ML20004F747

From kanterella
Certified Minutes of ACRS Subcommittee on Safety Philosophy, Technology & Criteria 810128 Meeting in Inglewood,Ca Re Preparation for Commissioner J Ahearne Request for ACRS Comments Concerning Requirements for New Plants
Person / Time
Issue date: 04/29/1981
From:
Advisory Committee on Reactor Safeguards
To:
Advisory Committee on Reactor Safeguards
References
ACRS-1821, NUDOCS 8106220271
Download: ML20004F747 (40)


Text

DATE ISSUED:

SAFETY PHILOSOPHY, TECHNOLOGY, AND CRITERIA SUBCOMMITTEE MEETING

JAN 28, 1981

LOS ANGELES, CALIF

The ACRS Subcommittee on Safety Philosophy, Technology and Criteria held a meeting on January 28, 1981 at the Best Western Airport Park Hotel, 600 Avenue of Champions, Inglewood, California. The purpose of this meeting was to discuss the views that Subcommittee members had as to the requirements for new (beyond NTCP) plants, in preparation for responding to Commissioner Ahearne's request for ACRS comments on this subject. Notice of this meeting was published in the Federal Register of January 15, 1981. A copy of the notice is included as Attachment A.

A list of the attendees is included as Attachment B.

A schedule for this meeting is included as Attachment C.

The handouts for this meeting are included as Attachment D.

No written statements or requests for time to make oral statements were received from members of the public. The meeting was attended by D. Okrent, Chairman; M. Bender, J. C. Mark, C. P. Siess, and D. Ward (Subcommittee members); and H. Etherington, Subcommittee consultant, and R. Savio of the ACRS Staff. Dr. Savio was the Designated Federal Employee for the meeting.

The meeting was opened at 1:00 pm on January 28, 1981 with a short presentation given by Dr. Okrent summarizing the schedule and the goals for the day's meeting. The discussions were adjourned at 5:30 pm on the same day. The entire meeting was held in open executive session.


EXECUTIVE SESSION

A number of ways of developing improved requirements were briefly discussed by the Subcommittee. These were:

(a) A reexamination of the hardware/procedure modifications which were implemented as a result of the TMI-2 accident review, to evaluate their effectiveness and the potential for developing more generic requirements from this experience.

(b) The use of probabilistic analysis as a basis for defining plant systems important to safety and developing design requirements.

(c) A review of the General Design Criteria as to their adequacy and their implementation in the Regulatory Guides and Branch Technical Positions.

(d) A review of the adequacy of the requirements for DHR systems in the U.S. and foreign countries and the basis for these requirements.

(e) The establishment of criteria dealing with sabotage and the evaluation of the overall effectiveness (in the sense of overall safety) of measures such as separation and controlled access.

The ACRS Staff (M. Libarkin, G. Quittschreiber, and J. C. McKinley) prepared a paper on proposed revisions to the GDCs dealing with decay heat removal, the single-failure criterion, and the treatment of common-mode failure. This paper is attached. The Subcommittee was in general agreement with the approaches suggested and felt that they merited further discussion and investigation.

The design philosophy associated with the German DHR systems was discussed. The designs generally utilize a high degree of redundancy and a bunkered train. It was suggested that the basis by which these designs were developed needed to be explored further by the Subcommittee.

The treatment of Class 9 accident scenarios was discussed. It was suggested that realistic core melt source terms should be used in this type of evaluation and that the necessary information should be developed. It was also suggested that an improved treatment of the hydrogen release hazard also needs to be developed and that the specific site characteristics need to be understood and considered.

Quantitative safety goals were discussed. It was proposed that the quantitative goals need to be established for the systems which prevent core melt. It was noted that it is very difficult to demonstrate either by analysis or by experiment that individual systems have a very low (10-3/yr to 10-4/yr) unavailability. Safety goals which require a lower unavailability would require the use of redundant/diverse systems and careful attention to avoiding common failure modes.

The adequacy of the single failure criteria was discussed. It was noted that the criterion is inadequate in itself when applied to systems with a high unavailability. In addition, consideration of common mode failure is necessary. Highly reliable performance is to be achieved with redundant/diverse systems.

The schedule for responding to Chairman Ahearne's requirements for new plants was discussed. It was agreed to attempt to have issued a response in July 1981. It is expected that another meeting on this subject will be held in about two months.

A list of action items generated at this Subcommittee meeting is included as Attachment E.

ATTACHMENT A

[Federal Register notice page; the three printed columns are interleaved in the scan. The notice for this meeting, reassembled from the page, reads as follows.]

Advisory Committee on Reactor Safeguards, Subcommittee on Safety Philosophy, Technology and Criteria; Meeting

The ACRS Subcommittee on Safety Philosophy, Technology and Criteria will hold a meeting at 1:00 p.m. on January 28, 1981 at the Best Western Airport Park Hotel, 600 Avenue of Champions, Inglewood, CA 90301. The Subcommittee will discuss requirements for new (beyond Near Term Construction Permit) reactor plants. Notice of this meeting was published December 22, 1980.

In accordance with the procedures outlined in the Federal Register on October 7, 1980 (45 FR 66535), oral or written statements may be presented by members of the public, recordings will be permitted only during those portions of the meeting when a transcript is being kept, and questions may be asked only by members of the Subcommittee, its consultants, and Staff. Persons desiring to make oral statements should notify the Designated Federal Employee as far in advance as practicable so that appropriate arrangements can be made to allow the necessary time during the meeting for such statements.

The entire meeting will be open to public attendance.

The agenda for subject meeting shall be as follows:

Wednesday, January 28, 1981, 1:00 p.m. until the conclusion of business

During the initial portion of the meeting, the Subcommittee, along with any of its consultants who may be present, will exchange preliminary views regarding matters to be considered during the balance of the meeting.

The Subcommittee will then hear presentations by and hold discussions with representatives of the NRC Staff, their consultants, and other interested persons regarding this review.

Further information regarding topics to be discussed, whether the meeting has been cancelled or rescheduled, the Chairman's ruling on requests for the opportunity to present oral statements and the time allotted therefor can be obtained by a prepaid telephone call to the cognizant Designated Federal Employee, Mr. Richard Savio (telephone 202/634-3267) between 8:15 a.m. and 5:00 p.m., EST.

Dated: January 12, 1981.
John C. Hoyle, Advisory Committee Management Officer.

[The same page also carries the tail of a preceding notice (Designated Federal Employee Mr. John C. McKinley, telephone 202/634-3287, with a determination under Subsection 10(d) of the Federal Advisory Committee Act that portions of that meeting may be closed under Sunshine Act Exemption (9)(B), 5 U.S.C. 552b(c)(9)(B)); the notice of the ACRS Subcommittee on Fort St. Vrain meeting on Tuesday, January 27, 1981 at the Fort St. Vrain Visitors Center, Platteville, CO (near Longmont, CO), to review operating experience, degree of success in eliminating the core power fluctuations, plans for testing and operation above 70% of rated power, core performance (fuel and structural), modifications, refueling, and shift manning requirements, with one or more closed sessions possible for predecisional information; and the notice of the ACRS Subcommittee on San Onofre Units 2 and 3 meeting on Saturday, January 31, 1981 at the Best Western Airport Park Hotel, Inglewood, CA 90301, with representatives of the Southern California Edison Company and the NRC Staff to review the seismology and geology related items for San Onofre Units 2 and 3 for an Operating License. Both of those notices are cut off at the bottom of the page.]

ATTACHMENT B

ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

DATE:

ATTENDEES PLEASE SIGN BELOW (PLEASE PRINT)

BADGE NO.   NAME   AFFILIATION

[Handwritten sign-in sheet, lines 1 through 20; the entries are not legible in the scan.]

ATTACHMENT C

SCHEDULE FOR JANUARY 28, 1981 SUBCOMMITTEE - SAFETY PHILOSOPHY, TECHNOLOGY, AND CRITERIA

EXECUTIVE SESSION: 1:00 until COB

ATTACHMENT D

UNITED STATES
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D. C. 20555

January 26, 1981

MEMORANDUM FOR: David Okrent, ACRS

FROM: M. W. Libarkin, Assistant Executive Director for Project Review

SUBJECT: PROPOSED REWRITTEN GENERAL DESIGN CRITERIA

As you requested, John McKinley, Gary Quittschreiber, and I have been considering possible modifications to selected general design criteria. We have focussed initially on those relating to decay heat removal and the single failure criterion. The enclosed suggestions are dual in nature: first, an approach which has had the benefit of somewhat broadened and more detailed consideration and which, we believe, is therefore more likely to be translatable into practical designs; second, an approach intended to go beyond that and address specific difficulties which have arisen in the course of Committee discussion, etc. As a result, we have included two decay-heat-removal-related concepts. One is largely "lifted" from recent German design criteria aimed at insuring the continued ability to remove decay heat; the second goes beyond that to address the subject from the standpoint that the secondary system may not be available. Similarly, the single failure criterion has been approached using an assumption that protection systems enjoy a higher functional reliability than other systems important to safety and that a general requirement for criteria, across the board, analogous to those which have been established for protection systems would be an improvement.* The second approach recognizes the questions which have been raised about current LWR protection systems (e.g., the use of untestable scram relays, etc.) and includes an attempt to describe all of the characteristics of common-mode failure and to write criteria which would preclude those which are design-related.

* WASH 1400 and more recent ATWS related studies gave RPS failure in the range 10- to 10- ; WASH 1400 also gave failure probabilities for important hydraulic systems on the order of 10- . [The exponents are illegible in the scan.]

BACK-UP RESIDUAL HEAT REMOVAL

Discussion

It has been frequently mentioned during ACRS meetings that significant improvements could and should be made in the capability of U.S. nuclear power reactors to remove the residual heat following a scram and the loss of the normal heat sinks.

The Committee has expressed its concern that some of the residual heat removal (RHR) systems are of low pressure design and must be reliably isolated from the primary system until that system can be depressurized (Generic Item No. 48 - Isolation of Low Pressure from High Pressure Systems).

Example has also been made of the German "bunkered system" as a feature that should be added to U.S. reactors.

A study at UCLA by J. C. Ebersole and D. Okrent proposed "An Integrated Safe-Shutdown Heat Removal System for Light Water Reactors" (UCLA-Eng-7651, May 1976).

The current requirements for RHR are contained in General Design Criterion No. 34.

"Criterion 34 - Residual heat removal. A system to remove residual heat shall be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded.

Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure."

The German RHR requirements are set out in the RSK Guidelines with the requirements for Emergency Core Cooling.

"22. Systems for Post-Incident Heat Removal

"22.1 Emergency Core Cooling and Residual Heat Removal System

(1) A reliable and efficient redundant emergency core cooling and residual heat removal system shall be available for the removal of heat after loss-of-coolant accidents. The system shall be capable of keeping core temperatures at long-term low values in case of an occurrence of leaks and breaks in the pressure-retaining boundary as specified in Sec. 21.1...."

"22.2 Emergency System

(1) In case the control room is not in a functionable state it shall be assured that the emergency system will bring the plant into a safe state without any manual intervention and that the plant can remain in this state for at least 10 hours. In addition, it shall be possible, with the aid of the emergency system by a blowdown on the secondary side, to bring the plant into a state which will permit the subsequent residual heat removal through the special emergency heat removal system. [Word illegible] redundancy is required for this emergency heat removal system.*

Emergency measures need not be automated if there is sufficient time available prior to their initiation or if their initiation can be provided for by administrative measures. Local auxiliary measures may be reverted to for the long-term control in an emergency case."

"(2) In detail, the emergency system shall comply with the following safety-related requirements:

1. Components and subsystems of the emergency system shall be protected against external events and events caused by third parties.

2. A consistent separation of the emergency system from other nuclear power plant systems shall prevent the function of the emergency system from being unacceptably affected by damage caused in plant areas which may be destroyed. This applies not only to process systems but also to energy supply systems and the reactor protection system.

3. In addition, the separation shall assure that unauthorized interventions or maloperations in the control room or in other plant areas which are not especially protected cannot lead to any unacceptable impairment of the function of the emergency system.

4. Any intervention in the emergency system, be it for operational reasons or testing purposes, shall be prohibited if such intervention cannot be made undone or completed in case of an emergency and will lead to an unacceptable impairment of the function of the system."

* Emphasis added

Proposal

In order to provide an additional means of removing residual heat in U.S. reactors an additional design criterion is proposed as follows:

"34.a.1 A backup residual heat removal system shall be provided. This system shall be designed to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and design conditions of the reactor coolant boundary are not exceeded. The system shall be capable of operation over the full range of primary system temperature and pressure. It shall keep the reactor core within specified limits for at least n* hours without replenishment of consumable materials (fuel, water, lubricants, etc.) and there shall be sufficient consumable material on site for at least seven days of continuous operation."

* n = 10 hours in the German guidelines.

The above performance requirements are within the current design capability since all German reactors have such a capability.

If it is desired to make the backup system more reliable than the German practice, a second part of the criterion would be:

"34.a.2 The backup residual heat removal system will be dedicated to this purpose only and shall have its own power supply and be independent of all other plant systems. It shall be protected against impacts from both externally and internally generated missiles as well as from the effects of crashing aircraft. The backup system shall be spatially and systemically separated from other heat removal systems so that no single credible event could incapacitate all systems. It shall have such redundancy in components and features, and suitable interconnections, leak detection and isolation capabilities to assure that the system's function can be accomplished assuming a single failure of passive or active components and multiple active component failures for those credible events where common mode failure could result from adverse environmental conditions, extreme plant conditions, or maintenance errors of a generic nature."

This reliability requirement attempts to incorporate the German requirements and add redundancy and common mode failure protection. It is an attempt to improve on the U.S. single failure criterion. No system has yet been designed to such requirements.

Since the proposed system is safety grade it should have QA, inspection, and testability; therefore a third part of the criterion would be:

"34.a.3 The backup residual heat removal system shall have components and shall be arranged in such a way as to meet the standards of design, quality and testability for systems important to safety."

This quality assurance and testability requirement is the same as for current systems that are important to safety.

Supplemental Thoughts

In addition, it has been suggested by at least one ACRS member (J. C. Ebersole) that nuclear power plants should have the capability to achieve the cold shutdown condition using only safety grade equipment and that one such method would be a bleed-and-feed capability on the primary system.

If it is desired that the backup system be independent of the PWR steam generators then another high pressure heat transfer system would be required. To accomplish this, the criterion could be phrased as follows:

"A backup residual heat removal system shall be provided that is independent of the secondary system. This system shall be designed to transfer fission product decay heat and...."

The above proposals are tentative and no attempt has been made to analyze costs, practicability, or risk reduction. The proposal is aimed at providing a residual heat removal system that is capable of reliably operating over the full range of reactor conditions, is independent of other secondary systems, and is protected from adverse external influences.

SUPPLEMENT TO SINGLE FAILURE CRITERION

10 CFR 50 Appendix A states "Multiple failures resulting from a single occurrence are considered to be a single failure." Criteria 17, 34, 35, 38, 41, and 44 require that the system safety function can be accomplished assuming a single failure; therefore, the existing General Design Criteria do require consideration of the Common Cause/Common Mode (CC/CM) failures; however, no systematic approach has been used to ensure that multiple failures resulting from a single occurrence are adequately covered, especially with regard to fire, flood, earthquake, and human error occurrences.

The General Design Criteria do expand on the single failure criteria for reactor protection systems in Criteria 21 and 22, and provide a specific approach to ensure that multiple failures do not result from single, initiating failures.

Reactor Protection Systems in nuclear plants are designed to more stringent criteria than other nuclear systems in present day plants and are probably the less susceptible to loss of safety function due to CC/CM failures. The special requirements for protection systems in Criteria 21 and 22 could be applied to other safety systems.

The present single failure wording in Criteria 17, 34, 35, 38, 41, and 44 could be modified to assure that randomness of failure of redundant systems is not breached by the influence of interactions of other systems or by interactions from the same system using the requirements for protection systems in Criteria 21 and 22. The principal difference resulting from such a change is that at least three trains for each safety system would likely be needed in order to allow one train to be out of service for testing, maintenance, or repair.

Modify Criteria 17, 34, 35, 38, 41, and 44 as follows:

The system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the system shall be sufficient to ensure that (1) no single failure results in loss of the system function and (2) removal from service of any component, train, or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the system can be otherwise demonstrated.

The system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant trains or channels do not result in loss of the system function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques such as physical separation, barrier protection, functional diversity or diversity in component design, and principles of operation, shall be used to the extent practical to prevent loss of the system function.
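The following Python is an added illustration, not part of the memo or of the Subcommittee's material. It puts numbers behind two points made above: the Executive Session remark that a low unavailability goal (the minutes cite 10-3/yr to 10-4/yr) forces the use of redundant/diverse systems with attention to common failure modes, and the proposed criterion wording that no single failure may defeat the function and that one train may be out of service for maintenance. It uses the beta-factor common-cause model, which is this example's assumption rather than anything the memo prescribes; the per-train unavailability q, the common-cause fraction beta, and the goal value are constructed.

```python
# Added illustration, not from the memo: a beta-factor common-cause model.
# Assumptions (constructed for this example):
#   q     = per-demand unavailability of one train
#   beta  = fraction of q that is common-cause, i.e. takes out every train at once
#   the system works if at least one available train works (1-out-of-n)
#   a train removed for testing or maintenance just reduces the available count


def system_unavailability(n_trains: int, q: float, beta: float,
                          trains_out_of_service: int = 0) -> float:
    """Unavailability of a 1-out-of-n redundant system under the beta-factor model."""
    if not (0.0 <= q <= 1.0 and 0.0 <= beta <= 1.0):
        raise ValueError("q and beta must be probabilities in [0, 1]")
    available = n_trains - trains_out_of_service
    if available <= 0:
        return 1.0  # no train left to perform the safety function
    q_independent = (1.0 - beta) * q  # random failures, one train at a time
    q_common = beta * q               # shared-cause failure of all trains
    # Independent failures must hit every available train; common cause hits all at once.
    return q_independent ** available + q_common


def common_cause_floor(q: float, beta: float) -> float:
    """The unavailability that adding more identical trains can never get below."""
    return beta * q


def evaluate_proposed_wording(n_trains: int, q: float, beta: float, goal: float) -> dict:
    """
    Check a design against the two clauses of the proposed criterion text:
    (1) no single failure defeats the function, and (2) one train may be removed
    from service without losing the required minimum redundancy. Clause (1) needs
    two trains; satisfying it while one train is out needs three. The unavailability
    goal is a constructed number, not one the memo sets.
    """
    one_out = system_unavailability(n_trains, q, beta, trains_out_of_service=1)
    return {
        "single_failure_ok": n_trains >= 2,
        "maintenance_ok": n_trains >= 3,
        "unavailability_one_train_out": one_out,
        "meets_goal_with_one_train_out": one_out <= goal,
    }


if __name__ == "__main__":
    q, goal = 1e-2, 1e-4  # constructed: one failure per 100 demands; goal of 1e-4
    print(f"per-train q={q}, goal={goal}")
    for beta in (0.1, 0.01, 0.0):
        row = [f"{system_unavailability(n, q, beta):.2e}" for n in range(1, 5)]
        print(f"beta={beta:<5} 1..4 trains: {row}  floor={common_cause_floor(q, beta):.1e}")
    for n in (2, 3, 4):
        print(n, evaluate_proposed_wording(n, q, beta=0.01, goal=goal))
```

The table the script prints makes the memo's argument visible: with beta = 0.1 a second train barely helps (the system sits at the floor beta*q of about 1e-3 whatever the train count), with beta = 0.01 three identical trains still cannot reach 1e-4 once one is out for maintenance, and only lowering beta (diversity, separation, independent maintenance) moves the floor. The three-train requirement is what keeps the single-failure clause true while a train is out of service.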

PROBABILISTIC ASSESSMENT CRITERIA

Professor Birkhofer, RSK, said in a paper IAEA-CN-30/6.5 given at the Stockholm 20-24, 1980 IAEA Meeting:

"The 'Safety Criteria' of the Federal Minister of the Interior demand: 'In order to verify the well-balancedness of the safety concept, and to supplement the deterministic methods of safety assessment of reactors, the reliability of safety-related systems and main components should be evaluated using probabilistic methods as far as this is possible according to the state of the art with sufficient accuracy'".

The Single Failure Criteria could be supplemented with the following probabilistic assessment criteria to demonstrate the acceptability of the overall system design by requiring the following:

The deterministic safety design criteria should be supplemented on safety-related portions of the plant, using "state-of-the-art" probabilistic assessment methods. Weak points of system design should be detected and corrected as practical. Relative probabilistic assessment should be used to decide on system options, to optimize maintenance procedures, and to determine appropriate maximum allowable repair times in redundant systems.

Since there have been questions raised about the adequacy of RPS designs (e.g., as ATWS initiators in connection with the testability of scram relays, etc.), a different approach may be thought more desirable.

Discussion

A widespread perception has been evidenced recently within the ACRS and among others that the single failure criterion does not assure adequate functional reliability, and that multiple failures must be considered. For purposes of this discussion, it will be assumed that what is intended is the consideration in design of common-mode failures of components or systems, and not simultaneous or sequential, multiple random failures.

It is proposed to retain the single failure criterion where it now appears in the G.D.C., but to augment it by requiring the affected system designs to accommodate those common-cause failure mechanisms which are amenable to mitigation by design approaches.

WASH-1400, in a discussion of the treatment of common-mode failure, provided listings of classes of potential common-mode mechanisms and so-called Component Combination Properties which would indicate susceptibility to such failures. It is proposed to use these as an initial framework within which to consider the subject. (Not all types of common-cause failure mechanisms are included. An obvious omission is deliberate human intervention: sabotage).

TABLE 1 Classes of Potential Common-Mode Mechanisms

A. Design defects
B. Fabrication, Manufacturing and Quality Control 1/ Variations
C. Test, Maintenance, and Repair Errors
D. Human Errors
E. Environmental Variations (Contamination, Temperature, etc.) 2/
F. Failure or Degradation Due to an Initiating Failure
G. External Initiations of Failure

1/ It is not clear that Q.C. is appropriate since, except in the case of the most egregious mismanagement, it is likely to lead only to a failure to detect a defect and not to the defect itself.

2/ Accident and non-accident

TABLE 2 Component Set Properties Indicating Potential Common-Cause Susceptibility

1. All components identical in type and specification (A,B) 1/
2. Components all under the same maintenance or test (C)
3. All components having similar failure sensitivity (E,G)
4. Components all in the same locations (E,F,G)
5. Components all exposed to a possible accident environment (E)
6. All components loaded or degraded by a previous failure (F)
7. All component failures human-initiated (D)

Examples of Modified G.D.C.

A design criterion incorporating the single failure criterion was chosen as an example of how common cause failure modes could be recognized as contributors to functional unreliability in modifying the G.D.C. The added language would be incorporated wherever in the G.D.C. the single failure criterion was invoked.

1. Criterion 44 - Cooling Water

"A system to transfer heat from structures, systems, and components important to safety, to an ultimate heat sink, shall be provided. The system safety function shall be to transfer the combined heat load... under normal operating and accident conditions.

Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that...the system safety function can be accomplished, assuming a single failure."

In addition, components comprising this system, and which are considered part of a redundant set, shall not be identical in type and specification, shall not be located within the same compartment or otherwise in proximity to one another, shall be designed or located such that failures leading to possible damaging influences such as heat or water do not commonly affect all of any redundant component set, and shall be so designed or arranged that any postulated mechanical or electrical failure of interconnected equipment does not commonly affect all of any redundant component set.

In connection with the last requirement, excesses in whatever service (e.g., voltage, frequency, flow, pressure, temperature, etc.) is provided or controlled by the system including the failed component should be considered, as well as "on-off" failures.

The proposed additional requirements are aimed at precluding classes A, B, E, F, and G of the potential common-mode mechanisms listed in Table 1. Some of the defining language was taken from the Committee's October 1979 report on the IP-3 systems interaction study.

As it stands, the added requirements were produced simply by using phrases intended to preclude the properties in Table 2 associated with those mechanisms (A, B, E, F, G) which are considered amenable to mitigation by design approaches. However, some of these have been the source of some controversy in the past, and perhaps that should be recognized. In particular: the requirement for diversity has been attacked on the grounds that, if a clearly superior design for a piece of equipment can be identified, it should be used; the requirement for compartmentalization has been attacked on the grounds that it makes access, inspection, etc. more difficult.

If it seems desirable to recognize these objections, the addition could be modified:

"In addition, components comprising this system, and which are considered part of a redundant set, shall not be identical in type and specification,1/ shall be located with adequate separation or protection to prevent failures in nearby systems or in this system from commonly affecting all of any redundant component set, shall be designed or located such that any failures leading to possible damaging influences such as heat or water do not....."

1/ This requirement is subject to a showing that none of the available component types is clearly superior in reliability to any others available.
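As an added example (not from the memo or the Subcommittee), the following Python turns Table 2's static properties and the "shall not" clauses of the added Criterion 44 language into a design-review check over a redundant component set, with the footnote 1/ relaxation for a component type shown to be clearly superior. The component attributes, the mapping of each clause to a Table 2 property, and the two sample sets are constructed for this example; Table 2 properties 6 and 7 depend on failure history and are not checked.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Added illustration, not part of the memo. Component attributes and sample sets
# are constructed; the property-to-class mapping is the one given in Table 2.


@dataclass(frozen=True)
class Component:
    name: str
    ctype: str                      # e.g. "motor-driven pump"
    spec: str                       # model or specification identifier
    location: str                   # room / compartment
    maintenance_group: str          # crew or procedure that tests and maintains it
    supply_bus: str                 # electrical or mechanical supply it depends on
    sensitivities: FrozenSet[str]   # damaging influences it is vulnerable to
    accident_environment: bool      # exposed to a post-accident environment


# Table 2 property number -> Table 1 mechanism classes (from the memo's tables)
PROPERTY_TO_CLASSES = {1: "AB", 2: "C", 3: "EG", 4: "EFG", 5: "E", 6: "F", 7: "D"}


def shared_sensitivities(components: List[Component]) -> FrozenSet[str]:
    """Damaging influences every component in the set is vulnerable to."""
    return frozenset.intersection(*(c.sensitivities for c in components))


def table2_properties(components: List[Component]) -> Set[int]:
    """Static Table 2 properties (1-5) the set exhibits; 6 and 7 need event data."""
    if len(components) < 2:
        raise ValueError("a redundant set needs at least two components")
    props = set()
    if len({(c.ctype, c.spec) for c in components}) == 1:
        props.add(1)  # identical in type and specification
    if len({c.maintenance_group for c in components}) == 1:
        props.add(2)  # all under the same maintenance or test
    if shared_sensitivities(components):
        props.add(3)  # similar failure sensitivity
    if len({c.location for c in components}) == 1:
        props.add(4)  # all in the same location
    if all(c.accident_environment for c in components):
        props.add(5)  # all exposed to a possible accident environment
    return props


def implicated_classes(props: Set[int]) -> Set[str]:
    """Table 1 mechanism classes the exhibited properties point at."""
    return {cls for p in props for cls in PROPERTY_TO_CLASSES[p]}


def criterion_44_violations(components: List[Component],
                            superior_type_shown: bool = False) -> List[str]:
    """
    Clauses of the added Criterion 44 language the set would fail. With
    superior_type_shown=True the relaxed wording (footnote 1/) applies and
    identical type/specification is allowed.
    """
    props = table2_properties(components)
    violations = []
    if 1 in props and not superior_type_shown:
        violations.append("identical in type and specification")
    if 4 in props:
        violations.append("located within the same compartment")
    if 3 in props and 4 in props:
        violations.append("a common damaging influence (%s) affects the whole set"
                          % ", ".join(sorted(shared_sensitivities(components))))
    if len({c.supply_bus for c in components}) == 1:
        violations.append("failure of interconnected equipment (shared bus) affects the whole set")
    return violations


# Constructed sample sets, not taken from any real plant.
IDENTICAL_SET = [
    Component("CW-P1", "motor-driven pump", "MDP-100", "Room 101", "crew-A", "bus-1A",
              frozenset({"water", "heat"}), True),
    Component("CW-P2", "motor-driven pump", "MDP-100", "Room 101", "crew-A", "bus-1A",
              frozenset({"water", "heat"}), True),
    Component("CW-P3", "motor-driven pump", "MDP-100", "Room 101", "crew-A", "bus-1A",
              frozenset({"water", "heat"}), True),
]
DIVERSE_SET = [
    Component("CW-P1", "motor-driven pump", "MDP-100", "Room 101", "crew-A", "bus-1A",
              frozenset({"water", "heat"}), True),
    Component("CW-P2", "turbine-driven pump", "TDP-50", "Room 205", "crew-B", "steam-header",
              frozenset({"steam"}), False),
]

if __name__ == "__main__":
    for label, cset in (("identical", IDENTICAL_SET), ("diverse", DIVERSE_SET)):
        props = table2_properties(cset)
        print(label, "Table 2 properties:", sorted(props),
              "classes:", "".join(sorted(implicated_classes(props))))
        print("  violations:", criterion_44_violations(cset) or "none")
```

Run as written, the identical set of three pumps exhibits properties 1 through 5 (classes A, B, C, E, F, G) and fails four clauses; the diverse two-pump set exhibits none. The superior-type flag removes only the diversity finding, which is the narrow relief the footnote grants.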

Subcommittee Action Items

1. Develop a list of specific examples as to where the Single Failure Criterion proved not to be adequate. The object would be to use these examples to gain insight as to how the Single Failure Criterion could be improved. The existing risk/reliability assessment and the existing review and operating experience would be sources of this information.

2. Develop a list of the GDCs dealing with CMA and a list of the Reg Guides, BTP, etc. which are used to implement this aspect of the GDCs.

3. Develop comparative system descriptions of the decay heat removal systems for the current BWR and PWR plants.

4. Schedule a session with the NRC Staff during which the current German DHR design philosophy and DHR designs can be discussed.

5. Schedule a closed sabotage session during which methods of improving the plants' resistance to sabotage can be discussed.

6. Schedule sessions during which the fundamental sabotage philosophy can be discussed, i.e. what kinds of sabotage can be prevented and what types of consequences will need to be mitigated.

7. Schedule discussions which deal with the types of sites and site characteristics which are important in a core melt accident and the instances in which filtered vents and core-retention devices will be beneficial. The discussion should address when a core melt into the ground would have acceptable consequences and what could be done to mitigate the consequences of such an event. Public acceptance of such an event, even when it does not result in severe radiological consequences, should be considered.

8. Explore with the NRC Staff what could be done in the way of improving existing containment types if the manufacturer was not constrained by an existing design.

ATTACHMENT E