ML19296C227

| Field | Value |
|---|---|
| Issue date | 01/29/1980 |
| From | Norberg J, NRC Office of Standards Development |
| To | Hanauer S, NRC - TMI-2 Unresolved Safety Issues Task Force |
| Shared package | ML19296C199 |
| References | REF-GTECI-A-17, REF-GTECI-SY, TASK-A-17, TASK-OR, NUDOCS 8002250417 |

ENCLOSURE 4

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

JAN 29 1980

MEMORANDUM FOR: S. H. Hanauer, Director, Unresolved Safety Issues Program

FROM: J. A. Norberg, Chief, Engineering Methodology Standards Branch, Division of Engineering Standards, Office of Standards Development

SUBJECT: NRC STAFF REVIEW OF DRAFT REPORT ON PHASE I OF GENERIC TASK NO. A-17

In response to your memorandum dated January 2, 1980, a review of the draft Report on Phase I of Generic Task No. A-17 and its associated fault trees has been conducted.
Attached are comments on the report (Enclosure 1) and the fault trees (Enclosure 2).
In addition, a list of suggested areas for consideration in follow-on system interaction studies (Enclosure 3) is provided.
In your memorandum, you requested comments concerning revision of the Standard Review Plan (SRP) in light of the results of the study.
Two general conclusions regarding the SRP are made in the draft report, as well as the identification of a few specific areas where potential interactions exist which are not explicitly covered by the SRP. These conclusions basically recommend that more detailed guidance addressing systems interactions be provided in areas where potential systems interactions are important to safety, and that the review in these areas include a wider spectrum of systems (i.e., non-safety as well as safety systems).
Consideration should be given to beefing up the SRP in those areas.
The study also concluded that a disciplined, systematic methodology is desirable to assure that potential systems interactions important to safety are identified and evaluated.
This conclusion is similar to conclusions or recommendations made by the TMI Lessons Learned Report, President's Commission Report, Rogovin Report, etc.
The planned Integrated Reliability Evaluation Program (IREP) appears to address the general recommendation of a disciplined, systematic methodology, and the systems interaction methodology developed by this study could possibly be a subset of this program.
To factor the systems interaction methodology developed by this study directly into the SRP process would be a significant effort and involve specific training of a large segment of the technical review staff.
While this may be a desirable long range goal, a more immediate step could be to make the methodology a part of the near term IREP effort.
A task in the proposed Phase II of the study could investigate the integrating of the systems interaction methodology into IREP.
A personal conclusion I have reached regarding the SRP, based on the results of this study, is that the SRP in general addresses most of the potential system interactions identified by the study. That is, the study did not identify glaring omissions in the SRP of significant system interaction potentials.
If you have any questions regarding the enclosure, please contact Mr. T. G. Scarbrough.
J. A. Norberg, Chief
Engineering Methodology Standards Branch
Division of Engineering Standards
Office of Standards Development

Enclosures: as stated

cc: J. Angelo

CONTACT: T. G. Scarbrough, 443-5913
Comments on the Draft Final Report on Phase I of the Systems Interaction Methodology Applications Program (dated December 21, 1979)

1. The study involved many instances where the judgement and knowledge of the Sandia personnel in regard to plant systems were necessary to complete the fault tree logic and analysis.
In order to allow for an independent review of the study and its conclusions, the final report should elaborate in areas where the Sandia personnel were required to make specific assumptions.
The following are examples of where additional explanation is necessary.
a. In the DHR fault tree, a specific amount of letdown in excess of charging was assumed to be required for injection of nitrogen gas from the UHIS or a cold leg accumulator. The report should explain the assumptions involved in arriving at this amount of letdown.
b. In Section 2.5, the report discusses the RS fault tree and the reactivity values for various plant conditions and transients. On page 2-23, the report states that there is nothing unique about the reactivity requirements in the study. The report should explain the assumptions behind the selection of the different reactivity values used in the study.
c. The report states on Page 3.7 that operator action outside of the control room is included in the fault tree but excluded from the cut set analysis. The technique utilized to eliminate these failures from the cut sets should be further explained.
d. As discussed in Section 3.3.2, Cut Set Analysis, the study identified potential interactions in which the Sandia personnel were required to determine the feasibility of the interactions in order to classify their safety significance. The assumptions upon which these determinations were based should be elaborated for each potential interaction.
2. In Section 2.0, Fault Tree Development, the report states that since all three branches (loss of DHR, loss of RCPB, and failure to maintain reactor subcriticality) of the fault tree lead to the top event, there is no need to analyze them simultaneously. An inherent assumption of the study due to the fault tree structure is that the probability of achieving a loss of function and the resulting effects of its loss in regard to leading to unacceptable core damage is equal for all three branches.
Since each branch is to be analyzed separately, effort should be made to provide modeling that is as complete as possible.
In particular, the RCPB fault tree should include LOCA mitigating systems and the possible methods to achieve an overpressure condition (e.g., loss of feedwater).
In this manner, each primary function can be analyzed independently while identifying all potential system interactions that could lead to a loss of that particular function.
3. In Section 2.1, Plant Conditions, the report discusses the RCS pressure/temperature limitations shown in Figure 2.2. Saturation temperature requirements should also be included in the graph.
Section 2.1 also addresses the definitions of different plant modes as used in the study.
In order to clarify that these definitions can be modified, the report should state that the boundaries between plant modes can be defined as applicable to a particular plant with the fault trees constructed accordingly.
4. Section 2.4.1, Secondary DHR Systems, discusses removal of decay heat by means of the secondary heat removal systems.
In regard to maintenance of coolant flow, forced circulation is provided during cold shutdown and hot shutdown when the reactor coolant system is below 350 F and 425 psig by use of the RHR pumps. Therefore, this should be incorporated into the fault tree.
Since each plant condition is being treated separately, the fault tree should model all systems necessary for the achievement of the primary function during that particular plant mode. For example, failure of the ability to provide for decay heat removal during the cold shutdown mode may lead to the hot shutdown plant condition, but this result should not be assumed in the construction of the fault tree for the cold shutdown mode.
5. Section 2.4.2, Primary DHR Systems, discusses the use of the RHR system for the removal of heat from the reactor core. Two modes are addressed: (1) recirculation and (2) atmospheric relief. However, the RHR system does not allow for release to the atmosphere, but only to the pressurizer relief tank.
Extended use of this method of heat removal would lead to an increase in containment pressure and temperature. This would require use of the containment spray system and, therefore, this system should be modeled in the fault tree.
6. Section 2.5.2, Boration and Rod Insertion Success Criteria, discusses negative reactivity requirements to ensure reactor subcriticality.
As a result of the assumption that there is sufficient shutdown margin to account for any positive reactivity insertion occurrences during cold shutdown, the report does not analyze reactor subcriticality during this plant condition.
Cold shutdown should be included in the analysis since the maintenance of reactor subcriticality in this plant condition is significantly dependent on boration control.
7. Section 3.0, Fault Tree Analysis Techniques, discusses the analytical techniques used in the study. The term "important to safety" should be clarified since, in this study, this term refers to those systems whose failure could contribute to a loss of one of the three primary functions.
8. In Section 6.0, Analysis Results - Reactor Subcriticality Function, on Page 6-1, it is stated that in the hot standby mode all of the control rods are assumed to be inserted in the core.
However, on Page 6-2, the report discusses the reduced boration requirements if the shutdown rods function. The report should be clarified with regard to the availability of rods at different plant modes.
9. In Section 6.1.3, the report states that all of the potential system interactions that were identified in the RS analysis involved the boration function and that this is not the principal means for achieving subcriticality.
In some plant conditions, particularly after a reactor scram, boration may be the principal means to ensure reactor subcriticality.
Comments on the Final Set of Fault Trees

A. Reactor Coolant Pressure Boundary (RCPB)

1. In regard to a previous comment on the RCPB fault tree, it was agreed that water from the primary water storage tank would be assumed unavailable for a loss of offsite power condition. The fault tree has not been modified to reflect this decision.
2. CVCS-I-POHS

As stated in a memorandum from T. Scarbrough to J. Angelo, dated August 1, 1979, the inputs "Letdown High Pressure Isolation Valves Fail Open" and "Letdown Relief Valve Fails to Open with Overpressure," to "RCS Pressure Boundary Failure due to CVCS Normal Letdown Line" are unnecessary. The blockage of flow downstream of the letdown orifice valves would result in an operating reactor pressure of 2235 psig being applied to the relief valve which has a setpoint of 600 psig. This situation would result in a loss of the reactor coolant pressure boundary.
In resolution of this comment, it was agreed that the entire subtree CVCS-LET-LINES should be deleted and addressed in the DHR fault tree.
In the final version of the RCPB fault tree, this subtree has not been deleted.
B. Decay Heat Removal (DHR)

1. DHR/Sheet 1

In the subtree entitled "Depressurization Due to Loss of Heaters and RCS Saturation" (DEPRESS-HEATERS), the input gate should be changed from an AND gate to a conditional gate to eliminate the requirement for two separate events. The event "RCS Temperature Reaches Saturation Outside the Pressurizer" (RCS-SATURATE) could be a result of the other input "Pressurizer Heaters Unable to Control RCS Pressure." The use of two separate inputs increases the number of cut set literals and could lead to exclusion of the cut set from further study.
Other conditional inputs should be treated in the same manner.
2. DHR/Sheet 1

The DHR fault tree models the loss of the ability to maintain natural circulation. This failure could be the result of loss of the ability to control RCS pressure such as failure of pressurizer level and/or pressure indication.
Portions of control systems have been included in the fault tree logic while others, such as steam generator water level and feedwater flow, have not.
This supports the recommendation that all control systems be incorporated into the fault tree logic.
3. DHR/Sheet 8

As was indicated in my memorandum of October 19, 1979 to J. Angelo, the fault tree structure leading to the failure entitled "RHR Paths from CL1 and CL4 to RHR Pump Trains (RHR-CL14)" appears in error.
The possible failure of the RHR crossover valve from HL to CL14 and the AOV in RHR Pump Train 2 to CL14 would be sufficient to achieve "RHR-CL14."
However, this failure pathway is not apparent in the fault tree.
Also, the logic indicates that the failure of (1) the crossover valve from HL to CL23 and (2) the AOV in RHR Pump Train 1 to CL14 would lead to "RHR-CL14." However, these two failures do not entirely prevent flow, since the pathway thru the heat exchanger bypass is available.
Similarly, on the same sheet the subtree entitled "RHR Paths from CL2 and CL3 to RHR Pump Trains" (RHR-CL23) should be reexamined for possible similar errors.
4. DHR-PRI/Sheet 1

The subtree entitled "Failure of CCPS to Provide DHR Flow" (CCP-SYS-RWST) should model the possible flow path thru the Boron Injection Tank (BIT).
This would provide consistency with flow paths modelled in the other fault trees.
5. DHR-PRI/Sheet 5

The previous comment concerning the RHR-CL14 and CL23 subtrees (DHR/Sheet 8) is also applicable in the DHR-PRI fault tree.
6. DHR-SEC-AFWS/Sheet 4

As stated in my memorandum of October 18, 1979, to J. Angelo, under the subtree "Failure to Dump Steam from SG1 Thru Safety and Relief Valves" (SG1-SD-SRV), the loss of steam relief capability via the power operated relief valve would be sufficient to achieve that failure during the cold shutdown mode.
The fault tree should be modified to account for this situation.
C. Reactor Subcriticality (RS)

1. RS/Sheet 8

It appears that the subtree entitled "Failure to Get 75 GPM or Greater Letdown" (LET 75) should have an additional input entitled "Normal Letdown Path Fails Closed Other than Flow Control Orifices" (NOR-LET-OTHER).

2. PCS-LD-FLO-A/Sheet 1

The input gate to "Train A Loop 12/2 Logic Gate Level Input Fails" (PLF-A-L1-IN) should be an AND gate since only one of the two inputs to this gate is necessary for successful transmittal of a trip signal.

3. Similarly, the input gate to "Train A Loop 12/2 Logic Gate Flow Input Fails" (PLF-A-F1-IN) should be an AND gate.
The other loops should also be revised as discussed above.
SUGGESTED AREAS FOR CONSIDERATION IN FOLLOW-ON SYSTEM INTERACTION STUDIES

1. The study equates an operator error to a single equipment malfunction.
While it is true that in most cases this relationship can be utilized accurately, the operator still has the capability of removing a number of safety features from operation.
For example, upon a safety injection signal and its subsequent reset, the normal charging path has been removed from service and the operator must manually realign the system for normal charging to the reactor vessel.
With this in mind, equating an operator error to a single equipment malfunction may not always be acceptable.
Therefore, potential interactions resulting from a single action should be investigated.
2. The study assumes that all equipment is available for service. Technical specifications, however, allow equipment to be inoperative for a specified period of time during maintenance.
The operational status of plant equipment cannot be assumed to be any greater than the minimum requirements of technical specifications.
Therefore, the fault trees should be reduced to reflect the minimum requirements for operational equipment.
This could be performed as an additional task of the study to investigate failure modes that could further reduce equipment availability.
3. The subtree which models the failure of the "Loss of RCPB mitigating systems" is assumed independent from the "Loss of RCPB" subtree.
The systems so defined are normally the emergency core cooling systems and provide decay heat removal following a loss of RCPB or other emergency conditions.
The subtree entitled "Loss of DHR" has included the flowpaths from the CVCS centrifugal pumps, safety injection pumps and RHR pumps which comprise the majority of the ECC systems. Therefore, the ECC systems have been incorporated to some extent into the DHR subtree, but specifically excluded from the RCPB subtree.
The "RCPB mitigating systems" should be incorporated into the RCPB subtree to provide an opportunity to determine potential system interactions between those systems whose failure may lead to a loss of RCPB and those systems designed to mitigate the consequences of that situation.
4. The report states that cut sets which involve more than three independent events are excluded from further analysis.
The fault trees include many failures which correspond to the normal operational state of a particular component.
If these failures are also determined to be independent, then their presence can result in the deletion of a cut set that represents a realistic failure pathway.
Therefore, those particular cut sets which contain failures corresponding to the normal operational state of the components should be reevaluated for their possible occurrence.
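The two cut set points made in these comments (the DEPRESS-HEATERS gate on DHR/Sheet 1, where a consequence modeled as a separate AND input adds a literal, and the rule that cut sets of more than three events are excluded) can be shown with a small minimal cut set calculation. This is an added example, not part of the memorandum or of the Sandia study; the tree structure, the event names other than DEPRESS-HEATERS and RCS-SATURATE, and the truncation order of three are constructed for illustration.

```python
from itertools import product

# A fault tree node is either a basic event (str) or a (gate, children) tuple.
AND, OR = "AND", "OR"


def minimal_cut_sets(node):
    """Minimal cut sets of a tree as a set of frozensets of basic-event names."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == OR:                      # any one child's cut set fails the gate
        combined = set().union(*child_sets)
    elif gate == AND:                   # one cut set from every child is needed
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # drop any cut set that strictly contains another one (not minimal)
    return {s for s in combined if not any(t < s for t in combined)}


def truncate(cut_sets, max_order=3):
    """Apply the study's rule: keep only cut sets of max_order or fewer events."""
    return {s for s in cut_sets if len(s) <= max_order}


def depress_heaters_tree(conditional):
    """Constructed subtree modeled on the DEPRESS-HEATERS comment (hypothetical
    event names). conditional=False keeps RCS-SATURATE as a separate AND input;
    conditional=True treats it as a consequence of the heater failure, as the
    comment proposes, so it contributes no literal of its own."""
    heaters_fail = (OR, ["HTR-POWER-LOST",
                         (AND, ["HTR-GROUP-A-FAILS", "HTR-GROUP-B-FAILS"])])
    inputs = [heaters_fail, "PRESS-CONTROL-RESTORE-FAILS"]
    if not conditional:
        inputs.append("RCS-SATURATE")
    return (AND, inputs)


def lost_to_truncation(tree, max_order=3):
    """Cut sets that exist in the tree but the truncation rule discards."""
    full = minimal_cut_sets(tree)
    return full - truncate(full, max_order)


def reevaluate(tree, normal_state_events, max_order=3):
    """Discarded cut sets whose order, ignoring events that merely describe the
    normal operational state of a component, would have fit within max_order."""
    return {s for s in lost_to_truncation(tree, max_order)
            if len(s - normal_state_events) <= max_order}


if __name__ == "__main__":
    for mode in (False, True):
        tree = depress_heaters_tree(conditional=mode)
        print("conditional gate" if mode else "separate inputs",
              sorted(sorted(s) for s in minimal_cut_sets(tree)),
              "dropped:", sorted(sorted(s) for s in lost_to_truncation(tree)))
    # hypothetical normal-state event ANDed in: it inflates the order to four
    with_normal = (AND, [depress_heaters_tree(True), "LETDOWN-ISOL-VALVE-OPEN"])
    print(sorted(sorted(s) for s in reevaluate(with_normal, {"LETDOWN-ISOL-VALVE-OPEN"})))
```

With RCS-SATURATE as a separate literal the heater-group cut set has four events and is dropped; modeled as a consequence it has three and survives, and the same recovery applies to a cut set padded by a normal-state event.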
5. In regard to the reactor coolant pump seal failure at the H. B. Robinson Plant on May 1, 1975, a system interaction was involved when the failure of one pump's seals adversely affected the seal flow to the other pumps.
This type of system interaction will not be identified in the Sandia study which investigates only failures leading directly to unacceptable core damage.
However, system interactions of the above type can increase the severity of the problem.
Even though this could be a complex undertaking, this aspect of potential systems interaction should be considered in the scope of follow-on studies.
6. According to the resolution of a comment, the overpressure condition leading to failure of the normal or excess letdown lines has been deleted from the RCPB fault tree.
The potential failure of the normal and/or excess letdown lines resulting in a loss of inventory is stated in the comment resolution to have been included in the DHR fault tree.
The potential failure of the normal or excess letdown lines, specifically as a result of overpressure, is apparently not modeled because the letdown orifices are the controlling parameters in the fault tree logic.
Since this does not lead directly to unacceptable core damage, the failure of systems downstream of these orifices is outside the scope of the study.
However, such a failure could result in significant radioactivity release to the auxiliary building and the environment.
This type of system interaction may be appropriate to follow-on studies.
7. The study has specifically excluded the piping and electrical wiring that connects components.
System interactions could result from piping and wiring which are located in the same plant areas.
Examples of environmental parameters which could lead to adverse system interactions are moisture, steam, and radioactivity level.
Therefore, piping and electrical wiring should be appropriately modeled in the fault trees to identify potential system interactions.
8. The potential for systems interaction between non-safety related systems and safety-related systems has become an increased concern.
I.E. Information Notice 79-22, issued September 14, 1979, specifically addressed this area.
Westinghouse has performed studies which identified that certain control systems could fail in an adverse manner as a result of a severe environment due to a feedwater or steam line break.
Potential failures involving (1) the steam generator power operated relief valve (PORV) control system, (2) the pressurizer PORV control system, (3) the main feedwater control system, and (4) the automatic rod control system could lead to violation of Westinghouse safety analysis criteria.
In light of this information, the control systems of the plant should be modeled in the fault trees to identify potential system interactions.
ENCLOSURE 5

ADDITIONAL COMMENTS ON THE DRAFT FINAL REPORT

1. Question No. 7 on p 4-9 and the event "High Pressure Injection Inadvertent Operation" on Table 4.3 appear to infer that two trains of HPI are required and are linked by the commonality of "Motive Power." On the contrary, it appears that only one train inadvertently operated is sufficient to cause the overpressurization in conjunction with the other event of that cut set called "Pressure Relief." (Comment by G. Kelly)
2. Revise Table 2.2 to show the correct number of sheets for each of the fault tree branches.
3. In the fault tree titled "LOOPS-C-POHS," the events identified as "reactor coolant pump ruptures" are much too cryptic. There has been a recorded failure of RCPB which resulted in an unisolated flow that was caused by pump seal failures.
This is the event at the H. B. Robinson plant in May 1975 that was reported by the NRC to the Congress of the United States in the report NUREG75/090 dated October 1975.
If and when the fault trees are developed further for the mitigation systems, you should give consideration to developing the fault event further to depict basic faults such as the seal leakoff line isolation valve fails, etc.
4. In the fault tree titled "DHR" on Sheet 1, you may need to consider another event as input to the logic gate NC-DEPRESS. The additional event is the inadvertent operation of the pressurizer sprays which can result in depressurization of the RCS.
Also on the same sheet, failure of forced circulation can occur if the loop is inadvertently depressurized low enough in pressure to cause malfunction or failure of the RC pumps.
This depressurization event should be depicted as another input to the gate DHR-FC.
5. On page 6-8 of the report you state that letdown is necessary in order to affect changes in boron concentration and should be specifically reviewed.
You should qualify that statement by restating that letdown is normally necessary.
However, shrinkage from cooldown may provide sufficient space for boron addition, and the reviewer should review for this operational claim also (Comment by G. Kelly).