ML19250J299
| ML19250J299 | |
| Person / Time | |
|---|---|
| Issue date: | 06/30/1981 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML19250J298 | List: |
| References | |
| FOIA-82-93 NUDOCS 8107210466 | |
Text
STAFF SUMMARY
LETTER REPORT
THE APPROACH TO SYSTEMS INTERACTIONS IN LWRs
JUNE 1981
Systems Interaction Section
Reliability and Risk Assessment Branch
Division of Safety Technology
U.S. Nuclear Regulatory Commission
TABLE OF CONTENTS
1.0 INTRODUCTION
1.1 Purpose of Report
1.2 Background
2.0 DEFINITIONS
2.1 Basic Safety Functions
2.2 Characteristics of Systems Interactions
2.3 Adverse Systems Interactions
2.4 Common Cause Failure
3.0 PRAs AND SYSTEMS INTERACTION REVIEWS
4.0 SYSTEMS INTERACTION TYPES
4.1 Externally Caused
4.2 Internally Caused
5.0 THE SYSTEMS INTERACTION REVIEW PROCESS
5.1 Step 1
5.2 Step 2
5.3 Step 3
6.0 COORDINATION WITH ONGOING PROGRAMS
7.0 CONCLUSION
8.0 REFERENCES
1.0 INTRODUCTION
1.1 Purpose of Report
The purpose of this report is to summarize current staff thinking on the approach to be taken by the Systems Interaction Program within the Office of Nuclear Reactor Regulation for the evaluation of adverse systems interactions in LWRs.
It is also intended that this report act as a vehicle to stimulate discussion and encourage feedback from interested groups within the NRC and from the industry for staff use in making future improvements to the evolving Systems Interaction Program.
The forthcoming development of interim guidance in CY 81 will generally follow the process described here and will proceed with technical assistance from Battelle Memorial Institute and Brookhaven National Laboratory.
1.2 Background
The potential benefits from designing LWRs against adverse systems interactions were recognized prior to the accident at Three Mile Island.
Generic Activity Task A-17, Systems Interactions in Nuclear Power Plants (Ref. 1), was formally begun in May 1978.
Assessments of TMI-2 and other recent events, including those at Browns Ferry-3 (Refs. 2-6) and Crystal River-3 (Refs. 7, 8), have pointed to the need for an NRC program in this area.
This need is being addressed on several fronts within the NRC.
The NRC Action Plan Developed as a Result of the TMI-2 Accident, NUREG-0660 (Ref. 9), provides for a systems interaction follow-on study, Section II.C.3, Systems Interaction.
In the April 1980 reorganization of the NRC, the Systems Interaction Branch of the Division of Systems Integration was formed and given the responsibility for coordinating the Office of Nuclear Reactor Regulation's activities in the area of systems interactions.
As a part of its responsibility, and preparatory to the development of regulatory guidance addressing systems interactions, the Systems Interaction Branch conducted a review and evaluation of the state-of-the-art of methods that might be applicable for near-term analyses of systems interactions. Three laboratories (Battelle Memorial Institute, Brookhaven National Laboratory, and Lawrence Livermore National Laboratory) aided in performing the review and evaluation, and their final reports with recommendations are documented in References 10, 11, and 12.
The laboratory reports address both near-term and long-term analysis capabilities and needs.
This summary report makes extensive use of the results of the laboratory reviews as well as information gained from other reports and discussions with experts in the field both within and outside of the NRC (Refs. 13-17).
The Systems Interaction Branch has contracted the Battelle Memorial Institute and the Brookhaven National Laboratory to assist in defining the systems interaction interim guidance over the next 3 months for near-term application in pilot systems interaction reviews.
The pilot reviews are a critical prerequisite to a general licensing requirement since the nuclear industry's experience with systems interactions reviews is fragmented.
Specific plants have been suggested by both the Systems Interaction Branch and the ACRS for the pilot reviews.
However, the pilot review plants have not yet been selected.
The selection and analyses will be coordinated with the National Reliability Evaluation Program schedule.
The Systems Interaction Branch also contracted with Lawrence Livermore National Laboratory to perform a systems interaction review at Indian Point-3 to be completed in March 1982.
The Indian Point-3 review will supplement the pilot reviews to provide the essential experience base upon which a systems interaction licensing requirement can be established.
The Systems Interaction Branch, per se, was dissolved (May 2, 1981) and some of the branch personnel were reassigned to form the Systems Interaction Section within the Reliability and Risk Assessment Branch, Division of Safety Technology.
The responsibility for the Systems Interaction Program was transferred with the branch personnel to the Systems Interaction Section, RRAB.
The Branch approach was developed prior to the May 1981 reorganization and is essentially the approach described in this report.
Although the reorganization will delay some of the scheduled milestones, it should facilitate coordination between the program and PRAs.
All tasks in the Systems Interaction Program will remain active.
The program covers work under Unresolved Safety Issue A-17, "Systems Interaction in Nuclear Power Plants."
2.0 DEFINITIONS
The term "systems interaction" has had a broad range of definitions.
The definitions given here are fundamental to the approach for the near-term evaluation of nuclear power plant susceptibilities to adverse systems interactions and serve to introduce the specific emphasis of the approach.
The definitions are rigorous enough to proceed with the Systems Interaction Program, but they are not yet sufficiently rigorous to preclude further development.
Examples of different systems interactions are given in Section 4 to clarify the definitions developed here.
Figure 1 is included to provide reader orientation as we proceed to define the fundamental terms of our approach.
2.1 Basic Safety Functions
The design of LWRs provides basic functions to protect public health and safety.
The performance of these basic safety functions precludes core damage and unacceptable levels of radioactivity released to the site environs.
The basic safety functions selected for the Systems Interaction Program are listed below.
These basic safety functions include the two elements of both the systems and the actions they serve.
A plant can fail a basic safety function without losing all the systems serving an action.
1. The systems relied upon to maintain the primary coolant inventory shall be unimpaired.
2. The systems relied upon to transfer decay heat from the reactor to the ultimate heat sink shall be unimpaired.
3. The systems relied upon to render and keep the entire core subcritical shall be unimpaired.
4. The Engineered Safety Features, including those for the control of radioactive material, shall be unimpaired.
2.2 Characteristics of Systems Interactions
Notwithstanding that many intersystems dependencies are desired by design, the connotation of an adverse intersystems dependency is inherently part of the definition of a systems interaction.
The failure to perform at least one of these basic safety functions is the first essential characteristic of an adverse systems interaction.
Hypothetically, a basic safety function could be failed where only one component failed within all the systems of an LWR.
Although not a likely state, this failed state is mentioned here to show contrast in our definitions.
Already, the licensing process requires specific functions at plants to meet a single failure criterion; but excluded from this criterion is consideration of failure of passive components in fluid systems.
To comply with the single failure criterion, LWR designs use independent systems and components to provide basic safety functions.
Yet, the potential that these independent systems might be vulnerable to hidden dependencies has created the need for a Systems Interaction Program.
It is more likely that a basic safety function could be lost by the existence of more than one failed component in the LWR.
Multiple failures can result from either independent or dependent causes which are separately treated in a Probabilistic Risk Assessment (PRA) once the causes are determined.
Independently caused multiple failures occur by remote coincidence and their joint probability can be easily calculated for feasible combinations of failures given suitable failure rate data.
Dependently caused multiple failures result from the influence of either a process coupling or a spatial coupling in the plant and their joint occurrence has a higher probability than the value obtained assuming independent failures.
Because we are concerned with commonly caused multiple failures, the second essential characteristic of a systems interaction is the couplings that cause dependent effects.
During any scenario from an initiating event to the failure of a basic safety function, the multiple dependent failures could occur either as parallel effects (simultaneously) or as serial effects (sequentially).
Only when the plant possesses a precondition that can simultaneously affect intentionally "independent" systems which serve a basic safety function is it possible for a licensed LWR to fail a basic safety function from the occurrence of one initial failure.
Thus, the third characteristic of a systems interaction is a precondition that allows systems to be simultaneously influenced that both serve a basic safety function and were intended to be independent.
2.3 Adverse Systems Interactions
Thus, we can state that an adverse systems interaction is a precondition within the plant that would fail a basic safety function as a consequence of both an intersystems dependency and an initiating malfunction.
An intersystems dependency simultaneously transmits the effects of an initiating action to more than one system.
Systems interactions that were not intended by design, i.e., not explicitly included in the design descriptions, can be referred to as hidden dependencies.
The relative safety importance among systems interactions is determined primarily by the degree of impairment that led to the failure of a basic safety function.
Two considerations bear on the degree of impairment: (1) the specific state of the plant, and (2) the initiating malfunction.
The relative safety importance of systems interactions is discussed further in Section 5.3.
2.4 Common Cause Failure
A common cause failure is a group of multiple failures resulting from a single cause.
Like systems interactions, common cause failures result only when the plant possesses a precondition that allows parallel dependent effects.
There is little practical distinction between a common cause failure and a systems interaction other than the importance of intersystems dependencies.
An adverse systems interaction is what we call a common cause failure that resulted in the failure of a basic safety function.
The term "systems interaction" became meaningful only since LWR designs have developed in sophistication to the degree that entire safety grade systems are used in parallel to perform basic safety functions.
Experience to date shows that attempting to systematically identify generally defined systems interactions would yield a program of unmanageable scope.
Therefore, the Systems Interaction Program may narrow the definition where it will provide more focus on adverse systems interactions that have a higher safety significance.
3.0 PRAs AND SYSTEM INTERACTION REVIEWS
Interfaces exist between the systems interaction reviews defined here and Probabilistic Risk Assessments since both efforts treat dependent failures.
However, most Probabilistic Risk Assessments (PRA) rely upon failure rate data to account for hidden dependencies.
Systems interaction reviews are aimed at descriptions of the preconditions that allow the dependent effects of a single initiator to simultaneously affect systems which were intended to be independent, while PRAs are aimed at assessing the relative risks among feasible scenarios.
PRAs must evaluate all scenarios including both successes and failures (dependent and independent) while systems interactions reviews evaluate only dependent failures.
The results of a systems interaction review will be fully characterized systems interactions (a mechanistically defined systems problem) to be evaluated by the responsible technical review branches.
The result of a PRA is a consistent ranking of the main risk contributors to be used by management to allocate technological resources.
Together, PRAs and systems interaction reviews are supplementary in assuring the reliability of LWR safety functions.
The May 1981 merging of the Systems Interaction Program into the Reliability and Risk Assessment Branch should facilitate the close coordination needed to manifest the benefits of these supplementary efforts.
4.0 SYSTEMS INTERACTION TYPES
Our reviews of operating reactor experiences showed that there are different types of systems interactions.
The state-of-the-art reviews (Refs. 10-12) showed that some methods more efficiently identify specific systems interaction types than other methods. Thus, the classification of systems interactions by type is useful to guide the analysts in matching the method(s) best suited to the particular evaluation.
Systems interactions of interest to the systems interaction reviews may be placed in two elementary categories depending on whether the initiating cause originated externally to the affected system(s) or within one of the affected systems.
4.1 Externally Caused
Externally caused systems interactions (sometimes referred to as "physical" or "spatial") are common cause events often initiated by phenomena such as earthquakes, fires, floods, missiles, or abnormal environmental conditions within the plant. These types of systems interactions are distinguished by systems sharing a spatial domain which allows an initiating event to couple the systems within that space.
Principally, systems without a process coupling (unconnected systems) would be included in this type of systems interaction.
Two examples of externally caused adverse systems interactions are the Browns Ferry 1 fire and the postulated Hosgri earthquake at Diablo Canyon 1/2.
More specifically, at Diablo Canyon a charging pump suction line could be "spatially coupled" with a crane monorail during a seismic event resulting in a loss of the charging pump suction.
Such systems interactions are amenable to physical inspection methods such as Walk-Downs / Walk-Throughs.
Additionally, there are computerized models developed to search for externally caused systems interactions by spatial domain (Ref. 17).
4.2 Internally Caused
Internally caused systems interactions originate from a malfunction occurring within systems that are connected either through the sharing of components or a process coupling between the systems.
At a BWR, an illustration of the former is that both the LPCI and RHR systems depend upon the same pumps, and an illustration of the latter is that all the low pressure ECCS depend upon the automatic depressurization system under the conditions that the high pressure systems failed during a small LOCA and some transients.
Possible process couplings between systems include electrical, hydraulic, pneumatic, and mechanical connections.
Process couplings (intersystems dependencies) exist for the systems to perform their design functions; thus, such systems interactions are sometimes called "functional" systems interactions.
Two examples of functional, adverse systems interactions are the Crystal River-3 (Refs. 7, 8) loss of reactor coolant and the Browns Ferry-3 (Refs. 2-6) partial loss of scram capability.
Some "Human Errors" may also be considered as functional systems interactions, either dynamic or latent types of errors.
To illustrate, let us postulate a dynamic "human error" in which a failure originates within a power supply that causes plant instruments to display spurious readings to the operator who is misled into performing an unsafe act. We refer to such a case as having an element of "human error" although the operator actions are not exactly at fault since they were intended by design. A dynamic human error that is a dependent effect rather than the initiating cause may be a systems interaction.
Latent human errors, including multiple maintenance and equipment positioning errors, sometimes can be commonly caused by faulty procedures or training.
The adverse systems interaction effects of latent human errors may not appear immediately when committed.
Internally caused systems interactions are not readily identifiable by physical inspection methods.
Methods available for identifying such systems interactions are described in Section 5.0.
5.0 THE SYSTEMS INTERACTION REVIEW PROCESS
During the state-of-the-art reviews there was a range of methods evaluated including Fault Trees, Event Trees, Cause-Consequence Diagrams, GO methodology, Failure Modes and Effects Analysis, Walk-Downs, Operational Survey, Markov Modeling, Phased Mission Analysis, Diversion Path Analysis, and Generic Cause Analysis.
An analyst could use these methods to discipline his review by formalized courses of reasoning, both deductively and inductively.
These methods, and a few others, were reviewed and evaluated by Battelle Memorial Institute, Brookhaven National Laboratory, and Lawrence Livermore National Laboratory as reported in References 10, 11, and 12.
The laboratories concluded that no single method presently exists in a form that can be used to perform an adequate review for adverse systems interactions.
Although each laboratory recommended an approach using different combinations of methods, each combination proposed to screen out adverse systems interactions by following a three-step review process. We agree that an adequate review follows a three-step process and that each step in the process is distinct in its objective.
It appears beneficial to iterate among the three steps to adequately complete a review.
The three-step process is:
The Systems Interaction Review Process
1. The grading of designed dependencies and selection of systems for detailed evaluation.
2. The identification of the hidden dependencies.
3. The ranking and evaluation of the hidden dependencies.
5.1 Step 1
The first step, the grading of designed dependencies and selection of systems for detailed evaluation, is akin to the first step in a PRA since it leads to a comprehensive understanding of the design under review.
To begin this first step, essentially all of the plant's systems which have the potential to include adverse systems interactions must be identified.
There are different ways to accomplish this beginning identification:
BMI (Ref. 10) suggested using the basic safety functions directly to derive the front-line systems* and the hierarchy of support systems* for a specific plant, including any redundancy needed to perform the basic safety functions for the principal operating modes of the plant.
All possible systems and their combinations to successfully perform the basic safety functions should be identified.
BNL (Ref. 11) and LLNL (Ref. 12) suggested another way that these systems can be derived from the systemic event trees leading to core damage.
Finally, we think it is possible to derive these systems from the current Design Basis Events (Chapter 15, Regulatory Guide 1.70).
However, we expect that each approach will eventually lead to the determination of the same systems relied upon at the specific plant to meet the basic safety functions which apply to all LWRs.
A significant amount of design and operational information is needed to derive the systems for a plant.
The analysts will need electrical elementary diagrams ("one line" diagrams), control logic diagrams, piping and instrumentation drawings, and engineering drawings of specific subsystems.
Some of the needed information about systems interfaces may be obtained only at the site both by inspecting the physical facilities and by meeting with plant personnel familiar with design, operation, and maintenance.
To proceed with this first step, the systems most important to the basic safety functions must be objectively separated from among all the plant's systems.
The plant's process couplings (intersystems dependencies) must be evaluated to grade the relative importance among the plant's systems.
The most important systems should be those selected to begin Step 2.
It appears that the systems having the largest number of process couplings to the basic safety functions are the most important systems concerning systems interactions.
Presently, there are four methods that can facilitate performing Step 1 in the systems interaction review process; i.e., the selection of systems for detailed evaluation.
In Step 1, these methods are applied to the systems level of detail only.
The methods listed here may change during the development of the interim systems interaction guidance.
* Front-line systems operate to determine the course of the plant's response assuring that no basic safety function is lost.
Support systems operate to affect the course of the plant's response only by way of their effect on the front-line systems.
Methods for Step 1
1. Operational Survey
2. Success Trees / Fault Trees
3. Systemic Event Trees / Fault Trees, and
4. Directional Graphs (digraphs, dependency diagrams).
The final selection of the systems for detailed evaluation, at the completion of Step 1, must be congruent with past experience.
The selections suggested by an application of one of these methods must merge with operating experience and the insight gained by both the NRC and the reactor operators.
(The Systems Interaction Program is developing this insight through cooperative efforts with the Office of Analysis and Evaluation of Operational Data and the Atomic Industrial Forum). Thus, regulatory judgment based upon experience could modify the final selection of the systems upon which detailed evaluations will be performed.
One way to select the systems for further review is to utilize distinctions between safety grade and nonsafety grade systems.
Almost all the systems in an LWR are given detailed considerations during the design and installation processes.
However, past licensing reviews of LWRs led to an emphasis on safety grade systems.
Initially, we performed the Diablo Canyon program (Ref. 13) by identifying common-cause failures originating in nonsafety grade systems resulting from a seismic event.
It should be clear that this extension of safety reviews into nonsafety grade systems extended past licensing practice in the performance of 10 CFR safety reviews.
However, the methods being developed will not be restricted by the distinction between safety grade and nonsafety grade systems.
5.2 Step 2
Step 2 in the process is to perform a detailed review of those systems that were graded as most important to safety from Step 1.
The main objective of the entire review process is to identify those systems interactions that jeopardize the independence of redundant trains of systems performing the basic safety functions.
An adequate identification should characterize each adverse systems interaction by (a) the single random failure that initiated the dependent effects, (b) the precondition within the plant allowing the simultaneous influence of systems that were intended to be independent, (c) the process or spatial couplings that caused the dependent effects, and (d) the failure of at least one basic safety function.
To perform such identifications, the analyst may need to proceed through multiple tiers of dependencies into the details of subsystems to the component* level.
The number of combinations of basic safety functions, operating modes, systems and components for a plant is very large.
Thus, it is essential to grade the plant's systems by their relative importance using a method suggested in Step 1 before proceeding into the deeper analysis.
* A component is a basic element of the system.
For systems interaction reviews the component level is the level of resolution of the system description or analysis.
In Step 2, it appears necessary to use identifiers to track the systems, subsystems, and support systems in each success / failure path.
Such traceability information is beyond that contained within path / cut sets of routine success / fault tree analyses.
To help the analyst, four methods have the most potential to identify externally caused systems interactions (Section 4.1).
Methods for Externally Caused (Physical / Spatial)
1. Site Walk-Downs / Walk-Throughs;
2. Computerized searches by spatial domains;
3. Plant-specific reviews of operating experiences; and,
4. Generic Cause Analyses.
Five methods have the most potential to identify internally caused systems interactions (Section 4.2).
Methods for Internally Caused (Functional / Process)
1. Directional Graphs (digraphs, dependency diagrams);
2. Success Trees / Fault Trees;
3. Cause-Consequence Diagrams (Event Tree-Fault Trees);
4. Failure Modes and Effects Analyses; and,
5. Operational Surveys and Operator Interviews.
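The directional-graph method named in the Step 1 and Step 2 lists can be illustrated with a small dependency model (an added example, not part of the NRC report). The plant model, the system names, and the simplification that a train is lost when any item it depends on is lost are assumptions; "couplings" are counted here as the number of safety-function trains that reach a system.

```python
from collections import deque

# Constructed plant model; every name is hypothetical.
# "X": [Y, ...] means X needs every Y to operate (a process coupling).
DEPENDS_ON = {
    "RHR_A": ["RHR_pump_A", "AC_bus_A", "SW_A"],
    "RHR_B": ["RHR_pump_B", "AC_bus_B", "SW_B"],
    "HPI_A": ["HPI_pump_A", "AC_bus_A"],
    "HPI_B": ["HPI_pump_B", "AC_bus_B"],
    "SW_A": ["SW_pump_A", "AC_bus_A", "intake_structure"],
    "SW_B": ["SW_pump_B", "AC_bus_B", "intake_structure"],
    "AC_bus_A": ["diesel_A"],
    "AC_bus_B": ["diesel_B"],
    "diesel_A": ["DC_control_power"],
    "diesel_B": ["DC_control_power"],
}

# Basic safety function -> redundant trains intended to be independent.
FUNCTIONS = {
    "decay_heat_removal": ["RHR_A", "RHR_B"],
    "coolant_inventory": ["HPI_A", "HPI_B"],
}


def support_set(node, graph=DEPENDS_ON):
    """Everything `node` depends on, through all tiers of dependencies."""
    seen, stack = set(), [node]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:  # also guards against cycles in the model
                seen.add(dep)
                stack.append(dep)
    return seen


def grade_systems(functions=FUNCTIONS, graph=DEPENDS_ON):
    """Step 1: rank each item by how many safety-function trains rely on it."""
    counts = {}
    for trains in functions.values():
        for train in trains:
            for dep in support_set(train, graph):
                counts[dep] = counts.get(dep, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def hidden_dependencies(functions=FUNCTIONS, graph=DEPENDS_ON):
    """Step 2: items shared by every redundant train of a function.

    Under the series assumption, one failure of such an item removes all
    trains at once, so the function is lost despite the redundancy.
    """
    result = {}
    for function, trains in functions.items():
        shared = set.intersection(*(support_set(t, graph) for t in trains))
        result[function] = sorted(shared)
    return result


def trace(train, target, graph=DEPENDS_ON):
    """Shortest dependency path from a train to an item, for traceability."""
    parent, queue = {train: None}, deque([train])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for dep in graph.get(node, []):
            if dep not in parent:
                parent[dep] = node
                queue.append(dep)
    return None  # the train does not depend on the target


if __name__ == "__main__":
    print("Step 1 grading:", grade_systems()[:3])
    for function, shared in hidden_dependencies().items():
        for item in shared:
            paths = [trace(t, item) for t in FUNCTIONS[function]]
            print(function, "<-", item, paths)
```

The paths returned by `trace` carry the identifiers of each system and support system between a train and the shared item, which is the traceability information a plain cut set omits.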
The application of Fault Trees in these lists of methods must be contrasted with the use of Fault Trees in the "Systems Interaction Methodology Application Program."
That program used Fault Trees to begin the review process and carried the resolution to the component level in one continuous process on all the systems.
There was a practical problem from the enormous number of components that comprise a nuclear power plant.
However, the use of Fault Trees as proposed here is staged; first, in Step 1, to the systems level only, and then in Step 2 to the component level but only on those specific systems that were selected from Step 1.
Significant functional dependencies are often coupled by "Human Errors," and we intend to manage some of these functional dependencies in close coordination with the designated responsible groups within the NRC.
Some Latent Human Errors (as noted in Section 4.2) due to improperly written procedures, or inadequate training can be the common cause in an adverse systems interaction.
However, our reviews are not expected to concentrate on these types of Human Errors; rather, we rely upon the Division of Human Factors to identify and evaluate Latent Human Errors.
Also, we exclude malevolence and random operator errors as adverse systems interaction initiators.
We rely upon the safeguards activities and others to evaluate such human errors.
Our reviews regarding human errors will concentrate on systematically identifying potential Dynamic Human Errors that are part of the dependent effects in an adverse systems interaction scenario.
These are the types of human errors that propagate some initiating failure across independent systems.
We want to predict only those human errors where the operator's actions depend upon a system's response to a failure.
The best examples are from the machine-to-man transmission interface (the displays).
Thus, we will treat the operator as a coupling that has the potential to connect systems that are normally independent.
We are evaluating the use of control room simulators to identify machine-to-man adverse systems interactions and those systems interactions caused by control systems malfunctions or by power supply failures.
5.3 Step 3
The final step in the review process is the ranking and the subsequent implementing of corrective action on the identified systems interactions by their relative importance to safety. Adverse systems interactions are already important to safety simply because of the failure of a basic safety function (Section 2.1).
Yet, the failure of a basic safety function covers a range of importance because each allows a range of system impairments that yield a range of margins to core damage or unacceptable radioactivity releases.
The basic safety functions were chosen from a conservative perspective as criteria to guide the search of a plant to identify systems interactions.
The ranking of safety issues has been needed in the past because corrective actions at plants continued to reflect a balance between maximum safety and other contravening purposes.
We expect that future corrective actions on identified systems interactions will be graded by their safety significance for both any interim patch and the final fix.
The most systematic means of grading relative safety significance is built upon the notion of risk.
Formal PRAs compose only one specific application of the risk notion.
We are considering less sophisticated applications that emphasize features such as (a) the number of functions lost, (b) the degree of degradation of a basic safety function, and (c) the urgency for human amelioration.
However, risk based gradings are not complete by themselves and are normally modified by legal constraints and obligations among interfacing organizations.
From the state-of-the-art reviews, it is evident that Step 3 requires more refinements.
It is possible that the ranking scheme being developed by the Safety Program Evaluation Branch, DST, will directly apply to Step 3.
Once the adverse systems interactions are ranked by their relative importance to safety, then the implementation of the corrections can proceed at a rate determined by the resources allocated for the task.
We expect the affected utilities and the responsible technical review branches within the NRC to participate in the evaluation of systems interactions and the subsequent implementation of corrective action.
The Systems Interaction Section, RRAB, will account for the identified systems interactions through their eventual disposition.
6.0 COORDINATION WITH ONGOING PROGRAMS
The goal of the Systems Interaction Program is directed toward identifying the hidden dependencies among properly designed systems that create safety hazards rather than in identifying misdesigned systems.
Thus, the adequacy of specific systems remains the responsibility of the chartered technical branches.
Because adverse systems interactions could originate throughout the entire plant, the Systems Interaction Program will share concerns about specific hazards with the technical branches and other ongoing programs.
However, the Systems Interaction Program is not intended to duplicate the numerous evaluations that the industry is already addressing. We plan coordination with the associated programs and will draw from their evaluations to provide for the evaluation of missing pieces. Some of the coordination was already mentioned relative to Probabilistic Risk Assessments (Sections 1.2 and 3.0), Human Factors (Sections 4.2 and 5.2), and the feedback of operating experience (Section 5.1).
Because Step 1 (Section 5.1) is identical with the initial stages of a PRA, both a PRA and a systems interaction review can be performed jointly for economy.
The Systems Interaction Program is directed toward the systematic identification of previously hidden dependencies rather than the evaluation of ongoing programs.
The present programs have led to the review of plants against specific hazards, e.g., fire (10 CFR 50, App. R), control systems interactions (10 CFR 50, GDC-24)/IE Information Notice 79-22 (IE Bulletin 79-27), environmental qualification of safety-related equipment (NUREG-0588), and masonry wall design (IE Bulletin 80-11).
These specific hazards include both externally caused (Section 4.1) and internally caused (Section 4.2) systems interactions that have already been identified and corrective action was initiated.
The Systems Interaction Program will focus on the adverse systems interactions that are outside those already within the ongoing programs.
It is feasible that the Systems Interaction Program will identify systems interactions that were missed by an ongoing program and should be included in that program for completeness.
7.0 CONCLUSION
This letter report has summarized the current staff thinking on the approach to be taken by the Systems Interaction Program within the Office of Nuclear Reactor Regulation.
The report provides a vehicle for comments from all parties interested in the approach.
We remain open particularly to input that will facilitate the coordination process between ongoing programs and the Systems Interaction Program.
We want to consider all comments during the development of the interim guidance.
Thus, they should be provided us before mid-August 1981.
Additionally, we solicit input for the selection of the plants at which the pilot reviews will be conducted.
8.0 REFERENCES
1. G. Boyd, et al., Sandia National Laboratories, "Final Report - Phase I, Systems Interaction Methodology Applications Program," USNRC Report NUREG/CR-1321 (SAND 80-0884), April 1980.
2. Memorandum from P. S. Check, NRC, to G. C. Lainas, T. H. Novak, and R. L. Tedesco, NRC, "BWR Scram Discharge System Safety Evaluation," December 1980.
3. G. Lanik, U.S. Nuclear Regulatory Commission, "Report on the Interim Equipment and Procedures at Browns Ferry to Detect Water in the Scram Discharge Volume," September 1980.
4. U.S. Nuclear Regulatory Commission, Verbatim Transcript of Advisory Committee on Reactor Safeguards, Fluid Dynamics Subcommittee Meeting, Tuesday, August 19, 1980, Inglewood, California.
5. Memorandum from C. Michelson, AEOD, to H. R. Denton, NRR, Subject: "Potential for Unacceptable Interaction Between the Control Rod Drive System and Nonessential Control Air System at the Browns Ferry Nuclear Plant," August 18, 1980.
6. S. Rubin and G. Lanik, U.S. Nuclear Regulatory Commission, "Report on the Browns Ferry 3, Partial Failure to Scram Event on June 28, 1980," July 30, 1980 (with Executive Summary).
7. U.S. Nuclear Regulatory Commission, "Transient Response of Babcock & Wilcox-Designed Reactors," USNRC Report NUREG-0667, May 1980.
8. Nuclear Safety Analysis Center and Institute of Nuclear Power Operations, "Analysis and Evaluation of Crystal River Unit 3 Incident," Joint NSAC/INPO Report NSAC-3/INPO-1, March 1980.
9. U.S. Nuclear Regulatory Commission, "NRC Action Plan Developed as a Result of the TMI-2 Accident," USNRC Report NUREG-0660, Vols. 1 & 2, May 1980.
10. P. Cybulskis, et al., Battelle Memorial Institute, "Review of Systems Interaction Methodologies," USNRC Report NUREG/CR-1896, January 1981.
11. A. Buslik, I. Papazoglou, R. Bari, Brookhaven National Laboratory, "Review and Evaluation of Systems Interactions Methods," USNRC Report NUREG/CR-1901, January 1981.
12. J. Lim, R. McCord, and T. Rice, Lawrence Livermore National Laboratory, "Systems Interaction: State-of-the-Art Review and Methods Evaluation," USNRC Report NUREG/CR-1859, January 1981.
13. U.S. Nuclear Regulatory Commission, "Safety Evaluation Report Related to the Operation of Diablo Canyon Nuclear Power Plant, Units 1 and 2," USNRC Report NUREG-0695, Supplement No. 11, October 1980.
14. Memorandum from F. D. Coffman, NRC, to J. F. Stolz, NRC, "SIB Peer Review Meeting - November 12, 1980," December 2, 1980.
15. U.S. Nuclear Regulatory Commission, "Reactor Safety Study - An Assessment of Accident Risk in U.S. Commercial Nuclear Power Plants," USNRC Report NUREG-75/1014 (WASH-1400), October 1975.
16. H. W. Lewis, et al., Ad Hoc Review Group, "Risk Assessment Review Group to the U.S. Nuclear Regulatory Commission," USNRC Report NUREG/CR-0400, September 1978.
17. Memorandum from F. D. Coffman, NRC, to L. S. Rubenstein, NRC, "AIF-NRC Meeting on Systems Interactions - April 1, 1981," April 15, 1981.
18. U.S. Nuclear Regulatory Commission, "Plan for Developing a Safety Goal," USNRC Report NUREG-0735, October 1980.
[Figure 1. Disjunctive Diagram for Definitions in 2.0. Diagram labels: Basic Safety Function Performed / Basic Function Failed; One System Failed / More Than One System Failed; Independent Failures / Dependent Failures; Externally Caused / Internally Caused; Staff Focus on Systems Interaction.]