide range displays of both Th and Tc exist is the PAM panel. The PAM panel is approximately 15 feet to the left of the operator position at console C-5709, where the AFW controls are. The operator cannot read the PAM displays from the console and must go over to the PAM panel to compare Th and Tc.

SPECIFIC ERROR:

Display reading errors or timing delays in comparing Tc and Th.

ASSESSMENT JUSTIFICATION:

This HED concerns a problem generically associated with the components listed and is therefore assessed generically. Comparison of Tc and Th is required in four situations: (1) verify primary to secondary heat transfer, (2) check for natural circulation, (3) check for inadequate core cooling, and (4) check for excessive heat transfer (overcooling).


The potential for error occurs whenever the operator is required to compare Tc to Th and Th is not within the range of 520-620 degrees F. Whenever this situation occurs, the operator must either use the PAM panel displays or the SPDS to compare Th and Tc. None of these situations requires a time critical response that would be compromised due to the time required to use one of these positions in the control room to compare Th and Tc.

Although other significant HEDs exist with respect to the PAM panel indications (see HED 5.1.029, 9.8.007), this HED is not specifically affected by PAM panel indicator inaccuracies. The potential for operator error as a result of this problem is low and this HED has been categorized as III.

DISPOSITION:

Under normal post trip conditions, narrow range Tc and Th instruments will be on scale and adequate instrumentation exists on both the front console and vertical panel to verify natural circulation.

Because the tasks involving comparison of Tc and Th are not sufficiently time critical to preclude the operator obtaining Tc and Th from one of the locations in the control room where appropriate displays exist, no change to physically install a wide range Tc or Th on the console is necessary.

SCHEDULE:

Complete.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

The concern in this case was related to accident scenarios where the primary system temperature is higher than 620°F and the operator needs to check Tc and Th frequently. The licensee indicates that there are no accident scenarios where the primary system temperature is greater than 620°F and the operators need to track the movement of Tc and Th frequently. Thus, this HED is resolved.

ACTION TO BE COMPLETED BY TED

None.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.8.007

TITLE: Displays That Do Not Provide the Precision or Accuracy Required

ITEMS INVOLVED:

Panel    Component ID       Description                       Category
C-5798   TIRC3B6/TIRC482A   Loop 1 Temperature                IIA-L
         TIRC3A6/TIRC4A2A   Loop 2 Temperature                IIA-L
         TI 4628            Incore Temperature                IIA-L
C-5799   TIRC3B5/TIRC484    Loop 1 Temperature                IIA-L
         TIRC3A5/TIRC4A4    Loop 2 Temperature                IIA-L
         TI 4627            Incore Temperature                IIA-L
C-5712   LI SP981           Steam Generator Startup Level #1  IIA-L
         LI SP9A1           Steam Generator Startup Level #2  IIA-L

PROBLEM DESCRIPTION:

Operators indicated that the displays listed above do not provide the precision or accuracy required.

SPECIFIC ERROR:

Misinterpretation of display information. Misread the display.

ASSESSMENT JUSTIFICATION:

The Post Accident Monitoring (PAM) Panel C5798 and C5799 is by design intended to be a backup monitoring system. The only meters on the PAM panel which are referenced by the Emergency Procedure (EP) to be used for an operator task are the incore thermocouple meters (TI 4627 and TI 4628) and the wide range hot leg temperatures (TIRC3A5, TIRC3B5, TIRC3A6 and TIRC3B6), and the margin to saturation meters (TDI 4950-TDI 4951). The margin to saturation meters are large digital displays and are not associated with the problem described in the HED. The incore thermocouple meters are the primary indication to be used for determination of inadequate core cooling (ICC) conditions. Entry into the EP section for ICC and the operator actions in the ICC section are based on the indications from these meters. The meters are readable to the accuracy required by the procedure. The meters are readable to one half of one scale increment (5 degrees F) accuracy, which is more accurate than the technical basis which defined the procedure steps. The error assessment category for these meters is therefore III.

The wide range hot leg temperatures are only used as a backup indication to the four control panel mounted hot leg temperature meters (two of the control panel meters are safety grade and two are NNI system powered). The operator task required by the EP is the initiation of the "Feed and Bleed" cooling mode, after a complete loss of all feedwater to the SGs, when either loop hot leg temperature reaches 600 degrees F. The PAM panel meters are only required by the EP if all the control panel hot leg temperature indication has been lost. In the unlikely event all four control panel hot leg temperature meters are lost, the operator would have to make the determination based on the PAM panel hot leg meters, which are also readable to 5 degrees F accuracy. The EP criteria of initiation at 600 degrees F is more than 5 degrees F below the initiation temperature required by analysis. The error assessment category for these meters is therefore III.

If these PAM panel hot leg temperatures are also lost, the incore thermocouple temperature meters mentioned above are used by the operator. These have the same readable accuracy as the hot leg temperatures as mentioned above.

Considering other HEDs related to the PAM panel, this HED has been conservatively upgraded to IIA-L for PAM panel indications.

The Steam Generator (SG) level indication is required to verify an adequate heat sink is available for post trip decay heat removal capability. Proper operation of the main or auxiliary feedwater control systems is verified by observing proper post trip SG level. The SG startup level meters themselves can easily be read to enough accuracy to indicate adequate inventory for decay heat removal. HED 9.2.42 addresses the concern that operators have with the precision of these meters in relation to SFRCS low SG trip.

DISPOSITION:

As described in the Assessment Justification section, continued operation with the present design of the PAM panel will not adversely affect performance of EOPs. However, due to other HEDs associated with this panel, the Special Study on Displays to be completed after restart is expected to recommend major changes to these displays. These changes are expected to be completed in the 5th refueling outage.

The Disposition of HED 9.2.42 addresses concerns with the SG startup level indication. The short term fix of increasing the margin between SG low level limit control and the SFRCS low SG level trip set point will reduce the likelihood of SFRCS trips and challenges to safety systems.

SCHEDULE:

The Display Study generated corrective actions with respect to the PAM panel indications will be implemented in the next (5th) refueling outage.


SAIC's TECHNICAL EVALUATION CONCLUSION AND STAFF POSITION:

The main concern in this HED is related to the accuracy of the steam generator level indications which are addressed in HED 9.2.042.

ACTIONS TO BE COMPLETED BY TED

TED will implement corrective actions identified by the Display Special Study during the next (5th) refueling outage.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.007

TITLE: Displayed Auxiliary Feedwater Flow Indication Not Sufficiently Accurate

ITEMS INVOLVED:

FI-4521 and FI-4522, Auxiliary Feedwater Pump 1, 2 Flow Indication

PROBLEM DESCRIPTION:

The normal Auxiliary Feedwater (AFW) flow indication on the main control console is less accurate than the flow indication on the Post Accident Monitoring (PAM) panel. The indication on the PAM panel is derived from a differential pressure sensor, while the flow indication on the main console is based on an ultrasonic flow device. The ultrasonic flow device is less accurate and occasionally results in indicated flow discrepancies between the two indications. The differential pressure based indication on the PAM panel is more accurate but inconvenient to use with AFW controls on the main console.

SPECIFIC ERROR:

Decision errors based on inaccurate information in using ultrasonic flow indication. Time delay in using PAM panel indication.

ASSESSMENT JUSTIFICATION:

The problems associated with both Auxiliary Feed Pump flow indications are identical, and this HED can, therefore, be generically assessed. The inaccurate or unreliable flow indication and the resulting discrepancy between flow indications can potentially cause confusion. As directed by the Emergency Operating Procedure, however, the operator does not take control action on the basis of a single indication, and proper AFWS operation is more appropriately verified using steam generator (SG) levels and pressure. Auxiliary Feedpump operation can further be verified through pump speed and pump discharge pressure indications. While the operator may benefit from a general indication of AFW flow rate, the error potential of this HED by itself is relatively low. Taken in conjunction with other SFRCS and AFWS HEDs (see HED 5.1.006, 5.1.007, 5.1.009, 9.2.001, 9.2.020, 9.2.033), this HED has been conservatively categorized as IIA-L.

DISPOSITION:

These instruments now have a more rigidly defined refueling channel calibration requirement and monthly channel check requirement which did not exist at the time of the operator interviews. This requirement will provide improved reliability and accuracy which fully addresses this HED. This problem will be further addressed in conjunction with the SFRCS Special Study. The ultrasonic flow devices will be replaced with differential pressure based instrumentation, which will also have an expanded range to correct the related portion of HED 5.1.006. These modifications are to be implemented in the next (5th) refueling outage.

SCHEDULE:

Refueling calibration and monthly channel check surveillance test procedures have been established. Corrective actions resulting from the SFRCS Special Study will be implemented within the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

The licensee indicates that the operators rely substantially on SG pressure and level and no specific operator actions are taken solely based on AFWS flow. In addition, the new channel checks and calibration requirements should improve the reliability and accuracy of the AFWS flow meters. Finally, the licensee has committed to replace the ultrasonic flow devices by differential pressure-based instrumentation during the fifth refueling outage. Thus, this HED should not affect the restart decision.

ACTIONS TO BE COMPLETED BY TED

Corrective actions that result from the SFRCS Special Study to improve reliability and accuracy should be implemented during the next (5th) refueling outage.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.042

TITLE: Steam Generator Level Inputs to SFRCS and Control Room Indications Differ

ITEMS INVOLVED:

Steam Generator level inputs to Steam and Feedwater Rupture Control System (SFRCS)
Steam Generator level inputs to Integrated Control System (ICS)
Control Room Steam Generator level indications LI-SP981 and LI-SP9A1

PROBLEM DESCRIPTION:

Steam Generator level inputs feeding the SFRCS differ from those feeding the ICS and the Control Room startup level indications. The instrument strings contain different types of components and are calibrated differently. Consequently, the indicated levels do not always agree. Operators have reported that this condition has led to SFRCS actuation on low steam generator level even though the Control Room meter indicated an acceptable level.

SPECIFIC ERROR:

Interpretation errors, errors of omission (failure to correct decreasing steam generator level).

ASSESSMENT JUSTIFICATION:

Since such events have occurred, the error assessment category of this HED is I.

Although the instrument string indication differences can lead to an unnecessary SFRCS trip, the instrument strings are sufficiently accurate to assure proper SFRCS operation and Auxiliary Feedwater system level control such that no safety function is compromised. The significance classification of this HED is A-L.

DISPOSITION:

FCR 85-201 has been implemented to modify the ICS low steam generator level limit. The modification will increase the limit by 5 inches to a nominal 40 inches, thus providing an additional margin to the SFRCS low level trip setpoint. This modification itself should eliminate unnecessary SFRCS trips and does not create any new HEDs since only a control setpoint is affected.

An additional corrective action is to be considered in the SFRCS Special Study. The inclusion of a steam generator level indication from the SFRCS level input strings is being considered. This would provide the operator with a direct indication of the level signal feeding SFRCS.

SCHEDULE:

FCR 85-201 has been completed. Additional corrective action developed in conjunction with the SFRCS special study will be implemented in the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

The concern in this HED is the possible operator confusion due to actuation of the AFWS based on low SG level when the control room SG level indicators show sufficiently high SG level that AFWS actuation is not necessary. The interim solution given by the licensee is to increase the SG level at which AFW is automatically actuated so that the difference between the point where the AFWS is actuated and the indications in the control room is reduced. The licensee has also committed to studying the addition of a SG level indication in the control room that is fed from SFRCS level input strings so that the difference between the SG action level and the obscured level in the control room is eliminated. The interim solution offered by the licensee is sufficient to allow the restart without significant concern from this HED.

ACTION TO BE COMPLETED BY TED

During the SFRCS special study, TED should consider the inclusion of a steam generator level indicator from the SFRCS level input strings to provide the operator with a direct indication of the level signal feeding SFRCS.

Corrective actions developed from the SFRCS study should be implemented during the 5th refueling outage.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 5.1.009

TITLE: Dual Meter Indicators that are Confusing to Read

ITEMS INVOLVED:

Item                                                              Category
FIMU31/FIMU34, Makeup Flow Indication High/Low Range              IIA-M
PI505/FI4521, Auxiliary Feed Pump 1 Discharge Pressure/Flow       IIA-M
PI509/FI4522, Auxiliary Feed Pump 2 Discharge Pressure/Flow       IIA-M

PROBLEM DESCRIPTION:

The meters listed each have two pointers and two scales within a single meter case. Both have been identified as being potentially confusing to read. The makeup flow indication has two scales which represent a low range and a wide range flow and can be confusing to read because of the close proximity of the scale graduations. The Auxiliary Feed Pump (AFP) discharge pressure and flow indications for both Pumps 1 and 2 have caused confusion with respect to which scale indicates which parameter.

SPECIFIC ERROR:

It is possible for an operator to become confused when reading dual scale meters and take inappropriate action.

ASSESSMENT JUSTIFICATION:

The dual meter indicators listed provide potential for confusion when reading the meters. The two dual indicating meters associated with the AFPs may be considered together with respect to this HED, while the assessment of the makeup flow indication must be considered independently.

Although the discharge pressure and flow indicators of the AFP meters may be confused for one another, proper operation of the Auxiliary Feedwater System (AFWS) is more directly indicated by steam generator levels and pressures such that an incorrect operator action on the basis of an incorrectly read discharge pressure or flow alone is very unlikely. AFP turbine speed is also available for each turbine to provide additional indication of pump operation.

Although the error assessment potential as the result of this HED alone is low, it has been conservatively categorized as IIA-M after consideration of other related HEDs affecting SFRCS and AFWS (see HED 5.1.006, 9.2.001, 9.2.007, 9.2.020, 9.2.033).

The scale arrangement and the makeup flow indication may cause the operator to misread the indicated makeup flow. However, Emergency Operating Procedures direct the operator to maintain maximum makeup flow when makeup flow is required, and, therefore, the operator should not take inappropriate actions based on an erroneous reading. Although the potential for performing inappropriate actions as a result of this condition is low, the meter can be confusing to read, and considering the significance of RCS makeup flow in the feed and bleed cooling mode as a backup to normal and AFW, the category of this component problem is IIA-M.

DISPOSITION:

Different labeling enhancements are currently being evaluated for application to the AFP meters prior to restart. The intent of the enhancement is to more clearly identify the individual scales. This problem will be completely addressed in the SFRCS Special Study. The AFP indications are to be included as a part of the centralized SFRCS panel arrangement to be installed in the next (5th) refueling outage.

The wide range indication of makeup flow has been expanded to include the maximum anticipated flow range as described in HED 5.1.006. This will reduce potential confusion in high makeup flow situations, but does not directly address the scale problem. In conjunction with the range modification, the meter scale must be changed. The specific modification is currently being developed, and a new scale face or the installation of two meters will address this concern completely prior to restart.

SCHEDULE:

The labeling enhancement for the AFP indicators will be finalized and installed prior to restart and final corrective action will be taken during the next (5th) refueling outage in conjunction with SFRCS panel installation.

Corrective action for the makeup flow indication will be developed in conjunction with the correction to HED 5.1.006 prior to restart.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

The interim solution offered by the licensee consists of proper labeling of the AFW pump discharge pressure/flow indications to reduce the confusion due to two different scales on these indicators. In addition, this HED will be studied in more detail beyond the restart date. The interim solution eliminates any immediate concerns about this HED with respect to the restart decision.

ACTIONS TO BE COMPLETED BY TED

Interim labeling enhancements for the AFP indicators should be installed prior to restart with the permanent corrective action to be addressed during the SFRCS Special Study and installed during the next (5th) refueling outage as part of the centralized SFRCS panel.

The corrective actions for the wide range indication and meter scale deficiencies associated with the makeup flow indication should be developed and installed prior to restart. Finally, TED should provide the NRC with inputs which describe how the instrument and control characteristics were considered in the development of the interim or permanent hardware fixes applied to the control boards prior to restart.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.005
TITLE: Misleading Panel Arrangement for ICS Input Select Switches

ITEMS INVOLVED:

HS SP128/PI SP128, Steam Generator 1 Pressure
HS SP12A/PI SP12A, Steam Generator 2 Pressure
HS SP982/LI SP981, Steam Generator 1 Level
HS SP9A2/LI SP9A1, Steam Generator 2 Level

PROBLEM DESCRIPTION:

When two redundant parameter signals are available and selectable by hand switch, the selected signal is normally indicated on an associated display.

In the case of these four switches and their associated indicators the signal displayed is fixed such that manipulating the apparently associated selector switch does not affect the display variable, but does affect the input to the Integrated Control System (ICS) for control. These four switches have been labeled ICS INPUT SELECT to distinguish them from similar instrument select switches. These four switches are an exception to the general design of instrument select switches in the control room.

SPECIFIC ERROR:

Incorrectly associating the display with the proximate control.

ASSESSMENT JUSTIFICATION:

The problems associated with the four switch/display combinations listed are identical, and their assessment may be considered generic. The inconsistent control display relationship creates the potential for an operator to incorrectly assume that redundant signals are available for these indicators.

Although the potential for a misinterpretation of the display exists, inappropriate operator action on the basis of a single display is unlikely since the Emergency Operating Procedure and operator training stress the use of associated information wherever possible. These indicators, however, are used to support the verification of proper Auxiliary Feedwater (AFW) System operation and taken in conjunction with other associated HEDs on AFW and SFRCS (see HED 5.1.007, 9.2.001, 9.2.020, 9.2.033), the category of this HED has been conservatively set at IIA-M.

An additional consequence of this problem is the potential for an operator to incorrectly transfer an inaccurate or failed signal into the ICS. Although the effects of such an error would be quickly identified by Control System actions, under certain conditions the error may result in a reactor trip. Station procedures require a preferred instrument switch lineup and clearly require the operator to check the indication via the computer prior to selecting an alternate instrument. Therefore, it is unlikely that an operator would transfer a failed signal into the ICS during power operation.

DISPOSITION:

Different labeling modifications are being evaluated as an enhancement for this HED prior to restart. The options under consideration are intended to indicate the specific relationship between the indicator and the hand switch, and since the selection option will only be applied to these specific switch/display combinations, the inconsistency with the convention used in the remainder of the control room will be clearly evident. This labeling modification will provide an acceptable resolution to this particular condition; however, this HED will be considered further in conjunction with the SFRCS Special Study.

SCHEDULE:

The labeling enhancement will be finalized and implemented prior to restart and any additional corrective actions identified in conjunction with the SFRCS Special Study will be implemented in the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION CONCLUSION AND STAFF POSITION:

Based upon both discussions and documentation submitted by TED, the staff concludes that the interim solutions proposed for labeling modifications will substantially resolve the staff's concerns related to incorrectly associating the involved displays and controls.

ACTIONS TO BE COMPLETED BY TED

Interim labeling enhancements should be completed prior to restart. Final corrective actions should be identified during the SFRCS Special Study and installed during the 5th refueling outage. TED should provide the NRC with inputs which describe how the instrument and control characteristics were considered in the development of the interim or permanent hardware fixes to the control boards prior to restart.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 1.7.010
TITLE: No Lamp Test; Dual Bulbs or Dual Filament Bulbs

ITEMS INVOLVED:

Panel ID   Component ID   Component Description        Category
C5703      HIS MU2B       Letdown Isol                 III
           HIS 3971       Mu Pump Suction              III
C5704      HIS DH11A      Control Power Off Ind        III
           HIS DH12A      Control Power Off Ind        III
           HIS DH11       Decay Heat Suction           III
           HIS DH12       Decay Heat Suction           III
           HIS DH1517     Decay Heat Suction           III
           HIS DH1518     Decay Heat Suction           III
           HIS DH830      Decay Heat X Connect         III
           HIS DH831      Decay Heat X Connect         III
C5705      HIS RC11       PORV Block                   III
           HIS RC2-6      PORV Pilot Lvr Position      III
           HIS RC2-1      Press Spray Control Vlv      III
           HIS RC10       Press Spray Block Vlv        III
           HIS 2735       Aux Spray to Pressurizer     III
           HIS 2736       Aux Spray to Pressurizer     III
C5706      HIS 3869       AFP Discharge                IIA-L
           HIS 3870       AFP Discharge                IIA-L
           HIS 3871       AFP Discharge                IIA-L
           HIS 3872       AFP Discharge                IIA-L
C5709      HIS 5889A      AFP Steam Inlet              IIA-L
           HIS 5889B      AFP Steam Inlet              IIA-L
C5716      HIS HP32       HPI Minimum Flow Isol        III
           HIS HP31       HPI Minimum Flow Isol        III
           HIS DH64       DH to HPI Piggyback          III
           HIS DH63       DH to HPI Piggyback          III
C5717      HIS ICS11B     Atmospheric Vent Valve       IIA-L
           HIS ICS11A     Atmospheric Vent Valve       IIA-L
           HIS 107A       Mn Stm Line 2 to AFTP2       IIA-L
           HIS 107E       Mn Stm Line 2 to AFTP2       IIA-L
           HIS 601A       MFW Containment Isol         IIA-L
           HIS 106A       Mn Stm Line 1 to AFPT 1      IIA-L
           HIS 106E       Mn Stm Line 2 to AFPT 2      IIA-L
           HIS 612A       MFW Containment Isol         IIA-L
           HIS 394        SG Warm Up Drains            IIA-L
           HIS 375        SG Warm Up Drains            IIA-L
C5721      HIS 779        MFW Block Isolation          IIA-L
           HIS 780        MFW Block Isolation          IIA-L
           HIS 611        Steam Generator Drains       IIA-L
           HIS 603        Steam Generator Drains       IIA-L

PROBLEM DESCRIPTION:

Lamp test, dual bulbs or dual filament bulbs are not provided for the majority of the indicator lights on the control boards. Since the presence of a light is the primary means by which light indicators communicate a message, it becomes essential that the light signal be physically reliable.

Unreliable bulbs (burned out) can cause loss of information and misinterpretation of displayed information by the operator. Most of the light indications in the control room have more than one light to indicate status such as open or close indications on a valve or on and off indications on a pump.

The normal condition for most indications is one or the other light illuminated, and the operator is alerted to an abnormal condition when no lights are on. For valves that the operator or an automatic control system has changed the position of, the operator must wait for the stroke time of the valve to verify the new desired position. Thus, a burned out bulb would alert the operator to an abnormal response but could delay verification of the new desired position. (At Davis-Besse both lights are off during a portion of a valve's stroke time. Also, both lights are off if the valve has no power with a few exceptions where separate power is provided for position indicating switches.) In some cases additional indications such as flow indication or alarms can be used to verify proper valve position. If an automatic system has repositioned a component and the new position indicator light is burned out, the proper function has been performed, but the operator's ability to verify proper operation has been delayed.

The indicators listed in this HED are those that have a potential for delaying operator verification of proper system response as required by Emergency Operating Procedures.

Control room indicators that have dual bulbs, lamp test checks and dual indicating status are not included in this HED.

Electrical breaker position indicators are not included in this HED. The control room indication is green light on for breaker open and red light on for closed. The absence of a light alerts the operator to an abnormal condition. Most pumps also have amp meters and often flow indication is also available. Electrical breaker position change is instantaneous, and the operator is immediately aware of a real failure of a breaker to operate.

Pumps and fans that are started by the Safety Features Actuation System (SA) have Safety Features Actuation Monitor (SAM) lights which separately verify proper component operation. A dim SAM light indicates that a SA signal is present, and the component is in its proper SA position. A SAM light off indicates 1) No SA signal OR 2) a SA signal, but the component is NOT in its proper SA position. The SAM lights are grouped in SA incident levels, and an unlit (burned out) SAM light is easily recognized. In this case the operator would have to verify proper component position by other indication.

The SAM lights are tested routinely by a surveillance test.

Switches with two positions that instantaneously light a status light (such as AFPT governor mode selector switch) are not included in this HED. These switches are only operated by the operator. The position indication is instantaneous, and the operator would be alerted to a burned out bulb. The indication does not prevent proper component operation.

SA operated (Containment isolation and Engineered Safety Features equipment) valves are partially included in this HED. Valves that are only automatically operated by the SA system are not included as SAM lights provide a direct backup. SA operated valves that are also operated by the Steam and Feedwater Rupture Control System (SFRCS) are included in this HED. (SAM lights do not indicate upon SFRCS actuation.)

SPECIFIC ERROR:

Misinterpretation of Displayed Information - Loss of Information

ASSESSMENT JUSTIFICATION:

When this HED was originally evaluated, operator interviews indicated that an error had occurred. Thus, a category of I was given. Since numerous safety-related components were associated with this HED, and the specific evaluation of the consequences of a misinterpretation of each indicator light was not performed, a generic safety significant category of "A" was assigned. A specific evaluation of each listed item resulted in the additional significance categorization of "L" since the consequences of individual misinterpretations were determined to be minor. The list of components that have a potential for delaying operator verification of safety system operation was determined to be a listing of valve positions. These valves all have at least two indicators - open and closed. The individual component categories listed in the Items Involved Section reflect the most recent review of each item with respect to error assessment and safety significance. This HED remains categorized as IA-L overall since the operators interviewed reportedly experienced problems. However, since no specific examples of failures were provided, the following evaluations do not assume problems have occurred and no individual error assessment categories of I are assigned. The following is a justification for each of those items.

Component ID    Component Description

HIS MU2B        Letdown Isolation

Emergency Operating Procedures direct the operator to close this normally open valve in case of a reactor trip to conserve RCS inventory. A burned out close indicator light would alert the operator to an abnormal condition. Letdown flow indication is provided near this hand indicating switch (HIS). Also, the Emergency Procedures direct the operator to close an air operated valve in series if MU2B has no power. The error assessment of this component problem is, therefore, low and is categorized as III.

HIS 3971        Makeup Pump Suction 3-Way Valve from Makeup Tank (MUTK) or from Borated Water Storage Tank (BWST)

Emergency Operating Procedures direct the operator to "close" MU3971, i.e., to shift suction from the MUTK to the BWST under various plant conditions. Failure of the "close" indicating light will not prevent the valve from being in its correct position. The operator will be alerted to an abnormal condition with both lights out. The error assessment of this component problem is, therefore, low and is categorized as III.

HIS DH11A       Decay Heat Suction from the Reactor Coolant System (RCS)
HIS DH12A       Control Power Off Indication
HIS DH11        Decay Heat Suction from the RCS
HIS DH12

Emergency Operating Procedures do not require the use of these HIS's. The Emergency Procedures do direct placing a DH pump on suction from the RCS per the System Operating Procedure. The System Operating Procedure directs closing the local breaker to place power on these valves and then directs proper opening of these valves. Any burned out light bulbs would be observed and corrected at this time. Therefore, a burned out light is insignificant. Appendix R Fire concerns require that the local breaker be opened for DH11 and DH12 during power operation. Therefore, HIS DH11, HIS DH12, HIS DH11A and HIS DH12A all have no lights during power operation. The control power off indication is only lit when power is available - local breaker closed - and the operator has pushed HIS DH11A-12A to remove control power from the Control Room. No operator confusion should result from this condition. All four HIS's are next to each other and no lights lit. The operators know that the local breakers are open and know how to restore valve power. The error assessment of this component problem is, therefore, low and is categorized as III.

HIS DH1517      Decay Heat Pump Suction from RCS
HIS DH1518
HIS DH830       Decay Heat Loop Cross-connect Isolation
HIS DH831
HIS 2735        Auxiliary Spray to Pressurizer
HIS 2736
HIS HP32        High Pressure Injection Minimum Flow Isolation
HIS HP31
HIS DH64        Decay Heat Pump Discharge to High Pressure Injection Pump Suction
HIS DH63

Emergency Operating Procedures direct the operator to change the position of these valves under various emergency conditions. (Except DH1517 and DH1518 which the Emergency Procedure directs to be operated per the System Operating Procedure).

All of these valves are motor operated and normally powered with either an open or close light lit. Therefore, a burned out light would indicate an abnormal condition to the operator. Changing the light bulb would be the operator's normal action to verify proper valve position, and would quickly resolve the concerns with this HED. This would result in a very short delay in performance of Emergency Operating Procedure actions. The only case for these listed valves where this delay could be at all significant would be a delay in verification of opening DH63 and DH64 to allow Decay Heat High Pressure Injection Pump "piggyback" operation for Feed and Bleed operation. Feed and bleed analysis shows that Makeup Pumps provide sufficient cooling, and RCS pressure remains above DH/HPI piggyback pressure for at least two hours. Therefore, a slight delay in piggyback operation will not adversely affect EOP performance. The error assessment of this component problem is, therefore, low and is categorized as III.

HIS RC11        PORV Block (Isolation Valve)
HIS RC2-6       PORV Pilot Lever Position

Emergency Operating Procedures direct the operator to change the position of these valves under various accident conditions. The PORV is also automatically opened at 2450 and closed at 2400. These valves have an open and a close light and are located together on the front console. The operator would be alerted to an abnormal condition with no light indication. The PORV has an annunciator alarm to indicate flow triggered by an acoustic monitor. Two channels of acoustic monitors also provide flow indication meters and position lights on the Post Accident Monitor (PAM) panels. Also, two channels of position lights are provided on the front console near HIS RC2-6. This was installed this outage (FCR 85-171) and resolves the concerns for this HED for HIS RC2-6. Therefore, a failed PORV pilot lever position light on HIS RC2-6 would not prevent the operator from verification of proper PORV operation as required in Emergency Operating Procedures. The PORV block motor operated isolation valve (HIS RC11) is used as a backup to PORV operation. When desired to have flow through the PORV, the PORV block valve RC11 must be open and when desired to ensure flow has stopped through the PORV, the block valve is closed. Therefore, a failed indicator light on RC11 will have no significance on performance of Emergency Operating Procedures. The error assessment of this component problem is, therefore, low and is categorized as III.

HIS RC2-1       Pressurizer Spray Control Valve
HIS RC10        Pressurizer Spray Block (isolation valve)

Emergency Operating Procedures direct the operator to reposition these valves under various accident conditions. Both valves are motor operated and have an open and closed indication. The spray control valve also has an amber light for 40% to 45% open indication which is the position the valve goes to when in automatic and a high pressure occurs. The operator would be alerted to a condition where no lights are lit. The spray control valve would have no lights lit if placed in a throttled position by the operator. He would know of this condition and in this condition high or low pressure signals would automatically position the valve to a lit position upon an RCS pressure change. The valves are in series and located together on the front console. If a bulb failed the operator can quickly check the position of the other valve and observe RCS pressure and pressurizer heater operation to determine if spray is occurring. If the amber light is burned out and the operator wants spray flow, he can position the valve to open and check the 100% open red light. Thus a burned out light would not significantly delay the performance of Emergency procedures. The error assessment of this component problem is, therefore, low and is categorized as III.

HIS 3869        AFP Discharge
HIS 3870        AFP Discharge
HIS 3871        AFP Discharge
HIS 3872        AFP Discharge
HIS 5889A       AFPT Steam Inlet (at AFPT Air Operated)
HIS 5889B
HIS ICS11B      Atmospheric Vent Valve (Air Operated)
HIS ICS11A
HIS 106A        Main Stm Line 1 to AFPT 1
HIS 106E        Main Stm Line 1 to AFPT 2
HIS 107A        Main Stm Line 2 to AFPT 2
HIS 107E        Main Stm Line 2 to AFPT 1
HIS 601A        Main Feedwater Contain Isol
HIS 612A        Main Feedwater Contain Isol
HIS 394         Steam Generator warm up drain (air operated)
HIS 375
HIS 779         Main Feedwater Block (control valve isol)
HIS 780
HIS 611         Steam Generator drain containment isolation
HIS 603

Emergency Operating Procedures direct the operator to verify proper SFRCS automatic positioning of these valves. HED 9.2-001 "SFRCS Display Arrangement Does Not Support Verification of Actuation Tasks" addresses the problem with location of these (and other) controls on various Control Room panels. HED 9.2-033 "Spatial Relationship of Auxiliary Feedwater Components" addresses the problem with location of these (and other) controls on various Control Room panels. A burned out light could delay the operator's ability to verify proper position of these valves although a no lights lit condition would exist and alert the operator to a problem. The proper operation of the SFRCS can be inferred from the control room indications as further described. Based on other HED's associated with SFRCS, the category of this HED for SFRCS related components is conservatively set at IIA-L. The following discussion provides additional detail for each of the SFRCS actuated components.

HIS 3869        AFP Discharge
HIS 3870        AFP Discharge
HIS 3871        AFP Discharge
HIS 3872        AFP Discharge
HIS 5889A       AFPT Steam Inlet
HIS 5889B       AFPT Steam Inlet
HIS 106A        Main Stm Line 1 to AFPT 1
HIS 106E        Main Stm Line 1 to AFPT 2
HIS 107A        Main Stm Line 2 to AFPT 2
HIS 107E        Main Stm Line 2 to AFPT 1

These valves are associated with Auxiliary Feedwater Pump Operation. The function of the AFWPs in an accident is to both start taking steam from the proper Steam Generator and pumping AFW into the proper SG and maintaining proper level in that SG(s). SG level and pressure indication and alarms can verify proper SG level. AFPT discharge pressure, speed and flow indication is available to verify proper AFPT operation.

HIS ICS11B      Atmospheric Vent Valve
HIS ICS11A      Atmospheric Vent Valve
HIS 394         SG Warm Up Drain
HIS 375         SG Warm Up Drain
HIS 611         SG Drains
HIS 603         SG Drains

These valves are associated with isolation of steam from the SG's and function to stop steam releases and conserve steam to operate the AFPTs. These valves are all closed during normal plant operation and receive SFRCS close signals. It is unlikely that a delay in verification of Emergency Operating Procedures would occur.

HIS 601A        Main Feedwater Cont Isol
HIS 612A        Main Feedwater Cont Isol
HIS 779         Main Feedwater Block
HIS 780         Main Feedwater Block

These motor operated normally open isolation valves are associated with isolation of main feedwater to the SGs and function to isolate MFW due to leaks or control malfunctions causing an overfeed condition. They are in series with a bypass control valve around 779 and 780. The bypass control valve also receives a SFRCS close signal and has a demand meter in the Control Room. Therefore closure of Valve 601 stops all feedwater to SG#2 and closure of 612 stops all feedwater to SG#1. Closure of the bypass control valve and its associated block valve stops all feedwater flow to its SG. Also feedwater flow indication is available to indicate all feedwater flow has been stopped to each SG.

DISPOSITION:

The control room operators routinely tour the control room to survey controls and indications. Their instructions to inspect indication for burned out light bulbs have been emphasized to assure their responsibility is clear. This survey is an effective mechanism for identifying bulb failures for the normally lit indicator on the valve switch listed in this HED.

The displays indicated in this HED will be examined in the Displays Study after restart. As described in the ASSESSMENT JUSTIFICATION section the impact on performance of the Emergency Operating Procedures is minor. The potential for error is most significant for the Components actuated by the SFRCS. The design and installation of a new SFRCS panel as described in HED 9.2-033 will improve this HED by adding redundant indication for some components.

SCHEDULE:

The directive for the operator's Control Room tour already exists. Improvements made as a result of the SFRCS special study will be implemented during the next (5th) Refueling Outage.

SAIC's TECHNICAL EVALUATION CONCLUSION AND STAFF POSITION:

All of the bulbs except one have alternative indications in the control room and are available for operator verification. The one bulb that caused concern in this HED was related to the possibility of a switch from the makeup tank (MUTK) to the boron tank (BWST) when one tank is empty and the indicator light is burnt out. In such a case taking suction from an empty tank could lead to pump cavitation and possible damage. The licensee indicated that low level alarms for both tanks are provided in the control room to alert the operator about this problem. Based on this fact, this HED should not have any effect on the restart decision.

ACTION TO BE COMPLETED BY TED

The Display Special Study, to be completed by the 5th refueling outage, should examine the displays indicated in this HED. Some discrepancies in this HED will be resolved with the addition of the new SFRCS panel during the 5th refueling outage. Presently TED is attempting to locate dual filament bulbs.


SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.018
TITLE: Availability/Consistency of SFRCS Information

ITEMS INVOLVED:

Alarm Location   Description
8-6-1            SFRCS Full Trip
12-1-3           SFRCS Channel 1 DP Half/Full Trip
12-1-4           SFRCS Channel 2 DP Half/Full Trip
12-2-3           SFRCS Channel 1 SG Level Half/Full Trip
12-2-4           SFRCS Channel 2 SG Level Half/Full Trip
12-5-3           SFRCS Channel 1 Main Steam Low Pressure Trip
12-5-4           SFRCS Channel 2 Main Steam Low Pressure Trip

PROBLEM DESCRIPTION:

The status of Steam and Feedwater Rupture Control System (SFRCS) logic including the SFRCS trip conditions is difficult to identify.

The existing SFRCS alarm arrangement provided annunciators for the status of each SFRCS actuation channel, but did not clearly identify the condition which tripped the respective actuation channel. For example, a low steam generator pressure in Steam Generator 1 would cause the annunciator labeled "SFRCS CH 1 MAIN STEAM LOW PRESSURE TRIP" and the annunciator labeled "SFRCS CH 2 MAIN STEAM LOW PRESSURE TRIP" to alarm, indicating that both SFRCS actuation channels had sensed the low pressure condition. However, the alarm window provides no indication of which steam generator pressure condition caused the trip.

An additional condition which complicates the operator's ability to identify SFRCS logic status is that the SFRCS alarms generally indicate either a half or a full trip of either actuation channel. Each SFRCS actuation channel consists of two redundant sensing channels. If either sensing channel detects a tripped condition, the SFRCS actuation channel will register a half trip. A full trip occurs when both sensing channels register the condition. The annunciator "SFRCS CH 1 SG LEVEL HALF/FULL TRIP" would alarm when either sensing channel of Actuation Channel 1 registered a low steam generator level condition. SFRCS equipment is actuated primarily on a full SFRCS trip. Therefore, this alarm condition can lead to confusion as to whether equipment should or should not be actuated. An additional SFRCS annunciator labeled "SFRCS FULL TRIP" located on a separate annunciator panel can, however, be used to confirm that a full trip condition exists.

An additional problem with the SFRCS annunciators is that the SFRCS trips and the associated alarms do not seal in, even though actuated equipment will remain in its safety position. This can result in confusion when a momentary trip condition develops which causes a full SFRCS trip and actuates equipment prior to clearing. During such an event, the operator might inadvertently acknowledge and reset an SFRCS related annunciator as he acknowledges and resets other Control Room annunciators that may exist at the time of the event. He could then be confused as to why SFRCS actuated equipment was in its safety condition without a corresponding indication of a trip.
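The half trip/full trip logic and the non-sealing annunciators described above can be reproduced with a small model. The following Python model is an added illustration, not TED or NRC material: the class, its field names, the constructed timeline, and the assumption that a window stays lit until the operator resets it are hypothetical simplifications of the behaviour the text describes.

```python
from dataclasses import dataclass

TRIP_STATES = ("NO TRIP", "HALF TRIP", "FULL TRIP")


@dataclass
class ActuationChannel:
    """One actuation channel fed by two redundant sensing channels (hypothetical model)."""
    name: str
    equipment_in_safety_position: bool = False  # stays actuated after the trip clears
    half_full_window: bool = False              # "... HALF/FULL TRIP" annunciator window
    full_trip_window: bool = False              # separate "SFRCS FULL TRIP" window
    tripped_inputs: int = 0                     # sensing channels tripped on the last scan

    def scan(self, sensing_1: bool, sensing_2: bool) -> str:
        """Evaluate both sensing channels once and update windows and equipment."""
        self.tripped_inputs = int(sensing_1) + int(sensing_2)
        if self.tripped_inputs >= 1:
            self.half_full_window = True        # same window for a half or a full trip
        if self.tripped_inputs == 2:
            self.full_trip_window = True
            self.equipment_in_safety_position = True
        return TRIP_STATES[self.tripped_inputs]

    def operator_reset(self) -> None:
        """Acknowledge/reset: the trip does not seal in, so a window whose
        condition has cleared goes dark (assumed annunciator behaviour)."""
        if self.tripped_inputs == 0:
            self.half_full_window = False
        if self.tripped_inputs < 2:
            self.full_trip_window = False

    def finding(self) -> str:
        """What an operator can conclude from the panel alone."""
        if self.equipment_in_safety_position and not self.full_trip_window:
            return "equipment actuated, full trip not indicated"
        if self.half_full_window and not self.full_trip_window:
            return "half/full window lit, full trip not confirmed"
        if self.full_trip_window:
            return "full trip confirmed"
        return "normal"


# Constructed sequence: a momentary full trip that clears before the operator resets.
CONSTRUCTED_TIMELINE = [
    ("scan", False, False),
    ("scan", True, False),    # one sensing channel trips: half trip
    ("scan", True, True),     # both trip: full trip, equipment actuates
    ("scan", False, False),   # condition clears on its own
    ("reset",),               # operator acknowledges and resets annunciators
]


def replay(timeline):
    """Return (event, half/full window, full trip window, equipment, finding) per step."""
    channel = ActuationChannel("SFRCS CH 1 SG LEVEL")
    rows = []
    for event in timeline:
        if event[0] == "scan":
            label = channel.scan(event[1], event[2])
        else:
            channel.operator_reset()
            label = "operator reset"
        rows.append((label, channel.half_full_window, channel.full_trip_window,
                     channel.equipment_in_safety_position, channel.finding()))
    return rows


if __name__ == "__main__":
    for row in replay(CONSTRUCTED_TIMELINE):
        print(row)
```

The half/full window is lit identically in the second and third steps, so only the separate full trip window distinguishes them; after the reset both windows are dark while the equipment remains in its safety position.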

SPECIFIC ERROR:

Decision error due to lack of information. Confusion or delay in verification of system operation.

ASSESSMENT JUSTIFICATION:

This HED is associated with a general condition involving the annunciators listed; therefore, the assessment of this HED is generic.

While this condition has caused operator confusion on several occasions, there have been no clearly identifiable operator errors as a result of this condition. The error assessment category is, therefore, II.

This condition can cause a delay in the verification of proper SFRCS actuation and could potentially interfere with the SFRCS function if the operator were to take incorrect actions as a result of this condition. The likelihood of the operator taking incorrect action on the basis of these indications alone, however, is very low. Other control room indications such as steam generator level and pressure can help identify the cause of an SFRCS trip. Taken in conjunction with other HEDs associated with the SFRCS (see HED 9.2.001, 9.2.033, 9.2.042, 9.2.054), the significance of this HED has conservatively been set at IIA-M.

DISPOSITION:

FCR 85-232 has modified the annunciators associated with the low steam generator pressure condition such that separate annunciators for a low pressure condition on Steam Generator 1 and/or 2 now exist. Clarification of the loop dependency of this condition is useful in that the equipment actuated on a low steam generator pressure differs depending on the steam generator which first reaches the low pressure trip setpoint.

The annunciators associated with the other plant conditions which cause SFRCS trip have been modified by FCR 85-232 to reflect SFRCS logic changes initiated during the current outage. The SFRCS Channel 1 (and 2) DP Half/Full Trip has been changed to SFRCS Channel 1 (and 2) High Level/DP Half/Full Trip. Similarly, SFRCS Channel 1 (and 2) Steam Generator Level Half/Full Trip has been changed to SFRCS Channel 1 (and 2) Low-Level/Reactor Coolant Pump Half/Full Trip. These annunciator changes group the plant conditions which result in the same type of SFRCS actuation into a common annunciator. Therefore, the operator can easily determine the expected SFRCS response on the basis of a single set of annunciators. Although the annunciators will not clearly indicate which of the conditions caused the trip, the operator's task of identifying proper SFRCS actuation can be completed since the expected response is the same for either condition.

While the loop dependency of other trip conditions such as low steam generator level or steam generator to feedwater differential pressure has not been separated, equipment actuation on these conditions does not depend on where the condition occurs.

An additional modification to the "SFRCS Full Trip" annunciator completed by FCR 85-167 now causes that annunciator to seal in with any full SFRCS trip and requires the operator to press a separate dedicated reset button on the main console to clear this annunciator.
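The difference between the original non-sealing annunciators and the sealed-in "SFRCS Full Trip" annunciator described above can be shown with a small model. This is an added illustration, not code from the report or the plant; the class and function names and the scan sequence are constructed, and the model simplifies by actuating equipment only on a full trip.

```python
from dataclasses import dataclass

STATES = ("none", "half", "full")  # 0, 1 or 2 sensing channels tripped


@dataclass
class ActuationChannel:
    """One actuation channel fed by two redundant sensing channels (hypothetical model)."""
    seal_in: bool                     # True models the sealed-in Full Trip annunciator
    live: str = "none"                # trip state on the most recent scan
    equipment_actuated: bool = False  # actuated equipment stays in its safety position
    half_full_window: bool = False    # combined HALF/FULL TRIP annunciator
    full_trip_window: bool = False    # separate FULL TRIP annunciator

    def scan(self, sensing_a: bool, sensing_b: bool) -> str:
        """Apply one scan of both sensing channels and return the live trip state."""
        self.live = STATES[int(sensing_a) + int(sensing_b)]
        if self.live != "none":
            self.half_full_window = True   # lights on a half OR a full trip
        if self.live == "full":
            self.full_trip_window = True
            self.equipment_actuated = True
        return self.live

    def general_reset(self) -> None:
        """Operator acknowledges/resets all annunciators whose condition has cleared."""
        if self.live == "none":
            self.half_full_window = False
        if self.live != "full" and not self.seal_in:
            self.full_trip_window = False  # non-sealing alarm disappears here

    def dedicated_reset(self) -> None:
        """Separate reset button: the only way to clear a sealed-in Full Trip alarm."""
        if self.seal_in and self.live != "full":
            self.full_trip_window = False


def unexplained_actuation(ch: ActuationChannel) -> bool:
    """True when equipment is in its safety position with no trip indication showing."""
    return ch.equipment_actuated and not ch.full_trip_window


# Constructed scan sequence: a momentary full trip that clears on its own.
MOMENTARY_FULL_TRIP = [(False, False), (True, False), (True, True), (False, False)]


def replay(seal_in: bool, scans=MOMENTARY_FULL_TRIP):
    """Run the scans, then perform a general annunciator reset as during a busy event."""
    ch = ActuationChannel(seal_in=seal_in)
    states = [ch.scan(a, b) for a, b in scans]
    ch.general_reset()
    return ch, states


if __name__ == "__main__":
    for seal_in in (False, True):
        ch, states = replay(seal_in)
        print(f"seal_in={seal_in} states={states} "
              f"full_trip_window={ch.full_trip_window} "
              f"unexplained_actuation={unexplained_actuation(ch)}")
```
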

For additional details on the operators' use of these annunciators in the verification of proper SFRCS actuation as directed by the Emergency Operating Procedure, see HED 9.2.001.

These changes have resolved the problems associated with the SFRCS annunciator configuration. This configuration will be further studied as part of the SFRCS Special Study, and additional changes to the SFRCS annunciators should be completed in the next (5th) Refueling Outage.

These modifications produce no new HEDs (see the attached Verification of Design Improvement form).

SCHEDULE:

The modifications discussed in the Disposition section associated with FCR 85-232 and 85-167 have been completed. Additional changes resulting from the SFRCS Special Study will be implemented in the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION CONCLUSION AND STAFF POSITION:

Among the different conditions that could result in the initiation of AFWS, the low SG pressure signal indicates a possible leakage or break in one of the SG loops. In addition, the equipment actuated depends on which steam generator first reached the low pressure set point. The licensee has modified the annunciators associated with the low steam generator pressure so that the operator knows which one caused the trip. This eliminates the concern over this HED.

ACTION TO BE COMPLETED BY TED

During the SFRCS Special Study, TED has agreed to review the changes made to the SFRCS annunciator configuration. Any additional corrective actions identified should be completed during the next (5th) refueling outage.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.020

TITLE: SFAS Incident Isolation Component Arrangements are Inconsistent

ITEMS INVOLVED:

Panel C-5717: SFAS Isolation Panel

RCP Controls/Displays in SFAS Incident Level 2 Grouping

HIS-MU59C, RCP 1-1 Seal Ret Isol Vlv
HIS-MU59D, RCP 1-2 Seal Ret Isol Vlv
HIS-MU59A, RCP 2-1 Seal Ret Isol Vlv
HIS-MU59B, RCP 2-2 Seal Ret Isol Vlv
HIS-MU66C, RCP 1-1 Seal Inj Isol Vlv
HIS-MU66B, RCP 2-2 Seal Inj Isol Vlv
HIS-MU33, RC Norm MU Isol Vlv
HIS-MU66D, RCP 1-2 Seal Inj Isol Vlv
HIS-MU66A, RCP 2-1 Seal Inj Isol Vlv
HIS-MU38, RCP Seal Ret Isol Vlv

AFW Controls/Displays located in SFAS Incident Level 4 Grouping

HIS-106A, MS Line #1 to AFPT #1 Isol Vlv
HIS-106E, MS Line #2 to AFPT #1 Isol Vlv
HIS-608A, SG 1 AFW Isol Vlv
HIS-608B, SG 1 AFW Isol Vlv
HIS-608E, Open Circuit Half Trip Reset
HIS-107A, MS Line #2 to AFPT #2 Isol Vlv
HIS-107E, MS Line #1 to AFPT #2 Isol Vlv
HIS-599A, SG 2 AFW Isol Vlv
HIS-599B, SG 2 AFW Isol Vlv
HIS-599E, Open Circuit Half Trip Reset

PROBLEM DESCRIPTION:

Components listed are (1) Reactor Coolant Pump (RCP) valve controls and displays on the Safety Features Actuation System (SFAS) panel which receive SFAS Level 3 signals, but are physically located among similar components grouped as Level 2, and (2) Auxiliary Feedwater (AFW) controls and displays physically grouped with SFAS Level 4 components, but which receive no Level 4 SFAS actuation signal.

RCP controls/displays in Level 2, but which receive Level 3 actuation signal, are each clearly marked with "LEVEL 3 400" on the SFAM (Safety Features Actuation Monitor) lights associated with each component. Upon SFAS Level 2 actuation, all components in the Level 2 grouping should have lit SFAM lights, as the panel was originally designed. However, RCP components listed were changed to actuate at Level 3 in a prior outage, but were not moved. The "yellow board" concept to ensure proper SFAS actuation, therefore, does not work now because these ten components do not actuate until Level 3. Time to verify proper SFAS actuation and probability for operator error are, therefore, increased.

AFW controls in Level 4 do not receive Level 4 actuation signals. They, therefore, cause the operator more difficulty in verifying proper actuation of Level 4 actuation because not all SFAM lights in the Level 4 component grouping will light up upon Level 4 SFAS actuation. Although SFAM light components are physically located adjacent to six of the ten AFW components, and Cutler-Hammer hand indicating switches are next to two others, all eight of these adjacent components are spares and not connected to anything. Having these similar, but disconnected, components adjacent to the AFW controls complicates the operator's task in verifying proper SFAS Level 4 actuation because the components look similar to Level 4 actuated components around them.

SPECIFIC ERROR:

Additional time to verify proper SFAS actuation for Level 2 and Level 4, and increased probability of operator error in properly verifying.

ASSESSMENT JUSTIFICATION:

The problems associated with the listed components can be treated in two generic groups: the RCP controls and displays in SFAS Incident Level 2 and the AFW controls and displays located in SFAS Incident Level 4. The inconsistent grouping of controls and displays of SFAS actuated equipment could lead to incomplete or inaccurate verification of SFAS actuation. Controls associated with these groupings are isolation valves, and the function of containment isolation on SFAS actuation is completed by redundant isolation valves on most process systems. The consequences of incomplete or improper verification are, therefore, relatively minor.

No other significant HEDs exist with respect to the RCP controls and displays; therefore, this condition has been categorized as IIA-L. Other significant HEDs exist with respect to the AFWS and the SFRCS (see HED 9.2.001, 9.2.033, 9.2.054), however, and this condition has conservatively been categorized as IIA-M.

DISPOSITION:

Various options for a relabeling enhancement are currently being evaluated for installation prior to restart. The modification is intended to clearly indicate those components which are improperly placed in their respective groups. The modification will also include the removal of spare controls in the SFAS Incident Level 4 grouping next to the AFW controls. These enhancements will substantially improve the existing condition.

Complete resolution of the RCP controls and displays grouped in SFAS Incident Level 2 will require their relocation to the Incident Level 3 group. Specific details of this modification will be developed as a part of the Displays and Controls Special Studies to be conducted after restart.

Final resolution of the AFW controls and displays grouped in SFAS Incident Level 4 will be identified in conjunction with the SFRCS Special Study and implemented in the next (5th) refueling outage. See HED 9.2.001 for an additional discussion on the impact of the existing arrangement of SFRCS and AFW related controls and displays on the use of the Emergency Operating Procedure.

SCHEDULE:

The labeling changes and modifications for removal of spare switches will be finalized and implemented prior to restart. The specific changes associated with removing the RCP controls and displays will be developed in conjunction with the Displays and Controls Special Study to begin following restart.

Additional changes to the AFW Components will be identified in conjunction with the SFRCS Special Study and implemented in the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION CONCLUSION AND STAFF POSITION:

The main concern with this HED is the possibility of incomplete or inaccurate verification of SFAS actuation. Based upon the documentation submitted by TED and the discussions at the meeting, the staff concludes that the interim solutions developed by TED to be implemented prior to restart, followed by the additional Special Studies reviews and resulting corrective actions, substantially resolve the staff's concerns related to this HED.

ACTIONS TO BE COMPLETED BY TED

For all interim fixes that involve labeling, TED will conduct a study based upon good human factors guidelines to establish appropriate interim labeling fixes prior to restart. Presently labeling corrections are under consideration to enhance grouping of AFW components. In addition, TED should remove spare controls in the SFAS Incident Level 4 group prior to restart.

Final solutions, which should be implemented during the next (5th) refueling outage, are those developed from the Displays and Controls Special Study addressing the RCP controls and displays and SFRCS Special Study resolutions for the AFW controls and displays.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.054

TITLE: SFRCS Manual Initiation Switches are not Located or Arranged to Support Emergency Task Sequences

ITEMS INVOLVED:

Panel C-5721, SFRCS Manual Initiation Switches

Components:

HIS-4869A, SG 1-1 Low Stm Press
HIS-4807AA, SG 1-2 Low Stm Press
HIS-4869BB, SG 1-2 Low Stm Press
HIS-4870BB, SG 1-1 Low Stm Press
HIS-4869C, SG 1-1 FW P
HIS-4870C, SG 1-2 FW P
HIS-4869D, SG 1-1 Low Wtr Lvl
HIS-4870D, SG 1-2 Low Wtr Lvl
HIS-4869E, Loss of RCPs
HIS-4870E, Loss of RCPs

Related SFRCS Controls and Displays:

Panel No.   Instrument No.   Description
C5709       HIS-3871         Auxiliary Feed Pump No. 2 Discharge to Steam Generator No. 1 Isolation Valve
            HIS-3872         Auxiliary Feed Pump No. 2 Discharge to Steam Generator No. 2 Isolation Valve
            HIS-5889A        Auxiliary Feed Pump No. 1 Steam Inlet Valve
            HIS-5889B        Auxiliary Feed Pump No. 2 Steam Inlet Valve
            PI-505           Auxiliary Feed Pump 1 Discharge Pressure
            PI-509           Auxiliary Feed Pump 2 Discharge Pressure
            FI-4521          Auxiliary Feed Pump 1 Feedwater Flow
            FI-4522          Auxiliary Feed Pump 2 Feedwater Flow
            SI-815           Auxiliary Feed Pump Turbine No. 1 Speed
            SI-816           Auxiliary Feed Pump Turbine No. 2 Speed
C5721       HIS-780          Main Feedwater to Steam Generator No. 1 Block Valve
            HIS-779          Main Feedwater to Steam Generator No. 2 Block Valve
            HIS-611          Steam Generator No. 1 Drain Valve Isolation
            HIS-603          Steam Generator No. 2 Drain Valve Isolation
C5712       FIC-ICS33B       Main Feedwater Startup Flow Control Valve 1
            ZI-SP6B          Main Feedwater Flow Control Valve Position 1
            FIC-ICS33A       Main Feedwater Startup Feedwater Control Valve 2
            ZI-SP6A          Main Feedwater Flow Control Valve Position 2
            LI-SP9B1         Steam Generator No. 1 Startup Range Level
            LI-SP9A1         Steam Generator No. 2 Startup Range Level
C5799       FI-4630          PAM Panel Auxiliary Feedwater Flow to Steam Generator 1
C5798       FI-4631          PAM Panel Auxiliary Feedwater Flow to Steam Generator 2
C5706       HIS-3869         Auxiliary Feed Pump No. 1 Discharge to Steam Generator No. 2 Isolation Valve
            HIS-3870         Auxiliary Feed Pump No. 1 Discharge to Steam Generator No. 1 Isolation Valve
C5717       HIS-ICS11B       Main Steam No. 1 Atmospheric Vent Valve
            HIS-ICS11A       Main Steam No. 2 Atmospheric Vent Valve
            HIS-394          Steam Generator 1 Main Steam Warm-Up Drain Isolation Valve
            HIS-375          Steam Generator 2 Main Steam Warm-Up Drain Isolation Valve
            HIS-101          Main Steam Isolation Valve No. 1
            HIS-100          Main Steam Isolation Valve No. 2
            HIS-601          Steam Generator 2 Main Feedwater Stop Valve
            HIS-612          Steam Generator 2 Main Feedwater Stop Valve
            HIS-608A         Steam Generator 1 Auxiliary Feedwater Isolation Valve
            HIS-608B         Steam Generator 1 Auxiliary Feedwater Isolation Valve
            HIS-599A         Steam Generator 2 Auxiliary Feedwater Isolation Valve
            HIS-599B         Steam Generator 2 Auxiliary Feedwater Isolation Valve
            HIS-106A         Main Steam Line No. 1 to Auxiliary Feed Pump Turbine No. 1 Isolation Valve
            HIS-106E         Main Steam Line No. 2 to Auxiliary Feed Pump Turbine No. 1 Isolation Valve
            HIS-107A         Main Steam Line No. 2 to Auxiliary Feed Pump Turbine No. 2 Isolation Valve
            HIS-107E         Main Steam Line No. 1 to Auxiliary Feed Pump Turbine No. 2 Isolation Valve

PROBLEM DESCRIPTION:

This HED actually addresses three separate but related human factors problems: (1) The Steam and Feedwater Rupture Control System (SFRCS) manual initiation switch layout is inconsistent and prone to human error. (2) The SFRCS manual initiation switches are separated from other related SFRCS controls and displays. (3) The SFRCS manual initiation switches are located lower than recommended guideline height on vertical panel C-5721.

At the time the HED was generated the Steam Generator low Steam Pressure trip switches located on C-5717 are located in the top two rows and arranged in an "X" pattern. To trip Steam Generator 1 on low pressure, the operator would hit the top row, left and second row, right switches. To trip Steam Generator 2 on low pressure, the operator would hit the first row, right and second row, left switches. If the operator activates both switches in either the first row or the second row, he isolates both steam generators.

With regard to the second human factors problem, the operator must check displays on panel C-5717, C-5709, and the PAM panels to verify proper SFRCS actuation. HED 9.2.1 also addresses this problem. The Control Room operator cannot see all associated SFRCS displays from one location to confirm proper SFRCS actuation because the displays are located on several panels in the control room. Once manually initiated, SFRCS operation is fully automatic and not dependent on operator verification. However, in the event of improper or incomplete actuation, the separation of displays from the manual initiation controls would delay the operator's identification of, and response to, the problem.

The third human factors problem is that the manual initiation switches are located below guideline height on Panel C-5721.

SPECIFIC ERROR:

Delay in complete verification of proper SFRCS actuation.

ASSESSMENT JUSTIFICATION:

The first human factors problem, SFRCS manual initiation switch layout, is Error Assessment Category I since the June 9, 1985 incident involved an operator error isolating both Steam Generator 1 and Steam Generator 2 as a result of the crossover layout. Safety significance is A-H.

The second problem, separation of controls and related displays, is Error Assessment Category II. The June 9 incident did not demonstrate that the operators had difficulty diagnosing improper SFRCS actuation once the error in manually isolating both steam generators had occurred. Safety significance is A-M.

The final problem, location of the SFRCS manual initiation switches below recommended minimum height, is Error Assessment Category II. Safety significance is A-L.

DISPOSITION:

The first human factors problem under this HED has been fully corrected by hardware and logic modifications to rearrange and guard the SFRCS manual initiation switches. Attachment 3 shows the revised layout which is not implemented in the Control Room.

The logic change involved separation of the steam generator high pressure trip from the steam generator hi-low pressure trip, and incorporating the steam generator high pressure trip switch function with the loss of RCPs trip switch function. The manual initiation switches were then laid out in the following order, top to bottom:

Row 1  SG 1/2 HIGH LVL
Row 2  SG 1 STM PRESS LOW
Row 3  SG 2 STM PRESS LOW
Row 4  SG 1/2 P STM/FW
Row 5  SG 1/2 LOW LVL/LOSS OF RCPs

Row 1 is unguarded. Rows 2 and 3 are guarded with a clear plexiglass guard which has two doors held closed by a guard which will only allow one door to be opened at a time, thereby preventing inadvertent isolation of both steam generators. Row 4 is guarded with a clear plexiglass hinged door. Each switch in the bottom row has an individual guard composed of a plastic frame holding a clear plexiglass slide, which is slipped out to enable actuation of the manual initiation switch.

This arrangement (1) is a substantial improvement in operational and functional layout, and (2) is guarded in a manner which essentially eliminates the possibility of inadvertent improper actuation. This disposition completely addresses the human factors concerns in Part 1 of this HED.

Part 2 of this HED is totally redundant to HED 9.2.001. Please refer to that HED for further discussion of disposition and the associated justification.

The modification to the SFRCS manual initiation switch arrangement discussed as Part 1 of this HED placed the two switches most likely to be used by the operator for manual initiation of SFRCS at an acceptable height. The other four sets of manual initiation switches are still lower than desirable, but use of those switches in other than a test situation is very unlikely. This HED will remain under consideration as a part of the SFRCS Special Study.

Additional modifications to the SFRCS manual initiation switches and SFRCS actuated components identified in conjunction with this Special Study will be implemented in the next (5th) refueling outage.

SCHEDULE:

The modifications to the SFRCS switch arrangement are complete. Additional modifications identified as a part of the SFRCS Special Study will be implemented in the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

The SFRCS logic and hardware for manual initiation switches have been changed so that the most frequently used switches are at the top and other switches are guarded from inadvertent initiation. The SFRCS will be further analyzed beyond the restart date and any modifications identified as a result of the SFRCS special study will be implemented in the 5th refueling outage.

ACTIONS TO BE COMPLETED BY TED

As part of the SFRCS Special Study, TED should continue to consider both the SFRCS manual initiation switches and other SFRCS-actuated components. Additional modifications relating to this HED should be implemented during the next (5th) refueling outage.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 4.1.004

TITLE: Accidental Actuation of Controls Positioned Too Close Together

ITEMS INVOLVED:

Panel ID: C-5703

HIS-3971, "From MU Tank/From BWST"
HIS-MU54, "Makeup Tank H2 For Hydrogen Supply Valve"

Panel ID: C-5705

HIS-2735, "DH Auxiliary Spray Isolation Valve" (No. HIS-2735 Label)
HIS-2736, "DH Auxiliary Spray Thrt Valve"
HIS-RCIO, "RC PRSR Spray Isolation Valve"
HIS-RC2-1, "RC PRSR Auto Spray Valve"
HIS-RC2-2, "Heater Bank 2 336 Kw E-61"
HIS-RC2-3, "Heater Bank 3 504 Kw E-62 F-61"
HIS-RC2-4, "Heater Bank 4 364 Kw F-61 F-62"
HIS-RC2A, "Essential Bank 1 126 Kw E-12A"
HIS-RC2B, "Essential Bank 2 126 Kw F-12-A"

PROBLEM DESCRIPTION:

The makeup system and pressurizer spray and heater controls listed above on the respective panels are arranged in close proximity to one another. The PORV and PORV Block controls are also located near the Spray and Spray Block controls. There is sufficient room for proper manipulation of each of the controls, but their close proximity and the associated clustering of labels can result in confusion in the selection of appropriate controls, resulting in the inadvertent actuation of the wrong control.

SPECIFIC ERROR:

Inadvertent control actuation.

ASSESSMENT JUSTIFICATION:

The control room operators have reported that errors of this nature have occurred, therefore, the error assessment category is I. Discussions with the operators identified the above controls as having the described problem.

Improper actuation of the components on Panel 5703 would not adversely impact the safety related function of maintaining makeup pump suction because appropriate interlocks exist to protect the pump. Improper operation of these controls during the performance of Emergency Operating Procedures could delay the transfer of Makeup Pump suction to the Borated Water Storage Tank (BWST) which is performed to ensure an adequate borated water source to the Makeup Pumps. An automatic transfer to the BWST will occur on low MUTK level if the operator fails to perform this transfer. Thus the impact on performance of the Emergency Operating Procedures is minimal.

Improper actuation of a component on C-5705 would result in an opposite than expected response in Reactor Coolant System pressure which would alert the operator as he is taking manual pressure control at the time. Also, alarms would warn the operator prior to a reactor trip or safety features actuation. Other pressure controls in automatic would attempt to correct any improper manual actuation and, thus make improper actuation pressure excursions slow acting. Improper operation of a single pressurizer pressure control switch would have a minimal effect on a transient during the performance of Emergency Operating Procedures. Directives in the Emergency Operating Procedures would compensate for an error and would stabilize the plant. Improper actuation of the components on Panel C-5705 could impact the safety function of pressurizer pressure control by creating a temporary pressure excursion which could challenge safety systems by resulting in a reactor trip or possible safety features actuation.

Operation of the PORV instead of the spray could cause a plant trip.

Therefore, the safety significance category of this HED is A-L.

DISPOSITION:

This HED will be substantially resolved prior to restart by labeling enhancements. The confusion switches on panel C-5703 will be eliminated by the addition of a 3-way valve symbol and modified switch engravings (see the attached drawings).

Demarcation lines will be provided to help minimize the confusion associated with controls on C-5705. The complete correction of this portion of the HED will require a complete re-labeling of the associated components. These labeling changes will be identified in conjunction with the Label and Locations Aids Study to be completed after restart, and the labeling modifications will be implemented in the next (5th) refueling outage.

Additional consideration is being given to placing a cover over the PORV controls. The decision on such a change will be finalized, and the modification, if any, will be installed prior to restart.

SCHEDULE:

Label changes are to be completed prior to restart. Additional consideration will be given to this HED in the Label and Locations Aids Special Study after restart.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

Based upon the documentation submitted by TED, the staff concludes that the interim solutions developed by TED prior to restart will substantially resolve the staff's concerns related to inadvertent actuation of controls on panel C-5703 and panel C-5705.

ACTIONS TO BE COMPLETED BY TED

Prior to restart, TED should develop labeling enhancements involving good human factor guidelines developed in accordance with TED's own Label and Location Aids Special Study. Demarcation will be used on panel C-7505 and additional consideration will be given to covering the PORV controls. Since these changes, to be accomplished prior to restart, have not been fully documented, TED should provide documentary evidence for all solutions developed as part of the interim corrective actions for this HED. Solutions should be subject to confirmation in subsequent DCRDR reviews.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 5.1.006

TITLE: Parameter Range Exceeds Scale Value

ITEMS INVOLVED:

                                                                 Category
PIRC2B4, 2B3, 2A4, 2A3, 2B4A, 2A4A, RCS Wide Range Pressure      III
FIMU31, Makeup Flow Indication                                   IIA-M
FI4630, FI4631, Auxiliary Feedwater Flow                         IIA-M

PROBLEM DESCRIPTION:

The parameters indicated by the meters listed have possible ranges that are too large for the scale, and additional wide range instrumentation is not provided.

SPECIFIC ERROR:

Misinterpretation of displayed values.

ASSESSMENT JUSTIFICATION:

The maximum indicated value for the Reactor Coolant System (RCS) pressure is 2500 psig. Normal RCS operating pressure is 2155 psig, and the resulting margin to the 2500 psig maximum indication is sufficient for all operator control actions. Although the potential for RCS pressures in excess of 2500 psig does exist under certain special circumstances, no useful operator actions can be taken at pressures in excess of this value that would not already have been taken prior to reaching 2500 psig. Since operator knowledge of specific RCS pressures in excess of 2500 psig is not required, the potential for misinterpreting the display is very low. This component problem is categorized as III.

The actual auxiliary feedwater (AFW) flow rate and makeup flow can potentially exceed the maximum indicated value on the respective meters. Misinterpretation is, therefore, possible, and the error assessment category for these two indicators is II.

The AFW flow indication can go to full scale when an Auxiliary Feed Pump is started and during operation of the AFW System due to the cyclic operation of the Auxiliary Feed Pump Turbines (AFPT). The normal AFW flow required for decay heat removal is approximately 800 gpm and is within the 1000 gpm range of the AFW flow instruments. When the steam generator level is being increased, the AFW flow indication can be pegged high.

Emergency operating procedures (EOPs) direct the operator to ensure AFW System operation and maximum flow until the proper steam generator level is reached. In addition to AFW flow, the operator has pump discharge pressure and pump speed indication and should not be misled by a flow meter that is pegged high. The key parameter the operator is directed to maintain is proper steam generator level.

Although the significance of an AFW flow indication that has pegged high is minimal, the significance classification of this particular component problem has conservatively been placed at A-M because of considerations of other Human Engineering discrepancies associated with the AFWS and its automatic actuation system, the SFRCS.

Although a specific knowledge of makeup flow rate is not necessary for proper system operation, the information is useful in the operator's evaluation of the proper feed and bleed cooling required by the EOP in the event of loss of all feedwater. Consequently, the safety significance of this component problem is categorized as A-M.

DISPOSITION:

Although an expanded range indication of RCS pressure is not necessary to support operator actions, an additional wide range pressure indication of 0-3000 psig is to be installed per FCR 86-036 to support Regulatory Guide 1.97 requirements. This indication would be useful to support post-accident analysis.

As discussed in the Assessment Justification section, the successful completion of the EOP actions is not dependent on specific auxiliary feedwater flow indication. A wide range AFW flow indication is, however, planned for incorporation into the modifications associated with the SFRCS special study. The new wide range indication is to be installed during the next (5th) refueling outage.

FCR 85-328 has been implemented which increases the range of the previous 0-160 gpm makeup flow indication to 0-500 gpm. This range increase will very effectively bracket the maximum anticipated two pump flow of 350 gpm. As indicated by attached Verification of Design Improvement form, this modification introduces no new HEDs. The modification expanded an existing scale that is included as a part of a dual scale indicator. The low range makeup indication of 0-40 gpm has not been modified. While the HED on multiple scale indicators has not been corrected (see HED 5.1.9), no new HEDs have been initiated and the widened scale does address this HED with respect to the makeup indication completely.

SCHEDULE:

The installation of the wide range makeup flow will be completed under FCR 85-328 prior to restart. The wide range AFW flow indication will be installed during the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

Based upon corrective action commitments by TED and a review of TED's documentation, the staff concludes that the three parameters identified in this HED will not adversely impact restart.

- The RCS wide range pressure is being expanded to 0-3000 psig and implemented as part of Regulatory Guide 1.97 requirements to support post-accident analysis.

- A new wide range AFW Indication will be incorporated into the SFRCS Special Study to be installed during the 5th refueling outage. The EOPs are not dependent upon this AFW indication for successful execution of operator actions in the control room.

- The wide range makeup flow scale range will be expanded to 0-500 gpm prior to restart by using an existing dual scale meter. However, the use of multiple-scale meters has already been identified as an HED. At best this is an interim solution, since the potential for operator error still exists. This in conjunction with HED 5.1.009, which also deals with multiple-scale indicators, should be resolved after restart by means of the installation of separate meters with individual scales to provide the proper precision, range and accuracy for each scale.

ACTIONS TO BE COMPLETED BY TED

Prior to restart, TED has agreed to confirm that the corrective actions to the wide range makeup flow scale range mentioned above are implemented in the control room. TED should follow up after the restart with a thorough human factors evaluation of all interim solutions and should develop final corrective actions by the 5th refueling outage.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.006

TITLE: Violation of Operator Expectancy - SFAS Trip Buttons

ITEMS INVOLVED:

HIS-2020, HIS-2021, HIS-2022, HIS-2023 - SFAS Trip and Reset Buttons

PROBLEM DESCRIPTION:

The Safety Features Actuation System (SFAS) manual trip and reset pushbuttons are located in a row near the top of the SFAS panel. The reset pushbuttons are of the same round shape and type as the reactor and turbine trip pushbuttons and the SFAS trip pushbuttons are square. During the DCRDR verification and validation walk-throughs, the operators indicated that in one case an operator pressed the reset pushbutton instead of the trip pushbutton.

SPECIFIC ERROR:

Activation of improper control.

ASSESSMENT JUSTIFICATION:

The four sets of trip and reset buttons listed are identical in appearance; therefore assessment of this HED is generic. Since this error has reportedly occurred, the error assessment category is I. Although the error can momentarily delay the actuation of the SFAS, the operator would quickly recognize his error as he attempted to verify proper system actuation. Also, the system is fully automatic and, if required, would actuate at the appropriate setpoint. Therefore, the significance category is A-L.

DISPOSITION:

The similarity between the SFAS reset buttons and other trip pushbuttons can be minimized with appropriate labeling. The SFAS trip buttons themselves are of a different type and are easily distinguishable from the reset buttons. The pushbuttons are relatively high on the panel and the "reset" label over the top of the button may be partially obscured for operators of less than average height. This condition promotes the tendency to rely on the reset/trip button shape similarity. This problem will be corrected by placing an additional reset and trip label below the four pairs of pushbutton controls (see attached label sketches) in order to provide a prominent identification of the trip and reset functions. This additional labeling does not generate any new HEDs (see attached Verification of Design Improvement form). The available panel space provides ample room for the labeling.

No other actions to correct this HED are necessary.

SCHEDULE:

The labels will be added prior to restart.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

Based upon a review of the documentation submitted by TED, the staff is in agreement on the interim solution for relocating labels for the manual trip and reset pushbuttons below the pushbuttons. However, since the pushbuttons are relatively high up on the control panels and partially obscured in their present location, there is some concern about the appropriateness of the solution as a final fix. Fortunately, TED plans further human factors verification and review of this potential problem and it is recommended that NUREG-0700 guidelines be used as the basis for assessing a permanent design solution with particular emphasis on height placement of control and displays.

ACTIONS TO BE COMPLETED BY TED

TED should confirm that the interim solution is implemented prior to restart. In addition, a human factors verification and validation should be performed using the proper EOP steps that control room operators would normally perform in the use of these pushbuttons.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.047

TITLE: Decay Heat Pump/HPI Pump Mimic Relationships Are Unclear

ITEMS INVOLVED:

Panel C-5716:
HIS-DH6A, HIS-DH6B, Decay Heat Pump Control
HIS-1523, HIS-1524, HPI Pump Control
Mimics

PROBLEM DESCRIPTION:

The decay heat pump control is located directly above the high pressure injection (HPI) pump control on vertical panel C-5716. The decay heat mimic is orange and the HPI mimic is red. Each switch has indicator lights above and component label below. Because of the proximity of the two switches, the similarity in color of the mimics for HPI and decay heat, and the fact that the component's label is somewhat obscured by the control switch, operators have inadvertently activated the decay heat pump instead of the HPI pump.

SPECIFIC ERROR:

Control substitution error. Operator activates decay heat pump while intending to activate HPI pump.

ASSESSMENT JUSTIFICATION:

If the HPI pump is started in a post-trip situation, the operator confirms activation from loop flows, pump amps, and related indications. If operator activates decay heat pump instead of HPI and fails to verify activation, degradation of ability to manage the transient results until the operator realizes HPI has not been activated. Probability of error is I because error has occurred. Safety significance is A-M.

DISPOSITION:

This HED will be resolved by labeling and mimic modifications (see attached drawings). Component labels will be moved to the left side of each switch to improve label visibility. Modifications to the mimic to clarify proper association of the switch with the proper system mimic will be made. The mimic and label modifications will be implemented prior to restart. No new HEDs have been created by this change (see attached Verification of Design Improvement form).

SCHEDULE:

This will be complete prior to restart.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

Based upon a thorough review of TED's submittal, this HED will be corrected prior to restart by implementing proper labeling and mimic modifications. This corrective action will clarify the proper association between the decay heat pump control switch and the HPI pump control switch in order to minimize occurrences of inadvertent activation by the operators of the decay heat pump instead of the HPI pump.

ACTIONS TO BE COMPLETED BY TED

To minimize errors, corrective actions should be implemented prior to restart and TED has agreed to confirmatory action for verification that the design solution resolves human factors concerns.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 1.7.011

TITLE: Pushbuttons/Indicator Lights Have Shorted Out During Bulb Replacement

ITEMS INVOLVED:

The potential for this problem exists on most control room indicator lamps.

PROBLEM DESCRIPTION:

During indicator lamp replacement, the potential for creating an electrical short in the control or indicator circuit exists because the metal bulb extractor can contact the grounded lamp housing during the process. Depending upon the control or indicator circuit configuration, unplanned control actions or power supply failures may result.

SPECIFIC ERROR:

Loss of information or inadvertent control actuation.

ASSESSMENT JUSTIFICATION:

Since this problem has reportedly occurred at Toledo Edison and at other utilities, the error assessment category is I. Since the error can affect safety related equipment with a wide range of consequences including the potential for degrading a safety function, it is assigned significance category of A-M.

DISPOSITION:

This HED has been rectified by replacing the metal bulb extractor with a simple plastic version which precludes the grounding problem. Additionally, the replacement of indicator lamps in the switchyard panel is now performed by electricians since those lamps are powered by 120VAC and have a higher potential for arcing. The indicator lamps on the switchyard panel have the highest potential for causing unplanned control actions. These corrective actions were taken in December of 1984 and have eliminated the problem. No new HEDs have been introduced as a result of these changes (see attached Verification of Design Improvement form).

SCHEDULE:

Complete.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

Based upon a review of the documentation submitted by TED, the staff agrees with the disposition of this HED. The corrective action implemented by TED has effectively prevented any subsequent grounding of electrical circuits during bulb replacement. This HED is resolved.

ACTIONS TO BE COMPLETED BY TED

None.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 3.1.037

TITLE: Annunciator With Inputs From More Than One Plant Parameter Setpoint Is Not Avoided

ITEMS INVOLVED:

Panel  RC   Title
1      1.5  Essential Bus E1 Source Brkrs NTNM
       1.6  Essential Bus F1 Source Brkrs NTNM
2      1.4  BA Mix Tk Lvl
       2.3  BA Add Tk 1 Lvl
       2.4  BA Add Tk 2 Lvl
       3.3  BA Add Tk 1 Temp
       3.4  BA Add Tk 2 Temp
       4.2  RC Letdown or MU FCT DP
       5.3  RC MU Tk Lvl MU16-1
       5.4  RC MU Tk Lvl MU16-2
3      1.1  Ctmt Refueling Canal Lvl
       2.2  SFP Lvl
4      4.4  RC Przr Lvl
5           Not per NUREG-0700 p. 6.3.1.2c(1)
6      1.4  RCP Seal in Total Flow
7      5.3  Misc Wst Mntr Tk or Flt Trbl
       5.4  RC DT Lvl
9      1.4  New Lube Oil Strg Tk Lvl
       1.7  Fire Wtr Strg Tk Lvl
       2.1  N Hdr Press
       2.4  Used Lube Oil Strg Tk Lvl
       3.4  Dsl Oil Strg Tk Lvl
       5.4  Aux Blr Drm Lvl
10     2.3  MFPT 1 Lube Oil Tk Lvl
       2.4  MFPT 2 Lube Oil Tk Lvl
11     3.4  EE Surge Tk Side 1 Lvl
       3.6  EE Surge Tk Side 1 Lvl
12     5.1  SG 1 Out Stm Temp
       5.2  SG 2 Out Stm Temp
13     1.3  LP FW Htr Drn Tk 1 Lvl
       1.4  LP FW Htr Drn Tk 2 Lvl
       1.5  HP FW Htr 1-4 Lvl
       1.6  HP FW Htr 2-4 Lvl
       2.3  LP FW Htr 1-2 Lvl
       2.4  LP FW Htr 2-2 Lvl
       2.5  HP FW Htr 1-5 Lvl
       2.7  HP FW Htr 2-5 Lvl
       3.3  Dear Strg Tk 1 Lvl
       3.4  Dear Strg Tk 1 Lvl
       3.5  HP FW Htr 1-6 Lvl
       3.6  HP FW Htr 2-6 Lvl
14     3.4  Ehc Fluid Lvl
15     2.4  MSR 1 1st Stg Dt Lvl
       2.5  MSR 1 1st Stg Dt Lvl
       3.3  T-G Lub Oil Tk Lvl
       3.4  MSR 1 2nd Stg Dt Lvl
       3.5  MSR 2 2nd Stg Dt Lvl
16     4.3  Gen H2 Gas Press

PROBLEM DESCRIPTION:

Annunciators with inputs from more than one plant parameter setpoint are not avoided.

SPECIFIC ERROR:

Misinterpretation of annunciator. Delay in identifying alarms. See disposition section for consequences of specific errors.

ASSESSMENT JUSTIFICATION:

The annunciator alarms have been grouped and categorized as follows:

1. Tank Levels
2. Electrical Breaker Status
3. System Temperatures
4. Others
1. Tank levels
a. Applicable Annunciators: (Panel, Row, Column)

2-1-4    9-1-7    13-1-4   13-3-5
2-2-3    9-2-4    13-1-5   13-3-6
2-2-4    9-3-4    13-1-6   13-5-1
2-5-3    9-5-4    13-2-3   14-3-4
2-5-4    10-2-3   13-2-4   15-2-4
3-1-1    10-2-4   13-2-5   15-2-5
3-2-2    11-3-4   13-2-6   15-3-3
4-4-4    11-3-6   13-3-3   15-3-4
7-5-4    13-1-3   13-3-4   15-3-5
9-1-4

b. Clarification
1. Many of the above alarms have associated level indicators displaying information to the operators in the control room. Upon receipt of the applicable annunciator, the operator would then refer to the indicator associated with the alarm.

2. Exceptions:

The following annunciator alarms do not have an associated indicator in the control room.

2-1-4 BA Mix Tank Lvl
9-1-4 New Lube Oil Strg Tk Lvl
9-2-4 Used Lube Oil Strg Tk Lvl
9-5-4 Aux Blr Drum Lvl
10-2-3 MFPT 1 Lube Oil Tk Lvl
10-2-4 MFPT 2 Lube Oil Tk Lvl
13-1-3 LPFW Htr Drn Tk 1 Lvl
13-1-4 LPFW Htr Drn Tk 2 Lvl
13-1-5 HPFW Htr 1-4 Lvl
13-1-6 HPFW Htr 2-4 Lvl
13-2-3 LPFW Htr 1-2 Lvl
13-2-4 LPFW Htr 2-2 Lvl
13-2-5 HPFW Htr 1-5 Lvl
13-2-6 HPFW Htr 2-5 Lvl
13-3-5 HPFW Htr 1-6 Lvl
13-3-6 HPFW Htr 2-6 Lvl
14-3-4 EHC Fluid Lvl
15-2-4 MSR 1 1st Stg Dt Lvl
15-2-5 MSR 2 1st Stg Dt Lvl
15-3-3 TG Lube Oil Tk Lvl
15-3-4 MSR 1 2nd Stg Dt Lvl
15-3-5 MSR 2 2nd Stg Dt Lvl
1-2-7 Emer DG FOST 1-1 Lvl Hi/Lo
1-2-8 Emer DG FOST 1-2 Lvl Hi/Lo

c. Tank Level Annunciators, Exceptions: Consequences of Specific Error

The annunciators listed above under Item (2), exceptions, do not have associated control room panel indicators. Consequently, upon receipt of an alarm the control room operator would contact an operator working outside of the control room for clarification of the applicable tank level status. The level alarms listed are actuated at a high or low setpoint. The operator external to the control room has local indicators available to him to allow specific interpretation of the deviation. It is determined that no significant adverse consequence will occur due to specific error, and this item is therefore rated Category III.

d. Impact On EOP Execution

As prescribed by the station emergency operating procedure, there are no safety related operator actions associated with multiple input tank level annunciators. The annunciators identified in exceptions (2) are not related to safety related equipment except Diesel Generator Fuel Oil Storage Tanks (week tanks). The annunciators for these two windows have had their input from high level removed and the windows renamed LOW LEVEL.

2. Electrical Breaker Status
a. Applicable Annunciators: (Panel, Row, Column)

1-1-5 Essential Bus E-1 Brkrs NTNM
1-1-6 Essential Bus F-1 Brkrs NTNM

b. Clarification:

The above listed alarms have multiple input plant parameter setpoints in that associated breakers actuating the alarm may be open, closed or withdrawn. There are twelve breakers which are monitored by each alarm. These breakers and the conditions of the breakers to cause an alarm are listed in the Station Alarm Procedure AP 3001.05.4. Upon receipt, refer to AP 3001.05.4, which provides direction on which breakers to check locally. The control room operator would then request an operator working outside of the control room to clarify the deviation. In addition, the breakers inputting the alarm feed electrical power to equipment which have status indication in the control room. The following is a breakdown of the breakers inputting the alarm and examples of the powered equipment status:

1. Alarm: 1-1-5 Essential Bus E-1 Brkrs NTNM

Breaker   Alarming Condition    Control Room Panel Mounted Equipment Status (Examples of)
BCE 11    open or withdrawn     Control Room Panel mounted open/closed indicators BCE 11
BCE 12    closed or withdrawn   Control Room Panel mounted open/closed indicators BCE 12
BE 105    withdrawn             Ctmt Air Cooler 1-3 on/off status indicator
BE 106    open or withdrawn     Essential Pressurizer Heaters on/off status indicators
BE 107    open or withdrawn     Essential valve status; i.e. DH9B; DH78; MU40; RC10 etc.
BE 110    open or withdrawn     Ctmt Air Cooler 1-1 on/off status indicator
BE 111    withdrawn             #1 Ctmt Spray Pump on/off status indicator
BE 113    closed or withdrawn   T/G Lift Pump on/off indicator (if on E side supply)
BE 118    open or withdrawn     RE4598AA or RE4598AB Radiation Monitors (behind Ctrl Room Panels)

2. Alarm: 1-1-6 Essential Bus F-1 Brkrs NTNM

Breaker   Alarming Condition    Control Room Panel Mounted Equipment Status (Examples of)
BDF 11    closed or withdrawn   Control Room Panel mounted open/closed indicators BDF 11
BDF 12    open or withdrawn     Control Room Panel mounted open/closed indicators BDF 11
BF 105    withdrawn             Ctmt. Air Cooler 1-3 on/off status indicator
BF 110    open or withdrawn     Ctmt Air Cooler 1-2 on/off status indicator
BF 111    withdrawn             Ctmt Spray Pump 1-2 on/off status indicator
BF 115    open or withdrawn     Essential Valve status, i.e.; CF5A, CF2A, CFIA, AF 599, etc.
BF 114    open or withdrawn     Essential Pressurizer Heater on/off status indicators
BF 113    open or withdrawn     T/G Lift Pump on/off status indicators (if on F side supply)
BF 118    open or withdrawn     RE4598BA, RE4598BB Radiation Monitors (behind ctrl room panels)

c. Consequence of Specific Error: Electrical Breaker Status

As identified, both alarms listed receive input from 9 breakers status and, if in an unusual or "not normal" condition, will subsequently cause further control room panel indication status changes. Therefore, the consequences of the specific error for the multiple input conditions providing input to these alarms are considered low. It is determined that no adverse consequences will occur due to specific error, and this item is therefore rated Category III.

d. Impact On EOP Execution

As prescribed in the Station Emergency Operating Procedure, there are no safety related operator actions associated with these two electrical breaker status multiple input annunciator alarms.
3. System Temperatures.
a. Applicable Temperatures

2-3-3 BA Add TK 1 Temp
2-3-4 BA Add Tk 2 Temp
12-5-1 SG 1 Out Stm Temp
12-5-2 SG 2 Out Stm Temp

b. Clarification

The above alarms have associated temperature indicators which display information to the operators in the control room. Upon receipt of the alarm, the operator would then refer to the indicator associated with the alarm for a specific interpretation of the deviation.

c. Consequences Of Specific Error: System Temperatures

The consequence of this item is low due to the availability of temperature indicators provided in the control room. No adverse consequences will occur due to specific error; therefore, this item is rated Category III.

d. Impact On EOP Execution

As prescribed by the Station Emergency Operating Procedure, there are no safety related operator actions associated with the multiple input system temperature annunciators.
4. Other Annunciators (Panel, Row, Column)
a. Applicable Annunciators

2-4-2 RC Letdown or MU Flt DP
6-1-4 RCP Seal In Total Flow
7-5-3 Misc. Wst Mntr Tk or Flt Trbl
9-2-1 N2 Header Press
16-4-3 Gen H2 Gas Press

b. Clarification

Items 2-4-2, 6-1-4, 9-2-1 and 16-4-3 have associated control room indicators to allow specific interpretation of the deviation. Upon receipt of the alarm the control room operator would refer to the applicable indicator.

1. Exceptions

Item 7-5-3 does have multiple inputs to the annunciator. This is however a non-safety related system. Upon receipt of the alarm the control room operator would refer to the operator outside of the control room for interpretation of the deviation. Status of the inputs to this annunciator are available to the local operator.

c. Consequence Of Specific Error: Other Annunciators

With the exception of item 7-5-3, the annunciators have associated indicators which allow the operator to further assess the alarm input status. The control room operator will not be misled by this alarm. His task upon receiving this alarm is to notify the local operator to check local status. Therefore, the consequence of specific error is viewed as low. Item 7-5-3 is related to a non-safety system and therefore the consequence is considered low, as there is time for the local operator to perform the assessment. It is determined that no adverse consequence will occur due to specific error, and this item is therefore rated Category III.

d. Impact On EOP Execution

As prescribed by the Station Emergency Operating Procedure, there are no safety related operator actions associated with the above listed multiple input annunciators.

DISPOSITION:

As indicated in the Assessment Justification, these annunciators have no impact on the implementation of the emergency operating procedure, and potential for incorrect operator action is low.

The long standing nuisance alarm reduction program has addressed many problems with multiple input alarms which has improved the reliability of alarms to reduce confusion from unnecessary alarms. The program has also resulted in the elimination of some multiple inputs such as the Emergency Diesel Generator Week Tank (Oil) level alarm modified by FCRs 85-174 and 85-014.

SFRCS alarms have also been modified during this outage (see HED 9.2.018 for details).

Although no other specific actions to resolve this HED are required, it will be considered in conjunction with other annunciator HEDs in the Annunciator Special Study.

SCHEDULE:

The annunciator special study will begin after restart.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

A review of the documentation pertaining to this HED describes the use of multiple set points for single annunciator alarms. This situation can cause operator confusion and misinterpretation. However, since the alarms involved in this HED do not involve entry conditions to the EOPs and "nuisance alarms" have been a recurring problem for Davis-Besse, TED has proposed to conduct an Annunciator Special Study to resolve these annunciator problems on a generic level. The staff agrees with this approach and does not consider this HED a restart issue due to non-safety related components and the availability of alternative indications in the control room to verify confusing annunciator indications.

ACTIONS TO BE COMPLETED BY TED:

No actions are required for restart. However, this HED should be resolved after restart as a result of the Annunciator Special Study scheduled for implementation by the 5th refueling outage.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 5.1.002

TITLE: Indicator Lights That Indicate System or Equipment Status When Off

ITEMS INVOLVED:

Panel ID  Component ID             Component Description                             Category
C5713     EHC Panel #1             Turbine Panel Lights                              III
C5713     EHC Panel #1             Master Trip Solenoid Valve (2)                    III
C5713     IL2410                   Lube Oil Vapor Extractor                          III
C5713     EHC Panel #1             Turbine Panel Load Limiting Light                 III
C5709     ILICS388-A               Aux-Shutdown Panel Lights (4)                     III
C5705     ILRC2-5-ILRC2-9
C5710     ILSP1381-2-3 & Al-2-3    Turbine Bypass Valves (6)                         IIB-L
C5710     ILICS11B-11A             Atmospheric Vent Valves (2)                       III
C5706     IL3302-IL3303            Source Range High Voltage (2)                     III
C5705     ILRC2-6                  PORV Light DC Ctrl Power Available                III
C5702     ILMUll                   Feed and Bleed Permissive                         III
C5705     IL285                    Pressurizer Spray Bypass Valve                    III
C5715     ILX (Total 38 Lights)    DC and Instrument AC Bus Breaker Positions (38)   III
C5722     NNI-YAC, YDC, XAC, XDC   NNI Power Available Indications (4)               III
C5716     IL1530 IL1531            Containment Spray Valve Throttle Indications (2)  III

PROBLEM DESCRIPTION:

The indicator lights identified show equipment or system status when the light is off. In such cases, a failed bulb may be misinterpreted. Although all indicating lights indicate some form of status in their off condition, most controls and indications have two or more indicating lights which are illuminated to show various system status conditions; for example, the open or close indications on a valve or on and off indications on a pump. The indicators listed in this HED have only one light to provide status indication.

SPECIFIC ERROR:

Misinterpretation of indicator light status.

ASSESSMENT JUSTIFICATION:

When this HED was originally evaluated, a general error assessment was applied to all the listed indicators. It was conservatively assumed that most of the indicators could be misinterpreted in the event of a failed light bulb, and the error assessment category was determined to be II. Since numerous safety related components were associated with this HED, and the specific evaluation of the consequences of a misinterpretation of each indicator light was not performed, a generic safety significance category of "A" was assigned. A specific evaluation of each listed item resulted in the additional significance categorization of "L" since the consequences of individual misinterpretations were determined to be minor. The individual component "category" listed in the Items Involved Section reflects the most recent review of each item with respect to error assessment and safety significance. The following is a justification for each of those items.

Component ID: EHC Panel #1
Component Description: Turbine Panel Lights

The turbine panel lights indicate turbine control system status. Any lights that are normally off and come on to indicate an abnormal status also trigger an annunciator to warn the operator. These lights have dual bulbs and a lamp test feature. Therefore, the error assessment potential is very low and this component is categorized III.

Component ID: EHC Panel #1
Component Description: Master Trip Solenoid Valves A, B

The Master Trip Solenoid Valve (MTSV) indication is provided to allow on-line testing of each MTSV (PT 5193.11). Each light is normally on and goes off when pushed for testing. Also, dual bulbs and a lamp test circuit are provided for this panel. The error assessment of this component problem is, therefore, low and is categorized as III.

Component ID: IL2410
Component Description: Lube Oil Vapor Extractor

The turbine generator lube oil vapor extractor is normally in operation as indicated by the Control Room lights which are normally on. A failure of the indicator light would result in an investigation by local examination of the system operation. Loss of the vapor extractor requires no immediate operation action. Consequently the error assessment potential is very low and this component problem is categorized III.

Component ID: EHC Panel #1
Component Description: Turbine Panel Load Limiting Light

Although separately listed, the load limiting light on the turbine panel is also a control status light. This light is normally off and comes on to warn that the turbine valves have reached a load limit. An annunciator is also triggered. It is part of the turbine panel lights listed previously and also has dual bulbs and a lamp test feature. The component problem has a corresponding III category.

Component ID: ILICS388-A, ILRC2-5, ILRC2-9
Component Description: Aux. Shutdown Panel Lights

The auxiliary shutdown panel lights are illuminated when control power is assumed locally at the shutdown panel for the corresponding safety related components. An annunciator exists to redundantly indicate the transfer of control power to the shutdown panel. Consequently the error assessment potential is very low and the component problem has been categorized as III.

Component ID: ILSP1381, 2, 3; ILSP13A, 1, 2, 3
Component Description: Turbine Bypass Valve Lights

For each of the six turbine bypass valves, the individual valve light comes on when the valve is some small percentage open (10-20%). A failed indicator could allow a turbine bypass valve to be fully open without other direct control room indication. This could result in the equivalent of a small steam leak with respect to primary system response, but would not present a significant operational problem. At power, this condition may be unnoticed until the feedwater to generator output power mismatch is detected. In a shutdown condition, this would result in a slow depressurization of the steam generator which would allow the operator sufficient time to identify the leak by local observations and take corrective action, i.e., close a manual isolation valve. If the operator failed to take action, the steam generator depressurization caused by these non-safety related valves would ultimately be terminated by the safety related main steam isolation valves actuated by SFRCS. This would be a challenge to a safety system; therefore, this component problem has been categorized as IIB-L.

Component ID: ILICS11B, ILICS11A
Component Description: Atmospheric Vent Valve Lights

The indicator light for each atmospheric vent valve is illuminated when the valve is almost completely open. Consequently, the failure of the indicator is insignificant since the additional flow through the valve from a point of indication to full open is minimal. A separate control switch in the control room has open and closed indications that will also show AVV position and the automatic control station has a demand meter for the control signal to the valves. As a result of the location of the main steam lines, the atmospheric vent valves, and the control room, the noise created by an atmospheric vent valve even partially open is easily detectable in the control room. The potential for failing to recognize that an atmospheric vent valve is open, as the result of the indicator light failure, is relatively low. Therefore, this component problem is categorized as III.

Component ID: IL3302, IL3303
Component Description: Source Range High Voltage

The source range high voltage indicator light is illuminated to show that the source range reactor power indication is energized during shutdown conditions. This is not a safety significant condition. Failure of the light at power coincident with a failure of the redundant deenergization interlocks would only result in shortening the useful lifetime of the detectors. A failed indicator light during shutdown conditions would prompt the operator to check the source range indication for proper operation. This simple check of system operation would provide an indication of the high voltage condition. Therefore, the potential for misinterpreting a bulb failure is low, and this component problem is categorized as III.

Component ID: ILRC2-6
Component Description: PORV Control Power Lights

The PORV indicator light shows that control power exists to the power operated relief valve solenoid. This light is normally on unless the control circuit is deenergized. If work requiring that the circuit be deenergized is not ongoing, a failed indicator light would prompt an operator investigation. The potential for misinterpretation of a failed indicator is, therefore, very low, and this component problem is categorized as III.

Component ID: ILMUll
Component Description: Boration Permit

The feed and bleed permissive lights indicate that conditions are acceptable for the simultaneous primary system makeup and letdown to change RCS boron concentration. Failure of the light during conditions which would otherwise permit feed and bleed would prompt an operator investigation or to use the alternate method of boron concentrating control via the batch method. Failure to perform a feed and bleed operation results in an increase in the amount of water that must be processed for an RCS boron change, but doesn't prevent boron concentration changes. The potential for misinterpretation of the failure and safety significance are, therefore, very low, and this component problem is categorized as III.

Component ID: IL285
Component Description: Pressurizer Spray Bypass Valve

The pressurizer spray bypass valve indicator light is a position indicator on a manually positioned valve. The valve is normally closed and the light is on when the valve is not closed. The valve can only be repositioned from inside containment. The spray bypass valve would only be used in an unusual case where the normal spray valve had failed closed and would only be used with close communication with the control room. If the spray bypass valve were not fully closed, more than the normal number of pressurizer heaters would be energized to maintain Reactor Coolant System pressure. The unusual response of pressurizer heater and RCS pressure would be quickly identified. The potential for misinterpretation of the failed indicator is very low; consequently, this component problem is categorized III.

Component ID: ILXXX (Total 38 Lights)
Component Description: DC and Instrument AC Bus Breaker Positions

The DC and instrument AC bus breaker position indications provide bus alignment information. A failed indicator would prompt an operator to investigate whether normal bus voltage conditions exist, which is easily identifiable through annunciators and voltage indications. The potential for misinterpreting a failed indicator is very low, and this component problem is categorized as III.

NNI-Y-AC, NNI-Y-DC, NNI-X-AC, NNI-X-DC: NNI Power Available Indications

The NNI power available indications are normally energized. If authorized work requiring that the power supplies be deenergized is not ongoing, a failed indicator would immediately prompt an operator investigation. Actual failure of an NNI power supply would be immediately indicated by plant response and related annunciators. The potential for misinterpretation of a failed indicator is very low, and this component problem is categorized as III.

IL1530, IL1531: Containment Spray Valve Throttle Indication

The throttle position lights on containment spray valves come on to show that the containment spray valve is in its proper throttle position following the transfer of decay heat suction to the emergency sump after the Borated Water Storage Tank has been emptied into Containment. Failure of these lights would, therefore, prompt operator action as he attempts to verify that proper throttling occurs. An indication of reduced containment spray flow would provide assurance of proper valve operation. The valve full open and closed lights and the SFAS Safety Actuation Monitor (SAM) lights are also available to show proper valve operation on the initial actuation of Containment Spray. The potential for misinterpretation of this indicator is, therefore, low, and the component problem is categorized as III.

DISPOSITION:

Other than the IIB-L categorization of the turbine bypass valve indicator lights, the individual indicators identified in this HED provide useful operator information and are not easily misinterpreted. The specific review of these indicators has resulted in their categorization as III and no further action is required.

The Turbine Bypass Valve indicating lights are an aid to the operator during the performance of the Emergency Operating Procedure. They are not his only indication. Emergency Operating Procedures direct the operator to verify proper steam header pressure control. These indicating lights are not directly referenced in the Emergency Procedure. Operator actions are directed to determine which SG is causing an overcooling event by comparing several parameters on both SG's and key valve positions (Turbine Bypass Valves included). Three turbine bypass valves are controlled by one control station; therefore all three valves should open together, and one light off indicating the TBPV is closed will not prevent the operator from identifying improper control of that steam line's TBPV's. The operator is directed to attempt manual control of any valves causing overcooling. If an overcooling event cannot be corrected by the operator, he is directed to manually actuate the SFRCS. The SFRCS would automatically actuate to terminate the overcooling. Therefore, improper operation of these indicating lights will not prevent proper conduct of the Emergency Operating Procedure. Corrective actions for this problem, if required, will be developed during the Displays Special Study. No other actions are required prior to restart.

SCHEDULE:

The Turbine Bypass Valve indicating lights will be re-examined in the Displays Special Study to be conducted after startup.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

Based upon a review of TED's submittal, the staff concludes only one of the individual indicators listed in this HED is safety related and involves the EOP's. This indicator is the turbine bypass valve indicating lights and since there are alternative indications available in the control room to determine the appropriate valve status, the staff agrees with TED that this problem can be considered after restart as part of the Displays Special Study without undue safety consequences.

ACTIONS TO BE COMPLETED BY TED:

No actions are required before restart. However, the corrective action to resolve this HED should be developed as part of the Display Special Study to be completed after startup and implemented no later than the 5th refueling outage.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 5.1.029

TITLE: Meters With Pointers That Have Parallax Problems

ITEMS INVOLVED:

Panel   Component ID        Description          Category
5798    TIRC3B6/TIRC4B2A    Loop 1 Temperature   III
5798    TIRC3A6/TIRC4A2A    Loop 2 Temperature   III
5798    TI4628              Incore Temperature   III
5799    TIRC3B5/TIRC4B4     Loop 1 Temperature   III
5799    TIRC3A5/TIRC4A4     Loop 2 Temperature   III
5799    TI4627              Incore Temperature   III

PROBLEM DESCRIPTION:

Pointers on meters on the Post Accident Monitor (PAM) panel are not mounted close to the scale, causing parallax problems. This could make it difficult to obtain a proper reading and cause an operator to misread the display. The significance of this problem and effect on performance of Emergency Operating Procedures is described in the Assessment Justification section.

SPECIFIC ERROR:

Misread the display and fail to take action or take improper action based on that reading.

ASSESSMENT JUSTIFICATION:

The Post Accident Monitoring (PAM) Panel is by design intended to be a backup monitoring system. The only meters on the PAM panel which are referenced by the Emergency Procedure (EP) to be used for an operator task are the incore thermocouple meters (TI 4627 and TI 4628) and the wide range hot leg temperatures (TIRC3A5, TIRC3B5, TIRC3A6 and TIRC3B6) and the margin to saturation meters (TDI 4950, TDI 4951). The margin to saturation meters are large digital displays and are not associated with the problem described in this HED. The incore thermocouple meters are the primary indication to be used for determination of inadequate core cooling (ICC) conditions. Entry into the EP section for ICC and the operator actions in the ICC section are based on the indications from these meters. The meters are readable to the accuracy required by the procedure. The meters are readable to one half of one scale increment (5°F) accuracy which is more accurate than the technical basis which defined the procedure steps. The error assessment category for these meters is therefore III.

The wide range hot leg temperatures are only used as a backup indication to the four control panel mounted hot leg temperature meters (two of the control panel meters are safety grade and two are NNI system powered). The operator task required by the EP is the initiation of the "Feed and Bleed" cooling mode, after a complete loss of all feedwater to the SG, when either loop hot leg temperature reaches 600°F. The PAM panel meters are only required by the EP if all the control panel hot leg temperature indication has been lost. In the unlikely event all four control panel hot leg temperature meters are lost, the operator would have to make the determination based on the PAM panel hot leg meters, which are also readable to 5°F accuracy. The EP criteria of initiation at 600°F is more than 5°F below the initiation temperature required by analysis. The error assessment category for those meters is therefore III.

If these PAM panel hot leg temperatures are also lost the incore thermocouple temperature meters mentioned above are used by the operator. These have the same readable accuracy as the hot leg temperatures as mentioned above.

Considering other HEDs related to the PAM panel this HED has been conservatively upgraded to II.A-L.

DISPOSITION:

As described in the Assessment Justification section continued operation with the present design of the PAM panel will not adversely affect performance of Emergency Operating Procedures. However, due to other HEDs associated with this panel the special studies on displays to be completed after restart are expected to recommend major changes to these displays. These changes are expected to be completed in the 5th refueling outage.

SCHEDULE:

The Display Study generated corrective actions with respect to the PAM panel will be implemented in the next (5th) refueling outage.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

Based upon the documentation submitted by TED, the staff concludes that the corrective actions to the Post Accident Monitoring (PAM) Panel as discussed in this HED can be implemented after restart. The PAM panel is by design used as a backup monitoring system and therefore should not be considered as the primary source of status indication. Although there are problems with visual parallax, the displays on the PAM panel exhibit the required accuracy for the operators to properly determine meter indication.

ACTIONS TO BE COMPLETED BY TED:

As part of the Display Study, TED has agreed to develop recommendations that will generate corrective actions for the PAM panel. These design solutions should be implemented by the 5th refueling outage.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 6.1.0

TITLE: Labels That are not Placed Above the Panel Elements They Describe

ITEMS INVOLVED:

Most Control Room labels containing the instrument identification numbers.

PROBLEM DESCRIPTION:

The majority of the labels containing instrument identification numbers and some descriptor labels are not located above the associated component. Some labels are located on the pushbutton switch perpendicular to the control board or may be located under the components or to the side.

SPECIFIC ERROR:

Potential for identification of the wrong component.

ASSESSMENT JUSTIFICATION:

This problem is generic to all control room labeling and since the potential for some error does exist, the error assessment category is II. Although the problem is generic to all control room components, therefore encompassing some safety related equipment, operators do not base their actions on instrument number identifiers or descriptive labels only, and routinely verify the results of control manipulations through other indications.

Taken by itself this HED has relatively low error potential and safety significance, but it has been conservatively categorized as II A-L in light of other labeling HED's.

DISPOSITION:

This problem is to be addressed during the Label and Location Aids Special Study which will integrate the resolution of all other labeling related HEDs. As indicated in the Assessment Justification, this HED is considered less significant because of the operator's restricted use of component identification by instrument ID number or descriptive label and by the routine practice of verifying control actions with other indications.

Deferring resolution of this HED until the Label and Location Aids Special Study is, therefore, justified.

SCHEDULE:

The Label and Location Aids Special Study will begin following restart.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

After reviewing the documentation submitted by TED on this HED, the staff concludes that control and display information labels require a generic review for consistency and conformance to formal plant conventions. This generic review, titled "Label and Location Aid Special Study," will enhance the operators' identification of panel components but is not essential for plant restart. The operator's routine practice of verifying control actions and manipulations by other control room indications is a satisfactory way of ensuring proper actuation of controls on an interim basis. TED's commitment to a generic study, which may require a complete relabeling of the control room, is commended.

ACTIONS TO BE COMPLETED BY TED:

TED is committed to ensure that corrective actions being implemented in the control room prior to restart, developed as a result of other HEDs solutions, make use of good human factors guidelines. This practice will ensure that corrective actions implemented in the control room will not require additional changes as a result of the Label and Location Aids Special Study.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 6.1.015

TITLE: Temporary Labels, Magnetic Labels, and Information Tags Obscure Components

ITEMS INVOLVED:

Most control room components.

PROBLEM DESCRIPTION:

Temporary labels, magnetic labels, and information tags obscure components and other labels. The most notable problems are the information tags placed over Cutler Hammer hand indicating switches.

SPECIFIC ERROR:

Delay in or failure to identify equipment status.

ASSESSMENT JUSTIFICATION:

The potential for this problem exists throughout the control room, and the HED is given an error assessment category of II. Although this problem is generic and the practice of handling information tags and placing labels may potentially affect safety related equipment, the effect of the problem is primarily to delay the operator's completion of normal assessment activities. The significance category is, therefore, A-L.

DISPOSITION:

A new procedure for the control of control room labels and tags has been established as a part of Administrative Procedure AD 1803.02, "Operational Information Tags." This procedure clearly states the importance of hanging tags or placing labels in such a manner that other components or labels are not obscured.

For control room hand indicating switches, a plastic shroud with a sliding plexiglass front will be installed on switches requiring labeling to permit the use of stickers containing the necessary information, which will be placed on the sliding plexiglass cover. This will insure that no other indication is obscured. The use of the plastic shrouds is also controlled by AD 1803.02.

The use of this new procedure will eliminate the previous problems and completely addresses this HED. The new procedure for controlling tags and labels does not create any new HEDs (see attached Verification of Design Improvement form). The use of the plastic shroud on hand indicating switches still permits the placement of important operating information while assuring that no other components are obscured. This corrective action, therefore, closes this HED.

SCHEDULE:

Complete.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

Based upon a review of TED's documentation, the staff concludes that the corrective action developed to resolve this HED should be effective in identifying control room components that have been tagged-out without obscuring information on the control boards. TED has developed plastic shrouds with clear plexiglass fronts to be placed on identified components with appropriate tag-out information easily identified by the operators.

New administrative procedures and a component log have also been developed to integrate this process in the control room. These corrective actions should resolve the prior problems with the use of operational information tags and enable operators to have unobstructed view of controls and displays in the control room.

ACTIONS TO BE COMPLETED BY TED:

None.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.004

TITLE: Related Controls and Displays Not Located Together

ITEMS INVOLVED:

Reactor Coolant System (RCS) temperature input to Integrated Control System (ICS) select switches HS-RC3B and HS-RC3A.

PROBLEM DESCRIPTION:

The identified hand switches are used to select the respective reactor coolant hot leg loop temperature for display and temperature compensation for the corresponding RCS loop flow signal. The hand switches are located on the back panel along with the temperature indication such that the selected temperature can be read as the hand switch is manipulated. The indication of RCS loop flow is, however, located on the front console and is not visible by the individual manipulating the switch. This loop flow feeds the ICS and can affect the feedwater controls.

Although the operator can view the selected temperature while manipulating the control, the use of the temperature signal as temperature compensation for reactor coolant flow can have a pronounced effect on reactor coolant flow. Consequently, the process of switching from one temperature signal to another may have a minor impact on indicated temperature, but have a sufficient impact on reactor coolant flow to cause a feedwater system transient.

Manipulation of this control is not required as a part of the emergency operating procedure, and the outputs feed no safety related system. Selection of the temperature indication not normally selected is useful only to determine proper operation of the instrument string.

SPECIFIC ERROR:

Inadvertent creation of a feedwater system transient.

ASSESSMENT JUSTIFICATION:

The problem, and therefore its assessment, for both of these switches is identical. Although manipulation of these controls has not resulted in any reactor/turbine trips, the potential does exist under certain circumstances.

The error assessment category is II.

The associated equipment is not safety related, cannot degrade any safety function and is not referenced in the Emergency Operating Procedure. The significance category is, therefore, B-L.

DISPOSITION:

The facility modification FCR 82-023A (not specifically initiated as a result of this HED) has resolved this problem. The modification was intended to improve ICS reliability by modifying the control system dependence on reactor coolant flow inputs. The inputs to the ICS have been modified to use reactor coolant pump operating status in place of reactor coolant flow.

The reactor coolant pump status provides sufficient information for the ICS to determine required feedwater flow and is considerably more reliable than actual flow indication. Actual flow indication is switched into the ICS in the event of a reactor coolant pump trip.

As a result of this modification, the potential transients caused by selecting an inaccurate or failed temperature indication have been eliminated.

The need to monitor reactor coolant flow indication on the front console while manipulating the temperature selectors has been eliminated.

No new HEDs are created by this modification since reactor coolant pump status provides appropriate information to the ICS, and the modification created no other impact on the Control Room.

An interim corrective action was earlier identified for this problem. The corrective action was to eliminate the procedural requirement to periodically select the unused temperature input to verify proper operation. With the implementation of FCR 82-023A this procedural restriction is no longer required.

SCHEDULE:

Complete.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

Based upon a review of TED's documentation, the staff concludes that the corrective action developed for this HED improves the ICS reliability by utilizing reactor coolant pump operating status instead of reactor coolant flow. The pump status provides sufficient information for the ICS to determine required feedwater flow and is more reliable than actual flow indication. While flow indication is used in the event of a reactor coolant pump trip as an input to the ICS, the operator is no longer required to manipulate the affected control system.

ACTIONS TO BE COMPLETED BY TED:

Procedures and training should incorporate the above solution into upgraded restart initiatives so that operators are aware of and familiar with corrective actions being implemented in the control room.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.028

TITLE: Potential For Mi Indication

ITEMS INVOLVED:

FR SP4A, Loop 2 Main Feedwater Flow Recorder, Panel C5712
FR SP4B, Loop 1 Main Feedwater Flow Recorder, Panel C5712

PROBLEM DESCRIPTION:

The Main Feedwater Flow Recorder for each loop can be fed a signal from either the corresponding wide range sensor or low range startup sensor, depending upon the position of the Main Feedwater Block Valve. The block valve position interlock has occasionally failed, resulting in a low (approximately 1.0 mlb/hr) flow indication and flow control signal to the Integrated Control System (ICS) from the startup flow element, when actual flow was normal for power operations (approximately 6.5 mlb/hr). This results in an incorrect interpretation of low flow and an incorrect response by the ICS to increase feedwater flow, resulting in an overfeed condition and a reactor trip on low primary system pressure or a Steam and Feedwater Rupture Control System (SFRCS) trip on high steam generator level. The operator could be misled by this incorrect indication of feedwater flow and also take incorrect action.

SPECIFIC ERROR:

The automatic control system (ICS) has taken incorrect action and has caused a reactor trip. Operator action has been taken and in one case prevented a reactor trip. In another case, a reactor trip occurred due to the difficulty in achieving proper feedwater flow.

ASSESSMENT JUSTIFICATION:

The problem associated with these indicators is identical; therefore this HED may be assessed generically. Since the identified errors have occurred, the error assessment category is I. The feedwater controls and indications have no specific safety function, but can lead to a reactor trip, thus challenging safety systems. The significance categorization is, therefore, B-L.

DISPOSITION:

FCR 85-227 has been implemented to remove the interlocks which transfer the indicated flow signals from the wide range sensors to the startup sensors.

The flow recorder is, therefore, always indicating wide range flow, which is sufficiently accurate for the ICS and the operator to assure proper feedwater flow conditions even during low feedwater flow startup conditions. No physical modifications have been made to control room hardware and deleting the use of the startup flow indication does not detract from the operator's ability to evaluate feedwater flow conditions since the wide range indication is sufficiently accurate. Therefore, no new HEDs have been introduced by this modification (see attached Verification of Design Improvement form).

This HED has been completely addressed by FCR 85-227.

SCHEDULE:

Complete.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

Based upon a review of TED's documentation, the staff concludes that the removal of the interlocks which transfer signals from wide range to low range for startup, so that only wide range indication is displayed in the control room, is a satisfactory resolution of this HED.

ACTIONS TO BE COMPLETED BY TED:

Since this corrective action only involved a logic change and no physical modifications, the only action agreed to by TED is to ensure that procedures and training address any impact of using wide range scale for indicating feedwater flow during startup conditions.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.043

TITLE: SFRCS Block For Startup Feedwater Valves Located Outside of Control Room

ITEMS INVOLVED:

Steam and Feedwater Rupture Control System (SFRCS) Block Switches for Startup Feedwater Valves, HIS-SP7AB, HIS-SP7BB, HIS-SP7CB, HIS-SP7DB

PROBLEM DESCRIPTION:

In a total loss of feedwater event, the control room operator can use the startup feed pump to feed the steam generator through the normal feedwater lines by opening the startup feedwater valves. The startup feedwater valves are closed by SFRCS on a loss of feedwater and must be blocked to open. The SFRCS block switches are located outside the control room on a back wall of the cabinet room. Operation of these controls, therefore, requires the operator to leave the control room for a short period of time.

SPECIFIC ERROR:

Errors of task omission, temporal errors induced by task time demands, work overload errors.

ASSESSMENT JUSTIFICATION:

Specific errors in the use of these controls have not occurred. On June 9, 1985, the control room operator was required to leave the control room area to manipulate these controls, and the time away from the Control Room detained him from attending to other plant problems.

The error assessment category for this HED is II since no specific errors can be directly attributed to this condition.

A failure to properly actuate these controls would affect the safety function of supplying feedwater to the steam generators. The significance category of this HED is, therefore, A-M.

DISPOSITION:

FCR 85-189 has moved the SFRCS block switches for the startup feedwater valves to the main control panel to support other tasks, as required. These modifications address this concern entirely.

The movement of the SFRCS block switches for the startup feedwater control valves to the main console created no new HEDs (see attached Verification of Design Improvement form). The block switches were appropriately grouped with their corresponding startup feedwater control valve controls.

SCHEDULE:

Complete.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

Based upon a review of TED's documentation and the emergency event of June 9, 1985, the staff concludes that moving the SFRCS block valve switches for startup feedwater to the main control panel for easy access during an emergency is a satisfactory solution to this HED. The block switches are appropriately grouped with corresponding feedwater control valve switches and the design solution appropriately considers human factors implications for this corrective action.

ACTIONS TO BE COMPLETED BY TED:

TED should ensure that control room operators are thoroughly trained on the design change arrangement and that the labeling conforms to good human factors guidelines as developed in TED's Label and Location Aids Special Study.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.065

TITLE: Unreliable Control Room Display

ITEMS INVOLVED:

Main turbine control valve and stop valve position indications on Turbine Control Panel HIC-2540.

PROBLEM DESCRIPTION:

The indication of the main turbine control and stop valve position in the control room is unreliable. This is a design / maintenance problem associated with the instrumentation sensors in the field which can result in inaccurate control room indication.

SPECIFIC ERROR:

Delay in determining main turbine control and stop valve positions.

ASSESSMENT JUSTIFICATION:

Although this error has occasionally caused a delay in verifying valve closure following a reactor trip, no inappropriate operator actions have occurred as a result. The potential for a misinterpretation does exist, therefore, the error assessment category of this HED is II.

The emergency operating procedure requires the operator to use these indications following a reactor trip to verify that the turbine has tripped to prevent an undesirable overcooling. If the turbine is not properly tripped, the operator is directed to trip SFRCS to isolate the turbine. Confusion in evaluating the position of the valves could lead to an unnecessary manual SFRCS trip or could delay a required trip; although in a condition actually requiring an SFRCS trip, automatic isolation would occur on SFRCS low pressure trip.

This HED is, therefore, associated with non-safety related equipment which can challenge a safety system. The significance category is B-L.

DISPOSITION:

The maintenance history of the position sensors for these valves has been reviewed during the current outage. A preventive maintenance schedule has been established for these sensors on the basis of the failure history.

This action will substantially improve the reliability of these components which previously had no set preventive maintenance requirements. This action closes this HED.

SCHEDULE:

Complete.

SAIC's TECHNICAL EVALUATION

CONCLUSIONS AND STAFF POSITION:

Based upon a review of TED's documentation and the assurance that a preventive maintenance schedule has been established for the instrumentation sensors feeding the main turbine control valve and stop valve indications in the control room, the staff concludes that this HED has been appropriately resolved.

ACTIONS TO BE COMPLETED BY TED:

TED should monitor closely any future unreliable indications displayed in the control room in order to determine if the preventive maintenance schedule is having the desired effect. Since this problem involves action steps in the EOP's which require the operator to use the main turbine control and stop valve indications following a reactor trip, any unreliable indications could cause confusion and delay the control room operator in verifying valve closure and that the turbine has tripped, preventing undesirable overcooling.

SYNOPSIS OF TED's SUBMITTAL

HED NO.: 9.2.00

TITLE: Information Displays Not Available in Control Room

ITEMS INVOLVED:

Integrated Control System (ICS) status indication.

PROBLEM DESCRIPTION:

There is no display in the Control Room to indicate when the Integrated Control System (ICS) is in Track Mode. The ICS Track Mode is an automatic control function which is initiated when automatic control of either the reactor, feedwater/steam generator, or turbine generator can no longer be maintained.

The inability to maintain automatic control may be the result of a wide variety of controller system malfunctions or limitations which places a restriction on the power production capabilities of either the reactor or steam generator/feedwater turbine generator systems. The ICS then forces the entire plant to "track" the power production capability of the limiting system or subsystem. The ICS can, therefore, cause a reduction in power output in response to a control or system upset by automatically reducing reactor power, feedwater flow, or turbine generator output in just a few minutes to reach a new system equilibrium. The lack of an annunciator identifying the Track Mode of operation complicates the operator's response to the power reduction transient. There are indicating lights on the unit load demand station for manual and automatic ICS operation which would both be lit in the case of the ICS being in Track Mode. Therefore, some indication of this condition already exists. A more prominent indication such as an annunciator would be easier to identify in a transient condition.

SPECIFIC ERROR:

Delay in determining ICS status, delay in response to transient.

ASSESSMENT JUSTIFICATION:

Since no prominent indication exists, the potential for not immediately recognizing the Track Mode exists, and the error assessment category is II.

Depending upon the cause of the transient or condition which placed the ICS in Track, the end result of the transient may be a reactor/turbine trip. In some cases, rapid operator intervention may be able to prevent a trip.

Consequently, the inability to quickly determine the Track Mode of operation could possibly contribute to an unnecessary reactor/turbine trip. The significance category is B-L.

DISPOSITION:

The appropriate corrective action for this HED is the addition of an "ICS in Track" annunciator. The specific corrective action for this modification including the location of the annunciator will be developed in conjunction with the Annunciator Special Study.

Although the inability to quickly identify the Track Mode of operation can complicate the operator's response, it would only affect the end result of the transient in certain special circumstances where prompt operator action might prevent a possible reactor trip. Since the Track Mode of operation can be identified using existing indications in a time frame consistent with most needs, and since the Emergency Operating Procedure requires no actions with respect to the ICS Track Mode of operation, the addition of the "ICS in Track" annunciator need not be made prior to restart.

SCHEDULE:

The Annunciator Special Study will commence following restart.

SAIC's TECHNICAL EVALUATION CONCLUSIONS AND STAFF POSITION:

Based upon a review of TED's documentation and EOP utilization, the staff concludes that this HED can be deferred and appropriately considered as part of the Annunciator Special Study to be completed after restart. Since there are indirect indications presently available in the control room which the operators can use to infer the status of ICS in "Track Mode," it is not essential that this safety-significant HED be resolved prior to restart.

ACTIONS TO BE COMPLETED BY TED

TED has committed to install an annunciator status indication entitled, "ICS in Track" as part of the ongoing Annunciator Special Study in order to provide the control room operators with a direct and immediate indication of ICS status. This corrective action is scheduled for implementation during the 5th refueling outage.


APPENDIX E

REFERENCES

Babcock and Wilcox Company, Topical Report BAW-1543, Revision 2, "Integrated Reactor Vessel Material Surveillance Program," May 1985.

--, Topical Report BAW-10003A, Revision 4, "Qualification Testing of Protection System Instrumentation," January 1976.

Line, J. F., B. Nassersharif, and B. E. Boyack, "Rapid-Response Analysis of the Davis-Besse Loss-of-Feedwater Event on June 9, 1985," Los Alamos National Laboratory (LA-UR-85-3083), August 1985.

U.S. Nuclear Regulatory Commission, Generic Letter 82-33, see NUREG-0737, Supplement 1.

--, Generic Letter 83-31, September 19, 1983.

--, NUREG-0136, "Safety Evaluation Report Related to Operation of Davis-Besse Nuclear Power Station Unit 1," December 1976.

--, NUREG-0611, "Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse-Designed Operating Plants," January 1980.

--, NUREG-0612, "Control of Heavy Loads at Nuclear Power Plants," July 1980.

--, NUREG-0635, "Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Combustion Engineering Designed Operating Plants," January 1980.

--, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980; Supplement 1, "Requirements for Emergency Response Capability," January 1983.

--, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis for Nuclear Power Plants--LWR Edition," July 1981 (includes branch technical positions).

--, NUREG-1154, "Loss of Main and Auxiliary Feedwater Event at the Davis-Besse Plant on June 9, 1985," August 1985.

--, NUREG/CR-3384, "VISA - A Computer Code for Predicting the Probability of Reactor Pressure Vessel Failure," September 1983.

--, SECY-82-245, "Requests Commission Approval of Recommendations for Near-Term Actions Related to Protection Against Pressurized Thermal Shock Events," November 23, 1982.

--, SECY-85-129, "Informs Commission About Approval of Maintenance and Surveillance Plan and Reports on Proposed Interaction of NRC and Nuclear Utility Management and Human Resources Committee Within the Program," April 12, 1985.

--, Office of Inspection and Enforcement (IE), Bulletin 85-01, "Steam Binding of Auxiliary Feedwater Pumps," November 29, 1985.

--, Office of Inspection and Enforcement (IE), Inspection Report 50-346/85023, July 29, 1985.


BIBLIOGRAPHIC DATA SHEET

Report number: NUREG-1177

Title and subtitle: Safety Evaluation Report Related to the Restart of Davis-Besse Nuclear Power Station, Unit 1, Following the Event of June 9, 1985

Author(s): Albert W. De Agazio and others

Date report completed: May 1986

Date report issued: June 1986

Performing organization name and mailing address: U.S. Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation, Washington, D.C. 20555

Type of report: Safety Evaluation Report, Final

Supplementary notes: Docket No. 50-346

Abstract:

On June 9, 1985, the Davis-Besse Nuclear Power Station experienced a partial loss of main feedwater while at 90% power. Following a reactor trip, other malfunctions and operator errors led to a total loss of feedwater for a short period. Before operators were able to restore feedwater, both steam generators boiled dry.

This report presents the staff's evaluation of the corrective actions taken by the licensee to prevent recurrence and to improve overall performance of Davis-Besse with respect to safety. The Safety Evaluation supports the restart of the facility.

Keywords/descriptors: Safety Evaluation Report; Operating Reactors; Loss of Feedwater; Davis-Besse Nuclear Power Station

Availability: Unlimited
