Text

{{#Wiki_filter:EY 1* NUCLEAR REGULATORY COMMISSION -{ g'([g5 ADVlsORY COMMITTEE ON REACTOR SAFEGUARDS g .. //,p. WASHINGTON. D. C. 20555 January 17, 1979 C%/p N Pb a %/n T0: M. Bender, Chairman Plant Arrangements Subcommittee FROM: C. te n

SUBJECT:

REMARKS CONCERT:ING SUBCOMMITTEE MEETING ON PLANT ARRANGEMENTS, OCTOBER 25, 1978 The following remarks are concerned with the presentations which were made at the subject subcommittee meeting. I hope they will add further perspective to the important problem of systems interaction and aid the subcommittee in their deliberations. I. REMARKS CONCERNING PRESENTATION BY JACK HICKMAN AND WALLY CRAMOND ON THE SANDIA STUDY OF SYSTEMS lhTERACTIUN Sandia seems to approach the problem of systems interaction by identifying which systems are important to safety and then trying to determine the safety significant interactions that might occur involving these systems and evaluate their effect on the performance of required safety functions. This is a logical way to approach the problem if its pitfalls are recognized and appropriately accommodated. In order to limit the scope of work to a manageable size, the study is being narrowed to events during normal plant operations and off-normal incidents of moderate frequency. The apparent intention is to develop a methodology that can be applied later to other plant conditions. The objective seems to be to develop a broadly applicable methodology as quickly as possible and use it to verify that the NRC Standard Review Plan and industry methods of handling the systems interaction problem are adequate. As a further clarification of scope, Sandia is apparently concentrating on systems interaction that might significantly reduce the ability to (1) shut down the reactor, (2) remove decay heat, or (3) protect the reactor coolant system and prevent a LOCA. These are certainly the priority safety performance objectives for any plant involved in a non-LOCA event irrespective of interaction effects. I have no real concern with this basic approach to the problem, as opposed to alternative ways. It is clearly straightforward and, therefore, amend-able to methodical development, but I can forsee certain difficulties and limitations such as discussed below: i 1. Interactions are considered to arise from the existence of commonalities. Some of these commonalities are easy to see but others are deeply hidden in the design or arrangement and are difficult to identify until after they expose themselves. Unfortunately, the exposure is often associated with a safety-significant event. One commonality of concern is associated i 7903150 /#/4

PLAfiT ARRAfiGEMEliTS. with invironmental conductors." These are conductors which are capable of transferring adverse environmental influences from one area to another during an event. Such conductors may appear obvious such as for the case of the back flow of hot air, vapor, or combustible gas through a ventilation duct following a fan failure. In other cases, the conductor may be subtle such as when water flows through an electrical conduit to a remote electrical board following the failure of a water-cooled component. These environmental conductors need to be identified if the fault trees are to be complete. 2. tiornal plant operations include mair.tenance and testing. Associa-ted with these operations is the recuirement to use off-normal system alignments and procedures such as prescribed by the plant technical specifications. These alignments and procedures need to be examined to determine if unicue interaction possibilities are established. Since the number cf maintenance and test possibilities and their various allcwable combinations are large and plant specific, it is not clear how this could be factored into the study. However, because a significant fraction of total plant operating time will involve such operations, it is not clear that they can be disregar:ed. 3. If the Sandia study is to include i cidents of moderate frequency, it would appear that some considera-ion needs to be given to system interaction possibilities associated with operator errors, such as malalignments, whic are normally treated as plant upset conditions. Since the number of possibilities for such errors is limitless, it may be difficult to handle as a require-ment; but it is not clear that it sr.ould be disregarded. 4 The failure mode of a component car have an important influence on the extent of interactions which might result during the event. For instance, severe ancing in electrical switchgear during tail-ure would produce electromagnetic radiation which may interact adversely with solid states control modules in the area. The rupture of a water line associated ith a component could produce a water spray on a number of adjace-components. The leakage of a hydrogen cover gas line could '.ead to a flash fire or ex-plosion with extensive interactions. Such effects are difficult to predict and account for in a stL:y, but appear to be associated with normal plant operation. It is nct clear how such spacial couplings will be handled.

PLAflT ARRAfiGEMEflTS. 5. The importance or effect of spacial coupling should be determined, in part, by the susceptability of the components in-volved to whatever the challenge might be in the space. For instance, a spacial coupling based on the development of a water spray during component failure cannot exist if all potential targets are resistant to spray. Similar arguments pertain to other spacial challenges such as elevated temperature, flooding, electromagnetic radiation, and steam releases. Unfortunately, detailed information concerning such environmental effects on components is often lacking. 6. It is not clear as to what extent and how possible single active component failures will be included when looking for possible interactions following a given initiating event within the scope of study. Such single failures are generally included in the plant safety analysis and might involve spacial cr physical couplings through otherwise unrelated systems. How will these interactions be handled? 7. Interactions may result from degradations in the quality character-istics of essential supporting auxiliary services such as electric power, cooling water, and control air. The consideration here is not a loss of these services but their degradation. Large variations in voltage, frequency, water pressure, etc. can adversely affect the performance characteristics of components and systems and introduce interactions which can affect many systems. It is not clear how the Sandia study will uncover such interaction possibilities. 8. The total loss of essential supporting auxiliary services such as electric power, cooling water, and control air is also an im-portant consideration, but, in some cases, the interruption effects are more dramatic if only a selective loss is incurred. For example, if electric power is lost to control instruments but not to control logic, the logic will attempt to respond to the failure mode of the instrument (upscale, downscale, or as is) and produce unusual control responses. Misinformation may also be supplied to the operator; it is not clear that the Sandia work will expose interactions of this kind. 9. Essential supporting auxiliary services are also subject to interaction effects resulting from aut;.natic transfers, load shedding, or load additions. Such maneuvers have a potential to overload essential services throuch failure to isolate or the addition of unwanted loads. Some of the load shedding in cooling water and control cir systems may involve non-qualified loads. In many cases, the normal supply for the service is non-

PLAfiT ARRA!;GE!4E!JTS - 9. qualified with some type of automatic transfer to the quali-fied source. The ultimate effect of overloading might be a degradation in the quality characteristics of the auxiliary ser-vice or a partial or total loss of the service. Any one of these effects may produce adverse interactions which need to be in-cluded in the study. It is not clear that they already appear in the fault trees. Interactions between the auxiliary supply services should also be considered. 10. It is not clear that the Sandia methodology will take account of the cause and effect relationships which may develop sequen-tially as e result of interactions occurring during an event. If the interaction effect of one cause creates another cause and interaction effect, etc., then the interactions should be evaluated in proper sequence. This certainly complicates the fault tree and its programming.

11. An accidental actuation of systems such as fire protection or containment spray should be treated as a plant upset condition and evaluated for possible adverse interaction effects.

It is not clear that this will be ir.cluded in the intended scope of study.

12. Reactor vessel head removal and refueling are modes of normal operation and should receive attention relative to possible adverse interactions. Head removal is of special concern since it represents a duration of jeopardy during which pressurization is not possible (e.g, head bolts may be loose) and the steam generators are no longer functional as heat sinks.

The reactor core cannot communicate effectively with the steam generators by convective flow or an evaporation / condensation process. The core decay heat must be removed by the decay heat removal system. A failure to ao so could lead to dangerous modes of heat removal. The unique nature of the plant alignment, physical configuration, and operational procedures during this time could give rise to unusual interaction possibilities that might other-wise escape notice. During and after head removal, the inter-action studies should also extend to systems involved in the handling of heavy objects which could be dropped into the open core.

13. Apparently human interactions with ;/ stems will be included in the Sandia fault trees, but I can foresee a real complication in model-ing man / machine interaction situations such as operator response based on misinformation, or operator reacting to conflicting information.

PLAT 1T ARRAtlGEMEfiT5 '

14. An area of unusual interaction complication is the interface between the process systems and their control and protection systems.

Involved here are interfaces with both qualified and non-qualified controls and with the human operator. Some of the networks involved are very complex and would be difficult to adequately model in a fault tree. Many of the networks must be treated as " black boxes" for manageable simplicity. The wide-spread use of solid states control modules further complicates the problem because their spacial interfaces are susceptible to environmental changes. Also involved is the plant computer and the plant solid states control system with its many human and process interfaces and multiple opportunities for spacial and physical interaction. Of particular concern is its potential vulnerability and fast adverse response to human error during on-line maintenance (e.g., dropping an indicating light bulb). It is not clear how and to what extent Sandia will include such items in their fault trees.

PLANT ARRANGEMENTS. II. GENERAL REMARKS CONCERNING NRC PROGRAM FOR IDENTIFYING SYSTEM INTERACTIONS This whole question of system interactions is rather complex and the possible breadth of consideration could be virtually limitless. Fault trees could be developed to include almost any concern, but, somehow, the scope of such a study must be confined to reasonable limits. My various comments concerning the Sandia work are inter.hd to help identify the potential scope of this problem and thereby exemplify the shortcomings involved when striving for simplicity. They should not be interpreted as a recommendation for an expanded scope and they are not intended to detract from the high quality of the work being done. The work being performed by Sandia appears to be developing along rigorous academic lines with well defined bounds based on resource limitations and NRC safety priorities. However, the methodological procedures being developed do not appear promising at this time as practical tools for a plant designer or reviewer. They already seem rather complex to use and pro-bably have limitations which, if overcome, would only add to their complexity. I can forsee the Sandia methodology as a useful means for an in-depth study of adverse interactions on a limited scale. However, the work likely to be required in developing the unique features of the fault trees for an entire specific plant will probably make it a prohibitive technique for routine review purposes. Certain plants may share some common fault tree branches, but a large number will be plant specific and will most likely require con-siderable work to assure reliable evaluation results. Of course, it is still important to find out how far such a methodology can be developed and applied to produce realistic and useful results. The system interactions of particular concern during plant design and safety review are those which are difficult to predict and find by simple inspection and which are safety significant. For these, appropriate experience is one of the best tools available to the reviewer. The problem is, however, that it is usually difficult to acquire the appropriate experience. This might be done through a prolonged exposure to the nuclear plant design review process with special emphasis on developing an in-depth understanding of how the plant responds to various postulated events and how the safety systems function for each case. If during this exposure various adverse plant interactions are uncovered and resolved, the experience acquired thereby will tend to sharpen the reviewer's ability to uncover additional, but similar, interactions and eventaully develop a higher degree.of sophistication and sensitivity to the more subtle interaction possibilities. This is likely to require a prolonged work exposure and may not provide the needed experience unless the mission of the reviewer is to seek out such interactions and he is provided with dedicated supervision and resources with which to do the job. While striving to acquire appropriate experience, there are some important assists available to help expedite the process. For instance, Licensee Event Reports can provide valuable insight into the kinds of interactions which

VLum nnnrc;0cirrin - might occur and thereby aid the reviewer in uncovering similar possibilities in other plants and enhance the learning process. Experiences acquired during plant preoperational and startup testing can prove invaluable in developing the needed depth of understanding of how the plant and safety systems behave and, to some extent, help to uncover interaction possibilities. Academic studies and tools such as provided by Sandia may also prove helpful in the training process by providing a theoretical basis for how some of the interactions come about and yield additional examples of what to look for. However, in my opinion it takes a proper mix of these various activities to develop the appropriate experience needed by the designer and reviewer to assure an adequate treatment of the systems interaction problem. The methodologica' techniques such as being developed by Sandia should not be considered as the principal tool. Ha'ing acquired the appropriate experience, it is essential to conccentrate it in a dedicated organizational unit whose mission is clearly systems interaction oriented. It is from such an experienced unit that we could expect the development of better and more practical methods for handling the interaction problem. These methods might include additional analytical techniques, but a more promising cutput might be the publication of system interaction case studies based on actual experience and exemplifying the kinds of interaction problems that have been uncovered and how they are handled. Such case studies could be distributed like the " Operating Experience Bulletins" and would help to develop a competent experience base throughout the industry. The costs involved in pulling together the appropriate experience into an adequately staffed unit will probably exceed the reasonable expecta-tions of most utilities. It appears that the f;RC is in the best position to provide the needed continuing effort (either in-house or under contract).

' PLANT ARRAf;GEMENTS -L-III. REMARKS CONCERf!If1G PRESEf1TATI0f! BY JOHN ANDERSON Ofi ORNL WORK ORNL seems to approach the problem of control system / protection system inter-actions by looking for the direct interactions between these systems and not the subtle ones. They are looking at failures and degradations, and evaluating their effects. They are not using formalized fault trees. As an alternative to the Sandia work, this is also a logical way to approach the interaction problem and should provide useful results. It represents another input to the activity mix needed to develop an appropriate experience base. It may, however, be limited in its depth of consideration. I have no specific comments on the ORfiL work.

PLAtlT ARRAtlGEf4Ef4TS. IV. REMARKS CONCERilING PRESEtiTATIONS BY JERRY VELLENDER AND CORDELL REED ON ZION SYSTEM II.TERACTIONS STUDY The Commonwealth of Edison Co. Zion System Interactions Study was based on a review of over 9,000 Licensee Event Reports of which 267 were considered to be applicable to Zion and 67 of which were selected for detailed consid-eration by Fluor Pioneer, Inc. The study concentrated on interactions relating to failures that could interfere with shutdown heat removal. The technique was to look at each LER and determine if it had impaired or degraded non-accident heat removal. If so, it was determined if it could happen at Zion and what corrective action might be needed. I would like to make the following observations and comments concerning this study. 1. Although the work performed by Fluor Pioneer could be considered an independent review of the 67 LER situations selected by Commonwealth Edison, it should not be considered an independent review of the systems interaction potential at Zion. This could only be claimed if Fluor Pioneer had performed the data reduction on the 9,000 LER's and selected the appropriate ones for detailed consideration. 2. The data reduction was based on looking for those LER's which produced system interactions considered adverse to shutdown heat removal. It is my understanding that if no adverse interaction occurred, the LER was not selected for detailed study. This might be a reasonable decision where the equipment and plant arrangement are sufficiently similar to those at Zion. It is not reasonable or correct if certain differences should exist, For instance, if the LER under study is related to a flooding event for which the equipment involved is already designed to accommodate, no adverse interactions should result at that plant and the LER would not be selected for additional study. If, however, the comparable equipment at Zion is not designed for flooding, then an adverse interaction might be experienced and the LER should be selected for further study to make this determination. Other types of potential interactions are also sensitive to equipment design and layout differences which need to be considered. It is not clear how many of the nearly 9,000 LER's reviewed and discarded might be included in this category and should have been selected for further study. Unless suitably clarified, it should be con-sidered a basic shortcoming of the study. 3. An examination of LER's amounts to an examination of the historical record. The corrective actions taken should assure that history will not repeat itself, but it does not assure freedom from other adverse systems interactions. Some of the most serious interactior.s may not have taken place yet at some plant, or there may be interaction sit-

PLAf1T ARRAftGEMENTS. uations unique to Zion that remain to be exposed. The Zion study is certainly well done and useful as a contri-bution to the needed case studies, but it should be recog-nized as very limited in scope if the desired objective is to uncover the full spectrtm of potential adverse inter-actions at the plant before they become self evident. 4. It was pointed out as a major conclusion in the Fluor Pioneer report that generic studies such as requested by the NRC for pipe breaks had already resulted in modifications to Zion which substantially reduced adverse interactions to such events. If this is the case, then I am somewhat surprised that the systems interaction study uncovered a problem with entry and accumulation of water in electrical boxes. I would have thought that water released as sprays, jets, or cascades during the pipe break studies would very likely enter some of these boxes and flag the drain hole problem for corrective action. 5. Since the control air system at Zion was not included in the list of systems for consideration, I assume it is classified as non-essential. If so, it is an important example of a non-safety system which may have a potential for safety-related system interactions which should be evaluated. PWR's of the Zion class usually make widespread use of air operated valves for process isolation and control for both the NSSS supply (Westinghouse) and the B0P (AE design). On loss of control air, these valves revert to safe positions as determined by an appropriate analysis. Such reversions may introduce safety-significant effects when one considers the number of valves and other control components undergoing simultaneous change, and the multiple loss of process control due to the control air failure. In some cases, both trains of redundant equipment may be involved and more than one unit in the plant. The acceptability of this loss must be evaluated using plant specific information and certain assumptions concerning manual operation. Special attention should be given to the effect on such im-portant essential functions as auxiliary feedwater control, RCS chemical volume and control (makeup and letdown), and the continuation of acceptable performance for environmental control systems which are predominantly air operated (for dampers and process control). The loss of environmental control may interact adversely with such items as instrumen-tation and control (particularly where solid states modules are used), and electric power system components (e.g., motors, transformers,andswitchgearcontrol). In my opinion, the, control air system should have been included for consideration even if classified as non-essential.

PLANT ARRANGEMENTS. 6. Other non-essential systems of concern and related to systems interaction are the non-IE electrical power (AC and DC), in-strumentation and control, and plant computer systems. Although none of these systems are considered essential, they do inter-face strongly with the plant operator. Certain initiating events in these systems during normal operations can lead to extensive displays of maloperation, misinformation, and unwanted responses which must be interpreted and corrected quickly by the plant operator. If left uncorrected, they may lead to safety-significant degraded conditions. It is not clear that such non-essential systems were included in the interaction study. Although perhaps less critical than the control air system, I believe they should have been considered.

PLANT ARRANGEMENTS,- V. GENERAL REMARKS CONCERNING NRC PROGRAM FOR REVIEW OF LICENSEE EVENT N_T S, The NRC orogram for review of LER's is an important aspect of the systems interaction work, but its present scope within NRC is unclear. Perhaps the subcommittee may wish to ask for a short presentation on this subject at a future meeting. For now, I would like to make the following observa-tions for your consideration. 1. The LER's are an important source of real world information which should receive careful evaluation from the viewpoint of uncovering possible systems interactions and providing a feedback of information to the designers and reviewers. The Zion Interaction Study is an example of how this information might be evaluated and used for corrective actions. Eventhough it is "after the fact" information, it is still useful. Additional and more comprehensive work of this type needs to be done if the nuclear industry is to benefit fully from this past experience. In my opinion, the NRC is in the best position to have these studies performed (either in-house or under contract). They have the resources and recognized access to all information and facilities, and are in the best position to monitor the entire industry and thereby predict generic difficulties. According to the NRC people, some work on the LER's is being done within URC, but is does not appear to me that it is adequately dedicated to a determination of possible adverse systems interaction. 2. Perhaps the problem of evaluating LER's for systems interaction could be somewhat eased if the preparer of the LER were required to indicate whether or not a system interaction was involved in the event before giving the details. This should not add sicnificantly to the work of preparing the report and it would make the sorting a lot easier. The main problem is assuring that the preparer of the LER understands the concept of " systems interaction." It would be necessary for the NRC to define the concept with suffiicent clarity to assure consistent usage. This may not be easy, but progress is being made and the concept should become clearer as the principles and examples are developed. 3. As the situation now stands, it appears that the nuclear industry does not have or intend to nave an organized effort to review and evaluate LER's for possible systems interaction as was done in the Zion study. The NRC is reviewing each LER but the scope of this review is not clear. This may mean that valuable experiences are not being adequately utilized from the viewpoint of the systems interaction program. Perhaps the subcommittee could benefit from presentations by the industry on how they view the problem and what they would propose to be done. .}}