Resolution of Generic Safety Issues: Issue 122: Davis-Besse Loss of All Feedwater Event of June 9, 1985 - Short-Term Actions (Rev. 4) ( NUREG-0933, Main Report with Supplements 1–34 )
The loss of all feedwater event at Davis-Besse on June 9, 1985, resulted in the formation of an NRC project team to investigate the event. The team's findings were published in NUREG-1154 [886] and were subsequently reviewed by DL/NRR. As a result of this review, the following items were identified as candidates for short-term staff action [885] and were forwarded to DST/NRR for evaluation [887]:
|(1)||Potential inability to remove reactor decay heat due to questionable reliability of the AFW system caused by any or all of the following:|
|(a)||Loss of all AFW due to common-mode failure of AFW pump discharge isolation valves in closed position.|
|(b)||Excessive delay in recovery of AFW due to difficulty in restarting AFW pump steam driven turbines, if turbines are tripped.|
|(c)||Interruption of auxiliary feedwater flow due to failures in steam and feed line break accident mitigation features (e.g., SFRCS).|
|(2)||Adequacy of emergency procedures, operator training and available plant monitoring systems for determining need to initiate feed-and-bleed cooling following loss of steam generator heat sink.|
|(3)||Physical security system constraints which could deny timely operator access to vital equipment and inhibit operator from performing local manual operations called for in emergency procedures.|
The above items formed the basis for Issue 122 but were evaluated separately as shown below. The identification of each item followed the numbering system established in the DL/NRR memorandum [885]. The evaluation results are summarized in Table 3.122-1.
|Item||Title||Disposition|
|1.a||Failure of Isolation Valves in Closed Position||Covered in Issue 124|
|1.b||Recovery of Auxiliary Feedwater||Covered in Issue 124|
|1.c||Interruption of Auxiliary Feedwater Flow||Covered in Issue 124|
|3.||Physical Security System Constraints||DROP|
ITEM 122.1: POTENTIAL INABILITY TO REMOVE REACTOR DECAY HEAT
During the loss of main feedwater event, the reactor scrammed and the AFW system should have actuated and supplied feedwater to the steam generators to enable them to remove decay heat. However, in this process several failures occurred, three of which are of significance here.
|(1)||An operator attempted to start the two AFW trains manually, in addition to the automatic signal on low steam generator water level. Unfortunately, the operator pressed the wrong buttons, sending erroneous "low steam generator pressure" signals to both AFW trains. The AFW control systems then caused both AFW isolation valves to close. Thus, neither steam generator could receive any water. In essence, the operator caused a common mode failure.|
|(2)||Both AFW turbines tripped on overspeed. The overspeed trips on such turbines usually have to be reset at the turbine, not from the control room.|
|(3)||In attempting to recover the AFW system, the operators reset the erroneous signals. However, the AFW isolation valves did not open. In spite of several attempts, the plant operators were unable to open these valves from the control room, and ultimately had to open them manually.|
The three parts of this item are evaluated separately below.
ITEM 122.1.A: FAILURE OF ISOLATION VALVES IN CLOSED POSITION
This item addressed Findings 4, 5, 6, and 15 in Section 5.2.5 of NUREG-1154 [886] and deals with the potential inability to remove reactor decay heat because of loss of all auxiliary feedwater due to the third common mode failure discussed above: the failure of AFW pump discharge isolation valves to reopen on command after they had closed.
With the main feedwater out of service (the transient initiator), a spurious closing of these AFW valves cannot easily be rectified, leaving only feed-and-bleed techniques available for removal of decay heat. Westinghouse PWRs generally do not have such motor-operated isolation valves in the AFW discharge lines, but some W plants plus roughly 16 plants designed by B&W and CE in addition to Davis-Besse may be susceptible to this problem.
The failure of the Davis-Besse AFW valves to reopen was ultimately traced to the torque limit and bypass switches which control the motor operators of the valves. In essence, the high differential pressure across the closed valves necessitated a relatively large force for valve motion. The motor control switches were not adjusted to accommodate such a force. Such a failure can happen in two ways. First, the switches can be inadvertently erroneously adjusted during routine maintenance. Second, the valve may be correctly maintained, but the actuation system is not designed to provide for an open command to these valves (in some PWRs), or the torque necessary to reopen these valves under some conditions may be beyond the design capacity of the valve actuators. In the case of Davis-Besse, the valves were designed to close (which is their intended safety function), but apparently less attention was paid to their ability to reopen.
The solutions are implicit in the causes. For this evaluation, it was assumed that the actuation system is equipped to issue open commands so the solutions are: (1) verify that the valves, as designed, are capable of reopening in the presence of a differential pressure; and (2) upgrade the calibration and maintenance procedures.
To estimate accident frequencies, the staff followed the example [888] in which the relatively simple transient classifications of the Oconee PRA [54] were used, but frequency and probability estimates were taken from later sources such as the more detailed Oconee 3 PRA [889].
The affected sequences in the RSSMAP study [54] are T1M(LOPNRE)LU, T2MLU, and T3M(PCSNR)LU, where the terms are defined as follows:
|T1||= a loss of offsite power (LOOP) transient with an assumed frequency of 0.05 transient/RY (or more) [890].|
|T2||= a non-recoverable loss of the Power Conversion System caused by a source other than a LOOP, with an assumed frequency of 0.64 transient/RY, based on the Oconee-3 PRA [889].|
|T3||= a transient with the Power Conversion System initially available, with an assumed frequency of 5.7 transients/RY, also based on the Oconee-3 PRA [889].|
|M||= a failure of the power conversion system. The probability is unity for T1 and T2 sequences. For T3 sequences, 3.7 x 10^-3 was used, obtained by summing the failure modes listed in Section A8.3.8 of the Oconee-3 PRA [889].|
|LOPNRE||= the probability of non-recovery of offsite power within 40 minutes after a LOOP event. This was estimated to be roughly 0.25, based on the generic curves given in NUREG-1032 [890].|
|PCSNR||= the probability of non-recovery of the Power Conversion System (really, main feedwater) within 30 minutes. The Oconee-3 PRA [889] used 0.3 for a similar event (REFDW2). This figure is somewhat optimistic because of the ability to cross-connect at the Oconee site.|
|L||= failure of the AFW system.|
|U||= a failure to cool the core via feed-and-bleed. For Oconee-3 and most other plants, this is essentially a failure of the high pressure ECCS. The assumed probability was 0.015, based on the Oconee-3 PRA [889].|
The unquantified parameter is L, the change in the AFW failure probability to be attributed to this issue. It is composed of three factors: the probability of spurious isolation, the probability of failure to reopen on demand, and the probability of failure of reopening (in time to prevent core damage) by manual action.
At the time of this evaluation, Davis-Besse had been in operation for eight years with a reported frequency of loss-of-feedwater events of 0.67/year [891]. Thus, the AFW system had about five real challenges. One of these was the June 9, 1985, event where an operator inadvertently pushed the wrong button and caused a spurious isolation. One would therefore expect the spurious isolation rate to be roughly one in five AFW demands, or 20%, and dominated by human error. However, it was unrealistic to assume that this event (and its associated extended shutdown) had gone unnoticed in the control rooms of other plants, nor could it be assumed that all other plants had an AFW control panel like that of Davis-Besse. On the other hand, the AFW discharge isolation valves may be initially closed at the time of the demand, as they were at the outset of the accident at TMI-2. It was assumed that the minimum likelihood of spurious or inadvertent AFW isolation would be 5% and that plants with a high likelihood (20%) were addressed in Issue 122.1.C.
Next is the question of failure of the isolation valves to open on demand. As stated above, this can happen either by errors in maintenance or by a lack of foresight in design. For the case of errors in maintenance, the valve failure data tabulated in NUREG/CR-2770 [892] were used. Of the 393 MOV failures listed, 75 involved torque limit or bypass switches and 34 (about 8.7% of all the failures) appeared to be adjustment or calibration errors. Since the same crews and procedures were used on all AFW trains, these failures were very likely to be present on all trains. Given a failure on one train, the staff assumed an 8.7% probability [892] that the failure was due to improper torque or limit switch adjustment and that the analogous valves on the redundant trains will also fail.
The RSSMAP study [54] used an MOV control failure rate of 6.4 x 10^-3/demand. The probability of failure to reopen due to maintenance error is the product of these two figures, or 5.6 x 10^-4.
For the case of lack of foresight in design, there is no extensive tabular data. This particular scenario, by its very nature, will affect both valves. However, this does not mean that both valves necessarily will fail to open. NUREG-1154 [886] describes tests of the actual valves at Davis-Besse, five of which were at a full differential pressure of 1050 psid. One valve failed to open twice. The other valve failed once but opened successfully two times. Thus, for a two-train AFW system, the probability of neither valve opening would be expected to be on the order of (1 x 0.33), or 0.33, based on this sparse data.
Finally, the probability of the operator failing to reopen the valves manually had to be estimated. In the case of the Davis-Besse event, the spurious closure occurred about six minutes into the event. NUREG-1154 [886] states that a 30-minute interval before core damage would be expected. Thus, the operators had about 24 minutes in which to reopen at least one valve. In actual fact, it took an average of 7.5 minutes (about a third of the available time) to open these two valves. This margin is adequate and would normally imply a failure rate (due to timeout) of a percent or two. However, it should be noted that, except for one button-pushing error, the operating crew performed very well. The shift supervisor and his assistant were astute in diagnosing the AFWS misalignment (while being faced with a barrage of other information) and took the correct action to manually open the auxiliary feedwater block valves. A 10% probability of failure to manually reopen the valves was assigned, based purely on judgment of the human factors aspects.
Putting these factors together, the AFW failure probability is the product of a 5% probability of inadvertent AFW isolation, a 33% probability that neither valve will reopen on demand, and a 10% probability that manual opening will not be attempted or will fail to be accomplished in time. The product is 1.7 x 10^-3/demand. In addition, no solution is perfect. It was assumed that any resolutions adopted will be at least 90% effective. Thus, the change in AFW failure probability will be on the order of 1.5 x 10^-3. The change in core-melt frequencies was then estimated. The cut sets are:
|T1M*LOPNRE*L*U||3.0 x 10^-7/RY|
|T2M*L*U||1.5 x 10^-5/RY|
|T3*M*PCSNR*L*U||1.5 x 10^-7/RY|
|Total F||= 1.5 x 10^-5/RY|
Under the assumption that one plant will find and correct the problem, the change in core-melt frequency attributable to this item was estimated to be 1.5 x 10^-5/year.
Normally, accident sequences such as those discussed above would be distributed across a spectrum of containment failure modes in a variety of ways. However, because the sequences of interest in this issue were similar in their final stages prior to core-melt, all three sequences were distributed across the containment failure modes in the same manner.
All three principal accident sequences involve a core-melt with no large breaks initially in the reactor coolant pressure boundary. The reactor is likely to be at high pressure (until the core melts through the lower vessel head) with a steady discharge of steam and gases through the PORV. These are conditions likely to produce significant hydrogen generation and combustion.
The Zion and Indian Point PRA studies used a 3% probability of containment failure due to hydrogen burn (the "gamma" failure). This example was followed and 3% was used, although specific containment designs may differ significantly from this figure. In addition, the containment can fail to isolate (the "beta" failure). Here, the Oconee PRA [889] figure of 0.0053 was used. If the containment does not fail by isolation failure or hydrogen burn, it will be assumed to fail by base mat melt-through (the "epsilon" failure).
Based on a central midwest plain meteorology, a uniform population density of 340 persons per square mile, a 50-mile radius, and no ingestion pathways, the consequences were estimated as follows:
|Failure Mode||Percent Probability||Release Category||Consequences (man-rem)|
|gamma||3%||PWR-2||4.8 x 10^6|
|beta||0.5%||PWR-5||1.0 x 10^6|
|epsilon||96.5%||PWR-7||2.3 x 10^3|
The "weighted-average" core-melt will have consequences of 1.5 x 10^5 man-rem.
The consequence estimate was 50 man-rem/reactor. The B&W and CE plants had an average remaining life of 31 years/plant, 24 years of which would be operational. Based on the above assumption that one plant will find and correct the problem, the risk reduction estimate was 50 man-rem.
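The arithmetic of this item, from the three-factor AFW failure probability through the cut sets, the containment-failure weighting and the 24-year man-rem figure, carried through in code. This is an added example written for this page, not part of NUREG-0933 or the staff evaluation; every parameter value is one stated above, while the function and variable names are the example's own. It also reruns the undersized-actuator case raised in consideration (9) below, where the probability that neither valve reopens approaches 100%.

```python
"""Item 122.1.A risk arithmetic: change in AFW failure probability, core-melt
cut sets, containment-failure weighting and public risk reduction.

Example code written for this page, not part of NUREG-0933. The numeric values
are the ones the evaluation states; the names are this example's own assumptions.
"""

# Initiator frequencies (/RY) and conditional probabilities from the item
T1, T2, T3 = 0.05, 0.64, 5.7     # LOOP, non-recoverable PCS loss, PCS initially available
M_T3 = 3.7e-3                    # PCS failure given T3 (unity for T1 and T2)
LOPNRE = 0.25                    # offsite power not recovered within 40 min
PCSNR = 0.3                      # main feedwater not recovered within 30 min
U = 0.015                        # feed-and-bleed (high-pressure ECCS) failure

# Containment failure modes: (probability, release consequence in man-rem)
CONTAINMENT = {
    "gamma (hydrogen burn, PWR-2)":          (0.030, 4.8e6),
    "beta (isolation failure, PWR-5)":       (0.005, 1.0e6),
    "epsilon (basemat melt-through, PWR-7)": (0.965, 2.3e3),
}


def afw_failure_change(p_spurious_isolation=0.05, p_neither_reopens=0.33,
                       p_manual_reopen_fails=0.10, fix_effectiveness=0.90):
    """Delta L: the AFW failure probability attributable to this item.

    Product of the three factors (spurious isolation, neither valve reopens on
    demand, manual reopening fails), reduced by the assumed effectiveness of a fix.
    """
    before_fix = p_spurious_isolation * p_neither_reopens * p_manual_reopen_fails
    return before_fix * fix_effectiveness


def core_melt_cut_sets(delta_L):
    """Core-melt frequency contribution (/RY) of each affected sequence."""
    return {
        "T1M*LOPNRE*L*U": T1 * 1.0 * LOPNRE * delta_L * U,
        "T2M*L*U":        T2 * 1.0 * delta_L * U,
        "T3*M*PCSNR*L*U": T3 * M_T3 * PCSNR * delta_L * U,
    }


def core_melt_frequency(delta_L):
    """Total change in core-melt frequency (/RY) for one plant."""
    return sum(core_melt_cut_sets(delta_L).values())


def weighted_consequence(modes=CONTAINMENT):
    """Man-rem per core-melt, averaged over the containment failure modes."""
    return sum(p * man_rem for p, man_rem in modes.values())


def risk_reduction_man_rem(delta_L, operational_years=24, plants=1):
    """Public risk averted over the remaining operational life of the plants fixed."""
    return core_melt_frequency(delta_L) * weighted_consequence() * operational_years * plants


if __name__ == "__main__":
    dL = afw_failure_change()
    print(f"delta L = {dL:.2e}/demand")
    for name, f in core_melt_cut_sets(dL).items():
        print(f"  {name:16s} {f:.1e}/RY")
    print(f"total delta F = {core_melt_frequency(dL):.1e}/RY")
    print(f"weighted consequence = {weighted_consequence():.1e} man-rem per core-melt")
    print(f"risk reduction = {risk_reduction_man_rem(dL):.0f} man-rem")
    # Consideration (9): undersized actuators make p_neither_reopens ~ 1
    worst = afw_failure_change(p_neither_reopens=1.0)
    print(f"undersized-actuator case: {risk_reduction_man_rem(worst):.0f} man-rem "
          f"({worst / dL:.1f}x the base case)")
```

The totals come out a few percent from the tabulated values because the evaluation rounded each cut set before summing; the undersized-actuator run reproduces the factor of three quoted in consideration (9).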
Industry Cost: The cost associated with resolving this issue was dependent upon the nature of the solution. A check of the valve operator design would be relatively inexpensive. A test to ensure the valves will open will cost significantly more. Finally, if valve operators were found to be insufficiently sized, the cost of replacement would be higher still. In addition, improvements in maintenance might also be required.
It was assumed that a check of design (rather than extensive testing) will be done, and that one plant will be found where the valves would not re-open with a significant differential pressure present. It was also assumed that the motor was strong enough to open the valve and that the problem can be fixed by changing torque limit and bypass switch setpoints. Because maintenance error is a relatively minor contributor, the issue of improved maintenance was not addressed.
NRC Cost: For each plant affected, 2 staff-weeks should be sufficient to check the valve design. For the (hypothetical) plant where a problem is found, 6 staff-months should suffice to find a solution. Finally, 6 staff-months plus 2 staff-weeks/plant of NRC time would probably be necessary to impose the requirement. Thus, for 17 plants, the total cost would be roughly $240,000, assuming that a staff-year costs $100,000.
Total Cost: The total industry and NRC cost associated with the possible solution was $0.24M.
Based on an estimated public risk reduction of 50 man-rem and a cost of $0.24M for a possible solution, the value/impact score was given by: S = (50 man-rem)/($0.24M) = 208 man-rem/$M.
|(1)||There was no significant ORE associated with the solution to this issue. The valves in question are not exposed to contaminated fluids, since they are in the secondary system.|
|(2)||There were offsetting savings which could be credited against the expenditures above. The cost of a core-melt would be about a billion dollars plus replacement power for the rest of the plant life. Using the accident frequency estimated above and assuming a 5% annual discount rate, this corresponded to a present worth of about $430,000/plant. Also, even if a core-melt is avoided and if the plant is ever placed in a situation where feed-and-bleed techniques are used, major cleanup will be necessary because of rupture of the quench tank. If cleanup lasts 6 months, the present worth cost was about $770,000/plant. Finally, it should be noted that the Davis-Besse event kept the plant shut down for over three months. The frequency of this situation is about 1.2 x 10^-2/RY, which corresponded to an actuarial cost of roughly $4.6M/plant. If any of these three considerations were included, the cost-benefit ratio would be favorable, and it would be in the licensee's financial interest to fix this problem.|
|(3)||It was assumed that the feed-and-bleed failure probability is 0.015. In actual fact, NUREG-1154 [886] inferred that the Davis-Besse operators were reluctant to initiate feed-and-bleed. Thus, this figure may be somewhat optimistic. Also, some (CE) plants do not have power-operated relief valves on the primary system and thus cannot use feed-and-bleed techniques.|
|(4)||Some plants operate with the AFW isolation valves in the closed position. Thus, these plants will not need an inadvertent isolation to encounter a problem. On the other hand, these plants are more likely to be designed to open under differential pressure or to find the problem by normal testing.|
|(5)||The discussion addressed only PWRs; BWRs have analogous systems (HPCI and RCIC) for mitigating loss-of-feedwater events. Moreover, these systems have normally-closed motor-operated isolation valves in the discharge line, but these valves are tested during normal system testing. In addition, BWRs can rapidly depressurize via the ADS and can use low pressure systems for decay heat removal.|
|(6)||At the time of this evaluation, an NRC Bulletin on the subject of valve operability was being considered. This could have been sufficient to resolve the issue for most plants. However, some followup action may be appropriate particularly for plants where the viability of feed-and-bleed is doubtful. If such plants were also susceptible to the common-mode valve problem described here, the core-melt frequency could approach 1 x 10^-3.|
|(7)||This issue is related to Issue II.E.6.1, "In-Situ Testing of Valves." Although II.E.6.1 is also concerned with valve operability, this issue differed in that the potential for commonality was a primary concern. Issue II.E.6.1 was geared toward the single failure rate per valve, not the potential for common-mode failures, but was not specific as to which valves or which failure mode.|
|(8)||This issue is also similar to Issue 87 which addressed the failure of the HPCI steam line isolation valves to close following a break in the line downstream of the valves. These failures are also due to a design problem in which the valve may not have been designed to operate under some overlooked conditions. There may be other systems with valves that are not designed to operate under all likely conditions and, therefore, a widening of the scope of this issue may be in order.|
|(9)||It was assumed that the probability of both AFW isolation valves failing to reopen was 33%. In some cases (e.g., undersized actuators), the probability may be nearly 100%, a fact that would triple the priority parameters. However, this would not change the conclusion.|
Based on the potential change in core-melt frequency, this issue was given a high priority ranking (see Appendix C), but was later integrated into the resolution of Issue 124.
ITEM 122.1.B: RECOVERY OF AUXILIARY FEEDWATER
This item addressed Findings 4, 8, and 15 in Sections 5.2.4 and 6.2.4 of NUREG-1154 [886] and deals with a potential inability to remove reactor decay heat due to the second common mode failure discussed above: the excessive delay in recovery of AFW due to difficulty in restarting AFW pump steam turbines, if the turbines are tripped.
Some method of decay heat removal is necessary within 30 minutes after the start of this type of transient in order to prevent core uncovery. The turbines tripped about 7 minutes into the event. Thus, 23 minutes were available. Although it only took 4.5 minutes for a pair of equipment operators to go to the AFW pump rooms and start work, considerable difficulty was experienced in resetting and restarting the turbines. Thus, it might well have taken longer than 23 minutes to get the AFW pumps in operation. Had other decay heat removal techniques (i.e., startup feed pump and primary side feed-and-bleed) also failed, core damage would have resulted.
This issue is applicable to any PWR. However, it is of greatest importance to plants with only steam-driven AFW trains (such as Davis-Besse) and of less importance to plants with one steam-driven train plus one or two motor-driven trains. In addition, non-B&W plants are less susceptible because of their greater water inventory in the steam generators which provides more time before active means of decay heat removal are essential. Davis-Besse is the only remaining plant with only steam-driven auxiliary feedwater. Thus, this analysis was geared to the other most-susceptible plant class: a B&W plant with one steam-driven and one motor-driven AFW train.
The Davis-Besse event exhibited two problems that led to delay in AFW restart. The first problem was that the turbine overspeed trips had to be manually reset requiring plant personnel to be dispatched to the AFW pump rooms. A possible solution was to make the trip resettable from the control room. The trip mechanism is usually a latch hook device on the trip-and-throttle valve. A mechanical device will unlatch the hook and trip the turbine at a preset speed (usually 125% of rated). Other signals can be used to trip the latch hook by means of an electrical solenoid. In either case, the hook must be reset manually. The solution, which had been implemented on some BWR RCIC turbines, was to wire the protective circuits into the throttle mechanism rather than the trip solenoid. The mechanical overspeed trip remains active, but is supplemented by an electrical overspeed trip (set at 110%) which can be remotely reset.
The second problem was that the two equipment operators were unsuccessful in their attempts to get the turbines running and were saved by the arrival of an experienced operator. The most obvious solution to this problem would be to require the plant operators to practice going through the procedures of resetting and starting the turbines, assuming a remote reset is not provided. At the time of this evaluation, "hands-on" practice of this task was not part of operator training.
Problem 1: The affected sequences and cut sets were the same as those for Item 122.1.A except parameter L, the change in AFW failure probability to be attributed to this item. This is governed by three factors: the probability of a resettable turbine trip, the probability of failure to manually reset and restart the turbine, and the probability of failure (in this study) of the one motor-driven AFW train.
First, the probability of a turbine trip either during the auto-start or while running had to be estimated. PRA fault trees model individual components and their failures, but do not normally model the spurious and/or readily resettable trips that are of concern here. Thus, PRA fault-tree-based estimates are really estimates of the failure rate assuming that the manual reset problem has been fixed. Also, the turbine-train-only failure rate is difficult to separate out of most PRA studies. A value of 3 x 10^-2 failure/demand was used based on the station blackout calculations for a two-train AFW system in an RRAB memorandum [894].
In NUREG/CR-2098 [893], 112 of the 170 AFW events tabulated were failures of turbine-driven rather than motor-driven pumps. Of the 112 turbine events, 40 were trips, usually on overspeed. Thus, given a failure of a turbine-driven AFW pump to operate, there is about a 35% chance that a (manual) reset might recover the pump. Therefore, the failure rate before fixing is (3 x 10^-2)(1.35)/demand or 4.1 x 10^-2/demand.
The change in turbine failure rate due to elimination of the need for manual reset had to be estimated. In the Davis-Besse event, the operators were able to reset the two turbines in 4.32 and 4.77 minutes (but not get them running), which was about one-fifth of the 23.4 minutes available before core uncovery [886].
One would expect that, for a straightforward task such as resetting and restarting a turbine, the time needed would be described by a reasonably symmetrical distribution centered about an average time. Here, the 4.5-minute average time of the two unsuccessful resets at Davis-Besse is probably a reasonable estimate of a general mean time for an experienced operator to successfully complete the task. This number is also consistent with a walk-through of the procedure at Davis-Besse by NRC staff. However, there was no direct information about the width of the distribution: the minimum and maximum time needed for completion. Thus, a pragmatic approach was used by keeping the peak of the distribution at 4.5 minutes and fixing it at zero at time zero. Further, the single-event Poisson distribution (the order-2 gamma density, which extends out to infinity in the positive direction) was used. The formula is
$P(t) = \lambda^2 t \, e^{-\lambda t}$
The peak of the distribution is at $t = 1/\lambda$, so $\lambda = 1/4.5 = 0.22$ was used. The probability of not resetting the turbine before 23.4 minutes was obtained by integrating this formula from 23.4 minutes to infinity. The integral is:
$P(t > t_0) = (1 + \lambda t_0) \, e^{-\lambda t_0}$
which, with $\lambda = 0.22$ and $t_0 = 23.4$ minutes, gives 0.036.
Again, this approach was pragmatic rather than rigorous; the formula is appropriate for randomly distributed events, which this really is not. In the actual event at Davis-Besse, it was evident that the operating crew worked as fast as they could. It was also evident that the task of resetting and restarting the turbines was far from smooth; many things went wrong. Moreover, things might well not be easy and straightforward in another similar event. Nevertheless, a factor of five margin in the time actually taken is significant. Thus, the resulting 3.6% probability of failing to reset in time does not seem unreasonable in spite of the rather sparse mathematical basis.
In addition, there is a finite probability that plant operators will encounter difficulty in moving through the plant and entering the AFW pump rooms due to locked doors, etc. To account for this, the staff added a 1% probability of an insurmountable difficulty in reaching the turbines (based on the calculations in Issue 122.3) to get a total probability of failure to reset of 0.046. L can now be estimated. First, the change in the turbine-driven train's failure rate is the failure rate before fixing, multiplied by the fraction of turbine failures that are resettable trips and by the probability of failing to reset in time: (4.1 x 10^-2)(0.35)(0.046) = 6.6 x 10^-4/demand.
In addition, the unavailability of the motor-driven train had to be estimated. The RRAB memorandum [894] gave a "typical" AFW system unavailability of 10^-3/demand for a two-train system. Such a figure included common-mode failures and common component failures, in addition to the individual train failures. It was assumed that the common-mode and common-component contributions were small and thus the turbine train contribution enters as a multiplicative factor. The non-turbine failure probability is then 10^-3/(3 x 10^-2) or 0.033.
Giving credit for the motor-driven train, if AC power is available, L = (6.6 x 10^-4)(0.033) = 2.2 x 10^-5. If AC power is not available, L = 6.6 x 10^-4.
Since the turbine-driven AFW pump is especially significant for loss of all AC power (station blackout), a diesel unavailability was needed. NUREG-1032 [890] gives a range of 1.1 x 10^-3 to 6.8 x 10^-3 for a one-out-of-two diesel configuration; 2.7 x 10^-3 was used as the middle of this range.
Cut sets were then calculated as follows:
|T1M*LOPNRE*L*U||4.1 x 10^-9/RY|
|T1M*LOPNRE*DIESELS*L||2.0 x 10^-8/RY|
|T2M*L*U||2.1 x 10^-7/RY|
|T3*M*PCSNR*L*U||2.1 x 10^-9/RY|
|Total F||= 2.4 x 10^-7/RY|
For 9 PWRs with two-train AFW systems, this change in core-melt frequency is 2.2 x 10^-6/year.
Problem 2: In the first problem, it was assumed that the only question was the time available for a qualified operator to locally reset a tripped AFW turbine. The fact that neither of two equipment operators was able to get the turbines running at Davis-Besse strongly suggested that the probability of failure was nearly unity over the course of a half-hour, if the individuals involved had never performed this task before. (This task is generally not part of an operator's training.) In general, during off-shifts, experienced personnel are present in very limited numbers. In a future event, the more experienced personnel are likely to be busy with other tasks (e.g., getting diesels started), and a less experienced operator may once again be faced with the task of resetting and restarting AFW turbines.
This second problem was not amenable to the exponential time calculations of Problem 1, since the average time needed for inexperienced personnel is likely to be far in excess of 30 minutes. Thus, it was arbitrarily assumed that, should an event occur during the evening, night, or weekend shifts (76% of the time), there is a 50% probability that an AFW turbine trip reset will be assigned to an inexperienced operator who is at most 10% likely to succeed in getting the turbine running in the required time. Thus, the change in the probability of failure to restart the turbine becomes (0.76)(0.50)(0.90) = 0.342.
For this problem, the change in the turbine-driven train's unavailability is (4.1 x 10^-2)(0.35)(0.342) = 4.9 x 10^-3/demand.
Giving credit for the motor-driven train as before:
L = (4.9 x 10^-3)(0.033) = 1.6 x 10^-4 (AC power available)
L = 4.9 x 10^-3 (AC power not available)
Cut sets were then calculated as follows:
|T1M*LOPNRE*L*U||3.1 x 10^-8|
|T1M*LOPNRE*DIESELS*L||1.7 x 10^-7|
|T2M*L*U||1.6 x 10^-6|
|T3*M*PCSNR*L*U||1.6 x 10^-8|
|Total F||= 1.8 x 10^-6 core-melt/RY|
For 9 PWRs with two-train AFW systems, this frequency is 1.6 x 10^-5 core-melt/year.
The consequence estimate was the same as that for Issue 122.1.A. The "weighted-average" core-melt will have consequences of 1.5 x 10^5 man-rem. The 9 PWRs with two-train AFW systems had about 250 calendar-years of collective license lifetime remaining. This was roughly 189 years of operational life.
Problem 1: The consequence estimate was (2.4 x 10^-7)(1.5 x 10^5)(189) man-rem = 7 man-rem.
Problem 2: The consequence estimate was (1.8 x 10^-6)(1.5 x 10^5)(189) man-rem = 51 man-rem.
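The Problem 1 and Problem 2 calculations above share one chain of arithmetic: a probability of failing to reset the turbine in time, the change in the turbine-driven train's failure rate, the cut sets with and without AC power, and the man-rem figure. The example below carries that chain through in code for both problems. It is an added example written for this page, not part of NUREG-0933 or the staff evaluation; the parameter values are the ones stated in this item (including the rounded rate constant of 0.22 used for the reset-time distribution), and the function and variable names are the example's own.

```python
"""Item 122.1.B risk arithmetic for Problem 1 (reset time-out) and Problem 2
(inexperienced operator): turbine-train failure change, cut sets and man-rem.

Example code written for this page, not part of NUREG-0933. Numeric values are
the evaluation's; the names are this example's own assumptions.
"""
import math

T1, T2, T3 = 0.05, 0.64, 5.7       # initiator frequencies, /RY
M_T3 = 3.7e-3                      # PCS failure given T3 (unity for T1, T2)
LOPNRE, PCSNR, U = 0.25, 0.3, 0.015
DIESELS = 2.7e-3                   # 1-of-2 emergency diesel unavailability (NUREG-1032 mid-range)
TURBINE_FAIL_BEFORE_FIX = 4.1e-2   # turbine-driven train failure/demand, incl. resettable trips
RESETTABLE_FRACTION = 0.35         # share of turbine failures a manual reset could recover
MOTOR_TRAIN_FAIL = 0.033           # non-turbine AFW failure probability (1e-3 / 3e-2)
WEIGHTED_CONSEQUENCE = 1.5e5       # man-rem per core-melt, from Item 122.1.A
OPERATIONAL_YEARS = 189            # collective for the 9 two-train PWRs
N_PLANTS = 9


def reset_timeout_probability(mean_minutes=4.5, available_minutes=23.4):
    """P(local reset takes longer than the time available).

    Uses the evaluation's order-2 gamma model p(t) = lam^2 t exp(-lam t), whose
    tail beyond t0 is (1 + lam t0) exp(-lam t0); lam is rounded to 0.22 as the
    evaluation did, which is what reproduces its 3.6%.
    """
    lam = round(1.0 / mean_minutes, 2)
    x = lam * available_minutes
    return (1.0 + x) * math.exp(-x)


def delta_turbine_train(p_fail_to_reset):
    """Change in turbine-driven train failure/demand attributable to manual reset."""
    return TURBINE_FAIL_BEFORE_FIX * RESETTABLE_FRACTION * p_fail_to_reset


def cut_sets(delta_turbine):
    """Core-melt cut sets (/RY); the diesel sequence gets no motor-train credit."""
    L_ac = delta_turbine * MOTOR_TRAIN_FAIL   # AC available: motor-driven train credited
    L_no_ac = delta_turbine                   # station blackout: turbine train only
    return {
        "T1M*LOPNRE*L*U":       T1 * LOPNRE * L_ac * U,
        "T1M*LOPNRE*DIESELS*L": T1 * LOPNRE * DIESELS * L_no_ac,
        "T2M*L*U":              T2 * L_ac * U,
        "T3*M*PCSNR*L*U":       T3 * M_T3 * PCSNR * L_ac * U,
    }


def evaluate(p_fail_to_reset):
    """Cut sets, per-plant and fleet core-melt frequency change, and man-rem."""
    cs = cut_sets(delta_turbine_train(p_fail_to_reset))
    total = sum(cs.values())
    return {
        "cut_sets": cs,
        "delta_F_per_RY": total,
        "fleet_per_year": total * N_PLANTS,
        "man_rem": total * WEIGHTED_CONSEQUENCE * OPERATIONAL_YEARS,
    }


# Problem 1: time-out plus the 1% chance of being unable to reach the pump rooms
P_FAIL_RESET_PROBLEM_1 = reset_timeout_probability() + 0.01
# Problem 2: off-shift (76%) x inexperienced operator assigned (50%) x that operator fails (90%)
P_FAIL_RESET_PROBLEM_2 = 0.76 * 0.50 * 0.90

if __name__ == "__main__":
    for label, p in (("Problem 1", P_FAIL_RESET_PROBLEM_1),
                     ("Problem 2", P_FAIL_RESET_PROBLEM_2)):
        r = evaluate(p)
        print(f"{label}: P(fail to reset) = {p:.3f}, "
              f"delta turbine train = {delta_turbine_train(p):.1e}/demand")
        for name, f in r["cut_sets"].items():
            print(f"  {name:22s} {f:.1e}/RY")
        print(f"  total {r['delta_F_per_RY']:.1e}/RY, fleet {r['fleet_per_year']:.1e}/yr, "
              f"{r['man_rem']:.0f} man-rem")
```

Running it reproduces the two cut-set tables to within the evaluation's intermediate rounding; the only term that differs by more than a percent or two is the diesel sequence, where the evaluation's 2.0 x 10^-8 is slightly below the unrounded product.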
Problem 1: Changing the turbine trip logic on a safety-related system was likely to require 6 staff-months of effort per plant, even if no major procurement was needed. In addition, at least 3 staff-months of generic work plus a week of effort on each plant would be required of the NRC staff. The total cost for the 9 PWRs with 2 AFW trains (excluding Davis-Besse) was thus estimated to be at least $0.5M.
Problem 2: Having operators practice the task of resetting and manually starting AFW turbines is relatively inexpensive. (If, after the first time, more than half an hour of the operator's time is needed, there is little point in the exercise.) However, this is a continuing expense. It was assumed that one staff-month/plant of administrative effort would be required to set up the program plus two staff-weeks/year thereafter of actual practice. Assuming a 5% discount rate and an average remaining life of 28 calendar-years, this totaled $620,000 for 9 plants. NRC costs were likely to be one staff-month of generic work plus 1 staff-week/plant, or about $26,000. The total cost was roughly $650,000.
Problem 1: Based on an estimated public risk reduction of 7 man-rem and a cost of $0.5M for a possible solution, the value/impact score was given by: S = (7 man-rem)/($0.5M) = 14 man-rem/$M.
Problem 2: Based on an estimated public risk reduction of 51 man-rem and a cost of $0.65M for a possible solution, the value/impact score was given by: S = (51 man-rem)/($0.65M) = 78 man-rem/$M.
|(1)||There was no significant ORE associated with the possible solution to this issue. The AFW turbines and valves in question are not exposed to contaminated fluids, since they are in the secondary system.|
|(2)||There were offsetting savings which could be credited against the estimated expenditures. The cost of a core-melt would be about $1 billion plus replacement power for the rest of the plant lifetime. In an actuarial sense, using the accident frequencies estimated above and assuming a 5% annual discount rate, this corresponded to a present worth of $6,000/plant. Also, even if a core-melt is avoided and the plant is ever placed in a situation where feed-and-bleed techniques are used, major cleanup will be necessary because of rupture of the quench tank. If cleanup lasts six months, the actuarial cost had a present worth of $10,000/plant.|
|(3)||It was assumed in the calculations that the feed-and-bleed failure probability was 0.015. In actual fact, NUREG-1154 [886] inferred that the Davis-Besse operators were reluctant to initiate feed-and-bleed. Thus, this figure may be somewhat optimistic. Also, some (CE) plants do not have power-operated relief valves on the primary system and thus cannot use feed-and-bleed techniques. Raising the feed-and-bleed failure probability to 0.1 would put this issue into the high priority range.|
|(4)||Some plants may have other means of decay heat removal (e.g., the high head service water system at Oconee). For these plants, the figures would have to be adjusted downward.|
|(5)||These figures should not be used for BWR HPCI and RCIC systems. The BWR systems generally have a greater number of trips and an elaborate isolation system.|
|(6)||The calculations above were based on an AFW system with one motor-driven and one turbine-driven train. A plant such as Davis-Besse with only two turbine-driven trains will be significantly more susceptible to this issue because whatever tripped the first turbine may well trip the second also. Other plants which originally were equipped with only turbine-driven trains include Turkey Point 3 and 4 and Haddam Neck. The Turkey Point units share three turbine-driven AFW trains and also had a motor-driven train installed on each unit. Haddam Neck had two turbine-driven trains and installed one (manual start) motor-driven train. At the time of this evaluation, the availability and surveillance requirements for the new motor-driven trains on these plants had not been added to the plant TS and they were not capable of being powered from onsite emergency power. Nevertheless, given the presence of these diversely powered trains, these plants were not likely to need special treatment for this issue.|
This issue was of high priority for those plants that did not have the capability to remove decay heat by feed-and-bleed or other alternative means. However, this concern was addressed in the resolution of Issue 122.2. Based on the calculations above, the remaining part of the issue was placed in the medium priority category (see Appendix C), but was later integrated into the resolution of Issue 124.
ITEM 122.1.C: INTERRUPTION OF AUXILIARY FEEDWATER FLOW
This item addressed Finding 6 in Section 5.2.2 of NUREG-1154886 and deals with the potential inability to remove reactor decay heat because of the interruption of all AFW flow due to the first common mode failure discussed above: the closing of the AFW pump discharge isolation valves. This issue is related to Issue 122.1.A, which deals with another problem that prevented the isolation valves from reopening.
The definition885 of this issue was ambiguous in that the full title, "Interruption of Auxiliary Feedwater Flow due to Failures in Steam and Feed Line Break Accident Mitigation Features (e.g., SFRCS)," referred to the second failure described under Issue 122.1, but the bases presented are Section 5.2.2 and Finding 6 of NUREG-1154886 which referred to the first failure (i.e., of main, not auxiliary, feedwater). Both failures were addressed in this analysis.
The first part of the issue is the spurious closure of the MSIVs; in this case, as a result of a turbine trip. Most plants of recent design are equipped with turbine-driven main feedwater pumps. Closure of the MSIVs will shut off all feedwater flow. Moreover, once MSIVs are closed, the reopening of these valves is a rather elaborate procedure. The loss of main feedwater is not easily recoverable.
The second part of the issue is the isolation of AFW. This is done in the event of a steam line break within containment to prevent exceeding the containment design pressure. The containment is designed to accommodate the initial blowdown of a steam generator. If feedwater to the affected steam generator is not shut off, the boil-off due to decay heat will continue to dump steam to the containment. However, in a transient involving loss of main feedwater but no steam line break, shutting off AFW flow is very undesirable. It must also be remembered that loss-of-feedwater events are far more frequent than steam line breaks.
In the past, inadvertent MSIV closure was considered a relatively rare transient. In the particular case of the Davis-Besse transient, the steam generator level sensors had been replaced by a new type of transmitter.886 The rapid closure of the turbine stop valves sent a pressure wave up the steam lines back to the steam generators. This phenomenon is not new; it is routinely allowed for in the analysis of BWR transients where the reactor core is directly sensitive to the pressure pulse. However, the new transmitters were of a design that did not dampen out the pressure pulse, which caused them to trip. A possible solution would be to add some damping to the level signal at those plants where this has proven to be a problem.
The inadvertent isolation of AFW flow appears to be primarily a human factors problem associated with the controls layout. This could be solved by a redesign of this portion of the control panel. If on further study it appears that spurious isolations are occurring because of hardware problems, other actions (e.g., possibly using high containment pressure in a logical "and" with low steam generator pressure) might be necessary. In addition, the question of whether an operator should anticipate automatic actuations or simply observe and confirm them should be addressed in the long term.
This item appears to be associated with B&W plants. The isolation logic and AFW control is quite different for the other PWR vendors. (CE-designed plants may be susceptible to the first part of the issue.)
The affected sequences and cut sets are the same as those for Item 122.1.A with the exception of the parameter L which is redefined as follows:
|L||= Failure rate of the AFW system. The RRAB memorandum894 gives 10^-3/demand as "typical" for a two-train system (offsite power available) and 1.8 x 10^-5/demand as "typical" for a three-train system.|
The first part of the issue, inadvertent MSIV closure, has the effect of turning the T3-initiated transients into T2-initiated transients. (T1 transients are unaffected). If every transient led to MSIV closure (as NUREG-1154,886 Section 5.11 seems to imply), the parameters and sequences are straightforward:
T2 = (5.7 - 0.64) = 5.06
T3 = -5.7
For plants with a two-train AFW system:
|T2*M*L*U||= 7.6 x 10^-5|
|T3*M*PCSNR*L*U||= -9.5 x 10^-8|
|Net change, F||= 7.6 x 10^-5/RY|
For plants with a three-train AFW system:
|T2*M*L*U||= 1.4 x 10^-6|
|T3*M*PCSNR*L*U||= -1.7 x 10^-9|
|Net change, F||= 1.4 x 10^-6/RY|
The second part of the issue, AFW isolation, affects parameter L. The change in L is composed of two factors: the change in the probability of spurious isolation and the probability of failure to reopen on demand. As discussed in Issue 122.1.A, the staff assumed a 5% minimum likelihood of spurious AFW isolation and that another plant with a high likelihood (e.g., 20%) exists.
The second factor is the failure of the isolation valves to reopen on demand. It was assumed that Issue 122.1.A was addressed independently and that this failure probability was now governed by the failure of an operator to diagnose and correct the problem. The operator failure rate for such a situation is not independent of the spurious actuation error described above. It was assumed, based on judgment, that 95% of the time the operator will correct the error by resetting the inadvertent isolation and reopening the isolation valves.
For the more realistic (5%) inadvertent isolation probability situation, the cut sets become:
|T1*M*LOPNRE*L*U||= 4.7 x 10^-7/RY|
|T2*M*L*U||= 2.4 x 10^-5/RY|
|T3*M*PCSNR*L*U||= 2.4 x 10^-7/RY|
|Total F||= 2.5 x 10^-5/RY|
For the more extreme (20%) case, this change in core-melt frequency would be four times this value, or 9.9 x 10^-5/RY.
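The two parts of Item 122.1.C are both cut-set products in the report's symbols (T1, T2, T3, M, PCSNR, L, U), and Part 2 is linear in the change in L, which is why the 20% case is exactly four times the 5% case. The following Python is an added example written for this page, not a calculation from NUREG-0933 or the RSSMAP code. The report prints neither M nor PCSNR nor the T1 factor, so M is assumed to be 1.0 and the other two are back-solved from the report's own 9.5 x 10^-8 and 4.7 x 10^-7 cut-set values; those three constructed factors are marked in the code.

```python
"""Cut-set arithmetic for the two parts of Item 122.1.C.

Added example, not part of NUREG-0933. Symbols follow the report:
T1, T2, T3 = transient initiator frequencies per reactor-year (RY),
L = AFW system failure probability per demand, U = feed-and-bleed failure
probability, M and PCSNR = the remaining cut-set factors. The report does not
print M, PCSNR or the T1 factor, so here M is ASSUMED to be 1.0 and the other
two are back-solved from the report's own 9.5e-8 and 4.7e-7 cut-set values.
"""

U = 0.015               # feed-and-bleed failure probability used throughout Issue 122
L_TWO_TRAIN = 1.0e-3    # AFW failure probability/demand, two-train system (RRAB memorandum)
L_THREE_TRAIN = 1.8e-5  # AFW failure probability/demand, three-train system
T2 = 0.64               # loss-of-main-feedwater transients per RY (the report's 0.64)
T3 = 5.7                # other transients per RY (the report's 5.7)

# --- constructed factors (not printed in the report) ---------------------------
M = 1.0                                        # ASSUMED; reproduces the T2 cut set exactly
PCSNR = 9.5e-8 / (T3 * M * L_TWO_TRAIN * U)    # back-solved from 9.5e-8, about 1.1e-3
T1_M_LOPNRE = 4.7e-7 / (0.05 * 0.05 * U)       # lumped T1*M*LOPNRE, back-solved from 4.7e-7


def part1_delta_f(L):
    """Part 1: inadvertent MSIV closure on every transient moves the T3 initiators
    into the T2 (loss of main feedwater) class. Returns the change in the T2 cut
    set, the change in the T3 cut set, and the net change, all in core-melt/RY."""
    dT2 = T3 - T2          # the report's (5.7 - 0.64) = 5.06
    dT3 = -T3              # the report's -5.7
    t2 = dT2 * M * L * U
    t3 = dT3 * M * PCSNR * L * U
    return t2, t3, t2 + t3


def delta_L(p_spurious_isolation, p_fail_to_reopen):
    """Part 2: the added AFW failure probability is the product of a spurious
    isolation and the operator failing to reset it and reopen the valves."""
    return p_spurious_isolation * p_fail_to_reopen


def part2_delta_f(p_spurious_isolation, p_fail_to_reopen=0.05):
    """Part 2 cut sets for a two-train plant, with the change in L from delta_L
    substituted for L. Returns each cut set and the total, in core-melt/RY."""
    dL = delta_L(p_spurious_isolation, p_fail_to_reopen)
    t1 = T1_M_LOPNRE * dL * U
    t2 = T2 * M * dL * U
    t3 = T3 * M * PCSNR * dL * U
    return {"T1": t1, "T2": t2, "T3": t3, "total": t1 + t2 + t3}


def sensitivity_ratio(p_high=0.20, p_low=0.05):
    """Every Part 2 cut set is linear in delta_L, so scaling the spurious
    isolation probability scales the total by the same factor (4x for 20%/5%)."""
    return part2_delta_f(p_high)["total"] / part2_delta_f(p_low)["total"]


if __name__ == "__main__":
    for name, L in (("two-train", L_TWO_TRAIN), ("three-train", L_THREE_TRAIN)):
        t2, t3, net = part1_delta_f(L)
        print(f"Part 1, {name}: T2 cut set {t2:.1e}, T3 cut set {t3:.1e}, net {net:.1e} /RY")
    for p in (0.05, 0.20):
        r = part2_delta_f(p)
        print(f"Part 2, {p:.0%} spurious isolation: total {r['total']:.1e} /RY")
```

Because `M` and `PCSNR` are back-solved from the two-train figures, the three-train Part 1 result (about 1.4 x 10^-6/RY) and the 20% Part 2 result (about 9.9 x 10^-5/RY) come out of the same functions without further tuning, which is a useful consistency check on the report's table.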
The consequence estimate was the same as that for Issue 122.1.A. The "weighted-average" core-melt will have consequences of 1.5 x 10^5 man-rem.
The core-melt frequencies were in a range where costs that are within reason would not affect the priority ranking. Consequently, no cost analysis was done.
Without a detailed design examination, it was not possible to determine exactly how many plants were affected. The B&W plants had an average of 29.5 calendar-years (22 operational years) of remaining lifetime. The priority parameters for each part of the issue were:
| ||Part 1||Part 2|
|Core-melt/RY||7.6 x 10^-5||2.5 x 10^-5|
|(1)||There was no significant ORE associated with the possible solution to this issue. The valves in question are not exposed to contaminated fluids since they are in the secondary system.|
|(2)||It was assumed in the calculations that the feed-and-bleed failure probability is 0.015. In actual fact, NUREG-1154886 infers that the Davis-Besse operators were reluctant to initiate feed-and-bleed. Thus, this figure may be somewhat optimistic, which would raise the priority scores.|
|(3)||The two parts of the issue were evaluated separately because they involved two separate failures in the Davis-Besse event. Nevertheless, it should be noted that both involved the SFRCS. In essence, one control system apparently had the capability to shut off both main feedwater (by MSIV closure) and AFW. Although two distinct failures were involved at Davis-Besse, there may well be a single failure within the SFRCS which could do both. Deterministic evaluations of this system should recognize the seriousness of such a failure mode.|
Based on the potential change in core-melt frequency, this issue was given a high priority ranking (see Appendix C), but was later integrated into the resolution of Issue 124.
ITEM 122.2: INITIATING FEED-AND-BLEED
This issue deals with the adequacy of emergency procedures, operator training, and available plant monitoring systems for determining the need to initiate feed-and-bleed cooling following loss of the steam generator heat sink. It was based upon Findings 10, 17 and 18 in Sections 6.1.1 and 6.1.2 of NUREG-1154.886 Essentially, the operators were reluctant to take the drastic step of initiating feed-and-bleed cooling, probably because they believed restoration of the AFW system was imminent. The fact that feed-and-bleed cooling releases primary coolant to the containment (implying an extensive shutdown for the purpose of decontamination) may also have influenced their actions. Finally, the normal control room instrumentation was inadequate to clearly inform the operators that feed-and-bleed was called for. The SPDS which would have displayed the necessary information was not operable.
The reactor vendors have provided licensees with feed-and-bleed procedures. At the time of this evaluation, feed-and-bleed capability was not specifically required by the NRC although the techniques, benefits, and costs were evaluated as part of Issue A-45. Basically, feed-and-bleed cooling is a method of last resort which can avert core damage if main and auxiliary feedwater are lost and other methods of decay heat removal are unavailable. For plants licensed without a PORV, the lack of feed-and-bleed capability was a significant issue and the need for a highly reliable AFW system was emphasized.
PRAs give considerable credit for feed-and-bleed cooling. A failure rate of one or two percent is a typical assumption. However, the Davis-Besse event chronology left the impression that this failure probability may be overly optimistic. In addition, it should be noted that, depending on specific plant design, there may be a fairly short time period in which feed-and-bleed cooling will be successful. If the plant operators delay too long before initiating feed-and-bleed cooling, their error may not be retrievable by later action. This issue applies to all plants that can use feed-and-bleed techniques, i.e., all PWRs, except for a few CE-designed plants that have no pressurizer PORVs.
The solution was a matter of emphasis on safety vs. operation, training in existing procedures, and possibly an upgrading of instrumentation at certain sites. In addition, the procedures themselves could be upgraded to make the criteria for initiation of feed-and-bleed cooling more direct and unambiguous, leaving less room for operator reluctance. (For example, in the case of Davis-Besse, basing the initiation of feed-and-bleed on hot leg temperature rather than on steam generator parameters has been suggested.) Here, we will concentrate on ensuring that existing procedures are followed. The general technical aspects of feed-and-bleed decay heat removal were addressed under Issue A-45.
The question of interest was, what would be the change in core-melt frequency if the failure probability of feed-and-bleed cooling (U) is changed? NUREG/CR-165954 and NSAC-60889 assume a failure probability of 0.015 for non-ATWS sequences (RSSMAP parameter "HPMAN") and 0.10 for the (higher stress) ATWS sequences ("HPMAN1"). The operators' performance during the Davis-Besse event left the impression that these figures were too low. It was assumed, based purely on judgment, that failure probabilities of 0.10 for non-ATWS sequences and 0.50 for ATWS sequences were more reasonable estimates.
In making the calculations, the parameters were the same as in Issue 122.1.A, except: (1) the frequency of loss of main feedwater transients T2 (momentary and sustained) was set at 2.13/year, based on NSAC-60889; and (2) the AFW failure probability (L) was set as follows, based on the RRAB memorandum:894
| ||Offsite Power Available||No Offsite Power|
|3-train AFW||1.8 x 10^-5||5.1 x 10^-5|
|2-train AFW||1.0 x 10^-3||1.7 x 10^-3|
In addition, the computerized RSSMAP54 analysis was changed as follows: (1) the probability of loss of onsite power (B3) was changed to 1.3 x 10^-3, a figure more representative of a twin diesel system (Oconee uses hydroelectric generators for emergency power); and (2) Oconee's capability of feeding the steam generators with the High Head Service Water System was disabled (HHMAN = 1.0).
A series of computer calculations was performed, in an attempt to obtain both the "best" answer and some information as to the sensitivity of the answer to a variety of conditions.
|3-train AFW system: HPMAN raised to 0.1, HPMAN1 raised to 0.5||3.3 x 10^-5|
|3-train AFW system: HPMAN raised to 0.1, ATWS sequences unchanged||9.2 x 10^-6|
|2-train AFW system: HPMAN raised to 0.1, HPMAN1 raised to 0.5||1.0 x 10^-4|
|2-train AFW system: HPMAN raised to 0.1, ATWS sequences unchanged||8.1 x 10^-5|
|Test case, original RSSMAP parameters: HPMAN raised to 0.1, ATWS sequences unchanged||2.0 x 10^-5|
Clearly, the change in the feed-and-bleed failure probability has a strong effect on core-melt frequency. The figures span the decade from 10^-5 to 10^-4. The first calculation (3.3 x 10^-5) was used bearing in mind that the figure for a plant with a two-train AFW system will probably be greater. In addition, it should be noted that even a partial solution will make a significant reduction in core-melt frequency.
At the time of this evaluation, there were 55 operating PWRs with an aggregate of about 1700 calendar-years or 1300 operational years of remaining lifetime. Thus, the core-melt frequency estimate was (3.3 x 10^-5)(55)/year or 1.8 x 10^-3/year.
The consequence estimate was the same as that for Issue 122.1.A. The "weighted-average" core-melt will have consequences of 1.5 x 10^5 man-rem. For the 55 plants with a combined remaining operation life of 1300 years, the consequence estimate was approximately 6,500 man-rem.
The solution to this issue was likely to be procedural in nature, with upgrades in equipment more likely to be done under Issue A-45. It was assumed that 6 staff-months/plant would suffice for refresher training on these procedures. NRR costs were likely to be on the order of 6 staff-months of generic effort plus 2 staff-weeks per licensee. For the 55 operating PWRs, this cost was roughly $3M.
Based on an estimated public risk reduction of 6,500 man-rem and a cost of $3M for a possible solution, the value/impact score was given by:
(1) For a plant with a two-train AFW system, the per-reactor and per-RY figures would be roughly three times as large.
(2) This issue did not involve ORE.
(3) There was an offsetting saving which could be credited against the expenditures above. The cost of a core-melt would be about one billion dollars plus replacement power for the rest of the plant lifetime. In an actuarial sense, using the accident frequencies estimated above, assuming a 5% annual discount rate and subtracting the feed-and-bleed cleanup costs which would reduce the core-melt costs, this corresponded to about a present worth of $1.2M/plant.
(4) In contrast to the saving associated with averting a core-melt, an unnecessary use of feed-and-bleed will result in major cleanup costs. If half the uses of feed-and-bleed are unnecessary and a cleanup lasts six months, the actuarial cost showed a present worth of roughly $400,000/plant (based on a residual frequency of unnecessary use of feed-and-bleed of 5 x 10^-4/RY).
Based on the above calculations, this issue was given a high priority ranking (see Appendix C). In resolving the issue, the staff concluded that there was no need for new regulatory requirements/guidance. This conclusion was based on the determination that there was adequate reactor safety and ongoing industry initiatives to continue enhancing safety involving feed-and-bleed. More specifically, the staff's conclusion was based on the following: (1) as a result of the TMI accident, NRC required licensees to have new EOPs to prevent/mitigate accidents; (2) licensees have EOPs in place that incorporate NSSS vendor guidance for feed-and-bleed; (3) licensees continue to enhance feed-and-bleed procedures taking into account existing NSSS vendor recommendations; and (4) NRC has ongoing licensing review/inspection activities concerning NSSS vendor/licensee enhancement of EOPs including feed-and-bleed. Thus, this issue was RESOLVED and no new requirements were established.1204
ITEM 122.3: PHYSICAL SECURITY SYSTEM CONSTRAINTS
This particular issue arose out of Finding 9 in Section 3.6 of NUREG-1154,886 which states: "The locked doors and valves in the plant had the potential for significantly hampering operator actions taken to compensate for equipment malfunctions during the event and were a significant concern to the equipment operators."
In the Davis-Besse event, the operators were able to reach the AFW pump room with no reported difficulty. There were difficulties in resetting and restarting the turbines and in opening the isolation valves, but these were not related to locking devices.
Barriers and locks are present for purposes of physical security. In addition, barriers are provided for other purposes, such as personnel protection, fire zone isolation, and flood protection. Valves are locked not only for security reasons, but also because inadvertent opening of these valves may have economic or safety consequences. The presence of the locking devices and barriers must strike a balance between these purposes and the fact that these devices may impede free movement in the plant and some local operations during an emergency. It should be noted that the control boards in the control room are also liberally supplied with keylock switches. This issue applies to all reactors.
The possible solution to this issue is to completely evaluate the net effect of a given barrier on plant safety and either remove it or (in extreme cases) provide an alternate means of entrance (with its own locks), should the analysis so indicate.
This issue was not new; the impact of locked doors and barriers on safety was evaluated in Issue 81 where the staff considered the frequency of a need for entry into the plant, the likelihood of procedural error (e.g., wrong key), and the probability of successful forcible entry in a timely fashion.
Only non-security barriers were considered in Issue 81. A barrier that was installed for security reasons is not as likely to be forcibly penetrated in a few minutes. Moreover, the scenario here is slightly different than that of Issue 81. It should be noted, however, that the Davis-Besse experience confirmed some of the assumptions of the Issue 81 evaluation since there were in fact no problems with locked doors or valves.
Frequency estimates were based on a loss of main feedwater event consistent with Issue 122.1.A. The frequencies and probabilities were: non-recoverable loss of main feedwater (0.67/RY); failure of AFW (10^-3 for a "typical" two-train system and 1.8 x 10^-5 for a "typical" three-train system); and failure of feed-and-bleed cooling (0.015).
It was also assumed that a locked barrier could prevent entry into the AFW pump room(s) and that such entry could recover the AFW system. This is a high stress situation. Thus, it was assumed that there was a 10% chance of human error (e.g., wrong key) and a 10% chance of non-recovery. (The chance of mechanical lock failure estimated in Issue 81 was 0.001.) No credit for forcible penetration was assumed.
The padlocks and chains on the valve wheels were not considered in view of the existence of bolt-cutters and the fact that there were two or three redundant trains. The result was a change in core-melt frequency of 10^-7 for plants with 2 AFW trains and 1.8 x 10^-9 for plants with 3 AFW trains.
The consequence estimate was the same as that for Issue 122.1.A. The "weighted-average" core-melt will have consequences of 1.5 x 10^5 man-rem. Assuming 30 years of remaining operational life for plants with 2 AFW trains, the consequence estimate was (10^-7)(1.5 x 10^5)(30) man-rem/reactor or approximately 0.45 man-rem/reactor. For plants with 3 AFW trains, the consequence estimate was (1.8 x 10^-9)(1.5 x 10^5)(30) man-rem/reactor or approximately 0.01 man-rem/reactor.
In Issue 81, a one-time evaluation of existing locked doors was estimated to cost $200,000. This value was used as a minimum cost/plant, recognizing that an adverse finding will incur labor and equipment costs that may be much larger.
2 AFW Trains: Based on an estimated public risk reduction of 0.45 man-rem/reactor and a cost of $0.2M/reactor for a possible solution, the value/impact score was given by:
3 AFW Trains: Based on an estimated public risk reduction of 0.01 man-rem/reactor and a cost of $0.2M/reactor for a possible solution, the value/impact score was given by:
The analysis was based on the PWR design. It was not expected that a BWR design would be greatly different from that of a three AFW-train PWR, given the ability of HPCI, RCIC, and the ADS low-pressure ECCS to mitigate transients.
Based on the above calculations, this issue was given a low priority ranking (see Appendix C). In NUREG/CR-5382,1563 it was concluded that consideration of a 20-year license renewal period did not change this priority. Further prioritization, using the conversion factor of $2,000/man-rem approved1689 by the Commission in September 1995, resulted in an impact/value ratio (R) of $444,444/man-rem which placed the issue in the DROP category.
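Every item in Issue 122 ends with the same chain: change in core-melt frequency per reactor-year, times the 1.5 x 10^5 man-rem "weighted-average" consequence, times the remaining operational years (per reactor for Item 122.3, fleet-wide for Items 122.1.B and 122.2), giving a risk reduction that is then set against the cost of the fix, first as a value/impact score and, after 1995, as the impact/value ratio R in $/man-rem. The Python below is an added example written for this page, not the report's own tool; it takes its inputs from the figures printed above and reproduces them (7 and 51 man-rem for Item 122.1.B, 6,500 man-rem for Item 122.2, 0.45 man-rem/reactor and $444,444/man-rem for Item 122.3). The function names are this example's, and treating "R above the $2,000/man-rem conversion factor" as a screen is an assumption used here for illustration; the report's actual category thresholds are in Appendix C.

```python
"""Consequence and value/impact arithmetic used in Issue 122.

Added example, not part of NUREG-0933. It carries the report's own chain:
risk reduction (man-rem) = change in core-melt frequency (/RY)
                          x consequence per core-melt (man-rem)
                          x remaining operational reactor-years,
value/impact score = man-rem averted per $M spent, and the 1995 impact/value
ratio R = $ spent per man-rem averted. Function names are this example's.
"""

CONSEQUENCE_MAN_REM = 1.5e5    # "weighted-average" core-melt consequence used for Issue 122
DOLLARS_PER_MAN_REM = 2000.0   # Commission conversion factor cited for the 1995 re-prioritization


def risk_reduction_man_rem(delta_f_per_ry, operational_years, consequence=CONSEQUENCE_MAN_REM):
    """Man-rem averted over operational_years. Pass per-reactor years for a
    per-reactor figure (Item 122.3) or fleet-total years for a fleet figure
    (Items 122.1.B and 122.2); the arithmetic is the same."""
    return delta_f_per_ry * consequence * operational_years


def fleet_core_melt_frequency(delta_f_per_ry, n_plants):
    """Fleet-wide core-melt frequency per year, the report's (3.3e-5)(55) step."""
    return delta_f_per_ry * n_plants


def value_impact_score(man_rem, cost_dollars):
    """The report's value/impact score: man-rem averted per million dollars."""
    return man_rem / (cost_dollars / 1e6)


def impact_value_ratio(cost_dollars, man_rem):
    """R in dollars per man-rem averted, the inverse figure used after 1995."""
    return cost_dollars / man_rem


def exceeds_conversion_factor(cost_dollars, man_rem, factor=DOLLARS_PER_MAN_REM):
    """ASSUMED screen for this example: True when the fix costs more per man-rem
    than the conversion factor. The report's real thresholds are in Appendix C."""
    return impact_value_ratio(cost_dollars, man_rem) > factor


def item_122_3(delta_f_per_ry, years=30, cost_dollars=0.2e6):
    """Per-reactor figures for Item 122.3: (man-rem/reactor, R in $/man-rem)."""
    mr = risk_reduction_man_rem(delta_f_per_ry, years)
    return mr, impact_value_ratio(cost_dollars, mr)


if __name__ == "__main__":
    # Item 122.1.B, Problems 1 and 2: 9 two-train PWRs, 189 operational years
    print("122.1.B:", risk_reduction_man_rem(2.4e-7, 189), risk_reduction_man_rem(1.8e-6, 189))
    print("122.1.B Problem 1 score:", value_impact_score(7, 0.5e6), "man-rem/$M")
    # Item 122.2: 55 PWRs, 1300 operational years
    print("122.2:", fleet_core_melt_frequency(3.3e-5, 55), risk_reduction_man_rem(3.3e-5, 1300))
    # Item 122.3: per reactor, 30 years, $0.2M/reactor
    for label, df in (("2 AFW trains", 1e-7), ("3 AFW trains", 1.8e-9)):
        mr, r = item_122_3(df)
        print(f"122.3 {label}: {mr:.3f} man-rem/reactor, R = ${r:,.0f}/man-rem")
```

Running the 3-AFW-train case shows the rounding the report applies: the raw figure is 0.0081 man-rem/reactor, printed above as "approximately 0.01", and the corresponding R is an order of magnitude above the two-train value.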