Text

% is gha mICg I'% m k'h UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555

%aj FEB

. 1980 Generic Task No. A-17 fir. D. J. McCloskey Sandia Laboratories P. O. Box 5800 Albuquerque, New Mexico 87185

Dear Mr. McCloskey:

SUBJECT:

PROGRAM PROPOSAL (SCHEDULE 189) FOR PHASE II WORK ON SYSTEtiS INTERACTION We have reviewed your draft Program and Budget Proposal, Schedule 189, for additional work on Systems Interaction Methodology Development. We believe that your proposal is oriented mostly to doing additional scope studies. We prefer that the work be directed more toward accomplishing s;ecific tasks even though that work may be a modest part of a much larger possible effort. With that in mind, here are five possible tasks that we believe should be accomplished as an interim program which we will call Phase II. We request that you consider the time and resources that are needed to complete these tasks, recognizing that Tasks 4 and 5 may not be practical at this time.

Task 1: RCPB Miticating Systems Develop the branch of the fault tree identified as failure of the RCPB fault tree with this added branch and compare the cut sets derived from this evaluation with the cut sets obtained in the Phase I evaluation.

This will provide the opportunity to detennine potential systems interaction between those systems whose failure may lead to a loss of RCPB and those systems designed to mitigate the consequences of that situation. To a large extent, the fault trees for the decay heat removal function already hava most of the component arrangements

' that would be used for the RCPB mitigating systems.

Therefore, development of this additional branch for mitigating systems should be accomplished within a reasonable time and resources.

Task 2:

Human Error Analysis With regard to Task 2 on human error analyses, we agree that some effort is needed in this area provided that it is carefully coordinated with any efforts that may go forward under other activities such as 8o03060 M

Mr. D. J. McCloskey FEB d 30 the Integrated Reliability Evaluation Pragram (IREP).

In this regard, a scoping study would be very useful. The scoping study should include identification and analysis of the various ways to expand the systems interaction methodology to include operator errors and a reconrnendation, based on cost / payoff, as to which one should be used.

Recognizing that a scoping study can be useful, we still believe that the fault trees derived for the Phase I effort can be used directly to evaluate a particular class of operator errors.

The present fault trees depict a significant number of basic events where the component is already in the faulted state. For example, the fault tree depicts manually operated valves as " failed closed" where the valve is normally in the closed position.

A likely operator error is that the valve remains closed either because the operator fails to recognize the fault or cannot be expected or able to take corrective action. We believe that cut sets can be derived by assuming that the faulted event has occurred, and that these cut sets will be significantly different because of the "three independent event" criteria that was used in Phase I.

There are also a significant number of operator actions like realignment of components for the purpose of testing, or the deactivation of com-ponents for maintenance as allowed by plant technical specifications.

These actions negate redundancy for a specified period of time. Again, there is a potential that some permissible operations may reduce the number of independent events and thus change the cut sets significantly.

We believe that new cut sets can be derived for these assumed plant conditions as part of an investigation of operator errors.

Task 3: Technical Transfer Packaae We agree that your proposed Task 3, while it is not a research type task, is important to the ultimate resolution of the generic issue on systems interaction. We believe that the preparation of the final report on Phase I should, however, be done under the existing Phase I funding.

If the nature of our comments on Phase I turn out to be more extensive than we now expect, we will reconsider the need for additional resources under the Phase I work program schedule of funds.

There has

• been some concern expressed that in the generic review, many potential inter tions were ruled out due to specific criteria in the Standard Revit Ian that would preclude such an interaction. However, operating plants may not confonn to the particular criterion in the SRP that was relied on. To make the results of Task A-17 useful for operating plants, the transfer package should identify those areas where an SRP criterion was relied on to screen out cut sets, and then identify the SRP criterion relied on.

It does not appear so obvious that all of these particular cut sets are now identified in your draft Final Report on Phase I.

a a.

B b rz)

Mr. D. J. McCloskey Task 4: Methods of Identifying Dynamic Effects There is a question whether the fault tree / event tree method is really an effective way of analyzing for the dynamic fluid, thermal, or electrical effects of systems interaction because the fault tree lacks the time-dependent effects, and the fault tree does not account for sequence of faults. Therefore, we have a feeling that the fault tree /

event tree methods have limited capability to reveal sur.h interacticns.

Other methods of analysis have been suggested such as disturbance analysis. We believe that other analysis techniques should be researched and recorxnendations made on what other methods appear to be feasible.

Task 5: Multiole Failures of Components The present fault trees and evaluations by the SETS code do not account for multiple failures of components which do not appear in the faults because their failure does not lead to the top event.

Yet these failures can separately cause failures of components which do appear in the cut sets as independent events.

In other words, there are potential linking characteristics that were not included in Phase I but which may have relatively high probability.

These potential events can reduce otherwise independent events to a common event. We believe that the present methods developed in Phase I should be explored for potential application to this investigation of multiple failures of non-safety equipment which can collectively affect the performance of components whose faults can lead to the top event of the fault tree.

We request that you revise your program proposal along the lines mentioned above, and suggest that you identify the program as Phase II to avoid confus on.

Sincerely,

\\

' l ' l'-

oW, i<.4cu m y ' Unresolved Safety Issues Program Stephen H. Hancuer, Director

.