NUREG-1229, Forwards Revised Resolution of USI A-17, Systems Interactions in Nuclear Power Plants. Package Requested to Be Revised to State More Explicitly Proposed Actions Taken by Licensees & by NRC. Issue Identified as Category 2 Action
| ML20246B762 | |
|---|---|
| Person / Time | |
| Issue date: | 05/19/1988 |
| From: | Beckjord E, NRC Office of Nuclear Regulatory Research (RES) |
| To: | Jordan E, Committee To Review Generic Requirements |
| Shared Package | ML20245D430 |
| References | REF-GTECI-A-17, REF-GTECI-SY, RTR-NUREG-1229, TASK-A-17, TASK-OR NUDOCS 8905090158 |
| Download: | ML20246B762 (150) |
Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

MAY 19 1988

MEMORANDUM FOR: Edward Jordan, Chairman, Committee to Review Generic Requirements

FROM: Eric Beckjord, Director, Office of Nuclear Regulatory Research

SUBJECT: CRGR REVIEW OF THE REVISED PROPOSED RESOLUTION OF USI A-17, "SYSTEMS INTERACTIONS IN NUCLEAR POWER PLANTS"
REFERENCES:
- 1. Memorandum for J. Sniezek from H. Denton dated March 21, 1986, CRGR Review of Proposed Resolution of USI A-17, "Systems Interactions in Nuclear Power Plants"
- 2. Memorandum for V. Stello from J. Sniezek dated May 2, 1986, Minutes of CRGR Meeting Number 88
- 3. Memorandum for V. Stello from D. Ward dated May 13, 1986, ACRS Comments on Proposed Resolution of USI A-17, "Systems Interactions in Nuclear Power Plants"
- 4. Memorandum for D. Ward from V. Stello dated August 1, 1986, Response to ACRS Comments on Proposed Resolution of USI A-17, "Systems Interactions in Nuclear Power Plants"

The staff has revised its proposed resolution of Unresolved Safety Issue A-17, "Systems Interactions in Nuclear Power Plants," based on CRGR comments (Ref. 1 and 2), ACRS comments (Ref. 3 and 4), and further staff comments. Results of the staff evaluation and the revised resolution are presented in the enclosed documents. These documents are submitted for consideration by the CRGR.

This issue was presented to the CRGR in April 1986. Based on the CRGR review and comments, the staff understood that although the CRGR was in general agreement with the proposed resolution, it requested that the package be revised to state more explicitly the proposed actions to be taken by licensees and by the NRC staff. On the other hand, ACRS expressed (Ref. 3) significant concerns with the scope and content of the A-17 program, which the ACRS believes is too limited. The staff committed (Ref. 4) to address the ACRS concerns in the revised resolution.

The enclosed draft resolution has addressed both the CRGR and the ACRS concerns as well as additional staff comments. The basic conclusions are the same as those presented to the CRGR in 1986; however, the implementation of the resolution has been changed to include a letter (pursuant to 10 CFR 50.54f) which requires that all utilities certify that their plant is protected from internal plant flooding and water intrusion. Previously, the staff had proposed to rely on other activities, such as IE Notices and INPO notifications.

USI A-17 deals with the safety concern that nuclear power plant systems may contain hidden dependencies which could be safety significant even though regulatory criteria and guidance have to some extent addressed the area of dependent failures. As described in the definitions in the task action plan for A-17, these types of dependencies can be considered a subset of a much larger set of dependent failures or common cause failures. The dependencies of concern for A-17 involve safety significant events which are due to a single fault or failure in one system which is then propagated to another system by spatial or functional coupling. A-17 is not addressing areas of dependency that are due to recognized commonalities such as duplicate manufacturing errors or duplicate testing errors. These distinctions in the various types of common cause failures are critical to the understanding of A-17 and its resolution.

The staff has concluded that Adverse Systems Interactions (ASIs) involve subtle, and often very complicated, dependencies. Total elimination of ASIs is unachievable and therefore we are not recommending that each plant undertake a large, comprehensive study to uncover them. Instead, the staff is recommending other, more cost-effective actions. Although these actions complete the staff's work under the Task Action Plan for USI A-17, and constitute technical resolution of the issue as defined therein, the potential for ASIs remains an important consideration in the design and operation of nuclear power plants. The staff has therefore acknowledged the continuing importance of ongoing activities such as probabilistic risk assessments or other systematic plant evaluations and the continuing review and evaluation of the industry's operating experience.
The proposed resolution includes a number of actions which involve both the NRC and licensees, but no new requirements are being proposed. The staff is proposing the following:
- 1) Issuance of a generic letter which includes:
  a) the bases for resolution of USI A-17;
  b) a summary of information for use in ongoing operating experience reviews;
  c) a request (pursuant to 10 CFR 50.54f) for all utilities to certify that their plant is protected from internal plant flooding and water intrusion.
- 2) Recognition that the USI A-46 resolution will address seismically induced systems interactions to the extent that components and systems needed to safely shut down the plant are protected given loss of offsite power. (New plants, not covered by A-46, have been reviewed to current requirements which address seismically induced systems interactions.)
- 3) Communication of information internal to NRC for review of PRAs and for evaluation of electric power supplies as part of GI-128.
- 4) Identification and definition of concerns related to A-17 and other programs which have not been specifically addressed. (The objective of this program is to define the concerns with sufficient specificity to permit them to be prioritized as potential generic safety issues.)

RES proposes to issue the technical findings report (NUREG-1174, included here as Enclosure 5) and the Regulatory Analysis (NUREG-1229, included here as Enclosure 1) for public comment. After consideration of the public comments received and a favorable recommendation by CRGR, the A-17 resolution would be implemented by issuing the generic letter (Enclosure 2). It is the staff's intention to determine the level of in-plant verification needed after the licensees' certifications are received. Such a verification could involve an audit inspection which would check a sample of certain plant-specific aspects (e.g., sources of water, pathways allowing transmission of water, preventive/mitigative features) based on a utility's analysis. See Enclosure 6 for more information.

We have identified USI A-17 as a CRGR category 2 action. For further information on this subject, contact Dale Thatcher, USI A-17 Task Manager (x23808).

Eric Beckjord, Director
Office of Nuclear Regulatory Research
Enclosures:
- 1. NUREG-1229, "Regulatory Analysis for Proposed Resolution of USI A-17"
- 2. Proposed Generic Letter
- 3. Background Information for CRGR
- 4. Summary of References
- 5. NUREG-1174, "Systems Interactions in Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-17"
- 6. Verification of Licensee Actions in Response to Generic Letter
NUREG-1229

Regulatory Analysis for Proposed Resolution of USI A-17

Systems Interactions in Nuclear Power Plants

Draft Report for Comment

U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
D. F. Thatcher

Manuscript Completed: May 1987
Date Published:

D. F. Thatcher
Division of Engineering
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555
Document Name: USI A-17 ENCL 1 TC
Requestor's ID: BONNIE
Author's Name: THATCHER / Sanders
Document Comments: ETPB 5/4/88 KEEP THIS SHEET WITH DOCUMENT
ABSTRACT

This report presents a summary of the regulatory analysis conducted by the NRC staff to evaluate the value and impact of potential alternatives for the resolution of Unresolved Safety Issue (USI) A-17, "Systems Interactions in Nuclear Power Plants." The NRC staff's proposed resolution offered in this report is based on this analysis. The staff's technical findings regarding systems interactions can be found in NUREG-1174.

Adverse systems interactions (ASIs) involve subtle and often very complicated plant-specific dependencies between components and systems, possibly compounded by inducing erroneous human intervention. The staff has identified actions to be taken by licensees and the NRC to resolve USI A-17; the staff has also made the judgment that these actions, together with other ongoing activities, are sufficient to reduce the risk from adverse systems interactions to an acceptable level. As discussed further in this report, the staff judgment that the proposed actions are sufficient is not based on the assertion that all systems interactions have been identified, but rather that the A-17 actions, plus other activities by the licensees and staff, will identify precursors to potentially risk-significant interactions so that action can be taken if deemed necessary.
USI A-17 Encl 1 iii
CONTENTS

ABSTRACT ..................................................... iii
EXECUTIVE SUMMARY ............................................ vii
1 STATEMENT OF THE PROBLEM ................................... 1
2 SUMMARY OF TECHNICAL FINDINGS AND CONCLUSIONS .............. 1
  2.1 Systems Interaction ..................................... 3
  2.2 Adverse Systems Interaction ............................. 3
  2.3 Undesirable Result (Produced by SIs) .................... 3
  2.4 Classification of Adverse Systems Interactions .......... 3
  2.5 Conclusions ............................................. 4
3 ALTERNATIVES ............................................... 5
  3.1 Alternatives for Operating Plants ....................... 6
  3.2 Alternatives for Future Plants .......................... 6
  3.3 Alternatives for Improving Systematic Plant Reviews Such As Probabilistic Risk Assessments ... 7
  3.4 Alternatives for Evaluating Operating Experience ........ 7
4 DISCUSSION OF ALTERNATIVES ................................. 7
  4.1 Alternatives for Operating Plants ....................... 7
  4.2 Alternatives for Future Plants .......................... 18
  4.3 Alternatives for Improving Systematic Plant Reviews (Such As PRAs) ... 19
  4.4 Alternatives for Evaluating Operating Experience ........ 19
5 BASES FOR RESOLUTION OF UNRESOLVED SAFETY ISSUE A-17 ....... 20
6 PROPOSED RESOLUTION ........................................ 23
  6.1 Provide Information on ASIs to Ongoing Evaluations of Operating Experience ... 23
  6.2 Acknowledge Seismic SI Aspects of USI A-46 Implementation ... 24
  6.3 Require Utilities To Submit Information Certifying That Their Plants Have Been Adequately Evaluated With Respect to Internal Flooding and Water Intrusion ... 25
  6.4 Provide for the Integration and Coordination of Electrical and Instrumentation and Control Power Supply Issues and Concerns ... 27
  6.5 Provide Guidance for Future PRA or Other Systematic Plant Reviews ... 28
  6.6 Define Potential Generic Issues That Are Not Included As Part of the A-17 Resolution or Other Regulatory Programs ... 28
7 REFERENCES ................................................. 28
EXECUTIVE SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) has concluded its technical evaluation of Unresolved Safety Issue (USI) A-17, "Systems Interactions in Nuclear Power Plants." The present report summarizes the results of the regulatory analysis conducted by the NRC staff to formulate the resolution of USI A-17. The technical findings and conclusions used in this report are based on those presented in NUREG-1174, "Evaluation of Systems Interactions in Nuclear Power Plants: Technical Findings Related to Unresolved Safety Issue A-17."

As emphasized in NUREG-1174, the set of definitions is critical to proceeding with resolution of the issue. Those definitions are repeated in this document. Because of the complex and interdependent network of systems, structures, and components that constitute a nuclear power plant, the scenario of almost any significant event can be characterized as a "systems interaction." As a result, the staff recognized that if the term "systems interaction" were interpreted in a very broad sense it became an unmanageable safety issue. To begin to address perceived safety concerns within this potentially broad subject area requires a narrowing of the scope. To this end, a set of definitions based on the perceived safety concerns has been developed.

It is recognized that by narrowing the focus, all concerns that could be characterized as systems interactions may not be addressed. It is, therefore, extremely important that the scope and boundary of the program be as clearly defined (and understood) as possible. Then, should concerns still exist after the program has been completed, those concerns could be addressed as part of any separate efforts deemed necessary.

The following terms and definitions were used in the A-17 program:

(1) Systems Interaction (SI)

An action or inaction (not necessarily a failure) of various systems (subsystems, divisions, trains), components, or structures resulting from a single credible failure within one system, component, or structure and propagation to other systems, components, or structures by inconspicuous or unanticipated interdependencies. The major difference between an SI and a classic single-failure event is in those hidden or unanticipated aspects of the initiating failure and/or its propagation.

(2) Adverse Systems Interaction (ASI)

A systems interaction that produces an undesirable result.

(3) Undesirable Result (Produced by SIs)

This was defined by a list of the types of events that were to be considered in USI A-17:

- Degradation of redundant portions of a safety system, including consideration of all auxiliary support functions. Redundant portions are those considered to be independent in the design and accident analysis (Chapter 15) of the Final Safety Analysis Report (FSAR) of the plant. (Note: This would violate the single-failure criterion.)
- Degradation of a safety system by a non-safety system. (Note: This result would demonstrate a breakdown in presumed "isolation.")
- Initiation of an "accident" [e.g., loss-of-coolant accident (LOCA), main steamline break (MSLB)] and (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate that event (Chapter 15, FSAR analyses) or (b) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect actions. (Note: This includes failure to perform correct actions because of incorrect information.)
- Initiation of a "transient" (including reactor trip) and (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate the event (Chapter 15, FSAR analyses) or (b) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect actions. (Note: This includes failure to perform correct actions because of incorrect information.)
- Initiation of an event that requires plant operators to act in areas outside the control room (perhaps because the control room is being evacuated or the plant is being shut down) and disruption of the access to these areas (for example, by disruption of the security system or isolation of an area when fire doors are closed or a suppression system is actuated).

The intersystem dependencies (or systems interactions) have been divided into three classes based on the way they propagate:

(1) Functionally Coupled

Those SIs that result from sharing of common systems/components, or physical connections between systems, including electrical, hydraulic, pneumatic, or mechanical.

(2) Spatially Coupled

Those SIs that result from sharing or proximity of structures/locations, equipment, or components or by spatial inter-ties such as heating, ventilation, and air conditioning (HVAC) and drain systems.

(3) Induced Human-Intervention Coupled

Those SIs in which a plant malfunction (such as failed indication) inappropriately induces an operator action, or a malfunction inhibits an operator's ability to respond. As analyzed in the A-17 program, these SIs are considered another example of functionally coupled ASIs. (Note: Random human errors and acts of sabotage are excluded.)

As a result of the staff's studies of alternative actions that might resolve the A-17 safety issue, the staff has concluded that certain actions should be taken. These actions are:

(1) Send a generic letter to all plants providing information developed during the resolution of A-17.
(2) Require all plants to respond to questions regarding internal flooding analyses under a 10 CFR 50.54(f) request.
(3) Consider systems interactions involving the electrical power systems in the integrated program on electrical power reliability.
(4) Provide information for use in future probabilistic risk assessments (PRAs).
(5) Provide a framework for addressing those other concerns related to systems interactions which are not covered by the A-17 program.
(6) Acknowledge that the resolution of USI A-46 addresses aspects of systems interactions.
Document Name: USI A-17 ENCL 1 (Has PROOFREAD)
Requestor's ID: BONNIE
Author's Name: Thatcher / Sanders
Document Comments: 5/4/88 KEEP THIS SHEET WITH DOCUMENT
REGULATORY ANALYSIS FOR PROPOSED RESOLUTION OF USI A-17: SYSTEMS INTERACTIONS IN NUCLEAR POWER PLANTS

1 STATEMENT OF THE PROBLEM

A nuclear power plant is composed of numerous systems, structures, and components which are designed and analyzed by several engineering disciplines. The degree of functional and physical integration of all these systems, components, and structures into any single power plant may vary considerably. Concerns have been raised which question the adequacy of this functional and physical integration coordination process. Also, it has been postulated that adverse systems interactions (ASIs) may be inadvertently incorporated into plants by inadequacies in the process. Given that a nuclear power plant includes many systems, components, and structures, including (1) systems that normally control the plant, (2) systems that respond to off-normal events, and (3) systems that both functionally and physically support other systems, it is reasonable to suspect that such interactions may exist. Current regulatory requirements and guidance address this area. The unresolved safety issue (USI) A-17 program was initiated to investigate the area of systems interactions and to consider viable alternatives for regulatory requirements (including doing nothing) to ensure that adverse systems interactions have been or will be minimized at operating plants and at new plants.

2 SUMMARY OF TECHNICAL FINDINGS AND CONCLUSIONS

The technical findings and conclusions presented here are based on the results reported in NRC staff report NUREG-1174 (unpublished draft).

Because a nuclear power plant is composed of systems, structures, and components both complex and interdependent, any significant event scenario can potentially be characterized as a "systems interaction." As a result, the staff has determined that if the term systems interaction were interpreted in its broadest sense, it became an unmanageable safety issue. To begin to address perceived safety concerns within this potentially broad subject area requires some focusing. One way to focus such an effort is to develop a working set of definitions based on the perceived safety concerns.

It is recognized that by the very nature of narrowing the focus, all concerns that could be characterized as systems interactions may not be addressed. It is, therefore, extremely important that the scope and boundary of the focused program be as clearly defined (and understood) as possible. Then, should concerns still exist after the program has been completed, those concerns could be addressed as part of any separate efforts deemed necessary.

The terms and definitions used in the A-17 program follow in Sections 2.1 through 2.4. In addition, Table 1 (which is reproduced here from NUREG-1174) is included to help clarify the scope of A-17 and its bases.
Table 1 Scope of USI A-17, "Systems Interactions": General subject area involves system failures which are due to system dependencies

| Concerns | Covered by | Clarification |
|---|---|---|
| (1) Recognized/analyzed single failures directly propagate to other equipment/systems within the same safety division | Existing regulations; single failure defined in the GDC | Not analyzed in A-17 |
| (2) Single failures subtly propagate to cause plant transients/accidents and/or degrade the safety systems. Includes: subtle spatial interties; subtle functional interties | USI A-17 definition of adverse systems interactions | See the proposed resolution of A-17 for resulting actions required |
| (3) Common failure of redundant safety systems due to commonalities such as: same manufacturing defect; same testing error; same maintenance error | Improvements in maintenance and test procedures; ATWS rule; A-44 proposed rule | Not analyzed in A-17 |
| (4) Operator errors that disable redundant safety systems | Improvements in operator training | Not analyzed by A-17 |
| (5) Events that could cause multiple plant problems simultaneously: particularly earthquakes; also fire and pipe break/flooding | USI A-46 plus current licensing requirements cover earthquakes. Appendix R deals with fire. Equipment qualification rule (10 CFR 50.49) deals with design-basis pipe breaks. None of these programs deals with multiple, simultaneous events; therefore, this area is to be further evaluated under the Multiple System Responses Program. | Not analyzed in A-17, except for internal flooding/water intrusion, events occurring one at a time. See the proposed resolution of A-17. |
n; "= 1 4 1 0 i 2.1 Systems Interaction N j A systems interaction (SI) is an action or inaction (not necessarily a failure) )4 of various systems (subsystems, divisions, trains), components, or structures resulting from a single credible failure within one system, component, or struc-1 ture and propagation to other systems, components, or structures by inconspicuous ) or Laanticipated interdependencies. The major difference between an SI and a i classic single-failure event is in those hidden or unanticipated aspects of the i initiating failure and/or its propagation. j 2.2 Adverse Systems Interaction 3 An adverse systems interaction (ASI) is an SI that produces an undesirable l 3; result. 9 2. 3 Undesirable Result (Produced by sis) i A list of types of events that were to be considered in USI A-17 defines this term: (1) Degradation of redundant portions of a safety system, including considera-tion of all auxiliary support functions. Redundant portions are those considered to be independent in the design and accident analysis (Chap- [' ter 15) of the Final Safety Analysis Report (FSAR) of the plant. (Note: This would violate the single-failure criterion.) l 4 (2) Degradation of a safety system by a non-safety system. (Note: This result would demonstrate a breakdown in presumed " isolation.") J (3) Initiation of an " accident" [e.g. , loss-of-coolant-accident (LOCA), main ) 4 steamline break (MSLB)] and (a) the degradation of at least one redundant i portion of any one of the safety systems required to mitigate that event . (Chapter 15, FSAR analyses) or (b) degradation of critical operator infor- l %; mation sufficient to cause tre' operator to perform unanalyzed, unassumed, ! or incorrect actions. (Note: This includes failure to perform correct actions because of incorrect information.) J (4) Initiation of a " transient" (including reactor trip) and (a) the degradation
, of at least one redundant portion of any one of the safety systems required
'j to mitigate the event (Chapter 15, FSAR analyses) or (b) degradation of ; critical operator information sufficient to cause the operator to perform l unanalyzed, unassumed, or incorrect actions. (Note: This includes failure 1 to perform correct actions because of incorrect information.) (5) Initiation of an event that requires plant operators to act in areas outside i _ the control room (perhaps because the control room is being evacuated or the plant is being shut down) and disruption of the access to these areas S; (for example, by disruption of the security system or isolation of an area when fire doors are closed or when a suppression system is actuated). ) 2. 4 Classification of Adverse Systems Interactions 1 The intersystem dependencies (or systems interactions) have been divided into
} three classes based on the way they propagate:
s a l USI A-17 Enc 1 1 3 7 . q e 6 ' l
;ldL0 i&. .'. . = d .N - .x - . .'A: ? ' N. m.NN 'N.+ h. ^
L' M di .. - -
- 4. '. ,
(1) Functionally Coupled

Those SIs that result from sharing of common systems/components, or physical connections between systems, including electrical, hydraulic, pneumatic, or mechanical.

(2) Spatially Coupled

Those SIs that result from sharing or proximity of structures/locations, equipment, or components, or by spatial inter-ties such as heating, ventilation, and air conditioning (HVAC) and drain systems.

(3) Induced Human-Intervention Coupled

Those SIs that result when a plant malfunction (such as failed indication) inappropriately induces an operator action, or when a malfunction inhibits an operator's ability to respond. As analyzed in the A-17 program, these SIs are considered another example of functionally coupled ASIs. (Note: Random human errors and acts of sabotage are excluded.)

2.5 Conclusions

As a result of the staff's studies of ASIs undertaken as part of its search for a solution to the USI A-17 safety issue, the staff has concluded the following:

(1) To address a subject area such as "systems interactions" in its broadest sense tends to be an unmanageable task incapable of resolution. Some bounds and limitations are crucial to proceeding toward a resolution. Considering this, the A-17 program utilized a set of working definitions to limit the issue. It is recognized that such an approach may leave some concerns unaddressed.

(2) The occurrence of an actual ASI or the existence of a potential ASI is very much a function of an individual plant's design and operational features (such as its detailed design and layout, allowed operating modes, procedures, and test and maintenance practices). Furthermore, the potential overall safety impact (such as loss of all cooling, loss of all electric power, or core melt) is similarly a function of those plant features that remain unaffected by the ASI. In other words, the results of an ASI depend on the availability of other independent equipment and the operator's response capabilities.

(3) Although each ASI (and its safety impact) is unique to an individual plant, there appear to be some characteristics common to a number of the ASIs.

(4) Methods are available (and some are under development) for searching out SIs on a plant-specific basis. Studies conducted by utilities and national laboratories indicate that a full-scope plant search takes considerable time and money. Even then, there is not a high degree of assurance that all, or even most, ASIs will be discovered.

USI A-17 Encl 1 4
(5) Functionally coupled ASIs have occurred at a number of plants, but improved operator information and training (instituted since the accident at Three Mile Island) should greatly aid in recovery actions during future events.

(6) Induced human-intervention-coupled interactions as defined in A-17 are a subset of the broader class of functionally coupled SIs. As stated for functionally coupled SIs, improvements in both operator information and operator training will greatly improve recovery from such events.

(7) As a class, spatially coupled SIs may be the most significant because of the potential for the loss of equipment which is damaged beyond repair. However, in many cases these ASIs are less likely to occur because of the lower probability of initiating failure (e.g., earthquake, pipe rupture) and the less-than-certain coupling mechanisms involved.

(8) Probabilistic risk assessments or other systematic plant-specific reviews can provide a framework for identifying and addressing ASIs.

(9) Because of the nature of ASIs (they are introduced into plants by design errors and/or by overlooking subtle or hidden dependencies), they will probably continue to happen. In their evaluations of operating experience, NRC and the nuclear power industry can provide an effective method for addressing ASIs.

(10) For existing plants, a properly focused, systematic plant search for certain types of spatially coupled ASIs and functionally coupled ASIs (and correction of the deficiencies found) may improve safety.

(11) The area of electric power, and particularly instrumentation and control power supplies, was highlighted as being vulnerable to relatively significant ASIs. Further investigation showed that this area remains the subject of a number of separate issues and studies. A concentrated effort to coordinate these activities and to include power supply interactions could provide a more effective approach in this area.

(12) For future plants, additional guidance regarding ASIs could benefit safety.

(13) The concerns raised by the Advisory Committee on Reactor Safeguards (ACRS) on A-17, but which have not been addressed in the staff's study of A-17, should be considered as candidate generic issues, separate from USI A-17.

Although there does not seem to be a generic safety concern that warrants immediate attention, some potential exists for plant-specific problems and, therefore, alternatives for action were considered further.

3 ALTERNATIVES

The alternatives considered were grouped into four areas:

(1) the need to take action at operating plants
(2) the adequacy of current licensing requirements and guidance (for future plants)

(3) the possibility of providing additional guidance for those utilities which perform a systematic safety analysis such as a probabilistic risk assessment (PRA)

(4) the adequacy of the existing processes for review and evaluation of operating experience

Then for each of these areas, various alternatives were considered as discussed below.

3.1 Alternatives for Operating Plants

(1) Requiring a comprehensive plant study would involve modeling the plant dependencies (functional and spatial) and then evaluating them.

(2) Taking no action would involve addressing only the requirements already resulting from previous attention to ASIs, such as staff bulletins and generic letters.

(3) Requiring all plants to meet a prescriptive set of specific generic requirements would involve implementing specific plant actions and/or modifications to specific systems. In the past, this approach has been used for individual ASIs.

(4) Requiring all plants to provide a separate and independent, alternate shutdown system would involve the design and implementation of a functionally and physically independent plant system(s) that would be free from ASIs with respect to the rest of the plant.

(5) Requiring all plants to do a focused individual study in specific areas for spatially coupled and functionally coupled ASIs would necessitate that individual plants do evaluations in rather specific areas based on guidelines that would focus the more significant concerns for ASIs. As a result of individual plant evaluations, actions may be required.

3.2 Alternatives for Future Plants

(1) Adding a new and separate ASI review section to the Standard Review Plan would inaugurate a new section in the Standard Review Plan (SRP) (NUREG-0800) containing a set of acceptance criteria and review guidelines, and designating a lead review branch.

(2) Taking no action would indicate that the requirements and guidance in the SRP are adequate and no new guidance is necessary.

(3) Providing additional regulatory guidance/criteria for ASIs would consider the existing regulatory guidance (e.g., acceptance criteria and review guidelines) in the appropriate sections of the SRP and would establish the adequacy of the guidance. Where the guidance is inadequate, individual revisions would be proposed.
3.3 Alternatives for Improving Systematic Plant Reviews Such As Probabilistic Risk Assessments

(1) Providing additional guidance for future systematic reviews would involve developing new guidance to such studies.

(2) Taking no action would conclude that present guidance is sufficient.

(3) Requiring a specific search method for uncovering ASIs would endorse one particular method as the solution for the subject area of ASIs and would recommend that all systematic type reviews use it.

3.4 Alternatives for Evaluating Operating Experience

(1) Providing for new recommendations in the future evaluation of operating experience for ASIs would consider the existing programs that deal with operating experience and would make recommendations for improving them to address ASIs.

(2) Taking no action would consider the present programs for the review and dissemination of operating experience and would conclude that they are adequate with respect to ASIs.

(3) Providing information on ASIs to ongoing evaluations of operating experience would involve the one-time dissemination of information developed regarding ASIs.
4 DISCUSSION OF ALTERNATIVES

4.1 Alternatives for Operating Plants

(1) Require a comprehensive plant study.

This alternative would require all plants to perform a large study for SIs. The study would consider the total plant and would address both functionally and spatially coupled ASIs.

A number of large studies have been performed by utilities such as Pacific Gas and Electric (May 1984), the Power Authority of the State of New York (June 1983), and Consumers Power Company (June 1983). In addition, the NRC sponsored two studies by national laboratories at one plant, Indian Point Station, Unit 3 (NRC, NUREG/CR-4179, and NRC, NUREG/CR-4207). None of these studies could be called a comprehensive or full plant study, except possibly the overall Midland program (Consumers Power Company, June 1983) which was never completed. Each of the other studies had a limited scope (to varying degrees) based on a specific set of objectives and/or assumptions.

The staff's review of ASIs (both postulated and actual) has shown that selecting this alternative provides only a small potential to reduce risk.

The safety benefit of the completed programs was extremely hard to quantify. In general, based on the reported results, many modifications were made but the utilities considered few, if any, truly safety significant. Some quantification of safety benefit has been estimated on the basis of the NRC-sponsored work. As reported in the evaluation of the two demonstration analyses for SIs, the one event considered to be an ASI involving the station battery was estimated to have a core melt frequency of 2 x 10^-8 per reactor year.

The costs of the utility-sponsored studies (including modifications) ranged from a low of about $2 million to a high of between $10 and $12 million. The 2 laboratory studies were limited to $1 million each. A comprehensive study for both functionally coupled and spatially coupled ASIs would cost approximately $10 million.

Considering that a significant safety benefit was not evident and considering the high costs of a full study, this alternative was not seen as a viable option. Assuming a cost-to-benefit criterion of $1000 per man-rem, at $10 million per plant study, a safety benefit (for 100 plants) of 1 million man-rem would have to be realized.

(2) Take no action.

This alternative would be to take no actions beyond the actions already resulting from all the previous attention given to ASIs (e.g., IE Bulletins, IE Notices, and 10 CFR 50.49).

This alternative was seriously considered; however, the staff believes that there is still some potential for plant-specific ASIs based on the results of further review of the utility studies, further review of the operating experience, and plant-specific PRAs.
No safety benefit is involved with this alternative, nor are industry costs involved in such a resolution.

(3) Require all plants to meet a prescriptive set of specific generic requirements.

The intention of this alternative would be to require a specific set of plant "fixes" based on results of previously conducted SI studies and the A-17 work. From these results, a list of actual and postulated events would be compiled. The objective of the plant-specific review would be to ensure that certain specific events would not occur at that facility. This alternative was judged to be impractical for two reasons. First, a large number of the SIs that have occurred have already been dealt with at the facilities in question. Action was generally taken in response to generic letters or IE bulletins. Sometimes the industry initiated its own action. In some cases, postulated events (that is, events that have not actually occurred) have also been the subject of generic letters or IE bulletins. Second, most existing nuclear power plants have significant differences in systems, components, and structures in the areas of concern highlighted in the review of operating experience and the review of utility studies. For example, probably no two plants are identical in physical aspects (except maybe a dual-unit plant) and no two plants have identical electrical systems. If a set of prescriptive alternatives were developed, it would not be able to properly take these differences into account. This alternative would not be able to give guidance in all areas that may need improvement at some plants and not at others, nor would it be able to give credit for mitigative design aspects at some plants which don't exist at others. For these reasons, the staff abandoned consideration of this alternative.

(4) Require all plants to provide a separate and independent alternative shutdown system.

This alternative was considered as a possible solution because, in theory, if a totally independent (i.e., separate and independent from all existing plant features) design feature is provided, it would not be subject to ASIs. This type of alternative is receiving consideration under another unresolved safety issue, namely USI A-45, "Shutdown Decay Heat Removal Requirements."

This solution could theoretically solve all SI concerns; however, the cost for a "new design feature" to accomplish independent plant shutdown is high, probably on the order of tens of millions to $100 million per plant. Therefore, this alternative was not considered feasible when only the resolution of A-17 was considered.

(5) Require all plants to perform a focused individual study in specific areas for spatially coupled and functionally coupled ASIs.

Performing a focused review and potential associated modifications would reduce the probability of core melt. The quantification of the possible reduction proved extremely difficult. To estimate a reduction in core-melt frequency (and then calculate risk in terms of radiation release) requires that specific event sequences be selected and failure/success estimates be made for each function in the event tree. All the ASIs involve very specific plant conditions (such as operating modes, design features, and test and maintenance practices) and the overall results (such as loss of all cooling, loss of all ac power, and core melt) of an individual ASI are highly dependent on which specific plant design features remain intact after the ASI (such as remaining independent divisions, remaining displays) and the operator's response. Therefore, the risk analyses could not be used generically.

Studies conducted to identify ASIs and the risks associated with them have indicated that the associated risk is very low. For instance, as reported by the Atomic Industrial Forum, the Indian Point Unit 3 Study (1985), the most comprehensive study completed to date, has indicated that the risk imposed by ASIs is insignificant. Brookhaven National Laboratory (BNL) (NRC, April 1985) and Lawrence Livermore National Laboratory (LLNL) (NRC, January 1986) studies (also on Indian Point Unit 3) confirmed that uncovering subtle ASIs can be difficult; these reports also predicted very low risk from those ASIs that were identified.

For these reasons, the assessment of safety benefit is primarily qualitative.

The audit of the utilities' program was estimated to require 1 man-week per plant; therefore, about 2 man-years (total) would be involved. The audit of results (analysis/modifications) of the program and the subsequent safety evaluation report were estimated to require about 3 man-weeks per plant. Therefore, total NRC cost should not exceed $1 million. However, the cost to utilities would be much greater, as discussed in the following subsections of Section 4.1 (5.1(b)), (5.1(c)), (5.2(b)), and (5.2(c)), below.
Considering operating experience (NRC, NUREG/CR-3922), the evaluation of major utility programs, and recent plant-specific PRAs (NRC memorandum, December 1984), a number of "areas" of the plants appeared to be vulnerable to specific types of ASIs. On the basis of the above work, the concerns were focused in the areas of spatially coupled ASIs and functionally coupled ASIs as follows:

(5.1) Spatially Coupled ASIs

A number of licensee event reports (LERs) identified actual events or postulated conditions that involved spatially coupled ASIs. The following categories, as defined in NRC's NUREG/CR-3922, include spatially coupled adverse systems interactions identified in LERs:

Category 3   degradation of safety-related components by fire protection systems
Category 4   plant drain systems that allow flooding of safety-related equipment
Category 8   level instrumentation degraded by high-energy line break (HELB) conditions
Category 10  HELB conditions degrading control systems
Category 15  inadequate cable separation
Category 16  safety-related cables unprotected from missiles generated from HVAC fans
Category 17  suppression pool swell
Category 21  spatial dependencies due to failures during postulated seismic events
Category 23  other spatial dependencies

In addition, consultants to Oak Ridge National Laboratory compared the utility studies done at Indian Point Station, Unit 3, and Diablo Canyon Nuclear Power Plant, Units 1 and 2, in the area of spatially coupled SIs (NRC, NUREG/CR-4306). As a result of this work, a focused study was defined. The study would include (1) a limited target scope, (2) a list of hazards or initiating events (related to the targets), and (3) a simplified search method. The staff reviewed the results of the consultant's report and developed a proposed target scope and hazard scope based on other considerations, as follows:

Target Scope

Target is the term typically used to describe a structure, system, or component that is to be protected from ASIs. The consultant's report considered four target groupings:

- support systems and controls
- reactor coolant pressure boundary (RCPB)
- auxiliary feedwater system
- other frontline systems (such as ECCS)

The staff concluded that auxiliary feedwater systems have received significant attention as a result of the accident at Three Mile Island and other ongoing issues and staff actions.

Regarding the other frontline systems, it was concluded that if the RCPB is adequately protected from spatially coupled ASIs, the need for the operability of frontline systems under conditions such as earthquake is greatly reduced.

Therefore, the staff proposed to limit the scope to consideration of the systems required to achieve hot shutdown (and maintain it for 72 hours). This is consistent with the proposed resolution of USI A-46 in the area of seismic qualification of equipment.

Hazard Scope

Regarding the "hazards" evaluated in the utility programs, the following were identified: seismic events, fire, flood, missiles, pipe whip, and tornadoes. On the basis of earlier regulatory actions in certain of these areas, the staff proposed that only two types of the hazards needed to be considered: earthquake and flooding.

Fire reviews have been performed at all plants to meet the requirements of Appendix R to 10 CFR 50. These reviews include criteria that address the concerns for spatially coupled ASIs. However, the potential for ASIs from the fire protection equipment was noted (e.g., spray, flood). Therefore, the A-17 resolution would not propose to reevaluate this area except as it relates to the possibility of fluid interactions from the fire protection system.

Flood reviews were required by the Atomic Energy Commission (AEC) at all plants in 1972 after the Quad Cities flood of 1972 (AEC, 1972). There is some indication from the Systematic Evaluation Program (SEP) reviews and operating experience that this area needs more attention. Therefore, the staff examined the need to reevaluate flooding (and spraying and dripping) as potential hazards.

Missiles have been evaluated under the SEP reviews, and, in general, the staff concluded that plant systems were well protected from internal missiles (NRC, SECY-84-133). Therefore, the staff eliminated this hazard from further consideration.

Tornado-initiated missiles are not considered within the scope of USI A-17 and, therefore, are eliminated from further consideration.

(a) Safety Benefit

Because of the way nuclear power plants are designed and constructed by the various engineering disciplines, the possibility exists that space allocations for systems and interrelationships between systems may not have been adequately analyzed. The review of SI studies by utilities appears to support this conclusion. Although large numbers of spatially coupled interactions were identified in these programs, many of them are of low probability. Nevertheless, some of the operating experience (NRC, January 1985) and PRA results (NRC, December 1984) indicate that the potential for some risk-significant SIs exists. Also it can be inferred from these studies that there was probably no rigorous or systematic procedure in older plants to uncover these potential SIs during the design phase.

With respect to probability of occurrence, it can be argued that the probability of any one occurrence is low. On the other hand, some of the spatially coupled ASIs could be the result of very pervasive events, such as an earthquake or an internal flood. Given this "pervasive" aspect and the frequency of some of the initiators, for example safe shutdown earthquake (SSE)--on the order of 10^-4 per reactor year, or internal flood on the same order--concerns in these areas may still remain.

Many of the ASIs could damage support systems which have been shown by PRA analyses to potentially affect multiple safe shutdown or frontline systems as well as to initiate events. Therefore, if the probability of the initiating event is on the order of an SSE (and then subsequent damage to a support system is assumed) and this support system can initiate a transient and degrade the mitigation of that transient, it is clear that such spatially coupled ASIs involving support systems could be significant.

Another aspect that was considered is the potential for the operator to take recovery action. When the plant recovery actions that an operator might take are considered, it becomes apparent that for some of these spatially coupled SIs, and depending on the specific plant design, there may be few if any actions that can be taken, given the ASI occurs. That is, the potential physical damage involved may not be recoverable in a short time frame.
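The focused study defined above (a limited target scope, a list of hazards related to the targets, and a simplified search method) can be made concrete with a small dependency model. The following Python is an added illustration, not the A-17 program's method or any utility's search tool: it builds a constructed, hypothetical plant model (component names, rooms and dependencies are invented for the example) and searches it for functionally coupled ASIs (a support component whose failure degrades more than one hot-shutdown target) and for spatially coupled ASIs within the A-17 hazard scope of earthquake and flooding (a flood source, or a non-seismically-qualified item, sharing a location with a target's support chain, or one location hosting parts of several targets' chains).

```python
"""Simplified plant-specific search for adverse systems interactions (ASIs).

Constructed illustration (not the A-17 program's method): a hypothetical plant
model with functional dependencies and room assignments, searched for
(1) functionally coupled ASIs and (2) spatially coupled ASIs within the
A-17 hazard scope (earthquake, flooding).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    location: str                 # room or zone the component occupies
    seismically_qualified: bool   # survives the safe shutdown earthquake (SSE)
    flood_source: bool = False    # can release water into its location
    depends_on: tuple = ()        # support components it needs to function


# Constructed plant model; all names, rooms and dependencies are hypothetical.
PLANT = {
    "AFW pump A":         Component("AuxBldg-Rm101", True, depends_on=("125Vdc bus A", "Service water A")),
    "AFW pump B":         Component("AuxBldg-Rm102", True, depends_on=("125Vdc bus B", "Service water B")),
    "RCPB seal table":    Component("Containment", True),
    "125Vdc bus A":       Component("Battery room A", True, depends_on=("480Vac MCC A",)),
    "125Vdc bus B":       Component("Battery room B", True, depends_on=("480Vac MCC B",)),
    # Hidden dependency (the kind conclusion (9) describes): both service-water
    # trains are fed from MCC A, so train B is not independent of train A.
    "Service water A":    Component("Intake structure", True, depends_on=("480Vac MCC A",)),
    "Service water B":    Component("Intake structure", True, depends_on=("480Vac MCC A",)),
    "480Vac MCC A":       Component("Switchgear room A", True),
    "480Vac MCC B":       Component("Switchgear room B", True),
    # Hazard sources: a deluge header that can spray or flood its room, and an
    # unqualified cart parked near the RCPB seal table.
    "Fire deluge header": Component("AuxBldg-Rm101", False, flood_source=True),
    "Flux mapping cart":  Component("Containment", False),
}

# Target scope: systems required to achieve and maintain hot shutdown.
TARGETS = ("AFW pump A", "AFW pump B", "RCPB seal table")


def support_chain(name, plant=PLANT):
    """Transitive closure of a component and everything it depends on."""
    chain, stack = set(), [name]
    while stack:
        c = stack.pop()
        if c not in chain:
            chain.add(c)
            stack.extend(plant[c].depends_on)
    return chain


def functional_asis(targets=TARGETS, plant=PLANT):
    """Support components whose failure would degrade more than one target."""
    shared = {}
    for t in targets:
        for s in support_chain(t, plant) - {t}:
            shared.setdefault(s, set()).add(t)
    return {s: sorted(ts) for s, ts in shared.items() if len(ts) > 1}


def spatial_asis(targets=TARGETS, plant=PLANT):
    """(hazard, location, source, affected targets) tuples for the A-17 hazard scope."""
    targets_by_loc, comps_by_loc, in_scope = {}, {}, set()
    for t in targets:
        for c in support_chain(t, plant):
            in_scope.add(c)
            targets_by_loc.setdefault(plant[c].location, set()).add(t)
            comps_by_loc.setdefault(plant[c].location, set()).add(c)
    findings = []
    for name, comp in plant.items():
        affected = sorted(targets_by_loc.get(comp.location, ()))
        if not affected:
            continue
        if comp.flood_source:   # spray/flood reaches the target's chain
            findings.append(("flood", comp.location, name, affected))
        if not comp.seismically_qualified and name not in in_scope:
            findings.append(("earthquake", comp.location, name, affected))  # unqualified neighbor
    # Distinct components of several targets' chains sharing one room is itself a coupling.
    for loc, ts in targets_by_loc.items():
        if len(ts) > 1 and len(comps_by_loc[loc]) > 1:
            findings.append(("shared location", loc, None, sorted(ts)))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for support, ts in functional_asis().items():
        print(f"functional: {support} supports {ts}")
    for hazard, loc, src, ts in spatial_asis():
        print(f"{hazard}: {loc} ({src}) affects {ts}")
```

The search reports the shared MCC as a functional coupling of both AFW trains, the deluge header as a flood and seismic hazard to train A, the unqualified cart as a seismic hazard to the RCPB target, and the intake structure as a shared location of both service-water trains. Scaling the room and dependency data to a real plant is the costly part the page's cost estimates refer to; the search itself is cheap once the model exists.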
(b) Costs

The cost for a focused spatial study was estimated based on a review of the utility studies (NRC, NUREG/CR-4306). The required resources were broken down into the Plant Document Review Phase and the In-Plant Assessments Phase (onsite review). Their costs were estimated by apportioning the total costs of the utility programs to the target scopes reviewed in the programs.

Resolution costs for analysis and/or modifications have a very large range. The costs are dependent on the interactions identified by the programs, the method required for resolution, and many plant-dependent factors such as feasibility of plant modification.

The manpower requirements for in-plant assessment for each of the three target groups and the associated estimates for plant document review and analysis and modifications are shown below on a per plant basis:

Targets                   Plant document review   In-plant assessment   Analysis/mod. cost
                          (man-months)            (man-months)          (x $1000)
Supports & controls       8                       8                     $750-2000
RCPB                      2                       2                     $200-550
Safe shutdown equipment   2                       2                     $200-550
It should be noted that these costs were obtained by scaling down the scope of industry-conducted studies. These studies were first of a kind and were very thoroughly done, both in identifying possible interactions and in documenting them. As a result of the experience gained during this learning period, more-efficient reviews could be defined. It is expected, therefore, that the per plant costs could be substantially reduced from the estimates presented above, based on a number of potential efficiencies such as a better defined scope, reduced level of documentation and quality assurance, and a cooperative effort by plant owners through formation of an industry group to develop implementation procedures. It is estimated that these economies could amount to at least a 50% reduction in costs per plant. The foregoing data provide the basis for evaluating the potential cost associated with the review, identifying and resolving spatial SIs for each of the major groups of target systems by the utility.

(c) Value/Impact

The total costs per plant were estimated to range from about $0.5 million to $3.5 million; most plants were in the lower range because of actions already taken in these areas and the economies outlined above. A very rough estimate of overall industry costs would be on the order of $100 million. Although the value and impact were not calculated, the staff believes that the study of certain specific spatially coupled ASIs should be pursued for a number of reasons. Specifically, a number of potential ASIs have been noted in the SI studies and in the operating experience reviews. As an example, one recently postulated event involves a possible seismically induced SI with the reactor coolant pressure boundary. Westinghouse identified a concern with the potential for non-seismically qualified equipment (flux mapping system located over the instrumentation seal table) to jeopardize the integrity of the RCPB as a result of a seismic event. This type of potential event, coupled with the concerns that recovery from an actual event may be very difficult, forms the bases for further actions. (See Section 6, "Proposed Resolution.")

Similarly, events have occurred, have been postulated to occur, and appear to continue to occur involving internal flooding. The term "flooding" is used here to cover many types of events such as spraying and dripping as well as submergence.

Recently, a fire deluge system actuated inadvertently and water traveled through HVAC ducts and dripped down on sensitive electrical equipment. As a result of this event, the Office of Inspection and Enforcement issued Information Notice 85-85.

In another recent event, a temporary floor fan was used to cool an inverter and the inverter failed when water on the floor was blown into it.

Both the seismically induced ASIs and the flooding ASIs can have very widespread effects and, as a result, may affect many systems required for safe shutdown.

A dedicated search for these types of ASIs could be costly; however, a number of programs are already in place related to these concerns. The staff believes that to the extent possible these ongoing programs should be used to address the A-17 concerns. See the proposed resolution (Section 6) regarding the operating experience reviews (Section 6.1), the seismic concerns (Section 6.2), the flooding concerns (Section 6.3), and the Severe Accident Policy Statement (Section 6.5).
(5.2) Functionally Coupled ASIs

The review of operating experience highlighted a number of areas that involved functionally coupled ASIs. The staff concluded that for continued review the events could be grouped as follows:

- electric power systems
- support systems
- overreliance on failsafe design concept
- automatic action with no preferred failure mode
- instrumentation and control power supplies

Each significant area is discussed individually below.

- Electric Power Systems

Concerns related to this area were highlighted in Categories 1 and 13 of NUREG/CR-3922. The three most important factors contributing to the possible significance of this area are:

- It is one of the most extensive support systems in the plant.
- The systems are inherently among the most complex in the plant.
- Each plant design is different to some extent (i.e., there is very little standardization).

- Support Systems

Concerns related to the area of support systems were noted in Categories 1 (as stated, the electric power system is an extensive support system), 13, 14, 18, and 22 in NUREG/CR-3922. Since the electric power system was dealt with separately, the support systems considered here include: cooling water systems; heating, ventilation, and air conditioning systems; lube oil systems; air supply systems; and instrumentation and control systems. It was noted that all of these types of support systems tend to be plant unique to some extent, as is true with electric systems.

The main concern with many of the support systems is their potential to initiate an event and also degrade the systems necessary to mitigate that event. This potential breakdown in the defense-in-depth philosophy can exist in some plants; however, the safety significance is highly dependent on other plant mitigating features, such as remaining independent trains of equipment.

In addition, because the loss of these support systems (including the electrical power system) does not lead to events such as large LOCAs or MSLBs which require immediate operator action, the staff concluded that,
S j i i . j except for catastrophic failures (such as some spatially coupled sis), q the potential for recovery from ASIS involving these systems is very Lj great. 4 J - Overreliance on Failsafe Design Concept (Failure Modes) One area of ASIS involved reactor protection (scram) systems--Category 18 i in NUREG/CR-3922. The staff recognized that the ASIS in these systems j' could be significant because of the time response demanded of a trip
; system. An argument that the operator has time to compensate for a problem
] might not apply. b; In Category 18, a potential problem with the scram discharge volume (SDV) at all boiling-water reactors was noted. It was discovered that there
- could be water in the SDV because of poor drainage or a failure of air supply. Water in the SDV would inhibit control rod insertion. The failure i involving the air system was of particular concern because it involves a 3 system typically considered a portion of the reactor protection system 1 that is not safety related. Action was taken at all boiling-water reactors to correct the problem.
The staff believes that this type of ASI was the result of using a design approach which actually requires the " functioning" of a number of features l 3 that include systems not related to safety and therefore, an incorrect i g reliance on failsafe principles. In the case of the air system, the system ) was assumed to " fail safe" (i.e., bleed off), and as a result, a partial j
, failure, at some intermediate pressure, went unanalyzed. It was noted, i too, that the electrical supply system to this scram system had been pre-j viously modified because of a similar type of concern. Specifically, the i
electrical power was assumed to fail safe (i.e., voltage going to zero) and 3 as a result, partial failure such as low voltage or high voltage went } unanalyzed for a time. The staff acknowledges that there may be other areas of the plant in which i failsafe principles have been used incorrectly, but in all cases except in the reactor trip system (RTS) case, it is concluded that the safety sig-nificance would be less because of the time for the operator to take action. h: The only other case may be during a large LOCA, however the probability of I [_ a large LOCA or MSLB in conjunction with these types of failures should be n low. p. ? - Automatic Action With No Preferred Failure Mode ,, Another area of ASIS that was highlighted involved the inadvertent actua-4 tion of an engineered safety feature (ESF) (Category 6 in NUREG/CR-3922), i i.e., inadvertent ECCS/RHR (emergency core cooling system / residual heat 1 removal) pump suction transfer. The most significant characteristic of
- ] this area appears to be the fact that such a design feature does not have
[t an "always" preferred failure mode. As a result, extra precaution may be p needed to avoid (a) a failure to actuate when needed and (b) a failure that ] actuates the system when the system is not required (i.e. , inadvertently). 3 l 1 d A i 1 , USI A-17 Enc 1 1 15
The area of automatic switching of ECCS from the injection mode to the recirculation mode is the subject of a generic issue that is scheduled for prioritization, GI-24. GI-24 will consider the aspect of possible untimely, inadvertent ECCS/RHR pump suction transfer and, therefore, it is concluded that further specific action as part of the A-17 resolution is not warranted.

Some additional concern exists that other ESF systems at specific plants may similarly not always have a preferred failure mode. Some examples could be containment isolation, low-/high-pressure interface for RHR, and automatic selection for feeding intact steam generators only. In general, almost all of these systems have been analyzed for inadvertent actuation from a functional standpoint.

- Instrumentation and Control Power Supplies

The Oak Ridge National Laboratory (ORNL) review reported in NUREG/CR-3922 highlighted a few significant events related to instrumentation and control (I&C) power supplies. These events at all plants, and specifically at Babcock and Wilcox (B&W) plants, have already received significant attention as outlined in the ORNL followup review. Since there was some concern that the potential for significant events related to I&C power supply interactions may still exist, further review work at ORNL was identified.

ORNL completed this additional work and reported it in NRC's NUREG/CR-4470. The report included a number of I&C power supply failures, some of which led to initiation of a plant transient and partial disabling of a safety function or operator information.

As a result of the additional work performed by ORNL and the staff's further review of the area of I&C power, it was concluded that a significant number of issues and industry efforts are already under way in this area. In addition, the staff is proposing to integrate I&C power issues into a comprehensive program independent of A-17.

(a) Safety Benefits

With respect to the functionally coupled ASIs, the following parallel conclusions were reached:

(1) Unlike the possible lack of consideration of spatial allocations, the designers must usually consider all functional interrelationships in great detail. This is because the system will probably not operate if the functional ties are not operating correctly. As a result, the functional aspects get a significant amount of preoperational checkout and testing. On the other hand, the operating experience review has indicated that in some cases errors may cause some functionally coupled ASIs to exist, and in other cases subtle ASIs may be designed into the plant.
(2) If the large number of unanalyzed functionally coupled occurrences which could involve permutations and combinations of systems and all their failure states (including off, on, halfway, etc.) are contemplated, it is clear that not all possible functionally coupled ASIs have been analyzed. However, this is not always necessary if the analyses performed bound all possible cases (i.e., the analyses are conservative). In general, this is believed to be the case and most experience proves this.

(3) Similar to the spatially coupled ASIs of concern, the functionally coupled ASIs of concern often involve the support systems (and for the same reasons).

(4) The nature of the functionally coupled ASIs has led the staff to conclude that the majority of them would be recoverable (i.e., equipment was not damaged beyond use) given that the operator has the time and the information needed. In this regard, the actions taken with respect to Regulatory Guide 1.97 and I&E Bulletin 79-27 (NRC, November 1979) have provided improvements in the area of operator information.

(b) Costs
To perform a study for functionally coupled ASIs would involve some type of plant-specific systematic analysis such as an FMEA (failure mode and effects analysis), PRA, or sneak circuit analysis (NRC, NUREG/CR-4261). The costs of these types of studies are tied very closely to the scope and detail of the study. Much modeling is required if the scope is not limited to very specific areas or problems. The Brookhaven and Livermore studies were held to $1 million each; it would be expected that a focused study for functionally coupled ASIs would cost about the same amount.

(c) Value/Impact

Since the safety benefit of taking actions for these ASIs was also not practical to quantify, no value/impact was calculated.

As in the case of the spatially coupled ASIs, the review of the operating experience uncovered a number of functionally coupled ASIs. In addition, recent operating experience continues to show events that involve the same characteristics that were highlighted in the A-17 review. Of particular note are events involving the electrical system and the instrumentation and control system. There continue to be inadvertent actuations which cause undesirable actions, such as initiation of switchover to the containment sump. Also, isolation problems between safety and non-safety equipment still occur.

As was concluded for the spatially coupled ASIs, a dedicated search for these types of functionally coupled ASIs could be costly. However, the staff believes that there are in place a number of ongoing programs related to these concerns, and they should be used to address the A-17 concerns.
See the proposed resolution (Section 6) regarding the operating experience reviews (Section 6.1), the USI A-46 implementation (Section 6.2), the further investigation of flooding/water intrusion (Section 6.3), the instrumentation and control power supply issues reviews (Section 6.4), and the Severe Accident Policy Statement (Section 6.5).

(5.3) Induced Human-Intervention-Coupled ASIs

As a result of the definitions used in the USI A-17 program, these ASIs have been included in the evaluation of functionally coupled ASIs (Section 4.1(5)(5.2) above).

4.2 Alternatives for Future Plants

(1) Add a new and separate ASI review section to the Standard Review Plan.

The safety benefit of this alternative would be that ASIs would receive a dedicated review. The staff has generally concluded that the individual SRPs cover the area of ASIs. However, there is some question of whether the present approach is adequate for spatially coupled ASIs.

The cost to the utility would be to address a separate section in the review process. This would add another licensing burden; however, the concerns should already have been considered in the design and construction process. For example, plant walkdowns are often conducted by an applicant for the area of impacts of equipment that is not seismically qualified (Category II equipment) on seismically qualified (Category I) equipment ("II over I review") and for high-energy line break (HELB) effects. Adding this to the SRP would require that these reviews be broadened somewhat to consider other systems interactions. These costs would be expected to be less than $0.5 million per plant, especially given the prospect that future plants would be "standard" plants.

NRC costs would be somewhat increased because the SRP would recommend that the staff perform some additional review and audit walkdowns. This cost was estimated to be less than $100,000 per plant based on about 6 to 7 man-months of effort.

(2) Take no action.

This alternative was considered because: (a) the individual SRPs were believed to address ASIs, (b) future plants will perform a PRA or some type of systematic analysis, and (c) if A-17 recommendations regarding PRAs are included in those studies, consideration of ASIs could be addressed. (Refer to Section 4.3, "Alternatives for Improving Systematic Plant Reviews (Such as PRAs).")

(3) Provide additional regulatory guidance for ASIs.

It was concluded that, in general, the existing SRPs cover the ASIs of concern. There is a potential benefit to provide more guidance and, if the guidance is followed early enough in the design process, little added cost would result. Such vulnerabilities should surface in a systematic plant review (such as a PRA) which will be required of all future plants. Therefore, the staff considered future plants in conjunction with PRAs. (See Section 4.3 which follows.)
4.3 Alternatives for Improving Systematic Plant Reviews (Such as PRAs)

At the present time, it appears that by the Commission's severe accident policy (NUREG-1070, August 1985) all existing plants (those operating and those that have applied for an operating license) will be expected to perform a systematic plant examination for vulnerabilities. Future plants will be expected to perform a PRA. Therefore, the resolution of A-17 considered alternatives for future systematic studies or PRAs.

(1) Provide additional guidance.

By including more guidance in the specific areas of concern regarding ASIs, it is anticipated that better studies can be developed and safety-significant ASIs can be uncovered. The cost to the industry of the added guidance would be minimal and may in fact save money by focusing industry efforts in certain areas. [See the proposed resolution regarding PRAs (Section 6.5).]

(2) Take no action.

To date, there has been guidance given to PRAs regarding dependent failure analysis. This alternative would choose not to add any new information specific for ASIs. There would be neither safety benefit, cost, nor value/impact in selecting this alternative.

(3) Require and endorse a specific search method for uncovering ASIs.

This alternative evaluated various search methods; however, it was concluded that any number of methods could be acceptable and the largest benefit appeared to involve focusing the study in the right areas. There did not appear to be a greater safety benefit in choosing one method over another, and the particular method did not appear to be as critical as the focus; the costs to implement the various methods appear to be equivalent.

4.4 Alternatives for Evaluating Operating Experience

(1) Provide for new recommendations in the future evaluation of operating experience for ASIs.

The existing programs that deal with operating experience were reviewed by ORNL (NRC, NUREG/CR-4261). It was concluded that the scope of the programs does include ASIs.

(2) Take no action.

Based on the above, it was concluded not to consider other alternatives, except for the possible one-time dissemination of the information developed in USI A-17.
(3) Provide information on ASIs to ongoing evaluations of operating experience.

As just stated in item 2, the A-17 resolution is considering a one-time dissemination of information (see Section 6.1).

5 BASES FOR RESOLUTION OF UNRESOLVED SAFETY ISSUE A-17

Adverse systems interactions (ASIs) involve subtle and often very complicated plant-specific dependencies between components and systems, possibly compounded by inducing erroneous human intervention. The staff has identified actions to be taken by licensees and the NRC to resolve USI A-17, and has made the judgment that these actions, together with other ongoing activities, are sufficient to reduce the risk from adverse systems interactions to an acceptable level.

As discussed further below, the staff's judgment that the proposed actions are sufficient is not based on the assertion that all adverse systems interactions have been identified, but rather that the A-17 actions plus other activities by the licensees and staff will identify precursors to potentially risk-significant interactions so that action can be taken if necessary.

(1) Actions To Be Taken by Licensees As a Result of USI A-17

(a) Water Intrusion and Flooding From Internal Sources

As part of the resolution of USI A-17, the staff has identified that water intrusion and flooding of equipment from internal plant sources may result in a risk-significant adverse systems interaction. Such events could cause a transient or accident and could also disable the equipment needed to mitigate the consequences of the event. Existing requirements, if properly implemented by licensees, are sufficient to prevent or minimize the consequences of such a sequence of events. The staff plans to issue a letter under the provisions of 10 CFR 50.54(f) that requires each licensee to evaluate its implementation of these existing requirements.

(b) Dissemination of Information

The staff plans to issue a letter to all licensees that summarizes the A-17 conclusions and references the pertinent NRC reports developed during the course of the resolution of USI A-17. The letter and referenced reports provide information about potential adverse systems interactions that licensees are expected to review as part of their ongoing operating experience reviews required by TMI Action Plan Item I.C.5 of NUREG-0737.

(2) Actions To Be Taken by the NRC Related to Adverse Systems Interactions

(a) Integration of Specific, Ongoing Generic Issues Related to A-17

The NRC is considering certain aspects of potential interactions as part of the resolution of identified generic issues.
- USI A-46, "Seismic Qualification of Equipment"

Requirements to resolve this issue have been sent to the licensees. The NRC and industry are working on detailed procedures that will be used to implement the requirements on a plant-specific basis. These implementation procedures will include walkdowns of individual plants to ensure that the systems needed to shut down the plant and maintain it in a safe condition for 72 hours can withstand a design-basis seismic event. The scope includes not only the systems needed to control reactivity and remove decay heat, but also the supporting power supplies, controls, instrumentation, and environmental control subsystems needed by those systems. The plant walkdown reviews include seismic systems interactions.

- Generic Issue 128, "Electric Power Reliability"

The work on USI A-17 reemphasized the potential interactions stemming from the electric power system and, in particular, instrumentation and control (I&C) power supply failures. I&C power loss can cause significant transients and can simultaneously affect the operator's ability to proceed with recovery by disabling portions of the indications and the equipment needed for recovery. Because a number of generic issues already existed in the area of electric power, it was concluded that the information developed during the resolution of USI A-17 could be best utilized as part of those programs. The specific electric issues are:

- GI-48, "LCO for Class 1E Vital Instrument Buses in Operating Plants"
- GI-49, "Interlocks and LCOs for Redundant Class 1E Tie Breakers"
- GI-A-30, "Adequacy of Safety-Related DC Power Supplies"

To better deal with all the activities on electric power, it was decided to handle all these issues in one integrated program; this became Generic Issue 128, "Electric Power Reliability."

(b) Define and Prioritize Other Issues

The Advisory Committee for Reactor Safeguards (ACRS) and many other groups have identified concerns in the context of systems interactions. In many cases, the concerns are not considered to be within the scope of systems interactions as defined in the USI A-17 Task Action Plan. In some cases, these concerns have not been described specifically enough to permit the risk to be estimated. The NRC has undertaken a program with Oak Ridge National Laboratory (ORNL) to define these concerns in sufficient detail so that they may be prioritized in accordance with NRC procedures. The latest guidance is provided in a letter written by the NRC's Office of Nuclear Regulatory Research (RES Office letter 1). In the staff's judgment, the
concerns raised do not appear to represent a significant risk. If, however, an issue is categorized as having high or medium priority by the prioritization and peer review process, the issue will be assigned to the appropriate organization for resolution.

Examples of concerns involve potential coupling of postulated plant events such as seismically induced fires and seismically induced flooding, and the attendant potential for multiple, simultaneous, adverse systems responses.

(c) Probabilistic Risk Analyses or Other Systematic Plant Reviews

Existing Plants

The Commission's Severe Accident Policy, 50 FR 32128, requires that all existing plants perform a plant-specific search for vulnerabilities. Such searches, referred to as individual plant examinations (IPEs), involve a systematic plant review (which could be a PRA-type analysis). NRC is preparing to issue guidance for performing such reviews. One subject area to be treated by the IPEs is common-cause failures (or dependent failures). USI A-17 recognizes that ASIs are a subset of this broader subject area and, therefore, is providing for the dissemination of the insights gained in the A-17 program for use in the IPE work.

Future Plants

According to the Commission's Severe Accident Policy, all applicants who submit a plant docket for a construction permit or an operating license in the future are required to perform a probabilistic risk assessment (PRA) of the plant. NRC is issuing guidance on the content of PRA submittals for future light-water reactors (LWRs). As part of that guidance, A-17 is providing the insights gained in the A-17 program for the treatment of plant dependencies.

(3) Review of Events at Nuclear Power Plants

Licensees are expected to continue to review information on events at operating nuclear power plants in accordance with the requirements of Item I.C.5 of NUREG-0737. Such information is disseminated by the NRC in the form of information notices, bulletins, and other reports; by individual licensees in the form of licensee event reports; and by industry groups such as the Institute of Nuclear Power Operations (INPO). The NRC has an aggressive program of reviewing events at nuclear power plants. Each licensee is required to notify the NRC staff rapidly by telephone of any event that meets or exceeds the threshold defined in 10 CFR 50.72 and to file a written licensee event report for those events that meet or exceed the threshold defined in 10 CFR 50.73. Also, the NRC regional offices report events of significance every day. This information is reviewed daily by members of the NRC staff, and followup efforts are assigned for events that appear to be potentially risk significant and/or are judged to be a possible precursor to a more severe event. A weekly meeting is held to brief NRC management on those events of significance. This ongoing
process brings potentially significant events to the attention of the appropriate NRC staff and management. Depending on the significance, further action may be taken to notify licensees or to impose additional requirements. The total process offers a high degree of assurance that precursors to potentially significant events, including those involving adverse systems interactions, are treated expeditiously.

Staff Findings

It is the judgment of the staff that the combination of the actions described above will limit the risk from systems interactions to an acceptably low level. However, this does not mean that the staff has concluded that all possible adverse systems interactions in nuclear power plants have been or can be eliminated. On the contrary, the staff does not feel that such a goal can be achieved. Therefore, the staff is not recommending that each plant undertake a large, comprehensive study to uncover potential, subtle, adverse systems interactions. The staff found that such a study would not be cost effective. Instead, the staff is recommending other, specific, more cost-effective actions for reducing the frequency and impact of adverse systems interactions. Although these actions complete the staff's work under the Task Action Plan for USI A-17, and constitute technical resolution of the issue as defined therein, the potential for systems interactions remains an important consideration in the design and operation of nuclear power plants.

6 PROPOSED RESOLUTION

Considering the alternatives and other related activities, the staff proposes the resolution that follows. The staff's proposed resolution is summarized in Table 2.

6.1 Provide Information on ASIs to Ongoing Evaluations of Operating Experience

Ongoing industry and NRC review of operating experience can provide a framework for assessing ASIs (both those that have occurred and those that could occur). In addition, the ongoing reviews are specifically addressing some of the ASIs of concern highlighted by A-17.

Therefore, to ensure that these operating experience review programs consider the concerns highlighted in USI A-17, the staff recommends that a summary of the information developed from the work on USI A-17 be sent to all utilities for their use. Although no specific action would be required of the utilities, the staff believes that the transmittal of this information in itself will give the information that has been developed on the A-17 issue the appropriate level of attention.

Furthermore, to confirm that utilities are evaluating operational experience properly, both the NRC's inspectors and the Institute of Nuclear Power Operations' (INPO's) evaluation teams routinely audit and review this area. For example, NRC inspectors verify that utilities are reviewing events and issues discussed in NRC information notices for applicability to their facilities.
Table 2 Proposed resolution of USI A-17

| Identified concern | Action | Clarification |
|---|---|---|
| Spatial interactions that may be seismically initiated | USI A-46 considered | Multiple System Responses Program to consider this area further |
| Spatial interactions that result from a flooding-type event | A-17 proposes further action under a 50.54(f) request | Multiple System Responses Program to consider this area further |
| Functional interactions that involve safety systems and their support systems: electric power systems; instrumentation and control power supplies; failsafe principles, misapplication; safety functions with no always-preferred failure direction | A-17 proposes sending information to utilities for use in their operating experience reviews | A-17 will also provide information to NRC staff responsible for IPE reviews; GI-128 to consider A-17 information |

The information developed as a result of the A-17 program will be attached to the generic letter sent to all utilities. It will cover the following specific areas:

- electric power systems / support systems
- reliance on failsafe design principles
- automatic safety actions with no (always) preferred failure mode
- instrumentation and control power supplies

6.2 Acknowledge Seismic SI Aspects of the USI A-46 Implementation

One of the areas of concern highlighted in A-17 involves seismically induced SIs. The staff has concluded that activities are already taking place that adequately address this concern. Specifically, 72 older plants will be implementing requirements imposed by the resolution of USI A-46, "Seismic Qualification of Equipment in Operating Plants." The newer plants, not covered by the A-46 program, have been reviewed to current requirements which address seismically induced SIs.

The proposed resolution of A-46 involves an onsite review and walkdown of equipment required for safe shutdown. As part of this review and walkdown, the
evaluation team will review the potential for certain ASIs which might disable (1) the safe shutdown system components, (2) cable trays, and, to a limited extent, (3) the support systems. On the basis of this activity, the staff concluded that further review in this area (to resolve the A-17 issue) was not required. Although USI A-46 is not covering all possible ASIs, the staff has concluded that any further work in the area of seismically induced failures should be pursued as a generic issue separate from A-46 and A-17. For further information see the action under Section 6.6 below.

6.3 Require Utilities To Submit Information Certifying That Their Plants Have Been Adequately Evaluated With Respect to Internal Flooding and Water Intrusion

The staff was unable to determine if past and current activities in the area of internal flooding were sufficient. Therefore, it was decided that a 10 CFR 50.54(f) request should be initiated. As a result of that decision, the following information was prepared to address the elements of 50.54(f):

(1) A problem statement including a description of the need for information in terms of the potential safety benefit

The purpose of the proposed request is to confirm a plant's ability to cope with or prevent events involving water intrusion into sensitive equipment. The general design criteria address the area of water intrusion and flooding. Specifically, GDC 3, "Fire Protection," states:

    Fire fighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of structures, systems and components designated as important to safety.

GDC 4, "Environmental and Missile Design Basis," states:

    Structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids, that may result from equipment failures and from events and conditions outside the nuclear power unit. However, the dynamic effects associated with postulated pipe ruptures of primary coolant loop piping in pressurized water reactors may be excluded from the design basis when analyses demonstrate the probability of rupturing such piping is extremely low under design basis conditions.
In addition to the above basic requirements, generic letters issued in 1972 required further review at all licensed facilities. The Standard Review Plan covers more recent plants.

Subsequently, the Code of Federal Regulations was amended to include environmental qualification of electric equipment important to safety (10 CFR 50.49), and it required that the effects of submergence be considered.

In spite of these requirements and actions, the number of precursor events involving internal plant flooding and water intrusion has indicated to the staff that a plant's ability to achieve and maintain safe shutdown given such an event is in question. Two NRC offices have produced some documents that discuss some relevant events.

(a) Office of Inspection and Enforcement

"Actuation of Fire Suppression System Causing Inoperability of Safety-Related Ventilation Equipment," IE Information Notice 87-14, March 23, 1987.

"Systems Interaction Event Resulting in Reactor System Safety Relief Valve Opening Following a Fire-Protection Deluge System Malfunction," IE Information Notice 85-85, October 31, 1985.

"Actuation of Fire Suppression System Causing Inoperability of Safety-Related Equipment," IE Information Notice 83-41, June 22, 1983.

"Potential Damage to Redundant Safety Equipment as a Result of Backflow Through the Equipment and Floor Drain System," IE Information Notice 83-44, July 1, 1983.

(b) Office for Analysis and Evaluation of Operational Data

"Operating Experience Related to Moisture Intrusion in Electrical Equipment at Commercial Power Reactors," C402, June 1984.

"Investigation of Backflow Protection in Common Equipment and Floor Drain Systems to Prevent Flooding of Vital Equipment in Safety-Related Compartments," E304, March 1983. (This report was part of the bases for establishing Generic Issue 77, "Flooding of Safety Equipment Compartments by Backflow Through Floor Drains." This issue was assigned a high priority in NUREG-0933 and has been made part of the resolution of USI A-17.)

"Adverse System Interaction With Domestic Water Systems," C412, May 1984.

It is essential that NRC obtain information from licensees in order to confirm that all plants have evaluated these aspects of internal flooding and water intrusion. On the basis of the licensees' replies, it may be determined that some aspect was overlooked and that a safety concern exists. In such cases, further action may be necessary. Any such actions will be submitted to the Committee to Review Generic Requirements (CRGR).
(2) The licensee action required and the cost to develop a response to the information request:

Licensees would be required to submit a certification that they have performed water intrusion and flooding analyses. Since previous reviews and industry-initiated, ongoing reviews should provide the major portion of the background information, it is expected that the action will be minimal. It is estimated that it will require about 3 man-months to verify the background information for each reactor. Assuming a cost of $50/man-hour ($8000/man-month), the cost per reactor to gather background information and respond to questions is $24,000.

(3) An anticipated schedule for NRC use of the information:

The need for NRC action (including verification) will be determined after receipt of the licensee's certification. Schedules will be developed as appropriate. It is anticipated that NRC manpower requirements would involve about 2 man-years for verification.

6.4 Provide for the Integration and Coordination of Electrical and Instrumentation and Control Power Supply Issues and Concerns

Work on USI A-17 highlighted a number of ASI concerns in the area of instrumentation and control (I&C) power supplies (NRC, NUREG/CR-4470). One specific aspect of note for A-17 was the potential that the loss of one power supply could cause an event (such as a transient or trip) and then could also affect the systems required to respond to the event and/or the operators' information displays.

Although only a fraction of the events led to such results, the work under A-17 highlighted a number of other concerns that involved the failure of certain I&C power supply components (such as the inverters) and the lack of consistent limiting conditions for operation (LCOs) on the I&C power supplies.

Additional review showed that the area of I&C power has been the subject of a number of actions and is the subject of a number of continuing issues. To achieve a more coordinated approach to this area, the NRC staff working on the A-17 program recommends that the area of I&C power be integrated into one program and that these various issues be addressed under a single program plan to deal with the overall adequacy of nuclear power plant I&C power systems.

The NRC staff initiated this activity with the assistance of national laboratories under integrated issue GI-128, "Electric Power Reliability." Some of the issues and concerns being addressed include the following:

- A-30, "Adequacy of Safety-Related DC Power Supplies"
- GI-48, "LCO for Class 1E Vital Instrument Buses in Operating Reactors"
- GI-49, "Interlocks and LCOs for Redundant Class 1E Tie Breakers"
6.5 Provide Guidance for Future PRA or Other Systematic Plant Reviews

The staff and the nuclear power industry have been involved in developmental work for probabilistic risk assessments. One portion of that work involved the "PRA Procedures Guide" (NRC, NUREG/CR-2300) and the "PSA Procedures Guide" (NRC, NUREG/CR-2815). As stated above, the A-17 results can help focus on areas of the plant that need to be emphasized because of the high potential for these areas to be vulnerable to ASIs. Therefore, the resolution of A-17 will provide the information on ASIs highlighted in A-17 for use in future PRA work.

Similarly, as part of the NRC policy on severe accidents, "the Commission plans to formulate an integrated systematic approach to an examination of each nuclear power plant now operating or under construction for possible significant risk contributors (sometimes called 'outliers') that might be plant specific and might be missed absent a systematic search" (NRC, NUREG-1070). The A-17 resolution is providing the results of the A-17 study to the Severe Accident Program for its use.

6.6 Define Potential Generic Issues That Are Not Included As Part of the A-17 Resolution or Other Regulatory Programs

As was discussed under the scope and definition of the A-17 issue, some systems interaction concerns may not have been covered as part of the A-17 study. The staff, with the assistance of ORNL, is in the process of defining these other issues and concerns in sufficient detail so that they can be prioritized separately. As a result of this prioritization, additional work effort may be defined for the separate issues. This research program is designated "Multiple System Responses Program."

7 REFERENCES

Atomic Energy Commission, letter dated September 26, 1972, from R. C. DeYoung to licensees, "Flooding Event at Quad Cities, Unit 1."

Atomic Industrial Forum, Inc., letter dated October 8, 1985, from M. R. Edelman to V. Stello, "Unresolved Safety Issue A-17 Systems Interactions."

Consumers Power Company, "Program Manual Spatial Systems Interaction Program / Seismic Midland Energy Center," Revision 1, June 6, 1983.

Office of Inspection and Enforcement, NRC, Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power Systems Bus During Operation," November 30, 1979.
--, Information Notice 83-41, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Equipment," June 22, 1983.

--, Information Notice 83-44, "Potential Damage to Redundant Safety Equipment as a Result of Backflow Through the Equipment and Floor Drainage System," July 1, 1983.
--, Information Notice 85-85, "Systems Interaction Event Resulting in Reactor System Safety Relief Valve Opening Following a Fire-Protection Deluge System Malfunction," October 31, 1985.

--, Information Notice 87-14, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Ventilation Equipment," March 23, 1987.

Pacific Gas and Electric Company, "Diablo Canyon Seismically Induced Systems Interaction Program," Dockets 50-275 and 50-323, May 7, 1984.

Power Authority of the State of New York, "Systems Interaction Study, Indian Point 3," Docket 50-286, November 30, 1983.

U.S. Nuclear Regulatory Commission, Memorandum dated September 18, 1984, from R. Kendall to D. Thatcher, "Comments on ORNL Draft NUREG/CR-3922."
--, Memorandum dated December 3, 1984, from H. R. Denton to Division Directors, "Insights Gained From Probabilistic Risk Assessments."

--, Memorandum dated March 20, 1985, from A. Thadani to K. Kniel, "RRAB Inputs to the USI A-17 Program."

--, Memorandum dated May 31, 1985, from A. Thadani to K. Kniel, "RRAB Input to USI A-17 Resolution."

--, NUREG-75/014, "Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," October 1975.

--, NUREG-0471, "Generic Task Problem Descriptions (Categories B, C, and D)," June 1978.

--, NUREG-0572, "Review of Licensee Event Reports (1976-1978)," September 1979.

--, NUREG-0649, "Task Action Plans for Unresolved Safety Issues Related to Nuclear Power Plants," September 1984.

--, NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident," May 1980.

--, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980.

--, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," July 1981.

--, NUREG-0824, "Integrated Plant Safety Assessment Systematic Evaluation Program--Millstone Nuclear Power Station, Unit 1," February 1983.

--, NUREG-0933, Rev. 2, "A Prioritization of Generic Safety Issues," December 1984.

--, NUREG-1070, "NRC Policy on Future Reactor Designs," July 1985.

--, NUREG-1174, "Evaluation of Systems Interactions in Nuclear Power Plants: Technical Findings Related to Unresolved Safety Issue A-17," Draft Unpublished.
--, NUREG/CR-2300, "PRA Procedures Guide," Vols. 1 and 2, January 1983.

--, NUREG/CR-2815, "Probabilistic Safety Analysis Procedures Guide," Brookhaven National Laboratory, January 1984.

--, NUREG/CR-3922, "Survey and Evaluation of System Interaction Events and Sources," Oak Ridge National Laboratory, January 1985.

--, NUREG/CR-4179, "Digraph Matrix Analysis for Systems Interactions at Indian Point Unit 3, Abridged Version," Vol. 1 (January 1986); Vols. 2-6 will be available in the NRC Public Document Room, 1717 H Street, N.W., Washington, D.C., Lawrence Livermore National Laboratory.

--, NUREG/CR-4207, "Fault Tree Application to the Study of Systems Interactions at Indian Point 3," Brookhaven National Laboratory, April 1985.

--, NUREG/CR-4261, "Assessment of System Interaction Experience in Nuclear Power Plants," Oak Ridge National Laboratory, June 1986.

--, NUREG/CR-4306, "Review and Evaluation of Spatial System Interaction Programs," Oak Ridge National Laboratory, Unpublished.

--, NUREG/CR-4470, "Survey and Evaluation of Vital Instrumentation and Control Power Supply Events," August 1986.

--, SECY-84-133, "Results of SEP," Enclosure 4, "SEP Phase II Safety Lessons Learned," March 23, 1984.
Document Name: USI A-17 ENCL 2
Requestor's ID: BONNIE
Author's Name: Thatcher / Sanders
Document Comments: ETPB 5/4/88 KEEP THIS SHEET WITH DOCUMENT
DRAFT GENERIC LETTER

ADDRESSEES: All Holders of Construction Permits or Operating Licenses (Hereafter Referred To as Licensees)

SUBJECT: RESOLUTION OF UNRESOLVED SAFETY ISSUE A-17, "SYSTEMS INTERACTIONS IN NUCLEAR POWER PLANTS" (GENERIC LETTER 88- )

The NRC staff has resolved USI A-17, "Systems Interactions in Nuclear Power Plants." The resolution is outlined in NUREG-1229 (Reference 1) and is based on the evaluation reported in NUREG-1174 (Reference 2).

The purpose of this letter is to inform you of the results of the resolution of USI A-17 and to address the actions that involve licensees' activities. The letter includes three attachments: Attachment 1 contains a summary of the bases for the resolution of A-17; Attachment 2 contains significant findings of the USI A-17 program and information for use in operating experience reviews; Attachment 3 contains guidance for your consideration in responding to the 10 CFR 50.54(f) request (see below) in the area of water intrusion and flooding. Attachment 3 contains no new requirements, guidance, or interpretations. This letter merely restates the existing requirements, guidance, and interpretations and requests that licensees ensure, and then certify, that the existing requirements have been met.

Although no specific response is required to the second attachment, it is expected that you will utilize the information therein in your review of operating experience.

The third attachment requires a response according to the requirements of 10 CFR 50.54(f). The response should certify that you have:

(1) Determined and documented the susceptibility of plant equipment to water intrusion and flooding from internal plant sources in accordance with existing requirements and as described in Attachment 3. If a documented analysis of internal flooding and water intrusion (consistent with the existing requirements referenced in Attachment 3) is available and is applicable to the current plant configuration, it need not be redone in response to this letter.

(2) Determined whether or not there are deficiencies.

(3) Documented modifications you have made or plan to make to correct any identified deficiencies that you have determined should be corrected.

(4) Documented the justification for continued operation if any deficiencies that warrant such justification have not been corrected, including a description of the modification and the schedule for making any required modifications. It is expected that any modifications you determine necessary will be made consistent with NRC requirements and guidance and within two refueling outages but in no case longer than 4 years.

We require you to submit to the NRC within 180 days of this generic letter a response, signed under oath and affirmation, indicating that Items (1) through (4) above have been completed and the information is available for potential audit by the NRC.
Within 30 days of completing plant modification(s) you determine to be necessary, a response signed under oath and affirmation must be sent to the NRC indicating that all modifications have been completed and are available for potential audit by the NRC.

This request is covered by Office of Management and Budget Clearance Number 3150-0011, which expires September 30, 1989. Comments on burden and duplication may be directed to the Office of Management and Budget, Room 3208, New Executive Office Building, Washington, DC 20503.

Our review of your submittal of information in response to this letter is not subject to fees under the provision of 10 CFR 170.

If you have any questions, please contact your project manager.

Sincerely,

Frank Miraglia, Associate Director for Projects
Office of Nuclear Reactor Regulation

References:
1. NUREG-1229, "Regulatory Analysis for Proposed Resolution of USI A-17" (draft)
2. NUREG-1174, "Evaluation of Systems Interactions in Nuclear Power Plants" (draft)

Attachments:
Attachment 1: "Bases for Resolution of Unresolved Safety Issue A-17, 'Systems Interactions'"
Attachment 2: "For Information Only - Summary of the Resolution of USI A-17 and Information for Use in Operating Experience Evaluations"
Attachment 3: "Internal Water Intrusion and Flooding Analyses Guidance"
Document Name: USI A-17 ENCL 2 ATT 1
Requestor's ID: LINDA
Author's Name: Thatcher / Sanders
Document Comments: ETPB 03/22/88 KEEP THIS SHEET WITH DOCUMENT
BASES FOR RESOLUTION OF UNRESOLVED SAFETY ISSUE A-17 "SYSTEMS INTERACTIONS"

Adverse systems interactions (ASIs) involve subtle and often very complicated plant-specific dependencies between components and systems, possibly compounded by inducing erroneous human intervention. The staff has identified 4 actions to be taken by licensees and the NRC to resolve USI A-17, and has made the judgment that these actions, together with other ongoing activities, are sufficient to reduce the risk from adverse systems interactions to an acceptable level.

As discussed further below, this judgment that the proposed actions are sufficient is not based on the assertion that all adverse systems interactions have been identified, but rather that the A-17 actions plus other activities by the licensees and staff will identify precursors to potentially risk-significant interactions so that action can be taken if necessary.

(1) Actions To Be Taken by Licensees As a Result of USI A-17

(a) Water Intrusion and Flooding From Internal Sources

As part of the resolution of USI A-17, the staff has identified that water intrusion and flooding of equipment from internal plant sources may result in a risk-significant adverse systems interaction. Such events could cause a transient or accident and could also disable the equipment needed to mitigate the consequences of the event. Existing requirements, if properly implemented by licensees, are sufficient to prevent or minimize the consequences of such a sequence of events. The staff plans to issue a letter under the provisions of 10 CFR 50.54(f) that requires each licensee to evaluate its implementation of these existing requirements.

(b) Dissemination of Information

The staff plans to issue a letter to all licensees that summarizes the A-17 conclusions and references the pertinent NRC reports developed during the course of the resolution of USI A-17. The letter and referenced reports provide information about potential adverse systems interactions that licensees are expected to review as part of their ongoing operating experience reviews required by TMI Action Plan Item I.C.5 of NUREG-0737.

(2) Actions To Be Taken by the NRC Related to Adverse Systems Interactions

(a) Integration of Specific, Ongoing, Generic Issues Related to A-17

The NRC is considering certain aspects of potential interactions as part of the resolution of identified generic issues.
USI A-46, "Seismic Qualification of Equipment"

Requirements to implement this resolved issue have been sent to the licensees. The NRC and industry are working on detailed procedures that will be used to implement the requirements on a plant-specific basis. These implementation procedures will include walkdowns of individual plants to ensure that the systems needed to shut down the plant and maintain it in a safe condition for 72 hours can withstand a design-basis seismic event. The scope includes not only the systems needed to control reactivity and remove decay heat, but also the supporting power supplies, controls, instrumentation, and environmental control subsystems needed by those systems. The plant walkdown reviews include seismic systems interactions.

Generic Issue 128, "Electric Power Reliability"

The work on USI A-17 re-emphasized the potential interactions stemming from the electrical power system and, in particular, instrumentation and control (I&C) power supply failures. I&C power loss can cause significant transients and can simultaneously affect the operator's ability to proceed with recovery by disabling portions of the indications and the equipment needed for recovery. Because a number of generic issues already existed in the area of electric power, it was concluded that the information developed during the resolution of USI A-17 could be best utilized as part of those programs. The specific electric issues are:

GI-48, "LCO for Class 1E Vital Instrument Buses in Operating Plants"
GI-49, "Interlocks and LCOs for Redundant Class 1E Tie Breakers"
GI-A-30, "Adequacy of Safety Related DC Power Supplies"

To better deal with all the activities on electric power, it was decided to work all these issues in one integrated program, which became Generic Issue 128, "Electric Power Reliability."

(b) Define and Prioritize Other Issues

The Advisory Committee on Reactor Safeguards (ACRS) and other groups have identified other concerns in the context of systems interactions. In many cases, the concerns are not considered to be within the scope of systems interactions as defined in the USI A-17 Task Action Plan. In some cases, these concerns have not been described specifically enough to permit the risk to be estimated. The NRC has undertaken a program with Oak Ridge National Laboratory (ORNL) to define these concerns in sufficient detail so that they may be prioritized in accordance with NRC procedures. The latest guidance is provided in a letter
written by NRC's Office of Nuclear Regulatory Research (RES Office Letter 1). In the staff's judgment, the concerns raised do not appear to represent a significant risk. If, however, an issue is categorized as having high or medium priority by the prioritization and peer review process, the issue will be assigned to the appropriate organization for resolution. Examples of concerns involve potential coupling of postulated plant events such as seismically induced fires and seismically induced flooding, and the attendant potential for multiple, simultaneous adverse systems responses.

(c) Probabilistic Risk Analyses or Other Systematic Plant Reviews

- Existing Plants

The Commission's Severe Accident Policy, 50 FR 32128, requires that all existing plants perform a plant-specific search for vulnerabilities. Such searches, referred to as individual plant examinations (IPEs), involve a systematic plant review (which could be a PRA-type analysis). NRC is preparing to issue guidance for the performance of such reviews. One subject area to be treated by the IPEs is common-cause failures (or dependent failures). USI A-17 recognizes that ASIs are a subset of this broader subject area and, therefore, is providing for the dissemination of the insights gained in the A-17 program for use in the IPE work.

- Future Plants

According to the Commission's Policy on Severe Accidents, all applicants who submit a plant docket for a construction permit or operating license in the future are required to perform a probabilistic risk assessment (PRA) of the plant. NRC is issuing guidance on the content of PRA submittals for future light-water reactors (LWRs). As part of that guidance, A-17 is providing the insights gained in the A-17 program for the treatment of plant dependencies.

(3) Review of Events at Nuclear Power Plants

Licensees are expected to continue to review information on events at operating nuclear power plants in accordance with the requirements of Item I.C.5 of NUREG-0737. Such information is disseminated by the NRC in the form of information notices, bulletins, and other reports; by individual licensees in the form of licensee event reports; and by industry groups such as the Institute of Nuclear Power Operations (INPO). The NRC has an aggressive program of reviewing events at nuclear power plants. Each licensee is required to provide a rapid telephone notification of any event that meets or exceeds the threshold defined in 10 CFR 50.72 and to file a written licensee event report for those events that meet or exceed the threshold defined in 10 CFR 50.73. Also, the NRC regional offices report events of significance every day. This information is reviewed daily by members of the NRC staff and followup efforts are assigned for events that appear to be potentially risk significant and/or are judged to be a possible precursor to a more severe event. A weekly meeting is held to brief NRC management on those events of significance. This ongoing process provides a great deal of assurance that any potentially significant event is brought to the attention of the appropriate NRC staff and management. Depending on the significance, further action may be taken to notify licensees or to impose additional requirements. This process provides a high degree of assurance that precursors to potentially significant events, including those involving adverse system interactions, are treated expeditiously.

Staff Findings

It is the judgment of the staff that the combination of the actions described above will limit the risk from systems interactions to an acceptably low level. However, this does not mean that the staff has concluded that all possible adverse systems interactions in nuclear power plants have been or can be eliminated. On the contrary, the staff does not feel that such a goal can be achieved. Therefore, the staff is not recommending that each plant undertake a large, comprehensive study to uncover potential, subtle, adverse systems interactions. The staff found that such a study would not be cost effective. Instead, the staff is recommending other, specific, more cost-effective actions for reducing the frequency and impact of adverse systems interactions. Although these actions complete the staff's work under the Task Action Plan for USI A-17, and constitute technical resolution of the issue as defined therein, the potential for systems interactions remains an important consideration in the design and operation of nuclear power plants.
Document Name: USI A-17 ENCL 2 ATT 2
Requestor's ID: HCKENZIE
Author's Name: Thatcher / Sanders
Document Comments: ETPB 03/24/88 RETURN THIS SHEET WITH DOCUMENT
FOR INFORMATION ONLY

SUMMARY OF THE RESOLUTION OF USI A-17 AND INFORMATION FOR USE IN OPERATING EXPERIENCE EVALUATIONS

I. SUMMARY:

The U.S. Nuclear Regulatory Commission (NRC) has concluded its technical resolution of Unresolved Safety Issue (USI) A-17, "Systems Interactions in Nuclear Power Plants." This summary presents the results of that technical resolution. More detailed background information is provided in References 1 and 2.

Because of the complex, interdependent network of systems, structures, and components that constitute a nuclear power plant, the scenario of almost any significant event can be characterized as a "systems interaction." As a result, the staff recognized that if the term "systems interaction" was to be interpreted in a very broad sense it became an unmanageable safety issue. Focusing was required to address perceived safety concerns within this potentially broad subject area. One way to focus such an effort is to develop a working set of definitions based on the perceived safety concerns. It is recognized that by the very nature of such a focusing effort, all concerns that one may characterize as systems interactions may not be addressed. It is, therefore, extremely important that the scope and boundary of the focused program be clearly defined and understood. Then, if other concerns still exist after completion of the program, they can be addressed as part of separate efforts as deemed necessary.

The information presented in this document is based on the following definitions:

(1) Systems Interaction (SI)

Actions or inactions (not necessarily failures) of various systems (subsystems, divisions, trains), components, or structures resulting from a single credible failure within one system, component, or structure and propagation to other systems, components, or structures by inconspicuous or unanticipated interdependencies. The major difference between this type of event and a classic single-failure event is in those aspects of the initiating failure and/or its propagation that are not obvious (i.e., that are hidden or unanticipated).

(2) Adverse Systems Interaction (ASI)

A systems interaction that produces an undesirable result.

(3) Undesirable Result (Produced by Systems Interaction)

This was defined by a list of the types of events that were to be considered in USI A-17:
(a) Degradation of redundant portions of a safety system, including consideration of all auxiliary support functions. Redundant portions are those considered to be independent in the design and accident analysis (Chapter 15) of the Final Safety Analysis Report (FSAR) of the plant. (Note: This would violate the single-failure criterion.)

(b) Degradation of a safety system by a non-safety system. (Note: This result would demonstrate a breakdown in presumed "isolation.")

(c) Initiation of an "accident" (e.g., LOCA, MSLB) and (i) the degradation of at least one redundant portion of any one of the safety systems required to mitigate that event (Chapter 15, FSAR analyses); or (ii) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect actions. (Note: This includes failure to perform correct actions because of incorrect information.)

(d) Initiation of a "transient" (including reactor trip) and (i) the degradation of at least one redundant portion of any one of the safety systems required to mitigate the event (Chapter 15, FSAR analyses) or (ii) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect actions. (Note: This includes failure to perform correct actions because of incorrect information.)

(e) Initiation of an event that requires plant operators to act in areas outside the control room (perhaps because the control room is being evacuated or the plant is being shut down) and disruption of the access to these areas (for example, by disruption of the security system or isolation of an area when fire doors are closed or when a suppression system is actuated).

The intersystem dependencies (or systems interactions) have been divided into three classes based on the way they propagate:

(1) Functionally Coupled:

Those SIs that result from sharing of common systems/components, or physical connections between systems, including electrical, hydraulic, pneumatic, or mechanical.

(2) Spatially Coupled:

Those SIs that result from sharing or proximity of structures/locations, equipment, or components or by spatial inter-ties such as HVAC and drain systems.

(3) Induced Human-Intervention Coupled:

Those SIs in which a plant malfunction (such as failed indication) inappropriately induces an operator action, or a malfunction inhibits an operator's ability to respond. As analyzed in the A-17 program, these SIs are considered another example of functionally coupled ASIs. (Induced human-intervention-coupled systems interactions exclude random human errors and acts of sabotage.)

As a result of the staff's studies of adverse systems interactions (ASIs) undertaken as part of A-17 and reported in Reference 1, the staff has concluded the following:

(1) To address a subject area such as "systems interactions" in its broadest sense tends to be an unmanageable task incapable of resolution. Some bounds and limitations are crucial to proceeding toward a resolution. Considering this, the A-17 program utilized a set of working definitions to limit the issue. It is recognized that such an approach may leave some concerns unaddressed.

(2) The occurrence of an actual ASI or the existence of a potential ASI is very much a function of an individual plant's design and operational features (such as its detailed design and layout, allowed operating modes, procedures, and test and maintenance practices). Furthermore, the potential overall safety impact (such as loss of all cooling, loss of all electric power, or core melt) is similarly a function of those plant features that remain unaffected by the ASI. In other words, the results of an ASI depend on the availability of other independent equipment and the operator's response capabilities.

(3) Although each ASI (and its safety impact) is unique to an individual plant, there appear to be some characteristics common to a number of the ASIs.

(4) Methods are available (and some are under development) for searching out SIs on a plant-specific basis. Studies conducted by utilities and national laboratories indicate that a full-scope plant search takes considerable time and money. Even then, there is not a high degree of assurance that all, or even most, ASIs will be discovered.

(5) Functionally coupled ASIs have occurred at a number of plants, but improved operator information and training (instituted since the accident at Three Mile Island) should greatly aid in recovery actions during future events.

(6) Induced human-intervention-coupled interactions as defined in A-17 are a subset of the broader class of functionally coupled SIs. As stated for functionally coupled SIs, improvements in both operator information and operator training will greatly improve recovery from such events.

(7) As a class, spatially coupled SIs may be the most significant because of the potential for the loss of equipment which is damaged beyond repair. However, in many cases these ASIs are less likely to occur because of the lower probability of initiating failure (e.g., earthquake, pipe rupture) and the less-than-certain coupling mechanisms involved.

(8) Probabilistic risk assessments or other systematic plant-specific reviews can provide a framework for identifying and addressing ASIs.
(9) Because of the nature of ASIs (they are introduced into plants by design errors and/or by overlooking subtle or hidden dependencies), they will probably continue to happen. In their evaluations of operating experience, NRC and the nuclear power industry can provide an effective method for addressing ASIs.

(10) For existing plants, a properly focused, systematic plant search for certain types of spatially coupled ASIs and functionally coupled ASIs (and correction of the deficiencies found) may improve safety.

(11) The area of electric power, and particularly instrumentation and control power supplies, was highlighted as being vulnerable to relatively significant ASIs. Further investigation showed that this area remains the subject of a number of separate issues and studies. A concentrated effort to coordinate these activities and to include power supply interactions could prove an effective approach in this area.

(12) For future plants, additional guidance regarding ASIs could benefit safety.

(13) The concerns raised by the Advisory Committee on Reactor Safeguards (ACRS) on A-17, but which have not been addressed in the staff's study of A-17, should be considered as candidate generic issues, separate from USI A-17.

It should be noted that the staff has concluded that adverse systems interactions (ASIs) involve subtle, and often very complicated, dependencies. Therefore total elimination of ASIs is unachievable. For these reasons, the staff is not recommending that each plant undertake a large, comprehensive study to uncover ASIs. Instead, the staff is recommending other, more cost-effective actions for reducing the frequency and impact of ASIs. Although these actions complete the staff's work under the task action plan for USI A-17, and constitute technical resolution of the issue as defined therein, the potential for ASIs remains an important consideration in the design and operation of nuclear power plants. The staff has, therefore, acknowledged the continuing importance of ongoing activities such as probabilistic risk assessments or other systematic plant evaluations and the continuing review and evaluation of the industry's operating experience.

The regulatory analysis (Reference 2) considered a number of alternatives for resolution, and based on that analysis, the staff has concluded that certain actions should be taken to resolve USI A-17. These actions are:

(1) Send a generic letter to all plants outlining the resolution of USI A-17 and providing information developed during the resolution of A-17.

(2) Require all plants to respond to questions regarding internal flooding analyses under a 10 CFR 50.54(f) request.

(3) Consider systems interactions involving the electrical power systems in the integrated program on electrical power reliability.

(4) Provide information for use in future PRAs.

(5) Provide a framework for addressing those other concerns related to systems interactions which are not covered by the USI A-17 program.

(6) Acknowledge that the resolution of USI A-46 addresses aspects of systems interaction.

The following discussion addresses the first action. The second action is addressed in a separate attachment (Attachment 3). The remaining four actions involve staff actions.
II. INFORMATION FOR USE IN OPERATING EXPERIENCE EVALUATIONS

A. Background

The adverse systems interactions (ASIs) sorted from the survey of experience appeared to be due to two general causes. Some of the ASIs resulted from obvious errors or failures to meet clearly specified design requirements and/or guidance. Others arose from more subtle causes such as the lack of sufficient consideration, or analysis, of all the significant failure mechanisms or modes and the associated event combinations and/or sequences. In the case of older plants, the causes often are related to the fact that less design guidance and associated analyses were available and/or required when the plants were licensed.

Although no specific licensee actions are required, the staff concluded that if certain highlighted concerns identified in the A-17 studies were communicated to the industry, the ongoing industry evaluations of operating experience could provide adequate treatment of this information.

B. Highlighted Concerns*

As part of the effort to provide a more focused approach for the resolution of A-17, a set of tasks was defined to accomplish a search of operating experience to accumulate a data bank on the types of common-cause events of concern. The major portion of this work was performed by the Oak Ridge National Laboratory (ORNL), and a summary of ORNL's findings is included in Reference 3. The search emphasized events included in the LER (licensee event report) files and involved a screening of those events based on the task action plan definition. On the basis of the characteristics or attributes of the systems interaction events, a group of general categories of SI events was developed. The results of the ORNL experience review indicate 23 general categories of events (see Table 1) which have involved systems interactions.

*More details on the highlighted concerns and other ASIs are provided in References 1, 3, and 4, and those documents should be consulted for additional information.

Table 1  Event categories involving systems interactions

Category                                                                    No. of
No.    Title                                                                events
 1     Adverse interactions between normal or offsite power systems and       34
       emergency power systems
 2     Degradation of safety-related systems by vapor or gas intrusion        15
 3     Degradation of safety-related components by fire protection systems    10
 4     Plant drain systems allow flooding of safety-related equipment          8
 5     Loss of charging pumps due to volume control tank level                 6
       instrumentation failures
 6     Inadvertent ECCS/RHR pump suction transfer                              4
 7     HPSI/charging pumps overheat on low flow during safety injection        6
 8     Level instrumentation degraded by HELB conditions                      21
 9     Loss of containment integrity from LOCA conditions during purge        10
       operations
10     HELB conditions degrading control systems                               3
11     Auxiliary feedwater pump runout under steamline break conditions        2
12     Waterhammer events                                                      4
13     Common support systems or cross-connects                               18
14     Instrument power failures affecting safety systems                      5
15     Inadequate cable separation                                             8
16     Safety-related cables unprotected from missiles generated from          3
       HVAC fans
17     Suppression pool swell                                           (illegible)
18     Scram discharge volume degradation                                (illegible)
19     Induced-human interactions                                        (illegible)
20     Functional dependencies from failures during seismic events             5
21     Spatial dependencies from failures during seismic events               13
22     Other functional dependencies                                          21
23     Other spatial dependencies                                             30

(The event counts for categories 17 through 19 are not legible in the scanned source.)

Review of these 23 general categories led to the identification of five areas of highlighted concerns. These are discussed below:

Electric Power System

The electric power system includes the offsite sources, the switchyard, the power distribution buses and breakers, onsite generating equipment, and the
control power and logic to operate the breakers and start and load the diesel generators. Some of the lower voltage (typically 120-V ac and 125-V dc) power supply portion of the system is also dealt with under the "Instrumentation and Control Power Supplies" heading below (concern 5).

As outlined in References 3 and 4, concerns were highlighted in the area of electric power systems in Categories 1 and 13 (Table 1). Three important factors appear to contribute to the possible significance of this area:

(1) It is one of the most (if not the most) extensive support systems in a plant. Power is supplied from various sources including the offsite network, the main plant turbine generator and, in certain situations, the safety-related diesel generators. Power is then distributed to various items of equipment for normal plant control which is not related to safety, various engineered safety feature equipment which is safety related, and various items of equipment for shutdown and decay heat removal.

(2) Given these system demands, the power system is therefore an inherently complex system. A large number of normal operating modes at the plant, as well as transient and accident situations, must be accommodated. Interfaces are created between redundant safety-related equipment as well as between non-safety-related equipment and the safety-related equipment. In addition, the power system itself relies on a number of other support systems such as HVAC and cooling water.

(3) Because of individual plant requirements and situations (a number of significant events occur when the system is in any abnormal temporary alignment), each power system tends to have some unique aspects. Very few specific ASIs can be stated to be generically applicable; however, the staff believes that general classes of electric power events can be potentially generic.

ORNL (References 3 and 4) categorized the electric power system concerns into four areas:

- load sequencing/load shedding
- diesel generator failures caused by specific operating modes
- breaker failures due to loss of dc power
- failures that propagate between the safety-related portion and the non-safety-related portion of the power systems

With respect to these four areas of concern, the staff noted that although regulatory practice has allowed non-safety-related equipment to be powered from safety-related buses, this practice has created the potential for a number of undesirable interactions. In such situations, the isolation devices protect the safety-related equipment. These isolation devices have been the subject of much concern, both in the main power supply area (such as breakers that open on fault current or "accident" signals) and in the instrumentation and control power supply area (such as isolation transformers and other devices). In some cases, the "isolation" devices do not isolate the full range of undesirable events. In addition, the A-17 investigation has focused on another concern. Specifically, some ASIs involve scenarios in which a non-safety-related load is supplied by a safety-related bus and is adequately isolated. The non-safety load is part of the normal plant operation and/or control. A failure in the safety-related portion can propagate and create a situation in which a plant transient occurs as a result of non-safety loads supplied by the safety-related bus and, simultaneously, significant safety-related equipment is unavailable because of the same failure.

The most significant events of this type appear to be those that involve the instrumentation and control power systems. As stated below in the discussion of these specific power supplies, the staff believes that current activities in the area of instrumentation and control power supplies should be integrated and should address this type of concern specifically. Accordingly, the staff has initiated an integrated program to review these issues.

Plant Support Systems

Although relatively few events of note were identified from the operating experience (Categories 13, 14, 18, and 22 of Table 1 and References 3 and 4), PRAs have consistently shown the potential importance of support systems. (Note: The electric power system, also a support system, was dealt with separately above.) This category includes other support systems such as component cooling water; service water; heating, ventilating, and air conditioning; lube oil; and compressed air.

As is the case for the electric power system, these support systems are often extensive and may be unique. These support systems can affect multiple front-line safety systems and can often affect systems not related to safety. As a result, failures in support systems can potentially initiate a transient and also can degrade other systems, some of which may have been designed to mitigate that very same event.

The support systems of concern often have interconnections between redundant divisions for operational flexibility or they may have interconnections to non-safety-related equipment. In some cases, single failures such as headers, drain lines, and vents are designed into the systems because the probability of a passive failure in conjunction with the need for the system is assumed to be low. If the support system failure and the initiation of an event are coupled, a risk-significant situation could result from the failure of the support system (depending on other plant mitigating features).

Less attention may have been paid to the design and review of plant support systems than was paid to some of the frontline systems such as the ECCS. The safety significance of event initiation coupled with limiting the capability for mitigation may not have been recognized.
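The coupling described for both the electric power system (a non-safety load fed from a safety-related bus) and the other plant support systems is the kind of dependency a systematic plant review is meant to surface: one support failure that starts a transient and, through the same dependency chain, removes equipment credited to mitigate it. The following is an added example, not part of the NRC document or of any ORNL study; it screens a constructed, invented plant model (all system names, dependencies and event names are assumptions) for exactly that pattern by traversing the dependency graph from each support system.

```python
"""Screen a simplified plant dependency model for single support-system
failures that both initiate a transient and disable equipment meant to
mitigate that same transient (the coupling described for the electric
power and plant support systems).

The plant model is constructed for illustration only; the systems, the
dependencies and the event names are assumptions, not data from any plant.
"""
from collections import deque

# SUPPORTS[x] lists the equipment that stops functioning when x fails.
# Only direct dependencies are listed; transitive effects are traversed.
SUPPORTS = {
    "safety_bus_A":   ["hpsi_pump_A", "ccw_pump_A", "afw_pump_A",
                       "feedwater_control"],   # non-safety load fed from a safety bus
    "safety_bus_B":   ["hpsi_pump_B", "ccw_pump_B", "afw_pump_B"],
    "nonsafety_bus":  ["main_feedwater_pump"],
    "service_water":  ["ccw_pump_A", "ccw_pump_B"],
    "ccw_pump_A":     ["hpsi_pump_A"],          # assumed pump cooling dependency
    "ccw_pump_B":     ["hpsi_pump_B"],
    "instrument_air": ["feedwater_control", "afw_pump_A"],  # assumed air-operated valves
}

# Loss of these items starts a plant transient (the initiating event) ...
INITIATORS = {
    "feedwater_control":   "loss_of_feedwater",
    "main_feedwater_pump": "loss_of_feedwater",
    "service_water":       "loss_of_rcp_seal_cooling",
}

# ... and these items are credited to mitigate particular events.
MITIGATORS = {
    "afw_pump_A":  {"loss_of_feedwater"},
    "afw_pump_B":  {"loss_of_feedwater"},
    "hpsi_pump_A": {"loss_of_feedwater", "loss_of_rcp_seal_cooling"},
    "hpsi_pump_B": {"loss_of_feedwater", "loss_of_rcp_seal_cooling"},
}


def lost_equipment(failed):
    """Return every item lost, transitively, when `failed` fails (itself included)."""
    seen = {failed}
    queue = deque([failed])
    while queue:
        item = queue.popleft()
        for dependent in SUPPORTS.get(item, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def initiated_events(lost):
    """Events started by the loss of any item in `lost`."""
    return {INITIATORS[item] for item in lost if item in INITIATORS}


def screen_support_systems():
    """Map each support system to the events it both initiates and degrades.

    Result: {support: {event: (lost_mitigators, remaining_mitigators)}}.
    A support failure that initiates an event without touching its mitigators
    (e.g. the non-safety bus here) is a plain transient and is not reported.
    """
    findings = {}
    for support in SUPPORTS:
        lost = lost_equipment(support)
        for event in initiated_events(lost):
            mitigators = {m for m, events in MITIGATORS.items() if event in events}
            lost_mitigators = mitigators & lost
            if lost_mitigators:
                findings.setdefault(support, {})[event] = (
                    sorted(lost_mitigators), sorted(mitigators - lost))
    return findings


if __name__ == "__main__":
    for support, events in screen_support_systems().items():
        for event, (gone, left) in events.items():
            severity = "NO MITIGATION LEFT" if not left else f"remaining: {left}"
            print(f"{support}: initiates {event}, loses {gone} ({severity})")
```

In the constructed model the service water failure is the most severe finding: it initiates an event and, two dependency hops later, takes out both high-pressure injection trains, so no credited mitigation remains. The non-safety bus initiates the same loss-of-feedwater transient as the safety bus but touches no mitigator, which is why it is not reported; that distinction is the one the staff draws between an ordinary transient and an adverse systems interaction.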
Incorrect Reliance on Failsafe Design Principles

Protection systems at nuclear power plants rely on the design principle of "failsafe" to varying degrees. There have been instances (see Category 18 in Table 1 and References 3 and 4) in which some failure modes were insufficiently analyzed because someone relied too much on the concept of failsafe.

The events to date have involved the scram system and its related support functions such as the air system and electric power system. Specifically, it was discovered that water could be in the scram discharge volume (SDV) of a BWR as a result of poor drainage or an air supply failure. Water in the SDV would inhibit the insertion of control rods. The failure involving the air system was of particular concern because it involved a system that had been considered a portion of the reactor protection system not related to safety. Action was taken at all boiling-water reactors to correct this problem.

This type of ASI may have resulted from the use of a design approach that actually requires a number of non-safety-related features to function and, therefore, does not truly rely on failsafe principles. In the case of the air system, the system was assumed to fail safe, i.e., bleed off, and, as a result, a partial failure went unanalyzed. It was also noted that the electric supply system to this scram system had been modified previously because of a similar type of concern. Specifically, the electric power was originally assumed to fail safe (i.e., voltage going to zero) and, as a result, partial failure (such as low voltage or high voltage) went unanalyzed for a time.

The problems appear to have been created when portions of the systems were allowed to be classified as not related to safety because they were assumed to always fail safe.

Automated Safety-Related Actions With No Preferred Failure Mode

Another area of adverse systems interactions that was highlighted involved the inadvertent actuation of an engineered safety feature (ESF) (Category 6, "Inadvertent ECCS/RHR pump suction transfer"). The most significant characteristic of this area appears to be that, unlike a reactor trip, such a function does not have an "always preferred" failure mode. As a result, extra precautions may be needed to avoid (a) a failure to actuate when needed and (b) a failure that actuates the system when not required (i.e., inadvertently). The area of automatic ECCS switch to recirculation is the subject of an issue that is scheduled for prioritization, Generic Issue 24.

Although the reported events involved only the automatic switchover to the sump in PWRs, some concern exists that individual plants may have other functions with the same characteristic. Some possible other functions include:

- containment isolation functions
- logic that selects a faulted steam generator to isolate it
- low pressure-to-high pressure system interlocks in the RHR system

Of particular note is the possibility that these types of functions will actuate inadvertently during testing or maintenance. It is a fairly common practice to put portions of the actuation logic in a trip or actuated state and to assume then that the plant is in a "safe" condition. Although this may be true for functions that have a preferred failure mode, it may not be a conservative assumption for functions that do not have an always preferred failure mode.
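The two preceding concerns share one review error: a failure-mode analysis that considers only "normal" and complete loss of each support, on the assumption that complete loss is the safe direction. The following is an added example, not part of the NRC document; it places a function with an always-preferred failure mode (scram) beside one without (ECCS sump switchover), enumerates partial support failures as well as complete ones, and shows which adverse modes a fail-safe-only review never examines. The functions, the support systems and the response assigned to each failure mode are constructed assumptions, not data from any plant.

```python
"""Compare a binary 'fail-safe' failure-mode review against one that also
enumerates partial failures of a function's support systems, for a function
with an always-preferred failure mode (reactor scram: the tripped state is
always acceptable) and one without (ECCS sump switchover: a spurious
transfer and a missed transfer are both adverse).

Constructed illustration: the functions, support systems and the response
assigned to each failure mode are assumptions, not data from any plant.
"""

ON_DEMAND, SPURIOUS, MISSED = "actuates on demand", "spurious actuation", "fails to actuate"

# RESPONSE[function]["supports"][support][mode] = how the function behaves
# when that support is in that condition.
RESPONSE = {
    "reactor_scram": {
        "preferred_failure_mode": True,       # tripped is always a safe state
        "supports": {
            "scram_air_header": {
                "normal":       ON_DEMAND,
                "total_loss":   SPURIOUS,     # air bleeds off, rods insert: the credited fail-safe path
                "partial_loss": MISSED,       # assumed: reduced pressure leaves SDV vent/drain valves mispositioned
            },
            "rps_power": {
                "normal":       ON_DEMAND,
                "zero_voltage": SPURIOUS,     # de-energize-to-trip: credited fail-safe path
                "low_voltage":  MISSED,       # assumed: relays neither hold in nor drop out cleanly
                "high_voltage": MISSED,       # assumed
            },
        },
    },
    "eccs_sump_switchover": {
        "preferred_failure_mode": False,
        "supports": {
            "logic_dc_power": {
                "normal":       ON_DEMAND,
                "zero_voltage": MISSED,
                "low_voltage":  SPURIOUS,     # assumed: level comparator drifts and transfers suction early
            },
        },
    },
}

# The modes a binary review examines besides "normal": complete loss only.
COMPLETE_LOSS_MODES = {"total_loss", "zero_voltage"}


def is_adverse(response, preferred_failure_mode):
    """Missed actuation is always adverse; spurious actuation is adverse only
    for a function that has no always-preferred failure mode."""
    if response == MISSED:
        return True
    return response == SPURIOUS and not preferred_failure_mode


def review(binary_only):
    """Return sorted (function, support, mode) triples judged adverse.

    binary_only=True models the review that credited fail-safe behaviour and
    looked only at "normal" and complete loss of each support; False enumerates
    every listed mode, including the partial ones.
    """
    findings = []
    for function, spec in RESPONSE.items():
        for support, modes in spec["supports"].items():
            for mode, response in modes.items():
                if binary_only and mode != "normal" and mode not in COMPLETE_LOSS_MODES:
                    continue
                if is_adverse(response, spec["preferred_failure_mode"]):
                    findings.append((function, support, mode))
    return sorted(findings)


def missed_by_binary_review():
    """Adverse modes the fail-safe-only review never examined."""
    return sorted(set(review(binary_only=False)) - set(review(binary_only=True)))


def safe_to_park_tripped(function):
    """Whether leaving this function's actuation logic in the tripped or
    actuated state during testing or maintenance is a conservative condition:
    true only for functions with an always-preferred failure mode."""
    return RESPONSE[function]["preferred_failure_mode"]


if __name__ == "__main__":
    print("binary review finds:", review(binary_only=True))
    print("full review adds:   ", missed_by_binary_review())
```

The binary review clears the scram system entirely, because complete loss of air or of power does trip the reactor; it is the partial modes that reveal the missed actuations. For the switchover function the same binary review does catch the dead-bus case but not the drifting comparator, and safe_to_park_tripped records why the maintenance practice described above is conservative for one function and not for the other.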
Instrumentation and Control Power Supplies

The ORNL review (NRC, NUREG/CR-3922) highlighted several events related to instrumentation and control (I&C) power supplies (Category 14). The events at all plants, and specifically at B&W plants, have already received significant attention as outlined in the ORNL assessment. Some residual concern was expressed that the potential for a significant event related to I&C power supply interactions may still exist. Because of this concern, further review work at ORNL was identified.

ORNL completed this work (reported in Reference 5). A significant number of I&C power supply events were noted, some of which involve ASIs. Although there is concern about the area of I&C power supplies, a significant amount of work (both at NRC and in the industry) has addressed this area. The A-17 resolution has not recommended any specific requirements to deal with this area at this time, but has concluded that the existing efforts at NRC be coordinated to ensure that this critical area receives the proper emphasis. This is being done under Generic Issue 128, "Electric Power Reliability."

C. Recommendations

Ongoing industry reviews and evaluations of operating experience should specifically consider the above types of events. It is further recommended that where utilities determine that specific evaluations (e.g., plant walkdowns, limited-scope accident safety analyses, or probabilistic risk assessments) are needed to address other safety concerns, awareness and recognition of potential adverse systems interactions such as highlighted above should be included in these evaluations.

D. References

1. U.S. Nuclear Regulatory Commission, NUREG-1174, "Evaluation of Systems Interactions in Nuclear Power Plants" (draft).
2. -- , NUREG-1229, "Regulatory Analysis for Proposed Resolution of USI A-17" (draft).
3. -- , NUREG/CR-3922, "Survey and Evaluation of System Interaction Events and Sources," January 1985.
4. -- , NUREG/CR-4261, "Assessment of System Interaction Experience in Nuclear Power Plants," June 1986.
5. -- , NUREG/CR-4470, "Survey and Evaluation of Vital Instrumentation and Control Power Supply Events," August 1986.
Document Name: USI A-17 ENCL 2 ATT 3
Requestor's ID: BONNIE
Author's Name: Thatcher / Sanders
Document Comments: ETPB 05/04/88 PLEASE KEEP THIS SHEET WITH DOCUMENT
INTERNAL WATER INTRUSION AND FLOODING ANALYSES GUIDANCE

BACKGROUND

The resolution of USI A-17, "Systems Interactions in Nuclear Power Plants," concluded (References 1 and 2) that action should be taken at all plants to determine the adequacy of water intrusion analyses.

This conclusion was mostly based on a number of events that occurred in operating nuclear power plants and the effects of which had been unanticipated (References 3-10).

These events demonstrate the susceptibility of individual plant components to water intrusion and flooding from internal plant sources. Flooding, as discussed here, includes flooding of the equipment's location (i.e., equipment submergence) and other forms of water intrusion, including water spraying, dripping, or splashing on sensitive equipment. Examples of these types of events can be found in an operating experience review (References 3 and 4) conducted by the NRC and in individual NRC information notices (References 5-10). A key point apparent from these events is that the quantity of the water involved is not necessarily a measure of the problems that the water can create; the location of the water is much more significant. For example, a small leak that drips down through electrical equipment can have a more severe impact on the plant than an 8-foot flood in a pump compartment. Also, Generic Issue 77, "Flooding of Safety Equipment Compartments by Back-Flow Through Floor Drains," has received a high priority ranking (Reference 11) because of the possibility that plant designs have overlooked backflow through floor drains as a flooding pathway.

By this time, all plants should have conducted flooding-type studies as part of demonstrating conformance to various requirements.

(1) The general design criteria (10 CFR 50, Appendix A) address the area of water intrusion and flooding. Specifically,

    GDC 3, "Fire protection," states: "Fire fighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these structures, systems, and components" (designated as important to safety).

    GDC 4, "Environmental and missile design basis," states: "Structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with... normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids, that may result from equipment failures and from events and conditions outside the nuclear power unit. However, the dynamic effects associated with postulated pipe ruptures of primary coolant loop piping in pressurized water reactors may be excluded from the design basis when analyses demonstrate the probability of rupturing such piping is extremely low under design basis conditions."

USI A-17 Encl 2 Att 3 1

(2) Generic letters issued to licensed facilities in 1972 required additional review based on an event at the Quad Cities plant.

(3) For more recently licensed plants, the Standard Review Plan (NUREG-0800) cites the generic letters of 1972, and, therefore, flooding-type analysis should have been performed as part of the licensing process.

(4) All plants should have developed programs for the review of operating experience per the requirements of Item I.C.5 of NUREG-0737 (Reference 12). These reviews should include consideration of NRC information notices and other industry documents such as those issued by the Institute of Nuclear Power Operations (INPO). Both of these latter reviews have included events involving flooding/water intrusion.

GUIDANCE
The preceding requirements are not prescriptive with respect to how an internal flooding or water intrusion analysis should be performed. On the basis of a large amount of industry experience, the staff has determined that an acceptable internal flooding or water intrusion analysis should address the aspects listed below. However, the intent is not to require new analyses if documentation of previously performed analyses is available and is applicable for the current plant configuration.

(1) Internal Flooding and Water Intrusion Scope

    Internal flooding and water intrusion includes all forms of water or moisture release internal to plant structures (e.g., leaks or ruptures of water or steam sources, fire protection system actuation). Regardless of the means of release, the failure mechanism is intrusion of water or moisture to critical components.

(2) Sources

    The equipment or system that provides the water that subsequently creates the flooding/water intrusion. The water can have been released by failure (e.g., leaks, ruptures), by system actuation (e.g., fire protection system), or by special plant situations during maintenance or testing. In addition to pipe breaks that are considered design-basis accidents, actual operating experience has demonstrated problems that emanate from

    - domestic water systems (toilets, sinks, eye-wash stations, etc.)
    - fire suppression equipment
    - moderate energy piping systems such as circulating water
    - maintenance actions (e.g., draining, venting)
    - low pressure steam and condensate leakage
(3) Pathways

    The means by which the water reaches the susceptible equipment. Operating experience has demonstrated that separate rooms do not necessarily provide protection because of

    - drain systems that may be plugged or allow backflow
    - heating and ventilation ducts and penetrations between rooms
    - unsealed doors
    - unsealed electrical conduit and penetrations (either by design or from inadequate maintenance)
    - unusual maintenance situations (temporary drain lines, water barriers)

(4) Protected Equipment

    The equipment that is required to be protected against water intrusion. The general design criteria, guidance in generic letters, the Standard Review Plan, and information notices indicate that all safety-related equipment and its support equipment should be protected. As a result of the USI A-17 and A-46 programs, particular concern has been focused on the equipment and support equipment needed to achieve safe shutdown (and maintain it for an extended period of time).

In addition, any comprehensive program to address this issue should also consider collective industry experience such as that described in:

- NRC Information Notice 83-41, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Equipment," June 22, 1983.
- NRC Information Notice 83-44, "Potential Damage to Redundant Safety Equipment As a Result of Backflow Through the Equipment and Floor Drain Systems," July 1, 1983.
- NRC Information Notice 85-85, "Systems Interaction Event Resulting in Reactor System Safety Relief Valve Opening Following a Fire-Protection Deluge System Malfunction," October 31, 1985.
- NRC Information Notice 86-106, "Supplement 2: Feedwater Line Break," March 18, 1987.
- NRC Information Notice 87-14, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Ventilation Equipment," March 23, 1987.
- NRC Information Notice 87-49, "Deficiencies in Outside Containment Flooding Protection," October 9, 1987.
- INPO SOER 85-5, "Internal Flooding of Power Plant Buildings."
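The four aspects above (scope, sources, pathways, protected equipment) can be worked as a reachability problem: water released in one room propagates along every open pathway, and any safe-shutdown equipment in a reached room is exposed. The following is an added example, not part of the NRC guidance; it screens a constructed, invented layout (every room, source, pathway, piece of equipment and redundant group is an assumption) for that exposure, reports redundant trains that a single source would take out, and re-evaluates the layout after one pathway is closed, the way a proposed check valve or seal would be reviewed.

```python
"""Screen a room and pathway model for internal flooding and water-intrusion
exposure of equipment credited for safe shutdown, following the four aspects
above (scope, sources, pathways, protected equipment).

Constructed illustration: the rooms, sources, pathways, equipment and
redundant groups below are invented and do not describe any plant.
"""
from collections import deque

# Directed pathways: water in from_room can reach to_room when is_open.
# A floor drain is modelled as open in the backflow direction unless a
# check valve is credited (the Generic Issue 77 concern).
PATHWAYS = [  # (from_room, to_room, kind, is_open)
    ("fire_pump_room",    "cable_spreading_room", "floor_drain_backflow", True),
    ("turbine_bldg",      "aux_bldg_corridor",    "unsealed_door",        True),
    ("aux_bldg_corridor", "switchgear_room_A",    "hvac_duct",            True),
    ("aux_bldg_corridor", "switchgear_room_B",    "wall_penetration",     False),  # sealed
    ("aux_bldg_corridor", "switchgear_room_B",    "floor_drain_backflow", True),   # common drain header
    ("switchgear_room_A", "battery_room_A",       "unsealed_conduit",     True),
]

# Sources keyed by the room they release water into. Volume is not modelled:
# the small same-room source in switchgear_room_B exposes equipment just as
# the large circulating water source does (location matters more than quantity).
SOURCES = {
    "fire_pump_room":    "fire suppression deluge actuation",
    "turbine_bldg":      "circulating water expansion joint rupture",
    "switchgear_room_B": "eye-wash station overflow",
}

# Equipment credited for safe shutdown and the room it sits in.
PROTECTED = {
    "dg_A_control_panel": "switchgear_room_A",
    "dg_B_control_panel": "switchgear_room_B",
    "battery_charger_A":  "battery_room_A",
    "rps_cabinet":        "cable_spreading_room",
    "afw_pump_B":         "afw_pump_room",
}

# Redundant trains that should not be lost to one source.
REDUNDANT_GROUPS = [("dg_A_control_panel", "dg_B_control_panel")]


def reached_rooms(start, pathways=PATHWAYS):
    """Rooms water from `start` can reach along open pathways (start included)."""
    seen = {start}
    queue = deque([start])
    while queue:
        room = queue.popleft()
        for src, dst, _kind, is_open in pathways:
            if src == room and is_open and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def exposure_report(pathways=PATHWAYS):
    """Map each protected item to the sorted source rooms whose water reaches it."""
    report = {item: [] for item in PROTECTED}
    for source_room in SOURCES:
        wet = reached_rooms(source_room, pathways)
        for item, room in PROTECTED.items():
            if room in wet:
                report[item].append(source_room)
    return {item: sorted(rooms) for item, rooms in report.items()}


def common_source_losses(pathways=PATHWAYS):
    """Redundant groups whose every member is exposed by the same source room."""
    report = exposure_report(pathways)
    losses = {}
    for group in REDUNDANT_GROUPS:
        common = set.intersection(*(set(report[item]) for item in group))
        if common:
            losses[group] = sorted(common)
    return losses


def with_pathway_closed(from_room, to_room, kind, pathways=PATHWAYS):
    """Re-evaluate a proposed fix (check valve, seal) by closing one pathway."""
    return [(s, d, k, is_open and not (s == from_room and d == to_room and k == kind))
            for s, d, k, is_open in pathways]


if __name__ == "__main__":
    for item, rooms in exposure_report().items():
        print(f"{item}: {'exposed from ' + ', '.join(rooms) if rooms else 'not exposed'}")
    print("common-source losses:", common_source_losses())
    fixed = with_pathway_closed("aux_bldg_corridor", "switchgear_room_B", "floor_drain_backflow")
    print("after check valve on drain:", common_source_losses(fixed))
```

The point the model makes is the one the guidance makes: the sealed wall penetration into switchgear room B does not protect it, because the shared floor drain carries the turbine building flood in by backflow, and both diesel generator control panels are then lost to one source. Closing that single pathway in the model removes the common-source finding while leaving the same-room eye-wash exposure, which a check valve cannot address.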
REFERENCES

1. U.S. Nuclear Regulatory Commission, NUREG-1174, "Evaluation of Systems Interactions in Nuclear Power Plants" (draft).
2. -- , NUREG-1229, "Regulatory Analysis for Proposed Resolution of USI A-17" (draft).
3. -- , NUREG/CR-3922, "Survey and Evaluation of System Interaction Events and Sources," Vol. 1 and 2, January 1985.
4. -- , AEOD/C402, "Operating Experience Related to Moisture Intrusion in Electrical Equipment at Commercial Power Reactors," June 1984.
5. -- , Information Notice 83-41, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Equipment," June 22, 1983.
6. -- , Information Notice 83-44, "Potential Damage to Redundant Safety Equipment As a Result of Backflow Through the Equipment and Floor Drain Systems," July 1, 1983.
7. -- , Information Notice 85-85, "Systems Interaction Event Resulting in Reactor System Safety Relief Valve Opening Following a Fire-Protection Deluge System Malfunction," October 31, 1985.
8. -- , Information Notice 86-106, "Supplement 2: Feedwater Line Break," March 18, 1987.
9. -- , Information Notice 87-14, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Ventilation Equipment," March 23, 1987.
10. -- , Information Notice 87-49, "Deficiencies in Outside Containment Flooding Protection," October 9, 1987.
11. -- , NUREG-0933, "A Prioritization of Generic Safety Issues," December 1983.
12. -- , NUREG-0737, "Clarification of TMI-2 Requirements," September 1980.
Document Name: USI A-17 ENCL 3
Requestor's ID: BONNIE
Author's Name: Thatcher / Sanders
Document Comments: ETPB 05/04/88 KEEP THIS SHEET WITH DOCUMENT
USI A-17 RESOLUTION VS. REVISION 4 OF CRGR CHARTER (APRIL 1987)

50.54(f) Elements (III.A of CRGR Charter)

(a) "Problem statement including a description of the need for information in terms of the potential safety benefit"

The purpose of the proposed request is to seek licensee certification concerning the ability of nuclear power plants to cope with, or prevent events involving, water intrusion into sensitive equipment.

The general design criteria (10 CFR 50, Appendix A) address the area of water intrusion and flooding. Specifically, GDC 3, "Fire protection," states: "Fire fighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these structures, systems, and components" (designated as important to safety).

GDC 4, "Environmental and missile design basis," states: "Structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with... normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids, that may result from equipment failures and from events and conditions outside the nuclear power unit. However, the dynamic effects associated with postulated pipe ruptures of primary coolant loop piping in pressurized water reactors may be excluded from the design basis when analyses demonstrate the probability of rupturing such piping is extremely low under design basis conditions."

Generic letters issued in 1972 required additional review at all licensed facilities. The Standard Review Plan (NUREG-0800) sets the standards to be followed by newer plants regarding water intrusion and flooding. Subsequently, the Code of Federal Regulations was amended to include environmental qualification of electric equipment important to safety (10 CFR 50.49) and the Rule required consideration of the effects of submergence.

Despite these requirements, the number of precursor events involving internal plant flooding and water intrusion indicated to the staff that a plant's ability to achieve and maintain safe shutdown given such an event is in question. Examples of some relevant events are contained in the following NRC information notices and Office for Analysis and Evaluation of Operational Data (AEOD) reports:

USI A-17 Encl 3 1
NRC Information Notice 87-49, "Deficiencies in Outside Containment Flooding Protection," October 9, 1987.
NRC Information Notice 87-14, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Ventilation Equipment," March 23, 1987.
NRC Information Notice 86-106, Supplement 2, "Feedwater Line Break," March 18, 1987.
NRC Information Notice 85-85, "Systems Interaction Event Resulting in Reactor System Safety Relief Valve Opening Following a Fire-Protection Deluge System Malfunction," October 31, 1985.
NRC Information Notice 83-41, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Equipment," June 22, 1983.
NRC Information Notice 83-44, "Potential Damage to Redundant Safety Equipment as a Result of Backflow through the Equipment and Floor Drain System," July 1, 1983.
AEOD, C402, "Operating Experience Related to Moisture Intrusion in Electrical Equipment at Commercial Power Reactors," June 1984.
AEOD, E304, "Investigation of Backflow Protection in Common Equipment and Floor Drain Systems to Prevent Flooding of Vital Equipment in Safety-Related Compartments," March 1983. This report was part of the bases for establishing Generic Issue 77, "Flooding of Safety Equipment Compartments by Backflow Through Floor Drains." The issue was prioritized HIGH in NUREG-0933 and has been included in the resolution of USI A-17.
AEOD, C412, "Adverse System Interaction With Domestic Water Systems," May 1984.

It is essential that NRC obtain certification from licensees that adequate measures to protect against water intrusion have been taken at all plants. On the basis of the licensee's replies, it may be determined that some aspect was overlooked and that a safety concern exists. In such cases, further action may be necessary. Any such actions will be submitted to CRGR.

(b) "The licensee action required and the cost to develop a response to the information request"

Licensees would be required to submit a certification that they have performed water intrusion and flooding analyses. Since previous reviews and industry-initiated, ongoing reviews should provide the major portion of the background information, it is expected that the action will be minimal. It is estimated that it will require about 3 man-months to verify the background information for each reactor. The corresponding costs per reactor are estimated to be $24,000, based on $50/man-hour or $8000/man-month.
USI A-17 Encl 3 2
(c) "An anticipated schedule for NRC use of the information"

The need for NRC action (including verification) will be determined after receipt of the licensee's certification. Schedules will be developed as appropriate. It is anticipated that NRC requirements would involve about 2 man years for verification.

Additional Background Information for CRGR Review of USI A-17

The following information is provided in the format specified in the "Revised Charter - Committee to Review Generic Requirements," Revision 4, dated April 1987.

(i) The proposed generic requirement or staff position as it is proposed to be sent out to licensees:

The proposed resolution of USI A-17 includes one requirement which involves a 50.54(f) request for information. This generic request is included in the A-17 package as Enclosure 2.

(ii) Draft staff papers or other underlying staff documents supporting the requirements or staff positions. (A copy of all materials referenced in the document shall be made available upon request to the DEDROGR staff. Any committee member may request CRGR staff to provide a copy of any referenced material for his or her use.)

The draft documents that form the basis for the staff positions are included as the regulatory analysis (NUREG-1229) and the summary of results (NUREG-1174).

(iii) Each proposed requirement or staff position shall contain the sponsoring office's position as to whether the proposal would increase requirements or staff positions, implement existing requirements or staff positions, or would relax or reduce existing requirements or staff positions:

The proposal to issue a generic letter request for information regarding internal flooding implements existing requirements as outlined in the staff's response to item III.A of the CRGR Charter.

(iv) The proposed method of implementation along with the concurrence (and any comments) of OGC on the method proposed:

The proposed method of implementation is a generic letter request under 10 CFR 50.54(f).

(v) Regulatory analyses generally conforming to the directives and guidance of NUREG/BR-0058 and NUREG/CR-3568:

The regulatory analyses are contained in draft NUREG-1229.

(vi) Identification of the category of reactor plants to which the generic requirement or staff position is to apply (that is, whether it is to apply to new plants only, new OLs only, OLs after a certain date, OLs before a certain date, all OLs, all plants under construction, all plants, all water reactors, all PWRs only, some vintage types such as BWR/6 and 4, jet pump and nonjet pump plants, etc.):
USI A-17 Encl 3 3

The generic letter will apply to all plants.

(vii) For each category of reactor plants, an evaluation which demonstrates how the action should be prioritized and scheduled in light of other ongoing regulatory activities. The evaluation shall document for consideration information available concerning any of the following factors as may be appropriate and any other information relevant and material to the proposed action:

(a) Statement of the specific objectives that the proposed action is designed to achieve:

The action should allow the staff to verify utilities' actions in the area of internal flooding and water intrusion.

(b) General description of the activity that would be required by the licensee or applicant in order to complete the action:

The action would involve gathering and evaluating information developed in response to various previous or ongoing actions in this area.

(c) Potential change in the risk to the public from the accidental offsite release of radioactive material:

Although change in risk was not calculated, it is possible that some reduction in risk may occur if further evaluation shows vulnerabilities that require modifications.

(d) Potential impact on radiological exposure of facility employees and other onsite workers:

Since the majority of the action involves previous work, it is expected that the radiological exposure would not be increased.

(e) Installation and continuing costs associated with the action, including the cost of facility downtime or the cost of construction delay:

Because it is believed that the information is available, this action should have no effect on downtime. If major modifications would be needed, some downtime may result.

(f) The potential safety impact of changes in plant or operational complexity, including the relationship to proposed and existing regulatory requirements and staff positions:

It is anticipated that there should be no adverse safety impact.
USI A-17 Encl 3 4
(g) The estimated resource burden on the NRC associated with the proposed action and the availability of such resources:

NRC resources would be required for possible followup inspections. This effort is not to exceed 2 man years.

(h) The potential impact of differences in facility type, design, or age on the relevancy and practicality of the proposed action:

Although facilities may vary, the potential safety impact of flooding type events is relevant to all plants.

(i) Whether the proposed action is interim or final, and if interim, the justification for imposing the proposed action on an interim basis:

This action is considered final, unless responses indicate a need for further action.
USI A-17 Encl 3 5
Document Name: USI A-17 ENCL 4
Requestor's ID: MCKENZIE
Author's Name: Thatcher / Sanders
Document Comments: ETPB 3/24/88 PLEASE KEEP THIS SHEET WITH DOCUMENT
SUMMARY OF USI A-17 REFERENCES

In response to NRR Office Letter No. 39, Revision 1, the following summaries of the principal documents that had a role in the proposed resolution of USI A-17 were prepared to be part of the CRGR review package.

(1) Draft NUREG-1174, "Evaluation of Systems Interaction in Nuclear Power Plants: Technical Findings Related to Unresolved Safety Issue A-17," in process.

This report presents the technical findings and summarizes the work performed on USI A-17 by the U.S. Nuclear Regulatory Commission (NRC) and its contractors, Oak Ridge National Laboratory (ORNL), Brookhaven National Laboratory (BNL), Lawrence Livermore National Laboratory (LLNL), and Sandia National Laboratory (SNL). In addition, summaries and staff conclusions are presented regarding other related work, such as probabilistic risk assessment (PRA) techniques, evaluations of ongoing operating experience, and utility studies.

From the technical findings presented in this report, the staff formulated the resolution of USI A-17.

(2) NUREG/CR-3922, Vols. 1 and 2, "Survey and Evaluation of System Interaction Events and Sources," Nuclear Operations Analysis Center, Oak Ridge National Laboratories, January 1985.

This report describes a project that identified and evaluated systems interaction events that have occurred at commercial nuclear power plants in the United States. The report includes (a) an assessment of nuclear power plant operating experience data sources, (b) the development of search methods and event selection criteria for identifying systems interaction events, (c) a review of possible events, and (d) a final evaluation and categorization of the events. The report, organized in two volumes, outlines each of these steps and presents the results of the project. Volume 1 contains an introduction to the project, describes the process by which the project identified and evaluated the systems interaction events, and presents the results and recommendations from that evaluation. Volume 1 also contains appendices that review the data sources used in identifying events and outline the information collected for each event. Volume 2 provides a description of each adverse systems interaction event and lists the references for the events.

(3) NUREG/CR-4261, "Assessment of System Interaction Experience in Nuclear Power Plants," Nuclear Operations Analysis Center, Oak Ridge National Laboratory, June 1986.
USI A-17 Encl 4 1
This report describes the work performed by ORNL as a followup to the work reported in NUREG/CR-3922 and includes additional review of the categories of events established and an evaluation of systems interaction analysis methods. ORNL concludes that most of the events were adequately addressed. In one case, i.e., the case of the electric power system, ORNL expresses a concern that this category of events may deserve more attention. In addition, ORNL recommends that some concerns related to a few categories should be considered in future work on other generic issues contained in NUREG-0933.

With respect to spatially coupled events, ORNL evaluated both the events reported and additional work performed by ORNL's subcontractor, and concluded that additional regulatory action should be considered for this area.

The review of available analysis methods provided insights for consideration in the staff's resolution. Specifically, the evaluation of operating experience reviews and onsite reviews formed part of the basis for the staff's proposed resolution.

(4) NUREG/CR-4306, "Review and Evaluation of Spatial System Interaction Programs," performed by utilities based on a review done by Mark Technologies Corporation, December 1986.

The summary evaluates search methods and screens program results for safety significance. On the basis of these results, the contractor provided insights to maximize the benefit-to-cost ratio through a more narrowly focused study.

(5) NUREG/CR-4207, "Fault Tree Application to the Study of Systems Interactions at Indian Point 3," Brookhaven National Laboratory, Impell Corp. and Analysis and Technology, Inc., January 1986.

This report describes an application of fault tree methods to search for systems interactions at Indian Point 3: The methods are introduced, the findings are presented, and comments on the methods are offered.

The findings are presented as (a) systems interactions which may qualitatively violate regulatory requirements (regardless of their probability) and (b) a probabilistically ranked list of systems interactions.

This study resulted in the discovery of a previously undetected potential single failure causing loss of low pressure injection. After verifying this finding, the licensee took immediate corrective actions, including modifying the design of the switching logic for one of the safety buses, as well as making procedural changes.

(6) NUREG/CR-4179, Vols. 1 through 5, "Digraph Matrix Analysis for Systems Interactions at Indian Point 3," Lawrence Livermore National Laboratory, January 1986.

This report describes an application of digraph matrix analysis (DMA) to search for systems interactions at Indian Point 3. The report presents the DMA methodology and the results of the analysis of selected safety system combinations at Indian Point.
USI A-17 Encl 4 2
This report provides two scenarios identified as "significant systems interactions." One of those events involved a human error of improper valve alignment in the service water system. Although there may be some concern for this scenario, the A-17 program did not consider this an "adverse systems interaction." In the second scenario, the initiating failure probability was so low that the group involved in the A-17 program did not consider it a "significant" scenario. Furthermore, the utility states that this vulnerability was reviewed and acknowledged during the licensing process and concluded to be acceptable at that time also.

(7) NRC reports related to probabilistic risk assessment

NUREG-1050, "Probabilistic Risk Assessment (PRA) Reference Document," September 1984.
NUREG/CR-2815, Revision 1, "Probabilistic Safety Analysis Procedures Guide," Brookhaven National Laboratory, August 1985.
NUREG/CR-3852, "Insight Into PRA Methodologies," Science Applications, Inc., August 1984.

These three reports and other reports related to probabilistic risk assessments (PRAs) were used by the group involved in the A-17 program to gain insight into the treatment of "systems interaction" in that technology. In addition, PRA-related reports were used to help establish the types of adverse systems interaction events being uncovered in the application of that technology to individual plants.

The area of adverse systems interaction was concluded to be a subject of the larger and more general area of "dependencies" addressed in PRAs.
USI A-17 Encl 4 3
NUREG-1174

Evaluation of Systems Interactions in Nuclear Power Plants: Technical Findings Related to Unresolved Safety Issue A-17

Draft Report for Comment

U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research

Dale Thatcher
NUREG-1174

Evaluation of Systems Interactions in Nuclear Power Plants: Technical Findings Related to Unresolved Safety Issue A-17

Draft Report for Comment

Manuscript Completed: April 1987
Date Published:

Dale Thatcher

Division of Engineering
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20665
Document Name: USI A-17 ENCL 5
Requestor's ID: BONNIE
Author's Name: THATCHER / SANDERS
Document Comments: ETPB 5/4/88 KEEP THIS SHEET WITH DOCUMENT
ABSTRACT

This report presents a summary of the activities related to Unresolved Safety Issue (USI) A-17, "Systems Interactions in Nuclear Power Plants," and also includes the NRC staff's conclusions based on those activities. The staff's technical findings provide the framework for the final resolution of this unresolved safety issue as offered in NUREG-1229.
USI A-17 Encl 5 iii
TABLE OF CONTENTS

Page
ABSTRACT ........................................................ iii
ABBREVIATIONS ................................................... ix
EXECUTIVE SUMMARY ............................................... xi
1 INTRODUCTION .................................................. 1
2 BACKGROUND .................................................... 2
3 DEFINITIONS AND SCOPE ......................................... 2
3.1 Systems Interactions ........................................ 4
3.2 Adverse Systems Interactions ................................ 4
3.3 Other Common-Cause Events ................................... 6
3.4 Clarifications .............................................. 7
3.4.1 Operator Error ............................................ 7
3.4.2 External Events ........................................... 7
3.4.3 Major Plantwide Events and the Potential for Unanalyzed, Nonconservative, Multiple Systems Responses ... 7
3.4.4 Single Failure vs. ASIs ................................... 8
3.4.5 Frontline and Support Systems ............................. 9
3.5 Summary and Conclusions ..................................... 9
4 AVAILABLE METHODS FOR IDENTIFYING SYSTEMS INTERACTIONS ........ 9
4.1 Operating Experience Reviews ................................ 10
4.2 Onsite Inspections .......................................... 11
4.2.1 Plant Walkthroughs ........................................ 12
4.2.2 Preoperational Testing .................................... 12
4.3 Analysis by Parts ........................................... 13
4.3.1 Failure Modes and Effects Analysis ........................ 13
4.3.2 Design Reviews ............................................ 14
4.3.3 Decision Tables ........................................... 14
4.3.4 System State Enumeration .................................. 14
4.3.5 Binary Matrices ........................................... 15
4.4 Graph-Based Analyses ........................................ 15
4.4.1 Digraph Matrix Analysis ................................... 16
4.4.2 Event Tree Analysis ....................................... 17
4.4.3 Fault Tree Analysis ....................................... 18
4.4.4 GO Methodology ............................................ 18
4.4.5 Sneak-Circuit Analysis .................................... 18
4.4.6 Generic Analysis .......................................... 19
USI A-17 Encl 5 v
TABLE OF CONTENTS (Continued)

Page
5.6 Study of Seismic/Spatially Coupled Systems Interactions ..... 49
5.6.1 Target Scope .............................................. 49
5.6.2 Initiating Events ......................................... 49
5.6.3 Source Failures ........................................... 50
5.6.4 Documentation ............................................. 50
5.6.5 Analysis of Spatially Coupled Systems Interactions ........ 50
5.6.6 Staff Conclusions ......................................... 51
6 SUMMARY OF STAFF CONCLUSIONS .................................. 52
7 REFERENCES .................................................... 54
USI A-17 Encl 5 vii
ABBREVIATIONS

ACRS    Advisory Committee on Reactor Safeguards
ADS     automatic depressurization system
AEC     Atomic Energy Commission
AEOD    Office for Analysis and Evaluation of Operational Data
AFW     auxiliary feedwater
ANS     American Nuclear Society
ASI     adverse systems interaction
ATWS    anticipated transient without scram
BNL     Brookhaven National Laboratory
BTP     branch technical position
BWR     boiling-water reactor
CCC     common cause candidate
CCW     component cooling water
CFR     Code of Federal Regulations
CPCo    Consumers Power Company
DMA     digraph matrix analysis
ECCS    emergency core cooling system
EPRI    Electric Power Research Institute
ESF     engineered safety features
FMEA    failure modes and effects analysis
FSAR    Final Safety Analysis Report
GDC     general design criterion/criteria
GI      generic issue
HELB    high energy line break
HPSI    high pressure safety injection
HVAC    heating, ventilation, and air conditioning
I&C     instrumentation and control
I&E     Office of Inspection and Enforcement, NRC
IEEE    Institute of Electrical and Electronics Engineers
INPO    Institute of Nuclear Power Operations
IP3     Indian Point Station, Unit 3
IREP    Interim Reliability Evaluation Program
LER     licensee event report
LLNL    Lawrence Livermore National Laboratory
LOCA    loss-of-coolant accident
MSLB    main steamline break
USI A-17 Encl 5 ix
NPRDS   Nuclear Plant Reliability Data System
NRC     U.S. Nuclear Regulatory Commission
NSSS    nuclear steam supply system
NYPA    New York Power Authority
ORNL    Oak Ridge National Laboratory
PASNY   Power Authority of the State of New York
PG&E    Pacific Gas & Electric Co.
PRA     probabilistic risk assessment
PWR     pressurized-water reactor
RCPB    reactor coolant pressure boundary
RHR     residual heat removal
RSS     Reactor Safety Study
RSSMAP  Reactor Safety Study Methodology Applications Program
RTS     reactor trip system
SEP     Systematic Evaluation Program
SETS    Set Equation Transformation Systems
SI      systems interaction
SISIP   Seismically Induced Systems Interaction Program
SRP     Standard Review Plan
TAP     Task Action Plan
TMI     Three Mile Island Nuclear Station
TMI-2   Three Mile Island Nuclear Station, Unit 2
USI     unresolved safety issue
USI A-17 Encl 5 x
Degradation of a safety system by a system that is not safety related. (Note: This result would demonstrate a breakdown in presumed "isolation.")

Initiation of an "accident" [e.g., loss-of-coolant accident (LOCA), main steamline break (MSLB)] and (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate that event (Chapter 15, FSAR analyses) or (b) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect action. (Note: This includes failure to perform correct actions because of incorrect information.)

Initiation of a "transient" (including reactor trip) and (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate that event (Chapter 15, FSAR analyses) or (b) sufficient degradation of critical operator information to cause the operator to perform unanalyzed, unassumed, or incorrect action. (Note: This includes failure to perform correct actions because of incorrect information.)

Initiation of an event that requires plant operators to act in areas outside the control room (perhaps because the control room is being evacuated or the plant is being shut down) and disruption of the access to these areas (for example, by disruption of the security system or isolation of an area when fire doors are closed or a suppression system is actuated).

The intersystem dependencies (or systems interactions) have been divided into three classes based on the way they propagate:

(1) Functionally Coupled

Those SIs that result from sharing of common systems/components, or physical connections between systems, including electrical, hydraulic, pneumatic, or mechanical.

(2) Spatially Coupled

Those SIs that result from sharing or proximity of structures/locations, equipment, or components, or by spatial inter-ties such as heating, ventilation, and air conditioning (HVAC) and drain systems.

(3) Induced Human-Intervention Coupled

Those SIs in which a plant malfunction (such as failed indication) inappropriately induces an operator action, or a malfunction inhibits an operator's ability to respond. As analyzed in A-17, these SIs are considered another example of functionally coupled ASIs.
(Note: Random human errors and acts of sabotage are excluded.)

As a result of the staff's studies of ASIs undertaken as part of its search for a solution to the USI A-17 safety issue, the staff has concluded the following:

(1) To address a subject area such as "systems interactions" in its broadest sense tends to be an unmanageable task and therefore incapable of resolution. Some bounds and limitations are crucial to proceeding toward a resolution. Considering this, the A-17 program utilized a set of working definitions to limit the issue. It is recognized that such an approach may leave some concerns unaddressed.

(2) The occurrence of an actual ASI or the existence of a potential ASI is very much a function of an individual plant's design and operational features (such as its detailed design and layout, allowed operating modes, procedures, and test and maintenance practices). Furthermore, the potential overall safety impact (such as loss of all cooling, loss of all electric power, or core melt) is similarly a function of those plant features that remain unaffected by the ASI. In other words, the results of an ASI depend on the availability of other independent equipment and the operator's response capabilities.

(3) Although each ASI (and its safety impact) is unique to an individual plant, there appear to be some characteristics common to a number of the ASIs.

(4) Methods are available (and some are under development) for searching out SIs on a plant-specific basis. Studies conducted by utilities and national laboratories indicate that a full-scope plant search takes considerable time and money. Even then, there is not a high degree of assurance that all, or even most, ASIs will be discovered.

(5) Functionally coupled ASIs have occurred at a number of plants, but improved operator information and training (instituted since the accident at Three Mile Island) should greatly aid in recovery actions during future events.

(6) Induced human-intervention-coupled interactions as defined in A-17 are a subset of the broader class of functionally coupled SIs. As stated for functionally coupled SIs, improvements in both operator information and operator training will greatly improve recovery from such events.

(7) As a class, spatially coupled SIs may be the most significant because of the potential for the loss of equipment which is damaged beyond repair. However, in many cases these ASIs are less likely to occur because of the lower probability of the initiating failure (e.g., earthquake, pipe rupture) and the less-than-certain coupling mechanisms involved.

(8) Probabilistic risk assessments or other systematic plant-specific reviews can provide a framework for identifying and addressing ASIs.

(9) Because of the nature of ASIs (they are introduced into plants by design errors and/or by overlooking subtle or hidden dependencies), they will probably continue to happen. In their evaluations of operating experience, NRC and the nuclear power industry can provide an effective method for addressing ASIs.

(10) For existing plants, a properly focused, systematic plant search for certain types of spatially coupled ASIs and functionally coupled ASIs (and correction of the deficiencies found) may improve safety.

(11) The area of electric power, and particularly instrumentation and control power supplies, was highlighted as being vulnerable to relatively significant ASIs. Further investigation showed that this area remains the subject of a number of separate issues and studies. A concentrated effort to coordinate these activities and to include power supply interactions could provide a more effective approach in this area.

(12) For future plants, additional guidance regarding ASIs could benefit safety.

(13) The concerns raised by the Advisory Committee on Reactor Safeguards (ACRS) on A-17, but which have not been addressed in the staff's study of A-17, should be considered as candidate generic issues, separate from USI A-17.
Document Name: USI A-17 ENCL 5
Requestor's ID: MCKENZIE
Author's Name: Thatcher/Sanders
Document Comments: ETPB 3/24/88  KEEP THIS SHEET WITH DOCUMENT
UNRESOLVED SAFETY ISSUE A-17: SYSTEMS INTERACTIONS IN NUCLEAR POWER PLANTS

1 INTRODUCTION

In 1978, the NRC identified the area of systems interactions as an unresolved safety issue (USI) and designated it as USI A-17, "Systems Interactions in Nuclear Power Plants."

The origins of the concerns with systems interactions go back to 1974 when the Advisory Committee on Reactor Safeguards (ACRS, Nov. 8, 1974) expressed its belief that the staff should give "attention to the evaluation of safety systems and associated equipment from a multi-disciplinary point of view to identify potentially undesirable interactions between systems."

It should be noted that the original concerns were raised in the context of standard plants (ACRS, Nov. 8, 1974). It was felt that with the prospect of many "identical" plants, significant additional efforts should be focused on uncovering potential problems that may arise because a nuclear power plant is designed by groups of engineers and scientists who belong to separate engineering and scientific disciplines. It was recognized that some interdisciplinary reviews were performed to ensure the compatibility of the plant's structures, systems, and components; however, there remained some question regarding the adequacy of these reviews. For standardized plants, it was believed that the additional effort could provide significant benefits. In addition to the original ACRS concern, some potentially significant events at operating nuclear power plants have been traced to, or have been postulated to be the result of, a single common cause (as opposed to multiple independent causes). As a result, the required independence among the plant safety systems and the independence of the safety systems from the systems not related to safety has been questioned. Because of the original ACRS concern and because some significant operating events took place as a result of unexpected interdependencies among the various plant systems, components, and structures, USI A-17 was developed to address the area of systems interactions. (Note: The program designed to address systems interactions will not address all events resulting from a single common cause.) For further clarification, see Sections 2 and 3 of this report.

In 1979, an accident at the Three Mile Island Nuclear Station, Unit 2 (TMI-2) led to issuance of NUREG-0660, "NRC Action Plan Developed As a Result of the TMI-2 Accident," which identified TMI Action Plan Item II.C.3, "Systems Interaction," for the purpose of coordinating and expanding the staff's work on systems interaction (USI A-17) and to incorporate that work into an integrated plan for addressing the broader question of systems reliability in conjunction with IREP (Interim Reliability Evaluation Program) and other efforts. The TMI-2 Action Plan also stated: "As these programs go forward, there will be a conscious effort to coordinate these activities, including possible combination of resources, to eliminate unnecessary duplication." As stated in the Task Action Plan (TAP) for USI A-17 (NUREG-0649), the resolution of USI A-17 has considered the activities described in Item II.C.3.
The A-17 program has been "designed to establish whether or not there are significant generic safety concerns in the area of systems interactions, and then, if there are such concerns, to develop ways to identify these concerns and address them."

2 BACKGROUND

The term "systems interaction" has never been precisely defined, and, as a result, the investigation into the concern has suffered from a lack of a clear focus. At times, A-17 was becoming a "catch all" category for almost all significant events that occurred at operating reactors. The term has often been used interchangeably with other terms such as "dependent failures," "propagating failures," "common-cause failures," and "common-mode failures." To address what was perceived to be the original concern, and to address some of the significant types of events that have occurred, the A-17 program has been provided with a set of working definitions (see Section 3, "Definitions and Scope"). The definitions attempt to clarify the specific types of phenomena or events that are of interest in A-17 and to separately classify other phenomena or events considered outside the scope of A-17.
3 DEFINITIONS AND SCOPE

One of the largest efforts in focusing all of the various tasks related to systems interactions was in the development of a workable set of definitions. The definitions, and associated clarifications, were drawn from the large amount of information previously developed in A-17 (before 1983). The definitions attempt to clarify the specific types of phenomena or events that are of interest, i.e., those that represent unanticipated, adverse interactions among "systems," where systems can be structures, systems, or components. The definitions also attempt to separately classify other types of events which, although they may be significant, are not addressed in A-17. Table 1 is included to summarize the scope and bases of the USI A-17 issue.

The definitions presented here parallel those in the NRC Task Action Plan (NUREG-0649); however, the term "common-mode failure" has been dropped and further clarifications have been added. In developing the definitions, the main objective was to acknowledge that a great amount of concern exists regarding events in which a scenario progresses to an undesirable set of circumstances and the cause can be traced to a single common cause (common-cause events), involving an equipment malfunction or failure and its propagation.

After tracing the origins of the systems interaction concern as expressed by the ACRS and then also considering the changes that have been taking place in the nuclear industry over the last 10 years, it was decided that a classification needed to be created to make the problem of "systems interactions" more tractable and also to take credit for other activities which will cover areas that one might argue should be included in A-17. Some of the changes that have been acknowledged include

(1) greater attention to human factors or the man/machine interface in all aspects of nuclear power plant design and operation
Table 1  Scope of USI A-17, "Systems Interactions"
(General subject area involves system failures which are due to system dependencies)

Concerns                                      Covered by                              Clarification
--------------------------------------------  --------------------------------------  --------------------------------------
(1) Recognized/analyzed single failures       Existing regulations (single failure    Not analyzed in A-17
    directly propagate to other equipment/    defined in the GDC)
    systems within the same safety division

(2) Single failures subtly propagate to       USI A-17 definition of adverse          See the proposed resolution of A-17
    cause plant transients/accidents and/or   systems interactions                    for resulting actions
    degrade the required safety systems.
    Includes:
      subtle spatial interties
      subtle functional interties

(3) Common failure of redundant safety        Improvements in maintenance and test    Not analyzed in A-17
    systems due to commonalities such as:     procedures, ATWS rule, A-44 proposed
      same manufacturing defect               rule
      same testing error
      same maintenance error

(4) Operator errors that disable redundant    Improvements in operator training       Not analyzed by A-17
    safety systems

(5) Events that could cause multiple plant    USI A-46 plus current licensing         Not analyzed in A-17, except for
    problems simultaneously:                  requirements cover earthquakes          internal flooding/water intrusion
      particularly earthquakes                Appendix R deals with fire              events occurring one at a time
      also fire and pipe break/flooding       Equipment qualification rule (10 CFR    (see the proposed resolution of
                                              50.49) deals with design-basis pipe     A-17)
                                              breaks                                  Therefore, this area is to be
                                              None of these programs deals with       further evaluated under the
                                              multiple, simultaneous events           Multiple System Responses Program
(2) use of probabilistic risk assessments (PRAs) in safety analysis

(3) increased attention to operating events.

The resulting classification scheme outlines a number of different types of common-cause events, only one set of which was defined to involve "adverse systems interactions." The other single-cause events involve mostly common characteristics of the equipment (e.g., single manufacturer, common maintenance practices and personnel, common testing practices and personnel).

3.1 Systems Interactions

The definition used here is: Actions or inactions (not necessarily failures) of various systems (subsystems, divisions, trains), components, or structures resulting from a single credible failure within one system, component, or structure and propagation to other systems, components, or structures by inconspicuous or unanticipated interdependencies. The major difference between this type of event and a classic single-failure event is in those aspects of the initiating failure and/or its propagation that are not obvious (that are hidden or unanticipated).

Systems interactions (SIs) also can involve systems related to safety and systems not related to safety. A large part of the problem in addressing SIs stems from the fact that, in any nuclear power plant, many systems are intended to interact and are so designed. For example, one division of the safety-related component cooling water system is designed to interact with (that is, cool) a number of other safety-related systems in that division as well as possibly some systems not related to safety. Similarly, one division of the Class 1E electric power system is designed to interact with a number of safety-related systems in that same division as well as possibly with some equipment not related to safety. If these support-type systems do fail, the supported system will also most likely fail or at least will operate improperly.

Although these examples involve interaction of systems and even could be considered adverse systems interactions, they are not the kinds of interactions of concern in USI A-17, because this type of interaction is expected and the potential for such failure propagation is within the typical analysis and assumptions for a single failure. To differentiate among all the potential "systems interactions," the A-17 Task Action Plan added the aspect of "adverse" to further pinpoint the issue.

3.2 Adverse Systems Interactions

The definition used here is: A systems interaction that produces an undesirable result, as defined by a list of the types of events to be considered in the A-17 program (see below).

The list was created on the basis of perceived safety concerns in the broad area of systems interactions for the purpose of capturing potential adverse systems interactions, and therefore terms such as "undesirable" instead of "unacceptable" and "degradation" instead of "failure" were used.
(1) Degradation of redundant portions of a safety system, including consideration of all auxiliary support functions. Redundant portions are those considered to be independent in the design and accident analysis (Chapter 15, FSAR analyses) of the plant. (Note: This would violate the single-failure criterion.)

(2) Degradation of a safety system by a system not related to safety. (Note: This result would demonstrate a breakdown in presumed "isolation.")

(3) Initiation of an "accident" [e.g., loss-of-coolant accident (LOCA), main steamline break (MSLB)] and (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate that event (Chapter 15, FSAR analyses) or (b) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect actions. (Note: This includes failure to perform correct actions because of incorrect information.)

(4) Initiation of a "transient" (including reactor trip) and (a) the degradation of at least one redundant portion of any one of the safety systems required to mitigate the event (Chapter 15, FSAR analyses) or (b) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect actions. (Note: This includes failure to perform correct actions because of incorrect information.)

(Note: Undesirable results 3 and 4 are included because of the concerns regarding possible breakdowns in defense-in-depth principles. If a link is found between the initiation of an event and the systems designed to mitigate that event, then the probability of an event sequence progressing to core melt may be greater than originally believed.)

(5) Initiation of an event that requires plant operators to act in areas outside the control room area (perhaps because the control room is being evacuated or the plant is being shut down) and disruption of the access to these areas (for example, by disruption of the security system or isolation of an area when fire doors are closed or a suppression system is actuated).

The intersystem dependencies (or systems interactions) have been divided into three classes, based on the way they propagate:

(1) Functionally Coupled

Those SIs that result from sharing of common systems/components, or physical connections between systems, including electrical, hydraulic, pneumatic, or mechanical.
(2) Spatially Coupled

Those SIs that result from sharing or proximity of structures/locations, equipment, or components, or by spatial inter-ties such as heating, ventilation, and air conditioning (HVAC) and drain systems.

(3) Induced Human-Intervention Coupled

Those SIs that result when a plant malfunction (such as failed indication) inappropriately induces an operator action, or when a malfunction inhibits an operator's ability to respond. As analyzed in the study of USI A-17, these SIs are considered another example of functionally coupled ASIs. (Note: Random human errors and acts of sabotage are excluded.)

3.3 Other Common-Cause Events

Multiple failures resulting from a single common cause and typically characterized by the failure of identical components in redundant safety systems will not be addressed in the A-17 study. Such multiple failures can be traced to external events; manufacturing and installation errors; or to operation, testing, and maintenance errors.

The usual design practice for safety systems is to satisfy the single-failure criterion by providing identical, redundant safety systems which are subjected to common environmental events and made, installed, operated, tested, and maintained in common. Therefore, the potential for these types of "failures" results from a recognized compromise in independence (see 10 CFR 50, Appendix A, "Introduction to the General Design Criteria") and is addressed in a number of ways, and in some cases without specific identification. Some of the ways in which this other class of failures/errors is addressed are discussed in the four paragraphs that follow.

To obtain protection from possible failures induced by a component's environment, including failures resulting from external events, the components of the safety systems are designed, qualified, and installed to be immune to such anticipated challenges.

To obtain immunity to failures, including failures resulting from manufacturing and installation errors, the safety-related systems, structures, and components are subjected to various quality control and quality assurance programs which include comprehensive testing requirements at all phases of construction and pre-operation. Major improvements in the area of quality assurance have been made at the utilities.

Protection from failures attributed to errors by operators, technicians, and maintenance personnel can be obtained through adequate training and good procedures for all aspects of operation, testing, and maintenance. The staff is instituting major programs to address all of these areas (see NUREG-0985).

Other provisions may be utilized for protection against these types of common-cause failures. One design technique which is utilized is diversity. An example of such an application by the staff is a portion of the requirements which resulted from the Salem anticipated transient without scram (ATWS) event (NUREG-1000). As part of the resolution, it was concluded that consideration should be given to providing a diverse breaker trip scheme. Although such cases have been addressed on an individual basis, the concept of diversity is cited in the regulations (e.g., General Design Criterion (GDC) 22).

3.4 Clarifications

Some additional clarifications are included here to address the areas that tend to be the hardest to classify. First, events induced by operator error will be discussed and then events involving external phenomena and other major plantwide events will be discussed. Classic single failures vs. adverse systems interactions will be discussed. Also, the concept of frontline and support systems will be presented.

3.4.1 Operator Error

For purposes of studying USI A-17, plant operators and their procedures were assumed to be perfect. This assumption allowed the staff to focus on only the area of the adequacy of the information presented to the operator by the plant display systems, as outlined in induced human-intervention-coupled SIs. Therefore, the operator was treated as a hardwired link that performed perfectly. As stated earlier, other programs involving human factors were considered more suited to addressing the possibility of operator error, test and maintenance errors, and procedure deficiencies (see NUREG-0985).

3.4.2 External Events

One of the most difficult areas to classify for purposes of studying USI A-17 is external events. In general, external events such as tornadoes and earthquakes are not addressed in the A-17 program. It is recognized that external events could initiate other common-cause failures, as stated in Section 3.3 above. It is also recognized that, with respect to non-seismically qualified or non-safety-related equipment, an external event such as an earthquake could be the cause of the single initiating failure in an adverse systems interaction sequence.
In that limited sense, external events were considered. The group engaged in the A-17 program did not consider the potential for an external event to cause simultaneous multiple initiating failures and systems responses. For more discussion of major plantwide events and the potential for multiple systems responses, see Section 3.4.3 which follows.
3.4.3 Major Plantwide Events and the Potential for Unanalyzed, Nonconservative, Multiple Systems Responses

During discussions with the ACRS, some disagreements over the scope of the A-17 program were noted (ACRS, May 13, 1986). In later discussions with the ACRS, the concerns were developed further. The analyses for plant events (such as earthquakes, fires, LOCAs, and floods) involve a number of assumptions. These assumptions often include certain aspects which the ACRS believes may not be conservative. The first aspect involves the assumption that the events themselves are not linked, that is, an earthquake does not start a fire, a fire does not cause a LOCA, etc. The ACRS is concerned that such assumptions are neither realistic nor conservative.

The second aspect involves the assumption that if a component is not specifically required to function for the mitigation of an event, then it is assumed to be disabled or inoperable. Again, the ACRS is concerned that such assumptions are not conservative because if the specific failure modes of the component are considered, the component could spuriously perform some detrimental action which could affect the ability to mitigate the event and/or to achieve safe shutdown. The above concern involving specific failure modes includes the added aspect that systems and components are generally assumed to be either fully operable or totally inoperable, as if only two possible states existed. As a result, the ACRS believes that there is also the potential that partial failures, which do not result in total loss of function, could lead to some unanalyzed systems action which in turn may adversely affect the event mitigation and/or the ability to achieve safe shutdown. The ACRS believes that failures or partial failures could occur simultaneously in multiple systems, if the initiating event is of a sufficiently broad nature, such as an earthquake, fire, or flood.
i_ The staff studying USI A-17 has not addressed the potential for major events causing other events nor has it addressed the multiple failure concerns ex-pressed by the ACRS. It is recommended that these issues be addressed as separate potential generic issues. { 3.4.4 Single Failures vs. ASIS An important aspect of the A-17 group's definition of sis and ASIS is the unan-ticipated or hidden nature of the dependency. It is acknowledged (and therefore l not " unanticipated") that certain design features do not have redundancy. Ea'mples are the reactor vessel itself and the refueling water storage tank at - some pressurized-water reactors (PWRs). Clearly, a failure of these could lead
. to an undesirable result; however, A-17 does not intend to deal with these common causes because they are not hidden or " unanticipated." The other impor-tant aspect involves a similar problem area. A problem arose because once an ASI is identified, it looks like a classic single failure and one could then argue that it is, therefore, not an ASI, just a single failure. This aspect
- was very critical in the operating experience search. That part of the program relied heavily on the consensus of a number of people familiar with operating i events and plant design and, therefore, keenly attentive to " surprises" such as
] unanticipated couplings or dependencies. This " judgment" aspect has led to at least one noted disagreement involving power sources and the results that one j would anticipate or expect from a single failure in a Class 1E power source.
. An analyst or engineer familiar with nuclear power plant systems, and particu-i larly with the instrumentation and control power systems and electric power i systems, may expect one set of results (which would meet all other aspects of ! the ASI definition); another analyst or engineer may find the results unex-1 pected. Therefore, some events involving loss of instrumentation and control a power supplies may not have been captured during the initial screening of the
- licensee event report (LER) data base. Because of its possible importance, as 1' outlined in related Generic Issue (GI) 76 (NUREG-0933, Rev. 2) and as stated by the NRC staff (NRC memorandum, September 18, 1984), further specific work was undertaken in this area (see Section 5.4 below).
3.4.5 Frontline and Support Systems

During the review and evaluation of systems interactions, the group studying USI A-17 acknowledged that there may be a difference in the way the frontline systems, such as emergency core cooling and reactor protection systems, are treated and the way the support systems, such as component cooling water and heating and ventilating systems, are treated. The frontline systems usually receive thorough scrutiny in the licensing process because of the number of specific criteria which are clearly applicable and also because these areas of the plant tend to be more standardized among plants (at least regarding any specific nuclear steam system supplier). The support systems, on the other hand, are often less standardized and in many cases are more complex and pervasive, so that they not only interface with multiple frontline safety systems and other safety-related support systems, but also may interface with functions not related to safety. As a result, support systems may require greater scrutiny for adverse systems interactions.
3.5 Summary and Conclusions
The resolution of USI A-17 involves those types of common cause events which are classified as adverse systems interactions subject to the above definitions and classifications.

On the basis of all work that has been and is being performed in the resolution of A-17 and with the objective of resolving A-17 in a defined time frame, the staff concluded that a working set of definitions was crucial to the A-17 program. Therefore, the staff focused its A-17 task on certain types of phenomena and scenarios and left other areas to other programs and issues.

4 AVAILABLE METHODS FOR IDENTIFYING SYSTEMS INTERACTIONS

As a related effort to the investigation of the nature and potential safety significance of adverse systems interactions, the group engaged in the A-17 program explored a number of methods that appeared to offer the potential for finding ASIs. The purpose of this part of the program was to determine the effectiveness and the resource requirements of potential ASI search methods and to make recommendations regarding possible search methods if it was concluded that a search was necessary.

Some of the information on methods is reported in other sections of this report (e.g., digraph matrix analyses, Section 5.3; interactive fault tree and failure modes and effects analyses, Section 5.3; operating experience search, Sections 5.1.1, 5.2.3, 5.2.5, 5.2.6, and 5.4; onsite inspections, Sections 5.1 and 5.6; and PRAs, Section 5.5). This section of the report also addresses some of these methods, combinations of these methods, and other methods, and then draws some general conclusions.

ORNL (NRC, NUREG/CR-4261) reviewed and identified four classes of qualitative analysis techniques that can be used to identify possible systems interactions. Each class of techniques would be appropriate for different aspects of a systems interaction search (see Table 2). In addition, there are distinct advantages and disadvantages in performing each class of techniques. The four basic classes are

(1) operating experience reviews
(2) onsite inspections
(3) analysis by parts
(4) graph-based analyses

Table 2 Analysis methodologies available to identify types of systems interactions

Types of systems interactions identified by methodologies (columns): Functional; Spatial; Induced human-intervention-coupled. An X marks each type of interaction the methodology identifies.

Operating experience review          X X X
Plant walkthrough                    X
Preoperational testing               X
Failure modes and effects analysis   X X X
Design review                        X X X
Decision table                       X X
System state enumeration             X
Binary matrix                        X X
Digraph matrix                       X X X
Event tree analysis                  X
Fault tree analysis                  X X X
GO methodology                       X X
Sneak-circuit analysis               X
Generic analysis                     X X

Each class of techniques is composed of one or more different analysis methodologies. Each class of techniques is discussed below, and information is provided about the individual methodologies in the class. (For a list of some associated references for each technique, see NUREG/CR-4261.)

Some combination of these analysis techniques could be used to perform a systems interaction study or could be incorporated into a systematic study such as a probabilistic risk assessment (PRA) to identify functional, spatial, or induced human-intervention-coupled systems interactions.

4.1 Operating Experience Reviews
The NRC staff currently requires operating experience review "programs" for each nuclear power plant licensee (TMI Action Plan Item I.C.5). The NRC and industry also sponsor their own reviews of operating experience (see Section 5.4). The objective of all of these programs is to learn from events that have already occurred, or have the potential to occur, at operating nuclear power plants. The history of events at plants under construction is also reviewed. The potential benefit of operating experience reviews is to eliminate recurring problems. For systems interaction purposes, this may allow previously unanticipated dependencies to be identified before any serious safety consequences occur.
To benefit from the review of operating experience, reliable sources of data on events must be available. For a specific plant, this includes both onsite sources (deficiency reports, operating logs, work orders, etc.) and documents prepared for submittal to outside agencies (licensee event reports (LERs), significant event reports, Nuclear Plant Reliability Data System (NPRDS) failure reports, etc.). The data sources that contain information on events from many plants include the NRC's LER files, Institute of Nuclear Power Operations (INPO) operating experience systems, and various other industry working groups (vendors, technical societies, etc.).

Once a source of operating experience is chosen, proper review requires the services of experienced personnel. The reviewers need to be familiar with the facility for which the review is conducted; reviewers also need to be cognizant of the similarities and differences between that facility and those facilities at which the events occurred. This knowledge is essential in determining whether the events apply to the plant for which the review is being performed.

A key to performing effective operating experience reviews is to carry the evaluation beyond simply asking, "What would happen in our plant if the exact same conditions occurred?" It requires the personnel to consider two other questions:

(1) Can this systems interaction occur at our facility under any conditions?
(2) If such an event occurred at our facility, are the consequences unacceptable?

If the answer to both these questions is "yes," then further evaluation (and subsequent resolution) of the potential problem is required.

Operating experience reviews can examine the potential for certain systems interactions (i.e., those interactions that have occurred previously). Since the NRC requires ongoing operating experience reviews, it would be simple and inexpensive to include the identification of systems interactions as one of the objectives of the reviews. The recognized shortcomings of operating experience reviews are that the reviews (1) are not fully predictive and (2) are very dependent on the experience and training of the review staff. Operating experience reviews can provide insights into functional, spatial, and induced human-intervention-coupled systems interactions.
4.2 Onsite Inspections

Onsite inspections are used to identify differences between the as-built conditions and the design conditions. They can also examine undesirable situations (i.e., proximity, seismic interaction, etc.) that may not be apparent from design documentation. This class of techniques incorporates the experience and knowledge of plant personnel into the analysis. Onsite inspections can also be used to identify areas in which the environmental conditions within the plant are hazardous to equipment or in which adverse changes have been made in the plant's equipment configuration (because of maintenance or upgrading). Two types of onsite inspection methodologies were identified: plant walkthroughs and preoperational testing.
4.2.1 Plant Walkthroughs

Plant walkthroughs are used to identify potential spatial systems interactions and to visually inspect safety-related components and systems in their as-built configuration. Consequently, walkthroughs are used to identify those systems interactions that were overlooked during plant design or that were generated during plant construction.

Consumers Power Company developed a plant walkthrough program at its Midland Nuclear Power Plant, Units 1 and 2 (Consumers Power Company, June 1983) to determine the potential for spatial systems interactions. The program consisted of: (1) combined proximity for seismic Category I and II components, systems, and structures, (2) high-energy line break hazards, (3) internal missiles, and (4) flooding. The function and team composition for each of these walkthroughs were varied to be appropriate for each specific type of systems interaction. Consumers Power Company also developed a supplemental walkthrough program that addressed (1) fire protection, (2) stress, (3) thermal growth, (4) system or area turnover walkthroughs, and (5) potential concerns discovered during preoperational testing of systems.

Plant walkthroughs to identify potential systems interactions have also been performed at Diablo Canyon Nuclear Power Plant; San Onofre Nuclear Generating Station, Units 2 and 3; Zion Nuclear Plant; and Indian Point Station, Unit 3. These walkthroughs were structured to identify spatial systems interactions.

The advantages of plant walkthroughs include: (1) They can focus on bad design, construction errors, maintenance errors, and conditions for common failure and (2) They utilize the knowledge of experienced plant personnel.

4.2.2 Preoperational Testing

Preoperational testing is used to demonstrate the operability of the nuclear steam supply systems, the auxiliary systems, and related secondary systems. All licensees are required to successfully complete a preoperational testing program before a full power license can be issued. This testing program demonstrates the capability of items of equipment (and systems) to meet their design performance and safety criteria. However, preoperational tests can specifically test how systems interact (in some cases existing tests already do this). For example, a diesel generator operability test should include sequencing the diesel generators onto the emergency power buses. There are many cases in which a test specifically designed to test for systems interactions could confirm the absence of unacceptable interactions during specific operating modes.

The advantages of preoperational testing include: (1) The tests can provide a baseline of operating data from which future operational anomalies may be identified, (2) They provide further confidence in the analytical results and functional capabilities of the systems, and (3) They have the potential to identify functional interactions. A disadvantage is that they cannot typically identify spatially coupled interactions.
4.3 Analysis by Parts
The third class of techniques available for identifying systems interactions is analysis by parts. Analysis-by-parts techniques are more analytically oriented than the previously discussed classes of techniques, but they are also less comprehensive than the graph-based analyses discussed in Section 4.4. Five methodologies were identified as analysis-by-parts techniques:

(1) failure modes and effects
(2) design reviews
(3) decision tables
(4) system state enumeration
(5) binary matrix

Analysis by parts requires the analyst to examine the causes of a given event or to develop credible conditions under which an undesirable event could occur. Consequently, a problem is not evaluated from a total system perspective. Instead, direct causes of subsystem or component failures are identified and the consequences of these failures are examined. Since these techniques look for direct causes, they are not exhaustive in that regard.

Several advantages of this class of techniques are: (1) They require less effort to perform than the graph-based analyses (at the price of less complete coverage), (2) They are relatively simple to perform, (3) They are useful for detecting local effects, and (4) They require the analyst to look systematically at the failure of each component. Disadvantages of this class include: (1) They usually capture only local effects, (2) They depend on the creativity of the analyst, (3) They have a limited amount of predictive strength, and (4) They are generally used in support of other classes and frequently address the same type of systems interactions as the graph-based methods. Each of the methodologies is discussed below.

4.3.1 Failure Modes and Effects Analysis

Failure modes and effects analysis (FMEA) is an inductive analysis method that is generally applied at the component level. As such, it examines a component to determine how it would fail (mode) and what would result (effect). An FMEA generally does not examine the causes of the failure extensively but may be employed to identify failure modes whose effects are severe enough to warrant further analysis.
The FMEA identifies failure modes for components of concern and traces their effects on other components, subsystems, and systems. Emphasis is placed on identifying the problems that result from hardware failures, operator errors, etc. Typically, a column format is employed in an FMEA. Specific entries for the columns include descriptions of the component, its failure modes, possible failure causes, possible effects, and actions to reduce the failures and their consequences. By further examining the causes of the failures, possible common-cause mechanisms may be identified.

An FMEA is traditionally developed at the component level. However, an FMEA can also be applied at the subsystem or system level to trace interactions and their effects on plant safety functions and, eventually, on plant safety itself. In addition, the effects of the failure modes (whether at the component or system level) must be considered for all plant operational modes and the analyst must also consider the possibility of other components undergoing test and maintenance.

4.3.2 Design Reviews

Design reviews are performed to ensure that the safety system independence and functional design criteria have been met or exceeded. The procedures for performing them vary, and are specific to the design organization. Design reviews are generally performed by a diversified group of experienced designers called a design review team. Using the design criteria or specifications for the systems, the team reviews available documentation such as control schematics, layout drawings, as-built drawings, and piping and instrumentation diagrams. The team then identifies design deficiencies, including potential systems interactions. The team also recommends actions or design changes that may correct the design deficiencies and eliminate potential systems interactions. An advantage of using design reviews to identify potential systems interactions is that they can provide early identification. One disadvantage is that as-built drawings are frequently not available or are not up to date. Also, it is difficult to ensure the comprehensiveness of design reviews.

4.3.3 Decision Tables

Decision tables are used to describe each possible output state of a component. The output states are a function of the inputs and internal states (operational or failed states) of the components. Decision tables can handle binary and nonbinary logic (i.e., components with two or more states).

To construct a decision table, the analyst divides the system into levels of components or subsystems. Once the system has been divided into levels, the analyst needs to perform three basic steps:

Step 1 The analyst constructs the decision tables beginning with the components of the lowest levels (i.e., the simpler components of the system).

Step 2 The outputs of the tables from Step 1 constitute the inputs of the decision tables for the next higher level.

Step 3 Step 2 is repeated for each higher level until the decision table of the system is formed.

This methodology can be used to identify common-cause failures, since they are the inputs that are carried through several levels. One advantage of constructing decision tables is that they not only model hardware failures, but model human actions and interactions as well. However, decision tables are not a stand-alone method and are generally used to aid in constructing fault trees.

4.3.4 System State Enumeration

In a system state enumeration analysis, all of the system states are generated and recorded in a table format by considering all possible combinations of
component states. After this is completed, each system state is individually examined for dependencies between component states. From a qualitative point of view, this analysis is equivalent to an event tree analysis.

An advantage of system state enumeration is that it is a fairly complete qualitative method. However, a complete qualitative system analysis would include an FMEA for each state. Also, for complex systems, enumerating all potential component states can be an overwhelming task.

4.3.5 Binary Matrices

Binary matrices use hierarchies to portray the dependencies between components. A binary entry in each intersection of the matrix indicates whether or not the components are dependent upon each other. The binary entry indicates that the component on the left of the matrix (row) is dependent upon (receives support from) the component listed at the top (column). The matrix is not limited to components. The entity of interest could be maintenance, a physical location, a system train, etc. A set of binary matrices that represent more than one independent system is used to generate digraph matrices.

One advantage of binary matrices is that the analyst need only supply direct relationships between individual items (components, subsystems, etc.). A computer code can then be used to deduce subsequent relationships. A second advantage of binary matrices is that the components can be listed in any order in the matrix. In addition, the use of binary matrices forces the analyst to identify all supporting systems or components. This aids the analyst in developing fault trees, digraph matrices, etc.

4.4 Graph-Based Analyses

The last class of analysis techniques is graph-based analyses. Graph-based
analyses are comprehensive within a given set of boundary conditions and are used to represent the logical relationship among those components (or systems) whose failure can lead to a specific undesired event. These relationships are captured in the graphic model. All of the potential failure modes (within the scope of the analysis) are then identified by using computers to generate the combinations of component and human failures that contribute to the undesired event.

Advantages of this class of techniques include: (1) the ability to cover low-frequency events systematically, (2) the ability to deal with complex systems, (3) the ability to evaluate shared support systems, and (4) the ability to identify common-cause failures. Disadvantages of these techniques include: (1) their limited ability to analyze human interface, (2) their complexity, and (3) their expense when performed at a detailed level (probably the level needed for an ASI study). Six methodologies were identified as graph-based analysis techniques:

(1) digraph matrix
(2) event tree
(3) fault tree
(4) GO methodology
(5) sneak circuit
(6) generic analysis
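The binary-matrix technique of Section 4.3.5, and the point made for the digraph matrix in Section 4.4.1 that only direct first-level relationships need be entered while a computer code deduces the rest, can be made concrete with a short program. The following is an added example written for this edit, not code from NUREG-1229 or NUREG/CR-4261; the plant elements and support relationships in it are constructed, and the function names are this example's own.

```python
"""Binary dependency matrix with all levels of subordination deduced by code.

Added illustration of the binary-matrix technique of Section 4.3.5: the
analyst enters direct "receives support from" relations, and the code
deduces every consequent level. The elements and dependencies below are
constructed for this example; they are not data from any plant or from
NUREG/CR-4261.
"""
from collections import deque

# Constructed example. DIRECT[row] is the set of column elements the row
# element receives support from, exactly as an analyst would enter them.
ELEMENTS = ["HPI pump A", "HPI pump B", "CCW pump A", "CCW pump B",
            "4kV bus A", "4kV bus B", "DC bus A", "HVAC room 12", "RWST"]
DIRECT = {
    "HPI pump A":   {"4kV bus A", "CCW pump A", "RWST"},
    "HPI pump B":   {"4kV bus B", "CCW pump B", "RWST"},
    "CCW pump A":   {"4kV bus A", "HVAC room 12"},
    "CCW pump B":   {"4kV bus B", "HVAC room 12"},
    "4kV bus A":    {"DC bus A"},   # breaker control power
    "4kV bus B":    {"DC bus A"},   # same DC bus: a hidden second-level coupling
    "DC bus A":     set(),
    "HVAC room 12": set(),
    "RWST":         set(),          # acknowledged non-redundant (see Section 3.4.4)
}


def build_matrix(elements, direct):
    """Binary (adjacency) matrix: m[i][j] == 1 iff elements[i] receives
    direct support from elements[j]."""
    idx = {e: i for i, e in enumerate(elements)}
    n = len(elements)
    m = [[0] * n for _ in range(n)]
    for row, supports in direct.items():
        for col in supports:
            m[idx[row]][idx[col]] = 1
    return m


def reachability(matrix):
    """Warshall's algorithm: from the first-level matrix deduce the matrix of
    all levels of subordination (r[i][j] == 1 iff j supports i via any chain).
    Cycles in the support graph need no special treatment."""
    n = len(matrix)
    r = [row[:] for row in matrix]
    for k in range(n):
        for i in range(n):
            if r[i][k]:
                for j in range(n):
                    if r[k][j]:
                        r[i][j] = 1
    return r


def subordination_levels(direct, start):
    """Breadth-first walk: {support: level}, level 1 being a direct support."""
    levels = {}
    queue = deque((s, 1) for s in direct[start])
    while queue:
        item, level = queue.popleft()
        if item in levels or item == start:
            continue
        levels[item] = level
        queue.extend((s, level + 1) for s in direct[item])
    return levels


def indirect_dependencies(elements, direct):
    """{element: supports reachable through other elements but not entered
    directly}; these are the relationships the analyst did not have to supply."""
    r = reachability(build_matrix(elements, direct))
    out = {}
    for i, e in enumerate(elements):
        reach = {elements[j] for j in range(len(elements)) if r[i][j]}
        hidden = reach - direct[e] - {e}
        if hidden:
            out[e] = hidden
    return out


def shared_supports(elements, direct, trains, acknowledged=frozenset()):
    """Supports on which every listed (supposedly redundant) train depends at
    some level, less those the design already acknowledges as non-redundant.
    What remains is the kind of unanticipated coupling the A-17 definition of
    an ASI is concerned with."""
    r = reachability(build_matrix(elements, direct))
    idx = {e: i for i, e in enumerate(elements)}
    shared = None
    for t in trains:
        reach = {elements[j] for j in range(len(elements)) if r[idx[t]][j]}
        shared = reach if shared is None else shared & reach
    return (shared or set()) - set(acknowledged)


if __name__ == "__main__":
    for elem, hidden in sorted(indirect_dependencies(ELEMENTS, DIRECT).items()):
        print(f"{elem}: deduced support from {sorted(hidden)}")
    print("shared by both HPI trains:",
          sorted(shared_supports(ELEMENTS, DIRECT, ["HPI pump A", "HPI pump B"],
                                 acknowledged={"RWST"})))
```

Run as a script, the program lists, for each element, the supports that were never entered directly and the supports both injection trains ultimately share once acknowledged single items such as the RWST are set aside.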
4.4.1 Digraph Matrix Analysis

Digraph matrix analysis (DMA) utilizes a success tree that includes all systems and/or components (elements) involved in an accident sequence. This success tree includes subsystems and support systems as elements. A binary matrix (known as an adjacency matrix) is produced from the success tree that contains information about the relationship between these elements. This binary matrix is then converted to a dual-digraph matrix by changing all "or" gates to "and" gates and "and" gates to "or" gates. Cutsets or failure combinations are then obtained from the dual digraph. The cutsets are then evaluated for systems interactions. The steps involved in performing a DMA are:

First, the analyst selects the combinations of systems of interest for a detailed evaluation. (This is equivalent to the PRA event tree analysis designed to find accident sequences.)

Next, the analyst constructs a single-digraph model for each accident sequence. This is a graphic approach that allows the analyst to develop a binary matrix (adjacency matrix) of elements that have direct influence on an element of higher order.

The analyst can then partition digraph models into independent subdigraphs to find the cutsets. Computer codes are available that identify the cutsets.

Finally, the analyst can evaluate cutsets on the basis of probability and display answers for both top event and cutset probabilities.

Some advantages of a digraph matrix analysis include:

(1) The construction of the logic model is performed directly from plant schematics (piping and instrumentation diagrams, electrical schematics, safety logic diagrams, etc.). The resulting model can be overlaid on the plant schematics; thus, the model can be readily understood, reviewed, and corrected.

(2) The digraph can represent physical situations that are cyclic.

(3) DMA computer codes can process very large models. An entire accident sequence consisting of several safety systems and their support systems is modeled as a single digraph.

(4) The binary matrix indicates all levels of subordination, but only direct first-level relationships must be provided. Computer codes deduce any consequent levels of subordination.

(5) An element of the matrix can be any entity of interest (e.g., an entire system, a system function, component, or maintenance crew). Elements of any level of detail can be intermixed.

Disadvantages of a digraph matrix analysis include:
(1) There are few trained analysts and few available computer codes that can be used to develop and subsequently apply the analysis.

(2) For certain types of logic diagrams, the analyst's attempt to be more complete can lead to computer limitations.

4.4.2 Event Tree Analysis

Because nuclear power plant systems are so complex, it is not feasible to write down by inspection a listing of important accident sequences. Therefore, a systematic and orderly approach is required to properly understand and identify the many factors that could influence the course of potential accidents. This approach involves developing an event tree. An event tree is an inductive logic model that sequentially models the progression of events (both failure and success) from some initiating event to a series of logic consequences. An event tree begins with an initiating failure, and it maps out a sequence of events at the system level that forms a set of branches. Each of the branches represents a specific accident sequence. A complete event tree analysis requires the identification of all possible initiating events and the development of an event tree for each event. Event trees are normally used to model events having binary failure states. These events usually correspond to total success or failure of a system. Event tree analysis is a useful tool for systems interaction analysis when used with other techniques such as fault tree analysis.

4.4.3 Fault Tree Analysis

Fault tree analysis is a deductive failure analysis that focuses on an undesired event and provides a method for determining causes of this event. The undesired event constitutes the top event in a fault tree diagram. Careful choice of the top event is important to the success of the analysis. A fault tree analysis describes an undesired state of the plant or system (usually an undesired state that is critical from a safety viewpoint) and analyzes the plant or system to find all credible ways in which the undesired event can occur. The fault tree is a graphic model of the combinations of faults that will result in the occurrence of the undesired event. The faults can depict hardware failure, human error, system failures, external events (e.g., earthquakes or internal fires), or other events that can lead to the undesired event.

A fault tree is not a model of all possible plant or system failures or all possible causes for failure. A fault tree is tailored to its top event and includes only those faults that contribute to the top event. The fault tree is not quantitative; however, the results can be evaluated quantitatively. In fact, the fault tree is a convenient model to quantify and, along with event trees, has formed the structure for almost all of the PRA studies performed for the nuclear industry. As a result, a large number of people in the nuclear industry are experienced in developing and/or using fault trees.

A formalized combination of event trees and fault tree analyses is called a cause-consequence analysis. The event trees are used to determine the sequence of events that can lead to the consequences of interest. Event trees are developed for several different initiating events (usually LOCAs and transients). The fault trees are then used to model the causes of the event sequences. The
causes of the event sequence failures can be modeled as system failures or component failures. However, if failure data are lacking on the system level, the causes would be modeled on the component level where such data are usually available. Hence, the results of a cause-consequence analysis are both qualitative and quantitative.

Two advantages of performing a cause-consequence analysis are: (1) the method is better suited for identifying potential system dependencies on the component level than is the event tree alone and (2) for fault trees alone, the dependencies are shown on separate trees. However, the consequence diagram includes all of them within a single logic structure.
4.4.4 GO Methodology

The GO methodology is a success-oriented technique that is generally used for quantitative analyses. However, this methodology can be used to identify component failure combinations that can lead to system failure, and to construct event trees. Completed GO models resemble system schematics or process flow charts and tend to be more compact than equivalent fault tree models (albeit with correspondingly less failure mode information). Seventeen logical operators are used to model a process. From these models, functional, spatial, and induced human-system interactions can be identified.

Specific advantages of the GO methodology include: (1) The system models follow the normal process flow (as does a digraph matrix analysis), (2) Modeling of most component and system interactions and dependencies is explicit, (3) Models are compact and easy to validate, (4) Model evaluations can represent both success and failure states of systems, and (5) It is uniquely adaptable to analyses in which many levels of system availability are to be considered since it has the ability to handle multiple system states (i.e., partial failure or degraded conditions can be modeled).

Disadvantages of the GO methodology include: (1) Fewer analysts are familiar with the GO methodology than with fault tree/event tree analyses and (2) The GO methodology has been used extensively for probabilistic studies of individual systems but has not been employed to any great extent as the primary technique for a full-scope PRA.
4.4.5 Sneak-Circuit Analysis

Sneak-circuit analyses are normally applied to electrical systems and were originally designed to identify unplanned modes of operation, unexplained problems, and unrepeatable anomalies. However, this type of analysis can also be applied to fluid systems since fluid systems can be represented by electrical system analogs.

A sneak-circuit analysis will identify latent signal paths or circuit conditions in systems that may cause undesired events to occur, or may inhibit the occurrence of a desired function. The problems identified in the analysis are called sneak circuits and are characterized by their ability to escape detection during most standardized tests. In addition, sneak circuits are not dependent on component failures, although many erroneous responses of system failures occur because of component failures. Sneak circuits can be subdivided into four types:
(1) sneak paths, which cause current or energy to flow along unexpected paths

(2) sneak timing, which may cause or prevent the flow of current or energy to activate or inhibit a function at an unexpected time

(3) sneak indications, which may cause an ambiguous or false display of system operating conditions

(4) sneak labels, which may cause incorrect stimuli to be initiated through operator error

An advantage of sneak-circuit analyses is that problems caused by latent signal paths that are not contingent on component failures can be identified. These signal paths can cause undesired events to occur, or inhibit a desired function from occurring. The main disadvantage of sneak-circuit analyses is the lack of documentation explaining the methodology. Additionally, only one company was found that had experienced and qualified analysts able to perform such analyses.
4.4.6 Generic Analysis

A generic analysis reviews the basic events in each minimal cutset for susceptibilities to generic causes (dependencies). The minimal cutsets can be determined from fault tree analysis or similar analyses. When a generic cause is common to all members of a minimal cutset, and the location of the minimal cutset components offers no protection from that generic cause of failure, the minimal cutset is called a common-cause candidate (CCC). Generic causes for failure that are often considered in such analyses are:

(1) mechanical/thermal generic causes
    impact
    vibration
    pressure
    grit
    moisture
    stress
    temperature
    freezing

(2) electrical/radiation generic causes
    electromagnetic interference
    radiation damage
    conducting medium
    out-of-tolerance voltage
    out-of-tolerance current

(3) chemical/miscellaneous generic causes
    corrosion (acid)
    corrosion (oxidation)
    other chemical reactions
    carbonization
    biological
h S.S.hN5dLLwA.:$d. Ans., ? L .. + E E D C . L . . : . . '
! . . AC &
l l ) l , ) . l (4) other common links i > energy source l l calibration l L installations ! maintenance ! operator o'r operation I proximity test procedure energy flow paths i i
- . Although a major portion of this technique is qualitative, it follows an ana- )
i lysis procedure such as fault trees rather than preceding it, as other qualita- { L tive methods usually do. This approach differs from most common-cause analyses I f because it deals directly with the minimal cutsets instead of adding secondary l j failures to the logic model. Thus, only component failures that result in l system failure are considered. i A generic analysis is a helpful, methodical way to identify spatial systems ' interactions. It has been implemented in a number of computer programs and j is extensively used in dependent-failure analyses in the nuclear industry. f 4.5 Oak Ridge National Laboratory's Conclusions and Recommendations l
Oak Ridge National Laboratory (ORNL) concluded (NRC, NUREG/CR-4261) that there are many different and varied methodologies available that can identify systems interactions. However, no one methodology by itself can adequately identify functional, spatial, and induced human-intervention-coupled systems interactions. Therefore, several different analysis techniques should be used simultaneously.

Determining the most appropriate combination of analysis techniques for identifying systems interactions requires consideration of several factors (time, scope, costs, benefits, etc.). However, a review of the methodologies available made several insights apparent. First, any systems interaction program should utilize operating experience reviews, design reviews, and preoperational testing. These three methodologies are already required to be performed, and only minimal modifications to the existing programs would be required to identify all three types of systems interactions. Second, expanding the scope of PRAs to include the identification of systems interactions should simplify the problem (with respect to starting an independent evaluation), since the analysts would already be familiar with the systems and their responses. Last, the resulting combination of methodologies must be able to adequately identify all three types of systems interactions: spatial, functional, and induced human-intervention coupled.

The manpower required to perform a PRA that includes a systems interaction analysis should be within the bounds provided in the "PRA Procedures Guide" (NUREG/CR-2300). The "PRA Procedures Guide" indicates that 19 to 38 man-months are required for sequence and system modeling, with another 18 to 24 man-months required for external event analysis. It is not possible to separate the amount of modeling required for independent and dependent failure modes. However, it should be recognized that doing an adequate job of analyzing systems interactions requires experienced analysts and adequate time to examine and incorporate all the potential dependencies that can arise from systems interactions. For this reason, the upper estimates provided in the guide may be more appropriate to ensure that adequate analysis of systems interactions can be included.

In summary, the methodologies discussed in this report can be applied to identify systems interactions. However, the problem in conducting a systems interaction analysis is not a problem with methodology as much as it is a problem with scope and level of detail.

4.6 Staff Conclusions

All methods appear to have some advantages and disadvantages. The major conclusions based on the above review are:

(1) The global application of any method or combination of methods is costly.
(2) The choice of method may not be as important as the scope and depth of the study performed.
(3) It is, therefore, probably most cost effective to limit studies to specific areas and to increase the level of detail in modeling and analysis in those areas.

5 DESCRIPTION OF RESULTS AND STAFF CONCLUSIONS
NRC defined a number of tasks in the revised Task Action Plan (TAP) for USI A-17 (NUREG-0649) to address the area of systems interactions. Although all the tasks defined in the TAP were completed, this section of the report is not organized into the same set of tasks. Rather, this report is organized around the task results and recommendations, which were then used as input for the technical resolution of USI A-17.

The tasks outlined for studying the A-17 issue were developed to utilize a combination of existing information, ongoing work, and new work with the objective of focusing the various efforts to resolve the generic issue as defined in the revised TAP scope and definitions.

5.1 Licensee Studies of Systems Interactions

A number of utilities performed systems interaction studies of their own plant(s) as part of the operating license review process. The staff has considered some of these programs in the resolution of A-17.

5.1.1 Zion Nuclear Plant Study

In a June 17, 1977 letter, the NRC Advisory Committee on Reactor Safeguards (ACRS, June 1977) recommended that Commonwealth Edison conduct a study of possible systems interactions related to the Zion Nuclear Plant's shutdown heat removal capability. The ACRS also referenced additional guidance contained in its letter of November 8, 1974. Possible approaches to a systems interaction study were discussed with a number of consultants and with the NRC staff.

As a followup to these discussions, Commonwealth Edison performed an experience survey utilizing LERs (Commonwealth Edison Company, June 1978). The study was divided into three phases. Phase one consisted of a review of more than 9000 LERs which were generated in the operation of U.S. commercial nuclear power plants between 1969 and 1977.

The LERs were used to identify events which have occurred at operating power plants that involve systems interactions which had a potential for reducing the effectiveness of shutdown cooling systems under nonaccident conditions. The review covered not only 4-loop PWRs but all pressurized-water, boiling-water, and gas-cooled reactor LERs.
The Zion screening criteria, as quoted from the report, were formulated to include the following type of events:

    Events which demonstrated that the action of any system degraded or resulted in loss of the effectiveness of any of the following systems:

        reactor coolant
        residual heat removal
        component cooling
        service water
        auxiliary power
        instrumentation power
        chemical and volume control
        auxiliary feedwater
        portions of main steam

    The action which initiated the event could have been a normal control function, a malfunction, or operator induced. The single-failure criterion was not extended; however, a detailed review was made to determine its applicability. As an example, the failure of an RHR [residual heat removal] pump to start due to an electrical fault in the motor would not have been considered a systems interaction. However, if the motor failure was due to excessive humidity and temperature in the RHR cubicle, it was considered an undesirable systems interaction.

    It was noted that personnel action can result in maintenance errors or operator errors which will have a direct effect on a system or piece of equipment, but this was not considered to be an interaction between systems. For example, the loss of an instrument bus due to placing a grounded test instrument on the bus results in the loss of a large amount of equipment, as expected. If, alternatively, the load from the bus was not correctly shed from the electrical system and resulted in faults in other parts of the electrical system, it would be considered an undesirable interaction.
The second phase of the study, which was conducted by Fluor Pioneer, Inc., involved detailed analysis and investigations of each identified event to determine how and why the event occurred and its effect on the originating plant.

For the third phase, an assessment was made of the possibility of the occurrence of an identical or similar event at the Zion plant. If it was found that a similar event could occur at the Zion plant, corrective action options were evaluated. The evaluation criteria included consideration of safety, constructability, operability, maintainability, and cost. While the range of possible corrective options was being reviewed and analyzed, the utility assessed the benefits of the options.

On the basis of the evaluation criteria and the benefits assessment, the utility concluded that for Zion, the generic studies requested by the NRC and the implementation of conclusions and recommendations involving such items as fire protection, pipe break, and low-temperature primary system overpressure have resulted in modifications which substantially reduce the possibility of the occurrence of a majority of the events studied. In addition, about five specific investigations and/or plant modifications were recommended by the study.

It should be noted that there is not a good correlation between the LERs highlighted by Commonwealth Edison and the LERs contained in the Oak Ridge National Laboratory's (ORNL's) review of operating experience (see Section 5.4, below). To some degree this occurred because of differences in definitions of what constitutes an adverse systems interaction event. Nevertheless, the Zion study was reviewed by ORNL as part of the review of operating experience (see Section 5.4, below) for possible SI events which met the definition offered in the current A-17 Task Action Plan.

5.1.2 Diablo Canyon Nuclear Power Plant Seismically Induced Systems Interaction Program

Pacific Gas and Electric (PG&E) established a systems interaction program (PG&E, May 1984) which was intended to establish confidence that if a seismic event of the severity of the postulated Hosgri event* occurred, structures and equipment important to safety will not be prevented from fulfilling their safety functions because of seismically induced failure or motion of structures or equipment not related to safety. Also, the Seismically Induced Systems Interaction Program (SISIP) was instituted to establish confidence that safety-related systems will not fail to meet the single-failure criterion because of seismically induced interactions.

PG&E defined the following two terms to clarify its postulation of potential systems interactions:

(1) Targets are (a) structures and equipment needed to take the plant to safe shutdown and maintain it at safe shutdown; (b) certain accident-mitigating systems such as containment isolation, main steam isolation, and containment spray; and (c) the manual fire suppression equipment.
(2) Sources are any other equipment whose seismically induced failure or motion could interact with a target and prevent or inhibit a target from accomplishing its safety function.

On the basis of these definitions, a large number of potential interactions were postulated. PG&E utilized four ways to resolve postulated interactions. These were: (1) resolution by field inspection, in which the interaction team could by inspection or simple field analysis show that either the source would not fail, the occurrence of the interaction was not credible, or the consequences of the interaction, if it occurred, would not adversely affect target operations; (2) resolution by engineering analysis, in which PG&E could show either that the interactions would not occur or, if they did occur, that the consequences would not affect target operations; (3) resolution by an expedient modification, in which PG&E decided it was more cost effective to resolve the interaction by modifying the plant than to justify the configuration by analysis; and (4) resolution by necessary modification, in which further analysis showed that plant modification is the only means for resolving the interaction. Because the last two involved plant modification, PG&E combined resolutions 3 and 4 and only reported three resolution groups.

*The Diablo Canyon seismic design basis was upgraded after the potential for severe earthquakes originating from the Hosgri Fault (a branch of the San Andreas Fault) was reappraised.

The problem in assessing the Diablo Canyon program comes from the fact that the safety significance of the modifications (both expedient and necessary) cannot be readily established.
Information developed as a result of this program has been utilized in the A-17 program (see Section 5.6 of this report).

5.1.3 Indian Point Station Unit 3 Utility Study

The Indian Point Station Unit 3 (IP3) systems interaction report was prepared by the Power Authority of the State of New York (PASNY, June 1983) in conjunction with Ebasco Services Inc. and consists of 25 volumes. The objectives of this study were (1) to develop a methodology and evaluation criteria to be used to identify and evaluate systems interactions and (2) to apply these criteria to a systems interaction review of 23 identified systems.

For purposes of this study, the utility decided to define systems interactions as those events that affect the safety of the plant by one system acting on one or more other systems in a manner not intended by design, with emphasis on interactions in which systems not related to safety (non-safety systems) act on safety-related systems.

The analysis then involved (1) the systematic search for hidden or inadequately analyzed interconnections or couplings that link safety and non-safety systems in the reactor plant and (2) the evaluation of the effects of a non-safety system failure (or maloperation) propagated into the safety system by such interconnections/couplings.

(Note: It was assumed for purposes of that study that the safety systems satisfied the single-failure criterion and that redundant safety systems do not possess dependencies, so that one malfunction cannot disable redundant safety systems.)
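The two analysis steps just described, the search for couplings and the propagation of a non-safety failure through them, can be run mechanically once the dependency tables are in hand. The Python script below is an added example written for this page; it is not code from the IP3 study or from PASNY/Ebasco, and the dependency table, the system names, and the safety classification in it are constructed for illustration. It treats the table as a directed graph, walks it from each non-safety system, records the coupling path to every safety-related system reached, and applies the study's single-failure assumption by flagging any non-safety failure whose reach includes every train of a redundant safety function.

```python
"""Propagation of non-safety failures through a plant dependency table.

Added example for this page, not code from the Indian Point 3 study.
The dependency table, system names and safety classification below are
constructed for illustration only.
"""
from collections import deque

# Constructed dependency table: each system maps to the systems it needs
# (its supports). A failure of a support propagates to everything that
# depends on it, directly or through intermediate systems.
DEPENDS_ON = {
    "AFW_PUMP_A": ["MCC_A", "SW_A"],        # motor-driven AFW pump, train A
    "AFW_PUMP_B": ["MCC_B", "SW_B"],        # motor-driven AFW pump, train B
    "MCC_A": ["SWGR_ROOM_HVAC"],            # both safety MCCs sit in one room
    "MCC_B": ["SWGR_ROOM_HVAC"],            #   cooled by non-safety HVAC
    "SW_A": ["INSTR_AIR"],                  # air-operated valve in SW train A
    "SW_B": [],                             # SW train B uses a motor-operated valve
    "SWGR_ROOM_HVAC": ["NONSAFETY_480V"],
    "INSTR_AIR": ["NONSAFETY_480V"],
}

# Constructed classification: which systems are safety related, and which
# safety functions are provided by redundant trains.
SAFETY_RELATED = {"AFW_PUMP_A", "AFW_PUMP_B", "MCC_A", "MCC_B", "SW_A", "SW_B"}
REDUNDANT_TRAINS = {"AFW": ("AFW_PUMP_A", "AFW_PUMP_B")}


def supported_systems(depends_on):
    """Invert the table: support -> list of systems that depend on it."""
    rev = {}
    for system, supports in depends_on.items():
        for support in supports:
            rev.setdefault(support, []).append(system)
    return rev


def affected_systems(origin, depends_on):
    """Breadth-first walk from a failed `origin`.

    Returns {system: path} for every system that can be lost, where path is
    the chain of couplings from the origin to that system.
    """
    rev = supported_systems(depends_on)
    paths = {origin: [origin]}
    queue = deque([origin])
    while queue:
        current = queue.popleft()
        for dependent in rev.get(current, []):
            if dependent not in paths:        # first (shortest) path wins
                paths[dependent] = paths[current] + [dependent]
                queue.append(dependent)
    del paths[origin]
    return paths


def adverse_interactions(depends_on, safety_related, redundant_trains):
    """Screen every non-safety system as a failure origin.

    Returns {origin: {"reaches": {safety system: path},
                      "defeats_redundancy": [function, ...]}}
    for each non-safety system whose failure reaches safety-related
    equipment. A function is listed under "defeats_redundancy" when the
    origin reaches all of its trains, which violates the study's assumption
    that one malfunction cannot disable redundant safety systems.
    """
    every_system = set(depends_on) | {s for v in depends_on.values() for s in v}
    report = {}
    for origin in sorted(every_system - safety_related):
        reached = affected_systems(origin, depends_on)
        hits = {s: p for s, p in reached.items() if s in safety_related}
        if not hits:
            continue
        defeated = [fn for fn, trains in redundant_trains.items()
                    if all(t in hits for t in trains)]
        report[origin] = {"reaches": hits, "defeats_redundancy": defeated}
    return report


if __name__ == "__main__":
    findings = adverse_interactions(DEPENDS_ON, SAFETY_RELATED, REDUNDANT_TRAINS)
    for origin, finding in findings.items():
        lost = ", ".join(finding["defeats_redundancy"]) or "none"
        print(f"{origin}: redundancy defeated for: {lost}")
        for system, path in sorted(finding["reaches"].items()):
            print("   ", " -> ".join(path))
```

In the constructed table the switchgear room HVAC reaches both AFW pumps through the two motor control centers it cools, so it is flagged, while instrument air reaches only train A and is not. The same walk can be run on a full plant dependency table; what changes is the input, not the screening.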
On the basis of these premises, a number of potentially adverse interactions between non-safety systems and safety systems were identified through a series of dependency tables, logic diagrams, failure modes and effects analysis, event trees/fault trees, review of previous reports, and walkthroughs (onsite reviews). Only one of these resulted in a reportable condition (LER) as determined by the licensee. This involved a nonseismic pipe connection to a seismic system with inadequate isolation. The resolution involved maintaining a manual isolation valve in a closed position.

A number of potential adverse systems interactions were identified and resolved. The utility concluded that the program enhanced the level of safety for Indian Point 3; however, the contribution to core damage probability from the postulated non-connected seismically initiated systems interactions was less than 4% of the overall core-melt frequency at the design-basis earthquake level (Atomic Industrial Forum, Inc., October 1985). Information developed as a result of this program has been utilized in the A-17 program (see Section 5.6 of this report).
5.1.4 Midland Nuclear Power Plant Units 1 and 2 Program

In January 1983, Consumers Power Company (CPCo) initiated a program to address systems interactions (CPCo, June 1983). The program consisted of three parts to address the three classes of systems interaction: functional, spatial, and induced human-intervention-coupled.

The functional interaction portion of the program was to rely heavily on existing plant procedures for design control and preoperational checkout and testing. The design control task involved an interdisciplinary review of plant design to ensure that potential interactions generated by the interface between activities of the various engineering groups were identified and corrected. The program was to include preoperational testing to demonstrate the capability of required safety systems to meet design performance and safety criteria. Additional methods for use in identifying and evaluating functional dependencies included probabilistic risk assessment (PRA), control systems failure evaluation, and licensing department reviews of industry operating experience through nuclear steam supply system (NSSS) vendor reports, Institute of Nuclear Power Operations (INPO) reports, and licensee event reports (LERs).

Onsite reviews (walkthroughs) of safety-related structures, systems, and components were employed to address spatially coupled SIs. These onsite reviews identified potential interactions arising from proximity, location of non-seismically qualified equipment over safety equipment, high-energy line break (HELB), internal missiles, and flooding. Additional reviews also addressed the areas of pipe stress, fire protection, and thermal growth for potential spatial interactions. CPCo was incorporating many in-place programs into the spatial SI studies to avoid unnecessary duplication of efforts. For example, a program had been in place to address the seismic "Class II over Class I" issue per Regulatory Guide 1.29 requirements.

To address the induced human-intervention-coupled class of ASIs, the CPCo SI program incorporated design reviews and other tasks implemented to enhance operator response to plant events. Other tasks included a human factors review of control room design and procedures, review of control room operating experience, and increased operator training, including the use of simulators.

Although the Midland project has been terminated, the available results, particularly with regard to the seismically induced systems interactions, have been utilized in the A-17 program (see Section 5.6 of this report).

5.1.5 Staff Conclusions

Although the licensee programs discussed above contributed to an increase in safety, the utilities did not perceive the amount of increase to be significant. What was clear was that each program cost the utility millions of dollars.

On the basis of these preliminary conclusions, the staff defined a task to examine the three utility studies (Diablo Canyon, Indian Point Unit 3, and Midland) in greater detail to attempt to better optimize the cost/benefit ratio. For the results and conclusions of this additional work, refer to Section 5.6.

5.2 Other Related Studies, Programs, and Issues

As part of earlier NRC programs to address the issue of systems interaction, national laboratories did a number of studies. In addition, many other ongoing NRC programs are directly related to the work on A-17.

5.2.1 Sandia Laboratory Study of Watts Bar Nuclear Plant
From 1978 through 1980, NRC contracted with Sandia Laboratory to utilize a method of reviewing nuclear power plant systems for potential interactions that was different from the review process being used by NRC in its Standard Review Plan (SRP) (NUREG-0800).

The method was the fault tree method, using the Set Equation Transformation System (SETS) computer code to evaluate the fault trees and identify the potentially interactive cutsets. The resulting report (NRC, NUREG/CR-1321) also assessed the SRP to show where the potential interactions revealed by this independent method may not be specifically discussed in the SRP sections on review, review procedures, or acceptance criteria. The scope of the study was restricted to allow the methodology to be developed and demonstrated in a timely fashion. The interactions addressed were limited to those arising from physical connections and common locations. Three plant functions were included: decay heat removal, reactor subcriticality, and reactor coolant pressure boundary integrity. The range of environmental conditions, plant modes, and plant occurrences was also restricted.

The first step of the study was to develop a methodology for reviewing the SRP that could also be used to evaluate specific facilities. The underlying premise of the methodology is that potential interactions can effectively be found by identifying the commonalities between systems. The methodology uses fault trees to model plant functions, from which the analysis is performed. The SETS computer code and subsequent analysis identify and highlight the important commonalities based on input plant information. Commonalities found between components whose unavailability could lead to loss or significant degradation of an important plant function are pursued in greater detail.

The principal product of this study was to be the development of a systematic and disciplined methodology for the identification and evaluation of a range of potential systems interactions. The methodology was applied to a facility that had recently gone through the licensing process (Watts Bar) to achieve two goals: (1) to provide a basis for comparison to the SRP-type review and (2) to demonstrate the methodology itself. In general, it was concluded that application of the methodology should not be limited to those systems explicitly identified in the SRP as safety related. In addition to this general conclusion, several weaknesses were identified in the SRP. These met all of the following criteria: (1) a potential cause of an interaction could be identified, (2) if an interaction occurred, it would increase the likelihood of core damage, and (3) the potential cause of an interaction was not explicitly covered in the SRP.

The weaknesses identified were the absence of explicit assurances in the SRP or its supporting documents that (1) the reactor coolant pressure boundary integrity will not be lost as a result of interactions stemming from a common location or common actuation of the pressurizer power-operated relief valves and their isolation valves, (2) the decay heat removal function will not be lost as a result of interactions stemming from a common location or common cooling between trains of the auxiliary feedwater system, (3) positive pressure control will not be lost as a result of interactions stemming from common power sources between pressurizer heater channels, and (4) the inventory makeup necessary to maintain decay heat removal will not be lost as a result of interactions stemming from the common location of the refueling water storage tank output valves.
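The generic analysis of Section 4.4.6 and the Sandia fault-tree approach above are two views of one computation: reduce a fault tree for a plant function to its minimal cutsets, then look for a generic cause or common location shared by every basic event in a cutset. The Python script below is an added example written for this page; it is not code from NUREG/CR-1321, NUREG/CR-4261, or the SETS code, and the fault tree, the component rooms, and the susceptibility lists in it are constructed for illustration. It expands AND/OR gates into cutsets, drops the non-minimal ones, and then applies the common-cause-candidate test. One modeling assumption is the script's own: generic causes from the Section 4.4.6 list that act within a location (moisture, vibration, temperature, and so on) are treated as defeated when the cutset's components sit in different rooms, while all others (freezing, out-of-tolerance voltage) are treated as reaching every room.

```python
"""Minimal cutsets of a fault tree and common-cause-candidate screening.

Added example for this page, not code from NUREG/CR-1321, NUREG/CR-4261
or the SETS code. The fault tree, rooms and susceptibilities are constructed.
"""
from itertools import product

# Constructed fault tree for loss of a hypothetical auxiliary feedwater (AFW)
# function. Gates map to (type, children); any name not a gate is a basic event.
TREE = {
    "LOSS_OF_AFW": ("OR", ["BOTH_PUMP_TRAINS_FAIL", "LOSS_OF_SUCTION"]),
    "BOTH_PUMP_TRAINS_FAIL": ("AND", ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]),
    "TRAIN_A_FAILS": ("OR", ["MDP_A", "MCC_A"]),     # pump or its motor control center
    "TRAIN_B_FAILS": ("OR", ["MDP_B", "MCC_B"]),
    "LOSS_OF_SUCTION": ("AND", ["CST", "SW_XOVER"]),  # tank and backup crossover both lost
}

# Constructed component data: room and the generic causes each is susceptible to.
COMPONENTS = {
    "MDP_A":    {"room": "AFW-A",    "susceptible": {"moisture", "vibration"}},
    "MDP_B":    {"room": "AFW-B",    "susceptible": {"moisture", "vibration"}},
    "MCC_A":    {"room": "SWGR-1",   "susceptible": {"moisture", "out-of-tolerance voltage"}},
    "MCC_B":    {"room": "SWGR-1",   "susceptible": {"moisture", "out-of-tolerance voltage"}},
    "CST":      {"room": "YARD",     "susceptible": {"freezing"}},
    "SW_XOVER": {"room": "SW-HOUSE", "susceptible": {"freezing", "corrosion (oxidation)"}},
}

# Modeling assumption for this example: these generic causes act within one
# location, so separate rooms protect against them; any other cause in the
# Section 4.4.6 list (freezing, out-of-tolerance voltage, ...) is treated as
# reaching every room.
LOCALIZED_CAUSES = {"impact", "vibration", "pressure", "grit", "moisture",
                    "stress", "temperature"}


def minimize(cutsets):
    """Keep only minimal cutsets: drop any that is a strict superset of another."""
    return {cs for cs in cutsets if not any(other < cs for other in cutsets)}


def cutsets(node, tree=TREE):
    """Expand a gate into its set of cutsets (frozensets of basic events).

    OR gates union the children's cutsets; AND gates take every combination
    of one cutset per child. This is the Boolean expansion SETS automates.
    """
    if node not in tree:
        return {frozenset([node])}
    gate, children = tree[node]
    child_sets = [cutsets(child, tree) for child in children]
    if gate == "OR":
        result = set().union(*child_sets)
    elif gate == "AND":
        result = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {gate!r} at {node}")
    return minimize(result)


def common_cause_candidates(minimal_cutsets, components, localized=LOCALIZED_CAUSES):
    """Apply the generic-analysis test from Section 4.4.6.

    A minimal cutset is a common-cause candidate when some generic cause is
    common to all of its basic events and location offers no protection
    from it. Returns {cutset: set of such causes}.
    """
    candidates = {}
    for cs in minimal_cutsets:
        shared = set.intersection(*(set(components[e]["susceptible"]) for e in cs))
        rooms = {components[e]["room"] for e in cs}
        unprotected = {c for c in shared if c not in localized or len(rooms) == 1}
        if unprotected:
            candidates[cs] = unprotected
    return candidates


if __name__ == "__main__":
    mcs = cutsets("LOSS_OF_AFW")
    print(f"{len(mcs)} minimal cutsets:")
    for cs in sorted(mcs, key=sorted):
        print("   ", " * ".join(sorted(cs)))
    print("common-cause candidates:")
    for cs, causes in common_cause_candidates(mcs, COMPONENTS).items():
        print("   ", " * ".join(sorted(cs)), "<-", ", ".join(sorted(causes)))
```

With the constructed data the tree yields five minimal cutsets. The two pump cutsets that cross trains share moisture susceptibility but sit in different rooms, so they are not candidates; the two motor control centers share a room and a power-quality susceptibility, and the tank and crossover share a weather cause, so those two cutsets are reported as common-cause candidates, which is the kind of common-location and common-power finding the Sandia study reported against the SRP.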
Although the Sandia work was considered a major portion (Phase I) of the NRC program to address systems interactions, subsequent revision to the A-17 Task Action Plan somewhat deemphasized this work by Sandia because ongoing PRA work (see Section 5.5) and the Brookhaven application on Indian Point 3 (see Section 5.3) were similar to the Sandia work.

The staff concluded that fault trees and other PRA techniques could be used in the investigation of systems interactions. For more on PRA and its relationship to systems interactions, see Section 5.5.

5.2.2 Systems Interactions State-of-the-Art Reviews

The NRC requested three national laboratories to conduct a review of the state of the art in the area of systems interactions in 1980. Each laboratory produced a report as follows:

- NUREG/CR-1859, "Systems Interaction: State-of-the-Art Review and Methods Evaluation," prepared for NRC by Lawrence Livermore National Laboratory, dated January 1981
- NUREG/CR-1896, "Review of Systems Interactions Methodologies," prepared for NRC by Battelle Columbus Laboratories, dated January 1981
- NUREG/CR-1901, "Review and Evaluation of Systems Interaction Methods," prepared for NRC by Brookhaven National Laboratory, dated January 1981

The broad objective of these reports was to develop methods that held the best potential for further development and near-term use by industry and NRC on systems interaction evaluations for future as well as operating plants. More specifically, the objectives of the work were to include:

(1) development of a definition of systems interaction and corresponding safety failure criteria
(2) review and assessment of current systematic methods that have been used, or considered feasible for use, on any complex system comparable to a light-water reactor plant
(3) provision of an inventory of a range of systems interaction scenarios with emphasis on actual operating experience to (a) better focus on the definition of systems interaction and (b) serve as a basis for evaluating the ability of the various methodologies to predict these examples
(4) recommendation of a methodology or alternatives that have the best potential for further development and near-term use by industry and the NRC on systems interaction evaluations
(5) application of candidate methodologies to actual occurrences to demonstrate their ability to predict systems interactions effects

The staff concluded that the recommendations of the three studies would be considered as part of the A-17 resolution if a study was required of all utilities. For more on the state of the art, see Section 4, on methods.

5.2.3 Advisory Committee on Reactor Safeguards Concerns

As stated in the introduction to this report (Section 1), the ACRS was credited with identifying the original concerns. In addition to the original identification, the ACRS has also been instrumental in subsequent investigations in the area of systems interactions. The utility studies at Zion, Indian Point, and Diablo Canyon were all the subject of ACRS discussions (see Sections 5.1.1, 5.1.2, and 5.1.3).
In addition, in September 1979, ACRS consultants completed NUREG-0572, "Review of Licensee Event Reports (1976-1978)," in which they identified a class of events as "systems interaction." The report concluded that a number of LERs reveal unusual and often unpredicted interactions among various plant systems. The report went on to state that it is not surprising that interactions exist, since a nuclear power plant is an extensive and complex facility; however, the nature of these interactions is often quite unexpected. When interactions involve degraded performance of systems required for vital functions, such as shutdown heat removal, there can be significant safety implications. The ACRS acknowledged that the NRC staff is studying systems interactions through Generic Task No. A-17.

Regarding the use of the LERs, the report stated:

    Redundancy and defense in depth are widely used in essential reactor systems to assure their availability. Implicit in such usage is the assumption that a high degree of independence exists between the redundant elements (or the various echelons of defense in depth). Occasionally an LER discloses an unintentional or previously unrecognized interdependence between such elements. In such cases, interdependence reflects one type of systems interaction problem. Although there are few LERs that directly reveal such problems, there are many that hint at deficiencies of this nature. Because of the potentially serious implications of such situations, more attention needs to be directed to seeking them out. Careful review of LERs can uncover such design errors, if they are consciously sought out.

Reference is then made to three sections of the Appendix which include some examples. The first section is entitled "Systems Interactions" and describes three separate events, all of which involve the plant electrical systems. These specific events do not meet the definition and screening criteria of the current TAP for A-17 and therefore were not included in the ORNL list. However, it should be noted that the ORNL LER study (see Section 5.4) does highlight the area of electrical systems as a potentially significant area from the viewpoint of adverse systems interactions.

The second section is entitled "Failures That Indicate Interdependence of Redundant Elements" and describes four separate events.

The first of these events involves redundant battery chargers for a fire pump and would not meet the TAP definition of systems interaction because (1) the fire system is not typically a system needed to achieve and maintain safe shutdown and (2) the chargers were not truly redundant in the same sense as engineered safety features (ESF) Train A and B equipment.

The second event involves the loss of both makeup pumps at Davis-Besse Nuclear Power Station. It is the staff's understanding that the makeup pumps at Davis-Besse are not considered safety related and therefore such an event does not meet the TAP definition, which includes degradation of safety-related equipment.

The third event involves a boron dilution event at Surry Power Station, Unit 2. Although this event involved some unexpected interaction between systems and temporarily blinded the operator, none of the systems involved were safety related and the consequences were very minimal. The consequences were limited by the inherent design of the system because the system could only deliver a maximum of 150 gpm, which could not reduce the boron concentration below acceptable levels between the required sampling intervals.

The fourth event occurred at Three Mile Island Nuclear Station Unit 1 (TMI-1) and involves a miscalibration of all four power range flux monitors as a result of a faulty test pressure transmitter. Although this event does demonstrate a common-cause effect or dependency, it is not an adverse systems interaction but rather fits in the class of other common-cause failures according to the TAP definitions.

The third section of the Appendix is entitled "Adverse Interactions of Safety System and the Influence of Human Errors" and involves one event at Arkansas Nuclear One Units 1 and 2. The event involved a number of adverse systems interaction aspects and has also been included in the list of events compiled by ORNL. It was noted that the ACRS report and the ORNL report both seem to indicate the potential for adverse systems interactions in the highly complicated electrical power supply and its control systems.
Some other ACRS questions and concerns were documented in the form of recommendations to the staff and, in at least three cited utility studies, in the form of guidance to the utilities. Of particular note is the guidance in the ACRS October 12, 1979 letter on Indian Point Station Unit 3. This guidance was issued in response to questions about what constitutes "reasonably appropriate study of systems interactions at Indian Point 3." In that letter, the ACRS expressed specific concerns in two separate areas. One area involved "possibility of systems interactions within an interconnected electrical and mechanical complex." The ACRS expressed concerns with the consideration of other than usually assumed failures, i.e., partly failed or other than normally assumed failed states. The ACRS was also concerned that this type of failure would probably not be revealed by LERs and that a failure mode and effects analysis (FMEA) was required. The second area involved "possibility of interactions between non-connected systems due to the physical arrangement or disposition of equipment." Again, ACRS expressed its belief that LERs would not reveal these unique interactions and recommended a physical inspection of the plant and the "formation of a small but competent interdisciplinary team."

Over the years, ACRS has stated its belief that the staff should require all utilities to do a systems interaction type of analysis and that because such an analysis could be done with little NRC guidance, the requirement should be issued without further investigations and delay. Over the same time period, the NRC staff took the position that such a general requirement would not resolve the issue because of the lack of any consensus about what, if anything, needed to be done. The staff continued to pursue an approach for resolution, searching for an overall cure in the form of what "acceptable" methods should be applied. At this time and on the basis of further review, the staff has concluded that the concerns expressed by the ACRS in the October 12, 1979 letter are some of the central issues that need to be addressed by the resolution of USI A-17.

Regarding the ACRS report (NRC, NUREG-0572), the staff concluded that although many of the events cited there were not "adverse systems interactions" as defined in the present A-17 TAP, the overall conclusions of the report regarding power systems and their control remain valid. In addition, the general type of concerns expressed in the report regarding compromise in redundancy and/or levels of defense in depth also remain valid and have been explored further in the work on A-17 (see Sections 3, 5.4, and 5.6).

On the basis of further review, the staff concludes that (1) walkthroughs similar to walkthroughs suggested by ACRS but with much narrower focus could achieve a cost-effective safety improvement at some plants and (2) although the pursuit of so-called partial failures (leading to functionally coupled ASIs) may uncover uniquely plant-specific scenarios, there is not sufficient evidence to show that they are safety significant enough to justify the type of analyses required to uncover them. In addition, with respect to the failure modes of control systems, USI A-47 (NUREG-0649) is also addressing this area. The staff will provide information to the utilities regarding the types of problems uncovered in the electrical power systems (one area that was highlighted for partial failure investigation), and other types of problems regarding failure modes (see Section 5.4). The ACRS has also expressed concern (ACRS, May 1986) over the scope of the A-17 program. This was discussed previously in Sections 3.4.2 and 3.4.3.
5.2.4 Post-TMI-2 Actions, Including Human Factors Issues

After the accident at TMI-2, a significant amount of attention was focused on the operators and on so-called human factors issues. The USI A-17 TAP (NRC, NUREG-0649) recognizes all the activity in this area and attempts to limit the overlap of concerns between the systems interaction issue and those other efforts. As a result, the A-17 studies focused on the hardware or hardwired aspects of the operators' indication systems and left the human engineering and, specifically, operator error to NUREG-0985, "Human Factors Program Plan." The A-17 area of concern was, therefore, limited to the possibility of misleading an operator by means of a malfunction (that was not readily detectable) in a plant indication system during an event. This was the induced human-intervention-coupled adverse systems interaction referred to in Section 3.

After the accident at TMI-2, a significant amount of attention was focused on this aspect of plant indications. Specifically, requirements were implemented through NUREG-0737, Supplement 1, which improved monitoring information (Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident") and added operator aids such as the safety parameter display system.

The staff engaged in the A-17 program concluded that plant personnel (operators, maintenance personnel, test technicians, etc.) can have a significant impact on plant response, both negative and positive; however, events initiated by personnel error should not be classified as systems interactions. The potential for indication systems misleading the operator has been reduced by the other actions mentioned above. Furthermore, the actions in the area of operator information and training should improve response to and recovery from ASI-type events.

5.2.5 NRC Office for Analysis and Evaluation of Operational Data Activities

As a result of the TMI-2 accident, the NRC formed the Office for Analysis and Evaluation of Operational Data (AEOD) with the intent to pay closer attention to current operating experience and to learn from past experience. AEOD has reported on a number of events that meet the TAP definition of systems interaction, although the events may not have been labeled "systems interactions." In some cases, the staff has formulated new generic issues based on the AEOD reports (see Section 5.2.7 of this report). As part of the resolution of A-17, the staff took a separate look at operating experience. The AEOD reports were one of the reference sources for this work (see NRC's NUREG/CR-3922 and Section 5.4 of this report for more information on operating events).

The staff has concluded that since the formation of AEOD, operating events at plants receive much greater scrutiny than at the time when the systems interaction issue first surfaced. It should be recognized that the implementation by NRC and the industry, through organizations such as INPO, of such scrutinizing analyses addresses some concerns that could be called SIs and as such contributes to a reduction in concerns with systems interaction.

5.2.6 Office of Inspection and Enforcement Activities

The former NRC Office of Inspection and Enforcement (I&E) had the responsibility for notifying all utilities about significant operating events through a system of bulletins and information notices. Several of the events that were screened
from the operating experience, by the work on A-17, were the subject of an IE bulletin or notice. In those cases, this information was included as a reference source (see NUREG/CR-3922 for more information). In addition, as part of the decisionmaking to possibly implement new requirements, those regulatory actions already required by I&E were considered (for more information see Section 5.4 of this report).

Over the years, I&E has notified the industry about significant operating occurrences. In some cases, the occurrences involve systems interactions. As was concluded for AEOD, the staff concludes that the I&E mechanisms of bulletins and notices addressed significant experience, including systems interactions.

5.2.7 Other Generic Issues

In November 1983, the NRC published NUREG-0933, "A Prioritization of Generic Safety Issues." The report presents the priority rankings for a number of generic safety issues related to nuclear power plants. The purpose of these rankings is to assist in the timely and efficient allocation of NRC resources for the resolution of those safety issues that have a significant potential for reducing risk.

The prioritized issues include TMI Action Plan items under development; previously proposed issues covered by task action plans, except issues designated as unresolved safety issues (USIs) which had already been assigned high priority; and newly proposed issues.

The safety priorities, ranked as high, medium, low, and drop, have been assigned on the basis of risk significance estimates, the ratio of risk to costs, and other impacts estimated to result if resolution of the safety issues were implemented.

A number of the issues identified in NUREG-0933 can be called adverse systems interactions and, therefore, there is significant overlap between some issues listed there and the general categories resulting from the ORNL experience search (Section 5.4). This could be expected since the NUREG-0933 issues often arise from the same sources that ORNL used (e.g., LERs and AEOD reports). In some cases, a potential area of concern highlighted from an A-17 systems interaction perspective will have been cited, and possibly addressed, but on a more specific basis.

The resolution of A-17 has considered the safety priority ranking given to the corresponding issues (when available). The A-17 resolution then also recommends further action if necessary (for more information see Section 5.4 of this report).

Three issues included in NUREG-0933 warrant special discussion: Issue II.C.3, "Systems Interactions"; Issue C-13, "Non-random Failures"; and Generic Issue 77, "Flooding of Safety Equipment Compartments by Backflow Through Floor Drains."

As stated in the TMI Action Plan, the purpose of Issue II.C.3 was "to coordinate and expand ongoing staff work on systems interaction (USI A-17) so as to incorporate it into an integrated plan for addressing the broader question of system reliability in conjunction with IREP [Interim Reliability Evaluation Program] and other efforts."
When the A-17 Task Action Plan was revised in January 1984, it was decided to include in Issue A-17 the activities described under Issue II.C.3.

Issue C-13, "Non-random Failures," is an issue that was credited to ACRS in NUREG-0471. Although this issue was formerly referred to as "common mode failure of identical components exposed to identical or nearly identical conditions or environments" (as evidenced by reference to issues such as A-9, A-30, A-35, B-56, and B-57), it was expanded to include other types of failures and, as a result, a reference to USI A-17 is made in NUREG-0933. It should, therefore, be kept clear that the term "non-random failures" can include more than "systems interactions" and that a resolution of A-17 does not resolve all non-random failures (for additional information see Section 3).

GI-77 was given a high priority and was also qualified insofar as the lack of plant-specific details. In this regard, the group studying the resolution of USI A-17 considered these in its resolution.

The mechanism in place for identifying and prioritizing generic safety issues provides an avenue for handling all types of issues, including systems interaction type issues. On the basis of the treatment of a general type of issue such as C-13, that is, by handling it as a class and dealing with individual identified parts, the staff concludes that this is the best mechanism for dealing with any remaining or future SI concerns after the resolution of A-17. This is consistent with the need to clearly define any proposed safety issue in order to prioritize it.

5.2.8 Other Unresolved Safety Issues

The Task Action Plan for USI A-17 acknowledges that a relationship can exist with USI A-47, "Safety Implications of Control Systems" (NUREG-0649). This is primarily based on the understanding that control systems do interact with many plant systems and, therefore, if the control systems interactions lead to possible degradations in safety systems, such a concern could also be labeled an adverse systems interaction.

As the resolution of A-17 progressed, a close relationship between A-46 (NUREG-0649) and part of A-17 was acknowledged. Part of A-17 deals with possible seismic-induced spatial interactions between the non-seismic structures, systems, and components and the seismic structures, systems, and components. A-46 deals with the seismic qualification of certain equipment in older plants. The resolution of A-17 reflects this relationship.

Although USI A-45, "Shutdown Decay Heat Removal Requirements" (NUREG-0649) is not directly related to A-17, it is recognized that if the resolution of A-45 were to be an independent shutdown system, then such a resolution could substantially reduce the safety benefit of pursuing some ASIs.

As the resolution of A-17 has progressed to the point of focusing on certain areas, the relationships to other unresolved safety issues have been considered. The proposed resolution of A-17 acknowledges relationships with USI A-45, USI A-46, and USI A-47.
5.2.9 Systematic Evaluation Program

The Systematic Evaluation Program (SEP) was initiated by the NRC to review the designs of older operating nuclear reactor plants to reconfirm and document their safety. The review provided (1) an assessment of the significance of differences between current technical positions on safety issues and those that existed when a particular plant was licensed, (2) a basis for deciding how these differences should be resolved in an integrated plant review, and (3) a documented evaluation of plant safety.

The review focused on 137 different "topic" areas (NUREG-0824). Although topics that were being reviewed under other programs, such as unresolved safety issues, were generally deleted from consideration in the SEP, some topics that were evaluated under the SEP are related to USI A-17. Therefore, the information developed in these topic areas was used in the A-17 study.

Of specific applicability were topics that were related to potential spatially coupled interactions. These topics included:

III-4.C Internally Generated Missiles
III-5.A Effects of Pipe Break on Structures, Systems, and Components Inside Containment
III-5.B Pipe Break Outside Containment

On the basis of its review of the general SEP findings on these topics (NRC, SECY-84-133), the staff concluded that:

(1) Plants typically provide significant protection against internally generated missiles.
(2) The flooding reviews performed in response to the Atomic Energy Commission (AEC) generic letter of September 26, 1972, may not have adequately covered some significant areas of concern.

This information was used to develop the focus of spatially coupled ASIs (see Section 5.6).

5.2.10 Standard Review Plan

The Commission's Standard Review Plan (SRP) (NUREG-0800) is the document that defines the acceptance criteria and review guidance used in the licensing process. The SRP has evolved over a number of years and has typically addressed areas of concern that can be considered adverse systems interactions. One alternative considered in the A-17 program was the possibility of revising the SRP or related guidance documents such as regulatory guides to improve the evaluation of ASIs for future plant reviews. Some of the SRP sections that already address systems interaction concerns are listed in Table 3.
Table 3 SRP sections that deal with spatially and functionally coupled ASIs

Source                                   SRP Section(s) (NUREG-0800)

Spatially coupled ASIs
  Earthquake                             3.6.2, 3.7.3, 3.9.2, 3.10, 3.11, 6.7,
                                         9.1.3, 9.2.1-9.2.3, 9.2.6, 9.3.1, 9.3.3,
                                         9.3.5, 9.4.1-9.4.5, 10.3, 10.4.7, 10.4.9
  Internal flood                         3.4.1, 3.6.1, 9.3.3, 10.4.5
  Internal fire                          9.5.1
  High-energy line break                 3.6.1
  Internal missiles                      3.5.1.1-3.5.1.3, 9.1.4, 9.1.5

Functionally coupled ASIs
  Reactor protection/engineered          7.2, 7.3
    safety features
  Safe shutdown                          7.4
  Control system                         7.7
  Station service water                  9.2.2
  Electric power systems                 8.2, 8.3

5.2.11 NRC's Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants

The NRC has published a policy to resolve safety issues related to reactor accidents more severe than design-basis accidents (NUREG-1070). Its main focus is on the criteria and procedures the Commission intends to use to certify new standard designs for nuclear power plants; however, it also provides guidance on decision and analytical procedures for the resolution of severe accident issues for other classes of future plants and for existing plants (operating reactors and plants under construction which have applied for operating licenses). Severe nuclear accidents are those during which substantial damage is done to the reactor core, whether or not there are serious offsite consequences. Specifically, the policy states:

    The Commission plans to formulate an integrated systematic approach to an examination of each nuclear power plant now operating or under construction for possible risk contributors (sometimes called "outliers") that might be plant specific and might be missed absent a systematic search.
The investigation into USI A-17, "Systems Interactions," highlighted a number of nuclear power plant systems or areas that appear to be the ones that are most likely to contain potential adverse systems interactions.

ASIs (both functionally coupled and spatially coupled) are most often caused by a design feature and/or a set of operating conditions peculiar to a particular plant; the consequences of an ASI are similarly determined by features peculiar to a particular plant and by the operator's response. Therefore, the resolution of A-17 can add to the formulation of any systematic evaluation of plants by providing aid in focusing the search for "outliers."

The areas of concern should include aspects that are discussed in the review of operating experience (see Section 5.4) and the review of seismic/spatially coupled SI programs (see Section 5.6). These are:

Functionally Coupled ASIs
(1) electric power systems
(2) support systems
(3) overreliance on "fail-safe" design principles
(4) automatic actions with no preferred failure mode for all situations
(5) instrumentation and control power supplies

Spatially Coupled ASIs
(1) non-seismically qualified equipment effects on seismically qualified equipment
(2) internal plant flooding of safety-related equipment

5.2.12 Electric Power Research Institute's "Systems Interaction Identification Procedures"

As the technical resolution of USI A-17 was proceeding, the Electric Power Research Institute (EPRI) published EPRI NP-3834, Volumes 1-5, "Systems Interaction Identification Procedures." The staff asked Oak Ridge National Laboratory to review and assess the report's impact on the proposed resolution of USI A-17.

ORNL prepared a draft letter report dated February 10, 1986, concluding that both the proposed resolution for USI A-17 and the EPRI report explored numerous methodologies for identifying SIs. Both assessments conclude that no one methodology by itself can adequately identify functional, spatial, and induced human-intervention-coupled interactions. Therefore, several different analysis techniques should and could be used.

None of the methods presented in the EPRI assessment provide a quicker, easier, or more comprehensive means of identifying SIs. It was, therefore, concluded that the EPRI work brought no significant information to the technical resolution of A-17.

5.3 Indian Point Station Unit 3 Laboratory Demonstration Study

The staff initiated a laboratory demonstration study on the Indian Point 3 plant in mid-1983 through Brookhaven National Laboratory (BNL) and Lawrence
Livermore National Laboratory (LLNL). The purpose of the study was to test and compare two potentially useful search methods and to compare the results with the study made by the utility. One method, the digraph matrix method, was applied by LLNL (for further information see NUREG/CR-2915, NUREG/CR-3593, NUREG/CR-4179, and LLNL's report of June 1983) and the other method, the interactive fault tree/failure mode and effect analysis, was applied by BNL (for further information see NUREG/CR-4207). Both studies concentrated on functionally coupled events.

By placing the same $1 million limit on each study, a meaningful comparison was anticipated.

There was no shortage of postulated intersystems dependencies that could be counted among the possible causes of safety malfunctions (NRC memorandum, March 20, 1985). From the impressively large number of cutsets generated by both groups of analysts, surprisingly few were safety significant.

Two cutsets contributed an estimated core damage frequency as high as 6 x 10⁻⁸ per reactor year. The next likely cutset contribution was not greater than about 5 x 10⁻⁸ per reactor year. The estimated frequencies of occurrence are highly biased by a pessimistic treatment of recovery actions available to the operators. Therefore, a very small fraction of the intersystems dependencies (which are possible to postulate) were even modestly safety significant.

The only safety-significant systems interaction highlighted by BNL was the unavailability of station battery 32 coincident with a safeguards systems actuation signal. This postulated event would leave both low pressure injection recirculation pumps and other vital equipment unavailable. The loss of station battery 32 does not meet General Design Criterion (GDC) 35 (PASNY, LER 84-010-00, Docket 05000286, July 16, 1984). The postulated event could lead to core damage with an estimated frequency as high as 2 x 10⁻⁸ per reactor year. The plant was modified and is not now vulnerable to this postulated event.

The first significant systems interaction highlighted by LLNL is a misalignment of preselected service water pumps and valves coincident with a loss of offsite power. Without rapid operator intervention, this postulated event could lead to a reactor coolant pump seal failure and hence a small LOCA and the loss of both core heat removal paths. The postulated event could lead to core damage with an estimated frequency as high as 4 x 10⁻⁸ per reactor year. (Note: Although this was presented by LLNL as an adverse systems interaction, it does not truly fit the TAP definition.)

The other significant systems interaction highlighted by LLNL is a mechanical failure of the linkage within an interlocking breaker coincident with a loss of offsite power. Without rapid operator intervention, this postulated event could lead to damage to the emergency diesels and the subsequent failure of reactor coolant pump seals, a LOCA, and loss of core-heat-removal paths. It was estimated that this postulated event could lead to core damage with a frequency only as high as 5 x 10⁻⁸ per reactor year.

On the basis of the evaluation of the results of the two demonstration analyses, the staff concludes that there is no one method that alone could serve as a mechanism for resolving concerns regarding adverse systems interactions; in other words, there is no panacea. Significant resources were expended by
the two national laboratories and the results indicate that few, if any, risk-significant, functionally coupled systems interactions were uncovered. At least one interaction was uncovered which violated the plant's design basis. Furthermore, it appears that the ability of one method or another to identify certain systems interactions is often more a function of the skill of the analyst and the modeling detail, rather than a function of a particular method.

From this, the staff concluded that there is no one solution to the systems interaction issue and, therefore, focused on a more limited type of analyses. The basis for this was the possibility that a more directed effort, by any number of methods, may be cost effective if it can be determined that certain areas are more prone to significant adverse systems interactions. To this end, the operating experience search was intended to highlight such areas (see Section 5.4). The IP3 demonstration did point out that the electrical power system, or portions of it, may be such an area. In particular, the study provides some indication that electrical distribution systems sometimes are not designed with total redundancy and channelization and usually include significant non-safety/safety interfaces which make them prone to hidden dependencies.
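The cut-set searches described in Section 5.3 surface a hidden dependency only when the support systems (batteries, buses, control power) are modeled explicitly rather than folded into the trains they serve. The following is an added illustration of that point, not code from the BNL, LLNL or NRC studies and not the Indian Point 3 model: a small, constructed fault tree whose two redundant trains both draw breaker control power from one battery. The component names, tree structure and unavailability numbers are hypothetical, loosely patterned on the station battery 32 scenario above; the battery name is used only as a label.

```python
"""Minimal cut set search over a small fault tree with a shared support system.

Added illustration, not the BNL or LLNL models of Indian Point 3.  The plant
model below is constructed and hypothetical; the component names are loosely
patterned on the station battery scenario in the text, but the structure and
numbers are invented for the example.
"""

TOP = "LOSS_OF_BOTH_RECIRC_TRAINS"

# Fault tree: gate name -> (gate type, children).  Names not in the dict are
# basic events.  Both breaker-control-power branches hang on the same battery,
# which is the hidden dependency the search is meant to surface.
TREE_AS_FOUND = {
    TOP: ("AND", ["TRAIN_A_UNAVAILABLE", "TRAIN_B_UNAVAILABLE"]),
    "TRAIN_A_UNAVAILABLE": ("OR", ["PUMP_A_FAILS", "PUMP_A_NO_POWER"]),
    "TRAIN_B_UNAVAILABLE": ("OR", ["PUMP_B_FAILS", "PUMP_B_NO_POWER"]),
    "PUMP_A_NO_POWER": ("OR", ["BUS_A_FAILS", "BKR_A_CONTROL_POWER_LOST"]),
    "PUMP_B_NO_POWER": ("OR", ["BUS_B_FAILS", "BKR_B_CONTROL_POWER_LOST"]),
    "BKR_A_CONTROL_POWER_LOST": ("OR", ["BATTERY_32_FAILS"]),
    "BKR_B_CONTROL_POWER_LOST": ("OR", ["BATTERY_32_FAILS"]),
}

# Same tree after a hypothetical modification: train A's breaker control power
# comes from its own battery, so the two trains no longer share a support.
TREE_MODIFIED = dict(TREE_AS_FOUND)
TREE_MODIFIED["BKR_A_CONTROL_POWER_LOST"] = ("OR", ["BATTERY_31_FAILS"])

# Constructed per-demand unavailabilities (illustrative, not plant data),
# used only to rank the cut sets.
UNAVAILABILITY = {
    "PUMP_A_FAILS": 1e-3, "PUMP_B_FAILS": 1e-3,
    "BUS_A_FAILS": 1e-4, "BUS_B_FAILS": 1e-4,
    "BATTERY_31_FAILS": 1e-3, "BATTERY_32_FAILS": 1e-3,
}


def minimize(cutsets):
    """Drop any cut set that is a superset of another (keep minimal ones)."""
    kept = []
    for cs in sorted(set(cutsets), key=lambda s: (len(s), sorted(s))):
        if not any(k <= cs for k in kept):
            kept.append(cs)
    return kept


def minimal_cut_sets(tree, node):
    """Return the minimal cut sets of `node` as a list of frozensets.

    OR gates collect the children's cut sets; AND gates take the union of one
    cut set from each child (the cross product).  Because one basic event may
    reach the top through several branches, minimizing after each gate is
    what collapses {BATTERY_32, BATTERY_32} into a single-event cut set.
    """
    if node not in tree:                      # basic event
        return [frozenset([node])]
    gate, children = tree[node]
    child_sets = [minimal_cut_sets(tree, c) for c in children]
    if gate == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    elif gate == "AND":
        combined = [frozenset()]
        for sets in child_sets:
            combined = [acc | cs for acc in combined for cs in sets]
    else:
        raise ValueError(f"unknown gate type {gate!r} at {node}")
    return minimize(combined)


def single_point_failures(tree, top):
    """Cut sets of order 1: one basic event alone defeats the redundancy."""
    return [cs for cs in minimal_cut_sets(tree, top) if len(cs) == 1]


def rank_cut_sets(cutsets, unavailability):
    """Rare-event approximation: a cut set's unavailability is the product of
    its basic events' unavailabilities (independence assumed).  Returns
    (value, sorted event names) pairs, most significant first."""
    ranked = []
    for cs in cutsets:
        q = 1.0
        for event in cs:
            q *= unavailability[event]
        ranked.append((q, sorted(cs)))
    return sorted(ranked, key=lambda pair: (-pair[0], pair[1]))


if __name__ == "__main__":
    for label, tree in (("as found", TREE_AS_FOUND), ("modified", TREE_MODIFIED)):
        cutsets = minimal_cut_sets(tree, TOP)
        print(f"{label}: {len(cutsets)} minimal cut sets, "
              f"{len(single_point_failures(tree, TOP))} of order 1")
        for q, events in rank_cut_sets(cutsets, UNAVAILABILITY)[:3]:
            print(f"  {q:.1e}  {' & '.join(events)}")
```

In the as-found tree the search returns five minimal cut sets, one of which is the single event BATTERY_32_FAILS; it dominates the ranking by three orders of magnitude because it needs no coincident failure. After the modification every minimal cut set has order two. The same mechanics apply to any support that is shared across what are nominally independent trains, which is why the text notes that the method matters less than the analyst's modeling detail.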
5.4 Search for Common-Cause Events in Operating Experience

As part of the effort to provide a more focused approach for the resolution of A-17, a set of tasks was defined to search operating experience in order to accumulate a data bank on the types of common-cause events of concern. The major portion of this work was performed by ORNL, and a summary of ORNL's findings is included in NRC's document, NUREG/CR-3922.

The search emphasized events included in the LER files and involved a screening of those events based on the Task Action Plan definition. On the basis of the characteristics or attributes of the SI events, a group of general categories of systems interaction events was developed. In this manner, it was anticipated that generic areas of concern could be highlighted for possible further action. The results of the ORNL experience review indicate 23 general categories of events which have involved systems interactions. Those categories are listed in Table 4.

From these categories, the staff sought to establish possible safety significance (NUREG/CR-4261). This involved consideration of completed or ongoing related regulatory action. In this manner, it was anticipated that some areas would need no further action and any remaining areas of concern could then be evaluated for potential safety significance. In general, where extensive regulatory action was involved, such as IE bulletins or vendor notifications, the event and action taken could be shown to involve other than plant-specific features. The categories for which little regulatory action was taken often involved scenarios that were specific to a particular plant.

The staff then reviewed all the categories to see if some generic aspects related to adverse systems interaction concerns should be identified for action on all plants. The areas are summarized below on the basis of the type of coupling exhibited, i.e., functional, spatial, or induced human intervention. ORNL also looked at the general adequacy of the ongoing evaluations of operating experience.
Table 4 Event categories involving systems interactions

Category                                                              No. of
No.    Title                                                          events

 1     Adverse interactions between normal or offsite power systems      34
       and emergency power systems
 2     Degradation of safety-related systems by vapor or gas intrusion   15
 3     Degradation of safety-related components by fire protection       10
       systems
 4     Plant drain systems allow flooding of safety-related equipment     8
 5     Loss of charging pumps due to volume control tank level            6
       instrumentation failures
 6     Inadvertent ECCS/RHR pump suction transfer                         4
 7     HPSI/charging pumps overheat on low flow during safety             6
       injection
 8     Level instrumentation degraded by HELB conditions                 21
 9     Loss of containment integrity from LOCA conditions during         10
       purge operations
10     HELB conditions degrading control systems                          3
11     Auxiliary feedwater pump runout under steamline break              2
       conditions
12     Waterhammer events                                                 4
13     Common support systems or cross-connects                          18
14     Instrument power failures affecting safety systems                 5
15     Inadequate cable separation                                        8
16     Safety-related cables unprotected from missiles generated from     3
       HVAC fans
17     Suppression pool swell                                             3
18     Scram discharge volume degradation                                 2
19     Induced-human interactions                                         4
20     Functional dependencies from failures during seismic events        5
21     Spatial dependencies from failures during seismic events          13
22     Other functional dependencies                                     21
23     Other spatial dependencies                                        30
5.4.1 Functionally Coupled Type

5.4.1.1 Electric Power System

For purposes of this work, the electric power system includes the offsite sources, the switchyard, the power distribution buses and breakers, onsite generating equipment, and the control power and logic to operate the breakers and start and load the diesel generators. Some of the lower voltage (typically 120-V ac and 125-V dc) power supply portion of the system is also dealt with under Section 5.4.1.5 below.

As outlined in NUREG/CR-3922 and NUREG/CR-4261, concerns were highlighted in the area of electric power systems in Categories 1 and 13 (Table 4). Three important factors appear to contribute to the possible significance of this area:

(1) It is one of the most (if not the most) extensive support systems in a plant. Power is supplied from various sources including the offsite network, the main plant turbine generator, and in certain situations, the safety-related diesel generators. Power is then distributed to various items of equipment for normal plant control which is not related to safety, various engineered safety features equipment which is safety related, and various items of equipment for shutdown and decay heat removal.

(2) Given these system demands, the power system is therefore an inherently complex system. A large number of normal operating modes at the plant, as well as transient and accident situations, must be accommodated. Interfaces are created between redundant safety-related equipment as well as between non-safety-related equipment and the safety-related equipment. In addition, the power system itself relies on a number of other support systems such as HVAC and cooling water.

(3) Because of individual plant requirements and situations (a number of significant events occur when the system is in any abnormal temporary alignment), each power system tends to have some unique aspects. Very few specific ASIs can be stated to be generically applicable; however, the staff believes that general classes of electric power events can be potentially generic.

ORNL (NRC, NUREG/CR-3922 and NUREG/CR-4261) categorized the electric power system concerns into four areas:

(1) load sequencing/load shedding
(2) diesel generator failures caused by specific operating modes
(3) breaker failures due to loss of dc power
(4) failures that propagate between the safety-related portion and the non-safety-related portion of the power systems

With respect to these four areas of concern, the staff noted that although regulatory practice has allowed non-safety-related equipment to be powered from safety-related buses, this practice has created the potential for a number of undesirable interactions. In such situations, the isolation devices protect the safety-related equipment. These isolation devices have been the subject of much concern, both in the main power supply area (such as breakers that open on fault
- - - _ . ______-____-_a
hN. .b5G ? s : Y h.2.Y L l ,$.b:.., % d L:L h.?. w.:2.n -
.l:..
3 4 s 1 1 l current or " accident" signals) and in the instrumentation and control power sup-j ply area (such as isolation transformers and other devices). In some cases, the a " isolation" devices do not isolate the full range of undesirable events. In , l addition, there are other concerns that the investigation into the A-17 issue i has focused on. The ASIS of note involve scenarios in which a non-safety-j related load is supplied by a safety-related bus and the non safety-related .. load is part of important plant operation and/or control. As a result, a fail- ! ure in the safety-related portion can create a situation in which a plant $ transient event occurs and simultaneously significant safety related equipment j is unavailable because of the same failure. The most significant types of [ events appear to be those that involve the instrumentation and control power a system. As stated below in the discussion of those specific power supplies, @ the staff believes that ongoing activities in the area of instrumentation and i control power supplies should be integrated and should also address this type j of concern. 5.4.1.2 Plant Support Systems 3 Concerns related to the area of support systems were noted in Categories 1 (as i stated, the electric power system is a excensive support system), 13, 14, 18, 1 and 22 (Table 4). Since the electric power system was dealt with separately, i the support systems considered here include cooling water systems; heating, 3 ventilation, and air conditioning systems; lube oil systems; air supply systems;
- and instrumentation and control systems. As was pointed out for the electric systems, these types of support systems tend to be plant unique to some extent.
The main general concern with some of the support systems involves the potential for them to initiate an event and also degrade the systems necessary to mitigate
, that event. This potential breakdown in the defense-in-depth philosophy can exist in some plants; however, the safety significance is highly dependent on 4
other plant mitigating features such as remaining independent trains of equipment. 4 Because the loss of these support systems (including the electrical power sys-
, tem) does not lead to events such as a large LOCA or an MSLB which require im-mediate operator action, the staff concludes that, except for catastrophic fail-ures (see spatially coupled sis, Section 5.4.2), the potential for recovery of these systems is very great. In conjunction with the conclusions regarding induced human-intervention coupled sis (see Section 5.4.3 below), the staff has 3 not recommended a regulatory action in this area, except for spatially coupled Q interactions. The staff will, however, communicate this information on support rj systems to the industry.
5.4.1.3 Incorrect Reliance on Failsafe Design Principles 1 One area of adverse systems interact:ons involved reactor protection (scram)
; systems, Category 18. The staff recognized t' such ASIS could be signifi-d cant because of the time response demanded of a trip system. An argument simi-4 lar to the above that the operator could have the time to fix a problem, does a not apply, d
j The staff believes that the types of ASI identified in the studies were the i result of use of a design approach which actually requires the functioning of
- certain features (for instance, a BWR discharge volume had to be empty) and, l
l l USI A-17 Enci 5 41
y , , ; * , _. e
~
i . . . D e n , q , ,, _ , _
> b , ,, . g. ; '_ ,, y 1 y- ," 1
! therefore, an incorrect, reliance on fail-safe principles. In fact, the con-
- cern with the air system was due to reliance on incorrect failsafe principles.
! In that case, the air system was assumed to fail safe (i.e., bleed off) and, as a result, a partial failure, at some low pressure, went unanalyzed. Action was taken at all boiling water reactors to correct this problem. It was also noted ! that the electrical supply system to this scram system also had been previously l modified because of similar concerns. Specifically, the electrical power was i assumed to fail safe, i.e., voltage going to zero and as a result, partial fail-ure such as low voltage or high voltage went unanalyzed for a time. j Although the staff is concerned with such scenarios, the concern focuses on the reactor trip system and it is acknowledged that the resolution of A-9, "An-i ticipated Transient Without Scram (ATWS)," should resolve the concerns in the ! ! area of the reactor trip system (RTS). The staff acknowledges that there may l
- be other areas of the plant in which incorrect use of failsafe principles has j occurred, but in all cases except the RTS, it is concluded that the safety sig-
- nificance would be less because of the greater time available for the operator
! to take corrective action. The only exception may be during a large LOCA; , however, the probability of a large LOCA occurring in conjunction with these } types of partial failures should be low. The staff will, however, communicate 2 this information on the use of failsafe principles to the industry. ? l 5. 4.1. 4 Automated Safety-Related Actions With No Preferred Failure Mode Another area of adverse systems interactions which was highlighted involved the inadvertent actuation of an engineered safety features (Category 6), inadvert-ent emergency core cooling system / residual heat removal (ECCS/RHR) pump suction transfer. The most significant characteristic of this area appears to be that such a design feature does not have an "always" preferred (failure) mode. As a result, extra precautions may be needed to avoid (1) a failure to actuate
- when needed and (2) a failure that actuates the system when not required (i.e. ,
l inahertently). Of particular note is the possibility of inadvertent actuation i of these types of functions during testing or maintenance. It is fairly common practice to put portions of the actuation logics in a trip or actuated state and assume that the plant is then in a " safe" condition. Although this may be true for functions that have a preferred (failure) mode, it may not be a con-servative assumption for these other functions that do not have an always preferred (failure) mode. The specific area of automatic ECCS switch to recir-culatior is the subject of a generic issue (GI) that is scheduled for prioriti-zation, GI-24 (NUREG-0933, Rev. 2). i GI-24 will consider the aspect of possible untimely, inadvertent ECCS/RHR pump
- , suction transfer; therefore, the staff concludes that further specific action as part of the A-17 resolution is not warranted. The task manager for A-17 will make the staff responsible for NUREG-0933 aware of the information developed in the ORNL study.
There is some additional concern that other ESF systems may similarly not al-s ways have a preferred failure mode. In general, almost all of these systems i have been analyzed for inadvertent actuation from a functional standpoint. The i staff will, however, communicate the information on the concern (regarding d functionally coupled ASIS) for systems that do not have an always preferred
, failure mode to the industry.
! USI A-17 Enci 5 42 r I
+CW! m ' ' - a ;
5.4.1.5 Instrumentation and Control Power Supplies

The ORNL review (NRC, NUREG/CR-3922) highlighted several events related to instrumentation and control (I&C) power supplies (Category 14). The events at all plants, and specifically at Babcock & Wilcox plants, have already received significant attention as outlined in the ORNL assessment (NRC, NUREG/CR-4261). As stated in Section 3.4.3, there was some concern that the potential for a significant event related to I&C power supply interactions may still exist. Because of this concern, further review work at ORNL was identified.

ORNL completed this work and summarized it in a report entitled "Survey and Evaluation of Vital Instrumentation and Control Power Supply Events" (NRC, NUREG/CR-4470). The report included a number of I&C power supply failures, some of which led to initiation of a plant transient and partial disabling of a safety system or operator indication.

On the basis of the additional work performed by ORNL and the staff's further review of the area of I&C power, the staff concluded that a significant number of issues and industry efforts were already under way in this area. The results of the A-17 work in this area will be communicated to the industry for information. However, the conclusion that significant activity is already under way in this area has led the A-17 resolution to include a recommendation that all the issues related to I&C power be combined under one task action plan to better expedite and coordinate the work in this critical area. In addition, the ORNL report should be utilized in this combined task.

5.4.2 Spatially Coupled Type

Spatial dependencies appeared in a number of categories, including 3, 4, 8, 10, 15, 16, 21, and 23 (Table 4). This information was used in conjunction with the review of the utility studies in the spatial area. See Section 5.6 for the staff's conclusions regarding spatially coupled interactions.

5.4.3 Induced Human-Intervention-Coupled Type

The limited treatment of the operator in the study of the A-17 issue (i.e., as a hardwire link) resulted in only a few events in this specific area (Category 19) and, actually, these events could also be classified as another form of functional coupling. Of related interest are those events related to instrument and control power losses (Category 14), since such losses can also lead the operator to a false conclusion.

On the basis of actions taken independently of the A-17 issue in the area of operator indication and particularly the implementation of Regulatory Guide 1.97 and the issuance of I&E Bulletin 79-27, the staff concludes that no additional action should be required for adverse systems interactions of this type at this time. The A-17 investigation will supply any additional information uncovered as a result of instrumentation and control power supply investigations as input to GI-76 (NUREG-0933, Rev. 2).
5.4.4 Adequacy of Ongoing Evaluations of Operating Experience

ORNL reviewed (NRC, NUREG/CR-4261) the existing programs for the reporting, evaluation, and dissemination of significant operating experience. This review included the activities considered by AEOD (Section 5.2.5) and I&E (Section 5.2.6) and efforts by the industry. On the basis of this review, ORNL concluded that adequate provisions are in place to continue to monitor the operating experience for adverse systems interactions regardless of whether they are specifically labeled as such.

The staff agrees with the ORNL conclusion and is, therefore, considering taking no action in the area of evaluation of operating experience, except for the one-time dissemination of the information from the ORNL study for ASIs (NRC, NUREG/CR-3922 and NUREG/CR-4261).

5.4.5 Undesirable Results of Systems Interaction Events

Part of the effort to focus USI A-17 involved a set of definitions with a number of undesirable results (see Section 3.2). Although no conclusion was reached as to the relative consequences or frequency of the various results (except for Undesirable Result 5, see below), a closer evaluation of the nature of the events which involve these results led to certain observations.

Undesirable Result 1 involves breakdowns in the independence of redundant safety systems, divisions, trains, etc. This is a clear violation of the single-failure criterion, and these events often result from errors such as design or installation errors. Although they sometimes involve subtle couplings, they are still caused by errors that probably cannot be rectified by providing additional guidance on the application of the single-failure criterion.

Undesirable Result 2, which addresses the degradation of a safety-related system by a system not related to safety, involves a similar observation: independence or isolation is clearly required for these cases and typically errors, rather than subtle couplings, cause the problems.

Undesirable Results 3 and 4, on the other hand, involve coupling of any plant accident or transient event and the degradation of any safety system including operation information. This aspect of breakdowns in levels of defense in depth has not typically been the subject of as much guidance as the area of independence between safety systems and non-safety systems. One exception may be in regard to the potential for a LOCA or MSLB to result in an environment that can impact safety-related equipment. This area has been the subject of a large effort to qualify the plant equipment to survive these environments.

ASIs of note that were identified as a result of the A-17 study were events that involved a single failure, such as loss of a power supply or other support system, which led to a transient and also led to the loss of a train of some mitigative feature.

Undesirable Result 5 was included in the A-17 issue to address events that may involve plant features such as locked doors or inaccessible areas. The search of operating experience uncovered only a few events of this type (NUREG/CR-3922). In addition, a prioritization (NUREG-0933) of a related area, GI-81, "Impact of Locked Doors and Barriers on Plant and Personnel Safety," concluded that the issue should be dropped from further consideration. Therefore, the staff did not consider this type of adverse systems interaction further.

5.5 Probabilistic Risk Assessments

The following is extracted from the Introduction to NUREG/CR-3852, "Insight Into PRA Methodologies."
  In 1975, a new approach to evaluating reactor reliability and risk - Probabilistic Risk Assessment (PRA) - was presented in the Reactor Safety Study (RSS), WASH-1400 [renumbered NUREG-75/014]. This approach is based upon the concept of defining reactor system functions required for specific challenges (event trees) and estimating the probability of failure of system and functional requirements (fault trees). Since the completion of the RSS, reliability and risk assessment methods have been slowly evolving to the degree that they have become generally accepted for providing a reasonable analysis of the safety of a nuclear power plant. During the mid to late 1970s, the Reactor Safety Study Methodology Applications Program (RSSMAP) developed the concept of dominant accident sequences to simplify the construction of detailed event and fault trees. Following RSSMAP, the Interim Reliability Evaluation Program (IREP) sponsored five reliability assessments to determine plant differences by utilizing a variety of probabilistic assessment methods and implementation techniques. In addition to these NRC-sponsored studies, the nuclear power industry has conducted a number of reliability and risk studies. Examples include the Zion, Indian Point, Oconee, and Limerick PRAs. These studies have also made significant advances to the state of the art in probabilistic analysis.

  At the present time about 20 probabilistic safety analyses on specific nuclear power plants have been completed. All of the studies are primarily based on the methods developed in the Reactor Safety Study. However, most of the studies have attempted to improve upon the original probabilistic concepts.

Many of the studies, to one degree or another, address some aspects of the general subject area of systems interactions. Adverse systems interactions are a small subset of the general area referred to as "dependencies" in a PRA. The dependencies related to systems interactions involve topic areas such as Modeling of AC Power Systems and Modeling of Logic (Actuation) Systems. There are many other dependencies dealt with which are not systems interactions. Some of these are Evaluation of Human Error and Common Mode Analysis.

Reports published on probabilistic risk assessment (NRC, NUREG-1050, NUREG/CR-2300, and NUREG/CR-2815) have consistently identified the area of dependencies as critical to the accuracy of the studies. The failure to adequately treat dependencies, including adverse systems interactions, will repeatedly cause the results to underestimate overall risk. In terms of probabilities, cutsets include independent events so that $P_{AB} = P_A \cdot P_B$. However, where there is some dependency, $P_{AB}$ is greater than $P_A \cdot P_B$. Clearly, by A-17 definitions, not all such dependencies are due to adverse systems interactions because a dependency such as could arise from common maintenance practices (e.g., the case of the Salem A and B scram breakers, NUREG-1000) would also be such a dependency. If a PRA would, through very detailed modeling, include all the system and initiating event dependencies (including functional and spatial dependencies), then it would address all concerns for systems interactions. No PRA to date has been able to make this sort of claim; however, many have highlighted significant system dependencies that are related to the systems interaction issue.
Additional work has been performed in the general subject area of common-cause event analysis. A guide (NRC, NUREG/CR-4780) has been prepared to aid in performing a common-cause analysis as part of a risk or reliability analysis. The guide is the result of many years of research by the authors and others in the treatment of dependent failures in reliability and risk studies. As such, it references much related work by organizations such as the Electric Power Research Institute and Pickard, Lowe, and Garrick, Inc.

During its study leading to the resolution of USI A-17, the staff considered both the PRA methods used in these areas and significant systems interactions highlighted by individual studies.

5.5.1 PRA Methods

ORNL reviewed the relationship of systems interactions to PRAs (NRC, NUREG/CR-4261) and concluded that there are three keys to adequately model systems interaction dependencies in a PRA:

(1) The model must provide adequate detail about the systems. This detail is required to identify functional interactions that occur because support systems fail and is also necessary for examining spatial interactions.

(2) The model must utilize extensive plant-specific information. This information includes the location of safety-related equipment and its proximity to both redundant equipment and to items that could affect its safety function. Through the use of such plant-specific information, the spatial systems interactions could be identified. Plant-specific information is also needed for identifying functional interactions that can occur in support equipment such as cooling water and electric power systems.

(3) The models must consider off-normal (i.e., other than anticipated) modes of operation. A number of the systems interactions identified in an operating experience review (see Section 5.4) involved off-normal conditions during which equipment failed because the designer did not anticipate all conditions.

One of the greatest advantages of this type of plant modeling may be found in the process itself: by following patterns of investigation dictated by application of the techniques, the analyst takes a systematic look at plant design and operation. This can provide insights which are in addition to those gained in the traditional design-review process.
To provide a reasonably accurate estimate of the probabilities of accident sequences, a PRA must consider dependencies between the systems and initiating events in the sequence. In some cases this has been done through system failure probabilities (which are derived from failure data that include such things as support system failure) and in other cases explicit, detailed modeling has accounted for them.

In either case, the process must include the normal, recognized systems interaction (e.g., where Train A cooling water supports Train A high pressure injection through bearing cooling). To resolve issue A-17, a PRA would also have to address the adverse systems interactions. The problem (with respect to A-17) is that the dependencies of concern (referred to as adverse systems interactions) are sometimes so hidden or subtle that the analyst would not recognize them and, therefore, would not account for them either in the failure probabilities or through the modeling.

The staff has concluded that it is not necessary (or even logical) to perform a separate, full plant-scope study, such as a PRA, solely for the purpose of addressing adverse systems interactions. However, if for other reasons a PRA is performed, the A-17 program results provide the following guidance.

With respect to future PRAs, the staff concludes that numerous methods are available for identifying the adverse systems interactions, but it is more a question of the amount of effort (and therefore dollars) one can expend. Therefore, contrary to the expectation expressed in NUREG/CR-2815, "Probabilistic Safety Analysis Procedures Guide," the staff does not endorse one methodology. On the other hand, the staff reinforces the conclusions reached in NUREG/CR-2815 regarding functional dependencies and physical dependencies. Specifically, NUREG/CR-2815 concludes:

  (1) Functional Dependenc[i]es

  All functional dependenc[i]es should in principle be identified at the FMEA phase and/or included in a correctly drawn fault tree. A fault tree should contain in particular all the shared-hardware and direct process-coupling types of dependenc[i]es. Additional functional dependenc[i]es could be identified if the basic events in the fault trees are further decomposed to simpler events. The level of resolution in a fault tree depends on whether the analyst believes that a dependence could possibly exist at lower levels and on the relevant significance of such dependenc[i]es.

In this last regard, the A-17 program has highlighted a number of areas of concern which should be the focus of such resolution by the analyst (see Section 5.4).

  (2) Physical Dependenc[i]es

  A search of physical dependenc[i]es generally consists of generating minimal cutsets and examining whether the elements of these sets are susceptible to the same generic causative factor and in addition are connected by an "environmental" conductor that will allow such a dependence to be created by a single source. Computer-aided search procedures have been developed for this purpose and are described in Section 3.7.3.9 of the ANS/IEEE "PRA Procedures Guide" [NUREG/CR-2300].* In applying these techniques, the information generated during the FMEA and put in the form of a generic causative factors list is extremely useful. Special caution should be exercised if codes that generate minimal cutsets using cutoff probabilities are employed, in order to avoid missing important dependenc[i]es contained in the rejected cutsets.

  For certain physical dependenc[i]es the search within minimal cutsets can be combined with the PASNY** approach of identifying "targets" and "sources" for these interactions. If critical combinations of "targets" to be examined during "walkthroughs" are defined on the basis of the minimum cutsets, then the efficiency of the "walkthrough" procedure will improve substantially.

As concluded elsewhere (see Section 5.6 on spatial interactions), the staff believes that a focused walkthrough review could be beneficial to safety. If a specific plant PRA is available, the targets and sources could be identified on the basis of the minimal cutsets and the procedure could be improved substantially.
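The minimal-cutset search for physical dependencies and the cutoff caution quoted above, worked through in an added example that is not part of this report or of NUREG/CR-2815 (the fault tree, rooms, susceptibility lists, source frequencies and the 5e-6 cutoff are all constructed):

```python
# Added example (not from the report or NUREG/CR-2815): minimal cutsets of a
# small fault tree, a search for physical dependencies among cutset
# elements, and why a probability cutoff can hide such dependencies.
from itertools import product

# Constructed fault tree: loss of both high-pressure injection trains.
# A gate is ("AND", [children]) or ("OR", [children]); a basic event is a str.
# Each train fails if its pump, its cooling-water (CCW) support, or the
# shared power bus fails.
TREE = ("AND", [
    ("OR", ["PUMP_A", "CCW_A", "BUS_1"]),   # Train A unavailable
    ("OR", ["PUMP_B", "CCW_B", "BUS_1"]),   # Train B unavailable
])

# Constructed basic-event data: independent failure probability, room, and
# the generic causative factors the component is susceptible to (the FMEA
# "generic causative factors list" the guide refers to).
EVENTS = {
    "PUMP_A": {"p": 1e-3, "room": "R101", "susceptible": {"flood", "spray"}},
    "PUMP_B": {"p": 1e-3, "room": "R102", "susceptible": {"flood", "spray"}},
    "CCW_A":  {"p": 2e-3, "room": "R105", "susceptible": {"flood"}},
    "CCW_B":  {"p": 2e-3, "room": "R105", "susceptible": {"flood"}},
    "BUS_1":  {"p": 1e-5, "room": "R201", "susceptible": {"fire"}},
}

# Constructed sources: each delivers one causative factor to every
# component in the listed rooms (the "environmental conductor").
SOURCES = [
    {"name": "CCW header rupture", "factor": "flood", "rooms": {"R105"}, "freq": 1e-4},
]


def minimize(sets):
    """Keep only minimal cutsets: drop any set that contains another."""
    return {s for s in sets if not any(o < s for o in sets)}


def cutsets(node):
    """Minimal cutsets (frozensets of basic events) that fail `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cutsets(c) for c in children]
    if gate == "OR":                     # any child's cutset fails the gate
        return minimize(set().union(*child_sets))
    if gate == "AND":                    # one cutset from every child
        return minimize({frozenset().union(*combo)
                         for combo in product(*child_sets)})
    raise ValueError(f"unknown gate {gate!r}")


def independent_probability(cs):
    """P(cutset) assuming the basic events are independent: P_AB = P_A * P_B."""
    p = 1.0
    for e in cs:
        p *= EVENTS[e]["p"]
    return p


def truncate(mcs, cutoff):
    """What a cutset code with a probability cutoff would keep."""
    return {cs for cs in mcs if independent_probability(cs) >= cutoff}


def physical_dependencies(mcs):
    """Map each multi-element cutset to the sources that can fail all of its
    elements at once: every element shares a susceptibility to the source's
    factor and every element sits in a room the source reaches."""
    found = {}
    for cs in mcs:
        if len(cs) < 2:
            continue
        rooms = {EVENTS[e]["room"] for e in cs}
        common = set.intersection(*(EVENTS[e]["susceptible"] for e in cs))
        for src in SOURCES:
            if src["factor"] in common and rooms <= src["rooms"]:
                found.setdefault(cs, []).append(src["name"])
    return found


def dependent_probability(cs):
    """Rare-event approximation: independent term plus each source that fails
    the whole cutset together, so P_AB exceeds P_A * P_B."""
    p = independent_probability(cs)
    for name in physical_dependencies({cs}).get(cs, []):
        p += next(s["freq"] for s in SOURCES if s["name"] == name)
    return p


def missed_by_cutoff(cutoff):
    """Cutsets a cutoff would reject even though a physical dependency pushes
    their probability back above the cutoff."""
    mcs = cutsets(TREE)
    rejected = mcs - truncate(mcs, cutoff)
    return {cs for cs in rejected if dependent_probability(cs) >= cutoff}


if __name__ == "__main__":
    mcs = cutsets(TREE)
    print("minimal cutsets:", [sorted(cs) for cs in mcs])
    print("kept by cutoff 5e-6:", [sorted(cs) for cs in truncate(mcs, 5e-6)])
    for cs, srcs in physical_dependencies(mcs).items():
        print("physical dependency:", sorted(cs), "via", srcs,
              "P_indep=%.1e P_dep=%.1e" % (independent_probability(cs),
                                          dependent_probability(cs)))
    print("missed by cutoff:", [sorted(cs) for cs in missed_by_cutoff(5e-6)])
```

With the constructed numbers the two-element CCW cutset falls below the cutoff on independent probabilities alone but is the one cutset a single flood source can fail outright, so it is exactly the kind of rejected cutset the guide warns about.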
5.5.2 ASIs Identified From Review of PRA Results

The following ASIs were identified from a review of a number of PRAs (NRC memoranda, Dec. 3, 1984, and May 31, 1985) based on the description of the events as compared to the definitions in the A-17 Task Action Plan.
5.5.2.1 Support Systems

(1) Direct-current bus supplies actuation power to the turbine-driven emergency feedwater pump and to a diesel generator breaker. Therefore, a single dc bus failure (the breaker connecting the bus fails to close) disables two emergency feedwater pumps in the event of a loss of offsite power.

(2) Stripping vital loads from the safety buses on a safety injection signal (even though offsite power has not been lost) and then reloading them sequentially on the bus reduces the reliability of the safety function.

(3) Direct-current bus faults can cause a reactor trip initiating event with concomitant failure of multiple core and containment cooling system trains.

(4) Failures in the component cooling water (CCW) system have been identified as extremely important support system failures which have the potential of being an initiating event along with disabling mitigative systems required for that sequence. These aspects are discussed together in the next section, "Initiating Events."

(5) A pipe failure in an air supply system results in failure of all automatic depressurization system (ADS) valves.

* Prepared for NRC under auspices of ANS/IEEE.
** Power Authority of the State of New York, now called New York Power Authority (NYPA).
5.5.2.2 Initiating Events

(1) A CCW system pipe break causes loss of cooling to the reactor coolant pump seals and to the charging pumps which provide seal injection flow. Loss of seal cooling and injection flow may result in seal failure (i.e., small LOCA). Core melt may ensue because the high head safety injection pumps (ECCS) also fail when CCW system cooling is lost. Thus, a single initiating event (loss of CCW) may directly result in core melt.

(2) Loss of cooling to reactor pump seals for short periods of time (30-60 minutes) may result in seal failure even when the reactor coolant pumps have been tripped.

The above examples indicate that PRAs have indeed uncovered some adverse systems interactions. These examples of ASIs are in the areas of support systems and initiating events coupled with mitigating system failures. They tend to reinforce the areas highlighted by the review of operating experience.

5.6 Study of Seismic/Spatially Coupled Systems Interactions

As the review of operating events and the review of utility SI studies progressed, it became apparent that a very large number of spatial interactions were possible. To attempt to understand these phenomena, a separate effort was defined to review this area. The approach for the review of SI studies was to compare the results of the IP3 study and the Diablo Canyon study, and from this information to draw conclusions about the possible safety significance of the interactions postulated and the costs associated with conducting a more focused program.

The major portion of this work was performed by Mark Technologies under subcontract to ORNL. That report (NRC, NUREG/CR-4306) addresses four major aspects of the programs. These aspects are the targets, the scope of the postulated initiating events, the postulated source failures, and the resulting documentation.

5.6.1 Target Scope

The programs reviewed had broad target scopes. They considered most safety systems and one included refueling and fire protection components. The differences in scope in each of the programs appeared to have been based on plant-specific licensing and documentation considerations rather than on any cost/benefit or risk-based criteria. The target scope is the most important factor in the level of effort and cost for all of the programs reviewed.

5.6.2 Initiating Events

A review of the programs shows that greater risk significance is associated with those initiators capable of challenging the plant support functions.
.:c.. w : A A d, .y. M . .t o .n.. a, w _. a m. .L ... A . - . _ a a m r" a '. &b oa w - .6 l l l - ) ! The greatest risk-significant initiators for the reactor coolant pressure boundary include seismic events and fires. Auxiliary feedwater and other l frontline systems have significant risk only for plantwide events which are j capable of challenging multiple frontline functions simultaneously (e.g., i seismic, fire, flood, and possibly tornado winds). Tornado missiles, local internal missiles, and pipe failure (not seismically induced) do not pose ! significant plant risk outside the plant support systems.
- 5.6.3 Source Failures
All three programs have postulated large numbers of source failures for which limited historical data are available and even less quantitative evaluation has been performed. The program scopes of source failures included low-frequency initiating events such as high-energy line breaks, tornado missiles, plantwide floods, and low probability seismically initiated component failures such as failure and falling of piping, raceways, and HVAC equipment. In addition to the low-frequency initiating failures, the programs postulated interactions with safety components such as large mechanical equipment, piping, etc., which could be capable of surviving some impacts. Other areas of source failure appear to have been less extensively covered. These include, most notably, the effects of water spray on electrical equipment. The postulation and treatment of water as a source was inconsistent in the documentation of both the walkdown and the flooding study portions of the programs. Limiting the study to only the most credible source initiators and the resulting credible interactions can produce reductions in cost and optimize risk benefit.

5.6.4 Documentation

Documentation of the three programs on an individual source/target basis resulted in large expenditures of engineering and administrative time. Individual documents were generated, revised, edited, controlled, tracked, and sorted in the interests of ensuring traceability and unique identification of the thousands of potential, but in many cases clearly low probability, low-risk events. A streamlined and focused program could be developed with a level of documentation commensurate with the level of risk associated with the events being investigated.
5.6.5 Analysis of Spatially Coupled Systems Interactions
Each interaction is typically characterized by an initiating event or failure, a coupling or transmission of the failure effects, and a disabling of a target component, system, etc. Of particular note is the uncertain nature of each one of these characteristics. Unlike functionally coupled ASIs, where a failure usually directly propagates through the connected systems and causes other failures, in spatially coupled events failure propagates through less direct paths and, as a result, other failures are less certain.
On the basis of its review, Mark Technologies outlined a relative ranking of the targets based on the perceived risk significance of the target groupings. With respect to the targets, the support systems and controls were noted to be of greatest significance. The basis for this conclusion involves the fact that support systems and controls can potentially affect multiple frontline systems as well as possibly initiate a plant transient. In addition, controls (instrumentation, electrical devices, etc.) tend to be very sensitive to the type of spatial phenomena (e.g., seismic, flood, spray) which are of concern. These are followed in decreasing importance by the reactor coolant pressure boundary, the auxiliary feedwater (AFW) system and controls, and the other frontline systems.

With respect to the source or initiating event scope, the programs considered a number of initiators which included seismic events, flood, fire, missiles, pipe whip, and tornado, depending on the target system involved.

The report (NRC, NUREG/CR-4306) discusses a simplified search methodology which could be applied to these target groupings and initiating events and provides cost estimates for such searches.

5.6.6 Staff Conclusions
The staff generally agrees with the conclusions of NUREG/CR-4306.
The staff believes that for any future SI reviews, the target scope should be limited to the support systems and controls for the systems required for safe shutdown, the safe shutdown systems themselves, and the reactor coolant pressure boundary.
The staff does not believe that further review for spatially coupled interactions in the area of the ECCS is justified. These areas have received significant review effort in the past. The review of the ECCS has not focused on all of the areas listed as concerns, but the need for this equipment is predicated on the occurrence of a LOCA which has a relatively low frequency of occurrence. In addition, the reactor coolant pressure boundary (RCPB) would be evaluated as a target system (both as the RCPB itself and under controls such as relief valves) and, therefore, the potential for a seismically induced LOCA caused by a spatially coupled ASI should be low.
Furthermore, the staff believes that the initiating events to be considered should include only those related to seismic events and fluid-related failures such as flooding or spray from low- or moderate-energy piping. On the basis of other previous or ongoing activities, each of the other potential initiating events is believed to be adequately covered.

With respect to flooding, actions were taken at all plants as a result of the event at Quad Cities in 1972 (AEC letter, September 26, 1972). The actions taken should have addressed these areas of concern. (See also SRP Section 3.6.1 and Branch Technical Position (BTP) ASB 3-1.) However, there is some evidence that not all piping-flood interactions were evaluated. Specifically, both the Diablo Canyon and Indian Point studies, as well as some of the SEP reviews (e.g., NUREG-0824) under Topic III-5.B, "Pipe Break Outside Containment," highlighted some potential interactions.

The area of fire protection has received significant attention as the result of action taken in response to Appendix R of 10 CFR 50. The overall fire reviews include the type of considerations identified in the Mark Technologies report. Because of this, the staff is recommending taking no further action related to fire as a hazard. However, the fire suppression system itself may be a source for flood or spray.
Turbine missiles and tornados and tornado missiles have been the subject of a number of proposed generic issues, namely A-37 and A-38, respectively. These issues were prioritized "drop" and "low," respectively. In addition, the SEP group reviewed the area of internal missiles under Topic III-4.C and generally concluded that plants had adequate protection from internal missiles. On this basis, the staff is not recommending that these sources be pursued.

As a result of the above considerations and the spatially coupled ASIs uncovered by the operating experience review (see Section 5.4), the staff concludes that a focused search for certain spatially coupled systems interactions and appropriate corrective measures could provide a safety benefit for some operating plants. Because the present SRP to some extent addresses all of these areas, it is expected that licensees of newer plants would have to take relatively little action.
6 SUMMARY OF STAFF CONCLUSIONS

The resolution of any safety issue requires that the nature of the concern be clearly described. Concerns described as general subject areas, such as common cause, systems interactions, and dependent failure, can prove so broad that almost every conceivable safety issue could fall within the concern, and therefore the issue itself would prove unmanageable.

Therefore, to proceed with a resolution of the concerns expressed as "systems interactions," the NRC staff developed a set of definitions to attempt to give the safety concern narrower focus. As part of developing this definition, it was decided to take advantage of many ongoing efforts so that if some aspects that might be considered systems interactions were better addressed by other efforts, then the definitions would direct the A-17 effort away from those areas. As a result, a workable set of definitions was developed for the A-17 issue. Many other concerns were left to be addressed outside A-17. These definitions are crucial to the understanding of the issue and its resolution.
On the basis of the definitions, a number of tasks were defined. These tasks were structured to (1) make use of operating experience and other sources of actual or postulated events, (2) take maximum advantage of previous systems interaction studies, (3) evaluate the safety significance of systems interactions, and (4) evaluate the safety benefit and cost effectiveness of potential corrective measures.
Because systems interactions events are for the most part plant specific, the quantification of the potential safety significance was extremely difficult. Therefore, the safety benefit is based mostly on qualitative insights rather than quantitative analysis.
As a result of the investigation into adverse systems interactions the staff concluded the following:
(1) To address a subject area such as "systems interactions" in its broadest sense tends to be an unmanageable task incapable of resolution. Some bounds and limitations are crucial to proceeding toward a resolution. Considering this, the staff studying the A-17 issue utilized a set of working definitions to limit the issue. It is recognized that such an approach may leave some concerns unaddressed.

(2) The occurrence of an actual ASI or the existence of a potential ASI is very much a function of an individual plant's design and operational features (such as its detailed design and layout, allowed operating modes, procedures, and test and maintenance practices). Furthermore, the potential overall safety impact (such as loss of all cooling, loss of all electric power, or core melt) is similarly a function of those plant features that remain unaffected by the ASI. In other words, the results of an ASI depend on the availability of other independent equipment and the operator's response capabilities.

(3) Although each ASI (and its safety impact) is unique to an individual plant, there appear to be some characteristics common to a number of the ASIs.

(4) Methods are available (and some are under development) for searching out ASIs on a plant-specific basis. Studies conducted by utilities and national laboratories indicate that a full-scope plant search takes considerable time and money. Even then, there is not a high degree of assurance all, or even most, ASIs will be discovered.
(5) Functionally coupled ASIs have occurred at a number of plants, but improved operator information and training (instituted since the accident at Three Mile Island) should greatly aid in recovery actions during future events.
(6) Induced human-intervention-coupled interactions, as defined in A-17, are a subset of the broader class of functionally coupled systems interactions. As stated for functionally coupled SIs, improvements in both operator information and operator training will greatly improve recovery from such events.

(7) As a class, spatially coupled SIs may be the most significant because of the potential for the loss of equipment which is damaged beyond repair. However, in many cases, these ASIs are less likely to occur because of the lower probability of initiating failure (e.g., earthquake, pipe rupture) and the less-than-certain coupling mechanisms involved.

(8) Probabilistic risk assessments or other systematic plant-specific reviews can provide a framework for identifying and addressing ASIs.

(9) Because of the nature of ASIs (they are introduced into plants by design errors and/or by overlooking subtle or hidden dependencies), they will probably continue to happen. In their evaluations of operating experience, NRC and the nuclear power industry can provide an effective method for addressing ASIs.
(10) For existing plants, a properly focused systematic plant search for certain types of spatially coupled ASIs and functionally coupled ASIs (and correction of the deficiencies found) may improve safety.
(11) The area of electric power, particularly instrumentation and control power supplies, was highlighted as being vulnerable to relatively significant ASIs. Further investigation showed that this area remains the subject of a number of separate issues and studies. A concentrated effort to coordinate these activities and to include power supply interactions could prove an effective approach in this area.
(12) For future plants, additional guidance regarding ASIs could benefit safety.

(13) The concerns raised by the Advisory Committee on Reactor Safeguards (ACRS) on A-17, but which have not been addressed in the staff's study of A-17, should be considered as candidate generic issues, separate from USI A-17.

7 REFERENCES

Advisory Committee on Reactor Safeguards, letter dated November 8, 1974, to the Director of Regulation of the AEC, "Systems Analysis of Engineered Safety Systems."

--, letter dated June 17, 1977, to Chairman of the NRC, "Report on the Zion Station, Units 1 and 2."

--, letter dated October 12, 1979, to Executive Director of Operations of the NRC, "Systems Interactions Study for Indian Point Nuclear Generating Unit No. 3."
--, letter dated May 13, 1986, to Executive Director of Operations of the NRC, "ACRS Comments on Proposed Resolution of USI A-17, 'Systems Interactions in Nuclear Power Plants.'"

Atomic Energy Commission, letter dated September 26, 1972, from R. C. DeYoung to licensees, "Flooding Event at Quad Cities, Unit 1."

Atomic Industrial Forum, Inc., letter dated October 8, 1985, from M. R. Edelman to V. Stello, "Unresolved Safety Issue A-17 Systems Interactions."
Commonwealth Edison Company, "Zion Station Interaction Study," Docket 50-304, June 16, 1978.

Consumers Power Company, "Program Manual Spatial Systems Interaction Program/Seismic Midland Energy Center," Revision 1, June 6, 1983.

Electric Power Research Institute, "Systems Interaction Identification Procedures," EPRI NP-3844, Vols. 1-5, July 1985.

--, EPRI NP-5613, see NUREG/CR-4780.

Lawrence Livermore National Laboratory/Analytic Information Processing, Inc., "Preliminary Systems Interaction Results From the Digraph Matrix Analysis of the Watts Bar Nuclear Power Plant Safety Injection Systems," UCID-19707, June 1983.

Oak Ridge National Laboratory, ORNL Letter Report, "Summary and Assessment of EPRI Report NP-3834 on 'Systems Interaction Identification Procedures'," February 10, 1986.

Office of Inspection and Enforcement, NRC, Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power Systems Bus During Operation," November 30, 1979.

Pacific Gas and Electric Company, "Diablo Canyon Seismically Induced Systems Interaction Program," Dockets 50-275 and 50-323, May 7, 1984.
Power Authority of the State of New York, "Systems Interaction Study, Indian Point 3," Docket 50-286, November 30, 1983.

--, LER 84-010-000, Docket 50-286, July 16, 1984.

U.S. Nuclear Regulatory Commission, Memorandum dated September 18, 1984, from R. Kendall to D. Thatcher, "Comments on ORNL Draft NUREG/CR-3922."

--, Memorandum dated December 3, 1984, from H. R. Denton to Division Directors, "Insights Gained From Probabilistic Risk Assessments."
--, Memorandum dated March 20, 1985, from A. Thadani to K. Kniel, "RRAB Inputs to the USI A-17 Program."
--, Memorandum dated May 31, 1985, from A. Thadani to K. Kniel, "RRAB Input to USI A-17 Resolution."
--, NUREG-75/014, "Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," October 1975.
--, NUREG-0471, "Generic Task Problem Descriptions (Categories B, C, and D)," June 1978.

--, NUREG-0572, "Review of Licensee Event Reports (1976-1978)," September 1979.

--, NUREG-0649, "Task Action Plans for Unresolved Safety Issues Related to Nuclear Power Plants," September 1984.

--, NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident," May 1980.

--, NUREG-0737, Supplement 1, "Clarification of TMI Action Plan Requirements: Requirements for Emergency Response Capability," January 1983.
--, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," July 1981.
--, NUREG-0824, "Integrated Plant Safety Assessment Systematic Evaluation Program--Millstone Nuclear Power Station, Unit 1," February 1983.
--, NUREG-0933, "A Prioritization of Generic Safety Issues," revised frequently.

--, NUREG-0985, "Human Factors Program Plan," August 1983; Rev. 1, September 1984.

--, NUREG-1000, "Generic Implications of ATWS Events at the Salem Nuclear Power Plant," April 1983.

--, NUREG-1050, "Probabilistic Risk Assessment (PRA) Reference Document," Final Report, September 1984.

--, NUREG-1070, "NRC Policy on Future Reactor Designs," July 1985.

--, NUREG-1229, "Regulatory Analysis for Proposed Resolution of USI A-17," to be published.
--, NUREG/CR-1321, "Final Report - Phase I, Systems Interaction Methodology Applications Program," Sandia National Laboratories (SAND 80-0884), April 1980.

--, NUREG/CR-1859, "Systems Interactions: State-of-the-Art Review and Methods Evaluation," Lawrence Livermore National Laboratory, January 1981.

--, NUREG/CR-1896, "Review of Systems Interaction Methodologies," Battelle Memorial Institute, January 1981.

--, NUREG/CR-1901, "Review and Evaluation of Systems Interactions Methods," Brookhaven National Laboratory, January 1981.

--, NUREG/CR-2300, "PRA Procedures Guide," Vols. 1 and 2, January 1983.

--, NUREG/CR-2815, "Probabilistic Safety Analysis Procedures Guide," Brookhaven National Laboratory, January 1984.

--, NUREG/CR-2915, "Initial Guidance on Digraph Matrix Analysis for Systems Interaction Studies," Lawrence Livermore National Laboratory (UCID-19457), March 1983.
--, NUREG/CR-3593, "Systems Interaction Results From the Digraph Matrix Analysis of a Nuclear Power Plant's High Pressure Safety Injection Systems," Analytic Information Processing and Lawrence Livermore National Laboratory, July 1984.
--, NUREG/CR-3852, "Insight Into PRA Methodologies," August 1984.
--, NUREG/CR-3922, "Survey and Evaluation of Systems Interaction Events and Sources," Oak Ridge National Laboratory, January 1985.
--, NUREG/CR-4179, "Digraph Matrix Analysis for Systems Interactions at Indian Point Unit 3, Abridged Version," Vol. 1, January 1986, Vols. 2-6 will be available in the NRC Public Document Room, 1717 H Street, N.W., Washington, D.C., Lawrence Livermore National Laboratory.

--, NUREG/CR-4207, "Fault Tree Application to the Study of Systems Interactions at Indian Point 3," Brookhaven National Laboratory, April 1985.
--, NUREG/CR-4261, "Assessment of System Interaction Experience in Nuclear Power Plants," Oak Ridge National Laboratory, June 1986.
--, NUREG/CR-4306, "Review and Evaluation of Spatial System Interaction Programs," Oak Ridge National Laboratory, December 1986.
--, NUREG/CR-4470, "Survey and Evaluation of Vital Instrumentation and Control Power Supply Events," August 1986.
--, NUREG/CR-4780, "Procedures for Treating Common Cause Failures in Safety and Reliability Studies: Procedural Framework and Examples," January 1988.

--, SECY-84-133, "Results of SEP," Enclosure 4, "SEP Phase II Safety Lessons Learned," March 23, 1984.
Document Name: ENCLOSURE 6 - EVAL AND VERIF
Requestor's ID: WHITE
Author's Name: dthatcher
Document Comments: evaluation and verification of GL responses
Enclosure 6

VERIFICATION OF LICENSEE ACTIONS IN RESPONSE TO GENERIC LETTER
In some cases, verification of a plant's analysis may be determined to be necessary. In such cases, a temporary instruction could be prepared at that time to focus on the specific areas of concern. It is also possible that aspects of the routine inspection process could be used to cover the areas of concern.
The inspections would include items such as the following:

(1) deficiencies identified
(2) modifications identified
(3) justification for continued operation

Plant areas expected to be included for inspection would be drains, curbs, drip shields, flood doors, seals, alarms and administrative controls. Also included would be lessons learned from more recent operating experience, such as that (1) outlined in Information Notices or (2) involving the plant's own flooding occurrence(s).
The total effort to be expended on verification inspections should not exceed the equivalent of 2 person years.
}}