NUREG/CR-5500, Discusses Issuance of Final Rept, Reliability Study Auxiliary Emergency Feedwater System 1987-1995, (NUREG/CR-5500,Vol 1).Summary of Comment Resolutions Encl

From kanterella
(Redirected from NUREG/CR-5500)
Jump to navigation Jump to search
Discusses Issuance of Final Rept, Reliability Study Auxiliary Emergency Feedwater System 1987-1995, (NUREG/CR-5500,Vol 1).Summary of Comment Resolutions Encl
ML20237D586
Person / Time
Issue date: 07/29/1998
From: Rossi C
NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
To: Gillespie F, Holahan G, Lainas G
NRC (Affiliation Not Assigned)
References
RTR-NUREG-CR-5500 NUDOCS 9808270016
Download: ML20237D586 (10)
v  d  e


Text

,. . - - - - -_ .

pg7z l

[

  • J* *%g -

p" lt UNITED STATES g ,j NUCLEAR fiEGULATORY COMMISSION E n l o WASHINGTON. 0.C. 206664xs01 1 8 r ~

%,****+p July 29, 1998l M 3 50 u 7 l

PUSMC 000m ii . l MEMORANDUM TO: Frank P. Gillespie, Director, DISP:NRR l

Gery M. Holahan. Director, DSSA:NRR '

Gus C. Lainas, Acting Director, DE:NRR Jack W. Roe, Acting Director, DRPM:NRR R. Lee Spessard, Director, DRCH:NRR l j

Lawrence C. Shao, Director, DET:RES l Thomas L. King, Director, DST:RES John W. Craig, Director, DRA:RES James T. Wiggins, Director, DRS:RGN-1 Charles W. Hehl, Director, DRP:RGN-l '

Bruce S. Mallett, Director, DRS:RGN-il Loren R. Plisco, Director, DRP:RGN-il John A. Grobe, Director, DRS:RGN-Ill Geoffrey E. Grant, Director, DRP:RGN-Ill Arthur T. Howell, Director, DRS:RGN-IV Thomas P. Gwynn, Director, DRP:RGN-IV FROM: Charles E. Rossi, Direct h Safety Programs Division Office for Analysis and Evaluation of Operational Data

SUBJECT:

ISSUANCE OF FINAL REPORT," RELIABILITY STUDY-AUXILIARY / EMERGENCY FEEDWATER SYSTEM: 1987-1995,"

(NUREGICR-5500, VOLUME 1)

The final report,

  • Reliability Study-Auxiliary / Emergency Feedwater System: 1987-1995,"

(NUREG/CR-5500, Volume 1), has been completed and will be distributed to you by NRC Publications. The report is the sixth in a series that presents the results of system reliability studies which focus on using operational data to determ'ae the reliability of risk significant systems in U.S. commercial nuclear reactors. The report provides an estimate of auxiliary / emergency feedwater (AFW) system reliability based on actual demands from operating experience during 1987-1995, as reported in licensee event reports (LERs). The report also provides an evaluation of the most significant trends; includes a comparison of AFW cystem reliability derived from this operating experience and the AFW unreliability estimates obtained kom the failure data published in Probabiymt!c Risk Assessments (PRAs) and Individual Plant Evaluations (IPEs); and includes insights from an engineering analysis of the l/

operating experience data. Earlier drafts of this report were provided to the Office of Nuclear Reactor Regulation (NRR), the Office of Nuclear Regulatory Recearch (RES), the regions, and l

N <p o CONTACTS: Steve Mays, SPD, AEOD (415-7496)

Dale Rasmuson, SPD, AEOD (415-7571)

(; '

y

" "A\

4Q 9808270016 980729 -

PDR NUREG  % , ,}

CR-5500 C PDR , .Q D~ " l' - c -~

7-L-- - - - _ - _ _ _ - - _

j Multiple Addressees 2 industry organizations for peer review and comment. The summary of comment resolutions is attached.

The findings, conclusions, and information contained in this and similar system reliability studies can be used to support several risk-informed regulatory activities. The reports identify the dominant contributors to system unreliability and provide a link to the detailed information about these contributors that is contained in the relevant LERs. This information could be used to enhance the focus of inspections on risk-important system performance, and rebted design and operational characteristics.

A number of comments from intemal reviews indicated a difficulty in obtaining qualitative j insights and related detailed information from the reports, especially for inspection-related (

activities. To help the staff to better identify and relate this detailed information to various risk- 1 important regulatory applications, we have provided a forward to the report that provides ditections to the relevant quantitative and qualitative information contained in the report. The forward also indicates the appropriate type of engineering review of this information for application on a plant-specific basis, it should be recognized that this report is not a handbook.

It is a source of information that could be used to focus both generic and plant-specific risk-informed activities involving the AFW system. We have also provided additional guidance for specific applications in the attachment containing our responses to the review comments.

Cognizant AEOD staff will be available to consult with users of these reoorts,  ;

i Notable observations and findings of the study include the following:

1 e Based on the 1987-1995 experience data, there were no failures of the entire system l Identified in 1,117 unplanned system demands.

e The operational unreliability of the AFW system calculated by arithmetically averaging l the results of 72 plant-specific models is 3.4 x 104 Individual results vary over two l orders of magnitude, from 1.5 x 104 to 6.2 x 10d. The variability in AFW system unreliability reflects the diversity found in AFW system designs and variation in '

equipment performance among plants with similar designs.

  • No trends were identified in the AFW system unreliability when plotted against calendar year or low-power licenec date. The unplanned demand frequerry exhibited a statistically significant decreasing trend when plotted against calendar year, and an increasing trend when plotted against low-power license datts.

e The AFW desigt.s composed only of turbine-driven pumps were less reliable, while AFW designs comprising three redundant trains of diverse design (e.g., two motor-driven pumps and one turbine-driven pump) were more reliable. The benefit of additional  ;

i trains of redundancy to AFW system reliability is offset by the effects of common cause

! failures. Although the AFW designs corisisting solely of turbinedriven pumps tend to be less reliaok in routine operations, only turt;ne-driven pumps would be available during station blackout situations since they do not rely on ac power.

I E_

r .

Multiple Addressees 3

. e . Generally, the unreliabilities of the turbine-driven pump trains were a factor of 10 greater than the unreliabilities of the motor-driven pump trains ard a factor of 4 greater than the unreliabilities of the diesel-dri_ven trains. While plant-te-plant variation was detected within the motor-driven and turbine-driven pump train unreliabilities, the size of the variation was small-a factor of two for the turbine driven pump train unreliabilities and a i factor of 3 for the motor-driven pump train unreliabilities. f e Most of the turbine-driven pump failures during unplanned demands were failures to ,

start, resulting from turbine overspeed trips. These trips were caused by worn, loose, or  !

E mis-aligned trip linkages; water accumulation in the supply lines; and contaminated i l ' govemor hydraulic oil. These overspeed trips were primarily mechanical overspeed l trips that could not be reset in the control room. As a result, approximately half of the overspeed trips were not immediately recoverable.

  • The loss of suction source was a dominant contributor to system failure for many of the AFW design classes. This failure mode, though rare, is important because it disables the designed redundancy of the AFW system and is usually discounted or.not modeled in PRAs. There was one failure of a suction source during the 1,117 unplanned system demands observed in the 1987-1995 operating experience. This failure occurred during an automatic start of two motor-driven pumps in which suction pressure was insufficient for pump operation, and consequently caused an automatic shift to the service water pond which is the backup suction source for the AFW system. The low suction pressure condition was a result of operating with the AFW condensate storage tank isolated, and l not maintaining adequate level in the upper surge tank. Even though AFW pump

! suction shifted to the backup source, the service water system was fouled with clams l and sludge which caused the AFW flow control valves to the steam generators to clog, l thereby significantly reducing flow to two of the four steam pnerators. This event was identified as a precursor by the Accident Sequence Procursos (ASP) Program and had a conditional core damage probability of 2.7 x 10d. j Although outside the time frame for the reliability calculation in this report, another loss I of suction source event occurred at Catawba Unit 1 in May 1998, The temperature of the water in the upper surge tanks (primary suction source for the AFW r.ystem)was above the maximum AFW system design temperature. An improper controller setpoint  ;

on the condensate booster pump recirculation valve had resulted in diverting high temperature condensate to the upper surge tanks during an earlier evolution. The high ,

suction source temperature may have resulted in the cavitation of the AFW pumps, had l j

l they been demanded. The risk significance of this event is currently being evaluated by i

the ASP Program.

I e The AFW system unreliability estimate based on 1987-1995 operating experience is about a factor of six greater than the average of the PRA/IPE values. The difference between the two estimates is primarily attributable to the probabilities associated with failure of the primary AFW system water source (e.g., condensate storage tank suction path), and the AFW turbine-driven pump failure to run. The failure of the primary AFW system water source generally was not considered as being probabilististically important

0 ..

9 '

- 5 Multiple Addressees 4 I

in most PRA/IPEs. The differences in the turbine-driven pump failure to run estimates j are most likely due to the limited long run time data in the operating experience and the '

use of optimistic failure rate estimates in the IPEs. Long run times (8 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) that are associated with typical accident sequences modeled in PRA/IPEs were infrequently observed in the 1987-1995 operating experience. The majority of the run times

. associated with the unplanned demands tended to be of much shorter duration. Due to ,

the limitations of the long run time data, no meaningful time dependence analysis of the failure rates could be performed. Therefore, failure probabilities based on extrapolation of limited data for short run times may overstate the failure to run contribution to the longer PRA accident scenarios.

The IPE estimates for failure to run are factors of 6 to 215 lower for the turbine-driven pump than the 1987-1995 experience estimates. The plant-specific failure data did not support the highly optimistic generic failure rates being used in some of the IPEs.

e Estimates of AFW unreliability have been used in past regulatory reviews and rulemaking that addressed the design and operation of the AFW system, in particular 1 the Standard Review Plan (NUREG-0800), Station Blackout (NUREG-1032), and i Anticipated Transients Without Scram (SECY-83-293). The estimates provided in these documents were compared with the estimates presented in this report, based on the  ;

1987-1995 operating experience. These comparisons demonstrated that the operating- l' experience-based estimates are similar to or slightly better than those used in the regulatory app;ications, with the exception of five plants with estimates greater than the 4 upper acceptable range (1 x 104) specified in the Standard Review Plan. The high AFW unreliabilities for these plants were driven by the higher failure to start probabilities of a the turbine-driven pump train.

These findings are discussed in more detail in the report. Graphical and tabular displays, along with specific discussions, are included. Specific failures and failure mechanisms are identified and characterized.

USE OF STUDY RESULTS TO IMPROVE RISK-INFORMED REGULATORY ACTMTIES:

Based on these findings and conclusions, the following can be used to improve risk-informed regulatory activities-e inspectors should be made aware of the major contributors to AFW system unreliability so that plant activities which could adversely impact system reliability can receive relatively higher attention in AFW system inspections. Inspections of AFW systems

! should be focused on plant activities which could adversely impact the suction source segments (especially for those AFW designs that have a common suction path and j share water sources), the ability of turbine-driven AFW pumps to start, and the means of L recovering from an overspeed condition (especially for those plants with heavy reliance on turbine-driven pumps).

.. 1

,. {

l Multiple Addressees 5 l

In addition, inspectors should be aware of conditions and equipment performance that could affect pump running reliability, especially factors related to longer run times. The limited run time data from the operating experience showed that the pump train failure to run events are mostly complete failures and are not easily recoverable. In light of this limited experience, inspectors should review past plant experience to identify failure to run events during surveillance tests and hot shutdown operations that could be indicative of relatively high running failure rates. Since single train failures are not reportat,le in LERs, this review of plant experience will help indicate whether failure to run is a significant contribution to AFW system unreliability.

  • NRR.phould examine proposed license amendments where the potentialimpact of the AFW failure to run probability or suction source failures can have a significant impact on tne results and conclusions of risk-informed analyses. This is an area where the evaluation of the operating experience indicates some weaknesses in IPEs.

Examination of data sources for failure to run estimates and their applicability to the particular application should be part of the regulatory review when this issue could be important.

Further examination is required to understand the differences between failure to run estimates for long term accident sequeness and those extrapolated from the limited operating experience.

AEOD will pursue acquisition of appropriate failure to run data from LERs and industry sources such as the industry's Equipment Performance Information and Exchange (EPIX) system. This information will be included in the NRC reliability database presently under development.

AEOD will use this data in future updates to AFW system reliability evaluations to better assess the relationship between PRAllPEs and operating experience.

Attachment:

Resolution of Comments on Draft Report Auxiliary / Emergency Feedwater Reliability: 1987-1995.

cc w/att.:

A.P. Drake, Westinghouse Owners Group Distribution.w/att. See attached list DOCUMENT NAME: H:\ DON \N-AFW3.WPD

  • See previous concurrence To r.c.w. . copy a ini. ooc-,v. iec.t. in in. t or c copy witnoot .it.cu.g e . copy wiin .ei.cu.nci u no copy OFFICE RRAB l E RRAB E RRAB l E [RRAB 6 sod g l NAME DMarksberry DRasmuson SMays PBaranowsky CRosqM/)[

DATE 07/22/98* 07/22/98* 07/22/96" 07/22/9B* 7 / M/98

.4 -

Multiple Addressees 6

- Distribution w/att; Public 1 JStolz, NRR EHackett, RES TShediosky, RI File Center ' JTappert, NRR- FCoffman,RES - WRogers, Ril

SPD R/F BSheron, NRR REmrit, RES RBembard, Ril l RRAB R/F JCalvo, NRR TOMartin, RES SBurgess, Rill WTravers, EDO' RWessman, NRR MCunningham, RES MParker, Rlli .

TTMartin GParry, NRR ' MDrouin, RES JShackelford, RIV l

- FCongel- RGallo, NRR ARubin, RES WJones, RIV KRaglin SBlack, NRR HVanderMolen, RES DAllison i JRosenthat LMarsh, NRR - JFlack, RES . BBrady

- DHickman - RBarrett, NRR RMeyer, RES HHamzehee

- -SCollins, NRR MRubin, NRR NSiu, RES . MHarper .

BBoger, NRR . AEl-Bassioni, NRR JMitchell, OEDO PO'Reilly. i WBeckner, NRR .TCollins, NRR JLarkins, ACRS DRasmuson

'JZwolinski NRR AThadani, RES . DCoe, NRR SWeerakkody j EAdensam, NRR BMorris, RES JTrapp, RI TWolf PWilson, NRR DYeilding j j -..

i f

i

RESOLUTION OF COMMENTS ON DRAFT REPORT AUXILIARY / EMERGENCY FEEDWATER SYSTEM RELIABILITY: 1987-1995 Summaries of the comments received on the draft report titled, " Auxiliary / Emergency Feedwater System Reliability: 1987-1995," December 1997, along with their associated resolutions follow. The final version of the report incorporates these resolutions.

1. Comment (from Region IV): The study goes into considerable detail regarding the statistical treatment and analysis methods, which were used to analyze the data, but very little information is provided as to the qualitative insights which might be available from the data reduction. This study concludes that hardware failures are the dominant cause for auxiliary feedwater system (AFW) unreliability over the past several years; however, the study does not provide appreciable information as to the specific components or .

failure modes which are involved. These types of insights would be particularly valuable from an inspection perspective in that they would allow regional and resident inspectors to focus their activities on the most susceptible components and human actions.

Comment (from NRR): ' Dominant failure mechanisms may not be broken down to the level of detail useful for inspectors.

Resolution: A forward was added to the report to guide the staff on where to find the quantitative and qualitative information in support of risk-informed regulatory activities.

Speafically, the report provides the causal factors of hardware failures that have a dominant impact on AFW system reliability at a plant or at a similar plant. The information j presented in the report can be used to identify the failure events of interest. The licensee ,

event reports (LERs) associated with the events of interest provide the details of the speafic causes of the AFW system failure that are applicable at a specific plant. Various sections in the main body of the report provide discussion of the dominant contributors to AFW system unreliability. Section 3.2.5 identifies those plants with higher than average AFW unreliability within each AFW design class and provides the factor (s) (e.g., plant-specific failure data, variations of AFW system design within a design class) that contributed to the within design class difference. Section 4.2 provides a detailed discussion of the causes of failure of the dominant contributors to the reliability of AFW system segments (i.e., suction, pump, feed). Section 4.3 provides a review of the

. dominant failures that contributed to the operational reliability for each of the 11 AFW design classes. Table B-2 provides a summary of all failure events (test and unplanned demands) including affected segment, cause of failure, method of detection, and failure mode. Table C-1 provides a summary description of the failure events used to estimate AFW system unreliability. AEOD will work with NRR and the regional senior reactor analysts (SRA) to assist in using the report information and improve the format of presentation of this information in future reports.

I 2. Comment (from RES): The report would be more useful in a general sense if it contained (a) detailed root cause analysis of AFW unreliability events and (b) recommendations for

[ improving system reliability. (c) It would be useful if equipment failure data were grouped I

according to age of equipment rend plant.

1 Attachment

A f.- .' .

(

Resolution: (a) Section 4.2 provides a detailed discussion of the failure events, including root causes, that have a dominant contribution to the AFW unreliability. Section 4.2.1 provides insights into the failures that disabled the AFW system. Sections 4.2.2 and 4.2.3 discuss the causes for turbine-driven pump failures and motor-driven pump failures, respectively. The factors affecting feed-control segment reliability are presented in Section 4.2.4. Table B-2 provides a summary of all failure events from test and unplanned demands and provides a cross-reference to the associated LER. Failure events associated with the dominant contributors are discussed in Section 4.2 by affected segment and failure mode. These events can be identified in Table B-2 by using the columns labeled "affected segment" and " failure mode." A more detailed review of the root causes for events applicable at a specific plant can be found in the relevant LERs.

(b) This report does not provide a basis for recommending improvements to AFW

' reliability. However, improvements in the reliability of any risk-important system can be made by reducing the occurrence of the dominant contributors to the system unreliability.

inspections of AFW systems could be focused on plant activities which could adversely l- impact the reliability of suction source segments (especially for those AFW designs that -

have a common suction path and share water sources), and the reliability of turbine-driven AFW pumps (especially for those plants with heavy reliance on turbine-driven pumps). The potential impact of license changes where the probability of a major contributor to AFW unreliability can have a significant impact on the regulatory evaluation can be examined more closely. A forward was added to the report to guide the staff on where to find quantitative and qualitative information that could be used in risk-informed regulatory activities.

(c) Section 4.1 provides the results of the effect of plant age on AFW performance. As shown in Figure 20, the frequency of motor-driven pump segment failures versus low-power license date shows a statistically significant decreasing trend for the newer plants.

As discussed in Section 4.1.2, only five hardware-related failures could be attributed to age-related failures. Table C.1 provides a biief discussion of these events. The turbine-driven pump and feed segments did not have statistically sign?icant trends. The i

remaining segments (i.e., suction, diesel-driven pump) had too few failure events to detect a trend. The operating experience did not identify a significant reliability concem  !

related to plant aging. Moreover, information on the age of specific components was not l available from the LERs.

3. Comment (from Region IV): -The study's reliance on 10 CFR 50.73 reports for 1 assessment of AFW unreliability resulted in failures during surveillance testing not being consistently identified. A discussion of any operational unreliability sensitiity analysis that was performed would be beneficial in understanding the effect of not including these test failures.

Resolution: Plants are not required to report single train inoperabilities of multi-train systems including surveillance test failures unless the malfunction resulted in a train outage time in excess of Technical Specification allowable outage times, or resulted in a '

unit shutdown required by Technical Specifications. Thus, reporting of surveillance test i failurus is inconsistent at best. However, for engineered safety feature (ESF) actuations, 2

m ______________.______._.._-m__.__ . _ . _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ - _ _ ._ _ _ . . _ _ . . _ _ . _ _ _ . . . . _ _ .__._ _m_.___

f.* * .

all component failures that occt:rred as part of or in conjunction with the ESF actuation ,

were assumed to be described in the narrative of the LER as required by 10 CFR 50.73(b)(2)(ii). Because all ESF actuations are reportable under 10 CFR 50.73(a)(2)(iv),

the failures listed in an LER describing an ESF actuation are assumed to be complete.

Therefore, only reportable ESF actuations and associated failures can be used to make an unbiased estimate of system reliability. The amount of data obtained for the unplanned AFW demands (over 1000)is adequate to provide a reasonable degree of confidence in the results and conclusions presented in the report. Additional discussion  !

of data parsing can be found in Section A-2 in the appendix of the report.

4. Comment (from Region 1): The AFW failure event in LER 498-93-007 may be a failure 4 event not included in the unreliability analysis.

Resolution: This event was included in Table B-2 as a test failure. This failure did not occur during an unplanned demand and was not included in the calculation of reliability.

(See comment 3)

5. Comment (Westinghouse Owner's Group): Currently, only Alpha Factor methodology parameters for common cause failures (CCF) are estimated and provided in the report.

This rnethod is rarely used by the probabilistic risk assessment (PRA) practitioners in the utilities. The most commonly used method is the multiple Greek letter (MGL) method.

The parameters of the MGL method should also be estimated and provided.

Comment (Westinghouse Owner's Group): The AFW operational data compiled and presented in Appendix B may be used by a utility to estimate generic AFW component / train failure rates, which may then be Bayesian-updated with plant-specific data. In that case, the plant-specific data that may already have been included in the  :

generic database needs to be removed from the database to avoid double counting. To help this process of data analysis, it may be useful to give some guidance as to how to proceed with such data analysis, with a specific example.

Resolution: The Alpha Factor methodology had been the standard used in past AEOD reliability studies to estimate CCF parameters. NUREG/CR-6268," Common-Cause Failure Database and Analysis System," provides guidance for mapping Alpha Factor parameters into MGL parameters. This document and the related AEOD CCF database will be distributed to utilities in July 1998. The database and accompanying software provide methods for identifying CCF events, a collection of events from industry failure data, and a computerized system for quantifying probabilistic risk assessment parameters and uncertainties (including the MGL parameter). This database will support utility-specific analysis with plant-specific data. AEOD will also include MGL parameter estimates in future system reliability reports.

6. Comment (from NRR): The results of AFW system reliability are presented in Table 7 for l the different AFW design classes. It may be helpful to discuss the frame within which l- these results are applicable. For example, the results in Table 7 would not apply to f station blackout conditions.

3 l

,_ :- w .

l Resolution: We agree that the results in Table 7 would not apply to station blackout conditions. The results in the table present operational unreliability calculated from the 1

1987-1995 operating experience. A comparison of the turbine-driven train estimates used in the Station Blackout Ruie to the turbine-driven train unrecovered failure probability ,

estimated from the 1987-1995 experience can be found in Table 12 (Section 3.6.2).  !

7. Comment (from NRR): The study found that the injection headers downstream of the pumps and vatves for. directing and controlling flow to al steam generator have about a 50% non-recovery probability (Table 2). This non-recovery probability may be as l significant as failure to recover a motor-driven or a turbine-driven train which is in l maintenance. An expanded discussion of the types of failures observed in injection j headers would provide additional useful insights. ,

Resolution: Appendix C provides a description of all observed failure events in tile injection headers found in the 1987-1995 operating experience. Injection header failures i were found not to be a dominant contributor !c AFW system unreliability. Therefore, the l report did not provide a detailed discussion of this failure mode, including recovery.

8. Minor editorial and clarification comments were received from Region 1 and NRR. These comments were incorporated in the final report.

l 4

L_ _ _ _ _ _ _ _

Retrieved from "https://kanterella.com/w/index.php?title=NUREG/CR-5500,_Discusses_Issuance_of_Final_Rept,_Reliability_Study_Auxiliary_Emergency_Feedwater_System_1987-1995,_(NUREG/CR-5500,Vol_1).Summary_of_Comment_Resolutions_Encl&oldid=3381882"