ML20244A911

Evaluation of Systems Interactions in Nuclear Power Plants. Technical Findings Related to Unresolved Safety Issue A-17

Issue date: 05/31/1989
From: Thatcher D, NRC Office of Nuclear Regulatory Research (RES)
References: REF-GTECI-A-17, REF-GTECI-SY, TASK-A-17, TASK-OR NUREG-1174, NUDOCS 8906120193
Download: ML20244A911 (48)


Text


NUREG-1174

Evaluation of Systems Interactions in Nuclear Power Plants

Technical Findings Related to Unresolved Safety Issue A-17

U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research

Dale Thatcher


AVAILABILITY NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

,, l j _ _

l .

l- 1J 1

ll s

y x w ,

1

NUREG-1174

Evaluation of Systems Interactions in Nuclear Power Plants

Technical Findings Related to Unresolved Safety Issue A-17

Manuscript Completed: April 1989
Date Published: May 1989

Dale Thatcher

Division of Safety Issue Resolution
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555

ABSTRACT

This report presents a summary of the activities related to Unresolved Safety Issue (USI) A-17, "Systems Interactions in Nuclear Power Plants," and also includes the NRC staff's conclusions based on those activities. The staff's technical findings provide the framework for the final resolution of this unresolved safety issue. The final resolution will be published later as NUREG-1229.


CONTENTS

Abstract
Abbreviations
Executive Summary
1 Introduction
2 Background
3 Definitions and Scope
  3.1 Systems Interactions
  3.2 Adverse Systems Interactions
  3.3 Other Common-Cause Events
  3.4 Clarifications
    3.4.1 Operator Error
    3.4.2 External Events
    3.4.3 Major Plantwide Events and the Potential for Unanalyzed, Nonconservative, Multiple Systems Responses
    3.4.4 Single Failures vs. ASIs
    3.4.5 Frontline and Support Systems
  3.5 Summary and Conclusions
4 Available Methods for Identifying Systems Interactions
  4.1 Operating Experience Reviews
  4.2 Onsite Inspections
    4.2.1 Plant Walkthroughs
    4.2.2 Preoperational Testing
  4.3 Analysis by Parts
    4.3.1 Failure Modes and Effects Analysis
    4.3.2 Design Reviews
    4.3.3 Decision Tables
    4.3.4 System State Enumeration
    4.3.5 Binary Matrices
  4.4 Graph-Based Analyses
    4.4.1 Digraph Matrix Analysis
    4.4.2 Event Tree Analysis
    4.4.3 Fault Tree Analysis
    4.4.4 GO Methodology
    4.4.5 Sneak-Circuit Analysis
    4.4.6 Generic Analysis
  4.5 Oak Ridge National Laboratory's Conclusions and Recommendations
  4.6 Staff Conclusions
5 Description of Results and Staff Conclusions
  5.1 Utility Studies of Systems Interactions
    5.1.1 Zion Nuclear Plant Study
    5.1.2 Diablo Canyon Nuclear Power Plant Seismically Induced Systems Interaction Program
    5.1.3 Indian Point Station, Unit 3 Utility Study
    5.1.4 Midland Nuclear Power Plant, Units 1 and 2 Program
    5.1.5 Staff Conclusions
  5.2 Other Related Studies, Programs, and Issues
    5.2.1 Sandia Laboratory Study of Watts Bar Nuclear Plant
    5.2.2 Systems Interactions State-of-the-Art Reviews
    5.2.3 Advisory Committee on Reactor Safeguards Concerns
    5.2.4 Post-TMI-2 Actions, Including Human Factors Issues
    5.2.5 NRC Office for Analysis and Evaluation of Operational Data Activities
    5.2.6 Office of Inspection and Enforcement Activities
    5.2.7 Other Generic Issues
    5.2.8 Other Unresolved Safety Issues
    5.2.9 Systematic Evaluation Program
    5.2.10 Standard Review Plan
    5.2.11 NRC's Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants
    5.2.12 Electric Power Research Institute's "Systems Interaction Identification Procedures"
  5.3 Indian Point Station, Unit 3 Laboratory Demonstration Study
  5.4 Search for Common-Cause Events in Operating Experience
    5.4.1 Functionally Coupled Type
    5.4.2 Spatially Coupled Type
    5.4.3 Induced Human-Intervention-Coupled Type
    5.4.4 Adequacy of Ongoing Evaluations of Operating Experience
    5.4.5 Undesirable Results of Systems Interaction Events
  5.5 Probabilistic Risk Assessments
    5.5.1 PRA Methods
    5.5.2 ASIs Identified From Review of PRA Results
  5.6 Study of Seismic/Spatially Coupled Systems Interactions
    5.6.1 Target Scope
    5.6.2 Initiating Events
    5.6.3 Source Failures
    5.6.4 Documentation
    5.6.5 Analysis of Spatially Coupled Systems Interactions
    5.6.6 Staff Conclusions
6 Summary of Staff Conclusions
7 References
Appendix: Internal Flooding and Water Intrusion Insights

TABLES

1 Scope of USI A-17, "Systems Interactions"
2 Analysis methodologies available to identify types of systems interactions
3 SRP sections that deal with spatially and functionally coupled ASIs
4 Event categories involving systems interactions


ABBREVIATIONS

ACRS Advisory Committee on Reactor Safeguards
ADS automatic depressurization system
AEC Atomic Energy Commission
AEOD Office for Analysis and Evaluation of Operational Data
AFW auxiliary feedwater
ANS American Nuclear Society
ASI adverse systems interaction
ATWS anticipated transient without scram
BNL Brookhaven National Laboratory
BTP branch technical position
BWR boiling-water reactor
CCW component cooling water
CFR Code of Federal Regulations
CPCo Consumers Power Company
DMA digraph matrix analysis
ECCS emergency core cooling system
EPRI Electric Power Research Institute
ESF engineered safety features
FMEA failure modes and effects analysis
FSAR Final Safety Analysis Report
GDC general design criterion/criteria
GI generic issue
HELB high-energy line break
HPSI high-pressure safety injection
HVAC heating, ventilation, and air conditioning
I&C instrumentation and control
IE Office of Inspection and Enforcement, NRC
IEEE Institute of Electrical and Electronics Engineers
INPO Institute of Nuclear Power Operations
IP3 Indian Point Station, Unit 3
IREP Interim Reliability Evaluation Program
LER licensee event report
LLNL Lawrence Livermore National Laboratory
LOCA loss-of-coolant accident
MSLB main steamline break
NPRDS Nuclear Plant Reliability Data System
NRC U.S. Nuclear Regulatory Commission
NSSS nuclear steam supply system
NYPA New York Power Authority
ORNL Oak Ridge National Laboratory
PASNY Power Authority of the State of New York
PG&E Pacific Gas & Electric Co.
PRA probabilistic risk assessment
PWR pressurized-water reactor
RCPB reactor coolant pressure boundary
RHR residual heat removal
RSSMAP Reactor Safety Study Methodology Applications Program
RTS reactor trip system
SEP Systematic Evaluation Program
SETS Set Equation Transformation Systems
SI systems interaction
SISIP Seismically Induced Systems Interaction Program
SRP Standard Review Plan
TAP Task Action Plan
TMI Three Mile Island Nuclear Station
TMI-2 Three Mile Island Nuclear Station, Unit 2
USI unresolved safety issue


EXECUTIVE SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) has concluded its technical evaluation of Unresolved Safety Issue (USI) A-17, "Systems Interactions in Nuclear Power Plants." This report summarizes the results of the technical activities used by the NRC staff to formulate the final resolution of USI A-17. The regulatory analysis for the proposed resolution of USI A-17 will be published later as NUREG-1229.

Because of the complex, interdependent network of systems, structures, and components that constitute a nuclear power plant, the scenario of almost any significant event can be characterized as a systems interaction. As a result, the staff determined that if the term "systems interaction" were interpreted in a very broad sense, it became an unmanageable safety issue. To begin to address perceived safety concerns within this potentially broad subject area requires some focusing. One way to focus such an effort is to develop a working set of definitions based on the perceived safety concerns. It is recognized that by the very nature of such a focusing effort, all concerns that one may characterize as systems interactions may not be addressed. It is therefore extremely important that the scope and boundary of the focused program be as clearly defined and understood as possible. Then, if other concerns still exist after completion of the program, they can be addressed as part of other efforts as deemed necessary.

The technical findings and conclusions presented in this document are based on the following definitions.

Systems Interaction (SI)

An action or inaction (not necessarily a failure) of various systems (subsystems, divisions, trains), components, or structures resulting from a single credible failure within one system, component, or structure and propagation to other systems, components, or structures by inconspicuous or unanticipated interdependencies. The major difference between an SI and a classic single-failure event is in those hidden or unanticipated aspects of the initiating failure and/or its propagation.

Adverse Systems Interaction (ASI)

A systems interaction that produces an undesirable result.

Undesirable Result (Produced by SIs)

This was defined by a list of the types of events that were to be considered in USI A-17:

• Degradation of redundant portions of a safety system, including consideration of all auxiliary support functions. Redundant portions are those considered to be independent in the design and analysis (Chapter 15) of the Final Safety Analysis Report (FSAR) of the plant. (Note: This would violate the single-failure criterion.)

• Degradation of a safety system by a system that is not safety related. (Note: This result would demonstrate a breakdown in presumed "isolation.")

• Initiation of an "accident" [e.g., loss-of-coolant accident (LOCA), main steamline break (MSLB)] and (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate that event (Chapter 15, FSAR analyses) or (b) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect action. (Note: This includes failure to perform correct actions because of incorrect information.)

• Initiation of a "transient" (including reactor trip) and (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate the event (Chapter 15, FSAR analyses) or (b) sufficient degradation of critical operator information to cause the operator to perform unanalyzed, unassumed, or incorrect action. (Note: This includes failure to perform correct actions because of incorrect information.)

• Initiation of an event that requires plant operators to act in areas outside the control room (perhaps because the control room is being evacuated or the plant is being shut down) and disruption of the access to these areas (for example, by disruption of the security system or isolation of an area when fire doors are closed or a suppression system is actuated).

The intersystem dependencies (or systems interactions) have been divided into three classes based on the way they propagate:

Functionally Coupled

Those SIs that result from sharing of common systems/components or physical connections between systems, including electrical, hydraulic, pneumatic, or mechanical.

Spatially Coupled

Those SIs that result from sharing or proximity of structures/locations, equipment, or components or by spatial inter-ties such as heating, ventilation, and air conditioning (HVAC) and drain systems.

Induced Human-Intervention Coupled

Those SIs that result when a plant malfunction (such as failed indication) inappropriately induces an operator action, or a malfunction inhibits an operator's ability to respond. As analyzed in A-17, these SIs are considered another example of functionally coupled ASIs. (Note: Random human errors and acts of sabotage are excluded.)

As a result of the staff's studies of ASIs undertaken as part of its search for a solution to the USI A-17 safety issue, the staff has concluded the following:

(1) To address a subject area such as "systems interactions" in its broadest sense tends to be an unmanageable task and therefore incapable of resolution. Some bounds and limitations are crucial to proceeding toward a resolution. Considering this, the A-17 program utilized a set of working definitions to limit the issue. It is recognized that such an approach may leave some concerns unaddressed.

(2) The occurrence of an actual ASI or the existence of a potential ASI is very much a function of an individual plant's design and operational features (such as its detailed design and layout, allowed operating modes, procedures, and test and maintenance practices). Furthermore, the potential overall safety impact (such as loss of all cooling, loss of all electric power, or core melt) is similarly a function of those plant features that remain unaffected by the ASI. In other words, the results of an ASI depend on the availability of other independent equipment and the operator's response capabilities.

(3) Although each ASI (and its safety impact) is unique to an individual plant, there appear to be some characteristics common to a number of the ASIs.

(4) Methods are available (and some are under development) for searching out SIs on a plant-specific basis. Studies conducted by utilities and national laboratories indicate that a full-scope plant search takes considerable time and money. Even then, there is not a high degree of assurance all, or even most, ASIs will be discovered.

(5) Functionally coupled ASIs have occurred at a number of plants, but improved operator information and training (instituted since the accident at Three Mile Island) should greatly aid in recovery actions during future events.

(6) Induced human-intervention-coupled interactions as defined in A-17 are a subset of the broader class of functionally coupled SIs. As stated for functionally coupled SIs, improvements in both operator information and operator training will greatly improve recovery from such events.

(7) As a class, spatially coupled SIs may be the most significant because of the potential for the loss of equipment which is damaged beyond repair. In many cases these SIs are less likely to occur because of the lower probability of initiating failure (e.g., earthquake, pipe rupture) and the less-than-certain coupling mechanisms involved. However, past operating experience highlighted a number of flooding and water intrusion events, and more recent operating experience indicates that these types of events are continuing to occur (see the Appendix for additional information).

(8) Probabilistic risk assessments or other systematic plant-specific reviews can provide a framework for identifying and addressing ASIs.

(9) Because of the nature of ASIs (they are introduced into plants by design errors and/or by overlooking subtle or hidden dependencies), they will probably continue to happen. In their evaluations of operating experience, NRC and the nuclear power industry can provide an effective method for addressing ASIs.

(10) For existing plants, a properly focused, systematic plant search for certain types of spatially coupled ASIs and functionally coupled ASIs (and correction of the deficiencies found) may improve safety.

(11) The area of electric power, and particularly instrumentation and control power supplies, was highlighted as being vulnerable to relatively significant ASIs. Further investigation showed that this area remains the subject of a number of separate issues and studies. A concentrated effort to coordinate these activities and to include power supply interactions could provide a more effective approach in this area.

(12) For future plants, additional guidance regarding ASIs could benefit safety.

(13) The concerns raised by the Advisory Committee on Reactor Safeguards (ACRS) on USI A-17, but which have not been addressed in the staff's study of A-17, should be considered as candidate generic issues, separate from USI A-17.


UNRESOLVED SAFETY ISSUE A-17: SYSTEMS INTERACTIONS IN NUCLEAR POWER PLANTS

1 INTRODUCTION

In 1978, the NRC identified the area of systems interactions as an unresolved safety issue (USI) and designated it as USI A-17, "Systems Interactions in Nuclear Power Plants."

The origins of the concerns with systems interactions go back to 1974 when the Advisory Committee on Reactor Safeguards (ACRS, November 8, 1974) expressed its belief that the staff should give "attention to the evaluation of safety systems and associated equipment from a multidisciplinary point of view to identify potentially undesirable interactions between systems."

It should be noted that the original concerns were raised in the context of standard plants (ACRS, November 8, 1974). It was felt that with the prospect of many "identical" plants, significant additional efforts should be focused on uncovering potential problems that may arise because a nuclear power plant is designed by groups of engineers and scientists who belong to separate engineering and scientific disciplines. It was recognized that some interdisciplinary reviews were performed to ensure the compatibility of the plant's structures, systems, and components; however, there remained some question regarding the adequacy of these reviews. For standardized plants, it was believed that the additional effort could provide significant benefits. In addition to the original ACRS concern, some potentially significant events at operating nuclear power plants have been traced to, or have been postulated to be the result of, a single common cause (as opposed to multiple independent causes). As a result, the required independence among the plant safety systems and the independence of the safety systems from the systems not related to safety have been questioned.

Because of the original ACRS concern and because some significant operating events took place as a result of unexpected interdependencies among the various plant systems, components, and structures, USI A-17 was developed to address the area of systems interactions. (Note: The program designed to address systems interactions will not address all events resulting from a single common cause.) For further clarification, see Sections 2 and 3 of this report.

In 1979, an accident at the Three Mile Island Nuclear Station, Unit 2 (TMI-2) led to issuance of NUREG-0660, "NRC Action Plan Developed As a Result of the TMI-2 Accident," which identified TMI Action Plan Item II.C.3, "Systems Interaction," for the purpose of coordinating and expanding the staff's work on systems interactions (USI A-17) and to incorporate that work into an integrated plan for addressing the broader question of systems reliability in conjunction with IREP (Interim Reliability Evaluation Program) and other efforts. The TMI-2 Action Plan also stated: "As these programs go forward, there will be a conscious effort to coordinate these activities, including possible combination of resources, to eliminate unnecessary duplication." As stated in the Task Action Plan (TAP) for USI A-17 (NUREG-0649), the resolution of USI A-17 has considered the activities described in Item II.C.3.

The A-17 program has been designed to establish whether there are concerns in the area of systems interactions, and then if there are such concerns, to develop ways to identify these concerns and address them.

2 BACKGROUND

The term "systems interaction" has never been precisely defined, and, as a result, the investigation into the concern has suffered from a lack of a clear focus. At times, A-17 was becoming a "catch all" category for almost all significant events that occurred at operating reactors. The term has often been used interchangeably with other terms such as "dependent failures," "propagating failures," "common-cause failures," and "common-mode failures." To address what was perceived to be the original concern, and to address some of the significant types of events that have occurred, the A-17 program has been provided with a set of working definitions (see Section 3, "Definitions and Scope").

The definitions attempt to clarify the specific types of phenomena or events that are of interest in A-17 and to separately classify other phenomena or events considered outside the scope of A-17.

3 DEFINITIONS AND SCOPE

One of the largest efforts in focusing all of the various tasks related to systems interactions was in the development of a workable set of definitions. The definitions, and associated clarifications, were drawn from the large amount of information previously developed in A-17 (before 1983). The definitions attempt to clarify the specific types of phenomena or events that are of interest, i.e., those that represent unanticipated, adverse interactions among "systems" where systems can be structures, systems, or components. The definitions also attempt to separately classify other types of events which, although they may be significant, are not addressed in A-17. Table 1 is included to summarize the scope and bases of the USI A-17 issue.


Table 1 Scope of USI A-17, "Systems Interactions"*

(1) Concern: Recognized/analyzed single failures directly propagate to other equipment/systems within the same safety division.
    Covered by: Existing regulations (single failure defined in the GDC).
    Clarification: Not analyzed in A-17.

(2) Concern: Single failures subtly propagate to cause plant transients/accidents and/or degrade the required safety systems. Includes:
      • subtle spatial inter-ties
      • subtle functional inter-ties
    Covered by: USI A-17 definition of adverse systems interactions.

(3) Concern: Common failure of redundant safety systems due to commonalities such as:
      • same manufacturing defect
      • same testing error
      • same maintenance error
    Covered by: Improvements in maintenance and test procedures; ATWS rule; A-44 proposed rule.
    Clarification: Not analyzed in A-17.

(4) Concern: Operator errors that disable redundant safety systems.
    Covered by: Improvements in operator training.
    Clarification: Not analyzed in A-17.

(5) Concern: Events that could cause multiple plant problems simultaneously:
      • particularly earthquakes
      • also fire and pipe break/flooding
    Covered by: USI A-46 plus current licensing requirements cover earthquakes. Appendix R deals with fire events occurring one at a time. The equipment qualification rule (10 CFR 50.49) deals with design-basis pipe breaks. None of these programs deals with multiple, simultaneous events; therefore, this area is to be further evaluated under the Multiple System Responses Program.
    Clarification: Not analyzed in A-17, except for internal flooding/water intrusion.

*General subject area involves system failures which are due to system dependencies.

The definitions presented here parallel those in the NRC Task Action Plan (NUREG-0649); however, the term "common-mode failure" has been dropped and further clarifications have been added. In developing the definitions, the main objective was to acknowledge that a great amount of concern exists regarding events in which a scenario progresses to an undesirable set of circumstances and the cause can be traced to a single common cause (common-cause events), involving an equipment malfunction or failure and its propagation.

After tracing the origins of the systems interaction concern as expressed by the ACRS and then also considering the changes that have been taking place in the nuclear industry over the last 10 years, it was decided that a classification needed to be created to make the problem of "systems interactions" more tractable and also to take credit for other activities which will cover areas that one might argue should be included in A-17. Some of the changes that have been acknowledged include

(1) greater attention to human factors or the man/machine interface in all aspects of nuclear power plant design and operation

(2) use of probabilistic risk assessments (PRAs) in safety analysis

(3) increased attention to operating events.

The resulting classification scheme outlines a number of different types of common-cause events, only one set of which was defined to involve "adverse systems interactions." The other single-cause events involve mostly common characteristics of the equipment (e.g., single manufacturer, common maintenance practices and personnel, common testing practices and personnel).

3.1 Systems Interactions

The definition used here is: Actions or inactions (not necessarily failures) of various systems (subsystems, divisions, trains), components, or structures resulting from a single credible failure within one system, component, or structure and propagation to other systems, components, or structures by inconspicuous or unanticipated interdependencies. The major difference between this type of event and a classic single-failure event is in those aspects of the initiating failure and/or its propagation that are not obvious (that are hidden or unanticipated).

Systems interactions (SIs) also can involve systems related to safety and systems not related to safety. A large part of the problem in addressing SIs stems from the fact that, in any nuclear power plant, many systems are intended to interact and are so designed. For example, one division of the safety-related component cooling water system is designed to interact with (i.e., cool) a number of other safety-related systems in that division as well as possibly some systems not related to safety. Similarly, one division of the Class 1E electric power system is designed to interact with a number of safety-related systems in that same division as well as possibly with some equipment not related to safety. If these support-type systems do fail, the supported system will also most likely fail or at least will operate improperly.

Although these examples involve interaction of systems and even could be considered adverse systems interactions, they are not the kinds of interactions of concern in USI A-17, because this type of interaction is expected and the potential for such failure propagation is within the typical analysis and assumptions for a single failure. To differentiate among all the potential "systems interactions," the A-17 Task Action Plan added the aspect of "adverse" to further pinpoint the issue.

3.2 Adverse Systems Interactions

The definition used here is: A systems interaction that produces an undesirable result, as defined by a list of the types of events to be considered in the A-17 program (see list that follows). The list was created on the basis of perceived safety concerns in the broad area of systems interactions for the purpose of capturing potential adverse systems interactions, and therefore terms such as "undesirable" instead

(1) Degradation of redundant portions of a safety system, including consideration of all auxiliary support functions. Redundant portions are those considered to be independent in the design and accident analysis (Chapter 15, FSAR analyses) of the plant. (Note: This would violate the single-failure criterion.)

(2) Degradation of a safety system by a system not related to safety. (Note: This result would demonstrate a breakdown in presumed "isolation.")

(3) Initiation of an "accident" [e.g., loss-of-coolant accident (LOCA), main steamline break (MSLB)] and (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate that event (Chapter 15, FSAR analyses) or (b) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect actions. (Note: This includes failure to perform correct actions because of incorrect information.)

(4) Initiation of a "transient" (including reactor trip) and (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate the event (Chapter 15, FSAR analyses) or (b) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect actions. (Note: This includes failure to perform correct actions because of incorrect information.)

(Note: Undesirable results 3 and 4 are included because of the concerns regarding possible breakdowns in defense-in-depth principles. If a link is found between the initiation of an event and the systems designed to mitigate that event, then the probability of an event sequence progressing to core melt may be greater than originally believed.)

(5) Initiation of an event that requires plant operators to act in areas outside the control room area (perhaps because the control room is being evacuated or the plant is being shut down) and disruption of the access to these areas (for example, by disruption of the security system or isolation of an area when fire doors are closed or a suppression system is actuated).

The intersystem dependencies (or systems interactions) have been divided into three classes, based on the way they propagate:

Functionally Coupled

Those SIs that result from sharing of common systems/

of " unacceptable" and " degradation" instead of " failure" components: or physical connections between systems, were used. including electrical, hydraulic, pneumatic, or mechanical.

3 NUREG-1174

Spatially Coupled
Those SIs that result from sharing or proximity of structures/locations, equipment, or components, or by spatial inter-ties such as heating, ventilation, and air conditioning (HVAC) and drain systems.

Induced Human-Intervention Coupled
Those SIs that result when a plant malfunction (such as failed indication) inappropriately induces an operator action, or when a malfunction inhibits an operator's ability to respond. As analyzed in the study of USI A-17, these SIs are considered another example of functionally coupled ASIs. (Note: Random human errors and acts of sabotage are excluded.)

3.3 Other Common Cause Events

Multiple failures resulting from a single common cause and typically characterized by the failure of identical components in redundant safety systems will not be addressed in the A-17 study. Such multiple failures can be traced to external events, manufacturing and installation errors, or to operation, testing, and maintenance errors.

The usual design practice for safety systems is to satisfy the single-failure criterion by providing identical, redundant safety systems which are subjected to common environmental events and made, installed, operated, tested, and maintained in common. Therefore, the potential for these types of "failures" results from a recognized compromise in independence (see 10 CFR Part 50, Appendix A, "Introduction to the General Design Criteria") and is addressed in a number of ways, and in some cases without specific identification. Some of the ways in which this other class of failures/errors is addressed are discussed in the four paragraphs that follow.

To obtain protection from possible failures induced by a component's environment, including failures resulting from external events, the components of the safety systems are designed, qualified, and installed to be immune to such anticipated challenges.

To obtain immunity to failures, including failures resulting from manufacturing and installation errors, the safety-related systems, structures, and components are subjected to various quality control and quality assurance programs which include comprehensive testing requirements at all phases of construction and pre-operation. Major improvements in the area of quality assurance have been made at the utilities.

Protection from failures attributed to errors by operators, technicians, and maintenance personnel can be obtained through adequate training and good procedures for all aspects of operation, testing, and maintenance. The staff is instituting major programs to address all of these areas (see NUREG-0985).

Other provisions may be utilized for protection against these types of common-cause failures. One design technique which is utilized is diversity. An example of such an application by the staff is a portion of the requirements which resulted from the Salem anticipated transient without scram (ATWS) event (NUREG-1000). As part of the resolution, it was concluded that consideration should be given to providing a diverse breaker trip scheme. Although such cases have been addressed on an individual basis, the concept of diversity is cited in the regulations [e.g., General Design Criterion (GDC) 22].

3.4 Clarifications

Some additional clarifications are included here to address the areas that tend to be the hardest to classify. First, events induced by operator error will be discussed and then events involving external phenomena and other major plantwide events will be discussed. Classic single failures vs. adverse systems interactions will be discussed. Also, the concept of frontline and support systems will be presented.

3.4.1 Operator Error

For purposes of studying USI A-17, plant operators and their procedures were assumed to be perfect. This assumption allowed the staff to focus on only the area of the adequacy of the information presented to the operator by the plant display systems, as outlined in induced human-intervention-coupled SIs. Therefore, the operator was treated as a hardwired link that performed perfectly. As stated earlier, other programs involving human factors were considered more suited to addressing the possibility of operator error, test and maintenance errors, and pro-

3.4.2 External Events

One of the most difficult areas to classify for purposes of studying USI A-17 is external events. In general, external events such as tornadoes and earthquakes are not addressed in the A-17 program. It is recognized that external events could initiate other common-cause failures, as stated in Section 3.3 above.

It is also recognized that, with respect to non-seismically qualified or non-safety-related equipment, an external event such as an earthquake could be the cause of the single initiating failure in an adverse systems interaction sequence. In that limited sense, external events were considered. The group engaged in the A-17 program did not consider the potential for an external event to cause simultaneous multiple initiating failures and systems responses. For more discussion of major plantwide events

and the potential for multiple systems responses, see Section 3.4.3 which follows.

3.4.3 Major Plantwide Events and the Potential for Unanalyzed, Nonconservative, Multiple Systems Responses

During discussions with the ACRS, some disagreements over the scope of the A-17 program were noted (ACRS, May 13, 1986).

In later discussions with the ACRS, the concerns were developed further. The analysis for plant events (such as earthquakes, fires, LOCAs, and floods) involves a number of assumptions. These assumptions often include certain aspects which the ACRS believes may not be conservative. The first aspect involves the assumptions that the events themselves are not linked, that is, an earthquake does not start a fire, a fire does not cause a LOCA, etc. The ACRS is concerned that such assumptions are neither realistic nor conservative.

The second aspect involves the assumption that if a component is not specifically required to function for the mitigation of an event, then it is assumed to be disabled or inoperable. Again, the ACRS is concerned that such assumptions are not conservative because if the specific failure modes of the component are considered, the component could spuriously perform some detrimental action which could affect the ability to mitigate the event and/or to achieve safe shutdown.

The above concern involving specific failure modes includes the added aspect that systems and components are generally assumed to be either fully operable or totally inoperable, as if only two possible states existed. As a result, the ACRS believes that there is also the potential that partial failures that do not result in total loss of function could lead to some unanalyzed systems action which in turn may adversely affect the event mitigation and/or the ability to achieve safe shutdown. The ACRS believes that failures or partial failures could occur simultaneously in multiple systems, if the initiating event is of a sufficiently broad nature, such as an earthquake, fire, or flood.

The staff studying USI A-17 has not addressed the potential for major events causing other events nor has it addressed the multiple failure concerns expressed by the ACRS. It is recommended that these issues be addressed as separate potential generic issues.

3.4.4 Single Failures vs. ASIs

An important aspect of the A-17 group's definition of SIs and ASIs is the unanticipated or hidden nature of the dependency. It is acknowledged (and therefore not "unanticipated") that certain design features do not have redundancy. Examples are the reactor vessel itself and the refueling water storage tank at some pressurized-water reactors (PWRs). Clearly, a failure of these could lead to an undesirable result; however, A-17 does not intend to deal with these common causes because they are not hidden or unanticipated. The other important aspect involves a similar problem area. A problem arose because once an ASI is identified, it looks like a classic single failure and one could then argue that it is, therefore, not an ASI, just a single failure. This aspect was very critical in the operating experience search. That part of the program relied heavily on the consensus of a number of people familiar with operating events and plant design and, therefore, keenly attentive to "surprises" such as unanticipated couplings or dependencies. This "judgment" aspect has led to at least one noted disagreement involving power sources and the results that one would anticipate or expect from a single failure in a Class 1E power source. An analyst or engineer familiar with nuclear power plant systems, and particularly with the instrumentation and control power systems and electric power systems, may expect one set of results (which would meet all other aspects of the ASI definition); another analyst or engineer may find the results unexpected. Therefore, some events involving loss of instrumentation and control power supplies may not have been captured during the initial screening of the licensee event report (LER) data base. Because of its possible importance, as outlined in related Generic Issue (GI) 76 (NUREG-0933, Rev. 2) and as stated by the NRC staff (NRC memorandum, September 18, 1984), further specific work was undertaken in this area (see Section 5.4).

3.4.5 Frontline and Support Systems

During the review and evaluation of systems interactions, the group studying USI A-17 acknowledged that there may be a difference in the way the frontline systems, such as emergency core cooling and reactor protection systems, are treated and the way the support systems, such as component cooling water and heating and ventilating systems, are treated. The frontline systems usually receive thorough scrutiny in the licensing process because of the number of specific criteria that are clearly applicable and also because these areas of the plant tend to be more standardized among plants (at least regarding any specific nuclear steam system supplier).

The support systems, on the other hand, are often less standardized and in many cases are more complex and pervasive, so that they not only interface with multiple frontline safety systems and other safety-related support systems, but also may interface with functions not related to safety. As a result, support systems may require greater scrutiny for adverse systems interactions.

3.5 Summary and Conclusions

Resolution of USI A-17 involves those types of common-cause events which are classified as adverse systems interactions subject to the above definitions and classifications.

On the basis of all work that has been and is being performed in the resolution of A-17 and with the objective of resolving A-17 in a defined time frame, the staff concluded that a working set of definitions was crucial to the A-17 program. Therefore, the staff focused its A-17 task on certain types of phenomena and scenarios and left other areas to other programs and issues.

4 AVAILABLE METHODS FOR IDENTIFYING SYSTEMS INTERACTIONS

As a related effort to the investigation of the nature and potential safety significance of adverse systems interactions, the group engaged in the A-17 program explored a number of methods that appeared to offer the potential for finding ASIs. The purpose of this part of the program was to determine the effectiveness and the resource requirements of potential ASI search methods and to make recommendations regarding possible search methods if it was concluded that a search was necessary.

Some of the information on methods is reported in other sections of this report (e.g., digraph matrix analyses, Section 5.3; interactive fault tree and failure modes and effects analyses, Section 5.3; operating experience search, Sections 5.1.1, 5.2.3, 5.2.5, 5.2.6, and 5.4; onsite inspections, Sections 5.1 and 5.6; and PRAs, Section 5.5). This section of the report also addresses some of these methods, combinations of these methods, and other methods, and then draws some general conclusions.

ORNL (NUREG/CR-4261) reviewed and identified four classes of qualitative analysis techniques that can be used to identify possible systems interactions. Each class of techniques could be appropriate for different aspects of a systems interaction search (see Table 2). In addition, there are distinct advantages and disadvantages in performing each class of techniques. The four basic classes are

(1) operating experience reviews
(2) onsite inspections
(3) analysis by parts
(4) graph-based analyses

Each class of techniques is composed of one or more different analysis methodologies. Each class of techniques is discussed below, and information is provided about the individual methodologies in the class. (For a list of some associated references for each technique, see NUREG/CR-4261.)

Some combination of these analysis techniques could be used to perform a systems interaction study or could be incorporated into a systematic study such as a probabilistic risk assessment (PRA) to identify functional, spatial, or induced human-intervention-coupled systems interactions.

4.1 Operating Experience Reviews

The NRC staff currently requires operating experience review "programs" for each nuclear power plant licensee (TMI Action Plan Item I.C.5). The NRC and industry also sponsor their own reviews of operating experience (see [...]). [...] learn from events that have already occurred [...] at operating nuclear power plants [...] events at plants under construction [...]. An essential benefit of operating experience reviews is to eliminate recurring problems. For systems interaction purposes, this may allow previously unanticipated dependencies to be identified before any serious safety consequences occur.

To benefit from the review of operating experience, reliable sources of data on events must be available. For a specific plant, this includes both onsite sources (deficiency reports, operating logs, work orders, etc.) and documents prepared for submittal to outside agencies [licensee event reports (LERs), significant event reports, Nuclear Plant Reliability Data System (NPRDS) failure reports, etc.]. The data sources that contain information on events from many plants include the NRC's LER files, Institute of Nuclear Power Operations (INPO) operating experience systems, and various other industry working groups (vendors, technical societies, etc.).

Once a source of operating experience is chosen, proper review requires the services of experienced personnel. The reviewers need to be familiar with the facility for which the review is conducted; reviewers also need to be cognizant of the similarities and differences between that facility and those facilities at which the events occurred. This knowledge is essential in determining whether the events apply to the plant for which the review is being performed.

A key to performing effective operating experience reviews is to carry the evaluation beyond simply asking, "What would happen in our plant if the exact same conditions occurred?" It requires the personnel to consider two other questions:

Table 2 Analysis methodologies available to identify types of systems interactions

(Columns of the source table: Functional, Spatial, Induced human-intervention-coupled. The X marks are reproduced in row order; for rows with fewer than three marks, the column is named only where the text of Section 4.2 confirms it.)

Analysis methodology                  Types of systems interactions identified
Operating experience review           X X X (functional, spatial, induced human-intervention-coupled)
Plant walkthrough                     X (spatial)
Preoperational testing                X (functional)
Failure modes and effects analysis    X X X (functional, spatial, induced human-intervention-coupled)
Design review                         X X X (functional, spatial, induced human-intervention-coupled)
Decision table                        X X
System state enumeration              X
Binary matrix                         X X
Digraph matrix                        X X X (functional, spatial, induced human-intervention-coupled)
Event tree analysis                   X
Fault tree analysis                   X X
GO methodology                        X X
Sneak-circuit analysis                X
Generic analysis                      X X

(1) Can this systems interaction occur at our facility under any conditions?

(2) If such an event occurred at our facility, are the consequences unacceptable?

If the answer to both these questions is "yes," then further evaluation (and subsequent resolution) of the potential problem is required.

Operating experience reviews can examine the potential for certain systems interactions (i.e., those interactions that have occurred previously). Since the NRC requires ongoing operating experience reviews, it would be simple and inexpensive to include the identification of systems interactions as one of the objectives of the reviews. The recognized shortcomings of operating experience reviews are that the reviews (1) are not fully predictive and (2) are very dependent on the experience and training of the review staff. Operating experience reviews can provide insights into functional, spatial, and induced human-intervention-coupled systems interactions.

4.2 Onsite Inspections

Onsite inspections are used to identify differences between the as-built conditions and the design conditions. They can also examine undesirable situations (i.e., proximity, seismic interaction, etc.) that may not be apparent from design documentation. This class of techniques incorporates the experience and knowledge of plant personnel into the analysis. Onsite inspections can also be used to identify areas in which the environmental conditions within the plant are hazardous to equipment or in which adverse changes have been made in the plant's equipment configuration (because of maintenance or upgrading). Two types of onsite inspection methodologies were identified: plant walkthroughs and preoperational testing.

4.2.1 Plant Walkthroughs

Plant walkthroughs are used to identify potential spatial systems interactions and to visually inspect safety-related components and systems in their as-built configuration. Consequently, walkthroughs are used to identify those systems interactions that were overlooked during plant design or that were generated during plant construction.

Consumers Power Company developed a plant walkthrough program at its Midland Nuclear Power Plant, Units 1 and 2 (Consumers Power Company, June 1983) to determine the potential for spatial systems interactions. The program consisted of: (1) combined proximity for seismic Category I and II components, systems, and structures, (2) high-energy line break hazards, (3) internal missiles, and (4) flooding. The function and team composition for each of these walkthroughs were varied to be appropriate for each specific type of systems interaction. Consumers Power Company also developed a supplemental walkthrough program that addressed (1) fire protection, (2) stress, (3) thermal growth, (4) system or

area turnover walkthroughs, and (5) potential concerns discovered during preoperational testing of systems.

Plant walkthroughs to identify potential systems interactions have also been performed at Diablo Canyon Nuclear Power Plant; San Onofre Nuclear Generating Station, Units 2 and 3; Zion Nuclear Plant; and Indian Point Station, Unit 3. These walkthroughs were structured to identify spatial systems interactions.

The advantages of plant walkthroughs include: (1) They can focus on bad design, construction errors, maintenance errors, and conditions for common failure and (2) They utilize the knowledge of experienced plant personnel.

4.2.2 Preoperational Testing

Preoperational testing is used to demonstrate the operability of the nuclear steam supply systems, the auxiliary systems, and related secondary systems. All licensees are required to successfully complete a preoperational testing program before a full-power license can be issued. This testing program demonstrates the capability of items of equipment (and systems) to meet their design performance and safety criteria. However, preoperational tests can specifically test how systems interact (in some cases existing tests already do this). For example, a diesel generator operability test should include sequencing the diesel generators onto the emergency power buses. There are many cases in which a test specifically designed to test for systems interactions could confirm the absence of unacceptable interactions during specific operating modes.

The advantages of preoperational testing include: (1) The tests can provide a baseline of operating data from which future operational anomalies may be identified, (2) They provide further confidence in the analytical results and functional capabilities of the systems, and (3) They have the potential to identify functional interactions.

A disadvantage is that they cannot typically identify spatially coupled interactions.

4.3 Analysis by Parts

The third class of techniques available for identifying systems interactions is analysis by parts. Analysis-by-parts techniques are more analytically oriented than the previously discussed classes of techniques, but they are also less comprehensive than the graph-based analyses discussed in Section 4.4. Five methodologies were identified as analysis-by-parts techniques:

(1) failure modes and effects analysis
(2) design reviews
(3) decision tables
(4) system state enumeration
(5) binary matrices

Analysis by parts requires the analyst to examine the causes of a given event or to develop credible conditions under which an undesirable event could occur. Consequently, a problem is not evaluated from a total system perspective. Instead, direct causes of subsystem or component failures are identified and the consequences of these failures are examined. Since these techniques are used to look for direct causes, they are not exhaustive in that regard.

Several advantages of this class of techniques are: (1) They require less effort to perform than the graph-based analyses (at the price of less complete coverage), (2) They are relatively simple to perform, (3) They are useful for detecting local effects, and (4) They require the analyst to look systematically at the failure of each component. Disadvantages of this class include: (1) They usually capture only local effects, (2) They depend on the creativity of the analyst, (3) They have a limited amount of predictive strength, and (4) They are generally used in support of other classes and frequently address the same type of systems interactions as the graph-based methods.

Each of the methodologies is discussed below.

4.3.1 Failure Modes and Effects Analysis

Failure modes and effects analysis (FMEA) is an inductive analysis method that is generally applied at the component level. As such, it examines a component to determine how it would fail (mode) and what would result (effect). An FMEA generally does not examine the causes of the failure extensively but may be employed to identify failure modes whose effects are severe enough to warrant further analysis.

The FMEA identifies failure modes for components of concern and traces their effects on other components, subsystems, and systems. Emphasis is placed on identifying the problems that result from such problems as hardware failures and operator errors. Typically, a column format is employed in an FMEA. Specific entries for the columns include descriptions of the component, its failure modes, possible failure causes, possible effects, and actions to reduce the failures and their consequences. By further examining the causes of the failures, possible common-cause mechanisms may be identified.

An FMEA is traditionally developed at the component level. However, an FMEA can also be applied at the subsystem or system level to trace interactions and their effects on plant safety functions and, eventually, on plant

safety itself. In addition, the effects of the failure modes (whether at the component or system level) must be considered for all plant operational modes and the analyst must also consider the possibility of other components undergoing test and maintenance.

4.3.2 Design Reviews

Design reviews are performed to ensure that the safety system independence and functional design criteria have been met or exceeded. The procedures for performing them vary, and are specific to the design organization. Design reviews are generally performed by a diversified group of experienced designers called a design review team. Using the design criteria or specifications for the systems, the team reviews available documentation such as control schematics, layout drawings, as-built drawings, and piping and instrumentation diagrams. The team then identifies design deficiencies, including potential systems interactions. The team also recommends actions or design changes that may correct the design deficiencies and eliminate potential systems interactions. An advantage of using design reviews to identify potential systems interactions is that they can provide early identification. One disadvantage is that as-built drawings are frequently not available or are not up to date. Also, it is difficult to ensure the comprehensiveness of design reviews.

4.3.3 Decision Tables

Decision tables are used to describe each possible output state of a component. The output states are a function of the inputs and internal states (operational or failed states) of the components. Decision tables can handle binary and nonbinary logic (i.e., components with two or more states).

To construct a decision table, the analyst divides the system into levels of components or subsystems. Once the system has been divided into levels, the analyst needs to perform three basic steps:

Step 1 The analyst constructs the decision tables beginning with the components of the lowest levels (i.e., the simpler components of the system).

Step 2 The outputs of the tables from Step 1 constitute the inputs of the decision tables for the next higher level.

Step 3 Step 2 is repeated for each higher level until the decision table of the system is formed.

This methodology can be used to identify common-cause failures, since they are the inputs that are carried through several levels.

One advantage of constructing decision tables is that they not only model hardware failures, but model human actions and interactions as well. However, decision tables are not a stand-alone method and are generally used to aid in constructing fault trees.

4.3.4 System State Enumeration

In a system state enumeration analysis, all of the system states are generated and recorded in a table format by considering all possible combinations of component states. After this is completed, each system state is individually examined for dependencies between component states. From a qualitative point of view, this analysis is equivalent to an event tree analysis.

An advantage of system state enumeration is that it is a fairly complete qualitative method. However, a complete qualitative system analysis would include an FMEA for each state. Also, for complex systems, enumerating all potential component states can be an overwhelming task.

4.3.5 Binary Matrices

Binary matrices use hierarchies to portray the dependencies between components. A binary entry in each intersection of the matrix indicates whether or not the components are dependent upon each other. The binary entry indicates that the component on the left of the matrix (row) is dependent upon (receives support from) the component listed at the top (column). The matrix is not limited to components. The entity of interest could be maintenance, a physical location, a system train, and so forth. A set of binary matrices that represent more than one independent system is used to generate digraph matrices.

One advantage of binary matrices is that the analyst need only supply direct relationships between individual items (components, subsystems, etc.). A computer code can then be used to deduce subsequent relationships. A second advantage of binary matrices is that the components can be listed in any order in the matrix. In addition, the use of binary matrices forces the analyst to identify all supporting systems or components. This aids the analyst in developing fault trees, digraph matrices, and such techniques.

4.4 Graph-Based Analyses

The last class of analysis techniques is graph-based analyses. Graph-based analyses are comprehensive within a given set of boundary conditions and are used to represent the logical relationship among those components (or systems) whose failure can lead to a specific undesired event. These relationships are captured in the graphic model. All of the potential failure modes (within the scope of the analysis) are then identified by using computers to generate the combinations of component and human failures that contribute to the undesired event.
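The three construction steps of Section 4.3.3 and the state enumeration of Section 4.3.4, carried out together on a constructed example. This is added illustration code, not part of NUREG-1174 or of any licensee program. The plant model (two cooling pumps on separate buses that both rely on one room-cooling unit), the component names and the three-valued ok/degraded/failed logic are assumptions chosen to show the partial-failure case raised in Section 3.4.3, which binary logic cannot represent.

```python
"""Decision tables composed bottom-up (Section 4.3.3) and system state
enumeration over the result (Section 4.3.4), on a constructed example.
The plant model is hypothetical: two redundant cooling trains that both draw
on a single room-cooling (HVAC) unit, the kind of shared support the text calls
a functionally coupled systems interaction."""
from itertools import product

STATES = ("ok", "degraded", "failed")          # non-binary logic, per 4.3.3
RANK = {s: i for i, s in enumerate(STATES)}     # ok < degraded < failed

def worst(*states):
    """Most severe of the given states."""
    return max(states, key=RANK.__getitem__)

def best(*states):
    """Least severe of the given states (what redundancy buys you)."""
    return min(states, key=RANK.__getitem__)

class DecisionTable:
    """One table per component: every combination of (input states, internal
    state) is enumerated once and stored with the resulting output state."""
    def __init__(self, name, inputs, rule):
        self.name = name
        self.inputs = tuple(inputs)
        self.table = {}
        for combo in product(STATES, repeat=len(self.inputs) + 1):
            *in_states, internal = combo
            self.table[combo] = rule(dict(zip(self.inputs, in_states)), internal)

    def output(self, outputs_so_far, internal):
        key = tuple(outputs_so_far[i] for i in self.inputs) + (internal,)
        return self.table[key]

def build_plant():
    """Constructed example (hypothetical plant). Listed lowest level first:
    Step 1 builds the basic tables, Steps 2 and 3 feed their outputs upward
    until the table for the whole cooling function is formed."""
    basic = lambda ins, own: own                 # no inputs: output is own state
    return [
        DecisionTable("HVAC", [], basic),
        DecisionTable("BUS_A", [], basic),
        DecisionTable("BUS_B", [], basic),
        # A pump is lost outright without its bus; otherwise it is as healthy as
        # the worse of itself and the room cooling it needs to keep running.
        DecisionTable("PUMP_A", ["BUS_A", "HVAC"],
                      lambda ins, own: "failed" if ins["BUS_A"] == "failed"
                      else worst(own, ins["HVAC"])),
        DecisionTable("PUMP_B", ["BUS_B", "HVAC"],
                      lambda ins, own: "failed" if ins["BUS_B"] == "failed"
                      else worst(own, ins["HVAC"])),
        # The function needs only one pump, but its own header can still fail.
        DecisionTable("COOLING", ["PUMP_A", "PUMP_B"],
                      lambda ins, own: worst(own, best(ins["PUMP_A"], ins["PUMP_B"]))),
    ]

def evaluate(tables, internal):
    """Propagate one assignment of internal states through the tables in level order."""
    outputs = {}
    for t in tables:                             # inputs were computed at lower levels
        outputs[t.name] = t.output(outputs, internal[t.name])
    return outputs

def enumerate_states(tables):
    """System state enumeration: every combination of every component's internal
    state, recorded with the resulting state of the top-level function."""
    names = [t.name for t in tables]
    rows = []
    for combo in product(STATES, repeat=len(names)):
        internal = dict(zip(names, combo))
        rows.append((internal, evaluate(tables, internal)[tables[-1].name]))
    return rows

def single_component_effects(rows):
    """Rows in which exactly one component is not 'ok': shows which single
    failures or partial failures reach the system output despite redundancy."""
    effects = {}
    for internal, system_state in rows:
        off = [(n, s) for n, s in internal.items() if s != "ok"]
        if len(off) == 1 and system_state != "ok":
            effects[off[0]] = system_state
    return effects

if __name__ == "__main__":
    tables = build_plant()
    rows = enumerate_states(tables)
    print(len(rows), "system states enumerated")
    for (name, state), result in sorted(single_component_effects(rows).items()):
        print(f"{name:8s} {state:9s} -> COOLING {result}")
```

Running it enumerates 729 states. The single-component screen reports that a failed HVAC unit fails both pumps and the function, and that a merely degraded HVAC unit degrades it, while a single pump or bus failure is absorbed by the redundant train. The HVAC link is the shared support that the classification in Section 3.2 calls functionally coupled; the degraded row is the partial-failure case that a two-state (operable/inoperable) table would never show.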

Advantages of this class of techniques include: (1) the ability to cover low-frequency events systematically, (2) the ability to deal with complex systems, (3) the ability to evaluate shared support systems, and (4) the ability to identify common-cause failures. Disadvantages of these techniques include: (1) their limited ability to analyze human interface, (2) their complexity, and (3) their expense when performed at a detailed level (probably the level needed for an ASI study).

Six methodologies were identified as graph-based analysis techniques:

(1) digraph matrix analysis

(2) event tree analysis

(3) fault tree analysis

(4) GO methodology analysis

(5) sneak-circuit analysis

(6) generic analysis

4.4.1 Digraph Matrix Analysis

Digraph matrix analysis (DMA) utilizes a success tree that includes all systems and/or components (elements) involved in an accident sequence. This success tree includes subsystems and support systems as elements. A binary matrix (known as an adjacency matrix) is produced from the success tree that contains information about the relationship between these elements. This binary matrix is then converted to a dual-digraph matrix by changing all "or" gates to "and" gates and "and" gates to "or" gates. Cutsets or failure combinations are then obtained from the dual digraph. The cutsets are then evaluated for systems interactions. The steps involved in performing a DMA are:

First, the analyst selects the combinations of systems of interest for a detailed evaluation. (This is equivalent to the PRA event tree analysis designed to find accident sequences.)

Next, the analyst constructs a single-digraph model for each accident sequence. This is a graphic approach that allows the analyst to develop a binary matrix (adjacency matrix) of elements that have direct influence on an element of higher order.

The analyst can then partition digraph models into independent subdigraphs to find the cutsets. Computer codes are available that identify the cutsets.

Finally, the analyst can evaluate cutsets on the basis of probability and display answers for both top event and cutset probabilities.

Some advantages of a digraph matrix analysis include:

(1) The construction of the logic model is performed directly from plant schematics (piping and instrumentation diagrams, electrical schematics, safety logic diagrams, etc.). The resulting model can be overlaid on the plant schematics; thus, the model can be readily understood, reviewed, and corrected.

(2) The digraph can represent physical situations that are cyclic.

(3) DMA computer codes can process very large models. An entire accident sequence consisting of several safety systems and their support systems is modeled as a single digraph.

(4) The binary matrix indicates all levels of subordination, but only direct first-level relationships must be provided. Computer codes deduce any consequent levels of subordination.

(5) An element of the matrix can be any entity of interest (e.g., an entire system, a system function, component, or maintenance crew). Elements of any level of detail can be intermixed.

Disadvantages of a digraph matrix analysis include:

(1) There are few trained analysts and few available computer codes that can be used to develop and subsequently apply the analysis.

(2) For certain types of logic diagrams, the analyst's attempt to be more complete can lead to computer limitations.

4.4.2 Event Tree Analysis

Because nuclear power plant systems are so complex, it is not feasible to write down by inspection a listing of important accident sequences. Therefore, a systematic and orderly approach is required to properly understand and identify the many factors that could influence the course of potential accidents. This approach involves developing an event tree. An event tree is an inductive logic model that sequentially models the progression of events (both failure and success) from some initiating event to a series of logic consequences. An event tree begins with an initiating failure, and it maps out a sequence of events of the system level that forms a set of branches. Each of the branches represents a specific accident sequence. A complete event tree analysis requires the identification of all possible initiating events and the development of an event tree for each event.
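The digraph matrix procedure of Section 4.4.1, worked through in added example code (written for this page; it is not a DMA code from the report or from any laboratory): it builds the adjacency matrix from a constructed success tree, derives every level of subordination from the first-level links, forms the dual digraph by swapping the gates, extracts the minimal cutsets, and screens them for shared support systems and rare-event probabilities. The tree, the element names and the failure probabilities are all constructed assumptions.

```python
from itertools import product
from math import prod

# Constructed success tree for one accident sequence (not from NUREG-1174). Each
# gate maps to (gate type, direct inputs): an "and" gate succeeds only if every
# input succeeds, an "or" gate if any does. Names never used as a key are basic
# elements (pumps, buses, support systems).
SUCCESS_TREE = {
    "core_cooling": ("and", ["injection", "heat_sink"]),
    "injection":    ("or",  ["train_a", "train_b"]),
    "train_a":      ("and", ["pump_a", "bus_a", "ccw"]),
    "train_b":      ("and", ["pump_b", "bus_b", "ccw"]),  # ccw feeds both trains
    "ccw":          ("and", ["ccw_pump", "service_water"]),
    "heat_sink":    ("or",  ["afw_motor", "afw_turbine"]),
    "afw_motor":    ("and", ["afw_mdp", "bus_a"]),        # bus_a spans two functions
}

# Constructed per-demand failure probabilities for the basic elements.
FAILURE_PROB = {"pump_a": 1e-2, "pump_b": 1e-2, "bus_a": 1e-3, "bus_b": 1e-3,
                "ccw_pump": 1e-3, "service_water": 1e-4, "afw_mdp": 1e-2,
                "afw_turbine": 2e-2}

def adjacency_matrix(tree):
    """Element list and binary adjacency matrix: A[i][j] = 1 when i is a direct input of j."""
    names = []
    for gate, (_, inputs) in tree.items():
        for name in [gate, *inputs]:
            if name not in names:
                names.append(name)
    index = {n: i for i, n in enumerate(names)}
    matrix = [[0] * len(names) for _ in names]
    for gate, (_, inputs) in tree.items():
        for src in inputs:
            matrix[index[src]][index[gate]] = 1
    return names, matrix

def reachability(matrix):
    """Warshall transitive closure: all levels of subordination from first-level links."""
    reach = [row[:] for row in matrix]
    n = len(reach)
    for k in range(n):
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    reach[i][j] |= reach[k][j]
    return reach

def influences(tree, element):
    """Elements whose state depends, at any level of subordination, on `element`."""
    names, matrix = adjacency_matrix(tree)
    row = reachability(matrix)[names.index(element)]
    return {names[j] for j, hit in enumerate(row) if hit}

def dual_digraph(tree):
    """Swap and/or gates so the success tree becomes failure (fault) logic."""
    return {g: ("or" if k == "and" else "and", ins) for g, (k, ins) in tree.items()}

def minimize(cutsets):
    """Keep only minimal cutsets: drop any set that contains another kept set."""
    kept = []
    for cs in sorted(set(cutsets), key=lambda s: (len(s), sorted(s))):
        if not any(k <= cs for k in kept):
            kept.append(cs)
    return kept

def minimal_cutsets(fault_tree, node):
    """Minimal combinations of element failures that fail `node` in the dual digraph."""
    if node not in fault_tree:
        return [frozenset([node])]
    kind, inputs = fault_tree[node]
    child = [minimal_cutsets(fault_tree, i) for i in inputs]
    if kind == "or":
        combos = [cs for sets in child for cs in sets]
    else:  # "and": every input must fail, so union one cutset from each input
        combos = [frozenset().union(*pick) for pick in product(*child)]
    return minimize(combos)

def shared_supports(tree, top):
    """Basic elements influencing more than one direct input of `top` (shared support)."""
    _, functions = tree[top]
    basic = [e for e in adjacency_matrix(tree)[0] if e not in tree]
    return {e for e in basic if len(influences(tree, e) & set(functions)) > 1}

def cutset_probabilities(cutsets, prob):
    """Rare-event approximation: each cutset is a product, the top event their sum."""
    per_cutset = {cs: prod(prob[e] for e in cs) for cs in cutsets}
    return per_cutset, sum(per_cutset.values())

if __name__ == "__main__":
    cuts = minimal_cutsets(dual_digraph(SUCCESS_TREE), "core_cooling")
    shared = shared_supports(SUCCESS_TREE, "core_cooling")
    per, top = cutset_probabilities(cuts, FAILURE_PROB)
    for cs in cuts:  # order-1 cutsets and shared supports are the interaction leads
        print(sorted(cs), f"{per[cs]:.1e}", "shared support" if cs & shared else "")
    print(f"top event (rare-event sum) ~ {top:.2e}")
```

The two single-element cutsets (ccw_pump, service_water) and the bus_a cutsets are exactly the shared-support interactions a DMA is meant to surface: one support failure defeats the redundancy drawn in the success tree.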


Event trees are normally used to model events having binary failure states. These events usually correspond to total success or failure of a system. Event tree analysis is a useful tool for systems interaction analysis when used with other techniques such as fault tree analysis.

4.4.3 Fault Tree Analysis

Fault tree analysis is a deductive failure analysis that focuses on an undesired event and provides a method for determining causes of this event. The undesired event constitutes the top event in a fault tree diagram. Careful choice of the top event is important to the success of the analysis. A fault tree analysis describes an undesired state of the plant or system (usually an undesired state that is critical from a safety viewpoint) and analyzes the plant or system to find all credible ways in which the undesired event can occur. The fault tree is a graphic model of the combinations of faults that will result in the occurrence of the undesired event. The faults can depict hardware failure, human error, system failures, external events (e.g., earthquakes or internal fires), or other events that can lead to the undesired event.

A fault tree is not a model of all possible plant or system failures or all possible causes for failure. A fault tree is tailored to its top event and includes only those faults that contribute to the top event. The fault tree is not quantitative; however, the results can be evaluated quantitatively. In fact, the fault tree is a convenient model to quantify and, along with event trees, has formed the structure for almost all of the PRA studies performed for the nuclear industry. As a result, a large number of people in the nuclear industry are experienced in developing and/or using fault trees.

A formalized combination of event trees and fault tree analyses is called a cause-consequence analysis. The event trees are used to determine the sequence of events that can lead to the consequences of interest. Event trees are developed for several different initiating events (usually LOCAs and transients). The fault trees are then used to model the causes of the event sequences. The causes of the event sequence failures can be modeled as system failures or component failures. However, if failure data are lacking on the system level, the causes would be modeled on the component level where such data are usually available. Hence, the results of a cause-consequence analysis are both qualitative and quantitative.

Two advantages of performing a cause-consequence analysis are: (1) the method is better suited for identifying potential system dependencies on the component level than is the event tree alone and (2) for fault trees alone, the dependencies are shown on separate trees. However, the consequence diagram includes all of them within a single logic structure.

4.4.4 GO Methodology

The GO methodology is a success-oriented technique that is generally used for quantitative analyses. However, this methodology can be used to identify component failure combinations that can lead to system failure, and to construct event trees. Completed GO models resemble system schematic or process flow charts and tend to be more compact than equivalent fault tree models (albeit with correspondingly less failure mode information). Seventeen logical operators are used to model a process. From these models, functional, spatial, and induced human-system interactions can be identified.

Specific advantages of the GO methodology include: (1) The system models follow the normal process flow (as does a digraph matrix analysis), (2) Modeling of most component and system interactions and dependencies is explicit, (3) Models are compact and easy to validate, (4) Model evaluations can represent both success and failure states of systems, and (5) It is uniquely adaptable to analyses in which many levels of system availability are to be considered, since it has the ability to handle multiple system states (i.e., partial failure or degraded conditions can be modeled).

Disadvantages of the GO methodology include: (1) Fewer analysts are familiar with the GO methodology than with fault tree/event tree analyses and (2) The GO methodology has been used extensively for probabilistic studies of individual systems but has not been employed to any great extent as the primary technique for a full-scope PRA.

4.4.5 Sneak-Circuit Analysis

Sneak-circuit analyses are normally applied to electrical systems and were originally designed to identify unplanned modes of operation, unexplained problems, and unrepeatable anomalies. However, this type of analysis can also be applied to fluid systems, since fluid systems can be represented by electrical system analogs.

A sneak-circuit analysis will identify latent signal paths or circuit conditions in systems that may cause undesired events to occur, or may inhibit the occurrence of a desired function. The problems identified in the analysis are called sneak circuits and are characterized by their ability to escape detection during most standardized tests. In addition, sneak circuits are not dependent on component failures, although many erroneous responses of system failures occur because of component failures. Sneak circuits can be subdivided into four types:

(1) sneak paths, which cause current or energy to flow along unexpected paths

(2) sneak timing, which may cause or prevent the flow of current or energy to activate or inhibit a function at an unexpected time


(3) sneak indications, which may cause an ambiguous or false display of system operating conditions

(4) sneak labels, which may cause incorrect stimuli to be initiated through operator error

An advantage of sneak-circuit analyses is that problems caused by latent signal paths that are not contingent on component failures can be identified. These signal paths can cause undesired events to occur, or inhibit a desired function from occurring. The main disadvantage of sneak-circuit analyses is the lack of documentation explaining the methodology. Additionally, only one company was found that had experienced and qualified analysts able to perform such analyses.

4.4.6 Generic Analysis

A generic analysis reviews the basic events in each minimal cutset for susceptibilities to generic causes (dependencies). The minimal cutsets can be determined from fault tree analysis or similar analyses. When a generic cause is common to all members of a minimal cutset, and the location of the minimal cutset components offers no protection from that generic cause of failure, the minimal cutset is called a common-cause candidate (CCC). Generic causes for failure that are often considered in such analyses are:

(1) mechanical/thermal generic causes
    impact
    vibration
    pressure
    grit
    moisture
    stress
    temperature
    freezing

(2) electrical/radiation generic causes
    electromagnetic interference
    radiation damage
    conducting medium
    out-of-tolerance voltage
    out-of-tolerance current

(3) chemical/miscellaneous generic causes
    corrosion (acid)
    corrosion (oxidation)
    other chemical reactions
    carbonization
    biological

(4) other common links
    energy source
    calibration
    installations
    maintenance
    operator or operation
    proximity
    test procedure
    energy flow paths

Although a major portion of this technique is qualitative, it follows an analysis procedure such as fault trees rather than preceding it, as other qualitative methods usually do. This approach differs from most common-cause analyses because it deals directly with the minimal cutsets instead of adding secondary failures to the logic model. Thus, only component failures that result in system failure are considered.

A generic analysis is a helpful methodical way to identify spatial systems interactions. It has been implemented in a number of computer programs and is extensively used in dependent-failure analyses in the nuclear industry.

4.5 Oak Ridge National Laboratory's Conclusions and Recommendations

ORNL concluded (NRC, NUREG/CR-4261) that there are many different and varied methodologies available that can identify systems interactions. However, no one methodology by itself can adequately identify functional, spatial, and induced human-intervention-coupled systems interactions. Therefore, several different analysis techniques should be used.

Determining the most appropriate combination of analysis techniques for identifying systems interactions requires consideration of several factors: time, scope, costs, benefits, and such. However, a review of the methodologies available made several insights apparent. First, any systems interaction program should utilize operating experience reviews, design reviews, and preoperational testing. These three methodologies are already required to be performed, and minimal modifications to the existing programs could be required to identify all three types of systems interactions. Second, expanding the scope of PRAs to include the identification of systems interactions should simplify the problem (with respect to starting an independent evaluation), since the analysts would already be familiar with the systems and their responses. Last, the resulting combination of methodologies must be able to adequately identify all three types of systems interactions: spatial, functional, and induced human-intervention coupled.
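The generic analysis of Section 4.4.6, as added example code (written for this page, not a program from the report or from any laboratory): it screens constructed minimal cutsets against the generic-cause list of that section and flags a cutset as a common-cause candidate only when every member is susceptible to the cause and no member's location protects against it; it also reports the "other common links" the members share. All component, location and cutset data, including the calibration procedure name, are constructed.

```python
# Generic-cause categories as listed in Section 4.4.6; the flat lookup below is
# used for screening and the category name is kept for reporting.
GENERIC_CAUSES = {
    "mechanical/thermal": {"impact", "vibration", "pressure", "grit", "moisture",
                           "stress", "temperature", "freezing"},
    "electrical/radiation": {"electromagnetic interference", "radiation damage",
                             "conducting medium", "out-of-tolerance voltage",
                             "out-of-tolerance current"},
    "chemical/miscellaneous": {"corrosion (acid)", "corrosion (oxidation)",
                               "other chemical reactions", "carbonization",
                               "biological"},
}
CAUSE_CATEGORY = {c: cat for cat, causes in GENERIC_CAUSES.items() for c in causes}

# "Other common links" a component record may carry; proximity is derived from
# the location field instead of being stored.
LINK_FIELDS = ("energy source", "calibration", "installation", "maintenance",
               "test procedure", "energy flow path")

# Constructed plant data (not from the report): where each component sits, the
# generic causes it is susceptible to, and its common-link attributes.
COMPONENTS = {
    "afw_mdp_a": {"location": "afw_pump_room", "susceptible": {"moisture", "vibration"},
                  "links": {"energy source": "bus_a", "maintenance": "mech_crew_1"}},
    "afw_mdp_b": {"location": "afw_pump_room", "susceptible": {"moisture", "vibration"},
                  "links": {"energy source": "bus_b", "maintenance": "mech_crew_1"}},
    "rhr_pump_a": {"location": "rhr_cubicle_a", "susceptible": {"moisture", "temperature"},
                   "links": {"energy source": "bus_a", "maintenance": "mech_crew_2"}},
    "rhr_pump_b": {"location": "rhr_cubicle_b", "susceptible": {"moisture", "temperature"},
                   "links": {"energy source": "bus_b", "maintenance": "mech_crew_2"}},
    "level_xmtr_1": {"location": "aux_bldg_el_100",
                     "susceptible": {"out-of-tolerance voltage", "electromagnetic interference"},
                     "links": {"energy source": "inst_bus_1", "calibration": "CAL-017"}},
    "level_xmtr_2": {"location": "aux_bldg_el_120",
                     "susceptible": {"out-of-tolerance voltage"},
                     "links": {"energy source": "inst_bus_2", "calibration": "CAL-017"}},
}

# Constructed location data: generic causes the location's design protects
# against (e.g. a cubicle with watertight doors and floor drains vs. moisture).
LOCATIONS = {"afw_pump_room": set(), "rhr_cubicle_a": {"moisture"},
             "rhr_cubicle_b": set(), "aux_bldg_el_100": set(), "aux_bldg_el_120": set()}

# Constructed minimal cutsets, as a fault tree evaluation would hand them over.
MINIMAL_CUTSETS = [frozenset({"afw_mdp_a", "afw_mdp_b"}),
                   frozenset({"rhr_pump_a", "rhr_pump_b"}),
                   frozenset({"level_xmtr_1", "level_xmtr_2"})]

def validate(components):
    """Reject susceptibility names that are not in the generic-cause list."""
    for name, rec in components.items():
        unknown = set(rec["susceptible"]) - set(CAUSE_CATEGORY)
        if unknown:
            raise ValueError(f"{name}: unknown generic cause(s) {sorted(unknown)}")

def common_cause_candidates(cutset, components, locations):
    """Generic causes for which the cutset is a common-cause candidate (CCC): every
    member is susceptible and no member's location protects against the cause.
    A single protected member breaks the candidate, since that member survives."""
    members = [components[m] for m in cutset]
    shared = set.intersection(*(set(m["susceptible"]) for m in members))
    return sorted(c for c in shared
                  if not any(c in locations[m["location"]] for m in members))

def common_links(cutset, components):
    """Other common links shared by every member: one location (proximity) or the
    same value of a link field on all of them."""
    members = [components[m] for m in cutset]
    links = {}
    rooms = {m["location"] for m in members}
    if len(rooms) == 1:
        links["proximity"] = rooms.pop()
    for field in LINK_FIELDS:
        values = {m["links"].get(field) for m in members}
        if len(values) == 1 and None not in values:
            links[field] = values.pop()
    return links

def generic_analysis(cutsets, components, locations):
    """Screen every minimal cutset; report CCC causes by category plus common links."""
    validate(components)
    return [{"cutset": tuple(sorted(cs)),
             "ccc": {c: CAUSE_CATEGORY[c]
                     for c in common_cause_candidates(cs, components, locations)},
             "links": common_links(cs, components)} for cs in cutsets]

if __name__ == "__main__":
    for row in generic_analysis(MINIMAL_CUTSETS, COMPONENTS, LOCATIONS):
        print("CCC" if row["ccc"] else "---", row["cutset"], row["ccc"], row["links"])
```

The RHR pair shows the location rule at work: both pumps are moisture-susceptible, but one cubicle is protected, so moisture is dropped while temperature still qualifies.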


The manpower required to perform a PRA that includes a systems interaction analysis should be within the bounds provided in the "PRA Procedures Guide" (NUREG/CR-2300). The "PRA Procedures Guide" indicates that 19 to 38 man-months are required for sequence and system modeling, with another 18 to 24 man-months required for external event analysis. It is not possible to separate the amount of modeling required for independent and dependent failure modes. However, it should be recognized that to do an adequate job of analyzing systems interactions requires experienced analysts and adequate time to examine and incorporate all the potential dependencies that can arise from systems interactions. For this reason, the upper estimates provided in the guide may be more appropriate to ensure that adequate analysis of systems interactions can be included.

In summary, the methodologies discussed in this report can be applied to identify systems interactions. However, the problem in conducting a systems interaction analysis is not a problem with methodology as much as it is a problem with scope and level of detail.

4.6 Staff Conclusions

All methods appear to have some advantages and disadvantages. The major conclusions based on the above review are:

(1) The global application of any method or combination of methods is costly.

(2) The choice of method may not be as important as the scope and depth of the study performed.

(3) It is, therefore, probably most cost effective to limit studies to specific areas and to increase the level of detail in modeling and analysis in those areas.

5 DESCRIPTION OF RESULTS AND STAFF CONCLUSIONS

NRC defined a number of tasks in the revised Task Action Plan (TAP) for USI A-17 (NUREG-0649) to address the area of systems interactions. Although all the tasks defined in the TAP were completed, this section of the report is not organized into the same set of tasks. Rather, this report is organized around the task results and recommendations which were then used as input for the technical resolution of USI A-17.

The tasks outlined for studying the A-17 issue were developed to utilize a combination of existing information, ongoing work, and new work with the objective of focusing the various efforts to resolve the generic issue as defined in the revised TAP scope and definitions.

5.1 Utility Studies of Systems Interactions

A number of utilities performed systems interaction studies of their own plant(s) as part of the operating license review process. The staff has considered some of these programs in the resolution of A-17.

5.1.1 Zion Nuclear Plant Study

In a June 17, 1977 letter, the NRC Advisory Committee on Reactor Safeguards (ACRS) recommended that Commonwealth Edison conduct a study of possible systems interactions related to the Zion Nuclear Plant's shutdown heat removal capability. The ACRS also referenced additional guidance contained in its letter of November 8, 1974. Possible approaches to a systems interaction study were discussed with a number of consultants and with the NRC staff.

As a followup to these discussions, Commonwealth Edison performed an experience survey utilizing LERs (Commonwealth Edison Company, June 16, 1978). The study was divided into three phases. Phase 1 consisted of a review of more than 9000 LERs which were generated in the operation of U.S. commercial nuclear power plants between 1969 and 1977.

The LERs were used to identify events that have occurred at operating power plants that involve systems interactions which had a potential for reducing the effectiveness of shutdown cooling systems under nonaccident conditions. The review covered not only four-loop PWRs but all pressurized-water, boiling-water, and gas-cooled reactor LERs.

The Zion screening criteria as quoted from the report were formulated to include the following types of events:

  • Events which demonstrated that the action of any system degraded or resulted in loss of the effectiveness of any of the following systems:
      reactor coolant
      instrumentation power
      residual heat removal
      chemical and volume control
      component cooling
      service water
      portions of main steam
      auxiliary power

  • The action which initiated the event could have been a normal control function, a malfunction, or operator induced. The single-failure criterion was not

extended; however, a detailed review was made to determine its applicability.

  • As an example, the failure of an RHR [residual heat removal] pump to start due to an electrical fault in the motor would not have been considered a systems interaction. However, if the motor failure was due to excessive humidity and temperature in the RHR cubicle, it was considered an undesirable systems interaction.

  • It was noted that personnel action can result in maintenance errors or operator errors which will have a direct effect on a system or piece of equipment, but this was not considered to be an interaction between systems. For example, the loss of an instrument bus due to placing a grounded test instrument on the bus results in the loss of a large amount of equipment, as expected. If, alternatively, the load from the bus was not correctly shed from the electrical system and resulted in faults in other parts of the electrical system, it would be considered an undesirable interaction.

The second phase of the study, which was conducted by Fluor Pioneer, Inc., involved detailed analysis and investigations of each identified event to determine how and why the event occurred and its effect on the originating plant.

For the third phase, an assessment was made of the possibility of the occurrence of an identical or similar event at the Zion plant. If it was found that a similar event could occur at the Zion plant, corrective action options were evaluated. The evaluation criteria included consideration of safety, constructability, operability, maintainability, and cost. While the range of possible corrective options was being reviewed and analyzed, the utility assessed the benefits of the options.

On the basis of the evaluation criteria and the benefits assessment, the utility concluded that for Zion, the generic studies requested by the NRC and the implementation of conclusions and recommendations involving such items as fire protection, pipe break, and low-temperature primary system overpressure have resulted in modifications that substantially reduce the possibility of the occurrence of a majority of the events studied. In addition, about five specific investigations and/or plant modifications were recommended in the study.

It should be noted that there is not a good correlation between the LERs highlighted by Commonwealth Edison and the LERs contained in the ORNL review of operating experience (see Section 5.4). To some degree, this occurred because of differences in definitions of what constitutes an adverse systems interaction event. Nevertheless, the Zion study was reviewed by ORNL as part of the review of operating experience (see Section 5.4) for possible SI events which met the definition offered in the current A-17 Task Action Plan.

5.1.2 Diablo Canyon Nuclear Power Plant Seismically Induced Systems Interaction Program

Pacific Gas and Electric Co. (PG&E) established a systems interaction program (PG&E, May 7, 1984) which was intended to establish confidence that if a seismic event of the severity of the postulated Hosgri event occurred, structures and equipment important to safety will not be prevented from fulfilling their safety functions because of seismically induced failure or motion of structures or equipment not related to safety. Also, the Seismically Induced Systems Interaction Program (SISIP) was instituted to establish confidence that safety-related systems will not fail to meet the single-failure criterion because of seismically induced interactions.

PG&E defined the following two terms to clarify its postulation of potential systems interactions:

(1) Targets are (a) structures and equipment needed to take the plant to safe shutdown and maintain it at safe shutdown; (b) certain accident-mitigating systems such as containment isolation, main steam isolation, and containment spray; and (c) the manual [remainder of the item is illegible in the scan]

(2) Sources are any other equipment whose seismically induced failure or motion could interact with a target and prevent or inhibit a target from accomplishing its safety function.

On the basis of these definitions, a large number of potential interactions were postulated. PG&E utilized four ways to resolve postulated interactions. These were: (1) resolution by field inspection in which the interaction team could by inspection or simple field analysis show that either the source would not fail, the occurrence of the interaction was not credible, or the consequences of the interaction, if it occurred, would not adversely affect target operations; (2) resolution by engineering analysis in which PG&E could show either that the interactions would not occur or, if they did occur, that the consequences would not affect target operations; (3) resolution by an expedient modification in which PG&E decided it was more cost effective to resolve the interaction by modifying the plant than to justify the configuration by analysis; and (4) resolution by necessary modification in which further analysis showed that plant modification is the only means for resolving the interaction. Because the last two involved plant modification, PG&E combined resolutions 3 and 4 and only reported three resolution groups.

[Footnote on the Hosgri event, largely illegible in the scan; its legible end reads:] ... of the San Andreas fault) was reappraised.


The problem in assessing the Diablo Canyon program comes from the fact that the safety significance of the modifications (both expedient and necessary) cannot be readily established.

Information developed as a result of this program has been utilized in the A-17 program (see Section 5.6).

5.1.3 Indian Point Station, Unit 3 Utility Study

The Indian Point Station, Unit 3 (IP3) systems interaction report was prepared by the Power Authority of the State of New York (PASNY, November 1983) in conjunction with Ebasco Services Inc. and consists of 25 volumes. The objectives of this study were: (1) to develop a methodology and evaluation criteria to be used to identify and evaluate systems interactions and (2) to apply these criteria to a systems interaction review of 23 identified systems.

For purposes of this study, the utility decided to define systems interactions as those events that affect the safety of the plant by one system acting on one or more other systems in a manner not intended by design, with emphasis on interactions in which systems not related to safety (non-safety systems) act on safety-related systems.

The analysis then involved: (1) the systematic search for hidden or inadequately analyzed interconnections or couplings that link safety and non-safety systems in the reactor plant and (2) the evaluation of the effects of a non-safety-system failure (or maloperation) propagated into the safety system by such interconnections/couplings. (Note: It was assumed for purposes of that study that the safety systems satisfied the single-failure criterion and that redundant safety systems do not possess dependencies so that one malfunction cannot disable redundant safety systems.)

On the basis of these premises, a number of potentially adverse interactions between non-safety systems and safety systems were identified through a series of dependency tables, logic diagrams, failure mode and effect analysis, event trees/fault trees, review of previous reports, and walkthroughs (onsite reviews). Only one of these resulted in a reportable condition (LER) as determined by the licensee. This involved a nonseismic pipe connection to a seismic system with inadequate isolation. The resolution involved maintaining a manual isolation valve in a closed position.

A number of potential adverse systems interactions were identified and resolved. The utility concluded that the program increased the level of safety for IP3; however, the contribution to core damage probability from the postulated non-connected seismically initiated systems interactions was less than 4 percent of the overall core-melt frequency at the design-basis earthquake level (Atomic Industrial Forum, Inc., October 8, 1985). Information developed as a result of this program has been utilized in the A-17 program (see Section 5.6).

5.1.4 Midland Nuclear Power Plant, Units 1 and 2 Program

In January 1983, Consumers Power Company (CPCo) initiated a program to address systems interactions (CPCo, June 6, 1983). The program consisted of three parts to address the three classes of systems interaction: functional, spatial, and induced human-intervention-coupled.

The functional interaction portion of the program was to rely heavily on existing plant procedures for design control and preoperational checkout and testing. The design control task involved an interdisciplinary review of plant design to ensure that potential interactions generated by the interface between activities of the various engineering groups were identified and corrected. The program was to include preoperational testing to demonstrate the capability of required safety systems to meet design performance and safety criteria. Additional methods for use in identifying and evaluating functional dependencies included probabilistic risk assessment (PRA), control systems failure evaluation, and licensing department reviews of industry operating experience through nuclear steam supply system (NSSS) vendor reports, Institute of Nuclear Power Operations (INPO) reports, and licensee event reports (LERs).

Onsite reviews (walkthroughs) of safety-related structures, systems, and components were employed to address spatially coupled SIs. These onsite reviews identified potential interactions arising from proximity, location of non-seismically qualified equipment over safety equipment, high-energy line break (HELB), internal missiles, and flooding. Additional reviews also addressed the areas of pipe stress, fire protection, and thermal growth for potential spatial interactions. CPCo was incorporating many in-place programs into the spatial SI studies to avoid unnecessary duplication of efforts. For example, a program had been in place to address the seismic "Class II over Class I" issue per Regulatory Guide 1.29 requirements.

To address the induced human-intervention-coupled class of ASIs, the CPCo SI program incorporated design reviews and other tasks implemented to improve operator response to plant events. Other tasks included a human factors review of control room design and procedures, review of control room operating experience, and increased operator training, including the use of simulators.


Although the Midland project has been terminated, the available results, particularly with regard to the seismically induced systems interactions, have been utilized in the A-17 program (see Section 5.6).

5.1.5 Staff Conclusions

Although the licensee programs discussed above contributed to an increase in safety, the utilities did not perceive the amount of increase to be significant. What was clear was that each program cost the utility millions of dollars.

On the basis of these preliminary conclusions, the staff defined a task to examine the three utility studies (Diablo Canyon, Indian Point 3, and Midland) in greater detail to attempt to better optimize the cost/benefit ratio.

For the results and conclusions of this additional work, refer to Section 5.6.

5.2 Other Related Studies, Programs, and Issues

As part of earlier NRC programs to address the issue of systems interactions, national laboratories did a number of studies. In addition, many other ongoing NRC programs are directly related to the work on A-17.

5.2.1 Sandia Laboratory Study of Watts Bar Nuclear Plant

From 1978 through 1980, NRC contracted with Sandia Laboratory to utilize a method of reviewing nuclear power plant systems for potential interactions that was different from the review process being used by NRC in its Standard Review Plan (SRP) (NUREG-0800).

The method was the fault tree method using the Set Equation Transformation Systems (SETS) computer code for evaluating the fault trees to identify the potentially interactive cutsets. The resulting report (NUREG/CR-1321) also assessed the SRP to show where the potential interactions revealed by this independent method may not be specifically discussed in the SRP sections on review, review procedures, or acceptance criteria.

The scope of the study was restricted to allow the methodology to be developed and demonstrated in a timely fashion. The interactions addressed were limited to those arising from physical connections and common locations. Three plant functions were included: decay heat removal, reactor subcriticality, and reactor coolant pressure boundary integrity. The range of environmental conditions, plant modes, and plant occurrences was also restricted.

The first step of the study was to develop a methodology for reviewing the SRP that could also be used to evaluate specific facilities. The underlying premise of the methodology is that potential interactions can effectively be found by identifying the commonalities between systems. The methodology uses fault trees to model plant functions from which the analysis is performed. The SETS computer code and subsequent analysis identifies and highlights the important commonalities based on input plant information. Commonalities found between components whose unavailability could lead to loss or significant degradation of an important plant function are pursued in greater detail.

The principal product of this study was to be the development of a systematic and disciplined methodology for the identification and evaluation of a range of potential systems interactions.

The methodology was applied to a facility that had recently gone through the licensing process (Watts Bar) to achieve two goals: (1) to provide a basis for comparison to the SRP-type review and (2) to demonstrate the methodology itself. In general, it was concluded that application of the methodology should not be limited to those systems explicitly identified in the SRP as safety related. In addition to this general conclusion, several weaknesses were identified in the SRP. These met all of the following criteria: (1) A potential cause of an interaction could be identified, (2) If an interaction occurred, it would increase the likelihood of core damage, and (3) The potential cause of an interaction was not explicitly covered in the SRP.

The weakness identified was the absence of explicit assurances in the SRP or its supporting documents that: (1) the reactor coolant pressure boundary integrity will not be lost as a result of interactions stemming from a common location or common actuation of the pressurizer power-operated relief valves and their isolation valves, (2) the decay heat removal function will not be lost as a result of interactions stemming from a common location or common cooling between trains of the auxiliary feedwater system, (3) positive pressure control will not be lost as a result of interactions stemming from common power sources between pressurizer heater channels, and (4) the inventory makeup necessary to maintain decay heat removal will not be lost as a result of interactions stemming from the common location of the refueling water storage tank output valves.

Although the Sandia work was considered a major portion (Phase 1) of the NRC program to address systems interactions, subsequent revision to the A-17 Task Action Plan somewhat deemphasized this work by Sandia because ongoing PRA work (see Section 5.5) and the Brookhaven

NUREG-1174 16


application on Indian Point 3 (see Section 5.3) were similar to the Sandia work.

The staff concluded that fault trees and other PRA techniques could be used in the investigation of systems interactions. For more on PRA and its relationship to systems interactions see Section 5.5.

5.2.2 Systems Interactions State-of-the-Art Reviews

The NRC requested three national laboratories to conduct a review of the state of the art in the area of systems interactions in 1980.

Each laboratory produced a report as follows:

• NUREG/CR-1859, "Systems Interaction: State-of-the-Art Review and Methods Evaluation," prepared for NRC by Lawrence Livermore National Laboratory, January 1981

• NUREG/CR-1896, "Review of Systems Interactions Methodologies," prepared for NRC by Battelle Columbus Laboratories, January 1981

• NUREG/CR-1901, "Review and Evaluation of Systems Interaction Methods," prepared for NRC by Brookhaven National Laboratory, January 1981

The broad objective of these reports was to develop methods that held the best potential for further development and near-term use by industry and NRC on systems interaction evaluations for future as well as operating plants. More specifically, the objectives of the work were to include:

(1) development of a definition of systems interaction and corresponding safety failure criteria

(2) review and assessment of current systematic methods that have been used, or are considered feasible for use, on any complex system comparable to a light-water reactor plant

(3) provision of an inventory of a range of systems interaction scenarios with emphasis on actual operating experience to

    (a) better focus on the definition of systems interaction

    (b) serve as a basis for evaluating the ability of the various methodologies to predict these examples

(4) recommendation of a methodology or alternatives that have the best potential for further development and near-term use by industry and the NRC on systems interaction evaluations

(5) application of candidate methodologies to actual occurrences to demonstrate their ability to predict systems interactions effects

The staff concluded that the recommendations of the three studies would be considered as part of the A-17 resolution if a study was required of all utilities. For more on state of the art see Section 4, on methods.

5.2.3 Advisory Committee on Reactor Safeguards Concerns

As stated in the introduction to this report (Section 1), the ACRS was credited with identifying the original concerns. In addition to the original identification, the ACRS has also been instrumental in subsequent investigations in the area of systems interactions. The utility studies at Zion, Indian Point, and Diablo Canyon were all the subject of ACRS discussions (see Sections 5.1.1, 5.1.2, and 5.1.3, respectively).

In addition, in September 1979, ACRS consultants completed NUREG-0572, "Review of Licensee Event Reports (1976-1978)," in which they identified a class of events as "systems interaction." The report concluded that a number of LERs reveal unusual and often unpredicted interactions among various plant systems. The report went on to state that it is not surprising that interactions exist, since a nuclear power plant is an extensive and complex facility; however, the nature of these interactions is often quite unexpected. When interactions involve degraded performance of systems required for vital functions, such as shutdown heat removal, there can be significant safety implications. The ACRS acknowledged that the NRC staff is studying systems interactions through Generic Task No. A-17.

Regarding the use of the LERs the report stated:

    Redundancy and defense in depth are widely used in essential reactor systems to assure their availability. Implicit in such usage is the assumption that a high degree of independence exists between the redundant elements (or the various echelons of defense in depth). Occasionally an LER discloses an unintentional or previously unrecognized interdependence between such elements. In such cases, interdependence reflects one type of systems interaction problem. Although there are few LERs that directly reveal such problems, there are many that hint at deficiencies of this nature. Because of the potentially serious implications of such situations, more attention needs to be directed to seeking them out. Careful review of

    LERs can uncover such design errors, if they are consciously sought out.

Reference is then made to three sections of the Appendix that include some examples. The first section is entitled "Systems Interactions" and describes three separate events, all of which involve the plant electrical systems. These specific events do not meet the definition and screening criteria of the current TAP for A-17 and therefore were not included in the ORNL list. However, it should be noted that the ORNL LER study (see Section 5.4) does highlight the area of electrical systems as a potentially significant area from the viewpoint of adverse systems interactions.

The second section is entitled "Failures That Indicate Interdependence of Redundant Elements" and describes four separate events.

• The first of these events involves redundant battery chargers for a fire pump and would not meet the TAP definition of systems interaction because (1) the fire system is not typically a system needed to achieve and maintain safe shutdown and (2) the chargers were not truly redundant in the same sense of engineered safety features (ESF) Trains A and B equipment.

• The second event involves the loss of both makeup pumps at Davis-Besse Nuclear Power Station. It is the staff's understanding that the makeup pumps at Davis-Besse are not considered safety related and therefore such an event does not meet the TAP definition which includes degradation of safety-related equipment.

• The third event involves a boron dilution event at Surry Power Station, Unit 2. Although this event involved some unexpected interaction between systems and temporarily blinded the operator, none of the systems involved were safety related and the consequences were very minimal. The consequences were limited by the inherent design of the system because the system could only deliver a maximum of 150 gpm which could not reduce the boron concentration below acceptable levels between the required sampling intervals.

• The fourth event occurred at Three Mile Island Nuclear Station, Unit 1 (TMI-1) and involves a miscalibration of all four power range flux monitors as a result of a faulty test pressure transmitter. Although this event does demonstrate a common-cause effect or dependency, it is not an adverse systems interaction but rather fits in the class of other common-cause failures according to the TAP definitions.

The third section of the Appendix is entitled "Adverse Interactions of Safety System and the Influence of Human Errors" and involves one event at Arkansas Nuclear One, Units 1 and 2. The event involved a number of adverse systems interaction aspects and has also been included in the list of events compiled by ORNL. It was noted that the ACRS report and the ORNL report both seem to indicate the potential for adverse systems interactions in the highly complicated electrical power supply and its control systems.

Some other ACRS questions and concerns were documented in the form of recommendations to the staff and, in at least three cited utility studies, in the form of guidance to the utilities. Of particular note is the guidance in the ACRS October 12, 1979 letter on Indian Point Station, Unit 3. This guidance was issued in response to questions about what constitutes "reasonably appropriate study of systems interactions at Indian Point 3." In that letter, the ACRS expressed specific concerns in two separate areas. One area involved "possibility of systems interactions within an interconnected electrical and mechanical complex." The ACRS expressed concerns with the consideration of other than usually assumed failures, that is, partly failed or other than normally assumed failed states. The ACRS was also concerned that this type of failure would probably not be revealed by LERs and that a failure mode and effects analysis (FMEA) was required.

The second area involved "possibility of interactions between non-connected systems due to the physical arrangement or disposition of equipment." Again, ACRS expressed its belief that LERs would not reveal these unique interactions and recommended a physical inspection of the plant and the "formation of a small but competent interdisciplinary team."

Over the years, ACRS has stated its belief that the staff should require all utilities to do a systems interaction type of analysis and that because such an analysis could be done with little NRC guidance, the requirement should be issued without further investigations and delay. Over the same time period, the NRC staff took the position that such a general requirement would not resolve the issue because of the lack of any consensus about what, if anything, needed to be done. The staff continued to pursue an approach for resolution, searching for an overall cure in the form of what "acceptable" methods should be applied. At this time and on the basis of further review, the staff has concluded that the concerns expressed by the ACRS in the October 12, 1979 letter are some of the central issues that need to be addressed by the resolution of USI A-17.

Regarding the ACRS report (NUREG-0572), the staff concluded that although many of the events cited there were not "adverse systems interactions" as defined in the present A-17 TAP, the overall conclusions of the report regarding power systems and their control remain valid. In addition, the general type of concerns expressed in the report regarding compromise in redundancy and/or levels of defense in depth also remain valid and have been


explored further in the work on A-17 (see Sections 3, 5.4, and 5.6).

On the basis of further review, the staff concludes that (1) walkthroughs similar to walkthroughs suggested by ACRS but with much narrower focus could achieve a cost-effective safety improvement at some plants and (2) although the pursuit of so-called partial failures (leading to functionally coupled ASIs) may uncover uniquely plant-specific scenarios, there is not sufficient evidence to show that they are safety significant enough to justify the type of analyses required to uncover them. In addition, with respect to the failure modes of control systems, USI A-47 (NUREG-0649) is also addressing this area. The staff will provide information to the utilities regarding the types of problems uncovered in the electrical power systems (one area that was highlighted for partial failure investigation), and other types of problems regarding failure modes (see Section 5.4). The ACRS has also expressed concern (ACRS, May 13, 1986) over the scope of the A-17 program. This was discussed previously in Sections 3.4.2 and 3.4.3.

5.2.4 Post-TMI-2 Actions, Including Human Factors Issues

After the accident at TMI-2, a significant amount of attention was focused on the operators and on so-called human factors issues. The USI A-17 TAP (NUREG-0649) recognizes all the activity in this area and attempts to limit the overlap of concerns between the systems interaction issue and those other efforts. As a result, the A-17 studies focused on the hardware or hardwired aspects of the operators' indication systems and left the human engineering and, specifically operator error, to NUREG-0985, "Human Factors Program Plan." The A-17 area of concern was, therefore, limited to the possibility of misleading an operator by means of malfunction (that was not readily detectable) in a plant indication system during an event. This was the induced human-intervention-coupled adverse systems interaction referred to in Section 3. After the accident at TMI-2, a significant amount of attention was focused on this aspect of plant indications. Specifically, requirements were implemented through NUREG-0737, Supplement 1, which improved monitoring information (Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident," and added operator aids such as the safety parameter display system.

The staff engaged in the A-17 program concluded that plant personnel (operators, maintenance personnel, test technicians, etc.) can have a significant impact on plant response, both negative and positive; however, events initiated by personnel error should not be classified as systems interactions. The potential for indication systems misleading the operator has been reduced by other actions mentioned above. Furthermore, the actions in the area of operator information and training should improve response to and recovery from ASI-type events.

5.2.5 NRC Office for Analysis and Evaluation of Operational Data Activities

As a result of the TMI-2 accident, the NRC formed the Office for Analysis and Evaluation of Operational Data (AEOD) with the intent to pay closer attention to current operating experience and to learn from past experience. AEOD has reported on a number of events that meet the TAP definition of systems interaction, although the events may not have been labeled "systems interactions." In some cases, the staff has formulated new generic issues based on the AEOD reports (see Section 5.2.7). As part of the resolution of A-17, the staff took a separate look at operating experience. The AEOD reports were one of the reference sources for this work (see NUREG/CR-3922 and Section 5.4 for more information on operating events).

The staff has concluded that since the formation of [...] scrutiny than at the time when the systems interaction issue first surfaced. It should be recognized that the implementation by NRC and the industry, through organizations such as INPO, of such scrutinizing analyses addresses some concerns that could be called SIs and as such contributes to a reduction in concerns with systems interaction.

5.2.6 Office of Inspection and Enforcement

The former NRC Office of Inspection and Enforcement (IE) had the responsibility for notifying all utilities about significant operating events through a system of bulletins and information notices. Several of the events that were screened from the operating experience, by the work on A-17, were the subject of an IE bulletin or notice. In those cases, this information was included as a reference source (see NUREG/CR-3922 for more information). In addition, as part of the decisionmaking process to possibly implement new requirements, those regulatory actions already required by IE were considered (for more information see Section 5.4).

Over the years, IE has notified the industry about significant operating occurrences. In some cases, the occurrences involve systems interactions. As was concluded for AEOD, the staff concludes that the IE mechanisms of bulletins and notices addressed significant experience, including systems interactions.


5.2.7 Other Generic Issues

In November 1983, the NRC published NUREG-0933, "A Prioritization of Generic Safety Issues." The report presents the priority rankings for a number of generic safety issues related to nuclear power plants. The purpose of these rankings is to assist in the timely and efficient allocation of NRC resources for the resolution of those safety issues that have a significant potential for reducing risk.

The prioritized issues include TMI Action Plan items under development; previously proposed issues covered by task action plans, except issues designated as unresolved safety issues (USIs) which had already been assigned high priority; and newly proposed issues.

The safety priorities, ranked as high, medium, low, and drop, have been assigned on the basis of risk significance estimates, the ratio of risk to costs, and other impacts estimated to result if resolution of the safety issues were implemented.

A number of the issues identified in NUREG-0933 can be called adverse systems interactions and, therefore, there is significant overlap between some issues listed there and the general categories resulting from the ORNL experience search (Section 5.4). This could be expected since the NUREG-0933 issues often arise from the same sources that ORNL used (e.g., LERs and AEOD reports). In some cases, a potential area of concern highlighted from an A-17 systems interaction perspective will have been cited, and possibly addressed, but on a more specific basis.

The resolution of A-17 has considered the safety priority ranking given to the corresponding issues (when available). The A-17 resolution then also recommends further action if necessary (for more information see Section 5.4).

Three issues included in NUREG-0933 warrant special discussion: Issue II.C.3, "Systems Interactions"; Issue C-13, "Non-random Failures"; and Generic Issue 77, "Flooding of Safety Equipment Compartments by Backflow Through Floor Drains." As stated in the TMI Action Plan, the purpose of Issue II.C.3 was "to coordinate and expand ongoing staff work on systems interaction (USI A-17) so as to incorporate it into an integrated plan for addressing the broader question of system reliability in conjunction with IREP [Interim Reliability Evaluation Program] and other efforts."

When the A-17 Task Action Plan was revised in January 1984, it was decided to include in issue A-17 the activities described under Issue II.C.3.

Issue C-13, "Non-random Failures," is an issue that was credited to ACRS in NUREG-0471. Although this issue was formerly referred to as "common mode failure of identical components exposed to [...] conditions or environments [...]" (as evidenced by reference to issues such as A-9, A-30, A-35, B-56, and B-57), it was expanded to include other types of failures and, as a result, a reference to USI A-17 is made in NUREG-0933. It should, therefore, be kept clear that the term "non-random failures" can include more than "systems interactions" and that a resolution of A-17 does not resolve all non-random failures (for additional information see [...]).

GI-77 was given a high priority and was also qualified insofar as the lack of plant-specific details. In this regard, the group studying the resolution of USI A-17 considered these in its resolution.

The mechanism in place for identifying and prioritizing generic safety issues provides an avenue for handling all types of issues, including systems interaction-type issues. On the basis of the treatment of a general type of issue such as C-13, that is by handling it as a class and dealing with individual identified parts, the staff concludes that this is the best mechanism for dealing with any remaining or future SI concerns after the resolution of A-17. This is consistent with the need to clearly define any proposed safety issue in order to prioritize it.

5.2.8 Other Unresolved Safety Issues

The Task Action Plan for USI A-17 acknowledges that a relationship can exist with USI A-47, "Safety Implications of Control Systems" (NUREG-0649). This is primarily based on the understanding that control systems do interact with many plant systems and, therefore, if the control systems interactions lead to possible degradations in safety systems, such a concern could also be labeled an adverse systems interaction.

As the resolution of A-17 progressed, a close relationship between A-46 (NUREG-0649) and part of A-17 was acknowledged. Part of A-17 deals with possible seismic-induced spatial interactions between the non-seismic structures, systems, and components and the seismic structures, systems, and components. A-46 deals with the seismic qualification of certain equipment in older plants. The resolution of A-17 reflects this relationship.

Although USI A-45, "Shutdown Decay Heat Removal Requirements" (NUREG-0649) is not directly related to A-17, it is recognized that if the resolution of A-45 were to be an independent shutdown system, then such a resolution could substantially reduce the safety benefit of pursuing some ASIs.

As the resolution of A-17 has progressed to the point of focusing on certain areas, the relationships to other unresolved safety issues have been considered. The proposed


resolution of A-17 acknowledges relationships with USI A-45, USI A-46, and USI A-47.

5.2.9 Systematic Evaluation Program

The Systematic Evaluation Program (SEP) was initiated by the NRC to review the designs of older operating nuclear reactor plants to reconfirm and document their safety. The review provided (1) an assessment of the significance of differences between current technical positions on safety issues and those that existed when a particular plant was licensed, (2) a basis for deciding how these differences should be resolved in an integrated plant review, and (3) a documented evaluation of plant safety.

The review focused on 137 different "topic" areas (NUREG-0824). Although topics that were being reviewed under other programs, such as unresolved safety issues, were generally deleted from consideration in the SEP, some topics that were evaluated under the SEP are related to USI A-17. Therefore, the information developed in these topic areas was used in the A-17 study.

Of specific applicability were topics that were related to potential spatially coupled interactions. These topics included:

• III-4.C Internally Generated Missiles

• III-5.A Effects of Pipe Break on Structures, Systems, and Components Inside Containment

• III-5.B Pipe Break Outside Containment

On the basis of its review of the general SEP findings on these topics (SECY-84-133), the staff concluded that:

(1) Plants typically provide significant protection against internally generated missiles.

(2) The flooding reviews performed in response to the Atomic Energy Commission (AEC) generic letter of September 26, 1972, may not have adequately covered some significant areas of concern.

This information was used to develop the focus of spatially coupled ASIs (see Section 5.6).

5.2.10 Standard Review Plan

The Commission's Standard Review Plan (SRP) (NUREG-0800) is the document that defines the acceptance criteria and review guidance used in the licensing process. The SRP has evolved over a number of years and has typically addressed areas of concern that can be considered adverse systems interactions.

One alternative considered in the A-17 program was the possibility of revising the SRP or related guidance documents such as regulatory guides to improve the evaluation of ASIs for future plant reviews. Some of the SRP sections that already address systems interaction concerns are listed in Table 3.

5.2.11 NRC's Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants

The NRC has published a policy to resolve safety issues related to reactor accidents more severe than design-basis accidents (NUREG-1070). Its main focus is on the criteria and procedures the Commission intends to use to certify new standard designs for nuclear power plants; however, it also provides guidance on decision and analytical procedures for the resolution of severe-accident issues for other classes of future plants and for existing plants (operating reactors and plants under construction which have applied for operating licenses). Severe nuclear accidents are those during which substantial damage is done to the reactor core, whether or not there are serious offsite consequences. Specifically the policy states:

    The Commission plans to formulate an integrated systematic approach to an examination of each nuclear power plant now operating or under construction for possible risk contribu- [...] plant specific and might be missed absent a systematic search.

The investigation into USI A-17, "Systems Interactions," highlighted a number of nuclear power plant systems or areas that appear to be the ones that are most likely to contain potential adverse systems interactions.

ASIs (both functionally coupled and spatially coupled) are most often caused by a design feature and/or a set of operating conditions peculiar to a particular plant; the consequences of an ASI are similarly determined by features peculiar to a particular plant and by the operator's response. Therefore, the resolution of A-17 can add to the formulation of any systematic evaluation of plants by [...].

The areas of concern should include aspects that are discussed in the review of operating experience (see Section 5.4) and the review of seismic/spatially coupled SI programs (see Section 5.6). These are:


Table 3 SRP sections that deal with spatially and functionally coupled ASIs

Source                                           SRP Section(s) (NUREG-0800)

Spatially coupled ASIs
  Earthquake                                     3.6.2, 3.7.3, 3.9.2, 3.10, 3.11, 6.7, 9.1.3, 9.2.1-9.2.3, 9.2.6, 9.3.1, 9.3.3, 9.3.5, 9.4.1-9.4.5, 10.3, 10.4.7, 10.4.9
  Internal flood                                 3.4.1, 3.6.1, 9.3.3, 10.4.5
  Internal fire                                  9.5.1
  High-energy line break                         3.6.1
  Internal missiles                              3.5.1.1-3.5.1.3, 9.1.4, 9.1.5

Functionally coupled ASIs
  Reactor protection/engineered safety features  7.2, 7.3
  Safe shutdown                                  7.4
  Control system                                 7.7
  Station service water                          9.2.2
  Electric power systems                         8.2, 8.3

Functionally Coupled ASIs

(1) electric power systems

(2) support systems

(3) overreliance on "fail-safe" design principles

(4) automatic actions with no preferred failure mode for all situations

(5) instrumentation and control power supplies

Spatially Coupled ASIs

(1) non-seismically qualified equipment effects on seismically qualified equipment

(2) internal plant flooding of safety-related equipment

5.2.12 Electric Power Research Institute's "Systems Interaction Identification Procedures"

As the technical resolution of USI A-17 was proceeding, the Electric Power Research Institute (EPRI) published EPRI NP-3834, Volumes 1-5, "Systems Interaction Identification Procedures." The staff asked Oak Ridge National Laboratory to review and assess the report's impact on the proposed resolution of USI A-17.

ORNL prepared a draft letter report dated February 10, 1986, concluding that both the proposed resolution for USI A-17 and the EPRI report explored numerous methodologies for identifying SIs. Both assessments conclude that no one methodology by itself can adequately identify functional, spatial, and induced human-intervention-coupled interactions. Therefore, several different analysis techniques could and should be used.

None of the methods presented in the EPRI assessment provided a quicker, easier, or more comprehensive means of identifying SIs. It was, therefore, concluded that the EPRI work brought no new information to the technical [...]

5.3 Indian Point Station, Unit 3 Laboratory Demonstration Study

The staff initiated a laboratory demonstration study on the Indian Point 3 plant in mid-1983 through Brookhaven National Laboratory (BNL) and Lawrence Livermore National Laboratory (LLNL). The purpose of the study was to test and compare two potentially useful search methods and to compare the results with the study made by the utility. One method, the digraph matrix method, was applied by LLNL (for further information see NUREG/CR-2915, NUREG/CR-3593, NUREG/CR-4179, and LLNL's report of June 1983) and the other method, the interactive fault tree/failure mode and effect analysis, was applied by BNL (for further information see NUREG/CR-4207). Both studies concentrated on functionally coupled events.

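The fault tree and cutset approach that the Sandia study (Section 5.2.1) and the BNL demonstration use finds minimal cutsets: the smallest sets of basic events that together fail the top event. A single-event cutset under a function that was designed with two redundant trains is the signature of a hidden dependency, which is what this report calls a functionally coupled adverse systems interaction. The Python below is an added example, not code from NUREG-1174, Sandia, BNL, LLNL, or the SETS code. It builds two constructed fault trees for loss of a two-train low-pressure recirculation function, one with a battery per train and one where both trains draw on a shared battery (loosely modeled on the kind of battery dependency the BNL review reported, not the actual plant model); the gate names, event names and per-demand probabilities are assumptions for illustration only.

```python
"""Minimal-cutset analysis of a small fault tree with a shared support system.

Constructed example for illustration; gate/event names and probabilities are
assumptions, not Indian Point 3 data and not the SETS code used by Sandia.
"""
from itertools import product

# Fault tree: gate name -> (gate type, list of inputs).
# An input that is not itself a gate is a basic event.
# Top event: loss of both low-pressure recirculation trains.
SHARED_SUPPORT_TREE = {
    "LOSS_OF_LP_RECIRC": ("AND", ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]),
    "TRAIN_A_FAILS": ("OR", ["PUMP_A_FAILS", "BATTERY_32_UNAVAILABLE"]),
    "TRAIN_B_FAILS": ("OR", ["PUMP_B_FAILS", "BATTERY_32_UNAVAILABLE"]),  # shared support
}

# Same function with the redundancy the designer intended: one battery per train.
INDEPENDENT_SUPPORT_TREE = {
    "LOSS_OF_LP_RECIRC": ("AND", ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]),
    "TRAIN_A_FAILS": ("OR", ["PUMP_A_FAILS", "BATTERY_A_UNAVAILABLE"]),
    "TRAIN_B_FAILS": ("OR", ["PUMP_B_FAILS", "BATTERY_B_UNAVAILABLE"]),
}

# Constructed per-demand unavailabilities (placeholders, not plant data).
BASIC_EVENT_PROB = {
    "PUMP_A_FAILS": 1e-3,
    "PUMP_B_FAILS": 1e-3,
    "BATTERY_32_UNAVAILABLE": 1e-4,
    "BATTERY_A_UNAVAILABLE": 1e-4,
    "BATTERY_B_UNAVAILABLE": 1e-4,
}


def minimize(cutsets):
    """Keep only minimal cutsets: drop any set that is a proper superset of another."""
    return {c for c in cutsets if not any(other < c for other in cutsets)}


def minimal_cutsets(tree, node):
    """Minimal cutsets of `node` as a set of frozensets of basic-event names.

    OR gate: union of the children's cutsets.
    AND gate: every combination of one cutset from each child, merged.
    """
    if node not in tree:  # basic event
        return {frozenset([node])}
    gate, inputs = tree[node]
    children = [minimal_cutsets(tree, i) for i in inputs]
    if gate == "OR":
        combined = set().union(*children)
    elif gate == "AND":
        combined = {frozenset().union(*combo) for combo in product(*children)}
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return minimize(combined)


def single_point_cutsets(cutsets):
    """Cutsets of size 1: one basic event defeats a function meant to be redundant."""
    return {c for c in cutsets if len(c) == 1}


def basic_events(tree, node):
    """All basic events anywhere beneath `node`."""
    if node not in tree:
        return {node}
    return set().union(*(basic_events(tree, i) for i in tree[node][1]))


def shared_dependencies(tree, train_gates):
    """Basic events that feed every one of the supposedly independent trains."""
    return set.intersection(*(basic_events(tree, g) for g in train_gates))


def top_event_probability(cutsets, probs):
    """Rare-event approximation: sum over cutsets of the product of event probabilities."""
    total = 0.0
    for cutset in cutsets:
        p = 1.0
        for event in cutset:
            p *= probs[event]
        total += p
    return total


if __name__ == "__main__":
    trains = ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]
    for label, tree in (("independent batteries", INDEPENDENT_SUPPORT_TREE),
                        ("shared battery 32", SHARED_SUPPORT_TREE)):
        cs = minimal_cutsets(tree, "LOSS_OF_LP_RECIRC")
        print(f"{label}: {len(cs)} minimal cutsets")
        print(f"  single-point cutsets: {[set(c) for c in single_point_cutsets(cs)]}")
        print(f"  events shared across trains: {shared_dependencies(tree, trains)}")
        print(f"  P(top) ~ {top_event_probability(cs, BASIC_EVENT_PROB):.2e}")
```

The shared-support tree yields the single-event cutset {BATTERY_32_UNAVAILABLE}, which the independent design does not have, and under the rare-event approximation that one cutset dominates the top-event estimate by two orders of magnitude even though no individual component is less reliable. The redundancy is real at the pump level and illusory at the support-system level, and it only shows up when the support systems are modeled in the same tree as the trains they feed, which is the point the Indian Point 3 findings about electrical distribution make in prose.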

By placing the same $1 million limit on each study, a meaningful comparison was anticipated.

There was no shortage of postulated intersystems dependencies that could be counted among the possible causes of safety malfunctions (NRC memorandum, March 20, 1985). From the impressively large number of cutsets generated by both groups of analysts, surprisingly few were safety significant.

Two cutsets contributed an estimated core damage frequency as high as 6 x 10^-6 per reactor-year. The next likely cutset contribution was not greater than about 5 x 10^-8 per reactor-year. The estimated frequencies of occurrence are highly biased by a pessimistic treatment of recovery actions available to the operators. Therefore, a very small fraction of the intersystems dependencies (which are possible to postulate) were even modestly safety significant.

The only safety-significant systems interaction highlighted by BNL was the unavailability of station battery 32 coincident with a safeguards systems actuation signal. This postulated event would leave both low-pressure injection recirculation pumps and other vital equipment unavailable. The loss of station battery 32 does not meet General Design Criterion (GDC) 35 (PASNY, LER 84-010-00, Docket 05000286, July 16, 1984). The postulated event could lead to core damage with an estimated frequency as high as 2 x 10^-6 per reactor-year. The plant was modified and is not now vulnerable to this postulated event.

The first significant systems interaction highlighted by LLNL is a misalignment of preselected service water pumps and valves coincident with a loss of offsite power. Without rapid operator intervention, this postulated event could lead to a reactor coolant pump seal failure and hence a small LOCA and the loss of both core heat removal paths. The postulated event could lead to core damage with an estimated frequency as high as 4 x 10^-8 per reactor-year. (Note: Although this was presented by LLNL as an adverse systems interaction, it does not truly fit the TAP definition.)

The other significant systems interaction highlighted by LLNL is a mechanical failure of the linkage within an interlocking breaker coincident with a loss of offsite power. Without rapid operator intervention, this postulated event could lead to damage to the emergency diesels and the subsequent failure of reactor coolant pump seals, LOCA, and loss of core-heat-removal paths. It was estimated that this postulated event could lead to core damage with a frequency only as high as 5 x 10^-8 per reactor-year.

On the basis of the evaluation of the results of the two demonstration analyses, the staff concludes that there is no one method that alone could serve as a mechanism for resolving concerns regarding adverse systems interactions; in other words, there is no panacea. Significant resources were expended by the two national laboratories and the results indicate that few, if any, risk-significant, functionally coupled systems interactions were uncovered. At least one interaction was uncovered that violated the plant's design basis.

Furthermore, it appears that the ability of one method or another to identify certain systems interactions is often more a function of the skill of the analyst and the modeling detail, than it is a function of a particular method. From this, the staff concluded that there is no one solution to the systems interaction issue and, therefore, focused on a more limited type of analyses. The basis for this was the possibility that a more directed effort, by any number of methods, may be cost effective if it can be determined that certain areas are more prone to significant adverse systems interactions. To this end, the operating experience search was intended to highlight such areas (see Section 5.4). The Indian Point 3 demonstration did point out that the electrical power system, or portions of it, may be such an area. In particular, the study provides some indication that electrical distribution systems sometimes are not designed with total redundancy and channelization and usually include significant non-safety/safety interfaces which make them prone to hidden dependencies.

5.4 Search for Common-Cause Events in Operating Experience

As part of the effort to provide a more focused approach for the resolution of A-17, a set of tasks was defined to search operating experience in order to accumulate a data bank on the types of common-cause events of concern.

The major portion of this work was performed by ORNL, and a summary of ORNL's findings is included in NRC's document, NUREG/CR-3922.

The search emphasized events included in the LER files and involved a screening of those events based on the Task Action Plan definition. On the basis of the characteristics or attributes of the systems interaction events, a group of general categories of SI events was developed. In this manner, it was anticipated that generic areas of concern could be highlighted for possible further action. The results of the ORNL experience review indicate 23 general categories of events that have involved systems interactions. Those categories are listed in Table 4.

23 NUREG-1174


Table 4  Event categories involving systems interactions

  No.  Title                                                                                    Events
   1   Adverse interactions between normal or offsite power systems and emergency power systems     34
   2   Degradation of safety-related systems by vapor or gas intrusion                              15
   3   Degradation of safety-related components by fire-protection systems                          10
   4   Plant drain systems allow flooding of safety-related equipment                                8
   5   Loss of charging pumps due to volume control tank level instrumentation failures              6
   6   Inadvertent ECCS/RHR pump suction transfer                                                    4
   7   HPSI/charging pumps overheat on low flow during safety injection                              6
   8   Level instrumentation degraded by HELB conditions                                            21
   9   Loss of containment integrity from LOCA conditions during purge operations                   10
  10   HELB conditions degrading control systems                                                     3
  11   Auxiliary feedwater pump runout under steamline break conditions                              2
  12   Waterhammer events                                                                            4
  13   Common support systems or cross-connects                                                     18
  14   Instrument power failures affecting safety systems                                            5
  15   Inadequate cable separation                                                                   8
  16   Safety-related cables unprotected from missiles generated from HVAC fans                      3
  17   Suppression pool swell                                                                        3
  18   Scram discharge volume degradation                                                            2
  19   Induced human interactions                                                                    4
  20   Functional dependencies from failures during seismic events                                   5
  21   Spatial dependencies from failures during seismic events                                     13
  22   Other functional dependencies                                                                21
  23   Other spatial dependencies                                                                   30

From these categories, the staff sought to establish possible safety significance (NUREG/CR-4261). This involved consideration of completed or ongoing related regulatory action. In this manner, it was anticipated that some areas would need no further action and any remaining areas of concern could then be evaluated for potential safety significance. In general, where extensive regulatory action was involved, such as IE bulletins or vendor notifications, the event and action taken could be shown to involve other than plant-specific features. The categories for which little regulatory action was taken often involved scenarios that were specific to a particular plant.

The staff then reviewed all the categories to see if some generic aspects related to adverse systems interaction concerns should be identified for action on all plants. The areas are summarized below on the basis of the type of coupling exhibited, that is, functional, spatial, or induced human intervention. ORNL also looked at the general


adequacy of the ongoing evaluations of operating experience.

5.4.1 Functionally Coupled Type

Electric Power System

For purposes of this work, the electric power system includes the offsite sources, the switchyard, the power distribution buses and breakers, onsite generating equipment, and the control power and logic to operate the breakers and start and load the diesel generators. Some of the lower voltage (typically 120-V ac and 125-V dc) power supply portion of the system is also dealt with under Section 5.4.1.5.

As outlined in NUREG/CR-3922 and NUREG/CR-4261, concerns were highlighted in the area of electric power systems in Categories 1 and 13 (Table 4). Three important factors appear to contribute to the possible significance of this area:

(1) It is one of the most (if not the most) extensive support systems in a plant. Power is supplied from various sources including the offsite network, the main plant turbine-generator, and in certain situations, the safety-related diesel generators. Power is then distributed to various items of equipment for normal plant control which are not related to safety, various engineered safety features equipment which is safety related, and various items of equipment for shutdown and decay heat removal.

(2) Given these system demands, the power system is therefore an inherently complex system. A large number of normal operating modes at the plant, as well as transient and accident situations, must be accommodated. Interfaces are created between redundant safety-related equipment as well as between non-safety-related equipment and the safety-related equipment. In addition, the power system itself relies on a number of other support systems such as HVAC and cooling water.

(3) Because of individual plant requirements and situations (a number of significant events occur when the system is in any abnormal temporary alignment), each power system tends to have some unique aspects. Very few specific ASIs can be stated to be generically applicable; however, the staff believes that general classes of electric power events can be potentially generic.

ORNL (NUREG/CR-3922 and NUREG/CR-4261) categorized the electric power system concerns into four areas:

(1) load sequencing/load shedding
(2) diesel generator failures caused by specific operating mode
(3) breaker failures due to loss of dc power
(4) failures that propagate between the safety-related portion and the non-safety-related portion of the power systems

With respect to these four areas of concern, the staff noted that although regulatory practice has allowed non-safety-related equipment to be powered from safety-related buses, this practice has created the potential for a number of undesirable interactions. In such situations, the isolation devices protect the safety-related equipment. These isolation devices have been the subject of much concern, both in the main power supply area (such as breakers that open on fault current or "accident" signals) and in the instrumentation and control power supply area (such as isolation transformers and other devices). In some cases, the "isolation" devices do not isolate the full range of undesirable events. In addition, there are other concerns that the investigation into the A-17 issue has focused on. The ASIs of note involve scenarios in which a non-safety-related load is supplied by a safety-related bus and the non-safety-related load is part of important plant operation and/or control. As a result, a failure in the safety-related portion can create a situation in which a plant transient event occurs and, simultaneously, significant safety-related equipment is unavailable because of the same failure. The most significant types of events appear to be those that involve the instrumentation and control power system. As stated below in the discussion of those specific power supplies, the staff believes that ongoing activities in the area of instrumentation and control power supplies should be integrated and should also address this type of concern.

Plant Support Systems

Concerns related to the area of support systems were noted in Categories 1 (as stated, the electric power system is an extensive support system), 13, 14, 18, and 22 (Table 4). Since the electric power system was dealt with separately, the support systems considered here include cooling water systems; heating, ventilation, and air conditioning systems; lube oil systems; air supply systems; and instrumentation and control systems. As was pointed out for the electric systems, these types of support systems tend to be plant unique to some extent.

The main general concern with some of the support systems involves the potential for them to initiate an event and also degrade the systems necessary to mitigate that event. This potential breakdown in the defense-in-depth philosophy can exist in some plants; however, the safety significance is highly dependent on other plant mitigating features such as remaining independent trains of equipment.


Because the loss of these support systems (including the electrical power system) does not lead to events such as a large LOCA or an MSLB which require immediate operator action, the staff concludes that, except for catastrophic failures (see Section 5.4.2), the potential for recovery of these systems is very great. In conjunction with the conclusions regarding induced human-intervention-coupled SIs (see Section 5.4.3), the staff has not recommended a regulatory action in this area, except for spatially coupled interactions. The staff will, however, communicate to the industry this information on support systems.

Incorrect Reliance on Failsafe Design Principles

One area of adverse systems interactions involved reactor protection (scram) systems, Category 18. The staff recognized that such ASIs could be significant because of the time response demanded of a trip system. An argument similar to the argument given above (that the operator could have the time to fix a problem) does not apply.

The staff believes that the types of ASI identified in the studies were the result of use of a design approach which actually requires the functioning of certain features (for instance, a BWR discharge volume had to be empty) and, therefore, an incorrect reliance on failsafe principles. In fact, the concern with the air system was due to reliance on incorrect failsafe principles. In that case, the air system was assumed to fail safe (i.e., bleed off) and, as a result, a partial failure, at some low pressure, went unanalyzed. Action was taken at all BWRs to correct this problem. In addition, it was noted that the electrical supply system to this scram system also had been previously modified because of similar concerns. Specifically, the electrical power was assumed to fail safe, that is, voltage going to zero, and, as a result, partial failure such as low voltage or high voltage went unanalyzed for a time.

Although the staff is concerned with such scenarios, the concern focuses on the reactor trip system and it is acknowledged that the resolution of A-9, "Anticipated Transient Without Scram (ATWS)," should resolve the concerns in the area of the reactor trip system (RTS). The staff acknowledges that there may be other areas of the plant in which incorrect use of failsafe principles has occurred, but in all cases except the RTS, it is concluded that the safety significance would be less because of the greater time available for the operator to take corrective action. The only exception may be during a large LOCA; however, the probability of a large LOCA occurring in conjunction with these types of partial failures should be low. The staff will, however, communicate to the industry this information on the use of failsafe principles.

Automated Safety-Related Actions With No Preferred Failure Mode

Another area of adverse systems interactions which was highlighted involved the inadvertent actuation of an engineered safety feature (Category 6), inadvertent emergency core cooling system/residual heat removal (ECCS/RHR) pump suction transfer. The most significant characteristic of this area appears to be that such a design feature does not have an "always" preferred (failure) mode. As a result, extra precautions may be needed to avoid (1) a failure to actuate when needed and (2) a failure that actuates the system when not required (i.e., inadvertently). Of particular note is the possibility of inadvertent actuation of these types of functions during testing or maintenance. It is fairly common practice to put portions of the actuation logics in a trip or actuated state and assume that the plant is then in a "safe" condition. Although this may be true for functions that have a preferred (failure) mode, it may not be a conservative assumption for these other functions that do not have an always preferred (failure) mode. The specific area of automatic ECCS switch to recirculation is the subject of a generic issue (GI) that is scheduled for prioritization, GI-24 (NUREG-0933, Rev. 2).

GI-24 will consider the aspect of possible untimely, inadvertent ECCS/RHR pump suction transfer; therefore, the staff concludes that further specific action as part of the A-17 resolution is not warranted. The task manager for A-17 will make the staff responsible for NUREG-0933 aware of the information developed in the ORNL study.

There is some additional concern that other ESF systems may similarly not always have a preferred failure mode. In general, almost all of these systems have been analyzed for inadvertent actuation from a functional standpoint. The staff will, however, communicate to the industry this information on the concern (regarding functionally coupled ASIs) for systems that do not have an always preferred failure mode.

Instrumentation and Control Power Supplies

The ORNL review (NUREG/CR-3922) highlighted several events related to instrumentation and control (I&C) power supplies (Category 14). The events at all plants, and specifically at Babcock & Wilcox plants, have already received significant attention as outlined in the ORNL assessment (NUREG/CR-4261). As stated in Section 3.4.3, there was some concern that the potential for a significant event related to I&C power supply interactions may still exist. Because of this concern, further review work at ORNL was identified.

ORNL completed this work and summarized it in a report entitled, "Survey and Evaluation of Vital Instrumentation and Control Power Supply Events"

(NUREG/CR-4470). The report included a number of I&C power supply failures, some of which led to initiation of a plant transient and partial disabling of a safety system or operator indication.

On the basis of the additional work performed by ORNL and the staff's further review of the area of I&C power, the staff concluded that a significant number of issues and industry efforts were already under way in this area. The results of the A-17 work in this area will be communicated to the industry for information. However, the conclusion that significant activity is already under way in this area has led the A-17 resolution to include a recommendation that all the issues related to I&C power be combined under one task action plan to better expedite and coordinate the work in this critical area. In addition, the ORNL report should be utilized in this combined task.

5.4.2 Spatially Coupled Type

Spatial dependencies appeared in a number of categories, including 3, 4, 8, 10, 15, 16, 21, and 23 (Table 4). This information was used in conjunction with the review of the utility studies in the spatial area.

See Section 5.6 for the staff's conclusions regarding spatially coupled interactions.

5.4.3 Induced Human-Intervention-Coupled Type

The limited treatment of the operator in the study of the A-17 issue (i.e., as a hardwire link) resulted in only a few events in this specific area (Category 19) and, actually, these events could also be classified as another form of functional coupling. Of related interest are those events related to instrument and control power losses (Category 14), since such losses can also lead the operator to a false conclusion.

On the basis of actions taken independently of the A-17 issue in the area of operator indication, and particularly the implementation of Regulatory Guide 1.97 and the issuance of IE Bulletin 79-27, the staff concludes that no additional action should be required for adverse systems interactions of this type at this time. The A-17 investigation will supply any additional information uncovered as a result of instrumentation and control power supply investigations as input to GI-76 (NUREG-0933, Rev. 2).

5.4.4 Adequacy of Ongoing Evaluations of Operating Experience

ORNL reviewed (NUREG/CR-4261) the existing programs for the reporting, evaluation, and dissemination of significant operating experience. This review included the activities considered by AEOD (Section 5.2.5) and IE (Section 5.2.6) and efforts by the industry. On the basis of this review, ORNL concluded that adequate provisions are in place to continue to monitor the operating experience for adverse systems interactions regardless of whether they are specifically labeled as such.

The staff agrees with the ORNL conclusion and is, therefore, considering taking no action in the area of evaluation of operating experience, except for the one-time dissemination of the information from the ORNL study for ASIs (NUREG/CR-3922 and NUREG/CR-4261).

5.4.5 Undesirable Results of Systems Interaction Events

Part of the effort to focus USI A-17 involved a set of definitions which included a set of undesirable results (see Section 3.2). Although no conclusion was reached as to the relative consequences or frequency of the various results (except for undesirable result 5, see below), a closer evaluation of the nature of the events which involve these results led to certain observations.

Undesirable result 1 involves breakdowns in the independence of redundant safety systems, divisions, trains, etc. This is a clear violation of the single-failure criterion, and these events often result from errors such as design or installation errors. Although they sometimes involve subtle couplings, they are still caused by errors that probably cannot be rectified by providing additional guidance on the application of the single-failure criterion.

Undesirable result 2, which addresses the degradation of a safety-related system by a system not related to safety, involves a similar observation. Independence or isolation is clearly required for these cases and typically errors, rather than subtle couplings, cause the problems.

Undesirable results 3 and 4, on the other hand, involve coupling of any plant accident or transient event and the degradation of any safety system including operation information. This aspect of breakdowns in levels of defense in depth has not typically been the subject of as much guidance as the area of independence between safety systems and non-safety systems. One exception may be in regard to the potential for a LOCA or MSLB to result in an environment that can impact safety-related equipment. This area has been the subject of a large effort to qualify the plant equipment to survive these environments.

ASIs of note that were identified as a result of the A-17 study were events that involved a single failure, such as loss of a power supply or other support system, which led to a transient and also led to the loss of a train of some mitigative feature.

Undesirable result 5 was included in the A-17 issue to address events that may involve plant features such as

locked doors or inaccessible areas. The search of operating experience uncovered only a few events of this type (NUREG/CR-3922). In addition, a prioritization (NUREG-0933) of a related area, GI-81, "Impact of Locked Doors and Barriers on Plant and Personnel Safety," concluded that the issue should be dropped from further consideration. Therefore, the staff did not consider this type of adverse systems interaction further.

5.5 Probabilistic Risk Assessments

The following is extracted from the Introduction to NUREG/CR-3852, "Insight Into PRA Methodologies."

    In 1975, a new approach to evaluating reactor reliability and risk, Probabilistic Risk Assessment (PRA), was presented in the Reactor Safety Study (RSS), WASH-1400 [renumbered NUREG-75/014]. This approach is based upon the concept of defining reactor system functions required for specific challenges (event trees) and estimating the probability of failure of system and functional requirements (fault trees). Since the completion of the RSS, reliability and risk assessment methods have been slowly evolving to the degree that they have become generally accepted for providing a reasonable analysis of the safety of a nuclear power plant. During the mid to late 1970s, the Reactor Safety Study Methodology Applications Program (RSSMAP) developed the concept of dominant accident sequences to simplify the construction of detailed event and fault trees. Following RSSMAP, the Interim Reliability Evaluation Program (IREP) sponsored five reliability assessments to determine plant differences by utilizing a variety of probabilistic assessment methods and implementation techniques. In addition to these NRC-sponsored studies, the nuclear power industry has conducted a number of reliability and risk studies. Examples include the Zion, Indian Point, Oconee, and Limerick PRAs. These studies have also made significant advances to the state of the art in probabilistic analysis.

    At the present time about 20 probabilistic safety analyses on specific nuclear power plants have been completed. All of the studies are primarily based on the methods developed in the Reactor Safety Study. However, most of the studies have attempted to improve upon the original probabilistic concepts.

Many of the studies, to one degree or another, address some aspects of the general subject area of systems interactions. Adverse systems interactions constitute a small subset of the general area referred to as "dependencies" in a PRA. The dependencies related to systems interactions involve topic areas such as Modeling of AC Power Systems and Modeling of Logic (Actuation) Systems. There are many other dependencies dealt with which are not systems interactions. Among these are evaluation of human error and common-mode analysis.

Reports published on probabilistic risk assessment (NUREG-1050, NUREG/CR-2300, and NUREG/CR-2815) have consistently identified the area of dependencies as critical to the accuracy of the studies. The failure to adequately treat dependencies, including adverse systems interactions, will repeatedly cause the results to be inaccurate. In terms of probabilities, cutsets are built from independent events so that P(AB) = P(A) P(B). However, where there is some dependency, P(AB) is greater than P(A) P(B). Clearly, by A-17 definitions, not all such dependencies are due to adverse systems interactions because a dependency such as could arise from common maintenance practices (e.g., the case of the Salem A and B scram breakers, NUREG-1000) would also be such a dependency. If a PRA would, through very detailed modeling, include all the system and initiating event dependencies (including functional and spatial dependencies), then it would address all concerns for systems interactions.

No PRA to date has been able to make this sort of claim; however, many have highlighted significant system dependencies that are related to the systems interaction issue.

Additional work has been performed in the general subject area of common-cause event analysis. A guide (NUREG/CR-4780) has been prepared to aid in performing a common-cause analysis as part of a risk or reliability analysis. The guide reflects many years of research by the authors and others in the treatment of dependent failures in reliability and risk studies. As such, it references much related work by organizations such as the Electric Power Research Institute and Pickard, Lowe, and Garrick, Inc.

During its study leading to the resolution of USI A-17, the staff considered both the PRA methods used in these areas and significant systems interactions highlighted by individual studies.

5.5.1 PRA Methods

ORNL reviewed the relationship of systems interactions to PRAs (NUREG/CR-4261) and concluded that there are three keys to adequately model systems interactions:

(1) The model must provide adequate detail about the systems. This detail is required to identify functional


interactions that occur because support systems fail and is also necessary for examining spatial interactions.

(2) The model must utilize extensive plant-specific information. This information includes the location of safety-related equipment and its proximity to both redundant equipment and to items that could affect its safety function. Through the use of such plant-specific information, the spatial systems interactions could be identified. Plant-specific information is also needed for identifying functional interactions that can occur in support equipment such as cooling water and electric power systems.

(3) The models must consider off-normal (i.e., other than anticipated) modes of operation. A number of the systems interactions identified in an operating experience review (see Section 5.4) involved off-normal conditions during which equipment failed because the designer did not anticipate all conditions.

One of the greatest advantages of this type of plant modeling may be found in the process itself: By following patterns of investigation dictated by application of the techniques, the analyst takes a systematic look at plant design and operation. This can provide more insights than just those gained in the traditional design-review process.

To provide a reasonably accurate estimate of the probabilities of accident sequences, a PRA must consider dependencies between the systems and initiating events in the sequence. In some cases this has been done through system failure probabilities (which are derived from failure data that include such things as support system failure) and in other cases explicit detailed modeling has accounted for them.

In either case, the process must include the normal, recognized systems interaction (e.g., where Train A cooling water supports Train A high-pressure injection through bearing cooling). To resolve issue A-17, a PRA would also have to address the adverse systems interactions. The problem (with respect to A-17) is that the dependencies of concern (referred to as adverse systems interactions) are sometimes so hidden or subtle that the analyst would not recognize them and, therefore, would not account for them either in the failure probabilities or through the modeling process.

The staff has concluded that it is not necessary (or even logical) to perform a separate, full-plant-scope study, such as a PRA, solely for the purpose of addressing adverse systems interactions. However, if for other reasons a PRA is performed, the A-17 program results provide the following guidance.

With respect to future PRAs, the staff concludes that numerous methods are available for identifying the adverse systems interactions, but it is more a question of the amount of effort (and therefore dollars) one can expend. Therefore, contrary to the expectation expressed in NUREG/CR-2815, "Probabilistic Safety Analysis Procedures Guide," the staff does not endorse one methodology. On the other hand, the staff reinforces the conclusions reached in NUREG/CR-2815 regarding functional dependencies and physical dependencies.

Specifically, NUREG/CR-2815 concludes:

(1) Functional Dependenc[i]es

All functional dependenc[i]es should in principle be identified at the FMEA phase and/or included in a correctly drawn fault tree. A fault tree should contain in particular all the shared-hardware and direct-process-coupling types of dependenc[i]es. Additional functional dependenc[i]es could be identified if the basic events in the fault trees are further decomposed to simpler events. The level of resolution in a fault tree depends on whether the analyst believes that a dependence could possibly exist at lower levels and on the relevant significance of such dependenc[i]es.

In this last regard, the A-17 program has highlighted a number of areas of concern which should be the focus of such resolution by the analyst (see Section 5.4).

(2) Physical Dependenc[i]es

A search of physical dependenc[i]es generally consists of generating minimal cutsets and examining whether the elements of these sets are susceptible to the same generic causative factor and in addition are connected by an "environmental" conductor that will allow such a dependence to be created by a single source. Computer-aided search procedures have been developed for this purpose and are described in Section 3.7.3.9 of the ANS/IEEE "PRA Procedures Guide" [NUREG/CR-2300].* In applying these techniques, the information generated during the FMEA and put in the form of a generic causative factors list is extremely useful.

Special caution should be exercised if codes that generate minimal cutsets using cutoff probabilities are employed, in order to avoid missing important dependenc[i]es contained in the rejected cutsets.

* Prepared for NRC under auspices of ANS/IEEE.
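The physical-dependency search that NUREG/CR-2815 describes (generate minimal cutsets, test whether the elements share a generic causative factor and an "environmental" conductor, and do not trust a probability cutoff to keep the cutsets that matter), together with the Section 5.5 point that a dependency makes P(AB) larger than P(A) P(B), can be shown on a small fault tree. The Python below is an example added for this page; it is not code from NUREG-1174, ORNL, or the ANS/IEEE guide. The tree, basic-event names, probabilities, room assignments and the beta factor of 0.1 are constructed assumptions. The tree follows the dc-bus pattern this report discusses: one 125-V dc bus supplies actuation power for train A and control power for the breaker that feeds train B, and both trains' control cables run through the same cable room.

```python
"""Minimal-cutset screen for hidden dependencies (added example, not from NUREG-1174).

The fault tree, event names, probabilities, rooms and beta factor below are
constructed assumptions chosen to illustrate the NUREG/CR-2815 search described
in the text; they are not data from any plant study.
"""
from itertools import product
from math import prod

# Basic events: name -> (failure probability per demand, generic causative factor, location).
BASIC = {
    "PUMP_A_FTS": (1e-3, "mechanical", "pump_room_A"),   # train A pump fails to start
    "PUMP_B_FTS": (1e-3, "mechanical", "pump_room_B"),   # train B pump fails to start
    "CABLE_A":    (1e-4, "fire",       "cable_room_1"),  # train A control cable damaged
    "CABLE_B":    (1e-4, "fire",       "cable_room_1"),  # train B cable, same room: spatial link
    "BKR_B_FTC":  (1e-3, "mechanical", "switchgear_B"),  # train B supply breaker fails to close
    "DC_BUS_A":   (2e-5, "electrical", "switchgear_A"),  # 125-V dc bus A unavailable
}

# Two-train injection function, modeled for a loss-of-offsite-power demand.
# Train A needs dc bus A for actuation; train B's supply breaker is closed by
# control power that is also taken from dc bus A.  That shared support is the
# hidden functional dependency; the shared cable room is the hidden spatial one.
TREE = ("AND",
        ("OR", "PUMP_A_FTS", "CABLE_A", "DC_BUS_A"),
        ("OR", "PUMP_B_FTS", "CABLE_B", ("OR", "BKR_B_FTC", "DC_BUS_A")))


def _minimize(sets):
    """Drop any cutset that is a superset of another, keeping the minimal ones."""
    out = []
    for s in sorted(set(sets), key=lambda s: (len(s), sorted(s))):
        if not any(m <= s for m in out):
            out.append(s)
    return out


def minimal_cutsets(node):
    """Expand an (AND/OR, ...) tree into its minimal cutsets, as frozensets."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, *children = node
    child_sets = [minimal_cutsets(c) for c in children]
    if op == "OR":
        return _minimize([cs for sets in child_sets for cs in sets])
    if op == "AND":
        return _minimize([frozenset().union(*combo) for combo in product(*child_sets)])
    raise ValueError(f"unknown gate {op!r}")


def independent_probability(cutset):
    """Cutset probability if its events are independent: the product of the parts."""
    return prod(BASIC[e][0] for e in cutset)


def truncate(cutsets, cutoff):
    """What a cutoff-based code keeps: cutsets at or above the probability cutoff."""
    return [cs for cs in cutsets if independent_probability(cs) >= cutoff]


def screen(cutsets):
    """NUREG/CR-2815 style check on each cutset.

    A one-event cutset means a single failure (here a support system) defeats
    the function.  A multi-event cutset whose elements share both a generic
    causative factor and a location has an 'environmental conductor' through
    which one source can fail all of them.
    """
    findings = {"single_failures": [], "spatial": []}
    for cs in cutsets:
        if len(cs) == 1:
            findings["single_failures"].append(cs)
            continue
        factors = {BASIC[e][1] for e in cs}
        rooms = {BASIC[e][2] for e in cs}
        if len(factors) == 1 and len(rooms) == 1:
            findings["spatial"].append(cs)
    return findings


def top_probability(cutsets, beta=0.0):
    """Rare-event sum over cutsets; spatially coupled sets get a beta-factor term.

    beta * min(p) approximates the common-cause contribution (one fire taking
    out every cable in the room), so P(AB) exceeds P(A) * P(B) for those sets.
    """
    spatial = set(screen(cutsets)["spatial"])
    total = 0.0
    for cs in cutsets:
        total += independent_probability(cs)
        if cs in spatial:
            total += beta * min(BASIC[e][0] for e in cs)
    return total


if __name__ == "__main__":
    full = minimal_cutsets(TREE)
    kept = truncate(full, cutoff=5e-8)
    for label, sets in (("all minimal cutsets", full), ("after 5e-8 cutoff", kept)):
        print(f"{label}: {len(sets)} cutsets, findings {screen(sets)}")
        print(f"  independent P(top) = {top_probability(sets):.3e}; "
              f"with beta=0.1 on spatial sets = {top_probability(sets, beta=0.1):.3e}")
```

Three things fall out. The singleton cutset {DC_BUS_A} appears only because breaker control power was modeled down to the bus, which is the level-of-resolution point in item (1) above; at coarser resolution the two trains look independent. The 5e-8 cutoff rejects exactly the {CABLE_A, CABLE_B} cutset in which the spatial dependency hides, so a screen run on the truncated list reports no spatial finding at all. Once the beta-factor term is applied to that cutset, it contributes about a third of the top-event probability, which is the "rejected cutsets" caution in the guidance above.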


For certain physical dependenc[i]es the search within minimal cutsets can be combined with the PASNY* approach of identifying "targets" and "sources" for these interactions. If critical combinations of "targets" to be examined during "walkthroughs" are defined on the basis of the minimal cutsets, then the efficiency of the "walkthrough" procedure will improve substantially.

As concluded elsewhere (see Section 5.6 on spatial interactions), the staff believes that a focused walkthrough review could be beneficial to safety. If a specific plant PRA is available, the targets and sources could be identified on the basis of the minimal cutsets and the procedure could be improved substantially.

5.5.2 ASIs Identified From Review of PRA Results

The following ASIs were identified from a review of a number of PRAs (NRC memoranda, December 3, 1984, and May 31, 1985) based on the description of the events as compared to the definitions in the A-17 Task Action Plan.

Support Systems

(1) A direct-current bus supplies actuation power to the turbine-driven emergency feedwater pump and to a diesel generator breaker. Therefore, a single dc bus failure (the breaker connecting the bus fails to close) disables two emergency feedwater pumps in the event of a loss of offsite power.

(2) Stripping vital loads from the safety buses on a safety injection signal (even though offsite power has not been lost) and then reloading them sequentially on the bus reduces the reliability of the safety function.

(3) Direct-current bus faults can cause a reactor trip initiating event with concomitant failure of multiple core and containment cooling system trains.

(4) Failures in the component cooling water (CCW) system have been identified as extremely important support system failures which have the potential of being an initiating event along with disabling mitigative systems required for that sequence. These aspects are discussed together in the next section, "Initiating Events."

(5) A pipe failure in an air supply system results in failure of all automatic depressurization system (ADS) valves.

Initiating Events

(1) A CCW system pipe break causes loss of cooling to the reactor coolant pump seals and to the charging pumps which provide seal injection flow. Loss of seal cooling and injection flow may result in seal failure (i.e., small LOCA). Core melt may ensue because the high head safety injection pumps (ECCS) also fail when CCW system cooling is lost. Thus, a single pipe break both initiates the event and disables the systems needed to mitigate it.

(2) Loss of cooling to reactor coolant pump seals for short periods of time (30-60 minutes) may result in seal failure even when the reactor coolant pumps have been tripped.

These examples indicate that PRAs have indeed uncovered some adverse systems interactions. These examples of ASIs occur in the areas of support systems and initiating events coupled with mitigating system failures. They tend to reinforce the areas highlighted by the review of operating experience.

5.6 Study of Seismic/Spatially Coupled Systems Interactions

As the review of operating events and the review of utility SI studies progressed, it became apparent that a very large number of spatial interactions were possible. To attempt to understand these phenomena, a separate effort was defined to review this area. The approach for the review of SI studies was to compare the results of the IP3 study and the Diablo Canyon study, and from this information to draw conclusions about the possible safety significance of the interactions postulated and the costs associated with conducting a more focused program.

The major portion of this work was performed by Mark Technologies Corp. under subcontract to ORNL. That report (NUREG/CR-4306) addresses four major aspects of the programs. These aspects are the targets, the scope of the postulated initiating events, the postulated source failures, and the resulting documentation.

5.6.1 Target Scope

The programs reviewed had broad target scopes. They considered most safety systems and one included refueling and fire-protection components. The differences in scope in each of the programs appeared to have been based on plant-specific licensing and documentation considerations rather than on any cost/benefit or risk-based criteria. The target scope is the most important factor in the level of effort and cost for all of the programs reviewed.

5.6.2 Initiating Events

A review of the programs shows that greater risk significance is associated with those initiators capable of challenging the plant support functions. The greatest risk-significant initiators for the reactor coolant pressure boundary include seismic events and fires. Auxiliary feed-

through the connected systems and causes other failures. In spatially coupled events, failure propagates through less direct paths and, as a result, other failures are less certain.

* Power Authority of the State of New York, now called New York Power Authority (NYPA).

water and other frontline systems have significant risk on!y for plantwide events which are capable of challeng- On the basis of its review, Mark Technologies Corp. out-ing multiple frontline functions simultaneously (e.g., seis- lined a relative ranking of the targets based on the per-mic, fire, flood, and possibly tornado winds). Tornado ceived risk significance of the target groupings.

missiles, local internal missiles, and pipe failure (not seis-mically induced) do not pose significant plant risk outside Vith respect to the targets, the support systems and con-the plant support systems. trols were noted to be of greatest significance, ne basis for this conclusion involves the fact that support systems and controls can potentially affect multiple frontline sys-5.6.3 Source Failures tems as well as possibly initiate a plant transient. In addi-All three programs have postulated large numbers of tion, controls (instrumentation, electrical devices, etc.)

source failures for which limited historical data are avail. tend to be very sensitive to the type of spatial phenomena able and even less quantitative evaluation has been per. (e.g., seismic, flood, spray) which are of concern. These formed. He program scopes of source failures included are followed in decreasing importance by the reactor low-frequency initiating events such as high-energy line coolant pressure boundary, the atr:iliary feedwater breaks, tornado missiles, plantwide floods, and low. (AFW) system and controls, and the other frontline sys-tems, probability seismically initiated component failures such as failure and falling of piping, raceways, and HVAC equipment. In addition to the low-fregrincy initiating With respect to the source or initiating event scope, the failures, the programs postulated interactions with safety Programs considered a number of initiators which in-components such as large mechanical equipment and pip. cluded seismic events, flood, fire, missiles, pipewhip, and ing which could be capable of surviving some impacts. tornado, depending on the target system mvolved.

Other areas of source failure appear to have been less extensively covered. These include, most notably, the ef. The report (NUREG/CR-4306) discusses a simplified fects of water spray on electrical equipment.The postula. search methodology which could be applied to these tar-tion and treatment of water as a source was inconsistent in get groupings and initiating events and provides cost esti-the documentation of both the walkdown and the flooding mates for such searches.

study portions of the programs. Limiting the study to only the most credible source initiators and the resulting cred- 5.6.6 Staff Conclusions ible interactions can produce reductions in cost and opti-mize risk benefit. The staff pencrally agrees with the conclusions of NUREG/CR-.4306.

5.6.4 Documentation The staff believes that for any fut ure SI reviews, the target scope should be limited to the support systems and con-Documentation of the three programs on an m. dividual trols for the systems required for safe shutdown, the safe-source / target basis took a lot of engmeermg and admuus' shutdown systems themselves, and the reactor coolant trative time. Individual documents were generated, re-vised, edited, controlled, tracked, and sorted in the mter- pressure boundary.

ests of ensuring traceability and unique identification of The staff does not believe that further review for spatially the thousands of potential, but m many cases, clearly Iow-probability, low-nsk events. A streamhnea and fo- coupled interactions in the area of the ECCS isjustified.

cused program could be developed with a level of docu-These areas received a lot of review in the past. The review of the ECCS has not focused on all of the areas mentation commensurate with the level of risk associated with the events being investigated.

listed as concerns, but the need for this equipment is predicated on the occurrence of a 1OCA which has a relatively low frequency of occurrence. In addition, the 5.6.5 Analysis of Spatiallv Coupled Systems reactor coolant pressure boundary (RCPB) would be Interactions evaluated as a target system (both as the RCPB itself and under controls such as relief valves) and, therefore, the Each interaction is typically characterized by an initiating potential for a seismically induced LOCA caused by a event or failure, a coupling or transmission of the failure spatially coupled ASI should be low.

effects, and a disabling of a target component, system, and so forth. Of particular note is the uncertain nature of each Furthermore, the staff believes that the initiating events one of these characteristics. Unlike functionally coupled to be considered should include only those related to Asis, in which a failure usually propagates directly seismic events and fluid-related failures such as flooding 31 NUREG-1174

and water intrusion, including spray from low- or moder- that almost every conceivable safety issue could fall .

ate-energy piping. On the basis of other previous or ongo- within the concern, and therefore the issue itself would ing activities, each of the other potential initiating events prove unmanageable.

is believed to be adequately covered.

Therefore, to proceed with a resolution of the concerns With respect to flooding, actions were taken at all plants expressed as " systems interactions," the NRC staff devel-as a result of the event at Quad Cities in 1972 (AEC oped a set of definitions to attempt to give the safety letter, September 26,1972). He actions taken should concern narrower focus. As part of developing this defini-have addressed these areas of concern. (See also SRP tion, it was decided to take advantage of many ongoing Section 3.6.1 and Branch Technical Position (BTP) efforts, so that if some aspects that might be considered ASB 3-1.) However, there is some evidence that not all systems interactions were better addressed by other ef-flooding and water-intrusion interactions werc evaluated. forts, the definitions would direct the A-17 effort away Specifically, both the Diablo Canyon and Indian Point from those areas. As a result, a workable set ofdefinitions studies, as well as some of the SEP reviews (e.g., was developed for the A-17 issue. Many other concerns NUREG-0824) under Topic III-5.B, " Pipe Break Out- were left to be addressed outside A-17.ncse definitions l side Containment," highlighted some potential interac- are crucial to the understanding of the issue and its reso-  !

tions. In addition, operating experience has highlighted a lution. ,

number of events that have involved flooding and water )

intrusion (see Section 5.4.2). On the basis of these find- On the basis of the definitions, a number of tasks were ings, the staff developed a number of insights in the area defined. nese tasks were structured to: (1) make use of of flooding and water intrusion from internal sources (see operating experience and other sources of actual or pos-the Appendix for additional information). tulated events, (2) take maximum advantage of previous systems interaction studies, (3) evaluate the safety signifi-The area of fire protection has received significant atten- cance of systems interactions, and (4) evaluate the safety tion as the result of action taken in response to Appen. benefit and cost effectiveness of potential corrective dix R of 10 CFR Part 50.The overall fire reviews include measures.

the type of considerations identified in the Mark Tech-nologies Corp. report. Because of this, the staff is recom- Because systems interactions events are for the most part mending taking no further action related to fire as a plant specific, the quantification of the potential safety hazard. However, the fire-suppression system itself may significance was extremely difficult. Therefore, the safety be a source for flood or spray. benefit is based mostly on qualitative insights rather than quantitative analysis.

(1) Turbine missiles and (2) tornadoes and tornado mis-siles have been the subject of a number of proposed As a result of the investigation into adverse systems inter-generic issues, namely A-37 and A-38, respectively. actions the staff concluded the following:

These issues were prioritized " drop" and " low," respec-tively. In addition, the SEP group reviewed the area of (1) To address a subject area such as " systems interac-internal missiles t'ader Topic III-4.C and generally con- tions"in its broadest sense tends to be an unmanage-cluded that plants had adequate protection from internal able task incapable of resolution. Some bounds and raissiles. On this basis, the staff is not recommending that limitations are crucial to proceeding toward a resolu-these sources be pursued. tion. Considering this, the staff studying the A-17 is-sue utilized a set of working definitions to limit the As a result of the a'oove considerations and the spatially issue. It is recognized that such an approach may coupled AS!s uncovered by the operating experience re. leave some concerns unaddressed.

view (see Section 5.4), the staff concludes that a focused search for certain spatially coupled systems interactions (2) Theoccurrenceof anactual ASIortheexistenceofa and appropriate corrective measures could benefit safety potential ASI is very much a function of an individ-for some operating plants. ual plant's design and operational features (such as its detailed design and layout, allowed operating 6

SUMMARY

OF STAFF

  • d **' P' '*d "'*** ""d ** " ""d * ^I"" "'" P'"'~

tices). Furthermore, the potential overall safety im-CONCLUSIONS pact (such as loss of all cooling, loss of all electric l power, or core melt)is similarly a function of those l The resolution of any safety issue requires that the nature plant features that remain unaffected by the ASI. In of the concern be clearly described. Concerns described other words, the results of an ASI depend on the as general subject areas. such as common cause, systems availability of other independent equipment and the interactions, and dependent failure, can prove so broad opemtor's response capabilities.

NUREG-1174 32

l l

(3) Although each ASI (and its safety impact)is unique ther investigation showed that this area remains the to an individual plant, there appear to be some char- subject of a number of separate issues and studies. A acteristics common to a number of the ASIS. concentrated effort to coordinate these activities  ;

and to include power supply interactions could l (4) Methods are available (and some are under develop- prove an effective approach in this area. I ment) for searching out sis on a plant-specific basis.

Studies conducted by utilities and nationallaborato. (12) For future plants, additional guidance regarding ries indicate that a full scope plant scarch takes con. ASIS could benefit safety.

siderable time and money. Even then, there is not a (13) The concerns raised by the Advisory Committee on high degree of assurance all, or even most, ASIS will Reactor Safeguards on A-17, but which have not be discovered. 3 been addressed in the staff's study of A-17, should {

be considered as candidate generic issues, separate 1 (5) Functionally coupled ASIS have occurred at a num-ber of plants, but improved operator information fr m USI A-17.

and training (instituted since the accident at Three Mile Island) should greatly aid m recovery actions 7 REFERENCES  ;

i during future events- Advisory Committee on Reactor Safeguards, Letter dated November 8,1974, to the Director of Regulation of (6) Induced human-intervention-coupled interactions the AEC, " Systems Analysis of Engineered Safety Sys-as defined in A-17 are a subset of the broader class tems."

of functionally coupled systems interactions. As stated for functionally coupled Sis, improvements in -- , Letter dated June 17,1977, to Chairman of the l both operator information and operator training will NRC, " Report on the Zion Station, Units 1 and 2." I greatly improve recovery from such events.

-- , Letter dated October 12,1979, to Executive Di-(7) As a class, spatially coupled sis may be the most sig- rector of Operations of the NRC, " Systems Interactions nificant because of the potential for the loss of Study for Indian Point Nuclear Generating Unit No. 3."

equipment which is damaged beyond repair. In many cases, these Asis are less likely to occur because of -- , Letter dated May 13,1986, to Executive Director the lower probability ofinitiating failure (e.g., earth- of Operations of the NRC, "ACRS Comments on Pro-quake, pipe rupture) and the less-than-certain cou- posal Resolution of USI A-17, " Systems Interactions in pling mechanisms involved. However, past operat- Nuclear Power Plants."

ing experience highlighted a number of flooding and water intrusion events and more recent operating Atomic Energy Commission, Letter dated September 26, experience indicates that these types of events are 1972, from R. C. DeYoung to licensees, " Flooding Event continuing to occur (see the Appendix for additional at Ouad Cities, Unit 1."

information). Atomic Industrial Forum, Inc., Letter dated October 8, (8) Probabilistic risk assessments or other systematic 1985, from M. R. Ec an to V. Stello, " Unresolved plant-specific reviews can provide a framework for Safety Issue A-17 Syatms Interactions" identifying and addressing ASIS.

Commonwealth Edison Company," Zion Station Interac-tion Study," Docket 50-304, June 16,1978.

(9) Because of the nature of ASIS (they are introduced into plants by design errors and/or by overlooking Consumers Power Company, " Program Manual Spatial subtle or hidden dependencies), they will probably Systems Interaction Program / Seismic Midland Energy continue to happen. In their evaluations of operat- Center," Revision 1, June 6,1983.

mg expenence, NRC and the nuclear power industry can provide an effective method for addressing Electric Power Research Institute, " Systems Interaction ASIS

  • Identification Procedures," EPRI NP-3834, Vols.15, (10) For existing plants, a properly focused systematic plant search for certain types of spatially coupled -- , EPRI NP-5613, see NRC, NUREG/CR-4780.

ASIS and functionally coupled ASIS (and correction of the deficiencies found) may improve safety. 12wrence Livermore National laboratory / Analytic In-formation Processing, Inc., " Preliminary Syst ems Interac-(11) The area of electric power, particularly instruments- tion Results From the Digraph Matrix Analysis of the tion and control power supplies, was highlighted as Watts Bar Nuclear Power Plant Safety Injection Sys-being vulnerable to relatively significant ASIS. Fur- tems," UCID-19707, June 1983.

33 NUREG-1174

Oak Ridge National Laboratory, ORNL Letter Report, "Summary and Assessment of EPRI Report NP-3834 on 'Systems Interaction Identification Procedures'," February 10, 1986.

Office of Inspection and Enforcement, NRC, Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power Systems Bus During Operation," November 30, 1979.

Pacific Gas and Electric Company, "Diablo Canyon Seismically Induced Systems Interaction Program," Dockets 50-275 and 50-323, May 7, 1984.

Power Authority of the State of New York, "Systems Interaction Study, Indian Point 3," Docket 50-286, November 1983.

--, LER 84-010-000, Docket 50-286, July 15, 1984.

U.S. Nuclear Regulatory Commission, Memorandum dated September 18, 1984, from R. Kendall to D. Thatcher, "Comments on ORNL Draft NUREG/CR-3922."

--, Memorandum dated December 3, 1984, from H. R. Denton to Division Directors, "Insights Gained From Probabilistic Risk Assessments."

--, Memorandum dated March 20, 1985, from A. Thadani to K. Kniel, "RRAB Inputs to the USI A-17 Program."

--, Memorandum dated May 31, 1985, from A. Thadani to K. Kniel, "RRAB Input to USI A-17 Resolution."

--, NUREG-75/014, "Reactor Safety Study-An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," October 1975.

--, NUREG-0471, "Generic Task Problem Descriptions (Categories B, C, and D)," June 1978.

--, NUREG-0572, "Review of Licensee Event Reports (1976-1978)," September 1979.

--, NUREG-0649, "Task Action Plans for Unresolved Safety Issues Related to Nuclear Power Plants," September 1984.

--, NUREG-0660, "NRC Action Plan Developed As a Result of the TMI-2 Accident," May 1980.

--, NUREG-0737, Supplement 1, "Clarification of TMI Action Plan Requirements: Requirements for Emergency Response Capability," January 1983.

--, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," July 1981.

--, NUREG-0824, "Integrated Plant Safety Assessment Systematic Evaluation Program-Millstone Nuclear Power Station, Unit 1," February 1983.

--, NUREG-0933, "A Prioritization of Generic Safety Issues," revised frequently.

--, NUREG-0985, "Human Factors Program Plan," August 1983; Rev. 1, September 1984.

--, NUREG-1000, "Generic Implications of ATWS Events at the Salem Nuclear Power Plant," April 1983.

--, NUREG-1050, "Probabilistic Risk Assessment (PRA) Reference Document," September 1984.

--, NUREG-1070, "NRC Policy on Future Reactor Designs," July 1985.

--, NUREG-1229, "Regulatory Analysis for Pro..."

--, NUREG/CR-1321, "Final Report-Phase I, Systems Interaction Methodology Applications Program," Sandia National Laboratories (SAND80-0884), April 1980.

--, NUREG/CR-1859, "Systems Interactions: State-of-the-Art Review and Methods Evaluation," Lawrence Livermore National Laboratory, January 1981.

--, NUREG/CR-1896, "Review of Systems Interaction Methodologies," Battelle Memorial Institute, January 1981.

--, NUREG/CR-1901, "Review and Evaluation of Systems Interactions Methods," Brookhaven National Laboratory, January 1981.

--, NUREG/CR-2300, "PRA Procedures Guide," Vols. 1 and 2, January 1983.

--, NUREG/CR-2815, "Probabilistic Safety Analysis Procedures Guide," Brookhaven National Laboratory, January 1984.

--, NUREG/CR-2915, "Initial Guidance on Digraph Matrix Analysis for Systems Interaction Studies," Lawrence Livermore National Laboratory.

--, NUREG/CR-3593, "Systems Interaction Results From the Digraph Matrix Analysis of a Nuclear Power Plant's High Pressure Safety Injection Systems," Analytic Information Processing and Lawrence Livermore National Laboratory, July 1984.

--, NUREG/CR-3852, "Insight Into PRA Methodologies," August 1984.

--, NUREG/CR-3922, "Survey and Evaluation of Systems Interaction Events and Sources," Oak Ridge National Laboratory, January 1985.

--, NUREG/CR-4179, "Digraph Matrix Analysis for Systems Interactions at Indian Point Unit 3, Abridged Version," Vol. 1, January 1986; Vols. 2-6 will be available in the NRC Public Document Room, 2120 L Street, N.W., Washington, D.C., Lawrence Livermore National Laboratory.

--, NUREG/CR-4207, "Fault Tree Application to the Study of Systems Interactions at Indian Point 3," Brookhaven National Laboratory, April 1985.

--, NUREG/CR-4261, "Assessment of System Interaction Experience in Nuclear Power Plants," Oak Ridge National Laboratory, June 1986.

--, NUREG/CR-4306, "Review and Evaluation of Spatial System Interaction Programs," Oak Ridge National Laboratory, December 1986.

--, NUREG/CR-4470, "Survey and Evaluation of Vital Instrumentation and Control Power Supply Events," August 1986.

--, NUREG/CR-4780, "Procedures for Treating Common Cause Failures in Safety and Reliability Studies: Procedural Framework and Examples," January 1988.

--, SECY-84-133, "Results of SEP," Enclosure 4, "SEP Phase II Safety Lessons Learned," March 23, 1984.

APPENDIX-INTERNAL FLOODING AND WATER INTRUSION INSIGHTS

Operating events have demonstrated the susceptibility of individual plant components to water intrusion and flooding from internal plant sources. Flooding, as discussed here, includes flooding of equipment by large volumes of water (i.e., equipment submergence) and other forms of water intrusion, including water spraying, dripping, or splashing on sensitive equipment. Examples of these types of events can be found in an operating experience review (References 1 and 2) conducted by the NRC and in individual NRC information notices (References 3-9). A key point apparent from these events is that the quantity of the water involved is not necessarily a measure of the problems that the water can create; the location of the water is much more significant. For example, a small leak that drips down through electrical equipment can have a more severe impact on the plant than an 8-foot flood in a pump compartment. Also, Generic Issue 77, "Flooding of Safety Equipment Compartments by Back-Flow Through Floor Drains," has received a high priority ranking (Reference 10) because of the possibility that plant designs have overlooked backflow through floor drains as a flooding pathway.

All plants should have conducted some flooding-type studies as part of demonstrating conformance to various requirements. These requirements were typically focused on large volumes of water and the potential for submerging equipment.

(1) The general design criteria (10 CFR Part 50, Appendix A) address the area of flooding. Specifically:

GDC 3, "Fire protection," states: "Fire fighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these structures, systems and components designated as important to safety."

GDC 4, "Environmental and dynamic effects design bases," states: "Structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with... normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. These structures, systems and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids, that may result from equipment failures and from events and conditions outside the nuclear power unit. However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping."

(2) As part of environmental qualification requirements of 10 CFR 50.49, submergence was evaluated for certain equipment for water associated with design-basis events.

(3) Generic letters issued to licensed facilities in 1972 required additional review based on an event at the Quad Cities plant.

(4) For more recently licensed plants, the Standard Review Plan (Reference 11) cites the generic letters of 1972, and therefore, flooding-type analysis should have been performed as part of the licensing process.

In addition, all plants should have developed programs for the review of operating experience per the requirements of Item I.C.5 of NUREG-0737 (Reference 12). These reviews should include consideration of NRC information notices and other industry documents such as those issued by the Institute of Nuclear Power Operations (INPO). Both of these have included events involving flooding and water intrusion.

The staff has concluded that existing requirements lack specific guidance regarding water intrusion events that may involve small amounts of water and subtle paths of communication of water or moisture to sensitive equipment.

The staff also recognizes that it may not be possible to identify all subtle pathways and sources. However, the staff believes that risk could be reduced significantly by conducting a focused review that includes:

(1) reviewing actual industry operating experience involving water intrusion for applicability to the licensee's plant,

(2) considering action such as sealing conduit or providing shields for sensitive equipment, and

(3) examining safe-shutdown equipment specifically focusing on the potential for water intrusion problems. Safe-shutdown equipment for a flooding or water intrusion event would typically include the equipment needed to perform the following functions:

• Bring the plant to hot shutdown and establish heat removal.

• Maintain support systems necessary to establish and maintain hot shutdown.

• Maintain control room functions and instrumentation and controls necessary to monitor hot shutdown.

• Provide alternating current and/or direct current emergency power as needed on a plant-specific basis to meet the above three functions.

[Note: In addition to the above equipment, a review should include electrical equipment that could cause inadvertent actuation of components which in turn could hinder the ability to perform these functions (e.g., logic cabinets that actuate the automatic depressurization system).]

On the basis of a large amount of industry experience, the staff has determined that a flooding (including water intrusion) analysis should address the aspects listed below.

Water intrusion includes all forms of water or moisture release from water sources internal to plant structures (e.g., leaks or ruptures of water or steam sources or from fire-suppression system actuation). Regardless of the means of release, the failure mechanism is intrusion of water or moisture to sensitive equipment (e.g., electrical cabinets).

(Note: If an analysis has been performed to demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping (i.e., per revised GDC 4), then fluid discharge associated with that rupture may be excluded from further consideration.)

Water Intrusion Considerations

Sources

The water can and has been released by failure (e.g., leaks, ruptures), by system actuation (e.g., fire-suppression system), or by special plant situations during maintenance or testing. Actual operating experience has demonstrated problems that emanate from:

• domestic water systems (toilets, sinks, eye-wash stations, etc.)
• fire-suppression equipment
• moderate-energy piping systems such as circulating water
• maintenance actions (e.g., draining, venting)
• low-pressure steam and condensate leakage

Pathways

Operating experience has demonstrated that separate rooms do not necessarily provide protection because of

• drain systems that may be plugged or allow backflow
• heating and ventilation ducts and penetrations between rooms
• unsealed doors
• unsealed or inadequately sealed electrical conduit and penetrations (either by design or from inadequate maintenance)
• unusual maintenance situations (temporary drain lines, water barriers)

Operating Experience

Collective industry experience has been described in:

• NRC Information Notice 83-41, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Equipment," June 22, 1983
• NRC Information Notice 83-44, "Potential Damage to Redundant Safety Equipment As a Result of Backflow Through the Equipment and Floor Drain Systems," July 1, 1983
• NRC Information Notice 85-85, "Systems Interaction Event Resulting in Reactor System Safety Relief Valve Opening Following a Fire-Protection Deluge System Malfunction," October 31, 1985
• NRC Information Notice 86-106, Supplement 2, "Feedwater Line Break," March 18, 1987
• NRC Information Notice 87-14, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Ventilation Equipment," March 23, 1987
• NRC Information Notice 87-49, "Deficiencies in Outside Containment Flooding Protection," October 9, 1987
• NRC Information Notice 88-60, "Inadequate Design and Installation of Watertight Penetration Seals," August 11, 1988

REFERENCES

1. U.S. Nuclear Regulatory Commission, NUREG/CR-3922, "Survey and Evaluation of System Interaction Events and Sources," Vols. 1 and 2, January 1985.

2. --, AEOD/C402, "Operating Experience Related to Moisture Intrusion in Electrical Equipment at Commercial Power Reactors," June 1984.

3. --, Information Notice 83-41, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Equipment," June 22, 1983.

4. --, Information Notice 83-44, "Potential Damage to Redundant Safety Equipment As a Result of Backflow Through the Equipment and Floor Drain Systems," July 1, 1983.

5. --, Information Notice 85-85, "Systems Interaction Event Resulting in Reactor System Safety Relief Valve Opening Following a Fire-Protection Deluge System Malfunction," October 31, 1985.

6. --, Information Notice 86-106, Supplement 2, "Feedwater Line Break," March 18, 1987.

7. --, Information Notice 87-14, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Ventilation Equipment," March 23, 1987.

8. --, Information Notice 87-49, "Deficiencies in Outside Containment Flooding Protection," October 9, 1987.

9. --, Information Notice 88-60, "Inadequate Design and Installation of Watertight Penetration Seals," August 11, 1988.

10. --, NUREG-0933, "A Prioritization of Generic Safety Issues," December 1983.

11. --, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," LWR edition, July 1981.

12. --, NUREG-0737, "Clarification of TMI-2 Requirements," September 1980.
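The support-system dependency of Section 5.5.2 (one dc bus feeding both the turbine-driven emergency feedwater pump and the diesel generator breaker), the initiator/coupling/target characterization of Section 5.6.5, and the Appendix's room-to-room water pathways can all be searched with the same one-initiator-at-a-time sweep. The Python model below is an added example, not part of NUREG-1174 or any NRC or licensee tool; the plant layout, component names, pathways and water sources are constructed for illustration, and offsite power is assumed lost.

```python
"""Single-initiator search for adverse systems interactions (ASIs) in a
small plant model.  Each finding is characterized the way Section 5.6.5
describes an interaction: an initiating failure, a coupling (functional
through support systems, or spatial through water pathways between rooms)
and the target safety functions it disables."""
from collections import deque

# Constructed sample model (hypothetical; not taken from any real plant).
# Offsite power is assumed lost, so the 1E ac bus is fed only via the diesel.
SUPPORTS = {  # component -> support components it cannot operate without
    "TD-EFW-pump": {"DC-bus-A"},       # dc actuation power, turbine-driven pump
    "DG-A-breaker": {"DC-bus-A"},      # dc control power closes the diesel breaker
    "AC-bus-1E-A": {"DG-A-breaker"},   # LOOP assumed: diesel is the only source
    "MD-EFW-pump": {"AC-bus-1E-A"},
    "CCW-pump": {"AC-bus-1E-A"},
    "seal-injection-pump": {"AC-bus-1E-A"},
    "RCP-seal-cooling": {"CCW-pump"},  # thermal-barrier cooling from CCW
}
LOCATION = {  # component -> room
    "DC-bus-A": "dc-switchgear-room",
    "DG-A-breaker": "dc-switchgear-room",
    "AC-bus-1E-A": "ac-switchgear-room",
    "TD-EFW-pump": "efw-pump-room",
    "MD-EFW-pump": "efw-pump-room",
    "CCW-pump": "ccw-pump-room",
    "seal-injection-pump": "charging-pump-room",
    "RCP-seal-cooling": "containment",
}
WATER_SENSITIVE = {"DC-bus-A", "DG-A-breaker", "AC-bus-1E-A"}  # buses, cabinets
PATHWAYS = {  # room -> rooms water can reach (drain backflow, ducts, unsealed doors)
    "efw-pump-room": {"dc-switchgear-room"},  # plugged floor drain backs up next door
    "dc-switchgear-room": set(), "ac-switchgear-room": set(),
    "ccw-pump-room": set(), "charging-pump-room": set(), "containment": set(),
}
WATER_SOURCES = {  # source -> room where the water is released
    "deluge-in-efw-room": "efw-pump-room",   # fire-suppression deluge actuation
    "sink-in-ccw-room": "ccw-pump-room",     # domestic water leak
}
FUNCTIONS = {  # safety function -> redundant trains (all components of a train needed)
    "emergency-feedwater": [{"TD-EFW-pump"}, {"MD-EFW-pump"}],
    "rcp-seal-integrity": [{"RCP-seal-cooling"}, {"seal-injection-pump"}],
}


def propagate_functional(failed):
    """Extend a set of failed components through support dependencies to a fixpoint."""
    failed = set(failed)
    changed = True
    while changed:
        changed = False
        for comp, needs in SUPPORTS.items():
            if comp not in failed and needs & failed:
                failed.add(comp)
                changed = True
    return failed


def flooded_rooms(start):
    """Rooms water can reach from the room of release (breadth-first over PATHWAYS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in PATHWAYS.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def lost_functions(failed):
    """Safety functions whose every redundant train contains a failed component."""
    return sorted(fn for fn, trains in FUNCTIONS.items()
                  if all(train & failed for train in trains))


def search_single_initiators():
    """Try each component failure (functional coupling) and each water source
    (spatial coupling) one at a time; keep initiators that defeat a function."""
    candidates = [("functional", c, {c}) for c in sorted(LOCATION)]
    for src, room in sorted(WATER_SOURCES.items()):
        wet = flooded_rooms(room)
        direct = {c for c in WATER_SENSITIVE if LOCATION[c] in wet}
        candidates.append(("spatial", src, direct))
    findings = {}
    for coupling, initiator, direct in candidates:
        failed = propagate_functional(direct)
        lost = lost_functions(failed)
        if lost:  # a target function is disabled: this is an ASI candidate
            findings[f"{coupling}:{initiator}"] = {
                "coupling": coupling, "direct": sorted(direct),
                "failed": sorted(failed), "lost": lost}
    return findings


if __name__ == "__main__":
    for key, f in search_single_initiators().items():
        print(f"{key}: directly fails {f['direct']}, cascades to "
              f"{len(f['failed'])} components, disables {f['lost']}")
```

Run stand-alone, the block lists the four single initiators that defeat a function; the deluge case shows both pumps in the sprayed room surviving while drain backflow into the dc switchgear room removes both feedwater trains, which is the "location, not quantity" point the Appendix makes.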

NRC FORM 335 BIBLIOGRAPHIC DATA SHEET

Report number: NUREG-1174

Title and subtitle: Evaluation of Systems Interactions in Nuclear Power Plants. Technical Findings Related to Unresolved Safety Issue A-17

Author: Dale Thatcher

Date report completed: April 1989

Date report published: May 1989

Performing organization name and mailing address: Division of Safety Issue Resolution, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

Sponsoring organization name and mailing address: Same as above.

Type of report: Technical

Abstract (200 words or less): This report presents a summary of the activities related to Unresolved Safety Issue (USI) A-17, "Systems Interactions in Nuclear Power Plants," and also includes the NRC staff's conclusions based on those activities. The staff's technical findings provide the framework for the final resolution of this unresolved safety issue. The final resolution will be published later as NUREG-1229.

Keywords/descriptors: Unresolved Safety Issue A-17; Systems Interactions

Availability statement: Unlimited

Security classification (this page): Unclassified

Security classification (this report): Unclassified
