NRC Generic Letter 1989-18

NRC Generic Letter 1989-018: Resolution of Unresolved Safety Issue A-17, Systems Interactions in Nuclear Power Plants.
ML031200736
Person / Time
Site: Beaver Valley, Millstone, Hatch, Monticello, Calvert Cliffs, Dresden, Davis Besse, Peach Bottom, Browns Ferry, Salem, Oconee, Mcguire, Nine Mile Point, Palisades, Palo Verde, Perry, Indian Point, Fermi, Kewaunee, Catawba, Harris, Wolf Creek, Saint Lucie, Point Beach, Oyster Creek, Watts Bar, Hope Creek, Grand Gulf, Cooper, Sequoyah, Byron, Pilgrim, Arkansas Nuclear, Three Mile Island, Braidwood, Susquehanna, Summer, Prairie Island, Columbia, Seabrook, Brunswick, Surry, Limerick, North Anna, Turkey Point, River Bend, Vermont Yankee, Crystal River, Haddam Neck, Ginna, Diablo Canyon, Callaway, Vogtle, Waterford, Duane Arnold, Farley, Robinson, Clinton, South Texas, San Onofre, Cook, Comanche Peak, Yankee Rowe, Maine Yankee, Quad Cities, Humboldt Bay, La Crosse, Big Rock Point, Rancho Seco, Zion, Midland, Bellefonte, Fort Calhoun, FitzPatrick, McGuire, LaSalle, 05000000, 05000371, Zimmer, Fort Saint Vrain, Washington Public Power Supply System, Shoreham, Satsop, Trojan, Atlantic Nuclear Power Plant, Clinch River
Issue date: 09/06/1989
From: Partlow J G
Office of Nuclear Reactor Regulation
To:
References
USI A-17 GL-89-018, NUDOCS 8909070029


September 6, 1989

TO: ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR NUCLEAR POWER PLANTS

SUBJECT: RESOLUTION OF UNRESOLVED SAFETY ISSUE A-17, "SYSTEMS INTERACTIONS IN NUCLEAR POWER PLANTS" (GENERIC LETTER 89-18)

This generic letter informs licensees and applicants of the final resolution of USI A-17, "Systems Interactions in Nuclear Power Plants." There are two enclosures which are provided for information.

Enclosure 1 outlines the bases for resolution of USI A-17.

Enclosure 2 provides a grouping of five general lessons learned from the review of the overall systems interaction issue. The review of this information will give licensees additional appreciation of the kinds of adverse systems interaction which have appeared in operating experience and can aid them in continuing evaluation of operating experience.

No specific action or written response is required by this letter. If you have any question about this matter, please contact the technical contact listed below or the Regional Administrator at the appropriate regional office.

Sincerely,

ORIGINAL SIGNED BY JAMES PARTLOW

James G. Partlow
Associate Director for Projects
Office of Nuclear Reactor Regulation

Technical Contacts:
D. Thatcher, RES
(301) 492-3935

Enclosures:

1. Bases for Resolution of Unresolved Safety Issue A-17
2. Summary Information Relevant to Operating Experience Evaluations
3. List of Recently Issued NRC Generic Letters

DISTRIBUTION: Central Files, NRC PDR, Branch Rdg File, MBoyle, D. Thatcher

(F. Gillespie concurred in the A-17 resolution (including ltr. Murley fm Beckjord dtd. 08/ 8/89) prior to CRGR review.)

Enclosure 1

BASES FOR RESOLUTION OF UNRESOLVED SAFETY ISSUE A-17

Introduction

The U.S. Nuclear Regulatory Commission (NRC) has concluded its resolution of Unresolved Safety Issue (USI) A-17, "Systems Interactions in Nuclear Power Plants." This document provides a summary of that resolution. More detailed background information is provided in References 1 and 2.

Adverse systems interactions (ASIs) involve subtle and often very complicated plant-specific dependencies between components and systems, possibly compounded by inducing erroneous human intervention. The staff has identified actions to be taken by the NRC to resolve USI A-17, and has made the judgment that these actions, together with other ongoing activities, should reduce the risk from adverse systems interactions.

The staff's judgment is not based on the assertion that all adverse systems interactions have been identified, but rather that the A-17 actions plus other activities by the licensees and staff, as discussed further below, give reasonable assurance that the more risk-significant interactions will be recognized and appropriate action taken.

Resolution

(1) Ongoing Actions by Licensees

(a) Water Intrusion and Flooding From Internal Sources

As part of the resolution of USI A-17, the staff has identified that water intrusion and flooding of equipment from internal plant sources may result in a risk-significant adverse systems interaction. Such events could cause a transient and could also disable the equipment needed to mitigate the consequences of the event.
The appendix to NUREG-1174 (Reference 1) provides insights regarding plant vulnerabilities to flooding and water intrusion from internal plant sources. It is expected that these insights will be considered in implementing Generic Letter 88-20 [Individual Plant Examinations (IPE)] which includes an assessment of internal flooding.

(b) Review of Events at Nuclear Power Plants

Licensees are expected to continue to review information on events at operating nuclear power plants in accordance with the requirements of Item I.C.5 of NUREG-0737. Such information is disseminated by the NRC in the form of information notices, bulletins, and other reports; by individual licensees in the form of licensee event reports; and by industry groups such as the Institute of Nuclear Power Operations (INPO).

The NRC has an aggressive program of reviewing events at nuclear power plants. Each licensee is required to notify the NRC staff rapidly by telephone of any event that meets or exceeds the threshold defined in 10 CFR 50.72 and to file a written licensee event report for those events that meet or exceed the threshold defined in 10 CFR 50.73. Also, the NRC regional offices report events of significance every day. This information is reviewed daily by members of the NRC staff and followup efforts are assigned for events that appear to be potentially risk significant and/or are judged to be a possible precursor to a more severe event. A weekly meeting is held to brief NRC management on those events of significance. This ongoing process provides a great deal of assurance that any potentially significant event is brought to the attention of the appropriate NRC staff and management. Depending on the significance, further action may be taken to notify licensees or to impose additional requirements. The total process offers a high degree of assurance that precursors to potentially significant events, including those involving adverse systems interactions, are treated expeditiously. Attachment 2 summarizes the A-17 information relevant to these ongoing operating experience evaluations.

(2) Actions by the NRC Related to Adverse Systems Interactions

(a) Integration of Specific, Ongoing, Generic Issues Related to A-17

The NRC is considering certain aspects of potential interactions as part of the resolution of identified generic issues.

* USI A-46, Seismic Qualification of Equipment

Actions to resolve this issue have been sent to the licensees. The NRC and industry are working on detailed procedures that will be used to implement the requirements on a plant-specific basis. These implementation procedures will include walkdowns of individual plants to ensure that the systems needed to shut down the plant and maintain it in a safe condition for 72 hours can withstand a design-basis seismic event.
The scope includes not only the systems needed to control reactivity and remove decay heat, but also the supporting power supplies, controls, instrumentation, and environmental control subsystems needed by those systems. The plant walkdown reviews include seismic systems interactions.

* Generic Issue 128, "Electric Power Reliability"

The USI A-17 review of operating experience reemphasized the potential interactions stemming from the electric power system and, in particular, instrumentation and control (I&C) power supply failures. I&C power loss can cause significant transients and can simultaneously affect the operator's ability to proceed with recovery by disabling portions of the indications and the equipment needed for recovery. The events that have occurred were mostly limited to a single electrical division and therefore not strictly adverse systems interactions by the definition in the USI A-17 program. In addition, actions have already been taken by licensees to improve the operator's ability to cope with such events. As a separate activity, a number of generic issues involving electrical power supplies were integrated into one generic issue. This issue became GI 128, "Electric Power Reliability," and consists of the following specific electric issues:

- GI-48, "LCO for Class 1E Vital Instrument Buses in Operating Plants"
- GI-49, "Interlocks and LCOs for Redundant Class 1E Tie Breakers"
- GI-A-30, "Adequacy of Safety Related DC Power Supplies"

It was concluded that the additional information developed on USI A-17 (NUREG/CR-4470) should be used as an input to the GI-128 program. Therefore, that information was communicated to GI-128 for possible action.

(b) Define and Prioritize Other Issues

The Advisory Committee for Reactor Safeguards (ACRS) and other groups have identified concerns in the context of systems interactions. In many cases, the concerns are not considered to be within the scope of systems interactions as defined in the USI A-17 Task Action Plan.
In some cases, these concerns have not been described specifically enough to permit the risk to be estimated. The NRC has undertaken a program [referred to as the Multiple System Responses Program (MSRP)] with Oak Ridge National Laboratory (ORNL) to define these concerns in sufficient detail so that they may be prioritized in accordance with NRC procedures.

Examples of concerns involve potential coupling of postulated plant events such as seismically induced fires and seismically induced flooding, and the attendant potential for multiple, simultaneous, adverse systems responses. These concerns are beyond the defined scope of USI A-17. If the definition, priority determination, and peer review processes identify one or more issues as having high or medium priority, the issue(s) will be assigned to the appropriate organization for resolution.

(c) Probabilistic Risk Analyses or Other Systematic Plant Reviews

* Existing Plants

The Commission's Severe Accident Policy, 50 FR 32128 (August 8, 1985), calls for all existing plants to perform a plant-specific search for vulnerabilities. Such searches, referred to as individual plant examinations (IPEs), involve a systematic plant review (which could be a PRA-type analysis). NRC is issuing guidance for performing such reviews. One subject area to be treated by the IPEs is common-cause failures (or dependent failures). USI A-17 recognizes that ASIs are a subset of this broader subject area and, therefore, is providing for the dissemination of the insights gained in the A-17 program for use in the IPE work.

* Future Plants

The Commission's regulations (10 CFR 50.52) require all future plants to perform a probabilistic risk assessment (PRA). NRC is issuing guidance on the content of PRA submittals for future light-water reactors (LWRs).
As part of that guidance, A-17 is providing the insights gained in the A-17 program for the treatment of plant dependencies.

(d) Additional Considerations for Future Plants

The above actions acknowledge the fact that future plants will perform probabilistic risk assessments, and that such studies can uncover ASIs. The staff also recognizes that the continual review of operating experience will identify systems interactions, some of which may be ASIs. Further prioritization of issues defined by the MSRP may result in additional generic issues whose resolution may lead to requirements applicable to future plants.

Therefore, future plants should keep current on lessons learned from operating experience and continue to monitor the ongoing NRC process of developing, prioritizing, and resolving generic issues.

In addition, the staff plans to develop a standard review plan (SRP) for future plants. The SRP would include specific guidance regarding protection from internal flooding and water intrusion events.

Staff Findings

On the basis of the technical findings reported in NUREG-1174 and the regulatory analysis reported in NUREG-1229 the staff has concluded that these actions can further reduce the risk from ASIs. The staff does not recommend further broad searches for ASIs because such searches have not proved to be cost-effective, and in any case, there is no guarantee after such a study is performed that all ASIs have been uncovered. Although these actions complete the staff's work under the Task Action Plan for USI A-17, and constitute technical resolution of the issue as defined therein, the potential for systems interactions remains an important consideration in the design and operation of nuclear power plants.

References:

1. U.S. Nuclear Regulatory Commission, NUREG-1174, "Evaluation of Systems Interactions in Nuclear Power Plants."
2. ---, NUREG-1229, "Regulatory Analysis for Resolution of USI A-17."

Enclosure 2

SUMMARY INFORMATION RELEVANT TO OPERATING EXPERIENCE EVALUATIONS

I. SUMMARY OF USI A-17 FINDINGS

The U.S. Nuclear Regulatory Commission (NRC) has concluded its technical resolution of Unresolved Safety Issue (USI) A-17, "Systems Interactions in Nuclear Power Plants." This summary presents a portion of the results of that technical resolution for use in operating experience evaluations. More detailed background information is provided in References 1 and 2.

Because of the complex, interdependent network of systems, structures, and components that constitute a nuclear power plant, the scenario of almost any significant event can be characterized as a "systems interaction." As a result, the staff recognized that if the term "systems interaction" was to be interpreted in a very broad sense, it became an unmanageable safety issue. Focusing was required to address perceived safety concerns. It is recognized that by the very nature of such a focusing effort, all concerns that one may characterize as systems interactions may not be addressed. It is, therefore, extremely important that the scope and boundary of the focused program be clearly defined and understood. Then, if other concerns still exist after completion of the program, they can be addressed as part of separate efforts as deemed necessary.

The information presented in this attachment is based on the following definitions:

(1) Systems Interaction

Actions or inactions (not necessarily failures) of various systems (subsystems, divisions, trains), components, or structures resulting from a single credible failure within one system, component, or structure and propagation to other systems, components, or structures by inconspicuous or unanticipated interdependencies.
The major difference between this type of event and a classic single-failure event is in those aspects of the initiating failure and/or its propagation that are not obvious (i.e., that are hidden or unanticipated).

(2) Adverse Systems Interaction (ASI)

A systems interaction that produces an undesirable result.

(3) Undesirable Result (Produced by Systems Interaction)

This was defined by a list of the types of events that were to be considered in USI A-17:

(a) Degradation of redundant portions of a safety system, including consideration of all auxiliary support functions. Redundant portions are those considered to be independent in the design and accident analysis (Chapter 15) of the Final Safety Analysis Report (FSAR) of the plant. (Note: This would violate the single-failure criterion.)

(b) Degradation of a safety system by a non-safety system. (Note: This result would demonstrate a breakdown in presumed "isolation.")

(c) Initiation of an "accident" (e.g., LOCA, MSLB) and (i) the degradation of at least one redundant portion of any one of the safety systems required to mitigate the event (Chapter 15, FSAR analyses); or (ii) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect actions. (Note: This includes failure to perform correct actions because of incorrect information.)

(d) Initiation of a "transient" (including reactor trip) and (i) the degradation of at least one redundant portion of any one of the safety systems required to mitigate the event (Chapter 15, FSAR analyses); or (ii) degradation of critical operator information sufficient to cause the operator to perform unanalyzed, unassumed, or incorrect actions.
(Note: This includes failure to perform correct actions because of incorrect information.)

(e) Initiation of an event that requires plant operators to act in areas outside the control room (perhaps because the control room is being evacuated or the plant is being shut down) and disruption of the access to these areas (for example, by disruption of the security system or isolation of an area when fire doors are closed or when a suppression system is actuated).

The intersystem dependencies (or systems interactions) have been divided into three classes based on the way they propagate:

(1) Functionally Coupled:

Those SIs that result from sharing of common systems/components; or physical connections between systems, including electrical, hydraulic, pneumatic, or mechanical.

(2) Spatially Coupled:

Those SIs that result from sharing or proximity of structures/locations, equipment, or components or by spatial inter-ties such as HVAC and drain systems.

(3) Induced Human-Intervention Coupled:

Those SIs in which a plant malfunction (such as failed indication) inappropriately induces an operator action, or a malfunction inhibits an operator's ability to respond. As analyzed in the A-17 program, these SIs are considered another example of functionally coupled ASIs. (Induced human-intervention-coupled systems interactions exclude random human errors and acts of sabotage.)

As a result of the staff's studies of adverse systems interactions (ASIs) undertaken as part of A-17 and reported in Reference 1, the staff has concluded the following:

(1) To address a subject area such as "systems interactions" in its broadest sense tends to be an unmanageable task incapable of resolution. Some bounds and limitations are crucial to proceeding toward a resolution. Considering this, the A-17 program utilized a set of working definitions to limit the issue.
It is recognized that such an approach may leave some concerns unaddressed.

(2) The occurrence of an actual ASI or the existence of a potential ASI is very much a function of an individual plant's design and operational features (such as its detailed design and layout, allowed operating modes, procedures, and tests and maintenance practices). Furthermore, the potential overall safety impact (such as loss of all cooling, loss of all electric power, or core melt) is similarly a function of those plant features that remain unaffected by the ASI. In other words, the results of an ASI depend on the availability of other independent equipment and the operator's response capabilities.

(3) Although each ASI (and its safety impact) is unique to an individual plant, there appear to be some characteristics common to a number of the ASIs.

(4) Methods are available (and some are under development) for searching out SIs on a plant-specific basis. Studies conducted by utilities and national laboratories indicate that a full-scope plant search takes considerable time and money. Even then, there is not a high degree of assurance all, or even most, ASIs will be discovered.

(5) Functionally coupled ASIs have occurred at a number of plants, but improved operator information and training (instituted since the accident at Three Mile Island) should greatly aid in recovery actions during future events.

(6) Induced human-intervention-coupled interactions as defined in A-17 are a subset of the broader class of functionally coupled SIs.
As stated for functionally coupled SIs, improvements in both operator information and operator training will greatly improve recovery from such events.

(7) As a class, spatially coupled SIs may be the most significant because of the potential for the loss of equipment which is damaged beyond repair. In many cases, these ASIs are less likely to occur because of the lower probability of initiating failure (e.g., earthquake, pipe rupture) and the less-than-certain coupling mechanisms involved. However, past operating experience highlighted a number of flooding and water intrusion events and more recent operating experience indicates that these types of events are continuing to occur.

(8) Probabilistic risk assessments or other systematic plant-specific reviews can provide a framework for identifying and addressing ASIs.

(9) Because of the nature of ASIs (they are introduced into plants by design errors and/or by overlooking subtle or hidden dependencies), they will probably continue to happen. In their evaluations of operating experience, NRC and the nuclear power industry can provide an effective method for addressing ASIs.

(10) For existing plants, a properly focused, systematic plant search for certain types of spatially coupled ASIs and functionally coupled ASIs (and correction of the deficiencies found) should improve safety.

(11) The area of electric power, and particularly instrumentation and control power supplies, was highlighted as being vulnerable to relatively significant ASIs. Further investigation showed that this area remains the subject of a number of separate issues and studies.
A concentrated effort to coordinate these activities and to include power supply interactions should prove an effective approach in this area.

(12) For future plants, additional guidance regarding ASIs could benefit safety.

(13) The concerns raised by the Advisory Committee on Reactor Safeguards (ACRS), on A-17, but which have not been addressed in the Staff's study of A-17, should be considered as candidate generic issues, separate from USI A-17.

It should be noted that the staff has concluded that adverse systems interactions (ASIs) involve subtle, and often very complicated, dependencies. Therefore, total elimination of ASIs is unachievable. For these reasons, the staff is not recommending that each plant undertake a large, comprehensive study to uncover ASIs. Instead, the staff is recommending other, more cost-effective actions for reducing the frequency and impact of ASIs. Although these actions complete the staff's work under the task action plan for USI A-17, and constitute technical resolution of the issue as defined therein, the potential for ASIs remains an important consideration in the design and operation of nuclear power plants. The staff has, therefore, acknowledged the continuing importance of ongoing activities such as probabilistic risk assessments or other systematic plant evaluations and the continuing review and evaluation of the industry's operating experience.

The regulatory analysis (Reference 2) considered a number of alternatives for resolution, and based on that analysis, the staff has concluded that certain actions should be taken by NRC to resolve USI A-17.
These actions are:

(1) Send a generic letter to all plants outlining the resolution of USI A-17 and providing information developed during the resolution of A-17.

(2) Consider the insights developed in the resolution of USI A-17 for flooding and water intrusion from internal sources in the Individual Plant Examinations (IPE).

(3) Consider systems interactions involving the electrical power systems in the integrated program on electrical power reliability.

(4) Provide information for use in future PRAs.

(5) Provide a framework for addressing those other concerns related to systems interactions which are not covered by the USI A-17 program.

(6) Acknowledge that the resolution of USI A-46 addresses aspects of systems interaction.

(7) Develop a standard review plan for future plants to address protection from internal flooding and water intrusion.

The following discussion addresses the first action. The second action is addressed in the IPE guidance documents. The remaining five actions involve staff actions.

II. INFORMATION RELEVANT TO OPERATING EXPERIENCE EVALUATIONS

A. Background

The adverse systems interactions (ASIs) sorted from the survey of experience appeared to be due to two general causes. Some of the ASIs resulted from obvious errors or failures to meet clearly specified design requirements and/or guidance. Others arose from more subtle causes such as the lack of sufficient consideration, or analysis, of all the significant failure mechanisms or modes and the associated event combinations and/or sequences. In the case of older plants, the causes often are related to the fact that less design guidance and associated analyses were available and/or required when the plants were licensed.

Although no specific licensee actions are required, the staff concluded that it should communicate to industry certain highlighted concerns identified in the A-17 studies. The insights gained from this information should be beneficial to industry in their ongoing evaluations of operating experience.

B. Highlighted Concerns

As part of the effort to provide a more focused approach for the resolution of A-17, a set of tasks was defined to accomplish a search of operating experience to accumulate a data bank on the types of common-cause events of concern. The major portion of this work was performed by the Oak Ridge National Laboratory (ORNL), and a summary of ORNL's findings is included in Reference 3.

The search emphasized events included in the LER (licensee event report) files and involved a screening of those events based on the task action plan definition. On the basis of the characteristics or attributes of the systems interaction events, a group of general categories of SI events was developed. The results of the ORNL experience review indicate 23 general categories of events (see Table 1) which have involved systems interactions.*

*More details on the highlighted concerns and other ASIs are provided in References 1, 3, and 4, and those documents should be consulted for additional information.

Table 1 Event categories involving systems interactions

Category No.   Title                                                                                           No. of events
1              Adverse interactions between normal or offsite power systems and emergency power systems        34
2              Degradation of safety-related systems by vapor or gas intrusion                                 15
3              Degradation of safety-related components by fire protection systems                             10
4              Plant drain systems allow flooding of safety-related equipment                                  8
5              Loss of charging pumps due to volume control tank level instrumentation failures                6
6              Inadvertent ECCS/RHR pump suction transfer                                                      4
7              HPSI/charging pumps overheat on low flow during safety injection                                6
8              Level instrumentation degraded by HELB conditions                                               21
9              Loss of containment integrity from LOCA conditions                                              10
10             HELB conditions degrading control systems                                                       3
11             Auxiliary feedwater pump runout under steamline break conditions                                2
12             Waterhammer events                                                                              4
13             Common support systems or cross-connects                                                        18
14             Instrument power failures affecting safety systems                                              5
15             Inadequate cable separation                                                                     8
16             Safety-related cables unprotected from missiles generated from HVAC fans                        3
17             Suppression pool swell                                                                          3
18             Scram discharge volume degradation                                                              2
19             Induced human interactions                                                                      4
20             Functional dependencies from failures during seismic events                                     5
21             Spatial dependencies from failures during seismic events                                        13
22             Other functional dependencies                                                                   21
23             Other spatial dependencies                                                                      30

Review of these 23 general categories led to the identification of five areas of highlighted concerns. These are discussed below:

Electric Power System

The electric power system includes the offsite sources, the switchyard, the power distribution buses and breakers, onsite generating equipment, and the control power and logic to operate the breakers and start and load the diesel generators. Some of the lower voltage (typically 120-V ac and 125-V dc) power supply portion of the system is also dealt with under the "Instrumentation and Control Power Supplies" heading below.

As outlined in References 3 and 4, concerns were highlighted in the area of electric power systems in Categories 1 and 13 (Table 1).
Three important factors appear to contribute to the possible significance of this area:

(1) It is one of the most (if not the most) extensive support systems in a plant. Power is supplied from various sources including the offsite network, the main plant turbine-generator and, in certain situations, the safety-related diesel generators. Power is then distributed to various items of equipment for normal plant control which is not related to safety, various engineered safety feature equipment which is safety related, and various items of equipment for shutdown and decay heat removal.

(2) Given these system demands, the power system is therefore an inherently complex system. A large number of normal operating modes at the plant, as well as transient and accident situations, must be accommodated. Interfaces are created between redundant safety-related equipment. In addition, the power system itself relies on a number of other support systems such as HVAC and cooling water.

(3) Because of individual plant requirements and situations (a number of significant events occur when the system is in any abnormal temporary alignment), each power system tends to have some unique aspects. Very few specific ASIs can be stated to be generically applicable; however, the staff believes that general classes of electric power events can be potentially generic.

ORNL (References 3 and 4) categorized the electric power system concerns into four areas:

* load sequencing/load shedding
* diesel generator failures caused by specific operating modes
* breaker failures due to loss of dc power
* failures that propagate between the safety-related portion and the non-safety-related portion of the power systems

With respect to these four areas of concern, the staff noted that although regulatory practice has allowed non-safety-related equipment to be powered from safety-related buses, this practice has created the potential for a number of undesirable interactions.
In such situations, the isolation devices protect the safety-related equipment. These isolation devices have been the subject of much concern, both in the main power supply area (such as breakers that open on fault current or "accident" signals) and in the instrumentation and control power supply area (such as isolation transformers and other devices). In some cases, the "isolation" devices do not isolate the full range of undesirable events. In addition, the A-17 investigation has focused on another concern. Specifically, some ASIs involve scenarios in which a non-safety-related load is supplied by a safety-related bus and is adequately isolated. The non-safety load is part of the normal plant operation and/or control. A failure in the safety-related portion can propagate and create a situation in which a plant transient occurs as a result of non-safety loads supplied by the safety-related bus and, simultaneously, significant safety-related equipment is unavailable because of the same failure.

The most significant events of this type appear to be those that involve the instrumentation and control power systems. As stated below in the discussion of these specific power supplies, the staff believes that current activities in the area of instrumentation and control power supplies should be integrated and should address this type of concern specifically. Accordingly, the staff has initiated an integrated program to review these issues.

Plant Support Systems

Although relatively few events of note were identified from the operating experience (Categories 13, 14, 18, and 22 of Table 1 and References 3 and 4), PRAs have consistently shown the potential importance of support systems. (Note: The electric power system, also a support system, was dealt with separately above.)
This category includes other support systems such as component cooling water; service water; heating, ventilating, and air conditioning; lube oil; and compressed air.

As is the case for the electric power system, these support systems are often extensive and may be unique. These support systems can affect multiple frontline safety systems and can often affect systems not related to safety. As a result, failures in support systems can potentially initiate a transient and also can degrade other systems, some of which may have been designed to mitigate that very same event.

The support systems of concern often have interconnections between redundant divisions for operational flexibility or they may have interconnections to non-safety-related equipment. In some cases, single failures such as headers, drain lines, and vents are designed into the systems because the probability of a passive failure in conjunction with the need for the system is assumed to be low.

If the support system failure and the initiation of an event are coupled, a risk-significant situation could result from the failure of the support system (depending on other plant mitigating features).

Less attention may have been paid to the design and review of plant support systems than was paid to some of the frontline systems such as the ECCS. The safety significance of event initiation coupled with limiting the capability for mitigation may not have been recognized.

Incorrect Reliance on Failsafe Design Principles

Protection systems at nuclear power plants rely on the design principle of "failsafe" to varying degrees. There have been instances (see Category 18 in Table 1 and References 3 and 4) in which some failure modes were insufficiently analyzed because someone relied too much on the concept of failsafe.

The events to date have involved the scram system and its related support functions such as the air system and electric power system.
Specifically, it was discovered that water could be in the scram discharge volume (SDV) of a BWR as a result of poor drainage or an air supply failure. Water in the SDV would inhibit the insertion of control rods. The failure involving the air system was of particular concern because it involved a system that had been considered a portion of the reactor protection system not related to safety. Action was taken at all boiling-water reactors to correct this problem.

This type of ASI may have resulted from the use of a design approach that actually requires a number of non-safety-related features to function and, therefore, does not truly rely on failsafe principles. In the case of the air system, the system was assumed to fail safe, i.e., bleed off, and, as a result, a partial failure went unanalyzed. It was also noted that the electric supply system to this scram system had been modified previously because of a similar type of concern. Specifically, the electric power was originally assumed to fail safe (i.e., voltage going to zero) and, as a result, partial failure (such as low voltage or high voltage) went unanalyzed for a time.

The problems appear to have been created when portions of the systems were allowed to be classified as not related to safety because they were assumed to always fail safe.

Automated Safety-Related Actions With No Preferred Failure Mode

Another area of adverse systems interactions that was highlighted involved the inadvertent actuation of an engineered safety feature (ESF) (Category 6, "Inadvertent ECCS/RHR pump suction transfer"). The most significant characteristic of this area appears to be that, unlike a reactor trip, such a function does not have an always preferred failure mode. As a result, extra precautions may be needed to avoid (a) a failure to actuate when needed and (b) a failure that actuates the system when not required (i.e., inadvertently).
The area of automatic ECCS switch to recirculation is the subject of a separate generic issue, Generic Issue 24.

Although the reported events involved only the automatic switchover to the sump in PWRs, some concern exists that individual plants may have other functions with the same characteristic. Some possible other functions include:

* containment isolation functions
* logic that selects a faulted steam generator to isolate it
* low-pressure-to-high-pressure system interlocks in the RHR system

Of particular note is the possibility that these types of functions will actuate inadvertently during testing or maintenance. It is a fairly common practice to put portions of the actuation logic in a trip or actuated state and to assume then that the plant is in a "safe" condition. Although this may be true for functions that have a preferred failure mode, it may not be a conservative assumption for functions that do not have an always preferred failure mode.

Instrumentation and Control Power Supplies

The ORNL review (NRC, NUREG/CR-3922) highlighted several events related to instrumentation and control (I&C) power supplies (Category 14). The events at all plants, and specifically at B&W plants, have already received significant attention as outlined in the ORNL assessment. Some residual concern was expressed that the potential for a significant event related to I&C power supply interactions may still exist. Because of this concern, further review work at ORNL was identified.

ORNL completed this work (reported in Reference 5). A significant number of I&C power supply events were noted, some of which involve ASIs. Although there is concern about the area of I&C power supplies, a significant amount of work (both at NRC and in the industry) has addressed this area.
The A-17 resolution has not recommended any specific actions to deal with this area at this time, but has concluded that the existing efforts at NRC be coordinated to ensure that this critical area receives the proper emphasis. This is being done under Generic Issue 128, "Electric Power Reliability."

C. Recommendations

Ongoing industry reviews and evaluations of operating experience should consider the above types of events. It is further recommended that where utilities determine that specific evaluations (e.g., plant walkdowns, limited-scope accident safety analyses, or probabilistic risk assessments) are needed to address other safety concerns, awareness and recognition of potential adverse systems interactions such as highlighted above should be included in these evaluations.

D. References

1. U.S. Nuclear Regulatory Commission, NUREG-1174, "Evaluation of Systems Interactions in Nuclear Power Plants."
2. ---, NUREG-1229, "Regulatory Analysis for Resolution of USI A-17."
3. ---, NUREG/CR-3922, "Survey and Evaluation of System Interaction Events and Sources," January 1985.
4. ---, NUREG/CR-4261, "Assessment of System Interaction Experience in Nuclear Power Plants," June 1986.
5. ---, NUREG/CR-4470, "Survey and Evaluation of Vital Instrumentation and Control Power Supply Events," August 1986.

Enclosure 3

LIST OF RECENTLY ISSUED GENERIC LETTERS

Generic Letter No.: 89-18
Subject: RESOLUTION OF UNRESOLVED SAFETY ISSUE A-17, "SYSTEMS INTERACTIONS IN NUCLEAR POWER PLANTS"
Date of Issuance: 09/06/89
Issued To: ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR NUCLEAR POWER PLANTS

Generic Letter No.: 89-17
Subject: PLANNED ADMINISTRATIVE CHANGES TO THE NRC OPERATOR LICENSING WRITTEN EXAMINATION PROCESS - GENERIC LETTER 89-17
Date of Issuance: 09/06/89
Issued To: ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR PWRS AND BWRS AND ALL LICENSED OPERATORS

Generic Letter No.: 89-16
Subject: INSTALLATION OF A HARDENED WETWELL VENT (GENERIC LETTER 89-16)
Date of Issuance: 09/01/89
Issued To: ALL GE PLANTS

Generic Letter No.: 88-20 SUPPLEMENT 1
Subject: GENERIC LETTER 88-20 SUPPLEMENT NO. 1 (INITIATION OF THE INDIVIDUAL PLANT EXAMINATION FOR SEVERE VULNERABILITIES 10 CFR 50.54(f))
Date of Issuance: 08/29/89
Issued To: ALL LICENSEES HOLDING OPERATING LICENSES AND CONSTRUCTION PERMITS FOR NUCLEAR POWER REACTOR FACILITIES

Generic Letter No.: 89-15
Subject: EMERGENCY RESPONSE DATA SYSTEM GENERIC LETTER NO. 89-15
Date of Issuance: 08/21/89
CORRECT ACCESSION NUMBER IS 8908220423
Issued To: ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR NUCLEAR POWER PLANTS

Generic Letter No.: 89-07
Subject: SUPPLEMENT 1 TO GENERIC LETTER 89-07, POWER REACTOR SAFEGUARDS CONTINGENCY PLANNING FOR SURFACE VEHICLE BOMBS
Date of Issuance: 08/21/89
Issued To: ALL LICENSEES OF OPERATING PLANTS, APPLICANTS FOR OPERATING LICENSES, AND HOLDERS OF CONSTRUCTION PERMITS

Generic Letter No.: 89-14
Subject: LINE-ITEMS TECHNICAL SPECIFICATION IMPROVEMENT - REMOVAL OF 3.25 LIMIT ON EXTENDING SURVEILLANCE INTERVALS (GENERIC LETTER 89-14)
Date of Issuance: 08/21/89
Issued To: ALL LICENSEES OF OPERATING PLANTS, APPLICANTS FOR OPERATING LICENSES, AND HOLDERS OF CONSTRUCTION PERMITS
