Text

,.

nV ASSESSMENT OF B&W REPORT BAW-1564, " INTEGRATED CONTROL SYSTEM RELIABILITY ANALYSIS SUMfGRY In August 1979, B&W submitted a report titled " Integrated Control System Reliability Analysis," BAW-1564, which provided the results of a failure mode and effects analysis (FMEA) and an operating history review for the Integrated Control System (ICS) installed at all operating B&W plants.

This analysis, which was prepared in response to concerns raised by the NRC staff folicwing the TMI-2 event, concluded that the ICS was a reliable control system and that it serves to reduce the challenges to the reactor protection system. However, the analysis also identified a number of failures, most of which were related to ccaponents or systems which interface with the ICS, that could lead to ESFAS or AFW pctuation.

In addition, failures which have contributed significantly to the number of trips at B&W plants were also identified.

B&W made a number of reccamendations, to be investigated en a plant specific basis, that could reduce the probability or consequences of these failures The review of BAW-1564 was perfonned by staff consultants from the Oak Ridge National Laboratory.

Based on that review and discussions with B&W and licensee representatives, CRNL concluded that the ICS itself has a relatively Icw failure rate and does not appear to precipitate a significant number of plant upsets.

Furthercore, anticipated failures of and within the ICS are adequately mitigated by the plant safety systems. However, ORNL was critical of the report (specifically the FMEA) because it was limited to a study of only the ICS and not the other plant systems with which it interacts. While' ORNL generally agreed with the recccmendations B&W made for iaproving the control system

~

and related c'apcr.ents, they made additional suggesticr.s for assessing more generally the adeqatty of B&W control systems.

800'6120 N f

We concur in the ORNL mssessment of B AW-1564. With regard to the specific reconrend-ation made by S&W for improving control systems and related. systems, we requested, by letter dated Novenber 7,1979, that all licensees with B&W plants provide

'ir plans regarding these recommendations and their schedules for completing this work. We plan to review this information to establish the adequacy of licensee actions. We also plan to make a broader study of B&W control systems which considers the ORNL recomrendations, the results of the B&W Reactor Transient Response Task Force investigation (as reported in NUREG-0657) and the early results of the Interim Reliability Evaluation Program studi-.

The timing of the broader study will be dependent on canpower availability.

DISCUSSION t

The staff's investigation of the TMI-2 accident identified a number of concerns related to B&W operating plant designs.

One of the areas of concern was the Integrated Control System (ICS).

The staff questioned the role the ICS played in initiating and exacerbat-ing transients, particularly the reliance placed on the ICS to regulate main feedwater and, in the event of loss of main feedwater, the reliance on the same system to also regulate auxiliary (emergency) feedwater. This latter concern was resolved for the short tenn by the Commission Orders of May 1979 which confirmed that the licensees would develop procedures to initiate and control the auxiliary feedwater system independent of the ICS.

In the longer term, each licer.see was required to implement _ a safety grade, autcmatic auxiliary feedwater initiation and control system (as recccmended in NUREG-0578), resulting in a highly reliable. initiation and control system completely separate from the ICS.

=

. To detemine the rol'e of the ICS in initiating and exacerbating transients, the staff concluded tha' further investigation was needed.

The licensees (through B&W) prcpesed to submit a reliability analysis including a failure mode and efft. cts analysis (FMEA) of the ICS to the NRC staff as'soon as practicable.

The Ccamission Crders of May 1979 confimed this action.

Summary Of B&W Report And Recommendations As a means of assessing the perfomance of the ICS, B&W perfomed both a FMEA and a review of the ICS operating experience. The FMEA was limited to the ICS, as centainec in the ICS cabinets, provided by B&W. It censidered only failures of the ICS i puts, functional nodules within the ICS, and ICS outputs, each failure taken one at a time.

The results of the single failures were then detemined based on analysis or ccaputer siculation. The ICS operating experience review considered the history of transient.

events at operating B&W plants which were initiated by, or involved, the ICS.

The FMEA and cperating experience are documented in B&W Report BAW-1564, " Integrated Control System Reliability Analysis," dated August 1979.

The report concluded that the reactor core 'emains protected for events resulting fro-any of the ICS failures studied (FMEA) and that the ICS hardware failures (detemined frca operating experience) have not led to a significant number of reactor trips.

The report does recognize the desirability of improving the ICS and related systems in order to improve overall plant perfomance.

Based on the analysis, recomrendations were made which were to be evaluated on a plant specific basis.

The reconmendations highlighted areas in which B&W believed imprcvements could potentially contribute to i preved everall operaticn of the plant.

The majority of the reconnendations related

to systems /comparents which interface with the ICS, and were not specific in nature because of the design differences which exi'st at the different B&W plants.

Specifically, B&W recocoended that improvements in the folicwing areas should be further studied:

1.

ICS-Related a.

Non-nuclear instrumentation /ICS power supply reliability.

b.

Reliability of input signals from the Nuclear Instrumentation / Reactor Protection System to the ICS - specifically, the Reactor Coolant ficw signal.

c.

ICS/ Balance of Plant system tuning, (e.g., refinement of control system setpoints) particularly feedwater condensate systems and the ICS controls.

2.

Balance of Plant a.

Main feedwater pump turbine drive minimum speed control - to prevent loss of main feedwater or indication of main feedwater.

b.

A means to prevent or mitigate the consequences of a stuck-open main feedwater startup valve.

A means to prevent or mitigate the consequences of a stuck-open turbine c.

bypass valve.

ORNL Report Review i

Staff consu1* ants from the Oak Ridge National Laboratory (0RNL) reviewed the B&W report for tho.dC and reported their results in a Report Review, " Integrated Control System Reliability Analysis," transmitted to the Staff on January 21, 1980. ORNL concluded that, although the ICS and related control systems could be improved, the ICS itself has preven to have a icw failure rate and its does not appear to precipitate a significant number of plant upsets. The examination of the failure statistics revealed that only a

=

..... ~

sr?ll number of ICS hardware malfunctions resulted in reactor trip (approximately 6 of 162).

From this data, ORNL concluded that the ICS is failure tolerant to a significant degree.

Nevertheless, CRNL was critical of the FMEA because of its limited scope. That portion of the study dealt only with single failures of inputs to the ICS, functional 2

modules within the ICS cabinets, and ICS outputs.

They believed that the FMEA could i

have been improved if it had been expanded to include other systems with which the ICS interacts.

Therefore, ORNL concluded that the FMEA was of limited value.

CRNL agread with the 33W conclusior.s regarding control system imprcvements, and in i

particular, ORNL high'ighted the need for imprcvements with regard to the power supplies based on the past events that have resulted from NNI and/or ICS power supply failure.

In addition, ORNL suggested areas for possible further study. These suggestions are:

1.

Perform an analysis of overall plar.t stacility, inclu' ding the participation of the ICS in system oscillations ard other specific ICS actions, such as control of feedwater after a turbine trip and other anticipated transients.

2.

Cevelop an appropriate full-plant simulator to evaluate the interaction of the primary, secondary and control systems.

3.

Ferform fault tree analyses for the less of feedwater event and other events as n eces sa ry.

4.

Determine design features for avoiding as well as detecting degradation or failure within control systems.

Staff Conclusions 4

We concur in the ORNL assessment of B AW-1564.

The ICS itself does not appear to initiate a significant number of challenges to the reactor protection system.

Mcwever, the actions of the ICS as a result of failures in related systems can lead to major plant upsets and, therefore, it is desirable to improve overall plant control system perfonnance. We believe that the recommendations made by B&W, if implemented, could reduce the probability or consequences of these failures.

By letter dated November 7,1979, we requested that all licensees with B&W plants evaluate these recccmendations and report to us the followup acticns they have taken. We plan to review this infonnation to establish the adequacy of the licensee's actions. This activity is a part of the NRC Action Plans (NUREG-0660, Task II.K.2).

We also believe there is a need to perfonn a broader study of B&W control _sy, stems to more adequately assess the role these systems play in transient initiation and mitigation. The ORNL review described abcve suggested the need for such a study as did the B&W Reactor Transient Response Task Force (as reported in NUREG-0667). - The scope and content of this study will be based in part on the results of the Crystal River review new being perfonned as part of the Interim Reliability Evaluation Program (IREP).

The timing of this study will be dependent on manpower availability. While we expect to initiate this effort during this fiscal year, initial results will probably not be available until the latter half of 1981. We believe that this schedule ~ is acceptable because of the system improvements which we anticipate will result fraa the implementation of the ~ recommendations 'made in SAW-1564.

w I