ML16277A340: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
| Line 18: | Line 18: | ||
=Text= | =Text= | ||
{{#Wiki_filter:UNITED STATES | {{#Wiki_filter:UNITED STATES | ||
NUCLEAR REGULATORY COMMISSION | |||
REGION IV | |||
1600 E. LAMAR BLVD. | |||
ARLINGTON, TX 76011-4511 | |||
October 3, 2016 | |||
EA-16-168 | EA-16-168 | ||
Mr. Edward D. Halpin | Mr. Edward D. Halpin | ||
Senior Vice President | Senior Vice President | ||
and Chief Nuclear Officer | and Chief Nuclear Officer | ||
Pacific Gas and Electric Company | Pacific Gas and Electric Company | ||
Diablo Canyon Power Plant | Diablo Canyon Power Plant | ||
P.O. Box 56, Mail Code 104/6 | P.O. Box 56, Mail Code 104/6 | ||
Avila Beach, CA 93424 | Avila Beach, CA 93424 | ||
SUBJECT: | SUBJECT: | ||
DIABLO CANYON POWER PLANT - NRC INSPECTION REPORT | |||
Dear Mr. Halpin: | 05000275/2016010 AND 05000323/2016010; PRELIMINARY WHITE FINDING | ||
On September 12, 2016, the U.S. Nuclear Regulatory Commission (NRC) completed an | Dear Mr. Halpin: | ||
inspection at your Diablo Canyon Power Plant. On the same date, the NRC inspectors | On September 12, 2016, the U.S. Nuclear Regulatory Commission (NRC) completed an | ||
discussed the results of this inspection with you and other members of your staff. Inspectors | inspection at your Diablo Canyon Power Plant. On the same date, the NRC inspectors | ||
documented the results of this inspection in the enclosed inspection report. | discussed the results of this inspection with you and other members of your staff. Inspectors | ||
The enclosed inspection report discusses a finding that has preliminarily been determined to be | documented the results of this inspection in the enclosed inspection report. | ||
of low to moderate safety significance (White) that may require additional NRC inspections, | The enclosed inspection report discusses a finding that has preliminarily been determined to be | ||
regulatory actions, and oversight. As described in Section 4OA2 of this report, the finding is | of low to moderate safety significance (White) that may require additional NRC inspections, | ||
associated with an apparent violation of Technical Specification 5.4.1.a, Procedures, for the | regulatory actions, and oversight. As described in Section 4OA2 of this report, the finding is | ||
associated with an apparent violation of Technical Specification 5.4.1.a, Procedures, for the | |||
failure to develop adequate instructions for the installation of external limit switches on motor- | failure to develop adequate instructions for the installation of external limit switches on motor- | ||
operated valves. Specifically, Pacific Gas and Electric (PG&E) failed to provide adequate | operated valves. Specifically, Pacific Gas and Electric (PG&E) failed to provide adequate | ||
maintenance instructions for ensuring that these limit switches were operated within the vendor | maintenance instructions for ensuring that these limit switches were operated within the vendor | ||
established overtravel settings. Consequently, the external limit switch for valve RHR-2-8700B, | established overtravel settings. Consequently, the external limit switch for valve RHR-2-8700B, | ||
Unit 2 residual heat removal pump 2-2 suction from the refueling water storage tank, was | Unit 2 residual heat removal pump 2-2 suction from the refueling water storage tank, was | ||
installed such that the limit switch was operated beyond the overtravel setting resulting in a | installed such that the limit switch was operated beyond the overtravel setting resulting in a | ||
sheared internal roll pin causing the limit switch to fail. The failure of this limit switch resulted in | sheared internal roll pin causing the limit switch to fail. The failure of this limit switch resulted in | ||
failure of an input into the open permissive input logic for valve SI-2-8982B, Unit 2 train B | failure of an input into the open permissive input logic for valve SI-2-8982B, Unit 2 train B | ||
residual heat removal suction from the containment recirculation sump. PG&E restored valve | residual heat removal suction from the containment recirculation sump. PG&E restored valve | ||
RHR-2-8700B to operable and replaced affected components, including the limit switch. PG&E | RHR-2-8700B to operable and replaced affected components, including the limit switch. PG&E | ||
also initiated corrective actions to develop more detailed and appropriate instructions for | also initiated corrective actions to develop more detailed and appropriate instructions for | ||
installing Namco' Snap Lock position switches. | installing Namco' Snap Lock position switches. | ||
This finding was assessed based on the best available information using the applicable | This finding was assessed based on the best available information using the applicable | ||
Significance Determination Process (SDP). The basis for the NRCs preliminary significance | Significance Determination Process (SDP). The basis for the NRCs preliminary significance | ||
determination is described in the enclosed report. The NRC performed a detailed risk | determination is described in the enclosed report. The NRC performed a detailed risk | ||
evaluation and determined the total resulting incremental conditional core damage | evaluation and determined the total resulting incremental conditional core damage | ||
probability for internal and external initiators. Considering the failure mechanism was | probability for internal and external initiators. Considering the failure mechanism was | ||
E. Halpin | E. Halpin | ||
introduced during Refueling Outage 2R17 maintenance in February 2013, and the limit switch | - 2 - | ||
was last successfully tested on October 22, 2014, the NRC evaluated the issue for the period | introduced during Refueling Outage 2R17 maintenance in February 2013, and the limit switch | ||
from October 22, 2014, until the limit switch failure became apparent on May 16, 2016. This | was last successfully tested on October 22, 2014, the NRC evaluated the issue for the period | ||
analysis resulted in a preliminary estimate of core damage frequency of 7.6E-06/year, | from October 22, 2014, until the limit switch failure became apparent on May 16, 2016. This | ||
corresponding to a finding of low to moderate risk significance (White). The NRC will inform you | analysis resulted in a preliminary estimate of core damage frequency of 7.6E-06/year, | ||
in writing when the final significance has been determined. | corresponding to a finding of low to moderate risk significance (White). The NRC will inform you | ||
The finding is also an apparent violation of NRC requirements and is being considered for | in writing when the final significance has been determined. | ||
escalated enforcement action in accordance with the Enforcement Policy, which can be found | The finding is also an apparent violation of NRC requirements and is being considered for | ||
on the NRCs Web site at http://www.nrc.gov/about-nrc/regulatory/enforcement/enforce-pol.html. | escalated enforcement action in accordance with the Enforcement Policy, which can be found | ||
In accordance with NRC Inspection Manual Chapter 0609, we intend to complete our evaluation | on the NRCs Web site at http://www.nrc.gov/about-nrc/regulatory/enforcement/enforce-pol.html. | ||
using the best available information and issue our final determination of safety significance | In accordance with NRC Inspection Manual Chapter 0609, we intend to complete our evaluation | ||
within 90 days of the date of this letter. The significance determination process encourages an | using the best available information and issue our final determination of safety significance | ||
open dialogue between the NRC staff and the licensee; however, the dialogue should not | within 90 days of the date of this letter. The significance determination process encourages an | ||
impact the timeliness of the staffs final determination. | open dialogue between the NRC staff and the licensee; however, the dialogue should not | ||
Before we make a final decision on this matter, we are providing you with an opportunity to | impact the timeliness of the staffs final determination. | ||
(1) attend a Regulatory Conference where you can present to the NRC your perspective on the | Before we make a final decision on this matter, we are providing you with an opportunity to | ||
facts and assumptions the NRC used to arrive at the finding and assess its significance, or | (1) attend a Regulatory Conference where you can present to the NRC your perspective on the | ||
(2) submit your position on the finding to the NRC in writing. If you request a Regulatory | facts and assumptions the NRC used to arrive at the finding and assess its significance, or | ||
Conference, it should be held within 40 days of the receipt of this letter, and we encourage you | (2) submit your position on the finding to the NRC in writing. If you request a Regulatory | ||
to submit supporting documentation at least one week prior to the conference in an effort to | Conference, it should be held within 40 days of the receipt of this letter, and we encourage you | ||
make the conference more efficient and effective. The focus of the Regulatory Conference is to | to submit supporting documentation at least one week prior to the conference in an effort to | ||
discuss the significance of the finding and not necessarily the root cause or corrective actions | make the conference more efficient and effective. The focus of the Regulatory Conference is to | ||
associated with the finding. If a Regulatory Conference is held, it will be open for public | discuss the significance of the finding and not necessarily the root cause or corrective actions | ||
observation. If you decide to submit only a written response, such submittal should be sent to | associated with the finding. If a Regulatory Conference is held, it will be open for public | ||
the NRC within 40 days of your receipt of this letter. If you decline to request a Regulatory | observation. If you decide to submit only a written response, such submittal should be sent to | ||
Conference or to submit a written response, you relinquish your right to appeal the final SDP | the NRC within 40 days of your receipt of this letter. If you decline to request a Regulatory | ||
determination, in that by not doing either, you fail to meet the appeal requirements stated in the | Conference or to submit a written response, you relinquish your right to appeal the final SDP | ||
Prerequisite and Limitation sections of Attachment 2 of NRC Inspection Manual Chapter 0609. | determination, in that by not doing either, you fail to meet the appeal requirements stated in the | ||
Please contact Jeremy Groom at (817) 200-1148 and in writing within 10 days from the issue | Prerequisite and Limitation sections of Attachment 2 of NRC Inspection Manual Chapter 0609. | ||
date of this letter to notify the NRC of your intentions. If we have not heard from you within | Please contact Jeremy Groom at (817) 200-1148 and in writing within 10 days from the issue | ||
10 days, we will continue with our significance determination and enforcement decision. The | date of this letter to notify the NRC of your intentions. If we have not heard from you within | ||
final resolution of this matter will be conveyed in separate correspondence. | 10 days, we will continue with our significance determination and enforcement decision. The | ||
Because the NRC has not made a final determination in this matter, no Notice of Violation is | final resolution of this matter will be conveyed in separate correspondence. | ||
being issued for this inspection finding at this time. In addition, please be advised that the | Because the NRC has not made a final determination in this matter, no Notice of Violation is | ||
number and characterization of the apparent violation described in the enclosed inspection | being issued for this inspection finding at this time. In addition, please be advised that the | ||
report may change as a result of further NRC review. | number and characterization of the apparent violation described in the enclosed inspection | ||
report may change as a result of further NRC review. | |||
E. Halpin | E. Halpin | ||
In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter and its | - 3 - | ||
enclosure will be made available electronically for public inspection in the NRC Public Document | In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter and its | ||
Room and in the NRCs Agencywide Documents Access and Management System (ADAMS), | enclosure will be made available electronically for public inspection in the NRC Public Document | ||
accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html. | Room and in the NRCs Agencywide Documents Access and Management System (ADAMS), | ||
accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html. | |||
Sincerely, | |||
/RA/ | |||
Troy W. Pruett, Director | |||
Docket Nos. 50-275 and 50-323 | Division of Reactor Projects | ||
License Nos. DPR-80 and DPR-82 | Docket Nos. 50-275 and 50-323 | ||
Enclosure: | License Nos. DPR-80 and DPR-82 | ||
Inspection Report 05000275/2016010 and | Enclosure: | ||
05000323/2016010 | Inspection Report 05000275/2016010 and | ||
w/ Attachments: | 05000323/2016010 | ||
w/ Attachments: | |||
1. Supplemental Information | 1. Supplemental Information | ||
2. Significance Determination | 2. Significance Determination | ||
cc w/ enclosure: Electronic Distribution | cc w/ enclosure: Electronic Distribution | ||
SUNSI Review | |||
By: JRG | |||
ADAMS | |||
Yes No | |||
Non-Sensitive | |||
Sensitive | |||
Publicly Available | |||
Non-Publicly Available | |||
Keyword: | |||
NRC-002 | |||
OFFICE | |||
SRI:DRP/A | |||
RI:DRP/A | |||
SPE:DRP/A | |||
DRS:SRA | |||
TL:ACES | |||
D:DRS | |||
RC:ORA | |||
NAME | |||
CNewport | |||
JReynoso | |||
RAlexander | |||
RDeese | |||
MHay | |||
AVegel | |||
KFuller | |||
SIGNATURE | |||
/RA/ | |||
/RA/ | |||
/RA/ | |||
/RA/ | |||
/RA/ | |||
/RA/ | |||
/RA/ | |||
DATE | |||
09/14/16 | |||
09/14/16 | |||
09/08/16 | |||
09/09/16 | |||
09/19/16 | |||
09/27/16 | |||
09/22/16 | |||
OFFICE | |||
BC:DRP/A | |||
D:DRP | |||
NAME | |||
JGroom | |||
TPruett | |||
SIGNATURE | |||
/RA/ | |||
/RA/ | |||
DATE | |||
09/26/16 | |||
10/3/16 | |||
Letter to Edward D. Halpin from Troy W. Pruett dated October 3, 2016 | |||
SUBJECT: | |||
DIABLO CANYON POWER PLANT - NRC FOCUSED BASELINE INSPECTION | |||
REPORT 05000275/2016010 AND 05000323/2016010; PRELIMINARY WHITE | |||
FINDING | |||
DISTRIBUTION: | |||
Regional Administrator (Kriss.Kennedy@nrc.gov) | |||
Deputy Regional Administrator (Scott.Morris@nrc.gov) | |||
DRP Director (Troy.Pruett@nrc.gov) | |||
DRP Deputy Director (Ryan.Lantz@nrc.gov) | |||
DRS Director (Anton.Vegel@nrc.gov) | |||
DRS Deputy Director (Jeff.Clark@nrc.gov) | |||
Senior Resident Inspector (Christopher.Newport@nrc.gov) | |||
Resident Inspector (John.Reynoso@nrc.gov) | |||
Administrative Assistant (Madeleine.Arel-Davis@nrc.gov) | |||
Branch Chief, DRP/A (Jeremy.Groom@nrc.gov) | |||
Senior Project Engineer, DRP/A (Ryan.Alexander@nrc.gov) | |||
Project Engineer, DRP/A (Matthew.Kirk@nrc.gov) | |||
Project Engineer, DRP/A (Thomas.Sullivan@nrc.gov) | |||
Public Affairs Officer (Victor.Dricks@nrc.gov) | |||
Project Manager (Balwant.Singal@nrc.gov) | |||
Team Leader, DRS/TSS (Thomas.Hipschman@nrc.gov) | |||
RITS Coordinator (Marisa.Herrera@nrc.gov) | |||
ACES (R4Enforcement.Resource@nrc.gov) | |||
Regional Counsel (Karla.Fuller@nrc.gov) | |||
Congressional Affairs Officer (Jenny.Weil@nrc.gov) | |||
RIV Congressional Affairs Officer (Angel.Moreno@nrc.gov) | |||
RIV/ETA: OEDO (Jeremy.Bowen@nrc.gov) | |||
RIV RSLO (Bill.Maier@nrc.gov) | |||
ROPreports.Resource@nrc.gov | |||
ROPassessment.Resource@nrc.gov | |||
Enclosure | |||
U.S. NUCLEAR REGULATORY COMMISSION | |||
REGION IV | |||
Docket: | |||
05000275; 05000323 | |||
License: | |||
DPR-80; DPR-82 | |||
Report: | |||
05000275/2016010; 05000323/2016010 | |||
Licensee: | |||
Pacific Gas and Electric Company | |||
Facility: | |||
Diablo Canyon Power Plant, Units 1 and 2 | |||
Location: | |||
7 1/2 miles NW of Avila Beach | |||
Avila Beach, CA | |||
Dates: | |||
May 16 through September 12, 2016 | |||
Inspectors: C. Newport, Senior Resident Inspector | |||
J. Reynoso, Acting Senior Resident Inspector | |||
T. Sullivan, Project Engineer | |||
R. Deese, Senior Reactor Analyst | |||
Approved | |||
By: | |||
Troy W. Pruett, Director | |||
Division of Reactor Projects | |||
- 2 - | |||
SUMMARY | |||
IR 05000275/2016010, 05000323/2016010; 05/16/2016 - 09/12/2016; Diablo Canyon Power | |||
and external | Plant; Problem Identification and Resolution | ||
( | |||
The inspection activities described in this report were performed between May 16 and | |||
September 12, 2016, by the resident inspectors at Diablo Canyon Power Plant and inspectors | |||
( | from the NRCs Region IV office. The inspectors identified a preliminary White finding | ||
associated with an apparent violation of NRC requirements. The significance of inspection | |||
findings is indicated by their color (Green, White, Yellow, or Red), which is determined using | |||
Inspection Manual Chapter 0609, Significance Determination Process, issued April 29, 2015. | |||
Their cross-cutting aspects are determined using Inspection Manual Chapter 0310, Aspects | |||
within the Cross-Cutting Areas, issued December 4, 2014. Violations of NRC requirements are | |||
dispositioned in accordance with the NRC Enforcement Policy. The NRCs program for | |||
overseeing the safe operation of commercial nuclear power reactors is described in | |||
NUREG-1649, Reactor Oversight Process. | |||
Cornerstone: Mitigating Systems | |||
* | |||
Preliminary White. The inspectors identified a preliminary White finding associated with | |||
an apparent violation of Technical Specification 5.4.1.a, Procedures, for the licensees | |||
failure to develop adequate instructions for the installation, adjustment, and testing of | |||
Namco' Model EA170 snap lock limit switches. Specifically, the licensee failed to provide | |||
site-specific instructions for limiting the travel of these external limit switches when installed | |||
on safety-related motor operated valves. Consequently, the lever switch actuator for valve | |||
RHR-2-8700B, residual heat removal pump 2-2 suction from the refueling water storage | |||
tank, was installed such that the limit switch was operated repeatedly in an over-travel | |||
condition resulting in a sheared internal roll pin that ultimately caused the limit switch to fail. | |||
Following identification of this issue, the licensee replaced the limit switch for valve | |||
RHR-2-8700B and implemented actions to modify maintenance procedures for installing, | |||
calibrating, and testing motor-operated valve external limit switches. The licensee entered | |||
this issue into their corrective action program as Notification 50852345. | |||
The performance deficiency is more than minor, and therefore a finding, because it is | |||
associated with the procedure quality attribute of the Mitigating Systems cornerstone and | |||
adversely affected the cornerstone objective to ensure the availability, reliability, and | |||
capability of systems that respond to initiating events to prevent undesirable consequences | |||
(i.e., core damage). Specifically, maintenance procedure MP E-53.10R, Augmented Stem | |||
Lubrication for Limitorque Operated Valves, used to perform limit switch adjustments on the | |||
Unit 2 valve RHR-2-8700B, did not provide adequate acceptance criteria to prevent | |||
overtravel of the limit switch actuating lever. This resulted in a subsequent failure of the limit | |||
switch, preventing the open permissive signal for valve SI-2-8982B, residual heat removal | |||
pump 2-2 suction from the containment recirculation sump, used during the emergency core | |||
cooling system (ECCS) recirculation mode. The inspectors evaluated the finding using the | |||
Attachment 0609.04, "Initial Characterization of Findings," worksheet to Inspection Manual | |||
Chapter (IMC) 0609, Significance Determination Process, issued June 19, 2012. The | |||
attachment instructs the inspectors to utilize IMC 0609, Appendix A, Significance | |||
Determination Process (SDP) for Findings At-Power, issued June 19, 2012. In accordance | |||
with NRC Inspection Manual Chapter 0609, Appendix A, Exhibit 2, Mitigating Systems | |||
Screening Questions, the inspectors determined that the finding required a detailed risk | |||
evaluation because it represented an actual loss of function of the train B ECCS for greater | |||
- 3 - | |||
than its technical specification allowed outage time. A senior reactor analyst performed a | |||
detailed risk evaluation in accordance with IMC 0609, Appendix A, Section 6.0, Detailed | |||
Risk Evaluation. The calculated increase in core damage frequency was dominated by | |||
small and medium loss of coolant accident initiators with failures of the opposite train of | |||
ECCS or related support systems. The analyst did not evaluate the large early release | |||
frequency because this performance deficiency would not have challenged the containment. | |||
The NRC preliminarily determined that the increase in core damage frequency for internal | |||
and external initiators was 7.6E-06/year, a finding of low to moderate risk significance | |||
(White). The inspector did not identify a cross-cutting aspect with this finding because it was | |||
not reflective of current performance. The inadequate procedure was developed in 2011 | |||
and did not reflect the licensees current performance related to procedure development. | |||
(Section 4OA2) | |||
- 4 - | |||
REPORT DETAILS | |||
pump 2-2 suction from the containment recirculation sump, failed to open from the main | |||
control room. | 4. | ||
for valve RHR-2-8700B, RHR | OTHER ACTIVITIES | ||
The failure of this limit switch | Cornerstone: Mitigating Systems | ||
permissive signal for valve SI-2-8982B. | 4OA2 Problem Identification and Resolution (71152) | ||
Annual Follow-up of Selected Issues | |||
a. Inspection Scope | |||
On May 16, 2016, during performance of surveillance procedure PEP V-7B, "Test of | |||
The inspectors reviewed the | ECCS Valve Interlocks," Revision 9, valve SI-2-8982B, Unit 2 residual heat removal | ||
(RHR) pump 2-2 suction from the containment recirculation sump, failed to open from | |||
the main control room. Subsequent review determined that external limit switch, | |||
POS-648, for valve RHR-2-8700B, RHR 2-2 suction from the refueling water storage | |||
tank (RWST), was in a failed position. The failure of this limit switch prevented the open | |||
permissive signal for valve SI-2-8982B. Investigation by the licensee concluded that | |||
limit switch POS-648 failed due to a sheared internal roll pin. | |||
The inspectors assessed the licensees problem identification threshold, cause analyses, | |||
and verified that corrective actions were commensurate with the significance of the | |||
issue, appropriately prioritized and that these actions were adequate to correct the | |||
condition. The inspectors also reviewed the licensees use of operating experience and | |||
their incorporation of vendor guidance into site-specific maintenance procedures. | |||
These activities constituted completion of one annual follow-up sample as defined in | |||
Inspection Procedure 71152. | |||
RHR-2-8700B | b. Findings | ||
Failure to Establish Adequate Work Instructions for Installation of Namco' Snap Lock | |||
Limit Switches | |||
Introduction. The inspectors identified a preliminary White finding associated with an | |||
apparent violation of Technical Specification 5.4.1.a, Procedures, for the licensees | |||
failure to develop adequate instructions for the installation, adjustment and testing of | |||
Namco' Model EA170 snap lock limit switches. Specifically, the licensee failed to | |||
provide site-specific instructions for limiting the travel of these external limit switches | |||
the | when installed on safety-related motor operated valves. Consequently, the lever switch | ||
actuator for valve RHR-2-8700B was installed such that the limit switch was operated | |||
repeatedly in an over-travel condition resulting in a sheared internal roll pin that | |||
ultimately caused the limit switch to fail. | |||
Description. On May 16, 2016, the licensee performed surveillance procedure | |||
PEP V-7B, "Test of ECCS Valve Interlocks," Revision 9, to test various interlock and | |||
permissive circuits for the emergency core cooling system (ECCS). One interlock test | |||
involved valve circuitry needed to transfer the RHR pump suction from the RWST to the | |||
containment recirculation sump during the ECCS recirculation mode. During a loss of | |||
coolant accident, operators would implement ECCS recirculation by closing the RWST to | |||
RHR suction valves, valves RHR-8700A and RHR-8700B, and opening the containment | |||
- 5 - | |||
recirculation sump suction valves, SI-8982A and SI-8982B. The ECCS system design | |||
The inspectors | includes an interlock, tested during procedure PEP V-7B, to ensure that operators can | ||
on February 21, 2013, the licensee | only open containment sump suction valves if the respective RWST suction valve is | ||
closed. | |||
During performance of procedure PEP V-7B, Step 12.14.2, valve SI-2-8982B, RHR | |||
pump 2-2 suction from the containment recirculation sump, failed to open from the main | |||
control room. Licensee troubleshooting determined that external limit switch, POS-648, | |||
for valve RHR-2-8700B, RHR pump 2-2 suction from the RWST, was in a failed position. | |||
The failure of this limit switch, caused by a sheared internal roll pin, prevented the open | |||
permissive signal for valve SI-2-8982B. Since limit switch POS-648 failed during a | |||
planned refueling outage with Diablo Canyon Unit 2 shutdown, no technical specification | |||
entries were necessary. The licensee replaced limit switch POS-648 under Work Order | |||
60090383 on May 18, 2016, prior to exiting the planned refueling outage. The licensee | |||
entered this issue into their corrective action program as Notification 50852345. | |||
The inspectors | The inspectors reviewed the work history for valve RHR-2-8700B and limit switch | ||
POS-648. During refueling outage 2R17 completed on February 21, 2013, the licensee | |||
implemented Work Order 64014195 to replace the Limitorque actuator stem nut for valve | |||
RHR-2-8700B and completed maintenance procedure E-53.10R, Augmented Stem | |||
Lubrication for Limitorque Operated Valves, Revision 4. This maintenance included | |||
removal and replacement of limit switch POS-648 and its actuating lever. The | |||
inspectors noted that procedure MP E-53.10R included instructions for re-installing the | |||
stem mounted position switches and checks for proper operation. Specifically, | |||
procedure MP E-53.10R, Step 7.9.2(h), included instructions to Check switches are | |||
properly operating by listening for an audible click from switch when valve is cycled | |||
OPEN and CLOSED. | |||
The inspectors noted that the licensee successfully tested POS-648 as part of | |||
post-maintenance testing for Work Order 64014195 and again on October 22, 2014, | |||
instructions | when procedure PEP V-7B was last performed. The licensee cycles valve | ||
RHR-2-8700B quarterly as part of the inservice testing (IST) program; however, the | |||
quarterly IST does not test the interlock provided by limit switch POS-648. As such, the | |||
inspectors concluded that POS-648 failed sometime between the last successful | |||
performance of surveillance procedure PEP V-7B on October 22, 2014, and the failure of | |||
valve SI-2-8982B to open on May 16, 2016. | |||
Limit switch POS-648 is a Namco' Model EA170 snap lock position switch, designed to | |||
snap over when actuated and includes a hard stop. The inspectors reviewed applicable | |||
maintenance, design, and testing instructions provided by the limit switch vendor. Within | |||
the publically available vendor documents, the inspectors identified the following | |||
precaution relative to the design, installation, and operation of Namco' Snap-Lock Limit | |||
for | switches: | ||
Operating mechanisms for limit switches MUST BE so designed | |||
the | that, under any operating or emergency conditions, the limit switch | ||
is not operated beyond its overtravel limit position. | |||
The vendor guidance also directed switch owners to the specific bulletin for the switch | |||
overtravel specifications. The inspectors reviewed the switch bulletin for Namco' | |||
Model EA170-35100 snap lock limit switches, the same model used for POS-648. The | |||
inspectors noted that the switch specifications included a recommended travel | |||
- 6 - | |||
of 7 degrees based on a required trip of 6.5 degrees, and a maximum overtravel of | |||
36 degrees. The inspectors reviewed as-found photos of POS-648 following the | |||
May 16, 2016, failure and noted that the switch actuating arm position was at a nearly | |||
45-degree angle relative to the normal position indicating that the position switch had | |||
exceeded the overtravel specification. | |||
The inspectors determined that when POS-648 was re-installed following maintenance | |||
on February 21, 2013, the licensee did not set the switch and actuating arm correctly in | |||
accordance with the vendor recommendations to ensure that the overtravel specification | |||
was not exceeded. By operating the switch beyond the overtravel specification, valve | |||
force was applied to the limit switch lever and internal roll pin after reaching a hard stop. | |||
The repeated overloading of the lever roll pin eventually led to the failure of POS-648. | |||
While the instructions in procedure MP E-53.10R, Step 7.9.2.(h), to check for proper | |||
operation by listening for an audible click, would verify the limit switch changed state, the | |||
inspectors determined this procedure step was inadequate to prevent overtravel of the | |||
externally mounted limit switch. Specifically, the inspectors determined that the | |||
procedure lacked specificity because it only ensured that the trip and reset of the switch | |||
occurs as the valve is exercised but did not provide adequate instructions to ensure the | |||
switch overtravel specification was not exceeded. | |||
The inspectors interviewed licensee personnel responsible for determining the cause of | |||
the failure of POS-648. During that interview, the licensee shared conclusions regarding | |||
the cause of the failure of POS-648 that corresponded with the independent conclusions | |||
developed by the inspectors. In particular, the licensee determined that the | |||
maintenance instructions in procedure MP E-53.10R to listen for an audible click were | |||
insufficient to prevent over-ranging of the position switch lever. The licensee performed | |||
an extent-of-condition review of other motor operated valve (MOV) external limit | |||
switches that provide control or logic functions but would not provide an audible alarm or | |||
other indication if in a failed state. The licensee identified fifteen other limit switches that | |||
could be susceptible to the failure mechanism experienced on limit switch POS-648. | |||
The licensee walked down these switches on June 1, 2016, and identified no other | |||
similar switch installation problems. Notification 50852345 included corrective action | |||
CA 1, due March 20, 2017, to revise procedure MP E-53.10R to include detailed | |||
instructions for setting the travel of externally mounted limit switches. | |||
Analysis. The inspectors determined the failure to establish adequate adjustment | |||
criteria for maintenance procedure MP E-53.10R was a performance deficiency. The | |||
performance deficiency is more than minor, and therefore a finding, because it is | |||
associated with the procedure quality attribute of the Mitigating Systems cornerstone, | |||
and adversely affected the cornerstone objective to ensure the availability, reliability, and | |||
capability of systems that respond to initiating events to prevent undesirable | |||
consequences (i.e., core damage). Specifically, procedure MP E-53.10R, used by the | |||
licensee to perform limit switch adjustments on the Unit 2 valve RHR-2-8700B, did not | |||
provide adequate acceptance criteria to prevent overtravel of the actuating lever. This | |||
resulted in a subsequent failure of the limit switch, preventing the open permissive signal | |||
for valve SI-2-8982B, residual heat removal pump 2-2 suction from the containment | |||
recirculation sump, used during the ECCS recirculation mode. The inspectors evaluated | |||
the finding using the Attachment 0609.04, "Initial Characterization of Findings," | |||
worksheet to Inspection Manual Chapter (IMC) 0609, Significance Determination | |||
Process, issued June 19, 2012. The attachment instructs the inspectors to utilize | |||
- 7 - | |||
IMC 0609, Appendix A, Significance Determination Process (SDP) for Findings At- | IMC 0609, Appendix A, Significance Determination Process (SDP) for Findings At- | ||
Power, issued June 19, 2012. In accordance with NRC Inspection Manual | Power, issued June 19, 2012. In accordance with NRC Inspection Manual | ||
Chapter 0609, Appendix A, Exhibit 2, Mitigating Systems Screening Questions, the | Chapter 0609, Appendix A, Exhibit 2, Mitigating Systems Screening Questions, the | ||
inspectors determined that the finding required a detailed risk evaluation because it | inspectors determined that the finding required a detailed risk evaluation because it | ||
represented an actual loss of function of the train B ECCS for greater than its technical | represented an actual loss of function of the train B ECCS for greater than its technical | ||
specification allowed outage time. A senior reactor analyst performed a detailed risk | specification allowed outage time. A senior reactor analyst performed a detailed risk | ||
evaluation in accordance with IMC 0609, Appendix A, Section 6.0, Detailed Risk | evaluation in accordance with IMC 0609, Appendix A, Section 6.0, Detailed Risk | ||
Evaluation. | Evaluation. | ||
Small and medium loss of coolant accident initiators with failures of the opposite train of | Small and medium loss of coolant accident initiators with failures of the opposite train of | ||
ECCS or related support systems dominated the calculated increase in core damage | ECCS or related support systems dominated the calculated increase in core damage | ||
frequency. The analyst did not evaluate the large early release frequency because this | frequency. The analyst did not evaluate the large early release frequency because this | ||
performance deficiency would not have challenged the containment. The NRC | performance deficiency would not have challenged the containment. The NRC | ||
preliminarily determined that the increase in core damage frequency for internal and | preliminarily determined that the increase in core damage frequency for internal and | ||
external initiators was 7.6E-06/year, in the low to moderate risk significance range | external initiators was 7.6E-06/year, in the low to moderate risk significance range | ||
(White). The results of the detailed risk evaluation are included in Attachment 2 of this | (White). The results of the detailed risk evaluation are included in Attachment 2 of this | ||
report. | report. | ||
The inspector did not identify a cross-cutting aspect with this finding because it was not | The inspector did not identify a cross-cutting aspect with this finding because it was not | ||
reflective of current performance. The inadequate procedure was developed in 2011 | reflective of current performance. The inadequate procedure was developed in 2011 | ||
and did not reflect the licensees current performance related to procedure development. | and did not reflect the licensees current performance related to procedure development. | ||
Enforcement. Technical Specification 5.4.1.a, Procedures, requires, in part, that | Enforcement. Technical Specification 5.4.1.a, Procedures, requires, in part, that | ||
written procedures shall be established, implemented, and maintained covering the | written procedures shall be established, implemented, and maintained covering the | ||
applicable procedures recommended in Appendix A of Regulatory Guide 1.33, | applicable procedures recommended in Appendix A of Regulatory Guide 1.33, | ||
Revision 2. Section 9.a of Appendix A of Regulatory Guide 1.33, Revision 2, requires in | Revision 2. Section 9.a of Appendix A of Regulatory Guide 1.33, Revision 2, requires in | ||
part, that maintenance that can affect the performance of safety-related equipment | part, that maintenance that can affect the performance of safety-related equipment | ||
should be properly preplanned and performed in accordance with written procedures, | should be properly preplanned and performed in accordance with written procedures, | ||
documented instructions, or drawings appropriate to the circumstances. On | documented instructions, or drawings appropriate to the circumstances. On | ||
December 5, 2011, the licensee established procedure MP E-53.10R, Augmented Stem | December 5, 2011, the licensee established procedure MP E-53.10R, Augmented Stem | ||
Lubrication for Limitorque Operated Valves, Revision 4, to perform maintenance on | Lubrication for Limitorque Operated Valves, Revision 4, to perform maintenance on | ||
safety-related equipment including motor operated valves and their external limit | safety-related equipment including motor operated valves and their external limit | ||
switches. Contrary to the above, on December 5, 2011, the licensee failed to establish | switches. Contrary to the above, on December 5, 2011, the licensee failed to establish | ||
written procedures for performing maintenance on safety-related equipment which were | written procedures for performing maintenance on safety-related equipment which were | ||
appropriate to the circumstances. Specifically, the procedure only checked that motor | appropriate to the circumstances. Specifically, the procedure only checked that motor | ||
operated valve external limit switches changed position during valve exercise but did not | operated valve external limit switches changed position during valve exercise but did not | ||
provide instructions to establish and check the travel of these switches within vendor | provide instructions to establish and check the travel of these switches within vendor | ||
established criteria. Consequently, the limit switch for valve RHR-2-8700B was installed | established criteria. Consequently, the limit switch for valve RHR-2-8700B was installed | ||
such that it was operated repeatedly beyond overtravel tolerances resulting in its failure. | such that it was operated repeatedly beyond overtravel tolerances resulting in its failure. | ||
The licensee entered this issue into their corrective action program as Notification | The licensee entered this issue into their corrective action program as Notification | ||
50852345 and initiated action to replace the failed limit switch. The licensee also | 50852345 and initiated action to replace the failed limit switch. The licensee also | ||
initiated corrective actions to change maintenance procedure MP E-53.10R to ensure | initiated corrective actions to change maintenance procedure MP E-53.10R to ensure | ||
adequate acceptance criteria for limit switch travel were included, and performed an | adequate acceptance criteria for limit switch travel were included, and performed an | ||
extent of condition for all other MOV stem mounted position switch interlocks circuits. As | extent of condition for all other MOV stem mounted position switch interlocks circuits. As | ||
a consequence of this failed limit switch, the licensee was also in violation of Unit 2 | a consequence of this failed limit switch, the licensee was also in violation of Unit 2 | ||
Technical Specification 3.5.2, ECCS - Operating, because train B of the ECCS was | Technical Specification 3.5.2, ECCS - Operating, because train B of the ECCS was | ||
determined to be inoperable for greater than the technical specification allowed outage | determined to be inoperable for greater than the technical specification allowed outage | ||
time of 14 days, and the licensee failed to take actions required of the limiting condition | time of 14 days, and the licensee failed to take actions required of the limiting condition | ||
of operation. Because this finding has been preliminarily determined to be of greater | of operation. Because this finding has been preliminarily determined to be of greater | ||
than very low safety significance (i.e., greater than Green), it is being characterized as | than very low safety significance (i.e., greater than Green), it is being characterized as | ||
4OA6 Meetings, Including Exit | - 8 - | ||
Exit Meeting Summary | |||
On September 13, 2016, the inspectors presented the inspection results to Mr. E. Halpin, Senior | an apparent violation. AV 05000323/2016010-01, Failure to Establish Adequate Work | ||
Vice President and Chief Nuclear Officer, and other members of the licensee staff. The licensee | Instructions for Installation of Namco' Snap Lock Limit Switches | ||
acknowledged the issues presented. The licensee confirmed that any proprietary information | 4OA6 Meetings, Including Exit | ||
reviewed by the inspectors had been returned or destroyed. | Exit Meeting Summary | ||
On September 13, 2016, the inspectors presented the inspection results to Mr. E. Halpin, Senior | |||
Vice President and Chief Nuclear Officer, and other members of the licensee staff. The licensee | |||
acknowledged the issues presented. The licensee confirmed that any proprietary information | |||
reviewed by the inspectors had been returned or destroyed. | |||
Licensee Personnel | |||
T. Baldwin, Director, Nuclear Site Services | Attachment 1 | ||
D. Evans, Director, Security & Emergency Services | SUPPLEMENTAL INFORMATION | ||
L. Fusco, Manager, Mechanical Engineering | |||
P. Gerfen, Station Director | KEY POINTS OF CONTACT | ||
M. Ginn, Manager, Emergency Planning | |||
E. Halpin, Sr. Vice President, Chief Nuclear Officer Generation | Licensee Personnel | ||
H. Hamzehee, Manager, Regulatory Services | |||
A. Heffner, NRC Interface, Regulatory Services | T. Baldwin, Director, Nuclear Site Services | ||
L. Hopson, Director Maintenance Services | D. Evans, Director, Security & Emergency Services | ||
T. Irving, Manager, Radiation Protection | L. Fusco, Manager, Mechanical Engineering | ||
K. Johnston, Director of Operations | P. Gerfen, Station Director | ||
M. McCoy, NRC Interface, Regulatory Services | M. Ginn, Manager, Emergency Planning | ||
J. Morris, Supervisor, Nuclear Regulatory Services | E. Halpin, Sr. Vice President, Chief Nuclear Officer Generation | ||
C. Murry, Director Nuclear Work Management | H. Hamzehee, Manager, Regulatory Services | ||
J. Nimick, Senior Director Nuclear Services | A. Heffner, NRC Interface, Regulatory Services | ||
P. Nugent, Director, Quality Verification | L. Hopson, Director Maintenance Services | ||
A. Peck, Director, Nuclear Engineering | T. Irving, Manager, Radiation Protection | ||
A. Warwick, Supervisor, Emergency Planning | K. Johnston, Director of Operations | ||
J. Welsch, Site Vice President | M. McCoy, NRC Interface, Regulatory Services | ||
R. West, Manager, System Engineering | J. Morris, Supervisor, Nuclear Regulatory Services | ||
C. Murry, Director Nuclear Work Management | |||
J. Nimick, Senior Director Nuclear Services | |||
P. Nugent, Director, Quality Verification | |||
A. Peck, Director, Nuclear Engineering | |||
A. Warwick, Supervisor, Emergency Planning | |||
Section 4OA2: Problem Identification and Resolution | J. Welsch, Site Vice President | ||
R. West, Manager, System Engineering | |||
LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED | |||
Opened | |||
05000323/2016010-01 AV | |||
Failure to Establish Adequate Work Instructions for Installation of | |||
Namco' Snap Lock Limit Switches (Section 4OA2) | |||
Section 4OA2: Problem Identification and Resolution | |||
Procedures | |||
Number | |||
Title | |||
Revision | |||
PEP V-7B | |||
Test of ECCS Valve Interlocks | |||
8 | |||
MP E-53.10R | |||
Augmented Stem Lubrication For Limitorque Operated | |||
Valves | |||
4-7 | |||
OP O-22 | |||
Emergency Operation of Motor Operated Valves | |||
6 | |||
E-0 | |||
Reactor Trip or Safety Injection | |||
35 | |||
EOP E-1.3 | |||
Transfer to Cold Leg Recirculation | |||
22 | |||
MP E-53.10A1 | |||
Notifications | A1-2 | ||
50852066 | MP E-53.10A1 | ||
Drawings | Low Impact External Inspections of Limitorque Motor | ||
Number | Operators | ||
441239 | 1 | ||
441310 | Notifications | ||
50852066 | |||
441317 | 50852180 | ||
50852345 | |||
500628 | 50861001 | ||
507610 | |||
Drawings | |||
Work Orders | Number | ||
64014195 | Title | ||
Miscellaneous | Revision | ||
Number | 441239 | ||
Calculation | Unit 2, Single Line Meter and Relay Diagram 480V System | ||
Bus Section 2H | |||
48 | |||
441310 | |||
Unit 2, Schematic Diagram Residual Heat Removal Motor | |||
Operated Valves | |||
31 | |||
441317 | |||
Unit 2, Schematic Diagram Safety Injection System Motor | |||
Operated Valves | |||
19 | |||
500628 | |||
Unit 2, Electrical Diagram of connections, Elevation 115-140 | |||
foot, Area H | |||
26 | |||
507610 | |||
Unit 2, Arrangement of Electrical Equipment at Elevation | |||
100, Area H | |||
16 | |||
Work Orders | |||
64014195 | |||
Miscellaneous | |||
Number | |||
Title | |||
Revision | |||
Calculation | |||
SDP16-02 | |||
SI-2-8982B Failure to Open During PEP V-7B in 2R19 due | |||
to Damaged Closed Position Switch for 8700B | |||
0 | |||
Significance Determination Basis: | |||
Attachment 2 | |||
Significance Determination | |||
Significance Determination Basis: | |||
(a) | |||
Screening Logic | |||
Minor Question: In accordance with NRC Inspection Manual Chapter 0612, | |||
Appendix B, Issue Screening, the finding was determined to be more than minor | |||
because it was associated with the procedure quality attribute of the Mitigating | |||
Systems Cornerstone, and affected the associated cornerstone objective to ensure | |||
availability, reliability, and capability of systems that respond to initiating events to | |||
prevent undesirable consequences. Specifically, the performance deficiency | |||
associated with the inadequate maintenance procedure resulted in inadequate | |||
criteria to ensure limit switch adjustments did not result in overtravel of the actuating | |||
lever for valve RHR-2-8700B. This resulted in a subsequent failure of limit switch | |||
POS-648, affecting the availability of the ECCS because this limit switch provides the | |||
open permissive signal for valve SI-2-8982B, the containment sump suction for the | |||
RHR system. | |||
Initial Characterization: Using Manual Chapter 0609, Attachment 4, Initial | |||
Characterization of Findings, the inspectors determined that the finding could be | |||
evaluated using the significance determination process. In accordance with Table 3, | |||
SDP Appendix Router, the inspectors determined that the subject finding should be | |||
processed through Appendix A, The Significance Determination Process (SDP) for | |||
Findings At-Power, Exhibit 2, Mitigating Systems Screening Questions, dated | |||
July 1, 2012. | |||
Issue Screening: In accordance with NRC Inspection Manual Chapter 0609, | |||
Appendix A, Exhibit 2, Mitigating Systems Screening Questions, the inspectors | |||
determined that the finding required a detailed risk evaluation because it represented | |||
an actual loss of function of the Unit 2 train B ECCS for greater than its technical | |||
specification allowed outage time (i.e., 14 days). A senior reactor analyst performed | |||
a detailed risk evaluation in accordance with IMC 0609, Appendix A, Section 6.0, | |||
Detailed Risk Evaluation. | |||
Results: The detailed risk evaluation result is an increase in core damage frequency | |||
from the performance deficiency of 7.6E-6/year, characterizing the significance of the | |||
finding to be of low to moderate safety significance. This estimate used best | |||
available information and estimated the increase in core damage frequency to | |||
be 7.1E-6/year from internal events and 5.4E-7/year from external events. | |||
(b) | |||
Detailed Risk Evaluation: | |||
(1) | |||
Assumptions | |||
Exposure time. The exposure time was 286 days. The licensee last successfully | |||
tested valve SI-2-8982B and the interlock associated with POS-648 on | |||
October 22, 2014. Valve SI-2-8982B failed to open 572 days later on May 16, | |||
2016. Since the inception of the failure of the limit switch after the last operation | |||
could not be determined, the analyst used a t/2 approached and assumed the | |||
exposure time to be half of 572 days, or 286 days. Repair time was not added | |||
A2-2 | |||
because the deficiency was discovered and returned to a functional status during | |||
an outage when the valve was not needed. | |||
Recovery. Overall recovery was assumed to have a failure probability of 2.4E-1 | |||
for small break LOCAs and smaller medium break LOCAs (MLOCAs); 3.4E-2 for | |||
seal LOCAs; and 1.0 for larger MLOCAs. Two methods of recovery were | |||
available - (1) local manual valve operation, and (2) electrical bypassing of the | |||
interlock through manual contactor operation. The derivation of these recoveries | |||
is covered in the Internal Events section of this evaluation. | |||
Common cause. The increased potential for common cause failure of Valve | |||
SI-2-8982A, the same valve on the redundant train, was considered applicable. | |||
The analyst was unaware of any programmatic licensee action to defend against | |||
common cause failure; therefore, the analyst set the failure of valve SI-2-8982B | |||
to TRUE in the SPAR model. This increased the probability of common cause | |||
failure of Valve SI-2-8982A from 3.6E-5 to 3.8E-2. | |||
The analyst also considered the remaining valves installed on Units 1 and 2 with | |||
externally mounted limit switches that receive the same maintenance as the | |||
valve that is the subject of the performance deficiency. For Unit 1, the analyst | |||
determined that the issue would be of very low safety significance since there | |||
was not an actual failure of a component. | |||
For Unit 2, the remaining valves would not result in a significant increase in risk | |||
because the external limit switches are either 1) only associated with an | |||
annunciator function, 2) only associated with an equipment interlock function that | |||
is not used in an accident scenario or, 3) only associated with an equipment | |||
interlock function needed for long-term containment pressure control. | |||
Operating history. The analyst assumed the plant operated at power or at | |||
(2) Internal Events | shutdown conditions above those that necessitated operation of the RHR system | ||
for decay heat removal during the entire exposure time. This allowed the analyst | |||
to use the at-power SPAR model for the entire exposure time. | |||
(2) | |||
Internal Events | |||
Background / Introduction. The results of the probabilistic risk assessment (PRA) | |||
tool showed that the performance deficiency affected two initiators - small break | |||
loss of coolant accidents (SLOCA) and MLOCA. These events are characterized | |||
by reactor coolant leaking from the reactor coolant system, which would act to | |||
lower inventory and pressure of the reactor coolant system. In response to the | |||
loss of coolant and system pressure, a safety injection actuation signal actuates | |||
to start ECCS pumps. These pumps include both RHR pumps, both safety | |||
injection pumps, and both charging pumps. These pumps take suction from the | |||
refueling water storage tank, pump water into the reactor coolant system, which | |||
in turn leaks out of the break and into the containment where it collects in the | |||
containment recirculation sump. When the refueling water storage tank level | |||
reaches 33 percent level, operators secure the RHR pumps and perform valve | |||
manipulations to swap the suction of the emergency core cooling pumps from the | |||
refueling water storage tank to the containment recirculation sump. Valve | |||
SI-2-8982B is the first valve in the flowpath leading from the containment sump. | |||
The inability to open valve SI-2-8982B renders train B of core cooling inoperable | |||
during the recirculation phase of LOCAs. The licensee would have options to | |||
recover and open the valve, which are discussed in this evaluation. The licensee | |||
would also have the redundant train A flowpath available to successfully cool the | A2-3 | ||
reactor core if valve SI-2-8982B were unrecoverable. PRA demonstrates that the | during the recirculation phase of LOCAs. The licensee would have options to | ||
dominant core damage sequences involve failures of the train A flowpath and the | recover and open the valve, which are discussed in this evaluation. The licensee | ||
inability to recover valve SI-2-8982B. | would also have the redundant train A flowpath available to successfully cool the | ||
Small Break Loss of Coolant Accidents | reactor core if valve SI-2-8982B were unrecoverable. PRA demonstrates that the | ||
For the purposes of this evaluation, SLOCA include pipe breaks up to 2 inches, | dominant core damage sequences involve failures of the train A flowpath and the | ||
catastrophic reactor coolant pump seal failures (seal LOCAs), and seal LOCAs | inability to recover valve SI-2-8982B. | ||
caused by losses of cooling to the reactor coolant pump seals (brought about by | Small Break Loss of Coolant Accidents | ||
loss of power to cooling for the seals). | For the purposes of this evaluation, SLOCA include pipe breaks up to 2 inches, | ||
SLOCA comprises 26.0 percent of the increase in core damage frequency. The | catastrophic reactor coolant pump seal failures (seal LOCAs), and seal LOCAs | ||
results are driven by the failure of valve SI-2-8982B, failures of train A flowpath | caused by losses of cooling to the reactor coolant pump seals (brought about by | ||
for recirculation sump flow, and the ability or inability to operate valve SI-2-8982B | loss of power to cooling for the seals). | ||
by alternative means. | SLOCA comprises 26.0 percent of the increase in core damage frequency. The | ||
The primary contributor of failures of the train A flowpath is attributed to an | results are driven by the failure of valve SI-2-8982B, failures of train A flowpath | ||
increased probability of common cause failure of its sump valve SI-2-8982A. | for recirculation sump flow, and the ability or inability to operate valve SI-2-8982B | ||
Because valve SI-2-8982B failed and valve SI-2-8982A is subject to the same | by alternative means. | ||
environment, maintenance, testing, etc., valve SI-2-8982A is exposed to an | The primary contributor of failures of the train A flowpath is attributed to an | ||
increased probability of failure. The common cause failure of SI-2-8982A | increased probability of common cause failure of its sump valve SI-2-8982A. | ||
comprises approximately two-thirds of the increase in core damage frequency | Because valve SI-2-8982B failed and valve SI-2-8982A is subject to the same | ||
from SLOCAs. The remainder of the increase in core damage frequency comes | environment, maintenance, testing, etc., valve SI-2-8982A is exposed to an | ||
from power failures to components in the train A flowpath, valve failures in the | increased probability of failure. The common cause failure of SI-2-8982A | ||
flowpath, and pumps failures in the flowpath. | comprises approximately two-thirds of the increase in core damage frequency | ||
Recovery of valve SI-2-8982B through alternative means is also a contributor. | from SLOCAs. The remainder of the increase in core damage frequency comes | ||
These alternative means include either electrical operation by use of the motor | from power failures to components in the train A flowpath, valve failures in the | ||
contactors or manually by accessing the valve and operating the handwheel on | flowpath, and pumps failures in the flowpath. | ||
the valve. | Recovery of valve SI-2-8982B through alternative means is also a contributor. | ||
Recovery of Valve SI-2-8982B | These alternative means include either electrical operation by use of the motor | ||
Recovery actions to open valve SI-2-8982B are available by two alternate | contactors or manually by accessing the valve and operating the handwheel on | ||
means, either electrically by use of the motor contactors, or manually by | the valve. | ||
accessing the valve and operating the handwheel on the valve. In developing | Recovery of Valve SI-2-8982B | ||
their assessment of the success probability of recovering valve SI-2-8982B, the | Recovery actions to open valve SI-2-8982B are available by two alternate | ||
licensee interviewed operators who indicated that both recoveries would be | means, either electrically by use of the motor contactors, or manually by | ||
pursued in parallel. | accessing the valve and operating the handwheel on the valve. In developing | ||
1. Electrical operation of Valve SI-2-8982A by use of motor contactors. This | their assessment of the success probability of recovering valve SI-2-8982B, the | ||
recovery option takes advantage of the ability to bypass the interlock circuitry, | licensee interviewed operators who indicated that both recoveries would be | ||
which is the subject of the performance deficiency, preventing valve SI-2-8982B | pursued in parallel. | ||
from opening. Manual operation of the electrical contactors provided line power | 1. Electrical operation of Valve SI-2-8982A by use of motor contactors. This | ||
directly to the motor operator for valve SI-2-8982B. Operation of the electrical | recovery option takes advantage of the ability to bypass the interlock circuitry, | ||
contactors could be successful if properly performed, but inspectors found | which is the subject of the performance deficiency, preventing valve SI-2-8982B | ||
several impediments to absolute success. | from opening. Manual operation of the electrical contactors provided line power | ||
directly to the motor operator for valve SI-2-8982B. Operation of the electrical | |||
contactors could be successful if properly performed, but inspectors found | |||
several impediments to absolute success. | |||
The first potential impediment was the adequacy of procedural guidance used for | |||
the electrical operation recovery option. The direction to pursue recovery paths | |||
to open valve SI-2-8982B is contained in Emergency Operating Procedure (EOP) | A2-4 | ||
Emergency Contingency Action (ECA) 1.1, Loss of Emergency Coolant | The first potential impediment was the adequacy of procedural guidance used for | ||
Recirculation, Revision 21. Step 2 of ECA 1.1 instructs operators to restore | the electrical operation recovery option. The direction to pursue recovery paths | ||
emergency coolant recirculation equipment by several means. Step 2.d has | to open valve SI-2-8982B is contained in Emergency Operating Procedure (EOP) | ||
operators check power available to valves required for recirculation swap over | Emergency Contingency Action (ECA) 1.1, Loss of Emergency Coolant | ||
and refer to an appendix with valve power supplies. The performance deficiency | Recirculation, Revision 21. Step 2 of ECA 1.1 instructs operators to restore | ||
would not result in a loss of the valves main power supply. Instead, the | emergency coolant recirculation equipment by several means. Step 2.d has | ||
performance deficiency would result in the main-line contacts being held open by | operators check power available to valves required for recirculation swap over | ||
the control circuit for valve SI-2-8982B. The analyst considered this an | and refer to an appendix with valve power supplies. The performance deficiency | ||
impediment to recovery because the procedure did not explicitly call out actions | would not result in a loss of the valves main power supply. Instead, the | ||
for a loss of control power to the motor operator. The analyst concluded from the | performance deficiency would result in the main-line contacts being held open by | ||
licensees analysis that operator experience would guide them to use Step 2.d as | the control circuit for valve SI-2-8982B. The analyst considered this an | ||
the best fit for troubleshooting and take the steps response not obtained action | impediment to recovery because the procedure did not explicitly call out actions | ||
to locally operate the valves as required. The analyst judged that local | for a loss of control power to the motor operator. The analyst concluded from the | ||
operations are at the location of the valve, not in the electrical cabinet located | licensees analysis that operator experience would guide them to use Step 2.d as | ||
away from the valve, and that this action to locally operate the valve did not | the best fit for troubleshooting and take the steps response not obtained action | ||
specifically address use of the electrical contactors. Again, the analyst | to locally operate the valves as required. The analyst judged that local | ||
determined, based on interviews and discussions with the licensee, that operator | operations are at the location of the valve, not in the electrical cabinet located | ||
experience and training could employ this as an option even though it is not | away from the valve, and that this action to locally operate the valve did not | ||
explicitly called for in the emergency procedure. | specifically address use of the electrical contactors. Again, the analyst | ||
The licensee established procedure O-22, Emergency Operation of Motor | determined, based on interviews and discussions with the licensee, that operator | ||
Operated Valves, Revision 6 to operate motor operated valves through use of | experience and training could employ this as an option even though it is not | ||
the motor contactor. Procedure O-22 requires phone communication between | explicitly called for in the emergency procedure. | ||
the control board operator in the control room and the operator in the field at the | The licensee established procedure O-22, Emergency Operation of Motor | ||
cabinet when operating the valve. Inspectors toured the licensees training | Operated Valves, Revision 6 to operate motor operated valves through use of | ||
facilities used to instruct operators on how to locally operate contactors. The | the motor contactor. Procedure O-22 requires phone communication between | ||
inspectors noted that the electrical cabinet used to train operators used a | the control board operator in the control room and the operator in the field at the | ||
Telemecanique brand contactor, different from the Westinghouse Cutler Hammer | cabinet when operating the valve. Inspectors toured the licensees training | ||
brand contactors installed in the cabinet for valve SI-2-8982B. The different | facilities used to instruct operators on how to locally operate contactors. The | ||
contactors have different operating methods. To operate the Telemecanique | inspectors noted that the electrical cabinet used to train operators used a | ||
contactors, operators insert non-conducting rods above and below the contactor | Telemecanique brand contactor, different from the Westinghouse Cutler Hammer | ||
of interest. To operate the Westinghouse contactors, operators depress a gray | brand contactors installed in the cabinet for valve SI-2-8982B. The different | ||
plastic armature position indicator. | contactors have different operating methods. To operate the Telemecanique | ||
The analyst concluded that the difference in layout and methods of operating | contactors, operators insert non-conducting rods above and below the contactor | ||
contactors between the training electrical cabinet and the plant electrical cabinet | of interest. To operate the Westinghouse contactors, operators depress a gray | ||
would present challenges to successful operation of the contactor. Also, during a | plastic armature position indicator. | ||
walkdown with the licensee electricians, the inspectors noted that the electrical | The analyst concluded that the difference in layout and methods of operating | ||
cabinet for valve SI-2-8982B housed both the open and close contactors. | contactors between the training electrical cabinet and the plant electrical cabinet | ||
However, these contactors are not labelled such that an operator could tell which | would present challenges to successful operation of the contactor. Also, during a | ||
contactor was the open contactor. | walkdown with the licensee electricians, the inspectors noted that the electrical | ||
The inspectors noted that Procedure O-22, Attachment 2, provided a typical | cabinet for valve SI-2-8982B housed both the open and close contactors. | ||
cabinet layout for motor-operated valves in the plant. This diagram showed the | However, these contactors are not labelled such that an operator could tell which | ||
open contactor located above the close contactor. During the walkdown, the | contactor was the open contactor. | ||
inspectors asked electrical personnel if the orientation illustrated in | The inspectors noted that Procedure O-22, Attachment 2, provided a typical | ||
Procedure O-22, Attachment 2, was the same orientation for the cabinet for valve | cabinet layout for motor-operated valves in the plant. This diagram showed the | ||
SI-2-8982B. After approximately 6 minutes of inspecting the cabinet with the | open contactor located above the close contactor. During the walkdown, the | ||
inspectors asked electrical personnel if the orientation illustrated in | |||
Procedure O-22, Attachment 2, was the same orientation for the cabinet for valve | |||
SI-2-8982B. After approximately 6 minutes of inspecting the cabinet with the | |||
electrical schematic diagram, the three electrical personnel determined that the | |||
orientation was opposite of that illustrated in Procedure O-22, because the close | |||
contactor was located above the open contactor. The analyst considered these | A2-5 | ||
aspects to be additional impediments to successful operation of the valve. | electrical schematic diagram, the three electrical personnel determined that the | ||
The inspectors noted that prior to Step 6.11, the step instructing operators to | orientation was opposite of that illustrated in Procedure O-22, because the close | ||
locate the appropriate contactor, Procedure O-22 included a boxed Note that | contactor was located above the open contactor. The analyst considered these | ||
read, Those contactors that cant be clearly identified may require assistance | aspects to be additional impediments to successful operation of the valve. | ||
from engineering or maintenance for positive identification. | The inspectors noted that prior to Step 6.11, the step instructing operators to | ||
The analyst concluded that Procedure O-22, Attachment 2 that provided a typical | locate the appropriate contactor, Procedure O-22 included a boxed Note that | ||
cabinet layout for motor operated valves, created a likelihood that some | read, Those contactors that cant be clearly identified may require assistance | ||
operators would consider the valve SI-2-8982B contactor orientation typical and | from engineering or maintenance for positive identification. | ||
not heed this note. The analyst also considered that to follow the note, additional | The analyst concluded that Procedure O-22, Attachment 2 that provided a typical | ||
time is required to have an engineer or electrician report to the cabinet, obtain | cabinet layout for motor operated valves, created a likelihood that some | ||
the proper electrical print, and trace the cabinet wiring to ascertain which | operators would consider the valve SI-2-8982B contactor orientation typical and | ||
contactor was the open contactor and which contactor was the close contactor. | not heed this note. The analyst also considered that to follow the note, additional | ||
This additional time affects the time available to open the valve using the | time is required to have an engineer or electrician report to the cabinet, obtain | ||
electrical contractor and adversely influences the success rate of this action. The | the proper electrical print, and trace the cabinet wiring to ascertain which | ||
analyst also noted that operation of the contactors would require a screwdriver to | contactor was the open contactor and which contactor was the close contactor. | ||
defeat the door latch breaker trip and the operator would have to be dressed in | This additional time affects the time available to open the valve using the | ||
an arc flash suit which the operator would have to obtain prior to this action. | electrical contractor and adversely influences the success rate of this action. The | ||
The consequences of operating the incorrect contactor are potentially severe. If | analyst also noted that operation of the contactors would require a screwdriver to | ||
the licensee personnel operated the close contactor thinking they were opening | defeat the door latch breaker trip and the operator would have to be dressed in | ||
the valve, the valve motor would drive the valve in the close direction with all of | an arc flash suit which the operator would have to obtain prior to this action. | ||
the motor-operated valve protective features bypassed. Because the valve is | The consequences of operating the incorrect contactor are potentially severe. If | ||
already closed, the motor would be in a stall condition and motor current would | the licensee personnel operated the close contactor thinking they were opening | ||
be at or near locked rotor amperage. The potential consequences of this | the valve, the valve motor would drive the valve in the close direction with all of | ||
mis-operation could include motor damage or burnout. | the motor-operated valve protective features bypassed. Because the valve is | ||
The analyst included these factors in the human reliability analyses performed | already closed, the motor would be in a stall condition and motor current would | ||
using the SPAR-H method. | be at or near locked rotor amperage. The potential consequences of this | ||
With the two methods performed in parallel (i.e., electrical contactors and manual | mis-operation could include motor damage or burnout. | ||
valve manipulation methods), the inspectors concluded that the electrical | The analyst included these factors in the human reliability analyses performed | ||
contactor method would be ready for attempted use first. The assumed timing | using the SPAR-H method. | ||
was: | With the two methods performed in parallel (i.e., electrical contactors and manual | ||
valve manipulation methods), the inspectors concluded that the electrical | |||
contactor method would be ready for attempted use first. The assumed timing | |||
was: | |||
Action | |||
Time | |||
(minutes) | |||
Total time | |||
(hh:mm) | |||
Briefing the operation | |||
15 | |||
00:15 | |||
Gather tools, dress out in arc flash suit, report to | |||
breaker, open cabinet | |||
20 | |||
00:35 | |||
Recognize no labelling, summons electrician to | |||
cabinet | |||
10 | |||
00:45 | |||
Obtain electrical print | |||
10 | |||
00:55 | |||
Operate contactor (valve) | |||
When added to the 10 minutes assumed to attempt swap over to recirculation | |||
and 30 minutes assumed to troubleshoot the issue, diagnose indications, and | A2-6 | ||
decide on a course of action, the analyst estimated a total time to success of | Operate contactor (valve) | ||
approximately 1 hour and 40 minutes. | 5 | ||
The analyst used these points to obtain the following human reliability analysis: | 01:00 | ||
When added to the 10 minutes assumed to attempt swap over to recirculation | |||
and 30 minutes assumed to troubleshoot the issue, diagnose indications, and | |||
decide on a course of action, the analyst estimated a total time to success of | |||
approximately 1 hour and 40 minutes. | |||
The analyst used these points to obtain the following human reliability analysis: | |||
Electrical Recovery - Diagnosis (=1E-2) | |||
Time Available | |||
Extra | |||
0.1 | |||
The 1:40 hour time to diagnose and | |||
perform gives extra time when | |||
compared to the licensees estimate | |||
of 2:35 hour to deplete the RWST | |||
(applying both diagnosis and | |||
action). The time from a depleted | |||
RWST until occurrence of core | |||
damage was also considered. | |||
Stress | |||
High | |||
2 | |||
The level of stress would be higher | |||
than the nominal level due to | |||
unexpected alarms being present | |||
and consequences that could | |||
threaten plant safety. | |||
Complexity | |||
Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
performance shaping factor (PSF) | |||
from Nominal. | |||
Experience/Training Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
PSF from Nominal. | |||
Procedures | |||
Incomplete | |||
20 | |||
Task instructions are absent to | |||
guide the operator to the | |||
appropriate electrical contactor | |||
operation | |||
Ergonomics | |||
Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
PSF from Nominal. | |||
Fitness For Duty | |||
Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
PSF from Nominal. | |||
Work Processes | |||
Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
PSF from Nominal. | |||
Result = 4E-2 = 0.1 x 2 x 1 x 1 x 20 x 1 x 1 x 1 x 1E-2 | |||
A2-7 | |||
Electrical Recovery - Action (=1E-3) | |||
Time Available | |||
Extra | |||
0.1 | |||
The 1:40 hour time to diagnose and | |||
perform gives extra time when | |||
compared to the licensees estimate | |||
of 2:35 hour to deplete the RWST | |||
(applying both diagnosis and | |||
action). The time from a depleted | |||
RWST until occurrence of core | |||
damage was also considered. | |||
Stress | |||
High | |||
2 | |||
The level of stress would be higher | |||
than the nominal level due to | |||
unexpected alarms being present | |||
and consequences that could | |||
threaten plant safety. | |||
Complexity | |||
Highly | |||
5 | |||
The evolution involved equipment | |||
line-up that involved defeated | |||
interlocks on valves, a highly | |||
complex task. | |||
Experience/Training Low | |||
3 | |||
Different contactors were present in | |||
the cabinet than were trained on | |||
during operator training. | |||
Procedures | |||
Incomplete | |||
20 | |||
The procedure provided operators | |||
Combining diagnosis and action (4.0E-2 + 3.8E-1) yielded a failure probability of | with a generic orientation of the | ||
4.2E-1. | contactors which did not match the | ||
2. Manual operation of Valve SI-2-8982A by handwheel. This recovery action | in-plant configuration. The note for | ||
involves operators utilizing the handwheel to open valve SI-2-8982B. The | operators to seek assistance is not | ||
analyst considered the diagnosis to employ this option to be similar to the | explicit, stating that the situation .. | ||
decision for electrical contactor operation, except Procedure ECA 1.1 was | may require assistance.. | ||
appropriate in directing local manual valve operations. Also the analyst | Ergonomics | ||
concluded the assumption of 10 minutes to attempt swap over to recirculation | Poor | ||
and 30 minutes to troubleshoot the issue, diagnose indications, and decide on a | 10 | ||
The contactors in the panel are not | |||
labelled causing poor human- | |||
machine interface. | |||
Fitness For Duty | |||
Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
PSF from Nominal. | |||
Work Processes | |||
Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
PSF from Nominal. | |||
PSF = 0.1 x 2 x 5 x 3 x 20 x 10 x 1 x 1 = 600 | |||
Result = 3.8E-1 = 1E-3 x 600 / [1E-3 x (600 - 1)] + 1 | |||
Combining diagnosis and action (4.0E-2 + 3.8E-1) yielded a failure probability of | |||
4.2E-1. | |||
2. Manual operation of Valve SI-2-8982A by handwheel. This recovery action | |||
involves operators utilizing the handwheel to open valve SI-2-8982B. The | |||
analyst considered the diagnosis to employ this option to be similar to the | |||
decision for electrical contactor operation, except Procedure ECA 1.1 was | |||
appropriate in directing local manual valve operations. Also the analyst | |||
concluded the assumption of 10 minutes to attempt swap over to recirculation | |||
and 30 minutes to troubleshoot the issue, diagnose indications, and decide on a | |||
course of action that was appropriate for diagnosis of this action. The inspectors | |||
considered that the local manual valve operation path would present operators | |||
with the decision to incur more dose, face uncertain environmental and | A2-8 | ||
radiological factors at the valve, the potential to introduce a containment bypass | course of action that was appropriate for diagnosis of this action. The inspectors | ||
flowpath, and the manual handwheel option requires more time than the | considered that the local manual valve operation path would present operators | ||
electrical contactor option. In their analysis, the licensee considered this local | with the decision to incur more dose, face uncertain environmental and | ||
manual valve operation as the sole credited recovery option. However, for the | radiological factors at the valve, the potential to introduce a containment bypass | ||
previously stated reasons, the analyst concluded this option would be employed | flowpath, and the manual handwheel option requires more time than the | ||
after the electrical contactor option. | electrical contactor option. In their analysis, the licensee considered this local | ||
The inspectors noted several attributes of this action made it more complex. The | manual valve operation as the sole credited recovery option. However, for the | ||
valve is located adjacent to the containment in a special chamber. The chamber | previously stated reasons, the analyst concluded this option would be employed | ||
has an enclosed environment that may become radioactively contaminated | after the electrical contactor option. | ||
following a LOCA. The licensee would need to implement actions to sample the | The inspectors noted several attributes of this action made it more complex. The | ||
environment for suitable breathing to prevent a radioactive intake. Alternatively, | valve is located adjacent to the containment in a special chamber. The chamber | ||
an operator would have to don protective clothing to prevent contaminating | has an enclosed environment that may become radioactively contaminated | ||
himself, don a respirator, climb a ladder to enter the chamber, and operate the | following a LOCA. The licensee would need to implement actions to sample the | ||
valve. Any leakage from this valve (e.g., packing leakage) could serve to | environment for suitable breathing to prevent a radioactive intake. Alternatively, | ||
pressurize this chamber and require additional protective clothing to prevent | an operator would have to don protective clothing to prevent contaminating | ||
contamination. To access the valve inside of the chamber, the licensee needs to | himself, don a respirator, climb a ladder to enter the chamber, and operate the | ||
remove 32 nuts, which act to secure the chamber. This additional time affects | valve. Any leakage from this valve (e.g., packing leakage) could serve to | ||
the time available to open the valve and adversely influences the success rate of | pressurize this chamber and require additional protective clothing to prevent | ||
this action. | contamination. To access the valve inside of the chamber, the licensee needs to | ||
The licensee estimated 90 minutes would be required to brief personnel, gather | remove 32 nuts, which act to secure the chamber. This additional time affects | ||
tools, and open the manway. Next the licensee estimated 10 minutes to open | the time available to open the valve and adversely influences the success rate of | ||
the valve. The analyst noted that according to licensee information, the valve | this action. | ||
would take 468 turns of the handwheel to open the valve. Factoring in fatigue | The licensee estimated 90 minutes would be required to brief personnel, gather | ||
from repetitive motion along with potentially cumbersome clothing in a hot | tools, and open the manway. Next the licensee estimated 10 minutes to open | ||
environment, 25 minutes (or one turn approximately every 3 seconds) would be | the valve. The analyst noted that according to licensee information, the valve | ||
required. This makes the timeline as follows for execution: | would take 468 turns of the handwheel to open the valve. Factoring in fatigue | ||
from repetitive motion along with potentially cumbersome clothing in a hot | |||
environment, 25 minutes (or one turn approximately every 3 seconds) would be | |||
required. This makes the timeline as follows for execution: | |||
Action | |||
Time | |||
When added to the 10 minutes assumed to attempt swap over to recirculation | (minutes) | ||
and 30 minutes assumed to troubleshoot the issue, diagnose indications, and | Total time | ||
decide on a course of action, the total time to success was estimated to be | (hh:mm) | ||
approximately 2 hours and 35 minutes (2.6 hours). | Briefing the operation, gather tools, and open | ||
manway | |||
90 | |||
01:30 | |||
Operate valve | |||
25 | |||
01:55 | |||
When added to the 10 minutes assumed to attempt swap over to recirculation | |||
and 30 minutes assumed to troubleshoot the issue, diagnose indications, and | |||
decide on a course of action, the total time to success was estimated to be | |||
approximately 2 hours and 35 minutes (2.6 hours). | |||
The analyst used these points to obtain the following human reliability analysis: | |||
A2-9 | |||
The analyst used these points to obtain the following human reliability analysis: | |||
Mechanical Recovery - Diagnosis (=1E-2) | |||
Time Available | |||
Nominal | |||
1 | |||
The 2:35 hour time to diagnose and | |||
perform gives nominal time when | |||
compared to the licensees estimate | |||
of 2:35 hour to deplete the RWST | |||
(applying both diagnosis and action). | |||
Combined with the time from a | |||
depleted RWST until occurrence of | |||
core damage. | |||
Stress | |||
High | |||
2 | |||
The level of stress would be higher | |||
than the nominal level due to | |||
unexpected alarms being present | |||
and consequences that could | |||
threaten plant safety. | |||
Complexity | |||
Moderate | |||
2 | |||
Several variables are involved in | |||
diagnoses including the knowledge | |||
of introducing a potential | |||
containment bypass path. | |||
Experience/Training Nominal | |||
1 | |||
Adequate amount of instruction to | |||
perform. | |||
Procedures | |||
Nominal | |||
1 | |||
Evaluated not to be a performance | |||
driver. | |||
Ergonomics | |||
Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
PSF from Nominal. | |||
Fitness For Duty | |||
Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
PSF from Nominal. | |||
Work Processes | |||
Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
PSF from Nominal. | |||
Result = 4.0E-2 = 1 x 2 x 2 x 1 x 1 x 1 x 1 x 1 | |||
Mechanical Recovery - Action (=1E-3) | |||
Time Available | |||
Nominal | |||
1 | |||
The 2:35 hour time to diagnose and | |||
perform gives nominal time when | |||
compared to the licensees estimate | |||
of 2:35 hour to deplete the RWST | |||
(applying both diagnosis and | |||
action). Combine with the time from | |||
a depleted RWST until occurrence | |||
of core damage. | |||
Stress | |||
High | |||
2 | |||
The level of stress would be higher | |||
than the nominal level due to | |||
unexpected alarms being present | |||
and consequences that could | |||
threaten plant safety. | |||
A2-10 | |||
Mechanical Recovery - Action (=1E-3) | |||
Complexity | |||
Nominal | |||
1 | |||
Little ambiguity existed in what | |||
needs to be performed | |||
Experience/Training Low | |||
3 | |||
The licensee was unable to provide | |||
prior examples where the valve was | |||
operated manually by operators. | |||
Operators are not trained on manual | |||
valve operations inside the | |||
chamber. | |||
Procedures | |||
Incomplete | |||
20 | |||
References for task instructions for | |||
opening the chamber are absent. | |||
Operators would have to refer to an | |||
outage procedure for guidance on | |||
opening the chamber. | |||
Ergonomics | |||
Poor | |||
10 | |||
Poor human-machine interface is | |||
present. Access to the valve | |||
chamber requires a ladder. In | |||
chamber, the operator would be | |||
Combining diagnosis and action (4.0E-2 + 5.4E-1) yielded a failure probability of | manipulating the valve, possibly in a | ||
5.8E-1. | respirator and wearing protective | ||
Net effect. The analyst assumed the licensee would always have and attempt the | clothing. Operation of the valve | ||
electrical contactor option first. The SPAR-H analysis yielded a result that | would be in a hot environment, with | ||
58 percent (failure rate = 4.2E-1) of the time the licensee would successfully | awkward and tight clearances | ||
open the valve via the electrical contactor method. The analyst then assumed | relative to the chamber walls. | ||
that failure to select the correct contactor to operate the valve would result in | Fitness For Duty | ||
damage to the valves electric motor, requiring the licensee to utilize the | Nominal | ||
mechanical recovery option with the failure rate derived by SPAR-H (5.8E-1) for | 1 | ||
manual valve operations. This yielded an effective failure rate of 2.4E-1, | No event information is available to | ||
calculated as follows: | warrant a change in this diagnosis | ||
PSF from Nominal. | |||
Work Processes | |||
Nominal | |||
1 | |||
No event information is available to | |||
warrant a change in this diagnosis | |||
PSF from Nominal. | |||
PSF = 1 x 2 x 1 x 3 x 20 x 10 x 1 x 1 = 1200 | |||
Result = 5.4E-1 = 1E-3 x 1200 / [1E-3 x (1200 - 1)] + 1 | |||
Combining diagnosis and action (4.0E-2 + 5.4E-1) yielded a failure probability of | |||
5.8E-1. | |||
Net effect. The analyst assumed the licensee would always have and attempt the | |||
electrical contactor option first. The SPAR-H analysis yielded a result that | |||
58 percent (failure rate = 4.2E-1) of the time the licensee would successfully | |||
open the valve via the electrical contactor method. The analyst then assumed | |||
that failure to select the correct contactor to operate the valve would result in | |||
damage to the valves electric motor, requiring the licensee to utilize the | |||
mechanical recovery option with the failure rate derived by SPAR-H (5.8E-1) for | |||
manual valve operations. This yielded an effective failure rate of 2.4E-1, | |||
calculated as follows: | |||
peff = pe x pm | |||
peff = the effective human performance failure rate for both recoveries | |||
pe = the failure rate by electrical contactor operation | |||
pm = the failure rate by local manual valve operation | |||
Catastrophic Seal LOCA. The results of this group is similar to the SLOCA | |||
group. The analyst combined the template events ZT-RCS-MDP-LK-BP1, | |||
Reactor Coolant Pump Seal Stage 1 Integrity Fails (Binding/Popping Open), | A2-11 | ||
and ZT-RCS-MDP-LK-BP2, Reactor Coolant Pump Seal Stage 2 Integrity Fails | Catastrophic Seal LOCA. The results of this group is similar to the SLOCA | ||
(Binding/Popping Open), in the SPAR model to develop an initiating event | group. The analyst combined the template events ZT-RCS-MDP-LK-BP1, | ||
frequency for a catastrophic seal failure event of 2.5E-3/year. The analyst | Reactor Coolant Pump Seal Stage 1 Integrity Fails (Binding/Popping Open), | ||
obtained this failure probability from WCAP-15603, Westinghouse Owners | and ZT-RCS-MDP-LK-BP2, Reactor Coolant Pump Seal Stage 2 Integrity Fails | ||
Group 2000 Reactor Coolant Pump Seal Leakage for Westinghouse Pressurized | (Binding/Popping Open), in the SPAR model to develop an initiating event | ||
Water Reactors. This value matches the initiating event frequency used by the | frequency for a catastrophic seal failure event of 2.5E-3/year. The analyst | ||
licensee in their model within 2 percent. The analyst then applied the conditional | obtained this failure probability from WCAP-15603, Westinghouse Owners | ||
core damage probability from a SLOCA to this initiating event frequency to | Group 2000 Reactor Coolant Pump Seal Leakage for Westinghouse Pressurized | ||
estimate the change in core damage frequency resulting from a catastrophic seal | Water Reactors. This value matches the initiating event frequency used by the | ||
failure with the performance deficiency present. The analyst considered that the | licensee in their model within 2 percent. The analyst then applied the conditional | ||
low leakage rate from a failed reactor coolant pump seal would provide extra time | core damage probability from a SLOCA to this initiating event frequency to | ||
for recovery via the electrical contactor and via the mechanical operation paths. | estimate the change in core damage frequency resulting from a catastrophic seal | ||
This changed the effective recovery from this initiator to 3.4E-2. | failure with the performance deficiency present. The analyst considered that the | ||
Induced Seal LOCA. These reactor coolant leaks result from a loss of cooling to | low leakage rate from a failed reactor coolant pump seal would provide extra time | ||
the reactor coolant pump seals. The dominant initiating events in SPAR which | for recovery via the electrical contactor and via the mechanical operation paths. | ||
lead to induced seal failure are grid related losses of offsite power (LOOP), | This changed the effective recovery from this initiator to 3.4E-2. | ||
switchyard centered LOOPs, and transients. These events represent the | Induced Seal LOCA. These reactor coolant leaks result from a loss of cooling to | ||
smallest contribution to increase in core damage frequency. The analyst | the reactor coolant pump seals. The dominant initiating events in SPAR which | ||
assumed a recovery of 3.4E-2, similar to the recovery of a catastrophic seal | lead to induced seal failure are grid related losses of offsite power (LOOP), | ||
LOCA. | switchyard centered LOOPs, and transients. These events represent the | ||
Medium Break Loss of Coolant Accidents | smallest contribution to increase in core damage frequency. The analyst | ||
In NRC probabilistic risk assessment analyses, MLOCAs are breaks from 2 to | assumed a recovery of 3.4E-2, similar to the recovery of a catastrophic seal | ||
6 inches in size. MLOCAs may or may not increase pressure high enough to | LOCA. | ||
actuate the containment spray actuation signal, which occurs when pressure in | Medium Break Loss of Coolant Accidents | ||
the containment building reaches approximately 22 psig. This actuation signal | In NRC probabilistic risk assessment analyses, MLOCAs are breaks from 2 to | ||
would start the two containment spray pumps that combine to pump around | 6 inches in size. MLOCAs may or may not increase pressure high enough to | ||
5000 gallons per minute from the RWST to the containment. This additional | actuate the containment spray actuation signal, which occurs when pressure in | ||
draw of water from the RWST would lower the available time for operators to | the containment building reaches approximately 22 psig. This actuation signal | ||
take action to open valve SI-2-8982B by the alternative means and therefore | would start the two containment spray pumps that combine to pump around | ||
adversely influence the success rate of these actions. The analyst reviewed | 5000 gallons per minute from the RWST to the containment. This additional | ||
Diablo Canyon PRA Calculation MAAP13-03, Diablo Canyon Power Plant | draw of water from the RWST would lower the available time for operators to | ||
MAAP Success Criteria - Loss of Coolant Accident Definitions, Revision 0, to | take action to open valve SI-2-8982B by the alternative means and therefore | ||
determine at which break size would actuate the containment spray actuation | adversely influence the success rate of these actions. The analyst reviewed | ||
signal and start the containment spray pumps. In this calculation, a 2.9-inch | Diablo Canyon PRA Calculation MAAP13-03, Diablo Canyon Power Plant | ||
break produced an 18 pound per square inch pressure in the containment. The | MAAP Success Criteria - Loss of Coolant Accident Definitions, Revision 0, to | ||
analyst estimated that breaks above 3.5 inches would produce pressure in the | determine at which break size would actuate the containment spray actuation | ||
containment sufficient to start the containment spray pumps. | signal and start the containment spray pumps. In this calculation, a 2.9-inch | ||
From this estimate, the analyst broke MLOCAs into two classes. The first class | break produced an 18 pound per square inch pressure in the containment. The | ||
consisted of breaks between 2 and 3.5 inches in size, not sufficient to start the | analyst estimated that breaks above 3.5 inches would produce pressure in the | ||
containment spray pumps. Based on this 1.5-inch range, the analyst estimated | containment sufficient to start the containment spray pumps. | ||
simplistically that 37.5 percent of the MLOCAs would not cause starting of the | From this estimate, the analyst broke MLOCAs into two classes. The first class | ||
containment spray pumps. Conversely, 62.5 percent of MLOCAs were assumed | consisted of breaks between 2 and 3.5 inches in size, not sufficient to start the | ||
to start containment spray pumps. Once started, the analyst assumed that | containment spray pumps. Based on this 1.5-inch range, the analyst estimated | ||
simplistically that 37.5 percent of the MLOCAs would not cause starting of the | |||
containment spray pumps. Conversely, 62.5 percent of MLOCAs were assumed | |||
to start containment spray pumps. Once started, the analyst assumed that | |||
A2-12 | |||
operators would leave the containment spray pumps running as required by the | |||
emergency operating procedures. | |||
The analyst split the initiating event frequency by this 37.5 - 62.5 percent split | |||
and applied different recovery actions based on the differing times available. For | |||
the 37.5 percent of MLOCAs which would not start the containment spray pumps, | |||
recovery was similar to SLOCAs. | |||
For the 62.5 percent that would actuate containment spray pumps, the analyst | |||
assumed that the RWST would deplete quickly and not allow sufficient time for | |||
recovery. Licensee estimates were that operators would only have around | |||
30 minutes between RWST level of 33 percent and 4 percent. The 33 percent | |||
level is the point where operators would be required to attempt to swap from | |||
injection from the RWST to the containment recirculation sump. The 4 percent | |||
level is the level at which procedures instruct operators to secure all emergency | |||
core cooling pumps, thereby terminating any injection. That difference of | |||
29 percent (33 - 4) would be depleted by the containment spray pumps in | |||
approximately 30 minutes. Actions to operate the motor contactors or locally | |||
manually operate the valve were far in excess of this timing, so the analyst | |||
considered that recovery was not possible. | |||
Summary of Internal Events | |||
The table below summarizes the dominant initiators and their contribution to the | |||
increase in core damage frequency. The overall results were an increase in core | |||
damage frequency of 8.2E-6/year from internal events: | |||
Contributor | |||
Increase in Core Damage | |||
Frequency | |||
SLOCA | |||
(3) External Events | 2.0E-6 | ||
Catastrophic Seal LOCA | |||
1.4E-7 | |||
Induced Seal LOCA | |||
1.1E-9 | |||
Smaller MLOCA | |||
3.8E-8 | |||
Larger MLOCA | |||
4.8E-6 | |||
Total | |||
7.1E-6 | |||
(3) | |||
External Events | |||
The analyst estimated the increase in core damage frequency from all external | |||
events to be 5.4E-7/year, using the individual estimates below. | |||
Seismic. The analyst performed a seismic analysis using Revision 8.23 of the | |||
SPAR model. This analysis used a baseline conditional core damage probability | |||
representing a non-recoverable, switchyard-centered LOOP. The fragilities from | |||
Table AA-2 of Volume 2, External Events, of the Risk Assessment of Operational | |||
A2-13 | |||
Events Handbook were used. The increase in core damage frequency from | |||
seismic events was estimated to be 3.2E-7/year. | |||
High winds. The analyst assumed no risk from high winds due to the historically | |||
low tornadic activity at Diablo Canyon. | |||
Fire. The analyst used information from the licensees fire probabilistic risk | |||
assessment model as the best available information to estimate the increase in | |||
core damage frequency from fires. The licensee received their safety evaluation | |||
for approval of application of NFPA 805 and is in transition to full compliance. | |||
The analyst applied the licensees risk achievement worth value of 1.0452 to the | |||
baseline core damage frequency of 1.70E-5/year to estimate the increase in core | |||
damage frequency from fires to be 6.02E-7/year. Due to the low contribution | |||
relative to the internal events estimation of increase in core damage frequency, | |||
(4) Large Early Release Frequency | the analyst applied a generic recovery failure probability of 2.4E-1 derived from | ||
the SPAR-H for SLOCAs and applied it to all fires. This resulted in an increase in | |||
core damage frequency from fires of 2.2E-7/year. | |||
(4) | |||
Large Early Release Frequency | |||
The analyst reviewed the dominant sequences and compared them to Manual | |||
Chapter 0609, Appendix H, Containment Integrity Significance Determination | |||
Process. The analyst performed a LERF screening to assess whether any of | |||
(5) Uncertainties | the core damage sequences affected by the finding were potential LERF | ||
contributors. The analyst determined that none of the sequences were | |||
significant LERF contributors and the increase in LERF was considered to be | |||
negligible. | |||
(5) | |||
Uncertainties | |||
Analytical | |||
The analyst reviewed the analysis uncertainty for the base case with no recovery | |||
credit for the limited use model with basic event HPI MOV CC 8982B set to | |||
TRUE. The analyst then extrapolated the results to estimate that approximately | |||
75 percent of results from a Monte Carlo distribution resulted in an increase in | |||
core damage frequency between 1.0E-6/year and 1.0E-5/year or less. | |||
Qualitative Considerations | |||
Competing priorities. The detailed risk evaluation only considered the recovery | |||
activities for the failed valve SI-2-8982B. For the core damage sequences of | |||
interest, other plant equipment would malfunction and attempts would be made | |||
to recover them. For example, in a case where the pump on the opposite train of | |||
the recirculation path was not working, operators would be challenged with | |||
additional diagnosis of that problem as well as deciding which recirculation path | |||
was more easily recoverable. This additional diagnosis would divert plant | |||
resources from recovery of valve SI-2-8982B. These competing priorities for | |||
recovery add uncertainty to the detailed risk evaluation performed and would | |||
serve to make recovery more unlikely. | |||
A2-14 | |||
Anecdotal information from a simulated recovery attempt. When the inspectors | |||
walked through operation of the valve SI-2-8982B by use of the electrical | |||
contactors with one engineer and two electricians, these individuals initially | |||
indicated that they would operate the contactors as represented in | |||
Procedure O-22. This operation would act to further close the valve, potentially | |||
causing irreparable damage. When the inspectors pointed this out, the | |||
individuals traced the wiring with the electrical drawing and corrected their | |||
response on the proper contactor they would operate. This was done by | |||
electrical personnel in a training environment. The uncertainty in how electrical | |||
personnel, if summoned to assist, would respond was only considered as | |||
success in the analyses. This information for recovery adds uncertainty to the | |||
detailed risk evaluation performed and would serve to make recovery more | |||
unlikely. | |||
Temperature of the Recirculation Valve Chamber. The temperature of the | |||
recirculation valve chamber at the time operators would be required to enter and | |||
(6) Sensitivities | manipulate valve 8982B is unknown. If the temperature exceeded 130 degrees | ||
Fahrenheit, local manual valve operation could likely be impossible. This lack of | |||
information adds uncertainty and would serve to make recovery more unlikely. | |||
(6) | |||
Sensitivities | |||
The analyst performed sensitivities runs showing the results for various scenarios | |||
altering the influential assumptions: | |||
* | |||
Different assumptions of recovery of the valve: The analyst adjusted the | |||
failure probability for various cases and compared them to the assumed | |||
failure probability in the table below: | |||
Failure Probability | |||
of Recovery | |||
Comment | |||
Increase in Internal | |||
Events CDF | |||
1.1E-2 | |||
98.9% success in recovery | |||
5.0E-6/year | |||
4.0E-2 | |||
96% success in recovery | |||
5.3E-6/year | |||
1.0E-1 | |||
90% success in recovery | |||
6.0E-6/year | |||
2.4E-1 | |||
76% success in recovery | |||
(assumed in analysis) | |||
7.1E-6/year | |||
5.0E-1 | |||
50% success in recovery | |||
9.2E-6/year | |||
No recovery | |||
0% success in recovery | |||
2.0E-5/year | |||
* | |||
The potential for common cause failure of Train A Valve 8982A is not affected | |||
by the failure of Valve 8982B: The analyst estimated the increase of | |||
removing the cutsets which contained the common cause failure of | |||
valve 8982A. Result: Increase in CDF of 2.7E-6/year | |||
A2-15 | |||
* | |||
Consideration that valves 8982A and 8982B were tested in a staggered | |||
scheme: The analyst assumed the valves were tested nine months apart | |||
vice testing both during refueling outages. Result: Increase in CDF of | |||
4.9E-6/year | |||
(7) Licensee Results | * | ||
Use of the licensees MLOCA frequency value combined with SPAR-H | |||
nominal recovery: The analyst used the licensees lower initiating event | |||
frequency value of 2.3E-5/year along with the SPAR-H nominal recovery | |||
value of 1.1E-2. Result: Increase in CDF of 1.6E-6/year | |||
(7) | |||
Licensee Results | |||
The licensee provided the analyst with their analysis. The estimated increase in | |||
core damage frequency was 2.9E-5/year without recovery applied. This value | |||
did not adjust for common cause failure of the train A valve (valve SI-2-8982A). | |||
The analyst estimated that the SPAR model, when adjusted for catastrophic seal | |||
LOCAs and removal of consideration of elevated common cause failure of the | |||
train A valve, would estimate the increase in core damage frequency of | |||
3.3E-5/year. | |||
The licensee derived a failure probability for recovery with the local manual valve | |||
operation of 1.2E-2. When the licensee applied this recovery to their model, they | |||
estimated the increase in core damage frequency to be 7.5E-7/year. The analyst | |||
(8) Model Adjustments | considered that the value of 1.2E-2 for recovery was conservative in light of the | ||
numerous adjustments needed to the performance shaping factors for less than | |||
nominal conditions affecting the recoveries. SPAR-H uses a nominal failure | |||
probability of 1.1E-2, which is near the licensees recovery value. The analyst | |||
considered the application of SPAR-H to provide more realistic estimations of | |||
failure probabilities. | |||
(8) | |||
Model Adjustments | |||
Limited Use Model Version DCAN-RICK-2187 of the Diablo Canyon SPAR | |||
Model, was used with SAPHIRE Version 8.1.4. This version incorporated | |||
modifications to the model derived from the lessons learned from NUREG-2187, | |||
Confirmatory Thermal-Hydraulic Analysis to Support Success Criteria in the | |||
Standardized Plant Analysis Risk Models - Byron Unit 1, Revision 0. The | |||
analyst used the default truncation of 1.0E-11. | |||
}} | }} | ||
Latest revision as of 20:03, 9 January 2025
| ML16277A340 | |
| Person / Time | |
|---|---|
| Site: | Diablo Canyon  |
| Issue date: | 10/03/2016 |
| From: | Troy Pruett NRC/RGN-IV/DRP |
| To: | Halpin E Pacific Gas & Electric Co |
| Jeremy Groom | |
| References | |
| EA-16-168 IR 2016010 | |
| Download: ML16277A340 (30) | |
See also: IR 05000275/2016010
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
REGION IV
1600 E. LAMAR BLVD.
ARLINGTON, TX 76011-4511
October 3, 2016
Mr. Edward D. Halpin
Senior Vice President
and Chief Nuclear Officer
Pacific Gas and Electric Company
Diablo Canyon Power Plant
P.O. Box 56, Mail Code 104/6
Avila Beach, CA 93424
SUBJECT:
DIABLO CANYON POWER PLANT - NRC INSPECTION REPORT
05000275/2016010 AND 05000323/2016010; PRELIMINARY WHITE FINDING
Dear Mr. Halpin:
On September 12, 2016, the U.S. Nuclear Regulatory Commission (NRC) completed an
inspection at your Diablo Canyon Power Plant. On the same date, the NRC inspectors
discussed the results of this inspection with you and other members of your staff. Inspectors
documented the results of this inspection in the enclosed inspection report.
The enclosed inspection report discusses a finding that has preliminarily been determined to be
of low to moderate safety significance (White) that may require additional NRC inspections,
regulatory actions, and oversight. As described in Section 4OA2 of this report, the finding is
associated with an apparent violation of Technical Specification 5.4.1.a, Procedures, for the
failure to develop adequate instructions for the installation of external limit switches on motor-
operated valves. Specifically, Pacific Gas and Electric (PG&E) failed to provide adequate
maintenance instructions for ensuring that these limit switches were operated within the vendor
established overtravel settings. Consequently, the external limit switch for valve RHR-2-8700B,
Unit 2 residual heat removal pump 2-2 suction from the refueling water storage tank, was
installed such that the limit switch was operated beyond the overtravel setting resulting in a
sheared internal roll pin causing the limit switch to fail. The failure of this limit switch resulted in
failure of an input into the open permissive input logic for valve SI-2-8982B, Unit 2 train B
residual heat removal suction from the containment recirculation sump. PG&E restored valve
RHR-2-8700B to operable and replaced affected components, including the limit switch. PG&E
also initiated corrective actions to develop more detailed and appropriate instructions for
installing Namco' Snap Lock position switches.
This finding was assessed based on the best available information using the applicable
Significance Determination Process (SDP). The basis for the NRCs preliminary significance
determination is described in the enclosed report. The NRC performed a detailed risk
evaluation and determined the total resulting incremental conditional core damage
probability for internal and external initiators. Considering the failure mechanism was
E. Halpin
- 2 -
introduced during Refueling Outage 2R17 maintenance in February 2013, and the limit switch
was last successfully tested on October 22, 2014, the NRC evaluated the issue for the period
from October 22, 2014, until the limit switch failure became apparent on May 16, 2016. This
analysis resulted in a preliminary estimate of core damage frequency of 7.6E-06/year,
corresponding to a finding of low to moderate risk significance (White). The NRC will inform you
in writing when the final significance has been determined.
The finding is also an apparent violation of NRC requirements and is being considered for
escalated enforcement action in accordance with the Enforcement Policy, which can be found
on the NRCs Web site at http://www.nrc.gov/about-nrc/regulatory/enforcement/enforce-pol.html.
In accordance with NRC Inspection Manual Chapter 0609, we intend to complete our evaluation
using the best available information and issue our final determination of safety significance
within 90 days of the date of this letter. The significance determination process encourages an
open dialogue between the NRC staff and the licensee; however, the dialogue should not
impact the timeliness of the staffs final determination.
Before we make a final decision on this matter, we are providing you with an opportunity to
(1) attend a Regulatory Conference where you can present to the NRC your perspective on the
facts and assumptions the NRC used to arrive at the finding and assess its significance, or
(2) submit your position on the finding to the NRC in writing. If you request a Regulatory
Conference, it should be held within 40 days of the receipt of this letter, and we encourage you
to submit supporting documentation at least one week prior to the conference in an effort to
make the conference more efficient and effective. The focus of the Regulatory Conference is to
discuss the significance of the finding and not necessarily the root cause or corrective actions
associated with the finding. If a Regulatory Conference is held, it will be open for public
observation. If you decide to submit only a written response, such submittal should be sent to
the NRC within 40 days of your receipt of this letter. If you decline to request a Regulatory
Conference or to submit a written response, you relinquish your right to appeal the final SDP
determination, in that by not doing either, you fail to meet the appeal requirements stated in the
Prerequisite and Limitation sections of Attachment 2 of NRC Inspection Manual Chapter 0609.
Please contact Jeremy Groom at (817) 200-1148 and in writing within 10 days from the issue
date of this letter to notify the NRC of your intentions. If we have not heard from you within
10 days, we will continue with our significance determination and enforcement decision. The
final resolution of this matter will be conveyed in separate correspondence.
Because the NRC has not made a final determination in this matter, no Notice of Violation is
being issued for this inspection finding at this time. In addition, please be advised that the
number and characterization of the apparent violation described in the enclosed inspection
report may change as a result of further NRC review.
E. Halpin
- 3 -
In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter and its
enclosure will be made available electronically for public inspection in the NRC Public Document
Room and in the NRCs Agencywide Documents Access and Management System (ADAMS),
accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html.
Sincerely,
/RA/
Troy W. Pruett, Director
Division of Reactor Projects
Docket Nos. 50-275 and 50-323
License Nos. DPR-80 and DPR-82
Enclosure:
Inspection Report 05000275/2016010 and
w/ Attachments:
1. Supplemental Information
2. Significance Determination
cc w/ enclosure: Electronic Distribution
SUNSI Review
By: JRG
Yes No
Non-Sensitive
Sensitive
Publicly Available
Non-Publicly Available
Keyword:
OFFICE
SRI:DRP/A
RI:DRP/A
SPE:DRP/A
DRS:SRA
TL:ACES
D:DRS
RC:ORA
NAME
CNewport
JReynoso
RAlexander
RDeese
MHay
AVegel
KFuller
SIGNATURE
/RA/
/RA/
/RA/
/RA/
/RA/
/RA/
/RA/
DATE
09/14/16
09/14/16
09/08/16
09/09/16
09/19/16
09/27/16
09/22/16
OFFICE
BC:DRP/A
D:DRP
NAME
JGroom
TPruett
SIGNATURE
/RA/
/RA/
DATE
09/26/16
10/3/16
Letter to Edward D. Halpin from Troy W. Pruett dated October 3, 2016
SUBJECT:
DIABLO CANYON POWER PLANT - NRC FOCUSED BASELINE INSPECTION
REPORT 05000275/2016010 AND 05000323/2016010; PRELIMINARY WHITE
FINDING
DISTRIBUTION:
Regional Administrator (Kriss.Kennedy@nrc.gov)
Deputy Regional Administrator (Scott.Morris@nrc.gov)
DRP Director (Troy.Pruett@nrc.gov)
DRP Deputy Director (Ryan.Lantz@nrc.gov)
DRS Director (Anton.Vegel@nrc.gov)
DRS Deputy Director (Jeff.Clark@nrc.gov)
Senior Resident Inspector (Christopher.Newport@nrc.gov)
Resident Inspector (John.Reynoso@nrc.gov)
Administrative Assistant (Madeleine.Arel-Davis@nrc.gov)
Branch Chief, DRP/A (Jeremy.Groom@nrc.gov)
Senior Project Engineer, DRP/A (Ryan.Alexander@nrc.gov)
Project Engineer, DRP/A (Matthew.Kirk@nrc.gov)
Project Engineer, DRP/A (Thomas.Sullivan@nrc.gov)
Public Affairs Officer (Victor.Dricks@nrc.gov)
Project Manager (Balwant.Singal@nrc.gov)
Team Leader, DRS/TSS (Thomas.Hipschman@nrc.gov)
RITS Coordinator (Marisa.Herrera@nrc.gov)
ACES (R4Enforcement.Resource@nrc.gov)
Regional Counsel (Karla.Fuller@nrc.gov)
Congressional Affairs Officer (Jenny.Weil@nrc.gov)
RIV Congressional Affairs Officer (Angel.Moreno@nrc.gov)
RIV/ETA: OEDO (Jeremy.Bowen@nrc.gov)
RIV RSLO (Bill.Maier@nrc.gov)
ROPreports.Resource@nrc.gov
ROPassessment.Resource@nrc.gov
Enclosure
U.S. NUCLEAR REGULATORY COMMISSION
REGION IV
Docket:
05000275; 05000323
License:
Report:
05000275/2016010; 05000323/2016010
Licensee:
Pacific Gas and Electric Company
Facility:
Diablo Canyon Power Plant, Units 1 and 2
Location:
7 1/2 miles NW of Avila Beach
Avila Beach, CA
Dates:
May 16 through September 12, 2016
Inspectors: C. Newport, Senior Resident Inspector
J. Reynoso, Acting Senior Resident Inspector
T. Sullivan, Project Engineer
R. Deese, Senior Reactor Analyst
Approved
By:
Troy W. Pruett, Director
Division of Reactor Projects
- 2 -
SUMMARY
IR 05000275/2016010, 05000323/2016010; 05/16/2016 - 09/12/2016; Diablo Canyon Power
Plant; Problem Identification and Resolution
The inspection activities described in this report were performed between May 16 and
September 12, 2016, by the resident inspectors at Diablo Canyon Power Plant and inspectors
from the NRCs Region IV office. The inspectors identified a preliminary White finding
associated with an apparent violation of NRC requirements. The significance of inspection
findings is indicated by their color (Green, White, Yellow, or Red), which is determined using
Inspection Manual Chapter 0609, Significance Determination Process, issued April 29, 2015.
Their cross-cutting aspects are determined using Inspection Manual Chapter 0310, Aspects
within the Cross-Cutting Areas, issued December 4, 2014. Violations of NRC requirements are
dispositioned in accordance with the NRC Enforcement Policy. The NRCs program for
overseeing the safe operation of commercial nuclear power reactors is described in
NUREG-1649, Reactor Oversight Process.
Cornerstone: Mitigating Systems
Preliminary White. The inspectors identified a preliminary White finding associated with
an apparent violation of Technical Specification 5.4.1.a, Procedures, for the licensees
failure to develop adequate instructions for the installation, adjustment, and testing of
Namco' Model EA170 snap lock limit switches. Specifically, the licensee failed to provide
site-specific instructions for limiting the travel of these external limit switches when installed
on safety-related motor operated valves. Consequently, the lever switch actuator for valve
RHR-2-8700B, residual heat removal pump 2-2 suction from the refueling water storage
tank, was installed such that the limit switch was operated repeatedly in an over-travel
condition resulting in a sheared internal roll pin that ultimately caused the limit switch to fail.
Following identification of this issue, the licensee replaced the limit switch for valve
RHR-2-8700B and implemented actions to modify maintenance procedures for installing,
calibrating, and testing motor-operated valve external limit switches. The licensee entered
this issue into their corrective action program as Notification 50852345.
The performance deficiency is more than minor, and therefore a finding, because it is
associated with the procedure quality attribute of the Mitigating Systems cornerstone and
adversely affected the cornerstone objective to ensure the availability, reliability, and
capability of systems that respond to initiating events to prevent undesirable consequences
(i.e., core damage). Specifically, maintenance procedure MP E-53.10R, Augmented Stem
Lubrication for Limitorque Operated Valves, used to perform limit switch adjustments on the
Unit 2 valve RHR-2-8700B, did not provide adequate acceptance criteria to prevent
overtravel of the limit switch actuating lever. This resulted in a subsequent failure of the limit
switch, preventing the open permissive signal for valve SI-2-8982B, residual heat removal
pump 2-2 suction from the containment recirculation sump, used during the emergency core
cooling system (ECCS) recirculation mode. The inspectors evaluated the finding using the
Attachment 0609.04, "Initial Characterization of Findings," worksheet to Inspection Manual
Chapter (IMC) 0609, Significance Determination Process, issued June 19, 2012. The
attachment instructs the inspectors to utilize IMC 0609, Appendix A, Significance
Determination Process (SDP) for Findings At-Power, issued June 19, 2012. In accordance
with NRC Inspection Manual Chapter 0609, Appendix A, Exhibit 2, Mitigating Systems
Screening Questions, the inspectors determined that the finding required a detailed risk
evaluation because it represented an actual loss of function of the train B ECCS for greater
- 3 -
than its technical specification allowed outage time. A senior reactor analyst performed a
detailed risk evaluation in accordance with IMC 0609, Appendix A, Section 6.0, Detailed
Risk Evaluation. The calculated increase in core damage frequency was dominated by
small and medium loss of coolant accident initiators with failures of the opposite train of
ECCS or related support systems. The analyst did not evaluate the large early release
frequency because this performance deficiency would not have challenged the containment.
The NRC preliminarily determined that the increase in core damage frequency for internal
and external initiators was 7.6E-06/year, a finding of low to moderate risk significance
(White). The inspector did not identify a cross-cutting aspect with this finding because it was
not reflective of current performance. The inadequate procedure was developed in 2011
and did not reflect the licensees current performance related to procedure development.
(Section 4OA2)
- 4 -
REPORT DETAILS
4.
OTHER ACTIVITIES
Cornerstone: Mitigating Systems
4OA2 Problem Identification and Resolution (71152)
Annual Follow-up of Selected Issues
a. Inspection Scope
On May 16, 2016, during performance of surveillance procedure PEP V-7B, "Test of
ECCS Valve Interlocks," Revision 9, valve SI-2-8982B, Unit 2 residual heat removal
(RHR) pump 2-2 suction from the containment recirculation sump, failed to open from
the main control room. Subsequent review determined that external limit switch,
POS-648, for valve RHR-2-8700B, RHR 2-2 suction from the refueling water storage
tank (RWST), was in a failed position. The failure of this limit switch prevented the open
permissive signal for valve SI-2-8982B. Investigation by the licensee concluded that
limit switch POS-648 failed due to a sheared internal roll pin.
The inspectors assessed the licensees problem identification threshold, cause analyses,
and verified that corrective actions were commensurate with the significance of the
issue, appropriately prioritized and that these actions were adequate to correct the
condition. The inspectors also reviewed the licensees use of operating experience and
their incorporation of vendor guidance into site-specific maintenance procedures.
These activities constituted completion of one annual follow-up sample as defined in
b. Findings
Failure to Establish Adequate Work Instructions for Installation of Namco' Snap Lock
Limit Switches
Introduction. The inspectors identified a preliminary White finding associated with an
apparent violation of Technical Specification 5.4.1.a, Procedures, for the licensees
failure to develop adequate instructions for the installation, adjustment and testing of
Namco' Model EA170 snap lock limit switches. Specifically, the licensee failed to
provide site-specific instructions for limiting the travel of these external limit switches
when installed on safety-related motor operated valves. Consequently, the lever switch
actuator for valve RHR-2-8700B was installed such that the limit switch was operated
repeatedly in an over-travel condition resulting in a sheared internal roll pin that
ultimately caused the limit switch to fail.
Description. On May 16, 2016, the licensee performed surveillance procedure
PEP V-7B, "Test of ECCS Valve Interlocks," Revision 9, to test various interlock and
permissive circuits for the emergency core cooling system (ECCS). One interlock test
involved valve circuitry needed to transfer the RHR pump suction from the RWST to the
containment recirculation sump during the ECCS recirculation mode. During a loss of
coolant accident, operators would implement ECCS recirculation by closing the RWST to
RHR suction valves, valves RHR-8700A and RHR-8700B, and opening the containment
- 5 -
recirculation sump suction valves, SI-8982A and SI-8982B. The ECCS system design
includes an interlock, tested during procedure PEP V-7B, to ensure that operators can
only open containment sump suction valves if the respective RWST suction valve is
closed.
During performance of procedure PEP V-7B, Step 12.14.2, valve SI-2-8982B, RHR
pump 2-2 suction from the containment recirculation sump, failed to open from the main
control room. Licensee troubleshooting determined that external limit switch, POS-648,
for valve RHR-2-8700B, RHR pump 2-2 suction from the RWST, was in a failed position.
The failure of this limit switch, caused by a sheared internal roll pin, prevented the open
permissive signal for valve SI-2-8982B. Since limit switch POS-648 failed during a
planned refueling outage with Diablo Canyon Unit 2 shutdown, no technical specification
entries were necessary. The licensee replaced limit switch POS-648 under Work Order 60090383 on May 18, 2016, prior to exiting the planned refueling outage. The licensee
entered this issue into their corrective action program as Notification 50852345.
The inspectors reviewed the work history for valve RHR-2-8700B and limit switch
POS-648. During refueling outage 2R17 completed on February 21, 2013, the licensee
implemented Work Order 64014195 to replace the Limitorque actuator stem nut for valve
RHR-2-8700B and completed maintenance procedure E-53.10R, Augmented Stem
Lubrication for Limitorque Operated Valves, Revision 4. This maintenance included
removal and replacement of limit switch POS-648 and its actuating lever. The
inspectors noted that procedure MP E-53.10R included instructions for re-installing the
stem mounted position switches and checks for proper operation. Specifically,
procedure MP E-53.10R, Step 7.9.2(h), included instructions to Check switches are
properly operating by listening for an audible click from switch when valve is cycled
OPEN and CLOSED.
The inspectors noted that the licensee successfully tested POS-648 as part of
post-maintenance testing for Work Order 64014195 and again on October 22, 2014,
when procedure PEP V-7B was last performed. The licensee cycles valve
RHR-2-8700B quarterly as part of the inservice testing (IST) program; however, the
quarterly IST does not test the interlock provided by limit switch POS-648. As such, the
inspectors concluded that POS-648 failed sometime between the last successful
performance of surveillance procedure PEP V-7B on October 22, 2014, and the failure of
valve SI-2-8982B to open on May 16, 2016.
Limit switch POS-648 is a Namco' Model EA170 snap lock position switch, designed to
snap over when actuated and includes a hard stop. The inspectors reviewed applicable
maintenance, design, and testing instructions provided by the limit switch vendor. Within
the publically available vendor documents, the inspectors identified the following
precaution relative to the design, installation, and operation of Namco' Snap-Lock Limit
switches:
Operating mechanisms for limit switches MUST BE so designed
that, under any operating or emergency conditions, the limit switch
is not operated beyond its overtravel limit position.
The vendor guidance also directed switch owners to the specific bulletin for the switch
overtravel specifications. The inspectors reviewed the switch bulletin for Namco'
Model EA170-35100 snap lock limit switches, the same model used for POS-648. The
inspectors noted that the switch specifications included a recommended travel
- 6 -
of 7 degrees based on a required trip of 6.5 degrees, and a maximum overtravel of
36 degrees. The inspectors reviewed as-found photos of POS-648 following the
May 16, 2016, failure and noted that the switch actuating arm position was at a nearly
45-degree angle relative to the normal position indicating that the position switch had
exceeded the overtravel specification.
The inspectors determined that when POS-648 was re-installed following maintenance
on February 21, 2013, the licensee did not set the switch and actuating arm correctly in
accordance with the vendor recommendations to ensure that the overtravel specification
was not exceeded. By operating the switch beyond the overtravel specification, valve
force was applied to the limit switch lever and internal roll pin after reaching a hard stop.
The repeated overloading of the lever roll pin eventually led to the failure of POS-648.
While the instructions in procedure MP E-53.10R, Step 7.9.2.(h), to check for proper
operation by listening for an audible click, would verify the limit switch changed state, the
inspectors determined this procedure step was inadequate to prevent overtravel of the
externally mounted limit switch. Specifically, the inspectors determined that the
procedure lacked specificity because it only ensured that the trip and reset of the switch
occurs as the valve is exercised but did not provide adequate instructions to ensure the
switch overtravel specification was not exceeded.
The inspectors interviewed licensee personnel responsible for determining the cause of
the failure of POS-648. During that interview, the licensee shared conclusions regarding
the cause of the failure of POS-648 that corresponded with the independent conclusions
developed by the inspectors. In particular, the licensee determined that the
maintenance instructions in procedure MP E-53.10R to listen for an audible click were
insufficient to prevent over-ranging of the position switch lever. The licensee performed
an extent-of-condition review of other motor operated valve (MOV) external limit
switches that provide control or logic functions but would not provide an audible alarm or
other indication if in a failed state. The licensee identified fifteen other limit switches that
could be susceptible to the failure mechanism experienced on limit switch POS-648.
The licensee walked down these switches on June 1, 2016, and identified no other
similar switch installation problems. Notification 50852345 included corrective action
CA 1, due March 20, 2017, to revise procedure MP E-53.10R to include detailed
instructions for setting the travel of externally mounted limit switches.
Analysis. The inspectors determined the failure to establish adequate adjustment
criteria for maintenance procedure MP E-53.10R was a performance deficiency. The
performance deficiency is more than minor, and therefore a finding, because it is
associated with the procedure quality attribute of the Mitigating Systems cornerstone,
and adversely affected the cornerstone objective to ensure the availability, reliability, and
capability of systems that respond to initiating events to prevent undesirable
consequences (i.e., core damage). Specifically, procedure MP E-53.10R, used by the
licensee to perform limit switch adjustments on the Unit 2 valve RHR-2-8700B, did not
provide adequate acceptance criteria to prevent overtravel of the actuating lever. This
resulted in a subsequent failure of the limit switch, preventing the open permissive signal
for valve SI-2-8982B, residual heat removal pump 2-2 suction from the containment
recirculation sump, used during the ECCS recirculation mode. The inspectors evaluated
the finding using the Attachment 0609.04, "Initial Characterization of Findings,"
worksheet to Inspection Manual Chapter (IMC) 0609, Significance Determination
Process, issued June 19, 2012. The attachment instructs the inspectors to utilize
- 7 -
IMC 0609, Appendix A, Significance Determination Process (SDP) for Findings At-
Power, issued June 19, 2012. In accordance with NRC Inspection Manual
Chapter 0609, Appendix A, Exhibit 2, Mitigating Systems Screening Questions, the
inspectors determined that the finding required a detailed risk evaluation because it
represented an actual loss of function of the train B ECCS for greater than its technical
specification allowed outage time. A senior reactor analyst performed a detailed risk
evaluation in accordance with IMC 0609, Appendix A, Section 6.0, Detailed Risk
Evaluation.
Small and medium loss of coolant accident initiators with failures of the opposite train of
ECCS or related support systems dominated the calculated increase in core damage
frequency. The analyst did not evaluate the large early release frequency because this
performance deficiency would not have challenged the containment. The NRC
preliminarily determined that the increase in core damage frequency for internal and
external initiators was 7.6E-06/year, in the low to moderate risk significance range
(White). The results of the detailed risk evaluation are included in Attachment 2 of this
report.
The inspector did not identify a cross-cutting aspect with this finding because it was not
reflective of current performance. The inadequate procedure was developed in 2011
and did not reflect the licensees current performance related to procedure development.
Enforcement. Technical Specification 5.4.1.a, Procedures, requires, in part, that
written procedures shall be established, implemented, and maintained covering the
applicable procedures recommended in Appendix A of Regulatory Guide 1.33,
Revision 2. Section 9.a of Appendix A of Regulatory Guide 1.33, Revision 2, requires in
part, that maintenance that can affect the performance of safety-related equipment
should be properly preplanned and performed in accordance with written procedures,
documented instructions, or drawings appropriate to the circumstances. On
December 5, 2011, the licensee established procedure MP E-53.10R, Augmented Stem
Lubrication for Limitorque Operated Valves, Revision 4, to perform maintenance on
safety-related equipment including motor operated valves and their external limit
switches. Contrary to the above, on December 5, 2011, the licensee failed to establish
written procedures for performing maintenance on safety-related equipment which were
appropriate to the circumstances. Specifically, the procedure only checked that motor
operated valve external limit switches changed position during valve exercise but did not
provide instructions to establish and check the travel of these switches within vendor
established criteria. Consequently, the limit switch for valve RHR-2-8700B was installed
such that it was operated repeatedly beyond overtravel tolerances resulting in its failure.
The licensee entered this issue into their corrective action program as Notification
50852345 and initiated action to replace the failed limit switch. The licensee also
initiated corrective actions to change maintenance procedure MP E-53.10R to ensure
adequate acceptance criteria for limit switch travel were included, and performed an
extent of condition for all other MOV stem mounted position switch interlocks circuits. As
a consequence of this failed limit switch, the licensee was also in violation of Unit 2
Technical Specification 3.5.2, ECCS - Operating, because train B of the ECCS was
determined to be inoperable for greater than the technical specification allowed outage
time of 14 days, and the licensee failed to take actions required of the limiting condition
of operation. Because this finding has been preliminarily determined to be of greater
than very low safety significance (i.e., greater than Green), it is being characterized as
- 8 -
an apparent violation. AV 05000323/2016010-01, Failure to Establish Adequate Work
Instructions for Installation of Namco' Snap Lock Limit Switches
4OA6 Meetings, Including Exit
Exit Meeting Summary
On September 13, 2016, the inspectors presented the inspection results to Mr. E. Halpin, Senior
Vice President and Chief Nuclear Officer, and other members of the licensee staff. The licensee
acknowledged the issues presented. The licensee confirmed that any proprietary information
reviewed by the inspectors had been returned or destroyed.
Attachment 1
SUPPLEMENTAL INFORMATION
KEY POINTS OF CONTACT
Licensee Personnel
T. Baldwin, Director, Nuclear Site Services
D. Evans, Director, Security & Emergency Services
L. Fusco, Manager, Mechanical Engineering
P. Gerfen, Station Director
M. Ginn, Manager, Emergency Planning
E. Halpin, Sr. Vice President, Chief Nuclear Officer Generation
H. Hamzehee, Manager, Regulatory Services
A. Heffner, NRC Interface, Regulatory Services
L. Hopson, Director Maintenance Services
T. Irving, Manager, Radiation Protection
K. Johnston, Director of Operations
M. McCoy, NRC Interface, Regulatory Services
J. Morris, Supervisor, Nuclear Regulatory Services
C. Murry, Director Nuclear Work Management
J. Nimick, Senior Director Nuclear Services
P. Nugent, Director, Quality Verification
A. Peck, Director, Nuclear Engineering
A. Warwick, Supervisor, Emergency Planning
J. Welsch, Site Vice President
R. West, Manager, System Engineering
LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED
Opened 05000323/2016010-01 AV
Failure to Establish Adequate Work Instructions for Installation of
Namco' Snap Lock Limit Switches (Section 4OA2)
Section 4OA2: Problem Identification and Resolution
Procedures
Number
Title
Revision
PEP V-7B
Test of ECCS Valve Interlocks
8
MP E-53.10R
Augmented Stem Lubrication For Limitorque Operated
Valves
4-7
OP O-22
Emergency Operation of Motor Operated Valves
6
E-0
Reactor Trip or Safety Injection
35
EOP E-1.3
Transfer to Cold Leg Recirculation
22
A1-2
MP E-53.10A1
Low Impact External Inspections of Limitorque Motor
Operators
1
Notifications
50852066
50852180
50852345
50861001
Drawings
Number
Title
Revision
441239
Unit 2, Single Line Meter and Relay Diagram 480V System
Bus Section 2H
48
441310
Unit 2, Schematic Diagram Residual Heat Removal Motor
Operated Valves
31
441317
Unit 2, Schematic Diagram Safety Injection System Motor
Operated Valves
19
500628
Unit 2, Electrical Diagram of connections, Elevation 115-140
foot, Area H
26
507610
Unit 2, Arrangement of Electrical Equipment at Elevation
100, Area H
16
Work Orders
64014195
Miscellaneous
Number
Title
Revision
Calculation
SDP16-02
SI-2-8982B Failure to Open During PEP V-7B in 2R19 due
to Damaged Closed Position Switch for 8700B
0
Attachment 2
Significance Determination
Significance Determination Basis:
(a)
Screening Logic
Minor Question: In accordance with NRC Inspection Manual Chapter 0612,
Appendix B, Issue Screening, the finding was determined to be more than minor
because it was associated with the procedure quality attribute of the Mitigating
Systems Cornerstone, and affected the associated cornerstone objective to ensure
availability, reliability, and capability of systems that respond to initiating events to
prevent undesirable consequences. Specifically, the performance deficiency
associated with the inadequate maintenance procedure resulted in inadequate
criteria to ensure limit switch adjustments did not result in overtravel of the actuating
lever for valve RHR-2-8700B. This resulted in a subsequent failure of limit switch
POS-648, affecting the availability of the ECCS because this limit switch provides the
open permissive signal for valve SI-2-8982B, the containment sump suction for the
RHR system.
Initial Characterization: Using Manual Chapter 0609, Attachment 4, Initial
Characterization of Findings, the inspectors determined that the finding could be
evaluated using the significance determination process. In accordance with Table 3,
SDP Appendix Router, the inspectors determined that the subject finding should be
processed through Appendix A, The Significance Determination Process (SDP) for
Findings At-Power, Exhibit 2, Mitigating Systems Screening Questions, dated
July 1, 2012.
Issue Screening: In accordance with NRC Inspection Manual Chapter 0609,
Appendix A, Exhibit 2, Mitigating Systems Screening Questions, the inspectors
determined that the finding required a detailed risk evaluation because it represented
an actual loss of function of the Unit 2 train B ECCS for greater than its technical
specification allowed outage time (i.e., 14 days). A senior reactor analyst performed
a detailed risk evaluation in accordance with IMC 0609, Appendix A, Section 6.0,
Detailed Risk Evaluation.
Results: The detailed risk evaluation result is an increase in core damage frequency
from the performance deficiency of 7.6E-6/year, characterizing the significance of the
finding to be of low to moderate safety significance. This estimate used best
available information and estimated the increase in core damage frequency to
be 7.1E-6/year from internal events and 5.4E-7/year from external events.
(b)
Detailed Risk Evaluation:
(1)
Assumptions
Exposure time. The exposure time was 286 days. The licensee last successfully
tested valve SI-2-8982B and the interlock associated with POS-648 on
October 22, 2014. Valve SI-2-8982B failed to open 572 days later on May 16,
2016. Since the inception of the failure of the limit switch after the last operation
could not be determined, the analyst used a t/2 approached and assumed the
exposure time to be half of 572 days, or 286 days. Repair time was not added
A2-2
because the deficiency was discovered and returned to a functional status during
an outage when the valve was not needed.
Recovery. Overall recovery was assumed to have a failure probability of 2.4E-1
for small break LOCAs and smaller medium break LOCAs (MLOCAs); 3.4E-2 for
seal LOCAs; and 1.0 for larger MLOCAs. Two methods of recovery were
available - (1) local manual valve operation, and (2) electrical bypassing of the
interlock through manual contactor operation. The derivation of these recoveries
is covered in the Internal Events section of this evaluation.
Common cause. The increased potential for common cause failure of Valve
SI-2-8982A, the same valve on the redundant train, was considered applicable.
The analyst was unaware of any programmatic licensee action to defend against
common cause failure; therefore, the analyst set the failure of valve SI-2-8982B
to TRUE in the SPAR model. This increased the probability of common cause
failure of Valve SI-2-8982A from 3.6E-5 to 3.8E-2.
The analyst also considered the remaining valves installed on Units 1 and 2 with
externally mounted limit switches that receive the same maintenance as the
valve that is the subject of the performance deficiency. For Unit 1, the analyst
determined that the issue would be of very low safety significance since there
was not an actual failure of a component.
For Unit 2, the remaining valves would not result in a significant increase in risk
because the external limit switches are either 1) only associated with an
annunciator function, 2) only associated with an equipment interlock function that
is not used in an accident scenario or, 3) only associated with an equipment
interlock function needed for long-term containment pressure control.
Operating history. The analyst assumed the plant operated at power or at
shutdown conditions above those that necessitated operation of the RHR system
for decay heat removal during the entire exposure time. This allowed the analyst
to use the at-power SPAR model for the entire exposure time.
(2)
Internal Events
Background / Introduction. The results of the probabilistic risk assessment (PRA)
tool showed that the performance deficiency affected two initiators - small break
loss of coolant accidents (SLOCA) and MLOCA. These events are characterized
by reactor coolant leaking from the reactor coolant system, which would act to
lower inventory and pressure of the reactor coolant system. In response to the
loss of coolant and system pressure, a safety injection actuation signal actuates
to start ECCS pumps. These pumps include both RHR pumps, both safety
injection pumps, and both charging pumps. These pumps take suction from the
refueling water storage tank, pump water into the reactor coolant system, which
in turn leaks out of the break and into the containment where it collects in the
containment recirculation sump. When the refueling water storage tank level
reaches 33 percent level, operators secure the RHR pumps and perform valve
manipulations to swap the suction of the emergency core cooling pumps from the
refueling water storage tank to the containment recirculation sump. Valve
SI-2-8982B is the first valve in the flowpath leading from the containment sump.
The inability to open valve SI-2-8982B renders train B of core cooling inoperable
A2-3
during the recirculation phase of LOCAs. The licensee would have options to
recover and open the valve, which are discussed in this evaluation. The licensee
would also have the redundant train A flowpath available to successfully cool the
reactor core if valve SI-2-8982B were unrecoverable. PRA demonstrates that the
dominant core damage sequences involve failures of the train A flowpath and the
inability to recover valve SI-2-8982B.
Small Break Loss of Coolant Accidents
For the purposes of this evaluation, SLOCA include pipe breaks up to 2 inches,
catastrophic reactor coolant pump seal failures (seal LOCAs), and seal LOCAs
caused by losses of cooling to the reactor coolant pump seals (brought about by
loss of power to cooling for the seals).
SLOCA comprises 26.0 percent of the increase in core damage frequency. The
results are driven by the failure of valve SI-2-8982B, failures of train A flowpath
for recirculation sump flow, and the ability or inability to operate valve SI-2-8982B
by alternative means.
The primary contributor of failures of the train A flowpath is attributed to an
increased probability of common cause failure of its sump valve SI-2-8982A.
Because valve SI-2-8982B failed and valve SI-2-8982A is subject to the same
environment, maintenance, testing, etc., valve SI-2-8982A is exposed to an
increased probability of failure. The common cause failure of SI-2-8982A
comprises approximately two-thirds of the increase in core damage frequency
from SLOCAs. The remainder of the increase in core damage frequency comes
from power failures to components in the train A flowpath, valve failures in the
flowpath, and pumps failures in the flowpath.
Recovery of valve SI-2-8982B through alternative means is also a contributor.
These alternative means include either electrical operation by use of the motor
contactors or manually by accessing the valve and operating the handwheel on
the valve.
Recovery of Valve SI-2-8982B
Recovery actions to open valve SI-2-8982B are available by two alternate
means, either electrically by use of the motor contactors, or manually by
accessing the valve and operating the handwheel on the valve. In developing
their assessment of the success probability of recovering valve SI-2-8982B, the
licensee interviewed operators who indicated that both recoveries would be
pursued in parallel.
1. Electrical operation of Valve SI-2-8982A by use of motor contactors. This
recovery option takes advantage of the ability to bypass the interlock circuitry,
which is the subject of the performance deficiency, preventing valve SI-2-8982B
from opening. Manual operation of the electrical contactors provided line power
directly to the motor operator for valve SI-2-8982B. Operation of the electrical
contactors could be successful if properly performed, but inspectors found
several impediments to absolute success.
A2-4
The first potential impediment was the adequacy of procedural guidance used for
the electrical operation recovery option. The direction to pursue recovery paths
to open valve SI-2-8982B is contained in Emergency Operating Procedure (EOP)
Emergency Contingency Action (ECA) 1.1, Loss of Emergency Coolant
Recirculation, Revision 21. Step 2 of ECA 1.1 instructs operators to restore
emergency coolant recirculation equipment by several means. Step 2.d has
operators check power available to valves required for recirculation swap over
and refer to an appendix with valve power supplies. The performance deficiency
would not result in a loss of the valves main power supply. Instead, the
performance deficiency would result in the main-line contacts being held open by
the control circuit for valve SI-2-8982B. The analyst considered this an
impediment to recovery because the procedure did not explicitly call out actions
for a loss of control power to the motor operator. The analyst concluded from the
licensees analysis that operator experience would guide them to use Step 2.d as
the best fit for troubleshooting and take the steps response not obtained action
to locally operate the valves as required. The analyst judged that local
operations are at the location of the valve, not in the electrical cabinet located
away from the valve, and that this action to locally operate the valve did not
specifically address use of the electrical contactors. Again, the analyst
determined, based on interviews and discussions with the licensee, that operator
experience and training could employ this as an option even though it is not
explicitly called for in the emergency procedure.
The licensee established procedure O-22, Emergency Operation of Motor
Operated Valves, Revision 6 to operate motor operated valves through use of
the motor contactor. Procedure O-22 requires phone communication between
the control board operator in the control room and the operator in the field at the
cabinet when operating the valve. Inspectors toured the licensees training
facilities used to instruct operators on how to locally operate contactors. The
inspectors noted that the electrical cabinet used to train operators used a
Telemecanique brand contactor, different from the Westinghouse Cutler Hammer
brand contactors installed in the cabinet for valve SI-2-8982B. The different
contactors have different operating methods. To operate the Telemecanique
contactors, operators insert non-conducting rods above and below the contactor
of interest. To operate the Westinghouse contactors, operators depress a gray
plastic armature position indicator.
The analyst concluded that the difference in layout and methods of operating
contactors between the training electrical cabinet and the plant electrical cabinet
would present challenges to successful operation of the contactor. Also, during a
walkdown with the licensee electricians, the inspectors noted that the electrical
cabinet for valve SI-2-8982B housed both the open and close contactors.
However, these contactors are not labelled such that an operator could tell which
contactor was the open contactor.
The inspectors noted that Procedure O-22, Attachment 2, provided a typical
cabinet layout for motor-operated valves in the plant. This diagram showed the
open contactor located above the close contactor. During the walkdown, the
inspectors asked electrical personnel if the orientation illustrated in
Procedure O-22, Attachment 2, was the same orientation for the cabinet for valve
SI-2-8982B. After approximately 6 minutes of inspecting the cabinet with the
A2-5
electrical schematic diagram, the three electrical personnel determined that the
orientation was opposite of that illustrated in Procedure O-22, because the close
contactor was located above the open contactor. The analyst considered these
aspects to be additional impediments to successful operation of the valve.
The inspectors noted that prior to Step 6.11, the step instructing operators to
locate the appropriate contactor, Procedure O-22 included a boxed Note that
read, Those contactors that cant be clearly identified may require assistance
from engineering or maintenance for positive identification.
The analyst concluded that Procedure O-22, Attachment 2 that provided a typical
cabinet layout for motor operated valves, created a likelihood that some
operators would consider the valve SI-2-8982B contactor orientation typical and
not heed this note. The analyst also considered that to follow the note, additional
time is required to have an engineer or electrician report to the cabinet, obtain
the proper electrical print, and trace the cabinet wiring to ascertain which
contactor was the open contactor and which contactor was the close contactor.
This additional time affects the time available to open the valve using the
electrical contractor and adversely influences the success rate of this action. The
analyst also noted that operation of the contactors would require a screwdriver to
defeat the door latch breaker trip and the operator would have to be dressed in
an arc flash suit which the operator would have to obtain prior to this action.
The consequences of operating the incorrect contactor are potentially severe. If
the licensee personnel operated the close contactor thinking they were opening
the valve, the valve motor would drive the valve in the close direction with all of
the motor-operated valve protective features bypassed. Because the valve is
already closed, the motor would be in a stall condition and motor current would
be at or near locked rotor amperage. The potential consequences of this
mis-operation could include motor damage or burnout.
The analyst included these factors in the human reliability analyses performed
using the SPAR-H method.
With the two methods performed in parallel (i.e., electrical contactors and manual
valve manipulation methods), the inspectors concluded that the electrical
contactor method would be ready for attempted use first. The assumed timing
was:
Action
Time
(minutes)
Total time
(hh:mm)
Briefing the operation
15
00:15
Gather tools, dress out in arc flash suit, report to
breaker, open cabinet
20
00:35
Recognize no labelling, summons electrician to
cabinet
10
00:45
Obtain electrical print
10
00:55
A2-6
Operate contactor (valve)
5
01:00
When added to the 10 minutes assumed to attempt swap over to recirculation
and 30 minutes assumed to troubleshoot the issue, diagnose indications, and
decide on a course of action, the analyst estimated a total time to success of
approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 40 minutes.
The analyst used these points to obtain the following human reliability analysis:
Electrical Recovery - Diagnosis (=1E-2)
Time Available
Extra
0.1
The 1:40 hour time to diagnose and
perform gives extra time when
compared to the licensees estimate
of 2:35 hour to deplete the RWST
(applying both diagnosis and
action). The time from a depleted
RWST until occurrence of core
damage was also considered.
Stress
High
2
The level of stress would be higher
than the nominal level due to
unexpected alarms being present
and consequences that could
threaten plant safety.
Complexity
Nominal
1
No event information is available to
warrant a change in this diagnosis
performance shaping factor (PSF)
from Nominal.
Experience/Training Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Procedures
Incomplete
20
Task instructions are absent to
guide the operator to the
appropriate electrical contactor
operation
Ergonomics
Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Work Processes
Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Result = 4E-2 = 0.1 x 2 x 1 x 1 x 20 x 1 x 1 x 1 x 1E-2
A2-7
Electrical Recovery - Action (=1E-3)
Time Available
Extra
0.1
The 1:40 hour time to diagnose and
perform gives extra time when
compared to the licensees estimate
of 2:35 hour to deplete the RWST
(applying both diagnosis and
action). The time from a depleted
RWST until occurrence of core
damage was also considered.
Stress
High
2
The level of stress would be higher
than the nominal level due to
unexpected alarms being present
and consequences that could
threaten plant safety.
Complexity
Highly
5
The evolution involved equipment
line-up that involved defeated
interlocks on valves, a highly
complex task.
Experience/Training Low
3
Different contactors were present in
the cabinet than were trained on
during operator training.
Procedures
Incomplete
20
The procedure provided operators
with a generic orientation of the
contactors which did not match the
in-plant configuration. The note for
operators to seek assistance is not
explicit, stating that the situation ..
may require assistance..
Ergonomics
Poor
10
The contactors in the panel are not
labelled causing poor human-
machine interface.
Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Work Processes
Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
PSF = 0.1 x 2 x 5 x 3 x 20 x 10 x 1 x 1 = 600
Result = 3.8E-1 = 1E-3 x 600 / [1E-3 x (600 - 1)] + 1
Combining diagnosis and action (4.0E-2 + 3.8E-1) yielded a failure probability of
4.2E-1.
2. Manual operation of Valve SI-2-8982A by handwheel. This recovery action
involves operators utilizing the handwheel to open valve SI-2-8982B. The
analyst considered the diagnosis to employ this option to be similar to the
decision for electrical contactor operation, except Procedure ECA 1.1 was
appropriate in directing local manual valve operations. Also the analyst
concluded the assumption of 10 minutes to attempt swap over to recirculation
and 30 minutes to troubleshoot the issue, diagnose indications, and decide on a
A2-8
course of action that was appropriate for diagnosis of this action. The inspectors
considered that the local manual valve operation path would present operators
with the decision to incur more dose, face uncertain environmental and
radiological factors at the valve, the potential to introduce a containment bypass
flowpath, and the manual handwheel option requires more time than the
electrical contactor option. In their analysis, the licensee considered this local
manual valve operation as the sole credited recovery option. However, for the
previously stated reasons, the analyst concluded this option would be employed
after the electrical contactor option.
The inspectors noted several attributes of this action made it more complex. The
valve is located adjacent to the containment in a special chamber. The chamber
has an enclosed environment that may become radioactively contaminated
following a LOCA. The licensee would need to implement actions to sample the
environment for suitable breathing to prevent a radioactive intake. Alternatively,
an operator would have to don protective clothing to prevent contaminating
himself, don a respirator, climb a ladder to enter the chamber, and operate the
valve. Any leakage from this valve (e.g., packing leakage) could serve to
pressurize this chamber and require additional protective clothing to prevent
contamination. To access the valve inside of the chamber, the licensee needs to
remove 32 nuts, which act to secure the chamber. This additional time affects
the time available to open the valve and adversely influences the success rate of
this action.
The licensee estimated 90 minutes would be required to brief personnel, gather
tools, and open the manway. Next the licensee estimated 10 minutes to open
the valve. The analyst noted that according to licensee information, the valve
would take 468 turns of the handwheel to open the valve. Factoring in fatigue
from repetitive motion along with potentially cumbersome clothing in a hot
environment, 25 minutes (or one turn approximately every 3 seconds) would be
required. This makes the timeline as follows for execution:
Action
Time
(minutes)
Total time
(hh:mm)
Briefing the operation, gather tools, and open
manway
90
01:30
Operate valve
25
01:55
When added to the 10 minutes assumed to attempt swap over to recirculation
and 30 minutes assumed to troubleshoot the issue, diagnose indications, and
decide on a course of action, the total time to success was estimated to be
approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and 35 minutes (2.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />).
A2-9
The analyst used these points to obtain the following human reliability analysis:
Mechanical Recovery - Diagnosis (=1E-2)
Time Available
Nominal
1
The 2:35 hour time to diagnose and
perform gives nominal time when
compared to the licensees estimate
of 2:35 hour to deplete the RWST
(applying both diagnosis and action).
Combined with the time from a
depleted RWST until occurrence of
core damage.
Stress
High
2
The level of stress would be higher
than the nominal level due to
unexpected alarms being present
and consequences that could
threaten plant safety.
Complexity
Moderate
2
Several variables are involved in
diagnoses including the knowledge
of introducing a potential
containment bypass path.
Experience/Training Nominal
1
Adequate amount of instruction to
perform.
Procedures
Nominal
1
Evaluated not to be a performance
driver.
Ergonomics
Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Work Processes
Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Result = 4.0E-2 = 1 x 2 x 2 x 1 x 1 x 1 x 1 x 1
Mechanical Recovery - Action (=1E-3)
Time Available
Nominal
1
The 2:35 hour time to diagnose and
perform gives nominal time when
compared to the licensees estimate
of 2:35 hour to deplete the RWST
(applying both diagnosis and
action). Combine with the time from
a depleted RWST until occurrence
of core damage.
Stress
High
2
The level of stress would be higher
than the nominal level due to
unexpected alarms being present
and consequences that could
threaten plant safety.
A2-10
Mechanical Recovery - Action (=1E-3)
Complexity
Nominal
1
Little ambiguity existed in what
needs to be performed
Experience/Training Low
3
The licensee was unable to provide
prior examples where the valve was
operated manually by operators.
Operators are not trained on manual
valve operations inside the
chamber.
Procedures
Incomplete
20
References for task instructions for
opening the chamber are absent.
Operators would have to refer to an
outage procedure for guidance on
opening the chamber.
Ergonomics
Poor
10
Poor human-machine interface is
present. Access to the valve
chamber requires a ladder. In
chamber, the operator would be
manipulating the valve, possibly in a
respirator and wearing protective
clothing. Operation of the valve
would be in a hot environment, with
awkward and tight clearances
relative to the chamber walls.
Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Work Processes
Nominal
1
No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
PSF = 1 x 2 x 1 x 3 x 20 x 10 x 1 x 1 = 1200
Result = 5.4E-1 = 1E-3 x 1200 / [1E-3 x (1200 - 1)] + 1
Combining diagnosis and action (4.0E-2 + 5.4E-1) yielded a failure probability of
5.8E-1.
Net effect. The analyst assumed the licensee would always have and attempt the
electrical contactor option first. The SPAR-H analysis yielded a result that
58 percent (failure rate = 4.2E-1) of the time the licensee would successfully
open the valve via the electrical contactor method. The analyst then assumed
that failure to select the correct contactor to operate the valve would result in
damage to the valves electric motor, requiring the licensee to utilize the
mechanical recovery option with the failure rate derived by SPAR-H (5.8E-1) for
manual valve operations. This yielded an effective failure rate of 2.4E-1,
calculated as follows:
peff = pe x pm
peff = the effective human performance failure rate for both recoveries
pe = the failure rate by electrical contactor operation
pm = the failure rate by local manual valve operation
A2-11
Catastrophic Seal LOCA. The results of this group is similar to the SLOCA
group. The analyst combined the template events ZT-RCS-MDP-LK-BP1,
Reactor Coolant Pump Seal Stage 1 Integrity Fails (Binding/Popping Open),
and ZT-RCS-MDP-LK-BP2, Reactor Coolant Pump Seal Stage 2 Integrity Fails
(Binding/Popping Open), in the SPAR model to develop an initiating event
frequency for a catastrophic seal failure event of 2.5E-3/year. The analyst
obtained this failure probability from WCAP-15603, Westinghouse Owners
Group 2000 Reactor Coolant Pump Seal Leakage for Westinghouse Pressurized
Water Reactors. This value matches the initiating event frequency used by the
licensee in their model within 2 percent. The analyst then applied the conditional
core damage probability from a SLOCA to this initiating event frequency to
estimate the change in core damage frequency resulting from a catastrophic seal
failure with the performance deficiency present. The analyst considered that the
low leakage rate from a failed reactor coolant pump seal would provide extra time
for recovery via the electrical contactor and via the mechanical operation paths.
This changed the effective recovery from this initiator to 3.4E-2.
Induced Seal LOCA. These reactor coolant leaks result from a loss of cooling to
the reactor coolant pump seals. The dominant initiating events in SPAR which
lead to induced seal failure are grid related losses of offsite power (LOOP),
switchyard centered LOOPs, and transients. These events represent the
smallest contribution to increase in core damage frequency. The analyst
assumed a recovery of 3.4E-2, similar to the recovery of a catastrophic seal
LOCA.
Medium Break Loss of Coolant Accidents
In NRC probabilistic risk assessment analyses, MLOCAs are breaks from 2 to
6 inches in size. MLOCAs may or may not increase pressure high enough to
actuate the containment spray actuation signal, which occurs when pressure in
the containment building reaches approximately 22 psig. This actuation signal
would start the two containment spray pumps that combine to pump around
5000 gallons per minute from the RWST to the containment. This additional
draw of water from the RWST would lower the available time for operators to
take action to open valve SI-2-8982B by the alternative means and therefore
adversely influence the success rate of these actions. The analyst reviewed
Diablo Canyon PRA Calculation MAAP13-03, Diablo Canyon Power Plant
MAAP Success Criteria - Loss of Coolant Accident Definitions, Revision 0, to
determine at which break size would actuate the containment spray actuation
signal and start the containment spray pumps. In this calculation, a 2.9-inch
break produced an 18 pound per square inch pressure in the containment. The
analyst estimated that breaks above 3.5 inches would produce pressure in the
containment sufficient to start the containment spray pumps.
From this estimate, the analyst broke MLOCAs into two classes. The first class
consisted of breaks between 2 and 3.5 inches in size, not sufficient to start the
containment spray pumps. Based on this 1.5-inch range, the analyst estimated
simplistically that 37.5 percent of the MLOCAs would not cause starting of the
containment spray pumps. Conversely, 62.5 percent of MLOCAs were assumed
to start containment spray pumps. Once started, the analyst assumed that
A2-12
operators would leave the containment spray pumps running as required by the
emergency operating procedures.
The analyst split the initiating event frequency by this 37.5 - 62.5 percent split
and applied different recovery actions based on the differing times available. For
the 37.5 percent of MLOCAs which would not start the containment spray pumps,
recovery was similar to SLOCAs.
For the 62.5 percent that would actuate containment spray pumps, the analyst
assumed that the RWST would deplete quickly and not allow sufficient time for
recovery. Licensee estimates were that operators would only have around
30 minutes between RWST level of 33 percent and 4 percent. The 33 percent
level is the point where operators would be required to attempt to swap from
injection from the RWST to the containment recirculation sump. The 4 percent
level is the level at which procedures instruct operators to secure all emergency
core cooling pumps, thereby terminating any injection. That difference of
29 percent (33 - 4) would be depleted by the containment spray pumps in
approximately 30 minutes. Actions to operate the motor contactors or locally
manually operate the valve were far in excess of this timing, so the analyst
considered that recovery was not possible.
Summary of Internal Events
The table below summarizes the dominant initiators and their contribution to the
increase in core damage frequency. The overall results were an increase in core
damage frequency of 8.2E-6/year from internal events:
Contributor
Increase in Core Damage
Frequency
SLOCA
2.0E-6
Catastrophic Seal LOCA
1.4E-7
Induced Seal LOCA
1.1E-9
Smaller MLOCA
3.8E-8
Larger MLOCA
4.8E-6
Total
7.1E-6
(3)
External Events
The analyst estimated the increase in core damage frequency from all external
events to be 5.4E-7/year, using the individual estimates below.
Seismic. The analyst performed a seismic analysis using Revision 8.23 of the
SPAR model. This analysis used a baseline conditional core damage probability
representing a non-recoverable, switchyard-centered LOOP. The fragilities from
Table AA-2 of Volume 2, External Events, of the Risk Assessment of Operational
A2-13
Events Handbook were used. The increase in core damage frequency from
seismic events was estimated to be 3.2E-7/year.
High winds. The analyst assumed no risk from high winds due to the historically
low tornadic activity at Diablo Canyon.
Fire. The analyst used information from the licensees fire probabilistic risk
assessment model as the best available information to estimate the increase in
core damage frequency from fires. The licensee received their safety evaluation
for approval of application of NFPA 805 and is in transition to full compliance.
The analyst applied the licensees risk achievement worth value of 1.0452 to the
baseline core damage frequency of 1.70E-5/year to estimate the increase in core
damage frequency from fires to be 6.02E-7/year. Due to the low contribution
relative to the internal events estimation of increase in core damage frequency,
the analyst applied a generic recovery failure probability of 2.4E-1 derived from
the SPAR-H for SLOCAs and applied it to all fires. This resulted in an increase in
core damage frequency from fires of 2.2E-7/year.
(4)
The analyst reviewed the dominant sequences and compared them to Manual
Chapter 0609, Appendix H, Containment Integrity Significance Determination
Process. The analyst performed a LERF screening to assess whether any of
the core damage sequences affected by the finding were potential LERF
contributors. The analyst determined that none of the sequences were
significant LERF contributors and the increase in LERF was considered to be
negligible.
(5)
Uncertainties
Analytical
The analyst reviewed the analysis uncertainty for the base case with no recovery
credit for the limited use model with basic event HPI MOV CC 8982B set to
TRUE. The analyst then extrapolated the results to estimate that approximately
75 percent of results from a Monte Carlo distribution resulted in an increase in
core damage frequency between 1.0E-6/year and 1.0E-5/year or less.
Qualitative Considerations
Competing priorities. The detailed risk evaluation only considered the recovery
activities for the failed valve SI-2-8982B. For the core damage sequences of
interest, other plant equipment would malfunction and attempts would be made
to recover them. For example, in a case where the pump on the opposite train of
the recirculation path was not working, operators would be challenged with
additional diagnosis of that problem as well as deciding which recirculation path
was more easily recoverable. This additional diagnosis would divert plant
resources from recovery of valve SI-2-8982B. These competing priorities for
recovery add uncertainty to the detailed risk evaluation performed and would
serve to make recovery more unlikely.
A2-14
Anecdotal information from a simulated recovery attempt. When the inspectors
walked through operation of the valve SI-2-8982B by use of the electrical
contactors with one engineer and two electricians, these individuals initially
indicated that they would operate the contactors as represented in
Procedure O-22. This operation would act to further close the valve, potentially
causing irreparable damage. When the inspectors pointed this out, the
individuals traced the wiring with the electrical drawing and corrected their
response on the proper contactor they would operate. This was done by
electrical personnel in a training environment. The uncertainty in how electrical
personnel, if summoned to assist, would respond was only considered as
success in the analyses. This information for recovery adds uncertainty to the
detailed risk evaluation performed and would serve to make recovery more
unlikely.
Temperature of the Recirculation Valve Chamber. The temperature of the
recirculation valve chamber at the time operators would be required to enter and
manipulate valve 8982B is unknown. If the temperature exceeded 130 degrees
Fahrenheit, local manual valve operation could likely be impossible. This lack of
information adds uncertainty and would serve to make recovery more unlikely.
(6)
Sensitivities
The analyst performed sensitivities runs showing the results for various scenarios
altering the influential assumptions:
Different assumptions of recovery of the valve: The analyst adjusted the
failure probability for various cases and compared them to the assumed
failure probability in the table below:
Failure Probability
of Recovery
Comment
Increase in Internal
Events CDF
1.1E-2
98.9% success in recovery
5.0E-6/year
4.0E-2
96% success in recovery
5.3E-6/year
1.0E-1
90% success in recovery
6.0E-6/year
2.4E-1
76% success in recovery
(assumed in analysis)
7.1E-6/year
5.0E-1
50% success in recovery
9.2E-6/year
No recovery
0% success in recovery
2.0E-5/year
The potential for common cause failure of Train A Valve 8982A is not affected
by the failure of Valve 8982B: The analyst estimated the increase of
removing the cutsets which contained the common cause failure of
valve 8982A. Result: Increase in CDF of 2.7E-6/year
A2-15
Consideration that valves 8982A and 8982B were tested in a staggered
scheme: The analyst assumed the valves were tested nine months apart
vice testing both during refueling outages. Result: Increase in CDF of
4.9E-6/year
Use of the licensees MLOCA frequency value combined with SPAR-H
nominal recovery: The analyst used the licensees lower initiating event
frequency value of 2.3E-5/year along with the SPAR-H nominal recovery
value of 1.1E-2. Result: Increase in CDF of 1.6E-6/year
(7)
Licensee Results
The licensee provided the analyst with their analysis. The estimated increase in
core damage frequency was 2.9E-5/year without recovery applied. This value
did not adjust for common cause failure of the train A valve (valve SI-2-8982A).
The analyst estimated that the SPAR model, when adjusted for catastrophic seal
LOCAs and removal of consideration of elevated common cause failure of the
train A valve, would estimate the increase in core damage frequency of
3.3E-5/year.
The licensee derived a failure probability for recovery with the local manual valve
operation of 1.2E-2. When the licensee applied this recovery to their model, they
estimated the increase in core damage frequency to be 7.5E-7/year. The analyst
considered that the value of 1.2E-2 for recovery was conservative in light of the
numerous adjustments needed to the performance shaping factors for less than
nominal conditions affecting the recoveries. SPAR-H uses a nominal failure
probability of 1.1E-2, which is near the licensees recovery value. The analyst
considered the application of SPAR-H to provide more realistic estimations of
failure probabilities.
(8)
Model Adjustments
Limited Use Model Version DCAN-RICK-2187 of the Diablo Canyon SPAR
Model, was used with SAPHIRE Version 8.1.4. This version incorporated
modifications to the model derived from the lessons learned from NUREG-2187,
Confirmatory Thermal-Hydraulic Analysis to Support Success Criteria in the
Standardized Plant Analysis Risk Models - Byron Unit 1, Revision 0. The
analyst used the default truncation of 1.0E-11.