Latest revision as of 14:42, 6 December 2021

Text

Report of the Independent AD HOC Group for the DAVIS-BESSE Incident
	ML20206C812
Person / Time
Site:	Davis Besse
Issue date:	06/30/1986
From:	; NRC - TEAM ON DAVIS-BESSE EVENT
To:	;
References
	NUREG-1201, NUDOCS 8606190571
	Download: ML20206C812 (65)
	v • d • e

- - - - - - _ - - - - - -- - - - - -

NUREG-1201 Report of the

! Indeaendent Ad Hoc Group for t1e Davis-Besse Incident i 1

i l

.I

\

U.S. Nuclear Regulatory -'

' Commission

,f* * **'%

1 C' *\ a 1

e.,

.:a 1 9

0*...** $

' 5

) .'

l 4 '

I t

8606190571 860630 PDR P

ADOCK 05000346 ll PDR i

h' l :

p

*? v---W F-** * ' ' ~ - " ' ' ~-""^"#

NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited in N RC publications will be available from one of the following sources: :

I

1. The NRC Public Document Room,1717 H Street, N.W. !

Washington, DC 20555 i

2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box '47082 Washington, DC 20013 7082

3. The National Technical Information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive. ,

l Referenced documents available for inspect i on and copying for a fee from the NRC Public Docu-ment Room include NRC corresponder":e and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers;and applicant and )

licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission, i Documents available from public and special technical libraries inciude all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and trenslations,and non NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draf t reports are available free, to the extent of supply, upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Com-mission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards institute,1430 Broadway, New York, NY 10018.

I l

I

NUREG-1201 Reaort of the inceaendent Ad Hoc Group 1

for t7e Davis-Besse Incident l,

Manuscript Completed: May 1986 Date Published: June 1986

) U.S. Nuclear Regulatory Commission

Washington, D.C. 20555

,s. *,,,

S I

i l

1 4

i

. _ _ _ _ . _ _ . _ _ _ _ . - - - - - - - - . - - . _ _ - - - - - - - - - - - - - - - - - - - - - - - - - - - - ~ - - -

ABSTRACT The Nuclear Regulatory Commission established an independent Ad Hoc Group in January 1986 to review issues subsequent to a complete loss of feedwater event at Davis-Besse Nuclear Power Station on June 9, 1985, including the NRC Incident Investigation Team (!!T) investigation of that event. The Commission asked the Group to identify additional lessons that might be learned and from these to make recommendations to improve NRC oversight of reactor licensees. To fulfill its charter, the Ad Hoc Group examined the following:

pre-event interactions between the licensee and NRC con-(1) cerning reliability of the auxiliary feedwater system and associated systems; (2) pre event probabilistic assessnents of the reliability of plant safety systems, NRC's review of them, and their use in regulatory decisionmaking; (3) li-censee m'anagement, operation and maintenance programs as they may have contributed to equipment failures and NRC oversight of such programs; and (4) the mandate, capabili-ties of members, operation, and results of the NRC Davis-Besse !!T,sand regula tory ta f f,the use to which its report was put by the ,

i i

111 i

t

, _ _ _ _ _ . . , .--- - - - - ' - - ' " ~^ ^ ~ ^ ~ ~ ~ ' _ __ _ __ .- - - - - -

-m CONTENTS Page Abstract .......................................... ... iii Davis-Besse Independent Ad Hoc Group .................. vii Acknowledgments ....................................... viii Acronyms .............................................. ix 1

EXECUTIVE

SUMMARY

................................. 1 i

Background ........................................ I Ad Hoc Group Mandate and Methodology .............. 1 Davis-Besse Regulatory History .................... 3 Ad Hoc Group Conclusions and Recommendations ...... 3

1. i Pre-event Interaction Between Toledo Edison and NRC Concerning the Auxiliar F e e dwa t e r Sy s tem . . . . . . . . . . . . . . . . . . . . .y..... 4

2. Davis-Besse Reliability Assessments ....... 5

3. Contributions of Toiedo Edison's Manage-ment, Operation, and Maintenance Programs 1 to Equipment Failures ..................... 6 4

NRC incident Inves tiga t ion Program . . . . . . . . 7 2

INTRODUCTION ...................................... 9 3

PRE-EVENT INTERACTION BETWEEN TOLEDO EDIS0N AND NRC CONCERNING THE AUXILIARY FEEDWATER SYSTEM 11 .....

i l

Regulatory Process - Pre-event .................... 11 iv

, 1 l

l. l l

i

_ _ _ _ _ _ , _ . _ _ _ - - - - - - - - - - ~ - - - ~ ~ - ~ ~ ~ ~ ~ ~ ~' ~ "~ ~ '~~

3.

Page '

I f

i Licensing Actions for the Davis-Besse Auxiliary Feedwater System and Associated Systems ........... 12 Advisory Committee on Reactor Safeguards (ACRS)

Review ............................................ 21 Conclusions ....................................... 21 Recommendations ................................... 22 4

OAVIS-BESSE RELIABILITY ASSESSMENTS ............... 23 Pre-event AFWS Probabilistic Reliabilit

...........................y Assessments ............ 23 Toledo Edison AFWS Reliability Analysis (EDS Nuclear, Inc.) ........................... 24 Brookhaven Review of EDS Analysis ............. 24 Toledo Edison AFWS Reliability Analysis (Impell Corp.) ................................

. 25 Ad Hoc Group Review of Da Analyses ................vis-Besse Reliability

.......................... 25 Use of Reliability Probabilistic Anal Regula tory Decisionma king . . . . . . . . . . ..............

.ysis in 28 Additional Qualitative Reliability Techniquet, .

for Regulatory Decisionmaking .............. ...... 28 Conclusions ....................................... 29 Recommendations ................................... 30 5

CONTRIBUTION OF TOLEDO EDISON'S MANAGEMENT, OPERATION, AND MAINTENANCE PROGRAMS TO EQUIPitENT FAILURES .......................................... 31 The Toledo Edison Nuclear Program ................. 31 v

s l l

7 7-M The Davis-Besse Maintenance Progran ............... 32 The Davis-Besse Qua li ty As su rance Program . . . . . . . . . 33 Davis-Besse Plant and Safety Performance .......... 34 Organization for Nuclear Management ............... 37 Regulatory Oversight .............................. 38 Impact of Regulatory Oversight .................... 39 Conclusions ............. ....................... 43 Recommendations ................................... 44 6

NRC INCIDENT INVESTI0ATION PROGRAM ................ 45 Background for the Incident P ro g r a m . . . . . . . . . . . . . . . . . . . '. .I n v e s t i g a t i o n

...................... 45 Mandate and Instructions for Incident Investigation Teams (!!Ts) ........................ 45 Capabilities of IIT Members ....................... 46

!!T Operational Procedures ........................ 47 Use of the Davis-Besse IIT Report by the NRC Staff ............................................. 49 Follow-on Incident Investigation Team Reviews ..... 49 Conclusions ....................................... 50 Recommendations ................................... 50 vi t

,,-__,-,-.g-e--T-*^~T " , _ , , , _ , , - - - -

e - ^ ~ ~ ~ ' ' '

l t

i i i DAVIS-BESSE INDEPENDENT AD H0C GROUP James P. Glea son , Cha i rman , Administra tive Judge ,

Atomic Safety and Licensing Board Panel, ,1 Nuclear Regulatory Commission Joseph F. Levine, Chief, Reliability Division, Directorate of Safety, Reliability, and Quality Assurance, Johnson Space Flight Center, National Aeronautics and Space Administration Peter A. Morris, Ph.D., Admini rati.e Judge.

Atomic Safety h dL censing Board Panel, Nuclear Regulata j Jommission Dennis K. Rathbun, Deputy Director, Office of Policy Evaluation, Nuclear Regulatory Commission H. Guice Tinsley, Technical Progran Officer, Federal Aviation Administration l

l l

i vii

t

/ ,

7 ACKNOWLEDGMENTS The Davis-Besse Ad Hoc Group wishes to extend'the 'r appreciation for the excellent support provided by'the NRC Staff relative to the background of events at Davis-Besse.

The Group extends its thanks for their valuable cooperation and infcrmation to officers of the Toledo Edison Ccmpany and to officials and executives of other industry and utility '

organizations.

We also wish to acknowledge our appreciation to members of the Atomic Safety and Licensing Board Panel for their <

valuable service as a peer review group: .y Jerry Harbour, Ph.D. , Administrative Judge Jerry R. Kline, Ph.D. , Administra tive Judge Morton B. Margulies, Administrative Law Judge i Ivan W. Smith, Chief Administrative Law Judge '

In addition, we wish to acknowledge the excellent support given to the Ad Hoc Group by the NRC Atomic Safety and l

. Licensing Board Panel staff with respect to their excellent i administrative, technical, and secretarial assistance. In l particular, we commend the dedicated efforts provided by the '

Group's Executive Assistant, Mr. Charles J. Fitti.

l

, viii ,

$F

/

v

~

J~

"N i l I l ACRONYMS 5 i e

ACRS Advisory Committee on Reactor Safeguards ,

j (NRC) :

AE0D Office for Analysis and Evaluation of f Operational Data (NRC) 5.

AFWS Auxiliary Feedwater System ASB Auxiliary Systems Branch (NRC) ;

B&N Babcock & Wilcox t' BNL Brookhaven National Laboratory t l B0P Balance of Plant i '

i CAPC0 Central Area Power Coordination Group :

CE Combustior Engineering ( !

CEO Chief Executive Officer i 1 CNRB Company Nuclear Review Board 5 l CRGR Committee for Review of Generic !

Requirements (NRC) '

DVR Deviation Report

~

ED0 Executive Director of Operations (NRC) .

EFIC Emergency Feedwater Initiation & Control EPRI Electrical Power Research Institute ,

FMEA Failure Modes and Effects Analysis i FSAR Final Safety Analysis Report ;

1 I&E Office of Inspection & Enforcement (NRC) ,

ICS Integrated Control System IIP Incident Investigation Program (NRC)

IIT Incident Investigation Team (NRC)

INP0 Institute of Nuclear Power Operations j

Licensee Event Report LER i ,

? ,

MFWS Main Feedwater System NMSS Nuclear Material Safety & Safeguards (NRC)

NRC Nuclear Regulatory Commission '

i NRR Office of Nuclear Reactor Reoulation (NRC) -

)

i i

b ix i s

1 NSAC Nuclear Safety Analysis Center NSSS Nuclear Steam System Supplier :

NUMARC Nuclear Utility Management and Resource [-

Conrittee NUREG Muclear Regulatory Commission Report OIA Office of Inspector and Auditor (NRC) :

PAT Performance Appraisal Tean (NRC)

PORY Pilot Operated Relief Valve PRA Probabilistic Risk Assessment PSA Probabilistic Safety Assessment PWR Pressurized Water Reactor QA Quality Assurance RES Office of Nuclear Regulatory Research (NRC) :

SALP Systematic Assessment of Licensee Performance i SER Safety Evaluation Report (NRC) ;

SFRCS Steam and Feedwater Rupture Control System }-

SMUD Sacramento Municipal Utility District ;

SRP Standard Review Plan (NRC) i i:

TMI Three Mile Island i '

i USI Unresolved Safety Issue .,

f I

l l

h 9

J S

i' n

1 EXECUTIVE

SUMMARY

Background

The Davis-Besse Nuclear Power Station, operated by the l Toledo Edison Company, underwent a complete loss of feed-water event on June 9, 1985. The day following the event, the Ex'ecutive Director for Operations (EDO) of the U.S.

Nuclear Regulatory Commission (NRC) sent an Incident Inves-tigation Team (IIT) to Davis-Besse to ascertain the facts, to identify the probable causes of the event, and to form conclusions and make recommendations as the basis for ,

corrective actions. The results of its investigation are documented in " Loss of Main and Auxiliary Feedwater Event at the Davis-Besse Plant on June 9, 1985" (NUREG-1154).

Ad Hoc Group Mandate and Methodoloal The Nuclear Regulatory Commission established an independent Ad Hoc Group in January 1986 to review issues subsequent to the loss of feedwater event at Davis-Besse and the Da-vis-Besse IIT's investigation. The Commission asked the Group to identify any additional lessons that might be learned from the incident, and from these to make recommen-dations about how NRC internal procedures and oversight of reactor licensees may be improved. By this and other reviews, and by implementing the recommendations arising from then, the Commission proposes to reduce the possibility .

of future similar occurrences. To fulfill its charter, the Ad Hoc Group was asked to undertake the following studies:

1. Examine the process of analysis, review, and interac-tion between the licensee and the NRC that took place preceding the event concerning the reliability of, and the need and schedule for modification of, the Da-vis-Besse auxiliary feedwater system and associated systems; and make recommendations as to h'ow the regula-tory process may be improved in light of the findings resulting from this examination.

2. Examine pre-event probabilistic assessments of the reliability of the Davis-Besse plant safety systems, the NRC review of these assessments, and the use to which these analyses were put in the regulatory decision-making process; and make recommendations as to how the use of this sort of reliability analysis in the regula-tory process might be improved.

1

3

3. Examine the licensee's management, operation and maintenance programs to the extent that they may have contributed to the equipment failures that caused or i exacerbated the incident; examine the NRC's require- l ments for, and oversight of, such licensee programs; =

and make recommendations as to how the NRC may improve ! l its regulatory processes and its oversight of reactor . I licensees in these areas, a 4 Examine the mandate, capabilities of members, opera-tion, and results of the Davis-Besse incident investi- i gation team, and the use to which its report was put by the regulatory staff; and make recommendations as to !

how the incident investigation process may be improved.

The Commission directed that the review not be a vehicle for determining whether Davis-Besse could be operated withnut !.

undue risk to the public health and safety. The Con.mi ssion ; I further specified that the Group not assess responsibility j for the incident on the part of Toledo Edison (the licensee) or the NRC staff. '

t In implementing its review, the Group interviewed principal NRC Headquarters and Regional personnel, the Chairman of the !.

Advisory Committee on Reactor Safeguards ( ACRS) Toledo Edison corporate and departmental managers, officials from the industry's Institute of Nuclear Power Operations (INPO) ,

and from Babcock & Wilcox (B&W), and executives from four , t other nuclear power utilities. The testimony of these I utility executives was solicited to broaden the Group's ',

perspective on NRC's IIT program, on utility management issues, and on the impact of regulatory requirements on '

plant operations. In site visits, the Group examined Toledo Edison's management, operations, and maintenance programs.

1 The Group also reviewed relevant correspondence, reports, 4 and other documents on Davis-Besse matters for the period j 1977 to the present, j l The various probabilistic analyses made of the auxiliary !

feedwater system ( AFWS) were analyzed for the Ad Hoc Group by Sandia National Laboratories. The Group also solicited i

the views of B&W, Toledo Edison, and the NR" staff about i probabilistic studies that were performed for the AFWS following the accident at Three Mile Island.

j Since the Incident Investigation Program is new to NRC, the ^

Group considered it essential to compare the practices and procedures for the Davis-Besse !!T incident investigation with those of the subsequent San Onofre and Rancho Seco IIT investigations. Accordingly, the Group interviewed the NRC Team Leaders for these IITs and reviewed ielevant documenta- '

tion.

j 2

- - - - ~ ~ - - - - -

Davis-Besse Reculatory History Davis-Besse was licensed to operate in 1977. Averaging 7.7 trips (unscheduled shutdowns) yearly, Davis-Besse averaged an annual capacity factor of approximately 45% until June 9, 1985. Although some of its outages can be traced to NRC Three Mile Island backfit requirements, the major contribu-tors were equipment failures and personnel errors. Plant operations have been marked by frequent deficiencies in maintenance efforts and procedural and Technical Specifica-tion violations, as reflected in NRC's Systematic Appraisal of Licensee Performance (SALP) reports. The NRC inspection effort at Davis-Besse was in excess of 1,500 work days and required over fourteen management or informal conferences prior to the June 1985 incident.

As a result of the incident, the NRC staff and Toledo Edison have engaged in an extensive evaluation of their respective responsibilities in assuring operational safety at Oa-vis-Besse. For the NRC, this process has required not only implementation of a substantial number of generic and plant-specific actions, but an appraisal of the relevant programs in the Offices of Nuclear Reactor Regulation (NRR),

, Inspection and Enforcement (!&E), Analysis and Evaluation of Operational Data ( AE00), and Nuclear Regulatory Research (RES), as well as for its Region !!! office. For Toledo Edison, it resulted in a nuclear staff reorganization, the authorization to hire additional personntl, a complete review of the facility's safety-related systems prior to restart, and extensive improvements in training programs and procedures. The cost to both organizations has been sub-stantial: for NRC approximately $1.5 million, to date, and for Toledo Edison $71.5 million, a figure exclusive of power replacement costs.

In its 1986 Policy and Planning Guidance document, the Commission expressed its concern about unnecessary regulato-ry burdens and the Agency's volume of regulatory require-ments. This year, in establishing a set of strategic goals, the Commission stated its intention to improve the regulato-ry climate in which the nuclear industry operates, and to complete a com'prehensive review of NRC regulations. This report, by examining the extensive interaction between NRC and Toledo Edison prior to the incident, hopefully contrib-utes to a continuing review of the status of that regulatory framework.

Ad Hoc Group Conclusions and Recommendations Based on its review of issues subsequent to the June 9, 1985 incident at Davis-Besse, the Ad Hoc Group has a" rived at the following conclusions and recommendations in the four areas ------

specified in the Group's mandate.

M_

3

L Fre-evert feceractive totween Toledo Edison sad stC Concerning the Auxfif ary feedwater System Conclusions Extensive and detailed regulatory interactions and activt-ties took place concerning the AFWS at Davis-Besse between NRC and Toledo Edison from the licensing of the plant in 1977 through the June 9, 1985 incident.

The AFWS and related controls experienced recurring problems involving components and required a number of design chang-es, such as the addition of dynamic brakes on the pump turbine governors and flow indication in the control room for both steam generator AFW f alet Ilmes. Toledo (disoa cade appropriate changes, including festallation of a diverse power supply to one of the AFW5 tratas (for the potor-opera ted valves), that were required bef ore the neceed fuel cycle. The staff approved a license for Davis tesse, even though it lacked diverse power to the Afwl props, a l

connetton unchanged up to the facident.

NRC's post TMI-2 evaluations of the Dawls-8 esse AFW5 tdenti-fied the need for short-term and long-term modifications.

However, NRC did not require installation of a 100-percent capacity, motor-driven startup feedwater pump until Toledo Edison committed to its installation in September 1984 NRC did not believe that the Davis-Besse AFWS, as it existed before the incident, was suf ficiently reliable. This conclusion was based largely on the lack of diverse power to the pumps and the lack of full capacity of the existing startup pump. Earlier requirements for suitable modifica-tions of the AFWS might have been justified technically, even though not required by the Commission's rules.

By focusing on a generic solution to the decay heat removal question, both the ACRS and the staff may have contributed to an unreasonable delay in resolving the specific weakness in the Davis-Besse AFWS. This finding does not suggest that generic solutions are not desirable where feasible. Ana-lysts should exercise caution, however, in seeking solutions to generic problems when they unduly delay specific solu-tions at individual plants.

Recommendations Regional Administrators should meet with NRC Headquarters management to review the performance of each nuclear power plant and licensee in their region at least quarterly, or more frecuently as needed. The Group strongly endorses the current plans of the Executive Director for Operations (EDO) to implement such a program. The E00 should make prompt 4

decisions to resolve problems and to estabitsh appropriate schedules (or completing their resolution.

Project Managers (with appropriate technical support) should visit nuclear power plants on a periodic basis (perhaps quarterly} to communicate directly with plant management and utility licensing officers.

The Group strongly endorses the E00's current development and implementation of the integrated tracking and managerent system to assure effective management monitoring and resolu-tion of safety and licensing issues. Such a system might ,

have been of assistance prior to the 1985 incident at Davis-Besse.

The staff should decide and communicate the results of decisions to relevant staff and licensees promptly as to l whether an issue is plant-specific or generic. Such dect-sions should be made or endorsed by the E00 and action plans should be promulgated and executed expeditiously.

I

2. Davis-Besse Reliability Assessments Conclusions The conf.Iteting assurptions, methodologies and findings in Itcensee and NRC staff reliability analyses, and considera-tion of the proposed Cormittee for Review of Generic Re-outrements (CRGR) memorandum on pressurized water reactor AFWs, were factors in delaying the final decision on the installation of a diverse electric motor-powered auxiliary feedwater pump. Another factor delaying a final decision was the staff's delay in generic resolution of the decay heat removal issue, Unresolved Safety Issue (USI) A-45.

Improver.ents in probabilistic analyses of safety systems can be achieved by inclusion of important associated systems and a more defensible plant-specific data base.

Additional qualitative reliability techniques and measures over and above probabilistic analyses could be useful to in-crease coeftdence in the safety of nuclear power plant oper-ation. Inprovements in the probabilist(c analysis process will be were useful in hRC regulatory decisionmaking if they are augnented by information gained from other qualitative managerent and reliability techniques, such as configuration management, failure modes and effects analysis, and other discipitnes discussed in Section 4 of this report.

Recommendations NRC should establish a timely and effective process to review reliability analyses requested of IIcensees, perticu-5

I larly where it is de.termined that such analyses will be used in regulatory decisionmaking.

NRC should evaluate the use of qualitative management and reliability disciplines as a means of increasing confidence in the day-to-day performance of nuclear power plant licersees.

I&E should give priority to the conduct and promotion of safety system functional inspections and outage system modification inspections. '

3. Contributions of Toledo Edison's Management, Operation, and Maintenance programs to Equipment Failures Conclusions The number of organizational changes made by Toledo Edison in its pre-event nuclear mission and programs to enhance reactor safety performance were not sufficient to prevent the June 9, 1985 incident; neither was NRC oversight and enforcement effective in preventing the incident.

It was not apparent that Toledo Edison's Company Nuclear Review Board (CNRB) performed its overall audit function of .

plant safety effectively.

There were deficiencies in the effectiveness of the manage-ment and oversight of plant operations which had been recognized in NRC's SALP eval ations.

The Group recognizes that balance of plant items are impor-tant to safety.

The pre-event maintenance program at Davis-Besse was charac-terized by many weaknesses and deficiencies. The pre-event preventive maintenance program was not systematically developed and managed.

Compliance with the substantial, growing volume of prescrip-tive regulatory requirements may have acted to reduce rather than increase plant safety.

Recommendations :

The NRC should shift emphasis away from detailed, prescrip- h tive requirements toward performance-based requirements. A l systematic, continuing review of NRC's regulatory require- -

ments embodying the full scope of regulatory oversight is ,

j needed to ensure that these requirements are conerent. '

consistent, and act to improve plant safety. Responsibility t for this function should be assigned to a specific office.

NRR management and Regional Administrators should meet with the licensee's Board of Directors when a plant's deteriorat-ing performance warrants. The purpose of such meetings would be to discuss the adequacy of the licensee's activi-ties to protect the health and safety of the public. It would also provide the Board with an opportunity to express its views on the effectiveness of the current regulatory process.

NRC should take advantage of INP0's programs to assess licensee's maintenance management programs to the extent reasonable and practical.

The staff should improve its follow-up on licensee correc-tive actions. Licensee " integrated living schedules" should be encouraged.

Resolution of the "important to safety" issue, and its application to balance of plant (80P) items in existing, as wc11 as future plants, deserves high priority. (The Group understands that I&E bas responsibility for resolution of at least part of this problem.)

4. NRC Incident investigation Program Conclusions The mandate for Incident Investigation Teams is adequate for conducting NRC incident investigations.

The Davis-Besse IIT report would have been enhanced if the team had been instructed to examine pre-event NRC-licensee interactions.

There is need for NRC to conduct seminars or workshops to inforn licensees in advance of the fundamentals of an NRC incident investigation. (The Group understands that such a program is being considered by AE00.)

The Davis-Besse IIT members possessed adequate technical expertise to comply with the requirements necessary to perform their investigative task. The Group endorses proposals that IITs receive incident investigation training.

The Davis-Besse IIT report effectively described the se-quence of events of the June 9, 1985 incident. However, the report's observation that Davis-Besse had a history "of evaluating operating experience related to equipment in a superficial manner," was not supported in the report. The conclusion that the underlying cause of the main and auxil-iary feedwater event was the licensee's lack of attention to detail in the care of plant equipment was also not supported .

in the report.

l l

The E00 Action Plan following the incident made adequate use of IIT report findings and conclusions. The Action Plan is commendable since it also included the requirement for the NRC staff to reappraise its programs, planning, and actions :

based upon lessons learned from the Davis-Besse incident.

Unless organizations such as utilities, INPO, EPRI and reactor vendors are involved in the formulation of and are familiar with IIT procedures, they may not be willing or prepared to participate in future investigations.

_ Recommendations -

Expedite the development of detailed procedures for the f formation, training, operation, and reporting requirements i of future IITs. These procedures should clearly define the 5 (a) scope of the investigation and its schedule; (b) mode of j operation for the team; (c) legal constraints and rights of :

licensees and employees, including NRC employees; (d) ~

cuarantining of equipment, with clearly defined roles for j the licensee and the Region; and (e) completion of the assignment. These procedures should be developed and coordirated with the nuclear power industry and Agency personnel should meet with them to explain the role of IITs i and how they will function, i i'

Participation on !!Ts of members from INPO, EPRI, vendors, other utilities, and Federal and State agencies with appli-

cable technical expertise, when appropriate, should be -

encouraged. ,

The Commission should assign NRC's Office of Inspector and Auditor (OIA) to investigate pre-event interaction between the NRC staff and the licensee as it may be relevant to the root cause of the event.

The NRC manual chapter and other appropriate procedures should specify guidelines concerning the role of counsel or other advisors for personnel interviewed by an IIT. 1 The !!T incident investigation training program should be accelerated and consideration given to extending some of ~:

this trainir.g to Augmented Inspection Team candidates and '

other I&E staff members.

8 o.

se aminummmmmmmmmmmme mummmmme mummmmmmme m a a mem-m immmmma - == m ammi-m immmmmmme -. summ- m ai

2 INTRODUCTION The Davis-Besse Nuclear Power Station, Unit 1, operated by the Toledo Edison Company, is located on Lake Erie in Ottawa County, Ohio, approximately six miles northeast of Oak Harbor. Ohio. Toledo Edison is a part of the Central Area Power Coordination Group (CAPC0) which is responsible for planning additional generating capacity in the CAPC0 service area. CAPC0 service areas cover northern and parts of ,

central Ohio and sections of western Pennsylvania. Other ,

CAPC0 members include the Cleveland Electric Illuminating Company, Duquesne Light Company, Ohio Edison Company and Pennsylvania Power Company. The Davis-Besse plant is jcintly owned by Toledo Edison (49 percent) and Cleveland Electric Illuminating Company (51 percent), with Toledo Edison responsible for its operation. Toledo Edison and Cleveland Electric Illuminating Company have recently merged ,

l into a new holding company, Centerior Energy Corporation, which w,ill operate a service company for the two operating utilities.

In January 1980 the CAPCO companies terminated plans to !

construct Davis-Besse Units 2 and 3 and Erie Units 1 and 2.

Nonetheless, Toledo Edison's annual construction expendi-tures have been over $200 million per year in the 1980's.

Most of these costs are attributable to the continuing construction of CAPC0 nuclear generating units (Perry Units 1 and 2 and Beaver Valley Unit 2), of which Toledo Edison owns 20 percent.

Davis-Besse underwent a complete loss of feedwater on June l 9, 1985. The day following the event, the Executive Direc-tor for Operations (E00) of the U.S. Nuclear Regulatory Commission (NRC) sent an Incident Investigation Team (IIT) to Davis-Besse to learn what happened, to identify the probable causes of the event, and to formulate conclusiens and make recommendations for corrective action's. The results of its investigation are documented in " Loss of Main and Auxiliary Feedwater Event at the Davis-Besse plant on June 9, 1985" (NUREG-1154).

The Nuclear Regulatory Commission established an iudependent Ad Hoc Group (Group) in January 1986 to review other issues relating to the loss of feedwater event at Davis-8 esse and the Davis-Besse !!T's investigation. The review was to identify any additional lessons that might be learned from the incident, and from these to make recommendations about 9

. b

how NRC internal procedures and oversight of reactor '

licensees may be improved. To fulfill i ts charter, the Group was asked to review activities and make recommenda- ' '

tions in the following areas: '

1. The interaction between Toledo Edison and NRC preceding '

the event concerning the auxiliary feedwater system (AFWS), ;

2. Pre-event probabilistic analyses of Davis-Besse safety '

systems, NRC reviews of these analyses, and the use to which they were put in regulatory decisionmaking.

3. The extent to which Davis-Besse management, operations, !

and maintenance programs may have contributed to i equipment failures that caused or exacerbated the i event, and NRC requirements for and oversight of such :

programs , and

4. The mandate, operation, membership capabilities and [

results of the Davis-Besse !!T and the uses made of its 4 report by the NRC staff. j In conducting its review, the Ad Hoc Group interviewed key k NRC Headquarters and Regional personnel, the Chairman gf the

}

Advisory Committee on Reactor Safeguards ( ACRS), Toledo 7 Edison corporate and departmental managers, of ficials from

the industry's Institute of Nuclear Power Operations (INPO), ,

representatives from Babcock & Wilcox, and executives from four other nuclear power utilities. The views of these '

executives was solicited to broaden the Group's perspective ,

on NRC's IIT program, on mismanagement at nuclear utilities, '

and on the impact of regulatory requirements on plant '

operations. The Group compared practices and procedures for the Davis-Besse IIT investigation with those of the San Onofre and Rancho Seco IIT investigations. In site visits, the Group examined Toledo Edison's management, operations, a and maintenance programs. Additionally, the Group reviewed i relevant correspondence, reports, and other documentation on '

Davis-Besse for the period 1977 to date.

The various probabilistic analyses made for the auxiliary i feedwater system (AFWS) were analyzed for the Ad Hoc Group by Sandia National Laboratories. The Group also solicited views on the probabilistic studies from Babcock & Wilcox, Toledo Edison officials, and the NRC staff.

The Commission directed that the Group's review not be a ;

vehicle for determining whether Davis-Besse could be operat-ed in the future without undue risk to the public health and safety. Evaluating responsibility for the incident was also not within the purview of the Group.

10 )

4

.,--- , m -- y m- - n -- ~ ~ '

3 FRE-EVENT INTERACTION BETWEEN TOLEDO EJISON Af.0 NRC CONCERNING THE AUXILIARY FEEDWATER SYSTEM Regulatory Process - Pre-event This section provides an extensive chronology describing specific events directly or indirectly pertinent to the Group's review.

The staff identified the need to nodify the Davis-Besse auxiliary feedwater system (AFWS) when the plant was li-censed. While Toledo Edison made a number of changes over the years to improve reliability of the system, it resisted making major modifications until an unanalyzed safety question was identified in the fall of 1984 Probabilistic reliability studies on the AFWS had been previously per-formed by Toledo Edison, by Babcock & Wilcox (B&W), and for the staff by Brookhaven National Laboratories (BNL). The staff made no decision on resolving the issue while these 9]ll studies were being evaluated. Toledo Edison finally pro-posed installation of a full-capacity, motor-driven startup AFWS pump to resolve an unanalyzed safety question which affected system reliability and this resolution satisfied the staff's concern. The Group, based on its review, reached several conclusions and recommends that the staff act to resolve similar identified problems expeditiously and to communicate more effectively among its organizational components and with the licensee.

The regulatory process on the Davis-Besse AFWS involved the following(kinds licensee ToledoofEdison) actionsand and igteractions NRC : between the

Reports of licensee events;

" The shutdown order following the THI-2 accident;

' Applications for amendments to the operating license; I

The Institute for Nuclear power Operations conducted several evaluations of Davis-Besse operations, the results of which the staf f was generally aware through exchanges of information between the NRC Regional inspectors and Davis-Besse personnel.

11

]

I

i i

NRC requests for information and analyses by Toledo .j l Edison and its responses; ;

Review, evaluation and approval by NRC of requests j for license amendments; Inspection by NRC onsite inspectors; Inspection by NRC Region III inspectors; l

A performance appraisal team (PAT) inspection; i l

Managemer.t and enforcement conferences l between Toledo Edison management and Region III l management; ;

Heetings between Toledo Edison staff and NRC staff;

Systemstic Appraisals of Licensee Performance ;

(Sales); and l

Civil penalty recommendations. -

\

l Licensing Actions for the Davis-Besse Auxiliary Feedwater l 3ystem and Associated Systems , 1 I

The original AFWS was essentially a safety-grade system.

Both AFW pumps were driven by steam turbines, with only ac power available to the motor-operated valves in the two trains. The NRC staff recognized that the system was susceptible to common-cause failures. As a license condi-i tion, Toledo Edison was required to provide de power to one i

train of the AFWS at the plant's first scheduled refueling ,

outage. The license condition was removed by Amendment !

No. 33 in October 1980 after Toledo Edison made the modifi- '

cation.

From initial startup until the incident on June 9, 1985, Davis-Desse had recurring problems with the AFWS and related controls. These prnblems involved components such as '

pressure switches and turbine governors. Davis-Besse made a number of design changes, including the addition of dynamic brakes on the pump turbine governors and flow indication instruments in the control room for both steam generator AFW i

inlet lines. Following THI-2, Toledo Edison made a number of re-evaluations on its own, or at NRC's request, of the reliability of tn'e AFWS, which necessitated a number of licer. sing amendments:

License Amendment 63, October 26, 1983, permitted removal of speed switches and interlocks to valves for the AFW turbines, 12

?

3

Amendment 68, May 30, 1984, modified Davis-Besse -

Technical Specifications to require that a minimum of two channels of AFW flow be operabic for each steam generator.

Amendment 82 December 20, 1984, allowed AFWS operability to be determined without consideration !

of the status of the startup feedwater pump during startup (i.e., the startup feedwater pump could be i inoperable).

License Amendment 83, January 8, 1985, imposed three .

operational restrictions on the use of the startup ,

feedwater pump to avoid hazards to the AFW pumps, This amendment was a consequence of Toledo Edison identifying high and moderate energy lines in the ; !

AFW pump rooms whose failure had not been analyzed. -

_ i Their failure could jeopardize the operability of :

either AFW pump from the effects of jet impingement, = !

pipe whip, flooding and environmental conditions. ; l The amendment included these restrictions:

isolation outside the startup feedwater .

pump /AFW area of the startup feedwater pump suction, discharge and turbine plant cooling :

water piping, when the startup feedwater pump -

is not in operation, and Toledo Edison will install a startup feed-water pump, associated piping, and valves, to remove the hazards to the AFW pumps before commencing Cycle 6. ,

! The original Davis-Besse Technical Specifications (1977) I contained one Limiting Condition for Operation of the AFWS: 1 "Two independent steam generator auxiliary feedwater pumps >

and associated flow paths shall be operable." Revision 3 of the " Standard Technical Specifications for Babcock & Wilcox (B&W) pressurized Water Reactors (PWRs)," published in July v 1979, contained the following Limiting Condition: ,

I

?

At least three independent steam generator auxil-

~

iary feedwater pumps and associated flow paths shall be ooerable with:

Two auxiliary feed pumps capable of being powered from separate emergency buses, and one feedwater pump capable of being powered from an operable steam supply system. ,

Since Davis-Besse was licensed and operating, this require-ment did not apply to the plant's AFWS.

1 i

13 1

i 1

l

The following thronology records numerous meetings, memoran- l da, and analyses about the Davis-Besse AFWS involving NRC's Office of Nucit ar Reactor Regulation (NRR) Toledo Edison .

and others prio- to June 9,1985. IAE's Rsgion !!! staff l played little or no role in these interactions. It is also i clear that the hRR staf f did not appear well informed about the extent of tha Regional staff's concerns regarding Toledo Edison's performance. The Ad Hoc Group examined these activities in detail in forming its overall appraisal of the regulatory process.

Following THI-2 in March 1979, the Commission issued a Confirmatory Order on May 16, 1979 ordering Davis-Desse, during a s heduled outage, to remain shut down until certain hardware and procedural changes and analyses were made by Toledo (disom and approved by the NRC staff.

htC ltite6 thn Order en Jul.r 6, 1979. In its accompanying Safety (vaivation Report (5: 0), kRC stated!

While the Staff recognizes.that the AFW system is safety grade, we also note that the licensee has agreed to continue to review the performance of the AFW system for assurance of reliability and performance. Consis-tent with this long-term agreement, we will require that the licensee modify the plant to provide the ,

greater degree of ';lversity of fered by a 100 percent ,

l capability motor operated AFW pump, or an alternative l acceptable to the Staff.

On June 8. 1979. the NRC staff visited Davis-Besse to discuss Toledo Edison's efforts to respond to the Commis-sion's Order. A week later, Toledo Edison transmitted to NRC an analysis of a complete loss of feedwater transier.t.

Eight days later, in response to staff questions, a Toledo Edison analysis concluded that secondary steam pressure, af ter lost of main feedwater to the steam generators, would support the AFWS steam turbine operation if started within 20 minutes. ,

In April 1980, NRC issued " Transient Response of Babcock &

Wilcox-designed Reactors" (NUREG-0667), which made recommen-dations for reducing the likelihood or consequences of severe accidents. One recommendation was to upgrade the i AFWS to include diverse power sources with either three trains, or two trains plus feed and bleed capability.

i Installation of a diverse-drive AFW pump was recommended for ,

i' Davis-Besse specifically, partly because the relatively low i i

head, high pressure injection pumps prevented injection at i normal operating pressure.

i In May 1980, NRC issued the TM! Action Plan (NUREG-0660),

which called for licensees with B&W plants to evaluate their l J

14 a

w.

. - . - . - . . - - . _ ~ . - , , - - .,--..- - - . - -

AFWSs by September 1, 1980. The staff Reactor Transient Task Force recommended that installation of a diverse-drive AFW pump be expedited at Davis-Besse. In August 1980, the j

Director Director.ofOffice NRC'sof Division NuclearofReactor Safety Technology Regulation (wrote to the NRR), that '

the recommendation of the Reactor Transient Task Force "be ;

implemented as soon as possible by an NRC order...." This j requirement, he noted, was identified in the post-THI-2 startup authorizetion. As reported above, the July 1979 authorization lifting the shutdown pernitted Toledo Edison to propose an alternative. Nevertheless, the Director, ,

Division of Safety Technology, concluded, "It is our under-standing that the licensee [ Toledo Edison] is still review-ing possible options.... This is too long a time to merely study such an important issue."

l e

in Nover.ber 1980, the staff issued " Clarification of TH! j Action Plan" (NUREG-0737), which, in part, emphasized that previously required analyses should include multiple events, I such as the failure of both main and auxiliary feedwater ?

systems. These analyses were to be submitted to the staff by January 1, 1981, and reviewed by July 1, 1981 (i.e., 2 years after the staff originally notified Toledo Edison that l a motor-operated pump, or an acceptable alternative, would be required).

i j

s On January 23, 1981 Toledo Edison objected, because of cost, to the NRC alternative for a diverse-drive AFW pump '

with a 100-percent capacity and proposed an alternate resolution, concluding:

To bring this issue to final resolution, it is proposed I that, prior to proceeding on any major plant modifica- .

tion, a risk reduction comparison be completed to ;

provide an evaluation of the acceptable alternatives.

This would allow us to optimize the plant response results, minimize the perturbation and still verify that the design provides an appropriate level of protection to the public health and safety now and 4 after any such modification is complete.

In a March 6, 1981 meeting, Toledo Edison advised the staff that its August 1980 feasibility study demonstrated that providing an additional 100-percent capacity AFW pump was prohibitively expensive and required an excessive prepara-tion time. This conclusion was based on the need to provide a completely diverse sa fety-grade AFW train, i.e., that (

entailed seismic-resistant components in a new seis-mic-resistant building, rather than just a motor-driven ,

pump. This change, involving a safety-grade system, appears to be what the staff had in mind. Toledo Edison planned to perform a detailed probabilistic risk assessment to rvaluate acceptable alternatives.

16

~

i In responding on April 2, 1981, the staff recommended six ways to improve the reliability of the AFWS at Davis-Besse.

In commenting on the licensee's proposal, the staff noted.

"[t]he principal thrust of [ Toledo Edison's] ptoposed reliability analysis would therefore try to demonstrate the acceptability of the reliability of the present two train AFWS at the Davis-Besse 1 plant." NRC rejected this ap-proach end, apparently changing its position (from the requirement for a fully safety grade, seismically qualified system), stated: "We believe that you should consider placing more emphasis on uporading the existing startup feedwater train to provide diversity from the present steam driven AFWS, and thus improve system reliability." The sixth NRC recommendation was for installation of a di-verse-drive auxiliary feedwater pui..p. The April 2 letter stated: l We are concerned with the dependency of both AFWS pumps f

, on steam from the main steam lines. Other PWRs are 2

known to have a similar configuration (e.g., Calvert Clif fs); however, because of the more rapid dry-out of the steam system in BAW plants, such a steam dependency {

is'of more concern in Davis-Besse. The licensee should I state plans for providing a third AFWS train which will i utilize a pump powered from a source other than steam.

A schedule of implementation should be provided.

On May 22, 1981, Toledo Edison responded, indicating its .

intent to submit a probabilistic risk assessment on the AFWS I by July 1981, which would identify dominant failure contrib- t utors. Toledo Edison stated its intent to upgrade the i existing startup and auxiliary feedvater systems based on results of the risk assessment. ,

Independently of this decision, on June 22, 1981, B&W issued "Draf t Engineering Summary Report of a Complete Loss of FW Transient Analysis for Dasir,-Besse" (B&W 582-7151-14-00),

which concludes that operatur action (feed and bleed) within 30 minutes of a lor,s of feedwater will prevent the core from ,

becoming uncovered. ;

1 In a June 29, 1981 memorandum to NRR, the NRC Division of ;

Safety Technology recommended adoption of a reliability j criterjonintgeStandardReviewPlan(SRP)ofaprobability of 10" to 10' for failure upon demand of the AFWS. This ;

recommendation was endorsed by the NRC Division of Systems Integration on July 31, 1981.

The SRP, " Auxiliary Feedwater System (PWR)," Rev. ?, issued in July 1981, stated that the NRC reviewer is to determine ,

that:

l 16 L

... 2. The system is protected against the effects of pipe whip and jet impingement that may result from high or moderate energy piping breaks or cracks.

... 5. The system possesses diversity in motor power sources such that system performance require-ments may be met with either of the assigned power sources, e.g., a system with an AC subsystem and a redundant steam /DC subsystem.

The reviewer is to determine whether licensees have submit-ted sufficient information for NRC to co hasanunreliabilityintherangeof10~gcludetgattheAFWS to 10~ per demand. The numerical criteria in this review did not apply to previously licensed operating plants, such as Da-vis-Besse.

On July 16, 1981, NRC asked Toledo Edison to orovide addi-tional information on AFWS automatic initiation and flow indication. This was submitted on September 16, 1981. On December 31, 1981 Toledo Edison transmitted to NRC the

" Davis-Besse AFWS Reliability Analysis, Final Report." NRC later sent the report to the Brookhaven National Laborato*y for review. (This report is discussed in Section 4.) >

An NRC memorandum of March 1, 1983 repeated the recommenda-tion that NRC should require installation of a third, qualified, motor-driven AFW pump at Davis-Besse. On Au-gust ?2, 1983, the staf f issued a draf t, proposal intended for review b ments (CRGR)y the NRC Committee It contained to Review a proposed Generic Generic Require-Letter to licensees concerning ten pressurized water reactors (PWRs),

including Davis-Besse, that had not made the "necessary system modifications...to ensure that their AFW systems are capable of being operated in the high reliability range...."

The proposal concluded that AFWS failure is a dominant contributor to core melt accidents and reconmended requiring modifications to demonstrate adequate reliability in accor-dancewitgthecugrentSRP(Section10.4.9)failurecriteri-on of 10' to 10' per demano. The proposal included the recommendation that NRC issue a Generic Letter: it would require licensees to confirn within 30 days that changes wou.o be made to the AFWS and that a design would be pro-posed within 120 days. The analysis notes that improvements could be evaluated under the long-term Unresolved Safety Issue (USI) of decay heat renoval (A-45), but rejects this 17

h I

f approachbecausestugyofthisissuewasnotexpectedtobe !

complete until 1985.'

An NRC handwritten memorandum of August 26, 1983, referring to the August 22, 1983 CRGR draft proposal states:

We need to get together ASAP [as soon as possible] on the attached CRGR package-- The [ Director of Systems Integration) is tr plants (12 total) ying withto a stick a number 3rd AFWS pump. of operating This action will have significant ramifications on A-45. We may come up with a more comprehensive cost-beneficial solution.

Their value-impact looks weak and will be shot down by CRGR.

An NRR memorandum of August 29, 1983 reviewed implementation of recommendations for AFWSs and found the Davis-Besse AFWS acceptable. The recommendations were based on the Toledo Edison reliability analysis of December 1981 and generic recommendations of NUREG-0611 and NUREG-0635, which did not require a third pump. The memorandum referred to the proposal intended for the CRGR which would require all plants to upgrade their AFWS to meet existing reouirements and stated that such requirements for Davis-Besse would be the subject of future correspondence.

An NRR memorandum of Septenber 25, 1983, containing a long list of comments and questions on the August 22, 1983 CRGR proposal, concludes that a decision should be deferred:

The proposed action, if implemented independently will have significant ramifications for the USI A-45 pro-gram. Accordingly, further and more detailed regulato-ry analyses should be done to provide a good basis for deciding whether this issue should be done independent-ly or combined with A-45. Until then, it is suggested that the decision be deferred.

An attachment to the memorandum refers to a September 13, 1983 meeting among representatives of NRC divisions and branches wherein they agreed that further work should be ,

done before the proposal was forwarded to the CRGR.

l 2

While the NRC staff was to have completed its study of USI A-45 by 1985, the current projected completion date is f 1987. ,

18 4

0

An NRR memorandum of November 16, 1983 transmits the staff evaluation of Toledo Edison's December 31, 1981 reliability analysis from the Division of Systems Integration to the Division of Licensing, it repeats the June 1981 conclusion oftheDivisionofSafetyTechgologytgattheSRPincludean unreliability criterion of 10~ to 10 An NRR memorandun of December 7, 1983 notes that the staff delay in responding to the August 22, 1983 proposal " result-ed from the need to complete other higher priority work."

The memorandum states that the requirement for a third pump was considered a low priority according to a staff cost-benefit analysis. The memorandum notes that changes have been or will be made at plants other than Davis-Besse.

An NRR memorandum of January 16, 1984 provides additional information on the CRGR proposal, including estimated frequencies of a core nelt (per year) attributable to loss of main feedwater. The memorandum states that the mean -

probability of a core melt per year from this type of incident is 5.4 x 10~4 (or 1 chancg in 1,851). (The NRC provisional safety 1: 1x 10~ or 1 chance in 10,000, per reactor year.) goalThis average estimate assumes that feed and bleed emergency cooling is not possible at Davis-Besse; the risk of a core melt at Davis-Besse f rom loss of main feedwater is 5 times greater than the probability of a core (

melt accident in the Commission's safety goal for chances of a core melt from all types of accidents at any plant.

On March 2 and 3,1984 a stuck open safety valve resulted in steam generator dryout at Davis Besse. An I&E memorandum.of April 9, 1984 to NRR referring to this dryout supports the CRGR proposal to require diverse AFW pump power.

An April 23, 1984 letter from NRR to Toledo Edison provides the staff evaluation of the utility's December 31, 1981 reliability analysis and the Brookhaven National Laboratory reliebility analysis (NUREG/CR-3530). The letter notes the opposing conclusions reached by GNL and Toledo Edison and concludes that the Davis-Besse AFWS does not comply with the current SRP reliability criterion. It should be noted that Toledo Edison's reliability analysis takes credit for feed and bleed operations and other modifications; BNL's analysis does not.

The NRC staff report, " Comparison of Impicmentation of Selected TM1 Action Plan Requirements for Operating Plants Designed by B&W," May 1984 (NUREG-1066), concludes that Davis-Besse had completed all required plant modifications.

However, three open Technical Specification items remained regarding tne Davis-Besse AFWS. The report noted that staff review of these items was to be completed by June 1984 19

(nearly 5 years af ter the staff notified Toledo Edison in July 1979 that modification to the AFWS would be required).

A Toledo Edison internal memorandum of September 7, 1984 comments on the NRC's April 23, 1984 letter and the BNL analysis. It disagrees with a number of assumptions made by BNL and the staff, particularly their lack of credit for the feed and bleed function, and concludes that their findings are " inaccurate, unjustified and irrelevant."

At an NRC-Toledo Edison meeting on September 19, 1984, Toledo Edison committed to install a relecated, electric motor-driven startup feedwater pump with full capacity at the next refueling outage. Relocation was necessary to avoid a high or moderate ener (See License Amendment 83, above.)gy pipe break problem. l A September 28, 1984 memorandum from the Director, NRR, to l the E00 reported that the Auxiliary Systems Branch deter-mined that a diverse-drive AFW system was unnecessary.

Toledo Edison formally notified NRC in writing in October l 1984 of the unanalyzed pipe break problem involving the l existing startup feedwater pump.

l Toledo Edison applied on November 12, 1984 for a license amendment to install the new 100-percent capacity auxiliary feedwater, electric motor-driven startup pump at a new location at the next refueling outage (spring of 1986). The l

license amendment was approved on January 8,1985. However, NRC required that special precautions be taken with the existing startup pump, including isolating it from the feedwater system and disabling the motor drive until the new i pump was installed. The isolated startup pump, to be l activated, required repositioning of four valves and the i installation of fuses in the motor control system. An operator also needed to be stationed at the pump to monitor its operation. These actions were, in fact, performed I during the June 9, 1985 incident. Toledo Edison believed that isolating the startup pump actually increased risk.

i On June 20, 1985, the CRGR noted in a menorandum that the regulatory proposal for improving the reliability of AFWSs still had not been submitted to the CRGR.

l Following the incident NRC requested, on October 30, 1985, that Toledo Edison perform probabilistic analyses of the AFWS as it existed on June 9, 1985, and as it would exist at restart, using the assumptions and 'ethodology of i NUREG-0611. '

I 20 E

Advisory Ccmmittee on Reactor Safeguards (ACRS) Review Since 1979, the ACRS expressed concern about the functional capability and reliability of decay beat removal systems in general and AFWSs in particular. Although it did not specifically address B&W or Davis-Besse AFWSs in its advice to the Commission, the ACRS consistently recommended giving high priority to generic and specific upgrading of these systems. In April 1980 the ACRS observed that staff action plans in this area appeared to lack coordination in evaluat-ing shutdown heat removal requirements comprehensisely. In May 1981 the Committee again recommended that high priority be given to USI A-45. (Its resolution seems to hate been inhibited by extended consideration of the need for pilot operated relief valves (PORVs) in Combustion Engineering's System 80 design.) More than 3 years later, in August 1084, the ACRS pointed to the importance of A-45 to plant safety.

Recognizing the great variety and complexity of decay heat removal systems among the many different nuclear plants, the (.

ACRS suggested that if a generic treatment was not feasible, timely alternatives should be developed.

Conclusions Extensive and detailed regulatory interactions and activi-ties took place concerning the AFWS at Davis-Besse between NRC and Toledo Edison from the licensing of the plant in 1977 through the June 9, 1985 incident.

The AFWS and related controls experienced recurring problens involving components and required a number of design changes such as the addition of dynamic brakes on the pump turbine governors and floo indication in the control room for both steam generator AFW inlet lines. Toledo Edison made appro-priate changes, including installation of a diverse power supply)tothat valves ,

one were of therequired AFWS trains before(for thethe motor-operated second fuel cycle.

The staff approved a license for Davis-Desse, even though it lacked diverse power to the AFWS pumps, a condition un-changed up to the incident.

NRC's post TM!-2 evaluations of the Davis-Basse AFWS identi-fied the need for short-term and long-term modifications.

However, NRC did not require installation of a 100-percent capacity, motor-driven startup feedwater pump until Toledo Edison committed to its installation in September 1984 NRC did not believe that the Davis-Desse AFWS, as it existed before the incident, was sufficiently reliable. This conclusion was based largely on the lack of diverse power to the pumps and the lack of full capacity of the existing startup pump. Earlier requirements for suitable 21

t modifications of the AFWS night have been justified techni-cally, even though not required by the Commission's rules.

Both the ACRS a7d the staff may have contributed to an unreasonabit uelay in resolving the specific weakness in the Davis-Besse AFWS by focusing on a generic solution to the I decay heat removal question. This finding does not suggest that generic solutions are not desirable where feasible.

Analysts should exercise cautfon, however, in seeking solutions to generic problems when they unduly delay specif-ic solutions at individual plants.

Recommendations ?

Regional Administrators should meet with NRC Headquarters managenent to review the performance of each nuclear plant and licensee in their region at least quarterly, or more ;

frequently as needed. The Group strongly endorses the ;

current plans of the EDO to implement such a program. The EDO should make prompt decisions to resolve problems and to establish appropriate schedules for completing their resolu- ,

tion. ,

Project Managers (with appropriate technical support) should !

visit nuclear power plants on a periodic basis (perhaps quarterly) to communicate directly with plant management and '

utility licensing officers.

The E00's current development and implementation of the l integrated tracking and management system to assure effec- '

tive continued management monitoring and resolution of ,

safety and licensing issues are strongly endorsed. Such a ,

system might have been of assistance prior to the 1985 ,

incident at Davis 'tesse.

3 The staff should decide and communicate the results of decisions promptly to relevant stoff and licensees on I whether an issue is plant-specific or generic. Such d?ci-

sions should be made or endorsed by the E00 and action plans should be promulgated and executed expeditiously, t

i s

i e

e f

22 L

a

r 1

i i

i

?

4 DAVIS-BESSE RELIABILITY ASSESSMENTS This section summarizes (a) staff requirements for the prob- )

abilistic assessments of Davis-Besse plant safety systems, ;

(b) the auxiliary feedwater system (AFWS) probabilistic j reliability analyses haven National performed Laboratory by(Toledo (BNL), c) theEdison staff'sand Brook-evaluation !

and use of these analyses, (d) the Davis-Besse response to {-

the staff's evaluation, (e) S j evaluation of these analyses,gndia (f) a National Laboratories' Davis-Besse post-event :

reliability analysis, and (g) additional qualitative reli- j ability techniques which might ensure greater confidence in ,

nuclear power plant perfnrmance, j

(

Pre-event AFWS Probabilistic Reliability Assessments ;

i AFWS reliability analyses were conducted prior to the i June 9, 1985 incident by Babcock & Wilcox (B&W), Toledo Edison, and Brookhaven National L a b o ra to ry (BNL). }

On December 1079, B&W completed its " Auxiliary Feedwater Systems Reliability Analysis - A Generic Report For Plants ,

With Babcock & Wilcox Reactors." The objectives were:

(1) To identify, throu.jh reliability-based insights, dominant contributois to AFWS unreliability.

(2) To assess the relative reliability of B&W operat-ing plant auxiliary feedwater systems.

The study identified domirsnt contributors to AFWS unavail- l '

ability for each plant so that B&W utilitiet could make ap-7 propriate design changes to improve AFWS reliability. For ;

Davis-Besse, the dominant contributor noted was simultaneous I '

Inss of both trains. This condition could occur if one train were out of service for maintenance during normal '.

plant operations, and a random failure occurred in the other train. The study calculated system reliability at 5, 15, .

and 30 minutes after loss of. main feedwater to allow for a range of operator actions following initiating conditinns.

3 J.W. Hickman and B. Atefi, " Review nf Cocuments ,

Related to the Davis-Besse Auxiliary Feedwater System Reliability Assessments," April 21, 1986. g ,

+

l 23 i 4

i i

k The probe.bility of failure to function upnn demand ranged ;

from approximately 5 x 10-3 to 8 x 10-3 The study cautions that these values should be viewed as relative rather than absolute values.

Toledo Edison AFWS Reliability Analysis (EDS Nuclear, Inc.)

On December 31, 1981, Toledo Edisor submitted to NRC a de-tailed probabilistic reliability analysis of the AFWS pre-pared by EDS Nuclear, Inc. (now Impell Corp.). The study analyzed four configurations, including one for a third AFW train to upgrade the existing feedwater startup pump as a diverse full-capacity electrically driven pump. The analy-sis concluded that the most cost-effective approach was to rely on a modified feed and bleed mode using the existing startup pump, the makeup pumps and the pilot operated relief valve (PORV) to provide adequate core coeling. The study recommended upgrading other components and procedures, such as the auxiliary feedwater pump turbine governor and improv-ing Limitorque valve operations, turbine feed from both steam generators, and valve positioning. This "analy-sis-based" approach predicted an AFWS unavailability per demand of 3.3 x 10-5 , a figure which includes credit for (proper) operator actions.

Brookhaven Review of EDS Analysis in 1983, NRC directed Brookhaven National Laboratory (BNL) I to perform an independent reliability analysis of the Davis-Besse AFWS using methodology and data from " Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse Designed Operating Plants" (HUREG-0611). BNL indicated that an independent reliability analysis was requested because each applicant for an operating license was required to comply with the Standard Review Plan (SRP) Section 10.4.9. This section requires the use of criteria which enable direct compari l witg the acceptable AFWS unreliability range of from 10 gonto l 10- per demand. NRC wanted to compare the results for l Davis-Besse with results from other plants, even though the l i SRP criteria did not apply to Davis-Besse.

The BNL results assumed no time for any intervention, in- l cluding operator actions, to recover f rom malfunctions or maintenance errors. The report noted that Toledo Edison used a function-success criterion different from that L considered in NUREG-0611 (which defined unavailability as the probability per demand that the system will fail to perform its function).

The BNL review noted that the EDS Davis-Resse study consid- f cred the measure of AFWS success to be the maintenance of ,

adequate core cooling to prevent fuel damage. BNL also 24 !

a

1 D

noted that " Toledo Edison assumed it was considered suffi-cient either to (1) provide flow from one AFW pump within ten minutes, or (2) establish feed-and-bleed within 30 min- .

utes, in conjunction with feedwater flow from the start-up pump, which is not adequate in itself to remove decay heat."

The report called attention to (a) the Davis-Resse AFWS's lack of diversity and its vulnerability to common cause failures, and (b) the Davis-Besse history of such items as AFW pump speed failure, loss of control of both AFW pumps from mechanical binding in one pump and blown fuses in the other, and the loss of an essential bus.

Toledo Edison AFWS Reliability Analysis (Impell Corp.)

On November 1, 1985, the Impell Corporation submitted its i study to compare its analysis with NRC staff analyses of j other plants. It addressed the cuantitative criteria for !

AFWS unreliability using data and methodology prescribed in NUREG-0611. The study, initiated prior to the June 9, 1985 i incident, analyzed three AFWS configurations: (1) the exist- 8 ing Davis-Besse AFWS configuration as of June 9, 1985, (2) a t two-pump configuration, and (3) a three-pump configuration.

The configuration as of June 9, l ty on demand ranging from a x 10j85showedangnavailabili-to 1.6 x 10- for speci-fied initiating events using tha criteria ir. NUREG-0611.

The three-pump system with a diverse electric motor-driven feedwater requirement pump wastopredictgd of 10-4 10- pertodemand.

meet the SRP unreliability

]

Ad Hoc Group Review of Davis-Besse Reliability Analyses The Group requested Sandia National Laboratories to examine the various probabilistic assessments of safety system reliability at Davis-Besse. The objectives of the study were to review and summarize all reliability-related studies and reports, comment on the quality and relevance of these studies to the Davis-Besse event, and reach conclusions and submit recommendations about the use of probabilistic analyses in regulatory decisionmaking. Table 4.1 from the Sandia study shows a comparison of the results of the BNL l study and the EDS Nuclear and Impell studies.

The Sandia report includes (1) a summary of the correspon-dence and activities involving probabilistic analysis of the Davis-Besse plant; (2) a comparison of the results of the utility-sponsored AFWS reliability anal yses with the NRC-BNL l review of these studies; (3) a discussion of the use of state-of-the-art methodology, compliance of the utility's results with the requirement of the SRP, and a discussion of the Davis-Besse plant configuration on June 9, 1985; and (4) conclusions and recommendations.

25

i I ~

i

Table 4.1 Comparison of the Result.s of d 1

the Davis-Besse AFWS Studies EDS Study BNL Studyc .d Impell Study (December 1981)b (N vember 1985)d,e (Feb* 1984) Configura tion Confipra tion Existing Planned Two Planned Three initiator Pre-TMI Post-TMI Third Train Analysis-Cased (6/9/85) Pump System Pump System LossofMajn 1.6E-3 feedwater 3.3E-2 E.GE-4 4.5E-5 3.3E-5 1.6E-3 6.6E-4 9.lE-5 Loss of Off-Site Power 4.lE-2 5.5E-3 1.3C-4 9.3E-5 2.8E-3 2.9E-3 1.7E-3 1.lE-3 L Loss of All ac 3.4E-2 4.0E-2 3.3E-2 3.3E-2 I E hismic Event 8.8E-2 1.9E-2 1.9E-2 1.lE-2 l

l a E-2=10-2 b AFWS success criteria in this study consist of a) providing flow from one AFW pump to one steam generator within 10 minutes, or b) establishing feed and bleed procedure within 30 minutes includir.g sene heat removal via the main feedwater startup pump.

c AFWS success criteria in this study consist of successful flow from at least one AFW pump to at least ene steam generator without delay.

d Calculations based on NUREG-0611 methods and data.

e The success criteria in this study consist of availability of sufficient auxiliary feedwater flow to at least one stean generator within 5. minutes following the less of main feedwater or offsite power or all ac.

-4 f SRP requires an unreliability in the range of 10 to 10'4 per demand.

The Group examined the Sandia study and agrees with its conclusions and recommendations.

Sandia

Conclusions:

1. Each of the AFWS reliability analyses provided sound recommendations addressing areas of systen vulnerability, which found their way into the Davis-Besse design and resulted in AFWS reliabili-ty improvements.

2. Each cf these studies fell short of realizing the full potential of the PRA type of analysis because important support systems, such as ICS [ integrated control systeml and SFRCs [steen and feedwater rupture control systeml, were not modeled.

3. State-of-the-art limitations with respect to modeling of heroic recovery actions and humen errors of conmission, such as the one that oc-curred durinc the Davis-Besse 1985 incident when the operator'in;dvertently pushed the " low pres-sure" buttons, prevent PRAs fror covering all aspects of events such as the Davis-Besse inci-dent.

l

4 The reliability analyses performed as a part of NUREG-0611 and NUREG-0635 had limited scope and i

were not originally intended to be used as a guide for SRP purposes. This limited scope does not cover all unusual occurrences which happened in l'

the Davis-Besse event such as those which were due to the initiation system. !

k

5. Overall quality of the reliability analyses l reviewed with respect to the use of l

state-of-the-art rcthodology and data was satis- '

f ac tory.

,Sandia Recccmendations:

1. The recommendations of SRP Section 10.4.9 with respect to following a set of guidelines on

methodology and use of data for AFWS reliability u

evaluation should be updated to include a muth

] more comprehensive set of guidelines. Consider-1 at f

j S a r. d i a conclusions and recommendations are quoted y verbatin, e> cept for bracketed statements added by the Group g for clarity.

M, r 27 i

B -

1 l

ation shtold be given to more detailed modeling of human actiens, and [ support systems such asi power, control, ini.iatien, and cooling systens ra t h e r that, treating the auxiliary feedwater systen in isolation from its support systems.

2. The current $RP unreliatility requirement is not ,

clearly defined and applies only to the '

loss-of-main-feedwater-system initiator. Unreli- l ability requirements for other initiators such as l

loss of offsite power and total loss of ac (sta-tion blackout), should be considered. The 10

requirement of the SPP does not appear to be appropriate for station blackout events.

l 3. Review of PRA documents by the NRC should not be I

limited to the compliance of the submitted report with set of na rrow guidance such a s SRP. NRC reviewers should be encouraged to pro ide addi-ticral comments and insights about the areas of system vulnerability beyond the pure compliance guidance.

Use of Reliability P_robabilistic Analysis in Regulatory E7clslonmaking The previous sections illustrate the differine views about huw probabilistic analyses are conducted, both from the standpoint of the approach to the analysis, and in th?

nueerical values used are generateo by them.

Key NPC management personnel interviewed by the Ad Hoc Group believe there is considerable value in the use of fault trees in reliability analyses, and that this discipline alone may call attention to potential problems if properly applied by licensees and the NRC staff. They also believe that numerical valuer. from probabilistic analyses should be viewed as a goal toward which to aim rather than as a quantifiable value by which to neasure what a given plant has actually othieved. A licensee cori conduct plant-specific probabilittic analyses with a valid data base which can he useful in detecting design weaknesses and undesirable trends in plant performance.

Additio,nd ' Qualitative Reliabilip Techniques for Reculatory Decisionmak !nq During interviews with NRC management, the Ad Hoc Group discussed the use of other relinbility and management techniques, including (11 configuration management controls.

(?) failure modes and rffects analysis, (3) component qualification control, (4) corrective action systems. rig)orous failure reporting (5 maintainability ar.d analyses, and

?8 e

-- w

(6) inproved maintenance. Although most of those inter- I viewed agree these techniques would be useful to licensees $

in improving availability and in enhancing safety, they I believe it would be difficult to prepare detailed regula- I tions to require that these disciplines be implemented by j licensees. =

The Director of NRC's Office of Inspection and En f orcemen t -

Ilt.E) nas conducted several safety system functional inspec- .'

tions and outage system modification inspections that -j revealed plant design and safety issues. These findings -

reinforce the value of addressing reliability and management techniques in preventing incidents that threaten plant y safety.

Q 4

A recent publicatien by the NRC Division of Waste Management ;{

(NUREG/CR-4271) recommended that the safety, reliability, Ei quality assurance and management techniques used in the J aerospace industry could possibly be applied by the Depart-ment of Energy # 0r the High-Level Nucl ea r Wa s te Reposi t ory 8{

3, Program. The document describes successful aerospace 7 management, safety, reliability assurance and quality y assurance techniques, as well as specific aspects of the &"

tase of technology transfer, which may also be applicable to nuclear reactor operation and regulation. -]h Conclusions

=

G T

The conflicting assumptions, methodologies and findings in g licensee and NRr sta f f reliability analyses, and considera- y tion of the CRGR memorandum on PWR AFWs, were factors in K.

delayinu lhe final decision on the installation of a diverse M electric motor-powered auxiliary feedwater pump. Another $

'a c to r delaying a final decision was the staff's delay in 4 generic resolution of the decay heat removal issee, Unre- 7t solved Safety Issue (USIl A 45.

[

x Improvements in probabilistic analyses of safety systems can jg j De achieved by inclusion of important associated systems and i; l a more defensible plant-specific data base. }g Additional qualitative reliability techniques and measures D

$p ovar and above probabilistic analyses could be useful to ?!

increase confidence in the safety of nuclear power plant 4 operation. Improvements in the probabilistic analysis process will be more useful in NRC regulatory decisionmaking $

y if they are augmented by information gained from other y-qualitative manacement and reliability techniques, such as 4 configuration management, failure modes and effects analy- 3 sis, and other disciplines referred to in this section, y[

S

$ c.

29 h a

1 5

5,

t Recommendations NRC should establish a timely and effective process to review reliability analyses requested of licensees, particu-larly where it is determined that such analyse; will be used in regulatory decisionmaking.

NRC should evaluate the use of qualitative management and reliability disciplines as a means of increasing confidence in the day-to-day performance of nuclear power 31 ant licensees.

i&E should give priority to the conduct and promotion of safety system functional inspections and outage tysten modification i nspections.

I i

1 j

I i

1 l

l 30

- -- --m---- -- -- ---_ _- __m- - _ _ - - _ _ _ _ _ _ _ __ - _ - - --+e-- r----

l 1

5 CONTRIDUTION OF TOLE 00 EDISON'S PANAGEMENT, OPERATION, AND fiAINTENANCE PROGRAMS TO EQUIPMENT FAILURES The Toledo Edison Nuclear Program The Ad Hoc Group examined the structure and staffing of Toledo Edison's Nuclear organization to determine its effectiveness prior to June 9, 1985. During 1979, the Davis-Besse Plant Superintendent reported to the company Vice President for Energy Supply. A separate organization i for nuclear operations was established in 1980 with a Vice )

President for Nuclear, and several reorganizations were i implemented between 1982 and 1985 to strengthen Toledo l Edison's Nuclear mission. !

1 Between 1979 and 1985, the staff of the Nuclear mission l increased from 340 to 590 employees to remedy deficiencies !

and to improve performance. A Performance Enhancement l Program (PEP), initiated in November 1983, receired the i extended services of over 100 persons. The program, costing approximately $18.9 million, covered 16 areas, including !

maintenance, training, safety management, fire protection, l security, and configuration management.

l ,

i In 1983 Toledo Edison also formed a corporate Steering ! l Group, headed by the Vice President for Nuclear, that '

i reported to the President.

Performance Teams were organized to review issues of signif- l icant safety or regulatory importance and their assessments I identified whether problems were understood and whether reasonable interim actions were defined. Changes to interin action plans in the PEP program had to be approved by the plant manager and a Steering Group. The PEP program was reviewed by Region 111 in the light of improvements request-eo by NRC and other changes decided upon by Toledo Edison; one noteworthy example was a computerized maintenance management system.

A Senior Vite President for Nuclea r, hired in July 1985, made a number of changes in the orgeaization, among which were: (1) a preference for i n - h o '; s e rather than consultant expertise to assure technical continuity, and (2) consolida-tion at the Davis-Besse site of engineering and other support functions previously divided between the plant site and corporate headquarters, i

l 31 :

i

! \

i i

t

The Technical Specifications for Davis-Besse require the establishment of review groups to consider and recommend facility changes and review plant operational data. A r.o n g other responsibilities, the Davis-Besse Station Peview Group examines all safety-rela ted transients and incidents at the plant and reviews and recommends approval for plant safe-ty-related operating procedures.

A Company Nuclear Review Board (CNRB) subsequently reviewed the decisions and recommendations of the Station Review Group. The CNRB initially drew upon personnel from Toledo Edison Nuclear and other company personnel and later added several outside experts. It met approximately 18 times per year and relied upon analyses performed by other groups in the corporate structure. The CNRB is responsible for reviews and audits of the plant's operations and procedures and for advising management in the areas reviewed. It also reviews issues resulting from regulatory action, (e.g., SALP reports, emergency planning changes, plant mod'fications ar.d changes to Technical Specifications). .

The Davis-Besse Maintenance Program The Davis-Besse maintenance program staff grew substan-tially--from a complement of 34 to 207--between 1977 and the 1985 incident. According to Davis-Besse management, the increase was in response to surveillance requirements of the Technical Specifications as well as the requirements result-ing from TMI and other regulatory issues.

At the time of the June 9, 1985 incident, Davis-Besse had 1339 open corrective work orders, 111 open facility change requests, orders.

and a preventive maintenance backlog of 405 work There is evidence that prior to the event, a large backlog of equipment needing maintenance existed, some nf which was undoubtedly due to deferring certain maintenance tasks until an outage period. The prevailing pre-event ma intenance pra ct ice, pa rt icula rly for the balance of the plant, appeared to be directed toward maintaining only that equipment essential for safe plant operation.

Operating nuclear utility experience demonstrates that many challenges to emergency safety systems arise from malfunc-tions in balance of plant e q u i pia e re t . Accordingly, a large backlog of maintenance i tems appea rs to have safety signifi-cance, even though related generally to non-safety grade systems and components. NRC periodic Systematic Assessment of Licensee Performance (SALP) reports !!. !!!, and IV indicated that improvement was required in Davis-Besse's maintenance program.

SALP assessments are performed over a period of a year or longer by teams led by Regional personnel. The purpose of, i

32 WW __

these reviews is to collect recorded observations on a periodic basis and evaluate licensee performance based on those observations. The assessments consider positive and negative attributes of licensee performance and emphasize an understanding of the reasons for a licensee's performance.

The SALP process ano ratings focus on assuring that the resources of both the NRC and the licensee are allocated to functional areas needing improvement. SALP ratings are classified in three categories:

1. I&E inspection efforts can be reduced.

2. Inspections should continue at the same level.

3. Additional effort by the licensee and ISE is necessa ry to improve licensee performance.

Although 3 is the most unf avorable ca tegory, it constitutes acceptable reactor safety performance. SALP IV (1984) reported that maintenance personnel errors accounted for the submission to NRC of 8 of 13 Licensee Event Reports (LERs) and that 5 reactor trips (unscheduled plant shutdowns) were traceable to maintenance activities. Several equipment nalfunctions resulted from inadequate corrections of previ-ous equipment failures, including a containment building isolation valve and the sa fety fea tures actua tion system radiation meter. NRC's SALP IV assessment of Davis-Besse's maintenance reorganization was that "an appreciable improve-ment in field performance was not observed." Region III personnel submitted no information that the resources and organization for the Davis-Besse maintenance program were markedly different from organizations at other plants.

Since the incident, the Davis-Besse maintenance program has been substantially reorganized and a new naintenance manager has been appointed. A major maintenance facility planned prior to the incident is now under construction.

INPO has prepared guidelines for a "high level of perfor-mance" maintenance program covering items such as mainte-nance department organizations and administration; training and qualification of maintenance personnel, and maintenance facilities, equipment, and tools. " Guidelines for the Conduct of Maintenance at Nuclear Power Stations" (INP0-85-038). Davis-Besse plans to cbtain INPO accredita-tion by the end of 1986 or ea rlier for the plant's mainte-nance training program.

The Davis-Besse Quality Assurance Program The four SALP reports on Davis-Besse call attention to several quality assurance (QA) problens which were taken by 33 1

SALP evaluators to indicate a lack of upper management direction and involvement in the QA program.

Toledo Edison hired an outside organization (CER Corpora-tion) to independently assess the Davis-Desse QA program in October 1984. The study was completed after June 9, 1985.

It identifies a number of quality control issues, such as centralizing document control, expanding the role of quality engineering beyond procurement, and coordinating work with NRC to improve SALP ratings. All issues identified in the report are currently under review by the NRC staff.

Davis-Besse Plant and Safety Performance The Ad Hoc Group reviewed several information sources bearing on Davis-Besse plant and safety performance. I r.

addition to NRC SALP reports, a Region III Davis-Besse Study Group report written after the June 9, 1985 event, was also consiaered.

SALP results for Davis-Besse are summarized in Table 5.1.

It shows that of the 11 functional areas reviewed in SALP IV, five were rated as Category 3 and three of these five were declining in performar.ce. Four of the remaining six functional areas were rated as 2, and two of those .;ere improving.

SALP reports on plant operations, surveillance and testing, and licensing activities were consistently rated as adequate (i.e., as category 2) while refueling operations rated as category 1. SALP I report (December 31, 1980) noted that a large number of " serious regulatory concerns existed with the Davis-Besse opera tion" and that Davis-Besse operating performance was "clea rly below average" compared with other Region III licensees. In commenting on the SALP II report, the NRC Regional Administrator concluded that overall regulatory performance at Davis-Besse had shown considerable improvement. However, in his letter on SALP IV (1984), he commented that a noticeable positive impact was not evident during the appraisal period and that performance had declined.

Subsequent to the 1985 incident, Region III established a study group that broadly reviewed the history of Davis-Besse between March 1979 and June 1985. It conducted its review using LER and inspection history, status of TMI items, and a review of management and enforcement meetings. (Attach-ment F of the Study Group Report, with violations catego-rized by SALP functional areas, is reproduced as Table 5.2.)

The Group's report also showed that after TMI through 1983, t Davis-Besse submitted 391 Licensee Event Reports (LERs) to NRC. ,

34 l

~

Table 5.1 SALP Ratings at Davis-Besse*

I 7 Period of Review **

Functional Area I II III IV ,

1. Management Control 2

2. Plant Operations 2 2 2 2

3. Refueling Operations 2 1 1 1 4 Maintenance 2 3 3+ +3

5. Surveillance and Pre-op. Tes t. 2 2 2-* +2

6. Training 2 3-*

7. Radiation Protection 2 1 1 1

8. Environmental Protection 2 2

9. Emergency Planning 3 1 2-+ 3-*

10. Fire Protecticn 2 2 2 +3 l

11. Security and Safeguards 3 2 +2 2

12. Design Changes and Modifications 2

{

13. Reporting 2

)

14 QA Audits 2 3 3-* i

15. Comunications Activities 2

16. Quality Control 2

17. Procurement 2

18. Licensing Activities 2 2 -* 1

Blanks indicate factors nnt rated; arrows indicate whether performance is improving (lef t) or es.:.lini 9 (right),

j ** Period of Review: I f,uvemt:er 1,1979 to October 31, 1980 i

!! f;ovember 1, 1980 to March 31, 1982 III April 1,1982 to March 31, 1983 IV April 1, 1983 to August 31, 1984 35

{} 7

] 4 ;e.. ..' - * . ; . - < . ;.cn

~

Table 5.2 Summary Of Violations SALP Functional Areas 78 79 80 81 8? 83 84 85 ll Plant Operations 2 5 3 2 7 2 5 5 Radiological i Controls 5 1 8 0 0 0 0 1 )

i Maintenance 1 2 1 4 6 6 5 3 Surveillance 3 1 2 3 4 2 5 2 Fire Protection 2 4 2 1 6 9 8

O C

0 Emergency l

Preparedness 0 0 0 0 0 0 2 1 ,

l Security 8 7 24 1 4 2 4 1 Refueling 0 0 0 0 0 0 0 0 Quality Programs &

Administrative Controls 8 9 1 2 4 3 16 11 Training b b b b b 2 1 2 TOTALS 29 29 41 13 31 26 38 26 ; i a Fire protection violations under consideration for possible escalated enforcement action, i

(

b Not rated as a SALP functional area during this year, j c Following inspection conducted in June 1984 (IR 84-10); I no violations were identified, i

~

-1 36 -'

r

.. .:m a >.m.

9 From data submitted by Toledo Edison, it is evident that the plant has a history of operatiGnal problems and equipment g failures that resulted in a significant number of plant outages and an adverse impact on plant capacity factor. The average capacity factor from 1978 to 1984 was roughly 45 l

percent, for which annual data are shown in Table 5.3.

Table 5.3 Capacity Factor and Plant Outages from 1978 to 1985 Capacity Plant Number of Year Factor Outage Outages

(%) (Days) ,

1978 35 188 14 1979 41 192 14 1980 27 212 19 1981 57 129 12 1982 42 177 4 1983 64 99 15 1984 56 136 6 1985 26 -- --

l l

i The Ad Hoc Group has not evaluated how SALP ratings, LERs, I Technical Specifications, Operational Violations and forced outage times at Davis-Besse comp 3re with an average nuclear power facility. '

i l Organization for Nuclear Management I l

it is difficult to show a causal relationship between I specific Toledo Edison management, operation and maintenance programs and the equipment failures that caused or exacer-bated the June 9, 1985 incident.

As reflected in the various SALP reports and management and I enforcement conferences, the effectiveness of management l controls and corrective action programs at Davis-Besse was a '

general NRC concern. Toledo Edisnn management responded by .

reorganizing a number of times to gain better control of its !

nuclear operation. Nevertheless, the NRC Region 111 Admin- l 1stra tor judged the management to be weak because he said it i was unable to operate consistently within Agency regula- ,

tions. He indicated further that when top utility manage- I ment is a part of the problem, NRC inspectors find it more i

37 !

$ l 1

difficult to delve into management issues. Neither Region III nor NRC Headquarters personnel appear to have the requisite expertise to assess management performance. ,

The current Vice President for Nuclear, Toleco Edison, effered observations on management competence in operating nuclear organizations. First, with respect to the Board of l

Directors of a nuclear utility, two important skills that I should be represented are extensive experience in actually l managing a nuclear utility program and extensive experience ;

in managing the budget for a nuclear utility program. If 1 persons with such skills are not on the Board, experienced consultants with these skills should be obtained and should report to the Board, or to a subcommittee of the Board that is responsible for the nuclear affairs of the company.

Second, with respect to staffing, personnel should be hired and trained who are capable of working in a highly regulated industry; a utility must be able to compete in the Job market for the highly skilled personnel necessary. It is also important for these executive skills to be represented in NRC to produce effective regulatory performance.

The General Accounting Office, in a January 1986 report rec-ommends that NRC establish criteria where significant improvements are an issue, that results in NRC being required to mandate improvement programs or document why they are not warranted. The report noted Davis-Besse as one of the 12 operating nuclear plants required to implement facility-wide improvement programs. (" Nuclear Regulation:

Oversight of Quality Assurance at Nuclear Power Plants Needs Improvement," GA0/RCED-8641.)

Both the industry's Institute for Nuclear Power Operations (INPO) and the NRC sta f f have been trying to develop perfor- i mance indicators to assist in judging management perfor- !

mance. The Office of Inspection and Enforcement (!&E) is responsible for the coordinated plan to develop performance ;

indicators for NRC, e 1

i Bggulaig[y_Qyg[sighi

{

i;e i t h e r the Atomic Energ, Act nor NRC's regulations includes -

l a single integrated section that addresses requirements >

related to licensee management performance. The only provision of the Atomic Energy Act that may be pertinent is Sec. 103 b., which states that "the Commission shall is-sue... licenses...to persons...who are equipped to observe and who agree to observe such safety standards to protect health and to minimize danger to life or property as the Commission may by rule establish."

The Davis-Besse Nuclear Power S ta t ion is subject to the i rules and regulations of the U.S. Nuclear Regulatory ;

1 38 1

E 7

Commission (NRC) as specified in Title 10 Code of Federal Re ulations, Part 50, " Domestic Licensing of Production and tilization Facilities," and its Appendices (10 CFR 50).

The plant design must meet the General Design Criteria of 10 CFR 50 Appendix A and the quality assurance program must comply with the Quality Assurance Criteria for Nuclear Power Plants in Appendix B. Plant operations must also conform with Commission rules specified in the regulations as well as the operating license, conditions of the license, and the plant's Technical Specifications.

The NRC staff review and evaluation of the Davis-Besse application for a license was guided by NRC's Standard Review Plan (SRP). The app'ication was also reviewed by the Commission's .idvisory Committee on Reactor Safeguards (ACRS). NRC's Office of ' t. pection and Enforcement (I&E) made periodic inspecti- , of the facility during its con-struction and contin' .s to irsnect the plant 's operations.

NRC's requirements for safe plant operation include the license conditions contained in 10 CFR 50.54. Among other conditions, licensee management is prohibited from allowing anyone who is not a licensed operator from manipulating a reactor's controls.

Regula tions governing safe plant operations are also regu-lated by provisioni in 10 CFR 50.36, which describes infor- 5 mation which must be included in a licensee's Technical Specifications.

The Technical Specifications include an organization chart of the corporate structure for offsite Toledo Edison facility management and technical support and administrative controls necessary for management to assure safe operation of the plant.

organization are also described. Station staffing and plant The requirements assurance for the licensee's management of quality (QA), specified in Appendix B to 10 CFR Part 50 specify that (A program nanagers be given direct access to the appropriate levels of management to perform the QA function.

cost Appendix B also requires QA independence from and schedule consideratinns where safety is involved.

Part 50.72 contains the notification requirements for various emergency and nonemergency events which are applica-ble to licensee management; the licensee is responsible for informing NRC if a reportable event occurs at the plant.

Impact of Regulatory Oversight There are many NRC requirements, besides those discussed above, that have an impact on how management performs in operating and maintaining a nuclear plant.

39

The NRC staff principally performs its oversight of licensee programs through the Offices of Nuclear Reactor Regulation (NRR) and Inspection and Enforcement (l&E). The mechanisms used include license conditions and Technical Specifica-tions, rulemaking, regulations, policy statements, Commis-sion Papers, Confirmatory Action Letters and Orders, Generic Letters, Bul'letins, Circulars TMI Action Plan letters, Regulatory Guides, the Standard Review Plan, Branch Techni-cal Positions, and Unresolved Safety Issue Resolution Reports. Mechanisms used to interpret requirements include approval of topical reports, Safety Evaluation Reports, the Inspection and Enforcement Manual, the Project Manager's --

Handbook, I&E Headquarters Positions, and open issues resulting from inspections. Mechanisms used to communicate requirements to licensees include inspector entry, exit and management meetings, staff information exchange meetings, Information Notices, phone calls and site visits, Prelimi-nary kotifications , public meetings , workshops , resident inspector daily contacts , SAL P reports, Performance Apprais-al Team (PAT) reports, Commission Papers, and others. (;

Enforcement actions include notices of violations and ~

deviations, enforcement conferences, civil penalties and orders to cease and desist and to suspend, modify or revoxe

r. license.

That this plethora of requirements has an impact on licensee performance cannot be overemphasized. Between the THI-?

accident in 1979 and the June 9, 1985 incident, there were (

\

72 amendments to the Davis-Besse operating license, or approximately one per month. The Toledo Edison Corporate Nuclear Review Board Chairman indicated that the Board's activities were driven by the licensee's Technical Specifije cations so that most of its time was spent on paper reviFws rather than on assessing plant performance. Out of nearly 400 items that the CNRB tracked between 1979 and 1985, approximately 40 related directly or indirectly to the AFWS alone.

Senior technical personnel at Davis-Besse advised that the complexity and multiplicity of regulatory requirements complica ted ef fective management of the plants. The situation was underscored by the Assistant Plant Manager with respect to fire protection requirements alone: "Every month it seems a different person comes in, wants you to do something. In the meantime you are so busy spinning your wheels on these things, you a re losing track. " He also thought that, although the regulations and regulatory activity in any single area may be well-founded, the totali-ty of HRC requirements adds greatly to management burdens in operating the plant. It was alleged that the regulatory requirements a re not always consistent and two examples related to the Davis-Besse incident were cited. First, during the incident, plant physical security barriers slowed 40

l operator access to areas in the plant crucial to bringing [

the plant under control. Second, the NRC requirement '

isolating the startup feedwater pump proved to be an impedi- l ment in securing prompt recovery of the plant, j f

The Group discussed with the EDO, major office directors and :

Region 111 personnel, the potential negative impacts on i sa f ety f rom regula tory oversight. There was no consent'as on l this issue, although there was substantial agreement that certain regulations or combinations of regulations could :

decrease safety and that NRC oversight could be too heavy "

in certain areas. The staff has been aware of this impact, as is evident from its efforts in the TMI lessons learned task force, the current staff review of certain regulatory requirements (reactor containment building leakage and licer. sing review of fuel design), the current review process ..t to control rulemaking, current revisions to the CP.JR char- i; l ter, and the Manual guidance for management of plant-specific backfitting in nuclear power plants. ;

};

The Group did not want to assess whether regulatory over- i sight is a problem based solely on interviews with Da- ) I vis-Besse nanagement and sta f f. To gain added perspectiv the Group interviewed executives of four other utilities.g, ,

The Vice President of Commonwealth Edison, with 15 years in l the nuc' lear business, stated "I am still concerned that for i ;

most of our plants the greatest problem that we have is . '

trying to deal with all of the requirements." The Vice '

President of Florida power stated, "One of the things we '

have learned as an industry, and regulators understand this also, is you don't want to challenge your system when it's )

operating. Yet the standard tech specs put me into a i l

position of requiring me to do tens of thousands of surveil-lances during the course of the year with my reactor operat-ing, to encourage it to trip." --

The Vice President of Duke Power Co. indicated that the impact of regulation had produced an unmanageable situation I at some nuclear plants. Where regulatory recommendations are made that the utility believes have no valid basi.s, the recommendations need not be followed. If the utility does '

not have the resources to take such a position, however, the utility can become so involved in responding to the recommendations that it cannot manage the plant properly.

5 The utility representatives were also questioned about the IIT process and the ef fectiveness of NRC oversight on M rant nuclear plant management practices, j

41 r

L ..

, _ . _ _ _ _ _ _ . _ - - - - - -- - -- -- ~~

The Assistant General Manager, Nuclear, of the Sacramento Municipal Utility District stated that "it is the intensity which the management people and the technical people have to deal with the regulatory process that really eats up...the manpower and manhours that I think would be better placed on the details of the plant...."

, Finally, the Group noted the rather extensive exploration of the " Safety Impact of Regulatory Activities" conducted by senior members of the NRC staff itself in 1981 (NUREG-0839).

Comments of the 12 utilities surveyed for the study were strikingly similar. With few exceptions, no NRC requirement was viewed in itself as uncafe or unreasonable. The single survey finding was that "notwithstanding the competence and good intentions of the staff, the pace and nature of regula-tory actions have created a potential safety problem of unknown dimensions." The problems cited a re the large number of regulations and the many regulatory bodies in-volved, varying interpreta tions by inspection personnel, extensive growth in surveillance testing, delays in agency approvals, and the adversa rial environment in which NRC reviews a re sometimes conducted. Time limitations on the Group review did not permit an adequate opportunity to determine whether these problems influenced the incident at Davis-Besse.

The Commission, in its 1986 Policy and Planning Guidance to the staff, has called for a comprehensive review of HRC regulations and a reduction in the numbers and prescriptive-ness of both regulations and Technical Specifications. The Group's review supports the need for such a comprehensive review.

The Group sought suggestions from NRC, utility, and industry officials as to how the regulatory process could be im-proved, both from the standpoints of regulations which may be detrimental to safety and of more effective regulation.

The Group knows that the ED0 has strongly urged utilities to implement " integrated living schedules" for accomplishing both NRC-induced and utility-initiated changes or other actions for their plants. There is some hesitancy, however, on the part of many utilities to cooperate until they can evaluate the initial experience of those complying with the new schedule. The concept of an integrated, flexible schedule is generally supported, but it appears tha t more effort is needed both by the staff and the licensees to make it work.

The Group was disturbed by allegations that the whole process was overly adversarial, that it took place in an environment of hostility and confrontation, and that often it dealt with " picayune detail" and questions that do not 42

enhance plant safety but engender resentment by operators and engineers toward'NRC. A criticism, presumably directed primarily at Headquarters staff, was that little reactor operation or plant management experience can lead to a lack of understanding of the difficulty of implementing staff requirements in the field. The Group understands that the Commission is taking steps to ameliorate the situation.

When the Davis-Besse AFWS was designed, it was a bal-ance-of-plant (BOP) system and was not required to be safety-grade, although it was essentially safety grade.

Accordingly, it was not treated as safety grade by the staff in its design review.

The General Design Criteria, first published in 1971, apply to structures, systems and components "important to safety."

A 1981 memorandum from the Director of NRR states that "important to safety... encompasses the broad class of plant features, covered (not necessarily explicitly) in the General Design Criteria, that contribute in an important way to safe operation and protection of the public in all phases and aspects of facility operation (i.e., normal operation and transient control as well as accident mitigation)." It also states that the important-to-safety class includes the safety-grade class. Utilities, however, have used the two terns synonymously, relegating those items not safe-ty-related to the class "non-safety related." The Introduc-tion to the General Design Criteria points out that sone of the specific design requirements for structures, systems, and components important to safety have not as yet been suitably defined. Their omission, however, does not relieve any applicant from considering these matters in the design of a specific facility and satisfying the necessary safety requirements. These matters include, for example, consider-ing redundancy and diversity requirements for fluid systems important to safety. Confusion has persisted over what design and quality assurance criteria apply to B0P items.

Conclusions The number of organizational changes made by Toledo Edison in its pre-event nuclear mission and programs to enhance reactor safety performance were not sufficient to prevent the June 9, 1985 incident; neither was NRC oversight and I enforcement effective in preventing the incident, j lt was not apparent that Toledo Edison's Company Nuclear Review Board (CNRC) performed its overall audit function of plant safety effectively.

There were deficiencies in the effectiveness of the manage- l I

ment and oversight of plant operations which had been recognized in NRC's SALP evaluations.

43

The Group recognizes that balance of plant items are impor-l tant to sa fety.

The pre-event maintenance program at Davis-Besse was charac-terized by many weaknesses and deficiencies. The pre-event preventive maintenance program was not systematically developed and managed.

Compliance with the substantirl, growing volume of prescrip-tive regulatory requirements may have acted to reduce rather than increase plant safety.

Recommendations The ilRC should shif t emphasis away from detailed, prescrip-tive requirements toward performance-based requirements. A systematic, continuing review of NRC's regulatory require-ments embodying the full scope of regulatory oversight is needed to ensure that these requirements are coherent, consistent, and act to improve plant safety. Responsibility for this function should be assigned to a specific office.

NRR management and Regional Administrators should meet with the licensee's Board of Directors when a plant's deteriorat-ing performance warrants. The purpose of such meetings would be to discuss the adequacy of the licensee's activi-ties to protect the health and safety of the public. It would also provide the Board with an opportunity to express its views on the effectiveness of the current regul a tory process. '

NRC should take advantage of INP0's programs to assess '

licensee's maintenance management programs to the extent reasonable and practical.

The staff should improve its follow-up on licensee correc-tive actions. Licensee " integrated living schedules" should '

be encouraged. I l

Resolution of the "important to safety" issue, and its i application to balance of plant (80P) items in existing, as i well as future plants, deserves high priority. (The Group i understands that I&E has responsibility for resolution of at !

least part of this problem.)

i 44 l i l t

A 6 NRC INCIDENT INVESTIGATION PROGRAM Background for the incident Inves tiga tion Program -

The Kemeny Commission report of its investigation of the ~

accident at Three Mile Island (TMI) recommended creation of -

an independent safety organization to provide NRC with reactor safety oversight. The Rogovin Inquir Special Inquiry Group on the THI-2 accident) yalso (NRC's ,

specif1- ; l cally recommended the establishment of an independent + !

Nuclear Safety Board. As a result of a Congressional d !

requirement in the NRC's FY 84 appropriation legislation, C the NRC Office of Analysis and Evaluation of Operational '

Data (AE0D) requested that Brookhaven National Laboratory (BNL) evaluate the feasibility of such a Board. ,

On February 15, 1985, BNL, after evaluating various indepen- :

l dent safety board options, recommended that NRC consider an i independent Nuclear Safety Board or expand the scope of the l Advisory Committee on Reactor Safeguards ( ACRS) to provide an oversight function. The ACRS supported the BNL proposal for an independent safety organization.

Subsequently, the Commission directed the NRC staff to evaluate the BNL report. The staff recommendation appears '

in SECY-85-208 and was approved by the Commission in October 7 1985. The paper recommended establishment of an Incident Investigation Program (IIP).

The Group assumed SECY-85-208 to be basic Commission guid-ance for the NRC's !!P. The staff subsequently prepared draft Manual Chapter (MC 0513) on the IIP. The Group, i n -

addition to the Davis-Besse investigation, considered the practices and procedures followed by the investigations for San Onofre and Rancho Seco. In assessing the IIP, the Group '

made no evaluation of independent safety organizations, such as those recommended in the BNL report.

Mandate and Instructions for Incident Investigation Teams !

TIITs) {

The need for an IIT is to be determined by the potential safety significance of an event, i ts nature and complexity, and its potential generic implications. Events judged by the staff to be of lesser safety significance are to be investigated either by a Regional Augmented Inspection Team or through the ncrmal inspection process. The Executive 45 -

---,,w-m--+ - --y-,-- ,, , , , , , ,, -. ,,,,-,,,_,.--,,,w - , , m w -

l Director for Operations (E00) authorizes an IIT based on recommendations from AE00, the Office of Inspection and .

Enforcement (I&E), the Office of Nuclear Reactor Regulation (NRR), the Office of Nuclear Material Safety and Safeguards !

(NMSS), and Regional Administrators.

The program is designed to ensure that an investigation is structured, coordinated, and formally administered in order to be prompt, thorough and systematic. An IIT is to collect and document factual information and evidence and concen-trate on probable causes of an incident rather than on possible violations of NRC rules and regulations.

MC 0513 indicates that the investigation should include the relevant facts and circumstances necessary for a full understanding of the event. The investigation would also identify probable causes and assess any pre-event relation-ship or interaction between the licensee and NRC which contributed directly to the event. NC 0513 also provides guidance as to areas for investigation, to include condi-tions preceding the event, event chronology, systems re-sponse, human factors considerations, equipment performance, precursors to the event, safety significance, and radiologi-cal considerations. Areas excluded from the investigations include wrongdoing or individual responsibility, generic implications for other plants, adequacy of plant design, and the licensing basis for the facility.

The Davis-Besse IIT was given 30 days to complete its investigation, but required 44 days. The San Onofre and Rancho Seco llTs were given 45 days to accomplish their l tasks and were given the additional assignment of assessing pre-event interactions between NRC and the licensees.

Capabilities of IIT Members The ED0 selects Team Leaders from the Senior Executive Serv-ice who have not had significant prier involvement in the licensing or inspection of the plant involved. The Leader i selects other Team members from pre-approved rosters. Fu-

[

ture IIT members will receive investigative training before assignment, to the extent practical. Members will continue to be selected oa the basis of technical and operational ex- !

pertise, and their freedom from direct involvement in the licensing or inspection of the plant involved. Representa- ;

tives from o tside NRC (e.g., INP0, nuclear steam systen -

suppliers) can be invited to participate in incident inves-tigations. I The Rancho Seco IIT included a representative from INPO who, although involved in the Team's evaluations, {

was not a signatory of the Team's final report.

L 46 14 s

M

IIT Operational Procedures The information collection and evaluation process for the three IITs was similar. Members interviewed plant personnel and reviewed plant data for the period immediately preceding and during the event. Failed equipment and control room in-strumentation and controls wert inspected. The equipment which malfunctioned and contributed to the event was quaran-tined cally.go Thethatteams troubleshooting could be performed obtained photographic systemati-documentation of failed or damaged equipment, a valuable technique in their investigations.

The Davis-Besse IIT mcde transcripts available to personnel interviewed, and permitted them to be interviewed in the presence of advisors or counsel. Transcripts were also made available in the subsequent incident investigations at San i Onofre and Rancho Seco.

The IITs placed high priority on interviewing personnel on shift during the event. Scheduling problems made strict adherence to this policy impossible. In some cases, the IIT .

was split into two groups to expedite the interviews, j i

During an investigation, the appropriate Regional Office ~

issues confirmatory action letters to verify that the ,

utility will not perform additional work on faulty equipment until the utility's troubleshooting plans can be reviewed by the IIT. The Team Leader has the authority to add or remove equipment from the quarantine list. The Regional Inspectors ;

and the Regional Office oversee the troubleshooting process ;

and report their results to the IIT.

In interviews with four other nuclear power plant licensees, !

concern was expressed about equipment unnecessarily quaran- i tined that was unrelated to the incident. In their view, i such equipment should be released as soon as possible to ex- 3 pedite plant recovery work. The Westinghouse Owner's Group 2 has expressed the same concern. SECY-85-208 calls for the i prompt release of quarantined equipment unrelated to the in- .

cident, and MC 0513 and !!T training should emphasize this issue. Prolonged quarantining of equipment brings into ;

question the licensee's responsibility for the safe condi- 1 tion of the plant. )

i 0

0uarantining in this context refers to the practice of physically removing or otherwise isolating equipment to keep { '

it off linits to unauthorized plant personnel so that infor-mation about the root causes of its malfunction is not lost I or inadvertently destroyed by activities subsequent to the incident. (3 ?

47

. I I

1 1

l During the Davis-Besse investigation, misunderstandings arose regarding legal representation for utility employees interviewed by the IIT. Some of those questioned felt it necessary to have legal or other representatives present.

Although such interviews are conducted on a voluntary basis rather than as the result of subpoenaed appearances, consti-tutional considerations of due process favor granting the interviewee the right to legal representation and the advice of counsel during the interview. Despite the IIT's nonaoversarial investigation, consequences resulting from it may lead to enforcement actions and, under some circumstanc-es, c riminal sanctions. Because the IIT engages in a fact-finding, nonadjudicative investigation, the participation of counsel may be limited by the Agency.

Toledo Edison personnel and the NRR Project Manager for Davis-Besse were concerned because normal communications between them concerning pending issues were deferred until completion of the IIT investigation.

The Group examined the role of NRC's Office for the Analysis and Evaluation of Operational Data (AE00) in coordinating the administration of the IIP. Both SECY-85-208 and MC 0513 identify AE00 as providing administrative support to and liaison between the IIT Leader ~and the ED0 during an inves-tigation. The three IIT Leaders unanimously stated that the

- AE0D support role in no way reduced their efforts to conduct a thorough and independent investigation.

The Group considered NRC-Toledo Edison pre-event interaction as it may have been a part of a root cause for the Da-vis-Besse incident. The Group's review did not disclose any basis in the Davis-Besse IIT report (NUREG-1154) for alleged superficial licensee management and maintenance practices, nor the foundation for concluding that the incident was caused by a lack of attention to detail in the maintenance of plant equipment.

An evaluation of NRC-Toledo Edison interaction that might have been associated with the incident was not performed by the Davis-Besse IIT--being considered outside of its mandate--but was performed to an j extent in the San Onofre and Rancho Seco investigations.

The Group believes that investigations of pre-event NRC interactions might better be conducted by an Office report-ing to the Commission rather than to the EDO. The Office of the Inspector and Auditor (OI A), which performed a similar function in connection with the Davis-Besse incident, could carry out this responsibility. The OIA, when necessary,

= could use technical consultants from within and outside the Agency. This approach would still make the IIT responsible for describing the pre-event intaraction directly applicable to the event. However, an 01A role would eliminate any concerns over whether the NRC staf f should investigate 48

. .. mm , --

itself or whether an IIT lacks independence because it reports to the EDO.

l Use of the Davis-Besse IIT Report by the NRC Staff The NRC Staff Action Plan, which includes some pre-event unresolved items, responded to all the items listed in the Davis-Besse IIT report. The ED0 also directed that a ' '

reappraisal of the adequacy of the basic design of B&W ,

reactor plants be undertaken. lhe B&W Owner's Group is to handle this responsibility, subject to staff review and approval.

On August 5,1985, an EDO memorandum requested all NRC office directors to conduct an "in-depth and searching reappraisal of the ef fectiveness of their programs and the - - -

lessons learned of the Davis-Besse event." As a result, a number ated.

of substantive staf f actions were proposed or initi-The (1)

EDO directed safet the staff's attention to the follow-ing issues: that pleted in a timely manner,y(2) issues that be theidentified potentialand forcom-the positive and negative safety impacts resulting from regula-tory actions be considered, and (3) that increased emphasis be given to balance of plant equipment.

In addition to the B&W design reassessment, the results of the E00 and staff director evaluations produced the follow-ing decisions:

(1) an improved issue-tracking cnd manage-ment system, (2) periodic performance appraisal meetings on operating facilities,n (3) development of licensee perfor-mance indicators, a' d (4) increased regulatory attention to balance of plant and the safety ramifications of regulatory actions.

Follow-on Incident Investigation Team Reviews The Rancho Seco and San Onofre IITs examined, to an extent, the NRC staff-licensee pre-event interactions. In the case of Rancho Seco, the !!T Team Leader noted that although the "

staff had serious concerns in the past 6 to 8 years about precursors to that event, Rancho Seco manacement had not implemented the actions required nor had the NRC staff pursued these issues to ensure their implementation. For example, the staff believed that the emergency feedwater initiation and control (EFIC) system would be installed at Rancho Seco in 1984 in response to NRC requirements. In fact, an alternate system was subsequently installed, but the design was not approved nor made clear to the NRC staff, and may not have complied with NRC requirements.

k

. h, 49 '

1

Conclusions The mandate for Incident Investigation Teams is adequate for conducting NRC incident investigations.

The Davis-Besse IIT report would have been enhanced if the team had been instructed to examine pre-event NRC-licensee interactions.

There is need for NRC to conduct seminars or workshops to inform licensees in advance of the fundamentals of an NRC incident investigation. (The Group understands.that such a program is being considered by AE00.)

The Davis-Besse IIT members possessed adequate technical expertise to comply with the requirements necessary to perform their investigative task. The Group endorses a suggestion that IITs receive incident investigation train-ing.

The Davis-Besse IIT report effectively described the se-quence of events of the June 9, 1985 incident. However, the report's observation that Davis-Besse had a history "of evaluating operating experience related to equipment in a superficial manner," was not supported in the report. The ,

conclusion that the underlying cause of the main and auxil-iary feedwater event was the licensee's lack of attention to detail in the care of plant equipment was also not supported in the report.

p t

The EDO Action Plan following the incident made adequate use ;

of the report findings and conclusions. The EDO Action Plan since it also included the requirement for the NRC staff to reappraise its programs, planning, and actions based upon !

j lessons learned from the Davis-Besse incident. ; ,

s Unless organizations such as utilities, INPO, EPRI and '

reactor vendors are involved in the formulation of and are familiar with IIT procedures, they may not be willing or prepared to participate in future investigations. :

Recommendations 1

Expedite the development of detailed procedures for the /

formation, training, operation, and reporting requirements of future IITs. These procedures should clearly define the 1 (a) scope of the investigation and its schedule; (b) mode of l operation for the team; (c) legal constraints and rights of '

licensees and employees, including NRC employees; (d) h 4

quarantining equipment, with clearly defined roles for the licensee and the Region; and (e) completion of the assign-ment. These procedures should be developed and coordinated c with the nuclear power industry, and Agency personnel should 50 l J 1 1

2

meet with them to explain the role of IITs and how they will function.

Participation on IITs of members from INP0, EPRI, vendors,

( other utilities, and Federal and Sta te agencies with appli-cable technical expertise, when appropriate, should be encouraged.

The Commission should assign 0IA to investigate pre-event interaction between the NRC staff and the licensee as it may be relevant to the root cause of the event.

The NRC manual chapter and other appropriate procedures should specify guidelines concerning the role of counsel or other advisors for personnel interviewed by an IIT.

'; The IIT incident investigation training program should be accelerated and consideration given to extending some of this training to Augmented Inspection Team candidates and other I&E staff members. l 51

1 l

, ,. . , , . . . . .......u....._.. . . . - . - . . . ~ , . - - - , . . ;

%',">% BIBLIOGRAPHIC DATA SHEET NUREG-1201 Siteastf.uCTsO SO4f ast .8 wt alt 3 f aTLE .%o syssiv. g 3Lt.vtet.ga

(

Report of the Independent Ad Hoc Group for the Davis-Bess Incident [

.f......o..co-6.,so of ; l

. .ui -o..s, Maf 1986 ;

f . o. , t .. .n. , im a o l

o .. .... j g

, n .. o...o c a s.. , . .o. ,.c

/ June ..

1986

. .~o...t.~o.oo.... .

. .p. c . . .o. . r. . ;

/ l Ad Foc Review Grou !

U. S. Nuclear Regul ory Commission [ "' o" ' ' ' '** ' " I Washington, D.C. 20d,5 10 $*O%50..NG o C.%.2 1 0% %..e .%g .. , G .00 6 n .e /, c . *

e 8 . *t 0 8 -4 0. '

Independent Review Same as 7.

2 sv t . . . . . . . ,

, , .. s , . .c , ax . . .,

The Nuclear Regulatory Comnission etablis d an independent Ad Hoc Group in January 1986 to review issues subse ent a complete loss of feedwater event at Davis-Besse Nuclear Power Station J e 9,1985, including the NRC Incident Investigation Team (!!T) investigation that event. The Commission asked the Group to identify additional lessons thy .ight be learned and from these to '

make recomnendations to in. prove NRC ove i t of reactor licensees. To fulfill i its charter, the Ad Hoc Group examined he llowing: (1) pre-eventinteractions between the licensee and NRC concernin relia 'lity of the auxiliary feedwater systen and associated systems; (2) pr event p babilistic assessments of the '

reliability of plant safety systems, RC's revie of them, and their use in regulatory decisionmaking; (3) licen 2e managemen operation and maintenance programs as they may have contribut to equipment aflures and NRC oversight of such programs; and (4) the manda1 , capabilities f members, operation, and ; .

l results of the NRC Davis-Besse IIT,l nd the use to wh h its report was put by the regulatory staff. : '

I 4

. . oat s. s . .s . t . , , .. ..c...so. c ...a-,

. . ,,. .,.g;' . l Auxiliary Feedwater System Probabilistic Reliability Analys. S Unlimited 4 SICu.*T. Ct .nla. iC.. og

. .oi . .. .. . o.. s o. o . . . 5 ! Unc1assified i Davis-Besse . . . . - - !

incident Investigation Teams Unclassified l Nuclear Regulatory Commission "'***"o***'"

l

.....c.

i

UNITED STATES m %n a... 2 NUCLEAR REGULATORY COMMISSION *os' amp *** C WASHINGTON, D.C. 20555 4asa,e g $

O.

OFFICIAL BUf 8 NESS PENALTY FOR PRIVATE USE. 8J00 h

3 120555078877 1 1 AN19C US NR C ADP-DIV OF T!OC z POLICY & PUB PGT BR-PDR AUREG m h-501 3 h A SHI NGTON LC 2C555 m H

m m

s a a

2 0

?

l i

i 1 l

}

f

^

l

?

I k

- . . . -. n , - - . . .n . . --- , - . . . - . . . , . - . - . - - - -. . - . - - - --, _ _ _ _ _ _

_ --

ML20206C812: Difference between revisions

Latest revision as of 14:42, 6 December 2021

Contents

Text

SUMMARY

SUMMARY

Background

Conclusions:

Navigation menu

ML20206C812: Difference between revisions

Latest revision as of 14:42, 6 December 2021

Text

SUMMARY

SUMMARY

Background

Conclusions:

Navigation menu

Search