Wednesday, January 21, 2015

Millstone Special Inspection: My Analysis On The Delayed Starting Of The TDAFW pump


The NRC has no proof the degraded and broken components in the TDAFW make the pump reliable to operate in a nuclear plant in 15 to 20 minutes.


I contend the normal training of the control room staff would lock out operation of the pump. The staff would put the pump in "pull to lock" fearing the failed-to-start pump is dangerous and too erratic for safety operation. So it wouldn't start at all.

Big picture, the NRC's staff is teaching the Dominion staff that the licensing conditions of the plant are optional.
January 15, 2015: MILLSTONE POWER UNIT 3 – NRC SPECIAL INSPECTION REPORT 05000423/2014013
If the TDAFW pump had been called upon in response to a plant transient, between May and September 2014, it likely would have performed as it did on July 15 and September 10, failing initially to start, but starting successfully after approximately 15 to 20 minutes. This protracted start would have permitted the pump to supply water to the steam generators within sufficient time to limit the significance of the initial failure. Specifically, the Team verified that the delayed start would not have prevented the pump from meeting its safety function for a limiting case station blackout event.
This is an astonishingly pernicious form of regulatory and corporate fraud and corruption. It effectively is telling lies deep in the bowels of engineering and science.

Excerpts from yesterday’s attachment and Millstone’s new special inspection. I honestly don’t understand why the NRC doesn't reevaluate this risk, the violation level…assuming the TDAFWP wasn't operable in the two plant LOOP. Conservatism would call the TDAFW pump inop prior to 2013 till the recent upgrade of all faulty components. That would help jack up the violation level...where Dominion and the nuclear industry would fear the backlash with the public's full knowledge of the safety condition inside Millstone.
I recently talked to the senior resident at Browns Ferry over the accumulator flex tubing to an SRV (ADS valve) being switched around, making the SRV inop since 2007. You get what is going on, the accumulators nationwide are untestable…all SRVs throughout the nation should have conservatively called all their SRVs/ADS system inop because there is no way to test if the accumulators are operable.

Do you get what I am saying, three big safety systems broken simultaneously when the accident happened is a hell of a bigger problem than the identical components being broken at separate times and exposed to the same accident. It is the mass defect problem with risk and multiple components being broken at the same time and in the same accident. This plays out in Millstone this summer.
1) The TDAFW pump problems. I'd call that inop prior to 2013 (exposure time).
2) The inappropriately sized containment feed water isolation valve hydraulic actuators not fixed until the recent outage. I'd call them inop since 2007. It is extraordinarily dangerous to allow a prolonged exposure time of the flaw because it is exposed to many accidents with a component design and operability defect.
3) Dominion removing the SLOD safety circuit secretly and without permission since maybe 2012. 
4) The two plant LOOP.
Individually any one of these component and organizational failures is bad...but it is horrendous for the flaws to be available in the same event. The risk collectively together should have driven the violation to the yellow and more likely a red finding. That way Dominion would have gotten all the NRC and public attention they really deserved. It would have driven Millstone into a much deeper corrective action and they would have had to explain themselves much deeper and in their own words to the public. We are worried the agency is inventing another Palisades or Pilgrim. The NRC are repeating their failures coming out of their 2007 feedwater isolation valve actuators being too small...to not accurately disposition risk in the LOOP and the third TDAFW pump inoperability to the proper violation that would get Dominion to change their tune.
     
So I asked the Browns Ferry resident, as an example, about the inopped RHR injection red finding and all the other safety components that were found to be degraded and inop (HPCI bearing installed backwards and wouldn't have met its mission time)…so why doesn’t the agency reevaluate the risk of the inopped injection valve now with the recently discovered inopped SRV/ADS valve, and how about throwing in all the other ADS valves whose accumulators weren't operability testable. The NRC only looks at apparent risk, with say evaluating the risk of the backward-installed bearing in the HPCI pump. The ADS system is the back-up system for HPCI. Conservatism would demand you call HPCI inop upon the improper installation of the bearing. The time it was inopped is from installation until it is discovered and the repair job. The risk penalty is siloed, say in the HPCI inop, in that the other safety systems found to be broken at the same time aren't included in the HPCI risk calculation. It is like with the emergency brakes in your car being non-functional. Any dope with a brain could see if the main brakes failed, the risk of an accident is jacked up and the severity of the accident increased if the emergency brakes didn't work just prior to the main brake failure. The real risk, say in the era of the red finding broken injection valve, is the combination, simultaneously, of the red finding injection valve being broken, HPCI inop with the backward bearing and the individual SRV/ADS valve.

The risk and magnitude of an accident with the combination of these three important components being broken at the same time is way bigger than the separately calculated risk and the isolated risk of component failures (3 or more) and then the separate risks of the components totaled together. The NRC very seldom calculates the risk of multiple components that become simultaneously broken.

The Browns Ferry inspector paused for a minute to think about the question. This inspector is a good guy and I like him. He said the rules of the agency force us to calculate risk in an issue-by-issue or case-by-case manner. I said, so there is real risk and then there is apparent calculated risk dictated by rules of the agency?

Terry, there is widespread corruption and fraud with how the agency calculates and uses risk. It is going to bite the agency in the ass one day!

***Excerpts: 
Endemic Engineering Corruption at McGuire and in NRC?
*"The slippage of the VSI"...isn't it hilarious this choice of words. Engineering language...language or word understanding disruption...the real possibility of the operability destruction of the dg through touristy and flowery words and language." 
 *"Are just the facts a lie in the big story? What evidence does the NRC have these defective inserts could remain stable in the worst case mission time? What evidence does the NRC infer that the insert cracks are stable and the failure is predictable? See how the NRC always throws the engineering and assumption uncertainties to whatever advantages a licensee. They only caught these cracked inserts by chance…they caught the cracks when another cylinder choked on a loose insert. The NRC can only punish the licensees on what the agency can see and measure...can't incentivize for a licensee for having cracks on inserts risking a future failure of the machine when much needed in an accident.
This is how the NRC frames it. I need triplicate proof to make a safety concern...the NRC gets to make unsubstantiated and fragile assumptions mitigating the risk imposed on the community from the poor behavior of a licensee. The level of the violation becomes too small and insignificant to get a change of behavior out of the licensee. The NRC's non-evidence-based assumptions drive the level of the violation!

I can make a case with the licensee and the NRC burying the magnitude of the violation (2007) levels within the too small containment feed water isolation valve hydraulic actuators naturally led to a "lack of attention" for plant conditions in the current spate of plant problems.
 January 15, 2015: SUBJECT: MILLSTONE POWER STATION UNIT 3 – NRC SPECIAL INSPECTION REPORT 05000423/2014013
 If the TDAFW pump had been called upon in response to a plant transient, between May and September 2014, it likely would have performed as it did on July 15 and September 10, failing initially to start, but starting successfully after approximately 15 to 20 minutes. This protracted start would have permitted the pump to supply water to the steam generators within sufficient time to limit the significance of the initial failure. Specifically, the Team verified that the delayed start would not have prevented the pump from meeting its safety function for a limiting case station blackout event.
So gaming “certainty” and “uncertainty” for the favored side is pernicious engineering fraud. The uncertainty with the TDAFW operability is that there is no real engineering data and a library's worth of documentation proving the degraded mechanical and electrical components would continue to behave in the 15 to 20 minute span. They are damaged, out of their lifespan, worn components…there is no reliable way to predict how they will operate next time. I know there is no proof, but conservatism would demand you call that machine inop. Can you even imagine the complexity in the control room in a blackout accident, the complexity the operator would be facing in a blackout.

So the uncertainty is because the components are not up to the regulations and licensee’s procedures/processes; basically, whether the machine would operate as intended next time is unknowable because of the degradation and it is too complex a problem to be estimated. Until recently Dominion didn’t understand the uncertainty in knowing the true condition of the machine…the NRC is not disclosing the engineering evidence uncertainty floating under the surface of their 15 to 20 minute possible startup of the pump after it was called to start up. The inspectors are grossly overestimating the past component reliable startup history from just a few data points. In other words, if the TDAFW pump were started up 100 times, do you honestly think the machine would start up 100% (100 times) within 15 to 20 minutes? At what point would the machine not work?

Basically the inspectors are using the stature and power of the agency to back up the weak assumption the degraded machine would positively start up on the next call minus any real evidence. There is utterly no engineering proof it would start up the next time.

It is mind-boggling fraud going on here. The agency just threw out the licensing conditions of the plant…the TDAFWP would be required to start up within the time frame of the UFSARs. The NRC is teaching the staff of Dominion the licensing conditions “aren’t” the bible of public safety. The staff of the plant only has to conform to the poorly informed agency assumption based on a few historical data points with no real engineering or science proof or evidence.

Big picture on the NRC’s staff in this special inspection and their recent interaction with Dominion: The agency is teaching Millstone the plant licensing and tech specs are just optional today with accepting the delayed startup of the TDAFWP and the penalty of violating the licensing conditions is insignificant.

“This is all bs. The operators don't know what is wrong with the pump in this type of accident. The component unreliability is nothing but a diversion for the staff in the control room. Is it in the emergency procedures to take a second shot at the start-up or waiting around with hands in their pockets? They would be way too busy to try to restart the pump and would just abandon it. Not knowing the failure mechanism, the control room would assume upon restart the latent failure would emerge in a way to make their precarious situation worse, like a steam leak, water leak or fire. I’ll bet you they would put it in “pull to lock” so it wouldn’t bite them in the ass later. Why waste invaluable control room resources on a machine that has been demonstrated as unreliable? Once starting up the machine, waiting for the machine to come up to speed, it would divert control room attention as they would worry it would fail and further erratic operation. So why isn’t the assumption in the control room, ok this pump didn’t start up as required and if it did start up later the operation of the pump would be so erratic as to be useless?

Waiting the 20 minutes for the pump to be able to restart would further dilute precious control room resources. Honestly the staff has no idea the machine would restart in 20 minutes…has there been simulator validation the control room would act as the NRC predicted? I suppose the staff has been trained hundreds of times on just such a TDAFWP style failure. They got any scientific or engineering evidence or testing these failed and degraded electronic and mechanical devices would work reliably with restarting the pump in 20 minutes? This is ridiculous. Remember they are talking about a blackout…this first time the plant ever went into this kind of accident.

"If the TDAFW pump had been called upon in response to a plant transient, between May and September 2014, it likely would have performed as it did on July 15 and September 10, failing initially to start, but starting successfully after approximately 15 to 20 minutes. This protracted start would have permitted the pump to supply water to the steam generators within sufficient time to limit the significance of the initial failure. Specifically, the Team verified that the delayed start would not have prevented the pump from meeting its safety function for a limiting case station blackout event."”

The green non-cited violation constitutes an NRC cover-up. The violation level isn’t high enough, such that Dominion isn’t required to publicly explain their bad behavior that got them to this inspection report. Now Dominion can’t contradict the NRC.

