ML16277A340
| ML16277A340 | |
| Person / Time | |
|---|---|
| Site: | Diablo Canyon  |
| Issue date: | 10/03/2016 |
| From: | Troy Pruett NRC/RGN-IV/DRP |
| To: | Halpin E Pacific Gas & Electric Co |
| Jeremy Groom | |
| References | |
| EA-16-168 IR 2016010 | |
| Download: ML16277A340 (30) | |
See also: IR 05000275/2016010
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
REGION IV
1600 E. LAMAR BLVD.
ARLINGTON, TX 76011-4511
October 3, 2016
Mr. Edward D. Halpin
Senior Vice President
and Chief Nuclear Officer
Pacific Gas and Electric Company
Diablo Canyon Power Plant
P.O. Box 56, Mail Code 104/6
Avila Beach, CA 93424
SUBJECT: DIABLO CANYON POWER PLANT - NRC INSPECTION REPORT
05000275/2016010 AND 05000323/2016010; PRELIMINARY WHITE FINDING
Dear Mr. Halpin:
On September 12, 2016, the U.S. Nuclear Regulatory Commission (NRC) completed an
inspection at your Diablo Canyon Power Plant. On the same date, the NRC inspectors
discussed the results of this inspection with you and other members of your staff. Inspectors
documented the results of this inspection in the enclosed inspection report.
The enclosed inspection report discusses a finding that has preliminarily been determined to be
of low to moderate safety significance (White) that may require additional NRC inspections,
regulatory actions, and oversight. As described in Section 4OA2 of this report, the finding is
associated with an apparent violation of Technical Specification 5.4.1.a, Procedures, for the
failure to develop adequate instructions for the installation of external limit switches on motor-
operated valves. Specifically, Pacific Gas and Electric (PG&E) failed to provide adequate
maintenance instructions for ensuring that these limit switches were operated within the vendor
established overtravel settings. Consequently, the external limit switch for valve RHR-2-8700B,
Unit 2 residual heat removal pump 2-2 suction from the refueling water storage tank, was
installed such that the limit switch was operated beyond the overtravel setting resulting in a
sheared internal roll pin causing the limit switch to fail. The failure of this limit switch resulted in
failure of an input into the open permissive input logic for valve SI-2-8982B, Unit 2 train B
residual heat removal suction from the containment recirculation sump. PG&E restored valve
RHR-2-8700B to operable and replaced affected components, including the limit switch. PG&E
also initiated corrective actions to develop more detailed and appropriate instructions for
installing Namco' Snap Lock position switches.
This finding was assessed based on the best available information using the applicable
Significance Determination Process (SDP). The basis for the NRCs preliminary significance
determination is described in the enclosed report. The NRC performed a detailed risk
evaluation and determined the total resulting incremental conditional core damage
probability for internal and external initiators. Considering the failure mechanism was
E. Halpin -2-
introduced during Refueling Outage 2R17 maintenance in February 2013, and the limit switch
was last successfully tested on October 22, 2014, the NRC evaluated the issue for the period
from October 22, 2014, until the limit switch failure became apparent on May 16, 2016. This
analysis resulted in a preliminary estimate of core damage frequency of 7.6E-06/year,
corresponding to a finding of low to moderate risk significance (White). The NRC will inform you
in writing when the final significance has been determined.
The finding is also an apparent violation of NRC requirements and is being considered for
escalated enforcement action in accordance with the Enforcement Policy, which can be found
on the NRCs Web site at http://www.nrc.gov/about-nrc/regulatory/enforcement/enforce-pol.html.
In accordance with NRC Inspection Manual Chapter 0609, we intend to complete our evaluation
using the best available information and issue our final determination of safety significance
within 90 days of the date of this letter. The significance determination process encourages an
open dialogue between the NRC staff and the licensee; however, the dialogue should not
impact the timeliness of the staffs final determination.
Before we make a final decision on this matter, we are providing you with an opportunity to
(1) attend a Regulatory Conference where you can present to the NRC your perspective on the
facts and assumptions the NRC used to arrive at the finding and assess its significance, or
(2) submit your position on the finding to the NRC in writing. If you request a Regulatory
Conference, it should be held within 40 days of the receipt of this letter, and we encourage you
to submit supporting documentation at least one week prior to the conference in an effort to
make the conference more efficient and effective. The focus of the Regulatory Conference is to
discuss the significance of the finding and not necessarily the root cause or corrective actions
associated with the finding. If a Regulatory Conference is held, it will be open for public
observation. If you decide to submit only a written response, such submittal should be sent to
the NRC within 40 days of your receipt of this letter. If you decline to request a Regulatory
Conference or to submit a written response, you relinquish your right to appeal the final SDP
determination, in that by not doing either, you fail to meet the appeal requirements stated in the
Prerequisite and Limitation sections of Attachment 2 of NRC Inspection Manual Chapter 0609.
Please contact Jeremy Groom at (817) 200-1148 and in writing within 10 days from the issue
date of this letter to notify the NRC of your intentions. If we have not heard from you within
10 days, we will continue with our significance determination and enforcement decision. The
final resolution of this matter will be conveyed in separate correspondence.
Because the NRC has not made a final determination in this matter, no Notice of Violation is
being issued for this inspection finding at this time. In addition, please be advised that the
number and characterization of the apparent violation described in the enclosed inspection
report may change as a result of further NRC review.
E. Halpin -3-
In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter and its
enclosure will be made available electronically for public inspection in the NRC Public Document
Room and in the NRCs Agencywide Documents Access and Management System (ADAMS),
accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html.
Sincerely,
/RA/
Troy W. Pruett, Director
Division of Reactor Projects
Docket Nos. 50-275 and 50-323
License Nos. DPR-80 and DPR-82
Enclosure:
Inspection Report 05000275/2016010 and
w/ Attachments:
1. Supplemental Information
2. Significance Determination
cc w/ enclosure: Electronic Distribution
SUNSI Review ADAMS Non-Sensitive Publicly Available Keyword:
By: JRG Yes No Sensitive Non-Publicly Available NRC-002
OFFICE SRI:DRP/A RI:DRP/A SPE:DRP/A DRS:SRA TL:ACES D:DRS RC:ORA
NAME CNewport JReynoso RAlexander RDeese MHay AVegel KFuller
SIGNATURE /RA/ /RA/ /RA/ /RA/ /RA/ /RA/ /RA/
DATE 09/14/16 09/14/16 09/08/16 09/09/16 09/19/16 09/27/16 09/22/16
OFFICE BC:DRP/A D:DRP
NAME JGroom TPruett
SIGNATURE /RA/ /RA/
DATE 09/26/16 10/3/16
Letter to Edward D. Halpin from Troy W. Pruett dated October 3, 2016
SUBJECT: DIABLO CANYON POWER PLANT - NRC FOCUSED BASELINE INSPECTION
REPORT 05000275/2016010 AND 05000323/2016010; PRELIMINARY WHITE
FINDING
DISTRIBUTION:
Regional Administrator (Kriss.Kennedy@nrc.gov)
Deputy Regional Administrator (Scott.Morris@nrc.gov)
DRP Director (Troy.Pruett@nrc.gov)
DRP Deputy Director (Ryan.Lantz@nrc.gov)
DRS Director (Anton.Vegel@nrc.gov)
DRS Deputy Director (Jeff.Clark@nrc.gov)
Senior Resident Inspector (Christopher.Newport@nrc.gov)
Resident Inspector (John.Reynoso@nrc.gov)
Administrative Assistant (Madeleine.Arel-Davis@nrc.gov)
Branch Chief, DRP/A (Jeremy.Groom@nrc.gov)
Senior Project Engineer, DRP/A (Ryan.Alexander@nrc.gov)
Project Engineer, DRP/A (Matthew.Kirk@nrc.gov)
Project Engineer, DRP/A (Thomas.Sullivan@nrc.gov)
Public Affairs Officer (Victor.Dricks@nrc.gov)
Project Manager (Balwant.Singal@nrc.gov)
Team Leader, DRS/TSS (Thomas.Hipschman@nrc.gov)
RITS Coordinator (Marisa.Herrera@nrc.gov)
ACES (R4Enforcement.Resource@nrc.gov)
Regional Counsel (Karla.Fuller@nrc.gov)
Congressional Affairs Officer (Jenny.Weil@nrc.gov)
RIV Congressional Affairs Officer (Angel.Moreno@nrc.gov)
RIV/ETA: OEDO (Jeremy.Bowen@nrc.gov)
RIV RSLO (Bill.Maier@nrc.gov)
ROPreports.Resource@nrc.gov
ROPassessment.Resource@nrc.gov
U.S. NUCLEAR REGULATORY COMMISSION
REGION IV
Docket: 05000275; 05000323
Report: 05000275/2016010; 05000323/2016010
Licensee: Pacific Gas and Electric Company
Facility: Diablo Canyon Power Plant, Units 1 and 2
Location: 7 1/2 miles NW of Avila Beach
Avila Beach, CA
Dates: May 16 through September 12, 2016
Inspectors: C. Newport, Senior Resident Inspector
J. Reynoso, Acting Senior Resident Inspector
T. Sullivan, Project Engineer
R. Deese, Senior Reactor Analyst
Approved Troy W. Pruett, Director
By: Division of Reactor Projects
Enclosure
SUMMARY
IR 05000275/2016010, 05000323/2016010; 05/16/2016 - 09/12/2016; Diablo Canyon Power
Plant; Problem Identification and Resolution
The inspection activities described in this report were performed between May 16 and
September 12, 2016, by the resident inspectors at Diablo Canyon Power Plant and inspectors
from the NRCs Region IV office. The inspectors identified a preliminary White finding
associated with an apparent violation of NRC requirements. The significance of inspection
findings is indicated by their color (Green, White, Yellow, or Red), which is determined using
Inspection Manual Chapter 0609, Significance Determination Process, issued April 29, 2015.
Their cross-cutting aspects are determined using Inspection Manual Chapter 0310, Aspects
within the Cross-Cutting Areas, issued December 4, 2014. Violations of NRC requirements are
dispositioned in accordance with the NRC Enforcement Policy. The NRCs program for
overseeing the safe operation of commercial nuclear power reactors is described in
NUREG-1649, Reactor Oversight Process.
Cornerstone: Mitigating Systems
- Preliminary White. The inspectors identified a preliminary White finding associated with
an apparent violation of Technical Specification 5.4.1.a, Procedures, for the licensees
failure to develop adequate instructions for the installation, adjustment, and testing of
Namco' Model EA170 snap lock limit switches. Specifically, the licensee failed to provide
site-specific instructions for limiting the travel of these external limit switches when installed
on safety-related motor operated valves. Consequently, the lever switch actuator for valve
RHR-2-8700B, residual heat removal pump 2-2 suction from the refueling water storage
tank, was installed such that the limit switch was operated repeatedly in an over-travel
condition resulting in a sheared internal roll pin that ultimately caused the limit switch to fail.
Following identification of this issue, the licensee replaced the limit switch for valve
RHR-2-8700B and implemented actions to modify maintenance procedures for installing,
calibrating, and testing motor-operated valve external limit switches. The licensee entered
this issue into their corrective action program as Notification 50852345.
The performance deficiency is more than minor, and therefore a finding, because it is
associated with the procedure quality attribute of the Mitigating Systems cornerstone and
adversely affected the cornerstone objective to ensure the availability, reliability, and
capability of systems that respond to initiating events to prevent undesirable consequences
(i.e., core damage). Specifically, maintenance procedure MP E-53.10R, Augmented Stem
Lubrication for Limitorque Operated Valves, used to perform limit switch adjustments on the
Unit 2 valve RHR-2-8700B, did not provide adequate acceptance criteria to prevent
overtravel of the limit switch actuating lever. This resulted in a subsequent failure of the limit
switch, preventing the open permissive signal for valve SI-2-8982B, residual heat removal
pump 2-2 suction from the containment recirculation sump, used during the emergency core
cooling system (ECCS) recirculation mode. The inspectors evaluated the finding using the
Attachment 0609.04, "Initial Characterization of Findings," worksheet to Inspection Manual
Chapter (IMC) 0609, Significance Determination Process, issued June 19, 2012. The
attachment instructs the inspectors to utilize IMC 0609, Appendix A, Significance
Determination Process (SDP) for Findings At-Power, issued June 19, 2012. In accordance
with NRC Inspection Manual Chapter 0609, Appendix A, Exhibit 2, Mitigating Systems
Screening Questions, the inspectors determined that the finding required a detailed risk
evaluation because it represented an actual loss of function of the train B ECCS for greater
-2-
than its technical specification allowed outage time. A senior reactor analyst performed a
detailed risk evaluation in accordance with IMC 0609, Appendix A, Section 6.0, Detailed
Risk Evaluation. The calculated increase in core damage frequency was dominated by
small and medium loss of coolant accident initiators with failures of the opposite train of
ECCS or related support systems. The analyst did not evaluate the large early release
frequency because this performance deficiency would not have challenged the containment.
The NRC preliminarily determined that the increase in core damage frequency for internal
and external initiators was 7.6E-06/year, a finding of low to moderate risk significance
(White). The inspector did not identify a cross-cutting aspect with this finding because it was
not reflective of current performance. The inadequate procedure was developed in 2011
and did not reflect the licensees current performance related to procedure development.
(Section 4OA2)
-3-
REPORT DETAILS
4. OTHER ACTIVITIES
Cornerstone: Mitigating Systems
4OA2 Problem Identification and Resolution (71152)
Annual Follow-up of Selected Issues
a. Inspection Scope
On May 16, 2016, during performance of surveillance procedure PEP V-7B, "Test of
ECCS Valve Interlocks," Revision 9, valve SI-2-8982B, Unit 2 residual heat removal
(RHR) pump 2-2 suction from the containment recirculation sump, failed to open from
the main control room. Subsequent review determined that external limit switch,
POS-648, for valve RHR-2-8700B, RHR 2-2 suction from the refueling water storage
tank (RWST), was in a failed position. The failure of this limit switch prevented the open
permissive signal for valve SI-2-8982B. Investigation by the licensee concluded that
limit switch POS-648 failed due to a sheared internal roll pin.
The inspectors assessed the licensees problem identification threshold, cause analyses,
and verified that corrective actions were commensurate with the significance of the
issue, appropriately prioritized and that these actions were adequate to correct the
condition. The inspectors also reviewed the licensees use of operating experience and
their incorporation of vendor guidance into site-specific maintenance procedures.
These activities constituted completion of one annual follow-up sample as defined in
b. Findings
Failure to Establish Adequate Work Instructions for Installation of Namco' Snap Lock
Limit Switches
Introduction. The inspectors identified a preliminary White finding associated with an
apparent violation of Technical Specification 5.4.1.a, Procedures, for the licensees
failure to develop adequate instructions for the installation, adjustment and testing of
Namco' Model EA170 snap lock limit switches. Specifically, the licensee failed to
provide site-specific instructions for limiting the travel of these external limit switches
when installed on safety-related motor operated valves. Consequently, the lever switch
actuator for valve RHR-2-8700B was installed such that the limit switch was operated
repeatedly in an over-travel condition resulting in a sheared internal roll pin that
ultimately caused the limit switch to fail.
Description. On May 16, 2016, the licensee performed surveillance procedure
PEP V-7B, "Test of ECCS Valve Interlocks," Revision 9, to test various interlock and
permissive circuits for the emergency core cooling system (ECCS). One interlock test
involved valve circuitry needed to transfer the RHR pump suction from the RWST to the
containment recirculation sump during the ECCS recirculation mode. During a loss of
coolant accident, operators would implement ECCS recirculation by closing the RWST to
RHR suction valves, valves RHR-8700A and RHR-8700B, and opening the containment
-4-
recirculation sump suction valves, SI-8982A and SI-8982B. The ECCS system design
includes an interlock, tested during procedure PEP V-7B, to ensure that operators can
only open containment sump suction valves if the respective RWST suction valve is
closed.
During performance of procedure PEP V-7B, Step 12.14.2, valve SI-2-8982B, RHR
pump 2-2 suction from the containment recirculation sump, failed to open from the main
control room. Licensee troubleshooting determined that external limit switch, POS-648,
for valve RHR-2-8700B, RHR pump 2-2 suction from the RWST, was in a failed position.
The failure of this limit switch, caused by a sheared internal roll pin, prevented the open
permissive signal for valve SI-2-8982B. Since limit switch POS-648 failed during a
planned refueling outage with Diablo Canyon Unit 2 shutdown, no technical specification
entries were necessary. The licensee replaced limit switch POS-648 under Work Order 60090383 on May 18, 2016, prior to exiting the planned refueling outage. The licensee
entered this issue into their corrective action program as Notification 50852345.
The inspectors reviewed the work history for valve RHR-2-8700B and limit switch
POS-648. During refueling outage 2R17 completed on February 21, 2013, the licensee
implemented Work Order 64014195 to replace the Limitorque actuator stem nut for valve
RHR-2-8700B and completed maintenance procedure E-53.10R, Augmented Stem
Lubrication for Limitorque Operated Valves, Revision 4. This maintenance included
removal and replacement of limit switch POS-648 and its actuating lever. The
inspectors noted that procedure MP E-53.10R included instructions for re-installing the
stem mounted position switches and checks for proper operation. Specifically,
procedure MP E-53.10R, Step 7.9.2(h), included instructions to Check switches are
properly operating by listening for an audible click from switch when valve is cycled
OPEN and CLOSED.
The inspectors noted that the licensee successfully tested POS-648 as part of
post-maintenance testing for Work Order 64014195 and again on October 22, 2014,
when procedure PEP V-7B was last performed. The licensee cycles valve
RHR-2-8700B quarterly as part of the inservice testing (IST) program; however, the
quarterly IST does not test the interlock provided by limit switch POS-648. As such, the
inspectors concluded that POS-648 failed sometime between the last successful
performance of surveillance procedure PEP V-7B on October 22, 2014, and the failure of
valve SI-2-8982B to open on May 16, 2016.
Limit switch POS-648 is a Namco' Model EA170 snap lock position switch, designed to
snap over when actuated and includes a hard stop. The inspectors reviewed applicable
maintenance, design, and testing instructions provided by the limit switch vendor. Within
the publically available vendor documents, the inspectors identified the following
precaution relative to the design, installation, and operation of Namco' Snap-Lock Limit
switches:
Operating mechanisms for limit switches MUST BE so designed
that, under any operating or emergency conditions, the limit switch
is not operated beyond its overtravel limit position.
The vendor guidance also directed switch owners to the specific bulletin for the switch
overtravel specifications. The inspectors reviewed the switch bulletin for Namco'
Model EA170-35100 snap lock limit switches, the same model used for POS-648. The
inspectors noted that the switch specifications included a recommended travel
-5-
of 7 degrees based on a required trip of 6.5 degrees, and a maximum overtravel of
36 degrees. The inspectors reviewed as-found photos of POS-648 following the
May 16, 2016, failure and noted that the switch actuating arm position was at a nearly
45-degree angle relative to the normal position indicating that the position switch had
exceeded the overtravel specification.
The inspectors determined that when POS-648 was re-installed following maintenance
on February 21, 2013, the licensee did not set the switch and actuating arm correctly in
accordance with the vendor recommendations to ensure that the overtravel specification
was not exceeded. By operating the switch beyond the overtravel specification, valve
force was applied to the limit switch lever and internal roll pin after reaching a hard stop.
The repeated overloading of the lever roll pin eventually led to the failure of POS-648.
While the instructions in procedure MP E-53.10R, Step 7.9.2.(h), to check for proper
operation by listening for an audible click, would verify the limit switch changed state, the
inspectors determined this procedure step was inadequate to prevent overtravel of the
externally mounted limit switch. Specifically, the inspectors determined that the
procedure lacked specificity because it only ensured that the trip and reset of the switch
occurs as the valve is exercised but did not provide adequate instructions to ensure the
switch overtravel specification was not exceeded.
The inspectors interviewed licensee personnel responsible for determining the cause of
the failure of POS-648. During that interview, the licensee shared conclusions regarding
the cause of the failure of POS-648 that corresponded with the independent conclusions
developed by the inspectors. In particular, the licensee determined that the
maintenance instructions in procedure MP E-53.10R to listen for an audible click were
insufficient to prevent over-ranging of the position switch lever. The licensee performed
an extent-of-condition review of other motor operated valve (MOV) external limit
switches that provide control or logic functions but would not provide an audible alarm or
other indication if in a failed state. The licensee identified fifteen other limit switches that
could be susceptible to the failure mechanism experienced on limit switch POS-648.
The licensee walked down these switches on June 1, 2016, and identified no other
similar switch installation problems. Notification 50852345 included corrective action
CA 1, due March 20, 2017, to revise procedure MP E-53.10R to include detailed
instructions for setting the travel of externally mounted limit switches.
Analysis. The inspectors determined the failure to establish adequate adjustment
criteria for maintenance procedure MP E-53.10R was a performance deficiency. The
performance deficiency is more than minor, and therefore a finding, because it is
associated with the procedure quality attribute of the Mitigating Systems cornerstone,
and adversely affected the cornerstone objective to ensure the availability, reliability, and
capability of systems that respond to initiating events to prevent undesirable
consequences (i.e., core damage). Specifically, procedure MP E-53.10R, used by the
licensee to perform limit switch adjustments on the Unit 2 valve RHR-2-8700B, did not
provide adequate acceptance criteria to prevent overtravel of the actuating lever. This
resulted in a subsequent failure of the limit switch, preventing the open permissive signal
for valve SI-2-8982B, residual heat removal pump 2-2 suction from the containment
recirculation sump, used during the ECCS recirculation mode. The inspectors evaluated
the finding using the Attachment 0609.04, "Initial Characterization of Findings,"
worksheet to Inspection Manual Chapter (IMC) 0609, Significance Determination
Process, issued June 19, 2012. The attachment instructs the inspectors to utilize
-6-
IMC 0609, Appendix A, Significance Determination Process (SDP) for Findings At-
Power, issued June 19, 2012. In accordance with NRC Inspection Manual
Chapter 0609, Appendix A, Exhibit 2, Mitigating Systems Screening Questions, the
inspectors determined that the finding required a detailed risk evaluation because it
represented an actual loss of function of the train B ECCS for greater than its technical
specification allowed outage time. A senior reactor analyst performed a detailed risk
evaluation in accordance with IMC 0609, Appendix A, Section 6.0, Detailed Risk
Evaluation.
Small and medium loss of coolant accident initiators with failures of the opposite train of
ECCS or related support systems dominated the calculated increase in core damage
frequency. The analyst did not evaluate the large early release frequency because this
performance deficiency would not have challenged the containment. The NRC
preliminarily determined that the increase in core damage frequency for internal and
external initiators was 7.6E-06/year, in the low to moderate risk significance range
(White). The results of the detailed risk evaluation are included in Attachment 2 of this
report.
The inspector did not identify a cross-cutting aspect with this finding because it was not
reflective of current performance. The inadequate procedure was developed in 2011
and did not reflect the licensees current performance related to procedure development.
Enforcement. Technical Specification 5.4.1.a, Procedures, requires, in part, that
written procedures shall be established, implemented, and maintained covering the
applicable procedures recommended in Appendix A of Regulatory Guide 1.33,
Revision 2. Section 9.a of Appendix A of Regulatory Guide 1.33, Revision 2, requires in
part, that maintenance that can affect the performance of safety-related equipment
should be properly preplanned and performed in accordance with written procedures,
documented instructions, or drawings appropriate to the circumstances. On
December 5, 2011, the licensee established procedure MP E-53.10R, Augmented Stem
Lubrication for Limitorque Operated Valves, Revision 4, to perform maintenance on
safety-related equipment including motor operated valves and their external limit
switches. Contrary to the above, on December 5, 2011, the licensee failed to establish
written procedures for performing maintenance on safety-related equipment which were
appropriate to the circumstances. Specifically, the procedure only checked that motor
operated valve external limit switches changed position during valve exercise but did not
provide instructions to establish and check the travel of these switches within vendor
established criteria. Consequently, the limit switch for valve RHR-2-8700B was installed
such that it was operated repeatedly beyond overtravel tolerances resulting in its failure.
The licensee entered this issue into their corrective action program as Notification
50852345 and initiated action to replace the failed limit switch. The licensee also
initiated corrective actions to change maintenance procedure MP E-53.10R to ensure
adequate acceptance criteria for limit switch travel were included, and performed an
extent of condition for all other MOV stem mounted position switch interlocks circuits. As
a consequence of this failed limit switch, the licensee was also in violation of Unit 2
Technical Specification 3.5.2, ECCS - Operating, because train B of the ECCS was
determined to be inoperable for greater than the technical specification allowed outage
time of 14 days, and the licensee failed to take actions required of the limiting condition
of operation. Because this finding has been preliminarily determined to be of greater
than very low safety significance (i.e., greater than Green), it is being characterized as
-7-
an apparent violation. AV 05000323/2016010-01, Failure to Establish Adequate Work
Instructions for Installation of Namco' Snap Lock Limit Switches
4OA6 Meetings, Including Exit
Exit Meeting Summary
On September 13, 2016, the inspectors presented the inspection results to Mr. E. Halpin, Senior
Vice President and Chief Nuclear Officer, and other members of the licensee staff. The licensee
acknowledged the issues presented. The licensee confirmed that any proprietary information
reviewed by the inspectors had been returned or destroyed.
-8-
SUPPLEMENTAL INFORMATION
KEY POINTS OF CONTACT
Licensee Personnel
T. Baldwin, Director, Nuclear Site Services
D. Evans, Director, Security & Emergency Services
L. Fusco, Manager, Mechanical Engineering
P. Gerfen, Station Director
M. Ginn, Manager, Emergency Planning
E. Halpin, Sr. Vice President, Chief Nuclear Officer Generation
H. Hamzehee, Manager, Regulatory Services
A. Heffner, NRC Interface, Regulatory Services
L. Hopson, Director Maintenance Services
T. Irving, Manager, Radiation Protection
K. Johnston, Director of Operations
M. McCoy, NRC Interface, Regulatory Services
J. Morris, Supervisor, Nuclear Regulatory Services
C. Murry, Director Nuclear Work Management
J. Nimick, Senior Director Nuclear Services
P. Nugent, Director, Quality Verification
A. Peck, Director, Nuclear Engineering
A. Warwick, Supervisor, Emergency Planning
J. Welsch, Site Vice President
R. West, Manager, System Engineering
LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED
Opened
Failure to Establish Adequate Work Instructions for Installation of
Namco' Snap Lock Limit Switches (Section 4OA2)
Section 4OA2: Problem Identification and Resolution
Procedures
Number Title Revision
PEP V-7B Test of ECCS Valve Interlocks 8
MP E-53.10R Augmented Stem Lubrication For Limitorque Operated 4-7
Valves
OP O-22 Emergency Operation of Motor Operated Valves 6
E-0 Reactor Trip or Safety Injection 35
EOP E-1.3 Transfer to Cold Leg Recirculation 22
Attachment 1
MP E-53.10A1 Low Impact External Inspections of Limitorque Motor 1
Operators
Notifications
50852066 50852180 50852345 50861001
Drawings
Number Title Revision
441239 Unit 2, Single Line Meter and Relay Diagram 480V System 48
Bus Section 2H
441310 Unit 2, Schematic Diagram Residual Heat Removal Motor 31
Operated Valves
441317 Unit 2, Schematic Diagram Safety Injection System Motor 19
Operated Valves
500628 Unit 2, Electrical Diagram of connections, Elevation 115-140 26
foot, Area H
507610 Unit 2, Arrangement of Electrical Equipment at Elevation 16
100, Area H
Work Orders
64014195
Miscellaneous
Number Title Revision
Calculation SI-2-8982B Failure to Open During PEP V-7B in 2R19 due 0
SDP16-02 to Damaged Closed Position Switch for 8700B
A1-2
Significance Determination
Significance Determination Basis:
(a) Screening Logic
Minor Question: In accordance with NRC Inspection Manual Chapter 0612,
Appendix B, Issue Screening, the finding was determined to be more than minor
because it was associated with the procedure quality attribute of the Mitigating
Systems Cornerstone, and affected the associated cornerstone objective to ensure
availability, reliability, and capability of systems that respond to initiating events to
prevent undesirable consequences. Specifically, the performance deficiency
associated with the inadequate maintenance procedure resulted in inadequate
criteria to ensure limit switch adjustments did not result in overtravel of the actuating
lever for valve RHR-2-8700B. This resulted in a subsequent failure of limit switch
POS-648, affecting the availability of the ECCS because this limit switch provides the
open permissive signal for valve SI-2-8982B, the containment sump suction for the
RHR system.
Initial Characterization: Using Manual Chapter 0609, Attachment 4, Initial
Characterization of Findings, the inspectors determined that the finding could be
evaluated using the significance determination process. In accordance with Table 3,
SDP Appendix Router, the inspectors determined that the subject finding should be
processed through Appendix A, The Significance Determination Process (SDP) for
Findings At-Power, Exhibit 2, Mitigating Systems Screening Questions, dated
July 1, 2012.
Issue Screening: In accordance with NRC Inspection Manual Chapter 0609,
Appendix A, Exhibit 2, Mitigating Systems Screening Questions, the inspectors
determined that the finding required a detailed risk evaluation because it represented
an actual loss of function of the Unit 2 train B ECCS for greater than its technical
specification allowed outage time (i.e., 14 days). A senior reactor analyst performed
a detailed risk evaluation in accordance with IMC 0609, Appendix A, Section 6.0,
Detailed Risk Evaluation.
Results: The detailed risk evaluation result is an increase in core damage frequency
from the performance deficiency of 7.6E-6/year, characterizing the significance of the
finding to be of low to moderate safety significance. This estimate used best
available information and estimated the increase in core damage frequency to
be 7.1E-6/year from internal events and 5.4E-7/year from external events.
(b) Detailed Risk Evaluation:
(1) Assumptions
Exposure time. The exposure time was 286 days. The licensee last successfully
tested valve SI-2-8982B and the interlock associated with POS-648 on
October 22, 2014. Valve SI-2-8982B failed to open 572 days later on May 16,
2016. Since the inception of the failure of the limit switch after the last operation
could not be determined, the analyst used a t/2 approached and assumed the
exposure time to be half of 572 days, or 286 days. Repair time was not added
Attachment 2
because the deficiency was discovered and returned to a functional status during
an outage when the valve was not needed.
Recovery. Overall recovery was assumed to have a failure probability of 2.4E-1
for small break LOCAs and smaller medium break LOCAs (MLOCAs); 3.4E-2 for
seal LOCAs; and 1.0 for larger MLOCAs. Two methods of recovery were
available - (1) local manual valve operation, and (2) electrical bypassing of the
interlock through manual contactor operation. The derivation of these recoveries
is covered in the Internal Events section of this evaluation.
Common cause. The increased potential for common cause failure of Valve
SI-2-8982A, the same valve on the redundant train, was considered applicable.
The analyst was unaware of any programmatic licensee action to defend against
common cause failure; therefore, the analyst set the failure of valve SI-2-8982B
to TRUE in the SPAR model. This increased the probability of common cause
failure of Valve SI-2-8982A from 3.6E-5 to 3.8E-2.
The analyst also considered the remaining valves installed on Units 1 and 2 with
externally mounted limit switches that receive the same maintenance as the
valve that is the subject of the performance deficiency. For Unit 1, the analyst
determined that the issue would be of very low safety significance since there
was not an actual failure of a component.
For Unit 2, the remaining valves would not result in a significant increase in risk
because the external limit switches are either 1) only associated with an
annunciator function, 2) only associated with an equipment interlock function that
is not used in an accident scenario or, 3) only associated with an equipment
interlock function needed for long-term containment pressure control.
Operating history. The analyst assumed the plant operated at power or at
shutdown conditions above those that necessitated operation of the RHR system
for decay heat removal during the entire exposure time. This allowed the analyst
to use the at-power SPAR model for the entire exposure time.
(2) Internal Events
Background / Introduction. The results of the probabilistic risk assessment (PRA)
tool showed that the performance deficiency affected two initiators - small break
loss of coolant accidents (SLOCA) and MLOCA. These events are characterized
by reactor coolant leaking from the reactor coolant system, which would act to
lower inventory and pressure of the reactor coolant system. In response to the
loss of coolant and system pressure, a safety injection actuation signal actuates
to start ECCS pumps. These pumps include both RHR pumps, both safety
injection pumps, and both charging pumps. These pumps take suction from the
refueling water storage tank, pump water into the reactor coolant system, which
in turn leaks out of the break and into the containment where it collects in the
containment recirculation sump. When the refueling water storage tank level
reaches 33 percent level, operators secure the RHR pumps and perform valve
manipulations to swap the suction of the emergency core cooling pumps from the
refueling water storage tank to the containment recirculation sump. Valve
SI-2-8982B is the first valve in the flowpath leading from the containment sump.
The inability to open valve SI-2-8982B renders train B of core cooling inoperable
A2-2
during the recirculation phase of LOCAs. The licensee would have options to
recover and open the valve, which are discussed in this evaluation. The licensee
would also have the redundant train A flowpath available to successfully cool the
reactor core if valve SI-2-8982B were unrecoverable. PRA demonstrates that the
dominant core damage sequences involve failures of the train A flowpath and the
inability to recover valve SI-2-8982B.
Small Break Loss of Coolant Accidents
For the purposes of this evaluation, SLOCA include pipe breaks up to 2 inches,
catastrophic reactor coolant pump seal failures (seal LOCAs), and seal LOCAs
caused by losses of cooling to the reactor coolant pump seals (brought about by
loss of power to cooling for the seals).
SLOCA comprises 26.0 percent of the increase in core damage frequency. The
results are driven by the failure of valve SI-2-8982B, failures of train A flowpath
for recirculation sump flow, and the ability or inability to operate valve SI-2-8982B
by alternative means.
The primary contributor of failures of the train A flowpath is attributed to an
increased probability of common cause failure of its sump valve SI-2-8982A.
Because valve SI-2-8982B failed and valve SI-2-8982A is subject to the same
environment, maintenance, testing, etc., valve SI-2-8982A is exposed to an
increased probability of failure. The common cause failure of SI-2-8982A
comprises approximately two-thirds of the increase in core damage frequency
from SLOCAs. The remainder of the increase in core damage frequency comes
from power failures to components in the train A flowpath, valve failures in the
flowpath, and pumps failures in the flowpath.
Recovery of valve SI-2-8982B through alternative means is also a contributor.
These alternative means include either electrical operation by use of the motor
contactors or manually by accessing the valve and operating the handwheel on
the valve.
Recovery of Valve SI-2-8982B
Recovery actions to open valve SI-2-8982B are available by two alternate
means, either electrically by use of the motor contactors, or manually by
accessing the valve and operating the handwheel on the valve. In developing
their assessment of the success probability of recovering valve SI-2-8982B, the
licensee interviewed operators who indicated that both recoveries would be
pursued in parallel.
1. Electrical operation of Valve SI-2-8982A by use of motor contactors. This
recovery option takes advantage of the ability to bypass the interlock circuitry,
which is the subject of the performance deficiency, preventing valve SI-2-8982B
from opening. Manual operation of the electrical contactors provided line power
directly to the motor operator for valve SI-2-8982B. Operation of the electrical
contactors could be successful if properly performed, but inspectors found
several impediments to absolute success.
A2-3
The first potential impediment was the adequacy of procedural guidance used for
the electrical operation recovery option. The direction to pursue recovery paths
to open valve SI-2-8982B is contained in Emergency Operating Procedure (EOP)
Emergency Contingency Action (ECA) 1.1, Loss of Emergency Coolant
Recirculation, Revision 21. Step 2 of ECA 1.1 instructs operators to restore
emergency coolant recirculation equipment by several means. Step 2.d has
operators check power available to valves required for recirculation swap over
and refer to an appendix with valve power supplies. The performance deficiency
would not result in a loss of the valves main power supply. Instead, the
performance deficiency would result in the main-line contacts being held open by
the control circuit for valve SI-2-8982B. The analyst considered this an
impediment to recovery because the procedure did not explicitly call out actions
for a loss of control power to the motor operator. The analyst concluded from the
licensees analysis that operator experience would guide them to use Step 2.d as
the best fit for troubleshooting and take the steps response not obtained action
to locally operate the valves as required. The analyst judged that local
operations are at the location of the valve, not in the electrical cabinet located
away from the valve, and that this action to locally operate the valve did not
specifically address use of the electrical contactors. Again, the analyst
determined, based on interviews and discussions with the licensee, that operator
experience and training could employ this as an option even though it is not
explicitly called for in the emergency procedure.
The licensee established procedure O-22, Emergency Operation of Motor
Operated Valves, Revision 6 to operate motor operated valves through use of
the motor contactor. Procedure O-22 requires phone communication between
the control board operator in the control room and the operator in the field at the
cabinet when operating the valve. Inspectors toured the licensees training
facilities used to instruct operators on how to locally operate contactors. The
inspectors noted that the electrical cabinet used to train operators used a
Telemecanique brand contactor, different from the Westinghouse Cutler Hammer
brand contactors installed in the cabinet for valve SI-2-8982B. The different
contactors have different operating methods. To operate the Telemecanique
contactors, operators insert non-conducting rods above and below the contactor
of interest. To operate the Westinghouse contactors, operators depress a gray
plastic armature position indicator.
The analyst concluded that the difference in layout and methods of operating
contactors between the training electrical cabinet and the plant electrical cabinet
would present challenges to successful operation of the contactor. Also, during a
walkdown with the licensee electricians, the inspectors noted that the electrical
cabinet for valve SI-2-8982B housed both the open and close contactors.
However, these contactors are not labelled such that an operator could tell which
contactor was the open contactor.
The inspectors noted that Procedure O-22, Attachment 2, provided a typical
cabinet layout for motor-operated valves in the plant. This diagram showed the
open contactor located above the close contactor. During the walkdown, the
inspectors asked electrical personnel if the orientation illustrated in
Procedure O-22, Attachment 2, was the same orientation for the cabinet for valve
SI-2-8982B. After approximately 6 minutes of inspecting the cabinet with the
A2-4
electrical schematic diagram, the three electrical personnel determined that the
orientation was opposite of that illustrated in Procedure O-22, because the close
contactor was located above the open contactor. The analyst considered these
aspects to be additional impediments to successful operation of the valve.
The inspectors noted that prior to Step 6.11, the step instructing operators to
locate the appropriate contactor, Procedure O-22 included a boxed Note that
read, Those contactors that cant be clearly identified may require assistance
from engineering or maintenance for positive identification.
The analyst concluded that Procedure O-22, Attachment 2 that provided a typical
cabinet layout for motor operated valves, created a likelihood that some
operators would consider the valve SI-2-8982B contactor orientation typical and
not heed this note. The analyst also considered that to follow the note, additional
time is required to have an engineer or electrician report to the cabinet, obtain
the proper electrical print, and trace the cabinet wiring to ascertain which
contactor was the open contactor and which contactor was the close contactor.
This additional time affects the time available to open the valve using the
electrical contractor and adversely influences the success rate of this action. The
analyst also noted that operation of the contactors would require a screwdriver to
defeat the door latch breaker trip and the operator would have to be dressed in
an arc flash suit which the operator would have to obtain prior to this action.
The consequences of operating the incorrect contactor are potentially severe. If
the licensee personnel operated the close contactor thinking they were opening
the valve, the valve motor would drive the valve in the close direction with all of
the motor-operated valve protective features bypassed. Because the valve is
already closed, the motor would be in a stall condition and motor current would
be at or near locked rotor amperage. The potential consequences of this
mis-operation could include motor damage or burnout.
The analyst included these factors in the human reliability analyses performed
using the SPAR-H method.
With the two methods performed in parallel (i.e., electrical contactors and manual
valve manipulation methods), the inspectors concluded that the electrical
contactor method would be ready for attempted use first. The assumed timing
was:
Action Time Total time
(minutes) (hh:mm)
Briefing the operation 15 00:15
Gather tools, dress out in arc flash suit, report to 20 00:35
breaker, open cabinet
Recognize no labelling, summons electrician to 10 00:45
cabinet
Obtain electrical print 10 00:55
A2-5
Operate contactor (valve) 5 01:00
When added to the 10 minutes assumed to attempt swap over to recirculation
and 30 minutes assumed to troubleshoot the issue, diagnose indications, and
decide on a course of action, the analyst estimated a total time to success of
approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 40 minutes.
The analyst used these points to obtain the following human reliability analysis:
Electrical Recovery - Diagnosis (=1E-2)
Time Available Extra 0.1 The 1:40 hour time to diagnose and
perform gives extra time when
compared to the licensees estimate
of 2:35 hour to deplete the RWST
(applying both diagnosis and
action). The time from a depleted
RWST until occurrence of core
damage was also considered.
Stress High 2 The level of stress would be higher
than the nominal level due to
unexpected alarms being present
and consequences that could
threaten plant safety.
Complexity Nominal 1 No event information is available to
warrant a change in this diagnosis
performance shaping factor (PSF)
from Nominal.
Experience/Training Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Procedures Incomplete 20 Task instructions are absent to
guide the operator to the
appropriate electrical contactor
operation
Ergonomics Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Fitness For Duty Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Work Processes Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Result = 4E-2 = 0.1 x 2 x 1 x 1 x 20 x 1 x 1 x 1 x 1E-2
A2-6
Electrical Recovery - Action (=1E-3)
Time Available Extra 0.1 The 1:40 hour time to diagnose and
perform gives extra time when
compared to the licensees estimate
of 2:35 hour to deplete the RWST
(applying both diagnosis and
action). The time from a depleted
RWST until occurrence of core
damage was also considered.
Stress High 2 The level of stress would be higher
than the nominal level due to
unexpected alarms being present
and consequences that could
threaten plant safety.
Complexity Highly 5 The evolution involved equipment
line-up that involved defeated
interlocks on valves, a highly
complex task.
Experience/Training Low 3 Different contactors were present in
the cabinet than were trained on
during operator training.
Procedures Incomplete 20 The procedure provided operators
with a generic orientation of the
contactors which did not match the
in-plant configuration. The note for
operators to seek assistance is not
explicit, stating that the situation ..
may require assistance..
Ergonomics Poor 10 The contactors in the panel are not
labelled causing poor human-
machine interface.
Fitness For Duty Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Work Processes Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
PSF = 0.1 x 2 x 5 x 3 x 20 x 10 x 1 x 1 = 600
Result = 3.8E-1 = 1E-3 x 600 / [1E-3 x (600 - 1)] + 1
Combining diagnosis and action (4.0E-2 + 3.8E-1) yielded a failure probability of
4.2E-1.
2. Manual operation of Valve SI-2-8982A by handwheel. This recovery action
involves operators utilizing the handwheel to open valve SI-2-8982B. The
analyst considered the diagnosis to employ this option to be similar to the
decision for electrical contactor operation, except Procedure ECA 1.1 was
appropriate in directing local manual valve operations. Also the analyst
concluded the assumption of 10 minutes to attempt swap over to recirculation
and 30 minutes to troubleshoot the issue, diagnose indications, and decide on a
A2-7
course of action that was appropriate for diagnosis of this action. The inspectors
considered that the local manual valve operation path would present operators
with the decision to incur more dose, face uncertain environmental and
radiological factors at the valve, the potential to introduce a containment bypass
flowpath, and the manual handwheel option requires more time than the
electrical contactor option. In their analysis, the licensee considered this local
manual valve operation as the sole credited recovery option. However, for the
previously stated reasons, the analyst concluded this option would be employed
after the electrical contactor option.
The inspectors noted several attributes of this action made it more complex. The
valve is located adjacent to the containment in a special chamber. The chamber
has an enclosed environment that may become radioactively contaminated
following a LOCA. The licensee would need to implement actions to sample the
environment for suitable breathing to prevent a radioactive intake. Alternatively,
an operator would have to don protective clothing to prevent contaminating
himself, don a respirator, climb a ladder to enter the chamber, and operate the
valve. Any leakage from this valve (e.g., packing leakage) could serve to
pressurize this chamber and require additional protective clothing to prevent
contamination. To access the valve inside of the chamber, the licensee needs to
remove 32 nuts, which act to secure the chamber. This additional time affects
the time available to open the valve and adversely influences the success rate of
this action.
The licensee estimated 90 minutes would be required to brief personnel, gather
tools, and open the manway. Next the licensee estimated 10 minutes to open
the valve. The analyst noted that according to licensee information, the valve
would take 468 turns of the handwheel to open the valve. Factoring in fatigue
from repetitive motion along with potentially cumbersome clothing in a hot
environment, 25 minutes (or one turn approximately every 3 seconds) would be
required. This makes the timeline as follows for execution:
Action Time Total time
(minutes) (hh:mm)
Briefing the operation, gather tools, and open 90 01:30
manway
Operate valve 25 01:55
When added to the 10 minutes assumed to attempt swap over to recirculation
and 30 minutes assumed to troubleshoot the issue, diagnose indications, and
decide on a course of action, the total time to success was estimated to be
approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and 35 minutes (2.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />).
A2-8
The analyst used these points to obtain the following human reliability analysis:
Mechanical Recovery - Diagnosis (=1E-2)
Time Available Nominal 1 The 2:35 hour time to diagnose and
perform gives nominal time when
compared to the licensees estimate
of 2:35 hour to deplete the RWST
(applying both diagnosis and action).
Combined with the time from a
depleted RWST until occurrence of
core damage.
Stress High 2 The level of stress would be higher
than the nominal level due to
unexpected alarms being present
and consequences that could
threaten plant safety.
Complexity Moderate 2 Several variables are involved in
diagnoses including the knowledge
of introducing a potential
containment bypass path.
Experience/Training Nominal 1 Adequate amount of instruction to
perform.
Procedures Nominal 1 Evaluated not to be a performance
driver.
Ergonomics Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Fitness For Duty Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Work Processes Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Result = 4.0E-2 = 1 x 2 x 2 x 1 x 1 x 1 x 1 x 1
Mechanical Recovery - Action (=1E-3)
Time Available Nominal 1 The 2:35 hour time to diagnose and
perform gives nominal time when
compared to the licensees estimate
of 2:35 hour to deplete the RWST
(applying both diagnosis and
action). Combine with the time from
a depleted RWST until occurrence
of core damage.
Stress High 2 The level of stress would be higher
than the nominal level due to
unexpected alarms being present
and consequences that could
threaten plant safety.
A2-9
Mechanical Recovery - Action (=1E-3)
Complexity Nominal 1 Little ambiguity existed in what
needs to be performed
Experience/Training Low 3 The licensee was unable to provide
prior examples where the valve was
operated manually by operators.
Operators are not trained on manual
valve operations inside the
chamber.
Procedures Incomplete 20 References for task instructions for
opening the chamber are absent.
Operators would have to refer to an
outage procedure for guidance on
opening the chamber.
Ergonomics Poor 10 Poor human-machine interface is
present. Access to the valve
chamber requires a ladder. In
chamber, the operator would be
manipulating the valve, possibly in a
respirator and wearing protective
clothing. Operation of the valve
would be in a hot environment, with
awkward and tight clearances
relative to the chamber walls.
Fitness For Duty Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
Work Processes Nominal 1 No event information is available to
warrant a change in this diagnosis
PSF from Nominal.
PSF = 1 x 2 x 1 x 3 x 20 x 10 x 1 x 1 = 1200
Result = 5.4E-1 = 1E-3 x 1200 / [1E-3 x (1200 - 1)] + 1
Combining diagnosis and action (4.0E-2 + 5.4E-1) yielded a failure probability of
5.8E-1.
Net effect. The analyst assumed the licensee would always have and attempt the
electrical contactor option first. The SPAR-H analysis yielded a result that
58 percent (failure rate = 4.2E-1) of the time the licensee would successfully
open the valve via the electrical contactor method. The analyst then assumed
that failure to select the correct contactor to operate the valve would result in
damage to the valves electric motor, requiring the licensee to utilize the
mechanical recovery option with the failure rate derived by SPAR-H (5.8E-1) for
manual valve operations. This yielded an effective failure rate of 2.4E-1,
calculated as follows:
peff = pe x pm
peff = the effective human performance failure rate for both recoveries
pe = the failure rate by electrical contactor operation
pm = the failure rate by local manual valve operation
A2-10
Catastrophic Seal LOCA. The results of this group is similar to the SLOCA
group. The analyst combined the template events ZT-RCS-MDP-LK-BP1,
Reactor Coolant Pump Seal Stage 1 Integrity Fails (Binding/Popping Open),
and ZT-RCS-MDP-LK-BP2, Reactor Coolant Pump Seal Stage 2 Integrity Fails
(Binding/Popping Open), in the SPAR model to develop an initiating event
frequency for a catastrophic seal failure event of 2.5E-3/year. The analyst
obtained this failure probability from WCAP-15603, Westinghouse Owners
Group 2000 Reactor Coolant Pump Seal Leakage for Westinghouse Pressurized
Water Reactors. This value matches the initiating event frequency used by the
licensee in their model within 2 percent. The analyst then applied the conditional
core damage probability from a SLOCA to this initiating event frequency to
estimate the change in core damage frequency resulting from a catastrophic seal
failure with the performance deficiency present. The analyst considered that the
low leakage rate from a failed reactor coolant pump seal would provide extra time
for recovery via the electrical contactor and via the mechanical operation paths.
This changed the effective recovery from this initiator to 3.4E-2.
Induced Seal LOCA. These reactor coolant leaks result from a loss of cooling to
the reactor coolant pump seals. The dominant initiating events in SPAR which
lead to induced seal failure are grid related losses of offsite power (LOOP),
switchyard centered LOOPs, and transients. These events represent the
smallest contribution to increase in core damage frequency. The analyst
assumed a recovery of 3.4E-2, similar to the recovery of a catastrophic seal
LOCA.
Medium Break Loss of Coolant Accidents
In NRC probabilistic risk assessment analyses, MLOCAs are breaks from 2 to
6 inches in size. MLOCAs may or may not increase pressure high enough to
actuate the containment spray actuation signal, which occurs when pressure in
the containment building reaches approximately 22 psig. This actuation signal
would start the two containment spray pumps that combine to pump around
5000 gallons per minute from the RWST to the containment. This additional
draw of water from the RWST would lower the available time for operators to
take action to open valve SI-2-8982B by the alternative means and therefore
adversely influence the success rate of these actions. The analyst reviewed
Diablo Canyon PRA Calculation MAAP13-03, Diablo Canyon Power Plant
MAAP Success Criteria - Loss of Coolant Accident Definitions, Revision 0, to
determine at which break size would actuate the containment spray actuation
signal and start the containment spray pumps. In this calculation, a 2.9-inch
break produced an 18 pound per square inch pressure in the containment. The
analyst estimated that breaks above 3.5 inches would produce pressure in the
containment sufficient to start the containment spray pumps.
From this estimate, the analyst broke MLOCAs into two classes. The first class
consisted of breaks between 2 and 3.5 inches in size, not sufficient to start the
containment spray pumps. Based on this 1.5-inch range, the analyst estimated
simplistically that 37.5 percent of the MLOCAs would not cause starting of the
containment spray pumps. Conversely, 62.5 percent of MLOCAs were assumed
to start containment spray pumps. Once started, the analyst assumed that
A2-11
operators would leave the containment spray pumps running as required by the
emergency operating procedures.
The analyst split the initiating event frequency by this 37.5 - 62.5 percent split
and applied different recovery actions based on the differing times available. For
the 37.5 percent of MLOCAs which would not start the containment spray pumps,
recovery was similar to SLOCAs.
For the 62.5 percent that would actuate containment spray pumps, the analyst
assumed that the RWST would deplete quickly and not allow sufficient time for
recovery. Licensee estimates were that operators would only have around
30 minutes between RWST level of 33 percent and 4 percent. The 33 percent
level is the point where operators would be required to attempt to swap from
injection from the RWST to the containment recirculation sump. The 4 percent
level is the level at which procedures instruct operators to secure all emergency
core cooling pumps, thereby terminating any injection. That difference of
29 percent (33 - 4) would be depleted by the containment spray pumps in
approximately 30 minutes. Actions to operate the motor contactors or locally
manually operate the valve were far in excess of this timing, so the analyst
considered that recovery was not possible.
Summary of Internal Events
The table below summarizes the dominant initiators and their contribution to the
increase in core damage frequency. The overall results were an increase in core
damage frequency of 8.2E-6/year from internal events:
Increase in Core Damage
Contributor Frequency
SLOCA 2.0E-6
Catastrophic Seal LOCA 1.4E-7
Induced Seal LOCA 1.1E-9
Smaller MLOCA 3.8E-8
Larger MLOCA 4.8E-6
Total 7.1E-6
(3) External Events
The analyst estimated the increase in core damage frequency from all external
events to be 5.4E-7/year, using the individual estimates below.
Seismic. The analyst performed a seismic analysis using Revision 8.23 of the
SPAR model. This analysis used a baseline conditional core damage probability
representing a non-recoverable, switchyard-centered LOOP. The fragilities from
Table AA-2 of Volume 2, External Events, of the Risk Assessment of Operational
A2-12
Events Handbook were used. The increase in core damage frequency from
seismic events was estimated to be 3.2E-7/year.
High winds. The analyst assumed no risk from high winds due to the historically
low tornadic activity at Diablo Canyon.
Fire. The analyst used information from the licensees fire probabilistic risk
assessment model as the best available information to estimate the increase in
core damage frequency from fires. The licensee received their safety evaluation
for approval of application of NFPA 805 and is in transition to full compliance.
The analyst applied the licensees risk achievement worth value of 1.0452 to the
baseline core damage frequency of 1.70E-5/year to estimate the increase in core
damage frequency from fires to be 6.02E-7/year. Due to the low contribution
relative to the internal events estimation of increase in core damage frequency,
the analyst applied a generic recovery failure probability of 2.4E-1 derived from
the SPAR-H for SLOCAs and applied it to all fires. This resulted in an increase in
core damage frequency from fires of 2.2E-7/year.
(4) Large Early Release Frequency
The analyst reviewed the dominant sequences and compared them to Manual
Chapter 0609, Appendix H, Containment Integrity Significance Determination
Process. The analyst performed a LERF screening to assess whether any of
the core damage sequences affected by the finding were potential LERF
contributors. The analyst determined that none of the sequences were
significant LERF contributors and the increase in LERF was considered to be
negligible.
(5) Uncertainties
Analytical
The analyst reviewed the analysis uncertainty for the base case with no recovery
credit for the limited use model with basic event HPI MOV CC 8982B set to
TRUE. The analyst then extrapolated the results to estimate that approximately
75 percent of results from a Monte Carlo distribution resulted in an increase in
core damage frequency between 1.0E-6/year and 1.0E-5/year or less.
Qualitative Considerations
Competing priorities. The detailed risk evaluation only considered the recovery
activities for the failed valve SI-2-8982B. For the core damage sequences of
interest, other plant equipment would malfunction and attempts would be made
to recover them. For example, in a case where the pump on the opposite train of
the recirculation path was not working, operators would be challenged with
additional diagnosis of that problem as well as deciding which recirculation path
was more easily recoverable. This additional diagnosis would divert plant
resources from recovery of valve SI-2-8982B. These competing priorities for
recovery add uncertainty to the detailed risk evaluation performed and would
serve to make recovery more unlikely.
A2-13
Anecdotal information from a simulated recovery attempt. When the inspectors
walked through operation of the valve SI-2-8982B by use of the electrical
contactors with one engineer and two electricians, these individuals initially
indicated that they would operate the contactors as represented in
Procedure O-22. This operation would act to further close the valve, potentially
causing irreparable damage. When the inspectors pointed this out, the
individuals traced the wiring with the electrical drawing and corrected their
response on the proper contactor they would operate. This was done by
electrical personnel in a training environment. The uncertainty in how electrical
personnel, if summoned to assist, would respond was only considered as
success in the analyses. This information for recovery adds uncertainty to the
detailed risk evaluation performed and would serve to make recovery more
unlikely.
Temperature of the Recirculation Valve Chamber. The temperature of the
recirculation valve chamber at the time operators would be required to enter and
manipulate valve 8982B is unknown. If the temperature exceeded 130 degrees
Fahrenheit, local manual valve operation could likely be impossible. This lack of
information adds uncertainty and would serve to make recovery more unlikely.
(6) Sensitivities
The analyst performed sensitivities runs showing the results for various scenarios
altering the influential assumptions:
- Different assumptions of recovery of the valve: The analyst adjusted the
failure probability for various cases and compared them to the assumed
failure probability in the table below:
Failure Probability Comment Increase in Internal
of Recovery Events CDF
1.1E-2 98.9% success in recovery 5.0E-6/year
4.0E-2 96% success in recovery 5.3E-6/year
1.0E-1 90% success in recovery 6.0E-6/year
2.4E-1 76% success in recovery 7.1E-6/year
(assumed in analysis)
5.0E-1 50% success in recovery 9.2E-6/year
No recovery 0% success in recovery 2.0E-5/year
- The potential for common cause failure of Train A Valve 8982A is not affected
by the failure of Valve 8982B: The analyst estimated the increase of
removing the cutsets which contained the common cause failure of
valve 8982A. Result: Increase in CDF of 2.7E-6/year
A2-14
- Consideration that valves 8982A and 8982B were tested in a staggered
scheme: The analyst assumed the valves were tested nine months apart
vice testing both during refueling outages. Result: Increase in CDF of
4.9E-6/year
- Use of the licensees MLOCA frequency value combined with SPAR-H
nominal recovery: The analyst used the licensees lower initiating event
frequency value of 2.3E-5/year along with the SPAR-H nominal recovery
value of 1.1E-2. Result: Increase in CDF of 1.6E-6/year
(7) Licensee Results
The licensee provided the analyst with their analysis. The estimated increase in
core damage frequency was 2.9E-5/year without recovery applied. This value
did not adjust for common cause failure of the train A valve (valve SI-2-8982A).
The analyst estimated that the SPAR model, when adjusted for catastrophic seal
LOCAs and removal of consideration of elevated common cause failure of the
train A valve, would estimate the increase in core damage frequency of
3.3E-5/year.
The licensee derived a failure probability for recovery with the local manual valve
operation of 1.2E-2. When the licensee applied this recovery to their model, they
estimated the increase in core damage frequency to be 7.5E-7/year. The analyst
considered that the value of 1.2E-2 for recovery was conservative in light of the
numerous adjustments needed to the performance shaping factors for less than
nominal conditions affecting the recoveries. SPAR-H uses a nominal failure
probability of 1.1E-2, which is near the licensees recovery value. The analyst
considered the application of SPAR-H to provide more realistic estimations of
failure probabilities.
(8) Model Adjustments
Limited Use Model Version DCAN-RICK-2187 of the Diablo Canyon SPAR
Model, was used with SAPHIRE Version 8.1.4. This version incorporated
modifications to the model derived from the lessons learned from NUREG-2187,
Confirmatory Thermal-Hydraulic Analysis to Support Success Criteria in the
Standardized Plant Analysis Risk Models - Byron Unit 1, Revision 0. The
analyst used the default truncation of 1.0E-11.
A2-15