ML20204E368

Summary of ACRS Subcommittee on Safety Philosophy Technology & Criteria 860507 Meeting in Washington, DC Re Continuing Review of USI A-17, Sys Interactions for Nuclear Power Plants
ML20204E368
Person / Time
Issue date: 05/15/1986
From:
Advisory Committee on Reactor Safeguards
To:
Advisory Committee on Reactor Safeguards
References
REF-GTECI-A-17, REF-GTECI-SY, TASK-A-17, TASK-OR ACRS-2419, NUDOCS 8608010012


Text

DATE ISSUED: 5/15/86

ACRS MEETING MINUTES ON THE SAFETY PHILOSOPHY, TECHNOLOGY AND CRITERIA SUBCOMMITTEE
MAY 7, 1986
WASHINGTON, DC

Purpose

The ACRS Subcommittee on Safety Philosophy, Technology and Criteria met on May 7, 1986 at 1717 H Street, NW, Washington, DC. The purpose of this meeting was to continue the review of the NRC Staff proposed resolution for USI A-17, "Systems Interactions for Nuclear Power Plants." ACRS action on the matter was planned for the May 8-10, 1986 ACRS meeting. The Subcommittee heard presentations from representatives of the NRR Staff. The meeting began at 1:00 p.m., was adjourned at approximately 5:15 p.m., and was held entirely in open session. The principal attendees were as follows:

ACRS: D. Okrent, Subcommittee Chairman; C. Wylie, Member; G. Reed, Member; W. Kerr, Member; J. Ebersole, Member; C. Michelson, Member; R. Savio, ACRS Staff

NRC Staff: D. Thatcher; B. Bosnak; W. LeFave

Highlights

1. The NRC Staff discussed their proposed resolution for USI A-17.

The initial proposal was described in an August 13, 1985 document which was distributed within NRR for comment. The document was subsequently modified and sent to the CRGR for review. The NRC Staff met with the CRGR on April 10, 1986 to discuss the CRGR comments and is now working on a revised proposal. The action sought from the CRGR was approval for issuance for public comment.

Discussion and ACRS comment on USI A-17 is scheduled for the May 8-10, 1986 ACRS meeting. ACRS comments are to be considered by the NRC Staff and the CRGR prior to issuance for public comment.

2. The Generic Issues Branch (GIB) Staff's initial proposal for the resolution was described in an August 13, 1985 draft paper which was distributed within NRR for comment. This proposal contained:

(a) A requirement for performing a plant walk-through and followup evaluation of certain spatially-coupled systems interactions which were associated with internal floods and seismic events for all Licensees.

(b) The issuance of a Staff Generic Letter which would summarize USI A-17 insights on functional systems interaction for the individual licensees' information, with the emphasis on electrical and support systems.

(c) The issuance of a new SRP section to address spatially-coupled systems interactions for future plants.

(d) A recommendation that the USI A-17 insights be incorporated in future plant specific PRA's.

The NRC Staff estimated that the cost of the studies associated with the recommended investigation for spatially-coupled system interactions would range between $0.5M and $1M per plant and that the cost of the subsequent evaluation of the systems interaction and/or plant modification could run as high as $3M for an older plant. In addition, the NRC Staff concluded that the safety benefit associated with fixing the functional systems interaction problems identified in USI A-17 was substantially less than that associated with fixing the identified spatially-coupled problems.

3. The August 13, 1985 GIB proposal was significantly modified after the NRR office comment. This proposal was subsequently reviewed by the CRGR on April 10, 1986. In this proposal NRC recommended the following actions:

(1) The NRC would disseminate, via a Generic Letter, the insights gained in their evaluation of USI A-17 without any specific recommendation for Utility action. The individual Utilities would be left to evaluate this information and take action as appropriate. INPO and IE would followup on the Utility actions during routine audits and make judgements as to the adequacy of the Utility actions.

(2) A limited search for seismic system interactions would be incorporated into the plant walkdowns which are expected to be performed as part of the resolution of USI A-46 ("Seismic Qualification of Equipment in Operating Plants").

(3) The internal flooding evaluation work proposed by INPO in their SOER 85-5 ("Internal Flooding of Power Plant Buildings," December 30, 1985) would be relied on to deal with flooding induced system interactions.

(4) The NRC work being carried out on I&C power supplies should be coordinated into a single program and systems interactions involving these systems should be dealt with in the context of evaluating the adequacy of these systems.

(5) A system interactions evaluation would be performed as part of the NRC Policy on Severe Accident review and as part of future plant specific PRA's.

(6) The following guidance would be added to the SRP and would apply to future plants:

"Where a single failure can cause both an event requiring plant shutdown and can also prevent proper action of the plant safety related equipment designed to protect the plant; the remaining safety related equipment should be capable of mitigating the event (transient or accident) even when degraded by an additional single random failure.

The additional random single failure would not have to include unlikely events such as passive mechanical failures if the initiating failure is a passive mechanical failure (i.e., a pipe break). However, the mitigation equipment considered would include that equipment necessary for longer term decay heat removal."

This, as stated, would drive designs toward three train systems.

The CRGR reviewed this proposal and commented on it on April 10, 1986. The NRR intent in this new proposal was that no new requirements be established by the resolution of USI A-17. The CRGR recommended that this intent be made clearer and that the actions to be completed under USI A-46, the INPO internal flooding program, and NRC followup to the Generic Letter and the INPO program be better identified in the proposed resolution to USI A-17. The guidance proposed for future plants under Item 6 above is being reevaluated and is not likely to be recommended, if at all, for any systems other than electrical power systems. Additional information will be developed as to how actions on future PRA's and actions within the Severe Accident Program are to contribute to the resolution of USI A-17.

The NRC Staff is revising their proposal to accommodate the CRGR recommendations and will probably appear before the CRGR again in mid-June 1986.

4. Mr. Ebersole and Mr. Michelson submitted written comments on the NRC Staff proposed solution to USI A-17. Copies are included as Attachment A. In summary, Mr. Ebersole stated that:

(a) The proposed resolution does not recognize the scope and importance of the systems interaction problem.

(b) There is a need for establishing organizational groups with specific responsibility for addressing system interaction and coordinating the work of other design/review groups in dealing with systems interactions.

Mr. Michelson in summary stated:

(a) The scope of the proposed resolution is limited and provides only very limited guidance.

(b) The risk contribution of systems interactions generated by a common cause such as fire, pipe rupture, and earthquake needs to be evaluated and dealt with effectively.

(c) The nature of initiating events, the potential for affecting multiple trains and the implications of independent single failures needs to be more carefully considered.

5. There was some discussion as to the bases under which any requirements made under USI A-17 might be considered a backfit. The NRC Staff is viewing their actions under USI A-17 as a NRC consideration of a reinterpretation of existing requirements. Dr. Okrent stated that he believed that the NRC Staff position needs a more careful legal evaluation and that actions should be taken to bring this about.

6. There was some discussion as to the effects of subjecting plants to environments which exceed the design basis. It was noted that equipment which was not safety grade is often not subjected to qualification testing and could, if subjected to adverse environments, cause systems interactions. In addition, safety equipment is sometimes not tested for all aspects of accident conditions. (For example, valves closing against blowdown loads, or purge valves closing under LOCA conditions.) The effect of partial failures (for example, low air pressure or voltage rather than the total loss of air pressure or electrical power) is generally not considered. Mr. Michelson stated that these effects need to be carefully considered.

NOTE: Additional meeting details can be obtained from a transcript of this meeting available in the NRC Public Document Room, 1717 H Street, NW, Washington, DC, or can be purchased from ACE-Federal Reporters, 444 North Capitol Street, Washington, DC 20001, (202) 347-3700.

4/24/86

To: David Okrent
From:
Subject: CONCERN REGARDING A-17 RESOLUTION

STATEMENT OF CONCERN

It would appear that the resolution of Unresolved Safety Issue A-17 ("System Interactions in Nuclear Power Plants") should, in part, provide guidance concerning to what extent a licensee should identify and analyze multiple adverse system interaction (ASI) sequences of the types associated with major common cause event situations such as fire, pipe rupture or earthquake. The resolution provides no new guidance in this regard and the existing guidance is unclear.

It may be difficult to provide, but the issue should not be considered resolved until the needed guidance exists. If the situation defies understanding then we should say so and not concoct a resolution.

From the viewpoint of safety significance, ASI sequences which are generated by a common cause such as fire, pipe rupture or earthquake should be of major interest since they could exacerbate an already hazardous situation and are likely to be numerous and appear in an unpredictable time sequence. Their contribution to risk under such circumstances needs to be known if they are to be dealt with effectively.

DISCUSSION

Assurance that a nuclear plant unit can achieve a timely safe shutdown condition following a credible initiating event such as fire, pipe rupture or earthquake should take account of the ultimate effect of all adverse system interaction (ASI) sequences attributable to the initiating event. Clearly, mitigation of the initiating event must be accomplished by such equipment as is still available in a timely fashion after first accounting for (1) disabling effects of the initiating event and its subsequent development, (2) all credible sequences of adverse system interactions and their consequences, and (3) perhaps an arbitrary single failure. If the design of a two train plant assures that the initiating event cannot propagate beyond the involved train and if all credible adverse system interaction sequences and their consequences are also limited to the same train, then adequate mitigation is fully assured unless an arbitrary single failure is postulated in the opposite train of mitigating equipment. Of course, such a single failure could result in a partial or total loss of ability to mitigate the initiating event. For that case, it would take a three train separated arrangement to assure mitigation.

From the risk viewpoint, it is necessary to understand how an initiating event occurs, develops and is ultimately mitigated. The potential contribution of ASIs to risk cannot be fully determined until such sequences have been adequately defined and included in the event model. Until this is done, it is difficult to tell what the safety significance of the ASIs might be. Present-day PRAs are generally skimpy in their treatment of ASI sequences.

In the real world, most nuclear plants utilize a basic two train arrangement with varying amounts of spatial separation and physical barrier construction between trains to assure that the development of an initiating event in one train cannot propagate to required mitigating equipment located in the opposite train. Since the separation or barrier is generally not fully effective, an analysis is performed to determine the extent of adverse direct exposure of the required mitigating equipment to the initiating event, and the equipment is qualified accordingly. Of course, certain types of arbitrary single failures cannot be accommodated.

What is not well understood is how to account for numerous ASI sequences attributable to a common cause initiating event or its subsequent propagation and for which the spatial separation or physical barriers may not be effective. In some way, these ASIs must be accounted for if the assurance of appropriate event mitigation is to be credible.

FIRE EVENTS

For a given initiating event such as a fire at a specific plant location, there will be a zone of influence of the event as defined by the maximum extent of direct propagation of heat, smoke and flame, unassisted by any system interaction effects. In addition, there will be a defined set of equipment and services needed as a minimum to mitigate the event. Any equipment (including piping and wiring) within this zone will be exposed to various amounts of heat, products of combustion and physical disruption as a consequence of the event and its full extent of propagation.

If any of the equipment within the zone belongs to the minimum set required to mitigate the fire, then it must be shown to be either qualified to function for an adequate time in the fire-created environment or protected (perhaps by relocation). All other equipment within the zone is assumed to be in a failed but otherwise unspecified state such that it cannot be used for mitigation purposes.

The analytical techniques required to characterize the fire event and its propagation are still under development but the process appears to be somewhat straightforward, at least for simple geometries. Also under investigation is the effect of a fire-created environment on various equipment.

Together, this ongoing work should culminate in reasonable analytical and qualification bases for determining the zone of influence of a fire event and its possible effects on needed mitigation equipment. However, it will be necessary to extrapolate from this limited set of analytical tools and equipment information to more complex real world configurations and equipment.

Of special concern is how to identify possible ASI sequences which may result from equipment which is within the zone of influence of the fire but is not qualified to function in the fire-created environment. The fire-induced failure modes of such equipment and their time sequence of failure may be varied and unpredictable due to variability in the specifics of the particular situation. It appears reasonable to assume that a portion of these failures may lead to ASI sequences, some of which could significantly affect the outcome of the event.

How to get an analytical handle on this concern is a part of what USI A-17 should be about. One possible approach would be to consider each piece of equipment (including piping and wiring) in terms of all possible combinations of failure modes and effects due to the fire-induced environment. But it is necessary to examine each piece of equipment within the zone of influence in similar terms and then in all possible combinations of simultaneous or time sequenced occurrence relative to each other. Before long the analysis may become intractable. Undoubtedly, some simplifying assumptions must be made short of ignoring the existence of ASI sequences altogether. Thoughtful guidance on how to approach such a dilemma is needed but not provided by the A-17 resolution.

PIPE RUPTURE EVENTS

A similar situation exists for the case of a high or moderate energy pipe rupture as an initiating event. Again, there will be a zone of influence of the event as defined by the maximum extent of pipe whip, jet impingement, atmospheric pressurization, steaming, condensation, flooding, and water sprays or cascades. Any equipment within this zone (including electrical wiring) will be exposed to various amounts of heat, pressure, moisture, flooding, and mechanical abuse as a consequence of the event. If any of the equipment within the zone belongs to the minimum set required to mitigate the pipe rupture, then it must be shown to be either qualified to function for an adequate time in the event environment or protected (perhaps by relocation). All other equipment within the zone is assumed to be in a failed but otherwise unspecified state such that it cannot be used for mitigation purposes.

The analytical techniques required to characterize a pipe rupture event and its propagation are well developed and in use, but the effects of a pipe rupture environment on various equipment are less well known. Again the concern is how to identify possible ASI sequences which may result from equipment which is within the zone of influence of the pipe rupture but is not qualified to function in the rupture-created environment. As in the case of fire, the environmentally induced failure modes and sequences may be varied and unpredictable.

Predicting the behavior of an environmentally unqualified piece of equipment under the disruptive influence of pipe rupture is not straightforward. Furthermore, considering all possible combinations of failure modes in conjunction with the possible failure modes of all other equipment within the zone and in appropriate time sequence may become intractable. Again, the A-17 resolution provides no thoughtful guidance on how to proceed.

SEISMIC EVENTS

A seismic event constitutes a common challenge to all plant equipment (i.e., the zone of influence of the initiating event is plantwide). All plant equipment will be exposed to various amounts of mechanical abuse due to the ground motion. The analytical techniques required to characterize a seismic event are well established and in common use. The plant safety-related equipment is qualified to withstand the mechanical abuse caused by a design basis earthquake (although its electrical response is not always certain), but the response of nonsafety equipment is less well known. Such equipment is assumed to be in a failed state such that it cannot be used for safety-related purposes, but the condition of its pressure boundary or propensity for production of unwanted actions is unspecified.

Again the concern is how to identify possible ASI sequences which may result from the failure of equipment which is not qualified for the event. It may be difficult to accurately predict seismically induced failure modes for nonseismic equipment. As in the case of fire and pipe rupture, considering all possible combinations of nonseismic equipment failure modes in conjunction with the possible failure modes of all other nonseismic equipment in both a simultaneous and time sequenced sense may be impractical. Again, the A-17 resolution provides no thoughtful guidance.

UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

DRAFT 2 Ebersole/ car 5/7/86 5520: Jesse

MEMORANDUM FOR: Dave Okrent
FROM: Jesse C. Ebersole
SUBJECT: NRC PROPOSED RESOLUTION OF USI A-17

In reviewing the several supporting documents for the purpose of discussing the subject resolution at the Subcommittee meeting on May 7, 1986, the following matters appear to me to be the two major considerations:

1. There is no real dearth of understanding of what "system interaction" means insofar as the apparent coordination division in NRC is concerned (Thomas P. Speis, Director of Safety Technology). A somewhat general definition is adequate along with a half-dozen or so examples, as an adequate "policy" base on which to integrate the resolution to the issue.

There will always be a few apparently knowledgeable members of the technical community who will refuse (I believe perversely so) to acknowledge the presence of the problem.

It has been thus always. "System interaction" has been, from its conception many years ago, an orphan without pedigree in the world of design and design analysis.

It tends to invade the jealously guarded domain of well-established compartmentalized areas of "functional" design responsibility and more often than not is pushed out of existence by decentralized management - as discussed below.

From my point of view only very few examples suffice to make the point that "system interaction" problems will always be with us. From personal experience and some ancient history, I cite the following examples:

a. In the so called "Superfortress," the B-29, the loss of a single 3/8" Phillips head screw was the cause of a personally witnessed take-off crash, and probably many other crashes, due to identical or related versions of loss of all DC power. In essence, ground reference for all six voltage regulators were lost and extreme overvoltage destroyed the electrical network except, of course, the magneto ignition system (supposedly the "diverse" electrical system that would ensure survival of the "system"). It didn't work.

b. The entire TVA grid barely survived due to a failed $40,00 float switch controlling domestic or potable water pressure. Low pressure cascaded all 10 units of the Shawnee Steam Plant. Domestic water pressure had been used to pilot and drive all turbine condenser circulating water valves.

c. In more recent history, the Lockheed Electra should be recalled. Combinations of gyroscopic forces from the heavy rotating engine-propellers along with "normal" loads caused the wings to break off.

d. The DC-10 case is well known and will be remembered as one in which the FAA essentially "got in bed" with the aircraft manufacturer until hundreds had been killed in crashes. NRC would do well not to have its reputation stained by such a "system interaction" accident. It is enough that this kind of analysis has been done on the TMI-2 design and in that accident, the pre-existing conditions which would lead to core melt were about as well known as the faults in the DC-10 design.
e. Very recently a two-unit nuclear plant reported trip of both units, with some considerable post-trip complications as a result of a blown rubber hose on the station air system.

It will be interesting to learn, if we ever do, of the recent Russian incident, in the context of learning whether it was a single system deficiency or a complex of inter-system failures compounded to produce the final effect. If it was caused by the latter, the price to recover will be somewhat larger than would have been the cost of the original overview and "fix," which might have prevented it.

2. Given (1), above, the essence of the problem solution seems to be a clear case of management options. There seem to be three choices, but as yet, the Staff appears to be undecided. I understand a "position" may be taken at the meeting on May 7.

The choices seem to be as follows:

a. Distribute the process of finding and fixing Adverse System Interactions (ASIs) by charging the several compartmentalized areas of Staff reviews but with little, if any line responsibility overview or guidance.
b. Establish a line responsibility overview group and charge it to penetrate all of the compartmentalized work for vulnerability to ASIs.
c. Combine (a) and (b) into a tight and competent group which provides overall guidance and delegates the duty of searching out and fixing ASI problems in appropriate areas, but is inescapably responsible for any residual vulnerability to such events and be clearly accountable for the events which occur.

This last choice is the arrangement I would recommend. I believe such a group would have to do more than softly "inform" and "recommend" modest changes in the SRPs to a stubborn and recalcitrant industry which has yet to demonstrate its prowess to design and build even one nuclear workhorse plant acceptable to the using utilities with, of course, a secure blessing from NRC. The current overall "nuclear option" situation is a national disgrace and the stalemate, unless the coordinated attitude of the utilities changes, will only become worse with loose suggestions and "recommendations."

The first choice listed above is by far the worst. It is the ultimate in decentralization, leading to no one in charge at all. It is best represented in the extreme case by the root policy of TVA from years ago, called the system of "individual initiative," the consequences of which are now apparent. But it is the one always chosen by the decentralized "majority" in the absence of any real technical leadership when a sort of "voting" process is allowed.

The attempt to shunt this matter off to other USI areas such as A-45, A-46, and the far less desirable alternative of putting into the Severe Accident Policy. To push it into USI A-45 without explicitly requiring a dedicated shutdown heat removal system will cripple the minuscule staff doing that work and guarantee a stalemate on the issue.

The transmittal letter contains a statement that - "dissemination of this information will result in early consideration of these types of adverse system interactions as part of the industry's ongoing review and evaluation of operating experience." This is certainly pure wishful thinking against the past and current performance of the industry and neglects the unique combinations of events which can cause a single disaster without precursor "symptoms" of it, such as those listed in (1), above.

Finally, one such postulated USI event which has dangled before NRC's "eyes" for 15 odd years may be a good example of "progress." It is the case of the high pressure steam or water lines connected to the reactor coolant or secondary system and penetrating into machinery and personnel areas. The problem is a composite one related to the potential for pipe failure coupled with valve unreliability and the disabling effects on equipment and personnel caused by water or steam release. The worst case by far is the BWR HPCI steam line case which has the potential for disabling shutdown functions for multiple units.

As far as I know, the resolution of this case is as muddy as it was some 15 years ago, although there is some modest improvement in real reliability of the valves in a few cases.