ML19280A960

| Person / Time | |
|---|---|
| Issue date: | 03/20/1981 |
| From: | Rosa F, Office of Nuclear Reactor Regulation |
| To: | Kerr W, Advisory Committee on Reactor Safeguards |
| References: | FOIA-82-176, IEB-79-27, NUDOCS 8104100137 |
| Download: | ML19280A960 (9) |
Text
MAR 20 1981

MEMORANDUM FOR: Dr. William Kerr, Advisory Committee on Reactor Safeguards

FROM: Faust Rosa, Chief, Instrumentation & Control Systems Branch, Division of Systems Integration

SUBJECT: ONGOING AND PLANNED ACTIVITIES RELATED TO THE SAFETY IMPLICATIONS OF CONTROL SYSTEMS

In a memorandum to Gary Zech from R. Savio dated March 5, 1981, the staff was asked to provide you with a written summary of the ongoing and planned activities related to the safety implications of control systems. This memorandum is for the purpose of providing you with the requested information.
Andy Szukiewicz in the Generic Issues Branch, Division of Safety Technology, has been assigned Task Manager for Unresolved Safety Issue A-47, "Safety Implications of Control Systems." A description of the issue and plan for addressing it are attached. A preliminary estimate for completion of the program is April 1984.
Also attached is a list of other actions being taken to address control systems.
In general, detailed schedules for these items have not been established. Several of the items will proceed in parallel and at a schedule consistent with operating license reviews.
We hope the enclosed material answers your questions, and we will be available for further discussion of this matter during the subcommittee meeting on March 25, 1981.
Original Signed by F. Rosa
Faust Rosa, Chief, Instrumentation & Control Systems Branch, Division of Systems Integration

Enclosures: As stated

cc: See attached sheet

DISTRIBUTION: Central File, ICSB Reading File, F. Rosa, C. E. Rossi (P.F.), B. Morris (P.F.)

Contacts: B. Morris, X29435; C. E. Rossi, X29431

Concurrence (ICSB/DSI, March 1981): BMorris, CERossi, TDunning, HSrinivasan, FRosa

OFFICIAL RECORD COPY
cc: D. Ross, T. Murley, P. Check, K. Kniel, G. Zech, R. Savio, T. Dunning, H. Srinivasan, C. Rossi, B. Morris
SAFETY IMPLICATIONS OF CONTROL SYSTEMS (TASK A-47)
Issue Definition

This issue concerns the potential for transients or accidents being made more severe as a result of control system failures or malfunctions. These failures or malfunctions may occur independently, or as a result of the accident or transient under consideration.

One concern is the potential for a single failure (such as loss of power supply, short circuit, open circuit, or sensor failure) to cause simultaneous malfunction of several control features. Another concern is for a postulated accident to cause control system failures which would make the accident more severe than analyzed. Accidents could conceivably cause control system failures by creating a harsh environment in the area of the control equipment or by physically damaging the control equipment.
The effects of control system failures can be divided into the following:

(1) The effects of control system failures on "anticipated operational occurrences." "Anticipated operational occurrences" are defined as those conditions of normal operation which are expected to occur one or more times during the life of a nuclear power unit.

(2) The effects of control system failures on accidents. Accidents are defined as those conditions of abnormal operation that result in limiting faults. These are occurrences that are not expected to occur but are postulated because their consequences would include the potential for the release of significant amounts of radioactive material.

(3) The effects of control system failures on operator actions. Operator action would be considered with the plant at shutdown, during plant heatup or cooldown, following plant trips, or following actuation of engineered safeguards systems. The control system failures include those which deprive the operator of required information for manually controlling plant conditions, those which provide confusing or incorrect information to the operator, or those which may initiate or compound transients.
Although it is generally believed that such control system failures would not lead to serious events or result in conditions that safety systems cannot safely handle, rigorous in-depth studies have not been performed to confirm this belief.
In the past, NRC staff reviews have been performed on currently licensed plants with the goal of ensuring that control system failures will not prevent automatic or manual initiation and operation of any safety system equipment required to trip the plant or maintain the plant in a safe shutdown condition following any "anticipated operational occurrence" or "accident." The approach has been either to provide physical independence between safety and non-safety systems or to require isolating devices, such as isolation amplifiers, between safety and non-safety systems, such that failures of non-safety system equipment cannot propagate through the isolating devices to impair operation of the safety system equipment.

In addition, a specific set of anticipated operational occurrences and accidents has been analyzed to demonstrate that plant trip and/or safety system equipment actuation occurs on a time scale such that appropriate safety limits are maintained. In these analyses, conservative initial plant conditions, core physics parameters, and instrumentation setpoints have been assumed. Where active control system operation would mitigate the consequences of the transient, in general, no credit is taken for the control system operation. Where active control system operation would not mitigate the consequences of a transient, no penalties are taken in the analyses for incorrect control system actions that might be caused by control system equipment failures.

It should be emphasized that the issue is not whether reactor trip or safety system equipment action would be defeated, but whether trip or equipment action would occur in time to maintain the limits appropriate for the specific event and, more importantly, whether control system failures might confuse the operator such that he takes improper actions which worsen the transient consequences.
Task Action Plan

The NRC staff has initiated the preparation of a Task Action Plan on Safety Implications of Control System requirements which will provide a description of the issue, a description of the NRC staff's approach to resolving the issue, a general discussion of the basis for continued operation and licensing pending resolution of the issue, a discussion of the technical organizations involved in the task, and the requirements for manpower and program supporting funding. It is expected that it will take about three months for preparation and approval of the above plan.

The completion date for this program depends on obtaining the necessary program funding and implementation time for technical assistance contracts, probably on a competitive basis. A preliminary estimate for completion of this program is April 1984.
The primary goal of Task A-47 will be the development of a comprehensive and consistent set of requirements and design criteria for existing and future LWRs.

Specific subtasks will be defined. One such subtask will be to study the reactor and/or steam generator overfill transient in BWRs and PWRs, respectively, to determine the need for preventative and/or mitigating design measures to preclude or minimize the consequences of this transient.

Other subtasks, yet to be developed, will:

(1) Define other scenarios that should also be considered,
(2) Develop a methodology for evaluating these scenarios,
(3) Develop acceptance criteria for the results of these scenarios,
(4) Develop guidelines for improvements that must be made where acceptance criteria are not met.

These subtasks will address:

(1) Measures to improve the reliability of control systems (such as QA criteria, environmental qualification, or increased redundancy),
(2) Measures to reduce the effects of control system failures,
(3) Measures to improve the capability of coping with effects of control system failures (such as procedural improvements, improvements in information display, human factors improvements, improvements in operator training, and/or changes in safety system setpoints).
OTHER ACTIONS TO ADDRESS CONTROL SYSTEMS

(1) B&W has completed a failure modes and effects analysis and review of operating experience for their Integrated Control System (ICS) and reported the results in B&W Report BAW-1564, "Integrated Control System Reliability Analysis." Consultants from the Oak Ridge National Laboratory reviewed the B&W report and concluded that although the ICS and related control systems could be improved, the ICS itself has proven to have a low failure rate and does not appear to precipitate a significant number of plant upsets. Failure statistics revealed that only approximately 6 of 162 hardware malfunctions resulted in reactor trip. Oak Ridge has further concluded that the B&W analysis shows that anticipated failures within the ICS are adequately mitigated by the safety systems and that many potential failures would be mitigated by cross-checking features of the control system without even challenging the plant safety systems. Oak Ridge agreed with B&W conclusions regarding control system improvements which could be made to improve overall plant performance. Licensees with B&W plants were requested to evaluate the B&W recommendations and report their follow-up actions. Responses have been received and reviewed. Meetings are being arranged with licensees to evaluate the responses in greater depth.
(2) In September 1979, all licensees were asked to review the possibility of consequential control system failures which could exacerbate the effects of high energy line breaks and identify appropriate actions, where needed, to assure that the postulated events would be adequately mitigated. The review was requested as a result of postulated scenarios involving consequential control system failures identified by Westinghouse and submitted to the NRC by Public Service Electric and Gas Co. All licensees responded to the request and the responses were screened. On the basis of the review, no specific event leading to unacceptable consequences was identified and, in general, control equipment locations were such that consequential failures would be unlikely. Some licensees, however, did make changes to operating procedures to include the possibility of control failures. Although in-depth, systematic reviews were not made by the staff, with considerable reliance being placed on the reviews of the licensees, the Systems Interactions Program includes plans for such reviews. This item is also currently being pursued on operating license applications.
(3) IE Bulletin 79-27 was issued to licensees requesting actions to ensure the adequacy of plant procedures for accomplishing shutdown upon loss of power to any electrical bus supplying power for instruments and controls. Some licensees have taken corrective action including hardware changes and revised procedures to assure that the loss of any single instrument bus would not result in the loss of instrumentation required to mitigate such an event. As part of OL licensing reviews, we are making similar requests of OL applicants.
(4) The Office of Standards Development is coordinating efforts with the IEEE to establish design criteria for systems important to safety which are not covered by, and do not need to meet, all of the rigorous standards for safety grade equipment but nevertheless are sufficiently important to safety to be included in the NRC review process.

(5) Implementation of Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant And Environs Conditions During And Following An Accident," NUREG-0737, "Clarification of TMI Action Plan Requirements," and NUREG-0696, "Functional Criteria for Emergency Response Facilities," will significantly upgrade the amount and quality of information available to the operator to diagnose and respond to control system failures.
(6) Standard Review Plan Section 7.7 calls for staff reviews to assure that failures of control systems will not impair the capability of the protection system in any significant manner or cause plant conditions more severe than those for which the plant safety systems are designed. The staff has pursued these reviews primarily to ensure that electrical interconnections between protection systems and control systems are implemented such that failures in control system equipment cannot impair the operation of protection system equipment. The Chapter 15 design basis event analyses have also been reviewed to assure that sufficient conservatism has been assumed so that these analyses adequately bound the consequences of single control system failures. The Instrumentation and Control Systems Branch is currently reviewing control system designs of OL applicants to determine whether the Chapter 15 design basis analyses also bound multiple control system failures initiated by credible malfunctions of common power sources or sensors. In addition, we have requested that the potential for control system malfunctions caused by high energy line breaks be reviewed by OL applicants. These reviews will provide additional insight regarding the impact of control systems on plant safety.