ML19323F059

Discusses Status of Actions Re High Energy Line Break W/ Consequential Control Sys Failure. Forwards Interim Criteria to Be Considered in Related Followup Reviews. Supporting Tables Encl
ML19323F059
Person / Time
Issue date: 12/19/1979
From: Check P
Office of Nuclear Reactor Regulation
To: Eisenhut D
Office of Nuclear Reactor Regulation
Shared Package
ML19323F048 List:
References
TAC-12263, NUDOCS 8005280473


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

DEC 19 1979

MEMORANDUM FOR: Darrell G. Eisenhut, Acting Director, Division of Operating Reactors

THRU: Gus Lainas, Acting Assistant Director, Systems Engineering, Division of Operating Reactors

FROM: Paul S. Check, Chief, Reactor Safety Branch, Division of Operating Reactors

SUBJECT: STATUS REPORT - HIGH ENERGY LINE BREAK WITH CONSEQUENTIAL CONTROL SYSTEM FAILURE

1.0 INTRODUCTION AND SUMMARY

On September 17, 1979, all licensees of light water reactors were requested to determine if an unreviewed safety question related to the interaction of safety grade and non-safety grade equipment existed at their respective nuclear plants. On the basis of scenarios involving interactions such as those identified by Westinghouse and submitted to NRC by Public Service Electric and Gas Co. (Reportable Occurrence 79-58/1P), we were concerned that consequential control system failures following a high energy line break (HELB) might cause the consequences of the HELB to be more severe than previously expected.

All licensees responded to our request within the requisite 20 days. We have screened these submittals. On the basis of our review to date, we find no specific identified safety problems; that is, we find no event sequence that clearly leads to an unacceptable consequence. However, both general and specific concerns remain.

Our general concern relates to the variability in breadth and depth of the initial systems reviews, the lack of a consistent methodology of review, and the failure to characterize the relative risks among the interactions considered. We believe these broad concerns will be dealt with by the systematic assault on this and closely related topics proposed by Recommendation 9 of NUREG 0585. Industry is currently forming a group to develop a plan for resolving the issues raised in Recommendation 9. We emphatically recommend NRC participation in this activity. The industry group augmented by NRC representatives would form an NRC-Industry Steering Group on Systems Interaction. Such a group could provide the forum and mechanism for exploring and implementing new and presumably more efficient ways of handling this unresolved safety issue.

In addition to its overall responsibility for ultimately responding to Recommendation 9, a near-term objective of this group could be identification of high risk events for consideration by TAP A-17 and IREP. The NRC-Industry Steering Group could readily be employed to accomplish Tasks II.C.1 Items B-9 and C-9 outlined in Denton's Draft Action Plan to the Commissioners (December 11, 1979).

Contact: B. Morris, RS/DOR, 28173
Bea Rosenberg, RS/DOR, Vydec Disc 21

Our specific concern relates to new scenarios generated by some licensees during their reviews and described in detail in their reports. Although each new scenario was resolved by the licensee who developed it, we cannot tell whether other, similar plants considered these scenarios. We recommend that the scenarios described in Appendix A be addressed by the appropriate LWR licensees within the next 60 days. Interim criteria for these reviews are also stated in Appendix A.

2.0 EVALUATION OF RESPONSES

Each licensee employed a matrix to identify potential interactions. Control systems and functions are listed on one axis and type of HELB along the other. Sample matrices are included in Appendix B. Identified potential interactions were then examined by the vendors and licensees. The extent or completeness of the matrices and the thoroughness of the examinations of potential interactions show considerable variation with vendor and licensee.

A general appraisal by NSSS vendor, based on our initial screening, is presented below.

2.1 WESTINGHOUSE PLANTS

Westinghouse identified 15 potential interactions out of an array of seven control systems with seven accidents. Four of the 15 potential interactions were considered limiting by Westinghouse. Generic analyses were provided to the licensees, who in turn submitted the analyses to the Commission. Most licensees modified this submittal with plant-specific considerations such as physical separation, environmental qualification of equipment, operating mode, and operator training.

Licensees have relied on the fact that for several scenarios the operator would have in excess of one-half hour to take corrective action. It remains to be shown conclusively that (1) the operator has sufficient reliable indication and training to cope with all 15 potential interactions, and (2) the enumerated set is complete.

Licensees have proposed to perform additional work in conjunction with forthcoming Lessons Learned requirements contained in the final report (NUREG 0585).

2.2 BABCOCK & WILCOX

All B&W supplied NSSS owners have relied on a generic B&W analysis (see Appendix B). Each B&W reactor owner related its plant-specific equipment features (e.g., location and/or qualification of existing equipment) to the characteristics of certain plant functions (e.g., the reactor or turbine trip may occur before non-safety-grade systems can deteriorate as a result of the HELB considered). Some interactions when compared to the FSAR analysis are either unchanged or changed in the conservative direction. The rest were rejected on the basis of low probability. In this regard, licensees referenced a probabilistic analysis by the Nuclear Safety Analysis Center (NSAC), sent under cover of an AIF letter, Ward to Denton, dated October 19, 1979.

FWLB inside containment and its potentially adverse effect on PORV (i.e., spurious openings, or failure to close after opening) was not analyzed in the FSARs. Post TMI-2 analysis and operator guidelines have been developed for LOFW concurrent with an open PORV. B&W plant licensees referenced this analysis. MFW control/EFW initiation and control interaction with a small LOCA or MFWLB inside containment (steam generator level transmitters) has been addressed in the B&W plant licensees' responses to Information Notice 79-22.

All B&W plant licensees have proposed a long-term assessment of environmental effects on NSGS to include

(a) Defining instrumentation and control functions required for safe shutdown;

(b) Identifying applicable equipment errors and responses in an adverse environment;

(c) Preparing a safety assessment and recommending corrective actions, if required.

B&W licensees plan to couple this proposed assessment with the Abnormal Transient Operating Guidelines (ATOG) currently under preparation, and will focus on additional operator training to recognize and respond to an adverse HELB/NSGS interaction.

Certain scenarios generated during the B&W plant reviews had not been included among the original scenarios identified by Westinghouse. These have been included in Appendix A. They should be addressed by all PWR licensees in their follow-up reviews.

2.3 COMBUSTION ENGINEERING

All CE reactor owners have also relied on a generic CE analysis that identified potential adverse HELB/NSGS interactions (see Appendix B). Each plant considered the plant specific characteristics: location and/or qualification of equipment, modes of operation of certain systems. Some potential interactions were either inconsequential or act in a conservative direction relative to the FSAR analysis. The rest were rejected on the basis of low probability (NSAC letter, op. cit.).

Some plant owners plan to alert the operator to the potential interaction scenarios stressing the necessity of prompt action and will instruct the operators to search for diverse indication signals.

2.4 GENERAL ELECTRIC

Most BWR licensees responded using a format developed by a BWR Users Group with GE advice. As many as 70 plant systems were considered in conjunction with a variety of postulated HELBs. The matrix developed (Appendix B) contains entries classifying the effect of the particular HELB on the particular system. In all these cases, the licensee concluded that HELB consequences would not be more severe than previously reported in safety analyses. The reasons for these conclusions included claims that the equipment is qualified to perform adequately in the HELB environment, that the consequences would not be worse even if the equipment malfunctions in the most adverse way possible, or that the equipment would not experience an adverse environment. No further details were given to justify these conclusions and detailed scenario descriptions were not provided.

A few BWR licensees not following the BWR Users Group format identified and described specific scenarios in detail. In each case, the licensee determined, on the basis of environmentally qualified control equipment or operator action or accident analysis, that the consequences of the scenarios would meet licensing criteria. The specific scenarios are described in Appendix A.

Two BWR licensees (Lacrosse, Humboldt) responded formally but failed to address the main issues raised in the letter of September 17, 1979. In both cases, the licensees have stated their intention to perform an appropriate review and submit a report.

The reports following the BWR Users Group format are in general more extensive in terms of systems and types of HELBs considered than reports from PWRs. However, the BWR reports do not include details to support the conclusions reached as did the PWR reports.

3.0 RELATED NRC ACTIVITIES

Two major generic NRC activities, Systems Interactions (TAP A-17) and the Integrated Reliability Evaluation Program (IREP), have the potential for developing methodologies to resolve the concern regarding consequential control system failures due to HELBs. The same methodologies would also be applicable to resolution of other concerns related to control systems.

Recommendation 9 of NUREG 0585 summarizes these concerns and calls for the nuclear industry to resolve them as follows:

"The owner of operating plants and all plants under construction should be required to evaluate the interaction of non-safety and safety-grade systems during normal operation, transients, and design basis accidents to assure that any interaction will not result in exceeding the acceptance criteria for any design basis event. The review should be systematic and include all non-safety components, equipment, systems, and structures under all conditions of normal operation, anticipated operational occurrences, and design basis accidents initiated both within the plant (such as pipe breaks) and from outside the plant (such as earthquakes, other natural phenomena, and offsite hazards). The interactions and effects should consider various failure modes including spurious operation, failure to operate upon demand, and any unusual or erratic operation that might result from exposure to the abnormal process or environmental conditions accompanying the event under study. As a necessary part of this evaluation, proper qualification of safety systems, including mechanical components, should be verified.

"The number of simultaneous failures of non-safety equipment considered should reasonably reflect the expected number of non-safety systems simultaneously exposed during the event under study to conditions for which they were not designed or qualified.

"Equipment identified as the potential cause of violation of the acceptance criteria for any design basis event should be appropriately modified to eliminate or significantly reduce the probability of the adverse interaction. Alternatively, the affected safety systems or structures should be modified to cope with the interaction. The results of the evaluations should be used to review and modify as appropriate, the plant operating and emergency procedures and operator training. The Task Force recommends that these studies be completed within a year, at which time licensees should submit proposed schedules for making the modifications identified in the evaluations. Completion of this study would not be a condition of licensing new plants in the interim of one year if the basis for continued licensing in face of the present unresolved safety issue on systems interaction is judged by the staff to continue to be valid."

The development of the scope and the schedules for TAP A-17 and IREP should be guided by Recommendation 9; i.e., to the extent possible the objectives and schedule of Recommendation 9 should be made the objectives and schedule of these tasks. This conclusion is consistent with our interpretation of Tasks II.C.1 of Denton's Draft Action Plan of December 11, 1979. However, given the complexity of application of these powerful methodologies, it is unlikely that completion could be achieved within several years. Nevertheless, these programs can provide a check on the resolutions developed through the efforts of the Industry-NRC Steering Group described below.

4.0 INDUSTRY ACTIVITIES

On November 8, 1979, a group of utility, AIF and NSSS vendor representatives met with NRC staff members in Bethesda to consider how a joint industry-NRC steering committee could assist in resolving the concerns expressed in Recommendation 9, including the HELB consequential Control System Failure concern.

The industry representatives are now organizing their effort. We recommend that NRC steering committee representatives be named as soon as possible.

Current NRC activities related to Recommendation 9, i.e., TAP A-17 and IREP, are unlikely to provide resolutions within several years. We believe the Industry-NRC Steering Group should have as its principal objective the identification and resolution of the highest risk systems interactions concerns within one or two years.

Denton's Draft Action Plan, in describing Task II.C.1 provides the following direction.

for NRC---

"Reliability engineering techniques can complement quality assurance and provide a disciplined approach to multidisciplinary systems engineering in the design of nuclear plants, the development of startup test procedures, the development of operating, maintenance, and emergency procedures, and in operations. Specifications will be developed for acceptable reliability assurance programs to be implemented by operating license holders, construction permit holders, and future construction permit applicants. The role of applicant-supplied probabilistic safety or reliability analysis in future safety analysis reports will be defined in this program. Reliability assurance program requirements will be promulgated by a new Regulatory Guide."

for Licensees---

"Applicants and operating license holders will be required to develop reliability assurance programs for NRC approval and implementation."

These tasks can readily be pursued by the Industry-NRC Steering Group.

5.0 SPECIFIC RECOMMENDATIONS

(a) Each operating reactor licensee should address the specific scenarios and criteria expressed in Appendix A and report their findings within 60 days.

(b) An Industry-NRC Steering Group should be formed with the objective of identifying and resolving the highest risk Recommendation 9 and Task II.C.1 concerns within two years. The key near-term action here is naming 3 NRR BC/ ads and a task manager to serve on this Committee.

Paul S. Check, Chief
Reactor Safety Branch
Division of Operating Reactors

cc: R. Mattson, J. Rosenthal, D. Ross, S. Diab, R. Tedesco, R. Satterfield, S. Hanauer, E. Butcher, G. Lainas, J. Angelo, V. Moore, F. Rowsone, Y. Panciera, M. Aycock, F. Coffman, D. Tondi, S. Weiss, B. Morris

APPENDIX A

SPECIFIC SCENARIOS AND INTERIM CRITERIA TO BE CONSIDERED IN FOLLOW UP REVIEWS OF HELBs WITH CONSEQUENTIAL CONTROL SYSTEM FAILURE

General Criteria - Licensees should reconsider their original review and the additional scenarios described below. The following criteria should be applied.

1. Equipment Qualification - Equipment needed to achieve emergency reactor shutdown, containment isolation, reactor core cooling, containment and reactor heat removal and prevention of significant release of radioactive material to the environment is to be designated "Class IE" or safety-grade and must be environmentally qualified. If such equipment is discovered not to be environmentally qualified during these reviews, the NRC should be informed according to appropriate reporting requirements. If non-safety-grade equipment exposed to a HELB environment could interfere with operation of safety equipment intended to mitigate the HELB, the non-safety equipment must be moved to a protected area, be de-energized, or its environmental qualification documentation must be available for NRC audit.

2. Operator Actions - In any case that operator actions are required to remedy a situation of concern resulting from a control system failure subsequent to a HELB, the revised emergency procedures relevant to the concern should be available for NRC audit. Furthermore, if a HELB could cause non-safety-grade instrumentation to malfunction and confuse the operator, the emergency procedures should include appropriate warnings.

3. De-energization of Controls - In any case that power or control circuits for non-safety-grade equipment have been de-energized to prevent interference with safety functions, consideration must also be given to the possibility that an adverse HELB environment could cause electrical shorts to ground or to power sources or mechanical failures of control equipment which could result in re-energizing the control or power circuits.

4. Simultaneous Failures of Multiple Non-Safety Components or Systems - In any case that a given HELB location can result in simultaneous failure of more than one Non-Safety Component or System all the potential failures must be considered. For example, if a PORV fails due to a HELB, the related block valve will probably be subjected to the same environment and might also fail and the block valve may not be relied on to mitigate the situation. Credit cannot be taken for block valve action in such a situation unless the valve can be shown to be environmentally qualified.

Scenarios To Be Considered

We cannot determine from the initial reports whether the following scenarios have been considered by all licensees. The scenarios should be reviewed. If they have been considered, the licensee should inform the NRC project manager; if not, the results of the review and actions taken should be reported within 60 days.

1. Inadvertent Removal of ECCS Recirculation Water (PWRs) - Systems for draining or pumping leakage from the containment or reactor building could be inadvertently actuated in a LOCA environment and reduce the ECCS recirculation water inventory in the active sump.

2. Failure to Isolate Broken Steam Generator Loop (PWRs) - The inappropriate opening of a main steam isolation valve bypass valve because of the steam environment would preclude complete steam generator isolation.

3. Inability To Maintain Fuel Pool Cooling (BWRs) - Fuel pool cooling may be lost due to a LOCA environment and the situation cannot be remedied because of high radiation in secondary containment.

4. Moisture in Compressed Air System (All plants) - The compressed air system air dryer controls could malfunction while the compressors continue to operate. Moist compressed air could cause malfunction of the Containment Atmosphere Dilution System control valves (backup control air for these valves would not be operable until loss of control air pressure). Other systems may also be affected.

5. Overflow of Liquid Radwaste System (BWR) - A HELB resulting in failure of the condensate filter/demineralizer controls could result in simultaneous transfer of liquid to the liquid radwaste systems from the break and from the filter/demineralizers. This could overflow the radwaste system resulting in more severe radiological consequences than anticipated from an HELB. This is of particular interest for multiple units sharing common liquid radwaste systems.

6. Isolation of Recirculation Loops (Non-Jet Pump BWRs) - HELB induced closure of recirculation pump valves could isolate the recirculation loops. Accident analyses have assumed these valves to remain open.

7. Opening of Reactor Vessel Head Vent Valves (BWRs) - Many BWRs considered the possibility that the RPV Head Vent Valves could fail open during a LOCA. A generic analysis was done for these plants showing a negligible increase in PCT. The remaining BWRs should confirm that this analysis is applicable to their designs.

APPENDIX B

FORMAT USED BY VENDOR USER GROUPS TO RESPOND TO HELB CONSEQUENTIAL CONTROL FAILURE CONCERNS

ENCLOSURE I

TABLE I. PROTECTION SYSTEM-CONTROL SYSTEM POTENTIAL ENVIRONMENTAL INTERACTION

[Matrix of accidents against control systems. Accident rows: Small Steamline Rupture, Large Steamline Rupture, Small Feedline Rupture, Large Feedline Rupture, Small LOCA, Large LOCA, Rod Ejection.]

X - Potential Interaction Identified that could Degrade Accident Analysis

- No such Interaction Mechanism Identified

TABLE II. IMPACT OF CONTROL SYSTEM EFFECTS ON SAFETY ANALYSIS

Licensing Basis Accidents (columns): SLB Inside Containment; SLB Outside Containment; FWLB Inside Containment; FWLB Outside Containment; Large LOCA; Small LOCA

[Entries are listed per row in the order they appear; for rows with fewer than six entries the column positions are not legible.]

I. Reactor Power Control and Shutdown
Control Rod Drive Control System: (2) (2) (2) (2) (2) (2)

II. Reactor Pressure Control
Power Operated Relief Valve: (1) (1) (3)
Pressurizer Heaters
Pressurizer Spray

III. Steam System Isolation and Pressure Control
Turbine Trip/Turbine Stop Valves: (2) (2)
Turbine Bypass/Atm Relief Valves: (1) (3) (1) (3) (3) (3)

IV. Feedwater System Isolation and Control
Main Feedwater Control: (4) (4) (4) (4) (3) (4)
Main Feedwater Isolation Valves: (1) (1)
Auxiliary Feedwater Isolation Valves: (4) (4)
Auxiliary Feedwater Initiation: (1) (1)
Auxiliary Feedwater Level Control: (4) (4) (4) (4) (3) (4)

(1) Equipment Can be Shown to Perform Intended Function
(2) Required Period of Operability is Short
(3) Equipment Performance Is Conservative in Adverse Environment
(4) Potential Inconsistency With Safety Analysis Inputs and Responses

Note: All Open Entries are Either a Dash (-) or a Y on Table II

MATRIX OF EVENTS / CONTROL FUNCTIONS FOR FURTHER CONSIDERATION AND ACTION

[Matrix of control functions against events. Events: SLB, FWLB, CEA Ejection, SBLOCA, LSLOCA. Legible control functions include Pressurizer Level, Pressurizer Pressure, Feedwater, Turbine Control, Steam Bypass, Steam Dump, Condenser and Reactor Coolant Flow; the X entries are not legible.]


UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

OCT 22 1970

MEMORANDUM FOR: Commissioner John F. Ahearne

THRU: Lee V. Gossick, Executive Director for Operations (Signed) Lee V. Gossick

FROM: Harold R. Denton, Director, Office of Nuclear Reactor Regulation

SUBJECT: SAFETY IMPLICATIONS OF CONTROL SYSTEMS AND PLANT DYNAMICS

Introduction and Summary

By memorandum to you dated September 4, 1979, Mr. Demetrios Basdekas identified a number of concerns related to control system design and plant dynamics.

This memorandum addresses those concerns and discusses related work that NRR has either planned or is underway.

Mr. Easdekas maintains that, becEuse design criteria are inadequate and there is no detailed staff review of plant crntrol systems, it cannot be concluded that the staff safety reviews are adequate to ensure that plant designs are acceptable.

In addition, he contends that control system malfunctions should be considered as ir'.tiators of anticipated operational occurrences

  • or postulated accidents.

Further, these malfunctions, together with the effects of other nomally functioning control systems, should be considered during and subsequent to A00s or accidents.

In assessing the impacts of these malfunctions on the consequences of both transients and accidents, Mr. Basdekas believes that the analytic modeling must accurately describe the various dynamic processes.

Without such an assessment, he concludes that there may be sequences of events not now considered in the safety analyses for which inadequate mitigating features have been provided.

He cites TMI'-2.as an example.

~

Mr. Basdekas makes a number of recomendations for addressing the concerns he has raised.

These include:

1. Failure Mode and Effects Analyses (FMEA) of control systems for each plant;

2. Establishment of design criteria for control systems;

3. Establishment of requirements for control system design and installation;

4. Revision of the Standard Review Plan (SRP) to include the detailed review of control systems;

5. Training and/or hiring of suitably trained staff to perform the control system reviews; and,

6. Derating of operating plants until a preliminary review of control systems has been completed for each plant.

*Anticipated operational occurrences (AOOs) are those events which are expected to occur at least once during the life of the plant.


Commissioner John F. Ahearne.

In the discussion which follows, we describe the review process presently used to judge the adequacy, from a safety standpoint, of plant protection systems, our treatment of control systems in that process and efforts that are planned or underway to provide added assurance that this process is adequate or identify changes necessary to satisfy Commission safety requirements.

As this discussion indicates, we share some of the same concerns that Mr. Basdekas raises and we believe that the work we have initiated addressed those concerns.

We agree with the need to investigate control system failures and design inadequacies.

However, we do not assign the same importance to the review of plant dynamic and control system performance, including stability, as does Mr. Basdekas.

We do plan to investigate the possibility of simulating the dynamics of control systems in a representative B&W plant but we do not believe there is sufficient justification for an immediate detailed review of control system dynamics at all operating plants.

Finally, while we agree with the need to investigate the effects of control system failures and design inadequacies, we do not believe there is sufficient evidence to suggest that conclusions drawn from safety analyses are not valid.

Therefore, we do not believe there is adequate justification for the recommendation to reduce power at operating plants pending a preliminary review of control systems.

Discussion

As Mr. Basdekas notes in his memorandum, the staff has not reviewed control systems in detail.

The staff requires that all applicants for an operating license demonstrate by analysis that the plant is designed to mitigate the effects of a defined set of anticipated operational occurrences and postulated accidents.

In assessing the effects of anticipated events, it is assumed that the events can be initiated by single control system malfunctions.

These malfunctions are non-mechanistic in that no cause for the malfunction is identified nor are other associated malfunctions considered.

For example, the loss of all main feedwater is considered an anticipated event, but, in analyzing this event, it has not been necessary to identify, for example, that a power supply failure caused the loss of feedwater and the coincident malfunction of other equipment powered by that same supply.

The staff followed this approach, reasoning that the event would not be substantially changed because of the specific component which was assumed to have failed.

This simplified the staff review since it would not be required to identify all single failures which could cause the event regardless of the probability of its failure.

Further, the analysis assumed that all control systems respond as designed (unless the equipment malfunction is associated with a particular control system).

All plant neutronic and thermohydraulic parameters are assumed to be at their worst-case values at the time the event is initiated.

Similarly, in analyzing postulated accidents, plant control systems are assumed to respond normally except that no credit is taken for such a response that would be of benefit in mitigating the effects of the accident.

It has been assumed that the consequences of design basis accidents (e.g., LOCA, steamline break) would not be significantly affected by control system malfunctions because of the rapid change in plant parameters during such accidents.

We believe that the review approach followed by the staff has been an effective use of resources for evaluating the adequacy of plant designs.

The analytical demonstration that the plant safety systems can successfully mitigate the effects of the defined set of anticipated operational occurrences and postulated accidents provided the staff with adequate basis to conclude that the designs of these protection systems were adequate and that the consequences of these design basis accidents would not be significantly affected by malfunctions in plant control systems.

The staff has recognized that there are drawbacks in the approach discussed above in that the events considered in the analysis do not bound all events which can be postulated.

For example, recently in a letter from Westinghouse Electric Corporation to one of their operating plant customers (Attachment 1), a number of control systems could potentially malfunction if impacted by adverse environments due to a high energy line break inside or outside containment.

Westinghouse indicated that the effects of such failures could lead to high energy line break consequences more severe than those presented in the safety analysis reports. The staff responded by issuing a letter to all operating light water reactors (Attachment 2) requesting that each licensee review their plant design in light of this concern and respond within (20) days with regard to whether operation of their plant should be modified, suspended, or revoked.

It is expected that evaluations will be performed to evaluate the consequences of these and other potential control system failures which can be postulated to ensure that while this safety concern may exist, the overall conclusions regarding the adequacy of plant protection features and operator actions necessary to mitigate these events are adequate to meet all safety criteria necessary to permit continued plant operation.

The staff has raised questions regarding the acceptability of multiple challenges to the reactor protection system due to problems related to control system actions at several B&W plants (Attachment 3).

The Crystal River events mentioned by Mr. Basdekas are discussed in Attachment 3.

The events were either initiated by equipment malfunction or operator induced.

While none of these events led to significant consequences, the frequency with which these events have occurred has highlighted the need to give greater regulatory attention to the control systems involved.

In a very related way the "Lessons Learned Task Force Status Report and Short-Term Recommendations, NUREG-0578" required in Section 2.1.9 that analysis of design and off-normal transients and accidents scenarios be performed including operator actions not previously analyzed. This position requires that, in addition to the normal single failure assumption, consequential failures shall also be considered.

The staff also required that operator errors that could cause the complete loss of safety function shall also be considered.

Thus it is expected that through these efforts a variety of event trees will be investigated for their probability of occurrence as well as possible consequences.

In response to this requirement the B&W Owner's Group (TMI Effects Subcommittee) has discussed with the staff a program they intend to follow to be responsive to this requirement. Briefly, the program has the following objectives:

Investigate a wide range of reactor plant transients, including failures not normally considered in Safety Analysis Reports.

Provide appropriate information to the plant operators to enable them to deal effectively with abnormal transients.

Promote a better understanding of system fundamentals and abnormal transient operation.

The B&W owners have stated that the engineering support to accomplish these objectives are estimated at 30,000 man-hours, independent of the efforts that will be provided at each licensee plant.

The staff is currently reviewing the program to better understand how responsive this program is to the requirement stated in NUREG-0578 and the time necessary to implement the program.

Recognizing the importance of control systems and the role those systems can play in both the initiation and mitigation of off-normal events, the staff has a number of other initiatives either in the planning stage or presently underway to enhance our knowledge of these systems.

These initiatives are aimed at improving our understanding of possible control system failure mechanisms and their frequency of occurrence, and establishing the effects of these failures.

As a followup to the TMI-2 events, the Commission issued orders to the B&W operating plants.

As part of these orders, B&W was required to submit to the NRC staff a failure modes and effects analysis of the Integrated Control System.

This analysis has been completed and the results are included in a B&W report entitled "Integrated Control System Reliability Analysis," BAW-1564, August 1979.

The report includes a number of recommendations by B&W regarding improvements in the performance of the ICS and related systems.

The staff is presently reviewing this report with the assistance of Oak Ridge National Laboratory.

Recommendations regarding possible system improvements will be developed and future work will be defined.

As part of this effort, ORNL is investigating the possibility of producing a computer simulation of a representative B&W plant which would include plant control systems.

Such a simulation, if it proves feasible, would allow us to evaluate a variety of different kinds of control system failures including the effects of plant dynamics.

The staff has for some time recognized the need for criteria for equipment and systems important to safe plant operation but which need not be designed in compliance with safety system requirements.

In 1977, the Office of Standards Development was requested to begin the development of such criteria but no work was done because of unavailability of manpower in both OSD and NRR. We have recently held discussions with OSD regarding the need to begin the development of these criteria and they agree with the need to proceed.

Further work is being delayed until the Lessons Learned Task Force decides on the scope of equipment to be covered by the criteria.

Prior to the TMI-2 event, the staff had begun to investigate the interaction of the various plant systems.

This activity, defined in Task Action Plan TAP-A17 "Systems Interaction in Nuclear Power Plants," involves the application of fault tree methodology as a means of systematically reviewing plant systems for susceptibility to systems interactions.

Particular emphasis is being placed on the presumed redundancy and independence of safety systems.

As Mr. Basdekas notes in his memorandum, this analysis does not treat the dynamic aspects of control-protection system interactions.

We believe that this detailed analysis of control system malfunctions is unnecessary at this time.

Westinghouse also has a study underway that is closely related to A-17.

As a part of our review of the Westinghouse Integrated Protection System (IPS), we requested that an analysis be made of possible interactions between the IPS and the plant control systems and/or the engineered safety-features (see NUREG-0493). The objective of this analysis is to assess the degree to which these interconnected systems are susceptible to common mode failure.

The methodology which is currently being developed by Westinghouse for this purpose makes use of fault tree analysis. The Westinghouse study will not only give us additional insight into the interaction of complex control and protection systems, but it should also provide us with additional guidance on methodology for assessing the impact of control system failures for other plant designs.

Finally, we are planning to devote more manpower to the analysis of operating experience.

Events have occurred in the past which have received insufficient review effort.

Such events can indicate the existence of control system problems and possible problems associated with operator errors.

This knowledge should be fed back into the review process.

It will also be useful input to a technical assistance effort to be initiated shortly on control room design improvements.

We believe each of these initiatives will add to our understanding of the importance of control system malfunctions and operator action and help us confirm the adequacy of our current review process.

Our approach emphasizes only those concerns that we believe deserve immediate attention, thereby ensuring that limited staff resources are used wisely.

We have not concluded that these concerns are of sufficient significance to warrant either the plant-by-plant control system analysis or the temporary reduction in power that Mr. Basdekas suggests would be prudent.

I hope this memo has been responsive to the concern highlighted by Mr. Basdekas.

If you have any questions, I will be glad to discuss them with you at your convenience.

OCT 15 579

Harold R. Denton, Director
Office of Nuclear Reactor Regulation

Enclosures:
As stated

cc:
Chairman Hendrie
Commissioner Gilinsky
Commissioner Bradford
Commissioner Kennedy
OGC
OPE
SECY


NINETY-SIXTH CONGRESS
MORRIS K. UDALL, ARIZ., CHAIRMAN

COMMITTEE ON INTERIOR AND INSULAR AFFAIRS
U.S. HOUSE OF REPRESENTATIVES
WASHINGTON, D.C. 20515

February 7, 1980

The Honorable John Ahearne
Chairman, Nuclear Regulatory Commission
Washington, D.C. 20555

Dear Mr. Chairman:

It has recently been brought to my attention that certain kinds of nuclear reactor control system failures could lead to accident sequences that have not been anticipated in the NRC's regulatory requirements.

I would appreciate your providing the Subcommittee the following:

- An outline of the Commission's program for determining the extent to which control system failures that have not been anticipated could aggravate accident sequences currently considered in the NRC's regulatory requirements.

- A listing of significant corrective measures which have been or will be required as a result of control system malfunction or failure analyses conducted to date.

- Brief descriptions of the analyses upon which decisions concerning the foregoing corrective measures have been based.

I would also appreciate the Commission's position with regard to staff recommendations as to the need for power derating while this matter is under review.


Thank you for looking into this matter.

Sincerely,

MORRIS K. UDALL
Chairman