ML20211K793

Provides Note as Internal Use Only Div of Fuel Cycle Safety & Safeguards Record of 990805 W Line 2 Roll Compactor Hopper Level Probe Failure & Coordinate Views from Headquarters with Views from Region II
ML20211K793
Person / Time
Issue date: 08/23/1999
From: Damon D
NRC
To: Ting P
NRC
References
NUDOCS 9909080070


Text

August 23, 1999 (Rev. 3)

NOTE TO: Phillip Ting, Chief
Fuel Cycle Operations Branch (FCOB)

VIA: Walter Schwink, Deputy Chief
Fuel Cycle Operations Branch (FCOB)

FROM: Dennis R. Damon and Harry D. Felsher
Licensing and International Safeguards Branch (LIB)

SUBJECT: WESTINGHOUSE LINE 2 ROLL COMPACTOR HOPPER LEVEL FAILURE

This note will serve (1) as the internal use only Division of Fuel Cycle Safety and Safeguards (FCSS) record of the August 5, 1999, Westinghouse Line 2 Roll Compactor Hopper Level Probe Failure and (2) to coordinate the views from Headquarters with the views from Region II.

Summary

This note discusses (1) the facts, timeline, and Westinghouse's response to the incident, (2) the stage-by-stage FCSS evaluation of an assessment of the safety significance of the incident, the risk state of the process, and the safety significance of Westinghouse's response actions, (3) the reportability of the incident under NRC Bulletin 91-01 and/or license (SNM-1107) requirements, and (4) possible items to look at during future inspections and possible future licensing actions.

Facts, Timeline, and Westinghouse's Response

At 10:00 a.m. on Friday, August 6, 1999, FCOB, LIB, and Region II representatives participated in a teleconference with representatives from the Westinghouse Columbia Fuel Fabrication Facility (SNM-1107, Docket 70-1151) regarding an incident in the Westinghouse Line 2 Roll Compactor Hopper. Based on information (1) faxed to FCSS prior to the teleconference, (2) gathered during the teleconference, and (3) faxed to FCSS by letter dated August 16, 1999, the following includes facts, a timeline, and Westinghouse's response to the incident.

On August 5, 1999, at 12:30 a.m. (i.e., in the morning), while making the required start-of-shift checks, which Westinghouse uses as a criticality safety control, the operator noted that material (i.e., dry uranium dioxide (UO2) powder) was not coming out of the granulator, while the granulator and roll compactor were running at the time. The granulator and roll compactor operate at the same time, being manually started with a foot switch. The feed material to the roll compactor was in "automatic" mode at the time, meaning that the level probe was controlling the addition of batches to the roll compactor. Continuing the checks, the operator noticed an unusual accumulation of material in the Line 2 Roll Compactor Hopper. Within a minute of recognizing the unusual accumulation, the operator shut the process down and notified the immediate supervisor. Within minutes, the immediate supervisor contacted the area supervisor.

Within 15 minutes or so and under the area supervisor's authority, the granulator and roll compactor were restarted to remove the accumulation of material in the granulator/roll compactor stackup, which included the roll compactor hopper. No action was taken to restart material flow other than turning the equipment on. The material was removed and placed into favorable geometry polypacks. Approximately seven polypacks were filled. At approximately 18 kg UO2 each, that corresponded to approximately 126 kg UO2 total in the granulator/roll compactor stackup.


P. Ting, 8/5/99 Westinghouse incident

Westinghouse did not know (1) how much of the 126 kg UO2 was in the roll compactor hopper and (2) whether the criticality limit of 106.3 kg UO2 in the roll compactor hopper had been exceeded.

Westinghouse personnel at the scene determined that the level probe on the roll compactor hopper had failed because of a broken connector in the level probe circuit. This type of level probe is not failsafe and does not self-indicate that it has failed. A new connector was installed and the electrical connection for the probe was visually and functionally tested.

At 1:15 a.m., a Westinghouse nuclear criticality safety (NCS) representative was contacted at home and informed of the situation. At 2:30 a.m., the NCS representative arrived onsite and began to study the NCS documentation for the roll compactor hopper. At 3:00 a.m., the NCS representative discussed the incident with the Westinghouse personnel at the scene and developed a plan to approximate how much material had been in the roll compactor hopper when the operator performed the inspection in order to determine whether the 106.3 kg UO2 limit had been passed. Under the direction of NCS, the plan was initiated.

The plan called for up to five batches of material to be added to the hopper, recording the mass of each batch, and keeping a calculated total so that no more than 90-95 kg UO2 would be added. Line 2 was restarted and material was allowed to accumulate in the roll compactor hopper. The level probe interlock worked properly and activated after the addition of the third batch. The electrical connection for the probe was manually deactivated to continue the run to five batches. When the fifth batch was added, the operator stated that that was the condition that existed at the time of the check. The five batches totaled 94.415 kg UO2. The five batches were processed in the roll hood and filled five polypacks. The electrical connection for the probe was reconnected and visually and functionally tested.

Similar level probes were then visually and functionally inspected for Lines 3 and 4, which had been operating at the time of the incident. Similar level probes were visually inspected for Lines 1 and 5, which had not been operating at the time of the incident. Before the teleconference, the Line 1 level probe was visually and functionally inspected and Line 1 was started. Westinghouse confirmed that before Line 5 will be restarted, its level probe will be visually and functionally inspected.

During Thursday, August 5, 1999, Westinghouse held meetings and determined that:

• the incident did not require notification under NRC Bulletin 91-01 or license requirements,

• based on a review by the Incident Review Committee, the incident was not safety-significant,

• a "courtesy call" to NRC Region II and Headquarters would be appropriate,

• after reviewing previous incidents, this incident was not a repeat occurrence, and

• corrective actions would be made.

The reasons that Westinghouse determined that notification to the NRC was not necessary under either Bulletin 91-01 or license requirements were:

• high confidence that there were only five polypacks in the hopper, which the licensee determined would be less than the 106.3 kg UO2 limit,


• the other contingency (i.e., moderator in the hopper) was not affected,

• the "operator detect" control worked to prevent exceeding the criticality limit, providing at least one intact control to prevent the mass contingency, and

• thus, double contingency protection had not been lost.

The corrective actions that Westinghouse determined to be necessary were:

• the roll compactor hopper level probes will be converted to self-checking (i.e., design is in process),

• the junction box for the wiring will be evaluated for changes to reduce the possibility of further occurrences, which was thought to be due to the high vibration environment (i.e., design in process),

• other safety-significant level probes in the plant will be reviewed to determine if converting them to self-checking is appropriate,

• the process control batch counter will be reset from 8 to 5, which will prevent exceeding the mass safety limit and change the batch counter to a safety control,

• a safety control batch counter will be added to Line 5 (i.e., manual feed line),

• the operations inspections will be continued on a twice-a-shift basis and clarifications will be made in procedures, forms, and training, and

• in the long-term, consideration will be given to redesign the roll compactor hopper to be favorable geometry.

Via a "courtesy call," Westinghouse told NRC of the incident shortly before the 10:00 a.m. teleconference on Friday, August 6, 1999. During the teleconference NRC asked several questions that Westinghouse was unable to answer. Westinghouse agreed to provide answers to those questions. The following are several of those questions:

• When was the last operator inspection in the Line 2 Roll Compactor Hopper?

• Was there accumulation of material at the time of the previous operator inspection?

• Why was the accumulated material moved before NCS personnel arrived onsite?

• Because mass control is being used, why wasn't there a posting that would allow the operator or anyone else to quickly determine whether the limit had been exceeded?

• What was the root cause for the accumulation of material?

• Who determined and how was it determined the level probe connector failed?

• Considering that non-self-indicating/non-failsafe level probes are in use throughout the rest of the facility, what will be done about their use in the long-term?

• What was the importance of the Incident Review Committee determining that the incident was not safety-significant?

• Why are NCS safety controls not considered Quality Level B?

• Why was the Emergency Coordinator not called in to make a 4-Hour or 24-Hour notification determination?

• Because there was not a high confidence in the determination that "less than a safe mass of material" had accumulated, why wasn't notification made to the NRC?

In response to a telephone discussion between FCOB and Westinghouse on August 13, 1999, Westinghouse provided additional information regarding the cause of the accumulation of material.

Having the flow from the granulator stop is not an uncommon condition. Feed is by gravity and vibration. The equipment below the roll compactor is favorable geometry and it sometimes impedes the flow of material. A likely cause is that the ribbon of material from the roll compactor folded in such a way that the material flow was temporarily stopped and later resumed from the effect of vibration and the motion of the granulator. In conclusion, the reason why material was not coming out of the granulator cannot be determined with absolute certainty. Also, the failure of the level probe does not seem to be in any way related to the stoppage of flow from the granulator.

Safety Significance of the Incident, Risk State of the Process, and Safety Significance of Response Actions

In general, FCSS agrees that the aggregate actions of Westinghouse were appropriate to ensure safety at the facility and FCSS is glad that Westinghouse did call and discuss the incident within 36 hours.

1. Initial situation upon discovery

It was appropriate that (1) the operator checked the roll compactor hopper, (2) the operator shut the process down, (3) the operator notified immediate supervision, and (4) immediate supervision notified area supervision.

At that time, (1) the safety significance of the incident was unknown, (2) the risk state of the process was high, and (3) the safety significance of the response actions were high.

2. Immediate recovery actions (stop process, unload stack)

It was unclear whether there were adequately safe written procedures covering the movement of UO2 material while unloading the stack. When it is possible that a potential critical mass is involved, and the situation is abnormal, procedures governing movement should explicitly address abnormal conditions. Otherwise, the Emergency Coordinator and/or NCS personnel should have been consulted before taking actions that could affect the reactivity of the configuration, such as moving the SNM. Thus, this incident may have revealed the inadequacy of current written procedures, or the statements governing the applicability of those procedures.

At that time, (1) the safety significance of the incident was unknown, (2) the risk state of the process was high, and (3) the safety significance of the response actions were high.

3. Interim safety situation (now)

It was appropriate that Westinghouse inspect the level probes in similar locations in Lines 1 and 3 through 5. It was appropriate that the inspection be visual only for non-working lines and visual as well as functional for working lines. It was appropriate that the repaired Line 2 level probe be visually and functionally inspected before and after the five batch run.

However, because (1) it was unlikely that the plan that NCS developed for determining whether the criticality safety limit had been reached would provide a positive determination of "less than a safe mass" accumulation within the 4-Hour notification time limit, (2) the plan required the dismantling of the repaired Line 2 level probe, (3) the plan required a subjective evaluation of the amount of accumulation, and (4) the plan was not a documented licensee pre-approved plan, it was not appropriate to use the results of the plan to provide the reason for not reporting the incident to the NRC.

At this time, (1) the safety significance of the incident is low, (2) the risk state of the process is medium, and (3) the safety significance of the response actions are high.

4. After the long-term fix

It was appropriate that Westinghouse (1) review this as well as previous incidents and (2) begin corrective actions. Among the corrective actions, it was appropriate that (1) the roll compactor hopper level probes be converted to self-checking, (2) the junction wiring box be evaluated for changes, (3) other safety-significant level probes be reviewed to determine if they should be made self-checking, (4) the batch counter be changed to a safety control and reset from eight to five batches, (5) a safety control batch counter be added to the manual Line 5, and (6) in the long-term, consideration be given to redesign the roll compactor hopper to be favorable geometry.

However, in addition to these corrective actions, Westinghouse should also investigate increasing the frequency of the operator inspections and make sure there are no common-mode failures based on operator actions.

For this time, (1) the safety significance of the incident is low, (2) the risk state of the process is medium, and (3) the safety significance of the response actions are high.

Reportability of the Incident

NRC Bulletin 91-01 and its Supplement provided guidance to licensees regarding notification criteria for NCS. Westinghouse provided a response that was accepted by FCOB and mostly incorporated into its license (SNM-1107). The relevant reporting requirement in the Westinghouse license, namely subsection 3.7.3(c.5), is clearly ambiguous with respect to this incident. The FCSS interpretation of this criterion is such that the incident should have been reported. Westinghouse's interpretation differs, and based on this differing interpretation they concluded that reporting was not required. An explanation of the differing interpretations of section 3.7.3(c.5) is provided below. Although correct reporting is useful, it is recommended that the response actions focus on corrective actions to the actual controls. The discussion below identifies some of the inadequacies of the controls, because these are also relevant to the reporting criterion.

There are a number of reporting criteria in section 3.7.3 of the Westinghouse license. One criterion relates to whether a 'critical mass was involved'. However, this criterion is only needed to determine whether the report is to be made within 4 hours or 24 hours. The key criterion in question is 3.7.3(c.5):

"Any nuclear criticality safety incident, in an analyzed system, for which less than previously documented double contingency protection remains..."


The primary mass control for the hopper was the level probe. This probe failed, leading to an accumulation of roughly 95 kg UO2. The hopper's safety limit was 106 kg UO2. The backup to the level probe is inspection of the hopper by an operator once every 4 hours. Under these circumstances, failure of this secondary control was not unlikely. Although the operator did perform the inspection, the fact that the accumulation was near (i.e., possibly over) the safety limit means that any delay in this inspection might have led to exceeding the safety limit. The FCSS view is that double contingency protection did not remain because double contingency protection requires two unlikely events and failure of the operator inspection in time to prevent exceeding the safety limit was not unlikely.

However, Westinghouse interprets criterion 3.7.3(c.5) as meaning that if any two documented safety controls remain, then double contingency protection remained. Although this is not the FCSS interpretation of double contingency protection, it is one commonly used. Hence, it is clear that the wording of the license condition is ambiguous with respect to this issue. There is no applicable clarification of this issue in the license nor in NRC endorsed guidance.

It is recommended that, rather than focusing on imposing our interpretation of the reporting criterion, efforts be made to ensure that the mass controls on the hopper in question be upgraded so as to be unlikely to fail. As indicated by Westinghouse, the level probes should be made fail-safe as well as self-checking and the particular failure mode corrected. Additionally, FCSS recommends that the frequency of the operator inspections be increased to assure that the hopper contents do not approach "more than a safe mass." This applies even if the level probe is converted to a fail-safe self-checking design because, as the system fault tree shows, other failure modes for this system are backed up by this same operator inspection.

The reason for this is taken from the principal criticality safety standard, ANSI/ANS 8.1, which states:

"Process specifications shall incorporate margins to protect against uncertainties in process variables and against a limit being accidentally exceeded."

In this case, the margin needed is related to the length of time it takes the hopper to fill from its normal 38 kg UO2 to the safety limit of 106 kg UO2. The operator inspections must occur more frequently than this fill-time in order to provide margin to protect against the "limit being accidentally exceeded".

The Westinghouse license (i.e., 3.7.3(c.2)) also requires reporting of safety controls of Quality Level B. These are controls which prevent loss of human life. Despite the fact that criticality could easily cause loss of human life, Westinghouse does not classify criticality controls as Quality Level B because the failure of only one will not lead to loss of life because they all are part of a redundant system. It is FCSS' view that this classification downgrades the significance of certain criticality controls that are being counted on to be highly reliable. The level probe is one such control. It is recommended that the quality practices and procedures for criticality controls at Westinghouse be inspected to determine if they are adequate to assure that the controls function when needed. In particular, it should be determined whether there is a requirement that all criticality safety active engineered controls be fail-safe or have hardware surveillance to detect failures. Reliance on periodic operator inspection is the weakest form of such surveillance, unless the hardware is under continuous observation by the operator.

Westinghouse's interpretation is that as long as any form of double contingency protection remains (i.e., at least two of the black boxes in the system fault-tree remain) based on any combination of controls cited in the criticality documentation, then double contingency protection remained and that reporting of the loss of the level probe interlock function was not required by Bulletin 91-01 or their license.


FCSS' view is that loss of the level probe interlock function was a loss of a major portion of the double contingency protection for this system, and therefore "less than previously documented double contingency protection remained". Westinghouse's license requires the Emergency Coordinator to be able to make 1-Hour and 4-Hour notifications. There is no clear record that the determination was made before the 4-Hour deadline had passed. The licensee made the determination that the incident did not require notification under Bulletin 91-01 or license requirements in meetings that were held on August 5, 1999, and the licensee still does not know exactly how much mass of special nuclear material was present.

Future Inspection Items and Future Licensing Actions

Possible future inspection items include following up on Westinghouse's corrective actions which were: (1) the roll compactor hopper level probes will be converted to self-checking, (2) the junction wiring box will be evaluated for changes, (3) other safety-significant level probes will be reviewed to determine if they should be made self-checking, (4) the batch counter will be changed to a safety control and reset from eight to five batches, (5) a safety control batch counter will be added to the manual Line 5, and (6) in the long-term, consideration will be given to redesign the roll compactor hopper to be favorable geometry.

In addition, possible other inspection items include an evaluation of (1) the middle-of-the-shift operator check that should have been done before the accumulation of material was noticed, (2) the authorization for the area supervisor to move the accumulated material before NCS personnel arrived onsite, (3) the effectiveness of the posting requirements, (4) the root cause of the accumulation of the material, (5) the method used to determine that the level probe connector had failed, (6) the Incident Review Committee evaluation, (7) NCS controls and Quality Level B systems, (8) the purpose/use of the Emergency Coordinator, (9) the use of conservatism in determining whether notification to the NRC is needed, and (10) surveillance requirements for active-engineered controls classified as safety-significant for criticality control.

Possible future licensing actions include (1) reviewing the Bulletin 91-01 commitments made by Westinghouse and the other licensees, (2) using the results of the Westinghouse inspection to amend appropriate sections of the license, (3) working with the Criticality Safety Committee to clarify the Bulletin 91-01 reporting criteria and appropriate Westinghouse and other licensee license commitments.

Conclusion

Considering that (1) Westinghouse has taken appropriate action to address the safety issues, (2) Westinghouse did actually inform the NRC, albeit not within 24 hours, and (3) the wording of the reporting criteria in the license is ambiguous, Westinghouse's reporting actions were sufficient such that no further action need be taken by NRC.

However, (1) there are still some unanswered questions that Westinghouse needs to provide in written form to FCSS regarding the facts, timeline, and Westinghouse's responses and (2) using the information available at the time, Westinghouse should have made a conservative assessment of the mass of the material and reported the incident to the NRC under both Bulletin 91-01 and license requirements.

The incident has pointed out the lack of clarity in this, and likely other, Bulletin 91-01 related reporting criteria. Thus, possible action, such as a staff guidance document, should be developed using the Criticality Safety Committee.

cc: Dennis Morey