Summary of 781025 Meeting W/Subcomm on Plant Arrangements of Advisory Comm on Reactor Safeguards Re Sandia Labs Presentation of Sys Interaction Methodology Appl in Nuc Pwr Plants & Subj Facil Sys Interaction Study

ML20148N460
Person / Time
Site:	Zion  File:ZionSolutions icon.png
Issue date:	11/13/1978
From:	Angelo J Office of Nuclear Reactor Regulation
To:	Office of Nuclear Reactor Regulation
References
REF-GTECI-A-17, REF-GTECI-SY, TASK-A-17, TASK-OR NUDOCS 7811270104
Download: ML20148N460 (36)
v • d • e

Text

- - - - - -

te d '

tA U00

/p 9'o UNITED STATES

[' 'g NUCLE AR REGULATORY COMMisslON NRC EUE WASHINGTON, D. C. 20555 l

NOV 131978

%,+..../

I Generic Task No. A-17 PROJECT: Generic Task No. A-17, Systems Interaction in Nuclear Power Plants

SUBJECT:

SUMMARY

OF MEETING WITH THE SUBCOMMITTEE ON PLANT ARRANGEMENTS j l

0F THE ADVISORY COMMITTEE ON REACTOR SAFEGUARDS Members of the NRC staff met with the Subcommittee on Plant Arrangements l l

of the Advisory Committee on Reactor Safeguards (ACRS) on October 25, 1978, in Washington, D. C. to develop information for consideration l by the ACRS in its review of Task Action Plan A-17, Systems Interaction in Nuclear Power Plar.ts, and the Zion Station Systems Interaction Study.

Others who participated in the meeting were: (1) representatives of Commonwealth Edison Company and its consultant, Fluor Power Services (formerly Fluor Pioneer, Inc.), (2) representatives from Sandia Laboratorias and (3) a representative of Oak Ridge National Laboratory, and (4) consultants to the ACRS. A list of participants is included with this meeting summary.

Significant items of discussion and items of further action are summarized in the following paragraphs. A stenographic transcript of the meeting is available.

The ACRS subcommittee opened the meeting with identification of the kinds of information that the members thought should be brought out in this meeting. Typical of the kinds of information sought by the members was: (1) will the NRC staff's definition of systems interaction in any way limit what the staff might cover; (2) the extent to which WASH-1400 was studied to pick up pertinent information; (3) how were the LER's selected for the (Zion Station) study; (4) possibility of inductive coupling between circuits; (5) what is the condition of systems which are interacting, in other words, are systems assumed to be in working order or in a degraded or non-working condition; (6) how will the significance of interactions be evaluated; (7) importance of under-standing the possibility of interactions during a plant faulted condition; (8) interactions between safety-related and non-safety-related systems which may act as a coupler to other safety-related systems; (9) rationale for limiting the scope of the study to certain plant conditions; and (10) events such as accidental actuation of fire protection sprays as contrasted to predicted accidents which come to some pre-established conclusion.

44 qp toi -

of p

e

& s Generic Task No. A-17 NOV 131978 The NRC Staff presented information on the current status of the task, including the recent action to extend the completion of Phase I by four months to September 1979.

The NRC Staff commented on the relative effectiveness of using an experience base to analyze systems interaction and diagnose the things that go wrong compared to the difficulty of synthesizing events that have not yet happened. These kinds of comments were made to stress the importance of focusing our attention on the scope of inquiry for this task and the importance of feedback from the ACRS regarding which events are worthy of being done first.

Mr. Jack Hickman and Mr. Wally Craninond of Sandia Laboratories presented information on the work accomplished to date as well as an overview of the entire Phase I Task. The presentation is outlined in a series of viewgraphs that are enclosed with this meeting sumary. During this presentation, members of the ACRS and consultants raised the following additional questions: (1) explain why the scope of interactions will be limited to plant Conditions I and II in light of the fact that we will be looking for interactions that are important to safety; (2) will we have to go back into the design phase or the orocess of building reliability to assess whether that (reliability) is adequate and proper; (3) is the methodology (described in this Task) really a new technique to audit the effectiveness of the design in the preliminary approval stages; (4) could this technique be used by the staff in reviewing the adequacy of design in preliminary applications; (5) how, for example, will the methodology handle events like plant compartment flooding where it (the flood) would endanger safety-related equipment; (6) concern that we are really attacking this problem in the wrong way, that is, should we first postulate an event or accident and then track it through systems to determine interactions rather that starting with a safety function as the top event and then determine by fault tree methodology how this top event can occur; (7) many of our problems relate to how a plant is operated rather than how it is designed, further, is testing the plant itself a threat to safety; (8) usefulness of making a list of questions (events)' that can be used as the basis for determining how methodology would treat some of these things (events); (9) would it be considered

appropriate to look at interactions that could collectively increase the probability of scram by a factor of two or ten; (10)what types of coupling will be considered under the broad categories of " spatial" coupling and " process" coupling; (11) need to consider fires as a special kind of coupling mechanism, also the need to consider inductive l coupling between circuits; (12) will activities that aren't necessarily I operational in terms of the functioning system itself be considered, i

for example, use of a welding machine that could introduce electro-magnetic coupling; (13) can the (fault tree) methodology dealt will events like valves locked into the wrong position; (14) can the metho-dology handle multiple interactions concurrently, for example, the event

Generic Task No. A-17 I that caused the damage to the diesel generator unit at the Zion Station; (15) how we will treat interconnections between safety and non-safety related systems; (16) do we consider the act of failure of a component in one system as a potential interaction with another system; (17) will we consider the transient effects as a failure of a component occurs, that is the effects that may occur between the time that the system is in working order and the time that it has failed; (18) need to consider probabilities of failure and the fact that probabilities change with time, for example, fatigue failure on airplane wings; (19) concern with what effect this methodology may have on the design process, that is, we may cause the design to be executed for the purpose of meeting a regulation; (20) how do we plan to look at the vulnerability of equipment to (con-tainment) over-temperature; (21) will we consider interactions caused by vibrations or small leaks; (22) will we include structural interactions, also, interactions that may be caused by, for example, train A instrument supported on a structural member with train B piping; (23)are individuals with desion experience assigned to the task, since the ultimate objective of the activity is what gets back into the design process, and ultimately, can this methodology be used by the designer to evaluate the systems design; (24) does human error include the bypassing of a system; (25) how far will we go into the more subtle interactions for example, the same supplier for lube oil to independent lube oil systems.

Mr. John Anderson of Oak Ridge National Laboratory presented infomation related to the study being conducted in regard to the interaction between auxiliary control systems and protection systems, including safety systems.,

The summary of his presentation is enclosed with this meeting summary.

Members of the ACRS and consultants raised certain questions and concerns about this study. Typical of the concerns are: (1) how will we address the lack of adequate or accurate information to the operator, including conflicting information from different sources; (2) comi nt that sometimes a partial loss of power can be a worse case than a total loss of power; (3) an observation that redundancy might involve three or four - channel operation to circumvent the problem of conflicting infomation or conflict-ing control function from two channels; (4) question about whether the untenninated injection of sodium hydroxide into the reactor coolant system would be covered by this study (the event that occurred on a B&W NSSS unit); (5) have we given thought to design improvements that might arise from the study; (6) will Sandia Laboratories and Oak Ridge National Laboratory use the same designation for plant systems.

The NRC Staff, and representati.ves of Edison Company and Fluor Power Services (formerly Fluor Pioneer, Inc.) presented information related

i ,

NOV 131978 Generic Task No. A-17 to the Zion Station Systems Interaction Study. The study was presented in a report by Fluor Pioneer, Inc. dated June 16, 1978. The study was made in response to a recomendation by the ACRS in its letter of June 17, 1977. The effort concentrated on a review of about 9000 Licensee Event Reports (LER) that had occurreed between 1969 and 1977.

Of the list of 9000 LER's, about 67 were determined to be significant enough for a detailed review. About 24 of these 67 events were judged to be applicable to Zion Station.

The Conclusions (Section V) from this study are included as an enclosure to this summary report. (The conclusions were inadvertently omitted from reproduced copies of the report that was made available to the ACRS subcommittee, but are in the bound volumes that were distributed under Docket Nos: 50-295 and 50-304.)

One of the significant matters that was discussed about the Zion Station study was that the loss of one of the direct current emergency busses will result in a plant scram which then challenges the plant shut down systems which are at least partially dependent on the direct current power that was lost.

The ACRS subcommittee members questioned whether Commonwealth Edison had a continuing program of review'ing and evaluating Licensee Event Reports, and also questioned what kind of program the NRC staff had to get information out to the industry. The NRC staff and Commonwealth Edison Company responded to this question. Commonwealth Edison Company depends fundamentally on NRC bulletins issued by the Office of Inspection and Enforcement and on feedback from industry. Also, a group of " design specialists" in the engineering department of Commonwealth Edison Company looks at Licensee Event Reports from the point of view of (plant) availability and specific problems. The NRC staff members explained that we review these events (LER's) from a very broad viewpoint, not just solely from a systems interaction viewpoint. Further, the NRC staff has currently underway several generic study efforts that are, in essence, system interaction types of reviews, such as the over-pressurization review.

The ACRS subcommittee also questioned whether the NRR Working Group on Systems Interaction reviews Licensee Event Reports. Our answer was negative.

At the conclusion of this meeting, the members of the ACRS subcomittee and its consultants made the following coments and observations:

(1) it may be useful to make a list (catalogue) of systems interaction questions which could serve cs a basis for being able to test whether the methodology of Task A217 is going to address the questions; (2) it l

l

Generic Task No.' A-17 NOV 131978 may be useful to do a preliminary survey (Pilot scale basis) to show whether we are justified in limiting the scope of the task as we propose to limit it; (3) it would be useful if the NRC staff (and Sandia) could make some judgments on how far this kind of program could be applied; (4) it appears that we are reaching for " pie in the sky", a nearly impossible task; (5) we need a more comprehensive definition of "nomal operation";

and (6) in what way can systems interaction have an effect upon the probability relationships that are used in deciding whether something is safe or not,.

We agreed that we should give careful consideration to making a list or catalogue of ev: ants (interactions) .that can be used to test the methodology ,

of Task A-17 at some intermediate point. It appeared that January 1979 '

is a reasonable target date for establishing some further communication with the ACRS regarding this matter. We agreed to keep the staff members (Mr. Wright) infomed of our progress in this matter.

JohnAngelo,'Y Task Manager Generic Task No. A-17 Division of Project Management

Enclosures:

1. List of Participants

2. Summary of Presentation by Sandia Laboratories

3. Summary of Presentation by Oak Ridge National Laboratory

4. Conclusions from Zion Station Systems Interaction Study cc:

See next page

Generic Task No. A-17 NOV 131973 cc: Mr. Jack Hickman Nuclear Fuel Cycle Systems Safety Division 4412 Sandia Laboratories Albuquerque,-New Mexico 87115 K. Canady Atomic Industrial Forum, Inc.

7101 Wisconsin Avenue.

Washington, D. C. 20014 Mr. Mark Wisenberg Tennessee Valley Authority 303 Power Building Chattanooga, Tennessee 37401

(

l l

( 4

ENCLOSURE 1 l LIST OF PARTICIPANTS ACRS SUBCOM"ITTEE MEETING OF OCTOBER 25, 1978 ON PLANT ARRANGEMENTS CONCERNING TASK A-17, SYSTEM 5 INTERACTION IN NUCLEAR POWER PLANTS, AND  !

THE ZION STATION SYSTEMS INTERACTION STUDY ACRS Subcommittee-and Consultants:

Mr. Myer Bender Mr. John Arnold Dr. Stephen Lawroski Mr. Epler Dr. Dade Moeller Mr. Michelson Dr. Jerome Ray Dean Palladino Commonwealth Edison Company:

Mr. Cordell Reed Mr. Tom Tramm Mr. Jack Leider Fluor Power Services:

Mr. Jerry Vellender (Formerly with Fluor Pioneer, Inc.)

Oak Ridge National Laboratory:

Mr. John Anderson dia Laboratories:

' .>. Jack Hickman Mr. Wally Crammond NRC:

Mr. Denwood F. Ross, Jr. Mr. M. Taylor Mr. G. Zech Mr. A. Schwencer Mr. John Angelo Atomic Industrial Forum:

Mr. Ken Canady

ENCLOSURE N0. 2

SUMMARY

OF PRESENTATION BY SANDIA LABORATORIES i

i l

l l

l l

l l

l

/Exar Ansusenur.s Susannirrte

[

[ So"ois Es s o rsri w w r/. Hic x n a iol '~

SYSTEMS INTERACTIONS METHODOLOGY APPLICATION .

OBJECTIVES DEVELOP A METHODOLOGY TO IDENTIFY AND EVALUATE SYSTEM .

IMPORTANT TO PUBLIC SAFETY ASSESS THE STANDARD REVIEW PLAN TO DETERMINE COMPLETE IN THE AREA 0F SYSTEMS INTERACTIONS DEVELOP A TECHNICAL BASE FOR CRITERIA, PROCEDURES, AND INFORMATION REQUIREMENTS APPROPRIATE FOR USE BY APPLICANTS

,~ -~

f a 5

i i

1 i

SYSTEMS INTERACTION METHODOLOGY t-l l 60ALS '!

i

. j l

1 IDENTIFY IMPORTANT SYSTEMS -

I i

IDENTIFY POTENTIAL INTERACTIONS l t  !

EVALUATE INTERACTIONS

, i y

O 2 *I j

(

l

- . . . - - . . - ~ . . _ _ _ _ _ __. _,_ _ __ _. _

! CEFIt.'E j PICCNet .-

. SCOPE g

. DLVEIOP DEVEIC? PFIPARE ^

1 PIINr SYSTEM P11ASE I -

IEIC IDDTr!FICATIOr3 REPOEC.

MIELS '1TC1NIQUE EC/E!OP 12 I -- 5 7 f Itt.TP/CTIOri I ELSCRIPTIO:S l l DLVEIDP VERIFY M;D l 2 Ittitr<ACTIO DEMor:STPATE l

100tr1FICATIOJ FrJIEM a ALCORI"D H PIOCEDUf4ES l I

! Srtit'r . g

. Co.MPI APY -- 8 10 .

FACILITY DEVEIDP DEFIhT 3 D M IDP IttrEftACTIO1 ASSESS PREE II

~ - ~

SY M M Iy.pogrteJCE STAT 3DARD pgg  !

EM MEASUPES

~

EEVIEW

~

• PLAtl piv!!u STM N D ~

' 9 13 I 11vitu Pues 11  :

t 1

4  :

Phase I Tasks

' 1 4

a f 1

/'

i ' ,! , ! e ' e ig1  !~ I* i!* il-j

\.

N =

s.

n. i N

OE  :. . .

ICS .c i s.

TNE CAR n a:..

ATU RRS EOA ime TPE NMM II l I li l I I l* -l I l3 l S

N C _

O I _

NI TT OTM NS IAi  !

EI

- TCT NR SE ~ CII h OE TD AFR PT EO RIO

! C s SC ETG OA a TNL CR vm NEA A -i ID I

I i T

I C  :

iw

=

n c. .

in n --

C MN MS IMM RE ETE TEL NTE TEG NTI NSD

~

ASD < ASS YO LYO LYE SM PSM PSD e

I

= l ' i lI l -

l l 1 I .

N O

IS TE SAU -

! CQ -

EII TFN

- SI! l YTC S :! E ET _

D I .

~ _

+

m r

~

=

- v C - s

_ ITCS TCL S

TG N n:

- RNIL  !

I :u J I E i

EAGE GD l-S - T NLOD UCC UE :s

. EPLO PLM PD mv G M in e *%

, s

<. ' i iI! -  : .  : lI i i! i  ! , ; :.  :-

illll llll ,l !llll llijl!I i! ,  ! I (l lil

Within Scope Methodology Aoplicable Category All Othern Plant Type PWR Westinghouce Dry Containment Ice Condenser Containment Babcock & tillcox Conbustion Engineering BilR Ganeral Electric .

1: ark I Containment General Electric

!! ark III Containr ent

!!ultiplo

?!arie r of Units Singlo l Per Site Ecactor Core Spent Fuel Pool Radicactivc Mater'ial Itad :aate Syntca Courcen Othrr C-C-ty F Inted Plant Functionu Protretion of ECS Prcsauro E c:'e t i: aF ;uiring

!nundary ..cc Iia-I:i 1.rfor-I' ' c l o r Shu t.'r.un l i d,ili t y locay !! cat E. .. oval 1:a _ :71 Operations In f r c : .- r.t Incidents Plant Conditions Limiting Pault:

(A;SI ?:13. 2 ) Incidents of I!oderate Frcquency Flood, Earthqutke, _

Envirc.nn nta1  ?!ormal  !!urricane, Tornado Cor.<!i t i ons

( A!..; I ::18. 2)

Procesa Coupling Other Interccticas Interactions Spatial Coupling

.(

e i

REPRESfNTATIVE PLANTS Nuclear Steam Containment Architect-Plant Type Synten Supplier Type Engineer Operator Surry PWR Ucatinghouse Conventional Stone & virginia Electric Webster & Power Co.

Se<Iuoyah PWR Wentinghouse Ice Condenser TVA TVA Oconce PUR Dabcock & Wilcox Conventional Duke Power Duke Power Calvert PUR Cor.-bu s tion Conventional Dechtel P.altimore Gas Cliffs Engineering & Electric Peach EWR Cencral Electric Mark I Dechtel Philadelphia Bottom Electric Co.

Grand SMR Ceneral Electric Mark III Bechtel Mississippi Gulf Power & Light Co.

EXEMPLARY I'ACILITY Watts PWR Ecatinghouse Ice Condenser TVA TVA Bar .

\- )

l l

l l

• l l .

l l

~

15 15 15 15 15 l

' 15 15 15 15 JAN MAR MAY JUL SEP MAY JUL SEP NOV 79 79 i

78 78 78 79 79 79 78 i

I I I i I l> I I I l

IEFIflE PROGRAM SCOPE

)EV ELOP INTERACTIOti JESCRIPTIONS 3 ELECT EXEMPLARY

-ACILITY REVIEN STA!JDARD REVIEW __

?LA?J AtJD LER'S DEVELOP PLANT LOGIC

'*ODELS DEVELOP SYSTEM MODELS DEVELOP SYSTEM IDENTIFI-CATIOr1 TECllNIQUE DEVELOP INTERACTICN IDENTI-FICATION ALGORITiiM .

~

DEVELOP IflTE RACTION IMPORTANCE MEASURES VERIFY AND DEMONSTRATE REVIEW PROCEDURES ASSESS STANDARD REV1EW PLAN .

PREPARE PIIASE I REPORT SYSTEMS INTERACTION PROGRAM SCHEDULE

JNCTIONAL LEVEL lFuHcTlo N l (STEM / CRITERIA LEVEL l SYS Il l5ys 1l l5YS 3l . . .

kV5 Xl

/ -

l JBSYSTEM/ TRAIN LEVEL lTRA4ea n l fanind lSua375l s'~

'ls .

l t

' i N f

)MPONENT LEVEL l comp 1 l ' lcoNo 1l -- lCoH P Y l l comp I l lHP 2. l * * * [coMe l l lCoHPEl lCoh P l***

TAILED FAILURE lTfM l l Hw l lPl l5 l lT4M l l>l lP l lS l lTfMl lHwl lP l l5 l

~

"A A N d' ^

SPACIAL-HW SPACIAL-HW A HUMAN

• PHYSICAL

TERACTION " LEVEL" SPACIAL-SUPPORT OT- SPECIFICALLY ADDRESSED IN THIS STUDY.

O A

O Ic e l h , , .

l s l SeACIAL lawl l1tm l l e l PnYSICAL Q q ^

n -

i i  : , , ,

Iz 1 Ic l3 l1s il ..- 11s wl la l Iss l 11r l INTERCONNECTED O O hI lab l Ine l l l o, j l l l ,,, l l l l _, l l o o h... I d=al...SYSMS O INDEPENDENT CAUSAL ,

Q , ,

Q , , ,

IIARDWARE - IIARDWARE [ g :l coM l5s ,l lcv" l lre s l lCO"l FAILURES FAILURES a q g ANOTIIER COMMON COMMON COLOCATED SUPPORT INDUCED COMPONENT SYSTEMS ENVIRO}1MENTS

SIIARED COMPONENT SEPARATE COMPONENTS l

l Sy S - Sy 1

d a C P PS S "

3 T .

Y b 8 8 2 2 2 (1) SI (2) SI (3) SI 1

b l l i

J <

C P S # S 2 1 PS P

• i S

2 S 2

. (4) SI (5) 5f (6) 5I

-~~ - - - - - -- , , _

0 ENCLOSURE NO. 3 SUMW.RY OF PRESENTATION BY OAK RIDGE NATIONAL LABORATORIES l 1

1 l

l l

1 1

I I

i l

I i 1

l i

1 JOHN ANDERSON, ORNL i l

l AUXILIARY CONTROL SYSTEM AND 1 l

PROTECTION SYSTEM INTERACTIONS I l

STUDY OCTOBER 25, 1978

~

j ',' ),e

< .., i

, uw ..

L) c? t< .

.  : T.

..i . .

\.

/ /

,: v" *- '? '

l h ,v  :.. < .* -

1. $ ./ + $ *

• p b N i

l

. I i

) l

\

/

' .I.f',

1 .

1 s ,

E-- h +- .2-.sm 4 4 .-,d m., m _.h.a .:zh4. m ..er m ,,as -.- # u -,

4 4- e=+4-4 .an .

n SCOPE:

TO IDENTIFY AND EVALUATE THE SAFETY SIGNIFICANCE OF POSSIBLE INTERACTIONS BETWEEN CONTROL AND SAFETY SYSTEMS.

• ANALYSIS OF AUXILIARY CONTROL SYSTEMS

• POTENTIAL FOR DIRECT. INTERACTION

• CONTROL FAILURES RESULTING IN CHALLENGE

• EVALUATE PROTECTIVE CAPABILITY TO MITIGATE THE CONSEQUENCES OF INTERACTIONS

+ vsonwy umscs "abM"1 4 9.t14 7 00 5 70 D C3 Po u tTL.,. cenkt Tr oM $ g, N ors f*E" L d4L \

t 4

4 4

i .

D 4

t ,

i r - -

I APPROACH:

• EXAMINE A-PARTICULAR PWR CONTROL l SYSTEM. (B&W INTEGRATED CONTROL l SYSTEM)

• IDENTIFY CONTROLLED VARIABLES AtlD POTENTIAL FAILURE MODES.

• EVALUATE LIMITING CONDITIONS RESULTING FROM FAILURES AND DETERMINE IF THEY ARE ADEQUATELY TREATED IN THE PSAR.

• IDENTIFY PROTECTION CAPABILITY.

I l S

- I  !

4

. l

.______-_______m_____._. __ e--- - - -

SUBSEQUENT TASKS: SIMILAR EVALUATION .

I

• BOILING WATER REACTORS (BROWNS FERRY)

• OTHER PRESSURIZED WATER REACTORS COMBUSTION ENGINEERING WESTINGHOUSE

• EVALUATION OF PERTINENT LER's l

1 O

4 4

1

- l l .

i B&W INTEGRATED CONTROL SYSTEM l

• CONTROLLED VARIABLES TURBINE THROTTLE TURBINE BYPASS STEAM PRESSURE RELIEF VALVES MAIN FEEDWATER VALVES - 2 LOOPS STARTUP FEEDWATER VALVES - 2 LOOPS FEEDWATER PUMP SPEED - 2 LOOPS EMERGENCY FEEDWATER ISOLATION VALVES t

l

- t I

t l

4 i

s EFFECTS OF FAILURES:

• CONTROLLED VARIABLES EXAMINED >

INDIVIDUALLY IN RELATION TO PSAR.

• MULTIPLE FAILURES EXAMINED TO A MORE LIMITED EXTENT.

OBSERVATIONS:

• OPERABLE PARTS OF SYSTEM TEND TO t COMPENSATE FOR PARTIAL FAILURES BY EXTENSIVE CROSS-LIMITING FOR MULTIPLE FAILURES ONE PARAMETER TENDS TO DOMINATE (E.G. FEEDWATER)

)

8 i e

s 6

, I 4

L .

i

)

, . - , . , _c. - _ , ,-

, ,-w--- ,

t i

FAILURE CONSEQUENCES:

• FAILURES WITHIN THE SYSTEM TEND TO BE OF MINOR CONSEQUENCE.

• FAILURES OF ACTUATORS OR CONTROLLED DEVICES ARE MORE TRAUMATIC, BUT CAN BE MANAGED BY MANUAL OVERRIDE, PROVIDED:

THE OFERATOR HAS ADEQUATE STATUS INFORMATION OF THE PROCESSES.

• MOST SERIOUS CONSEQUENCE SO FAR DETERMINED IS RAPID C00LDOWN.

l I

i 6

i 1

9 i

EVALUATION OF AN ACTUAL EVEtlT

• WHOLESALE LOSS OF CONTROL AND INSTRUMENT POWER

• AUTOMATIC SYSTEM BLIND AND MISBEHAVING.

• OPERATOR INFORMATION WAS LIMITED AND HAD DIFFICULTY DETERMINING l

WHAT CORRECTIVE ACTION WAS NECESSARY.

i O

e l .

i e

I i

INTERACTION EVALUATION:

• PRIMARY PROTECTION SYSTEM (SCRAM)

RESPONDED CORRECTLY TO A REAL '

CHALLENGE CREATED BY CONTROL. FAILURE.

• SECONDARY PROTECTION SYSTEM (ESFAS)

~

ALSO RESPONDED CORRECTLY TO A POTENTIAL)

HEAT SINK . SAFETY PROBLEM (INADE l

• ESFAS ACTION CONFOUNDED THE OPERATORS EFFOR1S TO REGAIN CONTROL. ,

l l

• LACK OF INFORMATION SERIOUSLY j DEGRADED OPERATOR PERFORMANCE.

e D

9 l

~

l

~

I i

l i

- . v v . . - --

1

. I i

^

PRELIMINARY CONCLUSIONS:

• PROTECTION SYSTEMS ACTION WAS NEEDED AND CORRECT.

• PROTECTIVE ACTION WAS SOMEWHAT DETRIMENTAL TO EFFORTS TO REGAIN CONTROL, BUT NOT INAPPROPRIATE.

j

• CONTROL SYSTEM DID NOT INTERFERE WITH PROTECTION.

• GRINCIPAL PROBLEfj WAS CONTROL-CONTROL INTERACTION AND NOT

" CONTROL-PROTECTION" INTERACTION l

. I l

h .

l 0

l

.' l 1

l STATUS

SUMMARY

. l

• CONTROL AND INSTRUMENT SYSTEMS LACK: I CHANNELIZATION REDUNDANCY INDEPENDENCE AS A RESULT, THEY MAY NOT PROVIDE ESSENTIAL IllFORMATION AND PERFORMANCE IN SPITE OF FAILURES (AS IS EXPECTED OF PROTECTION SYSTEMS).

i I

n e

4 S

1 .

i

l l

l DESIGN PRACTICE:  ;

• TO SOME EXTENT THESE FEATURES ARE EXPECTED OF GOOD DESIGNS l

I TliEIR UTILITY HAS BEEN DEMONSTRATED IN RESEARCH REACTORS AND CANADIAN POWER REACTORS ,...

THEY ARE NOT CURRENTLY REQUIRED BY REGULATIONS AND STANDARDS

, I s '\

\.

I e

I .

s

i .

1 1

CONTROL IMPROVEMENTS ,

• PROTECTION CAN BE IMPROVED BY WELL  !

DESIGNED CONTROL SYSTEMS WHICH AVERT SITUATIONS WHICH MAY REQUIRE'PROTEC-TIVE ACTION, THEREBY REDUCING CHALLENGE.

• THE REWARD IS DIRECT.

• AVAILABILITY CAN CERTAINLY BE IMPROVED.

• SOME REDUNDANCY AND DIVERSITY IN CONTROL SYSTEMS WOULD BE A GOOD INVESTMENT.

f 9

9

+

1 I

t

- = -, , .--s ,- - ,-, ,-

m . - - - ,

l

,- I l .-  :

SUMMARY

THE CONSEQUENCE OF SEVERAL CONTROL MALFUNCTIONS HAS BEEN RAPID C00LDOWN, .

SOME C00LDOWNS MIGHT HAVE BEEN AVERTED BY !

IMPROVED OR REDUNDANT CONTROL FEATURES.

LOSS OF INFORMATION DURING LOSS OF '

CONTROL POWER SOURCES IS SIGNIFICANT.

AVAILABILITY OF MORE DIRECT INFORMATION FROM THE PROTECTION SYSTEM DURING CONTROL UPSETS MAY AID OPERATOR' RESPONSE (PARAGRAPH 4,20 0F IEEE-279) l l

i i

• f i

e 4

i y ~

h ENCLOSURE NO. 4 CONCLUSIONS FROM ZION STATION SYSTEMS INTERACTION STUDY

a SECT 10N V ,

!f l CONCLUSIONS 1 I

i l

Several conclusions were reached as a result of this study. ,

ii, These are discussed below:

l l

1. For the Zion plant, generic studies requested by the NRC and~the implemantation of their conclusions and recomendations involving such items as fire protection, pipe break, low temperature primary system overpressure, etc., have resulted in modifications which substantially reduce the possibility of the occurrence of a majority of the events studied.-.

2. The following investigations and/or plant modifications are recomended by this study,

a. Following an evaluation of the benefits of J-tubes, which were installed in one of the steam generators on Unit #2, a detemin-ation should be made as to the need for modification of the steam generators (FPI #9920-3). l

b. The containment spray pump diesel fuel oil tank vent and fill lines' susceptibility to being blocked and covered after a significant '

snowfall should be investigated and/or corrected (FPI #9923-5).

c. An investigation should be conducted to determine if ic'e can form

- on the Diesel Generator Room air inlet dampers to an extent that -

could be detrimental to the operation of the damper (FPI #9924-6),

d. Before initiation of any steam generator maintenance that has ['

the potential to affect the pressure retaining capability of the steam generator tubes, appropriate methods should be included in the procedures to check the integrity of the tubes prior to re-turning the steam generator to operation (FPI #9951-17),

e. A program should be developed to survey electrical boxes containing open terminals which are used in safety or shutdown' systems, and j which are located in the Auxiliary Building, Safety Valve Rooms, ,

pipe tunnels, and crib house to detennine if they could be subject  ; ,

to entry of water. For those boxes in this category, the existence (or lack) of box drain holes should be determined by inspection. If drain holes are not found in these boxes, they should be added, or some other technique should be used to prevent potential shorting of the teminals by water accumulation (FPI #9943-1 and #9943-2). Y l

V .1 k,

.7-._

I e

t

3. The large number of indicators and annunciators at the Zion

[ Station serve effectively to infonn the operator of the presence e

I of abnormal plant conditions including those associated with

', systems interaction events.

4. The approach used in this study was found to be a satisfactory method for investigating systems interaction events. The method was successful because the key project staff members were senior j personnel who had extensive experience.

I 5. Although the study did determine that some systems interaction could occur at the Zion plant, these occurrences would not

significantly degrade the safety and shutdown systems in the plant.

V, t

5 t

s s

V-2

. _ , . . - . . .