10 CFR 50.73(a)(2)(ix)(A), Prevented Safety Function in Multiple System

3.2.14 Single Cause that Could Have Prevented Fulfillment of the Safety Functions of Trains or Channels in Different Systems

§ 50.73(a)(2)(ix) “(A) Any event or condition that as a result of a single cause could have prevented the fulfillment of a safety function for two or more trains or channels in different systems that are needed to:

(1) Shut down the reactor and maintain it in a safe shutdown condition;

(2) Remove residual heat;

(3) Control the release of radioactive material; or

(4) Mitigate the consequences of an accident.

(B) Events covered in paragraph (ix)(A) of this section may include cases of procedural error, equipment failure, and/or discovery of a design, analysis, fabrication, construction, and/or procedural inadequacy. However, licensees are not required to report an event pursuant to paragraph (ix)(A) of this section if the event results from:

(1) A shared dependency among trains or channels that is a natural or expected consequence of the approved plant design; or

(2) Normal and expected wear or degradation.”

An LER is required for an event that meets the conditions stated in the rule.

Discussion

The level of judgment for reporting an event or condition under this criterion is a reasonable expectation of preventing fulfillment of a safety function. In the discussions that follow, several different expressions, such as “would have,” “could have,” “alone could have,” and “reasonable doubt,” are used to characterize this standard. In the staff’s view, all of these should be judged on the basis of a reasonable expectation of preventing fulfillment of the safety function. For trains or channels that have been declared inoperable, the capability is considered degraded to a point where it cannot perform with reasonable expectation or reliability. As a result, subject to the exceptions stated in 10 CFR 50.73(a)(2)(ix)(B)(1) and (2), for trains or channels within the scope of this criterion, a report is required when there is a determination that two or more trains or channels in different systems are inoperable as a result of a single cause while in a required mode or other specified condition in the TS Applicability. However, reports are not required when trains or channels in different systems are declared inoperable as part of a planned evolution for maintenance or surveillance testing when done in accordance with an approved procedure and the plant’s TS (unless a condition is discovered that would have resulted in the trains or channels in different systems being declared inoperable as a result of a single cause).

For guidance on determining whether a train or channel is operable, see RIS 2005-20, Revision 1. Operable but nonconforming or degraded conditions are not considered reportable under this criterion.

The intent of this criterion is to capture those events in which, as a result of a single cause, there would have been a failure of two or more trains or channels to properly complete their safety function, regardless of whether there was an actual demand. For example, if, as a result of a single cause, a train of the HPSI system and a train of the AFW system failed, the event would be reportable even if there was no demand for the systems’ safety functions.

Examples of a single cause responsible for a reportable event may include cases of procedural error, equipment failure, or discovery of a design, analysis, fabrication, construction, or procedural inadequacy. They may also include such factors as high ambient temperatures, heatup from energization, inadequate preventive maintenance, oil contamination of air systems, incorrect lubrication, or use of nonqualified components.

The event is reportable if, as a result of a single cause, two or more trains or channels are inoperable, regardless of whether the problem was discovered in both trains at the same time.

Trains or channels, for reportability purposes, are defined as those trains or channels designed to provide protection against single failures. Many systems containing active components are designed as at least a two-train system. Each train in a two-train system can normally satisfy all of the system functions.

SSCs within scope include only safety-related SSCs required by the TS to be operable that are intended to mitigate the consequences of an accident as discussed in Chapters 6 and 15 of the FSAR (or equivalent chapters). Accidents are identified as events of moderate frequency, infrequent incidents, or limiting faults as discussed in Regulatory Guide 1.70 (or equivalent classifications of the three types of events). ANS categorizes these events as Condition II, III and IV type events.

Examples

(1) Solenoid-Operated Valve Deficiency

During testing, two containment isolation valves failed to function as a result of improper air gaps in the solenoid-operated valves that controlled the supply of instrument air to the containment isolation valves.

The valves were powered from the same electrical division. Therefore, 10 CFR 50.73(a)(2)(vii) (common cause inoperability of independent trains or channels) would not apply. The two valves isolated fluid process lines in two different systems. Thus, 10 CFR 50.73(a)(2)(v) (condition that could have prevented fulfillment of the safety function of a structure or system) would apply only if engineering judgment indicates that there was a reasonable expectation of preventing fulfillment of the safety function for redundant valves within the same system. [Footnote 14: Or, alternatively, that there was reasonable doubt that the safety function would have been fulfilled if the affected trains had been called upon to perform them.] However, this criterion would certainly apply if a single cause (such as a design inadequacy) induced the improper air gaps, thus preventing fulfillment of the safety function of two trains or channels in different systems.

(2) Degraded Valve Stems

A motor-operated valve in one train of a system was found with a crack 75 percent through the stem. Although the valve stem did not fail, engineering evaluation indicated that further cracking would occur that could have prevented fulfillment of its safety function. As a result, the train was not considered capable of performing its specified safety function. The valve stem was replaced with a new one.

The root cause was determined to be environmentally assisted stress-corrosion cracking that resulted from installation of an inadequate material some years earlier. The same inadequate material had been installed in a similar valve in a different system at the same time. The similar valve was exposed to similar environmental conditions as the first valve.

The condition is reportable under this criterion if engineering judgment indicates that there was a reasonable expectation of preventing fulfillment of the safety function of both affected trains. This depends on details such as whether the second valve stem was also significantly degraded and, if not, whether any future degradation of the second valve stem would have been discovered and corrected, as a result of routine maintenance programs, before it could become problematic.

(3) Overpressure Due to Thermal Expansion

It was determined that a number of liquid-filled and isolated containment penetration lines in multiple safety systems were not adequately designed to accommodate the internal pressure buildup that could occur because of thermal expansion caused by heatup after a design-basis accident. The problem existed because the original design failed to consider this effect following a postulated accident.

The condition is reportable under this criterion because there was a reasonable expectation of preventing fulfillment of the safety function of multiple trains or channels as a result of a single cause.

(4) Cable Degradation

One of three component cooling water pumps tripped due to a ground fault on a power cable leading to the pump. The likely cause was determined to be moisture permeation into the cable insulation over time in a section of cable that was exposed to water. The event is reportable under this criterion if engineering judgment indicates that there was a reasonable expectation of preventing fulfillment of the safety function of an additional train in a different system as a result of the same cause. For example, if cable testing indicates that another cable to safety-related equipment was likely to fail as a result of the same cause, the event is reportable.

(5) Overstressed Valve Yokes

It was determined that numerous motor-operated valve yokes experienced overthrusting that exceeded design-basis stress levels. The cause was lack of knowledge that resulted in inadequate design engineering at the time the designs were performed.

Some of the motor-operated valve yokes, in different systems, were being overstressed enough during routine operations that, although they were currently capable of performing their specified safety functions, the overstressing would, with the passage of time, render them incapable of performing those functions. The condition is reportable under this criterion if engineering judgment indicates that there was a reasonable expectation of preventing fulfillment of the safety function of trains or channels in two or more different systems. [Footnote 15: Or, alternatively, there was reasonable doubt that the safety function would have been fulfilled if the affected trains had been called upon to perform them.]

(6) Heat Exchanger Fouling

Periodic monitoring of heat exchanger performance indicated that two heat exchangers in two different systems required cleaning in order to ensure they would remain operable. The degree of fouling was within the range of the normal expectations upon which the monitoring and maintenance procedures were based.

The event is not reportable under this criterion because there was not a reasonable expectation of preventing the fulfillment of the safety function of the heat exchangers.

(7) Pump Vibration

Based on increasing vibration trends, identified by routine vibration monitoring, it was determined that a pump’s bearings required replacement. Other pumps in different systems with similar designs and service histories experience similar bearing degradation. However, it is expected that the degradation will be detected and corrected before failure occurs.

Such bearing degradation is not reportable under this criterion because it is normal and expected.
