ML20204F931: Difference between revisions
StriderTol (talk | contribs) (StriderTol Bot change) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
Line 2: | Line 2: | ||
| number = ML20204F931 | | number = ML20204F931 | ||
| issue date = 07/23/1986 | | issue date = 07/23/1986 | ||
| title = Responds to | | title = Responds to to Palladino,Recommending Establishment of Independent Review Group to Examine B&W Plant Design.Nrc Handling of Reassessment Program for B&W Design Defended.Formation of New Group Opposed | ||
| author name = Zech L | | author name = Zech L | ||
| author affiliation = NRC COMMISSION (OCM) | | author affiliation = NRC COMMISSION (OCM) | ||
Line 11: | Line 11: | ||
| contact person = | | contact person = | ||
| document report number = NUDOCS 8608070006 | | document report number = NUDOCS 8608070006 | ||
| title reference date = 04-25-1986 | |||
| document type = CORRESPONDENCE-LETTERS, NRC TO U.S. CONGRESS, OUTGOING CORRESPONDENCE | | document type = CORRESPONDENCE-LETTERS, NRC TO U.S. CONGRESS, OUTGOING CORRESPONDENCE | ||
| page count = 3 | | page count = 3 | ||
Line 26: | Line 27: | ||
==Dear Congressman Matsui:== | ==Dear Congressman Matsui:== | ||
I am responding to your letter of April 25, 1986, to former Chairman Palladino. In that letter, you recommended the establishment of an independent review group to conduct a thorough examination of the B&W design and you expressed reservations about the role of the B&W Owners Group in the l reassessment program. As I respond, I want to reiterate the l commitment to safety as the fundamental mission of the NRC that Chairman Palladino expressed in his April 23, 1986 letter. | I am responding to your letter of April 25, 1986, to former Chairman Palladino. In that letter, you recommended the establishment of an independent review group to conduct a thorough examination of the B&W design and you expressed reservations about the role of the B&W Owners Group in the l reassessment program. As I respond, I want to reiterate the l commitment to safety as the fundamental mission of the NRC that Chairman Palladino expressed in his {{letter dated|date=April 23, 1986|text=April 23, 1986 letter}}. | ||
The staff's overall reassessment program will provide a comprehensive examination of the B&W reactor design. The program is aimed at identifying potential improvements to reduce the frequency of complex transients in B&W reactors and thereby improve their overall safety. As part of the program, operational experience of the B&W plants will be reviewed, thermal-hydraulic calculations will be performed to further examine the B&W plant response to system upsets, and B&W plant probabilistic risk assessments will be examined. As a result of these efforts, potential improvements in the areas of system design, human factors and operations will be identified. | The staff's overall reassessment program will provide a comprehensive examination of the B&W reactor design. The program is aimed at identifying potential improvements to reduce the frequency of complex transients in B&W reactors and thereby improve their overall safety. As part of the program, operational experience of the B&W plants will be reviewed, thermal-hydraulic calculations will be performed to further examine the B&W plant response to system upsets, and B&W plant probabilistic risk assessments will be examined. As a result of these efforts, potential improvements in the areas of system design, human factors and operations will be identified. | ||
In his letter of April 23, Chairman Palladino noted Commissioner Asselstine's comments regarding an independent review of the B&W design. The other Commissioners and I disagree with Commissioner Asselstine's proposal. As you are aware, an independent body, the Davis-Besse Ad Hoc Group, reviewed the Davis-Besse event of June 1985 and related regulatory activities. The results of the Ad Hoc Group efforts, along with their report, were presented to the Commission at a briefing held on June 6, 1986. I have enclosed a copy of that report for your information. In its report, the Group concluded, among other things, that: (1) the mandate for Incident Investigation Teams (IITs) is adequate for conducting NRC incident investigations, (2) the IIT members possessed adequate technical expertise to comply with the requirements necessary to perform their investigative task, and (3) the investigations of pre-event NRC interactions might better be conducted by an office reporting to the Commission rather than to the EDO. The Office of Inspector and Auditor (OIA), which performed a similar function in connection with the Davis-Besse incident, could carry out this responsibility. Taking into account the AEOD program for interaction with licensees, industry and INPO, and 8608070006 860723 PDR U ADOCK 05000321 PDR , | In his letter of April 23, Chairman Palladino noted Commissioner Asselstine's comments regarding an independent review of the B&W design. The other Commissioners and I disagree with Commissioner Asselstine's proposal. As you are aware, an independent body, the Davis-Besse Ad Hoc Group, reviewed the Davis-Besse event of June 1985 and related regulatory activities. The results of the Ad Hoc Group efforts, along with their report, were presented to the Commission at a briefing held on June 6, 1986. I have enclosed a copy of that report for your information. In its report, the Group concluded, among other things, that: (1) the mandate for Incident Investigation Teams (IITs) is adequate for conducting NRC incident investigations, (2) the IIT members possessed adequate technical expertise to comply with the requirements necessary to perform their investigative task, and (3) the investigations of pre-event NRC interactions might better be conducted by an office reporting to the Commission rather than to the EDO. The Office of Inspector and Auditor (OIA), which performed a similar function in connection with the Davis-Besse incident, could carry out this responsibility. Taking into account the AEOD program for interaction with licensees, industry and INPO, and 8608070006 860723 PDR U ADOCK 05000321 PDR , | ||
Line 678: | Line 679: | ||
, An NRR memorandum of January 16, 1984 provides additional information on the CRGR proposal, including estimated frequencies of a core melt (per year) attributable to loss of main feedwater. The memorandum states that the mean probability of a core melt per year from this type of incident is 5.4 x 10-4 (or 1 chancg in 1,851). (The NRC provisional safety goal 1: 1 x 10- or 1 chance in 10,000, per reactor year. ) This average estimate assumes that feed and bleed emergency cooling is not possible at Davis-Besse; the risk of a core melt at Davis-Besse from loss of main feedwater is 5 times greater than the probability of a core melt accident in the Commission's safety goal for chances of a core melt from all types of accidents at any plant. | , An NRR memorandum of January 16, 1984 provides additional information on the CRGR proposal, including estimated frequencies of a core melt (per year) attributable to loss of main feedwater. The memorandum states that the mean probability of a core melt per year from this type of incident is 5.4 x 10-4 (or 1 chancg in 1,851). (The NRC provisional safety goal 1: 1 x 10- or 1 chance in 10,000, per reactor year. ) This average estimate assumes that feed and bleed emergency cooling is not possible at Davis-Besse; the risk of a core melt at Davis-Besse from loss of main feedwater is 5 times greater than the probability of a core melt accident in the Commission's safety goal for chances of a core melt from all types of accidents at any plant. | ||
On March 2 and 3, 1984 a stuck open safety valve resulted in steam generator dryout at Davis Besse. An I&E memorandum.of April 9, 1984 to NRR referring to this dryout supports the CRGR proposal to require diverse AFW pump power. | On March 2 and 3, 1984 a stuck open safety valve resulted in steam generator dryout at Davis Besse. An I&E memorandum.of April 9, 1984 to NRR referring to this dryout supports the CRGR proposal to require diverse AFW pump power. | ||
An April 23, 1984 letter from NRR to Toledo Edison provides the staff evaluation of the utility's December 31, 1981 reliability analysis and the Brookhaven National Laboratory reliability analysis (NUREG/CR-3530). The letter notes the opposing conclusions reached by BNL and Toledo Edison and concludes that the Davis-Besse AFWS does not comply with the current SRP reliability criterion. It should be noted that Toledo Edison's reliability analysis takes credit for feed and bleed operations and other modifications; BNL's analysis does not. | An {{letter dated|date=April 23, 1984|text=April 23, 1984 letter}} from NRR to Toledo Edison provides the staff evaluation of the utility's December 31, 1981 reliability analysis and the Brookhaven National Laboratory reliability analysis (NUREG/CR-3530). The letter notes the opposing conclusions reached by BNL and Toledo Edison and concludes that the Davis-Besse AFWS does not comply with the current SRP reliability criterion. It should be noted that Toledo Edison's reliability analysis takes credit for feed and bleed operations and other modifications; BNL's analysis does not. | ||
The NRC staff report, " Comparison of Implementation of Selected TMI Action Plan Requirements for Operating Plants Designed by B&W," May 1984 (NUREG-1066), concludes that Davis-Besse had completed all required plant modifications. | The NRC staff report, " Comparison of Implementation of Selected TMI Action Plan Requirements for Operating Plants Designed by B&W," May 1984 (NUREG-1066), concludes that Davis-Besse had completed all required plant modifications. | ||
However, three open Technical Specification items remained regarding the Davis-Besse AFWS. The report noted that staff review of these items was to be completed by June 1984 19 | However, three open Technical Specification items remained regarding the Davis-Besse AFWS. The report noted that staff review of these items was to be completed by June 1984 19 | ||
(nearly 5 years af ter the staff notified Toledo Edison in July 1979 that modification to the AFWS would be required). | (nearly 5 years af ter the staff notified Toledo Edison in July 1979 that modification to the AFWS would be required). | ||
A Toledo Edison internal memorandum of September 7, 1984 comments on the NRC's April 23, 1984 letter and the BNL analysis. It disagrees with a number of assumptions made by BNL and the staff, particularly their lack of credit for the feed and bleed function, and, concludes that their findings are " inaccurate, unjustified and irrelevant." | A Toledo Edison internal memorandum of September 7, 1984 comments on the NRC's {{letter dated|date=April 23, 1984|text=April 23, 1984 letter}} and the BNL analysis. It disagrees with a number of assumptions made by BNL and the staff, particularly their lack of credit for the feed and bleed function, and, concludes that their findings are " inaccurate, unjustified and irrelevant." | ||
At an NRC-Toledo Edison meeting on September 19, 1984, Toledo Edison committed to install a relocated, electric motor-driven startup feedwater pump with full capacity at the next refueling outage. Relocation was necessary to avoid a high or moderate energy pipe break problem. (See License Amendment 83, above.) | At an NRC-Toledo Edison meeting on September 19, 1984, Toledo Edison committed to install a relocated, electric motor-driven startup feedwater pump with full capacity at the next refueling outage. Relocation was necessary to avoid a high or moderate energy pipe break problem. (See License Amendment 83, above.) | ||
A September 28, 1984 memorandum from the Director, NRR, to the ED0 reported that the Auxiliary Systems Branch deter-mined that a diverse-drive AFW system was unnecessary. | A September 28, 1984 memorandum from the Director, NRR, to the ED0 reported that the Auxiliary Systems Branch deter-mined that a diverse-drive AFW system was unnecessary. |
Latest revision as of 04:27, 7 December 2021
ML20204F931 | |
Person / Time | |
---|---|
Site: | Hatch |
Issue date: | 07/23/1986 |
From: | Zech L NRC COMMISSION (OCM) |
To: | Matsui R HOUSE OF REP. |
References | |
NUDOCS 8608070006 | |
Download: ML20204F931 (3) | |
Text
'
.#p. m#o N
^g UNITED STATES
. 8 o NUCLEAR REGULATORY COMMISSION
{ E e
WASHINGTON, D. C. 20555 I
'%*****J CHAIRMAN July 23, 1986 The Honorable Robert T. Matsui United States House of Representatives Washington, D. C. 20515
Dear Congressman Matsui:
I am responding to your letter of April 25, 1986, to former Chairman Palladino. In that letter, you recommended the establishment of an independent review group to conduct a thorough examination of the B&W design and you expressed reservations about the role of the B&W Owners Group in the l reassessment program. As I respond, I want to reiterate the l commitment to safety as the fundamental mission of the NRC that Chairman Palladino expressed in his April 23, 1986 letter.
The staff's overall reassessment program will provide a comprehensive examination of the B&W reactor design. The program is aimed at identifying potential improvements to reduce the frequency of complex transients in B&W reactors and thereby improve their overall safety. As part of the program, operational experience of the B&W plants will be reviewed, thermal-hydraulic calculations will be performed to further examine the B&W plant response to system upsets, and B&W plant probabilistic risk assessments will be examined. As a result of these efforts, potential improvements in the areas of system design, human factors and operations will be identified.
In his letter of April 23, Chairman Palladino noted Commissioner Asselstine's comments regarding an independent review of the B&W design. The other Commissioners and I disagree with Commissioner Asselstine's proposal. As you are aware, an independent body, the Davis-Besse Ad Hoc Group, reviewed the Davis-Besse event of June 1985 and related regulatory activities. The results of the Ad Hoc Group efforts, along with their report, were presented to the Commission at a briefing held on June 6, 1986. I have enclosed a copy of that report for your information. In its report, the Group concluded, among other things, that: (1) the mandate for Incident Investigation Teams (IITs) is adequate for conducting NRC incident investigations, (2) the IIT members possessed adequate technical expertise to comply with the requirements necessary to perform their investigative task, and (3) the investigations of pre-event NRC interactions might better be conducted by an office reporting to the Commission rather than to the EDO. The Office of Inspector and Auditor (OIA), which performed a similar function in connection with the Davis-Besse incident, could carry out this responsibility. Taking into account the AEOD program for interaction with licensees, industry and INPO, and 8608070006 860723 PDR U ADOCK 05000321 PDR ,
- i the limited number (perhaps three per year) of incidents requiring investigation, the Ad Hoc Group believes that creation
, of a full-time Independent Safety Board does not appear to be justified at this time. The group also recommended several improvements to the IIT program. We are incorporating such improvements; and, in fact, I believe that the Rancho Seco IIT effort already reflects our efforts at improving that process.
The question of whether or not an independent review of the Rancho Seco event is appropriate has yet to be determined by the Commission.
You also stated in your letter that the Rancho Seco IIT report did not address the question of why neither the utility, nor the NRC took effective action to prevent the Rancho Seco event from occurring. While such a discussion is beyond the scope of the IIT charter, Chairman Palladino directed the staff to assess the completeness of various staff and licensee actions associated -
with plant control systems. Similarly, following the Davis-Besse event, the staff was directed to perform an in-depth reappraisal of NRC's current programs. One conclusion reached as a result of that reappraisal was that NRC's current safety review and inspection programs have proven capable of identifying problems in plant design and licensee performance that could adversely affect safety. However, another conclusion was that the NRC has not always reacted to indications of problems in a timely manner. The staff is assuring effective continued' monitoring and resolution of safety and licensing issues by implementing improved integrated management systems concerning such issues. The Ad Hoc Group report has strongly endorsed this effort. Enclosed are copies of memoranda, dated November 26, 1985, January 13, 1986 and February 6, 1986, which describe the actions underway as a result of the NRC's internal reappraisal undertaken in response to the Davis-Besse event.
With respect to the role of the B&W Owners Group in the reassessment program, the NRC believes their role is appropriate. It is the fundamental responsibility of each B&W plant licensee to assure that their plant (s) are properly designed and safely operated. In addition, the B&W Owners Group has the firsthand knowledge of their plant design and performance characteristics along with a detailed understanding of operational problems which have been experienced. Also, the licensees have the expertise and resources available to assure that plant performance problems can be identified and solved.
The staff has met with the Owners Group several times, and believes that their program will provide a comprehensive review l
of the B&W design. The staff will perform the necessary reviews to assure that the NRC's concerns are properly addressed and will perform the detailed assessments of areas that may not be appropriate for the licensees to address.
I am informed that Commissioner Asselstine has dissenting views and will submit them separately.
Sincerely,
, &^: &' N . W L.
Lando W. Ze 4, J .
Enclosures:
As Stated 6
a A
_n__-______-___---_-__--------------------------------------------------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
l
% UNITED STATE 8 NUCLEAR REGULATORY COMMISSION
[
s '
waawmerom.o.c.neess NOV 2 81985 k*esee .
MEMORANDUM FOR: Harold R. Denton, Director, NRR James M. Taylor Director IE Robert B. Minogue Director RES John G. Davis, Director, NMSS Clemens J. Heltemes, Director, AE00.
Thomas E. Murley, Regional Administrator, Region-I i l J. Nelson Grace Regional Administrator, Region-II l James G. Keppler, Regional Administrator, Region-III '
Robert D. Martin, Regional Administrator, Region-IV John 8. Martin, Regional Administrator, Region-V FROM: William J. Dircks Executive Director for Operations
SUBJECT:
DAVIS-BESSE EVENT - NRC LESSONS LEARNED In sqy August 5,1985 memorandum on staff actions resulting from investigation of the June 9 loss of feedwater event at Davis-Besse. I assigned responsibility for a number of generic and plant-specific actions identified in the report of theNRCinvestigationofthatevent(NUREG-1154). I also directed an in-depth and searching reappraisal of NRR, IE, AE00, RES and Region !!! programs in the light of the June 9 event.
I have reviewed the responses to that memorandum and the action plans that have been developed by the offices for addressing those assigned actions. I also have met subsequently with the program directors to review progress in initiating and implementing those action plans. I believe that the actions that are already underway or planned by the offices are a good start in addressing ,
imediate need: with respect to the specific action items assigned. I will continue to meet with the program directors periodically to review progress, toward completiov of their initiatives. I have also reviewed carefully the program reappraisels provided by the individual offices, and I believe there is need for further strengthening of our agency programs beyond the improvements
, indicated in the program office proposals.
The broad picture that emerges from my review of all the assessments that have been done to date of the Davis Besse event and its implications, points to the need for improvements in the three major areas indicated below. I believe that the points discussed below reflect the major lessons learned from the Davis 1
Besse event. To the extent that your program improvement plans do not now include explicitly specific measures to address these points, in their final forms the plans will have to be modified to do so.
- 1. More Timely Identification and Completion of Safety Issues Our safety review and inspection programs as currently structured have proven capable of identifying problems in plant design and licensee performancethatcouldadverselyaffectsafety(e.g.,thelackofdiversity/
reliability in the Davis Besse AFW system design, and the pattern of low /
kT5WYhW 7 y,,
. 1
. 2-deteriorating SALP ratings for Davis Besse). However, we have not always reacted to indications of problems provided by these programs in a way j that led to timely correction of the problems identified. Although program
! improvements already planned by the offices, as indicated in the responses i
to vny August 5 memorandum, should contribute substantially to correcting this weakness, the aspects of program improvement in this area that need l
more attention are the establishing of criteria for identifying deterior- l ation of plant performance and the tracking of identified issues. Explicit i i provisions should be made in our improvement plans for development of an improved methodology for detennining when facilities should be placed on j an NRC required " performance improvement program." Likewise, we must promptly develop and implement a more-fully integrated tracking system that will maintain accurate status of the complete range of outstanding licensing i
actions, pending generic issues, and approved backfits that must be dealt i
with, to better focus management attention on identified problems until l
necessary action is taken or completed. I have already identified some of 4 the tracking and interoffice coordination problems that need to be addressed more effectively, in a September 5, 1985 memorandum to the Directors of NRR and IE on monitoring the completion of generic issues. This beginning must be expanded upon. All offices that have a role in the identification,
, generation, imposition, or verification of compliance / completion of new
- requirements by any means share in the responsibility for development and i
implementation of the improved issue management system.
J 4
An important corollary to the need for keeping NRC management aware of the status of pending issues and approved-but-uncompleted licensing actions is l
the need to keep licensees similarly informed. We must be explicit, as well as timely, in communicating to licensees NRC's understanding of the
! status of pending safety issues or approved licensing actions. This is
' particularly true in cases where the staff's evaluation and the final NRC decision regarding a licensee's submittal on an important issue extend for an appreciable length of time, as in the case of the Davis-Besse AFW system design adequacy question. Extended delay and regulatory silence on the part of NRC in such circumstances can be misinterpreted as implicit or
- defacto acceptance by NRC of a position on which the staff is undecided or l
which the staff might even regard as unacceptable. These points are j important enough that they need to be addressed explicitly in the program 1 improvement plans.
- 2. Broader Consideration of Positive and Potentially Negative Safety l Impacts of Regulatory Actions 1
Our current me%ods for assessing the safety impacts of changes to plant l
i equipment or procedures, whether proposed by licensees or imposed by NRC,
. need to be improved to provide a broader and better understanding of both the positive and potentially negative effects of equipment and procedure modifications. The backfit decision which resulted in the installation of
- the SFRCS at Davis Besse, and other changes such as valving out the
! feedwater startup pump, resulted in unintended, unanticipated safety i effects that contributed to and complicated the June 9 event at that 1
l l
i---_.-, - _ , . -
6 e e
~ ~
facility. This was because the staff safety evaluations involved focused too narrowly on some specific safety concern or criterion (e.g., seismic
- qualificationorprotectionagainstmainsteamlinebreak)anddidnot
, adequately take into account the other potential ramifications of such
' actions. Another example of focusing too narrowly on an innediate safety concern or objective (not just in the Davis-Besse context) can be seen in j the requirement for cold-fast-start testing of diesel generators. That j testing was intended as a means of demonstrating the reliability of the i emergency power function on demand under stringent conditions. But, focusing too narrowly or, demonstration of that capability (by hamful testing) actually resulted in degrading that capability in a number of j operating plants.
Increased application of analysis techniques, such as PRA, that are
- specifically designed to provide a more-fully integrated treatment to the j many interrelated aspects of the complex safety issues that arise, can -
' contribute significantly to the broader understanding that is needed of
, both the positive and potentially negative effects of our regulatory j actions. PRA methods are inherently less likely to recognize artificial i distinctions in perceived safety importance between safety-related and nonsafety-related plant features. Such artificial distinctions reflect t
the more simplistic approach that has been taken in our safety analyses as j reflected in still-existing "deteministic" licensing criteria and requirements. Clearly, this current approach can be seen to be a j fundamental causative factor in a nunber of instances in the past where an i
intended fix of one problem has unexpectedly created or led to a more
! serious problem..
! More emphasis needs to be given to increased application of improved analysis methods (specifically PRA) in all aspects of our regulatory l activity. Such increased emphasis is necessary not only to provide a
. broader perspective in our assessment of the full impact of any proposed j changes in the future, but to provide a framework and a viable means for i
detemining whether there are other examples, as yet undiscovered or unrecognized, of weil intended past regulatory actions that may be having i an undesired effect. l I
- 3. Increased Emphasis on Balance of Plant Equipment l The paramount importance of proper maintenance in maintaining levels of I reliability assumed in the safety analyses that fom the licensing basis l for operating plants has been accorded greater recognition and increased I emphasis and attention by both NRC and utility management in the aftemath i i
of the TMI accident. However, it appears from the circumstances noted in the review of the June 9 Davis-Besse event that an inappropriate, artificial distinction (alluded to in 2. above) between the importance of l safety-related vs nonsafety-related plant features may have led some i licensees to place inadequate emphasis on proper maintenance of all equipment necessary to assure proper facility operations. Some balance-of-plant systems may actually have equal or perhaps greater safety importance (cumulatively) than equipment classified as safety-related
6 4_
because their too-frequent failure can needlessly challenge the safety-related systems, and their failure can also aggravate conditions under which the safety-related systems must respond. We need to give increased attention to assuring that the attention of licensee management is focused properly on this important aspect of plant operations and that important balance-of-plant systems and equipment receive adequate attention in the overall maintenance picture. We should also consider seriously, in the context of finalizing our improvement plans, whether this requires signifi-cantly increased commitment of regulatory attention to balance-of-plant areas within our licensing review and inrpection programs.
I want to meet with you to discuss further the matter of program improvements.
I will be scheduling a meeting within the next month or so for that purpose. I ,
- would like to receive your written reactions and comments to the above in '
advance of that meeting. Please provide me with your preliminary views by December 16. I have included in an enclosure to this memorandum some important general points and specific questions that I want you to consider for discus- l sion at the upcoming meeting to help decide those additional internal program improvements which should be implemented.
~
(Signef William J.Dirsig William J. Dircks Executive Director for Operations Enclosure Important General Points and Specific Questions for Discussion
. 1 l
- Enclosure j DISCUSSION POINTS A. Important Points for Consideration Regarding Program Improvement Identification
- 1. There is much about our existing regulatory programs and processes that work, and work well. Those aspects of our current programs that do work, demonstrably and effectively, should for the most part be left alone now. We should concentrate our improvement efforts on program aspects that clearly need to work more effectively. With regard to the SALP process specifically, for example, in its existing form that program effectively identified before the June 9 event the i need for improvement in licensee performance in areas highlighted subsequently in the NRC investigation following that event. The .
I problem, therefore, was not that the SALP process failed to identify problems. The need for further improvement in the SALP process (beyond changes already planned in the iminent SALP Manual Chapter revision) would appear to lie principally in the program managers' recognizing and reacting somewhat sooner to SALP trends indicating
- poor or deteriorating licensee performance.
s Similarly, the safety review process, as it is currently conducted within NRC, did identify basic questions regarding the adequacy and reliability of the Davis-Besse AFW systems configuration, and resulted in a continuing pressure to upgrade its design and improve its reliability over a longer period of time. The problem is that j the period of time involved was too long. In retrospect, it does i seem likely that the perspectives provided by a more-fully integrated treatment of that system's less desirable features (such as the SFRCS, and the locking out of the standby feedwater startup pump) had they been available earlier, would have brought things to a head with regard to final disposition of that issue before the occurrence of the June 9 Davis Besse event. It is also likely that the existence of the improved issue mangagement system referred to above, might j
have kept management attention focused more effectively on that l
situation and brought about earlier resolution of that issue. The message, again, from all this is: we must avoid change for change sake in the heat of this particular moment. I see no need for funda-mental or wholesale change in our programs. What is needed are l
j judicious improvements on what are, for the most part, well-working programs. We need to concentrate our efforts in those areas where the need for improvement is strongly and broadly indicated.
- 2. There has been criticism directed at the use of PRA in our regulatory
- activities, to the effect that reliance on PRA in determining the priority of a safety issue contributes to inordinate delay in dealing
- effectively and promptly with issues that are identified; e.g., the
' AFW safety issues that had been identified at Davis-Besse. It is i
wn--w n ,vm m _ s _,,,m-m-,, ,.-e-,.,- . _ . - , - - _ - ~ _ - - , - - -
likely true that, if our licensing decisions regarding Davis-Besse had been made solely on the basis of deteministic-type criteria and judgments to the exclusion of any probabilistic analysis input, NRC would long ago have required Davis-Besse to provide a diverse AFW
, system design. The balancing consideration is that we would likely
- also have required that utility and other utilities to do many other i things, a number of which would now be seen as unnecessary for safety in the light of insights provided by PRA. As we learned in the after-math of TMI, the undisciplined proliferatien of requirements that can result when we restrict ourselves solely to use of deterministic-type criteria and engineering judgment can adversely affect safety.
Equally important, the improved, more-fully integrated treatment of -
safety issues (the need for which I have previously emphasized).can only practicably be achieved at this time by systematic analyses -
within the framework provided by PRA methodology. So keeping in mind the uncertainties and limitations of PRA methods as they have evolved to this point, and appropriately taking into account such uncertainties and limitations in our decisionmaking, we must continue to apply and even broaden our application of those powerful integrating methods to achieve important program improvements that can be demonstrated to be necessary. I would expect to see, therefore, in the comprehensive plans for program improvements that result finally from our upcoming
. discussions, proposals for increased use of PRA in detemining safety importance of issues identified for regulatory action, in detemining i inspection methods and focus, in prioritizing operational experience 1
review efforts, determining research programs, ete; in short, in every phase of our activities.
l B. Specific Questions To Be Considered in Determining Additional Program Improvements Questions
- 1. Should NRC as a matter of policy concentrate more heavily on balance-of-plant systems in our full range of regulatory activities?
- 2. What is the most efficient and effective means of examining retrospectively whether, in the absence of a more-fully integrated evaluation of safety issues in the past, we have prescribed actions (such as locking out valves / pumps / breakers) or approved installation of systems (such as SFRCS) in licensing contexts other than Davis-l Besse that could have unintended, adverse effects on safety?
- 3. Are administrative control measures like locking or chaining valves driven principally by security or safety concerns? If safety is the driving concern, wouldn't use of more easily broken seals or other such " flags" satisfy the safety purpose involved (i.e., inadvertent operation) in many areas? If security was the driving concern in implementing such measures, has adequate consideration been given to alternative measures that could be more easily overridden in the event of an emergency?
- 4. Should serious consideration be given to moving away from testing of individual components of safety systems during normal operation as a means of verifying or assuring operability, to more integrated testing of systems during outages?
- 5. Should we develop criteria which mandate when a licensee is to be required to implement a "Perfomance Improvement Program"?
~
I
g UNITED STATE 8 8 NUCLEAR REGULATORY COMMISSION I. WASHINGTON, D. C. 30006 January 13, 1986 MEMORANDUM FOR: Addressees FROM: James H. Sniezek, Acting Deputy Executive Director Regional Operations and Generic Requirements
SUBJECT:
AGENDA FOR NRC LESSONS LEARNED MEETING As discussed on the conference call, the meeting will be held at 10 a.m. on Thursday, January 16, 1986 in the Operations Center, MNBB. Regional Administrators will participate by phone.
The purpose of the meeting is to ensure we are taking appropriate actions in response to the lessons learned from the Davis-Besse event and (to the extent our understanding permits at this time) to the recent Rancho Seco event.
Enclosed is the listing of topics for discussion at the meeting. Each '
participant should be fully prepared to advise the ED0 on these topics and the staff activities in each area so that a decision regarding additional appropriate NRC action can be reached.
There are five major areas for discussion:
- 1. What, if any, design improvements need be made, on what time frame, and how should NRC approach the design issue? What NRC actions are currently underway and what additional activities need to be instituted? (Items I.B.I.C.I.D).
- 2. What NRC actions are underway to assure timely identification and completion of safety issues? What more is necess:ry? (Item II A.1), (
- 3. What additional steps should we take to assure we full understand the ramifications of our regulatory actions? (Item II A.2 .
4 How much attention are we placing on balance-of-plant issues? Should we increase the emphasis? How should we proceed? (Item II A.3). )
- 5. What specific actions regarding the other issues raised by certain offices in response to the WJDircks memo dated 11/26/857 (Item !! B and C).
Additionally,theEDOshouldbeinformed(onanexceptionbasis)regardingthe status of staff actions detailed in the WJDircks memo dated 8/5/85.
(ItemIA).
- w. .
- g. . ..-
2 i
To the extent possible it 1.s expected that staff assignments and schedules will be developed to reflect decisions reached during the meeting.
oristr. J. sicasi W JamosH.Snissek James H. Sniezek Acting Deputy Executive Director Regional Operations and Generic Requirements
Enclosure:
Topics for Discussion cc: V. Stello J. Roe T. Rehm
i e
ADDRESSEES FOR MEMORANDUM DATED January 13, 1986 John G. Davis, Director, NMSS Harold R. Denton, Director, NRR Robert B. Minogue, Director, RES James M. Taylor, Director, IE Clemens J. Heltemes Director, AEOD Guy H. Cunningham, Executive Legal Director Ronald M. Scroggins, Director, RM Thomas E. Murley, Regional Administrator, Region-I J. Nelson Grace, Regional Administrator, Region-II James G. Keppler, Regional Administrator, Region-III Robert D. Martin, Regional Administrator, Region-IV John B. Martin, Regional Administrator, Region-V 6
a l
d I
k
1
' Topics for Discussion at Meeting on Lessons learned from Davis-Besse f
I. PLANT-SPECIFIC OR B&W DESIGN-SPECIFIC TOPICS A. Status of D-B Action Items (Ref. - WJD Memo dtd 8/5/85)
(Note: Report by exception only, i.e., significant/ unanticipated proL'ams or delays in implementation)
B. AFW Design Improvements
- 1. Status of D-B AFW Design Upgrade
- 3. Possible Need for Further Generic Upgrade to Fully Safety-Related (Ref. - NRR Memo dtd 12/24/85toWJD) *
(Ref. - ACRS Letter dtd 12/10/85)
' C. SFRCS Design Reassessment
- 1. Need for Reassessment Recommended (Ref. - Rowsome Memo dtd 9/9/85)
- 2. Preliminary Effort by RES Ongoing
- 3. Need for Comprehensive Reassessment (Is a higher priority effort needed? Whoshoulddoit?)
D. Possible Need for Broad Reassessment of B&W Design Adequacy
- 1. Cumulative Operating Experience of B&W Class (Does experience to date, including recent events at D-B and
. Rancho Seco, indicate need now for such a reassessment?)
- 2. Where does capability exist for such a reassessment (within NRC?
At DOE labs?)
- 3. Possible Implications of Such a Reassessment (Perceived as prudent or as questioning adequacy of B&W class to continue safe operation? Compensatory measure needed, as an interim re verdict?) gulatory measure, for continued operation until final
- !!. REASSESSMENT OF ADE0VACY OF NRC REGULATORY PROGRAMS l A. Sumary of Responses to Principal Points in WJD memo dtd 11/26/85 l
2 i
- 1. Timely Ident(fication and Completion of Safety Issues
- a. Strong consensus that improved integrated Issue Management and Tracking System is needed.
- b. Strong consensus that Licensee Perfomance Indicators and criteria for triggering imposition of Perfomance Improvement Program should be developed and incorporated into SALP.
- c. Equal or greater need seen for improvement of other aspects of management systems, e.g., quarterly or semi-annual perfomance review meetings for each operating plant.
- d. Need seen for greate* involvement of program offices in SALP, and for restructuring and better focusing of some SALP categories to better reflect relative safety importance,
- e. Need seen for more effective NRC policy / measures regarding poor performers as well as for better perfomance indicators.
- 2. Broader Consideration of the Positive and Negative Safety Impacts of Regulatory Actions
- a. Strong consensus that broader consideration by NRC is necessary; but licensees' responsibility to improve in this area also emphasized.
- b. PRA seen as useful and important tool, but not panacea, in this regard. PRAs should not replace deterministic criteria.
- c. Surveys of NRC staff and licensees suggested as a practical means of identifying instances in which regulatory actions have had undesired effects. A more disciplined management system for dealing with such candidate issues, when identified, also seen as a crucial need.
- 3. Increased Emphasis on Balance-of-Plant
- a. Strong consensus that NRC should give greater emphasis to balance-of-plant systems in regulation.
- c. Priority effort should be initiated to evaluate existing PRAs in this regard,
- d. Some sentiment expressed that NRC should be concerned only with systems necessary for safe shutdown; also that changes
.. l 3
I l
to regul and enfo,ations rcement inmay new be B0Pnecessary areas. to permit NRC inspection B. Responses to Other Questions Posed in WJD memo dtd 11/26/85 l
- 1. Locking / Chaining of Valves i
- a. Driven by safety concerns in most instances. More easily l broken seals already used in lieu of locks / chains in many cases.
- b. Locks / chains / seals on safety-important valves readily identify those components to anyone intent on disrupting plant systems.
- 2. Integrated Testing of Systems
- a. Broad support for integrated testing of systems during plant shutdown periods in place of testing of individual components during operation; but this would not address the more fundamental and difficult problem that actually accounts for much of the adverse operating experience observed to date, i.e., failure to properly define and conduct the tests actually required and to restore systems after testing.
C. Inadequate Use of Industry-Wide Operating Experience by Individual Plants NOTE: This program improvement issue was not addressed in WJD memo dtd 11/26/85, but was raised subseouently and separately in an AE00 Report. (Ref. - AE00 Preliminary Report dtd 12/24/85)
- 1. Timely and effective application of lessons learned from operating experience is a fundamental premise of post-THI safety
. regulation by NRC.
- 2. Licensees are evaluating and applying lessons learned from their own operating experience.
- 3. Licensees are not evaluating and applying other plants' operating events, resulting in repeats of serious operating events in a number of plants that should have been avoided.
l l
FEB 06 W MEMORANDUM FOR: Chainnan Palladino Connissioner Roberts Connissioner Asselstine Connissioner Bernthal Connissioner Zech FROM: Victor Stello, Jr.
Acting Executive Director for Operations
SUBJECT:
DAVIS-BESSE EVENT - NRC LESSONS LEARNED Enclosed for your information is a summary of a meeting I held on January 16,
,1986 with senior NRC managers (Regional Offices participated by telephone conference hookup) to discuss NRC lessons learned from the Davis-Besse event (and, to the limited extent possible at this time, from the more recent Rancho Secoevent). The sunnary documents decisions that were made with respect to (1) improvements needed in our internal agency operations, and (2) the need for reassessment of the adequacy of the B&W nuclear plant design. In my view, it was a very productive meeting.
Original signed by'
. Victor Stallo ,
Victor Stello, Jr.
Acting Executive Director for Operations
Enclosure:
( Meeting Sunnary cc: OGC OPE SECY P
Odid1# Mdb' t.^ y
. f MEETING
SUMMARY
B&W Desian Reassessment The general question of the need for reassessment of the adequacy of the B&W reactor design, in view of cumulative operating experience with the B&W design to date (including, in particular, the recent Davis-Besse and Rancho Seco problems), was the principal topic for deliberation and decisionmaking at the meeting. The strong consensus of the meeting participants was that reassess-ment of the B&W design is in order at this time. Two reassessment-type efforts that have already been put into motion were discussed: (1) an effort undertaken i by the B&W owners group (BWOG) to review the Davis-Besse event of June 1985 and !
the Rancho Seco event of December 1985; and (2) a recently-initiated task group I
effort within NRR to reevaluate the design of the integrated control system (ICS) and its interaction with nonnuclear instrumentation (NNI) systems.
On the basis of recent discussions with the BWOG, NRR is of the view that both B&W and the utility members of the BWOG recognize now that certain weaknesses or vulnerabilities inherent in the design and operation of the B&W reactor design must be addressed more effectively, and they intend to work closely together now in doing so. The BWOG will report the status and progress-to-date
! of their efforts at a meeting with NRR now scheduled for early February. NRR will prepare a letter imediately to the BWOG, to indicate the staff's high
' interest in and encouragement of that activity, to give added visibility and impetus to the BWOG effort, and to make clear the NRC view that it is important that utilities through the BWOG share in and will hopefully take lead
. responsibility for such design reassessment and improvement.
With regard to the NRR reassessment task group that has been established, it was noted that the group's original charter called for reenluation of the IOS/NNI design and interface. NRR recommended that the effort be expanded to include issues that impact on the fast response to operational transients. The concern to be addressed is whether the B&W design response time is inherently too rapid to allow reliable and effective operator actions that may be required in the event of severe plant upsets / transients. Other design features unique to the B&W design (e.g., the SFRCS), which appear to contribute to too high a frequency of transients in B&W plants, or which can complicate unnecessarily the conditions that operators must respond to in such events, would also be I examined carefully in the (proposed) broadened NRR reassessment effort.
( The direct applicability of several ongoing RES projects to the proposed design reassessment effort was noted. Specific examples cited were: (1) the computerized Interactive Risk Analyzer development effort (this analyzer has been applied initia?ly to one of the Arkansas Nuclear One unit designs); and (2) the Plant Analyzer that has been used for thermal-hydraulic analyses of transients in the Oconee, Bellefonte and Davis-Besse reactor designs. These tools could be used immediately by the staff to begin the recalculation of fast r
transients that must be done in the reassessment effort envisioned. It was
2 noted, however, that these kinds of analyses are very plant-specific focused and resource intensive. Significant cooperation of the industry and utilities will be required in providing the detailed kind of plant design information that will be required. NRC's experience in obtaining design data recuired for the analyses done for NRC by Oak Ridge National Laboratory and Idaho National Engineering Laboratory in connection with USI A-47 was recounted to illustrate this point.
With regard to other possible reassessment options, NRR and RES reported that EPRI seems reticent at this point regarding serious involvement or a lead role in any reassessment effort. The possibility of involving DOE in an independent reassessment was also discussed. It was noted that, if such an effort were to be seriously considered, very timely action would have to be taken to assure that funds are available in the DOE budget for the major task envisioned. RES agreed to promptly contact DOE to begin discussions of the feasibility of DOE involvement and any necessary preliminary planning required. The question of projected schedule for accomplishing the design reassessment efforts envisioned was then discussed. It was agreed that the staff's reassessment efforts should be conducted and concluded on a schedule that would permit agency decision on the B&W design adequacy issue by the end of 1986.
After thorough discussion of all these aspects of this question, the consensus was that the NRR ICS/NNI reassessment effort should be broadened as recommended
,by NRR and given the necessary priority to assure its completion on the schedule indicated above. NRR, in coordination with RES, will develop and provide to the EDO within 1 month the overall plan of action and projected schedule for accomplishing the necessary study efforts involved. The need to maintain that schedule was emphasized and acknowledged by all meeting participants. These projected schedules could be adjusted if the industry agrees to lead responsibility for this issue.
Improved Issue Tracking and Management System A second major topic of the meeting was the question of need for, and projected schedule for the effective availability of, an improved tracking system to facilitate the cradle-to-grave monitoring and management of all important identified safety issues and approved licensing actions. There was consensus among the participants in this meeting that such an improved system was needed.
- It was noted that a strong initiative has been taken by RM, in cooperation with l RES, IE NRR and NMSS, to develop and provide such a system (designated GIMS) on i an expedited schedule. The close coordination and cooperation evident among the major offices recently in pursuing this important effort was acknowledged and commended. The necessity for continuing the effort on that basis and completing it expeditiously now was emphasized. The goal is to have a workable tool available as soon as possible for effective use by NRC senior management in the difficult and perennially troublesome task of resolution and closecut of safety issues that arise continually to compete for staff attention. The need for an improved system was identified prior to the Davis-Besse event in connection with a GA0 audit (and criticism) of NRC's handling of generic l issues. The circumstances surrounding the Davis-Besse event in June 1985 I reinforced the need for an improved system; and Mr. Dircks had set the December
3-1985/ January 1986 time frame as the date for completing development and beginning implementation of GIMS. Mr. Stello stressed that it is now imperative that a workable improved system be provided for effective use by NRC senior management in getting positive control of safety issue management without any further slippage in established schedules.
The following schedule is currently projected for availability / implementation of the new system:
- 1. By end-of-February, RM will have the computer system (hardware & software) required for the new Issue Tracking System up and running, although by that date it is expected that only about 15 percent of the data eventually required in all the data elements of the new system will actually be
- loaded. The first data entered into the new system will be from the current NRR TACS and LORDS systems for tracking NRR activities related to generic issues and other licensing actions.
- 2. By end-of-June, it is projected that another important NRR tracking systems (GIMCS) can be incorporated fully in the new GIMS system.
- 3. Current schedules call for having all applicable data currently available within NRC in various other existing information systems (e.g., the TMI Action Plan Tracking System; the ORLAS system for tracking the status of operating reactor licensing actions; the IE Bulletin tracking system; etc.) fully-loaded into the new system by end-of-July.
RM stated that the end-of-February date in (1) above seems quite firm at this point. Testing of the new system hardware and software is in progress now, and it appears that date will be met. The end-of-June and end-of-July dates cited in (2) and (3) above are much less certain, and can only be achieved if the program offices involved, who must actually provide input from their separate existing systems for loading into the new integrated systems, give very high priority to those efforts. NRR also cautioned that some of the data called for in the complete GIMS system (e.g., inspection / verification of completion of all required actions by individual licensees) may not now be available completely within the agency. If not, and if NRR/IE staff or licensees must be tasked to collect and provide such data, the time frame for providing a fully-loaded GIMS system could be lengthened significantly. It was agreed, however, that the schedule for collecting and loading data required by the new system that are currently available within other NRC information systems (or are readily obtainable by the staff) must be maintained as indicated above. All participants at the meeting agreed that their offices would give the necessary priority to completing that portion of the overall task by the end of July.
The actual extent of required data not currently available within/to NRC (if any), will emerge as this coordinated effort goes forward. Further decisions regarding what additional measures must be taken (if any) to obtain any missing data, to assure full functioning of the GIMS system as an effective management tool, will be made if/when that need arises.
\
. . . 4- ,
~
r Performance Appraisal Meetings On Operating Facilities An important point made in the context of the discussion of the improved issue tracking and management system topic above, was that the improved tracking system is necessary, but not sufficient, to assure that the necessary follow-through on all identified safety issues takes place. Considerable support was expressed by the participants at this meeting for proposals / ideas (submitted in fomal comments provided in advance of the meeting) calling for intensive and dedicated meetings periodically, of the senior management of NRC program and regional offices, for the purpose of thrashing out and deciding expeditiously the many issues and problems identified by the NRC staff on a continuing basis. A specific forum suggested for doing this is a periodic (e.g., quarterly or semi annual) perfomance appraisal meeting to consider thoroughly the operations and perfomance of each operating facility. It was agreed that this suggestion should be implemented, on a trial basis first, in conjunction with the next regularly-scheduled Regional Administrators' meeting. .
The agenda for the next Regional Administrators' meeting will be extended by one-half day for this (dedicated) purpose. Program and regional offices will submit in advance proposals regarding issues / problems to be considered at this meeting; DEDROGR will' coordinate this~ input and determine the agenda for this first trial-run meeting. Key HQ program directors (e.g. , NRR, RES, ELD, RM) will be invited to attend the add-on, half-day session, as appropriate, to assure that a full complement of senior managers are present: (1) to support discussion of the full range of technical and legal aspects that may be involved in the topics chosen for consideration, (2) to examine fully the '
resource impact / implications of any specific actions proposed, and (3) to .
enable decisionmaking on the matters discussed before adjournment of the meeting to the extent practicable. The hope was expressed by participants at this meeting that implementing this fomat for senior management's consideration of issues would encourage the kind of staff work and the degree of coordination between mid-level program office and regional office manager.s in advance of the meeting, that will enable the senior managers to actually 2 decide courses of action ori the matters discussed at the meeting, not simply to hear about them or exchange views regarding them. It was agreed that if this was the case, something very useful and significant could come out of this experiment. Continuation and/or expansion of this concept will be decided finally based on assessment by the participants following the meeting of the effectiveness and efficiency of this format / mechanism for dealing with '
important issues.
Licensee Performance Indicators The third major topic discussed at this meeting was development by NRC of licensee performance indicators, and criteria for imposing mandatory performance improvement measures if licensee perfomance is perceived to be lagging. For the short-term, IE has revised IE Manual Chapter 2515 to make the '
results of SALP evaluations a primary consideration in the allocation of inspection resources. The revised IE Manual Chapter provides specific guidance !
for increasing or decreasing inspection efforts in response to the latest SALP ,
evaluations. The intent of the changes was to make clear that licensee !
perfomance which results in functional areas being rated Category 3 is l acceptable only on a short-term basis, and that continued performance at such !
levels will not be tolerated. Letters transmitting SALP Reports containing I
--g-,.-.-,--- . . , , , . , - . - -hy . - - , - . -,-----------_,.---.--v---- --------w-----w-+--,- w-w..-..-,--,,-~r.-,,---. - - , - - --.in.-,e -e n- r w -
Category 3 ratings will now require the licensee to respond and provide the licensee's planned corrective actions to achieve improved perfomance in the functional areas rated Category 3.
For the longer tem, the staff is developing additional guidelines on further actions to be taken when licensee performance is evaluated as Category 3.
Staff is also developing a set of objective performance indicators for potential use in evaluating each of the SALP function areas and for signaling adverse performance trends throughout the SALP evaluation period.
With regard to the effort to identify an improved set of reliable performance indicators, it was noted that the results of recent efforts by INP0 to develop a set of key maintenance performance indicators, for INPO's use in their continuing effort to improve the performance level of the industry as a whole, were reviewed at a recent meeting between INPO and NRC management in Atlanta.
The general NRC reaction seemed to be that there was not a high degree of _
correlation evident to the NRC participants between licensee perfomance results viewed retrospectively (as determined on the basis of IE inspections and SALP ratings) and the way those same licensees would have " stacked up" had g they been rated against the INPO-developed set of perfomance indicators. This reinforced the view that identification of an appropriate set of indicators for NRC's regulatory purposes will be a difficult task. It was agreed, nevertheless, that the staff must do the work necessary to try to identify the most reliable set of indicators possible, and make specific recomendations to the 'Comission on this important question without further significant delay.
~
IE has the lead role in coordinating this longer-tem effort as well. IE will assemble, by mid-March, an interoffice task group to fomulate the final staff position on the subject. That group will provide to the EDO by mid-April their plan and schedule for completing the performance indicator development task.
Balance-of-Plant and Safety Ramifications of Regulatory Actions A fourth main topic area was the need to expand NRC's regulatory activities in balance-of-plant (BOP) areas, and the closely-related question of the need to broaden the staff's analysis and understanding of potential safety impacts (both positive and negative) of regulatory actions and decisions. There was a strong consensus among meeting participants that NRC must increase the regulatory attention given to BOP system design and operation, and must take positive steps to improve our understanding of the possiblo negative safety impacts of our regulatory actions. Expanded use of PRA was' ar approach strongly favored by a number of meeting participants: (1) to identify candidate
, BOP areas where increased regulatory attention could produce the highest i
safety / risk benefit, and (2) to better understand (on the basis of a more comprehensive and integrated treatment of the operation and interaction of nonsafety and safety systems), the possible negative safety impact of proposed changes to plant design or operating procedures. Use of survey techniques to solicit suggestions from cognizant NRC staff members, knowledgeable members of the public, and even the operating utilities themselves, regarding B0P candidates for increased NRC scrutiny or instances where regulatory actions may have produced unintended adverse safety impact, was an alternate approach suggested. The possibility of combining these two approaches was also i
considered (i.e., use insights gleaned from PRA analyses done to date to prepare a listing or ranking of safety / risk important plant features, and use this listing as a basis for soliciting comment or suggestions on expanding the scope of NRC's regulatory purview, etc.).
Some questioned whether PRA should be used primarily or even in a greatly-expanded role in the near future as the means of examining these questions, in view of the resource intensive nature and plant-specific focus of PRA noted earlier. The need was seen to update existing PRAs continually (i.e., implement a "living" PRA concept) if they were to be used as some
, suggested in this context.
After much discussion of these questions, the consensus seemed to be (for the short term, at least) (1) to continue to use PRA in the manner and to the degree it is currently used, to provide useful insights into safety issues being examined and regulatory actions being proposed, and to examine critically the cost benefit and backfit implications involved as well, and (2) to apply insights from PRA in combination with lessons learned from experience, and the suggestions / input gleaned from senior, seasoned, knowledgeable individuals both within and outside NRC to identify BOP areas in which to focus increased NRC attention on a priority basis and to guide the staff's efforts in broadening consideration of the possible impacts of our regulatory actions.
Another important question dealt with in these discussions was whether any rule
' changes are likely to be required to pennit the NRC staff to extend the scope of its current regulatory activities into additional BOP /nonsafety-related areas. The ELD view was that rule changes are not required to provide a legal
. basis for the type of expansion of scope being addressed at this meeting (i.e.,
where the reason for expanding the scope of the staff's activities is NRC concern arising from demonstrable safety implications of the nonsafety/B0P plant features at issue). More specifically, where the NRC concern can be tied to a new understanding by the staff of some essential element of the existing licensing basis (e.g., recognition that the staff's previous assumptions regarding frequency or severity of challenge to safety systems may be incorrect because reliability of nonsafety equipment is not adequately assured), the technical and legal basis for extending the scope of regulatory involvement is established. Another point emphasized in this context was that, although rule changes may not be necessary, the backfit implications of any proposed extension of the current regulatory scope must be thorcughly considered and documented under the new backfit rule.
With regard to specific actions to be taken by the staff for improvement in these areas, IE will provide to the ED0 by early March, preliminary proposals for expanding IE inspection activities in BOP /nonsafety-related areas. NRR will provide the ED0 a preliminary plan for augmenting and improving the
. staff's evaluation of a nuclear plant as an ir.tegrated set of systems on a similar schedule.
7-Inadequate Use by Licensees of Operational Experience Information The final major topic discussed at the meeting was the conclusion, based on an extensive AEOD study, that control room operators are not sufficiently aware of, and do not make adequate use of, lessons learned from operating experiences at other-than-their-own facilities. That conclusion is contained in a draft report that has been widely-circulated recently within the agency by AE00 for comment. It was noted by a number of meeting participants that a regulatory requirement for evaluation and use of operating experience by licensees is in place; but the AEOD conclusion (supported by disturbing examples cited in the report) is that the post-TMI scheme for assuring effective use of operating experience is simply not working as intended. A principal factor seems to be that the sheer volume of operating experience reports generated by all operating nuclear power plants is simply too great for operators at any single facility to absorb and evaluate; so improved mechanisms for distilling that large volume need to be considered. INPO has had a major role in monitoring and improving licensee performance in this area in the years since the TMI accident. Therefore, AEOD also provided their conclusions to INPO for their information.
It was agreed that serious consideration must be given now to whether NRC must take additional regulatory action in this area, and all offices to whom the draft report had been provided will review the report expeditiously and provide promptly to AEOD their views on this critical question. It was also noted, in
'this context, that IE has recently developed an improved plan for inspection / evaluation of licensees' corrective action systems generally. That plan appears to have relevance, and will be circulated for comment, in this same context.
Summary of Results and Conclusions A summary of the key decisions made, lead assignments given, and preliminary schedules established as a result of discussions at this meeting is provided in Attachment I to this Meeting Summary.
6 1
ACTION ITEMS _(PRELIMINARY)
FROM LESSONS LEARNE0 MEETING ON DAVIS-BESSE RESPONSIBLE COMPLETION OFFICE DATE ACTION I. B&W Design Reassessment A. Prepare Letter to BWOG NRR 2/1/86 (Completed)
B. Explore DOE Involvement RES 2/1/86 (Completed) m C. Develop Plan / Schedule for NRR 2/14/86 NRC Reassessment Effort D. Staff Recommendations / Conclusions 12/31/86 Regarding B&W Design Adequacy II. Improved Tracking System (GIMS)
A. System Up and Running (15% Loaded) RM 2/28/86 B. Achieve Automated Loading of RM/NRR 6/30/86 GIMCS Data C. Complete Loading Data Available NRR/IE/RES/ 7/31/86 NMSS/ Regions Within/To NRC D. Identify Additional Information NRR/IE/RES/ 7/31/86 Required to Complete System NMSS/ Regions III. Develop Licensee Performance Indicators / Criteria Ac Establish Interoffice Group for IE 3/15/86 i
Long Term Study B. Preliminary Proposals for Operations / IE 4/15/86 Maintenance Performance Indicators C. Develop Detailed Plan / Schedule for IE 4/15/86 Performance Indicator Development Task D. Staff Conclusions / Recommendations IE 8/31/86 (Longterm) l
a 2-
~
4 RESPONSIBLE COMPLETION ACTION OFFICE DATE
't IV. Performance Appraisal Meetings A. Develop Schedule / Agenda for DEDROGR Next Regional First Trial Meeting Administrators Meeting V. Broader Consideration of Balance-of-Plant and Ramifications of Regulatory Actions A. Develop Preliminary Proposals for IE 3/1/86 Increased Inspection of B0P B. Develop Plan for More Fully- NRR 3/1/86 Integrated Evaluations of Nuclear Plant Systems VI. Evaluate Licensee Use of Operating Experience A. Provide Comments on AE00 Program and 2/14/86 Draft Report Regional Offices B. AEOD Final Report to EDO AEOD 4/15/86 I
' * - - - " - + - - - . - . _ . . _ _ _ _ . . , , , _ , _ . _ _ _ , , _ _ , _ , , _ _ _
ROBERT T, IAATSul wwacroa omce Taino Disinct. Catwomma 231 CANNON HOUSE OFFICE SutLDING
- WASHINGTOct. DC 80515 (202)225 7,163 COMMITTEE ON
- * " ^ ~ " ' "
Congregg of tfje Enitch 6tates .0.IX"LNo 650 CAPITOL MALL Jpouse of Representatibeg *^'7".'".'.us'.""
3Basfjington, BC 20515 April 25, 1986 Honorable Nunzio Palladino Chairman U.S. Nuclear Regulatory Commission Washington, DC 20555
Dear Mr. Chairman:
Your letter of April 23rd reflects a startling degree of discord within the Commission regarding the adequacy of the NRC's efforts to improve the safety of nuclear power plants designed by .
Babcock & Wilcox It has been seven years since the accident at Three Mile Island, but incidents at other B&W reactors continue to occur with alarming frequency. It is Commissioner Asselstine's view that the NRC has not taken effective action to correct the problems with B&W reactors, and your letter in no way reassures me that such action will be taken.
I am particularly troubled by Commissioner Asselstine's statement that the Commission has stonewalled his efforts to establish an independent review group to conduct a thorough examination of the safety vulnerabilities in the B&W design.
In my opinion, the NRC proposal to reassess the long-term safety of B&W nuclear reactors is little more than window-dressing, and your letter has given me little reason to think /
otherwise. i I am not reassured by the fact that the NRC has turned over the responsibility for the reassessment to the industry itself. l I am further dissatisfied that it has been nearly four months l since the reassessment was proposed and yet no final plans or procedures have been developed to carry it out.
The NRC Incident Investigative Team's review of the December 26, 1985 accident at the Rancho Seco nuclear plant is highly critical of the NRC staff's failure to learn from past events that pointed to safety problems with B&W reactors.
Unfortunately, the question left unanswered in the IIT report was why neither the utilities nor the NRC took effective action to prevent the accident from occurring. ,
l C D M ll 4 th 2 l
'On & (A V I f p L.:- ",
L pf, THIS STATIONERY PRINTED ON PAPER MADE WITH RECYCLED FIBERS
. . l HONORABLE NUNZIO PALLADINO PAGE TWO What I would like to avoid is a possible conflict of interest in the investigation of safety problems at B&W plants.
Under current practice, any review of the adequacy of the NRC staff's performance is left to the staff itself. However, past experience has demonstrated a well-entrenched reluctance by the staff to criticize the shortcomings of NRC procedures at higher levels.
I am also extremely skeptical of a reassessment of B&W plants which is conducted by the B&W Owners Group itself.
I feel that it is imperative that you reassure the public of the NRC's commitment to nuclear safety in regard to B&W reactors. To that end, I am requesting that the NRC follow Commissioner Asselstine's recommendation and establish a special review group, including experts from outside the NRC, to conduct a thorough and ongoing review of the safety vulnerabilities in the B&W design.
A similar advisory group was established in Pennsylvania after the Three Mile Island accident, and I believe that recent incidents at Rancho Seco and at other B&W plants warrant similar attention.
Finally, let me say that I appreciate your commitment to safety as the NRC's fundamental mission, and I urge you to use all the tools at your disposal to fulfill that commitment.
Very truly yours, f b w'-
ROBERT T. MATSUI
- Member of Congress
NUREG-1201 Report of the
- Independent Ad Hoc Group for the Davis-Besse Incident U.S. Nuclear Regulatory Commission l
,s ~m,,
s :
w a m ! P
i NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources:
- 1. The NRC Public Document Room,1717 H Street, N.W.
Washington, DC 20555
- 2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082
- 3. The National Technical Information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Docu-ment Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and N RC booklets and brochures. Also available are Regulatory Guides, N RC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.
Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. federal Register notices, federt.l and state legislation, and congressional reports can usually be obtained from these libraries.
Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.
i
! Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Com-i mission, Washington, DC 20555.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available ,
there for reference use by the public. Codes artd standards are usually copyrighted and may be j purchased from the originating organization or, if they are American National Standards, from the j American National Standards Institute,1430 Broadway, New York, NY 10018.
l
NUREG-1201 Report of the Independent Ad Hoc Group for the Davis-Besse Incident Manuscript Completed: May 1986 Date Published: June 1986 U.S. Nuclear Regulatory Commission Wcshington, D.C. 20555
,p "=~a,
{
l t
l i
i j
ABSTRACT The Nuclear Regulatory Commission established an independent Ad Hoc Group in January 1986 to review issues subsequent to a complete loss of feedwater event at Davis-Besse Nuclear Power Station on June 9, 1985, including the NRC Incident Investigation Team (IIT) investigation of that event. The Commission asked the Group to identify additional lessons that might be learned and from these to make recommendations to improve NRC oversight of reactor licensees. To fulfill its charter, the Ad Hoc Group examined the following: (1) pre-event interactions between the licensee and NRC con-cerning reliability of the auxiliary feedwater system and associated systems; (2) pre-event probabilistic assessments of the reliability of plant safety systems, NRC's review 'of them, and their use in regulatory decisionmaking; (3) 11-censec m'anagement, operation and maintenance programs as they may have contributed to equipment failures and NRC oversight of such programs; and (4) the mandate, capabili-ties of members, operation, and results of the NRC Davis-Besse IIT, and the use to which its report was put by the regulatory staff.
l iii -
l I
i CONTENTS Page Abstract .............................................. iii Davis-Besse Independent Ad Hoc Group .................. vii Acknowledgments ....................................... viii Acronyms .............................................. ix 1 EXECUTIVE
SUMMARY
................................. 1 4
Background ........................................ 1 Ad Hoc Group Mandate and Methodology .............. 1 Davis-Besse Regulatory History .................... 3 1
Ad Hoc Group Conclusions and Recommendations ...... 3
- 1. Pre-event Interaction Between Toledo Edison and NRC Concerning the Auxiliary Feedwater System .......................... 4
- l. 2. Davis-Besse Reliability Assessments ....... 5
- 3. Contributions of Toledo Edison's Manage- o ment, Operation, and Maintenance Programs to Equipment Failures ..................... 6
- 4. NRC Incident Investigation Program ........ 7 2 INTRODUCTION ...................................... 9 ,
3 PRE-EVENT INTERACTION BETWEEN TOLED0 EDIS0N AND NRC CONCERNING THE AUXILIARY FEEDWATER SYSTEM ..... 11 Regulatory Process - Pre-event .................... 11 iv i
, _ . . . _ _ _ . _ _ _ _ - - _ _ _ _ _ , _.,m . _ , . . . . _ _ . . . . _ . . _ _ . _ _ -
Page Licensing Actions for the Davis-Besse Auxiliary Feedwater System and Associated Systems ........... 12 Advisory Committee on Reactor Safeguards (ACRS)
Review ............................................ 21 Conclusions ....................................... 21 Recommendations ................................... 22 4 DAVIS-BESSE RELIABILITY ASSESSMENTS ............... 23 Pre-event AFWS Probabilistic Reliability Assessments ....................................... 23 Toledo Edison AFWS Reliability Analysis (EDS Nuclear, Inc.) ........................... 24 Brookhaven Review of EDS Analysis ............. 24 Toledo Edison AFWS Reliability Analysis (Impell Corp.) ................................ 25 Ad Hoc Group Review of Davis-Besse Reliability Analyses .......................................... 25 Use of Reliability Probabilistic Analysis in
, Regulatory Decisionmaking ......................... 28 Additional Qualitative Reliability Techniques for Regulatory Decisionmaking ..................... 28 Conclusions ....................................... 29 Recommendations ................................... 30 5 CONTRIBUTION OF TOLED0 EDIS0N'S MANAGEMENT, OPERATION, AND MAINTENANCE PROGRAMS TO EQUIPl1ENT FAILURES .......................................... 31 The Toledo Edison Nuclear Program ................. 31 v
Page The Davis-Besse Maintenance Program ............... 32 The Davis-Besse Quality Assurance Program ......... 33 Davis-Besse Plant and Safety Performance . . . . . . . . . . 34 Organization for Nuclear Management ............... 37 Regulatory Oversight .............................. 38 Impact of Regulatory Oversight .................... 39 Conclusions ....................................... 43 Recommendations ................................... 44 6 NRC INCIDENT INVESTI0ATION PROGRAM ................ 45 Program ...........................gation Background for the Incident Investi
................ 45 Mandate and Instructions for Incident Investigation Teams (IITs) ........................ 45 Capabilities of IIT Members ....................... 46 IIT Operational Procedures ........................ 47
' Staff .............................y Use of the Davis-Besse IIT Report b the NRC
................ 49 Follow-on Incident Investigation Team Reviews ..... 49 Conclusions ....................................... 50 Recommendations ................................... 50 vi
DAVIS-BESSE INDEPENDENT AD H0C GROUP James P. Gleason, Chairman, Administrative Judge, Atomic Safety and Licensing Board Panel, Nuclear Regulatory Commission Joseph H. Levine, Chief, Reliability Division, Directorate of S.afety, Reliability, and Quality Assurance, Johnson Space Flight Center, National Aeronautics and Space Administration Peter A. Morris, Ph.D., Administrative Judge, Atomic Safety and Licensing Board Panel, Nuclear Regulatory Commission Dennis K. Rathbun, Deputy Director, Office of Policy Evaluation, Nuclear Regulatory Commission H. Guice Tinsley, Technical Program Officer, Federal Aviation Administration vii
ACKNOWLEDGMENTS The Davis-Besse Ad Hoc Group wishes to extend their appreciation for the excellent support provided by the NRC Staff relative to the background of events at Davis-Besse.
The Group extends its thanks for their valuable cooperation and information to officers of the Toledo Edison Company and to officials and executives of other industry and utility organizations.
We also wish to acknowledge our appreciation to members of the Atomic Safety and Licensing Board Panel for their valuable service as a peer review group:
Jerry Harbour, Ph.D., Administrative Judge Jerry R. Kline, Ph.D. , Administrative Judge Morton B. Margulies, Administrative Law Judge Ivan W. Smith, Chief Administrative Law Judge In addition, we wish to acknowledge the excellent support given to the Ad Hoc Group by the NRC Atomic Safety and Licensing Board Panel staff with respect to their excellent administrative, technical, and secretarial assistance. In particular, we commend the dedicated efforts provided by the Group's Executive Assistant, Mr. Charles J. Fitti.
l viii
ACRONYMS ACRS Advisory Committee on Reactor Safeguards (NRC)
AE0D Office for Analysis and Evaluation of Operat.icnal Data (NRC)
AFWS Auxiliary Feedwater System ASB Auxiliary Systems Branch (NRC)
B&W Babcock & Wilcox BNL Brookhaven National Laboratory 80P Balance of Plant .
CAPC0 Central Area Power Coordination Group CE Combustior Engineering CEO Chief Executive Officer CNRB Company Nuclear Review Board CRGR Committee for Review of Generic Requirements (NRC)
DVR Deviation Report ED0 Executive Director of Operations (NRC)
EFIC Emergency Feedwater Initiation & Control EPRI Electrical Power Research Institute FMEA Failure Modes and Effects Analysis FSAR Final Safety Analysis Report I&E Office of Inspection & Enforcement (NRC)
ICS Integrated Contrcl System IIP Incident Investigation Program (NRC)
IIT Incident Investigation Team (NRC)
INP0 Institute of Nuclear Power Operations LER Licensee Event Report MFWS Main Feedwater System NMSS Nuclear Material Safety & Safeguards (NRC)
NRC Nuclear Regulatory Commission NRR Office of Nuclear Reactor Regulation (NRC) ix
l NSAC Nuclear Safety Analysis Center NSSS Nuclear Steam System Supplier NUMARC Nuclear Utility Management and Resource Conrittee NUREG Nuclear Regulatory Commission Report OIA Office of Inspector and Auditor (NRC)
PAT Performance Appraisal Team (NRC)
PORY Pilot Operated Relief Valve PRA Probabilistic Risk Assessment PSA Probabilistic Safety Assessment PWR Pressurized Water Reactor QA Quality Assurance RES Office of Nuclear Regulatory Research (NRC)
SALP Systematic Assessment of Licensee Performance SER Safety Evaluation Report (NRC)
SFRCS Steam and Feedwater Rupture Control System SMUD Sacramento Municipal Utility District SRP Standard Review Plan (NRC)
TMI Three Mile Island USI Unresolved Safety Issue t
X l
. - - - - ._ .. . - - . _ - . - =
l l
i l
1 EXECUTIVE
SUMMARY
f Background I
The Davis-Besse Nuclear Power Station, operated by the Toledo Edison Company, underwent a complete loss of feed-water event on June 9, 1985. The day following the event,
-the Executive Director for Operations (ED0) of the U.S.
l Nuclear tigationRegulatory) Team (IIT Commission (NRC) to Davis-Besse to sent an Incident ascertain Inves-the facts, I to identify the probable causes of the event, and to form
- conclusions and make recommendations as the basis for ;
i corrective actions. The results of its investigation are documented in " Loss of Main and Auxiliary Feedwater Event at j the Davis-Besse Plant on June 9, 1985" (NUREG-1154).
Ad Hoc Group Mandate and Methodology i 4 !
, The Nuclear Regulatory Commission established an independent .
! Ad Hoc Group in January 1986 to review issues subsequent to the loss of feedwater event at Davis-Besse and the Da-
. vis-Besse IIT's investigation. The Commission asked the Group to identify any additional lessons that might be learned from the incident, and from these to make recommen-l dations about how NRC internal procedures and oversight of reactor licensees may be improved. By this and other reviews, and by implementing the recommendations arising -
- from then, the Commission proposes to reduce the possibility of future similar occurrences. To fulfill its charter, the Ad Hoc Group was asked to undertake the following studies:
- 1. Examine the process of analysis, review, and interac-tion between the licensee and the NRC that tock place preceding the event concerning the reliability of, and I the need and schedule for modification of, the Da-vis-Besse auxiliary feedwater system and associated '
i systems; and make recommendations as to h'ow the regula-
! tory process may be improved in light of the findings
{
resulting from this examination. i i
- 2. Examine pre-event probabilistic assessments of the reliability of the Davis-Besse plant safety systems, l
the NRC review of these assessments, and the use to
- which these analyses were put in the regulatory decision-
! making process; and make recommendations as to how the use of this sort of reliability analysis in the regula-
- tory process might be improved.
l 1 l
! i
- . , . _ _ _ . . _ _ _ _ . _ _ - _ _ _ - _ _ . . . ~
, _ . _ , . . . . _ _ _______._____i
- 3. Examine the licensee's management, operation and maintenance programs to the extent that they may have contributed to the equipment failures that caused or exacerbated the incident; examine the NRC's require-ments for, and oversight of, such licensee programs; and make recommendations as to how the NRC may improve its regulatory processes and its oversight of reactor licensees in these areas.
- 4. Examine the mandate, capabilities of members, opera-tion, and results of the Davis-Besse incident investi-gation team, and the use to which its report was put by the regulatory staff; and make recommendations as to how the incident investigation process may be improved.
The Commission directed that the review not be a vehicle for determining whether Davis-Besse could be operated without undue risk to the public health and safety. The Commission further for the specified incident onthat the the part Group not assess of Toledo Edisonresponsibility (the licensee )
or the NRC staff.
In implementing its review, the Group interviewed principal NRC Headquarters and Regional personnel, the Chairman of the Advisory Committee on Reactor Safeguards (ACRS), Toledo Edison corporate and departmental managers, officials from the industry's Institute of Nuclear Power Operations (INP0) and from Babcock & Wilcox (B&W), and executives from four other nuclear power utilities. The testimony of these utility executives was solicited to broaden the Group's perspective on NRC's IIT program, on utility management issues, and on the impact of regulatory requirements on plant operations. In site visits, the Group examined Toledo Edison's management, operations, and maintenance programs.
The Group also reviewed relevant correspondence, reports, and other documents on Davis-Besse matters for the period 1977 to the present.
The various probabilistic analyses made of the auxiliary feedwater system (AFWS) were analyzed for the Ad Hoc Group by Sandia National Laboratories. The Group also solicited the views of B&W, Toledo Edison, and the NRC staff about probabilistic studies that were performed for the AFWS following the accident at Three Mile Island.
Since the Incident Investigation Program is new to NRC, the Group considered it essential to compare the practices and procedures for the Davis-Besse IIT incident investigation with those of the subsequent San Onofre and Rancho Seco IIT investigations. Accordingly, the Group interviewed the NRC Team Leaders for these IITs and reviewed relevant documenta-tion.
2
Davis-Besse Reoulatory History Davis-Besse was licensed to operate in 1977. Averaging 7.7 trips (unscheduled shutdowns) yearly, Davis-Besse averaged
- an annual capacity factor of approximately 45% until June 9, 1985. Although some of its outages can be traced to NRC Three Mile Island backfit requirements, the major contribu-tors were equipment failures and personnel errors. Plant operations have been marked by frequent deficiencies in maintenance efforts and procedural and Technical Specifica-tion violations, as reflected in NRC's Systematic Appraisal of Licensee Performance (SALP) reports. The NRC inspection effort at Davis-Besse was in excess of 1,500 work days and required over fourteen management or informal conferences prior to the June 1985 incident.
As a result of the incident, the NRC staff and Toledo Edison have engaged in an extensive evaluation of their respective responsibilities in assuring operational safety at Da-vis-Besse. For the NRC, this process has required not only implementation of a substantial number of generic and plant-specific actions, but an appraisal of the relevant i"
programs in the Of fices of Nuclear Reactor Regulation (NRR),
Inspection and Enforcement (I&E), Analysis and Evaluation of
- Operational Data (AEOD), and Nuclear Regulatory Research
- (RES), as well as for its Region III office. For Toledo Edison, it resulted in a nuclear staff reorganization, the authorization to hire additional personnel, a complete review of the facility's safety-related systems prior to restart, and extensive improvements in training programs and procedures. The cost to both organizations has been sub-i stantial
- for NRC approximately $1.5 million, to date, and for Toledo Edison $71.5 million, a figure exclusive of power replacement costs.
In its 1986 Policy and Planning Guidance document, the Commission expressed its concern about unnecessary regulato-i ry burdens and the Agency's volume of regulatory require-ments. This year, in establishing a set of strategic goals, the Commission stated its intention to improve the regulato-ry climate in which the nuclear industry operates, and to
- complete a comprehensive review of NRC regulations. This report, by examining the extensive interaction between NRC and Toledo Edison prior to the incident, hopefully contrib-
- utes to a continuing review of the status of that regulatory i
framework.
i Ad Hoc Group Conclusions and Recommendations Based on its review of issues subsequent to the June 9, 1985 incident at Davis-Besse, the Ad Hoc Group has arrived at the following conclusions and recommendations in the four areas specified in the Group's mandate.
l 3
- 1. Pre-event Interaction Between Toledo Edison and NRC Concerning the Auxiliary Feedwater System Conclusions Extensive and detailed regulatory interactions and activi-ties took place concerning the AFWS at Davis-Besse between NRC and Toledo Edison from the licensing of the plant in 1977 through the June 9, 1985 incident.
The AFWS and related controls experienced recurring problems involving components and required a number of design chang-es, such as the addition of dynamic brakes on the pump turbine governors and flow indication in the control room for both steam generator AFW inlet lines. Toledo Edison made appropriate Changes, including installation of a diverse power supply to one of the AFWS trains (for the motor-operated valves), that were required before the second fuel cycle. The staff approved a license for Davis-Besse, even though it lacked diverse power to the AFWS pumps, a condition unchanged up to the incident.
NRC's post TMI-2 evaluations of the Davis-Besse AFWS identi-fied the need for short-term and long-term modifications.
However, NRC did not require installation of a 100-percent capacity, motor-driven startup feedwater pump until Toledo Edison committed to its installation in September 1984.
NRC did not believe that the Davis-Besse AFWS, as it existed before the incident, was sufficiently reliable. This conclusion was based largely on the lack of diverse power to the pumps and the lack of full capacity of the existing startup pump. Earlier requirements for suitable modifica-tions of the AFWS might have been justified technically, even though not required by the Commission's rules.
By focusing on a generic solution to the decay heat removal l question, both the ACRS and the staff may have contributed i to an unreasonable delay in resolving the specific weakness l l
in the Davis-Besse AFWS. This finding does not suggest that l generic solutions are not desirable where feasible. Ana-l l l lysts should exercise caution, however, in seeking solutions I to generic problems when they unduly delay specific solu-tions at individual plants.
Reccmmendations Regional Administrators should meet with NRC Headquarters management to review the periormance of each nuclear power plant and licensee in their region at least quarterly, or more frequently as needed. The Group strongly endorses the current plans of the Executive Director for Operations (EDO) to implement such a program. The EDO should make prompt 4
1 i
i decisions to resolve problems and to establish appropriate schedules for completing their resolution.
Project Managers (with appropriate technical support) should visit nuclear power plants on a periodic basis (perhaps quarterly) to communicate directly with plant management and utility licensing officers.
The Group strongly endorses the ED0's current development and implementation of the integrated tracking and management system to assure effective management monitoring and resolu-tion of safety and licensing issues. Such a system might have been of assistance prior to the 1985 incident at Davis-Besse.
The staff should decide and communicate the results of decisions to relevant staff and licensees promptly as to whether an issue is plant-specific or generic. Such deci-sions should be made or endorsed by the EDO and action plans should be promulgated and executed expeditiously.
- 2. Davis-Besse Reliability Assessments Conclusions The conf.licting assumptions, methodologies and findings in licensee and NRC staff reliability analyses, and considera-tion of the proposed Committee for Review of Generic Re-quirements (CRGR) memorandum on pree grized water reactor AFWs, were factors in delaying the final decision on the installation of a diverse electric motor-powered auxiliary feedwater pump. Another factor delaying a final decision was the staff's delay in generic resolution of the decay heat removal issue, Unresolved Safety Issue (USI) A-45.
Improvements in probabilistic analyses of safety systems can be achieved by inclusion of important associated systems and a more defensible plant-specific data base.
Additional qualitative reliability techniques and measures over and above probabilistic analyses could be useful to in-crease confidence in the safety of nuclear power plant oper-ation. Improvements in the probabilistic analysis process will be more useful in NRC regulatory decisionmaking if they are augmented by information gained from other qualitative management and reliability techniques, such as configuration management, failure modes and effects analysis, and other disciplines discussed in Section 4 of this report.
Recommendations NRC should establish a timely and effective process to review reliability analyses requested of licensees, particu-5 l
1 larly where it is determined that such analyses will be used in regulatory decisionmaking.
NRC should evaluate the use of qualitative management and reliability disciplines as a means of increasing confidence in the day-to-day performance of nuclear power plant licensees. '
I&E should give priority to the conduct and promotion of safety system functional inspections and outage system modification inspections.
- 3. Contributions of Toledo Edison's Management, Operation, and Maintenance Programs to Equipment Failures Conclusions The number of organizational changes made by Toledo Edison in its pre-event nuclear mission and programs to enhance reactor safety performance were not sufficient to prevent the June 9, 1985 incident; neither was NRC oversight and enforcement effective in preventing the incident.
It was not apparent that Toledo Edison's Company Nuclear Review Board (CNRB) performed its overall audit function of plant safety effectively.
There were deficiencies in the effectiveness of the manage-ment and oversight of plant operations which had been recognized in NRC's SALP evaluations.
The Group recognizes that balance of plant items are impor-tant to safety.
The pre-event maintenance program at Davis-Besse was charac-terized by many weaknesses and deficiencies. The pre-event preventive maintenance program was not systematically developed and managed.
Compliance with the substantial, growing volume of prescrip-tive regulatory requirements may have acted to reduce rather than increase plant safety.
Recommendations The NRC should shift emphasis away from detailed, prescrip-tive requirements toward performance-based requirements. A systematic, continuing review of NRC's regulatory require-ments embodying the full scope of regulatory oversight is needed to ensure that these requirements are coherent, consistent, and act to improve plant safety. Responsibility for this function should be assigned to a specific office.
6
l NRR management and Regional Administrators should meet with the licensee's Board of Directors when a plant's deteriorat-ing performance warrants. The purpose of such meetings would be to discuss the adequacy of the licensee's activi-ties to protect the health and safety of the public. It would also provide the Board with an opportunity to express its views on the effe:tiveness of the current regulatory process.
NRC should take advantage of INP0's programs to assess licensee's maintenance management programs to the extent reasonable and practical.
The staff should 1mprove its follow-up on licensee correc-tive actions. Licensee " integrated living schedules" should be encouraged.
Resolution of the "important to safety" issue, and its application to balance of plant (B0P) items in existing, as well as future plants, deserves high priority. (The Group understands that I&E has responsibility for resolution of at least part of this problem.)
- 4. NRC Incident Investigation Program Conclusions The mandate for Incident Investigation Teams is adequate for conducting NRC incident investigations.
The Davis-Besse IIT report would have been enhanced if the team had been instructed to examine pre-event NRC-licensee interactions.
There is need for NRC to conduct seminars or workshops to inforn licensees in advance of the fundamentals of an NRC incident investigation. (The Group understands that such a program is being considered by AE00.)
The Davis-Besse IIT members possessed adequate technical expertise to comply with the requirements necessary to perform their investigative task. The Group endorses proposals that IITs receive incident investigation training.
The Davis-Besse IIT report effectively described the se-quence of events of the June 9, 1985 incident. However, the report's observation that Davis-Besse had a history "of evaluating operating experience related to equipment in a superficial manner," was not supported in the report. The conclusion that the underlying cause of the main and auxil-iary feedwater event was the licensee's lack of attention to detail in the care of plant equipment was also not supported in the report.
7
The EDO Action Plan following the incident made adequate use of IIT report findings and conclusions. The Action Plan is commendable since it also included the requirement for the NRC staff to reappraise its programs, planning, and actions based upon lessons learned from the Davis-Besse incident.
Unless organizations such as utilities, INPO, EPRI and reactor vendors are involved in the formulation of and are familiar with IIT procedures, they may not be willing or prepared to participate in future investigations.
Recommendations Expedite the development of detailed procedures for the formation, training, operation, and reporting requirements of future IITs. These procedures should clearly define the (a) scope of the investigation and its schedule; (b) mode of operation for the team; (c) legal constraints and rights of licensees and employees, including NRC employees; (d) quarantining of equipment, with clearly defined roles for the licensee and the Region; and (e) completion of the assignment. These procedures should be developed and coordinated with the nuclear power industry and Agency personnel should meet with them to explain the role of IITs and how they will function.
Participation on IITs of members from INP0, EPRI, vendors, other utilities, and Federal and State agencies with appli-cable technical expertise, when appropriate, should be encouraged.
The Commission should assign NRC's Office of Inspector and Auditor (0IA) to investigate pre-event interaction between '
the NRC staff and the licensee as it may be relevant to the root cause of the event.
The NRC manual chapter and other appropriate procedures should specify guidelines concerning the role of counsel or other advisors for personnel interviewed by an IIT.
The IIT incident investigation training program should be accelerated and consideration given to extending some of this training to Augmented Inspection Team candidates and other I&E staff members.
8 l
2 INTRODUCTION The Davis-Besse Nuclear Power Station, Unit 1, operated by the Toledo Edison Company, is located on Lake Erie in Ottawa County, Ohio, approximately six miles northeast of Oak Harbor, Ohio. Toledo Edison is a part of the Central Area Power Coordination Group (CAPC0) which is responsible for planning additional generating capacity in the CAPC0 service area. CAPC0 service areas cover northern and parts of central Ohio and sections of western Pennsylvania. Other CAPC0 members include the Cleveland Electric Illuminating Company, Duquesne Light Company, Ohio Edison Company and Pennsylvania Power Company. The Davis-Besse plant is jointly owned by Toledo Edison (49 percent) and Cleveland Electric Illuminating Company (51 percent), with Toledo Edison responsible for its operation. Toledo Edison and Cleveland Electric Illuminating Company have recently merged into a new holding company, Centerior Energy Corporation, which will operate a service company for the two operating utilities.
In January 1980 the CAPC0 companies terminated plans to construct Davis-Besse Units 2 and 3 and Erie Units 1 and 2.
Nonetheless, Toledo Edison's annual construction expendi-tures have been ove'r $200 million per year in the 1980's.
Most of these costs are attributable to the continuing construction of CAPC0 nuclear generating units (Perry Units 1 and 2 and Beaver Valley Unit 2), of which Toledo Edison owns 20 percent.
Davis-Besse underwent a complete loss of feedwater on June 9, 1985. The day following the event, the Executive Direc-tor for Operations (ED0) of the U.S. Nuclear Regulatory Commission (NRC) sent an Incident Investigation Team (IIT) to Davis-Besse to learn what happened, to identify the probable causes of the event, and to formulate conclusions and make recommendations for corrective action ~s. The results of its investigation are documented in " Loss of Main and Auxiliary Feedwater Event at the Davis-Besse plant on June 9, 1985" (NUREG-1154).
The Nuclear Regulatory Commission established an independent Ad Hoc Group (Group) in January 1986 to review other issues relating to the loss of feedwater event at Davis-Besse and the Davis-Besse IIT's investigation. The review was to identify any additional lessons that might be learned from the incident, and from these to make recommendations about 9
f how NRC internal procedures and oversight of reactor licensees may be improved. To fulfill its charter, the Group was asked to review activities and make recommenda-tions in the following areas:
- 1. The interaction between Toledo Edison and NRC preceding the event concerning the auxiliary feedwater system (AFWS),
- 2. Pre-event probabilistic analyses of Davis-Besse safety systems, NRC reviews of these analyses, and the use to which they were put in regulatory decisionmaking,
- 3. The extent to which Davis-Besse management, operations, and maintenance programs may have contributed to equipment failures that caused or exacerbated the event, and NRC requirements for and oversight of such programs, and
- 4. The mandate, operation, membership capabilities and results of the Davis-Besse IIT and the uses made of its report by the NRC staff.
In conducting its review, the Ad Hoc Group interviewed key NRC Headquarters and Regional personnel, the Chairman of the Advisory Committee on Reactor Safeguards (ACRS), Toledo Edison corporate and departmental managers, officials from the industry's Institute of Nuclear Power Operations (INP0),
representatives from Babcock & Wilcox, and executives from four other nuclear power utilities. The views of these executives was solicited to broaden the Group's perspective on NRC's IIT program, on mismanagement at nuclear utilities, and on the impact of regulatory requirements on plant operations. The Group compared practices and procedures for the Davis-Besse IIT investigation with those of the San Onofre and Rancho Seco IIT investigations. In site visits, the Group examined Toledo Edison's management, operations, and maintenance programs. Additionally, the Group reviewed relevant correspondence, reports, and other documentation on Davis-Besse for the period 1977 to date.
The various probabilistic analyses made for the auxiliary feedwater system (AFWS) were analyzed for the Ad Hoc Group by Sandia National Laboratories. The Group also solicited views on the probabilistic studies from Babcock & Wilcox, Toledo Edison officials, and the NRC staff.
The Commission directed that the Group's review not be a vehicle for determining whether Davis-Besse could be operat-ed in the future without undue risk to the public health and safety. Evaluating responsibility for the incident was also not within the purview of the Group.
10
3 PRE-EVENT INTERACTION BETWEEN TOLED0 EDIS0N AND NRC CONCERNING THE AUXILIARY FEEDWATER SYSTEM Regulatory Proces' - Pre-event This section provides an extensive chronology describing specific events directly or indirectly pertinent to the Group's review.
The staff identified the need to modify the Davis-Besse auxiliary feedwater system (AFWS) when the plant was li-censed. While Toledo Edison made a number of changes over the years to improve reliability of the system, it resisted making major modifications until an unanalyzed safety question was identified in the fall of 1984. Probabilistic
' reliability studies on the AFWS had been previously per-formed by Toledo Edison, by Babcock & Wilcox (B&W), and for the staff by Brookhaven National Laboratories (BNL). The staff made no decision on resolving the issue while these studies were being evaluated. Toledo Edison finally pro-posed installation of a full-capacity, motor-driven startup AFWS pump to resolve an unanalyzed safety question which affected system reliability and this resolution satisfied the staff's concern. The Group, based on its review, reached several conclusions and recommends that the staf f act to resolve similar identified problems expeditiously and to communicate more effectively among its organizational components and with the licensee.
The regulatory process on the Davis-Besse AFWS involved the following(Toledo licensee Edison) and NRC : kinds of actions and igteractions between the Reports of licensee events; The shutdown order following the TMI-2 accident; Applications for amendments to the operating license; 1
The Institute for Nuclear Power Operations conducted several evaluations of Davis-Besse operations, the results of which the staff was generally aware through exchanges of information between the NRC Regional inspectors and Davis-Besse personnel.
11
!
- NRC requests for information and analyses by Toledo
- Edison and its responses;
- Review, evaluation and approval by NRC of requests for license amendments; l
Inspection by NRC onsite inspectors; Inspection by NRC Region III inspectors; A performance appraisal team (PAT) inspection;
- Management and enforcement conferences between Toledo Edison management and Region III management; Meetings between Toledo Edison staff and NRC staff; Systematic Appraisals of Licensee Performance (SALPs); and Civil penalty recommendations.
Licensing Actions for the Davis-Besse Auxiliary Feedwater 3ystem and Associated Systems The original AFWS was essentially a safety-grade system.
Both AFW pumps were driven by steam turbines, with only ac power available to the motor-operated valves in the two trains. The NRC staff recognized that the system was susceptible to common-cause failures. As a license condi-tion, Toledo Edison was required to provide de power to one train of the AFWS at the plant's first scheduled refueling outage. The license condition was removed by Amendment No. 33 in October 1980 after Toledo Edison made the modifi-cation.
From initial startup until the incident on June 9, 1985, Davis-Besse had recurring problems with the AFWS and related controls. These problems involved components such as pressure switches and turbine governors. Davis-Besse made a number of design changes, including the addition of dynamic brakes on the pump turbine governors and flow indication instruments in the control room for both steam generator AFW inlet lines. Following TMI-2, Toledo Edison made a number of re-evaluations on its own, or at NRC's request, of the reliability of the AFWS, which necessitated a number of licensing amendments:
License Amendment 63, October 26, 1983, permitted removal of speed switches and interlocks to valves for the AFW turbines.
12
Amendment 68, May 30, 1984, modified Davis-Besse Technical Specifications to require that a minimum of two channels of AFW flow be operable for each steam generator.
Amendment 82, December 20, 1984, allowed AFWS operability to be determined without consideration of the status of the startup feedwater pump during startup (i.e. , the sta rtup feedwater pump could be inoperable).
License Amendment 83, January 8, 1985, imposed three operational restrictions on the use of the startup feedwater pump to avoid hazards to the AFW pumps.
This amendment was a consequence of Toledo Edison identifying high and moderate energy lines in the AFW pump rooms whose failure had not been analyzed.
Their failure could jeopardize the operability of either AFW pump f rom the effects of jet impingement, pipe whip, flooding and environmental conditions.
The amendment included these restrictions:
isolation outside the startup feedwater pump /AFW area of the startup feedwater pump suction, discharge and turbine plant cooling water piping, when the startup feedwater pump is not in operation, and Toledo Edison will install a startup feed-water pump, associated piping, and valves, to
~
remove the hazards to the AFW pumps before commencing Cycle 6.
The original Davis-Besse Technical Specifications (1977) contained one Limiting Condition for Operation of the AFWS:
"Two independent steam generator auxiliary feedwater pumps and associated flow paths shall be operable." Revision 3 of the " Standard Technical Specifications for Babcock & Wilcox (B&W) Pressurized Water Reactors (PWRs)," published in July 1979, contained the following Limiting Condition:
At least three independent steam generator auxil-iary feedwater pumps and associated' flow paths shall be operable with:
Two auxiliary feed pumps capable of being powered from separate emergency buses, and one feedwater pump capable of being powered from an operable steam supply system.
Since Davis-Besse was licensed and operating, this require-ment did not apply to the plant's AFWS.
13
The following chronology records numerous meetings, memoran-
<la, and analyses about the Davis-Besse AFWS involving NRC's Office of Nuclear Reactor Regulation (NRR), Toledo Edison and others prior to June 9, 1985. I&E's Region III staff played little or no role in these interactions. It is also clear that the NRR staff did not appear well informed about the extent of the Regional staff's concerns regarding Toledo Edison's performance. The Ad Hoc Group examined these activities in detail in forming its overall appraisal of the regulatory process.
Following TMI-2 in March 1979, the Commission issued a Confirmatory Order on May 16, 1979 ordering Davis-Besse, during a scheduled outage, to remain shut down until certain hardware and procedural changes and analyses were made by Toledo Edison and approved by the NRC staff.
NRC lifted the Order on July 6, 1979. In its accompanying Safety Evaluation Report (SER), NRC stated:
While the Staff recognizes that the AFW system is safety grade, we also note that the licensee has agreed to continue to review the performance of the AFW system for assurance of reliability and performance. Consis-tent with this long-term agreement, we will require that the licensee modify the plant to provide the greater degree of diversity offered by a 100 percent capability motor-operated AFW pump, or an alternative acceptable to the Staff.
On June 8, 1979, the NRC staff visited Davis-Besse to discuss Toledo Edison's efforts to respond to the Commis-sion's Order. A week later, Toledo Edison transmitted to NRC an analysis of a complete loss of feedwater transient.
Eight days later, in response to staff questions, a Toledo Edison analysis concluded that secondary steam pressure, after loss of main feedwater to the steam generators, would support the AFWS steam turbine operation if started within 20 minutes.
In April 1980, NRC issued " Transient Response of Babcock &
Wilcox-designed Reactors" (NUREG-0667), which made recommen-dations for reducing the likelihood or consequences of severe accidents. One recommendation was to upgrade the AFWS to include diverse power sources with either three trains, or two trains plus feed and bleed capability.
Installation of a diverse-drive AFW pump was recommended for Davis-Besse specifically, partly because the relatively low head, high pressure injection pumps prevented injection at normal operating pressure.
In May 1980, NRC issued the TMI Action Plan (NUREG-0660),
which called for licensees with B&W plants to evaluate their 14
AFWSs by September 1, 1980. The staff Reactor Transient Task Force recommended that installation of a diverse-drive AFW pump be expedited at Davis-Besse. In August 1980, the Director of NRC's Division of Safety Technology wrote to the Director, Office of Nuclear Reactor Regulation (NRR), that the recommendation of the Reactor Transient Task Force "be implemented as soon as possible by an NRC order...." This requirement, he noted, was identified in the post-TMI-2 startup authorization. As reported above, the July 1979 authorization lifting the shutdown permitted Toledo Edison to propose an alternative. Nevertheless, the Director, Division of Safety Technology, concluded, "It is our under-standing that the licensee [ Toledo Edison] is still review-ing possible options.... This is too long a time to merely study such an important issue."
In November 1980, the staff issued " Clarification of TMI Action Plan" (NUREG-0737), which, in part, emphasized that previously required analyses should include multiple events, such as the failure of both nain and auxiliary feedwater systems. These analyses were to be submitted to the staff by January 1, 1981, and reviewed by July 1, 1981 (i.e., 2 years after the staff originally notified Toledo Edison that a motor-operated pump, or an acceptable alternative, would be required).
On January 23, 1981, Toledo Edison objected, because of cost, to the NRC alternative for a diverse-drive AFW pump with a 100-percent capacity and proposed an alternate resolution, concluding:
To bring this issue to final resolution, it is proposed that, prior to proceeding on any major plant modifica-tion, a risk reduction comparison be completed to provide an evaluation of the acceptable alternatives.
This would allow us to optimize the plant response results, minimize the perturbation and still verify that the design provides an appropriate level of protection to the public health and safety now and after any such modification is complete.
In a March 5, 1981 meeting, Toledo Edison advised the staff that its August 1980 feasibility study demonstrated that providing an additional 100-percent capacity AFW pump was prohibitively expensive and required an excessive prepara-tion time. This conclusion was based on the need to provide a completely diverse safety-grade AFW train, i.e., that entailed seismic-resistant components in a new seis-mic-resistant building, rather than just a motor-driven pump. This change, involving a safety-grade system, appears to be what the staff had in mind. Toledo Edison planned to perform a detailed probabilistic risk assessment to evaluate a eptable alternatives.
15
In responding on April 2, 1981, the staff recommended six ways to improve the reliability of the AFWS at Davis-Besse.
In commenting on the licensee's proposal, the staff noted,
"[t]he principal thrust of [ Toledo Edison's] proposed reliability analysis would therefore try to demonstrate the acceptability of the reliability of the present two train AFWS at the Davis-Besse 1 plant." NRC rejected this ap-proach and, apparently changing its position (from the requirement for a fully safety grade, seismically qualified system), stated: "We believe that you should consider placing more emphasis on upgrading the existing startup feedwater train to provide diversity from the present steam driven AFWS, and thus improve system reliability." The sixth NRC recommendation'was for installation of a di-verse-drive auxiliary feedwater pump. The April 2 letter stated:
We are concerned with the dependency of both AFWS pumps on steam from the main steam lines. Other PWRs are known to have a similar configuration (e.g., Calvert Cliffs); however, because of the more rapid dry-out of the steam system in B&W plants, such a steam dependency is of more concern in Davis-Besse. The licensee should state plans for providing a third AFWS train which will l
utilize a pump powered from a source other than steam.
A schedule of implementation should be provided.
On May 22, 1981, Toledo Edison responded, indicating its intent to submit a probabilistic risk assessment on the AFWS l
by July 1981, which would identify dominant failure contrib-i utors. Toledo Edison stated its intent to upgrade the existing startup and auxiliary feedwater systems based on results of the risk assessment.
Independently of this decision, on June 22, 1981, B&W issued
" Draft Engineering Summary Report of a Complete Loss of FW Transient Analysis for Davis-Besse" (B&W 582-7151-14-00),
which concludes that operator action (feed and bleed) within 30 minutes of a loss of feedwater will prevent the core from becoming uncovered.
In a June 29, 1981 memorandum to NRR, the NRC Division of Safety Technology recommended adoption of a reliability criterfonintgeStandardReviewPlan(SRP)ofaprobability of 10- to 10~ for failure upon demand of the AFWS. This recomme..dation was endorsed by the NRC Division of Systems Integration on July 31, 1981.
The SRP, " Auxiliary Feedwater System (PWR)," Rev. 2, issued in July 1981, stated that the NRC reviewer is to determine that:
16
- -___________. .__ \
... 2. The system is protected against the effects of pipe whip and jet impingement that may result from high or moderate energy piping breaks or cracks.
... 5. The system possesses diversity in motor power sources such that system performance require-ments may be met with either of the assigned power sources, e.g., a system with an AC subsystem and a redundant steam /DC subsystem.
The reviewer is to determine whether licensees have submit-ted sufficient information for NRC to co hasanunreliabilityintherangeof10gcludetgattheAFWS to 10- per demand. The numerical criteria in this review did not apply to previously licensed operating plants, such as Da-vis-Besse.
On July 16, 1981, NRC asked Toledo Edison to provide addi-tional information on AFWS automatic initiation and flow indication. This was submitted on September 16, 1981. On December 31, 1981 Toledo Edison transmitted to NRC the
" Davis-Besse AFWS Reliability Analysis, Final Report." NRC later sent the report to the Brookhaven National Laboratory for review. (This report is discussed in Section 4.)
An NRC memorandum of March 1, 1983 repeated the recommenda-tion that NRC should require installation of a third, qualified, motor-driven AFW pump at Davis-Besse. On Au-gust 22, 1983, the staff issued a draft proposal intended for review by the NRC Committee to Review Generic Require-ments (CRGR). It contained a proposed Generic Letter to licensees concerning ten pressurized water reactors (PWRs),
including Davis-Besse, that had not made the "necessary system modifications...to ensure that their AFW systems are capable of being operated in the high reliability range...."
The proposal concluded that AFWS failure is a dominant contributor to core melt accidents and recommended requiring modifications to demonstrate adequate reliability in accor-dancewitgthecugrentSRP(Section10.4.9)failurecriteri-on of 10- to 10- per demana. The proposal included the recommendation that NRC issue a Generic Letter: it would require licensees to confirm within 30 days that changes would be made to the AFWS and that a design would be pro-posed within 120 days. The analysis notes that improvements could be evaluated under the long-term Unresolved Safety Issue (USI) of decay heat renoval (A-45), but rejects this 17
approachbecausestugyofthisissuewasnutexpectedtobe complete until 1985.
An NRC handwritten memorandum of August 26, 1983, referring to the August 22, 1983 CRGR draft proposal states:
We need to get together ASAP [as soon as possible] on the attached CRGR package-- The [ Director of Systems Integration] is tr plants (12 total) ying withto a stick a number 3rd AFWS pump. of operating This action will have significant ramifications on A-45. We may come up with a more comprehensive cost-beneficial solution.
Their value-impact looks weak and will be shot down by CRGR.
An NRR memorandum of August 29, 1983 reviewed implementation of recommendations for AFWSs and found the Davis-Besse AFWS acceptable. The recommendations were based on the Toledo Edison reliability analysis of December 1981 and generic recommendations of NUREG-0611 and NUREG-0635, which did not require a third pump. The memorandum referred to the proposal intended for the.CRGR which would require all plants to upgrade their AFWS to meet existing reouirements and stated that such requirements for Davis-Besse would be the subject of future correspondence.
An NRR memorandum of September 25, 1983, containing a long list of comments and questions on the August 22, 1983 CRGR proposal, concludes that a decision should be deferred:
The proposed action, if implemented independently will have significant ramifications for the USI A-45 pro-gram. Accordingly, further and more detailed regulato-ry analyses should be done to provide a good basis for deciding whether this issue should be done independent-ly or combined with A-45. Until then, it is suggested that the decision be deferred.
An attachment to the memorandum refers to a September 13, 1983 meeting among represantatives of NRC divisions and l branches wherein they agreed that further work should be l done before the proposal was forwarded to the CRGR.
2 While the NRC staff was to have completed its study of USI A-45 by 1985, the current projected completion date is 1987.
i 18
/
An NRR memorandum of November 16, 1983 transmits the staff evaluation of Toledo Edison's December 31, 1981 reliability analysis from the Division of Systems Integration to the Division of Licensing. It repeats the June 1981 conclusion oftheDivisionofSafetyTechgologytgattheSRPincludean unreliability criterion of 10- to 10 An NRR memorandum of December 7, 1983 notes that the staff delay in responding to the August 22, 1983 proposal " result-l ed from the need to complete other higher priority work."
l The memorandum states that the requirement for a third pump was considered a low priority acc.ording to a staff cost-benefit analysis. The memorandum notes that changes have been or will be made at plants other than Davis-Besse.
, An NRR memorandum of January 16, 1984 provides additional information on the CRGR proposal, including estimated frequencies of a core melt (per year) attributable to loss of main feedwater. The memorandum states that the mean probability of a core melt per year from this type of incident is 5.4 x 10-4 (or 1 chancg in 1,851). (The NRC provisional safety goal 1: 1 x 10- or 1 chance in 10,000, per reactor year. ) This average estimate assumes that feed and bleed emergency cooling is not possible at Davis-Besse; the risk of a core melt at Davis-Besse from loss of main feedwater is 5 times greater than the probability of a core melt accident in the Commission's safety goal for chances of a core melt from all types of accidents at any plant.
On March 2 and 3, 1984 a stuck open safety valve resulted in steam generator dryout at Davis Besse. An I&E memorandum.of April 9, 1984 to NRR referring to this dryout supports the CRGR proposal to require diverse AFW pump power.
An April 23, 1984 letter from NRR to Toledo Edison provides the staff evaluation of the utility's December 31, 1981 reliability analysis and the Brookhaven National Laboratory reliability analysis (NUREG/CR-3530). The letter notes the opposing conclusions reached by BNL and Toledo Edison and concludes that the Davis-Besse AFWS does not comply with the current SRP reliability criterion. It should be noted that Toledo Edison's reliability analysis takes credit for feed and bleed operations and other modifications; BNL's analysis does not.
The NRC staff report, " Comparison of Implementation of Selected TMI Action Plan Requirements for Operating Plants Designed by B&W," May 1984 (NUREG-1066), concludes that Davis-Besse had completed all required plant modifications.
However, three open Technical Specification items remained regarding the Davis-Besse AFWS. The report noted that staff review of these items was to be completed by June 1984 19
(nearly 5 years af ter the staff notified Toledo Edison in July 1979 that modification to the AFWS would be required).
A Toledo Edison internal memorandum of September 7, 1984 comments on the NRC's April 23, 1984 letter and the BNL analysis. It disagrees with a number of assumptions made by BNL and the staff, particularly their lack of credit for the feed and bleed function, and, concludes that their findings are " inaccurate, unjustified and irrelevant."
At an NRC-Toledo Edison meeting on September 19, 1984, Toledo Edison committed to install a relocated, electric motor-driven startup feedwater pump with full capacity at the next refueling outage. Relocation was necessary to avoid a high or moderate energy pipe break problem. (See License Amendment 83, above.)
A September 28, 1984 memorandum from the Director, NRR, to the ED0 reported that the Auxiliary Systems Branch deter-mined that a diverse-drive AFW system was unnecessary.
Toledo Edison formally notified NRC in writing in October 1984 of the unanalyzed pipe break problem involving the existing startup feedwater pump.
Toledo Edison applied on November 12, 1984 for a license amendment to install the new 100-percent capacity auxiliary feedwater, electric motor-driven startup pump at a new location at the next refueling outage (spring of 1986). The license amendment was approved on January 8, 1985. However, NRC required that special precautions be taken with the existing startup pump, including isolating it from the feedwater system and disabling the motor drive until the new pump was installed. The isolated startup pump, to be activated, required repositioning of four valves and the installation of fuses in the motor control system. An operator also needed to be stationed at the pump to monitor its operation. These actions were, in fact, performed during the June 9, 1985 incident. Toledo Edison believed that isolating the startup pump actually increased risk.
On June 20, 1985, the CRGR noted in a menorandum that the regulatory proposal for improving the reliability of AFWSs still had not been submitted to the CRGR.
Following the incident, NRC requested, on October 30, 1985, that Toledo Edison perform probabilistic analyses of the AFWS as it existed on June 9, 1985, and as it would exist at restart, using the assumptions and methodology of NUREG-0611.
20
Advisory Ccomittee on Reactor Safeguards (ACRS) Review Since 1979, the ACRS expressed concern about the functional capability and reliability of decay heat removal systems in general and AFWSs in particular. Although it did not specifically address B&W or Davis-Besse AFWSs in its advice to the Commission, the ACRS consistently recommended giving high priority to generic and specific upgrading of these systems. In April 1980 the ACRS observed that staff action l
plans in this area appeared to lack coordination in evaluat-i ing shutdown heat removal requirements comprehensively. In l May 1981 the Committee again recommended that high priority be given to USI A-45. (Its resolution seems to have been inhibited by extended consideration of the need for pilot operated relief valves (PORVs) in Combustion Engineering's System 80 design.) More than 3 years later, in August 1984, the ACRS pointed to the importance of A-45 to plant safety.
Recognizing the great variety and complexity of decay heat removal systems among the many different nuclear plants, the ACRS suggested that if a generic treatment was not feasible, timely alternatives should be developed.
Conclusions Extensive and detailed regulatory interactions and activi-ties took place concerning the AFWS at Davis-Besse between NRC and Toledo Edison from the licensing of the plant in 1977 through the June 9, 1985 incident.
The AFWS and related controls experienced recurring problems involving components and required a number of design changes such as the addition of dynamic brakes on the pump turbine governors and flow indication in the control room for both steam generator AFW inlet lines. Toledo Edison made appro-priate changes, including installation of a diverse power supply)to valves one of the AFWS trains (for the motor-operated, that were required be The staff approved a license for Davis-Desse, even though it lacked diverse power to the AFWS pumps, a condition un-changed up to the incident.
NRC's post TMI-2 evaluations of the Davis-Besse AFWS identi-fied the need for short-term and long-term modifications.
However, NRC did not require installation of a 100-percent capacity, motor-driven startup feedwater pump until Toledo Edison committed to its installation in September 1984.
NRC did not believe that the Davis-Desse AFWS, as it existed before the incident, was sufficiently reliable. This conclusion was based largely on the lack of diverse power to the pumps and the lack of full capacity of the existing startup pump. Earlier requirements for suitable 21
modifications of the AFWS might have been justified techni-cally, even though not required by the Commission's rules.
Both the ACRS and the staff may have contributed to an unreasonable delay in resolving the specific weakness in the Davis-Besse AFWS by focusing on a generic solution to the decay heat removal question. This finding-does not suggest that generic solutions are not desirable where feasible.
Analysts should exercise caution, however, in seeking solutions to generic problems when they unduly delay specif-ic solutions at individual plants.
Recommendations Regional Administrators should meet with NRC Headquarters management to review the performance of each nuclear plant and licensee in their region at least quarterly, or more frequently as needed. The Group strongly endorses the current plans of the ED0 to implement such a program. The ED0 should make prompt decisions to resolve problems and to establish appropriate schedules for completing their resolu-tion.
Project Managers (with appropriate technical support) should visit nuclear power plants on a periodic basis (perhaps quarterly) to communicate directly with plant management and utility licensing officers.
The ED0's current development and implementation of the integrated tracking and management system to assure effec-tive continued management monitoring and resolution of safety and licensing issues are strongly endorsed. Such a system might have been of assistance prior to the 1985 incident at Davis-Besse.
The staff should decide and communicate the results of decisions promptly to relevant staff and licensees on whether an issue is plant-specific or generic. Such deci-sions should be made or endorsed by the EDO and action plans should be promulgated and executed expeditiously.
i
)
22
- -. _ ,m_, _ _ , _ _ _ _ - - -_____,,_,.n.. - - . - -- -_.
_ ,--_,m.__-m_,_
4 DAVIS-BESSE RELIABILITY ASSESSMENTS This section summarizes (a) staff requirements for the prob-abilistic assessments of Davis-Besse plant safety systems, (b) the auxiliary feedwater system (AFWS) probabilistic reliability analyses performed by Toledo Edison and Brook-haven National Laboratory (BNL), (c) the staff's evaluation and use of these analyses, (d) the Davis-Besse response to the staff's evaluation, (e) S evaluation of these analyses,gndia (f) National Laboratories' a Davis-Besse post-event reliability analysis, and (g) additional qualitative reli-ability techniques which might ensure greater confidence in nuclear power plant performance.
Pre-event AFWS Probabilistic Reliability Assessments l
AFWS reliability analyses were conducted prior to the June 9, 1985 incident by Babcock & Wilcox (B&W), Toledo
- Edison, and Brookhaven National Laboratory (BNL).
On December 1979, B&W completed its " Auxiliary Feedwater Systems Reliability Analysis - A Generic Report For Plants With Babcock & Wilcox Reactors." The objectives were:
(1) To identify, through reliability-based insights, dominant contributors to AFWS unreliability.
(2) To assess the relative reliability of B&W operat-ing plant auxiliary feedwater systems.
The study identified dominant contributors to AFWS unavail-ability for each plant so that B&W utilities could make ap-propriate design changes to improve AFWS reliability. For Davis-Besse, the dominant contributor noted was simultaneous loss of both trains. This condition could occur if one train were out of service for maintenance during normal plant operations, and a random failure occurred in the other train. The study calculated system reliability at 5, 15, and 30 minutes af ter loss of main feedwater to allow for a range of operator actions following initiating conditions.
3 J.W. Hickman and B. Atefi, " Review of Documents Related to the Davis-Besse Auxiliary Feedwater System Reliability Assessments," April 21, 1986.
23
The probability of failure to function upon demand ranged from approximately 5 x 10-3 to 8 x 10-3 The study cautions that these values should be viewed as relative rather than absolute values.
Toledo Edison AFWS Reliability Analysis (EDS Nuclear, Inc.)
On December 31, 1981, Toledo Edison submitted to NRC a de-tailed probabilistic reliability analysis of the AFWS pre-pared by EDS Nuclear, Inc. (now Impell Corp.). The study analyzed four configurations, including one for a third AFW train to upgrade the existing feedwater startup pump as a diverse full-capacity electrically driven pump. The analy-sis concluded that the most cost-effective approach was to rely on a modified feed and bleed mode using the existing startup pump, the makeup pumps and the pilot operated relief valve (PORV) to provide adequate core cooling. The study recommended upgrading other components and procedures, such as the auxiliary feedwater pump turbine governor and improv-i ing Limitorque valve operations, turbine feed from both steam generators, and valve positioning. This "analy-sis-based" approach predicted an AFWS unavailability per demand of 3.3 x 10-5 , a figure which includes credit for (proper) operator actions.
Brookhaven Review of EDS Analysis In 1983, NRC directed Brookhaven National Laboratory (BNL) to perform an independent reliability analysis of the Davis-Besse AFWS using methodology and data from " Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse Designed Operating Plants" (NUREG-0611). BNL indicated that an independent reliability analysis was requested because each applicant for an operating license was required to comply with the Standard Review Plan (SRP), Section 10.4.9. This section requires the use of criteria which enable direct compari witg the acceptable AFWS unreliability range of from 10-gonto 10- per demand. NRC wanted to compare the results for Davis-Besse with results from other plants, even though the SRP criteria did not apply to Davis-Besse.
I The BNL results assumed no time for any intervention, in-cluding operator actions, to recover f rom malfunctions or maintenance errors. The report noted that Toledo Edison used a function-success criterion different from that considered in NUREG-0611 (which defined unavailability as the probability per demand that the system will fail to
, perform its function).
The BNL review noted that the EDS Davis-Besse study consid-ered the measure of AFWS success to be the maintenance of adequate core cooling to prevent fuel damage. BNL also 24 b
noted that " Toledo Edison assumed it was considered suffi-cient either to (1) provide flow from one AFW pump within ten minutes, or (2) establish feed-and-bleed within 30 min-utes,.in conjunction with feedwater flow from the start-up pump, which is not adequate in itself to remove decay heat."
The report called attention to (a) the Davis-Besse AFWS's lack of diversity and its vulnerability.to common cause failures, and (b) the Davis-Besse history of such items as AFW pump speed failure, loss of control of both AFW pumps from mechanical binding in one pump and blown fuses in the other, and the loss of an essential bus.
l Toledo Edison AFWS Reliability Analysis (Impell Corp.)
On November 1, 1985, the Impell Corporation submitted its study to compare its analysis with NRC staff analyses of other plants. It addressed the cuantitative criteria for AFWS unreliability using data and methodology prescribed in NUREG-0611. The study, initiated prior to the June 9, 1985 incident, analyzed three AFWS configurations: (1) the exist-ing Davis-Besse AFWS configuration as of June 9, 1985, (2) a two-pump configuration, and (3) a three-pump configuration.
The configuration as of June 9, I ty on demand ranging from 4 x 10g85showedangnavailabili-to 1.6 x 10- for speci-fied initiating events using the criteria in NUREG-0611.
The three-pump system with a diverse electric motor-driven feedwater pump was predictgd to meet the SRP unreliability requirement of 10-4 to 10- per demand.
Ad Hoc Group Review of Davis-Besse Reliability Analyses The Group requested Sandia National Laboratories to examine the various probabilistic assessments of safety system reliability at Davis-Besse. The objectives of the study were to review and summarize all reliability-related studies and reports, comment on the quality and relevance of these studies to the Davis-Besse event, and reach conclusions and submit recommendations about the use of proba'bilistic analyses in regulatory decisionmaking. Table 4.1 from the Sandia study shows a comparison of the results of the BNL study and the EDS Nuclear and Impell studies.
The Sandia report includes (1) a summary of the correspon-dence and activities involving probabilistic analysis of the Davis-Besse plant; (2) a comparison of the results of the utility-sponsored AFWS reliability analyses with the NRC-BNL review of these studies; (3) a discussion of the use of state-of-the-art methodology, compliance of the utility's results with the requirement of the SRP, and a discussion of the Davis-Besse plant configuration on June 9, 1985; and (4) conclusions and recommendations.
25
Table 4.1 Comparison of the Results of a
-the Davis-Besse AFWS Studies EDS Study BNL Studyc ,d Impell Study (December 1981)b (November 1985)d,e Configuration -(Feb. 1984) Configuration Existing Planned Two Planned Three Initiator Pre-TMI Post-TMI Third Train Analysis-Based (6/9/85) Pump System Pump System LossofMajn 6.6E-4 9.1E-5 Feedwater 3.3E-2 6.6E-4 4.5E-5 3.3E-5 1.6E-3 1.6E-3 Loss of Off-Site Power 4.1E-2 5.5E-3 1.4E-4 9.3E-5 2.8E-3 2.9E-3 1.7E-3 1.1E-3 Loss of All ac 3.4E-2 4.0E-2 3.3E-2 3.3E-2 St Seismic Event 8.8E-2 1.9E-2 1.9E-2 1.1E-2 a E-2=10-2 b AFWS success criteria in this study consist of a) providing flow from one AFW pump to one steam generator within 10 minutes, or b) establishing-feed and bleed procedure within 30 minutes including some heat removal via the main feedwater startup pump.
c AFWS success criteria in this study consist of successful flow from at least one AFW pump to at least one steam generator without delay.
d Calculations based on NUREG-0611 methods and data, e The success criteria in this study consist of availability of sufficient auxiliary feedwater flow to at least one steam generator within 5 minutes following the loss of main feedwater or offsite power or all ac.
f SRP requires an unreliability in the range of 10~4 to 10-5 per demand.
The Group examined the Sandia study and agrees with its conclusions and recommendations.
Sandia
Conclusions:
4
- 1. Each of the AFWS reliability analyses provided sound reconsendations addressing areas of system vulnerability, which found their way into the Davis-Besse design and resulted in AFWS reliabili-ty improvements.
- 2. Each of these studies fell short of realizing the full potential of the PRA type of analysis because important support systems, such as ICS [ integrated control system] and SFRCs [ steam and feedwater rupture control system], were not modeled.
- 3. State-of-the-art limitations with respect to modeling of heroic recovery actions and human errors of commission, such as the one that oc-curred during the Davis-Besse 1985 incident when the operator inadvertently pushed the " low pres-sure" buttons, prevent PRAs from covering all aspects of events such as the Davis-Besse inci-dent.
- 4. The reliability analyses performed as a part of NUREG-0611 and NUREG-0635 had limited scope and were not originally intended to be used as a guide for SRP purposes. This limited scope does not cover all unusual occurrences which happened in the Davis-Besse event such as those which were due ,
to the i nitiation system.
- 5. Overall quality of the reliability analyses i reviewed with respect to the use of state-of-the-art methodology and data was satis-factory.
Sandia Recommendations:
- 1. The recommendations of SRP Section 10.4.9 with respect to following a set of guidelines on methodology and use of data for AFWS reliability evaluation should be updated to include a much more comprehensive set of guidelines. Consider-4 Sandia conclusions and recommendations are quoted verbatim, except for bracketed statements added by the Group for cla ri ty.
27
-,--nr.,.. _ . --,.,.7 g .,,----..,,,e,.--,, -.+----,--w w. . . - - - - , n-w,---,-,----n n,, -~-.,.m.-----. -
e-- - - - - - - - - -~
ation should be given to more detailed modeling of human actions, and [ support systems such as) power, control, initiation, and cooling systems rather than treating the auxiliary feedwater system in isolation from its support systems.
- 2. The current SRP unreliability requirement is not clearly defined and applies only to the loss-of-main-feedwater-system initiator. Unreli-ability requirements for other initiators such as loss of offsite power and total loss of ac (stg-tion blackout), should be considered. The 10' requirement of the SRP does not appear to be appropriate for station blackout events.
- 3. Review of PRA documents by the NRC should not be limited to the compliance of the submitted report with a set of narrow guidance such as SRP. NRC reviewers should be encouraged to provide addi-tional comments and insights about the areas of system vulnerability beyond the pure compliance guidance.
Use of Reliability Probabilistic Analysis in Regulatory Decisionmaking The previous sections illustrate the differing views about how probabilistic analyses are conducted, both from the standpoint of the approach to the analysis, and in the numerical values used and generated by them.
Key NRC management personnel interviewed by the Ad Hoc Group believe there is considerable value in the use of fault trees in reliability analyses, and that this discipline alone may call attention to potential problems if properly applied by licensees and the NRC staff. They also believe that numerical values from probabilistic analyses should be viewed as a goal toward which to aim rather than as a quantifiable value by which to neasure what a given plant has actually achieved. A licensee can conduct plant-specific probabilistic analyses with a valid data base which can be useful in detecting design weaknesses and I undesirable trends in plant performance.
Additional Qualitative Reliability Techniques for Regulatory l
Decisionmaking During interviews with NRC management, the Ad Hoc Group discussed the use of other reli6bility and management techniques, including (1) configuration management controls, l (2) failure modes and effects analysis, (3) component qualification control, (4) rigorous failure reporting and corrective action systems, (5) maintainability analyses, and 28
(6) improved maintenance. Although most of those inter-viewed agree these techniques would be useful to licensees in improving availability and in enhancing safety, they believe it would be difficult to prepare detailed regula-tions to require that these disciplines be implemented by licensees.
The Director of NRC's Office of Inspection and Enforcement (I&E) has conducted several safety system functional inspec-tions and outage system modification inspections that revealed plant design and safety issues. These findings reinforce the value of addressing reliability and management techniques in preventing incidents that threaten plant safety.
A recent publication by the NRC Division of Waste Management (NUREG/CR-4271) recommended that the safety, reliability, quality assurance and management techniques used in the aerospace industry could possibly be applied by the Depart-ment of Energy for the High-Level Nuclear Waste Repository Program. The document describes successful aerospace management, safety, reliability assurance and quality assurance techniques, as well as specific aspects of the ease of technology transfer, which may also be applicable to nuclear reactor operation and regulation.
Conclusions The conflicting assumptions, methodologies and findings in licensee and NRC staff reliability analyses, and considera-tion of the CRGR memorandum on PWR AFWs, were factors in delaying the final decision on the installation of a diverse electric motor-powered auxiliary feedwater pump. Another factor delaying a final decision was the staff's delay in gencric resolution of the decay heat removal issue, Unre-solved Safety Issue (USI) A-45.
Improvements in probabilistic analyses of safety systems can be achieved by inclusion of important associated systems and a more defensible plant-specific data base.
Additional qualitative reliability techniques.and measures over and above probabilistic analyses could be useful to increase confidence in the safety of nuclear power plant operation. Improvements in the probabilistic analysis process will be more useful in NRC regulatory decisionmaking if they are augmented by information gained from other qualitative management and reliability techniques, such as configuration management, failure modes and effects analy-sis, and other disciplines referred to in this section.
29
Recommendations NRC should establish a timely and effective process to review reliability analyses requested of licensees, particu-larly where it is determined that~ such analyses will be used in regulatory decisionmaking.
NRC should evaluate the use of qualitative management and reliability disciplines as a means of increasing confidence in the day-to-day performance of nuclear power plant licensees.
I&E should give priority to the conduct and promotion of safety system functional inspections and outage system modification inspections.
30
5 CONTRIBUTION OF TOLED0 EDIS0N'S PANAGEMENT, OPERATION, AND MAINTENANCE PROGRAMS TO EQUIPMENT FAILURES The Toledo Edison Nuclear Program The Ad Hoc Group examined the structure and staffing of Toledo Edison's Nuclear organization to determine its effectiveness prior to June 9, 1985. During 1979, the Davis-Besse Plant Superintendent reported to the company Vice President for Energy Supply. A separate organization for nuclear operations was established in 1980 with a Vice President for Nuclear, and several reorganizations were implemented between 1982 and 1985 to strengthen Toledo Edison's Nuclear mission.
Between 1979 and 1985, the staff of the Nuclear mission
- increased from 340 to 590 employees to remedy deficiencies
- and to improve performance. A Performance Enhancement
- Program (PEP), initiated in November 1983, reauired the extended services of over 100 persons. The program, costing approximately $18.9 million, covered 16 areas, including maintenance, training, safety management, fire protection, j security, and configuration management.
In 1983 Toledo Edison also formed a corporate Steering Group, headed by the Vice President for Nuclear, that reported to the President.
Performance Teams were organized to review issues of signif-icant safety or regulatory importance and their assessments identified whether problems were understood and whether reasonable interim actions were defined. Changes to interin action plans in the PEP program had to be approved by the plant manager and a Steering Group. The PEP program was reviewed by Region III in the light of improvements reouest-ed by NRC and other changes decided upon by Toledo Edison; one noteworthy example was a computerized maintenance management system.
A Senior Vice President for Nuclear, hired in July 1985, made a number of changes in the organization, among which t
were: (1) a preference for in-house rather than consultant '
expertise to assure technical continuity, and (2) consolida-tion at the Davis-Besse site of engineering and other support functions previously divided between the plant site and corporate headquarters.
31 i
The Technical Specifications for Davis-Besse require the establishment of review groups to consider and recommend facility changes and review plant operational data. Among other responsibilities, the Davis-Besse Station Review Group examines all safety-related transients and incidents at the plant and reviews and recommends approval for plant safe-ty-related operating procedures.
A Company Nuclear Review Board (CNRB) subsequently reviewed the decisions and recommendations of the Station Review Group. The CNRB initially drew upon personnel from Toledo Edison Nuclear and other company personnel and later added several outside experts. It met approximately 18 times per year and relied upon analyses performed by other groups in the corporate structure. The CNRB is responsible for reviews and audits of the plant's operations and procedures and for advising management in the areas reviewed. It also reviews issues resulting from regulatory actions (e.g., SALP reports, emergency planning changes, plant modifications and changes to Technical Specifications).
The Davis-Besse Maintenance Program The Davis-Besse maintenance program staff grew substan-tially--from a complement of 34 to 207--between 1977 and the 1985 incident. According to Davis-Besse management, the increase was in response to surveillance requirements of the Technical Specifications as well as the requirements result-ing from TH! and other regulatory issues.
At the time of the June 9, 1985 incident, Davis-Besse had 1339 open corrective work orders, 111 open facility change requests, and a preventive maintenance backlog of 405 work orders. There is evidence that prior to the event, a large backlog of equipment needing maintenance existed, some of which was undoubtedly due to deferring certain maintenance tasks until an outage period. The prevailing pre-event maintenance practice, particularly for the balance of the plant, appeared to be directed toward maintaining only that equipment essential for safe plant operation.
Operating nuclear utility experience demonstrates that many challenges to emergency safety systems arise from malfunc-tions in balance of plant equipment. Accordingly, a large backlog of maintenance items appears to have safety signifi-cance, even though related generally to non-safety grade systems and components. NRC periodic Systematic Assessment of Licensee Performance (SALP) reports !!, Ill, and IV indicated that improvement was required in Davis-Besse's maintenance program.
SALP assessments are performed over a period of a year or longer by teams led by Regional personnel. The purpose of 32
these reviews is to collect recorded observations on a periodic basis and evaluate licensee performance based on those observations. The assessments consider positive and negative attributes of licensee performance and emphasize an understanding of the reasons for a licensee's performance.
The SALP process and ratings focus on assuring that the resources of both the NRC and the licensee are allocated to functional areas needing improvement. SALP ratings are classified in three categories:
- 1. I&E inspection efforts can be reduced.
- 2. Inspections should continue at the same level.
- 3. Additional effort by the licensee and I&E is necessary to improve licensee performance.
Although 3 is the most unfavorable category, it constitutes
- acceptable reactor safety performance. SALP IV (1984) reported that maintenance personnel errors accounted for the submission to NRC of 8 of 13 Licensee Event Reports (LERs) and that 5 reactor trips (unscheduled plant shutdowns) were traceable to maintenance activities. Several equipment nalfunctions resulted from inadequate corrections of previ-ous equipment failures, including a containment building j isolation valve and the safety features actuation system 4 radiation meter. NRC's SALP IV assessment of Davis-Besse's maintenance reorganization was that "an appreciable improve-
, ment in field performance was not observed." Region III
- l personnel submitted no information that the resources and organization for the Davis-Besse maintenance program were markedly different from organizations at other plants.
I Since the incident, the Davis-Besse maintenance program has been substantially reorganized and a new maintenance manager has been appointed. A major maintenance facility planned l
prior to the incident is now under construction.
l INPO has prepared guidelines for a "high level of perfor-mance" maintenance program covering items such as mainte-nance department organizations and administration; training and qualification of maintenance personnel, and maintenance facilities, equipment, and tools. " Guidelines for the Conduct of Maintenance at Nuclear Power Stations" (INP0-85-038). Davis-Besse plans to obtain INP0 accredita-tion by the end of 1986 or earlier for the plant's mainte-nance training program.
The Davis-Besse Quality Assurance Program The four SALP reports on Davis-Besse call attention to several quality assurance (QA) problems which were taken by 33
SALP evaluators to indiccte a lack of upper management direction and involvement in the QA program.
Toledo Edison hired an outside organization (CER Corpora-tion) to independently assess the Davis-Besse QA program in October 1984. The study was completed after June 9, 1985.
It identifies a number of quality control issues, such as centralizing document control, expanding the role of quality engineering beyond procurement, and coordinating work with NRC to improve SALP ratings. All issues identified in the report are currently under review by the NRC staff.
Davis-Besse Plant and Safety Performance The Ad Hoc Group reviewed several information sources bearing on Davis-Besse plant and safety performance. In addition to NRC SALP reports, a Region III Davis-Besse Study Group report written after the June 9, 1985 event, was also considered.
SALP results for Davis-Besse are summarized in Table 5.1.
It shows that of the 11 functional areas reviewed in SALP IV, five were rated as Category 3 and three of these five were declining in performance. Four of the remaining six functional areas were rated as 2, and two of those were improving.
SALP reports on plant operations, surveillance and testing, and licensing activities were consistently rated as adequate (i.e., as category 2) while refueling operations rated as category 1. SALP I report (December 31, 1980) noted that a large number of " serious regulatory concerns existed with the Davis-Besse operation" and that Davis-Besse operating performance was " clearly below average" compared with other Region III licensees. In commenting on the SALP 11 report, the NRC Regional Administrator concluded that overall regulatory performance at Davis-Besse had shown considerable improvement. However, in his letter on SALP IV (1984), he commented that a noticeable positive impact was not evident during the appraisal period and that performance had declined.
Subsequent to the 1985 incident, Region III established a study group that broadly reviewed the history of Davis-Besse between March 1979 and June 1985. It conducted its review using LER and inspection history, status of TMI items, and a review of management and enforcement meetings. (Attach-ment F of the Study Group Report, with violations catego-rized by SALP functional areas, is reproduced as Table 5.2.)
The Group's report also showed that after TMI through 1983 Davis-Besse submitted 391 Licensee Event Reports (LERs) to NRC.
34
3 Table 5.1 SALP Ratings at Davis-Besse*
Period of Review **
Functional Area I II III IV
- 1. Management Control 2
- 2. Plant Operations 2' 2 2 2
- 3. Refueling Operations 2 1 1 1
- 4. Maintenance 2 3 3+ +3
- 5. Surveillance and Pre-op. Test. 2 2 2+ +2
- 6. Training 2 3+
- 7. Radiation Protection 2 1 1 1
- 8. Environmental Protection 2 2
- 9. Emergency Planning 3 1 2+ 3+
- 10. Fire Protection 2 2 2 +3
- 11. Security and Safeguards 3 2 +2 2
- 12. Design Changes and Modifications 2
- 13. Reporting 2
- 14. QA Audits 2 3 3+
- 15. Communications Activities 2
- 16. Quality Control 2
- 17. Procurement 2
- 18. Licensing Activities 2 2+ +2
- Blanks indicate factors not rated; arrows indicate whether performance is improving (left) or declining (right).
- Period of Review: I November 1, 1979 to October 31, 1980 II November 1, 1980 to March 31, 1982 III April 1, 1982 to March 31, 1983 IV April 1,1983 to August 31, 1984 35
~ .
Table 5.2 Summary Of Violations SALP Functional Areas 78 79 80 81 82 83 84 85 Plant Operations 2 5 3 2 7 2 5 5 Radiological Controls 5 1 8 0 0 0 0 1 1
l Maintenance 1 2 1 4 6 6 5 3 Surveillance 3 1 2 3 4 2 5 2 a c l Fire Protection 2 4 2 1 6 9 O 0 Emergency Preparedness 0 0 0 0 0 0 2 1 Security 8 7 24 1 4 2 4 1 Refueling 0 0 0 0 0 0 0 0 Quality Programs &
Administrative Controls 8 9 1 2 4 3 16 11 Training b b b b b 2 1 2 TOTALS 29 29 41 13 31 26 38 26 a Fire protection violations under consideration for possible escalated enforcement action.
b Not rated as a SALP functional area during this year.
c Following inspection conducted in June 1984 (IR 84-10);
no violations were identified.
36
From data submitted by Toledo Edison, it is evident that the plant has a history of operational problems and equipment failures that resulted in a significant number of plant outages and an adverse impact on plant capacity factor. The average capacity factor from 1978 to 1984 was roughly 45 percent, for which annual data are shown in Table 5.3.
Table 5.3 Capacity Factor and Plant Outages from 1978 to 1985 Capacity Plant Number of ;
Year Factor Outage Outages l
(%) (Days) 1978 35 188 14 1979 41 192 14 1980 27 212 19 1981 57 129 12 1982 42 177 4 1983 64 99 15 1984 56 136 6 1985 26 -- --
The Ad Hoc Group has not evaluated how SALP ratings, LERs, Technical Specifications, Operational Violations and forced outage times at Davis-Besse compare with an average nuclear power facility.
Organization for Nuclear Management It is difficult to show a causal relationship between specific Toledo Edison management, operation and maintenance programs and the equipment failures that caused or exacer-bated the June 9, 1985 incident.
As reflected in the various SALP reports and management and enforcement conferences, the effectiveness of management controls and corrective action programs at Davis-Besse was a general NRC concern. Toledo Edison management responded by reorganizing a number of times to gain better control of its nuclear operation. Nevertheless, the NRC Region III Admin-istrator judged the management to be weak because he said it was unable to operate consistently within Agency regula-tions. He indicated further that when top utility manage-ment is a part of the problem, NRC inspectors find it more 37
difficult to delve into management issues. Neither Region III nor NRC Headquarters personnel appear to have the requisite expertise to assess management performance.
The current Vice President for Nuclear, Toledo Edison, offered observations on management competence in operating nuclear organizations. First, with respect to the Board of Directors of a nuclear utility, two important skills that should be represented are extensive experience in actually managing a nuclear utility program and extensive experience in managing the budget for a nuclear utility program. If persons with such skills are not on the Board, experienced consultants with these skills should be obtained and should report to the Board, or to a subcommittee of the Board that is responsible for the nuclear affairs of the company.
Second, with respect to staffing, personnel should be hired and trained who are capable of working in a highly regulated industry; a utility must be able to compete in the job market for the highly skilled personnel necessary. It is also important for these executive skills to be represented in NRC to produce effective regulatory performance.
The General Accounting Office, in a January 1986 report rec-ommends that NRC establish criteria where significant improvements are an issue, that results in NRC being required to mandate improvement progrcms or document why they are not warranted. The report noted Davis-Besse as one of the 12 operating nuclear plants required to implement facility-wide improvement programs. (" Nuclear Regulation:
Oversight of Quality Assurance at Nuclear Power Plants Needs Improvement," GA0/RCED-8641.)
Both the industry's Institute for Nuclear Power Operations (INP0) and the NRC staff have been trying to develop perfor-mance indicators to assist in judging management perfor-mance. The Office of Inspection and Enforcement (I&E) is responsible for the coordinated plan to develop performance indicators for NRC.
Regulatory Oversight Neither the Atomic Energy Act nor NRC's regulations includes a single integrated section that addresses requirements related to licensee management performance. The only provision of the Atomic Energy Act that may be pertinent is Sec. 103 b., which states that "the Commission shall is-sue... licenses...to persons...who are equipped to observe and who agree to observe such safety standards to protect health and to minimize danger to life or property as the Commission may by rule establish."
The Davis-Besse Nuclear Power Station is subject to the rules and regulations of the U.S. Nuclear Regulatory 38
Commission (NRC) as specified in Title 10 Code of Federal Regulations, Part 50, " Domestic Licensing of Production and Utilization Facilities," and its Appendices (10 CFR 50).
The plant design must meet the General Design Criteria of 10 CFR 50 Appendix A and the quality assurance program must comply with the Quality Assurance Criteria for Nuclear Power Plants in Appendix B. Plant operations must also conform with Commission rules specified in the regulations as well as the operating license, conditions of the license, and the plant's Technical Specifications.
The NRC staff review and evaluation of the Davis-Besse application for a license was guided by NRC's Standard Review Plan (SRP). The application was also reviewed by the Commission's Advisory Committee on Reactor Safeguards
. (ACRS). NRC's Office of Inspection and Enforcement (I&E) made periodic inspections of the facility during its con-struction and continues to inspect the plant's operations.
NRC's requirements for safe plant operation include the license conditions contained in 10 CFR 50.54. Among other conditions, licensee management is prohibited from allowing anyone who is not a licensed operator from manipulating a reactor's controls.
Regulations governing safe plant operations are also regu-lated by provisions in 10 CFR 50.36, which describes infor-mation which must be included in a licensee's Technical Specifications. The Technical Specifications include an organization chart of the corporate structure for offsite Toledo Edison facility management and technical support and administrative controls necessary for management to assure safe operation of the plant. Station staffing and plant organization are also described.
The requirements for the licensee's management of quality assurance (QA), specified in Appendix B to 10 CFR Part 50, specify that QA program managers be given direct access to the appropriate levels of management to perform the QA function. Appendix B also requires QA independence from cost and schedule considerations where safety is involved.
Part 50.72 contains the notification requirements for various emergency and nonemergency events which are applica- ..
ble to licensee management; the licensee is responsible for informing NRC if a reportable event occurs at the plant.
Impact of Regulatory Oversight There are many NRC requirements, besides those discussed above, that have an impact on how management performs in operating and maintaining a nuclear plant.
39 1
The NRC staff principally performs its oversight of licensee programs through the Offices of Nuclear Reactor Regulation (NRR) and Inspection and Enforcement (I&E). The mechanisms used include license conditions and Technical Specifica-tions, rulemaking, regulations, policy statements, Commis-sion Papers, Confirmatory Action Letters and Orders, Generic Letters , Bulletins , Circulars , TMI Action Plan letters ,
Regulatory Guides, the Standard Review Plan, Branch Techni-cal Positions, and Unresolved Safety Issue Resolution Reports. Mechanisms used to interpret requirements include approval of topical reports, Safety Evaluation Reports, the Inspection and Enforcement Manual, the Project Manager's Handbook, I&E Headquarters Positions, and open issues resul. ting from inspections. Mechanisms used to communicate requirements to licensees include inspector entry, exit and management meetings, staff information exchange meetings, Information Notices, phone calls and site visits, Prelimi-nary Notifications, public meetings, workshops, resident inspector dail l al Team (PAT) reports, y contacts, SALP reports, Commission Performance Papers, and others.Apprais-Enforcement actions include notices of violations and deviations, enforcement conferences, civil penalties and orders to cease and desist and to suspend, modify or revoke a license.
That this plethora of requirements has an impact on licensee performance cannot be overemphasized. Between the TMI-?
accident in 1979 and the June 9, 1985 incident, there were 72 amendments to the Davis-Besse operating license, or approximately one per month. The Toledo Edison Corporate Nuclear Review Board Chairman indicated that the Board's activities were driven by the licensee's Technical Specifi-cations so that most of its time was spent on paper reviews rather than on assessing plant performance. Out of nearly 400 items that the CNRB tracked between 1979 and 1985, approximately 40 related directly or indirectly to the AFWS alone.
Senior technical personnel at Davis-Besse advised that the complexity and multiplicity of regulatory requirements complicated effective management of the plants. The situation was underscored by the Assistant Plant Manager with respect to fire protection requirements alone: "Every month it seems a different person comes in, wants you to do something. In the meantime you are so busy spinning your wheels on these things, you are losing track." He also thought that, although the regulations and regulatory activity in any single area may be well-founded, the totali-ty of NRC requirements adds greatly to management burdens in operating the plant. It was alleged that the regulatory requirements are not always consistent and two examples related to the Davis-Besse incident were cited. First, during the incident, plant physical security barriers slowed 40
l operator access to areas in the plant crucial to bringing the plant under control. Second, the NRC requirement isolating the startup feedwater pump proved to be an impedi-ment in securing prompt recovery of the plant.
The Group discussed with the EDO, major office directors and Region III personnel, the potential negative impacts on safety f rom regulatory oversight. There was no consensus on this issue, although there was substantial agreement that certain regulations or combinations of regulations could decrease safety and that NRC oversight could be too heavy in certain areas. The staff has been aware of this impact, as is evident from its efforts in the TMI lessons learned task force, the current staff review of certain regulatory requirements (reactor containment building leakage and licensing review of fuel design), the current review process to control rulemaking, current revisions to the CRGR char-ter, and the Manual guidance for management of plant-specific backfitting in nuclear power plants.
The Group did not want to assess whether regulatory over-sight is a problem based solely on interviews with Da-vis-Besse management and staff. To gain added perspectiv the Group interviewed executives of four other utilities.g, The Vice President of Commonwealth Edison, with 15 years in the nuc' lear business, stated "I am still concerned that for most of our plants the greatest problem that we have is trying to deal with all of the requirements." The Vice President of Florida Power stated, "One of the things we have learned as an, industry, and regulators understand this also, is you don't want to challenge your system when it's operating. Yet the standard tech specs put me into a position of requiring me to do tens of thousands of surveil-lances during the course of the year with my reactor operat-ing, to encourage it to trip."
The Vice President of Duke Power Co. indicated that the impact of regulation had produced an unmanageable situation at some nuclear plants. Where regulatory recommendations are made that the utility believes have no valid basis, the recommendations need not be followed. If the utility does not have the resources to take such a position, however, the utility can become so involved in responding to the recommendations that it cannot manage the plant properly.
5 The utility representatives were also questioned about the IIT process and the effectiveness of NRC oversight on poor nuclear plant management practices.
41
I The Assistant General Manager, Nuclear, of the Sacramento Municipal Utility District stated that "it is the intensity which the management people and the technical people have to deal with the regulatory process that really eats up...the manpower and manhours that I think would be better placed on the details of the plant...."
Finally, the Group noted the rather extensive exploration of the " Safety Impact of Regulatory Activities" conducted by senior members of the NRC staff itself in 1981 (NUREG-0839).
Comments of the 12 utilities surveyed for the study were strikingly similar. With few exceptions, no NRC requirement was viewed in itself as unsafe or unreasonable. The single survey finding was that "notwithstanding the competence and good intentions of the staff, the pace and nature of regula-tory actions have created a potential safety problem of unknown dimensions." The problems cited are the large number of regulations and the many regulatory bodies in-volved, varying interpretations by inspection personnel, extensive growth in surveillance testing, delays in agency approvals, and the adversarial environment in which NRC reviews are sometimes conducted. Time limitations on the Group review did not permit an adequate opportunity to determine whether these problems influenced the incident at Davis-Besse.
The Commission, in its 1986 Policy and Planning Guidance to the staff, has called for a comprehensive review of NRC regulations and a reduction in the numbers and prescriptive-ness of both regulations and Technical Specifications. The Group's review supports the need for such a ^omprehensive review.
The Group sought suggestions from NRC, utility, and industry officials as to how the regulatory process could be im-proved, both from the standpoints of regulations which may be detrimental to safety and of more effective regulation.
The Group knows that the ED0 has strongly urged utilities to implement " integrated living schedules" for accomplishing both NRC-induced and utility-initiated changes or other actions for their plants. There is some hesitancy, however, on the part of many utilities to cooperate until they can evaluate the initial experience of those complying with the new schedule. The concept of an integrated, flexible schedule is generally supported, but it appears that more effort is needed both by the staff and the licensees to make it work.
The Group was disturbed by allegations that the whole process was overly adversarial, that it took place in an environment of hostility and confrontation, and that often it dealt with " picayune detail" and questions that do not 42
enhance plant safety but engender resentment by operators and engineers toward NRC. A criticism, presumably directed primarily at Headquarters staff, was that little reactor operation or plant management experience can lead to a lack of understanding of the difficulty of implementing staff requirements in the field. The Group understands that the Commission is taking steps to ameliorate the situation.
When the Davis-Besse AFWS was designed, it was a bal-ance-of-plant (B0P) system and was not required to be safety-grade, although it was essentially safety grade.
Accordingly, it was not treated as safety grade by the staff in its design review.
The General Design Criteria, first published in 1971, apply .
to structures, systems and components "important to safety." -
A 1981 memorandum from the Director of NRR states that "important to safety... encompasses the broad class of plant features, covered (not necessarily explicitly) in the General Design Criteria, that contribute in an important way to safe operation and protection of the public in all phases and aspects of facility operation (i.e., normal operation and transient control as well as accident mitigation)." It also states that the important-to-safety class includes the safety-grade class. Utilities, however, have used the two terms synonymously, relegating those items not safe-ty-related to the class "non-safety related." The Introduc-tion to the General Design Criteria points out that some of the specific design requirements for structures, systems, and components important to safety have not as yet been suitably defined. Their omission, however, does not relieve any applicant from considering these matters in the design of a specific facility and satisfying the necessary safety requirements. These matters include, for example, consider-ing redundancy and diversity requirements for fluid systems important to safety. Confusion has persisted over what design and quality assurance criteria apply to 80P items.
Conclusions The number of organizational changes made by Toledo Edison in its pre-event nuclear mission and programs to enhance reactor safety performance were not sufficient to prevent the June 9, 1985 incident; neither was.NRC oversight and enforcement effective in preventing the incident.
It was not apparent that Toledo Edison's Company Nuclear Review Board (CNRB) performed its overall audit function of plant safety effectively.
There were deficiencies in the effectiveness of the manage-ment and oversight of plant operations which had been recognized in NRC's SALP evaluations.
43
l The Group recognizes that balance of plant items are impor-tant to safety.
The pre-event maintenance program at Davis-Besse was charac-terized by many weaknesses and deficiencies. The pre-event preventive maintenance program was not systematically developed and managed.
Compliance with the substantial, growing volume of prescrip-tive regulatory requirements may have acted to reduce rather than increase plant safety.
Recommendations t
The NRC should shift emphasis away from detailed, prescrip-tive requirements toward performance-based requirements. A systematic, continuing review of NRC's regulatory require-ments embodying the full scope of regulatory oversight is needed to ensure that these requirements are coherent, consistent, and act to improve plant safety. Responsibility for this function should be assigned to a specific office.
NRR management and Regional Administrators should meet with the licensee's Board of Directors when a plant's deteriorat-ing performance warrants. The purpose of such meetings would be to discuss the adequacy of the licensee's activi-ties to protect the health and safety of the public. It would also provide the Board with an opportunity to express its views on the effectiveness of the current regulatory process.
NRC should take advantage of INP0's programs to assess licensee's maintenance management programs to the extent reasonable and practical.
The staff should improve its follow-up on licensee correc-tive actions. Licensee " integrated living schedules" should be encouraged.
Resolution of the "important to safety" issue, and its application to balance of plant (80P) items in existing, as well as future plants, deserves high priority. (The Group understands that I&E has responsibility for resolution of at least part of this problen.)
44
6 NRC INCIDENT INVESTIGATION PROGRAM Background for the Incident Investigation Program The Kemeny Commission report of its investigation of the accident at Three Mile Island (THI) recommended creation of an independent safety organization to provide NRC with reactor safety oversight. The Rogovin Inquir Special Inquiry Group on the TMI-2 accident) yalso(NRC's specifi-cally recommenced the establishment of an independent Nuclear Safety Board. As a result of a Congressional requirement in the NRC's FY 84 appropriation legislation, the NRC Office of Analysis and Evaluation of Operational Data (AE0D) requested that Brookhaven National Laboratory (BNL) evaluate the feasibility of such a Board.
On February 15, 1985, BNL, after evaluating various indepen-dent safety board options, recommended that NRC consider an independent Nuclear Safety Board or expand the scope of the Advisory Committee on Reactor Safeguards (ACRS) to provide an oversight function. The ACRS supported the BNL proposal for an independent safety organization.
Subsequently, the Commission directed the NRC staff to evaluate the BNL report. The staff recommendation appears in SECY-85-208 and was approved by the Commission in October 1985. The paper recommended establishment of an Incident Investigation Program (IIP).
The Group assumed SECY-85-208 to be basic Commission guid-ance for the NRC's IIP. The staff subsequently prepared draft Manual Chapter (MC 0513) on the IIP. The Group, in addition to the Davis-Besse investigation, considered the practices and procedures followed by the investigations for San Onofre and Rancho Seco. In assessing the IIP, the Group made no evaluation of independent safety organizations, such as those recommended in the BNL report.
Mandate and Instructions for Incident Investigation Teams (IITs)
The need for an IIT is to be determined by the potential safety significance of an event, its nature and complexity, and its potential generic implications. Events judged by the staff to be of lesser safety significance are to be investigated either by a Regional Augmented Inspection Team or through the normal inspection process. The Executive 45
Director for Operations (ED0) authorizes an IIT based on recommendations from AE00, the Office of Inspection and Enforcement (I&E), the Office of Nuclear Reactor Regulation (NRR), the Office of Nuclear Material Safety and Safeguards (NMSS), and Regional Administrators.
The program is designed to ensure that an investigation is structured, coordinated, and formally administered in order to be prompt, thorough and systematic. An IIT is to collect and document factual information and evidence and concen-trate on probable causes of an incident rather than on possible violations of NRC rules and regulations.
MC 0513 indicates that the investigation should include the relevant facts and circumstances necessary for a full understanding of the event. The investigation would also identify probable causes and assess any pre-event relation-ship or interaction between the licensee and NRC which contributed directly to the event. MC 0513 also provides guidance as to areas for investigation, to include condi-tions preceding the event, event chronology, systems re-sponse, human factors considerations, equipment performance, precursors to the event, safety significance, and radiologi-cal considerations. Areas excluded from the investigations include wrongdoing or individual responsibility, generic implications for other plants, adequacy of plant design, and the licensing basis for the facility.
The Davis-Besse IIT was given 30 days to complete its investigation, but required 44 days. The San Onofre and Rancho Seco IITs were given 45 days to accomplish their tasks and were given the additional assignment of assessing pre-event interactions between NRC and the licensees.
Capabilities of IIT Members The ED0 selects Team Leaders from the Senior Executive Serv-ice who have not had significant prior involvement in the licensing or inspection of the plant involved. The Leader selects other Team members from pre-approved rosters. Fu-ture IIT members will receive investigative training before assignment, to the extent practical. Members will continue to be selected on the basis of technical and operational ex-pertise, and their freedom from direct involvement in the licensing or inspection of the plant involved. Representa-tives from outside NRC (e.g., INP0, nuclear steam system suppliers) can be invited to participate in incident inves-tigations. The Rancho Seco IIT included a representative from INP0 who, although involved in the Team's evaluations, was not a signatory of the Team's final report.
46
IIT Operational Procedures The information ecllection and evaluation process for the three IITs was similar. Members interviewed plant personnel and reviewed plant data for the period immediately preceding and during the event. Failed equipment and control room in-strumentation and controls were inspected. The equipment which malfunctioned and contributed to the event was quaran-tined cally.go Thethatteams troubleshooting obtained photographic could be performed systemati-documentation of failed or damaged equipment, a valuable technique in their investigations.
The Davis-Besse IIT made transcripts available to personnel interviewed, and permitted them to be interviewed in the presence of advisors or counsel. Transcripts were also made available in the subsequent incident investigations at San Onofre and Rancho Seco.
The IITs placed high priority on interviewing personnel on shift during the event. Scheduling problems made strict adherence to this policy impossible. In some cases, the IIT was split into two groups to expedite the interviews.
During an investigation, the appropriate Regional Office issues confirmatory action letters to verify that the utility will not perform additional work on faulty equipment until the utility's troubleshooting plans can be reviewed by the IIT. The Team Leader has the authority to add or remove equipment from the quarantine list. The Regional Inspectors and the Regional Office oversee the troubleshooting process and report their results to the IIT.
In interviews with four other nuclear power plant licensees, concern was expressed about equipment unnecessarily quaran-tined that was unrelated to the incident. In their view, such equipment should be released as soon as possible to ex-pedite plant recovery work. The Westinghouse Owner's Group has expressed the same concern. SECY-85-208 calls for the prompt release of quarantined equipment unrelated to the in-cident, and MC 0513 and IIT training should emphasize this issue. Prolonged quarantining of equipment brings into question the licensee's responsibility for the safe condi-tion of the plant.
0 Quarantining in this context refers to the practice of physically removing or otherwise isolating equipment to keep it off limits to unauthorized plant personnel so that infor-mation about the root causes of its malfunction is not lost or inadvertently destroyed by activities subsequent to the incident.
47 1
During the Davis-Besse investigation, misunderstandings arose regarding legal representation for utility employees interviewed by the IIT. Some of those questioned felt it necessary to have legal or other representatives present.
Although such interviews are conducted on a voluntary basis rather than as the result of subpoenaed appearances, consti-tutional considerations of due process favor granting the interviewee the right to legal representation and the advice of counsel during the interview. Despite the IIT's nonadversarial investigation, consequences resulting from it may lead to enforcement actions and, under some circumstanc-es, criminal sanctions. Because the IIT engages in a fact-finding, nonadjudicative investigation, the participation of counsel may be limited by the Agency.
Toledo Edison personnel and the NRR Project Manager for Davis-Besse were concerned because normal communications between them concerning pending issues were deferred until completion of the IIT investigation.
The Group examined the role of NRC's Office for the Analysis and Evaluation of Operational Data (AE00) in coordinating the administration of the IIP. Both SECY-85-208 and MC 0513 identify AE00 as providing administrative support to and 1.iaison between the IIT Leader and the ED0 during an inves-tigation. The three IIT Leaders unanimously stated that the AE0D support role in no way reduced their efforts to conduct a thorough and independent investigation.
The Group considered NRC-Toledo Edison pre-event interaction as it may have been a part of a root cause for the Da-vis-Besse incident. The Group's review did not disclose any basis in the Davis-Besse IIT report (NUREG-1154) for alleged superficial licensee management and maintenance practices, nor the foundation for concluding that the incident was caused by a lack of attention to detail in the maintenance of plant equipment. An evaluation of NRC-Toledo Edison interaction that might have been associated with the incident was not performed by the Davis-Besse IIT--being considered outside o' its mandate--but was performed to an extent in the San Ontfre and Rancho Seco investigations.
The Group believes that investigations of pre-event NRC interactions might better be conducted by an Office report-ing to the Commission rather than to the EDO. The Office of the Inspector and Auditor (0IA), which performed a similar function in connection with the Davis-Besse incident, could carry out this responsibility. The OIA, when necessary, could use technical consultants from within and outside the Agency. This approach would still make the IIT responsible for describing the pre-event interaction directly applicable to the event. However, an OIA role would eliminate any concerns over whether the NRC staff should investigate 48
l itself or whether an IIT lacks independence because it reports to the EDO.
Use of the Davis-Besse IIT Report by the NRC Staff The NRC Staff Action Plan, which includes some pre-event unresolved items, responded to all the items listed in the Davis-Besse IIT report. The ED0 also directed that a reappraisal of the adequacy of the basic design of B&W reactor plants be undertaken. The B&W Owner's Group is to handle this responsibility, subject to staff review and approval.
On August 5, 1985, an ED0 memorandum requested all NRC office directors to conduct an "in-depth and searching reappraisal of the effectiveness of their programs and the lessons learned of the Davis-Besse event." As a result, a number of substantive staff actions were proposed or initi-ated. The EDO directed the staff's attention to the follow-ing issues: (1) that safety issues be identified and com-pleted in a timely manner, (2) that the potential for the positive and negative safety impacts resulting from regula-tory actions be considered, and (3) that increased emphasis be given to balance of plant equipment.
In addition to the B&W design reassessment, the results of the EDO and staff director evaluations produced the follow-ing decisions: (1) an improved issue-tracking and manage-ment system, (2) periodic performance appraisal meetings on operating facilities, (3) development of licensee perfor-mance indicators, a'nd (4) increased regulatory attention to balance of plant and the safety ramifications of regulatory actions.
Follow-on Incident Investigation Team Reviews The Rancho Seco and San Onofre IITs examined, to an extent, the NRC staff-licensee pre-event interactions. In the case of Rancho Seco, the IIT Team Leader noted that although the staff had serious concerns in the past 6 to 8 years about precursors to that event, Rancho Seco management had not implemented the actions required nor had the NRC staff pursued these issues to ensure their implementation. For example, the staff believed that the emergency feedwater initiation and control (EFIC) system would be installed at Rancho Seco in 1984 in response to NRC requirements. In fact, an alternate system was subsequently installed, but the design was not approved nor made clear tc the NRC staff, and may not have complied with NRC requirements.
49
Conclusions The mandate for Incident Investigation Teams is adequate for conducting NRC incident investigations.
The Davis-Besse IIT report would have been enhanced if the team had been instructed to examine pre-event NRC-licensee interactions.
There is need for NRC to conduct seminars or workshops to inform licensees in advance of the fundamentals of an NRC incident investigation. (The Group understands that such a program is being considered by AE0D.)
The Davis-Besse IIT members possessed adequate technical expertise to comply with the requirements necessary to perform their investigative task. The Group endorses a suggestion that IITs receive incident investigation train-ing.
The Davis-Besse IIT report effectively described the se-quence of events of the June 9, 1985 incident. However, the report's observation that Davis-Besse had a history "of evaluating operating experience related to equipment in a superficial manner," was not supported in the report. The conclusion that the underlying cause of the main and auxil-iary feedwater event was the licensee's lack of attention to detail in the care of plant equipment was also not supported in the report.
The ED0 Action Plan following the incident made adequate use of the report findings and conclusions. The ED0 Action Plan since it also included the requirement for the NRC staff to reappraise its programs, planning, and actions based upon lessons learned from the Davis-Besse incident.
Unless organizations such as utilities, INP0, EPRI and reactor vendors are involved in the formulation of and are familiar with IIT procedures, they may not be willing or prepared to participate in future investigations.
Recommendations Expedite the development of detailed procedures for the formation, training, operation, and reporting requirements of future IITs. These procedures should clearly define the (a) scope of the investigation and its schedule; (b) mode of operation for the team; (c) legal constraints and rights of licensees and employees, including NRC employees; (d) quarantining equipment, with clearly defined roles for the licensee and the Region; and (e) completion of the assign-ment. These procedures should be developed and coordinated with the nuclear power industry, and Agency personnel should 50
__ __ _ _ _ l
meet with them to explain the role of IITs and how they will function.
Participation on IITs of members from INPO, EPRI, vendors, other utilities, and Federal and State agencies with appli-cable technical expertise, when appropriate, should be encouraged.
The Commission should assign 01A to investigate pre-event interaction between the NRC staff and the licensee.as it may be relevant to the root cause of the event.
The NRC manual chapter and other appropriate procedures should specify guidelines concerning the role of counsel or other advisors for personnel interviewed by an IIT.
The IIT incident investigation training program should be accelerated and consideration given to extending some of this training to Augmented Inspection Team candidates and other ISE staff members.
51
i m eRYNuMu - - ,oc ,v., .., ,
g,,0=M= u NuCtua muu.TDR v COMM ss.ON ET'EE' BIBLIOGRAPHIC DATA SHEET NUREG-1201
$EE INSTf;uCTIONS ON THE REVERSE 2 Ts'(LE AND $uSTITLE 3 LE ave SLANE Report of the Independent Ad Hoc Group for the Davis-Besse Incident
. DATE REPORT COMPLETED MONTH vEAR
. Auf oms, May 1986 6 DATE REPORT 155uED MONTH VEAR June 1986 F PE FORalNG ORGANt2ATION NAME AND MAILING ADDRE55 fsac% dele Coms 8 PROJECTrT ASEveORK UNIT NUMBE R Ad Hoc Review Group . m OR ORA ~T NuMua U. S. Nuclear Regulatory Commission Washington, D.C. 20555 10 SPON50 RING ORGANIZATION NAME AND MattsNG ADDRES$ (!v4delg Coses 11e TYPE OF REPORT Independent Review Same as 7.
O PE RIOD COV ERED finc4sewe deresJ 12 SUPPLEMENT ARY NOTES 12 ABSTRACT (200 words or sess/
The Nuclear Regulatory Commission established an independent Ad Hoc Group in January 1986 to review issues subsequent to a complete loss of feedwater event at Davis-Besse Nuclear Power Station on June 9,1985, including the NRC Incident Investigation Team (IIT) investigatior: of that event. The Commission asked the Group to identify additional lessons that might be learned and frem these to make recommendations to improve NRC oversight of reactor licensees. To fulfill its charter, the Ad Hoc Group examined the following: (1) pre-event interactions between the licensee and NRC concerning reliability of the auxiliary feedwater system and associated systems; (2) pre-event probabilistic assessments of the reliability of plant safety systems, NRC's review of them, and their use in regulatory decisionmaking; (3) licensee management, operation and maintenance programs as they may have contributed to equipment failures and NRC oversight of such programs; and (4) the mandate, capabilities of members, operation, and results of the NRC Davis-Besse IIT, and the use to which its report was put by the regulatory staff.
- i. DOCuM.NT AN ALys,s . . E v.0 Ds DEsc .eTO s
- i. Av,A g Yv Auxiliary Feedwater System Probabilistic Reliability Analysis Unlimited
'6 $ECURtTY CLA$$iF CATION IThe oeger e iDENiintas OPEN ENmD teams Unclassified Davis-Besse n-- rri Incident Investigation Teams Unclassified Nuc1 ear Regulatory Commission "*""o"*"5 18 PRICE
7 PAGE: l' U.S. NUCLEAR REGULATORY COMMISSION DA TE : 06/17/86 PACKING SLIP USNRC ORDER NUMB: A15481-00001 SAN 3Y SCH3WMAN ORDER TYPE: 2 1149HST DOCUMEMT NO. QTY 9 COST TOTAL COST COMMENTS NUREG1201 4 T3TAL DOCUMENTS OR3ERED : 4 TOTAL DOCUMENTS ENCLOSED: 4 l
I I
l A
UNITED STATES se erwetass nar NUCLEA3 RE ULATGY COMMISSION * ^ Q '5*^*
WASHINGTON, D.C. 20655 4Asagcg OFFICIAL BUSINESS
- PENALTY FOR PRIVATE USE, $300 -
1 i
3g Ohh0[^^^^^^^^^^^^^444,4 S AtJO Y SCHoungy '
1149hST O
O e
D O
t O
O M
O O
O e
4 9
.c o
a i
t