ML111260664
| ML111260664 | |
| Person / Time | |
|---|---|
| Site: | Fort Calhoun  |
| Issue date: | 05/06/2011 |
| From: | Kennedy K M NRC/RGN-IV/DRP |
| To: | Bannister D J Omaha Public Power District |
| References | |
| EA-11-025 IR-11-007 | |
| Download: ML111260664 (35) | |
See also: IR 05000285/2011007
Text
May 6, 2011
EA-11-025 Mr. David J. Bannister, Vice President
and Chief Nuclear Officer
Omaha Public Power District
9610 Power Lane
Blair, NE 68008
SUBJECT: NRC INSPECTION REPORT 05000285/2011007; PRELIMINARY YELLOW FINDING, FORT CALHOUN STATION
Dear Mr. Bannister:
On April 15, 2011, t
he U.S. Nuclear Regulatory Commission (NRC) completed an inspection at the Fort Calhoun Station. The enclosed inspection report documents
an inspection finding, which was discussed with you and other members of your staff, on April 15, 2011. The finding is associated
with the June 14, 2010
, failure of a reactor trip contactor (M2) in your reactor protection system. The significance of this finding
has preliminarily been determined to be Yellow, a finding with substantial safety significance that could result in additional NRC inspections and potentially other NRC action.
The specific details of the significance of this finding are described in Attachment
2 of the enclosed report. This finding was assessed based on the best available information, using the
applicable Significance Determination Process (SDP). The final resolution of this finding will be conveyed in separate correspondence.
The technical details of the issue and associated NRC risk analysis were discussed with your staff during the inspection and the exit meeting. Based on the discussions, we understand that you have the following disagreements regarding our risk assessment:
(1) you believe the NRC did not give sufficient credit to operator actions after the failure of an automatic reactor trip, both for the manual actions and the timing of those actions
- (2) you believe the NRC's generic data for reliability of the system's Vital Breakers CB
-AB and CB-CD was too low;
and (3) you believe the NRC applied a higher common cause probability to Trip Contactor M1 than you determined
. Additionally, we understand you are in the process of performing a failure modes and effects analysis on the failed contactor to determine if your apparent cause, what we assumed as the failure mechanism in our analysis, is correct. Fort Calhoun Station personnel replaced all four of the reactor trip contactors in the reactor protection system on February 5, 2011
, to address this issue. The finding is also an apparent violation of NRC requirements and is being considered for escalated enforcement action in
U N I T E D S T A T E S N U C L E A R R E G U L A T O R Y C O M M I S S I O N R E G I O N I V 6 12 EAST LAMAR BLVD
, S U I T E 4 0 0 A R L I N G T O N , T E X A S 7 6 0 1 1-4125
Omaha Public Power District
- 2 - accordance with the Enforcement Policy, which can be found on the NRC's Web site at http://www.nrc.gov/about
-nrc/regulatory/enforcement/enforce
-pol.html. In accordance with NRC Inspection Manual Chapter (IMC) 0609, we intend to complete our evaluation using the best available information and issue our final determination of safety significance within 90 days of the date of this letter.
The significance determination process encourages an open dialogue between the NRC staff and the licensee; however, the dialogue
should not impact the timeliness of the staff's final determination.
Before we make a final decision on this matter, we are providing you with an opportunity (1) to
attend a Regulatory Conference where you can present to the NRC your perspective on the
facts and assumptions the NRC used to arrive at the finding and assess its significance
- or. (2) submit your position on the finding to the NRC in writing. If you request a Regulatory Conference, it should be held within 30 days of the receipt of this letter and we encourage you to submit supporting documentation at least one week prior to the conference in an effort to make the conference more efficient and effective. If a Regulatory Conference is held, it will be open for public observation. If you decide to submit only a written response, such submittal should be sent to the NRC within 30 days of your receipt of this letter. If you decline to request a Regulatory Conference or submit a written response, you relinquish your right to appeal the
final SDP determination, in that by not doing either, you fail to meet the appeal requirements stated in the Prerequisite and Limitation sections of Attachment 2 of IMC 0609.
Please contact Jeff Clark at
(817) 860-8147 and in writing, within 10 days from the issue date of this letter, to notify the NRC of your intentions. If we have not heard from you within 10 days, we will continue with our significance determination and enforcement decision. The final resolution of this matter will be conveyed in separate correspondence.
Because the NRC has not made a final determination in this matter, no Notice of Violation is being issued for the
inspection finding at this time. In addition, please be advised that the number and characterization of the apparent violation described in the enclosed inspection
report may change as a result of further NRC review.
In accordance with Title of the Code of Federal Regulations 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter and its enclosure will be made available electronically for public inspection in the NRC Public Document Room or from the NRC's document system (ADAMS), accessible from the NRC Web site at http://www.nrc.gov/reading
-rm/adams.html
.
Sincerely,
/RA/ T. Pruett for
Kriss M. Kennedy
Director, Division of Reactor Projects
Docket:
50-285 License: DPR
-40
Omaha Public Power District
- 3 - Enclosures:
NRC Inspection Report 05000285/2011007
w/attachments: Supplemental Information
(A-1); Significance Determination Evaluation
(A-2) Distribution via ListServe
Omaha Public Power District
- 4 - Electronic distribution by RIV:
Regional Administrator (Elmo.Collins@nrc.gov
) Deputy Regional Administrator (Art.Howell@nrc.gov)
DRP Directo r (Kriss.Kennedy@nrc.gov) DRP Deputy Director (Troy.Pruett@nrc.gov) DRS Director (Anton.Vegel@nrc.gov) Senior Resident Inspector (John.Kirkland@nrc.gov)
Resident Inspector (Jacob.Wingebach@nrc.gov)
Branch Chief, DRP/E (Jeff.Clark@nrc.gov) Senior Project Engineer, DRP/E (Ray.Azua@nrc.gov
) Project Engineer (Jim.Melfi@nrc.gov) Project Engineer (Chris.Smith@nrc.gov
) RIV Enforcement, ACES (Ray.Kellar@nrc.gov)
FCS Administrative Assistant (Berni.Madison@nrc.gov)
Public Affairs Officer (Victor.Dricks@nrc.gov
) Public Affairs Officer (Lara.Uselding@nrc.gov)
Branch Chief, DRS/TSB (Michael.Hay@nrc.gov
) Project Manager (Lynnea.Wilkins@nrc.gov
) RITS Coordinator (Marisa.Herrera@nrc.gov)
Regional Counsel (Karla.Fuller@nrc.gov
) Congressional Affairs Officer (Thomas.Combs
@nrc.gov) OEMail Resource
DRS/TSB STA (Dale.Powers@nrc.gov
) RIV/OEDO ET (Stephanie.Bush
-Goddard@nrc.gov
) File located:
R:\_REACTORS\_FCS\2011\FCS 2011-007 RP JCK
SUNSI Rev Compl.
Yes No ADAMS Yes No Reviewer Initials
JCK Publicly Avail
Yes No Sensitive Yes No Sens. Type Initials
JCK SRI:DRP/ RI:DRP/ SPE:DRP/ C:DRS/EB1 C:DRS/EB2 JCKirkland
JFWingebach
RVAzua TRFarnholtz
NFO'Keefe /E-JAClark/ /E-JAClark/ /JMelfi for/
/E-JAClark/ /RA/ 4/21/11 4/21/11 4/21/11 4/21/11 4/21/11 DRS/SRA ACES/OE C:DRP/PBE DRP/D DPLoveless
RLKellar JAClark KMKennedy /RA/ /E-JAClark/ /RA/ /RA/ 4/21/11 4/21/11 4/21/11 5/3/11 OFFICIAL RECORD COPY
T=Telephone E=E
-mail F=Fax
- 1 - Enclosure U.S. NUCLEAR REGULATORY COMMISSION
REGION IV Docket: 50-285 License: DPR-40 Report Nos.:
Licensee: Omaha Public Power District
Facility: Fort Calhoun Station
Location: 9610 Power Lane
Blair, NE 68008
Dates: January 17, 2011
- April 15, 2011
Inspectors:
J. Kirkland, Senior Resident Inspector
L. Micewski, Project Engineer
C. Steely, Operations Engineer
J. Wingebach, Resident Inspector
Approved By:
Kriss M. Kennedy, Director
Division of Reactor Projects
- 2 - Enclosure SUMMARY OF FINDINGS
- 01/17/2011 - 04/15/2011
- Fort Calhoun Station , Baseline Inspection Report; Maintenance Effectiveness and Identification and Resolution of Problems
The report covered approximately a three month period of inspection by resident inspectors and two region-based inspector
s. One apparent violation
of preliminary substantial
safety significance
(Yellow) was identified. The significance of most findings is indicated by their color
(Green, White, Yellow, or Red) using Inspection Manual Chapter
(IMC) 0609, "Significance Determination Process." The crosscutting
aspect is determined using IMC 0310, "Components within the Crosscutting Areas." Findings for which the significance determination process
does not apply may be Green or be assigned a severity level after U.S. Nuclear Regulatory Commission management review. The NRC's program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG
-1649, "Reactor Oversight Process," Revision 4, dated December 2006.
A. NRC-Identified Findings and Self
-Revealing Findings
Cornerstone: Mitigating Systems
TBD. The inspectors identified an apparent violation of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Appendix
B, Criterion
XVI, "Corrective Action," for the licensee
's failure to ensure that
the cause of a significant condition adverse to quality was determined and corrective actions taken to
preclude repetition. Specifically, the licensee failed to identify the cause and preclude the shading coils from becoming loose material in the M2 trip contactor assembly of the reactor protection system that subsequently resulted in a failed contactor. The inspectors
determined that the licensee's failure
to preclude shading coils from repetitively becoming loose material in the M2 reactor trip contactor was a performance deficiency. The finding is more than minor because it affected the Mitigating Systems Cornerstone, and it directly affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to
initiating events to prevent undesirable consequences. The inspectors evaluated the issue using the Significance Determination Process
Phase 1 Screening Worksheet for the Initiating Events, Mitigating Systems, and Barriers Cornerstones provided in Manual Chapter 0609, Attachment 4, "Phase 1 - Initial Screening and Characterization of Findings.
" The inspectors determined that the finding represented the actual
loss of a single train (i.e.
, each of the four contactors are considered a train) of non
-Technical Specification equipment, designated as risk
-significant per 10 CFR 50.65, for greater than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Therefore, the finding was potentially risk significant and a Phase 2 analysis was required. The inspectors determined that the pre
-solved table
does not contain a target suitable for evaluating the finding of interest and informed the regional senior reactor analyst that use of the risk
-informed notebook would be necessary. The senior reactor analyst completed a Phase
3 analysis using the plant
-specific
- 3 - Enclosure Standardized Plant Analysis Risk
Model for Fort Calhoun, Revision
3.50 modified to include a detailed modeling of the reactor protection system. The exposure period of 6
4 days represented the 63 days from the last verification of contactor operation, which is most likely the time of failure, until the failure of the quarterly surveillance plus the
1-day repair time
until de-energization of half the reactor protection system. External events impacting the risk included seismic and internal fire initiators. The resulting risk
was calculated to be 2.
6 x 10-5 indicating that the finding was of preliminarily substantial
safety significance (Yellow). The final significance of this finding is to be determined (TBD). This finding has a crosscutting aspect in the area of human performance, decision making component, because the licensee did not use conservative assumptions in the evaluation of the ongoing problems
with the trip contactors H.1(b)(Section 4OA2). B. Licensee-Identified Violations
None
- 4 - Enclosure REPORT DETAILS
1. REACTOR SAFETY
Cornerstones: Initiating Events, Mitigating Systems, Barrier Integrity, and Emergency Preparedness
4OA2 Identification and Resolution of Problems (71152)
Cornerstones: Initiating Events, Mitigating Systems, Barrier Integrity, Emergency Preparedness, Public Radiation Safety, Occupational Radiation Safety, and Physical Protection
.1 Selected Issue Follow
-up Inspection
a. The inspectors reviewed the failure of a contactor in the clutch power supply system associated with the reactor protective system. On June 14, 2010, the contacts associated with the M2 contactor failed to open during performance of a quarterl
y surveillance test. The inspectors considered the following during the review of the licensee's actions:
Inspection Scope
complete and accurate identification of the problem in a timely manner
evaluation and disposition of operability/reportability issues
consideration of extent of condition, generic implications, common cause, and previous occurrences
classification and prioritization of the resolution of the problem
identification of root and contributing causes of the problem
identification of corrective actions
completion of corrective actions in a timely manner
The clutch power supply system consists of four
DC power clutch power supplies, four contactors (M
-contactors), and other relays and contacts which work together to supply power to control element drive mechanisms
(see drawings on next two pages). The control element assemblies
are equipped with magnetic clutches, which couple the control element assemblies
with the control element drive mechanisms. The clutches are powered from four
DC power supplies, PS-1 through PS
-4. Power supplies PS
-1 and PS-2 supply power to 20 clutches, and power supplies PS-3 and PS-4 supply power to 17 clutches. All clutches will remain
energized if only half of their power supplies are available. For example, if PS
-1 is de-energized, the 20 associated clutches will remain energized if PS
-2 remains energized. Therefore, to de
-energize the first 20 clutches, both PS-1 and PS-2 must be de
-energized, and to de
-energize the other 17 clutches, PS-3 and PS-4 must be de
-energized.
For a complete reactor trip (all 37 clutches), all four power supplies must de
-energize.
- 5 - Enclosure Reactor Protection System
Block Diagram
- 6 - Enclosure Reactor Protection System
Partial Line Drawing
- 7 - Enclosure Power is supplied to the four
DC power supplies from 120 Vac instrument busses. Instrument bus A or B supplies power to PS
-1 and PS-3, and instrument bus C or D supplies power to PS
-2 and PS-4. Power from the instrument buses to the dc power supplies are controlled by one breaker and two sets of contacts in series. For dc power supplies PS
-1 and PS-3, the flow path is from the instrument bus, through breaker
CB-AB, through normally closed contacts M1 then M2, then to the dc power supplies. Similarly , for power supplies PS
-2 and PS-4, through breaker CB
-CD, through normally closed contacts M4 then M3, then to the dc power supplies. This configuration is such that if power is lost from one instrument bus, the reactor will not trip because the clutches still have power from the power supplies fed from the other instrument bus. The M-contacts are controlled through the reactor protective system and the breakers are controlled from the diverse scram system
.
The reactor protective system consists of four channels of instrumentation. Each channel monitors 12 safety parameters and each parameter input is derived from an isolated instrument channel. Individual channel trips occur when the measurement reaches a preselected value, and has input to three of six logic matrices. The logic matrix trip relays are de
-energized when two channels of the same measurement channel trip.
The clutch power supply and reactor protective systems interface through six normally closed contacts, in series, in each of four trip paths. The six contacts in each trip path correspond to the six logic matrices in the reactor protective system. If a logic matrix trip relay in the reactor protective system is de-energized, it opens the associated contact in all four trip paths. Opening one of these contacts interrupts power to an interposing relay, opening a contact which interrupts power to an M
-contactor, which in turn opens the M contacts, interrupting power to two clutch power supplies. Trip path 1 consists of the M1 contactor and interposing relay 1, trip path 2
consists of the M2 contactor and interposing relay 2, etc. Initiating a manual reactor trip from control board
4 also interrupts power to the four interposing relays.
When a valid signal is generated in the diverse scram system, a normally closed contac
t will open, interrupting power to a relay associated with the CB
-AB and CB-CD breakers, opening the associated breakers and interrupting power to the clutch power supplies.
Initiating a manual reactor trip from reactor protective system
cabinet AI
-31 will also interrupt power to the breaker relays.
In order for the reactor to automatically trip upon a valid signal from the reactor protective system, the contacts from either M1 or M2 must open (which interrupts power to PS-1 and PS-3), and the contacts from either M3
or M4 must open (which interrupts power to PS
-2 and PS-4). The M
-contacts will not open if power is not interrupted to the interposing relay or the M
-contactors, or the contacts associated with the interposing relay or M
-contactors do not ope
n. These activities constitute completion of
one in-depth problem identification and resolution sample as defined in Inspection Procedure
71152-05.
- 8 - Enclosure b. Introduction. The inspectors identified an apparent violation of preliminary substantial
safety significance (Yellow) of 10 CFR Part 50, Appendix
B, Criterion
XVI, "Corrective Action," for the licensee
's failure to ensure that
the cause of a significant condition adverse to quality was determined and corrective actions taken to preclude repetition. Specifically, the licensee failed to identify the cause and preclude the shading coils from becoming loose material in the M2 trip contactor assembly of the reactor protection system that subsequently resulted in a failed contactor
. Findings Description. On June 14, 2010, the licensee performed a quarterly surveillance test on the reactor trip contactors of the reactor protective system. During this test, the
M2 contactor failed to open as required. The licensee subsequently determined the apparent cause
was due to a shading coil falling out of its recess, breaking apart, and lodging in the contactor mechanism such that it bound its contacts in the closed position.
Fort Calhoun Station
does not use reactor trip circuit breakers. Instead, the reactor protective system
uses four trip contactors (M1 through M4). For these contactors to successfully trip the reactor, either M1 and M3 or M4, or M2 and M3 or M4
must open. Therefore, this is a one out of two, taken twice, coincidence logic. With M2 failed
clos ed , M1 must open to successfully trip the reactor. The failure of M2
reduced the reliability and redundancy of the reactor protective system
. The shading coils of the trip contactors do not perform a direct safety function for the mechanism. They serve to increase the life expectancy and reliability of the contactors. The shading coils are rectangular strips of metal, not electrically connected to the
device, which produce opposing lines of flux to the main coil. The y are maintained in position , in their recess , by press fit (interference fit) to the contactor pole faces.
The shading coil is used to prevent excess vibration on the single-phase AC magnets that must be electrically held in a closed position. A shading coil produces a second field to apply a magnetic force when the primary field force is zero. With no other force present, an AC magnet will partially open at each current zero. A vibration will develop at twice the AC frequency. Without a shading coil to help hold the magnet closed during current zero phase, this vibration could destroy the magnet pole face.
Inspectors determined that the licensee failed to identify that the shading coils being loose within the mechanism posed a failure mechanism to the safety function of the contactor
to open. The licensee has documented several occurrences of shading coils dislodging from their recess in the contactor assemblies since 1987. Since
2008, the licensee documented two such instances of issues with the M2 contactor prior to its failure on June 14, 2010.
On November 3, 2008, after resetting the M2 coil, the AI
-3 panel began chattering similar to an unbalanced fan
during performance of quarterly surveillance test IC
-ST-RPS-0042 , Rev. 5, "Quarterly Functional Test of RPS Trip Logic."
The licensee documented this characterization in Condition Report
2008-6624, and categorized the condition report as a Level C (an adverse condition that requires a simple cause statement). In analyzing the initial operability of the contactor, the condition report stated
"Operating experience shows that coils and contacts can operate for extended periods making noise.
" The
- 9 - Enclosure licensee concluded that, "At this time , the M2 coil would trip and provide the protection it is designed to provide." Troubleshooting determined the cause of the vibration to be a shading coil that had fallen out of its recess and was lying across the coil. On
November 5, 2008, the shading coil was re
-installed, and the vibration ceased.
The response to Condition Report
2008-6624 recommended that all four contactors be replaced due to the age of the equipment
and identified that the contactor model was obsolete and no like
-for-like parts were available for purchase. However, the licensee identified a suitable commercially available
substitute and initiated
an engineering change to replace all four contactors.
In November 2008, engineering change EC 44745 was sent to design engineering for approval. It was initially assigned a high priority so that the contactors could be replaced in the fall 2009 refueling outage. However, the priority was subsequently downgraded and replacement of the contactor was not included in the 2009 outage. T he licensee inappropriately considered replacement of the contactor
s to be an enhancement only, and re-scheduled the activity for the spring 2011 refueling outage. Consequently, review of EC 44745 was assigned a low priority
. On March 20, 2010, Condition Report 2010
-1378 was submitted describing "Electrical noise emanating from AI
-3 cabinet has changed in pitch and volume." The inspectors noted that due to the licensee's continued lack of understanding of the potential contactor problem(s), Condition Report 2010-1378 was cross
-referenced to Condition Report 2008-6624, resulting in Condition Report 2010-1378 being closed with no further action. On March 25, 2010, during the performance of quarterly Surveillance Test
IC-ST-RPS-0 042 , noises from the AI
-3 cabinet became louder, which the licensee
documented in Condition Report
2010-1460 and performed an apparent cause analysis. Troubleshooting again showed that the shading coil had come loose. The condition report evaluation of safety significance again stated that "This is not safety significant as the contactor was able to remain energized with the contact closed, providing power to
the CEDM [control element drive mechanism] power supplies." The inspectors concluded this was another missed opportunity for the licensee to identify the potential negative impact of loose material in the contactor mechanism. On March 31, 2010, the shading coil was re
-installed;
however , the vibration was not eliminated, only reduced
. On April 1, 2010, an engineer initiated Condition Report
2010-1586, in an attempt to
elevate the priority so that design engineering
would again analyze EC 44745. This condition report stated there were no spare parts for the contactors, the contactors were obsolete , and that engineering change request EC 44745 was still in development.
Due to concerns by licensee personnel that the shading coil vibration had not been eliminated on March 31, 2010, a work request was initiated in order to check the contactor during a forced outage. On April 8, 2010, the reactor was tripped to enter a forced outage, which opened the reactor trip contactors. However, the
licensee stated in an apparent cause evaluation for Condition Report 2010
-2923, that they did not inspect the cont actors because of a lack of resources due to other work that needed to be
- 10 - Enclosure accomplished during the forced outage
. The plant was in this outage until startup commenced on April
10, 2010. At that time the reactor trip contactors were again closed. On April 10, 2010, Condition Report 2010
-1738 documented that after resetting the reactor , per Surveillance Test
OP-ST-RPS-0008, the M2 contactor started making noise at the AI-3 cabinet. Electrical maintenance was notified and determined
that the M2 shading coil had most likely come loose and was interfering with the normal contactor. The initial operability basis stated, in part, "At this time the
M2 coil would trip and provide the protection it is designed to provide." Work Request 149645 was initiated to address the condition, which was subsequently assigned to Work Order 374724, which would again re-install the shading coil, and was scheduled for August 9, 2010.
On June 14, 2010, quarterly Surveillance Test IC
-ST-RPS-0042 was performed. During Step 7.8.5 of Surveillance Test IC
-ST-RPS-0042, the system did not perform as required, in that the M2 coil did not open its associated contacts to drop out
clutch power supplies
PS-3 and PS-1. The licensee documented this failure in Condition Report
2010-2923. The system engineer's evaluation of the condition report state
d, "Troubleshooting determined that part of one of the shading coils had wedged [itself] between the contactor and the yoke preventing the contactor from dropping out.
" The licensee further concluded that was
not safety significant as, "The AI-3-M1 contactor would have caused the power supplies to de
-energize in the event of an actual trip
signal." The inspectors postulated that for the shading coil to jam the contactor in the closed position, the shading coil would have to be out of its recess when the contactor physically closed. Specifically, a loose shading coil could fall out of its recess when the contactor is cycled open then jam when subsequently closed. This cycling occurred on April 8 and 10, 2010. As evidenced by the failure to open on June
14, 2010, the inspectors concluded the contactor was likely inoperable from April
10 through June 14, 2010.
In the response to both Condition Reports 2010
-1460 and 2010
-2923, the licensee evaluated the significance of a shading coil being out of its recess as not being significant, as the contactor would still open as required. In these two
instances, the licensee failed to recognize the loose shading coil could adversely affect the safety
-related function of the contactor
to open. The licensee also failed to recognize the importance of the M1 contactor, and the resulting loss of the reactor protection system reliability, given a failure of M2.
Analysis. The inspectors
determined that the failure to identify the cause and preclude the shading coils from becoming loose material in the M2 trip contactor assembly of the reactor protection syst
em , that resulted in a failed contactor, was a performance deficiency. The finding is more than minor because it affected the Mitigating Systems Cornerstone, and it directly affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences. Specifically, with M2 failed closed, M1 must open to successfully trip the reactor. The failure of M2 reduced the reliability and redundancy of the reactor protection system. The inspectors evaluated the issue using the Significance
- 11 - Enclosure Determination Process
Phase 1 Screening Worksheet for the Initiating Events, Mitigating Systems, and Barriers Cornerstones provided in Manual Chapter 0609, Attachment 4, "Phase 1 - Initial Screening and Characterization of Findings.
" The inspectors determined that the finding represented the actual loss of a single train (i.e.
, each of the four contactors are considered a train) of non
-Technical Specification equipment, designated as risk-significant per 10 CFR 50.65, for greater than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Therefore, the finding was potentially risk significant and a Phase 2 analysis was required. The
inspectors determined that the presolved
table d id not contain a target suitable for evaluating the finding of interest and informed the regional senior reactor analyst that use of the risk
-informed notebook would be necessary. Therefore, the senior reactor analyst completed a Phase
3 analysis using the plant
-specific Standardized Plant Analysis Risk Model for Fort Calhoun, Revision
3.50 , modified to include a detailed modeling of the reactor protection system. The exposure period of 6
4 days represented the 63 days from the last verification of contactor operation, which is most likely the time
of failure, until the failure of the quarterly surveillance plus the
1-day repair time
until the M1/M2 half of the reactor protection system
was deenergized. External events impacting the risk included seismic and internal fire initiators. The resulting risk was calculated to be 2.
6 x 10-5 indicating that the finding was of preliminarily substantial
safety significance (Yellow). This finding has a crosscutting aspect in the area of human performance, decision making component, because the licensee did not
use conservative assumptions in the evaluation of the ongoing problems with the trip contactors H.1(b).
Enforcement. Title 10 of the Code of Federal Regulations, Part
50, Appendix B, Criterion XVI, "Corrective Action," states, in part, that measures shall be established to assure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and non
-conformances are promptly identified and corrected.
In the case of significant conditions adverse to quality, the measures shall assure that the cause of the condition is determined and corrective action taken to preclude repetition.
Contrary to the above, between November
3, 2008 , and June 14, 2010 , the licensee failed to preclude shading coils from repetitively becoming loose material in the M2 reactor trip contactor.
Specifically, the shading coils becoming loose material in the M2 reactor trip contactor assembly was a significant condition adverse to quality that subsequently resulted in the contactor failing. O n November 3, 200 8, the licensee determined that the shading coil in the M2 trip contactor had fallen out of its recess and had become loose material in the contactor. The licensee further determined the trip contactors were obsolete and should be replaced. However, the licensee manually pressed the shading coil back into place and continued operations. On March
25, 2010, the licensee again identified the shading coil had fallen out, as evidenced by associated buzzing noise. On March 31, 2010, technicians again pressed the shading coil back into place during troubleshooting, but the noise immediately resumed during the postmaintenance testing, indicating the shading coil did not remain in place. Due to a lack of replacement parts, the licensee determined the contactor would be left "as is" and they would continue to operate.
On June 14, 20 10 , the M2 trip contactor failed to open during a surveillance test because pieces of the loose shading coil jammed the contactor in the closed
position. The licensee failed to identify that the loose parts in the trip contactor represented a potential failure of the
- 12 - Enclosure contactor if they became an obstruction; and therefore, failed to preclude repetition of this significant condition adverse to quality. The licensee has entered this condition into their corrective action program as Condition Report 2011
-0451. The licensee also replaced all four of the reactor trip contactors in the reactor protection system on February 5, 2011. Therefore, the NRC
no longer has a concern with the potential failure mechanisms discussed in the report with the previous reactor trip contactors. Pending completion of the final significance determination, the performance deficiency will be considered an apparent violation, AV 05000285/2011007
-01, "Failure to Correct a Degraded Contactor in the Reactor Protective System."
4OA6 Meetings Exit Meeting Summary
On April 15, 2011, the inspectors presented the inspection results to you and other members of your staff. You and your staff acknowledged the issues presented. Your staff also reiterated the differences they consider in assumptions or analysis in the NRC's risk analysis for this issue. The inspector asked the licensee whether any materials examined during the inspection should be considered proprietary. No proprietary information was identified.
A-1 Attachment
-1 SUPPLEMENTAL INFORMATION
KEY POINTS OF CONTACT
Licensee Personnel R. Acker, Station Licensing
M. Bare, System Engineer J. Bozarth, System Engineer
H. Faulhaber, Division Manager, Nuclear Construction and Projects
M. Ferm, Manager, Systems Engineering
M. Frans, Manager, Engineering
Programs J. Goddell, Division Manager, Nuclear Performance Improvement and Support
D. Guinn, Supervisor Regulatory Compliance
H. Hackerott, Supervisor, Systems Analysis
J. Herman, Division Manager, Nuclear Engineering
T. Nellenbach, Plant Manager
J. Reinhart, Site Vice President
M. Smith, Manager, Operations
LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED
Opened 05000285/2011007
-01 AV Failure to Correct a Degraded Contactor in the Reactor Protective System
LIST OF DOCUMENTS REVIEWED
Section 4OA2: Identification and Resolution of Problems
CONDITION REPORTS
199600356 2008-6624 2010-1378 2010-1460 2010-1586 2010-1738 2010-2923 2011-0451 WORK ORDERS (WO)
00321729 00372893 00301892 PROCEDURES
NUMBER TITLE REVISION EM-RR-RPS-0201 Maintenance of M
-Contactors for Clutch Power Supplies 6 IC-ST-RPS-0042 Quarterly Functional Test of RPS Trip Logic
5 OP-ST-RPS-0008 Reactor Manual Trip Test
12
A-2 Attachment
-1 DRAWINGS NUMBER TITLE REVISION E-23866-411-003 Reactor Protective System Functional Diagram
4 ENGINEERING CHANGES (EC)
NUMBER TITLE REVISION 44745 Replacement for AI
-3-M1/M2/M3/M4 contactors
1 MISCELLANEOUS DOCUMENTS
NUMBER TITLE REVISION / DATE Equipment Reliability (ER) Optimization Project at OPPD Fort Calhoun
September 2010
Meeting Agenda and Package for DNC PRC Subcommittee monthly meeting
January 20, 2010
FCSG-24 Corrective Action Program Guideline
27 STM38 System Training Manual Volume 38, Reactor Protective System and Diverse Scram System
20 USAR-7.2 Instrumentation and Control
- Reactor Protective Systems 14
A-1 Attachment
-2 ATTACHMENT
PRELIMINARY SIGNIFICANCE DETERMINATION
FAILURE TO CORRECT DEFICIENCIES IN THE REACTOR PROTECTION SYSTEM
The seven supplements referred to in this preliminary risk assessment are being withheld from public disclosure in accordance with Section 2.390(d) of Title 10 of the Code of Federal Regulations (10 CFR 2.390). These documents will be provided to the licensee under separate cover.
A. Significance Determination Basis
The senior reactor analyst completed a Phase
3 analysis using the plant
-specific Standardized Plant Analysis Risk
(SPAR) Model for Fort Calhoun, Revision
3.50 modified to include a detailed modeling of the reactor protection system. The exposure
period of 6 4 days represented the 63 days from the last verification of contactor operation, which is most likely the time of failure, until the failure of the quarterly
surveillance plus the
1-day repair time
until deenergization of half the reactor protection system. External events impacting the risk included seismic and internal fire initiators. The final change in core damage frequency
was calculated to be 2.
6 x 10-5 indicating that the finding was of substantial
risk significance (Yellow). a. Phase 1 screening logic, results and assumptions
In accordance with NRC Inspection Manual Chapter 0612, Appendix B, "Issue
Screening," the team determined that the licensee failed to ensure the availability, reliability, and capability of safety systems that respond to initiating
events to prevent undesirable consequences of safe shutdown equipment. The finding is more than minor because it affected the Mitigating Systems Cornerstone, and it directly affected the cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences.
The team evaluated the issue using the Significance Determination Process (SDP) Phase 1 Screening Worksheet for the Initiating Events, Mitigatin
g Systems, and Barriers Cornerstones provided in Manual Chapter 0609, Attachment 4, "Phase 1
- Initial Screening and Characterization of Findings." This finding affected the Mitigating Systems Cornerstone. The inspectors
determined that the finding represented the actual loss of a single train (i.e. each of the four contactors are considered a train) of non-Technical Specification equipment, designated as risk
-significant per 10 CFR 50.65, for greater than
24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Therefore, the finding was potentially risk significant and a Phase 2 Estimation was required.
b. Phase 2 Risk Estimation
In accordance with Manual Chapter
0609, Appendix
A, Attachment
1, "User Guidance for Phase
2 and Phase
3 Reactor Inspection Findings for At
-Power Situations," the inspectors evaluated the subject finding using the presolved table for the "Risk
-Informed Inspection Notebook for Fort Calhoun Power Station," Revision 2.01a. The inspectors determined that the presolved table does not contain a target suitable for evaluating the finding of interest and informed the
A-2 Attachment
-2 Regional Senior Reactor Analyst that use of the risk
-informed notebook would be necessary.
The senior reactor analyst used the plant
-specific risk
-informed notebook to estimate the risk associated with this finding.
The following assumptions were made: 1. Reactor Protection System Contactor M2
most likely failed on April 1
0, 201 0 , when operators performed surveillance
testing of the trip system prior to restarting the reactor from a midcycle outage. The inspectors determined that for the shading coil to jam the contactor in the closed position, the event would have most likely been concurrent with the physical closing of the contactor with the shading coil out of its recess. The inspectors determined that vibration
of the contactor during operation
was insufficient to cause catastrophic failure of the shading coil
.
2. The failure was identified during a test of the system on June 14, 2010. It took the licensee until June 15, 2010 to deenergize
the vital power to the
contactor and confirm a half trip condition existed
. 3. In accordance with Manual Chapter
0609, Appendix
A, Attachment
2, "Site Specific Risk
-Informed Inspection Notebook Usage Rules," Rule
1.1, "Exposure Time," the analyst evaluated the time frame over which the finding
impacted the risk of plant operations. The analyst determined that the performance deficiency affected plant risk for 6
4 days. Therefore, the exposure time used to represent the time that the performance deficiency
affected plant risk in the Phase 2 estimation was greater than 30
days. 4. In accordance with Manual Chapter
0609 , Appendix A, Attachment
1, Step 2.1.3, "Find the Appropriate Target for the Inspection Finding in the Pre
-solved Table," the analyst determined that there was no appropriate target for evaluating this performance deficiency. Therefore, the analyst utilized the Risk-Informed Notebook for Fort Calhoun Station, Revision 2.01a to
perform the estimation.
5. In accordance with Manual Chapter
0609 , Appendix A, Attachment 1, Step 2.2.1, "Select the Initiating Event Scenarios," the analyst determined that only the anticipated transient without scram (ATWS) was affected. Therefore, Table 3.9, "SDP Worksheet for Fort Calhoun Power Station
- Anticipated Transients Without Scram (ATWS)" was used for this estimation.
6. In accordance with Manual Chapter
0609 , Appendix A, Attachment 2, Rule 1.2 "Inspection Finding (Not Involving a Support System) that Increases the Likelihood of an Initiating Event," the analyst increased the Initiating Event Likelihood of the ATWS by one order of magnitude because the increase in the frequency of the ATWS was not known.
7. The analyst determined that the failure of the M2 contactor did not directly affect the ability of any other mitigation system to perform its function.
A-3 Attachment
-2 8. The analyst gave no operator action credit for recovery of the M2 contactor as discussed in Manual Chapter
0609, Appendix
A, Attachment
1, Table 4, "Remaining Mitigation Capability Credit." The requirements for such credit (procedures, available parts and training under similar conditions) were not met. The dominant sequences from the notebook are documented in Table
1, and the worksheet was provided as Supplement 2 to this document
. TABLE 1 Failure Reactor Protection System M2 Contactor Phase 2 Sequences
Initiating Event
Sequence Mitigating Functions
Results Anticipated Transient without SCRAM
1 ATWS-AFW 6 2 ATWS-BORATE 7 3 ATWS-SRV 7 4 ATWS-TTP 8 Using the site-specific risk
-informed notebook, the result from this estimation indicated that the finding was of low to moderate safety significance (White). However, the analyst determined that this estimate most likely increased the initiating event likelihood by more than one order of magnitude and represented a partial loss of capability of the manual reactor trip. Therefore, in accordance with the recommendations of the site
-specific risk
-informed notebook, the finding was evaluated by the analyst using Phase 3 methods
. c. Phase 3 Analysis
The following assumptions were made to support this Phase
3 analysis:
1. The Fort Calhoun plant
-specific SPAR, Revision
3.50 , as modified by the analyst to include a detailed model of the reactor protection system, was the best tool for quantifying the risk of the subject performance deficiency.
2. The M2 contactor was last cycled on April 10, 2010
, when operators performed surveillance of the trip system prior to restarting the reactor from a midcycle outage.
3. Using best
-available information, the inspectors determined that for the shading coil to jam the contactor in the closed position, the event would have most likely been concurrent with the physical closing of the contactor with the shading coil out of its recess. The inspectors determined that vibration
of the contactor during operation
was insufficient to cause catastrophic failure of the shading coil. Therefore, Reactor Protection System Contactor M2
most likely failed during the last successful cycle on April 10, 2010, prior to restarting the reactor from a midcycle outage
.
A-4 Attachment
-2 4. The failure was identified during a test of the system on June 14, 2010. It took the licensee until June 1
5, 2010 , to deenergize
the vital power to the contactor and confirm a half trip condition existed
. 5. In accordance with Manual Chapter
0609, Appendix
A, Attachment
2, "Site Specific Risk
-Informed Inspection Notebook Usage Rules," Rule
1.1, "Exposure Time," the analyst evaluated the time frame over which the finding was reasonably known to have existed. Therefore, the analyst calculated an exposure time of 64 days which includes the 63 days from April 10, 2010
, to June 14, 2010
, plus the 1 day until the vital power to the contactor was
deenergized and a half trip condition confirmed to exist on June
15, 2010. The 1 day was part of the "repair time."
6. The baseline failure rate of an M
-Contactor is 1.2 x 10
-4/demand (Reference: NUREG/CR-5500, Volume 10 Reliability Study: Combustion Engineering Reactor Protection System, 1984
- 1998, Table C
-7, Page C-22). 7. The analyst determined that the common cause failure probability should be adjusted for the contactors. Essentially, there was an increased probability that the contactors could have both failed in response to the same initiating event. Common observations existed on both contactors, including: 1) at least one shading coil would easily come out of its recess; 2) original installation was during plant construction; 3) there were signs of age
-related fatigue; 4) subparts exhibited significant scratching and indentations; and
5) in November 2008 the licensee determined that the contactors were obsolete and should have been replaced.
8. The analyst used NUREG
5485, "Guidelines on Modeling Common
-Cause Failures in Probabilistic Risk Assessment," November 1998, for the common cause assessment. The analyst used the "alpha
-factor" method to evaluate the common cause failure probability. This method is described in
NUREG 5485, Section 5.3.
"Parametric Representation of
Common Cause Basic Eve n t Probabilities." The analyst used NUREG/CR
-5500, Volume 10, "Reliability Study: Combustion Engineering Reactor Protection System, 1984-1998," Table E
-6, Page E19 to determine the appropriate
2 factor for Contactor M1. The 2 factor was 3.59 x 10
-2/demand. 9. The analyst determined that the failure of the M2 contactor did not directly affect the ability of any other mitigation system to perform its function.
10. Other than appropriately modeled manual trip actions, the analyst gave no operator action recovery credit to restore the M2 contactor because there was insufficient time to implement these actions before postulated irrecoverable damage would occur and because parts were not available
. 11. The failure to deenergize any 3 or more RPS clutch power supplies will result in a failure of the automatic scram logic.
12. The failure to deenergize the following combinations of RPS clutch power supplies will result in a failure of the automatic scram logic: PS1 and PS3; PS2 and PS3; PS2 and PS4; or PS1 and PS4.
A-5 Attachment
-2 13. The failure of either the associated M
-contactor or the associated interposing relay will prevent the trip contacts from opening. Example: If Interposing Relay 1 fails to open, Contactor M1 will not deenergize. Also, if Contactor
M1 fails, its contacts will not
open. Therefore, given the failure of Contactor M2, either Interposing Relay 1 or Contactor M1 failing would result in Clutch
Power Supplies 1 and 3 remaining energized.
14. Should the automatic RPS function fail to deenergize a clutch power supply, the diverse scram system may cause the power supplies to deenergize by opening Vital Breakers CB
-CD and CB-AB. 15. The diverse scram system will only function to automatically trip the reactor upon a high pressurizer pressure signal. Therefore, loss of coolant accidents will not result in the diverse scram system initiating a reactor trip.
16. Manual Trip Pushbutton No. 1 is located on the main reactor control panel
and is designed to trip the reactor by deenergizing each of the M
-contactor coils. 17. Manual Trip Pushbutton No. 2 is located on the reactor protection system panel and is designed to trip the reactor by deenergizing the holding solenoids inside Vital Breakers CB
-CD and CB-AB. 18. The baseline failure rate of a molded case circuit breaker with a normally energized holding coil such as Vital Breakers CB
-CD and CB-AB was estimated as 2.5 x 10
-3 /demand from binding of the holding coil plunger and 5.0 x 10-3 /demand from all other reasons (Reference EGG
-SSRE-8875, "Generic Component Failure Database for Light Water and Liquid Sodium Reactors, Idaho National Engineering Laboratory, 1990).
19. The probability that a licensed operator failing to manually trip the reactor using Reactor Trip Pushbutton No. 1 upon failure of the automatic trip systems is 1.5 x 10
-3 /demand (Reference: SPAR
-H Human Reliability Analysis Method Worksheet, Supplement
3). 20. The probability that a licensed operator fails to trip the reactor with Reactor
Trip Pushbutton No. 2 upon failure of the automatic trip systems and the failure of the reactor to
trip upon actuating Manual Trip Pushbutton No. 1 is 5.0 x 10-1/demand based on the high dependency with the failure described earlier (Reference: SPAR
-H Human Reliability Analysis Method Worksheet, Supplement
3). 21. Because the performance deficiency resulted in at least one shading coil in
both Contactors M1 and M2 being in a condition such that it would easily come out of its recess, the analyst assumed that a seismic event
could result in the failure of the reactor
protection system to initiate an automatic scram at any time during the 1
-year assessment period.
22. Based on analyst judgment, the analyst assumed that the failure described in Assumption 21 would occur at or above the frequency that would cause a
A-6 Attachment
-2 seismica lly-induced nonrecoverable loss of offsite power. At this frequency, the offsite power resister stacks have sufficient countermotion in a single plane that they break. The analyst noted that this level of seismic activity would also likely fail a contactor with loose shading coils.
However, the analyst determined that the overall analysis was not very sensitive to this assumption.
23. The analyst assumed that the probability of an anticipated transient without scram (ATWS) was relatively low, even given the
performance deficiency. Therefore, the probability that
a fire would initiate and be severe enough to cause damage to plant equipment at the same time as an ATWS occurred
would be too low to cause a significant change in the overall analysis of 24. Given Assumption 23, the analyst determined that the only fire
scenarios that would be significantly impacted by the subject performance deficiency would
be those that affect ATWS mitigation systems, specifically: emergency boration; high pressure injection;
auxiliary feedwater; shutdown cooling; and high pressure recirculation.
Exposure Period
As documented in the main control room log, the reactor protection system trips were tested on April 10, 2010
, prior to restarting the reactor from a midcycle outage. As documented in Assumption 3, this is when the failure of the M2 contactor most likely occurred. A quarterly surveillance of the system on June 14, 2010 , revealed that the contactor had failed. Therefore, the condition existed 63 days before identification.
As stated in Assumption 4, it took an additional day for the licensee to deenergize vital power to the contactor and verify that a half trip condition existed. In accordance with the Risk Assessment of Operational Events Handbook, Section
2.2, the exposure time for a component failure that was determined to have occurred when the component was last functionally operated should be the total time from the last successful operation to the unsuccessful operation plus the repair time
. The total time from the last successful operation to the unsuccessful operation was 63 days. The repair time until deenergization was 1 day. Therefore, t
he total exposure time was then calculated to be the sum of these two
, or 64 days. Application of Recovery
As stated in the assumptions, other than appropriately modeled manual trip actions, the analyst gave no operator action recovery credit for recovery of Contactor M2 failure because there was insufficient time to implement these actions before postulated irrecoverable damage would occur and because parts were not available
.
A-7 Attachment
-2 Adjustment of Common Cause Component
Failure Probability
As stated in the assumptions, reactor protection system Contactor M1 was potentially affected by the performance deficiency. At least one shading coil would easily come out of its recess, the contactor exhibited signs of age
-related fatigue, parts had significant scratching and indentations and the licensee had determined in November 2008 that the contactor was obsolete and should have been replaced.
The Risk Assessment of Operational Events Handbook, Volume 1, "Internal Events," Revision 1.01 stipulates, a
component failure should be considered independent (no common cause failure mechanism exists) ONLY when the cause is well
understood and there is no likelihood that the same components in other trains or parallel component groups could fail for the same cause. A
presumption of zero common cause potential should be a rare occurrence.
The performance deficiency involved the licensee's failure to correct the degrading conditions of the reactor trip contactors in a timely manner. This deficiency result ed in the failure of Contactor M2. The same performance deficiency also applied to the other reactor protection system contactors. Based on the inspection of Contactor M1, the analyst determined that there was a likelihood that the same circumstances could exist in this contactor. Therefore, the analyst determined that the failure probability of the common cause component group (for Contactors M1 and M2) needed to be increased.
The analyst used NUREG
5485, "Guidelines on Modeling Common
-Cause Failures in Probabilistic Risk Assessment," November 1998, for the common cause assessment. The analyst used the "alpha
-factor" method
to evaluate the common cause failure probability. This method is described in NUREG
5485, Section 5.3.
"Parametric Representation of
Common Cause Basic
Eve n t Probabilities." The alpha factor model is a multi
-parameter model which can handle any redundancy level and is based on ratios of failures rates which makes
the assessment of its parameters easier when no statistical data are available. The model has a simpler statistical model, and produces more accurate point estimates as well as uncertainty distributions when compared to other parametric models. The alpha factor model develops common cause failure frequencies from a set of failure ratios and the total component failure rate.
For this specific case, there is a four-component common cause group, Contactors M1, M2, M3 and M4. Assuming that Contactor M2 failed, th e conditional probability that Contactor M1
fails is of interest. For this particular problem, the combination of one of M1 and M2 failing together or M3 and M4 failing together, a one-of-two-taken-twice logic scheme, must be evaluated. There are two out of six
such combinations
in the group. Mathematically, the conditional probability
of Contactor M1 failing given that Contactor M2 has failed is as follows:
A-8 Attachment
-2 P(M1lM2) = P(M1 M2) P(M2) (1) In the basic parameter model, the numerator is given by Q
2 if the independent failures of two components
is neglected (because they are negligible), and the denominator is
Q t. Note: Q k is the probability that a specific group of k components
fails from a shared cause.
(Q 2 is a specific case of Q
k) Q t is the total component failure probability.
Neglecting independent failures of both components we
have: P(M1lM2) = Q 2
Q t If we assume the components are subject to a staggered
-testing scheme, we have : Q 2 2 Q t Substituting into Equation 1 gives: P(M1lM2) 2.
k is the probability that when a common cause basic event occurs in a common cause group it involves failure of k components.
According to NUREG/CR
-5500, Volume 10, "Reliability Study: Combustion Engineering Reactor Protection System, 1984
-1998," Table E
-6, Page E19, the alpha factor
vector for the reactor trip contactors (four like components) is
- 1 = 9.52E-1 2 = 3.59E-2 3 = 1.03E-2 4 = 2.20E-3 The common cause failure probability of Contactor
M1 given that Contactor M2 has failed can be estimated as the 2 factor from the common cause component failure group, or 3.59 x 10
-2/deman d. The analyst noted that although the common cause failure probability of Contactors M3 and M4 would also be increased, the impact would be substantially lower than the impact of M1 failing because both M3 and M4 would have to fail to cause a failure of the reactor protection system. The probability of M3 and M4 failing from a common cause given a failure of M2 can be estimated as 3.70 x 10-4/demand. This is two orders of magnitude less likely than the failure of Contactor M1 alone and was not considered further in this analysis.
A-9 Attachment
-2 Change in Risk from Internal Initiators
The analyst created a more detailed model of the reactor protection system than that provided in the
Fort Calhoun SPAR, Revision
3.50. Idaho National Laboratories assisted in incorporating this model into the SPAR model and validating the impact (the associated fault trees are provided as Supplement
4). The analyst calculated the change in risk related to this performance deficiency
using the following method:
The analyst quantified the new model and reestablished a baseline risk for the plant (1.2 4 x 10-5/year). The analyst set Basic Event
RPS-RYT-CF-M12, "Common Cause Failure of Contactor s M1 and M2," to
3.59 x 10-2/demand indicating the increased common cause failure probability derived above. This increase in common cause failure probability indicated the new failure probability for Contactor M1 given that Contactor M2 had already failed. The analyst then set Basic Event RPS-RYT-CC-M2 "Contactor M2 Fails to Open upon Demand,"
to the house event "TRUE," indicating that
the contactor had failed to open on demand. The analyst quantified the model and the results are provided in Table
2 below. The analyst considered using the modified model in this manner to be the best estimate of risk.
TABLE 2 Phase 3 Results
SPAR Quantification
Baseline 1.2 4 x 10-5/year Case 1.57 x 10-4/year Difference
1.44 x 10-4/year 64-Day Exposure
1.75 x 10-1 years CDF (Internal)
2.53 x 10-5 Seismic Initiator
4.40 x 10-7/year Internal Fires
1.29 x 10-6/year CDF (External)
6.65 x 10-7 CDF (Total)
2.60 x 10-5
A-10 Attachment
-2 Table 3 documents the major internal initiator sequences contributing 93.3 percent of the change in core damage frequency.
TABLE 3 Dominant Core Damage Sequences
Sequence Description
% of Total
Transient 16
-12 Plant Transient, Failure of Reactor Protection System
- , Failure of Relief Valves to Limit Reactor Pressure.
7.95 x 10-5/yr 55.1 SLOCA 20 Small-Break Loss of Coolant Accident and Failure of the Reactor Protection System
- . 2.16 x 10-5/yr 15.0 LOMFW 16-12 Loss of Main Feedwater, Failure of Reactor Protection System
- , Failure of Relief Valves to Limit Reactor Pressure.
9.94 x 10-6/yr 6.9 LOCHS 16-12 Loss of Condenser Heat Sink, Failure of Reactor Protection
System*, Failure of Relief Valves to Limit Reactor Pressure.
7.95 x 10-6/yr 5.5 MLOCA 5 Medium-Break Loss of Coolant Accident and Failure of Reactor Protection System
- . 7.21 x 10-6/yr 5.0 TRANS 16-10 Plant Transient, Failure of Reactor Protection System
- , Failure of Emergency Boration.
4.55 x 10-6/yr 3.2 LOOP 23-12 Loss of Offsite Power, Failure of Reactor Protection System
- , Failure of Relief Valves to Limit Reactor Pressure.
3.57 x 10-6/yr 2.5 SPURSGIS 16
-12 Spurious Steam Generator Isolation Signal, Failure of Reactor Protection System
- , Failure of Relief Valves to Limit Reactor Pressure.
3.17 x 10-6/yr 2.2 TRANS 16-11 Plant Transient, Failure of the
- , Failure of Emergency Boration.
1.14 x 10-6/yr 0.8 SGTR 21 Steam Generator Tube Rupture, Failure of the Reactor Protection System*. 1.14 x 10-6/yr 0.8 *NOTE: Failure of the Reactor Protection System includes a failure of the reactor protection system to generate an automatic reactor trip; failure of operator actions to manually trip the reactor; and failure of the diverse scram system.
The analyst noted that, in accordance with Inspection Manual Chapter 0609, Appendix A, "Determining the Significance of Reactor Inspection Findings for
At-Power Situations," the internal initiators indicated that this performance deficiency represented a finding of substantial safety significance (Yellow).
A-11 Attachment
-2 Change in Risk from External Initiators
Seismic The analyst used the techniques delineated in the Risk Assessment of Operation Events Handbook, Volume 2, "External Events," Revision 1.01, Section 4.0,
"Seismic Event Modeling and Seismic Risk Quantification," to develop a spreadsheet modeling the Fort Calhoun seismic hazard
(Supplement
5). The analyst then quantified the potential of having a seismically
-induced loss of offsite power with an ATWS (mitigated by a manual reactor trip)
over the previous
1-year assessment
period as a bounding condition.
This was supported by Assumptions 23 and 24.
The results of this analysis are shown in Table
2. Internal Fire
From the licensee's Individual Plant Evaluation of External Events, the analyst identified
six fire areas that contained equipment needed for mitigating an ATWS. These included fires in the main control room, cable spreading room, Fire Area 20 (Auxiliary Building general area at ground level), and the charging pump area. The analyst quantified the change in risk by evaluating the fire ignition frequency, the nonsuppression probability, and the change in conditional core damage probability with a known failure of the M2 contactor (See spreadsheet in Supplement
6). The results of this analysis are shown in Table
2. Large Early Release Frequency
In accordance with the guidance in Inspection Manual Chapter 0609, Appendix H, this finding would not involve a significant increase in risk of a large, early release of radiation because Fort Calhoun has a large, dry containment and the dominant sequences
contributing to the
change in the core damage frequency did not involve either a steam generator tube rupture or an inter
-system loss of coolant accident.
Assessment of Licensee's Risk Evaluation
The analyst also reviewed the licensee's comments provided on the reactor protection system fault tree. The following comments were assessed:
1. The human error probability for human failure event RPS
-XHE-XM-SCRAM, "Operator Fails to Manually Trip the Reactor", is 1.0E
-02. Analysis with
SPAR-H suggests that a more appropriate probability would be 7.5E
-04. The analyst calculated a new human error probability using the SPAR
-H method, derived by the Idaho National Laboratory
(documented in Supplement
3). The new value, representing the best available information for this failure, was 1.5 x 10-3/demand as documented in Assumption
19. In addition, the analyst requantified the assessment of this finding using the licensee's value as a sensitivity. The result indicated a change of much less than 1 percent of the total core damage frequency of the case
(See Table
4
A-12 Attachment
-2 for results). Therefore, the analyst determined that this evaluation was not sensitive to the probability of operators failing to manually trip the reactor.
2. The human error probability for human failure event RPS
-XHE-ERROR, "Operator Fails to De
-energize CEDM power Supply (Recovery Event)", is 4.4E-01. Analysis with SPAR
-H suggests that a more appropriate probability would be 1.0E
-03. The analyst calculated a new human error probability using the
SPAR-H method, derived by the Idaho National Laboratory
(documented in Supplement
3). The new value, representing the best available information for this failure, was 5.0 x 10-1/demand as documented in Assumption
20. The analyst noted that the licensee's
analysis did not include the dependency between this action and Basic Event RPS
-XHE-XM-SCRAM. This dependency is discussed under Assumption
20 and documented in Supplement
3. The analyst determined that a dependency resulted based on the action being performed by the same crew, close in time to the previous action, and only one additional cue being the failure of the first action.
After discussing this with licensee analysts, they stated that there were no additional cues or indications that could dispute this dependency.
However, the analyst requantified the assessment of this finding using the licensee's value as a sensitivity. The result indicated a change of much less than 1 percent of the total core damage frequency of the case
(See Table
4 for results). Therefore, the analyst determined that this evaluation was not sensitive to the
probability of operators failing to manually trip the reactor.
3. It appears that there is logic representing test and maintenance, or bypass, which would prevent an M coil from de-energizing. An example is
Gate RPS-TRIP-PTH1-BYP. These types of activities are not performed online. Refer to drawing E
-23866-411-003. An example of a test that is performed uses holding coils to prevent the AD contacts from opening if th
e RPS 2/4 trip logic is satisfied. However, any of the other 2/4 trip combinations
- would still de
-energize the M coils. For example, see the logic combinations at drawing coordinate C7.
The analyst noted that the trip and bypass functions are utilized on a trip unit basis and do not affect the entire trip path. To assess the effect of this modeling on the final evaluation, the analyst viewed all cutsets that included the test/maintenance and/or bypass basic events. Only five cutsets were greater than the 1 x 10
-13/year truncation limit and these comprised less than a tenth of a percent of the final change in core damage frequency.
The appropriate changes to the reactor protection system to reflect placing trip units in the bypass or trip condition will be made prior to incorporating the model into the SPAR for unlimited use.
As a sensitivity study, the analyst adjusted appropriate basic events so that all trip and bypass conditions would
A-13 Attachment
-2 be removed from the final cutsets. This did not change the first three significant figures from the best estimate result (See Table 4 for results).
Therefore, the analyst determined that this evaluation was not sensitive to the trip and bypass fault trees in the modified SPAR model for the reactor protection system.
4. It is unclear how gate RPS
-DSS-NOSGNL would be used. Diverse Scram System (DSS) is actuated by high pressurizer pressure, so presumably the purpose of this gate is to "disable" automatic DSS for initiating events that cannot result in high pressurizer pressure.
The analyst explained to the licensee analysts that their presumption was
correct. Gate RPS
-DSS-NOSGNL was used to model Assumption
15 No additional licensee comments were made on this subject.
5. Refer to drawing E
-23866-411-003. The fault tree appears to be missing the interposing relays IR
-1, IR-2, IR-3, and IR-4. For example, see IR
-1 at drawing coordinate C7.
The analyst agreed with the licensee analysts. The interposing relays were added to the model for completeness and to add a better understanding of the risk associated with the performance deficiency. The fault tree was updated to model the interposing relays as described under Assumption
1 3. 6. It appears that the fault tree does not contain failure events for the manual trip push buttons and DSS switches. Perhaps those are subsumed into the
human error probabilities.
The analyst agreed with the licensee analysts. The manual trip pushbuttons and DSS switches were added to the fault tree for completeness. The
fault tree was updated to model the pushbuttons as described under
Assumptions
16, 17, 19, and 2 0. 7. Generic analyses performed by Combustion Engineering for ATWS scenarios using best estimate model assumptions and acceptance criteria that was used to support PRA success criteria indicates that success could be achieved if only half of the CEDM clutches are de
-energized for some initiators.
The analyst assessed this comment by the licensee and noted that the generic analyses performed by Combustion Engineering were not incorporated into the licensee's PRA model. The licensee's model indicates that the failure of more than two control rods to insert represents an ATWS. Sans additional plant specific evaluation and a complete understanding of the initiators involved in the study, the analyst continued to assume that best available information indicates that a failure of half the control rods to insert at Fort Calhoun Station represents an ATWS.
Additionally, the analyst evaluated the probability that
a reactor trip signal would result in only one half of the control rods inserting. The analyst noted
A-14 Attachment
-2 that there are no specific active component failures in the reactor protection system that would result in half the rods falling. For this to occur, the
failure of the M contactors would have to cause 2 of the 5 contacts to fail in the
closed position while an additional 2 would have to open.
Therefore, if this were determined to be a viable failure mechanism, it results in a one in sixteen probability of the contactors failing such that half the control rods would fall.
As a sensitivity, the analyst assumed that half the rods falling into the core would only have a major impact on sequences that did not result in rapid
pressurization of the reactor coolant system. The analyst hand calculated the worst-case results and determined that the change in risk was approximately 1.8 percent (See Spreadsheet in Supplement
7). 8. In your common cause model, 2 includes six combinations, but only 2 are involved in the common cause failure of interest for this case. This results in an overprediction of the failure probability of Contactor M1. We recommend
that the common cause failure probability for Contactor M1 given the failure of Contactor M2 should be 1/3 2 as opposed to 2. The use of 2 is clearly delineated in the section "Adjustment of Common Cause Component Failure Probability," above.
Had we wanted th
e conditional probability of any of the contactors failing (Contactor M1 or
Contactor M3 or Contactor M4), given a failure of Contactor M2, we would have: P (M1 M3 M4lM2) = P [(M1 M2) (M3 M2) (M4 M2)] P (M2) (2)
Equation 2 is a special case of Equation 1. Under the rare event
approximation, and ignoring independent
failures, this equation reduces to
- P (M1 M3 M4lM2) = 3Q 2
Q t Therefore, for
the more general case
suggested by the licensee, using Equation 2 we would find the result to be
- P (M1 M3 M4lM2) = 3Q 2 = 2 Q t = 32
Q t
Q t Again, for the specific case of the probability that Contactor M1 fails given Contactor M2 has failed, this suggests that 2 is the best representation of this common cause failure probability.
A-15 Attachment
-2 Additional Sensitivity Studies
To better understand the impact of the major assumptions on the final change in core damage frequency and
specifically address comments made in the peer reviews, the analyst evaluated the following scenarios:
The probabilities of operators failing to manually trip the reactor using Pushbuttons 1 and 2, respectively, were replaced with the values calculated by the licensee's risk analysts;
Channel trip and bypass terms were set to the house event "FALSE," indicating that they could not affect the failure of the reactor protection system; The common cause failure probability for Contactors M1 and M2 was
replaced with common cause basic events representing the upper and lower bounds of the range of probabilities for the failure of Contactor M1 given that Contactor M2 failed. This probability range was hand calculated by experts from Idaho National Laboratories
- The model was revised to indicate that the diverse scram system would trip the reactor following a small
-break loss of coolant accident;
The common cause failure probability for Contactors M1 and M2 was
reset to its original value and the independent failure probabilities of each of the four contactors were increased as opposed to adjusting
the common cause failure probabilities. The probabilities used were derived by dividing the one known component failure by the number of contactor cycles estimated
for a 1-year (Higher) and a 12
-year (Lower) period, respectively;
The change in risk was hand calculated given that the M contactors could fail in a manner that would cause 1/2 the control rods to fall into the core and that 1/2 the rods would appropriately control reactivity for lower pressure sequences (documented in Supplement
7); and The failure probability for Vital Breakers CB
-AB and CB-CD were replaced with values representing: 1) twice the failure rate, 2) the
failure rate of molded case circuit breakers without holding coils, and 3) the failure rate of reactor trip breaker shunt trips.
The results of these sensitivity studies are shown in Table 4.
A-16 Attachment
-2 TABLE 4 Internal Events Sensitivity Study
Sensitivity
Basic Event Initial Value
Adjusted Value Baseline Case Change* (Percent) Best Estimate 1.24 x 10-5/yr 1.57 x 10-4/yr 2.53 x 10-5 N/A Manual Trip RPS-XHE-ERROR 5.0 x 10-1 1 x 10-3 1.24 x 10-5/yr 1.57 x 10-4/yr 2.53 x 10-5 0.00 % RPS-XHE-XM-SCRAM 1.5 x 10-3 7.5 x 10-4 Channel Trip and Bypass RPS-CBI--ALL 7.7 x 10-7 1.24 x 10-5/yr 1.57 x 10-4/yr 2.53 x 10-5 0.00 % RPS-CBI-- 1.7 x 10- RPS-CBI-- 1.7 x 10-7 RPS-RYL--M12BYP
-8 RPS-RYL--ALL 4.3 x 10-8 RPS-RYL--M12TM
-7 Alpha
(High) RPS-RYT--M12 3.59 x 10-2 4.80 x 10-2 1.24 x 10-5/yr 2.05 x 10-4/yr 3.38 x 10-5 Alpha RPS-RYT--M12 3.59 x 10-2 1.25 x 10-2 1.24 x 10-5/yr x 10-5/yr 8.87 x 10-
Small-Break LOCA Small-Break LOCA actuate
s System 1.24 x 10-5/yr 1.39 x 10-4/yr 2.22 x 10-5 12.1 % Higher Independent (1 year) RPS-RYT-CC-M1 1.2 x 10-4 9.2 x 10-3 1.24 x 10-5/yr 4.95 x 10-5/yr x 10- 97.8 % RPS-RYT-CC-M2 1.2 x 10-4 9.2 x 10-3 RPS-RYT-CC-M3 1.2 x 10-4 9.2 x 10-3 RPS-RYT-CC-M4 1.2 x 10-4 9.2 x 10-3 Independent RPS-RYT-CC-M1 1.2 x 10-4 x 10-4 1.24 x 10-5/yr x 10-5/yr x 10-7 74.3 % RPS-RYT-CC-M2 1.2 x 10-4 x 10-4
A-17 Attachment
-2 (12 years)
RPS-RYT-CC-M3 1.2 x 10-4 x 10-4 RPS-RYT-CC-M4 1.2 x 10-4 x 10-4 Half Trip Acceptable
1.2 2 x 10-5/yr 1.54 x 10-4/yr 2.49 x 10-5 1.7 % Circuit Breaker RPS-BSN--CBAB 5.0 x 10-3 1.0 x 10-2 1.24 x 10-5/yr 2.30 x 10-4/yr 3.81 x 10-5 (50.7 %) RPS-BSN-- 5.0 x 10-3 1.0 x 10-2 Standard Circuit Breaker RPS-BSN--CBAB 5.0 x 10-3 2.55 x 10-3 1.24 x 10-5/yr 1.21 x 10-4/yr 1.90 x 10-5 24.9 % RPS-BSN-- 5.0 x 10-3 2.55 x 10-3 Trip Shunt Trip RPS-BSN--CBAB 5.0 x 10-3 3.29 x 10-4 1.24 x 10-5/yr 8.82 x 10-5/yr 1.33 x 10-5 47.4 % RPS-BSN-- 5.0 x 10-3 3.29 x 10-4