Text

[

??

.t.

/

/

j, y ^ f c/

A?t1/ n '

[3/[,(h,

~

/

7' SYSTEMS INTERACTION ANALYSIS - SRP TASK

/4 -I +

The analysis task of Systems Interaction Methodology Development Program includes a study of the Standard Review Plan (SRP) and supporting documents to determine whether or not the potential systems interactions found in the study are addressed in the licensing review process.

The first step in this process is a grouping of potential systems interactions into broad categories.

Two purposes are served by this categorization:

1)

Large numbers of cut sets involving components are reduced to a lesser number of representative cut sets involving systems.

2)

The very specific types of interactions on the component level are redefined in more general terms of the Standard Review Plan.

Table 1 illustrates this process for a branch of one tree (decay heat removal using the secondary coolant systems for loss of offsite power during hot shutdown).

In the case shown, actuation and control faults were found to create potential interactions that could lead directly to the top event.

The components and systems involved for all literals of the cut sets of concern were determined and grouped as shown.

In the example, 12 cut sets were reduced to one larger category; that is, the potential systems interactions of control power or actuation affecting the three trains of 1732 286 80011100*/4-

auxiliary feedwater.

This broader grouping and others like it were used to define the question to be asked about the Standard Review Plan.

The results of the SRP task are given below.

It is realized that this example is rather elementary (i.e., a fault tree was not needed to realize that all three trains of auxiliary feedwater should not be susceptible to an interaction); however, it is expected that a complete analysis for each fault tree will reveal some Inuch less obvious potentials for interaction.

Standard Review Plan Results The questions, as defined by the process above, are listed below:

Does the SRP and its supporting documents ensure that:

1)

At least two trains of auxiliary feedwatcr are required?

2)

The trains of the auxiliary feedwater are independent in a)

Motive Power?

b)

Control Power?

c)

Actuation?

d)

Location?

e)

Cooling?

f)

Lubrication?

1732 287

In review of the SRP and supporting documents, the basic approach was to first review the basic system SRP's which would address the auxiliary feedwater system itself.

From an over-all system viewpoint this is SRP 10.4.9 and from an electrical standpoint, SRP's 7.3 and 7.4 were reviewed.

These further reference other SRPs, Branch Technical Positions, General Design Criteria, Regulatory Guides, and IEEE Standards.

These were scanned to determine what additional requirements were imposed by these documents which would impact the questions above.

The results of our review is as follows:

1)

Are two trains or more of auxiliary feedwater required?

A number of general statements were found which would imply a "yes" answer to the above question.

Examples are listed below.

From SRP 10.4.9 - The auxiliary.feedwater system is reviewed to determine that a single malfunction, a failure of a component or the loss of a cooling source does not reduce the safety-related functional performance capabilities of the system.

Also From SRP 10. 4. 9 -

the system shall be capable to withstand a single active failure...

portions of the system can be isolated...

... assure redundancy of components 1732 288

From BTP APCSB10 The piping arrangement should be such that any combination of steam generators can be fed...

- Sufficient redundancy should exist to withstand a single active component failure.

A few specific references were found to the amount of redundancy required in the auxiliary feedwater system, as a whole:

From BTP APCSB 10 The auxiliary feedwater system should consist of at least two full capacity, independent systems

- The system should be able to withstand the rupture of any high energy section of the system, assuming a concurrent single active failure (may imply 3 trains).

From BTP-EICSB The system must withstand an aux feed pipe break inside contaiament together with a single electrical failure (active) in the aux feed system or in the onsite system (may imply 3 trains).

Other implications to the requirement of 2 or more trains are found in the answers to question 2 discussed below.

21 Are the trains required to be independent in actuation, control power, motive power, location, cooling, and lubrication?

1732 289

. Besides the more general statements already mentioned, the following references provided more detailed information on the areas addressed in question 2:

2a)

Motive Power:

From SRP 10.4.9 - Diverse motive power sources should exist.

- AFW pump drive and power supply diversity shall exist.

From BTP APCSB.10 The auxiliary feedwater system should...

include diverse power sources.

- There shall be separate and multiple sources of motive energy.

2b & c)

Control and Actuation:

From SRP 7.3 - The adequacy of physical separation criteria for cabling and electrical power equipment is reviewed.

- Make sure control and motive power are from redundant sources.

- Also covers supporting systems essential to ESF operation.

From SRP 7.4 - Covers review for redundancy and single failure susceptibility for the power, logic, 1732 290

and instrumentation of the main system and all supporting systems.

From IEEE 279 - This is probably the best overall document in this area and essentially stresses those requirements to meet single failure,redun-dancy, and channel independence of safety systems and their supporting systems.

From Reg Guide 1.75 - Includes physical and electrical separation requirements for electric systems.

2d)

Location:

From SRP 10.4.9 - There shall be physical separation or shielding to protect from missiles.

- The location and the design of the system, structures, and pump rooms are reviewed to determine that the degree of protec--

tion provided (from natural phenomena and missiles) is adequate.

2e & f)

Cooling and Lubrication:

No specific references to the auxiliary feed system cooling and lubrication support systems can be found.

Statements in other categories above as they apply to the auxiliary feed system support systems can be applied here.

SRPs 9.4.5, 9.2.1, 1732 29i

_7-and 9.2.2 do cover cooling and ventilation systems in general and will be the subject of other system interaction reviews.

Finally, although other documents such as the General Design Criteria, other Regulatory Guides, etc. make the same requirements as those mentioned above or elaborate on those requirements, none were found which would more specifically answer the questions herein the.n the statements already given.

Conclusion Questions 1 and 2a-c are addressed directly in the Standard Review Plan.

The potential common mode involving location is only dealt with specifically in reference to missiles and natural phenomena.

The potential common modes in 2e and f (cooling and lubrication) are not dealt with specifically in reference to the auxiliary feedwater system.

The only SRP statement that would preclude the interactions in 2d-f would be the statement of the single failure criterion, but it is emphasized that the areas of cooling, lubrication, and location are not dealt'with specifically in reference to the single failure criterion.

1732 292

POTENTIAL INTERACTION GROUPING DHR-SEC-LOP-HS SINGLES POTENT'IAL AFWS TRAIN A AFWS TRAIN B AFWS TURBINE TRAIN CONTROL SYSTEM INTERACTION PUMP MOVs A0Vs PUMP MOVs A0Vs TURBINE VALVES MOVs A0Vs ACTUATION X

X X

and CONTROL X

X X

X X

X X

X X

X X

X X

X X

X X

X X

X X

X X

X X

X X

X X

X N

X X

X u

N f

Ne U

SYSTEMS INTERACTIONS EXPECTED RESULTS Upon completion of Phase I of the Systems Interaction Program the following will have been accomplished.

A method will have been developed for systematically identifying systems interactions which are important to safety.

The method will be applicable to a wide range of interaction types.

The developed methodology will have been applied to the Watts Bar Pressurized Water Reactor to demonstrate its use.

The application to Watts Bar will, however, be limited in scope.

The Standard Review Plan and its supporting documents will have been reviewed to determine if the interactions found to be important in the application of the methodology to Watts Bar are covered in the Plan.

Areas not explicitly covered will be delineated.

1732 294

SYSTEMS INTERACTIONS CRITERIA FOR IMPORTANCE The criteria being used in the systems interaction program to assess the importance of potential systems interaction f all into two categories:

those used to identify important systems interactions and those used to rank them.

To identify important systems interactions, the following topics are considered:

A.

Unacceptable Core Damage:

Unacceptable core damage is the top event of the fault tree.

Thus, only systems whose failure would contribute to this tcp event are included in the trees.

Thus the first criterion is:

for a potential systems iteraction to be important, it must have the potential for increasing the likelihood of unacceptable core damage.

B.

Plant Functions:

The loss of any of four major functions could result in unacceptable core reactor shutdown, decay heat removal, damage:

protection of the RCS boundary, and LOCA mitigation.

The decision was made (by NRC) that the study should be limited to the first three since the latter was being adequately handled in other programs.

Thus for a systems interaction to be important in Phase I of this study, it must have the potential for increasing the likelihood of loss of one of the following three functions:

reactor shutdown, decay heat removal or protection of the RCS boundary.

1732 295 C.

Cutset Components:

The first step of the evaluation is to determine the cutsets associated with each of the three functions.

The cutsets identify the combinations of components which, if failed, would lead to loss of a functions.

Component failures, or other common causes leading to loss of more than one component in a cutset have a greater potential of increasing the likelihood of loss of a function than an event of equal likelihood which causes loss of only one component in a cutset.

Thus, for a systems interaction to be important, it must have the potential for causing failure of two or more components in a cutset.

D.

Common Characteristics:

The method chosen for identifying potential systems interactions is by identifying common characteristics between components.

The common characteristics chosen are ones that could result in systems interactions.

There are, of course,

many such characteristics.

The range of interactions to be treated in Phase I of the program was limited to two categories:

physical and spatial.

The common physical characteristics were further categorized into lubrication, cooling, control, motive power, and actuation system.

Thus, for a systems interaction to be identified as important in Phase I of the program it must originate from a common physical or spatial characteristics.

1732 296

To rank the important systems interactions, the cutsets will be ordered by the number of failures required.

If two or more components in a cutset share a common characteristic, then they will be counted as one failure.

Further.among chose with the same number of f ailures, those with the largest number of common characteristics will be considered as more important.

Then the potential systems interactions represented by common characteristics in cutsets will be identified and ranked based on which ones appear in cutsets with the lowest number of failures.

The above criteria for identifying and ranking potential systems interactions is intended to focus the effort on those areas where potential systems interactions would have the greatest undesirable impact on safety.

I732 297

0sJ J

CmI'-

N N

0oC s

me s

t s

t s

t n

y n

e e

S e

e, m

p s

d k

n o

l m g

is ae o

c oe n

ct unrr S

ot i

nl qaei Ps t

I u hchv e

y a

a titn e

d lS gs tF rrOE r

i e

i r n

ar u

s e

ue t e eg Eu

,l t

t l

Ft ih un

,Hoa c

u p

s Mt qi

,d m a

O i

t a O

et d

ar nf r t

nw A

ri oeno aue R

l ed Cl f m orrn mnh W

u pa Ol ni li ob uat B

M SR LA IL FFTA HMO y

q r

e a

r s

d F

n n

o u

e i

o t

t e

B a

c p

l r

a o

S a

e r

c Cnv nd e

S Rwo oo t

om iM n

n fde t

I i

e otR af h

r u

ro s

t o

nht e

w m

i C

oSa ps f

e W

i e

Ot l

t r

t rH n

al s

e o

co l e l

ca y

l t

ety ad a

ii S

g c

t ca mi m

st R

n a

oac rc r

ya W

i e

ree on o

hp P

S R

PRD NI N

PS sno i

l t

a i

i d

r n

y e

s o

r t

s n

C) o e

a n

o 2

g t

M o

i l -

e i

i t) a8 s

t S

e t

i2 t1 n

a e

v c

d -

nN o

C p

r i

n n8 e(

i y

e t

u o1 m

t T

P cs F

CN n

c ae

(

o a

t s

oc t

t r

r n

t ir n

n i

e a

i du a

a v

t l

n ao l

l n

n P

U RS P

P E

I

.