ML090080163

Comment (12) of David Lochbaum on Behalf of Union of Concerned Scientists on Operator Working Hour Limits at Multiple-Unit Nuclear Plant Site with at Least One Reactor Operating and Other(S) Not
Person / Time
Site: Crane
Issue date: 08/21/2008
From: Lochbaum D
Union of Concerned Scientists
To: Leeds E
Office of Nuclear Reactor Regulation
References
73FR56618 00012


Text

Union of Concerned Scientists
Citizens and Scientists for Environmental Solutions

August 21, 2008

Eric J. Leeds, Director
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Re: OPERATOR WORKING HOUR LIMITS AT MULTIPLE-UNIT NUCLEAR PLANT SITE WITH AT LEAST ONE REACTOR OPERATING AND OTHER(S) NOT

Dear Mr. Leeds:

I have read Mr. Alexander Marion's letter to you dated August 12, 2008, along with its enclosure. I hope I fairly characterize Mr. Marion's concerns as being that the provisions in the recently revised federal regulations on working hour limits for control room operators at multiple unit sites with at least one reactor operating and at least one reactor in an outage are too onerous for the nuclear industry to bear. Mr. Marion's letter contains a litany of essentially inconveniences the federal safety regulation causes plant owners.

Safety trumps inconvenience, or at least it should.

The worst accident in US civilian nuclear power plant history occurred March 28, 1979, at the multiple-unit Three Mile Island nuclear plant in Pennsylvania. Unit 2 was operating at close to full power when a combination of design flaws, equipment problems, procedure inadequacies, and worker errors led to a partial meltdown of the reactor's core. Less well known is the fact that Unit 1 was in the 39th day of a refueling outage and scheduled to restart on day shift of March 28, 1979. Enclosure 1, excerpts from NUREG/CR-1496, testify to this reality.

What's the relevance of this trivia to the matter NEI put before you? At least some of the workers on duty at Three Mile Island at the time of the accident were too fatigued to undertake assigned tasks in response to the emergency. Enclosure 2, excerpts from NUREG-0600, testify to this reality.

Washington Office: 1825 K Street NW Suite 800 • FAX: 202-223-6162
Cambridge Headquarters: Two Brattle Square • Cambridge MA 02238-9105 • 617-547-5552 • FAX: 617-864-9405
California Office: 2397 Shattuck Avenue Suite 203 • Berkeley CA 94704-1567 • 510-843-1872 • FAX: 510-843-3785

Concerns about fatigue impairing workers' performance and its detrimental effects on nuclear plant safety were raised by the NRC in the wake of the TMI accident. Enclosure 3, NRC Circular 80-02, is but one of many agency reports on this reality.

How relevant is 30-year-old reality to the matter before you today? NRC Region IV examined risk management during 19 refueling outages. Enclosure 4, attachment 1 to NRC Information Notice 2000-13, details this reality. This NRC evaluation reported:

"Further, human error along with weak or deficient procedures were the causes (or at least contributing factors) for almost all the operational issues that were observed. Additionally, the majority of these problems occurred relatively late in the outage." [emphasis added]

What might account for human error rates at the ends of outages being markedly higher than at the beginnings of outages? As NRC chronicled in enclosure 3 and countless experts chronicled elsewhere, the buildup of fatigue over time corresponds with a drop-off in performance - it takes longer to make decisions and more errors are made, reading rates decrease, and people ignore warning signals. While Region IV's efforts have not conclusively proven that the observed problems are caused in whole or in part by fatigue, this objective evidence cannot and should not be used to conclude or assume that fatigue is not adversely affecting worker performance, and by extension, nuclear safety.

The worst nuclear plant accident in US history (so far) involved an operating reactor adjacent to a reactor in the latter stages of a refueling outage. Workers on the operating reactor at the time of the accident freely admit to having been too fatigued to perform assigned tasks. More recent NRC data shows that human error rates are highest in the latter stages of refueling outages, a situation credibly explainable by fatigue-induced human performance. This is certainly not the fact set to justify watering down the operator working hour limits.

I attended many of the public meetings leading up to the revised regulation. I listened to sleep experts from Walter Reed, Harvard and the National Sleep Foundation describe fatigue and fatigue management options. I believe the NRC staff did a fine job balancing safety and economics. I trust you will not be persuaded by NEI's lame arguments and allow mere inconveniences to trump nuclear safety.

Sincerely,

David Lochbaum
Director, Nuclear Safety Project

Enclosures: yes

Nuclear Power Plant Operating Experience - 1979
Date Published: [illegible]

THREE MILE ISLAND 1

Operation was uninterrupted until the refueling outage was started February 17. Plant startup scheduled for March 28 was aborted due to the accident at TMI-2.

THREE MILE ISLAND 1 DETAILS OF PLANT OUTAGES

No. | Date (1979) | Duration (h) | Type | Description | Cause | Shutdown method | System involved | Component involved
1a | 2/17 | 940 | S | Refueling | C | 1 | Reactor (RC) | Fuel elements
1b | 2/17 (cont.) | 6692 | F | The unit remained shut down for investigation of possible safety problems related to the TMI-2 accident | D | 4 | Steam and power conversion (HH) | Instrumentation and controls

[Figure: THREE MILE ISLAND 1 power history plot. Design electrical rating = 819; maximum dependable capacity = 776 (100%).]

INVESTIGATION INTO THE MARCH 28, 1979 THREE MILE ISLAND ACCIDENT BY OFFICE OF INSPECTION AND ENFORCEMENT
Date Published: August 1979

FOREWORD

On March 28, 1979, the Three Mile Island Unit 2 Nuclear Power Plant experienced the most severe accident in U.S. commercial nuclear power plant operating history.

This report sets forth the facts concerning the events of the accident determined as a result of an investigation by the NRC Office of Inspection and Enforcement.

The IE investigation, which is based on the information available at this time, is limited to two aspects of the accident:

1. Those related operational actions by the licensee during the period from before the initiating event until approximately 8:00 p.m., March 28, when primary coolant flow was re-established by starting a reactor coolant pump, and

2. Those steps taken by the licensee to control the release of radioactive material to the off-site environs, and to implement his emergency plan during the period from the initiation of the event to midnight, March 30.

These investigation periods were selected because they include the licensee actions which most significantly affected the accident sequence and its results.

The results of the IE investigation support the reported population dose from the accident, developed by an ad hoc dose assessment group, which included representatives of various cognizant Federal agencies.

In its report dated May 10, 1979, this group concluded that, "Based on the current assessment ... the off-site collective dose associated with the radioactive material released during the period of March 28 to April 7, 1979, represents minimal risks (that is, a very small number) of additional health effects to the off-site population."

At the same time, the IE investigation identifies several inadequacies in the inplant radiation protection activities of the licensee and criticizes the measurements of off-site radiation levels made by the licensee.

In spite of these identified flaws, no glaring inconsistencies have been found which would significantly alter the conclusions reached by the ad hoc group.

The IE investigation also substantiates earlier conclusions concerning the underlying causes of the accident and those factors that contributed to its severity.

Inadequacies in six major areas have been confirmed:

1. Equipment performance (failures and maloperation).
2. Transient and accident analyses.
3. Operator training and performance.
4. Equipment and system design.
5. Information flow, particularly during the early hours of the accident.
6. Implementation of emergency planning.

Perhaps the most disturbing result of the IE investigation is confirmation of earlier conclusions that the Three Mile Island Unit 2 accident could have been prevented, in spite of the inadequacies listed above.

The design of the plant, the equipment that was installed, the various accident and transient analyses, and the emergency procedures were adequate to have prevented the serious consequences of the accident, if they had been permitted to function or be carried out as planned.

For example, had the operators allowed the emergency core cooling system to perform its intended function, damage to the core would most likely have been prevented.

There are other examples set forth in the report where, had a particular operator action been taken, the consequences of the accident could have been significantly mitigated.

On the other hand, had certain equipment been designed differently, it too, could have prevented or reduced the consequences of the accident.

The results of the investigation make it difficult to fault only the actions of the operating staff.

There is considerable evidence of a "mind set," not only by TMI operators but by operators at other plants as well, that overfilling the reactor coolant system (making the system solid) was to be avoided at almost any cost.

Undue attention by the TMI operators to avoiding a solid system led them to ignore other procedural instructions and indications that the core was not being properly cooled.

Without this "mind set" they might well have acted to preclude or better mitigate the accident.

Subsequent actions have been required by NRC to retrain all licensed operators in an effort to preclude recurrence.

Upgraded procedural instructions have also been required.

It is clear that substantial effort is needed, by both the NRC and the industry, to assure that these lessons learned concerning the TMI accident are implemented at other facilities.

Within the NRC, early action has been taken to inform other nuclear power plant licensees of the circumstances surrounding the Three Mile Island accident and to require immediate implementation of compensatory measures to prevent occurrence of similar accidents elsewhere.

In addition, a special Lessons Learned Task Force was established in the NRC Office of Nuclear Reactor Regulation.

This group has studied the Three Mile Island accident and has issued a report (NUREG-0578) containing short-term recommendations that will significantly improve continued safe operation of licensed nuclear power plants.

The IE investigation adds further emphasis to the need for such plant and procedural modifications.

Because they have the benefit of hindsight, most retrospective investigations like this tend to emphasize areas where people and equipment did not perform as desired. The IE investigation team made a concerted effort to evaluate the reasoning processes of the people who were operating the plant during the course of the accident. The report contains the team's conclusion as to whether or not the operating staff's actions were appropriate in light of the training and factual information available to them at the time they had to make decisions as to what course of action to follow.

Further study is clearly needed with respect to the contributions of various other organizations that influence the operation of nuclear power plants, including designers, reviewers, builders, vendors and regulatory agencies.

These various studies are now underway; most notably the Presidentially appointed Kemeny Commission, as well as a wide-ranging internal NRC study under Mr. Mitchell Rogovin. A full assessment of all the underlying causes of the Three Mile Island accident must await completion of these studies.

The findings of this IE investigation will be the subject of appropriate enforcement action in accordance with the Commission's regulations (Part 2, Title 10, CFR).

Director Office of Inspection and Enforcement

U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF INSPECTION AND ENFORCEMENT
Region I

Report No.: 50-320/79-10
Docket No.: 50-320
License No.: DPR-73
Category: C
Licensee: Metropolitan Edison Company, P.O. Box 542, Reading, Pennsylvania 19640
Facility Name: Three Mile Island Nuclear Station Unit 2
Investigation at: Middletown, Pennsylvania
Investigation conducted: March 28-July 31, 1979

Investigators
Operational Aspects Team: J.S. Creswell
Radiological Aspects Team: D.M. Collins

[Signature block, partly illegible. Names in scan order: D.R. Hunter; D.E. Donaldson; T.H. Essig; K.C. Kikptrick (as scanned); Marsh; T.T. Martin; R.D. Martin; Shackleton; Alan. Legible labels: Team Leaders; Approved by; Deputy Director, Region I, Investigation Director.]

At about this same time (approximately 0620), the Supervisor, Radiation Protection and Chemistry was requested to make preparations for an entry into the reactor building. He asked Radiation/Chemistry Technician I to accompany the operator assigned to enter the reactor building. Radiation/Chemistry Technician I suggested that since he and the other radiation/chemistry technician were fatigued, the entry be delayed until the oncoming shift arrived in about 30 minutes.

IE Circular No. 80-02
Date: February 1, 1980

NUCLEAR POWER PLANT STAFF WORK HOURS

Studies indicate that with fatigue, especially because of loss of sleep, an individual's detection of visual signals deteriorates markedly, the time it takes for a person to make a decision increases and more errors are made, and reading rates decrease. Other studies show that fatigue results in personnel ignoring some signals because they develop their own subjective standards as to what is important, and as they become more fatigued they ignore more signals

b. There should be at least a 12-hour break between all work periods.

c. An individual should not work more than 72-hours in any 7-day period.

d. An individual should not work more than 14 consecutive days without having 2 consecutive days off.

2. In the event that special circumstances arise that require deviation from the above, such deviations should be authorized by the Station Manager with appropriate documentation of the cause. Plants should be staffed and schedules developed to operate such that exceptions are not required.

3. If an operator is required to work in excess of 12 continuous hours, his duties should be carefully selected. It is preferable that he not be assigned any task that affects core reactivity or could possibly endanger the safe operation of the plant.

No written response to this Circular is required.

If you desire additional information regarding this matter, contact the Director of the appropriate NRC Regional Office.

Attachment 1 IN 2000-13

Refueling Outage Risk - An Operational Perspective
J.L. Shackelford and W.B. Jones
Senior Reactor Analysts
United States Nuclear Regulatory Commission

Abstract

An operational overview of 19 refueling outages at United States nuclear power plants was performed. The overview included an assessment of the risk methodology used by licensees to plan and implement a refueling outage. Data were collected with respect to the overall risk of the outage from both a configuration risk as well as a modification risk perspective. The results of these reviews were factored into the Nuclear Regulatory Commission's inspection planning activities associated with the outages. The collected data were analyzed for significant patterns and operational insights.

Introduction

During calendar year 1999, the NRC Region IV senior reactor analysts (SRAs) implemented a special initiative to improve the Region's approach to the inspection and assessment of outage activities. This initiative entailed detailed reviews of outage schedules, licensee outage risk assessments, and the proposed major modification activities for each refueling outage which was conducted in Region IV during the year. The purpose of the reviews was to gain a comprehensive understanding of the overall risk of each refueling outage from two separate, but equally important, perspectives; configuration risk and modification impact risk. In this context, configuration risk refers to the real-time risk associated with the specific plant configurations which are entered during the course of a refueling outage. In contrast, the modification impact risk is more closely associated with the potential risk associated with a modification from an online perspective (i.e., the importance of the modification with respect to its potential contribution to plant risk following startup independent of the configuration risk).

These reviews were conducted primarily through a combination of site visits, document reviews, and teleconferences and involved personnel from the licensees' risk and outage planning organizations. The NRC resident inspection staff were also involved in the overall process and the results of the reviews were integrated into the NRC's inspection planning for the outages. A total of 19 refueling outages at 13 reactor sites were reviewed. This included 16 outages at pressurized water reactors (PWRs) and three outages at boiling water reactors (BWRs). These reviews covered the full range of reactor vendors (i.e., Babcock & Wilcox, Westinghouse, Combustion Engineering, and General Electric).

The results of this effort yielded important benefits in a number of areas. Of primary importance, this initiative resulted in a more efficient and focused inspection effort on the part of NRC inspectors during the individual outage inspections. By defining the most important plant configurations and maintenance activities, the results of the outage reviews highlighted the most risk-significant attributes of the outages. This enabled the NRC inspection staff and regional management to concentrate their efforts in the most important areas involving inspection and regulatory oversight. However, in addition to the inspection related benefits, the results of this initiative yielded a considerable amount of data related to outage risk as well as outage risk assessment and management across the full range of reactor types. The information which was collected was integrated and analyzed by the Region IV SRAs. The results are summarized in the remainder of this report and in the accompanying tables and figures. The names of the individual plants have been omitted from the summary information.

Overview of outage risk assessment methods

Each of the licensees performed some type of systematic risk assessment or safety review for their respective refueling outage. In general, these reviews were performed by the risk assessment staff at the site and were coordinated with the outage planning and scheduling organizations. The reviews were generally incorporated into outage risk assessment reports and forwarded to licensee management for review and approval. Where necessary, contingency measures were identified with respect to potentially risk significant configurations.

The final results of the licensee risk assessments were provided to the plant operations staff for use during the actual conduct of the outage.

In three of the 19 outages, a purely qualitative approach to outage risk assessment was performed (i.e., no quantitative estimates of risk were developed). These licensees employed the guiding principles contained in NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management," December 1991, as a foundation for planning the outage. In the remaining 16 outages, some form of quantitative assessment was performed in conjunction with the qualitative considerations contained in the NUMARC guidelines. Of the total 13 sites which were assessed, 11 sites employed a combination of quantitative and qualitative approaches while two sites used a strictly qualitative approach. All the sites incorporated the NUMARC 91-06 guidelines in their planning activities.

With respect to the quantitative approaches, four of the 16 outages used a plant-specific shutdown model in assessing outage risk. The remaining 12 outages employed a proprietary industry product which provided generic modeling of various outage configurations. This generic modeling was then modified with some elements of plant and outage specific data to provide a "semi-quantitative" assessment of the outage risk. Of the 11 sites employing quantitative approaches, three sites used a plant-specific shutdown model and the remaining 8 sites used the proprietary industry software. A full description of the methodology and scope of the modeling which was used is beyond the scope of this effort. However, in general, the quantitative approaches employed modeling considerations related to the specific outage configurations entered and used modified estimates of the initiating event frequencies and human error rates which were used in their at-power models.

Outage risk insights

Quantitative results

For each of the outages which employed a quantitative approach to risk assessment, the following data were obtained: 1) scheduled or predicted (cumulative) risk, 2) actual (cumulative) risk, and 3) peak risk (per hour). A summary of the data which were collected is shown in Table 1.

With respect to the cumulative risk data, (both predicted and actual) an extremely wide range of values were observed with respect to the outage risk. When pooled, the data (associated with the actual risk) for the PWRs showed a cumulative mean core damage probability (CDP) of approximately 1.2E-04 for the outage. However, the values ranged from a low of 1.5E-06 to a high of 6.6E-04 with a standard deviation of 2.0E-04. (Twelve data points were used in the analysis.) These same wide ranges of values were observed with respect to the data associated with the predicted cumulative risk. The mean value for the PWR peak risk (in units of cdp/hr) was 1.6E-06/hr. As with the cumulative risk data, a wide range of values were observed with a high of 5.0E-06/hr, a low of 2.0E-08/hr and a standard deviation of 2.1E-06/hr.

The data for the BWR plants included only three observations. Additionally, one of the BWR units experienced unexpected complications due to fuel integrity issues which significantly extended the duration of the outage. Similar to the PWR data, a wide range of values existed in the cumulative and peak risk estimates associated with the BWR outage observations.

Notwithstanding these issues related to data quality, the mean actual risk was estimated to be approximately 8.6E-07 with a high and low of 1.7E-06 and 2.0E-08 respectively. The peak risk was estimated at about 1.2E-08/hr with a range of 3.3E-10/hr to 3.1E-08/hr.

Even if the data are further segregated such that the results of those licensees which used a plant-specific shutdown model are treated separately, similar disparities exist. It should be noted that even with respect to a given multi-unit site, no two outages are identical.

However, most of the outages which were assessed were of a generally similar nature and duration. Thus, these extremely wide disparities in quantitative results are unlikely the result of true differences in the risk of the outage but rather represent an artifact of different modeling assumptions and data issues.

Notwithstanding the variability across plants with respect to the actual value of the risk estimates, some generalizations regarding the quantitative results are possible. There was a close agreement (within plants) with respect to the predicted versus the actual cumulative risk.

This would suggest that within a given analysis, the quantitative results are somewhat stationary and repeatable. Additionally, even though the absolute values of the risk estimates (both cumulative as well as those for a given configuration) vary widely across plants, the general character and shape of the risk profiles were similar. This would suggest that the quantitative approaches were effective at identifying the relative risk of different outage configurations. A more detailed discussion of the general risk profiles seen in the outage reviews is provided in the following sections of this report.

Risk profile of a typical PWR outage

As mentioned earlier, a total of 16 PWR outages across 10 reactor sites were assessed.

As shown in Table 1, the mean scheduled outage duration was approximately 36 days and the mean actual duration was about 37 days. The longest outage was 54 days and the shortest was 27 days with the standard deviation being approximately 7 days. These data suggest that most licensees had accurately planned and predicted the outage duration and that significant schedule impacts were generally minimized. This represented at least the 7th refueling outage for each of the affected units and for some units, this was as high as the 13th outage. Further, for multi-unit sites, the actual level of outage experience would represent a multiple equal to the number of units at the site. (i.e., The 7th refueling outage for a plant at a two unit site would represent closer to 14 outages worth of experience.)

The majority of the PWR outages which were assessed employed an early "hot" midloop or reduced inventory configuration. This was almost exclusively an economic consideration in that the early midloop allowed for earlier entry into the steam generators to perform the required inspection activities. In order to eliminate the midloop, licensees would have been required to delay the steam generator entry until after the reactor vessel was defueled. This would have had the net effect of making the steam generator inspections "critical path" (i.e., the driving factor for the outage duration) in many instances thereby increasing the overall length of the outage. Even with the implementation of the early midloop, the steam generator inspection activities constituted the critical path for many of the refueling outages which were assessed.

For the vast majority of the PWR outages, either the steam generator inspections or the actual refueling activities themselves constituted the critical path for the outage.

Of the PWR outages employing a midloop or reduced inventory configuration, 9 of the 15 outages did so with a concurrent unavailability of either an emergency diesel generator or the performance of significant switchyard maintenance. At least one outage employed a midloop configuration with concurrent switchyard and emergency diesel maintenance.

However, each of the outages prescribed a number of contingencies and other strict controls during midloop activities. These controls generally followed the NUMARC guidance with respect to protecting trains of equipment, comprehensive pre-evolution briefings, establishment of diverse means of level indications, and in some cases, the addition of temporary emergency power supplies.

With respect to the time of entry into the midloop configurations, data were collected relative to the scheduled as well as the actual time after shutdown before midloop conditions were achieved. Additionally, information associated with the estimated time-to-boil while at midloop was collected. As shown in Table 1, the average scheduled time after shutdown before entering midloop was about 84 hours with the actual value being closer to 93 hours.

(The most aggressive schedule planned a midloop configuration 68 hours after shutdown.) The average estimated time-to-boil for the reduced inventory/midloop configurations was about 15 minutes (assuming a loss of shutdown cooling or inventory control) with a high and low estimate of 24 minutes and 9 minutes respectively.

Given that the primary reason for entering the early, hot midloop was to shorten the overall outage duration, it is interesting to note that the data show a slightly negative correlation (p = -0.26) between the actual outage duration and the delay before entering midloop.

In other words, those plants which employed an early entry into the midloop configuration were observed to have outages of slightly longer duration relative to those plants that delayed the entry into the midloop configuration. For example, the plant that waited the longest before entering midloop (150 hours) realized a total outage duration of 32 days (slightly below the average) whereas one of the facilities that had the most aggressive midloop schedule (68 hours) had a duration of 38 days (slightly above average). The reasons for this relationship are not clear; however, these data suggest that further reviews of the relationship between scheduling of the midloop configuration with respect to the overall outage duration may be warranted. A graphical representation of this relationship is shown in Figure 1.

As noted earlier, the quantitative estimates of both the cumulative outage risk as well as the peak risk associated with various outage configurations varied greatly among the plants which were assessed. However, if one uses those plants which employed a plant-specific shutdown model as a representative benchmark, then a rough approximation of the risk of a midloop configuration can be obtained. From the data, it was noted that the peak risk associated with the early hot midloop configuration was in the 1.0E-04/yr to 5.0E-04/yr range (i.e., instantaneous core damage frequency). Further, the "typical" early midloop lasted for approximately 22 hours. Thus, using these assumptions, the conditional core damage probability of the early midloop may be on the order of about 1.3E-06. This may be a somewhat conservative estimate in that one of the plants which was used to benchmark this data employed a relatively conservative approach to midloop operations compared to some of the other plants. (This particular plant ensured that no emergency diesel generator or switchyard work was allowed and many of the standby systems were started prior to midloop to avoid "fail-to-start" equipment vulnerabilities.)

Figure 2 shows a graphical representation of the risk profile associated with a typical PWR refueling outage. Initially, the risk is relatively low due to the high reactor coolant inventory and the availability of all electric power sources and decay heat removal systems.

The risk then experiences a prompt jump when the steam generator tubes are voided, thereby eliminating the availability of secondary heat removal as a decay heat removal mechanism.

The risk can be seen to reach its peak as reactor coolant inventory is reduced during the midloop configuration. Risk is gradually reduced as inventory is restored following the midloop and decay heat levels abate. Once the core is offloaded, the risk of in-vessel core damage is eliminated during the interval when the reactor fuel is in the spent fuel pool and the risk of spent fuel pool boiling represents the primary radiological risk of the outage. Following the reload of the fuel, the risk then rises in an inverse relationship with respect to inventory levels and reaches a somewhat lower (due to reduced decay heat levels) late peak during the "back-end" midloop to restore the steam generators.

Risk profile of a typical BWR outage

The risk profile of a typical BWR outage is somewhat different from that seen in the PWR case. In general, the refueling activities associated with a BWR are more time-intensive and full core offloads are not generally performed. Thus, the risk of in-vessel core damage remains throughout the outage. The risk profile associated with the BWR outage shows an inverse relationship with respect to inventory levels and decreases gradually throughout the outage due to dissipating decay heat levels. Several "spikes" in the typical profile can be seen during swaps of the shutdown cooling system and cavity draining evolutions. These spikes are primarily the result of human errors during these processes. A representative profile of a BWR outage is shown in Figure 3.

Operational issues observed during the conduct of the refueling outages

Significant modifications and maintenance activities

As mentioned in the introduction, the primary purpose of the outage review effort was to collect information related to outage risk from both a configuration risk perspective as well as from the standpoint of major maintenance and modifications on important plant equipment for use in the inspection planning process. For each of the outages, a compilation of the most important modifications and major maintenance activities was obtained. A summary of these items is presented in Table 2.

As shown in the table, the majority of the significant maintenance activities did not involve actual modifications to the plants. Rather, most of the important work activities involved equipment replacements, primarily on a "like-for-like" basis. Some exceptions to this were noted, particularly in the case of battery replacements which involved replacing the existing batteries with equipment of a newer design. In general, however, the equipment replacements were implemented to address aging considerations associated with the existing components.

As seen in Table 2, many of these activities involved the replacement of relatively risk significant components.

The prevalence of equipment replacement activities (to address aging considerations) versus plant improvements via the modification process is likely a result of the maturity of the nuclear industry as a whole. It was noted that the average (operational) age of the plants which were assessed was just over 15 years. The most common plant change which was observed were emergency core cooling system injection line modifications implemented as a result of NRC Information Notice 97-76, "Degraded Throttle Valves in Emergency Core Cooling Systems from Cavitation Induced Erosion Following a Loss of Coolant Accident", dated October 30, 1997.

Operational Issues

The NRC inspection reports for each of the outages were reviewed. Additionally, interviews and debriefings were conducted with the resident inspectors for selected outage inspections in order to understand the most important operational issues and challenges which occurred during the outages. A compilation of these observations is shown in Table 3.

As can be seen in the table, two loss of shutdown cooling events and one inadvertent entry into reduced inventory occurred in the 19 outages which were assessed. Additionally, three switchyard control issues were noted, two of which occurred during midloop operations. Other operational problems included issues related to spent fuel pool cooling alignments, fuel handling errors, improper valve and equipment lineups, and other work control errors. Each of these issues is documented in the NRC inspection report for the associated facility.

While the risk significance of several of the issues was assessed from a quantitative perspective, the majority of the issues were evaluated qualitatively. None of the issues which are documented in the table were characterized as risk significant by the NRC in the inspection, assessment, and enforcement process. (The highest estimate of the conditional core damage probability of the issues which were assessed quantitatively was in the low 1.0E-07 range.)

With respect to the loss of shutdown cooling and inadvertent entry into reduced inventory events, a high level of redundancy and diversity was observed in the available core cooling and inventory control systems at the time of the events. This served to mitigate the overall risk significance of these events. However, because less mitigation equipment is required by NRC regulations to be operable during shutdown conditions, these events would have been of significantly higher "potential" risk significance if it were postulated that only the minimum set of required equipment had been available at the time of the event. This observation underscores the importance of the industry's voluntary efforts to minimize shutdown risk by exceeding the existing regulatory requirements.

Further, human error along with weak or deficient procedures were the causes (or at least contributing factors) for almost all the operational issues that were observed. Additionally, the majority of these problems occurred relatively later in the outage. This was seen to be a factor in mitigating the risk significance of several of these issues, particularly those involving a loss of shutdown cooling and the inadvertent entry into reduced inventory in that decay heat levels had dissipated considerably.

With respect to the early midloop configurations, there were no significant negative observations from an NRC inspection perspective for the outages which were assessed. Thus, even though the midloop configurations represented a relatively higher level of operational risk than other outage configurations, the increased attention and awareness afforded to this evolution most likely decreased the potential for human errors. In addition, the NRC placed special emphasis on these higher risk configurations. For several of the midloop configurations, particularly those that involved emergency diesel generator outages or switchyard work, the NRC conducted management level teleconferences with the licensees to emphasize the Agency's concern with the elevated risk. Further, the NRC generally conducted around-the-clock inspection coverage of the midloop and other elevated risk configurations.

Summary and Conclusions

The results of this initiative indicate that the use of formal risk assessment in outage planning and outage management is widespread throughout the nuclear industry. For each of the outages which were assessed in this effort, some type of structured risk assessment or safety review was performed. Further, the results of these assessments were generally reviewed and approved by site management and used by the planning, scheduling and operations organizations at the sites to plan and execute the refueling outages. Of the sites which were reviewed, about 23% of the sites employed a plant-specific shutdown model in their assessment approach while about 62% used a proprietary industry product for their modeling. The remaining 15% of the sites used a purely qualitative approach to outage risk assessment and outage management. Further, all the sites incorporated the NUMARC 91-06 guidelines in their planning activities.

With respect to the quantitative results, a wide range of values were observed in the estimates of both the cumulative outage risk and the peak risk. While it is true that no two outages which were assessed were identical, many commonalities were observed in terms of both outage duration and actual plant configurations. Thus, these disparities in the quantitative results are not likely the result of true differences in the actual risk of the outage but rather represent differences in modeling and other related data issues. There was a relatively close agreement (within plants) with respect to the predicted versus the actual cumulative risk. This would suggest that within a given analysis, the quantitative results are somewhat stationary and repeatable. Also, the general shape of the risk profile was consistent across plants (for a given reactor type). This suggests that the quantitative approaches were effective at identifying the relative risk of different outage configurations. Thus, it appears that while the actual value of the risk estimates for a given plant may not be reliable in an absolute sense, the relative risk of the given plant configurations may be more consistently identified.

Because of a paucity of data and the anomalous nature of one of the data points, no valid conclusions of a quantitative nature regarding the BWR outages were possible. However, for the PWR population, the average (actual) outage duration was about 37 days with a standard deviation of about 7 days. The average (scheduled) duration was about 36 days. This suggests that, overall, most licensees had effectively planned and implemented their outage schedules. Additionally, there was a high level of refueling outage experience among the licensees which were reviewed. (i.e., This was at least the 7th refueling for each of the sites, whereas some of the multi-unit sites had performed more than 20 refuels.) Thus, one possible conclusion is that the maturity of the industry has contributed to effective scheduling and outage management.

With respect to the PWR outages, 94% of those assessed employed an early hot midloop or reduced inventory configuration. Further, 53% of the PWR sites entered the midloop/reduced inventory configuration with concurrent emergency diesel generator or switchyard maintenance. The average time after shutdown prior to entering midloop was a little over 3 1/2 days, with the most aggressive schedule being about 2 1/2 days after shutdown. The time to boil during midloop ranged from about 9 to 24 minutes with an average of about 15 minutes. Analysis of the data showed no real advantage in terms of outage duration savings by earlier entry into the midloop configuration. (i.e., Those plants with the most aggressive schedule for entering midloop did not, on the average, experience shorter outages than those with longer delays in entering midloop.) However, this relationship may not be statistically significant, and further review in this area may be warranted. Further, even though the quantitative estimates of risk varied greatly among the plants, the best estimate of the conditional core damage probability of a typical midloop configuration was about 1.3E-06 based on the data collected. The annual (at-power) core damage frequency for the plants which were assessed was in the low to mid 1.0E-05/yr range. Thus, given that the typical midloop configuration lasted about 22 hours, it is interesting to note that these [plants incurred the] equivalent of about 10% of their annual at-power risk in essentially one day of midloop operation. (These results are presented for illustration purposes and are not intended to imply a direct comparison between the shutdown and at-power modeling approaches.)

For the vast majority of the PWR outages, either the steam generator inspections or the actual refueling activities themselves constituted the critical path for the outage. Further, the majority of the significant maintenance activities performed during the refueling outages did not involve actual modifications to the plants, but rather involved equipment replacements, primarily on a like-for-like basis. Many of these replacement activities were associated with relatively risk significant components. The prevalence of replacement activities versus modifications may be attributable to the age of the American nuclear power industry in that it was observed that the average operational age of the plants which were assessed was just over 15 years.

From an operational perspective, two loss of shutdown cooling events and one inadvertent entry into reduced inventory occurred in the 19 outages which were assessed.

Additionally, three switchyard control issues were noted, two of which occurred during midloop operations. There were other operational considerations related to issues involving improper spent fuel pool cooling alignments, fuel handling errors, improper valve and equipment lineups, and other work control errors. From a safety perspective, none of the issues were characterized as risk significant by the NRC in the inspection, assessment, and enforcement process. However, evidence suggests that these issues may have been of much greater risk significance if only the minimum required set of equipment had been available at the time of the events. Finally, most of the events which were observed involved human errors or deficient procedural guidance.

References

NRC Information Notice 97-76, "Degraded Throttle Valves in Emergency Core Cooling Systems from Cavitation Induced Erosion Following a Loss of Coolant Accident", 10/30/97

NRC Inspection Report Nos:
50-313,368/98-10, 99-01, 99-03, 99-14
50-483/99-09
50-445,446/99-07, 99-15, 99-18
50-275,323/99-03, 99-14, 99-17
50-285/99-13
50-528,529,530/99-06, 99-19, 99-20
50-458/99-03, 99-05
50-416/99-17, 99-18
50-361,362/99-01, 99-03, 99-04, 99-06
50-498,499/99-06, 99-11, 99-18
50-382/99-02, 99-05
50-482/99-03, 99-06
50-397/99-10, 99-13

NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management", December 1991

Table 1 - Selected Outage Data

PWR OUTAGES

| Plant name | Outage duration, scheduled (days) | Outage duration, actual (days) | Total risk estimate, scheduled | Total risk estimate, actual | Time to boil (ML/RI), min. | Time after S/D before ML, scheduled (hr.) | Time after S/D before ML, actual (hr.) | Peak risk/hr |
|---|---|---|---|---|---|---|---|---|
| PWR 1 | 28 | 30 | 2.1e-06 | 1.5e-06 | 17 | 72 | 110 | 2.0e-08 |
| PWR 1A | 48 | 43 | 7.7e-06 | 5.7e-06 | 21 | 104 | 96 | 3.2e-08 |
| PWR 2 | 25 | 35 | 1.7e-05 | 2.0e-05 | 12 | 80 | 102 | 3.7e-07 |
| PWR 3 | 36 | 35 | 2.4e-04 | 3.7e-04 | 10 | 76 | 108 | 4.9e-06 |
| PWR 3A | 32 | 33 | 6.7e-04 | 6.6e-04 | 15 | 79 | 102 | 1.6e-06 |
| PWR 4 | 24 | 31 | 4.0e-04 | 1.5e-04 | 15 | 96 | 120 | 5.0e-06 |
| PWR 4A | 31 | 32 | 1.5e-04 | 1.4e-04 | 13 | 132 | 150 | 5.0e-06 |
| PWR 5 | 32 | 40 | Note 1 | Note 1 | 24 | 120 | 148 | Note 1 |
| PWR 6 | 46 | 38 | Note 1 | Note 1 | 18 | 68 | 69 | Note 1 |
| PWR 6A | 37 | 36 | Note 1 | Note 1 | 15 | 72 | 72 | Note 1 |
| PWR 7 | 60 | 54 | 2.9e-06 | 2.5e-06 | 16 | 78 | 76 | 2.3e-08 |
| PWR 7A | 55 | 43 | 2.9e-06 | 2.4e-06 | 16 | 78 | 60 | 2.1e-08 |
| PWR 8 | 28 | 32 | 4.1e-05 | 4.1e-05 | 9 | 68 | 71 | 8.0e-07 |
| PWR 8A | 28 | 27 | 4.0e-05 | 4.1e-05 | 10 | 72 | 74 | 8.0e-07 |
| PWR 9 | 38 | 42 | Note 1 | Note 1 | 12 | 96 | 81 | Note 1 |
| PWR 10 | 34 | 36 | 2.2e-05 | 2.2e-05 | n/a | n/a | n/a | 2.2e-07 |
| n | 16 | 16 | 12 | 12 | 16 | 16 | 16 | 12 |
| Mean | 36.4 | 36.7 | 1.3e-04 | 1.2e-04 | 15.2 | 83.8 | 93.4 | 1.6e-06 |
| Standard Deviation | 10.7 | 6.6 | 2.1e-04 | 2.0e-04 | 4.2 | 20.9 | 28.9 | 2.1e-06 |
| High | 60 | 54 | 6.7e-04 | 6.6e-04 | 24 | 132 | 150 | 5.0e-06 |
| Low | 24 | 27 | 2.1e-06 | 1.5e-06 | 9 | 50 | 55 | 2.0e-08 |

BWR OUTAGES

| Plant name | Outage duration, scheduled (days) | Outage duration, actual (days) | Total risk estimate, scheduled | Total risk estimate, actual | Peak risk/hr |
|---|---|---|---|---|---|
| BWR 1 | 32 | 49 | 4.5e-08 | 2.0e-08 | 6.0e-09 |
| BWR 2 | 29 | 92 | 4.5e-08 | Note 2 | 3.3e-10 |
| BWR 3 | 38 | 37 | 1.7e-06 | 1.7e-06 | 3.1e-08 |
| n | 3 | 3 | 3 | 2 | 3 |
| Mean | 33.0 | 59.3 | 6.0e-07 | 8.6e-07 | 1.2e-08 |
| Standard Deviation | 4.6 | 28.9 | 9.6e-07 | 1.2e-06 | 1.6e-08 |
| High | 38 | 92 | 1.7e-06 | 1.7e-06 | 3.1e-08 |
| Low | 29 | 37 | 4.5e-08 | 2.0e-08 | 3.3e-10 |

Note 1 - Qualitative approach used
Note 2 - Data not available

Table 2 - Major Modifications and Maintenance Activities

| Site | Major Modifications and Maintenance Activities |
|---|---|
| PWR 1 | Main steam isolation valve actuator replacement, emergency feedwater pump replacement, Magne-Blast breaker replacements |
| PWR 1A | Service water pump replacement, refueling level indication modification, vital AC upgrade, reactor coolant pump seal replacement |
| PWR 2 | Battery replacements, steam generator electrosleeving, emergency service water pump motor replacement, main feedwater check valve replacements |
| PWR 3 | Emergency core cooling system injection line modifications, emergency diesel generator start circuit modifications, midloop level indication modifications, battery replacements |
| PWR 3A | Turbine-driven auxiliary feedwater pump impeller replacement, emergency core cooling system injection line modifications, emergency diesel generator start circuit modifications, midloop level indication modifications |
| PWR 4 | Emergency core cooling system injection line modifications, auxiliary salt water pump motor replacement, containment fan cooler motor replacements, RCCA guide tube split pin replacements |
| PWR 4A | Containment fan cooler motor replacements, main transformer bank replacement, centrifugal charging pump replacement |
| PWR 5 | Diesel driven auxiliary feedwater pump vacuum drag modification on condensate storage tank, letdown isolation valve modifications, 161/345 kV transformer autotap modifications |
| PWR 6 | High pressure safety injection line modifications, low pressure safety injection and containment spray injection valve replacements |
| PWR 6A | 1E battery replacement, high pressure safety injection line modifications, low pressure safety injection and containment spray injection valve replacements |
| PWR 7 | Emergency diesel generator tank liner replacement, component cooling water heat exchanger [illegible] reduction activities |
| PWR 7A | Emergency diesel generator tank liner replacement, component cooling water heat exchanger [illegible] reduction activities |
| PWR 8 | Emergency diesel generator governor replacement, emergency auxiliary building fan motor replacement |
| PWR 8A | Emergency diesel generator governor replacement |
| PWR 9 | Startup transformer replacement, static uninterruptible power supply replacement |
| PWR 10 | Emergency service water containment isolation valve modification, reactor coolant pump seal package maintenance, non-safety swing battery charger addition |
| BWR 1 | Standby service water basin draining, recirculation pump seal replacement |
| BWR 2 | Reactor core isolation cooling injection point modification, emergency diesel generator air compressor replacements, safety relief valve actuator logic modification |
| BWR 3 | High pressure core spray electrical panel modifications |

Table 3 - Operational Issues

Figure 1 - Outage Duration vs. Time Before Entering Midloop (x-axis: Actual Outage Duration (days))

Figure 2 - Typical PWR Outage Risk Profile (plot annotations: large vent established; fill from midloop to flange; flood refueling cavity; remove upper internals; install upper internals)

Figure 3 - Typical BWR Outage Risk Profile (plot annotations: RPV bottom head flushing; MSL plugs in)