ML19340C548

From kanterella
Addresses Safety Implications of Control Sys Design & Plant Dynamics from 790904 Memo.Agrees W/Need to Study Effects of Failures & Inadequacies.Power Reduction Pending Preliminary Review Not Justified
ML19340C548
Person / Time
Site: Crane
Issue date: 10/22/1979
From: Gossick L
NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO)
To: Ahearne J
NRC COMMISSION (OCM)
Shared Package: ML16341B457
References
TASK-TF, TASK-TMR NUDOCS 8012110064
Download: ML19340C548 (6)


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

OCT 22 1979

MEMORANDUM FOR: Commissioner John F. Ahearne

THRU: Lee V. Gossick, Executive Director for Operations

FROM: Harold R. Denton, Director, Office of Nuclear Reactor Regulation

SUBJECT: SAFETY IMPLICATIONS OF CONTROL SYSTEMS AND PLANT DYNAMICS

Introduction and Summary

By memorandum to you dated September 4, 1979, Mr. Demetrios Basdekas identified a number of concerns related to control system design and plant dynamics. This memorandum addresses those concerns and discusses related work that NRR has either planned or is underway.

Mr. Basdekas maintains that, because design criteria are inadequate and there is no detailed staff review of plant control systems, it cannot be concluded that the staff safety reviews are adequate to ensure that plant designs are acceptable.

In addition, he contends that control system malfunctions should be considered as initiators of anticipated operational occurrences or postulated accidents.

Further, these malfunctions, together with the effects of other normally functioning control systems, should be considered during and subsequent to AOOs or accidents.

In assessing the impacts of these malfunctions on the consequences of both transients and accidents, Mr. Basdekas believes that the analytic modeling must accurately describe the various dynamic processes. Without such an assessment, he concludes that there may be sequences of events not now considered in the safety analyses for which inadequate mitigating features have been provided.


He cites TMI-2 as an example.

Mr. Basdekas makes a number of recommendations for addressing the concerns he has raised. These include:

1. Failure Mode and Effects Analyses (FMEA) of control systems for each plant;

2. Establishment of design criteria for control systems;

3. Establishment of requirements for control system design and installation;

4. Revision of the Standard Review Plan (SRP) to include the detailed review of control systems;

5. Training and/or hiring of suitably trained staff to perform the control system reviews; and,

6. Derating of operating plants until a preliminary review of control systems has been completed for each plant.


In the discussion which follows, we describe the review process presently used to judge the adequacy, from a safety standpoint, of plant protection systems, our treatment of control systems in that process, and efforts that are planned or underway to provide added assurance that this process is adequate or to identify changes necessary to satisfy Commission safety requirements. As this discussion indicates, we share some of the same concerns that Mr. Basdekas raises, and we believe that the work we have initiated addresses those concerns. We agree with the need to investigate control system failures and design inadequacies. However, we do not assign the same importance to the review of plant dynamic and control system performance, including stability, as does Mr. Basdekas. We do plan to investigate the possibility of simulating the dynamics of control systems in a representative B&W plant, but we do not believe there is sufficient justification for an immediate detailed review of control system dynamics at all operating plants.

Finally, while we agree with the need to investigate the effects of control system failures and design inadequacies, we do not believe there is sufficient evidence to suggest that conclusions drawn from safety analyses are not valid. Therefore, we do not believe there is adequate justification for the recommendation to reduce power at operating plants pending a preliminary review of control systems.

Discussion

As Mr. Basdekas notes in his memorandum, the staff has not reviewed control systems in detail. The staff requires that all applicants for an operating license demonstrate by analysis that the plant is designed to mitigate the effects of a defined set of anticipated operational occurrences and postulated accidents.

In assessing the effects of anticipated events, it is assumed that the events can be initiated by single control system malfunctions. These malfunctions are non-mechanistic in that no cause for the malfunction is identified, nor are other associated malfunctions considered.

For example, the loss of all main feedwater is considered an anticipated event, but, in analyzing this event, it has not been necessary to identify, for example, that a power supply failure caused the loss of feedwater and the coincident malfunction of other equipment powered by that same supply. The staff followed this approach, reasoning that the event would not be substantially changed by the specific component which was assumed to have failed. This simplified the staff review, since it would not be required to identify all single failures which could cause the event, regardless of the probability of each failure.

Further, the analysis assumed that all control systems respond as designed (unless the equipment malfunction is associated with a particular control system). All plant neutronic and thermohydraulic parameters are assumed to be at their worst-case values at the time the event is initiated.

Similarly, in analyzing postulated accidents, plant control systems are assumed to respond normally, except that no credit is taken for any such response that would be of benefit in mitigating the effects of the accident.

It has been assumed that the consequences of design basis accidents (e.g., LOCA, steamline break) would not be significantly affected by control system malfunctions because of the rapid change in plant parameters during such accidents.

We believe that the review approach followed by the staff has been an effective use of resources for evaluating the adequacy of plant designs. The analytical demonstration that the plant safety systems can successfully mitigate the effects of the defined set of anticipated operational occurrences and postulated accidents provided the staff with an adequate basis to conclude that the designs of these protection systems were adequate and that the consequences of these design basis accidents would not be significantly affected by malfunctions in plant control systems.

The staff has recognized that there are drawbacks in the approach discussed above, in that the events considered in the analysis do not bound all events which can be postulated. For example, a recent letter from Westinghouse Electric Corporation to one of their operating plant customers (Attachment 1) identified a number of control systems that could potentially malfunction if impacted by adverse environments due to a high energy line break inside or outside containment. Westinghouse indicated that the effects of such failures could lead to high energy line break consequences more severe than those presented in the safety analysis reports. The staff responded by issuing a letter to all operating light water reactors (Attachment 2) requesting that each licensee review their plant design in light of this concern and respond within (20) days with regard to whether operation of their plant should be modified, suspended, or revoked.

It is expected that evaluations will be performed to evaluate the consequences of these and other potential control system failures which can be postulated, to ensure that, while this safety concern may exist, the overall conclusions regarding the adequacy of plant protection features and the operator actions necessary to mitigate these events are adequate to meet all safety criteria necessary to permit continued plant operation.

The staff has raised questions regarding the acceptability of multiple challenges to the reactor protection system due to problems related to control system actions at several B&W plants (Attachment 3).

The Crystal River events mentioned by Mr. Basdekas are discussed in Attachment 3.

The events were either initiated by equipment malfunction or operator induced. While none of these events led to significant consequences, the frequency with which these events have occurred has highlighted the need to give greater regulatory attention to the control systems involved.

In a very related way, the "Lessons Learned Task Force Status Report and Short-Term Recommendations, NUREG-0578" required in Section 2.1.9 that analysis of design and off-normal transient and accident scenarios be performed, including operator actions not previously analyzed. This position requires that, in addition to the normal single failure assumption, consequential failures shall also be considered. The staff also required that operator errors that could cause the complete loss of safety function shall also be considered. Thus it is expected that through these efforts a variety of event trees will be investigated for their probability of occurrence as well as possible consequences.

In response to this requirement, the B&W Owners' Group (TMI Effects Subcommittee) has discussed with the staff a program they intend to follow to be responsive to this requirement. Briefly, the program has the following objectives:

Investigate a wide range of reactor plant transients, including failures not normally considered in Safety Analysis Reports.

Provide appropriate information to the plant operators to enable them to deal effectively with abnormal transients.

Promote a better understanding of system fundamentals and abnormal transient operation.

The B&W owners have stated that the engineering support to accomplish these objectives is estimated at 30,000 man-hours, independent of the efforts that will be provided at each licensee plant. The staff is currently reviewing the program to better understand how responsive this program is to the requirement stated in NUREG-0578 and the time necessary to implement the program.

Recognizing the importance of control systems and the role those systems can play in both the initiation and mitigation of off-normal events, the staff has a number of other initiatives either in the planning stage or presently underway to enhance our knowledge of these systems. These initiatives are aimed at improving our understanding of possible control system failure mechanisms and their frequency of occurrence, and at establishing the effects of these failures.

As a followup to the TMI-2 events, the Commission issued orders to the B&W operating plants. As part of these orders, B&W was required to submit to the NRC staff a failure modes and effects analysis of the Integrated Control System. This analysis has been completed and the results are included in a B&W report entitled "Integrated Control System Reliability Analysis," BAW-1564, August 1979.

The report includes a number of recommendations by B&W regarding improvements in the performance of the ICS and related systems. The staff is presently reviewing this report with the assistance of Oak Ridge National Laboratory. Recommendations regarding possible system improvements will be developed and future work will be defined.

As part of this effort, ORNL is investigating the possibility of producing a computer simulation of a representative B&W plant which would include plant control systems. Such a simulation, if it proves feasible, would allow us to evaluate a variety of different kinds of control system failures, including the effects of plant dynamics.

The staff has for some time recognized the need for criteria for equipment and systems important to safe plant operation but which need not be designed in compliance with safety system requirements.

In 1977, the Office of Standards Development was requested to begin the development of such criteria, but no work was done because of the unavailability of manpower in both OSD and NRR. We have recently held discussions with OSD regarding the need to begin the development of these criteria, and they agree with the need to proceed. Further work is being delayed until the Lessons Learned Task Force decides on the scope of equipment to be covered by the criteria.

Prior to the TMI-2 event, the staff had begun to investigate the interaction of the various plant systems. This activity, defined in Task Action Plan TAP-A17, "Systems Interaction in Nuclear Power Plants," involves the application of fault tree methodology as a means of systematically reviewing plant systems for susceptibility to systems interactions.

Particular emphasis is being placed on the presumed redundancy and independence of safety systems. As Mr. Basdekas notes in his memorandum, this analysis does not treat the dynamic aspects of control-protection system interactions.
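The two review assumptions discussed above, the non-mechanistic single malfunction (the loss-of-feedwater example) and the A-17 concern about presumed redundancy and independence of safety systems, can be made concrete with a small support-system dependency model. The following is an added example written for this page; it is not code from the memo, the NRC staff, or any of the vendors named, and the plant dependency table (bus and train names) is constructed and hypothetical.

```python
"""Support-system dependency propagation for a hypothetical plant (constructed example).

Contrasts the non-mechanistic treatment of an initiating event (only the
named equipment is lost) with a mechanistic trace in which a support-system
failure is followed to every component it feeds, and checks whether two
nominally redundant trains share a support component.
"""
from collections import deque

# Hypothetical dependency table, constructed for this example:
# component -> the support components it depends on.
DEPENDS_ON = {
    "main_feedwater_pumps": ["bus_1A"],
    "feedwater_control": ["bus_1A"],
    "pressurizer_heaters": ["bus_1A"],
    "aux_feedwater_train_A": ["bus_1A"],
    "aux_feedwater_train_B": ["bus_1B"],
    "bus_1A": ["offsite_power"],
    "bus_1B": ["offsite_power"],
}


def nonmechanistic_event(event_components):
    """SAR-style treatment: the event is defined by the equipment lost, no cause identified."""
    return set(event_components)


def propagate(initiating_failures, depends_on=DEPENDS_ON):
    """Mechanistic treatment: return every component lost once the given failures
    are followed through the dependency table (breadth-first)."""
    lost = set(initiating_failures)
    queue = deque(initiating_failures)
    while queue:
        failed = queue.popleft()
        for component, supports in depends_on.items():
            if component not in lost and failed in supports:
                lost.add(component)
                queue.append(component)
    return lost


def coincident_failures(event_components, mechanistic_cause, depends_on=DEPENDS_ON):
    """Equipment that fails along with the analyzed event when a specific cause is
    assigned to it, but that the non-mechanistic analysis never sees."""
    return (propagate([mechanistic_cause], depends_on)
            - nonmechanistic_event(event_components)
            - {mechanistic_cause})


def _support_closure(component, depends_on):
    """All support components, direct or indirect, that a component relies on."""
    seen, stack = set(), [component]
    while stack:
        current = stack.pop()
        for support in depends_on.get(current, []):
            if support not in seen:
                seen.add(support)
                stack.append(support)
    return seen


def shared_supports(train_a, train_b, depends_on=DEPENDS_ON):
    """Support components common to two supposedly independent trains.
    Any result is a single point that defeats the presumed redundancy."""
    return _support_closure(train_a, depends_on) & _support_closure(train_b, depends_on)


def redundancy_survives(trains, failures, depends_on=DEPENDS_ON):
    """True if at least one of the listed trains is still available after the
    given failures have propagated through the dependency table."""
    lost = propagate(failures, depends_on)
    return any(train not in lost for train in trains)


if __name__ == "__main__":
    event = ["main_feedwater_pumps"]           # "loss of all main feedwater"
    print("non-mechanistic:", sorted(nonmechanistic_event(event)))
    print("with bus_1A as cause, also lost:", sorted(coincident_failures(event, "bus_1A")))
    aux = ["aux_feedwater_train_A", "aux_feedwater_train_B"]
    print("shared supports of aux trains:", sorted(shared_supports(*aux)))
    print("aux feedwater survives bus_1A loss:", redundancy_survives(aux, ["bus_1A"]))
    print("aux feedwater survives offsite power loss:", redundancy_survives(aux, ["offsite_power"]))
```

With the constructed table, assigning a bus failure as the cause of the feedwater event also takes out feedwater control, the pressurizer heaters and one auxiliary feedwater train, none of which the non-mechanistic event definition includes; and the two auxiliary feedwater trains, independent at the bus level, share offsite power as a common support. A real A-17 style review would replace this table with the plant's actual support-system data and a fault tree rather than a simple dependency graph.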

We believe that this detailed analysis of control system malfunctions is unnecessary at this time.

Westinghouse also has a study underway that is closely related to A-17.

As a part of our review of the Westinghouse Integrated Protection System (IPS), we requested that an analysis be made of possible interactions between the IPS and the plant control systems and/or the engineered safety features (see NUREG-0493). The objective of this analysis is to assess the degree to which these interconnected systems are susceptible to common mode failure. The methodology which is currently being developed by Westinghouse for this purpose makes use of fault tree analysis. The Westinghouse study will not only give us additional insight into the interaction of complex control and protection systems, but it should also provide us with additional guidance on methodology for assessing the impact of control system failures for other plant designs.

Finally, we are planning to devote more manpower to the analysis of operating experience. Events have occurred in the past which have received insufficient review effort. Such events can indicate the existence of control system problems and possible problems associated with operator errors. This knowledge should be fed back into the review process. It will also be useful input to a technical assistance effort to be initiated shortly on control room design improvements.

We believe each of these initiatives will add to our understanding of the importance of control system malfunctions and operator action and help us confirm the adequacy of our current review process. Our approach emphasizes only those concerns that we believe deserve immediate attention, thereby ensuring that limited staff resources are used wisely. We have not concluded that these concerns are of sufficient significance to warrant either the plant-by-plant control system analysis or the temporary reduction in power that Mr. Basdekas suggests would be prudent.

I hope this memo has been responsive to the concern highlighted by Mr. Basdekas.

If you have any questions, I will be glad to discuss them with you at your convenience.

Harold R. Denton, Director
Office of Nuclear Reactor Regulation

Enclosures: As stated

cc: Chairman Hendrie
Commissioner Gilinsky
Commissioner Bradford
Commissioner Kennedy
OGC
OPE
SECY
