Loss of Safety Function

From kanterella

50.72(b)(3)(v) - 8 hr ENS notification

(A) Shutdown the Reactor
(B) Remove Residual Heat
(C) Release of Radioactive Material
(D) Mitigate the Consequences of an Accident

50.73(a)(2)(v) - 60 day LER report

(A) Shutdown the Reactor
(B) Remove Residual Heat
(C) Release of Radioactive Material
(D) Mitigate the Consequences of an Accident

If the event or condition could have prevented fulfillment of the safety function at the time of discovery, an ENS notification and an LER are required. If it could have prevented fulfillment of the safety function at any time within 3 years of the date of discovery, but not at the time of discovery, only an LER is required. If the event or condition could have prevented fulfillment of the safety function at the time of discovery, and if it is not reported under 10 CFR 50.72(a), (b)(1), or (b)(2), an ENS notification is required under 10 CFR 50.72(b)(3).

Discussion

This criterion is based on the assumption that safety-related SSCs are intended to mitigate the consequences of an accident. SSCs within scope include only safety-related SSCs required by the TS to be operable that are intended to mitigate the consequences of an accident as discussed in Chapters 6 and 15 of the Final Safety Analysis Report (or equivalent chapters). Accidents are identified as events of moderate frequency, infrequent incidents, or limiting faults as discussed in Regulatory Guide 1.70, “Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants (LWR Edition)” (or equivalent classifications of the three types of events). The American Nuclear Society (ANS) categorizes these events as Condition II, III, and IV type events.

The level of judgment for reporting an event or condition under this criterion is a reasonable expectation of preventing fulfillment of a safety function. In the discussions that follow, many of which are taken from previous NUREG guidance, several different expressions, such as “would have,” “could have,” “alone could have,” and “reasonable doubt,” are used to characterize this standard. In the staff’s view, all of these should be judged on the basis of a reasonable expectation of preventing fulfillment of the safety function. An SSC that has been declared inoperable is one in which the SSC capability is degraded to a point where it cannot perform with reasonable expectation or reliability. These criteria cover an event or condition in which in-scope SSCs could have failed to perform their intended function because of one or more personnel errors, including procedure violations; equipment failures; inadequate maintenance; or design, analysis, fabrication, equipment qualification, construction, or procedural deficiencies, and no redundant equipment in the same system was operable.

As a result, for SSCs within the scope of this criterion, a report is required when 1) there is a determination that the SSC is inoperable in a required mode or other specified condition in the TS Applicability, 2) the inoperability is due to one or more personnel errors, including procedure violations; equipment failures; inadequate maintenance; or design, analysis, fabrication, equipment qualification, construction, or procedural deficiencies, and 3) no redundant equipment in the same system was operable. For guidance on determining whether an SSC is operable, see RIS 2005-20, Revision 1. Operable but nonconforming or degraded conditions are not considered reportable under this criterion.

As a result, reports are not required when systems are declared inoperable as part of a planned evolution for maintenance or surveillance testing when done in accordance with an approved procedure and the plant’s TS (unless a condition is discovered that would have resulted in the system being declared inoperable). In addition, unless a condition is discovered that would have resulted in the system being declared inoperable, reports are not required when systems are declared inoperable solely as a result of Required Actions for which the basis is the assumption of an additional random single failure (i.e., Westinghouse STS, Revision 4, LCO 3.8.1, “AC Sources – Operating,” Required Actions A.2, B.2, or C.1 (ADAMS Accession No. ML12100A222)).

The event must be reported regardless of whether or not an alternate safety system could have been used to perform the safety function. For example, if the onsite power system was declared inoperable due to equipment failures, the event would be reportable, even if the offsite power system remained operable.

For systems that include three or more trains, the inoperability of two or more trains should be reported if, in the judgment of the licensee, the remaining operable trains could not mitigate the consequences of an accident.

There are a limited number of single-train systems that perform safety functions (e.g., the HPCI system in BWRs). For such systems, inoperability of the single train is reportable even though the plant TS may allow such a condition to exist for a limited time.

If the retraction or cancellation of a report under this criterion is due to a revised operability determination, the retraction or cancellation should discuss the basis for why the operability determination was revised, and why it is believed that system operability was never lost (i.e., in lieu of the initial determination).

Examples

SINGLE-TRAIN SYSTEMS

(1) Failure of a Single-Train System Preventing Accident Mitigation and Residual Heat Removal

When the licensee was preparing to run a surveillance test, an HPCI flow controller was found to be inoperable; therefore, the licensee declared the HPCI system inoperable. The plant entered a TS requiring that the automatic depressurization, low-pressure coolant injection, core spray, and isolation condenser systems remain operable during the 7-day LCO or the plant would have to be shut down.

The licensee made an ENS notification within 28 minutes and a followup call after the amplifier on the HPCI flow transmitter was fixed and the HPCI returned to operability. As discussed above, the loss of a single-train safety system such as BWR HPCI is reportable.

(2) Failure of a Single-Train Nonsafety System

Question: If reactor core isolation cooling (RCIC) is not a “safety system” in that no credit for its operation is taken in the safety analysis, are failures and unavailability of this system reportable?

Answer: If the plant's safety analysis considered RCIC as a system needed to mitigate a rod ejection accident and it is included in the TS, then its failure is reportable under this criterion; otherwise, it is not reportable under this section of the rule.

(3) Failure of a Single-Train Environmental System

Question: There are a number of environmental systems in a plant dealing with such things as low-level waste (e.g., gaseous radwaste tanks). Many of these systems are not required to meet the single failure criterion, so a single failure results in the loss of function of the system. Are all of these systems covered within the scope of the LER rule?

Answer: Such systems would be within scope if they are safety-related systems retained in the TS that are intended to mitigate the consequences of an accident.

LOSS OF TWO TRAINS

(4) Loss of Onsite Emergency Power by Multiple Equipment Inoperability and Unavailability

During refueling, one EDG in a two-train system was out of service for maintenance. The second EDG was declared inoperable when it failed its surveillance test.

Both an ENS notification and an LER are required. As addressed in the discussion section above, loss of the onsite power system is reportable under this criterion.

(5) Procedure Error Prevents Reactor Shutdown Function

The unit was in Mode 5 (cold and depressurized, before initial criticality) and a postmodification test was in progress on the train A RPS, when the operator observed that both train A and B source range detectors were disabled. During postmodification testing on the train A RPS, instrumentation personnel placed the train B input error inhibit switch in the inhibit position. With both trains’ input error inhibit switches in the inhibit position, source range detector voltage was disabled. The input error inhibit switch was immediately returned to the normal position, and a caution was added to appropriate plant instructions.

This event is reportable because disabling the source range detectors could have prevented fulfillment of the safety function to shut down the reactor.

(6) Failure of the Overpressurization Mitigation System

The RCS was overpressurized on two occasions during startup following a refueling outage because the overpressure mitigation system (OMS) failed to operate. The reason that the OMS failed to operate was that one train was out of service for maintenance, a pressure transmitter was isolated, and a summator failed in the actuation circuit on the other train.

The event is reportable because the OMS failed to perform its safety function.

(7) Loss of Saltwater Cooling System and Flooding in Saltwater Pump Bay

During maintenance activities on the south saltwater pump, the licensee was removing the pump internals from the casing when flooding of the pump area occurred. The north saltwater pump was secured to prevent pump damage.

The event is reportable because of the failure of the saltwater cooling system, which is the ultimate heat sink for the facility, to perform its safety function.

(8) Maintenance Affecting Two Trains

Question: Some clarification is needed for events or conditions that “could have” prevented the fulfillment of a system safety function.

Answer: With regard to maintenance problems, events or conditions generally involve operator actions and/or component failures that could have prevented the functioning of a safety system. For example, assume that a surveillance test is run on a standby pump and it seizes. The pump is disassembled and found to contain the wrong lubricant. The redundant pump is disassembled and it also has the same wrong lubricant. Thus, it is reasonable to assume that the second pump would have failed if it had been challenged. However, the second pump and, therefore, the system did not actually fail because the second pump was never challenged. Thus, in this case, because of the use of the wrong lubricant, the system “could have” or “would have” failed.

LOSS OF ONE TRAIN

(9) Contaminated Hydraulic Fluid Degrades Main Steam Isolation Valve Operation

Situation: During a routine shutdown, the operator noted that the #11 MSIV closing time appeared to be excessive. A subsequent test revealed the #11 MSIV to shut within the required time; however, the #12 MSIV closing time exceeded the maximum at 7.4 seconds. Contamination of the hydraulic fluid in the valve actuation system had caused the system’s check valves to stick and delay the transmission of hydraulic pressure to the actuator. The licensee will purchase three more filters, providing supplemental filtering for each MSIV. Finer filters will be used in pump suction filters to remove the fine contaminants. The #12 MSIV was repaired and returned to service. Because the valves were not required for operation at the time of discovery, the safety of the public was not affected.

Comments: The event is reportable under 10 CFR 50.73(a)(2)(v) because the condition could have prevented fulfillment of a safety function. The event is not reportable under 10 CFR 50.72(b)(3)(v) because, at the time of discovery, the plant was shut down and the MSIVs were not required to be operable.

(10) Emergency Diesel Generator Lube Oil Fire Hazard

Situation: While the licensee was performing a routine surveillance test of the EDG, a small fire started due to lubricating oil leakage from the exhaust manifold. The manufacturer reviewed the incident and determined that the oil was accumulating in the exhaust manifold due to leakage originating from above the upper pistons of this vertically opposed piston engine. The oil remaining above the upper pistons after shutdown leaked slowly down past the piston rings, into the combustion space, past the lower piston rings, through the exhaust ports, and into the exhaust manifolds. The exhaust manifolds became pressurized during the subsequent startup, which forced the oil out through leaks in the exhaust manifold gaskets where it was ignited. Similar events occurred previously at this plant. In these previous cases, fuel oil accumulated in the exhaust manifold due to extended operation under “no load” conditions. Operation under loaded conditions was therefore required before shutdown in order to burn off any accumulated oil.

Comments: The event is not reportable if the fire did not pose a threat to the plant (e.g., it did not significantly hamper site personnel per 10 CFR 50.73(a)(2)(x)). The event would be reportable if it demonstrated a design, procedural, or equipment deficiency that could have prevented the fulfillment of a safety function (i.e., if the redundant diesels are of similar design and, therefore, susceptible to the same problem) (10 CFR 50.73(a)(2)(vi)).

(11) Single Failures

Question: Suppose you have one pump in a cooling water system (e.g., chilled water) supplying water to both trains of a safety system, but there is another pump in standby; is the loss of the one operating pump reportable?

Answer: No. Single, independent (i.e., random) component failures are not reportable if the redundant component in the same system did or would have fulfilled the safety function. However, if such failures have generic implications, then an LER is to be submitted.

(12) Generic Setpoint Drift

Situation: With the plant in steady-state power operation and while performing a main steamline pressure instrument functional test and calibration, the licensee found a switch to actuate at 853 pounds per square inch, gauge. The TS limit is 825+15. The redundant switches were operable. The cause of the occurrence was setpoint drift. The switch was recalibrated and tested successfully per HNP-2-5279, “Barksdale Pressure Switch Calibration,” and returned to service. This is a repetitive event as reported in one previous LER. A generic review revealed that this type of switch is used on other safety systems and that this type of switch is subject to drift. An investigation will continue as to why these switches drift, and, if necessary, they will be replaced.

Comments: The event is not reportable due to the drift of a single pressure switch. The event is reportable if it is indicative of a generic and/or repetitive problem with this type of switch, which is used in several safety systems (10 CFR 50.73(a)(2)(vi) or (vii)).

Question: Are setpoint drift problems with a particular switch to be reported if they are experienced more than once?

Answer: The independent failure (e.g., excessive setpoint drift) of a single pressure switch is not reportable unless it could have caused a system to fail to fulfill its safety function or is indicative of a generic problem that could have resulted in the failure of more than one switch and thereby cause one or more systems to fail to fulfill their safety functions.

(13) Maintenance Affecting Only One Train

Question: Suppose the wrong lubricant was installed in one pump, but the pump in the other train was correctly lubricated. Is this reportable?

Answer: Engineering judgment is required to decide if the lubricant could have been used on the other pump, and, therefore, the system function would have been lost. If the procedure called for testing of the first pump before maintenance was performed on the second pump, and testing clearly identified the error, then the error would not be reportable. However, if the procedure called for the wrong lubricant and eventually both pumps would have been improperly lubricated, and the problem was only discovered when the first pump was actually challenged and failed, then the error would be reportable.

OTHER CONDITIONS

(14) Conditions Observed While System Out of Service

Question: Suppose that, during shutdown, we are doing maintenance on both SI pumps, which are not required to be operational. Is this reportable? While shut down, suppose I identify or observe something that would cause the SI pumps not to be operational at power. Is this reportable?

Answer: Removing both SI pumps from service to do maintenance is not reportable if the resulting system configuration is not prohibited by the plant’s TS. However, if a situation is discovered during maintenance that could have caused both pumps to fail (e.g., they are both improperly lubricated), then that condition is reportable in an LER even though the pumps were not required to be operational at the time that the condition was discovered.

As another example, suppose the scram breakers were tested during shutdown conditions, and it was found that opening times for more than one breaker were in excess of those specified, or that undervoltage trip attachments were inoperative. Such potential generic problems are reportable in an LER.

(15) Emergency Diesel Generator Bearing Problems

During the annual inspection of one standby EDG, the lower crankshaft thrust bearing and adjacent main bearing were found to be wiped on the journal surface. The thrust bearing was also found to have a small crack from the main oil supply line across the journal surface to the thrust surface. Inspection of the second, redundant standby EDG revealed similar problems. It was judged that extended operation without corrective action could have resulted in bearing failure.

The event is reportable because there was reasonable doubt that the diesels would have completed an extended run under load, as required, if called upon.

(16) Multiple Control Rod Failures

There have been cases in which licensees have erroneously concluded that sequentially discovered failures of systems or components occurring during planned testing are not reportable. The NRC identified this situation as a generic concern on April 3, 1985, in Information Notice (IN) 85-27, “Notifications to the NRC Operations Center and Reporting Events in Licensee Event Reports,” regarding the reportability of multiple events in accordance with 10 CFR 50.72(b)(3)(v) and 10 CFR 50.73(a)(2)(v) (event or condition that could have prevented fulfillment of a safety function).

IN 85-27 described multiple failures of an RPS during control rod insertion testing of a reactor at power. One of the control rods stuck. Subsequent testing identified 3 additional rods that would not insert (scram) into the core and 11 control rods that had an initial hesitation before insertion. The licensee considered each failure as a single random failure; thus, each was determined not to be reportable. Subsequent assessments indicated that the instrument air system, which was to be oil free, was contaminated with oil that was causing the scram solenoid valves to fail. Although the failure of a single rod to insert may not cause a reasonable doubt about the ability of other rods to insert, the failure of more than one rod does cause a reasonable doubt. As indicated in IN 85-27, multiple failures of redundant components of a safety system are sufficient reason to expect that the failure mechanism, even though not known, could have prevented the fulfillment of the safety function.

(17) Potential Loss of High-Pressure Coolant Injection

During normal refueling leak testing of the upstream containment isolation check valve on the HPCI steam exhaust, the disc of the noncontainment isolation check valve was found to be lodged in downstream piping. This might have prevented HPCI from functioning if the disc had blocked the line. The event was caused by fatigue failure of a disc pin.

Following evaluation of the condition, the event was determined to be reportable because the HPCI could have been prevented from performing its safety function if the disc had blocked the line. In addition, the event is reportable if the fatigue failure is indicative of a common mode failure.

(18) Operator Inaction or Wrong Action

Question: In some systems used to control the release of radioactivity, a detector controls certain equipment. In other systems, a monitor is present and the operator is required to initiate action under certain conditions. The operator is not “wired” in. Are failures of the operator to act reportable?

Answer: Yes. The operator may be viewed as a “component” that is an integral, and frequently essential, part of a “system.” Thus, if an event or condition meets the reporting criterion, it is to be reported regardless of the initiating cause.

(19) Results of Analysis

Question: A number of criteria indicate that they apply to actual situations only and not to potential situations identified as a result of analysis; yet, other criteria address “could have.” When do the results of analysis have to be reported?

Answer: The results need only be reported if the applicable criterion requires the reporting of conditions that “could have” caused a problem. However, others have a need to know about potential problems that are not reportable; thus, such items may be reported as a voluntary LER.

(20) System Interactions

Question: Utilities are not required to analyze for system interactions, yet the rule requires the reporting of events that “could have” happened but did not. Are we to initiate a design activity to determine “could have” system interactions?

Answer: No. Report system interactions that you find as a result of ongoing, routine activities (e.g., the analysis of operating events).