ML20086S648

From kanterella
Review of PASNY Sys Interaction Study
Person / Time
Site: Indian Point, 05000000
Issue date: 06/15/1981
From: Alesso H, Joseph Kelly
LAWRENCE LIVERMORE NATIONAL LABORATORY, SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
NRC
Shared Package
ML20083L077 List:
References
FOIA-83-618 NUDOCS 8403050035


Text


REVIEW OF THE PASNY SYSTEMS INTERACTION STUDY

H. P. Alesso, Lawrence Livermore National Laboratory
J. E. Kelly, Science Applications, Inc.

June 15, 1981

1.0 OBJECTIVE OF REVIEW

The objective of this review is to evaluate and make recommendations on the Systems Interaction (SI) methodology proposed by the Power Authority of the State of New York (PASNY) for application to Indian Point No. 3 (IP-3) [1].

2.0 BACKGROUND AND MOTIVATION OF REVIEW

A systematic procedure for the identification and evaluation of systems interactions is being developed by the NRC. Contributions by Battelle Memorial Institute and Brookhaven National Laboratory are being used for the development of future guidance and regulations. In addition, the Lawrence Livermore National Laboratory (LLNL) is assisting NRC in reviewing PASNY's proposed SI methodology for application to IP-3.

It is expected that experience and knowledge gained from the IP-3 application will lead to modifications of the SI efforts in other areas of the NRC program.

3.0 STATEMENT OF PROBLEM

This review must judge if PASNY's proposed SI methodology can succeed in solving the following problems:

1. identify SIs for non-connected and inter-connected systems for IP-3,
2. evaluate the associated safety hazard or risk of the SIs for non-connected and inter-connected systems for IP-3,
3. ensure that the NRC proposed scope of the problem is covered, and
4. provide insight for others working toward NRC SI regulations.


4.0 OUR REVIEW APPROACH

Our preference for a SI identification and evaluation procedure for application to Indian Point-3 was presented in our LLNL draft report. However, we have evaluated the PASNY proposal on the basis of its own merits to address the problems involved in SIs (see Section 3.0).

We examined the PASNY general methodology presented in Vol. 1 and the PASNY AFW example presented in Vol. 2 against our review criteria given in Section 3.0. We referred to the NRC Staff Letter Report [2] and to the LLNL SI Evaluation to IP-3 Procedure [3] for guidance and comparison.

Our definition of a systems interaction was taken from References 2 and 3. Recall that a systems interaction is a sequence of events leading to the violation of at least one vital safety criterion as a result of two or more component failures that are caused by a dependent failure (common-mode or common cause) [2,3]. The four vital safety criteria are:

1. the ability to achieve and maintain the entire core subcritical,
2. the ability to transfer decay heat from the reactor to the ultimate heat sink,
3. the ability to maintain reactor coolant pressure boundary, and
4. the ability to provide Engineered Safety Features.

5.0 OUR RESULTS

The general methodology presented in Vol. 1 consisted of a non-connected SI procedure and an independent inter-connected SI procedure.

The non-connected SI procedure examined common cause events (like a fire) and found all sources (non-safety-grade components) that could threaten the safety function of a target (safety-grade component). By establishing a criterion to fix any target whose safety function was lost, PASNY was acting conservatively.


Within the limitations of this assumption and repair criteria, their general procedure was satisfactory for the identification and evaluation of non-connected SIs. It encompassed the non-connected scope of the problem, and will provide useful information to others working in related areas.

Similarly, the non-connected portion of the AFW example presented in Vol. 2 was satisfactory. It demonstrated the capability of the non-connected SI procedure. We found the photographs, discussion sheets and cross-indexing to be a good format.

The PASNY inter-connected SI procedure, however, was not as successful.

In Vol. 1, chapters 5 and 6, a general procedure for identifying and evaluating inter-connected SI was presented.

Their definition of a system interaction was: "those events that affect the safety of the plant by one system acting upon one or more other systems in a manner not intended by design".

Briefly, the PASNY inter-connected SI procedure included:

1. The use of the Pickard, Lowe, and Garrick (PL&G) Probability Risk Assessment (PRA) study (which incidentally was an excellent PRA for individual safety systems),
2. Event trees for identifying accident paths and combinations of systems that could lead to core damage,
3. Fault trees for determining likelihood of various systems identified in the event tree accident paths,
4. Shutdown logic diagrams to combine systems and actions to generate success paths or operation sequences leading to the required safety function,
5. The identification of dependencies using safety auxiliary diagrams and auxiliary safety system commonality diagrams, and
6. The evaluation of SIs by using FMEA with fault trees as a backdrop.

The evaluation criteria used were to be completely subjective in nature.


While PASNY's very sketchy description of a general inter-connected procedure mentioned techniques that could succeed in identifying SIs, they were not carefully linked together. The information flow from one diagram to another is not described. The final identification of the accident sequences leading to core damage is not presented (PASNY is waiting on PL&G to supply these). Table 5-1 in Vol. 1 attempts to relate: (a) vital safety criteria, (b) safety functions, and (c) safety systems. It does this by a simple listing but fails to relate them according to consequence.

While these deficiencies in identifying inter-connected sis are serious, they can be overcome by further development within the framework established by PASNY. The subsequent inter-connected evaluation procedure, however, is inadequate. It consists of FMEA review of a single component in light of a common cause event.

In general, a FMEA review by itself is inadequate in evaluating inter-connected SIs. This is because it requires the analyst to make a subjective judgement that he is not qualified to make. He is asked to decide whether a combination of component failures (occurring due to a dependent failure) can lead to an undesirable consequence (like core damage) and how this SI ranks in relation to other SIs. The ranking is necessary in order to decide which repairs are to be given priority and which may be neglected.

The PASNY use of FMEA to evaluate a single component failure in relation to its compromising "its intended safety function" [1] is inadequate. Single components (even ones conditional on events) are not systems interactions, especially when they do not "dig" into the non-safety grade support systems (such as non-safety control and instrumentation). It would be more appropriate to use FMEA, at this point, as a decision tool. It would decide if the safety grade component was dependent on a non-safety grade support system. If it was, then a further analysis would be necessary, such as a fault tree of the non-safety grade system or (using PASNY's own suggested methodology) shutdown logic, auxiliary and commonality diagrams.

Another discrepancy in the inter-connected SI procedure is the lack of sufficient consideration for dynamic human error as required in the scope of the SI problem [2].

The inter-connected portion of the AFW example presented in Vol. 2 failed to demonstrate PASNY's inter-connected SI procedure. This failure is a result of the following:

1. it was inappropriate to select any single safety system for examination for the inter-connected portion of the analysis,
2. no auxiliary diagrams and commonality analysis were presented as a demonstration of their capability,
3. no combination of component failures leading to an undesired consequence and resulting from a dependent failure were identified,
4. no connection was made between how the fault tree and FMEA was used to evaluate SIs.

Table 1 summarizes our review conclusions. It gives a grade of satisfactory or inadequate to various aspects of the two independent PASNY procedures for both the general methodology and the AFW example.


Table 1  SUMMARY OF REVIEW CONCLUSIONS

                                   PASNY's General      PASNY's AFW
                                   Methodology          Example

For Non-connected Systems Procedure:
  1. Identifying SIs               SATISFACTORY         SATISFACTORY
  2. Evaluating SIs                SATISFACTORY         SATISFACTORY
  3. Covering NRC Scope            SATISFACTORY         SATISFACTORY
  4. Usefulness to Others          SATISFACTORY         SATISFACTORY

For Inter-connected Systems Procedure:
  1. Identifying SIs               SATISFACTORY (?)     INADEQUATE
  2. Evaluating SIs                INADEQUATE           INADEQUATE
  3. Covering NRC Scope            INADEQUATE*          INADEQUATE*
  4. Usefulness to Others          SATISFACTORY         INADEQUATE

* Did not include dynamic human error SIs


6.0 RECOMMENDATIONS

We recommend that:

1. PASNY continue to use their non-connected SI procedure for application to all safety systems at IP-3,
2. PASNY further develop its inter-connected SI procedure for identifying and evaluating SIs, document it in more detail, and provide a realistic demonstration of its capabilities. It should capture combinations of components whose failures are due to a dependent failure and which lead to a known consequence,
3. PASNY include dynamic human error in their inter-connected SI procedure,
4. after a satisfactory inter-connected SI procedure has been reviewed by NRC and LLNL, PASNY should apply it to IP-3, and
5. others working in related NRC SI projects review the PASNY "Systems Interaction Study" for their own edification along with NRC's review of the study.


REFERENCES

1. "Power Authority of the State of New York Indian Point No. 3 Systems Interaction Study", Vol. 1 and 2, EBASCO Services, Inc.
2. "The Systems Interaction Branch Approach to Systems Interactions in LWRs", Draft Staff Summary Letter Report, February 1981.
3. J. Lim, H. P. Alesso, T. R. Rice, R. K. McCord, and J. E. Kelly, "Systems Interaction Evaluation Procedure for Application to Indian Point-3", NUREG/CR-2050, May 1981.


UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

JUL 17 1981

Docket No. 50-286

MEMORANDUM FOR: Steven A. Varga, Chief, Operating Reactors Branch No. 1, DL

FROM: L. Olshan, Project Manager, Operating Reactors Branch No. 1, DL

SUBJECT: FORTHCOMING MEETING WITH POWER AUTHORITY OF THE STATE OF NEW YORK REGARDING INDIAN POINT 3

DATE AND TIME: Friday, July 24, 1981, 10:00 AM

LOCATION: Phillips Building P-114

PURPOSE: To discuss Systems Interactions Study.

PARTICIPANTS:

NRC Requested Participants: J. Conran, F. Coffman, E. Chelliah, J. Thoma

L. Olshan
Project Manager
Operating Reactors Branch No. 1
Division of Licensing

Enclosure: Agenda

cc: See next page


Mr. George T. Berry
Power Authority of the State of New York

cc:

White Plains Public Library
100 Martine Avenue
White Plains, New York 10601

Mr. J. P. Bayne, Senior Vice Pres.
Power Authority of the State of New York
10 Columbus Circle
New York, New York 10019

Mr. Charles M. Pratt
Assistant General Counsel
Power Authority of the State of New York
10 Columbus Circle
New York, New York 10019

Mr. John C. Brons, Resident Manager
Indian Point 3 Nuclear Power Plant
P.O. Box 215
Buchanan, New York 10511

Ms. Ellyn Weiss
Sheldon, Harmon and Weiss
1725 I Street, N.W., Suite 506
Washington, D. C. 20006

Ezra I. Bialik
Assistant Attorney General
Environmental Protection Bureau
New York State Department of Law
2 World Trade Center
New York, New York 10047

Dr. Lawrence D. Quarles
Apartment 51
Kendal at Longwood
Kennett Square, Pennsylvania 19343

Mr. George T. Berry, President and Chief Operating Officer
Power Authority of the State of New York
10 Columbus Circle
New York, New York 10019

Mr. George M. Wilverding
Manager - Nuclear Licensing
Power Authority of the State of New York
10 Columbus Circle
New York, New York 10019

Theodore A. Rebelowski
Resident Inspector
Indian Point Nuclear Generating
U. S. Nuclear Regulatory Commission
Post Office Box 38
Buchanan, New York 10511

Joan Holt, Project Director
New York Public Interest Research Group, Inc.
5 Beekman Street
New York, New York 10038


PROPOSED MEETING AGENDA
Discussion of Indian Point 3 Systems Interaction Analysis
July 22, 1981

I. INTRODUCTION/BACKGROUND

  A. NRC Philosophy on SI Analysis (NRC)
    1. Concentrate on safety/nonsafety system dependencies and nonsafety system failure effects
    2. Consider significant operating experience in scoping SI analysis effort and in demonstrating effectiveness of methodology employed

  B. Relationship between PRA and SI (NRC)
    1. Historical perspective (PRA and SI essentially complementary)
    2. Current efforts (More SI included in PRA)
    3. Future direction (Comprehensive PRA could include SI)

II. DISCUSSION OF INITIAL IP-3 SUBMITTAL AND NRC REVIEW COMMENTS

  A. Definition of SI and Application of Single Failure Criterion
    1. Degradation of safety system vs defeat of safety function (NRC)
    2. Treatment of SI that aggravate accident conditions or exceed safety system capability (NRC)
    3. Identification of critical safety functions and corresponding plant systems/components (e.g., how is PORV treated?) (PASNY)

  B. Interconnected Systems Interaction Analysis
    1. How do shutdown logic diagrams, safety system auxiliary diagrams, and auxiliary safety system commonality diagrams fit together with FMEAs and PRA event trees/fault trees to identify adverse systems interactions? (Amplify on Vol. I description) (PASNY)
    2. Treatment of nonsafety control system failure effects, nonsafety power supply effects, and nonsafety instrumentation display failure effects
      a. IEB 79-22 submittal inadequate for SI purposes (NRC)
        -- considers only one type of environmentally induced failure
        -- does not consider all nonsafety control systems
        -- based on FW HELB analysis where break sizes/locations are chosen for direct effects on safety systems
      b. Misinterpretation by PASNY of NUREG-05 8 "requirement" for nonsafety system analysis (NRC)
      c. Possible alternative approaches for treatment in IP-3 SI program
        -- investigate use of Indian Point simulator (PASNY)
        -- comprehensive dependency analysis (e.g., digraph) (NRC)
        -- current ICSB review approach, as reflected in SNUPPS questions provided to PASNY

  C. Nonconnected Systems Interaction Analysis
    1. Criteria/methodology presented in Vol. I appear generally very good (NRC)
    2. Should take credit explicitly for SI analysis already done in fire protection, flooding, HELB analyses, etc. (NRC)
    3. Describe in greater detail how and to what extent SRP/Reg. Guide guidance used for SI analyses in (2) will be applied in determining effects of fire, flooding, HELB, etc., on nonsafety control systems, power sources, instrumentation cabling, etc. (which could in turn adversely influence safety functions)

III. SAFETY CLASSIFICATION TERMINOLOGIES/IP-3 HEARING ISSUES

  A. Use definitions developed in NRC TMI-1 Restart Hearing Testimony (NRC)
  B. Systems Interaction--Major Issue in IP-3 Hearing (PASNY) (What is current hearing schedule?)

IV. SCHEDULE FOR COMPLETION OF IP-3 SI PROGRAM

  A. Final Submittal/ACRS Meeting, Sept. 1981 (PASNY/NRC)
  B. NRC Audit-Review/Walk-Through (NRC)
  C. SER on IP-3 SI Program, March 1982 (NRC)


MEETING NOTICE
OPERATING REACTORS BRANCH No. 1
DIVISION OF LICENSING

DISTRIBUTION:
Docket File
NRC PDR
Local PDR
ORB No. 1 Rdg File
J. Olshinski
[illegible] (Emergency Preparedness)
Project Manager
OELD
I&E (3)
Receptionist
NRC Participants
NSEC
TERA
ACRS (10)


UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

Docket Nos.: 50-247 and 50-286

MEMORANDUM TO: Ashok Thadani, Chief, Reliability and Risk Assessment Branch, Division of Safety Technology, NRR

THRU: Franklin D. Coffman, Jr., Section Chief, Systems Interaction Section, Reliability and Risk Assessment Branch, Division of Safety Technology, NRR

FROM: James H. Conran, Principal Systems Engineer, Systems Interaction Section, Reliability and Risk Assessment Branch, Division of Safety Technology, NRR

SUBJECT: TRANSMITTAL OF MEETING SUMMARY AND STATUS REPORT

Attached is a combined "Meeting Summary and Status Report" relating to the Indian Point-3 systems interaction study effort. This report is principally a summary of discussions of a July 24, 1981 meeting between the Systems Interaction staff and the Indian Point-3 licensee (PASNY) and their contractor (EBASCO). The purpose of that meeting was to discuss the staff's final review comments on PASNY's preliminary submittal describing the proposed IP-3 systems interaction study program. The report is in the format of a "Meeting Summary"; however, since the report also reflects developments subsequent to the meeting (e.g. as recent as the simulator trials at the Indian Point facility on September 23-24), it is also termed "Status Report".

James H. Conran
Systems Interaction Section
Reliability and Risk Assessment Branch
Division of Safety Technology, NRR

Attachments - Report as stated in text

cc: T. Murley - DST, M. Ernst - DST, J. Thoma - DL, J. Greismeyer - ACRS staff


MEETING NOTICE DISTRIBUTION

Docket File
J. Stolz
NRC PDR
S. Hanauer
Local PDR
P. Collins
TIC
D. Vassallo
NSIC
D. Ziemann
TERA
T. Murley
Branch File
F. Schroeder
E. Case
K. Kniel
D. Eisenhut
O. Skovholt
R. Purple
G. Knighton
T. Novak
M. Ernst
S. Varga
W. Minners
T. Ippolito
E. Adensam
R. A. Clark
A. Thadani
N. Hughes
ACRS (16)
R. Tedesco
Attorney, OELD
J. Youngblood
OIE (3)
A. Schwencer
OSD (7)
F. Miraglia
Licensing Assistant
K. Parrish
J. R. Miller
J. LeDoux, I&E
G. Lainas
I&E Headquarters
D. Crutchfield
I&E Region I
W. Russell
I&E Region II
J. Olshinski
I&E Region III
R. Vollmer
I&E Region IV
R. Bosnak
I&E Region V
F. Schauer
R. E. Jackson

NRC Participants:
G. Lear
L. Olshan
W. Johnston
J. Thoma
S. Pawlicki
F. Coffman
V. Benaroya
E. Chelliah
Z. Rosztoczy
J. Conran
W. Haass
D. Muller

Licensee Participants:
R. Ballard
J. Lamberski - PASNY
Y. Kishinevsky - PASNY

V. Moore
R. Mattson
P. Check
F. Congel
O. Parr
F. Rosa
W. Butler
W. Kreger
R. W. Houston
W. Gammill
L. Rubenstein
T. Speis
M. Srinivasan
B. Grimes
S. Schurtz
F. Pagano
S. Ramos
J. Kramer

outline for his presentation which summarized the ways that the NRR SI staff has "cross-cut" the overall SI topic, as its thinking has developed and evolved over the past 1 year. That presentation and subsequent discussion throughout the meeting developed the following important points:

o Systems interaction analysis involves (1) the systematic search for heretofore "hidden" or inadequately analyzed interconnections or couplings that link safety and non-safety systems in the reactor plant, and (2) the evaluation of the effects of non-safety system failure (or maloperation) propagated into the safety system by such interconnections/couplings.

o The SI staff stated that the treatment of SIs that aggravate accident conditions and exceed the capabilities of installed safety systems (in addition to SI's that degrade safety system capability) is considered to be within the scope of a comprehensive SI analysis. And methods are available for treating a number of types of SI's, as outlined in Enclosure 3. The SI staff acknowledged, however, that methods are not now available for treating comprehensively the so-called "higher-order" type SI's in interconnected systems. The capability does now exist for treating thoroughly specific events (or postulated events) involving higher-order SI's (e.g., as was done in the extensive analyses of the TMI-2 accident, the Crystal River loss-of-coolant event, the Brown's Ferry partial scram failure, etc.). But the SI staff believes that improved simulator/engineering analyzer capability must be developed if "higher-order" type SI's can be treated systematically and comprehensively in future SI studies.

o The staff emphasized that consideration of operating experience is an important element in the systems interaction analysis of a facility and should be treated explicitly in the IP-3 SI study. Extrapolation of events that have actually occurred is, of course, an effective and accepted method for identifying additional potential SI's with nexus to what has already actually occurred. Consideration of operating experience can also be useful in another important way. The suitability/workability of a proposed SI analysis methodology can be demonstrated if it can be shown that application of that methodology will identify and lead to correction of adverse systems interactions similar to those that have occurred in the past.

o With regard to the question of suitability/workability of various analytical methods for SI analysis purposes, the SI staff does not feel that Event Tree/Fault Tree methods have yet been satisfactorily demonstrated in the limited applications attempted to date (e.g. Sandia Phase I A-17 effort; or Battelle/BNL/LLL State-of-the-Art surveys).* PASNY has proposed use of "dependency analysis" techniques (e.g., combining shutdown logic diagrams, safety system auxiliary diagrams, auxiliary safety system commonality diagrams, dependency tables/matrices, FMEAs) as the primary means for identifying SI's in the IP-3 study. PASNY has proposed also the use or "consideration" of individual system Fault Trees (available from the IP-3 PRA study) as a supplemental means of identifying and evaluating SI's. This is acceptable to the staff; but PASNY should emphasize and concentrate efforts on application of "dependency analysis" methods in the actual performance of the IP-3 study.

* Battelle, BNL, and LLL have continued efforts to adapt Event Tree/Fault Tree methodology for SI analysis purposes. Their efforts are reflected in Interim Guidance being developed; and Event Tree/Fault Tree methodology will be one proposed SI analysis technique tested in "pilot" reviews planned in the near future.

I.B. Relationship Between PRA and SI

P. Alesso, LLL, presented an overview on the relationship between PRA and SI analysis, based on his background and experience in applying PRA techniques, and on perspectives gained from the RRAB/LLL/SAI review of both the PASNY SI submittal and draft sections of the Z/IP-3 PRA report (provided separately by PASNY at RRAB's request to facilitate the SI submittal review). His presentation (see outline in ), and subsequent discussions throughout the meeting developed the following main points:

o Early PRA studies focused largely on safety systems, and (because of assumed independence between nonsafety and safety systems) did not treat nonsafety system-related effects to any great extent. This approach seemed valid in view of stringent criteria applied in the design and licensing review process (i.e., single failure criterion, separation criteria, etc.) for the express purpose of achieving and maintaining nonsafety/safety independence. Also, consideration was given in early PRA efforts to common-mode failure mechanisms and effects; but, again, the emphasis was on couplings (and their effects) between safety systems (not between safety and nonsafety systems). In this sense, some consider SI studies as merely an extension of the too-restrictive boundary conditions imposed in early PRA studies to encompass full treatment of common cause/common mode effects involving both nonsafety and safety systems. Consistent with this view, recent "enhanced" reliability and risk analyses (e.g., IREP and the Z/IP-3 PRA) include significantly improved treatment of nonsafety front line and support systems.

o The SI staff does not agree with characterization of SI analysis as "just a part of an enhanced PRA" for the following reasons:

(1) SI analysis is a useful exercise and has inherent value completely aside and apart from PRA. The nonsafety/safety dependency information developed by SI analyses is certainly important in assuring the accuracy of PRA results (in fact, SI analysis must be regarded logically as a prerequisite to PRA). But nonsafety/safety dependency information can be used readily and effectively to improve safety in the context of the current "deterministic" licensing approach even if PRA is never done.

(2) Thinking of SI analysis as "simply a part of PRA" can lead to undue emphasis or reliance on use of analysis methods usually associated with PRA (i.e., Event Tree/Fault Tree Analysis), that have not yet been satisfactorily demonstrated (for SI analysis purposes) in applications attempted to date.*

* See footnote preceding page.


o As a final point in the area of PRA/SI relationship, PASNY stated that the results of the IP-3 PRA study would be an important factor in the final selection of specific systems to be treated in the IP-3 SI analysis. The SI staff stated that PASNY should not rely primarily on those PRA results in making such determinations regarding the critical parameters of the SI study. If the PRA is flawed by not taking into account some hidden dependency in the IP-3 systems that could be found by a SI analysis, there is a logical inconsistency in using the results of such a potentially flawed PRA (in any controlling manner) in determining scope or depth of treatment of the SI analysis. PRA results may be useful in confirming the selection of systems (for SI analysis) arrived at by applying the methods and criteria described by PASNY in their Preliminary submittal.

II.A Definition of SI and Application of Single Failure Criterion

o PASNY and the SI staff agreed explicitly that the threshold for identification of adverse SI's will be a nonsafety system or component failure that leads to the defeat of one train of a safety system or engineered safety feature... even if the remaining trains of the affected safety system or ESF could perform the intended safety function. This is a more stringent criterion than the Single Failure Criterion currently applied in the licensing review process; but it was emphasized that it is specified by the staff at this point only as a SI search criterion. SI's identified by applying this search criterion may require design change or plant modification; but not necessarily so.

o The choice of the stringent search criterion discussed in the preceding stems from the SI staff's objective of assessing the effectiveness of existing deterministic criteria in achieving independence between safety and nonsafety systems. The assumption of nonsafety/safety systems independence (in accordance with existing design and licensing review criteria) forms an important part of the rationale for determinations of "adequate safety" for existing plants sans systematic and comprehensive analysis of nonsafety failure effects. If numerous nonsafety/safety system dependencies are found by application of the search criterion specified above, that could indicate a fundamentally different level of reliability in safety systems than is now assumed, and could (for example) indicate the need for reassessment of the adequacy of the Single Failure Criterion as currently applied.


II.B Interconnected Systems Interaction Analysis

o PASNY amplified in discussions at this meeting their description in the Preliminary submittal of how Shutdown Logic Diagrams (SLD's), Safety System Auxiliary Diagrams (SSAD's), and Auxiliary Safety System Commonality Diagrams (ASSCD's) will fit together with FMEAs and Fault Trees on individual systems, to identify and evaluate SI's (dependencies) in the IP-3 study. As the staff now understands it, SLD's, SSAD's, and ASSCD's are basically devices employed (1) for identifying the safety and support systems (including nonsafety systems) that are to be analyzed for interactions, and (2) for correlating and combining the results of FMEA's on individual systems in order to understand and portray how interconnections, couplings and dependencies among all systems can propagate nonsafety system failure(s) into the safety system. (PASNY also agreed to consider the use of matrix based methods, as suggested by the SI staff, as a refinement on the above mentioned methods in identifying dependencies among interconnected systems.)

In addition, as a supplemental device in searching for SIs, and as one of the principal methods for the evaluation of SI's identified, PASNY will use or "consider" Fault Trees on individual systems already available from the Z/IP-3 PRA. PASNY may develop new Fault Trees for systems covered in the SI analysis, if these systems were not covered or were not modeled in sufficient detail (for SI purposes) in the PRA. All SI's identified are not expected to require use of Fault Trees for evaluation; engineering judgment, based on and appropriately reflecting existing deterministic criteria, will be used in some cases.

o A staff concern regarding the effectiveness of PASNY's proposed method for generating system/component listings corresponding to required safety functions was resolved by PASNY's statement that Table 6.1 presented in Vol. 1 of the "Preliminary" submittal was not intended to be complete in that respect (e.g., it did not include the PORV explicitly at the time, but would do so in the final submittal). At this point the table was intended for illustrative purposes only.

o PASNY's amplifying comments referred to in the preceding also answered specifically a staff concern regarding adequacy of the FMEA approach to be applied to all systems generally on the basis of conclusions drawn from the FMEA of the AFW system alone (see Fig. A-2.1 in Vol. II). Specifically the staff questioned the validity of "Acceptable" conclusions for various failure modes postulated in the AFW system, without considering possible combined effects of failures in other systems (e.g., due to failure of support systems shared by the AFW and other systems, or other coupling mechanisms).
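As an added illustration (not code from the NRC staff, PASNY or EBASCO), the following Python model applies the II.A search criterion above to a constructed dependency digraph (the "comprehensive dependency analysis (e.g., digraph)" approach listed in the agenda) and contrasts it with a per-system FMEA that stops at the system boundary, the concern just raised about the AFW FMEA. Every component name and dependency in the model is an assumption made up for the example.

```python
"""Dependency-digraph search for interconnected systems interactions (SIs).

Added illustration; not code from the NRC staff, PASNY or EBASCO. The plant
model below is constructed and every component name is an assumption.
"""

# Constructed "depends on" digraph. DEPENDS_ON[x] lists the supports x needs;
# x loses its function if ANY of them is lost (AND semantics, no partial credit).
DEPENDS_ON = {
    # Auxiliary feedwater (AFW): train A motor-driven, train B turbine-driven.
    "AFW-A": ["AFW-PUMP-A", "AFW-FCV-A"],
    "AFW-B": ["AFW-PUMP-B", "AFW-FCV-B"],
    "AFW-PUMP-A": ["BUS-SAFETY-A", "ROOM-COOLER-A"],
    "AFW-PUMP-B": ["STEAM-SUPPLY"],
    # Both flow-control valves are fed from ONE nonsafety instrument-air header.
    "AFW-FCV-A": ["INST-AIR"],
    "AFW-FCV-B": ["INST-AIR"],
    # Pump room cooler A is served by nonsafety chilled water.
    "ROOM-COOLER-A": ["CHILLED-WATER"],
    # Nonsafety support chain behind instrument air.
    "INST-AIR": ["AIR-COMPRESSOR"],
    "AIR-COMPRESSOR": ["BUS-NONSAFETY-1"],
    # Leaves of the graph.
    "BUS-SAFETY-A": [], "STEAM-SUPPLY": [], "CHILLED-WATER": [], "BUS-NONSAFETY-1": [],
}
SAFETY_GRADE = {"AFW-A", "AFW-B", "AFW-PUMP-A", "AFW-PUMP-B", "AFW-FCV-A",
                "AFW-FCV-B", "ROOM-COOLER-A", "BUS-SAFETY-A", "STEAM-SUPPLY"}
SAFETY_SYSTEMS = {"AFW": ["AFW-A", "AFW-B"]}  # system -> redundant trains


def failed_set(initiator):
    """Propagate one initiating failure to a fixed point.

    A node is lost if it is the initiator or any of its supports is lost. The
    loop only ever adds nodes, so it terminates even if the graph has cycles.
    """
    failed = {initiator}
    changed = True
    while changed:
        changed = False
        for node, supports in DEPENDS_ON.items():
            if node not in failed and any(s in failed for s in supports):
                failed.add(node)
                changed = True
    return failed


def defeated_trains(initiator):
    """Safety system -> the trains this initiator defeats (possibly none)."""
    failed = failed_set(initiator)
    return {sys_: [t for t in trains if t in failed]
            for sys_, trains in SAFETY_SYSTEMS.items()}


def search_adverse_sis():
    """Apply the II.A search criterion over every nonsafety node.

    A hit is a nonsafety failure that defeats at least one train of a safety
    system, even when the remaining trains could still perform the function.
    Returns {initiator: {system: defeated trains}} for the hits only.
    """
    hits = {}
    for node in DEPENDS_ON:
        if node in SAFETY_GRADE:
            continue  # the search postulates nonsafety failures only
        defeated = {s: t for s, t in defeated_trains(node).items() if t}
        if defeated:
            hits[node] = defeated
    return hits


def safety_function_lost(initiator, system):
    """The less stringent question: does the initiator defeat EVERY train?"""
    return set(defeated_trains(initiator)[system]) == set(SAFETY_SYSTEMS[system])


def fmea_within_boundary(system):
    """A per-system FMEA that stops at the system boundary.

    Each in-system component (names prefixed with the system name) is failed
    one at a time; supports outside the boundary are never postulated failed.
    A failure mode is 'Acceptable' if a redundant train survives, which is the
    AFW-only conclusion the staff questioned. Returns {component: verdict}.
    """
    trains = SAFETY_SYSTEMS[system]
    members = {n for n in DEPENDS_ON if n.startswith(system + "-")} - set(trains)
    verdicts = {}
    for comp in sorted(members):
        lost = [t for t in trains if t in failed_set(comp)]
        verdicts[comp] = "Acceptable" if len(lost) < len(trains) else "Unacceptable"
    return verdicts


if __name__ == "__main__":
    print("Per-system FMEA verdicts:", fmea_within_boundary("AFW"))
    # Rank hits by how many trains they defeat, the ordering the review asks for.
    ranked = sorted(search_adverse_sis().items(),
                    key=lambda kv: -sum(len(t) for t in kv[1].values()))
    for initiator, defeated in ranked:
        lost = any(safety_function_lost(initiator, s) for s in defeated)
        print(f"{initiator:16s} defeats {defeated}  function lost: {lost}")
```

The boundary-limited FMEA grades every AFW component failure "Acceptable", while the digraph search finds the shared instrument-air header (and everything behind it) defeating both trains, and chilled water defeating one train, which the II.A criterion flags even though the AFW function survives.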


6-An important area of disagreement between the SI staff and PASNY all o

along has been the question of treatment of nonsafety control system failure effects, nonsafety power system failure effects, and nonsafety instrumentation failure effects. These types of SI's have played major roles in a number of very serious operating incidents, ard are of great concern and are considered high priority aspects of the overall SI problem by the staff; but PASNY indicated in the Preliminary submittal that they intended ta address these types of sis only very limitedly or not at all in the IP-3 study._

With regard to the treatment of SI's involving nonsafety instrumentation failure effects, PASNY stated in their "Preliminary" submittal that they did not intend to treat latent or dynamic human error-induced failures within the scope of their SI analysis.

Consistent with this position, they specifically excluded treatment of "... failures which deprive the operator of required information for normally controlling plant conditions, or which provide confusing or incorrect information to the operator..." A part of PASNY's rationale in this respect was that it was simply too difficult to predict and analyze the many ways in which an operator might act incorrectly.

The SI staff believes that it is possible to treat one specific important type of interaction involving the human error as a coupling or linking mechanism. That type of SI has been termed "induced operator error" (see Enclosure 3), and involves a set of circumstances in which (1) a nonsafety system failure causes loss (particularly massive loss) of normal control instrumentation display, and (2) the operator is assumed to act correctly (procedurally speaking) on the basis of incorrect reading(s) produced by the initiating failure. Thus, the difficulty of trying to predict and analyze incorrect actions is eliminated.

PASNY appeared to understand and appreciate the staff's comment in this regard (provided in the initial meeting on 4/2/81), but has not yet explicitly committed to including treatment of this type of SI within their intended scope of study. The SI staff continues to believe that the seriousness and likelihood of this kind of failure are both such as to warrant its treatment in the IP-3 SI study.

With regard to nonsafety control system failure effects, PASNY merely referenced in their Preliminary submittal the PASNY response to IEB 79-22. This was somewhat confusing in that context because IEB 79-22 addressed control system failures only in the context of non-connected SI effects (specifically, high energy line break effects); also, PASNY's response focused on only a few control systems. Further, there was no indication in the Preliminary submittal that PASNY intended to consider adequately nonsafety power system failure effects caused by or propagated by nonsafety control systems. The staff therefore considered this aspect of PASNY's Preliminary submittal inadequate.


o Subsequently, PASNY added reference to their responses to IEB 79-27 and NUREG-0588 as applicable and sufficient in this context. PASNY considers anything much beyond that to fall within the scope of one or another Unresolved Safety Issue (e.g., A-47 Control Systems Dynamics), not assignable by requirement to an individual licensee for resolution.

The staff understands PASNY's legalistic position in this regard, but has required that at a minimum PASNY's treatment of SI's in interconnected systems should consider explicitly nonsafety control system failure effects and nonsafety power system failure effects to a degree consistent with requirements imposed by current staff practice for detailed information regarding nonsafety system aspects of plant design, e.g., recent ICSB review questions to OL applicants in the SNUPPS project. (A copy of the ICSB review questions referred to has been provided to PASNY.)

Beyond this minimum requirement, the staff has requested that PASNY consider possible application of the Indian Point simulator in the treatment of "first-order" types of SI's (see Enclosure 3) involving nonsafety control and power systems. The SI staff believes that to the extent that such a training simulator accurately models at least direct interconnections between safety and nonsafety front line systems and their support systems, it may be possible to do more comprehensive and systematic analysis of their failure effects more easily and efficiently by use of the simulator. (It would not be necessary for the simulator to accurately model process couplings or systems dynamics to be useful in this regard.)

It should also be noted that a training simulator would appear to be an almost ideal tool to be applied in treating more systematically and comprehensively nonsafety instrumentation display failure effects (i.e., the induced operator error SI) as discussed in the preceding. PASNY has agreed to investigate these possibilities and has examined on a very preliminary basis some specific scenarios and failure combinations of particular interest in this respect. The SI staff was invited to observe and participate in initial trials on September 23-24, 1981 at the Indian Point Simulator facility. We believe that PASNY is to be commended for responding in this fashion, and in demonstrating the willingness to examine novel (potential) alternative approaches to this very difficult aspect of SI analysis.

II.C Non-connected Systems Interaction Analysis

o The staff considers the methods and criteria proposed by PASNY for use in identifying and evaluating seismic-initiated SI's to be acceptable. The methods and criteria proposed are similar to those which have been employed previously at the Diablo Canyon facility; but the staff has noted refinements introduced by PASNY in this area that should facilitate the evaluation and utilization of results obtained in the walk-down inspections of IP-3 systems.


o With regard to treatment of other (non-seismic) types of event-induced SI's, it appears that PASNY essentially proposes to perform "enhanced" versions of the kinds of analyses already required under existing licensing requirements in this regard (e.g., Fire Protection Analyses, Flooding Protection Analyses, HELB Analyses, etc.). The "enhanced" analyses as proposed would feature increased emphasis on, and more comprehensive consideration of, nonsafety components in the vicinity of safety system components that could be damaged by failure of the nonsafety components. This proposed effort appears to go considerably beyond what is now required under existing requirements, although it relies heavily on methods and criteria in existing regulatory guidance. The staff believes that such enhanced treatment of nonseismic event-induced SI's can be safety beneficial; and the methods and criteria proposed by PASNY in this regard appear acceptable to the staff within the scope intended by PASNY.

PASNY's proposed approach, however, considers only direct effects of event-induced nonsafety component failures on the functioning of safety systems, i.e., nonsafety (source)/safety (target) interactions. The SI staff believes that the IP-3 study should also include some consideration of effects of event-induced nonsafety component failures on important nonsafety systems functioning and the possible resulting impact on safety system functioning, i.e., nonsafety (source)/nonsafety (target) interactions and resulting effects on safety systems. PASNY's objections to including treatment of such interactions in the IP-3 study were based on concerns regarding how to bound such analyses (e.g., would all nonsafety (target) systems within an entire compartment have to be considered with regard to effects of an event-induced steam environment). The staff recognizes the validity of such concerns, and for that reason the staff, subsequent to the July 24 meeting, suggested a reasonably-bounded approach to an initial effort in this direction that could be accomplished within the scope of the IP-3 study.

As a first step in the suggested approach, PASNY would select (subject to agreement by the staff) a representative high-energy nonsafety system. The agreed upon (source) system would be walked-down while surveying the surrounding vicinity for (target) nonsafety systems which had already been treated in the interconnected SI analysis phase of their study and had been shown to have safety significance, i.e., could adversely affect a safety function if their own (nonsafety) functioning were impaired. If a situation is found in the walk-down of the (source) high energy system in which such (target) nonsafety systems could be damaged by failure of the high energy (source) nonsafety system, a potentially adverse "coincidence" or systems interaction would have been identified.

If such potentially adverse "coincidences" were found to occur frequently, that might indicate a need for extending such analyses generically. On the other hand, if no (or very few) such potentially adverse coincidences were identified, that could be taken as additional assurance that the existing licensing basis is adequate without the need for requiring or extending this type of SI analysis. The staff believes that this limited additional effort could contribute significantly toward better definition and understanding, if not complete resolution, of this unexplored aspect of the overall systems interaction question.


III.A Safety Classification Terminologies

o The staff emphasized that, because SI analysis involves extensively the treatment of systems ranging widely in degree of importance to safety, careful use must be made of the safety classification terms which properly reflect such differences. In this context, the SI staff provided to PASNY standard definitions for the three most commonly-used safety classification terms (see Enclosure 5).

IV Schedule for Completion of IP-3 SI Analysis Progress

o PASNY agreed to prepare a Final IP-3 study submittal that incorporates or addresses the staff's review comments; the revised submittal is expected to be available in late October.

o ACRS has tentatively scheduled a meeting of the appropriate subcommittee in mid-November to discuss the revised (Final) submittal.

o PASNY estimates that completion of the actual IP-3 SI analysis effort could take 6-12 months after initiation.


List of Attendees
Indian Point 3 Systems Interaction Study
July 24, 1981

L. Olshan, NRC
J. Kelly, SAI
P. Alesso, LLNL
J. O. Thoma, NRC
J. Lamberski, PASNY
W. D. Hamlin, PASNY
Y. Kishinevsky, PASNY
K. S. Sunder Raj, PASNY
Roberto L. Goyette, PASNY
George Wilverding, PASNY
S. S. Iyer, PASNY
Edward J. Borella, EBASCO
Ralph J. Giorgio, EBASCO
Michael G. Gegliardi, EBASCO
F. Coffman, NRC
E. Chelliah, NRC
J. Conran, NRC


Enclosure 1


DETAILED MEETING AGENDA
Discussion of Indian Point 3 Systems Interaction Analysis
July 24, 1981

I. INTRODUCTION/BACKGROUND

A. NRC Philosophy on SI Analysis (NRC)
1. Concentrate on safety/nonsafety system dependencies and nonsafety system failure effects
2. Consider significant operating experience in scoping SI analysis effort and in demonstrating effectiveness of methodology employed

B. Relationship between PRA and SI (NRC)
1. Historical perspective (PRA and SI essentially complementary)
2. Current efforts (More SI included in PRA)
3. Future direction (Comprehensive PRA could include SI)

II. DISCUSSION OF INITIAL IP-3 SUBMITTAL AND NRC REVIEW COMMENTS

A. Definition of SI and Application of Single Failure Criterion
1. Degradation of safety system vs. defeat of safety function (NRC)
2. Treatment of SI that aggravate accident conditions or exceed safety system capability (NRC)
3. Identification of critical safety functions and corresponding plant systems/components (PASNY) (e.g., how is PORV treated?)

B. Interconnected Systems Interaction Analysis
1. How do shutdown logic diagrams, safety system auxiliary diagrams, and auxiliary safety system commonality diagrams fit together with FMEAs and PRA event trees/fault trees to identify adverse systems interactions? (Amplify on Vol. I description) (PASNY)
2. Treatment of nonsafety control system failure effects, nonsafety power supply effects, and nonsafety instrumentation display failure effects
a. 79-22 submittal inadequate for SI purposes (NRC)
-- considers only one type of environmentally induced failure
-- does not consider all nonsafety control systems
-- based on FW HELB analysis where break sizes/locations are chosen for direct effects on safety systems
b. Misinterpretation by PASNY of NUREG-0578 "requirement" for nonsafety system analysis (NRC)
c. Possible alternative approaches for treatment in IP-3 SI program
-- investigate use of Indian Point simulator (PASNY)
-- comprehensive dependency analysis (e.g., digraph) (NRC)
-- current ICSB review approach, as reflected in SNUPPS questions provided to PASNY

C. Nonconnected Systems Interaction Analysis
1. Criteria/methodology presented in Vol. I appear generally very good (NRC)
2. Should take credit explicitly for SI analysis already done in fire protection, flooding, HELB analyses, etc. (NRC)
3. Describe in greater detail how and to what extent SRP/Reg. Guide guidance used for SI analyses in (2) will be applied in determining effects of fire, flooding, HELB, etc., on nonsafety control systems, power sources, instrumentation cabling, etc. (which could in turn adversely influence safety functions) (PASNY)

III. SAFETY CLASSIFICATION TERMINOLOGIES/IP-3 HEARING ISSUES

A. Use definitions developed in NRC TMI-1 Restart Hearing Testimony (NRC)
B. Systems Interaction--Major Issue in IP-3 Hearing (PASNY) (What is current hearing schedule?)

IV. SCHEDULE FOR COMPLETION OF IP-3 SI PROGRAM

A. Final Submittal/ACRS Meeting, Sept. 1981 (PASNY/NRC)
B. NRC Audit Review/Walk-Through (NRC)
C. SER on IP-3 SI Program, March 1982 (NRC)

SYSTEMS INTERACTION PROGRAM SCOPE

COMMON-CAUSE FAILURES THAT:
o VIOLATE RCPB INTEGRITY (E.G., PIPE BREAK, RELIEF/ISOLATION VALVE FAILURE, PUMP SEAL FAILURE)
o DEGRADE OR DEFEAT SAFETY SYSTEMS (SCRAM, ECCS, RHR, & ESF)
o EXCEED SAFETY SYSTEM CAPABILITIES (E.G., EXTREME OVERPRESSURE, OVERCOOLING)

EMPHASIS ON NONSAFETY SYSTEM FAILURE EFFECTS
o PROCESS & SUPPORT SYSTEMS
o EQUIPMENT FAILURE & HUMAN ERROR
o FAILURE TO OPERATE & INADVERTENT OPERATION

TYPES
o NONCONNECTED SYSTEMS INTERACTIONS (COUPLING IS BY SHARED SPACE OR ENVIRONMENT)
o INTERCONNECTED SYSTEMS INTERACTION
A. FIRST-ORDER (CHARACTERIZED BY: DIRECT CONNECTIONS; "ONE-WAY" DEPENDENCE; NO SYSTEM DYNAMICS OR FEEDBACK EFFECTS INVOLVED)
B. HIGHER ORDER (CHARACTERIZED BY: PROCESS COUPLING; SYSTEMS DYNAMICS EFFECTS)
o INDUCED HUMAN ERROR (INSTRUMENTATION DISPLAY ERROR; ASSUME PROCEDURALLY CORRECT OPERATOR ACTION)

METHODS
o WALK-THRU OR WALKDOWN
o ANALYTICAL METHODS (EVENT TREE/FAULT TREE, DEPENDENCY ANALYSIS, FMEA)
o EVALUATION & EXTRAPOLATION OF OPERATING EXPERIENCE
o SIMULATION METHODS
TRAINING SIMULATORS (INTERCONNECTIONS WELL-MODELED; DYNAMICS POORLY MODELED)
ENGINEERING ANALYZER (INTERCONNECTIONS & DYNAMICS WELL MODELED)

BASIC SAFETY FUNCTIONS
o ABILITY TO ACHIEVE & MAINTAIN ENTIRE CORE SUBCRITICAL
o ABILITY TO TRANSFER DECAY HEAT TO ULTIMATE HEAT SINK
o ABILITY TO MAINTAIN RCPB
o ABILITY TO PROVIDE ENGINEERED SAFETY FEATURES

I. PURPOSE OF PRESENTATION

o TO PRESENT THE SYSTEMS INTERACTION (SI) PROBLEM IN TERMS OF PROBABILITY RISK ASSESSMENT (PRA), AND
o TO STIMULATE DISCUSSION AND ENCOURAGE FEEDBACK FROM INTERESTED GROUPS.


II. BACKGROUND

o EARLY REACTOR DESIGN WAS DONE WITHOUT FORMAL RISK ANALYSIS.
o THE NEED TO BALANCE THE LIKELIHOOD OF A POSTULATED SCENARIO WITH ITS CONSEQUENCES LED TO THE REACTOR SAFETY STUDY (RSS) 1975.
o SUBSEQUENT RISK ANALYSIS WAS PRA.


PRA LEVEL 1: EVENT TREES

o RELATES THE SAFETY FUNCTIONS TO SYSTEMS NECESSARY TO PREVENT CORE DAMAGE.

[Figure: event tree with columns SYSTEM A and SYSTEM B, each branching into SUCCESS and FAILURE]

o THE RESULTS ARE ACCIDENT SEQUENCES, USUALLY SAFETY SYSTEMS ALONG WITH THE MAIN FEEDWATER SYSTEM.


PRA LEVEL 2: FAULT TREES

THESE WERE USED TO DETERMINE THE FAILURE PROBABILITY FOR EACH SAFETY SYSTEM WITHIN THE ACCIDENT SEQUENCE.

[Figure: fault tree for FAILURE OF SAFETY SYSTEM A, drawn within the system BOUNDARY; a branch crossing the boundary is marked VIOLATES SINGLE FAILURE CRITERIA]


BOUNDARY CONDITIONS

PRA
LEVEL 1: EVENT TREES - ACCIDENT SEQUENCES
LEVEL 2: FAULT TREES OF SAFETY SYSTEMS
LEVEL 3: ANALYSIS OF DEPENDENCIES IN NONSAFETY SYSTEMS

ADDITIONAL CONSIDERATIONS
1. SHARED ENVIRONMENTAL CONDITIONS
2. DYNAMIC HUMAN ERROR


PAST LIMITATIONS OF PRA

o LIMITED BOOLEAN COMPUTATIONAL ABILITY.
o LACK OF FAILURE RATE DATA.

RESULTS

o SAFETY SYSTEM BOUNDARY CONDITION LIMITS.
o APPROXIMATION FOR NONSAFETY SYSTEMS: P(A AND B) ≈ P(A) · P(B) (OMITS SOME DEPENDENCE FROM EACH ANALYSIS)


III. THE PROBLEM

HOWEVER, ACCIDENTS SUCH AS TMI, BROWN'S FERRY, AND CRYSTAL RIVER HAVE OCCURRED THAT HAD NOT SURFACED EXPLICITLY IN PRA.

o ARE THE MATHEMATICAL METHODS OF PRA INADEQUATE?
o ARE THE BOUNDARY CONDITIONS TOO RESTRICTIVE?
o IS A NEW UNIQUE APPROACH NECESSARY?


WHY ALL THE DIVERSITY IN METHODOLOGY?

POINTS OF VIEW

o PRA STUDIES HAVE NOT FOUND SOME SI's BEFORE AND THEREFORE MUST BE INADEQUATE.
o SI's SHOULD BE EXAMINED IN ISOLATION.


OTHER PROBLEMS

o IDENTIFYING SYSTEMS INTERACTIONS
o EVALUATING SYSTEMS INTERACTIONS
o LACK OF FAILURE RATE DATA (IF PRA METHODS USED)
o CRITICISMS OF SHORTCOMINGS/LIMITATIONS USING ENGINEERING JUDGMENT, DETERMINISTIC CRITERIA, HEURISTIC TECHNIQUES, ETC.


COMPUTATIONAL EFFICIENCIES HAVE IMPROVED FOR HANDLING INDEPENDENT EVENTS

o INDEPENDENT MODULES
o SUPERCOMPONENTS

WHAT ABOUT METHODS OF HANDLING DEPENDENT EVENTS?

SUCH METHODS ARE METHODS OF SYSTEMS INTERACTIONS. THEY INCLUDE:

o HEURISTIC TECHNIQUES (HAZARD INDEX)
o GRAPH-BASED LOGIC ANALYSIS
o ENHANCED PRA


COMMON CAUSE FAILURE (CCF) ANALYSIS OVERVIEW

o PROBABILITY MODELS HAVE BEEN DEVELOPED TO ESTIMATE COMMON CAUSE PROBABILITIES FROM DATA
o PROBABILITY MODELS ARE BEING APPLIED TO LER AN[...] TO OBTAIN CCF PROBABILITY ESTIMATES
o CCF DATA ARE BEING CLASSIFIED BY SCENARIO VARIABLES TO IDENTIFY FACTORS CAUSING HIGH CCF PROBABILITIES
o SUBJECTIVE ENGINEERING APPROACHES BEING DEVELOPED TO QUANTIFY CCF PROBABILITIES BY PLANT VARIABLES


IV. ENHANCED PRA

THERE IS NOTHING FUNDAMENTALLY WRONG WITH THE MATHEMATICAL METHODS USED IN PRA. ITS BOUNDARY CONDITIONS SHOULD BE EXTENDED WITH EMPHASIS ON DEPENDENT FAILURES SUCH AS:

o SHARED ENVIRONMENTAL CONDITIONS
o NONSAFETY SUPPORT SYSTEMS
o DYNAMIC HUMAN ERROR


WE SEEK

[Figure: LEVEL 2 - the fault tree of safety system A and the fault tree of safety system B, each drawn within its own boundary; LEVEL 3 - a single nonsafety support system drawn beneath and feeding both trees]
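A worked example of the boundary-condition point made in these slides (the Level 1 event tree, the Level 2 fault trees, and the Level 3 shared nonsafety support system). This is added illustration code, not from the review or from PASNY's study; the support system S_instrument_air, the pump basic events and every probability are constructed values, not IP-3 data. Two safety systems A and B are each given a small fault tree whose boundary has been extended to include the support system as a basic event, and the exact joint failure probability is compared with the P(A)·P(B) approximation from the "Past Limitations" slide.

```python
"""Fault-tree / event-tree toy for the PRA boundary-condition point.

Added example (not from the document).  Basic events are mutually
independent; all dependence between systems A and B therefore enters only
through the shared Level 3 support event.  Values are constructed.
"""
from itertools import combinations, product
from typing import Dict, FrozenSet, Iterator, List, Tuple, Union

Node = Union[str, tuple]  # basic-event name, or ("AND"/"OR", child, ...)

# Constructed data (hypothetical, not IP-3 plant data).
SUPPORT = "S_instrument_air"          # nonsafety support system shared by A and B
BASIC_EVENT_PROBS: Dict[str, float] = {SUPPORT: 0.01, "A_pump": 0.02, "B_pump": 0.03}
SYSTEM_A: Node = ("OR", "A_pump", SUPPORT)   # A fails if its pump or the air supply fails
SYSTEM_B: Node = ("OR", "B_pump", SUPPORT)


def evaluate(node: Node, failed: FrozenSet[str]) -> bool:
    """True if the top event of `node` occurs when exactly `failed` have failed."""
    if isinstance(node, str):
        return node in failed
    gate, *children = node
    results = [evaluate(child, failed) for child in children]
    return all(results) if gate == "AND" else any(results)


def basic_events(node: Node) -> List[str]:
    """Unique basic-event names in the tree, in first-seen order."""
    if isinstance(node, str):
        return [node]
    seen: List[str] = []
    for child in node[1:]:
        seen.extend(name for name in basic_events(child) if name not in seen)
    return seen


def state_probabilities(probs: Dict[str, float]) -> Iterator[Tuple[FrozenSet[str], float]]:
    """Every failed/not-failed assignment of the basic events with its probability."""
    names = list(probs)
    for states in product((False, True), repeat=len(names)):
        failed = frozenset(n for n, s in zip(names, states) if s)
        p = 1.0
        for n, s in zip(names, states):
            p *= probs[n] if s else 1.0 - probs[n]
        yield failed, p


def top_event_probability(tree: Node, probs: Dict[str, float]) -> float:
    """Level 2 result: probability that the system's top event occurs."""
    return sum(p for failed, p in state_probabilities(probs) if evaluate(tree, failed))


def event_tree(trees: Dict[str, Node], probs: Dict[str, float]) -> Dict[Tuple[bool, ...], float]:
    """Level 1 view: exact probability of each success/failure sequence.

    Keys are tuples of 'failed' flags in the order of `trees`; shared basic
    events are honoured because every state is enumerated once.
    """
    sequences: Dict[Tuple[bool, ...], float] = {}
    for failed, p in state_probabilities(probs):
        key = tuple(evaluate(t, failed) for t in trees.values())
        sequences[key] = sequences.get(key, 0.0) + p
    return sequences


def independence_approximation(trees: Dict[str, Node], probs: Dict[str, float]) -> float:
    """The old boundary-condition shortcut: multiply each system's failure probability."""
    result = 1.0
    for tree in trees.values():
        result *= top_event_probability(tree, probs)
    return result


def dependence_factor(trees: Dict[str, Node], probs: Dict[str, float]) -> float:
    """Exact P(all fail) over the independence product; 1.0 means no shared cause."""
    exact = event_tree(trees, probs)[tuple(True for _ in trees)]
    return exact / independence_approximation(trees, probs)


def minimal_cut_sets(tree: Node) -> List[FrozenSet[str]]:
    """Smallest sets of basic events whose joint failure causes the top event."""
    names = basic_events(tree)
    cut_sets = [frozenset(c) for r in range(1, len(names) + 1)
                for c in combinations(names, r) if evaluate(tree, frozenset(c))]
    minimal = [c for c in cut_sets if not any(o < c for o in cut_sets)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


if __name__ == "__main__":
    trees = {"A": SYSTEM_A, "B": SYSTEM_B}
    for name, tree in trees.items():
        print(name, "P(fail) =", round(top_event_probability(tree, BASIC_EVENT_PROBS), 6),
              "cut sets:", [sorted(c) for c in minimal_cut_sets(tree)])
    print("independence approx P(A and B):", independence_approximation(trees, BASIC_EVENT_PROBS))
    print("exact P(A and B) with shared support:", event_tree(trees, BASIC_EVENT_PROBS)[(True, True)])
    print("dependence factor:", round(dependence_factor(trees, BASIC_EVENT_PROBS), 2))
```

With the constructed numbers the product approximation gives about 1.2e-3 for both systems failing, while the exact value including the shared air supply is about 1.06e-2, roughly nine times larger; the shared support event shows up as a single-element cut set in both trees, which is the kind of dependency a Level 3 analysis is meant to surface. Exhaustive enumeration is only practical for a handful of basic events; it is used here so that the comparison is exact rather than a cut-set approximation.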


V. SUMMARY

SYSTEMS INTERACTION ANALYSIS CAN BE AN EXPANSION OF THE BOUNDARY CONDITIONS OF PROBABILITY RISK ASSESSMENT ANALYSIS USING THE SAME TOOLS AS THE PRA, BUT DEVELOPING A MORE DETAILED EMPHASIS ON DEPENDENT FAILURES.


DEFINITION OF TERMS

Important to Safety

o Definition - From 10 CFR 50, Appendix A (General Design Criteria) - see first paragraph of "Introduction."

"Those structures, systems, and components that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public."

o Encompasses the broad class of plant features, covered (not necessarily explicitly) in the General Design Criteria, that contribute in an important way to safe operation and protection of the public in all phases and aspects of facility operation (i.e., normal operation and transient control as well as accident mitigation).

o Includes Safety-Grade (or Safety-Related) as a subset.

Safety-Related

o Definition - From 10 CFR 100, Appendix A - see sections III.(c), VI.a.(1), and VI.b.(3).

"Those structures, systems, or components designed to remain functional for the SSE (also termed 'safety features') necessary to assure required safety functions, i.e.: (1) the integrity of the reactor coolant pressure boundary; (2) the capability to shut down the reactor and maintain it in a safe shutdown condition; or (3) the capability to prevent or mitigate the consequences of accidents which could result in potential off-site exposures comparable to the guideline exposures of this part."

o Subset of "Important to Safety"

o Regulatory Guide 1.29 provides a LWR-generic, function-oriented listing of "safety-related" structures, systems, and components needed to provide or perform required safety functions. Additional information (e.g., NSSS type, BOP design A-E, etc.) is needed to generate the complete listing of safety-related SSC's for any specific facility.

o Note: The term "safety-related" also appears in 10 CFR 50, Appendix B (Q.A. Program Requirements); however, in that context it is framed in somewhat different language than its definition in 10 CFR 100, Appendix A. That difference in language between the two appendices has contributed to confusion and misunderstanding regarding the exact meaning of "safety-related" and its relationship to "important to safety" and "safety-grade." A revision to the language of Appendix B has been proposed to clarify this situation and remove any ambiguity in the meaning of these terms.

ENCLOSURE 5


Safety-Grade

o Term not used explicitly in regulations but widely used/applied by staff and industry in the safety review process.

o Equivalent to "Safety-Related," i.e., both terms apply to the same subset of the broad class "Important to Safety."


ASB REVIEW COMMENTS

A-3.2 Loss of Air to Speed Controller TDAFW? Not on Table A-3 or Fig. A-2.1.

A-1.2 Did not consider loss of non-safety grade control systems. Justified by response to IE notice 79-22 via IPN-79-74, Oct. 11, 1979.

A-2.1.1 Acceptance criteria that AFW is delivered within 30 minutes of initial demand - How can this be backed up as the required time for AFW initiation for all accidents? It may take 30 minutes to boil dry but flow may have to be initiated earlier for the AFW system to "catch up" and prevent dryout. Also, is dryout a sufficient criterion since the accident analyses in Chapter 15 use other criteria?

A-2.2.3 What about tornado protection for the condensate storage tank?

A-2.2.5 Fig. A-2.1 Sheet 3 of 9, M-6, M Should mention that pumps are protected by automatic trip. (Will correct operator action assumption JHC, per PASNY 7/24/81)

Should have PAS/RRAB look at Fault Trees and ICSB look at logic diagrams and electrical failures; on the surface the electrical failures look OK.

General: Power/Air failures are evaluated with respect to individual components and their effect on the system. What about a combination of these components if one electrical/air failure can affect groups of components? For instance, a complete loss of A-C power (on & off) would affect many of the components in Fig. A-2.1. How is the scenario followed in this report?
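The general comment above asks how a single power or air failure that removes a group of components is followed when the FMEA treats components one at a time. The following is an added illustration, not part of the ASB comments or of the PASNY FMEA; the component names, the support dependencies (two motor-driven pumps on separate AC buses, a turbine-driven pump whose speed controller needs instrument air, compressors fed from the AC buses) and the success criterion are all hypothetical. It propagates a support failure through a small dependency map so that the group of components lost together, and the smallest support-failure combinations that defeat the function, are seen rather than each row being judged in isolation.

```python
"""Group-failure check over a small FMEA dependency map.

Added example (not from the document).  Components list the supports they
need, as an FMEA row does; support failures are then propagated through
the map so that groups of components lost together become visible.  All
names and dependencies are constructed, not IP-3 plant data.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Each component needs ALL of its listed supports (it is lost if any one is lost).
COMPONENT_SUPPORTS: Dict[str, Set[str]] = {
    "MD_AFW_pump_1": {"AC_bus_A"},
    "MD_AFW_pump_2": {"AC_bus_B"},
    "TD_AFW_pump": {"DC_bus", "instrument_air"},   # air-operated speed controller
}

# Supports may depend on other supports.  "ALL": redundant feeds, lost only when
# every feed is lost.  "ANY": lost when any listed feed is lost.  Empty feeds
# means the support is modeled as an independent initiating failure only.
SUPPORT_RULES: Dict[str, Tuple[str, Set[str]]] = {
    "instrument_air": ("ALL", {"AC_bus_A", "AC_bus_B"}),  # one compressor per bus
    "DC_bus": ("ANY", set()),                             # battery-backed
    "AC_bus_A": ("ANY", set()),
    "AC_bus_B": ("ANY", set()),
}

PUMPS = list(COMPONENT_SUPPORTS)


def propagate(initial_failures: Set[str]) -> FrozenSet[str]:
    """Close the failure set under the dependency rules until nothing new fails."""
    failed = set(initial_failures)
    changed = True
    while changed:
        changed = False
        for support, (mode, feeds) in SUPPORT_RULES.items():
            if support in failed or not feeds:
                continue
            lost = {f for f in feeds if f in failed}
            if (mode == "ALL" and lost == feeds) or (mode == "ANY" and lost):
                failed.add(support)
                changed = True
        for component, needs in COMPONENT_SUPPORTS.items():
            if component not in failed and needs & failed:
                failed.add(component)
                changed = True
    return frozenset(failed)


def afw_function_available(failed: FrozenSet[str]) -> bool:
    """Success criterion (constructed): at least one AFW pump remains available."""
    return any(pump not in failed for pump in PUMPS)


def fmea_single_failures() -> Dict[str, bool]:
    """Classic FMEA view: one component or support at a time; True means 'acceptable'."""
    items = list(COMPONENT_SUPPORTS) + list(SUPPORT_RULES)
    return {item: afw_function_available(propagate({item})) for item in items}


def components_lost_by(support_failures: Set[str]) -> List[str]:
    """The group of components taken out together by the given support failure(s)."""
    failed = propagate(support_failures)
    return sorted(c for c in COMPONENT_SUPPORTS if c in failed)


def minimal_defeating_support_sets(max_size: int = 2) -> List[FrozenSet[str]]:
    """Smallest combinations of support failures that defeat the safety function."""
    supports = list(SUPPORT_RULES)
    found: List[FrozenSet[str]] = []
    for size in range(1, max_size + 1):
        for combo in combinations(supports, size):
            candidate = frozenset(combo)
            if any(known < candidate for known in found):
                continue  # a smaller defeating set is already known
            if not afw_function_available(propagate(set(candidate))):
                found.append(candidate)
    return found


if __name__ == "__main__":
    for item, ok in fmea_single_failures().items():
        print(f"{item:16s} single failure -> {'acceptable' if ok else 'DEFEATS function'}")
    loss_of_ac = {"AC_bus_A", "AC_bus_B"}
    print("complete loss of AC takes out:", components_lost_by(loss_of_ac))
    print("function available after loss of AC:", afw_function_available(propagate(loss_of_ac)))
    print("minimal defeating support sets:", [sorted(s) for s in minimal_defeating_support_sets()])
```

Every single-item row in this constructed map comes out "acceptable", exactly as a one-at-a-time FMEA would report; only when the loss of both AC buses is propagated does the air supply, and with it the turbine-driven pump's controller, drop out and the whole pump group go together. The search over support combinations is the check the comment asks for; in a real FMEA the dependency map would come from the plant's electrical and air-system drawings rather than being typed in.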
