Text

Regulatory Analysis for Resolution of USI A-17.Systems Interactions in Nuclear Power Plants
	ML20245K735
Person / Time
Issue date:	08/31/1989
From:	Thatcher D; NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To:	;
References
	REF-GTECI-A-17, REF-GTECI-SY, TASK-A-17, TASK-OR NUREG-1229, NUDOCS 8908210132
	Download: ML20245K735 (26)
	v • d • e

_

NUREG-1229 Regulatory Ana.ysis ::or Resolution 0: TSI A-17 Systems Interactions in Nuclear Power Plants

.U.S. Nuclear Regulatory Commission Ofrece of Nuclear Regulatory Research D. F. Thatcher

$ ^ 'o

(

e%,;sfQ..7

%*f0);,4 i HRS 2A8Ai! ' "'DR P 1229 R

AVAILABILITY NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555

2. The Superintendent of Documents. U.S. Government Printing Office, P.O. Box 37082.

Washington, DC 20013-7082 3 The National Technical information Service, Springfield VA 22161 Although the listing that follows represents the majority of documents cited in NRC publica-tions, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investi-gation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceed-ings, and NRC booklets and brochures. Also available are Regulatory Guides NRC regula-tions in the Code of Fedcral Regulations, and Nuclear Regulatory Commission issuances.

Documents available f rom the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from pubhc and special technical libraries include all open literature items, such as books, joumal and periodical articles, and transactions. Federal hegister notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreagn reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon wri: ten request to the Office of Information Resources Management, Distribution Section. U.S.

Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantwe manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copy-righted and may be purchased from the originating organization or. if they are Amencan National Standards, from the Arnerican Nationa! Standards institute. 1430 Broadway, New York. NY 10018.

NUREG-1229 Regulatory Anaysis for Resolution of USI A-17 Systems Interactions in Nuclear Power Plants Manuscript Completed: May 1989 Date Published: August 1989 1

i D. F. Thatcher Division of Safety Issue Resolution l Omce of Nuclear Regulatory Research l U.S. Nuclear Regulatory Commission I Washington, DC 20555 ff "%,

s.....

ABSTRACT This report presents a summary of the regulatory analysis inducing erroneous human intervention.,nc staff has conducted by the NRC staff to evaluate the value and im- identified actions to be taken by licensees and the NRC to pact of potential alternatives for the resc!ution of Unre- resolve USI A-17; the staff has also made the judgment solved Safety Issue (USI) A-17," Systems Interactions in that these actions, together with other ongoing activities, Nuclear Power Plants." The NRC staff bases the resolu- would reduce the risk from adverse systems interactions.

tion offered in this report on this analysis. The staff's As discussed further in this report, the staff judgment that technical finding regarding systems interactions can be the actions are sufficient is not based on the assertion that found in NUREG-1174. all systems interactions have been identified, but rather that the A-17 actions, plus other activities by the licen-Adverse systems interactions (ASIS) involve subtle and sees and staff, will identify precursors to potentially risk-often very complicated plant-specific dependencies be- significar., interactions so that action can be taken if tween components and systems, possibly compounded by deemed necessary.

iii NUREG-1229

i L

CONTENTS Page AUSTRACI'....................................................................- . iii EXECUTIVE SUMM ARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii 1

1 STATEM ENT O F TH E PROB LEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1 2

SUMMARY

OF TECHNICAL FINDINGS AND CONCLUSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1 2.1 Syst ems int eract ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1 2.2 Adverse Systems Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.3 Undesirable Result (Produced by sis) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2.4 Classification of Adverse Systems Interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.5 Con cl u sion s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4

3 ALTE R NKITVES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3.1 Alternatives for Operating Plants . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4

3.2 Alternatives for Future Plants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3.3 Alternatives for Improving Systematic Plant Reviews Such As Probabilistic Risk Assessments . . . . . . . . . 4 3.4 Alternatives for Evaluating Operating Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4 DISCUSSION OF ALTERN ATIVES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.1 Alternatives for Operating Plants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.2 Alternatives for Future Plants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.3 Alternatives for Improving Systematic Plant Reviews (Such As PRAs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4.4 Alternatives for Evaluating Operating Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5 DASES FOR RESOLUTION OF UNRESOLVED SAFETY ISSUE A-17 . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 14 6 R ES O LUTI O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6.1 Provide Information on ASIS to Ongoing Evaluations of Operating Experience . . . . . . . . . . . . . . . . . . . . . 14 6.2 Acknowledge Seismic SI Aspects of USI A--46 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 6.3 Consider Flooding and Water Intrusion From Internal Sources in Individual I lant Examinations . . . . . . 16 6.4 Provide for the Integration and Coordination of Electrical and Instrumentation and Control Power 16 S upply Issu es and Conce rn s . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6.5 Provide Guidance for Future PRA or Other Systematic Plant Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 6.6 Define Potential GenericIssues'Ihat Are Not included As Part of the A-17 Resolution or Other 16 R egulatory Program s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

......... ............... ............... 16 6.7 Develop a Standard Review Plan for Future Plants .

...... .. ......... 16 7 REFERENCES . . . .. ............... ............... ........ ....

Tabies 3 Scope of USI A-17," Systems Interactions": General subject area involves system failures which are due 2

to system dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... ..... ..................

.. ... .. .. . .. .... ... .. ........ .... 15 2 Resolution of USI A-17 . . . . . . . . . . . . . . . .

v NUREG-1229

EXECUTIVE

SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) has Adverse Systems Interaction (ASI) concluded its technical evaluation of Unresolved Safety Issue (USI) A-17,

Systems Interactions in Nuclear A systems interaction that produces an undesirable re-Power Plants." The present report summarizes the re- sult.

sults of the regulatory analysis conducted by the NRC Undesirable Result (Produced l>y sis) staff ta formulate the resolution oiUSI A-17.1he techni.

cal findings and conclusions used in this report are based .

This was defined by a list of the types of events that were on those presented in NUREG-1174," Evaluation of Sys-to be considered in USI A-17.

tems Interactions in Nuclear Power Plants: Technical Findings Related to Unresolved Safety Issue A-17." . Degradation of redundant portions of a safety sys-tem, including consideration of all auxiliary support functions. Redundant portion 3 are Ihose considered As emphasized in NUREG-1174, the set of definitionsis to be independent in the design and accident analy-critical to proceeding with resolution of the issue. Those sis (Chapter 15) of the Final Safety Analysis Report definitions are repeated in this document. (FSAR) of the plant. (Note: This would violate the single-failure criterion.)

Because of the complex and interdependent network of ,

Degradation of a safety system by a non-safety sys-systems, structures, and components that constitute a nu-tem. (Note: This result would demonstrate a break-clear power plant, the scenario of almost any, sigmfdown in presumed cantevent can" isolation ")

be characterized as a " system a result, the staff recognized that if the term " systems in'

Initiation of an " accident"[c.g., loss-of-coolant acci-teraction were interpreted in a very broad sense it be- dent (LOCA), main steamline break (MSLII)] and came an unmanageable safety issue. To begin to address (1)the degradation of at least one redundant portion perceived safety concerns within this potentially broad of any one of the safety systems required te titigate subject area, requires a narrowing of the scope. To this iegra-end, a set of definitions b2. sed on the perceived safety con- that dation event (Chapter of critical operator15,FSAR analyses)or information suffici a' ent to cerns has been developed. cause the operator to perform unanalyzed, unas-sumed, or incorrect actions. (Note: This includes failure to perform correct actions because of incor-it is recognized that by narrowing the focus, all concerns that could be characterized as systems interactions may rect information.)

not be addressed. It is, therefore, extremely important .

Initiat20n of a " transient"(including reactor trip)and that the scope and boundary of the program be as clearly (1) the degradation of at least one redundant portion defined (and understood) as possible. Then, should con-f any one of the safety systems required to mitigate cerns still exist after the program has been completed, the event (Chapter 15, FSAR analyses) or (2) degra-those concerns could be addressed as part of any separate dation of critical operator information sufficient to efforts deemed necessary.

cause the operator to perform unanalyzed, unas-sumed, or incorrect actions. (Note: This includes The following terms and definitions were used in the failure to perform correct actions because ofincor-A-17 program: rect information.)

+ Initiation of an event that requires plant operators Systems Interaction (SI) to act in areas outside the control room (perhaps be-cause the control room h being evacuated or the An action or inaction (not necessarily a failure) of various pl nt is being shut down) and disruption of the ac-cess to these areas (for example, by disruption of the systems (subsystems, divisions, trains), components, or semrity system or isolation of an area when fire structures resulting from a single credible failure within doors are closed or a suppression system is actu-one system, component, or structure and propagation to ated).

other systems, components, or structures by inconspicu-ous or unanticipated interdependencies. The major dif-ference between an SI and a classic single-failure event is 'Ihe intersystem dependencies (or systems interactions) in those hidden or unanticipated aspects of the initiating have been divided wo (nree classes based on the way they failure and/or its propagation. propagate:

vii NURIiG-1229

s f

I l l l

l Functionally Coupled (1) Send a generic letter to all plants providing informa-Those sis that result from sharing of common systems /

components; or physical connections between systems, (2) Consider the insights developed in the resolution of -

meludmg electrical, hydraulic, pneumatic, or mechanical. A-17 for flooding and water intrusion from internal i Spatially Coupled p

{Iant sources in the Individual Plant Ex Those sis that result from sharing or proximity of struc- i tures/ locations, equipment, or components or by spatial (3) Consider systems interactions involving the electn- j inter-ties such as heating, ventilation, and air condition- cal power systems in the integrated program on elec- i ing (HVAC) and drain systems. trical power reliability. i InducedHuman-Intervention Coupled (4) Provide information for use in future probabilistic j Those sis that result when a plant malfunction (such as assessments @ ras).

failed indication) inappropriately induces an operator ac-tion, or when a malfunction inhibits an operator's ability (5) Provide a framework for addressing those other con-to respond. As analyzed in the A-17 program, these JIs cerns related to systems mteractions which are not ;

are considered another example of functionally coupled covered by the A-17 program.

ASIS. (Note: Random human errors and acts of sabotage are excluded.) (6) Acknowledge that the resolution of USI A-46 ad-dresses aspects of systems interactions.

As a result of the staff's studies of alternative actions that might resolve the A-17 safety issue, the staff has con- (7) Develop a standard review plan for future plants to cluded that certain actions should be taken. These actions address protection from internal flooding and water are: intrusion.

I NUREG-1229 viii

REGULATORY ANALYSIS FOR PROPOSED RESOLUTION OF USI A-17:

SYSTEMS INTERACTIONS IN NUCLEAR POWER PLANTS 1 STATEMENT OF THE PROBLEM Eram has been completed, those concerns could be ad-dressed as part of any separate efforts deemed necessary.

A nuclear power plant is composed of numerous systems, The terms and definitions used in the A-17 program fol-structures, and components which are designed and ana- low in Sections 2.1 through 2.4. In addition. Tabic 1 lyzed by several engineering disciplines. The degree of (which is reproduced here from NUREG-1174) is in-functional and physical integration of all these systems, cluded to help clarify the scope of A-17 and its bases.

components, and structures into any single power plant may vary considerably. Concerns have been raised which 2.1 Systerns Interaction question the adequacy of this functional and physical inte-gration coordination process. Also,it has been postulated A systems interaction (SI) is an action or inaction (not that adverse systems interactions (Asis) may be inadver- necessarily a failure) of various syst ems (subsyst ems, divi-tently incorporated into phnts by inadequacies in the sions, trains), components, or structures resulting from a process. Given that a nuclear power plant includes many single credible failure within one system, component, or systems, components, and structures, including (1) sys- structure and propagation to other systems, components, tems that normally control the plant, (2) systems that re- or structures by inconspicuous or unanticipated interde-spond to off-normal events, and (3) systems that both pendencies. The major difference between an SI and a functionally and physically support other systems, it is classic single-failure event is in those hidden or unantici-reasonable to suspect that such interactions may exist, pated aspects of the initiating failure and/or its propaga-Current regulatory requirements and guidance address tion.

this area. The unresolved safety issue (USI) A-17 pro-gram was initiated to investigate the area of systems inter- 2.2 Adverse Systems Interaction actions and to consider viable alternatives for regulatory requirements (including doing nothing) to ensure that ad- An adverse systems interaction (ASI)is an SI that pro-verse systems interactions have been or will be minimized duces an undesirable result.

at operating plants and at new plants.

2.3 Undesirable Result (Produced by 2

SUMMARY

OF TECHNICAL sis)

FINDINGS AND CONCLUSIONS A list of types of events that were to be considered in USI e s 2 tenm

'Ihe technical findings and conclusions presented here are based on the results reported in NRC staff report (1) Degradation of redundant portions of a safety sys-NUREG-1174. tem, including consideration of all auxiliary support functions. Redundant portions are those considered to be independent in the design and accident analy-Because a nuclear power plant is composed of systems, sis (Chapter 15) of the Final Safety Analysis Report structures, and components both complex and interde-(FSAR) of the plant. (Note: This would violate the pendent, any significant event scenario can potentially be smgle-failure criterion.)

characterized as a " systems interaction." As a result, the staff has determined that if the term sptems interaction (2) Degradation of a safety system by a non-safety sys- I were interpreted m its broadest sense, it became an un- tem (Note: This result would demonstrate a break-j manageable safety issue. To begin to address perceived down in presumed " isolation.")

safety concerns within this potentially broad subject area, requires some focusing. One way to focus on such an ef- (3) Initiation of an " accident"[e.g.. loss-of-coolant-acci-fort is to develop a working set of definitions based on the dent (LOCA), main steamline break (MSLB)] and perceived safety concerns. (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate It is recognized that by the very nature of narrowing the that event (Chapter 15, FS AR analyses)or (b) degra-focus, all concerns that could be characterized as systems dation of critical operator information sufficient to l interactions may not be addressed. It is, therefore, ex- cause the operator to perform unanalyzed, unas- i tremely important that the scope and boundary of the fo- sumed, or incorrect actions. (Note: This includes cused program be as clearly defined (and understood) as failure to perform correct actions because of incor-possible. 'Ihen, should concerns still exist after the pro- rect information.)

1 NURI G-1229

< 2 %

l k f,.

',~ '

Table 1. Scope of USI A-17," Systems Interactions": General subject area involves system failures which are

' due to system dependencies IConcerns Covered by - Clarification

' (1) i Recognized / analyzed single failures . .. - Existing regulations . . . Not analyzed in A-17 '

' directly. propagate to other equipment / ~*-' ; Single failure dermed in the

~

L systems within the same safety division . :GDC- 'l '

L (2) ' Single failures' subtly propagate to cause . USI A-17 definition of adverse -

y ' ' plant transients / accidents and/or degrade systems interactions the required safety systems. Includes .

+ Subtle spatialinter-ties l

. i Subtle functional inter-ties j b

1

'(3) Common failure of redundant safety Improvementsin maintenance Not analyzed in A-17 '

systems due to commonalities such as: !

and test procedures, ATWS rule,

{

A-44 proposed rule i

~.: Same manufacturing defect '

. j Same testing error a

Same maintenance error (4) Operator errors that disable redundant ' . Improvements in operator' Not analyzed in A-17.

safety systems training l

(5) Events that could cause multiple plant USI A-46 plus current licensing; Not analyzed in A-17, problems simultaneously: requirements cover earthquakes ' except for internal flooding /

waterintrusion events

. . Particularly earthquakes . Appendix R deals with fire occurring one at a time ;

' +~ Also fire and pipe break / flooding i Equipment qualification rule ;

(10 CFR 50.49) deals with 1 design-basis pipe breaks None of these programs deals' .I with multiple, simultaneous events.

Therefore, this area is to be j further evaluated under the ;

- Multiple System Responses Program.

1 i

(4)' Initiationofa" transient"(includingreactortrip)and cess to these areas (for example, by disruption of the (a) the degradation of ut icast one redundant portion {

security system or isolation of an area when fire j of any one of the safety systems required to mitigate doors are closed or when a suppression system is ac- l the event (Chapter 15, FSAR analyses)or (b)degra- tuated). i

dation of critical operator information sufficient to I cause the operator to perform unanalyzed, unas- l sumed, or incorrect actions. (Note: This includes j failure to perform correct actions because of incor- 2.4 Classification of Adverse Systems i rect information.) '

Interactions ,

1 (5) J Initiation of an event that requires plant operators !

to act in areas outside the control room (perhaps be- The intersystem dependencies (or systems interactions) j cause the control room is being evacuated or the have been divided into three classes based on the way they ]

- plant is being shut down) and disruption of the ac- propagate:

' NUREG-1229 2

_ _ - - - - - - _ _ - - --_.a____. - _- - - - - -- - .__ ----_--a_ . - - . - -

- Amctionally Coupled rics indicate that a full-scope plant search takes con-siderable time and money. Even then, there is not a nose sis that result from sharing of common systems / high degree of assurance all, c- ven most, Asis will components; or physical connections between systems, be discovered.

including electrical, hydraulic, pneumatic, or mechanica!.

(5) Functionally coupled ASIS have occurred at a num-Spatially Coupled. ber of plants, but improved operator information and training (instituted since the accident at Three nose sis that result from sharing or proximity of struc- Mile Island) should greatly aid in recovery actions tures/ locations, equipment, or components, or by spatial during future events.

inter-ties such as heating, ventilation, and air condition-ing (IIVAC)and drain systems. (6) Induced human-intervention-coupled interactions as defined in A-17 are a subset of the broader class Induced HumanJntervention Coupled of functionally coupled Sis. As stated for function-ally coupled sis, improvements in both operator in-Those sis that result when a plant malfunction (such as formation and operator training will peatly improve failed indication) inappropriately induces an operator ac- recovery from such events.

tion, or when a malfunction inhibits an operator's ability to respond. As analyzed in the A-17 program, these sis (7) As a class, spatially coupled sis may be the most sig-are considered another example of functionally coupled nificant because of the potential for the loss of Asis. (Note Random human errors and acts of sabotage equipment which is damaged beyond repair. In many

. are excluded.) cases these ASIS are less likely to occur because of the lower probability ofinitiating failure (e.g., carth-9". ke, pipe rupture) and the less-than-certain cou-2.5 Conclusions plmg mechamsms mvolved. Ilowever, past operat-ing experience highlighted a number of internal As a result of the staff's studies of ASIS undertaken as flooding and water intrusion events and more recent part of its search for a solution to the USI A-17 safety is- operating experience indicates that these type of sue, the staff has concluded the following: events are continuing to occur.

(1) To address a subject area such as " systems interac- . . .

tions"in its broadest sense tends to be an unmanage. (8) Probabilistic risk assessments or other systematic able task incapable of resolution. Some bounds and plant-specific reviews can provide a framework for limitations are crucial to proceeding toward a resolu- identifymg and addressmg ASIS.

tion. Considering this, the A-17 program utilized a (9) Ilecause of the nature of ASIS (they are introduced set of workmg definitions to limit the issue. It is rec-nto plants by design errors and/or by overlooking ognized that such an approach may leave some con-cerns unaddressed, subtle or hidden dependencies), they will probably continue to happen. In their evaluations of operat-I"E "P"'.cnce, NRC and the nuclear power industry (2) ne occurrence of an actual ASI or the existence of a can provide an effective method for addressmg potential ASI is very much a function of an individ- g ,'

ual plant's design and operational features (such as its detailed design and layout, allowed operating (10) For existing plants, a properly focused, systematic modes, procedures, and test and mamtenance prac- plant scarch for certain types of spatially coupled tices). Furthermore, the potential overall safety im- Asis and functionally coupled Asis (and correction pact (such as loss of all cooling, loss of all electne of the deficiencies found) should improve safety.

power, or core melt)is similarly a function of those plant features that remain unaffected by the ASI. In (11) The area of electric power, and particularly instru- )

other words, the results of an ASI depend on the mentation and control power supplies, was high- )

availability of other independent equipment and the lighted as being vulnerable to relatively significant '

operator's response capabilities. ASIS. Further investigation showed that this area re-mains the subject of a number of separate issues and (3) Although each ASI (and its safety impact) is unique studies. A concentrated effort to coordilnate these to an individual plant, there appear to be some char- activities and to include power wpply interactions j acteristics common to a number of the Asis. should provide a more effective approach in this !

area.

(4) M ethods are available (and some are under develop-ment) for searching out sis on a plant-specific basis. (12) For future plants, additional guidance regarding Studies conducted by utilities and national laborato. Asis could benefit safety.

3 KURiiG-1229

m

.l 6

(13) The concerns raised by the Advisory Committee on (5) . Requiring all plants to do a focused individual study j

- Reactor Safeguards (ACRS) on A-17, but which . in specific areas for spatially coupled and function- '

r have not been addressed in the staff's study of A-17, ally coupled ASIS would necessitate that individual i h should be considered as candidate generic issues, plants do evaluations in rather specific areas based -

n separate from USI A-17. on guidelines that would focus the more significant .

concerns for ASIS. As a result of individual plant evaluations, actions may be required -

Although there does not seem to be a generic safety con- l cern that warrants immediate attention, some potential !

exists for plant-specific problems and, therefore, alterna- 3.2 Alternatives for Future Plants !

tivas for action were considered further. l (1) . Adding a new and separate ASI review section to the 1 Standard Review Plan would inaugurate a new sec- i 3 - ALTERNATIVES tion in . the Standard Review Plan ' (SRP)

(NUREG-0800) containing a set of acceptance cri- ;

The alternatives considered were grouped into four areas: teria and review guidelines, and designating a lead l review branch.

(1) the'need to take action at operating plants 1 (2)

laking no action would indicate that the require- 1 (2) the adequacy of current licensing requirements and ments and guidance in the SRP are adequate and no . :

guidance (for future plants) new guidance is necessary.

{

1

. . (3) . Providing additional regulatoryguidance/ criteria for ]

(3) the possibility of providing additional guidance for ASIS would consider the existing regulatory guid- i those utilities which perform a sy tematic safety ance (e.g., acceptance criteria and review guidelines) analys,is such as a probabilistic risk assessment in the appropriate sections of the SRP and would es-(PRA) tablish the adequacy of the guidance. Where the guidance is inadequate, individual revisions would

-(4) the adequacy of the existing processes for review and be proposed.

evaluation of operating experience ;

t

'Ihen, for each of these areas, various alternatives wer 3.3 Alternatives for Improving System- !

considered as discussed below. atic Plant Reviews Such As Proba-bilistic Risk Assessments 3.1' Alternatives for Operating Plants (1) Providing additional guidance for future systematic reviews would involve developing new guidance to :

(1) Requiring a comprehensive plant study would in- such studies.

volve modeling the plant dependencies (functional ,

and spatial) and then evaluating them. (2) Taking no action would conclude that present guid- -l ante is sufficient. j (2) Taking no action would involve addressing only the .. . !

- requirements already resulting from previous atten. (3) Requiring a specific scarch method for uncovering !

tion to ASIS. such as staff bulletins and generic let- Asis would endorse one particular method as the so- ;

ters. lution for the subject area of ASIS and would recom- '

mend that all systematic type reviews use it.

{

(3) ; Requiringall plants to meet a prescriptive set of spe- l cific generic requirements would involve imple- 3A Alternatives for Evaluating Operat- '

menting specific plant actions and/or modifications !

to specific systems. In the past, this approach has ina Experience ;

. been used for individual ASIS. (1) Providing for new recommendations in the future l cvaluation of operating experience for ASIS would ;

(4) . Requiring all plants to provide a separate and inde- consider the existing programs that deal with operat-pendent, alternate shutdown system would involve ing experience and would make recommendations l the design and implementation of a functionally and for improving them to address ASIS.

physically independent plant system (s) that would be free from ASIS with respect to the rest of the (2) Taking no action would consider the present pro-plant. grams for the review and dissemination of operating j NUREG-1229 4

. o

experience and would conclude that they are ade. Considering that a significant safety benefit was not evi-quate with respect to ASIS. dent and considering the high costs of a full study, this al-ternative was not seen as a viable option. Assuming a cost-(3) Providing information on ASIS to ongoing evalu. to-benefit criterion of $1000 per man-rem, at $10 million ations of operating experience would involve the per plant study, a safety benefit (for 100 plants) of 1 mil-one-time dissemination of information developed lion man rem would have to be realized.

regarding Asis.

Take no action.

4 DISCUSSION OF ALTERNATIVES His alternative would be to take no actions beyond the actions already resulting from all the previous attention given to ASIS (e.g., IE bulletins, IE notices, and 10 CFR 4.1 Alternatives for Operating Plants 50.49). I Require a compechensive plant study. This alternative was seriously considered; however, the staff believes that there is still 'some potential for plant-his alternative would require all plants to perform a specific Asis based on the results of funher review of the large study for sis. He study would consider the total utility studies, further review of the operating experience, I plant and would address both functionally and spatially and plant-specific PRAs.

coupled Asis.

No safety benefit is involved with this alternative nor are A number of large studies have been performed by industry costs involved in such a resolution.

utilities such as Pacific Gas and Electric (May 1984), the Power Autbority oi the State of New York (June 1983), Require allplants Io meet aprescriptire set ofspecific ger:eric and Consumers Power Company (June 1983). In addition, requirements.

the NRC, sponsored two studies by nat onal laboratories i at one plant, Indian Point Station, Unit 3 (NRC, .

NUREG/CR-4179, and NRC, NUREG/CR-4207). The intention of this alternative would be to require a None of these studies could be called a comprehensive or specific set of plant " fixes ' based on results of previously full plant study, except possibly the overall Midland pro- c nducted Si studies and the A-17 work.1 rom these re-sults, a list of actual and postulated events would be com-gram (Consumers Power Company, J une 1983) which was never completed. Each of the other studies had a limited piled.The objective of the plant-specific review would be to ensure that certam specific events would not occur at scope (to varying degrees) based on a specific set of objec-that facility.This alternative was judged to be impractical tives and/or assumptions.

for two reasons. First, a large number of the sis that have occurred have already been dealt with at the facilities in The staff's review of Asis (both postulated and actual) question. Action was generally taken in response to ge-has shown that selecting this alternative provides only a neric letters or IE bulletins. Sometimes the industry initi-small potential to reduce risk. ated its own action. In some cases, post ulated events (that is, events that have not actually occurred) have also been The safety benefit of the completed programs was ex- the subject of generic letters or IE bulletins. Second, most tremely hard to quantify. In general, based on the re- existing nuclear power plants have significant differences ported results, many modifications were made but the in systems, components, and structures in the areas of utilitics considered few, if any, truly safety significant. concern highlighted in the review of operating experience Some quantification of safety benefit has been estimated and the review of utility studies. For example, probably no on the basis of the NRC-sponsored work. As reported in two plants are identical in physical aspects (except maybe the evaluation of the two demonstration analyses for sis, a dual-unit plant) and no;wo plants have identical electri-the one event considered to be an ASI involving the sta- cal systems. If a set of prescriptive alternatives were de-tion battery was estimated to have a core-melt frequency veloped,it would not be abic to properly take these differ-of 2x103 per reactor-year, ences into account. This alternative would not be able to give guidance in all areas that may need improvement at The costs of'he utility-sponsored studies (including modi, some plants and not at others, nor would it be able to give fications) ranged from a low of about $2 million to a high credit for mitigative design aspects at some plants which of between $10 and $12 million. The laboratory studies don't exist at others.

were limited to $1 million each. A comprehensive study for both functionally coupled and spatially coupled Asis For these reasons, the staff abandoned consideration of would cost approximately $10 million. this alternative.

e 5 NUREG-1229

l I

I'

' Require all plants to provide a separate and independent evaluation teport were estimated to require about 3 man-alternative shutdown system. weeks per plant.nerefore, total NRC cost should not ex-cced $1 million. However, the cost to utilities would be This alternative was considered as a possible solution be- _ much greater, as discussed in the following subsections of cause, in theory, if a totally independent (i.e., separate Section 4.1: (1b), (Ic), (2b), and (2c), below.

and independent from all existing plant features) design feature is provided,it would not be subject to ASIS.This Considering operating experience (NRC, NUREG/ ,

type of alternative received consideration under another CR-3922), the evaluation of the major utility programs, i unresolved safety issue, namely USI A-45, " Shutdown and recent plant-specific PRAs (NRC memorandum, De- 1 Decay Heat Removal Requirements." cember 1984), a n umber of " areas" of the plants appeared t to be vulnerable to specific types of ASIS. On the basis of l This solution could theoretically solve all SI concerns; the above work, the concerns were focused in the areas of however, the costs for a "new design feature" to accom- ]

spatially coupled ASIS and functionally coupled ASIS as '

plish independent plant shutdown is high, probably on the follows:

order of tens of millions to $100 million per plant.There-fore, this alternative was not considered feasible when (1) Spatially Coupled ASIS only the resolution of A-17 was considered.

Require all plants to perform a focused individual study in A number of licensee event reports (LERs) identified ac-specific arcasfor spatially coupled andfunctionally coupled tual events or postulated conditnans that mvolved spa-ASI,' tially coupled ASIS. The following categories, as defm_ ed in NRC's NUREG/CR-3922, include spatially coupled Performing a focused review and potential associated adverse systems interactions identified in LERs:

modifications would reduce the probability of core melt.

The quantification of the possible reduction proved ex. Category 3 degradation of safety-related components tremely difficult. To estimate a reduction in core-melt by fire prctection systems frequency (and then calculate risk in terms of radiation release) requires that specific event sequences be se- Cate8o#Y4 Pl ant drain 87 stems that allow flooding of lected and failure / success estimates be made for each safety-related equipment function in the event tree. All the ASIS involve very spe.

Category 8 Icvel instrumentation degraded by high-cific plant conditions (such as operating modes, design features, and test and maintenance practices) and the energyline break (HELB) conditions overall results (such as loss of all cooling, loss of all ac power, and core melt) of an mdividual ASI are highly de-Category 10 HELB conditions degrading control sys-tems i pendent on which specific plant design features remain ;

intact after the ASI(such as remaining independent divi-Category 15 inadequate cable separation sions, remaining displays) and the operator's response.

Therefore, the risk analyses could not be used generically. Category 16 safety-related cables unprotected from Studies conducted to identify Asis and the risks associ- missiles generated from HVAC fans ated with them have indicated that the associated risk is very low. For instance, as reporteci by the Atomic Indus- Category 17 suppression pool swell trial Forum, the Indian Point Unit 3 Study (1985), the i most comprehensive study completed to date, has indi- Category 21 spatial dependencies due to failures during l cated that the risk imposed by Asis is insignificant- postulated scismic events l Brookhaven National Laboratory (BNL) (NRC, April 1985) and Lawrence Livermore National Laboratory Category 23 other spatial dependencies (LLNL) (NRC, January 1986) studies (also on Indian Point Unit 3) confirmed that uncovering subtle Asis can In addition, consultants to Oak Ridge National Labora-be difficult; these reports also predicted very low risk tory compared the utility studies donc at Indian Point Sta- l from those Asis that were identified. tion, Unit 3, and Diablo Canyon Nuclear Power Plant, Units 1 and 2, in the area of spatially coupled sis (NRC, For these reasons, the assessment of safety benefit is pri- NUREG/CR-4306). As a result of this work, a focused marily qualitative. study was defined. The study would include (a) a limited target scope, (b) a hst of hazards or initiating events (re-The audit of the utilities program was estimated to re- lated to the targets), and (c) a simplified search method.

quire 1 man-week per plant; therefore, about 2 man-years The staff reviewed the results of the consultant's report (total) would be involved. The audit of results (analysis / and developed a proposed target scope and hazard scope modifications)of the program and the subsequent safety based on other considerations, as follows:

NUREG-1229 6

_ _ _ _ - - _ _ _ _ _ _____-______-_-________-___--_A

i I

'* Target Scope - Missiles have been evaluated under the SEP re-views, and, in general, the staff concluded that plant Target is the term typically used to describe a struc- systems were well protected from internal missiles ture, system, or component that is to be protected (NRC, SECY-84-133). Therefore, the staff elimi-from Asis. 'Ihe consultant's report considered four nated this hazard from further consideration, target groupings:

Tornado-initiated missiles are not considered within a support systems and controls the scope of USI A-17 and, therefore, are climi-reactor coolant pressure boundary (RCPB) natea from further consideration.

. auxiliary feedwater system

. . other frontline systems (such as ECCS) (a) Safety Benefits

'Ihe staff concluded that auxiliary feedwater systems Because of the way nuclear power plants are de-have received significant attention as a result of the signed and constructed by the various engineering accident at Three Mile Island and other ongoing is. disciplines, the possibility exists that space alloca-sues and staff actions. tions for systems and interrelationstups between sys-tems may not have been adequately analyzed. The Regarding the other frontline systems, it was con- review of SI studies by utilities appears to support cluded that if the RCPB is adequately protected this conclusion. Although large numbers of spatially from spatially coupled ASIS, the need for the oper- c upled interactions were identified in these pro-ability of frontline systems under ccmditions such as grams, many of them are of low probability. Nevers carthquake is greatly reduced. theless, some of the operating experience (NRC, January 1985) and PRA results (NRC, December Therefore, the staff proposed to limit the scope to cam dat h ppndal for mme h consideration of the systems required to achieve hot sigm an e s. m it can be infe ese sMes dat mem was pdaWgomum no n% imm shutdown (and maintain it for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ).This is con-sistent with the proposed resolution of USI A-46 in systematic procedure m, older plants to uncover the area of seismic qualification of equipment. these potential sis dunng the design phase.

With respect to probability of occurrence,it can be

. Hazard Scope argued that the probability of any oN occurrence is low. On the other hand, some of the spatially cou-Regarding the " hazards" evaluated in the utility pro ~ pled ASIS could be the result of very pervasive grams, the following were identified: seismic events, events, such as an carthquake or an internal flood.

fire, flood, missiles, pipe whip, and tornadoes. On Given this " pervasive" aspect and the frequency of the basis of carher regulatory actions in certam of some of the initiators, for example safe shutdown these areas, the stafIproposed that only two types of

, earthquake (SSE)-on the order of 10 4 per reactor the hazards needed to be considered: carthquake year, or internal flood on the same order-concerns and flooding.

in these areas may still remain.

Fire reviews have been performed at all plants to Many of the ASIS could damage support systems meet the requirements of Appendix R 1010 CFR 50. which have been shown by PRA analyses to poten-These reviews include criteria that address the con- tially affect multiple safe shutdown or frontline sys-cerns for spatially coupled ASIS. However, the po- tems as well as to initiate events. Therefore, if the tential for ASIS from the fire protection equipment probability of the initiating event is on the order of was noted (e.g., spray, flood). Therefore, the A-17 an SSE (and then subsequent damage to a support resolution would not propose to reevaluate this area system is assumed) and this support system can initi- )

except as it relates to the possibility of fluid interac- ate a transient and degrade the mitigation of that I tions from the fire protection system. transient, it is cicar that such spatially coupled ASIS I involving support systems conld be significant.

Flood reviews were required by the Atomic Energy Commission (AEC) at all plants in 1972 after the Another aspect that was considered is the potential Quad Cities flood of 1972 (AEC,1972). There is for the operator to take recovery action. When the some indication from the Systematic Evaluation plant recovery actions that an operator might take l

Program (SEP) reviews and operating experience are considered,it becomes apparent that for some of that this area needs more attention. Therefore, the these spatially coupled Sis, and depending on the staff examined the need to reevaluate flooding (and specific plant design, there may be few if any actions .

spraying and dripping) as potential hazards. that etm be taken, given the ASI occurs.That is, the d

7 NUREG-1229

i

. potential physical damage involved may not be re- ity programs to the target scopes reviewed in the coverable in a short time imme. programs.

Resolution costs for analysis and/or modifications (b) Costs have a very large range.The costs are dependent on the interactions identified Dy the programs, the The cost for a focused spatial study was estimated method required for resolution, and many plant-based on a review of the utility studies (NRC, dependent factors such as feasibility of plant modifi--

cation.

NUREG/CR-4306).

The manpower requirements for in-plant assess-The required resources were broken down into the ment for each of the three target groups and the as-Plant Document Review Phase and tl e In-Plant As- sociated estimates for plant document review and sessments Phase (onsite review). Their costs were analysis and modifications are shown below on a per estimated by apportioning the total costs of the util- plant basis:

i Plant document In plant Analysis / mod. ,

review assessment cost i Targets (man. months) (man. months) (x 1000)

Supports & controls 8 8 $750-2000 RCPB' 2 2 $200-550 l Safe shutdown equipment 2 2 $200-550 It should be noted that these costs were obtained by costs would be on the order of $100 million. Al.

scaling down the scope of industry-conducted stud- though the value and impact were not calculated, les. nese studies were first of a kind and were very the staff believes that the study of certain specific thoroughly done, both in identifying possible inter- spatially coupled ASIS should be pursued for a num-actions andin documenting them. Asa result of the ber of reasons. Specifically, a number of potential experience gained during this learning period, more- ASIS have been noted in the SI studies and in the op-efficient reviews could be defined. It is expected, crating experience reviews. As an example, one re-therefore, that the per plant costs could be substan- cently postulated event involves a possible seismi-tially reduced from the estimates presented above, cally induced SI with the reactor coolant pressure ;

based on a number of potential efficiencies such as a boundary. Westinghouse identified a conecrn with i better defined scope, reduced level of documenta- the potential for non-seismically qualified equip- ,

tion and quality assurance, and a cooperative effort ment (flux mapping system located over the instru-by plant owners through formation of an industry mentation seal table) to jeopardize the integrity of group to develop implementation procedures. It is the RCPB as a result of a seismic event.This type of estimated that these economics could amount to at potential event coupled with the concerns that re-least a 50% reduction in costs per plant. The forego- covery from an actual event may be very difficult, ing data provide the basis for evaluating the poten- forms the bases for further actions. (See Section 6, tial cost associated with the review, identifying and " Proposed Resolution.")

resolving spatial sis for each of the major groups of target systems by the utility. Similarly, events have occurred, have been postu-lated to occur, and appear to continue to occur in- ,

(c) Value/ Impact volving internal flooding. The term " flooding" is i used here to cover many types of events such as The total costs per plant were estimated to range spraying and dripping as well as submergence.

from about $0.5 million to $3.5 million; most plants were in the lower range because of actions already Recently, a fire deluge system actuated inadver-taken in these areas and the economies outlined tently and water traveled tht'ough HVAC ducts and above. A very rough estimate of overall industry dripped down on sensitive electrical equipment. As NUREG-1229 8

a result of this event, the Office of Inspection and considered here include: cooling water systems: heat-Enforcement issued Information Notice 85-85. ing, ventilation, and air conditioning systems; lube oil systems; air supply systems; and instrumentation and In another recent event, a temporary floor fan was control systems. It was noted that all of these types of used to cool an inverter and the inverter failed when support systems tend to be plant unique to some ex-water on the floor was blown into it. tent, as is true with electric systems.

Both the seismically induced ASIS and the flooding The main concern with many of the support systems ASIS can have very widespread effects and, as a re- is their potential to initiate an event and also degrade sult, may affect many systems required for safe shut- the systems necessary to mitigate that event. This po-down, tential breakdown in the defense-in-depth philoso-phy can exist in some plants; however, the safety sig-A dedicated search for these types of ASIS could be nificance is highly dependent on other plant costly; however, a number of activities related to mitigating features, such as remaining independerit these concerns are under way. The staff believes that trains of equipment.

these ongoing activities can be used to address the A-17 concerns. See the proposed resolution (Sec- In addition, because the loss of these support systems tion 6) regarding the seismic concerns (Section 6.2) (including the electrical power system) does not lead and the flooding and water intrusion ASIS (Section to events such as large LOCAs or MSLDs which re-6.3). quire immediate operator action, the staff concluded that, except for catastrophic failures (such as some (2) Functionally Coupled ASIS spatially coupled sis), the potential for recovery from Asis involving these systems is very great.

The review of operating experience highlighted a number of areas that involved functionally coupled ASIS. The

+ Overreliance on Failsafe Design ConceEt (Failure staff concluded that for continued review the events could es) be grouped as follows: One area of ASIS involved reactor protection (scram) systems-Category 18 in NUREG/CR-3922. The

clectric power systems staff recognized that the Asis in these systems could E" "" '""* * # "E "*

ov clian e on failsafe desi En concept manded of a trip system. An argument that the opera-

+ automatic action with no preferred failure mode tor has time to compensate for a problem might not e instrumentation and control power supphes apply.

Each significant area is discussed individually below. In Category 18, a potential problem with the scram discharge volume (SDV) at hil boiling-water reactors

Electric Power Systems was noted. It was discovered that there could be water Concerns related to this area were highlighted in in the SDV because of poor drainage or a failure of Categories 1 and 13 cf NUREG/CR-3922.The three air supply. Water in the SDV would inhibit control most important factors contributing to the possible rod insertion. 'Ihe failurc involving the air system was significance of this area are: of particular concern because 11 involves a system typically considered a portion of the reactor protec-

+ lt is one of the most extensive support systems tion system that is not safety related. Action was in the plant. taken at all boiling-water reactors to correct the prob-lem.

The systems are inherently among the most complex in the plant. The staff believes that tihis type of ASI was the result of using a design approach which actually requires

. Each plant design is different to some extent the " functioning" of a number of features that in.

(i.e., there is very little standardization). clude systems not related to safety and therefore, an incorrect reliance on failsafe principles. In the case of a the air system, the system was assumed to " fail safe" Support Systems (i.e., bleed off), and as a result, a partial failure, at Concerns re!ated to the area of support systems were some intermediate pressure, went unanalyzed. It was noted in Categories 1 (as stated, the electric power noted, too, that the electrical supply system to this system is an extensive support system),13,14,18, and scram system had been previously modified because 22 in NUREG/CR-3922. Since the electric power of a similar type of concern. Specifically, the electri-system was dealt with separately, the support systems cal power was assumed to fail safe (i.e., voltage going 9 NUREG-1229

1 l

i to zero) and as a result, partial failure such as low still exist, further review work at ORNL was identi-voltage or high voltage went unanalyzed for a time. fied.

The staff acknowledges that there may be otherareas ORNL completed this additional work and reported of the plant in which failsafe principles have been it in NRC's NUREG/CR-4470. The report included used incorrectly, but in all cases except in the reactor a number of I&C power supp;y failures, some of trip system (RTS) case, it is concluded that the safety which led to initiation of a plant transient and partial significance would be less because of the time for the disabling of a safety function or operator information. -

operator to take action.The only other case may be during a large LOCA, however the probability~ of a large LOCA or MSLB in conjunction with these As a result of the additional work performed by' types of failures should be low. ORNL and the staff's further review of the area of I&C power,it was concluded that a significant num ~

ber of issues and industry efforts are already under

. Automatic Action With No Preferred Failure Mode way m this area. In addition, the staff is proposing to Another area of Asis that was highlighted involved integrate.I&C power issues into a comprehensive the inadvert ent actuation of an engineered safety fea- program independent of A-17.

ture (ESF) (Category 6 in NUREG/CR-3922), i.e.,

inadvertent ECCS/RHR (emergency core cooling (a) Safety Benefits system / residual heat removal) pump suction transfer.

The most significant characteristic of this area ap. With respect to the functionally coupled Asis, the

' pears to be the fact that such a design feature does following parallel conclusions were reached:

not have an "always" preferred failure mode. As a re-sult, extra precaution may be needed to ' avoid (a) a (i) Unlike the possible lack of consideration of '

spatial allocations, the designers must usually j failure to actuate when needed and (b)a failure that actuates the system when the system is not required consider all functional interrelationships in (i.e., inadvertently). great detail. This is because the system will probably not operate if the functional ties are The area of automatic switching of ECCS from the not operating correctly.

injection mode to the recirculation mode is the sub- As a result, the functional aspects get a signifi-ject of a generic issue that is scheduled for priori- cant amount of preoperational checkout and tization, GI-24.

testing. On the other hand, the operating expe-ce w as e te at in some cam GI-24 will consider the aspect of possible untimely, " "* " #

inadvertent ECCS/RHR pump suction transferand, '" *"I # "*#

ASIS to exist, and m other cases subtle A51s therefore, it is concluded that further specific action "*

as part of the .A-17 remlution is not warranted.

1. E" (ii) If the large number of unanalyzed functionally Some additional concern exists that other ESF sys- coupled occurrences which could involve per-tems at specific plants may similarly not always have a mutations and combinations of systems and all preferred failure mode. Some examples could be their failure states (including off, on, halfway, containment isolation, lowJhigh-pressure interface etc.) are contemplated, it is clear that not all for RHR, and automatic selection for feeding intact possible functionally coupled Asis have been steam generators only. In general, almost all of these analyzed. However, this is not always necessary systems have been analyzed forinadvertent actuation if the analyses peric 'ned bound all possible from a functional standpoint. cases (i.e., the analyses are conservative). In general, this is believed to be the case and most

. Instrumentation and Controi Power Supplies experience proves this.

The Oak Ridge Natiomd biboratory (ORNL) review (iii) Similar to the spatially coupled ASIS of con-reported in NUREG/CR-3922 highlighted a few sig- cern, the functionally coupled Asis of concern nificant events related to instrumentation and con- often involve the support systems (and for the I

trol (I& C) power supplies.These events at all plants- same reasons).

and specifically at Babcock and Wilcox (B&W) plants, have already received significant attention as (iv) The nature of the functionally coupled ASIS outlined in the ORNL followup review. Since there hasled the staff to conclude that the majority of was some concern that the potential for significtmt them would be recoverable (i.e., equipment i events related to I& C power supply interactions may was not damageo beyond use) given that the L

' NUREG-1229 10 l ._- - ._ _ _ _ _ _ _ _ _ _ _ - _-____ ___-__- __ - _ _ _

i I

i operator has the time and the information (3) Induced lluman. Intervention. Coupled ASIS j needed. In this regard, the actions taken with respect to Regulatory G uide 1.97 and I& E Bul- ' As a result of the definitions used in the USI A-17 pro- i letin 79-27 (NRC, November 1979) have pro- gram, these ASIS have been included in the evaluation of vided improvements in the area of operator in- functionally coupled ASIS (Section 4.1(2) above).

formation.

4.2 Alternatives for Future Plants I (b) Costs Add a new and separate ASIreview section to the Standard I To perform a study for functionally coupled ASIS N'"IC# #I""-

would involve some type of plant-specific systematic 'Ihe safety benefit of this alternative would be that ASIS analysis such as an FMEA (failure mode and effects would receive a dedicated review.The staff has generally 1 analysis), PRA, or sneak circuit analysis (NRC. concluded that the individual SRPs cover the area of NUREG/CR-4261). The costs of these types of ASIS. However, there is some question of whether the studies are tied very closely to the scope and detail of present approach is adequate for spatially coupled ASIS.

the study. Much modeling is required if the scope is not limited to very specific areas or problems. 'Ihe cost to the utility would be to address a separate sec-tion in the review process. 'Ihis would add another licens-The Ilrookhaven and Livermore studies were held to ing burden; however, the concerns should already have

$1 million each;it would be expected that a focused bcen considered in the design and construction process.

st udy for functionally coupled ASIS would cost about F,or example, plant walkdowns are often conducted by an the same amount. applicant for the area ofimpacts of equipment that is not seismically qualified (Category II eqmpment) on seismi-(c) Value/ Impact cally qualified (Category I) equipment ("Il over I review")

and for high-energy line break (HEIE) effects. Adding this to the SRP would require that these reviews be broad-Since the safety benefit of taking actions for these ened somewhat to consider other systems interactions.

ASIS was also not practical to quantify, no value/im- These costs would be exnected to be less than $0.5 million pact was calculated. per plant, especially given the prospect that future plants would be " standard" plants. NRC costs would be some-what increased because the SRP would recommend that As in the case of the spatially coupled ASIS, the review of the staff perform some additional review and audit the operating experience uncovered a number of func-walkdowns. 'Ihis cost was estimated to be less than tionally coupled ASIS. In addition, recent operating expe- $100.000 per plant based on about 6 to 7 man. months of rience continues to show events that involve the same effort.

characteristics that were highlighted in the A-17 review.

Take no action.

Of particular note are events involving the electrical sys-tem and the mstrumentation and control system. There This alternative was considered because: (1) the individ-ual SRPs were believed to address ASIS,(2) future plants continue to be inadvertent actuations which cause unde-strable actions, such as mitiation of switchover to the con- will perform a PRA or some type of systematic analysis, and (3)if A-17 recommendations regarding PRAs are in-tamment sump. Also, isolation problems between safety cluded in those studies, consideration of ASIS could be and non- safety equipment still occur. addressed. (Refer to Section 4.3, " Alternatives for Im-proving Systematic Plant Reviews (Such As PRAs).")

As was concluded for the spatially coupled ASIS, a dedi-cated search for these types of functionally coupled ASIS Provide additional regulatory guidancefor ASIS.

could be costly. Ilowever, the staff believes that there are m place a number of ongomg programs related to thes It was concluded that, in general, the existing SRPs cover concerns, and they should be used to address the A-17 the Asis of concern. There is a potential benefit to pro-concerns. vide more guidance and, if the guidance is followed early enough in the design process, little added cost would re-See the resolution (Section 6) regarding the operating ex.

perience reviews (Section 6.1), the USI A-46 implemen- The one area of Asis which the staff concluded needed tation (Section 6.2), the further investigation of flooding / additional guidance is the area of internal flooding and water intrusion (Section 6.3), the instrumentation and water intrusion (see Section 6.3). On the bask of this con-control power supply issues reviews (Section 6A), and the clusion, the staff will pursue the development of a stan-Severe Accident Policy Statement (Section 6.5). dard review plan in this area. (See Section 6.7.)

11 NURl!G-1229

ASIS can surface in a systematic plant review (such as a costs to implement the various methods appear to be PRA) which will be required of all future plants. Here- equivalent.

fore, the staff considered future plants in conjunction with PRAs. (See Section 43 which follows.) 4.4 Alternatives for Evaluating Operat-ing Experience 4.3 Alternat.ives for Improving System-atic Plant Reviews (Such As PRAs) Provide for new recommendations in the future evalu-ation of operating experience for ASIS.

In its policy statement on severe accidents in nuclear The existing programs that deal with operating experi-power plants issued on August 8,1985 (50 FR 32138), the Commission concluded, based on available information, ence were reviewed by ORNL (NRC, NUREG/

CR-4261). It was concluded that the scope of the pro-that existing plants pose no undue risk to the public health and safety and that there is no present basis for im- grams do include ASIS.

mediate action on generic rulemaking or other regulatory Take no action.

requirements for these plants. However, the Commission has recognized, based on NRC and industry experience Based on the above, it was concluded not to consider with plant-specific probabilistic risk assessments (PRAs), other alternatives, except for the possible one-time dis-that systematic examinations are beneficial in identifying semination of the information developed in USI A-17. i plant-specific vulnerabilities to severe accidents that could be fixed with low-cost improvements. Therefore, Provide information on ASIS to ongoing evaluations of each existing plant should perform a systematic examina- operating experience. i tion to identify any plant-specific vulnerabilities to severe accidents and report the results to the Commission. As just stated, the A-17 resolution is considering a one-Therefore, the resolution of A-17 considered alterna- time dissemination of information (see Section 6.1).

tives for future systematic studies or PRAs.

Provide additionalguidance. 5 BASES FOR RESOLUTION OF By including more guidance in the specific areas of con- UNRESOLVED SAFETY ISSUE cern regarding ASIS, it is anticipated that better studies A-17 can be developed and safety-significant ASIS can be un-covered. The cost to the industry of the added guidance Adverse systems interactions (Asis) involve subtle and would be mimmal and may m fact save money by focusing often very complicated plant-specific dependencies be-mdustry efforts m certain areas. [See the proposed reso- tween components and systems, possibly compounded by lution regarding flooding and water intrusion (Section inducing erroneous human intervention. The staff has

63) and PRAs (Section 6.5).] identified actions to be taken by the NRC to resolve USI A-17, and has made the judgment that these actions, to-Take no action. gether with other ongoing activitics, should reduce the risk from adverse systems interactions.

To date, there has been guidance given to PRAs regard-ing dependent failure analysis. This alternative would The staff's judgment is not based on the assertion that all ,

choose not to add any new mformation specific for ASIS. adverse systems interactions have been identified, but rather that the A-17 actions plus other activities by the There would be neither safety benefit, cost, nor valueh.m- licensees and staff as discussed further below give reason-pact in selecting this alternative. abic assurance that the more risk-significant interactions will be recognized and appropriate action taken.

Require and endorse a specific search methodfor uncovering ASIS. Ongoing Actions by Licensees

- This alternative evaluated various search methods; how- (1) Water intrusion and Flooding From Internal Sources ever,it was concluded that any number of methods could i

be acceptable and the largest benefit appeared to involve As part of the resolution of USI A-17, the staff hasidenti-focusing the study in the right areas. fied that water intrusion and flooding of equipment from

( internal plant sources may result in a risk-significant ad-There did not appear to be a greater safety benefit in verse systems interaction. Such events could cause a tran-choosing one method over another, and the particular sient and could also disable the equipment needed to method did not appear to be as critical as the focus: the mitigate the consequences of the event.;; e Appendix to NUREG-1229 12 l

NUREG-1174 provides insights regarding plant vul- clude walkdowns of individual plants to ensure nerabilities to flooding and water intrusion from internal that the systems needed to shut down the plant plant scarces. It is expected that these insights will be and maintain it in a safe ecmdition for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months considered in the Individual Plant Examinations (IPEs), can withstand a design-basis seismic event. The scope incrudes not only the systems needed to ;

(2) Review of Events at Nuclear Power Plants control reactivity and remove decay heat, but also the supporting power supplies, controls, in-Licensees are expected to continue to revicw information strumentation, and environmental control sub-on events at operating nuclear power plants in accor- systems needed by those systems. The plant dance with the requirements of Item I.C 5 of walkdown reviews include seismic systems inter-NUREG-0737. Such information is disseminated by the actions.

NRC in the form of information notices, bulletins, and other reports; by individual licensees in the form oflicen.

Generic Issue 128, " Electric Power Reliability" see event reports; and by industry groups such as the Insti-tute of Nuclear Power Operations (INPO). The NRC has The USI A-17 review of operating experience an aggressive program of reviewing events at nuclear reemphasized the potentihl interactions stem-power plants. Each licensee is required to notify the NRC mmg from the electric power system and,in par-staff rapidly by telephone of any event that meets or ex. ticular, instrumentation and control (I&C) ceeds the threshold defined in 10 CFR 50.72 and to file a Power supply failures. (See NUREG/CR-4470, written licensee event report for those events that meet " Survey and Evaluation of VitalInstrumentaton l or exceed the threshold defined in 10 CFR 50.73. Also, and Control Power Supply Events.") I&C ,

the NRC regional offices report events of significance power loss can cause sigmficant transients and

. every day. This information is reviewed daily by members can sunultaneously affect the operator's ability of the NRC staff and followup efforts are assigned for to proceed with recovery by disabling portions of events that appear to be potentially risk significant and/or the mdications and the equipment needed for are judged to be a possible precursor to a more severe recovery. The events that have occtrrred were event. A weekly meeting is held to brief NRC manage- mostly limited to a smgle electrical division and ment on those events of significance. This ongoing proc- therefore were not strictly adverse systems in-ess provides a great deal of assurance that any potentially teractions according to the definitions m the significant event is brought to the attention of the appro- USI A-17 program.Inaddition,actionshaveal-priate NRC staff and management. Depending on the sig- ready been taken by licensees to improve the nificance, further action may be taken to notify licensees operator's ability to cope with such events. As a or to impose additional requirements. The total process separate activity, a number of generic issues in-offers a high degree of assurance that precursors to po- V Ivm, g electrical power supplies were inte-tentially significant events, including those involving ad. grated into one generic issue, verse systems interactions, are treated expeditiously.The staff plans to issue a letter to all licensees that summa- This issue became GI-128, " Electric Power Re-rizes the A-17 information relevant to those ongoing op- I ability," and consists of the following specific erating experience evaluations. electric issues:

Actions To Be Taken by the NRC Related to Adverse - ' * " * * " "

Systems Interactions B m es m. Opua@g I lants,,

GI-49, " Interlocks and LCOs for Redundant (1) Integratwn ofSpecific, Ongoing Genen.cissues Related to A-17. Class 1E Tie Breakers" The NRC is considering certain aspects of potential GbA-30, " Adequacy of Safety-Related DC interactions as part of the resolution of identified ge- P wa SuppHes neric issues.

It was concluded that the additionalinformation

. developed on USI A-17 (NUREG/CR-4470) l USI A-46, "Setsmic Qualification of Equip- should be used as an input to the GI-128 pro-ment gram. Therefore, NUREO/CR-4470 was com-Actions to resolve this issue have been sent to the licensees. The NRC and industry are work- (2) Ddine and Prioritize Other issues ing on detailed procedures that will be used to implement the requirements on a plant-specific The Advisory Committee for Reactor Safeguards basis. These implementation procedu res will in- (ACRS) and other groups have identified concerns 13 NUREG-1229 1

in the comext of systems interactions. In many cases, (4) Additional Considerations for Future Plants the concerns are not considered to be within the scope of systems interactions as defined in the USI The preceding actions acknowledge the fact that fu-A-17 Task Action Plan. In some cases, these con- ture plants will perform probabilistic risk assess-cerns have not been described specifically enough to ments, and that such studies can uncover ASIS.The permit the risk to be estimated.The NRC has under- staff also recognizes that the continual review of op-taken a program [ referred to as the Multiple System erating experience will identify systems interactions, Responses Program (MSRP)] with Oak Ridge Na- some of which may be ASIS Further, prioritization tional Laboratory (ORNL) to define these concerns of issues defined by the MSRP may result in addi-in sufficient detail so that they may be prioritized in tional generic issues whose resolution may lead to accordance with NRC procedures, requirements applicable to future plants.

Therefore, future plants should keep current on les-Exampics of concerns involve potential coupling of sons learned from operating experience and con-postulated plant events such as seismically induced tinue to monitor the ongoing NRC process of devel- i fires and scismicallyinduced flooding, and the atten- oping, prioritizing, and resolving generic issues. !

dant potential for multiple, simultaneous, adverse i systems responses. These concerns are beyond the In addition, the staff plans to develop a standard re-defined scope of USI A-17.If the definition, priority view plan (SRP) for future plants. The SRP would determination, and peer review processes identify include specific guidance regarding protection from one or rnore issues as having high or medium prior- internal flooding and water intrusion events.

ity, the issue (s) will be assigned to the appropriate organization for resolution. Sbff Findings (3) Probabilistic Risk Analyses or Other Systematic Plant On the basis of the technical findings reported in i ges. jew, NUREG-1174 and the regulatory analysis reported {

herein, the staff has concluded that these actions can fur- )

ther reduce the risk from ASIS.The staff does not recem- !

= Existing Plants mend further broad searches for ASIS because such searches have not proved to be cost effective, and in any The Commission's Severe Accident Policy,50 FR case, there is no guarantee, after such a study is per-f rmed, that all ASIS have been uncovered. Although 32128 (August 8,1985), calls for all existing plants to these actions complete the staff's work under the Task perform a plant-specific search for vulnerabilities.

Such searches, referred to as individual plant exami- Acnon Plan for USI A ,i7, and constitute techmeal reso- -

lution of the issue as defmed therein, the potential for sys-nations (IPEs), involve a systematic piant review ,

tems mteractions remains an important consideration in (which could be a Pl type analysis). NRC is issu-the design and operation of nuclear power plants.

ing guidance for perfor ming such reviews. One sub-ject area to be treated by the IPEs is common-cause failures (or dependent failures). USI A-17 recog- 6 RESOLUTION nizes that ASIS are a subset of this broader subject area and, therefore, is providing for the dissemina- Considering the alternatives and other related activities, tion of the insights gained in the A-17 program for the staff offers the resolution that follows. The staffs use in the IPE work. resolution is summarized in Table 2.

l

Future Plants 6.1 Provide Information on ASIS to Ongoing Evaluations of Operating The Commission's regulations (10 CFR 50.52) re- Experience quire all future plants to perform a probabilistic risk assessment (PRA). NRC is issuing guidance on the Ongoing industry and MRC review of operating experi-content of PRA submittals for future light-water re- ence can provide iramework for assessing Asis (both actors (LWRs). As part of that guidance, A-17 is those that have occurred and those that could occur). In providing the insights gained in the A-17 program addition, the ongoing reviews are specifically addressing for the treatment of plant dependencies, some of the Asis of concern highlighted by A-17.

NUREG-1229 14

_ _________-___-___________-_____a

. i ?

,Je f

1 i

Table 2 Resolution of USI A-17 ]

Identified concern Action Clarification

. Spatial interactions that may be seismically . USI A-46 considered . Multiple System Responses initiated Program to consider this area further

, Spatial interactions that result from a A-17 proposes further action Multiple System Responses flooding-type event - relative to IPEs Program to consider this area further Functional interactions that involve safety . A-17 proposes sending infor- , A-17 will also provide informa- -

systems and their support systems mation to utilities relevant to tion to NRC staff responsible g ; . ongoing operating experience for IPE reviews, GI-128 to

e. Electric power systems reviews consider A-17 information

- Instrumentation and control power supplies

Failsafe principles, misapplication e . Safety functions with no always-preferred failure direction Therefore, to ensure that these operating experience re- 6.2 Acknowledge Seistnic SI Aspects of view programs consider the concerns highlighted in USI A-17, the staff recommends that a summary of the infor. USI A-46 Implementat. ion mation developed from the work on USI A-17 be sent to all utilities. Although no specific action would be required One of the areas of concern highlightedin A-17 involves of the utilities, the staff believes tlut the transmittal of seismically induced sis. The staff has concluded that ac-this mformation m itself will give the mformation that has tivities are already taking place that adequately address been developed on the A-17 issue the appropriate level this concern. Specifically, 72 older plants will be imple-of attention. menting requirements imposed by the resolution of USI A-46, "Scismic Qualification of Equipment in Operating Furthermore, to confirm that utilitics are evaluating op. Plants " The newer plants, not covered by the A-46 pro-erational experience properly, both the NRC's inspectors gram, have been reviewed to current requirements which and the Institute of Nuclear Power Operation's (INPO's) address seismically induced Sis.

. evaluation teams routinely audit and review this area. For example, NRC inspectors verify that utilities are review- The proposed resolution of A-46 involves an onsite re-mg events and issues discussed in NRC information no- view and walkdown of equipment required for safe shut-tices for applicability to their facilities. down. As part of this review and walkdown, the evaluation team will review the potential for certain ASIS which The information developed as a result of the A-17 pro- might disable (1) the safe shutdown system components, ,

. gram will be attached to the generic letter sent to all utili. (2) cable trays, and to a limited extent, (3) the support sys-ties. It will cover the following specific areas: tems. On the basis of this activity, the staff concluded that further review in this area (to resolve the A-17 issue), was

. electric power systems not required. Although USI A-46 is not covering all pos-

Lsupport systems sible ASIS, the staff has concluded that any further work is reliance on failsafe design principles in the area of seismically induced failures should be pur-

= automatic safety actions with no (always) preferred sued as a generic issue separate from A-46 and A-17. For failure mode further information see the action under Section 6.6 be-

- instrumentation and control power supplies low.

15 NUREG-1229

6.3 Consider Flooding and Water In.

GI-49, " Interlocks and LCOs for Redundant Class I Ti* "'*"k*

trusion From Internal Sources in Individual Plant Examinations 6.5 Provide Guidance for Future PRA The staff intends to provide insights to all licensees for or Other Systematic Plant Reviews use in performing analysis of flooding and water intrusion from internal sources. It is expected that these insights The staff and the nuclear power industry have been ii-will be used in theirIndividual Plant Examinations (IPEs). volved in developmental work for probabilistic risk as-For further information see the Appendix to sessments. One portion of that work involved the "PRA NUREG-1174. Procedures Guide" (NRC, NUREG/CR-2300) and the

PSA Procedures Guide"(NRC, NUREG/CR-2815). As l stated above, the A-17 results can help focus on areas of 6.4 Provide for the Integration and the plant that need to be emphasized because of the high Coordination of Electrical and In- potential for these areas to be vulnerable to ASIS.

strumentation and Control Power Therefore, the resolution of A-17 will provide the m. for-Supply Issues and Concerns mation on ASIS highlighted in A-17 for use in future PR A review. i Work on USI A-17 highlighted a number of ASI concerns l in the area of instrumentation and control (I&C) power 6.6 Define Potential Generic Issues supplies (NRC, NUREG/CR-4470).

That Are Not Included As Part of

~ One specific aspect of note for A-17 was the potential the A-17 Resolution or Other Regu- ,

that the loss of one power supply could cause an event latory Programs (such as a transient or trip)and then could also affect the systems required to respond to the event and/or the op-crators,information displays.

As was discussed under the cope and definition of the g; ;

. have been covered as part of the A-17 study. The staff, i' Although only a fraction of the events led to such type of with the assistance of ORNL, is in the process of defining results, the work under A-17 highlighted a number of these other issues and concerns in sufficient detail so that other concerns that involved the failure of certain I&C they can be prioritized separately. As a result of this power supply compon nts (such as the inverters) arid the

, prioritization, additional work effort may be defined for lack of consistent limitmg conditions for operation the separate issues. ' Itis research pregram is designated, (LCOs)on the I&C power supplies. " Multiple System Responses Program."

Additional review showed that the area of I&C power has been the subject of a number of actions and is the subject 6.7 Develop a Standard Review Plan for ,

of a n umber of contin uing issues. To achieve a more coor- Future Plants '

dinated approach to this area, the NRC staff working on the A-17 program recommends that the area of I&C The staff plans to develop a standard review plan for fu-power be integrated into one program and that these vari- ture plants. De SRP would include specific guidance re-ous issues be addressed under a single program plan to garding protection from internal flooding and water in-deal with the overall adequacy of nuclear power plant trusion events.

I&C power systems.

The NRC staff initiated this activity with the assistance of 7 REFERENCES national laboratories under integrated issue GI-128,

" Electric Power Reliability." Some of the issues and con-cerns being addressed include the following: Atomic Energy Commission, letter dated September 26, 1972, from R. C. DeYoung to licensees, " Flooding Event

. A-30," Adequacy of Safety-Related DC Power Sup- at Quad Cities, Unit 1."

plies" Atomic Industrial Forum. Inc., letter dated October 8, ,

+ GI-48,"LCO for Class IE Vital Instrument Buses 1985, from M. R. Edelman to V. Stello, " Unresolved in Operating Reactors" Safety Issue A-17 Systems Interactions."

NUREG-1229 16

_ _ _ _ . . _ _ _ __.__________________________________J

l l

Consumers Power Company, " Program Manual Spatial -- , NUREG-0572," Review of Licensee Event Re-Systems Interaction Program / Seismic Midland Energy ports (1976-1978)" September 1979.

Center," Revision 1, June 6,1983.

-- , NUREG-0649, " Task Action Plans for Unre-Office of Inspection and Enforcement, NRC, Bulletin solved Safety Issues Related to Nuclear Power Plants,"

79-27, %ss of Non-Class 1E Instrumentation and Rev.1. September 1984.

Control Power Systems Bus During Operation," Novem-ber 30,1979. -- , NUREG-0660,"NRC Action Plan Developed as a Result of the'IMI-2 Accident," May 1980.

-- , Information Notice 83-41, " Actuation of Fire

' NUREG-0737, " Clarification of TMI Action Suppression System Causing Inoperability of Safety-Related Equipment, June 22,1983. R@m" November 1980.

-- , NUREG-0800, " Standard Review Plan for the

-- ,Information Notice 83-44," Potential Damage t Review of Safety Analysis Reports for Nuclear Power Redundant Safety Equipment as a Result of Backflow Plants," July 1981*

Through the Equipment and Floor Drainage System,"

July 1,1983. -- , NUREG-0824," Integrated Plant Safety Assess-ment Systematic Evaluation Program for Millstone Nu-

-- , Information Notice 85-85, " Systems Interaction clear Power Station, Unit 1," February 1983.

Event Resulting in Reactor System Safety Relief Valve Opening Following a Fire. Protection Deluge System -- , NUREG-0933, Rev. 2, "A Prioritization of Ge-Malfunction," October 31,1985. neric Safety Issues," December 1984.

- , Information Notice 87-14 " Actuation of Fire -- , NUREG-1070,"NRC Policy on Future Reactor Suppression System Causing Inoperability of Safety- Designs," July 1985.

Related Ventilation Equipment," March 23,1987.

-- , NUREG-1174," Evaluation of Systems Interac-Pacific Gas and Electric Company, *Diablo Canyon Seis- tions in Nuclear Power Plants: Technical Findings Re-mically Induced Systems Interaction Program," Dockets lated to Unresolved Safety Issue A-17," May 1989.

50-275 and 50-323, May 7,1984.

-- ., NUREG/CR-2300, "PRA Procedures Guide,"

Power Authority of the State of New York," Systems In. Vols. I and 2, January 1983.

teraction Study, Indian Point 3," Docket 50-286, Novem-ber 33,1983. --- NUREG/CR-2815,"Probabilistic

Safety Analy-sis Procedures Guide," Brookhaven Nationallaboratory, U.S. Nuclear Regulatory Commission, Memorandum January 1984.

dated September 18 1984, from R. Kendall to D. -- , NUREG/CR-3922, " Survey and Evaluation of

'I at , " Comments on ORNL Draft NUREG/ System Interaction Events and Sources," Vols.1 and 2, Oak Ridge National Laboratory, January 1985.

-- , Memorandum dated December 3,1984, from H. -- , NUREG/CR-4179, " Digraph Matrix Analysis R. Denton to Division Directors," Insights Gained From for Systems Interactions at Indian Point Unit 3, Abridged Probabilistic Risk Assessments." Version," Vol.1, (January 1986) Vols. 2-6 will be avail-able in the NRC Public Document Room,2120 L Street,

-- , Memorandum dated March 20,1985, from A. N. W., Washington, D.C., Lawrence Livermore National Thadani to K. Kniel,"RRAB Inputs to the USl A-17 Pro- Laboratory.

gram.

-- , NUREG/CR-4207, " Fault Tree Application to

-- , Memorandum dated May 31,1985, from A. the Study of Systems Interactions at Indian Point 3 "

Thadani to K. Kniel, "RRAB Input to USI A-17 Resolu- Brookhaven National Laboratory, January 1986.

tica.

-- , NUREG/CR-4261, " Assessment of System In-

-- , NUREG-75/014, " Reactor Safety Study-An teraction Experience in Nuclear Power Plants," Oak Assessment of Acrident Risks in U.S. Commercial Nu- Ridge National laboratory, June 1986.

clear Power Plants," October 1975.

-- , NUREG/CR-4306, " Review and Evaluation of

-- ,NUREG-0471,"GenericTask Problem Descrip- Spatial System Interaction Programs," Oak Ridge Na-tions (Category B, C, and D Tasks)" June 1978. tional laboratory, December 1986.

17 NUREG-1229

C.

r .

. 1 f.

-- , NUREG/CR-4470," Survey and Evaluation of -- , SECY-84-133, "Results Ef SEP," Enclosure 4, i Vital Instrumentation and Control Power Supply "SEP Phase II Safety lessons Learned," March 23,1984.

Events," August 1986. ,

2 I

i

}

i

'1 l

i 1-l 4

l i

l l

l 4

f

- NUREG-1229 18

_______1_____

WRC DOmM 335 U S esuCLE AR mEGUL ATOn v COMMesseoN i Nt PDat %uM8t R # A,,,,,,a a. TsDC esa vaw 4o J anie s '

E',Y BIBLIOGRAPHIC DATA SHEET NUREG-1229 11I sNSTHUCTsONS ON 1wt at v4 a5t 2 titit AND $us tit LE J in Aw t et ANet Regulatory Analysis for Resolution of USI A-17:

Systems Interactions in Nuclear Power Plants A Daf t REPORT CDMPLi1ED MONT ** *iAR

. .vi .<D . May 1989 Dale F. Thatcher ,0,,,, ,,,,

l August 1989 7 PtRf 0AMING ORGANilAliDN N AME AND MastiNG ADD 8tESS t,arsusele Cossi 8 PROJECT T A$suwomst WN#1 NUMetR Division of Safety Issue Resolution Office of Nuclear Regulatory Research * "N oa ca AN' NvMn a U.S. Nuclear Regulatory Commission 8ashington, DC 20555 10 SPONSOReNG ORGamilaisON NAME AND MAIL SNG ADDat&5 (sa,tuee bp Coaes t is I vPt OF RE PO8t ?

Technical Same as 7, above. , ,, ,,03 co v t R t o ,,,,,,,, .,,,

12 SUPPLiptNT ARv NOTE 6 l

,, A. , R A e , .-a. . s This report presents a summary of the regulatory analysis conducted by the NRC staff to evaluate the value and impact of potential alternatives for the resolution of

, Unresolved Safety Issue (USI) A-17, " Systems Interactions in Nuclear Power Plants."

The NRC staff's proposed resolution offered in this report is based on.this analysis, lhe staff's technical finding regarding systems interactions can be found in NUREG-1174.

Adverse systems interactions (ASIS) involve subtle and often very complicated plant-specific dependencies between components ano systems, possibly compounded by inducing erroneous human intervention. The staff has identified actions to be taken by licensees and the NRC to resolve USI A-17; the staff has also made the judgment that ,

these actions, together with other ongoing activities, would reduce the risk from I adverse systems interactions. As discussed further in this report, the staff judgment that the actions are sufficient is not based on the assertion that all systems interactions have been identified, but rather that the A-17 actions, plus other activities by the licensees and staff, will identify precursors to potentially risk-significant interactions so that action can be taken if deemed necessary.

10 DOCUMt NT AN A L v5'S < a a t *wopDODt sCR rPTORS tt Avent A8sLeiv Unresolved Safety Issue A-17 Unlimited Systems interactions Regulatory Analysis ' 'au.,

. .Otuint 5, opt ~ e ~ut o TiaMs Uncl as si fi ed

<F,,

Unclassi fied 17 NUMtta OS PAGil l

.a *R.ct i

. - - - _ _ _ ~ . . --- -

.,y, ,.gm ppmeywww 3 -' mm wr----- y - g n-n vn

' , ,, s

.c < '

4 9..., r7; 6

. - .~ , <

c. . ,

.1

p :,

. . a q:.(.

a- < .

IU .[ 'a . . I dNITEDiSTATES.;

. NUCLEAR REGULATORY COMMISSION . '"5$/afdNWiiS'"

pc l i WASHINGTON, D.C. 20555 :- ~

~

'. "S""' ' '

' nnaci s ori - <

f '

I% , ., . OFFICIAL BUSINESSS

..3 . , PENALTY FOR FRIVATE tJSEJ $300 '

~,:

Q .,

,.:: p a s

, er 1'1ANilI1PDllA1

~

p' f' +. 320655139531 LN6 E , ;,, US NRC-OLJM DIV FOIA k PUBLICATI0ts5 SVCS

'46. ' TPS PDP-NJ4EG

'r ;

p.?Q%

20553

, WA5HiNGTON DC

.' (

i k

't g f I e

h

.;. 4 I

t

? '

'r. .g s

,!:: ~s.'. . s.

' C N .lv ,

N-.

v ^

.i

>;; .i

}% ~

l' j

5->

?.

( N.

[I .,i@' '

.(

.,j

'.t<

p> .:

4. <

. I,

. c. _<

I o

e p-J. s li:

f;(;

e. .

h-e 4

4

.s t f p;- q s

(U <

c. I C t,'. g e

,'g i -j,) c

{u?l ,' a - _ - _ _ . _ - . - . _ _ _ . _ . - - _

ML20245K735

Contents

Text

SUMMARY

SUMMARY

SUMMARY

Navigation menu

ML20245K735

Text

SUMMARY

SUMMARY

SUMMARY

Navigation menu

Search