ML19345E831

From kanterella
Revision as of 07:28, 3 January 2020 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Testimony in Response to CLI-80-05,Issues 8 & 9,re License Infraction,Ler & Operating Experience History.Prof Qualifications Encl
ML19345E831
Person / Time
Site: Three Mile Island Constellation icon.png
Issue date: 02/02/1981
From: Koppe R
METROPOLITAN EDISON CO.
To:
Shared Package
ML19345E827 List:
References
CLI-80-5, ISSUANCES-SP, NUDOCS 8102060225
Download: ML19345E831 (49)
v  d  e


Text

.-

-

-

O LIC 2/2/81 UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION BEFORE THE ATOMIC SAFETY AND LICENSING BOARD In the Matter of )

)

METROPOLITAN EDISON COMPANY ) Docket No. 50-289 SP

) (Restart)

(Three Mile Island Nuclear )

Station, Unit No. 1) )

l l

l LICENSEE'S TESTIMONY OF ROBERT H. KOPPE IN RESPONSE TO CLI-80-5, ISSUES 8 AND 9 (LICENSEE'S INFRACTICN, LER AND OPERATING EXPERIENCE HISTORY)

!

,

8102060$${

. __ _.

.

INDEX 1

INTRODUCTION ...............................................

3 DATA BASES .................................................

3 TMI-l LERs ............................................

3 OPEC-2 ................................................

5 LER Data Base .........................................

5 OPERATING AVAILABILITY .....................................

7 Gross Unit Performance Statistics ......................

1 Unit Performance Statistics Disaggregated 10 by System ........................................

Summary and Conclusion Regarding 22 Ope r ating Av a ilab ility . . . . . . . . . . . . . . . . . . . . . . . . . . .

23 SAFETY RELATED PERFORMANCE .................................

Number of LERs and Ncncompliances .................... 23 27 TM I - l LE Rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

,

29 l

,

Personnel Errors .....................................

34 Loss of Safety System Function .......................

l 42 CONCLUSIGN .................................................

l s

-

!

. . , . . . , . _ , . _ . - - - , , . . _ . , ., . - . - - _. .

-

.

OUTLINE The purpose and objectives of this testimony by Robert H.

Koppe, Manager of Reliability and Safety Projects with the S.

M. Stoller Corporation, is to respond to Issues (8) and (9) of Commission Crder CLI-80-5, which question whether any conclu-sions can be drawn regarding Licensee's ability to operate Unit 1 from a comparison of TMI infraction, LER and operating history with industry-wide statistics. Mr. Koppe, using data from TMI and industry drawn from LER's and from OPEC-2 (a data base maintained by the S. M. Stoller Corporation for EPRI) concludes that operating performance of TMI-l has been con-siderabl'g better than average for other B&W units, other PWR units and other nuclear units in general. This is attributable to good design and to efficient management. Mr. Koppe details l TMI-l's safety-related performance with that of industry by i

i comparing the number of LERs and NRC noncompliances, the rate i

of occurrence of personnel and procedural errors, and the failure rate of safety-related systems. His coac!usion is that l TMI-l's history is average or somewhat above, and that opera-tions of TMI-l prior to the March, 1979 accident at TMI-2 were such as to provide an adequate level of safety.

.

This testimony, by Robert H. Koppe, Manager of Reliability and Safety Projects with The S. M. Stoller Corporation of Boulder, Colorado, addresses the following issues posed by the Commission in its March (, 1980 Order, CLI-80-5:

l ISSUE (8) l What, if any, conclusions regarding Metropolitan Edison's ability to operate Unit 1 safely can be drawn 4 from a comparison of the number and type of past infrac-tions of NRC regulations attributable to the Three Mile Island Units with industry-wide infraction statistics; ISSUE (9)

What, if any, conclusions regarding Metropolitan Edison's ability to operate Unit 1 safely can be drawn from a comparison of the number and type of past Licensee Event Reports ("LER") and the licensee's operating experience at the Three Mile Island Units with industry-wide statistics on LER's and operating experi-ence.

The testimony ir presented in three major parts. The first part describes the sources of data which I used. The second describes the operating availability -of TMI-1, while the third describes the safety performance of TMI-1. Because TMI-2 had been in commercial operation for only three months, the limited amount of data available was not considered useful in performing this analysis. At the time of the accident at I

,

I l

__ _ _ -

_

,

TMI-2, Unit I had accumulated four and one-half years of commercial operation. Unit 1 had gone through startup and early commercial operations, and into " mature" operation.

Ultimately the safety of any nuclear unit depends on the reliability of a number of mechanical and electrical systems.

Some systems are primarily of importance because they determine the frequency with which a unit will experience transients and accidents which threaten to damage the core. The reliability of other systems is of primary importance because their availability determines the potential to prevent core damage when transients or accidents occur. Stated succinctly the safety of the core for a given design depends on:

o The frequency of initiating events, and o The reliability of systems to respond to these events.

While it is possible to measure the historical frequency of events and reliability of systems, it is extremely difficult to quantify the extent to which design, maintenance and operations i

each contribute to these results. Recognizing this, I have

! concentrated on quantitative measures of overall performance (both operating and safety) and have not tried to quantify the effect of plant management on that performance- In all the i

performance variables I examined, TMI-l was equal to or better than the average for comparable plants. Whether this was due to design or operations and maintenance, or (most likely) both, l

!

l l- __ __ ._ _ _

1

.

!

,

I I can't be certain. However, I am certain that TMI-l could not have done as well as it did had it been poorly operated,

'

maintained and managed.

,

DATA BASES

,

Data which I used in preparing this testimony came primarily from three sources--TMI-l LERs, OPEC-2, and LER Data Base.

,

TMI-l LER's This consisted of a complete set of all the LERs submitted by TMI-l from May, 1974 through April, 1979.

OPEC-2 4

The OPEC-2 data base is maintained by S. M. Stoller Corporation (SMSC), and consists of three major types of information: gross performance; outage causes; and safety

,related events. This data may be sorted and aggregated by unit, time period, and problem.

Gross Performance. Data on gross performance cover all n .. S . nuclear units rated 400 MW or larger. Data for each unit begins with the first month of commercial operation and continues through December 31, 1979. For each unit data is entered monthly and includes all the standard measures of performance including hours critical, hours on-line and net electric generation.

Outage Causes. Data on outage causes cover all U.S.

nuclear units rated 400 MW or larger. Data for each unit

.. -.

__

,

begins with the first month of commercial operation and continues through December 31, 1979. For each unit, data is entered for each full outage and partial outage. The data describes the date of the event, its duration and magnitude, whether it was forced or scheduled, and its cause. Each cause (more than one cause can be given for a single event) is described by the system and component which caused the event and the problem which the component experienced.

Safety-Eelated Events. Data on safety-related events cover all U.S. nuclear units rated 400 MW or larger. Data for each unit begins with January 1, 1978 or the date of commercial operation, whichever is later, and ends with December 31, 1979.

The following types of events are entered:

o All transients experienced by the unit (as reported in LERs and Monthly Operating Reports).

o All LERs except environmental occurrences.

o All safety-related maintenance (as reported in Monthly Operating Reports) except minor calibrations and adjustments.

For each event, data includes:

o the date o the unit status o the system and component o the problem o the cause of the problem

- - .-

. _

. _ _

,

o the effect on safety system performance o the type of transient Where two or more transients and/or problems occur together, the data is linked together in the computer to show causal or temporal relationships.

LER Data Base This data base is maintained by SMSC for EPRI's Nuclear Safety Ana_ysis Center. It includes only LERs and covers all i

U.S. nuclear units beginning with January 1, 1979 through the most recently available data. Data which is entered for each LER includes the unit ID, the LER number, the coded data from the LER form, and an event class indicating the potential significance of the event. Examples of classes of events are:

o Single component failure o Two or more failures apparently unrelated o Two or more failures with a common cause o Minor performance degradation (e.g., set point drift) o Operator or maintenance error o Potentially generic equipment problem, etc.

Where two or more classes apply, each is entered.

OPERATING AVAILABILITY There are many factors which affect a unit's availability.

Tbc unit with the best availability is not necessarily the best managed unit, nor is the poorest performer necessarily the unit that is most poorly managed. Nevertheless, there is usually

.

some correlation between how well a unit performs and how well it is managed.

There are a number of indices which provide useful measures of the operating availability of generating units.

One of the most common and useful of these indices is the capacity factor. It is with capacity factor that I will be concerned in this section.

When a generating unit is designed and built, it is intended to be able to operate consistently at any power up to some maximum. This power which is the maximum at which a unit could run consistently is called the design net electrical rating of the unit. Because of seasonal variations in con-denser cooling water temperatures, the actual maximum output of a unit may be somewhat above or below the design power level on any particular day. The design net electric rating of a unit

'

is equal to the average power which the unit would produce throughout the year if all equipment were working correctly and if the unit were continously run at its maximum capability. A unit may fail to produce some power due to refueling; due to equipment maintenance or failure; due to restrictions imposed by regulatory bodies; or due to lack of need for the power.

For a given time period, the capacity factor for a unit is simply the ratio of the power that it did produce to that which

! it theoretically could have produced (multiplied by 100 to l

l yield a percent). If a unit actually did run perfectly for a l

!

.

year and required no maintenance or refueling, its capacity factor for that year would be 1004. A unit which did not run at all for a year would have a zero percent capacity factor.

In a case where a unit ran perfectly for nine months and was shut down for three months, its capacity factor for that year would be 75%.

Gross Unit Performance Statistics At the time of the accident at Three Mile Island Unit 2 on March 28, 1979, the capacity factor of Three Mile Island Unit 1 was considerably better than the average for other nuclear units. Table 1 presents the lifetime capacity factors for Three Mile Island Unit 1 and for a number of other groupings of nuclear units. These aggregated capacity factors were cal-culated by weighting and averaging the lifetime capacity factors of each of the units in the group. The weighting factors that were used correspond to the years of experience for each unit. Thus, each year of nuclear experience is weighted equally in determining the aggregated average capacity l

l factors. The lifetime capacity factors were determined for each unit using data from the unit's first full month of commercial operation through the end of March, 1979. This end date roughly corresponds to the occurrence of the accident at Three Mile Unit 2.

l The capacity factors in Table 1 are listed for Three Mile Island Unit 1 and for three groups of nuclear units. Included i

l l

l

+

TABLE 1

,

Lifetime Capacity Factors for Units Weight - Averaged By Unit Years of Experience (Calculated through March 31, 1979)

Lifetime Capacity Unit Years Number of Factors (%) of Experience Units

'

Three Mile Is?:snd 1 72.3 4.5 1 B&W Units other than 58.7 25.6 7 Three Mile Island 1 PWR Units other than* 63.9 154.7 37 Three Mile Island 1 All Nuclear Units other than* 61.7 250.0 56 Three Mile Island 1

  • This included the excellent performance of a number of units in their 7th through 9th years of operation.

l l

. - . . . -.

. . . . . - - -- . , _ _ - , , - - . ,.

. . - . - -

__.

.

1 are the performance statistics of all large modern nuclear units (all units rated 400 MW or larger). As of March 31, 1979, there were seven such B&W units, 37 such PWR units and 56 such nuclear units in total, excluding the Three Mile Island units.

The strongest similarity of performance should be evident when Three Mile Island Unit 1 and the other B&W units are compared. These units have nuclear system designs that are generally very similar. Generic problems that affect the nuclear systems of B&W units will probably also affect Three Mile Island Unit 1. Conversely, problems affecting the nuclear systems of units designed by a different vendor, but not affecting the B&W units, will probably also not influence the performance of Three Mile Island Unit 1. Thus, the generic cracking problem with the surveillance specimen holder tubes resulted in outages at most B&W units including Three Mile Island Unit 1, while other problems like the BWR feedwater sparger cracking did not cause losses at any B&W units.

Because all PWR units have many design similarities inherent in their eactor systems, one would expect that performances of PWR units would also be similar to that of B&W units and Three Mile Island Unit 1. In fact, the lifetime capacity factor of Three le Island Unit 1 is considerably higher than the average life ime capacity factors for other B&W units, for other PWR units, and for all other nuclear units.

.

The largest differential is apparent between the performance of Three Mile Island Unit 1 and other B&W units. Apparently, Three Mile Island Unit I avoided many of the problems that caused outages at these other units.

.

As indicated in Table 1, the lifetime capacity factor for Three Mile Island Unit 1 was accrued during only four and one-half years of commercial operations. This data includes a large proportion of experience during the early years of operations. I have taken this early experience to be the first three years since the start of commercial operations. During this period nuclear units characteristically operate with a lower average capacity factor as compared with later experience in commercial year four and thereaf ter. The reduced perform-ance in the unit's early years results from the debugging of startup problems and the gaining of experience by the unit operators, management and planning personnel.

The experience for other PWR units and other nuclear units in general includes proportionally more experience during the l

later, more mature years of operation than does Three Mile Island Unit 1. One would therefore expect that the lifetime average capacity factors for these two groups would be higher than that for Three Mile Island Unit 1. Such is not the case.

In fact, as Table 2 indicates, the Three Mile Island Unit 1 capacity-factor was greater than the corresponding average capacity factor for the three other groups of nuclear units.

__ _ .

Table 2 Capacity Factor By Commercial Year (through March 1979)

Commercial Year 1 2 3 4 5 6 Three Mile Island 1 Capacity Factor (%) 81.0 60.2 68.4 79.4 73.1 -

Unit Years of Experience 1.0 1.0 1.0 1.0 0.5 -

Other B&W Units Capacity Factor (%) 52.8 51.5 64.0 68.7 61.5 66.2 Unit Years of Experience 7.0 6.0 5.0 4.9 2.0 0.7 Other PWR Units Capacity Factor (1) 59.3 57.8 62.2 68.7 71.8 74.6 Unit Years of Experience 35.5 32.1 26.8 23.6 17.0 10.5 Other Nuclear Units Capacity Factor (%) 58.4 54.5 59.8 64.1 68.8 73.0 Unit Years of Experience 54.5 51.1 43.9 38.8 27.6 19-;

.

- __ __

.

Three Mile Island Unit 1 consistently performed with fewer load reductions and outages as compared with these other groups of nuclear units.

The reduced capacity factors in commercial year two is characteristic for all of these units because the first refueling outage usually occurs during this year. This refueling is often lengthy as the result of many inspections and repairs and the inexperience of the operating and planning staffs of the unit. The capacity factor for Three Mile Island Unit 1 in commercial year five includes only six months of experience. Because a complete refueling outage, which usually accounts for a major portion of the losses during a year, occurred during this six months, the capacity factor for year five is somewhat reduced from what it might have been had the

,

unit operated for the remainder of the year. Nevertheless, the l

'

Three Mile Island Unit 1 capacity factor for year five is still greater than the corresponding average capacity factors for the other groupings of nuclear units.

Unit Performance Statistics Disaqqregated By System

( As is apparent from Tables 1 and 2, the lifetime capacity factors and the capacity factors for each year of commercial j operation of Three Mile Island Unit 1 were greater than the corresponding average capacity factors for other units. If losses of output are attributed to the system or component that l caused the outage or load reduction, a means of comparing unit I

.

l

!

L

performances on a more detailed level is provided. Table 3 lists these lifetime capacity factor losses for systems and components at Three Mile Island Unit 1 and the three other groups of nuclear units. The following is a discussion of the capacity factor losses due to system or component problems.

Fuel. Losses due to fuel problems have been less at Three Mile Island Unit 1 than at the other groupings of nuclear units. The only substantial source of such losses at TMI-1 has been outage for control rod repatching procedures. B&W units routinely interchange the regulating and safety control rods at a prespecified fuel burnup. Thir action promotes a more even fuel burnup and better control characteristics. The losses at Three Mile Island Unit 1 are largely the result of a lengthy outage for such a control rod repatching in May and June, 1975.

Other fuel related losses at Thrae Mile Island Unit 1 have been very typical of the other groups of nuclear units. The large losses at other B&W units attributed to past fuel problems are the result of the ou* mms at Crystal River Unit 3 l

l and Davis Besse Unit 1 to correct the burnable poison rod vibration and cracking problem. These problems, which were generic to larger B&W units, did not affect Three Mile Island Unit 1. Other B&W units had also experienced some problems with trips caused by power imbalances or tilts in the core. As a result, revisions were made to the trip system limits reducing the number of spurious unit trips. This problem was

! not very consequential at Three Mile Island Unit 1.

I

'

__ - .

Reactor Vessel: Three Mile Island Unit 1, like many of the other operating B&W units, was affected by the problem of vibration induced wear and cracking of the surveillance specimen holder tubes (SSHT). This generic problem was discovered at Three Mile Island Unit 1 during its first refueling outage in February of 1976. Inspections and modifications were subsequently made at all operating modern B&W units in that year.

The loases that resulted at Three Mile Island Unit 1 were typical of those at the other B&W units. This is somewhat unusual because the unit which first discovers such a major problem does not have the benefit of any past experience and usually experiences greater losses.

Steam Generator: Losses at PWR units due to steam generator tube problems have been a significant contributor to unit unavailability (BWR units do not have steam generators and therefore have experienced no losses). At Three Mile Island Unit 1 these losses have been uncharacteristically low. Most of these losses have been the result of NRC-required in-spections of the steam generator tubes. Tube degradation and failures that have occurred at other PWR and B&W units have not been a problem at Three Mile Island Unit 1.

Most steam generators at other B&W units have also performed with fewer tube problems than have steam generators designed by the other PWR vendors. Differences in design and

-

_

_ _

-. . _ . _ _ _

.-_ - - _ _ -.

materials in the B&W steam generator which are of once-through design may account for some of this better performance.

Reactor Coolant Recirculation Pumps. Problems with reactor coolant pumps at PWR units, and recirculation pumps at BWR units, have also been a large source of losses. These problems have characteristically taken the form of excessive pump seal leakage, pump motor failures, and other problems.

Excessive seal leakage has caused extensive losses at almost all nuclear units, and at B&W units in particular. These seals are designed with close tolerances. They are subjected to a severe environment involving large temperature changes, movement, high pressures, and large fluid flows. As a result the seals are very sensitive to installation problems, wear, cooling system malfunctions, and impurities in the water.

! B&W units have reactor coolant pumps that are manufactured i

l by either Bingham, Byron-Jackson, or Westinghouse. The pumps at Three Mile Island Unit 1 were made by Westinghouse and have performed reasonably well with only one failure in June, 1978.

Bingham pumps at other B&W units have experienced a more persistent problem with seal leakage, and account for a major portion of the B&W unit losses due to this component.

Another problem that occurred at units with Westinghouse motor drives for the reactor coolant pumps was oil degradation and leakage. These problems have not affected Three Mile Island Unit 1. Instead, TMI-l has only experienced an outage

because of high vibration and an outage due to a pump motor failure.

Control Rods and Control Rod Drives. Many B&W units have experienced a problem with the control rod drive mechanisms (CRDM). The B&W CRDMs are sealed motor d';ven, roller nut drive units. The principal outage causing problem with these drives has been from electrical shorts originating in the stator winding end turns. B&W identified four contributing causes to the failures: epoxy breakdowns due to incom-patibility with the wire, moisture, bifilar design (side by side phasing), and manufacturing defects. Most frequently these shorts caused the power supply fuse for the CRDM to open and resulted in a dropped, inoperable control rod. The faulty CRDM was then repaired or replaced, or operations were resumed at a reduced power level wich the dropped rod.

The effects of these problems have been slightly more consequential at Three Mile Island Unit 1 than at other B&W units. A number of lengthy outages in 1975 and 1976 con-l tributed greatly to these losses at Three Mile Island Unit 1.

Since 1976 when new stators were installed on the problem CRDMs, the unic has not experienced any more outages.

MSIV and RCS Valves. At Three Mile Island Unit 1 the losses attributed to RCS relief valve problems are principally the result of a lengthy outage in 1974 to correct a seat leak on a pressurizer code safety valve. The nature of this problem 1

and its occurrence so shortly after the unit began commercial  !

operations eviderees that it was a debugging-type problem associated with the unit start up. No subsequent outages of consequence are attributable to these valves at Three Mile Island Unit 1. Other B&W units have also experienced seat leakage of the code safety valve and the resulting losses are very similar to that of Three Mile Island Unit 1.

Maintenance to correct packing leakage or stem binding problems with the pressurizer spray valves have caused unit outages at all B&W units. At Three Mile Island Unit 1, these problems have not caused measurable losses.

The losses due to other RCS valve problems at Three Mile Island Unit 1 largely result from an outage to repair a decay heat removal system valve with a bent shaft and a packing leak.

The losses are similar to the corresponding losses at the other groups of nuclear units.

RCS Pipes. RCS pipes have not been a sigrificant source of losses either at Three Mile Island Unit T, at other B&W i

units, or at other PWR units. Cracks in these pipes have been

!

a BWR problem.

Nuclear Instrumentation. Problems with nuclear instru-mentation have not been a significant or widespread problem at any type of nuclear unit.

Safeguard Systems. Components in the safeguards systems have not contributed greatly to losses at nuclear units. The

'

L

..

pump and piping losses at Three Mile Island Unit 1 resulted from outages in 1975 and 1976 because of problems with a decay heat removal pump and cracks in the emergency cooling river water system pipes.

The losses at Three Mile Island Unit 1 attributed to other safeguard system problems are the result of integrated leak rate testing of the containment building which is required by NRC and is generally performed during refueling outages.

Because this testing is a " critical path" job (it cannot be performed in the shadow of other refueling work), it results in losses to the unit's capacity factor. These losses have been similar to the corresponding losses at other groups of nuclear units listed in Table 3.

Pipe Supports and Restraints. Since 1973, losses result-ing from inspections and repairs of pipe supports and restrains

? Te been widespread at nuclear units. At that time, a problem was discovered with degraded seals and leaking damping fluid in the " snubbers." As a result the NRC has required periodic inspections of these " snubbers" at all nuclear units. Some of this work has been performed as noncurtailing jobs during refuelings and other outages. Despite that, losses have been relatively large. At Three Mile Island Unit 1 the losses resulting from the inspections and repairs of these snubbers l have been typical of those at other nuclear units.

l BWR Torus. This component is unique to BWR units.

. . . . . .. . . -. - . .

.

BWR Off-Gas System. This component is unique to BWR units.

Other Nuclear System Problems. Losses due to other nuclear system problems are largely the result of failures in the chemical and volume control system or the reactor water cleanup system. Three Mile Island Unit I has not experienced very consequential losses due to problems in these systems.

Turbine. Losses due to turbine failures and problems in a number of other balance of plant systems have not been aggre-gated in Table 3 for B&W units or PWR units. These losses are only given for the Three Mile Island Unit 1 and for all other nuclear units. This was done because there is nothing unique about these components and systems to B&W units or to PWR units. It therefore makes sense to only compare the Three Mile

,

Island Unit 1 losses with corresponding losses for all other nuclear units.

With one exception, turbines at all operating nuclear units were manufactured by either Westinghouse or General Electric. (D.C. Cook Unit 2 has a Brown-Boveri turbine.)

Three Mile Island Unit 1 has a General Electric turbine. A number of generic problems with blade and rotor cracks at units with Westinghouse turbines account for a large-proportion of the losses for this category. General Electric turbines P. ave generally performed with fewer losses than the average unit

,

I with a Westinghouse turbine and the Three Mile Island Unit 1 t

turbine has performed even better than the average General Electric turbine.

'

The losses at Three Mile Island Unit 1 due to other turbine problems are principally the result of an outage in 1975 to repair a turbine control valve. Turbine blade losses l

at the unit resulted from inspections and turbine I&C losses resulted from malfunctions of the turbino electro-hydraulic control system.

Generator. The principal cause of losses at nuclear units attributable to the generator have been a number of lengthy outages due to electrical shorts and problems with the cooling and oil systems. Most of these lengthy outages have occurred at units with Westinghouse generators. The Three Mile Island Unit 1 generator, which was made by General Electric, has performed better than even the average General Electric generator with no such lengthy outages.

Moisture Separator - Reheater. Tube failures in the moisture separator reheaters at a substantial number of units have necessitated unit deratings and outages. Apparently the moisture separator-reheaters at Three Mile Island Unit 1 have performed without a problem.

Condenser. Condenser tube failures have been a widespread problem at nuclear units. Some units have even retubed their entire condenser in an effort to reduce the number of these

failures. The condenser tubes at Three Mile Island Unit 1 are made of stainless steel. Other units with stainless steel condenser tubes have typically experienced slightly fewer tube failures than have units with tubes of other materials. The Three Mile Island Unit 1 condenser tubes have performed slightly worse than stainless steel condenser tubes at other nuclear units. However, on the average, the Three Mile Island Unit 1 losses due to condenser tube failures are very typical of corresponding average losses at other nuclear units.

Losses attributed to other condenser problems at Three Mile Island Unit 1 are largely the result of an outage in 1976 to stake the lower tube rows in the condenser.

Main Transformer. Catastrophic failures of main trans-formers have occurred at only a few nuclear units. However, when such a failure takes place a lengthy outage or load reduction usually results. As a result, most of the losses attributable to main transformer problems are concentrated at a few units. The main transformers at Three Mile Island Unit 1 l have performed without such a catastrophic failure, and losses j due to this component have been small.

Condensate and Feedwater Svstems. Losses due to feedwater and condensate system problems have been considerably less at

!

l Three Mile Island Unit 1 as compared with the corresponding average losses at other nuclear units. The feedwater pumps at Three Mile Island Unit 1 were manufactured by the Byron-Jackson l

t

'

t

. _ ._ __ _ _ _ - . .

.

Company. These pumps have typically performed better than most 1 other types of feedwater pumps at nuclear units. The Three Mile Island Unit 1 pump performance is better than average for even Byron-Jackson pumps. Feedwater control and regulating valve problems have typically been less frequent and conse-quential at B&W units. These units utili=e an Integrated Control System that is more complex but results in fewer unit trips because of steam generator level instabilities than do

,

feedwater control systems at other PWR units. The losses due to these controls at Three Mile Island Unit 1 are characteris-tically small. (See also Licensee's Response to Board Questien 6.)

Other Balance of Plant Losses. Other balance of plant losses have mainly been the result of problems with the main steam system, plant non-safety electrical systems, the cir-l culating water system, building structural. problems and other

,

unit auxiliaries like service air and water systems. These

'

systems have performed without major problems at Three Mile Island Unit 1 and as a result losses for these systems have j been less at this unit as compared with corresponding average l losses at other nuclear units.

Refueling Operations. Losses due to refueling operations have been slightly higher at Three Mile Island Unit 1 than at other groups of nuclear units listed in Table 3. .One reason

,

for this is that Three Mile Island Unit 1 has operated with a

!

l i

. ~ . , _ _ . . - _ . . . . . - ._. . _ . .

.

- TABLE 3 Total Capacity Factor Losses (%)

(Calculated througn March 31,1979)

. ,

%

!

  • e b[ b b =
= un 88 tr h; 57 52 si e- om oc cc

.

Fuel past problems 0 2.35 0.94 J 84 control rod pattern changes 0. 74 0.30 0.05 0. 19 miscellaneous thermal 0.29 0.48 0.22 0.66 physics testing 0.28 0.34 0.29 0.20 BWR PCIOMR limits 0 0 0 1.07 other oroblens 0.02 0.04 0.67 0.56 Total ruel proolems 1.33 3.51 2.17 4.53 Reactor Vessel surveillance specimen holders 2.68 2.61 0.43 0.27 spargers and jet pumps 0 0 0 0.47 vessel nozzles 0 0 0 0.02 other problems 0 1.02 0.29 0.18 Steam Generator tuoe problems 0.46 3.05 3.99 2.44 other problems 0 0 0.15 0.09 Reactor Coolant /Recire Pumo pump seal prcblems 0.57 3.05 1.17 0.95 other pump problems 1.09 1.24 0.84 0.78 Control Rod and Drives control roo prooiems 0 0 0.03 0.09 drive and control problems 1.42 1.02 0.77 0.55 MSIV and RCS Valves RCS relief valve problems 0.67 0.50 0.11 0.37 pressurizer spray valve problems 0 0.32 0.19 0.11 other RCS valve problems 0.57 0.44 0.32 0.39 MSIV problems 0 0.01 0.38 0.41 RCS Pipes cracks and inspections 0 0.01 0.03 0.71 other problems 0 0.12 0.07 0.12 Nuclear Instrumentation incere instrument problems 0 0.06 0.11 0.11 execre instrument problems 0.02 0.01 0.03 0.03 other problems 0.04 0.20 0.06 0.09

5 o E

-

x 5

=

5 s

8

=

..

[;5

-

50 57 5d 5:

Id s:

~~ co o= c5

! j i l  :

.

i

. .

'

Safecuard Systems l i pump prooiems I0.37 0.01 ! 0.12 0.13 piping problems 0.48 0 0.14 0.10 containment isolation problems 0 0 0.02 0.05 valve problems 0 0.27 0.09 0.13 I&C problems 0 0 0.02 0.03 electrical system proclems 0 0.01 0.30 0.25 other problems 0.55 0.40 0.29 0.40 Pipe supports and Restraints 0.46 0.52 0.45 0.38 swr Torus 0 0 0 0.12 SWR Off-gas Systems 0 0 0 0.19 otner 13uclear system Problems 0.07 0.39 0.22 0.27

,

Turbine ,

,

turoine blade problems 0.07 - -

1.46 turbine I&C problems 0.22 - -

0.51 other croblems 0.52- - -

0.47 total turbine losses 0.81 - -

2. 4 Generator 0.21 - -

0.94 Meisture Seoarator-Reheater

  • 0 - -

! 0.17 j

-

i t condenser i tube problems 0.51 l; -

3

-

l 0.53 other problems 0.22 -

'

-

0.25 Main Transfomer 0.09 0.10 0.39 0.39 I

-Condensate and Feedwater Systems feecwater pump problems 0.07 - -

0.32 feedwater reg. valve problems 0 0.02 0.15 0.18

,

feedwater control system problems 0.02 0.02 0.13 -0.12 l condensate pump problems 0 - - 0.08 l other problems 0.28 - -

0.86 Other Balance of Plant losses 0.97 1.26 1.72 1.72 l Refueling Opera _tions 10.43 7.82 9.44 9.47

' Thermal Efficiency Losses 2.47 2.93 2.33 2.06 l Spurious Reactor Trips 0 0.26 0.22 0.19 tion-plant Related Problems 0.04 0.19 1.59 1.49 Brown's Ferry Fire 0 0 0 1.'15 Unkncwn and Miscellaneous' Losses 0.34 0.82 0.79 0.96 l

l l '

1

r .

l I

t

!. l il l~ l

. .

,

!

L._

..

Table 4 Refueling Outage Durations in Wceks (for refueling completed before August 31,1980) I Refueling Number 1 2 3 4 5 6 Three Mile Island i 13.7 8.3 6.5 6.7* - -

Other B&W Units 14.0 10.5 9.8 16.6 13.9 -

Other PWR Units 15.7 10.1 9.6 10.6 11.2 10.3 ,

Other Nuclear Units 15.1 10.1 9.7 10.4 10.1 9.2

  • Because of the accident at Three Mile Island Unit 2, a return from this refueling was never accomplished.

,

_ __ _ . - _ - __

l relatively higher capacity factor. This fact coupled with the

! timing of the accident at Three Mile Island Unit 2 (during the '

,

recovery from a refueling at Unit 1) has resulted in a large number of refuelings in a relatively short operating period.

4 In only four and one-half years of commercial operation, Three Mile Island Unit 1 has refueled four times. This is a fast pace relative to the average nuclear fuel cycle 1ergths. Table 4 indicates that the refuelings at Three Mile Island Unit i 4

have been consistently and significantly shorter than average

'

refueling lengths at other groups of nuclear units.

Thermal Efficiency posses.

_

Thermal efficiency losses are caused by operations at net electrical power levels below what is normally expected for the corresponding reactor thermal power levels. These losses may result from frequent load reductions or outages, an excessive use of steam by auxiliaries or because of leaks, operations with degraded equipment, or over-estimates of the core thermal power.

i I

l Losses due to thermal efficiency problems at Three Mile Island Unit 1 have been similar to those at other nuclear units.

I Spurious Reactor Trips. Spurious reactor trips due to

!

l malfunctions of the reactor trip system have been a persistent problem at most nuclear units. Three Mile Island Unit 1 has i

experienced no outages as a result of this problem.

l Non-Plant Related Problems. Load following, fuel conser-vation, coasting to a refueling outage, transmission system l

l

._ _ _

. _ . . _ . --.

_ -_ _ _ _ _ _ _ _ . . _

problems and startup testing all comprise non-plant related problems. Three Mile Island Unit I has only experienced very minor losses due to these factors.

Brown's Ferry Fire. The Brown's Ferry Unit fire resulted in large losses at two units.

Unxnown and Miscellaneous Losses. Losses at Three Mile Island Unit 1 due to unknown ( to me) or miscellaneous reasons have been less than corresponding average losses at other nuclear unit groups listed in Table 3.

SUMMARY

AND CONCLUSION REGARDING OPERATING AVAILABILITY Operating performance of Three Mile Island Unit 1 has been censiderably better than average for other B&W units, other PWR units and other nuclear units i.7 general. As can be seen in Table 3, all the systems at TMI-l have performed as well or better than corresponding systems at similar units. To a considerable extent the performance of TMI-1 is attributable to good design. The good turbine experience of TMI-1 is largely attributah'e to the selection of e GE curbine rather than a Westinghouse turbine while the good Reactor Coolant Pump performance is attributable to having Westinghouse, rather than Bingham, pumps. Nonetheless, the performance of TMI-l gives

!

'

the impression of an efficiently run plant. No lengthy outages which might indicate poor planning are appar> tnt, nor are any persistent problems evident that might be indicative of faulty maintenance or operating practices. The generic problems, like

. - - .

those with control rod drives and surveillance specimen holder tubes, that affected Three Mile Island Unit 1 and other B&W units, heve typically resulted in losses which are lower than corresponding losses at other units that were affected by these problems. Finally, the shorter refueling outages are indictive of good pJanning and management of the outage.

,

SAFETY-RELATED PERFORMANCE Safety-related problems at U.S. nuclear plants are

,

documented in LERs and in the reports of NRC inspections. In attempting to compare TMI-1 with other units, I looked at three

measures of safety performance
1. The number of LERs and NRC noncompliances
2. The rate of occurrence of personnel and procedural errors
3. The failure rate of safety-related systems The results of my investigations are described in the following sections.

Number of LERs and Noncompliances LERs. A simple count of the number of LERs submitted by a unit is a very poor measure of the safety c3 that unit. Some of the factors which affect the number of LERs, but have no I effect on safety, are:

l l 1. Older, and generally smaller, units have fewer pieces l of " safety-related" equipment so the same failure

!

rate will result in fewer LERs than for new units.

2. Some units include environmental occurrences in LERs and some do not.
3. Some units report both failures and corrective maintenance of safety equipment while others report only failures.
4. The interpretation of what constitutes a reportable event differs from plant to plant.
5. Other things being equal, the number of LERs will decrease as a unit matures.

In order to minimize the effect of these factors, I compared TMI-1 with these units which could be considered its

" peers." Specifically, I looked at PWRs in the same size range (800-1000 MW) and the same vintage (1972-1976 inclusive). This

" peer. group" includes five B&W units (Arkansas 1; Cconee 1, 2, and 3; and Rancho Seco) and eight CE and Westinghouse units (Beaver Valley 1, Calvert Cliffs 1 and 2, Indian Point 2 and 3, j Millstone Point 2, Maine Yankee, and St. Lucie 1). In counting the number of LERs submitted by each unit, I excluded "envi-ronmental" LERs, except those involving unplanned releases of radioactivity. Recognizing that the number of LERs decreases I with plant age, I divided the experience of these units into the first 2.5 years of operation and subsequent years. The

!

results were:

l l

1

__

Number of LERs per Unit-Year First 2.5 Years Subsequent Unit (s) of Operation Years TMI-l 40 30 Other B&W Units 24 22 CE and W-PWRs 51 38 Total (No TMI) 42 31 It can ba seen that the number of LERs submitted by TMI-l was almost exactly equal to the average for its peers.

I know of no differences in design which would account for the average for B&W units being low relative to CE and Westinghouse units. The most likely explanations involve differences in reporting requirements (or interpretation thereof) and statistical variations in a small sample.

Noncompliances. The number of noncompliances at a unit should be a more uniform measure of performance since the same people inspect a number of plants and since an attempt is made to apply uniform standards to all plants. Unfortunately, most l noncompliances involve minor procedural inadequacies with very little direct effect on safety. Due to the lack of an adequate j data base, it was not possible for me to identify those noncompliances which I believed were "significant." The following table does however present the results of a simple count of noncompliances. Data for NRC Region I (which includes I TMI) was used rather than " peer" units on the theory that there

might be more uniformity of inspection standards within a region since the same NRC personnel are involved. The three units rated less than 400 MW were excluded since they are very different from other units and since two of them were shut down for much of the time period being considered. Also, noncompli-ances involving special nuclear materials accounting and plant security were excluded.

Nonccmpliances Per Unit-Years Year 1975 1976 1977 1978 1979 Average TMI-l 18 26 28 16 16 20.8 All Region I 16 22 26 21 16 20.2 Units (No TMI)

Since NRC inspections primarily involve searching plant records for discrepancies, it might be expected that the number of noncompliances would be proportional to the time spent inspecting. Consequently I prepared the following table

! showing the number of noncompliances per 100-inspector-hours.

As with the pr.evious table, inspections and noncompliances dealing with special nuclear materials accounting and plant l

l security were omitted as were data on smaller plants.

!

,

Noncompliance Per 100 Inspector Hours Group / Year 1975 1976 1977 1978 1979 Total _

TMI-1 2.5 2.1 2.4 2.6 2.1 2.2

, All Regions I 3.3 2.2 2.7 2.3 1.4 2.2 l Units (No TMI) l i

The spread in the data was quite small. Twelve of the eighteen units (excluding TMI-1) fell in the range of 1.8 to 2.6 with three units below 1.8 and three units above 2.6. The lowest unit was 1.3 and the highest was 3.0. As can be seen, the performance of TMI-l was almost exactly average.

TMI-l LERs During the five-year period, April 19, 1974 to March 29, 1979, TMI-l generated a total of 187 reports of " reportable

,

occurrences" (LERs). Twelve of these involved environmental 1

occurrences and are not of concern here. An additional nine concerned actual or potential errors in analyses performed by B&W and did not involve any deficiencies in any equipment or personnel performance at TMI. (None of these errors had any significant impact on plant safety.) Of the remaining 166,100 I occurred in the first 2.5 years of operation and 66 occurred in the second 2.5 years. This decrease in the number of events as a unit matures is typical of industry experience.

l Looking at the 166 reports, I found that 65 dealt with occurrences which had absolutely no impact on the overall

.

l f

. _

_. ._ . -.

safety of the reactor core at TMI-1. Types of occurrences included in these 65 are:

o Minor setpoint drifts in safety-related instru-mentation.

o Minor variances in levels and/or chemistry in

, safety-related tanks.

o Leaks in systems containing radioactive materials.

o Personnel and procedural deficiencies which did not affect the performance of any safety-related equip-ment.

o Failure to perform required tests in specified times, o Minor deviations in core power distribution.

o Problems with radioactive waste systems.

None of these events caused any increase in the rate of occurrence of transients or accidents at the plant or caused any equipment which would be required to respond to a transient or accident to be inoperable. Thus they had no effect on the safety of the reactor core.

The remaining 101 reports dealt with situations which involved some malfunction of safety-related equipment. These l

'

occurrences had very minimal safety significance. The history of safety-system problems at TMI-l is typical of what is found at similar units. Some systems perform very well while others l have a number of problems. Most problems involve single components so that the operability of the entire systern is not affected. Many of the failures which do occur involve problems l with control and electrical equipment or personnel er;: ors.

l

!

l

_ _

. ._ - , _ _. ._.

Such problems can often be rectified promptly so that the affected component could still function in time to prevent significant core damage in all cases except for the unlikely large LOCA.

Personnel Errors. Personnel errors are responsible at least in part for a substantial fraction of the unavailability of safety-related components at nuclear units and for a larger fraction of the unavailability of safety-related systems.

Since many problems are caused by a combination of factors, the distinction between problems caused by personnel error and those not caused by personnel error is blurred. Moreover, the standards used by different plants to assign causes to problems differ greatly. Many plants attribute problems to personnel errors only when the problem could not reasonably be assigned to any other cause. Other plants are assiduous in their quest for any possible contribution of personnel error to equipment failures. Also, the number of components which are reportable and the types of problems which are reported differ from plant to plant. These differences in reporting requirements and philosophy mean that simply counting the number of LERs attributed to personnel error at different units can be very l misleading.

l l Because of these problems and because there are about a thousand LERs throughout the industry involving personnel error j each year, I selected a limited sample of operating experience l

1 I

i

.-.

. . _ _ _

and performed a detailed review of all of the LERs within that experience. Specifically, I looked at the entire five-year history of TMI-l and compared this with the experience of PWRs the first eight months of 1980. I looked at all PWRs except Indian Pcint 1, Yankee Roue, Haddam Neck, San Onofre (all older units), North Anna 2, Salem 2, Sequoyah 1 (all just starting up), and TMI-l and 2. The remaining 37 PWRs had all operated continuously during the 8 months, so there was a total of 296 unit-months or 24.7 unit-years of experience. I examined each of the LERs which were generated during this time and selected those which the utility had identified as being due to person-nel error or which I believe should have been so identified.

Next I classified these LERs into a number of groups:

1. Lineup and tagout errors on major safety systems.
2. Operational errors leading to safety parameters (such as tank levels, chemical concentrations, etc.) on major safety systems being out of specification.

I

3. Errors in maintenance and testing which led to malfunctions in components of major safety systems.
4. Quality assurance and procedural errors regarding major safety systems which did not lead to component malfunction.

l L 5. Failure to perform surveillance tests on major safety equipment in required times.

6. All types of personnel errors involving systems with minimal safety impact (such as liquid or solid radioactive waste systems and radiation monitoring systems).

The following table presents the rate of occurrence (instances per unit-year) for each of these types of error for the 37 PWRs and for TMI-1.

I

. -- - . .-

LERS INVOLVING PERSONNEL ERRORS LERs Per Unit-Year TMI-l Industry Average First 2.5 Second 2.5 PWRs During the Years of Years of First 8 Months of Operation Operation 1980

1. Lineup and Tagout 1.6 1.2 2.3
2. Parameter Control 1.2 .8 .9
3. Maintenance and Test 6.0 2.8 2.0
4. QA and Procedure .8 -

.1

5. Surveillance 1.2 2.1
6. Minor Safety Systems 6.0 4.8 3.0 Total 16.8 11.2 10.4 Because units typically have fewer errors after two-to-three years of operation and because all but five of the l 37 units which went into the industry average had operated more l

'

than two years prior to January 1,1980, I broke the TMI-l data into early and mature experience. Comparing.the later.experi-ence of TMI-l with industry averages there are three~ areas with the largest differences.

Lineup and Tagout. This is the type of personnel error which I regard as most important since it can result in the unavailability rates for major safety systems being higher than expected based on unavailability rates of individual trains (in other words, lineup and tagout errors are a source of common-mode unavailability). Many units are reluctant to cite personnel error as a cause of problems. Since tagout and lineup errors are always caused by personnel error, my data on this type of error is undoubtedly more complete than data on other types of errors. The performance of TMI-1 was significantly better than industry average. There are two possible explana-tions: (1) statistics and (2) superior performance at TMI. I know of no way to determine the extent to which each factor contributed to the observed difference.

Maintenance and Test. Typically maintenance and test errors result in problems with a single component so they are nct as serious as lineup and tagout errors. Many component failures may be due partly to design and partly to maintenance and the contribution of each is often not discernable. If an LER does not specifically mention personnel error, it is usually impossible to be sure that such an error existed. TMI-l LERs reveal a consistent search for possible errors (and an attempt to prevent them in the future) . LERs from many units do not reveal a

.

- .- - _

- ,

_._

similar zeal. Therefore, I suspect that the error rate at TMI was about average and that the appearance of a higher

'

rate was due to better investigations of the cause of failures and/or better reporting.

Errors on Minor Safety Systems. The incidence of errors on minor safety systems at TMI was acove the industry l average (12 events in the last 2.5 years where 7.5 would l

be expected on average). The errors at TMI-1 were varied l both in the type of error and system affected, and no pattern is discernable. The better reporting mentioned above is one possible explanation.

Conclusions Regarding Personnel Errors. The pattern of personnel errors at TMI-T was typical of industry experience, 1

l 1.e., a decreasing rate as the unit matured. The average rate of reported errors at TMI was slightly above average, but this was almost certainly due to a greater willingness at TMI to blame personnel error for component malfunctions.- The most serious type of error, those involving tagouts and lineups, occurred less frequently at TMI than at the average PWR. Tag-out and lineup errors are generally committed by operators l

while other errors generally involve maintenance workers and l

technicians. One possible explanation for TMI's . history _

~

vis-a-vis other plants would be that TMI operators were above average while other personnel were average. There are other factors such as statistical variations,_ differences-in. equip-ment design, and differences in reporting which also could explain the observed differences between TMI-1 and other PWRs.

-

.._-._ _ .. - _-

i Loss of Safety System Function Since thousands of " failures" of safety-related components

'

are reported every year, it would have been impossible for me to perform a careful analysis and interpretation of all failures. Therefore, I focused on the relatively few occurrences of complete failures of safety systems which have been experienced. There are four reasons why focusing on these system failures is particularly useful:

o It is the reliability of safety systems, rather than the reliability of individual components which determines the safety of a plant.

o Many system failures result from causes other than random component failures. Therefore, the failure rate for cystems is generally higher than would be calculated using the f ailure rates for individual components, o System failure rates depend not only on the rate of failure of individual components but also on the

( frequency with which these components are removed l

'

from service for preventive maintenance. Most units do not report preventive maintenance on safety components unless failures of redundant components result in a system failure.

o A number of system failures result from personnel errors. While most personnel errors have a minor I

effect on plant safety, those which cause system failures represent a substantial contribution to the total " unsafety" of the plant. The effect of plant management and personnel on the rate of failure of systems is perhaps the most meaningful measure of their effect on plant safety.

While a number of failures of safety systems are reported

, each year, most are not as serious as might at first be l

l thought. One reason for this is that many systems are only l

l l l l

t

needed for unlikely events, so very high levels of system reliability are not required to provide an adequate overall level of plant safety. Other reasons are:

1. Many system failures occur during unit shutdowns when the systems are not needed.
2. Many systems are in the failed state for only brief time-periods.
3. Many system failures are such that they could be corrected in time for the system to perform its essential functions if needed.
4. Design diversity may accomplish safety functions in some Cases.
1. Failure Durino Shutdown. Plants are generally allowed to remove many safety components from service during outages.

Therefore, the probability that the remaining components will fail and result in a system failure is relatively high.

However, many accidents and transients cannot occur during

.

plant shutdowns. Those that could occur would develop slowly, i

l allowing time to restore systems or improvise responses through the use of diverse systems capable of performing safety functions while shutdown. Since safety system failures during operation are much more important than those during shutdown, I have concentrated on those failures.

2. Time-in-Failed-State. When a system fails it is important to know the time that it was in the failed state.

This is the time during which the system would not have performed as designed had it been needed. Unfortunately, the l

l I i

'

. . , - . . - - , - . . ,

time-in-failed-state is often not known. If a component operated successfully on one day and failed to operate in a test seven days later, all that would be known would be that it had been in the failed state for something less than seven days. Many LERs do not include information on the time that a system was in the failed state, even when this was known, or do not include information on the time since the system was last successfully operated. In order to be able to qualitatively rank the seriousness of system failures, I have distinguished three types of such failures.

Self-Alarming Failures. These are failures which are more or less immediately indicated in the control room.

Since the plant operator can immediately initiate repairs and/or begin to shut down the unit, the time in failed state is typically a few hours or less.

!

Redundant Component Failure. Many failures of safety systems occur because one component fails while another is l

l out-of-service for maintenance. Typically, plants are only allowed to remove a safety component from service for maintenance for a day or two, and then only after having successfully tested the redundant component. Therefore, if a component fails while the redundant component is out-of-service for maintenance, it is generally true that-the system has been in the failed state for one day or less.

l

. . .- --

. .

l l

l l

l

, Test Failure. Failures which are discovered during routir.e tests may have occurred at any time since the system was last tested. Since most safety systems are tested weekly or monthly, the time in failed state for such failures is generally on the order of a few weeks or less.

3. Time to Restore. Many " failures" of safety systems can be rectified in 20 minutes or less once they have been discovered. Most accidents and transients will not result in significant damage for at least that time, even if all safety systems fail. Therefore, the failure of a safety system in response to an accident or transient will generally not lead to

,

significant core damage if the system can be restored to service within about 20 minutes. The only exceptions to this are as follows:

o After a large Loss of Coolant Accident, the Low Pressure Injection System must-function in a. matter of minutes to prevent significant core damage.

o After a large Loss of Coolant Accident simultaneous with the loss of off-site power, the Diesel Generator System must provide power to the Low Pressure Injection System in a matter of minutes to prevent significant core damage.

All situations which require the Auxiliary Feedwater

!

System and/or the High Pressure Injection System can be adequately dealt with if those systems can be made operable in 20 minutes. All situations requiring the Diesel Generator System, except the simultaneous large Loss of. Coolant Accident

!

i

and loss of off-site power, can also be adequately dealt with if the D-G system is restored to service within 20 minutes.

System Failures of Diesel Generator System. Since Diesel Generator Systems for BWRs and PWRs are very similar, I looked at both types of units for the time period 1/1/79 through 8/31/80. This represented a total of 98.3 unit-years of operating experience. During this time there were a total of seven Diesel Generator System failures while at power and seven more which occurred while the unit was shut down. All seven of the "at power" diesel failures occurred when one diesel was ot-..-of-service for maintenance and the second diesel failed.

As mentioned previously, this generally means that the system failure persisted for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or less. The LERs for these seven failures specifically indicate that three failures persisted for an hour or less while one persisted for 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. The times for the remaining three are not stated but appear to be 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or less.

Dividing 98.3 unit-years by 7 failures while at power yields an average of 14 unit-years of operation between at-power system failures.

From a safety point of view, it is system unavailability, rather than time-between-failures which is important. Based on the preceding, I estimate that there were a total of 3.5 unit-days in which diesel generator systems were in the failed state. Assuming that the average unit operated about 260 days

_ _ _ _

l per year, the unavailability of diesel generator systems was approximately:

3.5

'

l 260 x 98.3 = .00014 l

Since all at-power Diesel Generator system failures were l counted, .00014 is the average unavailability of a Diesel l Generator System for dealing with the unlikely case of a concurrent large Loss of Coolant Accident and loss of off-site power. In four of the seven cases of diesel generator failures, the system was actually restored to operation in less than one hour from the- time the problem was discovered. The other three failures persisted for a total of about two days so the unavailability of the Diesel Generator System for dealing with situations other than simultaneous large Loss of Coolant and loss of off-site power was approximately:

2 260 x 98.3 = .00008 The at-power diesel generator system unavailability for the five years of operation of TMI-1 was zero.

System Failures of High Pressure Injection System. Since HPIS designs for BWRs and PWRs are different, I looked at all PWR units for 1979 and the first eight months of 1980 (a total of 63.3 unit-years). During this time there was one HPIS System failure while at power and one while shut down. In the at-power case, one valve between the HFI pump suction and the

I l

Borated Water Storage Tank was out-of-service for maintenance.

The diesel generator which supplied the bus to which the .

j redundant (parallel) valve was connected was taken out-of-service for maintenance for two hours. Dividing two hours by 63.3 unit-years, 260 operating days per year, and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> per day yields a system unavailability of .000005.

This one HPIS failure was such that the HPIS would not have operated immediately in case of a Loss of Coolant Accident and loss of off-site power. If off-site power had been l

available, the system would have performed correctly. The HPIS System unavailability at TMI-l was zero for five years of operation.

O System Failures of Auxiliary (Emergency) Feedwater System.

Since the Auxiliary Feedwater System is peculiar to PWRs, I looked at PWRs for the time period January,1979 through August, 1980. In this time period there were no instances where the Auxiliary Feedwater System at any plant was incapable of performing its essential functions. There were two cases of i

system-level problems which I will describe in the following l paragraphs:

i

'

o The two Cook units share four auxiliary feedwater pumps ( two steam driven and two motor driven) . With one motor driven pump out-of-service for maintenance, the diesel generator which supplies power to the valves-for one steam-driven pump was removed from service for 2.75 hours8.680556e-4 days <br />0.0208 hours <br />1.240079e-4 weeks <br />2.85375e-5 months <br />. There were still two pumps in operation which could have been realigned to supply both units. Also,'the steam-driven pump could have been operated manually had off-site power not been available.

. . -

o The Trojan unit has only two auxiliary feedwater pumps. Both failed to start automatically on low steam generator level, but were manually started in about one minute.

While I was not including TMI-2 in this evaluation, there was one incident at TMI-2 when all Emergency Feedwater lines were valved out. When the System was needed it was restored to operation in about eight minutes.

Because the auxiliary feedwater system is called upon much more frequently than other safety systems, it needs a high level of reliability and many, but not all, plants were built with three pumps per unit. Therefore, it is not surprising that system reliability _has been very good (zero unavailability in the time period investigated).

The unavailability of the Emergency Feedwater System at TMI-l was also zero for five years of operation.

System Failures of Low Pressure Injection System. There were no reports of system failures in the LPIS at TMI-l or any l other PWRs during the time period investigated.

System Failures of Other Safety-Related Systems. In the preceding sections I concentrated on four safety-related systems (Diesel Generators, High Pressure Injection, Low Pressure Injection, and Auxiliary Feedwater) because I believe these are the most important systems and because they tend to be similar in all PWRs. Other systems (such as Containment and Service Water) differ significantly from plant-to-plant, both

!  !

!

. _ _ _ _ _ . - . . _

in design and in function. Therefore, I did not try to compare TMI experience with these systems with industry experience.

However, I did review all of the TMI LERs to identify any incidents of system failures in any system. I found one such incident. This involved a 33 hour3.819444e-4 days <br />0.00917 hours <br />5.456349e-5 weeks <br />1.25565e-5 months <br /> time period during which the Nuclear River Water System would not have functioned immediately had there been a loss of off-site power. The system would have functioned correctly had off-site power been available. Therefore, the system would have adequately performed its safety function in all cases except for a simultaneous major accident with loss of off-site power. For this later case, the system unavailability was roughly:

33 260 x 5 x 24 = .001 While I did not specifically calculate system unavailabilities for Service Water Systems at other plants, my experience leads me to believe that these would be lower than .001.

Summary and Conclusions Regarding Safety System Failures.

The following table shows system unavailabilities for the four systems (D-G, HPIS, LPIS, and AFWS) for TMI-l and for the industtywide average for PWRs. Also shown are the system unavailabilities (failure rates) for these systems which were used in the WASH 1400 evaluations.

1 i

!

I

.

!

... - . - . . . - - - .

SYSTEM SYSTEM UNAVAILABILITY UNAVAILABILITY WASH 1400 (With No Credit (With Credit SYSTEM

'

System for Restoration) for Restoration) UNAVAILABILITY TMI-l Industry TMI-l Industry Diesel Generator 0 .00014 0 .00008 .01 High Pressure Injection 0 .000005 0 .000005 .009 Auxiliary Feedwater 0 .000007 0 0 .00004 Low Pressure Injection 0 0 0 0 .005 It can be seen that in all cases, actual experience was better than WASH 1400, even if no credit is taken for the ability of operators to restore systems to service. In fact, for the case of no restoration, the average unavailabilities for the four systems is about 160 times lower than the average of the WASH 1400 numbers. There are several reasons why the actual situation may not be this good:

o Some types of " system failures" which are considered in WASH 1400 are not included in the statistics I have compiled. An example would be loss of off-site power plus failure of the "A" Diesel plus failure of the "B" LPIS pump. This would be counted as an LPIS System failure in WASH 1400. However, because of the l ways LERs are written, such a failure might not be included in my count of system failures.

o Some system failures might not be recognized or reported.

o Because I looked at limited operating experience,.

long-term failure rates might be worse (or better) than what I have calculated, i.e., there is considerable statistical uncertainty in my samples.

i

, ._ . - . . , , . . . , . _ -.. , , y

The fact that industry experience with safety system reliability has been better than WASH 1400 levels indicates that a more than adequate level of safety is being achieved today. Comparison of TMI-1 history with industry averages indicates that TMI-1 was average or somewhat-above-average.

Therefore, I conclude that the operations of TMI-1 prior to March, 1979 were such that they provided an adequate level of safety.

1 4

i

- - - - .

i WI" NESS QUALIFICATIONS Robert H. Koppe Mr. Koppe joined SMSC in 1974 as Manager of Reliability 1 and Safety Projects. While at SMSC, Mr. Kcppe has assisted cur clients in development of their Safety Analysis Reports (SARs) and in reviewing the design of nuclear facilities relative to operability and radiological safety. He has directed the Cc=pany's ongoing projects related to i= proving productivity of nuclear and fossil pcwer generating units.

This work has included:

o various studies for EPRI directed toward develep-cent of a National Data System for unit and cc=ponent reliability data for power plants.

This work has led to detailed specifications of data to be collected and analyses to be perfor=ed by the National Data System.

,

o Development of SMSC's cc=puter program and data

'

base on causes of cutages and deratings at U.S. nuclear units.

o Analyses of nuclear and fossil plant cperating

, experience to determine problem areas, effects of problems on unit perforr.ance and ~ variations of proble=s as a function of design, age, etc.

o Applications of cperating experience data to selection of-equipment vendors and to design i=provement programs.

Mr. Koppe also directs a - project which SMSC is undertaking for the Nuclear Safety Analysis Center. This involves analysis of operating experience at all U.S. nuclear units to identify and examine events with potential significant econc=ic or safety implications.

Pricr to joining SMSC,10r. Kcppe was Manager of the Nuclear Engineering Division and was responsible for. licensing and i safety analysis for Consolidated Ediscn's nuclear projects.

l The design and engineering related. co the safety of these l projects was under his direction. This work included design review and licensing for. the Indian _ Point 2 and 3 turnkey units, and design review of changes and retrofit =cdifica-tions and additions:to the three Indian Point units. He also directed the efforts of engineers within his division to supply =cdifications, analysis, and engineering supperg for the nuclear portion of the Indian Point 11and 2. units during cperatien.

-

.__. - _ _ _ . .-.

. _ _

i Mr. Koppe received his B.S. degree from the State University of New York at Syracuse in 1965 and his M.S. in Nuclear Engineering from Ohio State University in 1966. He completed course work toward a Ph.D. in Nuclear Engineering at the Massachusetts Institute of Technology.

,

!

l

-, _ _ _

_ _ , . . ~ . -- -

_ - - -

Retrieved from "https://kanterella.com/w/index.php?title=ML19345E831&oldid=2299578"