ML19260D708
| ML19260D708 | |
| Person / Time | |
|---|---|
| Issue date: | 01/14/1980 |
| From: | Tondi D Office of Nuclear Reactor Regulation |
| To: | Hanauer S Office of Nuclear Reactor Regulation |
| References | |
| NUDOCS 8002110634 | |
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

JAN 14 1980

MEMORANDUM FOR: S. Hanauer, Director, Unresolved Safety Issues Program
FROM: D. Tondi, Section Leader, Plant Systems Branch, DOR
SUBJECT: IEC DOCUMENT 45A(CD)58, "DEFINITION OF THE SINGLE FAILURE CRITERION"

We have reviewed the subject document and find it to be much like the "generic statement" of the single failure criterion given by IEEE Standard 379-1977 with some notable omissions.
Some of the major items not covered by the IEC definition are:
1. Additional failures (i.e., cascaded failures) that could result consequentially from the assumed single component failure.
2. Multiple failures from a single cause, e.g., fire in an enclosure.

Additionally, some peripheral requirements which are not covered by the IEC definition result in less protection for the public. Two such requirements involved are:
1. Failures within other systems (non-Class 1E) which "interface" in some way with the performance of the (Class 1E) safety systems. IEEE 379 requires that if such failures can cause failure of a part of the safety system, these failures are assumed to occur in addition to the assumed single failure within the safety system.
2. Failures of the safety system that can cause spurious and unacceptable safety system action must be considered. An example is the spurious switch-over of the ECCS to the recirculation mode at the start of an accident (when an inadequate supply of water may exist in the sump).

Finally, our enclosed specific comments include some editorial improvements also.
As to a ballot recommendation, in view of the importance of the items omitted from the IEC definition, the ballot should be either affirmative subject to satisfactory incorporation of the comments or negative.
Should you wish to discuss this matter, please call J.T. Beard at 49-28213.
D. Tondi, Section Leader
Plant Systems Branch
Division of Operating Reactors

Enclosure: As stated

cc w/enclosure:
G. Lainas
E. Wenzinger
R. Satterfield
T. Ippolito
D. Sullivan
J.T. Beard
PSB Section A
ENCLOSURE

COMMENTS ON IEC DOCUMENT 45A(CO)58
"DEFINITION OF THE SINGLE FAILURE CRITERION"

1. Section 2.1 - In the first sentence, add "an obviously" before "anomalous indication."
2. Section 2.1 - In the first sentence, add "unambiguous and" before "positive means." Same comment applies to the second sentence in this section.
3. Section 2.2 - An additional classification should be provided to cover "cascaded" (or "consequential") failures which could reasonably be expected from the occurrence of a single failure.
4. Section 3 - Item "a" of this section confuses design basis events (those plant abnormalities which necessitate safety system actions) with the separate consideration of those events (such as fire, lightning, flood) which could physically damage safety system equipment. Consideration of these latter items must remain separate from station conditions which require mitigation by the safety systems. Suggest that the words "design basis" be deleted from this section.
5. Section 4 - Cascaded failures (see earlier comment 3) should be added to this statement.
6. Section 4 - Multiple failures resulting from any single cause should be explicitly covered, e.g., loss of ventilation flow to a safety system cabinet.
7. Section 4 - Failures within other systems (plant controls) which in some way adversely impact the performance of a part of the safety systems should be covered in addition to a single failure assumed within the safety system.
8. Section 4 - Failures within the safety system which can cause spurious action by the system must be considered when the action is unacceptable.
9. Section 4 - To provide better clarity and to provide better assurance that all aspects of the criterion are considered, some editorial improvement in the format of the criterion would be worthwhile. The format below may be desirable.
"A Safety System is considered to meet the single failure criterion if it can adequately perform its safety task in response to any design basis event when the system is degraded by any single detectable failure within the system which occurs coincident with the design basis event, concurrent with:
(a) all failures which could be caused by the design basis event,
(b) all failures which are non-detectable,
(c) all failures which could result from the single detectable failure,
(d) any external condition which could degrade the performance of the safety system, and