ML15223A865

Forwards Unresolved Safety Issue A-47 Task Action Plan & List of Addl Estimates & Assumptions for Parameters Used in ORNL Model of Facility,For Comment,In Order to Encourage Participation in Resolution of Safety Issue
ML15223A865
Person / Time
Site: Oconee
Issue date: 02/14/1983
From: Eisenhut D
Office of Nuclear Reactor Regulation
To: Tucker H
DUKE POWER CO.
References
REF-GTECI-A-47, REF-GTECI-SY, TASK-A-47, TASK-OR NUDOCS 8303020194


Text

circ chron; ICB WR; ICB RD; NRC PDR; L PDR; OELD; AEOD; ORB#4 Rdg; Gray File; ACRS-10
TASK NO. N/A

bcc: D. Basdekas
W. Morrison
K. Goller
D. Ross
R. Minogue
A. Szukiewicz
K. Kniel
J. Stolz
D. Eisenhut

FEB 14 1983

Dockets Nos. 50-269/270/287

Mr. H. B. Tucker, Vice President
Nuclear Production Department
Duke Power Company
422 South Church Street
Charlotte, North Carolina 28242

Dear Mr. Tucker:

On November 29, 1982, Mr. Denton responded to your letter of October 7, 1982, concerning the NRC research program to assess the safety implications of control systems.

You stated in your letter that your negative response to our request to assist us in the resolution of Unresolved Safety Issue (USI) A-47, Safety Implications of Control Systems, stemmed, at least in part, from certain concerns you raised with respect to our program's formulation and effectiveness. Mr. Denton's response provided you with information concerning our plans for the resolution of USI A-47, including its Task Action Plan. A copy of the current USI A-47 Task Action Plan is enclosed for your information. In addition, Mr. Denton provided you with the bases for our commitment to continue work on this issue.

Since last August, we have made additional estimates and assumptions for Oconee-1. The enclosed listing is provided to allow you the opportunity to comment.

We will continue to keep you advised as our program proceeds and, in particular, as we find it necessary to make further assumptions and estimates. In addition, we will keep you informed of the results of our analyses on a timely basis as our program progresses.

Considerable additional planning and task definition has been accomplished since our first meeting on USI A-47 was held in Charlotte on May 27, 1982.

The tasks identified in the USI Task Action Plan entail research work at the Oak Ridge National Laboratory and Idaho National Engineering Laboratory, and include consideration of any applicable results from the Interim Reliability Evaluation Program (IREP), available Probabilistic Risk Assessments (PRA), and lessons learned from operational experience.

We also plan to perform value/impact assessments for any licensing action recommendations that may be developed as a result of this effort. We would appreciate the opportunity to [illegible] you and/or your staff about these refinements in our program. We encourage your comments on the information provided to you.

If you have any questions or comments, do not hesitate to contact me.

Darrell G. Eisenhut, Director
Division of Licensing
Office of Nuclear Reactor Regulation

8303020194 830214

NRC FORM 318 (10-80) NRCM 0240 OFFICIAL RECORD COPY

circ chron; ICB WR; ICB RD
Task No. N/A

bcc: D. Basdekas
Wenzin
D. Ross
R. Minogue
K:KNoian
J. Stolz
D. Eisenhut

Docket Nos. 50-269, 50-270 and 50-287

Mr. H. B. Tucker, Vice President
Nuclear Production Department
Duke Power Company
422 South Church Street
Charlotte, North Carolina 28242

Dear Mr. Tucker:

On November 29, 1982, Mr. Denton responded to your letter of October 7, 1982, concerning the NRC research program to assess the safety implications of control systems. You stated in your letter that your negative response to our request to assist us in the resolution of Unresolved Safety Issue (USI) A-47, Safety Implications of Control Systems, stemmed, at least in part, from certain concerns you raised with respect to our program's formulation and effectiveness. Mr. Denton's response provided you with information concerning our plans for the resolution of USI A-47, including its Task Action Plan. In addition, Mr. Denton provided you with the bases for our commitment to continue work on this issue.

Since last August, we have made additional estimates and assumptions for Oconee-1.

The enclosed listing is provided to allow you the opportunity to comment. We will continue to keep you advised as our program proceeds and, in particular, as we find it necessary to make further assumptions and estimates. In addition, we will keep you informed of the results of our analyses on a timely basis as our program progresses and [illegible] public disclosure. Considerable additional planning and task definition has been accomplished since our first meeting on USI A-47 was held in Charlotte on May 27, 1982.

The tasks identified in the USI Task Action Plan entail research work at the Oak Ridge National Laboratory and Idaho National Engineering Laboratory, and include consideration of any applicable results from the Interim Reliability Evaluation Program (IREP), available Probabilistic Risk Assessments (PRA), and lessons learned from operational experience. We also plan to perform value/impact assessments for any licensing action recommendations that may be developed as a result of this effort.

We would appreciate the opportunity to tell you and your staff about these refinements in our program.

We encourage your comments on the information provided to you.

If you have any questions or comments, do not hesitate to contact me.

Sincerely,

Darrell G. Eisenhut, Director
Division of Licensing
Office of Nuclear Reactor Regulation

Note: See previous concurrence sheet.

OFFICE: DST:NRR
SURNAME: DLBASDEKAS, ECWENZINGER, KRGOLLER

NRC FORM 318 (10-80) NRCM 0240 OFFICIAL RECORD COPY

Duke Power Company

cc w/enclosure(s):

Mr. William L. Porter
Duke Power Company
P. O. Box 33189
422 South Church Street
Charlotte, North Carolina 28242

Office of Intergovernmental Relations
116 West Jones Street
Raleigh, North Carolina 27603

Honorable James M. Phinney
County Supervisor of Oconee County
Walhalla, South Carolina 29621

Mr. James P. O'Reilly, Regional Administrator
U. S. Nuclear Regulatory Commission, Region II
101 Marietta Street, Suite 3100
Atlanta, Georgia 30303

Regional Radiation Representative
EPA Region IV
345 Courtland Street, N.E.
Atlanta, Georgia 30308

William T. Orders
Senior Resident Inspector
U.S. Nuclear Regulatory Commission
Route 2, Box 610
Seneca, South Carolina 29678

Mr. Robert B. Borsum
Babcock & Wilcox
Nuclear Power Generation Division
Suite 220, 7910 Woodmont Avenue
Bethesda, Maryland 20814

Manager, LIS
NUS Corporation
2536 Countryside Boulevard
Clearwater, Florida 33515

J. Michael McGarry, III, Esq.
DeBevoise & Liberman
1200 17th Street, N.W.
Washington, D. C. 20036

LIST OF ADDITIONAL ESTIMATES AND ASSUMPTIONS FOR PARAMETERS USED IN ORNL MODEL OF OCONEE UNIT 1

Reactor Internals

Guide Thimbles for Control Rods, OD: 0.530"/Wall thickness: 16 mils Zircaloy-4
Instrumentation Tubes, OD: 0.493"/Wall thickness: 26 mils Zircaloy-4

H. P. Turbine

                  I          A          B          C
Flow (lb/sec)*    2972.77    2631.37    2490.73    2250.53
h (BTU/lb)        1233.00    1192.22    1154.61    1118.63
P (psia)          900.       537.       324.       194.

* This is the total flow (1/2 toward each branch)

L. P. Turbine

                             D          E          F          Exit
Flow (lb/sec)*    2039.40    1834.98    1709.76    1601.04    1601.04
h (BTU/lb)        1288.84    1189.22    1103.41    1030.74    969.77
P (psia)          190.       58.        16.        4.60       0.49

* Total Flow (1/6 per each branch of the 3 LPTs)

M.S.: Efficiency = 1.0 (assumed); W = 211.3 lb/sec Leak

Rill: w = 154.17 lb/sec

R112: w = 102.19 lb/sec

FWP Turbine: w = 50.16 lb/sec; h inlet = 1834.98; h outlet = 1059.3

Feedwater Heaters:

#        WS (lb/sec)*   P      Ti       To       WFW*      WDCi*    WDCo*    TDCi    TDCo
1 (F)    108.72         3.6    79.07    136.19   1759.92            108.72           148.4
2 (E)    125.22         15.    136.19   201.81   1759.92            125.22           213.03
3 (D)    154.25         57.    201.96   278.13   1885.14            154.25           277.16
4 (C)    240.2**        190.   318.03   377.05   3074.94            246.94           376.3
5 (B)    140.59         298.   377.24   410.37   3074.94   443.57   584.21   421.    416.71
6 (A)    187.01         495.   410.37   460.49   3074.94   256.36   443.57   498.0   421.00

* Corresponds to the group of heaters
** An extra 6.74 lb/sec flashes from Flash Tank

[Figure: heater schematic with labels To, P, Ti, WDC, TDCi, TDCo]

Flash Tank: Conceptually modeled as one. In reality there are two flash tanks separated by a heat exchanger.

Inventory of water: 10,000 lb
Volume: 400 ft3
Fractional valve aperture (x) assumed: [Figure: x (0 to 1) versus M/Mo, with axis marks at 0, 0.2, 0.8 and 1.0]
M: Mass of water in tank
Mo: Mass of water to overflow the tank

Other parameters:

Moment of inertia (turbine + generator): 10,000 Kg m2
Mechanical losses in turbine: 1% Nominal Generator Power
Nominal Generator Power: 922 Mw
Generator efficiency at nominal power: 99%

Variation in Generator Efficiency:

Loss Factor = $4.6 - 7.33x + 3.73x^2$

[Plot: Loss Factor versus x; 1.87 at x = 0.5 and 1 at x = 1]

x = Generator Power / Nominal Power

Loss in generator = Loss factor × Loss at nominal power

Speed: 1800 rpm

Pump Data

Parameter          Speed   Density    Head   Power   Flowrate   Inertia    Volume
                   rpm     lbm/ft3    ft     hp      gpm        lbm-ft2    ft3
RCP                1190    62.33      340    9000    88,000     70,000     98
MFW                5001    55.00      2260   7000    13,200     4,178      negl.
LPI                1780    62.33      365    340     3,000      negl.      negl.
EFW Motor Dr.      3540    62.33      900    450     450        negl.      negl.
EFW Turb. Dr.      3575    61.71      600    875     1,080      negl.      negl.
CONDENS. BOOSTER   3560    62.33      900    2000    7,700      negl.      negl.

Integrated Control System

1. Function Generators

FW 1.12   Convert feedwater demand into feedwater temperature

    Feedwater Demand (x10^6 lbs/hr)    Feedwater Temperature (°F)
    0.337                              240
    2.16                               320
    3.24                               356
    5.616                              402
    10.8                               460
    12.852                             483

FW 14.4   Convert reactor coolant flow to a feedwater flow value; a gain of 0.165 is to be used.

FW 14.16  Same as FW 14.4

FW 17.4   Convert pressure error into a level correcting signal L = 0.175 x P, where L is in inches and P is in psi, with a ± limit on L of ±8.75 inches.

FW 29.8, FW 29.12   Feedwater demand to speed signal to pump

    Demand in %    Speed in %
    23             85
    54             88
    78             91
    100            95
    117            100

FW 30.5, FW 31.15   Low load start up valve

    % Demand    % Open
    0           0
    15%         100%

FW 30.6, FW 30.149   Main feedwater valves

    % Demand    % Open
    15%         0
    100%        100%

UL 2.8   RC flow to unit load

    RC Flow %    Unit Load %
    7            0
    27.4         24
    54.8         56
    82.3         86
    99           104

UL 4.15   Convert frequency error into unit load demand correction

    Frequency Error    Unit Load %
    -5 Hz              100
    -3 Hz              100
    -0.03 Hz           0
    +0.03 Hz           0
    +3 Hz              -100%
    +5 Hz              -100%

RC 12.5   Steam generator demand versus reactor demand

    Steam Generator MW    Reactor MW
    150                   0
    1970                  670
    2680                  914
    2790                  917

2. The following limit settings are assumed

FW 4.13, FW 5.13   Work together to achieve a ±5% deadband to relate neutron error to feedwater demand

    Neutron Error    Feedwater Demand
    -62.5%           -57.5%
    -5%              0%
    +5%              0%
    +62.5%           +57.5%

FW 10.4   Limit function to relate feedwater demand to steam generator pressure

    Steam Generator Pressure    Feedwater Limit
    890 psi                     110%
    1170 psi                    37%
    1200 psi                    37%

FW 10.5   Limit function to relate feedwater temperature to feedwater flow

    Temperature    Feedwater Limit
    90°F           0%
    250°F          102%
    600°F          102%

FW 10.6   Limit function to relate reactor temperature to feedwater flow limit

    Temperature    Feedwater Limit
    520°F          46%
    588°F          46%
    608°F          106%
    620°F          106%

FW 10.16  Same as FW 10.4

FW 23.10  Limit function to generate the function E x |E|, E times absolute magnitude of E, where E is the error in pressure drop across feedwater valve, to obtain a flow correction signal; adjust so that a +15 psi error causes a +90% change in output

FW 25.4, FW 25.15   Limit function for start up valve; set to convert a 0 to 15% load demand into a 0 to 100% signal to open start up valve.

FW 25.6, FW 25.14   Limit functions for main feedwater valves to convert a 15% to 100% load demand into a 0 to 100% signal to main feedwater valve

FW 27.12  Feedwater demand limiter to #2 feedwater pump speed control

    Input Demand    Output Demand
    0%              0%
    12%             0%
    100%            100%

3. The following are the time constant values assumed for the signal lag units

FW 4.15    4.5 second lag
FW 15.4    1.0 second lag
FW 15.13   1.0 second lag
RC 15.9    9.0 second lag
RC 16.14   4.0 second lag

4. The following are the values of the gain settings for the amplifiers and summers used in the ICS

FW 4.14    Gain of 1.0
FW 18.7    Gain of 2.0
FW 11.4    Gain of 1.0
FW 19.5    Gain of 2.0
FW 11.5    Gain of 1.0
FW 19.15   Gain of 2.0
FW 11.13   Gain of 1.0
FW 24.4    Gain of 6.67
FW 11.6    Gain of 1.0
FW 24.6    Gain of 1.0
FW 11.16   Gain of 1.0
FW 24.14   Gain of 1.0
FW 13.7    Gain of 1.0
FW 24.15   Gain of 6.67
FW 18.13   Gain of 2.0
FW 4.10    Gain of 1.0 for all 3 inputs
FW 7.9     Gain of 1.0 for both inputs
FW 10.10   Gain of 1.0 for input from FW 11.9; Gain of 0.5 for input from FW 11.10
FW 12.5    Gain of 1.0 for all 3 inputs
FW 12.8    Gain of 1.0 for both inputs
FW 12.9    Gain of 1.0 for both inputs
FW 12.12   Gain of 1.0 for both inputs
FW 12.15   Gain of 1.0 for all 3 inputs
FW 17.5    Gain of 1.0 for both inputs
FW 17.10   Gain of 0.5 for both inputs
FW 17.15   Gain of 1.0 for both inputs
FW 26.10   Gain of 1.0 for both inputs
IC 7.6     Gain of 1.0
IC 9.16    Gain of 0.006
IC 10.8    Gain of 0.1 (10 psi error = 1% unit load demand)
IC 10.10   Gain of 0.1
IC 15.14   Gain of 10.0 (10 psi error = 100% open for bypass valve)
IC 15.16   Gain of 10.0
IC 6.6     Gain of 1.0 for both inputs
IC 9.10    Gain of 1.0 for all 3 inputs
IC 13.7    Gain of 1.0 for both inputs
UL 3.15    Gain of 1.0
UL 6.13    Gain of 1.0 for both inputs
UL 9.3     Gain of 1.0 for both inputs
UL 9.15    Gain of 1.0 for both inputs
RC 9.9     Gain of 1.0
RC 10.7    Gain of 1.0
RC 10.11   Gain of 1.0
RC 15.8    Gain of 1.0
RC 9.6     Gain of 0.4 for input from RC 9.7; Gain of 1.0 for input from RC 10.7
RC 12.10   Gain of 1.0 for input from RC 17.5; Gain of 2.5 for input from RC 7.10; Gain of 1.0 for input from RC 10.12

5. Setpoints assumed for the following alarm units

FW 6.12    +5% on if limit is exceeded
FW 12.11   +5% on if limit is exceeded
FW 15.10   >0% on
FW 15.11   >0% on
FW 21.6    =0% on
FW 21.14   =0% on
IC 4.10    |MW| > 10% on
IC 6.16    on if ULD < 15%
IC 12.4    on if ULD < 15%
IC 13.11   on if >10 psi
IC 15.8    on if >50 psi
UL 4.5     =0% on
UL 4.6     =0% on
UL 4.7     =0 on
UL 5.11    =0 on
UL 6.10    =0 on
UL 6.11    >0 on
UL 8.12    =0 on
UL 10.13   0% < D < 90% on
UL 11.14   dULD/dt > 2%/min on
UL 16.11   )0 on low load limit
RC 10.8    Tavg < set point on
RC 13.16   1. 0 on
RC 14.14   >60% on
RC 15.14   <20% on
RC 17.14   =0 on
RC 16.10   >5% on
RC 18.13   +1% dead band switch: if mag > 1% switch on; .25%: if mag < .25% switch off

6. The following reset values are assumed for the integrals

IC 7.9     1.8 repeats/min
IC 20.9    1.0 repeats/min
RC 9.7     4.0 repeats/min
RC 9.12    6.7 repeats/min

7. The values of gain and reset for the following proportional plus integral controllers are assumed

FW 8.12    Gain = 2     Reset = 9 repeats/min
FW 11.10   Gain = 0.5   Derivative gain = 0 min
FW 22.8    Gain = 0.1   Reset = 0.2 repeats/min
FW 22.12   Gain = 1     Reset = 0.2 repeats/min
FW 24.10   Gain = 1     Reset = 10 repeats/min
FW 28.3    Gain = 1     Reset = 5 repeats/min
FW 28.16   Gain = 1     Reset = 5 repeats/min
IC 17.11   Gain = 10    Reset = 9 repeats/min

8. The following are values assumed for the derivative units

UL 9.11    Selected by condition T8 as a rate limited signal follower; values of 50%/min, 30%/min, 20%/min, 5%/min, and 0%/min are possible
UL 10.14   Gain of 1 used to block calibrating integrals if dULD/dt > 2%/min

TASK ACTION PLAN (September 1982)

SAFETY IMPLICATIONS OF CONTROL SYSTEMS (TASK A-47)

Lead Organization: Division of Safety Technology (DST), Generic Issues Branch (GIB)

Task Manager: A. J. Szukiewicz, GIB, DST

Lead Supervisor: Karl Kniel, Chief, GIB, DST

NRR Principal Reviewers:

Charles Rossi, Instrumentation and Control Systems Branch, Division of Systems Integration
Frank Orr, Reactor Systems Branch, Division of Systems Integration
A. S. Gill, Power Systems Branch, Division of Systems Integration
James T. Beard, Operating Reactors Assessment Branch, Division of Licensing
Chelliah Erulappa, Reliability and Risk Assessment Branch, Division of Safety Technology
William G. Kennedy, Procedures and Test Review Branch, Division of Human Factors Safety

AEOD Lead Reviewer: Matthew Chiramal, Plant Systems Unit

RES Lead Reviewer: Demetrios Basdekas, Division of Facility Operations

Applicability: Light Water Reactors (Pressurized Water Reactors and Boiling Water Reactors)

Projected Completion Date: March 1984

1. DESCRIPTION OF PROBLEM

Non-safety grade control systems are used to maintain the plant within the necessary pressure and temperature limits during normal shutdown, startup, and load varying power operation. The control systems are not relied upon to perform any safety functions following postulated accidents, but are required to control plant processes that could have a significant impact on plant safety. Those control systems include the reactivity control systems, and reactor coolant pressure, temperature, level, flow and inventory controls (that is, borated water controls). In addition, they include secondary system pressure and flow controls (pressurized water reactor) as well as the associated support systems such as electric, hydraulic and/or pneumatic power supply systems.

During the licensing process, the staff performs an audit review of the non-safety grade control systems, on a case-by-case basis, to assure that an adequate degree of separation and independence is provided between these non-safety grade systems and the safety systems, and that effects of the operation or failure of these systems are bounded by the accident analysis in Chapter 15 of the plant's Safety Analysis Report (SAR).

Typical events that are addressed by the licensees, and are evaluated by the staff in the audit review include, but are not limited to: (1) the feedwater system malfunctions that result in a decrease or an increase in the feedwater flow (including the loss of the normal feedwater flow); (2) the steam pressure regulator malfunctions or failures that result in an increase or a decrease in the steam flow (including the turbine trip event); (3) a spectrum of reactivity addition events; and (4) chemical and volume control malfunctions that increase the reactor coolant inventory or decrease the boron concentration.

On this basis it is generally believed that control system failures are not likely to result in loss of safety functions that could lead to serious events or result in conditions that the safety systems are not able to mitigate. In-depth studies for all the non-safety grade systems have not been performed, however, and there exists some potential for accidents or transients being made more severe than previously analyzed, as a result of some of these control system failures or malfunctions.

The control system failures or malfunctions may occur independently or as a result of an accident or transient under consideration. Failures or malfunctions may also occur as a result of a common mode or a system interaction that could make recovery to normal safe shutdown conditions difficult.

Two potential concerns have already been identified in which a failure or malfunction of the non-safety grade control system can (1) potentially cause a steam generator or reactor vessel overfill, or (2) lead to a transient (in PWRs) in which the vessel could be subjected to severe overcooling. In addition, there is the potential for an independent event like a single failure (such as a loss of power supply, a short circuit, open circuit, control sensor failure) or a common mode event (such as a harsh environment caused by an accident or a seismic event) to cause a malfunction of one or several control systems which would lead to an undesirable control action, or provide misleading information to the plant operator. These concerns will be reviewed and evaluated as part of the tasks discussed in the following sections. It should be recognized that the effects of control system failures during accident or normal plant operation may differ from plant to plant, and therefore it may not be possible to develop generic solutions to these concerns. It is possible, however, to develop generic criteria that can be used for the plant-specific reviews.

The purpose of this Unresolved Safety Issue (USI) is to perform an in-depth evaluation of the control systems that are typically used during normal plant operation and to verify the adequacy of current licensing design requirements or propose additional guidelines and criteria to assure that nuclear power plants do not pose an unacceptable risk due to inadvertent non-safety grade control system failures.

2. PLAN FOR PROBLEM RESOLUTION

In order to best utilize NRC's capabilities and resources, the resolution of the activities described in detail in the following sections will be conducted under contract with the National Laboratories.

The responsibility for resolution of this safety issue rests with the Office of Nuclear Reactor Regulation (NRR), but will involve both NRR and the Office of Nuclear Regulatory Research (RES) staff effort to manage and review the adequacy of the evaluations conducted. To scope the issue to a manageable level and bound the generic review to a reasonable completion schedule, Task A-47 will evaluate the non-safety grade systems of three PWR designs and one BWR design.

The task will review the plant designs of the manual and/or automatic control systems for each of the four nuclear steam system supplier (NSSS) designs [Babcock and Wilcox (B&W), Combustion Engineering (CE), General Electric (GE) and Westinghouse (W)] and will include the review of any manual and/or automatic control system that interfaces with the NSSS design or dynamically interacts with the primary reactor fluid system and the secondary steam system. These associated control systems may be supplied or designed by different manufacturers or architect engineers than the NSSS. Two PWR non-safety grade control system plant designs (that is, B&W and CE) will be evaluated by Oak Ridge National Laboratory (ORNL) under contract with RES (FIN No. B-0467). The GE BWR designs will be evaluated by EG&G-Idaho under contract with NRR (FIN No. A-6477). The decision on where the W evaluation will be performed is to be made later on the basis of progress at the two labs.

The task will, for each type design:

(1) identify the non-safety grade control system(s) whose failure or misoperation can (a) cause transients or accidents identified in Chapter 15 of the Final Safety Analysis Report (FSAR) to be made potentially more severe than previously analyzed; (b) create the potential to negate the timely action of the automatic protection system or the manual operation of any equipment required to achieve a safe shutdown condition; (2) establish and define the order of importance of the control system(s) identified as having safety significance; (3) describe the mechanism(s) contributing to the credible failure modes (that is, loss of power supply or the environmental effects on the control systems); (4) verify the adequacy of the existing design criteria, described in Standard Review Plan Section 7.7, "Control Systems," or develop and propose additional criteria and guidelines to improve system reliability or minimize the consequences of the control system failures that have been identified as safety significant.

To evaluate control system actions that have safety implications, the work effort will focus on the following activities.

Evaluate control system failures that could lead to a steam generator or a reactor vessel overfill transient. (subtask 1 of task 7)

Evaluate control system failures that could lead to a reactor overcooling transient. (subtask 2 of task 7)

Evaluate (all other) non-safety grade control systems that have safety implications. (overall task)

Evaluate the effect of loss of power supplies to the control systems. This would include the electrical alternating current (ac) and direct current (dc) supplies and also the pneumatic and hydraulic supplies. (Task 4)

The major activity will be to identify and evaluate non-safety grade control systems that have safety implications. The tasks associated with the activity are outlined below. Subtasks 1 and 2 focus on specific areas of concern identified as part of the overall activity.

Additional tasks or subtasks may be identified as the program develops; if other tasks are developed, the Task Action Plan will be revised.

Should these reviews indicate that additional criteria for control system designs are necessary or that specific problems require resolution, appropriate action will be taken for plants in the licensing process and for plants now in operation.

Task Action Plan A-47 has been developed to utilize, whenever possible, any applicable data developed by the following current ongoing activities.

Resolution of USI A-49 "Pressurized Thermal Shock" (PTS).

RES activities with ORNL regarding Safety Implications of Control Systems (FIN No. B-0467).

Systems Interaction Program - A study conducted by the Reliability and Risk Assessment Branch of the Division of Safety Technology (RRAB/DST). TMI Action Plan Item II.C.3 and USI A-17.

RES activities with Sandia National Laboratories evaluating plant electrical systems interactions (FIN No. A-1324).

The interface between the Task A-47 program and these activities is discussed in more detail in the appropriate tasks.

Task Description

Evaluate Non-Safety Grade Control Systems that Have Safety Implications

This activity will evaluate non-safety grade control systems and identify any non-safety grade control systems whose failure may lead to transients or accidents more severe than those analysed in Chapter 15 of the plant FSAR and to identify non-safety grade control system failures which could produce an unacceptable frequency of occurrence of those transients bounded by Chapter 15.

The control systems evaluation will review the designs of each of the four NSS suppliers (B&W, CE, W, GE) and will include the control systems which may be designed by other suppliers but interface with the NSS control system design or dynamically interact with the reactor primary or secondary system. This activity will consist of the tasks listed below. The flow diagram (Figure 1) illustrates the interactions between these tasks.

Task 1 Identify the Systems Whose Failure Can Lead to Significant Primary System Transients

Conduct a review of the automatic and manual control systems that are used during startup, shutdown and normal load varying operations and identify all systems whose failure or malfunction has the potential for causing pressure, temperature, flow and power transients in the primary reactor system. Identify also any control systems whose failure or malfunction before, during or after any transient or accident analysed in Chapter 15 of the FSAR could cause more severe consequences than presently analysed. Gross analysis based on tools such as FMEA, dependency tables or diagrams, functional and system event trees and fault trees and/or any other analytical tools judged to be adequate will be used initially on a system level basis for the purpose of identifying the significant control systems. During this phase, non-mechanistic "worst-case" failure modes of the control systems will be assumed. The major components (such as valves, pumps, control drives, etc.) whose failure can cause a system malfunction will be identified.

The criteria that will be used for selecting and categorizing the safety significant control systems will be identified. A review of the applicable Licensing Event Reports (LER's), NRC Bulletin and Orders, and NSS emergency procedures and operating guidelines will be conducted. The results of this review will be factored into the criteria selection process and will help to identify safety significant systems. The control systems identified will be compared with those systems described in 1) the IREP study, 2) the applicable studies conducted by selected Near-Term Operating License (NTOL) applicants in response to the Instrumentation and Control Systems Branch control system concerns identified during the NTOL review and 3) the probability and risk assessment (PRA) studies conducted by the utilities on similar designs.

The control systems identified via the activities described above will be compared with the systems identified in the analysis in Chapter 15 of the FSAR. The safety impact and the order of importance of the systems identified will be described and categorized to define, for example, systems whose failures initiate significant transients by themselves (i.e., spills, blowdown, etc.) or systems whose failures can occur concurrent with transients resulting from other initiators. Failures will be limited to independent single failures or multiple failures resulting from a common initiator.

An additional independent single failure may also be included if, as part of a specific scenario analysis, it is apparent that such failure is highly likely and the attendant consequences significant.

Operator misoperation of control systems is outside the scope of this task if existing procedures, the information available to the operator, and the time for the operator to accomplish the action are sufficient. The control systems whose failure or malfunction may be considered less important or inconsequential or highly unlikely to warrant further study will be identified and the basis for such conclusions will be documented. For example, there may be control systems whose failure produces transients that are enveloped by the limiting transients assumed in Chapter 15 analyses, and therefore, failure of these systems would be of little relative consequence.

There may also be failures whose probability of occurrence in a given sequence or at a particular point in time may be so unlikely as not to warrant further study.

As a result of these activities a set of control systems potentially significant to safety will be identified for further computer study in order to identify important failure sequences and to investigate the dynamic plant behavior as a result of these failures (see Task 2).

Applicable information data developed by other ongoing NRC activities conducted by (1) RES through contracts with ORNL and Sandia, (2) Instrumentation and Control Systems Branch (ICSB) case reviews, (3) the RRAB System Interaction Study for Indian Point Unit #3 and (4) the IREP Study for Calvert Cliffs 1, Millstone 1, Arkansas Nuclear One Unit 1 and Browns Ferry Unit 1 will be assessed as part of this task. The data developed from these activities that identifies significant control systems and assesses their reliability will be considered in the evaluation of this task.

A-47/7

Task 2 Conduct Computer Simulation Studies for Evaluating Combination of Systems Failures Develop an analytical model to simulate the reactor transients, as a result of control system failures or malfunctions, using existing codes.whendver possible. The model should include the plant character istics of the primary reactor fluid and the secondary steam system

  • and the feedwater system as well as the major elements of the control systems. The.objective of these simulations will complement the system level FMEA activity (described in Task 1) in identifying and evaluating the sequences and combinations of control system failures important to safety. It is anticipated that the plant dynamic simulator-will minimize the need for extensive use of the analytical.techniques (described in Task 1) to study the inter active controV system failures resulting from simultaneous and/or sequential faults.

As part of the activities conducted at ORNL through NRR/RES (FIN No. B-0467), ORNL will develop a hybrid computer model to simulate the behavior of a PWR type plant. Concurrently, as part of the activities conducted at EG&G Idaho Falls (FIN No. A-6477) EG&G will develop a digital computer model to simulate the dynamic behavior of a BWR type plant with an option to develop a model to simulate a PWR design to study other PWR designs. The models will be oriented toward identification and evaluation of the impact of system interaction and failure dependencies of control systems identified in Task 1. The models will employ the use of different codes.

EG&G will utilize existing RELAP 5 codes and ORNL will utilize a hard-wired analog computer for modeling the control systems and a RETRAN code for the plant dynamic model.

Extensive use of existing and verifiable codes and models will be utilized. Additional modeling will be developed for the control systems and for the necessary secondary flow loops. We plan to modify the models as necessary to simulate the plant specific characteristics of the four plants under review.

Computer simulations of postulated scenarios will be performed to determine if plant operating or safety limits (identified in the specific Technical Specifications and in NUREG-0800) are exceeded. When plant operating or safety limits are exceeded then the respective event sequences will be identified and considered in Task 5 and/or 6. As a result of this task it is anticipated that the lists of systems identified in Task 1 will be modified. During this phase an assessment will be made as to the possibility of utilizing any other dynamic models in part or in whole, already developed by others to simulate the plant specific characteristics of the plants under review or for verification testing of the models that will be developed. The benefits of using the models developed for the LOFT project, or the use of the Tennessee Valley Authority (TVA) simulators, or the capability to use the NSSS vendor engineering simulators will be evaluated.

Task 3 Identify the Failure Modes of the Safety Significant Systems

Identify the potential failure mechanisms (i.e., root causes) of the control systems that have been identified as a result of the collective activities described in Tasks 1 and/or 2. The information learned as a result of the LER reports, the IE Bulletins and Orders and other applicable documents (such as failure rate data) will be factored into the evaluation to identify credible failure modes and to assess the likelihood of their occurrence. Additional FMEA and fault tree analysis may need to be performed on a sub-system (i.e., component) level on selected systems to identify the mechanistic failure modes that can occur and to assess methods for corrective actions. The need for additional analysis will be evaluated on a case-by-case basis. The relative importance of the control system, its complexity and its dependence on environmental conditions and on other systems will be a factor for implementing any additional analysis. During this phase failure modes due to short/or open circuits, loss of environmental support systems, loss of power supply, abnormal environmental or seismic effects will be considered.

Operator action will be addressed to the extent of assessing if credit can be given to the operator in mitigating certain selected transients caused by control system failures. This assessment will be limited to assuring that the procedures to mitigate these limited transients are adequately written and relatively simple for the operator to correctly accomplish the task in the time allowed, and that sufficient information and time is available to the operator to assess the conditions that exist.

Task 4 Evaluate the Effects of Loss of Power Supply to the Control Systems.

(Including electric (ac and dc) pneumatic, and hydraulic power sources.)

Numerous incidents have occurred in nuclear generating plants involving loss of power in the non-safety grade instrumentation and control systems. These incidents resulted in reactor and turbine trip; the opening of the pressurizer power operated relief valves, and code safety valves; discharge of a significant amount of primary coolant into the containment building; and, the loss of display instrumentation in the control room. The transients and the loss of equipment function produced as a result of these incidents significantly impact the operator's ability to proceed to safe shutdown conditions in an orderly manner. The purpose of this task is to evaluate the effects of loss or degradation of the safety-grade or non-safety grade power supplies which provide power to the non-safety grade instrumentation and control system identified in Task 1 and 2. The evaluation will include the effects of the loss of ac and dc electrical power sources and loss of any applicable pneumatic and hydraulic power sources that operate any important valves. The evaluation will be limited to the loss or degradation of a single power supply and multiple power supply failures that result from a single (source) failure or event. The control systems of the four plant designs will be reviewed. The review of this task will be integrated as part of a review effort associated with the other tasks identified in this plan, and will consist of the following:

a. Coordinate activities with the findings of USI-44, "Station Blackout," and NUREG-0666, "A Probabilistic Safety Analysis of dc Power Supply Requirements for Nuclear Power Plants," April, 1981, and integrate any applicable requirements and information developed as a result of that activity.

b. Consider the licensees' evaluations and responses to IE Bulletin 79-27, "Loss of Non-Class IE Instrumentation and Control Power System Bus During Operation," November 30, 1979.

This subtask will complement the review of IE Bulletin 79-27 and evaluate ac and dc bus power supply failures of the relevant power distribution systems (not limited to 120v systems) on important non-safety equipment and systems. If the non-safety grade equipment is powered from a safety bus, the effects of bus degradation on the safety loads connected on that bus will also be evaluated.

c. Identify and document the control systems that have a significant safety impact due to power supply failures (this will be a specific subgroup of the systems identified in Tasks 1 and 2).

Evaluate the effects of a loss of power to the display instrumentation of these systems. Using the criteria and guidance proposed in Reg. Guide 1.97, "Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environment Conditions During and Following an Accident," determine to what extent the problems found would be resolved by implementing this guide. Verify the adequacy of existing criteria or develop additional criteria (if necessary) to minimize the consequence of such power failures. Assess the reliability of the non-safety grade electrical bus, by evaluating the existing operating history. The effects of the non-safety grade bus failures during startup, shutdown, normal power operation and during accident and transient modes of operation will be considered in the evaluation.

d. Develop and propose criteria (or guidelines) to improve the reliability of non-safety grade power supplies (if necessary) and propose recommendations to improve the capability of the systems to cope with the effects of the system failures identified in subtask c. Integrate the applicable requirements and information developed as a result of the IREP studies conducted on Calvert Cliffs 1, Millstone 1, ANO-1 and Browns Ferry 1, and those identified in subtask a. In addition, integrate the applicable information that is developed as a result of the Sandia studies (FIN No. A-1324).

Task 5 Determine the Need for Control or Protection System Improvements

Verify the adequacy of the existing criteria for control systems, defined in (a) the Standard Review Plan Section 7.7 (NUREG-0800) and (b) applicable Branch Technical positions.

Review the activities and approaches used by the international community to (1) minimize control system failure and (2) improve control system reliability. Evaluate the need for additional non-safety grade control systems or the need for additional safety grade protection systems. During this phase, assessing the need for improved or additional operator action to recognize and to mitigate specific transients resulting from control system failures will be made.

Recommendations concerning improvements to the existing control, protection and power systems, and the need for additional equipment, such as high level alarms, level controls or interlocks to minimize postulated faults will be justified on the basis of cost effectiveness and risk to safety. The adequacy of existing staff positions regarding certain design requirements for control systems such as the sharing of common sensor lines between safety and non-safety systems will be evaluated in light of the knowledge gained through the operating history (i.e., via LER's and Bulletins, etc.). The need for improved or additional surveillance testing to improve the reliability of the non-safety systems will also be evaluated and proposed if warranted.


Task 6 Provide Design Criteria for the Evaluation of Control Systems

Develop and propose (if necessary) additional criteria or guidelines to improve system reliability and minimize control system failures that (1) could lead to transients more severe than predicted in the plant FSAR accident analysis, and (2) could cause transients that would significantly affect the availability of plants (such as blowdowns, spills, etc.).

As a result of this study and at the completion of this task, a report will be issued describing the conduct and conclusions of tasks identified above. Recommendations (if any) for control system or protection system modifications will be provided separately as proposed revisions or additions to the Standard Review Plan, the Regulatory Guides, or the NRC Regulations.

Task 7 Identify Control Systems That Could Lead to Steam Generator Reactor Vessel Overfill and Overcooling Transients

As part of the overall review effort, the initial focus will be to:

Evaluate Control Systems that could lead to a steam generator or reactor vessel overfill transient. (subtask 1)

Evaluate control system failures that could lead to a reactor overcooling transient. (subtask 2)

Identify the lessons that have been learned from past control system failures from the LER's, the Bulletins and Orders, the applicable applicant responses and from independent utility studies.

The objective of subtask 1 is to identify automatic and manual control systems whose failure has the potential for causing steam generator or reactor vessel overfill. The objective of subtask 2 is to identify those control systems whose failure or malfunction can contribute to an overcooling transient in the primary system of sufficient magnitude to initiate repressurization via the automatic initiation of the safety injection systems. The criteria that will be used for selecting and categorizing significant control systems for these tasks will be defined. A candidate criterion for identifying significant systems for subtask 1 may be one whose failure or malfunction may lead to water ingress (or significantly increase moisture carryover or steam quality in the main steam line steam space). This water ingress may lead to a loss of existing safety systems (i.e., the loss of auxiliary feed pump turbines) or cause undue stress to the steam lines. The screening criteria for subtask 2 will be developed with assistance from Task A-49. This assistance will be in the form of defining important event sequences and describing unacceptable pressure-temperature conditions that may occur as a result of selected control failures.

The approach and methodology outlined in Tasks 1 through 6 will be utilized for resolution of these subtasks.

As part of a separate subtask conducted for Task A-49, RES has contracted ORNL (FIN No. B-0468) to perform a study of PTS, including as one subtask, the control and safety system design for each of the three PWR vendors (the same plants will be studied for this task.)

One purpose of the contract is to provide details of the control and safety functions that could contribute to pressurized thermal shock events. We plan to utilize the control system information developed on that subtask and include their findings in our evaluation. At the same time, we expect that the results from A-47 related efforts, including those under FIN No. B-0467 at ORNL and A-1324 at Sandia (see Section 5) to contribute to the resolution of A-49.

Proposed recommendations in the form of guidelines or criteria will be developed (if necessary) for control system modification or for additional protection system functions which would minimize the impact of control system failures or malfunctions that could contribute to significant steam generator or reactor vessel overfill transients and/or pressurized overcooling transients.


As a result of these studies and at the completion of subtasks 1 and 2 a report will be issued describing the technical results and findings. A report will also be issued to summarize the lessons learned from the study of the applicable LERs, Bulletins and Orders and from the other information identified in Task 1. Recommendations for new or modifications to existing requirements (if any) will be provided separately as proposed revisions or additions to the Standard Review Plan or the Regulatory Guides.

3. BASIS FOR CONTINUED OPERATION OR LICENSING PENDING COMPLETION OF PROGRAM

As previously noted, the NRC staff has performed instrumentation and control system reviews on licensed plants and is currently reviewing on a case-by-case basis, the Near Term Operating License (NTOL) plants.

The goal of the reviews is to verify that the control system failures (either single or multiple failures) will not prevent automatic or manual initiation and operation of any safety protection system equipment required to trip the plant or maintain the plant in a safe shutdown condition following any "anticipated operational occurrence" or "accident."

These reviews are performed utilizing, in whole or in part, the guidelines and criteria identified in Standard Review Plan Section 7.7.

With the recent emphasis on the availability of post-accident instrumentation (Regulatory Guide 1.97), the staff reviews evaluate the designs to assure that control system failures will not deprive the operator of information required to maintain the plant in a safe shutdown condition after any "anticipated operational occurrence or accident."

For the NTOL reviews, the applicants are requested to evaluate their control systems and identify any control system whose malfunction could impact plant safety. The licensees are requested to identify the use (if any) of common power supplies, and the use of common sensors or common sensor impulse lines whose failure could have potential safety significance. The results of these reviews and the staff's evaluation for the NTOLs are documented in the Safety Evaluation Reports on a case-by-case basis.


In addition, a specific set of "accidents" has been analyzed to demonstrate that plant trip and/or safety system equipment actuation occurs with sufficient capability and on a time scale such that the potential consequences to the health and safety of the public are within acceptable limits. In these analyses, conservative assumptions have been used.

The conservative analyses performed and the "accidents" chosen for the analyses are intended to demonstrate that the potential consequences to the health and safety of the public are within acceptable limits for a wide range of postulated events even though specific actual events might not follow the same assumptions made in the analyses.

Several activities that have been completed or are still ongoing which address the effects of control system failures have been conducted by the NSSS vendors. B&W has completed a failure modes and effects analysis and a review of operating experience for their Integrated Control System (ICS) and reported the results in B&W Report BAW-1564, "Integrated Control System Reliability Analysis," August 1979. The staff completed its review of BAW-1564 through a technical assistance contract with ORNL (Memorandum, R. Satterfield to P. S. Check, "Assessment of B&W Report 1564, 'Integrated Control System Reliability Analysis'," May 9, 1980). As a result of this review, both the staff and ORNL concluded that the ICS itself had a relatively low failure rate and did not appear to initiate a significant number of plant upsets. Failure statistics revealed that only approximately 6 of 162 hardware malfunctions resulted in reactor trip. ORNL has further concluded that the B&W analysis shows that anticipated failures of and within the ICS are adequately mitigated by the plant safety systems and many potential failures would be mitigated by crosschecking features of the control system without challenging the plant safety systems. In BAW-1564, B&W recommended six actions regarding control system improvements which could be made to improve overall plant performance. In November 1979, the licensees with B&W plants (except Three Mile Island Unit 1) were requested to evaluate the B&W recommendations and report their followup actions. Subsequently, the responses have been reviewed and found acceptable by ICSB.


Also, the licensees have been requested (IE Information Notice 79-22, "Qualification of Control Systems," September 14 and 17, 1979) to review the possibility of consequential control system failures which exacerbate the effects of high energy line breaks (HELB) and adopt design changes or new operator procedures where needed, to assure that the postulated events would be adequately mitigated. All licensees responded to the request and the responses were screened. On the basis of the review, no specific event leading to unacceptable consequences was identified and, in general, control equipment locations were such that consequential failures would be unlikely. Some licensees did make changes to their operating procedures to address the possibility of control failures. As part of the staff's ongoing review of the adequacy of the equipment qualification program on NTOLs, and in response to IE Bulletin 79-01, "Environmental Qualification of Class IE Equipment," February 8, 1979, for all operating reactors, the staff is re-evaluating the qualification programs to assure that equipment that may potentially be exposed to HELB environments have been adequately qualified or an adequate basis has been provided for not qualifying the equipment to the limiting hostile environment.

The equipment qualification evaluations are conducted on a case-by-case basis. The staff reviews for all operating plants will be documented in the supplemental Safety Evaluation Reports. For NTOLs, the staff reviews will be completed before operating licenses are granted.

In addition, IE Bulletin 79-27 was issued to licensees requesting that evaluations be performed to ensure the adequacy of plant procedures for accomplishing shutdown upon loss of power to any electrical bus supplying power for instruments and controls. In their responses to the Bulletin, licensees have indicated that corrective action has been taken including hardware changes and revised procedures, where required, to assure that the loss of any single instrument bus would not result in the loss of instrumentation required to mitigate such an event. As part of Operating License (OL) licensing reviews, ICSB is requesting that similar reviews be conducted by the NTOL applicants.


Based on the activities identified above and the ongoing NTOL case review activities, continued licensing and operation of PWRs and BWRs is acceptable pending completion of this program.

4. NRC TECHNICAL ORGANIZATIONS INVOLVED

A. Division of Licensing (DL)

DL will provide the coordination necessary to expedite and collect system design information on four operating reactors. The information needs will be to procure system piping and instrumentation designs and flow and logic diagrams for the non-safety grade control systems.

Associated control equipment support system design schematics, such as power supply systems, will also be needed. DL will provide assistance to the Task Manager for setting up and coordinating with the utility personnel, information meetings and site visits that may be necessary.

DL will also provide assistance to the Task Manager for integrating any relevant experience and any new requirements resulting from the activities identified in Task A-47. DL will contribute to the review and approval of any licensing requirements and guidelines developed as a result of this USI, and will provide review and comment on the technical evaluations provided by the Task Manager.

| Manpower Requirements | Total | FY83 | FY84 |
|---|---|---|---|
| Operating Reactors Branch No. 1 | 0.20 my* | .15 | .05 |
| Operating Reactors Branch No. 3 | 0.20 my | .15 | .05 |
| Operating Reactors Branch No. 4 | 0.20 my | .15 | .05 |
| Operating Reactors Branch No. 2 | 0.20 my | .15 | .05 |
| Operating Reactors Assessment Branch | 0.30 my | .20 | .10 |

* Assumed 1 man-year = 40 man weeks.


B. Division of Systems Integration (DSI)

DSI will provide review and comment on technical evaluations provided by the Task Manager in the areas of instrumentation and control, electrical power, the reactor and auxiliary plant designs, and accident analysis.

The Instrumentation and Control Systems Branch and the Power Systems Branch will provide assistance for the purpose of integrating relevant experience and any new requirements and guidelines stemming from the completion of the subtasks described in Task A-47. The Reactor Systems Branch and the Auxiliary Systems Branch will assist in the development of the selection criteria to be used for establishing safety significant control systems (described in Task 1) and will verify completeness of non-safety grade control systems that may be needed in mitigating the accidents and transients analyzed in Chapter 15 of the plant FSAR. In addition DSI will contribute to the formulation, review and approval of the recommendations, and guidelines developed at the completion of the tasks (described in Task A-47). DSI will also review and comment on the draft and final NUREG Report.

| Manpower Requirements | Total | FY83 | FY84 |
|---|---|---|---|
| Instrumentation and Control Systems Branch | 0.35 my | .30 | .05 |
| Power Systems Branch | 0.25 my | .20 | .05 |
| Reactor Systems Branch | 0.50 my | .4 | .10 |
| Auxiliary Systems Branch | 0.175 my | .125 | .05 |

C. Division of Human Factors Safety (DHFS)

DHFS will provide review and comment on those technical evaluations involving man/machine interfaces. DHFS will contribute to the formulation, review and approval of recommendations and guidelines involving man/machine interfaces developed at the completion of the tasks. In this area DHFS will contribute in the development of maintenance or testing requirements (if warranted) for non-safety control systems.


| Manpower Requirements | Total | FY83 | FY84 |
|---|---|---|---|
| Human Factors Engineering Branch | .15 my | .15 | 0 |
| Procedures and Test Review Branch | .15 my | .15 | 0 |

D. Division of Safety Technology (DST)

DST will provide overall management of the program to resolve this USI.

Provides liaison between NRR and RES and provides coordination of activities performed within NRR which are part of this Task Action Plan.

DST has primary responsibility for the review of the draft recommendations and guidelines and for coordination of the internal management and the public review process required to adopt the recommendations and guidelines into licensing requirements. DST will provide review, comment and technical support on those issues/evaluations provided by the Task Manager involving reliability and risk assessments, and cost/benefit assessments related to non-safety control systems.

DST will provide assistance to the Task Manager for the purpose of integrating relevant experience and any new requirements stemming from the completion of those activities related to Task A-47 for which DST has responsibility. Those activities include RRAB system interaction studies, and the Task A-49 and Task A-44 activities referenced in previous sections of this plan.

In addition, RRAB will provide technical support in the area of reliability and risk assessments on non-safety control systems that have been identified as safety significant. The Safety Program Evaluation Branch will provide technical support on the cost/benefit evaluations associated with the recommendations and positions developed on each of the subtasks. DST will also coordinate the revision and publication of the NUREG report and coordinate the issuance of other licensing documents such as Regulatory Guides, Rules, and the Standard Review Plan with the Division of Engineering Technology.


| Manpower Requirements | Total | FY83 | FY84 |
|---|---|---|---|
| Generic Issues Branch | 2.25 my | 1.50 | .75 |
| Reliability and Risk Assessment Branch | .15 my | .125 | .025 |
| Licensing Guidance Branch | .15 my | .10 | .05 |
| Safety Program Evaluation Branch | .3 my | .3 | .00 |
| Research & Standards Coordination Branch | .15 my | .10 | .05 |

E. Office of Analysis and Evaluation of Operational Data (AEOD)

AEOD will provide review and comment on the technical evaluations provided by the Task Manager. AEOD will provide assistance to the formulation, review and comment of the recommendations and guidelines developed (primarily on subtask71).

AEOD will also provide assistance to the Task Manager for the purpose of integrating relevant experience for which AEOD has responsibility.

| Manpower Requirements | Total | FY83 | FY84 |
|---|---|---|---|
| Plant Systems Unit | .15 my | .10 | .05 |

5. ASSISTANCE FROM RES DIVISIONS

Close coordination and cooperation will be required on Task A-47 between NRR and RES. RES assistance will be required from the Division of Facility Operations, Instrumentation and Control Branch (ICB).

ICB through contracts with ORNL, will develop the generic PWR simulator models (discussed in Tasks 1 through 3) as a specific input for the activities outlined in Task A-47. In addition, RES (FIN No. B-0467) will conduct a review on two or three PWR designs discussed in this Task Action Plan and will perform the activities identified in Tasks 1 through 7 on each of these plants in conformance with the schedule identified in Figure 1. RES will also provide a draft report on each of the plants reviewed. The report will include the content of the information described in Tasks 1 through 7.


Any control systems identified by RES to be generic will be identified in Task A-47. In addition the Division of Risk Analysis will provide technical input from Task A-44, "Station Blackout" relative to loss of power to the vital buses associated with non-safety control systems.

Also, any applicable information developed by the Sandia plant electrical systems study (FIN No. A-1324) that would enhance a more complete understanding of significant interactions between the electrical power and the electrical control systems will be factored into the overall evaluation if the information is available and compatible with the schedule for resolution of this task.

| Manpower Requirements | Total | FY83 | FY84 |
|---|---|---|---|
| Instrumentation and Control Branch | .85 my | .55 | 0.3 |
| Division of Risk Analysis | .225 my | .15 | .075 |

(The manpower requirements for RES/ORNL activities are summarized in Table 1).

6. TECHNICAL ASSISTANCE

Technical assistance to the program will be required for the activities identified in Tasks 1 through 7. Contracts will be made with the National Laboratories to conduct the studies and activities described in Section 2 of this Plan.

Funding will be provided by the Office of Nuclear Reactor Regulation and the Office of Nuclear Regulatory Research. The estimated costs are shown in Table 1. The proposed schedule for Task resolution is shown in Figure 2. Should additional evaluations of other plant designs be needed, a significant cost increase will take place. Such costs are not included in the cost estimates shown in Table 1.

The funding associated with the RES activities related to Task A-47, (specifically FIN No. B-0467 and FIN No. B-0468) are funded directly by the Division of Facility Operations, Office of Nuclear Regulatory Research. These related activities are a part of a large overall research program which is beyond the scope of Task Action Plan A-47.


7. INTERACTIONS WITH OUTSIDE ORGANIZATIONS

Interaction with outside organizations will include the NSSS vendors, utilities, the architect/engineers, the Electric Power Research Institute (EPRI), ORNL, Sandia Laboratories, and EG&G-Idaho.

The activities of Task A-47 will be coordinated with the appropriate ACRS subcommittee. Significant information will be provided to the subcommittee as it becomes available and meetings will be scheduled at appropriate times. Peer review will be conducted through ACRS briefings and by establishing a peer review panel (if necessary) selected from outside NRC having appropriate expertise. In addition, as Task 5 progresses, it will be necessary to establish a strong interaction and information exchange with the international community. Attendance at international conferences and/or site visits to selected foreign utility agencies and consultants is anticipated.

8. POTENTIAL PROBLEMS

A. Traditionally, the licensees were not required to provide design and operating experience on non-safety grade control systems, and therefore complete information on the final "as built design" for these systems (i.e., schematics, flow logic diagrams and system descriptions) and operating experience may be difficult to obtain.

B. Performance of selected tasks described in Tasks 1 through 7 by NRR will require participation from members of DSI, DL, and RES at various intervals throughout the program. Assignments of selected personnel, at specific intervals, will be required. Close coordination and cooperation is needed within NRR (e.g., Task A-49) and between NRR and RES (e.g., ORNL).

C. Development of appropriate reliability/safety goals for specific non-safety grade control systems and translation of these goals into licensing requirements.


D. Uncertainty as to the applicability or compatibility of the information that will be available from IREP, systems interaction studies, and other ongoing reliability and risk assessment studies for use on Task A-47. The completion schedules of these activities may not be compatible with Task A-47. Uncertainty as to whether the information obtained from these activities can be used for a generic study.


Table 1 A-47 USI Funding

| Activity | FY 1982 Manpower (Staff Years) | FY 1982 Cost | FY 1983 Manpower (Staff Years) | FY 1983 Cost | FY 1984 Manpower (Staff Years) | FY 1984 Cost | Total Manpower (Staff Years) | Total Cost |
|---|---|---|---|---|---|---|---|---|
| EG&G Activities: Resolution of TAP A-47 Review on BWR Type Design, FIN# A6477 | 1.0 | 99K | 3.3 | 409K | 0.2 | 42K | 4.5 | 550K |
| EG&G or ORNL Activities (to be decided): Resolution of Task A-47 on one W PWR design | 0.1 | 11K | 4.0 | 456K | 0.4 | 83K | 4.5 | 550K |
| RES (ORNL) Activities to include resolution of TAP A-47 on 2 PWR type designs, FIN# B0467 | 4.4 | 636K | 4.2 | 636K | 5.5 | 1035K | 13.1 | 2207K |

Table 2 Related Activity Funding

| Activity | FY 82 Cost | FY 83 Cost | FY 84 Cost |
|---|---|---|---|
| RES (Sandia) Activities, FIN No. A-1324 | $350,000 | $400,000 | $400,000 |

Figure 1 Flow Diagram for Resolution of USI A-47 (flow chart connecting Tasks 1 through 7; diagram not reproduced)

Figure 2 Proposed Schedule for Task A-47 "SAFETY IMPLICATIONS OF CONTROL SYSTEMS" (schedule chart covering FY 83 and FY 84, with rows for Task 1, Task 2, Subtask 1, Subtask 2, Task 3, Task 4 and Task 5 & 6 under each of PWR (B&W), PWR (CE), BWR (GE) and PWR (W); legend: Draft Report Submitted by Labs, Final Report Submitted by Labs, Draft Report Submitted by NRR; chart not reproduced)