ML17095A592
| ML17095A592 | |
| Person / Time | |
|---|---|
| Issue date: | 08/18/1977 |
| From: | Hanauer S NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO) |
| To: | Case E Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML17095A593 | List: |
| References | |
| FOIA-79-109, FOIA-80-587, FOIA-81-159 NUDOCS 7905190002 | |
Text
WASHINGTON, D. C. 20555

August 18, 1977

MEMORANDUM FOR: E. G. Case, Acting Director, Office of Nuclear Reactor Regulation

FROM: Stephen H. Hanauer, Technical Advisor to Executive Director for Operations

SUBJECT: INTERACTION BETWEEN CONTROL SYSTEM AND PROTECTION SYSTEM

The Zion incident of July 12, 1977, apparently shows a design defect as well as the obvious gross management deficiency.
The 31 dummy signals disabled the primary system level control, which initiated a transient involving decreasing level.
Concurrently, the same sequence of events disabled portions of the protection functions associated with the same level.
Thus a single sequence of events caused the transient and paralyzed the safety provided for that very transient.
Westinghouse designs are characterized by the large number and types of interaction between control systems and related safety systems.
They think this is great.
I think it is unsafe.
This feud has been going on for years.
I have not so far been able to find out whether a single signal or group of signals went to both control and safety, or whether the interaction was more obscure.
It almost doesn't matter.
I also don't know (and don't much care) whether the interaction, whatever its nature, is allowed by the various meticulously crafted clauses in IEEE-279.
For existing plants, I believe the lesson of the Zion incident should be taken to heart, and acted on constructively.
The fact that, this time, nothing bad happened is a tribute to good operator action and defense in depth, and should not keep us from learning the lesson.
All interactions between control functions and safety functions should be reviewed in the light of this experience.
A statement that no such dummy signals are allowed is not to the point; next time, some different and not now foreseen sequence of events may start the ball rolling.
What is needed is adequate independence of control functions from safety functions that provide against control malfunctions.
[Stamp: DOCKETED USNRC, Office of the Secretary, Docketing & Service Branch]
For future plants, we have RESAR-014, with a new "Integrated Protection System," which includes interactions between safety channels and between safety and "non-safety systems for monitoring and control" (PSAR, p. 7.1-27).
Such interactions seem to be on a scale far beyond present practice and involve a complexity (multiplexing, data links between computers) not previously encountered.
The philosophy (old and new) is, "Westinghouse considers it advantageous to use certain information derived from protection channels to control the plant" (PSAR, p. 7.1-62).
The acceptability of all systems, Westinghouse and non-Westinghouse, old and new, needs to be reviewed in the light of the Zion event and any unacceptable interactions removed.
cc: L. V. Gossick, S. Levine, E. Volgenau, R. Minogue

Stephen H. Hanauer
Technical Advisor to Executive Director for Operations