ML20151T841

Transcript of 880810 ACRS Regulatory Policies & Practices Subcommittee Meeting in Washington, DC. Pp 1-88. Supporting Info Encl
Person / Time
Issue date: 08/10/1988
From:
Advisory Committee on Reactor Safeguards
To:
References
ACRS-T-1688, NUDOCS 8808180310


UNITED STATES NUCLEAR REGULATORY COMMISSION

In the Matter of: REGULATORY POLICIES AND PRACTICES SUBCOMMITTEE MEETING

Pages: 1 through 80
Place: Washington, D.C.
Date: August 10, 1988

HERITAGE REPORTING CORPORATION
Official Reporters
[illegible] L Street, N.W., Suite 400
Washington, D.C. 20005

PUBLIC NOTICE BY THE UNITED STATES NUCLEAR REGULATORY COMMISSION'S ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

The contents of this stenographic transcript of the proceedings of the United States Nuclear Regulatory Commission's Advisory Committee on Reactor Safeguards (ACRS), as reported herein, is an uncorrected record of the discussions recorded at the meeting held on the above date.

No member of the ACRS Staff and no participant at this meeting accepts any responsibility for errors or inaccuracies of statement or data contained in this transcript.

Heritage Reporting Corporation (202) 628-4888

UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

Regulatory Policies and Practices Subcommittee Meeting

Wednesday, August 10, 1988
Room 1046
1717 H Street, N.W.
Washington, D.C. 20555

The above-entitled matter came on for hearing, pursuant to notice, at 8:40 a.m.

BEFORE:

DR. HAROLD LEWIS, Chairman
Professor of Physics
Department of Physics
University of California
Santa Barbara, California

ACRS MEMBERS PRESENT:

MR. CARLYLE MICHELSON
Retired Principal Nuclear Engineer
Tennessee Valley Authority, Knoxville, Tennessee, and
Retired Director, Office for Analysis and Evaluation of Operational Data
U.S. Nuclear Regulatory Commission
Washington, D.C.

DR. CHESTER P. SIESS
Professor Emeritus of Civil Engineering
University of Illinois
Urbana, Illinois

MR. CHARLES J. WYLIE
Retired Chief Engineer
Electrical Division
Duke Power Company
Charlotte, North Carolina

DR. WILLIAM KERR
Professor of Nuclear Engineering
Director, Office of Energy Research
University of Michigan
Ann Arbor, Michigan

DR. DAVID OKRENT
Professor of Engineering and Applied Science
Department of Mechanical, Aerospace and Nuclear Engineering
School of Engineering and Applied Science
University of California
Los Angeles, California

MR. JAMES CARROLL

NRC COGNIZANT STAFF:

Gary R. Quittschreiber

NRC STAFF PRESENTERS:

R. Baer
D. Thatcher
A. Szukiewicz

PROCEEDINGS

DR. LEWIS: The meeting will now come to order. This is a meeting of the Advisory Committee on Reactor Safeguards Subcommittee on Regulatory Policies and Practices.

Somebody told me long ago, you can tell the importance of an organization because it's inadversely proportionate with enough words in its title.

I am Hal Lewis, Subcommittee Chairman.

The ACRS members in attendance are Bill Kerr, J. Carroll, Charlie Wylie, and Carl Michelson was here a moment ago. We also have Dave Okrent a long term member of ACRS, now our distinguished consultant.

The purpose of the meeting is to review the NRC staff's response to the ACRS comments on USI A-47 entitled "Safety Implications of Control Systems."

Mr. Gary Quittschreiber to my right is the cognizant ACRS staff member for this meeting.

Rules for participation have been announced as part of the notice of the meeting published in the Federal Register on July 27th of this year.

A transcript is being kept for the open portions of the meeting and will be made available as stated in the Federal Register Notice. It is requested that each speaker first identify himself or herself and speak with sufficient clarity and volume so that he or she can be readily heard.

We have received no written comments or requests to make statements from members of the public.

We will then proceed with the meeting.

(Subcommittee went into Executive Session.)

DR. LEWIS: Mr. Baer.

(Slides being shown)

MR. BAER: I was just going to give a brief introduction and Andy Szukiewicz and Dale Thatcher will be doing the bulk of the presentation.

We will be following the agenda pretty much, I think, in exactly the order specified. I was just going to give a brief status of where we stand on A-47, USI A-47, Safety Implications of Control Systems.

The proposed resolution was issued for public comment right at the end of May of this year after getting agreement from ACRS and agreeing to publish it, although were concerned about other items they felt weren't covered in the scope.

It went through a CRGR review, revised the package slightly to reflect comments both from ACRS and CRGR. And as I said, was published at the end of May.

The public comment period closed the end of July, I think July 29th was the exact date it officially closed. We have only received one set of comments, it was from Westinghouse and it had some corrections on some of the very specific details, but didn't raise any broad philosophical questions.

We have also received, Andy Szukiewicz and I, was it five -- I think I received a couple and he three -- calls from various utilities or owners groups saying they will be providing comments and could they have a little more time. I think they have all agreed to get something in by the end of this week. And I don't know that means physically in our hands or mailed out, but certainly by the end of next week we expect to have all the comments in.

Our next step would then be to review the comments and revise as necessary the package, the proposed resolution package, come back to the ACRS and the CRGR; and we hope to do that in January of '89. And then assuming agreement of this committee and CRGR publish the final resolution package in April of next year.

That's pretty much the up to date status. Following along with the agenda, Andy Szukiewicz will discuss how we plan to resolve the remaining ACRS comments.

DR. LEWIS: Bob, before you go away, do you have any memory at what point that Dave Okrent made -- whether it was an original statement?

MR. BAER: No, but I have only been involved, as I said in the other subcommittee, I took over this branch in April of '87. I'm generally familiar with the issue but not all the detail correspondence.

DR. LEWIS: You're a new boy on the block.

MR. BAER: What?

DR. LEWIS: You're a new boy on the block.

MR. BAER: Yes.

(Slides being shown)

MR. SZUKIEWICZ: My name is Andrew Szukiewicz and I'm the task manager of A-47. Before I start to answer your question on this issue about a memo outlining those two concerns, I don't recall any specific memo that did that. Of course, in meetings these issues have been raised. But we went back to look at some of the memos we had that were developed by the ACRS on this subject and we couldn't find it. Now that doesn't mean that it's not there, but we just couldn't find it. We tried to work with the staff, on the ACRS staff to see what information was available and we couldn't specifically identify that.

DR. LEWIS: Well, either way it's easier possible that we forgot to formalize it.

MR. SZUKIEWICZ: But it was, you know, in most of our meetings on this subject a discussion of misoperation, misinformation or misleading the operators was a subject of discussion.

I would just like to provide a quick summary of our proposed resolution just as a refresher. We discussed the resolution and the actions in quite a lot of detail in May or March of this year, March 24th. I'll just go over this quickly.

As a result of our efforts to look at non-safety grade control systems we identified a limited number of requirements. Primarily the major requirement that affected all plants was the issue of adequacy of protection against overfill.

As a result we identified certain scenarios that could occur that were significant risk contributors that warranted a fix. And we issued a generic letter and we discussed this in the generic letter on the requirements. Basically we require that all utilities, all plants provide overfill protection.

As we pointed out then and now, a number of plants, for instance, Westinghouse plants, we identified that almost all of them except three did provide overfill protection already and it was safety grade. About half of the BWRs provided overfill protection. And a number of B&W plants provided some sort of overfill protection. None of the CE plants provided overfill protection. We're also requiring that they do provide some.

DR. LEWIS: Could I just understand your philosophy, I'm sure I'm reading it wrong. Is there built in to your process that if somebody provides a safety grade channel to cover a deficiency in a non-safety grade system that is a resolution?

MR. SZUKIEWICZ: That's true.

We also determined that there was really, once you had this overfill protection, since we didn't require safety grade per se, to make sure that at least overfill protection channels would be tech spec to make sure that during operation they have means for sensing and inhibiting overfill.

So included in the resolution are tech spec requirements for periodic verification; testing; and assuring that it be operable.

Also in one of the plants we identified certain control system failures that could cause overheating transients. All the plants except for Oconee 1, 2, and 3, we felt adequately mitigated the overfill transients by their auxiliary feedwater systems.

The Oconee plants, in their logic, because of their logic you could have failures that could prevent initiation of emergency feedwater systems. So we are requesting that the Oconee plants take a look at their design and make sure that even in certain failures, and specifically if it's failures in the main feedwater systems that you could actually have systems where you can have low -- the pumps would not trip, which would be initiation of auxiliary feedwater system, but they could coast down to some minimum flow and not trip, and that would not automatically initiate the auxiliary feedwater systems.

Most of the other plants have coincident logic that has level and status of feedwater pumps running. In the case of Oconee it was only just that one permissive, if the feedwater pump was tripped you would start the auxiliary feedwater system.

So in addition to the overfill protection we identified certain scenarios for overheat transients.

DR. LEWIS: I'm trying to understand the mechanism for which this was done. When you say identified does this mean that, you know, six people sat around a table with felt hats on and tried to think of things that could happen or does it mean you took existing PRAs and looked through them for events that could be associated with the failure of some control component. What was the mechanism? Was it brainstorming?

MR. SZUKIEWICZ: It was, really, a process, it was a combination of a lot of things.

MR. BAER: Well, we did look at specific -- it wasn't PRAs, we look at the effects analysis on specific plants. One representative of B&W plant; one representative of CE plant; and one representative of Westinghouse.

DR. LEWIS: But on those you simply brainstormed the things that could happen or did you look at each control and do what the people in other industries would call an FMEA on it?

MR. BAER: An FMEA, and more than that. Well, here is, I guess, a little bit where we separate from ACRS, but we think we systematically looked at the major -- well, the systems that could cause overcooling events, overpressure events.

MR. SZUKIEWICZ: Overtemperature.

MR. BAER: Overtemperature, overfill. And we said, okay --

MR. SZUKIEWICZ: Reactor transients.

MR. BAER: Reactor transients. What other control systems, either single failures or multiple failures that could effect the prime movers that could result in this. For those selected plants, one representative of each supplier, those were looked at in fairly detailed FMEA and I think some other techniques, too.

MR. SZUKIEWICZ: We also used a computer model to full single and multiple failures and to look at the responses and look at the thermal-hydraulic responses.

DR. LEWIS: What is important about it having been a computer model; did it embody the logic Bob was just talking about?

MR. SZUKIEWICZ: It did.

DR. OKRENT: I'm just wondering how they chose the failures when they were multiple, I mean more than one, how did they decide which pairs or which trip lifts, how many, and so forth?

MR. SZUKIEWICZ: Once they identified a list of control systems and their failure modes, if they could not determine whether certain failures could be derived from a single failure. In some cases what they did was they -- I lost my train of thought.

They did bounding analysis, and in some cases they had the detailed drawings. So they looked at potential common mode failures like loss of power to identify combinations of failures. So what kind of failures could occur.

And also if they didn't they determined whether there was a probability, a high probability and whether the combinations of these failures was significant.

In some cases where they could not determine that it was significant, they arbitrarily took failures to do a bounding analysis.

DR. LEWIS: You used a number of words like bounding analysis and significant and so forth, were these defined somewhere in language that others can understand?

MR. SZUKIEWICZ: Yes. They established a criteria which was identified and reported in the resolution what they were looking at. They were looking at certain cooling rates and certain transients that would exceed set point pressures. Certain transients that would exceed temperatures. Transients that could exceed certain level parameters.

DR. LEWIS: I see. This was bounding in plant parameters. Probability played no role.

MR. SZUKIEWICZ: No.

DR. LEWIS: I misunderstood.

DR. OKRENT: Could I put words in your mouth and ask, did they in effect use fault trees where the top event was to exceed a cooling rate or certain level in the best or so forth. And were they allowed failures in the fault tree where those that could be related to control systems, and find all the cut sets?

MR. SZUKIEWICZ: They didn't do it in the sense of, what you're inferring, writing an unlimited number of fault trees.

What they did was analyze all the control systems. And analyze, for example, in the case of the feedwater, if there was a failure in the feedwater it could either increase the flow or decrease the flow and they actually looked at mid ranges as well.

They did that in every single control, non-safety control system.

And from that point then they went either to drawings to see if there were -- if these designs were on redundant and separate independent systems or if they couldn't determine that, for example, two systems were identified that could cause an increase in flow. Then they would eventually bound those and look at failures mode that could fail both those systems together.

In a lot of cases what they did, and I'm going back from memory because this happened about three years ago now. In the case of overfill they identified feedwater, for example, as a failure in some way that would increase feedwater flow and then looked at other systems that go into and cause overfill.

Then they looked at, for example, they identified certain valves that if they opened inadvertently that could, on the top of the steam generators, that could possibly suck the water out and could change level.

So they looked at all systems to see how level could change. And then what they tried to do, for example, on a BWR they took failures of the feedwater system failing high, maximum flow, simultaneous with inadvertent actuation of six ADS valves to simulate the swell phenomenon. And then asked whether there were protection systems that mitigated this kind of a transient, whether the transient was really significant, to determine what the significance of coupling of protection system or non-safety grade systems would be.

In some cases what they did was, they systematically took worse case type of or most significant control systems, in a lot of cases the feedwater was one of the systems that was impacted, and they coupled the system with another independent failure. If they couldn't identify whether it was as a result of a single event or if they didn't know that they actually took two at a time of what they considered independent failures.

Then in order to do bounding studies for the systems, after they had done a lot of process and had a feel of how transients of these non-safety grade control systems acted on the system itself, they had a better feel of, some of the systems were more significant as far as transient producers, others were not.

In those cases where they felt that there were a number of systems that were significant they actually lump them together and then try to see what the effects would be on different power levels.

DR. LEWIS: I want to ask you two very quick questions because I don't want to get you any further behind and we have already done it.

One was, and this is related to Dave's earlier question --

DR. KERR: I can barely hear you.

DR. LEWIS: Forgive me, I should shout, I have this terrible problem.

Two very quick questions without getting too far behind schedule.

One is, Bob mentioned earlier and you're going to have to speak up, you know, answer for whatever he says inadvertently, he said something about looking for this things that effect the prime movers. The kind of question that Dave was asking earlier was a problem that doesn't affect the prime mover, but does at second order because it effects the operator information track. So just bear that in mind.

The second point, and this overlaps the A-17 issues, in looking for ways in which one control system failure can produce an effect, and you have gone through a number of such things, were these done through the plant diagrams or did people also look for systems interactions which can transfer problems from one control system to another like power losses and things like that; were those included in the systematic search?

MR. SZUKIEWICZ: Yes, they were; and they were included by either specifically looking at the final design drawings.

And on some of the plants this was available. In other cases where this was not available the methodology that was used was to fail a number, just combine arbitrarily, a number of control system failures and analyze it.

If the resultant transients were significant, then they have to back track and determine, well, how significant are these combinations of failures and how likely are these combination of failures to occur.

DR. LEWIS: Were failures in plant computers considered?

MR. SZUKIEWICZ: There was a verification program to verify the transient studies.

DR. LEWIS: I don't know what that means.

MR. SZUKIEWICZ: Well, they took actually data from actual transients to determine and to study and to simulate that on a computer to verify that there are simulations.

MR. BAER: He's talking about computers that are used to operate the plants.

MR. SZUKIEWICZ: Oh, I see, I thought you meant the -- we did not look at --

DR. LEWIS: I see. Okay, that's an answer.

MR. SZUKIEWICZ: Well, we considered that could be a potential common mode failure of control systems, but we didn't specifically go into the plant computer to find out what specific combinations they could occur.

We actually took and we did a bounding study,

DR. LEWIS: Let me not argue the point, let me keep you on track.

DR. KERR: This question has been around a long time and I'm not sure I remember in detail, I know I don't remember all the details, but in the early part of the discussion one of the concerns that we had was that control systems, because of their unreliability might be contributing significantly to risk, at hence, the name of the game.

What at least some of us had in mind was that it might be possible to get some idea of the actual risk contribution by looking at representative control systems and seeing what their failure or lack of reliability contributed to risk.

It is my impression that this was not done. I think certainly what has done has decreased risk. I don't think we know how much.

But in addition there was some feeling, certainly on the part of some of us, that more than failures might contribute to risk. Take the feedwater system, for example, the feedwater systems still contribute significantly to the number of scrams that occurred during the operation of plants. Not because they failed but because the damn things are just not designed very well, particularly at low flow conditions.

I'm convinced personally that they could be designed better than they are. Every time you get a challenge to a safety system, I think, introduce some risk. The Canadians, if I understand their approach to this, actually set goals for challenges of control systems to safety systems and there is a limit that they try to achieve as a goal.

This sort of thing I think was not done in this study. Perhaps the approach that was taken was better, more practical, more efficient. But I think we still don't have a good answer to some of the sorts of questions as it seems to me one would want to have and that is, should there be some sort of standard for performance of control systems, not necessarily safety grade or single failure or whatever, based on what one might determine about the risk contribution of systems whose reliability is unknown.

That, it seems to me, it might still be worth doing. I don't think it was done in this study.

MR. SZUKIEWICZ: No, it was not done or --

DR. LEWIS: I think that part of a class of things we're closing in on. This study was a mechanistic study and it was designed so that it could be closed.

DR. KERR: That is not meant to imply that this study didn't produce some useful results, I think it did.

MR. SZUKIEWICZ: We tried to wrestle it in the early stages of what would constitute an unacceptable risk, an unacceptable number of challenges to the protection system, and we really couldn't get a consensus.

When we looked at our LER search we compared the different vendors and to see, you know, if there was a certain group of plants that was actually challenging the protection systems a lot more than other plants. And our conclusion was that they were all about the same.

Now subsequent to our study a number of transients occurred at B&W plants where it was perceived that something needs to be done with those plants. I'm sure you all know about the B&W Owners Group study which took pretty close to two years to evaluate. And one of the objectives of that program was to reduce the number of transients and the number of trips to the protection system. And then, of course, the other objective was to make sure that the transients that are produced can be mitigated as simply as possible.

So, the number of challenges too high for the B&W plants and the Commission did something about that in that specific area. They didn't feel that it was at that point necessary to go out and do the same kind of study on the other vendors.

But to answer Dr. Kerr's question, you know, we specifically did not look at that aspect of it.

MR. BAER: I will point out that the Commission is applying the subtle or not so subtle pressure along those lines with the performance indicators by counting the number of scrams in each plant. Most of them are, or a good fraction of them are, some sort of control system failure. Certainly a feed water system failure is a major contributor to the scrams at the Westinghouse plants at low flows.

DR. LEWIS: The problem there, as I think we all know, is that a scram per se is not a bad thing if it prevents an accident. It's the unnecessary scrams that you want to reduce. But you're exactly right. People catalog and measure the total of all scrams and then they -- it's been going down fairly steadily, and you might want a nitch in your system in some cases, but this whole question of the computer is one I don't want to drag us on. We're going to come back to it because there are an enormous class of questions that have to do with transfer of misinformation, with unfortunate response of computers to unexpected inputs.

There's a whole field of computer science devoted to making computers immune to those, and none of that technology seems to be represented anywhere around here, and I find that a very, to invent a word, nervousing fact, but you're not -- we're not going to solve it around this table. So, please go on.

DR. OKRENT: Could I ask one question that's a little bit related to this?

Would the multiple failure approach that was used have disclosed the kind of failure that occurred during the Rancho Seco light bulb incident where, if I recall correctly, for awhile, the main feed water was off and the aux feed water was signaled not to go on due to this loss of power, and there was an interaction which Frank Rouson characterized as one of the more serious events?

DR. LEWIS: No.

In fact, that's an event I carry in my mind as a prototype of the kind of event that can make trouble.

If I remember correctly, there was also withdrawal of rods at the same time.

DR. OKRENT: That may well be. Your memory of it is better than mine, but I'm wondering whether they would have picked it up with their --

MR. SZUKIEWICZ: We had the same question, and in the Rancho Seco case, from what I understand, there were certain valves that the licensee agreed to modify and change the [illegible] power.

All the B&W plants did commit and actually did implement these kind of requirements. Rancho Seco committed to provide this modification, but they never implemented it.

MR. CARROLL: The question was, would you have caught --

MR. SZUKIEWICZ: I'm sorry?

MR. CARROLL: Would you have caught this kind of a problem if you had done this sort of analysis?

MR. SZUKIEWICZ: If there was no requirement on that particular valve, yes, we would have caught it. If there was a requirement that came out and it was not implemented, no, we wouldn't have caught it.

DR. OKRENT: This requirement was before the light bulb incident?

MR. SZUKIEWICZ: No. It was after.

MR. BAER: I think, Andy, that we really have been --

MR. SZUKIEWICZ: I'm thinking of the one that occurred in 198 -- the December '79.

MR. BAER: I think the analysis -- there was a bulletin, 7924, 27,

MR. SZUKIEWICZ: 7927.

MR. BAER: 7927, and I think the analysis done for USI A-47 assumed that licensees had met their commitments to fix things on the B&W plants relative to that.

MR. SZUKIEWICZ: And, actually, on the referenced plant --

MR. CARROLL: I thought what was being asked, hypothetically, if you didn't have any of that history, would you have discovered this as a result of the analysis you had recently done?

DR. LEWIS: That's what the question was. It was a question about your procedure not about that accident.

MR. SZUKIEWICZ: No, we would not have identified it because it, you know, was an implementation problem.

DR. LEWIS: I don't understand the implementation problem.

MR. SZUKIEWICZ: Oh. Wait a minute. I'm sorry. I'm still going back to the most recent Rancho Seco.

DR. LEWIS: This was the fact that was unanticipated.

MR. SZUKIEWICZ: No.

DR. LEWIS: Which we would call system failure. The question is whether your search for a control system failure would have found it.

MR. SZUKIEWICZ: No.

DR. LEWIS: It would not. Fair enough. How far behind have we made you at this point?

MR. CARROLL: I want to make a point. On your earlier slide, you showed one of your resolutions to be the discovery of a glitch in emergency feed water at Up County. Nine and a half years after TMI, we're still finding glitches and PWR emergency feed water systems. I'm appalled.

DR. LEWIS: That's a statement. Not a question.

MR. CARROLL: Is there some explanation?

DR. LEWIS: That's a question.

MR. CARROLL: That's a question.

MR. BAER: Not an explanation, but do keep in mind that when we're trying to resolve a generic issue, unless we have strong evidence to the contrary, we assume plants have been designed and the design has been implemented according to their commitments.

We don't go down and do plant-specific audits, and, so, if somebody has a screw-up in their design, the only reason this was caught on the Oconee was, correct me if I'm wrong, but the Oconee happened to be a plant we selected as the typical B&W plant.

If we had selected Crystal River, we probably would not have uncovered that.

MR. SZUKIEWICZ: Well, no, because we would make sure that the design of Crystal River was the same as all the other plants. So, we would have gone back and looked at the design to see if there [illegible] the different plants.

MR. BAER: Well, maybe I'm on the feed water because it's a safety system or pseudo-safety system can do it, but other control systems probably wouldn't have that kind of --

MR. SZUKIEWICZ: Exactly.

MR. BAER: Because one of the things we do in our proposed generic letter is we ask each licensee to review the technical reports and make sure it's applicable to their plant, because we are making judgments having looked at one plant in each NSSS. We're making judgments that these are typical, and particularly in the control systems, the documentation is not always that precise as Andy indicated. One of the problems contractors have when doing this analysis.

So, I want to make the point that we're not doing plant-specific audits.

MR. CARROLL: I understand this was a glitch. I'm not saying you people should have found it, but it was a glitch that resided there ever since TMI.

MR. BAER: And before.

MR. CARROLL: Neither the licensee nor the people that reviewed the TMI fixes, the people that had done emergency feed water systems, caught it.

MR. BAER: If I recall correctly, the fix aux feed system was maybe overly proscriptive.

It said if you made feed water pumps start the aux feed pumps, and I think Oconee meets that.
MR. SZUKIEWICZ: That's exactly what they have.
MR. BAER: But that's all that they have. Maybe that's an over-simplification.
MR. CARROLL: The problem is you can retain the feed water system, but at such a low flow --
MR. SZUKIEWICZ: It does, but you can still have very low flow.
MR. BAER: The level in the steam generator can never initiate aux feed water no matter how low the flow gets.
MR. SZUKIEWICZ: And you'd need operator intervention in this case. Just for explanation, maybe at the time that they reviewed it, operator intervention was considered an acceptable way of meeting that requirement.
The general comments that we received on the April 12th, 1988, letter from the ACRS, we characterized in two broad areas.
One, that the scope was unduly truncated, and, two, that common mode failures were not addressed in sufficient detail and --
MR. CARROLL: Unduly truncated?
MR. SZUKIEWICZ: Yes. The ACRS put it -- no. That was a quote from the letter. They did not put -- they used the word "unduly".
DR. LEWIS: Did we use the word "truncated"?
MR. SZUKIEWICZ: Yes.
DR. LEWIS: But that's not a quote?
MR. SZUKIEWICZ: That's true. Good point.
The next slides really are attempting to address the general comments. The letter indicated that one of the -- the letter was using the scope from an aqua book reference, and we tried to make the point that the work scope and the task activities were conducted in accordance with the approved task action plan.
DR. LEWIS: What is that supposed to tell me?
MR. SZUKIEWICZ: The task action plan was the -- is the official or our official bible, as it were, of defining what kind of tasks will be conducted and how will they be conducted on this particular --
DR. LEWIS: I understand that, but which ACRS criticism does that comment deal with?
MR. SZUKIEWICZ: The criticism was that it was unduly truncated because the aqua book statements appeared to be broader than the task conducted.
DR. LEWIS: Our complaint is about the way the working group implemented the task action plan as provided by the staff management or our complaint was that the task action plan was unduly truncated? Which was it? I don't remember.
MR. SZUKIEWICZ: The issue was that the scope was -- well, maybe you can tell me what the concern was.
DR. LEWIS: Okay. We said that the scope of the issue has been unduly truncated and that the problem description in the last revision of the aqua book gave a much broader issue for evaluation.
So, the question is, where did it get truncated? Because all this tells me is that the staff claims it did the job, the staff assignment.
MR. SZUKIEWICZ: That's right. Yeah.
DR. LEWIS: And that don't help me at all.
MR. BAER: Well, we went back to the aqua book and we didn't find very much difference between the aqua book and the transaction plan.
DR. LEWIS: So, you disagree with that it says in the ACRS. You're allowed to.
MR. BAER: Yeah. We thought, thought, I guess, many years ago, that we had a mutual agreement on the things we were going to do, and I guess we didn't have a mutual agreement.
But we do think -- well, we hope we're going to be addressing the residual comments in a program we'll describe. So, maybe --
MR. MICHELSON: The aqua book discuss all control systems failures as one of the things you were going to look at and did not discuss loss of power in the control system?
MR. BAER: We did look at loss of power.
MR. SZUKIEWICZ: We certainly looked at loss of power.
What we didn't look at, and we'll get into this in more detail because there's a lot of comments that were specific that we are addressing or will show you how we are going to be addressing,
MR. MICHELSON: Did you look at loss of power in the control system related to feed water?
MR. SZUKIEWICZ: We looked at loss of power for non-safety grade control systems.
DR. OKRENT: But not in a way that would have found the light bulb.
DR. LEWIS: I found those incompatible. That was a loss of power.
MR. SZUKIEWICZ: That's right.
DR. LEWIS: You wouldn't have found it but now you said you considered loss of power. I'm not understanding.
MR. BAER: I think the difference is the multiple event versus single event.
DR. LEWIS: This was single event loss of power.
DR. KERR: One drop of a light bulb.
DR. LEWIS: Single event, multiple loss of power. Just the sort of thing we're talking about.
DR. KERR: Light bulb drop on control panels every day. It would seem strange to me --
MR. SZUKIEWICZ: But as a result of that incident, the utilities made some changes to preclude the situation of the light bulb effect.
DR. LEWIS: Well, we'll have to do this several times more, obviously, but the question was asked if the utility had not made the changes, would you have discovered the potential for the Rancho Seco light bulb event, and the answer you gave was no, but now I'm hearing yes. I could, of course, take the average.
DR. KERR: Maybe you ought to be more specific. It seems to me that it would be effecting too much that this investigation would discover the falling of a light bulb. It might have discovered some difficulty with a single power supply for a number of channels.
MR. BAER: We definitely --
DR. KERR: I would almost certainly think that they would have discovered that because they looked at that sort of thing.
MR. SZUKIEWICZ: I thought you changed the question. You just said if the utility didn't do anything about that incident, would you have discovered it, and the answer would be no, we wouldn't have because we would have assumed that the implementation of those -- as a result of that event was complied with.
DR. LEWIS: Really, I'm being very slow here. I certainly don't ask whether anyone could have discovered that a technician would drop a light bulb which would smash on to the panel and short out a control system power supply. I wouldn't even believe that it
MR. BAER: On the B&W plant, I was just checking my memory with Dale, at that time, it was a little more complicated than that. It knocked out an converter that also controlled all steam water system. I think there were a lot of dependencies that weren't recognized and at the time A-47 was being worked, allegedly all the B&W plants had fixed that problem.
So, I think that's the -- why the confusing answer.
MR. MICHELSON: You're getting it mixed up with Crystal River now. Crystal River came along, it happened all over again. It was due to the fix that they had made for the Rancho Seco event and you thought everybody fixed it right.
DR. LEWIS: No. The fix they made for Three Mile Island,
MR. BAER: That was before. Except Rancho Seco didn't implement the bulletin, it turned out, because there was another event at Rancho Seco afterwards.
MR. MICHELSON: That's right.
MR. BAER: Not as severe, and what I'm saying is we were limited to believing at the time we were doing the study that people had made the fixes that they were directed to have made. So, that's, I think, why the somewhat different answer.
I think there was a lot of dependencies not recognized on the B&W system --
DR. LEWIS: And they are not there now? Well, you have discovered that they are not there now?
MR. BAER: If things have been implemented, yes. We went back and we looked -- I personally looked at the inspection report on Bulletin 7927, and they were all closed out. They don't have a lot of detail, but an inspector went out in each case and said, yeah, the licensee did good.
DR. LEWIS: But you're also certifying that that letter was complete as far as that kind of attraction to the control system is concerned?
MR. BAER: I'm sorry? Say that again.
DR. LEWIS: But you're also -- I understand you went out and looked and made sure that whatever was written in 7927 was complied with at the plant, but you're also --
MR. BAER: Well, the regional offices did, yes.
DR. LEWIS: Yes, and you believe the regional offices.
MR. BAER: Yes.
DR. LEWIS: You have to. But you're also certifying something extra because we're not here to resurvey that event. You're certifying that in your view, the fixes recommended in 7927 actually take care of events of that type.
MR. BAER: As far as the staff knows. There's a lot of work that went into that. I think Dale was involved with that stuff.
DR. LEWIS: But the basis for concluding that you would have -- what I understand to be a different answer than I thought you would have picked up -- is that you would build into your study an assumption that all those vulnerabilities had been resolved?
MR. BAER: Yes, yes.
DR. LEWIS: I understand your logic. Please.
MR. MICHELSON: Question. What did you look at in your study then that -- I mean, I hear these words about assumptions. You looked at the actual information on the circuits you were analyzing for failure modes and effects and so forth, didn't you, as hopefully as built or as --
MR. SZUKIEWICZ: Yes. That's correct.
MR. MICHELSON: So, it has nothing to do with whether or not somebody remembered to do something. You're looking at today's situation, whatever it is, without the fixes.
MR. BAER: On those plants that we looked at.
MR. MICHELSON: On those plants you looked at, you looked at today's situation, not whether or not the utility ever missed making a fix.
MR. BAER: Control system information was available.
MR. MICHELSON: Well, yeah, that's assuming there's sufficient available to draw your conclusions.
MR. BAER: I think Andy says in some cases, contractors ended up making what -- tried to make assumptions where they couldn't get the detailed information on possible dependencies because we don't really require nearly as much information on the control systems --
MR. MICHELSON: The conclusions you reached concerning what was important and what wasn't important were based on the situation that exists on the plants today or at least at the time of the study, which was a couple of years ago.
MR. BAER: Yes.
MR. MICHELSON: Including any fixes or lack of fixes around that plant at the time.
MR. SZUKIEWICZ: In fact, what we did on Oconee was we looked at the requirements of 7927 and actually went back to verify for a second time independently to see if, you know, they have adequately implemented the requirements, and the drawings indicated that they have.
Now, we assume that the other plants also did something equivalent to that.
DR. LEWIS: What Bob said a moment ago was that, in fact, as a generalization, control systems in general, you don't have the same detailed information that they have on other parts of the plant. Is that a situation which will persist forever? Is it your feeling that that's fine?
MR. BAER: I don't know how to go back and change it.
DR. LEWIS: One of the reasons that we're meeting is that there is a sense in some people's minds that the NRC has not sufficiently considered the role of control systems as a risk factor in nuclear power plants, and that would be reflected in not requiring quite as much information about it.
So, accepting that as a basis for the study and not asking whether you're going to challenge that is relevant to what we're talking about around the table today. I'm not picking on you.
MR. BAER: No. It's just -- as the next designer, I don't think we get a huge amount of information about anything, you know. Realistically, even the final safety analysis report is largely design criteria, and a commitment to meet it.
Now, I think the electrical people probably, generally the control and instrumentation people at NRR, historically have gotten somewhat more detailed than the mechanical people, but, you know, --
MR. THATCHER: It's certainly not down to what wire is connected to what formula and all that.
MR. SZUKIEWICZ: Actually, in this case, we went out to Oconee and they provided us the latest drawings because sometimes even the latest drawings that we have in house may not be the up-to-date ones. There may be changes.
So, we actually went out and Oconee was kind enough to really give it to us, to provide us these drawings. So, there was a very extensive program with four or five people actually looking at power systems and reviewing just those kind of events.
MR. CARROLL: Was that same thing done with the other vendor plants?
MR. SZUKIEWICZ: In cases, in cases where we didn't have this information, we did more bounding analysis by assuming combinations of failures to occur and then analyzing the results of these failures.
Now, we did not, as was pointed out during our discussions previously, that what one of the major assumptions that we did in A-47 was that we assumed that one channel of protection system will be available.
So, that's what we did, was we took a combination of failures, but we -- if there was a protection system to mitigate it and that particular transient was, indeed, mitigated by the protection system, we had to assume that one channel was available.
MR. BAER: We also -- I think you told me that the LER search didn't disclose any situation where that was. We looked at past history and we didn't find any event where that was not the case. Where, for example, a power supply that supplied both safety systems, safety-related system and non-safety-related system, failed. We didn't find situations where that cascaded over to the redundant protection system.
So, it was a little more than an assumption in my mind. It was somewhat verified.
MR. THATCHER: It wiped out the auxiliary feed water.
MR. BAER: Those weren't considered protection systems in those days.
MR. THATCHER: That's right.
MR. BAER: It was a very important system, but the criteria wasn't the safety system.
DR. LEWIS: Let me level the playing field a little bit by revealing a bias or prejudice that I have. The term "prejudice" doesn't mean one is wrong. It just means one is prejudged.
And that is that you sort of mixed up the term the electrical design in talking about control systems, and one of my concerns, you call it a prejudice if you like, is that NRC is an organization and, indeed, the industry as an industry have really not made the distinction between electrical systems and electronic systems and computing systems as well as they should because there are vulnerabilities in electronic systems which are simply not part of the electrical system world, and, so, my concern in this whole business is to go into those and find out to what extent they can make trouble.
The light bulb event at Rancho Seco happens to be a convenient event to illustrate the point, but it's that broad area that concerns me, and I'm not hearing anything that tells me that experts in electronics stability and that sort of thing have been brought anywhere into this picture.
That's my personal view, not shared, I guarantee, by anyone. I'd like to level the playing field.
MR. SZUKIEWICZ: When we did the failure, single failures, two at a time failures and selected multiple failures, we felt that we bounded the issue and it didn't really matter if certain components failed. The end result was that if you had a maximum flow or a minimum flow, that was the concern.
You could get those through a number of mechanisms, but if you get them, is it a problem? And when we determined that it was a problem, then we had to go back and see if -- can this, indeed, occur.
DR. LEWIS: Well, I don't believe, okay, since we're going to argue, I don't believe that anywhere in your study, or at least I've not heard it yet, was there anyone brought in to consider the following class of problems.
For any computer, there's a set of vulnerabilities which have to do with unexpected influence. In fact, the example is your personal keyboard, whatever it is. Everybody knows what will happen if you hit 0 or Control C or something like that, but if you ask what happens if you accidentally put your elbow down and happen to hit ZBQ and the plus sign, that isn't analyzed in general, and that can produce an effect which is quite remarkable, and there exists many incidents in the computer world in which that has been used as a means of getting into a computer, a means of making it misbehave, and there's a whole subject in computer science, called formal specification and verification, which is devoted to trying to rule out such things.
It's not here. We haven't heard of it. It hasn't happened, and, yet, things like that can happen, in which you get six inputs that have never been seen before in combination and nobody has studied what the computer is going to do.
You know, I'm not saying it's going to be bad. I'm saying that it would be good to have some alertness to it. Electrical engineers don't have that alertness because this subject is out of their field and that's what troubles me.
MR. SZUKIEWICZ: But there's really no required operator action. The procedures call for certain tools that he has to use for an analytical purpose. The computer itself is not the prime tool. He always has back-up as far as protection systems. Certain indications.
Now, your concern --
MR. BAER: For better or worse, you have protection systems from the control systems, and that for the events that people have postulated, those protection systems can handle it.
DR. LEWIS: But they are driven by the control system which is computer oriented. The light bulb incident was a case --
MR. BAER: I don't think so. I don't think so. I think even under our old relaxed design criteria in those days, if the aux feed water system had been a safety grade redundant system, you couldn't have lost all aux feed water pumps, even in Rancho Seco with the light bulb, if two things had happened.
One, that the aux feed water system had been classified safety grade and, two, the design met the criteria.
MR. CARROLL: I don't think your example of Rancho Seco applies to B&W plants. They were the only ones who went into this concept of an integrated control system where we can have all these weird things happen.
Most everybody else had dedicated control systems for particular --
DR. LEWIS: I'm not going to --
MR. CARROLL: The trend is in that direction as we get more confident in using that kind of equipment.
DR. LEWIS: I'm not going to get into a spitting contest about who knows more about these things. I'm only asking whether people from the computer world who are accustomed to this kind of question were somehow brought in to help look at it.
MR. BAER: No.
MR. THATCHER: Do any of those plants that you studied use computer controls?
MR. SZUKIEWICZ: Well, they use inputs to log certain data, and I guess Mr. Lewis --
MR. THATCHER: We're talking about data logging computers.
DR. LEWIS: No.
DR. KERR: The combustion engineering protection system uses digital computer-based logic and control.
MR. SZUKIEWICZ: Exactly. But that is testable.
It meets all the safety grade systems and verifiable --
MR. BAER: I'll bring down an old friend, who spent three years of his life making Arkansas and combustion go through a huge number of tests. Now, you never test every parameter, every combination of permutations, but it was a pretty exhaustive effort before that was accepted for protection.
DR. KERR: Leo is not a computer science person. He's a good electronics engineer.
MR. BAER: No. He is a mechanical engineer. He's in the same class.
DR. KERR: He has learned something about electronics, but he does not have the background in what we're talking about. I don't know whether people at combustion do or not.
DR. LEWIS: I'm not going to match my expert against your expert, and I am a little disturbed to find what I believe a legitimate question being met with essentially a kind of sneer, but that's your privilege, obviously.
But I would be much more comfortable if there were more willingness in this agency to recognize that there exists a field of science which has happened since the first reactors were built and which has permeated the community to some extent, not nearly as much as it should, but to some extent, and which contains within it vulnerabilities for which the agency is simply not staffed, and as far as I know, the industry is really not staffed to the point that they don't understand the question.
I find that disturbing. Please, how far behind are you now?
MR. SZUKIEWICZ: Case in point on the Arkansas study for those computerized systems. They did bring in specialists. Now, whether that would satisfy your criteria now, that's a different issue. But they did, I know Leo, because I was involved in it. This was being reviewed in the ICSB at the time, and they had some experts to assist Leo in this area.
But it is not being done right now, and I don't know what's being done in the human factors. I don't know the --
MR. BAER: The CE plant, is that for controls -- that's purely -- it just --
MR. SZUKIEWICZ: It's the protection system.
MR. BAER: The protection system. Instead of having a fixed point that I'm going to scram when my coolant outlet temperature gets to 587.5 degrees, instead of having that number built into the protection system, it's a calculated number based on the flow rate at the moment and the inlet temperature and the power level.
But I don't think it is used in the control itself. I don't believe so.
DR. LEWIS: I hate to keep going into ancient history, but I think Bill will remember when we had an issue of the under-voltage scram board in which there had been an inordinate number of failures, all caused by testing. Of course, the NRC cure was to order more frequent testing.
But, anyway, that's a classic one in my memory. But, in particular, on that, you know, everyone has a personal computer at home by now, and even a few people are allowed to have them at NRC, which will catch up to our homes one of these years, and when you turn the thing on, it goes to your system test itself. It makes sure that everything is okay, and in the case of the under-voltage circuit board, I remember we asked the question of whether one could put in the sort of things that one has on one's personal computer, something that tests it every minute, sends a low voltage signal down the line to all the components, comes back, it says beep, we are here, and the answer we got from the NRC rep was that would involve adding more equipment to the system and it's too unreliable already. Adding more equipment would just introduce a new accident mode.
I didn't think that was very good, but, anyway, education counts for a lot.
MR. SZUKIEWICZ: We made some scope changes and these were identified in the subsequent revisions. They were sent around to the different divisions for comment and approval and were approved and then incorporated in the task action plan.
These revisions have been described to the ACRS in March 24th, and I included in the hand-out in the back the table. In fact, it was the table that we submitted also with the letter on the activities, the scope and if there were changes, where the changes were made.
We feel that we have conducted the review of A-47 within the limits that were defined and that actually conform to the task action plan, and we are not planning to conduct any additional activities on USI A-47 to review more control system failure scenarios at this time.
ACRS has identified a number of potential common mode failures that we did not look at in A-47, and we agreed that we would address these ACRS concerns in more detail and try to identify them as specifically as we can, describe them, then prioritize them, and then, depending on the priority, to establish new issues or, in certain cases, some of the concerns may be lumped together.
Now, this is -- the program that we're doing this under is the multiple system response program which we discussed really this morning, and we can talk about it in more detail today.
MR. MICHELSON: Does this discuss A-47 aspects of the MSR program at all this morning? Just the A-17 aspects? Now, I think you want to tell us how it's going to pick up the A-47.
MR. SZUKIEWICZ: What we can do is I can summarize what we're planning on doing and then we can go into the MSRP program, give an overview for you of what we discussed today in the morning, and then specifically talk about each of the items that were identified and how we're going to be addressing them.
DR. LEWIS: On this question of whether the task action plan was unduly truncated, our quarrel was not with you. I don't know that we have any quarrel at all.
MR. SZUKIEWICZ: I understand, and we --
MR. BAER: Andy, before you go into these, I thought we were going to have Dale just give a brief overview of the MSR program because Dr. Lewis wasn't here this morning, and maybe before Dale does that, as you will see, this program is to try and pick up items that people, ACRS or the staff or anybody else, feels weren't directly covered and, so, perhaps we can put an item in that isn't in the program now that deals with your concerns on computer control and, you know, at least the benefit of this system is, as we discussed this morning, is going to be a living document that at least defines the concern, hopefully gets it down in writing, and then, once something is prioritized, there is a permanent record and written up and kept in the published form so that if additional information comes up later, you know, even if something is prioritized low, and I'm not pre-judging any of these issues, there is a written record of what the assumptions were, how it was prioritized, and so it can be reviewed again, and that's happened on a number of cases.
An event has occurred and someone said, well, maybe this wasn't such a low priority event, you know, now that it really happened. So, I just wanted to --
MR. THATCHER: Maybe you've already enough about the multiple system response program.
The concerns raised on a number of the issues including A-17, A-46 and A-47 as outlined on this slide have been raised, and our objective in this program is to provide a means or a mechanism to address these concerns.
The kind of concerns we're looking at are things that are not in the scope, issues that have been spun off from the other issues, and things I'll just call peripheral concerns with a particular issue.
As was stated, the objective is to develop the concern into an issue and then pass it on into the prioritization process. The existing process that we now have in place, and then, in that process, the issue would be evaluated based on its priority.
This program, the MSR program, was only initiated to identify and define these issues. Take the concerns from A-17, A-47, A-46 and a couple of other things, including environmental qualification and fire-related concerns, and to identify those concerns, put them into this program, into a document, summarize them and define them, and then, at that point, pass them on for prioritization.
So, that's basically the concept of the program. I can give you the status and then we'll decide whether we want to talk about the A-47 ones specifically.
As I already said, we reviewed the ACRS concerns on A-17, A-46, A-47, environmental qualifications, fire-related items. We have preliminary drafts which provide -- not to this subcommittee but to the auxiliary systems subcommittee. So, unfortunately, Dr. Lewis, you don't have a copy of it.
We tried not to leave any of the concerns out. That was our main objective. We wanted to get a long list and there's about thirty some items on that report.
We're redrafting those issues now to provide more definition, and we've recognized among those issues the complexity and inter-relationships. We talked a little bit about that this morning. You have some concerns that seismic event will cause a flood or something like that or a fire and then you have concerns that during that sequence of events, certain other control system problems may occur and so forth.
So, we're trying to figure out a way to combine some of those thirty some issues we have, potential issues we have, but we also want to avoid over-combining them such that we end up with an unmanageable program.
As I said, we're redrafting them now. We hope to put together the redrafts of the report and propose some final issues for prioritization. That's the objective.
And in that program, we have tried to capture the A-47 items that were raised in the ACRS letter that you're discussing at this meeting.
Now, I've got slides of what I've got in my program and Andy's got slides. Which one should go first?
MR. SZUKIEWICZ: Why don't you show those slides since they're a continuation of this morning's discussion, but specifically for A-47, and then I would just summarize with my slides?
MR. THATCHER: Whatever.
MR. CARROLL: You left out the part about once this document becomes more final, ACRS is going to have another shot at it.
MR. THATCHER: I did leave that out. Thank you.
The number up here in the corner -- let's see. You don't even have these slides, do you? No. The morning group had them. They were in that package, but -- okay.
All right. Let's do it from here. The number up in the right hand corner doesn't really mean anything. It's the section in the report. But there's about five items here from the A-47.
This is a particular one that -- this -- I don't even know if this was in the ACRS letter, was it?

MR. SZUKIEWICZ: Not this particular study.

MR. THATCHER: Yeah. Okay. This is the idea that we did a kind of a generic study and we used four plants and we decided some things based on that, but there's still a possibility on a plant specific basis, there's unrecognized dependencies between the plant protection system and the control system, such that you might lose your necessary protection systems.

As Andy said, he assumed that you had a minimum number of protection systems to protect you. This particular issue brings in question whether you really have the minimum number left.

MR. BAER: This wasn't in the ACRS letter. We feel there's a very key assumption for limitation of what we did, although we had looked at LERs and didn't find any experience that disagreed with this, we do feel it's worthwhile to go back and look at it because it is very key to what we assumed in A-47.

MR. SZUKIEWICZ: It was also a limitation that the ACRS questioned the validity. So, we included that.

MR. BAER: Yes. Verbally. It didn't appear in the letter. There have been a lot of comments during the previous presentations.

MR. THATCHER: The thing that we tried to do is give some examples as best we could in our report and also talk about existing requirements and their relationship to this particular area.

Now, admittedly, some of these cases -- well, at least in the control systems area, you'll probably see on every one of these slides some of these same existing requirements.
In other words, there are existing requirements, GDC-24, about separation of protection and control functions, and also IEEE-279, which is part of the regulation, does specifically address protection control system interaction.

We think that during a -- if this becomes an issue and defined -- as I said, may be combined with something else, but if this becomes an issue, these are the kinds of things that will have to be considered during the prioritization process. So, that's why they're discussed in the report.

The next particular item, I don't think this is ACRS item, this is NRC staff item, and they were raised in a I guess a letter by a staff member or something, and they have to do with two very specific scenarios, and as it turns out, at least on the first one, we're not going to take it any further because it's already proposed as a potential generic issue, GI-144. So, in our MSR program, we're going to have that identified as a potential issue as a way of tracing it, but we're not going to develop any more information because we're going to say it's already being prioritized as GI-144.

The second one, we do think, is a low probability event, but we still are going to try to define it for potential prioritization, but as we point out, it's low probability plus we feel that A-47, the A-47 program has provided some additional protection or improvements in that particular area of overfill.

DR. KERR: How long a probability would it have to be in order that you would ignore it?

MR. THATCHER: Prioritization? It would probably be on the order of ten to the minus six. Somewhere on the order of ten to six.

MR. BAER: I think if it's below ten to the minus six, they dismiss it as low.
If it's somewhat higher, they start trying to make a rough estimate of what it might cost to fix it and how much -- and I think if it gets well up above ten to the minus five, it's high priority no matter what it costs to fix it. We're not the prioritization people, but --

DR. KERR: I was trying to get some idea.

MR. BAER: -- I think that's roughly what they use.

MR. CARROLL: Lead me through this second one.

MR. SZUKIEWICZ: I don't know if I can. The second item on steam generator overflow?

MR. THATCHER: Andy, maybe you can help me out here?

MR. SZUKIEWICZ: Okay. You would have failures that could cause an overfill event in the steam system, and that, in turn, the postulation was that if you get water in the steam line, you could break the steam line, cause a blow down, and at the same time rupture -- well, in the case of the PWR, rupture the steam generator tubes and cause effluent to escape, and that's the safety concern.

One of the concerns for overfill is to cause damage in that kind of scenario.

Now, this particular concern was that you would blow down both steam generators. There would be some mechanism that would cause both steam generators.

MR. CARROLL: Well, is it more than one steam generator that could be ruptured?

MR. SZUKIEWICZ: It would be blowing down both steam generators which potentially, I suppose, could cause more than ten steam generators to go or the assumptions that we made could be aggravated more with the --

MR. CARROLL: But it's tubes and more than one steam generator? That's the postulation?

MR. SZUKIEWICZ: It's both steam lines, right.

MR. CARROLL: My problem is it's the steam generator tube rupture, singular, and I thought I understood what you said.

MR. SZUKIEWICZ: When we looked at this particular event and prioritized it and looked at the risk contribution, it was fairly low, but it wasn't low enough to ignore it. We made some conservative assumptions in this area.

This one, we feel, would be a lower priority yet. Minimal, but we are going to look at it.

MR. THATCHER: I think the next one starts getting into the ACRS -- some of the ACRS items in their letter. This first one, these are all in a 4.43 report, and we broke them out as A, B, C and D.

ACRS basically stated that they thought A-47 didn't do enough in the area of initiators, like earthquake, fire, flood and the loss, potential cascading losses during those events.

So, this particular item is an attempt to capture that particular concern. That -- it's possible -- we also have in this program a number of seismic concerns. It's possible that some of these -- the earthquake concerns may go under that particular program or under that particular issue, but that's the portion we're trying to work right now, is how to combine these issues or those concerns into issues to be prioritized.

So that's -- that was the first one. I think you'll recognize some of these other ones here from the letter. Effects of degradation or loss of control power and control air systems on controlled detection systems. The concern being that there's potentially common non-safety electric power systems or air systems that feed the whole plant complex, and what's, you know, potential failure that could affect both.

Again, we've got some existing requirements listed. A couple of other considerations, as an example, in this case, we thought that if this issue becomes part of the prioritization, that they ought to consider that GI-43 already is dealing with air systems.
So, we tried to provide as much information to the prioritization process as we can.

Let's see. I think there's two more. Effects of degradation on the HVAC equipment, I believe that came from the letter that we're referring to. Again, there's some feeling that non-safety-related HVAC equipment could fail through heat-up or whatever and cause multiple control system failures and unrecognized dependencies between protection systems and control systems, you could potentially lead to a serious event.

Again, some of the similar requirements, as I said. The requirements on protection and control are about the same, except that in this case, there is some requirements in the area of environmental qualification under 5049.

MR. BAER: I think this -- the distinction here is, I think, the multiple control systems and --

MR. THATCHER: Potential --

MR. BAER: -- potential protection systems, and the focus of what was done on USI A-47 was to look at -- this is one we'll call Michelson's, I think, concerns about what we did on A-47, was that we looked at a particular system, like feed water system, said okay, what are all the things that could make the feed water system go screwy.

We didn't at the same time say, hey, is there control systems that could cause other things to happen simultaneously, and this would be one mechanism that I guess could possibly lead to that. So, it's a -- although a seismic event, certainly fires, could also have the same end result.

MR. SZUKIEWICZ: Although we did a non-mechanistic failure of multiple failures, we did not really do a systematic event-related failure like this. So, we decided we will go back and look at specifically what a loss of ventilation would do.

MR. THATCHER: Now, the last one is basically the possibility that the assumption in A-47 was wrong.
That is that a non-safety grade control system could cause failure of multiple trains of protection systems.

That was specifically what 4.43D talks about and, again, it's kind of unrecognized dependencies between the non-safety-related control systems and the safety-related protection systems. Somehow we could get some kind of unanticipated interaction.

So, those are the items in the MSRP program that have come out of the A-47 program.

DR. KERR: Now, implicit in this, I assume, is the recognition that safety systems are not always worked -- as they also have a failure rate. So, the more likely is the failure rate of the control system, the more likely is that when it fails, the safety system will also not be operating.

That is something about which there should be some concern, it would seem to me.

MR. BAER: I think --

DR. KERR: It's not just a question of a control system failing and failing the safety system, but, rather, is there likely to be a period in which both are inoperable?

MR. BAER: I think the prioritization would have to look at that.

DR. KERR: I don't know what -- I don't know the quantitative nature of the problem, but it certainly is a possibility.

MR. BAER: Yes, and that was something that was not looked at in USI A-47. The approach was taken very similar to the allowing a plant to operate under a limiting condition of operation with protection system operating for a certain period of time.

MR. THATCHER: The prioritization process is typically, you know, very event-tree oriented, and as you go down there, you're putting in the probabilities and so forth. So, I would imagine that the probability of the protection system isn't there, it would show up in that scheme.
That's really all I had on MSRs as relates to A-47. I don't know. Andy, you had more on the specific assumptions?

MR. SZUKIEWICZ: Just to identify the specific areas that you identified in the letter.

(Pause)

MR. SZUKIEWICZ: Specifically, in the April 12th letter, the ACRS recommended a number of events that needed to be addressed, and Dale mentioned how we were going to address them in the MSRP program. I would just like to briefly summarize for you, take the issues that you identified, and in terms of earthquakes, we mentioned that the A-47 scope evaluated a limited number of multiple control system failures to study the effects from the potential common mode failures.

We did not -- we just did a non-mechanistic failure. We never did a seismic. We never evaluated the adequacy of control systems during a seismic event. So, we agreed that we would go back and consider the ACRS comments on control system failures and as we said, we will be describing this in the prioritization program or in the MSRP program for prioritization.

In the letter, we mentioned that when we will look at the control system failures, we would limit the study only to seismic events up to an SSE but would not include beyond the design base events.

In this event this morning, we identified that there is a potential another issue that we have identified and that is problems beyond the design base event. But for the control system failures, we're only going to do up to the SSE.

MR. MICHELSON: Now, why, under the same program, in one case, you're only going to look at SSE, in the other case, you're going to look beyond the SSE?

MR. SZUKIEWICZ: Well, right now, those programs could be separate.

MR. MICHELSON: Well, the thing that bothers me fundamentally is when an earthquake occurs, that's the initiating event, and I'd like to know if the plant can safely shut down. I got to look both at non-safety and safety for that same earthquake.

Now, if it happens to be a three SSE, that's what I got to look at for all systems.

MR. BAER: Okay, I think many of these issues that we said we'd look at under USI A-47 or because of the USI A-47 are a sub-set of a broader issue that we're going to be looking at under other programs, and I kind of suspect we may look at the broader issue first.

The concern I have and that other people have when we were preparing response to the committee's letter was, here, we're talking about non-safety grade system. The ACRS comment was rather terse. We were unclear and we thought, gee, is there any -- is it realistic to try and come up with some sort of a requirement where we're saying control systems have to withstand the worse event than we're currently requiring in the protection systems.

So, in the context of A-47, we're saying, well, in the context of A-47, we'll look merely up to SSE. It is, though, you know, going to be a number of different -- as we discussed this morning, the number of situations or number of these concerns really deal with multiple control system failures due to seismic events --

MR. MICHELSON: Just for clarification. At such point in time as you think they're looking at the effect of a two SSE on a plant, you will look at two SSE on the control system at that point in time?

MR. BAER: Yes.

MR. MICHELSON: Right now, you just say we want to cut off at one SSE, that's fine, too.

MR. BAER: For this purpose.

MR. MICHELSON: For this purpose. Okay. All of us agree as to what you ultimately are looking at.

DR. LEWIS: Just for clarity.
When you say you're going to look at a two SSE at that time, what does "look at" mean?

MR. BAER: Okay. What we said is the broad concern of seismic event beyond the SSE, we will define for the people that prioritize issues and have them prioritize it.

Now, I made a guess in going through the prioritization, although we're going to have to be working closely with them on these issues to help define them, I made a guess this morning that prioritization often -- well, one of its goals is to avoid duplicate issues, and since there's a large effort underway, started anyhow, on severe accidents, including external effects, I'm guessing that the prioritization might just say, hey, this is going to be covered under an existing program on severe events.

DR. LEWIS: Who does the prioritization?

MR. BAER: What?

DR. LEWIS: Who does the prioritization?

MR. BAER: It's in Tom King's branch.

MR. MICHELSON: There isn't an inference that all external events are severe accidents, is there?

MR. BAER: I'm not familiar enough with what they are doing, other than I know they have a high level steering group and two or three working groups which they tag --

MR. MICHELSON: Certainly in the past, I mean by 1972, we didn't consider a pipe break outside a primary containment to be a severe accident. It was just an accident we looked at, and we looked at it with the accident kind of sets of rules.

We're not going to now go back and say those were all severe accidents or only examine under the severe accident policy, are we?

MR. BAER: No, no. I think these are things beyond the current --

MR. MICHELSON: External events, if they exceed the design basis for the plant, might be considered severe accidents, though, if they're within the design basis, if a pipe breaks and all that.
MR. BAER: Oh, I'm sorry. Yes.

MR. MICHELSON: But they're still multiple system response problems for those kinds of events.

MR. BAER: Yes.

MR. MICHELSON: But they're not severe accidents. They can lead more likely to severe accidents than some of the other things we look at.

DR. KERR: What I heard him saying was that they will be examined under the severe accident program.

MR. MICHELSON: I hope they are not because that has a different set of rules for examining things on those design basis accident considerations.

DR. KERR: I think that's what he's saying.

MR. MICHELSON: That's what I thought he was, too.

MR. BAER: I'm making a limited guess, and it's just a guess, that on seismic events beyond the design basis, the prioritization people will say, hey, there's a big group studying that already.

MR. MICHELSON: That's great.

MR. BAER: Okay.

MR. MICHELSON: Just make sure that severe accident considerations are kept out of the design basis considerations, and our ability to shut down under design basis conditions, considering system interaction effects. That's the part you haven't looked at, that's the part that's going to ultimately have to be looked at under the MSR program.

I'm not talking beyond the design basis at all. We're just talking about making sure to consider all the things that happen when the earth shakes or a fire burns or whatever or a flood from a pipe break. Those should not be ever examined under the severe accident policy or program.

DR. KERR: This is not -- I'm not trying to debate the issue, but I personally think it's a mistake to separate as we do the design basis accident and the non-design basis accident area. What we're interested in is risk to the public, and that risk doesn't know whether it's based on a design basis accident or not.
MR. MICHELSON: You use the same rules. Bill, if you'd use the same rules, it's a perfectly good thing to examine the full spectrum, but if you start shifting the rules, make sure the shift occurs in a definitive way at a definitive point.

DR. KERR: I just don't want to be in the position of continuing to endorse the dichotomy between the two reasonably exists. I don't think it's real.

MR. MICHELSON: No. I would agree, but this -- that's a different problem and if they mix it up now, you're going to get -- these events that are called external examined as severe accidents with a different set of rules. You've got goals that you're trying to strive for and so forth for severe accidents.

DR. LEWIS: This is an example of a whole class of questions which really aren't these guys' -- this is one example of a whole batch of questions that really aren't -- we can't lean on these guys on them, that have to do with the coherence of the whole program and just who puts it together and who has the responsibility, and to tell me the Commission does that doesn't help a great deal. But we won't lay that one on you.

MR. SZUKIEWICZ: The next issue that you specifically identified in your letter was fires. In A-47, we did not include them. This was one of the limitations that we identified.

We mentioned this morning and again reiterating that we agreed to consider the concerns for control systems subjected to seismically-induced fires and randomly-induced fires.

When -- and, again, this issue is what we consider maybe a part of a more broader issue, that we identified in the systems response -- multiple systems response program, and it may be sort of subsumed in that area.
Specifically, the area of multiple simultaneous failures due to fire effects was an MSRP-identified issue that we discussed this morning.

We said in the letter that we would for the A-47, that we would limit -- the study would be limited mainly to fires and only one zone at a time. We would look at multiple fire zones if initiated by earthquakes, and we would use the seismic experience data developed by A-46 to determine the multiple zones.

MR. MICHELSON: When looking at a single zone, are you going to look at the migration of a fire, smoke and heat out of the zone?

MR. SZUKIEWICZ: We plan to include that, right, and even though you did not address it in the specific letter, in the MSRP program, it is included. It is included in the program.

MR. MICHELSON: The only problem is the fire mitigation process dumps large amounts of water on the floor and so forth, some of which -- well, the drains may become clogged by the fire debris and whatever, and the water begins to become a flood concern at the time of the fire. That has already --

MR. BAER: That was covered in A-47.

MR. SZUKIEWICZ: Also, we provided a limitation to say damage to safety grade systems would only be considered only in cases where multiple fires and multiple fire zones were considered, and we identified that we will, where interaction vulnerabilities, we will consider the Appendix R implementation by the licensees.

Again, this is an issue that is being described now for prioritization.

MR. MICHELSON: I guess you're tying in very tightly with that fire risk scoping study results and deliberations, whatever. They'll feed back to you, I guess, or maybe it won't feed back to you.

MR. THATCHER: They're

MR. MICHELSON: I thought you had picked up the
letters that we had written in the past in which we mentioned this as one of the aspects of the problem because we have before talked about effects of high temperature on -- maybe you just didn't read the right letter because your letter on control system, we picked this up in great deal.

MR. BAER: George, is that part of one of the identified issues in NSR?

MR. MURPHY: I will have to go back.

MR. THATCHER: I thought it was.

MR. MURPHY: I think it's evaluation of all failure modes through the environmental stresses.

DR. LEWIS: I think we're rambling at this point and --

MR. THATCHER: I just want to point out that this computer -- the staff is working in that area. We just wrote a reg guide on programmable computer software.

DR. LEWIS: You did?

MR. THATCHER: Yes.

DR. LEWIS: Can we see it?

MR. THATCHER: Do you have access to the reg guides? You can see it?

DR. LEWIS: Of course we have access.

(Whereupon, at 4:35 p.m., the subcommittee was adjourned.)

CERTIFICATE

This is to certify that the attached proceedings before the United States Nuclear Regulatory Commission in the matter of:

Name: REGULATORY POLICIES AND PRACTICES SUBCOMMITTEE MEETING

Docket Number:

Place: Washington, D.C.

Date: August 10, 1988

were held as herein appears, and that this is the original transcript thereof for the file of the United States Nuclear Regulatory Commission taken stenographically by me and, thereafter reduced to typewriting by me or under the direction of the court reporting company, and that the transcript is a true and accurate record of the foregoing proceedings.

/S/
(Signature typed)
Joan Rose
Official Reporter
Heritage Reporting Corporation
UNRESOLVED SAFETY ISSUE (USI) TASK A-47
"SAFETY IMPLICATIONS OF CONTROL SYSTEMS"

PRESENTATION TO THE ACRS SUBCOMMITTEE MEETING ON REGULATORY POLICIES AND PRACTICES

AUGUST 10, 1988

USI A-47 STATUS

o PROPOSED RESOLUTION ISSUED FOR PUBLIC COMMENT (NUREGs 1217 AND 1218): MAY 1988
o ONE SET OF INDUSTRY COMMENTS HAVE BEEN PROVIDED
o ACRS AND CRGR REVIEW OF THE A-47 FINAL RESOLUTION PACKAGE: JAN 1989
o ISSUE FINAL RESOLUTION: APRIL 1989

SUMMARY OF PROPOSED RESOLUTION

o LIMITED NUMBER OF REQUIREMENTS
o PROVIDE OVERFILL PROTECTION (ALL PLANTS)
o PROVIDE PERIODIC VERIFICATION OF OVERFILL PROTECTION (TECH SPECS)
o PROVIDE DIVERSE AUTOMATIC INITIATION OF EFW (OCONEE ONLY)
o IMPROVE EMERGENCY PROCEDURES FOR SBLOCA (CE PLANTS WITH LOW HEAD PUMPS)

ACRS COMMENTS REGARDING USI A-47 (ACRS LETTER APRIL 12, 1988)

o SCOPE "UNDULY" TRUNCATED
o COMMON MODE FAILURES NOT ADDRESSED IN SUFFICIENT DETAIL

STAFF POSITION (V. STELLO LETTER TO W. KERR - MAY 20, 1988)

o WORK SCOPE AND TASK ACTIVITIES WERE CONDUCTED IN ACCORDANCE WITH THE APPROVED TASK ACTION PLAN
o SCOPE CHANGES WERE IDENTIFIED IN SUBSEQUENT REVISIONS TO THE TAP AND APPROVED BY THE STAFF
o TAP REVISIONS WERE DESCRIBED TO ACRS - MARCH 24, 1988
o NO ADDITIONAL ACTIVITIES TO REVIEW MORE CONTROL SYSTEM FAILURE SCENARIOS ARE PLANNED AS PART OF USI A-47
o ACRS CONCERNS REGARDING COMMON MODE CONTROL SYSTEM FAILURES ARE CURRENTLY BEING DEVELOPED FOR PRIORITIZATION IN MSRP

MULTIPLE SYSTEM RESPONSE (MSR) PROGRAM

CONCERNS ARE RAISED WHICH ARE NOT COVERED BY EXISTING ISSUES
- NOT IN CURRENT SCOPE
- SPIN-OFF FROM EXISTING ISSUES
- PERIPHERAL CONCERNS

NEED A MECHANISM TO ADDRESS THESE TYPE CONCERNS
- DEVELOP AS AN ISSUE
- PRIORITIZE
- EVALUATE AS GENERIC ISSUE ACCORDING TO PRIORITY

MSR PROGRAM INITIATED TO IDENTIFY AND DEFINE

CONCERNS TO DATE HAVE COME FROM USI A-17, A-46, A-47

MSRP STATUS

REVIEWED ACRS CONCERNS ON:
- A-17, A-46, A-47
- ENVIRONMENTAL QUALIFICATION
- FIRE RESEARCH

PRELIMINARY DRAFTS INCLUDED IDENTIFICATION OF ISSUES (MAY 29, 1988 DRAFT) (TRIED NOT TO LEAVE ANY CONCERNS OUT)

REDRAFT IN PROGRESS WHICH IS FURTHER DEFINING THE ISSUES

RECOGNIZE COMPLEXITY AND INTERRELATIONSHIPS

OVERLAP, NEED SOME COMBINATION (MAINTAIN TRACEABILITY)

OVER COMBINATION NEEDS TO BE AVOIDED

REDRAFT TO PROPOSE FINAL ISSUES FOR PRIORITIZATION

RESOLUTION OF ACRS RECOMMENDATIONS

o EARTHQUAKES:
- A-47 SCOPE EVALUATED A LIMITED NUMBER OF MULTIPLE CONTROL SYSTEM FAILURES TO STUDY EFFECTS RESULTING FROM POTENTIAL COMMON MODE FAILURES
- STAFF AGREED TO CONSIDER ACRS CONCERNS FOR CONTROL SYSTEMS SUBJECTED TO SEISMIC EVENTS
- ACRS CONCERN WILL BE DESCRIBED FOR PRIORITIZATION IN MSRP
- THE DEVELOPMENT OF THE CONCERNS WILL BE LIMITED TO SSE's
- ACRS CONCERN MAY BE INCLUDED AS A SUBSET OF BROADER MSRP ISSUE (E.G., SEISMICALLY INDUCED RELAY CHATTER OR MULTIPLE FAILURES IN NON-SAFETY GRADE CONTROL SYSTEMS)

RESOLUTION OF ACRS RECOMMENDATIONS (CONT'D)

o FIRES:
- STAFF AGREED TO CONSIDER ACRS CONCERNS FOR CONTROL SYSTEMS SUBJECTED TO SEISMICALLY INDUCED FIRES AND RANDOMLY INDUCED FIRES
- THE DEVELOPMENT OF THE CONCERN WILL BE LIMITED MAINLY TO FIRES IN ONLY ONE ZONE AT A TIME
- MULTIPLE FIRE ZONES WILL ONLY BE CONSIDERED IF INITIATED BY EARTHQUAKES. SEISMIC EXPERIENCE DATA DEVELOPED BY USI A-46 WILL BE USED AS THE BASIS FOR MULTIPLE FIRE ZONES
- DAMAGE TO SAFETY-GRADE PROTECTION SYSTEMS WILL BE CONSIDERED ONLY IN CASES WHERE MULTIPLE FIRES IN MULTIPLE FIRE ZONES ARE CONSIDERED
- INTERACTION VULNERABILITIES WILL CONSIDER APPENDIX R IMPLEMENTATION BY LICENSEES
- ACRS CONCERNS WILL BE DESCRIBED FOR PRIORITIZATION IN MSRP.
- ACRS CONCERNS MAY BE INCLUDED AS A SUBSET OF BROADER MSRP ISSUE (E.G., MULTIPLE SIMULTANEOUS FAILURES DUE TO FIRE EFFECTS)

RESOLUTION OF ACRS RECOMMENDATIONS (CONT'D)

o HIGH OR MODERATE ENERGY PIPE BREAKS
- STAFF AGREED TO CONSIDER ACRS CONCERNS FOR CONTROL SYSTEMS SUBJECTED TO HIGH OR MODERATE ENERGY PIPE BREAKS
- ACRS CONCERN WILL BE DESCRIBED FOR PRIORITIZATION IN MSRP
- THE DEVELOPMENT OF THE ACRS CONCERN WILL BE LIMITED TO SINGLE PIPE BREAKS ONLY
- ACRS CONCERN MAY BE INCLUDED AS PART OF A BROADER MSRP ISSUE (E.G., EVALUATION OF FAILURE MODES DUE TO ENVIRONMENTAL STRESS)

o DEGRADED CONTROL POWER
- A-47 EVALUATED ONLY LOSS OF POWER
- STAFF AGREED TO CONSIDER ACRS CONCERNS FOR CONTROL SYSTEMS SUBJECTED TO VOLTAGE DEGRADATION OF ELECTRIC POWER
- AC AND DC POWER SUPPLY DEGRADATION WILL BE CONSIDERED
- ACRS CONCERN WILL BE DESCRIBED FOR PRIORITIZATION IN MSRP
- ACRS CONCERN MAY BE INCLUDED AS A SEPARATE MSRP ISSUE (E.G., FAILURE MODES OTHER THAN FAIL TO FUNCTION)

RESOLUTION OF ACRS RECOMMENDATIONS (CONT'D)

o DEGRADED AIR SYSTEMS
- ONLY COMPLETE LOSS OF INSTRUMENT AIR SYSTEMS WERE EVALUATED IN USI A-47 (I.E., DEGRADATION OF INSTRUMENT AIR SYSTEMS WAS NOT INCLUDED IN SCOPE)
- GENERIC ISSUE 43, "AIR SUPPLY SYSTEMS RELIABILITY" IS EVALUATING THE EFFECTS OF LOSS, DEGRADATION AND EXCESSIVE AIR SUPPLY SYSTEMS ON PLANT SAFETY
- ACRS CONCERN MAY BE INCLUDED AS PART OF A BROADER MSRP ISSUE (E.G., FAILURE MODES OTHER THAN FAIL TO FUNCTION)

o LOSS OF NON-SAFETY-GRADE HVAC SYSTEMS
- STAFF AGREED TO CONSIDER ACRS CONCERNS FOR CONTROL SYSTEMS SUBJECTED TO A LOSS OF HVAC SYSTEMS
- ACRS CONCERNS WILL BE DESCRIBED FOR PRIORITIZATION IN MSRP
- ACRS CONCERNS MAY BE INCLUDED AS A SUBSET OF A BROADER MSRP ISSUE (E.G., EVALUATION OF FAILURE MODES DUE TO ENVIRONMENTAL STRESS)

RESOLUTION OF ACRS RECOMMENDATIONS (CONT'D)

o EFFECTS OF NON-SAFETY SYSTEMS ON REDUNDANT SAFETY GRADE PROTECTION SYSTEMS (NOT SPECIFICALLY IDENTIFIED IN THE ACRS LETTER OF APRIL 12, 1988)
- A-47 ASSUMED AT LEAST ONE CHANNEL OF PROTECTION WILL BE AVAILABLE FOR TRANSIENT MITIGATION
- THIS ISSUE TO BE DESCRIBED FOR PRIORITIZATION IN MSRP (E.G., PLANT-SPECIFIC CONTROL SYSTEM/SAFETY SYSTEM DEPENDENCIES)

USI A-47 SCOPE (TASK ACCOMPLISHMENT)

| TASK NO. | EFFORT DESCRIBED IN TASK ACTION PLAN | WORK ACCOMPLISHED |
|---|---|---|
| 1 | IDENTIFY CONTROL SYSTEMS WHOSE FAILURE CAN LEAD TO SIGNIFICANT PRIMARY SYSTEM TRANSIENTS | SAME AS TAP |
| | (1) IDENTIFY CANDIDATE SYSTEMS USING TOOLS SUCH AS FMEA, | SAME AS TAP |
| | USE NON-MECHANISTIC "WORST-CASE" FAILURES | SAME AS TAP |
| | (2) EVALUATE INDEPENDENT FAILURES AND FAILURES CONCURRENT WITH ACCIDENTS OR TRANSIENTS | SAME AS TAP |
| | (3) CONDUCT 2-AT-A-TIME INDEPENDENT FAILURES OF CONTROL SYSTEMS IF CONSEQUENCES ARE SIGNIFICANT | SAME AS TAP |
| | (4) CONDUCT SELECTED NON-MECHANISTIC MULTIPLE FAILURES OF MAJOR CONTROL SYSTEMS TO ASSESS COMMON-MODE FAILURE | TASK ADDED IN 1984 REVISION |
| | (5) REVIEW LERs, IE BULLETINS, ETC. | SAME AS TAP |
| | (6) SABOTAGE NOT INCLUDED IN SCOPE | 1984 CLARIFICATION |
| | (7) SYSTEMATIC INVESTIGATION OF ALL SEISMICALLY OR ENVIRONMENTALLY INDUCED FAILURES NOT INCLUDED IN SCOPE | 1984 CLARIFICATION |
| | (8) OPERATOR ERRORS THAT COULD CONTRIBUTE TO ADDITIONAL CONTROL FAILURES OVER AND ABOVE MULTIPLE FAILURES NOT CONSIDERED | SAME AS TAP |
| | (9) ONE TRAIN OF EXISTING REDUNDANT PROTECTION SYSTEMS IS ASSUMED TO BE AVAILABLE | 1984 CLARIFICATION |
| 2 | DEVELOP AND CONDUCT COMPUTER SIMULATION STUDIES ON 4 PLANT DESIGNS | SAME AS TAP |
| 3 | IDENTIFY FAILURE MODES OF SIGNIFICANT CONTROL SYSTEMS | SAME AS TAP |
| 4 | EVALUATE EFFECTS OF LOSS OF POWER SUPPLY TO CONTROL SYSTEMS. | SAME AS TAP |
| | (1) EVALUATE MULTIPLE FAILURES AS A RESULT OF COMMON EVENT (LOSS OF POWER - ELECTRIC AND AIR SYSTEMS - CONSIDER LICENSEES RESPONSES TO IEB 79-27 | SAME AS TAP |
| | (2) IDENTIFY CONTROL SYSTEMS HAVING A SIGNIFICANT SAFETY IMPACT DUE TO POWER SUPPLY FAILURE. | SAME AS TAP |
| | (3) DEVELOP CRITERIA TO IMPROVE RELIABILITY OF CONTROL SYSTEMS (IF NECESSARY) | CONCLUDED NOT TO BE NECESSARY |
| 5 | DETERMINE THE NEED FOR CONTROL OR PROTECTION SYSTEMS. | ONLY LIMITED IMPROVEMENTS JUSTIFIED BY COST/BENEFIT |
| 6 | PROVIDE CRITERIA FOR EVALUATION OF CONTROL SYSTEMS (IF NECESSARY) | CONCLUDED NOT TO BE NECESSARY |
| 7 | IDENTIFY CONTROL SYSTEMS THAT COULD LEAD TO OVERFILL OR OVERCOOLING TRANSIENTS. | |
| | (1) OVERFILL EVENTS | SAME AS TAP + |
| | (2) REACTOR OVERCOOLING EVENTS | OVERPRESSURE, OVERHEAT & REACTIVITY TRANSIENTS |
| | (3) IDENTIFY LESSONS LEARNED FROM PAST CONTROL SYSTEM FAILURES | |
| 8 | EVALUATE THE POTENTIAL FOR WATER HAMMER IN THE STEAM LINES AS A RESULT OF A STEAM GENERATOR OR REACTOR VESSEL OVERFILL. | TASK ADDED IN 1985 REVISION |
| 9 | PERFORM RISK ANALYSIS AND COST/BENEFIT ANALYSIS ON SIGNIFICANT CONTROL SYSTEMS | TASK ADDED IN 1985 REVISION |
| | (1) PERFORM VALUE/IMPACT ANALYSIS ON 4 PROPOSED DESIGN MODIFICATIONS | |

INTRODUCTORY STATEMENT BY THE REGULATORY POLICIES AND PRACTICES SUBCOMMITTEE - CHAIRMAN REPORT

AUGUST 10, 1988

The meeting will now come to order. This is a meeting of the Advisory Committee on Reactor Safeguards Subcommittee on Regulatory Policies and Practices. I am H. Lewis, Subcommittee Chairman. The ACRS Members in attendance are: J. Carroll, W. Kerr, C. Michelson, C. Siess and C. Wylie. Also in attendance is ACRS Consultant: D. Okrent. The purpose of this meeting is to review the NRC Staff's response to the ACRS comments on USI A-47, "Safety Implications of Control Systems."
Mr. Gary Quittschreiber is the cognizant ACRS Staff Member for this meeting. The rules for participation in today's meeting have been announced as part of the notice of this meeting previously published in the Federal Register on July 27, 1988. A transcript is being kept for the open portions of the meeting and will be made available as stated in the Federal Register Notice. It is requested that each speaker first identify himself or herself and speak d with sufficient clarity and volume so that he or she can be readily j heard. We have received no written comments or requests to make oral statements from members of the public. 1. Chairman's Comments 2. Executiv1 Session 1 We will proceed with the meeting and I call upon Bob Baer to begin. -- -}}